Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / d5d0a3102b609907f2dfadad8e0da10374475697 / . / tests / test_x509_ext.py
blob: 67081b234cd355b338d20f21637baa24765d6fe6 [file] [log] [blame]
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]7import binascii
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]8import datetime
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]9import ipaddress
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]10import os
11
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]12import pytest
13
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]14import six
15
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]16from cryptography import x509
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]17from cryptography.hazmat.backends.interfaces import (
18 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
19)
20from cryptography.hazmat.primitives.asymmetric import ec
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]21from cryptography.x509.oid import (
Nick Bastin326fc8e2015-12-12 19:08:12 -0800[diff] [blame]22 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID,
23 NameOID, ObjectIdentifier
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]24)
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]25
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]26from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]27from .test_x509 import _load_cert
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]28
29
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]30class TestExtension(object):
31 def test_not_an_oid(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]32 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]33 with pytest.raises(TypeError):
34 x509.Extension("notanoid", True, bc)
35
36 def test_critical_not_a_bool(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]37 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]38 with pytest.raises(TypeError):
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]39 x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, "notabool", bc)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]40
41 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]42 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]43 ext = x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, True, bc)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]44 assert repr(ext) == (
45 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConst"
46 "raints)>, critical=True, value=<BasicConstraints(ca=False, path"
47 "_length=None)>)>"
48 )
49
Paul Kehrer58e870c2015-05-17 09:15:30 -0700[diff] [blame]50 def test_eq(self):
51 ext1 = x509.Extension(
52 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
53 )
54 ext2 = x509.Extension(
55 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
56 )
57 assert ext1 == ext2
58
59 def test_ne(self):
60 ext1 = x509.Extension(
61 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
62 )
63 ext2 = x509.Extension(
64 x509.ObjectIdentifier('1.2.3.5'), False, 'value'
65 )
66 ext3 = x509.Extension(
67 x509.ObjectIdentifier('1.2.3.4'), True, 'value'
68 )
69 ext4 = x509.Extension(
70 x509.ObjectIdentifier('1.2.3.4'), False, 'value4'
71 )
72 assert ext1 != ext2
73 assert ext1 != ext3
74 assert ext1 != ext4
75 assert ext1 != object()
76
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]77
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]78class TestCertificateIssuer(object):
79 def test_iter_names(self):
80 ci = x509.CertificateIssuer([
81 x509.DNSName(u"cryptography.io"),
82 x509.DNSName(u"crypto.local"),
83 ])
84 assert len(ci) == 2
85 assert list(ci) == [
86 x509.DNSName(u"cryptography.io"),
87 x509.DNSName(u"crypto.local"),
88 ]
89
Paul Kehrer5c999d32015-12-26 17:45:20 -0600[diff] [blame]90 def test_indexing(self):
91 ci = x509.CertificateIssuer([
92 x509.DNSName(u"cryptography.io"),
93 x509.DNSName(u"crypto.local"),
94 x509.DNSName(u"another.local"),
95 x509.RFC822Name(u"email@another.local"),
96 x509.UniformResourceIdentifier(u"http://another.local"),
97 ])
98 assert ci[-1] == ci[4]
99 assert ci[2:6:2] == [ci[2], ci[4]]
100
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]101 def test_eq(self):
102 ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
103 ci2 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
104 assert ci1 == ci2
105
106 def test_ne(self):
107 ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
108 ci2 = x509.CertificateIssuer([x509.DNSName(u"somethingelse.tld")])
109 assert ci1 != ci2
110 assert ci1 != object()
111
112 def test_repr(self):
113 ci = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
114 assert repr(ci) == (
115 "<CertificateIssuer(<GeneralNames([<DNSName(value=cryptography.io"
116 ")>])>)>"
117 )
118
119 def test_get_values_for_type(self):
120 ci = x509.CertificateIssuer(
121 [x509.DNSName(u"cryptography.io")]
122 )
123 names = ci.get_values_for_type(x509.DNSName)
124 assert names == [u"cryptography.io"]
125
126
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]127class TestCRLReason(object):
128 def test_invalid_reason_flags(self):
129 with pytest.raises(TypeError):
130 x509.CRLReason("notareason")
131
132 def test_eq(self):
133 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
134 reason2 = x509.CRLReason(x509.ReasonFlags.unspecified)
135 assert reason1 == reason2
136
137 def test_ne(self):
138 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
139 reason2 = x509.CRLReason(x509.ReasonFlags.ca_compromise)
140 assert reason1 != reason2
141 assert reason1 != object()
142
143 def test_repr(self):
144 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
145 assert repr(reason1) == (
146 "<CRLReason(reason=ReasonFlags.unspecified)>"
147 )
148
149
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]150class TestInvalidityDate(object):
151 def test_invalid_invalidity_date(self):
152 with pytest.raises(TypeError):
153 x509.InvalidityDate("notadate")
154
155 def test_eq(self):
156 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
157 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
158 assert invalid1 == invalid2
159
160 def test_ne(self):
161 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
162 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 2))
163 assert invalid1 != invalid2
164 assert invalid1 != object()
165
166 def test_repr(self):
167 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
168 assert repr(invalid1) == (
169 "<InvalidityDate(invalidity_date=2015-01-01 01:01:00)>"
170 )
171
Paul Kehrer67cde762015-12-26 11:37:14 -0600[diff] [blame]172 def test_hash(self):
173 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
174 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
175 invalid3 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 2))
176 assert hash(invalid1) == hash(invalid2)
177 assert hash(invalid1) != hash(invalid3)
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]178
Paul Kehrerc0297dd2015-12-26 11:37:57 -0600[diff] [blame]179
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]180class TestNoticeReference(object):
181 def test_notice_numbers_not_all_int(self):
182 with pytest.raises(TypeError):
183 x509.NoticeReference("org", [1, 2, "three"])
184
185 def test_notice_numbers_none(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]186 with pytest.raises(TypeError):
187 x509.NoticeReference("org", None)
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]188
189 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]190 nr = x509.NoticeReference(u"org", [1, 3, 4])
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]191
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]192 if six.PY3:
193 assert repr(nr) == (
194 "<NoticeReference(organization='org', notice_numbers=[1, 3, 4"
195 "])>"
196 )
197 else:
198 assert repr(nr) == (
199 "<NoticeReference(organization=u'org', notice_numbers=[1, 3, "
200 "4])>"
201 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]202
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]203 def test_eq(self):
204 nr = x509.NoticeReference("org", [1, 2])
205 nr2 = x509.NoticeReference("org", [1, 2])
206 assert nr == nr2
207
208 def test_ne(self):
209 nr = x509.NoticeReference("org", [1, 2])
210 nr2 = x509.NoticeReference("org", [1])
211 nr3 = x509.NoticeReference(None, [1, 2])
212 assert nr != nr2
213 assert nr != nr3
214 assert nr != object()
215
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]216
217class TestUserNotice(object):
218 def test_notice_reference_invalid(self):
219 with pytest.raises(TypeError):
220 x509.UserNotice("invalid", None)
221
222 def test_notice_reference_none(self):
223 un = x509.UserNotice(None, "text")
224 assert un.notice_reference is None
225 assert un.explicit_text == "text"
226
227 def test_repr(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]228 un = x509.UserNotice(x509.NoticeReference(u"org", [1]), u"text")
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]229 if six.PY3:
230 assert repr(un) == (
231 "<UserNotice(notice_reference=<NoticeReference(organization='"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]232 "org', notice_numbers=[1])>, explicit_text='text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]233 )
234 else:
235 assert repr(un) == (
236 "<UserNotice(notice_reference=<NoticeReference(organization=u"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]237 "'org', notice_numbers=[1])>, explicit_text=u'text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]238 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]239
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]240 def test_eq(self):
241 nr = x509.NoticeReference("org", [1, 2])
242 nr2 = x509.NoticeReference("org", [1, 2])
243 un = x509.UserNotice(nr, "text")
244 un2 = x509.UserNotice(nr2, "text")
245 assert un == un2
246
247 def test_ne(self):
248 nr = x509.NoticeReference("org", [1, 2])
249 nr2 = x509.NoticeReference("org", [1])
250 un = x509.UserNotice(nr, "text")
251 un2 = x509.UserNotice(nr2, "text")
252 un3 = x509.UserNotice(nr, "text3")
253 assert un != un2
254 assert un != un3
255 assert un != object()
256
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]257
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]258class TestPolicyInformation(object):
259 def test_invalid_policy_identifier(self):
260 with pytest.raises(TypeError):
261 x509.PolicyInformation("notanoid", None)
262
263 def test_none_policy_qualifiers(self):
264 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), None)
265 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
266 assert pi.policy_qualifiers is None
267
268 def test_policy_qualifiers(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]269 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]270 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
271 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
272 assert pi.policy_qualifiers == pq
273
274 def test_invalid_policy_identifiers(self):
275 with pytest.raises(TypeError):
276 x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [1, 2])
277
278 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]279 pq = [u"string", x509.UserNotice(None, u"hi")]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]280 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]281 if six.PY3:
282 assert repr(pi) == (
283 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
284 "2.3, name=Unknown OID)>, policy_qualifiers=['string', <UserNo"
Paul Kehrer9aaef9e2015-05-11 10:49:20 -0500[diff] [blame]285 "tice(notice_reference=None, explicit_text='hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]286 )
287 else:
288 assert repr(pi) == (
289 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
290 "2.3, name=Unknown OID)>, policy_qualifiers=[u'string', <UserN"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]291 "otice(notice_reference=None, explicit_text=u'hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]292 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]293
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]294 def test_eq(self):
295 pi = x509.PolicyInformation(
296 x509.ObjectIdentifier("1.2.3"),
297 [u"string", x509.UserNotice(None, u"hi")]
298 )
299 pi2 = x509.PolicyInformation(
300 x509.ObjectIdentifier("1.2.3"),
301 [u"string", x509.UserNotice(None, u"hi")]
302 )
303 assert pi == pi2
304
305 def test_ne(self):
306 pi = x509.PolicyInformation(
307 x509.ObjectIdentifier("1.2.3"), [u"string"]
308 )
309 pi2 = x509.PolicyInformation(
310 x509.ObjectIdentifier("1.2.3"), [u"string2"]
311 )
312 pi3 = x509.PolicyInformation(
313 x509.ObjectIdentifier("1.2.3.4"), [u"string"]
314 )
315 assert pi != pi2
316 assert pi != pi3
317 assert pi != object()
318
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]319
320class TestCertificatePolicies(object):
321 def test_invalid_policies(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]322 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]323 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
324 with pytest.raises(TypeError):
325 x509.CertificatePolicies([1, pi])
326
327 def test_iter_len(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]328 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]329 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
330 cp = x509.CertificatePolicies([pi])
331 assert len(cp) == 1
332 for policyinfo in cp:
333 assert policyinfo == pi
334
335 def test_repr(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]336 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]337 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
338 cp = x509.CertificatePolicies([pi])
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]339 if six.PY3:
340 assert repr(cp) == (
341 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
342 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
343 "ers=['string'])>])>"
344 )
345 else:
346 assert repr(cp) == (
347 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
348 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
349 "ers=[u'string'])>])>"
350 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]351
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]352 def test_eq(self):
353 pi = x509.PolicyInformation(
354 x509.ObjectIdentifier("1.2.3"), [u"string"]
355 )
356 cp = x509.CertificatePolicies([pi])
357 pi2 = x509.PolicyInformation(
358 x509.ObjectIdentifier("1.2.3"), [u"string"]
359 )
360 cp2 = x509.CertificatePolicies([pi2])
361 assert cp == cp2
362
363 def test_ne(self):
364 pi = x509.PolicyInformation(
365 x509.ObjectIdentifier("1.2.3"), [u"string"]
366 )
367 cp = x509.CertificatePolicies([pi])
368 pi2 = x509.PolicyInformation(
369 x509.ObjectIdentifier("1.2.3"), [u"string2"]
370 )
371 cp2 = x509.CertificatePolicies([pi2])
372 assert cp != cp2
