Upgrade cryptography from 2.5 to 3.3
Source code is from https://github.com/pyca/cryptography/tree/3.3.x
Run setup.py locally and rename _openssl.so/_padding.so
Bug: 205265538
Test: None
Change-Id: If031739ef5830ba2fb177add74515e4660e2906e
diff --git a/tests/x509/test_ocsp.py b/tests/x509/test_ocsp.py
index 3abaff5..b649402 100644
--- a/tests/x509/test_ocsp.py
+++ b/tests/x509/test_ocsp.py
@@ -13,7 +13,7 @@
from cryptography import x509
from cryptography.exceptions import UnsupportedAlgorithm
from cryptography.hazmat.primitives import hashes, serialization
-from cryptography.hazmat.primitives.asymmetric import ec
+from cryptography.hazmat.primitives.asymmetric import ec, ed25519, ed448
from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15
from cryptography.x509 import ocsp
@@ -24,51 +24,52 @@
def _load_data(filename, loader):
return load_vectors_from_file(
- filename=filename,
- loader=lambda data: loader(data.read()),
- mode="rb"
+ filename=filename, loader=lambda data: loader(data.read()), mode="rb"
)
def _cert_and_issuer():
from cryptography.hazmat.backends.openssl.backend import backend
+
cert = _load_cert(
os.path.join("x509", "cryptography.io.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
issuer = _load_cert(
os.path.join("x509", "rapidssl_sha256_ca_g3.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
return cert, issuer
-def _generate_root():
+def _generate_root(private_key=None, algorithm=hashes.SHA256()):
from cryptography.hazmat.backends.openssl.backend import backend
- private_key = EC_KEY_SECP256R1.private_key(backend)
- subject = x509.Name([
- x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u'US'),
- x509.NameAttribute(x509.NameOID.COMMON_NAME, u'Cryptography CA'),
- ])
+ if private_key is None:
+ private_key = EC_KEY_SECP256R1.private_key(backend)
- builder = x509.CertificateBuilder().serial_number(
- 123456789
- ).issuer_name(
- subject
- ).subject_name(
- subject
- ).public_key(
- private_key.public_key()
- ).not_valid_before(
- datetime.datetime.now()
- ).not_valid_after(
- datetime.datetime.now() + datetime.timedelta(days=3650)
+ subject = x509.Name(
+ [
+ x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(x509.NameOID.COMMON_NAME, u"Cryptography CA"),
+ ]
)
- cert = builder.sign(private_key, hashes.SHA256(), backend)
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(123456789)
+ .issuer_name(subject)
+ .subject_name(subject)
+ .public_key(private_key.public_key())
+ .not_valid_before(datetime.datetime.now())
+ .not_valid_after(
+ datetime.datetime.now() + datetime.timedelta(days=3650)
+ )
+ )
+
+ cert = builder.sign(private_key, algorithm, backend)
return cert, private_key
@@ -82,10 +83,12 @@
os.path.join("x509", "ocsp", "req-sha1.der"),
ocsp.load_der_ocsp_request,
)
- assert req.issuer_name_hash == (b"8\xcaF\x8c\x07D\x8d\xf4\x81\x96"
- b"\xc7mmLpQ\x9e`\xa7\xbd")
- assert req.issuer_key_hash == (b"yu\xbb\x84:\xcb,\xdez\t\xbe1"
- b"\x1bC\xbc\x1c*MSX")
+ assert req.issuer_name_hash == (
+ b"8\xcaF\x8c\x07D\x8d\xf4\x81\x96" b"\xc7mmLpQ\x9e`\xa7\xbd"
+ )
+ assert req.issuer_key_hash == (
+ b"yu\xbb\x84:\xcb,\xdez\t\xbe1" b"\x1bC\xbc\x1c*MSX"
+ )
assert isinstance(req.hash_algorithm, hashes.SHA1)
assert req.serial_number == int(
"98D9E5C0B4C373552DF77C5D0F1EB5128E4945F9", 16
@@ -123,7 +126,7 @@
req_bytes = load_vectors_from_file(
filename=os.path.join("x509", "ocsp", "req-sha1.der"),
loader=lambda data: data.read(),
- mode="rb"
+ mode="rb",
)
req = ocsp.load_der_ocsp_request(req_bytes)
assert req.public_bytes(serialization.Encoding.DER) == req_bytes
@@ -194,16 +197,14 @@
[
[x509.OCSPNonce(b"0000"), False],
[x509.OCSPNonce(b"\x00\x01\x02"), True],
- ]
+ ],
)
def test_create_ocsp_request_with_extension(self, ext, critical):
cert, issuer = _cert_and_issuer()
builder = ocsp.OCSPRequestBuilder()
builder = builder.add_certificate(
cert, issuer, hashes.SHA1()
- ).add_extension(
- ext, critical
- )
+ ).add_extension(ext, critical)
req = builder.build()
assert len(req.extensions) == 1
assert req.extensions[0].value == ext
@@ -217,13 +218,25 @@
time = datetime.datetime.now()
builder = ocsp.OCSPResponseBuilder()
builder = builder.add_response(
- cert, issuer, hashes.SHA256(), ocsp.OCSPCertStatus.GOOD, time,
- time, None, None
+ cert,
+ issuer,
+ hashes.SHA256(),
+ ocsp.OCSPCertStatus.GOOD,
+ time,
+ time,
+ None,
+ None,
)
with pytest.raises(ValueError):
builder.add_response(
- cert, issuer, hashes.SHA256(), ocsp.OCSPCertStatus.GOOD, time,
- time, None, None
+ cert,
+ issuer,
+ hashes.SHA256(),
+ ocsp.OCSPCertStatus.GOOD,
+ time,
+ time,
+ None,
+ None,
)
def test_invalid_add_response(self):
@@ -233,28 +246,58 @@
builder = ocsp.OCSPResponseBuilder()
with pytest.raises(TypeError):
builder.add_response(
- 'bad', issuer, hashes.SHA256(), ocsp.OCSPCertStatus.GOOD,
- time, time, None, None
+ "bad",
+ issuer,
+ hashes.SHA256(),
+ ocsp.OCSPCertStatus.GOOD,
+ time,
+ time,
+ None,
+ None,
)
with pytest.raises(TypeError):
builder.add_response(
- cert, 'bad', hashes.SHA256(), ocsp.OCSPCertStatus.GOOD,
- time, time, None, None
+ cert,
+ "bad",
+ hashes.SHA256(),
+ ocsp.OCSPCertStatus.GOOD,
+ time,
+ time,
+ None,
+ None,
)
with pytest.raises(ValueError):
builder.add_response(
- cert, issuer, 'notahash', ocsp.OCSPCertStatus.GOOD,
- time, time, None, None
+ cert,
+ issuer,
+ "notahash",
+ ocsp.OCSPCertStatus.GOOD,
+ time,
+ time,
+ None,
+ None,
)
with pytest.raises(TypeError):
builder.add_response(
- cert, issuer, hashes.SHA256(), ocsp.OCSPCertStatus.GOOD,
- 'bad', time, None, None
+ cert,
+ issuer,
+ hashes.SHA256(),
+ ocsp.OCSPCertStatus.GOOD,
+ "bad",
+ time,
+ None,
+ None,
)
with pytest.raises(TypeError):
builder.add_response(
- cert, issuer, hashes.SHA256(), ocsp.OCSPCertStatus.GOOD,
- time, 'bad', None, None
+ cert,
+ issuer,
+ hashes.SHA256(),
+ ocsp.OCSPCertStatus.GOOD,
+ time,
+ "bad",
+ None,
+ None,
)
with pytest.raises(TypeError):
@@ -263,28 +306,58 @@
)
with pytest.raises(ValueError):
builder.add_response(
- cert, issuer, hashes.SHA256(), ocsp.OCSPCertStatus.GOOD,
- time, time, time, None
+ cert,
+ issuer,
+ hashes.SHA256(),
+ ocsp.OCSPCertStatus.GOOD,
+ time,
+ time,
+ time,
+ None,
)
with pytest.raises(ValueError):
builder.add_response(
- cert, issuer, hashes.SHA256(), ocsp.OCSPCertStatus.GOOD,
- time, time, None, reason
+ cert,
+ issuer,
+ hashes.SHA256(),
+ ocsp.OCSPCertStatus.GOOD,
+ time,
+ time,
+ None,
+ reason,
)
with pytest.raises(TypeError):
builder.add_response(
- cert, issuer, hashes.SHA256(), ocsp.OCSPCertStatus.REVOKED,
- time, time, None, reason
+ cert,
+ issuer,
+ hashes.SHA256(),
+ ocsp.OCSPCertStatus.REVOKED,
+ time,
+ time,
+ None,
+ reason,
)
with pytest.raises(TypeError):
builder.add_response(
- cert, issuer, hashes.SHA256(), ocsp.OCSPCertStatus.REVOKED,
- time, time, time, 0
+ cert,
+ issuer,
+ hashes.SHA256(),
+ ocsp.OCSPCertStatus.REVOKED,
+ time,
+ time,
+ time,
+ 0,
)
with pytest.raises(ValueError):
builder.add_response(
- cert, issuer, hashes.SHA256(), ocsp.OCSPCertStatus.REVOKED,
- time, time, time - datetime.timedelta(days=36500), None
+ cert,
+ issuer,
+ hashes.SHA256(),
+ ocsp.OCSPCertStatus.REVOKED,
+ time,
+ time,
+ time - datetime.timedelta(days=36500),
+ None,
)
def test_invalid_certificates(self):
@@ -292,9 +365,9 @@
with pytest.raises(ValueError):
builder.certificates([])
with pytest.raises(TypeError):
- builder.certificates(['notacert'])
+ builder.certificates(["notacert"])
with pytest.raises(TypeError):
- builder.certificates('invalid')
+ builder.certificates("invalid")
_, issuer = _cert_and_issuer()
builder = builder.certificates([issuer])
@@ -305,9 +378,9 @@
builder = ocsp.OCSPResponseBuilder()
cert, _ = _cert_and_issuer()
with pytest.raises(TypeError):
- builder.responder_id(ocsp.OCSPResponderEncoding.HASH, 'invalid')
+ builder.responder_id(ocsp.OCSPResponderEncoding.HASH, "invalid")
with pytest.raises(TypeError):
- builder.responder_id('notanenum', cert)
+ builder.responder_id("notanenum", cert)
builder = builder.responder_id(ocsp.OCSPResponderEncoding.NAME, cert)
with pytest.raises(ValueError):
@@ -335,8 +408,14 @@
this_update = current_time - datetime.timedelta(days=1)
next_update = this_update + datetime.timedelta(days=7)
builder = builder.add_response(
- cert, issuer, hashes.SHA1(), ocsp.OCSPCertStatus.GOOD, this_update,
- next_update, None, None
+ cert,
+ issuer,
+ hashes.SHA1(),
+ ocsp.OCSPCertStatus.GOOD,
+ this_update,
+ next_update,
+ None,
+ None,
)
with pytest.raises(ValueError):
builder.sign(private_key, hashes.SHA256())
@@ -351,11 +430,17 @@
builder = builder.responder_id(
ocsp.OCSPResponderEncoding.NAME, root_cert
).add_response(
- cert, issuer, hashes.SHA1(), ocsp.OCSPCertStatus.GOOD, this_update,
- next_update, None, None
+ cert,
+ issuer,
+ hashes.SHA1(),
+ ocsp.OCSPCertStatus.GOOD,
+ this_update,
+ next_update,
+ None,
+ None,
)
with pytest.raises(TypeError):
- builder.sign(private_key, 'notahash')
+ builder.sign(private_key, "notahash")
def test_sign_good_cert(self):
builder = ocsp.OCSPResponseBuilder()
@@ -367,15 +452,23 @@
builder = builder.responder_id(
ocsp.OCSPResponderEncoding.NAME, root_cert
).add_response(
- cert, issuer, hashes.SHA1(), ocsp.OCSPCertStatus.GOOD, this_update,
- next_update, None, None
+ cert,
+ issuer,
+ hashes.SHA1(),
+ ocsp.OCSPCertStatus.GOOD,
+ this_update,
+ next_update,
+ None,
+ None,
)
resp = builder.sign(private_key, hashes.SHA256())
assert resp.responder_name == root_cert.subject
assert resp.responder_key_hash is None
assert (current_time - resp.produced_at).total_seconds() < 10
- assert (resp.signature_algorithm_oid ==
- x509.SignatureAlgorithmOID.ECDSA_WITH_SHA256)
+ assert (
+ resp.signature_algorithm_oid
+ == x509.SignatureAlgorithmOID.ECDSA_WITH_SHA256
+ )
assert resp.certificate_status == ocsp.OCSPCertStatus.GOOD
assert resp.revocation_time is None
assert resp.revocation_reason is None
@@ -396,8 +489,14 @@
builder = builder.responder_id(
ocsp.OCSPResponderEncoding.NAME, root_cert
).add_response(
- cert, issuer, hashes.SHA1(), ocsp.OCSPCertStatus.REVOKED,
- this_update, next_update, revoked_date, None
+ cert,
+ issuer,
+ hashes.SHA1(),
+ ocsp.OCSPCertStatus.REVOKED,
+ this_update,
+ next_update,
+ revoked_date,
+ None,
)
resp = builder.sign(private_key, hashes.SHA256())
assert resp.certificate_status == ocsp.OCSPCertStatus.REVOKED
@@ -416,13 +515,19 @@
current_time = datetime.datetime.utcnow().replace(microsecond=0)
this_update = current_time - datetime.timedelta(days=1)
next_update = this_update + datetime.timedelta(days=7)
- builder = builder.responder_id(
- ocsp.OCSPResponderEncoding.NAME, root_cert
- ).add_response(
- cert, issuer, hashes.SHA1(), ocsp.OCSPCertStatus.GOOD, this_update,
- next_update, None, None
- ).certificates(
- [root_cert]
+ builder = (
+ builder.responder_id(ocsp.OCSPResponderEncoding.NAME, root_cert)
+ .add_response(
+ cert,
+ issuer,
+ hashes.SHA1(),
+ ocsp.OCSPCertStatus.GOOD,
+ this_update,
+ next_update,
+ None,
+ None,
+ )
+ .certificates([root_cert])
)
resp = builder.sign(private_key, hashes.SHA256())
assert resp.certificates == [root_cert]
@@ -437,8 +542,14 @@
builder = builder.responder_id(
ocsp.OCSPResponderEncoding.NAME, root_cert
).add_response(
- cert, issuer, hashes.SHA1(), ocsp.OCSPCertStatus.REVOKED,
- this_update, None, revoked_date, None
+ cert,
+ issuer,
+ hashes.SHA1(),
+ ocsp.OCSPCertStatus.REVOKED,
+ this_update,
+ None,
+ revoked_date,
+ None,
)
resp = builder.sign(private_key, hashes.SHA256())
assert resp.certificate_status == ocsp.OCSPCertStatus.REVOKED
@@ -461,9 +572,14 @@
builder = builder.responder_id(
ocsp.OCSPResponderEncoding.NAME, root_cert
).add_response(
- cert, issuer, hashes.SHA1(), ocsp.OCSPCertStatus.REVOKED,
- this_update, next_update, revoked_date,
- x509.ReasonFlags.key_compromise
+ cert,
+ issuer,
+ hashes.SHA1(),
+ ocsp.OCSPCertStatus.REVOKED,
+ this_update,
+ next_update,
+ revoked_date,
+ x509.ReasonFlags.key_compromise,
)
resp = builder.sign(private_key, hashes.SHA256())
assert resp.certificate_status == ocsp.OCSPCertStatus.REVOKED
@@ -485,13 +601,19 @@
builder = builder.responder_id(
ocsp.OCSPResponderEncoding.HASH, root_cert
).add_response(
- cert, issuer, hashes.SHA1(), ocsp.OCSPCertStatus.GOOD, this_update,
- next_update, None, None
+ cert,
+ issuer,
+ hashes.SHA1(),
+ ocsp.OCSPCertStatus.GOOD,
+ this_update,
+ next_update,
+ None,
+ None,
)
resp = builder.sign(private_key, hashes.SHA256())
assert resp.responder_name is None
assert resp.responder_key_hash == (
- b'\x8ca\x94\xe0\x948\xed\x89\xd8\xd4N\x89p\t\xd6\xf9^_\xec}'
+ b"\x8ca\x94\xe0\x948\xed\x89\xd8\xd4N\x89p\t\xd6\xf9^_\xec}"
)
private_key.public_key().verify(
resp.signature, resp.tbs_response_bytes, ec.ECDSA(hashes.SHA256())
@@ -507,10 +629,17 @@
builder = builder.responder_id(
ocsp.OCSPResponderEncoding.HASH, root_cert
).add_response(
- cert, issuer, hashes.SHA1(), ocsp.OCSPCertStatus.GOOD, this_update,
- next_update, None, None
+ cert,
+ issuer,
+ hashes.SHA1(),
+ ocsp.OCSPCertStatus.GOOD,
+ this_update,
+ next_update,
+ None,
+ None,
)
from cryptography.hazmat.backends.openssl.backend import backend
+
diff_key = ec.generate_private_key(ec.SECP256R1(), backend)
with pytest.raises(ValueError):
builder.sign(diff_key, hashes.SHA256())
@@ -522,13 +651,19 @@
current_time = datetime.datetime.utcnow().replace(microsecond=0)
this_update = current_time - datetime.timedelta(days=1)
next_update = this_update + datetime.timedelta(days=7)
- builder = builder.responder_id(
- ocsp.OCSPResponderEncoding.HASH, root_cert
- ).add_response(
- cert, issuer, hashes.SHA1(), ocsp.OCSPCertStatus.GOOD, this_update,
- next_update, None, None
- ).add_extension(
- x509.OCSPNonce(b"012345"), False
+ builder = (
+ builder.responder_id(ocsp.OCSPResponderEncoding.HASH, root_cert)
+ .add_response(
+ cert,
+ issuer,
+ hashes.SHA1(),
+ ocsp.OCSPCertStatus.GOOD,
+ this_update,
+ next_update,
+ None,
+ None,
+ )
+ .add_extension(x509.OCSPNonce(b"012345"), False)
)
resp = builder.sign(private_key, hashes.SHA256())
assert len(resp.extensions) == 1
@@ -546,7 +681,7 @@
(ocsp.OCSPResponseStatus.TRY_LATER, b"0\x03\n\x01\x03"),
(ocsp.OCSPResponseStatus.SIG_REQUIRED, b"0\x03\n\x01\x05"),
(ocsp.OCSPResponseStatus.UNAUTHORIZED, b"0\x03\n\x01\x06"),
- ]
+ ],
)
def test_build_non_successful_statuses(self, status, der):
resp = ocsp.OCSPResponseBuilder.build_unsuccessful(status)
@@ -564,6 +699,92 @@
)
+class TestSignedCertificateTimestampsExtension(object):
+ def test_init(self):
+ with pytest.raises(TypeError):
+ x509.SignedCertificateTimestamps([object()])
+
+ def test_repr(self):
+ assert repr(x509.SignedCertificateTimestamps([])) == (
+ "<SignedCertificateTimestamps([])>"
+ )
+
+ @pytest.mark.supported(
+ only_if=lambda backend: (backend._lib.Cryptography_HAS_SCT),
+ skip_message="Requires CT support",
+ )
+ def test_eq(self, backend):
+ sct1 = (
+ _load_data(
+ os.path.join("x509", "ocsp", "resp-sct-extension.der"),
+ ocsp.load_der_ocsp_response,
+ )
+ .single_extensions.get_extension_for_class(
+ x509.SignedCertificateTimestamps
+ )
+ .value
+ )
+ sct2 = (
+ _load_data(
+ os.path.join("x509", "ocsp", "resp-sct-extension.der"),
+ ocsp.load_der_ocsp_response,
+ )
+ .single_extensions.get_extension_for_class(
+ x509.SignedCertificateTimestamps
+ )
+ .value
+ )
+ assert sct1 == sct2
+
+ @pytest.mark.supported(
+ only_if=lambda backend: (backend._lib.Cryptography_HAS_SCT),
+ skip_message="Requires CT support",
+ )
+ def test_ne(self, backend):
+ sct1 = (
+ _load_data(
+ os.path.join("x509", "ocsp", "resp-sct-extension.der"),
+ ocsp.load_der_ocsp_response,
+ )
+ .single_extensions.get_extension_for_class(
+ x509.SignedCertificateTimestamps
+ )
+ .value
+ )
+ sct2 = x509.SignedCertificateTimestamps([])
+ assert sct1 != sct2
+ assert sct1 != object()
+
+ @pytest.mark.supported(
+ only_if=lambda backend: (backend._lib.Cryptography_HAS_SCT),
+ skip_message="Requires CT support",
+ )
+ def test_hash(self, backend):
+ sct1 = (
+ _load_data(
+ os.path.join("x509", "ocsp", "resp-sct-extension.der"),
+ ocsp.load_der_ocsp_response,
+ )
+ .single_extensions.get_extension_for_class(
+ x509.SignedCertificateTimestamps
+ )
+ .value
+ )
+ sct2 = (
+ _load_data(
+ os.path.join("x509", "ocsp", "resp-sct-extension.der"),
+ ocsp.load_der_ocsp_response,
+ )
+ .single_extensions.get_extension_for_class(
+ x509.SignedCertificateTimestamps
+ )
+ .value
+ )
+ sct3 = x509.SignedCertificateTimestamps([])
+ assert hash(sct1) == hash(sct2)
+ assert hash(sct1) != hash(sct3)
+
+
class TestOCSPResponse(object):
def test_bad_response(self):
with pytest.raises(ValueError):
@@ -575,14 +796,17 @@
ocsp.load_der_ocsp_response,
)
from cryptography.hazmat.backends.openssl.backend import backend
+
issuer = _load_cert(
os.path.join("x509", "letsencryptx3.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert resp.response_status == ocsp.OCSPResponseStatus.SUCCESSFUL
- assert (resp.signature_algorithm_oid ==
- x509.SignatureAlgorithmOID.RSA_WITH_SHA256)
+ assert (
+ resp.signature_algorithm_oid
+ == x509.SignatureAlgorithmOID.RSA_WITH_SHA256
+ )
assert isinstance(resp.signature_hash_algorithm, hashes.SHA256)
assert resp.signature == base64.b64decode(
b"I9KUlyLV/2LbNCVu1BQphxdNlU/jBzXsPYVscPjW5E93pCrSO84GkIWoOJtqsnt"
@@ -603,7 +827,7 @@
resp.signature,
resp.tbs_response_bytes,
PKCS1v15(),
- resp.signature_hash_algorithm
+ resp.signature_hash_algorithm,
)
assert resp.certificates == []
assert resp.responder_key_hash is None
@@ -615,15 +839,22 @@
assert resp.this_update == datetime.datetime(2018, 8, 30, 11, 0)
assert resp.next_update == datetime.datetime(2018, 9, 6, 11, 0)
assert resp.issuer_key_hash == (
- b'\xa8Jjc\x04}\xdd\xba\xe6\xd19\xb7\xa6Ee\xef\xf3\xa8\xec\xa1'
+ b"\xa8Jjc\x04}\xdd\xba\xe6\xd19\xb7\xa6Ee\xef\xf3\xa8\xec\xa1"
)
assert resp.issuer_name_hash == (
- b'~\xe6j\xe7r\x9a\xb3\xfc\xf8\xa2 dl\x16\xa1-`q\x08]'
+ b"~\xe6j\xe7r\x9a\xb3\xfc\xf8\xa2 dl\x16\xa1-`q\x08]"
)
assert isinstance(resp.hash_algorithm, hashes.SHA1)
assert resp.serial_number == 271024907440004808294641238224534273948400
assert len(resp.extensions) == 0
+ def test_load_multi_valued_response(self):
+ with pytest.raises(ValueError):
+ _load_data(
+ os.path.join("x509", "ocsp", "ocsp-army.deps.mil-resp.der"),
+ ocsp.load_der_ocsp_response,
+ )
+
def test_load_unauthorized(self):
resp = _load_data(
os.path.join("x509", "ocsp", "resp-unauthorized.der"),
@@ -705,7 +936,7 @@
)
assert resp.responder_name is None
assert resp.responder_key_hash == (
- b'\x0f\x80a\x1c\x821a\xd5/(\xe7\x8dF8\xb4,\xe1\xc6\xd9\xe2'
+ b"\x0f\x80a\x1c\x821a\xd5/(\xe7\x8dF8\xb4,\xe1\xc6\xd9\xe2"
)
def test_load_revoked_reason(self):
@@ -739,7 +970,7 @@
resp_bytes = load_vectors_from_file(
filename=os.path.join("x509", "ocsp", "resp-revoked.der"),
loader=lambda data: data.read(),
- mode="rb"
+ mode="rb",
)
resp = ocsp.load_der_ocsp_response(resp_bytes)
assert resp.public_bytes(serialization.Encoding.DER) == resp_bytes
@@ -753,3 +984,161 @@
resp.public_bytes("invalid")
with pytest.raises(ValueError):
resp.public_bytes(serialization.Encoding.PEM)
+
+ @pytest.mark.supported(
+ only_if=lambda backend: (backend._lib.Cryptography_HAS_SCT),
+ skip_message="Requires CT support",
+ )
+ def test_single_extensions_sct(self, backend):
+ resp = _load_data(
+ os.path.join("x509", "ocsp", "resp-sct-extension.der"),
+ ocsp.load_der_ocsp_response,
+ )
+ assert len(resp.single_extensions) == 1
+ ext = resp.single_extensions[0]
+ assert ext.oid == x509.ObjectIdentifier("1.3.6.1.4.1.11129.2.4.5")
+ assert len(ext.value) == 4
+ log_ids = [base64.b64encode(sct.log_id) for sct in ext.value]
+ assert log_ids == [
+ b"RJRlLrDuzq/EQAfYqP4owNrmgr7YyzG1P9MzlrW2gag=",
+ b"b1N2rDHwMRnYmQCkURX/dxUcEdkCwQApBo2yCJo32RM=",
+ b"u9nfvB+KcbWTlCOXqpJ7RzhXlQqrUugakJZkNo4e0YU=",
+ b"7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/cs=",
+ ]
+
+ @pytest.mark.supported(
+ only_if=lambda backend: (
+ not backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER
+ ),
+ skip_message="Requires OpenSSL < 1.1.0f",
+ )
+ def test_skips_single_extensions_scts_if_unsupported(self, backend):
+ resp = _load_data(
+ os.path.join("x509", "ocsp", "resp-sct-extension.der"),
+ ocsp.load_der_ocsp_response,
+ )
+ with pytest.raises(x509.ExtensionNotFound):
+ resp.single_extensions.get_extension_for_class(
+ x509.SignedCertificateTimestamps
+ )
+
+ ext = resp.single_extensions.get_extension_for_oid(
+ x509.ExtensionOID.SIGNED_CERTIFICATE_TIMESTAMPS
+ )
+ assert isinstance(ext.value, x509.UnrecognizedExtension)
+
+ def test_single_extensions(self, backend):
+ resp = _load_data(
+ os.path.join("x509", "ocsp", "resp-single-extension-reason.der"),
+ ocsp.load_der_ocsp_response,
+ )
+ assert len(resp.single_extensions) == 1
+ ext = resp.single_extensions[0]
+ assert ext.oid == x509.CRLReason.oid
+ assert ext.value == x509.CRLReason(x509.ReasonFlags.unspecified)
+
+
+class TestOCSPEdDSA(object):
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.ed25519_supported(),
+ skip_message="Requires OpenSSL with Ed25519 support / OCSP",
+ )
+ def test_invalid_algorithm(self, backend):
+ builder = ocsp.OCSPResponseBuilder()
+ cert, issuer = _cert_and_issuer()
+ private_key = ed25519.Ed25519PrivateKey.generate()
+ root_cert, _ = _generate_root(private_key, None)
+ current_time = datetime.datetime.utcnow().replace(microsecond=0)
+ this_update = current_time - datetime.timedelta(days=1)
+ next_update = this_update + datetime.timedelta(days=7)
+ revoked_date = this_update - datetime.timedelta(days=300)
+ builder = builder.responder_id(
+ ocsp.OCSPResponderEncoding.NAME, root_cert
+ ).add_response(
+ cert,
+ issuer,
+ hashes.SHA1(),
+ ocsp.OCSPCertStatus.REVOKED,
+ this_update,
+ next_update,
+ revoked_date,
+ x509.ReasonFlags.key_compromise,
+ )
+ with pytest.raises(ValueError):
+ builder.sign(private_key, hashes.SHA256())
+
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.ed25519_supported(),
+ skip_message="Requires OpenSSL with Ed25519 support / OCSP",
+ )
+ def test_sign_ed25519(self, backend):
+ builder = ocsp.OCSPResponseBuilder()
+ cert, issuer = _cert_and_issuer()
+ private_key = ed25519.Ed25519PrivateKey.generate()
+ root_cert, _ = _generate_root(private_key, None)
+ current_time = datetime.datetime.utcnow().replace(microsecond=0)
+ this_update = current_time - datetime.timedelta(days=1)
+ next_update = this_update + datetime.timedelta(days=7)
+ revoked_date = this_update - datetime.timedelta(days=300)
+ builder = builder.responder_id(
+ ocsp.OCSPResponderEncoding.NAME, root_cert
+ ).add_response(
+ cert,
+ issuer,
+ hashes.SHA1(),
+ ocsp.OCSPCertStatus.REVOKED,
+ this_update,
+ next_update,
+ revoked_date,
+ x509.ReasonFlags.key_compromise,
+ )
+ resp = builder.sign(private_key, None)
+ assert resp.certificate_status == ocsp.OCSPCertStatus.REVOKED
+ assert resp.revocation_time == revoked_date
+ assert resp.revocation_reason is x509.ReasonFlags.key_compromise
+ assert resp.this_update == this_update
+ assert resp.next_update == next_update
+ assert resp.signature_hash_algorithm is None
+ assert (
+ resp.signature_algorithm_oid == x509.SignatureAlgorithmOID.ED25519
+ )
+ private_key.public_key().verify(
+ resp.signature, resp.tbs_response_bytes
+ )
+
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.ed448_supported(),
+ skip_message="Requires OpenSSL with Ed448 support / OCSP",
+ )
+ def test_sign_ed448(self, backend):
+ builder = ocsp.OCSPResponseBuilder()
+ cert, issuer = _cert_and_issuer()
+ private_key = ed448.Ed448PrivateKey.generate()
+ root_cert, _ = _generate_root(private_key, None)
+ current_time = datetime.datetime.utcnow().replace(microsecond=0)
+ this_update = current_time - datetime.timedelta(days=1)
+ next_update = this_update + datetime.timedelta(days=7)
+ revoked_date = this_update - datetime.timedelta(days=300)
+ builder = builder.responder_id(
+ ocsp.OCSPResponderEncoding.NAME, root_cert
+ ).add_response(
+ cert,
+ issuer,
+ hashes.SHA1(),
+ ocsp.OCSPCertStatus.REVOKED,
+ this_update,
+ next_update,
+ revoked_date,
+ x509.ReasonFlags.key_compromise,
+ )
+ resp = builder.sign(private_key, None)
+ assert resp.certificate_status == ocsp.OCSPCertStatus.REVOKED
+ assert resp.revocation_time == revoked_date
+ assert resp.revocation_reason is x509.ReasonFlags.key_compromise
+ assert resp.this_update == this_update
+ assert resp.next_update == next_update
+ assert resp.signature_hash_algorithm is None
+ assert resp.signature_algorithm_oid == x509.SignatureAlgorithmOID.ED448
+ private_key.public_key().verify(
+ resp.signature, resp.tbs_response_bytes
+ )
diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
index c8c863f..146619b 100644
--- a/tests/x509/test_x509.py
+++ b/tests/x509/test_x509.py
@@ -1,3 +1,4 @@
+# -*- coding: utf-8 -*-
# This file is dual licensed under the terms of the Apache License, Version
# 2.0, and the BSD License. See the LICENSE file in the root of this repository
# for complete details.
@@ -5,12 +6,12 @@
from __future__ import absolute_import, division, print_function
import binascii
+import collections
+import copy
import datetime
import ipaddress
import os
-from asn1crypto.x509 import Certificate
-
import pytest
import pytz
@@ -19,25 +20,54 @@
from cryptography import utils, x509
from cryptography.exceptions import UnsupportedAlgorithm
+from cryptography.hazmat._der import (
+ BIT_STRING,
+ CONSTRUCTED,
+ CONTEXT_SPECIFIC,
+ DERReader,
+ GENERALIZED_TIME,
+ INTEGER,
+ OBJECT_IDENTIFIER,
+ PRINTABLE_STRING,
+ SEQUENCE,
+ SET,
+ UTC_TIME,
+)
from cryptography.hazmat.backends.interfaces import (
- DSABackend, EllipticCurveBackend, RSABackend, X509Backend
+ DSABackend,
+ EllipticCurveBackend,
+ RSABackend,
+ X509Backend,
)
from cryptography.hazmat.primitives import hashes, serialization
-from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding, rsa
-from cryptography.hazmat.primitives.asymmetric.utils import (
- decode_dss_signature
+from cryptography.hazmat.primitives.asymmetric import (
+ dh,
+ dsa,
+ ec,
+ ed25519,
+ ed448,
+ padding,
+ rsa,
)
+from cryptography.hazmat.primitives.asymmetric.utils import (
+ decode_dss_signature,
+)
+from cryptography.utils import int_from_bytes
from cryptography.x509.name import _ASN1Type
from cryptography.x509.oid import (
- AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID,
- NameOID, SignatureAlgorithmOID
+ AuthorityInformationAccessOID,
+ ExtendedKeyUsageOID,
+ ExtensionOID,
+ NameOID,
+ SignatureAlgorithmOID,
+ SubjectInformationAccessOID,
)
from ..hazmat.primitives.fixtures_dsa import DSA_KEY_2048
from ..hazmat.primitives.fixtures_ec import EC_KEY_SECP256R1
from ..hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
from ..hazmat.primitives.test_ec import _skip_curve_unsupported
-from ..utils import load_vectors_from_file
+from ..utils import load_nist_vectors, load_vectors_from_file
@utils.register_interface(x509.ExtensionType)
@@ -57,18 +87,64 @@
cert = load_vectors_from_file(
filename=filename,
loader=lambda pemfile: loader(pemfile.read(), backend),
- mode="rb"
+ mode="rb",
)
return cert
+ParsedCertificate = collections.namedtuple(
+ "ParsedCertificate",
+ ["not_before_tag", "not_after_tag", "issuer", "subject"],
+)
+
+
+def _parse_cert(der):
+ # See the Certificate structured, defined in RFC 5280.
+ with DERReader(der).read_single_element(SEQUENCE) as cert:
+ tbs_cert = cert.read_element(SEQUENCE)
+ # Skip outer signature algorithm
+ _ = cert.read_element(SEQUENCE)
+ # Skip signature
+ _ = cert.read_element(BIT_STRING)
+
+ with tbs_cert:
+ # Skip version
+ _ = tbs_cert.read_optional_element(CONTEXT_SPECIFIC | CONSTRUCTED | 0)
+ # Skip serialNumber
+ _ = tbs_cert.read_element(INTEGER)
+ # Skip inner signature algorithm
+ _ = tbs_cert.read_element(SEQUENCE)
+ issuer = tbs_cert.read_element(SEQUENCE)
+ validity = tbs_cert.read_element(SEQUENCE)
+ subject = tbs_cert.read_element(SEQUENCE)
+ # Skip subjectPublicKeyInfo
+ _ = tbs_cert.read_element(SEQUENCE)
+ # Skip issuerUniqueID
+ _ = tbs_cert.read_optional_element(CONTEXT_SPECIFIC | CONSTRUCTED | 1)
+ # Skip subjectUniqueID
+ _ = tbs_cert.read_optional_element(CONTEXT_SPECIFIC | CONSTRUCTED | 2)
+ # Skip extensions
+ _ = tbs_cert.read_optional_element(CONTEXT_SPECIFIC | CONSTRUCTED | 3)
+
+ with validity:
+ not_before_tag, _ = validity.read_any_element()
+ not_after_tag, _ = validity.read_any_element()
+
+ return ParsedCertificate(
+ not_before_tag=not_before_tag,
+ not_after_tag=not_after_tag,
+ issuer=issuer,
+ subject=subject,
+ )
+
+
@pytest.mark.requires_backend_interface(interface=X509Backend)
class TestCertificateRevocationList(object):
def test_load_pem_crl(self, backend):
crl = _load_cert(
os.path.join("x509", "custom", "crl_all_reasons.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
assert isinstance(crl, x509.CertificateRevocationList)
@@ -76,15 +152,15 @@
assert fingerprint == b"3234b0cb4c0cedf6423724b736729dcfc9e441ef"
assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
assert (
- crl.signature_algorithm_oid ==
- SignatureAlgorithmOID.RSA_WITH_SHA256
+ crl.signature_algorithm_oid
+ == SignatureAlgorithmOID.RSA_WITH_SHA256
)
def test_load_der_crl(self, backend):
crl = _load_cert(
os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
x509.load_der_x509_crl,
- backend
+ backend,
)
assert isinstance(crl, x509.CertificateRevocationList)
@@ -106,48 +182,48 @@
"x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
),
x509.load_pem_x509_crl,
- backend
+ backend,
)
with pytest.raises(UnsupportedAlgorithm):
- crl.signature_hash_algorithm()
+ crl.signature_hash_algorithm()
def test_issuer(self, backend):
crl = _load_cert(
os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
x509.load_der_x509_crl,
- backend
+ backend,
)
assert isinstance(crl.issuer, x509.Name)
assert list(crl.issuer) == [
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
x509.NameAttribute(
- x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011'
+ x509.OID_ORGANIZATION_NAME, u"Test Certificates 2011"
),
- x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
+ x509.NameAttribute(x509.OID_COMMON_NAME, u"Good CA"),
]
assert crl.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
- x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
+ x509.NameAttribute(x509.OID_COMMON_NAME, u"Good CA")
]
def test_equality(self, backend):
crl1 = _load_cert(
os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
x509.load_der_x509_crl,
- backend
+ backend,
)
crl2 = _load_cert(
os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
x509.load_der_x509_crl,
- backend
+ backend,
)
crl3 = _load_cert(
os.path.join("x509", "custom", "crl_all_reasons.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
assert crl1 == crl2
@@ -158,7 +234,7 @@
crl = _load_cert(
os.path.join("x509", "custom", "crl_all_reasons.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
assert isinstance(crl.next_update, datetime.datetime)
@@ -171,7 +247,7 @@
crl = _load_cert(
os.path.join("x509", "custom", "crl_all_reasons.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
for r in crl:
@@ -183,9 +259,10 @@
def test_get_revoked_certificate_by_serial_number(self, backend):
crl = _load_cert(
os.path.join(
- "x509", "PKITS_data", "crls", "LongSerialNumberCACRL.crl"),
+ "x509", "PKITS_data", "crls", "LongSerialNumberCACRL.crl"
+ ),
x509.load_der_x509_crl,
- backend
+ backend,
)
serial_number = 725064303890588110203033396814564464046290047507
revoked = crl.get_revoked_certificate_by_serial_number(serial_number)
@@ -201,7 +278,7 @@
revoked = _load_cert(
os.path.join("x509", "custom", "crl_all_reasons.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)[11]
assert revoked.revocation_date == datetime.datetime(2015, 1, 1, 0, 0)
assert revoked.serial_number == 11
@@ -210,7 +287,7 @@
crl = _load_cert(
os.path.join("x509", "custom", "crl_ian_aia_aki.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
crl_number = crl.extensions.get_extension_for_oid(
@@ -228,40 +305,40 @@
assert crl_number.value == x509.CRLNumber(1)
assert crl_number.critical is False
assert aki.value == x509.AuthorityKeyIdentifier(
- key_identifier=(
- b'yu\xbb\x84:\xcb,\xdez\t\xbe1\x1bC\xbc\x1c*MSX'
- ),
+ key_identifier=(b"yu\xbb\x84:\xcb,\xdez\t\xbe1\x1bC\xbc\x1c*MSX"),
authority_cert_issuer=None,
- authority_cert_serial_number=None
+ authority_cert_serial_number=None,
)
- assert aia.value == x509.AuthorityInformationAccess([
- x509.AccessDescription(
- AuthorityInformationAccessOID.CA_ISSUERS,
- x509.DNSName(u"cryptography.io")
- )
- ])
- assert ian.value == x509.IssuerAlternativeName([
- x509.UniformResourceIdentifier(u"https://cryptography.io"),
- ])
+ assert aia.value == x509.AuthorityInformationAccess(
+ [
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.CA_ISSUERS,
+ x509.DNSName(u"cryptography.io"),
+ )
+ ]
+ )
+ assert ian.value == x509.IssuerAlternativeName(
+ [x509.UniformResourceIdentifier(u"https://cryptography.io")]
+ )
def test_delta_crl_indicator(self, backend):
crl = _load_cert(
os.path.join("x509", "custom", "crl_delta_crl_indicator.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
dci = crl.extensions.get_extension_for_oid(
ExtensionOID.DELTA_CRL_INDICATOR
)
assert dci.value == x509.DeltaCRLIndicator(12345678901234567890)
- assert dci.critical is False
+ assert dci.critical is True
def test_signature(self, backend):
crl = _load_cert(
os.path.join("x509", "custom", "crl_all_reasons.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
assert crl.signature == binascii.unhexlify(
@@ -280,31 +357,36 @@
crl = _load_cert(
os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
x509.load_der_x509_crl,
- backend
+ backend,
)
ca_cert = _load_cert(
os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
x509.load_der_x509_certificate,
- backend
+ backend,
)
ca_cert.public_key().verify(
- crl.signature, crl.tbs_certlist_bytes,
- padding.PKCS1v15(), crl.signature_hash_algorithm
+ crl.signature,
+ crl.tbs_certlist_bytes,
+ padding.PKCS1v15(),
+ crl.signature_hash_algorithm,
)
def test_public_bytes_pem(self, backend):
crl = _load_cert(
os.path.join("x509", "custom", "crl_empty.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
# Encode it to PEM and load it back.
- crl = x509.load_pem_x509_crl(crl.public_bytes(
- encoding=serialization.Encoding.PEM,
- ), backend)
+ crl = x509.load_pem_x509_crl(
+ crl.public_bytes(
+ encoding=serialization.Encoding.PEM,
+ ),
+ backend,
+ )
assert len(crl) == 0
assert crl.last_update == datetime.datetime(2015, 12, 20, 23, 44, 47)
@@ -314,13 +396,16 @@
crl = _load_cert(
os.path.join("x509", "custom", "crl_all_reasons.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
# Encode it to DER and load it back.
- crl = x509.load_der_x509_crl(crl.public_bytes(
- encoding=serialization.Encoding.DER,
- ), backend)
+ crl = x509.load_der_x509_crl(
+ crl.public_bytes(
+ encoding=serialization.Encoding.DER,
+ ),
+ backend,
+ )
assert len(crl) == 12
assert crl.last_update == datetime.datetime(2015, 1, 1, 0, 0, 0)
@@ -339,10 +424,11 @@
x509.load_der_x509_crl,
serialization.Encoding.DER,
),
- ]
+ ],
)
- def test_public_bytes_match(self, cert_path, loader_func, encoding,
- backend):
+ def test_public_bytes_match(
+ self, cert_path, loader_func, encoding, backend
+ ):
crl_bytes = load_vectors_from_file(
cert_path, lambda pemfile: pemfile.read(), mode="rb"
)
@@ -354,22 +440,22 @@
crl = _load_cert(
os.path.join("x509", "custom", "crl_empty.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
with pytest.raises(TypeError):
- crl.public_bytes('NotAnEncoding')
+ crl.public_bytes("NotAnEncoding")
def test_verify_bad(self, backend):
crl = _load_cert(
os.path.join("x509", "custom", "invalid_signature.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
crt = _load_cert(
os.path.join("x509", "custom", "invalid_signature.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert not crl.is_signature_valid(crt.public_key())
@@ -378,12 +464,12 @@
crl = _load_cert(
os.path.join("x509", "custom", "valid_signature.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
crt = _load_cert(
os.path.join("x509", "custom", "valid_signature.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert crl.is_signature_valid(crt.public_key())
@@ -392,7 +478,7 @@
crl = _load_cert(
os.path.join("x509", "custom", "valid_signature.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
with pytest.raises(TypeError):
@@ -408,7 +494,7 @@
crl = _load_cert(
os.path.join("x509", "custom", "crl_all_reasons.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
for i, rev in enumerate(crl):
@@ -424,14 +510,20 @@
crl = _load_cert(
os.path.join("x509", "custom", "crl_all_reasons.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
exp_issuer = [
- x509.DirectoryName(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
- x509.NameAttribute(x509.OID_COMMON_NAME, u"cryptography.io"),
- ]))
+ x509.DirectoryName(
+ x509.Name(
+ [
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
+ x509.NameAttribute(
+ x509.OID_COMMON_NAME, u"cryptography.io"
+ ),
+ ]
+ )
+ )
]
# First revoked cert doesn't have extensions, test if it is handled
@@ -451,16 +543,17 @@
rev1 = crl[1]
assert isinstance(rev1.extensions, x509.Extensions)
- reason = rev1.extensions.get_extension_for_class(
- x509.CRLReason).value
+ reason = rev1.extensions.get_extension_for_class(x509.CRLReason).value
assert reason == x509.CRLReason(x509.ReasonFlags.unspecified)
issuer = rev1.extensions.get_extension_for_class(
- x509.CertificateIssuer).value
+ x509.CertificateIssuer
+ ).value
assert issuer == x509.CertificateIssuer(exp_issuer)
date = rev1.extensions.get_extension_for_class(
- x509.InvalidityDate).value
+ x509.InvalidityDate
+ ).value
assert date == x509.InvalidityDate(datetime.datetime(2015, 1, 1, 0, 0))
