Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 2eb69f6cf88d15e2c6c2383335d96f2a81fd8ffe / . / tests / test_x509_ext.py
blob: 20d44c5972ed31c0cd6f76c59644847dd5a8347d [file] [log] [blame]
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]7import binascii
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]8import datetime
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]9import ipaddress
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]10import os
11
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]12import pytest
13
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]14import six
15
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]16from cryptography import x509
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]17from cryptography.hazmat.backends.interfaces import (
18 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
19)
20from cryptography.hazmat.primitives.asymmetric import ec
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]21from cryptography.x509.oid import (
Nick Bastin326fc8e2015-12-12 19:08:12 -0800[diff] [blame]22 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID,
23 NameOID, ObjectIdentifier
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]24)
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]25
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]26from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]27from .test_x509 import _load_cert
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]28
29
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]30class TestExtension(object):
31 def test_not_an_oid(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]32 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]33 with pytest.raises(TypeError):
34 x509.Extension("notanoid", True, bc)
35
36 def test_critical_not_a_bool(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]37 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]38 with pytest.raises(TypeError):
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]39 x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, "notabool", bc)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]40
41 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]42 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]43 ext = x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, True, bc)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]44 assert repr(ext) == (
45 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConst"
46 "raints)>, critical=True, value=<BasicConstraints(ca=False, path"
47 "_length=None)>)>"
48 )
49
Paul Kehrer58e870c2015-05-17 09:15:30 -0700[diff] [blame]50 def test_eq(self):
51 ext1 = x509.Extension(
52 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
53 )
54 ext2 = x509.Extension(
55 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
56 )
57 assert ext1 == ext2
58
59 def test_ne(self):
60 ext1 = x509.Extension(
61 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
62 )
63 ext2 = x509.Extension(
64 x509.ObjectIdentifier('1.2.3.5'), False, 'value'
65 )
66 ext3 = x509.Extension(
67 x509.ObjectIdentifier('1.2.3.4'), True, 'value'
68 )
69 ext4 = x509.Extension(
70 x509.ObjectIdentifier('1.2.3.4'), False, 'value4'
71 )
72 assert ext1 != ext2
73 assert ext1 != ext3
74 assert ext1 != ext4
75 assert ext1 != object()
76
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]77
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]78class TestCertificateIssuer(object):
79 def test_iter_names(self):
80 ci = x509.CertificateIssuer([
81 x509.DNSName(u"cryptography.io"),
82 x509.DNSName(u"crypto.local"),
83 ])
84 assert len(ci) == 2
85 assert list(ci) == [
86 x509.DNSName(u"cryptography.io"),
87 x509.DNSName(u"crypto.local"),
88 ]
89
Paul Kehrer5c999d32015-12-26 17:45:20 -0600[diff] [blame]90 def test_indexing(self):
91 ci = x509.CertificateIssuer([
92 x509.DNSName(u"cryptography.io"),
93 x509.DNSName(u"crypto.local"),
94 x509.DNSName(u"another.local"),
95 x509.RFC822Name(u"email@another.local"),
96 x509.UniformResourceIdentifier(u"http://another.local"),
97 ])
98 assert ci[-1] == ci[4]
99 assert ci[2:6:2] == [ci[2], ci[4]]
100
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]101 def test_eq(self):
102 ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
103 ci2 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
104 assert ci1 == ci2
105
106 def test_ne(self):
107 ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
108 ci2 = x509.CertificateIssuer([x509.DNSName(u"somethingelse.tld")])
109 assert ci1 != ci2
110 assert ci1 != object()
111
112 def test_repr(self):
113 ci = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
114 assert repr(ci) == (
115 "<CertificateIssuer(<GeneralNames([<DNSName(value=cryptography.io"
116 ")>])>)>"
117 )
118
119 def test_get_values_for_type(self):
120 ci = x509.CertificateIssuer(
121 [x509.DNSName(u"cryptography.io")]
122 )
123 names = ci.get_values_for_type(x509.DNSName)
124 assert names == [u"cryptography.io"]
125
126
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]127class TestCRLReason(object):
128 def test_invalid_reason_flags(self):
129 with pytest.raises(TypeError):
130 x509.CRLReason("notareason")
131
132 def test_eq(self):
133 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
134 reason2 = x509.CRLReason(x509.ReasonFlags.unspecified)
135 assert reason1 == reason2
136
137 def test_ne(self):
138 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
139 reason2 = x509.CRLReason(x509.ReasonFlags.ca_compromise)
140 assert reason1 != reason2
141 assert reason1 != object()
142
143 def test_repr(self):
144 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
145 assert repr(reason1) == (
146 "<CRLReason(reason=ReasonFlags.unspecified)>"
147 )
148
149
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]150class TestInvalidityDate(object):
151 def test_invalid_invalidity_date(self):
152 with pytest.raises(TypeError):
153 x509.InvalidityDate("notadate")
154
155 def test_eq(self):
156 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
157 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
158 assert invalid1 == invalid2
159
160 def test_ne(self):
161 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
162 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 2))
163 assert invalid1 != invalid2
164 assert invalid1 != object()
165
166 def test_repr(self):
167 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
168 assert repr(invalid1) == (
169 "<InvalidityDate(invalidity_date=2015-01-01 01:01:00)>"
170 )
171
Paul Kehrer67cde762015-12-26 11:37:14 -0600[diff] [blame]172 def test_hash(self):
173 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
174 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
175 invalid3 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 2))
176 assert hash(invalid1) == hash(invalid2)
177 assert hash(invalid1) != hash(invalid3)
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]178
Paul Kehrerc0297dd2015-12-26 11:37:57 -0600[diff] [blame]179
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]180class TestNoticeReference(object):
181 def test_notice_numbers_not_all_int(self):
182 with pytest.raises(TypeError):
183 x509.NoticeReference("org", [1, 2, "three"])
184
185 def test_notice_numbers_none(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]186 with pytest.raises(TypeError):
187 x509.NoticeReference("org", None)
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]188
189 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]190 nr = x509.NoticeReference(u"org", [1, 3, 4])
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]191
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]192 if six.PY3:
193 assert repr(nr) == (
194 "<NoticeReference(organization='org', notice_numbers=[1, 3, 4"
195 "])>"
196 )
197 else:
198 assert repr(nr) == (
199 "<NoticeReference(organization=u'org', notice_numbers=[1, 3, "
200 "4])>"
201 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]202
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]203 def test_eq(self):
204 nr = x509.NoticeReference("org", [1, 2])
205 nr2 = x509.NoticeReference("org", [1, 2])
206 assert nr == nr2
207
208 def test_ne(self):
209 nr = x509.NoticeReference("org", [1, 2])
210 nr2 = x509.NoticeReference("org", [1])
211 nr3 = x509.NoticeReference(None, [1, 2])
212 assert nr != nr2
213 assert nr != nr3
214 assert nr != object()
215
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]216
217class TestUserNotice(object):
218 def test_notice_reference_invalid(self):
219 with pytest.raises(TypeError):
220 x509.UserNotice("invalid", None)
221
222 def test_notice_reference_none(self):
223 un = x509.UserNotice(None, "text")
224 assert un.notice_reference is None
225 assert un.explicit_text == "text"
226
227 def test_repr(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]228 un = x509.UserNotice(x509.NoticeReference(u"org", [1]), u"text")
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]229 if six.PY3:
230 assert repr(un) == (
231 "<UserNotice(notice_reference=<NoticeReference(organization='"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]232 "org', notice_numbers=[1])>, explicit_text='text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]233 )
234 else:
235 assert repr(un) == (
236 "<UserNotice(notice_reference=<NoticeReference(organization=u"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]237 "'org', notice_numbers=[1])>, explicit_text=u'text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]238 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]239
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]240 def test_eq(self):
241 nr = x509.NoticeReference("org", [1, 2])
242 nr2 = x509.NoticeReference("org", [1, 2])
243 un = x509.UserNotice(nr, "text")
244 un2 = x509.UserNotice(nr2, "text")
245 assert un == un2
246
247 def test_ne(self):
248 nr = x509.NoticeReference("org", [1, 2])
249 nr2 = x509.NoticeReference("org", [1])
250 un = x509.UserNotice(nr, "text")
251 un2 = x509.UserNotice(nr2, "text")
252 un3 = x509.UserNotice(nr, "text3")
253 assert un != un2
254 assert un != un3
255 assert un != object()
256
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]257
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]258class TestPolicyInformation(object):
259 def test_invalid_policy_identifier(self):
260 with pytest.raises(TypeError):
261 x509.PolicyInformation("notanoid", None)
262
263 def test_none_policy_qualifiers(self):
264 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), None)
265 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
266 assert pi.policy_qualifiers is None
267
268 def test_policy_qualifiers(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]269 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]270 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
271 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
272 assert pi.policy_qualifiers == pq
273
274 def test_invalid_policy_identifiers(self):
275 with pytest.raises(TypeError):
276 x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [1, 2])
277
278 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]279 pq = [u"string", x509.UserNotice(None, u"hi")]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]280 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]281 if six.PY3:
282 assert repr(pi) == (
283 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
284 "2.3, name=Unknown OID)>, policy_qualifiers=['string', <UserNo"
Paul Kehrer9aaef9e2015-05-11 10:49:20 -0500[diff] [blame]285 "tice(notice_reference=None, explicit_text='hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]286 )
287 else:
288 assert repr(pi) == (
289 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
290 "2.3, name=Unknown OID)>, policy_qualifiers=[u'string', <UserN"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]291 "otice(notice_reference=None, explicit_text=u'hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]292 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]293
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]294 def test_eq(self):
295 pi = x509.PolicyInformation(
296 x509.ObjectIdentifier("1.2.3"),
297 [u"string", x509.UserNotice(None, u"hi")]
298 )
299 pi2 = x509.PolicyInformation(
300 x509.ObjectIdentifier("1.2.3"),
301 [u"string", x509.UserNotice(None, u"hi")]
302 )
303 assert pi == pi2
304
305 def test_ne(self):
306 pi = x509.PolicyInformation(
307 x509.ObjectIdentifier("1.2.3"), [u"string"]
308 )
309 pi2 = x509.PolicyInformation(
310 x509.ObjectIdentifier("1.2.3"), [u"string2"]
311 )
312 pi3 = x509.PolicyInformation(
313 x509.ObjectIdentifier("1.2.3.4"), [u"string"]
314 )
315 assert pi != pi2
316 assert pi != pi3
317 assert pi != object()
318
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]319
320class TestCertificatePolicies(object):
321 def test_invalid_policies(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]322 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]323 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
324 with pytest.raises(TypeError):
325 x509.CertificatePolicies([1, pi])
326
327 def test_iter_len(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]328 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]329 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
330 cp = x509.CertificatePolicies([pi])
331 assert len(cp) == 1
332 for policyinfo in cp:
333 assert policyinfo == pi
334
335 def test_repr(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]336 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]337 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
338 cp = x509.CertificatePolicies([pi])
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]339 if six.PY3:
340 assert repr(cp) == (
341 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
342 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
343 "ers=['string'])>])>"
344 )
345 else:
346 assert repr(cp) == (
347 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
348 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
349 "ers=[u'string'])>])>"
350 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]351
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]352 def test_eq(self):
353 pi = x509.PolicyInformation(
354 x509.ObjectIdentifier("1.2.3"), [u"string"]
355 )
356 cp = x509.CertificatePolicies([pi])
357 pi2 = x509.PolicyInformation(
358 x509.ObjectIdentifier("1.2.3"), [u"string"]
359 )
360 cp2 = x509.CertificatePolicies([pi2])
361 assert cp == cp2
362
363 def test_ne(self):
364 pi = x509.PolicyInformation(