373 assert cp != object()
374
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]375
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]376@pytest.mark.requires_backend_interface(interface=RSABackend)
377@pytest.mark.requires_backend_interface(interface=X509Backend)
378class TestCertificatePoliciesExtension(object):
379 def test_cps_uri_policy_qualifier(self, backend):
380 cert = _load_cert(
381 os.path.join("x509", "custom", "cp_cps_uri.pem"),
382 x509.load_pem_x509_certificate,
383 backend
384 )
385
386 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]387 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]388 ).value
389
390 assert cp == x509.CertificatePolicies([
391 x509.PolicyInformation(
392 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
393 [u"http://other.com/cps"]
394 )
395 ])
396
397 def test_user_notice_with_notice_reference(self, backend):
398 cert = _load_cert(
399 os.path.join(
400 "x509", "custom", "cp_user_notice_with_notice_reference.pem"
401 ),
402 x509.load_pem_x509_certificate,
403 backend
404 )
405
406 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]407 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]408 ).value
409
410 assert cp == x509.CertificatePolicies([
411 x509.PolicyInformation(
412 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
413 [
414 u"http://example.com/cps",
415 u"http://other.com/cps",
416 x509.UserNotice(
417 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
418 u"thing"
419 )
420 ]
421 )
422 ])
423
424 def test_user_notice_with_explicit_text(self, backend):
425 cert = _load_cert(
426 os.path.join(
427 "x509", "custom", "cp_user_notice_with_explicit_text.pem"
428 ),
429 x509.load_pem_x509_certificate,
430 backend
431 )
432
433 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]434 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]435 ).value
436
437 assert cp == x509.CertificatePolicies([
438 x509.PolicyInformation(
439 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
440 [x509.UserNotice(None, u"thing")]
441 )
442 ])
443
444 def test_user_notice_no_explicit_text(self, backend):
445 cert = _load_cert(
446 os.path.join(
447 "x509", "custom", "cp_user_notice_no_explicit_text.pem"
448 ),
449 x509.load_pem_x509_certificate,
450 backend
451 )
452
453 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]454 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]455 ).value
456
457 assert cp == x509.CertificatePolicies([
458 x509.PolicyInformation(
459 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
460 [
461 x509.UserNotice(
462 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
463 None
464 )
465 ]
466 )
467 ])
468
469
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]470class TestKeyUsage(object):
471 def test_key_agreement_false_encipher_decipher_true(self):
472 with pytest.raises(ValueError):
473 x509.KeyUsage(
474 digital_signature=False,
475 content_commitment=False,
476 key_encipherment=False,
477 data_encipherment=False,
478 key_agreement=False,
479 key_cert_sign=False,
480 crl_sign=False,
481 encipher_only=True,
482 decipher_only=False
483 )
484
485 with pytest.raises(ValueError):
486 x509.KeyUsage(
487 digital_signature=False,
488 content_commitment=False,
489 key_encipherment=False,
490 data_encipherment=False,
491 key_agreement=False,
492 key_cert_sign=False,
493 crl_sign=False,
494 encipher_only=True,
495 decipher_only=True
496 )
497
498 with pytest.raises(ValueError):
499 x509.KeyUsage(
500 digital_signature=False,
501 content_commitment=False,
502 key_encipherment=False,
503 data_encipherment=False,
504 key_agreement=False,
505 key_cert_sign=False,
506 crl_sign=False,
507 encipher_only=False,
508 decipher_only=True
509 )
510
511 def test_properties_key_agreement_true(self):
512 ku = x509.KeyUsage(
513 digital_signature=True,
514 content_commitment=True,
515 key_encipherment=False,
516 data_encipherment=False,
517 key_agreement=False,
518 key_cert_sign=True,
519 crl_sign=False,
520 encipher_only=False,
521 decipher_only=False
522 )
523 assert ku.digital_signature is True
524 assert ku.content_commitment is True
525 assert ku.key_encipherment is False
526 assert ku.data_encipherment is False
527 assert ku.key_agreement is False
528 assert ku.key_cert_sign is True
529 assert ku.crl_sign is False
530
531 def test_key_agreement_true_properties(self):
532 ku = x509.KeyUsage(
533 digital_signature=False,
534 content_commitment=False,
535 key_encipherment=False,
536 data_encipherment=False,
537 key_agreement=True,
538 key_cert_sign=False,
539 crl_sign=False,
540 encipher_only=False,
541 decipher_only=True
542 )
543 assert ku.key_agreement is True
544 assert ku.encipher_only is False
545 assert ku.decipher_only is True
546
547 def test_key_agreement_false_properties(self):
548 ku = x509.KeyUsage(
549 digital_signature=False,
550 content_commitment=False,
551 key_encipherment=False,
552 data_encipherment=False,
553 key_agreement=False,
554 key_cert_sign=False,
555 crl_sign=False,
556 encipher_only=False,
557 decipher_only=False
558 )
559 assert ku.key_agreement is False
560 with pytest.raises(ValueError):
561 ku.encipher_only
562
563 with pytest.raises(ValueError):
564 ku.decipher_only
565
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]566 def test_repr_key_agreement_false(self):
567 ku = x509.KeyUsage(
568 digital_signature=True,
569 content_commitment=True,
570 key_encipherment=False,
571 data_encipherment=False,
572 key_agreement=False,
573 key_cert_sign=True,
574 crl_sign=False,
575 encipher_only=False,
576 decipher_only=False
577 )
578 assert repr(ku) == (
579 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
580 "cipherment=False, data_encipherment=False, key_agreement=False, k"
Paul Kehrerb372e672015-04-15 11:05:24 -0400[diff] [blame]581 "ey_cert_sign=True, crl_sign=False, encipher_only=None, decipher_o"
582 "nly=None)>"
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]583 )
584
585 def test_repr_key_agreement_true(self):
586 ku = x509.KeyUsage(
587 digital_signature=True,
588 content_commitment=True,
589 key_encipherment=False,
590 data_encipherment=False,
591 key_agreement=True,
592 key_cert_sign=True,
593 crl_sign=False,
594 encipher_only=False,
595 decipher_only=False
596 )
597 assert repr(ku) == (
598 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
599 "cipherment=False, data_encipherment=False, key_agreement=True, k"
600 "ey_cert_sign=True, crl_sign=False, encipher_only=False, decipher_"
601 "only=False)>"
602 )
603
Paul Kehrer8565f5e2015-05-13 09:57:09 -0500[diff] [blame]604 def test_eq(self):
605 ku = x509.KeyUsage(
606 digital_signature=False,
607 content_commitment=False,
608 key_encipherment=False,
609 data_encipherment=False,
610 key_agreement=True,
611 key_cert_sign=False,
612 crl_sign=False,
613 encipher_only=False,
614 decipher_only=True
615 )
616 ku2 = x509.KeyUsage(
617 digital_signature=False,
618 content_commitment=False,
619 key_encipherment=False,
620 data_encipherment=False,
621 key_agreement=True,
622 key_cert_sign=False,
623 crl_sign=False,
624 encipher_only=False,
625 decipher_only=True
626 )
627 assert ku == ku2
628
629 def test_ne(self):
630 ku = x509.KeyUsage(
631 digital_signature=False,
632 content_commitment=False,
633 key_encipherment=False,
634 data_encipherment=False,
635 key_agreement=True,
636 key_cert_sign=False,
637 crl_sign=False,
638 encipher_only=False,
639 decipher_only=True
640 )
641 ku2 = x509.KeyUsage(
642 digital_signature=False,
643 content_commitment=False,
644 key_encipherment=False,
645 data_encipherment=False,
646 key_agreement=False,
647 key_cert_sign=False,
648 crl_sign=False,
649 encipher_only=False,
650 decipher_only=False
651 )
652 assert ku != ku2
653 assert ku != object()
654
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]655
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]656class TestSubjectKeyIdentifier(object):
657 def test_properties(self):
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]658 value = binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]659 ski = x509.SubjectKeyIdentifier(value)
660 assert ski.digest == value
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]661
662 def test_repr(self):
663 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]664 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]665 )
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]666 ext = x509.Extension(ExtensionOID.SUBJECT_KEY_IDENTIFIER, False, ski)
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]667 if six.PY3:
668 assert repr(ext) == (
669 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
670 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
671 "igest=b\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
672 "\\xf7\\xff:\\xc9\')>)>"
673 )
674 else:
675 assert repr(ext) == (
676 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
677 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
678 "igest=\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
679 "\\xf7\\xff:\\xc9\')>)>"
680 )
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]681
682 def test_eq(self):
683 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]684 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]685 )
686 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]687 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]688 )
689 assert ski == ski2
690
691 def test_ne(self):
692 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]693 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]694 )
695 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]696 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]697 )
698 assert ski != ski2
699 assert ski != object()
700
Alex Gaynor410fe352015-12-26 15:01:25 -0500[diff] [blame]701 def test_hash(self):
702 ski1 = x509.SubjectKeyIdentifier(
703 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
704 )
705 ski2 = x509.SubjectKeyIdentifier(
706 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
707 )
708 ski3 = x509.SubjectKeyIdentifier(
709 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
710 )
711
712 assert hash(ski1) == hash(ski2)
713 assert hash(ski1) != hash(ski3)
714
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]715
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]716class TestAuthorityKeyIdentifier(object):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]717 def test_authority_cert_issuer_not_generalname(self):
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]718 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]719 x509.AuthorityKeyIdentifier(b"identifier", ["notname"], 3)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]720
721 def test_authority_cert_serial_number_not_integer(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]722 dirname = x509.DirectoryName(
723 x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]724 x509.NameAttribute(
725 x509.ObjectIdentifier('2.999.1'),
726 u'value1'
727 ),
728 x509.NameAttribute(
729 x509.ObjectIdentifier('2.999.2'),
730 u'value2'
731 ),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]732 ])
733 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]734 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]735 x509.AuthorityKeyIdentifier(b"identifier", [dirname], "notanint")
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]736
737 def test_authority_issuer_none_serial_not_none(self):
738 with pytest.raises(ValueError):
739 x509.AuthorityKeyIdentifier(b"identifier", None, 3)
740
741 def test_authority_issuer_not_none_serial_none(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]742 dirname = x509.DirectoryName(
743 x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]744 x509.NameAttribute(
745 x509.ObjectIdentifier('2.999.1'),
746 u'value1'
747 ),
748 x509.NameAttribute(
749 x509.ObjectIdentifier('2.999.2'),
750 u'value2'
751 ),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]752 ])
753 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]754 with pytest.raises(ValueError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]755 x509.AuthorityKeyIdentifier(b"identifier", [dirname], None)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]756
757 def test_authority_cert_serial_and_issuer_none(self):
758 aki = x509.AuthorityKeyIdentifier(b"id", None, None)
759 assert aki.key_identifier == b"id"
760 assert aki.authority_cert_issuer is None
761 assert aki.authority_cert_serial_number is None
762
763 def test_repr(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]764 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]765 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]766 )
767 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]768
769 if six.PY3:
770 assert repr(aki) == (
771 "<AuthorityKeyIdentifier(key_identifier=b'digest', authority_"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]772 "cert_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid="
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]773 "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value='myC"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]774 "N')>])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]775 )
776 else:
777 assert repr(aki) == (
778 "<AuthorityKeyIdentifier(key_identifier='digest', authority_ce"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]779 "rt_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid=<Ob"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]780 "jectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'myCN')"
781 ">])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]782 )
783
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]784 def test_eq(self):
785 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]786 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]787 )
788 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
789 dirname2 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]790 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]791 )
792 aki2 = x509.AuthorityKeyIdentifier(b"digest", [dirname2], 1234)
793 assert aki == aki2
794
795 def test_ne(self):
796 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]797 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]798 )
799 dirname5 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]800 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'aCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]801 )
802 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
803 aki2 = x509.AuthorityKeyIdentifier(b"diges", [dirname], 1234)
804 aki3 = x509.AuthorityKeyIdentifier(b"digest", None, None)
805 aki4 = x509.AuthorityKeyIdentifier(b"digest", [dirname], 12345)
806 aki5 = x509.AuthorityKeyIdentifier(b"digest", [dirname5], 12345)
807 assert aki != aki2
808 assert aki != aki3
809 assert aki != aki4
