def test_truncated_extension(self):
"""
Include an extension without as much data as it specifies.
"""
self.assert_raises(certificate(extension_data = [b'']), 'Ed25519 extension is missing header field data')
self.assert_raises(certificate(extension_data = [b'\x50\x00\x00\x00\x15\x12']), "Ed25519 extension is truncated. It should have 20480 bytes of data but there's only 2.")
def test_with_invalid_cert_type(self):
"""
Provide an invalid certificate version. Tor specifies a couple ranges that
are reserved.
"""
self.assert_raises(certificate(cert_type = 0), 'Ed25519 certificate cannot have a type of 0. This is reserved to avoid conflicts with tor CERTS cells.')
self.assert_raises(certificate(cert_type = 7), 'Ed25519 certificate cannot have a type of 7. This is reserved for RSA identity cross-certification.')
def test_truncated_extension(self):
"""
Include an extension without as much data as it specifies.
"""
exc_msg = 'Ed25519 extension is missing header fields'
self.assertRaisesWith(ValueError, exc_msg, Ed25519Certificate.from_base64, certificate(extension_data = [b'']))
exc_msg = "Ed25519 extension is truncated. It should have 20480 bytes of data but there's only 2."
self.assertRaisesWith(ValueError, exc_msg, Ed25519Certificate.from_base64, certificate(extension_data = [b'\x50\x00\x00\x00\x15\x12']))
def test_truncated_extension(self):
"""
Include an extension without as much data as it specifies.
"""
self.assert_raises(certificate(extension_data=[b'']),
'Ed25519 extension is missing header field data')
self.assert_raises(
certificate(extension_data=[b'\x50\x00\x00\x00\x15\x12']),
"Ed25519 extension is truncated. It should have 20480 bytes of data but there's only 2."
)
def test_with_invalid_cert_type(self):
"""
Provide an invalid certificate version. Tor specifies a couple ranges that
are reserved.
"""
exc_msg = 'Ed25519 certificate cannot have a type of 0. This is reserved to avoid conflicts with tor CERTS cells.'
self.assertRaisesWith(ValueError, exc_msg, Ed25519Certificate.parse,
certificate(cert_type=0))
exc_msg = 'Ed25519 certificate cannot have a type of 7. This is reserved for RSA identity cross-certification.'
self.assertRaisesWith(ValueError, exc_msg, Ed25519Certificate.parse,
certificate(cert_type=7))
def test_with_invalid_cert_type(self):
"""
Provide an invalid certificate version. Tor specifies a couple ranges that
are reserved.
"""
self.assert_raises(
certificate(cert_type=0),
'Ed25519 certificate cannot have a type of 0. This is reserved to avoid conflicts with tor CERTS cells.'
)
self.assert_raises(
certificate(cert_type=7),
'Ed25519 certificate cannot have a type of 7. This is reserved for RSA identity cross-certification.'
)
def test_with_invalid_cert_type(self):
"""
Provide an invalid certificate version. Tor specifies a couple ranges that
are reserved.
"""
exc_msg = 'Ed25519 certificate type 0 is unrecognized'
self.assertRaisesWith(ValueError, exc_msg, Ed25519Certificate.from_base64, certificate(cert_type = 0))
exc_msg = 'Ed25519 certificate cannot have a type of 1. This is reserved for CERTS cells.'
self.assertRaisesWith(ValueError, exc_msg, Ed25519Certificate.from_base64, certificate(cert_type = 1))
exc_msg = 'Ed25519 certificate cannot have a type of 7. This is reserved for RSA identity cross-certification.'
self.assertRaisesWith(ValueError, exc_msg, Ed25519Certificate.from_base64, certificate(cert_type = 7))
def test_truncated_signing_key(self):
"""
Include an extension with an incorrect signing key size.
"""
exc_msg = 'Ed25519 HAS_SIGNING_KEY extension must be 32 bytes, but was 2.'
self.assertRaisesWith(ValueError, exc_msg, Ed25519Certificate.from_base64, certificate(extension_data = [b'\x00\x02\x04\x07\11\12']))
def test_extra_extension_data(self):
"""
Include an extension with more data than it specifies.
"""
exc_msg = 'Ed25519 certificate had 1 bytes of unused extension data'
self.assertRaisesWith(ValueError, exc_msg, Ed25519Certificate.from_base64, certificate(extension_data = [b'\x00\x01\x00\x00\x15\x12']))
def test_basic_parsing(self):
"""
Parse a basic test certificate.
"""
signing_key = b'\x11' * 32
cert_bytes = certificate(extension_data = [b'\x00\x20\x04\x07' + signing_key, b'\x00\x00\x05\x04'])
cert = Ed25519Certificate.parse(cert_bytes)
self.assertEqual(Ed25519CertificateV1, type(cert))
self.assertEqual(1, cert.version)
self.assertEqual(cert_bytes, cert.encoded)
self.assertEqual(CertType.SIGNING, cert.type)
self.assertEqual(datetime.datetime(1970, 1, 1, 0, 0), cert.expiration)
self.assertEqual(1, cert.key_type)
self.assertEqual(b'\x03' * 32, cert.key)
self.assertEqual(b'\x01' * ED25519_SIGNATURE_LENGTH, cert.signature)
self.assertEqual([
Ed25519Extension(type = ExtensionType.HAS_SIGNING_KEY, flags = [ExtensionFlag.AFFECTS_VALIDATION, ExtensionFlag.UNKNOWN], flag_int = 7, data = signing_key),
Ed25519Extension(type = 5, flags = [ExtensionFlag.UNKNOWN], flag_int = 4, data = b''),
], cert.extensions)
self.assertEqual(ExtensionType.HAS_SIGNING_KEY, cert.extensions[0].type)
self.assertTrue(cert.is_expired())
def test_with_invalid_version(self):
"""
We cannot support other certificate versions until they're documented.
