Merge pull request #2258 from reaperhulk/changelog-update
add missing extensions to changelog
diff --git a/src/cryptography/x509/__init__.py b/src/cryptography/x509/__init__.py
index 3e6420e..389d737 100644
--- a/src/cryptography/x509/__init__.py
+++ b/src/cryptography/x509/__init__.py
@@ -5,7 +5,7 @@
from __future__ import absolute_import, division, print_function
from cryptography.x509.base import (
- AccessDescription, AuthorityInformationAccess, AuthorityKeyIdentifier,
+ AccessDescription, AuthorityInformationAccess,
BasicConstraints, CRLDistributionPoints, Certificate, CertificateBuilder,
CertificatePolicies, CertificateRevocationList, CertificateSigningRequest,
CertificateSigningRequestBuilder, DistributionPoint,
@@ -14,10 +14,13 @@
InvalidVersion, IssuerAlternativeName, KeyUsage, NameConstraints,
NoticeReference, OCSPNoCheck, ObjectIdentifier,
PolicyInformation, ReasonFlags,
- RevokedCertificate, SubjectAlternativeName, SubjectKeyIdentifier,
+ RevokedCertificate, SubjectAlternativeName,
UnsupportedExtension, UserNotice, Version, load_der_x509_certificate,
load_der_x509_csr, load_pem_x509_certificate, load_pem_x509_csr,
)
+from cryptography.x509.extensions import (
+ AuthorityKeyIdentifier, SubjectKeyIdentifier
+)
from cryptography.x509.general_name import (
DNSName, DirectoryName, GeneralName, IPAddress, OtherName, RFC822Name,
RegisteredID, UniformResourceIdentifier, UnsupportedGeneralNameType,
diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py
index 4f0d11e..b906c7a 100644
--- a/src/cryptography/x509/base.py
+++ b/src/cryptography/x509/base.py
@@ -6,17 +6,12 @@
import abc
import datetime
-import hashlib
import ipaddress
from enum import Enum
-from pyasn1.codec.der import decoder
-from pyasn1.type import namedtype, univ
-
import six
from cryptography import utils
-from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
from cryptography.x509.general_name import GeneralName, IPAddress, OtherName
from cryptography.x509.name import Name
@@ -25,34 +20,6 @@
)
-class _SubjectPublicKeyInfo(univ.Sequence):
- componentType = namedtype.NamedTypes(
- namedtype.NamedType('algorithm', univ.Sequence()),
- namedtype.NamedType('subjectPublicKey', univ.BitString())
- )
-
-
-def _key_identifier_from_public_key(public_key):
- # This is a very slow way to do this.
- serialized = public_key.public_bytes(
- serialization.Encoding.DER,
- serialization.PublicFormat.SubjectPublicKeyInfo
- )
- spki, remaining = decoder.decode(
- serialized, asn1Spec=_SubjectPublicKeyInfo()
- )
- assert not remaining
- # the univ.BitString object is a tuple of bits. We need bytes and
- # pyasn1 really doesn't want to give them to us. To get it we'll
- # build an integer and convert that to bytes.