810 assert aki != aki5
811 assert aki != object()
812
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]813
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]814class TestBasicConstraints(object):
815 def test_ca_not_boolean(self):
816 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]817 x509.BasicConstraints(ca="notbool", path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]818
819 def test_path_length_not_ca(self):
820 with pytest.raises(ValueError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]821 x509.BasicConstraints(ca=False, path_length=0)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]822
823 def test_path_length_not_int(self):
824 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]825 x509.BasicConstraints(ca=True, path_length=1.1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]826
827 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]828 x509.BasicConstraints(ca=True, path_length="notint")
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]829
830 def test_path_length_negative(self):
831 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]832 x509.BasicConstraints(ca=True, path_length=-1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]833
834 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]835 na = x509.BasicConstraints(ca=True, path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]836 assert repr(na) == (
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]837 "<BasicConstraints(ca=True, path_length=None)>"
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]838 )
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]839
Paul Kehrer3a69b132015-05-13 10:03:46 -0500[diff] [blame]840 def test_eq(self):
841 na = x509.BasicConstraints(ca=True, path_length=None)
842 na2 = x509.BasicConstraints(ca=True, path_length=None)
843 assert na == na2
844
845 def test_ne(self):
846 na = x509.BasicConstraints(ca=True, path_length=None)
847 na2 = x509.BasicConstraints(ca=True, path_length=1)
848 na3 = x509.BasicConstraints(ca=False, path_length=None)
849 assert na != na2
850 assert na != na3
851 assert na != object()
852
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]853
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]854class TestExtendedKeyUsage(object):
855 def test_not_all_oids(self):
856 with pytest.raises(TypeError):
857 x509.ExtendedKeyUsage(["notoid"])
858
859 def test_iter_len(self):
860 eku = x509.ExtendedKeyUsage([
861 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
862 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
863 ])
864 assert len(eku) == 2
865 assert list(eku) == [
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]866 ExtendedKeyUsageOID.SERVER_AUTH,
867 ExtendedKeyUsageOID.CLIENT_AUTH
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]868 ]
869
Paul Kehrer23d10c32015-04-02 23:12:32 -0500[diff] [blame]870 def test_repr(self):
871 eku = x509.ExtendedKeyUsage([
872 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
873 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
874 ])
875 assert repr(eku) == (
876 "<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name="
877 "serverAuth)>, <ObjectIdentifier(oid=1.3.6.1.5.5.7.3.2, name=clien"
878 "tAuth)>])>"
879 )
880
Paul Kehrerb0476172015-05-02 19:34:51 -0500[diff] [blame]881 def test_eq(self):
882 eku = x509.ExtendedKeyUsage([
883 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
884 ])
885 eku2 = x509.ExtendedKeyUsage([
886 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
887 ])
888 assert eku == eku2
889
890 def test_ne(self):
891 eku = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6")])
892 eku2 = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6.1")])
893 assert eku != eku2
894 assert eku != object()
895
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]896
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]897@pytest.mark.requires_backend_interface(interface=RSABackend)
898@pytest.mark.requires_backend_interface(interface=X509Backend)
899class TestExtensions(object):
900 def test_no_extensions(self, backend):
901 cert = _load_cert(
902 os.path.join("x509", "verisign_md2_root.pem"),
903 x509.load_pem_x509_certificate,
904 backend
905 )
906 ext = cert.extensions
907 assert len(ext) == 0
908 assert list(ext) == []
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]909 with pytest.raises(x509.ExtensionNotFound) as exc:
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]910 ext.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]911
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]912 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]913
914 def test_one_extension(self, backend):
915 cert = _load_cert(
916 os.path.join(
917 "x509", "custom", "basic_constraints_not_critical.pem"
918 ),
919 x509.load_pem_x509_certificate,
920 backend
921 )
922 extensions = cert.extensions
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]923 ext = extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]924 assert ext is not None
925 assert ext.value.ca is False
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]926
927 def test_duplicate_extension(self, backend):
928 cert = _load_cert(
929 os.path.join(
930 "x509", "custom", "two_basic_constraints.pem"
931 ),
932 x509.load_pem_x509_certificate,
933 backend
934 )
935 with pytest.raises(x509.DuplicateExtension) as exc:
936 cert.extensions
937
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]938 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]939
940 def test_unsupported_critical_extension(self, backend):
941 cert = _load_cert(
942 os.path.join(
943 "x509", "custom", "unsupported_extension_critical.pem"
944 ),
945 x509.load_pem_x509_certificate,
946 backend
947 )
948 with pytest.raises(x509.UnsupportedExtension) as exc:
949 cert.extensions
950
951 assert exc.value.oid == x509.ObjectIdentifier("1.2.3.4")
952
953 def test_unsupported_extension(self, backend):
954 # TODO: this will raise an exception when all extensions are complete
955 cert = _load_cert(
956 os.path.join(
957 "x509", "custom", "unsupported_extension.pem"
958 ),
959 x509.load_pem_x509_certificate,
960 backend
961 )
962 extensions = cert.extensions
963 assert len(extensions) == 0
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]964
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]965 def test_no_extensions_get_for_class(self, backend):
966 cert = _load_cert(
967 os.path.join(
Phoebe Queencb5ec4e2015-08-12 15:06:26 +0100[diff] [blame]968 "x509", "cryptography.io.pem"
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]969 ),
970 x509.load_pem_x509_certificate,
971 backend
972 )
Phoebe Queenc93752b2015-08-12 10:54:46 +0100[diff] [blame]973 exts = cert.extensions
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]974 with pytest.raises(x509.ExtensionNotFound) as exc:
Phoebe Queencb5ec4e2015-08-12 15:06:26 +0100[diff] [blame]975 exts.get_extension_for_class(x509.IssuerAlternativeName)
976 assert exc.value.oid == ExtensionOID.ISSUER_ALTERNATIVE_NAME
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]977
Paul Kehrer5b90c972015-12-26 00:52:58 -0600[diff] [blame]978 def test_indexing(self, backend):
979 cert = _load_cert(
980 os.path.join("x509", "cryptography.io.pem"),
981 x509.load_pem_x509_certificate,
982 backend
983 )
984 exts = cert.extensions
985 assert exts[-1] == exts[7]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame]986 assert exts[2:6:2] == [exts[2], exts[4]]
Paul Kehrer5b90c972015-12-26 00:52:58 -0600[diff] [blame]987
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]988 def test_one_extension_get_for_class(self, backend):
989 cert = _load_cert(
Phoebe Queen2cc111a2015-08-12 04:14:22 +0100[diff] [blame]990 os.path.join(
991 "x509", "custom", "basic_constraints_not_critical.pem"
992 ),
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]993 x509.load_pem_x509_certificate,
994 backend
995 )
996 ext = cert.extensions.get_extension_for_class(x509.BasicConstraints)
997 assert ext is not None
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]998 assert isinstance(ext.value, x509.BasicConstraints)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]999
Paul Kehrerafbe75b2015-10-20 08:08:43 -0500[diff] [blame]1000 def test_repr(self, backend):
1001 cert = _load_cert(
1002 os.path.join(
1003 "x509", "custom", "basic_constraints_not_critical.pem"
1004 ),
1005 x509.load_pem_x509_certificate,
1006 backend
1007 )
1008 assert repr(cert.extensions) == (
1009 "<Extensions([<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name"
1010 "=basicConstraints)>, critical=False, value=<BasicConstraints(ca=F"
1011 "alse, path_length=None)>)>])>"
1012 )
1013
Phoebe Queen2cc111a2015-08-12 04:14:22 +0100[diff] [blame]1014
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1015@pytest.mark.requires_backend_interface(interface=RSABackend)
1016@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerde813ea2015-03-28 12:44:34 -0500[diff] [blame]1017class TestBasicConstraintsExtension(object):
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1018 def test_ca_true_pathlen_6(self, backend):
1019 cert = _load_cert(
1020 os.path.join(
1021 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
1022 ),
1023 x509.load_der_x509_certificate,
1024 backend
1025 )
Phoebe Queen062dec72015-08-12 11:42:23 +0100[diff] [blame]1026 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1027 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1028 )
1029 assert ext is not None
1030 assert ext.critical is True
1031 assert ext.value.ca is True
1032 assert ext.value.path_length == 6
1033
1034 def test_path_length_zero(self, backend):
1035 cert = _load_cert(
1036 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
1037 x509.load_pem_x509_certificate,
1038 backend
1039 )
1040 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1041 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1042 )
1043 assert ext is not None
1044 assert ext.critical is True
1045 assert ext.value.ca is True
1046 assert ext.value.path_length == 0
1047
1048 def test_ca_true_no_pathlen(self, backend):
1049 cert = _load_cert(
1050 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1051 x509.load_der_x509_certificate,
1052 backend
1053 )
1054 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1055 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1056 )
1057 assert ext is not None
1058 assert ext.critical is True
1059 assert ext.value.ca is True
1060 assert ext.value.path_length is None
1061
1062 def test_ca_false(self, backend):
1063 cert = _load_cert(
1064 os.path.join("x509", "cryptography.io.pem"),
1065 x509.load_pem_x509_certificate,
1066 backend
1067 )
1068 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1069 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1070 )
1071 assert ext is not None
1072 assert ext.critical is True
1073 assert ext.value.ca is False
1074 assert ext.value.path_length is None
1075
1076 def test_no_basic_constraints(self, backend):
1077 cert = _load_cert(
1078 os.path.join(
1079 "x509",
1080 "PKITS_data",
1081 "certs",
1082 "ValidCertificatePathTest1EE.crt"
1083 ),
1084 x509.load_der_x509_certificate,
1085 backend
1086 )
1087 with pytest.raises(x509.ExtensionNotFound):
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1088 cert.extensions.get_extension_for_oid(
1089 ExtensionOID.BASIC_CONSTRAINTS
1090 )
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1091
1092 def test_basic_constraint_not_critical(self, backend):
1093 cert = _load_cert(
1094 os.path.join(
1095 "x509", "custom", "basic_constraints_not_critical.pem"
1096 ),
1097 x509.load_pem_x509_certificate,
1098 backend
1099 )
1100 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1101 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1102 )
1103 assert ext is not None
1104 assert ext.critical is False
1105 assert ext.value.ca is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1106
1107
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1108class TestSubjectKeyIdentifierExtension(object):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1109 @pytest.mark.requires_backend_interface(interface=RSABackend)
1110 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1111 def test_subject_key_identifier(self, backend):
1112 cert = _load_cert(
1113 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1114 x509.load_der_x509_certificate,
1115 backend
1116 )
1117 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1118 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1119 )
1120 ski = ext.value
1121 assert ext is not None
1122 assert ext.critical is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1123 assert ski.digest == binascii.unhexlify(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]1124 b"580184241bbc2b52944a3da510721451f5af3ac9"
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1125 )
1126
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1127 @pytest.mark.requires_backend_interface(interface=RSABackend)
1128 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1129 def test_no_subject_key_identifier(self, backend):
1130 cert = _load_cert(
1131 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
1132 x509.load_pem_x509_certificate,
1133 backend
1134 )
1135 with pytest.raises(x509.ExtensionNotFound):
1136 cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1137 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1138 )
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1139
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1140 @pytest.mark.requires_backend_interface(interface=RSABackend)
1141 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1142 def test_from_rsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1143 cert = _load_cert(
1144 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1145 x509.load_der_x509_certificate,
1146 backend
1147 )
1148 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1149 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1150 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1151 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1152 cert.public_key()
1153 )
1154 assert ext.value == ski
1155
1156 @pytest.mark.requires_backend_interface(interface=DSABackend)
1157 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1158 def test_from_dsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1159 cert = _load_cert(
1160 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
1161 x509.load_pem_x509_certificate,
1162 backend
1163 )
1164
1165 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1166 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1167 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1168 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1169 cert.public_key()
1170 )
1171 assert ext.value == ski
1172