365 x509.ObjectIdentifier("1.2.3"), [u"string"]
366 )
367 cp = x509.CertificatePolicies([pi])
368 pi2 = x509.PolicyInformation(
369 x509.ObjectIdentifier("1.2.3"), [u"string2"]
370 )
371 cp2 = x509.CertificatePolicies([pi2])
372 assert cp != cp2
373 assert cp != object()
374
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]375
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]376@pytest.mark.requires_backend_interface(interface=RSABackend)
377@pytest.mark.requires_backend_interface(interface=X509Backend)
378class TestCertificatePoliciesExtension(object):
379 def test_cps_uri_policy_qualifier(self, backend):
380 cert = _load_cert(
381 os.path.join("x509", "custom", "cp_cps_uri.pem"),
382 x509.load_pem_x509_certificate,
383 backend
384 )
385
386 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]387 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]388 ).value
389
390 assert cp == x509.CertificatePolicies([
391 x509.PolicyInformation(
392 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
393 [u"http://other.com/cps"]
394 )
395 ])
396
397 def test_user_notice_with_notice_reference(self, backend):
398 cert = _load_cert(
399 os.path.join(
400 "x509", "custom", "cp_user_notice_with_notice_reference.pem"
401 ),
402 x509.load_pem_x509_certificate,
403 backend
404 )
405
406 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]407 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]408 ).value
409
410 assert cp == x509.CertificatePolicies([
411 x509.PolicyInformation(
412 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
413 [
414 u"http://example.com/cps",
415 u"http://other.com/cps",
416 x509.UserNotice(
417 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
418 u"thing"
419 )
420 ]
421 )
422 ])
423
424 def test_user_notice_with_explicit_text(self, backend):
425 cert = _load_cert(
426 os.path.join(
427 "x509", "custom", "cp_user_notice_with_explicit_text.pem"
428 ),
429 x509.load_pem_x509_certificate,
430 backend
431 )
432
433 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]434 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]435 ).value
436
437 assert cp == x509.CertificatePolicies([
438 x509.PolicyInformation(
439 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
440 [x509.UserNotice(None, u"thing")]
441 )
442 ])
443
444 def test_user_notice_no_explicit_text(self, backend):
445 cert = _load_cert(
446 os.path.join(
447 "x509", "custom", "cp_user_notice_no_explicit_text.pem"
448 ),
449 x509.load_pem_x509_certificate,
450 backend
451 )
452
453 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]454 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]455 ).value
456
457 assert cp == x509.CertificatePolicies([
458 x509.PolicyInformation(
459 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
460 [
461 x509.UserNotice(
462 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
463 None
464 )
465 ]
466 )
467 ])
468
469
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]470class TestKeyUsage(object):
471 def test_key_agreement_false_encipher_decipher_true(self):
472 with pytest.raises(ValueError):
473 x509.KeyUsage(
474 digital_signature=False,
475 content_commitment=False,
476 key_encipherment=False,
477 data_encipherment=False,
478 key_agreement=False,
479 key_cert_sign=False,
480 crl_sign=False,
481 encipher_only=True,
482 decipher_only=False
483 )
484
485 with pytest.raises(ValueError):
486 x509.KeyUsage(
487 digital_signature=False,
488 content_commitment=False,
489 key_encipherment=False,
490 data_encipherment=False,
491 key_agreement=False,
492 key_cert_sign=False,
493 crl_sign=False,
494 encipher_only=True,
495 decipher_only=True
496 )
497
498 with pytest.raises(ValueError):
499 x509.KeyUsage(
500 digital_signature=False,
501 content_commitment=False,
502 key_encipherment=False,
503 data_encipherment=False,
504 key_agreement=False,
505 key_cert_sign=False,
506 crl_sign=False,
507 encipher_only=False,
508 decipher_only=True
509 )
510
511 def test_properties_key_agreement_true(self):
512 ku = x509.KeyUsage(
513 digital_signature=True,
514 content_commitment=True,
515 key_encipherment=False,
516 data_encipherment=False,
517 key_agreement=False,
518 key_cert_sign=True,
519 crl_sign=False,
520 encipher_only=False,
521 decipher_only=False
522 )
523 assert ku.digital_signature is True
524 assert ku.content_commitment is True
525 assert ku.key_encipherment is False
526 assert ku.data_encipherment is False
527 assert ku.key_agreement is False
528 assert ku.key_cert_sign is True
529 assert ku.crl_sign is False
530
531 def test_key_agreement_true_properties(self):
532 ku = x509.KeyUsage(
533 digital_signature=False,
534 content_commitment=False,
535 key_encipherment=False,
536 data_encipherment=False,
537 key_agreement=True,
538 key_cert_sign=False,
539 crl_sign=False,
540 encipher_only=False,
541 decipher_only=True
542 )
543 assert ku.key_agreement is True
544 assert ku.encipher_only is False
545 assert ku.decipher_only is True
546
547 def test_key_agreement_false_properties(self):
548 ku = x509.KeyUsage(
549 digital_signature=False,
550 content_commitment=False,
551 key_encipherment=False,
552 data_encipherment=False,
553 key_agreement=False,
554 key_cert_sign=False,
555 crl_sign=False,
556 encipher_only=False,
557 decipher_only=False
558 )
559 assert ku.key_agreement is False
560 with pytest.raises(ValueError):
561 ku.encipher_only
562
563 with pytest.raises(ValueError):
564 ku.decipher_only
565
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]566 def test_repr_key_agreement_false(self):
567 ku = x509.KeyUsage(
568 digital_signature=True,
569 content_commitment=True,
570 key_encipherment=False,
571 data_encipherment=False,
572 key_agreement=False,
573 key_cert_sign=True,
574 crl_sign=False,
575 encipher_only=False,
576 decipher_only=False
577 )
578 assert repr(ku) == (
579 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
580 "cipherment=False, data_encipherment=False, key_agreement=False, k"
Paul Kehrerb372e672015-04-15 11:05:24 -0400[diff] [blame]581 "ey_cert_sign=True, crl_sign=False, encipher_only=None, decipher_o"
582 "nly=None)>"
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]583 )
584
585 def test_repr_key_agreement_true(self):
586 ku = x509.KeyUsage(
587 digital_signature=True,
588 content_commitment=True,
589 key_encipherment=False,
590 data_encipherment=False,
591 key_agreement=True,
592 key_cert_sign=True,
593 crl_sign=False,
594 encipher_only=False,
595 decipher_only=False
596 )
597 assert repr(ku) == (
598 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
599 "cipherment=False, data_encipherment=False, key_agreement=True, k"
600 "ey_cert_sign=True, crl_sign=False, encipher_only=False, decipher_"
601 "only=False)>"
602 )
603
Paul Kehrer8565f5e2015-05-13 09:57:09 -0500[diff] [blame]604 def test_eq(self):
605 ku = x509.KeyUsage(
606 digital_signature=False,
607 content_commitment=False,
608 key_encipherment=False,
609 data_encipherment=False,
610 key_agreement=True,
611 key_cert_sign=False,
612 crl_sign=False,
613 encipher_only=False,
614 decipher_only=True
615 )
616 ku2 = x509.KeyUsage(
617 digital_signature=False,
618 content_commitment=False,
619 key_encipherment=False,
620 data_encipherment=False,
621 key_agreement=True,
622 key_cert_sign=False,
623 crl_sign=False,
624 encipher_only=False,
625 decipher_only=True
626 )
627 assert ku == ku2
628
629 def test_ne(self):
630 ku = x509.KeyUsage(
631 digital_signature=False,
632 content_commitment=False,
633 key_encipherment=False,
634 data_encipherment=False,
635 key_agreement=True,
636 key_cert_sign=False,
637 crl_sign=False,
638 encipher_only=False,
639 decipher_only=True
640 )
641 ku2 = x509.KeyUsage(
642 digital_signature=False,
643 content_commitment=False,
644 key_encipherment=False,
645 data_encipherment=False,
646 key_agreement=False,
647 key_cert_sign=False,
648 crl_sign=False,
649 encipher_only=False,
650 decipher_only=False
651 )
652 assert ku != ku2
653 assert ku != object()
654
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]655
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]656class TestSubjectKeyIdentifier(object):
657 def test_properties(self):
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]658 value = binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]659 ski = x509.SubjectKeyIdentifier(value)
660 assert ski.digest == value
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]661
662 def test_repr(self):
663 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]664 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]665 )
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]666 ext = x509.Extension(ExtensionOID.SUBJECT_KEY_IDENTIFIER, False, ski)
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]667 if six.PY3:
668 assert repr(ext) == (
669 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
670 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
671 "igest=b\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
672 "\\xf7\\xff:\\xc9\')>)>"
673 )
674 else:
675 assert repr(ext) == (
676 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
677 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
678 "igest=\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
679 "\\xf7\\xff:\\xc9\')>)>"
680 )
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]681
682 def test_eq(self):
683 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]684 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]685 )
686 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]687 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]688 )
689 assert ski == ski2
690
691 def test_ne(self):
692 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]693 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]694 )
695 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]696 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]697 )
698 assert ski != ski2
699 assert ski != object()
700
Alex Gaynor410fe352015-12-26 15:01:25 -0500[diff] [blame]701 def test_hash(self):
702 ski1 = x509.SubjectKeyIdentifier(
703 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
704 )
705 ski2 = x509.SubjectKeyIdentifier(
706 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
707 )
708 ski3 = x509.SubjectKeyIdentifier(
709 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
710 )
711
712 assert hash(ski1) == hash(ski2)
713 assert hash(ski1) != hash(ski3)
714
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]715
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]716class TestAuthorityKeyIdentifier(object):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]717 def test_authority_cert_issuer_not_generalname(self):
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]718 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]719 x509.AuthorityKeyIdentifier(b"identifier", ["notname"], 3)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]720
721 def test_authority_cert_serial_number_not_integer(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]722 dirname = x509.DirectoryName(
723 x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]724 x509.NameAttribute(
725 x509.ObjectIdentifier('2.999.1'),
726 u'value1'
727 ),
728 x509.NameAttribute(
729 x509.ObjectIdentifier('2.999.2'),
730 u'value2'
731 ),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]732 ])
733 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]734 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]735 x509.AuthorityKeyIdentifier(b"identifier", [dirname], "notanint")
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]736
737 def test_authority_issuer_none_serial_not_none(self):
738 with pytest.raises(ValueError):
739 x509.AuthorityKeyIdentifier(b"identifier", None, 3)
740
741 def test_authority_issuer_not_none_serial_none(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]742 dirname = x509.DirectoryName(
743 x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]744 x509.NameAttribute(
745 x509.ObjectIdentifier('2.999.1'),
746 u'value1'
747 ),
748 x509.NameAttribute(
749 x509.ObjectIdentifier('2.999.2'),
750 u'value2'
751 ),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]752 ])
753 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]754 with pytest.raises(ValueError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]755 x509.AuthorityKeyIdentifier(b"identifier", [dirname], None)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]756
757 def test_authority_cert_serial_and_issuer_none(self):
758 aki = x509.AuthorityKeyIdentifier(b"id", None, None)
759 assert aki.key_identifier == b"id"
760 assert aki.authority_cert_issuer is None
761 assert aki.authority_cert_serial_number is None
762
763 def test_repr(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]764 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]765 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]766 )
767 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]768
769 if six.PY3:
770 assert repr(aki) == (
771 "<AuthorityKeyIdentifier(key_identifier=b'digest', authority_"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]772 "cert_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid="
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]773 "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value='myC"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]774 "N')>])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]775 )
776 else:
777 assert repr(aki) == (
778 "<AuthorityKeyIdentifier(key_identifier='digest', authority_ce"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]779 "rt_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid=<Ob"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]780 "jectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'myCN')"
781 ">])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]782 )
783
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]784 def test_eq(self):
785 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]786 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]787 )
788 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
789 dirname2 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]790 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]791 )
792 aki2 = x509.AuthorityKeyIdentifier(b"digest", [dirname2], 1234)
793 assert aki == aki2
794
795 def test_ne(self):
796 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]797 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]798 )
