Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 165ac6734a4210f93853271e9a085446cde9ef2a / . / tests / test_x509_ext.py
blob: c94ffae1feb97aaf8596366eb944d298018ac4ea [file] [log] [blame]
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]7import binascii
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]8import ipaddress
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]9import os
10
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]11import pytest
12
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]13import six
14
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]15from cryptography import x509
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]16from cryptography.hazmat.backends.interfaces import (
17 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
18)
19from cryptography.hazmat.primitives.asymmetric import ec
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]20from cryptography.x509.oid import NameOID
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]21
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]22from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]23from .test_x509 import _load_cert
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]24
25
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]26class TestExtension(object):
27 def test_not_an_oid(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]28 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]29 with pytest.raises(TypeError):
30 x509.Extension("notanoid", True, bc)
31
32 def test_critical_not_a_bool(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]33 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]34 with pytest.raises(TypeError):
35 x509.Extension(x509.OID_BASIC_CONSTRAINTS, "notabool", bc)
36
37 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]38 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]39 ext = x509.Extension(x509.OID_BASIC_CONSTRAINTS, True, bc)
40 assert repr(ext) == (
41 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConst"
42 "raints)>, critical=True, value=<BasicConstraints(ca=False, path"
43 "_length=None)>)>"
44 )
45
Paul Kehrer58e870c2015-05-17 09:15:30 -0700[diff] [blame]46 def test_eq(self):
47 ext1 = x509.Extension(
48 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
49 )
50 ext2 = x509.Extension(
51 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
52 )
53 assert ext1 == ext2
54
55 def test_ne(self):
56 ext1 = x509.Extension(
57 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
58 )
59 ext2 = x509.Extension(
60 x509.ObjectIdentifier('1.2.3.5'), False, 'value'
61 )
62 ext3 = x509.Extension(
63 x509.ObjectIdentifier('1.2.3.4'), True, 'value'
64 )
65 ext4 = x509.Extension(
66 x509.ObjectIdentifier('1.2.3.4'), False, 'value4'
67 )
68 assert ext1 != ext2
69 assert ext1 != ext3
70 assert ext1 != ext4
71 assert ext1 != object()
72
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]73
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]74class TestNoticeReference(object):
75 def test_notice_numbers_not_all_int(self):
76 with pytest.raises(TypeError):
77 x509.NoticeReference("org", [1, 2, "three"])
78
79 def test_notice_numbers_none(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]80 with pytest.raises(TypeError):
81 x509.NoticeReference("org", None)
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]82
83 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]84 nr = x509.NoticeReference(u"org", [1, 3, 4])
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]85
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]86 if six.PY3:
87 assert repr(nr) == (
88 "<NoticeReference(organization='org', notice_numbers=[1, 3, 4"
89 "])>"
90 )
91 else:
92 assert repr(nr) == (
93 "<NoticeReference(organization=u'org', notice_numbers=[1, 3, "
94 "4])>"
95 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]96
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]97 def test_eq(self):
98 nr = x509.NoticeReference("org", [1, 2])
99 nr2 = x509.NoticeReference("org", [1, 2])
100 assert nr == nr2
101
102 def test_ne(self):
103 nr = x509.NoticeReference("org", [1, 2])
104 nr2 = x509.NoticeReference("org", [1])
105 nr3 = x509.NoticeReference(None, [1, 2])
106 assert nr != nr2
107 assert nr != nr3
108 assert nr != object()
109
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]110
111class TestUserNotice(object):
112 def test_notice_reference_invalid(self):
113 with pytest.raises(TypeError):
114 x509.UserNotice("invalid", None)
115
116 def test_notice_reference_none(self):
117 un = x509.UserNotice(None, "text")
118 assert un.notice_reference is None
119 assert un.explicit_text == "text"
120
121 def test_repr(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]122 un = x509.UserNotice(x509.NoticeReference(u"org", [1]), u"text")
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]123 if six.PY3:
124 assert repr(un) == (
125 "<UserNotice(notice_reference=<NoticeReference(organization='"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]126 "org', notice_numbers=[1])>, explicit_text='text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]127 )
128 else:
129 assert repr(un) == (
130 "<UserNotice(notice_reference=<NoticeReference(organization=u"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]131 "'org', notice_numbers=[1])>, explicit_text=u'text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]132 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]133
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]134 def test_eq(self):
135 nr = x509.NoticeReference("org", [1, 2])
136 nr2 = x509.NoticeReference("org", [1, 2])
137 un = x509.UserNotice(nr, "text")
138 un2 = x509.UserNotice(nr2, "text")
139 assert un == un2
140
141 def test_ne(self):
142 nr = x509.NoticeReference("org", [1, 2])
143 nr2 = x509.NoticeReference("org", [1])
144 un = x509.UserNotice(nr, "text")
145 un2 = x509.UserNotice(nr2, "text")
146 un3 = x509.UserNotice(nr, "text3")
147 assert un != un2
148 assert un != un3
149 assert un != object()
150
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]151
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]152class TestPolicyInformation(object):
153 def test_invalid_policy_identifier(self):
154 with pytest.raises(TypeError):
155 x509.PolicyInformation("notanoid", None)
156
157 def test_none_policy_qualifiers(self):
158 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), None)
159 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
160 assert pi.policy_qualifiers is None
161
162 def test_policy_qualifiers(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]163 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]164 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
165 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
166 assert pi.policy_qualifiers == pq
167
168 def test_invalid_policy_identifiers(self):
169 with pytest.raises(TypeError):
170 x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [1, 2])
171
172 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]173 pq = [u"string", x509.UserNotice(None, u"hi")]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]174 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]175 if six.PY3:
176 assert repr(pi) == (
177 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
178 "2.3, name=Unknown OID)>, policy_qualifiers=['string', <UserNo"
Paul Kehrer9aaef9e2015-05-11 10:49:20 -0500[diff] [blame]179 "tice(notice_reference=None, explicit_text='hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]180 )
181 else:
182 assert repr(pi) == (
183 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
184 "2.3, name=Unknown OID)>, policy_qualifiers=[u'string', <UserN"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]185 "otice(notice_reference=None, explicit_text=u'hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]186 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]187
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]188 def test_eq(self):
189 pi = x509.PolicyInformation(
190 x509.ObjectIdentifier("1.2.3"),
191 [u"string", x509.UserNotice(None, u"hi")]
192 )
193 pi2 = x509.PolicyInformation(
194 x509.ObjectIdentifier("1.2.3"),
195 [u"string", x509.UserNotice(None, u"hi")]
196 )
197 assert pi == pi2
198
199 def test_ne(self):
200 pi = x509.PolicyInformation(
201 x509.ObjectIdentifier("1.2.3"), [u"string"]
202 )
203 pi2 = x509.PolicyInformation(
204 x509.ObjectIdentifier("1.2.3"), [u"string2"]
205 )
206 pi3 = x509.PolicyInformation(
207 x509.ObjectIdentifier("1.2.3.4"), [u"string"]
208 )
209 assert pi != pi2
210 assert pi != pi3
211 assert pi != object()
212
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]213
214class TestCertificatePolicies(object):
215 def test_invalid_policies(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]216 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]217 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
218 with pytest.raises(TypeError):
219 x509.CertificatePolicies([1, pi])
220
221 def test_iter_len(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]222 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]223 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
224 cp = x509.CertificatePolicies([pi])
225 assert len(cp) == 1
226 for policyinfo in cp:
227 assert policyinfo == pi
228
229 def test_repr(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]230 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]231 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
232 cp = x509.CertificatePolicies([pi])
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]233 if six.PY3:
234 assert repr(cp) == (
235 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
236 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
237 "ers=['string'])>])>"
238 )
239 else:
240 assert repr(cp) == (
241 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
242 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
243 "ers=[u'string'])>])>"
244 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]245
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]246 def test_eq(self):
247 pi = x509.PolicyInformation(
248 x509.ObjectIdentifier("1.2.3"), [u"string"]
249 )
250 cp = x509.CertificatePolicies([pi])
251 pi2 = x509.PolicyInformation(
252 x509.ObjectIdentifier("1.2.3"), [u"string"]
253 )
254 cp2 = x509.CertificatePolicies([pi2])
255 assert cp == cp2
256
257 def test_ne(self):
258 pi = x509.PolicyInformation(
259 x509.ObjectIdentifier("1.2.3"), [u"string"]
260 )
261 cp = x509.CertificatePolicies([pi])
262 pi2 = x509.PolicyInformation(
263 x509.ObjectIdentifier("1.2.3"), [u"string2"]
264 )
265 cp2 = x509.CertificatePolicies([pi2])
266 assert cp != cp2
267 assert cp != object()
268
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]269
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]270@pytest.mark.requires_backend_interface(interface=RSABackend)
271@pytest.mark.requires_backend_interface(interface=X509Backend)
272class TestCertificatePoliciesExtension(object):
273 def test_cps_uri_policy_qualifier(self, backend):
274 cert = _load_cert(
275 os.path.join("x509", "custom", "cp_cps_uri.pem"),
276 x509.load_pem_x509_certificate,
277 backend
278 )
279
280 cp = cert.extensions.get_extension_for_oid(
281 x509.OID_CERTIFICATE_POLICIES
282 ).value
283
284 assert cp == x509.CertificatePolicies([
285 x509.PolicyInformation(
286 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
287 [u"http://other.com/cps"]
288 )
289 ])
290
291 def test_user_notice_with_notice_reference(self, backend):
292 cert = _load_cert(
293 os.path.join(
294 "x509", "custom", "cp_user_notice_with_notice_reference.pem"
295 ),
296 x509.load_pem_x509_certificate,
297 backend
298 )
299
300 cp = cert.extensions.get_extension_for_oid(
301 x509.OID_CERTIFICATE_POLICIES
302 ).value
303
304 assert cp == x509.CertificatePolicies([
305 x509.PolicyInformation(
306 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
307 [
308 u"http://example.com/cps",
309 u"http://other.com/cps",
310 x509.UserNotice(
311 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
312 u"thing"
313 )
314 ]
315 )
316 ])
317
318 def test_user_notice_with_explicit_text(self, backend):
319 cert = _load_cert(
320 os.path.join(
321 "x509", "custom", "cp_user_notice_with_explicit_text.pem"
322 ),
323 x509.load_pem_x509_certificate,
324 backend
325 )
326
327 cp = cert.extensions.get_extension_for_oid(
328 x509.OID_CERTIFICATE_POLICIES
329 ).value
330
331 assert cp == x509.CertificatePolicies([
332 x509.PolicyInformation(
333 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
334 [x509.UserNotice(None, u"thing")]
335 )
336 ])
337
338 def test_user_notice_no_explicit_text(self, backend):
339 cert = _load_cert(
340 os.path.join(
341 "x509", "custom", "cp_user_notice_no_explicit_text.pem"
342 ),
343 x509.load_pem_x509_certificate,
344 backend
345 )
346
347 cp = cert.extensions.get_extension_for_oid(
