Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 14fd697c5c4a2435b2113e425c95ac9c05702cc2 / . / tests / test_x509_ext.py
blob: 258be12da4a0c7c898382e7406368a15c4101bd9 [file] [log] [blame]
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]7import binascii
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]8import datetime
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]9import ipaddress
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]10import os
11
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]12import pytest
13
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]14import six
15
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]16from cryptography import x509
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]17from cryptography.hazmat.backends.interfaces import (
18 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
19)
20from cryptography.hazmat.primitives.asymmetric import ec
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]21from cryptography.x509.oid import (
Nick Bastin326fc8e2015-12-12 19:08:12 -0800[diff] [blame]22 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID,
23 NameOID, ObjectIdentifier
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]24)
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]25
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]26from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]27from .test_x509 import _load_cert
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]28
29
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]30class TestExtension(object):
31 def test_not_an_oid(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]32 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]33 with pytest.raises(TypeError):
34 x509.Extension("notanoid", True, bc)
35
36 def test_critical_not_a_bool(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]37 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]38 with pytest.raises(TypeError):
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]39 x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, "notabool", bc)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]40
41 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]42 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]43 ext = x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, True, bc)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]44 assert repr(ext) == (
45 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConst"
46 "raints)>, critical=True, value=<BasicConstraints(ca=False, path"
47 "_length=None)>)>"
48 )
49
Paul Kehrer58e870c2015-05-17 09:15:30 -0700[diff] [blame]50 def test_eq(self):
51 ext1 = x509.Extension(
52 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
53 )
54 ext2 = x509.Extension(
55 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
56 )
57 assert ext1 == ext2
58
59 def test_ne(self):
60 ext1 = x509.Extension(
61 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
62 )
63 ext2 = x509.Extension(
64 x509.ObjectIdentifier('1.2.3.5'), False, 'value'
65 )
66 ext3 = x509.Extension(
67 x509.ObjectIdentifier('1.2.3.4'), True, 'value'
68 )
69 ext4 = x509.Extension(
70 x509.ObjectIdentifier('1.2.3.4'), False, 'value4'
71 )
72 assert ext1 != ext2
73 assert ext1 != ext3
74 assert ext1 != ext4
75 assert ext1 != object()
76
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]77
Paul Kehrer14fd6972015-12-30 10:58:25 -0600[diff] [blame^]78class TestUnrecognizedExtension(object):
79 def test_invalid_oid(self):
80 with pytest.raises(TypeError):
81 x509.UnrecognizedExtension("notanoid", b"somedata")
82
83 def test_eq(self):
84 ext1 = x509.UnrecognizedExtension(
85 x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x01"
86 )
87 ext2 = x509.UnrecognizedExtension(
88 x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x01"
89 )
90 assert ext1 == ext2
91
92 def test_ne(self):
93 ext1 = x509.UnrecognizedExtension(
94 x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x01"
95 )
96 ext2 = x509.UnrecognizedExtension(
97 x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x02"
98 )
99 ext3 = x509.UnrecognizedExtension(
100 x509.ObjectIdentifier("1.2.3.5"), b"\x03\x02\x01"
101 )
102 assert ext1 != ext2
103 assert ext1 != ext3
104 assert ext1 != object()
105
106 def test_repr(self):
107 ext1 = x509.UnrecognizedExtension(
108 x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x01"
109 )
110 assert repr(ext1) == (
111 "<UnrecognizedExtension(oid=<ObjectIdentifier(oid=1.2.3.4, name="
112 "Unknown OID)>, value='\\x03\\x02\\x01')>"
113 )
114
115 def test_hash(self):
116 ext1 = x509.UnrecognizedExtension(
117 x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x01"
118 )
119 ext2 = x509.UnrecognizedExtension(
120 x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x01"
121 )
122 ext3 = x509.UnrecognizedExtension(
123 x509.ObjectIdentifier("1.2.3.5"), b"\x03\x02\x01"
124 )
125 assert hash(ext1) == hash(ext2)
126 assert hash(ext1) != hash(ext3)
127
128
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]129class TestCertificateIssuer(object):
130 def test_iter_names(self):
131 ci = x509.CertificateIssuer([
132 x509.DNSName(u"cryptography.io"),
133 x509.DNSName(u"crypto.local"),
134 ])
135 assert len(ci) == 2
136 assert list(ci) == [
137 x509.DNSName(u"cryptography.io"),
138 x509.DNSName(u"crypto.local"),
139 ]
140
Paul Kehrer5c999d32015-12-26 17:45:20 -0600[diff] [blame]141 def test_indexing(self):
142 ci = x509.CertificateIssuer([
143 x509.DNSName(u"cryptography.io"),
144 x509.DNSName(u"crypto.local"),
145 x509.DNSName(u"another.local"),
146 x509.RFC822Name(u"email@another.local"),
147 x509.UniformResourceIdentifier(u"http://another.local"),
148 ])
149 assert ci[-1] == ci[4]
150 assert ci[2:6:2] == [ci[2], ci[4]]
151
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]152 def test_eq(self):
153 ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
154 ci2 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
155 assert ci1 == ci2
156
157 def test_ne(self):
158 ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
159 ci2 = x509.CertificateIssuer([x509.DNSName(u"somethingelse.tld")])
160 assert ci1 != ci2
161 assert ci1 != object()
162
163 def test_repr(self):
164 ci = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
165 assert repr(ci) == (
166 "<CertificateIssuer(<GeneralNames([<DNSName(value=cryptography.io"
167 ")>])>)>"
168 )
169
170 def test_get_values_for_type(self):
171 ci = x509.CertificateIssuer(
172 [x509.DNSName(u"cryptography.io")]
173 )
174 names = ci.get_values_for_type(x509.DNSName)
175 assert names == [u"cryptography.io"]
176
177
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]178class TestCRLReason(object):
179 def test_invalid_reason_flags(self):
180 with pytest.raises(TypeError):
181 x509.CRLReason("notareason")
182
183 def test_eq(self):
184 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
185 reason2 = x509.CRLReason(x509.ReasonFlags.unspecified)
186 assert reason1 == reason2
187
188 def test_ne(self):
189 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
190 reason2 = x509.CRLReason(x509.ReasonFlags.ca_compromise)
191 assert reason1 != reason2
192 assert reason1 != object()
193
Alex Gaynor07d5cae2015-12-27 15:30:39 -0500[diff] [blame]194 def test_hash(self):
195 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
196 reason2 = x509.CRLReason(x509.ReasonFlags.unspecified)
197 reason3 = x509.CRLReason(x509.ReasonFlags.ca_compromise)
198
199 assert hash(reason1) == hash(reason2)
200 assert hash(reason1) != hash(reason3)
201
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]202 def test_repr(self):
203 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
204 assert repr(reason1) == (
205 "<CRLReason(reason=ReasonFlags.unspecified)>"
206 )
207
208
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]209class TestInvalidityDate(object):
210 def test_invalid_invalidity_date(self):
211 with pytest.raises(TypeError):
212 x509.InvalidityDate("notadate")
213
214 def test_eq(self):
215 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
216 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
217 assert invalid1 == invalid2
218
219 def test_ne(self):
220 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
221 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 2))
222 assert invalid1 != invalid2
223 assert invalid1 != object()
224
225 def test_repr(self):
226 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
227 assert repr(invalid1) == (
228 "<InvalidityDate(invalidity_date=2015-01-01 01:01:00)>"
229 )
230
Paul Kehrer67cde762015-12-26 11:37:14 -0600[diff] [blame]231 def test_hash(self):
232 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
233 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
234 invalid3 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 2))
235 assert hash(invalid1) == hash(invalid2)
236 assert hash(invalid1) != hash(invalid3)
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]237
Paul Kehrerc0297dd2015-12-26 11:37:57 -0600[diff] [blame]238
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]239class TestNoticeReference(object):
240 def test_notice_numbers_not_all_int(self):
241 with pytest.raises(TypeError):
242 x509.NoticeReference("org", [1, 2, "three"])
243
244 def test_notice_numbers_none(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]245 with pytest.raises(TypeError):
246 x509.NoticeReference("org", None)
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]247
248 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]249 nr = x509.NoticeReference(u"org", [1, 3, 4])
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]250
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]251 if six.PY3:
252 assert repr(nr) == (
253 "<NoticeReference(organization='org', notice_numbers=[1, 3, 4"
254 "])>"
255 )
256 else:
257 assert repr(nr) == (
258 "<NoticeReference(organization=u'org', notice_numbers=[1, 3, "
259 "4])>"
260 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]261
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]262 def test_eq(self):
263 nr = x509.NoticeReference("org", [1, 2])
264 nr2 = x509.NoticeReference("org", [1, 2])
265 assert nr == nr2
266
267 def test_ne(self):
268 nr = x509.NoticeReference("org", [1, 2])
269 nr2 = x509.NoticeReference("org", [1])
270 nr3 = x509.NoticeReference(None, [1, 2])
271 assert nr != nr2
272 assert nr != nr3
273 assert nr != object()
274
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]275
276class TestUserNotice(object):
277 def test_notice_reference_invalid(self):
278 with pytest.raises(TypeError):
279 x509.UserNotice("invalid", None)
280
281 def test_notice_reference_none(self):
282 un = x509.UserNotice(None, "text")
283 assert un.notice_reference is None
284 assert un.explicit_text == "text"
285
286 def test_repr(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]287 un = x509.UserNotice(x509.NoticeReference(u"org", [1]), u"text")
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]288 if six.PY3:
289 assert repr(un) == (
290 "<UserNotice(notice_reference=<NoticeReference(organization='"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]291 "org', notice_numbers=[1])>, explicit_text='text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]292 )
293 else:
294 assert repr(un) == (
295 "<UserNotice(notice_reference=<NoticeReference(organization=u"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]296 "'org', notice_numbers=[1])>, explicit_text=u'text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]297 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]298
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]299 def test_eq(self):
300 nr = x509.NoticeReference("org", [1, 2])
301 nr2 = x509.NoticeReference("org", [1, 2])
302 un = x509.UserNotice(nr, "text")
303 un2 = x509.UserNotice(nr2, "text")
304 assert un == un2
305
306 def test_ne(self):
307 nr = x509.NoticeReference("org", [1, 2])
308 nr2 = x509.NoticeReference("org", [1])
309 un = x509.UserNotice(nr, "text")
310 un2 = x509.UserNotice(nr2, "text")
311 un3 = x509.UserNotice(nr, "text3")
312 assert un != un2
313 assert un != un3
314 assert un != object()
315
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]316
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]317class TestPolicyInformation(object):
318 def test_invalid_policy_identifier(self):
319 with pytest.raises(TypeError):
320 x509.PolicyInformation("notanoid", None)
321
322 def test_none_policy_qualifiers(self):
323 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), None)
324 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
325 assert pi.policy_qualifiers is None
326
327 def test_policy_qualifiers(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]328 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]329 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
330 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
331 assert pi.policy_qualifiers == pq
332
333 def test_invalid_policy_identifiers(self):
334 with pytest.raises(TypeError):
335 x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [1, 2])
336
337 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]338 pq = [u"string", x509.UserNotice(None, u"hi")]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]339 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]340 if six.PY3:
341 assert repr(pi) == (
342 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
343 "2.3, name=Unknown OID)>, policy_qualifiers=['string', <UserNo"
Paul Kehrer9aaef9e2015-05-11 10:49:20 -0500[diff] [blame]344 "tice(notice_reference=None, explicit_text='hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]345 )
346 else:
347 assert repr(pi) == (
348 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
349 "2.3, name=Unknown OID)>, policy_qualifiers=[u'string', <UserN"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]350 "otice(notice_reference=None, explicit_text=u'hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]351 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]352
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]353 def test_eq(self):
354 pi = x509.PolicyInformation(
355 x509.ObjectIdentifier("1.2.3"),
356 [u"string", x509.UserNotice(None, u"hi")]
357 )
358 pi2 = x509.PolicyInformation(
359 x509.ObjectIdentifier("1.2.3"),
360 [u"string", x509.UserNotice(None, u"hi")]
361 )
362 assert pi == pi2
363
364 def test_ne(self):
365 pi = x509.PolicyInformation(
366 x509.ObjectIdentifier("1.2.3"), [u"string"]
367 )
368 pi2 = x509.PolicyInformation(
369 x509.ObjectIdentifier("1.2.3"), [u"string2"]
370 )
371 pi3 = x509.PolicyInformation(
372 x509.ObjectIdentifier("1.2.3.4"), [u"string"]
373 )
374 assert pi != pi2
375 assert pi != pi3
376 assert pi != object()
377
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]378
379class TestCertificatePolicies(object):
380 def test_invalid_policies(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]381 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]382 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
383 with pytest.raises(TypeError):
384 x509.CertificatePolicies([1, pi])
385
386 def test_iter_len(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]387 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]388 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
389 cp = x509.CertificatePolicies([pi])
390 assert len(cp) == 1
391 for policyinfo in cp:
392 assert policyinfo == pi
393
394 def test_repr(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]395 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]396 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
397 cp = x509.CertificatePolicies([pi])
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]398 if six.PY3:
399 assert repr(cp) == (
400 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
401 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
402 "ers=['string'])>])>"
403 )
404 else:
405 assert repr(cp) == (
406 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
407 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
408 "ers=[u'string'])>])>"
409 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]410
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]411 def test_eq(self):
412 pi = x509.PolicyInformation(
413 x509.ObjectIdentifier("1.2.3"), [u"string"]
414 )
415 cp = x509.CertificatePolicies([pi])
416 pi2 = x509.PolicyInformation(
417 x509.ObjectIdentifier("1.2.3"), [u"string"]
418 )
419 cp2 = x509.CertificatePolicies([pi2])
420 assert cp == cp2
421
422 def test_ne(self):
423 pi = x509.PolicyInformation(
424 x509.ObjectIdentifier("1.2.3"), [u"string"]
425 )
426 cp = x509.CertificatePolicies([pi])
427 pi2 = x509.PolicyInformation(
428 x509.ObjectIdentifier("1.2.3"), [u"string2"]
429 )
430 cp2 = x509.CertificatePolicies([pi2])
431 assert cp != cp2
432 assert cp != object()
433
Paul Kehrere8db7bd2015-12-27 17:32:57 -0600[diff] [blame]434 def test_indexing(self):
435 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [u"test"])
436 pi2 = x509.PolicyInformation(x509.ObjectIdentifier("1.2.4"), [u"test"])
437 pi3 = x509.PolicyInformation(x509.ObjectIdentifier("1.2.5"), [u"test"])
438 pi4 = x509.PolicyInformation(x509.ObjectIdentifier("1.2.6"), [u"test"])
439 pi5 = x509.PolicyInformation(x509.ObjectIdentifier("1.2.7"), [u"test"])
440 cp = x509.CertificatePolicies([pi, pi2, pi3, pi4, pi5])
441 assert cp[-1] == cp[4]
442 assert cp[2:6:2] == [cp[2], cp[4]]
443
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]444
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]445@pytest.mark.requires_backend_interface(interface=RSABackend)
446@pytest.mark.requires_backend_interface(interface=X509Backend)
447class TestCertificatePoliciesExtension(object):
448 def test_cps_uri_policy_qualifier(self, backend):
449 cert = _load_cert(
450 os.path.join("x509", "custom", "cp_cps_uri.pem"),
451 x509.load_pem_x509_certificate,
452 backend
453 )
454
455 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]456 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]457 ).value
458
459 assert cp == x509.CertificatePolicies([
460 x509.PolicyInformation(
461 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
462 [u"http://other.com/cps"]
463 )
464 ])
465
466 def test_user_notice_with_notice_reference(self, backend):
467 cert = _load_cert(
468 os.path.join(
469 "x509", "custom", "cp_user_notice_with_notice_reference.pem"
470 ),
471 x509.load_pem_x509_certificate,
472 backend
473 )
474
475 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]476 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]477 ).value
478
479 assert cp == x509.CertificatePolicies([
480 x509.PolicyInformation(
481 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
482 [
483 u"http://example.com/cps",
484 u"http://other.com/cps",
485 x509.UserNotice(
486 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
487 u"thing"
488 )
489 ]
490 )
491 ])
492
493 def test_user_notice_with_explicit_text(self, backend):
494 cert = _load_cert(
495 os.path.join(
496 "x509", "custom", "cp_user_notice_with_explicit_text.pem"
497 ),
498 x509.load_pem_x509_certificate,
499 backend
500 )
501
502 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]503 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]504 ).value
505
506 assert cp == x509.CertificatePolicies([
507 x509.PolicyInformation(
508 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
509 [x509.UserNotice(None, u"thing")]
510 )
511 ])
512
513 def test_user_notice_no_explicit_text(self, backend):
514 cert = _load_cert(
515 os.path.join(
516 "x509", "custom", "cp_user_notice_no_explicit_text.pem"
517 ),
518 x509.load_pem_x509_certificate,
519 backend
520 )
521
522 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]523 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]524 ).value
525
526 assert cp == x509.CertificatePolicies([
527 x509.PolicyInformation(
528 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
529 [
530 x509.UserNotice(
531 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
532 None
533 )
534 ]
535 )
536 ])
537
538
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]539class TestKeyUsage(object):
540 def test_key_agreement_false_encipher_decipher_true(self):
541 with pytest.raises(ValueError):
542 x509.KeyUsage(
543 digital_signature=False,
544 content_commitment=False,
545 key_encipherment=False,
546 data_encipherment=False,
547 key_agreement=False,
548 key_cert_sign=False,
549 crl_sign=False,
550 encipher_only=True,
551 decipher_only=False
552 )
553
554 with pytest.raises(ValueError):
555 x509.KeyUsage(
556 digital_signature=False,
557 content_commitment=False,
558 key_encipherment=False,
559 data_encipherment=False,
560 key_agreement=False,
561 key_cert_sign=False,
562 crl_sign=False,
563 encipher_only=True,
564 decipher_only=True
565 )
566
567 with pytest.raises(ValueError):
568 x509.KeyUsage(
569 digital_signature=False,
570 content_commitment=False,
571 key_encipherment=False,
572 data_encipherment=False,
573 key_agreement=False,
574 key_cert_sign=False,
575 crl_sign=False,
576 encipher_only=False,
577 decipher_only=True
578 )
579
580 def test_properties_key_agreement_true(self):
581 ku = x509.KeyUsage(
582 digital_signature=True,
583 content_commitment=True,
584 key_encipherment=False,
585 data_encipherment=False,
586 key_agreement=False,
587 key_cert_sign=True,
588 crl_sign=False,
589 encipher_only=False,
590 decipher_only=False
591 )
592 assert ku.digital_signature is True
593 assert ku.content_commitment is True
594 assert ku.key_encipherment is False
595 assert ku.data_encipherment is False
596 assert ku.key_agreement is False
597 assert ku.key_cert_sign is True
598 assert ku.crl_sign is False
599
600 def test_key_agreement_true_properties(self):
601 ku = x509.KeyUsage(
602 digital_signature=False,
603 content_commitment=False,
604 key_encipherment=False,
605 data_encipherment=False,
606 key_agreement=True,
607 key_cert_sign=False,
608 crl_sign=False,
609 encipher_only=False,
610 decipher_only=True
611 )
612 assert ku.key_agreement is True
613 assert ku.encipher_only is False
614 assert ku.decipher_only is True
615
616 def test_key_agreement_false_properties(self):
617 ku = x509.KeyUsage(
618 digital_signature=False,
619 content_commitment=False,
620 key_encipherment=False,
621 data_encipherment=False,
622 key_agreement=False,
623 key_cert_sign=False,
624 crl_sign=False,
625 encipher_only=False,
626 decipher_only=False
627 )
628 assert ku.key_agreement is False
629 with pytest.raises(ValueError):
630 ku.encipher_only
631
632 with pytest.raises(ValueError):
633 ku.decipher_only
634
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]635 def test_repr_key_agreement_false(self):
636 ku = x509.KeyUsage(
637 digital_signature=True,
638 content_commitment=True,
639 key_encipherment=False,
640 data_encipherment=False,
641 key_agreement=False,
642 key_cert_sign=True,
643 crl_sign=False,
644 encipher_only=False,
645 decipher_only=False
646 )
647 assert repr(ku) == (
648 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
649 "cipherment=False, data_encipherment=False, key_agreement=False, k"
Paul Kehrerb372e672015-04-15 11:05:24 -0400[diff] [blame]650 "ey_cert_sign=True, crl_sign=False, encipher_only=None, decipher_o"
651 "nly=None)>"
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]652 )
653
654 def test_repr_key_agreement_true(self):
655 ku = x509.KeyUsage(
656 digital_signature=True,
657 content_commitment=True,
658 key_encipherment=False,
659 data_encipherment=False,
660 key_agreement=True,
661 key_cert_sign=True,
662 crl_sign=False,
663 encipher_only=False,
664 decipher_only=False
665 )
666 assert repr(ku) == (
667 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
668 "cipherment=False, data_encipherment=False, key_agreement=True, k"
669 "ey_cert_sign=True, crl_sign=False, encipher_only=False, decipher_"
670 "only=False)>"
671 )
672
Paul Kehrer8565f5e2015-05-13 09:57:09 -0500[diff] [blame]673 def test_eq(self):
674 ku = x509.KeyUsage(
675 digital_signature=False,
676 content_commitment=False,
677 key_encipherment=False,
678 data_encipherment=False,
679 key_agreement=True,
680 key_cert_sign=False,
681 crl_sign=False,
682 encipher_only=False,
683 decipher_only=True
684 )
685 ku2 = x509.KeyUsage(
686 digital_signature=False,
687 content_commitment=False,
688 key_encipherment=False,
689 data_encipherment=False,
690 key_agreement=True,
691 key_cert_sign=False,
692 crl_sign=False,
693 encipher_only=False,
694 decipher_only=True
695 )
696 assert ku == ku2
697
698 def test_ne(self):
699 ku = x509.KeyUsage(
700 digital_signature=False,
701 content_commitment=False,
702 key_encipherment=False,
703 data_encipherment=False,
704 key_agreement=True,
705 key_cert_sign=False,
706 crl_sign=False,
707 encipher_only=False,
708 decipher_only=True
709 )
710 ku2 = x509.KeyUsage(
711 digital_signature=False,
712 content_commitment=False,
713 key_encipherment=False,
714 data_encipherment=False,
715 key_agreement=False,
716 key_cert_sign=False,
717 crl_sign=False,
718 encipher_only=False,
719 decipher_only=False
720 )
721 assert ku != ku2
722 assert ku != object()
723
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]724
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]725class TestSubjectKeyIdentifier(object):
726 def test_properties(self):
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]727 value = binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]728 ski = x509.SubjectKeyIdentifier(value)
729 assert ski.digest == value
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]730
731 def test_repr(self):
732 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]733 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]734 )
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]735 ext = x509.Extension(ExtensionOID.SUBJECT_KEY_IDENTIFIER, False, ski)
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]736 if six.PY3:
737 assert repr(ext) == (
738 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
739 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
740 "igest=b\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
741 "\\xf7\\xff:\\xc9\')>)>"
742 )
743 else:
744 assert repr(ext) == (
745 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
746 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
747 "igest=\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
748 "\\xf7\\xff:\\xc9\')>)>"
749 )
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]750
751 def test_eq(self):
752 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]753 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]754 )
755 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]756 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]757 )
758 assert ski == ski2
759
760 def test_ne(self):
761 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]762 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]763 )
764 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]765 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]766 )
767 assert ski != ski2
768 assert ski != object()
769
Alex Gaynor410fe352015-12-26 15:01:25 -0500[diff] [blame]770 def test_hash(self):
771 ski1 = x509.SubjectKeyIdentifier(
772 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
773 )
774 ski2 = x509.SubjectKeyIdentifier(
775 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
776 )
777 ski3 = x509.SubjectKeyIdentifier(
778 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
779 )
780
781 assert hash(ski1) == hash(ski2)
782 assert hash(ski1) != hash(ski3)
783
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]784
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]785class TestAuthorityKeyIdentifier(object):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]786 def test_authority_cert_issuer_not_generalname(self):
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]787 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]788 x509.AuthorityKeyIdentifier(b"identifier", ["notname"], 3)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]789
790 def test_authority_cert_serial_number_not_integer(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]791 dirname = x509.DirectoryName(
792 x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]793 x509.NameAttribute(
794 x509.ObjectIdentifier('2.999.1'),
795 u'value1'
796 ),
797 x509.NameAttribute(
798 x509.ObjectIdentifier('2.999.2'),
799 u'value2'
800 ),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]801 ])
802 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]803 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]804 x509.AuthorityKeyIdentifier(b"identifier", [dirname], "notanint")
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]805
806 def test_authority_issuer_none_serial_not_none(self):
807 with pytest.raises(ValueError):
808 x509.AuthorityKeyIdentifier(b"identifier", None, 3)
809
810 def test_authority_issuer_not_none_serial_none(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]811 dirname = x509.DirectoryName(
812 x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]813 x509.NameAttribute(
814 x509.ObjectIdentifier('2.999.1'),
815 u'value1'
816 ),
817 x509.NameAttribute(
818 x509.ObjectIdentifier('2.999.2'),
819 u'value2'
820 ),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]821 ])
822 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]823 with pytest.raises(ValueError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]824 x509.AuthorityKeyIdentifier(b"identifier", [dirname], None)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]825
826 def test_authority_cert_serial_and_issuer_none(self):
827 aki = x509.AuthorityKeyIdentifier(b"id", None, None)
828 assert aki.key_identifier == b"id"
829 assert aki.authority_cert_issuer is None
830 assert aki.authority_cert_serial_number is None
831
832 def test_repr(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]833 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]834 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]835 )
836 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]837
838 if six.PY3:
839 assert repr(aki) == (
840 "<AuthorityKeyIdentifier(key_identifier=b'digest', authority_"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]841 "cert_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid="
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]842 "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value='myC"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]843 "N')>])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]844 )
845 else:
846 assert repr(aki) == (
847 "<AuthorityKeyIdentifier(key_identifier='digest', authority_ce"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]848 "rt_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid=<Ob"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]849 "jectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'myCN')"
