    def test_sign_ed448_key(self, backend):
        """Sign a CRL with a freshly generated Ed448 key and read it back.

        Ed448 is a "pure" signature scheme, so ``None`` is passed as the hash
        algorithm: the signed CRL must report no signature hash algorithm and
        the Ed448 signature OID. The non-critical IssuerAlternativeName on the
        CRL and the non-critical InvalidityDate on its single entry must
        survive the round trip.
        """
        signing_key = ed448.Ed448PrivateKey.generate()
        invalidity_date = x509.InvalidityDate(
            datetime.datetime(2002, 1, 1, 0, 0))
        issuer_alt_name = x509.IssuerAlternativeName(
            [x509.UniformResourceIdentifier("https://cryptography.io")])
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(2)
            .revocation_date(datetime.datetime(2012, 1, 1, 1, 1))
            .add_extension(invalidity_date, False)
            .build(backend)
        )
        issuer = x509.Name([
            x509.NameAttribute(NameOID.COMMON_NAME, "cryptography.io CA")
        ])
        builder = (
            x509.CertificateRevocationListBuilder()
            .issuer_name(issuer)
            .last_update(datetime.datetime(2002, 1, 1, 12, 1))
            .next_update(datetime.datetime(2030, 1, 1, 12, 1))
            .add_revoked_certificate(entry)
            .add_extension(issuer_alt_name, False)
        )

        # No external digest for Ed448: the scheme hashes internally.
        crl = builder.sign(signing_key, None, backend)
        assert crl.signature_hash_algorithm is None
        assert crl.signature_algorithm_oid == SignatureAlgorithmOID.ED448
        crl_ian = crl.extensions.get_extension_for_class(
            x509.IssuerAlternativeName)
        assert crl_ian.value == issuer_alt_name
        revoked = crl[0]
        assert revoked.serial_number == entry.serial_number
        assert revoked.revocation_date == entry.revocation_date
        assert len(revoked.extensions) == 1
        ext = revoked.extensions.get_extension_for_class(x509.InvalidityDate)
        assert ext.critical is False
        assert ext.value == invalidity_date
    def test_add_multiple_extensions(self, backend):
        """Attach three distinct CRL entry extensions, all critical.

        InvalidityDate, CRLReason and CertificateIssuer are added in that
        order; the built entry must report exactly three extensions and each
        must come back critical with its original value.
        """
        serial_number = 333
        revocation_date = datetime.datetime(2002, 1, 1, 12, 1)
        extensions = [
            x509.InvalidityDate(datetime.datetime(2015, 1, 1, 0, 0)),
            x509.CRLReason(x509.ReasonFlags.aa_compromise),
            x509.CertificateIssuer([x509.DNSName(u"cryptography.io")]),
        ]
        builder = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial_number)
            .revocation_date(revocation_date)
        )
        for extension in extensions:
            builder = builder.add_extension(extension, True)

        revoked_certificate = builder.build(backend)
        assert len(revoked_certificate.extensions) == 3
        for expected in extensions:
            found = revoked_certificate.extensions.get_extension_for_class(
                type(expected)
            )
            assert found.critical is True
            assert found.value == expected
    def test_sign_ec_key(self, backend):
        """Sign a CRL with a P-256 key and SHA-256, then read it back.

        Skipped when the backend lacks SECP256R1. The non-critical
        IssuerAlternativeName on the CRL and the non-critical InvalidityDate
        on its single entry must round-trip through signing.
        """
        _skip_curve_unsupported(backend, ec.SECP256R1())
        signing_key = ec.generate_private_key(ec.SECP256R1(), backend)
        invalidity_date = x509.InvalidityDate(
            datetime.datetime(2002, 1, 1, 0, 0))
        issuer_alt_name = x509.IssuerAlternativeName(
            [x509.UniformResourceIdentifier("https://cryptography.io")])
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(2)
            .revocation_date(datetime.datetime(2012, 1, 1, 1, 1))
            .add_extension(invalidity_date, False)
            .build(backend)
        )
        issuer = x509.Name([
            x509.NameAttribute(NameOID.COMMON_NAME, "cryptography.io CA")
        ])
        builder = (
            x509.CertificateRevocationListBuilder()
            .issuer_name(issuer)
            .last_update(datetime.datetime(2002, 1, 1, 12, 1))
            .next_update(datetime.datetime(2030, 1, 1, 12, 1))
            .add_revoked_certificate(entry)
            .add_extension(issuer_alt_name, False)
        )