348 x509.OID_CERTIFICATE_POLICIES
349 ).value
350
351 assert cp == x509.CertificatePolicies([
352 x509.PolicyInformation(
353 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
354 [
355 x509.UserNotice(
356 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
357 None
358 )
359 ]
360 )
361 ])
362
363
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]364class TestKeyUsage(object):
365 def test_key_agreement_false_encipher_decipher_true(self):
366 with pytest.raises(ValueError):
367 x509.KeyUsage(
368 digital_signature=False,
369 content_commitment=False,
370 key_encipherment=False,
371 data_encipherment=False,
372 key_agreement=False,
373 key_cert_sign=False,
374 crl_sign=False,
375 encipher_only=True,
376 decipher_only=False
377 )
378
379 with pytest.raises(ValueError):
380 x509.KeyUsage(
381 digital_signature=False,
382 content_commitment=False,
383 key_encipherment=False,
384 data_encipherment=False,
385 key_agreement=False,
386 key_cert_sign=False,
387 crl_sign=False,
388 encipher_only=True,
389 decipher_only=True
390 )
391
392 with pytest.raises(ValueError):
393 x509.KeyUsage(
394 digital_signature=False,
395 content_commitment=False,
396 key_encipherment=False,
397 data_encipherment=False,
398 key_agreement=False,
399 key_cert_sign=False,
400 crl_sign=False,
401 encipher_only=False,
402 decipher_only=True
403 )
404
405 def test_properties_key_agreement_true(self):
406 ku = x509.KeyUsage(
407 digital_signature=True,
408 content_commitment=True,
409 key_encipherment=False,
410 data_encipherment=False,
411 key_agreement=False,
412 key_cert_sign=True,
413 crl_sign=False,
414 encipher_only=False,
415 decipher_only=False
416 )
417 assert ku.digital_signature is True
418 assert ku.content_commitment is True
419 assert ku.key_encipherment is False
420 assert ku.data_encipherment is False
421 assert ku.key_agreement is False
422 assert ku.key_cert_sign is True
423 assert ku.crl_sign is False
424
425 def test_key_agreement_true_properties(self):
426 ku = x509.KeyUsage(
427 digital_signature=False,
428 content_commitment=False,
429 key_encipherment=False,
430 data_encipherment=False,
431 key_agreement=True,
432 key_cert_sign=False,
433 crl_sign=False,
434 encipher_only=False,
435 decipher_only=True
436 )
437 assert ku.key_agreement is True
438 assert ku.encipher_only is False
439 assert ku.decipher_only is True
440
441 def test_key_agreement_false_properties(self):
442 ku = x509.KeyUsage(
443 digital_signature=False,
444 content_commitment=False,
445 key_encipherment=False,
446 data_encipherment=False,
447 key_agreement=False,
448 key_cert_sign=False,
449 crl_sign=False,
450 encipher_only=False,
451 decipher_only=False
452 )
453 assert ku.key_agreement is False
454 with pytest.raises(ValueError):
455 ku.encipher_only
456
457 with pytest.raises(ValueError):
458 ku.decipher_only
459
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]460 def test_repr_key_agreement_false(self):
461 ku = x509.KeyUsage(
462 digital_signature=True,
463 content_commitment=True,
464 key_encipherment=False,
465 data_encipherment=False,
466 key_agreement=False,
467 key_cert_sign=True,
468 crl_sign=False,
469 encipher_only=False,
470 decipher_only=False
471 )
472 assert repr(ku) == (
473 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
474 "cipherment=False, data_encipherment=False, key_agreement=False, k"
Paul Kehrerb372e672015-04-15 11:05:24 -0400[diff] [blame]475 "ey_cert_sign=True, crl_sign=False, encipher_only=None, decipher_o"
476 "nly=None)>"
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]477 )
478
479 def test_repr_key_agreement_true(self):
480 ku = x509.KeyUsage(
481 digital_signature=True,
482 content_commitment=True,
483 key_encipherment=False,
484 data_encipherment=False,
485 key_agreement=True,
486 key_cert_sign=True,
487 crl_sign=False,
488 encipher_only=False,
489 decipher_only=False
490 )
491 assert repr(ku) == (
492 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
493 "cipherment=False, data_encipherment=False, key_agreement=True, k"
494 "ey_cert_sign=True, crl_sign=False, encipher_only=False, decipher_"
495 "only=False)>"
496 )
497
Paul Kehrer8565f5e2015-05-13 09:57:09 -0500[diff] [blame]498 def test_eq(self):
499 ku = x509.KeyUsage(
500 digital_signature=False,
501 content_commitment=False,
502 key_encipherment=False,
503 data_encipherment=False,
504 key_agreement=True,
505 key_cert_sign=False,
506 crl_sign=False,
507 encipher_only=False,
508 decipher_only=True
509 )
510 ku2 = x509.KeyUsage(
511 digital_signature=False,
512 content_commitment=False,
513 key_encipherment=False,
514 data_encipherment=False,
515 key_agreement=True,
516 key_cert_sign=False,
517 crl_sign=False,
518 encipher_only=False,
519 decipher_only=True
520 )
521 assert ku == ku2
522
523 def test_ne(self):
524 ku = x509.KeyUsage(
525 digital_signature=False,
526 content_commitment=False,
527 key_encipherment=False,
528 data_encipherment=False,
529 key_agreement=True,
530 key_cert_sign=False,
531 crl_sign=False,
532 encipher_only=False,
533 decipher_only=True
534 )
535 ku2 = x509.KeyUsage(
536 digital_signature=False,
537 content_commitment=False,
538 key_encipherment=False,
539 data_encipherment=False,
540 key_agreement=False,
541 key_cert_sign=False,
542 crl_sign=False,
543 encipher_only=False,
544 decipher_only=False
545 )
546 assert ku != ku2
547 assert ku != object()
548
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]549
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]550class TestSubjectKeyIdentifier(object):
551 def test_properties(self):
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]552 value = binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]553 ski = x509.SubjectKeyIdentifier(value)
554 assert ski.digest == value
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]555
556 def test_repr(self):
557 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]558 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]559 )
560 ext = x509.Extension(x509.OID_SUBJECT_KEY_IDENTIFIER, False, ski)
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]561 if six.PY3:
562 assert repr(ext) == (
563 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
564 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
565 "igest=b\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
566 "\\xf7\\xff:\\xc9\')>)>"
567 )
568 else:
569 assert repr(ext) == (
570 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
571 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
572 "igest=\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
573 "\\xf7\\xff:\\xc9\')>)>"
574 )
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]575
576 def test_eq(self):
577 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]578 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]579 )
580 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]581 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]582 )
583 assert ski == ski2
584
585 def test_ne(self):
586 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]587 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]588 )
589 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]590 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]591 )
592 assert ski != ski2
593 assert ski != object()
594
595
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]596class TestAuthorityKeyIdentifier(object):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]597 def test_authority_cert_issuer_not_generalname(self):
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]598 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]599 x509.AuthorityKeyIdentifier(b"identifier", ["notname"], 3)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]600
601 def test_authority_cert_serial_number_not_integer(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]602 dirname = x509.DirectoryName(
603 x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]604 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
605 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]606 ])
607 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]608 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]609 x509.AuthorityKeyIdentifier(b"identifier", [dirname], "notanint")
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]610
611 def test_authority_issuer_none_serial_not_none(self):
612 with pytest.raises(ValueError):
613 x509.AuthorityKeyIdentifier(b"identifier", None, 3)
614
615 def test_authority_issuer_not_none_serial_none(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]616 dirname = x509.DirectoryName(
617 x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]618 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
619 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]620 ])
621 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]622 with pytest.raises(ValueError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]623 x509.AuthorityKeyIdentifier(b"identifier", [dirname], None)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]624
625 def test_authority_cert_serial_and_issuer_none(self):
626 aki = x509.AuthorityKeyIdentifier(b"id", None, None)
627 assert aki.key_identifier == b"id"
628 assert aki.authority_cert_issuer is None
629 assert aki.authority_cert_serial_number is None
630
631 def test_repr(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]632 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]633 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]634 )
635 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]636
637 if six.PY3:
638 assert repr(aki) == (
639 "<AuthorityKeyIdentifier(key_identifier=b'digest', authority_"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]640 "cert_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid="
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]641 "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value='myC"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]642 "N')>])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]643 )
644 else:
645 assert repr(aki) == (
646 "<AuthorityKeyIdentifier(key_identifier='digest', authority_ce"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]647 "rt_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid=<Ob"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]648 "jectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'myCN')"
649 ">])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]650 )
651
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]652 def test_eq(self):
653 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]654 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]655 )
656 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
657 dirname2 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]658 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]659 )
660 aki2 = x509.AuthorityKeyIdentifier(b"digest", [dirname2], 1234)
661 assert aki == aki2
662
663 def test_ne(self):
664 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]665 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]666 )
667 dirname5 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]668 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'aCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]669 )
670 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
671 aki2 = x509.AuthorityKeyIdentifier(b"diges", [dirname], 1234)
672 aki3 = x509.AuthorityKeyIdentifier(b"digest", None, None)
673 aki4 = x509.AuthorityKeyIdentifier(b"digest", [dirname], 12345)
674 aki5 = x509.AuthorityKeyIdentifier(b"digest", [dirname5], 12345)
675 assert aki != aki2
676 assert aki != aki3
677 assert aki != aki4
678 assert aki != aki5
679 assert aki != object()
680
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]681
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]682class TestBasicConstraints(object):
683 def test_ca_not_boolean(self):
684 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]685 x509.BasicConstraints(ca="notbool", path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]686
687 def test_path_length_not_ca(self):
688 with pytest.raises(ValueError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]689 x509.BasicConstraints(ca=False, path_length=0)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]690
691 def test_path_length_not_int(self):
692 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]693 x509.BasicConstraints(ca=True, path_length=1.1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]694
695 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]696 x509.BasicConstraints(ca=True, path_length="notint")
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]697
698 def test_path_length_negative(self):
699 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]700 x509.BasicConstraints(ca=True, path_length=-1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]701