# Check if all reason flags can be found in the CRL.
@@ -480,7 +573,7 @@
crl = _load_cert(
os.path.join("x509", "custom", "crl_empty.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
assert len(crl) == 0
@@ -488,7 +581,7 @@
crl = _load_cert(
os.path.join("x509", "custom", "crl_dup_entry_ext.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
with pytest.raises(x509.DuplicateExtension):
@@ -500,7 +593,7 @@
"x509", "custom", "crl_md2_unknown_crit_entry_ext.pem"
),
x509.load_pem_x509_crl,
- backend
+ backend,
)
ext = crl[0].extensions.get_extension_for_oid(
@@ -510,11 +603,9 @@
def test_unsupported_reason(self, backend):
crl = _load_cert(
- os.path.join(
- "x509", "custom", "crl_unsupported_reason.pem"
- ),
+ os.path.join("x509", "custom", "crl_unsupported_reason.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
with pytest.raises(ValueError):
@@ -526,7 +617,7 @@
"x509", "custom", "crl_inval_cert_issuer_entry_ext.pem"
),
x509.load_pem_x509_crl,
- backend
+ backend,
)
with pytest.raises(ValueError):
@@ -536,7 +627,7 @@
crl = _load_cert(
os.path.join("x509", "custom", "crl_all_reasons.pem"),
x509.load_pem_x509_crl,
- backend
+ backend,
)
with pytest.raises(IndexError):
@@ -553,21 +644,27 @@
private_key = RSA_KEY_2048.private_key(backend)
last_update = datetime.datetime(2002, 1, 1, 12, 1)
next_update = datetime.datetime(2030, 1, 1, 12, 1)
- builder = x509.CertificateRevocationListBuilder().issuer_name(
- x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA")
- ])
- ).last_update(
- last_update
- ).next_update(
- next_update
+ builder = (
+ x509.CertificateRevocationListBuilder()
+ .issuer_name(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography.io CA"
+ )
+ ]
+ )
+ )
+ .last_update(last_update)
+ .next_update(next_update)
)
for i in [2, 500, 3, 49, 7, 1]:
- revoked_cert = x509.RevokedCertificateBuilder().serial_number(
- i
- ).revocation_date(
- datetime.datetime(2012, 1, 1, 1, 1)
- ).build(backend)
+ revoked_cert = (
+ x509.RevokedCertificateBuilder()
+ .serial_number(i)
+ .revocation_date(datetime.datetime(2012, 1, 1, 1, 1))
+ .build(backend)
+ )
builder = builder.add_revoked_certificate(revoked_cert)
crl = builder.sign(private_key, hashes.SHA256(), backend)
assert crl[0].serial_number == 2
@@ -586,7 +683,7 @@
cert = _load_cert(
os.path.join("x509", "custom", "post2000utctime.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert isinstance(cert, x509.Certificate)
assert cert.serial_number == 11559813051657483483
@@ -597,44 +694,31 @@
cert.signature_algorithm_oid == SignatureAlgorithmOID.RSA_WITH_SHA1
)
+ def test_negative_serial_number(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "custom", "negative_serial.pem"),
+ x509.load_pem_x509_certificate,
+ backend,
+ )
+ assert cert.serial_number == -18008675309
+
def test_alternate_rsa_with_sha1_oid(self, backend):
cert = _load_cert(
os.path.join("x509", "alternate-rsa-sha1-oid.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
assert (
- cert.signature_algorithm_oid ==
- SignatureAlgorithmOID._RSA_WITH_SHA1
+ cert.signature_algorithm_oid
+ == SignatureAlgorithmOID._RSA_WITH_SHA1
)
- def test_cert_serial_number(self, backend):
- cert = _load_cert(
- os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
- x509.load_der_x509_certificate,
- backend
- )
-
- with pytest.warns(utils.CryptographyDeprecationWarning):
- assert cert.serial == 2
- assert cert.serial_number == 2
-
- def test_cert_serial_warning(self, backend):
- cert = _load_cert(
- os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
- x509.load_der_x509_certificate,
- backend
- )
-
- with pytest.warns(utils.CryptographyDeprecationWarning):
- cert.serial
-
def test_load_der_cert(self, backend):
cert = _load_cert(
os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
x509.load_der_x509_certificate,
- backend
+ backend,
)
assert isinstance(cert, x509.Certificate)
assert cert.serial_number == 2
@@ -646,7 +730,7 @@
cert = _load_cert(
os.path.join("x509", "custom", "post2000utctime.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert cert.signature == binascii.unhexlify(
b"8e0f72fcbebe4755abcaf76c8ce0bae17cde4db16291638e1b1ce04a93cdb4c"
@@ -665,7 +749,7 @@
cert = _load_cert(
os.path.join("x509", "custom", "post2000utctime.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert cert.tbs_certificate_bytes == binascii.unhexlify(
b"308202d8a003020102020900a06cb4b955f7f4db300d06092a864886f70d010"
@@ -694,132 +778,126 @@
b"3040530030101ff"
)
cert.public_key().verify(
- cert.signature, cert.tbs_certificate_bytes,
- padding.PKCS1v15(), cert.signature_hash_algorithm
+ cert.signature,
+ cert.tbs_certificate_bytes,
+ padding.PKCS1v15(),
+ cert.signature_hash_algorithm,
)
def test_issuer(self, backend):
cert = _load_cert(
os.path.join(
- "x509", "PKITS_data", "certs",
- "Validpre2000UTCnotBeforeDateTest3EE.crt"
+ "x509",
+ "PKITS_data",
+ "certs",
+ "Validpre2000UTCnotBeforeDateTest3EE.crt",
),
x509.load_der_x509_certificate,
- backend
+ backend,
)
issuer = cert.issuer
assert isinstance(issuer, x509.Name)
assert list(issuer) == [
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(
- NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
+ NameOID.ORGANIZATION_NAME, u"Test Certificates 2011"
),
- x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
+ x509.NameAttribute(NameOID.COMMON_NAME, u"Good CA"),
]
assert issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
- x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
+ x509.NameAttribute(NameOID.COMMON_NAME, u"Good CA")
]
def test_all_issuer_name_types(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom",
- "all_supported_names.pem"
- ),
+ os.path.join("x509", "custom", "all_supported_names.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
issuer = cert.issuer
assert isinstance(issuer, x509.Name)
assert list(issuer) == [
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'CA'),
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Illinois'),
- x509.NameAttribute(NameOID.LOCALITY_NAME, u'Chicago'),
- x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Zero, LLC'),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'One, LLC'),
- x509.NameAttribute(NameOID.COMMON_NAME, u'common name 0'),
- x509.NameAttribute(NameOID.COMMON_NAME, u'common name 1'),
- x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 0'),
- x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 1'),
- x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier0'),
- x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier1'),
- x509.NameAttribute(NameOID.SERIAL_NUMBER, u'123'),
- x509.NameAttribute(NameOID.SERIAL_NUMBER, u'456'),
- x509.NameAttribute(NameOID.TITLE, u'Title 0'),
- x509.NameAttribute(NameOID.TITLE, u'Title 1'),
- x509.NameAttribute(NameOID.SURNAME, u'Surname 0'),
- x509.NameAttribute(NameOID.SURNAME, u'Surname 1'),
- x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 0'),
- x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 1'),
- x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 0'),
- x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 1'),
- x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Last Gen'),
- x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Next Gen'),
- x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc0'),
- x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc1'),
- x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test0@test.local'),
- x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test1@test.local'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"CA"),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Texas"),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Illinois"),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u"Chicago"),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u"Austin"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"Zero, LLC"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"One, LLC"),
+ x509.NameAttribute(NameOID.COMMON_NAME, u"common name 0"),
+ x509.NameAttribute(NameOID.COMMON_NAME, u"common name 1"),
+ x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u"OU 0"),
+ x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u"OU 1"),
+ x509.NameAttribute(NameOID.DN_QUALIFIER, u"dnQualifier0"),
+ x509.NameAttribute(NameOID.DN_QUALIFIER, u"dnQualifier1"),
+ x509.NameAttribute(NameOID.SERIAL_NUMBER, u"123"),
+ x509.NameAttribute(NameOID.SERIAL_NUMBER, u"456"),
+ x509.NameAttribute(NameOID.TITLE, u"Title 0"),
+ x509.NameAttribute(NameOID.TITLE, u"Title 1"),
+ x509.NameAttribute(NameOID.SURNAME, u"Surname 0"),
+ x509.NameAttribute(NameOID.SURNAME, u"Surname 1"),
+ x509.NameAttribute(NameOID.GIVEN_NAME, u"Given Name 0"),
+ x509.NameAttribute(NameOID.GIVEN_NAME, u"Given Name 1"),
+ x509.NameAttribute(NameOID.PSEUDONYM, u"Incognito 0"),
+ x509.NameAttribute(NameOID.PSEUDONYM, u"Incognito 1"),
+ x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u"Last Gen"),
+ x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u"Next Gen"),
+ x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u"dc0"),
+ x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u"dc1"),
+ x509.NameAttribute(NameOID.EMAIL_ADDRESS, u"test0@test.local"),
+ x509.NameAttribute(NameOID.EMAIL_ADDRESS, u"test1@test.local"),
]
def test_subject(self, backend):
cert = _load_cert(
os.path.join(
- "x509", "PKITS_data", "certs",
- "Validpre2000UTCnotBeforeDateTest3EE.crt"
+ "x509",
+ "PKITS_data",
+ "certs",
+ "Validpre2000UTCnotBeforeDateTest3EE.crt",
),
x509.load_der_x509_certificate,
- backend
+ backend,
)
subject = cert.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(
- NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
+ NameOID.ORGANIZATION_NAME, u"Test Certificates 2011"
),
x509.NameAttribute(
NameOID.COMMON_NAME,
- u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
- )
+ u"Valid pre2000 UTC notBefore Date EE Certificate Test3",
+ ),
]
assert subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
x509.NameAttribute(
NameOID.COMMON_NAME,
- u'Valid pre2000 UTC notBefore Date EE Certificate Test3'
+ u"Valid pre2000 UTC notBefore Date EE Certificate Test3",
)
]
def test_unicode_name(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom",
- "utf8_common_name.pem"
- ),
+ os.path.join("x509", "custom", "utf8_common_name.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [
- x509.NameAttribute(
- NameOID.COMMON_NAME,
- u'We heart UTF8!\u2122'
- )
+ x509.NameAttribute(NameOID.COMMON_NAME, u"We heart UTF8!\u2122")
]
assert cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
- x509.NameAttribute(
- NameOID.COMMON_NAME,
- u'We heart UTF8!\u2122'
- )
+ x509.NameAttribute(NameOID.COMMON_NAME, u"We heart UTF8!\u2122")
]
def test_non_ascii_dns_name(self, backend):
cert = _load_cert(
os.path.join("x509", "utf8-dnsname.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
san = cert.extensions.get_extension_for_class(
x509.SubjectAlternativeName
@@ -828,64 +906,65 @@
names = san.get_values_for_type(x509.DNSName)
assert names == [
- u'partner.biztositas.hu', u'biztositas.hu', u'*.biztositas.hu',
- u'biztos\xedt\xe1s.hu', u'*.biztos\xedt\xe1s.hu',
- u'xn--biztosts-fza2j.hu', u'*.xn--biztosts-fza2j.hu'
+ u"partner.biztositas.hu",
+ u"biztositas.hu",
+ u"*.biztositas.hu",
+ u"biztos\xedt\xe1s.hu",
+ u"*.biztos\xedt\xe1s.hu",
+ u"xn--biztosts-fza2j.hu",
+ u"*.xn--biztosts-fza2j.hu",
]
def test_all_subject_name_types(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom",
- "all_supported_names.pem"
- ),
+ os.path.join("x509", "custom", "all_supported_names.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
subject = cert.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'AU'),
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'DE'),
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'),
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'New York'),
- x509.NameAttribute(NameOID.LOCALITY_NAME, u'San Francisco'),
- x509.NameAttribute(NameOID.LOCALITY_NAME, u'Ithaca'),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org Zero, LLC'),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org One, LLC'),
- x509.NameAttribute(NameOID.COMMON_NAME, u'CN 0'),
- x509.NameAttribute(NameOID.COMMON_NAME, u'CN 1'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"AU"),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"DE"),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"California"),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"New York"),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u"Ithaca"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"Org Zero, LLC"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"Org One, LLC"),
+ x509.NameAttribute(NameOID.COMMON_NAME, u"CN 0"),
+ x509.NameAttribute(NameOID.COMMON_NAME, u"CN 1"),
x509.NameAttribute(
- NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 0'
+ NameOID.ORGANIZATIONAL_UNIT_NAME, u"Engineering 0"
),
x509.NameAttribute(
- NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 1'
+ NameOID.ORGANIZATIONAL_UNIT_NAME, u"Engineering 1"
),
- x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified0'),
- x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified1'),
- x509.NameAttribute(NameOID.SERIAL_NUMBER, u'789'),
- x509.NameAttribute(NameOID.SERIAL_NUMBER, u'012'),
- x509.NameAttribute(NameOID.TITLE, u'Title IX'),
- x509.NameAttribute(NameOID.TITLE, u'Title X'),
- x509.NameAttribute(NameOID.SURNAME, u'Last 0'),
- x509.NameAttribute(NameOID.SURNAME, u'Last 1'),
- x509.NameAttribute(NameOID.GIVEN_NAME, u'First 0'),
- x509.NameAttribute(NameOID.GIVEN_NAME, u'First 1'),
- x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 0'),
- x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 1'),
- x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'32X'),
- x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Dreamcast'),
- x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc2'),
- x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc3'),
- x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test2@test.local'),
- x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test3@test.local'),
+ x509.NameAttribute(NameOID.DN_QUALIFIER, u"qualified0"),
+ x509.NameAttribute(NameOID.DN_QUALIFIER, u"qualified1"),
+ x509.NameAttribute(NameOID.SERIAL_NUMBER, u"789"),
+ x509.NameAttribute(NameOID.SERIAL_NUMBER, u"012"),
+ x509.NameAttribute(NameOID.TITLE, u"Title IX"),
+ x509.NameAttribute(NameOID.TITLE, u"Title X"),
+ x509.NameAttribute(NameOID.SURNAME, u"Last 0"),
+ x509.NameAttribute(NameOID.SURNAME, u"Last 1"),
+ x509.NameAttribute(NameOID.GIVEN_NAME, u"First 0"),
+ x509.NameAttribute(NameOID.GIVEN_NAME, u"First 1"),
+ x509.NameAttribute(NameOID.PSEUDONYM, u"Guy Incognito 0"),
+ x509.NameAttribute(NameOID.PSEUDONYM, u"Guy Incognito 1"),
+ x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u"32X"),
+ x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u"Dreamcast"),
+ x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u"dc2"),
+ x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u"dc3"),
+ x509.NameAttribute(NameOID.EMAIL_ADDRESS, u"test2@test.local"),
+ x509.NameAttribute(NameOID.EMAIL_ADDRESS, u"test3@test.local"),
]
def test_load_good_ca_cert(self, backend):
cert = _load_cert(
os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
x509.load_der_x509_certificate,
- backend
+ backend,
)
assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
@@ -900,11 +979,13 @@
def test_utc_pre_2000_not_before_cert(self, backend):
cert = _load_cert(
os.path.join(
- "x509", "PKITS_data", "certs",
- "Validpre2000UTCnotBeforeDateTest3EE.crt"
+ "x509",
+ "PKITS_data",
+ "certs",
+ "Validpre2000UTCnotBeforeDateTest3EE.crt",
),
x509.load_der_x509_certificate,
- backend
+ backend,
)
assert cert.not_valid_before == datetime.datetime(1950, 1, 1, 12, 1)
@@ -912,11 +993,13 @@
def test_pre_2000_utc_not_after_cert(self, backend):
cert = _load_cert(
os.path.join(
- "x509", "PKITS_data", "certs",
- "Invalidpre2000UTCEEnotAfterDateTest7EE.crt"
+ "x509",
+ "PKITS_data",
+ "certs",
+ "Invalidpre2000UTCEEnotAfterDateTest7EE.crt",
),
x509.load_der_x509_certificate,
- backend
+ backend,
)
assert cert.not_valid_after == datetime.datetime(1999, 1, 1, 12, 1)
@@ -925,7 +1008,7 @@
cert = _load_cert(
os.path.join("x509", "custom", "post2000utctime.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert cert.not_valid_before == datetime.datetime(
2014, 11, 26, 21, 41, 20
@@ -937,11 +1020,13 @@
def test_generalized_time_not_before_cert(self, backend):
cert = _load_cert(
os.path.join(
- "x509", "PKITS_data", "certs",
- "ValidGeneralizedTimenotBeforeDateTest4EE.crt"
+ "x509",
+ "PKITS_data",
+ "certs",
+ "ValidGeneralizedTimenotBeforeDateTest4EE.crt",
),
x509.load_der_x509_certificate,
- backend
+ backend,
)
assert cert.not_valid_before == datetime.datetime(2002, 1, 1, 12, 1)
assert cert.not_valid_after == datetime.datetime(2030, 12, 31, 8, 30)
@@ -950,24 +1035,25 @@
def test_generalized_time_not_after_cert(self, backend):
cert = _load_cert(
os.path.join(
- "x509", "PKITS_data", "certs",
- "ValidGeneralizedTimenotAfterDateTest8EE.crt"
+ "x509",
+ "PKITS_data",
+ "certs",
+ "ValidGeneralizedTimenotAfterDateTest8EE.crt",
),
x509.load_der_x509_certificate,
- backend
+ backend,
)
assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
assert cert.not_valid_after == datetime.datetime(2050, 1, 1, 12, 1)
assert cert.version is x509.Version.v3
def test_invalid_version_cert(self, backend):
- cert = _load_cert(
- os.path.join("x509", "custom", "invalid_version.pem"),
- x509.load_pem_x509_certificate,
- backend
- )
with pytest.raises(x509.InvalidVersion) as exc:
- cert.version
+ _load_cert(
+ os.path.join("x509", "custom", "invalid_version.pem"),
+ x509.load_pem_x509_certificate,
+ backend,
+ )
assert exc.value.parsed_version == 7
@@ -975,12 +1061,12 @@
cert = _load_cert(
os.path.join("x509", "custom", "post2000utctime.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
cert2 = _load_cert(
os.path.join("x509", "custom", "post2000utctime.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert cert == cert2
@@ -988,15 +1074,17 @@
cert = _load_cert(
os.path.join("x509", "custom", "post2000utctime.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
cert2 = _load_cert(
os.path.join(
- "x509", "PKITS_data", "certs",
- "ValidGeneralizedTimenotAfterDateTest8EE.crt"
+ "x509",
+ "PKITS_data",
+ "certs",
+ "ValidGeneralizedTimenotAfterDateTest8EE.crt",
),
x509.load_der_x509_certificate,
- backend
+ backend,
)
assert cert != cert2
assert cert != object()
@@ -1005,20 +1093,22 @@
cert1 = _load_cert(
os.path.join("x509", "custom", "post2000utctime.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
cert2 = _load_cert(
os.path.join("x509", "custom", "post2000utctime.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
cert3 = _load_cert(
os.path.join(
- "x509", "PKITS_data", "certs",
- "ValidGeneralizedTimenotAfterDateTest8EE.crt"
+ "x509",
+ "PKITS_data",
+ "certs",
+ "ValidGeneralizedTimenotAfterDateTest8EE.crt",
),
x509.load_der_x509_certificate,
- backend
+ backend,
)
assert hash(cert1) == hash(cert2)
@@ -1028,7 +1118,7 @@
cert = _load_cert(
os.path.join("x509", "v1_cert.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert cert.version is x509.Version.v1
@@ -1044,7 +1134,7 @@
cert = _load_cert(
os.path.join("x509", "verisign_md2_root.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
with pytest.raises(UnsupportedAlgorithm):
cert.signature_hash_algorithm
@@ -1054,13 +1144,16 @@
cert = _load_cert(
os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
x509.load_der_x509_certificate,
- backend
+ backend,
)
# Encode it to PEM and load it back.
- cert = x509.load_pem_x509_certificate(cert.public_bytes(
- encoding=serialization.Encoding.PEM,
- ), backend)
+ cert = x509.load_pem_x509_certificate(
+ cert.public_bytes(
+ encoding=serialization.Encoding.PEM,
+ ),
+ backend,
+ )
# We should recover what we had to start with.
assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
@@ -1077,13 +1170,16 @@
cert = _load_cert(
os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
x509.load_der_x509_certificate,
- backend
+ backend,
)
# Encode it to DER and load it back.
- cert = x509.load_der_x509_certificate(cert.public_bytes(
- encoding=serialization.Encoding.DER,
- ), backend)
+ cert = x509.load_der_x509_certificate(
+ cert.public_bytes(
+ encoding=serialization.Encoding.DER,
+ ),
+ backend,
+ )
# We should recover what we had to start with.
assert cert.not_valid_before == datetime.datetime(2010, 1, 1, 8, 30)
@@ -1099,11 +1195,11 @@
cert = _load_cert(
os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
x509.load_der_x509_certificate,
- backend
+ backend,
)
with pytest.raises(TypeError):
- cert.public_bytes('NotAnEncoding')
+ cert.public_bytes("NotAnEncoding")
@pytest.mark.parametrize(
("cert_path", "loader_func", "encoding"),
@@ -1118,10 +1214,11 @@
x509.load_der_x509_certificate,
serialization.Encoding.DER,
),
- ]
+ ],
)
- def test_public_bytes_match(self, cert_path, loader_func, encoding,
- backend):
+ def test_public_bytes_match(
+ self, cert_path, loader_func, encoding, backend
+ ):
cert_bytes = load_vectors_from_file(
cert_path, lambda pemfile: pemfile.read(), mode="rb"
)
@@ -1131,11 +1228,9 @@
def test_certificate_repr(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "cryptography.io.pem"
- ),
+ os.path.join("x509", "cryptography.io.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert repr(cert) == (
"<Certificate(subject=<Name(OU=GT48742965,OU=See www.rapidssl.com"
@@ -1147,7 +1242,7 @@
cert = _load_cert(
os.path.join("x509", "tls-feature-ocsp-staple.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_class(x509.TLSFeature)
assert ext.critical is False
@@ -1164,39 +1259,99 @@
[
[
os.path.join("x509", "requests", "rsa_sha1.pem"),
- x509.load_pem_x509_csr
+ x509.load_pem_x509_csr,
],
[
os.path.join("x509", "requests", "rsa_sha1.der"),
- x509.load_der_x509_csr
+ x509.load_der_x509_csr,
],
- ]
+ ],
)
def test_load_rsa_certificate_request(self, path, loader_func, backend):
request = _load_cert(path, loader_func, backend)
assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
assert (
- request.signature_algorithm_oid ==
- SignatureAlgorithmOID.RSA_WITH_SHA1
+ request.signature_algorithm_oid
+ == SignatureAlgorithmOID.RSA_WITH_SHA1
)
public_key = request.public_key()
assert isinstance(public_key, rsa.RSAPublicKey)
subject = request.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
- x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
- x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Texas"),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u"Austin"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA"),
+ x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io"),
]
extensions = request.extensions
assert isinstance(extensions, x509.Extensions)
assert list(extensions) == []
+ def test_get_attribute_for_oid_challenge(self, backend):
+ request = _load_cert(
+ os.path.join("x509", "requests", "challenge.pem"),
+ x509.load_pem_x509_csr,
+ backend,
+ )
+ assert (
+ request.get_attribute_for_oid(
+ x509.oid.AttributeOID.CHALLENGE_PASSWORD
+ )
+ == b"challenge me!"
+ )
+
+ def test_get_attribute_for_oid_multiple(self, backend):
+ request = _load_cert(
+ os.path.join("x509", "requests", "challenge-unstructured.pem"),
+ x509.load_pem_x509_csr,
+ backend,
+ )
+ assert (
+ request.get_attribute_for_oid(
+ x509.oid.AttributeOID.CHALLENGE_PASSWORD
+ )
+ == b"beauty"
+ )
+ assert (
+ request.get_attribute_for_oid(
+ x509.oid.AttributeOID.UNSTRUCTURED_NAME
+ )
+ == b"an unstructured field"
+ )
+
+ def test_invalid_attribute_for_oid(self, backend):
+ """
+ This test deliberately triggers a ValueError because to parse
+ CSR attributes we need to do a C cast. If we're wrong about the
+ type that would be Very Bad so this test confirms we properly explode
+ in the presence of the wrong types.
+ """
+ request = _load_cert(
+ os.path.join("x509", "requests", "challenge-invalid.der"),
+ x509.load_der_x509_csr,
+ backend,
+ )
+ with pytest.raises(ValueError):
+ request.get_attribute_for_oid(
+ x509.oid.AttributeOID.CHALLENGE_PASSWORD
+ )
+
+ def test_no_challenge_password(self, backend):
+ request = _load_cert(
+ os.path.join("x509", "requests", "rsa_sha256.pem"),
+ x509.load_pem_x509_csr,
+ backend,
+ )
+ with pytest.raises(x509.AttributeNotFound) as exc:
+ request.get_attribute_for_oid(
+ x509.oid.AttributeOID.CHALLENGE_PASSWORD
+ )
+ assert exc.value.oid == x509.oid.AttributeOID.CHALLENGE_PASSWORD
+
@pytest.mark.parametrize(
- "loader_func",
- [x509.load_pem_x509_csr, x509.load_der_x509_csr]
+ "loader_func", [x509.load_pem_x509_csr, x509.load_der_x509_csr]
)
def test_invalid_certificate_request(self, loader_func, backend):
with pytest.raises(ValueError):
@@ -1206,18 +1361,16 @@
request = _load_cert(
os.path.join("x509", "requests", "rsa_md4.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
with pytest.raises(UnsupportedAlgorithm):
request.signature_hash_algorithm
def test_duplicate_extension(self, backend):
request = _load_cert(
- os.path.join(
- "x509", "requests", "two_basic_constraints.pem"
- ),
+ os.path.join("x509", "requests", "two_basic_constraints.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
with pytest.raises(x509.DuplicateExtension) as exc:
request.extensions
@@ -1230,20 +1383,18 @@
"x509", "requests", "unsupported_extension_critical.pem"
),
x509.load_pem_x509_csr,
- backend
+ backend,
)
ext = request.extensions.get_extension_for_oid(
- x509.ObjectIdentifier('1.2.3.4')
+ x509.ObjectIdentifier("1.2.3.4")
)
assert ext.value.value == b"value"
def test_unsupported_extension(self, backend):
request = _load_cert(
- os.path.join(
- "x509", "requests", "unsupported_extension.pem"
- ),
+ os.path.join("x509", "requests", "unsupported_extension.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
extensions = request.extensions
assert len(extensions) == 1
@@ -1254,11 +1405,9 @@
def test_request_basic_constraints(self, backend):
request = _load_cert(
- os.path.join(
- "x509", "requests", "basic_constraints.pem"
- ),
+ os.path.join("x509", "requests", "basic_constraints.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
extensions = request.extensions
assert isinstance(extensions, x509.Extensions)
@@ -1289,13 +1438,16 @@
request = _load_cert(
os.path.join("x509", "requests", "rsa_sha1.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
# Encode it to PEM and load it back.
- request = x509.load_pem_x509_csr(request.public_bytes(
- encoding=serialization.Encoding.PEM,
- ), backend)
+ request = x509.load_pem_x509_csr(
+ request.public_bytes(
+ encoding=serialization.Encoding.PEM,
+ ),
+ backend,
+ )
# We should recover what we had to start with.
assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
@@ -1304,11 +1456,11 @@
subject = request.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
- x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
- x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Texas"),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u"Austin"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA"),
+ x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io"),
]
def test_public_bytes_der(self, backend):
@@ -1316,13 +1468,16 @@
request = _load_cert(
os.path.join("x509", "requests", "rsa_sha1.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
# Encode it to DER and load it back.
- request = x509.load_der_x509_csr(request.public_bytes(
- encoding=serialization.Encoding.DER,
- ), backend)
+ request = x509.load_der_x509_csr(
+ request.public_bytes(
+ encoding=serialization.Encoding.DER,
+ ),
+ backend,
+ )
# We should recover what we had to start with.
assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
@@ -1331,18 +1486,18 @@
subject = request.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
- x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
- x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Texas"),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u"Austin"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA"),
+ x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io"),
]
def test_signature(self, backend):
request = _load_cert(
os.path.join("x509", "requests", "rsa_sha1.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
assert request.signature == binascii.unhexlify(
b"8364c86ffbbfe0bfc9a21f831256658ca8989741b80576d36f08a934603a43b1"
@@ -1359,7 +1514,7 @@
request = _load_cert(
os.path.join("x509", "requests", "rsa_sha1.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
assert request.tbs_certrequest_bytes == binascii.unhexlify(
b"308201840201003057310b3009060355040613025553310e300c060355040813"
@@ -1380,24 +1535,24 @@
request.signature,
request.tbs_certrequest_bytes,
padding.PKCS1v15(),
- request.signature_hash_algorithm
+ request.signature_hash_algorithm,
)
def test_public_bytes_invalid_encoding(self, backend):
request = _load_cert(
os.path.join("x509", "requests", "rsa_sha1.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
with pytest.raises(TypeError):
- request.public_bytes('NotAnEncoding')
+ request.public_bytes("NotAnEncoding")
def test_signature_invalid(self, backend):
request = _load_cert(
os.path.join("x509", "requests", "invalid_signature.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
assert not request.is_signature_valid
@@ -1405,7 +1560,7 @@
request = _load_cert(
os.path.join("x509", "requests", "rsa_sha256.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
assert request.is_signature_valid
@@ -1422,10 +1577,11 @@
x509.load_der_x509_csr,
serialization.Encoding.DER,
),
- ]
+ ],
)
- def test_public_bytes_match(self, request_path, loader_func, encoding,
- backend):
+ def test_public_bytes_match(
+ self, request_path, loader_func, encoding, backend
+ ):
request_bytes = load_vectors_from_file(
request_path, lambda pemfile: pemfile.read(), mode="rb"
)
@@ -1437,12 +1593,12 @@
request1 = _load_cert(
os.path.join("x509", "requests", "rsa_sha1.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
request2 = _load_cert(
os.path.join("x509", "requests", "rsa_sha1.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
assert request1 == request2
@@ -1451,12 +1607,12 @@
request1 = _load_cert(
os.path.join("x509", "requests", "rsa_sha1.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
request2 = _load_cert(
os.path.join("x509", "requests", "san_rsa_sha1.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
assert request1 != request2
@@ -1466,17 +1622,17 @@
request1 = _load_cert(
os.path.join("x509", "requests", "rsa_sha1.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
request2 = _load_cert(
os.path.join("x509", "requests", "rsa_sha1.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
request3 = _load_cert(
os.path.join("x509", "requests", "san_rsa_sha1.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
assert hash(request1) == hash(request2)
@@ -1489,31 +1645,52 @@
not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
- builder = x509.CertificateBuilder().serial_number(
- 777
- ).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
- x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
- x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
- ])).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
- x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
- x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
- ])).public_key(
- subject_private_key.public_key()
- ).add_extension(
- x509.BasicConstraints(ca=False, path_length=None), True,
- ).add_extension(
- x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
- critical=False,
- ).not_valid_before(
- not_valid_before
- ).not_valid_after(
- not_valid_after
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name(
+ [
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(
+ NameOID.STATE_OR_PROVINCE_NAME, u"Texas"
+ ),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u"Austin"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA"),
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography.io"
+ ),
+ ]
+ )
+ )
+ .subject_name(
+ x509.Name(
+ [
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(
+ NameOID.STATE_OR_PROVINCE_NAME, u"Texas"
+ ),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u"Austin"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA"),
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography.io"
+ ),
+ ]
+ )
+ )
+ .public_key(subject_private_key.public_key())
+ .add_extension(
+ x509.BasicConstraints(ca=False, path_length=None),
+ True,
+ )
+ .add_extension(
+ x509.SubjectAlternativeName(
+ [x509.DNSName(u"cryptography.io")]
+ ),
+ critical=False,
+ )
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
)
cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
@@ -1538,37 +1715,49 @@
subject_private_key = RSA_KEY_2048.private_key(backend)
not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
- name = x509.Name([
- x509.NameAttribute(
- NameOID.STATE_OR_PROVINCE_NAME, u'Texas',
- _ASN1Type.PrintableString),
- x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
- x509.NameAttribute(
- NameOID.COMMON_NAME, u'cryptography.io', _ASN1Type.IA5String),
- ])
- builder = x509.CertificateBuilder().serial_number(
- 777
- ).issuer_name(
- name
- ).subject_name(
- name
- ).public_key(
- subject_private_key.public_key()
- ).not_valid_before(
- not_valid_before
- ).not_valid_after(not_valid_after)
+ name = x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.STATE_OR_PROVINCE_NAME,
+ u"Texas",
+ _ASN1Type.PrintableString,
+ ),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u"Austin"),
+ x509.NameAttribute(
+ NameOID.COMMON_NAME,
+ u"cryptography.io",
+ _ASN1Type.IA5String,
+ ),
+ ]
+ )
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(name)
+ .subject_name(name)
+ .public_key(subject_private_key.public_key())
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
+ )
cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
for dn in (cert.subject, cert.issuer):
- assert dn.get_attributes_for_oid(
- NameOID.STATE_OR_PROVINCE_NAME
- )[0]._type == _ASN1Type.PrintableString
- assert dn.get_attributes_for_oid(
- NameOID.STATE_OR_PROVINCE_NAME
- )[0]._type == _ASN1Type.PrintableString
- assert dn.get_attributes_for_oid(
- NameOID.LOCALITY_NAME
- )[0]._type == _ASN1Type.UTF8String
+ assert (
+ dn.get_attributes_for_oid(NameOID.STATE_OR_PROVINCE_NAME)[
+ 0
+ ]._type
+ == _ASN1Type.PrintableString
+ )
+ assert (
+ dn.get_attributes_for_oid(NameOID.STATE_OR_PROVINCE_NAME)[
+ 0
+ ]._type
+ == _ASN1Type.PrintableString
+ )
+ assert (
+ dn.get_attributes_for_oid(NameOID.LOCALITY_NAME)[0]._type
+ == _ASN1Type.UTF8String
+ )
def test_build_cert_printable_string_country_name(self, backend):
issuer_private_key = RSA_KEY_2048.private_key(backend)
@@ -1577,41 +1766,65 @@
not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
- builder = x509.CertificateBuilder().serial_number(
- 777
- ).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u'US'),
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
- ])).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u'US'),
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
- ])).public_key(
- subject_private_key.public_key()
- ).not_valid_before(
- not_valid_before
- ).not_valid_after(
- not_valid_after
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name(
+ [
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(
+ NameOID.JURISDICTION_COUNTRY_NAME, u"US"
+ ),
+ x509.NameAttribute(
+ NameOID.STATE_OR_PROVINCE_NAME, u"Texas"
+ ),
+ ]
+ )
+ )
+ .subject_name(
+ x509.Name(
+ [
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(
+ NameOID.JURISDICTION_COUNTRY_NAME, u"US"
+ ),
+ x509.NameAttribute(
+ NameOID.STATE_OR_PROVINCE_NAME, u"Texas"
+ ),
+ ]
+ )
+ )
+ .public_key(subject_private_key.public_key())
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
)
cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
- parsed = Certificate.load(
- cert.public_bytes(serialization.Encoding.DER))
+ parsed = _parse_cert(cert.public_bytes(serialization.Encoding.DER))
+ subject = parsed.subject
+ issuer = parsed.issuer
+
+ def read_next_rdn_value_tag(reader):
+ # Assume each RDN has a single attribute.
+ with reader.read_element(SET) as rdn:
+ attribute = rdn.read_element(SEQUENCE)
+
+ with attribute:
+ _ = attribute.read_element(OBJECT_IDENTIFIER)
+ tag, value = attribute.read_any_element()