- bits = 0
- for bit in spki.getComponentByName("subjectPublicKey"):
- bits = bits << 1 | bit
-
- data = utils.int_to_bytes(bits)
- return hashlib.sha1(data).digest()
-
-
_UNIX_EPOCH = datetime.datetime(1970, 1, 1)
@@ -534,34 +501,6 @@
@utils.register_interface(ExtensionType)
-class SubjectKeyIdentifier(object):
- oid = ExtensionOID.SUBJECT_KEY_IDENTIFIER
-
- def __init__(self, digest):
- self._digest = digest
-
- @classmethod
- def from_public_key(cls, public_key):
- return cls(_key_identifier_from_public_key(public_key))
-
- digest = utils.read_only_property("_digest")
-
- def __repr__(self):
- return "<SubjectKeyIdentifier(digest={0!r})>".format(self.digest)
-
- def __eq__(self, other):
- if not isinstance(other, SubjectKeyIdentifier):
- return NotImplemented
-
- return (
- self.digest == other.digest
- )
-
- def __ne__(self, other):
- return not self == other
-
-
-@utils.register_interface(ExtensionType)
class NameConstraints(object):
oid = ExtensionOID.NAME_CONSTRAINTS
@@ -876,74 +815,6 @@
return not self == other
-@utils.register_interface(ExtensionType)
-class AuthorityKeyIdentifier(object):
- oid = ExtensionOID.AUTHORITY_KEY_IDENTIFIER
-
- def __init__(self, key_identifier, authority_cert_issuer,
- authority_cert_serial_number):
- if authority_cert_issuer or authority_cert_serial_number:
- if not authority_cert_issuer or not authority_cert_serial_number:
- raise ValueError(
- "authority_cert_issuer and authority_cert_serial_number "
- "must both be present or both None"
- )
-
- if not all(
- isinstance(x, GeneralName) for x in authority_cert_issuer
- ):
- raise TypeError(
- "authority_cert_issuer must be a list of GeneralName "
- "objects"
- )
-
- if not isinstance(authority_cert_serial_number, six.integer_types):
- raise TypeError(
- "authority_cert_serial_number must be an integer"
- )
-
- self._key_identifier = key_identifier
- self._authority_cert_issuer = authority_cert_issuer
- self._authority_cert_serial_number = authority_cert_serial_number
-
- @classmethod
- def from_issuer_public_key(cls, public_key):
- digest = _key_identifier_from_public_key(public_key)
- return cls(
- key_identifier=digest,
- authority_cert_issuer=None,
- authority_cert_serial_number=None
- )
-
- def __repr__(self):
- return (
- "<AuthorityKeyIdentifier(key_identifier={0.key_identifier!r}, "
- "authority_cert_issuer={0.authority_cert_issuer}, "
- "authority_cert_serial_number={0.authority_cert_serial_number}"
- ")>".format(self)
- )
-
- def __eq__(self, other):
- if not isinstance(other, AuthorityKeyIdentifier):
- return NotImplemented
-
- return (
- self.key_identifier == other.key_identifier and
- self.authority_cert_issuer == other.authority_cert_issuer and
- self.authority_cert_serial_number ==
- other.authority_cert_serial_number
- )
-
- def __ne__(self, other):
- return not self == other
-
- key_identifier = utils.read_only_property("_key_identifier")
- authority_cert_issuer = utils.read_only_property("_authority_cert_issuer")
- authority_cert_serial_number = utils.read_only_property(
- "_authority_cert_serial_number"
- )
-
-
@six.add_metaclass(abc.ABCMeta)
class Certificate(object):
@abc.abstractmethod
diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py
new file mode 100644
index 0000000..3817553
--- /dev/null
+++ b/src/cryptography/x509/extensions.py
@@ -0,0 +1,144 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import hashlib
+
+from pyasn1.codec.der import decoder
+from pyasn1.type import namedtype, univ
+
+import six
+
+from cryptography import utils
+from cryptography.hazmat.primitives import serialization
+from cryptography.x509.base import ExtensionType
+from cryptography.x509.general_name import GeneralName
+from cryptography.x509.oid import (
+ ExtensionOID
+)
+
+
+class _SubjectPublicKeyInfo(univ.Sequence):
+ componentType = namedtype.NamedTypes(
+ namedtype.NamedType('algorithm', univ.Sequence()),
+ namedtype.NamedType('subjectPublicKey', univ.BitString())
+ )
+
+
+def _key_identifier_from_public_key(public_key):
+ # This is a very slow way to do this.
+ serialized = public_key.public_bytes(
+ serialization.Encoding.DER,
+ serialization.PublicFormat.SubjectPublicKeyInfo
+ )
+ spki, remaining = decoder.decode(
+ serialized, asn1Spec=_SubjectPublicKeyInfo()
+ )
+ assert not remaining
+ # the univ.BitString object is a tuple of bits. We need bytes and
+ # pyasn1 really doesn't want to give them to us. To get it we'll
+ # build an integer and convert that to bytes.