1173 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1174 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1175 def test_from_ec_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1176 _skip_curve_unsupported(backend, ec.SECP384R1())
1177 cert = _load_cert(
1178 os.path.join("x509", "ecdsa_root.pem"),
1179 x509.load_pem_x509_certificate,
1180 backend
1181 )
1182
1183 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1184 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1185 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1186 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1187 cert.public_key()
1188 )
1189 assert ext.value == ski
1190
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1191
1192@pytest.mark.requires_backend_interface(interface=RSABackend)
1193@pytest.mark.requires_backend_interface(interface=X509Backend)
1194class TestKeyUsageExtension(object):
1195 def test_no_key_usage(self, backend):
1196 cert = _load_cert(
1197 os.path.join("x509", "verisign_md2_root.pem"),
1198 x509.load_pem_x509_certificate,
1199 backend
1200 )
1201 ext = cert.extensions
1202 with pytest.raises(x509.ExtensionNotFound) as exc:
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1203 ext.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1204
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1205 assert exc.value.oid == ExtensionOID.KEY_USAGE
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1206
1207 def test_all_purposes(self, backend):
1208 cert = _load_cert(
1209 os.path.join(
1210 "x509", "custom", "all_key_usages.pem"
1211 ),
1212 x509.load_pem_x509_certificate,
1213 backend
1214 )
1215 extensions = cert.extensions
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1216 ext = extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1217 assert ext is not None
1218
1219 ku = ext.value
1220 assert ku.digital_signature is True
1221 assert ku.content_commitment is True
1222 assert ku.key_encipherment is True
1223 assert ku.data_encipherment is True
1224 assert ku.key_agreement is True
1225 assert ku.key_cert_sign is True
1226 assert ku.crl_sign is True
1227 assert ku.encipher_only is True
1228 assert ku.decipher_only is True
1229
1230 def test_key_cert_sign_crl_sign(self, backend):
1231 cert = _load_cert(
1232 os.path.join(
1233 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
1234 ),
1235 x509.load_der_x509_certificate,
1236 backend
1237 )
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1238 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1239 assert ext is not None
1240 assert ext.critical is True
1241
1242 ku = ext.value
1243 assert ku.digital_signature is False
1244 assert ku.content_commitment is False
1245 assert ku.key_encipherment is False
1246 assert ku.data_encipherment is False
1247 assert ku.key_agreement is False
1248 assert ku.key_cert_sign is True
1249 assert ku.crl_sign is True
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1250
1251
1252@pytest.mark.parametrize(
1253 "name", [
1254 x509.RFC822Name,
1255 x509.DNSName,
1256 x509.UniformResourceIdentifier
1257 ]
1258)
1259class TestTextGeneralNames(object):
1260 def test_not_text(self, name):
1261 with pytest.raises(TypeError):
1262 name(b"notaunicodestring")
1263
1264 with pytest.raises(TypeError):
1265 name(1.3)
1266
1267 def test_repr(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1268 gn = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1269 assert repr(gn) == "<{0}(value=string)>".format(name.__name__)
1270
1271 def test_eq(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1272 gn = name(u"string")
1273 gn2 = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1274 assert gn == gn2
1275
1276 def test_ne(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1277 gn = name(u"string")
1278 gn2 = name(u"string2")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1279 assert gn != gn2
1280 assert gn != object()
1281
1282
1283class TestDirectoryName(object):
1284 def test_not_name(self):
1285 with pytest.raises(TypeError):
1286 x509.DirectoryName(b"notaname")
1287
1288 with pytest.raises(TypeError):
1289 x509.DirectoryName(1.3)
1290
1291 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1292 name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'value1')])
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1293 gn = x509.DirectoryName(x509.Name([name]))
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]1294 if six.PY3:
1295 assert repr(gn) == (
1296 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1297 "Identifier(oid=2.5.4.3, name=commonName)>, value='value1')>])"
1298 ">])>)>"
1299 )
1300 else:
1301 assert repr(gn) == (
1302 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1303 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'value1')>]"
1304 ")>])>)>"
1305 )
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1306
1307 def test_eq(self):
1308 name = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1309 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1310 ])
1311 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1312 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1313 ])
1314 gn = x509.DirectoryName(x509.Name([name]))
1315 gn2 = x509.DirectoryName(x509.Name([name2]))
1316 assert gn == gn2
1317
1318 def test_ne(self):
1319 name = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1320 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1321 ])
1322 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1323 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1324 ])
1325 gn = x509.DirectoryName(x509.Name([name]))
1326 gn2 = x509.DirectoryName(x509.Name([name2]))
1327 assert gn != gn2
1328 assert gn != object()
1329
1330
Paul Kehrer01d5d0b2015-07-12 09:41:21 -0500[diff] [blame]1331class TestRFC822Name(object):
1332 def test_invalid_email(self):
1333 with pytest.raises(ValueError):
1334 x509.RFC822Name(u"Name <email>")
1335
1336 with pytest.raises(ValueError):
1337 x509.RFC822Name(u"")
1338
1339 def test_single_label(self):
1340 gn = x509.RFC822Name(u"administrator")
1341 assert gn.value == u"administrator"
1342
1343 def test_idna(self):
1344 gn = x509.RFC822Name(u"email@em\xe5\xefl.com")
1345 assert gn.value == u"email@em\xe5\xefl.com"
1346 assert gn._encoded == b"email@xn--eml-vla4c.com"
1347
1348
Paul Kehrere28d6c42015-07-12 14:59:37 -0500[diff] [blame]1349class TestUniformResourceIdentifier(object):
1350 def test_no_parsed_hostname(self):
1351 gn = x509.UniformResourceIdentifier(u"singlelabel")
1352 assert gn.value == u"singlelabel"
1353
1354 def test_with_port(self):
1355 gn = x509.UniformResourceIdentifier(u"singlelabel:443/test")
1356 assert gn.value == u"singlelabel:443/test"
1357
1358 def test_idna_no_port(self):
1359 gn = x509.UniformResourceIdentifier(
1360 u"http://\u043f\u044b\u043a\u0430.cryptography"
1361 )
1362 assert gn.value == u"http://\u043f\u044b\u043a\u0430.cryptography"
1363 assert gn._encoded == b"http://xn--80ato2c.cryptography"
1364
1365 def test_idna_with_port(self):
1366 gn = x509.UniformResourceIdentifier(
1367 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1368 )
1369 assert gn.value == (
1370 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1371 )
1372 assert gn._encoded == b"gopher://xn--80ato2c.cryptography:70/some/path"
1373
1374 def test_query_and_fragment(self):
1375 gn = x509.UniformResourceIdentifier(
1376 u"ldap://cryptography:90/path?query=true#somedata"
1377 )
1378 assert gn.value == u"ldap://cryptography:90/path?query=true#somedata"
1379
1380
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1381class TestRegisteredID(object):
1382 def test_not_oid(self):
1383 with pytest.raises(TypeError):
1384 x509.RegisteredID(b"notanoid")
1385
1386 with pytest.raises(TypeError):
1387 x509.RegisteredID(1.3)
1388
1389 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1390 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1391 assert repr(gn) == (
1392 "<RegisteredID(value=<ObjectIdentifier(oid=2.5.4.3, name=commonNam"
1393 "e)>)>"
1394 )
1395
1396 def test_eq(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1397 gn = x509.RegisteredID(NameOID.COMMON_NAME)
1398 gn2 = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1399 assert gn == gn2
1400
1401 def test_ne(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1402 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1403 gn2 = x509.RegisteredID(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1404 assert gn != gn2
1405 assert gn != object()
1406
1407
1408class TestIPAddress(object):
1409 def test_not_ipaddress(self):
1410 with pytest.raises(TypeError):
1411 x509.IPAddress(b"notanipaddress")
1412
1413 with pytest.raises(TypeError):
1414 x509.IPAddress(1.3)
1415
1416 def test_repr(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1417 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1418 assert repr(gn) == "<IPAddress(value=127.0.0.1)>"
1419
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1420 gn2 = x509.IPAddress(ipaddress.IPv6Address(u"ff::"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1421 assert repr(gn2) == "<IPAddress(value=ff::)>"
1422
Paul Kehrereb177932015-05-17 18:33:33 -0700[diff] [blame]1423 gn3 = x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24"))
1424 assert repr(gn3) == "<IPAddress(value=192.168.0.0/24)>"
1425
1426 gn4 = x509.IPAddress(ipaddress.IPv6Network(u"ff::/96"))
1427 assert repr(gn4) == "<IPAddress(value=ff::/96)>"
1428
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1429 def test_eq(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1430 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1431 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1432 assert gn == gn2
1433
1434 def test_ne(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1435 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1436 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.2"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1437 assert gn != gn2
1438 assert gn != object()
1439
1440
Joshua Tauberer18b6fc82015-07-05 21:44:51 +0000[diff] [blame]1441class TestOtherName(object):
1442 def test_invalid_args(self):
1443 with pytest.raises(TypeError):
1444 x509.OtherName(b"notanobjectidentifier", b"derdata")
1445
1446 with pytest.raises(TypeError):
1447 x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), u"notderdata")
1448
1449 def test_repr(self):
1450 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1451 if six.PY3:
1452 assert repr(gn) == (
1453 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1454 "name=Unknown OID)>, value=b'derdata')>"
1455 )
1456 else:
1457 assert repr(gn) == (
1458 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1459 "name=Unknown OID)>, value='derdata')>"
1460 )
1461
1462 gn = x509.OtherName(x509.ObjectIdentifier("2.5.4.65"), b"derdata")
1463 if six.PY3:
1464 assert repr(gn) == (
1465 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1466 "name=pseudonym)>, value=b'derdata')>"
1467 )
1468 else:
1469 assert repr(gn) == (
1470 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1471 "name=pseudonym)>, value='derdata')>"
1472 )
1473
1474 def test_eq(self):
1475 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1476 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1477 assert gn == gn2
1478
1479 def test_ne(self):
1480 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1481 assert gn != object()
1482
1483 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata2")
1484 assert gn != gn2
1485
1486 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.5"), b"derdata")
1487 assert gn != gn2
1488
1489
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1490class TestGeneralNames(object):
1491 def test_get_values_for_type(self):
1492 gns = x509.GeneralNames(
1493 [x509.DNSName(u"cryptography.io")]
1494 )
1495 names = gns.get_values_for_type(x509.DNSName)
1496 assert names == [u"cryptography.io"]
1497
1498 def test_iter_names(self):
1499 gns = x509.GeneralNames([
1500 x509.DNSName(u"cryptography.io"),
1501 x509.DNSName(u"crypto.local"),
1502 ])
1503 assert len(gns) == 2
1504 assert list(gns) == [
1505 x509.DNSName(u"cryptography.io"),
1506 x509.DNSName(u"crypto.local"),
1507 ]
1508
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1509 def test_indexing(self):
1510 gn = x509.GeneralNames([
1511 x509.DNSName(u"cryptography.io"),
1512 x509.DNSName(u"crypto.local"),
1513 x509.DNSName(u"another.local"),
1514 x509.RFC822Name(u"email@another.local"),
1515 x509.UniformResourceIdentifier(u"http://another.local"),
1516 ])
1517 assert gn[-1] == gn[4]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame]1518 assert gn[2:6:2] == [gn[2], gn[4]]
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1519
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1520 def test_invalid_general_names(self):
1521 with pytest.raises(TypeError):
1522 x509.GeneralNames(
1523 [x509.DNSName(u"cryptography.io"), "invalid"]
1524 )
1525
1526 def test_repr(self):
1527 gns = x509.GeneralNames(
1528 [
1529 x509.DNSName(u"cryptography.io")
1530 ]
1531 )
1532 assert repr(gns) == (
1533 "<GeneralNames([<DNSName(value=cryptography.io)>])>"
1534 )
1535
1536 def test_eq(self):
1537 gns = x509.GeneralNames(
1538 [x509.DNSName(u"cryptography.io")]
1539 )
1540 gns2 = x509.GeneralNames(
1541 [x509.DNSName(u"cryptography.io")]
1542 )
1543 assert gns == gns2
1544
1545 def test_ne(self):
1546 gns = x509.GeneralNames(
1547 [x509.DNSName(u"cryptography.io")]
1548 )
1549 gns2 = x509.GeneralNames(
1550 [x509.RFC822Name(u"admin@cryptography.io")]
1551 )
1552 assert gns != gns2
1553 assert gns != object()
1554
1555
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1556class TestIssuerAlternativeName(object):
1557 def test_get_values_for_type(self):
1558 san = x509.IssuerAlternativeName(
1559 [x509.DNSName(u"cryptography.io")]
1560 )
1561 names = san.get_values_for_type(x509.DNSName)
1562 assert names == [u"cryptography.io"]
1563
1564 def test_iter_names(self):
1565 san = x509.IssuerAlternativeName([
1566 x509.DNSName(u"cryptography.io"),
1567 x509.DNSName(u"crypto.local"),
1568 ])
1569 assert len(san) == 2
1570 assert list(san) == [
1571 x509.DNSName(u"cryptography.io"),
1572 x509.DNSName(u"crypto.local"),
1573 ]
1574
Paul Kehrer5c999d32015-12-26 17:45:20 -0600[diff] [blame]1575 def test_indexing(self):
1576 ian = x509.IssuerAlternativeName([
1577 x509.DNSName(u"cryptography.io"),
1578 x509.DNSName(u"crypto.local"),
1579 x509.DNSName(u"another.local"),
1580 x509.RFC822Name(u"email@another.local"),
1581 x509.UniformResourceIdentifier(u"http://another.local"),
1582 ])
1583 assert ian[-1] == ian[4]
1584 assert ian[2:6:2] == [ian[2], ian[4]]
1585
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1586 def test_invalid_general_names(self):
1587 with pytest.raises(TypeError):
1588 x509.IssuerAlternativeName(