702 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]703 na = x509.BasicConstraints(ca=True, path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]704 assert repr(na) == (
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]705 "<BasicConstraints(ca=True, path_length=None)>"
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]706 )
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]707
Paul Kehrer3a69b132015-05-13 10:03:46 -0500[diff] [blame]708 def test_eq(self):
709 na = x509.BasicConstraints(ca=True, path_length=None)
710 na2 = x509.BasicConstraints(ca=True, path_length=None)
711 assert na == na2
712
713 def test_ne(self):
714 na = x509.BasicConstraints(ca=True, path_length=None)
715 na2 = x509.BasicConstraints(ca=True, path_length=1)
716 na3 = x509.BasicConstraints(ca=False, path_length=None)
717 assert na != na2
718 assert na != na3
719 assert na != object()
720
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]721
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]722class TestExtendedKeyUsage(object):
723 def test_not_all_oids(self):
724 with pytest.raises(TypeError):
725 x509.ExtendedKeyUsage(["notoid"])
726
727 def test_iter_len(self):
728 eku = x509.ExtendedKeyUsage([
729 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
730 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
731 ])
732 assert len(eku) == 2
733 assert list(eku) == [
734 x509.OID_SERVER_AUTH,
735 x509.OID_CLIENT_AUTH
736 ]
737
Paul Kehrer23d10c32015-04-02 23:12:32 -0500[diff] [blame]738 def test_repr(self):
739 eku = x509.ExtendedKeyUsage([
740 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
741 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
742 ])
743 assert repr(eku) == (
744 "<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name="
745 "serverAuth)>, <ObjectIdentifier(oid=1.3.6.1.5.5.7.3.2, name=clien"
746 "tAuth)>])>"
747 )
748
Paul Kehrerb0476172015-05-02 19:34:51 -0500[diff] [blame]749 def test_eq(self):
750 eku = x509.ExtendedKeyUsage([
751 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
752 ])
753 eku2 = x509.ExtendedKeyUsage([
754 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
755 ])
756 assert eku == eku2
757
758 def test_ne(self):
759 eku = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6")])
760 eku2 = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6.1")])
761 assert eku != eku2
762 assert eku != object()
763
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]764
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]765@pytest.mark.requires_backend_interface(interface=RSABackend)
766@pytest.mark.requires_backend_interface(interface=X509Backend)
767class TestExtensions(object):
768 def test_no_extensions(self, backend):
769 cert = _load_cert(
770 os.path.join("x509", "verisign_md2_root.pem"),
771 x509.load_pem_x509_certificate,
772 backend
773 )
774 ext = cert.extensions
775 assert len(ext) == 0
776 assert list(ext) == []
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]777 with pytest.raises(x509.ExtensionNotFound) as exc:
778 ext.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
779
780 assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS
781
782 def test_one_extension(self, backend):
783 cert = _load_cert(
784 os.path.join(
785 "x509", "custom", "basic_constraints_not_critical.pem"
786 ),
787 x509.load_pem_x509_certificate,
788 backend
789 )
790 extensions = cert.extensions
791 ext = extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
792 assert ext is not None
793 assert ext.value.ca is False
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]794
795 def test_duplicate_extension(self, backend):
796 cert = _load_cert(
797 os.path.join(
798 "x509", "custom", "two_basic_constraints.pem"
799 ),
800 x509.load_pem_x509_certificate,
801 backend
802 )
803 with pytest.raises(x509.DuplicateExtension) as exc:
804 cert.extensions
805
806 assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS
807
808 def test_unsupported_critical_extension(self, backend):
809 cert = _load_cert(
810 os.path.join(
811 "x509", "custom", "unsupported_extension_critical.pem"
812 ),
813 x509.load_pem_x509_certificate,
814 backend
815 )
816 with pytest.raises(x509.UnsupportedExtension) as exc:
817 cert.extensions
818
819 assert exc.value.oid == x509.ObjectIdentifier("1.2.3.4")
820
821 def test_unsupported_extension(self, backend):
822 # TODO: this will raise an exception when all extensions are complete
823 cert = _load_cert(
824 os.path.join(
825 "x509", "custom", "unsupported_extension.pem"
826 ),
827 x509.load_pem_x509_certificate,
828 backend
829 )
830 extensions = cert.extensions
831 assert len(extensions) == 0
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]832
833
834@pytest.mark.requires_backend_interface(interface=RSABackend)
835@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerde813ea2015-03-28 12:44:34 -0500[diff] [blame]836class TestBasicConstraintsExtension(object):
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]837 def test_ca_true_pathlen_6(self, backend):
838 cert = _load_cert(
839 os.path.join(
840 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
841 ),
842 x509.load_der_x509_certificate,
843 backend
844 )
845 ext = cert.extensions.get_extension_for_oid(
846 x509.OID_BASIC_CONSTRAINTS
847 )
848 assert ext is not None
849 assert ext.critical is True
850 assert ext.value.ca is True
851 assert ext.value.path_length == 6
852
853 def test_path_length_zero(self, backend):
854 cert = _load_cert(
855 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
856 x509.load_pem_x509_certificate,
857 backend
858 )
859 ext = cert.extensions.get_extension_for_oid(
860 x509.OID_BASIC_CONSTRAINTS
861 )
862 assert ext is not None
863 assert ext.critical is True
864 assert ext.value.ca is True
865 assert ext.value.path_length == 0
866
867 def test_ca_true_no_pathlen(self, backend):
868 cert = _load_cert(
869 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
870 x509.load_der_x509_certificate,
871 backend
872 )
873 ext = cert.extensions.get_extension_for_oid(
874 x509.OID_BASIC_CONSTRAINTS
875 )
876 assert ext is not None
877 assert ext.critical is True
878 assert ext.value.ca is True
879 assert ext.value.path_length is None
880
881 def test_ca_false(self, backend):
882 cert = _load_cert(
883 os.path.join("x509", "cryptography.io.pem"),
884 x509.load_pem_x509_certificate,
885 backend
886 )
887 ext = cert.extensions.get_extension_for_oid(
888 x509.OID_BASIC_CONSTRAINTS
889 )
890 assert ext is not None
891 assert ext.critical is True
892 assert ext.value.ca is False
893 assert ext.value.path_length is None
894
895 def test_no_basic_constraints(self, backend):
896 cert = _load_cert(
897 os.path.join(
898 "x509",
899 "PKITS_data",
900 "certs",
901 "ValidCertificatePathTest1EE.crt"
902 ),
903 x509.load_der_x509_certificate,
904 backend
905 )
906 with pytest.raises(x509.ExtensionNotFound):
907 cert.extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
908
909 def test_basic_constraint_not_critical(self, backend):
910 cert = _load_cert(
911 os.path.join(
912 "x509", "custom", "basic_constraints_not_critical.pem"
913 ),
914 x509.load_pem_x509_certificate,
915 backend
916 )
917 ext = cert.extensions.get_extension_for_oid(
918 x509.OID_BASIC_CONSTRAINTS
919 )
920 assert ext is not None
921 assert ext.critical is False
922 assert ext.value.ca is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]923
924
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]925class TestSubjectKeyIdentifierExtension(object):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]926 @pytest.mark.requires_backend_interface(interface=RSABackend)
927 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]928 def test_subject_key_identifier(self, backend):
929 cert = _load_cert(
930 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
931 x509.load_der_x509_certificate,
932 backend
933 )
934 ext = cert.extensions.get_extension_for_oid(
935 x509.OID_SUBJECT_KEY_IDENTIFIER
936 )
937 ski = ext.value
938 assert ext is not None
939 assert ext.critical is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]940 assert ski.digest == binascii.unhexlify(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]941 b"580184241bbc2b52944a3da510721451f5af3ac9"
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]942 )
943
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]944 @pytest.mark.requires_backend_interface(interface=RSABackend)
945 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]946 def test_no_subject_key_identifier(self, backend):
947 cert = _load_cert(
948 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
949 x509.load_pem_x509_certificate,
950 backend
951 )
952 with pytest.raises(x509.ExtensionNotFound):
953 cert.extensions.get_extension_for_oid(
954 x509.OID_SUBJECT_KEY_IDENTIFIER
955 )
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]956
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]957 @pytest.mark.requires_backend_interface(interface=RSABackend)
958 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]959 def test_from_rsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]960 cert = _load_cert(
961 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
962 x509.load_der_x509_certificate,
963 backend
964 )
965 ext = cert.extensions.get_extension_for_oid(
966 x509.OID_SUBJECT_KEY_IDENTIFIER
967 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]968 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]969 cert.public_key()
970 )
971 assert ext.value == ski
972
973 @pytest.mark.requires_backend_interface(interface=DSABackend)
974 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]975 def test_from_dsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]976 cert = _load_cert(
977 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
978 x509.load_pem_x509_certificate,
979 backend
980 )
981
982 ext = cert.extensions.get_extension_for_oid(
983 x509.OID_SUBJECT_KEY_IDENTIFIER
984 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]985 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]986 cert.public_key()
987 )
988 assert ext.value == ski
989
990 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
991 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]992 def test_from_ec_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]993 _skip_curve_unsupported(backend, ec.SECP384R1())
994 cert = _load_cert(
995 os.path.join("x509", "ecdsa_root.pem"),
996 x509.load_pem_x509_certificate,
997 backend
998 )
999
1000 ext = cert.extensions.get_extension_for_oid(
1001 x509.OID_SUBJECT_KEY_IDENTIFIER
1002 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1003 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1004 cert.public_key()
1005 )
1006 assert ext.value == ski
1007
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1008
1009@pytest.mark.requires_backend_interface(interface=RSABackend)
1010@pytest.mark.requires_backend_interface(interface=X509Backend)
1011class TestKeyUsageExtension(object):
1012 def test_no_key_usage(self, backend):
1013 cert = _load_cert(
1014 os.path.join("x509", "verisign_md2_root.pem"),
1015 x509.load_pem_x509_certificate,
1016 backend
1017 )
1018 ext = cert.extensions
1019 with pytest.raises(x509.ExtensionNotFound) as exc:
1020 ext.get_extension_for_oid(x509.OID_KEY_USAGE)
1021
1022 assert exc.value.oid == x509.OID_KEY_USAGE
1023
1024 def test_all_purposes(self, backend):
1025 cert = _load_cert(
1026 os.path.join(
1027 "x509", "custom", "all_key_usages.pem"
1028 ),
1029 x509.load_pem_x509_certificate,
1030 backend
1031 )
1032 extensions = cert.extensions
1033 ext = extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
1034 assert ext is not None
1035
1036 ku = ext.value
1037 assert ku.digital_signature is True
1038 assert ku.content_commitment is True
1039 assert ku.key_encipherment is True
1040 assert ku.data_encipherment is True
1041 assert ku.key_agreement is True
1042 assert ku.key_cert_sign is True
1043 assert ku.crl_sign is True
1044 assert ku.encipher_only is True
1045 assert ku.decipher_only is True
1046
1047 def test_key_cert_sign_crl_sign(self, backend):
1048 cert = _load_cert(
1049 os.path.join(
1050 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
1051 ),
1052 x509.load_der_x509_certificate,
1053 backend
1054 )
1055 ext = cert.extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
1056 assert ext is not None
1057 assert ext.critical is True
1058
1059 ku = ext.value
1060 assert ku.digital_signature is False
1061 assert ku.content_commitment is False
1062 assert ku.key_encipherment is False
1063 assert ku.data_encipherment is False
1064 assert ku.key_agreement is False
1065 assert ku.key_cert_sign is True
1066 assert ku.crl_sign is True
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1067
1068
1069@pytest.mark.parametrize(
1070 "name", [
1071 x509.RFC822Name,
1072 x509.DNSName,
1073 x509.UniformResourceIdentifier
1074 ]
1075)
1076class TestTextGeneralNames(object):