+ return tag
# Check that each value was encoded as an ASN.1 PRINTABLESTRING.
- assert parsed.subject.chosen[0][0]['value'].chosen.tag == 19
- assert parsed.issuer.chosen[0][0]['value'].chosen.tag == 19
+ assert read_next_rdn_value_tag(subject) == PRINTABLE_STRING
+ assert read_next_rdn_value_tag(issuer) == PRINTABLE_STRING
if (
# This only works correctly in OpenSSL 1.1.0f+ and 1.0.2l+
- backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER or (
- backend._lib.CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER and
- not backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER
- )
+ backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER
):
- assert parsed.subject.chosen[1][0]['value'].chosen.tag == 19
- assert parsed.issuer.chosen[1][0]['value'].chosen.tag == 19
+ assert read_next_rdn_value_tag(subject) == PRINTABLE_STRING
+ assert read_next_rdn_value_tag(issuer) == PRINTABLE_STRING
class TestCertificateBuilder(object):
@@ -1619,20 +1832,19 @@
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_checks_for_unsupported_extensions(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
- builder = x509.CertificateBuilder().subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).public_key(
- private_key.public_key()
- ).serial_number(
- 777
- ).not_valid_before(
- datetime.datetime(1999, 1, 1)
- ).not_valid_after(
- datetime.datetime(2020, 1, 1)
- ).add_extension(
- DummyExtension(), False
+ builder = (
+ x509.CertificateBuilder()
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(private_key.public_key())
+ .serial_number(777)
+ .not_valid_before(datetime.datetime(1999, 1, 1))
+ .not_valid_after(datetime.datetime(2020, 1, 1))
+ .add_extension(DummyExtension(), False)
)
with pytest.raises(NotImplementedError):
@@ -1643,133 +1855,163 @@
def test_encode_nonstandard_aia(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
- aia = x509.AuthorityInformationAccess([
- x509.AccessDescription(
- x509.ObjectIdentifier("2.999.7"),
- x509.UniformResourceIdentifier(u"http://example.com")
- ),
- ])
+ aia = x509.AuthorityInformationAccess(
+ [
+ x509.AccessDescription(
+ x509.ObjectIdentifier("2.999.7"),
+ x509.UniformResourceIdentifier(u"http://example.com"),
+ ),
+ ]
+ )
- builder = x509.CertificateBuilder().subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).public_key(
- private_key.public_key()
- ).serial_number(
- 777
- ).not_valid_before(
- datetime.datetime(1999, 1, 1)
- ).not_valid_after(
- datetime.datetime(2020, 1, 1)
- ).add_extension(
- aia, False
+ builder = (
+ x509.CertificateBuilder()
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(private_key.public_key())
+ .serial_number(777)
+ .not_valid_before(datetime.datetime(1999, 1, 1))
+ .not_valid_after(datetime.datetime(2020, 1, 1))
+ .add_extension(aia, False)
)
builder.sign(private_key, hashes.SHA256(), backend)
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_encode_nonstandard_sia(self, backend):
+ private_key = RSA_KEY_2048.private_key(backend)
+
+ sia = x509.SubjectInformationAccess(
+ [
+ x509.AccessDescription(
+ x509.ObjectIdentifier("2.999.7"),
+ x509.UniformResourceIdentifier(u"http://example.com"),
+ ),
+ ]
+ )
+
+ builder = (
+ x509.CertificateBuilder()
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(private_key.public_key())
+ .serial_number(777)
+ .not_valid_before(datetime.datetime(2015, 1, 1))
+ .not_valid_after(datetime.datetime(2040, 1, 1))
+ .add_extension(sia, False)
+ )
+
+ cert = builder.sign(private_key, hashes.SHA256(), backend)
+ ext = cert.extensions.get_extension_for_oid(
+ ExtensionOID.SUBJECT_INFORMATION_ACCESS
+ )
+ assert ext.value == sia
+
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
def test_subject_dn_asn1_types(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
- name = x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com"),
- x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
- x509.NameAttribute(NameOID.LOCALITY_NAME, u"value"),
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"value"),
- x509.NameAttribute(NameOID.STREET_ADDRESS, u"value"),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"value"),
- x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u"value"),
- x509.NameAttribute(NameOID.SERIAL_NUMBER, u"value"),
- x509.NameAttribute(NameOID.SURNAME, u"value"),
- x509.NameAttribute(NameOID.GIVEN_NAME, u"value"),
- x509.NameAttribute(NameOID.TITLE, u"value"),
- x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u"value"),
- x509.NameAttribute(NameOID.X500_UNIQUE_IDENTIFIER, u"value"),
- x509.NameAttribute(NameOID.DN_QUALIFIER, u"value"),
- x509.NameAttribute(NameOID.PSEUDONYM, u"value"),
- x509.NameAttribute(NameOID.USER_ID, u"value"),
- x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u"value"),
- x509.NameAttribute(NameOID.EMAIL_ADDRESS, u"value"),
- x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u"US"),
- x509.NameAttribute(NameOID.JURISDICTION_LOCALITY_NAME, u"value"),
- x509.NameAttribute(
- NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME, u"value"
- ),
- x509.NameAttribute(NameOID.BUSINESS_CATEGORY, u"value"),
- x509.NameAttribute(NameOID.POSTAL_ADDRESS, u"value"),
- x509.NameAttribute(NameOID.POSTAL_CODE, u"value"),
- ])
- cert = x509.CertificateBuilder().subject_name(
- name
- ).issuer_name(
- name
- ).public_key(
- private_key.public_key()
- ).serial_number(
- 777
- ).not_valid_before(
- datetime.datetime(1999, 1, 1)
- ).not_valid_after(
- datetime.datetime(2020, 1, 1)
- ).sign(private_key, hashes.SHA256(), backend)
+ name = x509.Name(
+ [
+ x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com"),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u"value"),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"value"),
+ x509.NameAttribute(NameOID.STREET_ADDRESS, u"value"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"value"),
+ x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u"value"),
+ x509.NameAttribute(NameOID.SERIAL_NUMBER, u"value"),
+ x509.NameAttribute(NameOID.SURNAME, u"value"),
+ x509.NameAttribute(NameOID.GIVEN_NAME, u"value"),
+ x509.NameAttribute(NameOID.TITLE, u"value"),
+ x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u"value"),
+ x509.NameAttribute(NameOID.X500_UNIQUE_IDENTIFIER, u"value"),
+ x509.NameAttribute(NameOID.DN_QUALIFIER, u"value"),
+ x509.NameAttribute(NameOID.PSEUDONYM, u"value"),
+ x509.NameAttribute(NameOID.USER_ID, u"value"),
+ x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u"value"),
+ x509.NameAttribute(NameOID.EMAIL_ADDRESS, u"value"),
+ x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u"US"),
+ x509.NameAttribute(
+ NameOID.JURISDICTION_LOCALITY_NAME, u"value"
+ ),
+ x509.NameAttribute(
+ NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME, u"value"
+ ),
+ x509.NameAttribute(NameOID.BUSINESS_CATEGORY, u"value"),
+ x509.NameAttribute(NameOID.POSTAL_ADDRESS, u"value"),
+ x509.NameAttribute(NameOID.POSTAL_CODE, u"value"),
+ ]
+ )
+ cert = (
+ x509.CertificateBuilder()
+ .subject_name(name)
+ .issuer_name(name)
+ .public_key(private_key.public_key())
+ .serial_number(777)
+ .not_valid_before(datetime.datetime(1999, 1, 1))
+ .not_valid_after(datetime.datetime(2020, 1, 1))
+ .sign(private_key, hashes.SHA256(), backend)
+ )
for dn in (cert.subject, cert.issuer):
for oid, asn1_type in TestNameAttribute.EXPECTED_TYPES:
- assert dn.get_attributes_for_oid(
- oid
- )[0]._type == asn1_type
+ assert dn.get_attributes_for_oid(oid)[0]._type == asn1_type
@pytest.mark.parametrize(
("not_valid_before", "not_valid_after"),
[
[datetime.datetime(1970, 2, 1), datetime.datetime(9999, 1, 1)],
[datetime.datetime(1970, 2, 1), datetime.datetime(9999, 12, 31)],
- ]
+ ],
)
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_extreme_times(self, not_valid_before, not_valid_after, backend):
private_key = RSA_KEY_2048.private_key(backend)
- builder = x509.CertificateBuilder().subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).public_key(
- private_key.public_key()
- ).serial_number(
- 777
- ).not_valid_before(
- not_valid_before
- ).not_valid_after(
- not_valid_after
+ builder = (
+ x509.CertificateBuilder()
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(private_key.public_key())
+ .serial_number(777)
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
)
cert = builder.sign(private_key, hashes.SHA256(), backend)
assert cert.not_valid_before == not_valid_before
assert cert.not_valid_after == not_valid_after
- parsed = Certificate.load(
- cert.public_bytes(serialization.Encoding.DER)
- )
- not_before = parsed['tbs_certificate']['validity']['not_before']
- not_after = parsed['tbs_certificate']['validity']['not_after']
- assert not_before.chosen.tag == 23 # UTCTime
- assert not_after.chosen.tag == 24 # GeneralizedTime
+ parsed = _parse_cert(cert.public_bytes(serialization.Encoding.DER))
+ assert parsed.not_before_tag == UTC_TIME
+ assert parsed.not_after_tag == GENERALIZED_TIME
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_no_subject_name(self, backend):
subject_private_key = RSA_KEY_2048.private_key(backend)
- builder = x509.CertificateBuilder().serial_number(
- 777
- ).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).public_key(
- subject_private_key.public_key()
- ).not_valid_before(
- datetime.datetime(2002, 1, 1, 12, 1)
- ).not_valid_after(
- datetime.datetime(2030, 12, 31, 8, 30)
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .not_valid_before(datetime.datetime(2002, 1, 1, 12, 1))
+ .not_valid_after(datetime.datetime(2030, 12, 31, 8, 30))
)
with pytest.raises(ValueError):
builder.sign(subject_private_key, hashes.SHA256(), backend)
@@ -1778,16 +2020,15 @@
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_no_issuer_name(self, backend):
subject_private_key = RSA_KEY_2048.private_key(backend)
- builder = x509.CertificateBuilder().serial_number(
- 777
- ).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).public_key(
- subject_private_key.public_key()
- ).not_valid_before(
- datetime.datetime(2002, 1, 1, 12, 1)
- ).not_valid_after(
- datetime.datetime(2030, 12, 31, 8, 30)
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .not_valid_before(datetime.datetime(2002, 1, 1, 12, 1))
+ .not_valid_after(datetime.datetime(2030, 12, 31, 8, 30))
)
with pytest.raises(ValueError):
builder.sign(subject_private_key, hashes.SHA256(), backend)
@@ -1796,16 +2037,17 @@
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_no_public_key(self, backend):
subject_private_key = RSA_KEY_2048.private_key(backend)
- builder = x509.CertificateBuilder().serial_number(
- 777
- ).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).not_valid_before(
- datetime.datetime(2002, 1, 1, 12, 1)
- ).not_valid_after(
- datetime.datetime(2030, 12, 31, 8, 30)
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .not_valid_before(datetime.datetime(2002, 1, 1, 12, 1))
+ .not_valid_after(datetime.datetime(2030, 12, 31, 8, 30))
)
with pytest.raises(ValueError):
builder.sign(subject_private_key, hashes.SHA256(), backend)
@@ -1814,16 +2056,17 @@
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_no_not_valid_before(self, backend):
subject_private_key = RSA_KEY_2048.private_key(backend)
- builder = x509.CertificateBuilder().serial_number(
- 777
- ).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).public_key(
- subject_private_key.public_key()
- ).not_valid_after(
- datetime.datetime(2030, 12, 31, 8, 30)
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .not_valid_after(datetime.datetime(2030, 12, 31, 8, 30))
)
with pytest.raises(ValueError):
builder.sign(subject_private_key, hashes.SHA256(), backend)
@@ -1832,16 +2075,17 @@
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_no_not_valid_after(self, backend):
subject_private_key = RSA_KEY_2048.private_key(backend)
- builder = x509.CertificateBuilder().serial_number(
- 777
- ).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).public_key(
- subject_private_key.public_key()
- ).not_valid_before(
- datetime.datetime(2002, 1, 1, 12, 1)
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .not_valid_before(datetime.datetime(2002, 1, 1, 12, 1))
)
with pytest.raises(ValueError):
builder.sign(subject_private_key, hashes.SHA256(), backend)
@@ -1850,16 +2094,17 @@
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_no_serial_number(self, backend):
subject_private_key = RSA_KEY_2048.private_key(backend)
- builder = x509.CertificateBuilder().issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).public_key(
- subject_private_key.public_key()
- ).not_valid_before(
- datetime.datetime(2002, 1, 1, 12, 1)
- ).not_valid_after(
- datetime.datetime(2030, 12, 31, 8, 30)
+ builder = (
+ x509.CertificateBuilder()
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .not_valid_before(datetime.datetime(2002, 1, 1, 12, 1))
+ .not_valid_after(datetime.datetime(2030, 12, 31, 8, 30))
)
with pytest.raises(ValueError):
builder.sign(subject_private_key, hashes.SHA256(), backend)
@@ -1874,9 +2119,7 @@
builder.issuer_name(object)
def test_issuer_name_may_only_be_set_once(self):
- name = x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])
+ name = x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
builder = x509.CertificateBuilder().issuer_name(name)
with pytest.raises(ValueError):
@@ -1892,9 +2135,7 @@
builder.subject_name(object)
def test_subject_name_may_only_be_set_once(self):
- name = x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])
+ name = x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
builder = x509.CertificateBuilder().subject_name(name)
with pytest.raises(ValueError):
@@ -1903,13 +2144,9 @@
def test_not_valid_before_after_not_valid_after(self):
builder = x509.CertificateBuilder()
- builder = builder.not_valid_after(
- datetime.datetime(2002, 1, 1, 12, 1)
- )
+ builder = builder.not_valid_after(datetime.datetime(2002, 1, 1, 12, 1))
with pytest.raises(ValueError):
- builder.not_valid_before(
- datetime.datetime(2003, 1, 1, 12, 1)
- )
+ builder.not_valid_before(datetime.datetime(2003, 1, 1, 12, 1))
def test_not_valid_after_before_not_valid_before(self):
builder = x509.CertificateBuilder()
@@ -1918,9 +2155,7 @@
datetime.datetime(2002, 1, 1, 12, 1)
)
with pytest.raises(ValueError):
- builder.not_valid_after(
- datetime.datetime(2001, 1, 1, 12, 1)
- )
+ builder.not_valid_after(datetime.datetime(2001, 1, 1, 12, 1))
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
@@ -1957,18 +2192,18 @@
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_minimal_serial_number(self, backend):
subject_private_key = RSA_KEY_2048.private_key(backend)
- builder = x509.CertificateBuilder().serial_number(
- 1
- ).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
- ])).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
- ])).public_key(
- subject_private_key.public_key()
- ).not_valid_before(
- datetime.datetime(2002, 1, 1, 12, 1)
- ).not_valid_after(
- datetime.datetime(2030, 12, 31, 8, 30)
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(1)
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"RU")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"RU")])
+ )
+ .public_key(subject_private_key.public_key())
+ .not_valid_before(datetime.datetime(2002, 1, 1, 12, 1))
+ .not_valid_after(datetime.datetime(2030, 12, 31, 8, 30))
)
cert = builder.sign(subject_private_key, hashes.SHA256(), backend)
assert cert.serial_number == 1
@@ -1977,18 +2212,18 @@
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_biggest_serial_number(self, backend):
subject_private_key = RSA_KEY_2048.private_key(backend)
- builder = x509.CertificateBuilder().serial_number(
- (1 << 159) - 1
- ).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
- ])).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'RU'),
- ])).public_key(
- subject_private_key.public_key()
- ).not_valid_before(
- datetime.datetime(2002, 1, 1, 12, 1)
- ).not_valid_after(
- datetime.datetime(2030, 12, 31, 8, 30)
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number((1 << 159) - 1)
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"RU")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"RU")])
+ )
+ .public_key(subject_private_key.public_key())
+ .not_valid_before(datetime.datetime(2002, 1, 1, 12, 1))
+ .not_valid_after(datetime.datetime(2030, 12, 31, 8, 30))
)
cert = builder.sign(subject_private_key, hashes.SHA256(), backend)
assert cert.serial_number == (1 << 159) - 1
@@ -2012,16 +2247,16 @@
utc_time = datetime.datetime(2012, 1, 17, 6, 43)
private_key = RSA_KEY_2048.private_key(backend)
cert_builder = x509.CertificateBuilder().not_valid_after(time)
- cert_builder = cert_builder.subject_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).issuer_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).serial_number(
- 1
- ).public_key(
- private_key.public_key()
- ).not_valid_before(
- utc_time - datetime.timedelta(days=365)
+ cert_builder = (
+ cert_builder.subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .serial_number(1)
+ .public_key(private_key.public_key())
+ .not_valid_before(utc_time - datetime.timedelta(days=365))
)
cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
@@ -2032,29 +2267,25 @@
def test_earliest_time(self, backend):
time = datetime.datetime(1950, 1, 1)
private_key = RSA_KEY_2048.private_key(backend)
- cert_builder = x509.CertificateBuilder().subject_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).issuer_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).serial_number(
- 1
- ).public_key(
- private_key.public_key()
- ).not_valid_before(
- time
- ).not_valid_after(
- time
+ cert_builder = (
+ x509.CertificateBuilder()
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .serial_number(1)
+ .public_key(private_key.public_key())
+ .not_valid_before(time)
+ .not_valid_after(time)
)
cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
assert cert.not_valid_before == time
assert cert.not_valid_after == time
- parsed = Certificate.load(
- cert.public_bytes(serialization.Encoding.DER)
- )
- not_before = parsed['tbs_certificate']['validity']['not_before']
- not_after = parsed['tbs_certificate']['validity']['not_after']
- assert not_before.chosen.tag == 23 # UTCTime
- assert not_after.chosen.tag == 23 # UTCTime
+ parsed = _parse_cert(cert.public_bytes(serialization.Encoding.DER))
+ assert parsed.not_before_tag == UTC_TIME
+ assert parsed.not_after_tag == UTC_TIME
def test_invalid_not_valid_after(self):
with pytest.raises(TypeError):
@@ -2074,9 +2305,7 @@
)
with pytest.raises(ValueError):
- builder.not_valid_after(
- datetime.datetime.now()
- )
+ builder.not_valid_after(datetime.datetime.now())
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
@@ -2087,16 +2316,16 @@
utc_time = datetime.datetime(2012, 1, 17, 6, 43)
private_key = RSA_KEY_2048.private_key(backend)
cert_builder = x509.CertificateBuilder().not_valid_before(time)
- cert_builder = cert_builder.subject_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).issuer_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).serial_number(
- 1
- ).public_key(
- private_key.public_key()
- ).not_valid_after(
- utc_time + datetime.timedelta(days=366)
+ cert_builder = (
+ cert_builder.subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .serial_number(1)
+ .public_key(private_key.public_key())
+ .not_valid_after(utc_time + datetime.timedelta(days=366))
)
cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
@@ -2120,18 +2349,18 @@
)
with pytest.raises(ValueError):
- builder.not_valid_before(
- datetime.datetime.now()
- )
+ builder.not_valid_before(datetime.datetime.now())
def test_add_extension_checks_for_duplicates(self):
builder = x509.CertificateBuilder().add_extension(
- x509.BasicConstraints(ca=False, path_length=None), True,
+ x509.BasicConstraints(ca=False, path_length=None),
+ True,
)
with pytest.raises(ValueError):
builder.add_extension(
- x509.BasicConstraints(ca=False, path_length=None), True,
+ x509.BasicConstraints(ca=False, path_length=None),
+ True,
)
def test_add_invalid_extension_type(self):
@@ -2142,86 +2371,143 @@
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
- def test_sign_with_unsupported_hash(self, backend):
+ @pytest.mark.parametrize("algorithm", [object(), None])
+ def test_sign_with_unsupported_hash(self, algorithm, backend):
private_key = RSA_KEY_2048.private_key(backend)
builder = x509.CertificateBuilder()
- builder = builder.subject_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).issuer_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).serial_number(
- 1
- ).public_key(
- private_key.public_key()
- ).not_valid_before(
- datetime.datetime(2002, 1, 1, 12, 1)
- ).not_valid_after(
- datetime.datetime(2032, 1, 1, 12, 1)
+ builder = (
+ builder.subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .serial_number(1)
+ .public_key(private_key.public_key())
+ .not_valid_before(datetime.datetime(2002, 1, 1, 12, 1))
+ .not_valid_after(datetime.datetime(2032, 1, 1, 12, 1))
)
with pytest.raises(TypeError):
- builder.sign(private_key, object(), backend)
+ builder.sign(private_key, algorithm, backend)
+
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.ed25519_supported(),
+ skip_message="Requires OpenSSL with Ed25519 support",
+ )
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_sign_with_unsupported_hash_ed25519(self, backend):
+ private_key = ed25519.Ed25519PrivateKey.generate()
+ builder = (
+ x509.CertificateBuilder()
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .serial_number(1)
+ .public_key(private_key.public_key())
+ .not_valid_before(datetime.datetime(2002, 1, 1, 12, 1))
+ .not_valid_after(datetime.datetime(2032, 1, 1, 12, 1))
+ )
+
+ with pytest.raises(ValueError):
+ builder.sign(private_key, hashes.SHA256(), backend)
+
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.ed448_supported(),
+ skip_message="Requires OpenSSL with Ed448 support",
+ )
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_sign_with_unsupported_hash_ed448(self, backend):
+ private_key = ed448.Ed448PrivateKey.generate()
+ builder = (
+ x509.CertificateBuilder()
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .serial_number(1)
+ .public_key(private_key.public_key())
+ .not_valid_before(datetime.datetime(2002, 1, 1, 12, 1))
+ .not_valid_after(datetime.datetime(2032, 1, 1, 12, 1))
+ )
+
+ with pytest.raises(ValueError):
+ builder.sign(private_key, hashes.SHA256(), backend)
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.hash_supported(hashes.MD5()),
+ skip_message="Requires OpenSSL with MD5 support",
+ )
def test_sign_rsa_with_md5(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
builder = x509.CertificateBuilder()
- builder = builder.subject_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).issuer_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).serial_number(
- 1
- ).public_key(
- private_key.public_key()
- ).not_valid_before(
- datetime.datetime(2002, 1, 1, 12, 1)
- ).not_valid_after(
- datetime.datetime(2032, 1, 1, 12, 1)
+ builder = (
+ builder.subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .serial_number(1)
+ .public_key(private_key.public_key())
+ .not_valid_before(datetime.datetime(2002, 1, 1, 12, 1))
+ .not_valid_after(datetime.datetime(2032, 1, 1, 12, 1))
)
cert = builder.sign(private_key, hashes.MD5(), backend)
assert isinstance(cert.signature_hash_algorithm, hashes.MD5)
@pytest.mark.requires_backend_interface(interface=DSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.hash_supported(hashes.MD5()),
+ skip_message="Requires OpenSSL with MD5 support",
+ )
def test_sign_dsa_with_md5(self, backend):
private_key = DSA_KEY_2048.private_key(backend)
builder = x509.CertificateBuilder()
- builder = builder.subject_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).issuer_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).serial_number(
- 1
- ).public_key(
- private_key.public_key()
- ).not_valid_before(
- datetime.datetime(2002, 1, 1, 12, 1)
- ).not_valid_after(
- datetime.datetime(2032, 1, 1, 12, 1)
+ builder = (
+ builder.subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .serial_number(1)
+ .public_key(private_key.public_key())
+ .not_valid_before(datetime.datetime(2002, 1, 1, 12, 1))
+ .not_valid_after(datetime.datetime(2032, 1, 1, 12, 1))
)
with pytest.raises(ValueError):
builder.sign(private_key, hashes.MD5(), backend)
@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.hash_supported(hashes.MD5()),
+ skip_message="Requires OpenSSL with MD5 support",
+ )
def test_sign_ec_with_md5(self, backend):
_skip_curve_unsupported(backend, ec.SECP256R1())
private_key = EC_KEY_SECP256R1.private_key(backend)
builder = x509.CertificateBuilder()
- builder = builder.subject_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).issuer_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).serial_number(
- 1
- ).public_key(
- private_key.public_key()
- ).not_valid_before(
- datetime.datetime(2002, 1, 1, 12, 1)
- ).not_valid_after(
- datetime.datetime(2032, 1, 1, 12, 1)
+ builder = (
+ builder.subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .serial_number(1)
+ .public_key(private_key.public_key())
+ .not_valid_before(datetime.datetime(2002, 1, 1, 12, 1))
+ .not_valid_after(datetime.datetime(2032, 1, 1, 12, 1))
)
with pytest.raises(ValueError):
builder.sign(private_key, hashes.MD5(), backend)
@@ -2235,23 +2521,28 @@
not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
- builder = x509.CertificateBuilder().serial_number(
- 777
- ).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).public_key(
- subject_private_key.public_key()
- ).add_extension(
- x509.BasicConstraints(ca=False, path_length=None), True,
- ).add_extension(
- x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
- critical=False,
- ).not_valid_before(
- not_valid_before
- ).not_valid_after(
- not_valid_after
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .add_extension(
+ x509.BasicConstraints(ca=False, path_length=None),
+ True,
+ )
+ .add_extension(
+ x509.SubjectAlternativeName(
+ [x509.DNSName(u"cryptography.io")]
+ ),
+ critical=False,
+ )
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
)
cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
@@ -2281,23 +2572,28 @@
not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
- builder = x509.CertificateBuilder().serial_number(
- 777
- ).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).public_key(
- subject_private_key.public_key()
- ).add_extension(
- x509.BasicConstraints(ca=False, path_length=None), True,
- ).add_extension(
- x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
- critical=False,
- ).not_valid_before(
- not_valid_before
- ).not_valid_after(
- not_valid_after
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .add_extension(
+ x509.BasicConstraints(ca=False, path_length=None),
+ True,
+ )
+ .add_extension(
+ x509.SubjectAlternativeName(
+ [x509.DNSName(u"cryptography.io")]
+ ),
+ critical=False,
+ )
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
)
cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
@@ -2317,6 +2613,202 @@
x509.DNSName(u"cryptography.io"),
]
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.ed25519_supported(),
+ skip_message="Requires OpenSSL with Ed25519 support",
+ )
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_build_cert_with_ed25519(self, backend):
+ issuer_private_key = ed25519.Ed25519PrivateKey.generate()
+ subject_private_key = ed25519.Ed25519PrivateKey.generate()
+
+ not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
+ not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
+
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .add_extension(
+ x509.BasicConstraints(ca=False, path_length=None),
+ True,
+ )
+ .add_extension(
+ x509.SubjectAlternativeName(
+ [x509.DNSName(u"cryptography.io")]
+ ),
+ critical=False,
+ )
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
+ )
+
+ cert = builder.sign(issuer_private_key, None, backend)
+ issuer_private_key.public_key().verify(
+ cert.signature, cert.tbs_certificate_bytes
+ )
+ assert cert.signature_algorithm_oid == SignatureAlgorithmOID.ED25519
+ assert cert.signature_hash_algorithm is None
+ assert isinstance(cert.public_key(), ed25519.Ed25519PublicKey)
+ assert cert.version is x509.Version.v3
+ assert cert.not_valid_before == not_valid_before
+ assert cert.not_valid_after == not_valid_after
+ basic_constraints = cert.extensions.get_extension_for_oid(
+ ExtensionOID.BASIC_CONSTRAINTS
+ )
+ assert basic_constraints.value.ca is False
+ assert basic_constraints.value.path_length is None
+ subject_alternative_name = cert.extensions.get_extension_for_oid(
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
+ )
+ assert list(subject_alternative_name.value) == [
+ x509.DNSName(u"cryptography.io"),
+ ]
+
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.ed25519_supported(),
+ skip_message="Requires OpenSSL with Ed25519 support",
+ )
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ def test_build_cert_with_public_ed25519_rsa_sig(self, backend):
+ issuer_private_key = RSA_KEY_2048.private_key(backend)
+ subject_private_key = ed25519.Ed25519PrivateKey.generate()
+
+ not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
+ not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
+
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
+ )
+
+ cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
+ issuer_private_key.public_key().verify(
+ cert.signature,
+ cert.tbs_certificate_bytes,
+ padding.PKCS1v15(),
+ cert.signature_hash_algorithm,
+ )
+ assert cert.signature_algorithm_oid == (
+ SignatureAlgorithmOID.RSA_WITH_SHA256
+ )
+ assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
+ assert isinstance(cert.public_key(), ed25519.Ed25519PublicKey)
+
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.ed448_supported(),
+ skip_message="Requires OpenSSL with Ed448 support",
+ )
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_build_cert_with_ed448(self, backend):
+ issuer_private_key = ed448.Ed448PrivateKey.generate()
+ subject_private_key = ed448.Ed448PrivateKey.generate()
+
+ not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
+ not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
+
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .add_extension(
+ x509.BasicConstraints(ca=False, path_length=None),
+ True,
+ )
+ .add_extension(
+ x509.SubjectAlternativeName(
+ [x509.DNSName(u"cryptography.io")]
+ ),
+ critical=False,
+ )
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
+ )
+
+ cert = builder.sign(issuer_private_key, None, backend)
+ issuer_private_key.public_key().verify(
+ cert.signature, cert.tbs_certificate_bytes
+ )
+ assert cert.signature_algorithm_oid == SignatureAlgorithmOID.ED448
+ assert cert.signature_hash_algorithm is None
+ assert isinstance(cert.public_key(), ed448.Ed448PublicKey)
+ assert cert.version is x509.Version.v3
+ assert cert.not_valid_before == not_valid_before
+ assert cert.not_valid_after == not_valid_after
+ basic_constraints = cert.extensions.get_extension_for_oid(
+ ExtensionOID.BASIC_CONSTRAINTS
+ )
+ assert basic_constraints.value.ca is False
+ assert basic_constraints.value.path_length is None
+ subject_alternative_name = cert.extensions.get_extension_for_oid(
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
+ )
+ assert list(subject_alternative_name.value) == [
+ x509.DNSName(u"cryptography.io"),
+ ]
+
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.ed448_supported(),
+ skip_message="Requires OpenSSL with Ed448 support",
+ )
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ def test_build_cert_with_public_ed448_rsa_sig(self, backend):
+ issuer_private_key = RSA_KEY_2048.private_key(backend)
+ subject_private_key = ed448.Ed448PrivateKey.generate()
+
+ not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
+ not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
+
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
+ )
+
+ cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
+ issuer_private_key.public_key().verify(
+ cert.signature,
+ cert.tbs_certificate_bytes,
+ padding.PKCS1v15(),
+ cert.signature_hash_algorithm,
+ )
+ assert cert.signature_algorithm_oid == (
+ SignatureAlgorithmOID.RSA_WITH_SHA256
+ )
+ assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
+ assert isinstance(cert.public_key(), ed448.Ed448PublicKey)
+
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_build_cert_with_rsa_key_too_small(self, backend):
@@ -2326,18 +2818,18 @@
not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
- builder = x509.CertificateBuilder().serial_number(
- 777
- ).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).public_key(
- subject_private_key.public_key()
- ).not_valid_before(
- not_valid_before
- ).not_valid_after(
- not_valid_after
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
)
with pytest.raises(ValueError):
@@ -2352,85 +2844,105 @@
[
# These examples exist to verify compatibility with
# certificates that have utf8 encoded data in the ia5string
- x509.DNSName._init_without_validation(u'a\xedt\xe1s.test'),
+ x509.DNSName._init_without_validation(u"a\xedt\xe1s.test"),
x509.RFC822Name._init_without_validation(
- u'test@a\xedt\xe1s.test'
+ u"test@a\xedt\xe1s.test"
),
x509.UniformResourceIdentifier._init_without_validation(
- u'http://a\xedt\xe1s.test'
+ u"http://a\xedt\xe1s.test"
),
]
),
- x509.CertificatePolicies([
- x509.PolicyInformation(
- x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
- [u"http://other.com/cps"]
- )
- ]),
- x509.CertificatePolicies([
- x509.PolicyInformation(
- x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
- None
- )
- ]),
- x509.CertificatePolicies([
- x509.PolicyInformation(
- x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
- [
- u"http://example.com/cps",
- u"http://other.com/cps",
- x509.UserNotice(
- x509.NoticeReference(u"my org", [1, 2, 3, 4]),
- u"thing"
- )
- ]
- )
- ]),
- x509.CertificatePolicies([
- x509.PolicyInformation(
- x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
- [
- u"http://example.com/cps",
- x509.UserNotice(
- x509.NoticeReference(u"UTF8\u2122'", [1, 2, 3, 4]),
- u"We heart UTF8!\u2122"
- )
- ]
- )
- ]),
- x509.CertificatePolicies([
- x509.PolicyInformation(
- x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
- [x509.UserNotice(None, u"thing")]
- )
- ]),
- x509.CertificatePolicies([
- x509.PolicyInformation(
- x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
- [
- x509.UserNotice(
- x509.NoticeReference(u"my org", [1, 2, 3, 4]),
- None
- )
- ]
- )
- ]),
- x509.IssuerAlternativeName([
- x509.DNSName(u"myissuer"),
- x509.RFC822Name(u"email@domain.com"),
- ]),
- x509.ExtendedKeyUsage([
- ExtendedKeyUsageOID.CLIENT_AUTH,
- ExtendedKeyUsageOID.SERVER_AUTH,
- ExtendedKeyUsageOID.CODE_SIGNING,
- ]),
+ x509.CertificatePolicies(
+ [
+ x509.PolicyInformation(
+ x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
+ [u"http://other.com/cps"],
+ )
+ ]
+ ),
+ x509.CertificatePolicies(
+ [
+ x509.PolicyInformation(
+ x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
+ None,
+ )
+ ]
+ ),
+ x509.CertificatePolicies(
+ [
+ x509.PolicyInformation(
+ x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
+ [
+ u"http://example.com/cps",
+ u"http://other.com/cps",
+ x509.UserNotice(
+ x509.NoticeReference(u"my org", [1, 2, 3, 4]),
+ u"thing",
+ ),
+ ],
+ )
+ ]
+ ),
+ x509.CertificatePolicies(
+ [
+ x509.PolicyInformation(
+ x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
+ [
+ u"http://example.com/cps",
+ x509.UserNotice(
+ x509.NoticeReference(
+ u"UTF8\u2122'", [1, 2, 3, 4]
+ ),
+ u"We heart UTF8!\u2122",
+ ),
+ ],
+ )
+ ]
+ ),
+ x509.CertificatePolicies(
+ [
+ x509.PolicyInformation(
+ x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
+ [x509.UserNotice(None, u"thing")],
+ )
+ ]
+ ),
+ x509.CertificatePolicies(
+ [
+ x509.PolicyInformation(
+ x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
+ [
+ x509.UserNotice(
+ x509.NoticeReference(u"my org", [1, 2, 3, 4]),
+ None,
+ )
+ ],
+ )
+ ]
+ ),
+ x509.IssuerAlternativeName(
+ [
+ x509.DNSName(u"myissuer"),
+ x509.RFC822Name(u"email@domain.com"),
+ ]
+ ),
+ x509.ExtendedKeyUsage(
+ [
+ ExtendedKeyUsageOID.CLIENT_AUTH,
+ ExtendedKeyUsageOID.SERVER_AUTH,
+ ExtendedKeyUsageOID.CODE_SIGNING,
+ ]
+ ),
x509.InhibitAnyPolicy(3),
x509.TLSFeature([x509.TLSFeatureType.status_request]),
x509.TLSFeature([x509.TLSFeatureType.status_request_v2]),
- x509.TLSFeature([
- x509.TLSFeatureType.status_request,
- x509.TLSFeatureType.status_request_v2
- ]),
+ x509.TLSFeature(
+ [
+ x509.TLSFeatureType.status_request,
+ x509.TLSFeatureType.status_request_v2,
+ ]
+ ),
x509.NameConstraints(
permitted_subtrees=[
x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")),
@@ -2445,192 +2957,252 @@
ipaddress.IPv6Network(u"FF:FF:0:0:0:0:0:0/128")
),
],
- excluded_subtrees=[x509.DNSName(u"name.local")]
+ excluded_subtrees=[x509.DNSName(u"name.local")],
),
x509.NameConstraints(
permitted_subtrees=[
x509.IPAddress(ipaddress.IPv4Network(u"0.0.0.0/0")),
],
- excluded_subtrees=None
+ excluded_subtrees=None,
),
x509.NameConstraints(
permitted_subtrees=None,
- excluded_subtrees=[x509.DNSName(u"name.local")]
+ excluded_subtrees=[x509.DNSName(u"name.local")],
),
x509.PolicyConstraints(
- require_explicit_policy=None,
- inhibit_policy_mapping=1
+ require_explicit_policy=None, inhibit_policy_mapping=1
),
x509.PolicyConstraints(
- require_explicit_policy=3,
- inhibit_policy_mapping=1
+ require_explicit_policy=3, inhibit_policy_mapping=1
),
x509.PolicyConstraints(
- require_explicit_policy=0,
- inhibit_policy_mapping=None
+ require_explicit_policy=0, inhibit_policy_mapping=None
),
- x509.CRLDistributionPoints([
- x509.DistributionPoint(
- full_name=None,
- relative_name=x509.RelativeDistinguishedName([
- x509.NameAttribute(
- NameOID.COMMON_NAME,
- u"indirect CRL for indirectCRL CA3"
+ x509.CRLDistributionPoints(
+ [
+ x509.DistributionPoint(
+ full_name=None,
+ relative_name=x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME,
+ u"indirect CRL for indirectCRL CA3",
+ ),
+ ]
),
- ]),
- reasons=None,
- crl_issuer=[x509.DirectoryName(
- x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
- x509.NameAttribute(
- NameOID.ORGANIZATION_NAME,
- u"Test Certificates 2011"
+ reasons=None,
+ crl_issuer=[
+ x509.DirectoryName(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COUNTRY_NAME, u"US"
+ ),
+ x509.NameAttribute(
+ NameOID.ORGANIZATION_NAME,
+ u"Test Certificates 2011",
+ ),
+ x509.NameAttribute(
+ NameOID.ORGANIZATIONAL_UNIT_NAME,
+ u"indirectCRL CA3 cRLIssuer",
+ ),
+ ]
+ )
+ )
+ ],
+ )
+ ]
+ ),
+ x509.CRLDistributionPoints(
+ [
+ x509.DistributionPoint(
+ full_name=[
+ x509.DirectoryName(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COUNTRY_NAME, u"US"
+ ),
+ ]
+ )
+ )
+ ],
+ relative_name=None,
+ reasons=None,
+ crl_issuer=[
+ x509.DirectoryName(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.ORGANIZATION_NAME,
+ u"cryptography Testing",
+ ),
+ ]
+ )
+ )
+ ],
+ )
+ ]
+ ),
+ x509.CRLDistributionPoints(
+ [
+ x509.DistributionPoint(
+ full_name=[
+ x509.UniformResourceIdentifier(
+ u"http://myhost.com/myca.crl"
),
- x509.NameAttribute(
- NameOID.ORGANIZATIONAL_UNIT_NAME,
- u"indirectCRL CA3 cRLIssuer"
+ x509.UniformResourceIdentifier(
+ u"http://backup.myhost.com/myca.crl"
),
- ])
- )],
- )
- ]),
- x509.CRLDistributionPoints([
- x509.DistributionPoint(
- full_name=[x509.DirectoryName(
- x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
- ])
- )],
- relative_name=None,
- reasons=None,
- crl_issuer=[x509.DirectoryName(
- x509.Name([
- x509.NameAttribute(
- NameOID.ORGANIZATION_NAME,
- u"cryptography Testing"
- ),
- ])
- )],
- )
- ]),
- x509.CRLDistributionPoints([
- x509.DistributionPoint(
- full_name=[
- x509.UniformResourceIdentifier(
- u"http://myhost.com/myca.crl"
+ ],
+ relative_name=None,
+ reasons=frozenset(
+ [
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ ]
),
- x509.UniformResourceIdentifier(
- u"http://backup.myhost.com/myca.crl"
- )
- ],
- relative_name=None,
- reasons=frozenset([
- x509.ReasonFlags.key_compromise,
- x509.ReasonFlags.ca_compromise
- ]),
- crl_issuer=[x509.DirectoryName(
- x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
- x509.NameAttribute(
- NameOID.COMMON_NAME, u"cryptography CA"
- ),
- ])
- )],
- )
- ]),
- x509.CRLDistributionPoints([
- x509.DistributionPoint(
- full_name=[x509.UniformResourceIdentifier(
- u"http://domain.com/some.crl"
- )],
- relative_name=None,
- reasons=frozenset([
- x509.ReasonFlags.key_compromise,
- x509.ReasonFlags.ca_compromise,
- x509.ReasonFlags.affiliation_changed,
- x509.ReasonFlags.superseded,
- x509.ReasonFlags.privilege_withdrawn,
- x509.ReasonFlags.cessation_of_operation,
- x509.ReasonFlags.aa_compromise,
- x509.ReasonFlags.certificate_hold,
- ]),
- crl_issuer=None
- )
- ]),
- x509.CRLDistributionPoints([
- x509.DistributionPoint(
- full_name=None,
- relative_name=None,
- reasons=None,
- crl_issuer=[x509.DirectoryName(
- x509.Name([
- x509.NameAttribute(
- NameOID.COMMON_NAME, u"cryptography CA"
- ),
- ])
- )],
- )
- ]),
- x509.CRLDistributionPoints([
- x509.DistributionPoint(
- full_name=[x509.UniformResourceIdentifier(
- u"http://domain.com/some.crl"
- )],
- relative_name=None,
- reasons=frozenset([x509.ReasonFlags.aa_compromise]),
- crl_issuer=None
- )
- ]),
- x509.FreshestCRL([
- x509.DistributionPoint(
- full_name=[x509.UniformResourceIdentifier(
- u"http://domain.com/some.crl"
- )],
- relative_name=None,
- reasons=frozenset([
- x509.ReasonFlags.key_compromise,
- x509.ReasonFlags.ca_compromise,
- x509.ReasonFlags.affiliation_changed,
- x509.ReasonFlags.superseded,
- x509.ReasonFlags.privilege_withdrawn,
- x509.ReasonFlags.cessation_of_operation,
- x509.ReasonFlags.aa_compromise,
- x509.ReasonFlags.certificate_hold,
- ]),
- crl_issuer=None
- )
- ]),
- x509.FreshestCRL([
- x509.DistributionPoint(
- full_name=None,
- relative_name=x509.RelativeDistinguishedName([
- x509.NameAttribute(
- NameOID.COMMON_NAME,
- u"indirect CRL for indirectCRL CA3"
+ crl_issuer=[
+ x509.DirectoryName(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COUNTRY_NAME, u"US"
+ ),
+ x509.NameAttribute(
+ NameOID.COMMON_NAME,
+ u"cryptography CA",
+ ),
+ ]
+ )
+ )
+ ],
+ )
+ ]
+ ),
+ x509.CRLDistributionPoints(
+ [
+ x509.DistributionPoint(
+ full_name=[
+ x509.UniformResourceIdentifier(
+ u"http://domain.com/some.crl"
+ )
+ ],
+ relative_name=None,
+ reasons=frozenset(
+ [
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ x509.ReasonFlags.affiliation_changed,
+ x509.ReasonFlags.superseded,
+ x509.ReasonFlags.privilege_withdrawn,
+ x509.ReasonFlags.cessation_of_operation,
+ x509.ReasonFlags.aa_compromise,
+ x509.ReasonFlags.certificate_hold,
+ ]
),
- ]),
- reasons=None,
- crl_issuer=None,
- )
- ]),
- x509.FreshestCRL([
- x509.DistributionPoint(
- full_name=None,
- relative_name=x509.RelativeDistinguishedName([
- x509.NameAttribute(
- NameOID.COMMON_NAME,
- u"indirect CRL for indirectCRL CA3"
+ crl_issuer=None,
+ )
+ ]
+ ),
+ x509.CRLDistributionPoints(
+ [
+ x509.DistributionPoint(
+ full_name=None,
+ relative_name=None,
+ reasons=None,
+ crl_issuer=[
+ x509.DirectoryName(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME,
+ u"cryptography CA",
+ ),
+ ]
+ )
+ )
+ ],
+ )
+ ]
+ ),
+ x509.CRLDistributionPoints(
+ [
+ x509.DistributionPoint(
+ full_name=[
+ x509.UniformResourceIdentifier(
+ u"http://domain.com/some.crl"
+ )
+ ],
+ relative_name=None,
+ reasons=frozenset([x509.ReasonFlags.aa_compromise]),
+ crl_issuer=None,
+ )
+ ]
+ ),
+ x509.FreshestCRL(
+ [
+ x509.DistributionPoint(
+ full_name=[
+ x509.UniformResourceIdentifier(
+ u"http://domain.com/some.crl"
+ )
+ ],
+ relative_name=None,
+ reasons=frozenset(
+ [
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ x509.ReasonFlags.affiliation_changed,
+ x509.ReasonFlags.superseded,
+ x509.ReasonFlags.privilege_withdrawn,
+ x509.ReasonFlags.cessation_of_operation,
+ x509.ReasonFlags.aa_compromise,
+ x509.ReasonFlags.certificate_hold,
+ ]
),
- x509.NameAttribute(
- NameOID.COUNTRY_NAME,
- u"US"
+ crl_issuer=None,
+ )
+ ]
+ ),
+ x509.FreshestCRL(
+ [
+ x509.DistributionPoint(
+ full_name=None,
+ relative_name=x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME,
+ u"indirect CRL for indirectCRL CA3",
+ ),
+ ]
),
- ]),
- reasons=None,
- crl_issuer=None,
- )
- ]),
- ]
+ reasons=None,
+ crl_issuer=None,
+ )
+ ]
+ ),
+ x509.FreshestCRL(
+ [
+ x509.DistributionPoint(
+ full_name=None,
+ relative_name=x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME,
+ u"indirect CRL for indirectCRL CA3",
+ ),
+ x509.NameAttribute(
+ NameOID.COUNTRY_NAME, u"US"
+ ),
+ ]
+ ),
+ reasons=None,
+ crl_issuer=None,
+ )
+ ]
+ ),
+ ],
)
def test_ext(self, add_ext, backend):
issuer_private_key = RSA_KEY_2048.private_key(backend)
@@ -2639,21 +3211,21 @@
not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
- cert = x509.CertificateBuilder().subject_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).issuer_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).not_valid_before(
- not_valid_before
- ).not_valid_after(
- not_valid_after
- ).public_key(
- subject_private_key.public_key()
- ).serial_number(
- 123
- ).add_extension(
- add_ext, critical=False
- ).sign(issuer_private_key, hashes.SHA256(), backend)
+ cert = (
+ x509.CertificateBuilder()
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
+ .public_key(subject_private_key.public_key())
+ .serial_number(123)
+ .add_extension(add_ext, critical=False)
+ .sign(issuer_private_key, hashes.SHA256(), backend)
+ )
ext = cert.extensions.get_extension_for_class(type(add_ext))
assert ext.critical is False
@@ -2668,32 +3240,34 @@
not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
- cert = x509.CertificateBuilder().subject_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).issuer_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).not_valid_before(
- not_valid_before
- ).not_valid_after(
- not_valid_after
- ).public_key(
- subject_private_key.public_key()
- ).serial_number(
- 123
- ).add_extension(
- x509.KeyUsage(
- digital_signature=True,
- content_commitment=True,
- key_encipherment=False,
- data_encipherment=False,
- key_agreement=False,
- key_cert_sign=True,
- crl_sign=False,
- encipher_only=False,
- decipher_only=False
- ),
- critical=False
- ).sign(issuer_private_key, hashes.SHA256(), backend)
+ cert = (
+ x509.CertificateBuilder()
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
+ .public_key(subject_private_key.public_key())
+ .serial_number(123)
+ .add_extension(
+ x509.KeyUsage(
+ digital_signature=True,
+ content_commitment=True,
+ key_encipherment=False,
+ data_encipherment=False,
+ key_agreement=False,
+ key_cert_sign=True,
+ crl_sign=False,
+ encipher_only=False,
+ decipher_only=False,
+ ),
+ critical=False,
+ )
+ .sign(issuer_private_key, hashes.SHA256(), backend)
+ )
ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
assert ext.critical is False
@@ -2706,7 +3280,7 @@
key_cert_sign=True,
crl_sign=False,
encipher_only=False,
- decipher_only=False
+ decipher_only=False,
)
@pytest.mark.requires_backend_interface(interface=RSABackend)
@@ -2714,14 +3288,18 @@
def test_build_ca_request_with_path_length_none(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
- request = x509.CertificateSigningRequestBuilder().subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.ORGANIZATION_NAME,
- u'PyCA'),
- ])
- ).add_extension(
- x509.BasicConstraints(ca=True, path_length=None), critical=True
- ).sign(private_key, hashes.SHA1(), backend)
+ request = (
+ x509.CertificateSigningRequestBuilder()
+ .subject_name(
+ x509.Name(
+ [x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA")]
+ )
+ )
+ .add_extension(
+ x509.BasicConstraints(ca=True, path_length=None), critical=True
+ )
+ .sign(private_key, hashes.SHA1(), backend)
+ )
loaded_request = x509.load_pem_x509_csr(
request.public_bytes(encoding=serialization.Encoding.PEM), backend
@@ -2734,33 +3312,34 @@
assert basic_constraints.value.path_length is None
@pytest.mark.parametrize(
- "unrecognized", [
+ "unrecognized",
+ [
x509.UnrecognizedExtension(
x509.ObjectIdentifier("1.2.3.4.5"),
b"abcdef",
)
- ]
+ ],
)
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_unrecognized_extension(self, backend, unrecognized):
private_key = RSA_KEY_2048.private_key(backend)
- cert = x509.CertificateBuilder().subject_name(
- x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
- ).issuer_name(
- x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
- ).not_valid_before(
- datetime.datetime(2002, 1, 1, 12, 1)
- ).not_valid_after(
- datetime.datetime(2030, 12, 31, 8, 30)
- ).public_key(
- private_key.public_key()
- ).serial_number(
- 123
- ).add_extension(
- unrecognized, critical=False
- ).sign(private_key, hashes.SHA256(), backend)
+ cert = (
+ x509.CertificateBuilder()
+ .subject_name(
+ x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US")])
+ )
+ .issuer_name(
+ x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US")])
+ )
+ .not_valid_before(datetime.datetime(2002, 1, 1, 12, 1))
+ .not_valid_after(datetime.datetime(2030, 12, 31, 8, 30))
+ .public_key(private_key.public_key())
+ .serial_number(123)
+ .add_extension(unrecognized, critical=False)
+ .sign(private_key, hashes.SHA256(), backend)
+ )
ext = cert.extensions.get_extension_for_oid(unrecognized.oid)
@@ -2777,39 +3356,73 @@
x509.Name([])
)
with pytest.raises(TypeError):
- builder.sign(private_key, 'NotAHash', backend)
+ builder.sign(private_key, "NotAHash", backend)
+
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.ed25519_supported(),
+ skip_message="Requires OpenSSL with Ed25519 support",
+ )
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_request_with_unsupported_hash_ed25519(self, backend):
+ private_key = ed25519.Ed25519PrivateKey.generate()
+ builder = x509.CertificateSigningRequestBuilder().subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+
+ with pytest.raises(ValueError):
+ builder.sign(private_key, hashes.SHA256(), backend)
+
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.ed448_supported(),
+ skip_message="Requires OpenSSL with Ed448 support",
+ )
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_request_with_unsupported_hash_ed448(self, backend):
+ private_key = ed448.Ed448PrivateKey.generate()
+ builder = x509.CertificateSigningRequestBuilder().subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+
+ with pytest.raises(ValueError):
+ builder.sign(private_key, hashes.SHA256(), backend)
@pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.hash_supported(hashes.MD5()),
+ skip_message="Requires OpenSSL with MD5 support",
+ )
def test_sign_rsa_with_md5(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
builder = x509.CertificateSigningRequestBuilder().subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
- ])
+ x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA")])
)
request = builder.sign(private_key, hashes.MD5(), backend)
assert isinstance(request.signature_hash_algorithm, hashes.MD5)
@pytest.mark.requires_backend_interface(interface=DSABackend)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.hash_supported(hashes.MD5()),
+ skip_message="Requires OpenSSL with MD5 support",
+ )
def test_sign_dsa_with_md5(self, backend):
private_key = DSA_KEY_2048.private_key(backend)
builder = x509.CertificateSigningRequestBuilder().subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
- ])
+ x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA")])
)
with pytest.raises(ValueError):
builder.sign(private_key, hashes.MD5(), backend)
@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.hash_supported(hashes.MD5()),
+ skip_message="Requires OpenSSL with MD5 support",
+ )
def test_sign_ec_with_md5(self, backend):
_skip_curve_unsupported(backend, ec.SECP256R1())
private_key = EC_KEY_SECP256R1.private_key(backend)
builder = x509.CertificateSigningRequestBuilder().subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
- ])
+ x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA")])
)
with pytest.raises(ValueError):
builder.sign(private_key, hashes.MD5(), backend)
@@ -2826,13 +3439,18 @@
def test_build_ca_request_with_rsa(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
- request = x509.CertificateSigningRequestBuilder().subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
- ])
- ).add_extension(
- x509.BasicConstraints(ca=True, path_length=2), critical=True
- ).sign(private_key, hashes.SHA1(), backend)
+ request = (
+ x509.CertificateSigningRequestBuilder()
+ .subject_name(
+ x509.Name(
+ [x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA")]
+ )
+ )
+ .add_extension(
