Begin the deprecation of auto-idna for x509.DNSName (#3830)
* Begin the deprecation of auto-idna for x509.DNSName
Refs #3357
* fix warning
* py3k fixes
* fix docs
* sigh
* flake8
* these are words
* words
* tests for coverage
* another test
* do idna things
* more idna things
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 41ccbed..661461d 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -225,7 +225,7 @@
assert aia.value == x509.AuthorityInformationAccess([
x509.AccessDescription(
AuthorityInformationAccessOID.CA_ISSUERS,
- x509.DNSName(u"cryptography.io")
+ x509.DNSName(b"cryptography.io")
)
])
assert ian.value == x509.IssuerAlternativeName([
@@ -1176,8 +1176,8 @@
ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert list(ext.value) == [
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"sub.cryptography.io"),
+ x509.DNSName(b"cryptography.io"),
+ x509.DNSName(b"sub.cryptography.io"),
]
def test_public_bytes_pem(self, backend):
@@ -1405,7 +1405,7 @@
).add_extension(
x509.BasicConstraints(ca=False, path_length=None), True,
).add_extension(
- x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
+ x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]),
critical=False,
).not_valid_before(
not_valid_before
@@ -1427,7 +1427,7 @@
ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert list(subject_alternative_name.value) == [
- x509.DNSName(u"cryptography.io"),
+ x509.DNSName(b"cryptography.io"),
]
def test_build_cert_printable_string_country_name(self, backend):
@@ -2166,7 +2166,7 @@
).add_extension(
x509.BasicConstraints(ca=False, path_length=None), True,
).add_extension(
- x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
+ x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]),
critical=False,
).not_valid_before(
not_valid_before
@@ -2188,7 +2188,7 @@
ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert list(subject_alternative_name.value) == [
- x509.DNSName(u"cryptography.io"),
+ x509.DNSName(b"cryptography.io"),
]
@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
@@ -2212,7 +2212,7 @@
).add_extension(
x509.BasicConstraints(ca=False, path_length=None), True,
).add_extension(
- x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
+ x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]),
critical=False,
).not_valid_before(
not_valid_before
@@ -2234,7 +2234,7 @@
ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert list(subject_alternative_name.value) == [
- x509.DNSName(u"cryptography.io"),
+ x509.DNSName(b"cryptography.io"),
]
@pytest.mark.requires_backend_interface(interface=RSABackend)
@@ -2375,7 +2375,7 @@
123
).add_extension(
x509.IssuerAlternativeName([
- x509.DNSName(u"myissuer"),
+ x509.DNSName(b"myissuer"),
x509.RFC822Name(u"email@domain.com"),
]), critical=False
).sign(issuer_private_key, hashes.SHA256(), backend)
@@ -2385,7 +2385,7 @@
)
assert ext.critical is False
assert ext.value == x509.IssuerAlternativeName([
- x509.DNSName(u"myissuer"),
+ x509.DNSName(b"myissuer"),
x509.RFC822Name(u"email@domain.com"),
])
@@ -2525,7 +2525,7 @@
ipaddress.IPv6Network(u"FF:FF:0:0:0:0:0:0/128")
),
],
- excluded_subtrees=[x509.DNSName(u"name.local")]
+ excluded_subtrees=[x509.DNSName(b"name.local")]
),
x509.NameConstraints(
permitted_subtrees=[
@@ -2535,7 +2535,7 @@
),
x509.NameConstraints(
permitted_subtrees=None,
- excluded_subtrees=[x509.DNSName(u"name.local")]
+ excluded_subtrees=[x509.DNSName(b"name.local")]
),
]
)
@@ -2909,7 +2909,7 @@
x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])
).add_extension(
- x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
+ x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]),
