diff options
| author | maxim-yurchuk <maxim-yurchuk@yandex-team.com> | 2024-10-09 12:29:46 +0300 |
|---|---|---|
| committer | maxim-yurchuk <maxim-yurchuk@yandex-team.com> | 2024-10-09 13:14:22 +0300 |
| commit | 9731d8a4bb7ee2cc8554eaf133bb85498a4c7d80 (patch) | |
| tree | a8fb3181d5947c0d78cf402aa56e686130179049 /contrib/python/pyOpenSSL/py3/tests/test_crypto.py | |
| parent | a44b779cd359f06c3ebbef4ec98c6b38609d9d85 (diff) | |
| download | ydb-9731d8a4bb7ee2cc8554eaf133bb85498a4c7d80.tar.gz | |
publishFullContrib: true for ydb
<HIDDEN_URL>
commit_hash:c82a80ac4594723cebf2c7387dec9c60217f603e
Diffstat (limited to 'contrib/python/pyOpenSSL/py3/tests/test_crypto.py')
| -rw-r--r-- | contrib/python/pyOpenSSL/py3/tests/test_crypto.py | 4466 |
1 files changed, 4466 insertions, 0 deletions
diff --git a/contrib/python/pyOpenSSL/py3/tests/test_crypto.py b/contrib/python/pyOpenSSL/py3/tests/test_crypto.py new file mode 100644 index 0000000000..ef3429d17f --- /dev/null +++ b/contrib/python/pyOpenSSL/py3/tests/test_crypto.py @@ -0,0 +1,4466 @@ +# Copyright (c) Jean-Paul Calderone +# See LICENSE file for details. + +""" +Unit tests for :py:mod:`OpenSSL.crypto`. +""" + +from warnings import simplefilter + +import base64 +from subprocess import PIPE, Popen +from datetime import datetime, timedelta +import sys + +import pytest + +from cryptography import x509 +from cryptography.hazmat.backends.openssl.backend import backend +from cryptography.hazmat.primitives import serialization +from cryptography.hazmat.primitives.asymmetric import rsa + +import flaky + +from OpenSSL.crypto import TYPE_RSA, TYPE_DSA, Error, PKey +from OpenSSL.crypto import X509, X509Name +from OpenSSL.crypto import ( + X509Store, + X509StoreFlags, + X509StoreContext, + X509StoreContextError, +) +from OpenSSL.crypto import X509Req +from OpenSSL.crypto import X509Extension +from OpenSSL.crypto import load_certificate, load_privatekey +from OpenSSL.crypto import load_publickey, dump_publickey +from OpenSSL.crypto import FILETYPE_PEM, FILETYPE_ASN1, FILETYPE_TEXT +from OpenSSL.crypto import dump_certificate, load_certificate_request +from OpenSSL.crypto import dump_certificate_request, dump_privatekey +from OpenSSL.crypto import PKCS7, load_pkcs7_data +from OpenSSL.crypto import PKCS12, load_pkcs12 +from OpenSSL.crypto import CRL, Revoked, dump_crl, load_crl +from OpenSSL.crypto import NetscapeSPKI +from OpenSSL.crypto import ( + sign, + verify, + get_elliptic_curve, + get_elliptic_curves, +) + +from OpenSSL._util import ffi as _ffi, lib as _lib + +from .util import ( + EqualityTestsMixin, + is_consistent_type, + WARNING_TYPE_EXPECTED, + NON_ASCII, +) + + +def normalize_privatekey_pem(pem): + return dump_privatekey(FILETYPE_PEM, load_privatekey(FILETYPE_PEM, pem)) + + +GOOD_CIPHER = "blowfish" +BAD_CIPHER = "zippers" + +GOOD_DIGEST = "SHA1" +BAD_DIGEST = "monkeys" + +old_root_cert_pem = b"""-----BEGIN CERTIFICATE----- +MIIC7TCCAlagAwIBAgIIPQzE4MbeufQwDQYJKoZIhvcNAQEFBQAwWDELMAkGA1UE +BhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdU +ZXN0aW5nMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3QgQ0EwIhgPMjAwOTAzMjUxMjM2 +NThaGA8yMDE3MDYxMTEyMzY1OFowWDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAklM +MRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdUZXN0aW5nMRgwFgYDVQQDEw9U +ZXN0aW5nIFJvb3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPmaQumL +urpE527uSEHdL1pqcDRmWzu+98Y6YHzT/J7KWEamyMCNZ6fRW1JCR782UQ8a07fy +2xXsKy4WdKaxyG8CcatwmXvpvRQ44dSANMihHELpANTdyVp6DCysED6wkQFurHlF +1dshEaJw8b/ypDhmbVIo6Ci1xvCJqivbLFnbAgMBAAGjgbswgbgwHQYDVR0OBBYE +FINVdy1eIfFJDAkk51QJEo3IfgSuMIGIBgNVHSMEgYAwfoAUg1V3LV4h8UkMCSTn +VAkSjch+BK6hXKRaMFgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJJTDEQMA4GA1UE +BxMHQ2hpY2FnbzEQMA4GA1UEChMHVGVzdGluZzEYMBYGA1UEAxMPVGVzdGluZyBS +b290IENBggg9DMTgxt659DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GB +AGGCDazMJGoWNBpc03u6+smc95dEead2KlZXBATOdFT1VesY3+nUOqZhEhTGlDMi +hkgaZnzoIq/Uamidegk4hirsCT/R+6vsKAAxNTcBjUeZjlykCJWy5ojShGftXIKY +w/njVbKMXrvc83qmTdGl3TAM0fxQIpqgcglFLveEBgzn +-----END CERTIFICATE----- +""" + +root_cert_pem = b"""-----BEGIN CERTIFICATE----- +MIIE7jCCA1agAwIBAgIIPQzE4MbeufQwDQYJKoZIhvcNAQELBQAwWDELMAkGA1UE +BhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQHEwdDaGljYWdvMRAwDgYDVQQKEwdU +ZXN0aW5nMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3QgQ0EwHhcNMjAwODAyMTcxMTE5 +WhcNNDcxMjIwMTcxMTE5WjBYMQswCQYDVQQGEwJVUzELMAkGA1UECBMCSUwxEDAO +BgNVBAcTB0NoaWNhZ28xEDAOBgNVBAoTB1Rlc3RpbmcxGDAWBgNVBAMTD1Rlc3Rp +bmcgUm9vdCBDQTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALpY5jb+ +S7AUbx9gzN06wkqUeb+eNLTjCOKofiMTn8Y0TqCA2ZyY3XMcNBMaIS7hdFTgmmqt +fFntYobxLAl/twfbz9AnRaVDh2HyUvHvMBxKn1HSDLALLtqdF0pcXIjP04S7NKPQ +Umgkv2H0KwcUpYlgjTFtXRiP+7wDSiQeP1YVSriEoE0TXK14F8np6ZKK0oQ+u16d +Wn3MGQwFzS+Ipgoz0jbi5D2KzmK2dzHdxY8M2Dktkz/W3DUfUwaTohYed2DG39LP +NUFOxekgXdIZ3vQbDfsEQt27TUzOztbo/BqK7YkRLzzOQFz+dKAxH6Hy6Bu9op7e +DWS9TfD/+UmDxr3IeoLMpmUBKxmzTC4qpej+W1UuCE12dMo4LoadlkG+/l1oABqd +Ucf45WgaFk3xpyEuGnDxjs6rqYPoEapIichxN2fgN+jkgH9ed44r0yOoVeG2pmwD +YFCCxzkmiuzLADlfM1LUzqUNKVFcOakD3iujHEalnDIJsc/znYsqaRvCkQIDAQAB +o4G7MIG4MB0GA1UdDgQWBBSDVXctXiHxSQwJJOdUCRKNyH4ErjCBiAYDVR0jBIGA +MH6AFINVdy1eIfFJDAkk51QJEo3IfgSuoVykWjBYMQswCQYDVQQGEwJVUzELMAkG +A1UECBMCSUwxEDAOBgNVBAcTB0NoaWNhZ28xEDAOBgNVBAoTB1Rlc3RpbmcxGDAW +BgNVBAMTD1Rlc3RpbmcgUm9vdCBDQYIIPQzE4MbeufQwDAYDVR0TBAUwAwEB/zAN +BgkqhkiG9w0BAQsFAAOCAYEAFIMFxLHaVDY/nsbYzI7+zxe4GJeUqRIj2g4XK/nF +6lHLRFL2YP5yJ+Jm4JDkoZqKq/tcEQLIssQS++s6tBSdvFwdY6imfpEZgFPuodrZ +KbYm4Xuouw09EQCEjPxBOQ1NEcPuwuDtvD6/BOfm3SRFRTq/gQwxKlZ7C/4l8b1+ +OQPIUryqdlFBpyE/M95GzaNdmkQx41PevEih2nqWnbTsXLeiSXLGoubMTxKEK4T+ +J7Ci2KTRJ3SYMgTNU6MNcl7b9Tpw9/KVG80IbpzNQ1LDh3ZtkOfqoou1lmBTeNPu +g2C/oiW6lVAmZx1TL9gbUtkJ0Q2iW4D9TF+zuYi2qpbVU3RvoqK25x3AuIWf4JOL +3cTNjJ/3zmGSORRJvcGyvVnL30R+vwpaxvyuqMjz3kBjkK2Z2pvElZMJiZhbGG7k +MHZQ5A26v0/iQVno6FRv3cQb9EeAZtNHcIEgsNhPZ53XVnwZ58ByvATMLKNN8dWF +Q+8Bbr7QFxeWvQfHYX2yaQZ/ +-----END CERTIFICATE----- +""" + +root_key_pem = b"""-----BEGIN RSA PRIVATE KEY----- +MIIG5AIBAAKCAYEAuljmNv5LsBRvH2DM3TrCSpR5v540tOMI4qh+IxOfxjROoIDZ +nJjdcxw0ExohLuF0VOCaaq18We1ihvEsCX+3B9vP0CdFpUOHYfJS8e8wHEqfUdIM +sAsu2p0XSlxciM/ThLs0o9BSaCS/YfQrBxSliWCNMW1dGI/7vANKJB4/VhVKuISg +TRNcrXgXyenpkorShD67Xp1afcwZDAXNL4imCjPSNuLkPYrOYrZ3Md3FjwzYOS2T +P9bcNR9TBpOiFh53YMbf0s81QU7F6SBd0hne9BsN+wRC3btNTM7O1uj8GortiREv +PM5AXP50oDEfofLoG72int4NZL1N8P/5SYPGvch6gsymZQErGbNMLiql6P5bVS4I +TXZ0yjguhp2WQb7+XWgAGp1Rx/jlaBoWTfGnIS4acPGOzqupg+gRqkiJyHE3Z+A3 +6OSAf153jivTI6hV4bambANgUILHOSaK7MsAOV8zUtTOpQ0pUVw5qQPeK6McRqWc +Mgmxz/OdiyppG8KRAgMBAAECggGAGi6Tafagu8SjOE1pe0veMIxb7shTr3aWsQHr +dxIyyK5gvbxc1tvDgYDc8DIjp2qV5bcI+yQU7K2lwj/waAVBuiDwOdbKukWap/Bc +JxHsOI1jhSN2FOX9V0nrE8+WUMKifWuwIbQLYAaJvUGJKh2EhKDENcWf5uuT+v6b +VCfLzlR/gx1fSHUH+Hd/ICd1YdmPanVF7i09oZ8jhcTq51rTuWs+heerGdp+1O++ +H4uBTnAHkUEOB1Iw7mXQTIRBqcntzob/TJrDKycdbFHEeRR0L1hALGEVftq7zI6F +BA9caO1W7HkcVmeT6HATIEIGG5H7QAwSfZflJ/82ZXtDemqhBRVwQ2Fx/99wW3r9 +puUvJyLbba7NCwL1+P9w8ebr00kFyYoy6rE1JjqlE+9ZHwakZUWTA1lMOGWNEkRS +bKZNHgrngs2zk5qCYRllmsBZ3obdufnP/wyag+BFVniAIN3a08y46SYmgYTeLdBX +/DHSZIKWI9rBiNg6Qw49N+06XwiBAoHBAOMZQbRT8hEffRFbxcsRdJ4dUCM1RAXV +/IMLeVQgKEWETX3pCydpQ2v65fJPACfLLwwRMq4BX4YpJVHCk6BZh/2zx8T1spmJ +uBkHH6+VYgB9JVU0hv/APAjTZxdBjdhkaXVxccpmBBJqKKwOGf3nRVhmMsItBx2x +ZCz+x50+buRMTKsF+FeK2Dr2e9WrfMkOJ3nQFwbGvOBIQeXKmu0wYUVyebnCdZW5 +pKI0Co7wp9soCa02YvTFR8n2kxMe9Y91jQKBwQDSD/xSsRfgDT0uiEwazVQ2D/42 +96U2MYe+k+p1GHBnjIX4eRPcWOnQNUd/QVy1UK4bQg1dVZi+NQJ1YS3mKNCpqOaK +ovrgHHmYC1YIn8Xmq2YGzrm/JLwXw0BkPhHp/1yQVPVgyFKeNa3fSa0tkqCed5rs +erM8090IIzWPzKtXId8Db4i0xHkDzP7xDThb6pPNx5bvAaempJRDLtN9xP/hQRyh +xZ/MECKGRgyAVfndIZaI82kuUQFlnPMqk4FxFhUCgcAhnMdgzVvytNpqC09HMxoz +nNsTmvqqcnWhX71hejD7uQ1PKYMBHk9gWA5YwuCfAy+/dXwuzP06ejSP2WDIRvgd +0NIskMESgJPDAI7sCgwrTlqMNe4VRHqeQ8vqYUWBVbtWKqhQ8LCBmTzT2nJ2ZhiZ +cObqXofDGVJeZodc+rSnDbP7TDLpoh9G+txxT6R0jafCG86MrjWebJN0U3yCxrpe +8QabO/DzbDq110YIyg3OHirwfDBBUkHB3sD9/4MQ7LECgcEAs2UFhxVIn4aO5ott ++0G5lkYIQ6cwx9x64i3ugDvz2uruiunUJU0luTOXML2AUDRrzEmXokr0nBQnWlk4 +2qOmuA3PfTx85iJLUab0vX69gyaDhnLLvMrBe8W62yELKXx076ouuI27yPNs3xFL +vWzIkSzx+N0870i8LjPrjTgsZ8g8bfG1nTNhafaLDw/MPutReN7oLouKQs2w9MMr +yPAR2qxBqIJe2uY4pdVy3bMPJWOG7MR74hs6By6HmKfKVuqVAoHBAMRSefX1QtfS +3wWpQhkE7Sooco4LI8kfNncZ2gzNDbYf6aOkgzv0/SWJh+CdcKep9xk12O02Lpsm +SsPYeYlPDCCvyJYGpR19QocYp6JCaemb7uMd6FuPHSHUgyoR4GS8PUuIbiRnpPxN +4ta7VzmIZOCFu5e+vOq1NwTd0hR6sy5uNsTHV5ezOOqz2SB+yTRMDPr7cW0dMSJ8 +jsvxvqVnkIhWeuP9GIb6XUhq74huGZ0Hpaxe6xG34QYiBpr/O3O/ew== +-----END RSA PRIVATE KEY----- +""" + +root_key_der = base64.b64decode( + """ +MIIG5AIBAAKCAYEAuljmNv5LsBRvH2DM3TrCSpR5v540tOMI4qh+IxOfxjROoIDZ +nJjdcxw0ExohLuF0VOCaaq18We1ihvEsCX+3B9vP0CdFpUOHYfJS8e8wHEqfUdIM +sAsu2p0XSlxciM/ThLs0o9BSaCS/YfQrBxSliWCNMW1dGI/7vANKJB4/VhVKuISg +TRNcrXgXyenpkorShD67Xp1afcwZDAXNL4imCjPSNuLkPYrOYrZ3Md3FjwzYOS2T +P9bcNR9TBpOiFh53YMbf0s81QU7F6SBd0hne9BsN+wRC3btNTM7O1uj8GortiREv +PM5AXP50oDEfofLoG72int4NZL1N8P/5SYPGvch6gsymZQErGbNMLiql6P5bVS4I +TXZ0yjguhp2WQb7+XWgAGp1Rx/jlaBoWTfGnIS4acPGOzqupg+gRqkiJyHE3Z+A3 +6OSAf153jivTI6hV4bambANgUILHOSaK7MsAOV8zUtTOpQ0pUVw5qQPeK6McRqWc +Mgmxz/OdiyppG8KRAgMBAAECggGAGi6Tafagu8SjOE1pe0veMIxb7shTr3aWsQHr +dxIyyK5gvbxc1tvDgYDc8DIjp2qV5bcI+yQU7K2lwj/waAVBuiDwOdbKukWap/Bc +JxHsOI1jhSN2FOX9V0nrE8+WUMKifWuwIbQLYAaJvUGJKh2EhKDENcWf5uuT+v6b +VCfLzlR/gx1fSHUH+Hd/ICd1YdmPanVF7i09oZ8jhcTq51rTuWs+heerGdp+1O++ +H4uBTnAHkUEOB1Iw7mXQTIRBqcntzob/TJrDKycdbFHEeRR0L1hALGEVftq7zI6F +BA9caO1W7HkcVmeT6HATIEIGG5H7QAwSfZflJ/82ZXtDemqhBRVwQ2Fx/99wW3r9 +puUvJyLbba7NCwL1+P9w8ebr00kFyYoy6rE1JjqlE+9ZHwakZUWTA1lMOGWNEkRS +bKZNHgrngs2zk5qCYRllmsBZ3obdufnP/wyag+BFVniAIN3a08y46SYmgYTeLdBX +/DHSZIKWI9rBiNg6Qw49N+06XwiBAoHBAOMZQbRT8hEffRFbxcsRdJ4dUCM1RAXV +/IMLeVQgKEWETX3pCydpQ2v65fJPACfLLwwRMq4BX4YpJVHCk6BZh/2zx8T1spmJ +uBkHH6+VYgB9JVU0hv/APAjTZxdBjdhkaXVxccpmBBJqKKwOGf3nRVhmMsItBx2x +ZCz+x50+buRMTKsF+FeK2Dr2e9WrfMkOJ3nQFwbGvOBIQeXKmu0wYUVyebnCdZW5 +pKI0Co7wp9soCa02YvTFR8n2kxMe9Y91jQKBwQDSD/xSsRfgDT0uiEwazVQ2D/42 +96U2MYe+k+p1GHBnjIX4eRPcWOnQNUd/QVy1UK4bQg1dVZi+NQJ1YS3mKNCpqOaK +ovrgHHmYC1YIn8Xmq2YGzrm/JLwXw0BkPhHp/1yQVPVgyFKeNa3fSa0tkqCed5rs +erM8090IIzWPzKtXId8Db4i0xHkDzP7xDThb6pPNx5bvAaempJRDLtN9xP/hQRyh +xZ/MECKGRgyAVfndIZaI82kuUQFlnPMqk4FxFhUCgcAhnMdgzVvytNpqC09HMxoz +nNsTmvqqcnWhX71hejD7uQ1PKYMBHk9gWA5YwuCfAy+/dXwuzP06ejSP2WDIRvgd +0NIskMESgJPDAI7sCgwrTlqMNe4VRHqeQ8vqYUWBVbtWKqhQ8LCBmTzT2nJ2ZhiZ +cObqXofDGVJeZodc+rSnDbP7TDLpoh9G+txxT6R0jafCG86MrjWebJN0U3yCxrpe +8QabO/DzbDq110YIyg3OHirwfDBBUkHB3sD9/4MQ7LECgcEAs2UFhxVIn4aO5ott ++0G5lkYIQ6cwx9x64i3ugDvz2uruiunUJU0luTOXML2AUDRrzEmXokr0nBQnWlk4 +2qOmuA3PfTx85iJLUab0vX69gyaDhnLLvMrBe8W62yELKXx076ouuI27yPNs3xFL +vWzIkSzx+N0870i8LjPrjTgsZ8g8bfG1nTNhafaLDw/MPutReN7oLouKQs2w9MMr +yPAR2qxBqIJe2uY4pdVy3bMPJWOG7MR74hs6By6HmKfKVuqVAoHBAMRSefX1QtfS +3wWpQhkE7Sooco4LI8kfNncZ2gzNDbYf6aOkgzv0/SWJh+CdcKep9xk12O02Lpsm +SsPYeYlPDCCvyJYGpR19QocYp6JCaemb7uMd6FuPHSHUgyoR4GS8PUuIbiRnpPxN +4ta7VzmIZOCFu5e+vOq1NwTd0hR6sy5uNsTHV5ezOOqz2SB+yTRMDPr7cW0dMSJ8 +jsvxvqVnkIhWeuP9GIb6XUhq74huGZ0Hpaxe6xG34QYiBpr/O3O/ew==' +""" +) + +normalized_root_key_pem = normalize_privatekey_pem(root_key_pem) + +intermediate_cert_pem = b"""-----BEGIN CERTIFICATE----- +MIIEXDCCAsSgAwIBAgIRAMPzhm6//0Y/g2pmnHR2C4cwDQYJKoZIhvcNAQELBQAw +WDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQHEwdDaGljYWdvMRAw +DgYDVQQKEwdUZXN0aW5nMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3QgQ0EwHhcNMjAw +ODAyMTcxMTIwWhcNNDcxMjIwMTcxMTIwWjBmMRUwEwYDVQQDEwxpbnRlcm1lZGlh +dGUxDDAKBgNVBAoTA29yZzERMA8GA1UECxMIb3JnLXVuaXQxCzAJBgNVBAYTAlVT +MQswCQYDVQQIEwJDQTESMBAGA1UEBxMJU2FuIERpZWdvMIIBojANBgkqhkiG9w0B +AQEFAAOCAY8AMIIBigKCAYEAo3rOxOVrdLdRsR1o0+JG7MRpCtMoafA63TM/DczL +Q4jURv5MzyTE7FFdXq4xNJRYgD16vUavZluQGj30+5Lkt07CuO/BK3itl8UW+dsH +p95gzBvgnj5AVZGkNOQ0Y4CbXO087Ywep7tpBfZ5fzURLeH+OHQGseEFZ5e0w8Az +AarWu+Ez5RGpkaZ61iiJa53mAgkrjw+o83UrpDT2nrXiyR6Fx4K4eb1rarodWqGv +jSkdT5MA4i0gDhsIBnTarPB+0KM8M7od8DkLsTHBt4rYYCHgCX1bWavzGlqPEw9h +ksK+LAbQKD9J2AxYDkL0PAeUuvWMhxEmN6hXePiw63sJzukRunAvut5A2+42JMkW +guDyqIvAjlCYcIyBvUbphP3qSFqww/hpZ2wh5UZOc1mzYJKR9MgI8/UhRJEJ7NyY +pF24EJbisjNE30ot8aM2/5cI5KevclcuPJWH8PjT/i1VnNpM4S8MqoPw6F+d75d/ +CtfI+LLfns4k3G9I+Qgxmpa5AgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJ +KoZIhvcNAQELBQADggGBAFVQ3Dmljrnbjys9ZIqcTs/B5ktKUAU2KNMO9TmoFymE +YhHKbCb5u/CnWq3jtBW6jgkQHrhfY9leUlH87BkB2o16BcSKjHknHZ2MCdEvQvOM +/nkkMDkOEoRn8mfCCxxgt8Kxf07wHDcnKoeJ3h9BXIl6nyJqJAcVWEJm1d75ayDG +0Kr0z+LcqMtQqYI0csK/XDQkunlE95qti1HzxW+JeAf6nRkr7RNZLtGmUGAMfyBK +9A0Db8QLR7O92YEmwoXtp+euN6uDdjw4A7KHjNXMdvqZoRfbZEA9c6XJTBj22h87 +gYUFRVpkNDrC/c9u6WgA943yMgFCwjrlTsmi+uoweT9U5r4TA+dVCDAv943aWCNm +A+TiuIXlJAHl2PlH7Umu/oMQKDEt+0n4QcQLBZyK3CYU5kg+ms9vOvE19Lhp8HeS +xqm6dwKpdm7/8EfGNW3s8Gm4KM26mb7dtSdHJFuR/BQ5y/cn4qIMyeGfHvsVew+2 +neyFR2Oc/nUlZMKfyHI+pA== +-----END CERTIFICATE----- +""" + +intermediate_key_pem = b"""-----BEGIN RSA PRIVATE KEY----- +MIIG4gIBAAKCAYEAo3rOxOVrdLdRsR1o0+JG7MRpCtMoafA63TM/DczLQ4jURv5M +zyTE7FFdXq4xNJRYgD16vUavZluQGj30+5Lkt07CuO/BK3itl8UW+dsHp95gzBvg +nj5AVZGkNOQ0Y4CbXO087Ywep7tpBfZ5fzURLeH+OHQGseEFZ5e0w8AzAarWu+Ez +5RGpkaZ61iiJa53mAgkrjw+o83UrpDT2nrXiyR6Fx4K4eb1rarodWqGvjSkdT5MA +4i0gDhsIBnTarPB+0KM8M7od8DkLsTHBt4rYYCHgCX1bWavzGlqPEw9hksK+LAbQ +KD9J2AxYDkL0PAeUuvWMhxEmN6hXePiw63sJzukRunAvut5A2+42JMkWguDyqIvA +jlCYcIyBvUbphP3qSFqww/hpZ2wh5UZOc1mzYJKR9MgI8/UhRJEJ7NyYpF24EJbi +sjNE30ot8aM2/5cI5KevclcuPJWH8PjT/i1VnNpM4S8MqoPw6F+d75d/CtfI+LLf +ns4k3G9I+Qgxmpa5AgMBAAECggGAc0i/V4qR5JUCPuyGaCVB7uXzTXbrIQoP+L2S +0aCCFvX+/LGIaOt9E0mtln8wo+uZHZY9YAzg1EXtsRPQFzjXoY0hNFme15EamdSb +B0e2dmMTz9w44l7z72PtcH8dkq224ilKthoB5Db9MP9HXrWFj9228QihT/9nWE5b +Y0++qIZZN9TwS7HQ6q2EIlIj1ohbE0R0O0bH1ifixsGyyOlrLHkhzjgY74Dspy7o +VGmA6wL7cIoyLU21NT1Kw4LUUvCk3MTd62gIg43qLsoLJ1AVZg9AmLmhZn4HiGZa +tiE1+Iz70E+qxIXDQTip/EY4qe9HHYM2VccjlMQsLLCw5Y2CJL0xbRUSPkKev+Us +PyasHgxPP6s5sHTKm0fee+riJrR+CqODGT45CirJr+WjDznlJETgVDW5DmtTWGVW +2WeBarXdYOn4S+uK3Pe3aTAiE9Uw7KrOdJqrWg89YFnMWw4HlMz0369HCUv5BqSg +qtrJ7iPJhN5MMhA4Te2Rnc5onqEhAoHBANKmZP4/g5RoYy6Gjkwe9PSgp9URxCJt +VHiE5r33jXxOMw2lJQD8JVLmWuNTbKEClj6Rd/5OzM2q2icYDu0k/wcX+BgXg5b2 +ozyfjzgnqddKs8SlNd9oc2xiFRLgBkdHI5XFQlcp6vpEM+m47azEw72RtsKObN0g +PZwSK8RWTj4zCXTdYMdr+gbdOA3fzUztckHLJQeS42JT3XJVSrSzFyXuVgXmdnS9 +bQ2dUfPT+JzwHy/HMmaBDM7fodDgv/XUywKBwQDGrLTomybbfc3ilZv+CZMW7bTy +pX8ydj6GSIBWLd+7gduQHYqam5gNK2v4BKPVHXMMcRZNIIId3FZztMaP3vkWQXIG +/bNBnL4Aa8mZFUle1VGoPZxMt1aaVLv3UqWi47ptciA6uZCuc/6si3THTsNr/7kR +k6A7UmA0CRYWzuezRsbEGRXZCCFGwJm2WCfewjNRqH/I+Kvfj06AddKkwByujfc6 +zQDH/m0QFNAKgEZYvFOL/Yd2cuFhU2OPUO4jFgsCgcBXRbjx3T6WbekpjXXG88xo +zWa7T/ECkmk8xVMTwUxNA9kC/jimf9C219kv9ZA75OZ6ZaphIiSX0QEw0Tbd6UX/ +ml6fHJ7YHLbklvavPT+QgtKX1hrLxGqNrNUuTMJNJZwIoQErO6KurTMU0hkmSx8N +myEs2fUgaAsebijT3y3rdxmj4VQHSyT7Uwu2M9LK3FVKDO/6g1DRnA1TISMiWlBs +1qGtMB5Dn3de/J7Hdjq6SoGhOdYXwb+ctepEr9jX8KECgcAE2nk86XVkjUk3TNJX +vWIjgEEYYGSgFfVnEGRaNpqtmPmFJsOZDU4EnFfx4iMidKq31hdmYPHsytIt12+2 +WgsZuRWRCCeV5b9agUeWfsehEnMBOigUU7JA6OsCmrlDJm8Kd2xEIv5e1KSXEH0U +1V6+x6t8u2+Bo3yIKOSqP/m3DnaSmc5H1AQEF3Zp1vN6ZKIeT5B3l2OTfYu8ZaR0 +s+C/fuZYQGPRfuypJOkEKKgPSOJ9m/7wLNRGrWPUP3Th1IsCgcBb2O9ROv793a3x +PtW4qzkqF69KKc2O/vT819NBQjGopQetOcsY3VHp0eJMv85ut4cCeqScAfdtFIiC +ScnrBO4JtdE6FkTY1k8el1DrctrUR3PZ2rt3m5k2XfPDGEypH3BReD3dHUe2M99D ++dceH46rKyMXQ2lLA3iyzGE6NyWUTZ6co35/Qm2n8lV9IG1CuX5HVAVrr2osLG93 +zZvFSeTrN2MZvmelhS6aUJCV/PxiQPHlou8vLU6zzfPMSERTjOI= +-----END RSA PRIVATE KEY----- +""" + +server_cert_pem = b"""-----BEGIN CERTIFICATE----- +MIIEKTCCApGgAwIBAgIJAJn/HpR21r/8MA0GCSqGSIb3DQEBCwUAMFgxCzAJBgNV +BAYTAlVTMQswCQYDVQQIDAJJTDEQMA4GA1UEBwwHQ2hpY2FnbzEQMA4GA1UECgwH +VGVzdGluZzEYMBYGA1UEAwwPVGVzdGluZyBSb290IENBMB4XDTIwMDgwMjE3MTEy +MFoXDTQ3MTIyMDE3MTEyMFowGDEWMBQGA1UEAwwNbG92ZWx5IHNlcnZlcjCCAaIw +DQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAKU9txhKg6Nc0dVK9Vv4MYuYP6Hs +oR483+wC53V8axkfy2TynrBSug8HapeSFW5jwdwcsjaDwEIAugZfRoz0N1vR/Q6T +OFAYn2hRwlAgUXVk3NXpDNV/QRliGvxhLAVpvu1a4ExfVZoOQyPa8pogDgrUdB3e +tYmmFHNa09Lv1nyMZWi6t7zH2weq6/Dxpm0BWf+THFcunv9TNfAqmDV5qbxvaUPh +uvRpN+X2N3tejB8WKt+UmzAXUi3P3OgYimWXwq8Rmorc1rk5j+ksl6qYwZvi7rRV +g1ZAH7bGhXC9eEU/1Z9q26OhAPdTyJD0pc+G9vMz6VijLRXcgHBUP09lSeqxnNxc +pWoX6nRdGn6PkDhewHM05iqAE3ZHnc8kSBcRX85SoW5dGOhvvUTs4ePVNTo3vHdQ +vftTDD+I3rbFnYTKUAzHTPSWGE7LVEiWJ94RKSADXgve0qq8o377UMnY7W3UygSY +odyUZ29B5EfZ88EpIs/h5NomDv5VcQEoCWN1owIDAQABozYwNDAdBgNVHQ4EFgQU +g1V3LV4h8UkMCSTnVAkSjch+BK4wEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZI +hvcNAQELBQADggGBACn0LsqO94tk8i+RbG5hryNduem9n8b8doYD97iaux6QLvY/ +A8DFduJtUevZ3OCsRYQSGa3V/ysMzN7/DIUkpRLevZmdw+1L6PGR7peR2xIQ+yEW +bL88vLjezaYIzMKHJRmN8oP3DQtGJm6U2fMMiEHWqRtULIVpnFppzPI2z7+tDeyg +PFD2YeiFWoq5lmXStrK+KYPJbhTn0gz4QlGBs7PLY2JMDRSVj6ctkvrpXbC3Rb3m +qo2FY/y51ACg77Txc6NAmNE6tCknwaUjRQP2MuoYFm5/Z6O9/g49AEVIE101zHqV +N6SkcTUaXAuQIyZaqwdndfOB4rrFyAkoxTM5OamIQl80hZKf4R5rM7D7Sz8kAWJi +BPIcewN0XnI6lm+zPAVUAE8dZfgJmJR5ifZHYCuv96EX0RpYsddeik8UmjkZ2/ch +vRzvRSNNxVC6Zoe6vKNUb89XMtJZqY80WxfWG3Z2Hwf9KvS+2KAH/6MiSMj0RI5F +SCB2PMQm6DYXwM1EyA== +-----END CERTIFICATE----- +""" + +server_key_pem = normalize_privatekey_pem( + b"""-----BEGIN RSA PRIVATE KEY----- +MIIG5AIBAAKCAYEApT23GEqDo1zR1Ur1W/gxi5g/oeyhHjzf7ALndXxrGR/LZPKe +sFK6Dwdql5IVbmPB3ByyNoPAQgC6Bl9GjPQ3W9H9DpM4UBifaFHCUCBRdWTc1ekM +1X9BGWIa/GEsBWm+7VrgTF9Vmg5DI9rymiAOCtR0Hd61iaYUc1rT0u/WfIxlaLq3 +vMfbB6rr8PGmbQFZ/5McVy6e/1M18CqYNXmpvG9pQ+G69Gk35fY3e16MHxYq35Sb +MBdSLc/c6BiKZZfCrxGaitzWuTmP6SyXqpjBm+LutFWDVkAftsaFcL14RT/Vn2rb +o6EA91PIkPSlz4b28zPpWKMtFdyAcFQ/T2VJ6rGc3FylahfqdF0afo+QOF7AczTm +KoATdkedzyRIFxFfzlKhbl0Y6G+9ROzh49U1Oje8d1C9+1MMP4jetsWdhMpQDMdM +9JYYTstUSJYn3hEpIANeC97SqryjfvtQydjtbdTKBJih3JRnb0HkR9nzwSkiz+Hk +2iYO/lVxASgJY3WjAgMBAAECggGAJST2X5OAe9yFnri25vGn0YVr6G5U2YM9osQU +W6iYOpGXGx4e5evyvyYfo+rGvoXWMjCRLwf2099t8bjBFzZeq1lM1VXqtraSPtUC +JRjettDxg3Rb2jI85APVpR4C00SuEpT3DrPvfi3ukcTJ/DNwdKbFY2GI1WRr/HJS +Y3xebqjwstYmL12Nsu+NEiCAFMjU/kqHeGGWhDakTVSF2p96tE0nEIdRi1eLpTnv +xt++B87n3FJ/gBP9+SZcth+uHKA8Wr42CqJR3z8b/blICYCd2LABFdZjL4aHfce9 +Xe7UyVoySYC6N0YSbLLfsVu/w/qsYitcTvWCyekX4eT2U9Sdje46LGN4MFJSYy8K +Qw4hzz6JhUrAiwxPb2MLkq6q7AvdFwVAFl7xuH9J13yuN9x+w4NL9h3hzr4iC7nk +xVrmme279h1hfuCR1+1Bb0fLvdl5VevT9SZYCg5BCL7JxHGofcBZ3ZE9R9Q7QYVv +rCKHFZ5tIOkVJk2mcR5NvK6r7ethAoHBAM7BFvBPHgJ5xtny7M9xvaMQD9PZ3zzb +PUD83lh+DlmLyzKLw2/OblyJgO8ECWUDNR1QkL5khq5Z2t1Kj77Hak7mUUlICbIc +LKZLiAosuKBo/ps6emRRhIf9NNYR2G1k9GWyk3KicD/htllPl10j64vgBg2M/LQJ +2Oh95oWMck7RRdWHCwfBjND3YsYoN0hY9GXgr+ByDRQgAacvnpHlFCRmSPqiAJGh +kPKIRfjLgVFbL1cIj7oHpcModgZr7Dgc/wKBwQDMmVhsmiefTscZSCoCIqXVsJJ0 +edDmIvAl3cFozf9/+5JADjnp/9zcdANNN/oMfynOPx+0R2CygxooZaRKbnHPcVlu +SCxwaloagNSFVt8lZ2PwybutfdMN8YbU431ypNLJjInI3Z66eHBRDZZZviu5AtoL +5WYAvFzN502P1IVrJBo0lht7ftQMwM4NAhRaaFrUCrycREwUl0u9PxswmDhignWs ++fyJ93D5aVC1wHjUN9WYTEOM66goZTuSDD8mE10CgcAbl3UiOMy+c9XvvBWSUZGH +M1uJYCgEjRWNmLFridcMaDWD11cLkrbzrn4AZ7+BNX5fHSNT5UJ7/g3RPmQUh7RO +Nzpd1zlEBbKHtsi+4tz4u0pPGOzAeoh/RXFJqDQD1VcwQzaeM8NbIxocrRx8F5EV +p53nLQuEU1QZIsQiym1uy0rQhicYr+HE+V67Jx7JjuV+uw99mnrYVrUhxJ8axUF8 +4hGXMQt2Y+NeGoWMAEyPuOWGbeQQZXjfpISrsrdhfa0CgcEAxqbdRBUpA3Tpu5Jl +t00M1z5p9M2SFuE1ao61i5z3xrvsdGVbtefH+gRqcD85eYi+fpKrpc7oBGtmqnKF +4f76YgAcZQeOnlekxLbxocWHRDnuv4wfvYO9uHwZ/fojg3ylbSwXXABSbZsi8o/O +u7P5n9k0/Pfu4igBs6oxlMU0BaM4DnbwmCe8m+VYKykpud440kjaeJ+XfyanU0hC +jhw+Iueoehr/KLYn6wJmaxJGP0c3DHh/3gOxcgdYn6VkawPBAoHBAMJ7jfxZJfBO +i0gDsD9Kz3EkGI8HbBpgC2Cd9DGQR9qTZy1/l/ObM2jwNumJjoHsN8fkha1d6/3n +01hA4LwLB/SLQHx+7k1749sH7m1FaczWa9eUxNkwFiVTBYIyvbekNfJogLX9pVow +vEuNe+J8vxLt3gQJ1DUz+2Air8v//OIqQ+akDnPkwiqHDqynNNWO+jq708aUunVT +TTvknsoT3qT8H/N1FwbCZ14eKV+bXHcv1lVrLdW/DnjDZRpMFa3LSg== +-----END RSA PRIVATE KEY----- +""" +) + +intermediate_server_cert_pem = b"""-----BEGIN CERTIFICATE----- +MIIEXTCCAsWgAwIBAgIRAPQFY9jfskSihdiNSNdt6GswDQYJKoZIhvcNAQELBQAw +ZjEVMBMGA1UEAxMMaW50ZXJtZWRpYXRlMQwwCgYDVQQKEwNvcmcxETAPBgNVBAsT +CG9yZy11bml0MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVNh +biBEaWVnbzAeFw0yMDA4MDIxNzExMjBaFw00NzEyMjAxNzExMjBaMG4xHTAbBgNV +BAMTFGludGVybWVkaWF0ZS1zZXJ2aWNlMQwwCgYDVQQKEwNvcmcxETAPBgNVBAsT +CG9yZy11bml0MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVNh +biBEaWVnbzCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAL3UcTxwCsMZ +qIE+7lolm8t6lT0IYZkE4L7u2qI64m9CvztudqqKYZcrprZobZxqPhqc8IO3CFR2 +nVzwZWxrHCcm6nAzJjVXUFrc4TLsVYYJL1QvKXxr97VIiySU7x6xWrQQsqDtlrb0 +jH59EYFbM2eMk2fBT2X4h6YMXlqyrDjZF6apClXtkdxGJGqR5PCTs4cvrYW7TpIm +cuJq0S+MRBguZpriM+wOK7cXrqfRPFRzZtPXskpQPSAMDDAOGKl8OZfoVFYzG8KG +omOa0hcHtgYX2GCDs1g1maY6Haw9bgs041BoApH9aQxehy5dfU39DcFoKSE3dCjR +FaR6ryCA+f8L1F3xVaHsvX443CYF0/holfsptTjNd1T1z8WR5h1jtY0gJ/ERgcJZ +UgDRE3lEkTLExS/nuGVfdwnlkxny9jbtYp2YcjYjUkChLtTgz4ommeIdBdDvSu8M +wWHMtQNxECs5qA5J384cLh11Nd9exWUjiQ9yAZ0qTOzTkdH7VPHfxQIDAQABMA0G +CSqGSIb3DQEBCwUAA4IBgQA2jC5hJ/+46RLBuaZiJhBawiY+HqybEAZWM/IBGZO4 +UKcRotovU+sb1jg+vpXwePSBPEtQoZce0jN0TKiCdlLM4/9lybAvc6qBLJ0d4VS5 +BU5QsCs9IKyvswAFVipQZi0szYwHk8T145SH/fPao8oznf5ae4a6rK9PyZqT7Ix1 +nnKGffbJs0dY+jlxmx/BPlbsGfTwPL6LexghjvbpbXWUdVLP3gAW6DPCtRd6lhWj +JvgCkF2SnbQ7GgnPEYi8h09j0c6/sK6jLoNAatJyIlRGE1cdGYZVUlVW/xP6lYM0 +Mi1KKl0ZXOne4vPTtnTBBqrpjdLydH3WM1IxdwSRbmF15OD6BWzzKV4IYUJ21GDh +YrVrcIeN49pUoKVTTn0Sql8f8mXxJhJ54wo9TKdIGZeuwTZrfWjcjWghXgghXGoP +RI/I5fk/OMu0Oc06/+xdwCBHCSge0/vxK6fhTu7PxmJhQcZF0sDZyb6LXm2feVkG +6FsxnsvstVNO3oJdpa8daLs= +-----END CERTIFICATE----- +""" + +intermediate_server_key_pem = b"""-----BEGIN RSA PRIVATE KEY----- +MIIG5AIBAAKCAYEAvdRxPHAKwxmogT7uWiWby3qVPQhhmQTgvu7aojrib0K/O252 +qophlyumtmhtnGo+Gpzwg7cIVHadXPBlbGscJybqcDMmNVdQWtzhMuxVhgkvVC8p +fGv3tUiLJJTvHrFatBCyoO2WtvSMfn0RgVszZ4yTZ8FPZfiHpgxeWrKsONkXpqkK +Ve2R3EYkapHk8JOzhy+thbtOkiZy4mrRL4xEGC5mmuIz7A4rtxeup9E8VHNm09ey +SlA9IAwMMA4YqXw5l+hUVjMbwoaiY5rSFwe2BhfYYIOzWDWZpjodrD1uCzTjUGgC +kf1pDF6HLl19Tf0NwWgpITd0KNEVpHqvIID5/wvUXfFVoey9fjjcJgXT+GiV+ym1 +OM13VPXPxZHmHWO1jSAn8RGBwllSANETeUSRMsTFL+e4ZV93CeWTGfL2Nu1inZhy +NiNSQKEu1ODPiiaZ4h0F0O9K7wzBYcy1A3EQKzmoDknfzhwuHXU1317FZSOJD3IB +nSpM7NOR0ftU8d/FAgMBAAECggGAYNwla1FALIzLDieuNxE5jXne7GV6Zzm187as +mFqzb1H/gbO7mQlDAn+jcS+Xvlf3mFy73HloJrDfWqzPE6MTmmag+N8gf9ctiS9r +OTCd8uZ839ews2vj2PxLAz97Q437WiWq/7I7VN8zUNdAN2DxucRg8nAQs1c8390v +x9ejSN580u0t+OpfoqWnrzkCOD8lO7V4NOR+EtTLifw3AKvxkuUaNa12ENyqMaJD +3B1HS1AXB8DnmEOY7OE41sxaiSB44M7tsr31ldUCbEf/A5OZWeCfloP2c2g+Td8s ++sl+AzoGa1HsFOqiqdDw8lKynfT1VukaaCtOr0pGeh6XW65aHRGI0B+mHIEM7yR0 +f2NjfvgejqNekWyJ+XeTcmrPPcSH72F9ansLRpUullAi+6OkPFIiwyKCP/S2sLwh +cqe3NITfMweWDt7GqgOhz1yWaewXgdruWiFAYAh2JDBtgMWTUwWgkKyFCb4mrI6r +zqiBpA8Mjm/H17h/dQqF3iRuaZOBAoHBAPDvVseeiGwZjDXuQD9acCBZU23xwevR +6NVe/FLY1bybgsOBQCApQIWKH72eIHo12ULRMe/uZUo3su9JSCc8Gt8DsQpiZ2a+ +z8rS6uEw/UZGMWeLjcIVK5IeeD7OJ/BXEbwoxVvWLYYgWHpYwY9eqppsMlVqmIHY +lfRAaepEkU/4euRl1VTFxkU0sYw7Tj+gbFQDydB0NSLIU/x10tlHblT+O5tgBLJh +kL7II9tyoGaCUjNnACErmi1FA+lNsx1eAwKBwQDJsw+sIhujRHrajCV5dqq5cx3h +ZQNfamoX6xfXYjNHjkeFnFpHB2w6ffe00q2Kt5+0AaSA295n1vPx6IKzKYMr8kpD +0Kiv+mlKK5w7lZzdCeoJb8Co2t9viZXrN9lNetXiSZldrg5nlG8Gmi2RKn65vIfp +ZFc8CExXpQWNMSLJlu2qM8Sjt4h8M880khuTggCeIDbw7YfyanlNhsNpOGv/r+Hd +3i0BP0Qd1sZWkZ+hp/JJFdvyEh5vINgSABfNJJcCgcEA8LqioVcEBcZM8oG3jdVF +3PyDQIHieUXFdpOuVvSyMf3LXJ3ivX+aKRNF/YZl+tWc24b7dzhh2hLm5PD6d8E1 +NAiTNsX1fJJAOe4dopz5IuL1b/jezcGrRBbPnCkNfLTyUmcGMmlAGRhubugJlb9H +hH2AmRmlgW8u/NnzOZADBL1HxLb+vPHS1cj9cRi8aRRXyGX0miPSB4vTZpcu8cvO +MHvIgMkiSDz1i7mbIiNYorOpgBR066+OH5cqfkwVH82TAoHAO3dZdYyQzXARMIIF +QmxkJUz1UFCxz93V7btYSh4ftEcUeyX/z9U2aYBeGafLloxQv4eEcqFgTwkm3vmI +Hz5r9/b1Qk0wjsGrbTyyUTbpCpozsBiMmrv9CCtuUe0jWh6PFKpSVzZL9OnkWfP2 +30fCGQymnX8B4ScpKuXyXxBPi1O+OmIM5Z/k04mK25sAGltHx1cEG8BMRoJxxROo +ZUtHPBkk5H7ukeGPOaTq0PcaM1UKr9WMBTCmXGk4iwYP/mF9AoHBAOTlFVgGbbjk +Cp/Wd7IrYCBKlnkIyBUMx5icLcsFmgXWx+Gx1HualD2aZ7kctYOfo+zLEyA6roni +bSFLrxT4Od4uqwb51iZoJWxO+C3H1i9NoieU5JOnw5Osyl7OMXm3DkaS/N+ipP/b +3bx1y8/WnGgqWWguXKt2lmgOItaEKrXYr6VZ1Z4upnLtkbxLANnqkQcL9287tXaW +GPVXEteEXrtPj1f+9QYsMKuTWfaw6XfnBkBHxEZgWR+2hAN2z3c/Eg== +-----END RSA PRIVATE KEY----- +""" + +client_cert_pem = b"""-----BEGIN CERTIFICATE----- +MIIEJzCCAo+gAwIBAgIJAKxpFI5lODkjMA0GCSqGSIb3DQEBCwUAMFgxCzAJBgNV +BAYTAlVTMQswCQYDVQQIDAJJTDEQMA4GA1UEBwwHQ2hpY2FnbzEQMA4GA1UECgwH +VGVzdGluZzEYMBYGA1UEAwwPVGVzdGluZyBSb290IENBMB4XDTIwMDgwMjE3MTEy +MVoXDTQ3MTIyMDE3MTEyMVowFjEUMBIGA1UEAwwLdWdseSBjbGllbnQwggGiMA0G +CSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDGChdOMY164FScJqfiJ5LEtjYOKEg4 +nmMAMGuHIT8wZZEfzaaHhBbypzKq2cPP1qtyHgvtUMM6KOFEj4y9AonqzzdlVxbM +i6+AvYLWlPoB5r/G1GdslUvXbc7F02B/6sB/+iFXmcdjOjAQcLWxVgUL+1CoeoY1 +awNYmzQueK/T82a/6AYTdrx7XRX4wfxjYb1o3bnnRD/jGSakIylXeUGFsiSNkBs/ +dJMkUONxizAdAE2tW6NhPuE2O0UipzUhdgFnH6WPfJ0J1S7jZ3eQTUrLkFpWSp/Z +hx/l/Ql9vO0wagHaT2wOiZdKVT8S6V6OPzJ7/H1evCoM6EuSPBC5DDP1nPetCK1v +uC9kb7Dg6yFPt1CKrVFt0Y6W5Y5/GzisUtvYV/OGtX4DOwL9It68D04Qrvun1t/a +Dh/c5gKqfqIGHUvUucFmOi6DrRpadfraLZMRGN2ysPjoVwhMgwwSmSWhziQIUfxK +oyz1CUsyr5Gh5gdifbe1AOYwu6YdtlmhqCsCAwEAAaM2MDQwHQYDVR0OBBYEFINV +dy1eIfFJDAkk51QJEo3IfgSuMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3 +DQEBCwUAA4IBgQAhAEACc1j6EYoSfVJD8N/FlYfHRizdfVJyrmMnC8ID1vtfrU2z +S2q+49ja2NyM4Sq+Cf+i+sFfzFG92LayZt9Mc1BnHZMdNzQL7Ynr2nDLxHsHzuYa +N21/ucTpHEFGLmvQ/eWBMxQQ9TbiNXn+tnnqg46dRzN3vHJp+g5+ijtMcuh007z2 +niiO8F07wlb960XviejWejMC8hBLWlA7i3EjAkDO8RFQnG2Py5cQX9GgmWH1sDy3 +rIsWlU+e46ysSWK/bnudnAlzZMB9KJATVZu5+xmCumH2hLJv5vz+jnKcgU9MBZMO +cKgNdFUbtRlU/gfTaohmLIuSquunCCrXLsLD8ygbKKXfSPGVo2XkvX3oxqUo6dmA +LvU4N4sCQGiSzW+a13HBtk3TBZFsJSWUGSW/H7TVFiAonumJKRqRxMOkkB9JxX+V +9LZBYuBLpOeK4wZ8BUSNlHKnGpDzl0DzdYrGlzWz0jXlLGZ8KMfXAn9h0mOZ+IyK +eUlgMBYyAspCQzM= +-----END CERTIFICATE----- +""" + +client_key_pem = normalize_privatekey_pem( + b"""-----BEGIN RSA PRIVATE KEY----- +MIIG5AIBAAKCAYEAxgoXTjGNeuBUnCan4ieSxLY2DihIOJ5jADBrhyE/MGWRH82m +h4QW8qcyqtnDz9arch4L7VDDOijhRI+MvQKJ6s83ZVcWzIuvgL2C1pT6Aea/xtRn +bJVL123OxdNgf+rAf/ohV5nHYzowEHC1sVYFC/tQqHqGNWsDWJs0Lniv0/Nmv+gG +E3a8e10V+MH8Y2G9aN2550Q/4xkmpCMpV3lBhbIkjZAbP3STJFDjcYswHQBNrVuj +YT7hNjtFIqc1IXYBZx+lj3ydCdUu42d3kE1Ky5BaVkqf2Ycf5f0JfbztMGoB2k9s +DomXSlU/Eulejj8ye/x9XrwqDOhLkjwQuQwz9Zz3rQitb7gvZG+w4OshT7dQiq1R +bdGOluWOfxs4rFLb2FfzhrV+AzsC/SLevA9OEK77p9bf2g4f3OYCqn6iBh1L1LnB +Zjoug60aWnX62i2TERjdsrD46FcITIMMEpkloc4kCFH8SqMs9QlLMq+RoeYHYn23 +tQDmMLumHbZZoagrAgMBAAECggGAAXA5UxwRBv9yHeA5/+6BpmQcaGXqgF7GIU44 +ubaIGvXh4/U+bGWNNR35xDvorC3G+QE23PZlNJrvZ+wS/ZxzG/19TYMga0Podmrp +9F0Io9LlObB5P9SlxF7LzawHW2Z9F3DdpSE8zX+ysavf5fXV+4xLva2GJAUu9QnL +izrdLBDsgiBRSvrly4+VhUUDbEVddtGFdCSOwjuAiFipCDWdQDdXBKAzUnaqSu07 +eaulIdDKv6OWwDIQuLAdhG7qd9+/h5MB/rAG8v4bgbHz1H/RZw5VIOuOhfCodzJx +3Smfh5td21jwJ2RfZYEPNOMtFa9eRFtH2/uRa5jbJiZb8YWIzWy0xCNQpKheSoBO +wiuMDBS2HCYm2SgEYDdJiE2OkRAk0UwTiUmlmZd0a3NfJ/rfQE+JiDQ28Arj3EZl +SY/V3KdviM4MbaoX7f9j9sjAe5Rk1M+yI8OsnM/hf77m0CSiJJpLpvgqhMjjT+NI +aBm1FyTq6qu506d0YUZy+Wr2DRsBAoHBAPfshuOiDXo9UmJxM1mSJQ0rQlxWSWmX +bIAsPrpKslTFYHk7xbcCbJCqMbHmCsyvYy3oW3SpJs6Vi2wQWuUQmsm0YC7qdkXF +Fyo2f7vF7roQcXLxVmQRo0OxZ9JpLAZ9DKMEcNfYyUiQiqJmZuIyWKngqBl6OoL2 +8EJSFjTY1tR/nDxGLpZSsqoZJWQGd9B2bK4y6NktDF1GkexCpKaSyXZT612JGPG2 +0gSIwRq1OgZH3SPHevhVMjJtxGue2XARywKBwQDMfZHtdJI9RuurM9UuULZ72SmW +oLzki3LwFQ/QoS9wrHK+OqQDWH2ddON1PoB4LOCpwB4CC83pMyfxurgLHut6saHL +hQ5N+h0jUC2pSJOXZSfF2Hx8YHCT7Dga5kmgEy89c1TF48IL2LdUZQQIGZt8+FxM +4nxT9NFlu/UWY2oftT+ZwFsIock/DYYUKxDXw9YkOmt1lO5u1SKte0NdQ4RhBeqK +nRADMSS9oKZkSUxkwaDJH2GkUVTyBsF/kmh+dyECgcEA6jy3yRQPxcFwOAAZ8vOo +PAP2I8WGgNQHOCYVce8nA/6jwocdq2YH6rpST3E4HOFMRFB3MAas2pvh6UyehDOm ++xGHmmv9KLgoxcJN9rvwbC0i8uVfqRYc+dUAcYTaiprVOKP2dYilzAB8ayly5R2K +NZ5DVCbuZ1Ql9ZMW1gFVH9odY7kvROmHUjyF3jZaN0PcNM12v9HXD72gGudwJs0i +uMBa7LmeLql7TbtjLvewhcSaA7bx0PS1g33ACapAZ6j3AoHAN2PsGz3wPtjvDTjF +Df6e730rXrm7cMy1HYMW/ZQrnYGYsx5/PsjBfd0jn6aGdgbx9AkuF6/K3tgUgc3p +/Fkrv9hN0yr/bO/K5L3bIHegQuoLk/PIBIi69daOe/rVBp8rtKGA3PmMnljdj+as +6OTG0VsU5V6T/snZzozTHnVfUaduyt7nybbJJGMtZlkj/s31O2r3oKnuy+a/te4l +mSWovf80QMe6hqLRKOxTJecU4lXwj4oIkNHXCJf74epuk5MBAoHBALyvg90KzMFX +ZEjdPIXULR6/3rub8yD7LVYbNhhYWGo8GybzsBUC0kczRpRXFnmbq1GDIXQf5A+2 +3ZaGsWzAxLjvL3KwH1LUaXVWwFMOM2n6zTk18XEXrNvp+E5QtPwpO5c4VlPr0cAC +tTPAmbu6kVPlQ6mKiqlPAsfh0BD2mRVo2cTjZgDotKshb5uCHD8/PnCfOjCXFxOf +DWjBuR73/r5Bj+ktRoD4V2SFdO6loJwH6B8rsBjD0NbAGs9otKvy+Q== +-----END RSA PRIVATE KEY----- +""" +) + +cleartextCertificateRequestPEM = b"""-----BEGIN CERTIFICATE REQUEST----- +MIIBnjCCAQcCAQAwXjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAklMMRAwDgYDVQQH +EwdDaGljYWdvMRcwFQYDVQQKEw5NeSBDb21wYW55IEx0ZDEXMBUGA1UEAxMORnJl +ZGVyaWNrIERlYW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANp6Y17WzKSw +BsUWkXdqg6tnXy8H8hA1msCMWpc+/2KJ4mbv5NyD6UD+/SqagQqulPbF/DFea9nA +E0zhmHJELcM8gUTIlXv/cgDWnmK4xj8YkjVUiCdqKRAKeuzLG1pGmwwF5lGeJpXN +xQn5ecR0UYSOWj6TTGXB9VyUMQzCClcBAgMBAAGgADANBgkqhkiG9w0BAQUFAAOB +gQAAJGuF/R/GGbeC7FbFW+aJgr9ee0Xbl6nlhu7pTe67k+iiKT2dsl2ti68MVTnu +Vrb3HUNqOkiwsJf6kCtq5oPn3QVYzTa76Dt2y3Rtzv6boRSlmlfrgS92GNma8JfR +oICQk3nAudi6zl1Dix3BCv1pUp5KMtGn3MeDEi6QFGy2rA== +-----END CERTIFICATE REQUEST----- +""" + +encryptedPrivateKeyPEM = b"""-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,9573604A18579E9E + +SHOho56WxDkT0ht10UTeKc0F5u8cqIa01kzFAmETw0MAs8ezYtK15NPdCXUm3X/2 +a17G7LSF5bkxOgZ7vpXyMzun/owrj7CzvLxyncyEFZWvtvzaAhPhvTJtTIB3kf8B +8+qRcpTGK7NgXEgYBW5bj1y4qZkD4zCL9o9NQzsKI3Ie8i0239jsDOWR38AxjXBH +mGwAQ4Z6ZN5dnmM4fhMIWsmFf19sNyAML4gHenQCHhmXbjXeVq47aC2ProInJbrm ++00TcisbAQ40V9aehVbcDKtS4ZbMVDwncAjpXpcncC54G76N6j7F7wL7L/FuXa3A +fvSVy9n2VfF/pJ3kYSflLHH2G/DFxjF7dl0GxhKPxJjp3IJi9VtuvmN9R2jZWLQF +tfC8dXgy/P9CfFQhlinqBTEwgH0oZ/d4k4NVFDSdEMaSdmBAjlHpc+Vfdty3HVnV +rKXj//wslsFNm9kIwJGIgKUa/n2jsOiydrsk1mgH7SmNCb3YHgZhbbnq0qLat/HC +gHDt3FHpNQ31QzzL3yrenFB2L9osIsnRsDTPFNi4RX4SpDgNroxOQmyzCCV6H+d4 +o1mcnNiZSdxLZxVKccq0AfRpHqpPAFnJcQHP6xyT9MZp6fBa0XkxDnt9kNU8H3Qw +7SJWZ69VXjBUzMlQViLuaWMgTnL+ZVyFZf9hTF7U/ef4HMLMAVNdiaGG+G+AjCV/ +MbzjS007Oe4qqBnCWaFPSnJX6uLApeTbqAxAeyCql56ULW5x6vDMNC3dwjvS/CEh +11n8RkgFIQA0AhuKSIg3CbuartRsJnWOLwgLTzsrKYL4yRog1RJrtw== +-----END RSA PRIVATE KEY----- +""" + +encryptedPrivateKeyPEMPassphrase = b"foobar" + +cleartextPrivateKeyPEM = """-----BEGIN PRIVATE KEY----- +MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMcRMugJ4kvkOEuT +AvMFr9+3A6+HAB6nKYcXXZz93ube8rJpBZQEfWn73H10dQiQR/a+rhxYEeLy8dPc +UkFcGR9miVkukJ59zex7iySJY76bdBD8gyx1LTKrkCstP2XHKEYqgbj+tm7VzJnY +sQLqoaa5NeyWJnUC3MJympkAS7p3AgMBAAECgYAoBAcNqd75jnjaiETRgVUnTWzK +PgMCJmwsob/JrSa/lhWHU6Exbe2f/mcGOQDFpesxaIcrX3DJBDkkc2d9h/vsfo5v +JLk/rbHoItWxwuY5n5raAPeQPToKpTDxDrL6Ejhgcxd19wNht7/XSrYZ+dq3iU6G +mOEvU2hrnfIW3kwVYQJBAP62G6R0gucNfaKGtHzfR3TN9G/DnCItchF+TxGTtpdh +Cz32MG+7pirT/0xunekmUIp15QHdRy496sVxWTCooLkCQQDIEwXTAwhLNRGFEs5S +jSkxNfTVeNiOzlG8jPBJJDAdlLt1gUqjZWnk9yU+itMSGi/6eeuH2n04FFk+SV/T +7ryvAkB0y0ZDk5VOozX/p2rtc2iNm77A3N4kIdiTQuq4sZXhNgN0pwWwxke8jbcb +8gEAnqwBwWt//locTxHu9TmjgT8pAkEAlbF16B0atXptM02QxT8MlN8z4gxaqu4/ +RX2FwpOq1FcVsqMbvwj/o+ouGY8wwRiK0TMrQCf/DFhdNTcc1aqHzQJBAKWtq4LI +uVZjCAuyrqEnt7R1bOiLrar+/ezJPY2z+f2rb1TGr31ztPeFvO3edLw+QdhzwJGp +QKImYzqMe+zkIOQ= +-----END PRIVATE KEY----- +""" + +cleartextPublicKeyPEM = b"""-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxszlc+b71LvlLS0ypt/l +gT/JzSVJtnEqw9WUNGeiChywX2mmQLHEt7KP0JikqUFZOtPclNY823Q4pErMTSWC +90qlUxI47vNJbXGRfmO2q6Zfw6SE+E9iUb74xezbOJLjBuUIkQzEKEFV+8taiRV+ +ceg1v01yCT2+OjhQW3cxG42zxyRFmqesbQAUWgS3uhPrUQqYQUEiTmVhh4FBUKZ5 +XIneGUpX1S7mXRxTLH6YzRoGFqRoc9A0BBNcoXHTWnxV215k4TeHMFYE5RG0KYAS +8Xk5iKICEXwnZreIt3jyygqoOKsKZMK/Zl2VhMGhJR6HXRpQCyASzEG7bgtROLhL +ywIDAQAB +-----END PUBLIC KEY----- +""" + +# Some PKCS#7 stuff. Generated with the openssl command line: +# +# openssl crl2pkcs7 -inform pem -outform pem -certfile s.pem -nocrl +# +# with a certificate and key (but the key should be irrelevant) in s.pem +pkcs7Data = b"""\ +-----BEGIN PKCS7----- +MIIDNwYJKoZIhvcNAQcCoIIDKDCCAyQCAQExADALBgkqhkiG9w0BBwGgggMKMIID +BjCCAm+gAwIBAgIBATANBgkqhkiG9w0BAQQFADB7MQswCQYDVQQGEwJTRzERMA8G +A1UEChMITTJDcnlwdG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQDExtN +MkNyeXB0byBDZXJ0aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5ncHNA +cG9zdDEuY29tMB4XDTAwMDkxMDA5NTEzMFoXDTAyMDkxMDA5NTEzMFowUzELMAkG +A1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRIwEAYDVQQDEwlsb2NhbGhvc3Qx +HTAbBgkqhkiG9w0BCQEWDm5ncHNAcG9zdDEuY29tMFwwDQYJKoZIhvcNAQEBBQAD +SwAwSAJBAKy+e3dulvXzV7zoTZWc5TzgApr8DmeQHTYC8ydfzH7EECe4R1Xh5kwI +zOuuFfn178FBiS84gngaNcrFi0Z5fAkCAwEAAaOCAQQwggEAMAkGA1UdEwQCMAAw +LAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0G +A1UdDgQWBBTPhIKSvnsmYsBVNWjj0m3M2z0qVTCBpQYDVR0jBIGdMIGagBT7hyNp +65w6kxXlxb8pUU/+7Sg4AaF/pH0wezELMAkGA1UEBhMCU0cxETAPBgNVBAoTCE0y +Q3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0byBDQTEkMCIGA1UEAxMbTTJDcnlwdG8g +Q2VydGlmaWNhdGUgTWFzdGVyMR0wGwYJKoZIhvcNAQkBFg5uZ3BzQHBvc3QxLmNv +bYIBADANBgkqhkiG9w0BAQQFAAOBgQA7/CqT6PoHycTdhEStWNZde7M/2Yc6BoJu +VwnW8YxGO8Sn6UJ4FeffZNcYZddSDKosw8LtPOeWoK3JINjAk5jiPQ2cww++7QGG +/g5NDjxFZNDJP1dGiLAxPW6JXwov4v0FmdzfLOZ01jDcgQQZqEpYlgpuI5JEWUQ9 +Ho4EzbYCOaEAMQA= +-----END PKCS7----- +""" + +pkcs7DataASN1 = base64.b64decode( + b""" +MIIDNwYJKoZIhvcNAQcCoIIDKDCCAyQCAQExADALBgkqhkiG9w0BBwGgggMKMIID +BjCCAm+gAwIBAgIBATANBgkqhkiG9w0BAQQFADB7MQswCQYDVQQGEwJTRzERMA8G +A1UEChMITTJDcnlwdG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQDExtN +MkNyeXB0byBDZXJ0aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5ncHNA +cG9zdDEuY29tMB4XDTAwMDkxMDA5NTEzMFoXDTAyMDkxMDA5NTEzMFowUzELMAkG +A1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRIwEAYDVQQDEwlsb2NhbGhvc3Qx +HTAbBgkqhkiG9w0BCQEWDm5ncHNAcG9zdDEuY29tMFwwDQYJKoZIhvcNAQEBBQAD +SwAwSAJBAKy+e3dulvXzV7zoTZWc5TzgApr8DmeQHTYC8ydfzH7EECe4R1Xh5kwI +zOuuFfn178FBiS84gngaNcrFi0Z5fAkCAwEAAaOCAQQwggEAMAkGA1UdEwQCMAAw +LAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0G +A1UdDgQWBBTPhIKSvnsmYsBVNWjj0m3M2z0qVTCBpQYDVR0jBIGdMIGagBT7hyNp +65w6kxXlxb8pUU/+7Sg4AaF/pH0wezELMAkGA1UEBhMCU0cxETAPBgNVBAoTCE0y +Q3J5cHRvMRQwEgYDVQQLEwtNMkNyeXB0byBDQTEkMCIGA1UEAxMbTTJDcnlwdG8g +Q2VydGlmaWNhdGUgTWFzdGVyMR0wGwYJKoZIhvcNAQkBFg5uZ3BzQHBvc3QxLmNv +bYIBADANBgkqhkiG9w0BAQQFAAOBgQA7/CqT6PoHycTdhEStWNZde7M/2Yc6BoJu +VwnW8YxGO8Sn6UJ4FeffZNcYZddSDKosw8LtPOeWoK3JINjAk5jiPQ2cww++7QGG +/g5NDjxFZNDJP1dGiLAxPW6JXwov4v0FmdzfLOZ01jDcgQQZqEpYlgpuI5JEWUQ9 +Ho4EzbYCOaEAMQA= +""" +) + +crlData = b"""\ +-----BEGIN X509 CRL----- +MIIBWzCBxTANBgkqhkiG9w0BAQQFADBYMQswCQYDVQQGEwJVUzELMAkGA1UECBMC +SUwxEDAOBgNVBAcTB0NoaWNhZ28xEDAOBgNVBAoTB1Rlc3RpbmcxGDAWBgNVBAMT +D1Rlc3RpbmcgUm9vdCBDQRcNMDkwNzI2MDQzNDU2WhcNMTIwOTI3MDI0MTUyWjA8 +MBUCAgOrGA8yMDA5MDcyNTIzMzQ1NlowIwICAQAYDzIwMDkwNzI1MjMzNDU2WjAM +MAoGA1UdFQQDCgEEMA0GCSqGSIb3DQEBBAUAA4GBAEBt7xTs2htdD3d4ErrcGAw1 +4dKcVnIWTutoI7xxen26Wwvh8VCsT7i/UeP+rBl9rC/kfjWjzQk3/zleaarGTpBT +0yp4HXRFFoRhhSE/hP+eteaPXRgrsNRLHe9ZDd69wmh7J1wMDb0m81RG7kqcbsid +vrzEeLDRiiPl92dyyWmu +-----END X509 CRL----- +""" + +crlDataUnsupportedExtension = b"""\ +-----BEGIN X509 CRL----- +MIIGRzCCBS8CAQIwDQYJKoZIhvcNAQELBQAwJzELMAkGA1UEBhMCVVMxGDAWBgNV +BAMMD2NyeXB0b2dyYXBoeS5pbxgPMjAxNTAxMDEwMDAwMDBaGA8yMDE2MDEwMTAw +MDAwMFowggTOMBQCAQAYDzIwMTUwMTAxMDAwMDAwWjByAgEBGA8yMDE1MDEwMTAw +MDAwMFowXDAYBgNVHRgEERgPMjAxNTAxMDEwMDAwMDBaMDQGA1UdHQQtMCukKTAn +MQswCQYDVQQGEwJVUzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQD +CgEAMHICAQIYDzIwMTUwMTAxMDAwMDAwWjBcMBgGA1UdGAQRGA8yMDE1MDEwMTAw +MDAwMFowNAYDVR0dBC0wK6QpMCcxCzAJBgNVBAYTAlVTMRgwFgYDVQQDDA9jcnlw +dG9ncmFwaHkuaW8wCgYDVR0VBAMKAQEwcgIBAxgPMjAxNTAxMDEwMDAwMDBaMFww +GAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAwWjA0BgNVHR0ELTArpCkwJzELMAkGA1UE +BhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeS5pbzAKBgNVHRUEAwoBAjByAgEE +GA8yMDE1MDEwMTAwMDAwMFowXDAYBgNVHRgEERgPMjAxNTAxMDEwMDAwMDBaMDQG +A1UdHQQtMCukKTAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5 +LmlvMAoGA1UdFQQDCgEDMHICAQUYDzIwMTUwMTAxMDAwMDAwWjBcMBgGA1UdGAQR +GA8yMDE1MDEwMTAwMDAwMFowNAYDVR0dBC0wK6QpMCcxCzAJBgNVBAYTAlVTMRgw +FgYDVQQDDA9jcnlwdG9ncmFwaHkuaW8wCgYDVR0VBAMKAQQwcgIBBhgPMjAxNTAx +MDEwMDAwMDBaMFwwGAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAwWjA0BgNVHR0ELTAr +pCkwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeS5pbzAKBgNV +HRUEAwoBBTByAgEHGA8yMDE1MDEwMTAwMDAwMFowXDAYBgNVHRgEERgPMjAxNTAx +MDEwMDAwMDBaMDQGA1UdHQQtMCukKTAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwP +Y3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQDCgEGMHICAQgYDzIwMTUwMTAxMDAwMDAw +WjBcMBgGA1UdGAQRGA8yMDE1MDEwMTAwMDAwMFowNAYDVR0dBC0wK6QpMCcxCzAJ +BgNVBAYTAlVTMRgwFgYDVQQDDA9jcnlwdG9ncmFwaHkuaW8wCgYDVR0VBAMKAQgw +cgIBCRgPMjAxNTAxMDEwMDAwMDBaMFwwGAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAw +WjA0BgNVHR0ELTArpCkwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dy +YXBoeS5pbzAKBgNVHRUEAwoBCTByAgEKGA8yMDE1MDEwMTAwMDAwMFowXDAYBgNV +HRgEERgPMjAxNTAxMDEwMDAwMDBaMDQGA1UdHQQtMCukKTAnMQswCQYDVQQGEwJV +UzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQDCgEKMC4CAQsYDzIw +MTUwMTAxMDAwMDAwWjAYMAoGA1UdFQQDCgEBMAoGAyoDBAQDCgEAMA0GCSqGSIb3 +DQEBCwUAA4IBAQBTaloHlPaCZzYee8LxkWej5meiqxQVNWFoVdjesroa+f1FRrH+ +drRU60Nq97KCKf7f9GNN/J3ZIlQmYhmuDqh12f+XLpotoj1ZRfBz2hjFCkJlv+2c +oWWGNHgA70ndFoVtcmX088SYpX8E3ARATivS4q2h9WlwV6rO93mhg3HGIe3JpcK4 +7BcW6Poi/ut/zsDOkVbI00SqaujRpdmdCTht82MH3ztjyDkI9KYaD/YEweKSrWOz +SdEILd164bfBeLuplVI+xpmTEMVNpXBlSXl7+xIw9Vk7p7Q1Pa3k/SvhOldYCm6y +C1xAg/AAq6w78yzYt18j5Mj0s6eeHi1YpHKw +-----END X509 CRL----- +""" + + +# A broken RSA private key which can be used to test the error path through +# PKey.check. +inconsistentPrivateKeyPEM = b"""-----BEGIN RSA PRIVATE KEY----- +MIIBPAIBAAJBAKy+e3dulvXzV7zoTZWc5TzgApr8DmeQHTYC8ydfzH7EECe4R1Xh +5kwIzOuuFfn178FBiS84gngaNcrFi0Z5fAkCAwEaAQJBAIqm/bz4NA1H++Vx5Ewx +OcKp3w19QSaZAwlGRtsUxrP7436QjnREM3Bm8ygU11BjkPVmtrKm6AayQfCHqJoT +zIECIQDW0BoMoL0HOYM/mrTLhaykYAVqgIeJsPjvkEhTFXWBuQIhAM3deFAvWNu4 +nklUQ37XsCT2c9tmNt1LAT+slG2JOTTRAiAuXDtC/m3NYVwyHfFm+zKHRzHkClk2 +HjubeEgjpj32AQIhAJqMGTaZVOwevTXvvHwNeH+vRWsAYU/gbx+OQB+7VOcBAiEA +oolb6NMg/R3enNPvS1O4UU1H8wpaF77L4yiSWlE0p4w= +-----END RSA PRIVATE KEY----- +""" + +# certificate with NULL bytes in subjectAltName and common name + +nulbyteSubjectAltNamePEM = b"""-----BEGIN CERTIFICATE----- +MIIE2DCCA8CgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBxTELMAkGA1UEBhMCVVMx +DzANBgNVBAgMBk9yZWdvbjESMBAGA1UEBwwJQmVhdmVydG9uMSMwIQYDVQQKDBpQ +eXRob24gU29mdHdhcmUgRm91bmRhdGlvbjEgMB4GA1UECwwXUHl0aG9uIENvcmUg +RGV2ZWxvcG1lbnQxJDAiBgNVBAMMG251bGwucHl0aG9uLm9yZwBleGFtcGxlLm9y +ZzEkMCIGCSqGSIb3DQEJARYVcHl0aG9uLWRldkBweXRob24ub3JnMB4XDTEzMDgw +NzEzMTE1MloXDTEzMDgwNzEzMTI1MlowgcUxCzAJBgNVBAYTAlVTMQ8wDQYDVQQI +DAZPcmVnb24xEjAQBgNVBAcMCUJlYXZlcnRvbjEjMCEGA1UECgwaUHl0aG9uIFNv +ZnR3YXJlIEZvdW5kYXRpb24xIDAeBgNVBAsMF1B5dGhvbiBDb3JlIERldmVsb3Bt +ZW50MSQwIgYDVQQDDBtudWxsLnB5dGhvbi5vcmcAZXhhbXBsZS5vcmcxJDAiBgkq +hkiG9w0BCQEWFXB5dGhvbi1kZXZAcHl0aG9uLm9yZzCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBALXq7cn7Rn1vO3aA3TrzA5QLp6bb7B3f/yN0CJ2XFj+j +pHs+Gw6WWSUDpybiiKnPec33BFawq3kyblnBMjBU61ioy5HwQqVkJ8vUVjGIUq3P +vX/wBmQfzCe4o4uM89gpHyUL9UYGG8oCRa17dgqcv7u5rg0Wq2B1rgY+nHwx3JIv +KRrgSwyRkGzpN8WQ1yrXlxWjgI9de0mPVDDUlywcWze1q2kwaEPTM3hLAmD1PESA +oY/n8A/RXoeeRs9i/Pm/DGUS8ZPINXk/yOzsR/XvvkTVroIeLZqfmFpnZeF0cHzL +08LODkVJJ9zjLdT7SA4vnne4FEbAxDbKAq5qkYzaL4UCAwEAAaOB0DCBzTAMBgNV +HRMBAf8EAjAAMB0GA1UdDgQWBBSIWlXAUv9hzVKjNQ/qWpwkOCL3XDALBgNVHQ8E +BAMCBeAwgZAGA1UdEQSBiDCBhYIeYWx0bnVsbC5weXRob24ub3JnAGV4YW1wbGUu +Y29tgSBudWxsQHB5dGhvbi5vcmcAdXNlckBleGFtcGxlLm9yZ4YpaHR0cDovL251 +bGwucHl0aG9uLm9yZwBodHRwOi8vZXhhbXBsZS5vcmeHBMAAAgGHECABDbgAAAAA +AAAAAAAAAAEwDQYJKoZIhvcNAQEFBQADggEBAKxPRe99SaghcI6IWT7UNkJw9aO9 +i9eo0Fj2MUqxpKbdb9noRDy2CnHWf7EIYZ1gznXPdwzSN4YCjV5d+Q9xtBaowT0j +HPERs1ZuytCNNJTmhyqZ8q6uzMLoht4IqH/FBfpvgaeC5tBTnTT0rD5A/olXeimk +kX4LxlEx5RAvpGB2zZVRGr6LobD9rVK91xuHYNIxxxfEGE8tCCWjp0+3ksri9SXx +VHWBnbM9YaL32u3hxm8sYB/Yb8WSBavJCWJJqRStVRHM1koZlJmXNx2BX4vPo6iW +RFEIPQsFZRLrtnCAiEhyT8bC2s/Njlu6ly9gtJZWSV46Q3ZjBL4q9sHKqZQ= +-----END CERTIFICATE-----""" + +large_key_pem = b"""-----BEGIN RSA PRIVATE KEY----- +MIIJYgIBAAKCAg4AtRua8eIeevRfsj+fkcHr1vmse7Kgb+oX1ssJAvCb1R7JQMnH +hNDjDP6b3vEkZuPUzlDHymP+cNkXvvi4wJ4miVbO3+SeU4Sh+jmsHeHzGIXat9xW +9PFtuPM5FQq8zvkY8aDeRYmYwN9JKu4/neMBCBqostYlTEWg+bSytO/qWnyHTHKh +g0GfaDdqUQPsGQw+J0MgaYIjQOCVASHAPlzbDQLCtuOb587rwTLkZA2GwoHB/LyJ +BwT0HHgBaiObE12Vs6wi2en0Uu11CiwEuK1KIBcZ2XbE6eApaZa6VH9ysEmUxPt7 +TqyZ4E2oMIYaLPNRxuvozdwTlj1svI1k1FrkaXGc5MTjbgigPMKjIb0T7b/4GNzt +DhP1LvAeUMnrEi3hJJrcJPXHPqS8/RiytR9xQQW6Sdh4LaA3f9MQm3WSevWage3G +P8YcCLssOVKsArDjuA52NF5LmYuAeUzXprm4ITDi2oO+0iFBpFW6VPEK4A9vO0Yk +M/6Wt6tG8zyWhaSH1zFUTwfQ9Yvjyt5w1lrUaAJuoTpwbMVZaDJaEhjOaXU0dyPQ +jOsePDOQcU6dkeTWsQ3LsHPEEug/X6819TLG5mb3V7bvV9nPFBfTJSCEG794kr90 +XgZfIN71FrdByxLerlbuJI21pPs/nZi9SXi9jAWeiS45/azUxMsyYgJArui+gjq7 +sV1pWiBm6/orAgMBAAECggINQp5L6Yu+oIXBqcSjgq8tfF9M5hd30pLuf/EheHZf +LA7uAqn2fVGFI2OInIJhXIOT5OxsAXO0xXfltzawZxIFpOFMqajj4F7aYjvSpw9V +J4EdSiJ/zgv8y1qUdbwEZbHVThRZjoSlrtSzilonBoHZAE0mHtqMz7iRFSk1zz6t +GunRrvo/lROPentf3TsvHquVNUYI5yaapyO1S7xJhecMIIYSb8nbsHI54FBDGNas +6mFmpPwI/47/6HTwOEWupnn3NicsjrHzUInOUpaMig4cRR+aP5bjqg/ty8xI8AoN +evEmCytiWTc+Rvbp1ieN+1jpjN18PjUk80/W7qioHUDt4ieLic8uxWH2VD9SCEnX +Mpi9tA/FqoZ+2A/3m1OfrY6jiZVE2g+asi9lCK7QVWL39eK82H4rPvtp0/dyo1/i +ZZz68TXg+m8IgEZcp88hngbkuoTTzpGE73QuPKhGA1uMIimDdqPPB5WP76q+03Oi +IRR5DfZnqPERed49by0enJ7tKa/gFPZizOV8ALKr0Dp+vfAkxGDLPLBLd2A3//tw +xg0Q/wltihHSBujv4nYlDXdc5oYyMYZ+Lhc/VuOghHfBq3tgEQ1ECM/ofqXEIdy7 +nVcpZn3Eeq8Jl5CrqxE1ee3NxlzsJHn99yGQpr7mOhW/psJF3XNz80Meg3L4m1T8 +sMBK0GbaassuJhdzb5whAoIBBw48sx1b1WR4XxQc5O/HjHva+l16i2pjUnOUTcDF +RWmSbIhBm2QQ2rVhO8+fak0tkl6ZnMWW4i0U/X5LOEBbC7+IS8bO3j3Revi+Vw5x +j96LMlIe9XEub5i/saEWgiz7maCvfzLFU08e1OpT4qPDpP293V400ubA6R7WQTCv +pBkskGwHeu0l/TuKkVqBFFUTu7KEbps8Gjg7MkJaFriAOv1zis/umK8pVS3ZAM6e +8w5jfpRccn8Xzta2fRwTB5kCmfxdDsY0oYGxPLRAbW72bORoLGuyyPp/ojeGwoik +JX9RttErc6FjyZtks370Pa8UL5QskyhMbDhrZW2jFD+RXYM1BrvmZRjbAoIBBwy4 +iFJpuDfytJfz1MWtaL5DqEL/kmiZYAXl6hifNhGu5GAipVIIGsDqEYW4i+VC15aa +7kOCwz/I5zsB3vSDW96IRs4wXtqEZSibc2W/bqfVi+xcvPPl1ZhQ2EAwa4D/x035 +kyf20ffWOU+1yf2cnijzqs3IzlveUm+meLw5s3Rc+iG7DPWWeCoe1hVwANI1euNc +pqKwKY905yFyjOje2OgiEU2kS4YME4zGeBys8yo7E42hNnN2EPK6xkkUqzdudLLQ +8OUlKRTc8AbIf3XG1rpA4VUpTv3hhxGGwCRy6If8zgZQsNYchgNztRGk72Gcb8Dm +vFSEN3ZtwxU64G3YZzntdcr2WPzxAoIBBw30g6Fgdb/gmVnOpL0//T0ePNDKIMPs +jVJLaRduhoZgB1Bb9qPUPX0SzRzLZtg1tkZSDjBDoHmOHJfhxUaXt+FLCPPbrE4t ++nq9n/nBaMM779w9ClqhqLOyGrwKoxjSmhi+TVEHyIxCbXMvPHVHfX9WzxjbcGrN +ZvRaEVZWo+QlIX8yqdSwqxLk1WtAIRzvlcj7NKum8xBxPed6BNFep/PtgIAmoLT5 +L8wb7EWb2iUdc2KbZ4OaY51lDScqpATgXu3WjXfM+Q52G0mX6Wyd0cjlL711Zrjb +yLbiueZT94lgIHHRRKtKc8CEqcjkQV5OzABS3P/gQSfgZXBdLKjOpTnKDUq7IBeH +AoIBBweAOEIAPLQg1QRUrr3xRrYKRwlakgZDii9wJt1l5AgBTICzbTA1vzDJ1JM5 +AqSpCV6w9JWyYVcXK+HLdKBRZLaPPNEQDJ5lOxD6uMziWGl2rg8tj+1xNMWfxiPz +aTCjoe4EoBUMoTq2gwzRcM2usEQNikXVhnj9Wzaivsaeb4bJ3GRPW5DkrO6JSEtT +w+gvyMqQM2Hy5k7E7BT46sXVwaj/jZxuqGnebRixXtnp0WixdRIqYWUr1UqLf6hQ +G7WP2BgoxCMaCmNW8+HMD/xuxucEotoIhZ+GgJKBFoNnjl3BX+qxYdSe9RbL/5Tr +4It6Jxtj8uETJXEbv9Cg6v1agWPS9YY8RLTBAoIBBwrU2AsAUts6h1LgGLKK3UWZ +oLH5E+4o+7HqSGRcRodVeN9NBXIYdHHOLeEG6YNGJiJ3bFP5ZQEu9iDsyoFVKJ9O +Mw/y6dKZuxOCZ+X8FopSROg3yWfdOpAm6cnQZp3WqLNX4n/Q6WvKojfyEiPphjwT +0ymrUJELXLWJmjUyPoAk6HgC0Gs28ZnEXbyhx7CSbZNFyCU/PNUDZwto3GisIPD3 +le7YjqHugezmjMGlA0sDw5aCXjfbl74vowRFYMO6e3ItApfSRgNV86CDoX74WI/5 +AYU/QVM4wGt8XGT2KwDFJaxYGKsGDMWmXY04dS+WPuetCbouWUusyFwRb9SzFave +vYeU7Ab/ +-----END RSA PRIVATE KEY-----""" + +ec_private_key_pem = b"""-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgYirTZSx+5O8Y6tlG +cka6W6btJiocdrdolfcukSoTEk+hRANCAAQkvPNu7Pa1GcsWU4v7ptNfqCJVq8Cx +zo0MUVPQgwJ3aJtNM1QMOQUayCrRwfklg+D/rFSUwEUqtZh7fJDiFqz3 +-----END PRIVATE KEY----- +""" + +ec_root_key_pem = b"""-----BEGIN EC PRIVATE KEY----- +MIGlAgEBBDEAz/HOBFPYLB0jLWeTpJn4Yc4m/C4mdWymVHBjOmnwiPHKT326iYN/ +ZhmSs+RM94RsoAcGBSuBBAAioWQDYgAEwE5vDdla/nLpWAPAQ0yFGqwLuw4BcN2r +U+sKab5EAEHzLeceRa8ffncYdCXNoVsBcdob1y66CFZMEWLetPTmGapyWkBAs6/L +8kUlkU9OsE+7IVo4QQJkgV5gM+Dim1XE +-----END EC PRIVATE KEY----- +""" + +ec_root_cert_pem = b"""-----BEGIN CERTIFICATE----- +MIICLTCCAbKgAwIBAgIMWW/hwTl6ufz6/WkCMAoGCCqGSM49BAMDMFgxGDAWBgNV +BAMTD1Rlc3RpbmcgUm9vdCBDQTEQMA4GA1UEChMHVGVzdGluZzEQMA4GA1UEBxMH +Q2hpY2FnbzELMAkGA1UECBMCSUwxCzAJBgNVBAYTAlVTMCAXDTE3MDcxOTIyNDgz +M1oYDzk5OTkxMjMxMjM1OTU5WjBYMRgwFgYDVQQDEw9UZXN0aW5nIFJvb3QgQ0Ex +EDAOBgNVBAoTB1Rlc3RpbmcxEDAOBgNVBAcTB0NoaWNhZ28xCzAJBgNVBAgTAklM +MQswCQYDVQQGEwJVUzB2MBAGByqGSM49AgEGBSuBBAAiA2IABMBObw3ZWv5y6VgD +wENMhRqsC7sOAXDdq1PrCmm+RABB8y3nHkWvH353GHQlzaFbAXHaG9cuughWTBFi +3rT05hmqclpAQLOvy/JFJZFPTrBPuyFaOEECZIFeYDPg4ptVxKNDMEEwDwYDVR0T +AQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBSoTrF0H2m8RDzB +MnY2KReEPfz7ZjAKBggqhkjOPQQDAwNpADBmAjEA3+G1oVCxGjYX4iUN93QYcNHe +e3fJQJwX9+KsHRut6qNZDUbvRbtO1YIAwB4UJZjwAjEAtXCPURS5A4McZHnSwgTi +Td8GMrwKz0557OxxtKN6uVVy4ACFMqEw0zN/KJI1vxc9 +-----END CERTIFICATE-----""" + +rsa_p_not_prime_pem = """ +-----BEGIN RSA PRIVATE KEY----- +MBsCAQACAS0CAQcCAQACAQ8CAQMCAQACAQACAQA= +-----END RSA PRIVATE KEY----- +""" + + +@pytest.fixture +def x509_data(): + """ + Create a new private key and start a certificate request (for a test + to finish in one way or another). + """ + # Basic setup stuff to generate a certificate + pkey = PKey() + pkey.generate_key(TYPE_RSA, 512) + req = X509Req() + req.set_pubkey(pkey) + # Authority good you have. + req.get_subject().commonName = "Yoda root CA" + x509 = X509() + subject = x509.get_subject() + subject.commonName = req.get_subject().commonName + x509.set_issuer(subject) + x509.set_pubkey(pkey) + now = datetime.now() + expire = datetime.now() + timedelta(days=100) + x509.set_notBefore(now.strftime("%Y%m%d%H%M%SZ").encode()) + x509.set_notAfter(expire.strftime("%Y%m%d%H%M%SZ").encode()) + yield pkey, x509 + + +class TestX509Ext(object): + """ + Tests for `OpenSSL.crypto.X509Extension`. + """ + + def test_str(self): + """ + The string representation of `X509Extension` instances as + returned by `str` includes stuff. + """ + # This isn't necessarily the best string representation. Perhaps it + # will be changed/improved in the future. + assert ( + str(X509Extension(b"basicConstraints", True, b"CA:false")) + == "CA:FALSE" + ) + + def test_type(self): + """ + `X509Extension` can be used to create instances of that type. + """ + assert is_consistent_type( + X509Extension, + "X509Extension", + b"basicConstraints", + True, + b"CA:true", + ) + + def test_construction(self): + """ + `X509Extension` accepts an extension type name, a critical flag, + and an extension value and returns an `X509Extension` instance. + """ + basic = X509Extension(b"basicConstraints", True, b"CA:true") + assert isinstance(basic, X509Extension) + + comment = X509Extension(b"nsComment", False, b"pyOpenSSL unit test") + assert isinstance(comment, X509Extension) + + @pytest.mark.parametrize( + "type_name, critical, value", + [ + (b"thisIsMadeUp", False, b"hi"), + (b"basicConstraints", False, b"blah blah"), + # Exercise a weird one (an extension which uses the r2i method). + # This exercises the codepath that requires a non-NULL ctx to be + # passed to X509V3_EXT_nconf. It can't work now because we provide + # no configuration database. It might be made to work in the + # future. + ( + b"proxyCertInfo", + True, + b"language:id-ppl-anyLanguage,pathlen:1,policy:text:AB", + ), + ], + ) + def test_invalid_extension(self, type_name, critical, value): + """ + `X509Extension` raises something if it is passed a bad + extension name or value. + """ + with pytest.raises(Error): + X509Extension(type_name, critical, value) + + @pytest.mark.parametrize("critical_flag", [True, False]) + def test_get_critical(self, critical_flag): + """ + `X509ExtensionType.get_critical` returns the value of the + extension's critical flag. + """ + ext = X509Extension(b"basicConstraints", critical_flag, b"CA:true") + assert ext.get_critical() == critical_flag + + @pytest.mark.parametrize( + "short_name, value", + [(b"basicConstraints", b"CA:true"), (b"nsComment", b"foo bar")], + ) + def test_get_short_name(self, short_name, value): + """ + `X509ExtensionType.get_short_name` returns a string giving the + short type name of the extension. + """ + ext = X509Extension(short_name, True, value) + assert ext.get_short_name() == short_name + + def test_get_data(self): + """ + `X509Extension.get_data` returns a string giving the data of + the extension. + """ + ext = X509Extension(b"basicConstraints", True, b"CA:true") + # Expect to get back the DER encoded form of CA:true. + assert ext.get_data() == b"0\x03\x01\x01\xff" + + def test_unused_subject(self, x509_data): + """ + The `subject` parameter to `X509Extension` may be provided for an + extension which does not use it and is ignored in this case. + """ + pkey, x509 = x509_data + ext1 = X509Extension( + b"basicConstraints", False, b"CA:TRUE", subject=x509 + ) + x509.add_extensions([ext1]) + x509.sign(pkey, "sha1") + # This is a little lame. Can we think of a better way? + text = dump_certificate(FILETYPE_TEXT, x509) + assert b"X509v3 Basic Constraints:" in text + assert b"CA:TRUE" in text + + def test_subject(self, x509_data): + """ + If an extension requires a subject, the `subject` parameter to + `X509Extension` provides its value. + """ + pkey, x509 = x509_data + ext3 = X509Extension( + b"subjectKeyIdentifier", False, b"hash", subject=x509 + ) + x509.add_extensions([ext3]) + x509.sign(pkey, "sha1") + text = dump_certificate(FILETYPE_TEXT, x509) + assert b"X509v3 Subject Key Identifier:" in text + + def test_missing_subject(self): + """ + If an extension requires a subject and the `subject` parameter + is given no value, something happens. + """ + with pytest.raises(Error): + X509Extension(b"subjectKeyIdentifier", False, b"hash") + + @pytest.mark.parametrize("bad_obj", [True, object(), "hello", []]) + def test_invalid_subject(self, bad_obj): + """ + If the `subject` parameter is given a value which is not an + `X509` instance, `TypeError` is raised. + """ + with pytest.raises(TypeError): + X509Extension( + "basicConstraints", False, "CA:TRUE", subject=bad_obj + ) + + def test_unused_issuer(self, x509_data): + """ + The `issuer` parameter to `X509Extension` may be provided for an + extension which does not use it and is ignored in this case. + """ + pkey, x509 = x509_data + ext1 = X509Extension( + b"basicConstraints", False, b"CA:TRUE", issuer=x509 + ) + x509.add_extensions([ext1]) + x509.sign(pkey, "sha1") + text = dump_certificate(FILETYPE_TEXT, x509) + assert b"X509v3 Basic Constraints:" in text + assert b"CA:TRUE" in text + + def test_issuer(self, x509_data): + """ + If an extension requires an issuer, the `issuer` parameter to + `X509Extension` provides its value. + """ + pkey, x509 = x509_data + ext2 = X509Extension( + b"authorityKeyIdentifier", False, b"issuer:always", issuer=x509 + ) + x509.add_extensions([ext2]) + x509.sign(pkey, "sha1") + text = dump_certificate(FILETYPE_TEXT, x509) + assert b"X509v3 Authority Key Identifier:" in text + assert b"DirName:/CN=Yoda root CA" in text + + def test_missing_issuer(self): + """ + If an extension requires an issue and the `issuer` parameter is + given no value, something happens. + """ + with pytest.raises(Error): + X509Extension( + b"authorityKeyIdentifier", False, b"keyid:always,issuer:always" + ) + + @pytest.mark.parametrize("bad_obj", [True, object(), "hello", []]) + def test_invalid_issuer(self, bad_obj): + """ + If the `issuer` parameter is given a value which is not an + `X509` instance, `TypeError` is raised. + """ + with pytest.raises(TypeError): + X509Extension( + "basicConstraints", + False, + "keyid:always,issuer:always", + issuer=bad_obj, + ) + + +class TestPKey(object): + """ + Tests for `OpenSSL.crypto.PKey`. + """ + + def test_convert_from_cryptography_private_key(self): + """ + PKey.from_cryptography_key creates a proper private PKey. + """ + key = serialization.load_pem_private_key( + intermediate_key_pem, None, backend + ) + pkey = PKey.from_cryptography_key(key) + + assert isinstance(pkey, PKey) + assert pkey.bits() == key.key_size + assert pkey._only_public is False + assert pkey._initialized is True + + def test_convert_from_cryptography_public_key(self): + """ + PKey.from_cryptography_key creates a proper public PKey. + """ + key = serialization.load_pem_public_key(cleartextPublicKeyPEM, backend) + pkey = PKey.from_cryptography_key(key) + + assert isinstance(pkey, PKey) + assert pkey.bits() == key.key_size + assert pkey._only_public is True + assert pkey._initialized is True + + def test_convert_from_cryptography_unsupported_type(self): + """ + PKey.from_cryptography_key raises TypeError with an unsupported type. + """ + key = serialization.load_pem_private_key( + ec_private_key_pem, None, backend + ) + with pytest.raises(TypeError): + PKey.from_cryptography_key(key) + + def test_convert_public_pkey_to_cryptography_key(self): + """ + PKey.to_cryptography_key creates a proper cryptography public key. + """ + pkey = load_publickey(FILETYPE_PEM, cleartextPublicKeyPEM) + key = pkey.to_cryptography_key() + + assert isinstance(key, rsa.RSAPublicKey) + assert pkey.bits() == key.key_size + + def test_convert_private_pkey_to_cryptography_key(self): + """ + PKey.to_cryptography_key creates a proper cryptography private key. + """ + pkey = load_privatekey(FILETYPE_PEM, root_key_pem) + key = pkey.to_cryptography_key() + + assert isinstance(key, rsa.RSAPrivateKey) + assert pkey.bits() == key.key_size + + def test_type(self): + """ + `PKey` can be used to create instances of that type. + """ + assert is_consistent_type(PKey, "PKey") + + def test_construction(self): + """ + `PKey` takes no arguments and returns a new `PKey` instance. + """ + key = PKey() + assert isinstance(key, PKey) + + def test_pregeneration(self): + """ + `PKey.bits` and `PKey.type` return `0` before the key is generated. + `PKey.check` raises `TypeError` before the key is generated. + """ + key = PKey() + assert key.type() == 0 + assert key.bits() == 0 + with pytest.raises(TypeError): + key.check() + + def test_failed_generation(self): + """ + `PKey.generate_key` takes two arguments, the first giving the key type + as one of `TYPE_RSA` or `TYPE_DSA` and the second giving the number of + bits to generate. If an invalid type is specified or generation fails, + `Error` is raised. If an invalid number of bits is specified, + `ValueError` or `Error` is raised. + """ + key = PKey() + with pytest.raises(TypeError): + key.generate_key("foo", "bar") + with pytest.raises(Error): + key.generate_key(-1, 0) + + with pytest.raises(ValueError): + key.generate_key(TYPE_RSA, -1) + with pytest.raises(ValueError): + key.generate_key(TYPE_RSA, 0) + + with pytest.raises(TypeError): + key.generate_key(TYPE_RSA, object()) + + # XXX RSA generation for small values of bits is fairly buggy in a wide + # range of OpenSSL versions. I need to figure out what the safe lower + # bound for a reasonable number of OpenSSL versions is and explicitly + # check for that in the wrapper. The failure behavior is typically an + # infinite loop inside OpenSSL. + + # with pytest.raises(Error): + # key.generate_key(TYPE_RSA, 2) + + # XXX DSA generation seems happy with any number of bits. The DSS + # says bits must be between 512 and 1024 inclusive. OpenSSL's DSA + # generator doesn't seem to care about the upper limit at all. For + # the lower limit, it uses 512 if anything smaller is specified. + # So, it doesn't seem possible to make generate_key fail for + # TYPE_DSA with a bits argument which is at least an int. + + # with pytest.raises(Error): + # key.generate_key(TYPE_DSA, -7) + + def test_rsa_generation(self): + """ + `PKey.generate_key` generates an RSA key when passed `TYPE_RSA` as a + type and a reasonable number of bits. + """ + bits = 512 + key = PKey() + key.generate_key(TYPE_RSA, bits) + assert key.type() == TYPE_RSA + assert key.bits() == bits + assert key.check() + + def test_dsa_generation(self): + """ + `PKey.generate_key` generates a DSA key when passed `TYPE_DSA` as a + type and a reasonable number of bits. + """ + # 512 is a magic number. The DSS (Digital Signature Standard) + # allows a minimum of 512 bits for DSA. DSA_generate_parameters + # will silently promote any value below 512 to 512. + bits = 512 + key = PKey() + key.generate_key(TYPE_DSA, bits) + assert key.type() == TYPE_DSA + assert key.bits() == bits + with pytest.raises(TypeError): + key.check() + + def test_regeneration(self): + """ + `PKey.generate_key` can be called multiple times on the same key to + generate new keys. + """ + key = PKey() + for type, bits in [(TYPE_RSA, 512), (TYPE_DSA, 576)]: + key.generate_key(type, bits) + assert key.type() == type + assert key.bits() == bits + + def test_inconsistent_key(self): + """ + `PKey.check` returns `Error` if the key is not consistent. + """ + key = load_privatekey(FILETYPE_PEM, inconsistentPrivateKeyPEM) + with pytest.raises(Error): + key.check() + + def test_check_public_key(self): + """ + `PKey.check` raises `TypeError` if only the public part of the key + is available. + """ + # A trick to get a public-only key + key = PKey() + key.generate_key(TYPE_RSA, 512) + cert = X509() + cert.set_pubkey(key) + pub = cert.get_pubkey() + with pytest.raises(TypeError): + pub.check() + + def test_check_pr_897(self): + """ + `PKey.check` raises `OpenSSL.crypto.Error` if provided with broken key + """ + pkey = load_privatekey(FILETYPE_PEM, rsa_p_not_prime_pem) + with pytest.raises(Error): + pkey.check() + + +def x509_name(**attrs): + """ + Return a new X509Name with the given attributes. + """ + # XXX There's no other way to get a new X509Name yet. + name = X509().get_subject() + attrs = list(attrs.items()) + + # Make the order stable - order matters! + def key(attr): + return attr[1] + + attrs.sort(key=key) + for k, v in attrs: + setattr(name, k, v) + return name + + +class TestX509Name(object): + """ + Unit tests for `OpenSSL.crypto.X509Name`. + """ + + def test_type(self): + """ + The type of X509Name objects is `X509Name`. + """ + name = x509_name() + assert isinstance(name, X509Name) + + def test_only_string_attributes(self): + """ + Attempting to set a non-`str` attribute name on an `X509Name` instance + causes `TypeError` to be raised. + """ + name = x509_name() + # Beyond these cases, you may also think that unicode should be + # rejected. Sorry, you're wrong. unicode is automatically converted + # to str outside of the control of X509Name, so there's no way to + # reject it. + + # Also, this used to test str subclasses, but that test is less + # relevant now that the implementation is