+ x509.BasicConstraints(ca=True, path_length=2), critical=True
+ )
+ .sign(private_key, hashes.SHA1(), backend)
+ )
assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
public_key = request.public_key()
@@ -2840,7 +3458,7 @@
subject = request.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA"),
]
basic_constraints = request.extensions.get_extension_for_oid(
ExtensionOID.BASIC_CONSTRAINTS
@@ -2852,14 +3470,22 @@
def test_build_ca_request_with_unicode(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
- request = x509.CertificateSigningRequestBuilder().subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.ORGANIZATION_NAME,
- u'PyCA\U0001f37a'),
- ])
- ).add_extension(
- x509.BasicConstraints(ca=True, path_length=2), critical=True
- ).sign(private_key, hashes.SHA1(), backend)
+ request = (
+ x509.CertificateSigningRequestBuilder()
+ .subject_name(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.ORGANIZATION_NAME, u"PyCA\U0001f37a"
+ ),
+ ]
+ )
+ )
+ .add_extension(
+ x509.BasicConstraints(ca=True, path_length=2), critical=True
+ )
+ .sign(private_key, hashes.SHA1(), backend)
+ )
loaded_request = x509.load_pem_x509_csr(
request.public_bytes(encoding=serialization.Encoding.PEM), backend
@@ -2867,67 +3493,95 @@
subject = loaded_request.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA\U0001f37a"),
]
@pytest.mark.requires_backend_interface(interface=RSABackend)
def test_subject_dn_asn1_types(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
- request = x509.CertificateSigningRequestBuilder().subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com"),
- x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
- x509.NameAttribute(NameOID.LOCALITY_NAME, u"value"),
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"value"),
- x509.NameAttribute(NameOID.STREET_ADDRESS, u"value"),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"value"),
- x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u"value"),
- x509.NameAttribute(NameOID.SERIAL_NUMBER, u"value"),
- x509.NameAttribute(NameOID.SURNAME, u"value"),
- x509.NameAttribute(NameOID.GIVEN_NAME, u"value"),
- x509.NameAttribute(NameOID.TITLE, u"value"),
- x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u"value"),
- x509.NameAttribute(NameOID.X500_UNIQUE_IDENTIFIER, u"value"),
- x509.NameAttribute(NameOID.DN_QUALIFIER, u"value"),
- x509.NameAttribute(NameOID.PSEUDONYM, u"value"),
- x509.NameAttribute(NameOID.USER_ID, u"value"),
- x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u"value"),
- x509.NameAttribute(NameOID.EMAIL_ADDRESS, u"value"),
- x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u"US"),
- x509.NameAttribute(
- NameOID.JURISDICTION_LOCALITY_NAME, u"value"
- ),
- x509.NameAttribute(
- NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME, u"value"
- ),
- x509.NameAttribute(NameOID.BUSINESS_CATEGORY, u"value"),
- x509.NameAttribute(NameOID.POSTAL_ADDRESS, u"value"),
- x509.NameAttribute(NameOID.POSTAL_CODE, u"value"),
- ])
- ).sign(private_key, hashes.SHA256(), backend)
+ request = (
+ x509.CertificateSigningRequestBuilder()
+ .subject_name(
+ x509.Name(
+ [
+ x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com"),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u"value"),
+ x509.NameAttribute(
+ NameOID.STATE_OR_PROVINCE_NAME, u"value"
+ ),
+ x509.NameAttribute(NameOID.STREET_ADDRESS, u"value"),
+ x509.NameAttribute(
+ NameOID.ORGANIZATION_NAME, u"value"
+ ),
+ x509.NameAttribute(
+ NameOID.ORGANIZATIONAL_UNIT_NAME, u"value"
+ ),
+ x509.NameAttribute(NameOID.SERIAL_NUMBER, u"value"),
+ x509.NameAttribute(NameOID.SURNAME, u"value"),
+ x509.NameAttribute(NameOID.GIVEN_NAME, u"value"),
+ x509.NameAttribute(NameOID.TITLE, u"value"),
+ x509.NameAttribute(
+ NameOID.GENERATION_QUALIFIER, u"value"
+ ),
+ x509.NameAttribute(
+ NameOID.X500_UNIQUE_IDENTIFIER, u"value"
+ ),
+ x509.NameAttribute(NameOID.DN_QUALIFIER, u"value"),
+ x509.NameAttribute(NameOID.PSEUDONYM, u"value"),
+ x509.NameAttribute(NameOID.USER_ID, u"value"),
+ x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u"value"),
+ x509.NameAttribute(NameOID.EMAIL_ADDRESS, u"value"),
+ x509.NameAttribute(
+ NameOID.JURISDICTION_COUNTRY_NAME, u"US"
+ ),
+ x509.NameAttribute(
+ NameOID.JURISDICTION_LOCALITY_NAME, u"value"
+ ),
+ x509.NameAttribute(
+ NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME,
+ u"value",
+ ),
+ x509.NameAttribute(
+ NameOID.BUSINESS_CATEGORY, u"value"
+ ),
+ x509.NameAttribute(NameOID.POSTAL_ADDRESS, u"value"),
+ x509.NameAttribute(NameOID.POSTAL_CODE, u"value"),
+ ]
+ )
+ )
+ .sign(private_key, hashes.SHA256(), backend)
+ )
for oid, asn1_type in TestNameAttribute.EXPECTED_TYPES:
- assert request.subject.get_attributes_for_oid(
- oid
- )[0]._type == asn1_type
+ assert (
+ request.subject.get_attributes_for_oid(oid)[0]._type
+ == asn1_type
+ )
@pytest.mark.requires_backend_interface(interface=RSABackend)
def test_build_ca_request_with_multivalue_rdns(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
- subject = x509.Name([
- x509.RelativeDistinguishedName([
- x509.NameAttribute(NameOID.TITLE, u'Test'),
- x509.NameAttribute(NameOID.COMMON_NAME, u'Multivalue'),
- x509.NameAttribute(NameOID.SURNAME, u'RDNs'),
- ]),
- x509.RelativeDistinguishedName([
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA')
- ]),
- ])
+ subject = x509.Name(
+ [
+ x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(NameOID.TITLE, u"Test"),
+ x509.NameAttribute(NameOID.COMMON_NAME, u"Multivalue"),
+ x509.NameAttribute(NameOID.SURNAME, u"RDNs"),
+ ]
+ ),
+ x509.RelativeDistinguishedName(
+ [x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA")]
+ ),
+ ]
+ )
- request = x509.CertificateSigningRequestBuilder().subject_name(
- subject
- ).sign(private_key, hashes.SHA1(), backend)
+ request = (
+ x509.CertificateSigningRequestBuilder()
+ .subject_name(subject)
+ .sign(private_key, hashes.SHA1(), backend)
+ )
loaded_request = x509.load_pem_x509_csr(
request.public_bytes(encoding=serialization.Encoding.PEM), backend
@@ -2939,13 +3593,17 @@
def test_build_nonca_request_with_rsa(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
- request = x509.CertificateSigningRequestBuilder().subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])
- ).add_extension(
- x509.BasicConstraints(ca=False, path_length=None), critical=True,
- ).sign(private_key, hashes.SHA1(), backend)
+ request = (
+ x509.CertificateSigningRequestBuilder()
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .add_extension(
+ x509.BasicConstraints(ca=False, path_length=None),
+ critical=True,
+ )
+ .sign(private_key, hashes.SHA1(), backend)
+ )
assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
public_key = request.public_key()
@@ -2953,7 +3611,7 @@
subject = request.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
]
basic_constraints = request.extensions.get_extension_for_oid(
ExtensionOID.BASIC_CONSTRAINTS
@@ -2966,13 +3624,22 @@
_skip_curve_unsupported(backend, ec.SECP256R1())
private_key = ec.generate_private_key(ec.SECP256R1(), backend)
- request = x509.CertificateSigningRequestBuilder().subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
- ])
- ).add_extension(
- x509.BasicConstraints(ca=True, path_length=2), critical=True
- ).sign(private_key, hashes.SHA1(), backend)
+ request = (
+ x509.CertificateSigningRequestBuilder()
+ .subject_name(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.STATE_OR_PROVINCE_NAME, u"Texas"
+ ),
+ ]
+ )
+ )
+ .add_extension(
+ x509.BasicConstraints(ca=True, path_length=2), critical=True
+ )
+ .sign(private_key, hashes.SHA1(), backend)
+ )
assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
public_key = request.public_key()
@@ -2980,7 +3647,85 @@
subject = request.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Texas"),
+ ]
+ basic_constraints = request.extensions.get_extension_for_oid(
+ ExtensionOID.BASIC_CONSTRAINTS
+ )
+ assert basic_constraints.value.ca is True
+ assert basic_constraints.value.path_length == 2
+
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.ed25519_supported(),
+ skip_message="Requires OpenSSL with Ed25519 support",
+ )
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_build_ca_request_with_ed25519(self, backend):
+ private_key = ed25519.Ed25519PrivateKey.generate()
+
+ request = (
+ x509.CertificateSigningRequestBuilder()
+ .subject_name(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.STATE_OR_PROVINCE_NAME, u"Texas"
+ ),
+ ]
+ )
+ )
+ .add_extension(
+ x509.BasicConstraints(ca=True, path_length=2), critical=True
+ )
+ .sign(private_key, None, backend)
+ )
+
+ assert request.signature_hash_algorithm is None
+ public_key = request.public_key()
+ assert isinstance(public_key, ed25519.Ed25519PublicKey)
+ subject = request.subject
+ assert isinstance(subject, x509.Name)
+ assert list(subject) == [
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Texas"),
+ ]
+ basic_constraints = request.extensions.get_extension_for_oid(
+ ExtensionOID.BASIC_CONSTRAINTS
+ )
+ assert basic_constraints.value.ca is True
+ assert basic_constraints.value.path_length == 2
+
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.ed448_supported(),
+ skip_message="Requires OpenSSL with Ed448 support",
+ )
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_build_ca_request_with_ed448(self, backend):
+ private_key = ed448.Ed448PrivateKey.generate()
+
+ request = (
+ x509.CertificateSigningRequestBuilder()
+ .subject_name(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.STATE_OR_PROVINCE_NAME, u"Texas"
+ ),
+ ]
+ )
+ )
+ .add_extension(
+ x509.BasicConstraints(ca=True, path_length=2), critical=True
+ )
+ .sign(private_key, None, backend)
+ )
+
+ assert request.signature_hash_algorithm is None
+ public_key = request.public_key()
+ assert isinstance(public_key, ed448.Ed448PublicKey)
+ subject = request.subject
+ assert isinstance(subject, x509.Name)
+ assert list(subject) == [
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Texas"),
]
basic_constraints = request.extensions.get_extension_for_oid(
ExtensionOID.BASIC_CONSTRAINTS
@@ -2992,13 +3737,16 @@
def test_build_ca_request_with_dsa(self, backend):
private_key = DSA_KEY_2048.private_key(backend)
- request = x509.CertificateSigningRequestBuilder().subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])
- ).add_extension(
- x509.BasicConstraints(ca=True, path_length=2), critical=True
- ).sign(private_key, hashes.SHA1(), backend)
+ request = (
+ x509.CertificateSigningRequestBuilder()
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .add_extension(
+ x509.BasicConstraints(ca=True, path_length=2), critical=True
+ )
+ .sign(private_key, hashes.SHA1(), backend)
+ )
assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
public_key = request.public_key()
@@ -3006,7 +3754,7 @@
subject = request.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
]
basic_constraints = request.extensions.get_extension_for_oid(
ExtensionOID.BASIC_CONSTRAINTS
@@ -3016,17 +3764,19 @@
def test_add_duplicate_extension(self):
builder = x509.CertificateSigningRequestBuilder().add_extension(
- x509.BasicConstraints(True, 2), critical=True,
+ x509.BasicConstraints(True, 2),
+ critical=True,
)
with pytest.raises(ValueError):
builder.add_extension(
- x509.BasicConstraints(True, 2), critical=True,
+ x509.BasicConstraints(True, 2),
+ critical=True,
)
def test_set_invalid_subject(self):
builder = x509.CertificateSigningRequestBuilder()
with pytest.raises(TypeError):
- builder.subject_name('NotAName')
+ builder.subject_name("NotAName")
def test_add_invalid_extension_type(self):
builder = x509.CertificateSigningRequestBuilder()
@@ -3037,15 +3787,17 @@
def test_add_unsupported_extension(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
builder = x509.CertificateSigningRequestBuilder()
- builder = builder.subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])
- ).add_extension(
- x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
- critical=False,
- ).add_extension(
- DummyExtension(), False
+ builder = (
+ builder.subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .add_extension(
+ x509.SubjectAlternativeName(
+ [x509.DNSName(u"cryptography.io")]
+ ),
+ critical=False,
+ )
+ .add_extension(DummyExtension(), False)
)
with pytest.raises(NotImplementedError):
builder.sign(private_key, hashes.SHA256(), backend)
@@ -3053,24 +3805,26 @@
def test_key_usage(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
builder = x509.CertificateSigningRequestBuilder()
- request = builder.subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])
- ).add_extension(
- x509.KeyUsage(
- digital_signature=True,
- content_commitment=True,
- key_encipherment=False,
- data_encipherment=False,
- key_agreement=False,
- key_cert_sign=True,
- crl_sign=False,
- encipher_only=False,
- decipher_only=False
- ),
- critical=False
- ).sign(private_key, hashes.SHA256(), backend)
+ request = (
+ builder.subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .add_extension(
+ x509.KeyUsage(
+ digital_signature=True,
+ content_commitment=True,
+ key_encipherment=False,
+ data_encipherment=False,
+ key_agreement=False,
+ key_cert_sign=True,
+ crl_sign=False,
+ encipher_only=False,
+ decipher_only=False,
+ ),
+ critical=False,
+ )
+ .sign(private_key, hashes.SHA256(), backend)
+ )
assert len(request.extensions) == 1
ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
assert ext.critical is False
@@ -3083,30 +3837,32 @@
key_cert_sign=True,
crl_sign=False,
encipher_only=False,
- decipher_only=False
+ decipher_only=False,
)
def test_key_usage_key_agreement_bit(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
builder = x509.CertificateSigningRequestBuilder()
- request = builder.subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])
- ).add_extension(
- x509.KeyUsage(
- digital_signature=False,
- content_commitment=False,
- key_encipherment=False,
- data_encipherment=False,
- key_agreement=True,
- key_cert_sign=True,
- crl_sign=False,
- encipher_only=False,
- decipher_only=True
- ),
- critical=False
- ).sign(private_key, hashes.SHA256(), backend)
+ request = (
+ builder.subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .add_extension(
+ x509.KeyUsage(
+ digital_signature=False,
+ content_commitment=False,
+ key_encipherment=False,
+ data_encipherment=False,
+ key_agreement=True,
+ key_cert_sign=True,
+ crl_sign=False,
+ encipher_only=False,
+ decipher_only=True,
+ ),
+ critical=False,
+ )
+ .sign(private_key, hashes.SHA256(), backend)
+ )
assert len(request.extensions) == 1
ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
assert ext.critical is False
@@ -3119,20 +3875,27 @@
key_cert_sign=True,
crl_sign=False,
encipher_only=False,
- decipher_only=True
+ decipher_only=True,
)
def test_add_two_extensions(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
builder = x509.CertificateSigningRequestBuilder()
- request = builder.subject_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).add_extension(
- x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
- critical=False,
- ).add_extension(
- x509.BasicConstraints(ca=True, path_length=2), critical=True
- ).sign(private_key, hashes.SHA1(), backend)
+ request = (
+ builder.subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .add_extension(
+ x509.SubjectAlternativeName(
+ [x509.DNSName(u"cryptography.io")]
+ ),
+ critical=False,
+ )
+ .add_extension(
+ x509.BasicConstraints(ca=True, path_length=2), critical=True
+ )
+ .sign(private_key, hashes.SHA1(), backend)
+ )
assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
public_key = request.public_key()
@@ -3147,58 +3910,129 @@
)
assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
+ @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
+ def test_add_attributes(self, backend):
+ _skip_curve_unsupported(backend, ec.SECP256R1())
+ private_key = ec.generate_private_key(ec.SECP256R1(), backend)
+ challenge_password = b"challenge me!"
+ unstructured_name = b"no structure, for shame"
+ locality = b"this shouldn't even be an X509 attribute"
+
+ request = (
+ x509.CertificateSigningRequestBuilder()
+ .subject_name(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.STATE_OR_PROVINCE_NAME, u"Texas"
+ ),
+ ]
+ )
+ )
+ .add_attribute(
+ x509.oid.AttributeOID.CHALLENGE_PASSWORD, challenge_password
+ )
+ .add_attribute(
+ x509.oid.AttributeOID.UNSTRUCTURED_NAME, unstructured_name
+ )
+ .add_attribute(x509.oid.NameOID.LOCALITY_NAME, locality)
+ .sign(private_key, hashes.SHA256(), backend)
+ )
+
+ assert (
+ request.get_attribute_for_oid(
+ x509.oid.AttributeOID.CHALLENGE_PASSWORD
+ )
+ == challenge_password
+ )
+ assert (
+ request.get_attribute_for_oid(
+ x509.oid.AttributeOID.UNSTRUCTURED_NAME
+ )
+ == unstructured_name
+ )
+ assert (
+ request.get_attribute_for_oid(x509.oid.NameOID.LOCALITY_NAME)
+ == locality
+ )
+
+ def test_add_attribute_bad_types(self, backend):
+ request = x509.CertificateSigningRequestBuilder()
+ with pytest.raises(TypeError):
+ request.add_attribute(b"not an oid", b"val")
+
+ with pytest.raises(TypeError):
+ request.add_attribute(
+ x509.oid.AttributeOID.CHALLENGE_PASSWORD, 383
+ )
+
+ def test_duplicate_attribute(self, backend):
+ request = x509.CertificateSigningRequestBuilder().add_attribute(
+ x509.oid.AttributeOID.CHALLENGE_PASSWORD, b"val"
+ )
+ with pytest.raises(ValueError):
+ request.add_attribute(
+ x509.oid.AttributeOID.CHALLENGE_PASSWORD, b"val2"
+ )
+
def test_set_subject_twice(self):
builder = x509.CertificateSigningRequestBuilder()
builder = builder.subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
)
with pytest.raises(ValueError):
builder.subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
)
def test_subject_alt_names(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
- san = x509.SubjectAlternativeName([
- x509.DNSName(u"example.com"),
- x509.DNSName(u"*.example.com"),
- x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
- x509.DirectoryName(x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
- x509.NameAttribute(
- NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
- )
- ])),
- x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
- x509.IPAddress(ipaddress.ip_address(u"ff::")),
- x509.OtherName(
- type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
- value=b"0\x03\x02\x01\x05"
- ),
- x509.RFC822Name(u"test@example.com"),
- x509.RFC822Name(u"email"),
- x509.RFC822Name(u"email@xn--eml-vla4c.com"),
- x509.UniformResourceIdentifier(
- u"https://xn--80ato2c.cryptography"
- ),
- x509.UniformResourceIdentifier(
- u"gopher://cryptography:70/some/path"
- ),
- ])
+ san = x509.SubjectAlternativeName(
+ [
+ x509.DNSName(u"example.com"),
+ x509.DNSName(u"*.example.com"),
+ x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
+ x509.DirectoryName(
+ x509.Name(
+ [
+ x509.NameAttribute(NameOID.COMMON_NAME, u"PyCA"),
+ x509.NameAttribute(
+ NameOID.ORGANIZATION_NAME,
+ u"We heart UTF8!\u2122",
+ ),
+ ]
+ )
+ ),
+ x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
+ x509.IPAddress(ipaddress.ip_address(u"ff::")),
+ x509.OtherName(
+ type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
+ value=b"0\x03\x02\x01\x05",
+ ),
+ x509.RFC822Name(u"test@example.com"),
+ x509.RFC822Name(u"email"),
+ x509.RFC822Name(u"email@xn--eml-vla4c.com"),
+ x509.UniformResourceIdentifier(
+ u"https://xn--80ato2c.cryptography"
+ ),
+ x509.UniformResourceIdentifier(
+ u"gopher://cryptography:70/some/path"
+ ),
+ ]
+ )
- csr = x509.CertificateSigningRequestBuilder().subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
- ])
- ).add_extension(
- san,
- critical=False,
- ).sign(private_key, hashes.SHA256(), backend)
+ csr = (
+ x509.CertificateSigningRequestBuilder()
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u"SAN")])
+ )
+ .add_extension(
+ san,
+ critical=False,
+ )
+ .sign(private_key, hashes.SHA256(), backend)
+ )
assert len(csr.extensions) == 1
ext = csr.extensions.get_extension_for_oid(
@@ -3211,18 +4045,22 @@
def test_invalid_asn1_othername(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
- builder = x509.CertificateSigningRequestBuilder().subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
- ])
- ).add_extension(
- x509.SubjectAlternativeName([
- x509.OtherName(
- type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
- value=b"\x01\x02\x01\x05"
+ builder = (
+ x509.CertificateSigningRequestBuilder()
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u"SAN")])
+ )
+ .add_extension(
+ x509.SubjectAlternativeName(
+ [
+ x509.OtherName(
+ type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
+ value=b"\x01\x02\x01\x05",
+ ),
+ ]
),
- ]),
- critical=False,
+ critical=False,
+ )
)
with pytest.raises(ValueError):
builder.sign(private_key, hashes.SHA256(), backend)
@@ -3230,13 +4068,15 @@
def test_subject_alt_name_unsupported_general_name(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
- builder = x509.CertificateSigningRequestBuilder().subject_name(
- x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
- ])
- ).add_extension(
- x509.SubjectAlternativeName([FakeGeneralName("")]),
- critical=False,
+ builder = (
+ x509.CertificateSigningRequestBuilder()
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u"SAN")])
+ )
+ .add_extension(
+ x509.SubjectAlternativeName([FakeGeneralName("")]),
+ critical=False,
+ )
)
with pytest.raises(ValueError):
@@ -3244,17 +4084,21 @@
def test_extended_key_usage(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
- eku = x509.ExtendedKeyUsage([
- ExtendedKeyUsageOID.CLIENT_AUTH,
- ExtendedKeyUsageOID.SERVER_AUTH,
- ExtendedKeyUsageOID.CODE_SIGNING,
- ])
+ eku = x509.ExtendedKeyUsage(
+ [
+ ExtendedKeyUsageOID.CLIENT_AUTH,
+ ExtendedKeyUsageOID.SERVER_AUTH,
+ ExtendedKeyUsageOID.CODE_SIGNING,
+ ]
+ )
builder = x509.CertificateSigningRequestBuilder()
- request = builder.subject_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).add_extension(
- eku, critical=False
- ).sign(private_key, hashes.SHA256(), backend)
+ request = (
+ builder.subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .add_extension(eku, critical=False)
+ .sign(private_key, hashes.SHA256(), backend)
+ )
ext = request.extensions.get_extension_for_oid(
ExtensionOID.EXTENDED_KEY_USAGE
@@ -3264,17 +4108,15 @@
@pytest.mark.requires_backend_interface(interface=RSABackend)
def test_rsa_key_too_small(self, backend):
- private_key = rsa.generate_private_key(65537, 512, backend)
+ private_key = RSA_KEY_512.private_key(backend)
builder = x509.CertificateSigningRequestBuilder()
builder = builder.subject_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
)
- with pytest.raises(ValueError) as exc:
+ with pytest.raises(ValueError):
builder.sign(private_key, hashes.SHA512(), backend)
- assert str(exc.value) == "Digest too big for RSA key"
-
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_build_cert_with_aia(self, backend):
@@ -3284,31 +4126,34 @@
not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
- aia = x509.AuthorityInformationAccess([
- x509.AccessDescription(
- AuthorityInformationAccessOID.OCSP,
- x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
- ),
- x509.AccessDescription(
- AuthorityInformationAccessOID.CA_ISSUERS,
- x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
- )
- ])
+ aia = x509.AuthorityInformationAccess(
+ [
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.OCSP,
+ x509.UniformResourceIdentifier(u"http://ocsp.domain.com"),
+ ),
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.CA_ISSUERS,
+ x509.UniformResourceIdentifier(
+ u"http://domain.com/ca.crt"
+ ),
+ ),
+ ]
+ )
- builder = x509.CertificateBuilder().serial_number(
- 777
- ).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).public_key(
- subject_private_key.public_key()
- ).add_extension(
- aia, critical=False
- ).not_valid_before(
- not_valid_before
- ).not_valid_after(
- not_valid_after
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .add_extension(aia, critical=False)
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
)
cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
@@ -3320,6 +4165,46 @@
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_build_cert_with_sia(self, backend):
+ issuer_private_key = RSA_KEY_2048.private_key(backend)
+ subject_private_key = RSA_KEY_2048.private_key(backend)
+
+ not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
+ not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
+
+ sia = x509.SubjectInformationAccess(
+ [
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca.domain.com"),
+ ),
+ ]
+ )
+
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .add_extension(sia, critical=False)
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
+ )
+
+ cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
+
+ ext = cert.extensions.get_extension_for_oid(
+ ExtensionOID.SUBJECT_INFORMATION_ACCESS
+ )
+ assert ext.value == sia
+
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
def test_build_cert_with_ski(self, backend):
issuer_private_key = RSA_KEY_2048.private_key(backend)
subject_private_key = RSA_KEY_2048.private_key(backend)
@@ -3331,20 +4216,19 @@
subject_private_key.public_key()
)
- builder = x509.CertificateBuilder().serial_number(
- 777
- ).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).public_key(
- subject_private_key.public_key()
- ).add_extension(
- ski, critical=False
- ).not_valid_before(
- not_valid_before
- ).not_valid_after(
- not_valid_after
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .add_extension(ski, critical=False)
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
)
cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
@@ -3361,42 +4245,46 @@
b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
b"\xcbY",
None,
- None
+ None,
),
x509.AuthorityKeyIdentifier(
b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
b"\xcbY",
[
x509.DirectoryName(
- x509.Name([
- x509.NameAttribute(
- NameOID.ORGANIZATION_NAME, u"PyCA"
- ),
- x509.NameAttribute(
- NameOID.COMMON_NAME, u"cryptography CA"
- )
- ])
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.ORGANIZATION_NAME, u"PyCA"
+ ),
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography CA"
+ ),
+ ]
+ )
)
],
- 333
+ 333,
),
x509.AuthorityKeyIdentifier(
None,
[
x509.DirectoryName(
- x509.Name([
- x509.NameAttribute(
- NameOID.ORGANIZATION_NAME, u"PyCA"
- ),
- x509.NameAttribute(
- NameOID.COMMON_NAME, u"cryptography CA"
- )
- ])
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.ORGANIZATION_NAME, u"PyCA"
+ ),
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography CA"
+ ),
+ ]
+ )
)
],
- 333
+ 333,
),
- ]
+ ],
)
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
@@ -3407,20 +4295,19 @@
not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
- builder = x509.CertificateBuilder().serial_number(
- 777
- ).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).public_key(
- subject_private_key.public_key()
- ).add_extension(
- aki, critical=False
- ).not_valid_before(
- not_valid_before
- ).not_valid_after(
- not_valid_after
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .add_extension(aki, critical=False)
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
)
cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
@@ -3437,27 +4324,24 @@
not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
- builder = x509.CertificateBuilder().serial_number(
- 777
- ).issuer_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).subject_name(x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- ])).public_key(
- subject_private_key.public_key()
- ).add_extension(
- x509.OCSPNoCheck(), critical=False
- ).not_valid_before(
- not_valid_before
- ).not_valid_after(
- not_valid_after
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(subject_private_key.public_key())
+ .add_extension(x509.OCSPNoCheck(), critical=False)
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
)
cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
- ext = cert.extensions.get_extension_for_oid(
- ExtensionOID.OCSP_NO_CHECK
- )
+ ext = cert.extensions.get_extension_for_oid(ExtensionOID.OCSP_NO_CHECK)
assert isinstance(ext.value, x509.OCSPNoCheck)
@@ -3468,7 +4352,7 @@
cert = _load_cert(
os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
public_key = cert.public_key()
@@ -3483,7 +4367,8 @@
"1b4bb7b81c2783da97cea62df67af5e85991fdc13aff10fc60e06586386"
"b96bb78d65750f542f86951e05a6d81baadbcd35a2e5cad4119923ae6a2"
"002091a3d17017f93c52970113cdc119970b9074ca506eac91c3dd37632"
- "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c", 16
+ "5df4af6b3911ef267d26623a5a1c5df4a6d13f1c",
+ 16,
)
assert num.parameter_numbers.g == int(
"4b7ced71dc353965ecc10d441a9a06fc24943a32d66429dd5ef44d43e67"
@@ -3494,7 +4379,8 @@
"3fbfa136205f130bee2cf5b9c38dc1095d4006f2e73335c07352c64130a"
"1ab2b89f13b48f628d3cc3868beece9bb7beade9f830eacc6fa241425c0"
"b3fcc0df416a0c89f7bf35668d765ec95cdcfbe9caff49cfc156c668c76"
- "fa6247676a6d3ac945844a083509c6a1b436baca", 16
+ "fa6247676a6d3ac945844a083509c6a1b436baca",
+ 16,
)
assert num.parameter_numbers.p == int(
"bfade6048e373cd4e48b677e878c8e5b08c02102ae04eb2cb5c46a523a3"
@@ -3505,7 +4391,8 @@
"e703313743d86caa885930f62ed5bf342d8165627681e9cc3244ba72aa2"
"2148400a6bbe80154e855d042c9dc2a3405f1e517be9dea50562f56da93"
"f6085f844a7e705c1f043e65751c583b80d29103e590ccb26efdaa0893d"
- "833e36468f3907cfca788a3cb790f0341c8a31bf", 16
+ "833e36468f3907cfca788a3cb790f0341c8a31bf",
+ 16,
)
assert num.parameter_numbers.q == int(
"822ff5d234e073b901cf5941f58e1f538e71d40d", 16
@@ -3515,7 +4402,7 @@
cert = _load_cert(
os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert cert.signature == binascii.unhexlify(
b"302c021425c4a84a936ab311ee017d3cbd9a3c650bb3ae4a02145d30c64b4326"
@@ -3529,7 +4416,7 @@
cert = _load_cert(
os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert cert.tbs_certificate_bytes == binascii.unhexlify(
b"3082051aa003020102020900a37352e0b2142f86300906072a8648ce3804033"
@@ -3576,8 +4463,9 @@
b"0b2142f86300c0603551d13040530030101ff"
)
cert.public_key().verify(
- cert.signature, cert.tbs_certificate_bytes,
- cert.signature_hash_algorithm
+ cert.signature,
+ cert.tbs_certificate_bytes,
+ cert.signature_hash_algorithm,
)
@@ -3589,13 +4477,13 @@
[
[
os.path.join("x509", "requests", "dsa_sha1.pem"),
- x509.load_pem_x509_csr
+ x509.load_pem_x509_csr,
],
[
os.path.join("x509", "requests", "dsa_sha1.der"),
- x509.load_der_x509_csr
+ x509.load_der_x509_csr,
],
- ]
+ ],
)
def test_load_dsa_request(self, path, loader_func, backend):
request = _load_cert(path, loader_func, backend)
@@ -3605,18 +4493,18 @@
subject = request.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
- x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA"),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Texas"),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u"Austin"),
]
def test_signature(self, backend):
request = _load_cert(
os.path.join("x509", "requests", "dsa_sha1.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
assert request.signature == binascii.unhexlify(
b"302c021461d58dc028d0110818a7d817d74235727c4acfdf0214097b52e198e"
@@ -3627,7 +4515,7 @@
request = _load_cert(
os.path.join("x509", "requests", "dsa_sha1.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
assert request.tbs_certrequest_bytes == binascii.unhexlify(
b"3082021802010030573118301606035504030c0f63727970746f677261706879"
@@ -3651,7 +4539,7 @@
request.public_key().verify(
request.signature,
request.tbs_certrequest_bytes,
- request.signature_hash_algorithm
+ request.signature_hash_algorithm,
)
@@ -3663,7 +4551,7 @@
cert = _load_cert(
os.path.join("x509", "ecdsa_root.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert isinstance(cert.signature_hash_algorithm, hashes.SHA384)
public_key = cert.public_key()
@@ -3671,11 +4559,13 @@
num = public_key.public_numbers()
assert num.x == int(
"dda7d9bb8ab80bfb0b7f21d2f0bebe73f3335d1abc34eadec69bbcd095f"
- "6f0ccd00bba615b51467e9e2d9fee8e630c17", 16
+ "6f0ccd00bba615b51467e9e2d9fee8e630c17",
+ 16,
)
assert num.y == int(
"ec0770f5cf842e40839ce83f416d3badd3a4145936789d0343ee10136c7"
- "2deae88a7a16bb543ce67dc23ff031ca3e23e", 16
+ "2deae88a7a16bb543ce67dc23ff031ca3e23e",
+ 16,
)
assert isinstance(num.curve, ec.SECP384R1)
@@ -3683,7 +4573,7 @@
cert = _load_cert(
os.path.join("x509", "ecdsa_root.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert cert.signature == binascii.unhexlify(
b"3065023100adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085"
@@ -3695,12 +4585,12 @@
assert r == int(
"adbcf26c3f124ad12d39c30a099773f488368c8827bbe6888d5085a763f99e32"
"de66930ff1ccb1098fdd6cabfa6b7fa0",
- 16
+ 16,
)
assert s == int(
"39665bc2648db89e50dca8d549a2edc7dcd1497f1701b8c8868f4e8c882ba89a"
"a98ac5d100bdf854e29ae55b7cb32717",
- 16
+ 16,
)
def test_tbs_certificate_bytes(self, backend):
@@ -3708,7 +4598,7 @@
cert = _load_cert(
os.path.join("x509", "ecdsa_root.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert cert.tbs_certificate_bytes == binascii.unhexlify(
b"308201c5a0030201020210055556bcf25ea43535c3a40fd5ab4572300a06082"
@@ -3728,8 +4618,9 @@
b"f9a1c5d8ae3641cc1163696229bc4bc6"
)
cert.public_key().verify(
- cert.signature, cert.tbs_certificate_bytes,
- ec.ECDSA(cert.signature_hash_algorithm)
+ cert.signature,
+ cert.tbs_certificate_bytes,
+ ec.ECDSA(cert.signature_hash_algorithm),
)
def test_load_ecdsa_no_named_curve(self, backend):
@@ -3737,7 +4628,7 @@
cert = _load_cert(
os.path.join("x509", "custom", "ec_no_named_curve.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
with pytest.raises(NotImplementedError):
cert.public_key()
@@ -3751,13 +4642,13 @@
[
[
os.path.join("x509", "requests", "ec_sha256.pem"),
- x509.load_pem_x509_csr
+ x509.load_pem_x509_csr,
],
[
os.path.join("x509", "requests", "ec_sha256.der"),
- x509.load_der_x509_csr
+ x509.load_der_x509_csr,
],
- ]
+ ],
)
def test_load_ecdsa_certificate_request(self, path, loader_func, backend):
_skip_curve_unsupported(backend, ec.SECP384R1())
@@ -3768,11 +4659,11 @@
subject = request.subject
assert isinstance(subject, x509.Name)
assert list(subject) == [
- x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
- x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
- x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA"),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"Texas"),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u"Austin"),
]
def test_signature(self, backend):
@@ -3780,7 +4671,7 @@
request = _load_cert(
os.path.join("x509", "requests", "ec_sha256.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
assert request.signature == binascii.unhexlify(
b"306502302c1a9f7de8c1787332d2307a886b476a59f172b9b0e250262f3238b1"
@@ -3794,7 +4685,7 @@
request = _load_cert(
os.path.join("x509", "requests", "ec_sha256.pem"),
x509.load_pem_x509_csr,
- backend
+ backend,
)
assert request.tbs_certrequest_bytes == binascii.unhexlify(
b"3081d602010030573118301606035504030c0f63727970746f6772617068792"
@@ -3806,8 +4697,9 @@
b"accff0ffaf7155812909d3726bd59fde001cff4bb9b2f5af8cbaa000"
)
request.public_key().verify(
- request.signature, request.tbs_certrequest_bytes,
- ec.ECDSA(request.signature_hash_algorithm)
+ request.signature,
+ request.tbs_certrequest_bytes,
+ ec.ECDSA(request.signature_hash_algorithm),
)
@@ -3827,14 +4719,12 @@
def test_bad_time_in_validity(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "badasn1time.pem"
- ),
+ os.path.join("x509", "badasn1time.pem"),
x509.load_pem_x509_certificate,
backend,
)
- with pytest.raises(ValueError, match='19020701025736Z'):
+ with pytest.raises(ValueError, match="19020701025736Z"):
cert.not_valid_after
@@ -3860,10 +4750,7 @@
(NameOID.EMAIL_ADDRESS, _ASN1Type.IA5String),
(NameOID.JURISDICTION_COUNTRY_NAME, _ASN1Type.PrintableString),
(NameOID.JURISDICTION_LOCALITY_NAME, _ASN1Type.UTF8String),
- (
- NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME,
- _ASN1Type.UTF8String
- ),
+ (NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME, _ASN1Type.UTF8String),
(NameOID.BUSINESS_CATEGORY, _ASN1Type.UTF8String),
(NameOID.POSTAL_ADDRESS, _ASN1Type.UTF8String),
(NameOID.POSTAL_CODE, _ASN1Type.UTF8String),
@@ -3882,32 +4769,23 @@
def test_init_bad_oid(self):
with pytest.raises(TypeError):
- x509.NameAttribute(None, u'value')
+ x509.NameAttribute(None, u"value")
def test_init_bad_value(self):
with pytest.raises(TypeError):
- x509.NameAttribute(
- x509.ObjectIdentifier('2.999.1'),
- b'bytes'
- )
+ x509.NameAttribute(x509.ObjectIdentifier("2.999.1"), b"bytes")
+
+ def test_init_none_value(self):
+ with pytest.raises(TypeError):
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, None)
def test_init_bad_country_code_value(self):
with pytest.raises(ValueError):
- x509.NameAttribute(
- NameOID.COUNTRY_NAME,
- u'United States'
- )
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"United States")
# unicode string of length 2, but > 2 bytes
with pytest.raises(ValueError):
- x509.NameAttribute(
- NameOID.COUNTRY_NAME,
- u'\U0001F37A\U0001F37A'
- )
-
- def test_init_empty_value(self):
- with pytest.raises(ValueError):
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'')
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"\U0001F37A\U0001F37A")
def test_invalid_type(self):
with pytest.raises(TypeError):
@@ -3915,28 +4793,23 @@
def test_eq(self):
assert x509.NameAttribute(
- x509.ObjectIdentifier('2.999.1'), u'value'
- ) == x509.NameAttribute(
- x509.ObjectIdentifier('2.999.1'), u'value'
- )
+ x509.ObjectIdentifier("2.999.1"), u"value"
+ ) == x509.NameAttribute(x509.ObjectIdentifier("2.999.1"), u"value")
def test_ne(self):
assert x509.NameAttribute(
- x509.ObjectIdentifier('2.5.4.3'), u'value'
- ) != x509.NameAttribute(
- x509.ObjectIdentifier('2.5.4.5'), u'value'
- )
+ x509.ObjectIdentifier("2.5.4.3"), u"value"
+ ) != x509.NameAttribute(x509.ObjectIdentifier("2.5.4.5"), u"value")
assert x509.NameAttribute(
- x509.ObjectIdentifier('2.999.1'), u'value'
- ) != x509.NameAttribute(
- x509.ObjectIdentifier('2.999.1'), u'value2'
+ x509.ObjectIdentifier("2.999.1"), u"value"
+ ) != x509.NameAttribute(x509.ObjectIdentifier("2.999.1"), u"value2")
+ assert (
+ x509.NameAttribute(x509.ObjectIdentifier("2.999.2"), u"value")
+ != object()
)
- assert x509.NameAttribute(
- x509.ObjectIdentifier('2.999.2'), u'value'
- ) != object()
def test_repr(self):
- na = x509.NameAttribute(x509.ObjectIdentifier('2.5.4.3'), u'value')
+ na = x509.NameAttribute(x509.ObjectIdentifier("2.5.4.3"), u"value")
if not six.PY2:
assert repr(na) == (
"<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commo"
@@ -3951,14 +4824,19 @@
def test_distinugished_name(self):
# Escaping
na = x509.NameAttribute(NameOID.COMMON_NAME, u'James "Jim" Smith, III')
- assert na.rfc4514_string() == r'CN=James \"Jim\" Smith\, III'
- na = x509.NameAttribute(NameOID.USER_ID, u'# escape+,;\0this ')
- assert na.rfc4514_string() == r'UID=\# escape\+\,\;\00this\ '
+ assert na.rfc4514_string() == r"CN=James \"Jim\" Smith\, III"
+ na = x509.NameAttribute(NameOID.USER_ID, u"# escape+,;\0this ")
+ assert na.rfc4514_string() == r"UID=\# escape\+\,\;\00this\ "
# Nonstandard attribute OID
- na = x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'somebody@example.com')
- assert (na.rfc4514_string() ==
- '1.2.840.113549.1.9.1=somebody@example.com')
+ na = x509.NameAttribute(NameOID.EMAIL_ADDRESS, u"somebody@example.com")
+ assert (
+ na.rfc4514_string() == "1.2.840.113549.1.9.1=somebody@example.com"
+ )
+
+ def test_empty_value(self):
+ na = x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"")
+ assert na.rfc4514_string() == r"ST="
class TestRelativeDistinguishedName(object):
@@ -3972,78 +4850,126 @@
def test_init_duplicate_attribute(self):
with pytest.raises(ValueError):
- x509.RelativeDistinguishedName([
- x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'val1'),
- x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'val1'),
- ])
+ x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.1"), u"val1"
+ ),
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.1"), u"val1"
+ ),
+ ]
+ )
def test_hash(self):
- rdn1 = x509.RelativeDistinguishedName([
- x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
- x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
- ])
- rdn2 = x509.RelativeDistinguishedName([
- x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
- x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
- ])
- rdn3 = x509.RelativeDistinguishedName([
- x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
- x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value3'),
- ])
+ rdn1 = x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.1"), u"value1"
+ ),
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.2"), u"value2"
+ ),
+ ]
+ )
+ rdn2 = x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.2"), u"value2"
+ ),
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.1"), u"value1"
+ ),
+ ]
+ )
+ rdn3 = x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.1"), u"value1"
+ ),
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.2"), u"value3"
+ ),
+ ]
+ )
assert hash(rdn1) == hash(rdn2)
assert hash(rdn1) != hash(rdn3)
def test_eq(self):
- rdn1 = x509.RelativeDistinguishedName([
- x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
- x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
- ])
- rdn2 = x509.RelativeDistinguishedName([
- x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
- x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
- ])
+ rdn1 = x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.1"), u"value1"
+ ),
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.2"), u"value2"
+ ),
+ ]
+ )
+ rdn2 = x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.2"), u"value2"
+ ),
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.1"), u"value1"
+ ),
+ ]
+ )
assert rdn1 == rdn2
def test_ne(self):
- rdn1 = x509.RelativeDistinguishedName([
- x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
- x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
- ])
- rdn2 = x509.RelativeDistinguishedName([
- x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
- x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value3'),
- ])
+ rdn1 = x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.1"), u"value1"
+ ),
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.2"), u"value2"
+ ),
+ ]
+ )
+ rdn2 = x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.1"), u"value1"
+ ),
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.2"), u"value3"
+ ),
+ ]
+ )
assert rdn1 != rdn2
assert rdn1 != object()
def test_iter_input(self):
# Order must be preserved too
attrs = [
- x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
- x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value2'),
- x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value3')
+ x509.NameAttribute(x509.ObjectIdentifier("2.999.1"), u"value1"),
+ x509.NameAttribute(x509.ObjectIdentifier("2.999.1"), u"value2"),
+ x509.NameAttribute(x509.ObjectIdentifier("2.999.1"), u"value3"),
]
rdn = x509.RelativeDistinguishedName(iter(attrs))
assert list(rdn) == attrs
assert list(rdn) == attrs
def test_get_attributes_for_oid(self):
- oid = x509.ObjectIdentifier('2.999.1')
- attr = x509.NameAttribute(oid, u'value1')
+ oid = x509.ObjectIdentifier("2.999.1")
+ attr = x509.NameAttribute(oid, u"value1")
rdn = x509.RelativeDistinguishedName([attr])
assert rdn.get_attributes_for_oid(oid) == [attr]
- assert rdn.get_attributes_for_oid(x509.ObjectIdentifier('1.2.3')) == []
+ assert rdn.get_attributes_for_oid(x509.ObjectIdentifier("1.2.3")) == []
class TestObjectIdentifier(object):
def test_eq(self):
- oid1 = x509.ObjectIdentifier('2.999.1')
- oid2 = x509.ObjectIdentifier('2.999.1')
+ oid1 = x509.ObjectIdentifier("2.999.1")
+ oid2 = x509.ObjectIdentifier("2.999.1")
assert oid1 == oid2
def test_ne(self):
- oid1 = x509.ObjectIdentifier('2.999.1')
- assert oid1 != x509.ObjectIdentifier('2.999.2')
+ oid1 = x509.ObjectIdentifier("2.999.1")
+ assert oid1 != x509.ObjectIdentifier("2.999.2")
assert oid1 != object()
def test_repr(self):
@@ -4054,9 +4980,9 @@
def test_name_property(self):
oid = x509.ObjectIdentifier("2.5.4.3")
- assert oid._name == 'commonName'
+ assert oid._name == "commonName"
oid = x509.ObjectIdentifier("2.999.1")
- assert oid._name == 'Unknown OID'
+ assert oid._name == "Unknown OID"
def test_too_short(self):
with pytest.raises(ValueError):
@@ -4084,21 +5010,23 @@
class TestName(object):
def test_eq(self):
- ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
- ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
+ ava1 = x509.NameAttribute(x509.ObjectIdentifier("2.999.1"), u"value1")
+ ava2 = x509.NameAttribute(x509.ObjectIdentifier("2.999.2"), u"value2")
name1 = x509.Name([ava1, ava2])
- name2 = x509.Name([
- x509.RelativeDistinguishedName([ava1]),
- x509.RelativeDistinguishedName([ava2]),
- ])
+ name2 = x509.Name(
+ [
+ x509.RelativeDistinguishedName([ava1]),
+ x509.RelativeDistinguishedName([ava2]),
+ ]
+ )
name3 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
name4 = x509.Name([x509.RelativeDistinguishedName([ava2, ava1])])
assert name1 == name2
assert name3 == name4
def test_ne(self):
- ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
- ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
+ ava1 = x509.NameAttribute(x509.ObjectIdentifier("2.999.1"), u"value1")
+ ava2 = x509.NameAttribute(x509.ObjectIdentifier("2.999.2"), u"value2")
name1 = x509.Name([ava1, ava2])
name2 = x509.Name([ava2, ava1])
name3 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
@@ -4107,13 +5035,15 @@
assert name1 != object()
def test_hash(self):
- ava1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
- ava2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
+ ava1 = x509.NameAttribute(x509.ObjectIdentifier("2.999.1"), u"value1")
+ ava2 = x509.NameAttribute(x509.ObjectIdentifier("2.999.2"), u"value2")
name1 = x509.Name([ava1, ava2])
- name2 = x509.Name([
- x509.RelativeDistinguishedName([ava1]),
- x509.RelativeDistinguishedName([ava2]),
- ])
+ name2 = x509.Name(
+ [
+ x509.RelativeDistinguishedName([ava1]),
+ x509.RelativeDistinguishedName([ava2]),
+ ]
+ )
name3 = x509.Name([ava2, ava1])
name4 = x509.Name([x509.RelativeDistinguishedName([ava1, ava2])])
name5 = x509.Name([x509.RelativeDistinguishedName([ava2, ava1])])
@@ -4124,15 +5054,15 @@
def test_iter_input(self):
attrs = [
- x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
+ x509.NameAttribute(x509.ObjectIdentifier("2.999.1"), u"value1")
]
name = x509.Name(iter(attrs))
assert list(name) == attrs
assert list(name) == attrs
def test_rdns(self):
- rdn1 = x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
- rdn2 = x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
+ rdn1 = x509.NameAttribute(x509.ObjectIdentifier("2.999.1"), u"value1")
+ rdn2 = x509.NameAttribute(x509.ObjectIdentifier("2.999.2"), u"value2")
name1 = x509.Name([rdn1, rdn2])
assert name1.rdns == [
x509.RelativeDistinguishedName([rdn1]),
@@ -4141,29 +5071,63 @@
name2 = x509.Name([x509.RelativeDistinguishedName([rdn1, rdn2])])
assert name2.rdns == [x509.RelativeDistinguishedName([rdn1, rdn2])]
- def test_repr(self):
- name = x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
- ])
+ @pytest.mark.parametrize(
+ ("common_name", "org_name", "expected_repr"),
+ [
+ (
+ u"cryptography.io",
+ u"PyCA",
+ "<Name(CN=cryptography.io,O=PyCA)>",
+ ),
+ (
+ u"Certificación",
+ u"Certificación",
+ "<Name(CN=Certificación,O=Certificación)>",
+ ),
+ ],
+ )
+ def test_repr(self, common_name, org_name, expected_repr):
+ name = x509.Name(
+ [
+ x509.NameAttribute(NameOID.COMMON_NAME, common_name),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, org_name),
+ ]
+ )
- assert repr(name) == "<Name(CN=cryptography.io,O=PyCA)>"
+ assert repr(name) == expected_repr
def test_rfc4514_string(self):
- n = x509.Name([
- x509.RelativeDistinguishedName([
- x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Sales'),
- x509.NameAttribute(NameOID.COMMON_NAME, u'J. Smith'),
- ]),
- x509.RelativeDistinguishedName([
- x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'example'),
- ]),
- x509.RelativeDistinguishedName([
- x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'net'),
- ]),
- ])
- assert (n.rfc4514_string() ==
- 'OU=Sales+CN=J. Smith,DC=example,DC=net')
+ n = x509.Name(
+ [
+ x509.RelativeDistinguishedName(
+ [x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u"net")]
+ ),
+ x509.RelativeDistinguishedName(
+ [x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u"example")]
+ ),
+ x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ NameOID.ORGANIZATIONAL_UNIT_NAME, u"Sales"
+ ),
+ x509.NameAttribute(NameOID.COMMON_NAME, u"J. Smith"),
+ ]
+ ),
+ ]
+ )
+ assert n.rfc4514_string() == "OU=Sales+CN=J. Smith,DC=example,DC=net"
+
+ def test_rfc4514_string_empty_values(self):
+ n = x509.Name(
+ [
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u""),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u""),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA"),
+ x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io"),
+ ]
+ )
+ assert n.rfc4514_string() == "CN=cryptography.io,O=PyCA,L=,ST=,C=US"
def test_not_nameattribute(self):
with pytest.raises(TypeError):
@@ -4171,10 +5135,12 @@
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_bytes(self, backend):
- name = x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
- ])
+ name = x509.Name(
+ [
+ x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA"),
+ ]
+ )
assert name.public_bytes(backend) == binascii.unhexlify(
b"30293118301606035504030c0f63727970746f6772617068792e696f310d300"
b"b060355040a0c0450794341"
@@ -4185,19 +5151,150 @@
# For this test we need an odd length string. BMPString is UCS-2
# encoded so it will always be even length and OpenSSL will error if
# you pass an odd length string without encoding it properly first.
- name = x509.Name([
- x509.NameAttribute(
- NameOID.COMMON_NAME,
- u'cryptography.io',
- _ASN1Type.BMPString
- ),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
- ])
+ name = x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME,
+ u"cryptography.io",
+ _ASN1Type.BMPString,
+ ),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA"),
+ ]
+ )
assert name.public_bytes(backend) == binascii.unhexlify(
b"30383127302506035504031e1e00630072007900700074006f00670072006100"
b"7000680079002e0069006f310d300b060355040a0c0450794341"
)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_universalstring_bytes(self, backend):
+ # UniversalString is UCS-4
+ name = x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME,
+ u"cryptography.io",
+ _ASN1Type.UniversalString,
+ ),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA"),
+ ]
+ )
+ assert name.public_bytes(backend) == binascii.unhexlify(
+ b"30563145304306035504031c3c00000063000000720000007900000070000000"
+ b"740000006f000000670000007200000061000000700000006800000079000000"
+ b"2e000000690000006f310d300b060355040a0c0450794341"
+ )
+
+
+@pytest.mark.supported(
+ only_if=lambda backend: backend.ed25519_supported(),
+ skip_message="Requires OpenSSL with Ed25519 support",
+)
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestEd25519Certificate(object):
+ def test_load_pem_cert(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "ed25519", "root-ed25519.pem"),
+ x509.load_pem_x509_certificate,
+ backend,
+ )
+ # self-signed, so this will work
+ cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes)
+ assert isinstance(cert, x509.Certificate)
+ assert cert.serial_number == 9579446940964433301
+ assert cert.signature_hash_algorithm is None
+ assert cert.signature_algorithm_oid == SignatureAlgorithmOID.ED25519
+
+ def test_deepcopy(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "ed25519", "root-ed25519.pem"),
+ x509.load_pem_x509_certificate,
+ backend,
+ )
+ assert copy.deepcopy(cert) is cert
+
+
+@pytest.mark.supported(
+ only_if=lambda backend: backend.ed448_supported(),
+ skip_message="Requires OpenSSL with Ed448 support",
+)
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestEd448Certificate(object):
+ def test_load_pem_cert(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "ed448", "root-ed448.pem"),
+ x509.load_pem_x509_certificate,
+ backend,
+ )
+ # self-signed, so this will work
+ cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes)
+ assert isinstance(cert, x509.Certificate)
+ assert cert.serial_number == 448
+ assert cert.signature_hash_algorithm is None
+ assert cert.signature_algorithm_oid == SignatureAlgorithmOID.ED448
+
+
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestSignatureRejection(object):
+ """Test if signing rejects DH keys properly."""