critical=False,
).add_extension(
DummyExtension(), False
@@ -2995,7 +2995,7 @@
request = builder.subject_name(
x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
).add_extension(
- x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
+ x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]),
critical=False,
).add_extension(
x509.BasicConstraints(ca=True, path_length=2), critical=True
@@ -3012,7 +3012,7 @@
ext = request.extensions.get_extension_for_oid(
ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
- assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
+ assert list(ext.value) == [x509.DNSName(b"cryptography.io")]
def test_set_subject_twice(self):
builder = x509.CertificateSigningRequestBuilder()
@@ -3032,8 +3032,8 @@
private_key = RSA_KEY_2048.private_key(backend)
san = x509.SubjectAlternativeName([
- x509.DNSName(u"example.com"),
- x509.DNSName(u"*.example.com"),
+ x509.DNSName(b"example.com"),
+ x509.DNSName(b"*.example.com"),
x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
x509.DirectoryName(x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index c324397..b707156 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -13,7 +13,7 @@
import six
-from cryptography import x509
+from cryptography import utils, x509
from cryptography.hazmat.backends.interfaces import (
DSABackend, EllipticCurveBackend, RSABackend, X509Backend
)
@@ -152,20 +152,20 @@
class TestCertificateIssuer(object):
def test_iter_names(self):
ci = x509.CertificateIssuer([
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
+ x509.DNSName(b"cryptography.io"),
+ x509.DNSName(b"crypto.local"),
])
assert len(ci) == 2
assert list(ci) == [
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
+ x509.DNSName(b"cryptography.io"),
+ x509.DNSName(b"crypto.local"),
]
def test_indexing(self):
ci = x509.CertificateIssuer([
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
- x509.DNSName(u"another.local"),
+ x509.DNSName(b"cryptography.io"),
+ x509.DNSName(b"crypto.local"),
+ x509.DNSName(b"another.local"),
x509.RFC822Name(u"email@another.local"),
x509.UniformResourceIdentifier(u"http://another.local"),
])
@@ -173,26 +173,32 @@
assert ci[2:6:2] == [ci[2], ci[4]]
def test_eq(self):
- ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
- ci2 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
+ ci1 = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")])
+ ci2 = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")])
assert ci1 == ci2
def test_ne(self):
- ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
- ci2 = x509.CertificateIssuer([x509.DNSName(u"somethingelse.tld")])
+ ci1 = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")])
+ ci2 = x509.CertificateIssuer([x509.DNSName(b"somethingelse.tld")])
assert ci1 != ci2
assert ci1 != object()
def test_repr(self):
- ci = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
- assert repr(ci) == (
- "<CertificateIssuer(<GeneralNames([<DNSName(value=cryptography.io"
- ")>])>)>"
- )
+ ci = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")])
+ if six.PY3:
+ assert repr(ci) == (
+ "<CertificateIssuer(<GeneralNames([<DNSName(bytes_value="
+ "b'cryptography.io')>])>)>"
+ )
+ else:
+ assert repr(ci) == (
+ "<CertificateIssuer(<GeneralNames([<DNSName(bytes_value="
+ "'cryptography.io')>])>)>"
+ )
def test_get_values_for_type(self):
ci = x509.CertificateIssuer(
- [x509.DNSName(u"cryptography.io")]
+ [x509.DNSName(b"cryptography.io")]
)
names = ci.get_values_for_type(x509.DNSName)
assert names == [u"cryptography.io"]
@@ -891,7 +897,7 @@
assert aki.authority_cert_serial_number is None