in Python instead of C. Also + # PyPy automatically converts str subclasses to str when they are + # passed to setattr, so we can't test it on PyPy. Apparently CPython + # does this sometimes as well. + with pytest.raises(TypeError): + setattr(name, None, "hello") + with pytest.raises(TypeError): + setattr(name, 30, "hello") + + def test_set_invalid_attribute(self): + """ + Attempting to set any attribute name on an `X509Name` instance for + which no corresponding NID is defined causes `AttributeError` to be + raised. + """ + name = x509_name() + with pytest.raises(AttributeError): + setattr(name, "no such thing", None) + + def test_attributes(self): + """ + `X509Name` instances have attributes for each standard (?) + X509Name field. + """ + name = x509_name() + name.commonName = "foo" + assert name.commonName == "foo" + assert name.CN == "foo" + + name.CN = "baz" + assert name.commonName == "baz" + assert name.CN == "baz" + + name.commonName = "bar" + assert name.commonName == "bar" + assert name.CN == "bar" + + name.CN = "quux" + assert name.commonName == "quux" + assert name.CN == "quux" + + assert name.OU is None + + with pytest.raises(AttributeError): + name.foobar + + def test_copy(self): + """ + `X509Name` creates a new `X509Name` instance with all the same + attributes as an existing `X509Name` instance when called with one. + """ + name = x509_name(commonName="foo", emailAddress="bar@example.com") + + copy = X509Name(name) + assert copy.commonName == "foo" + assert copy.emailAddress == "bar@example.com" + + # Mutate the copy and ensure the original is unmodified. + copy.commonName = "baz" + assert name.commonName == "foo" + + # Mutate the original and ensure the copy is unmodified. + name.emailAddress = "quux@example.com" + assert copy.emailAddress == "bar@example.com" + + def test_repr(self): + """ + `repr` passed an `X509Name` instance should return a string containing + a description of the type and the NIDs which have been set on it. + """ + name = x509_name(commonName="foo", emailAddress="bar") + assert repr(name) == "<X509Name object '/emailAddress=bar/CN=foo'>" + + def test_comparison(self): + """ + `X509Name` instances should compare based on their NIDs. + """ + + def _equality(a, b, assert_true, assert_false): + assert_true(a == b) + assert_false(a != b) + assert_true(b == a) + assert_false(b != a) + + def assert_true(x): + assert x + + def assert_false(x): + assert not x + + def assert_equal(a, b): + _equality(a, b, assert_true, assert_false) + + # Instances compare equal to themselves. + name = x509_name() + assert_equal(name, name) + + # Empty instances should compare equal to each other. + assert_equal(x509_name(), x509_name()) + + # Instances with equal NIDs should compare equal to each other. + assert_equal(x509_name(commonName="foo"), x509_name(commonName="foo")) + + # Instance with equal NIDs set using different aliases should compare + # equal to each other. + assert_equal(x509_name(commonName="foo"), x509_name(CN="foo")) + + # Instances with more than one NID with the same values should compare + # equal to each other. + assert_equal( + x509_name(CN="foo", organizationalUnitName="bar"), + x509_name(commonName="foo", OU="bar"), + ) + + def assert_not_equal(a, b): + _equality(a, b, assert_false, assert_true) + + # Instances with different values for the same NID should not compare + # equal to each other. + assert_not_equal(x509_name(CN="foo"), x509_name(CN="bar")) + + # Instances with different NIDs should not compare equal to each other. + assert_not_equal(x509_name(CN="foo"), x509_name(OU="foo")) + + assert_not_equal(x509_name(), object()) + + def _inequality(a, b, assert_true, assert_false): + assert_true(a < b) + assert_true(a <= b) + assert_true(b > a) + assert_true(b >= a) + assert_false(a > b) + assert_false(a >= b) + assert_false(b < a) + assert_false(b <= a) + + def assert_less_than(a, b): + _inequality(a, b, assert_true, assert_false) + + # An X509Name with a NID with a value which sorts less than the value + # of the same NID on another X509Name compares less than the other + # X509Name. + assert_less_than(x509_name(CN="abc"), x509_name(CN="def")) + + def assert_greater_than(a, b): + _inequality(a, b, assert_false, assert_true) + + # An X509Name with a NID with a value which sorts greater than the + # value of the same NID on another X509Name compares greater than the + # other X509Name. + assert_greater_than(x509_name(CN="def"), x509_name(CN="abc")) + + def test_hash(self): + """ + `X509Name.hash` returns an integer hash based on the value of the name. + """ + a = x509_name(CN="foo") + b = x509_name(CN="foo") + assert a.hash() == b.hash() + a.CN = "bar" + assert a.hash() != b.hash() + + def test_der(self): + """ + `X509Name.der` returns the DER encoded form of the name. + """ + a = x509_name(CN="foo", C="US") + assert ( + a.der() == b"0\x1b1\x0b0\t\x06\x03U\x04\x06\x13\x02US" + b"1\x0c0\n\x06\x03U\x04\x03\x0c\x03foo" + ) + + def test_get_components(self): + """ + `X509Name.get_components` returns a `list` of two-tuples of `str` + giving the NIDs and associated values which make up the name. + """ + a = x509_name() + assert a.get_components() == [] + a.CN = "foo" + assert a.get_components() == [(b"CN", b"foo")] + a.organizationalUnitName = "bar" + assert a.get_components() == [(b"CN", b"foo"), (b"OU", b"bar")] + + def test_load_nul_byte_attribute(self): + """ + An `X509Name` from an `X509` instance loaded from a file can have a + NUL byte in the value of one of its attributes. + """ + cert = load_certificate(FILETYPE_PEM, nulbyteSubjectAltNamePEM) + subject = cert.get_subject() + assert "null.python.org\x00example.org" == subject.commonName + + def test_load_nul_byte_components(self): + """ + An `X509Name` from an `X509` instance loaded from a file can have a + NUL byte in the value of its components + """ + cert = load_certificate(FILETYPE_PEM, nulbyteSubjectAltNamePEM) + subject = cert.get_subject() + components = subject.get_components() + ccn = [value for name, value in components if name == b"CN"] + assert ccn[0] == b"null.python.org\x00example.org" + + def test_set_attribute_failure(self): + """ + If the value of an attribute cannot be set for some reason then + `Error` is raised. + """ + name = x509_name() + # This value is too long + with pytest.raises(Error): + setattr(name, "O", b"x" * 512) + + +class _PKeyInteractionTestsMixin: + """ + Tests which involve another thing and a PKey. + """ + + def signable(self): + """ + Return something with `set_pubkey` and `sign` methods. + """ + raise NotImplementedError() + + def test_sign_with_ungenerated(self): + """ + `X509Req.sign` raises `ValueError` when passed a `PKey` with no parts. + """ + request = self.signable() + key = PKey() + with pytest.raises(ValueError): + request.sign(key, GOOD_DIGEST) + + def test_sign_with_public_key(self): + """ + `X509Req.sign` raises `ValueError` when passed a `PKey` with no private + part as the signing key. + """ + request = self.signable() + key = PKey() + key.generate_key(TYPE_RSA, 512) + request.set_pubkey(key) + pub = request.get_pubkey() + with pytest.raises(ValueError): + request.sign(pub, GOOD_DIGEST) + + def test_sign_with_unknown_digest(self): + """ + `X509Req.sign` raises `ValueError` when passed a digest name which is + not known. + """ + request = self.signable() + key = PKey() + key.generate_key(TYPE_RSA, 512) + with pytest.raises(ValueError): + request.sign(key, BAD_DIGEST) + + def test_sign(self): + """ + `X509Req.sign` succeeds when passed a private key object and a + valid digest function. `X509Req.verify` can be used to check + the signature. + """ + request = self.signable() + key = PKey() + key.generate_key(TYPE_RSA, 512) + request.set_pubkey(key) + request.sign(key, GOOD_DIGEST) + # If the type has a verify method, cover that too. + if getattr(request, "verify", None) is not None: + pub = request.get_pubkey() + assert request.verify(pub) + # Make another key that won't verify. + key = PKey() + key.generate_key(TYPE_RSA, 512) + with pytest.raises(Error): + request.verify(key) + + +class TestX509Req(_PKeyInteractionTestsMixin): + """ + Tests for `OpenSSL.crypto.X509Req`. + """ + + def signable(self): + """ + Create and return a new `X509Req`. + """ + return X509Req() + + def test_type(self): + """ + `X509Req` can be used to create instances of that type. + """ + assert is_consistent_type(X509Req, "X509Req") + + def test_construction(self): + """ + `X509Req` takes no arguments and returns an `X509Req` instance. + """ + request = X509Req() + assert isinstance(request, X509Req) + + def test_version(self): + """ + `X509Req.set_version` sets the X.509 version of the certificate + request. `X509Req.get_version` returns the X.509 version of the + certificate request. The initial value of the version is 0. + """ + request = X509Req() + assert request.get_version() == 0 + request.set_version(1) + assert request.get_version() == 1 + request.set_version(3) + assert request.get_version() == 3 + + def test_version_wrong_args(self): + """ + `X509Req.set_version` raises `TypeError` if called with a non-`int` + argument. + """ + request = X509Req() + with pytest.raises(TypeError): + request.set_version("foo") + + def test_get_subject(self): + """ + `X509Req.get_subject` returns an `X509Name` for the subject of the + request and which is valid even after the request object is + otherwise dead. + """ + request = X509Req() + subject = request.get_subject() + assert isinstance(subject, X509Name) + subject.commonName = "foo" + assert request.get_subject().commonName == "foo" + del request + subject.commonName = "bar" + assert subject.commonName == "bar" + + def test_add_extensions(self): + """ + `X509Req.add_extensions` accepts a `list` of `X509Extension` instances + and adds them to the X509 request. + """ + request = X509Req() + request.add_extensions( + [X509Extension(b"basicConstraints", True, b"CA:false")] + ) + exts = request.get_extensions() + assert len(exts) == 1 + assert exts[0].get_short_name() == b"basicConstraints" + assert exts[0].get_critical() == 1 + assert exts[0].get_data() == b"0\x00" + + def test_get_extensions(self): + """ + `X509Req.get_extensions` returns a `list` of extensions added to this + X509 request. + """ + request = X509Req() + exts = request.get_extensions() + assert exts == [] + request.add_extensions( + [ + X509Extension(b"basicConstraints", True, b"CA:true"), + X509Extension(b"keyUsage", False, b"digitalSignature"), + ] + ) + exts = request.get_extensions() + assert len(exts) == 2 + assert exts[0].get_short_name() == b"basicConstraints" + assert exts[0].get_critical() == 1 + assert exts[0].get_data() == b"0\x03\x01\x01\xff" + assert exts[1].get_short_name() == b"keyUsage" + assert exts[1].get_critical() == 0 + assert exts[1].get_data() == b"\x03\x02\x07\x80" + # Requesting it a second time should return the same list + exts = request.get_extensions() + assert len(exts) == 2 + + def test_add_extensions_wrong_args(self): + """ + `X509Req.add_extensions` raises `TypeError` if called with a + non-`list`. Or it raises `ValueError` if called with a `list` + containing objects other than `X509Extension` instances. + """ + request = X509Req() + with pytest.raises(TypeError): + request.add_extensions(object()) + with pytest.raises(ValueError): + request.add_extensions([object()]) + + def test_verify_wrong_args(self): + """ + `X509Req.verify` raises `TypeError` if passed anything other than a + `PKey` instance as its single argument. + """ + request = X509Req() + with pytest.raises(TypeError): + request.verify(object()) + + def test_verify_uninitialized_key(self): + """ + `X509Req.verify` raises `OpenSSL.crypto.Error` if called with a + `OpenSSL.crypto.PKey` which contains no key data. + """ + request = X509Req() + pkey = PKey() + with pytest.raises(Error): + request.verify(pkey) + + def test_verify_wrong_key(self): + """ + `X509Req.verify` raises `OpenSSL.crypto.Error` if called with a + `OpenSSL.crypto.PKey` which does not represent the public part of the + key which signed the request. + """ + request = X509Req() + pkey = load_privatekey(FILETYPE_PEM, root_key_pem) + request.set_pubkey(pkey) + request.sign(pkey, GOOD_DIGEST) + another_pkey = load_privatekey(FILETYPE_PEM, client_key_pem) + with pytest.raises(Error): + request.verify(another_pkey) + + def test_verify_success(self): + """ + `X509Req.verify` returns `True` if called with a `OpenSSL.crypto.PKey` + which represents the public part of the key which signed the request. + """ + request = X509Req() + pkey = load_privatekey(FILETYPE_PEM, root_key_pem) + request.set_pubkey(pkey) + request.sign(pkey, GOOD_DIGEST) + assert request.verify(pkey) + + def test_convert_from_cryptography(self): + crypto_req = x509.load_pem_x509_csr( + cleartextCertificateRequestPEM, backend + ) + req = X509Req.from_cryptography(crypto_req) + assert isinstance(req, X509Req) + + def test_convert_from_cryptography_unsupported_type(self): + with pytest.raises(TypeError): + X509Req.from_cryptography(object()) + + def test_convert_to_cryptography_key(self): + req = load_certificate_request( + FILETYPE_PEM, cleartextCertificateRequestPEM + ) + crypto_req = req.to_cryptography() + assert isinstance(crypto_req, x509.CertificateSigningRequest) + + +class TestX509(_PKeyInteractionTestsMixin): + """ + Tests for `OpenSSL.crypto.X509`. + """ + + pemData = root_cert_pem + root_key_pem + + def signable(self): + """ + Create and return a new `X509`. + """ + certificate = X509() + # Fill in placeholder validity values. signable only expects to call + # set_pubkey and sign. + certificate.gmtime_adj_notBefore(-24 * 60 * 60) + certificate.gmtime_adj_notAfter(24 * 60 * 60) + return certificate + + def test_type(self): + """ + `X509` can be used to create instances of that type. + """ + assert is_consistent_type(X509, "X509") + + def test_construction(self): + """ + `X509` takes no arguments and returns an instance of `X509`. + """ + certificate = X509() + assert isinstance(certificate, X509) + assert type(certificate).__name__ == "X509" + assert type(certificate) == X509 + + def test_set_version_wrong_args(self): + """ + `X509.set_version` raises `TypeError` if invoked with an argument + not of type `int`. + """ + cert = X509() + with pytest.raises(TypeError): + cert.set_version(None) + + def test_version(self): + """ + `X509.set_version` sets the certificate version number. + `X509.get_version` retrieves it. + """ + cert = X509() + cert.set_version(1234) + assert cert.get_version() == 1234 + + def test_serial_number(self): + """ + The serial number of an `X509` can be retrieved and + modified with `X509.get_serial_number` and + `X509.set_serial_number`. + """ + certificate = X509() + with pytest.raises(TypeError): + certificate.set_serial_number("1") + assert certificate.get_serial_number() == 0 + certificate.set_serial_number(1) + assert certificate.get_serial_number() == 1 + certificate.set_serial_number(2 ** 32 + 1) + assert certificate.get_serial_number() == 2 ** 32 + 1 + certificate.set_serial_number(2 ** 64 + 1) + assert certificate.get_serial_number() == 2 ** 64 + 1 + certificate.set_serial_number(2 ** 128 + 1) + assert certificate.get_serial_number() == 2 ** 128 + 1 + + def _setBoundTest(self, which): + """ + `X509.set_notBefore` takes a string in the format of an + ASN1 GENERALIZEDTIME and sets the beginning of the certificate's + validity period to it. + """ + certificate = X509() + set = getattr(certificate, "set_not" + which) + get = getattr(certificate, "get_not" + which) + + # Starts with no value. + assert get() is None + + # GMT (Or is it UTC?) -exarkun + when = b"20040203040506Z" + set(when) + assert get() == when + + # A plus two hours and thirty minutes offset + when = b"20040203040506+0530" + set(when) + assert get() == when + + # A minus one hour fifteen minutes offset + when = b"20040203040506-0115" + set(when) + assert get() == when + + # An invalid string results in a ValueError + with pytest.raises(ValueError): + set(b"foo bar") + + # The wrong number of arguments results in a TypeError. + with pytest.raises(TypeError): + set() + with pytest.raises(TypeError): + set(b"20040203040506Z", b"20040203040506Z") + with pytest.raises(TypeError): + get(b"foo bar") + + # XXX ASN1_TIME (not GENERALIZEDTIME) + + def test_set_notBefore(self): + """ + `X509.set_notBefore` takes a string in the format of an + ASN1 GENERALIZEDTIME and sets the beginning of the certificate's + validity period to it. + """ + self._setBoundTest("Before") + + def test_set_notAfter(self): + """ + `X509.set_notAfter` takes a string in the format of an ASN1 + GENERALIZEDTIME and sets the end of the certificate's validity period + to it. + """ + self._setBoundTest("After") + + def test_get_notBefore(self): + """ + `X509.get_notBefore` returns a string in the format of an + ASN1 GENERALIZEDTIME even for certificates which store it as UTCTIME + internally. + """ + cert = load_certificate(FILETYPE_PEM, old_root_cert_pem) + assert cert.get_notBefore() == b"20090325123658Z" + + def test_get_notAfter(self): + """ + `X509.get_notAfter` returns a string in the format of an + ASN1 GENERALIZEDTIME even for certificates which store it as UTCTIME + internally. + """ + cert = load_certificate(FILETYPE_PEM, old_root_cert_pem) + assert cert.get_notAfter() == b"20170611123658Z" + + def test_gmtime_adj_notBefore_wrong_args(self): + """ + `X509.gmtime_adj_notBefore` raises `TypeError` if called with a + non-`int` argument. + """ + cert = X509() + with pytest.raises(TypeError): + cert.gmtime_adj_notBefore(None) + + @flaky.flaky + def test_gmtime_adj_notBefore(self): + """ + `X509.gmtime_adj_notBefore` changes the not-before timestamp to be the + current time plus the number of seconds passed in. + """ + cert = load_certificate(FILETYPE_PEM, self.pemData) + not_before_min = datetime.utcnow().replace(microsecond=0) + timedelta( + seconds=100 + ) + cert.gmtime_adj_notBefore(100) + not_before = datetime.strptime( + cert.get_notBefore().decode(), "%Y%m%d%H%M%SZ" + ) + not_before_max = datetime.utcnow() + timedelta(seconds=100) + assert not_before_min <= not_before <= not_before_max + + def test_gmtime_adj_notAfter_wrong_args(self): + """ + `X509.gmtime_adj_notAfter` raises `TypeError` if called with a + non-`int` argument. + """ + cert = X509() + with pytest.raises(TypeError): + cert.gmtime_adj_notAfter(None) + + @flaky.flaky + def test_gmtime_adj_notAfter(self): + """ + `X509.gmtime_adj_notAfter` changes the not-after timestamp + to be the current time plus the number of seconds passed in. + """ + cert = load_certificate(FILETYPE_PEM, self.pemData) + not_after_min = datetime.utcnow().replace(microsecond=0) + timedelta( + seconds=100 + ) + cert.gmtime_adj_notAfter(100) + not_after = datetime.strptime( + cert.get_notAfter().decode(), "%Y%m%d%H%M%SZ" + ) + not_after_max = datetime.utcnow() + timedelta(seconds=100) + assert not_after_min <= not_after <= not_after_max + + def test_has_expired(self): + """ + `X509.has_expired` returns `True` if the certificate's not-after time + is in the past. + """ + cert = X509() + cert.gmtime_adj_notAfter(-1) + assert cert.has_expired() + + def test_has_not_expired(self): + """ + `X509.has_expired` returns `False` if the certificate's not-after time + is in the future. + """ + cert = X509() + cert.gmtime_adj_notAfter(2) + assert not cert.has_expired() + + def test_root_has_not_expired(self): + """ + `X509.has_expired` returns `False` if the certificate's not-after time + is in the future. + """ + cert = load_certificate(FILETYPE_PEM, root_cert_pem) + assert not cert.has_expired() + + def test_digest(self): + """ + `X509.digest` returns a string giving ":"-separated hex-encoded + words of the digest of the certificate. + """ + cert = load_certificate(FILETYPE_PEM, old_root_cert_pem) + assert ( + # This is MD5 instead of GOOD_DIGEST because the digest algorithm + # actually matters to the assertion (ie, another arbitrary, good + # digest will not product the same digest). + # Digest verified with the command: + # openssl x509 -in root_cert.pem -noout -fingerprint -md5 + cert.digest("MD5") + == b"19:B3:05:26:2B:F8:F2:FF:0B:8F:21:07:A8:28:B8:75" + ) + + def _extcert(self, pkey, extensions): + cert = X509() + # Certificates with extensions must be X.509v3, which is encoded with a + # version of two. + cert.set_version(2) + cert.set_pubkey(pkey) + cert.get_subject().commonName = "Unit Tests" + cert.get_issuer().commonName = "Unit Tests" + when = datetime.now().strftime("%Y%m%d%H%M%SZ").encode("ascii") + cert.set_notBefore(when) + cert.set_notAfter(when) + + cert.add_extensions(extensions) + cert.sign(pkey, "sha1") + return load_certificate( + FILETYPE_PEM, dump_certificate(FILETYPE_PEM, cert) + ) + + def test_extension_count(self): + """ + `X509.get_extension_count` returns the number of extensions + that are present in the certificate. + """ + pkey = load_privatekey(FILETYPE_PEM, client_key_pem) + ca = X509Extension(b"basicConstraints", True, b"CA:FALSE") + key = X509Extension(b"keyUsage", True, b"digitalSignature") + subjectAltName = X509Extension( + b"subjectAltName", True, b"DNS:example.com" + ) + + # Try a certificate with no extensions at all. + c = self._extcert(pkey, []) + assert c.get_extension_count() == 0 + + # And a certificate with one + c = self._extcert(pkey, [ca]) + assert c.get_extension_count() == 1 + + # And a certificate with several + c = self._extcert(pkey, [ca, key, subjectAltName]) + assert c.get_extension_count() == 3 + + def test_get_extension(self): + """ + `X509.get_extension` takes an integer and returns an + `X509Extension` corresponding to the extension at that index. + """ + pkey = load_privatekey(FILETYPE_PEM, client_key_pem) + ca = X509Extension(b"basicConstraints", True, b"CA:FALSE") + key = X509Extension(b"keyUsage", True, b"digitalSignature") + subjectAltName = X509Extension( + b"subjectAltName", False, b"DNS:example.com" + ) + + cert = self._extcert(pkey, [ca, key, subjectAltName]) + + ext = cert.get_extension(0) + assert isinstance(ext, X509Extension) + assert ext.get_critical() + assert ext.get_short_name() == b"basicConstraints" + + ext = cert.get_extension(1) + assert isinstance(ext, X509Extension) + assert ext.get_critical() + assert ext.get_short_name() == b"keyUsage" + + ext = cert.get_extension(2) + assert isinstance(ext, X509Extension) + assert not ext.get_critical() + assert ext.get_short_name() == b"subjectAltName" + + with pytest.raises(IndexError): + cert.get_extension(-1) + with pytest.raises(IndexError): + cert.get_extension(4) + with pytest.raises(TypeError): + cert.get_extension("hello") + + def test_nullbyte_subjectAltName(self): + """ + The fields of a `subjectAltName` extension on an X509 may contain NUL + bytes and this value is reflected in the string representation of the + extension object. + """ + cert = load_certificate(FILETYPE_PEM, nulbyteSubjectAltNamePEM) + + ext = cert.get_extension(3) + assert ext.get_short_name() == b"subjectAltName" + assert ( + b"DNS:altnull.python.org\x00example.com, " + b"email:null@python.org\x00user@example.org, " + b"URI:http://null.python.org\x00http://example.org, " + b"IP Address:192.0.2.1, IP Address:2001:DB8:0:0:0:0:0:1\n" + == str(ext).encode("ascii") + ) + + def test_invalid_digest_algorithm(self): + """ + `X509.digest` raises `ValueError` if called with an unrecognized hash + algorithm. + """ + cert = X509() + with pytest.raises(ValueError): + cert.digest(BAD_DIGEST) + + def test_get_subject(self): + """ + `X509.get_subject` returns an `X509Name` instance. + """ + cert = load_certificate(FILETYPE_PEM, self.pemData) + subj = cert.get_subject() + assert isinstance(subj, X509Name) + assert subj.get_components() == [ + (b"C", b"US"), + (b"ST", b"IL"), + (b"L", b"Chicago"), + (b"O", b"Testing"), + (b"CN", b"Testing Root CA"), + ] + + def test_set_subject_wrong_args(self): + """ + `X509.set_subject` raises a `TypeError` if called with an argument not + of type `X509Name`. + """ + cert = X509() + with pytest.raises(TypeError): + cert.set_subject(None) + + def test_set_subject(self): + """ + `X509.set_subject` changes the subject of the certificate to the one + passed in. + """ + cert = X509() + name = cert.get_subject() + name.C = "AU" + name.OU = "Unit Tests" + cert.set_subject(name) + assert cert.get_subject().get_components() == [ + (b"C", b"AU"), + (b"OU", b"Unit Tests"), + ] + + def test_get_issuer(self): + """ + `X509.get_issuer` returns an `X509Name` instance. + """ + cert = load_certificate(FILETYPE_PEM, self.pemData) + subj = cert.get_issuer() + assert isinstance(subj, X509Name) + comp = subj.get_components() + assert comp == [ + (b"C", b"US"), + (b"ST", b"IL"), + (b"L", b"Chicago"), + (b"O", b"Testing"), + (b"CN", b"Testing Root CA"), + ] + + def test_set_issuer_wrong_args(self): + """ + `X509.set_issuer` raises a `TypeError` if called with an argument not + of type `X509Name`. + """ + cert = X509() + with pytest.raises(TypeError): + cert.set_issuer(None) + + def test_set_issuer(self): + """ + `X509.set_issuer` changes the issuer of the certificate to the + one passed in. + """ + cert = X509() + name = cert.get_issuer() + name.C = "AU" + name.OU = "Unit Tests" + cert.set_issuer(name) + assert cert.get_issuer().get_components() == [ + (b"C", b"AU"), + (b"OU", b"Unit Tests"), + ] + + def test_get_pubkey_uninitialized(self): + """ + When called on a certificate with no public key, `X509.get_pubkey` + raises `OpenSSL.crypto.Error`. + """ + cert = X509() + with pytest.raises(Error): + cert.get_pubkey() + + def test_set_pubkey_wrong_type(self): + """ + `X509.set_pubkey` raises `TypeError` when given an object of the + wrong type. + """ + cert = X509() + with pytest.raises(TypeError): + cert.set_pubkey(object()) + + def test_subject_name_hash(self): + """ + `X509.subject_name_hash` returns the hash of the certificate's + subject name. + """ + cert = load_certificate(FILETYPE_PEM, self.pemData) + # SHA1 + assert cert.subject_name_hash() == 3278919224 + + def test_get_signature_algorithm(self): + """ + `X509.get_signature_algorithm` returns a string which means + the algorithm used to sign the certificate. + """ + cert = load_certificate(FILETYPE_PEM, self.pemData) + assert b"sha256WithRSAEncryption" == cert.get_signature_algorithm() + + def test_get_undefined_signature_algorithm(self): + """ + `X509.get_signature_algorithm` raises `ValueError` if the signature + algorithm is undefined or unknown. + """ + # This certificate has been modified to indicate a bogus OID in the + # signature algorithm field so that OpenSSL does not recognize it. + certPEM = b"""\ +-----BEGIN CERTIFICATE----- +MIIC/zCCAmigAwIBAgIBATAGBgJ8BQUAMHsxCzAJBgNVBAYTAlNHMREwDwYDVQQK +EwhNMkNyeXB0bzEUMBIGA1UECxMLTTJDcnlwdG8gQ0ExJDAiBgNVBAMTG00yQ3J5 +cHRvIENlcnRpZmljYXRlIE1hc3RlcjEdMBsGCSqGSIb3DQEJARYObmdwc0Bwb3N0 +MS5jb20wHhcNMDAwOTEwMDk1MTMwWhcNMDIwOTEwMDk1MTMwWjBTMQswCQYDVQQG +EwJTRzERMA8GA1UEChMITTJDcnlwdG8xEjAQBgNVBAMTCWxvY2FsaG9zdDEdMBsG +CSqGSIb3DQEJARYObmdwc0Bwb3N0MS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBI +AkEArL57d26W9fNXvOhNlZzlPOACmvwOZ5AdNgLzJ1/MfsQQJ7hHVeHmTAjM664V ++fXvwUGJLziCeBo1ysWLRnl8CQIDAQABo4IBBDCCAQAwCQYDVR0TBAIwADAsBglg +hkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0O +BBYEFM+EgpK+eyZiwFU1aOPSbczbPSpVMIGlBgNVHSMEgZ0wgZqAFPuHI2nrnDqT +FeXFvylRT/7tKDgBoX+kfTB7MQswCQYDVQQGEwJTRzERMA8GA1UEChMITTJDcnlw +dG8xFDASBgNVBAsTC00yQ3J5cHRvIENBMSQwIgYDVQQDExtNMkNyeXB0byBDZXJ0 +aWZpY2F0ZSBNYXN0ZXIxHTAbBgkqhkiG9w0BCQEWDm5ncHNAcG9zdDEuY29tggEA +MA0GCSqGSIb3DQEBBAUAA4GBADv8KpPo+gfJxN2ERK1Y1l17sz/ZhzoGgm5XCdbx +jEY7xKfpQngV599k1xhl11IMqizDwu0855agrckg2MCTmOI9DZzDD77tAYb+Dk0O +PEVk0Mk/V0aIsDE9bolfCi/i/QWZ3N8s5nTWMNyBBBmoSliWCm4jkkRZRD0ejgTN +tgI5 +-----END CERTIFICATE----- +""" + cert = load_certificate(FILETYPE_PEM, certPEM) + with pytest.raises(ValueError): + cert.get_signature_algorithm() + + def test_sign_bad_pubkey_type(self): + """ + `X509.sign` raises `TypeError` when called with the wrong type. + """ + cert = X509() + with pytest.raises(TypeError): + cert.sign(object(), b"sha256") + + def test_convert_from_cryptography(self): + crypto_cert = x509.load_pem_x509_certificate( + intermediate_cert_pem, backend + ) + cert = X509.from_cryptography(crypto_cert) + + assert isinstance(cert, X509) + assert cert.get_version() == crypto_cert.version.value + + def test_convert_from_cryptography_unsupported_type(self): + with pytest.raises(TypeError): + X509.from_cryptography(object()) + + def test_convert_to_cryptography_key(self): + cert = load_certificate(FILETYPE_PEM, intermediate_cert_pem) + crypto_cert = cert.to_cryptography() + + assert isinstance(crypto_cert, x509.Certificate) + assert crypto_cert.version.value == cert.get_version() + + +class TestX509Store(object): + """ + Test for `OpenSSL.crypto.X509Store`. + """ + + def test_type(self): + """ + `X509Store` is a type object. + """ + assert is_consistent_type(X509Store, "X509Store") + + def test_add_cert(self): + """ + `X509Store.add_cert` adds a `X509` instance to the certificate store. + """ + cert = load_certificate(FILETYPE_PEM, root_cert_pem) + store = X509Store() + store.add_cert(cert) + + @pytest.mark.parametrize("cert", [None, 1.0, "cert", object()]) + def test_add_cert_wrong_args(self, cert): + """ + `X509Store.add_cert` raises `TypeError` if passed a non-X509 object + as its first argument. + """ + store = X509Store() + with pytest.raises(TypeError): + store.add_cert(cert) + + def test_add_cert_accepts_duplicate(self): + """ + `X509Store.add_cert` doesn't raise `OpenSSL.crypto.Error` if an attempt + is made to add the same certificate to the store more than once. + """ + cert = load_certificate(FILETYPE_PEM, root_cert_pem) + store = X509Store() + store.add_cert(cert) + store.add_cert(cert) + + @pytest.mark.parametrize( + "cafile, capath, call_cafile, call_capath", + [ + ( + "/cafile" + NON_ASCII, + None, + b"/cafile" + NON_ASCII.encode(sys.getfilesystemencoding()), + _ffi.NULL, + ), + ( + b"/cafile" + NON_ASCII.encode("utf-8"), + None, + b"/cafile" + NON_ASCII.encode("utf-8"), + _ffi.NULL, + ), + ( + None, + "/capath" + NON_ASCII, + _ffi.NULL, + b"/capath" + NON_ASCII.encode(sys.getfilesystemencoding()), + ), + ( + None, + b"/capath" + NON_ASCII.encode("utf-8"), + _ffi.NULL, + b"/capath" + NON_ASCII.encode("utf-8"), + ), + ], + ) + def test_load_locations_parameters( + self, cafile, capath, call_cafile, call_capath, monkeypatch + ): + class LibMock(object): + def load_locations(self, store, cafile, capath): + self.cafile = cafile + self.capath = capath + return 1 + + lib_mock = LibMock() + monkeypatch.setattr( + _lib, "X509_STORE_load_locations", lib_mock.load_locations + ) + + store = X509Store() + store.load_locations(cafile=cafile, capath=capath) + + assert call_cafile == lib_mock.cafile + assert call_capath == lib_mock.capath + + def test_load_locations_fails_when_all_args_are_none(self): + store = X509Store() + with pytest.raises(Error): + store.load_locations(None, None) + + def test_load_locations_raises_error_on_failure(self, tmpdir): + invalid_ca_file = tmpdir.join("invalid.pem") + invalid_ca_file.write("This is not a certificate") + + store = X509Store() + with pytest.raises(Error): + store.load_locations(cafile=str(invalid_ca_file)) + + +class TestPKCS12(object): + """ + Test for `OpenSSL.crypto.PKCS12` and `OpenSSL.crypto.load_pkcs12`. + """ + + def test_type(self): + """ + `PKCS12` is a type object. + """ + assert is_consistent_type(PKCS12, "PKCS12") + + def test_empty_construction(self): + """ + `PKCS12` returns a new instance of `PKCS12` with no certificate, + private key, CA certificates, or friendly name. + """ + p12 = PKCS12() + assert None is p12.get_certificate() + assert None is p12.get_privatekey() + assert None is p12.get_ca_certificates() + assert None is p12.get_friendlyname() + + def test_type_errors(self): + """ + The `PKCS12` setter functions (`set_certificate`, `set_privatekey`, + `set_ca_certificates`, and `set_friendlyname`) raise `TypeError` + when passed objects of types other than those expected. + """ + p12 = PKCS12() + for bad_arg in [3, PKey(), X509]: + with pytest.raises(TypeError): + p12.set_certificate(bad_arg) + for bad_arg in [3, "legbone", X509()]: + with pytest.raises(TypeError): + p12.set_privatekey(bad_arg) + for bad_arg in [3, X509(), (3, 4), (PKey(),)]: + with pytest.raises(TypeError): + p12.set_ca_certificates(bad_arg) + for bad_arg in [6, ("foo", "bar")]: + with pytest.raises(TypeError): + p12.set_friendlyname(bad_arg) + + def test_key_only(self): + """ + A `PKCS12` with only a private key can be exported using + `PKCS12.export` and loaded again using `load_pkcs12`. + """ + passwd = b"blah" + p12 = PKCS12() + pkey = load_privatekey(FILETYPE_PEM, root_key_pem) + p12.set_privatekey(pkey) + assert None is p12.get_certificate() + assert pkey == p12.get_privatekey() + try: + dumped_p12 = p12.export(passphrase=passwd, iter=2, maciter=3) + except Error: + # Some versions of OpenSSL will throw an exception + # for this nearly useless PKCS12 we tried to generate: + # [('PKCS12 routines', 'PKCS12_create', 'invalid null argument')] + return + p12 = load_pkcs12(dumped_p12, passwd) + assert None is p12.get_ca_certificates() + assert None is p12.get_certificate() + + # OpenSSL fails to bring the key back to us. So sad. Perhaps in the + # future this will be improved. + assert isinstance(p12.get_privatekey(), (PKey, type(None))) + + def test_cert_only(self): + """ + A `PKCS12` with only a certificate can be exported using + `PKCS12.export` and loaded again using `load_pkcs12`. + """ + passwd = b"blah" + p12 = PKCS12() + cert = load_certificate(FILETYPE_PEM, root_cert_pem) + p12.set_certificate(cert) + assert cert == p12.get_certificate() + assert None is p12.get_privatekey() + try: + dumped_p12 = p12.export(passphrase=passwd, iter=2, maciter=3) + except Error: + # Some versions of OpenSSL will throw an exception + # for this nearly useless PKCS12 we tried to generate: + # [('PKCS12 routines', 'PKCS12_create', 'invalid null argument')] + return + p12 = load_pkcs12(dumped_p12, passwd) + assert None is p12.get_privatekey() + + # OpenSSL fails to bring the cert back to us. Groany mcgroan. + assert isinstance(p12.get_certificate(), (X509, type(None))) + + # Oh ho. It puts the certificate into the ca certificates list, in + # fact. Totally bogus, I would think. Nevertheless, let's exploit + # that to check to see if it reconstructed the certificate we expected + # it to. At some point, hopefully this will change so that + # p12.get_certificate() is actually what returns the loaded + # certificate. + assert root_cert_pem == dump_certificate( + FILETYPE_PEM, p12.get_ca_certificates()[0] + ) + + def gen_pkcs12( + self, cert_pem=None, key_pem=None, ca_pem=None, friendly_name=None + ): + """ + Generate a PKCS12 object with components from PEM. Verify that the set + functions return None. + """ + p12 = PKCS12() + if cert_pem: + ret = p12.set_certificate(load_certificate(FILETYPE_PEM, cert_pem)) + assert ret is None + if key_pem: + ret = p12.set_privatekey(load_privatekey(FILETYPE_PEM, key_pem)) + assert ret is None + if ca_pem: + ret = p12.set_ca_certificates( + (load_certificate(FILETYPE_PEM, ca_pem),) + ) + assert ret is None + if friendly_name: + ret = p12.set_friendlyname(friendly_name) + assert ret is None + return p12 + + def check_recovery( + self, p12_str, key=None, cert=None, ca=None, passwd=b"", extra=() + ): + """ + Use openssl program to confirm three components are recoverable from a + PKCS12 string. + """ + if key: + recovered_key = _runopenssl( + p12_str, + b"pkcs12", + b"-nocerts", + b"-nodes", + b"-passin", + b"pass:" + passwd, + *extra + ) + assert recovered_key[-len(key) :] == key + if cert: + recovered_cert = _runopenssl( + p12_str, + b"pkcs12", + b"-clcerts", + b"-nodes", + b"-passin", + b"pass:" + passwd, + b"-nokeys", + *extra + ) + assert recovered_cert[-len(cert) :] == cert + if ca: + recovered_cert = _runopenssl( + p12_str, + b"pkcs12", + b"-cacerts", + b"-nodes", + b"-passin", + b"pass:" + passwd, + b"-nokeys", + *extra + ) + assert recovered_cert[-len(ca) :] == ca + + def verify_pkcs12_container(self, p12): + """ + Verify that the PKCS#12 container contains the correct client + certificate and private key. + + :param p12: The PKCS12 instance to verify. + :type p12: `PKCS12` + """ + cert_pem = dump_certificate(FILETYPE_PEM, p12.get_certificate()) + key_pem = dump_privatekey(FILETYPE_PEM, p12.get_privatekey()) + assert (client_cert_pem, client_key_pem, None) == ( + cert_pem, + key_pem, + p12.get_ca_certificates(), + ) + + def test_load_pkcs12(self): + """ + A PKCS12 string generated using the openssl command line can be loaded + with `load_pkcs12` and its components extracted and examined. + """ + passwd = b"whatever" + pem = client_key_pem + client_cert_pem + p12_str = _runopenssl( + pem, + b"pkcs12", + b"-export", + b"-clcerts", + b"-passout", + b"pass:" + passwd, + ) + p12 = load_pkcs12(p12_str, passphrase=passwd) + self.verify_pkcs12_container(p12) + + def test_load_pkcs12_text_passphrase(self): + """ + A PKCS12 string generated using the openssl command line can be loaded + with `load_pkcs12` and its components extracted and examined. + Using text as passphrase instead of bytes. DeprecationWarning expected. + """ + pem = client_key_pem + client_cert_pem + passwd = b"whatever" + p12_str = _runopenssl( + pem, + b"pkcs12", + b"-export", + b"-clcerts", + b"-passout", + b"pass:" + passwd, + ) + with pytest.warns(DeprecationWarning) as w: + simplefilter("always") + p12 = load_pkcs12(p12_str, passphrase=b"whatever".decode("ascii")) + msg = "{0} for passphrase is no longer accepted, use bytes".format( + WARNING_TYPE_EXPECTED + ) + assert msg == str(w[-1].message) + + self.verify_pkcs12_container(p12) + + def test_load_pkcs12_no_passphrase(self): + """ + A PKCS12 string generated using openssl command line can be loaded with + `load_pkcs12` without a passphrase and its components extracted + and examined. + """ + pem = client_key_pem + client_cert_pem + p12_str = _runopenssl( + pem, b"pkcs12", b"-export", b"-clcerts", b"-passout", b"pass:" + ) + p12 = load_pkcs12(p12_str) + self.verify_pkcs12_container(p12) + + def _dump_and_load(self, dump_passphrase, load_passphrase): + """ + A helper method to dump and load a PKCS12 object. + """ + p12 = self.gen_pkcs12(client_cert_pem, client_key_pem) + dumped_p12 = p12.export(passphrase=dump_passphrase, iter=2, maciter=3) + return load_pkcs12(dumped_p12, passphrase=load_passphrase) + + def test_load_pkcs12_null_passphrase_load_empty(self): + """ + A PKCS12 string can be dumped with a null passphrase, loaded with an + empty passphrase with `load_pkcs12`, and its components + extracted and examined. + """ + self.verify_pkcs12_container( + self._dump_and_load(dump_passphrase=None, load_passphrase=b"") + ) + + def test_load_pkcs12_null_passphrase_load_null(self): + """ + A PKCS12 string can be dumped with a null passphrase, loaded with a + null passphrase with `load_pkcs12`, and its components + extracted and examined. + """ + self.verify_pkcs12_container( + self._dump_and_load(dump_passphrase=None, load_passphrase=None) + ) + + def test_load_pkcs12_empty_passphrase_load_empty(self): + """ + A PKCS12 string can be dumped with an empty passphrase, loaded with an + empty passphrase with `load_pkcs12`, and its components + extracted and examined. + """ + self.verify_pkcs12_container( + self._dump_and_load(dump_passphrase=b"", load_passphrase=b"") + ) + + def test_load_pkcs12_empty_passphrase_load_null(self): + """ + A PKCS12 string can be dumped with an empty passphrase, loaded with a + null passphrase with `load_pkcs12`, and its components + extracted and examined. + """ + self.verify_pkcs12_container( + self._dump_and_load(dump_passphrase=b"", load_passphrase=None) + ) + + def test_load_pkcs12_garbage(self): + """ + `load_pkcs12` raises `OpenSSL.crypto.Error` when passed + a string which is not a PKCS12 dump. + """ + passwd = b"whatever" + with pytest.raises(Error) as err: + load_pkcs12(b"fruit loops", passwd) + assert err.value.args[0][0][0] == "asn1 encoding routines" + assert len(err.value.args[0][0]) == 3 + + def test_replace(self): + """ + `PKCS12.set_certificate` replaces the certificate in a PKCS12 + cluster. `PKCS12.set_privatekey` replaces the private key. + `PKCS12.set_ca_certificates` replaces the CA certificates. + """ + p12 = self.gen_pkcs12(client_cert_pem, client_key_pem, root_cert_pem) + p12.set_certificate(load_certificate(FILETYPE_PEM, server_cert_pem)) + p12.set_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem)) + root_cert = load_certificate(FILETYPE_PEM, root_cert_pem) + client_cert = load_certificate(FILETYPE_PEM, client_cert_pem) + p12.set_ca_certificates([root_cert]) # not a tuple + assert 1 == len(p12.get_ca_certificates()) + assert root_cert == p12.get_ca_certificates()[0] + p12.set_ca_certificates([client_cert, root_cert]) + assert 2 == len(p12.get_ca_certificates()) + assert client_cert == p12.get_ca_certificates()[0] + assert root_cert == p12.get_ca_certificates()[1] + + def test_friendly_name(self): + """ + The *friendlyName* of a PKCS12 can be set and retrieved via + `PKCS12.get_friendlyname` and `PKCS12_set_friendlyname`, and a + `PKCS12` with a friendly name set can be dumped with `PKCS12.export`. + """ + passwd = b'Dogmeat[]{}!