Merge pull request #2250 from reaperhulk/fix-2246
resolve incorrect docs/naming around DSA (r, s) tuple encode/decode
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index f06aea0..99c0884 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -50,6 +50,8 @@
* :class:`~cryptography.x509.AuthorityInformationAccess`
* :class:`~cryptography.x509.CRLDistributionPoints`
* :class:`~cryptography.x509.InhibitAnyPolicy`
+ * :class:`~cryptography.x509.IssuerAlternativeName`
+ * :class:`~cryptography.x509.OCSPNoCheck`
* Add support for creating certificate signing requests with
:class:`~cryptography.x509.CertificateSigningRequestBuilder`. This includes
diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst
index d86ebbe..8d5d6a6 100644
--- a/docs/x509/reference.rst
+++ b/docs/x509/reference.rst
@@ -401,6 +401,7 @@
>>> from cryptography.hazmat.backends import default_backend
>>> from cryptography.hazmat.primitives import hashes
>>> from cryptography.hazmat.primitives.asymmetric import rsa
+ >>> from cryptography.x509.oid import NameOID
>>> import datetime
>>> import uuid
>>> one_day = datetime.timedelta(1, 0, 0)
@@ -416,10 +417,10 @@
... ).public_key()
>>> builder = x509.CertificateBuilder()
>>> builder = builder.subject_name(x509.Name([
- ... x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+ ... x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
... ]))
>>> builder = builder.issuer_name(x509.Name([
- ... x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+ ... x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
... ]))
>>> builder = builder.not_valid_before(datetime.datetime.today() - one_day)
>>> builder = builder.not_valid_after(datetime.datetime(2018, 8, 2))
@@ -634,6 +635,7 @@
>>> from cryptography.hazmat.backends import default_backend
>>> from cryptography.hazmat.primitives import hashes
>>> from cryptography.hazmat.primitives.asymmetric import rsa
+ >>> from cryptography.x509.oid import NameOID
>>> private_key = rsa.generate_private_key(
... public_exponent=65537,
... key_size=2048,
@@ -641,7 +643,7 @@
... )
>>> builder = x509.CertificateSigningRequestBuilder()
>>> builder = builder.subject_name(x509.Name([
- ... x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+ ... x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
... ]))
>>> builder = builder.add_extension(
... x509.BasicConstraints(ca=False, path_length=None), critical=True,
@@ -720,7 +722,7 @@
.. doctest::
- >>> cert.subject.get_attributes_for_oid(x509.OID_COMMON_NAME)
+ >>> cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
[<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'Good CA')>]
.. class:: Version
@@ -883,7 +885,8 @@
.. doctest::
- >>> cert.extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
+ >>> from cryptography.x509.oid import ExtensionOID
+ >>> cert.extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConstraints)>, critical=True, value=<BasicConstraints(ca=True, path_length=None)>)>
.. class:: Extension
@@ -894,7 +897,7 @@
:type: :class:`ObjectIdentifier`
- The :ref:`extension OID <extension_oids>`.
+ One of the :class:`~cryptography.x509.oid.ExtensionOID` OIDs.
.. attribute:: critical
@@ -930,7 +933,7 @@
:type: :class:`ObjectIdentifier`
- Returns :data:`OID_KEY_USAGE`.
+ Returns :attr:`~cryptography.x509.oid.ExtensionOID.KEY_USAGE`.
.. attribute:: digital_signature
@@ -1029,7 +1032,7 @@
:type: :class:`ObjectIdentifier`
- Returns :data:`OID_BASIC_CONSTRAINTS`.
+ Returns :attr:`~cryptography.x509.oid.ExtensionOID.BASIC_CONSTRAINTS`.
.. attribute:: ca
@@ -1057,7 +1060,8 @@
This extension indicates one or more purposes for which the certified
public key may be used, in addition to or in place of the basic
purposes indicated in the key usage extension. The object is
- iterable to obtain the list of :ref:`extended key usage OIDs <eku_oids>`.
+ iterable to obtain the list of
+ :class:`~cryptography.x509.oid.ExtendedKeyUsageOID` OIDs present.
.. attribute:: oid
@@ -1065,7 +1069,7 @@
:type: :class:`ObjectIdentifier`
- Returns :data:`OID_EXTENDED_KEY_USAGE`.
+ Returns :attr:`~cryptography.x509.oid.ExtensionOID.EXTENDED_KEY_USAGE`.
.. class:: OCSPNoCheck
@@ -1087,7 +1091,7 @@
:type: :class:`ObjectIdentifier`
- Returns :data:`OID_OCSP_NO_CHECK`.
+ Returns :attr:`~cryptography.x509.oid.ExtensionOID.OCSP_NO_CHECK`.
.. class:: NameConstraints
@@ -1104,7 +1108,7 @@
:type: :class:`ObjectIdentifier`
- Returns :data:`OID_NAME_CONSTRAINTS`.
+ Returns :attr:`~cryptography.x509.oid.ExtensionOID.NAME_CONSTRAINTS`.
.. attribute:: permitted_subtrees
@@ -1139,7 +1143,8 @@
:type: :class:`ObjectIdentifier`
- Returns :data:`OID_AUTHORITY_KEY_IDENTIFIER`.
+ Returns
+ :attr:`~cryptography.x509.oid.ExtensionOID.AUTHORITY_KEY_IDENTIFIER`.
.. attribute:: key_identifier
@@ -1204,7 +1209,8 @@
:type: :class:`ObjectIdentifier`
- Returns :data:`OID_SUBJECT_KEY_IDENTIFIER`.
+ Returns
+ :attr:`~cryptography.x509.oid.ExtensionOID.SUBJECT_KEY_IDENTIFIER`.
.. attribute:: digest
@@ -1252,7 +1258,8 @@
:type: :class:`ObjectIdentifier`
- Returns :data:`OID_SUBJECT_ALTERNATIVE_NAME`.
+ Returns
+ :attr:`~cryptography.x509.oid.ExtensionOID.SUBJECT_ALTERNATIVE_NAME`.
.. method:: get_values_for_type(type)
@@ -1269,7 +1276,7 @@
>>> from cryptography.hazmat.primitives import hashes
>>> cert = x509.load_pem_x509_certificate(cryptography_cert_pem, default_backend())
>>> # Get the subjectAltName extension from the certificate
- >>> ext = cert.extensions.get_extension_for_oid(x509.OID_SUBJECT_ALTERNATIVE_NAME)
+ >>> ext = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
>>> # Get the dNSName entries from the SAN extension
>>> ext.value.get_values_for_type(x509.DNSName)
[u'www.cryptography.io', u'cryptography.io']
@@ -1290,7 +1297,8 @@
:type: :class:`ObjectIdentifier`
- Returns :data:`OID_ISSUER_ALTERNATIVE_NAME`.
+ Returns
+ :attr:`~cryptography.x509.oid.ExtensionOID.ISSUER_ALTERNATIVE_NAME`.
.. method:: get_values_for_type(type)
@@ -1308,7 +1316,8 @@
information and services for the issuer of the certificate in which
the extension appears. Information and services may include online
validation services (such as OCSP) and issuer data. It is an iterable,
- containing one or more :class:`AccessDescription` instances.
+ containing one or more :class:`~cryptography.x509.AccessDescription`
+ instances.
.. attribute:: oid
@@ -1316,7 +1325,8 @@
:type: :class:`ObjectIdentifier`
- Returns :data:`OID_AUTHORITY_INFORMATION_ACCESS`.
+ Returns
+ :attr:`~cryptography.x509.oid.ExtensionOID.AUTHORITY_INFORMATION_ACCESS`.
.. class:: AccessDescription
@@ -1328,11 +1338,16 @@
:type: :class:`ObjectIdentifier`
The access method defines what the ``access_location`` means. It must
- be either :data:`OID_OCSP` or :data:`OID_CA_ISSUERS`. If it is
- :data:`OID_OCSP` the access location will be where to obtain OCSP
- information for the certificate. If it is :data:`OID_CA_ISSUERS` the
- access location will provide additional information about the issuing
- certificate.
+ be either
+ :attr:`~cryptography.x509.oid.AuthorityInformationAccessOID.OCSP` or
+ :attr:`~cryptography.x509.oid.AuthorityInformationAccessOID.CA_ISSUERS`.
+ If it is
+ :attr:`~cryptography.x509.oid.AuthorityInformationAccessOID.OCSP`
+ the access location will be where to obtain OCSP
+ information for the certificate. If it is
+ :attr:`~cryptography.x509.oid.AuthorityInformationAccessOID.CA_ISSUERS`
+ the access location will provide additional information about the
+ issuing certificate.
.. attribute:: access_location
@@ -1354,7 +1369,8 @@
:type: :class:`ObjectIdentifier`
- Returns :data:`OID_CRL_DISTRIBUTION_POINTS`.
+ Returns
+ :attr:`~cryptography.x509.oid.ExtensionOID.CRL_DISTRIBUTION_POINTS`.
.. class:: DistributionPoint
@@ -1445,14 +1461,16 @@
.. versionadded:: 1.0
The inhibit ``anyPolicy`` extension indicates that the special OID
- :data:`OID_ANY_POLICY`, is not considered an explicit match for other
- :class:`CertificatePolicies` except when it appears in an intermediate
- self-issued CA certificate. The value indicates the number of additional
- non-self-issued certificates that may appear in the path before
- :data:`OID_ANY_POLICY` is no longer permitted. For example, a value
- of one indicates that :data:`OID_ANY_POLICY` may be processed in
- certificates issued by the subject of this certificate, but not in
- additional certificates in the path.
+ :attr:`~cryptography.x509.oid.CertificatePoliciesOID.ANY_POLICY`, is not
+ considered an explicit match for other :class:`CertificatePolicies` except
+ when it appears in an intermediate self-issued CA certificate. The value
+ indicates the number of additional non-self-issued certificates that may
+ appear in the path before
+ :attr:`~cryptography.x509.oid.CertificatePoliciesOID.ANY_POLICY` is no
+ longer permitted. For example, a value of one indicates that
+ :attr:`~cryptography.x509.oid.CertificatePoliciesOID.ANY_POLICY` may be
+ processed in certificates issued by the subject of this certificate, but
+ not in additional certificates in the path.
.. attribute:: oid
@@ -1460,7 +1478,8 @@
:type: :class:`ObjectIdentifier`
- Returns :data:`OID_INHIBIT_ANY_POLICY`.
+ Returns
+ :attr:`~cryptography.x509.oid.ExtensionOID.INHIBIT_ANY_POLICY`.
.. attribute:: skip_certs
@@ -1479,7 +1498,8 @@
:type: :class:`ObjectIdentifier`
- Returns :data:`OID_CERTIFICATE_POLICIES`.
+ Returns
+ :attr:`~cryptography.x509.oid.ExtensionOID.CERTIFICATE_POLICIES`.
Certificate Policies Classes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -1555,297 +1575,303 @@
X.509 elements are frequently identified by :class:`ObjectIdentifier`
instances. The following common OIDs are available as constants.
-Name OIDs
-~~~~~~~~~
+.. currentmodule:: cryptography.x509.oid
-.. data:: OID_COMMON_NAME
+.. class:: NameOID
- Corresponds to the dotted string ``"2.5.4.3"``. Historically the domain
- name would be encoded here for server certificates. :rfc:`2818` deprecates
- this practice and names of that type should now be located in a
- SubjectAlternativeName extension. This OID is typically seen in X.509 names.
+ These OIDs are typically seen in X.509 names.
-.. data:: OID_COUNTRY_NAME
+ .. versionadded:: 1.0
- Corresponds to the dotted string ``"2.5.4.6"``. This OID is typically seen
- in X.509 names.
+ .. attribute:: COMMON_NAME
-.. data:: OID_LOCALITY_NAME
+ Corresponds to the dotted string ``"2.5.4.3"``. Historically the domain
+ name would be encoded here for server certificates. :rfc:`2818`
+ deprecates this practice and names of that type should now be located
+ in a :class:`~cryptography.x509.SubjectAlternativeName` extension.
- Corresponds to the dotted string ``"2.5.4.7"``. This OID is typically seen
- in X.509 names.
+ .. attribute:: COUNTRY_NAME
-.. data:: OID_STATE_OR_PROVINCE_NAME
+ Corresponds to the dotted string ``"2.5.4.6"``.
- Corresponds to the dotted string ``"2.5.4.8"``. This OID is typically seen
- in X.509 names.
+ .. attribute:: LOCALITY_NAME
-.. data:: OID_ORGANIZATION_NAME
+ Corresponds to the dotted string ``"2.5.4.7"``.
- Corresponds to the dotted string ``"2.5.4.10"``. This OID is typically seen
- in X.509 names.
+ .. attribute:: STATE_OR_PROVINCE_NAME
-.. data:: OID_ORGANIZATIONAL_UNIT_NAME
+ Corresponds to the dotted string ``"2.5.4.8"``.
- Corresponds to the dotted string ``"2.5.4.11"``. This OID is typically seen
- in X.509 names.
+ .. attribute:: ORGANIZATION_NAME
-.. data:: OID_SERIAL_NUMBER
+ Corresponds to the dotted string ``"2.5.4.10"``.
- Corresponds to the dotted string ``"2.5.4.5"``. This is distinct from the
- serial number of the certificate itself (which can be obtained with
- :func:`Certificate.serial`). This OID is typically seen in X.509 names.
+ .. attribute:: ORGANIZATIONAL_UNIT_NAME
-.. data:: OID_SURNAME
+ Corresponds to the dotted string ``"2.5.4.11"``.
- Corresponds to the dotted string ``"2.5.4.4"``. This OID is typically seen
- in X.509 names.
+ .. attribute:: SERIAL_NUMBER
-.. data:: OID_GIVEN_NAME
+ Corresponds to the dotted string ``"2.5.4.5"``. This is distinct from
+ the serial number of the certificate itself (which can be obtained with
+ :func:`~cryptography.x509.Certificate.serial`).
- Corresponds to the dotted string ``"2.5.4.42"``. This OID is typically seen
- in X.509 names.
+ .. attribute:: SURNAME
-.. data:: OID_TITLE
+ Corresponds to the dotted string ``"2.5.4.4"``.
- Corresponds to the dotted string ``"2.5.4.12"``. This OID is typically seen
- in X.509 names.
+ .. attribute:: GIVEN_NAME
-.. data:: OID_GENERATION_QUALIFIER
+ Corresponds to the dotted string ``"2.5.4.42"``.
- Corresponds to the dotted string ``"2.5.4.44"``. This OID is typically seen
- in X.509 names.
+ .. attribute:: TITLE
-.. data:: OID_DN_QUALIFIER
+ Corresponds to the dotted string ``"2.5.4.12"``.
- Corresponds to the dotted string ``"2.5.4.46"``. This specifies
- disambiguating information to add to the relative distinguished name of an
- entry. See :rfc:`2256`. This OID is typically seen in X.509 names.
+ .. attribute:: GENERATION_QUALIFIER
-.. data:: OID_PSEUDONYM
+ Corresponds to the dotted string ``"2.5.4.44"``.
- Corresponds to the dotted string ``"2.5.4.65"``. This OID is typically seen
- in X.509 names.
+ .. attribute:: DN_QUALIFIER
-.. data:: OID_DOMAIN_COMPONENT
+ Corresponds to the dotted string ``"2.5.4.46"``. This specifies
+ disambiguating information to add to the relative distinguished name of an
+ entry. See :rfc:`2256`.
- Corresponds to the dotted string ``"0.9.2342.19200300.100.1.25"``. A string
- holding one component of a domain name. See :rfc:`4519`. This OID is
- typically seen in X.509 names.
+ .. attribute:: PSEUDONYM
-.. data:: OID_EMAIL_ADDRESS
+ Corresponds to the dotted string ``"2.5.4.65"``.
- Corresponds to the dotted string ``"1.2.840.113549.1.9.1"``. This OID is
- typically seen in X.509 names.
+ .. attribute:: DOMAIN_COMPONENT
-Signature Algorithm OIDs
-~~~~~~~~~~~~~~~~~~~~~~~~
+ Corresponds to the dotted string ``"0.9.2342.19200300.100.1.25"``. A string
+ holding one component of a domain name. See :rfc:`4519`.
-.. data:: OID_RSA_WITH_MD5
+ .. attribute:: EMAIL_ADDRESS
- Corresponds to the dotted string ``"1.2.840.113549.1.1.4"``. This is
- an MD5 digest signed by an RSA key.
+ Corresponds to the dotted string ``"1.2.840.113549.1.9.1"``.
-.. data:: OID_RSA_WITH_SHA1
- Corresponds to the dotted string ``"1.2.840.113549.1.1.5"``. This is
- a SHA1 digest signed by an RSA key.
+.. class:: SignatureAlgorithmOID
-.. data:: OID_RSA_WITH_SHA224
+ .. versionadded:: 1.0
- Corresponds to the dotted string ``"1.2.840.113549.1.1.14"``. This is
- a SHA224 digest signed by an RSA key.
+ .. attribute:: RSA_WITH_MD5
-.. data:: OID_RSA_WITH_SHA256
+ Corresponds to the dotted string ``"1.2.840.113549.1.1.4"``. This is
+ an MD5 digest signed by an RSA key.
- Corresponds to the dotted string ``"1.2.840.113549.1.1.11"``. This is
- a SHA256 digest signed by an RSA key.
+ .. attribute:: RSA_WITH_SHA1
-.. data:: OID_RSA_WITH_SHA384
+ Corresponds to the dotted string ``"1.2.840.113549.1.1.5"``. This is
+ a SHA1 digest signed by an RSA key.
- Corresponds to the dotted string ``"1.2.840.113549.1.1.12"``. This is
- a SHA384 digest signed by an RSA key.
+ .. attribute:: RSA_WITH_SHA224
-.. data:: OID_RSA_WITH_SHA512
+ Corresponds to the dotted string ``"1.2.840.113549.1.1.14"``. This is
+ a SHA224 digest signed by an RSA key.
- Corresponds to the dotted string ``"1.2.840.113549.1.1.13"``. This is
- a SHA512 digest signed by an RSA key.
+ .. attribute:: RSA_WITH_SHA256
-.. data:: OID_ECDSA_WITH_SHA1
+ Corresponds to the dotted string ``"1.2.840.113549.1.1.11"``. This is
+ a SHA256 digest signed by an RSA key.
- Corresponds to the dotted string ``"1.2.840.10045.4.1"``. This is a SHA1
- digest signed by an ECDSA key.
+ .. attribute:: RSA_WITH_SHA384
-.. data:: OID_ECDSA_WITH_SHA224
+ Corresponds to the dotted string ``"1.2.840.113549.1.1.12"``. This is
+ a SHA384 digest signed by an RSA key.
- Corresponds to the dotted string ``"1.2.840.10045.4.3.1"``. This is
- a SHA224 digest signed by an ECDSA key.
+ .. attribute:: RSA_WITH_SHA512
-.. data:: OID_ECDSA_WITH_SHA256
+ Corresponds to the dotted string ``"1.2.840.113549.1.1.13"``. This is
+ a SHA512 digest signed by an RSA key.
- Corresponds to the dotted string ``"1.2.840.10045.4.3.2"``. This is
- a SHA256 digest signed by an ECDSA key.
+ .. attribute:: ECDSA_WITH_SHA1
-.. data:: OID_ECDSA_WITH_SHA384
+ Corresponds to the dotted string ``"1.2.840.10045.4.1"``. This is a SHA1
+ digest signed by an ECDSA key.
- Corresponds to the dotted string ``"1.2.840.10045.4.3.3"``. This is
- a SHA384 digest signed by an ECDSA key.
+ .. attribute:: ECDSA_WITH_SHA224
-.. data:: OID_ECDSA_WITH_SHA512
+ Corresponds to the dotted string ``"1.2.840.10045.4.3.1"``. This is
+ a SHA224 digest signed by an ECDSA key.