799 dirname5 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]800 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'aCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]801 )
802 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
803 aki2 = x509.AuthorityKeyIdentifier(b"diges", [dirname], 1234)
804 aki3 = x509.AuthorityKeyIdentifier(b"digest", None, None)
805 aki4 = x509.AuthorityKeyIdentifier(b"digest", [dirname], 12345)
806 aki5 = x509.AuthorityKeyIdentifier(b"digest", [dirname5], 12345)
807 assert aki != aki2
808 assert aki != aki3
809 assert aki != aki4
810 assert aki != aki5
811 assert aki != object()
812
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]813
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]814class TestBasicConstraints(object):
815 def test_ca_not_boolean(self):
816 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]817 x509.BasicConstraints(ca="notbool", path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]818
819 def test_path_length_not_ca(self):
820 with pytest.raises(ValueError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]821 x509.BasicConstraints(ca=False, path_length=0)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]822
823 def test_path_length_not_int(self):
824 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]825 x509.BasicConstraints(ca=True, path_length=1.1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]826
827 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]828 x509.BasicConstraints(ca=True, path_length="notint")
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]829
830 def test_path_length_negative(self):
831 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]832 x509.BasicConstraints(ca=True, path_length=-1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]833
834 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]835 na = x509.BasicConstraints(ca=True, path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]836 assert repr(na) == (
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]837 "<BasicConstraints(ca=True, path_length=None)>"
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]838 )
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]839
Paul Kehrer2eb69f62015-12-27 11:46:11 -0600[diff] [blame^]840 def test_hash(self):
841 na = x509.BasicConstraints(ca=True, path_length=None)
842 na2 = x509.BasicConstraints(ca=True, path_length=None)
843 assert hash(na) == hash(na2)
844
Paul Kehrer3a69b132015-05-13 10:03:46 -0500[diff] [blame]845 def test_eq(self):
846 na = x509.BasicConstraints(ca=True, path_length=None)
847 na2 = x509.BasicConstraints(ca=True, path_length=None)
848 assert na == na2
849
850 def test_ne(self):
851 na = x509.BasicConstraints(ca=True, path_length=None)
852 na2 = x509.BasicConstraints(ca=True, path_length=1)
853 na3 = x509.BasicConstraints(ca=False, path_length=None)
854 assert na != na2
855 assert na != na3
856 assert na != object()
857
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]858
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]859class TestExtendedKeyUsage(object):
860 def test_not_all_oids(self):
861 with pytest.raises(TypeError):
862 x509.ExtendedKeyUsage(["notoid"])
863
864 def test_iter_len(self):
865 eku = x509.ExtendedKeyUsage([
866 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
867 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
868 ])
869 assert len(eku) == 2
870 assert list(eku) == [
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]871 ExtendedKeyUsageOID.SERVER_AUTH,
872 ExtendedKeyUsageOID.CLIENT_AUTH
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]873 ]
874
Paul Kehrer23d10c32015-04-02 23:12:32 -0500[diff] [blame]875 def test_repr(self):
876 eku = x509.ExtendedKeyUsage([
877 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
878 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
879 ])
880 assert repr(eku) == (
881 "<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name="
882 "serverAuth)>, <ObjectIdentifier(oid=1.3.6.1.5.5.7.3.2, name=clien"
883 "tAuth)>])>"
884 )
885
Paul Kehrerb0476172015-05-02 19:34:51 -0500[diff] [blame]886 def test_eq(self):
887 eku = x509.ExtendedKeyUsage([
888 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
889 ])
890 eku2 = x509.ExtendedKeyUsage([
891 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
892 ])
893 assert eku == eku2
894
895 def test_ne(self):
896 eku = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6")])
897 eku2 = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6.1")])
898 assert eku != eku2
899 assert eku != object()
900
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]901
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]902@pytest.mark.requires_backend_interface(interface=RSABackend)
903@pytest.mark.requires_backend_interface(interface=X509Backend)
904class TestExtensions(object):
905 def test_no_extensions(self, backend):
906 cert = _load_cert(
907 os.path.join("x509", "verisign_md2_root.pem"),
908 x509.load_pem_x509_certificate,
909 backend
910 )
911 ext = cert.extensions
912 assert len(ext) == 0
913 assert list(ext) == []
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]914 with pytest.raises(x509.ExtensionNotFound) as exc:
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]915 ext.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]916
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]917 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]918
919 def test_one_extension(self, backend):
920 cert = _load_cert(
921 os.path.join(
922 "x509", "custom", "basic_constraints_not_critical.pem"
923 ),
924 x509.load_pem_x509_certificate,
925 backend
926 )
927 extensions = cert.extensions
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]928 ext = extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]929 assert ext is not None
930 assert ext.value.ca is False
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]931
932 def test_duplicate_extension(self, backend):
933 cert = _load_cert(
934 os.path.join(
935 "x509", "custom", "two_basic_constraints.pem"
936 ),
937 x509.load_pem_x509_certificate,
938 backend
939 )
940 with pytest.raises(x509.DuplicateExtension) as exc:
941 cert.extensions
942
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]943 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]944
945 def test_unsupported_critical_extension(self, backend):
946 cert = _load_cert(
947 os.path.join(
948 "x509", "custom", "unsupported_extension_critical.pem"
949 ),
950 x509.load_pem_x509_certificate,
951 backend
952 )
953 with pytest.raises(x509.UnsupportedExtension) as exc:
954 cert.extensions
955
956 assert exc.value.oid == x509.ObjectIdentifier("1.2.3.4")
957
958 def test_unsupported_extension(self, backend):
959 # TODO: this will raise an exception when all extensions are complete
960 cert = _load_cert(
961 os.path.join(
962 "x509", "custom", "unsupported_extension.pem"
963 ),
964 x509.load_pem_x509_certificate,
965 backend
966 )
967 extensions = cert.extensions
968 assert len(extensions) == 0
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]969
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]970 def test_no_extensions_get_for_class(self, backend):
971 cert = _load_cert(
972 os.path.join(
Phoebe Queencb5ec4e2015-08-12 15:06:26 +0100[diff] [blame]973 "x509", "cryptography.io.pem"
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]974 ),
975 x509.load_pem_x509_certificate,
976 backend
977 )
Phoebe Queenc93752b2015-08-12 10:54:46 +0100[diff] [blame]978 exts = cert.extensions
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]979 with pytest.raises(x509.ExtensionNotFound) as exc:
Phoebe Queencb5ec4e2015-08-12 15:06:26 +0100[diff] [blame]980 exts.get_extension_for_class(x509.IssuerAlternativeName)
981 assert exc.value.oid == ExtensionOID.ISSUER_ALTERNATIVE_NAME
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]982
Paul Kehrer5b90c972015-12-26 00:52:58 -0600[diff] [blame]983 def test_indexing(self, backend):
984 cert = _load_cert(
985 os.path.join("x509", "cryptography.io.pem"),
986 x509.load_pem_x509_certificate,
987 backend
988 )
989 exts = cert.extensions
990 assert exts[-1] == exts[7]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame]991 assert exts[2:6:2] == [exts[2], exts[4]]
Paul Kehrer5b90c972015-12-26 00:52:58 -0600[diff] [blame]992
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]993 def test_one_extension_get_for_class(self, backend):
994 cert = _load_cert(
Phoebe Queen2cc111a2015-08-12 04:14:22 +0100[diff] [blame]995 os.path.join(
996 "x509", "custom", "basic_constraints_not_critical.pem"
997 ),
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]998 x509.load_pem_x509_certificate,
999 backend
1000 )
1001 ext = cert.extensions.get_extension_for_class(x509.BasicConstraints)
1002 assert ext is not None
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]1003 assert isinstance(ext.value, x509.BasicConstraints)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1004
Paul Kehrerafbe75b2015-10-20 08:08:43 -0500[diff] [blame]1005 def test_repr(self, backend):
1006 cert = _load_cert(
1007 os.path.join(
1008 "x509", "custom", "basic_constraints_not_critical.pem"
1009 ),
1010 x509.load_pem_x509_certificate,
1011 backend
1012 )
1013 assert repr(cert.extensions) == (
1014 "<Extensions([<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name"
1015 "=basicConstraints)>, critical=False, value=<BasicConstraints(ca=F"
1016 "alse, path_length=None)>)>])>"
1017 )
1018
Phoebe Queen2cc111a2015-08-12 04:14:22 +0100[diff] [blame]1019
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1020@pytest.mark.requires_backend_interface(interface=RSABackend)
1021@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerde813ea2015-03-28 12:44:34 -0500[diff] [blame]1022class TestBasicConstraintsExtension(object):
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1023 def test_ca_true_pathlen_6(self, backend):
1024 cert = _load_cert(
1025 os.path.join(
1026 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
1027 ),
1028 x509.load_der_x509_certificate,
1029 backend
1030 )
Phoebe Queen062dec72015-08-12 11:42:23 +0100[diff] [blame]1031 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1032 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1033 )
1034 assert ext is not None
1035 assert ext.critical is True
1036 assert ext.value.ca is True
1037 assert ext.value.path_length == 6
1038
1039 def test_path_length_zero(self, backend):
1040 cert = _load_cert(
1041 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
1042 x509.load_pem_x509_certificate,
1043 backend
1044 )
1045 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1046 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1047 )
1048 assert ext is not None
1049 assert ext.critical is True
1050 assert ext.value.ca is True
1051 assert ext.value.path_length == 0
1052
1053 def test_ca_true_no_pathlen(self, backend):
1054 cert = _load_cert(
1055 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1056 x509.load_der_x509_certificate,
1057 backend
1058 )
1059 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1060 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1061 )
1062 assert ext is not None
1063 assert ext.critical is True
1064 assert ext.value.ca is True
1065 assert ext.value.path_length is None
1066
1067 def test_ca_false(self, backend):
1068 cert = _load_cert(
1069 os.path.join("x509", "cryptography.io.pem"),
1070 x509.load_pem_x509_certificate,
1071 backend
1072 )
1073 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1074 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1075 )
1076 assert ext is not None
1077 assert ext.critical is True
1078 assert ext.value.ca is False
1079 assert ext.value.path_length is None
1080
1081 def test_no_basic_constraints(self, backend):
1082 cert = _load_cert(
1083 os.path.join(
1084 "x509",
1085 "PKITS_data",
1086 "certs",
1087 "ValidCertificatePathTest1EE.crt"
1088 ),
1089 x509.load_der_x509_certificate,
1090 backend
1091 )
1092 with pytest.raises(x509.ExtensionNotFound):
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1093 cert.extensions.get_extension_for_oid(
1094 ExtensionOID.BASIC_CONSTRAINTS
1095 )
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1096
1097 def test_basic_constraint_not_critical(self, backend):
1098 cert = _load_cert(
1099 os.path.join(
1100 "x509", "custom", "basic_constraints_not_critical.pem"
1101 ),
1102 x509.load_pem_x509_certificate,
1103 backend
1104 )
1105 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1106 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1107 )
1108 assert ext is not None
1109 assert ext.critical is False
1110 assert ext.value.ca is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1111
1112
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1113class TestSubjectKeyIdentifierExtension(object):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1114 @pytest.mark.requires_backend_interface(interface=RSABackend)
1115 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1116 def test_subject_key_identifier(self, backend):
1117 cert = _load_cert(
1118 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1119 x509.load_der_x509_certificate,
1120 backend
1121 )
1122 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1123 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1124 )
1125 ski = ext.value
1126 assert ext is not None
1127 assert ext.critical is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1128 assert ski.digest == binascii.unhexlify(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]1129 b"580184241bbc2b52944a3da510721451f5af3ac9"
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1130 )
1131
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1132 @pytest.mark.requires_backend_interface(interface=RSABackend)
1133 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1134 def test_no_subject_key_identifier(self, backend):
1135 cert = _load_cert(
1136 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
1137 x509.load_pem_x509_certificate,
1138 backend
1139 )
1140 with pytest.raises(x509.ExtensionNotFound):
1141 cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1142 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1143 )
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1144
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1145 @pytest.mark.requires_backend_interface(interface=RSABackend)
1146 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1147 def test_from_rsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1148 cert = _load_cert(
1149 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1150 x509.load_der_x509_certificate,