1589 [x509.DNSName(u"cryptography.io"), "invalid"]
1590 )
1591
1592 def test_repr(self):
1593 san = x509.IssuerAlternativeName(
1594 [
1595 x509.DNSName(u"cryptography.io")
1596 ]
1597 )
1598 assert repr(san) == (
1599 "<IssuerAlternativeName("
1600 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
1601 )
1602
1603 def test_eq(self):
1604 san = x509.IssuerAlternativeName(
1605 [x509.DNSName(u"cryptography.io")]
1606 )
1607 san2 = x509.IssuerAlternativeName(
1608 [x509.DNSName(u"cryptography.io")]
1609 )
1610 assert san == san2
1611
1612 def test_ne(self):
1613 san = x509.IssuerAlternativeName(
1614 [x509.DNSName(u"cryptography.io")]
1615 )
1616 san2 = x509.IssuerAlternativeName(
1617 [x509.RFC822Name(u"admin@cryptography.io")]
1618 )
1619 assert san != san2
1620 assert san != object()
1621
1622
Alex Gaynorf1c17672015-06-20 14:20:20 -0400[diff] [blame]1623@pytest.mark.requires_backend_interface(interface=RSABackend)
1624@pytest.mark.requires_backend_interface(interface=X509Backend)
1625class TestRSAIssuerAlternativeNameExtension(object):
1626 def test_uri(self, backend):
1627 cert = _load_cert(
1628 os.path.join("x509", "custom", "ian_uri.pem"),
1629 x509.load_pem_x509_certificate,
1630 backend,
1631 )
1632 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1633 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Alex Gaynorf1c17672015-06-20 14:20:20 -0400[diff] [blame]1634 )
1635 assert list(ext.value) == [
1636 x509.UniformResourceIdentifier(u"http://path.to.root/root.crt"),
1637 ]
1638
1639
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]1640class TestCRLNumber(object):
1641 def test_eq(self):
1642 crl_number = x509.CRLNumber(15)
1643 assert crl_number == x509.CRLNumber(15)
1644
1645 def test_ne(self):
1646 crl_number = x509.CRLNumber(15)
1647 assert crl_number != x509.CRLNumber(14)
1648 assert crl_number != object()
1649
1650 def test_repr(self):
1651 crl_number = x509.CRLNumber(15)
1652 assert repr(crl_number) == "<CRLNumber(15)>"
1653
Paul Kehrera9718fc2015-12-22 22:55:35 -0600[diff] [blame]1654 def test_invalid_number(self):
1655 with pytest.raises(TypeError):
1656 x509.CRLNumber("notanumber")
1657
Alex Gaynorf9a77b62015-12-26 12:14:25 -0500[diff] [blame]1658 def test_hash(self):
1659 c1 = x509.CRLNumber(1)
1660 c2 = x509.CRLNumber(1)
1661 c3 = x509.CRLNumber(2)
1662 assert hash(c1) == hash(c2)
1663 assert hash(c1) != hash(c3)
1664
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]1665
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1666class TestSubjectAlternativeName(object):
1667 def test_get_values_for_type(self):
1668 san = x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1669 [x509.DNSName(u"cryptography.io")]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1670 )
1671 names = san.get_values_for_type(x509.DNSName)
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1672 assert names == [u"cryptography.io"]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1673
1674 def test_iter_names(self):
1675 san = x509.SubjectAlternativeName([
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1676 x509.DNSName(u"cryptography.io"),
1677 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1678 ])
1679 assert len(san) == 2
1680 assert list(san) == [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1681 x509.DNSName(u"cryptography.io"),
1682 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1683 ]
1684
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1685 def test_indexing(self):
1686 san = x509.SubjectAlternativeName([
1687 x509.DNSName(u"cryptography.io"),
1688 x509.DNSName(u"crypto.local"),
1689 x509.DNSName(u"another.local"),
1690 x509.RFC822Name(u"email@another.local"),
1691 x509.UniformResourceIdentifier(u"http://another.local"),
1692 ])
1693 assert san[-1] == san[4]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame]1694 assert san[2:6:2] == [san[2], san[4]]
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1695
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1696 def test_invalid_general_names(self):
1697 with pytest.raises(TypeError):
1698 x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1699 [x509.DNSName(u"cryptography.io"), "invalid"]
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1700 )
1701
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1702 def test_repr(self):
1703 san = x509.SubjectAlternativeName(
1704 [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1705 x509.DNSName(u"cryptography.io")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1706 ]
1707 )
1708 assert repr(san) == (
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1709 "<SubjectAlternativeName("
1710 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1711 )
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1712
Paul Kehrer58cc3972015-05-13 10:00:41 -0500[diff] [blame]1713 def test_eq(self):
1714 san = x509.SubjectAlternativeName(
1715 [x509.DNSName(u"cryptography.io")]
1716 )
1717 san2 = x509.SubjectAlternativeName(
1718 [x509.DNSName(u"cryptography.io")]
1719 )
1720 assert san == san2
1721
1722 def test_ne(self):
1723 san = x509.SubjectAlternativeName(
1724 [x509.DNSName(u"cryptography.io")]
1725 )
1726 san2 = x509.SubjectAlternativeName(
1727 [x509.RFC822Name(u"admin@cryptography.io")]
1728 )
1729 assert san != san2
1730 assert san != object()
1731
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1732
1733@pytest.mark.requires_backend_interface(interface=RSABackend)
1734@pytest.mark.requires_backend_interface(interface=X509Backend)
1735class TestRSASubjectAlternativeNameExtension(object):
1736 def test_dns_name(self, backend):
1737 cert = _load_cert(
1738 os.path.join("x509", "cryptography.io.pem"),
1739 x509.load_pem_x509_certificate,
1740 backend
1741 )
1742 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1743 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1744 )
1745 assert ext is not None
1746 assert ext.critical is False
1747
1748 san = ext.value
1749
1750 dns = san.get_values_for_type(x509.DNSName)
1751 assert dns == [u"www.cryptography.io", u"cryptography.io"]
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1752
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1753 def test_wildcard_dns_name(self, backend):
1754 cert = _load_cert(
1755 os.path.join("x509", "wildcard_san.pem"),
1756 x509.load_pem_x509_certificate,
1757 backend
1758 )
1759 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1760 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1761 )
1762
1763 dns = ext.value.get_values_for_type(x509.DNSName)
1764 assert dns == [
1765 u'*.langui.sh',
1766 u'langui.sh',
1767 u'*.saseliminator.com',
1768 u'saseliminator.com'
1769 ]
1770
Dominic Chen87bb9572015-10-09 00:23:07 -0400[diff] [blame]1771 def test_san_empty_hostname(self, backend):
1772 cert = _load_cert(
1773 os.path.join(
1774 "x509", "custom", "san_empty_hostname.pem"
1775 ),
1776 x509.load_pem_x509_certificate,
1777 backend
1778 )
1779 san = cert.extensions.get_extension_for_oid(
1780 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
1781 )
1782
1783 dns = san.value.get_values_for_type(x509.DNSName)
1784 assert dns == [u'']
1785
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1786 def test_san_wildcard_idna_dns_name(self, backend):
1787 cert = _load_cert(
1788 os.path.join("x509", "custom", "san_wildcard_idna.pem"),
1789 x509.load_pem_x509_certificate,
1790 backend
1791 )
1792 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1793 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1794 )
1795
1796 dns = ext.value.get_values_for_type(x509.DNSName)
1797 assert dns == [u'*.\u043f\u044b\u043a\u0430.cryptography']
1798
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1799 def test_unsupported_gn(self, backend):
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1800 cert = _load_cert(
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1801 os.path.join("x509", "san_x400address.der"),
1802 x509.load_der_x509_certificate,
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1803 backend
1804 )
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1805 with pytest.raises(x509.UnsupportedGeneralNameType) as exc:
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1806 cert.extensions
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1807
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1808 assert exc.value.type == 3
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1809
1810 def test_registered_id(self, backend):
1811 cert = _load_cert(
1812 os.path.join(
1813 "x509", "custom", "san_registered_id.pem"
1814 ),
1815 x509.load_pem_x509_certificate,
1816 backend
1817 )
1818 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1819 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1820 )
1821 assert ext is not None
1822 assert ext.critical is False
1823
1824 san = ext.value
1825 rid = san.get_values_for_type(x509.RegisteredID)
1826 assert rid == [x509.ObjectIdentifier("1.2.3.4")]
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1827
1828 def test_uri(self, backend):
1829 cert = _load_cert(
1830 os.path.join(
1831 "x509", "custom", "san_uri_with_port.pem"
1832 ),
1833 x509.load_pem_x509_certificate,
1834 backend
1835 )
1836 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1837 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1838 )
1839 assert ext is not None
1840 uri = ext.value.get_values_for_type(
1841 x509.UniformResourceIdentifier
1842 )
1843 assert uri == [
1844 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/path?q=s#hel"
1845 u"lo",
1846 u"http://someregulardomain.com",
1847 ]
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1848
1849 def test_ipaddress(self, backend):
1850 cert = _load_cert(
1851 os.path.join(
1852 "x509", "custom", "san_ipaddr.pem"
1853 ),
1854 x509.load_pem_x509_certificate,
1855 backend
1856 )
1857 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1858 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1859 )
1860 assert ext is not None
1861 assert ext.critical is False
1862
1863 san = ext.value
1864
1865 ip = san.get_values_for_type(x509.IPAddress)
1866 assert [
1867 ipaddress.ip_address(u"127.0.0.1"),
1868 ipaddress.ip_address(u"ff::")
1869 ] == ip
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1870
1871 def test_dirname(self, backend):
1872 cert = _load_cert(
1873 os.path.join(
1874 "x509", "custom", "san_dirname.pem"
1875 ),
1876 x509.load_pem_x509_certificate,
1877 backend
1878 )
1879 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1880 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1881 )
1882 assert ext is not None
1883 assert ext.critical is False
1884
1885 san = ext.value
1886
1887 dirname = san.get_values_for_type(x509.DirectoryName)
1888 assert [
1889 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1890 x509.NameAttribute(NameOID.COMMON_NAME, u'test'),
1891 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org'),
1892 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1893 ])
1894 ] == dirname
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1895
1896 def test_rfc822name(self, backend):
1897 cert = _load_cert(
1898 os.path.join(
1899 "x509", "custom", "san_rfc822_idna.pem"
1900 ),
1901 x509.load_pem_x509_certificate,
1902 backend
1903 )
1904 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1905 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1906 )
1907 assert ext is not None
1908 assert ext.critical is False
1909
1910 san = ext.value
1911
1912 rfc822name = san.get_values_for_type(x509.RFC822Name)
1913 assert [u"email@em\xe5\xefl.com"] == rfc822name
1914
Paul Kehrerb8968812015-05-15 09:01:34 -0700[diff] [blame]1915 def test_idna2003_invalid(self, backend):
1916 cert = _load_cert(
1917 os.path.join(
1918 "x509", "custom", "san_idna2003_dnsname.pem"
1919 ),
1920 x509.load_pem_x509_certificate,
1921 backend
1922 )
1923 with pytest.raises(UnicodeError):
1924 cert.extensions
1925
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1926 def test_unicode_rfc822_name_dns_name_uri(self, backend):
1927 cert = _load_cert(
1928 os.path.join(
1929 "x509", "custom", "san_idna_names.pem"
1930 ),
1931 x509.load_pem_x509_certificate,
1932 backend
1933 )
1934 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1935 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1936 )
1937 assert ext is not None
1938 rfc822_name = ext.value.get_values_for_type(x509.RFC822Name)
1939 dns_name = ext.value.get_values_for_type(x509.DNSName)
1940 uri = ext.value.get_values_for_type(x509.UniformResourceIdentifier)
1941 assert rfc822_name == [u"email@\u043f\u044b\u043a\u0430.cryptography"]
1942 assert dns_name == [u"\u043f\u044b\u043a\u0430.cryptography"]
1943 assert uri == [u"https://www.\u043f\u044b\u043a\u0430.cryptography"]
1944
1945 def test_rfc822name_dnsname_ipaddress_directoryname_uri(self, backend):
1946 cert = _load_cert(
1947 os.path.join(
1948 "x509", "custom", "san_email_dns_ip_dirname_uri.pem"
1949 ),
1950 x509.load_pem_x509_certificate,
1951 backend
1952 )
1953 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1954 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1955 )
1956 assert ext is not None
1957 assert ext.critical is False
1958
1959 san = ext.value
1960
1961 rfc822_name = san.get_values_for_type(x509.RFC822Name)
1962 uri = san.get_values_for_type(x509.UniformResourceIdentifier)
1963 dns = san.get_values_for_type(x509.DNSName)
1964 ip = san.get_values_for_type(x509.IPAddress)
1965 dirname = san.get_values_for_type(x509.DirectoryName)
1966 assert [u"user@cryptography.io"] == rfc822_name
Paul Kehrere3a330c2015-05-02 16:42:52 -0500[diff] [blame]1967 assert [u"https://cryptography.io"] == uri
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1968 assert [u"cryptography.io"] == dns
1969 assert [
1970 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1971 x509.NameAttribute(NameOID.COMMON_NAME, u'dirCN'),
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1972 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1973 NameOID.ORGANIZATION_NAME, u'Cryptographic Authority'
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1974 ),
1975 ])
1976 ] == dirname
1977 assert [
1978 ipaddress.ip_address(u"127.0.0.1"),
1979 ipaddress.ip_address(u"ff::")
1980 ] == ip
1981
1982 def test_invalid_rfc822name(self, backend):
1983 cert = _load_cert(
1984 os.path.join(
1985 "x509", "custom", "san_rfc822_names.pem"
1986 ),
1987 x509.load_pem_x509_certificate,
1988 backend
1989 )
1990 with pytest.raises(ValueError) as exc:
1991 cert.extensions
1992
1993 assert 'Invalid rfc822name value' in str(exc.value)
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]1994
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1995 def test_other_name(self, backend):
1996 cert = _load_cert(
1997 os.path.join(
