Backwards incompatible change to DNSName (#3951)
* Backwards incompatible change to DNSName
During this release cycle we decided to officially deprecate passing
U-labels to our GeneralName constructors. At first we tried changing
this in a purely backwards compatible way but get_values_for_type made
that untenable. This PR modifies DNSName to take three different types.
U-label strings (which raises a deprecation warning), A-label strings
(the new preferred type), and bytes (which are assumed to be decodable
to unicode strings). The latter, while supported, is primarily intended
for use by our parser and allows us to return the actual encoded data in
a certificate even if it has not been properly encoded to A-label before
the certificate is created. (Of course, if the certificate contains
invalid utf8 sequences this will still fail, but let's handle one
catastrophic failure at a time).
* coverage
* don't delete that asterisk from a test. it does things.
* no bytes in DNSName. Private constructor for bypassing validation
* test unicode in dnsname (yuck)
* fix docs
* empty commit, you disappoint me codecov
* CI is the worst
diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst
index 951e6b7..238a24e 100644
--- a/docs/x509/reference.rst
+++ b/docs/x509/reference.rst
@@ -611,7 +611,7 @@
>>> builder = builder.public_key(public_key)
>>> builder = builder.add_extension(
... x509.SubjectAlternativeName(
- ... [x509.DNSName(b'cryptography.io')]
+ ... [x509.DNSName(u'cryptography.io')]
... ),
... critical=False
... )
diff --git a/src/cryptography/hazmat/backends/openssl/decode_asn1.py b/src/cryptography/hazmat/backends/openssl/decode_asn1.py
index 2665fb2..aefb242 100644
--- a/src/cryptography/hazmat/backends/openssl/decode_asn1.py
+++ b/src/cryptography/hazmat/backends/openssl/decode_asn1.py
@@ -88,8 +88,14 @@
def _decode_general_name(backend, gn):
if gn.type == backend._lib.GEN_DNS:
- data = _asn1_string_to_bytes(backend, gn.d.dNSName)
- return x509.DNSName(data)
+ # Convert to bytes and then decode to utf8. We don't use
+ # asn1_string_to_utf8 here because it doesn't properly convert
+ # utf8 from ia5strings.
+ data = _asn1_string_to_bytes(backend, gn.d.dNSName).decode("utf8")
+ # We don't use the constructor for DNSName so we can bypass validation
+ # This allows us to create DNSName objects that have unicode chars
+ # when a certificate (against the RFC) contains them.
+ return x509.DNSName._init_without_validation(data)
elif gn.type == backend._lib.GEN_URI:
data = _asn1_string_to_bytes(backend, gn.d.uniformResourceIdentifier)
return x509.UniformResourceIdentifier(data)
diff --git a/src/cryptography/hazmat/backends/openssl/encode_asn1.py b/src/cryptography/hazmat/backends/openssl/encode_asn1.py
index e45e105..3177cf9 100644
--- a/src/cryptography/hazmat/backends/openssl/encode_asn1.py
+++ b/src/cryptography/hazmat/backends/openssl/encode_asn1.py
@@ -368,7 +368,9 @@
ia5 = backend._lib.ASN1_IA5STRING_new()
backend.openssl_assert(ia5 != backend._ffi.NULL)
- value = name.bytes_value
+ # ia5strings are supposed to be ITU T.50 but to allow round-tripping
+ # of broken certs that encode utf8 we'll encode utf8 here too.
+ value = name.value.encode("utf8")
res = backend._lib.ASN1_STRING_set(ia5, value, len(value))
backend.openssl_assert(res == 1)
diff --git a/src/cryptography/x509/general_name.py b/src/cryptography/x509/general_name.py
index 768be3b..d4d92c8 100644
--- a/src/cryptography/x509/general_name.py
+++ b/src/cryptography/x509/general_name.py
@@ -131,8 +131,8 @@
for prefix in ['*.', '.']:
if value.startswith(prefix):
value = value[len(prefix):]
- return prefix.encode('ascii') + idna.encode(value)
- return idna.encode(value)
+ return prefix + idna.encode(value).decode("ascii")
+ return idna.encode(value).decode("ascii")
@utils.register_interface(GeneralName)
@@ -140,73 +140,44 @@
def __init__(self, value):
if isinstance(value, six.text_type):
try:
- value = value.encode("ascii")
+ value.encode("ascii")
except UnicodeEncodeError:
value = _idna_encode(value)
warnings.warn(
- "DNSName values should be passed as idna-encoded bytes, "
- "not strings. Support for passing unicode strings will be "
- "removed in a future version.",
+ "DNSName values should be passed as an A-label string. "
+ "This means unicode characters should be encoded via "
+ "idna. Support for passing unicode strings (aka U-label) "
+ " will be removed in a future version.",
utils.DeprecatedIn21,
stacklevel=2,
)
- else:
- warnings.warn(
- "DNSName values should be passed as bytes, not strings. "
- "Support for passing unicode strings will be removed in a "
- "future version.",
- utils.DeprecatedIn21,
- stacklevel=2,
- )
- elif not isinstance(value, bytes):
- raise TypeError("value must be bytes")
-
- self._bytes_value = value
-
- bytes_value = utils.read_only_property("_bytes_value")
-
- @property
- def value(self):
- warnings.warn(
- "DNSName.bytes_value should be used instead of DNSName.value; it "
- "contains the DNS name as raw bytes, instead of as an idna-decoded"
- " unicode string. DNSName.value will be removed in a future "
- "version.",
- utils.DeprecatedIn21,
- stacklevel=2
- )
- data = self._bytes_value
- if not data:
- decoded = u""
- elif data.startswith(b"*."):
- # This is a wildcard name. We need to remove the leading wildcard,
- # IDNA decode, then re-add the wildcard. Wildcard characters should
- # always be left-most (RFC 2595 section 2.4).