1151 backend
1152 )
1153 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1154 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1155 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1156 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1157 cert.public_key()
1158 )
1159 assert ext.value == ski
1160
1161 @pytest.mark.requires_backend_interface(interface=DSABackend)
1162 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1163 def test_from_dsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1164 cert = _load_cert(
1165 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
1166 x509.load_pem_x509_certificate,
1167 backend
1168 )
1169
1170 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1171 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1172 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1173 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1174 cert.public_key()
1175 )
1176 assert ext.value == ski
1177
1178 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1179 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1180 def test_from_ec_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1181 _skip_curve_unsupported(backend, ec.SECP384R1())
1182 cert = _load_cert(
1183 os.path.join("x509", "ecdsa_root.pem"),
1184 x509.load_pem_x509_certificate,
1185 backend
1186 )
1187
1188 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1189 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1190 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1191 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1192 cert.public_key()
1193 )
1194 assert ext.value == ski
1195
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1196
1197@pytest.mark.requires_backend_interface(interface=RSABackend)
1198@pytest.mark.requires_backend_interface(interface=X509Backend)
1199class TestKeyUsageExtension(object):
1200 def test_no_key_usage(self, backend):
1201 cert = _load_cert(
1202 os.path.join("x509", "verisign_md2_root.pem"),
1203 x509.load_pem_x509_certificate,
1204 backend
1205 )
1206 ext = cert.extensions
1207 with pytest.raises(x509.ExtensionNotFound) as exc:
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1208 ext.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1209
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1210 assert exc.value.oid == ExtensionOID.KEY_USAGE
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1211
1212 def test_all_purposes(self, backend):
1213 cert = _load_cert(
1214 os.path.join(
1215 "x509", "custom", "all_key_usages.pem"
1216 ),
1217 x509.load_pem_x509_certificate,
1218 backend
1219 )
1220 extensions = cert.extensions
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1221 ext = extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1222 assert ext is not None
1223
1224 ku = ext.value
1225 assert ku.digital_signature is True
1226 assert ku.content_commitment is True
1227 assert ku.key_encipherment is True
1228 assert ku.data_encipherment is True
1229 assert ku.key_agreement is True
1230 assert ku.key_cert_sign is True
1231 assert ku.crl_sign is True
1232 assert ku.encipher_only is True
1233 assert ku.decipher_only is True
1234
1235 def test_key_cert_sign_crl_sign(self, backend):
1236 cert = _load_cert(
1237 os.path.join(
1238 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
1239 ),
1240 x509.load_der_x509_certificate,
1241 backend
1242 )
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1243 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1244 assert ext is not None
1245 assert ext.critical is True
1246
1247 ku = ext.value
1248 assert ku.digital_signature is False
1249 assert ku.content_commitment is False
1250 assert ku.key_encipherment is False
1251 assert ku.data_encipherment is False
1252 assert ku.key_agreement is False
1253 assert ku.key_cert_sign is True
1254 assert ku.crl_sign is True
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1255
1256
1257@pytest.mark.parametrize(
1258 "name", [
1259 x509.RFC822Name,
1260 x509.DNSName,
1261 x509.UniformResourceIdentifier
1262 ]
1263)
1264class TestTextGeneralNames(object):
1265 def test_not_text(self, name):
1266 with pytest.raises(TypeError):
1267 name(b"notaunicodestring")
1268
1269 with pytest.raises(TypeError):
1270 name(1.3)
1271
1272 def test_repr(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1273 gn = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1274 assert repr(gn) == "<{0}(value=string)>".format(name.__name__)
1275
1276 def test_eq(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1277 gn = name(u"string")
1278 gn2 = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1279 assert gn == gn2
1280
1281 def test_ne(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1282 gn = name(u"string")
1283 gn2 = name(u"string2")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1284 assert gn != gn2
1285 assert gn != object()
1286
1287
1288class TestDirectoryName(object):
1289 def test_not_name(self):
1290 with pytest.raises(TypeError):
1291 x509.DirectoryName(b"notaname")
1292
1293 with pytest.raises(TypeError):
1294 x509.DirectoryName(1.3)
1295
1296 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1297 name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'value1')])
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1298 gn = x509.DirectoryName(x509.Name([name]))
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]1299 if six.PY3:
1300 assert repr(gn) == (
1301 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1302 "Identifier(oid=2.5.4.3, name=commonName)>, value='value1')>])"
1303 ">])>)>"
1304 )
1305 else:
1306 assert repr(gn) == (
1307 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1308 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'value1')>]"
1309 ")>])>)>"
1310 )
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1311
1312 def test_eq(self):
1313 name = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1314 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1315 ])
1316 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1317 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1318 ])
1319 gn = x509.DirectoryName(x509.Name([name]))
1320 gn2 = x509.DirectoryName(x509.Name([name2]))
1321 assert gn == gn2
1322
1323 def test_ne(self):
1324 name = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1325 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1326 ])
1327 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1328 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1329 ])
1330 gn = x509.DirectoryName(x509.Name([name]))
1331 gn2 = x509.DirectoryName(x509.Name([name2]))
1332 assert gn != gn2
1333 assert gn != object()
1334
1335
Paul Kehrer01d5d0b2015-07-12 09:41:21 -0500[diff] [blame]1336class TestRFC822Name(object):
1337 def test_invalid_email(self):
1338 with pytest.raises(ValueError):
1339 x509.RFC822Name(u"Name <email>")
1340
1341 with pytest.raises(ValueError):
1342 x509.RFC822Name(u"")
1343
1344 def test_single_label(self):
1345 gn = x509.RFC822Name(u"administrator")
1346 assert gn.value == u"administrator"
1347
1348 def test_idna(self):
1349 gn = x509.RFC822Name(u"email@em\xe5\xefl.com")
1350 assert gn.value == u"email@em\xe5\xefl.com"
1351 assert gn._encoded == b"email@xn--eml-vla4c.com"
1352
1353
Paul Kehrere28d6c42015-07-12 14:59:37 -0500[diff] [blame]1354class TestUniformResourceIdentifier(object):
1355 def test_no_parsed_hostname(self):
1356 gn = x509.UniformResourceIdentifier(u"singlelabel")
1357 assert gn.value == u"singlelabel"
1358
1359 def test_with_port(self):
1360 gn = x509.UniformResourceIdentifier(u"singlelabel:443/test")
1361 assert gn.value == u"singlelabel:443/test"
1362
1363 def test_idna_no_port(self):
1364 gn = x509.UniformResourceIdentifier(
1365 u"http://\u043f\u044b\u043a\u0430.cryptography"
1366 )
1367 assert gn.value == u"http://\u043f\u044b\u043a\u0430.cryptography"
1368 assert gn._encoded == b"http://xn--80ato2c.cryptography"
1369
1370 def test_idna_with_port(self):
1371 gn = x509.UniformResourceIdentifier(
1372 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1373 )
1374 assert gn.value == (
1375 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1376 )
1377 assert gn._encoded == b"gopher://xn--80ato2c.cryptography:70/some/path"
1378
1379 def test_query_and_fragment(self):
1380 gn = x509.UniformResourceIdentifier(
1381 u"ldap://cryptography:90/path?query=true#somedata"
1382 )
1383 assert gn.value == u"ldap://cryptography:90/path?query=true#somedata"
1384
1385
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1386class TestRegisteredID(object):
1387 def test_not_oid(self):
1388 with pytest.raises(TypeError):
1389 x509.RegisteredID(b"notanoid")
1390
1391 with pytest.raises(TypeError):
1392 x509.RegisteredID(1.3)
1393
1394 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1395 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1396 assert repr(gn) == (
1397 "<RegisteredID(value=<ObjectIdentifier(oid=2.5.4.3, name=commonNam"
1398 "e)>)>"
1399 )
1400
1401 def test_eq(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1402 gn = x509.RegisteredID(NameOID.COMMON_NAME)
1403 gn2 = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1404 assert gn == gn2
1405
1406 def test_ne(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1407 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1408 gn2 = x509.RegisteredID(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1409 assert gn != gn2
1410 assert gn != object()
1411
1412
1413class TestIPAddress(object):
1414 def test_not_ipaddress(self):
1415 with pytest.raises(TypeError):
1416 x509.IPAddress(b"notanipaddress")
1417
1418 with pytest.raises(TypeError):
1419 x509.IPAddress(1.3)
1420
1421 def test_repr(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1422 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1423 assert repr(gn) == "<IPAddress(value=127.0.0.1)>"
1424
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1425 gn2 = x509.IPAddress(ipaddress.IPv6Address(u"ff::"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1426 assert repr(gn2) == "<IPAddress(value=ff::)>"
1427
Paul Kehrereb177932015-05-17 18:33:33 -0700[diff] [blame]1428 gn3 = x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24"))
1429 assert repr(gn3) == "<IPAddress(value=192.168.0.0/24)>"
1430
1431 gn4 = x509.IPAddress(ipaddress.IPv6Network(u"ff::/96"))
1432 assert repr(gn4) == "<IPAddress(value=ff::/96)>"
1433
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1434 def test_eq(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1435 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1436 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1437 assert gn == gn2
1438
1439 def test_ne(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1440 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1441 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.2"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1442 assert gn != gn2
1443 assert gn != object()
1444
1445
Joshua Tauberer18b6fc82015-07-05 21:44:51 +0000[diff] [blame]1446class TestOtherName(object):
1447 def test_invalid_args(self):
1448 with pytest.raises(TypeError):
1449 x509.OtherName(b"notanobjectidentifier", b"derdata")
1450
1451 with pytest.raises(TypeError):
1452 x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), u"notderdata")
1453
1454 def test_repr(self):
1455 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1456 if six.PY3:
1457 assert repr(gn) == (
1458 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1459 "name=Unknown OID)>, value=b'derdata')>"
1460 )
1461 else:
1462 assert repr(gn) == (
1463 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1464 "name=Unknown OID)>, value='derdata')>"
1465 )
1466
1467 gn = x509.OtherName(x509.ObjectIdentifier("2.5.4.65"), b"derdata")
1468 if six.PY3:
1469 assert repr(gn) == (
1470 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1471 "name=pseudonym)>, value=b'derdata')>"
1472 )
1473 else:
1474 assert repr(gn) == (
1475 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1476 "name=pseudonym)>, value='derdata')>"
1477 )
1478
1479 def test_eq(self):
1480 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1481 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1482 assert gn == gn2
1483
1484 def test_ne(self):
1485 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1486 assert gn != object()
1487
1488 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata2")
1489 assert gn != gn2
1490
1491 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.5"), b"derdata")
1492 assert gn != gn2
1493
1494
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1495class TestGeneralNames(object):
1496 def test_get_values_for_type(self):
1497 gns = x509.GeneralNames(
1498 [x509.DNSName(u"cryptography.io")]
1499 )
1500 names = gns.get_values_for_type(x509.DNSName)
1501 assert names == [u"cryptography.io"]
1502
1503 def test_iter_names(self):
1504 gns = x509.GeneralNames([
1505 x509.DNSName(u"cryptography.io"),
1506 x509.DNSName(u"crypto.local"),
1507 ])
1508 assert len(gns) == 2
1509 assert list(gns) == [
1510 x509.DNSName(u"cryptography.io"),
1511 x509.DNSName(u"crypto.local"),
1512 ]
1513
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1514 def test_indexing(self):
1515 gn = x509.GeneralNames([
1516 x509.DNSName(u"cryptography.io"),
1517 x509.DNSName(u"crypto.local"),
1518 x509.DNSName(u"another.local"),
1519 x509.RFC822Name(u"email@another.local"),
1520 x509.UniformResourceIdentifier(u"http://another.local"),
1521 ])
1522 assert gn[-1] == gn[4]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame]1523 assert gn[2:6:2] == [gn[2], gn[4]]
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1524
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1525 def test_invalid_general_names(self):
1526 with pytest.raises(TypeError):
1527 x509.GeneralNames(
1528 [x509.DNSName(u"cryptography.io"), "invalid"]
1529 )
1530
1531 def test_repr(self):
1532 gns = x509.GeneralNames(
1533 [
1534 x509.DNSName(u"cryptography.io")
1535 ]
1536 )
1537 assert repr(gns) == (
1538 "<GeneralNames([<DNSName(value=cryptography.io)>])>"
1539 )
1540
1541 def test_eq(self):
1542 gns = x509.GeneralNames(
1543 [x509.DNSName(u"cryptography.io")]
1544 )
1545 gns2 = x509.GeneralNames(
1546 [x509.DNSName(u"cryptography.io")]
1547 )
1548 assert gns == gns2
1549
1550 def test_ne(self):
1551 gns = x509.GeneralNames(
1552 [x509.DNSName(u"cryptography.io")]
1553 )
1554 gns2 = x509.GeneralNames(
1555 [x509.RFC822Name(u"admin@cryptography.io")]
1556 )
1557 assert gns != gns2