+
+ .. attribute:: ECDSA_WITH_SHA256
+
+ Corresponds to the dotted string ``"1.2.840.10045.4.3.2"``. This is
+ a SHA256 digest signed by an ECDSA key.
+
+ .. attribute:: ECDSA_WITH_SHA384
+
+ Corresponds to the dotted string ``"1.2.840.10045.4.3.3"``. This is
+ a SHA384 digest signed by an ECDSA key.
+
+ .. attribute:: ECDSA_WITH_SHA512
+
+ Corresponds to the dotted string ``"1.2.840.10045.4.3.4"``. This is
+ a SHA512 digest signed by an ECDSA key.
+
+ .. attribute:: DSA_WITH_SHA1
+
+ Corresponds to the dotted string ``"1.2.840.10040.4.3"``. This is
+ a SHA1 digest signed by a DSA key.
+
+ .. attribute:: DSA_WITH_SHA224
+
+ Corresponds to the dotted string ``"2.16.840.1.101.3.4.3.1"``. This is
+ a SHA224 digest signed by a DSA key.
+
+ .. attribute:: DSA_WITH_SHA256
- Corresponds to the dotted string ``"1.2.840.10045.4.3.4"``. This is
- a SHA512 digest signed by an ECDSA key.
+ Corresponds to the dotted string ``"2.16.840.1.101.3.4.3.2"``. This is
+ a SHA256 digest signed by a DSA key.
-.. data:: OID_DSA_WITH_SHA1
- Corresponds to the dotted string ``"1.2.840.10040.4.3"``. This is
- a SHA1 digest signed by a DSA key.
+.. class:: ExtendedKeyUsageOID
-.. data:: OID_DSA_WITH_SHA224
+ .. versionadded:: 1.0
- Corresponds to the dotted string ``"2.16.840.1.101.3.4.3.1"``. This is
- a SHA224 digest signed by a DSA key.
+ .. attribute:: SERVER_AUTH
-.. data:: OID_DSA_WITH_SHA256
+ Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.1"``. This is used
+ to denote that a certificate may be used for TLS web server
+ authentication.
- Corresponds to the dotted string ``"2.16.840.1.101.3.4.3.2"``. This is
- a SHA256 digest signed by a DSA key.
+ .. attribute:: CLIENT_AUTH
-.. _eku_oids:
+ Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.2"``. This is used
+ to denote that a certificate may be used for TLS web client
+ authentication.
-Extended Key Usage OIDs
-~~~~~~~~~~~~~~~~~~~~~~~
+ .. attribute:: CODE_SIGNING
-.. data:: OID_SERVER_AUTH
+ Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.3"``. This is used
+ to denote that a certificate may be used for code signing.
- Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.1"``. This is used to
- denote that a certificate may be used for TLS web server authentication.
+ .. attribute:: EMAIL_PROTECTION
-.. data:: OID_CLIENT_AUTH
+ Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.4"``. This is used
+ to denote that a certificate may be used for email protection.
- Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.2"``. This is used to
- denote that a certificate may be used for TLS web client authentication.
+ .. attribute:: TIME_STAMPING
-.. data:: OID_CODE_SIGNING
+ Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.8"``. This is used
+ to denote that a certificate may be used for time stamping.
- Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.3"``. This is used to
- denote that a certificate may be used for code signing.
+ .. attribute:: OCSP_SIGNING
-.. data:: OID_EMAIL_PROTECTION
+ Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.9"``. This is used
+ to denote that a certificate may be used for signing OCSP responses.
- Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.4"``. This is used to
- denote that a certificate may be used for email protection.
-.. data:: OID_TIME_STAMPING
+.. class:: AuthorityInformationAccessOID
- Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.8"``. This is used to
- denote that a certificate may be used for time stamping.
+ .. versionadded:: 1.0
-.. data:: OID_OCSP_SIGNING
+ .. attribute:: OCSP
- Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.9"``. This is used to
- denote that a certificate may be used for signing OCSP responses.
+ Corresponds to the dotted string ``"1.3.6.1.5.5.7.48.1"``. Used as the
+ identifier for OCSP data in
+ :class:`~cryptography.x509.AccessDescription` objects.
-Authority Information Access OIDs
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ .. attribute:: CA_ISSUERS
-.. data:: OID_OCSP
+ Corresponds to the dotted string ``"1.3.6.1.5.5.7.48.2"``. Used as the
+ identifier for CA issuer data in
+ :class:`~cryptography.x509.AccessDescription` objects.
- Corresponds to the dotted string ``"1.3.6.1.5.5.7.48.1"``. Used as the
- identifier for OCSP data in :class:`AccessDescription` objects.
-.. data:: OID_CA_ISSUERS
+.. class:: CertificatePoliciesOID
- Corresponds to the dotted string ``"1.3.6.1.5.5.7.48.2"``. Used as the
- identifier for CA issuer data in :class:`AccessDescription` objects.
+ .. versionadded:: 1.0
-Policy Qualifier OIDs
-~~~~~~~~~~~~~~~~~~~~~
+ .. attribute:: CPS_QUALIFIER
-.. data:: OID_CPS_QUALIFIER
+ Corresponds to the dotted string ``"1.3.6.1.5.5.7.2.1"``.
- Corresponds to the dotted string ``"1.3.6.1.5.5.7.2.1"``.
+ .. attribute:: CPS_USER_NOTICE
-.. data:: OID_CPS_USER_NOTICE
+ Corresponds to the dotted string ``"1.3.6.1.5.5.7.2.2"``.
- Corresponds to the dotted string ``"1.3.6.1.5.5.7.2.2"``.
+ .. attribute:: ANY_POLICY
-.. data:: OID_ANY_POLICY
+ Corresponds to the dotted string ``"2.5.29.32.0"``.
- Corresponds to the dotted string ``"2.5.29.32.0"``.
-.. _extension_oids:
+.. class:: ExtensionOID
-Extension OIDs
-~~~~~~~~~~~~~~
+ .. versionadded:: 1.0
-.. data:: OID_BASIC_CONSTRAINTS
+ .. attribute:: BASIC_CONSTRAINTS
- Corresponds to the dotted string ``"2.5.29.19"``. The identifier for the
- :class:`BasicConstraints` extension type.
+ Corresponds to the dotted string ``"2.5.29.19"``. The identifier for the
+ :class:`~cryptography.x509.BasicConstraints` extension type.
-.. data:: OID_KEY_USAGE
+ .. attribute:: KEY_USAGE
- Corresponds to the dotted string ``"2.5.29.15"``. The identifier for the
- :class:`KeyUsage` extension type.
+ Corresponds to the dotted string ``"2.5.29.15"``. The identifier for the
+ :class:`~cryptography.x509.KeyUsage` extension type.
-.. data:: OID_SUBJECT_ALTERNATIVE_NAME
+ .. attribute:: SUBJECT_ALTERNATIVE_NAME
- Corresponds to the dotted string ``"2.5.29.17"``. The identifier for the
- :class:`SubjectAlternativeName` extension type.
+ Corresponds to the dotted string ``"2.5.29.17"``. The identifier for the
+ :class:`~cryptography.x509.SubjectAlternativeName` extension type.
-.. data:: OID_ISSUER_ALTERNATIVE_NAME
+ .. attribute:: ISSUER_ALTERNATIVE_NAME
- Corresponds to the dotted string ``"2.5.29.18"``. The identifier for the
- :class:`IssuerAlternativeName` extension type.
+ Corresponds to the dotted string ``"2.5.29.18"``. The identifier for the
+ :class:`~cryptography.x509.IssuerAlternativeName` extension type.
-.. data:: OID_SUBJECT_KEY_IDENTIFIER
+ .. attribute:: SUBJECT_KEY_IDENTIFIER
- Corresponds to the dotted string ``"2.5.29.14"``. The identifier for the
- :class:`SubjectKeyIdentifier` extension type.
+ Corresponds to the dotted string ``"2.5.29.14"``. The identifier for the
+ :class:`~cryptography.x509.SubjectKeyIdentifier` extension type.
-.. data:: OID_NAME_CONSTRAINTS
+ .. attribute:: NAME_CONSTRAINTS
- Corresponds to the dotted string ``"2.5.29.30"``. The identifier for the
- :class:`NameConstraints` extension type.
+ Corresponds to the dotted string ``"2.5.29.30"``. The identifier for the
+ :class:`~cryptography.x509.NameConstraints` extension type.
-.. data:: OID_CRL_DISTRIBUTION_POINTS
+ .. attribute:: CRL_DISTRIBUTION_POINTS
- Corresponds to the dotted string ``"2.5.29.31"``. The identifier for the
- :class:`CRLDistributionPoints` extension type.
+ Corresponds to the dotted string ``"2.5.29.31"``. The identifier for the
+ :class:`~cryptography.x509.CRLDistributionPoints` extension type.
-.. data:: OID_CERTIFICATE_POLICIES
+ .. attribute:: CERTIFICATE_POLICIES
- Corresponds to the dotted string ``"2.5.29.32"``. The identifier for the
- :class:`CertificatePolicies` extension type.
+ Corresponds to the dotted string ``"2.5.29.32"``. The identifier for the
+ :class:`~cryptography.x509.CertificatePolicies` extension type.
-.. data:: OID_AUTHORITY_KEY_IDENTIFIER
+ .. attribute:: AUTHORITY_KEY_IDENTIFIER
- Corresponds to the dotted string ``"2.5.29.35"``. The identifier for the
- :class:`AuthorityKeyIdentifier` extension type.
+ Corresponds to the dotted string ``"2.5.29.35"``. The identifier for the
+ :class:`~cryptography.x509.AuthorityKeyIdentifier` extension type.
-.. data:: OID_EXTENDED_KEY_USAGE
+ .. attribute:: EXTENDED_KEY_USAGE
- Corresponds to the dotted string ``"2.5.29.37"``. The identifier for the
- :class:`ExtendedKeyUsage` extension type.
+ Corresponds to the dotted string ``"2.5.29.37"``. The identifier for the
+ :class:`~cryptography.x509.ExtendedKeyUsage` extension type.
-.. data:: OID_AUTHORITY_INFORMATION_ACCESS
+ .. attribute:: AUTHORITY_INFORMATION_ACCESS
- Corresponds to the dotted string ``"1.3.6.1.5.5.7.1.1"``. The identifier
- for the :class:`AuthorityInformationAccess` extension type.
+ Corresponds to the dotted string ``"1.3.6.1.5.5.7.1.1"``. The identifier
+ for the :class:`~cryptography.x509.AuthorityInformationAccess` extension
+ type.
-.. data:: OID_INHIBIT_ANY_POLICY
+ .. attribute:: INHIBIT_ANY_POLICY
- Corresponds to the dotted string ``"2.5.29.54"``. The identifier
- for the :class:`InhibitAnyPolicy` extension type.
+ Corresponds to the dotted string ``"2.5.29.54"``. The identifier
+ for the :class:`~cryptography.x509.InhibitAnyPolicy` extension type.
-.. data:: OID_OCSP_NO_CHECK
+ .. attribute:: OCSP_NO_CHECK
- Corresponds to the dotted string ``"1.3.6.1.5.5.7.48.1.5"``. The identifier
- for the :class:`OCSPNoCheck` extension type.
+ Corresponds to the dotted string ``"1.3.6.1.5.5.7.48.1.5"``. The
+ identifier for the :class:`~cryptography.x509.OCSPNoCheck` extension
+ type.
Exceptions
~~~~~~~~~~
+.. currentmodule:: cryptography.x509
.. class:: InvalidVersion
diff --git a/docs/x509/tutorial.rst b/docs/x509/tutorial.rst
index bcaec80..5e8d54e 100644
--- a/docs/x509/tutorial.rst
+++ b/docs/x509/tutorial.rst
@@ -57,14 +57,15 @@
.. code-block:: pycon
>>> from cryptography import x509
+ >>> from cryptography.x509.oid import NameOID
>>> # Generate a CSR
>>> csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
... # Provide various details about who we are.
- ... x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
- ... x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u"CA"),
- ... x509.NameAttribute(x509.OID_LOCALITY_NAME, u"San Francisco"),
- ... x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u"My Company"),
- ... x509.NameAttribute(x509.COMMON_NAME, u"mysite.com"),
+ ... x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
+ ... x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"CA"),
+ ... x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"),
+ ... x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"),
+ ... x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com"),
... ])).add_extension(x509.SubjectAlternativeName([
... # Describe what sites we want this certificate for.
... x509.DNSName(u"mysite.com"),
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 3866c0d..9eae69c 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -53,6 +53,7 @@
from cryptography.hazmat.primitives.ciphers.modes import (
CBC, CFB, CFB8, CTR, ECB, GCM, OFB
)
+from cryptography.x509.oid import ExtensionOID
_MemoryBIO = collections.namedtuple("_MemoryBIO", ["bio", "char_ptr"])
@@ -482,19 +483,19 @@
_EXTENSION_ENCODE_HANDLERS = {
- x509.OID_BASIC_CONSTRAINTS: _encode_basic_constraints,
- x509.OID_SUBJECT_KEY_IDENTIFIER: _encode_subject_key_identifier,
- x509.OID_KEY_USAGE: _encode_key_usage,
- x509.OID_SUBJECT_ALTERNATIVE_NAME: _encode_alt_name,
- x509.OID_ISSUER_ALTERNATIVE_NAME: _encode_alt_name,
- x509.OID_EXTENDED_KEY_USAGE: _encode_extended_key_usage,
- x509.OID_AUTHORITY_KEY_IDENTIFIER: _encode_authority_key_identifier,
- x509.OID_AUTHORITY_INFORMATION_ACCESS: (
+ ExtensionOID.BASIC_CONSTRAINTS: _encode_basic_constraints,
+ ExtensionOID.SUBJECT_KEY_IDENTIFIER: _encode_subject_key_identifier,
+ ExtensionOID.KEY_USAGE: _encode_key_usage,
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME: _encode_alt_name,
+ ExtensionOID.ISSUER_ALTERNATIVE_NAME: _encode_alt_name,
+ ExtensionOID.EXTENDED_KEY_USAGE: _encode_extended_key_usage,
+ ExtensionOID.AUTHORITY_KEY_IDENTIFIER: _encode_authority_key_identifier,
+ ExtensionOID.AUTHORITY_INFORMATION_ACCESS: (
_encode_authority_information_access
),
- x509.OID_CRL_DISTRIBUTION_POINTS: _encode_crl_distribution_points,
- x509.OID_INHIBIT_ANY_POLICY: _encode_inhibit_any_policy,
- x509.OID_OCSP_NO_CHECK: _encode_ocsp_nocheck,
+ ExtensionOID.CRL_DISTRIBUTION_POINTS: _encode_crl_distribution_points,
+ ExtensionOID.INHIBIT_ANY_POLICY: _encode_inhibit_any_policy,
+ ExtensionOID.OCSP_NO_CHECK: _encode_ocsp_nocheck,
}
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 564b268..e9af97f 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -17,6 +17,7 @@
from cryptography import utils, x509
from cryptography.exceptions import UnsupportedAlgorithm
from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.x509.oid import CertificatePoliciesOID, ExtensionOID
def _obj2txt(backend, obj):
@@ -385,13 +386,13 @@
pqualid = x509.ObjectIdentifier(
_obj2txt(backend, pqi.pqualid)
)
- if pqualid == x509.OID_CPS_QUALIFIER:
+ if pqualid == CertificatePoliciesOID.CPS_QUALIFIER:
cpsuri = backend._ffi.buffer(
pqi.d.cpsuri.data, pqi.d.cpsuri.length
)[:].decode('ascii')
qualifiers.append(cpsuri)
else:
- assert pqualid == x509.OID_CPS_USER_NOTICE
+ assert pqualid == CertificatePoliciesOID.CPS_USER_NOTICE
user_notice = _decode_user_notice(
backend, pqi.d.usernotice
)
@@ -756,21 +757,21 @@
_EXTENSION_HANDLERS = {
- x509.OID_BASIC_CONSTRAINTS: _decode_basic_constraints,
- x509.OID_SUBJECT_KEY_IDENTIFIER: _decode_subject_key_identifier,
- x509.OID_KEY_USAGE: _decode_key_usage,
- x509.OID_SUBJECT_ALTERNATIVE_NAME: _decode_subject_alt_name,
- x509.OID_EXTENDED_KEY_USAGE: _decode_extended_key_usage,
- x509.OID_AUTHORITY_KEY_IDENTIFIER: _decode_authority_key_identifier,
- x509.OID_AUTHORITY_INFORMATION_ACCESS: (
+ ExtensionOID.BASIC_CONSTRAINTS: _decode_basic_constraints,
+ ExtensionOID.SUBJECT_KEY_IDENTIFIER: _decode_subject_key_identifier,
+ ExtensionOID.KEY_USAGE: _decode_key_usage,
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME: _decode_subject_alt_name,
+ ExtensionOID.EXTENDED_KEY_USAGE: _decode_extended_key_usage,
+ ExtensionOID.AUTHORITY_KEY_IDENTIFIER: _decode_authority_key_identifier,
+ ExtensionOID.AUTHORITY_INFORMATION_ACCESS: (
_decode_authority_information_access
),
- x509.OID_CERTIFICATE_POLICIES: _decode_certificate_policies,
- x509.OID_CRL_DISTRIBUTION_POINTS: _decode_crl_distribution_points,
- x509.OID_OCSP_NO_CHECK: _decode_ocsp_no_check,
- x509.OID_INHIBIT_ANY_POLICY: _decode_inhibit_any_policy,
- x509.OID_ISSUER_ALTERNATIVE_NAME: _decode_issuer_alt_name,
- x509.OID_NAME_CONSTRAINTS: _decode_name_constraints,
+ ExtensionOID.CERTIFICATE_POLICIES: _decode_certificate_policies,
+ ExtensionOID.CRL_DISTRIBUTION_POINTS: _decode_crl_distribution_points,
+ ExtensionOID.OCSP_NO_CHECK: _decode_ocsp_no_check,
+ ExtensionOID.INHIBIT_ANY_POLICY: _decode_inhibit_any_policy,
+ ExtensionOID.ISSUER_ALTERNATIVE_NAME: _decode_issuer_alt_name,
+ ExtensionOID.NAME_CONSTRAINTS: _decode_name_constraints,
}
diff --git a/src/cryptography/x509/__init__.py b/src/cryptography/x509/__init__.py
index 82e8361..1aa2598 100644
--- a/src/cryptography/x509/__init__.py
+++ b/src/cryptography/x509/__init__.py
@@ -5,18 +5,21 @@
from __future__ import absolute_import, division, print_function
from cryptography.x509.base import (
- AccessDescription, AuthorityInformationAccess, AuthorityKeyIdentifier,
- BasicConstraints, CRLDistributionPoints, Certificate, CertificateBuilder,
- CertificatePolicies, CertificateRevocationList, CertificateSigningRequest,
- CertificateSigningRequestBuilder, DistributionPoint,
- DuplicateExtension, ExtendedKeyUsage, Extension, ExtensionNotFound,
- ExtensionType, Extensions, GeneralNames, InhibitAnyPolicy,
- InvalidVersion, IssuerAlternativeName, KeyUsage, NameConstraints,
- NoticeReference, OCSPNoCheck, ObjectIdentifier,
- PolicyInformation, ReasonFlags,
- RevokedCertificate, SubjectAlternativeName, SubjectKeyIdentifier,
- UnsupportedExtension, UserNotice, Version, load_der_x509_certificate,
- load_der_x509_csr, load_pem_x509_certificate, load_pem_x509_csr,
+ Certificate, CertificateBuilder, CertificateRevocationList,
+ CertificateSigningRequest, CertificateSigningRequestBuilder,
+ InvalidVersion, RevokedCertificate,
+ Version, load_der_x509_certificate, load_der_x509_csr,
+ load_pem_x509_certificate, load_pem_x509_csr,
+)
+from cryptography.x509.extensions import (
+ AccessDescription, AuthorityInformationAccess,
+ AuthorityKeyIdentifier, BasicConstraints, CRLDistributionPoints,
+ CertificatePolicies, DistributionPoint, DuplicateExtension,
+ ExtendedKeyUsage, Extension, ExtensionNotFound, ExtensionType, Extensions,
+ GeneralNames, InhibitAnyPolicy, IssuerAlternativeName, KeyUsage,
+ NameConstraints, NoticeReference, OCSPNoCheck, PolicyInformation,
+ ReasonFlags, SubjectAlternativeName, SubjectKeyIdentifier,
+ UnsupportedExtension, UserNotice
)
from cryptography.x509.general_name import (
DNSName, DirectoryName, GeneralName, IPAddress, OtherName, RFC822Name,
@@ -25,11 +28,8 @@
)
from cryptography.x509.name import Name, NameAttribute
from cryptography.x509.oid import (
- ExtensionOID, NameOID, OID_ANY_POLICY,
- OID_CA_ISSUERS, OID_CERTIFICATE_ISSUER, OID_CLIENT_AUTH,
- OID_CODE_SIGNING, OID_CPS_QUALIFIER, OID_CPS_USER_NOTICE, OID_CRL_REASON,
- OID_EMAIL_PROTECTION, OID_INVALIDITY_DATE, OID_OCSP, OID_OCSP_SIGNING,
- OID_SERVER_AUTH, OID_TIME_STAMPING,
+ AuthorityInformationAccessOID, CRLExtensionOID, CertificatePoliciesOID,
+ ExtendedKeyUsageOID, ExtensionOID, NameOID, ObjectIdentifier,
SignatureAlgorithmOID, _SIG_OIDS_TO_HASH
)
@@ -84,6 +84,24 @@
OID_SURNAME = NameOID.SURNAME
OID_TITLE = NameOID.TITLE
+OID_CLIENT_AUTH = ExtendedKeyUsageOID.CLIENT_AUTH
+OID_CODE_SIGNING = ExtendedKeyUsageOID.CODE_SIGNING
+OID_EMAIL_PROTECTION = ExtendedKeyUsageOID.EMAIL_PROTECTION
+OID_OCSP_SIGNING = ExtendedKeyUsageOID.OCSP_SIGNING
+OID_SERVER_AUTH = ExtendedKeyUsageOID.SERVER_AUTH
+OID_TIME_STAMPING = ExtendedKeyUsageOID.TIME_STAMPING
+
+OID_ANY_POLICY = CertificatePoliciesOID.ANY_POLICY
+OID_CPS_QUALIFIER = CertificatePoliciesOID.CPS_QUALIFIER
+OID_CPS_USER_NOTICE = CertificatePoliciesOID.CPS_USER_NOTICE
+
+OID_CERTIFICATE_ISSUER = CRLExtensionOID.CERTIFICATE_ISSUER
+OID_CRL_REASON = CRLExtensionOID.CRL_REASON
+OID_INVALIDITY_DATE = CRLExtensionOID.INVALIDITY_DATE
+
+OID_CA_ISSUERS = AuthorityInformationAccessOID.CA_ISSUERS
+OID_OCSP = AuthorityInformationAccessOID.OCSP
+
__all__ = [
"load_pem_x509_certificate",
@@ -136,20 +154,8 @@
"CertificateSigningRequestBuilder",
"CertificateBuilder",
"Version",
- "OID_CRL_REASON",
- "OID_INVALIDITY_DATE",
- "OID_CERTIFICATE_ISSUER",
"_SIG_OIDS_TO_HASH",
- "OID_CPS_QUALIFIER",
- "OID_CPS_USER_NOTICE",
- "OID_ANY_POLICY",
"OID_CA_ISSUERS",
"OID_OCSP",
- "OID_SERVER_AUTH",
- "OID_CLIENT_AUTH",
- "OID_CODE_SIGNING",
- "OID_EMAIL_PROTECTION",
- "OID_TIME_STAMPING",
- "OID_OCSP_SIGNING",
"_GENERAL_NAMES",
]
diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py
index 8eabee8..27eafac 100644
--- a/src/cryptography/x509/base.py
+++ b/src/cryptography/x509/base.py
@@ -6,51 +6,14 @@
import abc
import datetime
-import hashlib
-import ipaddress
from enum import Enum
-from pyasn1.codec.der import decoder
-from pyasn1.type import namedtype, univ
-
import six
from cryptography import utils
-from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
-from cryptography.x509.general_name import GeneralName, IPAddress, OtherName
+from cryptography.x509.extensions import Extension, ExtensionType
from cryptography.x509.name import Name
-from cryptography.x509.oid import (
- ExtensionOID, OID_CA_ISSUERS, OID_OCSP, ObjectIdentifier
-)
-
-
-class _SubjectPublicKeyInfo(univ.Sequence):
- componentType = namedtype.NamedTypes(
- namedtype.NamedType('algorithm', univ.Sequence()),
- namedtype.NamedType('subjectPublicKey', univ.BitString())
- )
-
-
-def _key_identifier_from_public_key(public_key):
- # This is a very slow way to do this.