        crl = builder.sign(signing_key, hashes.SHA256(), backend)
        crl_ian = crl.extensions.get_extension_for_class(
            x509.IssuerAlternativeName)
        assert crl_ian.value == issuer_alt_name
        revoked = crl[0]
        assert revoked.serial_number == entry.serial_number
        assert revoked.revocation_date == entry.revocation_date
        assert len(revoked.extensions) == 1
        ext = revoked.extensions.get_extension_for_class(x509.InvalidityDate)
        assert ext.critical is False
        assert ext.value == invalidity_date
    def test_sign_with_revoked_certificates(self, backend):
        """Sign a CRL holding two entries; check order, dates and extensions.

        Entry 0 (serial 38) carries no extensions; entry 1 (serial 2) carries
        a non-critical InvalidityDate. After signing with RSA/SHA-256 the
        entries must come back in insertion order with their dates intact,
        and the CRL must report the lastUpdate/nextUpdate it was given.
        """
        signing_key = RSA_KEY_2048.private_key(backend)
        last_update = datetime.datetime(2002, 1, 1, 12, 1)
        next_update = datetime.datetime(2030, 1, 1, 12, 1)
        invalidity_date = x509.InvalidityDate(
            datetime.datetime(2002, 1, 1, 0, 0))
        plain_entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(38)
            .revocation_date(datetime.datetime(2011, 1, 1, 1, 1))
            .build(backend)
        )
        dated_entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(2)
            .revocation_date(datetime.datetime(2012, 1, 1, 1, 1))
            .add_extension(invalidity_date, False)
            .build(backend)
        )
        issuer = x509.Name([
            x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA")
        ])
        builder = (
            x509.CertificateRevocationListBuilder()
            .issuer_name(issuer)
            .last_update(last_update)
            .next_update(next_update)
            .add_revoked_certificate(plain_entry)
            .add_revoked_certificate(dated_entry)
        )

        crl = builder.sign(signing_key, hashes.SHA256(), backend)
        assert len(crl) == 2
        assert crl.last_update == last_update
        assert crl.next_update == next_update
        for idx, expected in enumerate([plain_entry, dated_entry]):
            assert crl[idx].serial_number == expected.serial_number
            assert crl[idx].revocation_date == expected.revocation_date
        assert len(crl[0].extensions) == 0
        assert len(crl[1].extensions) == 1
        ext = crl[1].extensions.get_extension_for_class(x509.InvalidityDate)
        assert ext.critical is False
        assert ext.value == invalidity_date
    def test_sign_dsa_key(self, backend):
        """Sign a CRL with a 2048-bit DSA key and SHA-256.

        Skipped on OpenSSL older than 1.0.1 (see the version gate below).
        The CRL carries a non-critical IssuerAlternativeName and its only
        entry a non-critical InvalidityDate; both must be readable after
        signing.
        """
        if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
            pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
        signing_key = DSA_KEY_2048.private_key(backend)
        invalidity_date = x509.InvalidityDate(
            datetime.datetime(2002, 1, 1, 0, 0))
        issuer_alt_name = x509.IssuerAlternativeName([
            x509.UniformResourceIdentifier(u"https://cryptography.io"),
        ])
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(2)
            .revocation_date(datetime.datetime(2012, 1, 1, 1, 1))
            .add_extension(invalidity_date, False)
            .build(backend)
        )
        issuer = x509.Name([
            x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA")
        ])
        builder = (
            x509.CertificateRevocationListBuilder()
            .issuer_name(issuer)
            .last_update(datetime.datetime(2002, 1, 1, 12, 1))
            .next_update(datetime.datetime(2030, 1, 1, 12, 1))
            .add_revoked_certificate(entry)
            .add_extension(issuer_alt_name, False)
        )