1558 assert gns != object()
1559
1560
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1561class TestIssuerAlternativeName(object):
1562 def test_get_values_for_type(self):
1563 san = x509.IssuerAlternativeName(
1564 [x509.DNSName(u"cryptography.io")]
1565 )
1566 names = san.get_values_for_type(x509.DNSName)
1567 assert names == [u"cryptography.io"]
1568
1569 def test_iter_names(self):
1570 san = x509.IssuerAlternativeName([
1571 x509.DNSName(u"cryptography.io"),
1572 x509.DNSName(u"crypto.local"),
1573 ])
1574 assert len(san) == 2
1575 assert list(san) == [
1576 x509.DNSName(u"cryptography.io"),
1577 x509.DNSName(u"crypto.local"),
1578 ]
1579
Paul Kehrer5c999d32015-12-26 17:45:20 -0600[diff] [blame]1580 def test_indexing(self):
1581 ian = x509.IssuerAlternativeName([
1582 x509.DNSName(u"cryptography.io"),
1583 x509.DNSName(u"crypto.local"),
1584 x509.DNSName(u"another.local"),
1585 x509.RFC822Name(u"email@another.local"),
1586 x509.UniformResourceIdentifier(u"http://another.local"),
1587 ])
1588 assert ian[-1] == ian[4]
1589 assert ian[2:6:2] == [ian[2], ian[4]]
1590
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1591 def test_invalid_general_names(self):
1592 with pytest.raises(TypeError):
1593 x509.IssuerAlternativeName(
1594 [x509.DNSName(u"cryptography.io"), "invalid"]
1595 )
1596
1597 def test_repr(self):
1598 san = x509.IssuerAlternativeName(
1599 [
1600 x509.DNSName(u"cryptography.io")
1601 ]
1602 )
1603 assert repr(san) == (
1604 "<IssuerAlternativeName("
1605 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
1606 )
1607
1608 def test_eq(self):
1609 san = x509.IssuerAlternativeName(
1610 [x509.DNSName(u"cryptography.io")]
1611 )
1612 san2 = x509.IssuerAlternativeName(
1613 [x509.DNSName(u"cryptography.io")]
1614 )
1615 assert san == san2
1616
1617 def test_ne(self):
1618 san = x509.IssuerAlternativeName(
1619 [x509.DNSName(u"cryptography.io")]
1620 )
1621 san2 = x509.IssuerAlternativeName(
1622 [x509.RFC822Name(u"admin@cryptography.io")]
1623 )
1624 assert san != san2
1625 assert san != object()
1626
1627
Alex Gaynorf1c17672015-06-20 14:20:20 -0400[diff] [blame]1628@pytest.mark.requires_backend_interface(interface=RSABackend)
1629@pytest.mark.requires_backend_interface(interface=X509Backend)
1630class TestRSAIssuerAlternativeNameExtension(object):
1631 def test_uri(self, backend):
1632 cert = _load_cert(
1633 os.path.join("x509", "custom", "ian_uri.pem"),
1634 x509.load_pem_x509_certificate,
1635 backend,
1636 )
1637 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1638 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Alex Gaynorf1c17672015-06-20 14:20:20 -0400[diff] [blame]1639 )
1640 assert list(ext.value) == [
1641 x509.UniformResourceIdentifier(u"http://path.to.root/root.crt"),
1642 ]
1643
1644
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]1645class TestCRLNumber(object):
1646 def test_eq(self):
1647 crl_number = x509.CRLNumber(15)
1648 assert crl_number == x509.CRLNumber(15)
1649
1650 def test_ne(self):
1651 crl_number = x509.CRLNumber(15)
1652 assert crl_number != x509.CRLNumber(14)
1653 assert crl_number != object()
1654
1655 def test_repr(self):
1656 crl_number = x509.CRLNumber(15)
1657 assert repr(crl_number) == "<CRLNumber(15)>"
1658
Paul Kehrera9718fc2015-12-22 22:55:35 -0600[diff] [blame]1659 def test_invalid_number(self):
1660 with pytest.raises(TypeError):
1661 x509.CRLNumber("notanumber")
1662
Alex Gaynorf9a77b62015-12-26 12:14:25 -0500[diff] [blame]1663 def test_hash(self):
1664 c1 = x509.CRLNumber(1)
1665 c2 = x509.CRLNumber(1)
1666 c3 = x509.CRLNumber(2)
1667 assert hash(c1) == hash(c2)
1668 assert hash(c1) != hash(c3)
1669
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]1670
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1671class TestSubjectAlternativeName(object):
1672 def test_get_values_for_type(self):
1673 san = x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1674 [x509.DNSName(u"cryptography.io")]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1675 )
1676 names = san.get_values_for_type(x509.DNSName)
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1677 assert names == [u"cryptography.io"]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1678
1679 def test_iter_names(self):
1680 san = x509.SubjectAlternativeName([
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1681 x509.DNSName(u"cryptography.io"),
1682 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1683 ])
1684 assert len(san) == 2
1685 assert list(san) == [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1686 x509.DNSName(u"cryptography.io"),
1687 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1688 ]
1689
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1690 def test_indexing(self):
1691 san = x509.SubjectAlternativeName([
1692 x509.DNSName(u"cryptography.io"),
1693 x509.DNSName(u"crypto.local"),
1694 x509.DNSName(u"another.local"),
1695 x509.RFC822Name(u"email@another.local"),
1696 x509.UniformResourceIdentifier(u"http://another.local"),
1697 ])
1698 assert san[-1] == san[4]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame]1699 assert san[2:6:2] == [san[2], san[4]]
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1700
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1701 def test_invalid_general_names(self):
1702 with pytest.raises(TypeError):
1703 x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1704 [x509.DNSName(u"cryptography.io"), "invalid"]
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1705 )
1706
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1707 def test_repr(self):
1708 san = x509.SubjectAlternativeName(
1709 [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1710 x509.DNSName(u"cryptography.io")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1711 ]
1712 )
1713 assert repr(san) == (
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1714 "<SubjectAlternativeName("
1715 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1716 )
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1717
Paul Kehrer58cc3972015-05-13 10:00:41 -0500[diff] [blame]1718 def test_eq(self):
1719 san = x509.SubjectAlternativeName(
1720 [x509.DNSName(u"cryptography.io")]
1721 )
1722 san2 = x509.SubjectAlternativeName(
1723 [x509.DNSName(u"cryptography.io")]
1724 )
1725 assert san == san2
1726
1727 def test_ne(self):
1728 san = x509.SubjectAlternativeName(
1729 [x509.DNSName(u"cryptography.io")]
1730 )
1731 san2 = x509.SubjectAlternativeName(
1732 [x509.RFC822Name(u"admin@cryptography.io")]
1733 )
1734 assert san != san2
1735 assert san != object()
1736
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1737
1738@pytest.mark.requires_backend_interface(interface=RSABackend)
1739@pytest.mark.requires_backend_interface(interface=X509Backend)
1740class TestRSASubjectAlternativeNameExtension(object):
1741 def test_dns_name(self, backend):
1742 cert = _load_cert(
1743 os.path.join("x509", "cryptography.io.pem"),
1744 x509.load_pem_x509_certificate,
1745 backend
1746 )
1747 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1748 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1749 )
1750 assert ext is not None
1751 assert ext.critical is False
1752
1753 san = ext.value
1754
1755 dns = san.get_values_for_type(x509.DNSName)
1756 assert dns == [u"www.cryptography.io", u"cryptography.io"]
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1757
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1758 def test_wildcard_dns_name(self, backend):
1759 cert = _load_cert(
1760 os.path.join("x509", "wildcard_san.pem"),
1761 x509.load_pem_x509_certificate,
1762 backend
1763 )
1764 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1765 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1766 )
1767
1768 dns = ext.value.get_values_for_type(x509.DNSName)
1769 assert dns == [
1770 u'*.langui.sh',
1771 u'langui.sh',
1772 u'*.saseliminator.com',
1773 u'saseliminator.com'
1774 ]
1775
Dominic Chen87bb9572015-10-09 00:23:07 -0400[diff] [blame]1776 def test_san_empty_hostname(self, backend):
1777 cert = _load_cert(
1778 os.path.join(
1779 "x509", "custom", "san_empty_hostname.pem"
1780 ),
1781 x509.load_pem_x509_certificate,
1782 backend
1783 )
1784 san = cert.extensions.get_extension_for_oid(
1785 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
1786 )
1787
1788 dns = san.value.get_values_for_type(x509.DNSName)
1789 assert dns == [u'']
1790
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1791 def test_san_wildcard_idna_dns_name(self, backend):
1792 cert = _load_cert(
1793 os.path.join("x509", "custom", "san_wildcard_idna.pem"),
1794 x509.load_pem_x509_certificate,
1795 backend
1796 )
1797 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1798 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1799 )
1800
1801 dns = ext.value.get_values_for_type(x509.DNSName)
1802 assert dns == [u'*.\u043f\u044b\u043a\u0430.cryptography']
1803
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1804 def test_unsupported_gn(self, backend):
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1805 cert = _load_cert(
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1806 os.path.join("x509", "san_x400address.der"),
1807 x509.load_der_x509_certificate,
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1808 backend
1809 )
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1810 with pytest.raises(x509.UnsupportedGeneralNameType) as exc:
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1811 cert.extensions
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1812
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1813 assert exc.value.type == 3
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1814
1815 def test_registered_id(self, backend):
1816 cert = _load_cert(
1817 os.path.join(
1818 "x509", "custom", "san_registered_id.pem"
1819 ),
1820 x509.load_pem_x509_certificate,
1821 backend
1822 )
1823 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1824 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1825 )
1826 assert ext is not None
1827 assert ext.critical is False
1828
1829 san = ext.value
1830 rid = san.get_values_for_type(x509.RegisteredID)
1831 assert rid == [x509.ObjectIdentifier("1.2.3.4")]
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1832
1833 def test_uri(self, backend):
1834 cert = _load_cert(
1835 os.path.join(
1836 "x509", "custom", "san_uri_with_port.pem"
1837 ),
1838 x509.load_pem_x509_certificate,
1839 backend
1840 )
1841 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1842 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1843 )
1844 assert ext is not None
1845 uri = ext.value.get_values_for_type(
1846 x509.UniformResourceIdentifier
1847 )
1848 assert uri == [
1849 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/path?q=s#hel"
1850 u"lo",
1851 u"http://someregulardomain.com",
1852 ]
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1853
1854 def test_ipaddress(self, backend):
1855 cert = _load_cert(
1856 os.path.join(
1857 "x509", "custom", "san_ipaddr.pem"
1858 ),
1859 x509.load_pem_x509_certificate,
1860 backend
1861 )
1862 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1863 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1864 )
1865 assert ext is not None
1866 assert ext.critical is False
1867
1868 san = ext.value
1869
1870 ip = san.get_values_for_type(x509.IPAddress)
1871 assert [
1872 ipaddress.ip_address(u"127.0.0.1"),
1873 ipaddress.ip_address(u"ff::")
1874 ] == ip
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1875
1876 def test_dirname(self, backend):
1877 cert = _load_cert(
1878 os.path.join(
1879 "x509", "custom", "san_dirname.pem"
1880 ),
1881 x509.load_pem_x509_certificate,
1882 backend
1883 )
1884 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1885 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1886 )
1887 assert ext is not None
1888 assert ext.critical is False
1889
1890 san = ext.value
1891
1892 dirname = san.get_values_for_type(x509.DirectoryName)
1893 assert [
1894 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1895 x509.NameAttribute(NameOID.COMMON_NAME, u'test'),
1896 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org'),
1897 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1898 ])
1899 ] == dirname
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1900
1901 def test_rfc822name(self, backend):
1902 cert = _load_cert(
1903 os.path.join(
1904 "x509", "custom", "san_rfc822_idna.pem"
1905 ),
1906 x509.load_pem_x509_certificate,
1907 backend
1908 )
1909 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1910 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1911 )
1912 assert ext is not None
1913 assert ext.critical is False
1914
1915 san = ext.value
1916
1917 rfc822name = san.get_values_for_type(x509.RFC822Name)
1918 assert [u"email@em\xe5\xefl.com"] == rfc822name
1919
Paul Kehrerb8968812015-05-15 09:01:34 -0700[diff] [blame]1920 def test_idna2003_invalid(self, backend):
1921 cert = _load_cert(
1922 os.path.join(
1923 "x509", "custom", "san_idna2003_dnsname.pem"
1924 ),
1925 x509.load_pem_x509_certificate,
1926 backend
1927 )
1928 with pytest.raises(UnicodeError):
1929 cert.extensions
1930
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1931 def test_unicode_rfc822_name_dns_name_uri(self, backend):
1932 cert = _load_cert(
1933 os.path.join(
1934 "x509", "custom", "san_idna_names.pem"
1935 ),
1936 x509.load_pem_x509_certificate,
1937 backend
1938 )
1939 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1940 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1941 )
1942 assert ext is not None
1943 rfc822_name = ext.value.get_values_for_type(x509.RFC822Name)
1944 dns_name = ext.value.get_values_for_type(x509.DNSName)
1945 uri = ext.value.get_values_for_type(x509.UniformResourceIdentifier)
1946 assert rfc822_name == [u"email@\u043f\u044b\u043a\u0430.cryptography"]
1947 assert dns_name == [u"\u043f\u044b\u043a\u0430.cryptography"]
1948 assert uri == [u"https://www.\u043f\u044b\u043a\u0430.cryptography"]
1949
1950 def test_rfc822name_dnsname_ipaddress_directoryname_uri(self, backend):
1951 cert = _load_cert(
1952 os.path.join(
1953 "x509", "custom", "san_email_dns_ip_dirname_uri.pem"
1954 ),
1955 x509.load_pem_x509_certificate,
1956 backend
1957 )
1958 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1959 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1960 )
1961 assert ext is not None
1962 assert ext.critical is False
1963
1964 san = ext.value
1965
1966 rfc822_name = san.get_values_for_type(x509.RFC822Name)