- serialized = public_key.public_bytes(
- serialization.Encoding.DER,
- serialization.PublicFormat.SubjectPublicKeyInfo
- )
- spki, remaining = decoder.decode(
- serialized, asn1Spec=_SubjectPublicKeyInfo()
- )
- assert not remaining
- # the univ.BitString object is a tuple of bits. We need bytes and
- # pyasn1 really doesn't want to give them to us. To get it we'll
- # build an integer and convert that to bytes.
- bits = 0
- for bit in spki.getComponentByName("subjectPublicKey"):
- bits = bits << 1 | bit
-
- data = utils.int_to_bytes(bits)
- return hashlib.sha1(data).digest()
_UNIX_EPOCH = datetime.datetime(1970, 1, 1)
@@ -83,866 +46,6 @@
self.parsed_version = parsed_version
-class DuplicateExtension(Exception):
- def __init__(self, msg, oid):
- super(DuplicateExtension, self).__init__(msg)
- self.oid = oid
-
-
-class UnsupportedExtension(Exception):
- def __init__(self, msg, oid):
- super(UnsupportedExtension, self).__init__(msg)
- self.oid = oid
-
-
-class ExtensionNotFound(Exception):
- def __init__(self, msg, oid):
- super(ExtensionNotFound, self).__init__(msg)
- self.oid = oid
-
-
-class Extensions(object):
- def __init__(self, extensions):
- self._extensions = extensions
-
- def get_extension_for_oid(self, oid):
- for ext in self:
- if ext.oid == oid:
- return ext
-
- raise ExtensionNotFound("No {0} extension was found".format(oid), oid)
-
- def __iter__(self):
- return iter(self._extensions)
-
- def __len__(self):
- return len(self._extensions)
-
-
-class Extension(object):
- def __init__(self, oid, critical, value):
- if not isinstance(oid, ObjectIdentifier):
- raise TypeError(
- "oid argument must be an ObjectIdentifier instance."
- )
-
- if not isinstance(critical, bool):
- raise TypeError("critical must be a boolean value")
-
- self._oid = oid
- self._critical = critical
- self._value = value
-
- oid = utils.read_only_property("_oid")
- critical = utils.read_only_property("_critical")
- value = utils.read_only_property("_value")
-
- def __repr__(self):
- return ("<Extension(oid={0.oid}, critical={0.critical}, "
- "value={0.value})>").format(self)
-
- def __eq__(self, other):
- if not isinstance(other, Extension):
- return NotImplemented
-
- return (
- self.oid == other.oid and
- self.critical == other.critical and
- self.value == other.value
- )
-
- def __ne__(self, other):
- return not self == other
-
-
-@six.add_metaclass(abc.ABCMeta)
-class ExtensionType(object):
- @abc.abstractproperty
- def oid(self):
- """
- Returns the oid associated with the given extension type.
- """
-
-
-@utils.register_interface(ExtensionType)
-class ExtendedKeyUsage(object):
- oid = ExtensionOID.EXTENDED_KEY_USAGE
-
- def __init__(self, usages):
- if not all(isinstance(x, ObjectIdentifier) for x in usages):
- raise TypeError(
- "Every item in the usages list must be an ObjectIdentifier"
- )
-
- self._usages = usages
-
- def __iter__(self):
- return iter(self._usages)
-
- def __len__(self):
- return len(self._usages)
-
- def __repr__(self):
- return "<ExtendedKeyUsage({0})>".format(self._usages)
-
- def __eq__(self, other):
- if not isinstance(other, ExtendedKeyUsage):
- return NotImplemented
-
- return self._usages == other._usages
-
- def __ne__(self, other):
- return not self == other
-
-
-@utils.register_interface(ExtensionType)
-class OCSPNoCheck(object):
- oid = ExtensionOID.OCSP_NO_CHECK
-
-
-@utils.register_interface(ExtensionType)
-class BasicConstraints(object):
- oid = ExtensionOID.BASIC_CONSTRAINTS
-
- def __init__(self, ca, path_length):
- if not isinstance(ca, bool):
- raise TypeError("ca must be a boolean value")
-
- if path_length is not None and not ca:
- raise ValueError("path_length must be None when ca is False")
-
- if (
- path_length is not None and
- (not isinstance(path_length, six.integer_types) or path_length < 0)
- ):
- raise TypeError(
- "path_length must be a non-negative integer or None"
- )
-
- self._ca = ca
- self._path_length = path_length
-
- ca = utils.read_only_property("_ca")
- path_length = utils.read_only_property("_path_length")
-
- def __repr__(self):
- return ("<BasicConstraints(ca={0.ca}, "
- "path_length={0.path_length})>").format(self)
-
- def __eq__(self, other):
- if not isinstance(other, BasicConstraints):
- return NotImplemented
-
- return self.ca == other.ca and self.path_length == other.path_length
-
- def __ne__(self, other):
- return not self == other
-
-
-@utils.register_interface(ExtensionType)
-class KeyUsage(object):
- oid = ExtensionOID.KEY_USAGE
-
- def __init__(self, digital_signature, content_commitment, key_encipherment,
- data_encipherment, key_agreement, key_cert_sign, crl_sign,
- encipher_only, decipher_only):
- if not key_agreement and (encipher_only or decipher_only):
- raise ValueError(
- "encipher_only and decipher_only can only be true when "
- "key_agreement is true"
- )
-
- self._digital_signature = digital_signature
- self._content_commitment = content_commitment
- self._key_encipherment = key_encipherment
- self._data_encipherment = data_encipherment
- self._key_agreement = key_agreement
- self._key_cert_sign = key_cert_sign
- self._crl_sign = crl_sign
- self._encipher_only = encipher_only
- self._decipher_only = decipher_only
-
- digital_signature = utils.read_only_property("_digital_signature")
- content_commitment = utils.read_only_property("_content_commitment")
- key_encipherment = utils.read_only_property("_key_encipherment")
- data_encipherment = utils.read_only_property("_data_encipherment")
- key_agreement = utils.read_only_property("_key_agreement")
- key_cert_sign = utils.read_only_property("_key_cert_sign")
- crl_sign = utils.read_only_property("_crl_sign")
-
- @property
- def encipher_only(self):
- if not self.key_agreement:
- raise ValueError(
- "encipher_only is undefined unless key_agreement is true"
- )
- else:
- return self._encipher_only
-
- @property
- def decipher_only(self):
- if not self.key_agreement:
- raise ValueError(
- "decipher_only is undefined unless key_agreement is true"
- )
- else:
- return self._decipher_only
-
- def __repr__(self):
- try:
- encipher_only = self.encipher_only
- decipher_only = self.decipher_only
- except ValueError:
- encipher_only = None
- decipher_only = None
-
- return ("<KeyUsage(digital_signature={0.digital_signature}, "
- "content_commitment={0.content_commitment}, "
- "key_encipherment={0.key_encipherment}, "
- "data_encipherment={0.data_encipherment}, "
- "key_agreement={0.key_agreement}, "
- "key_cert_sign={0.key_cert_sign}, crl_sign={0.crl_sign}, "
- "encipher_only={1}, decipher_only={2})>").format(
- self, encipher_only, decipher_only)
-
- def __eq__(self, other):
- if not isinstance(other, KeyUsage):
- return NotImplemented
-
- return (
- self.digital_signature == other.digital_signature and
- self.content_commitment == other.content_commitment and
- self.key_encipherment == other.key_encipherment and
- self.data_encipherment == other.data_encipherment and
- self.key_agreement == other.key_agreement and
- self.key_cert_sign == other.key_cert_sign and
- self.crl_sign == other.crl_sign and
- self._encipher_only == other._encipher_only and
- self._decipher_only == other._decipher_only
- )
-
- def __ne__(self, other):
- return not self == other
-
-
-@utils.register_interface(ExtensionType)
-class AuthorityInformationAccess(object):
- oid = ExtensionOID.AUTHORITY_INFORMATION_ACCESS
-
- def __init__(self, descriptions):
- if not all(isinstance(x, AccessDescription) for x in descriptions):
- raise TypeError(
- "Every item in the descriptions list must be an "
- "AccessDescription"
- )
-
- self._descriptions = descriptions
-
- def __iter__(self):
- return iter(self._descriptions)
-
- def __len__(self):
- return len(self._descriptions)
-
- def __repr__(self):
- return "<AuthorityInformationAccess({0})>".format(self._descriptions)
-
- def __eq__(self, other):
- if not isinstance(other, AuthorityInformationAccess):
- return NotImplemented
-
- return self._descriptions == other._descriptions
-
- def __ne__(self, other):
- return not self == other
-
-
-class AccessDescription(object):
- def __init__(self, access_method, access_location):
- if not (access_method == OID_OCSP or access_method == OID_CA_ISSUERS):
- raise ValueError(
- "access_method must be OID_OCSP or OID_CA_ISSUERS"
- )
-
- if not isinstance(access_location, GeneralName):
- raise TypeError("access_location must be a GeneralName")
-
- self._access_method = access_method
- self._access_location = access_location
-
- def __repr__(self):
- return (
- "<AccessDescription(access_method={0.access_method}, access_locati"
- "on={0.access_location})>".format(self)
- )
-
- def __eq__(self, other):
- if not isinstance(other, AccessDescription):
- return NotImplemented
-
- return (
- self.access_method == other.access_method and
- self.access_location == other.access_location
- )
-
- def __ne__(self, other):
- return not self == other
-
- access_method = utils.read_only_property("_access_method")
- access_location = utils.read_only_property("_access_location")
-
-
-@utils.register_interface(ExtensionType)
-class CertificatePolicies(object):
- oid = ExtensionOID.CERTIFICATE_POLICIES
-
- def __init__(self, policies):
- if not all(isinstance(x, PolicyInformation) for x in policies):
- raise TypeError(
- "Every item in the policies list must be a "
- "PolicyInformation"
- )
-
- self._policies = policies
-
- def __iter__(self):
- return iter(self._policies)
-
- def __len__(self):
- return len(self._policies)
-
- def __repr__(self):
- return "<CertificatePolicies({0})>".format(self._policies)
-
- def __eq__(self, other):
- if not isinstance(other, CertificatePolicies):
- return NotImplemented
-
- return self._policies == other._policies
-
- def __ne__(self, other):
- return not self == other
-
-
-class PolicyInformation(object):
- def __init__(self, policy_identifier, policy_qualifiers):
- if not isinstance(policy_identifier, ObjectIdentifier):
- raise TypeError("policy_identifier must be an ObjectIdentifier")
-
- self._policy_identifier = policy_identifier
- if policy_qualifiers and not all(
- isinstance(
- x, (six.text_type, UserNotice)
- ) for x in policy_qualifiers
- ):
- raise TypeError(
- "policy_qualifiers must be a list of strings and/or UserNotice"
- " objects or None"
- )
-
- self._policy_qualifiers = policy_qualifiers
-
- def __repr__(self):
- return (
- "<PolicyInformation(policy_identifier={0.policy_identifier}, polic"
- "y_qualifiers={0.policy_qualifiers})>".format(self)
- )
-
- def __eq__(self, other):
- if not isinstance(other, PolicyInformation):
- return NotImplemented
-
- return (
- self.policy_identifier == other.policy_identifier and
- self.policy_qualifiers == other.policy_qualifiers
- )
-
- def __ne__(self, other):
- return not self == other
-
- policy_identifier = utils.read_only_property("_policy_identifier")
- policy_qualifiers = utils.read_only_property("_policy_qualifiers")
-
-
-class UserNotice(object):
- def __init__(self, notice_reference, explicit_text):
- if notice_reference and not isinstance(
- notice_reference, NoticeReference
- ):
- raise TypeError(
- "notice_reference must be None or a NoticeReference"
- )
-
- self._notice_reference = notice_reference
- self._explicit_text = explicit_text
-
- def __repr__(self):
- return (
- "<UserNotice(notice_reference={0.notice_reference}, explicit_text="
- "{0.explicit_text!r})>".format(self)
- )
-
- def __eq__(self, other):
- if not isinstance(other, UserNotice):
- return NotImplemented
-
- return (
- self.notice_reference == other.notice_reference and
- self.explicit_text == other.explicit_text
- )
-
- def __ne__(self, other):
- return not self == other
-
- notice_reference = utils.read_only_property("_notice_reference")
- explicit_text = utils.read_only_property("_explicit_text")
-
-
-class NoticeReference(object):
- def __init__(self, organization, notice_numbers):
- self._organization = organization
- if not isinstance(notice_numbers, list) or not all(
- isinstance(x, int) for x in notice_numbers
- ):
- raise TypeError(
- "notice_numbers must be a list of integers"
- )
-
- self._notice_numbers = notice_numbers
-
- def __repr__(self):
- return (
- "<NoticeReference(organization={0.organization!r}, notice_numbers="
- "{0.notice_numbers})>".format(self)
- )
-
- def __eq__(self, other):
- if not isinstance(other, NoticeReference):
- return NotImplemented
-
- return (
- self.organization == other.organization and
- self.notice_numbers == other.notice_numbers
- )
-
- def __ne__(self, other):
- return not self == other
-
- organization = utils.read_only_property("_organization")
- notice_numbers = utils.read_only_property("_notice_numbers")
-
-
-@utils.register_interface(ExtensionType)
-class SubjectKeyIdentifier(object):
- oid = ExtensionOID.SUBJECT_KEY_IDENTIFIER
-
- def __init__(self, digest):
- self._digest = digest
-
- @classmethod
- def from_public_key(cls, public_key):
- return cls(_key_identifier_from_public_key(public_key))
-
- digest = utils.read_only_property("_digest")
-
- def __repr__(self):
- return "<SubjectKeyIdentifier(digest={0!r})>".format(self.digest)
-
- def __eq__(self, other):
- if not isinstance(other, SubjectKeyIdentifier):
- return NotImplemented
-
- return (
- self.digest == other.digest
- )
-
- def __ne__(self, other):
- return not self == other
-
-
-@utils.register_interface(ExtensionType)
-class NameConstraints(object):
- oid = ExtensionOID.NAME_CONSTRAINTS
-
- def __init__(self, permitted_subtrees, excluded_subtrees):
- if permitted_subtrees is not None:
- if not all(
- isinstance(x, GeneralName) for x in permitted_subtrees
- ):
- raise TypeError(
- "permitted_subtrees must be a list of GeneralName objects "
- "or None"
- )
-
- self._validate_ip_name(permitted_subtrees)
-
- if excluded_subtrees is not None:
- if not all(
- isinstance(x, GeneralName) for x in excluded_subtrees
- ):
- raise TypeError(
- "excluded_subtrees must be a list of GeneralName objects "
- "or None"
- )
-
- self._validate_ip_name(excluded_subtrees)
-
- if permitted_subtrees is None and excluded_subtrees is None:
- raise ValueError(
- "At least one of permitted_subtrees and excluded_subtrees "
- "must not be None"
- )
-
- self._permitted_subtrees = permitted_subtrees
- self._excluded_subtrees = excluded_subtrees
-
- def __eq__(self, other):
- if not isinstance(other, NameConstraints):
- return NotImplemented
-
- return (
- self.excluded_subtrees == other.excluded_subtrees and
- self.permitted_subtrees == other.permitted_subtrees
- )
-
- def __ne__(self, other):
- return not self == other
-
- def _validate_ip_name(self, tree):
- if any(isinstance(name, IPAddress) and not isinstance(
- name.value, (ipaddress.IPv4Network, ipaddress.IPv6Network)
- ) for name in tree):
- raise TypeError(
- "IPAddress name constraints must be an IPv4Network or"
- " IPv6Network object"
- )
-
- def __repr__(self):
- return (
- u"<NameConstraints(permitted_subtrees={0.permitted_subtrees}, "
- u"excluded_subtrees={0.excluded_subtrees})>".format(self)
- )
-
- permitted_subtrees = utils.read_only_property("_permitted_subtrees")
- excluded_subtrees = utils.read_only_property("_excluded_subtrees")
-
-
-@utils.register_interface(ExtensionType)
-class CRLDistributionPoints(object):
- oid = ExtensionOID.CRL_DISTRIBUTION_POINTS
-
- def __init__(self, distribution_points):
- if not all(
- isinstance(x, DistributionPoint) for x in distribution_points
- ):
- raise TypeError(
- "distribution_points must be a list of DistributionPoint "
- "objects"
- )
-
- self._distribution_points = distribution_points
-
- def __iter__(self):
- return iter(self._distribution_points)
-
- def __len__(self):
- return len(self._distribution_points)
-
- def __repr__(self):
- return "<CRLDistributionPoints({0})>".format(self._distribution_points)
-
- def __eq__(self, other):
- if not isinstance(other, CRLDistributionPoints):
- return NotImplemented
-
- return self._distribution_points == other._distribution_points
-
- def __ne__(self, other):
- return not self == other
-
-
-class DistributionPoint(object):
- def __init__(self, full_name, relative_name, reasons, crl_issuer):
- if full_name and relative_name:
- raise ValueError(
- "You cannot provide both full_name and relative_name, at "
- "least one must be None."