@#$%^&*()~`?/.,<>-_+=";:' + p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem) + for friendly_name in [b"Serverlicious", None, b"###"]: + p12.set_friendlyname(friendly_name) + assert p12.get_friendlyname() == friendly_name + dumped_p12 = p12.export(passphrase=passwd, iter=2, maciter=3) + reloaded_p12 = load_pkcs12(dumped_p12, passwd) + assert p12.get_friendlyname() == reloaded_p12.get_friendlyname() + # We would use the openssl program to confirm the friendly + # name, but it is not possible. The pkcs12 command + # does not store the friendly name in the cert's + # alias, which we could then extract. + self.check_recovery( + dumped_p12, + key=server_key_pem, + cert=server_cert_pem, + ca=root_cert_pem, + passwd=passwd, + ) + + def test_various_empty_passphrases(self): + """ + Test that missing, None, and '' passphrases are identical for PKCS12 + export. + """ + p12 = self.gen_pkcs12(client_cert_pem, client_key_pem, root_cert_pem) + passwd = b"" + dumped_p12_empty = p12.export(iter=2, maciter=0, passphrase=passwd) + dumped_p12_none = p12.export(iter=3, maciter=2, passphrase=None) + dumped_p12_nopw = p12.export(iter=9, maciter=4) + for dumped_p12 in [dumped_p12_empty, dumped_p12_none, dumped_p12_nopw]: + self.check_recovery( + dumped_p12, + key=client_key_pem, + cert=client_cert_pem, + ca=root_cert_pem, + passwd=passwd, + ) + + def test_removing_ca_cert(self): + """ + Passing `None` to `PKCS12.set_ca_certificates` removes all CA + certificates. + """ + p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem) + p12.set_ca_certificates(None) + assert None is p12.get_ca_certificates() + + def test_export_without_mac(self): + """ + Exporting a PKCS12 with a `maciter` of `-1` excludes the MAC entirely. + """ + passwd = b"Lake Michigan" + p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem) + dumped_p12 = p12.export(maciter=-1, passphrase=passwd, iter=2) + self.check_recovery( + dumped_p12, + key=server_key_pem, + cert=server_cert_pem, + passwd=passwd, + extra=(b"-nomacver",), + ) + + def test_load_without_mac(self): + """ + Loading a PKCS12 without a MAC does something other than crash. + """ + passwd = b"Lake Michigan" + p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem) + dumped_p12 = p12.export(maciter=-1, passphrase=passwd, iter=2) + try: + recovered_p12 = load_pkcs12(dumped_p12, passwd) + # The person who generated this PCKS12 should be flogged, + # or better yet we should have a means to determine + # whether a PCKS12 had a MAC that was verified. + # Anyway, libopenssl chooses to allow it, so the + # pyopenssl binding does as well. + assert isinstance(recovered_p12, PKCS12) + except Error: + # Failing here with an exception is preferred as some openssl + # versions do. + pass + + def test_zero_len_list_for_ca(self): + """ + A PKCS12 with an empty CA certificates list can be exported. + """ + passwd = b"Hobie 18" + p12 = self.gen_pkcs12(server_cert_pem, server_key_pem) + p12.set_ca_certificates([]) + assert () == p12.get_ca_certificates() + dumped_p12 = p12.export(passphrase=passwd, iter=3) + self.check_recovery( + dumped_p12, key=server_key_pem, cert=server_cert_pem, passwd=passwd + ) + + def test_export_without_args(self): + """ + All the arguments to `PKCS12.export` are optional. + """ + p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem) + dumped_p12 = p12.export() # no args + self.check_recovery( + dumped_p12, key=server_key_pem, cert=server_cert_pem, passwd=b"" + ) + + def test_export_without_bytes(self): + """ + Test `PKCS12.export` with text not bytes as passphrase + """ + p12 = self.gen_pkcs12(server_cert_pem, server_key_pem, root_cert_pem) + + with pytest.warns(DeprecationWarning) as w: + simplefilter("always") + dumped_p12 = p12.export(passphrase=b"randomtext".decode("ascii")) + msg = "{0} for passphrase is no longer accepted, use bytes".format( + WARNING_TYPE_EXPECTED + ) + assert msg == str(w[-1].message) + self.check_recovery( + dumped_p12, + key=server_key_pem, + cert=server_cert_pem, + passwd=b"randomtext", + ) + + def test_key_cert_mismatch(self): + """ + `PKCS12.export` raises an exception when a key and certificate + mismatch. + """ + p12 = self.gen_pkcs12(server_cert_pem, client_key_pem, root_cert_pem) + with pytest.raises(Error): + p12.export() + + +def _runopenssl(pem, *args): + """ + Run the command line openssl tool with the given arguments and write + the given PEM to its stdin. Not safe for quotes. + """ + proc = Popen([b"openssl"] + list(args), stdin=PIPE, stdout=PIPE) + proc.stdin.write(pem) + proc.stdin.close() + output = proc.stdout.read() + proc.stdout.close() + proc.wait() + return output + + +class TestLoadPublicKey(object): + """ + Tests for :func:`load_publickey`. + """ + + def test_loading_works(self): + """ + load_publickey loads public keys and sets correct attributes. + """ + key = load_publickey(FILETYPE_PEM, cleartextPublicKeyPEM) + + assert True is key._only_public + assert 2048 == key.bits() + assert TYPE_RSA == key.type() + + def test_invalid_type(self): + """ + load_publickey doesn't support FILETYPE_TEXT. + """ + with pytest.raises(ValueError): + load_publickey(FILETYPE_TEXT, cleartextPublicKeyPEM) + + def test_invalid_key_format(self): + """ + load_publickey explodes on incorrect keys. + """ + with pytest.raises(Error): + load_publickey(FILETYPE_ASN1, cleartextPublicKeyPEM) + + def test_tolerates_unicode_strings(self): + """ + load_publickey works with text strings, not just bytes. + """ + serialized = cleartextPublicKeyPEM.decode("ascii") + key = load_publickey(FILETYPE_PEM, serialized) + dumped_pem = dump_publickey(FILETYPE_PEM, key) + + assert dumped_pem == cleartextPublicKeyPEM + + +class TestFunction(object): + """ + Tests for free-functions in the `OpenSSL.crypto` module. + """ + + def test_load_privatekey_invalid_format(self): + """ + `load_privatekey` raises `ValueError` if passed an unknown filetype. + """ + with pytest.raises(ValueError): + load_privatekey(100, root_key_pem) + + def test_load_privatekey_invalid_passphrase_type(self): + """ + `load_privatekey` raises `TypeError` if passed a passphrase that is + neither a `str` nor a callable. + """ + with pytest.raises(TypeError): + load_privatekey( + FILETYPE_PEM, encryptedPrivateKeyPEMPassphrase, object() + ) + + def test_load_privatekey_wrongPassphrase(self): + """ + `load_privatekey` raises `OpenSSL.crypto.Error` when it is passed an + encrypted PEM and an incorrect passphrase. + """ + with pytest.raises(Error) as err: + load_privatekey(FILETYPE_PEM, encryptedPrivateKeyPEM, b"quack") + assert err.value.args[0] != [] + + def test_load_privatekey_passphraseWrongType(self): + """ + `load_privatekey` raises `ValueError` when it is passeda passphrase + with a private key encoded in a format, that doesn't support + encryption. + """ + key = load_privatekey(FILETYPE_PEM, root_key_pem) + blob = dump_privatekey(FILETYPE_ASN1, key) + with pytest.raises(ValueError): + load_privatekey(FILETYPE_ASN1, blob, "secret") + + def test_load_privatekey_passphrase(self): + """ + `load_privatekey` can create a `PKey` object from an encrypted PEM + string if given the passphrase. + """ + key = load_privatekey( + FILETYPE_PEM, + encryptedPrivateKeyPEM, + encryptedPrivateKeyPEMPassphrase, + ) + assert isinstance(key, PKey) + + def test_load_privatekey_passphrase_exception(self): + """ + If the passphrase callback raises an exception, that exception is + raised by `load_privatekey`. + """ + + def cb(ignored): + raise ArithmeticError + + with pytest.raises(ArithmeticError): + load_privatekey(FILETYPE_PEM, encryptedPrivateKeyPEM, cb) + + def test_load_privatekey_wrongPassphraseCallback(self): + """ + `load_privatekey` raises `OpenSSL.crypto.Error` when it + is passed an encrypted PEM and a passphrase callback which returns an + incorrect passphrase. + """ + called = [] + + def cb(*a): + called.append(None) + return b"quack" + + with pytest.raises(Error) as err: + load_privatekey(FILETYPE_PEM, encryptedPrivateKeyPEM, cb) + assert called + assert err.value.args[0] != [] + + def test_load_privatekey_passphraseCallback(self): + """ + `load_privatekey` can create a `PKey` object from an encrypted PEM + string if given a passphrase callback which returns the correct + password. + """ + called = [] + + def cb(writing): + called.append(writing) + return encryptedPrivateKeyPEMPassphrase + + key = load_privatekey(FILETYPE_PEM, encryptedPrivateKeyPEM, cb) + assert isinstance(key, PKey) + assert called == [False] + + def test_load_privatekey_passphrase_wrong_return_type(self): + """ + `load_privatekey` raises `ValueError` if the passphrase callback + returns something other than a byte string. + """ + with pytest.raises(ValueError): + load_privatekey( + FILETYPE_PEM, encryptedPrivateKeyPEM, lambda *args: 3 + ) + + def test_dump_privatekey_wrong_args(self): + """ + `dump_privatekey` raises `TypeError` if called with a `cipher` + argument but no `passphrase` argument. + """ + key = PKey() + key.generate_key(TYPE_RSA, 512) + with pytest.raises(TypeError): + dump_privatekey(FILETYPE_PEM, key, cipher=GOOD_CIPHER) + + def test_dump_privatekey_not_rsa_key(self): + """ + `dump_privatekey` raises `TypeError` if called with a key that is + not RSA. + """ + key = PKey() + key.generate_key(TYPE_DSA, 512) + with pytest.raises(TypeError): + dump_privatekey(FILETYPE_TEXT, key) + + def test_dump_privatekey_invalid_pkey(self): + with pytest.raises(TypeError): + dump_privatekey(FILETYPE_TEXT, object()) + + def test_dump_privatekey_unknown_cipher(self): + """ + `dump_privatekey` raises `ValueError` if called with an unrecognized + cipher name. + """ + key = PKey() + key.generate_key(TYPE_RSA, 512) + with pytest.raises(ValueError): + dump_privatekey(FILETYPE_PEM, key, BAD_CIPHER, "passphrase") + + def test_dump_privatekey_invalid_passphrase_type(self): + """ + `dump_privatekey` raises `TypeError` if called with a passphrase which + is neither a `str` nor a callable. + """ + key = PKey() + key.generate_key(TYPE_RSA, 512) + with pytest.raises(TypeError): + dump_privatekey(FILETYPE_PEM, key, GOOD_CIPHER, object()) + + def test_dump_privatekey_invalid_filetype(self): + """ + `dump_privatekey` raises `ValueError` if called with an unrecognized + filetype. + """ + key = PKey() + key.generate_key(TYPE_RSA, 512) + with pytest.raises(ValueError): + dump_privatekey(100, key) + + def test_load_privatekey_passphrase_callback_length(self): + """ + `crypto.load_privatekey` should raise an error when the passphrase + provided by the callback is too long, not silently truncate it. + """ + + def cb(ignored): + return "a" * 1025 + + with pytest.raises(ValueError): + load_privatekey(FILETYPE_PEM, encryptedPrivateKeyPEM, cb) + + def test_dump_privatekey_passphrase(self): + """ + `dump_privatekey` writes an encrypted PEM when given a passphrase. + """ + passphrase = b"foo" + key = load_privatekey(FILETYPE_PEM, root_key_pem) + pem = dump_privatekey(FILETYPE_PEM, key, GOOD_CIPHER, passphrase) + assert isinstance(pem, bytes) + loadedKey = load_privatekey(FILETYPE_PEM, pem, passphrase) + assert isinstance(loadedKey, PKey) + assert loadedKey.type() == key.type() + assert loadedKey.bits() == key.bits() + + def test_dump_privatekey_passphrase_wrong_type(self): + """ + `dump_privatekey` raises `ValueError` when it is passed a passphrase + with a private key encoded in a format, that doesn't support + encryption. + """ + key = load_privatekey(FILETYPE_PEM, root_key_pem) + with pytest.raises(ValueError): + dump_privatekey(FILETYPE_ASN1, key, GOOD_CIPHER, "secret") + + def test_dump_certificate(self): + """ + `dump_certificate` writes PEM, DER, and text. + """ + pemData = root_cert_pem + root_key_pem + cert = load_certificate(FILETYPE_PEM, pemData) + dumped_pem = dump_certificate(FILETYPE_PEM, cert) + assert dumped_pem == root_cert_pem + dumped_der = dump_certificate(FILETYPE_ASN1, cert) + good_der = _runopenssl(dumped_pem, b"x509", b"-outform", b"DER") + assert dumped_der == good_der + cert2 = load_certificate(FILETYPE_ASN1, dumped_der) + dumped_pem2 = dump_certificate(FILETYPE_PEM, cert2) + assert dumped_pem2 == root_cert_pem + dumped_text = dump_certificate(FILETYPE_TEXT, cert) + assert len(dumped_text) > 500 + + def test_dump_certificate_bad_type(self): + """ + `dump_certificate` raises a `ValueError` if it's called with + a bad type. + """ + cert = load_certificate(FILETYPE_PEM, root_cert_pem) + with pytest.raises(ValueError): + dump_certificate(object(), cert) + + def test_dump_privatekey_pem(self): + """ + `dump_privatekey` writes a PEM + """ + key = load_privatekey(FILETYPE_PEM, root_key_pem) + assert key.check() + dumped_pem = dump_privatekey(FILETYPE_PEM, key) + assert dumped_pem == normalized_root_key_pem + + def test_dump_privatekey_asn1(self): + """ + `dump_privatekey` writes a DER + """ + key = load_privatekey(FILETYPE_PEM, root_key_pem) + + dumped_der = dump_privatekey(FILETYPE_ASN1, key) + assert dumped_der == root_key_der + + def test_load_privatekey_asn1(self): + """ + `dump_privatekey` writes a DER + """ + key = load_privatekey(FILETYPE_ASN1, root_key_der) + assert key.bits() == 3072 + assert key.type() == TYPE_RSA + + def test_dump_privatekey_text(self): + """ + `dump_privatekey` writes a text + """ + key = load_privatekey(FILETYPE_PEM, root_key_pem) + dumped_text = dump_privatekey(FILETYPE_TEXT, key) + assert len(dumped_text) > 500 + + def test_dump_publickey_pem(self): + """ + dump_publickey writes a PEM. + """ + key = load_publickey(FILETYPE_PEM, cleartextPublicKeyPEM) + dumped_pem = dump_publickey(FILETYPE_PEM, key) + assert dumped_pem == cleartextPublicKeyPEM + + def test_dump_publickey_asn1(self): + """ + dump_publickey writes a DER. + """ + key = load_publickey(FILETYPE_PEM, cleartextPublicKeyPEM) + dumped_der = dump_publickey(FILETYPE_ASN1, key) + key2 = load_publickey(FILETYPE_ASN1, dumped_der) + dumped_pem2 = dump_publickey(FILETYPE_PEM, key2) + assert dumped_pem2 == cleartextPublicKeyPEM + + def test_dump_publickey_invalid_type(self): + """ + dump_publickey doesn't support FILETYPE_TEXT. + """ + key = load_publickey(FILETYPE_PEM, cleartextPublicKeyPEM) + + with pytest.raises(ValueError): + dump_publickey(FILETYPE_TEXT, key) + + def test_dump_certificate_request(self): + """ + `dump_certificate_request` writes a PEM, DER, and text. + """ + req = load_certificate_request( + FILETYPE_PEM, cleartextCertificateRequestPEM + ) + dumped_pem = dump_certificate_request(FILETYPE_PEM, req) + assert dumped_pem == cleartextCertificateRequestPEM + dumped_der = dump_certificate_request(FILETYPE_ASN1, req) + good_der = _runopenssl(dumped_pem, b"req", b"-outform", b"DER") + assert dumped_der == good_der + req2 = load_certificate_request(FILETYPE_ASN1, dumped_der) + dumped_pem2 = dump_certificate_request(FILETYPE_PEM, req2) + assert dumped_pem2 == cleartextCertificateRequestPEM + dumped_text = dump_certificate_request(FILETYPE_TEXT, req) + assert len(dumped_text) > 500 + with pytest.raises(ValueError): + dump_certificate_request(100, req) + + def test_dump_privatekey_passphrase_callback(self): + """ + `dump_privatekey` writes an encrypted PEM when given a callback + which returns the correct passphrase. + """ + passphrase = b"foo" + called = [] + + def cb(writing): + called.append(writing) + return passphrase + + key = load_privatekey(FILETYPE_PEM, root_key_pem) + pem = dump_privatekey(FILETYPE_PEM, key, GOOD_CIPHER, cb) + assert isinstance(pem, bytes) + assert called == [True] + loadedKey = load_privatekey(FILETYPE_PEM, pem, passphrase) + assert isinstance(loadedKey, PKey) + assert loadedKey.type() == key.type() + assert loadedKey.bits() == key.bits() + + def test_dump_privatekey_passphrase_exception(self): + """ + `dump_privatekey` should not overwrite the exception raised + by the passphrase callback. + """ + + def cb(ignored): + raise ArithmeticError + + key = load_privatekey(FILETYPE_PEM, root_key_pem) + with pytest.raises(ArithmeticError): + dump_privatekey(FILETYPE_PEM, key, GOOD_CIPHER, cb) + + def test_dump_privatekey_passphraseCallbackLength(self): + """ + `crypto.dump_privatekey` should raise an error when the passphrase + provided by the callback is too long, not silently truncate it. + """ + + def cb(ignored): + return "a" * 1025 + + key = load_privatekey(FILETYPE_PEM, root_key_pem) + with pytest.raises(ValueError): + dump_privatekey(FILETYPE_PEM, key, GOOD_CIPHER, cb) + + def test_dump_privatekey_truncated(self): + """ + `crypto.dump_privatekey` should not truncate a passphrase that contains + a null