Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / a08693f3a71a6537da9cfa7d9dda7781aef2bcdd / . / tests / test_x509_ext.py
blob: 2980808f3137284ce4d44d316c56385f90d08dc0 [file] [log] [blame]
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]7import binascii
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]8import ipaddress
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]9import os
10
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]11import pytest
12
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]13import six
14
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]15from cryptography import x509
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]16from cryptography.hazmat.backends.interfaces import RSABackend, X509Backend
17
18from .test_x509 import _load_cert
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]19
20
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]21class TestExtension(object):
22 def test_not_an_oid(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]23 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]24 with pytest.raises(TypeError):
25 x509.Extension("notanoid", True, bc)
26
27 def test_critical_not_a_bool(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]28 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]29 with pytest.raises(TypeError):
30 x509.Extension(x509.OID_BASIC_CONSTRAINTS, "notabool", bc)
31
32 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]33 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]34 ext = x509.Extension(x509.OID_BASIC_CONSTRAINTS, True, bc)
35 assert repr(ext) == (
36 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConst"
37 "raints)>, critical=True, value=<BasicConstraints(ca=False, path"
38 "_length=None)>)>"
39 )
40
Paul Kehrer58e870c2015-05-17 09:15:30 -0700[diff] [blame]41 def test_eq(self):
42 ext1 = x509.Extension(
43 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
44 )
45 ext2 = x509.Extension(
46 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
47 )
48 assert ext1 == ext2
49
50 def test_ne(self):
51 ext1 = x509.Extension(
52 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
53 )
54 ext2 = x509.Extension(
55 x509.ObjectIdentifier('1.2.3.5'), False, 'value'
56 )
57 ext3 = x509.Extension(
58 x509.ObjectIdentifier('1.2.3.4'), True, 'value'
59 )
60 ext4 = x509.Extension(
61 x509.ObjectIdentifier('1.2.3.4'), False, 'value4'
62 )
63 assert ext1 != ext2
64 assert ext1 != ext3
65 assert ext1 != ext4
66 assert ext1 != object()
67
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]68
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]69class TestNoticeReference(object):
70 def test_notice_numbers_not_all_int(self):
71 with pytest.raises(TypeError):
72 x509.NoticeReference("org", [1, 2, "three"])
73
74 def test_notice_numbers_none(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]75 with pytest.raises(TypeError):
76 x509.NoticeReference("org", None)
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]77
78 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]79 nr = x509.NoticeReference(u"org", [1, 3, 4])
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]80
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]81 if six.PY3:
82 assert repr(nr) == (
83 "<NoticeReference(organization='org', notice_numbers=[1, 3, 4"
84 "])>"
85 )
86 else:
87 assert repr(nr) == (
88 "<NoticeReference(organization=u'org', notice_numbers=[1, 3, "
89 "4])>"
90 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]91
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]92 def test_eq(self):
93 nr = x509.NoticeReference("org", [1, 2])
94 nr2 = x509.NoticeReference("org", [1, 2])
95 assert nr == nr2
96
97 def test_ne(self):
98 nr = x509.NoticeReference("org", [1, 2])
99 nr2 = x509.NoticeReference("org", [1])
100 nr3 = x509.NoticeReference(None, [1, 2])
101 assert nr != nr2
102 assert nr != nr3
103 assert nr != object()
104
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]105
106class TestUserNotice(object):
107 def test_notice_reference_invalid(self):
108 with pytest.raises(TypeError):
109 x509.UserNotice("invalid", None)
110
111 def test_notice_reference_none(self):
112 un = x509.UserNotice(None, "text")
113 assert un.notice_reference is None
114 assert un.explicit_text == "text"
115
116 def test_repr(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]117 un = x509.UserNotice(x509.NoticeReference(u"org", [1]), u"text")
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]118 if six.PY3:
119 assert repr(un) == (
120 "<UserNotice(notice_reference=<NoticeReference(organization='"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]121 "org', notice_numbers=[1])>, explicit_text='text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]122 )
123 else:
124 assert repr(un) == (
125 "<UserNotice(notice_reference=<NoticeReference(organization=u"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]126 "'org', notice_numbers=[1])>, explicit_text=u'text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]127 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]128
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]129 def test_eq(self):
130 nr = x509.NoticeReference("org", [1, 2])
131 nr2 = x509.NoticeReference("org", [1, 2])
132 un = x509.UserNotice(nr, "text")
133 un2 = x509.UserNotice(nr2, "text")
134 assert un == un2
135
136 def test_ne(self):
137 nr = x509.NoticeReference("org", [1, 2])
138 nr2 = x509.NoticeReference("org", [1])
139 un = x509.UserNotice(nr, "text")
140 un2 = x509.UserNotice(nr2, "text")
141 un3 = x509.UserNotice(nr, "text3")
142 assert un != un2
143 assert un != un3
144 assert un != object()
145
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]146
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]147class TestPolicyInformation(object):
148 def test_invalid_policy_identifier(self):
149 with pytest.raises(TypeError):
150 x509.PolicyInformation("notanoid", None)
151
152 def test_none_policy_qualifiers(self):
153 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), None)
154 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
155 assert pi.policy_qualifiers is None
156
157 def test_policy_qualifiers(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]158 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]159 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
160 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
161 assert pi.policy_qualifiers == pq
162
163 def test_invalid_policy_identifiers(self):
164 with pytest.raises(TypeError):
165 x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [1, 2])
166
167 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]168 pq = [u"string", x509.UserNotice(None, u"hi")]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]169 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]170 if six.PY3:
171 assert repr(pi) == (
172 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
173 "2.3, name=Unknown OID)>, policy_qualifiers=['string', <UserNo"
Paul Kehrer9aaef9e2015-05-11 10:49:20 -0500[diff] [blame]174 "tice(notice_reference=None, explicit_text='hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]175 )
176 else:
177 assert repr(pi) == (
178 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
179 "2.3, name=Unknown OID)>, policy_qualifiers=[u'string', <UserN"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]180 "otice(notice_reference=None, explicit_text=u'hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]181 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]182
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]183 def test_eq(self):
184 pi = x509.PolicyInformation(
185 x509.ObjectIdentifier("1.2.3"),
186 [u"string", x509.UserNotice(None, u"hi")]
187 )
188 pi2 = x509.PolicyInformation(
189 x509.ObjectIdentifier("1.2.3"),
190 [u"string", x509.UserNotice(None, u"hi")]
191 )
192 assert pi == pi2
193
194 def test_ne(self):
195 pi = x509.PolicyInformation(
196 x509.ObjectIdentifier("1.2.3"), [u"string"]
197 )
198 pi2 = x509.PolicyInformation(
199 x509.ObjectIdentifier("1.2.3"), [u"string2"]
200 )
201 pi3 = x509.PolicyInformation(
202 x509.ObjectIdentifier("1.2.3.4"), [u"string"]
203 )
204 assert pi != pi2
205 assert pi != pi3
206 assert pi != object()
207
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]208
209class TestCertificatePolicies(object):
210 def test_invalid_policies(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]211 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]212 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
213 with pytest.raises(TypeError):
214 x509.CertificatePolicies([1, pi])
215
216 def test_iter_len(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]217 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]218 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
219 cp = x509.CertificatePolicies([pi])
220 assert len(cp) == 1
221 for policyinfo in cp:
222 assert policyinfo == pi
223
224 def test_repr(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]225 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]226 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
227 cp = x509.CertificatePolicies([pi])
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]228 if six.PY3:
229 assert repr(cp) == (
230 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
231 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
232 "ers=['string'])>])>"
233 )
234 else:
235 assert repr(cp) == (
236 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
237 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
238 "ers=[u'string'])>])>"
239 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]240
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]241 def test_eq(self):
242 pi = x509.PolicyInformation(
243 x509.ObjectIdentifier("1.2.3"), [u"string"]
244 )
245 cp = x509.CertificatePolicies([pi])
246 pi2 = x509.PolicyInformation(
247 x509.ObjectIdentifier("1.2.3"), [u"string"]
248 )
249 cp2 = x509.CertificatePolicies([pi2])
250 assert cp == cp2
251
252 def test_ne(self):
253 pi = x509.PolicyInformation(
254 x509.ObjectIdentifier("1.2.3"), [u"string"]
255 )
256 cp = x509.CertificatePolicies([pi])
257 pi2 = x509.PolicyInformation(
258 x509.ObjectIdentifier("1.2.3"), [u"string2"]
259 )
260 cp2 = x509.CertificatePolicies([pi2])
261 assert cp != cp2
262 assert cp != object()
263
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]264
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]265@pytest.mark.requires_backend_interface(interface=RSABackend)
266@pytest.mark.requires_backend_interface(interface=X509Backend)
267class TestCertificatePoliciesExtension(object):
268 def test_cps_uri_policy_qualifier(self, backend):
269 cert = _load_cert(
270 os.path.join("x509", "custom", "cp_cps_uri.pem"),
271 x509.load_pem_x509_certificate,
272 backend
273 )
274
275 cp = cert.extensions.get_extension_for_oid(
276 x509.OID_CERTIFICATE_POLICIES
277 ).value
278
279 assert cp == x509.CertificatePolicies([
280 x509.PolicyInformation(
281 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
282 [u"http://other.com/cps"]
283 )
284 ])
285
286 def test_user_notice_with_notice_reference(self, backend):
287 cert = _load_cert(
288 os.path.join(
289 "x509", "custom", "cp_user_notice_with_notice_reference.pem"
290 ),
291 x509.load_pem_x509_certificate,
292 backend
293 )
294
295 cp = cert.extensions.get_extension_for_oid(
296 x509.OID_CERTIFICATE_POLICIES
297 ).value
298
299 assert cp == x509.CertificatePolicies([
300 x509.PolicyInformation(
301 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
302 [
303 u"http://example.com/cps",
304 u"http://other.com/cps",
305 x509.UserNotice(
306 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
307 u"thing"
308 )
309 ]
310 )
311 ])
312
313 def test_user_notice_with_explicit_text(self, backend):
314 cert = _load_cert(
315 os.path.join(
316 "x509", "custom", "cp_user_notice_with_explicit_text.pem"
317 ),
318 x509.load_pem_x509_certificate,
319 backend
320 )
321
322 cp = cert.extensions.get_extension_for_oid(
323 x509.OID_CERTIFICATE_POLICIES
324 ).value
325
326 assert cp == x509.CertificatePolicies([
327 x509.PolicyInformation(
328 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
329 [x509.UserNotice(None, u"thing")]
330 )
331 ])
332
333 def test_user_notice_no_explicit_text(self, backend):
334 cert = _load_cert(
335 os.path.join(
336 "x509", "custom", "cp_user_notice_no_explicit_text.pem"