        crl = builder.sign(signing_key, hashes.SHA256(), backend)
        crl_ian = crl.extensions.get_extension_for_class(
            x509.IssuerAlternativeName)
        assert crl_ian.value == issuer_alt_name
        revoked = crl[0]
        assert revoked.serial_number == entry.serial_number
        assert revoked.revocation_date == entry.revocation_date
        assert len(revoked.extensions) == 1
        ext = revoked.extensions.get_extension_for_class(x509.InvalidityDate)
        assert ext.critical is False
        assert ext.value == invalidity_date
def _decode_invalidity_date(backend, inv_date):
    """Wrap a decoded OpenSSL InvalidityDate value as ``x509.InvalidityDate``.

    ``inv_date`` is the raw extension payload from the backend's FFI layer. It
    is reinterpreted as an ``ASN1_GENERALIZEDTIME *`` and registered with the
    FFI garbage collector so ``ASN1_GENERALIZEDTIME_free`` runs when the
    Python wrapper is collected, then parsed into a datetime.
    """
    ffi, lib = backend._ffi, backend._lib
    asn1_time = ffi.gc(
        ffi.cast("ASN1_GENERALIZEDTIME *", inv_date),
        lib.ASN1_GENERALIZEDTIME_free,
    )
    parsed = _parse_asn1_generalized_time(backend, asn1_time)
    return x509.InvalidityDate(parsed)
    def _generate_crl(self):
        """Build and sign the CRL, returning its serialized bytes.

        The issuer name is assembled from ``self.issuer`` (pairs of attribute
        name and value); a ``ValueError`` raised while converting it is
        re-raised as ``CRLError``. In update mode (``self.update`` with an
        existing ``self.crl`` loaded) every entry of the old CRL is carried
        over unless its ``_compress_entry`` form matches one of the entries
        being added now, so a re-specified entry replaces the old one instead
        of duplicating it. Each new entry receives the optional
        CertificateIssuer, CRLReason and InvalidityDate extensions with the
        per-entry criticality flags from the entry dict.

        Side effect: ``self.crl`` is replaced by the signed CRL object.
        Returns PEM bytes when ``self.format == 'pem'``, DER bytes otherwise.
        """
        backend = default_backend()

        def build_entry(entry):
            # One RevokedCertificate from a normalized entry dict.
            revoked = (
                RevokedCertificateBuilder()
                .serial_number(entry['serial_number'])
                .revocation_date(entry['revocation_date'])
            )
            if entry['issuer'] is not None:
                issuer_ext = x509.CertificateIssuer([
                    cryptography_get_name(name, 'issuer')
                    for name in entry['issuer']
                ])
                revoked = revoked.add_extension(
                    issuer_ext, entry['issuer_critical'])
            if entry['reason'] is not None:
                revoked = revoked.add_extension(
                    x509.CRLReason(entry['reason']), entry['reason_critical'])
            if entry['invalidity_date'] is not None:
                revoked = revoked.add_extension(
                    x509.InvalidityDate(entry['invalidity_date']),
                    entry['invalidity_date_critical'])
            return revoked.build(backend)

        crl = CertificateRevocationListBuilder()
        try:
            issuer_name = Name([
                NameAttribute(cryptography_name_to_oid(attr),
                              to_text(value))
                for attr, value in self.issuer
            ])
            crl = crl.issuer_name(issuer_name)
        except ValueError as e:
            raise CRLError(e)

        crl = crl.last_update(self.last_update).next_update(self.next_update)

        if self.update and self.crl:
            # Keep old entries that are not superseded by a new definition.
            superseded = {
                self._compress_entry(entry)
                for entry in self.revoked_certificates
            }
            for old_entry in self.crl:
                key = self._compress_entry(
                    cryptography_decode_revoked_certificate(old_entry))
                if key not in superseded:
                    crl = crl.add_revoked_certificate(old_entry)

        for entry in self.revoked_certificates:
            crl = crl.add_revoked_certificate(build_entry(entry))

        self.crl = crl.sign(self.privatekey, self.digest, backend=backend)
        encoding = Encoding.PEM if self.format == 'pem' else Encoding.DER
        return self.crl.public_bytes(encoding)
    def get_revocation(self):
        """Return this certificate as a ``RevokedCertificate`` for a CRL.