850 ">])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]851 )
852
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]853 def test_eq(self):
854 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]855 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]856 )
857 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
858 dirname2 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]859 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]860 )
861 aki2 = x509.AuthorityKeyIdentifier(b"digest", [dirname2], 1234)
862 assert aki == aki2
863
864 def test_ne(self):
865 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]866 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]867 )
868 dirname5 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]869 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'aCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]870 )
871 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
872 aki2 = x509.AuthorityKeyIdentifier(b"diges", [dirname], 1234)
873 aki3 = x509.AuthorityKeyIdentifier(b"digest", None, None)
874 aki4 = x509.AuthorityKeyIdentifier(b"digest", [dirname], 12345)
875 aki5 = x509.AuthorityKeyIdentifier(b"digest", [dirname5], 12345)
876 assert aki != aki2
877 assert aki != aki3
878 assert aki != aki4
879 assert aki != aki5
880 assert aki != object()
881
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]882
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]883class TestBasicConstraints(object):
884 def test_ca_not_boolean(self):
885 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]886 x509.BasicConstraints(ca="notbool", path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]887
888 def test_path_length_not_ca(self):
889 with pytest.raises(ValueError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]890 x509.BasicConstraints(ca=False, path_length=0)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]891
892 def test_path_length_not_int(self):
893 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]894 x509.BasicConstraints(ca=True, path_length=1.1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]895
896 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]897 x509.BasicConstraints(ca=True, path_length="notint")
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]898
899 def test_path_length_negative(self):
900 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]901 x509.BasicConstraints(ca=True, path_length=-1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]902
903 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]904 na = x509.BasicConstraints(ca=True, path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]905 assert repr(na) == (
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]906 "<BasicConstraints(ca=True, path_length=None)>"
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]907 )
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]908
Paul Kehrer2eb69f62015-12-27 11:46:11 -0600[diff] [blame]909 def test_hash(self):
910 na = x509.BasicConstraints(ca=True, path_length=None)
911 na2 = x509.BasicConstraints(ca=True, path_length=None)
Paul Kehrerb39af8d2015-12-27 14:30:19 -0600[diff] [blame]912 na3 = x509.BasicConstraints(ca=True, path_length=0)
Paul Kehrer2eb69f62015-12-27 11:46:11 -0600[diff] [blame]913 assert hash(na) == hash(na2)
Paul Kehrerb39af8d2015-12-27 14:30:19 -0600[diff] [blame]914 assert hash(na) != hash(na3)
Paul Kehrer2eb69f62015-12-27 11:46:11 -0600[diff] [blame]915
Paul Kehrer3a69b132015-05-13 10:03:46 -0500[diff] [blame]916 def test_eq(self):
917 na = x509.BasicConstraints(ca=True, path_length=None)
918 na2 = x509.BasicConstraints(ca=True, path_length=None)
919 assert na == na2
920
921 def test_ne(self):
922 na = x509.BasicConstraints(ca=True, path_length=None)
923 na2 = x509.BasicConstraints(ca=True, path_length=1)
924 na3 = x509.BasicConstraints(ca=False, path_length=None)
925 assert na != na2
926 assert na != na3
927 assert na != object()
928
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]929
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]930class TestExtendedKeyUsage(object):
931 def test_not_all_oids(self):
932 with pytest.raises(TypeError):
933 x509.ExtendedKeyUsage(["notoid"])
934
935 def test_iter_len(self):
936 eku = x509.ExtendedKeyUsage([
937 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
938 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
939 ])
940 assert len(eku) == 2
941 assert list(eku) == [
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]942 ExtendedKeyUsageOID.SERVER_AUTH,
943 ExtendedKeyUsageOID.CLIENT_AUTH
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]944 ]
945
Paul Kehrer23d10c32015-04-02 23:12:32 -0500[diff] [blame]946 def test_repr(self):
947 eku = x509.ExtendedKeyUsage([
948 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
949 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
950 ])
951 assert repr(eku) == (
952 "<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name="
953 "serverAuth)>, <ObjectIdentifier(oid=1.3.6.1.5.5.7.3.2, name=clien"
954 "tAuth)>])>"
955 )
956
Paul Kehrerb0476172015-05-02 19:34:51 -0500[diff] [blame]957 def test_eq(self):
958 eku = x509.ExtendedKeyUsage([
959 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
960 ])
961 eku2 = x509.ExtendedKeyUsage([
962 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
963 ])
964 assert eku == eku2
965
966 def test_ne(self):
967 eku = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6")])
968 eku2 = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6.1")])
969 assert eku != eku2
970 assert eku != object()
971
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]972
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]973@pytest.mark.requires_backend_interface(interface=RSABackend)
974@pytest.mark.requires_backend_interface(interface=X509Backend)
975class TestExtensions(object):
976 def test_no_extensions(self, backend):
977 cert = _load_cert(
978 os.path.join("x509", "verisign_md2_root.pem"),
979 x509.load_pem_x509_certificate,
980 backend
981 )
982 ext = cert.extensions
983 assert len(ext) == 0
984 assert list(ext) == []
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]985 with pytest.raises(x509.ExtensionNotFound) as exc:
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]986 ext.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]987
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]988 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]989
990 def test_one_extension(self, backend):
991 cert = _load_cert(
992 os.path.join(
993 "x509", "custom", "basic_constraints_not_critical.pem"
994 ),
995 x509.load_pem_x509_certificate,
996 backend
997 )
998 extensions = cert.extensions
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]999 ext = extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1000 assert ext is not None
1001 assert ext.value.ca is False
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]1002
1003 def test_duplicate_extension(self, backend):
1004 cert = _load_cert(
1005 os.path.join(
1006 "x509", "custom", "two_basic_constraints.pem"
1007 ),
1008 x509.load_pem_x509_certificate,
1009 backend
1010 )
1011 with pytest.raises(x509.DuplicateExtension) as exc:
1012 cert.extensions
1013
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1014 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]1015
1016 def test_unsupported_critical_extension(self, backend):
1017 cert = _load_cert(
1018 os.path.join(
1019 "x509", "custom", "unsupported_extension_critical.pem"
1020 ),
1021 x509.load_pem_x509_certificate,
1022 backend
1023 )
1024 with pytest.raises(x509.UnsupportedExtension) as exc:
1025 cert.extensions
1026
1027 assert exc.value.oid == x509.ObjectIdentifier("1.2.3.4")
1028
1029 def test_unsupported_extension(self, backend):
1030 # TODO: this will raise an exception when all extensions are complete
1031 cert = _load_cert(
1032 os.path.join(
1033 "x509", "custom", "unsupported_extension.pem"
1034 ),
1035 x509.load_pem_x509_certificate,
1036 backend
1037 )
1038 extensions = cert.extensions
1039 assert len(extensions) == 0
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1040
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]1041 def test_no_extensions_get_for_class(self, backend):
1042 cert = _load_cert(
1043 os.path.join(
Phoebe Queencb5ec4e2015-08-12 15:06:26 +0100[diff] [blame]1044 "x509", "cryptography.io.pem"
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]1045 ),
1046 x509.load_pem_x509_certificate,
1047 backend
1048 )
Phoebe Queenc93752b2015-08-12 10:54:46 +0100[diff] [blame]1049 exts = cert.extensions
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]1050 with pytest.raises(x509.ExtensionNotFound) as exc:
Phoebe Queencb5ec4e2015-08-12 15:06:26 +0100[diff] [blame]1051 exts.get_extension_for_class(x509.IssuerAlternativeName)
1052 assert exc.value.oid == ExtensionOID.ISSUER_ALTERNATIVE_NAME
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]1053
Paul Kehrer5b90c972015-12-26 00:52:58 -0600[diff] [blame]1054 def test_indexing(self, backend):
1055 cert = _load_cert(
1056 os.path.join("x509", "cryptography.io.pem"),
1057 x509.load_pem_x509_certificate,
1058 backend
1059 )
1060 exts = cert.extensions
1061 assert exts[-1] == exts[7]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame]1062 assert exts[2:6:2] == [exts[2], exts[4]]
Paul Kehrer5b90c972015-12-26 00:52:58 -0600[diff] [blame]1063
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]1064 def test_one_extension_get_for_class(self, backend):
1065 cert = _load_cert(
Phoebe Queen2cc111a2015-08-12 04:14:22 +0100[diff] [blame]1066 os.path.join(
1067 "x509", "custom", "basic_constraints_not_critical.pem"
1068 ),
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]1069 x509.load_pem_x509_certificate,
1070 backend
1071 )
1072 ext = cert.extensions.get_extension_for_class(x509.BasicConstraints)
1073 assert ext is not None
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]1074 assert isinstance(ext.value, x509.BasicConstraints)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1075
Paul Kehrerafbe75b2015-10-20 08:08:43 -0500[diff] [blame]1076 def test_repr(self, backend):
1077 cert = _load_cert(
1078 os.path.join(
1079 "x509", "custom", "basic_constraints_not_critical.pem"
1080 ),
1081 x509.load_pem_x509_certificate,
1082 backend
1083 )
1084 assert repr(cert.extensions) == (
1085 "<Extensions([<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name"
1086 "=basicConstraints)>, critical=False, value=<BasicConstraints(ca=F"
1087 "alse, path_length=None)>)>])>"
1088 )
1089
Phoebe Queen2cc111a2015-08-12 04:14:22 +0100[diff] [blame]1090
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1091@pytest.mark.requires_backend_interface(interface=RSABackend)
1092@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerde813ea2015-03-28 12:44:34 -0500[diff] [blame]1093class TestBasicConstraintsExtension(object):
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1094 def test_ca_true_pathlen_6(self, backend):
1095 cert = _load_cert(
1096 os.path.join(
1097 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
1098 ),
1099 x509.load_der_x509_certificate,
1100 backend
1101 )
Phoebe Queen062dec72015-08-12 11:42:23 +0100[diff] [blame]1102 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1103 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1104 )
1105 assert ext is not None
1106 assert ext.critical is True
1107 assert ext.value.ca is True
1108 assert ext.value.path_length == 6
1109
1110 def test_path_length_zero(self, backend):
1111 cert = _load_cert(
1112 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
1113 x509.load_pem_x509_certificate,
1114 backend
1115 )
1116 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1117 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1118 )
1119 assert ext is not None
1120 assert ext.critical is True
1121 assert ext.value.ca is True
1122 assert ext.value.path_length == 0
1123
1124 def test_ca_true_no_pathlen(self, backend):
1125 cert = _load_cert(
1126 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1127 x509.load_der_x509_certificate,
1128 backend
1129 )
1130 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1131 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1132 )
1133 assert ext is not None
1134 assert ext.critical is True
1135 assert ext.value.ca is True
1136 assert ext.value.path_length is None
1137
1138 def test_ca_false(self, backend):
1139 cert = _load_cert(
1140 os.path.join("x509", "cryptography.io.pem"),
1141 x509.load_pem_x509_certificate,
1142 backend
1143 )
1144 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1145 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1146 )
1147 assert ext is not None
1148 assert ext.critical is True
1149 assert ext.value.ca is False
1150 assert ext.value.path_length is None
1151
1152 def test_no_basic_constraints(self, backend):
1153 cert = _load_cert(
1154 os.path.join(
1155 "x509",
1156 "PKITS_data",
1157 "certs",
1158 "ValidCertificatePathTest1EE.crt"
1159 ),
1160 x509.load_der_x509_certificate,
1161 backend
1162 )
1163 with pytest.raises(x509.ExtensionNotFound):
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1164 cert.extensions.get_extension_for_oid(
1165 ExtensionOID.BASIC_CONSTRAINTS
1166 )
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1167
1168 def test_basic_constraint_not_critical(self, backend):
1169 cert = _load_cert(
1170 os.path.join(
1171 "x509", "custom", "basic_constraints_not_critical.pem"
1172 ),
1173 x509.load_pem_x509_certificate,
1174 backend
1175 )
1176 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1177 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1178 )
1179 assert ext is not None
1180 assert ext.critical is False
1181 assert ext.value.ca is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1182
1183
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1184class TestSubjectKeyIdentifierExtension(object):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1185 @pytest.mark.requires_backend_interface(interface=RSABackend)
1186 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1187 def test_subject_key_identifier(self, backend):
1188 cert = _load_cert(
1189 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1190 x509.load_der_x509_certificate,
1191 backend
1192 )
1193 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1194 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1195 )
1196 ski = ext.value
1197 assert ext is not None
1198 assert ext.critical is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1199 assert ski.digest == binascii.unhexlify(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]1200 b"580184241bbc2b52944a3da510721451f5af3ac9"
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1201 )
1202
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1203 @pytest.mark.requires_backend_interface(interface=RSABackend)
1204 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1205 def test_no_subject_key_identifier(self, backend):
1206 cert = _load_cert(
1207 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
1208 x509.load_pem_x509_certificate,
1209 backend
1210 )
1211 with pytest.raises(x509.ExtensionNotFound):
1212 cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1213 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1214 )
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1215