+
+ def load_key(self, backend):
+ vector = load_vectors_from_file(
+ os.path.join("asymmetric", "DH", "rfc3526.txt"),
+ load_nist_vectors,
+ )[1]
+ p = int_from_bytes(binascii.unhexlify(vector["p"]), "big")
+ params = dh.DHParameterNumbers(p, int(vector["g"]))
+ param = params.parameters(backend)
+ return param.generate_private_key()
+
+ def test_crt_signing_check(self, backend):
+ issuer_private_key = self.load_key(backend)
+ public_key = RSA_KEY_2048.private_key(backend).public_key()
+ not_valid_before = datetime.datetime(2020, 1, 1, 1, 1)
+ not_valid_after = datetime.datetime(2050, 12, 31, 8, 30)
+ builder = (
+ x509.CertificateBuilder()
+ .serial_number(777)
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .public_key(public_key)
+ .not_valid_before(not_valid_before)
+ .not_valid_after(not_valid_after)
+ )
+
+ with pytest.raises(TypeError):
+ builder.sign(issuer_private_key, hashes.SHA256(), backend)
+
+ def test_csr_signing_check(self, backend):
+ private_key = self.load_key(backend)
+ builder = x509.CertificateSigningRequestBuilder().subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+
+ with pytest.raises(TypeError):
+ builder.sign(private_key, hashes.SHA256(), backend)
+
+ def test_crl_signing_check(self, backend):
+ private_key = self.load_key(backend)
+ last_time = datetime.datetime.utcnow().replace(microsecond=0)
+ next_time = last_time
+ builder = (
+ x509.CertificateRevocationListBuilder()
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u"CA")])
+ )
+ .last_update(last_time)
+ .next_update(next_time)
+ )
+
+ with pytest.raises(TypeError):
+ builder.sign(private_key, hashes.SHA256(), backend)
+
def test_random_serial_number(monkeypatch):
sample_data = os.urandom(20)
@@ -4210,7 +5307,5 @@
serial_number = x509.random_serial_number()
- assert (
- serial_number == utils.int_from_bytes(sample_data, "big") >> 1
- )
+ assert serial_number == utils.int_from_bytes(sample_data, "big") >> 1
assert serial_number.bit_length() < 160
diff --git a/tests/x509/test_x509_crlbuilder.py b/tests/x509/test_x509_crlbuilder.py
index 5f220bc..922d249 100644
--- a/tests/x509/test_x509_crlbuilder.py
+++ b/tests/x509/test_x509_crlbuilder.py
@@ -12,11 +12,18 @@
from cryptography import x509
from cryptography.hazmat.backends.interfaces import (
- DSABackend, EllipticCurveBackend, RSABackend, X509Backend
+ DSABackend,
+ EllipticCurveBackend,
+ RSABackend,
+ X509Backend,
)
from cryptography.hazmat.primitives import hashes
-from cryptography.hazmat.primitives.asymmetric import ec
-from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID
+from cryptography.hazmat.primitives.asymmetric import ec, ed25519, ed448
+from cryptography.x509.oid import (
+ AuthorityInformationAccessOID,
+ NameOID,
+ SignatureAlgorithmOID,
+)
from ..hazmat.primitives.fixtures_dsa import DSA_KEY_2048
from ..hazmat.primitives.fixtures_ec import EC_KEY_SECP256R1
@@ -32,11 +39,11 @@
def test_set_issuer_name_twice(self):
builder = x509.CertificateRevocationListBuilder().issuer_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
)
with pytest.raises(ValueError):
builder.issuer_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
)
@pytest.mark.requires_backend_interface(interface=RSABackend)
@@ -48,11 +55,20 @@
utc_last = datetime.datetime(2012, 1, 17, 6, 43)
next_time = datetime.datetime(2022, 1, 17, 6, 43)
private_key = RSA_KEY_2048.private_key(backend)
- builder = x509.CertificateRevocationListBuilder().issuer_name(
- x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA")
- ])
- ).last_update(last_time).next_update(next_time)
+ builder = (
+ x509.CertificateRevocationListBuilder()
+ .issuer_name(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography.io CA"
+ )
+ ]
+ )
+ )
+ .last_update(last_time)
+ .next_update(next_time)
+ )
crl = builder.sign(private_key, hashes.SHA256(), backend)
assert crl.last_update == utc_last
@@ -83,11 +99,20 @@
utc_next = datetime.datetime(2022, 1, 17, 6, 43)
last_time = datetime.datetime(2012, 1, 17, 6, 43)
private_key = RSA_KEY_2048.private_key(backend)
- builder = x509.CertificateRevocationListBuilder().issuer_name(
- x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA")
- ])
- ).last_update(last_time).next_update(next_time)
+ builder = (
+ x509.CertificateRevocationListBuilder()
+ .issuer_name(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography.io CA"
+ )
+ ]
+ )
+ )
+ .last_update(last_time)
+ .next_update(next_time)
+ )
crl = builder.sign(private_key, hashes.SHA256(), backend)
assert crl.next_update == utc_next
@@ -112,18 +137,14 @@
def test_last_update_after_next_update(self):
builder = x509.CertificateRevocationListBuilder()
- builder = builder.next_update(
- datetime.datetime(2002, 1, 1, 12, 1)
- )
+ builder = builder.next_update(datetime.datetime(2002, 1, 1, 12, 1))
with pytest.raises(ValueError):
builder.last_update(datetime.datetime(2003, 1, 1, 12, 1))
def test_next_update_after_last_update(self):
builder = x509.CertificateRevocationListBuilder()
- builder = builder.last_update(
- datetime.datetime(2002, 1, 1, 12, 1)
- )
+ builder = builder.last_update(datetime.datetime(2002, 1, 1, 12, 1))
with pytest.raises(ValueError):
builder.next_update(datetime.datetime(2001, 1, 1, 12, 1))
@@ -139,9 +160,7 @@
builder = x509.CertificateRevocationListBuilder()
with pytest.raises(TypeError):
- builder.add_extension(
- object(), False
- )
+ builder.add_extension(object(), False)
def test_add_invalid_revoked_certificate(self):
builder = x509.CertificateRevocationListBuilder()
@@ -153,10 +172,10 @@
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_no_issuer_name(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
- builder = x509.CertificateRevocationListBuilder().last_update(
- datetime.datetime(2002, 1, 1, 12, 1)
- ).next_update(
- datetime.datetime(2030, 1, 1, 12, 1)
+ builder = (
+ x509.CertificateRevocationListBuilder()
+ .last_update(datetime.datetime(2002, 1, 1, 12, 1))
+ .next_update(datetime.datetime(2030, 1, 1, 12, 1))
)
with pytest.raises(ValueError):
@@ -166,10 +185,12 @@
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_no_last_update(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
- builder = x509.CertificateRevocationListBuilder().issuer_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).next_update(
- datetime.datetime(2030, 1, 1, 12, 1)
+ builder = (
+ x509.CertificateRevocationListBuilder()
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .next_update(datetime.datetime(2030, 1, 1, 12, 1))
)
with pytest.raises(ValueError):
@@ -179,10 +200,12 @@
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_no_next_update(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
- builder = x509.CertificateRevocationListBuilder().issuer_name(
- x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
- ).last_update(
- datetime.datetime(2030, 1, 1, 12, 1)
+ builder = (
+ x509.CertificateRevocationListBuilder()
+ .issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US")])
+ )
+ .last_update(datetime.datetime(2030, 1, 1, 12, 1))
)
with pytest.raises(ValueError):
@@ -194,11 +217,20 @@
private_key = RSA_KEY_2048.private_key(backend)
last_update = datetime.datetime(2002, 1, 1, 12, 1)
next_update = datetime.datetime(2030, 1, 1, 12, 1)
- builder = x509.CertificateRevocationListBuilder().issuer_name(
- x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA")
- ])
- ).last_update(last_update).next_update(next_update)
+ builder = (
+ x509.CertificateRevocationListBuilder()
+ .issuer_name(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography.io CA"
+ )
+ ]
+ )
+ )
+ .last_update(last_update)
+ .next_update(next_update)
+ )
crl = builder.sign(private_key, hashes.SHA256(), backend)
assert len(crl) == 0
@@ -214,18 +246,20 @@
b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08"
b"\xcbY",
None,
- None
+ None,
),
- x509.AuthorityInformationAccess([
- x509.AccessDescription(
- AuthorityInformationAccessOID.CA_ISSUERS,
- x509.DNSName(u"cryptography.io")
- )
- ]),
- x509.IssuerAlternativeName([
- x509.UniformResourceIdentifier(u"https://cryptography.io"),
- ])
- ]
+ x509.AuthorityInformationAccess(
+ [
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.CA_ISSUERS,
+ x509.DNSName(u"cryptography.io"),
+ )
+ ]
+ ),
+ x509.IssuerAlternativeName(
+ [x509.UniformResourceIdentifier(u"https://cryptography.io")]
+ ),
+ ],
)
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
@@ -233,16 +267,20 @@
private_key = RSA_KEY_2048.private_key(backend)
last_update = datetime.datetime(2002, 1, 1, 12, 1)
next_update = datetime.datetime(2030, 1, 1, 12, 1)
- builder = x509.CertificateRevocationListBuilder().issuer_name(
- x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA")
- ])
- ).last_update(
- last_update
- ).next_update(
- next_update
- ).add_extension(
- extension, False
+ builder = (
+ x509.CertificateRevocationListBuilder()
+ .issuer_name(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography.io CA"
+ )
+ ]
+ )
+ )
+ .last_update(last_update)
+ .next_update(next_update)
+ .add_extension(extension, False)
)
crl = builder.sign(private_key, hashes.SHA256(), backend)
@@ -258,22 +296,25 @@
private_key = RSA_KEY_2048.private_key(backend)
last_update = datetime.datetime(2002, 1, 1, 12, 1)
next_update = datetime.datetime(2030, 1, 1, 12, 1)
- ian = x509.IssuerAlternativeName([
- x509.UniformResourceIdentifier(u"https://cryptography.io"),
- ])
+ ian = x509.IssuerAlternativeName(
+ [x509.UniformResourceIdentifier(u"https://cryptography.io")]
+ )
crl_number = x509.CRLNumber(13)
- builder = x509.CertificateRevocationListBuilder().issuer_name(
- x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA")
- ])
- ).last_update(
- last_update
- ).next_update(
- next_update
- ).add_extension(
- crl_number, False
- ).add_extension(
- ian, True
+ builder = (
+ x509.CertificateRevocationListBuilder()
+ .issuer_name(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography.io CA"
+ )
+ ]
+ )
+ )
+ .last_update(last_update)
+ .next_update(next_update)
+ .add_extension(crl_number, False)
+ .add_extension(ian, True)
)
crl = builder.sign(private_key, hashes.SHA256(), backend)
@@ -290,20 +331,66 @@
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_freshestcrl_extension(self, backend):
+ private_key = RSA_KEY_2048.private_key(backend)
+ last_update = datetime.datetime(2002, 1, 1, 12, 1)
+ next_update = datetime.datetime(2030, 1, 1, 12, 1)
+ freshest = x509.FreshestCRL(
+ [
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(u"http://d.om/delta")],
+ None,
+ None,
+ None,
+ )
+ ]
+ )
+ builder = (
+ x509.CertificateRevocationListBuilder()
+ .issuer_name(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography.io CA"
+ )
+ ]
+ )
+ )
+ .last_update(last_update)
+ .next_update(next_update)
+ .add_extension(freshest, False)
+ )
+
+ crl = builder.sign(private_key, hashes.SHA256(), backend)
+ assert len(crl) == 0
+ assert len(crl.extensions) == 1
+ ext1 = crl.extensions.get_extension_for_class(x509.FreshestCRL)
+ assert ext1.critical is False
+ assert isinstance(ext1.value[0], x509.DistributionPoint)
+ uri = ext1.value[0].full_name[0]
+ assert isinstance(uri, x509.UniformResourceIdentifier)
+ assert uri.value == u"http://d.om/delta"
+
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
def test_add_unsupported_extension(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
last_update = datetime.datetime(2002, 1, 1, 12, 1)
next_update = datetime.datetime(2030, 1, 1, 12, 1)
- builder = x509.CertificateRevocationListBuilder().issuer_name(
- x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA")
- ])
- ).last_update(
- last_update
- ).next_update(
- next_update
- ).add_extension(
- x509.OCSPNoCheck(), False
+ builder = (
+ x509.CertificateRevocationListBuilder()
+ .issuer_name(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography.io CA"
+ )
+ ]
+ )
+ )
+ .last_update(last_update)
+ .next_update(next_update)
+ .add_extension(x509.OCSPNoCheck(), False)
)
with pytest.raises(NotImplementedError):
builder.sign(private_key, hashes.SHA256(), backend)
@@ -314,14 +401,19 @@
private_key = RSA_KEY_512.private_key(backend)
last_update = datetime.datetime(2002, 1, 1, 12, 1)
next_update = datetime.datetime(2030, 1, 1, 12, 1)
- builder = x509.CertificateRevocationListBuilder().issuer_name(
- x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA")
- ])
- ).last_update(
- last_update
- ).next_update(
- next_update
+ builder = (
+ x509.CertificateRevocationListBuilder()
+ .issuer_name(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography.io CA"
+ )
+ ]
+ )
+ )
+ .last_update(last_update)
+ .next_update(next_update)
)
with pytest.raises(ValueError):
@@ -333,19 +425,82 @@
private_key = RSA_KEY_2048.private_key(backend)
last_update = datetime.datetime(2002, 1, 1, 12, 1)
next_update = datetime.datetime(2030, 1, 1, 12, 1)
- builder = x509.CertificateRevocationListBuilder().issuer_name(
- x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA")
- ])
- ).last_update(
- last_update
- ).next_update(
- next_update
+ builder = (
+ x509.CertificateRevocationListBuilder()
+ .issuer_name(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography.io CA"
+ )
+ ]
+ )
+ )
+ .last_update(last_update)
+ .next_update(next_update)
)
with pytest.raises(TypeError):
builder.sign(private_key, object(), backend)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.ed25519_supported(),
+ skip_message="Requires OpenSSL with Ed25519 support",
+ )
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_sign_with_invalid_hash_ed25519(self, backend):
+ private_key = ed25519.Ed25519PrivateKey.generate()
+ last_update = datetime.datetime(2002, 1, 1, 12, 1)
+ next_update = datetime.datetime(2030, 1, 1, 12, 1)
+ builder = (
+ x509.CertificateRevocationListBuilder()
+ .issuer_name(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography.io CA"
+ )
+ ]
+ )
+ )
+ .last_update(last_update)
+ .next_update(next_update)
+ )
+
+ with pytest.raises(ValueError):
+ builder.sign(private_key, object(), backend)
+ with pytest.raises(ValueError):
+ builder.sign(private_key, hashes.SHA256(), backend)
+
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.ed448_supported(),
+ skip_message="Requires OpenSSL with Ed448 support",
+ )
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_sign_with_invalid_hash_ed448(self, backend):
+ private_key = ed448.Ed448PrivateKey.generate()
+ last_update = datetime.datetime(2002, 1, 1, 12, 1)
+ next_update = datetime.datetime(2030, 1, 1, 12, 1)
+ builder = (
+ x509.CertificateRevocationListBuilder()
+ .issuer_name(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography.io CA"
+ )
+ ]
+ )
+ )
+ .last_update(last_update)
+ .next_update(next_update)
+ )
+
+ with pytest.raises(ValueError):
+ builder.sign(private_key, object(), backend)
+ with pytest.raises(ValueError):
+ builder.sign(private_key, hashes.SHA256(), backend)
+
@pytest.mark.requires_backend_interface(interface=DSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_sign_dsa_key(self, backend):
@@ -353,36 +508,42 @@
invalidity_date = x509.InvalidityDate(
datetime.datetime(2002, 1, 1, 0, 0)
)
- ian = x509.IssuerAlternativeName([
- x509.UniformResourceIdentifier(u"https://cryptography.io"),
- ])
- revoked_cert0 = x509.RevokedCertificateBuilder().serial_number(
- 2
- ).revocation_date(
- datetime.datetime(2012, 1, 1, 1, 1)
- ).add_extension(
- invalidity_date, False
- ).build(backend)
+ ian = x509.IssuerAlternativeName(
+ [x509.UniformResourceIdentifier(u"https://cryptography.io")]
+ )
+ revoked_cert0 = (
+ x509.RevokedCertificateBuilder()
+ .serial_number(2)
+ .revocation_date(datetime.datetime(2012, 1, 1, 1, 1))
+ .add_extension(invalidity_date, False)
+ .build(backend)
+ )
last_update = datetime.datetime(2002, 1, 1, 12, 1)
next_update = datetime.datetime(2030, 1, 1, 12, 1)
- builder = x509.CertificateRevocationListBuilder().issuer_name(
- x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA")
- ])
- ).last_update(
- last_update
- ).next_update(
- next_update
- ).add_revoked_certificate(
- revoked_cert0
- ).add_extension(
- ian, False
+ builder = (
+ x509.CertificateRevocationListBuilder()
+ .issuer_name(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography.io CA"
+ )
+ ]
+ )
+ )
+ .last_update(last_update)
+ .next_update(next_update)
+ .add_revoked_certificate(revoked_cert0)
+ .add_extension(ian, False)
)
crl = builder.sign(private_key, hashes.SHA256(), backend)
- assert crl.extensions.get_extension_for_class(
- x509.IssuerAlternativeName
- ).value == ian
+ assert (
+ crl.extensions.get_extension_for_class(
+ x509.IssuerAlternativeName
+ ).value
+ == ian
+ )
assert crl[0].serial_number == revoked_cert0.serial_number
assert crl[0].revocation_date == revoked_cert0.revocation_date
assert len(crl[0].extensions) == 1
@@ -398,36 +559,152 @@
invalidity_date = x509.InvalidityDate(
datetime.datetime(2002, 1, 1, 0, 0)
)
- ian = x509.IssuerAlternativeName([
- x509.UniformResourceIdentifier(u"https://cryptography.io"),
- ])
- revoked_cert0 = x509.RevokedCertificateBuilder().serial_number(
- 2
- ).revocation_date(
- datetime.datetime(2012, 1, 1, 1, 1)
- ).add_extension(
- invalidity_date, False
- ).build(backend)
+ ian = x509.IssuerAlternativeName(
+ [x509.UniformResourceIdentifier(u"https://cryptography.io")]
+ )
+ revoked_cert0 = (
+ x509.RevokedCertificateBuilder()
+ .serial_number(2)
+ .revocation_date(datetime.datetime(2012, 1, 1, 1, 1))
+ .add_extension(invalidity_date, False)
+ .build(backend)
+ )
last_update = datetime.datetime(2002, 1, 1, 12, 1)
next_update = datetime.datetime(2030, 1, 1, 12, 1)
- builder = x509.CertificateRevocationListBuilder().issuer_name(
- x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA")
- ])
- ).last_update(
- last_update
- ).next_update(
- next_update
- ).add_revoked_certificate(
- revoked_cert0
- ).add_extension(
- ian, False
+ builder = (
+ x509.CertificateRevocationListBuilder()
+ .issuer_name(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography.io CA"
+ )
+ ]
+ )
+ )
+ .last_update(last_update)
+ .next_update(next_update)
+ .add_revoked_certificate(revoked_cert0)
+ .add_extension(ian, False)
)
crl = builder.sign(private_key, hashes.SHA256(), backend)
- assert crl.extensions.get_extension_for_class(
- x509.IssuerAlternativeName
- ).value == ian
+ assert (
+ crl.extensions.get_extension_for_class(
+ x509.IssuerAlternativeName
+ ).value
+ == ian
+ )
+ assert crl[0].serial_number == revoked_cert0.serial_number
+ assert crl[0].revocation_date == revoked_cert0.revocation_date
+ assert len(crl[0].extensions) == 1
+ ext = crl[0].extensions.get_extension_for_class(x509.InvalidityDate)
+ assert ext.critical is False
+ assert ext.value == invalidity_date
+
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.ed25519_supported(),
+ skip_message="Requires OpenSSL with Ed25519 support",
+ )
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_sign_ed25519_key(self, backend):
+ private_key = ed25519.Ed25519PrivateKey.generate()
+ invalidity_date = x509.InvalidityDate(
+ datetime.datetime(2002, 1, 1, 0, 0)
+ )
+ ian = x509.IssuerAlternativeName(
+ [x509.UniformResourceIdentifier(u"https://cryptography.io")]
+ )
+ revoked_cert0 = (
+ x509.RevokedCertificateBuilder()
+ .serial_number(2)
+ .revocation_date(datetime.datetime(2012, 1, 1, 1, 1))
+ .add_extension(invalidity_date, False)
+ .build(backend)
+ )
+ last_update = datetime.datetime(2002, 1, 1, 12, 1)
+ next_update = datetime.datetime(2030, 1, 1, 12, 1)
+ builder = (
+ x509.CertificateRevocationListBuilder()
+ .issuer_name(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography.io CA"
+ )
+ ]
+ )
+ )
+ .last_update(last_update)
+ .next_update(next_update)
+ .add_revoked_certificate(revoked_cert0)
+ .add_extension(ian, False)
+ )
+
+ crl = builder.sign(private_key, None, backend)
+ assert crl.signature_hash_algorithm is None
+ assert crl.signature_algorithm_oid == SignatureAlgorithmOID.ED25519
+ assert (
+ crl.extensions.get_extension_for_class(
+ x509.IssuerAlternativeName
+ ).value
+ == ian
+ )
+ assert crl[0].serial_number == revoked_cert0.serial_number
+ assert crl[0].revocation_date == revoked_cert0.revocation_date
+ assert len(crl[0].extensions) == 1
+ ext = crl[0].extensions.get_extension_for_class(x509.InvalidityDate)
+ assert ext.critical is False
+ assert ext.value == invalidity_date
+
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.ed448_supported(),
+ skip_message="Requires OpenSSL with Ed448 support",
+ )
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_sign_ed448_key(self, backend):
+ private_key = ed448.Ed448PrivateKey.generate()
+ invalidity_date = x509.InvalidityDate(
+ datetime.datetime(2002, 1, 1, 0, 0)
+ )
+ ian = x509.IssuerAlternativeName(
+ [x509.UniformResourceIdentifier(u"https://cryptography.io")]
+ )
+ revoked_cert0 = (
+ x509.RevokedCertificateBuilder()
+ .serial_number(2)
+ .revocation_date(datetime.datetime(2012, 1, 1, 1, 1))
+ .add_extension(invalidity_date, False)
+ .build(backend)
+ )
+ last_update = datetime.datetime(2002, 1, 1, 12, 1)
+ next_update = datetime.datetime(2030, 1, 1, 12, 1)
+ builder = (
+ x509.CertificateRevocationListBuilder()
+ .issuer_name(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography.io CA"
+ )
+ ]
+ )
+ )
+ .last_update(last_update)
+ .next_update(next_update)
+ .add_revoked_certificate(revoked_cert0)
+ .add_extension(ian, False)
+ )
+
+ crl = builder.sign(private_key, None, backend)
+ assert crl.signature_hash_algorithm is None
+ assert crl.signature_algorithm_oid == SignatureAlgorithmOID.ED448
+ assert (
+ crl.extensions.get_extension_for_class(
+ x509.IssuerAlternativeName
+ ).value
+ == ian
+ )
assert crl[0].serial_number == revoked_cert0.serial_number
assert crl[0].revocation_date == revoked_cert0.revocation_date
assert len(crl[0].extensions) == 1
@@ -441,11 +718,20 @@
private_key = DSA_KEY_2048.private_key(backend)
last_time = datetime.datetime(2012, 1, 16, 22, 43)
next_time = datetime.datetime(2022, 1, 17, 6, 43)
- builder = x509.CertificateRevocationListBuilder().issuer_name(
- x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA")
- ])
- ).last_update(last_time).next_update(next_time)
+ builder = (
+ x509.CertificateRevocationListBuilder()
+ .issuer_name(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography.io CA"
+ )
+ ]
+ )
+ )
+ .last_update(last_time)
+ .next_update(next_time)
+ )
with pytest.raises(ValueError):
builder.sign(private_key, hashes.MD5(), backend)
@@ -457,11 +743,20 @@
private_key = EC_KEY_SECP256R1.private_key(backend)
last_time = datetime.datetime(2012, 1, 16, 22, 43)
next_time = datetime.datetime(2022, 1, 17, 6, 43)
- builder = x509.CertificateRevocationListBuilder().issuer_name(
- x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA")
- ])
- ).last_update(last_time).next_update(next_time)
+ builder = (
+ x509.CertificateRevocationListBuilder()
+ .issuer_name(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography.io CA"
+ )
+ ]
+ )
+ )
+ .last_update(last_time)
+ .next_update(next_time)
+ )
with pytest.raises(ValueError):
builder.sign(private_key, hashes.MD5(), backend)
@@ -475,30 +770,34 @@
invalidity_date = x509.InvalidityDate(
datetime.datetime(2002, 1, 1, 0, 0)
)
- revoked_cert0 = x509.RevokedCertificateBuilder().serial_number(
- 38
- ).revocation_date(
- datetime.datetime(2011, 1, 1, 1, 1)
- ).build(backend)
- revoked_cert1 = x509.RevokedCertificateBuilder().serial_number(
- 2
- ).revocation_date(
- datetime.datetime(2012, 1, 1, 1, 1)
- ).add_extension(
- invalidity_date, False
- ).build(backend)
- builder = x509.CertificateRevocationListBuilder().issuer_name(
- x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA")
- ])
- ).last_update(
- last_update
- ).next_update(
- next_update
- ).add_revoked_certificate(
- revoked_cert0
- ).add_revoked_certificate(
- revoked_cert1
+ revoked_cert0 = (
+ x509.RevokedCertificateBuilder()
+ .serial_number(38)
+ .revocation_date(datetime.datetime(2011, 1, 1, 1, 1))
+ .build(backend)
+ )
+ revoked_cert1 = (
+ x509.RevokedCertificateBuilder()
+ .serial_number(2)
+ .revocation_date(datetime.datetime(2012, 1, 1, 1, 1))
+ .add_extension(invalidity_date, False)
+ .build(backend)
+ )
+ builder = (
+ x509.CertificateRevocationListBuilder()
+ .issuer_name(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography.io CA"
+ )
+ ]
+ )
+ )
+ .last_update(last_update)
+ .next_update(next_update)
+ .add_revoked_certificate(revoked_cert0)
+ .add_revoked_certificate(revoked_cert1)
)
crl = builder.sign(private_key, hashes.SHA256(), backend)
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
index 6de105f..8e2b402 100644
--- a/tests/x509/test_x509_ext.py
+++ b/tests/x509/test_x509_ext.py
@@ -9,53 +9,52 @@
import ipaddress
import os
+import pretend
+
import pytest
import six
-from cryptography import utils, x509
+from cryptography import x509
from cryptography.hazmat.backends.interfaces import (
- DSABackend, EllipticCurveBackend, RSABackend, X509Backend
+ DSABackend,
+ EllipticCurveBackend,
+ RSABackend,
+ X509Backend,
)
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import DNSName, NameConstraints, SubjectAlternativeName
-from cryptography.x509.general_name import _lazy_import_idna
+from cryptography.x509.extensions import _key_identifier_from_public_key
from cryptography.x509.oid import (
- AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID,
- NameOID, ObjectIdentifier
+ AuthorityInformationAccessOID,
+ ExtendedKeyUsageOID,
+ ExtensionOID,
+ NameOID,
+ ObjectIdentifier,
+ SubjectInformationAccessOID,
+ _OID_NAMES,
)
from .test_x509 import _load_cert
from ..hazmat.primitives.fixtures_rsa import RSA_KEY_2048
from ..hazmat.primitives.test_ec import _skip_curve_unsupported
+from ..utils import load_vectors_from_file
def _make_certbuilder(private_key):
- name = x509.Name(
- [x509.NameAttribute(NameOID.COMMON_NAME, u'example.org')])
+ name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u"example.org")])
return (
x509.CertificateBuilder()
- .subject_name(name)
- .issuer_name(name)
- .public_key(private_key.public_key())
- .serial_number(777)
- .not_valid_before(datetime.datetime(1999, 1, 1))
- .not_valid_after(datetime.datetime(2020, 1, 1))
+ .subject_name(name)
+ .issuer_name(name)
+ .public_key(private_key.public_key())
+ .serial_number(777)
+ .not_valid_before(datetime.datetime(1999, 1, 1))
+ .not_valid_after(datetime.datetime(2020, 1, 1))
)
-def test_lazy_idna_import():
- try:
- __import__("idna")
- pytest.skip("idna is installed")
- except ImportError:
- pass
-
- with pytest.raises(ImportError):
- _lazy_import_idna()
-
-
class TestExtension(object):
def test_not_an_oid(self):
bc = x509.BasicConstraints(ca=False, path_length=None)
@@ -77,26 +76,16 @@
)
def test_eq(self):
- ext1 = x509.Extension(
- x509.ObjectIdentifier('1.2.3.4'), False, 'value'
- )
- ext2 = x509.Extension(
- x509.ObjectIdentifier('1.2.3.4'), False, 'value'
- )
+ ext1 = x509.Extension(x509.ObjectIdentifier("1.2.3.4"), False, "value")
+ ext2 = x509.Extension(x509.ObjectIdentifier("1.2.3.4"), False, "value")
assert ext1 == ext2
def test_ne(self):
- ext1 = x509.Extension(
- x509.ObjectIdentifier('1.2.3.4'), False, 'value'
- )
- ext2 = x509.Extension(
- x509.ObjectIdentifier('1.2.3.5'), False, 'value'
- )
- ext3 = x509.Extension(
- x509.ObjectIdentifier('1.2.3.4'), True, 'value'
- )
+ ext1 = x509.Extension(x509.ObjectIdentifier("1.2.3.4"), False, "value")
+ ext2 = x509.Extension(x509.ObjectIdentifier("1.2.3.5"), False, "value")
+ ext3 = x509.Extension(x509.ObjectIdentifier("1.2.3.4"), True, "value")
ext4 = x509.Extension(
- x509.ObjectIdentifier('1.2.3.4'), False, 'value4'
+ x509.ObjectIdentifier("1.2.3.4"), False, "value4"
)
assert ext1 != ext2
assert ext1 != ext3
@@ -107,17 +96,17 @@
ext1 = x509.Extension(
ExtensionOID.BASIC_CONSTRAINTS,
False,
- x509.BasicConstraints(ca=False, path_length=None)
+ x509.BasicConstraints(ca=False, path_length=None),
)
ext2 = x509.Extension(
ExtensionOID.BASIC_CONSTRAINTS,
False,
- x509.BasicConstraints(ca=False, path_length=None)
+ x509.BasicConstraints(ca=False, path_length=None),
)
ext3 = x509.Extension(
ExtensionOID.BASIC_CONSTRAINTS,
False,
- x509.BasicConstraints(ca=True, path_length=None)
+ x509.BasicConstraints(ca=True, path_length=None),
)
assert hash(ext1) == hash(ext2)
assert hash(ext1) != hash(ext3)
@@ -146,10 +135,12 @@
def test_ne(self):
ext1 = x509.TLSFeature([x509.TLSFeatureType.status_request])
ext2 = x509.TLSFeature([x509.TLSFeatureType.status_request_v2])
- ext3 = x509.TLSFeature([
- x509.TLSFeatureType.status_request,
- x509.TLSFeatureType.status_request_v2
- ])
+ ext3 = x509.TLSFeature(
+ [
+ x509.TLSFeatureType.status_request,
+ x509.TLSFeatureType.status_request_v2,
+ ]
+ )
assert ext1 != ext2
assert ext1 != ext3
assert ext1 != object()
@@ -157,10 +148,12 @@
def test_hash(self):
ext1 = x509.TLSFeature([x509.TLSFeatureType.status_request])
ext2 = x509.TLSFeature([x509.TLSFeatureType.status_request])
- ext3 = x509.TLSFeature([
- x509.TLSFeatureType.status_request,
- x509.TLSFeatureType.status_request_v2
- ])
+ ext3 = x509.TLSFeature(
+ [
+ x509.TLSFeatureType.status_request,
+ x509.TLSFeatureType.status_request_v2,
+ ]
+ )
assert hash(ext1) == hash(ext2)
assert hash(ext1) != hash(ext3)
@@ -178,10 +171,12 @@
assert list(ext2) == ext2_features
def test_indexing(self):
- ext = x509.TLSFeature([
- x509.TLSFeatureType.status_request,
- x509.TLSFeatureType.status_request_v2,
- ])
+ ext = x509.TLSFeature(
+ [
+ x509.TLSFeatureType.status_request,
+ x509.TLSFeatureType.status_request_v2,
+ ]
+ )
assert ext[-1] == ext[1]
assert ext[0] == x509.TLSFeatureType.status_request
@@ -245,10 +240,9 @@
class TestCertificateIssuer(object):
def test_iter_names(self):
- ci = x509.CertificateIssuer([
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
- ])
+ ci = x509.CertificateIssuer(
+ [x509.DNSName(u"cryptography.io"), x509.DNSName(u"crypto.local")]
+ )
assert len(ci) == 2
assert list(ci) == [
x509.DNSName(u"cryptography.io"),
@@ -256,13 +250,15 @@
]
def test_indexing(self):
- ci = x509.CertificateIssuer([
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
- x509.DNSName(u"another.local"),
- x509.RFC822Name(u"email@another.local"),
- x509.UniformResourceIdentifier(u"http://another.local"),
- ])
+ ci = x509.CertificateIssuer(
+ [
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"crypto.local"),
+ x509.DNSName(u"another.local"),
+ x509.RFC822Name(u"email@another.local"),
+ x509.UniformResourceIdentifier(u"http://another.local"),
+ ]
+ )
assert ci[-1] == ci[4]
assert ci[2:6:2] == [ci[2], ci[4]]
@@ -291,9 +287,7 @@
)
def test_get_values_for_type(self):
- ci = x509.CertificateIssuer(
- [x509.DNSName(u"cryptography.io")]
- )
+ ci = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
names = ci.get_values_for_type(x509.DNSName)
assert names == [u"cryptography.io"]
@@ -333,9 +327,7 @@
def test_repr(self):
reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
- assert repr(reason1) == (
- "<CRLReason(reason=ReasonFlags.unspecified)>"
- )
+ assert repr(reason1) == ("<CRLReason(reason=ReasonFlags.unspecified)>")
class TestDeltaCRLIndicator(object):
@@ -356,9 +348,7 @@
def test_repr(self):
delta1 = x509.DeltaCRLIndicator(2)
- assert repr(delta1) == (
- "<DeltaCRLIndicator(crl_number=2)>"
- )
+ assert repr(delta1) == ("<DeltaCRLIndicator(crl_number=2)>")
def test_hash(self):
delta1 = x509.DeltaCRLIndicator(1)
@@ -541,11 +531,11 @@
def test_eq(self):
pi = x509.PolicyInformation(
x509.ObjectIdentifier("1.2.3"),
- [u"string", x509.UserNotice(None, u"hi")]
+ [u"string", x509.UserNotice(None, u"hi")],
)
pi2 = x509.PolicyInformation(
x509.ObjectIdentifier("1.2.3"),
- [u"string", x509.UserNotice(None, u"hi")]
+ [u"string", x509.UserNotice(None, u"hi")],
)
assert pi == pi2
@@ -566,11 +556,11 @@
def test_hash(self):
pi = x509.PolicyInformation(
x509.ObjectIdentifier("1.2.3"),
- [u"string", x509.UserNotice(None, u"hi")]
+ [u"string", x509.UserNotice(None, u"hi")],
)
pi2 = x509.PolicyInformation(
x509.ObjectIdentifier("1.2.3"),
- [u"string", x509.UserNotice(None, u"hi")]
+ [u"string", x509.UserNotice(None, u"hi")],
)
pi3 = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), None)
assert hash(pi) == hash(pi2)
@@ -658,10 +648,9 @@
cert = _load_cert(
os.path.join("x509", "bigoid.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
- ext = cert.extensions.get_extension_for_class(
- x509.CertificatePolicies)
+ ext = cert.extensions.get_extension_for_class(x509.CertificatePolicies)
oid = x509.ObjectIdentifier(
"1.3.6.1.4.1.311.21.8.8950086.10656446.2706058"
@@ -694,19 +683,21 @@
cert = _load_cert(
os.path.join("x509", "custom", "cp_cps_uri.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
cp = cert.extensions.get_extension_for_oid(
ExtensionOID.CERTIFICATE_POLICIES
).value
- assert cp == x509.CertificatePolicies([
- x509.PolicyInformation(
- x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
- [u"http://other.com/cps"]
- )
- ])
+ assert cp == x509.CertificatePolicies(
+ [
+ x509.PolicyInformation(
+ x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
+ [u"http://other.com/cps"],
+ )
+ ]
+ )
def test_user_notice_with_notice_reference(self, backend):
cert = _load_cert(
@@ -714,26 +705,28 @@
"x509", "custom", "cp_user_notice_with_notice_reference.pem"
),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
cp = cert.extensions.get_extension_for_oid(
ExtensionOID.CERTIFICATE_POLICIES
).value
- assert cp == x509.CertificatePolicies([
- x509.PolicyInformation(
- x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
- [
- u"http://example.com/cps",
- u"http://other.com/cps",
- x509.UserNotice(
- x509.NoticeReference(u"my org", [1, 2, 3, 4]),
- u"thing"
- )
- ]
- )
- ])
+ assert cp == x509.CertificatePolicies(
+ [
+ x509.PolicyInformation(
+ x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
+ [
+ u"http://example.com/cps",
+ u"http://other.com/cps",
+ x509.UserNotice(
+ x509.NoticeReference(u"my org", [1, 2, 3, 4]),
+ u"thing",
+ ),
+ ],
+ )
+ ]
+ )
def test_user_notice_with_explicit_text(self, backend):
cert = _load_cert(
@@ -741,19 +734,21 @@
"x509", "custom", "cp_user_notice_with_explicit_text.pem"
),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
cp = cert.extensions.get_extension_for_oid(
ExtensionOID.CERTIFICATE_POLICIES
).value
- assert cp == x509.CertificatePolicies([
- x509.PolicyInformation(
- x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
- [x509.UserNotice(None, u"thing")]
- )
- ])
+ assert cp == x509.CertificatePolicies(
+ [
+ x509.PolicyInformation(
+ x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
+ [x509.UserNotice(None, u"thing")],
+ )
+ ]
+ )
def test_user_notice_no_explicit_text(self, backend):
cert = _load_cert(
@@ -761,24 +756,25 @@
"x509", "custom", "cp_user_notice_no_explicit_text.pem"
),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
cp = cert.extensions.get_extension_for_oid(
ExtensionOID.CERTIFICATE_POLICIES
).value
- assert cp == x509.CertificatePolicies([
- x509.PolicyInformation(
- x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
- [
- x509.UserNotice(
- x509.NoticeReference(u"my org", [1, 2, 3, 4]),
- None
- )
- ]
- )
- ])
+ assert cp == x509.CertificatePolicies(
+ [
+ x509.PolicyInformation(
+ x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
+ [
+ x509.UserNotice(
+ x509.NoticeReference(u"my org", [1, 2, 3, 4]), None
+ )
+ ],
+ )
+ ]
+ )
class TestKeyUsage(object):
@@ -793,7 +789,7 @@
key_cert_sign=False,
crl_sign=False,
encipher_only=True,
- decipher_only=False
+ decipher_only=False,
)
with pytest.raises(ValueError):
@@ -806,7 +802,7 @@
key_cert_sign=False,
crl_sign=False,
encipher_only=True,
- decipher_only=True
+ decipher_only=True,
)
with pytest.raises(ValueError):
@@ -819,7 +815,7 @@
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
- decipher_only=True
+ decipher_only=True,
)
def test_properties_key_agreement_true(self):
@@ -832,7 +828,7 @@
key_cert_sign=True,
crl_sign=False,
encipher_only=False,
- decipher_only=False
+ decipher_only=False,
)
assert ku.digital_signature is True
assert ku.content_commitment is True
@@ -852,7 +848,7 @@
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
- decipher_only=True
+ decipher_only=True,
)
assert ku.key_agreement is True
assert ku.encipher_only is False
@@ -868,7 +864,7 @@
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
- decipher_only=False
+ decipher_only=False,
)
assert ku.key_agreement is False
with pytest.raises(ValueError):
@@ -887,13 +883,13 @@
key_cert_sign=True,
crl_sign=False,
encipher_only=False,
- decipher_only=False
+ decipher_only=False,
)
assert repr(ku) == (
"<KeyUsage(digital_signature=True, content_commitment=True, key_en"
"cipherment=False, data_encipherment=False, key_agreement=False, k"
- "ey_cert_sign=True, crl_sign=False, encipher_only=None, decipher_o"
- "nly=None)>"
+ "ey_cert_sign=True, crl_sign=False, encipher_only=False, decipher_"
+ "only=False)>"
)
def test_repr_key_agreement_true(self):
@@ -906,7 +902,7 @@
key_cert_sign=True,
crl_sign=False,
encipher_only=False,
- decipher_only=False
+ decipher_only=False,
)
assert repr(ku) == (
"<KeyUsage(digital_signature=True, content_commitment=True, key_en"
@@ -925,7 +921,7 @@
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
- decipher_only=True
+ decipher_only=True,
)
ku2 = x509.KeyUsage(
digital_signature=False,
@@ -936,7 +932,7 @@
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
- decipher_only=True
+ decipher_only=True,
)
assert ku == ku2
@@ -950,7 +946,7 @@
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
- decipher_only=True
+ decipher_only=True,
)
ku2 = x509.KeyUsage(
digital_signature=False,
@@ -961,7 +957,7 @@
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
- decipher_only=False
+ decipher_only=False,
)
assert ku != ku2
assert ku != object()
@@ -976,7 +972,7 @@
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
- decipher_only=True
+ decipher_only=True,
)
ku2 = x509.KeyUsage(
digital_signature=False,
@@ -987,7 +983,7 @@
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
- decipher_only=True
+ decipher_only=True,
)
ku3 = x509.KeyUsage(
digital_signature=False,
@@ -998,7 +994,7 @@
key_cert_sign=False,
crl_sign=False,
encipher_only=False,
- decipher_only=False
+ decipher_only=False,
)
assert hash(ku) == hash(ku2)
assert hash(ku) != hash(ku3)
@@ -1019,15 +1015,15 @@
assert repr(ext) == (
"<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
"eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
- "igest=b\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
- "\\xf7\\xff:\\xc9\')>)>"
+ "igest=b'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
+ "\\xf7\\xff:\\xc9')>)>"
)
else:
assert repr(ext) == (
"<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
"eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
- "igest=\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
- "\\xf7\\xff:\\xc9\')>)>"
+ "igest='\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
+ "\\xf7\\xff:\\xc9')>)>"
)
def test_eq(self):
@@ -1070,16 +1066,16 @@
def test_authority_cert_serial_number_not_integer(self):
dirname = x509.DirectoryName(
- x509.Name([
- x509.NameAttribute(
- x509.ObjectIdentifier('2.999.1'),
- u'value1'
- ),
- x509.NameAttribute(
- x509.ObjectIdentifier('2.999.2'),
- u'value2'
- ),
- ])
+ x509.Name(
+ [
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.1"), u"value1"
+ ),
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.2"), u"value2"