def test_authority_cert_serial_zero(self):
- dns = x509.DNSName(u"SomeIssuer")
+ dns = x509.DNSName(b"SomeIssuer")
aki = x509.AuthorityKeyIdentifier(b"id", [dns], 0)
assert aki.key_identifier == b"id"
assert aki.authority_cert_issuer == [dns]
@@ -1434,7 +1440,6 @@
@pytest.mark.parametrize(
"name", [
x509.RFC822Name,
- x509.DNSName,
x509.UniformResourceIdentifier
]
)
@@ -1462,6 +1467,32 @@
assert gn != object()
+class TestDNSName(object):
+ def test_init(self):
+ with pytest.warns(utils.DeprecatedIn21):
+ name = x509.DNSName(u"*.\xf5\xe4\xf6\xfc.example.com")
+ assert name.bytes_value == b"*.xn--4ca7aey.example.com"
+
+ with pytest.warns(utils.DeprecatedIn21):
+ name = x509.DNSName(u".\xf5\xe4\xf6\xfc.example.com")
+ assert name.bytes_value == b".xn--4ca7aey.example.com"
+ assert name.value == u".\xf5\xe4\xf6\xfc.example.com"
+
+ with pytest.warns(utils.DeprecatedIn21):
+ name = x509.DNSName(u"\xf5\xe4\xf6\xfc.example.com")
+ assert name.bytes_value == b"xn--4ca7aey.example.com"
+
+ with pytest.raises(TypeError):
+ x509.DNSName(1.3)
+
+ def test_ne(self):
+ n1 = x509.DNSName(b"test1")
+ n2 = x509.DNSName(b"test2")
+ n3 = x509.DNSName(b"test2")
+ assert n1 != n2
+ assert not (n2 != n3)
+
+
class TestDirectoryName(object):
def test_not_name(self):
with pytest.raises(TypeError):
@@ -1686,35 +1717,35 @@
class TestGeneralNames(object):
def test_get_values_for_type(self):
gns = x509.GeneralNames(
- [x509.DNSName(u"cryptography.io")]
+ [x509.DNSName(b"cryptography.io")]
)
names = gns.get_values_for_type(x509.DNSName)
assert names == [u"cryptography.io"]
def test_iter_names(self):
gns = x509.GeneralNames([
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
+ x509.DNSName(b"cryptography.io"),
+ x509.DNSName(b"crypto.local"),
])
assert len(gns) == 2
assert list(gns) == [
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
+ x509.DNSName(b"cryptography.io"),
+ x509.DNSName(b"crypto.local"),
]
def test_iter_input(self):
names = [
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
+ x509.DNSName(b"cryptography.io"),
+ x509.DNSName(b"crypto.local"),
]
gns = x509.GeneralNames(iter(names))
assert list(gns) == names
def test_indexing(self):
gn = x509.GeneralNames([
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
- x509.DNSName(u"another.local"),
+ x509.DNSName(b"cryptography.io"),
+ x509.DNSName(b"crypto.local"),
+ x509.DNSName(b"another.local"),
x509.RFC822Name(u"email@another.local"),
x509.UniformResourceIdentifier(u"http://another.local"),
])
@@ -1724,31 +1755,36 @@
def test_invalid_general_names(self):
with pytest.raises(TypeError):
x509.GeneralNames(
- [x509.DNSName(u"cryptography.io"), "invalid"]
+ [x509.DNSName(b"cryptography.io"), "invalid"]
)
def test_repr(self):
gns = x509.GeneralNames(
[
- x509.DNSName(u"cryptography.io")
+ x509.DNSName(b"cryptography.io")
]
)
- assert repr(gns) == (
- "<GeneralNames([<DNSName(value=cryptography.io)>])>"
- )
+ if six.PY3:
+ assert repr(gns) == (
+ "<GeneralNames([<DNSName(bytes_value=b'cryptography.io')>])>"
+ )
+ else:
+ assert repr(gns) == (
+ "<GeneralNames([<DNSName(bytes_value='cryptography.io')>])>"
+ )
def test_eq(self):
gns = x509.GeneralNames(
- [x509.DNSName(u"cryptography.io")]
+ [x509.DNSName(b"cryptography.io")]
)
gns2 = x509.GeneralNames(
- [x509.DNSName(u"cryptography.io")]
+ [x509.DNSName(b"cryptography.io")]
)
assert gns == gns2
def test_ne(self):
gns = x509.GeneralNames(
- [x509.DNSName(u"cryptography.io")]
+ [x509.DNSName(b"cryptography.io")]
)
gns2 = x509.GeneralNames(
[x509.RFC822Name(u"admin@cryptography.io")]
@@ -1760,27 +1796,27 @@
class TestIssuerAlternativeName(object):