- )
-
- if full_name and not all(
- isinstance(x, GeneralName) for x in full_name
- ):
- raise TypeError(
- "full_name must be a list of GeneralName objects"
- )
-
- if relative_name and not isinstance(relative_name, Name):
- raise TypeError("relative_name must be a Name")
-
- if crl_issuer and not all(
- isinstance(x, GeneralName) for x in crl_issuer
- ):
- raise TypeError(
- "crl_issuer must be None or a list of general names"
- )
-
- if reasons and (not isinstance(reasons, frozenset) or not all(
- isinstance(x, ReasonFlags) for x in reasons
- )):
- raise TypeError("reasons must be None or frozenset of ReasonFlags")
-
- if reasons and (
- ReasonFlags.unspecified in reasons or
- ReasonFlags.remove_from_crl in reasons
- ):
- raise ValueError(
- "unspecified and remove_from_crl are not valid reasons in a "
- "DistributionPoint"
- )
-
- if reasons and not crl_issuer and not (full_name or relative_name):
- raise ValueError(
- "You must supply crl_issuer, full_name, or relative_name when "
- "reasons is not None"
- )
-
- self._full_name = full_name
- self._relative_name = relative_name
- self._reasons = reasons
- self._crl_issuer = crl_issuer
-
- def __repr__(self):
- return (
- "<DistributionPoint(full_name={0.full_name}, relative_name={0.rela"
- "tive_name}, reasons={0.reasons}, crl_issuer={0.crl_is"
- "suer})>".format(self)
- )
-
- def __eq__(self, other):
- if not isinstance(other, DistributionPoint):
- return NotImplemented
-
- return (
- self.full_name == other.full_name and
- self.relative_name == other.relative_name and
- self.reasons == other.reasons and
- self.crl_issuer == other.crl_issuer
- )
-
- def __ne__(self, other):
- return not self == other
-
- full_name = utils.read_only_property("_full_name")
- relative_name = utils.read_only_property("_relative_name")
- reasons = utils.read_only_property("_reasons")
- crl_issuer = utils.read_only_property("_crl_issuer")
-
-
-class ReasonFlags(Enum):
- unspecified = "unspecified"
- key_compromise = "keyCompromise"
- ca_compromise = "cACompromise"
- affiliation_changed = "affiliationChanged"
- superseded = "superseded"
- cessation_of_operation = "cessationOfOperation"
- certificate_hold = "certificateHold"
- privilege_withdrawn = "privilegeWithdrawn"
- aa_compromise = "aACompromise"
- remove_from_crl = "removeFromCRL"
-
-
-@utils.register_interface(ExtensionType)
-class InhibitAnyPolicy(object):
- oid = ExtensionOID.INHIBIT_ANY_POLICY
-
- def __init__(self, skip_certs):
- if not isinstance(skip_certs, six.integer_types):
- raise TypeError("skip_certs must be an integer")
-
- if skip_certs < 0:
- raise ValueError("skip_certs must be a non-negative integer")
-
- self._skip_certs = skip_certs
-
- def __repr__(self):
- return "<InhibitAnyPolicy(skip_certs={0.skip_certs})>".format(self)
-
- def __eq__(self, other):
- if not isinstance(other, InhibitAnyPolicy):
- return NotImplemented
-
- return self.skip_certs == other.skip_certs
-
- def __ne__(self, other):
- return not self == other
-
- skip_certs = utils.read_only_property("_skip_certs")
-
-
-class GeneralNames(object):
- def __init__(self, general_names):
- if not all(isinstance(x, GeneralName) for x in general_names):
- raise TypeError(
- "Every item in the general_names list must be an "
- "object conforming to the GeneralName interface"
- )
-
- self._general_names = general_names
-
- def __iter__(self):
- return iter(self._general_names)
-
- def __len__(self):
- return len(self._general_names)
-
- def get_values_for_type(self, type):
- # Return the value of each GeneralName, except for OtherName instances
- # which we return directly because it has two important properties not
- # just one value.
- objs = (i for i in self if isinstance(i, type))
- if type != OtherName:
- objs = (i.value for i in objs)
- return list(objs)
-
- def __repr__(self):
- return "<GeneralNames({0})>".format(self._general_names)
-
- def __eq__(self, other):
- if not isinstance(other, GeneralNames):
- return NotImplemented
-
- return self._general_names == other._general_names
-
- def __ne__(self, other):
- return not self == other
-
-
-@utils.register_interface(ExtensionType)
-class SubjectAlternativeName(object):
- oid = ExtensionOID.SUBJECT_ALTERNATIVE_NAME
-
- def __init__(self, general_names):
- self._general_names = GeneralNames(general_names)
-
- def __iter__(self):
- return iter(self._general_names)
-
- def __len__(self):
- return len(self._general_names)
-
- def get_values_for_type(self, type):
- return self._general_names.get_values_for_type(type)
-
- def __repr__(self):
- return "<SubjectAlternativeName({0})>".format(self._general_names)
-
- def __eq__(self, other):
- if not isinstance(other, SubjectAlternativeName):
- return NotImplemented
-
- return self._general_names == other._general_names
-
- def __ne__(self, other):
- return not self == other
-
-
-@utils.register_interface(ExtensionType)
-class IssuerAlternativeName(object):
- oid = ExtensionOID.ISSUER_ALTERNATIVE_NAME
-
- def __init__(self, general_names):
- self._general_names = GeneralNames(general_names)
-
- def __iter__(self):
- return iter(self._general_names)
-
- def __len__(self):
- return len(self._general_names)
-
- def get_values_for_type(self, type):
- return self._general_names.get_values_for_type(type)
-
- def __repr__(self):
- return "<IssuerAlternativeName({0})>".format(self._general_names)
-
- def __eq__(self, other):
- if not isinstance(other, IssuerAlternativeName):
- return NotImplemented
-
- return self._general_names == other._general_names
-
- def __ne__(self, other):
- return not self == other
-
-
-@utils.register_interface(ExtensionType)
-class AuthorityKeyIdentifier(object):
- oid = ExtensionOID.AUTHORITY_KEY_IDENTIFIER
-
- def __init__(self, key_identifier, authority_cert_issuer,
- authority_cert_serial_number):
- if authority_cert_issuer or authority_cert_serial_number:
- if not authority_cert_issuer or not authority_cert_serial_number:
- raise ValueError(
- "authority_cert_issuer and authority_cert_serial_number "
- "must both be present or both None"
- )
-
- if not all(
- isinstance(x, GeneralName) for x in authority_cert_issuer
- ):
- raise TypeError(
- "authority_cert_issuer must be a list of GeneralName "
- "objects"
- )
-
- if not isinstance(authority_cert_serial_number, six.integer_types):
- raise TypeError(
- "authority_cert_serial_number must be an integer"
- )
-
- self._key_identifier = key_identifier
- self._authority_cert_issuer = authority_cert_issuer
- self._authority_cert_serial_number = authority_cert_serial_number
-
- @classmethod
- def from_issuer_public_key(cls, public_key):
- digest = _key_identifier_from_public_key(public_key)
- return cls(
- key_identifier=digest,
- authority_cert_issuer=None,
- authority_cert_serial_number=None
- )
-
- def __repr__(self):
- return (
- "<AuthorityKeyIdentifier(key_identifier={0.key_identifier!r}, "
- "authority_cert_issuer={0.authority_cert_issuer}, "
- "authority_cert_serial_number={0.authority_cert_serial_number}"
- ")>".format(self)
- )
-
- def __eq__(self, other):
- if not isinstance(other, AuthorityKeyIdentifier):
- return NotImplemented
-
- return (
- self.key_identifier == other.key_identifier and
- self.authority_cert_issuer == other.authority_cert_issuer and
- self.authority_cert_serial_number ==
- other.authority_cert_serial_number
- )
-
- def __ne__(self, other):
- return not self == other
-
- key_identifier = utils.read_only_property("_key_identifier")
- authority_cert_issuer = utils.read_only_property("_authority_cert_issuer")
- authority_cert_serial_number = utils.read_only_property(
- "_authority_cert_serial_number"
- )
-
-
@six.add_metaclass(abc.ABCMeta)
class Certificate(object):
@abc.abstractmethod
diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py
new file mode 100644
index 0000000..798a0e3
--- /dev/null
+++ b/src/cryptography/x509/extensions.py
@@ -0,0 +1,912 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import abc
+import hashlib
+import ipaddress
+from enum import Enum
+
+from pyasn1.codec.der import decoder
+from pyasn1.type import namedtype, univ
+
+import six
+
+from cryptography import utils
+from cryptography.hazmat.primitives import serialization
+from cryptography.x509.general_name import GeneralName, IPAddress, OtherName
+from cryptography.x509.name import Name
+from cryptography.x509.oid import (
+ AuthorityInformationAccessOID, ExtensionOID, ObjectIdentifier
+)
+
+
+class _SubjectPublicKeyInfo(univ.Sequence):
+ componentType = namedtype.NamedTypes(
+ namedtype.NamedType('algorithm', univ.Sequence()),
+ namedtype.NamedType('subjectPublicKey', univ.BitString())
+ )
+
+
+def _key_identifier_from_public_key(public_key):
+ # This is a very slow way to do this.
+ serialized = public_key.public_bytes(
+ serialization.Encoding.DER,
+ serialization.PublicFormat.SubjectPublicKeyInfo
+ )
+ spki, remaining = decoder.decode(
+ serialized, asn1Spec=_SubjectPublicKeyInfo()
+ )
+ assert not remaining
+ # the univ.BitString object is a tuple of bits. We need bytes and
+ # pyasn1 really doesn't want to give them to us. To get it we'll
+ # build an integer and convert that to bytes.
+ bits = 0
+ for bit in spki.getComponentByName("subjectPublicKey"):
+ bits = bits << 1 | bit
+
+ data = utils.int_to_bytes(bits)
+ return hashlib.sha1(data).digest()
+
+
+class DuplicateExtension(Exception):
+ def __init__(self, msg, oid):
+ super(DuplicateExtension, self).__init__(msg)
+ self.oid = oid
+
+
+class UnsupportedExtension(Exception):
+ def __init__(self, msg, oid):
+ super(UnsupportedExtension, self).__init__(msg)
+ self.oid = oid
+
+
+class ExtensionNotFound(Exception):
+ def __init__(self, msg, oid):
+ super(ExtensionNotFound, self).__init__(msg)
+ self.oid = oid
+
+
+@six.add_metaclass(abc.ABCMeta)
+class ExtensionType(object):
+ @abc.abstractproperty
+ def oid(self):
+ """
+ Returns the oid associated with the given extension type.
+ """
+
+
+class Extensions(object):
+ def __init__(self, extensions):
+ self._extensions = extensions
+
+ def get_extension_for_oid(self, oid):
+ for ext in self:
+ if ext.oid == oid:
+ return ext
+
+ raise ExtensionNotFound("No {0} extension was found".format(oid), oid)
+
+ def __iter__(self):
+ return iter(self._extensions)
+
+ def __len__(self):
+ return len(self._extensions)
+
+
+@utils.register_interface(ExtensionType)
+class AuthorityKeyIdentifier(object):
+ oid = ExtensionOID.AUTHORITY_KEY_IDENTIFIER
+
+ def __init__(self, key_identifier, authority_cert_issuer,
+ authority_cert_serial_number):
+ if authority_cert_issuer or authority_cert_serial_number:
+ if not authority_cert_issuer or not authority_cert_serial_number:
+ raise ValueError(
+ "authority_cert_issuer and authority_cert_serial_number "
+ "must both be present or both None"
+ )
+
+ if not all(
+ isinstance(x, GeneralName) for x in authority_cert_issuer
+ ):
+ raise TypeError(
+ "authority_cert_issuer must be a list of GeneralName "
+ "objects"
+ )
+
+ if not isinstance(authority_cert_serial_number, six.integer_types):
+ raise TypeError(
+ "authority_cert_serial_number must be an integer"
+ )
+
+ self._key_identifier = key_identifier
+ self._authority_cert_issuer = authority_cert_issuer
+ self._authority_cert_serial_number = authority_cert_serial_number
+
+ @classmethod
+ def from_issuer_public_key(cls, public_key):
+ digest = _key_identifier_from_public_key(public_key)
+ return cls(
+ key_identifier=digest,
+ authority_cert_issuer=None,
+ authority_cert_serial_number=None
+ )
+
+ def __repr__(self):
+ return (
+ "<AuthorityKeyIdentifier(key_identifier={0.key_identifier!r}, "
+ "authority_cert_issuer={0.authority_cert_issuer}, "
+ "authority_cert_serial_number={0.authority_cert_serial_number}"
+ ")>".format(self)
+ )
+
+ def __eq__(self, other):
+ if not isinstance(other, AuthorityKeyIdentifier):
+ return NotImplemented
+
+ return (
+ self.key_identifier == other.key_identifier and
+ self.authority_cert_issuer == other.authority_cert_issuer and
+ self.authority_cert_serial_number ==
+ other.authority_cert_serial_number
+ )
+
+ def __ne__(self, other):
+ return not self == other
+
+ key_identifier = utils.read_only_property("_key_identifier")
+ authority_cert_issuer = utils.read_only_property("_authority_cert_issuer")
+ authority_cert_serial_number = utils.read_only_property(
+ "_authority_cert_serial_number"
+ )
+
+
+@utils.register_interface(ExtensionType)
+class SubjectKeyIdentifier(object):
+ oid = ExtensionOID.SUBJECT_KEY_IDENTIFIER
+
+ def __init__(self, digest):
+ self._digest = digest
+
+ @classmethod
+ def from_public_key(cls, public_key):
+ return cls(_key_identifier_from_public_key(public_key))
+
+ digest = utils.read_only_property("_digest")
+
+ def __repr__(self):
+ return "<SubjectKeyIdentifier(digest={0!r})>".format(self.digest)
+
+ def __eq__(self, other):
+ if not isinstance(other, SubjectKeyIdentifier):
+ return NotImplemented
+
+ return (
+ self.digest == other.digest
+ )
+
+ def __ne__(self, other):
+ return not self == other
+
+
+@utils.register_interface(ExtensionType)
+class AuthorityInformationAccess(object):
+ oid = ExtensionOID.AUTHORITY_INFORMATION_ACCESS
+
+ def __init__(self, descriptions):
+ if not all(isinstance(x, AccessDescription) for x in descriptions):
+ raise TypeError(
+ "Every item in the descriptions list must be an "
+ "AccessDescription"
+ )
+
+ self._descriptions = descriptions
+
+ def __iter__(self):
+ return iter(self._descriptions)
+
+ def __len__(self):
+ return len(self._descriptions)
+
+ def __repr__(self):
+ return "<AuthorityInformationAccess({0})>".format(self._descriptions)
+
+ def __eq__(self, other):
+ if not isinstance(other, AuthorityInformationAccess):
+ return NotImplemented
+
+ return self._descriptions == other._descriptions
+
+ def __ne__(self, other):
+ return not self == other
+
+
+class AccessDescription(object):
+ def __init__(self, access_method, access_location):
+ if not (access_method == AuthorityInformationAccessOID.OCSP or
+ access_method == AuthorityInformationAccessOID.CA_ISSUERS):
+ raise ValueError(
+ "access_method must be OID_OCSP or OID_CA_ISSUERS"
+ )
+
+ if not isinstance(access_location, GeneralName):
+ raise TypeError("access_location must be a GeneralName")
+
+ self._access_method = access_method
+ self._access_location = access_location
+
+ def __repr__(self):
+ return (
+ "<AccessDescription(access_method={0.access_method}, access_locati"
+ "on={0.access_location})>".format(self)
+ )
+
+ def __eq__(self, other):
+ if not isinstance(other, AccessDescription):
+ return NotImplemented
+
+ return (
+ self.access_method == other.access_method and
+ self.access_location == other.access_location
+ )
+
+ def __ne__(self, other):
+ return not self == other
+
+ access_method = utils.read_only_property("_access_method")
+ access_location = utils.read_only_property("_access_location")
+
+
+@utils.register_interface(ExtensionType)
+class BasicConstraints(object):
+ oid = ExtensionOID.BASIC_CONSTRAINTS
+
+ def __init__(self, ca, path_length):
+ if not isinstance(ca, bool):
+ raise TypeError("ca must be a boolean value")
+
+ if path_length is not None and not ca:
+ raise ValueError("path_length must be None when ca is False")
+
+ if (
+ path_length is not None and
+ (not isinstance(path_length, six.integer_types) or path_length < 0)
+ ):
+ raise TypeError(
+ "path_length must be a non-negative integer or None"
+ )
+
+ self._ca = ca
+ self._path_length = path_length
+
+ ca = utils.read_only_property("_ca")
+ path_length = utils.read_only_property("_path_length")
+
+ def __repr__(self):
+ return ("<BasicConstraints(ca={0.ca}, "
+ "path_length={0.path_length})>").format(self)
+
+ def __eq__(self, other):
+ if not isinstance(other, BasicConstraints):
+ return NotImplemented
+
+ return self.ca == other.ca and self.path_length == other.path_length
+
+ def __ne__(self, other):
+ return not self == other
+
+
+@utils.register_interface(ExtensionType)
+class CRLDistributionPoints(object):
+ oid = ExtensionOID.CRL_DISTRIBUTION_POINTS
+
+ def __init__(self, distribution_points):
+ if not all(
+ isinstance(x, DistributionPoint) for x in distribution_points
+ ):
+ raise TypeError(
+ "distribution_points must be a list of DistributionPoint "
+ "objects"
+ )
+
+ self._distribution_points = distribution_points
+
+ def __iter__(self):
+ return iter(self._distribution_points)
+
+ def __len__(self):
+ return len(self._distribution_points)
+
+ def __repr__(self):
+ return "<CRLDistributionPoints({0})>".format(self._distribution_points)
+
+ def __eq__(self, other):
+ if not isinstance(other, CRLDistributionPoints):
+ return NotImplemented
+
+ return self._distribution_points == other._distribution_points
+
+ def __ne__(self, other):
+ return not self == other
+
+
+class DistributionPoint(object):
+ def __init__(self, full_name, relative_name, reasons, crl_issuer):
+ if full_name and relative_name:
+ raise ValueError(
+ "You cannot provide both full_name and relative_name, at "
+ "least one must be None."