- decoded = u"*." + idna.decode(data[2:])
else:
- # Not a wildcard, decode away. If the string has a * in it anywhere
- # invalid this will raise an InvalidCodePoint
- decoded = idna.decode(data)
- if data.startswith(b"."):
- # idna strips leading periods. Name constraints can have that
- # so we need to re-add it. Sigh.
- decoded = u"." + decoded
- return decoded
+ raise TypeError("value must be string")
+
+ self._value = value
+
+ value = utils.read_only_property("_value")
+
+ @classmethod
+ def _init_without_validation(cls, value):
+ instance = cls.__new__(cls)
+ instance._value = value
+ return instance
def __repr__(self):
- return "<DNSName(bytes_value={0!r})>".format(self.bytes_value)
+ return "<DNSName(value={0!r})>".format(self.value)
def __eq__(self, other):
if not isinstance(other, DNSName):
return NotImplemented
- return self.bytes_value == other.bytes_value
+ return self.value == other.value
def __ne__(self, other):
return not self == other
def __hash__(self):
- return hash(self.bytes_value)
+ return hash(self.value)
@utils.register_interface(GeneralName)
diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
index 0ce0a63..afe1c0e 100644
--- a/tests/x509/test_x509.py
+++ b/tests/x509/test_x509.py
@@ -226,7 +226,7 @@
assert aia.value == x509.AuthorityInformationAccess([
x509.AccessDescription(
AuthorityInformationAccessOID.CA_ISSUERS,
- x509.DNSName(b"cryptography.io")
+ x509.DNSName(u"cryptography.io")
)
])
assert ian.value == x509.IssuerAlternativeName([
@@ -777,6 +777,24 @@
)
]
+ def test_non_ascii_dns_name(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "utf8-dnsname.pem"),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ san = cert.extensions.get_extension_for_class(
+ x509.SubjectAlternativeName
+ ).value
+
+ names = san.get_values_for_type(x509.DNSName)
+
+ assert names == [
+ u'partner.biztositas.hu', u'biztositas.hu', u'*.biztositas.hu',
+ u'biztos\xedt\xe1s.hu', u'*.biztos\xedt\xe1s.hu',
+ u'xn--biztosts-fza2j.hu', u'*.xn--biztosts-fza2j.hu'
+ ]
+
def test_all_subject_name_types(self, backend):
cert = _load_cert(
os.path.join(
@@ -1243,8 +1261,8 @@
ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert list(ext.value) == [
- x509.DNSName(b"cryptography.io"),
- x509.DNSName(b"sub.cryptography.io"),
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"sub.cryptography.io"),
]
def test_public_bytes_pem(self, backend):
@@ -1472,7 +1490,7 @@
).add_extension(
x509.BasicConstraints(ca=False, path_length=None), True,
).add_extension(
- x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]),
+ x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
critical=False,
).not_valid_before(
not_valid_before
@@ -1494,7 +1512,7 @@
ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert list(subject_alternative_name.value) == [
- x509.DNSName(b"cryptography.io"),
+ x509.DNSName(u"cryptography.io"),
]
def test_build_cert_private_type_encoding(self, backend):
@@ -2122,7 +2140,7 @@
).add_extension(
x509.BasicConstraints(ca=False, path_length=None), True,
).add_extension(
- x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]),
+ x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
critical=False,
).not_valid_before(
not_valid_before
@@ -2144,7 +2162,7 @@
ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert list(subject_alternative_name.value) == [
- x509.DNSName(b"cryptography.io"),
+ x509.DNSName(u"cryptography.io"),
]
@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
@@ -2168,7 +2186,7 @@
).add_extension(
x509.BasicConstraints(ca=False, path_length=None), True,
).add_extension(
- x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]),
+ x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
critical=False,
).not_valid_before(
not_valid_before
@@ -2190,7 +2208,7 @@
ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert list(subject_alternative_name.value) == [
- x509.DNSName(b"cryptography.io"),
+ x509.DNSName(u"cryptography.io"),
]
@pytest.mark.requires_backend_interface(interface=RSABackend)
@@ -2224,6 +2242,9 @@
@pytest.mark.parametrize(
"add_ext",
[
+ x509.SubjectAlternativeName(
+ [x509.DNSName._init_without_validation(u'a\xedt\xe1s.test')]
+ ),
x509.CertificatePolicies([
x509.PolicyInformation(
x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
@@ -2279,7 +2300,7 @@
)
]),
x509.IssuerAlternativeName([
- x509.DNSName(b"myissuer"),
+ x509.DNSName(u"myissuer"),
x509.RFC822Name(u"email@domain.com"),
]),
x509.ExtendedKeyUsage([
@@ -2308,7 +2329,7 @@
ipaddress.IPv6Network(u"FF:FF:0:0:0:0:0:0/128")
),
],
- excluded_subtrees=[x509.DNSName(b"name.local")]
+ excluded_subtrees=[x509.DNSName(u"name.local")]
),
x509.NameConstraints(
permitted_subtrees=[
@@ -2318,7 +2339,7 @@
),
x509.NameConstraints(
permitted_subtrees=None,
- excluded_subtrees=[x509.DNSName(b"name.local")]
+ excluded_subtrees=[x509.DNSName(u"name.local")]
),
x509.PolicyConstraints(
require_explicit_policy=None,
@@ -2847,7 +2868,7 @@
x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])
).add_extension(
- x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]),
+ x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
critical=False,
).add_extension(
DummyExtension(), False
@@ -2933,7 +2954,7 @@
request = builder.subject_name(
x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
).add_extension(
- x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]),
+ x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
critical=False,
).add_extension(
x509.BasicConstraints(ca=True, path_length=2), critical=True
@@ -2950,7 +2971,7 @@
ext = request.extensions.get_extension_for_oid(
ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
- assert list(ext.value) == [x509.DNSName(b"cryptography.io")]
+ assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
def test_set_subject_twice(self):
builder = x509.CertificateSigningRequestBuilder()
@@ -2970,8 +2991,8 @@
private_key = RSA_KEY_2048.private_key(backend)
san = x509.SubjectAlternativeName([
- x509.DNSName(b"example.com"),
- x509.DNSName(b"*.example.com"),
+ x509.DNSName(u"example.com"),
+ x509.DNSName(u"*.example.com"),
x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
x509.DirectoryName(x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
index 11e06ea..6e376bb 100644
--- a/tests/x509/test_x509_ext.py
+++ b/tests/x509/test_x509_ext.py
@@ -234,20 +234,20 @@
class TestCertificateIssuer(object):
def test_iter_names(self):
ci = x509.CertificateIssuer([
- x509.DNSName(b"cryptography.io"),
- x509.DNSName(b"crypto.local"),
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"crypto.local"),
])
assert len(ci) == 2
assert list(ci) == [
- x509.DNSName(b"cryptography.io"),
- x509.DNSName(b"crypto.local"),
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"crypto.local"),
]
def test_indexing(self):
ci = x509.CertificateIssuer([
- x509.DNSName(b"cryptography.io"),
- x509.DNSName(b"crypto.local"),
- x509.DNSName(b"another.local"),
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"crypto.local"),
+ x509.DNSName(u"another.local"),
x509.RFC822Name(b"email@another.local"),
x509.UniformResourceIdentifier(b"http://another.local"),
])
@@ -255,39 +255,39 @@
assert ci[2:6:2] == [ci[2], ci[4]]
def test_eq(self):
- ci1 = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")])
- ci2 = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")])
+ ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
+ ci2 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
assert ci1 == ci2
def test_ne(self):
- ci1 = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")])