byte. + """ + key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM) + passphrase = b"foo\x00bar" + truncated_passphrase = passphrase.split(b"\x00", 1)[0] + + # By dumping with the full passphrase load should raise an error if we + # try to load using the truncated passphrase. If dump truncated the + # passphrase, then we WILL load the privatekey and the test fails + encrypted_key_pem = dump_privatekey( + FILETYPE_PEM, key, "AES-256-CBC", passphrase + ) + with pytest.raises(Error): + load_privatekey( + FILETYPE_PEM, encrypted_key_pem, truncated_passphrase + ) + + def test_load_privatekey_truncated(self): + """ + `crypto.load_privatekey` should not truncate a passphrase that contains + a null byte. + """ + key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM) + passphrase = b"foo\x00bar" + truncated_passphrase = passphrase.split(b"\x00", 1)[0] + + # By dumping using the truncated passphrase load should raise an error + # if we try to load using the full passphrase. If load truncated the + # passphrase, then we WILL load the privatekey and the test fails + encrypted_key_pem = dump_privatekey( + FILETYPE_PEM, key, "AES-256-CBC", truncated_passphrase + ) + with pytest.raises(Error): + load_privatekey(FILETYPE_PEM, encrypted_key_pem, passphrase) + + def test_load_pkcs7_data_pem(self): + """ + `load_pkcs7_data` accepts a PKCS#7 string and returns an instance of + `PKCS`. + """ + pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data) + assert isinstance(pkcs7, PKCS7) + + def test_load_pkcs7_data_asn1(self): + """ + `load_pkcs7_data` accepts a bytes containing ASN1 data representing + PKCS#7 and returns an instance of `PKCS7`. + """ + pkcs7 = load_pkcs7_data(FILETYPE_ASN1, pkcs7DataASN1) + assert isinstance(pkcs7, PKCS7) + + def test_load_pkcs7_data_invalid(self): + """ + If the data passed to `load_pkcs7_data` is invalid, `Error` is raised. + """ + with pytest.raises(Error): + load_pkcs7_data(FILETYPE_PEM, b"foo") + + def test_load_pkcs7_type_invalid(self): + """ + If the type passed to `load_pkcs7_data`, `ValueError` is raised. + """ + with pytest.raises(ValueError): + load_pkcs7_data(object(), b"foo") + + +class TestLoadCertificate(object): + """ + Tests for `load_certificate_request`. + """ + + def test_bad_file_type(self): + """ + If the file type passed to `load_certificate_request` is neither + `FILETYPE_PEM` nor `FILETYPE_ASN1` then `ValueError` is raised. + """ + with pytest.raises(ValueError): + load_certificate_request(object(), b"") + with pytest.raises(ValueError): + load_certificate(object(), b"") + + def test_bad_certificate(self): + """ + If the bytes passed to `load_certificate` are not a valid certificate, + an exception is raised. + """ + with pytest.raises(Error): + load_certificate(FILETYPE_ASN1, b"lol") + + +class TestPKCS7(object): + """ + Tests for `PKCS7`. + """ + + def test_type_is_signed(self): + """ + `PKCS7.type_is_signed` returns `True` if the PKCS7 object is of + the type *signed*. + """ + pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data) + assert pkcs7.type_is_signed() + + def test_type_is_enveloped(self): + """ + `PKCS7.type_is_enveloped` returns `False` if the PKCS7 object is not + of the type *enveloped*. + """ + pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data) + assert not pkcs7.type_is_enveloped() + + def test_type_is_signed_and_enveloped(self): + """ + `PKCS7.type_is_signedAndEnveloped` returns `False` + if the PKCS7 object is not of the type *signed and enveloped*. + """ + pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data) + assert not pkcs7.type_is_signedAndEnveloped() + + def test_type_is_data(self): + """ + `PKCS7.type_is_data` returns `False` if the PKCS7 object is not of + the type data. + """ + pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data) + assert not pkcs7.type_is_data() + + def test_get_type_name(self): + """ + `PKCS7.get_type_name` returns a `str` giving the + type name. + """ + pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data) + assert pkcs7.get_type_name() == b"pkcs7-signedData" + + def test_attribute(self): + """ + If an attribute other than one of the methods tested here is accessed + on an instance of `PKCS7`, `AttributeError` is raised. + """ + pkcs7 = load_pkcs7_data(FILETYPE_PEM, pkcs7Data) + with pytest.raises(AttributeError): + pkcs7.foo + + +class TestNetscapeSPKI(_PKeyInteractionTestsMixin): + """ + Tests for `OpenSSL.crypto.NetscapeSPKI`. + """ + + def signable(self): + """ + Return a new `NetscapeSPKI` for use with signing tests. + """ + return NetscapeSPKI() + + def test_type(self): + """ + `NetscapeSPKI` can be used to create instances of that type. + """ + assert is_consistent_type(NetscapeSPKI, "NetscapeSPKI") + + def test_construction(self): + """ + `NetscapeSPKI` returns an instance of `NetscapeSPKI`. + """ + nspki = NetscapeSPKI() + assert isinstance(nspki, NetscapeSPKI) + + def test_invalid_attribute(self): + """ + Accessing a non-existent attribute of a `NetscapeSPKI` instance + causes an `AttributeError` to be raised. + """ + nspki = NetscapeSPKI() + with pytest.raises(AttributeError): + nspki.foo + + def test_b64_encode(self): + """ + `NetscapeSPKI.b64_encode` encodes the certificate to a base64 blob. + """ + nspki = NetscapeSPKI() + pkey = load_privatekey(FILETYPE_PEM, root_key_pem) + nspki.set_pubkey(pkey) + nspki.sign(pkey, GOOD_DIGEST) + blob = nspki.b64_encode() + assert isinstance(blob, bytes) + + +class TestRevoked(object): + """ + Tests for `OpenSSL.crypto.Revoked`. + """ + + def test_ignores_unsupported_revoked_cert_extension_get_reason(self): + """ + The get_reason method on the Revoked class checks to see if the + extension is NID_crl_reason and should skip it otherwise. This test + loads a CRL with extensions it should ignore. + """ + crl = load_crl(FILETYPE_PEM, crlDataUnsupportedExtension) + revoked = crl.get_revoked() + reason = revoked[1].get_reason() + assert reason == b"Unspecified" + + def test_ignores_unsupported_revoked_cert_extension_set_new_reason(self): + crl = load_crl(FILETYPE_PEM, crlDataUnsupportedExtension) + revoked = crl.get_revoked() + revoked[1].set_reason(None) + reason = revoked[1].get_reason() + assert reason is None + + def test_construction(self): + """ + Confirm we can create `OpenSSL.crypto.Revoked`. Check that it is + empty. + """ + revoked = Revoked() + assert isinstance(revoked, Revoked) + assert type(revoked) == Revoked + assert revoked.get_serial() == b"00" + assert revoked.get_rev_date() is None + assert revoked.get_reason() is None + + def test_serial(self): + """ + Confirm we can set and get serial numbers from + `OpenSSL.crypto.Revoked`. Confirm errors are handled with grace. + """ + revoked = Revoked() + ret = revoked.set_serial(b"10b") + assert ret is None + ser = revoked.get_serial() + assert ser == b"010B" + + revoked.set_serial(b"31ppp") # a type error would be nice + ser = revoked.get_serial() + assert ser == b"31" + + with pytest.raises(ValueError): + revoked.set_serial(b"pqrst") + with pytest.raises(TypeError): + revoked.set_serial(100) + + def test_date(self): + """ + Confirm we can set and get revocation dates from + `OpenSSL.crypto.Revoked`. Confirm errors are handled with grace. + """ + revoked = Revoked() + date = revoked.get_rev_date() + assert date is None + + now = datetime.now().strftime("%Y%m%d%H%M%SZ").encode("ascii") + ret = revoked.set_rev_date(now) + assert ret is None + date = revoked.get_rev_date() + assert date == now + + def test_reason(self): + """ + Confirm we can set and get revocation reasons from + `OpenSSL.crypto.Revoked`. The "get" need to work as "set". + Likewise, each reason of all_reasons() must work. + """ + revoked = Revoked() + for r in revoked.all_reasons(): + for x in range(2): + ret = revoked.set_reason(r) + assert ret is None + reason = revoked.get_reason() + assert reason.lower().replace(b" ", b"") == r.lower().replace( + b" ", b"" + ) + r = reason # again with the resp of get + + revoked.set_reason(None) + assert revoked.get_reason() is None + + @pytest.mark.parametrize("reason", [object(), 1.0, u"foo"]) + def test_set_reason_wrong_args(self, reason): + """ + `Revoked.set_reason` raises `TypeError` if called with an argument + which is neither `None` nor a byte string. + """ + revoked = Revoked() + with pytest.raises(TypeError): + revoked.set_reason(reason) + + def test_set_reason_invalid_reason(self): + """ + Calling `OpenSSL.crypto.Revoked.set_reason` with an argument which + isn't a valid reason results in `ValueError` being raised. + """ + revoked = Revoked() + with pytest.raises(ValueError): + revoked.set_reason(b"blue") + + +class TestCRL(object): + """ + Tests for `OpenSSL.crypto.CRL`. + """ + + cert = load_certificate(FILETYPE_PEM, root_cert_pem) + pkey = load_privatekey(FILETYPE_PEM, root_key_pem) + + root_cert = load_certificate(FILETYPE_PEM, root_cert_pem) + root_key = load_privatekey(FILETYPE_PEM, root_key_pem) + intermediate_cert = load_certificate(FILETYPE_PEM, intermediate_cert_pem) + intermediate_key = load_privatekey(FILETYPE_PEM, intermediate_key_pem) + intermediate_server_cert = load_certificate( + FILETYPE_PEM, intermediate_server_cert_pem + ) + intermediate_server_key = load_privatekey( + FILETYPE_PEM, intermediate_server_key_pem + ) + + def test_construction(self): + """ + Confirm we can create `OpenSSL.crypto.CRL`. Check + that it is empty + """ + crl = CRL() + assert isinstance(crl, CRL) + assert crl.get_revoked() is None + + def _get_crl(self): + """ + Get a new ``CRL`` with a revocation. + """ + crl = CRL() + revoked = Revoked() + now = datetime.now().strftime("%Y%m%d%H%M%SZ").encode("ascii") + revoked.set_rev_date(now) + revoked.set_serial(b"3ab") + revoked.set_reason(b"sUpErSeDEd") + crl.add_revoked(revoked) + return crl + + def test_export_pem(self): + """ + If not passed a format, ``CRL.export`` returns a "PEM" format string + representing a serial number, a revoked reason, and certificate issuer + information. + """ + # PEM format + dumped_crl = self._get_crl().export( + self.cert, self.pkey, days=20, digest=b"sha256" + ) + crl = x509.load_pem_x509_crl(dumped_crl, backend) + revoked = crl.get_revoked_certificate_by_serial_number(0x03AB) + assert revoked is not None + assert crl.issuer == x509.Name( + [ + x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u"US"), + x509.NameAttribute(x509.NameOID.STATE_OR_PROVINCE_NAME, u"IL"), + x509.NameAttribute(x509.NameOID.LOCALITY_NAME, u"Chicago"), + x509.NameAttribute(x509.NameOID.ORGANIZATION_NAME, u"Testing"), + x509.NameAttribute( + x509.NameOID.COMMON_NAME, u"Testing Root CA" + ), + ] + ) + + def test_export_der(self): + """ + If passed ``FILETYPE_ASN1`` for the format, ``CRL.export`` returns a + "DER" format string representing a serial number, a revoked reason, and + certificate issuer information. + """ + crl = self._get_crl() + + # DER format + dumped_crl = self._get_crl().export( + self.cert, self.pkey, FILETYPE_ASN1, digest=b"md5" + ) + crl = x509.load_der_x509_crl(dumped_crl, backend) + revoked = crl.get_revoked_certificate_by_serial_number(0x03AB) + assert revoked is not None + assert crl.issuer == x509.Name( + [ + x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u"US"), + x509.NameAttribute(x509.NameOID.STATE_OR_PROVINCE_NAME, u"IL"), + x509.NameAttribute(x509.NameOID.LOCALITY_NAME, u"Chicago"), + x509.NameAttribute(x509.NameOID.ORGANIZATION_NAME, u"Testing"), + x509.NameAttribute( + x509.NameOID.COMMON_NAME, u"Testing Root CA" + ), + ] + ) + + def test_export_text(self): + """ + If passed ``FILETYPE_TEXT`` for the format, ``CRL.export`` returns a + text format string like the one produced by the openssl command line + tool. + """ + crl = self._get_crl() + + # text format + dumped_text = crl.export( + self.cert, self.pkey, type=FILETYPE_TEXT, digest=b"md5" + ) + assert len(dumped_text) > 500 + + def test_export_custom_digest(self): + """ + If passed the name of a digest function, ``CRL.export`` uses a + signature algorithm based on that digest function. + """ + crl = self._get_crl() + dumped_crl = crl.export(self.cert, self.pkey, digest=b"sha1") + text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text") + text.index(b"Signature Algorithm: sha1") + + def test_export_md5_digest(self): + """ + If passed md5 as the digest function, ``CRL.export`` uses md5 and does + not emit a deprecation warning. + """ + crl = self._get_crl() + with pytest.warns(None) as catcher: + simplefilter("always") + assert 0 == len(catcher) + dumped_crl = crl.export(self.cert, self.pkey, digest=b"md5") + text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text") + text.index(b"Signature Algorithm: md5") + + def test_export_default_digest(self): + """ + If not passed the name of a digest function, ``CRL.export`` raises a + ``TypeError``. + """ + crl = self._get_crl() + with pytest.raises(TypeError): + crl.export(self.cert, self.pkey) + + def test_export_invalid(self): + """ + If `CRL.export` is used with an uninitialized `X509` instance, + `OpenSSL.crypto.Error` is raised. + """ + crl = CRL() + with pytest.raises(Error): + crl.export(X509(), PKey(), digest=b"sha256") + + def test_add_revoked_keyword(self): + """ + `OpenSSL.CRL.add_revoked` accepts its single argument as the + ``revoked`` keyword argument. + """ + crl = CRL() + revoked = Revoked() + revoked.set_serial(b"01") + revoked.set_rev_date(b"20160310020145Z") + crl.add_revoked(revoked=revoked) + assert isinstance(crl.get_revoked()[0], Revoked) + + def test_export_wrong_args(self): + """ + Calling `OpenSSL.CRL.export` with arguments other than the certificate, + private key, integer file type, and integer number of days it + expects, results in a `TypeError` being raised. + """ + crl = CRL() + with pytest.raises(TypeError): + crl.export(None, self.pkey, FILETYPE_PEM, 10) + with pytest.raises(TypeError): + crl.export(self.cert, None, FILETYPE_PEM, 10) + with pytest.raises(TypeError): + crl.export(self.cert, self.pkey, None, 10) + with pytest.raises(TypeError): + crl.export(self.cert, FILETYPE_PEM, None) + + def test_export_unknown_filetype(self): + """ + Calling `OpenSSL.CRL.export` with a file type other than + `FILETYPE_PEM`, `FILETYPE_ASN1`, or + `FILETYPE_TEXT` results in a `ValueError` being raised. + """ + crl = CRL() + with pytest.raises(ValueError): + crl.export(self.cert, self.pkey, 100, 10, digest=b"sha256") + + def test_export_unknown_digest(self): + """ + Calling `OpenSSL.CRL.export` with an unsupported digest results + in a `ValueError` being raised. + """ + crl = CRL() + with pytest.raises(ValueError): + crl.export( + self.cert, self.pkey, FILETYPE_PEM, 10, b"strange-digest" + ) + + def test_get_revoked(self): + """ + Use python to create a simple CRL with two revocations. Get back the + `Revoked` using `OpenSSL.CRL.get_revoked` and verify them. + """ + crl = CRL() + + revoked = Revoked() + now = datetime.now().strftime("%Y%m%d%H%M%SZ").encode("ascii") + revoked.set_rev_date(now) + revoked.set_serial(b"3ab") + crl.add_revoked(revoked) + revoked.set_serial(b"100") + revoked.set_reason(b"sUpErSeDEd") + crl.add_revoked(revoked) + + revs = crl.get_revoked() + assert len(revs) == 2 + assert type(revs[0]) == Revoked + assert type(revs[1]) == Revoked + assert revs[0].get_serial() == b"03AB" + assert revs[1].get_serial() == b"0100" + assert revs[0].get_rev_date() == now + assert revs[1].get_rev_date() == now + + def test_load_crl(self): + """ + Load a known CRL and inspect its revocations. Both EM and DER formats + are loaded. + """ + crl = load_crl(FILETYPE_PEM, crlData) + revs = crl.get_revoked() + assert len(revs) == 2 + assert revs[0].get_serial() == b"03AB" + assert revs[0].get_reason() is None + assert revs[1].get_serial() == b"0100" + assert revs[1].get_reason() == b"Superseded" + + der = _runopenssl(crlData, b"crl", b"-outform", b"DER") + crl = load_crl(FILETYPE_ASN1, der) + revs = crl.get_revoked() + assert len(revs) == 2 + assert revs[0].get_serial() == b"03AB" + assert revs[0].get_reason() is None + assert revs[1].get_serial() == b"0100" + assert revs[1].get_reason() == b"Superseded" + + def test_load_crl_bad_filetype(self): + """ + Calling `OpenSSL.crypto.load_crl` with an unknown file type raises a + `ValueError`. + """ + with pytest.raises(ValueError): + load_crl(100, crlData) + + def test_load_crl_bad_data(self): + """ + Calling `OpenSSL.crypto.load_crl` with file data which can't be loaded + raises a `OpenSSL.crypto.Error`. + """ + with pytest.raises(Error): + load_crl(FILETYPE_PEM, b"hello, world") + + def test_get_issuer(self): + """ + Load a known CRL and assert its issuer's common name is what we expect + from the encoded crlData string. + """ + crl = load_crl(FILETYPE_PEM, crlData) + assert isinstance(crl.get_issuer(), X509Name) + assert crl.get_issuer().CN == "Testing Root CA" + + def test_dump_crl(self): + """ + The dumped CRL matches the original input. + """ + crl = load_crl(FILETYPE_PEM, crlData) + buf = dump_crl(FILETYPE_PEM, crl) + assert buf == crlData + + def _make_test_crl(self, issuer_cert, issuer_key, certs=()): + """ + Create a CRL. + + :param list[X509] certs: A list of certificates to revoke. + :rtype: CRL + """ + crl = CRL() + for cert in certs: + revoked = Revoked() + # FIXME: This string splicing is an unfortunate implementation + # detail that has been reported in + # https://github.com/pyca/pyopenssl/issues/258 + serial = hex(cert.get_serial_number())[2:].encode("utf-8") + revoked.set_serial(serial) + revoked.set_reason(b"unspecified") + revoked.set_rev_date(b"20140601000000Z") + crl.add_revoked(revoked) + crl.set_version(1) + crl.set_lastUpdate(b"20140601000000Z") + crl.set_nextUpdate(b"20180601000000Z") + crl.sign(issuer_cert, issuer_key, digest=b"sha512") + return crl + + def test_verify_with_revoked(self): + """ + `verify_certificate` raises error when an intermediate certificate is + revoked. + """ + store = X509Store() + store.add_cert(self.root_cert) + store.add_cert(self.intermediate_cert) + root_crl = self._make_test_crl( + self.root_cert, self.root_key, certs=[self.intermediate_cert] + ) + intermediate_crl = self._make_test_crl( + self.intermediate_cert, self.intermediate_key, certs=[] + ) + store.add_crl(root_crl) + store.add_crl(intermediate_crl) + store.set_flags( + X509StoreFlags.CRL_CHECK | X509StoreFlags.CRL_CHECK_ALL + ) + store_ctx = X509StoreContext(store, self.intermediate_server_cert) + with pytest.raises(X509StoreContextError) as err: + store_ctx.verify_certificate() + assert err.value.args[0][2] == "certificate revoked" + + def test_verify_with_missing_crl(self): + """ + `verify_certificate` raises error when an intermediate certificate's + CRL is missing. + """ + store = X509Store() + store.add_cert(self.root_cert) + store.add_cert(self.intermediate_cert) + root_crl = self._make_test_crl( + self.root_cert, self.root_key, certs=[self.intermediate_cert] + ) + store.add_crl(root_crl) + store.set_flags( + X509StoreFlags.CRL_CHECK | X509StoreFlags.CRL_CHECK_ALL + ) + store_ctx = X509StoreContext(store, self.intermediate_server_cert) + with pytest.raises(X509StoreContextError) as err: + store_ctx.verify_certificate() + assert err.value.args[0][2] == "unable to get certificate CRL" + assert err.value.certificate.get_subject().CN == "intermediate-service" + + def test_convert_from_cryptography(self): + crypto_crl = x509.load_pem_x509_crl(crlData, backend) + crl = CRL.from_cryptography(crypto_crl) + assert isinstance(crl, CRL) + + def test_convert_from_cryptography_unsupported_type(self): + with pytest.raises(TypeError): + CRL.from_cryptography(object()) + + def test_convert_to_cryptography_key(self): + crl = load_crl(FILETYPE_PEM, crlData) + crypto_crl = crl.to_cryptography() + assert isinstance(crypto_crl, x509.CertificateRevocationList) + + +class TestX509StoreContext(object): + """ + Tests for `OpenSSL.crypto.X509StoreContext`. + """ + + root_cert = load_certificate(FILETYPE_PEM, root_cert_pem) + intermediate_cert = load_certificate(FILETYPE_PEM, intermediate_cert_pem) + intermediate_server_cert = load_certificate( + FILETYPE_PEM, intermediate_server_cert_pem + ) + + def test_valid(self): + """ + `verify_certificate` returns ``None`` when called with a certificate + and valid chain. + """ + store = X509Store() + store.add_cert(self.root_cert) + store.add_cert(self.intermediate_cert) + store_ctx = X509StoreContext(store, self.intermediate_server_cert) + assert store_ctx.verify_certificate() is None + + def test_reuse(self): + """ + `verify_certificate` can be called multiple times with the same + ``X509StoreContext`` instance to produce the same result. + """ + store = X509Store() + store.add_cert(self.root_cert) + store.add_cert(self.intermediate_cert) + store_ctx = X509StoreContext(store, self.intermediate_server_cert) + assert store_ctx.verify_certificate() is None + assert store_ctx.verify_certificate() is None + + @pytest.mark.parametrize( + "root_cert, chain, verified_cert", + [ + pytest.param( + root_cert, + [intermediate_cert], + intermediate_server_cert, + id="intermediate in chain", + ), + pytest.param( + root_cert, + [], + intermediate_cert, + id="empty chain", + ), + pytest.param( + root_cert, + [root_cert, intermediate_server_cert, intermediate_cert], + intermediate_server_cert, + id="extra certs in chain", + ), + ], + ) + def test_verify_success_with_chain(self, root_cert, chain, verified_cert): + store = X509Store() + store.add_cert(root_cert) + store_ctx = X509StoreContext(store, verified_cert, chain=chain) + assert store_ctx.verify_certificate() is None + + def test_valid_untrusted_chain_reuse(self): + """ + `verify_certificate` using an untrusted chain can be called multiple + times with the same ``X509StoreContext`` instance to produce the same + result. + """ + store = X509Store() + store.add_cert(self.root_cert) + chain = [self.intermediate_cert] + + store_ctx = X509StoreContext( + store, self.intermediate_server_cert, chain=chain + ) + assert store_ctx.verify_certificate() is None + assert store_ctx.verify_certificate() is None + + def test_chain_reference(self): + """ + ``X509StoreContext`` properly keeps references to the untrusted chain + certificates. + """ + store = X509Store() + store.add_cert(self.root_cert) + chain = [load_certificate(FILETYPE_PEM, intermediate_cert_pem)] + + store_ctx = X509StoreContext( + store, self.intermediate_server_cert, chain=chain + ) + + del chain + assert store_ctx.verify_certificate() is None + + @pytest.mark.parametrize( + "root_cert, chain, verified_cert", + [ + pytest.param( + root_cert, + [], + intermediate_server_cert, + id="intermediate missing", + ), + pytest.param( + None, + [intermediate_cert], + intermediate_server_cert, + id="no trusted root", + ), + pytest.param( + None, + [root_cert, intermediate_cert], + intermediate_server_cert, + id="untrusted root, full chain is available", + ), + pytest.param( + intermediate_cert, + [root_cert, intermediate_cert], + intermediate_server_cert, + id="untrusted root, intermediate is trusted and in chain", + ), + ], + ) + def test_verify_fail_with_chain(self, root_cert, chain, verified_cert): + store = X509Store() + if root_cert: + store.add_cert(root_cert) + + store_ctx = X509StoreContext(store, verified_cert, chain=chain) + + with pytest.raises(X509StoreContextError): + store_ctx.verify_certificate() + + @pytest.mark.parametrize( + "chain, expected_error", + [ + pytest.param( + [intermediate_cert, "This is not a certificate"], + TypeError, + id="non-certificate in chain", + ), + pytest.param( + 42, + TypeError, + id="non-list chain", + ), + ], + ) + def test_untrusted_chain_wrong_args(self, chain, expected_error): + """ + Creating ``X509StoreContext`` with wrong chain raises an exception. + """ + store = X509Store() + store.add_cert(self.root_cert) + + with pytest.raises(expected_error): + X509StoreContext(store, self.intermediate_server_cert, chain=chain) + + def test_failure_building_untrusted_chain_raises(self, monkeypatch): + """ + Creating ``X509StoreContext`` raises ``OpenSSL.crypto.Error`` when + the underlying lib fails to add the certificate to the stack. + """ + monkeypatch.setattr(_lib, "sk_X509_push", lambda _stack, _x509: -1) + + store = X509Store() + store.add_cert(self.root_cert) + chain = [self.intermediate_cert] + + with pytest.raises(Error): + X509StoreContext(store, self.intermediate_server_cert, chain=chain) + + def test_trusted_self_signed(self): + """ + `verify_certificate` returns ``None`` when called with a self-signed + certificate and itself in the chain. + """ + store = X509Store() + store.add_cert(self.root_cert) + store_ctx = X509StoreContext(store, self.root_cert) + assert store_ctx.verify_certificate() is None + + def test_untrusted_self_signed(self): + """ + `verify_certificate` raises error when a self-signed certificate is + verified without itself in the chain. + """ + store = X509Store() + store_ctx = X509StoreContext(store, self.root_cert) + with pytest.raises(X509StoreContextError) as exc: + store_ctx.verify_certificate() + + assert exc.value.args[0][2] == "self signed certificate" + assert exc.value.certificate.get_subject().CN == "Testing Root CA" + + def test_invalid_chain_no_root(self): + """ + `verify_certificate` raises error when a root certificate is missing + from the chain. + """ + store = X509Store() + store.add_cert(self.intermediate_cert) + store_ctx = X509StoreContext(store, self.intermediate_server_cert) + + with pytest.raises(X509StoreContextError) as exc: + store_ctx.verify_certificate() + + assert exc.value.args[0][2] == "unable to get issuer certificate" + assert exc.value.certificate.get_subject().CN == "intermediate" + + def test_invalid_chain_no_intermediate(self): + """ + `verify_certificate` raises error when an intermediate certificate is + missing from the chain. + """ + store = X509Store() + store.add_cert(self.root_cert) + store_ctx = X509StoreContext(store, self.intermediate_server_cert) + + with pytest.raises(X509StoreContextError) as exc: + store_ctx.verify_certificate() + + assert exc.value.args[0][2] == "unable to get local issuer certificate" + assert exc.value.certificate.get_subject().CN == "intermediate-service" + + def test_modification_pre_verify(self): + """ + `verify_certificate` can use a store context modified after + instantiation. + """ + store_bad = X509Store() + store_bad.add_cert(self.intermediate_cert) + store_good = X509Store() + store_good.add_cert(self.root_cert) + store_good.add_cert(self.intermediate_cert) + store_ctx = X509StoreContext(store_bad, self.intermediate_server_cert) + + with pytest.raises(X509StoreContextError) as exc: + store_ctx.verify_certificate() + + assert exc.value.args[0][2] == "unable to get issuer certificate" + assert exc.value.certificate.get_subject().CN == "intermediate" + + store_ctx.set_store(store_good) + assert store_ctx.verify_certificate() is None + + def test_verify_with_time(self): + """ + `verify_certificate` raises error when the verification time is + set at notAfter. + """ + store = X509Store() + store.add_cert(self.root_cert) + store.add_cert(self.intermediate_cert) + + expire_time = self.intermediate_server_cert.get_notAfter() + expire_datetime = datetime.strptime( + expire_time.decode("utf-8"), "%Y%m%d%H%M%SZ" + ) + store.set_time(expire_datetime) + + store_ctx = X509StoreContext(store, self.intermediate_server_cert) + with pytest.raises(X509StoreContextError) as exc: + store_ctx.verify_certificate() + + assert exc.value.args[0][2] == "certificate has expired" + + def test_get_verified_chain(self): + """ + `get_verified_chain` returns the verified chain. + """ + store = X509Store() + store.add_cert(self.root_cert) + store.add_cert(self.intermediate_cert) + store_ctx = X509StoreContext(store, self.intermediate_server_cert) + chain = store_ctx.get_verified_chain() + assert len(chain) == 3 + intermediate_subject = self.intermediate_server_cert.get_subject() + assert chain[0].get_subject() == intermediate_subject + assert chain[1].get_subject() == self.intermediate_cert.get_subject() + assert chain[2].get_subject() == self.root_cert.get_subject() + # Test reuse + chain = store_ctx.get_verified_chain() + assert len(chain) == 3 + assert chain[0].get_subject() == intermediate_subject + assert chain[1].get_subject() == self.intermediate_cert.get_subject() + assert chain[2].get_subject() == self.root_cert.get_subject() + + def test_get_verified_chain_invalid_chain_no_root(self): + """ + `get_verified_chain` raises error when cert verification fails. + """ + store = X509Store() + store.add_cert(self.intermediate_cert) + store_ctx = X509StoreContext(store, self.intermediate_server_cert) + + with pytest.raises(X509StoreContextError) as exc: + store_ctx.get_verified_chain() + + assert exc.value.args[0][2] == "unable to get issuer certificate" + assert exc.value.certificate.get_subject().CN == "intermediate" + + @pytest.fixture + def root_ca_file(self, tmpdir): + return self._create_ca_file(tmpdir, "root_ca_hash_dir", self.root_cert) + + @pytest.fixture + def intermediate_ca_file(self, tmpdir): + return self._create_ca_file( + tmpdir, "intermediate_ca_hash_dir", self.intermediate_cert + ) + + @staticmethod + def _create_ca_file(base_path, hash_directory, cacert): + ca_hash = "{:08x}.0".format(cacert.subject_name_hash()) + cafile = base_path.join(hash_directory, ca_hash) + cafile.write_binary( + dump_certificate(FILETYPE_PEM, cacert), ensure=True + ) + return cafile + + def test_verify_with_ca_file_location(self, root_ca_file): + store = X509Store() + store.load_locations(str(root_ca_file)) + + store_ctx = X509StoreContext(store, self.intermediate_cert) + store_ctx.verify_certificate() + + def test_verify_with_ca_path_location(self, root_ca_file): + store = X509Store() + store.load_locations(None, str(root_ca_file.dirname)) + + store_ctx = X509StoreContext(store, self.intermediate_cert) + store_ctx.verify_certificate() + + def test_verify_with_cafile_and_capath( + self, root_ca_file, intermediate_ca_file + ): + store = X509Store() + store.load_locations( + cafile=str(root_ca_file), capath=str(intermediate_ca_file.dirname) + ) + + store_ctx = X509StoreContext(store, self.intermediate_server_cert) + store_ctx.verify_certificate() + + def test_verify_with_multiple_ca_files( + self, root_ca_file, intermediate_ca_file + ): + store = X509Store() + store.load_locations(str(root_ca_file)) + store.load_locations(str(intermediate_ca_file)) + + store_ctx = X509StoreContext(store, self.intermediate_server_cert) + store_ctx.verify_certificate() + + def test_verify_failure_with_empty_ca_directory(self, tmpdir): + store = X509Store() + store.load_locations(None, str(tmpdir)) + + store_ctx = X509StoreContext(store, self.intermediate_cert) + with pytest.raises(X509StoreContextError) as exc: + store_ctx.verify_certificate() + + assert exc.value.args[0][2] == "unable to get local issuer certificate" + + +class TestSignVerify(object): + """ + Tests for `OpenSSL.crypto.sign` and `OpenSSL.crypto.verify`. + """ + + def test_sign_verify(self): + """ + `sign` generates a cryptographic signature which `verify` can check. + """ + content = ( + b"It was a bright cold day in April, and the clocks were striking " + b"thirteen. Winston Smith, his chin nuzzled into his breast in an " + b"effort to escape the vile wind, slipped quickly through the " + b"glass doors of Victory Mansions, though not quickly enough to " + b"prevent a swirl of gritty dust from entering along with him." + ) + + # sign the content with this private key + priv_key = load_privatekey(FILETYPE_PEM, root_key_pem) + # verify the content with this cert + good_cert = load_certificate(FILETYPE_PEM, root_cert_pem) + # certificate unrelated to priv_key, used to trigger an error + bad_cert = load_certificate(FILETYPE_PEM, server_cert_pem) + + for digest in ["md5", "sha1"]: + sig = sign(priv_key, content, digest) + + # Verify the signature of content, will throw an exception if + # error. + verify(good_cert, sig, content, digest) + + # This should fail because the certificate doesn't match the + # private key that was used to sign the content. + with pytest.raises(Error): + verify(bad_cert, sig, content, digest) + + # This should fail because we've "tainted" the content after + # signing it. + with pytest.raises(Error): + verify(good_cert, sig, content + b"tainted", digest) + + # test that unknown digest types fail + with pytest.raises(ValueError): + sign(priv_key, content, "strange-digest") + with pytest.raises(ValueError): + verify(good_cert, sig, content, "strange-digest") + + def test_sign_verify_with_text(self): + """ + `sign` generates a cryptographic signature which + `verify` can check. Deprecation warnings raised because using + text instead of bytes as content + """ + content = ( + b"It was a bright cold day in April, and the clocks were striking " + b"thirteen. Winston Smith, his chin nuzzled into his breast in an " + b"effort to escape the vile wind, slipped quickly through the " + b"glass doors of Victory Mansions, though not quickly enough to " + b"prevent a swirl of gritty dust from entering along with him." + ).decode("ascii") + + priv_key = load_privatekey(FILETYPE_PEM, root_key_pem) + cert = load_certificate(FILETYPE_PEM, root_cert_pem) + for digest in ["md5", "sha1"]: + with pytest.warns(DeprecationWarning) as w: + simplefilter("always") + sig = sign(priv_key, content, digest) + assert "{0} for data is no longer accepted, use bytes".format( + WARNING_TYPE_EXPECTED + ) == str(w[-1].message) + + with pytest.warns(DeprecationWarning) as w: + simplefilter("always") + verify(cert, sig, content, digest) + assert "{0} for data is no longer accepted, use bytes".format( + WARNING_TYPE_EXPECTED + ) == str(w[-1].message) + + def test_sign_verify_ecdsa(self): + """ + `sign` generates a cryptographic signature which `verify` can check. + ECDSA Signatures in the X9.62 format may have variable length, + different from the length of the private key. + """ + content = ( + b"It was a bright cold day in April, and the clocks were striking " + b"thirteen. Winston Smith, his chin nuzzled into his breast in an " + b"effort to escape the vile wind, slipped quickly through the " + b"glass doors of Victory Mansions, though not quickly enough to " + b"prevent a swirl of gritty dust from entering along with him." + ) + priv_key = load_privatekey(FILETYPE_PEM, ec_root_key_pem) + cert = load_certificate(FILETYPE_PEM, ec_root_cert_pem) + sig = sign(priv_key, content, "sha1") + verify(cert, sig, content, "sha1") + + def test_sign_nulls(self): + """ + `sign` produces a signature for a string with embedded nulls. + """ + content = b"Watch out! \0 Did you see it?" + priv_key = load_privatekey(FILETYPE_PEM, root_key_pem) + good_cert = load_certificate(FILETYPE_PEM, root_cert_pem) + sig = sign(priv_key, content, "sha1") + verify(good_cert, sig, content, "sha1") + + def test_sign_with_large_key(self): + """ + `sign` produces a signature for a string when using a long key. + """ + content = ( + b"It was a bright cold day in April, and the clocks were striking " + b"thirteen. Winston Smith, his chin nuzzled into his breast in an " + b"effort to escape the vile wind, slipped quickly through the " + b"glass doors of Victory Mansions, though not quickly enough to " + b"prevent a swirl of gritty dust from entering along with him." + ) + + priv_key = load_privatekey(FILETYPE_PEM, large_key_pem) + sign(priv_key, content, "sha1") + + +class TestEllipticCurve(object): + """ + Tests for `_EllipticCurve`, `get_elliptic_curve`, and + `get_elliptic_curves`. + """ + + def test_set(self): + """ + `get_elliptic_curves` returns a `set`. + """ + assert isinstance(get_elliptic_curves(), set) + + def test_a_curve(self): + """ + `get_elliptic_curve` can be used to retrieve a particular supported + curve. + """ + curves = get_elliptic_curves() + curve = next(iter(curves)) + assert curve.name == get_elliptic_curve(curve.name).name + + def test_not_a_curve(self): + """ + `get_elliptic_curve` raises `ValueError` if called with a name which + does not identify a supported curve. + """ + with pytest.raises(ValueError): + get_elliptic_curve(u"this curve was just invented") + + def test_repr(self): + """ + The string representation of a curve object includes simply states the + object is a curve and what its name is. + """ + curves = get_elliptic_curves() + curve = next(iter(curves)) + assert "<Curve %r>" % (curve.name,) == repr(curve) + + def test_to_EC_KEY(self): + """ + The curve object can export a version of itself as an EC_KEY* via the + private `_EllipticCurve._to_EC_KEY`. + """ + curves = get_elliptic_curves() + curve = next(iter(curves)) + # It's not easy to assert anything about this object. However, see + # leakcheck/crypto.py for a test that demonstrates it at least does + # not leak memory. + curve._to_EC_KEY() + + +class EllipticCurveFactory(object): + """ + A helper to get the names of two curves. + """ + + def __init__(self): + curves = iter(get_elliptic_curves()) + self.curve_name = next(curves).name + self.another_curve_name = next(curves).name + + +class TestEllipticCurveEquality(EqualityTestsMixin): + """ + Tests `_EllipticCurve`'s implementation of ``==`` and ``!=``. + """ + + curve_factory = EllipticCurveFactory() + + if curve_factory.curve_name is None: + skip = "There are no curves available there can be no curve objects." + + def anInstance(self): + """ + Get the curve object for an arbitrary curve supported by the system. + """ + return get_elliptic_curve(self.curve_factory.curve_name) + + def anotherInstance(self): + """ + Get the curve object for an arbitrary curve supported by the system - + but not the one returned by C{anInstance}. + """ + return get_elliptic_curve(self.curve_factory.another_curve_name) + + +class TestEllipticCurveHash(object): + """ + Tests for `_EllipticCurve`'s implementation of hashing (thus use as + an item in a `dict` or `set`). + """ + + curve_factory = EllipticCurveFactory() + + if curve_factory.curve_name is None: + skip = "There are no curves available there can be no curve objects." + + def test_contains(self): + """ + The ``in`` operator reports that a `set` containing a curve does + contain that curve. + """ + curve = get_elliptic_curve(self.curve_factory.curve_name) + curves = set([curve]) + assert curve in curves + + def test_does_not_contain(self): + """ + The ``in`` operator reports that a `set` not containing a curve + does not contain that curve. + """ + curve = get_elliptic_curve(self.curve_factory.curve_name) + curves = set( + [get_elliptic_curve(self.curve_factory.another_curve_name)] + ) + assert curve not in curves |