+ )
+
+ if full_name and not all(
+ isinstance(x, GeneralName) for x in full_name
+ ):
+ raise TypeError(
+ "full_name must be a list of GeneralName objects"
+ )
+
+ if relative_name and not isinstance(relative_name, Name):
+ raise TypeError("relative_name must be a Name")
+
+ if crl_issuer and not all(
+ isinstance(x, GeneralName) for x in crl_issuer
+ ):
+ raise TypeError(
+ "crl_issuer must be None or a list of general names"
+ )
+
+ if reasons and (not isinstance(reasons, frozenset) or not all(
+ isinstance(x, ReasonFlags) for x in reasons
+ )):
+ raise TypeError("reasons must be None or frozenset of ReasonFlags")
+
+ if reasons and (
+ ReasonFlags.unspecified in reasons or
+ ReasonFlags.remove_from_crl in reasons
+ ):
+ raise ValueError(
+ "unspecified and remove_from_crl are not valid reasons in a "
+ "DistributionPoint"
+ )
+
+ if reasons and not crl_issuer and not (full_name or relative_name):
+ raise ValueError(
+ "You must supply crl_issuer, full_name, or relative_name when "
+ "reasons is not None"
+ )
+
+ self._full_name = full_name
+ self._relative_name = relative_name
+ self._reasons = reasons
+ self._crl_issuer = crl_issuer
+
+ def __repr__(self):
+ return (
+ "<DistributionPoint(full_name={0.full_name}, relative_name={0.rela"
+ "tive_name}, reasons={0.reasons}, crl_issuer={0.crl_is"
+ "suer})>".format(self)
+ )
+
+ def __eq__(self, other):
+ if not isinstance(other, DistributionPoint):
+ return NotImplemented
+
+ return (
+ self.full_name == other.full_name and
+ self.relative_name == other.relative_name and
+ self.reasons == other.reasons and
+ self.crl_issuer == other.crl_issuer
+ )
+
+ def __ne__(self, other):
+ return not self == other
+
+ full_name = utils.read_only_property("_full_name")
+ relative_name = utils.read_only_property("_relative_name")
+ reasons = utils.read_only_property("_reasons")
+ crl_issuer = utils.read_only_property("_crl_issuer")
+
+
+class ReasonFlags(Enum):
+ unspecified = "unspecified"
+ key_compromise = "keyCompromise"
+ ca_compromise = "cACompromise"
+ affiliation_changed = "affiliationChanged"
+ superseded = "superseded"
+ cessation_of_operation = "cessationOfOperation"
+ certificate_hold = "certificateHold"
+ privilege_withdrawn = "privilegeWithdrawn"
+ aa_compromise = "aACompromise"
+ remove_from_crl = "removeFromCRL"
+
+
+@utils.register_interface(ExtensionType)
+class CertificatePolicies(object):
+ oid = ExtensionOID.CERTIFICATE_POLICIES
+
+ def __init__(self, policies):
+ if not all(isinstance(x, PolicyInformation) for x in policies):
+ raise TypeError(
+ "Every item in the policies list must be a "
+ "PolicyInformation"
+ )
+
+ self._policies = policies
+
+ def __iter__(self):
+ return iter(self._policies)
+
+ def __len__(self):
+ return len(self._policies)
+
+ def __repr__(self):
+ return "<CertificatePolicies({0})>".format(self._policies)
+
+ def __eq__(self, other):
+ if not isinstance(other, CertificatePolicies):
+ return NotImplemented
+
+ return self._policies == other._policies
+
+ def __ne__(self, other):
+ return not self == other
+
+
+class PolicyInformation(object):
+ def __init__(self, policy_identifier, policy_qualifiers):
+ if not isinstance(policy_identifier, ObjectIdentifier):
+ raise TypeError("policy_identifier must be an ObjectIdentifier")
+
+ self._policy_identifier = policy_identifier
+ if policy_qualifiers and not all(
+ isinstance(
+ x, (six.text_type, UserNotice)
+ ) for x in policy_qualifiers
+ ):
+ raise TypeError(
+ "policy_qualifiers must be a list of strings and/or UserNotice"
+ " objects or None"
+ )
+
+ self._policy_qualifiers = policy_qualifiers
+
+ def __repr__(self):
+ return (
+ "<PolicyInformation(policy_identifier={0.policy_identifier}, polic"
+ "y_qualifiers={0.policy_qualifiers})>".format(self)
+ )
+
+ def __eq__(self, other):
+ if not isinstance(other, PolicyInformation):
+ return NotImplemented
+
+ return (
+ self.policy_identifier == other.policy_identifier and
+ self.policy_qualifiers == other.policy_qualifiers
+ )
+
+ def __ne__(self, other):
+ return not self == other
+
+ policy_identifier = utils.read_only_property("_policy_identifier")
+ policy_qualifiers = utils.read_only_property("_policy_qualifiers")
+
+
+class UserNotice(object):
+ def __init__(self, notice_reference, explicit_text):
+ if notice_reference and not isinstance(
+ notice_reference, NoticeReference
+ ):
+ raise TypeError(
+ "notice_reference must be None or a NoticeReference"
+ )
+
+ self._notice_reference = notice_reference
+ self._explicit_text = explicit_text
+
+ def __repr__(self):
+ return (
+ "<UserNotice(notice_reference={0.notice_reference}, explicit_text="
+ "{0.explicit_text!r})>".format(self)
+ )
+
+ def __eq__(self, other):
+ if not isinstance(other, UserNotice):
+ return NotImplemented
+
+ return (
+ self.notice_reference == other.notice_reference and
+ self.explicit_text == other.explicit_text
+ )
+
+ def __ne__(self, other):
+ return not self == other
+
+ notice_reference = utils.read_only_property("_notice_reference")
+ explicit_text = utils.read_only_property("_explicit_text")
+
+
+class NoticeReference(object):
+ def __init__(self, organization, notice_numbers):
+ self._organization = organization
+ if not isinstance(notice_numbers, list) or not all(
+ isinstance(x, int) for x in notice_numbers
+ ):
+ raise TypeError(
+ "notice_numbers must be a list of integers"
+ )
+
+ self._notice_numbers = notice_numbers
+
+ def __repr__(self):
+ return (
+ "<NoticeReference(organization={0.organization!r}, notice_numbers="
+ "{0.notice_numbers})>".format(self)
+ )
+
+ def __eq__(self, other):
+ if not isinstance(other, NoticeReference):
+ return NotImplemented
+
+ return (
+ self.organization == other.organization and
+ self.notice_numbers == other.notice_numbers
+ )
+
+ def __ne__(self, other):
+ return not self == other
+
+ organization = utils.read_only_property("_organization")
+ notice_numbers = utils.read_only_property("_notice_numbers")
+
+
+@utils.register_interface(ExtensionType)
+class ExtendedKeyUsage(object):
+ oid = ExtensionOID.EXTENDED_KEY_USAGE
+
+ def __init__(self, usages):
+ if not all(isinstance(x, ObjectIdentifier) for x in usages):
+ raise TypeError(
+ "Every item in the usages list must be an ObjectIdentifier"
+ )
+
+ self._usages = usages
+
+ def __iter__(self):
+ return iter(self._usages)
+
+ def __len__(self):
+ return len(self._usages)
+
+ def __repr__(self):
+ return "<ExtendedKeyUsage({0})>".format(self._usages)
+
+ def __eq__(self, other):
+ if not isinstance(other, ExtendedKeyUsage):
+ return NotImplemented
+
+ return self._usages == other._usages
+
+ def __ne__(self, other):
+ return not self == other
+
+
+@utils.register_interface(ExtensionType)
+class OCSPNoCheck(object):
+ oid = ExtensionOID.OCSP_NO_CHECK
+
+
+@utils.register_interface(ExtensionType)
+class InhibitAnyPolicy(object):
+ oid = ExtensionOID.INHIBIT_ANY_POLICY
+
+ def __init__(self, skip_certs):
+ if not isinstance(skip_certs, six.integer_types):
+ raise TypeError("skip_certs must be an integer")
+
+ if skip_certs < 0:
+ raise ValueError("skip_certs must be a non-negative integer")
+
+ self._skip_certs = skip_certs
+
+ def __repr__(self):
+ return "<InhibitAnyPolicy(skip_certs={0.skip_certs})>".format(self)
+
+ def __eq__(self, other):
+ if not isinstance(other, InhibitAnyPolicy):
+ return NotImplemented
+
+ return self.skip_certs == other.skip_certs
+
+ def __ne__(self, other):
+ return not self == other
+
+ skip_certs = utils.read_only_property("_skip_certs")
+
+
+@utils.register_interface(ExtensionType)
+class KeyUsage(object):
+ oid = ExtensionOID.KEY_USAGE
+
+ def __init__(self, digital_signature, content_commitment, key_encipherment,
+ data_encipherment, key_agreement, key_cert_sign, crl_sign,
+ encipher_only, decipher_only):
+ if not key_agreement and (encipher_only or decipher_only):
+ raise ValueError(
+ "encipher_only and decipher_only can only be true when "
+ "key_agreement is true"
+ )
+
+ self._digital_signature = digital_signature
+ self._content_commitment = content_commitment
+ self._key_encipherment = key_encipherment
+ self._data_encipherment = data_encipherment
+ self._key_agreement = key_agreement
+ self._key_cert_sign = key_cert_sign
+ self._crl_sign = crl_sign
+ self._encipher_only = encipher_only
+ self._decipher_only = decipher_only
+
+ digital_signature = utils.read_only_property("_digital_signature")
+ content_commitment = utils.read_only_property("_content_commitment")
+ key_encipherment = utils.read_only_property("_key_encipherment")
+ data_encipherment = utils.read_only_property("_data_encipherment")
+ key_agreement = utils.read_only_property("_key_agreement")
+ key_cert_sign = utils.read_only_property("_key_cert_sign")
+ crl_sign = utils.read_only_property("_crl_sign")
+
+ @property
+ def encipher_only(self):
+ if not self.key_agreement:
+ raise ValueError(
+ "encipher_only is undefined unless key_agreement is true"
+ )
+ else:
+ return self._encipher_only
+
+ @property
+ def decipher_only(self):
+ if not self.key_agreement:
+ raise ValueError(
+ "decipher_only is undefined unless key_agreement is true"
+ )
+ else:
+ return self._decipher_only
+
+ def __repr__(self):
+ try:
+ encipher_only = self.encipher_only
+ decipher_only = self.decipher_only
+ except ValueError:
+ encipher_only = None
+ decipher_only = None
+
+ return ("<KeyUsage(digital_signature={0.digital_signature}, "
+ "content_commitment={0.content_commitment}, "
+ "key_encipherment={0.key_encipherment}, "
+ "data_encipherment={0.data_encipherment}, "
+ "key_agreement={0.key_agreement}, "
+ "key_cert_sign={0.key_cert_sign}, crl_sign={0.crl_sign}, "
+ "encipher_only={1}, decipher_only={2})>").format(
+ self, encipher_only, decipher_only)
+
+ def __eq__(self, other):
+ if not isinstance(other, KeyUsage):
+ return NotImplemented
+
+ return (
+ self.digital_signature == other.digital_signature and
+ self.content_commitment == other.content_commitment and
+ self.key_encipherment == other.key_encipherment and
+ self.data_encipherment == other.data_encipherment and
+ self.key_agreement == other.key_agreement and
+ self.key_cert_sign == other.key_cert_sign and
+ self.crl_sign == other.crl_sign and
+ self._encipher_only == other._encipher_only and
+ self._decipher_only == other._decipher_only
+ )
+
+ def __ne__(self, other):
+ return not self == other
+
+
+@utils.register_interface(ExtensionType)
+class NameConstraints(object):
+ oid = ExtensionOID.NAME_CONSTRAINTS
+
+ def __init__(self, permitted_subtrees, excluded_subtrees):
+ if permitted_subtrees is not None:
+ if not all(
+ isinstance(x, GeneralName) for x in permitted_subtrees
+ ):
+ raise TypeError(
+ "permitted_subtrees must be a list of GeneralName objects "
+ "or None"
+ )
+
+ self._validate_ip_name(permitted_subtrees)
+
+ if excluded_subtrees is not None:
+ if not all(
+ isinstance(x, GeneralName) for x in excluded_subtrees
+ ):
+ raise TypeError(
+ "excluded_subtrees must be a list of GeneralName objects "
+ "or None"
+ )
+
+ self._validate_ip_name(excluded_subtrees)
+
+ if permitted_subtrees is None and excluded_subtrees is None:
+ raise ValueError(
+ "At least one of permitted_subtrees and excluded_subtrees "
+ "must not be None"
+ )
+
+ self._permitted_subtrees = permitted_subtrees
+ self._excluded_subtrees = excluded_subtrees
+
+ def __eq__(self, other):
+ if not isinstance(other, NameConstraints):
+ return NotImplemented
+
+ return (
+ self.excluded_subtrees == other.excluded_subtrees and
+ self.permitted_subtrees == other.permitted_subtrees
+ )
+
+ def __ne__(self, other):
+ return not self == other
+
+ def _validate_ip_name(self, tree):
+ if any(isinstance(name, IPAddress) and not isinstance(
+ name.value, (ipaddress.IPv4Network, ipaddress.IPv6Network)
+ ) for name in tree):
+ raise TypeError(
+ "IPAddress name constraints must be an IPv4Network or"
+ " IPv6Network object"
+ )
+
+ def __repr__(self):
+ return (
+ u"<NameConstraints(permitted_subtrees={0.permitted_subtrees}, "
+ u"excluded_subtrees={0.excluded_subtrees})>".format(self)
+ )
+
+ permitted_subtrees = utils.read_only_property("_permitted_subtrees")
+ excluded_subtrees = utils.read_only_property("_excluded_subtrees")
+
+
+class Extension(object):
+ def __init__(self, oid, critical, value):
+ if not isinstance(oid, ObjectIdentifier):
+ raise TypeError(
+ "oid argument must be an ObjectIdentifier instance."
+ )
+
+ if not isinstance(critical, bool):
+ raise TypeError("critical must be a boolean value")
+
+ self._oid = oid
+ self._critical = critical
+ self._value = value
+
+ oid = utils.read_only_property("_oid")
+ critical = utils.read_only_property("_critical")
+ value = utils.read_only_property("_value")
+
+ def __repr__(self):
+ return ("<Extension(oid={0.oid}, critical={0.critical}, "
+ "value={0.value})>").format(self)
+
+ def __eq__(self, other):
+ if not isinstance(other, Extension):
+ return NotImplemented
+
+ return (
+ self.oid == other.oid and
+ self.critical == other.critical and
+ self.value == other.value
+ )
+
+ def __ne__(self, other):
+ return not self == other
+
+
+class GeneralNames(object):
+ def __init__(self, general_names):
+ if not all(isinstance(x, GeneralName) for x in general_names):
+ raise TypeError(
+ "Every item in the general_names list must be an "
+ "object conforming to the GeneralName interface"
+ )
+
+ self._general_names = general_names
+
+ def __iter__(self):
+ return iter(self._general_names)
+
+ def __len__(self):
+ return len(self._general_names)
+
+ def get_values_for_type(self, type):
+ # Return the value of each GeneralName, except for OtherName instances
+ # which we return directly because it has two important properties not
+ # just one value.