- ci2 = x509.CertificateIssuer([x509.DNSName(b"somethingelse.tld")])
+ ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
+ ci2 = x509.CertificateIssuer([x509.DNSName(u"somethingelse.tld")])
assert ci1 != ci2
assert ci1 != object()
def test_repr(self):
- ci = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")])
+ ci = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
if six.PY3:
assert repr(ci) == (
- "<CertificateIssuer(<GeneralNames([<DNSName(bytes_value="
- "b'cryptography.io')>])>)>"
+ "<CertificateIssuer(<GeneralNames([<DNSName(value="
+ "'cryptography.io')>])>)>"
)
else:
assert repr(ci) == (
- "<CertificateIssuer(<GeneralNames([<DNSName(bytes_value="
- "'cryptography.io')>])>)>"
+ "<CertificateIssuer(<GeneralNames([<DNSName(value="
+ "u'cryptography.io')>])>)>"
)
def test_get_values_for_type(self):
ci = x509.CertificateIssuer(
- [x509.DNSName(b"cryptography.io")]
+ [x509.DNSName(u"cryptography.io")]
)
names = ci.get_values_for_type(x509.DNSName)
assert names == [u"cryptography.io"]
def test_hash(self):
- ci1 = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")])
- ci2 = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")])
+ ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
+ ci2 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
ci3 = x509.CertificateIssuer(
[x509.UniformResourceIdentifier(b"http://something")]
)
@@ -1099,7 +1099,7 @@
assert aki.authority_cert_serial_number is None
def test_authority_cert_serial_zero(self):
- dns = x509.DNSName(b"SomeIssuer")
+ dns = x509.DNSName(u"SomeIssuer")
aki = x509.AuthorityKeyIdentifier(b"id", [dns], 0)
assert aki.key_identifier == b"id"
assert aki.authority_cert_issuer == [dns]
@@ -1662,33 +1662,34 @@
class TestDNSName(object):
def test_init(self):
- with pytest.warns(utils.DeprecatedIn21):
- name = x509.DNSName(u"*.\xf5\xe4\xf6\xfc.example.com")
- assert name.bytes_value == b"*.xn--4ca7aey.example.com"
+ name = x509.DNSName(u"*.xn--4ca7aey.example.com")
+ assert name.value == u"*.xn--4ca7aey.example.com"
with pytest.warns(utils.DeprecatedIn21):
name = x509.DNSName(u".\xf5\xe4\xf6\xfc.example.com")
- assert name.bytes_value == b".xn--4ca7aey.example.com"
- assert name.value == u".\xf5\xe4\xf6\xfc.example.com"
+ assert name.value == u".xn--4ca7aey.example.com"
with pytest.warns(utils.DeprecatedIn21):
name = x509.DNSName(u"\xf5\xe4\xf6\xfc.example.com")
- assert name.bytes_value == b"xn--4ca7aey.example.com"
+ assert name.value == u"xn--4ca7aey.example.com"
with pytest.raises(TypeError):
x509.DNSName(1.3)
+ with pytest.raises(TypeError):
+ x509.DNSName(b"bytes not allowed")
+
def test_ne(self):
- n1 = x509.DNSName(b"test1")
- n2 = x509.DNSName(b"test2")
- n3 = x509.DNSName(b"test2")
+ n1 = x509.DNSName(u"test1")
+ n2 = x509.DNSName(u"test2")
+ n3 = x509.DNSName(u"test2")
assert n1 != n2
assert not (n2 != n3)
def test_hash(self):
- n1 = x509.DNSName(b"test1")
- n2 = x509.DNSName(b"test2")
- n3 = x509.DNSName(b"test2")
+ n1 = x509.DNSName(u"test1")
+ n2 = x509.DNSName(u"test2")
+ n3 = x509.DNSName(u"test2")
assert hash(n1) != hash(n2)
assert hash(n2) == hash(n3)
@@ -2016,35 +2017,35 @@
class TestGeneralNames(object):
def test_get_values_for_type(self):
gns = x509.GeneralNames(
- [x509.DNSName(b"cryptography.io")]
+ [x509.DNSName(u"cryptography.io")]
)
names = gns.get_values_for_type(x509.DNSName)
assert names == [u"cryptography.io"]
def test_iter_names(self):
gns = x509.GeneralNames([
- x509.DNSName(b"cryptography.io"),
- x509.DNSName(b"crypto.local"),
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"crypto.local"),
])
assert len(gns) == 2
assert list(gns) == [
- x509.DNSName(b"cryptography.io"),
- x509.DNSName(b"crypto.local"),
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"crypto.local"),
]
def test_iter_input(self):
names = [