+ bits = 0
+ for bit in spki.getComponentByName("subjectPublicKey"):
+ bits = bits << 1 | bit
+
+ data = utils.int_to_bytes(bits)
+ return hashlib.sha1(data).digest()
+
+
+@utils.register_interface(ExtensionType)
+class AuthorityKeyIdentifier(object):
+ oid = ExtensionOID.AUTHORITY_KEY_IDENTIFIER
+
+ def __init__(self, key_identifier, authority_cert_issuer,
+ authority_cert_serial_number):
+ if authority_cert_issuer or authority_cert_serial_number:
+ if not authority_cert_issuer or not authority_cert_serial_number:
+ raise ValueError(
+ "authority_cert_issuer and authority_cert_serial_number "
+ "must both be present or both None"
+ )
+
+ if not all(
+ isinstance(x, GeneralName) for x in authority_cert_issuer
+ ):
+ raise TypeError(
+ "authority_cert_issuer must be a list of GeneralName "
+ "objects"
+ )
+
+ if not isinstance(authority_cert_serial_number, six.integer_types):
+ raise TypeError(
+ "authority_cert_serial_number must be an integer"
+ )
+
+ self._key_identifier = key_identifier
+ self._authority_cert_issuer = authority_cert_issuer
+ self._authority_cert_serial_number = authority_cert_serial_number
+
+ @classmethod
+ def from_issuer_public_key(cls, public_key):
+ digest = _key_identifier_from_public_key(public_key)
+ return cls(
+ key_identifier=digest,
+ authority_cert_issuer=None,
+ authority_cert_serial_number=None
+ )
+
+ def __repr__(self):
+ return (
+ "<AuthorityKeyIdentifier(key_identifier={0.key_identifier!r}, "
+ "authority_cert_issuer={0.authority_cert_issuer}, "
+ "authority_cert_serial_number={0.authority_cert_serial_number}"
+ ")>".format(self)
+ )
+
+ def __eq__(self, other):
+ if not isinstance(other, AuthorityKeyIdentifier):
+ return NotImplemented
+
+ return (
+ self.key_identifier == other.key_identifier and
+ self.authority_cert_issuer == other.authority_cert_issuer and
+ self.authority_cert_serial_number ==
+ other.authority_cert_serial_number
+ )
+
+ def __ne__(self, other):
+ return not self == other
+
+ key_identifier = utils.read_only_property("_key_identifier")
+ authority_cert_issuer = utils.read_only_property("_authority_cert_issuer")
+ authority_cert_serial_number = utils.read_only_property(
+ "_authority_cert_serial_number"
+ )
+
+
+@utils.register_interface(ExtensionType)
+class SubjectKeyIdentifier(object):
+ oid = ExtensionOID.SUBJECT_KEY_IDENTIFIER
+
+ def __init__(self, digest):
+ self._digest = digest
+
+ @classmethod
+ def from_public_key(cls, public_key):
+ return cls(_key_identifier_from_public_key(public_key))
+
+ digest = utils.read_only_property("_digest")
+
+ def __repr__(self):
+ return "<SubjectKeyIdentifier(digest={0!r})>".format(self.digest)
+
+ def __eq__(self, other):
+ if not isinstance(other, SubjectKeyIdentifier):
+ return NotImplemented
+
+ return (
+ self.digest == other.digest
+ )
+
+ def __ne__(self, other):
+ return not self == other
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 99ac69e..42f8f58 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -20,7 +20,7 @@
)
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
-from cryptography.x509.oid import NameOID
+from cryptography.x509.oid import ExtensionOID, NameOID
from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048
from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
@@ -586,7 +586,7 @@
with pytest.raises(x509.DuplicateExtension) as exc:
request.extensions
- assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS
+ assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
def test_unsupported_critical_extension(self, backend):
request = _load_cert(
@@ -624,7 +624,7 @@
assert isinstance(extensions, x509.Extensions)
assert list(extensions) == [
x509.Extension(
- x509.OID_BASIC_CONSTRAINTS,