+ objs = (i for i in self if isinstance(i, type))
+ if type != OtherName:
+ objs = (i.value for i in objs)
+ return list(objs)
+
+ def __repr__(self):
+ return "<GeneralNames({0})>".format(self._general_names)
+
+ def __eq__(self, other):
+ if not isinstance(other, GeneralNames):
+ return NotImplemented
+
+ return self._general_names == other._general_names
+
+ def __ne__(self, other):
+ return not self == other
+
+
+@utils.register_interface(ExtensionType)
+class SubjectAlternativeName(object):
+ oid = ExtensionOID.SUBJECT_ALTERNATIVE_NAME
+
+ def __init__(self, general_names):
+ self._general_names = GeneralNames(general_names)
+
+ def __iter__(self):
+ return iter(self._general_names)
+
+ def __len__(self):
+ return len(self._general_names)
+
+ def get_values_for_type(self, type):
+ return self._general_names.get_values_for_type(type)
+
+ def __repr__(self):
+ return "<SubjectAlternativeName({0})>".format(self._general_names)
+
+ def __eq__(self, other):
+ if not isinstance(other, SubjectAlternativeName):
+ return NotImplemented
+
+ return self._general_names == other._general_names
+
+ def __ne__(self, other):
+ return not self == other
+
+
+@utils.register_interface(ExtensionType)
+class IssuerAlternativeName(object):
+ oid = ExtensionOID.ISSUER_ALTERNATIVE_NAME
+
+ def __init__(self, general_names):
+ self._general_names = GeneralNames(general_names)
+
+ def __iter__(self):
+ return iter(self._general_names)
+
+ def __len__(self):
+ return len(self._general_names)
+
+ def get_values_for_type(self, type):
+ return self._general_names.get_values_for_type(type)
+
+ def __repr__(self):
+ return "<IssuerAlternativeName({0})>".format(self._general_names)
+
+ def __eq__(self, other):
+ if not isinstance(other, IssuerAlternativeName):
+ return NotImplemented
+
+ return self._general_names == other._general_names
+
+ def __ne__(self, other):
+ return not self == other
diff --git a/src/cryptography/x509/oid.py b/src/cryptography/x509/oid.py
index 911343e..9fabab7 100644
--- a/src/cryptography/x509/oid.py
+++ b/src/cryptography/x509/oid.py
@@ -54,9 +54,10 @@
OCSP_NO_CHECK = ObjectIdentifier("1.3.6.1.5.5.7.48.1.5")
-OID_CRL_REASON = ObjectIdentifier("2.5.29.21")
-OID_INVALIDITY_DATE = ObjectIdentifier("2.5.29.24")
-OID_CERTIFICATE_ISSUER = ObjectIdentifier("2.5.29.29")
+class CRLExtensionOID(object):
+ CERTIFICATE_ISSUER = ObjectIdentifier("2.5.29.29")
+ CRL_REASON = ObjectIdentifier("2.5.29.21")
+ INVALIDITY_DATE = ObjectIdentifier("2.5.29.24")
class NameOID(object):
@@ -110,19 +111,25 @@
SignatureAlgorithmOID.DSA_WITH_SHA256.dotted_string: hashes.SHA256()
}
-OID_SERVER_AUTH = ObjectIdentifier("1.3.6.1.5.5.7.3.1")
-OID_CLIENT_AUTH = ObjectIdentifier("1.3.6.1.5.5.7.3.2")
-OID_CODE_SIGNING = ObjectIdentifier("1.3.6.1.5.5.7.3.3")
-OID_EMAIL_PROTECTION = ObjectIdentifier("1.3.6.1.5.5.7.3.4")
-OID_TIME_STAMPING = ObjectIdentifier("1.3.6.1.5.5.7.3.8")
-OID_OCSP_SIGNING = ObjectIdentifier("1.3.6.1.5.5.7.3.9")
-OID_CA_ISSUERS = ObjectIdentifier("1.3.6.1.5.5.7.48.2")
-OID_OCSP = ObjectIdentifier("1.3.6.1.5.5.7.48.1")
+class ExtendedKeyUsageOID(object):
+ SERVER_AUTH = ObjectIdentifier("1.3.6.1.5.5.7.3.1")
+ CLIENT_AUTH = ObjectIdentifier("1.3.6.1.5.5.7.3.2")
+ CODE_SIGNING = ObjectIdentifier("1.3.6.1.5.5.7.3.3")
+ EMAIL_PROTECTION = ObjectIdentifier("1.3.6.1.5.5.7.3.4")
+ TIME_STAMPING = ObjectIdentifier("1.3.6.1.5.5.7.3.8")
+ OCSP_SIGNING = ObjectIdentifier("1.3.6.1.5.5.7.3.9")
-OID_CPS_QUALIFIER = ObjectIdentifier("1.3.6.1.5.5.7.2.1")
-OID_CPS_USER_NOTICE = ObjectIdentifier("1.3.6.1.5.5.7.2.2")
-OID_ANY_POLICY = ObjectIdentifier("2.5.29.32.0")
+
+class AuthorityInformationAccessOID(object):
+ CA_ISSUERS = ObjectIdentifier("1.3.6.1.5.5.7.48.2")
+ OCSP = ObjectIdentifier("1.3.6.1.5.5.7.48.1")
+
+
+class CertificatePoliciesOID(object):
+ CPS_QUALIFIER = ObjectIdentifier("1.3.6.1.5.5.7.2.1")
+ CPS_USER_NOTICE = ObjectIdentifier("1.3.6.1.5.5.7.2.2")
+ ANY_POLICY = ObjectIdentifier("2.5.29.32.0")
_OID_NAMES = {
NameOID.COMMON_NAME: "commonName",
@@ -154,21 +161,21 @@
SignatureAlgorithmOID.DSA_WITH_SHA1: "dsa-with-sha1",
SignatureAlgorithmOID.DSA_WITH_SHA224: "dsa-with-sha224",
SignatureAlgorithmOID.DSA_WITH_SHA256: "dsa-with-sha256",
- OID_SERVER_AUTH: "serverAuth",
- OID_CLIENT_AUTH: "clientAuth",
- OID_CODE_SIGNING: "codeSigning",
- OID_EMAIL_PROTECTION: "emailProtection",
- OID_TIME_STAMPING: "timeStamping",
- OID_OCSP_SIGNING: "OCSPSigning",
+ ExtendedKeyUsageOID.SERVER_AUTH: "serverAuth",
+ ExtendedKeyUsageOID.CLIENT_AUTH: "clientAuth",
+ ExtendedKeyUsageOID.CODE_SIGNING: "codeSigning",
+ ExtendedKeyUsageOID.EMAIL_PROTECTION: "emailProtection",
+ ExtendedKeyUsageOID.TIME_STAMPING: "timeStamping",
+ ExtendedKeyUsageOID.OCSP_SIGNING: "OCSPSigning",
ExtensionOID.SUBJECT_DIRECTORY_ATTRIBUTES: "subjectDirectoryAttributes",
ExtensionOID.SUBJECT_KEY_IDENTIFIER: "subjectKeyIdentifier",
ExtensionOID.KEY_USAGE: "keyUsage",
ExtensionOID.SUBJECT_ALTERNATIVE_NAME: "subjectAltName",
ExtensionOID.ISSUER_ALTERNATIVE_NAME: "issuerAltName",
ExtensionOID.BASIC_CONSTRAINTS: "basicConstraints",
- OID_CRL_REASON: "cRLReason",
- OID_INVALIDITY_DATE: "invalidityDate",
- OID_CERTIFICATE_ISSUER: "certificateIssuer",
+ CRLExtensionOID.CRL_REASON: "cRLReason",
+ CRLExtensionOID.INVALIDITY_DATE: "invalidityDate",
+ CRLExtensionOID.CERTIFICATE_ISSUER: "certificateIssuer",
ExtensionOID.NAME_CONSTRAINTS: "nameConstraints",
ExtensionOID.CRL_DISTRIBUTION_POINTS: "cRLDistributionPoints",
ExtensionOID.CERTIFICATE_POLICIES: "certificatePolicies",
@@ -181,8 +188,8 @@
ExtensionOID.AUTHORITY_INFORMATION_ACCESS: "authorityInfoAccess",
ExtensionOID.SUBJECT_INFORMATION_ACCESS: "subjectInfoAccess",
ExtensionOID.OCSP_NO_CHECK: "OCSPNoCheck",
- OID_OCSP: "OCSP",
- OID_CA_ISSUERS: "caIssuers",
- OID_CPS_QUALIFIER: "id-qt-cps",
- OID_CPS_USER_NOTICE: "id-qt-unotice",
+ AuthorityInformationAccessOID.OCSP: "OCSP",
+ AuthorityInformationAccessOID.CA_ISSUERS: "caIssuers",
+ CertificatePoliciesOID.CPS_QUALIFIER: "id-qt-cps",
+ CertificatePoliciesOID.CPS_USER_NOTICE: "id-qt-unotice",
}
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 9434057..b7602d1 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -20,6 +20,9 @@
)
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
+from cryptography.x509.oid import (
+ AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID, NameOID
+)
from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048
from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
@@ -88,14 +91,14 @@
issuer = cert.issuer
assert isinstance(issuer, x509.Name)
assert list(issuer) == [
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
x509.NameAttribute(
- x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011'
+ NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
),
- x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
+ x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
]
- assert issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
- x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
+ assert issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
+ x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
]
def test_all_issuer_name_types(self, backend):
@@ -111,36 +114,36 @@
assert isinstance(issuer, x509.Name)
assert list(issuer) == [
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'CA'),
- x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
- x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Illinois'),
- x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Chicago'),
- x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
- x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'Zero, LLC'),
- x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'One, LLC'),
- x509.NameAttribute(x509.OID_COMMON_NAME, u'common name 0'),
- x509.NameAttribute(x509.OID_COMMON_NAME, u'common name 1'),
- x509.NameAttribute(x509.OID_ORGANIZATIONAL_UNIT_NAME, u'OU 0'),
- x509.NameAttribute(x509.OID_ORGANIZATIONAL_UNIT_NAME, u'OU 1'),
- x509.NameAttribute(x509.OID_DN_QUALIFIER, u'dnQualifier0'),
- x509.NameAttribute(x509.OID_DN_QUALIFIER, u'dnQualifier1'),
- x509.NameAttribute(x509.OID_SERIAL_NUMBER, u'123'),
- x509.NameAttribute(x509.OID_SERIAL_NUMBER, u'456'),
- x509.NameAttribute(x509.OID_TITLE, u'Title 0'),
- x509.NameAttribute(x509.OID_TITLE, u'Title 1'),
- x509.NameAttribute(x509.OID_SURNAME, u'Surname 0'),
- x509.NameAttribute(x509.OID_SURNAME, u'Surname 1'),
- x509.NameAttribute(x509.OID_GIVEN_NAME, u'Given Name 0'),
- x509.NameAttribute(x509.OID_GIVEN_NAME, u'Given Name 1'),
- x509.NameAttribute(x509.OID_PSEUDONYM, u'Incognito 0'),
- x509.NameAttribute(x509.OID_PSEUDONYM, u'Incognito 1'),
- x509.NameAttribute(x509.OID_GENERATION_QUALIFIER, u'Last Gen'),
- x509.NameAttribute(x509.OID_GENERATION_QUALIFIER, u'Next Gen'),
- x509.NameAttribute(x509.OID_DOMAIN_COMPONENT, u'dc0'),
- x509.NameAttribute(x509.OID_DOMAIN_COMPONENT, u'dc1'),
- x509.NameAttribute(x509.OID_EMAIL_ADDRESS, u'test0@test.local'),
- x509.NameAttribute(x509.OID_EMAIL_ADDRESS, u'test1@test.local'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'CA'),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Illinois'),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u'Chicago'),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Zero, LLC'),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'One, LLC'),
+ x509.NameAttribute(NameOID.COMMON_NAME, u'common name 0'),
+ x509.NameAttribute(NameOID.COMMON_NAME, u'common name 1'),
+ x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 0'),
+ x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 1'),
+ x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier0'),
+ x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier1'),
+ x509.NameAttribute(NameOID.SERIAL_NUMBER, u'123'),
+ x509.NameAttribute(NameOID.SERIAL_NUMBER, u'456'),
+ x509.NameAttribute(NameOID.TITLE, u'Title 0'),
+ x509.NameAttribute(NameOID.TITLE, u'Title 1'),
+ x509.NameAttribute(NameOID.SURNAME, u'Surname 0'),
+ x509.NameAttribute(NameOID.SURNAME, u'Surname 1'),
+ x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 0'),
+ x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 1'),
+ x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 0'),
+ x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 1'),
+ x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Last Gen'),
+ x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Next Gen'),
+ x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc0'),
+ x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc1'),
+ x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test0@test.local'),
+ x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test1@test.local'),
]
def test_subject(self, backend):
@@ -155,18 +158,18 @@
subject = cert.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
x509.NameAttribute(
- x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011'
+ NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
),
x509.NameAttribute(
- x509.OID_COMMON_NAME,
+ NameOID.COMMON_NAME,
u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
)
]
- assert subject.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
+ assert subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
x509.NameAttribute(
- x509.OID_COMMON_NAME,
+ NameOID.COMMON_NAME,
u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
)
]
@@ -180,15 +183,15 @@
x509.load_pem_x509_certificate,
backend
)
- assert cert.subject.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
+ assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
x509.NameAttribute(
- x509.OID_COMMON_NAME,
+ NameOID.COMMON_NAME,
u'We heart UTF8!\u2122'
)
]
- assert cert.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
+ assert cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
x509.NameAttribute(
- x509.OID_COMMON_NAME,
+ NameOID.COMMON_NAME,
u'We heart UTF8!\u2122'
)
]
@@ -205,40 +208,40 @@
subject = cert.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'AU'),
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'DE'),
- x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'California'),
- x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'New York'),
- x509.NameAttribute(x509.OID_LOCALITY_NAME, u'San Francisco'),
- x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Ithaca'),
- x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'Org Zero, LLC'),
- x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'Org One, LLC'),
- x509.NameAttribute(x509.OID_COMMON_NAME, u'CN 0'),
- x509.NameAttribute(x509.OID_COMMON_NAME, u'CN 1'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'AU'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'DE'),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'New York'),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u'San Francisco'),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u'Ithaca'),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org Zero, LLC'),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org One, LLC'),
+ x509.NameAttribute(NameOID.COMMON_NAME, u'CN 0'),
+ x509.NameAttribute(NameOID.COMMON_NAME, u'CN 1'),
x509.NameAttribute(
- x509.OID_ORGANIZATIONAL_UNIT_NAME, u'Engineering 0'
+ NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 0'
),
x509.NameAttribute(
- x509.OID_ORGANIZATIONAL_UNIT_NAME, u'Engineering 1'
+ NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 1'
),
- x509.NameAttribute(x509.OID_DN_QUALIFIER, u'qualified0'),
- x509.NameAttribute(x509.OID_DN_QUALIFIER, u'qualified1'),
- x509.NameAttribute(x509.OID_SERIAL_NUMBER, u'789'),
- x509.NameAttribute(x509.OID_SERIAL_NUMBER, u'012'),
- x509.NameAttribute(x509.OID_TITLE, u'Title IX'),
- x509.NameAttribute(x509.OID_TITLE, u'Title X'),
- x509.NameAttribute(x509.OID_SURNAME, u'Last 0'),
- x509.NameAttribute(x509.OID_SURNAME, u'Last 1'),
- x509.NameAttribute(x509.OID_GIVEN_NAME, u'First 0'),
- x509.NameAttribute(x509.OID_GIVEN_NAME, u'First 1'),
- x509.NameAttribute(x509.OID_PSEUDONYM, u'Guy Incognito 0'),
- x509.NameAttribute(x509.OID_PSEUDONYM, u'Guy Incognito 1'),
- x509.NameAttribute(x509.OID_GENERATION_QUALIFIER, u'32X'),
- x509.NameAttribute(x509.OID_GENERATION_QUALIFIER, u'Dreamcast'),
- x509.NameAttribute(x509.OID_DOMAIN_COMPONENT, u'dc2'),
- x509.NameAttribute(x509.OID_DOMAIN_COMPONENT, u'dc3'),
- x509.NameAttribute(x509.OID_EMAIL_ADDRESS, u'test2@test.local'),
- x509.NameAttribute(x509.OID_EMAIL_ADDRESS, u'test3@test.local'),
+ x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified0'),
+ x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified1'),
+ x509.NameAttribute(NameOID.SERIAL_NUMBER, u'789'),
+ x509.NameAttribute(NameOID.SERIAL_NUMBER, u'012'),
+ x509.NameAttribute(NameOID.TITLE, u'Title IX'),
+ x509.NameAttribute(NameOID.TITLE, u'Title X'),
+ x509.NameAttribute(NameOID.SURNAME, u'Last 0'),
+ x509.NameAttribute(NameOID.SURNAME, u'Last 1'),
+ x509.NameAttribute(NameOID.GIVEN_NAME, u'First 0'),
+ x509.NameAttribute(NameOID.GIVEN_NAME, u'First 1'),
+ x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 0'),
+ x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 1'),
+ x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'32X'),
+ x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Dreamcast'),
+ x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc2'),
+ x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc3'),
+ x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test2@test.local'),
+ x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test3@test.local'),
]
def test_load_good_ca_cert(self, backend):
@@ -547,11 +550,11 @@
subject = request.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
- x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
- x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
- x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
- x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
+ x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
]
extensions = request.extensions
assert isinstance(extensions, x509.Extensions)
@@ -585,7 +588,7 @@
with pytest.raises(x509.DuplicateExtension) as exc:
request.extensions
- assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS
+ assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
def test_unsupported_critical_extension(self, backend):
request = _load_cert(
@@ -623,7 +626,7 @@
assert isinstance(extensions, x509.Extensions)
assert list(extensions) == [
x509.Extension(
- x509.OID_BASIC_CONSTRAINTS,
+ ExtensionOID.BASIC_CONSTRAINTS,
True,
x509.BasicConstraints(ca=True, path_length=1),
),
@@ -636,7 +639,7 @@
backend,
)
ext = request.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert list(ext.value) == [
x509.DNSName(u"cryptography.io"),
@@ -663,11 +666,11 @@
subject = request.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
- x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
- x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
- x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
- x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
+ x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
]
def test_public_bytes_der(self, backend):
@@ -690,11 +693,11 @@
subject = request.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
- x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
- x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
- x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
- x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
+ x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
]
def test_public_bytes_invalid_encoding(self, backend):
@@ -790,17 +793,17 @@
builder = x509.CertificateBuilder().serial_number(
777
).issuer_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
- x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
- x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
- x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
- x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
+ x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
])).subject_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
- x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
- x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
- x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
- x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
+ x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
])).public_key(
subject_private_key.public_key()
).add_extension(
@@ -820,12 +823,12 @@
assert cert.not_valid_before == not_valid_before
assert cert.not_valid_after == not_valid_after
basic_constraints = cert.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
)
assert basic_constraints.value.ca is False
assert basic_constraints.value.path_length is None
subject_alternative_name = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert list(subject_alternative_name.value) == [
x509.DNSName(u"cryptography.io"),
@@ -838,9 +841,9 @@
def test_checks_for_unsupported_extensions(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
builder = x509.CertificateBuilder().subject_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])).issuer_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])).public_key(
private_key.public_key()
).serial_number(
@@ -863,7 +866,7 @@
builder = x509.CertificateBuilder().serial_number(
777
).issuer_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])).public_key(
subject_private_key.public_key()
).not_valid_before(
@@ -881,7 +884,7 @@
builder = x509.CertificateBuilder().serial_number(
777
).subject_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])).public_key(
subject_private_key.public_key()
).not_valid_before(
@@ -899,9 +902,9 @@
builder = x509.CertificateBuilder().serial_number(
777
).issuer_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])).subject_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])).not_valid_before(
datetime.datetime(2002, 1, 1, 12, 1)
).not_valid_after(
@@ -917,9 +920,9 @@
builder = x509.CertificateBuilder().serial_number(
777
).issuer_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])).subject_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])).public_key(
subject_private_key.public_key()
).not_valid_after(
@@ -935,9 +938,9 @@
builder = x509.CertificateBuilder().serial_number(
777
).issuer_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])).subject_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])).public_key(
subject_private_key.public_key()
).not_valid_before(
@@ -951,9 +954,9 @@
def test_no_serial_number(self, backend):
subject_private_key = RSA_KEY_2048.private_key(backend)
builder = x509.CertificateBuilder().issuer_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])).subject_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])).public_key(