- x509.DNSName(b"cryptography.io"),
- x509.DNSName(b"crypto.local"),
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"crypto.local"),
]
gns = x509.GeneralNames(iter(names))
assert list(gns) == names
def test_indexing(self):
gn = x509.GeneralNames([
- x509.DNSName(b"cryptography.io"),
- x509.DNSName(b"crypto.local"),
- x509.DNSName(b"another.local"),
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"crypto.local"),
+ x509.DNSName(u"another.local"),
x509.RFC822Name(b"email@another.local"),
x509.UniformResourceIdentifier(b"http://another.local"),
])
@@ -2054,36 +2055,36 @@
def test_invalid_general_names(self):
with pytest.raises(TypeError):
x509.GeneralNames(
- [x509.DNSName(b"cryptography.io"), "invalid"]
+ [x509.DNSName(u"cryptography.io"), "invalid"]
)
def test_repr(self):
gns = x509.GeneralNames(
[
- x509.DNSName(b"cryptography.io")
+ x509.DNSName(u"cryptography.io")
]
)
if six.PY3:
assert repr(gns) == (
- "<GeneralNames([<DNSName(bytes_value=b'cryptography.io')>])>"
+ "<GeneralNames([<DNSName(value='cryptography.io')>])>"
)
else:
assert repr(gns) == (
- "<GeneralNames([<DNSName(bytes_value='cryptography.io')>])>"
+ "<GeneralNames([<DNSName(value=u'cryptography.io')>])>"
)
def test_eq(self):
gns = x509.GeneralNames(
- [x509.DNSName(b"cryptography.io")]
+ [x509.DNSName(u"cryptography.io")]
)
gns2 = x509.GeneralNames(
- [x509.DNSName(b"cryptography.io")]
+ [x509.DNSName(u"cryptography.io")]
)
assert gns == gns2
def test_ne(self):
gns = x509.GeneralNames(
- [x509.DNSName(b"cryptography.io")]
+ [x509.DNSName(u"cryptography.io")]
)
gns2 = x509.GeneralNames(
[x509.RFC822Name(b"admin@cryptography.io")]
@@ -2092,8 +2093,8 @@
assert gns != object()
def test_hash(self):
- gns = x509.GeneralNames([x509.DNSName(b"cryptography.io")])
- gns2 = x509.GeneralNames([x509.DNSName(b"cryptography.io")])
+ gns = x509.GeneralNames([x509.DNSName(u"cryptography.io")])
+ gns2 = x509.GeneralNames([x509.DNSName(u"cryptography.io")])
gns3 = x509.GeneralNames([x509.RFC822Name(b"admin@cryptography.io")])
assert hash(gns) == hash(gns2)
assert hash(gns) != hash(gns3)
@@ -2102,27 +2103,27 @@
class TestIssuerAlternativeName(object):
def test_get_values_for_type(self):
san = x509.IssuerAlternativeName(
- [x509.DNSName(b"cryptography.io")]
+ [x509.DNSName(u"cryptography.io")]
)
names = san.get_values_for_type(x509.DNSName)
assert names == [u"cryptography.io"]
def test_iter_names(self):
san = x509.IssuerAlternativeName([
- x509.DNSName(b"cryptography.io"),
- x509.DNSName(b"crypto.local"),
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"crypto.local"),
])
assert len(san) == 2
assert list(san) == [
- x509.DNSName(b"cryptography.io"),
- x509.DNSName(b"crypto.local"),
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"crypto.local"),
]
def test_indexing(self):
ian = x509.IssuerAlternativeName([
- x509.DNSName(b"cryptography.io"),
- x509.DNSName(b"crypto.local"),
- x509.DNSName(b"another.local"),
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"crypto.local"),
+ x509.DNSName(u"another.local"),
x509.RFC822Name(b"email@another.local"),
x509.UniformResourceIdentifier(b"http://another.local"),
])
@@ -2132,38 +2133,38 @@
def test_invalid_general_names(self):
with pytest.raises(TypeError):
x509.IssuerAlternativeName(
- [x509.DNSName(b"cryptography.io"), "invalid"]
+ [x509.DNSName(u"cryptography.io"), "invalid"]
)
def test_repr(self):
san = x509.IssuerAlternativeName(
[
- x509.DNSName(b"cryptography.io")
+ x509.DNSName(u"cryptography.io")
]
)
if six.PY3:
assert repr(san) == (
"<IssuerAlternativeName("
- "<GeneralNames([<DNSName(bytes_value=b'cryptography.io')>])>)>"
+ "<GeneralNames([<DNSName(value='cryptography.io')>])>)>"
)
else:
assert repr(san) == (
"<IssuerAlternativeName("
- "<GeneralNames([<DNSName(bytes_value='cryptography.io')>])>)>"