1077 def test_not_text(self, name):
1078 with pytest.raises(TypeError):
1079 name(b"notaunicodestring")
1080
1081 with pytest.raises(TypeError):
1082 name(1.3)
1083
1084 def test_repr(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1085 gn = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1086 assert repr(gn) == "<{0}(value=string)>".format(name.__name__)
1087
1088 def test_eq(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1089 gn = name(u"string")
1090 gn2 = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1091 assert gn == gn2
1092
1093 def test_ne(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1094 gn = name(u"string")
1095 gn2 = name(u"string2")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1096 assert gn != gn2
1097 assert gn != object()
1098
1099
1100class TestDirectoryName(object):
1101 def test_not_name(self):
1102 with pytest.raises(TypeError):
1103 x509.DirectoryName(b"notaname")
1104
1105 with pytest.raises(TypeError):
1106 x509.DirectoryName(1.3)
1107
1108 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1109 name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'value1')])
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1110 gn = x509.DirectoryName(x509.Name([name]))
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]1111 if six.PY3:
1112 assert repr(gn) == (
1113 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1114 "Identifier(oid=2.5.4.3, name=commonName)>, value='value1')>])"
1115 ">])>)>"
1116 )
1117 else:
1118 assert repr(gn) == (
1119 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1120 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'value1')>]"
1121 ")>])>)>"
1122 )
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1123
1124 def test_eq(self):
1125 name = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1126 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1127 ])
1128 name2 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1129 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1130 ])
1131 gn = x509.DirectoryName(x509.Name([name]))
1132 gn2 = x509.DirectoryName(x509.Name([name2]))
1133 assert gn == gn2
1134
1135 def test_ne(self):
1136 name = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1137 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1138 ])
1139 name2 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1140 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value2')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1141 ])
1142 gn = x509.DirectoryName(x509.Name([name]))
1143 gn2 = x509.DirectoryName(x509.Name([name2]))
1144 assert gn != gn2
1145 assert gn != object()
1146
1147
Paul Kehrer01d5d0b2015-07-12 09:41:21 -0500[diff] [blame]1148class TestRFC822Name(object):
1149 def test_invalid_email(self):
1150 with pytest.raises(ValueError):
1151 x509.RFC822Name(u"Name <email>")
1152
1153 with pytest.raises(ValueError):
1154 x509.RFC822Name(u"")
1155
1156 def test_single_label(self):
1157 gn = x509.RFC822Name(u"administrator")
1158 assert gn.value == u"administrator"
1159
1160 def test_idna(self):
1161 gn = x509.RFC822Name(u"email@em\xe5\xefl.com")
1162 assert gn.value == u"email@em\xe5\xefl.com"
1163 assert gn._encoded == b"email@xn--eml-vla4c.com"
1164
1165
Paul Kehrere28d6c42015-07-12 14:59:37 -0500[diff] [blame]1166class TestUniformResourceIdentifier(object):
1167 def test_no_parsed_hostname(self):
1168 gn = x509.UniformResourceIdentifier(u"singlelabel")
1169 assert gn.value == u"singlelabel"
1170
1171 def test_with_port(self):
1172 gn = x509.UniformResourceIdentifier(u"singlelabel:443/test")
1173 assert gn.value == u"singlelabel:443/test"
1174
1175 def test_idna_no_port(self):
1176 gn = x509.UniformResourceIdentifier(
1177 u"http://\u043f\u044b\u043a\u0430.cryptography"
1178 )
1179 assert gn.value == u"http://\u043f\u044b\u043a\u0430.cryptography"
1180 assert gn._encoded == b"http://xn--80ato2c.cryptography"
1181
1182 def test_idna_with_port(self):
1183 gn = x509.UniformResourceIdentifier(
1184 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1185 )
1186 assert gn.value == (
1187 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1188 )
1189 assert gn._encoded == b"gopher://xn--80ato2c.cryptography:70/some/path"
1190
1191 def test_query_and_fragment(self):
1192 gn = x509.UniformResourceIdentifier(
1193 u"ldap://cryptography:90/path?query=true#somedata"
1194 )
1195 assert gn.value == u"ldap://cryptography:90/path?query=true#somedata"
1196
1197
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1198class TestRegisteredID(object):
1199 def test_not_oid(self):
1200 with pytest.raises(TypeError):
1201 x509.RegisteredID(b"notanoid")
1202
1203 with pytest.raises(TypeError):
1204 x509.RegisteredID(1.3)
1205
1206 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1207 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1208 assert repr(gn) == (
1209 "<RegisteredID(value=<ObjectIdentifier(oid=2.5.4.3, name=commonNam"
1210 "e)>)>"
1211 )
1212
1213 def test_eq(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1214 gn = x509.RegisteredID(NameOID.COMMON_NAME)
1215 gn2 = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1216 assert gn == gn2
1217
1218 def test_ne(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1219 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1220 gn2 = x509.RegisteredID(x509.OID_BASIC_CONSTRAINTS)
1221 assert gn != gn2
1222 assert gn != object()
1223
1224
1225class TestIPAddress(object):
1226 def test_not_ipaddress(self):
1227 with pytest.raises(TypeError):
1228 x509.IPAddress(b"notanipaddress")
1229
1230 with pytest.raises(TypeError):
1231 x509.IPAddress(1.3)
1232
1233 def test_repr(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1234 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1235 assert repr(gn) == "<IPAddress(value=127.0.0.1)>"
1236
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1237 gn2 = x509.IPAddress(ipaddress.IPv6Address(u"ff::"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1238 assert repr(gn2) == "<IPAddress(value=ff::)>"
1239
Paul Kehrereb177932015-05-17 18:33:33 -0700[diff] [blame]1240 gn3 = x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24"))
1241 assert repr(gn3) == "<IPAddress(value=192.168.0.0/24)>"
1242
1243 gn4 = x509.IPAddress(ipaddress.IPv6Network(u"ff::/96"))
1244 assert repr(gn4) == "<IPAddress(value=ff::/96)>"
1245
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1246 def test_eq(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1247 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1248 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1249 assert gn == gn2
1250
1251 def test_ne(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1252 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1253 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.2"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1254 assert gn != gn2
1255 assert gn != object()
1256
1257
Joshua Tauberer18b6fc82015-07-05 21:44:51 +0000[diff] [blame]1258class TestOtherName(object):
1259 def test_invalid_args(self):
1260 with pytest.raises(TypeError):
1261 x509.OtherName(b"notanobjectidentifier", b"derdata")
1262
1263 with pytest.raises(TypeError):
1264 x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), u"notderdata")
1265
1266 def test_repr(self):
1267 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1268 if six.PY3:
1269 assert repr(gn) == (
1270 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1271 "name=Unknown OID)>, value=b'derdata')>"
1272 )
1273 else:
1274 assert repr(gn) == (
1275 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1276 "name=Unknown OID)>, value='derdata')>"
1277 )
1278
1279 gn = x509.OtherName(x509.ObjectIdentifier("2.5.4.65"), b"derdata")
1280 if six.PY3:
1281 assert repr(gn) == (
1282 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1283 "name=pseudonym)>, value=b'derdata')>"
1284 )
1285 else:
1286 assert repr(gn) == (
1287 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1288 "name=pseudonym)>, value='derdata')>"
1289 )
1290
1291 def test_eq(self):
1292 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1293 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1294 assert gn == gn2
1295
1296 def test_ne(self):
1297 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1298 assert gn != object()
1299
1300 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata2")
1301 assert gn != gn2
1302
1303 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.5"), b"derdata")
1304 assert gn != gn2
1305
1306
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1307class TestGeneralNames(object):
1308 def test_get_values_for_type(self):
1309 gns = x509.GeneralNames(
1310 [x509.DNSName(u"cryptography.io")]
1311 )
1312 names = gns.get_values_for_type(x509.DNSName)
1313 assert names == [u"cryptography.io"]
1314
1315 def test_iter_names(self):
1316 gns = x509.GeneralNames([
1317 x509.DNSName(u"cryptography.io"),
1318 x509.DNSName(u"crypto.local"),
1319 ])
1320 assert len(gns) == 2
1321 assert list(gns) == [
1322 x509.DNSName(u"cryptography.io"),
1323 x509.DNSName(u"crypto.local"),
1324 ]
1325
1326 def test_invalid_general_names(self):
1327 with pytest.raises(TypeError):
1328 x509.GeneralNames(
1329 [x509.DNSName(u"cryptography.io"), "invalid"]
1330 )
1331
1332 def test_repr(self):
1333 gns = x509.GeneralNames(
1334 [
1335 x509.DNSName(u"cryptography.io")
1336 ]
1337 )
1338 assert repr(gns) == (
1339 "<GeneralNames([<DNSName(value=cryptography.io)>])>"
1340 )
1341
1342 def test_eq(self):
1343 gns = x509.GeneralNames(
1344 [x509.DNSName(u"cryptography.io")]
1345 )
1346 gns2 = x509.GeneralNames(
1347 [x509.DNSName(u"cryptography.io")]
1348 )
1349 assert gns == gns2
1350
1351 def test_ne(self):
1352 gns = x509.GeneralNames(
1353 [x509.DNSName(u"cryptography.io")]
1354 )
1355 gns2 = x509.GeneralNames(
1356 [x509.RFC822Name(u"admin@cryptography.io")]
1357 )
1358 assert gns != gns2
1359 assert gns != object()
1360
1361
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1362class TestIssuerAlternativeName(object):
1363 def test_get_values_for_type(self):
1364 san = x509.IssuerAlternativeName(
1365 [x509.DNSName(u"cryptography.io")]
1366 )
1367 names = san.get_values_for_type(x509.DNSName)
1368 assert names == [u"cryptography.io"]
1369
1370 def test_iter_names(self):
1371 san = x509.IssuerAlternativeName([
1372 x509.DNSName(u"cryptography.io"),
1373 x509.DNSName(u"crypto.local"),
1374 ])
1375 assert len(san) == 2
1376 assert list(san) == [
1377 x509.DNSName(u"cryptography.io"),
1378 x509.DNSName(u"crypto.local"),
1379 ]
1380
1381 def test_invalid_general_names(self):
1382 with pytest.raises(TypeError):
1383 x509.IssuerAlternativeName(
1384 [x509.DNSName(u"cryptography.io"), "invalid"]
1385 )
1386
1387 def test_repr(self):
1388 san = x509.IssuerAlternativeName(
1389 [
1390 x509.DNSName(u"cryptography.io")
1391 ]
1392 )
1393 assert repr(san) == (
1394 "<IssuerAlternativeName("
1395 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
1396 )
1397
1398 def test_eq(self):
1399 san = x509.IssuerAlternativeName(
1400 [x509.DNSName(u"cryptography.io")]
1401 )
1402 san2 = x509.IssuerAlternativeName(
1403 [x509.DNSName(u"cryptography.io")]
1404 )
1405 assert san == san2
1406
1407 def test_ne(self):
1408 san = x509.IssuerAlternativeName(
1409 [x509.DNSName(u"cryptography.io")]
1410 )
1411 san2 = x509.IssuerAlternativeName(
1412 [x509.RFC822Name(u"admin@cryptography.io")]
1413 )
1414 assert san != san2
1415 assert san != object()
1416
1417
Alex Gaynorf1c17672015-06-20 14:20:20 -0400[diff] [blame]1418@pytest.mark.requires_backend_interface(interface=RSABackend)
1419@pytest.mark.requires_backend_interface(interface=X509Backend)
1420class TestRSAIssuerAlternativeNameExtension(object):
1421 def test_uri(self, backend):
1422 cert = _load_cert(
1423 os.path.join("x509", "custom", "ian_uri.pem"),
1424 x509.load_pem_x509_certificate,
1425 backend,
1426 )
1427 ext = cert.extensions.get_extension_for_oid(
1428 x509.OID_ISSUER_ALTERNATIVE_NAME
1429 )
1430 assert list(ext.value) == [
1431 x509.UniformResourceIdentifier(u"http://path.to.root/root.crt"),
1432 ]
1433
1434
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1435class TestSubjectAlternativeName(object):
1436 def test_get_values_for_type(self):
1437 san = x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1438 [x509.DNSName(u"cryptography.io")]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1439 )
1440 names = san.get_values_for_type(x509.DNSName)
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1441 assert names == [u"cryptography.io"]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1442
1443 def test_iter_names(self):
1444 san = x509.SubjectAlternativeName([
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1445 x509.DNSName(u"cryptography.io"),
1446 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1447 ])
1448 assert len(san) == 2