subject_private_key.public_key()
).not_valid_before(
@@ -975,7 +978,7 @@
def test_issuer_name_may_only_be_set_once(self):
name = x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])
builder = x509.CertificateBuilder().issuer_name(name)
@@ -993,7 +996,7 @@
def test_subject_name_may_only_be_set_once(self):
name = x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])
builder = x509.CertificateBuilder().subject_name(name)
@@ -1104,9 +1107,9 @@
private_key = RSA_KEY_2048.private_key(backend)
builder = x509.CertificateBuilder()
builder = builder.subject_name(
- x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
).issuer_name(
- x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
).serial_number(
1
).public_key(
@@ -1129,9 +1132,9 @@
private_key = DSA_KEY_2048.private_key(backend)
builder = x509.CertificateBuilder()
builder = builder.subject_name(
- x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
).issuer_name(
- x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
).serial_number(
1
).public_key(
@@ -1155,9 +1158,9 @@
private_key = ec.generate_private_key(ec.SECP256R1(), backend)
builder = x509.CertificateBuilder()
builder = builder.subject_name(
- x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
).issuer_name(
- x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
).serial_number(
1
).public_key(
@@ -1179,20 +1182,20 @@
full_name=None,
relative_name=x509.Name([
x509.NameAttribute(
- x509.OID_COMMON_NAME,
+ NameOID.COMMON_NAME,
u"indirect CRL for indirectCRL CA3"
),
]),
reasons=None,
crl_issuer=[x509.DirectoryName(
x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(
- x509.OID_ORGANIZATION_NAME,
+ NameOID.ORGANIZATION_NAME,
u"Test Certificates 2011"
),
x509.NameAttribute(
- x509.OID_ORGANIZATIONAL_UNIT_NAME,
+ NameOID.ORGANIZATIONAL_UNIT_NAME,
u"indirectCRL CA3 cRLIssuer"
),
])
@@ -1203,7 +1206,7 @@
x509.DistributionPoint(
full_name=[x509.DirectoryName(
x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
])
)],
relative_name=None,
@@ -1211,7 +1214,7 @@
crl_issuer=[x509.DirectoryName(
x509.Name([
x509.NameAttribute(
- x509.OID_ORGANIZATION_NAME,
+ NameOID.ORGANIZATION_NAME,
u"cryptography Testing"
),
])
@@ -1235,9 +1238,9 @@
]),
crl_issuer=[x509.DirectoryName(
x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(
- x509.OID_COMMON_NAME, u"cryptography CA"
+ NameOID.COMMON_NAME, u"cryptography CA"
),
])
)],
@@ -1270,7 +1273,7 @@
crl_issuer=[x509.DirectoryName(
x509.Name([
x509.NameAttribute(
- x509.OID_COMMON_NAME, u"cryptography CA"
+ NameOID.COMMON_NAME, u"cryptography CA"
),
])
)],
@@ -1297,9 +1300,9 @@
builder = x509.CertificateBuilder().serial_number(
4444444
).issuer_name(x509.Name([
- x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
])).subject_name(x509.Name([
- x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
])).public_key(
subject_private_key.public_key()
).add_extension(
@@ -1314,7 +1317,7 @@
cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_CRL_DISTRIBUTION_POINTS
+ ExtensionOID.CRL_DISTRIBUTION_POINTS
)
assert ext.critical is False
assert ext.value == cdp
@@ -1334,9 +1337,9 @@
builder = x509.CertificateBuilder().serial_number(
777
).issuer_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])).subject_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])).public_key(
subject_private_key.public_key()
).add_extension(
@@ -1356,12 +1359,12 @@
assert cert.not_valid_before == not_valid_before
assert cert.not_valid_after == not_valid_after
basic_constraints = cert.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
)
assert basic_constraints.value.ca is False
assert basic_constraints.value.path_length is None
subject_alternative_name = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert list(subject_alternative_name.value) == [
x509.DNSName(u"cryptography.io"),
@@ -1383,9 +1386,9 @@
builder = x509.CertificateBuilder().serial_number(
777
).issuer_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])).subject_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])).public_key(
subject_private_key.public_key()
).add_extension(
@@ -1405,12 +1408,12 @@
assert cert.not_valid_before == not_valid_before
assert cert.not_valid_after == not_valid_after
basic_constraints = cert.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
)
assert basic_constraints.value.ca is False
assert basic_constraints.value.path_length is None
subject_alternative_name = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert list(subject_alternative_name.value) == [
x509.DNSName(u"cryptography.io"),
@@ -1428,9 +1431,9 @@
builder = x509.CertificateBuilder().serial_number(
777
).issuer_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])).subject_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])).public_key(
subject_private_key.public_key()
).not_valid_before(
@@ -1452,9 +1455,9 @@
not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
cert = x509.CertificateBuilder().subject_name(
- x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
).issuer_name(
- x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
).not_valid_before(
not_valid_before
).not_valid_after(
@@ -1471,7 +1474,7 @@
).sign(issuer_private_key, hashes.SHA256(), backend)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_ISSUER_ALTERNATIVE_NAME
+ ExtensionOID.ISSUER_ALTERNATIVE_NAME
)
assert ext.critical is False
assert ext.value == x509.IssuerAlternativeName([
@@ -1489,9 +1492,9 @@
not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
cert = x509.CertificateBuilder().subject_name(
- x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
).issuer_name(
- x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
).not_valid_before(
not_valid_before
).not_valid_after(
@@ -1502,20 +1505,20 @@
123
).add_extension(
x509.ExtendedKeyUsage([
- x509.OID_CLIENT_AUTH,
- x509.OID_SERVER_AUTH,
- x509.OID_CODE_SIGNING,
+ ExtendedKeyUsageOID.CLIENT_AUTH,
+ ExtendedKeyUsageOID.SERVER_AUTH,
+ ExtendedKeyUsageOID.CODE_SIGNING,
]), critical=False
).sign(issuer_private_key, hashes.SHA256(), backend)
eku = cert.extensions.get_extension_for_oid(
- x509.OID_EXTENDED_KEY_USAGE
+ ExtensionOID.EXTENDED_KEY_USAGE
)
assert eku.critical is False
assert eku.value == x509.ExtendedKeyUsage([
- x509.OID_CLIENT_AUTH,
- x509.OID_SERVER_AUTH,
- x509.OID_CODE_SIGNING,
+ ExtendedKeyUsageOID.CLIENT_AUTH,
+ ExtendedKeyUsageOID.SERVER_AUTH,
+ ExtendedKeyUsageOID.CODE_SIGNING,
])
@pytest.mark.requires_backend_interface(interface=RSABackend)
@@ -1528,9 +1531,9 @@
not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
cert = x509.CertificateBuilder().subject_name(
- x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
).issuer_name(
- x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
).not_valid_before(
not_valid_before
).not_valid_after(
@@ -1544,7 +1547,7 @@
).sign(issuer_private_key, hashes.SHA256(), backend)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_INHIBIT_ANY_POLICY
+ ExtensionOID.INHIBIT_ANY_POLICY
)
assert ext.value == x509.InhibitAnyPolicy(3)
@@ -1558,9 +1561,9 @@
not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
cert = x509.CertificateBuilder().subject_name(
- x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
).issuer_name(
- x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
).not_valid_before(
not_valid_before
).not_valid_after(
@@ -1584,7 +1587,7 @@
critical=False
).sign(issuer_private_key, hashes.SHA256(), backend)
- ext = cert.extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
+ ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
assert ext.critical is False
assert ext.value == x509.KeyUsage(
digital_signature=True,
@@ -1625,7 +1628,7 @@
request = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
- x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
])
).add_extension(
x509.BasicConstraints(ca=True, path_length=2), critical=True
@@ -1637,10 +1640,10 @@
subject = request.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
]
basic_constraints = request.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
)
assert basic_constraints.value.ca is True
assert basic_constraints.value.path_length == 2
@@ -1651,7 +1654,7 @@
request = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
- x509.NameAttribute(x509.OID_ORGANIZATION_NAME,
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME,
u'PyCA\U0001f37a'),
])
).add_extension(
@@ -1664,7 +1667,7 @@
subject = loaded_request.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA\U0001f37a'),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'),
]
@pytest.mark.requires_backend_interface(interface=RSABackend)
@@ -1673,7 +1676,7 @@
request = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])
).add_extension(
x509.BasicConstraints(ca=False, path_length=None), critical=True,
@@ -1685,10 +1688,10 @@
subject = request.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
]
basic_constraints = request.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
)
assert basic_constraints.value.ca is False
assert basic_constraints.value.path_length is None
@@ -1703,7 +1706,7 @@
request = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
- x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
])
).add_extension(
x509.BasicConstraints(ca=True, path_length=2), critical=True
@@ -1715,10 +1718,10 @@
subject = request.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
]
basic_constraints = request.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
)
assert basic_constraints.value.ca is True
assert basic_constraints.value.path_length == 2
@@ -1732,7 +1735,7 @@
request = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])
).add_extension(
x509.BasicConstraints(ca=True, path_length=2), critical=True
@@ -1744,10 +1747,10 @@
subject = request.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
]
basic_constraints = request.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
)
assert basic_constraints.value.ca is True
assert basic_constraints.value.path_length == 2
@@ -1777,7 +1780,7 @@
builder = x509.CertificateSigningRequestBuilder()
builder = builder.subject_name(
x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])
).add_extension(
x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
@@ -1793,7 +1796,7 @@
builder = x509.CertificateSigningRequestBuilder()
request = builder.subject_name(
x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])
).add_extension(
x509.KeyUsage(
@@ -1810,7 +1813,7 @@
critical=False
).sign(private_key, hashes.SHA256(), backend)
assert len(request.extensions) == 1
- ext = request.extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
+ ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
assert ext.critical is False
assert ext.value == x509.KeyUsage(
digital_signature=True,
@@ -1829,7 +1832,7 @@
builder = x509.CertificateSigningRequestBuilder()
request = builder.subject_name(
x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])
).add_extension(
x509.KeyUsage(
@@ -1846,7 +1849,7 @@
critical=False
).sign(private_key, hashes.SHA256(), backend)
assert len(request.extensions) == 1
- ext = request.extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
+ ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
assert ext.critical is False
assert ext.value == x509.KeyUsage(
digital_signature=False,
@@ -1864,7 +1867,7 @@
private_key = RSA_KEY_2048.private_key(backend)
builder = x509.CertificateSigningRequestBuilder()
request = builder.subject_name(
- x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
).add_extension(
x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
critical=False,
@@ -1876,12 +1879,12 @@
public_key = request.public_key()
assert isinstance(public_key, rsa.RSAPublicKey)
basic_constraints = request.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
)
assert basic_constraints.value.ca is True
assert basic_constraints.value.path_length == 2
ext = request.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
@@ -1889,13 +1892,13 @@
builder = x509.CertificateSigningRequestBuilder()
builder = builder.subject_name(
x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])
)
with pytest.raises(ValueError):
builder.subject_name(
x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])
)
@@ -1904,7 +1907,7 @@
csr = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
- x509.NameAttribute(x509.OID_COMMON_NAME, u"SAN"),
+ x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
])
).add_extension(
x509.SubjectAlternativeName([
@@ -1912,9 +1915,9 @@
x509.DNSName(u"*.example.com"),
x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
x509.DirectoryName(x509.Name([
- x509.NameAttribute(x509.OID_COMMON_NAME, u'PyCA'),
+ x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
x509.NameAttribute(
- x509.OID_ORGANIZATION_NAME, u'We heart UTF8!\u2122'
+ NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
)
])),
x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
@@ -1938,18 +1941,18 @@
assert len(csr.extensions) == 1
ext = csr.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert not ext.critical
- assert ext.oid == x509.OID_SUBJECT_ALTERNATIVE_NAME
+ assert ext.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME
assert list(ext.value) == [
x509.DNSName(u"example.com"),
x509.DNSName(u"*.example.com"),
x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
x509.DirectoryName(x509.Name([
- x509.NameAttribute(x509.OID_COMMON_NAME, u'PyCA'),
+ x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
x509.NameAttribute(
- x509.OID_ORGANIZATION_NAME, u'We heart UTF8!\u2122'
+ NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
),
])),
x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
@@ -1974,7 +1977,7 @@
builder = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
- x509.NameAttribute(x509.OID_COMMON_NAME, u"SAN"),
+ x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
])
).add_extension(
x509.SubjectAlternativeName([
@@ -1993,7 +1996,7 @@
builder = x509.CertificateSigningRequestBuilder().subject_name(
x509.Name([
- x509.NameAttribute(x509.OID_COMMON_NAME, u"SAN"),
+ x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
])
).add_extension(
x509.SubjectAlternativeName([FakeGeneralName("")]),
@@ -2007,23 +2010,23 @@
private_key = RSA_KEY_2048.private_key(backend)
builder = x509.CertificateSigningRequestBuilder()
request = builder.subject_name(
- x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
).add_extension(
x509.ExtendedKeyUsage([
- x509.OID_CLIENT_AUTH,
- x509.OID_SERVER_AUTH,
- x509.OID_CODE_SIGNING,
+ ExtendedKeyUsageOID.CLIENT_AUTH,
+ ExtendedKeyUsageOID.SERVER_AUTH,
+ ExtendedKeyUsageOID.CODE_SIGNING,
]), critical=False
).sign(private_key, hashes.SHA256(), backend)
eku = request.extensions.get_extension_for_oid(
- x509.OID_EXTENDED_KEY_USAGE
+ ExtensionOID.EXTENDED_KEY_USAGE
)
assert eku.critical is False
assert eku.value == x509.ExtendedKeyUsage([
- x509.OID_CLIENT_AUTH,
- x509.OID_SERVER_AUTH,
- x509.OID_CODE_SIGNING,
+ ExtendedKeyUsageOID.CLIENT_AUTH,
+ ExtendedKeyUsageOID.SERVER_AUTH,
+ ExtendedKeyUsageOID.CODE_SIGNING,
])
@pytest.mark.requires_backend_interface(interface=RSABackend)
@@ -2031,7 +2034,7 @@
private_key = rsa.generate_private_key(65537, 512, backend)
builder = x509.CertificateSigningRequestBuilder()
builder = builder.subject_name(
- x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
)
with pytest.raises(ValueError) as exc:
@@ -2050,11 +2053,11 @@
aia = x509.AuthorityInformationAccess([
x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
),
x509.AccessDescription(
- x509.OID_CA_ISSUERS,
+ AuthorityInformationAccessOID.CA_ISSUERS,
x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
)
])
@@ -2062,9 +2065,9 @@
builder = x509.CertificateBuilder().serial_number(
777
).issuer_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])).subject_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])).public_key(
subject_private_key.public_key()
).add_extension(
@@ -2078,7 +2081,7 @@
cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_AUTHORITY_INFORMATION_ACCESS
+ ExtensionOID.AUTHORITY_INFORMATION_ACCESS
)
assert ext.value == aia
@@ -2098,9 +2101,9 @@
builder = x509.CertificateBuilder().serial_number(
777
).issuer_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])).subject_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])).public_key(
subject_private_key.public_key()
).add_extension(
@@ -2114,7 +2117,7 @@
cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_KEY_IDENTIFIER
+ ExtensionOID.SUBJECT_KEY_IDENTIFIER
)
assert ext.value == ski
@@ -2134,10 +2137,10 @@
x509.DirectoryName(
x509.Name([
x509.NameAttribute(
- x509.OID_ORGANIZATION_NAME, u"PyCA"
+ NameOID.ORGANIZATION_NAME, u"PyCA"
),
x509.NameAttribute(
- x509.OID_COMMON_NAME, u"cryptography CA"
+ NameOID.COMMON_NAME, u"cryptography CA"
)
])
)
@@ -2150,10 +2153,10 @@
x509.DirectoryName(
x509.Name([
x509.NameAttribute(
- x509.OID_ORGANIZATION_NAME, u"PyCA"
+ NameOID.ORGANIZATION_NAME, u"PyCA"
),
x509.NameAttribute(
- x509.OID_COMMON_NAME, u"cryptography CA"
+ NameOID.COMMON_NAME, u"cryptography CA"
)
])
)
@@ -2174,9 +2177,9 @@
builder = x509.CertificateBuilder().serial_number(
777
).issuer_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])).subject_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])).public_key(
subject_private_key.public_key()
).add_extension(
@@ -2190,7 +2193,7 @@
cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_AUTHORITY_KEY_IDENTIFIER
+ ExtensionOID.AUTHORITY_KEY_IDENTIFIER
)
assert ext.value == aki
@@ -2204,9 +2207,9 @@
builder = x509.CertificateBuilder().serial_number(
777
).issuer_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])).subject_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])).public_key(
subject_private_key.public_key()
).add_extension(
@@ -2220,7 +2223,7 @@
cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_OCSP_NO_CHECK
+ ExtensionOID.OCSP_NO_CHECK
)
assert isinstance(ext.value, x509.OCSPNoCheck)
@@ -2296,11 +2299,11 @@
subject = request.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
- x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
- x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
- x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
]
@@ -2360,11 +2363,11 @@
subject = request.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
- x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
- x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
- x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
]
@@ -2460,8 +2463,8 @@
def test_repr(self):
name = x509.Name([
- x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
- x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
+ x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
])
if six.PY3:
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index 40231b9..2c5438a 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -17,6 +17,9 @@
DSABackend, EllipticCurveBackend, RSABackend, X509Backend
)
from cryptography.hazmat.primitives.asymmetric import ec
+from cryptography.x509.oid import (
+ AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID, NameOID
+)
from .hazmat.primitives.test_ec import _skip_curve_unsupported
from .test_x509 import _load_cert
@@ -31,11 +34,11 @@
def test_critical_not_a_bool(self):
bc = x509.BasicConstraints(ca=False, path_length=None)
with pytest.raises(TypeError):
- x509.Extension(x509.OID_BASIC_CONSTRAINTS, "notabool", bc)
+ x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, "notabool", bc)
def test_repr(self):
bc = x509.BasicConstraints(ca=False, path_length=None)
- ext = x509.Extension(x509.OID_BASIC_CONSTRAINTS, True, bc)
+ ext = x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, True, bc)
assert repr(ext) == (
"<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConst"
"raints)>, critical=True, value=<BasicConstraints(ca=False, path"
@@ -277,7 +280,7 @@
)
cp = cert.extensions.get_extension_for_oid(
- x509.OID_CERTIFICATE_POLICIES
+ ExtensionOID.CERTIFICATE_POLICIES
).value
assert cp == x509.CertificatePolicies([
@@ -297,7 +300,7 @@
)
cp = cert.extensions.get_extension_for_oid(
- x509.OID_CERTIFICATE_POLICIES
+ ExtensionOID.CERTIFICATE_POLICIES
).value
assert cp == x509.CertificatePolicies([
@@ -324,7 +327,7 @@
)
cp = cert.extensions.get_extension_for_oid(
- x509.OID_CERTIFICATE_POLICIES
+ ExtensionOID.CERTIFICATE_POLICIES
).value
assert cp == x509.CertificatePolicies([
@@ -344,7 +347,7 @@
)
cp = cert.extensions.get_extension_for_oid(
- x509.OID_CERTIFICATE_POLICIES
+ ExtensionOID.CERTIFICATE_POLICIES
).value
assert cp == x509.CertificatePolicies([
@@ -556,7 +559,7 @@
ski = x509.SubjectKeyIdentifier(
binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
)