        Raises ``ValueError`` when the certificate is not marked revoked. A
        CRLReason is attached only when the reason is something other than
        ``unspecified`` (RFC 5280, 5.3.1: the reasonCode extension SHOULD be
        absent instead of carrying the unspecified (0) value), and an
        InvalidityDate only when a compromise time is recorded. Both are
        non-critical; RFC 5280, 5.3.2 requires that for InvalidityDate.
        """
        if self.revoked is False:
            raise ValueError('Certificate is not revoked.')

        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(self.x509.serial_number)
            .revocation_date(self.revoked_date)
        )

        reason = self.get_revocation_reason()
        if reason != x509.ReasonFlags.unspecified:
            entry = entry.add_extension(x509.CRLReason(reason), critical=False)

        compromised = self.get_compromised_time()
        if compromised:
            entry = entry.add_extension(
                x509.InvalidityDate(compromised), critical=False)

        return entry.build(default_backend())
class TestRevokedCertificateBuilder(object):
    """Argument validation and round-trip behaviour of RevokedCertificateBuilder.

    The validation tests (serial-number bounds, date type and range, repeated
    setters, duplicate or invalid extensions) need no backend; the tests that
    call ``build`` are marked as requiring an X509Backend.
    """

    def test_serial_number_must_be_integer(self):
        """A non-int serial number is rejected with TypeError."""
        builder = x509.RevokedCertificateBuilder()
        with pytest.raises(TypeError):
            builder.serial_number("notanx509name")

    def test_serial_number_must_be_non_negative(self):
        """A negative serial number is rejected with ValueError."""
        builder = x509.RevokedCertificateBuilder()
        with pytest.raises(ValueError):
            builder.serial_number(-1)

    def test_serial_number_must_be_positive(self):
        """Zero is rejected as well: serial numbers must be positive."""
        builder = x509.RevokedCertificateBuilder()
        with pytest.raises(ValueError):
            builder.serial_number(0)

    @pytest.mark.requires_backend_interface(interface=X509Backend)
    def test_minimal_serial_number(self, backend):
        """Serial 1, the smallest accepted value, builds and reads back."""
        revoked_certificate = (
            x509.RevokedCertificateBuilder()
            .serial_number(1)
            .revocation_date(datetime.datetime(2002, 1, 1, 12, 1))
            .build(backend)
        )
        assert revoked_certificate.serial_number == 1

    @pytest.mark.requires_backend_interface(interface=X509Backend)
    def test_biggest_serial_number(self, backend):
        """2**159 - 1 is the largest serial the builder accepts.

        RFC 5280, 4.1.2.2 caps serial numbers at 20 octets; as a positive DER
        INTEGER that leaves 159 usable bits.
        """
        biggest = (1 << 159) - 1
        revoked_certificate = (
            x509.RevokedCertificateBuilder()
            .serial_number(biggest)
            .revocation_date(datetime.datetime(2002, 1, 1, 12, 1))
            .build(backend)
        )
        assert revoked_certificate.serial_number == biggest

    def test_serial_number_must_be_less_than_160_bits_long(self):
        """2**159 needs 160 bits and is rejected."""
        builder = x509.RevokedCertificateBuilder()
        with pytest.raises(ValueError):
            builder.serial_number(1 << 159)

    def test_set_serial_number_twice(self):
        """The serial number can only be set once per builder."""
        builder = x509.RevokedCertificateBuilder().serial_number(3)
        with pytest.raises(ValueError):
            builder.serial_number(4)