+ ),
+ ]
+ )
)
with pytest.raises(TypeError):
x509.AuthorityKeyIdentifier(b"identifier", [dirname], "notanint")
@@ -1090,16 +1086,16 @@
def test_authority_issuer_not_none_serial_none(self):
dirname = x509.DirectoryName(
- x509.Name([
- x509.NameAttribute(
- x509.ObjectIdentifier('2.999.1'),
- u'value1'
- ),
- x509.NameAttribute(
- x509.ObjectIdentifier('2.999.2'),
- u'value2'
- ),
- ])
+ x509.Name(
+ [
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.1"), u"value1"
+ ),
+ x509.NameAttribute(
+ x509.ObjectIdentifier("2.999.2"), u"value2"
+ ),
+ ]
+ )
)
with pytest.raises(ValueError):
x509.AuthorityKeyIdentifier(b"identifier", [dirname], None)
@@ -1120,7 +1116,7 @@
def test_iter_input(self):
dirnames = [
x509.DirectoryName(
- x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
+ x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u"myCN")])
)
]
aki = x509.AuthorityKeyIdentifier(b"digest", iter(dirnames), 1234)
@@ -1128,7 +1124,7 @@
def test_repr(self):
dirname = x509.DirectoryName(
- x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
+ x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u"myCN")])
)
aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
@@ -1147,21 +1143,21 @@
def test_eq(self):
dirname = x509.DirectoryName(
- x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
+ x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u"myCN")])
)
aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
dirname2 = x509.DirectoryName(
- x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
+ x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u"myCN")])
)
aki2 = x509.AuthorityKeyIdentifier(b"digest", [dirname2], 1234)
assert aki == aki2
def test_ne(self):
dirname = x509.DirectoryName(
- x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
+ x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u"myCN")])
)
dirname5 = x509.DirectoryName(
- x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'aCN')])
+ x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u"aCN")])
)
aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
aki2 = x509.AuthorityKeyIdentifier(b"diges", [dirname], 1234)
@@ -1176,7 +1172,7 @@
def test_hash(self):
dirname = x509.DirectoryName(
- x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
+ x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u"myCN")])
)
aki1 = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
aki2 = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
@@ -1207,9 +1203,7 @@
def test_repr(self):
na = x509.BasicConstraints(ca=True, path_length=None)
- assert repr(na) == (
- "<BasicConstraints(ca=True, path_length=None)>"
- )
+ assert repr(na) == ("<BasicConstraints(ca=True, path_length=None)>")
def test_hash(self):
na = x509.BasicConstraints(ca=True, path_length=None)
@@ -1238,14 +1232,16 @@
x509.ExtendedKeyUsage(["notoid"])
def test_iter_len(self):
- eku = x509.ExtendedKeyUsage([
- x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
- x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
- ])
+ eku = x509.ExtendedKeyUsage(
+ [
+ x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
+ x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
+ ]
+ )
assert len(eku) == 2
assert list(eku) == [
ExtendedKeyUsageOID.SERVER_AUTH,
- ExtendedKeyUsageOID.CLIENT_AUTH
+ ExtendedKeyUsageOID.CLIENT_AUTH,
]
def test_iter_input(self):
@@ -1257,10 +1253,12 @@
assert list(aia) == usages
def test_repr(self):
- eku = x509.ExtendedKeyUsage([
- x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
- x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
- ])
+ eku = x509.ExtendedKeyUsage(
+ [
+ x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
+ x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
+ ]
+ )
assert repr(eku) == (
"<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name="
"serverAuth)>, <ObjectIdentifier(oid=1.3.6.1.5.5.7.3.2, name=clien"
@@ -1268,12 +1266,12 @@
)
def test_eq(self):
- eku = x509.ExtendedKeyUsage([
- x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
- ])
- eku2 = x509.ExtendedKeyUsage([
- x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
- ])
+ eku = x509.ExtendedKeyUsage(
+ [x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")]
+ )
+ eku2 = x509.ExtendedKeyUsage(
+ [x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")]
+ )
assert eku == eku2
def test_ne(self):
@@ -1283,12 +1281,12 @@
assert eku != object()
def test_hash(self):
- eku = x509.ExtendedKeyUsage([
- x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
- ])
- eku2 = x509.ExtendedKeyUsage([
- x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
- ])
+ eku = x509.ExtendedKeyUsage(
+ [x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")]
+ )
+ eku2 = x509.ExtendedKeyUsage(
+ [x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")]
+ )
eku3 = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6")])
assert hash(eku) == hash(eku2)
assert hash(eku) != hash(eku3)
@@ -1301,7 +1299,7 @@
cert = _load_cert(
os.path.join("x509", "verisign_md2_root.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions
assert len(ext) == 0
@@ -1317,7 +1315,7 @@
"x509", "custom", "basic_constraints_not_critical.pem"
),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
extensions = cert.extensions
ext = extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
@@ -1326,11 +1324,9 @@
def test_duplicate_extension(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom", "two_basic_constraints.pem"
- ),
+ os.path.join("x509", "custom", "two_basic_constraints.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
with pytest.raises(x509.DuplicateExtension) as exc:
cert.extensions
@@ -1343,7 +1339,7 @@
"x509", "custom", "unsupported_extension_critical.pem"
),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
x509.ObjectIdentifier("1.2.3.4")
@@ -1353,11 +1349,9 @@
@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
def test_unsupported_extension(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom", "unsupported_extension_2.pem"
- ),
+ os.path.join("x509", "custom", "unsupported_extension_2.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
extensions = cert.extensions
assert len(extensions) == 2
@@ -1367,24 +1361,21 @@
)
assert extensions[0].value == x509.UnrecognizedExtension(
x509.ObjectIdentifier("1.3.6.1.4.1.41482.2"),
- b"1.3.6.1.4.1.41482.1.2"
+ b"1.3.6.1.4.1.41482.1.2",
)
assert extensions[1].critical is False
assert extensions[1].oid == x509.ObjectIdentifier(
"1.3.6.1.4.1.45724.2.1.1"
)
assert extensions[1].value == x509.UnrecognizedExtension(
- x509.ObjectIdentifier("1.3.6.1.4.1.45724.2.1.1"),
- b"\x03\x02\x040"
+ x509.ObjectIdentifier("1.3.6.1.4.1.45724.2.1.1"), b"\x03\x02\x040"
)
def test_no_extensions_get_for_class(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "cryptography.io.pem"
- ),
+ os.path.join("x509", "cryptography.io.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
exts = cert.extensions
with pytest.raises(x509.ExtensionNotFound) as exc:
@@ -1400,7 +1391,7 @@
cert = _load_cert(
os.path.join("x509", "cryptography.io.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
exts = cert.extensions
assert exts[-1] == exts[7]
@@ -1412,7 +1403,7 @@
"x509", "custom", "basic_constraints_not_critical.pem"
),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_class(x509.BasicConstraints)
assert ext is not None
@@ -1424,7 +1415,7 @@
"x509", "custom", "basic_constraints_not_critical.pem"
),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert repr(cert.extensions) == (
"<Extensions([<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name"
@@ -1442,7 +1433,7 @@
"x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
),
x509.load_der_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.BASIC_CONSTRAINTS
@@ -1456,7 +1447,7 @@
cert = _load_cert(
os.path.join("x509", "custom", "bc_path_length_zero.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.BASIC_CONSTRAINTS
@@ -1470,7 +1461,7 @@
cert = _load_cert(
os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
x509.load_der_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.BASIC_CONSTRAINTS
@@ -1484,7 +1475,7 @@
cert = _load_cert(
os.path.join("x509", "cryptography.io.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.BASIC_CONSTRAINTS
@@ -1500,10 +1491,10 @@
"x509",
"PKITS_data",
"certs",
- "ValidCertificatePathTest1EE.crt"
+ "ValidCertificatePathTest1EE.crt",
),
x509.load_der_x509_certificate,
- backend
+ backend,
)
with pytest.raises(x509.ExtensionNotFound):
cert.extensions.get_extension_for_oid(
@@ -1516,7 +1507,7 @@
"x509", "custom", "basic_constraints_not_critical.pem"
),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.BASIC_CONSTRAINTS
@@ -1533,7 +1524,7 @@
cert = _load_cert(
os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
x509.load_der_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.SUBJECT_KEY_IDENTIFIER
@@ -1551,7 +1542,7 @@
cert = _load_cert(
os.path.join("x509", "custom", "bc_path_length_zero.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
with pytest.raises(x509.ExtensionNotFound):
cert.extensions.get_extension_for_oid(
@@ -1564,14 +1555,12 @@
cert = _load_cert(
os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
x509.load_der_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.SUBJECT_KEY_IDENTIFIER
)
- ski = x509.SubjectKeyIdentifier.from_public_key(
- cert.public_key()
- )
+ ski = x509.SubjectKeyIdentifier.from_public_key(cert.public_key())
assert ext.value == ski
@pytest.mark.requires_backend_interface(interface=DSABackend)
@@ -1580,17 +1569,49 @@
cert = _load_cert(
os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.SUBJECT_KEY_IDENTIFIER
)
- ski = x509.SubjectKeyIdentifier.from_public_key(
- cert.public_key()
- )
+ ski = x509.SubjectKeyIdentifier.from_public_key(cert.public_key())
assert ext.value == ski
+ @pytest.mark.requires_backend_interface(interface=DSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_invalid_bit_string_padding_from_public_key(self, backend):
+ data = load_vectors_from_file(
+ filename=os.path.join(
+ "asymmetric",
+ "DER_Serialization",
+ "dsa_public_key_invalid_bit_string.der",
+ ),
+ loader=lambda data: data.read(),
+ mode="rb",
+ )
+ pretend_key = pretend.stub(public_bytes=lambda x, y: data)
+ with pytest.raises(ValueError):
+ _key_identifier_from_public_key(pretend_key)
+
+ @pytest.mark.requires_backend_interface(interface=DSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_no_optional_params_allowed_from_public_key(self, backend):
+ data = load_vectors_from_file(
+ filename=os.path.join(
+ "asymmetric",
+ "DER_Serialization",
+ "dsa_public_key_no_params.der",
+ ),
+ loader=lambda data: data.read(),
+ mode="rb",
+ )
+ pretend_key = pretend.stub(public_bytes=lambda x, y: data)
+ key_identifier = _key_identifier_from_public_key(pretend_key)
+ assert key_identifier == binascii.unhexlify(
+ b"24c0133a6a492f2c48a18c7648e515db5ac76749"
+ )
+
@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_from_ec_public_key(self, backend):
@@ -1598,15 +1619,49 @@
cert = _load_cert(
os.path.join("x509", "ecdsa_root.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.SUBJECT_KEY_IDENTIFIER
)
- ski = x509.SubjectKeyIdentifier.from_public_key(
- cert.public_key()
+ ski = x509.SubjectKeyIdentifier.from_public_key(cert.public_key())
+ assert ext.value == ski
+
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.ed25519_supported(),
+ skip_message="Requires OpenSSL with Ed25519 support",
+ )
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_from_ed25519_public_key(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "ed25519", "root-ed25519.pem"),
+ x509.load_pem_x509_certificate,
+ backend,
)
+
+ ext = cert.extensions.get_extension_for_oid(
+ ExtensionOID.SUBJECT_KEY_IDENTIFIER
+ )
+ ski = x509.SubjectKeyIdentifier.from_public_key(cert.public_key())
+ assert ext.value == ski
+
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.ed448_supported(),
+ skip_message="Requires OpenSSL with Ed448 support",
+ )
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_from_ed448_public_key(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "ed448", "root-ed448.pem"),
+ x509.load_pem_x509_certificate,
+ backend,
+ )
+
+ ext = cert.extensions.get_extension_for_oid(
+ ExtensionOID.SUBJECT_KEY_IDENTIFIER
+ )
+ ski = x509.SubjectKeyIdentifier.from_public_key(cert.public_key())
assert ext.value == ski
@@ -1617,7 +1672,7 @@
cert = _load_cert(
os.path.join("x509", "verisign_md2_root.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions
with pytest.raises(x509.ExtensionNotFound) as exc:
@@ -1627,11 +1682,9 @@
def test_all_purposes(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom", "all_key_usages.pem"
- ),
+ os.path.join("x509", "custom", "all_key_usages.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
extensions = cert.extensions
ext = extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
@@ -1654,7 +1707,7 @@
"x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
),
x509.load_der_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
assert ext is not None
@@ -1671,15 +1724,9 @@
class TestDNSName(object):
- def test_init_deprecated(self):
- pytest.importorskip("idna")
- with pytest.warns(utils.DeprecatedIn21):
- name = x509.DNSName(u".\xf5\xe4\xf6\xfc.example.com")
- assert name.value == u".xn--4ca7aey.example.com"
-
- with pytest.warns(utils.DeprecatedIn21):
- name = x509.DNSName(u"\xf5\xe4\xf6\xfc.example.com")
- assert name.value == u"xn--4ca7aey.example.com"
+ def test_non_a_label(self):
+ with pytest.raises(ValueError):
+ x509.DNSName(u".\xf5\xe4\xf6\xfc.example.com")
def test_init(self):
name = x509.DNSName(u"*.xn--4ca7aey.example.com")
@@ -1715,40 +1762,40 @@
x509.DirectoryName(1.3)
def test_repr(self):
- name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'value1')])
+ name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u"value1")])
gn = x509.DirectoryName(name)
assert repr(gn) == "<DirectoryName(value=<Name(CN=value1)>)>"
def test_eq(self):
- name = x509.Name([
- x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
- ])
- name2 = x509.Name([
- x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
- ])
+ name = x509.Name(
+ [x509.NameAttribute(x509.ObjectIdentifier("2.999.1"), u"value1")]
+ )
+ name2 = x509.Name(
+ [x509.NameAttribute(x509.ObjectIdentifier("2.999.1"), u"value1")]
+ )
gn = x509.DirectoryName(name)
gn2 = x509.DirectoryName(name2)
assert gn == gn2
def test_ne(self):
- name = x509.Name([
- x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
- ])
- name2 = x509.Name([
- x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
- ])
+ name = x509.Name(
+ [x509.NameAttribute(x509.ObjectIdentifier("2.999.1"), u"value1")]
+ )
+ name2 = x509.Name(
+ [x509.NameAttribute(x509.ObjectIdentifier("2.999.2"), u"value2")]
+ )
gn = x509.DirectoryName(name)
gn2 = x509.DirectoryName(name2)
assert gn != gn2
assert gn != object()
def test_hash(self):
- name = x509.Name([
- x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
- ])
- name2 = x509.Name([
- x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
- ])
+ name = x509.Name(
+ [x509.NameAttribute(x509.ObjectIdentifier("2.999.1"), u"value1")]
+ )
+ name2 = x509.Name(
+ [x509.NameAttribute(x509.ObjectIdentifier("2.999.2"), u"value2")]
+ )
gn = x509.DirectoryName(name)
gn2 = x509.DirectoryName(name)
gn3 = x509.DirectoryName(name2)
@@ -1790,15 +1837,9 @@
gn = x509.RFC822Name(u"administrator")
assert gn.value == u"administrator"
- def test_idna(self):
- pytest.importorskip("idna")
- with pytest.warns(utils.DeprecatedIn21):
- gn = x509.RFC822Name(u"email@em\xe5\xefl.com")
-
- assert gn.value == u"email@xn--eml-vla4c.com"
-
- gn2 = x509.RFC822Name(u"email@xn--eml-vla4c.com")
- assert gn2.value == u"email@xn--eml-vla4c.com"
+ def test_non_a_label(self):
+ with pytest.raises(ValueError):
+ x509.RFC822Name(u"email@em\xe5\xefl.com")
def test_hash(self):
g1 = x509.RFC822Name(u"email@host.com")
@@ -1830,41 +1871,16 @@
gn = x509.UniformResourceIdentifier(u"singlelabel:443/test")
assert gn.value == u"singlelabel:443/test"
- def test_idna_no_port(self):
- pytest.importorskip("idna")
- with pytest.warns(utils.DeprecatedIn21):
- gn = x509.UniformResourceIdentifier(
+ def test_non_a_label(self):
+ with pytest.raises(ValueError):
+ x509.UniformResourceIdentifier(
u"http://\u043f\u044b\u043a\u0430.cryptography"
)
- assert gn.value == u"http://xn--80ato2c.cryptography"
-
- def test_idna_with_port(self):
- pytest.importorskip("idna")
- with pytest.warns(utils.DeprecatedIn21):
- gn = x509.UniformResourceIdentifier(
- u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
- )
-
- assert gn.value == (
- u"gopher://xn--80ato2c.cryptography:70/some/path"
- )
-
def test_empty_hostname(self):
gn = x509.UniformResourceIdentifier(u"ldap:///some-nonsense")
assert gn.value == "ldap:///some-nonsense"
- def test_query_and_fragment(self):
- pytest.importorskip("idna")
- with pytest.warns(utils.DeprecatedIn21):
- gn = x509.UniformResourceIdentifier(
- u"ldap://\u043f\u044b\u043a\u0430.cryptography:90/path?query="
- u"true#somedata"
- )
- assert gn.value == (
- u"ldap://xn--80ato2c.cryptography:90/path?query=true#somedata"
- )
-
def test_hash(self):
g1 = x509.UniformResourceIdentifier(u"http://host.com")
g2 = x509.UniformResourceIdentifier(u"http://host.com")
@@ -1876,13 +1892,9 @@
def test_repr(self):
gn = x509.UniformResourceIdentifier(u"string")
if not six.PY2:
- assert repr(gn) == (
- "<UniformResourceIdentifier(value='string')>"
- )
+ assert repr(gn) == ("<UniformResourceIdentifier(value='string')>")
else:
- assert repr(gn) == (
- "<UniformResourceIdentifier(value=u'string')>"
- )
+ assert repr(gn) == ("<UniformResourceIdentifier(value=u'string')>")
class TestRegisteredID(object):
@@ -2017,17 +2029,14 @@
class TestGeneralNames(object):
def test_get_values_for_type(self):
- gns = x509.GeneralNames(
- [x509.DNSName(u"cryptography.io")]
- )
+ gns = x509.GeneralNames([x509.DNSName(u"cryptography.io")])
names = gns.get_values_for_type(x509.DNSName)
assert names == [u"cryptography.io"]
def test_iter_names(self):
- gns = x509.GeneralNames([
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
- ])
+ gns = x509.GeneralNames(
+ [x509.DNSName(u"cryptography.io"), x509.DNSName(u"crypto.local")]
+ )
assert len(gns) == 2
assert list(gns) == [
x509.DNSName(u"cryptography.io"),
@@ -2043,28 +2052,24 @@
assert list(gns) == names
def test_indexing(self):
- gn = x509.GeneralNames([
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
- x509.DNSName(u"another.local"),
- x509.RFC822Name(u"email@another.local"),
- x509.UniformResourceIdentifier(u"http://another.local"),
- ])
+ gn = x509.GeneralNames(
+ [
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"crypto.local"),
+ x509.DNSName(u"another.local"),
+ x509.RFC822Name(u"email@another.local"),
+ x509.UniformResourceIdentifier(u"http://another.local"),
+ ]
+ )
assert gn[-1] == gn[4]
assert gn[2:6:2] == [gn[2], gn[4]]
def test_invalid_general_names(self):
with pytest.raises(TypeError):
- x509.GeneralNames(
- [x509.DNSName(u"cryptography.io"), "invalid"]
- )
+ x509.GeneralNames([x509.DNSName(u"cryptography.io"), "invalid"])
def test_repr(self):
- gns = x509.GeneralNames(
- [
- x509.DNSName(u"cryptography.io")
- ]
- )
+ gns = x509.GeneralNames([x509.DNSName(u"cryptography.io")])
if not six.PY2:
assert repr(gns) == (
"<GeneralNames([<DNSName(value='cryptography.io')>])>"
@@ -2075,21 +2080,13 @@
)
def test_eq(self):
- gns = x509.GeneralNames(
- [x509.DNSName(u"cryptography.io")]
- )
- gns2 = x509.GeneralNames(
- [x509.DNSName(u"cryptography.io")]
- )
+ gns = x509.GeneralNames([x509.DNSName(u"cryptography.io")])
+ gns2 = x509.GeneralNames([x509.DNSName(u"cryptography.io")])
assert gns == gns2
def test_ne(self):
- gns = x509.GeneralNames(
- [x509.DNSName(u"cryptography.io")]
- )
- gns2 = x509.GeneralNames(
- [x509.RFC822Name(u"admin@cryptography.io")]
- )
+ gns = x509.GeneralNames([x509.DNSName(u"cryptography.io")])
+ gns2 = x509.GeneralNames([x509.RFC822Name(u"admin@cryptography.io")])
assert gns != gns2
assert gns != object()
@@ -2103,17 +2100,14 @@
class TestIssuerAlternativeName(object):
def test_get_values_for_type(self):
- san = x509.IssuerAlternativeName(
- [x509.DNSName(u"cryptography.io")]
- )
+ san = x509.IssuerAlternativeName([x509.DNSName(u"cryptography.io")])
names = san.get_values_for_type(x509.DNSName)
assert names == [u"cryptography.io"]
def test_iter_names(self):
- san = x509.IssuerAlternativeName([
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
- ])
+ san = x509.IssuerAlternativeName(
+ [x509.DNSName(u"cryptography.io"), x509.DNSName(u"crypto.local")]
+ )
assert len(san) == 2
assert list(san) == [
x509.DNSName(u"cryptography.io"),
@@ -2121,13 +2115,15 @@
]
def test_indexing(self):
- ian = x509.IssuerAlternativeName([
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
- x509.DNSName(u"another.local"),
- x509.RFC822Name(u"email@another.local"),
- x509.UniformResourceIdentifier(u"http://another.local"),
- ])
+ ian = x509.IssuerAlternativeName(
+ [
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"crypto.local"),
+ x509.DNSName(u"another.local"),
+ x509.RFC822Name(u"email@another.local"),
+ x509.UniformResourceIdentifier(u"http://another.local"),
+ ]
+ )
assert ian[-1] == ian[4]
assert ian[2:6:2] == [ian[2], ian[4]]
@@ -2138,11 +2134,7 @@
)
def test_repr(self):
- san = x509.IssuerAlternativeName(
- [
- x509.DNSName(u"cryptography.io")
- ]
- )
+ san = x509.IssuerAlternativeName([x509.DNSName(u"cryptography.io")])
if not six.PY2:
assert repr(san) == (
"<IssuerAlternativeName("
@@ -2155,18 +2147,12 @@
)
def test_eq(self):
- san = x509.IssuerAlternativeName(
- [x509.DNSName(u"cryptography.io")]
- )
- san2 = x509.IssuerAlternativeName(
- [x509.DNSName(u"cryptography.io")]
- )
+ san = x509.IssuerAlternativeName([x509.DNSName(u"cryptography.io")])
+ san2 = x509.IssuerAlternativeName([x509.DNSName(u"cryptography.io")])
assert san == san2
def test_ne(self):
- san = x509.IssuerAlternativeName(
- [x509.DNSName(u"cryptography.io")]
- )
+ san = x509.IssuerAlternativeName([x509.DNSName(u"cryptography.io")])
san2 = x509.IssuerAlternativeName(
[x509.RFC822Name(u"admin@cryptography.io")]
)
@@ -2228,17 +2214,14 @@
class TestSubjectAlternativeName(object):
def test_get_values_for_type(self):
- san = x509.SubjectAlternativeName(
- [x509.DNSName(u"cryptography.io")]
- )
+ san = x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")])
names = san.get_values_for_type(x509.DNSName)
assert names == [u"cryptography.io"]
def test_iter_names(self):
- san = x509.SubjectAlternativeName([
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
- ])
+ san = x509.SubjectAlternativeName(
+ [x509.DNSName(u"cryptography.io"), x509.DNSName(u"crypto.local")]
+ )
assert len(san) == 2
assert list(san) == [
x509.DNSName(u"cryptography.io"),
@@ -2246,13 +2229,15 @@
]
def test_indexing(self):
- san = x509.SubjectAlternativeName([
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
- x509.DNSName(u"another.local"),
- x509.RFC822Name(u"email@another.local"),
- x509.UniformResourceIdentifier(u"http://another.local"),
- ])
+ san = x509.SubjectAlternativeName(
+ [
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"crypto.local"),
+ x509.DNSName(u"another.local"),
+ x509.RFC822Name(u"email@another.local"),
+ x509.UniformResourceIdentifier(u"http://another.local"),
+ ]
+ )
assert san[-1] == san[4]
assert san[2:6:2] == [san[2], san[4]]
@@ -2263,11 +2248,7 @@
)
def test_repr(self):
- san = x509.SubjectAlternativeName(
- [
- x509.DNSName(u"cryptography.io")
- ]
- )
+ san = x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")])
if not six.PY2:
assert repr(san) == (
"<SubjectAlternativeName("
@@ -2280,18 +2261,12 @@
)
def test_eq(self):
- san = x509.SubjectAlternativeName(
- [x509.DNSName(u"cryptography.io")]
- )
- san2 = x509.SubjectAlternativeName(
- [x509.DNSName(u"cryptography.io")]
- )
+ san = x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")])
+ san2 = x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")])
assert san == san2
def test_ne(self):
- san = x509.SubjectAlternativeName(
- [x509.DNSName(u"cryptography.io")]
- )
+ san = x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")])
san2 = x509.SubjectAlternativeName(
[x509.RFC822Name(u"admin@cryptography.io")]
)
@@ -2315,7 +2290,7 @@
cert = _load_cert(
os.path.join("x509", "cryptography.io.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.SUBJECT_ALTERNATIVE_NAME
@@ -2332,7 +2307,7 @@
cert = _load_cert(
os.path.join("x509", "wildcard_san.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.SUBJECT_ALTERNATIVE_NAME
@@ -2340,45 +2315,43 @@
dns = ext.value.get_values_for_type(x509.DNSName)
assert dns == [
- u'*.langui.sh',
- u'langui.sh',
- u'*.saseliminator.com',
- u'saseliminator.com'
+ u"*.langui.sh",
+ u"langui.sh",
+ u"*.saseliminator.com",
+ u"saseliminator.com",
]
def test_san_empty_hostname(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom", "san_empty_hostname.pem"
- ),
+ os.path.join("x509", "custom", "san_empty_hostname.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
san = cert.extensions.get_extension_for_oid(
ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
dns = san.value.get_values_for_type(x509.DNSName)
- assert dns == [u'']
+ assert dns == [u""]
def test_san_wildcard_idna_dns_name(self, backend):
cert = _load_cert(
os.path.join("x509", "custom", "san_wildcard_idna.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
dns = ext.value.get_values_for_type(x509.DNSName)
- assert dns == [u'*.xn--80ato2c.cryptography']
+ assert dns == [u"*.xn--80ato2c.cryptography"]
def test_unsupported_gn(self, backend):
cert = _load_cert(
os.path.join("x509", "san_x400address.der"),
x509.load_der_x509_certificate,
- backend
+ backend,
)
with pytest.raises(x509.UnsupportedGeneralNameType) as exc:
cert.extensions
@@ -2387,11 +2360,9 @@
def test_registered_id(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom", "san_registered_id.pem"
- ),
+ os.path.join("x509", "custom", "san_registered_id.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.SUBJECT_ALTERNATIVE_NAME
@@ -2405,32 +2376,25 @@
def test_uri(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom", "san_uri_with_port.pem"
- ),
+ os.path.join("x509", "custom", "san_uri_with_port.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert ext is not None
- uri = ext.value.get_values_for_type(
- x509.UniformResourceIdentifier
- )
+ uri = ext.value.get_values_for_type(x509.UniformResourceIdentifier)
assert uri == [
- u"gopher://xn--80ato2c.cryptography:70/path?q=s#hel"
- u"lo",
+ u"gopher://xn--80ato2c.cryptography:70/path?q=s#hel" u"lo",
u"http://someregulardomain.com",
]
def test_ipaddress(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom", "san_ipaddr.pem"
- ),
+ os.path.join("x509", "custom", "san_ipaddr.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.SUBJECT_ALTERNATIVE_NAME
@@ -2443,16 +2407,14 @@
ip = san.get_values_for_type(x509.IPAddress)
assert [
ipaddress.ip_address(u"127.0.0.1"),
- ipaddress.ip_address(u"ff::")
+ ipaddress.ip_address(u"ff::"),
] == ip
def test_dirname(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom", "san_dirname.pem"
- ),
+ os.path.join("x509", "custom", "san_dirname.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.SUBJECT_ALTERNATIVE_NAME
@@ -2464,20 +2426,22 @@
dirname = san.get_values_for_type(x509.DirectoryName)
assert [
- x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u'test'),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org'),
- x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
- ])
+ x509.Name(
+ [
+ x509.NameAttribute(NameOID.COMMON_NAME, u"test"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"Org"),
+ x509.NameAttribute(
+ NameOID.STATE_OR_PROVINCE_NAME, u"Texas"
+ ),
+ ]
+ )
] == dirname
def test_rfc822name(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom", "san_rfc822_idna.pem"
- ),
+ os.path.join("x509", "custom", "san_rfc822_idna.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.SUBJECT_ALTERNATIVE_NAME
@@ -2492,11 +2456,9 @@
def test_idna2003_invalid(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom", "san_idna2003_dnsname.pem"
- ),
+ os.path.join("x509", "custom", "san_idna2003_dnsname.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
san = cert.extensions.get_extension_for_class(
x509.SubjectAlternativeName
@@ -2508,11 +2470,9 @@
def test_unicode_rfc822_name_dns_name_uri(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom", "san_idna_names.pem"
- ),
+ os.path.join("x509", "custom", "san_idna_names.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.SUBJECT_ALTERNATIVE_NAME
@@ -2527,11 +2487,9 @@
def test_rfc822name_dnsname_ipaddress_directoryname_uri(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom", "san_email_dns_ip_dirname_uri.pem"
- ),
+ os.path.join("x509", "custom", "san_email_dns_ip_dirname_uri.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.SUBJECT_ALTERNATIVE_NAME
@@ -2550,42 +2508,43 @@
assert [u"https://cryptography.io"] == uri
assert [u"cryptography.io"] == dns
assert [
- x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u'dirCN'),
- x509.NameAttribute(
- NameOID.ORGANIZATION_NAME, u'Cryptographic Authority'
- ),
- ])
+ x509.Name(
+ [
+ x509.NameAttribute(NameOID.COMMON_NAME, u"dirCN"),
+ x509.NameAttribute(
+ NameOID.ORGANIZATION_NAME, u"Cryptographic Authority"
+ ),
+ ]
+ )
] == dirname
assert [
ipaddress.ip_address(u"127.0.0.1"),
- ipaddress.ip_address(u"ff::")
+ ipaddress.ip_address(u"ff::"),
] == ip
def test_invalid_rfc822name(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom", "san_rfc822_names.pem"
- ),
+ os.path.join("x509", "custom", "san_rfc822_names.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
san = cert.extensions.get_extension_for_class(
x509.SubjectAlternativeName
).value
values = san.get_values_for_type(x509.RFC822Name)
assert values == [
- u'email', u'email <email>', u'email <email@email>',
- u'email <email@xn--eml-vla4c.com>', u'myemail:'
+ u"email",
+ u"email <email>",
+ u"email <email@email>",
+ u"email <email@xn--eml-vla4c.com>",
+ u"myemail:",
]
def test_other_name(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom", "san_other_name.pem"
- ),
+ os.path.join("x509", "custom", "san_other_name.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
@@ -2594,8 +2553,9 @@
assert ext is not None
assert ext.critical is False
- expected = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"),
- b'\x16\x0bHello World')
+ expected = x509.OtherName(
+ x509.ObjectIdentifier("1.2.3.4"), b"\x16\x0bHello World"
+ )
assert len(ext.value) == 1
assert list(ext.value)[0] == expected
@@ -2603,12 +2563,16 @@
assert othernames == [expected]
def test_certbuilder(self, backend):
- sans = [u'*.example.org', u'*.xn--4ca7aey.example.com',
- u'foobar.example.net']
+ sans = [
+ u"*.example.org",
+ u"*.xn--4ca7aey.example.com",
+ u"foobar.example.net",
+ ]
private_key = RSA_KEY_2048.private_key(backend)
builder = _make_certbuilder(private_key)
builder = builder.add_extension(
- SubjectAlternativeName(list(map(DNSName, sans))), True)
+ SubjectAlternativeName(list(map(DNSName, sans))), True
+ )
cert = builder.sign(private_key, hashes.SHA1(), backend)
result = [
@@ -2625,11 +2589,9 @@
class TestExtendedKeyUsageExtension(object):
def test_eku(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom", "extended_key_usage.pem"
- ),
+ os.path.join("x509", "custom", "extended_key_usage.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.EXTENDED_KEY_USAGE
@@ -2663,14 +2625,14 @@
def test_valid_nonstandard_method(self):
ad = x509.AccessDescription(
ObjectIdentifier("2.999.1"),
- x509.UniformResourceIdentifier(u"http://example.com")
+ x509.UniformResourceIdentifier(u"http://example.com"),
)
assert ad is not None
def test_repr(self):
ad = x509.AccessDescription(
AuthorityInformationAccessOID.OCSP,
- x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
+ x509.UniformResourceIdentifier(u"http://ocsp.domain.com"),
)
if not six.PY2:
assert repr(ad) == (
@@ -2688,26 +2650,26 @@
def test_eq(self):
ad = x509.AccessDescription(
AuthorityInformationAccessOID.OCSP,
- x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
+ x509.UniformResourceIdentifier(u"http://ocsp.domain.com"),
)
ad2 = x509.AccessDescription(
AuthorityInformationAccessOID.OCSP,
- x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
+ x509.UniformResourceIdentifier(u"http://ocsp.domain.com"),
)
assert ad == ad2
def test_ne(self):
ad = x509.AccessDescription(
AuthorityInformationAccessOID.OCSP,
- x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
+ x509.UniformResourceIdentifier(u"http://ocsp.domain.com"),
)
ad2 = x509.AccessDescription(
AuthorityInformationAccessOID.CA_ISSUERS,
- x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
+ x509.UniformResourceIdentifier(u"http://ocsp.domain.com"),
)
ad3 = x509.AccessDescription(
AuthorityInformationAccessOID.OCSP,
- x509.UniformResourceIdentifier(u"http://notthesame")
+ x509.UniformResourceIdentifier(u"http://notthesame"),
)
assert ad != ad2
assert ad != ad3
@@ -2716,15 +2678,15 @@
def test_hash(self):
ad = x509.AccessDescription(
AuthorityInformationAccessOID.OCSP,
- x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
+ x509.UniformResourceIdentifier(u"http://ocsp.domain.com"),
)
ad2 = x509.AccessDescription(
AuthorityInformationAccessOID.OCSP,
- x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
+ x509.UniformResourceIdentifier(u"http://ocsp.domain.com"),
)
ad3 = x509.AccessDescription(
AuthorityInformationAccessOID.CA_ISSUERS,
- x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
+ x509.UniformResourceIdentifier(u"http://ocsp.domain.com"),
)
assert hash(ad) == hash(ad2)
assert hash(ad) != hash(ad3)
@@ -2779,7 +2741,7 @@
cert = _load_cert(
os.path.join("x509", "department-of-state-root.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.POLICY_CONSTRAINTS,
@@ -2787,21 +2749,23 @@
assert ext.critical is True
assert ext.value == x509.PolicyConstraints(
- require_explicit_policy=None, inhibit_policy_mapping=0,
+ require_explicit_policy=None,
+ inhibit_policy_mapping=0,
)
def test_require_explicit_policy(self, backend):
cert = _load_cert(
os.path.join("x509", "custom", "policy_constraints_explicit.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.POLICY_CONSTRAINTS
)
assert ext.critical is True
assert ext.value == x509.PolicyConstraints(
- require_explicit_policy=1, inhibit_policy_mapping=None,
+ require_explicit_policy=1,
+ inhibit_policy_mapping=None,
)
@@ -2811,49 +2775,57 @@
x509.AuthorityInformationAccess(["notanAccessDescription"])
def test_iter_len(self):
- aia = x509.AuthorityInformationAccess([
- x509.AccessDescription(
- AuthorityInformationAccessOID.OCSP,
- x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
- ),
- x509.AccessDescription(
- AuthorityInformationAccessOID.CA_ISSUERS,
- x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
- )
- ])
+ aia = x509.AuthorityInformationAccess(
+ [
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.OCSP,
+ x509.UniformResourceIdentifier(u"http://ocsp.domain.com"),
+ ),
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.CA_ISSUERS,
+ x509.UniformResourceIdentifier(
+ u"http://domain.com/ca.crt"
+ ),
+ ),
+ ]
+ )
assert len(aia) == 2
assert list(aia) == [
x509.AccessDescription(
AuthorityInformationAccessOID.OCSP,
- x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
+ x509.UniformResourceIdentifier(u"http://ocsp.domain.com"),
),
x509.AccessDescription(
AuthorityInformationAccessOID.CA_ISSUERS,
- x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
- )
+ x509.UniformResourceIdentifier(u"http://domain.com/ca.crt"),
+ ),
]
def test_iter_input(self):
desc = [
x509.AccessDescription(
AuthorityInformationAccessOID.OCSP,
- x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
+ x509.UniformResourceIdentifier(u"http://ocsp.domain.com"),
)
]
aia = x509.AuthorityInformationAccess(iter(desc))
assert list(aia) == desc
def test_repr(self):
- aia = x509.AuthorityInformationAccess([
- x509.AccessDescription(
- AuthorityInformationAccessOID.OCSP,
- x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
- ),
- x509.AccessDescription(
- AuthorityInformationAccessOID.CA_ISSUERS,
- x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
- )
- ])
+ aia = x509.AuthorityInformationAccess(
+ [
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.OCSP,
+ x509.UniformResourceIdentifier(u"http://ocsp.domain.com"),
+ ),
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.CA_ISSUERS,
+ x509.UniformResourceIdentifier(
+ u"http://domain.com/ca.crt"
+ ),
+ ),
+ ]
+ )
if not six.PY2:
assert repr(aia) == (
"<AuthorityInformationAccess([<AccessDescription(access_method"
@@ -2876,110 +2848,356 @@
)
def test_eq(self):
- aia = x509.AuthorityInformationAccess([
- x509.AccessDescription(
- AuthorityInformationAccessOID.OCSP,
- x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
- ),
- x509.AccessDescription(
- AuthorityInformationAccessOID.CA_ISSUERS,
- x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
- )
- ])
- aia2 = x509.AuthorityInformationAccess([
- x509.AccessDescription(
- AuthorityInformationAccessOID.OCSP,
- x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
- ),
- x509.AccessDescription(
- AuthorityInformationAccessOID.CA_ISSUERS,
- x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
- )
- ])
+ aia = x509.AuthorityInformationAccess(
+ [
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.OCSP,
+ x509.UniformResourceIdentifier(u"http://ocsp.domain.com"),
+ ),
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.CA_ISSUERS,
+ x509.UniformResourceIdentifier(
+ u"http://domain.com/ca.crt"
+ ),
+ ),
+ ]
+ )
+ aia2 = x509.AuthorityInformationAccess(
+ [
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.OCSP,
+ x509.UniformResourceIdentifier(u"http://ocsp.domain.com"),
+ ),
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.CA_ISSUERS,
+ x509.UniformResourceIdentifier(
+ u"http://domain.com/ca.crt"
+ ),
+ ),
+ ]
+ )
assert aia == aia2
def test_ne(self):
- aia = x509.AuthorityInformationAccess([
- x509.AccessDescription(
- AuthorityInformationAccessOID.OCSP,
- x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
- ),
- x509.AccessDescription(
- AuthorityInformationAccessOID.CA_ISSUERS,
- x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
- )
- ])
- aia2 = x509.AuthorityInformationAccess([
- x509.AccessDescription(
- AuthorityInformationAccessOID.OCSP,
- x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
- ),
- ])
+ aia = x509.AuthorityInformationAccess(
+ [
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.OCSP,
+ x509.UniformResourceIdentifier(u"http://ocsp.domain.com"),
+ ),
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.CA_ISSUERS,
+ x509.UniformResourceIdentifier(
+ u"http://domain.com/ca.crt"
+ ),
+ ),
+ ]
+ )
+ aia2 = x509.AuthorityInformationAccess(
+ [
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.OCSP,
+ x509.UniformResourceIdentifier(u"http://ocsp.domain.com"),
+ ),
+ ]
+ )
assert aia != aia2
assert aia != object()
def test_indexing(self):
- aia = x509.AuthorityInformationAccess([
- x509.AccessDescription(
- AuthorityInformationAccessOID.OCSP,
- x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
- ),
- x509.AccessDescription(
- AuthorityInformationAccessOID.CA_ISSUERS,
- x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