337 ),
338 x509.load_pem_x509_certificate,
339 backend
340 )
341
342 cp = cert.extensions.get_extension_for_oid(
343 x509.OID_CERTIFICATE_POLICIES
344 ).value
345
346 assert cp == x509.CertificatePolicies([
347 x509.PolicyInformation(
348 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
349 [
350 x509.UserNotice(
351 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
352 None
353 )
354 ]
355 )
356 ])
357
358
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]359class TestKeyUsage(object):
360 def test_key_agreement_false_encipher_decipher_true(self):
361 with pytest.raises(ValueError):
362 x509.KeyUsage(
363 digital_signature=False,
364 content_commitment=False,
365 key_encipherment=False,
366 data_encipherment=False,
367 key_agreement=False,
368 key_cert_sign=False,
369 crl_sign=False,
370 encipher_only=True,
371 decipher_only=False
372 )
373
374 with pytest.raises(ValueError):
375 x509.KeyUsage(
376 digital_signature=False,
377 content_commitment=False,
378 key_encipherment=False,
379 data_encipherment=False,
380 key_agreement=False,
381 key_cert_sign=False,
382 crl_sign=False,
383 encipher_only=True,
384 decipher_only=True
385 )
386
387 with pytest.raises(ValueError):
388 x509.KeyUsage(
389 digital_signature=False,
390 content_commitment=False,
391 key_encipherment=False,
392 data_encipherment=False,
393 key_agreement=False,
394 key_cert_sign=False,
395 crl_sign=False,
396 encipher_only=False,
397 decipher_only=True
398 )
399
400 def test_properties_key_agreement_true(self):
401 ku = x509.KeyUsage(
402 digital_signature=True,
403 content_commitment=True,
404 key_encipherment=False,
405 data_encipherment=False,
406 key_agreement=False,
407 key_cert_sign=True,
408 crl_sign=False,
409 encipher_only=False,
410 decipher_only=False
411 )
412 assert ku.digital_signature is True
413 assert ku.content_commitment is True
414 assert ku.key_encipherment is False
415 assert ku.data_encipherment is False
416 assert ku.key_agreement is False
417 assert ku.key_cert_sign is True
418 assert ku.crl_sign is False
419
420 def test_key_agreement_true_properties(self):
421 ku = x509.KeyUsage(
422 digital_signature=False,
423 content_commitment=False,
424 key_encipherment=False,
425 data_encipherment=False,
426 key_agreement=True,
427 key_cert_sign=False,
428 crl_sign=False,
429 encipher_only=False,
430 decipher_only=True
431 )
432 assert ku.key_agreement is True
433 assert ku.encipher_only is False
434 assert ku.decipher_only is True
435
436 def test_key_agreement_false_properties(self):
437 ku = x509.KeyUsage(
438 digital_signature=False,
439 content_commitment=False,
440 key_encipherment=False,
441 data_encipherment=False,
442 key_agreement=False,
443 key_cert_sign=False,
444 crl_sign=False,
445 encipher_only=False,
446 decipher_only=False
447 )
448 assert ku.key_agreement is False
449 with pytest.raises(ValueError):
450 ku.encipher_only
451
452 with pytest.raises(ValueError):
453 ku.decipher_only
454
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]455 def test_repr_key_agreement_false(self):
456 ku = x509.KeyUsage(
457 digital_signature=True,
458 content_commitment=True,
459 key_encipherment=False,
460 data_encipherment=False,
461 key_agreement=False,
462 key_cert_sign=True,
463 crl_sign=False,
464 encipher_only=False,
465 decipher_only=False
466 )
467 assert repr(ku) == (
468 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
469 "cipherment=False, data_encipherment=False, key_agreement=False, k"
Paul Kehrerb372e672015-04-15 11:05:24 -0400[diff] [blame]470 "ey_cert_sign=True, crl_sign=False, encipher_only=None, decipher_o"
471 "nly=None)>"
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]472 )
473
474 def test_repr_key_agreement_true(self):
475 ku = x509.KeyUsage(
476 digital_signature=True,
477 content_commitment=True,
478 key_encipherment=False,
479 data_encipherment=False,
480 key_agreement=True,
481 key_cert_sign=True,
482 crl_sign=False,
483 encipher_only=False,
484 decipher_only=False
485 )
486 assert repr(ku) == (
487 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
488 "cipherment=False, data_encipherment=False, key_agreement=True, k"
489 "ey_cert_sign=True, crl_sign=False, encipher_only=False, decipher_"
490 "only=False)>"
491 )
492
Paul Kehrer8565f5e2015-05-13 09:57:09 -0500[diff] [blame]493 def test_eq(self):
494 ku = x509.KeyUsage(
495 digital_signature=False,
496 content_commitment=False,
497 key_encipherment=False,
498 data_encipherment=False,
499 key_agreement=True,
500 key_cert_sign=False,
501 crl_sign=False,
502 encipher_only=False,
503 decipher_only=True
504 )
505 ku2 = x509.KeyUsage(
506 digital_signature=False,
507 content_commitment=False,
508 key_encipherment=False,
509 data_encipherment=False,
510 key_agreement=True,
511 key_cert_sign=False,
512 crl_sign=False,
513 encipher_only=False,
514 decipher_only=True
515 )
516 assert ku == ku2
517
518 def test_ne(self):
519 ku = x509.KeyUsage(
520 digital_signature=False,
521 content_commitment=False,
522 key_encipherment=False,
523 data_encipherment=False,
524 key_agreement=True,
525 key_cert_sign=False,
526 crl_sign=False,
527 encipher_only=False,
528 decipher_only=True
529 )
530 ku2 = x509.KeyUsage(
531 digital_signature=False,
532 content_commitment=False,
533 key_encipherment=False,
534 data_encipherment=False,
535 key_agreement=False,
536 key_cert_sign=False,
537 crl_sign=False,
538 encipher_only=False,
539 decipher_only=False
540 )
541 assert ku != ku2
542 assert ku != object()
543
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]544
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]545class TestSubjectKeyIdentifier(object):
546 def test_properties(self):
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]547 value = binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]548 ski = x509.SubjectKeyIdentifier(value)
549 assert ski.digest == value
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]550
551 def test_repr(self):
552 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]553 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]554 )
555 ext = x509.Extension(x509.OID_SUBJECT_KEY_IDENTIFIER, False, ski)
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]556 if six.PY3:
557 assert repr(ext) == (
558 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
559 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
560 "igest=b\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
561 "\\xf7\\xff:\\xc9\')>)>"
562 )
563 else:
564 assert repr(ext) == (
565 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
566 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
567 "igest=\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
568 "\\xf7\\xff:\\xc9\')>)>"
569 )
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]570
571 def test_eq(self):
572 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]573 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]574 )
575 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]576 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]577 )
578 assert ski == ski2
579
580 def test_ne(self):
581 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]582 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]583 )
584 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]585 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]586 )
587 assert ski != ski2
588 assert ski != object()
589
590
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]591class TestAuthorityKeyIdentifier(object):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]592 def test_authority_cert_issuer_not_generalname(self):
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]593 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]594 x509.AuthorityKeyIdentifier(b"identifier", ["notname"], 3)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]595
596 def test_authority_cert_serial_number_not_integer(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]597 dirname = x509.DirectoryName(
598 x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]599 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
600 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]601 ])
602 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]603 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]604 x509.AuthorityKeyIdentifier(b"identifier", [dirname], "notanint")
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]605
606 def test_authority_issuer_none_serial_not_none(self):
607 with pytest.raises(ValueError):
608 x509.AuthorityKeyIdentifier(b"identifier", None, 3)
609
610 def test_authority_issuer_not_none_serial_none(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]611 dirname = x509.DirectoryName(
612 x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]613 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
614 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]615 ])
616 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]617 with pytest.raises(ValueError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]618 x509.AuthorityKeyIdentifier(b"identifier", [dirname], None)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]619
620 def test_authority_cert_serial_and_issuer_none(self):
621 aki = x509.AuthorityKeyIdentifier(b"id", None, None)
622 assert aki.key_identifier == b"id"
623 assert aki.authority_cert_issuer is None
624 assert aki.authority_cert_serial_number is None
625
626 def test_repr(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]627 dirname = x509.DirectoryName(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]628 x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, u'myCN')])
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]629 )
630 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]631
632 if six.PY3:
633 assert repr(aki) == (
634 "<AuthorityKeyIdentifier(key_identifier=b'digest', authority_"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]635 "cert_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid="
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]636 "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value='myC"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]637 "N')>])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]638 )
639 else:
640 assert repr(aki) == (
641 "<AuthorityKeyIdentifier(key_identifier='digest', authority_ce"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]642 "rt_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid=<Ob"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]643 "jectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'myCN')"
644 ">])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]645 )
646
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]647 def test_eq(self):
648 dirname = x509.DirectoryName(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]649 x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]650 )
651 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
652 dirname2 = x509.DirectoryName(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]653 x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]654 )
655 aki2 = x509.AuthorityKeyIdentifier(b"digest", [dirname2], 1234)
656 assert aki == aki2
657
658 def test_ne(self):
659 dirname = x509.DirectoryName(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]660 x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]661 )
662 dirname5 = x509.DirectoryName(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]663 x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, u'aCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]664 )
665 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
666 aki2 = x509.AuthorityKeyIdentifier(b"diges", [dirname], 1234)
667 aki3 = x509.AuthorityKeyIdentifier(b"digest", None, None)
668 aki4 = x509.AuthorityKeyIdentifier(b"digest", [dirname], 12345)
669 aki5 = x509.AuthorityKeyIdentifier(b"digest", [dirname5], 12345)
670 assert aki != aki2
671 assert aki != aki3
672 assert aki != aki4
673 assert aki != aki5
674 assert aki != object()
675
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]676
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]677class TestBasicConstraints(object):
678 def test_ca_not_boolean(self):
679 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]680 x509.BasicConstraints(ca="notbool", path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]681