1998 "x509", "custom", "san_other_name.pem"
1999 ),
2000 x509.load_pem_x509_certificate,
2001 backend
2002 )
2003
2004 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2005 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2006 )
2007 assert ext is not None
2008 assert ext.critical is False
2009
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]2010 expected = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"),
2011 b'\x16\x0bHello World')
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2012 assert len(ext.value) == 1
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]2013 assert list(ext.value)[0] == expected
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2014
2015 othernames = ext.value.get_values_for_type(x509.OtherName)
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]2016 assert othernames == [expected]
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2017
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]2018
2019@pytest.mark.requires_backend_interface(interface=RSABackend)
2020@pytest.mark.requires_backend_interface(interface=X509Backend)
2021class TestExtendedKeyUsageExtension(object):
2022 def test_eku(self, backend):
2023 cert = _load_cert(
2024 os.path.join(
2025 "x509", "custom", "extended_key_usage.pem"
2026 ),
2027 x509.load_pem_x509_certificate,
2028 backend
2029 )
2030 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2031 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]2032 )
2033 assert ext is not None
2034 assert ext.critical is False
2035
2036 assert [
2037 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
2038 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
2039 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.3"),
2040 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.4"),
2041 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.9"),
2042 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.8"),
2043 x509.ObjectIdentifier("2.5.29.37.0"),
2044 x509.ObjectIdentifier("2.16.840.1.113730.4.1"),
2045 ] == list(ext.value)
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2046
2047
2048class TestAccessDescription(object):
2049 def test_invalid_access_method(self):
Nick Bastind06763d2015-12-12 18:32:59 -0800[diff] [blame]2050 with pytest.raises(TypeError):
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2051 x509.AccessDescription("notanoid", x509.DNSName(u"test"))
2052
2053 def test_invalid_access_location(self):
2054 with pytest.raises(TypeError):
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2055 x509.AccessDescription(
2056 AuthorityInformationAccessOID.CA_ISSUERS, "invalid"
2057 )
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2058
Nick Bastind2ecf862015-12-13 05:44:46 -0800[diff] [blame]2059 def test_valid_nonstandard_method(self):
Nick Bastin326fc8e2015-12-12 19:08:12 -0800[diff] [blame]2060 ad = x509.AccessDescription(
2061 ObjectIdentifier("2.999.1"),
2062 x509.UniformResourceIdentifier(u"http://example.com")
2063 )
Nick Bastin11f0f8a2015-12-12 18:54:12 -0800[diff] [blame]2064 assert ad is not None
2065
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2066 def test_repr(self):
2067 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2068 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2069 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2070 )
2071 assert repr(ad) == (
2072 "<AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5."
2073 "5.7.48.1, name=OCSP)>, access_location=<UniformResourceIdentifier"
2074 "(value=http://ocsp.domain.com)>)>"
2075 )
2076
2077 def test_eq(self):
2078 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2079 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2080 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2081 )
2082 ad2 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2083 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2084 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2085 )
2086 assert ad == ad2
2087
2088 def test_ne(self):
2089 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2090 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2091 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2092 )
2093 ad2 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2094 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2095 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2096 )
2097 ad3 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2098 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2099 x509.UniformResourceIdentifier(u"http://notthesame")
2100 )
2101 assert ad != ad2
2102 assert ad != ad3
2103 assert ad != object()
2104
2105
2106class TestAuthorityInformationAccess(object):
2107 def test_invalid_descriptions(self):
2108 with pytest.raises(TypeError):
2109 x509.AuthorityInformationAccess(["notanAccessDescription"])
2110
2111 def test_iter_len(self):
2112 aia = x509.AuthorityInformationAccess([
2113 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2114 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2115 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2116 ),
2117 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2118 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2119 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2120 )
2121 ])
2122 assert len(aia) == 2
2123 assert list(aia) == [
2124 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2125 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2126 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2127 ),
2128 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2129 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2130 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2131 )
2132 ]
2133
2134 def test_repr(self):
2135 aia = x509.AuthorityInformationAccess([
2136 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2137 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2138 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2139 ),
2140 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2141 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2142 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2143 )
2144 ])
2145 assert repr(aia) == (
2146 "<AuthorityInformationAccess([<AccessDescription(access_method=<Ob"
2147 "jectIdentifier(oid=1.3.6.1.5.5.7.48.1, name=OCSP)>, access_locati"
2148 "on=<UniformResourceIdentifier(value=http://ocsp.domain.com)>)>, <"
2149 "AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5.5"
2150 ".7.48.2, name=caIssuers)>, access_location=<UniformResourceIdenti"
2151 "fier(value=http://domain.com/ca.crt)>)>])>"
2152 )
2153
2154 def test_eq(self):
2155 aia = x509.AuthorityInformationAccess([
2156 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2157 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2158 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2159 ),
2160 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2161 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2162 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2163 )
2164 ])
2165 aia2 = x509.AuthorityInformationAccess([
2166 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2167 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2168 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2169 ),
2170 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2171 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2172 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2173 )
2174 ])
2175 assert aia == aia2
2176
2177 def test_ne(self):
2178 aia = x509.AuthorityInformationAccess([
2179 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2180 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2181 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2182 ),
2183 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2184 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2185 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2186 )
2187 ])
2188 aia2 = x509.AuthorityInformationAccess([
2189 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2190 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2191 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2192 ),
2193 ])
2194
2195 assert aia != aia2
2196 assert aia != object()
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2197
2198
2199@pytest.mark.requires_backend_interface(interface=RSABackend)
2200@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2201class TestAuthorityInformationAccessExtension(object):
2202 def test_aia_ocsp_ca_issuers(self, backend):
2203 cert = _load_cert(
2204 os.path.join("x509", "cryptography.io.pem"),
2205 x509.load_pem_x509_certificate,
2206 backend
2207 )
2208 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2209 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2210 )
2211 assert ext is not None
2212 assert ext.critical is False
2213
2214 assert ext.value == x509.AuthorityInformationAccess([
2215 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2216 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2217 x509.UniformResourceIdentifier(u"http://gv.symcd.com")
2218 ),
2219 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2220 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2221 x509.UniformResourceIdentifier(u"http://gv.symcb.com/gv.crt")
2222 ),
2223 ])
2224
2225 def test_aia_multiple_ocsp_ca_issuers(self, backend):
2226 cert = _load_cert(
2227 os.path.join("x509", "custom", "aia_ocsp_ca_issuers.pem"),
2228 x509.load_pem_x509_certificate,
2229 backend
2230 )
2231 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2232 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2233 )
2234 assert ext is not None
2235 assert ext.critical is False
2236
2237 assert ext.value == x509.AuthorityInformationAccess([
2238 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2239 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2240 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2241 ),
2242 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2243 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2244 x509.UniformResourceIdentifier(u"http://ocsp2.domain.com")
2245 ),
2246 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2247 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2248 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2249 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
2250 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2251 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2252 ]))
2253 ),
2254 ])
2255
2256 def test_aia_ocsp_only(self, backend):
2257 cert = _load_cert(
2258 os.path.join("x509", "custom", "aia_ocsp.pem"),
2259 x509.load_pem_x509_certificate,
2260 backend
2261 )
2262 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2263 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2264 )
2265 assert ext is not None
2266 assert ext.critical is False
2267
2268 assert ext.value == x509.AuthorityInformationAccess([
2269 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2270 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2271 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2272 ),
2273 ])
2274
2275 def test_aia_ca_issuers_only(self, backend):
2276 cert = _load_cert(
2277 os.path.join("x509", "custom", "aia_ca_issuers.pem"),
2278 x509.load_pem_x509_certificate,
2279 backend
2280 )
2281 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2282 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2283 )
2284 assert ext is not None
2285 assert ext.critical is False
2286
2287 assert ext.value == x509.AuthorityInformationAccess([
2288 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2289 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2290 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2291 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
2292 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2293 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2294 ]))
2295 ),
2296 ])
2297
2298
2299@pytest.mark.requires_backend_interface(interface=RSABackend)
2300@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2301class TestAuthorityKeyIdentifierExtension(object):
2302 def test_aki_keyid(self, backend):
2303 cert = _load_cert(
2304 os.path.join(
2305 "x509", "cryptography.io.pem"
2306 ),
2307 x509.load_pem_x509_certificate,
2308 backend
2309 )
2310 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2311 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2312 )
2313 assert ext is not None
2314 assert ext.critical is False
2315
2316 assert ext.value.key_identifier == (
2317 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08\xcbY"
2318 )
2319 assert ext.value.authority_cert_issuer is None
2320 assert ext.value.authority_cert_serial_number is None
2321
2322 def test_aki_all_fields(self, backend):
2323 cert = _load_cert(
2324 os.path.join(
2325 "x509", "custom", "authority_key_identifier.pem"
2326 ),
2327 x509.load_pem_x509_certificate,
2328 backend
2329 )
2330 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2331 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2332 )
2333 assert ext is not None
2334 assert ext.critical is False
2335
2336 assert ext.value.key_identifier == (
2337 b"9E>\xca=b\x1d\xea\x86I\xf6Z\xab@\xb7\xa4p\x98\xf1\xec"
2338 )
2339 assert ext.value.authority_cert_issuer == [
2340 x509.DirectoryName(
2341 x509.Name([
2342 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2343 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2344 ),
2345 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2346 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2347 )
2348 ])
2349 )
2350 ]
2351 assert ext.value.authority_cert_serial_number == 3
2352
2353 def test_aki_no_keyid(self, backend):
2354 cert = _load_cert(
2355 os.path.join(
2356 "x509", "custom", "authority_key_identifier_no_keyid.pem"
2357 ),
2358 x509.load_pem_x509_certificate,
2359 backend
2360 )
2361 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2362 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2363 )
2364 assert ext is not None
2365 assert ext.critical is False
2366
2367 assert ext.value.key_identifier is None
2368 assert ext.value.authority_cert_issuer == [
2369 x509.DirectoryName(
2370 x509.Name([
2371 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2372 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2373 ),
2374 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2375 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2376 )
2377 ])
2378 )
2379 ]
2380 assert ext.value.authority_cert_serial_number == 3
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2381
Paul Kehrer253929a2015-08-05 17:30:39 +0100[diff] [blame]2382 def test_from_certificate(self, backend):
2383 issuer_cert = _load_cert(
2384 os.path.join("x509", "rapidssl_sha256_ca_g3.pem"),
2385 x509.load_pem_x509_certificate,
2386 backend
2387 )