+ ExtensionOID.BASIC_CONSTRAINTS,
True,
x509.BasicConstraints(ca=True, path_length=1),
),
@@ -637,7 +637,7 @@
backend,
)
ext = request.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert list(ext.value) == [
x509.DNSName(u"cryptography.io"),
@@ -821,12 +821,12 @@
assert cert.not_valid_before == not_valid_before
assert cert.not_valid_after == not_valid_after
basic_constraints = cert.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
)
assert basic_constraints.value.ca is False
assert basic_constraints.value.path_length is None
subject_alternative_name = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert list(subject_alternative_name.value) == [
x509.DNSName(u"cryptography.io"),
@@ -1315,7 +1315,7 @@
cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_CRL_DISTRIBUTION_POINTS
+ ExtensionOID.CRL_DISTRIBUTION_POINTS
)
assert ext.critical is False
assert ext.value == cdp
@@ -1357,12 +1357,12 @@
assert cert.not_valid_before == not_valid_before
assert cert.not_valid_after == not_valid_after
basic_constraints = cert.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
)
assert basic_constraints.value.ca is False
assert basic_constraints.value.path_length is None
subject_alternative_name = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert list(subject_alternative_name.value) == [
x509.DNSName(u"cryptography.io"),
@@ -1406,12 +1406,12 @@
assert cert.not_valid_before == not_valid_before
assert cert.not_valid_after == not_valid_after
basic_constraints = cert.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
)
assert basic_constraints.value.ca is False
assert basic_constraints.value.path_length is None
subject_alternative_name = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert list(subject_alternative_name.value) == [
x509.DNSName(u"cryptography.io"),
@@ -1472,7 +1472,7 @@
).sign(issuer_private_key, hashes.SHA256(), backend)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_ISSUER_ALTERNATIVE_NAME
+ ExtensionOID.ISSUER_ALTERNATIVE_NAME
)
assert ext.critical is False
assert ext.value == x509.IssuerAlternativeName([
@@ -1510,7 +1510,7 @@
).sign(issuer_private_key, hashes.SHA256(), backend)
eku = cert.extensions.get_extension_for_oid(
- x509.OID_EXTENDED_KEY_USAGE
+ ExtensionOID.EXTENDED_KEY_USAGE
)
assert eku.critical is False
assert eku.value == x509.ExtendedKeyUsage([
@@ -1545,7 +1545,7 @@
).sign(issuer_private_key, hashes.SHA256(), backend)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_INHIBIT_ANY_POLICY
+ ExtensionOID.INHIBIT_ANY_POLICY
)
assert ext.value == x509.InhibitAnyPolicy(3)
@@ -1585,7 +1585,7 @@
critical=False
).sign(issuer_private_key, hashes.SHA256(), backend)
- ext = cert.extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
+ ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
assert ext.critical is False
assert ext.value == x509.KeyUsage(
digital_signature=True,
@@ -1641,7 +1641,7 @@
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
]
basic_constraints = request.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
)
assert basic_constraints.value.ca is True
assert basic_constraints.value.path_length == 2
@@ -1689,7 +1689,7 @@
x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
]
basic_constraints = request.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
)
assert basic_constraints.value.ca is False
assert basic_constraints.value.path_length is None
@@ -1719,7 +1719,7 @@
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
]
basic_constraints = request.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
)
assert basic_constraints.value.ca is True
assert basic_constraints.value.path_length == 2
@@ -1748,7 +1748,7 @@
x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