682 def test_path_length_not_ca(self):
683 with pytest.raises(ValueError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]684 x509.BasicConstraints(ca=False, path_length=0)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]685
686 def test_path_length_not_int(self):
687 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]688 x509.BasicConstraints(ca=True, path_length=1.1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]689
690 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]691 x509.BasicConstraints(ca=True, path_length="notint")
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]692
693 def test_path_length_negative(self):
694 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]695 x509.BasicConstraints(ca=True, path_length=-1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]696
697 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]698 na = x509.BasicConstraints(ca=True, path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]699 assert repr(na) == (
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]700 "<BasicConstraints(ca=True, path_length=None)>"
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]701 )
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]702
Paul Kehrer3a69b132015-05-13 10:03:46 -0500[diff] [blame]703 def test_eq(self):
704 na = x509.BasicConstraints(ca=True, path_length=None)
705 na2 = x509.BasicConstraints(ca=True, path_length=None)
706 assert na == na2
707
708 def test_ne(self):
709 na = x509.BasicConstraints(ca=True, path_length=None)
710 na2 = x509.BasicConstraints(ca=True, path_length=1)
711 na3 = x509.BasicConstraints(ca=False, path_length=None)
712 assert na != na2
713 assert na != na3
714 assert na != object()
715
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]716
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]717class TestExtendedKeyUsage(object):
718 def test_not_all_oids(self):
719 with pytest.raises(TypeError):
720 x509.ExtendedKeyUsage(["notoid"])
721
722 def test_iter_len(self):
723 eku = x509.ExtendedKeyUsage([
724 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
725 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
726 ])
727 assert len(eku) == 2
728 assert list(eku) == [
729 x509.OID_SERVER_AUTH,
730 x509.OID_CLIENT_AUTH
731 ]
732
Paul Kehrer23d10c32015-04-02 23:12:32 -0500[diff] [blame]733 def test_repr(self):
734 eku = x509.ExtendedKeyUsage([
735 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
736 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
737 ])
738 assert repr(eku) == (
739 "<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name="
740 "serverAuth)>, <ObjectIdentifier(oid=1.3.6.1.5.5.7.3.2, name=clien"
741 "tAuth)>])>"
742 )
743
Paul Kehrerb0476172015-05-02 19:34:51 -0500[diff] [blame]744 def test_eq(self):
745 eku = x509.ExtendedKeyUsage([
746 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
747 ])
748 eku2 = x509.ExtendedKeyUsage([
749 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
750 ])
751 assert eku == eku2
752
753 def test_ne(self):
754 eku = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6")])
755 eku2 = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6.1")])
756 assert eku != eku2
757 assert eku != object()
758
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]759
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]760@pytest.mark.requires_backend_interface(interface=RSABackend)
761@pytest.mark.requires_backend_interface(interface=X509Backend)
762class TestExtensions(object):
763 def test_no_extensions(self, backend):
764 cert = _load_cert(
765 os.path.join("x509", "verisign_md2_root.pem"),
766 x509.load_pem_x509_certificate,
767 backend
768 )
769 ext = cert.extensions
770 assert len(ext) == 0
771 assert list(ext) == []
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]772 with pytest.raises(x509.ExtensionNotFound) as exc:
773 ext.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
774
775 assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS
776
777 def test_one_extension(self, backend):
778 cert = _load_cert(
779 os.path.join(
780 "x509", "custom", "basic_constraints_not_critical.pem"
781 ),
782 x509.load_pem_x509_certificate,
783 backend
784 )
785 extensions = cert.extensions
786 ext = extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
787 assert ext is not None
788 assert ext.value.ca is False
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]789
790 def test_duplicate_extension(self, backend):
791 cert = _load_cert(
792 os.path.join(
793 "x509", "custom", "two_basic_constraints.pem"
794 ),
795 x509.load_pem_x509_certificate,
796 backend
797 )
798 with pytest.raises(x509.DuplicateExtension) as exc:
799 cert.extensions
800
801 assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS
802
803 def test_unsupported_critical_extension(self, backend):
804 cert = _load_cert(
805 os.path.join(
806 "x509", "custom", "unsupported_extension_critical.pem"
807 ),
808 x509.load_pem_x509_certificate,
809 backend
810 )
811 with pytest.raises(x509.UnsupportedExtension) as exc:
812 cert.extensions
813
814 assert exc.value.oid == x509.ObjectIdentifier("1.2.3.4")
815
816 def test_unsupported_extension(self, backend):
817 # TODO: this will raise an exception when all extensions are complete
818 cert = _load_cert(
819 os.path.join(
820 "x509", "custom", "unsupported_extension.pem"
821 ),
822 x509.load_pem_x509_certificate,
823 backend
824 )
825 extensions = cert.extensions
826 assert len(extensions) == 0
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]827
828
829@pytest.mark.requires_backend_interface(interface=RSABackend)
830@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerde813ea2015-03-28 12:44:34 -0500[diff] [blame]831class TestBasicConstraintsExtension(object):
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]832 def test_ca_true_pathlen_6(self, backend):
833 cert = _load_cert(
834 os.path.join(
835 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
836 ),
837 x509.load_der_x509_certificate,
838 backend
839 )
840 ext = cert.extensions.get_extension_for_oid(
841 x509.OID_BASIC_CONSTRAINTS
842 )
843 assert ext is not None
844 assert ext.critical is True
845 assert ext.value.ca is True
846 assert ext.value.path_length == 6
847
848 def test_path_length_zero(self, backend):
849 cert = _load_cert(
850 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
851 x509.load_pem_x509_certificate,
852 backend
853 )
854 ext = cert.extensions.get_extension_for_oid(
855 x509.OID_BASIC_CONSTRAINTS
856 )
857 assert ext is not None
858 assert ext.critical is True
859 assert ext.value.ca is True
860 assert ext.value.path_length == 0
861
862 def test_ca_true_no_pathlen(self, backend):
863 cert = _load_cert(
864 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
865 x509.load_der_x509_certificate,
866 backend
867 )
868 ext = cert.extensions.get_extension_for_oid(
869 x509.OID_BASIC_CONSTRAINTS
870 )
871 assert ext is not None
872 assert ext.critical is True
873 assert ext.value.ca is True
874 assert ext.value.path_length is None
875
876 def test_ca_false(self, backend):
877 cert = _load_cert(
878 os.path.join("x509", "cryptography.io.pem"),
879 x509.load_pem_x509_certificate,
880 backend
881 )
882 ext = cert.extensions.get_extension_for_oid(
883 x509.OID_BASIC_CONSTRAINTS
884 )
885 assert ext is not None
886 assert ext.critical is True
887 assert ext.value.ca is False
888 assert ext.value.path_length is None
889
890 def test_no_basic_constraints(self, backend):
891 cert = _load_cert(
892 os.path.join(
893 "x509",
894 "PKITS_data",
895 "certs",
896 "ValidCertificatePathTest1EE.crt"
897 ),
898 x509.load_der_x509_certificate,
899 backend
900 )
901 with pytest.raises(x509.ExtensionNotFound):
902 cert.extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
903
904 def test_basic_constraint_not_critical(self, backend):
905 cert = _load_cert(
906 os.path.join(
907 "x509", "custom", "basic_constraints_not_critical.pem"
908 ),
909 x509.load_pem_x509_certificate,
910 backend
911 )
912 ext = cert.extensions.get_extension_for_oid(
913 x509.OID_BASIC_CONSTRAINTS
914 )
915 assert ext is not None
916 assert ext.critical is False
917 assert ext.value.ca is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]918
919
920@pytest.mark.requires_backend_interface(interface=RSABackend)
921@pytest.mark.requires_backend_interface(interface=X509Backend)
922class TestSubjectKeyIdentifierExtension(object):
923 def test_subject_key_identifier(self, backend):
924 cert = _load_cert(
925 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
926 x509.load_der_x509_certificate,
927 backend
928 )
929 ext = cert.extensions.get_extension_for_oid(
930 x509.OID_SUBJECT_KEY_IDENTIFIER
931 )
932 ski = ext.value
933 assert ext is not None
934 assert ext.critical is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]935 assert ski.digest == binascii.unhexlify(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]936 b"580184241bbc2b52944a3da510721451f5af3ac9"
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]937 )
938
939 def test_no_subject_key_identifier(self, backend):
940 cert = _load_cert(
941 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
942 x509.load_pem_x509_certificate,
943 backend
944 )
945 with pytest.raises(x509.ExtensionNotFound):
946 cert.extensions.get_extension_for_oid(
947 x509.OID_SUBJECT_KEY_IDENTIFIER
948 )
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]949
950
951@pytest.mark.requires_backend_interface(interface=RSABackend)
952@pytest.mark.requires_backend_interface(interface=X509Backend)
953class TestKeyUsageExtension(object):
954 def test_no_key_usage(self, backend):
955 cert = _load_cert(
956 os.path.join("x509", "verisign_md2_root.pem"),
957 x509.load_pem_x509_certificate,
958 backend
959 )
960 ext = cert.extensions
961 with pytest.raises(x509.ExtensionNotFound) as exc:
962 ext.get_extension_for_oid(x509.OID_KEY_USAGE)
963
964 assert exc.value.oid == x509.OID_KEY_USAGE
965
966 def test_all_purposes(self, backend):
967 cert = _load_cert(
968 os.path.join(
969 "x509", "custom", "all_key_usages.pem"
970 ),
971 x509.load_pem_x509_certificate,
972 backend
973 )
974 extensions = cert.extensions
975 ext = extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
976 assert ext is not None
977
978 ku = ext.value
979 assert ku.digital_signature is True
980 assert ku.content_commitment is True
981 assert ku.key_encipherment is True
982 assert ku.data_encipherment is True
983 assert ku.key_agreement is True
984 assert ku.key_cert_sign is True
985 assert ku.crl_sign is True
986 assert ku.encipher_only is True
987 assert ku.decipher_only is True
988
989 def test_key_cert_sign_crl_sign(self, backend):
990 cert = _load_cert(
991 os.path.join(
992 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
993 ),
994 x509.load_der_x509_certificate,
995 backend
996 )
997 ext = cert.extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
998 assert ext is not None
999 assert ext.critical is True
1000
1001 ku = ext.value
1002 assert ku.digital_signature is False
1003 assert ku.content_commitment is False
1004 assert ku.key_encipherment is False
1005 assert ku.data_encipherment is False
1006 assert ku.key_agreement is False
1007 assert ku.key_cert_sign is True
1008 assert ku.crl_sign is True
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1009
1010
1011@pytest.mark.parametrize(
1012 "name", [
1013 x509.RFC822Name,
1014 x509.DNSName,
1015 x509.UniformResourceIdentifier
1016 ]
1017)
1018class TestTextGeneralNames(object):
1019 def test_not_text(self, name):
1020 with pytest.raises(TypeError):
1021 name(b"notaunicodestring")
1022
1023 with pytest.raises(TypeError):
1024 name(1.3)
1025
1026 def test_repr(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1027 gn = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1028 assert repr(gn) == "<{0}(value=string)>".format(name.__name__)
1029
1030 def test_eq(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1031 gn = name(u"string")
1032 gn2 = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1033 assert gn == gn2
1034
1035 def test_ne(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1036 gn = name(u"string")
1037 gn2 = name(u"string2")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1038 assert gn != gn2
1039 assert gn != object()
1040
1041
1042class TestDirectoryName(object):
1043 def test_not_name(self):
1044 with pytest.raises(TypeError):