2388 cert = _load_cert(
2389 os.path.join("x509", "cryptography.io.pem"),
2390 x509.load_pem_x509_certificate,
2391 backend
2392 )
2393 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2394 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrer253929a2015-08-05 17:30:39 +0100[diff] [blame]2395 )
2396 aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(
2397 issuer_cert.public_key()
2398 )
2399 assert ext.value == aki
2400
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2401
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2402class TestNameConstraints(object):
2403 def test_ipaddress_wrong_type(self):
2404 with pytest.raises(TypeError):
2405 x509.NameConstraints(
2406 permitted_subtrees=[
2407 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2408 ],
2409 excluded_subtrees=None
2410 )
2411
2412 with pytest.raises(TypeError):
2413 x509.NameConstraints(
2414 permitted_subtrees=None,
2415 excluded_subtrees=[
2416 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2417 ]
2418 )
2419
2420 def test_ipaddress_allowed_type(self):
2421 permitted = [x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29"))]
2422 excluded = [x509.IPAddress(ipaddress.IPv4Network(u"10.10.0.0/24"))]
2423 nc = x509.NameConstraints(
2424 permitted_subtrees=permitted,
2425 excluded_subtrees=excluded
2426 )
2427 assert nc.permitted_subtrees == permitted
2428 assert nc.excluded_subtrees == excluded
2429
2430 def test_invalid_permitted_subtrees(self):
2431 with pytest.raises(TypeError):
2432 x509.NameConstraints("badpermitted", None)
2433
2434 def test_invalid_excluded_subtrees(self):
2435 with pytest.raises(TypeError):
2436 x509.NameConstraints(None, "badexcluded")
2437
2438 def test_no_subtrees(self):
2439 with pytest.raises(ValueError):
2440 x509.NameConstraints(None, None)
2441
2442 def test_permitted_none(self):
2443 excluded = [x509.DNSName(u"name.local")]
2444 nc = x509.NameConstraints(
2445 permitted_subtrees=None, excluded_subtrees=excluded
2446 )
2447 assert nc.permitted_subtrees is None
2448 assert nc.excluded_subtrees is not None
2449
2450 def test_excluded_none(self):
2451 permitted = [x509.DNSName(u"name.local")]
2452 nc = x509.NameConstraints(
2453 permitted_subtrees=permitted, excluded_subtrees=None
2454 )
2455 assert nc.permitted_subtrees is not None
2456 assert nc.excluded_subtrees is None
2457
2458 def test_repr(self):
2459 permitted = [x509.DNSName(u"name.local"), x509.DNSName(u"name2.local")]
2460 nc = x509.NameConstraints(
2461 permitted_subtrees=permitted,
2462 excluded_subtrees=None
2463 )
2464 assert repr(nc) == (
2465 "<NameConstraints(permitted_subtrees=[<DNSName(value=name.local)>"
2466 ", <DNSName(value=name2.local)>], excluded_subtrees=None)>"
2467 )
2468
Paul Kehrer31894282015-06-21 21:46:41 -0500[diff] [blame]2469 def test_eq(self):
2470 nc = x509.NameConstraints(
2471 permitted_subtrees=[x509.DNSName(u"name.local")],
2472 excluded_subtrees=[x509.DNSName(u"name2.local")]
2473 )
2474 nc2 = x509.NameConstraints(
2475 permitted_subtrees=[x509.DNSName(u"name.local")],
2476 excluded_subtrees=[x509.DNSName(u"name2.local")]
2477 )
2478 assert nc == nc2
2479
2480 def test_ne(self):
2481 nc = x509.NameConstraints(
2482 permitted_subtrees=[x509.DNSName(u"name.local")],
2483 excluded_subtrees=[x509.DNSName(u"name2.local")]
2484 )
2485 nc2 = x509.NameConstraints(
2486 permitted_subtrees=[x509.DNSName(u"name.local")],
2487 excluded_subtrees=None
2488 )
2489 nc3 = x509.NameConstraints(
2490 permitted_subtrees=None,
2491 excluded_subtrees=[x509.DNSName(u"name2.local")]
2492 )
2493
2494 assert nc != nc2
2495 assert nc != nc3
2496 assert nc != object()
2497
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2498
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2499@pytest.mark.requires_backend_interface(interface=RSABackend)
2500@pytest.mark.requires_backend_interface(interface=X509Backend)
2501class TestNameConstraintsExtension(object):
2502 def test_permitted_excluded(self, backend):
2503 cert = _load_cert(
2504 os.path.join(
2505 "x509", "custom", "nc_permitted_excluded_2.pem"
2506 ),
2507 x509.load_pem_x509_certificate,
2508 backend
2509 )
2510 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2511 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2512 ).value
2513 assert nc == x509.NameConstraints(
2514 permitted_subtrees=[
2515 x509.DNSName(u"zombo.local"),
2516 ],
2517 excluded_subtrees=[
2518 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2519 x509.NameAttribute(NameOID.COMMON_NAME, u"zombo")
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2520 ]))
2521 ]
2522 )
2523
2524 def test_permitted(self, backend):
2525 cert = _load_cert(
2526 os.path.join(
2527 "x509", "custom", "nc_permitted_2.pem"
2528 ),
2529 x509.load_pem_x509_certificate,
2530 backend
2531 )
2532 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2533 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2534 ).value
2535 assert nc == x509.NameConstraints(
2536 permitted_subtrees=[
2537 x509.DNSName(u"zombo.local"),
2538 ],
2539 excluded_subtrees=None
2540 )
2541
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2542 def test_permitted_with_leading_period(self, backend):
2543 cert = _load_cert(
2544 os.path.join(
2545 "x509", "custom", "nc_permitted.pem"
2546 ),
2547 x509.load_pem_x509_certificate,
2548 backend
2549 )
2550 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2551 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2552 ).value
2553 assert nc == x509.NameConstraints(
2554 permitted_subtrees=[
2555 x509.DNSName(u".cryptography.io"),
2556 x509.UniformResourceIdentifier(u"ftp://cryptography.test")
2557 ],
2558 excluded_subtrees=None
2559 )
2560
2561 def test_excluded_with_leading_period(self, backend):
2562 cert = _load_cert(
2563 os.path.join(
2564 "x509", "custom", "nc_excluded.pem"
2565 ),
2566 x509.load_pem_x509_certificate,
2567 backend
2568 )
2569 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2570 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2571 ).value
2572 assert nc == x509.NameConstraints(
2573 permitted_subtrees=None,
2574 excluded_subtrees=[
2575 x509.DNSName(u".cryptography.io"),
2576 x509.UniformResourceIdentifier(u"gopher://cryptography.test")
2577 ]
2578 )
2579
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2580 def test_permitted_excluded_with_ips(self, backend):
2581 cert = _load_cert(
2582 os.path.join(
2583 "x509", "custom", "nc_permitted_excluded.pem"
2584 ),
2585 x509.load_pem_x509_certificate,
2586 backend
2587 )
2588 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2589 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2590 ).value
2591 assert nc == x509.NameConstraints(
2592 permitted_subtrees=[
2593 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")),
2594 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")),
2595 ],
2596 excluded_subtrees=[
2597 x509.DNSName(u".domain.com"),
2598 x509.UniformResourceIdentifier(u"http://test.local"),
2599 ]
2600 )
2601
Paul Kehrera72ebaf2015-07-01 21:07:37 -0500[diff] [blame]2602 def test_single_ip_netmask(self, backend):
2603 cert = _load_cert(
2604 os.path.join(
2605 "x509", "custom", "nc_single_ip_netmask.pem"
2606 ),
2607 x509.load_pem_x509_certificate,
2608 backend
2609 )
2610 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2611 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrera72ebaf2015-07-01 21:07:37 -0500[diff] [blame]2612 ).value
2613 assert nc == x509.NameConstraints(
2614 permitted_subtrees=[
2615 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/128")),
2616 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.1/32")),
2617 ],
2618 excluded_subtrees=None
2619 )
2620
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2621 def test_invalid_netmask(self, backend):
2622 cert = _load_cert(
2623 os.path.join(
2624 "x509", "custom", "nc_invalid_ip_netmask.pem"
2625 ),
2626 x509.load_pem_x509_certificate,
2627 backend
2628 )
2629 with pytest.raises(ValueError):
2630 cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2631 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2632 )
2633
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2634
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2635class TestDistributionPoint(object):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2636 def test_distribution_point_full_name_not_general_names(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2637 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2638 x509.DistributionPoint(["notgn"], None, None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2639
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2640 def test_distribution_point_relative_name_not_name(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2641 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2642 x509.DistributionPoint(None, "notname", None, None)
2643
2644 def test_distribution_point_full_and_relative_not_none(self):
2645 with pytest.raises(ValueError):
2646 x509.DistributionPoint("data", "notname", None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2647
2648 def test_crl_issuer_not_general_names(self):
2649 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2650 x509.DistributionPoint(None, None, None, ["notgn"])
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2651
2652 def test_reason_not_reasonflags(self):
2653 with pytest.raises(TypeError):
2654 x509.DistributionPoint(
2655 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2656 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2657 frozenset(["notreasonflags"]),
2658 None
2659 )
2660
2661 def test_reason_not_frozenset(self):
2662 with pytest.raises(TypeError):
2663 x509.DistributionPoint(
2664 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2665 None,
2666 [x509.ReasonFlags.ca_compromise],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2667 None
2668 )
2669
2670 def test_disallowed_reasons(self):
2671 with pytest.raises(ValueError):
2672 x509.DistributionPoint(
2673 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2674 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2675 frozenset([x509.ReasonFlags.unspecified]),
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2676 None
2677 )
2678
2679 with pytest.raises(ValueError):
2680 x509.DistributionPoint(
2681 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2682 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2683 frozenset([x509.ReasonFlags.remove_from_crl]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2684 None
2685 )
2686
2687 def test_reason_only(self):
2688 with pytest.raises(ValueError):
2689 x509.DistributionPoint(
2690 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2691 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2692 frozenset([x509.ReasonFlags.aa_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2693 None
2694 )
2695
2696 def test_eq(self):
2697 dp = x509.DistributionPoint(
2698 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2699 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2700 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2701 [
2702 x509.DirectoryName(
2703 x509.Name([
2704 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2705 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2706 )
2707 ])
2708 )
2709 ],
2710 )
2711 dp2 = x509.DistributionPoint(
2712 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2713 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2714 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2715 [
2716 x509.DirectoryName(
2717 x509.Name([
2718 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2719 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2720 )
2721 ])
2722 )
2723 ],
2724 )
2725 assert dp == dp2
2726
2727 def test_ne(self):
2728 dp = x509.DistributionPoint(
2729 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2730 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2731 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2732 [
2733 x509.DirectoryName(
2734 x509.Name([
2735 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2736 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2737 )
2738 ])
2739 )
2740 ],
2741 )
2742 dp2 = x509.DistributionPoint(
2743 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2744 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2745 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2746 None
2747 )
2748 assert dp != dp2
2749 assert dp != object()
2750
2751 def test_repr(self):
2752 dp = x509.DistributionPoint(
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2753 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2754 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2755 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN")
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2756 ]),
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2757 frozenset([x509.ReasonFlags.ca_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2758 [
2759 x509.DirectoryName(
2760 x509.Name([
2761 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2762 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2763 )
2764 ])
2765 )
2766 ],
2767 )
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2768 if six.PY3:
2769 assert repr(dp) == (
2770 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2771 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]2772 ">, value='myCN')>])>, reasons=frozenset({<ReasonFlags.ca_comp"
2773 "romise: 'cACompromise'>}), crl_issuer=[<DirectoryName(value=<"
2774 "Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name="
2775 "commonName)>, value='Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2776 )
2777 else:
2778 assert repr(dp) == (
2779 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2780 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2781 ">, value=u'myCN')>])>, reasons=frozenset([<ReasonFlags.ca_com"
2782 "promise: 'cACompromise'>]), crl_issuer=[<DirectoryName(value="
2783 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
2784 "=commonName)>, value=u'Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2785 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2786
2787
2788class TestCRLDistributionPoints(object):
2789 def test_invalid_distribution_points(self):
2790 with pytest.raises(TypeError):
2791 x509.CRLDistributionPoints(["notadistributionpoint"])
2792
2793 def test_iter_len(self):
2794 cdp = x509.CRLDistributionPoints([
2795 x509.DistributionPoint(
2796 [x509.UniformResourceIdentifier(u"http://domain")],
2797 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2798 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2799 None
2800 ),
2801 x509.DistributionPoint(
2802 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2803 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2804 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2805 x509.ReasonFlags.key_compromise,