    def test_revocation_date_invalid(self):
        """A non-datetime revocation date is rejected with TypeError."""
        builder = x509.RevokedCertificateBuilder()
        with pytest.raises(TypeError):
            builder.revocation_date("notadatetime")

    def test_revocation_date_before_unix_epoch(self):
        """A revocation date before 1970 is rejected with ValueError."""
        builder = x509.RevokedCertificateBuilder()
        with pytest.raises(ValueError):
            builder.revocation_date(datetime.datetime(1960, 8, 10))

    def test_set_revocation_date_twice(self):
        """The revocation date can only be set once per builder."""
        when = datetime.datetime(2002, 1, 1, 12, 1)
        builder = x509.RevokedCertificateBuilder().revocation_date(when)
        with pytest.raises(ValueError):
            builder.revocation_date(when)

    def test_add_extension_checks_for_duplicates(self):
        """Adding the same extension class twice is rejected."""
        reason = x509.CRLReason(x509.ReasonFlags.ca_compromise)
        builder = x509.RevokedCertificateBuilder().add_extension(reason, False)

        with pytest.raises(ValueError):
            builder.add_extension(reason, False)

    def test_add_invalid_extension(self):
        """A value that is not an ExtensionType is rejected with TypeError."""
        builder = x509.RevokedCertificateBuilder()
        with pytest.raises(TypeError):
            builder.add_extension("notanextension", False)

    @pytest.mark.requires_backend_interface(interface=X509Backend)
    def test_no_serial_number(self, backend):
        """build() without a serial number fails with ValueError."""
        builder = x509.RevokedCertificateBuilder().revocation_date(
            datetime.datetime(2002, 1, 1, 12, 1))

        with pytest.raises(ValueError):
            builder.build(backend)

    @pytest.mark.requires_backend_interface(interface=X509Backend)
    def test_no_revocation_date(self, backend):
        """build() without a revocation date fails with ValueError."""
        builder = x509.RevokedCertificateBuilder().serial_number(3)

        with pytest.raises(ValueError):
            builder.build(backend)

    @pytest.mark.requires_backend_interface(interface=X509Backend)
    def test_create_revoked(self, backend):
        """A minimal entry round-trips serial and date with no extensions."""
        serial_number = 333
        revocation_date = datetime.datetime(2002, 1, 1, 12, 1)
        revoked_certificate = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial_number)
            .revocation_date(revocation_date)
            .build(backend)
        )
        assert revoked_certificate.serial_number == serial_number
        assert revoked_certificate.revocation_date == revocation_date
        assert len(revoked_certificate.extensions) == 0

    @pytest.mark.parametrize("extension", [
        x509.InvalidityDate(datetime.datetime(2015, 1, 1, 0, 0)),
        x509.CRLReason(x509.ReasonFlags.ca_compromise),
        x509.CertificateIssuer([
            x509.DNSName(u"cryptography.io"),
        ])
    ])
    @pytest.mark.requires_backend_interface(interface=X509Backend)
    def test_add_extensions(self, backend, extension):
        """Each supported entry extension round-trips, non-critical."""
        serial_number = 333
        revocation_date = datetime.datetime(2002, 1, 1, 12, 1)
        revoked_certificate = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial_number)
            .revocation_date(revocation_date)
            .add_extension(extension, False)
            .build(backend)
        )
        assert revoked_certificate.serial_number == serial_number
        assert revoked_certificate.revocation_date == revocation_date
        assert len(revoked_certificate.extensions) == 1
        found = revoked_certificate.extensions.get_extension_for_class(
            type(extension))
        assert found.critical is False
        assert found.value == extension

