Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 07d5cae4be47933f5001e8d28d0dddab6edeec3e / . / tests / test_x509_ext.py
blob: 8f961b0b16d402010440aa2b08e0b4313b4bd713 [file] [log] [blame]
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]7import binascii
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]8import datetime
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]9import ipaddress
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]10import os
11
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]12import pytest
13
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]14import six
15
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]16from cryptography import x509
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]17from cryptography.hazmat.backends.interfaces import (
18 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
19)
20from cryptography.hazmat.primitives.asymmetric import ec
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]21from cryptography.x509.oid import (
Nick Bastin326fc8e2015-12-12 19:08:12 -0800[diff] [blame]22 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID,
23 NameOID, ObjectIdentifier
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]24)
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]25
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]26from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]27from .test_x509 import _load_cert
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]28
29
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]30class TestExtension(object):
31 def test_not_an_oid(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]32 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]33 with pytest.raises(TypeError):
34 x509.Extension("notanoid", True, bc)
35
36 def test_critical_not_a_bool(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]37 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]38 with pytest.raises(TypeError):
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]39 x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, "notabool", bc)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]40
41 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]42 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]43 ext = x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, True, bc)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]44 assert repr(ext) == (
45 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConst"
46 "raints)>, critical=True, value=<BasicConstraints(ca=False, path"
47 "_length=None)>)>"
48 )
49
Paul Kehrer58e870c2015-05-17 09:15:30 -0700[diff] [blame]50 def test_eq(self):
51 ext1 = x509.Extension(
52 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
53 )
54 ext2 = x509.Extension(
55 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
56 )
57 assert ext1 == ext2
58
59 def test_ne(self):
60 ext1 = x509.Extension(
61 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
62 )
63 ext2 = x509.Extension(
64 x509.ObjectIdentifier('1.2.3.5'), False, 'value'
65 )
66 ext3 = x509.Extension(
67 x509.ObjectIdentifier('1.2.3.4'), True, 'value'
68 )
69 ext4 = x509.Extension(
70 x509.ObjectIdentifier('1.2.3.4'), False, 'value4'
71 )
72 assert ext1 != ext2
73 assert ext1 != ext3
74 assert ext1 != ext4
75 assert ext1 != object()
76
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]77
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]78class TestCertificateIssuer(object):
79 def test_iter_names(self):
80 ci = x509.CertificateIssuer([
81 x509.DNSName(u"cryptography.io"),
82 x509.DNSName(u"crypto.local"),
83 ])
84 assert len(ci) == 2
85 assert list(ci) == [
86 x509.DNSName(u"cryptography.io"),
87 x509.DNSName(u"crypto.local"),
88 ]
89
Paul Kehrer5c999d32015-12-26 17:45:20 -0600[diff] [blame]90 def test_indexing(self):
91 ci = x509.CertificateIssuer([
92 x509.DNSName(u"cryptography.io"),
93 x509.DNSName(u"crypto.local"),
94 x509.DNSName(u"another.local"),
95 x509.RFC822Name(u"email@another.local"),
96 x509.UniformResourceIdentifier(u"http://another.local"),
97 ])
98 assert ci[-1] == ci[4]
99 assert ci[2:6:2] == [ci[2], ci[4]]
100
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]101 def test_eq(self):
102 ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
103 ci2 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
104 assert ci1 == ci2
105
106 def test_ne(self):
107 ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
108 ci2 = x509.CertificateIssuer([x509.DNSName(u"somethingelse.tld")])
109 assert ci1 != ci2
110 assert ci1 != object()
111
112 def test_repr(self):
113 ci = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
114 assert repr(ci) == (
115 "<CertificateIssuer(<GeneralNames([<DNSName(value=cryptography.io"
116 ")>])>)>"
117 )
118
119 def test_get_values_for_type(self):
120 ci = x509.CertificateIssuer(
121 [x509.DNSName(u"cryptography.io")]
122 )
123 names = ci.get_values_for_type(x509.DNSName)
124 assert names == [u"cryptography.io"]
125
126
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]127class TestCRLReason(object):
128 def test_invalid_reason_flags(self):
129 with pytest.raises(TypeError):
130 x509.CRLReason("notareason")
131
132 def test_eq(self):
133 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
134 reason2 = x509.CRLReason(x509.ReasonFlags.unspecified)
135 assert reason1 == reason2
136
137 def test_ne(self):
138 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
139 reason2 = x509.CRLReason(x509.ReasonFlags.ca_compromise)
140 assert reason1 != reason2
141 assert reason1 != object()
142
Alex Gaynor07d5cae2015-12-27 15:30:39 -0500[diff] [blame^]143 def test_hash(self):
144 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
145 reason2 = x509.CRLReason(x509.ReasonFlags.unspecified)
146 reason3 = x509.CRLReason(x509.ReasonFlags.ca_compromise)
147
148 assert hash(reason1) == hash(reason2)
149 assert hash(reason1) != hash(reason3)
150
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]151 def test_repr(self):
152 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
153 assert repr(reason1) == (
154 "<CRLReason(reason=ReasonFlags.unspecified)>"
155 )
156
157
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]158class TestInvalidityDate(object):
159 def test_invalid_invalidity_date(self):
160 with pytest.raises(TypeError):
161 x509.InvalidityDate("notadate")
162
163 def test_eq(self):
164 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
165 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
166 assert invalid1 == invalid2
167
168 def test_ne(self):
169 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
170 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 2))
171 assert invalid1 != invalid2
172 assert invalid1 != object()
173
174 def test_repr(self):
175 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
176 assert repr(invalid1) == (
177 "<InvalidityDate(invalidity_date=2015-01-01 01:01:00)>"
178 )
179
Paul Kehrer67cde762015-12-26 11:37:14 -0600[diff] [blame]180 def test_hash(self):
181 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
182 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
183 invalid3 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 2))
184 assert hash(invalid1) == hash(invalid2)
185 assert hash(invalid1) != hash(invalid3)
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]186
Paul Kehrerc0297dd2015-12-26 11:37:57 -0600[diff] [blame]187
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]188class TestNoticeReference(object):
189 def test_notice_numbers_not_all_int(self):
190 with pytest.raises(TypeError):
191 x509.NoticeReference("org", [1, 2, "three"])
192
193 def test_notice_numbers_none(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]194 with pytest.raises(TypeError):
195 x509.NoticeReference("org", None)
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]196
197 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]198 nr = x509.NoticeReference(u"org", [1, 3, 4])
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]199
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]200 if six.PY3:
201 assert repr(nr) == (
202 "<NoticeReference(organization='org', notice_numbers=[1, 3, 4"
203 "])>"
204 )
205 else:
206 assert repr(nr) == (
207 "<NoticeReference(organization=u'org', notice_numbers=[1, 3, "
208 "4])>"
209 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]210
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]211 def test_eq(self):
212 nr = x509.NoticeReference("org", [1, 2])
213 nr2 = x509.NoticeReference("org", [1, 2])
214 assert nr == nr2
215
216 def test_ne(self):
217 nr = x509.NoticeReference("org", [1, 2])
218 nr2 = x509.NoticeReference("org", [1])
219 nr3 = x509.NoticeReference(None, [1, 2])
220 assert nr != nr2
221 assert nr != nr3
222 assert nr != object()
223
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]224
225class TestUserNotice(object):
226 def test_notice_reference_invalid(self):
227 with pytest.raises(TypeError):
228 x509.UserNotice("invalid", None)
229
230 def test_notice_reference_none(self):
231 un = x509.UserNotice(None, "text")
232 assert un.notice_reference is None
233 assert un.explicit_text == "text"
234
235 def test_repr(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]236 un = x509.UserNotice(x509.NoticeReference(u"org", [1]), u"text")
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]237 if six.PY3:
238 assert repr(un) == (
239 "<UserNotice(notice_reference=<NoticeReference(organization='"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]240 "org', notice_numbers=[1])>, explicit_text='text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]241 )
242 else:
243 assert repr(un) == (
244 "<UserNotice(notice_reference=<NoticeReference(organization=u"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]245 "'org', notice_numbers=[1])>, explicit_text=u'text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]246 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]247
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]248 def test_eq(self):
249 nr = x509.NoticeReference("org", [1, 2])
250 nr2 = x509.NoticeReference("org", [1, 2])
251 un = x509.UserNotice(nr, "text")
252 un2 = x509.UserNotice(nr2, "text")
253 assert un == un2
254
255 def test_ne(self):
256 nr = x509.NoticeReference("org", [1, 2])
257 nr2 = x509.NoticeReference("org", [1])
258 un = x509.UserNotice(nr, "text")
259 un2 = x509.UserNotice(nr2, "text")
260 un3 = x509.UserNotice(nr, "text3")
261 assert un != un2
262 assert un != un3
263 assert un != object()
264
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]265
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]266class TestPolicyInformation(object):
267 def test_invalid_policy_identifier(self):
268 with pytest.raises(TypeError):
269 x509.PolicyInformation("notanoid", None)
270
271 def test_none_policy_qualifiers(self):
272 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), None)
273 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
274 assert pi.policy_qualifiers is None
275
276 def test_policy_qualifiers(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]277 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]278 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
279 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
280 assert pi.policy_qualifiers == pq
281
282 def test_invalid_policy_identifiers(self):
283 with pytest.raises(TypeError):
284 x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [1, 2])
285
286 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]287 pq = [u"string", x509.UserNotice(None, u"hi")]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]288 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]289 if six.PY3:
290 assert repr(pi) == (
291 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
292 "2.3, name=Unknown OID)>, policy_qualifiers=['string', <UserNo"
Paul Kehrer9aaef9e2015-05-11 10:49:20 -0500[diff] [blame]293 "tice(notice_reference=None, explicit_text='hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]294 )
295 else:
296 assert repr(pi) == (
297 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
298 "2.3, name=Unknown OID)>, policy_qualifiers=[u'string', <UserN"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]299 "otice(notice_reference=None, explicit_text=u'hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]300 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]301
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]302 def test_eq(self):
303 pi = x509.PolicyInformation(
304 x509.ObjectIdentifier("1.2.3"),
305 [u"string", x509.UserNotice(None, u"hi")]
306 )
307 pi2 = x509.PolicyInformation(
308 x509.ObjectIdentifier("1.2.3"),
309 [u"string", x509.UserNotice(None, u"hi")]
310 )
311 assert pi == pi2
312
313 def test_ne(self):
314 pi = x509.PolicyInformation(
315 x509.ObjectIdentifier("1.2.3"), [u"string"]
316 )
317 pi2 = x509.PolicyInformation(
318 x509.ObjectIdentifier("1.2.3"), [u"string2"]
319 )
320 pi3 = x509.PolicyInformation(
321 x509.ObjectIdentifier("1.2.3.4"), [u"string"]
322 )
323 assert pi != pi2
324 assert pi != pi3
325 assert pi != object()
326
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]327
328class TestCertificatePolicies(object):
329 def test_invalid_policies(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]330 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]331 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
332 with pytest.raises(TypeError):
333 x509.CertificatePolicies([1, pi])
334
335 def test_iter_len(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]336 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]337 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
338 cp = x509.CertificatePolicies([pi])
339 assert len(cp) == 1
340 for policyinfo in cp:
341 assert policyinfo == pi
342
343 def test_repr(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]344 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]345 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
346 cp = x509.CertificatePolicies([pi])
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]347 if six.PY3:
348 assert repr(cp) == (
349 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
350 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
351 "ers=['string'])>])>"
352 )
353 else:
354 assert repr(cp) == (
355 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
356 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
357 "ers=[u'string'])>])>"
358 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]359
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]360 def test_eq(self):
361 pi = x509.PolicyInformation(
362 x509.ObjectIdentifier("1.2.3"), [u"string"]
363 )
364 cp = x509.CertificatePolicies([pi])
365 pi2 = x509.PolicyInformation(
366 x509.ObjectIdentifier("1.2.3"), [u"string"]
367 )