1045 x509.DirectoryName(b"notaname")
1046
1047 with pytest.raises(TypeError):
1048 x509.DirectoryName(1.3)
1049
1050 def test_repr(self):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1051 name = x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, u'value1')])
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1052 gn = x509.DirectoryName(x509.Name([name]))
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]1053 if six.PY3:
1054 assert repr(gn) == (
1055 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1056 "Identifier(oid=2.5.4.3, name=commonName)>, value='value1')>])"
1057 ">])>)>"
1058 )
1059 else:
1060 assert repr(gn) == (
1061 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1062 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'value1')>]"
1063 ")>])>)>"
1064 )
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1065
1066 def test_eq(self):
1067 name = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1068 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1069 ])
1070 name2 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1071 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1072 ])
1073 gn = x509.DirectoryName(x509.Name([name]))
1074 gn2 = x509.DirectoryName(x509.Name([name2]))
1075 assert gn == gn2
1076
1077 def test_ne(self):
1078 name = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1079 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1080 ])
1081 name2 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1082 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value2')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1083 ])
1084 gn = x509.DirectoryName(x509.Name([name]))
1085 gn2 = x509.DirectoryName(x509.Name([name2]))
1086 assert gn != gn2
1087 assert gn != object()
1088
1089
Paul Kehrer01d5d0b2015-07-12 09:41:21 -0500[diff] [blame]1090class TestRFC822Name(object):
1091 def test_invalid_email(self):
1092 with pytest.raises(ValueError):
1093 x509.RFC822Name(u"Name <email>")
1094
1095 with pytest.raises(ValueError):
1096 x509.RFC822Name(u"")
1097
1098 def test_single_label(self):
1099 gn = x509.RFC822Name(u"administrator")
1100 assert gn.value == u"administrator"
1101
1102 def test_idna(self):
1103 gn = x509.RFC822Name(u"email@em\xe5\xefl.com")
1104 assert gn.value == u"email@em\xe5\xefl.com"
1105 assert gn._encoded == b"email@xn--eml-vla4c.com"
1106
1107
Paul Kehrere28d6c42015-07-12 14:59:37 -0500[diff] [blame]1108class TestUniformResourceIdentifier(object):
1109 def test_no_parsed_hostname(self):
1110 gn = x509.UniformResourceIdentifier(u"singlelabel")
1111 assert gn.value == u"singlelabel"
1112
1113 def test_with_port(self):
1114 gn = x509.UniformResourceIdentifier(u"singlelabel:443/test")
1115 assert gn.value == u"singlelabel:443/test"
1116
1117 def test_idna_no_port(self):
1118 gn = x509.UniformResourceIdentifier(
1119 u"http://\u043f\u044b\u043a\u0430.cryptography"
1120 )
1121 assert gn.value == u"http://\u043f\u044b\u043a\u0430.cryptography"
1122 assert gn._encoded == b"http://xn--80ato2c.cryptography"
1123
1124 def test_idna_with_port(self):
1125 gn = x509.UniformResourceIdentifier(
1126 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1127 )
1128 assert gn.value == (
1129 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1130 )
1131 assert gn._encoded == b"gopher://xn--80ato2c.cryptography:70/some/path"
1132
1133 def test_query_and_fragment(self):
1134 gn = x509.UniformResourceIdentifier(
1135 u"ldap://cryptography:90/path?query=true#somedata"
1136 )
1137 assert gn.value == u"ldap://cryptography:90/path?query=true#somedata"
1138
1139
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1140class TestRegisteredID(object):
1141 def test_not_oid(self):
1142 with pytest.raises(TypeError):
1143 x509.RegisteredID(b"notanoid")
1144
1145 with pytest.raises(TypeError):
1146 x509.RegisteredID(1.3)
1147
1148 def test_repr(self):
1149 gn = x509.RegisteredID(x509.OID_COMMON_NAME)
1150 assert repr(gn) == (
1151 "<RegisteredID(value=<ObjectIdentifier(oid=2.5.4.3, name=commonNam"
1152 "e)>)>"
1153 )
1154
1155 def test_eq(self):
1156 gn = x509.RegisteredID(x509.OID_COMMON_NAME)
1157 gn2 = x509.RegisteredID(x509.OID_COMMON_NAME)
1158 assert gn == gn2
1159
1160 def test_ne(self):
1161 gn = x509.RegisteredID(x509.OID_COMMON_NAME)
1162 gn2 = x509.RegisteredID(x509.OID_BASIC_CONSTRAINTS)
1163 assert gn != gn2
1164 assert gn != object()
1165
1166
1167class TestIPAddress(object):
1168 def test_not_ipaddress(self):
1169 with pytest.raises(TypeError):
1170 x509.IPAddress(b"notanipaddress")
1171
1172 with pytest.raises(TypeError):
1173 x509.IPAddress(1.3)
1174
1175 def test_repr(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1176 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1177 assert repr(gn) == "<IPAddress(value=127.0.0.1)>"
1178
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1179 gn2 = x509.IPAddress(ipaddress.IPv6Address(u"ff::"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1180 assert repr(gn2) == "<IPAddress(value=ff::)>"
1181
Paul Kehrereb177932015-05-17 18:33:33 -0700[diff] [blame]1182 gn3 = x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24"))
1183 assert repr(gn3) == "<IPAddress(value=192.168.0.0/24)>"
1184
1185 gn4 = x509.IPAddress(ipaddress.IPv6Network(u"ff::/96"))
1186 assert repr(gn4) == "<IPAddress(value=ff::/96)>"
1187
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1188 def test_eq(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1189 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1190 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1191 assert gn == gn2
1192
1193 def test_ne(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1194 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1195 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.2"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1196 assert gn != gn2
1197 assert gn != object()
1198
1199
Joshua Tauberer18b6fc82015-07-05 21:44:51 +0000[diff] [blame]1200class TestOtherName(object):
1201 def test_invalid_args(self):
1202 with pytest.raises(TypeError):
1203 x509.OtherName(b"notanobjectidentifier", b"derdata")
1204
1205 with pytest.raises(TypeError):
1206 x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), u"notderdata")
1207
1208 def test_repr(self):
1209 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1210 if six.PY3:
1211 assert repr(gn) == (
1212 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1213 "name=Unknown OID)>, value=b'derdata')>"
1214 )
1215 else:
1216 assert repr(gn) == (
1217 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1218 "name=Unknown OID)>, value='derdata')>"
1219 )
1220
1221 gn = x509.OtherName(x509.ObjectIdentifier("2.5.4.65"), b"derdata")
1222 if six.PY3:
1223 assert repr(gn) == (
1224 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1225 "name=pseudonym)>, value=b'derdata')>"
1226 )
1227 else:
1228 assert repr(gn) == (
1229 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1230 "name=pseudonym)>, value='derdata')>"
1231 )
1232
1233 def test_eq(self):
1234 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1235 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1236 assert gn == gn2
1237
1238 def test_ne(self):
1239 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1240 assert gn != object()
1241
1242 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata2")
1243 assert gn != gn2
1244
1245 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.5"), b"derdata")
1246 assert gn != gn2
1247
1248
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1249class TestGeneralNames(object):
1250 def test_get_values_for_type(self):
1251 gns = x509.GeneralNames(
1252 [x509.DNSName(u"cryptography.io")]
1253 )
1254 names = gns.get_values_for_type(x509.DNSName)
1255 assert names == [u"cryptography.io"]
1256
1257 def test_iter_names(self):
1258 gns = x509.GeneralNames([
1259 x509.DNSName(u"cryptography.io"),
1260 x509.DNSName(u"crypto.local"),
1261 ])
1262 assert len(gns) == 2
1263 assert list(gns) == [
1264 x509.DNSName(u"cryptography.io"),
1265 x509.DNSName(u"crypto.local"),
1266 ]
1267
1268 def test_invalid_general_names(self):
1269 with pytest.raises(TypeError):
1270 x509.GeneralNames(
1271 [x509.DNSName(u"cryptography.io"), "invalid"]
1272 )
1273
1274 def test_repr(self):
1275 gns = x509.GeneralNames(
1276 [
1277 x509.DNSName(u"cryptography.io")
1278 ]
1279 )
1280 assert repr(gns) == (
1281 "<GeneralNames([<DNSName(value=cryptography.io)>])>"
1282 )
1283
1284 def test_eq(self):
1285 gns = x509.GeneralNames(
1286 [x509.DNSName(u"cryptography.io")]
1287 )
1288 gns2 = x509.GeneralNames(
1289 [x509.DNSName(u"cryptography.io")]
1290 )
1291 assert gns == gns2
1292
1293 def test_ne(self):
1294 gns = x509.GeneralNames(
1295 [x509.DNSName(u"cryptography.io")]
1296 )
1297 gns2 = x509.GeneralNames(
1298 [x509.RFC822Name(u"admin@cryptography.io")]
1299 )
1300 assert gns != gns2
1301 assert gns != object()
1302
1303
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1304class TestIssuerAlternativeName(object):
1305 def test_get_values_for_type(self):
1306 san = x509.IssuerAlternativeName(
1307 [x509.DNSName(u"cryptography.io")]
1308 )
1309 names = san.get_values_for_type(x509.DNSName)
1310 assert names == [u"cryptography.io"]
1311
1312 def test_iter_names(self):
1313 san = x509.IssuerAlternativeName([
1314 x509.DNSName(u"cryptography.io"),
1315 x509.DNSName(u"crypto.local"),
1316 ])
1317 assert len(san) == 2
1318 assert list(san) == [
1319 x509.DNSName(u"cryptography.io"),
1320 x509.DNSName(u"crypto.local"),
1321 ]
1322
1323 def test_invalid_general_names(self):
1324 with pytest.raises(TypeError):
1325 x509.IssuerAlternativeName(
1326 [x509.DNSName(u"cryptography.io"), "invalid"]
1327 )
1328
1329 def test_repr(self):
1330 san = x509.IssuerAlternativeName(
1331 [
1332 x509.DNSName(u"cryptography.io")
1333 ]
1334 )
1335 assert repr(san) == (
1336 "<IssuerAlternativeName("
1337 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
1338 )
1339
1340 def test_eq(self):
1341 san = x509.IssuerAlternativeName(
1342 [x509.DNSName(u"cryptography.io")]
1343 )
1344 san2 = x509.IssuerAlternativeName(
1345 [x509.DNSName(u"cryptography.io")]
1346 )
1347 assert san == san2
1348
1349 def test_ne(self):
1350 san = x509.IssuerAlternativeName(
1351 [x509.DNSName(u"cryptography.io")]
1352 )
1353 san2 = x509.IssuerAlternativeName(
1354 [x509.RFC822Name(u"admin@cryptography.io")]
1355 )
1356 assert san != san2
1357 assert san != object()
1358
1359
Alex Gaynorf1c17672015-06-20 14:20:20 -0400[diff] [blame]1360@pytest.mark.requires_backend_interface(interface=RSABackend)
1361@pytest.mark.requires_backend_interface(interface=X509Backend)
1362class TestRSAIssuerAlternativeNameExtension(object):
1363 def test_uri(self, backend):
1364 cert = _load_cert(
1365 os.path.join("x509", "custom", "ian_uri.pem"),
1366 x509.load_pem_x509_certificate,
1367 backend,
1368 )
1369 ext = cert.extensions.get_extension_for_oid(
1370 x509.OID_ISSUER_ALTERNATIVE_NAME
1371 )
1372 assert list(ext.value) == [
1373 x509.UniformResourceIdentifier(u"http://path.to.root/root.crt"),
1374 ]
1375
1376
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1377class TestSubjectAlternativeName(object):
1378 def test_get_values_for_type(self):
1379 san = x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1380 [x509.DNSName(u"cryptography.io")]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1381 )
1382 names = san.get_values_for_type(x509.DNSName)
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1383 assert names == [u"cryptography.io"]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1384
1385 def test_iter_names(self):
1386 san = x509.SubjectAlternativeName([
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1387 x509.DNSName(u"cryptography.io"),
1388 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1389 ])
1390 assert len(san) == 2
1391 assert list(san) == [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1392 x509.DNSName(u"cryptography.io"),
1393 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1394 ]
1395
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1396 def test_invalid_general_names(self):
1397 with pytest.raises(TypeError):
1398 x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1399 [x509.DNSName(u"cryptography.io"), "invalid"]
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1400 )
1401
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1402 def test_repr(self):