- ),
- x509.AccessDescription(
- AuthorityInformationAccessOID.OCSP,
- x509.UniformResourceIdentifier(u"http://ocsp2.domain.com")
- ),
- x509.AccessDescription(
- AuthorityInformationAccessOID.OCSP,
- x509.UniformResourceIdentifier(u"http://ocsp3.domain.com")
- ),
- x509.AccessDescription(
- AuthorityInformationAccessOID.OCSP,
- x509.UniformResourceIdentifier(u"http://ocsp4.domain.com")
- ),
- ])
+ aia = x509.AuthorityInformationAccess(
+ [
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.OCSP,
+ x509.UniformResourceIdentifier(u"http://ocsp.domain.com"),
+ ),
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.CA_ISSUERS,
+ x509.UniformResourceIdentifier(
+ u"http://domain.com/ca.crt"
+ ),
+ ),
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.OCSP,
+ x509.UniformResourceIdentifier(u"http://ocsp2.domain.com"),
+ ),
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.OCSP,
+ x509.UniformResourceIdentifier(u"http://ocsp3.domain.com"),
+ ),
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.OCSP,
+ x509.UniformResourceIdentifier(u"http://ocsp4.domain.com"),
+ ),
+ ]
+ )
assert aia[-1] == aia[4]
assert aia[2:6:2] == [aia[2], aia[4]]
def test_hash(self):
- aia = x509.AuthorityInformationAccess([
- x509.AccessDescription(
- AuthorityInformationAccessOID.OCSP,
- x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
- ),
- x509.AccessDescription(
- AuthorityInformationAccessOID.CA_ISSUERS,
- x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
- )
- ])
- aia2 = x509.AuthorityInformationAccess([
- x509.AccessDescription(
- AuthorityInformationAccessOID.OCSP,
- x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
- ),
- x509.AccessDescription(
- AuthorityInformationAccessOID.CA_ISSUERS,
- x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
- )
- ])
- aia3 = x509.AuthorityInformationAccess([
- x509.AccessDescription(
- AuthorityInformationAccessOID.OCSP,
- x509.UniformResourceIdentifier(u"http://ocsp.other.com")
- ),
- x509.AccessDescription(
- AuthorityInformationAccessOID.CA_ISSUERS,
- x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
- )
- ])
+ aia = x509.AuthorityInformationAccess(
+ [
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.OCSP,
+ x509.UniformResourceIdentifier(u"http://ocsp.domain.com"),
+ ),
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.CA_ISSUERS,
+ x509.UniformResourceIdentifier(
+ u"http://domain.com/ca.crt"
+ ),
+ ),
+ ]
+ )
+ aia2 = x509.AuthorityInformationAccess(
+ [
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.OCSP,
+ x509.UniformResourceIdentifier(u"http://ocsp.domain.com"),
+ ),
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.CA_ISSUERS,
+ x509.UniformResourceIdentifier(
+ u"http://domain.com/ca.crt"
+ ),
+ ),
+ ]
+ )
+ aia3 = x509.AuthorityInformationAccess(
+ [
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.OCSP,
+ x509.UniformResourceIdentifier(u"http://ocsp.other.com"),
+ ),
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.CA_ISSUERS,
+ x509.UniformResourceIdentifier(
+ u"http://domain.com/ca.crt"
+ ),
+ ),
+ ]
+ )
assert hash(aia) == hash(aia2)
assert hash(aia) != hash(aia3)
+class TestSubjectInformationAccess(object):
+ def test_invalid_descriptions(self):
+ with pytest.raises(TypeError):
+ x509.SubjectInformationAccess(["notanAccessDescription"])
+
+ def test_iter_len(self):
+ sia = x509.SubjectInformationAccess(
+ [
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca.domain.com"),
+ ),
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca2.domain.com"),
+ ),
+ ]
+ )
+ assert len(sia) == 2
+ assert list(sia) == [
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca.domain.com"),
+ ),
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca2.domain.com"),
+ ),
+ ]
+
+ def test_iter_input(self):
+ desc = [
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca.domain.com"),
+ )
+ ]
+ sia = x509.SubjectInformationAccess(iter(desc))
+ assert list(sia) == desc
+
+ def test_repr(self):
+ sia = x509.SubjectInformationAccess(
+ [
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca.domain.com"),
+ )
+ ]
+ )
+ if not six.PY2:
+ assert repr(sia) == (
+ "<SubjectInformationAccess([<AccessDescription(access_method"
+ "=<ObjectIdentifier(oid=1.3.6.1.5.5.7.48.5, name=caRepositor"
+ "y)>, access_location=<UniformResourceIdentifier(value='http"
+ "://ca.domain.com')>)>])>"
+ )
+ else:
+ assert repr(sia) == (
+ "<SubjectInformationAccess([<AccessDescription(access_method"
+ "=<ObjectIdentifier(oid=1.3.6.1.5.5.7.48.5, name=caRepositor"
+ "y)>, access_location=<UniformResourceIdentifier(value=u'htt"
+ "p://ca.domain.com')>)>])>"
+ )
+
+ def test_eq(self):
+ sia = x509.SubjectInformationAccess(
+ [
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca.domain.com"),
+ ),
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca2.domain.com"),
+ ),
+ ]
+ )
+ sia2 = x509.SubjectInformationAccess(
+ [
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca.domain.com"),
+ ),
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca2.domain.com"),
+ ),
+ ]
+ )
+ assert sia == sia2
+
+ def test_ne(self):
+ sia = x509.SubjectInformationAccess(
+ [
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca.domain.com"),
+ ),
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca2.domain.com"),
+ ),
+ ]
+ )
+ sia2 = x509.SubjectInformationAccess(
+ [
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca.domain.com"),
+ ),
+ ]
+ )
+
+ assert sia != sia2
+ assert sia != object()
+
+ def test_indexing(self):
+ sia = x509.SubjectInformationAccess(
+ [
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca.domain.com"),
+ ),
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca2.domain.com"),
+ ),
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca3.domain.com"),
+ ),
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca4.domain.com"),
+ ),
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca5.domain.com"),
+ ),
+ ]
+ )
+ assert sia[-1] == sia[4]
+ assert sia[2:6:2] == [sia[2], sia[4]]
+
+ def test_hash(self):
+ sia = x509.SubjectInformationAccess(
+ [
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca.domain.com"),
+ ),
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca2.domain.com"),
+ ),
+ ]
+ )
+ sia2 = x509.SubjectInformationAccess(
+ [
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca.domain.com"),
+ ),
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca2.domain.com"),
+ ),
+ ]
+ )
+ sia3 = x509.SubjectInformationAccess(
+ [
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca.domain.com"),
+ ),
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca3.domain.com"),
+ ),
+ ]
+ )
+ assert hash(sia) == hash(sia2)
+ assert hash(sia) != hash(sia3)
+
+
+@pytest.mark.requires_backend_interface(interface=RSABackend)
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestSubjectInformationAccessExtension(object):
+ def test_sia(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "custom", "sia.pem"),
+ x509.load_pem_x509_certificate,
+ backend,
+ )
+ ext = cert.extensions.get_extension_for_oid(
+ ExtensionOID.SUBJECT_INFORMATION_ACCESS
+ )
+ assert ext is not None
+ assert ext.critical is False
+
+ assert ext.value == x509.SubjectInformationAccess(
+ [
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"https://my.ca.issuer/"),
+ ),
+ x509.AccessDescription(
+ x509.ObjectIdentifier("2.999.7"),
+ x509.UniformResourceIdentifier(
+ u"gopher://info-mac-archive"
+ ),
+ ),
+ ]
+ )
+
+
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
class TestAuthorityInformationAccessExtension(object):
@@ -2987,7 +3205,7 @@
cert = _load_cert(
os.path.join("x509", "cryptography.io.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.AUTHORITY_INFORMATION_ACCESS
@@ -2995,22 +3213,26 @@
assert ext is not None
assert ext.critical is False
- assert ext.value == x509.AuthorityInformationAccess([
- x509.AccessDescription(
- AuthorityInformationAccessOID.OCSP,
- x509.UniformResourceIdentifier(u"http://gv.symcd.com")
- ),
- x509.AccessDescription(
- AuthorityInformationAccessOID.CA_ISSUERS,
- x509.UniformResourceIdentifier(u"http://gv.symcb.com/gv.crt")
- ),
- ])
+ assert ext.value == x509.AuthorityInformationAccess(
+ [
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.OCSP,
+ x509.UniformResourceIdentifier(u"http://gv.symcd.com"),
+ ),
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.CA_ISSUERS,
+ x509.UniformResourceIdentifier(
+ u"http://gv.symcb.com/gv.crt"
+ ),
+ ),
+ ]
+ )
def test_aia_multiple_ocsp_ca_issuers(self, backend):
cert = _load_cert(
os.path.join("x509", "custom", "aia_ocsp_ca_issuers.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.AUTHORITY_INFORMATION_ACCESS
@@ -3018,30 +3240,39 @@
assert ext is not None
assert ext.critical is False
- assert ext.value == x509.AuthorityInformationAccess([
- x509.AccessDescription(
- AuthorityInformationAccessOID.OCSP,
- x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
- ),
- x509.AccessDescription(
- AuthorityInformationAccessOID.OCSP,
- x509.UniformResourceIdentifier(u"http://ocsp2.domain.com")
- ),
- x509.AccessDescription(
- AuthorityInformationAccessOID.CA_ISSUERS,
- x509.DirectoryName(x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME,
- u"some Org"),
- ]))
- ),
- ])
+ assert ext.value == x509.AuthorityInformationAccess(
+ [
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.OCSP,
+ x509.UniformResourceIdentifier(u"http://ocsp.domain.com"),
+ ),
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.OCSP,
+ x509.UniformResourceIdentifier(u"http://ocsp2.domain.com"),
+ ),
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.CA_ISSUERS,
+ x509.DirectoryName(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"myCN"
+ ),
+ x509.NameAttribute(
+ NameOID.ORGANIZATION_NAME, u"some Org"
+ ),
+ ]
+ )
+ ),
+ ),
+ ]
+ )
def test_aia_ocsp_only(self, backend):
cert = _load_cert(
os.path.join("x509", "custom", "aia_ocsp.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.AUTHORITY_INFORMATION_ACCESS
@@ -3049,18 +3280,20 @@
assert ext is not None
assert ext.critical is False
- assert ext.value == x509.AuthorityInformationAccess([
- x509.AccessDescription(
- AuthorityInformationAccessOID.OCSP,
- x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
- ),
- ])
+ assert ext.value == x509.AuthorityInformationAccess(
+ [
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.OCSP,
+ x509.UniformResourceIdentifier(u"http://ocsp.domain.com"),
+ ),
+ ]
+ )
def test_aia_ca_issuers_only(self, backend):
cert = _load_cert(
os.path.join("x509", "custom", "aia_ca_issuers.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.AUTHORITY_INFORMATION_ACCESS
@@ -3068,16 +3301,25 @@
assert ext is not None
assert ext.critical is False
- assert ext.value == x509.AuthorityInformationAccess([
- x509.AccessDescription(
- AuthorityInformationAccessOID.CA_ISSUERS,
- x509.DirectoryName(x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
- x509.NameAttribute(NameOID.ORGANIZATION_NAME,
- u"some Org"),
- ]))
- ),
- ])
+ assert ext.value == x509.AuthorityInformationAccess(
+ [
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.CA_ISSUERS,
+ x509.DirectoryName(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"myCN"
+ ),
+ x509.NameAttribute(
+ NameOID.ORGANIZATION_NAME, u"some Org"
+ ),
+ ]
+ )
+ ),
+ ),
+ ]
+ )
@pytest.mark.requires_backend_interface(interface=RSABackend)
@@ -3085,11 +3327,9 @@
class TestAuthorityKeyIdentifierExtension(object):
def test_aki_keyid(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "cryptography.io.pem"
- ),
+ os.path.join("x509", "cryptography.io.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.AUTHORITY_KEY_IDENTIFIER
@@ -3105,11 +3345,9 @@
def test_aki_all_fields(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom", "authority_key_identifier.pem"
- ),
+ os.path.join("x509", "custom", "authority_key_identifier.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.AUTHORITY_KEY_IDENTIFIER
@@ -3122,14 +3360,14 @@
)
assert ext.value.authority_cert_issuer == [
x509.DirectoryName(
- x509.Name([
- x509.NameAttribute(
- NameOID.ORGANIZATION_NAME, u"PyCA"
- ),
- x509.NameAttribute(
- NameOID.COMMON_NAME, u"cryptography.io"
- )
- ])
+ x509.Name(
+ [
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA"),
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography.io"
+ ),
+ ]
+ )
)
]
assert ext.value.authority_cert_serial_number == 3
@@ -3140,7 +3378,7 @@
"x509", "custom", "authority_key_identifier_no_keyid.pem"
),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.AUTHORITY_KEY_IDENTIFIER
@@ -3151,14 +3389,14 @@
assert ext.value.key_identifier is None
assert ext.value.authority_cert_issuer == [
x509.DirectoryName(
- x509.Name([
- x509.NameAttribute(
- NameOID.ORGANIZATION_NAME, u"PyCA"
- ),
- x509.NameAttribute(
- NameOID.COMMON_NAME, u"cryptography.io"
- )
- ])
+ x509.Name(
+ [
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"PyCA"),
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography.io"
+ ),
+ ]
+ )
)
]
assert ext.value.authority_cert_serial_number == 3
@@ -3167,12 +3405,12 @@
issuer_cert = _load_cert(
os.path.join("x509", "rapidssl_sha256_ca_g3.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
cert = _load_cert(
os.path.join("x509", "cryptography.io.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.AUTHORITY_KEY_IDENTIFIER
@@ -3186,21 +3424,21 @@
issuer_cert = _load_cert(
os.path.join("x509", "rapidssl_sha256_ca_g3.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
cert = _load_cert(
os.path.join("x509", "cryptography.io.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.AUTHORITY_KEY_IDENTIFIER
)
- ski = issuer_cert.extensions.get_extension_for_class(
+ ski_ext = issuer_cert.extensions.get_extension_for_class(
x509.SubjectKeyIdentifier
)
aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
- ski
+ ski_ext.value
)
assert ext.value == aki
@@ -3212,7 +3450,7 @@
permitted_subtrees=[
x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
],
- excluded_subtrees=None
+ excluded_subtrees=None,
)
with pytest.raises(TypeError):
@@ -3220,15 +3458,14 @@
permitted_subtrees=None,
excluded_subtrees=[
x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
- ]
+ ],
)
def test_ipaddress_allowed_type(self):
permitted = [x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29"))]
excluded = [x509.IPAddress(ipaddress.IPv4Network(u"10.10.0.0/24"))]
nc = x509.NameConstraints(
- permitted_subtrees=permitted,
- excluded_subtrees=excluded
+ permitted_subtrees=permitted, excluded_subtrees=excluded
)
assert nc.permitted_subtrees == permitted
assert nc.excluded_subtrees == excluded
@@ -3270,8 +3507,7 @@
def test_repr(self):
permitted = [x509.DNSName(u"name.local"), x509.DNSName(u"name2.local")]
nc = x509.NameConstraints(
- permitted_subtrees=permitted,
- excluded_subtrees=None
+ permitted_subtrees=permitted, excluded_subtrees=None
)
if not six.PY2:
assert repr(nc) == (
@@ -3289,26 +3525,26 @@
def test_eq(self):
nc = x509.NameConstraints(
permitted_subtrees=[x509.DNSName(u"name.local")],
- excluded_subtrees=[x509.DNSName(u"name2.local")]
+ excluded_subtrees=[x509.DNSName(u"name2.local")],
)
nc2 = x509.NameConstraints(
permitted_subtrees=[x509.DNSName(u"name.local")],
- excluded_subtrees=[x509.DNSName(u"name2.local")]
+ excluded_subtrees=[x509.DNSName(u"name2.local")],
)
assert nc == nc2
def test_ne(self):
nc = x509.NameConstraints(
permitted_subtrees=[x509.DNSName(u"name.local")],
- excluded_subtrees=[x509.DNSName(u"name2.local")]
+ excluded_subtrees=[x509.DNSName(u"name2.local")],
)
nc2 = x509.NameConstraints(
permitted_subtrees=[x509.DNSName(u"name.local")],
- excluded_subtrees=None
+ excluded_subtrees=None,
)
nc3 = x509.NameConstraints(
permitted_subtrees=None,
- excluded_subtrees=[x509.DNSName(u"name2.local")]
+ excluded_subtrees=[x509.DNSName(u"name2.local")],
)
assert nc != nc2
@@ -3318,19 +3554,19 @@
def test_hash(self):
nc = x509.NameConstraints(
permitted_subtrees=[x509.DNSName(u"name.local")],
- excluded_subtrees=[x509.DNSName(u"name2.local")]
+ excluded_subtrees=[x509.DNSName(u"name2.local")],
)
nc2 = x509.NameConstraints(
permitted_subtrees=[x509.DNSName(u"name.local")],
- excluded_subtrees=[x509.DNSName(u"name2.local")]
+ excluded_subtrees=[x509.DNSName(u"name2.local")],
)
nc3 = x509.NameConstraints(
permitted_subtrees=[x509.DNSName(u"name.local")],
- excluded_subtrees=None
+ excluded_subtrees=None,
)
nc4 = x509.NameConstraints(
permitted_subtrees=None,
- excluded_subtrees=[x509.DNSName(u"name.local")]
+ excluded_subtrees=[x509.DNSName(u"name.local")],
)
assert hash(nc) == hash(nc2)
assert hash(nc) != hash(nc3)
@@ -3342,51 +3578,43 @@
class TestNameConstraintsExtension(object):
def test_permitted_excluded(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom", "nc_permitted_excluded_2.pem"
- ),
+ os.path.join("x509", "custom", "nc_permitted_excluded_2.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
nc = cert.extensions.get_extension_for_oid(
ExtensionOID.NAME_CONSTRAINTS
).value
assert nc == x509.NameConstraints(
- permitted_subtrees=[
- x509.DNSName(u"zombo.local"),
- ],
+ permitted_subtrees=[x509.DNSName(u"zombo.local")],
excluded_subtrees=[
- x509.DirectoryName(x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u"zombo")
- ]))
- ]
+ x509.DirectoryName(
+ x509.Name(
+ [x509.NameAttribute(NameOID.COMMON_NAME, u"zombo")]
+ )
+ )
+ ],
)
def test_permitted(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom", "nc_permitted_2.pem"
- ),
+ os.path.join("x509", "custom", "nc_permitted_2.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
nc = cert.extensions.get_extension_for_oid(
ExtensionOID.NAME_CONSTRAINTS
).value
assert nc == x509.NameConstraints(
- permitted_subtrees=[
- x509.DNSName(u"zombo.local"),
- ],
- excluded_subtrees=None
+ permitted_subtrees=[x509.DNSName(u"zombo.local")],
+ excluded_subtrees=None,
)
def test_permitted_with_leading_period(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom", "nc_permitted.pem"
- ),
+ os.path.join("x509", "custom", "nc_permitted.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
nc = cert.extensions.get_extension_for_oid(
ExtensionOID.NAME_CONSTRAINTS
@@ -3394,18 +3622,16 @@
assert nc == x509.NameConstraints(
permitted_subtrees=[
x509.DNSName(u".cryptography.io"),
- x509.UniformResourceIdentifier(u"ftp://cryptography.test")
+ x509.UniformResourceIdentifier(u"ftp://cryptography.test"),
],
- excluded_subtrees=None
+ excluded_subtrees=None,
)
def test_excluded_with_leading_period(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom", "nc_excluded.pem"
- ),
+ os.path.join("x509", "custom", "nc_excluded.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
nc = cert.extensions.get_extension_for_oid(
ExtensionOID.NAME_CONSTRAINTS
@@ -3414,17 +3640,15 @@
permitted_subtrees=None,
excluded_subtrees=[
x509.DNSName(u".cryptography.io"),
- x509.UniformResourceIdentifier(u"gopher://cryptography.test")
- ]
+ x509.UniformResourceIdentifier(u"gopher://cryptography.test"),
+ ],
)
def test_permitted_excluded_with_ips(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom", "nc_permitted_excluded.pem"
- ),
+ os.path.join("x509", "custom", "nc_permitted_excluded.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
nc = cert.extensions.get_extension_for_oid(
ExtensionOID.NAME_CONSTRAINTS
@@ -3437,16 +3661,14 @@
excluded_subtrees=[
x509.DNSName(u".domain.com"),
x509.UniformResourceIdentifier(u"http://test.local"),
- ]
+ ],
)
def test_single_ip_netmask(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom", "nc_single_ip_netmask.pem"
- ),
+ os.path.join("x509", "custom", "nc_single_ip_netmask.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
nc = cert.extensions.get_extension_for_oid(
ExtensionOID.NAME_CONSTRAINTS
@@ -3456,16 +3678,14 @@
x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/128")),
x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.1/32")),
],
- excluded_subtrees=None
+ excluded_subtrees=None,
)
def test_invalid_netmask(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom", "nc_invalid_ip_netmask.pem"
- ),
+ os.path.join("x509", "custom", "nc_invalid_ip_netmask.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
with pytest.raises(ValueError):
cert.extensions.get_extension_for_oid(
@@ -3473,13 +3693,20 @@
)
def test_certbuilder(self, backend):
- permitted = [u'.example.org', u'.xn--4ca7aey.example.com',
- u'foobar.example.net']
+ permitted = [
+ u".example.org",
+ u".xn--4ca7aey.example.com",
+ u"foobar.example.net",
+ ]
private_key = RSA_KEY_2048.private_key(backend)
builder = _make_certbuilder(private_key)
builder = builder.add_extension(
- NameConstraints(permitted_subtrees=list(map(DNSName, permitted)),
- excluded_subtrees=[]), True)
+ NameConstraints(
+ permitted_subtrees=list(map(DNSName, permitted)),
+ excluded_subtrees=[],
+ ),
+ True,
+ )
cert = builder.sign(private_key, hashes.SHA1(), backend)
result = [
@@ -3514,7 +3741,7 @@
[x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
None,
frozenset(["notreasonflags"]),
- None
+ None,
)
def test_reason_not_frozenset(self):
@@ -3523,7 +3750,7 @@
[x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
None,
[x509.ReasonFlags.ca_compromise],
- None
+ None,
)
def test_disallowed_reasons(self):
@@ -3532,7 +3759,7 @@
[x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
None,
frozenset([x509.ReasonFlags.unspecified]),
- None
+ None,
)
with pytest.raises(ValueError):
@@ -3540,16 +3767,13 @@
[x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
None,
frozenset([x509.ReasonFlags.remove_from_crl]),
- None
+ None,
)
def test_reason_only(self):
with pytest.raises(ValueError):
x509.DistributionPoint(
- None,
- None,
- frozenset([x509.ReasonFlags.aa_compromise]),
- None
+ None, None, frozenset([x509.ReasonFlags.aa_compromise]), None
)
def test_eq(self):
@@ -3559,11 +3783,13 @@
frozenset([x509.ReasonFlags.superseded]),
[
x509.DirectoryName(
- x509.Name([
- x509.NameAttribute(
- NameOID.COMMON_NAME, u"Important CA"
- )
- ])
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"Important CA"
+ )
+ ]
+ )
)
],
)
@@ -3573,11 +3799,13 @@
frozenset([x509.ReasonFlags.superseded]),
[
x509.DirectoryName(
- x509.Name([
- x509.NameAttribute(
- NameOID.COMMON_NAME, u"Important CA"
- )
- ])
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"Important CA"
+ )
+ ]
+ )
)
],
)
@@ -3590,11 +3818,13 @@
frozenset([x509.ReasonFlags.superseded]),
[
x509.DirectoryName(
- x509.Name([
- x509.NameAttribute(
- NameOID.COMMON_NAME, u"Important CA"
- )
- ])
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"Important CA"
+ )
+ ]
+ )
)
],
)
@@ -3602,7 +3832,7 @@
[x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
None,
None,
- None
+ None,
)
assert dp != dp2
assert dp != object()
@@ -3611,9 +3841,9 @@
name = [x509.UniformResourceIdentifier(u"http://crypt.og/crl")]
issuer = [
x509.DirectoryName(
- x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u"Important CA")
- ])
+ x509.Name(
+ [x509.NameAttribute(NameOID.COMMON_NAME, u"Important CA")]
+ )
)
]
dp = x509.DistributionPoint(
@@ -3628,17 +3858,19 @@
def test_repr(self):
dp = x509.DistributionPoint(
None,
- x509.RelativeDistinguishedName([
- x509.NameAttribute(NameOID.COMMON_NAME, u"myCN")
- ]),
+ x509.RelativeDistinguishedName(
+ [x509.NameAttribute(NameOID.COMMON_NAME, u"myCN")]
+ ),
frozenset([x509.ReasonFlags.ca_compromise]),
[
x509.DirectoryName(
- x509.Name([
- x509.NameAttribute(
- NameOID.COMMON_NAME, u"Important CA"
- )
- ])
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"Important CA"
+ )
+ ]
+ )
)
],
)
@@ -3664,11 +3896,13 @@
frozenset([x509.ReasonFlags.superseded]),
[
x509.DirectoryName(
- x509.Name([
- x509.NameAttribute(
- NameOID.COMMON_NAME, u"Important CA"
- )
- ])
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"Important CA"
+ )
+ ]
+ )
)
],
)
@@ -3678,19 +3912,21 @@
frozenset([x509.ReasonFlags.superseded]),
[
x509.DirectoryName(
- x509.Name([
- x509.NameAttribute(
- NameOID.COMMON_NAME, u"Important CA"
- )
- ])
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"Important CA"
+ )
+ ]
+ )
)
],
)
dp3 = x509.DistributionPoint(
None,
- x509.RelativeDistinguishedName([
- x509.NameAttribute(NameOID.COMMON_NAME, u"myCN")
- ]),
+ x509.RelativeDistinguishedName(
+ [x509.NameAttribute(NameOID.COMMON_NAME, u"myCN")]
+ ),
None,
None,
)
@@ -3704,17 +3940,23 @@
x509.FreshestCRL(["notadistributionpoint"])
def test_iter_len(self):
- fcrl = x509.FreshestCRL([
- x509.DistributionPoint(
- [x509.UniformResourceIdentifier(u"http://domain")],
- None, None, None
- ),
- ])
+ fcrl = x509.FreshestCRL(
+ [
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(u"http://domain")],
+ None,
+ None,
+ None,
+ ),
+ ]
+ )
assert len(fcrl) == 1
assert list(fcrl) == [
x509.DistributionPoint(
[x509.UniformResourceIdentifier(u"http://domain")],
- None, None, None
+ None,
+ None,
+ None,
),
]
@@ -3722,21 +3964,25 @@
points = [
x509.DistributionPoint(
[x509.UniformResourceIdentifier(u"http://domain")],
- None, None, None
+ None,
+ None,
+ None,
),
]
fcrl = x509.FreshestCRL(iter(points))
assert list(fcrl) == points
def test_repr(self):
- fcrl = x509.FreshestCRL([
- x509.DistributionPoint(
- [x509.UniformResourceIdentifier(u"ftp://domain")],
- None,
- frozenset([x509.ReasonFlags.key_compromise]),
- None
- ),
- ])
+ fcrl = x509.FreshestCRL(
+ [
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(u"ftp://domain")],
+ None,
+ frozenset([x509.ReasonFlags.key_compromise]),
+ None,
+ ),
+ ]
+ )
if not six.PY2:
assert repr(fcrl) == (
"<FreshestCRL([<DistributionPoint(full_name=[<Unifo"
@@ -3753,134 +3999,178 @@
)
def test_eq(self):
- fcrl = x509.FreshestCRL([
- x509.DistributionPoint(
- [x509.UniformResourceIdentifier(u"ftp://domain")],
- None,
- frozenset([
- x509.ReasonFlags.key_compromise,
- x509.ReasonFlags.ca_compromise,
- ]),
- [x509.UniformResourceIdentifier(u"uri://thing")],
- ),
- ])
- fcrl2 = x509.FreshestCRL([
- x509.DistributionPoint(
- [x509.UniformResourceIdentifier(u"ftp://domain")],
- None,
- frozenset([
- x509.ReasonFlags.key_compromise,
- x509.ReasonFlags.ca_compromise,
- ]),
- [x509.UniformResourceIdentifier(u"uri://thing")],
- ),
- ])
+ fcrl = x509.FreshestCRL(
+ [
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(u"ftp://domain")],
+ None,
+ frozenset(
+ [
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ ]
+ ),
+ [x509.UniformResourceIdentifier(u"uri://thing")],
+ ),
+ ]
+ )
+ fcrl2 = x509.FreshestCRL(
+ [
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(u"ftp://domain")],
+ None,
+ frozenset(
+ [
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ ]
+ ),
+ [x509.UniformResourceIdentifier(u"uri://thing")],
+ ),
+ ]
+ )
assert fcrl == fcrl2
def test_ne(self):
- fcrl = x509.FreshestCRL([
- x509.DistributionPoint(
- [x509.UniformResourceIdentifier(u"ftp://domain")],
- None,
- frozenset([
- x509.ReasonFlags.key_compromise,
- x509.ReasonFlags.ca_compromise,
- ]),
- [x509.UniformResourceIdentifier(u"uri://thing")],
- ),
- ])
- fcrl2 = x509.FreshestCRL([
- x509.DistributionPoint(
- [x509.UniformResourceIdentifier(u"ftp://domain2")],
- None,
- frozenset([
- x509.ReasonFlags.key_compromise,
- x509.ReasonFlags.ca_compromise,
- ]),
- [x509.UniformResourceIdentifier(u"uri://thing")],
- ),
- ])
- fcrl3 = x509.FreshestCRL([
- x509.DistributionPoint(
- [x509.UniformResourceIdentifier(u"ftp://domain")],
- None,
- frozenset([x509.ReasonFlags.key_compromise]),
- [x509.UniformResourceIdentifier(u"uri://thing")],
- ),
- ])
- fcrl4 = x509.FreshestCRL([
- x509.DistributionPoint(
- [x509.UniformResourceIdentifier(u"ftp://domain")],
- None,
- frozenset([
- x509.ReasonFlags.key_compromise,
- x509.ReasonFlags.ca_compromise,
- ]),
- [x509.UniformResourceIdentifier(u"uri://thing2")],
- ),
- ])
+ fcrl = x509.FreshestCRL(
+ [
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(u"ftp://domain")],
+ None,
+ frozenset(
+ [
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ ]
+ ),
+ [x509.UniformResourceIdentifier(u"uri://thing")],
+ ),
+ ]
+ )
+ fcrl2 = x509.FreshestCRL(
+ [
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(u"ftp://domain2")],
+ None,
+ frozenset(
+ [
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ ]
+ ),
+ [x509.UniformResourceIdentifier(u"uri://thing")],
+ ),
+ ]
+ )
+ fcrl3 = x509.FreshestCRL(
+ [
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(u"ftp://domain")],
+ None,
+ frozenset([x509.ReasonFlags.key_compromise]),
+ [x509.UniformResourceIdentifier(u"uri://thing")],
+ ),
+ ]
+ )
+ fcrl4 = x509.FreshestCRL(
+ [
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(u"ftp://domain")],
+ None,
+ frozenset(
+ [
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ ]
+ ),
+ [x509.UniformResourceIdentifier(u"uri://thing2")],
+ ),
+ ]
+ )
assert fcrl != fcrl2
assert fcrl != fcrl3
assert fcrl != fcrl4
assert fcrl != object()
def test_hash(self):
- fcrl = x509.FreshestCRL([
- x509.DistributionPoint(
- [x509.UniformResourceIdentifier(u"ftp://domain")],
- None,
- frozenset([
- x509.ReasonFlags.key_compromise,
- x509.ReasonFlags.ca_compromise,
- ]),
- [x509.UniformResourceIdentifier(u"uri://thing")],
- ),
- ])
- fcrl2 = x509.FreshestCRL([
- x509.DistributionPoint(
- [x509.UniformResourceIdentifier(u"ftp://domain")],
- None,
- frozenset([
- x509.ReasonFlags.key_compromise,
- x509.ReasonFlags.ca_compromise,
- ]),
- [x509.UniformResourceIdentifier(u"uri://thing")],
- ),
- ])
- fcrl3 = x509.FreshestCRL([
- x509.DistributionPoint(
- [x509.UniformResourceIdentifier(u"ftp://domain")],
- None,
- frozenset([x509.ReasonFlags.key_compromise]),
- [x509.UniformResourceIdentifier(u"uri://thing")],
- ),
- ])
+ fcrl = x509.FreshestCRL(
+ [
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(u"ftp://domain")],
+ None,
+ frozenset(
+ [
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ ]
+ ),
+ [x509.UniformResourceIdentifier(u"uri://thing")],
+ ),
+ ]
+ )
+ fcrl2 = x509.FreshestCRL(
+ [
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(u"ftp://domain")],
+ None,
+ frozenset(
+ [
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ ]
+ ),
+ [x509.UniformResourceIdentifier(u"uri://thing")],
+ ),
+ ]
+ )
+ fcrl3 = x509.FreshestCRL(
+ [
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(u"ftp://domain")],
+ None,
+ frozenset([x509.ReasonFlags.key_compromise]),
+ [x509.UniformResourceIdentifier(u"uri://thing")],
+ ),
+ ]
+ )
assert hash(fcrl) == hash(fcrl2)
assert hash(fcrl) != hash(fcrl3)
def test_indexing(self):
- fcrl = x509.FreshestCRL([
- x509.DistributionPoint(
- None, None, None,
- [x509.UniformResourceIdentifier(u"uri://thing")],
- ),
- x509.DistributionPoint(
- None, None, None,
- [x509.UniformResourceIdentifier(u"uri://thing2")],
- ),
- x509.DistributionPoint(
- None, None, None,
- [x509.UniformResourceIdentifier(u"uri://thing3")],
- ),
- x509.DistributionPoint(
- None, None, None,
- [x509.UniformResourceIdentifier(u"uri://thing4")],
- ),
- x509.DistributionPoint(
- None, None, None,
- [x509.UniformResourceIdentifier(u"uri://thing5")],
- ),
- ])
+ fcrl = x509.FreshestCRL(
+ [
+ x509.DistributionPoint(
+ None,
+ None,
+ None,
+ [x509.UniformResourceIdentifier(u"uri://thing")],
+ ),
+ x509.DistributionPoint(
+ None,
+ None,
+ None,
+ [x509.UniformResourceIdentifier(u"uri://thing2")],
+ ),
+ x509.DistributionPoint(
+ None,
+ None,
+ None,
+ [x509.UniformResourceIdentifier(u"uri://thing3")],
+ ),
+ x509.DistributionPoint(
+ None,
+ None,
+ None,
+ [x509.UniformResourceIdentifier(u"uri://thing4")],
+ ),
+ x509.DistributionPoint(
+ None,
+ None,
+ None,
+ [x509.UniformResourceIdentifier(u"uri://thing5")],
+ ),
+ ]
+ )
assert fcrl[-1] == fcrl[4]
assert fcrl[2:6:2] == [fcrl[2], fcrl[4]]
@@ -3891,39 +4181,45 @@
x509.CRLDistributionPoints(["notadistributionpoint"])
def test_iter_len(self):
- cdp = x509.CRLDistributionPoints([
- x509.DistributionPoint(
- [x509.UniformResourceIdentifier(u"http://domain")],
- None,
- None,
- None
- ),
- x509.DistributionPoint(
- [x509.UniformResourceIdentifier(u"ftp://domain")],
- None,
- frozenset([
- x509.ReasonFlags.key_compromise,
- x509.ReasonFlags.ca_compromise,
- ]),
- None
- ),
- ])
+ cdp = x509.CRLDistributionPoints(
+ [
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(u"http://domain")],
+ None,
+ None,
+ None,
+ ),
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(u"ftp://domain")],
+ None,
+ frozenset(
+ [
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ ]
+ ),
+ None,
+ ),
+ ]
+ )
assert len(cdp) == 2
assert list(cdp) == [
x509.DistributionPoint(
[x509.UniformResourceIdentifier(u"http://domain")],
None,
None,
- None
+ None,
),
x509.DistributionPoint(
[x509.UniformResourceIdentifier(u"ftp://domain")],
None,
- frozenset([
- x509.ReasonFlags.key_compromise,
- x509.ReasonFlags.ca_compromise,
- ]),
- None
+ frozenset(
+ [
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ ]
+ ),
+ None,
),
]
@@ -3933,21 +4229,23 @@
[x509.UniformResourceIdentifier(u"http://domain")],
None,
None,
- None
+ None,
),
]
cdp = x509.CRLDistributionPoints(iter(points))
assert list(cdp) == points
def test_repr(self):
- cdp = x509.CRLDistributionPoints([
- x509.DistributionPoint(
- [x509.UniformResourceIdentifier(u"ftp://domain")],
- None,
- frozenset([x509.ReasonFlags.key_compromise]),
- None
- ),
- ])
+ cdp = x509.CRLDistributionPoints(
+ [
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(u"ftp://domain")],
+ None,
+ frozenset([x509.ReasonFlags.key_compromise]),
+ None,
+ ),
+ ]
+ )
if not six.PY2:
assert repr(cdp) == (
"<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
@@ -3964,134 +4262,178 @@
)
def test_eq(self):
- cdp = x509.CRLDistributionPoints([
- x509.DistributionPoint(
- [x509.UniformResourceIdentifier(u"ftp://domain")],
- None,
- frozenset([
- x509.ReasonFlags.key_compromise,
- x509.ReasonFlags.ca_compromise,
- ]),
- [x509.UniformResourceIdentifier(u"uri://thing")],
- ),
- ])
- cdp2 = x509.CRLDistributionPoints([
- x509.DistributionPoint(
- [x509.UniformResourceIdentifier(u"ftp://domain")],
- None,
- frozenset([
- x509.ReasonFlags.key_compromise,
- x509.ReasonFlags.ca_compromise,
- ]),
- [x509.UniformResourceIdentifier(u"uri://thing")],
- ),
- ])
+ cdp = x509.CRLDistributionPoints(
+ [
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(u"ftp://domain")],
+ None,
+ frozenset(
+ [
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ ]
+ ),
+ [x509.UniformResourceIdentifier(u"uri://thing")],
+ ),
+ ]
+ )
+ cdp2 = x509.CRLDistributionPoints(
+ [
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(u"ftp://domain")],
+ None,
+ frozenset(
+ [
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ ]
+ ),
+ [x509.UniformResourceIdentifier(u"uri://thing")],
+ ),
+ ]
+ )
assert cdp == cdp2
def test_ne(self):
- cdp = x509.CRLDistributionPoints([
- x509.DistributionPoint(
- [x509.UniformResourceIdentifier(u"ftp://domain")],
- None,
- frozenset([
- x509.ReasonFlags.key_compromise,
- x509.ReasonFlags.ca_compromise,
- ]),
- [x509.UniformResourceIdentifier(u"uri://thing")],
- ),
- ])
- cdp2 = x509.CRLDistributionPoints([
- x509.DistributionPoint(
- [x509.UniformResourceIdentifier(u"ftp://domain2")],
- None,
- frozenset([
- x509.ReasonFlags.key_compromise,
- x509.ReasonFlags.ca_compromise,
- ]),
- [x509.UniformResourceIdentifier(u"uri://thing")],
- ),
- ])
- cdp3 = x509.CRLDistributionPoints([
- x509.DistributionPoint(
- [x509.UniformResourceIdentifier(u"ftp://domain")],
- None,
- frozenset([x509.ReasonFlags.key_compromise]),
- [x509.UniformResourceIdentifier(u"uri://thing")],
- ),
- ])
- cdp4 = x509.CRLDistributionPoints([
- x509.DistributionPoint(
- [x509.UniformResourceIdentifier(u"ftp://domain")],
- None,
- frozenset([
- x509.ReasonFlags.key_compromise,
- x509.ReasonFlags.ca_compromise,
- ]),
- [x509.UniformResourceIdentifier(u"uri://thing2")],
- ),
- ])
+ cdp = x509.CRLDistributionPoints(
+ [
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(u"ftp://domain")],
+ None,
+ frozenset(
+ [
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ ]
+ ),
+ [x509.UniformResourceIdentifier(u"uri://thing")],
+ ),
+ ]
+ )
+ cdp2 = x509.CRLDistributionPoints(
+ [
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(u"ftp://domain2")],
+ None,
+ frozenset(
+ [
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ ]
+ ),
+ [x509.UniformResourceIdentifier(u"uri://thing")],
+ ),
+ ]
+ )
+ cdp3 = x509.CRLDistributionPoints(
+ [
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(u"ftp://domain")],
+ None,
+ frozenset([x509.ReasonFlags.key_compromise]),
+ [x509.UniformResourceIdentifier(u"uri://thing")],
+ ),
+ ]
+ )
+ cdp4 = x509.CRLDistributionPoints(
+ [
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(u"ftp://domain")],
+ None,
+ frozenset(
+ [
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ ]
+ ),
+ [x509.UniformResourceIdentifier(u"uri://thing2")],
+ ),
+ ]
+ )
assert cdp != cdp2
assert cdp != cdp3
assert cdp != cdp4
assert cdp != object()
def test_hash(self):
- cdp = x509.CRLDistributionPoints([
- x509.DistributionPoint(
- [x509.UniformResourceIdentifier(u"ftp://domain")],
- None,
- frozenset([
- x509.ReasonFlags.key_compromise,
- x509.ReasonFlags.ca_compromise,
- ]),
- [x509.UniformResourceIdentifier(u"uri://thing")],
- ),
- ])
- cdp2 = x509.CRLDistributionPoints([
- x509.DistributionPoint(
- [x509.UniformResourceIdentifier(u"ftp://domain")],
- None,
- frozenset([
- x509.ReasonFlags.key_compromise,
- x509.ReasonFlags.ca_compromise,
- ]),
- [x509.UniformResourceIdentifier(u"uri://thing")],
- ),
- ])
- cdp3 = x509.CRLDistributionPoints([
- x509.DistributionPoint(
- [x509.UniformResourceIdentifier(u"ftp://domain")],
- None,
- frozenset([x509.ReasonFlags.key_compromise]),
- [x509.UniformResourceIdentifier(u"uri://thing")],
- ),
- ])
+ cdp = x509.CRLDistributionPoints(
+ [
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(u"ftp://domain")],
+ None,
+ frozenset(
+ [
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ ]
+ ),
+ [x509.UniformResourceIdentifier(u"uri://thing")],
+ ),
+ ]
+ )
+ cdp2 = x509.CRLDistributionPoints(
+ [
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(u"ftp://domain")],
+ None,
+ frozenset(
+ [
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ ]
+ ),
+ [x509.UniformResourceIdentifier(u"uri://thing")],
+ ),
+ ]
+ )
+ cdp3 = x509.CRLDistributionPoints(
+ [
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(u"ftp://domain")],
+ None,
+ frozenset([x509.ReasonFlags.key_compromise]),
+ [x509.UniformResourceIdentifier(u"uri://thing")],
+ ),
+ ]
+ )
assert hash(cdp) == hash(cdp2)
assert hash(cdp) != hash(cdp3)
def test_indexing(self):
- ci = x509.CRLDistributionPoints([
- x509.DistributionPoint(
- None, None, None,
- [x509.UniformResourceIdentifier(u"uri://thing")],
- ),
- x509.DistributionPoint(
- None, None, None,
- [x509.UniformResourceIdentifier(u"uri://thing2")],
- ),
- x509.DistributionPoint(
- None, None, None,
- [x509.UniformResourceIdentifier(u"uri://thing3")],
- ),
- x509.DistributionPoint(
- None, None, None,
- [x509.UniformResourceIdentifier(u"uri://thing4")],
- ),
- x509.DistributionPoint(
- None, None, None,
- [x509.UniformResourceIdentifier(u"uri://thing5")],
- ),
- ])
+ ci = x509.CRLDistributionPoints(
+ [
+ x509.DistributionPoint(
+ None,
+ None,
+ None,
+ [x509.UniformResourceIdentifier(u"uri://thing")],
+ ),
+ x509.DistributionPoint(
+ None,
+ None,
+ None,
+ [x509.UniformResourceIdentifier(u"uri://thing2")],
+ ),
+ x509.DistributionPoint(
+ None,
+ None,
+ None,
+ [x509.UniformResourceIdentifier(u"uri://thing3")],