368 cp2 = x509.CertificatePolicies([pi2])
369 assert cp == cp2
370
371 def test_ne(self):
372 pi = x509.PolicyInformation(
373 x509.ObjectIdentifier("1.2.3"), [u"string"]
374 )
375 cp = x509.CertificatePolicies([pi])
376 pi2 = x509.PolicyInformation(
377 x509.ObjectIdentifier("1.2.3"), [u"string2"]
378 )
379 cp2 = x509.CertificatePolicies([pi2])
380 assert cp != cp2
381 assert cp != object()
382
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]383
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]384@pytest.mark.requires_backend_interface(interface=RSABackend)
385@pytest.mark.requires_backend_interface(interface=X509Backend)
386class TestCertificatePoliciesExtension(object):
387 def test_cps_uri_policy_qualifier(self, backend):
388 cert = _load_cert(
389 os.path.join("x509", "custom", "cp_cps_uri.pem"),
390 x509.load_pem_x509_certificate,
391 backend
392 )
393
394 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]395 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]396 ).value
397
398 assert cp == x509.CertificatePolicies([
399 x509.PolicyInformation(
400 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
401 [u"http://other.com/cps"]
402 )
403 ])
404
405 def test_user_notice_with_notice_reference(self, backend):
406 cert = _load_cert(
407 os.path.join(
408 "x509", "custom", "cp_user_notice_with_notice_reference.pem"
409 ),
410 x509.load_pem_x509_certificate,
411 backend
412 )
413
414 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]415 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]416 ).value
417
418 assert cp == x509.CertificatePolicies([
419 x509.PolicyInformation(
420 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
421 [
422 u"http://example.com/cps",
423 u"http://other.com/cps",
424 x509.UserNotice(
425 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
426 u"thing"
427 )
428 ]
429 )
430 ])
431
432 def test_user_notice_with_explicit_text(self, backend):
433 cert = _load_cert(
434 os.path.join(
435 "x509", "custom", "cp_user_notice_with_explicit_text.pem"
436 ),
437 x509.load_pem_x509_certificate,
438 backend
439 )
440
441 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]442 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]443 ).value
444
445 assert cp == x509.CertificatePolicies([
446 x509.PolicyInformation(
447 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
448 [x509.UserNotice(None, u"thing")]
449 )
450 ])
451
452 def test_user_notice_no_explicit_text(self, backend):
453 cert = _load_cert(
454 os.path.join(
455 "x509", "custom", "cp_user_notice_no_explicit_text.pem"
456 ),
457 x509.load_pem_x509_certificate,
458 backend
459 )
460
461 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]462 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]463 ).value
464
465 assert cp == x509.CertificatePolicies([
466 x509.PolicyInformation(
467 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
468 [
469 x509.UserNotice(
470 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
471 None
472 )
473 ]
474 )
475 ])
476
477
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]478class TestKeyUsage(object):
479 def test_key_agreement_false_encipher_decipher_true(self):
480 with pytest.raises(ValueError):
481 x509.KeyUsage(
482 digital_signature=False,
483 content_commitment=False,
484 key_encipherment=False,
485 data_encipherment=False,
486 key_agreement=False,
487 key_cert_sign=False,
488 crl_sign=False,
489 encipher_only=True,
490 decipher_only=False
491 )
492
493 with pytest.raises(ValueError):
494 x509.KeyUsage(
495 digital_signature=False,
496 content_commitment=False,
497 key_encipherment=False,
498 data_encipherment=False,
499 key_agreement=False,
500 key_cert_sign=False,
501 crl_sign=False,
502 encipher_only=True,
503 decipher_only=True
504 )
505
506 with pytest.raises(ValueError):
507 x509.KeyUsage(
508 digital_signature=False,
509 content_commitment=False,
510 key_encipherment=False,
511 data_encipherment=False,
512 key_agreement=False,
513 key_cert_sign=False,
514 crl_sign=False,
515 encipher_only=False,
516 decipher_only=True
517 )
518
519 def test_properties_key_agreement_true(self):
520 ku = x509.KeyUsage(
521 digital_signature=True,
522 content_commitment=True,
523 key_encipherment=False,
524 data_encipherment=False,
525 key_agreement=False,
526 key_cert_sign=True,
527 crl_sign=False,
528 encipher_only=False,
529 decipher_only=False
530 )
531 assert ku.digital_signature is True
532 assert ku.content_commitment is True
533 assert ku.key_encipherment is False
534 assert ku.data_encipherment is False
535 assert ku.key_agreement is False
536 assert ku.key_cert_sign is True
537 assert ku.crl_sign is False
538
539 def test_key_agreement_true_properties(self):
540 ku = x509.KeyUsage(
541 digital_signature=False,
542 content_commitment=False,
543 key_encipherment=False,
544 data_encipherment=False,
545 key_agreement=True,
546 key_cert_sign=False,
547 crl_sign=False,
548 encipher_only=False,
549 decipher_only=True
550 )
551 assert ku.key_agreement is True
552 assert ku.encipher_only is False
553 assert ku.decipher_only is True
554
555 def test_key_agreement_false_properties(self):
556 ku = x509.KeyUsage(
557 digital_signature=False,
558 content_commitment=False,
559 key_encipherment=False,
560 data_encipherment=False,
561 key_agreement=False,
562 key_cert_sign=False,
563 crl_sign=False,
564 encipher_only=False,
565 decipher_only=False
566 )
567 assert ku.key_agreement is False
568 with pytest.raises(ValueError):
569 ku.encipher_only
570
571 with pytest.raises(ValueError):
572 ku.decipher_only
573
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]574 def test_repr_key_agreement_false(self):
575 ku = x509.KeyUsage(
576 digital_signature=True,
577 content_commitment=True,
578 key_encipherment=False,
579 data_encipherment=False,
580 key_agreement=False,
581 key_cert_sign=True,
582 crl_sign=False,
583 encipher_only=False,
584 decipher_only=False
585 )
586 assert repr(ku) == (
587 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
588 "cipherment=False, data_encipherment=False, key_agreement=False, k"
Paul Kehrerb372e672015-04-15 11:05:24 -0400[diff] [blame]589 "ey_cert_sign=True, crl_sign=False, encipher_only=None, decipher_o"
590 "nly=None)>"
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]591 )
592
593 def test_repr_key_agreement_true(self):
594 ku = x509.KeyUsage(
595 digital_signature=True,
596 content_commitment=True,
597 key_encipherment=False,
598 data_encipherment=False,
599 key_agreement=True,
600 key_cert_sign=True,
601 crl_sign=False,
602 encipher_only=False,
603 decipher_only=False
604 )
605 assert repr(ku) == (
606 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
607 "cipherment=False, data_encipherment=False, key_agreement=True, k"
608 "ey_cert_sign=True, crl_sign=False, encipher_only=False, decipher_"
609 "only=False)>"
610 )
611
Paul Kehrer8565f5e2015-05-13 09:57:09 -0500[diff] [blame]612 def test_eq(self):
613 ku = x509.KeyUsage(
614 digital_signature=False,
615 content_commitment=False,
616 key_encipherment=False,
617 data_encipherment=False,
618 key_agreement=True,
619 key_cert_sign=False,
620 crl_sign=False,
621 encipher_only=False,
622 decipher_only=True
623 )
624 ku2 = x509.KeyUsage(
625 digital_signature=False,
626 content_commitment=False,
627 key_encipherment=False,
628 data_encipherment=False,
629 key_agreement=True,
630 key_cert_sign=False,
631 crl_sign=False,
632 encipher_only=False,
633 decipher_only=True
634 )
635 assert ku == ku2
636
637 def test_ne(self):
638 ku = x509.KeyUsage(
639 digital_signature=False,
640 content_commitment=False,
641 key_encipherment=False,
642 data_encipherment=False,
643 key_agreement=True,
644 key_cert_sign=False,
645 crl_sign=False,
646 encipher_only=False,
647 decipher_only=True
648 )
649 ku2 = x509.KeyUsage(
650 digital_signature=False,
651 content_commitment=False,
652 key_encipherment=False,
653 data_encipherment=False,
654 key_agreement=False,
655 key_cert_sign=False,
656 crl_sign=False,
657 encipher_only=False,
658 decipher_only=False
659 )
660 assert ku != ku2
661 assert ku != object()
662
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]663
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]664class TestSubjectKeyIdentifier(object):
665 def test_properties(self):
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]666 value = binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]667 ski = x509.SubjectKeyIdentifier(value)
668 assert ski.digest == value
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]669
670 def test_repr(self):
671 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]672 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]673 )
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]674 ext = x509.Extension(ExtensionOID.SUBJECT_KEY_IDENTIFIER, False, ski)
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]675 if six.PY3:
676 assert repr(ext) == (
677 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
678 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
679 "igest=b\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
680 "\\xf7\\xff:\\xc9\')>)>"
681 )
682 else:
683 assert repr(ext) == (
684 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
685 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
686 "igest=\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
687 "\\xf7\\xff:\\xc9\')>)>"
688 )
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]689
690 def test_eq(self):
691 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]692 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]693 )
694 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]695 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]696 )
697 assert ski == ski2
698
699 def test_ne(self):
700 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]701 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]702 )
703 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]704 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]705 )
706 assert ski != ski2
707 assert ski != object()
708
Alex Gaynor410fe352015-12-26 15:01:25 -0500[diff] [blame]709 def test_hash(self):
710 ski1 = x509.SubjectKeyIdentifier(
711 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
712 )
713 ski2 = x509.SubjectKeyIdentifier(
714 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
715 )
716 ski3 = x509.SubjectKeyIdentifier(
717 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
718 )
719
720 assert hash(ski1) == hash(ski2)
721 assert hash(ski1) != hash(ski3)
722
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]723
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]724class TestAuthorityKeyIdentifier(object):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]725 def test_authority_cert_issuer_not_generalname(self):
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]726 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]727 x509.AuthorityKeyIdentifier(b"identifier", ["notname"], 3)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]728
729 def test_authority_cert_serial_number_not_integer(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]730 dirname = x509.DirectoryName(
731 x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]732 x509.NameAttribute(
733 x509.ObjectIdentifier('2.999.1'),
734 u'value1'
735 ),
736 x509.NameAttribute(
737 x509.ObjectIdentifier('2.999.2'),
738 u'value2'
739 ),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]740 ])
741 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]742 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]743 x509.AuthorityKeyIdentifier(b"identifier", [dirname], "notanint")
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]744
745 def test_authority_issuer_none_serial_not_none(self):
746 with pytest.raises(ValueError):
747 x509.AuthorityKeyIdentifier(b"identifier", None, 3)
748
749 def test_authority_issuer_not_none_serial_none(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]750 dirname = x509.DirectoryName(
751 x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]752 x509.NameAttribute(
753 x509.ObjectIdentifier('2.999.1'),
754 u'value1'
755 ),
756 x509.NameAttribute(
757 x509.ObjectIdentifier('2.999.2'),
758 u'value2'
759 ),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]760 ])
761 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]762 with pytest.raises(ValueError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]763 x509.AuthorityKeyIdentifier(b"identifier", [dirname], None)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]764
765 def test_authority_cert_serial_and_issuer_none(self):
766 aki = x509.AuthorityKeyIdentifier(b"id", None, None)
767 assert aki.key_identifier == b"id"
768 assert aki.authority_cert_issuer is None
769 assert aki.authority_cert_serial_number is None
770
771 def test_repr(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]772 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]773 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]774 )
775 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]776
777 if six.PY3:
778 assert repr(aki) == (
779 "<AuthorityKeyIdentifier(key_identifier=b'digest', authority_"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]780 "cert_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid="
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]781 "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value='myC"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]782 "N')>])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]783 )
784 else:
785 assert repr(aki) == (
786 "<AuthorityKeyIdentifier(key_identifier='digest', authority_ce"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]787 "rt_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid=<Ob"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]788 "jectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'myCN')"
789 ">])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]790 )
791
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]792 def test_eq(self):
793 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]794 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]795 )
796 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
797 dirname2 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]798 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]799 )
800 aki2 = x509.AuthorityKeyIdentifier(b"digest", [dirname2], 1234)
801 assert aki == aki2
802
803 def test_ne(self):
804 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]805 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]806 )
807 dirname5 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]808 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'aCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]809 )
810 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
811 aki2 = x509.AuthorityKeyIdentifier(b"diges", [dirname], 1234)