1403 san = x509.SubjectAlternativeName(
1404 [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1405 x509.DNSName(u"cryptography.io")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1406 ]
1407 )
1408 assert repr(san) == (
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1409 "<SubjectAlternativeName("
1410 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1411 )
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1412
Paul Kehrer58cc3972015-05-13 10:00:41 -0500[diff] [blame]1413 def test_eq(self):
1414 san = x509.SubjectAlternativeName(
1415 [x509.DNSName(u"cryptography.io")]
1416 )
1417 san2 = x509.SubjectAlternativeName(
1418 [x509.DNSName(u"cryptography.io")]
1419 )
1420 assert san == san2
1421
1422 def test_ne(self):
1423 san = x509.SubjectAlternativeName(
1424 [x509.DNSName(u"cryptography.io")]
1425 )
1426 san2 = x509.SubjectAlternativeName(
1427 [x509.RFC822Name(u"admin@cryptography.io")]
1428 )
1429 assert san != san2
1430 assert san != object()
1431
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1432
1433@pytest.mark.requires_backend_interface(interface=RSABackend)
1434@pytest.mark.requires_backend_interface(interface=X509Backend)
1435class TestRSASubjectAlternativeNameExtension(object):
1436 def test_dns_name(self, backend):
1437 cert = _load_cert(
1438 os.path.join("x509", "cryptography.io.pem"),
1439 x509.load_pem_x509_certificate,
1440 backend
1441 )
1442 ext = cert.extensions.get_extension_for_oid(
1443 x509.OID_SUBJECT_ALTERNATIVE_NAME
1444 )
1445 assert ext is not None
1446 assert ext.critical is False
1447
1448 san = ext.value
1449
1450 dns = san.get_values_for_type(x509.DNSName)
1451 assert dns == [u"www.cryptography.io", u"cryptography.io"]
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1452
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1453 def test_wildcard_dns_name(self, backend):
1454 cert = _load_cert(
1455 os.path.join("x509", "wildcard_san.pem"),
1456 x509.load_pem_x509_certificate,
1457 backend
1458 )
1459 ext = cert.extensions.get_extension_for_oid(
1460 x509.OID_SUBJECT_ALTERNATIVE_NAME
1461 )
1462
1463 dns = ext.value.get_values_for_type(x509.DNSName)
1464 assert dns == [
1465 u'*.langui.sh',
1466 u'langui.sh',
1467 u'*.saseliminator.com',
1468 u'saseliminator.com'
1469 ]
1470
1471 def test_san_wildcard_idna_dns_name(self, backend):
1472 cert = _load_cert(
1473 os.path.join("x509", "custom", "san_wildcard_idna.pem"),
1474 x509.load_pem_x509_certificate,
1475 backend
1476 )
1477 ext = cert.extensions.get_extension_for_oid(
1478 x509.OID_SUBJECT_ALTERNATIVE_NAME
1479 )
1480
1481 dns = ext.value.get_values_for_type(x509.DNSName)
1482 assert dns == [u'*.\u043f\u044b\u043a\u0430.cryptography']
1483
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1484 def test_unsupported_gn(self, backend):
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1485 cert = _load_cert(
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1486 os.path.join("x509", "san_x400address.der"),
1487 x509.load_der_x509_certificate,
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1488 backend
1489 )
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1490 with pytest.raises(x509.UnsupportedGeneralNameType) as exc:
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1491 cert.extensions
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1492
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1493 assert exc.value.type == 3
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1494
1495 def test_registered_id(self, backend):
1496 cert = _load_cert(
1497 os.path.join(
1498 "x509", "custom", "san_registered_id.pem"
1499 ),
1500 x509.load_pem_x509_certificate,
1501 backend
1502 )
1503 ext = cert.extensions.get_extension_for_oid(
1504 x509.OID_SUBJECT_ALTERNATIVE_NAME
1505 )
1506 assert ext is not None
1507 assert ext.critical is False
1508
1509 san = ext.value
1510 rid = san.get_values_for_type(x509.RegisteredID)
1511 assert rid == [x509.ObjectIdentifier("1.2.3.4")]
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1512
1513 def test_uri(self, backend):
1514 cert = _load_cert(
1515 os.path.join(
1516 "x509", "custom", "san_uri_with_port.pem"
1517 ),
1518 x509.load_pem_x509_certificate,
1519 backend
1520 )
1521 ext = cert.extensions.get_extension_for_oid(
1522 x509.OID_SUBJECT_ALTERNATIVE_NAME
1523 )
1524 assert ext is not None
1525 uri = ext.value.get_values_for_type(
1526 x509.UniformResourceIdentifier
1527 )
1528 assert uri == [
1529 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/path?q=s#hel"
1530 u"lo",
1531 u"http://someregulardomain.com",
1532 ]
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1533
1534 def test_ipaddress(self, backend):
1535 cert = _load_cert(
1536 os.path.join(
1537 "x509", "custom", "san_ipaddr.pem"
1538 ),
1539 x509.load_pem_x509_certificate,
1540 backend
1541 )
1542 ext = cert.extensions.get_extension_for_oid(
1543 x509.OID_SUBJECT_ALTERNATIVE_NAME
1544 )
1545 assert ext is not None
1546 assert ext.critical is False
1547
1548 san = ext.value
1549
1550 ip = san.get_values_for_type(x509.IPAddress)
1551 assert [
1552 ipaddress.ip_address(u"127.0.0.1"),
1553 ipaddress.ip_address(u"ff::")
1554 ] == ip
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1555
1556 def test_dirname(self, backend):
1557 cert = _load_cert(
1558 os.path.join(
1559 "x509", "custom", "san_dirname.pem"
1560 ),
1561 x509.load_pem_x509_certificate,
1562 backend
1563 )
1564 ext = cert.extensions.get_extension_for_oid(
1565 x509.OID_SUBJECT_ALTERNATIVE_NAME
1566 )
1567 assert ext is not None
1568 assert ext.critical is False
1569
1570 san = ext.value
1571
1572 dirname = san.get_values_for_type(x509.DirectoryName)
1573 assert [
1574 x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1575 x509.NameAttribute(x509.OID_COMMON_NAME, u'test'),
1576 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'Org'),
1577 x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1578 ])
1579 ] == dirname
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1580
1581 def test_rfc822name(self, backend):
1582 cert = _load_cert(
1583 os.path.join(
1584 "x509", "custom", "san_rfc822_idna.pem"
1585 ),
1586 x509.load_pem_x509_certificate,
1587 backend
1588 )
1589 ext = cert.extensions.get_extension_for_oid(
1590 x509.OID_SUBJECT_ALTERNATIVE_NAME
1591 )
1592 assert ext is not None
1593 assert ext.critical is False
1594
1595 san = ext.value
1596
1597 rfc822name = san.get_values_for_type(x509.RFC822Name)
1598 assert [u"email@em\xe5\xefl.com"] == rfc822name
1599
Paul Kehrerb8968812015-05-15 09:01:34 -0700[diff] [blame]1600 def test_idna2003_invalid(self, backend):
1601 cert = _load_cert(
1602 os.path.join(
1603 "x509", "custom", "san_idna2003_dnsname.pem"
1604 ),
1605 x509.load_pem_x509_certificate,
1606 backend
1607 )
1608 with pytest.raises(UnicodeError):
1609 cert.extensions
1610
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1611 def test_unicode_rfc822_name_dns_name_uri(self, backend):
1612 cert = _load_cert(
1613 os.path.join(
1614 "x509", "custom", "san_idna_names.pem"
1615 ),
1616 x509.load_pem_x509_certificate,
1617 backend
1618 )
1619 ext = cert.extensions.get_extension_for_oid(
1620 x509.OID_SUBJECT_ALTERNATIVE_NAME
1621 )
1622 assert ext is not None
1623 rfc822_name = ext.value.get_values_for_type(x509.RFC822Name)
1624 dns_name = ext.value.get_values_for_type(x509.DNSName)
1625 uri = ext.value.get_values_for_type(x509.UniformResourceIdentifier)
1626 assert rfc822_name == [u"email@\u043f\u044b\u043a\u0430.cryptography"]
1627 assert dns_name == [u"\u043f\u044b\u043a\u0430.cryptography"]
1628 assert uri == [u"https://www.\u043f\u044b\u043a\u0430.cryptography"]
1629
1630 def test_rfc822name_dnsname_ipaddress_directoryname_uri(self, backend):
1631 cert = _load_cert(
1632 os.path.join(
1633 "x509", "custom", "san_email_dns_ip_dirname_uri.pem"
1634 ),
1635 x509.load_pem_x509_certificate,
1636 backend
1637 )
1638 ext = cert.extensions.get_extension_for_oid(
1639 x509.OID_SUBJECT_ALTERNATIVE_NAME
1640 )
1641 assert ext is not None
1642 assert ext.critical is False
1643
1644 san = ext.value
1645
1646 rfc822_name = san.get_values_for_type(x509.RFC822Name)
1647 uri = san.get_values_for_type(x509.UniformResourceIdentifier)
1648 dns = san.get_values_for_type(x509.DNSName)
1649 ip = san.get_values_for_type(x509.IPAddress)
1650 dirname = san.get_values_for_type(x509.DirectoryName)
1651 assert [u"user@cryptography.io"] == rfc822_name
Paul Kehrere3a330c2015-05-02 16:42:52 -0500[diff] [blame]1652 assert [u"https://cryptography.io"] == uri
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1653 assert [u"cryptography.io"] == dns
1654 assert [
1655 x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1656 x509.NameAttribute(x509.OID_COMMON_NAME, u'dirCN'),
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1657 x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1658 x509.OID_ORGANIZATION_NAME, u'Cryptographic Authority'
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1659 ),
1660 ])
1661 ] == dirname
1662 assert [
1663 ipaddress.ip_address(u"127.0.0.1"),
1664 ipaddress.ip_address(u"ff::")
1665 ] == ip
1666
1667 def test_invalid_rfc822name(self, backend):
1668 cert = _load_cert(
1669 os.path.join(
1670 "x509", "custom", "san_rfc822_names.pem"
1671 ),
1672 x509.load_pem_x509_certificate,
1673 backend
1674 )
1675 with pytest.raises(ValueError) as exc:
1676 cert.extensions
1677
1678 assert 'Invalid rfc822name value' in str(exc.value)
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]1679
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1680 def test_other_name(self, backend):
1681 cert = _load_cert(
1682 os.path.join(
1683 "x509", "custom", "san_other_name.pem"
1684 ),
1685 x509.load_pem_x509_certificate,
1686 backend
1687 )
1688
1689 ext = cert.extensions.get_extension_for_oid(
1690 x509.OID_SUBJECT_ALTERNATIVE_NAME
1691 )
1692 assert ext is not None
1693 assert ext.critical is False
1694
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]1695 expected = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"),
1696 b'\x16\x0bHello World')
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1697 assert len(ext.value) == 1
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]1698 assert list(ext.value)[0] == expected
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1699
1700 othernames = ext.value.get_values_for_type(x509.OtherName)
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]1701 assert othernames == [expected]
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1702
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]1703
1704@pytest.mark.requires_backend_interface(interface=RSABackend)
1705@pytest.mark.requires_backend_interface(interface=X509Backend)
1706class TestExtendedKeyUsageExtension(object):
1707 def test_eku(self, backend):
1708 cert = _load_cert(
1709 os.path.join(
1710 "x509", "custom", "extended_key_usage.pem"
1711 ),
1712 x509.load_pem_x509_certificate,
1713 backend
1714 )
1715 ext = cert.extensions.get_extension_for_oid(
1716 x509.OID_EXTENDED_KEY_USAGE
1717 )
1718 assert ext is not None
1719 assert ext.critical is False
1720
1721 assert [
1722 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
1723 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
1724 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.3"),
1725 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.4"),
1726 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.9"),
1727 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.8"),
1728 x509.ObjectIdentifier("2.5.29.37.0"),
1729 x509.ObjectIdentifier("2.16.840.1.113730.4.1"),
1730 ] == list(ext.value)
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1731
1732
1733class TestAccessDescription(object):
1734 def test_invalid_access_method(self):
Paul Kehrerf506bca2015-05-02 22:31:47 -0500[diff] [blame]1735 with pytest.raises(ValueError):
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1736 x509.AccessDescription("notanoid", x509.DNSName(u"test"))
1737
1738 def test_invalid_access_location(self):
1739 with pytest.raises(TypeError):
1740 x509.AccessDescription(x509.OID_CA_ISSUERS, "invalid")
1741
1742 def test_repr(self):
1743 ad = x509.AccessDescription(
1744 x509.OID_OCSP,
1745 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1746 )
1747 assert repr(ad) == (
1748 "<AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5."