1967 uri = san.get_values_for_type(x509.UniformResourceIdentifier)
1968 dns = san.get_values_for_type(x509.DNSName)
1969 ip = san.get_values_for_type(x509.IPAddress)
1970 dirname = san.get_values_for_type(x509.DirectoryName)
1971 assert [u"user@cryptography.io"] == rfc822_name
Paul Kehrere3a330c2015-05-02 16:42:52 -0500[diff] [blame]1972 assert [u"https://cryptography.io"] == uri
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1973 assert [u"cryptography.io"] == dns
1974 assert [
1975 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1976 x509.NameAttribute(NameOID.COMMON_NAME, u'dirCN'),
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1977 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1978 NameOID.ORGANIZATION_NAME, u'Cryptographic Authority'
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1979 ),
1980 ])
1981 ] == dirname
1982 assert [
1983 ipaddress.ip_address(u"127.0.0.1"),
1984 ipaddress.ip_address(u"ff::")
1985 ] == ip
1986
1987 def test_invalid_rfc822name(self, backend):
1988 cert = _load_cert(
1989 os.path.join(
1990 "x509", "custom", "san_rfc822_names.pem"
1991 ),
1992 x509.load_pem_x509_certificate,
1993 backend
1994 )
1995 with pytest.raises(ValueError) as exc:
1996 cert.extensions
1997
1998 assert 'Invalid rfc822name value' in str(exc.value)
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]1999
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2000 def test_other_name(self, backend):
2001 cert = _load_cert(
2002 os.path.join(
2003 "x509", "custom", "san_other_name.pem"
2004 ),
2005 x509.load_pem_x509_certificate,
2006 backend
2007 )
2008
2009 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2010 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2011 )
2012 assert ext is not None
2013 assert ext.critical is False
2014
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]2015 expected = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"),
2016 b'\x16\x0bHello World')
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2017 assert len(ext.value) == 1
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]2018 assert list(ext.value)[0] == expected
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2019
2020 othernames = ext.value.get_values_for_type(x509.OtherName)
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]2021 assert othernames == [expected]
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2022
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]2023
2024@pytest.mark.requires_backend_interface(interface=RSABackend)
2025@pytest.mark.requires_backend_interface(interface=X509Backend)
2026class TestExtendedKeyUsageExtension(object):
2027 def test_eku(self, backend):
2028 cert = _load_cert(
2029 os.path.join(
2030 "x509", "custom", "extended_key_usage.pem"
2031 ),
2032 x509.load_pem_x509_certificate,
2033 backend
2034 )
2035 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2036 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]2037 )
2038 assert ext is not None
2039 assert ext.critical is False
2040
2041 assert [
2042 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
2043 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
2044 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.3"),
2045 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.4"),
2046 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.9"),
2047 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.8"),
2048 x509.ObjectIdentifier("2.5.29.37.0"),
2049 x509.ObjectIdentifier("2.16.840.1.113730.4.1"),
2050 ] == list(ext.value)
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2051
2052
2053class TestAccessDescription(object):
2054 def test_invalid_access_method(self):
Nick Bastind06763d2015-12-12 18:32:59 -0800[diff] [blame]2055 with pytest.raises(TypeError):
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2056 x509.AccessDescription("notanoid", x509.DNSName(u"test"))
2057
2058 def test_invalid_access_location(self):
2059 with pytest.raises(TypeError):
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2060 x509.AccessDescription(
2061 AuthorityInformationAccessOID.CA_ISSUERS, "invalid"
2062 )
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2063
Nick Bastind2ecf862015-12-13 05:44:46 -0800[diff] [blame]2064 def test_valid_nonstandard_method(self):
Nick Bastin326fc8e2015-12-12 19:08:12 -0800[diff] [blame]2065 ad = x509.AccessDescription(
2066 ObjectIdentifier("2.999.1"),
2067 x509.UniformResourceIdentifier(u"http://example.com")
2068 )
Nick Bastin11f0f8a2015-12-12 18:54:12 -0800[diff] [blame]2069 assert ad is not None
2070
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2071 def test_repr(self):
2072 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2073 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2074 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2075 )
2076 assert repr(ad) == (
2077 "<AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5."
2078 "5.7.48.1, name=OCSP)>, access_location=<UniformResourceIdentifier"
2079 "(value=http://ocsp.domain.com)>)>"
2080 )
2081
2082 def test_eq(self):
2083 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2084 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2085 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2086 )
2087 ad2 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2088 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2089 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2090 )
2091 assert ad == ad2
2092
2093 def test_ne(self):
2094 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2095 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2096 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2097 )
2098 ad2 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2099 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2100 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2101 )
2102 ad3 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2103 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2104 x509.UniformResourceIdentifier(u"http://notthesame")
2105 )
2106 assert ad != ad2
2107 assert ad != ad3
2108 assert ad != object()
2109
2110
2111class TestAuthorityInformationAccess(object):
2112 def test_invalid_descriptions(self):
2113 with pytest.raises(TypeError):
2114 x509.AuthorityInformationAccess(["notanAccessDescription"])
2115
2116 def test_iter_len(self):
2117 aia = x509.AuthorityInformationAccess([
2118 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2119 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2120 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2121 ),
2122 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2123 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2124 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2125 )
2126 ])
2127 assert len(aia) == 2
2128 assert list(aia) == [
2129 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2130 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2131 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2132 ),
2133 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2134 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2135 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2136 )
2137 ]
2138
2139 def test_repr(self):
2140 aia = x509.AuthorityInformationAccess([
2141 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2142 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2143 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2144 ),
2145 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2146 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2147 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2148 )
2149 ])
2150 assert repr(aia) == (
2151 "<AuthorityInformationAccess([<AccessDescription(access_method=<Ob"
2152 "jectIdentifier(oid=1.3.6.1.5.5.7.48.1, name=OCSP)>, access_locati"
2153 "on=<UniformResourceIdentifier(value=http://ocsp.domain.com)>)>, <"
2154 "AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5.5"
2155 ".7.48.2, name=caIssuers)>, access_location=<UniformResourceIdenti"
2156 "fier(value=http://domain.com/ca.crt)>)>])>"
2157 )
2158
2159 def test_eq(self):
2160 aia = x509.AuthorityInformationAccess([
2161 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2162 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2163 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2164 ),
2165 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2166 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2167 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2168 )
2169 ])
2170 aia2 = x509.AuthorityInformationAccess([
2171 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2172 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2173 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2174 ),
2175 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2176 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2177 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2178 )
2179 ])
2180 assert aia == aia2
2181
2182 def test_ne(self):
2183 aia = x509.AuthorityInformationAccess([
2184 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2185 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2186 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2187 ),
2188 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2189 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2190 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2191 )
2192 ])
2193 aia2 = x509.AuthorityInformationAccess([
2194 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2195 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2196 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2197 ),
2198 ])
2199
2200 assert aia != aia2
2201 assert aia != object()
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2202
2203
2204@pytest.mark.requires_backend_interface(interface=RSABackend)
2205@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2206class TestAuthorityInformationAccessExtension(object):
2207 def test_aia_ocsp_ca_issuers(self, backend):
2208 cert = _load_cert(
2209 os.path.join("x509", "cryptography.io.pem"),
2210 x509.load_pem_x509_certificate,
2211 backend
2212 )
2213 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2214 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2215 )
2216 assert ext is not None
2217 assert ext.critical is False
2218
2219 assert ext.value == x509.AuthorityInformationAccess([
2220 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2221 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2222 x509.UniformResourceIdentifier(u"http://gv.symcd.com")
2223 ),
2224 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2225 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2226 x509.UniformResourceIdentifier(u"http://gv.symcb.com/gv.crt")
2227 ),
2228 ])
2229
2230 def test_aia_multiple_ocsp_ca_issuers(self, backend):
2231 cert = _load_cert(
2232 os.path.join("x509", "custom", "aia_ocsp_ca_issuers.pem"),
2233 x509.load_pem_x509_certificate,
2234 backend
2235 )
2236 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2237 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2238 )
2239 assert ext is not None
2240 assert ext.critical is False
2241
2242 assert ext.value == x509.AuthorityInformationAccess([
2243 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2244 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2245 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2246 ),
2247 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2248 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2249 x509.UniformResourceIdentifier(u"http://ocsp2.domain.com")
2250 ),
2251 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2252 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2253 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2254 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
2255 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2256 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2257 ]))
2258 ),
2259 ])
2260
2261 def test_aia_ocsp_only(self, backend):
2262 cert = _load_cert(
2263 os.path.join("x509", "custom", "aia_ocsp.pem"),
2264 x509.load_pem_x509_certificate,
2265 backend
2266 )
2267 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2268 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2269 )
2270 assert ext is not None
2271 assert ext.critical is False
2272
2273 assert ext.value == x509.AuthorityInformationAccess([
2274 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2275 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2276 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2277 ),
2278 ])
2279
2280 def test_aia_ca_issuers_only(self, backend):
2281 cert = _load_cert(
2282 os.path.join("x509", "custom", "aia_ca_issuers.pem"),
2283 x509.load_pem_x509_certificate,
2284 backend
2285 )
2286 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2287 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2288 )
2289 assert ext is not None
2290 assert ext.critical is False
2291
2292 assert ext.value == x509.AuthorityInformationAccess([
2293 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2294 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2295 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2296 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
2297 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2298 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2299 ]))
2300 ),
2301 ])
2302
2303
2304@pytest.mark.requires_backend_interface(interface=RSABackend)
2305@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2306class TestAuthorityKeyIdentifierExtension(object):
2307 def test_aki_keyid(self, backend):
2308 cert = _load_cert(
2309 os.path.join(
2310 "x509", "cryptography.io.pem"
2311 ),
2312 x509.load_pem_x509_certificate,
2313 backend
2314 )
2315 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2316 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2317 )
2318 assert ext is not None
2319 assert ext.critical is False
2320
2321 assert ext.value.key_identifier == (
2322 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08\xcbY"
2323 )
2324 assert ext.value.authority_cert_issuer is None
2325 assert ext.value.authority_cert_serial_number is None
2326
2327 def test_aki_all_fields(self, backend):
2328 cert = _load_cert(
2329 os.path.join(
2330 "x509", "custom", "authority_key_identifier.pem"
2331 ),
2332 x509.load_pem_x509_certificate,
2333 backend
2334 )
2335 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2336 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2337 )
2338 assert ext is not None