812 aki3 = x509.AuthorityKeyIdentifier(b"digest", None, None)
813 aki4 = x509.AuthorityKeyIdentifier(b"digest", [dirname], 12345)
814 aki5 = x509.AuthorityKeyIdentifier(b"digest", [dirname5], 12345)
815 assert aki != aki2
816 assert aki != aki3
817 assert aki != aki4
818 assert aki != aki5
819 assert aki != object()
820
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]821
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]822class TestBasicConstraints(object):
823 def test_ca_not_boolean(self):
824 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]825 x509.BasicConstraints(ca="notbool", path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]826
827 def test_path_length_not_ca(self):
828 with pytest.raises(ValueError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]829 x509.BasicConstraints(ca=False, path_length=0)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]830
831 def test_path_length_not_int(self):
832 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]833 x509.BasicConstraints(ca=True, path_length=1.1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]834
835 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]836 x509.BasicConstraints(ca=True, path_length="notint")
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]837
838 def test_path_length_negative(self):
839 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]840 x509.BasicConstraints(ca=True, path_length=-1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]841
842 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]843 na = x509.BasicConstraints(ca=True, path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]844 assert repr(na) == (
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]845 "<BasicConstraints(ca=True, path_length=None)>"
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]846 )
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]847
Paul Kehrer3a69b132015-05-13 10:03:46 -0500[diff] [blame]848 def test_eq(self):
849 na = x509.BasicConstraints(ca=True, path_length=None)
850 na2 = x509.BasicConstraints(ca=True, path_length=None)
851 assert na == na2
852
853 def test_ne(self):
854 na = x509.BasicConstraints(ca=True, path_length=None)
855 na2 = x509.BasicConstraints(ca=True, path_length=1)
856 na3 = x509.BasicConstraints(ca=False, path_length=None)
857 assert na != na2
858 assert na != na3
859 assert na != object()
860
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]861
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]862class TestExtendedKeyUsage(object):
863 def test_not_all_oids(self):
864 with pytest.raises(TypeError):
865 x509.ExtendedKeyUsage(["notoid"])
866
867 def test_iter_len(self):
868 eku = x509.ExtendedKeyUsage([
869 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
870 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
871 ])
872 assert len(eku) == 2
873 assert list(eku) == [
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]874 ExtendedKeyUsageOID.SERVER_AUTH,
875 ExtendedKeyUsageOID.CLIENT_AUTH
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]876 ]
877
Paul Kehrer23d10c32015-04-02 23:12:32 -0500[diff] [blame]878 def test_repr(self):
879 eku = x509.ExtendedKeyUsage([
880 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
881 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
882 ])
883 assert repr(eku) == (
884 "<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name="
885 "serverAuth)>, <ObjectIdentifier(oid=1.3.6.1.5.5.7.3.2, name=clien"
886 "tAuth)>])>"
887 )
888
Paul Kehrerb0476172015-05-02 19:34:51 -0500[diff] [blame]889 def test_eq(self):
890 eku = x509.ExtendedKeyUsage([
891 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
892 ])
893 eku2 = x509.ExtendedKeyUsage([
894 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
895 ])
896 assert eku == eku2
897
898 def test_ne(self):
899 eku = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6")])
900 eku2 = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6.1")])
901 assert eku != eku2
902 assert eku != object()
903
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]904
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]905@pytest.mark.requires_backend_interface(interface=RSABackend)
906@pytest.mark.requires_backend_interface(interface=X509Backend)
907class TestExtensions(object):
908 def test_no_extensions(self, backend):
909 cert = _load_cert(
910 os.path.join("x509", "verisign_md2_root.pem"),
911 x509.load_pem_x509_certificate,
912 backend
913 )
914 ext = cert.extensions
915 assert len(ext) == 0
916 assert list(ext) == []
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]917 with pytest.raises(x509.ExtensionNotFound) as exc:
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]918 ext.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]919
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]920 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]921
922 def test_one_extension(self, backend):
923 cert = _load_cert(
924 os.path.join(
925 "x509", "custom", "basic_constraints_not_critical.pem"
926 ),
927 x509.load_pem_x509_certificate,
928 backend
929 )
930 extensions = cert.extensions
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]931 ext = extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]932 assert ext is not None
933 assert ext.value.ca is False
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]934
935 def test_duplicate_extension(self, backend):
936 cert = _load_cert(
937 os.path.join(
938 "x509", "custom", "two_basic_constraints.pem"
939 ),
940 x509.load_pem_x509_certificate,
941 backend
942 )
943 with pytest.raises(x509.DuplicateExtension) as exc:
944 cert.extensions
945
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]946 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]947
948 def test_unsupported_critical_extension(self, backend):
949 cert = _load_cert(
950 os.path.join(
951 "x509", "custom", "unsupported_extension_critical.pem"
952 ),
953 x509.load_pem_x509_certificate,
954 backend
955 )
956 with pytest.raises(x509.UnsupportedExtension) as exc:
957 cert.extensions
958
959 assert exc.value.oid == x509.ObjectIdentifier("1.2.3.4")
960
961 def test_unsupported_extension(self, backend):
962 # TODO: this will raise an exception when all extensions are complete
963 cert = _load_cert(
964 os.path.join(
965 "x509", "custom", "unsupported_extension.pem"
966 ),
967 x509.load_pem_x509_certificate,
968 backend
969 )
970 extensions = cert.extensions
971 assert len(extensions) == 0
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]972
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]973 def test_no_extensions_get_for_class(self, backend):
974 cert = _load_cert(
975 os.path.join(
Phoebe Queencb5ec4e2015-08-12 15:06:26 +0100[diff] [blame]976 "x509", "cryptography.io.pem"
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]977 ),
978 x509.load_pem_x509_certificate,
979 backend
980 )
Phoebe Queenc93752b2015-08-12 10:54:46 +0100[diff] [blame]981 exts = cert.extensions
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]982 with pytest.raises(x509.ExtensionNotFound) as exc:
Phoebe Queencb5ec4e2015-08-12 15:06:26 +0100[diff] [blame]983 exts.get_extension_for_class(x509.IssuerAlternativeName)
984 assert exc.value.oid == ExtensionOID.ISSUER_ALTERNATIVE_NAME
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]985
Paul Kehrer5b90c972015-12-26 00:52:58 -0600[diff] [blame]986 def test_indexing(self, backend):
987 cert = _load_cert(
988 os.path.join("x509", "cryptography.io.pem"),
989 x509.load_pem_x509_certificate,
990 backend
991 )
992 exts = cert.extensions
993 assert exts[-1] == exts[7]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame]994 assert exts[2:6:2] == [exts[2], exts[4]]
Paul Kehrer5b90c972015-12-26 00:52:58 -0600[diff] [blame]995
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]996 def test_one_extension_get_for_class(self, backend):
997 cert = _load_cert(
Phoebe Queen2cc111a2015-08-12 04:14:22 +0100[diff] [blame]998 os.path.join(
999 "x509", "custom", "basic_constraints_not_critical.pem"
1000 ),
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]1001 x509.load_pem_x509_certificate,
1002 backend
1003 )
1004 ext = cert.extensions.get_extension_for_class(x509.BasicConstraints)
1005 assert ext is not None
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]1006 assert isinstance(ext.value, x509.BasicConstraints)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1007
Paul Kehrerafbe75b2015-10-20 08:08:43 -0500[diff] [blame]1008 def test_repr(self, backend):
1009 cert = _load_cert(
1010 os.path.join(
1011 "x509", "custom", "basic_constraints_not_critical.pem"
1012 ),
1013 x509.load_pem_x509_certificate,
1014 backend
1015 )
1016 assert repr(cert.extensions) == (
1017 "<Extensions([<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name"
1018 "=basicConstraints)>, critical=False, value=<BasicConstraints(ca=F"
1019 "alse, path_length=None)>)>])>"
1020 )
1021
Phoebe Queen2cc111a2015-08-12 04:14:22 +0100[diff] [blame]1022
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1023@pytest.mark.requires_backend_interface(interface=RSABackend)
1024@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerde813ea2015-03-28 12:44:34 -0500[diff] [blame]1025class TestBasicConstraintsExtension(object):
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1026 def test_ca_true_pathlen_6(self, backend):
1027 cert = _load_cert(
1028 os.path.join(
1029 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
1030 ),
1031 x509.load_der_x509_certificate,
1032 backend
1033 )
Phoebe Queen062dec72015-08-12 11:42:23 +0100[diff] [blame]1034 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1035 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1036 )
1037 assert ext is not None
1038 assert ext.critical is True
1039 assert ext.value.ca is True
1040 assert ext.value.path_length == 6
1041
1042 def test_path_length_zero(self, backend):
1043 cert = _load_cert(
1044 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
1045 x509.load_pem_x509_certificate,
1046 backend
1047 )
1048 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1049 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1050 )
1051 assert ext is not None
1052 assert ext.critical is True
1053 assert ext.value.ca is True
1054 assert ext.value.path_length == 0
1055
1056 def test_ca_true_no_pathlen(self, backend):
1057 cert = _load_cert(
1058 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1059 x509.load_der_x509_certificate,
1060 backend
1061 )
1062 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1063 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1064 )
1065 assert ext is not None
1066 assert ext.critical is True
1067 assert ext.value.ca is True
1068 assert ext.value.path_length is None
1069
1070 def test_ca_false(self, backend):
1071 cert = _load_cert(
1072 os.path.join("x509", "cryptography.io.pem"),
1073 x509.load_pem_x509_certificate,
1074 backend
1075 )
1076 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1077 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1078 )
1079 assert ext is not None
1080 assert ext.critical is True
1081 assert ext.value.ca is False
1082 assert ext.value.path_length is None
1083
1084 def test_no_basic_constraints(self, backend):
1085 cert = _load_cert(
1086 os.path.join(
1087 "x509",
1088 "PKITS_data",
1089 "certs",
1090 "ValidCertificatePathTest1EE.crt"
1091 ),
1092 x509.load_der_x509_certificate,
1093 backend
1094 )
1095 with pytest.raises(x509.ExtensionNotFound):
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1096 cert.extensions.get_extension_for_oid(
1097 ExtensionOID.BASIC_CONSTRAINTS
1098 )
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1099
1100 def test_basic_constraint_not_critical(self, backend):
1101 cert = _load_cert(
1102 os.path.join(
1103 "x509", "custom", "basic_constraints_not_critical.pem"
1104 ),
1105 x509.load_pem_x509_certificate,
1106 backend
1107 )
1108 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1109 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1110 )
1111 assert ext is not None
1112 assert ext.critical is False
1113 assert ext.value.ca is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1114
1115
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1116class TestSubjectKeyIdentifierExtension(object):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1117 @pytest.mark.requires_backend_interface(interface=RSABackend)
1118 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1119 def test_subject_key_identifier(self, backend):
1120 cert = _load_cert(
1121 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1122 x509.load_der_x509_certificate,
1123 backend
1124 )
1125 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1126 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1127 )
1128 ski = ext.value
1129 assert ext is not None
1130 assert ext.critical is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1131 assert ski.digest == binascii.unhexlify(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]1132 b"580184241bbc2b52944a3da510721451f5af3ac9"
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1133 )
1134
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1135 @pytest.mark.requires_backend_interface(interface=RSABackend)
1136 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1137 def test_no_subject_key_identifier(self, backend):
1138 cert = _load_cert(
1139 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
1140 x509.load_pem_x509_certificate,
1141 backend
1142 )
1143 with pytest.raises(x509.ExtensionNotFound):
1144 cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1145 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1146 )
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1147
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1148 @pytest.mark.requires_backend_interface(interface=RSABackend)
1149 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1150 def test_from_rsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1151 cert = _load_cert(
1152 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1153 x509.load_der_x509_certificate,
1154 backend
1155 )
1156 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1157 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1158 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1159 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1160 cert.public_key()
1161 )
1162 assert ext.value == ski
1163
1164 @pytest.mark.requires_backend_interface(interface=DSABackend)
1165 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1166 def test_from_dsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1167 cert = _load_cert(
1168 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
1169 x509.load_pem_x509_certificate,
1170 backend
1171 )
1172