1749 "5.7.48.1, name=OCSP)>, access_location=<UniformResourceIdentifier"
1750 "(value=http://ocsp.domain.com)>)>"
1751 )
1752
1753 def test_eq(self):
1754 ad = x509.AccessDescription(
1755 x509.OID_OCSP,
1756 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1757 )
1758 ad2 = x509.AccessDescription(
1759 x509.OID_OCSP,
1760 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1761 )
1762 assert ad == ad2
1763
1764 def test_ne(self):
1765 ad = x509.AccessDescription(
1766 x509.OID_OCSP,
1767 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1768 )
1769 ad2 = x509.AccessDescription(
1770 x509.OID_CA_ISSUERS,
1771 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1772 )
1773 ad3 = x509.AccessDescription(
1774 x509.OID_OCSP,
1775 x509.UniformResourceIdentifier(u"http://notthesame")
1776 )
1777 assert ad != ad2
1778 assert ad != ad3
1779 assert ad != object()
1780
1781
1782class TestAuthorityInformationAccess(object):
1783 def test_invalid_descriptions(self):
1784 with pytest.raises(TypeError):
1785 x509.AuthorityInformationAccess(["notanAccessDescription"])
1786
1787 def test_iter_len(self):
1788 aia = x509.AuthorityInformationAccess([
1789 x509.AccessDescription(
1790 x509.OID_OCSP,
1791 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1792 ),
1793 x509.AccessDescription(
1794 x509.OID_CA_ISSUERS,
1795 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1796 )
1797 ])
1798 assert len(aia) == 2
1799 assert list(aia) == [
1800 x509.AccessDescription(
1801 x509.OID_OCSP,
1802 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1803 ),
1804 x509.AccessDescription(
1805 x509.OID_CA_ISSUERS,
1806 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1807 )
1808 ]
1809
1810 def test_repr(self):
1811 aia = x509.AuthorityInformationAccess([
1812 x509.AccessDescription(
1813 x509.OID_OCSP,
1814 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1815 ),
1816 x509.AccessDescription(
1817 x509.OID_CA_ISSUERS,
1818 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1819 )
1820 ])
1821 assert repr(aia) == (
1822 "<AuthorityInformationAccess([<AccessDescription(access_method=<Ob"
1823 "jectIdentifier(oid=1.3.6.1.5.5.7.48.1, name=OCSP)>, access_locati"
1824 "on=<UniformResourceIdentifier(value=http://ocsp.domain.com)>)>, <"
1825 "AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5.5"
1826 ".7.48.2, name=caIssuers)>, access_location=<UniformResourceIdenti"
1827 "fier(value=http://domain.com/ca.crt)>)>])>"
1828 )
1829
1830 def test_eq(self):
1831 aia = x509.AuthorityInformationAccess([
1832 x509.AccessDescription(
1833 x509.OID_OCSP,
1834 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1835 ),
1836 x509.AccessDescription(
1837 x509.OID_CA_ISSUERS,
1838 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1839 )
1840 ])
1841 aia2 = x509.AuthorityInformationAccess([
1842 x509.AccessDescription(
1843 x509.OID_OCSP,
1844 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1845 ),
1846 x509.AccessDescription(
1847 x509.OID_CA_ISSUERS,
1848 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1849 )
1850 ])
1851 assert aia == aia2
1852
1853 def test_ne(self):
1854 aia = x509.AuthorityInformationAccess([
1855 x509.AccessDescription(
1856 x509.OID_OCSP,
1857 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1858 ),
1859 x509.AccessDescription(
1860 x509.OID_CA_ISSUERS,
1861 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1862 )
1863 ])
1864 aia2 = x509.AuthorityInformationAccess([
1865 x509.AccessDescription(
1866 x509.OID_OCSP,
1867 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1868 ),
1869 ])
1870
1871 assert aia != aia2
1872 assert aia != object()
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]1873
1874
1875@pytest.mark.requires_backend_interface(interface=RSABackend)
1876@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]1877class TestAuthorityInformationAccessExtension(object):
1878 def test_aia_ocsp_ca_issuers(self, backend):
1879 cert = _load_cert(
1880 os.path.join("x509", "cryptography.io.pem"),
1881 x509.load_pem_x509_certificate,
1882 backend
1883 )
1884 ext = cert.extensions.get_extension_for_oid(
1885 x509.OID_AUTHORITY_INFORMATION_ACCESS
1886 )
1887 assert ext is not None
1888 assert ext.critical is False
1889
1890 assert ext.value == x509.AuthorityInformationAccess([
1891 x509.AccessDescription(
1892 x509.OID_OCSP,
1893 x509.UniformResourceIdentifier(u"http://gv.symcd.com")
1894 ),
1895 x509.AccessDescription(
1896 x509.OID_CA_ISSUERS,
1897 x509.UniformResourceIdentifier(u"http://gv.symcb.com/gv.crt")
1898 ),
1899 ])
1900
1901 def test_aia_multiple_ocsp_ca_issuers(self, backend):
1902 cert = _load_cert(
1903 os.path.join("x509", "custom", "aia_ocsp_ca_issuers.pem"),
1904 x509.load_pem_x509_certificate,
1905 backend
1906 )
1907 ext = cert.extensions.get_extension_for_oid(
1908 x509.OID_AUTHORITY_INFORMATION_ACCESS
1909 )
1910 assert ext is not None
1911 assert ext.critical is False
1912
1913 assert ext.value == x509.AuthorityInformationAccess([
1914 x509.AccessDescription(
1915 x509.OID_OCSP,
1916 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1917 ),
1918 x509.AccessDescription(
1919 x509.OID_OCSP,
1920 x509.UniformResourceIdentifier(u"http://ocsp2.domain.com")
1921 ),
1922 x509.AccessDescription(
1923 x509.OID_CA_ISSUERS,
1924 x509.DirectoryName(x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1925 x509.NameAttribute(x509.OID_COMMON_NAME, u"myCN"),
1926 x509.NameAttribute(x509.OID_ORGANIZATION_NAME,
1927 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]1928 ]))
1929 ),
1930 ])
1931
1932 def test_aia_ocsp_only(self, backend):
1933 cert = _load_cert(
1934 os.path.join("x509", "custom", "aia_ocsp.pem"),
1935 x509.load_pem_x509_certificate,
1936 backend
1937 )
1938 ext = cert.extensions.get_extension_for_oid(
1939 x509.OID_AUTHORITY_INFORMATION_ACCESS
1940 )
1941 assert ext is not None
1942 assert ext.critical is False
1943
1944 assert ext.value == x509.AuthorityInformationAccess([
1945 x509.AccessDescription(
1946 x509.OID_OCSP,
1947 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1948 ),
1949 ])
1950
1951 def test_aia_ca_issuers_only(self, backend):
1952 cert = _load_cert(
1953 os.path.join("x509", "custom", "aia_ca_issuers.pem"),
1954 x509.load_pem_x509_certificate,
1955 backend
1956 )
1957 ext = cert.extensions.get_extension_for_oid(
1958 x509.OID_AUTHORITY_INFORMATION_ACCESS
1959 )
1960 assert ext is not None
1961 assert ext.critical is False
1962
1963 assert ext.value == x509.AuthorityInformationAccess([
1964 x509.AccessDescription(
1965 x509.OID_CA_ISSUERS,
1966 x509.DirectoryName(x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1967 x509.NameAttribute(x509.OID_COMMON_NAME, u"myCN"),
1968 x509.NameAttribute(x509.OID_ORGANIZATION_NAME,
1969 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]1970 ]))
1971 ),
1972 ])
1973
1974
1975@pytest.mark.requires_backend_interface(interface=RSABackend)
1976@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]1977class TestAuthorityKeyIdentifierExtension(object):
1978 def test_aki_keyid(self, backend):
1979 cert = _load_cert(
1980 os.path.join(
1981 "x509", "cryptography.io.pem"
1982 ),
1983 x509.load_pem_x509_certificate,
1984 backend
1985 )
1986 ext = cert.extensions.get_extension_for_oid(
1987 x509.OID_AUTHORITY_KEY_IDENTIFIER
1988 )
1989 assert ext is not None
1990 assert ext.critical is False
1991
1992 assert ext.value.key_identifier == (
1993 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08\xcbY"
1994 )
1995 assert ext.value.authority_cert_issuer is None
1996 assert ext.value.authority_cert_serial_number is None
1997
1998 def test_aki_all_fields(self, backend):
1999 cert = _load_cert(
2000 os.path.join(
2001 "x509", "custom", "authority_key_identifier.pem"
2002 ),
2003 x509.load_pem_x509_certificate,
2004 backend
2005 )
2006 ext = cert.extensions.get_extension_for_oid(
2007 x509.OID_AUTHORITY_KEY_IDENTIFIER
2008 )
2009 assert ext is not None
2010 assert ext.critical is False
2011
2012 assert ext.value.key_identifier == (
2013 b"9E>\xca=b\x1d\xea\x86I\xf6Z\xab@\xb7\xa4p\x98\xf1\xec"
2014 )
2015 assert ext.value.authority_cert_issuer == [
2016 x509.DirectoryName(
2017 x509.Name([
2018 x509.NameAttribute(
2019 x509.OID_ORGANIZATION_NAME, u"PyCA"
2020 ),
2021 x509.NameAttribute(
2022 x509.OID_COMMON_NAME, u"cryptography.io"
2023 )
2024 ])
2025 )
2026 ]
2027 assert ext.value.authority_cert_serial_number == 3
2028
2029 def test_aki_no_keyid(self, backend):
2030 cert = _load_cert(
2031 os.path.join(
2032 "x509", "custom", "authority_key_identifier_no_keyid.pem"
2033 ),
2034 x509.load_pem_x509_certificate,
2035 backend
2036 )
2037 ext = cert.extensions.get_extension_for_oid(
2038 x509.OID_AUTHORITY_KEY_IDENTIFIER
2039 )
2040 assert ext is not None
2041 assert ext.critical is False
2042
2043 assert ext.value.key_identifier is None
2044 assert ext.value.authority_cert_issuer == [
2045 x509.DirectoryName(
2046 x509.Name([
2047 x509.NameAttribute(
2048 x509.OID_ORGANIZATION_NAME, u"PyCA"
2049 ),
2050 x509.NameAttribute(
2051 x509.OID_COMMON_NAME, u"cryptography.io"
2052 )
2053 ])
2054 )
2055 ]
2056 assert ext.value.authority_cert_serial_number == 3
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2057
2058
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2059class TestNameConstraints(object):
2060 def test_ipaddress_wrong_type(self):
2061 with pytest.raises(TypeError):
2062 x509.NameConstraints(
2063 permitted_subtrees=[
2064 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2065 ],
2066 excluded_subtrees=None
2067 )
2068
2069 with pytest.raises(TypeError):
2070 x509.NameConstraints(
2071 permitted_subtrees=None,
2072 excluded_subtrees=[
2073 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2074 ]
2075 )
2076
2077 def test_ipaddress_allowed_type(self):
2078 permitted = [x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29"))]
2079 excluded = [x509.IPAddress(ipaddress.IPv4Network(u"10.10.0.0/24"))]
2080 nc = x509.NameConstraints(
2081 permitted_subtrees=permitted,
2082 excluded_subtrees=excluded
2083 )
2084 assert nc.permitted_subtrees == permitted
2085 assert nc.excluded_subtrees == excluded
2086
2087 def test_invalid_permitted_subtrees(self):
2088 with pytest.raises(TypeError):
2089 x509.NameConstraints("badpermitted", None)
2090
2091 def test_invalid_excluded_subtrees(self):
2092 with pytest.raises(TypeError):
2093 x509.NameConstraints(None, "badexcluded")
2094
2095 def test_no_subtrees(self):
2096 with pytest.raises(ValueError):
2097 x509.NameConstraints(None, None)
2098
2099 def test_permitted_none(self):
2100 excluded = [x509.DNSName(u"name.local")]
2101 nc = x509.NameConstraints(
2102 permitted_subtrees=None, excluded_subtrees=excluded
2103 )
2104 assert nc.permitted_subtrees is None
2105 assert nc.excluded_subtrees is not None
2106
2107 def test_excluded_none(self):
2108 permitted = [x509.DNSName(u"name.local")]
2109 nc = x509.NameConstraints(
2110 permitted_subtrees=permitted, excluded_subtrees=None
2111 )
2112 assert nc.permitted_subtrees is not None
2113 assert nc.excluded_subtrees is None
2114
2115 def test_repr(self):
2116 permitted = [x509.DNSName(u"name.local"), x509.DNSName(u"name2.local")]
2117 nc = x509.NameConstraints(
2118 permitted_subtrees=permitted,
2119 excluded_subtrees=None
2120 )
2121 assert repr(nc) == (
2122 "<NameConstraints(permitted_subtrees=[<DNSName(value=name.local)>"
2123 ", <DNSName(value=name2.local)>], excluded_subtrees=None)>"
2124 )
2125
Paul Kehrer31894282015-06-21 21:46:41 -0500[diff] [blame]2126 def test_eq(self):
2127 nc = x509.NameConstraints(
2128 permitted_subtrees=[x509.DNSName(u"name.local")],
2129 excluded_subtrees=[x509.DNSName(u"name2.local")]
2130 )
2131 nc2 = x509.NameConstraints(
2132 permitted_subtrees=[x509.DNSName(u"name.local")],
2133 excluded_subtrees=[x509.DNSName(u"name2.local")]
2134 )
2135 assert nc == nc2
2136
2137 def test_ne(self):
2138 nc = x509.NameConstraints(
2139 permitted_subtrees=[x509.DNSName(u"name.local")],
2140 excluded_subtrees=[x509.DNSName(u"name2.local")]
2141 )
2142 nc2 = x509.NameConstraints(
2143 permitted_subtrees=[x509.DNSName(u"name.local")],
2144 excluded_subtrees=None
2145 )
2146 nc3 = x509.NameConstraints(
2147 permitted_subtrees=None,
2148 excluded_subtrees=[x509.DNSName(u"name2.local")]