1449 assert list(san) == [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1450 x509.DNSName(u"cryptography.io"),
1451 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1452 ]
1453
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1454 def test_invalid_general_names(self):
1455 with pytest.raises(TypeError):
1456 x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1457 [x509.DNSName(u"cryptography.io"), "invalid"]
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1458 )
1459
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1460 def test_repr(self):
1461 san = x509.SubjectAlternativeName(
1462 [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1463 x509.DNSName(u"cryptography.io")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1464 ]
1465 )
1466 assert repr(san) == (
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1467 "<SubjectAlternativeName("
1468 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1469 )
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1470
Paul Kehrer58cc3972015-05-13 10:00:41 -0500[diff] [blame]1471 def test_eq(self):
1472 san = x509.SubjectAlternativeName(
1473 [x509.DNSName(u"cryptography.io")]
1474 )
1475 san2 = x509.SubjectAlternativeName(
1476 [x509.DNSName(u"cryptography.io")]
1477 )
1478 assert san == san2
1479
1480 def test_ne(self):
1481 san = x509.SubjectAlternativeName(
1482 [x509.DNSName(u"cryptography.io")]
1483 )
1484 san2 = x509.SubjectAlternativeName(
1485 [x509.RFC822Name(u"admin@cryptography.io")]
1486 )
1487 assert san != san2
1488 assert san != object()
1489
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1490
1491@pytest.mark.requires_backend_interface(interface=RSABackend)
1492@pytest.mark.requires_backend_interface(interface=X509Backend)
1493class TestRSASubjectAlternativeNameExtension(object):
1494 def test_dns_name(self, backend):
1495 cert = _load_cert(
1496 os.path.join("x509", "cryptography.io.pem"),
1497 x509.load_pem_x509_certificate,
1498 backend
1499 )
1500 ext = cert.extensions.get_extension_for_oid(
1501 x509.OID_SUBJECT_ALTERNATIVE_NAME
1502 )
1503 assert ext is not None
1504 assert ext.critical is False
1505
1506 san = ext.value
1507
1508 dns = san.get_values_for_type(x509.DNSName)
1509 assert dns == [u"www.cryptography.io", u"cryptography.io"]
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1510
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1511 def test_wildcard_dns_name(self, backend):
1512 cert = _load_cert(
1513 os.path.join("x509", "wildcard_san.pem"),
1514 x509.load_pem_x509_certificate,
1515 backend
1516 )
1517 ext = cert.extensions.get_extension_for_oid(
1518 x509.OID_SUBJECT_ALTERNATIVE_NAME
1519 )
1520
1521 dns = ext.value.get_values_for_type(x509.DNSName)
1522 assert dns == [
1523 u'*.langui.sh',
1524 u'langui.sh',
1525 u'*.saseliminator.com',
1526 u'saseliminator.com'
1527 ]
1528
1529 def test_san_wildcard_idna_dns_name(self, backend):
1530 cert = _load_cert(
1531 os.path.join("x509", "custom", "san_wildcard_idna.pem"),
1532 x509.load_pem_x509_certificate,
1533 backend
1534 )
1535 ext = cert.extensions.get_extension_for_oid(
1536 x509.OID_SUBJECT_ALTERNATIVE_NAME
1537 )
1538
1539 dns = ext.value.get_values_for_type(x509.DNSName)
1540 assert dns == [u'*.\u043f\u044b\u043a\u0430.cryptography']
1541
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1542 def test_unsupported_gn(self, backend):
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1543 cert = _load_cert(
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1544 os.path.join("x509", "san_x400address.der"),
1545 x509.load_der_x509_certificate,
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1546 backend
1547 )
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1548 with pytest.raises(x509.UnsupportedGeneralNameType) as exc:
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1549 cert.extensions
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1550
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1551 assert exc.value.type == 3
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1552
1553 def test_registered_id(self, backend):
1554 cert = _load_cert(
1555 os.path.join(
1556 "x509", "custom", "san_registered_id.pem"
1557 ),
1558 x509.load_pem_x509_certificate,
1559 backend
1560 )
1561 ext = cert.extensions.get_extension_for_oid(
1562 x509.OID_SUBJECT_ALTERNATIVE_NAME
1563 )
1564 assert ext is not None
1565 assert ext.critical is False
1566
1567 san = ext.value
1568 rid = san.get_values_for_type(x509.RegisteredID)
1569 assert rid == [x509.ObjectIdentifier("1.2.3.4")]
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1570
1571 def test_uri(self, backend):
1572 cert = _load_cert(
1573 os.path.join(
1574 "x509", "custom", "san_uri_with_port.pem"
1575 ),
1576 x509.load_pem_x509_certificate,
1577 backend
1578 )
1579 ext = cert.extensions.get_extension_for_oid(
1580 x509.OID_SUBJECT_ALTERNATIVE_NAME
1581 )
1582 assert ext is not None
1583 uri = ext.value.get_values_for_type(
1584 x509.UniformResourceIdentifier
1585 )
1586 assert uri == [
1587 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/path?q=s#hel"
1588 u"lo",
1589 u"http://someregulardomain.com",
1590 ]
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1591
1592 def test_ipaddress(self, backend):
1593 cert = _load_cert(
1594 os.path.join(
1595 "x509", "custom", "san_ipaddr.pem"
1596 ),
1597 x509.load_pem_x509_certificate,
1598 backend
1599 )
1600 ext = cert.extensions.get_extension_for_oid(
1601 x509.OID_SUBJECT_ALTERNATIVE_NAME
1602 )
1603 assert ext is not None
1604 assert ext.critical is False
1605
1606 san = ext.value
1607
1608 ip = san.get_values_for_type(x509.IPAddress)
1609 assert [
1610 ipaddress.ip_address(u"127.0.0.1"),
1611 ipaddress.ip_address(u"ff::")
1612 ] == ip
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1613
1614 def test_dirname(self, backend):
1615 cert = _load_cert(
1616 os.path.join(
1617 "x509", "custom", "san_dirname.pem"
1618 ),
1619 x509.load_pem_x509_certificate,
1620 backend
1621 )
1622 ext = cert.extensions.get_extension_for_oid(
1623 x509.OID_SUBJECT_ALTERNATIVE_NAME
1624 )
1625 assert ext is not None
1626 assert ext.critical is False
1627
1628 san = ext.value
1629
1630 dirname = san.get_values_for_type(x509.DirectoryName)
1631 assert [
1632 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1633 x509.NameAttribute(NameOID.COMMON_NAME, u'test'),
1634 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org'),
1635 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1636 ])
1637 ] == dirname
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1638
1639 def test_rfc822name(self, backend):
1640 cert = _load_cert(
1641 os.path.join(
1642 "x509", "custom", "san_rfc822_idna.pem"
1643 ),
1644 x509.load_pem_x509_certificate,
1645 backend
1646 )
1647 ext = cert.extensions.get_extension_for_oid(
1648 x509.OID_SUBJECT_ALTERNATIVE_NAME
1649 )
1650 assert ext is not None
1651 assert ext.critical is False
1652
1653 san = ext.value
1654
1655 rfc822name = san.get_values_for_type(x509.RFC822Name)
1656 assert [u"email@em\xe5\xefl.com"] == rfc822name
1657
Paul Kehrerb8968812015-05-15 09:01:34 -0700[diff] [blame]1658 def test_idna2003_invalid(self, backend):
1659 cert = _load_cert(
1660 os.path.join(
1661 "x509", "custom", "san_idna2003_dnsname.pem"
1662 ),
1663 x509.load_pem_x509_certificate,
1664 backend
1665 )
1666 with pytest.raises(UnicodeError):
1667 cert.extensions
1668
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1669 def test_unicode_rfc822_name_dns_name_uri(self, backend):
1670 cert = _load_cert(
1671 os.path.join(
1672 "x509", "custom", "san_idna_names.pem"
1673 ),
1674 x509.load_pem_x509_certificate,
1675 backend
1676 )
1677 ext = cert.extensions.get_extension_for_oid(
1678 x509.OID_SUBJECT_ALTERNATIVE_NAME
1679 )
1680 assert ext is not None
1681 rfc822_name = ext.value.get_values_for_type(x509.RFC822Name)
1682 dns_name = ext.value.get_values_for_type(x509.DNSName)
1683 uri = ext.value.get_values_for_type(x509.UniformResourceIdentifier)
1684 assert rfc822_name == [u"email@\u043f\u044b\u043a\u0430.cryptography"]
1685 assert dns_name == [u"\u043f\u044b\u043a\u0430.cryptography"]
1686 assert uri == [u"https://www.\u043f\u044b\u043a\u0430.cryptography"]
1687
1688 def test_rfc822name_dnsname_ipaddress_directoryname_uri(self, backend):
1689 cert = _load_cert(
1690 os.path.join(
1691 "x509", "custom", "san_email_dns_ip_dirname_uri.pem"
1692 ),
1693 x509.load_pem_x509_certificate,
1694 backend
1695 )
1696 ext = cert.extensions.get_extension_for_oid(
1697 x509.OID_SUBJECT_ALTERNATIVE_NAME
1698 )
1699 assert ext is not None
1700 assert ext.critical is False
1701
1702 san = ext.value
1703
1704 rfc822_name = san.get_values_for_type(x509.RFC822Name)
1705 uri = san.get_values_for_type(x509.UniformResourceIdentifier)
1706 dns = san.get_values_for_type(x509.DNSName)
1707 ip = san.get_values_for_type(x509.IPAddress)
1708 dirname = san.get_values_for_type(x509.DirectoryName)
1709 assert [u"user@cryptography.io"] == rfc822_name
Paul Kehrere3a330c2015-05-02 16:42:52 -0500[diff] [blame]1710 assert [u"https://cryptography.io"] == uri
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1711 assert [u"cryptography.io"] == dns
1712 assert [
1713 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1714 x509.NameAttribute(NameOID.COMMON_NAME, u'dirCN'),
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1715 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1716 NameOID.ORGANIZATION_NAME, u'Cryptographic Authority'
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1717 ),
1718 ])
1719 ] == dirname
1720 assert [
1721 ipaddress.ip_address(u"127.0.0.1"),
1722 ipaddress.ip_address(u"ff::")
1723 ] == ip
1724
1725 def test_invalid_rfc822name(self, backend):
1726 cert = _load_cert(
1727 os.path.join(
1728 "x509", "custom", "san_rfc822_names.pem"
1729 ),
1730 x509.load_pem_x509_certificate,
1731 backend
1732 )
1733 with pytest.raises(ValueError) as exc:
1734 cert.extensions
1735
1736 assert 'Invalid rfc822name value' in str(exc.value)
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]1737
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1738 def test_other_name(self, backend):
1739 cert = _load_cert(
1740 os.path.join(
1741 "x509", "custom", "san_other_name.pem"
1742 ),
1743 x509.load_pem_x509_certificate,
1744 backend
1745 )
1746
1747 ext = cert.extensions.get_extension_for_oid(
1748 x509.OID_SUBJECT_ALTERNATIVE_NAME
1749 )
1750 assert ext is not None
1751 assert ext.critical is False
1752
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]1753 expected = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"),
1754 b'\x16\x0bHello World')
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1755 assert len(ext.value) == 1
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]1756 assert list(ext.value)[0] == expected
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1757
1758 othernames = ext.value.get_values_for_type(x509.OtherName)
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]1759 assert othernames == [expected]
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1760
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]1761
1762@pytest.mark.requires_backend_interface(interface=RSABackend)
1763@pytest.mark.requires_backend_interface(interface=X509Backend)
1764class TestExtendedKeyUsageExtension(object):
1765 def test_eku(self, backend):
1766 cert = _load_cert(
1767 os.path.join(
1768 "x509", "custom", "extended_key_usage.pem"
1769 ),
1770 x509.load_pem_x509_certificate,
1771 backend
1772 )
1773 ext = cert.extensions.get_extension_for_oid(
1774 x509.OID_EXTENDED_KEY_USAGE
1775 )
1776 assert ext is not None
1777 assert ext.critical is False
1778
1779 assert [
1780 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
1781 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
1782 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.3"),
1783 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.4"),
1784 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.9"),
1785 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.8"),
1786 x509.ObjectIdentifier("2.5.29.37.0"),
1787 x509.ObjectIdentifier("2.16.840.1.113730.4.1"),
1788 ] == list(ext.value)
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1789
1790
1791class TestAccessDescription(object):
1792 def test_invalid_access_method(self):
Paul Kehrerf506bca2015-05-02 22:31:47 -0500[diff] [blame]1793 with pytest.raises(ValueError):
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1794 x509.AccessDescription("notanoid", x509.DNSName(u"test"))
1795
1796 def test_invalid_access_location(self):
1797 with pytest.raises(TypeError):
1798 x509.AccessDescription(x509.OID_CA_ISSUERS, "invalid")
1799
1800 def test_repr(self):
1801 ad = x509.AccessDescription(
1802 x509.OID_OCSP,
1803 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1804 )
1805 assert repr(ad) == (
1806 "<AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5."