- ext = x509.Extension(x509.OID_SUBJECT_KEY_IDENTIFIER, False, ski)
+ ext = x509.Extension(ExtensionOID.SUBJECT_KEY_IDENTIFIER, False, ski)
if six.PY3:
assert repr(ext) == (
"<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
@@ -629,7 +632,7 @@
def test_repr(self):
dirname = x509.DirectoryName(
- x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, u'myCN')])
+ x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
)
aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
@@ -650,21 +653,21 @@
def test_eq(self):
dirname = x509.DirectoryName(
- x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, u'myCN')])
+ x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
)
aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
dirname2 = x509.DirectoryName(
- x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, u'myCN')])
+ x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
)
aki2 = x509.AuthorityKeyIdentifier(b"digest", [dirname2], 1234)
assert aki == aki2
def test_ne(self):
dirname = x509.DirectoryName(
- x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, u'myCN')])
+ x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
)
dirname5 = x509.DirectoryName(
- x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, u'aCN')])
+ x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'aCN')])
)
aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
aki2 = x509.AuthorityKeyIdentifier(b"diges", [dirname], 1234)
@@ -730,8 +733,8 @@
])
assert len(eku) == 2
assert list(eku) == [
- x509.OID_SERVER_AUTH,
- x509.OID_CLIENT_AUTH
+ ExtendedKeyUsageOID.SERVER_AUTH,
+ ExtendedKeyUsageOID.CLIENT_AUTH
]
def test_repr(self):
@@ -774,9 +777,9 @@
assert len(ext) == 0
assert list(ext) == []
with pytest.raises(x509.ExtensionNotFound) as exc:
- ext.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
+ ext.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
- assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS
+ assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
def test_one_extension(self, backend):
cert = _load_cert(
@@ -787,7 +790,7 @@
backend
)
extensions = cert.extensions
- ext = extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
+ ext = extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
assert ext is not None
assert ext.value.ca is False
@@ -802,7 +805,7 @@
with pytest.raises(x509.DuplicateExtension) as exc:
cert.extensions
- assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS
+ assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
def test_unsupported_critical_extension(self, backend):
cert = _load_cert(
@@ -842,7 +845,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
)
assert ext is not None
assert ext.critical is True
@@ -856,7 +859,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
)
assert ext is not None
assert ext.critical is True
@@ -870,7 +873,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
)
assert ext is not None
assert ext.critical is True
@@ -884,7 +887,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
)
assert ext is not None
assert ext.critical is True
@@ -903,7 +906,9 @@
backend
)
with pytest.raises(x509.ExtensionNotFound):
- cert.extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
+ cert.extensions.get_extension_for_oid(
+ ExtensionOID.BASIC_CONSTRAINTS
+ )
def test_basic_constraint_not_critical(self, backend):
cert = _load_cert(
@@ -914,7 +919,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
)
assert ext is not None
assert ext.critical is False
@@ -931,7 +936,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_KEY_IDENTIFIER
+ ExtensionOID.SUBJECT_KEY_IDENTIFIER
)
ski = ext.value
assert ext is not None
@@ -950,7 +955,7 @@
)
with pytest.raises(x509.ExtensionNotFound):
cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_KEY_IDENTIFIER
+ ExtensionOID.SUBJECT_KEY_IDENTIFIER
)
@pytest.mark.requires_backend_interface(interface=RSABackend)
@@ -962,7 +967,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_KEY_IDENTIFIER
+ ExtensionOID.SUBJECT_KEY_IDENTIFIER
)
ski = x509.SubjectKeyIdentifier.from_public_key(
cert.public_key()
@@ -979,7 +984,7 @@
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_KEY_IDENTIFIER
+ ExtensionOID.SUBJECT_KEY_IDENTIFIER
)
ski = x509.SubjectKeyIdentifier.from_public_key(
cert.public_key()
@@ -997,7 +1002,7 @@
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_KEY_IDENTIFIER
+ ExtensionOID.SUBJECT_KEY_IDENTIFIER
)
ski = x509.SubjectKeyIdentifier.from_public_key(
cert.public_key()
@@ -1016,9 +1021,9 @@
)
ext = cert.extensions
with pytest.raises(x509.ExtensionNotFound) as exc:
- ext.get_extension_for_oid(x509.OID_KEY_USAGE)
+ ext.get_extension_for_oid(ExtensionOID.KEY_USAGE)
- assert exc.value.oid == x509.OID_KEY_USAGE
+ assert exc.value.oid == ExtensionOID.KEY_USAGE
def test_all_purposes(self, backend):
cert = _load_cert(
@@ -1029,7 +1034,7 @@
backend
)
extensions = cert.extensions
- ext = extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
+ ext = extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
assert ext is not None
ku = ext.value
@@ -1051,7 +1056,7 @@
x509.load_der_x509_certificate,
backend
)
- ext = cert.extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
+ ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
assert ext is not None
assert ext.critical is True
@@ -1105,7 +1110,7 @@
x509.DirectoryName(1.3)
def test_repr(self):
- name = x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, u'value1')])
+ name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'value1')])
gn = x509.DirectoryName(x509.Name([name]))
if six.PY3:
assert repr(gn) == (
@@ -1203,20 +1208,20 @@
x509.RegisteredID(1.3)
def test_repr(self):
- gn = x509.RegisteredID(x509.OID_COMMON_NAME)
+ gn = x509.RegisteredID(NameOID.COMMON_NAME)
assert repr(gn) == (
"<RegisteredID(value=<ObjectIdentifier(oid=2.5.4.3, name=commonNam"
"e)>)>"
)
def test_eq(self):
- gn = x509.RegisteredID(x509.OID_COMMON_NAME)
- gn2 = x509.RegisteredID(x509.OID_COMMON_NAME)
+ gn = x509.RegisteredID(NameOID.COMMON_NAME)
+ gn2 = x509.RegisteredID(NameOID.COMMON_NAME)
assert gn == gn2
def test_ne(self):
- gn = x509.RegisteredID(x509.OID_COMMON_NAME)
- gn2 = x509.RegisteredID(x509.OID_BASIC_CONSTRAINTS)
+ gn = x509.RegisteredID(NameOID.COMMON_NAME)
+ gn2 = x509.RegisteredID(ExtensionOID.BASIC_CONSTRAINTS)
assert gn != gn2
assert gn != object()
@@ -1424,7 +1429,7 @@
backend,
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_ISSUER_ALTERNATIVE_NAME
+ ExtensionOID.ISSUER_ALTERNATIVE_NAME
)
assert list(ext.value) == [
x509.UniformResourceIdentifier(u"http://path.to.root/root.crt"),
@@ -1497,7 +1502,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert ext is not None
assert ext.critical is False
@@ -1514,7 +1519,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
dns = ext.value.get_values_for_type(x509.DNSName)
@@ -1532,7 +1537,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
dns = ext.value.get_values_for_type(x509.DNSName)
@@ -1558,7 +1563,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert ext is not None
assert ext.critical is False
@@ -1576,7 +1581,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert ext is not None
uri = ext.value.get_values_for_type(
@@ -1597,7 +1602,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert ext is not None
assert ext.critical is False
@@ -1619,7 +1624,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert ext is not None
assert ext.critical is False
@@ -1629,9 +1634,9 @@
dirname = san.get_values_for_type(x509.DirectoryName)
assert [
x509.Name([
- x509.NameAttribute(x509.OID_COMMON_NAME, u'test'),
- x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'Org'),
- x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(NameOID.COMMON_NAME, u'test'),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org'),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
])
] == dirname
@@ -1644,7 +1649,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert ext is not None
assert ext.critical is False
@@ -1674,7 +1679,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert ext is not None
rfc822_name = ext.value.get_values_for_type(x509.RFC822Name)
@@ -1693,7 +1698,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert ext is not None
assert ext.critical is False
@@ -1710,9 +1715,9 @@
assert [u"cryptography.io"] == dns
assert [
x509.Name([
- x509.NameAttribute(x509.OID_COMMON_NAME, u'dirCN'),
+ x509.NameAttribute(NameOID.COMMON_NAME, u'dirCN'),
x509.NameAttribute(
- x509.OID_ORGANIZATION_NAME, u'Cryptographic Authority'
+ NameOID.ORGANIZATION_NAME, u'Cryptographic Authority'
),
])
] == dirname
@@ -1744,7 +1749,7 @@
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert ext is not None
assert ext.critical is False
@@ -1770,7 +1775,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_EXTENDED_KEY_USAGE
+ ExtensionOID.EXTENDED_KEY_USAGE
)
assert ext is not None
assert ext.critical is False
@@ -1794,11 +1799,13 @@
def test_invalid_access_location(self):
with pytest.raises(TypeError):
- x509.AccessDescription(x509.OID_CA_ISSUERS, "invalid")
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.CA_ISSUERS, "invalid"
+ )
def test_repr(self):
ad = x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
)
assert repr(ad) == (
@@ -1809,26 +1816,26 @@
def test_eq(self):
ad = x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
)
ad2 = x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
)
assert ad == ad2
def test_ne(self):
ad = x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
)
ad2 = x509.AccessDescription(
- x509.OID_CA_ISSUERS,
+ AuthorityInformationAccessOID.CA_ISSUERS,
x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
)
ad3 = x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
x509.UniformResourceIdentifier(u"http://notthesame")
)
assert ad != ad2
@@ -1844,22 +1851,22 @@
def test_iter_len(self):
aia = x509.AuthorityInformationAccess([
x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
),
x509.AccessDescription(
- x509.OID_CA_ISSUERS,
+ AuthorityInformationAccessOID.CA_ISSUERS,
x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
)
])
assert len(aia) == 2
assert list(aia) == [
x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
),
x509.AccessDescription(
- x509.OID_CA_ISSUERS,
+ AuthorityInformationAccessOID.CA_ISSUERS,
x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
)
]
@@ -1867,11 +1874,11 @@
def test_repr(self):
aia = x509.AuthorityInformationAccess([
x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
),
x509.AccessDescription(
- x509.OID_CA_ISSUERS,
+ AuthorityInformationAccessOID.CA_ISSUERS,
x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
)
])
@@ -1887,21 +1894,21 @@
def test_eq(self):
aia = x509.AuthorityInformationAccess([
x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
),
x509.AccessDescription(
- x509.OID_CA_ISSUERS,
+ AuthorityInformationAccessOID.CA_ISSUERS,
x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
)
])
aia2 = x509.AuthorityInformationAccess([
x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
),
x509.AccessDescription(
- x509.OID_CA_ISSUERS,
+ AuthorityInformationAccessOID.CA_ISSUERS,
x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
)
])
@@ -1910,17 +1917,17 @@
def test_ne(self):
aia = x509.AuthorityInformationAccess([
x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
),
x509.AccessDescription(
- x509.OID_CA_ISSUERS,
+ AuthorityInformationAccessOID.CA_ISSUERS,
x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
)
])
aia2 = x509.AuthorityInformationAccess([
x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
),
])
@@ -1939,18 +1946,18 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_AUTHORITY_INFORMATION_ACCESS
+ ExtensionOID.AUTHORITY_INFORMATION_ACCESS
)
assert ext is not None
assert ext.critical is False
assert ext.value == x509.AuthorityInformationAccess([
x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
x509.UniformResourceIdentifier(u"http://gv.symcd.com")
),
x509.AccessDescription(
- x509.OID_CA_ISSUERS,
+ AuthorityInformationAccessOID.CA_ISSUERS,
x509.UniformResourceIdentifier(u"http://gv.symcb.com/gv.crt")
),
])
@@ -1962,25 +1969,25 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_AUTHORITY_INFORMATION_ACCESS
+ ExtensionOID.AUTHORITY_INFORMATION_ACCESS
)
assert ext is not None
assert ext.critical is False
assert ext.value == x509.AuthorityInformationAccess([
x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
),
x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
x509.UniformResourceIdentifier(u"http://ocsp2.domain.com")
),
x509.AccessDescription(
- x509.OID_CA_ISSUERS,
+ AuthorityInformationAccessOID.CA_ISSUERS,
x509.DirectoryName(x509.Name([
- x509.NameAttribute(x509.OID_COMMON_NAME, u"myCN"),
- x509.NameAttribute(x509.OID_ORGANIZATION_NAME,
+ x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME,
u"some Org"),
]))
),
@@ -1993,14 +2000,14 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_AUTHORITY_INFORMATION_ACCESS
+ ExtensionOID.AUTHORITY_INFORMATION_ACCESS
)
assert ext is not None
assert ext.critical is False
assert ext.value == x509.AuthorityInformationAccess([
x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
),
])
@@ -2012,17 +2019,17 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_AUTHORITY_INFORMATION_ACCESS
+ ExtensionOID.AUTHORITY_INFORMATION_ACCESS
)
assert ext is not None
assert ext.critical is False
assert ext.value == x509.AuthorityInformationAccess([
x509.AccessDescription(
- x509.OID_CA_ISSUERS,
+ AuthorityInformationAccessOID.CA_ISSUERS,
x509.DirectoryName(x509.Name([
- x509.NameAttribute(x509.OID_COMMON_NAME, u"myCN"),
- x509.NameAttribute(x509.OID_ORGANIZATION_NAME,
+ x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME,
u"some Org"),
]))
),
@@ -2041,7 +2048,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_AUTHORITY_KEY_IDENTIFIER
+ ExtensionOID.AUTHORITY_KEY_IDENTIFIER
)
assert ext is not None
assert ext.critical is False
@@ -2061,7 +2068,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_AUTHORITY_KEY_IDENTIFIER
+ ExtensionOID.AUTHORITY_KEY_IDENTIFIER
)
assert ext is not None
assert ext.critical is False
@@ -2073,10 +2080,10 @@
x509.DirectoryName(
x509.Name([
x509.NameAttribute(
- x509.OID_ORGANIZATION_NAME, u"PyCA"
+ NameOID.ORGANIZATION_NAME, u"PyCA"
),
x509.NameAttribute(
- x509.OID_COMMON_NAME, u"cryptography.io"
+ NameOID.COMMON_NAME, u"cryptography.io"
)
])
)
@@ -2092,7 +2099,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_AUTHORITY_KEY_IDENTIFIER
+ ExtensionOID.AUTHORITY_KEY_IDENTIFIER
)
assert ext is not None
assert ext.critical is False
@@ -2102,10 +2109,10 @@
x509.DirectoryName(
x509.Name([
x509.NameAttribute(
- x509.OID_ORGANIZATION_NAME, u"PyCA"
+ NameOID.ORGANIZATION_NAME, u"PyCA"
),
x509.NameAttribute(
- x509.OID_COMMON_NAME, u"cryptography.io"
+ NameOID.COMMON_NAME, u"cryptography.io"
)
])
)
@@ -2124,7 +2131,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_AUTHORITY_KEY_IDENTIFIER
+ ExtensionOID.AUTHORITY_KEY_IDENTIFIER
)
aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(
issuer_cert.public_key()
@@ -2241,7 +2248,7 @@
backend
)
nc = cert.extensions.get_extension_for_oid(
- x509.OID_NAME_CONSTRAINTS
+ ExtensionOID.NAME_CONSTRAINTS
).value
assert nc == x509.NameConstraints(
permitted_subtrees=[
@@ -2249,7 +2256,7 @@
],
excluded_subtrees=[
x509.DirectoryName(x509.Name([
- x509.NameAttribute(x509.OID_COMMON_NAME, u"zombo")
+ x509.NameAttribute(NameOID.COMMON_NAME, u"zombo")
]))
]
)
@@ -2263,7 +2270,7 @@
backend
)
nc = cert.extensions.get_extension_for_oid(
- x509.OID_NAME_CONSTRAINTS
+ ExtensionOID.NAME_CONSTRAINTS
).value
assert nc == x509.NameConstraints(
permitted_subtrees=[
@@ -2281,7 +2288,7 @@
backend
)
nc = cert.extensions.get_extension_for_oid(
- x509.OID_NAME_CONSTRAINTS
+ ExtensionOID.NAME_CONSTRAINTS
).value
assert nc == x509.NameConstraints(
permitted_subtrees=[
@@ -2300,7 +2307,7 @@
backend
)
nc = cert.extensions.get_extension_for_oid(
- x509.OID_NAME_CONSTRAINTS
+ ExtensionOID.NAME_CONSTRAINTS
).value
assert nc == x509.NameConstraints(
permitted_subtrees=None,
@@ -2319,7 +2326,7 @@
backend
)
nc = cert.extensions.get_extension_for_oid(
- x509.OID_NAME_CONSTRAINTS
+ ExtensionOID.NAME_CONSTRAINTS
).value
assert nc == x509.NameConstraints(
permitted_subtrees=[
@@ -2341,7 +2348,7 @@
backend
)
nc = cert.extensions.get_extension_for_oid(
- x509.OID_NAME_CONSTRAINTS
+ ExtensionOID.NAME_CONSTRAINTS
).value
assert nc == x509.NameConstraints(
permitted_subtrees=[
@@ -2361,7 +2368,7 @@
)
with pytest.raises(ValueError):
cert.extensions.get_extension_for_oid(
- x509.OID_NAME_CONSTRAINTS
+ ExtensionOID.NAME_CONSTRAINTS
)
@@ -2435,7 +2442,7 @@
x509.DirectoryName(
x509.Name([
x509.NameAttribute(
- x509.OID_COMMON_NAME, u"Important CA"
+ NameOID.COMMON_NAME, u"Important CA"
)
])
)
@@ -2449,7 +2456,7 @@
x509.DirectoryName(
x509.Name([
x509.NameAttribute(
- x509.OID_COMMON_NAME, u"Important CA"
+ NameOID.COMMON_NAME, u"Important CA"
)
])
)
@@ -2466,7 +2473,7 @@
x509.DirectoryName(
x509.Name([
x509.NameAttribute(
- x509.OID_COMMON_NAME, u"Important CA"
+ NameOID.COMMON_NAME, u"Important CA"
)
])
)
@@ -2485,14 +2492,14 @@
dp = x509.DistributionPoint(
None,
x509.Name([
- x509.NameAttribute(x509.OID_COMMON_NAME, u"myCN")
+ x509.NameAttribute(NameOID.COMMON_NAME, u"myCN")
]),
frozenset([x509.ReasonFlags.ca_compromise]),
[
x509.DirectoryName(
x509.Name([
x509.NameAttribute(
- x509.OID_COMMON_NAME, u"Important CA"
+ NameOID.COMMON_NAME, u"Important CA"
)
])
)
@@ -2670,24 +2677,24 @@
)
cdps = cert.extensions.get_extension_for_oid(
- x509.OID_CRL_DISTRIBUTION_POINTS
+ ExtensionOID.CRL_DISTRIBUTION_POINTS
).value
assert cdps == x509.CRLDistributionPoints([
x509.DistributionPoint(
full_name=[x509.DirectoryName(
x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(
- x509.OID_ORGANIZATION_NAME,
+ NameOID.ORGANIZATION_NAME,
u"Test Certificates 2011"
),
x509.NameAttribute(
- x509.OID_ORGANIZATIONAL_UNIT_NAME,
+ NameOID.ORGANIZATIONAL_UNIT_NAME,
u"indirectCRL CA3 cRLIssuer"
),
x509.NameAttribute(
- x509.OID_COMMON_NAME,
+ NameOID.COMMON_NAME,
u"indirect CRL for indirectCRL CA3"
),
])
@@ -2696,13 +2703,13 @@
reasons=None,
crl_issuer=[x509.DirectoryName(
x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(
- x509.OID_ORGANIZATION_NAME,
+ NameOID.ORGANIZATION_NAME,
u"Test Certificates 2011"
),
x509.NameAttribute(
- x509.OID_ORGANIZATIONAL_UNIT_NAME,
+ NameOID.ORGANIZATIONAL_UNIT_NAME,
u"indirectCRL CA3 cRLIssuer"
),
])
@@ -2720,7 +2727,7 @@
)
cdps = cert.extensions.get_extension_for_oid(
- x509.OID_CRL_DISTRIBUTION_POINTS
+ ExtensionOID.CRL_DISTRIBUTION_POINTS
).value
assert cdps == x509.CRLDistributionPoints([
@@ -2728,20 +2735,20 @@
full_name=None,
relative_name=x509.Name([
x509.NameAttribute(
- x509.OID_COMMON_NAME,
+ NameOID.COMMON_NAME,
u"indirect CRL for indirectCRL CA3"
),
]),
reasons=None,
crl_issuer=[x509.DirectoryName(
x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(
- x509.OID_ORGANIZATION_NAME,
+ NameOID.ORGANIZATION_NAME,
u"Test Certificates 2011"
),
x509.NameAttribute(
- x509.OID_ORGANIZATIONAL_UNIT_NAME,
+ NameOID.ORGANIZATIONAL_UNIT_NAME,
u"indirectCRL CA3 cRLIssuer"
),
])
@@ -2759,7 +2766,7 @@
)
cdps = cert.extensions.get_extension_for_oid(
- x509.OID_CRL_DISTRIBUTION_POINTS
+ ExtensionOID.CRL_DISTRIBUTION_POINTS
).value
assert cdps == x509.CRLDistributionPoints([
@@ -2774,12 +2781,12 @@
]),
crl_issuer=[x509.DirectoryName(
x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(
- x509.OID_ORGANIZATION_NAME, u"PyCA"
+ NameOID.ORGANIZATION_NAME, u"PyCA"
),
x509.NameAttribute(
- x509.OID_COMMON_NAME, u"cryptography CA"
+ NameOID.COMMON_NAME, u"cryptography CA"
),
])
)],
@@ -2796,7 +2803,7 @@
)
cdps = cert.extensions.get_extension_for_oid(
- x509.OID_CRL_DISTRIBUTION_POINTS
+ ExtensionOID.CRL_DISTRIBUTION_POINTS
).value
assert cdps == x509.CRLDistributionPoints([
@@ -2829,7 +2836,7 @@
)
cdps = cert.extensions.get_extension_for_oid(
- x509.OID_CRL_DISTRIBUTION_POINTS
+ ExtensionOID.CRL_DISTRIBUTION_POINTS
).value
assert cdps == x509.CRLDistributionPoints([
@@ -2853,7 +2860,7 @@
)
cdps = cert.extensions.get_extension_for_oid(
- x509.OID_CRL_DISTRIBUTION_POINTS
+ ExtensionOID.CRL_DISTRIBUTION_POINTS
).value
assert cdps == x509.CRLDistributionPoints([
@@ -2864,7 +2871,7 @@
crl_issuer=[x509.DirectoryName(
x509.Name([
x509.NameAttribute(
- x509.OID_COMMON_NAME, u"cryptography CA"
+ NameOID.COMMON_NAME, u"cryptography CA"
),
])
)],
@@ -2884,7 +2891,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_OCSP_NO_CHECK
+ ExtensionOID.OCSP_NO_CHECK
)
assert isinstance(ext.value, x509.OCSPNoCheck)
@@ -2926,7 +2933,7 @@
backend
)
iap = cert.extensions.get_extension_for_oid(
- x509.OID_INHIBIT_ANY_POLICY
+ ExtensionOID.INHIBIT_ANY_POLICY
).value
assert iap.skip_certs == 5