2149 )
2150
2151 assert nc != nc2
2152 assert nc != nc3
2153 assert nc != object()
2154
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2155
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2156@pytest.mark.requires_backend_interface(interface=RSABackend)
2157@pytest.mark.requires_backend_interface(interface=X509Backend)
2158class TestNameConstraintsExtension(object):
2159 def test_permitted_excluded(self, backend):
2160 cert = _load_cert(
2161 os.path.join(
2162 "x509", "custom", "nc_permitted_excluded_2.pem"
2163 ),
2164 x509.load_pem_x509_certificate,
2165 backend
2166 )
2167 nc = cert.extensions.get_extension_for_oid(
2168 x509.OID_NAME_CONSTRAINTS
2169 ).value
2170 assert nc == x509.NameConstraints(
2171 permitted_subtrees=[
2172 x509.DNSName(u"zombo.local"),
2173 ],
2174 excluded_subtrees=[
2175 x509.DirectoryName(x509.Name([
2176 x509.NameAttribute(x509.OID_COMMON_NAME, u"zombo")
2177 ]))
2178 ]
2179 )
2180
2181 def test_permitted(self, backend):
2182 cert = _load_cert(
2183 os.path.join(
2184 "x509", "custom", "nc_permitted_2.pem"
2185 ),
2186 x509.load_pem_x509_certificate,
2187 backend
2188 )
2189 nc = cert.extensions.get_extension_for_oid(
2190 x509.OID_NAME_CONSTRAINTS
2191 ).value
2192 assert nc == x509.NameConstraints(
2193 permitted_subtrees=[
2194 x509.DNSName(u"zombo.local"),
2195 ],
2196 excluded_subtrees=None
2197 )
2198
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2199 def test_permitted_with_leading_period(self, backend):
2200 cert = _load_cert(
2201 os.path.join(
2202 "x509", "custom", "nc_permitted.pem"
2203 ),
2204 x509.load_pem_x509_certificate,
2205 backend
2206 )
2207 nc = cert.extensions.get_extension_for_oid(
2208 x509.OID_NAME_CONSTRAINTS
2209 ).value
2210 assert nc == x509.NameConstraints(
2211 permitted_subtrees=[
2212 x509.DNSName(u".cryptography.io"),
2213 x509.UniformResourceIdentifier(u"ftp://cryptography.test")
2214 ],
2215 excluded_subtrees=None
2216 )
2217
2218 def test_excluded_with_leading_period(self, backend):
2219 cert = _load_cert(
2220 os.path.join(
2221 "x509", "custom", "nc_excluded.pem"
2222 ),
2223 x509.load_pem_x509_certificate,
2224 backend
2225 )
2226 nc = cert.extensions.get_extension_for_oid(
2227 x509.OID_NAME_CONSTRAINTS
2228 ).value
2229 assert nc == x509.NameConstraints(
2230 permitted_subtrees=None,
2231 excluded_subtrees=[
2232 x509.DNSName(u".cryptography.io"),
2233 x509.UniformResourceIdentifier(u"gopher://cryptography.test")
2234 ]
2235 )
2236
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2237 def test_permitted_excluded_with_ips(self, backend):
2238 cert = _load_cert(
2239 os.path.join(
2240 "x509", "custom", "nc_permitted_excluded.pem"
2241 ),
2242 x509.load_pem_x509_certificate,
2243 backend
2244 )
2245 nc = cert.extensions.get_extension_for_oid(
2246 x509.OID_NAME_CONSTRAINTS
2247 ).value
2248 assert nc == x509.NameConstraints(
2249 permitted_subtrees=[
2250 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")),
2251 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")),
2252 ],
2253 excluded_subtrees=[
2254 x509.DNSName(u".domain.com"),
2255 x509.UniformResourceIdentifier(u"http://test.local"),
2256 ]
2257 )
2258
Paul Kehrera72ebaf2015-07-01 21:07:37 -0500[diff] [blame]2259 def test_single_ip_netmask(self, backend):
2260 cert = _load_cert(
2261 os.path.join(
2262 "x509", "custom", "nc_single_ip_netmask.pem"
2263 ),
2264 x509.load_pem_x509_certificate,
2265 backend
2266 )
2267 nc = cert.extensions.get_extension_for_oid(
2268 x509.OID_NAME_CONSTRAINTS
2269 ).value
2270 assert nc == x509.NameConstraints(
2271 permitted_subtrees=[
2272 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/128")),
2273 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.1/32")),
2274 ],
2275 excluded_subtrees=None
2276 )
2277
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2278 def test_invalid_netmask(self, backend):
2279 cert = _load_cert(
2280 os.path.join(
2281 "x509", "custom", "nc_invalid_ip_netmask.pem"
2282 ),
2283 x509.load_pem_x509_certificate,
2284 backend
2285 )
2286 with pytest.raises(ValueError):
2287 cert.extensions.get_extension_for_oid(
2288 x509.OID_NAME_CONSTRAINTS
2289 )
2290
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2291
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2292class TestDistributionPoint(object):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2293 def test_distribution_point_full_name_not_general_names(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2294 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2295 x509.DistributionPoint(["notgn"], None, None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2296
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2297 def test_distribution_point_relative_name_not_name(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2298 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2299 x509.DistributionPoint(None, "notname", None, None)
2300
2301 def test_distribution_point_full_and_relative_not_none(self):
2302 with pytest.raises(ValueError):
2303 x509.DistributionPoint("data", "notname", None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2304
2305 def test_crl_issuer_not_general_names(self):
2306 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2307 x509.DistributionPoint(None, None, None, ["notgn"])
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2308
2309 def test_reason_not_reasonflags(self):
2310 with pytest.raises(TypeError):
2311 x509.DistributionPoint(
2312 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2313 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2314 frozenset(["notreasonflags"]),
2315 None
2316 )
2317
2318 def test_reason_not_frozenset(self):
2319 with pytest.raises(TypeError):
2320 x509.DistributionPoint(
2321 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2322 None,
2323 [x509.ReasonFlags.ca_compromise],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2324 None
2325 )
2326
2327 def test_disallowed_reasons(self):
2328 with pytest.raises(ValueError):
2329 x509.DistributionPoint(
2330 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2331 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2332 frozenset([x509.ReasonFlags.unspecified]),
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2333 None
2334 )
2335
2336 with pytest.raises(ValueError):
2337 x509.DistributionPoint(
2338 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2339 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2340 frozenset([x509.ReasonFlags.remove_from_crl]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2341 None
2342 )
2343
2344 def test_reason_only(self):
2345 with pytest.raises(ValueError):
2346 x509.DistributionPoint(
2347 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2348 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2349 frozenset([x509.ReasonFlags.aa_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2350 None
2351 )
2352
2353 def test_eq(self):
2354 dp = x509.DistributionPoint(
2355 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2356 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2357 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2358 [
2359 x509.DirectoryName(
2360 x509.Name([
2361 x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2362 x509.OID_COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2363 )
2364 ])
2365 )
2366 ],
2367 )
2368 dp2 = x509.DistributionPoint(
2369 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2370 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2371 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2372 [
2373 x509.DirectoryName(
2374 x509.Name([
2375 x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2376 x509.OID_COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2377 )
2378 ])
2379 )
2380 ],
2381 )
2382 assert dp == dp2
2383
2384 def test_ne(self):
2385 dp = x509.DistributionPoint(
2386 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2387 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2388 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2389 [
2390 x509.DirectoryName(
2391 x509.Name([
2392 x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2393 x509.OID_COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2394 )
2395 ])
2396 )
2397 ],
2398 )
2399 dp2 = x509.DistributionPoint(
2400 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2401 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2402 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2403 None
2404 )
2405 assert dp != dp2
2406 assert dp != object()
2407
2408 def test_repr(self):
2409 dp = x509.DistributionPoint(
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2410 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2411 x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2412 x509.NameAttribute(x509.OID_COMMON_NAME, u"myCN")
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2413 ]),
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2414 frozenset([x509.ReasonFlags.ca_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2415 [
2416 x509.DirectoryName(
2417 x509.Name([
2418 x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2419 x509.OID_COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2420 )
2421 ])
2422 )
2423 ],
2424 )
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2425 if six.PY3:
2426 assert repr(dp) == (
2427 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2428 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]2429 ">, value='myCN')>])>, reasons=frozenset({<ReasonFlags.ca_comp"
2430 "romise: 'cACompromise'>}), crl_issuer=[<DirectoryName(value=<"
2431 "Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name="
2432 "commonName)>, value='Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2433 )
2434 else:
2435 assert repr(dp) == (
2436 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2437 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2438 ">, value=u'myCN')>])>, reasons=frozenset([<ReasonFlags.ca_com"
2439 "promise: 'cACompromise'>]), crl_issuer=[<DirectoryName(value="
2440 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
2441 "=commonName)>, value=u'Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2442 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2443
2444
2445class TestCRLDistributionPoints(object):
2446 def test_invalid_distribution_points(self):
2447 with pytest.raises(TypeError):
2448 x509.CRLDistributionPoints(["notadistributionpoint"])
2449
2450 def test_iter_len(self):
2451 cdp = x509.CRLDistributionPoints([
2452 x509.DistributionPoint(
2453 [x509.UniformResourceIdentifier(u"http://domain")],
2454 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2455 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2456 None
2457 ),
2458 x509.DistributionPoint(
2459 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2460 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2461 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2462 x509.ReasonFlags.key_compromise,
2463 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2464 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2465 None
2466 ),
2467 ])
2468 assert len(cdp) == 2
2469 assert list(cdp) == [
2470 x509.DistributionPoint(
2471 [x509.UniformResourceIdentifier(u"http://domain")],
2472 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2473 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2474 None
2475 ),
2476 x509.DistributionPoint(
2477 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2478 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2479 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2480 x509.ReasonFlags.key_compromise,
2481 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2482 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2483 None
2484 ),
2485 ]
2486
2487 def test_repr(self):
2488 cdp = x509.CRLDistributionPoints([
2489 x509.DistributionPoint(
2490 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2491 None,
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2492 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2493 None
2494 ),
2495 ])
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2496 if six.PY3:
2497 assert repr(cdp) == (