def test_get_values_for_type(self):
san = x509.IssuerAlternativeName(
- [x509.DNSName(u"cryptography.io")]
+ [x509.DNSName(b"cryptography.io")]
)
names = san.get_values_for_type(x509.DNSName)
assert names == [u"cryptography.io"]
def test_iter_names(self):
san = x509.IssuerAlternativeName([
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
+ x509.DNSName(b"cryptography.io"),
+ x509.DNSName(b"crypto.local"),
])
assert len(san) == 2
assert list(san) == [
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
+ x509.DNSName(b"cryptography.io"),
+ x509.DNSName(b"crypto.local"),
]
def test_indexing(self):
ian = x509.IssuerAlternativeName([
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
- x509.DNSName(u"another.local"),
+ x509.DNSName(b"cryptography.io"),
+ x509.DNSName(b"crypto.local"),
+ x509.DNSName(b"another.local"),
x509.RFC822Name(u"email@another.local"),
x509.UniformResourceIdentifier(u"http://another.local"),
])
@@ -1790,32 +1826,38 @@
def test_invalid_general_names(self):
with pytest.raises(TypeError):
x509.IssuerAlternativeName(
- [x509.DNSName(u"cryptography.io"), "invalid"]
+ [x509.DNSName(b"cryptography.io"), "invalid"]
)
def test_repr(self):
san = x509.IssuerAlternativeName(
[
- x509.DNSName(u"cryptography.io")
+ x509.DNSName(b"cryptography.io")
]
)
- assert repr(san) == (
- "<IssuerAlternativeName("
- "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
- )
+ if six.PY3:
+ assert repr(san) == (
+ "<IssuerAlternativeName("
+ "<GeneralNames([<DNSName(bytes_value=b'cryptography.io')>])>)>"
+ )
+ else:
+ assert repr(san) == (
+ "<IssuerAlternativeName("
+ "<GeneralNames([<DNSName(bytes_value='cryptography.io')>])>)>"
+ )
def test_eq(self):
san = x509.IssuerAlternativeName(
- [x509.DNSName(u"cryptography.io")]
+ [x509.DNSName(b"cryptography.io")]
)
san2 = x509.IssuerAlternativeName(
- [x509.DNSName(u"cryptography.io")]
+ [x509.DNSName(b"cryptography.io")]
)
assert san == san2
def test_ne(self):
san = x509.IssuerAlternativeName(
- [x509.DNSName(u"cryptography.io")]
+ [x509.DNSName(b"cryptography.io")]
)
san2 = x509.IssuerAlternativeName(
[x509.RFC822Name(u"admin@cryptography.io")]
@@ -1870,27 +1912,27 @@
class TestSubjectAlternativeName(object):
def test_get_values_for_type(self):
san = x509.SubjectAlternativeName(
- [x509.DNSName(u"cryptography.io")]
+ [x509.DNSName(b"cryptography.io")]
)
names = san.get_values_for_type(x509.DNSName)
assert names == [u"cryptography.io"]
def test_iter_names(self):
san = x509.SubjectAlternativeName([
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
+ x509.DNSName(b"cryptography.io"),
+ x509.DNSName(b"crypto.local"),
])
assert len(san) == 2
assert list(san) == [
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
+ x509.DNSName(b"cryptography.io"),
+ x509.DNSName(b"crypto.local"),
]
def test_indexing(self):
san = x509.SubjectAlternativeName([
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
- x509.DNSName(u"another.local"),
+ x509.DNSName(b"cryptography.io"),
+ x509.DNSName(b"crypto.local"),
+ x509.DNSName(b"another.local"),
x509.RFC822Name(u"email@another.local"),
x509.UniformResourceIdentifier(u"http://another.local"),
])
@@ -1900,32 +1942,38 @@
def test_invalid_general_names(self):
with pytest.raises(TypeError):
x509.SubjectAlternativeName(
- [x509.DNSName(u"cryptography.io"), "invalid"]
+ [x509.DNSName(b"cryptography.io"), "invalid"]
)
def test_repr(self):
san = x509.SubjectAlternativeName(
[
- x509.DNSName(u"cryptography.io")
+ x509.DNSName(b"cryptography.io")
]
)
- assert repr(san) == (
- "<SubjectAlternativeName("
- "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
- )