    @pytest.mark.requires_backend_interface(interface=X509Backend)
    def test_add_multiple_extensions(self, backend):
        """Three distinct entry extensions, all critical, round-trip together."""
        serial_number = 333
        revocation_date = datetime.datetime(2002, 1, 1, 12, 1)
        extensions = [
            x509.InvalidityDate(datetime.datetime(2015, 1, 1, 0, 0)),
            x509.CRLReason(x509.ReasonFlags.aa_compromise),
            x509.CertificateIssuer([
                x509.DNSName(u"cryptography.io"),
            ]),
        ]
        builder = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial_number)
            .revocation_date(revocation_date)
        )
        for extension in extensions:
            builder = builder.add_extension(extension, True)

        revoked_certificate = builder.build(backend)
        assert len(revoked_certificate.extensions) == 3
        for expected in extensions:
            found = revoked_certificate.extensions.get_extension_for_class(
                type(expected))
            assert found.critical is True
            assert found.value == expected
class TestRevokedCertificateBuilder(object):
    """Argument validation and round-trip behaviour of RevokedCertificateBuilder.

    Covers serial-number bounds, revocation-date type, range and timezone
    handling, repeated setters, duplicate or invalid extensions, and that
    entries built through a backend read back what was put in.
    """

    def test_serial_number_must_be_integer(self):
        """A non-int serial number is rejected with TypeError."""
        builder = x509.RevokedCertificateBuilder()
        with pytest.raises(TypeError):
            builder.serial_number(
                "notanx509name"  # type: ignore[arg-type]
            )

    def test_serial_number_must_be_non_negative(self):
        """A negative serial number is rejected with ValueError."""
        builder = x509.RevokedCertificateBuilder()
        with pytest.raises(ValueError):
            builder.serial_number(-1)

    def test_serial_number_must_be_positive(self):
        """Zero is rejected as well: serial numbers must be positive."""
        builder = x509.RevokedCertificateBuilder()
        with pytest.raises(ValueError):
            builder.serial_number(0)

    def test_minimal_serial_number(self, backend):
        """Serial 1, the smallest accepted value, builds and reads back."""
        revoked_certificate = (
            x509.RevokedCertificateBuilder()
            .serial_number(1)
            .revocation_date(datetime.datetime(2002, 1, 1, 12, 1))
            .build(backend)
        )
        assert revoked_certificate.serial_number == 1

    def test_biggest_serial_number(self, backend):
        """2**159 - 1 is the largest serial the builder accepts.

        RFC 5280, 4.1.2.2 caps serial numbers at 20 octets; as a positive DER
        INTEGER that leaves 159 usable bits.
        """
        biggest = (1 << 159) - 1
        revoked_certificate = (
            x509.RevokedCertificateBuilder()
            .serial_number(biggest)
            .revocation_date(datetime.datetime(2002, 1, 1, 12, 1))
            .build(backend)
        )
        assert revoked_certificate.serial_number == biggest

    def test_serial_number_must_be_less_than_160_bits_long(self):
        """2**159 needs 160 bits and is rejected."""
        builder = x509.RevokedCertificateBuilder()
        with pytest.raises(ValueError):
            builder.serial_number(1 << 159)

    def test_set_serial_number_twice(self):
        """The serial number can only be set once per builder."""
        builder = x509.RevokedCertificateBuilder().serial_number(3)
        with pytest.raises(ValueError):
            builder.serial_number(4)

    def test_aware_revocation_date(self, backend):
        """A timezone-aware revocation date is stored as naive UTC.

        22:43 US/Pacific on 2012-01-16 must read back as 06:43 UTC on
        2012-01-17.
        """
        local_time = pytz.timezone("US/Pacific").localize(
            datetime.datetime(2012, 1, 16, 22, 43))
        expected_utc = datetime.datetime(2012, 1, 17, 6, 43)
        revoked_certificate = (
            x509.RevokedCertificateBuilder()
            .serial_number(333)
            .revocation_date(local_time)
            .build(backend)
        )
        assert revoked_certificate.revocation_date == expected_utc

    def test_revocation_date_invalid(self):
        """A non-datetime revocation date is rejected with TypeError."""
        builder = x509.RevokedCertificateBuilder()
        with pytest.raises(TypeError):
            builder.revocation_date(
                "notadatetime"  # type: ignore[arg-type]
            )