2339 assert ext.critical is False
2340
2341 assert ext.value.key_identifier == (
2342 b"9E>\xca=b\x1d\xea\x86I\xf6Z\xab@\xb7\xa4p\x98\xf1\xec"
2343 )
2344 assert ext.value.authority_cert_issuer == [
2345 x509.DirectoryName(
2346 x509.Name([
2347 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2348 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2349 ),
2350 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2351 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2352 )
2353 ])
2354 )
2355 ]
2356 assert ext.value.authority_cert_serial_number == 3
2357
2358 def test_aki_no_keyid(self, backend):
2359 cert = _load_cert(
2360 os.path.join(
2361 "x509", "custom", "authority_key_identifier_no_keyid.pem"
2362 ),
2363 x509.load_pem_x509_certificate,
2364 backend
2365 )
2366 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2367 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2368 )
2369 assert ext is not None
2370 assert ext.critical is False
2371
2372 assert ext.value.key_identifier is None
2373 assert ext.value.authority_cert_issuer == [
2374 x509.DirectoryName(
2375 x509.Name([
2376 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2377 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2378 ),
2379 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2380 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2381 )
2382 ])
2383 )
2384 ]
2385 assert ext.value.authority_cert_serial_number == 3
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2386
Paul Kehrer253929a2015-08-05 17:30:39 +0100[diff] [blame]2387 def test_from_certificate(self, backend):
2388 issuer_cert = _load_cert(
2389 os.path.join("x509", "rapidssl_sha256_ca_g3.pem"),
2390 x509.load_pem_x509_certificate,
2391 backend
2392 )
2393 cert = _load_cert(
2394 os.path.join("x509", "cryptography.io.pem"),
2395 x509.load_pem_x509_certificate,
2396 backend
2397 )
2398 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2399 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrer253929a2015-08-05 17:30:39 +0100[diff] [blame]2400 )
2401 aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(
2402 issuer_cert.public_key()
2403 )
2404 assert ext.value == aki
2405
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2406
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2407class TestNameConstraints(object):
2408 def test_ipaddress_wrong_type(self):
2409 with pytest.raises(TypeError):
2410 x509.NameConstraints(
2411 permitted_subtrees=[
2412 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2413 ],
2414 excluded_subtrees=None
2415 )
2416
2417 with pytest.raises(TypeError):
2418 x509.NameConstraints(
2419 permitted_subtrees=None,
2420 excluded_subtrees=[
2421 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2422 ]
2423 )
2424
2425 def test_ipaddress_allowed_type(self):
2426 permitted = [x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29"))]
2427 excluded = [x509.IPAddress(ipaddress.IPv4Network(u"10.10.0.0/24"))]
2428 nc = x509.NameConstraints(
2429 permitted_subtrees=permitted,
2430 excluded_subtrees=excluded
2431 )
2432 assert nc.permitted_subtrees == permitted
2433 assert nc.excluded_subtrees == excluded
2434
2435 def test_invalid_permitted_subtrees(self):
2436 with pytest.raises(TypeError):
2437 x509.NameConstraints("badpermitted", None)
2438
2439 def test_invalid_excluded_subtrees(self):
2440 with pytest.raises(TypeError):
2441 x509.NameConstraints(None, "badexcluded")
2442
2443 def test_no_subtrees(self):
2444 with pytest.raises(ValueError):
2445 x509.NameConstraints(None, None)
2446
2447 def test_permitted_none(self):
2448 excluded = [x509.DNSName(u"name.local")]
2449 nc = x509.NameConstraints(
2450 permitted_subtrees=None, excluded_subtrees=excluded
2451 )
2452 assert nc.permitted_subtrees is None
2453 assert nc.excluded_subtrees is not None
2454
2455 def test_excluded_none(self):
2456 permitted = [x509.DNSName(u"name.local")]
2457 nc = x509.NameConstraints(
2458 permitted_subtrees=permitted, excluded_subtrees=None
2459 )
2460 assert nc.permitted_subtrees is not None
2461 assert nc.excluded_subtrees is None
2462
2463 def test_repr(self):
2464 permitted = [x509.DNSName(u"name.local"), x509.DNSName(u"name2.local")]
2465 nc = x509.NameConstraints(
2466 permitted_subtrees=permitted,
2467 excluded_subtrees=None
2468 )
2469 assert repr(nc) == (
2470 "<NameConstraints(permitted_subtrees=[<DNSName(value=name.local)>"
2471 ", <DNSName(value=name2.local)>], excluded_subtrees=None)>"
2472 )
2473
Paul Kehrer31894282015-06-21 21:46:41 -0500[diff] [blame]2474 def test_eq(self):
2475 nc = x509.NameConstraints(
2476 permitted_subtrees=[x509.DNSName(u"name.local")],
2477 excluded_subtrees=[x509.DNSName(u"name2.local")]
2478 )
2479 nc2 = x509.NameConstraints(
2480 permitted_subtrees=[x509.DNSName(u"name.local")],
2481 excluded_subtrees=[x509.DNSName(u"name2.local")]
2482 )
2483 assert nc == nc2
2484
2485 def test_ne(self):
2486 nc = x509.NameConstraints(
2487 permitted_subtrees=[x509.DNSName(u"name.local")],
2488 excluded_subtrees=[x509.DNSName(u"name2.local")]
2489 )
2490 nc2 = x509.NameConstraints(
2491 permitted_subtrees=[x509.DNSName(u"name.local")],
2492 excluded_subtrees=None
2493 )
2494 nc3 = x509.NameConstraints(
2495 permitted_subtrees=None,
2496 excluded_subtrees=[x509.DNSName(u"name2.local")]
2497 )
2498
2499 assert nc != nc2
2500 assert nc != nc3
2501 assert nc != object()
2502
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2503
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2504@pytest.mark.requires_backend_interface(interface=RSABackend)
2505@pytest.mark.requires_backend_interface(interface=X509Backend)
2506class TestNameConstraintsExtension(object):
2507 def test_permitted_excluded(self, backend):
2508 cert = _load_cert(
2509 os.path.join(
2510 "x509", "custom", "nc_permitted_excluded_2.pem"
2511 ),
2512 x509.load_pem_x509_certificate,
2513 backend
2514 )
2515 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2516 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2517 ).value
2518 assert nc == x509.NameConstraints(
2519 permitted_subtrees=[
2520 x509.DNSName(u"zombo.local"),
2521 ],
2522 excluded_subtrees=[
2523 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2524 x509.NameAttribute(NameOID.COMMON_NAME, u"zombo")
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2525 ]))
2526 ]
2527 )
2528
2529 def test_permitted(self, backend):
2530 cert = _load_cert(
2531 os.path.join(
2532 "x509", "custom", "nc_permitted_2.pem"
2533 ),
2534 x509.load_pem_x509_certificate,
2535 backend
2536 )
2537 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2538 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2539 ).value
2540 assert nc == x509.NameConstraints(
2541 permitted_subtrees=[
2542 x509.DNSName(u"zombo.local"),
2543 ],
2544 excluded_subtrees=None
2545 )
2546
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2547 def test_permitted_with_leading_period(self, backend):
2548 cert = _load_cert(
2549 os.path.join(
2550 "x509", "custom", "nc_permitted.pem"
2551 ),
2552 x509.load_pem_x509_certificate,
2553 backend
2554 )
2555 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2556 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2557 ).value
2558 assert nc == x509.NameConstraints(
2559 permitted_subtrees=[
2560 x509.DNSName(u".cryptography.io"),
2561 x509.UniformResourceIdentifier(u"ftp://cryptography.test")
2562 ],
2563 excluded_subtrees=None
2564 )
2565
2566 def test_excluded_with_leading_period(self, backend):
2567 cert = _load_cert(
2568 os.path.join(
2569 "x509", "custom", "nc_excluded.pem"
2570 ),
2571 x509.load_pem_x509_certificate,
2572 backend
2573 )
2574 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2575 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2576 ).value
2577 assert nc == x509.NameConstraints(
2578 permitted_subtrees=None,
2579 excluded_subtrees=[
2580 x509.DNSName(u".cryptography.io"),
2581 x509.UniformResourceIdentifier(u"gopher://cryptography.test")
2582 ]
2583 )
2584
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2585 def test_permitted_excluded_with_ips(self, backend):
2586 cert = _load_cert(
2587 os.path.join(
2588 "x509", "custom", "nc_permitted_excluded.pem"
2589 ),
2590 x509.load_pem_x509_certificate,
2591 backend
2592 )
2593 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2594 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2595 ).value
2596 assert nc == x509.NameConstraints(
2597 permitted_subtrees=[
2598 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")),
2599 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")),
2600 ],
2601 excluded_subtrees=[
2602 x509.DNSName(u".domain.com"),
2603 x509.UniformResourceIdentifier(u"http://test.local"),
2604 ]
2605 )
2606
Paul Kehrera72ebaf2015-07-01 21:07:37 -0500[diff] [blame]2607 def test_single_ip_netmask(self, backend):
2608 cert = _load_cert(
2609 os.path.join(
2610 "x509", "custom", "nc_single_ip_netmask.pem"
2611 ),
2612 x509.load_pem_x509_certificate,
2613 backend
2614 )
2615 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2616 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrera72ebaf2015-07-01 21:07:37 -0500[diff] [blame]2617 ).value
2618 assert nc == x509.NameConstraints(
2619 permitted_subtrees=[
2620 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/128")),
2621 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.1/32")),
2622 ],
2623 excluded_subtrees=None
2624 )
2625
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2626 def test_invalid_netmask(self, backend):
2627 cert = _load_cert(
2628 os.path.join(
2629 "x509", "custom", "nc_invalid_ip_netmask.pem"
2630 ),
2631 x509.load_pem_x509_certificate,
2632 backend
2633 )
2634 with pytest.raises(ValueError):
2635 cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2636 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2637 )
2638
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2639
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2640class TestDistributionPoint(object):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2641 def test_distribution_point_full_name_not_general_names(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2642 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2643 x509.DistributionPoint(["notgn"], None, None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2644
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2645 def test_distribution_point_relative_name_not_name(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2646 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2647 x509.DistributionPoint(None, "notname", None, None)
2648
2649 def test_distribution_point_full_and_relative_not_none(self):
2650 with pytest.raises(ValueError):
2651 x509.DistributionPoint("data", "notname", None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2652
2653 def test_crl_issuer_not_general_names(self):
2654 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2655 x509.DistributionPoint(None, None, None, ["notgn"])
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2656
2657 def test_reason_not_reasonflags(self):
2658 with pytest.raises(TypeError):
2659 x509.DistributionPoint(
2660 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2661 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2662 frozenset(["notreasonflags"]),
2663 None
2664 )
2665
2666 def test_reason_not_frozenset(self):
2667 with pytest.raises(TypeError):
2668 x509.DistributionPoint(
2669 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2670 None,
2671 [x509.ReasonFlags.ca_compromise],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2672 None
2673 )
2674
2675 def test_disallowed_reasons(self):
2676 with pytest.raises(ValueError):
2677 x509.DistributionPoint(
2678 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2679 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2680 frozenset([x509.ReasonFlags.unspecified]),
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2681 None
2682 )
2683
2684 with pytest.raises(ValueError):
2685 x509.DistributionPoint(
2686 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2687 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2688 frozenset([x509.ReasonFlags.remove_from_crl]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2689 None
2690 )
2691
2692 def test_reason_only(self):
2693 with pytest.raises(ValueError):
2694 x509.DistributionPoint(
2695 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2696 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2697 frozenset([x509.ReasonFlags.aa_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2698 None
2699 )
2700
2701 def test_eq(self):
2702 dp = x509.DistributionPoint(
2703 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2704 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2705 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2706 [
2707 x509.DirectoryName(
2708 x509.Name([
2709 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2710 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2711 )
2712 ])
2713 )
2714 ],
2715 )
2716 dp2 = x509.DistributionPoint(
2717 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2718 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2719 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2720 [
2721 x509.DirectoryName(
2722 x509.Name([
2723 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2724 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2725 )
2726 ])
2727 )
2728 ],
2729 )
2730 assert dp == dp2
2731
2732 def test_ne(self):
2733 dp = x509.DistributionPoint(
2734 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2735 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2736 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2737 [
2738 x509.DirectoryName(
2739 x509.Name([
2740 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2741 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2742 )
2743 ])
2744 )
2745 ],
2746 )
2747 dp2 = x509.DistributionPoint(
2748 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2749 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2750 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2751 None
2752 )
2753 assert dp != dp2
2754 assert dp != object()
2755
2756 def test_repr(self):
2757 dp = x509.DistributionPoint(
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2758 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2759 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2760 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN")
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2761 ]),