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1216 @pytest.mark.requires_backend_interface(interface=RSABackend)
1217 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1218 def test_from_rsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1219 cert = _load_cert(
1220 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1221 x509.load_der_x509_certificate,
1222 backend
1223 )
1224 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1225 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1226 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1227 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1228 cert.public_key()
1229 )
1230 assert ext.value == ski
1231
1232 @pytest.mark.requires_backend_interface(interface=DSABackend)
1233 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1234 def test_from_dsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1235 cert = _load_cert(
1236 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
1237 x509.load_pem_x509_certificate,
1238 backend
1239 )
1240
1241 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1242 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1243 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1244 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1245 cert.public_key()
1246 )
1247 assert ext.value == ski
1248
1249 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1250 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1251 def test_from_ec_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1252 _skip_curve_unsupported(backend, ec.SECP384R1())
1253 cert = _load_cert(
1254 os.path.join("x509", "ecdsa_root.pem"),
1255 x509.load_pem_x509_certificate,
1256 backend
1257 )
1258
1259 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1260 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1261 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1262 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1263 cert.public_key()
1264 )
1265 assert ext.value == ski
1266
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1267
1268@pytest.mark.requires_backend_interface(interface=RSABackend)
1269@pytest.mark.requires_backend_interface(interface=X509Backend)
1270class TestKeyUsageExtension(object):
1271 def test_no_key_usage(self, backend):
1272 cert = _load_cert(
1273 os.path.join("x509", "verisign_md2_root.pem"),
1274 x509.load_pem_x509_certificate,
1275 backend
1276 )
1277 ext = cert.extensions
1278 with pytest.raises(x509.ExtensionNotFound) as exc:
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1279 ext.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1280
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1281 assert exc.value.oid == ExtensionOID.KEY_USAGE
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1282
1283 def test_all_purposes(self, backend):
1284 cert = _load_cert(
1285 os.path.join(
1286 "x509", "custom", "all_key_usages.pem"
1287 ),
1288 x509.load_pem_x509_certificate,
1289 backend
1290 )
1291 extensions = cert.extensions
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1292 ext = extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1293 assert ext is not None
1294
1295 ku = ext.value
1296 assert ku.digital_signature is True
1297 assert ku.content_commitment is True
1298 assert ku.key_encipherment is True
1299 assert ku.data_encipherment is True
1300 assert ku.key_agreement is True
1301 assert ku.key_cert_sign is True
1302 assert ku.crl_sign is True
1303 assert ku.encipher_only is True
1304 assert ku.decipher_only is True
1305
1306 def test_key_cert_sign_crl_sign(self, backend):
1307 cert = _load_cert(
1308 os.path.join(
1309 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
1310 ),
1311 x509.load_der_x509_certificate,
1312 backend
1313 )
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1314 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1315 assert ext is not None
1316 assert ext.critical is True
1317
1318 ku = ext.value
1319 assert ku.digital_signature is False
1320 assert ku.content_commitment is False
1321 assert ku.key_encipherment is False
1322 assert ku.data_encipherment is False
1323 assert ku.key_agreement is False
1324 assert ku.key_cert_sign is True
1325 assert ku.crl_sign is True
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1326
1327
1328@pytest.mark.parametrize(
1329 "name", [
1330 x509.RFC822Name,
1331 x509.DNSName,
1332 x509.UniformResourceIdentifier
1333 ]
1334)
1335class TestTextGeneralNames(object):
1336 def test_not_text(self, name):
1337 with pytest.raises(TypeError):
1338 name(b"notaunicodestring")
1339
1340 with pytest.raises(TypeError):
1341 name(1.3)
1342
1343 def test_repr(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1344 gn = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1345 assert repr(gn) == "<{0}(value=string)>".format(name.__name__)
1346
1347 def test_eq(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1348 gn = name(u"string")
1349 gn2 = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1350 assert gn == gn2
1351
1352 def test_ne(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1353 gn = name(u"string")
1354 gn2 = name(u"string2")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1355 assert gn != gn2
1356 assert gn != object()
1357
1358
1359class TestDirectoryName(object):
1360 def test_not_name(self):
1361 with pytest.raises(TypeError):
1362 x509.DirectoryName(b"notaname")
1363
1364 with pytest.raises(TypeError):
1365 x509.DirectoryName(1.3)
1366
1367 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1368 name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'value1')])
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1369 gn = x509.DirectoryName(x509.Name([name]))
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]1370 if six.PY3:
1371 assert repr(gn) == (
1372 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1373 "Identifier(oid=2.5.4.3, name=commonName)>, value='value1')>])"
1374 ">])>)>"
1375 )
1376 else:
1377 assert repr(gn) == (
1378 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1379 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'value1')>]"
1380 ")>])>)>"
1381 )
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1382
1383 def test_eq(self):
1384 name = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1385 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1386 ])
1387 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1388 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1389 ])
1390 gn = x509.DirectoryName(x509.Name([name]))
1391 gn2 = x509.DirectoryName(x509.Name([name2]))
1392 assert gn == gn2
1393
1394 def test_ne(self):
1395 name = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1396 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1397 ])
1398 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1399 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1400 ])
1401 gn = x509.DirectoryName(x509.Name([name]))
1402 gn2 = x509.DirectoryName(x509.Name([name2]))
1403 assert gn != gn2
1404 assert gn != object()
1405
1406
Paul Kehrer01d5d0b2015-07-12 09:41:21 -0500[diff] [blame]1407class TestRFC822Name(object):
1408 def test_invalid_email(self):
1409 with pytest.raises(ValueError):
1410 x509.RFC822Name(u"Name <email>")
1411
1412 with pytest.raises(ValueError):
1413 x509.RFC822Name(u"")
1414
1415 def test_single_label(self):
1416 gn = x509.RFC822Name(u"administrator")
1417 assert gn.value == u"administrator"
1418
1419 def test_idna(self):
1420 gn = x509.RFC822Name(u"email@em\xe5\xefl.com")
1421 assert gn.value == u"email@em\xe5\xefl.com"
1422 assert gn._encoded == b"email@xn--eml-vla4c.com"
1423
1424
Paul Kehrere28d6c42015-07-12 14:59:37 -0500[diff] [blame]1425class TestUniformResourceIdentifier(object):
1426 def test_no_parsed_hostname(self):
1427 gn = x509.UniformResourceIdentifier(u"singlelabel")
1428 assert gn.value == u"singlelabel"
1429
1430 def test_with_port(self):
1431 gn = x509.UniformResourceIdentifier(u"singlelabel:443/test")
1432 assert gn.value == u"singlelabel:443/test"
1433
1434 def test_idna_no_port(self):
1435 gn = x509.UniformResourceIdentifier(
1436 u"http://\u043f\u044b\u043a\u0430.cryptography"
1437 )
1438 assert gn.value == u"http://\u043f\u044b\u043a\u0430.cryptography"
1439 assert gn._encoded == b"http://xn--80ato2c.cryptography"
1440
1441 def test_idna_with_port(self):
1442 gn = x509.UniformResourceIdentifier(
1443 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1444 )
1445 assert gn.value == (
1446 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1447 )
1448 assert gn._encoded == b"gopher://xn--80ato2c.cryptography:70/some/path"
1449
1450 def test_query_and_fragment(self):
1451 gn = x509.UniformResourceIdentifier(
1452 u"ldap://cryptography:90/path?query=true#somedata"
1453 )
1454 assert gn.value == u"ldap://cryptography:90/path?query=true#somedata"
1455
1456
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1457class TestRegisteredID(object):
1458 def test_not_oid(self):
1459 with pytest.raises(TypeError):
1460 x509.RegisteredID(b"notanoid")
1461
1462 with pytest.raises(TypeError):
1463 x509.RegisteredID(1.3)
1464
1465 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1466 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1467 assert repr(gn) == (
1468 "<RegisteredID(value=<ObjectIdentifier(oid=2.5.4.3, name=commonNam"
1469 "e)>)>"
1470 )
1471
1472 def test_eq(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1473 gn = x509.RegisteredID(NameOID.COMMON_NAME)
1474 gn2 = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1475 assert gn == gn2
1476
1477 def test_ne(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1478 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1479 gn2 = x509.RegisteredID(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1480 assert gn != gn2
1481 assert gn != object()
1482
1483
1484class TestIPAddress(object):
1485 def test_not_ipaddress(self):
1486 with pytest.raises(TypeError):
1487 x509.IPAddress(b"notanipaddress")
1488
1489 with pytest.raises(TypeError):
1490 x509.IPAddress(1.3)
1491
1492 def test_repr(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1493 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1494 assert repr(gn) == "<IPAddress(value=127.0.0.1)>"
1495
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1496 gn2 = x509.IPAddress(ipaddress.IPv6Address(u"ff::"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1497 assert repr(gn2) == "<IPAddress(value=ff::)>"
1498
Paul Kehrereb177932015-05-17 18:33:33 -0700[diff] [blame]1499 gn3 = x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24"))
1500 assert repr(gn3) == "<IPAddress(value=192.168.0.0/24)>"
1501
1502 gn4 = x509.IPAddress(ipaddress.IPv6Network(u"ff::/96"))
1503 assert repr(gn4) == "<IPAddress(value=ff::/96)>"
1504
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1505 def test_eq(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1506 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1507 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1508 assert gn == gn2
1509
1510 def test_ne(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1511 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1512 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.2"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1513 assert gn != gn2
1514 assert gn != object()
1515
1516
Joshua Tauberer18b6fc82015-07-05 21:44:51 +0000[diff] [blame]1517class TestOtherName(object):
1518 def test_invalid_args(self):
1519 with pytest.raises(TypeError):
1520 x509.OtherName(b"notanobjectidentifier", b"derdata")
1521
1522 with pytest.raises(TypeError):
1523 x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), u"notderdata")
1524
1525 def test_repr(self):
1526 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1527 if six.PY3:
1528 assert repr(gn) == (
1529 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1530 "name=Unknown OID)>, value=b'derdata')>"
1531 )
1532 else:
1533 assert repr(gn) == (
1534 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1535 "name=Unknown OID)>, value='derdata')>"
1536 )
1537
1538 gn = x509.OtherName(x509.ObjectIdentifier("2.5.4.65"), b"derdata")
1539 if six.PY3:
1540 assert repr(gn) == (
1541 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1542 "name=pseudonym)>, value=b'derdata')>"
1543 )
1544 else:
1545 assert repr(gn) == (
1546 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1547 "name=pseudonym)>, value='derdata')>"
1548 )
1549
1550 def test_eq(self):
1551 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1552 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1553 assert gn == gn2
1554
1555 def test_ne(self):
1556 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1557 assert gn != object()
1558
1559 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata2")
1560 assert gn != gn2
1561
1562 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.5"), b"derdata")
1563 assert gn != gn2
1564
1565
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1566class TestGeneralNames(object):
1567 def test_get_values_for_type(self):
1568 gns = x509.GeneralNames(
1569 [x509.DNSName(u"cryptography.io")]
1570 )
1571 names = gns.get_values_for_type(x509.DNSName)
1572 assert names == [u"cryptography.io"]
1573
1574 def test_iter_names(self):
1575 gns = x509.GeneralNames([
1576 x509.DNSName(u"cryptography.io"),
1577 x509.DNSName(u"crypto.local"),
1578 ])
1579 assert len(gns) == 2
1580 assert list(gns) == [
1581 x509.DNSName(u"cryptography.io"),
1582 x509.DNSName(u"crypto.local"),
1583 ]
1584
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1585 def test_indexing(self):
1586 gn = x509.GeneralNames([
1587 x509.DNSName(u"cryptography.io"),
1588 x509.DNSName(u"crypto.local"),
1589 x509.DNSName(u"another.local"),
1590 x509.RFC822Name(u"email@another.local"),
1591 x509.UniformResourceIdentifier(u"http://another.local"),
1592 ])
1593 assert gn[-1] == gn[4]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame]1594 assert gn[2:6:2] == [gn[2], gn[4]]
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1595
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1596 def test_invalid_general_names(self):
1597 with pytest.raises(TypeError):
1598 x509.GeneralNames(
1599 [x509.DNSName(u"cryptography.io"), "invalid"]
1600 )
1601
1602 def test_repr(self):
1603 gns = x509.GeneralNames(
1604 [
1605 x509.DNSName(u"cryptography.io")
1606 ]
1607 )
1608 assert repr(gns) == (
1609 "<GeneralNames([<DNSName(value=cryptography.io)>])>"
1610 )
1611
1612 def test_eq(self):
1613 gns = x509.GeneralNames(
1614 [x509.DNSName(u"cryptography.io")]
1615 )
1616 gns2 = x509.GeneralNames(
1617 [x509.DNSName(u"cryptography.io")]
1618 )
1619 assert gns == gns2
1620
1621 def test_ne(self):
1622 gns = x509.GeneralNames(
1623 [x509.DNSName(u"cryptography.io")]
1624 )
1625 gns2 = x509.GeneralNames(
1626 [x509.RFC822Name(u"admin@cryptography.io")]
1627 )
1628 assert gns != gns2
1629 assert gns != object()
1630
1631
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1632class TestIssuerAlternativeName(object):
1633 def test_get_values_for_type(self):
1634 san = x509.IssuerAlternativeName(
1635 [x509.DNSName(u"cryptography.io")]
1636 )
1637 names = san.get_values_for_type(x509.DNSName)
1638 assert names == [u"cryptography.io"]
1639
1640 def test_iter_names(self):
1641 san = x509.IssuerAlternativeName([
1642 x509.DNSName(u"cryptography.io"),
1643 x509.DNSName(u"crypto.local"),
1644 ])
1645 assert len(san) == 2