]
basic_constraints = request.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
)
assert basic_constraints.value.ca is True
assert basic_constraints.value.path_length == 2
@@ -1811,7 +1811,7 @@
critical=False
).sign(private_key, hashes.SHA256(), backend)
assert len(request.extensions) == 1
- ext = request.extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
+ ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
assert ext.critical is False
assert ext.value == x509.KeyUsage(
digital_signature=True,
@@ -1847,7 +1847,7 @@
critical=False
).sign(private_key, hashes.SHA256(), backend)
assert len(request.extensions) == 1
- ext = request.extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
+ ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
assert ext.critical is False
assert ext.value == x509.KeyUsage(
digital_signature=False,
@@ -1877,12 +1877,12 @@
public_key = request.public_key()
assert isinstance(public_key, rsa.RSAPublicKey)
basic_constraints = request.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
)
assert basic_constraints.value.ca is True
assert basic_constraints.value.path_length == 2
ext = request.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
@@ -1939,10 +1939,10 @@
assert len(csr.extensions) == 1
ext = csr.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert not ext.critical
- assert ext.oid == x509.OID_SUBJECT_ALTERNATIVE_NAME
+ assert ext.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME
assert list(ext.value) == [
x509.DNSName(u"example.com"),
x509.DNSName(u"*.example.com"),
@@ -2018,7 +2018,7 @@
).sign(private_key, hashes.SHA256(), backend)
eku = request.extensions.get_extension_for_oid(
- x509.OID_EXTENDED_KEY_USAGE
+ ExtensionOID.EXTENDED_KEY_USAGE
)
assert eku.critical is False
assert eku.value == x509.ExtendedKeyUsage([
@@ -2079,7 +2079,7 @@
cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_AUTHORITY_INFORMATION_ACCESS
+ ExtensionOID.AUTHORITY_INFORMATION_ACCESS
)
assert ext.value == aia
@@ -2115,7 +2115,7 @@
cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_KEY_IDENTIFIER
+ ExtensionOID.SUBJECT_KEY_IDENTIFIER
)
assert ext.value == ski
@@ -2191,7 +2191,7 @@
cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_AUTHORITY_KEY_IDENTIFIER
+ ExtensionOID.AUTHORITY_KEY_IDENTIFIER
)
assert ext.value == aki
@@ -2221,7 +2221,7 @@
cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_OCSP_NO_CHECK
+ ExtensionOID.OCSP_NO_CHECK
)
assert isinstance(ext.value, x509.OCSPNoCheck)
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index c94ffae..faf9086 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -17,7 +17,7 @@
DSABackend, EllipticCurveBackend, RSABackend, X509Backend
)
from cryptography.hazmat.primitives.asymmetric import ec
-from cryptography.x509.oid import NameOID
+from cryptography.x509.oid import ExtensionOID, NameOID
from .hazmat.primitives.test_ec import _skip_curve_unsupported
from .test_x509 import _load_cert
@@ -32,11 +32,11 @@
def test_critical_not_a_bool(self):
bc = x509.BasicConstraints(ca=False, path_length=None)
with pytest.raises(TypeError):
- x509.Extension(x509.OID_BASIC_CONSTRAINTS, "notabool", bc)
+ x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, "notabool", bc)
def test_repr(self):
bc = x509.BasicConstraints(ca=False, path_length=None)
- ext = x509.Extension(x509.OID_BASIC_CONSTRAINTS, True, bc)
+ ext = x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, True, bc)
assert repr(ext) == (
"<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConst"
"raints)>, critical=True, value=<BasicConstraints(ca=False, path"
@@ -278,7 +278,7 @@
)
cp = cert.extensions.get_extension_for_oid(
- x509.OID_CERTIFICATE_POLICIES