1173 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1174 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1175 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1176 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1177 cert.public_key()
1178 )
1179 assert ext.value == ski
1180
1181 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1182 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1183 def test_from_ec_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1184 _skip_curve_unsupported(backend, ec.SECP384R1())
1185 cert = _load_cert(
1186 os.path.join("x509", "ecdsa_root.pem"),
1187 x509.load_pem_x509_certificate,
1188 backend
1189 )
1190
1191 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1192 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1193 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1194 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1195 cert.public_key()
1196 )
1197 assert ext.value == ski
1198
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1199
1200@pytest.mark.requires_backend_interface(interface=RSABackend)
1201@pytest.mark.requires_backend_interface(interface=X509Backend)
1202class TestKeyUsageExtension(object):
1203 def test_no_key_usage(self, backend):
1204 cert = _load_cert(
1205 os.path.join("x509", "verisign_md2_root.pem"),
1206 x509.load_pem_x509_certificate,
1207 backend
1208 )
1209 ext = cert.extensions
1210 with pytest.raises(x509.ExtensionNotFound) as exc:
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1211 ext.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1212
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1213 assert exc.value.oid == ExtensionOID.KEY_USAGE
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1214
1215 def test_all_purposes(self, backend):
1216 cert = _load_cert(
1217 os.path.join(
1218 "x509", "custom", "all_key_usages.pem"
1219 ),
1220 x509.load_pem_x509_certificate,
1221 backend
1222 )
1223 extensions = cert.extensions
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1224 ext = extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1225 assert ext is not None
1226
1227 ku = ext.value
1228 assert ku.digital_signature is True
1229 assert ku.content_commitment is True
1230 assert ku.key_encipherment is True
1231 assert ku.data_encipherment is True
1232 assert ku.key_agreement is True
1233 assert ku.key_cert_sign is True
1234 assert ku.crl_sign is True
1235 assert ku.encipher_only is True
1236 assert ku.decipher_only is True
1237
1238 def test_key_cert_sign_crl_sign(self, backend):
1239 cert = _load_cert(
1240 os.path.join(
1241 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
1242 ),
1243 x509.load_der_x509_certificate,
1244 backend
1245 )
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1246 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1247 assert ext is not None
1248 assert ext.critical is True
1249
1250 ku = ext.value
1251 assert ku.digital_signature is False
1252 assert ku.content_commitment is False
1253 assert ku.key_encipherment is False
1254 assert ku.data_encipherment is False
1255 assert ku.key_agreement is False
1256 assert ku.key_cert_sign is True
1257 assert ku.crl_sign is True
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1258
1259
1260@pytest.mark.parametrize(
1261 "name", [
1262 x509.RFC822Name,
1263 x509.DNSName,
1264 x509.UniformResourceIdentifier
1265 ]
1266)
1267class TestTextGeneralNames(object):
1268 def test_not_text(self, name):
1269 with pytest.raises(TypeError):
1270 name(b"notaunicodestring")
1271
1272 with pytest.raises(TypeError):
1273 name(1.3)
1274
1275 def test_repr(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1276 gn = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1277 assert repr(gn) == "<{0}(value=string)>".format(name.__name__)
1278
1279 def test_eq(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1280 gn = name(u"string")
1281 gn2 = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1282 assert gn == gn2
1283
1284 def test_ne(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1285 gn = name(u"string")
1286 gn2 = name(u"string2")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1287 assert gn != gn2
1288 assert gn != object()
1289
1290
1291class TestDirectoryName(object):
1292 def test_not_name(self):
1293 with pytest.raises(TypeError):
1294 x509.DirectoryName(b"notaname")
1295
1296 with pytest.raises(TypeError):
1297 x509.DirectoryName(1.3)
1298
1299 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1300 name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'value1')])
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1301 gn = x509.DirectoryName(x509.Name([name]))
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]1302 if six.PY3:
1303 assert repr(gn) == (
1304 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1305 "Identifier(oid=2.5.4.3, name=commonName)>, value='value1')>])"
1306 ">])>)>"
1307 )
1308 else:
1309 assert repr(gn) == (
1310 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1311 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'value1')>]"
1312 ")>])>)>"
1313 )
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1314
1315 def test_eq(self):
1316 name = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1317 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1318 ])
1319 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1320 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1321 ])
1322 gn = x509.DirectoryName(x509.Name([name]))
1323 gn2 = x509.DirectoryName(x509.Name([name2]))
1324 assert gn == gn2
1325
1326 def test_ne(self):
1327 name = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1328 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1329 ])
1330 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1331 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1332 ])
1333 gn = x509.DirectoryName(x509.Name([name]))
1334 gn2 = x509.DirectoryName(x509.Name([name2]))
1335 assert gn != gn2
1336 assert gn != object()
1337
1338
Paul Kehrer01d5d0b2015-07-12 09:41:21 -0500[diff] [blame]1339class TestRFC822Name(object):
1340 def test_invalid_email(self):
1341 with pytest.raises(ValueError):
1342 x509.RFC822Name(u"Name <email>")
1343
1344 with pytest.raises(ValueError):
1345 x509.RFC822Name(u"")
1346
1347 def test_single_label(self):
1348 gn = x509.RFC822Name(u"administrator")
1349 assert gn.value == u"administrator"
1350
1351 def test_idna(self):
1352 gn = x509.RFC822Name(u"email@em\xe5\xefl.com")
1353 assert gn.value == u"email@em\xe5\xefl.com"
1354 assert gn._encoded == b"email@xn--eml-vla4c.com"
1355
1356
Paul Kehrere28d6c42015-07-12 14:59:37 -0500[diff] [blame]1357class TestUniformResourceIdentifier(object):
1358 def test_no_parsed_hostname(self):
1359 gn = x509.UniformResourceIdentifier(u"singlelabel")
1360 assert gn.value == u"singlelabel"
1361
1362 def test_with_port(self):
1363 gn = x509.UniformResourceIdentifier(u"singlelabel:443/test")
1364 assert gn.value == u"singlelabel:443/test"
1365
1366 def test_idna_no_port(self):
1367 gn = x509.UniformResourceIdentifier(
1368 u"http://\u043f\u044b\u043a\u0430.cryptography"
1369 )
1370 assert gn.value == u"http://\u043f\u044b\u043a\u0430.cryptography"
1371 assert gn._encoded == b"http://xn--80ato2c.cryptography"
1372
1373 def test_idna_with_port(self):
1374 gn = x509.UniformResourceIdentifier(
1375 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1376 )
1377 assert gn.value == (
1378 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1379 )
1380 assert gn._encoded == b"gopher://xn--80ato2c.cryptography:70/some/path"
1381
1382 def test_query_and_fragment(self):
1383 gn = x509.UniformResourceIdentifier(
1384 u"ldap://cryptography:90/path?query=true#somedata"
1385 )
1386 assert gn.value == u"ldap://cryptography:90/path?query=true#somedata"
1387
1388
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1389class TestRegisteredID(object):
1390 def test_not_oid(self):
1391 with pytest.raises(TypeError):
1392 x509.RegisteredID(b"notanoid")
1393
1394 with pytest.raises(TypeError):
1395 x509.RegisteredID(1.3)
1396
1397 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1398 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1399 assert repr(gn) == (
1400 "<RegisteredID(value=<ObjectIdentifier(oid=2.5.4.3, name=commonNam"
1401 "e)>)>"
1402 )
1403
1404 def test_eq(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1405 gn = x509.RegisteredID(NameOID.COMMON_NAME)
1406 gn2 = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1407 assert gn == gn2
1408
1409 def test_ne(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1410 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1411 gn2 = x509.RegisteredID(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1412 assert gn != gn2
1413 assert gn != object()
1414
1415
1416class TestIPAddress(object):
1417 def test_not_ipaddress(self):
1418 with pytest.raises(TypeError):
1419 x509.IPAddress(b"notanipaddress")
1420
1421 with pytest.raises(TypeError):
1422 x509.IPAddress(1.3)
1423
1424 def test_repr(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1425 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1426 assert repr(gn) == "<IPAddress(value=127.0.0.1)>"
1427
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1428 gn2 = x509.IPAddress(ipaddress.IPv6Address(u"ff::"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1429 assert repr(gn2) == "<IPAddress(value=ff::)>"
1430
Paul Kehrereb177932015-05-17 18:33:33 -0700[diff] [blame]1431 gn3 = x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24"))
1432 assert repr(gn3) == "<IPAddress(value=192.168.0.0/24)>"
1433
1434 gn4 = x509.IPAddress(ipaddress.IPv6Network(u"ff::/96"))
1435 assert repr(gn4) == "<IPAddress(value=ff::/96)>"
1436
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1437 def test_eq(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1438 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1439 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1440 assert gn == gn2
1441
1442 def test_ne(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1443 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1444 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.2"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1445 assert gn != gn2
1446 assert gn != object()
1447
1448
Joshua Tauberer18b6fc82015-07-05 21:44:51 +0000[diff] [blame]1449class TestOtherName(object):
1450 def test_invalid_args(self):
1451 with pytest.raises(TypeError):
1452 x509.OtherName(b"notanobjectidentifier", b"derdata")
1453
1454 with pytest.raises(TypeError):
1455 x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), u"notderdata")
1456
1457 def test_repr(self):
1458 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1459 if six.PY3:
1460 assert repr(gn) == (
1461 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1462 "name=Unknown OID)>, value=b'derdata')>"
1463 )
1464 else:
1465 assert repr(gn) == (
1466 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1467 "name=Unknown OID)>, value='derdata')>"
1468 )
1469
1470 gn = x509.OtherName(x509.ObjectIdentifier("2.5.4.65"), b"derdata")
1471 if six.PY3:
1472 assert repr(gn) == (
1473 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1474 "name=pseudonym)>, value=b'derdata')>"
1475 )
1476 else:
1477 assert repr(gn) == (
1478 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1479 "name=pseudonym)>, value='derdata')>"
1480 )
1481
1482 def test_eq(self):
1483 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1484 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1485 assert gn == gn2
1486
1487 def test_ne(self):
1488 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1489 assert gn != object()
1490
1491 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata2")
1492 assert gn != gn2
1493
1494 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.5"), b"derdata")
1495 assert gn != gn2
1496
1497
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1498class TestGeneralNames(object):
1499 def test_get_values_for_type(self):
1500 gns = x509.GeneralNames(
1501 [x509.DNSName(u"cryptography.io")]
1502 )
1503 names = gns.get_values_for_type(x509.DNSName)
1504 assert names == [u"cryptography.io"]
1505
1506 def test_iter_names(self):
1507 gns = x509.GeneralNames([
1508 x509.DNSName(u"cryptography.io"),
1509 x509.DNSName(u"crypto.local"),
1510 ])
1511 assert len(gns) == 2
1512 assert list(gns) == [
1513 x509.DNSName(u"cryptography.io"),
1514 x509.DNSName(u"crypto.local"),
1515 ]
1516
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1517 def test_indexing(self):
1518 gn = x509.GeneralNames([
1519 x509.DNSName(u"cryptography.io"),
1520 x509.DNSName(u"crypto.local"),
1521 x509.DNSName(u"another.local"),
1522 x509.RFC822Name(u"email@another.local"),
1523 x509.UniformResourceIdentifier(u"http://another.local"),
1524 ])
1525 assert gn[-1] == gn[4]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame]1526 assert gn[2:6:2] == [gn[2], gn[4]]
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1527
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1528 def test_invalid_general_names(self):
1529 with pytest.raises(TypeError):
1530 x509.GeneralNames(
1531 [x509.DNSName(u"cryptography.io"), "invalid"]
1532 )
1533
1534 def test_repr(self):
1535 gns = x509.GeneralNames(
1536 [
1537 x509.DNSName(u"cryptography.io")
1538 ]
1539 )
1540 assert repr(gns) == (
1541 "<GeneralNames([<DNSName(value=cryptography.io)>])>"
1542 )
1543
1544 def test_eq(self):
1545 gns = x509.GeneralNames(
1546 [x509.DNSName(u"cryptography.io")]
1547 )
1548 gns2 = x509.GeneralNames(
1549 [x509.DNSName(u"cryptography.io")]
1550 )
1551 assert gns == gns2
1552
1553 def test_ne(self):
1554 gns = x509.GeneralNames(
1555 [x509.DNSName(u"cryptography.io")]
1556 )
1557 gns2 = x509.GeneralNames(
1558 [x509.RFC822Name(u"admin@cryptography.io")]
1559 )
1560 assert gns != gns2
1561 assert gns != object()
1562
1563
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1564class TestIssuerAlternativeName(object):
1565 def test_get_values_for_type(self):
1566 san = x509.IssuerAlternativeName(
1567 [x509.DNSName(u"cryptography.io")]
1568 )
1569 names = san.get_values_for_type(x509.DNSName)
1570 assert names == [u"cryptography.io"]
1571
1572 def test_iter_names(self):
1573 san = x509.IssuerAlternativeName([
1574 x509.DNSName(u"cryptography.io"),
1575 x509.DNSName(u"crypto.local"),
1576 ])
1577 assert len(san) == 2
1578 assert list(san) == [
1579 x509.DNSName(u"cryptography.io"),
1580 x509.DNSName(u"crypto.local"),
1581 ]
1582
Paul Kehrer5c999d32015-12-26 17:45:20 -0600[diff] [blame]1583 def test_indexing(self):
1584 ian = x509.IssuerAlternativeName([
1585 x509.DNSName(u"cryptography.io"),
1586 x509.DNSName(u"crypto.local"),
1587 x509.DNSName(u"another.local"),
1588 x509.RFC822Name(u"email@another.local"),
1589 x509.UniformResourceIdentifier(u"http://another.local"),
1590 ])
1591 assert ian[-1] == ian[4]