1807 "5.7.48.1, name=OCSP)>, access_location=<UniformResourceIdentifier"
1808 "(value=http://ocsp.domain.com)>)>"
1809 )
1810
1811 def test_eq(self):
1812 ad = x509.AccessDescription(
1813 x509.OID_OCSP,
1814 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1815 )
1816 ad2 = x509.AccessDescription(
1817 x509.OID_OCSP,
1818 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1819 )
1820 assert ad == ad2
1821
1822 def test_ne(self):
1823 ad = x509.AccessDescription(
1824 x509.OID_OCSP,
1825 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1826 )
1827 ad2 = x509.AccessDescription(
1828 x509.OID_CA_ISSUERS,
1829 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1830 )
1831 ad3 = x509.AccessDescription(
1832 x509.OID_OCSP,
1833 x509.UniformResourceIdentifier(u"http://notthesame")
1834 )
1835 assert ad != ad2
1836 assert ad != ad3
1837 assert ad != object()
1838
1839
1840class TestAuthorityInformationAccess(object):
1841 def test_invalid_descriptions(self):
1842 with pytest.raises(TypeError):
1843 x509.AuthorityInformationAccess(["notanAccessDescription"])
1844
1845 def test_iter_len(self):
1846 aia = x509.AuthorityInformationAccess([
1847 x509.AccessDescription(
1848 x509.OID_OCSP,
1849 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1850 ),
1851 x509.AccessDescription(
1852 x509.OID_CA_ISSUERS,
1853 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1854 )
1855 ])
1856 assert len(aia) == 2
1857 assert list(aia) == [
1858 x509.AccessDescription(
1859 x509.OID_OCSP,
1860 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1861 ),
1862 x509.AccessDescription(
1863 x509.OID_CA_ISSUERS,
1864 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1865 )
1866 ]
1867
1868 def test_repr(self):
1869 aia = x509.AuthorityInformationAccess([
1870 x509.AccessDescription(
1871 x509.OID_OCSP,
1872 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1873 ),
1874 x509.AccessDescription(
1875 x509.OID_CA_ISSUERS,
1876 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1877 )
1878 ])
1879 assert repr(aia) == (
1880 "<AuthorityInformationAccess([<AccessDescription(access_method=<Ob"
1881 "jectIdentifier(oid=1.3.6.1.5.5.7.48.1, name=OCSP)>, access_locati"
1882 "on=<UniformResourceIdentifier(value=http://ocsp.domain.com)>)>, <"
1883 "AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5.5"
1884 ".7.48.2, name=caIssuers)>, access_location=<UniformResourceIdenti"
1885 "fier(value=http://domain.com/ca.crt)>)>])>"
1886 )
1887
1888 def test_eq(self):
1889 aia = x509.AuthorityInformationAccess([
1890 x509.AccessDescription(
1891 x509.OID_OCSP,
1892 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1893 ),
1894 x509.AccessDescription(
1895 x509.OID_CA_ISSUERS,
1896 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1897 )
1898 ])
1899 aia2 = x509.AuthorityInformationAccess([
1900 x509.AccessDescription(
1901 x509.OID_OCSP,
1902 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1903 ),
1904 x509.AccessDescription(
1905 x509.OID_CA_ISSUERS,
1906 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1907 )
1908 ])
1909 assert aia == aia2
1910
1911 def test_ne(self):
1912 aia = x509.AuthorityInformationAccess([
1913 x509.AccessDescription(
1914 x509.OID_OCSP,
1915 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1916 ),
1917 x509.AccessDescription(
1918 x509.OID_CA_ISSUERS,
1919 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1920 )
1921 ])
1922 aia2 = x509.AuthorityInformationAccess([
1923 x509.AccessDescription(
1924 x509.OID_OCSP,
1925 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1926 ),
1927 ])
1928
1929 assert aia != aia2
1930 assert aia != object()
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]1931
1932
1933@pytest.mark.requires_backend_interface(interface=RSABackend)
1934@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]1935class TestAuthorityInformationAccessExtension(object):
1936 def test_aia_ocsp_ca_issuers(self, backend):
1937 cert = _load_cert(
1938 os.path.join("x509", "cryptography.io.pem"),
1939 x509.load_pem_x509_certificate,
1940 backend
1941 )
1942 ext = cert.extensions.get_extension_for_oid(
1943 x509.OID_AUTHORITY_INFORMATION_ACCESS
1944 )
1945 assert ext is not None
1946 assert ext.critical is False
1947
1948 assert ext.value == x509.AuthorityInformationAccess([
1949 x509.AccessDescription(
1950 x509.OID_OCSP,
1951 x509.UniformResourceIdentifier(u"http://gv.symcd.com")
1952 ),
1953 x509.AccessDescription(
1954 x509.OID_CA_ISSUERS,
1955 x509.UniformResourceIdentifier(u"http://gv.symcb.com/gv.crt")
1956 ),
1957 ])
1958
1959 def test_aia_multiple_ocsp_ca_issuers(self, backend):
1960 cert = _load_cert(
1961 os.path.join("x509", "custom", "aia_ocsp_ca_issuers.pem"),
1962 x509.load_pem_x509_certificate,
1963 backend
1964 )
1965 ext = cert.extensions.get_extension_for_oid(
1966 x509.OID_AUTHORITY_INFORMATION_ACCESS
1967 )
1968 assert ext is not None
1969 assert ext.critical is False
1970
1971 assert ext.value == x509.AuthorityInformationAccess([
1972 x509.AccessDescription(
1973 x509.OID_OCSP,
1974 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1975 ),
1976 x509.AccessDescription(
1977 x509.OID_OCSP,
1978 x509.UniformResourceIdentifier(u"http://ocsp2.domain.com")
1979 ),
1980 x509.AccessDescription(
1981 x509.OID_CA_ISSUERS,
1982 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1983 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
1984 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1985 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]1986 ]))
1987 ),
1988 ])
1989
1990 def test_aia_ocsp_only(self, backend):
1991 cert = _load_cert(
1992 os.path.join("x509", "custom", "aia_ocsp.pem"),
1993 x509.load_pem_x509_certificate,
1994 backend
1995 )
1996 ext = cert.extensions.get_extension_for_oid(
1997 x509.OID_AUTHORITY_INFORMATION_ACCESS
1998 )
1999 assert ext is not None
2000 assert ext.critical is False
2001
2002 assert ext.value == x509.AuthorityInformationAccess([
2003 x509.AccessDescription(
2004 x509.OID_OCSP,
2005 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2006 ),
2007 ])
2008
2009 def test_aia_ca_issuers_only(self, backend):
2010 cert = _load_cert(
2011 os.path.join("x509", "custom", "aia_ca_issuers.pem"),
2012 x509.load_pem_x509_certificate,
2013 backend
2014 )
2015 ext = cert.extensions.get_extension_for_oid(
2016 x509.OID_AUTHORITY_INFORMATION_ACCESS
2017 )
2018 assert ext is not None
2019 assert ext.critical is False
2020
2021 assert ext.value == x509.AuthorityInformationAccess([
2022 x509.AccessDescription(
2023 x509.OID_CA_ISSUERS,
2024 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2025 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
2026 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2027 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2028 ]))
2029 ),
2030 ])
2031
2032
2033@pytest.mark.requires_backend_interface(interface=RSABackend)
2034@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2035class TestAuthorityKeyIdentifierExtension(object):
2036 def test_aki_keyid(self, backend):
2037 cert = _load_cert(
2038 os.path.join(
2039 "x509", "cryptography.io.pem"
2040 ),
2041 x509.load_pem_x509_certificate,
2042 backend
2043 )
2044 ext = cert.extensions.get_extension_for_oid(
2045 x509.OID_AUTHORITY_KEY_IDENTIFIER
2046 )
2047 assert ext is not None
2048 assert ext.critical is False
2049
2050 assert ext.value.key_identifier == (
2051 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08\xcbY"
2052 )
2053 assert ext.value.authority_cert_issuer is None
2054 assert ext.value.authority_cert_serial_number is None
2055
2056 def test_aki_all_fields(self, backend):
2057 cert = _load_cert(
2058 os.path.join(
2059 "x509", "custom", "authority_key_identifier.pem"
2060 ),
2061 x509.load_pem_x509_certificate,
2062 backend
2063 )
2064 ext = cert.extensions.get_extension_for_oid(
2065 x509.OID_AUTHORITY_KEY_IDENTIFIER
2066 )
2067 assert ext is not None
2068 assert ext.critical is False
2069
2070 assert ext.value.key_identifier == (
2071 b"9E>\xca=b\x1d\xea\x86I\xf6Z\xab@\xb7\xa4p\x98\xf1\xec"
2072 )
2073 assert ext.value.authority_cert_issuer == [
2074 x509.DirectoryName(
2075 x509.Name([
2076 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2077 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2078 ),
2079 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2080 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2081 )
2082 ])
2083 )
2084 ]
2085 assert ext.value.authority_cert_serial_number == 3
2086
2087 def test_aki_no_keyid(self, backend):
2088 cert = _load_cert(
2089 os.path.join(
2090 "x509", "custom", "authority_key_identifier_no_keyid.pem"
2091 ),
2092 x509.load_pem_x509_certificate,
2093 backend
2094 )
2095 ext = cert.extensions.get_extension_for_oid(
2096 x509.OID_AUTHORITY_KEY_IDENTIFIER
2097 )
2098 assert ext is not None
2099 assert ext.critical is False
2100
2101 assert ext.value.key_identifier is None
2102 assert ext.value.authority_cert_issuer == [
2103 x509.DirectoryName(
2104 x509.Name([
2105 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2106 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2107 ),
2108 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2109 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2110 )
2111 ])
2112 )
2113 ]
2114 assert ext.value.authority_cert_serial_number == 3
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2115
Paul Kehrer253929a2015-08-05 17:30:39 +0100[diff] [blame]2116 def test_from_certificate(self, backend):
2117 issuer_cert = _load_cert(
2118 os.path.join("x509", "rapidssl_sha256_ca_g3.pem"),
2119 x509.load_pem_x509_certificate,
2120 backend
2121 )
2122 cert = _load_cert(
2123 os.path.join("x509", "cryptography.io.pem"),
2124 x509.load_pem_x509_certificate,
2125 backend
2126 )
2127 ext = cert.extensions.get_extension_for_oid(
2128 x509.OID_AUTHORITY_KEY_IDENTIFIER
2129 )
2130 aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(
2131 issuer_cert.public_key()
2132 )
2133 assert ext.value == aki
2134
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2135
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2136class TestNameConstraints(object):
2137 def test_ipaddress_wrong_type(self):
2138 with pytest.raises(TypeError):
2139 x509.NameConstraints(
2140 permitted_subtrees=[
2141 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2142 ],
2143 excluded_subtrees=None
2144 )
2145
2146 with pytest.raises(TypeError):
2147 x509.NameConstraints(
2148 permitted_subtrees=None,
2149 excluded_subtrees=[
2150 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2151 ]
2152 )
2153
2154 def test_ipaddress_allowed_type(self):
2155 permitted = [x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29"))]
2156 excluded = [x509.IPAddress(ipaddress.IPv4Network(u"10.10.0.0/24"))]
2157 nc = x509.NameConstraints(
2158 permitted_subtrees=permitted,
2159 excluded_subtrees=excluded
2160 )
2161 assert nc.permitted_subtrees == permitted
2162 assert nc.excluded_subtrees == excluded
2163
2164 def test_invalid_permitted_subtrees(self):
2165 with pytest.raises(TypeError):
2166 x509.NameConstraints("badpermitted", None)
2167
2168 def test_invalid_excluded_subtrees(self):
2169 with pytest.raises(TypeError):
2170 x509.NameConstraints(None, "badexcluded")
2171
2172 def test_no_subtrees(self):
2173 with pytest.raises(ValueError):
2174 x509.NameConstraints(None, None)
2175
2176 def test_permitted_none(self):
2177 excluded = [x509.DNSName(u"name.local")]
2178 nc = x509.NameConstraints(
2179 permitted_subtrees=None, excluded_subtrees=excluded
2180 )
2181 assert nc.permitted_subtrees is None
2182 assert nc.excluded_subtrees is not None
2183
2184 def test_excluded_none(self):
2185 permitted = [x509.DNSName(u"name.local")]
2186 nc = x509.NameConstraints(
2187 permitted_subtrees=permitted, excluded_subtrees=None
2188 )
2189 assert nc.permitted_subtrees is not None
2190 assert nc.excluded_subtrees is None
2191
2192 def test_repr(self):
2193 permitted = [x509.DNSName(u"name.local"), x509.DNSName(u"name2.local")]
2194 nc = x509.NameConstraints(
2195 permitted_subtrees=permitted,
2196 excluded_subtrees=None
2197 )
2198 assert repr(nc) == (
2199 "<NameConstraints(permitted_subtrees=[<DNSName(value=name.local)>"
2200 ", <DNSName(value=name2.local)>], excluded_subtrees=None)>"
2201 )
2202
Paul Kehrer31894282015-06-21 21:46:41 -0500[diff] [blame]2203 def test_eq(self):
2204 nc = x509.NameConstraints(
2205 permitted_subtrees=[x509.DNSName(u"name.local")],
2206 excluded_subtrees=[x509.DNSName(u"name2.local")]
2207 )
2208 nc2 = x509.NameConstraints(
2209 permitted_subtrees=[x509.DNSName(u"name.local")],
2210 excluded_subtrees=[x509.DNSName(u"name2.local")]