+ if six.PY3:
+ assert repr(san) == (
+ "<SubjectAlternativeName("
+ "<GeneralNames([<DNSName(bytes_value=b'cryptography.io')>])>)>"
+ )
+ else:
+ assert repr(san) == (
+ "<SubjectAlternativeName("
+ "<GeneralNames([<DNSName(bytes_value='cryptography.io')>])>)>"
+ )
def test_eq(self):
san = x509.SubjectAlternativeName(
- [x509.DNSName(u"cryptography.io")]
+ [x509.DNSName(b"cryptography.io")]
)
san2 = x509.SubjectAlternativeName(
- [x509.DNSName(u"cryptography.io")]
+ [x509.DNSName(b"cryptography.io")]
)
assert san == san2
def test_ne(self):
san = x509.SubjectAlternativeName(
- [x509.DNSName(u"cryptography.io")]
+ [x509.DNSName(b"cryptography.io")]
)
san2 = x509.SubjectAlternativeName(
[x509.RFC822Name(u"admin@cryptography.io")]
@@ -2124,8 +2172,15 @@
x509.load_pem_x509_certificate,
backend
)
+ san = cert.extensions.get_extension_for_class(
+ x509.SubjectAlternativeName
+ ).value
+
+ assert len(san) == 1
+ [name] = san
+ assert name.bytes_value == b"xn--k4h.ws"
with pytest.raises(UnicodeError):
- cert.extensions
+ name.value
def test_unicode_rfc822_name_dns_name_uri(self, backend):
cert = _load_cert(
@@ -2220,16 +2275,20 @@
assert othernames == [expected]
def test_certbuilder(self, backend):
- sans = [u'*.example.org', u'*.\xf5\xe4\xf6\xfc.example.com',
- u'foobar.example.net']
+ sans = [b'*.example.org', b'*.xn--4ca7aey.example.com',
+ b'foobar.example.net']
private_key = RSA_KEY_2048.private_key(backend)
builder = _make_certbuilder(private_key)
builder = builder.add_extension(
SubjectAlternativeName(list(map(DNSName, sans))), True)
cert = builder.sign(private_key, hashes.SHA1(), backend)
- result = [x.value for x in cert.extensions.get_extension_for_class(
- SubjectAlternativeName).value]
+ result = [
+ x.bytes_value
+ for x in cert.extensions.get_extension_for_class(
+ SubjectAlternativeName
+ ).value
+ ]
assert result == sans
@@ -2265,7 +2324,7 @@
class TestAccessDescription(object):
def test_invalid_access_method(self):
with pytest.raises(TypeError):
- x509.AccessDescription("notanoid", x509.DNSName(u"test"))
+ x509.AccessDescription("notanoid", x509.DNSName(b"test"))
def test_invalid_access_location(self):
with pytest.raises(TypeError):
@@ -2799,7 +2858,7 @@
x509.NameConstraints(None, None)
def test_permitted_none(self):
- excluded = [x509.DNSName(u"name.local")]
+ excluded = [x509.DNSName(b"name.local")]
nc = x509.NameConstraints(
permitted_subtrees=None, excluded_subtrees=excluded
)
@@ -2807,7 +2866,7 @@
assert nc.excluded_subtrees is not None
def test_excluded_none(self):
- permitted = [x509.DNSName(u"name.local")]
+ permitted = [x509.DNSName(b"name.local")]
nc = x509.NameConstraints(
permitted_subtrees=permitted, excluded_subtrees=None
)
@@ -2821,39 +2880,47 @@
assert list(nc.excluded_subtrees) == subtrees
def test_repr(self):
- permitted = [x509.DNSName(u"name.local"), x509.DNSName(u"name2.local")]
+ permitted = [x509.DNSName(b"name.local"), x509.DNSName(b"name2.local")]
nc = x509.NameConstraints(
permitted_subtrees=permitted,
excluded_subtrees=None
)
- assert repr(nc) == (
- "<NameConstraints(permitted_subtrees=[<DNSName(value=name.local)>"
- ", <DNSName(value=name2.local)>], excluded_subtrees=None)>"
- )
+ if six.PY3:
+ assert repr(nc) == (
+ "<NameConstraints(permitted_subtrees=[<DNSName("
+ "bytes_value=b'name.local')>, <DNSName(bytes_value="
+ "b'name2.local')>], excluded_subtrees=None)>"
+ )
+ else:
+ assert repr(nc) == (
+ "<NameConstraints(permitted_subtrees=[<DNSName("
+ "bytes_value='name.local')>, <DNSName(bytes_value="
+ "'name2.local')>], excluded_subtrees=None)>"
+ )
def test_eq(self):
nc = x509.NameConstraints(