1592 assert ian[2:6:2] == [ian[2], ian[4]]
1593
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1594 def test_invalid_general_names(self):
1595 with pytest.raises(TypeError):
1596 x509.IssuerAlternativeName(
1597 [x509.DNSName(u"cryptography.io"), "invalid"]
1598 )
1599
1600 def test_repr(self):
1601 san = x509.IssuerAlternativeName(
1602 [
1603 x509.DNSName(u"cryptography.io")
1604 ]
1605 )
1606 assert repr(san) == (
1607 "<IssuerAlternativeName("
1608 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
1609 )
1610
1611 def test_eq(self):
1612 san = x509.IssuerAlternativeName(
1613 [x509.DNSName(u"cryptography.io")]
1614 )
1615 san2 = x509.IssuerAlternativeName(
1616 [x509.DNSName(u"cryptography.io")]
1617 )
1618 assert san == san2
1619
1620 def test_ne(self):
1621 san = x509.IssuerAlternativeName(
1622 [x509.DNSName(u"cryptography.io")]
1623 )
1624 san2 = x509.IssuerAlternativeName(
1625 [x509.RFC822Name(u"admin@cryptography.io")]
1626 )
1627 assert san != san2
1628 assert san != object()
1629
1630
Alex Gaynorf1c17672015-06-20 14:20:20 -0400[diff] [blame]1631@pytest.mark.requires_backend_interface(interface=RSABackend)
1632@pytest.mark.requires_backend_interface(interface=X509Backend)
1633class TestRSAIssuerAlternativeNameExtension(object):
1634 def test_uri(self, backend):
1635 cert = _load_cert(
1636 os.path.join("x509", "custom", "ian_uri.pem"),
1637 x509.load_pem_x509_certificate,
1638 backend,
1639 )
1640 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1641 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Alex Gaynorf1c17672015-06-20 14:20:20 -0400[diff] [blame]1642 )
1643 assert list(ext.value) == [
1644 x509.UniformResourceIdentifier(u"http://path.to.root/root.crt"),
1645 ]
1646
1647
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]1648class TestCRLNumber(object):
1649 def test_eq(self):
1650 crl_number = x509.CRLNumber(15)
1651 assert crl_number == x509.CRLNumber(15)
1652
1653 def test_ne(self):
1654 crl_number = x509.CRLNumber(15)
1655 assert crl_number != x509.CRLNumber(14)
1656 assert crl_number != object()
1657
1658 def test_repr(self):
1659 crl_number = x509.CRLNumber(15)
1660 assert repr(crl_number) == "<CRLNumber(15)>"
1661
Paul Kehrera9718fc2015-12-22 22:55:35 -0600[diff] [blame]1662 def test_invalid_number(self):
1663 with pytest.raises(TypeError):
1664 x509.CRLNumber("notanumber")
1665
Alex Gaynorf9a77b62015-12-26 12:14:25 -0500[diff] [blame]1666 def test_hash(self):
1667 c1 = x509.CRLNumber(1)
1668 c2 = x509.CRLNumber(1)
1669 c3 = x509.CRLNumber(2)
1670 assert hash(c1) == hash(c2)
1671 assert hash(c1) != hash(c3)
1672
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]1673
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1674class TestSubjectAlternativeName(object):
1675 def test_get_values_for_type(self):
1676 san = x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1677 [x509.DNSName(u"cryptography.io")]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1678 )
1679 names = san.get_values_for_type(x509.DNSName)
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1680 assert names == [u"cryptography.io"]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1681
1682 def test_iter_names(self):
1683 san = x509.SubjectAlternativeName([
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1684 x509.DNSName(u"cryptography.io"),
1685 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1686 ])
1687 assert len(san) == 2
1688 assert list(san) == [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1689 x509.DNSName(u"cryptography.io"),
1690 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1691 ]
1692
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1693 def test_indexing(self):
1694 san = x509.SubjectAlternativeName([
1695 x509.DNSName(u"cryptography.io"),
1696 x509.DNSName(u"crypto.local"),
1697 x509.DNSName(u"another.local"),
1698 x509.RFC822Name(u"email@another.local"),
1699 x509.UniformResourceIdentifier(u"http://another.local"),
1700 ])
1701 assert san[-1] == san[4]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame]1702 assert san[2:6:2] == [san[2], san[4]]
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1703
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1704 def test_invalid_general_names(self):
1705 with pytest.raises(TypeError):
1706 x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1707 [x509.DNSName(u"cryptography.io"), "invalid"]
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1708 )
1709
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1710 def test_repr(self):
1711 san = x509.SubjectAlternativeName(
1712 [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1713 x509.DNSName(u"cryptography.io")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1714 ]
1715 )
1716 assert repr(san) == (
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1717 "<SubjectAlternativeName("
1718 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1719 )
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1720
Paul Kehrer58cc3972015-05-13 10:00:41 -0500[diff] [blame]1721 def test_eq(self):
1722 san = x509.SubjectAlternativeName(
1723 [x509.DNSName(u"cryptography.io")]
1724 )
1725 san2 = x509.SubjectAlternativeName(
1726 [x509.DNSName(u"cryptography.io")]
1727 )
1728 assert san == san2
1729
1730 def test_ne(self):
1731 san = x509.SubjectAlternativeName(
1732 [x509.DNSName(u"cryptography.io")]
1733 )
1734 san2 = x509.SubjectAlternativeName(
1735 [x509.RFC822Name(u"admin@cryptography.io")]
1736 )
1737 assert san != san2
1738 assert san != object()
1739
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1740
1741@pytest.mark.requires_backend_interface(interface=RSABackend)
1742@pytest.mark.requires_backend_interface(interface=X509Backend)
1743class TestRSASubjectAlternativeNameExtension(object):
1744 def test_dns_name(self, backend):
1745 cert = _load_cert(
1746 os.path.join("x509", "cryptography.io.pem"),
1747 x509.load_pem_x509_certificate,
1748 backend
1749 )
1750 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1751 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1752 )
1753 assert ext is not None
1754 assert ext.critical is False
1755
1756 san = ext.value
1757
1758 dns = san.get_values_for_type(x509.DNSName)
1759 assert dns == [u"www.cryptography.io", u"cryptography.io"]
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1760
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1761 def test_wildcard_dns_name(self, backend):
1762 cert = _load_cert(
1763 os.path.join("x509", "wildcard_san.pem"),
1764 x509.load_pem_x509_certificate,
1765 backend
1766 )
1767 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1768 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1769 )
1770
1771 dns = ext.value.get_values_for_type(x509.DNSName)
1772 assert dns == [
1773 u'*.langui.sh',
1774 u'langui.sh',
1775 u'*.saseliminator.com',
1776 u'saseliminator.com'
1777 ]
1778
Dominic Chen87bb9572015-10-09 00:23:07 -0400[diff] [blame]1779 def test_san_empty_hostname(self, backend):
1780 cert = _load_cert(
1781 os.path.join(
1782 "x509", "custom", "san_empty_hostname.pem"
1783 ),
1784 x509.load_pem_x509_certificate,
1785 backend
1786 )
1787 san = cert.extensions.get_extension_for_oid(
1788 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
1789 )
1790
1791 dns = san.value.get_values_for_type(x509.DNSName)
1792 assert dns == [u'']
1793
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1794 def test_san_wildcard_idna_dns_name(self, backend):
1795 cert = _load_cert(
1796 os.path.join("x509", "custom", "san_wildcard_idna.pem"),
1797 x509.load_pem_x509_certificate,
1798 backend
1799 )
1800 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1801 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1802 )
1803
1804 dns = ext.value.get_values_for_type(x509.DNSName)
1805 assert dns == [u'*.\u043f\u044b\u043a\u0430.cryptography']
1806
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1807 def test_unsupported_gn(self, backend):
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1808 cert = _load_cert(
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1809 os.path.join("x509", "san_x400address.der"),
1810 x509.load_der_x509_certificate,
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1811 backend
1812 )
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1813 with pytest.raises(x509.UnsupportedGeneralNameType) as exc:
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1814 cert.extensions
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1815
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1816 assert exc.value.type == 3
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1817
1818 def test_registered_id(self, backend):
1819 cert = _load_cert(
1820 os.path.join(
1821 "x509", "custom", "san_registered_id.pem"
1822 ),
1823 x509.load_pem_x509_certificate,
1824 backend
1825 )
1826 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1827 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1828 )
1829 assert ext is not None
1830 assert ext.critical is False
1831
1832 san = ext.value
1833 rid = san.get_values_for_type(x509.RegisteredID)
1834 assert rid == [x509.ObjectIdentifier("1.2.3.4")]
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1835
1836 def test_uri(self, backend):
1837 cert = _load_cert(
1838 os.path.join(
1839 "x509", "custom", "san_uri_with_port.pem"
1840 ),
1841 x509.load_pem_x509_certificate,
1842 backend
1843 )
1844 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1845 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1846 )
1847 assert ext is not None
1848 uri = ext.value.get_values_for_type(
1849 x509.UniformResourceIdentifier
1850 )
1851 assert uri == [
1852 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/path?q=s#hel"
1853 u"lo",
1854 u"http://someregulardomain.com",
1855 ]
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1856
1857 def test_ipaddress(self, backend):
1858 cert = _load_cert(
1859 os.path.join(
1860 "x509", "custom", "san_ipaddr.pem"
1861 ),
1862 x509.load_pem_x509_certificate,
1863 backend
1864 )
1865 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1866 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1867 )
1868 assert ext is not None
1869 assert ext.critical is False
1870
1871 san = ext.value
1872
1873 ip = san.get_values_for_type(x509.IPAddress)
1874 assert [
1875 ipaddress.ip_address(u"127.0.0.1"),
1876 ipaddress.ip_address(u"ff::")
1877 ] == ip
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1878
1879 def test_dirname(self, backend):
1880 cert = _load_cert(
1881 os.path.join(
1882 "x509", "custom", "san_dirname.pem"
1883 ),
1884 x509.load_pem_x509_certificate,
1885 backend
1886 )
1887 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1888 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1889 )
1890 assert ext is not None
1891 assert ext.critical is False
1892
1893 san = ext.value
1894
1895 dirname = san.get_values_for_type(x509.DirectoryName)
1896 assert [
1897 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1898 x509.NameAttribute(NameOID.COMMON_NAME, u'test'),
1899 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org'),
1900 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1901 ])
1902 ] == dirname
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1903
1904 def test_rfc822name(self, backend):
1905 cert = _load_cert(
1906 os.path.join(
1907 "x509", "custom", "san_rfc822_idna.pem"
1908 ),
1909 x509.load_pem_x509_certificate,
1910 backend
1911 )
1912 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1913 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1914 )
1915 assert ext is not None
1916 assert ext.critical is False
1917
1918 san = ext.value
1919
1920 rfc822name = san.get_values_for_type(x509.RFC822Name)
1921 assert [u"email@em\xe5\xefl.com"] == rfc822name
1922
Paul Kehrerb8968812015-05-15 09:01:34 -0700[diff] [blame]1923 def test_idna2003_invalid(self, backend):
1924 cert = _load_cert(
1925 os.path.join(
1926 "x509", "custom", "san_idna2003_dnsname.pem"
1927 ),
1928 x509.load_pem_x509_certificate,
1929 backend
1930 )
1931 with pytest.raises(UnicodeError):
1932 cert.extensions
1933
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1934 def test_unicode_rfc822_name_dns_name_uri(self, backend):
1935 cert = _load_cert(
1936 os.path.join(
1937 "x509", "custom", "san_idna_names.pem"
1938 ),
1939 x509.load_pem_x509_certificate,
1940 backend
1941 )
1942 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1943 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1944 )
1945 assert ext is not None
1946 rfc822_name = ext.value.get_values_for_type(x509.RFC822Name)
1947 dns_name = ext.value.get_values_for_type(x509.DNSName)
1948 uri = ext.value.get_values_for_type(x509.UniformResourceIdentifier)
1949 assert rfc822_name == [u"email@\u043f\u044b\u043a\u0430.cryptography"]
1950 assert dns_name == [u"\u043f\u044b\u043a\u0430.cryptography"]
1951 assert uri == [u"https://www.\u043f\u044b\u043a\u0430.cryptography"]
1952
1953 def test_rfc822name_dnsname_ipaddress_directoryname_uri(self, backend):
1954 cert = _load_cert(
1955 os.path.join(
1956 "x509", "custom", "san_email_dns_ip_dirname_uri.pem"
1957 ),
1958 x509.load_pem_x509_certificate,
1959 backend
1960 )
1961 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1962 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1963 )
1964 assert ext is not None
1965 assert ext.critical is False
1966
1967 san = ext.value
1968
1969 rfc822_name = san.get_values_for_type(x509.RFC822Name)
1970 uri = san.get_values_for_type(x509.UniformResourceIdentifier)
1971 dns = san.get_values_for_type(x509.DNSName)
1972 ip = san.get_values_for_type(x509.IPAddress)
1973 dirname = san.get_values_for_type(x509.DirectoryName)
1974 assert [u"user@cryptography.io"] == rfc822_name
Paul Kehrere3a330c2015-05-02 16:42:52 -0500[diff] [blame]1975 assert [u"https://cryptography.io"] == uri
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1976 assert [u"cryptography.io"] == dns
1977 assert [
1978 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1979 x509.NameAttribute(NameOID.COMMON_NAME, u'dirCN'),
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1980 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1981 NameOID.ORGANIZATION_NAME, u'Cryptographic Authority'
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1982 ),
1983 ])
1984 ] == dirname
1985 assert [
1986 ipaddress.ip_address(u"127.0.0.1"),
1987 ipaddress.ip_address(u"ff::")
1988 ] == ip
1989
1990 def test_invalid_rfc822name(self, backend):
1991 cert = _load_cert(
1992 os.path.join(
1993 "x509", "custom", "san_rfc822_names.pem"
1994 ),
1995 x509.load_pem_x509_certificate,
1996 backend
1997 )
1998 with pytest.raises(ValueError) as exc:
1999 cert.extensions
2000
2001 assert 'Invalid rfc822name value' in str(exc.value)
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]2002