1646 assert list(san) == [
1647 x509.DNSName(u"cryptography.io"),
1648 x509.DNSName(u"crypto.local"),
1649 ]
1650
Paul Kehrer5c999d32015-12-26 17:45:20 -0600[diff] [blame]1651 def test_indexing(self):
1652 ian = x509.IssuerAlternativeName([
1653 x509.DNSName(u"cryptography.io"),
1654 x509.DNSName(u"crypto.local"),
1655 x509.DNSName(u"another.local"),
1656 x509.RFC822Name(u"email@another.local"),
1657 x509.UniformResourceIdentifier(u"http://another.local"),
1658 ])
1659 assert ian[-1] == ian[4]
1660 assert ian[2:6:2] == [ian[2], ian[4]]
1661
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1662 def test_invalid_general_names(self):
1663 with pytest.raises(TypeError):
1664 x509.IssuerAlternativeName(
1665 [x509.DNSName(u"cryptography.io"), "invalid"]
1666 )
1667
1668 def test_repr(self):
1669 san = x509.IssuerAlternativeName(
1670 [
1671 x509.DNSName(u"cryptography.io")
1672 ]
1673 )
1674 assert repr(san) == (
1675 "<IssuerAlternativeName("
1676 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
1677 )
1678
1679 def test_eq(self):
1680 san = x509.IssuerAlternativeName(
1681 [x509.DNSName(u"cryptography.io")]
1682 )
1683 san2 = x509.IssuerAlternativeName(
1684 [x509.DNSName(u"cryptography.io")]
1685 )
1686 assert san == san2
1687
1688 def test_ne(self):
1689 san = x509.IssuerAlternativeName(
1690 [x509.DNSName(u"cryptography.io")]
1691 )
1692 san2 = x509.IssuerAlternativeName(
1693 [x509.RFC822Name(u"admin@cryptography.io")]
1694 )
1695 assert san != san2
1696 assert san != object()
1697
1698
Alex Gaynorf1c17672015-06-20 14:20:20 -0400[diff] [blame]1699@pytest.mark.requires_backend_interface(interface=RSABackend)
1700@pytest.mark.requires_backend_interface(interface=X509Backend)
1701class TestRSAIssuerAlternativeNameExtension(object):
1702 def test_uri(self, backend):
1703 cert = _load_cert(
1704 os.path.join("x509", "custom", "ian_uri.pem"),
1705 x509.load_pem_x509_certificate,
1706 backend,
1707 )
1708 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1709 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Alex Gaynorf1c17672015-06-20 14:20:20 -0400[diff] [blame]1710 )
1711 assert list(ext.value) == [
1712 x509.UniformResourceIdentifier(u"http://path.to.root/root.crt"),
1713 ]
1714
1715
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]1716class TestCRLNumber(object):
1717 def test_eq(self):
1718 crl_number = x509.CRLNumber(15)
1719 assert crl_number == x509.CRLNumber(15)
1720
1721 def test_ne(self):
1722 crl_number = x509.CRLNumber(15)
1723 assert crl_number != x509.CRLNumber(14)
1724 assert crl_number != object()
1725
1726 def test_repr(self):
1727 crl_number = x509.CRLNumber(15)
1728 assert repr(crl_number) == "<CRLNumber(15)>"
1729
Paul Kehrera9718fc2015-12-22 22:55:35 -0600[diff] [blame]1730 def test_invalid_number(self):
1731 with pytest.raises(TypeError):
1732 x509.CRLNumber("notanumber")
1733
Alex Gaynorf9a77b62015-12-26 12:14:25 -0500[diff] [blame]1734 def test_hash(self):
1735 c1 = x509.CRLNumber(1)
1736 c2 = x509.CRLNumber(1)
1737 c3 = x509.CRLNumber(2)
1738 assert hash(c1) == hash(c2)
1739 assert hash(c1) != hash(c3)
1740
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]1741
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1742class TestSubjectAlternativeName(object):
1743 def test_get_values_for_type(self):
1744 san = x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1745 [x509.DNSName(u"cryptography.io")]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1746 )
1747 names = san.get_values_for_type(x509.DNSName)
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1748 assert names == [u"cryptography.io"]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1749
1750 def test_iter_names(self):
1751 san = x509.SubjectAlternativeName([
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1752 x509.DNSName(u"cryptography.io"),
1753 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1754 ])
1755 assert len(san) == 2
1756 assert list(san) == [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1757 x509.DNSName(u"cryptography.io"),
1758 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1759 ]
1760
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1761 def test_indexing(self):
1762 san = x509.SubjectAlternativeName([
1763 x509.DNSName(u"cryptography.io"),
1764 x509.DNSName(u"crypto.local"),
1765 x509.DNSName(u"another.local"),
1766 x509.RFC822Name(u"email@another.local"),
1767 x509.UniformResourceIdentifier(u"http://another.local"),
1768 ])
1769 assert san[-1] == san[4]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame]1770 assert san[2:6:2] == [san[2], san[4]]
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1771
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1772 def test_invalid_general_names(self):
1773 with pytest.raises(TypeError):
1774 x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1775 [x509.DNSName(u"cryptography.io"), "invalid"]
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1776 )
1777
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1778 def test_repr(self):
1779 san = x509.SubjectAlternativeName(
1780 [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1781 x509.DNSName(u"cryptography.io")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1782 ]
1783 )
1784 assert repr(san) == (
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1785 "<SubjectAlternativeName("
1786 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1787 )
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1788
Paul Kehrer58cc3972015-05-13 10:00:41 -0500[diff] [blame]1789 def test_eq(self):
1790 san = x509.SubjectAlternativeName(
1791 [x509.DNSName(u"cryptography.io")]
1792 )
1793 san2 = x509.SubjectAlternativeName(
1794 [x509.DNSName(u"cryptography.io")]
1795 )
1796 assert san == san2
1797
1798 def test_ne(self):
1799 san = x509.SubjectAlternativeName(
1800 [x509.DNSName(u"cryptography.io")]
1801 )
1802 san2 = x509.SubjectAlternativeName(
1803 [x509.RFC822Name(u"admin@cryptography.io")]
1804 )
1805 assert san != san2
1806 assert san != object()
1807
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1808
1809@pytest.mark.requires_backend_interface(interface=RSABackend)
1810@pytest.mark.requires_backend_interface(interface=X509Backend)
1811class TestRSASubjectAlternativeNameExtension(object):
1812 def test_dns_name(self, backend):
1813 cert = _load_cert(
1814 os.path.join("x509", "cryptography.io.pem"),
1815 x509.load_pem_x509_certificate,
1816 backend
1817 )
1818 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1819 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1820 )
1821 assert ext is not None
1822 assert ext.critical is False
1823
1824 san = ext.value
1825
1826 dns = san.get_values_for_type(x509.DNSName)
1827 assert dns == [u"www.cryptography.io", u"cryptography.io"]
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1828
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1829 def test_wildcard_dns_name(self, backend):
1830 cert = _load_cert(
1831 os.path.join("x509", "wildcard_san.pem"),
1832 x509.load_pem_x509_certificate,
1833 backend
1834 )
1835 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1836 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1837 )
1838
1839 dns = ext.value.get_values_for_type(x509.DNSName)
1840 assert dns == [
1841 u'*.langui.sh',
1842 u'langui.sh',
1843 u'*.saseliminator.com',
1844 u'saseliminator.com'
1845 ]
1846
Dominic Chen87bb9572015-10-09 00:23:07 -0400[diff] [blame]1847 def test_san_empty_hostname(self, backend):
1848 cert = _load_cert(
1849 os.path.join(
1850 "x509", "custom", "san_empty_hostname.pem"
1851 ),
1852 x509.load_pem_x509_certificate,
1853 backend
1854 )
1855 san = cert.extensions.get_extension_for_oid(
1856 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
1857 )
1858
1859 dns = san.value.get_values_for_type(x509.DNSName)
1860 assert dns == [u'']
1861
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1862 def test_san_wildcard_idna_dns_name(self, backend):
1863 cert = _load_cert(
1864 os.path.join("x509", "custom", "san_wildcard_idna.pem"),
1865 x509.load_pem_x509_certificate,
1866 backend
1867 )
1868 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1869 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1870 )
1871
1872 dns = ext.value.get_values_for_type(x509.DNSName)
1873 assert dns == [u'*.\u043f\u044b\u043a\u0430.cryptography']
1874
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1875 def test_unsupported_gn(self, backend):
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1876 cert = _load_cert(
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1877 os.path.join("x509", "san_x400address.der"),
1878 x509.load_der_x509_certificate,
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1879 backend
1880 )
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1881 with pytest.raises(x509.UnsupportedGeneralNameType) as exc:
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1882 cert.extensions
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1883
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1884 assert exc.value.type == 3
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1885
1886 def test_registered_id(self, backend):
1887 cert = _load_cert(
1888 os.path.join(
1889 "x509", "custom", "san_registered_id.pem"
1890 ),
1891 x509.load_pem_x509_certificate,
1892 backend
1893 )
1894 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1895 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1896 )
1897 assert ext is not None
1898 assert ext.critical is False
1899
1900 san = ext.value
1901 rid = san.get_values_for_type(x509.RegisteredID)
1902 assert rid == [x509.ObjectIdentifier("1.2.3.4")]
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1903
1904 def test_uri(self, backend):
1905 cert = _load_cert(
1906 os.path.join(
1907 "x509", "custom", "san_uri_with_port.pem"
1908 ),
1909 x509.load_pem_x509_certificate,
1910 backend
1911 )
1912 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1913 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1914 )
1915 assert ext is not None
1916 uri = ext.value.get_values_for_type(
1917 x509.UniformResourceIdentifier
1918 )
1919 assert uri == [
1920 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/path?q=s#hel"
1921 u"lo",
1922 u"http://someregulardomain.com",
1923 ]
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1924
1925 def test_ipaddress(self, backend):
1926 cert = _load_cert(
1927 os.path.join(
1928 "x509", "custom", "san_ipaddr.pem"
1929 ),
1930 x509.load_pem_x509_certificate,
1931 backend
1932 )
1933 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1934 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1935 )
1936 assert ext is not None
1937 assert ext.critical is False
1938
1939 san = ext.value
1940
1941 ip = san.get_values_for_type(x509.IPAddress)
1942 assert [
1943 ipaddress.ip_address(u"127.0.0.1"),
1944 ipaddress.ip_address(u"ff::")
1945 ] == ip
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1946
1947 def test_dirname(self, backend):
1948 cert = _load_cert(
1949 os.path.join(
1950 "x509", "custom", "san_dirname.pem"
1951 ),
1952 x509.load_pem_x509_certificate,
1953 backend
1954 )
1955 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1956 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1957 )
1958 assert ext is not None
1959 assert ext.critical is False
1960
1961 san = ext.value
1962
1963 dirname = san.get_values_for_type(x509.DirectoryName)
1964 assert [
1965 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1966 x509.NameAttribute(NameOID.COMMON_NAME, u'test'),
1967 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org'),
1968 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1969 ])
1970 ] == dirname
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1971
1972 def test_rfc822name(self, backend):
1973 cert = _load_cert(
1974 os.path.join(
1975 "x509", "custom", "san_rfc822_idna.pem"
1976 ),
1977 x509.load_pem_x509_certificate,
1978 backend
1979 )
1980 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1981 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1982 )
1983 assert ext is not None
1984 assert ext.critical is False
1985
1986 san = ext.value
1987
1988 rfc822name = san.get_values_for_type(x509.RFC822Name)
1989 assert [u"email@em\xe5\xefl.com"] == rfc822name
1990
Paul Kehrerb8968812015-05-15 09:01:34 -0700[diff] [blame]1991 def test_idna2003_invalid(self, backend):
1992 cert = _load_cert(
1993 os.path.join(
1994 "x509", "custom", "san_idna2003_dnsname.pem"
1995 ),
1996 x509.load_pem_x509_certificate,
1997 backend
1998 )
1999 with pytest.raises(UnicodeError):
2000 cert.extensions
2001
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]2002 def test_unicode_rfc822_name_dns_name_uri(self, backend):
2003 cert = _load_cert(
2004 os.path.join(
2005 "x509", "custom", "san_idna_names.pem"
2006 ),
2007 x509.load_pem_x509_certificate,
2008 backend
2009 )
2010 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2011 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]2012 )
2013 assert ext is not None
2014 rfc822_name = ext.value.get_values_for_type(x509.RFC822Name)
2015 dns_name = ext.value.get_values_for_type(x509.DNSName)
2016 uri = ext.value.get_values_for_type(x509.UniformResourceIdentifier)
2017 assert rfc822_name == [u"email@\u043f\u044b\u043a\u0430.cryptography"]
2018 assert dns_name == [u"\u043f\u044b\u043a\u0430.cryptography"]
2019 assert uri == [u"https://www.\u043f\u044b\u043a\u0430.cryptography"]
2020
2021 def test_rfc822name_dnsname_ipaddress_directoryname_uri(self, backend):
2022 cert = _load_cert(
2023 os.path.join(
2024 "x509", "custom", "san_email_dns_ip_dirname_uri.pem"
2025 ),
2026 x509.load_pem_x509_certificate,
2027 backend
2028 )
2029 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2030 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]2031 )
2032 assert ext is not None
2033 assert ext.critical is False
2034
2035 san = ext.value
2036
2037 rfc822_name = san.get_values_for_type(x509.RFC822Name)
2038 uri = san.get_values_for_type(x509.UniformResourceIdentifier)
2039 dns = san.get_values_for_type(x509.DNSName)
2040 ip = san.get_values_for_type(x509.IPAddress)
2041 dirname = san.get_values_for_type(x509.DirectoryName)
2042 assert [u"user@cryptography.io"] == rfc822_name
Paul Kehrere3a330c2015-05-02 16:42:52 -0500[diff] [blame]2043 assert [u"https://cryptography.io"] == uri
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]2044 assert [u"cryptography.io"] == dns
2045 assert [
2046 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2047 x509.NameAttribute(NameOID.COMMON_NAME, u'dirCN'),
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]2048 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2049 NameOID.ORGANIZATION_NAME, u'Cryptographic Authority'
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]2050 ),
2051 ])
2052 ] == dirname
2053 assert [
2054 ipaddress.ip_address(u"127.0.0.1"),
2055 ipaddress.ip_address(u"ff::")
2056 ] == ip
2057
2058 def test_invalid_rfc822name(self, backend):
2059 cert = _load_cert(
2060 os.path.join(
2061 "x509", "custom", "san_rfc822_names.pem"
2062 ),
2063 x509.load_pem_x509_certificate,
2064 backend
2065 )
2066 with pytest.raises(ValueError) as exc:
2067 cert.extensions
2068
2069 assert 'Invalid rfc822name value' in str(exc.value)
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]2070
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2071 def test_other_name(self, backend):