2211 )
2212 assert nc == nc2
2213
2214 def test_ne(self):
2215 nc = x509.NameConstraints(
2216 permitted_subtrees=[x509.DNSName(u"name.local")],
2217 excluded_subtrees=[x509.DNSName(u"name2.local")]
2218 )
2219 nc2 = x509.NameConstraints(
2220 permitted_subtrees=[x509.DNSName(u"name.local")],
2221 excluded_subtrees=None
2222 )
2223 nc3 = x509.NameConstraints(
2224 permitted_subtrees=None,
2225 excluded_subtrees=[x509.DNSName(u"name2.local")]
2226 )
2227
2228 assert nc != nc2
2229 assert nc != nc3
2230 assert nc != object()
2231
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2232
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2233@pytest.mark.requires_backend_interface(interface=RSABackend)
2234@pytest.mark.requires_backend_interface(interface=X509Backend)
2235class TestNameConstraintsExtension(object):
2236 def test_permitted_excluded(self, backend):
2237 cert = _load_cert(
2238 os.path.join(
2239 "x509", "custom", "nc_permitted_excluded_2.pem"
2240 ),
2241 x509.load_pem_x509_certificate,
2242 backend
2243 )
2244 nc = cert.extensions.get_extension_for_oid(
2245 x509.OID_NAME_CONSTRAINTS
2246 ).value
2247 assert nc == x509.NameConstraints(
2248 permitted_subtrees=[
2249 x509.DNSName(u"zombo.local"),
2250 ],
2251 excluded_subtrees=[
2252 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2253 x509.NameAttribute(NameOID.COMMON_NAME, u"zombo")
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2254 ]))
2255 ]
2256 )
2257
2258 def test_permitted(self, backend):
2259 cert = _load_cert(
2260 os.path.join(
2261 "x509", "custom", "nc_permitted_2.pem"
2262 ),
2263 x509.load_pem_x509_certificate,
2264 backend
2265 )
2266 nc = cert.extensions.get_extension_for_oid(
2267 x509.OID_NAME_CONSTRAINTS
2268 ).value
2269 assert nc == x509.NameConstraints(
2270 permitted_subtrees=[
2271 x509.DNSName(u"zombo.local"),
2272 ],
2273 excluded_subtrees=None
2274 )
2275
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2276 def test_permitted_with_leading_period(self, backend):
2277 cert = _load_cert(
2278 os.path.join(
2279 "x509", "custom", "nc_permitted.pem"
2280 ),
2281 x509.load_pem_x509_certificate,
2282 backend
2283 )
2284 nc = cert.extensions.get_extension_for_oid(
2285 x509.OID_NAME_CONSTRAINTS
2286 ).value
2287 assert nc == x509.NameConstraints(
2288 permitted_subtrees=[
2289 x509.DNSName(u".cryptography.io"),
2290 x509.UniformResourceIdentifier(u"ftp://cryptography.test")
2291 ],
2292 excluded_subtrees=None
2293 )
2294
2295 def test_excluded_with_leading_period(self, backend):
2296 cert = _load_cert(
2297 os.path.join(
2298 "x509", "custom", "nc_excluded.pem"
2299 ),
2300 x509.load_pem_x509_certificate,
2301 backend
2302 )
2303 nc = cert.extensions.get_extension_for_oid(
2304 x509.OID_NAME_CONSTRAINTS
2305 ).value
2306 assert nc == x509.NameConstraints(
2307 permitted_subtrees=None,
2308 excluded_subtrees=[
2309 x509.DNSName(u".cryptography.io"),
2310 x509.UniformResourceIdentifier(u"gopher://cryptography.test")
2311 ]
2312 )
2313
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2314 def test_permitted_excluded_with_ips(self, backend):
2315 cert = _load_cert(
2316 os.path.join(
2317 "x509", "custom", "nc_permitted_excluded.pem"
2318 ),
2319 x509.load_pem_x509_certificate,
2320 backend
2321 )
2322 nc = cert.extensions.get_extension_for_oid(
2323 x509.OID_NAME_CONSTRAINTS
2324 ).value
2325 assert nc == x509.NameConstraints(
2326 permitted_subtrees=[
2327 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")),
2328 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")),
2329 ],
2330 excluded_subtrees=[
2331 x509.DNSName(u".domain.com"),
2332 x509.UniformResourceIdentifier(u"http://test.local"),
2333 ]
2334 )
2335
Paul Kehrera72ebaf2015-07-01 21:07:37 -0500[diff] [blame]2336 def test_single_ip_netmask(self, backend):
2337 cert = _load_cert(
2338 os.path.join(
2339 "x509", "custom", "nc_single_ip_netmask.pem"
2340 ),
2341 x509.load_pem_x509_certificate,
2342 backend
2343 )
2344 nc = cert.extensions.get_extension_for_oid(
2345 x509.OID_NAME_CONSTRAINTS
2346 ).value
2347 assert nc == x509.NameConstraints(
2348 permitted_subtrees=[
2349 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/128")),
2350 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.1/32")),
2351 ],
2352 excluded_subtrees=None
2353 )
2354
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2355 def test_invalid_netmask(self, backend):
2356 cert = _load_cert(
2357 os.path.join(
2358 "x509", "custom", "nc_invalid_ip_netmask.pem"
2359 ),
2360 x509.load_pem_x509_certificate,
2361 backend
2362 )
2363 with pytest.raises(ValueError):
2364 cert.extensions.get_extension_for_oid(
2365 x509.OID_NAME_CONSTRAINTS
2366 )
2367
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2368
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2369class TestDistributionPoint(object):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2370 def test_distribution_point_full_name_not_general_names(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2371 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2372 x509.DistributionPoint(["notgn"], None, None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2373
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2374 def test_distribution_point_relative_name_not_name(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2375 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2376 x509.DistributionPoint(None, "notname", None, None)
2377
2378 def test_distribution_point_full_and_relative_not_none(self):
2379 with pytest.raises(ValueError):
2380 x509.DistributionPoint("data", "notname", None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2381
2382 def test_crl_issuer_not_general_names(self):
2383 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2384 x509.DistributionPoint(None, None, None, ["notgn"])
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2385
2386 def test_reason_not_reasonflags(self):
2387 with pytest.raises(TypeError):
2388 x509.DistributionPoint(
2389 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2390 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2391 frozenset(["notreasonflags"]),
2392 None
2393 )
2394
2395 def test_reason_not_frozenset(self):
2396 with pytest.raises(TypeError):
2397 x509.DistributionPoint(
2398 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2399 None,
2400 [x509.ReasonFlags.ca_compromise],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2401 None
2402 )
2403
2404 def test_disallowed_reasons(self):
2405 with pytest.raises(ValueError):
2406 x509.DistributionPoint(
2407 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2408 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2409 frozenset([x509.ReasonFlags.unspecified]),
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2410 None
2411 )
2412
2413 with pytest.raises(ValueError):
2414 x509.DistributionPoint(
2415 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2416 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2417 frozenset([x509.ReasonFlags.remove_from_crl]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2418 None
2419 )
2420
2421 def test_reason_only(self):
2422 with pytest.raises(ValueError):
2423 x509.DistributionPoint(
2424 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2425 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2426 frozenset([x509.ReasonFlags.aa_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2427 None
2428 )
2429
2430 def test_eq(self):
2431 dp = x509.DistributionPoint(
2432 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2433 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2434 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2435 [
2436 x509.DirectoryName(
2437 x509.Name([
2438 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2439 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2440 )
2441 ])
2442 )
2443 ],
2444 )
2445 dp2 = x509.DistributionPoint(
2446 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2447 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2448 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2449 [
2450 x509.DirectoryName(
2451 x509.Name([
2452 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2453 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2454 )
2455 ])
2456 )
2457 ],
2458 )
2459 assert dp == dp2
2460
2461 def test_ne(self):
2462 dp = x509.DistributionPoint(
2463 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2464 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2465 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2466 [
2467 x509.DirectoryName(
2468 x509.Name([
2469 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2470 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2471 )
2472 ])
2473 )
2474 ],
2475 )
2476 dp2 = x509.DistributionPoint(
2477 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2478 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2479 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2480 None
2481 )
2482 assert dp != dp2
2483 assert dp != object()
2484
2485 def test_repr(self):
2486 dp = x509.DistributionPoint(
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2487 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2488 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2489 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN")
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2490 ]),
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2491 frozenset([x509.ReasonFlags.ca_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2492 [
2493 x509.DirectoryName(
2494 x509.Name([
2495 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2496 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2497 )
2498 ])
2499 )
2500 ],
2501 )
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2502 if six.PY3:
2503 assert repr(dp) == (
2504 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2505 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]2506 ">, value='myCN')>])>, reasons=frozenset({<ReasonFlags.ca_comp"
2507 "romise: 'cACompromise'>}), crl_issuer=[<DirectoryName(value=<"
2508 "Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name="
2509 "commonName)>, value='Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2510 )
2511 else:
2512 assert repr(dp) == (
2513 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2514 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2515 ">, value=u'myCN')>])>, reasons=frozenset([<ReasonFlags.ca_com"
2516 "promise: 'cACompromise'>]), crl_issuer=[<DirectoryName(value="
2517 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
2518 "=commonName)>, value=u'Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2519 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2520
2521
2522class TestCRLDistributionPoints(object):
2523 def test_invalid_distribution_points(self):
2524 with pytest.raises(TypeError):
2525 x509.CRLDistributionPoints(["notadistributionpoint"])
2526
2527 def test_iter_len(self):
2528 cdp = x509.CRLDistributionPoints([
2529 x509.DistributionPoint(
2530 [x509.UniformResourceIdentifier(u"http://domain")],
2531 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2532 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2533 None
2534 ),
2535 x509.DistributionPoint(
2536 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2537 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2538 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2539 x509.ReasonFlags.key_compromise,
2540 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2541 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2542 None
2543 ),
2544 ])
2545 assert len(cdp) == 2
2546 assert list(cdp) == [
2547 x509.DistributionPoint(
2548 [x509.UniformResourceIdentifier(u"http://domain")],
2549 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2550 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2551 None
2552 ),
2553 x509.DistributionPoint(
2554 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2555 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2556 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2557 x509.ReasonFlags.key_compromise,
2558 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2559 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2560 None
2561 ),
2562 ]
2563
2564 def test_repr(self):
2565 cdp = x509.CRLDistributionPoints([
2566 x509.DistributionPoint(
2567 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2568 None,
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2569 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2570 None
2571 ),
2572 ])
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2573 if six.PY3:
2574 assert repr(cdp) == (
2575 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2576 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2577 "ne, reasons=frozenset({<ReasonFlags.key_compromise: 'keyComp"
2578 "romise'>}), crl_issuer=None)>])>"
2579 )
2580 else:
2581 assert repr(cdp) == (
2582 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2583 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2584 "ne, reasons=frozenset([<ReasonFlags.key_compromise: 'keyComp"
2585 "romise'>]), crl_issuer=None)>])>"
2586 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2587
2588 def test_eq(self):
2589 cdp = x509.CRLDistributionPoints([
2590 x509.DistributionPoint(
2591 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2592 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2593 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2594 x509.ReasonFlags.key_compromise,
2595 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2596 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2597 [x509.UniformResourceIdentifier(u"uri://thing")],
2598 ),
2599 ])
2600 cdp2 = x509.CRLDistributionPoints([
2601 x509.DistributionPoint(
2602 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2603 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2604 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2605 x509.ReasonFlags.key_compromise,
2606 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2607 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2608 [x509.UniformResourceIdentifier(u"uri://thing")],
2609 ),
2610 ])
2611 assert cdp == cdp2
2612
2613 def test_ne(self):
2614 cdp = x509.CRLDistributionPoints([
2615 x509.DistributionPoint(
2616 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2617 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2618 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2619 x509.ReasonFlags.key_compromise,
2620 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2621 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2622 [x509.UniformResourceIdentifier(u"uri://thing")],
2623 ),
2624 ])
2625 cdp2 = x509.CRLDistributionPoints([
2626 x509.DistributionPoint(
2627 [x509.UniformResourceIdentifier(u"ftp://domain2")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2628 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2629 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2630 x509.ReasonFlags.key_compromise,
2631 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2632 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2633 [x509.UniformResourceIdentifier(u"uri://thing")],
2634 ),
2635 ])
2636 cdp3 = x509.CRLDistributionPoints([
2637 x509.DistributionPoint(
2638 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2639 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2640 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2641 [x509.UniformResourceIdentifier(u"uri://thing")],
2642 ),
2643 ])
2644 cdp4 = x509.CRLDistributionPoints([
2645 x509.DistributionPoint(
2646 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2647 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2648 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2649 x509.ReasonFlags.key_compromise,
2650 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2651 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2652 [x509.UniformResourceIdentifier(u"uri://thing2")],
2653 ),
2654 ])
2655 assert cdp != cdp2
2656 assert cdp != cdp3
2657 assert cdp != cdp4
2658 assert cdp != object()
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2659
2660
2661@pytest.mark.requires_backend_interface(interface=RSABackend)
2662@pytest.mark.requires_backend_interface(interface=X509Backend)
2663class TestCRLDistributionPointsExtension(object):
2664 def test_fullname_and_crl_issuer(self, backend):
2665 cert = _load_cert(
2666 os.path.join(
2667 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest28EE.crt"
2668 ),
2669 x509.load_der_x509_certificate,
2670 backend
2671 )
2672
2673 cdps = cert.extensions.get_extension_for_oid(
2674 x509.OID_CRL_DISTRIBUTION_POINTS
2675 ).value
2676
2677 assert cdps == x509.CRLDistributionPoints([
2678 x509.DistributionPoint(
2679 full_name=[x509.DirectoryName(
2680 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2681 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2682 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2683 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2684 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2685 ),
2686 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2687 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2688 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2689 ),
2690 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2691 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2692 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2693 ),
2694 ])
2695 )],
2696 relative_name=None,
2697 reasons=None,
2698 crl_issuer=[x509.DirectoryName(
2699 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2700 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2701 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2702 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2703 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2704 ),
2705 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2706 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2707 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2708 ),
2709 ])
2710 )],
2711 )
2712 ])
2713
2714 def test_relativename_and_crl_issuer(self, backend):
2715 cert = _load_cert(
2716 os.path.join(
2717 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest29EE.crt"
2718 ),
2719 x509.load_der_x509_certificate,
2720 backend
2721 )
2722
2723 cdps = cert.extensions.get_extension_for_oid(
2724 x509.OID_CRL_DISTRIBUTION_POINTS
2725 ).value
2726
2727 assert cdps == x509.CRLDistributionPoints([
2728 x509.DistributionPoint(
2729 full_name=None,
2730 relative_name=x509.Name([
2731 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2732 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2733 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2734 ),
2735 ]),
2736 reasons=None,
2737 crl_issuer=[x509.DirectoryName(
2738 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2739 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2740 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2741 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2742 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2743 ),
2744 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2745 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2746 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2747 ),
2748 ])
2749 )],
2750 )
2751 ])
2752
2753 def test_fullname_crl_issuer_reasons(self, backend):
2754 cert = _load_cert(
2755 os.path.join(
2756 "x509", "custom", "cdp_fullname_reasons_crl_issuer.pem"
2757 ),
2758 x509.load_pem_x509_certificate,
2759 backend
2760 )
2761
2762 cdps = cert.extensions.get_extension_for_oid(
2763 x509.OID_CRL_DISTRIBUTION_POINTS
2764 ).value
2765
2766 assert cdps == x509.CRLDistributionPoints([
2767 x509.DistributionPoint(
2768 full_name=[x509.UniformResourceIdentifier(
2769 u"http://myhost.com/myca.crl"
2770 )],
2771 relative_name=None,
2772 reasons=frozenset([
2773 x509.ReasonFlags.key_compromise,
2774 x509.ReasonFlags.ca_compromise
2775 ]),
2776 crl_issuer=[x509.DirectoryName(
2777 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2778 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2779 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2780 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2781 ),
2782 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2783 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2784 ),
2785 ])
2786 )],
2787 )
2788 ])
2789
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]2790 def test_all_reasons(self, backend):
2791 cert = _load_cert(
2792 os.path.join(
2793 "x509", "custom", "cdp_all_reasons.pem"
2794 ),
2795 x509.load_pem_x509_certificate,
2796 backend
2797 )
2798
2799 cdps = cert.extensions.get_extension_for_oid(
2800 x509.OID_CRL_DISTRIBUTION_POINTS
2801 ).value
2802
2803 assert cdps == x509.CRLDistributionPoints([
2804 x509.DistributionPoint(
2805 full_name=[x509.UniformResourceIdentifier(
2806 u"http://domain.com/some.crl"
2807 )],
2808 relative_name=None,
2809 reasons=frozenset([
2810 x509.ReasonFlags.key_compromise,
2811 x509.ReasonFlags.ca_compromise,
2812 x509.ReasonFlags.affiliation_changed,
2813 x509.ReasonFlags.superseded,
2814 x509.ReasonFlags.privilege_withdrawn,
2815 x509.ReasonFlags.cessation_of_operation,
2816 x509.ReasonFlags.aa_compromise,
2817 x509.ReasonFlags.certificate_hold,
2818 ]),
2819 crl_issuer=None
2820 )
2821 ])
2822
2823 def test_single_reason(self, backend):
2824 cert = _load_cert(
2825 os.path.join(
2826 "x509", "custom", "cdp_reason_aa_compromise.pem"
2827 ),
2828 x509.load_pem_x509_certificate,
2829 backend
2830 )
2831
2832 cdps = cert.extensions.get_extension_for_oid(
2833 x509.OID_CRL_DISTRIBUTION_POINTS
2834 ).value
2835
2836 assert cdps == x509.CRLDistributionPoints([
2837 x509.DistributionPoint(
2838 full_name=[x509.UniformResourceIdentifier(
2839 u"http://domain.com/some.crl"
2840 )],
2841 relative_name=None,
2842 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
2843 crl_issuer=None
2844 )
2845 ])
2846
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2847 def test_crl_issuer_only(self, backend):
2848 cert = _load_cert(
2849 os.path.join(
2850 "x509", "custom", "cdp_crl_issuer.pem"
2851 ),
2852 x509.load_pem_x509_certificate,
2853 backend
2854 )
2855
2856 cdps = cert.extensions.get_extension_for_oid(
2857 x509.OID_CRL_DISTRIBUTION_POINTS
2858 ).value
2859
2860 assert cdps == x509.CRLDistributionPoints([
2861 x509.DistributionPoint(
2862 full_name=None,
2863 relative_name=None,
2864 reasons=None,
2865 crl_issuer=[x509.DirectoryName(
2866 x509.Name([
2867 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2868 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2869 ),
2870 ])
2871 )],
2872 )
2873 ])
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]2874
2875
Paul Kehrerf54a50b2015-06-17 18:31:26 -0600[diff] [blame]2876@pytest.mark.requires_backend_interface(interface=RSABackend)
2877@pytest.mark.requires_backend_interface(interface=X509Backend)
2878class TestOCSPNoCheckExtension(object):
2879 def test_nocheck(self, backend):
2880 cert = _load_cert(
2881 os.path.join(
2882 "x509", "custom", "ocsp_nocheck.pem"
2883 ),
2884 x509.load_pem_x509_certificate,
2885 backend
2886 )
2887 ext = cert.extensions.get_extension_for_oid(
2888 x509.OID_OCSP_NO_CHECK
2889 )
2890 assert isinstance(ext.value, x509.OCSPNoCheck)
2891
2892
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]2893class TestInhibitAnyPolicy(object):
2894 def test_not_int(self):
2895 with pytest.raises(TypeError):
2896 x509.InhibitAnyPolicy("notint")
2897
2898 def test_negative_int(self):
2899 with pytest.raises(ValueError):
2900 x509.InhibitAnyPolicy(-1)
2901
2902 def test_repr(self):
2903 iap = x509.InhibitAnyPolicy(0)
2904 assert repr(iap) == "<InhibitAnyPolicy(skip_certs=0)>"
2905
2906 def test_eq(self):
2907 iap = x509.InhibitAnyPolicy(1)
2908 iap2 = x509.InhibitAnyPolicy(1)
2909 assert iap == iap2
2910
2911 def test_ne(self):
2912 iap = x509.InhibitAnyPolicy(1)
2913 iap2 = x509.InhibitAnyPolicy(4)
2914 assert iap != iap2
2915 assert iap != object()
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]2916
2917
2918@pytest.mark.requires_backend_interface(interface=RSABackend)
2919@pytest.mark.requires_backend_interface(interface=X509Backend)
2920class TestInhibitAnyPolicyExtension(object):
2921 def test_nocheck(self, backend):
2922 cert = _load_cert(
2923 os.path.join(
2924 "x509", "custom", "inhibit_any_policy_5.pem"
2925 ),
2926 x509.load_pem_x509_certificate,
2927 backend
2928 )
2929 iap = cert.extensions.get_extension_for_oid(
2930 x509.OID_INHIBIT_ANY_POLICY
2931 ).value
2932 assert iap.skip_certs == 5
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]2933
2934
2935@pytest.mark.requires_backend_interface(interface=RSABackend)
2936@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1b7500f2015-08-01 20:56:27 +0100[diff] [blame]2937class TestInvalidExtension(object):
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]2938 def test_invalid_certificate_policies_data(self, backend):
2939 cert = _load_cert(
2940 os.path.join(
2941 "x509", "custom", "cp_invalid.pem"
2942 ),
2943 x509.load_pem_x509_certificate,
2944 backend
2945 )
2946 with pytest.raises(ValueError):
2947 cert.extensions