+ "<GeneralNames([<DNSName(value=u'cryptography.io')>])>)>"
)
def test_eq(self):
san = x509.IssuerAlternativeName(
- [x509.DNSName(b"cryptography.io")]
+ [x509.DNSName(u"cryptography.io")]
)
san2 = x509.IssuerAlternativeName(
- [x509.DNSName(b"cryptography.io")]
+ [x509.DNSName(u"cryptography.io")]
)
assert san == san2
def test_ne(self):
san = x509.IssuerAlternativeName(
- [x509.DNSName(b"cryptography.io")]
+ [x509.DNSName(u"cryptography.io")]
)
san2 = x509.IssuerAlternativeName(
[x509.RFC822Name(b"admin@cryptography.io")]
@@ -2172,8 +2173,8 @@
assert san != object()
def test_hash(self):
- ian = x509.IssuerAlternativeName([x509.DNSName(b"cryptography.io")])
- ian2 = x509.IssuerAlternativeName([x509.DNSName(b"cryptography.io")])
+ ian = x509.IssuerAlternativeName([x509.DNSName(u"cryptography.io")])
+ ian2 = x509.IssuerAlternativeName([x509.DNSName(u"cryptography.io")])
ian3 = x509.IssuerAlternativeName(
[x509.RFC822Name(b"admin@cryptography.io")]
)
@@ -2227,27 +2228,27 @@
class TestSubjectAlternativeName(object):
def test_get_values_for_type(self):
san = x509.SubjectAlternativeName(
- [x509.DNSName(b"cryptography.io")]
+ [x509.DNSName(u"cryptography.io")]
)
names = san.get_values_for_type(x509.DNSName)
assert names == [u"cryptography.io"]
def test_iter_names(self):
san = x509.SubjectAlternativeName([
- x509.DNSName(b"cryptography.io"),
- x509.DNSName(b"crypto.local"),
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"crypto.local"),
])
assert len(san) == 2
assert list(san) == [
- x509.DNSName(b"cryptography.io"),
- x509.DNSName(b"crypto.local"),
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"crypto.local"),
]
def test_indexing(self):
san = x509.SubjectAlternativeName([
- x509.DNSName(b"cryptography.io"),
- x509.DNSName(b"crypto.local"),
- x509.DNSName(b"another.local"),
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"crypto.local"),
+ x509.DNSName(u"another.local"),
x509.RFC822Name(b"email@another.local"),
x509.UniformResourceIdentifier(b"http://another.local"),
])
@@ -2257,38 +2258,38 @@
def test_invalid_general_names(self):
with pytest.raises(TypeError):
x509.SubjectAlternativeName(
- [x509.DNSName(b"cryptography.io"), "invalid"]
+ [x509.DNSName(u"cryptography.io"), "invalid"]
)
def test_repr(self):
san = x509.SubjectAlternativeName(
[
- x509.DNSName(b"cryptography.io")
+ x509.DNSName(u"cryptography.io")
]
)
if six.PY3:
assert repr(san) == (
"<SubjectAlternativeName("
- "<GeneralNames([<DNSName(bytes_value=b'cryptography.io')>])>)>"
+ "<GeneralNames([<DNSName(value='cryptography.io')>])>)>"
)
else:
assert repr(san) == (
"<SubjectAlternativeName("
- "<GeneralNames([<DNSName(bytes_value='cryptography.io')>])>)>"
+ "<GeneralNames([<DNSName(value=u'cryptography.io')>])>)>"
)
def test_eq(self):
san = x509.SubjectAlternativeName(
- [x509.DNSName(b"cryptography.io")]
+ [x509.DNSName(u"cryptography.io")]
)
san2 = x509.SubjectAlternativeName(
- [x509.DNSName(b"cryptography.io")]
+ [x509.DNSName(u"cryptography.io")]
)
assert san == san2
def test_ne(self):
san = x509.SubjectAlternativeName(
- [x509.DNSName(b"cryptography.io")]
+ [x509.DNSName(u"cryptography.io")]
)
san2 = x509.SubjectAlternativeName(
[x509.RFC822Name(b"admin@cryptography.io")]
@@ -2297,8 +2298,8 @@
assert san != object()
def test_hash(self):
- san = x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")])
- san2 = x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")])
+ san = x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")])
+ san2 = x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")])
san3 = x509.SubjectAlternativeName(
[x509.RFC822Name(b"admin@cryptography.io")]
)
@@ -2370,7 +2371,7 @@
)
dns = ext.value.get_values_for_type(x509.DNSName)
- assert dns == [u'*.\u043f\u044b\u043a\u0430.cryptography']