2072 cert = _load_cert(
2073 os.path.join(
2074 "x509", "custom", "san_other_name.pem"
2075 ),
2076 x509.load_pem_x509_certificate,
2077 backend
2078 )
2079
2080 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2081 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2082 )
2083 assert ext is not None
2084 assert ext.critical is False
2085
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]2086 expected = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"),
2087 b'\x16\x0bHello World')
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2088 assert len(ext.value) == 1
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]2089 assert list(ext.value)[0] == expected
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2090
2091 othernames = ext.value.get_values_for_type(x509.OtherName)
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]2092 assert othernames == [expected]
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2093
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]2094
2095@pytest.mark.requires_backend_interface(interface=RSABackend)
2096@pytest.mark.requires_backend_interface(interface=X509Backend)
2097class TestExtendedKeyUsageExtension(object):
2098 def test_eku(self, backend):
2099 cert = _load_cert(
2100 os.path.join(
2101 "x509", "custom", "extended_key_usage.pem"
2102 ),
2103 x509.load_pem_x509_certificate,
2104 backend
2105 )
2106 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2107 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]2108 )
2109 assert ext is not None
2110 assert ext.critical is False
2111
2112 assert [
2113 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
2114 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
2115 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.3"),
2116 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.4"),
2117 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.9"),
2118 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.8"),
2119 x509.ObjectIdentifier("2.5.29.37.0"),
2120 x509.ObjectIdentifier("2.16.840.1.113730.4.1"),
2121 ] == list(ext.value)
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2122
2123
2124class TestAccessDescription(object):
2125 def test_invalid_access_method(self):
Nick Bastind06763d2015-12-12 18:32:59 -0800[diff] [blame]2126 with pytest.raises(TypeError):
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2127 x509.AccessDescription("notanoid", x509.DNSName(u"test"))
2128
2129 def test_invalid_access_location(self):
2130 with pytest.raises(TypeError):
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2131 x509.AccessDescription(
2132 AuthorityInformationAccessOID.CA_ISSUERS, "invalid"
2133 )
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2134
Nick Bastind2ecf862015-12-13 05:44:46 -0800[diff] [blame]2135 def test_valid_nonstandard_method(self):
Nick Bastin326fc8e2015-12-12 19:08:12 -0800[diff] [blame]2136 ad = x509.AccessDescription(
2137 ObjectIdentifier("2.999.1"),
2138 x509.UniformResourceIdentifier(u"http://example.com")
2139 )
Nick Bastin11f0f8a2015-12-12 18:54:12 -0800[diff] [blame]2140 assert ad is not None
2141
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2142 def test_repr(self):
2143 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2144 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2145 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2146 )
2147 assert repr(ad) == (
2148 "<AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5."
2149 "5.7.48.1, name=OCSP)>, access_location=<UniformResourceIdentifier"
2150 "(value=http://ocsp.domain.com)>)>"
2151 )
2152
2153 def test_eq(self):
2154 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2155 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2156 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2157 )
2158 ad2 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2159 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2160 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2161 )
2162 assert ad == ad2
2163
2164 def test_ne(self):
2165 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2166 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2167 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2168 )
2169 ad2 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2170 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2171 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2172 )
2173 ad3 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2174 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2175 x509.UniformResourceIdentifier(u"http://notthesame")
2176 )
2177 assert ad != ad2
2178 assert ad != ad3
2179 assert ad != object()
2180
2181
2182class TestAuthorityInformationAccess(object):
2183 def test_invalid_descriptions(self):
2184 with pytest.raises(TypeError):
2185 x509.AuthorityInformationAccess(["notanAccessDescription"])
2186
2187 def test_iter_len(self):
2188 aia = x509.AuthorityInformationAccess([
2189 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2190 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2191 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2192 ),
2193 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2194 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2195 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2196 )
2197 ])
2198 assert len(aia) == 2
2199 assert list(aia) == [
2200 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2201 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2202 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2203 ),
2204 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2205 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2206 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2207 )
2208 ]
2209
2210 def test_repr(self):
2211 aia = x509.AuthorityInformationAccess([
2212 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2213 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2214 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2215 ),
2216 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2217 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2218 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2219 )
2220 ])
2221 assert repr(aia) == (
2222 "<AuthorityInformationAccess([<AccessDescription(access_method=<Ob"
2223 "jectIdentifier(oid=1.3.6.1.5.5.7.48.1, name=OCSP)>, access_locati"
2224 "on=<UniformResourceIdentifier(value=http://ocsp.domain.com)>)>, <"
2225 "AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5.5"
2226 ".7.48.2, name=caIssuers)>, access_location=<UniformResourceIdenti"
2227 "fier(value=http://domain.com/ca.crt)>)>])>"
2228 )
2229
2230 def test_eq(self):
2231 aia = x509.AuthorityInformationAccess([
2232 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2233 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2234 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2235 ),
2236 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2237 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2238 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2239 )
2240 ])
2241 aia2 = x509.AuthorityInformationAccess([
2242 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2243 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2244 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2245 ),
2246 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2247 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2248 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2249 )
2250 ])
2251 assert aia == aia2
2252
2253 def test_ne(self):
2254 aia = x509.AuthorityInformationAccess([
2255 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2256 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2257 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2258 ),
2259 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2260 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2261 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2262 )
2263 ])
2264 aia2 = x509.AuthorityInformationAccess([
2265 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2266 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2267 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2268 ),
2269 ])
2270
2271 assert aia != aia2
2272 assert aia != object()
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2273
Paul Kehrerad4b3592015-12-27 17:27:40 -0600[diff] [blame]2274 def test_indexing(self):
2275 aia = x509.AuthorityInformationAccess([
2276 x509.AccessDescription(
2277 AuthorityInformationAccessOID.OCSP,
2278 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2279 ),
2280 x509.AccessDescription(
2281 AuthorityInformationAccessOID.CA_ISSUERS,
2282 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2283 ),
2284 x509.AccessDescription(
2285 AuthorityInformationAccessOID.OCSP,
2286 x509.UniformResourceIdentifier(u"http://ocsp2.domain.com")
2287 ),
2288 x509.AccessDescription(
2289 AuthorityInformationAccessOID.OCSP,
2290 x509.UniformResourceIdentifier(u"http://ocsp3.domain.com")
2291 ),
2292 x509.AccessDescription(
2293 AuthorityInformationAccessOID.OCSP,
2294 x509.UniformResourceIdentifier(u"http://ocsp4.domain.com")
2295 ),
2296 ])
2297 assert aia[-1] == aia[4]
2298 assert aia[2:6:2] == [aia[2], aia[4]]
2299
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2300
2301@pytest.mark.requires_backend_interface(interface=RSABackend)
2302@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2303class TestAuthorityInformationAccessExtension(object):
2304 def test_aia_ocsp_ca_issuers(self, backend):
2305 cert = _load_cert(
2306 os.path.join("x509", "cryptography.io.pem"),
2307 x509.load_pem_x509_certificate,
2308 backend
2309 )
2310 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2311 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2312 )
2313 assert ext is not None
2314 assert ext.critical is False
2315
2316 assert ext.value == x509.AuthorityInformationAccess([
2317 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2318 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2319 x509.UniformResourceIdentifier(u"http://gv.symcd.com")
2320 ),
2321 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2322 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2323 x509.UniformResourceIdentifier(u"http://gv.symcb.com/gv.crt")
2324 ),
2325 ])
2326
2327 def test_aia_multiple_ocsp_ca_issuers(self, backend):
2328 cert = _load_cert(
2329 os.path.join("x509", "custom", "aia_ocsp_ca_issuers.pem"),
2330 x509.load_pem_x509_certificate,
2331 backend
2332 )
2333 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2334 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2335 )
2336 assert ext is not None
2337 assert ext.critical is False
2338
2339 assert ext.value == x509.AuthorityInformationAccess([
2340 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2341 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2342 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2343 ),
2344 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2345 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2346 x509.UniformResourceIdentifier(u"http://ocsp2.domain.com")
2347 ),
2348 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2349 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2350 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2351 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
2352 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2353 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2354 ]))
2355 ),
2356 ])
2357
2358 def test_aia_ocsp_only(self, backend):
2359 cert = _load_cert(
2360 os.path.join("x509", "custom", "aia_ocsp.pem"),
2361 x509.load_pem_x509_certificate,
2362 backend
2363 )
2364 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2365 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2366 )
2367 assert ext is not None
2368 assert ext.critical is False
2369
2370 assert ext.value == x509.AuthorityInformationAccess([
2371 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2372 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2373 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2374 ),
2375 ])
2376
2377 def test_aia_ca_issuers_only(self, backend):
2378 cert = _load_cert(
2379 os.path.join("x509", "custom", "aia_ca_issuers.pem"),
2380 x509.load_pem_x509_certificate,
2381 backend
2382 )
2383 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2384 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2385 )
2386 assert ext is not None
2387 assert ext.critical is False
2388
2389 assert ext.value == x509.AuthorityInformationAccess([
2390 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2391 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2392 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2393 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
2394 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2395 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2396 ]))
2397 ),
2398 ])
2399
2400
2401@pytest.mark.requires_backend_interface(interface=RSABackend)
2402@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2403class TestAuthorityKeyIdentifierExtension(object):
2404 def test_aki_keyid(self, backend):
2405 cert = _load_cert(
2406 os.path.join(
2407 "x509", "cryptography.io.pem"
2408 ),
2409 x509.load_pem_x509_certificate,
2410 backend
2411 )
2412 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2413 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2414 )
2415 assert ext is not None
2416 assert ext.critical is False
2417
2418 assert ext.value.key_identifier == (
2419 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08\xcbY"
2420 )
2421 assert ext.value.authority_cert_issuer is None
2422 assert ext.value.authority_cert_serial_number is None
2423
2424 def test_aki_all_fields(self, backend):
2425 cert = _load_cert(
2426 os.path.join(
2427 "x509", "custom", "authority_key_identifier.pem"
2428 ),
2429 x509.load_pem_x509_certificate,
2430 backend
2431 )
2432 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2433 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2434 )
2435 assert ext is not None
2436 assert ext.critical is False
2437
2438 assert ext.value.key_identifier == (
2439 b"9E>\xca=b\x1d\xea\x86I\xf6Z\xab@\xb7\xa4p\x98\xf1\xec"
2440 )
2441 assert ext.value.authority_cert_issuer == [
2442 x509.DirectoryName(
2443 x509.Name([
2444 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2445 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2446 ),
2447 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2448 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2449 )
2450 ])
2451 )
2452 ]
2453 assert ext.value.authority_cert_serial_number == 3
2454
2455 def test_aki_no_keyid(self, backend):
2456 cert = _load_cert(
2457 os.path.join(
2458 "x509", "custom", "authority_key_identifier_no_keyid.pem"
2459 ),
2460 x509.load_pem_x509_certificate,
2461 backend
2462 )
2463 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2464 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2465 )
2466 assert ext is not None
2467 assert ext.critical is False
2468
2469 assert ext.value.key_identifier is None
2470 assert ext.value.authority_cert_issuer == [
2471 x509.DirectoryName(
2472 x509.Name([
2473 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2474 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2475 ),
2476 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2477 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2478 )