+ ExtensionOID.CERTIFICATE_POLICIES
).value
assert cp == x509.CertificatePolicies([
@@ -298,7 +298,7 @@
)
cp = cert.extensions.get_extension_for_oid(
- x509.OID_CERTIFICATE_POLICIES
+ ExtensionOID.CERTIFICATE_POLICIES
).value
assert cp == x509.CertificatePolicies([
@@ -325,7 +325,7 @@
)
cp = cert.extensions.get_extension_for_oid(
- x509.OID_CERTIFICATE_POLICIES
+ ExtensionOID.CERTIFICATE_POLICIES
).value
assert cp == x509.CertificatePolicies([
@@ -345,7 +345,7 @@
)
cp = cert.extensions.get_extension_for_oid(
- x509.OID_CERTIFICATE_POLICIES
+ ExtensionOID.CERTIFICATE_POLICIES
).value
assert cp == x509.CertificatePolicies([
@@ -557,7 +557,7 @@
ski = x509.SubjectKeyIdentifier(
binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
)
- ext = x509.Extension(x509.OID_SUBJECT_KEY_IDENTIFIER, False, ski)
+ ext = x509.Extension(ExtensionOID.SUBJECT_KEY_IDENTIFIER, False, ski)
if six.PY3:
assert repr(ext) == (
"<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
@@ -775,9 +775,9 @@
assert len(ext) == 0
assert list(ext) == []
with pytest.raises(x509.ExtensionNotFound) as exc:
- ext.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
+ ext.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
- assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS
+ assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
def test_one_extension(self, backend):
cert = _load_cert(
@@ -788,7 +788,7 @@
backend
)
extensions = cert.extensions
- ext = extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
+ ext = extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
assert ext is not None
assert ext.value.ca is False
@@ -803,7 +803,7 @@
with pytest.raises(x509.DuplicateExtension) as exc:
cert.extensions
- assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS
+ assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
def test_unsupported_critical_extension(self, backend):
cert = _load_cert(
@@ -843,7 +843,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
)
assert ext is not None
assert ext.critical is True
@@ -857,7 +857,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
)
assert ext is not None
assert ext.critical is True
@@ -871,7 +871,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
)
assert ext is not None
assert ext.critical is True
@@ -885,7 +885,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
)
assert ext is not None
assert ext.critical is True
@@ -904,7 +904,9 @@
backend
)
with pytest.raises(x509.ExtensionNotFound):
- cert.extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
+ cert.extensions.get_extension_for_oid(
+ ExtensionOID.BASIC_CONSTRAINTS
+ )
def test_basic_constraint_not_critical(self, backend):
cert = _load_cert(
@@ -915,7 +917,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
)
assert ext is not None
assert ext.critical is False
@@ -932,7 +934,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_KEY_IDENTIFIER
+ ExtensionOID.SUBJECT_KEY_IDENTIFIER
)
ski = ext.value
assert ext is not None
@@ -951,7 +953,7 @@
)
with pytest.raises(x509.ExtensionNotFound):
cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_KEY_IDENTIFIER
+ ExtensionOID.SUBJECT_KEY_IDENTIFIER
)
@pytest.mark.requires_backend_interface(interface=RSABackend)
@@ -963,7 +965,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_KEY_IDENTIFIER
+ ExtensionOID.SUBJECT_KEY_IDENTIFIER
)
ski = x509.SubjectKeyIdentifier.from_public_key(
cert.public_key()
@@ -980,7 +982,7 @@
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_KEY_IDENTIFIER
+ ExtensionOID.SUBJECT_KEY_IDENTIFIER
)
ski = x509.SubjectKeyIdentifier.from_public_key(
cert.public_key()
@@ -998,7 +1000,7 @@
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_KEY_IDENTIFIER
+ ExtensionOID.SUBJECT_KEY_IDENTIFIER