+ assert dns == [u'*.xn--80ato2c.cryptography']
def test_unsupported_gn(self, backend):
cert = _load_cert(
@@ -2502,9 +2503,7 @@
assert len(san) == 1
[name] = san
- assert name.bytes_value == b"xn--k4h.ws"
- with pytest.raises(UnicodeError):
- name.value
+ assert name.value == u"xn--k4h.ws"
def test_unicode_rfc822_name_dns_name_uri(self, backend):
cert = _load_cert(
@@ -2522,7 +2521,7 @@
dns_name = ext.value.get_values_for_type(x509.DNSName)
uri = ext.value.get_values_for_type(x509.UniformResourceIdentifier)
assert rfc822_name == [u"email@\u043f\u044b\u043a\u0430.cryptography"]
- assert dns_name == [u"\u043f\u044b\u043a\u0430.cryptography"]
+ assert dns_name == [u"xn--80ato2c.cryptography"]
assert uri == [u"https://www.\u043f\u044b\u043a\u0430.cryptography"]
def test_rfc822name_dnsname_ipaddress_directoryname_uri(self, backend):
@@ -2599,8 +2598,8 @@
assert othernames == [expected]
def test_certbuilder(self, backend):
- sans = [b'*.example.org', b'*.xn--4ca7aey.example.com',
- b'foobar.example.net']
+ sans = [u'*.example.org', u'*.xn--4ca7aey.example.com',
+ u'foobar.example.net']
private_key = RSA_KEY_2048.private_key(backend)
builder = _make_certbuilder(private_key)
builder = builder.add_extension(
@@ -2608,7 +2607,7 @@
cert = builder.sign(private_key, hashes.SHA1(), backend)
result = [
- x.bytes_value
+ x.value
for x in cert.extensions.get_extension_for_class(
SubjectAlternativeName
).value
@@ -2648,7 +2647,7 @@
class TestAccessDescription(object):
def test_invalid_access_method(self):
with pytest.raises(TypeError):
- x509.AccessDescription("notanoid", x509.DNSName(b"test"))
+ x509.AccessDescription("notanoid", x509.DNSName(u"test"))
def test_invalid_access_location(self):
with pytest.raises(TypeError):
@@ -3242,7 +3241,7 @@
x509.NameConstraints(None, None)
def test_permitted_none(self):
- excluded = [x509.DNSName(b"name.local")]
+ excluded = [x509.DNSName(u"name.local")]
nc = x509.NameConstraints(
permitted_subtrees=None, excluded_subtrees=excluded
)
@@ -3250,7 +3249,7 @@
assert nc.excluded_subtrees is not None
def test_excluded_none(self):
- permitted = [x509.DNSName(b"name.local")]
+ permitted = [x509.DNSName(u"name.local")]
nc = x509.NameConstraints(
permitted_subtrees=permitted, excluded_subtrees=None
)
@@ -3264,7 +3263,7 @@
assert list(nc.excluded_subtrees) == subtrees
def test_repr(self):
- permitted = [x509.DNSName(b"name.local"), x509.DNSName(b"name2.local")]
+ permitted = [x509.DNSName(u"name.local"), x509.DNSName(u"name2.local")]
nc = x509.NameConstraints(
permitted_subtrees=permitted,
excluded_subtrees=None
@@ -3272,39 +3271,39 @@
if six.PY3:
assert repr(nc) == (
"<NameConstraints(permitted_subtrees=[<DNSName("
- "bytes_value=b'name.local')>, <DNSName(bytes_value="
- "b'name2.local')>], excluded_subtrees=None)>"
+ "value='name.local')>, <DNSName(value="
+ "'name2.local')>], excluded_subtrees=None)>"
)
else:
assert repr(nc) == (
"<NameConstraints(permitted_subtrees=[<DNSName("
- "bytes_value='name.local')>, <DNSName(bytes_value="
- "'name2.local')>], excluded_subtrees=None)>"
+ "value=u'name.local')>, <DNSName(value="
+ "u'name2.local')>], excluded_subtrees=None)>"
)
def test_eq(self):
nc = x509.NameConstraints(
- permitted_subtrees=[x509.DNSName(b"name.local")],
- excluded_subtrees=[x509.DNSName(b"name2.local")]
+ permitted_subtrees=[x509.DNSName(u"name.local")],
+ excluded_subtrees=[x509.DNSName(u"name2.local")]
)
nc2 = x509.NameConstraints(
- permitted_subtrees=[x509.DNSName(b"name.local")],
- excluded_subtrees=[x509.DNSName(b"name2.local")]
+ permitted_subtrees=[x509.DNSName(u"name.local")],
+ excluded_subtrees=[x509.DNSName(u"name2.local")]
)
assert nc == nc2
def test_ne(self):
nc = x509.NameConstraints(
- permitted_subtrees=[x509.DNSName(b"name.local")],