Assert we raise if we don't handle a cert version yet.
"""
self.assert_raises(certificate(version = 2), 'Ed25519 certificate is version 2. Parser presently only supports version 1.')
def test_basic_parsing(self):
"""
Parse a basic test certificate.
"""
signing_key = b'\x11' * 32
cert_bytes = certificate(extension_data=[
b'\x00\x20\x04\x07' + signing_key, b'\x00\x00\x05\x04'
])
cert = Ed25519Certificate.from_base64(cert_bytes)
self.assertEqual(Ed25519CertificateV1, type(cert))
self.assertEqual(1, cert.version)
self.assertEqual(stem.util.str_tools._to_unicode(cert_bytes),
cert.to_base64().replace('\n', ''))
self.assertEqual(CertType.ED25519_SIGNING, cert.type)
self.assertEqual(datetime.datetime(1970, 1, 1, 0, 0), cert.expiration)
self.assertEqual(1, cert.key_type)
self.assertEqual(b'\x03' * 32, cert.key)
self.assertEqual(b'\x01' * ED25519_SIGNATURE_LENGTH, cert.signature)
self.assertEqual([
Ed25519Extension(ExtensionType.HAS_SIGNING_KEY, 7, signing_key),
Ed25519Extension(5, 4, b''),
], cert.extensions)
self.assertEqual(ExtensionType.HAS_SIGNING_KEY,
cert.extensions[0].type)
self.assertTrue(cert.is_expired())
def test_basic_parsing(self):
"""
Parse a basic test certificate.
"""
signing_key = b'\x11' * 32
cert_bytes = certificate(extension_data=[
b'\x00\x20\x04\x07' + signing_key, b'\x00\x00\x05\x04'
])
cert = Ed25519Certificate.parse(cert_bytes)
self.assertEqual(Ed25519CertificateV1, type(cert))
self.assertEqual(1, cert.version)
self.assertEqual(cert_bytes, cert.encoded)
self.assertEqual(CertType.SIGNING, cert.type)
self.assertEqual(datetime.datetime(1970, 1, 1, 0, 0), cert.expiration)
self.assertEqual(1, cert.key_type)
self.assertEqual(b'\x03' * 32, cert.key)
self.assertEqual(b'\x01' * ED25519_SIGNATURE_LENGTH, cert.signature)
self.assertEqual([
Ed25519Extension(type=ExtensionType.HAS_SIGNING_KEY,
flags=[
ExtensionFlag.AFFECTS_VALIDATION,
ExtensionFlag.UNKNOWN
],
flag_int=7,
data=signing_key),
Ed25519Extension(
type=5, flags=[ExtensionFlag.UNKNOWN], flag_int=4, data=b''),
], cert.extensions)
self.assertEqual(ExtensionType.HAS_SIGNING_KEY,
cert.extensions[0].type)
self.assertTrue(cert.is_expired())
def test_extra_extension_data(self):
"""
Include an extension with more data than it specifies.
"""
self.assert_raises(
certificate(extension_data=[b'\x00\x01\x00\x00\x15\x12']),
"Ed25519 certificate had 1 bytes of unused extension data")
def test_truncated_signing_key(self):
"""
Include an extension with an incorrect signing key size.
"""
self.assert_raises(
certificate(extension_data=[b'\x00\x02\x04\x07\11\12']),
"Ed25519 HAS_SIGNING_KEY extension must be 32 bytes, but was 2.")
def test_with_invalid_version(self):
"""
We cannot support other certificate versions until they're documented.
Assert we raise if we don't handle a cert version yet.
"""
exc_msg = 'Ed25519 certificate is version 2. Parser presently only supports version 1.'
self.assertRaisesWith(ValueError, exc_msg, Ed25519Certificate.from_base64, certificate(version = 2))
def test_validation_with_invalid_descriptor(self):
"""
Validate a descriptor without a valid signature.
"""
with open(get_resource('server_descriptor_with_ed25519'), 'rb') as descriptor_file:
desc = next(stem.descriptor.parse_file(descriptor_file, validate = False))
cert = Ed25519Certificate.parse(certificate())
self.assertRaisesRegexp(ValueError, re.escape('Ed25519KeyCertificate signing key is invalid (Signature was forged or corrupt)'), cert.validate, desc)
def test_validation_with_invalid_descriptor(self):
"""
Validate a descriptor without a valid signature.
"""
with open(get_resource('server_descriptor_with_ed25519'), 'rb') as descriptor_file:
desc = next(stem.descriptor.parse_file(descriptor_file, validate = False))
cert = Ed25519Certificate.from_base64(certificate())
self.assertRaisesWith(ValueError, 'Ed25519KeyCertificate signing key is invalid (signature forged or corrupt)', cert.validate, desc)
def test_with_invalid_version(self):
"""
We cannot support other certificate versions until they're documented.
Assert we raise if we don't handle a cert version yet.
"""
self.assert_raises(
certificate(version=2),
'Ed25519 certificate is version 2. Parser presently only supports version 1.'
)
def test_truncated_signing_key(self):
"""
Include an extension with an incorrect signing key size.
"""
self.assert_raises(certificate(extension_data = [b'\x00\x02\x04\x07\11\12']), "Ed25519 HAS_SIGNING_KEY extension must be 32 bytes, but was 2.")
def test_extra_extension_data(self):
"""
Include an extension with more data than it specifies.
"""
self.assert_raises(certificate(extension_data = [b'\x00\x01\x00\x00\x15\x12']), "Ed25519 certificate had 1 bytes of unused extension data")