2498 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2499 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2500 "ne, reasons=frozenset({<ReasonFlags.key_compromise: 'keyComp"
2501 "romise'>}), crl_issuer=None)>])>"
2502 )
2503 else:
2504 assert repr(cdp) == (
2505 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2506 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2507 "ne, reasons=frozenset([<ReasonFlags.key_compromise: 'keyComp"
2508 "romise'>]), crl_issuer=None)>])>"
2509 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2510
2511 def test_eq(self):
2512 cdp = x509.CRLDistributionPoints([
2513 x509.DistributionPoint(
2514 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2515 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2516 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2517 x509.ReasonFlags.key_compromise,
2518 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2519 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2520 [x509.UniformResourceIdentifier(u"uri://thing")],
2521 ),
2522 ])
2523 cdp2 = x509.CRLDistributionPoints([
2524 x509.DistributionPoint(
2525 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2526 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2527 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2528 x509.ReasonFlags.key_compromise,
2529 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2530 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2531 [x509.UniformResourceIdentifier(u"uri://thing")],
2532 ),
2533 ])
2534 assert cdp == cdp2
2535
2536 def test_ne(self):
2537 cdp = x509.CRLDistributionPoints([
2538 x509.DistributionPoint(
2539 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2540 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2541 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2542 x509.ReasonFlags.key_compromise,
2543 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2544 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2545 [x509.UniformResourceIdentifier(u"uri://thing")],
2546 ),
2547 ])
2548 cdp2 = x509.CRLDistributionPoints([
2549 x509.DistributionPoint(
2550 [x509.UniformResourceIdentifier(u"ftp://domain2")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2551 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2552 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2553 x509.ReasonFlags.key_compromise,
2554 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2555 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2556 [x509.UniformResourceIdentifier(u"uri://thing")],
2557 ),
2558 ])
2559 cdp3 = x509.CRLDistributionPoints([
2560 x509.DistributionPoint(
2561 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2562 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2563 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2564 [x509.UniformResourceIdentifier(u"uri://thing")],
2565 ),
2566 ])
2567 cdp4 = x509.CRLDistributionPoints([
2568 x509.DistributionPoint(
2569 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2570 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2571 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2572 x509.ReasonFlags.key_compromise,
2573 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2574 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2575 [x509.UniformResourceIdentifier(u"uri://thing2")],
2576 ),
2577 ])
2578 assert cdp != cdp2
2579 assert cdp != cdp3
2580 assert cdp != cdp4
2581 assert cdp != object()
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2582
2583
2584@pytest.mark.requires_backend_interface(interface=RSABackend)
2585@pytest.mark.requires_backend_interface(interface=X509Backend)
2586class TestCRLDistributionPointsExtension(object):
2587 def test_fullname_and_crl_issuer(self, backend):
2588 cert = _load_cert(
2589 os.path.join(
2590 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest28EE.crt"
2591 ),
2592 x509.load_der_x509_certificate,
2593 backend
2594 )
2595
2596 cdps = cert.extensions.get_extension_for_oid(
2597 x509.OID_CRL_DISTRIBUTION_POINTS
2598 ).value
2599
2600 assert cdps == x509.CRLDistributionPoints([
2601 x509.DistributionPoint(
2602 full_name=[x509.DirectoryName(
2603 x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2604 x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2605 x509.NameAttribute(
2606 x509.OID_ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2607 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2608 ),
2609 x509.NameAttribute(
2610 x509.OID_ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2611 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2612 ),
2613 x509.NameAttribute(
2614 x509.OID_COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2615 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2616 ),
2617 ])
2618 )],
2619 relative_name=None,
2620 reasons=None,
2621 crl_issuer=[x509.DirectoryName(
2622 x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2623 x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2624 x509.NameAttribute(
2625 x509.OID_ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2626 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2627 ),
2628 x509.NameAttribute(
2629 x509.OID_ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2630 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2631 ),
2632 ])
2633 )],
2634 )
2635 ])
2636
2637 def test_relativename_and_crl_issuer(self, backend):
2638 cert = _load_cert(
2639 os.path.join(
2640 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest29EE.crt"
2641 ),
2642 x509.load_der_x509_certificate,
2643 backend
2644 )
2645
2646 cdps = cert.extensions.get_extension_for_oid(
2647 x509.OID_CRL_DISTRIBUTION_POINTS
2648 ).value
2649
2650 assert cdps == x509.CRLDistributionPoints([
2651 x509.DistributionPoint(
2652 full_name=None,
2653 relative_name=x509.Name([
2654 x509.NameAttribute(
2655 x509.OID_COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2656 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2657 ),
2658 ]),
2659 reasons=None,
2660 crl_issuer=[x509.DirectoryName(
2661 x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2662 x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2663 x509.NameAttribute(
2664 x509.OID_ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2665 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2666 ),
2667 x509.NameAttribute(
2668 x509.OID_ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2669 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2670 ),
2671 ])
2672 )],
2673 )
2674 ])
2675
2676 def test_fullname_crl_issuer_reasons(self, backend):
2677 cert = _load_cert(
2678 os.path.join(
2679 "x509", "custom", "cdp_fullname_reasons_crl_issuer.pem"
2680 ),
2681 x509.load_pem_x509_certificate,
2682 backend
2683 )
2684
2685 cdps = cert.extensions.get_extension_for_oid(
2686 x509.OID_CRL_DISTRIBUTION_POINTS
2687 ).value
2688
2689 assert cdps == x509.CRLDistributionPoints([
2690 x509.DistributionPoint(
2691 full_name=[x509.UniformResourceIdentifier(
2692 u"http://myhost.com/myca.crl"
2693 )],
2694 relative_name=None,
2695 reasons=frozenset([
2696 x509.ReasonFlags.key_compromise,
2697 x509.ReasonFlags.ca_compromise
2698 ]),
2699 crl_issuer=[x509.DirectoryName(
2700 x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2701 x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2702 x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2703 x509.OID_ORGANIZATION_NAME, u"PyCA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2704 ),
2705 x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2706 x509.OID_COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2707 ),
2708 ])
2709 )],
2710 )
2711 ])
2712
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]2713 def test_all_reasons(self, backend):
2714 cert = _load_cert(
2715 os.path.join(
2716 "x509", "custom", "cdp_all_reasons.pem"
2717 ),
2718 x509.load_pem_x509_certificate,
2719 backend
2720 )
2721
2722 cdps = cert.extensions.get_extension_for_oid(
2723 x509.OID_CRL_DISTRIBUTION_POINTS
2724 ).value
2725
2726 assert cdps == x509.CRLDistributionPoints([
2727 x509.DistributionPoint(
2728 full_name=[x509.UniformResourceIdentifier(
2729 u"http://domain.com/some.crl"
2730 )],
2731 relative_name=None,
2732 reasons=frozenset([
2733 x509.ReasonFlags.key_compromise,
2734 x509.ReasonFlags.ca_compromise,
2735 x509.ReasonFlags.affiliation_changed,
2736 x509.ReasonFlags.superseded,
2737 x509.ReasonFlags.privilege_withdrawn,
2738 x509.ReasonFlags.cessation_of_operation,
2739 x509.ReasonFlags.aa_compromise,
2740 x509.ReasonFlags.certificate_hold,
2741 ]),
2742 crl_issuer=None
2743 )
2744 ])
2745
2746 def test_single_reason(self, backend):
2747 cert = _load_cert(
2748 os.path.join(
2749 "x509", "custom", "cdp_reason_aa_compromise.pem"
2750 ),
2751 x509.load_pem_x509_certificate,
2752 backend
2753 )
2754
2755 cdps = cert.extensions.get_extension_for_oid(
2756 x509.OID_CRL_DISTRIBUTION_POINTS
2757 ).value
2758
2759 assert cdps == x509.CRLDistributionPoints([
2760 x509.DistributionPoint(
2761 full_name=[x509.UniformResourceIdentifier(
2762 u"http://domain.com/some.crl"
2763 )],
2764 relative_name=None,
2765 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
2766 crl_issuer=None
2767 )
2768 ])
2769
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2770 def test_crl_issuer_only(self, backend):
2771 cert = _load_cert(
2772 os.path.join(
2773 "x509", "custom", "cdp_crl_issuer.pem"
2774 ),
2775 x509.load_pem_x509_certificate,
2776 backend
2777 )
2778
2779 cdps = cert.extensions.get_extension_for_oid(
2780 x509.OID_CRL_DISTRIBUTION_POINTS
2781 ).value
2782
2783 assert cdps == x509.CRLDistributionPoints([
2784 x509.DistributionPoint(
2785 full_name=None,
2786 relative_name=None,
2787 reasons=None,
2788 crl_issuer=[x509.DirectoryName(
2789 x509.Name([
2790 x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2791 x509.OID_COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2792 ),
2793 ])
2794 )],
2795 )
2796 ])
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]2797
2798
Paul Kehrerf54a50b2015-06-17 18:31:26 -0600[diff] [blame]2799@pytest.mark.requires_backend_interface(interface=RSABackend)
2800@pytest.mark.requires_backend_interface(interface=X509Backend)
2801class TestOCSPNoCheckExtension(object):
2802 def test_nocheck(self, backend):
2803 cert = _load_cert(
2804 os.path.join(
2805 "x509", "custom", "ocsp_nocheck.pem"
2806 ),
2807 x509.load_pem_x509_certificate,
2808 backend
2809 )
2810 ext = cert.extensions.get_extension_for_oid(
2811 x509.OID_OCSP_NO_CHECK
2812 )
2813 assert isinstance(ext.value, x509.OCSPNoCheck)
2814
2815
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]2816class TestInhibitAnyPolicy(object):
2817 def test_not_int(self):
2818 with pytest.raises(TypeError):
2819 x509.InhibitAnyPolicy("notint")
2820
2821 def test_negative_int(self):
2822 with pytest.raises(ValueError):
2823 x509.InhibitAnyPolicy(-1)
2824
2825 def test_repr(self):
2826 iap = x509.InhibitAnyPolicy(0)
2827 assert repr(iap) == "<InhibitAnyPolicy(skip_certs=0)>"
2828
2829 def test_eq(self):
2830 iap = x509.InhibitAnyPolicy(1)
2831 iap2 = x509.InhibitAnyPolicy(1)
2832 assert iap == iap2
2833
2834 def test_ne(self):
2835 iap = x509.InhibitAnyPolicy(1)
2836 iap2 = x509.InhibitAnyPolicy(4)
2837 assert iap != iap2
2838 assert iap != object()
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]2839
2840
2841@pytest.mark.requires_backend_interface(interface=RSABackend)
2842@pytest.mark.requires_backend_interface(interface=X509Backend)
2843class TestInhibitAnyPolicyExtension(object):
2844 def test_nocheck(self, backend):
2845 cert = _load_cert(
2846 os.path.join(
2847 "x509", "custom", "inhibit_any_policy_5.pem"
2848 ),
2849 x509.load_pem_x509_certificate,
2850 backend
2851 )
2852 iap = cert.extensions.get_extension_for_oid(
2853 x509.OID_INHIBIT_ANY_POLICY
2854 ).value
2855 assert iap.skip_certs == 5
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame^]2856
2857
2858@pytest.mark.requires_backend_interface(interface=RSABackend)
2859@pytest.mark.requires_backend_interface(interface=X509Backend)
2860class TestCorruptExtension(object):
2861 def test_invalid_certificate_policies_data(self, backend):
2862 cert = _load_cert(
2863 os.path.join(
2864 "x509", "custom", "cp_invalid.pem"
2865 ),
2866 x509.load_pem_x509_certificate,
2867 backend
2868 )
2869 with pytest.raises(ValueError):
2870 cert.extensions