)
ski = x509.SubjectKeyIdentifier.from_public_key(
cert.public_key()
@@ -1017,9 +1019,9 @@
)
ext = cert.extensions
with pytest.raises(x509.ExtensionNotFound) as exc:
- ext.get_extension_for_oid(x509.OID_KEY_USAGE)
+ ext.get_extension_for_oid(ExtensionOID.KEY_USAGE)
- assert exc.value.oid == x509.OID_KEY_USAGE
+ assert exc.value.oid == ExtensionOID.KEY_USAGE
def test_all_purposes(self, backend):
cert = _load_cert(
@@ -1030,7 +1032,7 @@
backend
)
extensions = cert.extensions
- ext = extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
+ ext = extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
assert ext is not None
ku = ext.value
@@ -1052,7 +1054,7 @@
x509.load_der_x509_certificate,
backend
)
- ext = cert.extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
+ ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
assert ext is not None
assert ext.critical is True
@@ -1217,7 +1219,7 @@
def test_ne(self):
gn = x509.RegisteredID(NameOID.COMMON_NAME)
- gn2 = x509.RegisteredID(x509.OID_BASIC_CONSTRAINTS)
+ gn2 = x509.RegisteredID(ExtensionOID.BASIC_CONSTRAINTS)
assert gn != gn2
assert gn != object()
@@ -1425,7 +1427,7 @@
backend,
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_ISSUER_ALTERNATIVE_NAME
+ ExtensionOID.ISSUER_ALTERNATIVE_NAME
)
assert list(ext.value) == [
x509.UniformResourceIdentifier(u"http://path.to.root/root.crt"),
@@ -1498,7 +1500,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert ext is not None
assert ext.critical is False
@@ -1515,7 +1517,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
dns = ext.value.get_values_for_type(x509.DNSName)
@@ -1533,7 +1535,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
dns = ext.value.get_values_for_type(x509.DNSName)
@@ -1559,7 +1561,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert ext is not None
assert ext.critical is False
@@ -1577,7 +1579,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert ext is not None
uri = ext.value.get_values_for_type(
@@ -1598,7 +1600,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert ext is not None
assert ext.critical is False
@@ -1620,7 +1622,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert ext is not None
assert ext.critical is False
@@ -1645,7 +1647,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert ext is not None
assert ext.critical is False
@@ -1675,7 +1677,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert ext is not None
rfc822_name = ext.value.get_values_for_type(x509.RFC822Name)
@@ -1694,7 +1696,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert ext is not None
assert ext.critical is False
@@ -1745,7 +1747,7 @@
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert ext is not None
assert ext.critical is False
@@ -1771,7 +1773,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_EXTENDED_KEY_USAGE
+ ExtensionOID.EXTENDED_KEY_USAGE
)
assert ext is not None
assert ext.critical is False
@@ -1940,7 +1942,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_AUTHORITY_INFORMATION_ACCESS
+ ExtensionOID.AUTHORITY_INFORMATION_ACCESS
)
assert ext is not None
assert ext.critical is False
@@ -1963,7 +1965,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_AUTHORITY_INFORMATION_ACCESS
+ ExtensionOID.AUTHORITY_INFORMATION_ACCESS
)
assert ext is not None
assert ext.critical is False
@@ -1994,7 +1996,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_AUTHORITY_INFORMATION_ACCESS
+ ExtensionOID.AUTHORITY_INFORMATION_ACCESS
)
assert ext is not None
assert ext.critical is False
@@ -2013,7 +2015,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_AUTHORITY_INFORMATION_ACCESS
+ ExtensionOID.AUTHORITY_INFORMATION_ACCESS
)
assert ext is not None
assert ext.critical is False