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2003 def test_other_name(self, backend):
2004 cert = _load_cert(
2005 os.path.join(
2006 "x509", "custom", "san_other_name.pem"
2007 ),
2008 x509.load_pem_x509_certificate,
2009 backend
2010 )
2011
2012 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2013 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2014 )
2015 assert ext is not None
2016 assert ext.critical is False
2017
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]2018 expected = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"),
2019 b'\x16\x0bHello World')
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2020 assert len(ext.value) == 1
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]2021 assert list(ext.value)[0] == expected
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2022
2023 othernames = ext.value.get_values_for_type(x509.OtherName)
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]2024 assert othernames == [expected]
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2025
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]2026
2027@pytest.mark.requires_backend_interface(interface=RSABackend)
2028@pytest.mark.requires_backend_interface(interface=X509Backend)
2029class TestExtendedKeyUsageExtension(object):
2030 def test_eku(self, backend):
2031 cert = _load_cert(
2032 os.path.join(
2033 "x509", "custom", "extended_key_usage.pem"
2034 ),
2035 x509.load_pem_x509_certificate,
2036 backend
2037 )
2038 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2039 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]2040 )
2041 assert ext is not None
2042 assert ext.critical is False
2043
2044 assert [
2045 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
2046 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
2047 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.3"),
2048 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.4"),
2049 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.9"),
2050 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.8"),
2051 x509.ObjectIdentifier("2.5.29.37.0"),
2052 x509.ObjectIdentifier("2.16.840.1.113730.4.1"),
2053 ] == list(ext.value)
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2054
2055
2056class TestAccessDescription(object):
2057 def test_invalid_access_method(self):
Nick Bastind06763d2015-12-12 18:32:59 -0800[diff] [blame]2058 with pytest.raises(TypeError):
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2059 x509.AccessDescription("notanoid", x509.DNSName(u"test"))
2060
2061 def test_invalid_access_location(self):
2062 with pytest.raises(TypeError):
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2063 x509.AccessDescription(
2064 AuthorityInformationAccessOID.CA_ISSUERS, "invalid"
2065 )
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2066
Nick Bastind2ecf862015-12-13 05:44:46 -0800[diff] [blame]2067 def test_valid_nonstandard_method(self):
Nick Bastin326fc8e2015-12-12 19:08:12 -0800[diff] [blame]2068 ad = x509.AccessDescription(
2069 ObjectIdentifier("2.999.1"),
2070 x509.UniformResourceIdentifier(u"http://example.com")
2071 )
Nick Bastin11f0f8a2015-12-12 18:54:12 -0800[diff] [blame]2072 assert ad is not None
2073
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2074 def test_repr(self):
2075 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2076 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2077 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2078 )
2079 assert repr(ad) == (
2080 "<AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5."
2081 "5.7.48.1, name=OCSP)>, access_location=<UniformResourceIdentifier"
2082 "(value=http://ocsp.domain.com)>)>"
2083 )
2084
2085 def test_eq(self):
2086 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2087 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2088 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2089 )
2090 ad2 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2091 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2092 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2093 )
2094 assert ad == ad2
2095
2096 def test_ne(self):
2097 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2098 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2099 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2100 )
2101 ad2 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2102 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2103 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2104 )
2105 ad3 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2106 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2107 x509.UniformResourceIdentifier(u"http://notthesame")
2108 )
2109 assert ad != ad2
2110 assert ad != ad3
2111 assert ad != object()
2112
2113
2114class TestAuthorityInformationAccess(object):
2115 def test_invalid_descriptions(self):
2116 with pytest.raises(TypeError):
2117 x509.AuthorityInformationAccess(["notanAccessDescription"])
2118
2119 def test_iter_len(self):
2120 aia = x509.AuthorityInformationAccess([
2121 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2122 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2123 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2124 ),
2125 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2126 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2127 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2128 )
2129 ])
2130 assert len(aia) == 2
2131 assert list(aia) == [
2132 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2133 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2134 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2135 ),
2136 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2137 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2138 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2139 )
2140 ]
2141
2142 def test_repr(self):
2143 aia = x509.AuthorityInformationAccess([
2144 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2145 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2146 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2147 ),
2148 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2149 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2150 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2151 )
2152 ])
2153 assert repr(aia) == (
2154 "<AuthorityInformationAccess([<AccessDescription(access_method=<Ob"
2155 "jectIdentifier(oid=1.3.6.1.5.5.7.48.1, name=OCSP)>, access_locati"
2156 "on=<UniformResourceIdentifier(value=http://ocsp.domain.com)>)>, <"
2157 "AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5.5"
2158 ".7.48.2, name=caIssuers)>, access_location=<UniformResourceIdenti"
2159 "fier(value=http://domain.com/ca.crt)>)>])>"
2160 )
2161
2162 def test_eq(self):
2163 aia = x509.AuthorityInformationAccess([
2164 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2165 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2166 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2167 ),
2168 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2169 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2170 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2171 )
2172 ])
2173 aia2 = x509.AuthorityInformationAccess([
2174 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2175 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2176 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2177 ),
2178 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2179 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2180 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2181 )
2182 ])
2183 assert aia == aia2
2184
2185 def test_ne(self):
2186 aia = x509.AuthorityInformationAccess([
2187 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2188 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2189 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2190 ),
2191 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2192 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2193 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2194 )
2195 ])
2196 aia2 = x509.AuthorityInformationAccess([
2197 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2198 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2199 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2200 ),
2201 ])
2202
2203 assert aia != aia2
2204 assert aia != object()
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2205
2206
2207@pytest.mark.requires_backend_interface(interface=RSABackend)
2208@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2209class TestAuthorityInformationAccessExtension(object):
2210 def test_aia_ocsp_ca_issuers(self, backend):
2211 cert = _load_cert(
2212 os.path.join("x509", "cryptography.io.pem"),
2213 x509.load_pem_x509_certificate,
2214 backend
2215 )
2216 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2217 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2218 )
2219 assert ext is not None
2220 assert ext.critical is False
2221
2222 assert ext.value == x509.AuthorityInformationAccess([
2223 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2224 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2225 x509.UniformResourceIdentifier(u"http://gv.symcd.com")
2226 ),
2227 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2228 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2229 x509.UniformResourceIdentifier(u"http://gv.symcb.com/gv.crt")
2230 ),
2231 ])
2232
2233 def test_aia_multiple_ocsp_ca_issuers(self, backend):
2234 cert = _load_cert(
2235 os.path.join("x509", "custom", "aia_ocsp_ca_issuers.pem"),
2236 x509.load_pem_x509_certificate,
2237 backend
2238 )
2239 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2240 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2241 )
2242 assert ext is not None
2243 assert ext.critical is False
2244
2245 assert ext.value == x509.AuthorityInformationAccess([
2246 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2247 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2248 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2249 ),
2250 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2251 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2252 x509.UniformResourceIdentifier(u"http://ocsp2.domain.com")
2253 ),
2254 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2255 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2256 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2257 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
2258 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2259 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2260 ]))
2261 ),
2262 ])
2263
2264 def test_aia_ocsp_only(self, backend):
2265 cert = _load_cert(
2266 os.path.join("x509", "custom", "aia_ocsp.pem"),
2267 x509.load_pem_x509_certificate,
2268 backend
2269 )
2270 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2271 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2272 )
2273 assert ext is not None
2274 assert ext.critical is False
2275
2276 assert ext.value == x509.AuthorityInformationAccess([
2277 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2278 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2279 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2280 ),
2281 ])
2282
2283 def test_aia_ca_issuers_only(self, backend):
2284 cert = _load_cert(
2285 os.path.join("x509", "custom", "aia_ca_issuers.pem"),
2286 x509.load_pem_x509_certificate,
2287 backend
2288 )
2289 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2290 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2291 )
2292 assert ext is not None
2293 assert ext.critical is False
2294
2295 assert ext.value == x509.AuthorityInformationAccess([
2296 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2297 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2298 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2299 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
2300 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2301 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2302 ]))
2303 ),
2304 ])
2305
2306
2307@pytest.mark.requires_backend_interface(interface=RSABackend)
2308@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2309class TestAuthorityKeyIdentifierExtension(object):
2310 def test_aki_keyid(self, backend):
2311 cert = _load_cert(
2312 os.path.join(
2313 "x509", "cryptography.io.pem"
2314 ),
2315 x509.load_pem_x509_certificate,
2316 backend
2317 )
2318 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2319 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2320 )
2321 assert ext is not None
2322 assert ext.critical is False
2323
2324 assert ext.value.key_identifier == (
2325 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08\xcbY"
2326 )
2327 assert ext.value.authority_cert_issuer is None
2328 assert ext.value.authority_cert_serial_number is None
2329
2330 def test_aki_all_fields(self, backend):
2331 cert = _load_cert(
2332 os.path.join(
2333 "x509", "custom", "authority_key_identifier.pem"
2334 ),
2335 x509.load_pem_x509_certificate,
2336 backend
2337 )
2338 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2339 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2340 )
2341 assert ext is not None
2342 assert ext.critical is False
2343
2344 assert ext.value.key_identifier == (
2345 b"9E>\xca=b\x1d\xea\x86I\xf6Z\xab@\xb7\xa4p\x98\xf1\xec"
2346 )
2347 assert ext.value.authority_cert_issuer == [
2348 x509.DirectoryName(
2349 x509.Name([
2350 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2351 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2352 ),
2353 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2354 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2355 )
2356 ])
2357 )
2358 ]
2359 assert ext.value.authority_cert_serial_number == 3
2360
2361 def test_aki_no_keyid(self, backend):
2362 cert = _load_cert(
2363 os.path.join(
2364 "x509", "custom", "authority_key_identifier_no_keyid.pem"
2365 ),
2366 x509.load_pem_x509_certificate,
2367 backend
2368 )
2369 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2370 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2371 )
2372 assert ext is not None
2373 assert ext.critical is False
2374
2375 assert ext.value.key_identifier is None
2376 assert ext.value.authority_cert_issuer == [
2377 x509.DirectoryName(
2378 x509.Name([
2379 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2380 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2381 ),
2382 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2383 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2384 )
2385 ])
2386 )
2387 ]
2388 assert ext.value.authority_cert_serial_number == 3
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2389
Paul Kehrer253929a2015-08-05 17:30:39 +0100[diff] [blame]2390 def test_from_certificate(self, backend):
2391 issuer_cert = _load_cert(