+ ),
+ x509.DistributionPoint(
+ None,
+ None,
+ None,
+ [x509.UniformResourceIdentifier(u"uri://thing4")],
+ ),
+ x509.DistributionPoint(
+ None,
+ None,
+ None,
+ [x509.UniformResourceIdentifier(u"uri://thing5")],
+ ),
+ ]
+ )
assert ci[-1] == ci[4]
assert ci[2:6:2] == [ci[2], ci[4]]
@@ -4105,49 +4447,63 @@
"x509", "PKITS_data", "certs", "ValidcRLIssuerTest28EE.crt"
),
x509.load_der_x509_certificate,
- backend
+ backend,
)
cdps = cert.extensions.get_extension_for_oid(
ExtensionOID.CRL_DISTRIBUTION_POINTS
).value
- assert cdps == x509.CRLDistributionPoints([
- x509.DistributionPoint(
- full_name=[x509.DirectoryName(
- x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
- x509.NameAttribute(
- NameOID.ORGANIZATION_NAME,
- u"Test Certificates 2011"
- ),
- x509.NameAttribute(
- NameOID.ORGANIZATIONAL_UNIT_NAME,
- u"indirectCRL CA3 cRLIssuer"
- ),
- x509.NameAttribute(
- NameOID.COMMON_NAME,
- u"indirect CRL for indirectCRL CA3"
- ),
- ])
- )],
- relative_name=None,
- reasons=None,
- crl_issuer=[x509.DirectoryName(
- x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
- x509.NameAttribute(
- NameOID.ORGANIZATION_NAME,
- u"Test Certificates 2011"
- ),
- x509.NameAttribute(
- NameOID.ORGANIZATIONAL_UNIT_NAME,
- u"indirectCRL CA3 cRLIssuer"
- ),
- ])
- )],
- )
- ])
+ assert cdps == x509.CRLDistributionPoints(
+ [
+ x509.DistributionPoint(
+ full_name=[
+ x509.DirectoryName(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COUNTRY_NAME, u"US"
+ ),
+ x509.NameAttribute(
+ NameOID.ORGANIZATION_NAME,
+ u"Test Certificates 2011",
+ ),
+ x509.NameAttribute(
+ NameOID.ORGANIZATIONAL_UNIT_NAME,
+ u"indirectCRL CA3 cRLIssuer",
+ ),
+ x509.NameAttribute(
+ NameOID.COMMON_NAME,
+ u"indirect CRL for indirectCRL CA3",
+ ),
+ ]
+ )
+ )
+ ],
+ relative_name=None,
+ reasons=None,
+ crl_issuer=[
+ x509.DirectoryName(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COUNTRY_NAME, u"US"
+ ),
+ x509.NameAttribute(
+ NameOID.ORGANIZATION_NAME,
+ u"Test Certificates 2011",
+ ),
+ x509.NameAttribute(
+ NameOID.ORGANIZATIONAL_UNIT_NAME,
+ u"indirectCRL CA3 cRLIssuer",
+ ),
+ ]
+ )
+ )
+ ],
+ )
+ ]
+ )
def test_relativename_and_crl_issuer(self, backend):
cert = _load_cert(
@@ -4155,38 +4511,48 @@
"x509", "PKITS_data", "certs", "ValidcRLIssuerTest29EE.crt"
),
x509.load_der_x509_certificate,
- backend
+ backend,
)
cdps = cert.extensions.get_extension_for_oid(
ExtensionOID.CRL_DISTRIBUTION_POINTS
).value
- assert cdps == x509.CRLDistributionPoints([
- x509.DistributionPoint(
- full_name=None,
- relative_name=x509.RelativeDistinguishedName([
- x509.NameAttribute(
- NameOID.COMMON_NAME,
- u"indirect CRL for indirectCRL CA3"
+ assert cdps == x509.CRLDistributionPoints(
+ [
+ x509.DistributionPoint(
+ full_name=None,
+ relative_name=x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME,
+ u"indirect CRL for indirectCRL CA3",
+ ),
+ ]
),
- ]),
- reasons=None,
- crl_issuer=[x509.DirectoryName(
- x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
- x509.NameAttribute(
- NameOID.ORGANIZATION_NAME,
- u"Test Certificates 2011"
- ),
- x509.NameAttribute(
- NameOID.ORGANIZATIONAL_UNIT_NAME,
- u"indirectCRL CA3 cRLIssuer"
- ),
- ])
- )],
- )
- ])
+ reasons=None,
+ crl_issuer=[
+ x509.DirectoryName(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COUNTRY_NAME, u"US"
+ ),
+ x509.NameAttribute(
+ NameOID.ORGANIZATION_NAME,
+ u"Test Certificates 2011",
+ ),
+ x509.NameAttribute(
+ NameOID.ORGANIZATIONAL_UNIT_NAME,
+ u"indirectCRL CA3 cRLIssuer",
+ ),
+ ]
+ )
+ )
+ ],
+ )
+ ]
+ )
def test_fullname_crl_issuer_reasons(self, backend):
cert = _load_cert(
@@ -4194,145 +4560,169 @@
"x509", "custom", "cdp_fullname_reasons_crl_issuer.pem"
),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
cdps = cert.extensions.get_extension_for_oid(
ExtensionOID.CRL_DISTRIBUTION_POINTS
).value
- assert cdps == x509.CRLDistributionPoints([
- x509.DistributionPoint(
- full_name=[x509.UniformResourceIdentifier(
- u"http://myhost.com/myca.crl"
- )],
- relative_name=None,
- reasons=frozenset([
- x509.ReasonFlags.key_compromise,
- x509.ReasonFlags.ca_compromise
- ]),
- crl_issuer=[x509.DirectoryName(
- x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
- x509.NameAttribute(
- NameOID.ORGANIZATION_NAME, u"PyCA"
- ),
- x509.NameAttribute(
- NameOID.COMMON_NAME, u"cryptography CA"
- ),
- ])
- )],
- )
- ])
+ assert cdps == x509.CRLDistributionPoints(
+ [
+ x509.DistributionPoint(
+ full_name=[
+ x509.UniformResourceIdentifier(
+ u"http://myhost.com/myca.crl"
+ )
+ ],
+ relative_name=None,
+ reasons=frozenset(
+ [
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ ]
+ ),
+ crl_issuer=[
+ x509.DirectoryName(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COUNTRY_NAME, u"US"
+ ),
+ x509.NameAttribute(
+ NameOID.ORGANIZATION_NAME, u"PyCA"
+ ),
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography CA"
+ ),
+ ]
+ )
+ )
+ ],
+ )
+ ]
+ )
def test_all_reasons(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom", "cdp_all_reasons.pem"
- ),
+ os.path.join("x509", "custom", "cdp_all_reasons.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
cdps = cert.extensions.get_extension_for_oid(
ExtensionOID.CRL_DISTRIBUTION_POINTS
).value
- assert cdps == x509.CRLDistributionPoints([
- x509.DistributionPoint(
- full_name=[x509.UniformResourceIdentifier(
- u"http://domain.com/some.crl"
- )],
- relative_name=None,
- reasons=frozenset([
- x509.ReasonFlags.key_compromise,
- x509.ReasonFlags.ca_compromise,
- x509.ReasonFlags.affiliation_changed,
- x509.ReasonFlags.superseded,
- x509.ReasonFlags.privilege_withdrawn,
- x509.ReasonFlags.cessation_of_operation,
- x509.ReasonFlags.aa_compromise,
- x509.ReasonFlags.certificate_hold,
- ]),
- crl_issuer=None
- )
- ])
+ assert cdps == x509.CRLDistributionPoints(
+ [
+ x509.DistributionPoint(
+ full_name=[
+ x509.UniformResourceIdentifier(
+ u"http://domain.com/some.crl"
+ )
+ ],
+ relative_name=None,
+ reasons=frozenset(
+ [
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ x509.ReasonFlags.affiliation_changed,
+ x509.ReasonFlags.superseded,
+ x509.ReasonFlags.privilege_withdrawn,
+ x509.ReasonFlags.cessation_of_operation,
+ x509.ReasonFlags.aa_compromise,
+ x509.ReasonFlags.certificate_hold,
+ ]
+ ),
+ crl_issuer=None,
+ )
+ ]
+ )
def test_single_reason(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom", "cdp_reason_aa_compromise.pem"
- ),
+ os.path.join("x509", "custom", "cdp_reason_aa_compromise.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
cdps = cert.extensions.get_extension_for_oid(
ExtensionOID.CRL_DISTRIBUTION_POINTS
).value
- assert cdps == x509.CRLDistributionPoints([
- x509.DistributionPoint(
- full_name=[x509.UniformResourceIdentifier(
- u"http://domain.com/some.crl"
- )],
- relative_name=None,
- reasons=frozenset([x509.ReasonFlags.aa_compromise]),
- crl_issuer=None
- )
- ])
+ assert cdps == x509.CRLDistributionPoints(
+ [
+ x509.DistributionPoint(
+ full_name=[
+ x509.UniformResourceIdentifier(
+ u"http://domain.com/some.crl"
+ )
+ ],
+ relative_name=None,
+ reasons=frozenset([x509.ReasonFlags.aa_compromise]),
+ crl_issuer=None,
+ )
+ ]
+ )
def test_crl_issuer_only(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom", "cdp_crl_issuer.pem"
- ),
+ os.path.join("x509", "custom", "cdp_crl_issuer.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
cdps = cert.extensions.get_extension_for_oid(
ExtensionOID.CRL_DISTRIBUTION_POINTS
).value
- assert cdps == x509.CRLDistributionPoints([
- x509.DistributionPoint(
- full_name=None,
- relative_name=None,
- reasons=None,
- crl_issuer=[x509.DirectoryName(
- x509.Name([
- x509.NameAttribute(
- NameOID.COMMON_NAME, u"cryptography CA"
- ),
- ])
- )],
- )
- ])
+ assert cdps == x509.CRLDistributionPoints(
+ [
+ x509.DistributionPoint(
+ full_name=None,
+ relative_name=None,
+ reasons=None,
+ crl_issuer=[
+ x509.DirectoryName(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography CA"
+ ),
+ ]
+ )
+ )
+ ],
+ )
+ ]
+ )
def test_crl_empty_hostname(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom", "cdp_empty_hostname.pem"
- ),
+ os.path.join("x509", "custom", "cdp_empty_hostname.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
cdps = cert.extensions.get_extension_for_oid(
ExtensionOID.CRL_DISTRIBUTION_POINTS
).value
- assert cdps == x509.CRLDistributionPoints([
- x509.DistributionPoint(
- full_name=[x509.UniformResourceIdentifier(
- u"ldap:///CN=A,OU=B,dc=C,DC=D?E?F?G?H=I"
- )],
- relative_name=None,
- reasons=None,
- crl_issuer=None
- )
- ])
+ assert cdps == x509.CRLDistributionPoints(
+ [
+ x509.DistributionPoint(
+ full_name=[
+ x509.UniformResourceIdentifier(
+ u"ldap:///CN=A,OU=B,dc=C,DC=D?E?F?G?H=I"
+ )
+ ],
+ relative_name=None,
+ reasons=None,
+ crl_issuer=None,
+ )
+ ]
+ )
@pytest.mark.requires_backend_interface(interface=RSABackend)
@@ -4340,39 +4730,47 @@
class TestFreshestCRLExtension(object):
def test_vector(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom", "freshestcrl.pem"
- ),
+ os.path.join("x509", "custom", "freshestcrl.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
fcrl = cert.extensions.get_extension_for_class(x509.FreshestCRL).value
- assert fcrl == x509.FreshestCRL([
- x509.DistributionPoint(
- full_name=[
- x509.UniformResourceIdentifier(
- u'http://myhost.com/myca.crl'
- ),
- x509.UniformResourceIdentifier(
- u'http://backup.myhost.com/myca.crl'
- )
- ],
- relative_name=None,
- reasons=frozenset([
- x509.ReasonFlags.ca_compromise,
- x509.ReasonFlags.key_compromise
- ]),
- crl_issuer=[x509.DirectoryName(
- x509.Name([
- x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
- x509.NameAttribute(
- NameOID.COMMON_NAME, u"cryptography CA"
+ assert fcrl == x509.FreshestCRL(
+ [
+ x509.DistributionPoint(
+ full_name=[
+ x509.UniformResourceIdentifier(
+ u"http://myhost.com/myca.crl"
),
- ])
- )]
- )
- ])
+ x509.UniformResourceIdentifier(
+ u"http://backup.myhost.com/myca.crl"
+ ),
+ ],
+ relative_name=None,
+ reasons=frozenset(
+ [
+ x509.ReasonFlags.ca_compromise,
+ x509.ReasonFlags.key_compromise,
+ ]
+ ),
+ crl_issuer=[
+ x509.DirectoryName(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COUNTRY_NAME, u"US"
+ ),
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography CA"
+ ),
+ ]
+ )
+ )
+ ],
+ )
+ ]
+ )
@pytest.mark.requires_backend_interface(interface=RSABackend)
@@ -4380,17 +4778,38 @@
class TestOCSPNoCheckExtension(object):
def test_nocheck(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom", "ocsp_nocheck.pem"
- ),
+ os.path.join("x509", "custom", "ocsp_nocheck.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
- ext = cert.extensions.get_extension_for_oid(
- ExtensionOID.OCSP_NO_CHECK
- )
+ ext = cert.extensions.get_extension_for_oid(ExtensionOID.OCSP_NO_CHECK)
assert isinstance(ext.value, x509.OCSPNoCheck)
+ def test_eq(self):
+ onc1 = x509.OCSPNoCheck()
+ onc2 = x509.OCSPNoCheck()
+
+ assert onc1 == onc2
+
+ def test_hash(self):
+ onc1 = x509.OCSPNoCheck()
+ onc2 = x509.OCSPNoCheck()
+
+ assert hash(onc1) == hash(onc2)
+
+ def test_ne(self):
+ onc1 = x509.OCSPNoCheck()
+ onc2 = x509.OCSPNoCheck()
+
+ assert onc1 == onc2
+ assert (onc1 != onc2) is False
+ assert onc1 != object()
+
+ def test_repr(self):
+ onc = x509.OCSPNoCheck()
+
+ assert repr(onc) == "<OCSPNoCheck()>"
+
class TestInhibitAnyPolicy(object):
def test_not_int(self):
@@ -4429,11 +4848,9 @@
class TestInhibitAnyPolicyExtension(object):
def test_inhibit_any_policy(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom", "inhibit_any_policy_5.pem"
- ),
+ os.path.join("x509", "custom", "inhibit_any_policy_5.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
iap = cert.extensions.get_extension_for_oid(
ExtensionOID.INHIBIT_ANY_POLICY
@@ -4450,7 +4867,8 @@
x509.IssuingDistributionPoint(
full_name=[
x509.UniformResourceIdentifier(
- u"http://myhost.com/myca.crl")
+ u"http://myhost.com/myca.crl"
+ )
],
relative_name=None,
only_contains_user_certs=False,
@@ -4458,14 +4876,15 @@
only_some_reasons=None,
indirect_crl=True,
only_contains_attribute_certs=False,
- )
+ ),
),
(
"crl_idp_fullname_only.pem",
x509.IssuingDistributionPoint(
full_name=[
x509.UniformResourceIdentifier(
- u"http://myhost.com/myca.crl")
+ u"http://myhost.com/myca.crl"
+ )
],
relative_name=None,
only_contains_user_certs=False,
@@ -4473,14 +4892,15 @@
only_some_reasons=None,
indirect_crl=False,
only_contains_attribute_certs=False,
- )
+ ),
),
(
"crl_idp_fullname_only_aa.pem",
x509.IssuingDistributionPoint(
full_name=[
x509.UniformResourceIdentifier(
- u"http://myhost.com/myca.crl")
+ u"http://myhost.com/myca.crl"
+ )
],
relative_name=None,
only_contains_user_certs=False,
@@ -4488,14 +4908,15 @@
only_some_reasons=None,
indirect_crl=False,
only_contains_attribute_certs=True,
- )
+ ),
),
(
"crl_idp_fullname_only_user.pem",
x509.IssuingDistributionPoint(
full_name=[
x509.UniformResourceIdentifier(
- u"http://myhost.com/myca.crl")
+ u"http://myhost.com/myca.crl"
+ )
],
relative_name=None,
only_contains_user_certs=True,
@@ -4503,23 +4924,26 @@
only_some_reasons=None,
indirect_crl=False,
only_contains_attribute_certs=False,
- )
+ ),
),
(
"crl_idp_only_ca.pem",
x509.IssuingDistributionPoint(
full_name=None,
- relative_name=x509.RelativeDistinguishedName([
- x509.NameAttribute(
- oid=x509.NameOID.ORGANIZATION_NAME, value=u"PyCA"
- )
- ]),
+ relative_name=x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ oid=x509.NameOID.ORGANIZATION_NAME,
+ value=u"PyCA",
+ )
+ ]
+ ),
only_contains_user_certs=False,
only_contains_ca_certs=True,
only_some_reasons=None,
indirect_crl=False,
only_contains_attribute_certs=False,
- )
+ ),
),
(
"crl_idp_reasons_only.pem",
@@ -4528,62 +4952,71 @@
relative_name=None,
only_contains_user_certs=False,
only_contains_ca_certs=False,
- only_some_reasons=frozenset([
- x509.ReasonFlags.key_compromise
- ]),
+ only_some_reasons=frozenset(
+ [x509.ReasonFlags.key_compromise]
+ ),
indirect_crl=False,
only_contains_attribute_certs=False,
- )
+ ),
),
(
"crl_idp_relative_user_all_reasons.pem",
x509.IssuingDistributionPoint(
full_name=None,
- relative_name=x509.RelativeDistinguishedName([
- x509.NameAttribute(
- oid=x509.NameOID.ORGANIZATION_NAME, value=u"PyCA"
- )
- ]),
+ relative_name=x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ oid=x509.NameOID.ORGANIZATION_NAME,
+ value=u"PyCA",
+ )
+ ]
+ ),
only_contains_user_certs=True,
only_contains_ca_certs=False,
- only_some_reasons=frozenset([
- x509.ReasonFlags.key_compromise,
- x509.ReasonFlags.ca_compromise,
- x509.ReasonFlags.affiliation_changed,
- x509.ReasonFlags.superseded,
- x509.ReasonFlags.cessation_of_operation,
- x509.ReasonFlags.certificate_hold,
- x509.ReasonFlags.privilege_withdrawn,
- x509.ReasonFlags.aa_compromise,
- ]),
+ only_some_reasons=frozenset(
+ [
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ x509.ReasonFlags.affiliation_changed,
+ x509.ReasonFlags.superseded,
+ x509.ReasonFlags.cessation_of_operation,
+ x509.ReasonFlags.certificate_hold,
+ x509.ReasonFlags.privilege_withdrawn,
+ x509.ReasonFlags.aa_compromise,
+ ]
+ ),
indirect_crl=False,
only_contains_attribute_certs=False,
- )
+ ),
),
(
"crl_idp_relativename_only.pem",
x509.IssuingDistributionPoint(
full_name=None,
- relative_name=x509.RelativeDistinguishedName([
- x509.NameAttribute(
- oid=x509.NameOID.ORGANIZATION_NAME, value=u"PyCA"
- )
- ]),
+ relative_name=x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ oid=x509.NameOID.ORGANIZATION_NAME,
+ value=u"PyCA",
+ )
+ ]
+ ),
only_contains_user_certs=False,
only_contains_ca_certs=False,
only_some_reasons=None,
indirect_crl=False,
only_contains_attribute_certs=False,
- )
+ ),
),
- ]
+ ],
)
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_vectors(self, filename, expected, backend):
crl = _load_cert(
os.path.join("x509", "custom", filename),
- x509.load_pem_x509_crl, backend
+ x509.load_pem_x509_crl,
+ backend,
)
idp = crl.extensions.get_extension_for_class(
x509.IssuingDistributionPoint
@@ -4592,51 +5025,96 @@
@pytest.mark.parametrize(
(
- "error", "only_contains_user_certs", "only_contains_ca_certs",
- "indirect_crl", "only_contains_attribute_certs",
- "only_some_reasons", "full_name", "relative_name"
+ "error",
+ "only_contains_user_certs",
+ "only_contains_ca_certs",
+ "indirect_crl",
+ "only_contains_attribute_certs",
+ "only_some_reasons",
+ "full_name",
+ "relative_name",
),
[
(
- TypeError, False, False, False, False, 'notafrozenset', None,
- None
+ TypeError,
+ False,
+ False,
+ False,
+ False,
+ "notafrozenset",
+ None,
+ None,
),
(
- TypeError, False, False, False, False, frozenset(['bad']),
- None, None
+ TypeError,
+ False,
+ False,
+ False,
+ False,
+ frozenset(["bad"]),
+ None,
+ None,
),
(
- ValueError, False, False, False, False,
- frozenset([x509.ReasonFlags.unspecified]), None, None
+ ValueError,
+ False,
+ False,
+ False,
+ False,
+ frozenset([x509.ReasonFlags.unspecified]),
+ None,
+ None,
),
(
- ValueError, False, False, False, False,
- frozenset([x509.ReasonFlags.remove_from_crl]), None, None
+ ValueError,
+ False,
+ False,
+ False,
+ False,
+ frozenset([x509.ReasonFlags.remove_from_crl]),
+ None,
+ None,
),
- (TypeError, 'notabool', False, False, False, None, None, None),
- (TypeError, False, 'notabool', False, False, None, None, None),
- (TypeError, False, False, 'notabool', False, None, None, None),
- (TypeError, False, False, False, 'notabool', None, None, None),
+ (TypeError, "notabool", False, False, False, None, None, None),
+ (TypeError, False, "notabool", False, False, None, None, None),
+ (TypeError, False, False, "notabool", False, None, None, None),
+ (TypeError, False, False, False, "notabool", None, None, None),
(ValueError, True, True, False, False, None, None, None),
(ValueError, False, False, True, True, None, None, None),
(ValueError, False, False, False, False, None, None, None),
- ]
+ ],
)
- def test_invalid_init(self, error, only_contains_user_certs,
- only_contains_ca_certs, indirect_crl,
- only_contains_attribute_certs, only_some_reasons,
- full_name, relative_name):
+ def test_invalid_init(
+ self,
+ error,
+ only_contains_user_certs,
+ only_contains_ca_certs,
+ indirect_crl,
+ only_contains_attribute_certs,
+ only_some_reasons,
+ full_name,
+ relative_name,
+ ):
with pytest.raises(error):
x509.IssuingDistributionPoint(
- full_name, relative_name, only_contains_user_certs,
- only_contains_ca_certs, only_some_reasons, indirect_crl,
- only_contains_attribute_certs
+ full_name,
+ relative_name,
+ only_contains_user_certs,
+ only_contains_ca_certs,
+ only_some_reasons,
+ indirect_crl,
+ only_contains_attribute_certs,
)
def test_repr(self):
idp = x509.IssuingDistributionPoint(
- None, None, False, False,
- frozenset([x509.ReasonFlags.key_compromise]), False, False
+ None,
+ None,
+ False,
+ False,
+ frozenset([x509.ReasonFlags.key_compromise]),
+ False,
+ False,
)
if not six.PY2:
assert repr(idp) == (
@@ -4663,10 +5141,13 @@
only_contains_attribute_certs=False,
only_some_reasons=None,
full_name=None,
- relative_name=x509.RelativeDistinguishedName([
- x509.NameAttribute(
- oid=x509.NameOID.ORGANIZATION_NAME, value=u"PyCA")
- ])
+ relative_name=x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ oid=x509.NameOID.ORGANIZATION_NAME, value=u"PyCA"
+ )
+ ]
+ ),
)
idp2 = x509.IssuingDistributionPoint(
only_contains_user_certs=False,
@@ -4675,10 +5156,13 @@
only_contains_attribute_certs=False,
only_some_reasons=None,
full_name=None,
- relative_name=x509.RelativeDistinguishedName([
- x509.NameAttribute(
- oid=x509.NameOID.ORGANIZATION_NAME, value=u"PyCA")
- ])
+ relative_name=x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ oid=x509.NameOID.ORGANIZATION_NAME, value=u"PyCA"
+ )
+ ]
+ ),
)
assert idp1 == idp2
@@ -4690,10 +5174,13 @@
only_contains_attribute_certs=False,
only_some_reasons=None,
full_name=None,
- relative_name=x509.RelativeDistinguishedName([
- x509.NameAttribute(
- oid=x509.NameOID.ORGANIZATION_NAME, value=u"PyCA")
- ])
+ relative_name=x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ oid=x509.NameOID.ORGANIZATION_NAME, value=u"PyCA"
+ )
+ ]
+ ),
)
idp2 = x509.IssuingDistributionPoint(
only_contains_user_certs=True,
@@ -4702,10 +5189,13 @@
only_contains_attribute_certs=False,
only_some_reasons=None,
full_name=None,
- relative_name=x509.RelativeDistinguishedName([
- x509.NameAttribute(
- oid=x509.NameOID.ORGANIZATION_NAME, value=u"PyCA")
- ])
+ relative_name=x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ oid=x509.NameOID.ORGANIZATION_NAME, value=u"PyCA"
+ )
+ ]
+ ),
)
assert idp1 != idp2
assert idp1 != object()
@@ -4719,11 +5209,18 @@
)
idp3 = x509.IssuingDistributionPoint(
None,
- x509.RelativeDistinguishedName([
- x509.NameAttribute(
- oid=x509.NameOID.ORGANIZATION_NAME, value=u"PyCA")
- ]),
- True, False, None, False, False
+ x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ oid=x509.NameOID.ORGANIZATION_NAME, value=u"PyCA"
+ )
+ ]
+ ),
+ True,
+ False,
+ None,
+ False,
+ False,
)
assert hash(idp1) == hash(idp2)
assert hash(idp1) != hash(idp3)
@@ -4787,11 +5284,13 @@
),
x509.IssuingDistributionPoint(
full_name=None,
- relative_name=x509.RelativeDistinguishedName([
- x509.NameAttribute(
- oid=x509.NameOID.ORGANIZATION_NAME, value=u"PyCA"
- )
- ]),
+ relative_name=x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ oid=x509.NameOID.ORGANIZATION_NAME, value=u"PyCA"
+ )
+ ]
+ ),
only_contains_user_certs=False,
only_contains_ca_certs=True,
only_some_reasons=None,
@@ -4809,53 +5308,65 @@
),
x509.IssuingDistributionPoint(
full_name=None,
- relative_name=x509.RelativeDistinguishedName([
- x509.NameAttribute(
- oid=x509.NameOID.ORGANIZATION_NAME, value=u"PyCA"),
- x509.NameAttribute(
- oid=x509.NameOID.COMMON_NAME, value=u"cryptography")
- ]),
+ relative_name=x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ oid=x509.NameOID.ORGANIZATION_NAME, value=u"PyCA"
+ ),
+ x509.NameAttribute(
+ oid=x509.NameOID.COMMON_NAME, value=u"cryptography"
+ ),
+ ]
+ ),
only_contains_user_certs=True,
only_contains_ca_certs=False,
- only_some_reasons=frozenset([
- x509.ReasonFlags.key_compromise,
- x509.ReasonFlags.ca_compromise,
- x509.ReasonFlags.affiliation_changed,
- x509.ReasonFlags.privilege_withdrawn,
- x509.ReasonFlags.aa_compromise,
- ]),
+ only_some_reasons=frozenset(
+ [
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ x509.ReasonFlags.affiliation_changed,
+ x509.ReasonFlags.privilege_withdrawn,
+ x509.ReasonFlags.aa_compromise,
+ ]
+ ),
indirect_crl=False,
only_contains_attribute_certs=False,
),
x509.IssuingDistributionPoint(
full_name=None,
- relative_name=x509.RelativeDistinguishedName([
- x509.NameAttribute(
- oid=x509.NameOID.ORGANIZATION_NAME, value=u"PyCA"
- )
- ]),
+ relative_name=x509.RelativeDistinguishedName(
+ [
+ x509.NameAttribute(
+ oid=x509.NameOID.ORGANIZATION_NAME, value=u"PyCA"
+ )
+ ]
+ ),
only_contains_user_certs=False,
only_contains_ca_certs=False,
only_some_reasons=None,
indirect_crl=False,
only_contains_attribute_certs=False,
),
- ]
+ ],
)
def test_generate(self, idp, backend):
key = RSA_KEY_2048.private_key(backend)
last_update = datetime.datetime(2002, 1, 1, 12, 1)
next_update = datetime.datetime(2030, 1, 1, 12, 1)
- builder = x509.CertificateRevocationListBuilder().issuer_name(
- x509.Name([
- x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA")
- ])
- ).last_update(
- last_update
- ).next_update(
- next_update
- ).add_extension(
- idp, True
+ builder = (
+ x509.CertificateRevocationListBuilder()
+ .issuer_name(
+ x509.Name(
+ [
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography.io CA"
+ )
+ ]
+ )
+ )
+ .last_update(last_update)
+ .next_update(next_update)
+ .add_extension(idp, True)
)
crl = builder.sign(key, hashes.SHA256(), backend)
@@ -4873,7 +5384,7 @@
cert = _load_cert(
os.path.join("x509", "cryptography.io.precert.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
poison = cert.extensions.get_extension_for_oid(
ExtensionOID.PRECERT_POISON
@@ -4886,90 +5397,142 @@
def test_generate(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
- cert = _make_certbuilder(private_key).add_extension(
- x509.PrecertPoison(), critical=True
- ).sign(private_key, hashes.SHA256(), backend)
+ cert = (
+ _make_certbuilder(private_key)
+ .add_extension(x509.PrecertPoison(), critical=True)
+ .sign(private_key, hashes.SHA256(), backend)
+ )
poison = cert.extensions.get_extension_for_oid(
ExtensionOID.PRECERT_POISON
).value
assert isinstance(poison, x509.PrecertPoison)
+ def test_eq(self):
+ pcp1 = x509.PrecertPoison()
+ pcp2 = x509.PrecertPoison()
+
+ assert pcp1 == pcp2
+
+ def test_hash(self):
+ pcp1 = x509.PrecertPoison()
+ pcp2 = x509.PrecertPoison()
+
+ assert hash(pcp1) == hash(pcp2)
+
+ def test_ne(self):
+ pcp1 = x509.PrecertPoison()
+ pcp2 = x509.PrecertPoison()
+
+ assert pcp1 == pcp2
+ assert (pcp1 != pcp2) is False
+ assert pcp1 != object()
+
+ def test_repr(self):
+ pcp = x509.PrecertPoison()
+
+ assert repr(pcp) == "<PrecertPoison()>"
+
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
class TestSignedCertificateTimestamps(object):
@pytest.mark.supported(
- only_if=lambda backend: (
- backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER),
- skip_message="Requires OpenSSL 1.1.0f+",
+ only_if=lambda backend: (backend._lib.Cryptography_HAS_SCT),
+ skip_message="Requires CT support",
)
def test_eq(self, backend):
- sct = _load_cert(
- os.path.join("x509", "badssl-sct.pem"),
- x509.load_pem_x509_certificate,
- backend
- ).extensions.get_extension_for_class(
- x509.PrecertificateSignedCertificateTimestamps
- ).value[0]
- sct2 = _load_cert(
- os.path.join("x509", "badssl-sct.pem"),
- x509.load_pem_x509_certificate,
- backend
- ).extensions.get_extension_for_class(
- x509.PrecertificateSignedCertificateTimestamps
- ).value[0]
+ sct = (
+ _load_cert(
+ os.path.join("x509", "badssl-sct.pem"),
+ x509.load_pem_x509_certificate,
+ backend,
+ )
+ .extensions.get_extension_for_class(
+ x509.PrecertificateSignedCertificateTimestamps
+ )
+ .value[0]
+ )
+ sct2 = (
+ _load_cert(
+ os.path.join("x509", "badssl-sct.pem"),
+ x509.load_pem_x509_certificate,
+ backend,
+ )
+ .extensions.get_extension_for_class(
+ x509.PrecertificateSignedCertificateTimestamps
+ )
+ .value[0]
+ )
assert sct == sct2
@pytest.mark.supported(
- only_if=lambda backend: (
- backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER),
- skip_message="Requires OpenSSL 1.1.0f+",
+ only_if=lambda backend: (backend._lib.Cryptography_HAS_SCT),
+ skip_message="Requires CT support",
)
def test_ne(self, backend):
- sct = _load_cert(
- os.path.join("x509", "badssl-sct.pem"),
- x509.load_pem_x509_certificate,
- backend
- ).extensions.get_extension_for_class(
- x509.PrecertificateSignedCertificateTimestamps
- ).value[0]
- sct2 = _load_cert(
- os.path.join("x509", "cryptography-scts.pem"),
- x509.load_pem_x509_certificate,
- backend
- ).extensions.get_extension_for_class(
- x509.PrecertificateSignedCertificateTimestamps
- ).value[0]
+ sct = (
+ _load_cert(
+ os.path.join("x509", "badssl-sct.pem"),
+ x509.load_pem_x509_certificate,
+ backend,
+ )
+ .extensions.get_extension_for_class(
+ x509.PrecertificateSignedCertificateTimestamps
+ )
+ .value[0]
+ )
+ sct2 = (
+ _load_cert(
+ os.path.join("x509", "cryptography-scts.pem"),
+ x509.load_pem_x509_certificate,
+ backend,
+ )
+ .extensions.get_extension_for_class(
+ x509.PrecertificateSignedCertificateTimestamps
+ )
+ .value[0]
+ )
assert sct != sct2
assert sct != object()
@pytest.mark.supported(
- only_if=lambda backend: (
- backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER),
- skip_message="Requires OpenSSL 1.1.0f+",
+ only_if=lambda backend: (backend._lib.Cryptography_HAS_SCT),
+ skip_message="Requires CT support",
)
def test_hash(self, backend):
- sct = _load_cert(
- os.path.join("x509", "badssl-sct.pem"),
- x509.load_pem_x509_certificate,
- backend
- ).extensions.get_extension_for_class(
- x509.PrecertificateSignedCertificateTimestamps
- ).value[0]
- sct2 = _load_cert(
- os.path.join("x509", "badssl-sct.pem"),
- x509.load_pem_x509_certificate,
- backend
- ).extensions.get_extension_for_class(
- x509.PrecertificateSignedCertificateTimestamps
- ).value[0]
- sct3 = _load_cert(
- os.path.join("x509", "cryptography-scts.pem"),
- x509.load_pem_x509_certificate,
- backend
- ).extensions.get_extension_for_class(
- x509.PrecertificateSignedCertificateTimestamps
- ).value[0]
+ sct = (
+ _load_cert(
+ os.path.join("x509", "badssl-sct.pem"),
+ x509.load_pem_x509_certificate,
+ backend,
+ )
+ .extensions.get_extension_for_class(
+ x509.PrecertificateSignedCertificateTimestamps
+ )
+ .value[0]
+ )
+ sct2 = (
+ _load_cert(
+ os.path.join("x509", "badssl-sct.pem"),
+ x509.load_pem_x509_certificate,
+ backend,
+ )
+ .extensions.get_extension_for_class(
+ x509.PrecertificateSignedCertificateTimestamps
+ )
+ .value[0]
+ )
+ sct3 = (
+ _load_cert(
+ os.path.join("x509", "cryptography-scts.pem"),
+ x509.load_pem_x509_certificate,
+ backend,
+ )
+ .extensions.get_extension_for_class(
+ x509.PrecertificateSignedCertificateTimestamps
+ )
+ .value[0]
+ )
assert hash(sct) == hash(sct2)
assert hash(sct) != hash(sct3)
@@ -4987,90 +5550,114 @@
)
@pytest.mark.supported(
- only_if=lambda backend: (
- backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER),
- skip_message="Requires OpenSSL 1.1.0f+",
+ only_if=lambda backend: (backend._lib.Cryptography_HAS_SCT),
+ skip_message="Requires CT support",
)
def test_eq(self, backend):
- psct1 = _load_cert(
- os.path.join("x509", "badssl-sct.pem"),
- x509.load_pem_x509_certificate,
- backend
- ).extensions.get_extension_for_class(
- x509.PrecertificateSignedCertificateTimestamps
- ).value
- psct2 = _load_cert(
- os.path.join("x509", "badssl-sct.pem"),
- x509.load_pem_x509_certificate,
- backend
- ).extensions.get_extension_for_class(
- x509.PrecertificateSignedCertificateTimestamps
- ).value
+ psct1 = (
+ _load_cert(
+ os.path.join("x509", "badssl-sct.pem"),
+ x509.load_pem_x509_certificate,
+ backend,
+ )
+ .extensions.get_extension_for_class(
+ x509.PrecertificateSignedCertificateTimestamps
+ )
+ .value
+ )
+ psct2 = (
+ _load_cert(
+ os.path.join("x509", "badssl-sct.pem"),
+ x509.load_pem_x509_certificate,
+ backend,
+ )
+ .extensions.get_extension_for_class(
+ x509.PrecertificateSignedCertificateTimestamps
+ )
+ .value
+ )
assert psct1 == psct2
@pytest.mark.supported(
- only_if=lambda backend: (
- backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER),
- skip_message="Requires OpenSSL 1.1.0f+",
+ only_if=lambda backend: (backend._lib.Cryptography_HAS_SCT),
+ skip_message="Requires CT support",
)
def test_ne(self, backend):
- psct1 = _load_cert(
- os.path.join("x509", "cryptography-scts.pem"),
- x509.load_pem_x509_certificate,
- backend
- ).extensions.get_extension_for_class(
- x509.PrecertificateSignedCertificateTimestamps
- ).value
- psct2 = _load_cert(
- os.path.join("x509", "badssl-sct.pem"),
- x509.load_pem_x509_certificate,
- backend
- ).extensions.get_extension_for_class(
- x509.PrecertificateSignedCertificateTimestamps
- ).value
+ psct1 = (
+ _load_cert(
+ os.path.join("x509", "cryptography-scts.pem"),
+ x509.load_pem_x509_certificate,
+ backend,
+ )
+ .extensions.get_extension_for_class(
+ x509.PrecertificateSignedCertificateTimestamps
+ )
+ .value
+ )
+ psct2 = (
+ _load_cert(
+ os.path.join("x509", "badssl-sct.pem"),
+ x509.load_pem_x509_certificate,
+ backend,
+ )
+ .extensions.get_extension_for_class(
+ x509.PrecertificateSignedCertificateTimestamps
+ )
+ .value
+ )
assert psct1 != psct2
assert psct1 != object()
@pytest.mark.supported(
- only_if=lambda backend: (
- backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER),
- skip_message="Requires OpenSSL 1.1.0f+",
+ only_if=lambda backend: (backend._lib.Cryptography_HAS_SCT),
+ skip_message="Requires CT support",
)
def test_hash(self, backend):
- psct1 = _load_cert(
- os.path.join("x509", "badssl-sct.pem"),
- x509.load_pem_x509_certificate,
- backend
- ).extensions.get_extension_for_class(
- x509.PrecertificateSignedCertificateTimestamps
- ).value
- psct2 = _load_cert(
- os.path.join("x509", "badssl-sct.pem"),
- x509.load_pem_x509_certificate,
- backend
- ).extensions.get_extension_for_class(
- x509.PrecertificateSignedCertificateTimestamps
- ).value
- psct3 = _load_cert(
- os.path.join("x509", "cryptography-scts.pem"),
- x509.load_pem_x509_certificate,
- backend
- ).extensions.get_extension_for_class(
- x509.PrecertificateSignedCertificateTimestamps
- ).value
+ psct1 = (
+ _load_cert(
+ os.path.join("x509", "badssl-sct.pem"),
+ x509.load_pem_x509_certificate,
+ backend,
+ )
+ .extensions.get_extension_for_class(
+ x509.PrecertificateSignedCertificateTimestamps
+ )
+ .value
+ )
+ psct2 = (
+ _load_cert(
+ os.path.join("x509", "badssl-sct.pem"),
+ x509.load_pem_x509_certificate,
+ backend,
+ )
+ .extensions.get_extension_for_class(
+ x509.PrecertificateSignedCertificateTimestamps
+ )
+ .value
+ )
+ psct3 = (
+ _load_cert(
+ os.path.join("x509", "cryptography-scts.pem"),
+ x509.load_pem_x509_certificate,
+ backend,
+ )
+ .extensions.get_extension_for_class(
+ x509.PrecertificateSignedCertificateTimestamps
+ )
+ .value
+ )
assert hash(psct1) == hash(psct2)
assert hash(psct1) != hash(psct3)
@pytest.mark.supported(
- only_if=lambda backend: (
- backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER),
- skip_message="Requires OpenSSL 1.1.0f+",
+ only_if=lambda backend: (backend._lib.Cryptography_HAS_SCT),
+ skip_message="Requires CT support",
)
def test_simple(self, backend):
cert = _load_cert(
os.path.join("x509", "badssl-sct.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
scts = cert.extensions.get_extension_for_class(
x509.PrecertificateSignedCertificateTimestamps
@@ -5087,20 +5674,46 @@
2016, 11, 17, 1, 56, 25, 396000
)
assert (
- sct.entry_type ==
- x509.certificate_transparency.LogEntryType.PRE_CERTIFICATE
+ sct.entry_type
+ == x509.certificate_transparency.LogEntryType.PRE_CERTIFICATE
)
@pytest.mark.supported(
- only_if=lambda backend: (
- not backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER),
- skip_message="Requires OpenSSL < 1.1.0",
+ only_if=lambda backend: (backend._lib.Cryptography_HAS_SCT),
+ skip_message="Requires CT support",
+ )
+ def test_generate(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "badssl-sct.pem"),
+ x509.load_pem_x509_certificate,
+ backend,
+ )
+ scts = cert.extensions.get_extension_for_class(
+ x509.PrecertificateSignedCertificateTimestamps
+ ).value
+ assert len(scts) == 1
+ [sct] = scts
+
+ private_key = RSA_KEY_2048.private_key(backend)
+ builder = _make_certbuilder(private_key).add_extension(
+ x509.PrecertificateSignedCertificateTimestamps([sct]),
+ critical=False,
+ )
+ cert = builder.sign(private_key, hashes.SHA256(), backend)
+ ext = cert.extensions.get_extension_for_class(
+ x509.PrecertificateSignedCertificateTimestamps
+ ).value
+ assert list(ext) == [sct]
+
+ @pytest.mark.supported(
+ only_if=lambda backend: backend._lib.CRYPTOGRAPHY_IS_LIBRESSL,
+ skip_message="Requires LibreSSL",
)
def test_skips_scts_if_unsupported(self, backend):
cert = _load_cert(
os.path.join("x509", "badssl-sct.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
assert len(cert.extensions) == 10
with pytest.raises(x509.ExtensionNotFound):
@@ -5119,11 +5732,9 @@
class TestInvalidExtension(object):
def test_invalid_certificate_policies_data(self, backend):
cert = _load_cert(
- os.path.join(
- "x509", "custom", "cp_invalid.pem"
- ),
+ os.path.join("x509", "custom", "cp_invalid.pem"),
x509.load_pem_x509_certificate,
- backend
+ backend,
)
with pytest.raises(ValueError):
cert.extensions
@@ -5158,3 +5769,10 @@
nonce3 = x509.OCSPNonce(b"1" * 5)
assert hash(nonce1) == hash(nonce2)
assert hash(nonce1) != hash(nonce3)
+
+
+def test_all_extension_oid_members_have_names_defined():
+ for oid in dir(ExtensionOID):
+ if oid.startswith("__"):
+ continue
+ assert getattr(ExtensionOID, oid) in _OID_NAMES
diff --git a/tests/x509/test_x509_revokedcertbuilder.py b/tests/x509/test_x509_revokedcertbuilder.py
index 75c6b26..0db6d2a 100644
--- a/tests/x509/test_x509_revokedcertbuilder.py
+++ b/tests/x509/test_x509_revokedcertbuilder.py
@@ -30,10 +30,10 @@
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_minimal_serial_number(self, backend):
revocation_date = datetime.datetime(2002, 1, 1, 12, 1)
- builder = x509.RevokedCertificateBuilder().serial_number(
- 1
- ).revocation_date(
- revocation_date
+ builder = (
+ x509.RevokedCertificateBuilder()
+ .serial_number(1)
+ .revocation_date(revocation_date)
)
revoked_certificate = builder.build(backend)
@@ -42,10 +42,10 @@
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_biggest_serial_number(self, backend):
revocation_date = datetime.datetime(2002, 1, 1, 12, 1)
- builder = x509.RevokedCertificateBuilder().serial_number(
- (1 << 159) - 1
- ).revocation_date(
- revocation_date
+ builder = (
+ x509.RevokedCertificateBuilder()
+ .serial_number((1 << 159) - 1)
+ .revocation_date(revocation_date)
)
revoked_certificate = builder.build(backend)
@@ -67,10 +67,10 @@
time = tz.localize(time)
utc_time = datetime.datetime(2012, 1, 17, 6, 43)
serial_number = 333
- builder = x509.RevokedCertificateBuilder().serial_number(
- serial_number
- ).revocation_date(
- time
+ builder = (
+ x509.RevokedCertificateBuilder()
+ .serial_number(serial_number)
+ .revocation_date(time)
)
revoked_certificate = builder.build(backend)
@@ -129,10 +129,10 @@
def test_create_revoked(self, backend):
serial_number = 333
revocation_date = datetime.datetime(2002, 1, 1, 12, 1)
- builder = x509.RevokedCertificateBuilder().serial_number(
- serial_number
- ).revocation_date(
- revocation_date
+ builder = (
+ x509.RevokedCertificateBuilder()
+ .serial_number(serial_number)
+ .revocation_date(revocation_date)
)
revoked_certificate = builder.build(backend)
@@ -145,21 +145,18 @@
[
x509.InvalidityDate(datetime.datetime(2015, 1, 1, 0, 0)),
x509.CRLReason(x509.ReasonFlags.ca_compromise),
- x509.CertificateIssuer([
- x509.DNSName(u"cryptography.io"),
- ])
- ]
+ x509.CertificateIssuer([x509.DNSName(u"cryptography.io")]),
+ ],
)
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_add_extensions(self, backend, extension):
serial_number = 333
revocation_date = datetime.datetime(2002, 1, 1, 12, 1)
- builder = x509.RevokedCertificateBuilder().serial_number(
- serial_number
- ).revocation_date(
- revocation_date
- ).add_extension(
- extension, False
+ builder = (
+ x509.RevokedCertificateBuilder()
+ .serial_number(serial_number)
+ .revocation_date(revocation_date)
+ .add_extension(extension, False)
)
revoked_certificate = builder.build(backend)
@@ -179,20 +176,17 @@
invalidity_date = x509.InvalidityDate(
datetime.datetime(2015, 1, 1, 0, 0)
)
- certificate_issuer = x509.CertificateIssuer([
- x509.DNSName(u"cryptography.io"),
- ])
+ certificate_issuer = x509.CertificateIssuer(
+ [x509.DNSName(u"cryptography.io")]
+ )
crl_reason = x509.CRLReason(x509.ReasonFlags.aa_compromise)
- builder = x509.RevokedCertificateBuilder().serial_number(
- serial_number
- ).revocation_date(
- revocation_date
- ).add_extension(
- invalidity_date, True
- ).add_extension(
- crl_reason, True
- ).add_extension(
- certificate_issuer, True
+ builder = (
+ x509.RevokedCertificateBuilder()
+ .serial_number(serial_number)
+ .revocation_date(revocation_date)
+ .add_extension(invalidity_date, True)
+ .add_extension(crl_reason, True)
+ .add_extension(certificate_issuer, True)
)
revoked_certificate = builder.build(backend)