2806 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2807 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2808 None
2809 ),
2810 ])
2811 assert len(cdp) == 2
2812 assert list(cdp) == [
2813 x509.DistributionPoint(
2814 [x509.UniformResourceIdentifier(u"http://domain")],
2815 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2816 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2817 None
2818 ),
2819 x509.DistributionPoint(
2820 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2821 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2822 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2823 x509.ReasonFlags.key_compromise,
2824 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2825 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2826 None
2827 ),
2828 ]
2829
2830 def test_repr(self):
2831 cdp = x509.CRLDistributionPoints([
2832 x509.DistributionPoint(
2833 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2834 None,
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2835 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2836 None
2837 ),
2838 ])
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2839 if six.PY3:
2840 assert repr(cdp) == (
2841 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2842 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2843 "ne, reasons=frozenset({<ReasonFlags.key_compromise: 'keyComp"
2844 "romise'>}), crl_issuer=None)>])>"
2845 )
2846 else:
2847 assert repr(cdp) == (
2848 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2849 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2850 "ne, reasons=frozenset([<ReasonFlags.key_compromise: 'keyComp"
2851 "romise'>]), crl_issuer=None)>])>"
2852 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2853
2854 def test_eq(self):
2855 cdp = x509.CRLDistributionPoints([
2856 x509.DistributionPoint(
2857 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2858 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2859 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2860 x509.ReasonFlags.key_compromise,
2861 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2862 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2863 [x509.UniformResourceIdentifier(u"uri://thing")],
2864 ),
2865 ])
2866 cdp2 = x509.CRLDistributionPoints([
2867 x509.DistributionPoint(
2868 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2869 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2870 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2871 x509.ReasonFlags.key_compromise,
2872 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2873 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2874 [x509.UniformResourceIdentifier(u"uri://thing")],
2875 ),
2876 ])
2877 assert cdp == cdp2
2878
2879 def test_ne(self):
2880 cdp = x509.CRLDistributionPoints([
2881 x509.DistributionPoint(
2882 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2883 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2884 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2885 x509.ReasonFlags.key_compromise,
2886 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2887 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2888 [x509.UniformResourceIdentifier(u"uri://thing")],
2889 ),
2890 ])
2891 cdp2 = x509.CRLDistributionPoints([
2892 x509.DistributionPoint(
2893 [x509.UniformResourceIdentifier(u"ftp://domain2")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2894 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2895 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2896 x509.ReasonFlags.key_compromise,
2897 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2898 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2899 [x509.UniformResourceIdentifier(u"uri://thing")],
2900 ),
2901 ])
2902 cdp3 = x509.CRLDistributionPoints([
2903 x509.DistributionPoint(
2904 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2905 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2906 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2907 [x509.UniformResourceIdentifier(u"uri://thing")],
2908 ),
2909 ])
2910 cdp4 = x509.CRLDistributionPoints([
2911 x509.DistributionPoint(
2912 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2913 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2914 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2915 x509.ReasonFlags.key_compromise,
2916 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2917 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2918 [x509.UniformResourceIdentifier(u"uri://thing2")],
2919 ),
2920 ])
2921 assert cdp != cdp2
2922 assert cdp != cdp3
2923 assert cdp != cdp4
2924 assert cdp != object()
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2925
2926
2927@pytest.mark.requires_backend_interface(interface=RSABackend)
2928@pytest.mark.requires_backend_interface(interface=X509Backend)
2929class TestCRLDistributionPointsExtension(object):
2930 def test_fullname_and_crl_issuer(self, backend):
2931 cert = _load_cert(
2932 os.path.join(
2933 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest28EE.crt"
2934 ),
2935 x509.load_der_x509_certificate,
2936 backend
2937 )
2938
2939 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2940 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2941 ).value
2942
2943 assert cdps == x509.CRLDistributionPoints([
2944 x509.DistributionPoint(
2945 full_name=[x509.DirectoryName(
2946 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2947 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2948 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2949 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2950 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2951 ),
2952 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2953 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2954 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2955 ),
2956 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2957 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2958 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2959 ),
2960 ])
2961 )],
2962 relative_name=None,
2963 reasons=None,
2964 crl_issuer=[x509.DirectoryName(
2965 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2966 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2967 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2968 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2969 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2970 ),
2971 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2972 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2973 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2974 ),
2975 ])
2976 )],
2977 )
2978 ])
2979
2980 def test_relativename_and_crl_issuer(self, backend):
2981 cert = _load_cert(
2982 os.path.join(
2983 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest29EE.crt"
2984 ),
2985 x509.load_der_x509_certificate,
2986 backend
2987 )
2988
2989 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2990 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2991 ).value
2992
2993 assert cdps == x509.CRLDistributionPoints([
2994 x509.DistributionPoint(
2995 full_name=None,
2996 relative_name=x509.Name([
2997 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2998 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2999 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3000 ),
3001 ]),
3002 reasons=None,
3003 crl_issuer=[x509.DirectoryName(
3004 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3005 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3006 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3007 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3008 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3009 ),
3010 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3011 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3012 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3013 ),
3014 ])
3015 )],
3016 )
3017 ])
3018
3019 def test_fullname_crl_issuer_reasons(self, backend):
3020 cert = _load_cert(
3021 os.path.join(
3022 "x509", "custom", "cdp_fullname_reasons_crl_issuer.pem"
3023 ),
3024 x509.load_pem_x509_certificate,
3025 backend
3026 )
3027
3028 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3029 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3030 ).value
3031
3032 assert cdps == x509.CRLDistributionPoints([
3033 x509.DistributionPoint(
3034 full_name=[x509.UniformResourceIdentifier(
3035 u"http://myhost.com/myca.crl"
3036 )],
3037 relative_name=None,
3038 reasons=frozenset([
3039 x509.ReasonFlags.key_compromise,
3040 x509.ReasonFlags.ca_compromise
3041 ]),
3042 crl_issuer=[x509.DirectoryName(
3043 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3044 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3045 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3046 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3047 ),
3048 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3049 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3050 ),
3051 ])
3052 )],
3053 )
3054 ])
3055
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3056 def test_all_reasons(self, backend):
3057 cert = _load_cert(
3058 os.path.join(
3059 "x509", "custom", "cdp_all_reasons.pem"
3060 ),
3061 x509.load_pem_x509_certificate,
3062 backend
3063 )
3064
3065 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3066 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3067 ).value
3068
3069 assert cdps == x509.CRLDistributionPoints([
3070 x509.DistributionPoint(
3071 full_name=[x509.UniformResourceIdentifier(
3072 u"http://domain.com/some.crl"
3073 )],
3074 relative_name=None,
3075 reasons=frozenset([
3076 x509.ReasonFlags.key_compromise,
3077 x509.ReasonFlags.ca_compromise,
3078 x509.ReasonFlags.affiliation_changed,
3079 x509.ReasonFlags.superseded,
3080 x509.ReasonFlags.privilege_withdrawn,
3081 x509.ReasonFlags.cessation_of_operation,
3082 x509.ReasonFlags.aa_compromise,
3083 x509.ReasonFlags.certificate_hold,
3084 ]),
3085 crl_issuer=None
3086 )
3087 ])
3088
3089 def test_single_reason(self, backend):
3090 cert = _load_cert(
3091 os.path.join(
3092 "x509", "custom", "cdp_reason_aa_compromise.pem"
3093 ),
3094 x509.load_pem_x509_certificate,
3095 backend
3096 )
3097
3098 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3099 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3100 ).value
3101
3102 assert cdps == x509.CRLDistributionPoints([
3103 x509.DistributionPoint(
3104 full_name=[x509.UniformResourceIdentifier(
3105 u"http://domain.com/some.crl"
3106 )],
3107 relative_name=None,
3108 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
3109 crl_issuer=None
3110 )
3111 ])
3112
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3113 def test_crl_issuer_only(self, backend):
3114 cert = _load_cert(
3115 os.path.join(
3116 "x509", "custom", "cdp_crl_issuer.pem"
3117 ),
3118 x509.load_pem_x509_certificate,
3119 backend
3120 )
3121
3122 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3123 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3124 ).value
3125
3126 assert cdps == x509.CRLDistributionPoints([
3127 x509.DistributionPoint(
3128 full_name=None,
3129 relative_name=None,
3130 reasons=None,
3131 crl_issuer=[x509.DirectoryName(
3132 x509.Name([
3133 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3134 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3135 ),
3136 ])
3137 )],
3138 )
3139 ])
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3140
Dominic Chen87bb9572015-10-09 00:23:07 -0400[diff] [blame]3141 def test_crl_empty_hostname(self, backend):
3142 cert = _load_cert(
3143 os.path.join(
3144 "x509", "custom", "cdp_empty_hostname.pem"
3145 ),
3146 x509.load_pem_x509_certificate,
3147 backend
3148 )
3149
3150 cdps = cert.extensions.get_extension_for_oid(
3151 ExtensionOID.CRL_DISTRIBUTION_POINTS
3152 ).value
3153
3154 assert cdps == x509.CRLDistributionPoints([
3155 x509.DistributionPoint(
3156 full_name=[x509.UniformResourceIdentifier(
3157 u"ldap:/CN=A,OU=B,dc=C,DC=D?E?F?G?H=I"
3158 )],
3159 relative_name=None,
3160 reasons=None,
3161 crl_issuer=None
3162 )
3163 ])
3164
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3165
Paul Kehrerf54a50b2015-06-17 18:31:26 -0600[diff] [blame]3166@pytest.mark.requires_backend_interface(interface=RSABackend)
3167@pytest.mark.requires_backend_interface(interface=X509Backend)
3168class TestOCSPNoCheckExtension(object):
3169 def test_nocheck(self, backend):
3170 cert = _load_cert(
3171 os.path.join(
3172 "x509", "custom", "ocsp_nocheck.pem"
3173 ),
3174 x509.load_pem_x509_certificate,
3175 backend
3176 )
3177 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3178 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf54a50b2015-06-17 18:31:26 -0600[diff] [blame]3179 )
3180 assert isinstance(ext.value, x509.OCSPNoCheck)
3181
3182
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3183class TestInhibitAnyPolicy(object):
3184 def test_not_int(self):
3185 with pytest.raises(TypeError):
3186 x509.InhibitAnyPolicy("notint")
3187
3188 def test_negative_int(self):
3189 with pytest.raises(ValueError):
3190 x509.InhibitAnyPolicy(-1)
3191
3192 def test_repr(self):
3193 iap = x509.InhibitAnyPolicy(0)
3194 assert repr(iap) == "<InhibitAnyPolicy(skip_certs=0)>"
3195
3196 def test_eq(self):
3197 iap = x509.InhibitAnyPolicy(1)
3198 iap2 = x509.InhibitAnyPolicy(1)
3199 assert iap == iap2
3200
3201 def test_ne(self):
3202 iap = x509.InhibitAnyPolicy(1)
3203 iap2 = x509.InhibitAnyPolicy(4)
3204 assert iap != iap2
3205 assert iap != object()
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]3206
3207
3208@pytest.mark.requires_backend_interface(interface=RSABackend)
3209@pytest.mark.requires_backend_interface(interface=X509Backend)
3210class TestInhibitAnyPolicyExtension(object):
3211 def test_nocheck(self, backend):
3212 cert = _load_cert(
3213 os.path.join(
3214 "x509", "custom", "inhibit_any_policy_5.pem"
3215 ),
3216 x509.load_pem_x509_certificate,
3217 backend
3218 )
3219 iap = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3220 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]3221 ).value
3222 assert iap.skip_certs == 5
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]3223
3224
3225@pytest.mark.requires_backend_interface(interface=RSABackend)
3226@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1b7500f2015-08-01 20:56:27 +0100[diff] [blame]3227class TestInvalidExtension(object):
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]3228 def test_invalid_certificate_policies_data(self, backend):
3229 cert = _load_cert(
3230 os.path.join(
3231 "x509", "custom", "cp_invalid.pem"
3232 ),
3233 x509.load_pem_x509_certificate,
3234 backend
3235 )
3236 with pytest.raises(ValueError):
3237 cert.extensions