2392 os.path.join("x509", "rapidssl_sha256_ca_g3.pem"),
2393 x509.load_pem_x509_certificate,
2394 backend
2395 )
2396 cert = _load_cert(
2397 os.path.join("x509", "cryptography.io.pem"),
2398 x509.load_pem_x509_certificate,
2399 backend
2400 )
2401 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2402 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrer253929a2015-08-05 17:30:39 +0100[diff] [blame]2403 )
2404 aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(
2405 issuer_cert.public_key()
2406 )
2407 assert ext.value == aki
2408
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2409
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2410class TestNameConstraints(object):
2411 def test_ipaddress_wrong_type(self):
2412 with pytest.raises(TypeError):
2413 x509.NameConstraints(
2414 permitted_subtrees=[
2415 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2416 ],
2417 excluded_subtrees=None
2418 )
2419
2420 with pytest.raises(TypeError):
2421 x509.NameConstraints(
2422 permitted_subtrees=None,
2423 excluded_subtrees=[
2424 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2425 ]
2426 )
2427
2428 def test_ipaddress_allowed_type(self):
2429 permitted = [x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29"))]
2430 excluded = [x509.IPAddress(ipaddress.IPv4Network(u"10.10.0.0/24"))]
2431 nc = x509.NameConstraints(
2432 permitted_subtrees=permitted,
2433 excluded_subtrees=excluded
2434 )
2435 assert nc.permitted_subtrees == permitted
2436 assert nc.excluded_subtrees == excluded
2437
2438 def test_invalid_permitted_subtrees(self):
2439 with pytest.raises(TypeError):
2440 x509.NameConstraints("badpermitted", None)
2441
2442 def test_invalid_excluded_subtrees(self):
2443 with pytest.raises(TypeError):
2444 x509.NameConstraints(None, "badexcluded")
2445
2446 def test_no_subtrees(self):
2447 with pytest.raises(ValueError):
2448 x509.NameConstraints(None, None)
2449
2450 def test_permitted_none(self):
2451 excluded = [x509.DNSName(u"name.local")]
2452 nc = x509.NameConstraints(
2453 permitted_subtrees=None, excluded_subtrees=excluded
2454 )
2455 assert nc.permitted_subtrees is None
2456 assert nc.excluded_subtrees is not None
2457
2458 def test_excluded_none(self):
2459 permitted = [x509.DNSName(u"name.local")]
2460 nc = x509.NameConstraints(
2461 permitted_subtrees=permitted, excluded_subtrees=None
2462 )
2463 assert nc.permitted_subtrees is not None
2464 assert nc.excluded_subtrees is None
2465
2466 def test_repr(self):
2467 permitted = [x509.DNSName(u"name.local"), x509.DNSName(u"name2.local")]
2468 nc = x509.NameConstraints(
2469 permitted_subtrees=permitted,
2470 excluded_subtrees=None
2471 )
2472 assert repr(nc) == (
2473 "<NameConstraints(permitted_subtrees=[<DNSName(value=name.local)>"
2474 ", <DNSName(value=name2.local)>], excluded_subtrees=None)>"
2475 )
2476
Paul Kehrer31894282015-06-21 21:46:41 -0500[diff] [blame]2477 def test_eq(self):
2478 nc = x509.NameConstraints(
2479 permitted_subtrees=[x509.DNSName(u"name.local")],
2480 excluded_subtrees=[x509.DNSName(u"name2.local")]
2481 )
2482 nc2 = x509.NameConstraints(
2483 permitted_subtrees=[x509.DNSName(u"name.local")],
2484 excluded_subtrees=[x509.DNSName(u"name2.local")]
2485 )
2486 assert nc == nc2
2487
2488 def test_ne(self):
2489 nc = x509.NameConstraints(
2490 permitted_subtrees=[x509.DNSName(u"name.local")],
2491 excluded_subtrees=[x509.DNSName(u"name2.local")]
2492 )
2493 nc2 = x509.NameConstraints(
2494 permitted_subtrees=[x509.DNSName(u"name.local")],
2495 excluded_subtrees=None
2496 )
2497 nc3 = x509.NameConstraints(
2498 permitted_subtrees=None,
2499 excluded_subtrees=[x509.DNSName(u"name2.local")]
2500 )
2501
2502 assert nc != nc2
2503 assert nc != nc3
2504 assert nc != object()
2505
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2506
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2507@pytest.mark.requires_backend_interface(interface=RSABackend)
2508@pytest.mark.requires_backend_interface(interface=X509Backend)
2509class TestNameConstraintsExtension(object):
2510 def test_permitted_excluded(self, backend):
2511 cert = _load_cert(
2512 os.path.join(
2513 "x509", "custom", "nc_permitted_excluded_2.pem"
2514 ),
2515 x509.load_pem_x509_certificate,
2516 backend
2517 )
2518 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2519 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2520 ).value
2521 assert nc == x509.NameConstraints(
2522 permitted_subtrees=[
2523 x509.DNSName(u"zombo.local"),
2524 ],
2525 excluded_subtrees=[
2526 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2527 x509.NameAttribute(NameOID.COMMON_NAME, u"zombo")
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2528 ]))
2529 ]
2530 )
2531
2532 def test_permitted(self, backend):
2533 cert = _load_cert(
2534 os.path.join(
2535 "x509", "custom", "nc_permitted_2.pem"
2536 ),
2537 x509.load_pem_x509_certificate,
2538 backend
2539 )
2540 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2541 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2542 ).value
2543 assert nc == x509.NameConstraints(
2544 permitted_subtrees=[
2545 x509.DNSName(u"zombo.local"),
2546 ],
2547 excluded_subtrees=None
2548 )
2549
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2550 def test_permitted_with_leading_period(self, backend):
2551 cert = _load_cert(
2552 os.path.join(
2553 "x509", "custom", "nc_permitted.pem"
2554 ),
2555 x509.load_pem_x509_certificate,
2556 backend
2557 )
2558 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2559 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2560 ).value
2561 assert nc == x509.NameConstraints(
2562 permitted_subtrees=[
2563 x509.DNSName(u".cryptography.io"),
2564 x509.UniformResourceIdentifier(u"ftp://cryptography.test")
2565 ],
2566 excluded_subtrees=None
2567 )
2568
2569 def test_excluded_with_leading_period(self, backend):
2570 cert = _load_cert(
2571 os.path.join(
2572 "x509", "custom", "nc_excluded.pem"
2573 ),
2574 x509.load_pem_x509_certificate,
2575 backend
2576 )
2577 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2578 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2579 ).value
2580 assert nc == x509.NameConstraints(
2581 permitted_subtrees=None,
2582 excluded_subtrees=[
2583 x509.DNSName(u".cryptography.io"),
2584 x509.UniformResourceIdentifier(u"gopher://cryptography.test")
2585 ]
2586 )
2587
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2588 def test_permitted_excluded_with_ips(self, backend):
2589 cert = _load_cert(
2590 os.path.join(
2591 "x509", "custom", "nc_permitted_excluded.pem"
2592 ),
2593 x509.load_pem_x509_certificate,
2594 backend
2595 )
2596 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2597 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2598 ).value
2599 assert nc == x509.NameConstraints(
2600 permitted_subtrees=[
2601 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")),
2602 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")),
2603 ],
2604 excluded_subtrees=[
2605 x509.DNSName(u".domain.com"),
2606 x509.UniformResourceIdentifier(u"http://test.local"),
2607 ]
2608 )
2609
Paul Kehrera72ebaf2015-07-01 21:07:37 -0500[diff] [blame]2610 def test_single_ip_netmask(self, backend):
2611 cert = _load_cert(
2612 os.path.join(
2613 "x509", "custom", "nc_single_ip_netmask.pem"
2614 ),
2615 x509.load_pem_x509_certificate,
2616 backend
2617 )
2618 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2619 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrera72ebaf2015-07-01 21:07:37 -0500[diff] [blame]2620 ).value
2621 assert nc == x509.NameConstraints(
2622 permitted_subtrees=[
2623 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/128")),
2624 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.1/32")),
2625 ],
2626 excluded_subtrees=None
2627 )
2628
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2629 def test_invalid_netmask(self, backend):
2630 cert = _load_cert(
2631 os.path.join(
2632 "x509", "custom", "nc_invalid_ip_netmask.pem"
2633 ),
2634 x509.load_pem_x509_certificate,
2635 backend
2636 )
2637 with pytest.raises(ValueError):
2638 cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2639 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2640 )
2641
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2642
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2643class TestDistributionPoint(object):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2644 def test_distribution_point_full_name_not_general_names(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2645 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2646 x509.DistributionPoint(["notgn"], None, None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2647
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2648 def test_distribution_point_relative_name_not_name(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2649 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2650 x509.DistributionPoint(None, "notname", None, None)
2651
2652 def test_distribution_point_full_and_relative_not_none(self):
2653 with pytest.raises(ValueError):
2654 x509.DistributionPoint("data", "notname", None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2655
2656 def test_crl_issuer_not_general_names(self):
2657 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2658 x509.DistributionPoint(None, None, None, ["notgn"])
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2659
2660 def test_reason_not_reasonflags(self):
2661 with pytest.raises(TypeError):
2662 x509.DistributionPoint(
2663 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2664 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2665 frozenset(["notreasonflags"]),
2666 None
2667 )
2668
2669 def test_reason_not_frozenset(self):
2670 with pytest.raises(TypeError):
2671 x509.DistributionPoint(
2672 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2673 None,
2674 [x509.ReasonFlags.ca_compromise],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2675 None
2676 )
2677
2678 def test_disallowed_reasons(self):
2679 with pytest.raises(ValueError):
2680 x509.DistributionPoint(
2681 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2682 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2683 frozenset([x509.ReasonFlags.unspecified]),
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2684 None
2685 )
2686
2687 with pytest.raises(ValueError):
2688 x509.DistributionPoint(
2689 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2690 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2691 frozenset([x509.ReasonFlags.remove_from_crl]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2692 None
2693 )
2694
2695 def test_reason_only(self):
2696 with pytest.raises(ValueError):
2697 x509.DistributionPoint(
2698 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2699 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2700 frozenset([x509.ReasonFlags.aa_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2701 None
2702 )
2703
2704 def test_eq(self):
2705 dp = x509.DistributionPoint(
2706 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2707 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2708 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2709 [
2710 x509.DirectoryName(
2711 x509.Name([
2712 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2713 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2714 )
2715 ])
2716 )
2717 ],
2718 )
2719 dp2 = x509.DistributionPoint(
2720 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2721 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2722 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2723 [
2724 x509.DirectoryName(
2725 x509.Name([
2726 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2727 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2728 )
2729 ])
2730 )
2731 ],
2732 )
2733 assert dp == dp2
2734
2735 def test_ne(self):
2736 dp = x509.DistributionPoint(
2737 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2738 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2739 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2740 [
2741 x509.DirectoryName(
2742 x509.Name([
2743 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2744 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2745 )
2746 ])
2747 )
2748 ],
2749 )
2750 dp2 = x509.DistributionPoint(
2751 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2752 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2753 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2754 None
2755 )
2756 assert dp != dp2
2757 assert dp != object()
2758
2759 def test_repr(self):
2760 dp = x509.DistributionPoint(
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2761 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2762 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2763 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN")
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2764 ]),
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2765 frozenset([x509.ReasonFlags.ca_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2766 [
2767 x509.DirectoryName(
2768 x509.Name([
2769 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2770 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2771 )
2772 ])
2773 )
2774 ],
2775 )
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2776 if six.PY3:
2777 assert repr(dp) == (
2778 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2779 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]2780 ">, value='myCN')>])>, reasons=frozenset({<ReasonFlags.ca_comp"
2781 "romise: 'cACompromise'>}), crl_issuer=[<DirectoryName(value=<"
2782 "Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name="
2783 "commonName)>, value='Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2784 )
2785 else:
2786 assert repr(dp) == (
2787 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2788 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2789 ">, value=u'myCN')>])>, reasons=frozenset([<ReasonFlags.ca_com"
2790 "promise: 'cACompromise'>]), crl_issuer=[<DirectoryName(value="
2791 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
2792 "=commonName)>, value=u'Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2793 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2794
2795
2796class TestCRLDistributionPoints(object):
2797 def test_invalid_distribution_points(self):
2798 with pytest.raises(TypeError):
2799 x509.CRLDistributionPoints(["notadistributionpoint"])
2800
2801 def test_iter_len(self):
2802 cdp = x509.CRLDistributionPoints([
2803 x509.DistributionPoint(
2804 [x509.UniformResourceIdentifier(u"http://domain")],
2805 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2806 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2807 None
2808 ),
2809 x509.DistributionPoint(