2479 ])
2480 )
2481 ]
2482 assert ext.value.authority_cert_serial_number == 3
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2483
Paul Kehrer253929a2015-08-05 17:30:39 +0100[diff] [blame]2484 def test_from_certificate(self, backend):
2485 issuer_cert = _load_cert(
2486 os.path.join("x509", "rapidssl_sha256_ca_g3.pem"),
2487 x509.load_pem_x509_certificate,
2488 backend
2489 )
2490 cert = _load_cert(
2491 os.path.join("x509", "cryptography.io.pem"),
2492 x509.load_pem_x509_certificate,
2493 backend
2494 )
2495 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2496 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrer253929a2015-08-05 17:30:39 +0100[diff] [blame]2497 )
2498 aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(
2499 issuer_cert.public_key()
2500 )
2501 assert ext.value == aki
2502
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2503
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2504class TestNameConstraints(object):
2505 def test_ipaddress_wrong_type(self):
2506 with pytest.raises(TypeError):
2507 x509.NameConstraints(
2508 permitted_subtrees=[
2509 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2510 ],
2511 excluded_subtrees=None
2512 )
2513
2514 with pytest.raises(TypeError):
2515 x509.NameConstraints(
2516 permitted_subtrees=None,
2517 excluded_subtrees=[
2518 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2519 ]
2520 )
2521
2522 def test_ipaddress_allowed_type(self):
2523 permitted = [x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29"))]
2524 excluded = [x509.IPAddress(ipaddress.IPv4Network(u"10.10.0.0/24"))]
2525 nc = x509.NameConstraints(
2526 permitted_subtrees=permitted,
2527 excluded_subtrees=excluded
2528 )
2529 assert nc.permitted_subtrees == permitted
2530 assert nc.excluded_subtrees == excluded
2531
2532 def test_invalid_permitted_subtrees(self):
2533 with pytest.raises(TypeError):
2534 x509.NameConstraints("badpermitted", None)
2535
2536 def test_invalid_excluded_subtrees(self):
2537 with pytest.raises(TypeError):
2538 x509.NameConstraints(None, "badexcluded")
2539
2540 def test_no_subtrees(self):
2541 with pytest.raises(ValueError):
2542 x509.NameConstraints(None, None)
2543
2544 def test_permitted_none(self):
2545 excluded = [x509.DNSName(u"name.local")]
2546 nc = x509.NameConstraints(
2547 permitted_subtrees=None, excluded_subtrees=excluded
2548 )
2549 assert nc.permitted_subtrees is None
2550 assert nc.excluded_subtrees is not None
2551
2552 def test_excluded_none(self):
2553 permitted = [x509.DNSName(u"name.local")]
2554 nc = x509.NameConstraints(
2555 permitted_subtrees=permitted, excluded_subtrees=None
2556 )
2557 assert nc.permitted_subtrees is not None
2558 assert nc.excluded_subtrees is None
2559
2560 def test_repr(self):
2561 permitted = [x509.DNSName(u"name.local"), x509.DNSName(u"name2.local")]
2562 nc = x509.NameConstraints(
2563 permitted_subtrees=permitted,
2564 excluded_subtrees=None
2565 )
2566 assert repr(nc) == (
2567 "<NameConstraints(permitted_subtrees=[<DNSName(value=name.local)>"
2568 ", <DNSName(value=name2.local)>], excluded_subtrees=None)>"
2569 )
2570
Paul Kehrer31894282015-06-21 21:46:41 -0500[diff] [blame]2571 def test_eq(self):
2572 nc = x509.NameConstraints(
2573 permitted_subtrees=[x509.DNSName(u"name.local")],
2574 excluded_subtrees=[x509.DNSName(u"name2.local")]
2575 )
2576 nc2 = x509.NameConstraints(
2577 permitted_subtrees=[x509.DNSName(u"name.local")],
2578 excluded_subtrees=[x509.DNSName(u"name2.local")]
2579 )
2580 assert nc == nc2
2581
2582 def test_ne(self):
2583 nc = x509.NameConstraints(
2584 permitted_subtrees=[x509.DNSName(u"name.local")],
2585 excluded_subtrees=[x509.DNSName(u"name2.local")]
2586 )
2587 nc2 = x509.NameConstraints(
2588 permitted_subtrees=[x509.DNSName(u"name.local")],
2589 excluded_subtrees=None
2590 )
2591 nc3 = x509.NameConstraints(
2592 permitted_subtrees=None,
2593 excluded_subtrees=[x509.DNSName(u"name2.local")]
2594 )
2595
2596 assert nc != nc2
2597 assert nc != nc3
2598 assert nc != object()
2599
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2600
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2601@pytest.mark.requires_backend_interface(interface=RSABackend)
2602@pytest.mark.requires_backend_interface(interface=X509Backend)
2603class TestNameConstraintsExtension(object):
2604 def test_permitted_excluded(self, backend):
2605 cert = _load_cert(
2606 os.path.join(
2607 "x509", "custom", "nc_permitted_excluded_2.pem"
2608 ),
2609 x509.load_pem_x509_certificate,
2610 backend
2611 )
2612 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2613 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2614 ).value
2615 assert nc == x509.NameConstraints(
2616 permitted_subtrees=[
2617 x509.DNSName(u"zombo.local"),
2618 ],
2619 excluded_subtrees=[
2620 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2621 x509.NameAttribute(NameOID.COMMON_NAME, u"zombo")
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2622 ]))
2623 ]
2624 )
2625
2626 def test_permitted(self, backend):
2627 cert = _load_cert(
2628 os.path.join(
2629 "x509", "custom", "nc_permitted_2.pem"
2630 ),
2631 x509.load_pem_x509_certificate,
2632 backend
2633 )
2634 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2635 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2636 ).value
2637 assert nc == x509.NameConstraints(
2638 permitted_subtrees=[
2639 x509.DNSName(u"zombo.local"),
2640 ],
2641 excluded_subtrees=None
2642 )
2643
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2644 def test_permitted_with_leading_period(self, backend):
2645 cert = _load_cert(
2646 os.path.join(
2647 "x509", "custom", "nc_permitted.pem"
2648 ),
2649 x509.load_pem_x509_certificate,
2650 backend
2651 )
2652 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2653 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2654 ).value
2655 assert nc == x509.NameConstraints(
2656 permitted_subtrees=[
2657 x509.DNSName(u".cryptography.io"),
2658 x509.UniformResourceIdentifier(u"ftp://cryptography.test")
2659 ],
2660 excluded_subtrees=None
2661 )
2662
2663 def test_excluded_with_leading_period(self, backend):
2664 cert = _load_cert(
2665 os.path.join(
2666 "x509", "custom", "nc_excluded.pem"
2667 ),
2668 x509.load_pem_x509_certificate,
2669 backend
2670 )
2671 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2672 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2673 ).value
2674 assert nc == x509.NameConstraints(
2675 permitted_subtrees=None,
2676 excluded_subtrees=[
2677 x509.DNSName(u".cryptography.io"),
2678 x509.UniformResourceIdentifier(u"gopher://cryptography.test")
2679 ]
2680 )
2681
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2682 def test_permitted_excluded_with_ips(self, backend):
2683 cert = _load_cert(
2684 os.path.join(
2685 "x509", "custom", "nc_permitted_excluded.pem"
2686 ),
2687 x509.load_pem_x509_certificate,
2688 backend
2689 )
2690 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2691 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2692 ).value
2693 assert nc == x509.NameConstraints(
2694 permitted_subtrees=[
2695 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")),
2696 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")),
2697 ],
2698 excluded_subtrees=[
2699 x509.DNSName(u".domain.com"),
2700 x509.UniformResourceIdentifier(u"http://test.local"),
2701 ]
2702 )
2703
Paul Kehrera72ebaf2015-07-01 21:07:37 -0500[diff] [blame]2704 def test_single_ip_netmask(self, backend):
2705 cert = _load_cert(
2706 os.path.join(
2707 "x509", "custom", "nc_single_ip_netmask.pem"
2708 ),
2709 x509.load_pem_x509_certificate,
2710 backend
2711 )
2712 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2713 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrera72ebaf2015-07-01 21:07:37 -0500[diff] [blame]2714 ).value
2715 assert nc == x509.NameConstraints(
2716 permitted_subtrees=[
2717 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/128")),
2718 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.1/32")),
2719 ],
2720 excluded_subtrees=None
2721 )
2722
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2723 def test_invalid_netmask(self, backend):
2724 cert = _load_cert(
2725 os.path.join(
2726 "x509", "custom", "nc_invalid_ip_netmask.pem"
2727 ),
2728 x509.load_pem_x509_certificate,
2729 backend
2730 )
2731 with pytest.raises(ValueError):
2732 cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2733 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2734 )
2735
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2736
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2737class TestDistributionPoint(object):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2738 def test_distribution_point_full_name_not_general_names(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2739 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2740 x509.DistributionPoint(["notgn"], None, None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2741
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2742 def test_distribution_point_relative_name_not_name(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2743 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2744 x509.DistributionPoint(None, "notname", None, None)
2745
2746 def test_distribution_point_full_and_relative_not_none(self):
2747 with pytest.raises(ValueError):
2748 x509.DistributionPoint("data", "notname", None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2749
2750 def test_crl_issuer_not_general_names(self):
2751 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2752 x509.DistributionPoint(None, None, None, ["notgn"])
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2753
2754 def test_reason_not_reasonflags(self):
2755 with pytest.raises(TypeError):
2756 x509.DistributionPoint(
2757 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2758 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2759 frozenset(["notreasonflags"]),
2760 None
2761 )
2762
2763 def test_reason_not_frozenset(self):
2764 with pytest.raises(TypeError):
2765 x509.DistributionPoint(
2766 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2767 None,
2768 [x509.ReasonFlags.ca_compromise],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2769 None
2770 )
2771
2772 def test_disallowed_reasons(self):
2773 with pytest.raises(ValueError):
2774 x509.DistributionPoint(
2775 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2776 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2777 frozenset([x509.ReasonFlags.unspecified]),
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2778 None
2779 )
2780
2781 with pytest.raises(ValueError):
2782 x509.DistributionPoint(
2783 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2784 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2785 frozenset([x509.ReasonFlags.remove_from_crl]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2786 None
2787 )
2788
2789 def test_reason_only(self):
2790 with pytest.raises(ValueError):
2791 x509.DistributionPoint(
2792 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2793 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2794 frozenset([x509.ReasonFlags.aa_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2795 None
2796 )
2797
2798 def test_eq(self):
2799 dp = x509.DistributionPoint(
2800 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2801 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2802 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2803 [
2804 x509.DirectoryName(
2805 x509.Name([
2806 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2807 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2808 )
2809 ])
2810 )
2811 ],
2812 )
2813 dp2 = x509.DistributionPoint(
2814 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2815 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2816 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2817 [
2818 x509.DirectoryName(
2819 x509.Name([
2820 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2821 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2822 )
2823 ])
2824 )
2825 ],
2826 )
2827 assert dp == dp2
2828
2829 def test_ne(self):
2830 dp = x509.DistributionPoint(
2831 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2832 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2833 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2834 [
2835 x509.DirectoryName(
2836 x509.Name([
2837 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2838 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2839 )
2840 ])
2841 )
2842 ],
2843 )
2844 dp2 = x509.DistributionPoint(
2845 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2846 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2847 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2848 None
2849 )
2850 assert dp != dp2
2851 assert dp != object()
2852
2853 def test_repr(self):
2854 dp = x509.DistributionPoint(
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2855 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2856 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2857 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN")
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2858 ]),
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2859 frozenset([x509.ReasonFlags.ca_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2860 [
2861 x509.DirectoryName(
2862 x509.Name([
2863 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2864 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2865 )
2866 ])
2867 )
2868 ],
2869 )
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2870 if six.PY3:
2871 assert repr(dp) == (
2872 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2873 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]2874 ">, value='myCN')>])>, reasons=frozenset({<ReasonFlags.ca_comp"
2875 "romise: 'cACompromise'>}), crl_issuer=[<DirectoryName(value=<"
2876 "Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name="
2877 "commonName)>, value='Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2878 )
2879 else:
2880 assert repr(dp) == (
2881 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2882 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2883 ">, value=u'myCN')>])>, reasons=frozenset([<ReasonFlags.ca_com"
2884 "promise: 'cACompromise'>]), crl_issuer=[<DirectoryName(value="
2885 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
2886 "=commonName)>, value=u'Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2887 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2888
2889
2890class TestCRLDistributionPoints(object):
2891 def test_invalid_distribution_points(self):
2892 with pytest.raises(TypeError):
2893 x509.CRLDistributionPoints(["notadistributionpoint"])
2894
2895 def test_iter_len(self):
2896 cdp = x509.CRLDistributionPoints([
2897 x509.DistributionPoint(
2898 [x509.UniformResourceIdentifier(u"http://domain")],
2899 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2900 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2901 None
2902 ),
2903 x509.DistributionPoint(
2904 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2905 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2906 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2907 x509.ReasonFlags.key_compromise,
2908 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2909 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2910 None
2911 ),
2912 ])