@@ -2042,7 +2044,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_AUTHORITY_KEY_IDENTIFIER
+ ExtensionOID.AUTHORITY_KEY_IDENTIFIER
)
assert ext is not None
assert ext.critical is False
@@ -2062,7 +2064,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_AUTHORITY_KEY_IDENTIFIER
+ ExtensionOID.AUTHORITY_KEY_IDENTIFIER
)
assert ext is not None
assert ext.critical is False
@@ -2093,7 +2095,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_AUTHORITY_KEY_IDENTIFIER
+ ExtensionOID.AUTHORITY_KEY_IDENTIFIER
)
assert ext is not None
assert ext.critical is False
@@ -2125,7 +2127,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_AUTHORITY_KEY_IDENTIFIER
+ ExtensionOID.AUTHORITY_KEY_IDENTIFIER
)
aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(
issuer_cert.public_key()
@@ -2242,7 +2244,7 @@
backend
)
nc = cert.extensions.get_extension_for_oid(
- x509.OID_NAME_CONSTRAINTS
+ ExtensionOID.NAME_CONSTRAINTS
).value
assert nc == x509.NameConstraints(
permitted_subtrees=[
@@ -2264,7 +2266,7 @@
backend
)
nc = cert.extensions.get_extension_for_oid(
- x509.OID_NAME_CONSTRAINTS
+ ExtensionOID.NAME_CONSTRAINTS
).value
assert nc == x509.NameConstraints(
permitted_subtrees=[
@@ -2282,7 +2284,7 @@
backend
)
nc = cert.extensions.get_extension_for_oid(
- x509.OID_NAME_CONSTRAINTS
+ ExtensionOID.NAME_CONSTRAINTS
).value
assert nc == x509.NameConstraints(
permitted_subtrees=[
@@ -2301,7 +2303,7 @@
backend
)
nc = cert.extensions.get_extension_for_oid(
- x509.OID_NAME_CONSTRAINTS
+ ExtensionOID.NAME_CONSTRAINTS
).value
assert nc == x509.NameConstraints(
permitted_subtrees=None,
@@ -2320,7 +2322,7 @@
backend
)
nc = cert.extensions.get_extension_for_oid(
- x509.OID_NAME_CONSTRAINTS
+ ExtensionOID.NAME_CONSTRAINTS
).value
assert nc == x509.NameConstraints(
permitted_subtrees=[
@@ -2342,7 +2344,7 @@
backend
)
nc = cert.extensions.get_extension_for_oid(
- x509.OID_NAME_CONSTRAINTS
+ ExtensionOID.NAME_CONSTRAINTS
).value
assert nc == x509.NameConstraints(
permitted_subtrees=[
@@ -2362,7 +2364,7 @@
)
with pytest.raises(ValueError):
cert.extensions.get_extension_for_oid(
- x509.OID_NAME_CONSTRAINTS
+ ExtensionOID.NAME_CONSTRAINTS
)
@@ -2671,7 +2673,7 @@
)
cdps = cert.extensions.get_extension_for_oid(
- x509.OID_CRL_DISTRIBUTION_POINTS
+ ExtensionOID.CRL_DISTRIBUTION_POINTS
).value
assert cdps == x509.CRLDistributionPoints([
@@ -2721,7 +2723,7 @@
)
cdps = cert.extensions.get_extension_for_oid(
- x509.OID_CRL_DISTRIBUTION_POINTS
+ ExtensionOID.CRL_DISTRIBUTION_POINTS
).value
assert cdps == x509.CRLDistributionPoints([
@@ -2760,7 +2762,7 @@
)
cdps = cert.extensions.get_extension_for_oid(
- x509.OID_CRL_DISTRIBUTION_POINTS
+ ExtensionOID.CRL_DISTRIBUTION_POINTS
).value
assert cdps == x509.CRLDistributionPoints([
@@ -2797,7 +2799,7 @@
)
cdps = cert.extensions.get_extension_for_oid(
- x509.OID_CRL_DISTRIBUTION_POINTS
+ ExtensionOID.CRL_DISTRIBUTION_POINTS
).value
assert cdps == x509.CRLDistributionPoints([
@@ -2830,7 +2832,7 @@
)
cdps = cert.extensions.get_extension_for_oid(
- x509.OID_CRL_DISTRIBUTION_POINTS
+ ExtensionOID.CRL_DISTRIBUTION_POINTS
).value
assert cdps == x509.CRLDistributionPoints([
@@ -2854,7 +2856,7 @@
)
cdps = cert.extensions.get_extension_for_oid(
- x509.OID_CRL_DISTRIBUTION_POINTS
+ ExtensionOID.CRL_DISTRIBUTION_POINTS
).value
assert cdps == x509.CRLDistributionPoints([
@@ -2885,7 +2887,7 @@
backend
)
ext = cert.extensions.get_extension_for_oid(
- x509.OID_OCSP_NO_CHECK
+ ExtensionOID.OCSP_NO_CHECK
)
assert isinstance(ext.value, x509.OCSPNoCheck)
@@ -2927,7 +2929,7 @@
backend
)
iap = cert.extensions.get_extension_for_oid(
- x509.OID_INHIBIT_ANY_POLICY
+ ExtensionOID.INHIBIT_ANY_POLICY
).value
assert iap.skip_certs == 5