2810 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2811 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2812 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2813 x509.ReasonFlags.key_compromise,
2814 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2815 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2816 None
2817 ),
2818 ])
2819 assert len(cdp) == 2
2820 assert list(cdp) == [
2821 x509.DistributionPoint(
2822 [x509.UniformResourceIdentifier(u"http://domain")],
2823 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2824 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2825 None
2826 ),
2827 x509.DistributionPoint(
2828 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2829 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2830 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2831 x509.ReasonFlags.key_compromise,
2832 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2833 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2834 None
2835 ),
2836 ]
2837
2838 def test_repr(self):
2839 cdp = x509.CRLDistributionPoints([
2840 x509.DistributionPoint(
2841 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2842 None,
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2843 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2844 None
2845 ),
2846 ])
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2847 if six.PY3:
2848 assert repr(cdp) == (
2849 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2850 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2851 "ne, reasons=frozenset({<ReasonFlags.key_compromise: 'keyComp"
2852 "romise'>}), crl_issuer=None)>])>"
2853 )
2854 else:
2855 assert repr(cdp) == (
2856 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2857 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2858 "ne, reasons=frozenset([<ReasonFlags.key_compromise: 'keyComp"
2859 "romise'>]), crl_issuer=None)>])>"
2860 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2861
2862 def test_eq(self):
2863 cdp = x509.CRLDistributionPoints([
2864 x509.DistributionPoint(
2865 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2866 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2867 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2868 x509.ReasonFlags.key_compromise,
2869 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2870 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2871 [x509.UniformResourceIdentifier(u"uri://thing")],
2872 ),
2873 ])
2874 cdp2 = x509.CRLDistributionPoints([
2875 x509.DistributionPoint(
2876 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2877 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2878 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2879 x509.ReasonFlags.key_compromise,
2880 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2881 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2882 [x509.UniformResourceIdentifier(u"uri://thing")],
2883 ),
2884 ])
2885 assert cdp == cdp2
2886
2887 def test_ne(self):
2888 cdp = x509.CRLDistributionPoints([
2889 x509.DistributionPoint(
2890 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2891 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2892 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2893 x509.ReasonFlags.key_compromise,
2894 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2895 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2896 [x509.UniformResourceIdentifier(u"uri://thing")],
2897 ),
2898 ])
2899 cdp2 = x509.CRLDistributionPoints([
2900 x509.DistributionPoint(
2901 [x509.UniformResourceIdentifier(u"ftp://domain2")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2902 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2903 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2904 x509.ReasonFlags.key_compromise,
2905 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2906 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2907 [x509.UniformResourceIdentifier(u"uri://thing")],
2908 ),
2909 ])
2910 cdp3 = x509.CRLDistributionPoints([
2911 x509.DistributionPoint(
2912 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2913 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2914 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2915 [x509.UniformResourceIdentifier(u"uri://thing")],
2916 ),
2917 ])
2918 cdp4 = x509.CRLDistributionPoints([
2919 x509.DistributionPoint(
2920 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2921 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2922 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2923 x509.ReasonFlags.key_compromise,
2924 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2925 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2926 [x509.UniformResourceIdentifier(u"uri://thing2")],
2927 ),
2928 ])
2929 assert cdp != cdp2
2930 assert cdp != cdp3
2931 assert cdp != cdp4
2932 assert cdp != object()
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2933
2934
2935@pytest.mark.requires_backend_interface(interface=RSABackend)
2936@pytest.mark.requires_backend_interface(interface=X509Backend)
2937class TestCRLDistributionPointsExtension(object):
2938 def test_fullname_and_crl_issuer(self, backend):
2939 cert = _load_cert(
2940 os.path.join(
2941 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest28EE.crt"
2942 ),
2943 x509.load_der_x509_certificate,
2944 backend
2945 )
2946
2947 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2948 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2949 ).value
2950
2951 assert cdps == x509.CRLDistributionPoints([
2952 x509.DistributionPoint(
2953 full_name=[x509.DirectoryName(
2954 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2955 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2956 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2957 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2958 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2959 ),
2960 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2961 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2962 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2963 ),
2964 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2965 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2966 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2967 ),
2968 ])
2969 )],
2970 relative_name=None,
2971 reasons=None,
2972 crl_issuer=[x509.DirectoryName(
2973 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2974 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2975 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2976 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2977 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2978 ),
2979 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2980 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2981 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2982 ),
2983 ])
2984 )],
2985 )
2986 ])
2987
2988 def test_relativename_and_crl_issuer(self, backend):
2989 cert = _load_cert(
2990 os.path.join(
2991 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest29EE.crt"
2992 ),
2993 x509.load_der_x509_certificate,
2994 backend
2995 )
2996
2997 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2998 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2999 ).value
3000
3001 assert cdps == x509.CRLDistributionPoints([
3002 x509.DistributionPoint(
3003 full_name=None,
3004 relative_name=x509.Name([
3005 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3006 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3007 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3008 ),
3009 ]),
3010 reasons=None,
3011 crl_issuer=[x509.DirectoryName(
3012 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3013 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3014 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3015 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3016 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3017 ),
3018 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3019 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3020 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3021 ),
3022 ])
3023 )],
3024 )
3025 ])
3026
3027 def test_fullname_crl_issuer_reasons(self, backend):
3028 cert = _load_cert(
3029 os.path.join(
3030 "x509", "custom", "cdp_fullname_reasons_crl_issuer.pem"
3031 ),
3032 x509.load_pem_x509_certificate,
3033 backend
3034 )
3035
3036 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3037 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3038 ).value
3039
3040 assert cdps == x509.CRLDistributionPoints([
3041 x509.DistributionPoint(
3042 full_name=[x509.UniformResourceIdentifier(
3043 u"http://myhost.com/myca.crl"
3044 )],
3045 relative_name=None,
3046 reasons=frozenset([
3047 x509.ReasonFlags.key_compromise,
3048 x509.ReasonFlags.ca_compromise
3049 ]),
3050 crl_issuer=[x509.DirectoryName(
3051 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3052 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3053 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3054 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3055 ),
3056 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3057 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3058 ),
3059 ])
3060 )],
3061 )
3062 ])
3063
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3064 def test_all_reasons(self, backend):
3065 cert = _load_cert(
3066 os.path.join(
3067 "x509", "custom", "cdp_all_reasons.pem"
3068 ),
3069 x509.load_pem_x509_certificate,
3070 backend
3071 )
3072
3073 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3074 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3075 ).value
3076
3077 assert cdps == x509.CRLDistributionPoints([
3078 x509.DistributionPoint(
3079 full_name=[x509.UniformResourceIdentifier(
3080 u"http://domain.com/some.crl"
3081 )],
3082 relative_name=None,
3083 reasons=frozenset([
3084 x509.ReasonFlags.key_compromise,
3085 x509.ReasonFlags.ca_compromise,
3086 x509.ReasonFlags.affiliation_changed,
3087 x509.ReasonFlags.superseded,
3088 x509.ReasonFlags.privilege_withdrawn,
3089 x509.ReasonFlags.cessation_of_operation,
3090 x509.ReasonFlags.aa_compromise,
3091 x509.ReasonFlags.certificate_hold,
3092 ]),
3093 crl_issuer=None
3094 )
3095 ])
3096
3097 def test_single_reason(self, backend):
3098 cert = _load_cert(
3099 os.path.join(
3100 "x509", "custom", "cdp_reason_aa_compromise.pem"
3101 ),
3102 x509.load_pem_x509_certificate,
3103 backend
3104 )
3105
3106 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3107 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3108 ).value
3109
3110 assert cdps == x509.CRLDistributionPoints([
3111 x509.DistributionPoint(
3112 full_name=[x509.UniformResourceIdentifier(
3113 u"http://domain.com/some.crl"
3114 )],
3115 relative_name=None,
3116 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
3117 crl_issuer=None
3118 )
3119 ])
3120
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3121 def test_crl_issuer_only(self, backend):
3122 cert = _load_cert(
3123 os.path.join(
3124 "x509", "custom", "cdp_crl_issuer.pem"
3125 ),
3126 x509.load_pem_x509_certificate,
3127 backend
3128 )
3129
3130 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3131 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3132 ).value
3133
3134 assert cdps == x509.CRLDistributionPoints([
3135 x509.DistributionPoint(
3136 full_name=None,
3137 relative_name=None,
3138 reasons=None,
3139 crl_issuer=[x509.DirectoryName(
3140 x509.Name([
3141 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3142 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3143 ),
3144 ])
3145 )],
3146 )
3147 ])
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3148
Dominic Chen87bb9572015-10-09 00:23:07 -0400[diff] [blame]3149 def test_crl_empty_hostname(self, backend):
3150 cert = _load_cert(
3151 os.path.join(
3152 "x509", "custom", "cdp_empty_hostname.pem"
3153 ),
3154 x509.load_pem_x509_certificate,
3155 backend
3156 )
3157
3158 cdps = cert.extensions.get_extension_for_oid(
3159 ExtensionOID.CRL_DISTRIBUTION_POINTS
3160 ).value
3161
3162 assert cdps == x509.CRLDistributionPoints([
3163 x509.DistributionPoint(
3164 full_name=[x509.UniformResourceIdentifier(
3165 u"ldap:/CN=A,OU=B,dc=C,DC=D?E?F?G?H=I"
3166 )],
3167 relative_name=None,
3168 reasons=None,
3169 crl_issuer=None
3170 )
3171 ])
3172
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3173
Paul Kehrerf54a50b2015-06-17 18:31:26 -0600[diff] [blame]3174@pytest.mark.requires_backend_interface(interface=RSABackend)
3175@pytest.mark.requires_backend_interface(interface=X509Backend)
3176class TestOCSPNoCheckExtension(object):
3177 def test_nocheck(self, backend):
3178 cert = _load_cert(
3179 os.path.join(
3180 "x509", "custom", "ocsp_nocheck.pem"
3181 ),
3182 x509.load_pem_x509_certificate,
3183 backend
3184 )
3185 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3186 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf54a50b2015-06-17 18:31:26 -0600[diff] [blame]3187 )
3188 assert isinstance(ext.value, x509.OCSPNoCheck)
3189
3190
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3191class TestInhibitAnyPolicy(object):
3192 def test_not_int(self):
3193 with pytest.raises(TypeError):
3194 x509.InhibitAnyPolicy("notint")
3195
3196 def test_negative_int(self):
3197 with pytest.raises(ValueError):
3198 x509.InhibitAnyPolicy(-1)
3199
3200 def test_repr(self):
3201 iap = x509.InhibitAnyPolicy(0)
3202 assert repr(iap) == "<InhibitAnyPolicy(skip_certs=0)>"
3203
3204 def test_eq(self):
3205 iap = x509.InhibitAnyPolicy(1)
3206 iap2 = x509.InhibitAnyPolicy(1)
3207 assert iap == iap2
3208
3209 def test_ne(self):
3210 iap = x509.InhibitAnyPolicy(1)
3211 iap2 = x509.InhibitAnyPolicy(4)
3212 assert iap != iap2
3213 assert iap != object()
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]3214
3215
3216@pytest.mark.requires_backend_interface(interface=RSABackend)
3217@pytest.mark.requires_backend_interface(interface=X509Backend)
3218class TestInhibitAnyPolicyExtension(object):
3219 def test_nocheck(self, backend):
3220 cert = _load_cert(
3221 os.path.join(
3222 "x509", "custom", "inhibit_any_policy_5.pem"
3223 ),
3224 x509.load_pem_x509_certificate,
3225 backend
3226 )
3227 iap = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3228 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]3229 ).value
3230 assert iap.skip_certs == 5
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]3231
3232
3233@pytest.mark.requires_backend_interface(interface=RSABackend)
3234@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1b7500f2015-08-01 20:56:27 +0100[diff] [blame]3235class TestInvalidExtension(object):
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]3236 def test_invalid_certificate_policies_data(self, backend):
3237 cert = _load_cert(
3238 os.path.join(
3239 "x509", "custom", "cp_invalid.pem"
3240 ),
3241 x509.load_pem_x509_certificate,
3242 backend
3243 )
3244 with pytest.raises(ValueError):
3245 cert.extensions