2913 assert len(cdp) == 2
2914 assert list(cdp) == [
2915 x509.DistributionPoint(
2916 [x509.UniformResourceIdentifier(u"http://domain")],
2917 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2918 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2919 None
2920 ),
2921 x509.DistributionPoint(
2922 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2923 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2924 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2925 x509.ReasonFlags.key_compromise,
2926 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2927 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2928 None
2929 ),
2930 ]
2931
2932 def test_repr(self):
2933 cdp = x509.CRLDistributionPoints([
2934 x509.DistributionPoint(
2935 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2936 None,
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2937 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2938 None
2939 ),
2940 ])
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2941 if six.PY3:
2942 assert repr(cdp) == (
2943 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2944 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2945 "ne, reasons=frozenset({<ReasonFlags.key_compromise: 'keyComp"
2946 "romise'>}), crl_issuer=None)>])>"
2947 )
2948 else:
2949 assert repr(cdp) == (
2950 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2951 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2952 "ne, reasons=frozenset([<ReasonFlags.key_compromise: 'keyComp"
2953 "romise'>]), crl_issuer=None)>])>"
2954 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2955
2956 def test_eq(self):
2957 cdp = x509.CRLDistributionPoints([
2958 x509.DistributionPoint(
2959 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2960 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2961 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2962 x509.ReasonFlags.key_compromise,
2963 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2964 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2965 [x509.UniformResourceIdentifier(u"uri://thing")],
2966 ),
2967 ])
2968 cdp2 = x509.CRLDistributionPoints([
2969 x509.DistributionPoint(
2970 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2971 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2972 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2973 x509.ReasonFlags.key_compromise,
2974 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2975 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2976 [x509.UniformResourceIdentifier(u"uri://thing")],
2977 ),
2978 ])
2979 assert cdp == cdp2
2980
2981 def test_ne(self):
2982 cdp = x509.CRLDistributionPoints([
2983 x509.DistributionPoint(
2984 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2985 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2986 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2987 x509.ReasonFlags.key_compromise,
2988 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2989 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2990 [x509.UniformResourceIdentifier(u"uri://thing")],
2991 ),
2992 ])
2993 cdp2 = x509.CRLDistributionPoints([
2994 x509.DistributionPoint(
2995 [x509.UniformResourceIdentifier(u"ftp://domain2")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2996 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2997 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2998 x509.ReasonFlags.key_compromise,
2999 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]3000 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3001 [x509.UniformResourceIdentifier(u"uri://thing")],
3002 ),
3003 ])
3004 cdp3 = x509.CRLDistributionPoints([
3005 x509.DistributionPoint(
3006 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3007 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]3008 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3009 [x509.UniformResourceIdentifier(u"uri://thing")],
3010 ),
3011 ])
3012 cdp4 = x509.CRLDistributionPoints([
3013 x509.DistributionPoint(
3014 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3015 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]3016 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3017 x509.ReasonFlags.key_compromise,
3018 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]3019 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3020 [x509.UniformResourceIdentifier(u"uri://thing2")],
3021 ),
3022 ])
3023 assert cdp != cdp2
3024 assert cdp != cdp3
3025 assert cdp != cdp4
3026 assert cdp != object()
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3027
Paul Kehreree2e92d2015-12-27 17:29:37 -0600[diff] [blame]3028 def test_indexing(self):
3029 ci = x509.CRLDistributionPoints([
3030 x509.DistributionPoint(
3031 None, None, None,
3032 [x509.UniformResourceIdentifier(u"uri://thing")],
3033 ),
3034 x509.DistributionPoint(
3035 None, None, None,
3036 [x509.UniformResourceIdentifier(u"uri://thing2")],
3037 ),
3038 x509.DistributionPoint(
3039 None, None, None,
3040 [x509.UniformResourceIdentifier(u"uri://thing3")],
3041 ),
3042 x509.DistributionPoint(
3043 None, None, None,
3044 [x509.UniformResourceIdentifier(u"uri://thing4")],
3045 ),
3046 x509.DistributionPoint(
3047 None, None, None,
3048 [x509.UniformResourceIdentifier(u"uri://thing5")],
3049 ),
3050 ])
3051 assert ci[-1] == ci[4]
3052 assert ci[2:6:2] == [ci[2], ci[4]]
3053
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3054
3055@pytest.mark.requires_backend_interface(interface=RSABackend)
3056@pytest.mark.requires_backend_interface(interface=X509Backend)
3057class TestCRLDistributionPointsExtension(object):
3058 def test_fullname_and_crl_issuer(self, backend):
3059 cert = _load_cert(
3060 os.path.join(
3061 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest28EE.crt"
3062 ),
3063 x509.load_der_x509_certificate,
3064 backend
3065 )
3066
3067 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3068 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3069 ).value
3070
3071 assert cdps == x509.CRLDistributionPoints([
3072 x509.DistributionPoint(
3073 full_name=[x509.DirectoryName(
3074 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3075 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3076 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3077 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3078 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3079 ),
3080 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3081 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3082 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3083 ),
3084 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3085 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3086 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3087 ),
3088 ])
3089 )],
3090 relative_name=None,
3091 reasons=None,
3092 crl_issuer=[x509.DirectoryName(
3093 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3094 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3095 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3096 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3097 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3098 ),
3099 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3100 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3101 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3102 ),
3103 ])
3104 )],
3105 )
3106 ])
3107
3108 def test_relativename_and_crl_issuer(self, backend):
3109 cert = _load_cert(
3110 os.path.join(
3111 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest29EE.crt"
3112 ),
3113 x509.load_der_x509_certificate,
3114 backend
3115 )
3116
3117 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3118 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3119 ).value
3120
3121 assert cdps == x509.CRLDistributionPoints([
3122 x509.DistributionPoint(
3123 full_name=None,
3124 relative_name=x509.Name([
3125 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3126 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3127 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3128 ),
3129 ]),
3130 reasons=None,
3131 crl_issuer=[x509.DirectoryName(
3132 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3133 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3134 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3135 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3136 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3137 ),
3138 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3139 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3140 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3141 ),
3142 ])
3143 )],
3144 )
3145 ])
3146
3147 def test_fullname_crl_issuer_reasons(self, backend):
3148 cert = _load_cert(
3149 os.path.join(
3150 "x509", "custom", "cdp_fullname_reasons_crl_issuer.pem"
3151 ),
3152 x509.load_pem_x509_certificate,
3153 backend
3154 )
3155
3156 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3157 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3158 ).value
3159
3160 assert cdps == x509.CRLDistributionPoints([
3161 x509.DistributionPoint(
3162 full_name=[x509.UniformResourceIdentifier(
3163 u"http://myhost.com/myca.crl"
3164 )],
3165 relative_name=None,
3166 reasons=frozenset([
3167 x509.ReasonFlags.key_compromise,
3168 x509.ReasonFlags.ca_compromise
3169 ]),
3170 crl_issuer=[x509.DirectoryName(
3171 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3172 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3173 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3174 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3175 ),
3176 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3177 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3178 ),
3179 ])
3180 )],
3181 )
3182 ])
3183
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3184 def test_all_reasons(self, backend):
3185 cert = _load_cert(
3186 os.path.join(
3187 "x509", "custom", "cdp_all_reasons.pem"
3188 ),
3189 x509.load_pem_x509_certificate,
3190 backend
3191 )
3192
3193 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3194 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3195 ).value
3196
3197 assert cdps == x509.CRLDistributionPoints([
3198 x509.DistributionPoint(
3199 full_name=[x509.UniformResourceIdentifier(
3200 u"http://domain.com/some.crl"
3201 )],
3202 relative_name=None,
3203 reasons=frozenset([
3204 x509.ReasonFlags.key_compromise,
3205 x509.ReasonFlags.ca_compromise,
3206 x509.ReasonFlags.affiliation_changed,
3207 x509.ReasonFlags.superseded,
3208 x509.ReasonFlags.privilege_withdrawn,
3209 x509.ReasonFlags.cessation_of_operation,
3210 x509.ReasonFlags.aa_compromise,
3211 x509.ReasonFlags.certificate_hold,
3212 ]),
3213 crl_issuer=None
3214 )
3215 ])
3216
3217 def test_single_reason(self, backend):
3218 cert = _load_cert(
3219 os.path.join(
3220 "x509", "custom", "cdp_reason_aa_compromise.pem"
3221 ),
3222 x509.load_pem_x509_certificate,
3223 backend
3224 )
3225
3226 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3227 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3228 ).value
3229
3230 assert cdps == x509.CRLDistributionPoints([
3231 x509.DistributionPoint(
3232 full_name=[x509.UniformResourceIdentifier(
3233 u"http://domain.com/some.crl"
3234 )],
3235 relative_name=None,
3236 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
3237 crl_issuer=None
3238 )
3239 ])
3240
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3241 def test_crl_issuer_only(self, backend):
3242 cert = _load_cert(
3243 os.path.join(
3244 "x509", "custom", "cdp_crl_issuer.pem"
3245 ),
3246 x509.load_pem_x509_certificate,
3247 backend
3248 )
3249
3250 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3251 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3252 ).value
3253
3254 assert cdps == x509.CRLDistributionPoints([
3255 x509.DistributionPoint(
3256 full_name=None,
3257 relative_name=None,
3258 reasons=None,
3259 crl_issuer=[x509.DirectoryName(
3260 x509.Name([
3261 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3262 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3263 ),
3264 ])
3265 )],
3266 )
3267 ])
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3268
Dominic Chen87bb9572015-10-09 00:23:07 -0400[diff] [blame]3269 def test_crl_empty_hostname(self, backend):
3270 cert = _load_cert(
3271 os.path.join(
3272 "x509", "custom", "cdp_empty_hostname.pem"
3273 ),
3274 x509.load_pem_x509_certificate,
3275 backend
3276 )
3277
3278 cdps = cert.extensions.get_extension_for_oid(
3279 ExtensionOID.CRL_DISTRIBUTION_POINTS
3280 ).value
3281
3282 assert cdps == x509.CRLDistributionPoints([
3283 x509.DistributionPoint(
3284 full_name=[x509.UniformResourceIdentifier(
3285 u"ldap:/CN=A,OU=B,dc=C,DC=D?E?F?G?H=I"
3286 )],
3287 relative_name=None,
3288 reasons=None,
3289 crl_issuer=None
3290 )
3291 ])
3292
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3293
Paul Kehrerf54a50b2015-06-17 18:31:26 -0600[diff] [blame]3294@pytest.mark.requires_backend_interface(interface=RSABackend)
3295@pytest.mark.requires_backend_interface(interface=X509Backend)
3296class TestOCSPNoCheckExtension(object):
3297 def test_nocheck(self, backend):
3298 cert = _load_cert(
3299 os.path.join(
3300 "x509", "custom", "ocsp_nocheck.pem"
3301 ),
3302 x509.load_pem_x509_certificate,
3303 backend
3304 )
3305 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3306 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf54a50b2015-06-17 18:31:26 -0600[diff] [blame]3307 )
3308 assert isinstance(ext.value, x509.OCSPNoCheck)
3309
3310
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3311class TestInhibitAnyPolicy(object):
3312 def test_not_int(self):
3313 with pytest.raises(TypeError):
3314 x509.InhibitAnyPolicy("notint")
3315
3316 def test_negative_int(self):
3317 with pytest.raises(ValueError):
3318 x509.InhibitAnyPolicy(-1)
3319
3320 def test_repr(self):
3321 iap = x509.InhibitAnyPolicy(0)
3322 assert repr(iap) == "<InhibitAnyPolicy(skip_certs=0)>"
3323
3324 def test_eq(self):
3325 iap = x509.InhibitAnyPolicy(1)
3326 iap2 = x509.InhibitAnyPolicy(1)
3327 assert iap == iap2
3328
3329 def test_ne(self):
3330 iap = x509.InhibitAnyPolicy(1)
3331 iap2 = x509.InhibitAnyPolicy(4)
3332 assert iap != iap2
3333 assert iap != object()
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]3334
3335
3336@pytest.mark.requires_backend_interface(interface=RSABackend)
3337@pytest.mark.requires_backend_interface(interface=X509Backend)
3338class TestInhibitAnyPolicyExtension(object):
3339 def test_nocheck(self, backend):
3340 cert = _load_cert(
3341 os.path.join(
3342 "x509", "custom", "inhibit_any_policy_5.pem"
3343 ),
3344 x509.load_pem_x509_certificate,
3345 backend
3346 )
3347 iap = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3348 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]3349 ).value
3350 assert iap.skip_certs == 5
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]3351
3352
3353@pytest.mark.requires_backend_interface(interface=RSABackend)
3354@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1b7500f2015-08-01 20:56:27 +0100[diff] [blame]3355class TestInvalidExtension(object):
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]3356 def test_invalid_certificate_policies_data(self, backend):
3357 cert = _load_cert(
3358 os.path.join(
3359 "x509", "custom", "cp_invalid.pem"
3360 ),
3361 x509.load_pem_x509_certificate,
3362 backend
3363 )
3364 with pytest.raises(ValueError):
3365 cert.extensions