- excluded_subtrees=[x509.DNSName(b"name2.local")]
+ permitted_subtrees=[x509.DNSName(u"name.local")],
+ excluded_subtrees=[x509.DNSName(u"name2.local")]
)
nc2 = x509.NameConstraints(
- permitted_subtrees=[x509.DNSName(b"name.local")],
+ permitted_subtrees=[x509.DNSName(u"name.local")],
excluded_subtrees=None
)
nc3 = x509.NameConstraints(
permitted_subtrees=None,
- excluded_subtrees=[x509.DNSName(b"name2.local")]
+ excluded_subtrees=[x509.DNSName(u"name2.local")]
)
assert nc != nc2
@@ -3313,20 +3312,20 @@
def test_hash(self):
nc = x509.NameConstraints(
- permitted_subtrees=[x509.DNSName(b"name.local")],
- excluded_subtrees=[x509.DNSName(b"name2.local")]
+ permitted_subtrees=[x509.DNSName(u"name.local")],
+ excluded_subtrees=[x509.DNSName(u"name2.local")]
)
nc2 = x509.NameConstraints(
- permitted_subtrees=[x509.DNSName(b"name.local")],
- excluded_subtrees=[x509.DNSName(b"name2.local")]
+ permitted_subtrees=[x509.DNSName(u"name.local")],
+ excluded_subtrees=[x509.DNSName(u"name2.local")]
)
nc3 = x509.NameConstraints(
- permitted_subtrees=[x509.DNSName(b"name.local")],
+ permitted_subtrees=[x509.DNSName(u"name.local")],
excluded_subtrees=None
)
nc4 = x509.NameConstraints(
permitted_subtrees=None,
- excluded_subtrees=[x509.DNSName(b"name.local")]
+ excluded_subtrees=[x509.DNSName(u"name.local")]
)
assert hash(nc) == hash(nc2)
assert hash(nc) != hash(nc3)
@@ -3349,7 +3348,7 @@
).value
assert nc == x509.NameConstraints(
permitted_subtrees=[
- x509.DNSName(b"zombo.local"),
+ x509.DNSName(u"zombo.local"),
],
excluded_subtrees=[
x509.DirectoryName(x509.Name([
@@ -3371,7 +3370,7 @@
).value
assert nc == x509.NameConstraints(
permitted_subtrees=[
- x509.DNSName(b"zombo.local"),
+ x509.DNSName(u"zombo.local"),
],
excluded_subtrees=None
)
@@ -3389,7 +3388,7 @@
).value
assert nc == x509.NameConstraints(
permitted_subtrees=[
- x509.DNSName(b".cryptography.io"),
+ x509.DNSName(u".cryptography.io"),
x509.UniformResourceIdentifier(b"ftp://cryptography.test")
],
excluded_subtrees=None
@@ -3409,7 +3408,7 @@
assert nc == x509.NameConstraints(
permitted_subtrees=None,
excluded_subtrees=[
- x509.DNSName(b".cryptography.io"),
+ x509.DNSName(u".cryptography.io"),
x509.UniformResourceIdentifier(b"gopher://cryptography.test")
]
)
@@ -3431,7 +3430,7 @@
x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")),
],
excluded_subtrees=[
- x509.DNSName(b".domain.com"),
+ x509.DNSName(u".domain.com"),
x509.UniformResourceIdentifier(b"http://test.local"),
]
)
@@ -3469,8 +3468,8 @@
)
def test_certbuilder(self, backend):
- permitted = [b'.example.org', b'.xn--4ca7aey.example.com',
- b'foobar.example.net']
+ permitted = [u'.example.org', u'.xn--4ca7aey.example.com',
+ u'foobar.example.net']
private_key = RSA_KEY_2048.private_key(backend)
builder = _make_certbuilder(private_key)
builder = builder.add_extension(
@@ -3479,7 +3478,7 @@
cert = builder.sign(private_key, hashes.SHA1(), backend)
result = [
- x.bytes_value
+ x.value
for x in cert.extensions.get_extension_for_class(
NameConstraints
).value.permitted_subtrees
diff --git a/tests/x509/test_x509_revokedcertbuilder.py b/tests/x509/test_x509_revokedcertbuilder.py
index 9fc5eaa..e3a0650 100644
--- a/tests/x509/test_x509_revokedcertbuilder.py
+++ b/tests/x509/test_x509_revokedcertbuilder.py
@@ -146,7 +146,7 @@
x509.InvalidityDate(datetime.datetime(2015, 1, 1, 0, 0)),
x509.CRLReason(x509.ReasonFlags.ca_compromise),
x509.CertificateIssuer([
- x509.DNSName(b"cryptography.io"),
+ x509.DNSName(u"cryptography.io"),
])
]
)
@@ -180,7 +180,7 @@
datetime.datetime(2015, 1, 1, 0, 0)
)
certificate_issuer = x509.CertificateIssuer([
- x509.DNSName(b"cryptography.io"),
+ x509.DNSName(u"cryptography.io"),
])
crl_reason = x509.CRLReason(x509.ReasonFlags.aa_compromise)
builder = x509.RevokedCertificateBuilder().serial_number(