- permitted_subtrees=[x509.DNSName(u"name.local")],
- excluded_subtrees=[x509.DNSName(u"name2.local")]
+ permitted_subtrees=[x509.DNSName(b"name.local")],
+ excluded_subtrees=[x509.DNSName(b"name2.local")]
)
nc2 = x509.NameConstraints(
- permitted_subtrees=[x509.DNSName(u"name.local")],
- excluded_subtrees=[x509.DNSName(u"name2.local")]
+ permitted_subtrees=[x509.DNSName(b"name.local")],
+ excluded_subtrees=[x509.DNSName(b"name2.local")]
)
assert nc == nc2
def test_ne(self):
nc = x509.NameConstraints(
- permitted_subtrees=[x509.DNSName(u"name.local")],
- excluded_subtrees=[x509.DNSName(u"name2.local")]
+ permitted_subtrees=[x509.DNSName(b"name.local")],
+ excluded_subtrees=[x509.DNSName(b"name2.local")]
)
nc2 = x509.NameConstraints(
- permitted_subtrees=[x509.DNSName(u"name.local")],
+ permitted_subtrees=[x509.DNSName(b"name.local")],
excluded_subtrees=None
)
nc3 = x509.NameConstraints(
permitted_subtrees=None,
- excluded_subtrees=[x509.DNSName(u"name2.local")]
+ excluded_subtrees=[x509.DNSName(b"name2.local")]
)
assert nc != nc2
@@ -2877,7 +2944,7 @@
).value
assert nc == x509.NameConstraints(
permitted_subtrees=[
- x509.DNSName(u"zombo.local"),
+ x509.DNSName(b"zombo.local"),
],
excluded_subtrees=[
x509.DirectoryName(x509.Name([
@@ -2899,7 +2966,7 @@
).value
assert nc == x509.NameConstraints(
permitted_subtrees=[
- x509.DNSName(u"zombo.local"),
+ x509.DNSName(b"zombo.local"),
],
excluded_subtrees=None
)
@@ -2917,7 +2984,7 @@
).value
assert nc == x509.NameConstraints(
permitted_subtrees=[
- x509.DNSName(u".cryptography.io"),
+ x509.DNSName(b".cryptography.io"),
x509.UniformResourceIdentifier(u"ftp://cryptography.test")
],
excluded_subtrees=None
@@ -2937,7 +3004,7 @@
assert nc == x509.NameConstraints(
permitted_subtrees=None,
excluded_subtrees=[
- x509.DNSName(u".cryptography.io"),
+ x509.DNSName(b".cryptography.io"),
x509.UniformResourceIdentifier(u"gopher://cryptography.test")
]
)
@@ -2959,7 +3026,7 @@
x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")),
],
excluded_subtrees=[
- x509.DNSName(u".domain.com"),
+ x509.DNSName(b".domain.com"),
x509.UniformResourceIdentifier(u"http://test.local"),
]
)
@@ -2997,8 +3064,8 @@
)
def test_certbuilder(self, backend):
- permitted = [u'.example.org', u'.\xf5\xe4\xf6\xfc.example.com',
- u'foobar.example.net']
+ permitted = [b'.example.org', b'.xn--4ca7aey.example.com',
+ b'foobar.example.net']
private_key = RSA_KEY_2048.private_key(backend)
builder = _make_certbuilder(private_key)
builder = builder.add_extension(
@@ -3006,8 +3073,12 @@
excluded_subtrees=[]), True)
cert = builder.sign(private_key, hashes.SHA1(), backend)
- result = [x.value for x in cert.extensions.get_extension_for_class(
- NameConstraints).value.permitted_subtrees]
+ result = [
+ x.bytes_value
+ for x in cert.extensions.get_extension_for_class(
+ NameConstraints
+ ).value.permitted_subtrees
+ ]
assert result == permitted
diff --git a/tests/test_x509_revokedcertbuilder.py b/tests/test_x509_revokedcertbuilder.py
index e3a0650..9fc5eaa 100644
--- a/tests/test_x509_revokedcertbuilder.py
+++ b/tests/test_x509_revokedcertbuilder.py
@@ -146,7 +146,7 @@
x509.InvalidityDate(datetime.datetime(2015, 1, 1, 0, 0)),
x509.CRLReason(x509.ReasonFlags.ca_compromise),
x509.CertificateIssuer([
- x509.DNSName(u"cryptography.io"),
+ x509.DNSName(b"cryptography.io"),
])
]
)
@@ -180,7 +180,7 @@
datetime.datetime(2015, 1, 1, 0, 0)
)
certificate_issuer = x509.CertificateIssuer([
- x509.DNSName(u"cryptography.io"),
+ x509.DNSName(b"cryptography.io"),
])
crl_reason = x509.CRLReason(x509.ReasonFlags.aa_compromise)
builder = x509.RevokedCertificateBuilder().serial_number(