    def test_revocation_date_before_1950(self):
        """A revocation date before 1950 is rejected with ValueError."""
        builder = x509.RevokedCertificateBuilder()
        with pytest.raises(ValueError):
            builder.revocation_date(datetime.datetime(1940, 8, 10))

    def test_set_revocation_date_twice(self):
        """The revocation date can only be set once per builder."""
        when = datetime.datetime(2002, 1, 1, 12, 1)
        builder = x509.RevokedCertificateBuilder().revocation_date(when)
        with pytest.raises(ValueError):
            builder.revocation_date(when)

    def test_add_extension_checks_for_duplicates(self):
        """Adding the same extension class twice is rejected."""
        reason = x509.CRLReason(x509.ReasonFlags.ca_compromise)
        builder = x509.RevokedCertificateBuilder().add_extension(reason, False)

        with pytest.raises(ValueError):
            builder.add_extension(reason, False)

    def test_add_invalid_extension(self):
        """A value that is not an ExtensionType is rejected with TypeError."""
        builder = x509.RevokedCertificateBuilder()
        with pytest.raises(TypeError):
            builder.add_extension(
                "notanextension",
                False  # type: ignore[arg-type]
            )

    def test_no_serial_number(self, backend):
        """build() without a serial number fails with ValueError."""
        builder = x509.RevokedCertificateBuilder().revocation_date(
            datetime.datetime(2002, 1, 1, 12, 1))

        with pytest.raises(ValueError):
            builder.build(backend)

    def test_no_revocation_date(self, backend):
        """build() without a revocation date fails with ValueError."""
        builder = x509.RevokedCertificateBuilder().serial_number(3)

        with pytest.raises(ValueError):
            builder.build(backend)

    def test_create_revoked(self, backend):
        """A minimal entry round-trips serial and date with no extensions."""
        serial_number = 333
        revocation_date = datetime.datetime(2002, 1, 1, 12, 1)
        revoked_certificate = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial_number)
            .revocation_date(revocation_date)
            .build(backend)
        )
        assert revoked_certificate.serial_number == serial_number
        assert revoked_certificate.revocation_date == revocation_date
        assert len(revoked_certificate.extensions) == 0

    @pytest.mark.parametrize(
        "extension",
        [
            x509.InvalidityDate(datetime.datetime(2015, 1, 1, 0, 0)),
            x509.CRLReason(x509.ReasonFlags.ca_compromise),
            x509.CertificateIssuer([x509.DNSName("cryptography.io")]),
        ],
    )
    def test_add_extensions(self, backend, extension):
        """Each supported entry extension round-trips, non-critical."""
        serial_number = 333
        revocation_date = datetime.datetime(2002, 1, 1, 12, 1)
        revoked_certificate = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial_number)
            .revocation_date(revocation_date)
            .add_extension(extension, False)
            .build(backend)
        )
        assert revoked_certificate.serial_number == serial_number
        assert revoked_certificate.revocation_date == revocation_date
        assert len(revoked_certificate.extensions) == 1
        found = revoked_certificate.extensions.get_extension_for_class(
            type(extension))
        assert found.critical is False
        assert found.value == extension

    def test_add_multiple_extensions(self, backend):
        """Three distinct entry extensions, all critical, round-trip together."""
        serial_number = 333
        revocation_date = datetime.datetime(2002, 1, 1, 12, 1)
        extensions = [
            x509.InvalidityDate(datetime.datetime(2015, 1, 1, 0, 0)),
            x509.CRLReason(x509.ReasonFlags.aa_compromise),
            x509.CertificateIssuer([x509.DNSName("cryptography.io")]),
        ]
        builder = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial_number)
            .revocation_date(revocation_date)
        )
        for extension in extensions:
            builder = builder.add_extension(extension, True)

        revoked_certificate = builder.build(backend)
        assert len(revoked_certificate.extensions) == 3
        for expected in extensions:
            found = revoked_certificate.extensions.get_extension_for_class(
                type(expected))
            assert found.critical is True
            assert found.value == expected