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2762 frozenset([x509.ReasonFlags.ca_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2763 [
2764 x509.DirectoryName(
2765 x509.Name([
2766 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2767 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2768 )
2769 ])
2770 )
2771 ],
2772 )
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2773 if six.PY3:
2774 assert repr(dp) == (
2775 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2776 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]2777 ">, value='myCN')>])>, reasons=frozenset({<ReasonFlags.ca_comp"
2778 "romise: 'cACompromise'>}), crl_issuer=[<DirectoryName(value=<"
2779 "Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name="
2780 "commonName)>, value='Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2781 )
2782 else:
2783 assert repr(dp) == (
2784 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2785 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2786 ">, value=u'myCN')>])>, reasons=frozenset([<ReasonFlags.ca_com"
2787 "promise: 'cACompromise'>]), crl_issuer=[<DirectoryName(value="
2788 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
2789 "=commonName)>, value=u'Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2790 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2791
2792
2793class TestCRLDistributionPoints(object):
2794 def test_invalid_distribution_points(self):
2795 with pytest.raises(TypeError):
2796 x509.CRLDistributionPoints(["notadistributionpoint"])
2797
2798 def test_iter_len(self):
2799 cdp = x509.CRLDistributionPoints([
2800 x509.DistributionPoint(
2801 [x509.UniformResourceIdentifier(u"http://domain")],
2802 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2803 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2804 None
2805 ),
2806 x509.DistributionPoint(
2807 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2808 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2809 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2810 x509.ReasonFlags.key_compromise,
2811 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2812 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2813 None
2814 ),
2815 ])
2816 assert len(cdp) == 2
2817 assert list(cdp) == [
2818 x509.DistributionPoint(
2819 [x509.UniformResourceIdentifier(u"http://domain")],
2820 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2821 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2822 None
2823 ),
2824 x509.DistributionPoint(
2825 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2826 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2827 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2828 x509.ReasonFlags.key_compromise,
2829 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2830 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2831 None
2832 ),
2833 ]
2834
2835 def test_repr(self):
2836 cdp = x509.CRLDistributionPoints([
2837 x509.DistributionPoint(
2838 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2839 None,
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2840 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2841 None
2842 ),
2843 ])
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2844 if six.PY3:
2845 assert repr(cdp) == (
2846 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2847 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2848 "ne, reasons=frozenset({<ReasonFlags.key_compromise: 'keyComp"
2849 "romise'>}), crl_issuer=None)>])>"
2850 )
2851 else:
2852 assert repr(cdp) == (
2853 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2854 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2855 "ne, reasons=frozenset([<ReasonFlags.key_compromise: 'keyComp"
2856 "romise'>]), crl_issuer=None)>])>"
2857 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2858
2859 def test_eq(self):
2860 cdp = x509.CRLDistributionPoints([
2861 x509.DistributionPoint(
2862 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2863 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2864 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2865 x509.ReasonFlags.key_compromise,
2866 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2867 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2868 [x509.UniformResourceIdentifier(u"uri://thing")],
2869 ),
2870 ])
2871 cdp2 = x509.CRLDistributionPoints([
2872 x509.DistributionPoint(
2873 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2874 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2875 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2876 x509.ReasonFlags.key_compromise,
2877 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2878 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2879 [x509.UniformResourceIdentifier(u"uri://thing")],
2880 ),
2881 ])
2882 assert cdp == cdp2
2883
2884 def test_ne(self):
2885 cdp = x509.CRLDistributionPoints([
2886 x509.DistributionPoint(
2887 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2888 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2889 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2890 x509.ReasonFlags.key_compromise,
2891 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2892 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2893 [x509.UniformResourceIdentifier(u"uri://thing")],
2894 ),
2895 ])
2896 cdp2 = x509.CRLDistributionPoints([
2897 x509.DistributionPoint(
2898 [x509.UniformResourceIdentifier(u"ftp://domain2")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2899 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2900 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2901 x509.ReasonFlags.key_compromise,
2902 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2903 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2904 [x509.UniformResourceIdentifier(u"uri://thing")],
2905 ),
2906 ])
2907 cdp3 = x509.CRLDistributionPoints([
2908 x509.DistributionPoint(
2909 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2910 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2911 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2912 [x509.UniformResourceIdentifier(u"uri://thing")],
2913 ),
2914 ])
2915 cdp4 = x509.CRLDistributionPoints([
2916 x509.DistributionPoint(
2917 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2918 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2919 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2920 x509.ReasonFlags.key_compromise,
2921 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2922 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2923 [x509.UniformResourceIdentifier(u"uri://thing2")],
2924 ),
2925 ])
2926 assert cdp != cdp2
2927 assert cdp != cdp3
2928 assert cdp != cdp4
2929 assert cdp != object()
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2930
2931
2932@pytest.mark.requires_backend_interface(interface=RSABackend)
2933@pytest.mark.requires_backend_interface(interface=X509Backend)
2934class TestCRLDistributionPointsExtension(object):
2935 def test_fullname_and_crl_issuer(self, backend):
2936 cert = _load_cert(
2937 os.path.join(
2938 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest28EE.crt"
2939 ),
2940 x509.load_der_x509_certificate,
2941 backend
2942 )
2943
2944 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2945 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2946 ).value
2947
2948 assert cdps == x509.CRLDistributionPoints([
2949 x509.DistributionPoint(
2950 full_name=[x509.DirectoryName(
2951 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2952 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2953 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2954 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2955 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2956 ),
2957 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2958 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2959 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2960 ),
2961 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2962 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2963 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2964 ),
2965 ])
2966 )],
2967 relative_name=None,
2968 reasons=None,
2969 crl_issuer=[x509.DirectoryName(
2970 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2971 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2972 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2973 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2974 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2975 ),
2976 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2977 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2978 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2979 ),
2980 ])
2981 )],
2982 )
2983 ])
2984
2985 def test_relativename_and_crl_issuer(self, backend):
2986 cert = _load_cert(
2987 os.path.join(
2988 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest29EE.crt"
2989 ),
2990 x509.load_der_x509_certificate,
2991 backend
2992 )
2993
2994 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2995 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2996 ).value
2997
2998 assert cdps == x509.CRLDistributionPoints([
2999 x509.DistributionPoint(
3000 full_name=None,
3001 relative_name=x509.Name([
3002 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3003 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3004 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3005 ),
3006 ]),
3007 reasons=None,
3008 crl_issuer=[x509.DirectoryName(
3009 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3010 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3011 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3012 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3013 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3014 ),
3015 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3016 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3017 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3018 ),
3019 ])
3020 )],
3021 )
3022 ])
3023
3024 def test_fullname_crl_issuer_reasons(self, backend):
3025 cert = _load_cert(
3026 os.path.join(
3027 "x509", "custom", "cdp_fullname_reasons_crl_issuer.pem"
3028 ),
3029 x509.load_pem_x509_certificate,
3030 backend
3031 )
3032
3033 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3034 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3035 ).value
3036
3037 assert cdps == x509.CRLDistributionPoints([
3038 x509.DistributionPoint(
3039 full_name=[x509.UniformResourceIdentifier(
3040 u"http://myhost.com/myca.crl"
3041 )],
3042 relative_name=None,
3043 reasons=frozenset([
3044 x509.ReasonFlags.key_compromise,
3045 x509.ReasonFlags.ca_compromise
3046 ]),
3047 crl_issuer=[x509.DirectoryName(
3048 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3049 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3050 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3051 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3052 ),
3053 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3054 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3055 ),
3056 ])
3057 )],
3058 )
3059 ])
3060
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3061 def test_all_reasons(self, backend):
3062 cert = _load_cert(
3063 os.path.join(
3064 "x509", "custom", "cdp_all_reasons.pem"
3065 ),
3066 x509.load_pem_x509_certificate,
3067 backend
3068 )
3069
3070 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3071 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3072 ).value
3073
3074 assert cdps == x509.CRLDistributionPoints([
3075 x509.DistributionPoint(
3076 full_name=[x509.UniformResourceIdentifier(
3077 u"http://domain.com/some.crl"
3078 )],
3079 relative_name=None,
3080 reasons=frozenset([
3081 x509.ReasonFlags.key_compromise,
3082 x509.ReasonFlags.ca_compromise,
3083 x509.ReasonFlags.affiliation_changed,
3084 x509.ReasonFlags.superseded,
3085 x509.ReasonFlags.privilege_withdrawn,
3086 x509.ReasonFlags.cessation_of_operation,
3087 x509.ReasonFlags.aa_compromise,
3088 x509.ReasonFlags.certificate_hold,
3089 ]),
3090 crl_issuer=None
3091 )
3092 ])
3093
3094 def test_single_reason(self, backend):
3095 cert = _load_cert(
3096 os.path.join(
3097 "x509", "custom", "cdp_reason_aa_compromise.pem"
3098 ),
3099 x509.load_pem_x509_certificate,
3100 backend
3101 )
3102
3103 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3104 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3105 ).value
3106
3107 assert cdps == x509.CRLDistributionPoints([
3108 x509.DistributionPoint(
3109 full_name=[x509.UniformResourceIdentifier(
3110 u"http://domain.com/some.crl"
3111 )],
3112 relative_name=None,
3113 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
3114 crl_issuer=None
3115 )
3116 ])
3117
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3118 def test_crl_issuer_only(self, backend):
3119 cert = _load_cert(
3120 os.path.join(
3121 "x509", "custom", "cdp_crl_issuer.pem"
3122 ),
3123 x509.load_pem_x509_certificate,
3124 backend
3125 )
3126
3127 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3128 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3129 ).value
3130
3131 assert cdps == x509.CRLDistributionPoints([
3132 x509.DistributionPoint(
3133 full_name=None,
3134 relative_name=None,
3135 reasons=None,
3136 crl_issuer=[x509.DirectoryName(
3137 x509.Name([
3138 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3139 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3140 ),
3141 ])
3142 )],
3143 )
3144 ])
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3145
Dominic Chen87bb9572015-10-09 00:23:07 -0400[diff] [blame]3146 def test_crl_empty_hostname(self, backend):
3147 cert = _load_cert(
3148 os.path.join(
3149 "x509", "custom", "cdp_empty_hostname.pem"
3150 ),
3151 x509.load_pem_x509_certificate,
3152 backend
3153 )
3154
3155 cdps = cert.extensions.get_extension_for_oid(
3156 ExtensionOID.CRL_DISTRIBUTION_POINTS
3157 ).value
3158
3159 assert cdps == x509.CRLDistributionPoints([
3160 x509.DistributionPoint(
3161 full_name=[x509.UniformResourceIdentifier(
3162 u"ldap:/CN=A,OU=B,dc=C,DC=D?E?F?G?H=I"
3163 )],
3164 relative_name=None,
3165 reasons=None,
3166 crl_issuer=None
3167 )
3168 ])
3169
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3170
Paul Kehrerf54a50b2015-06-17 18:31:26 -0600[diff] [blame]3171@pytest.mark.requires_backend_interface(interface=RSABackend)
3172@pytest.mark.requires_backend_interface(interface=X509Backend)
3173class TestOCSPNoCheckExtension(object):
3174 def test_nocheck(self, backend):
3175 cert = _load_cert(
3176 os.path.join(
3177 "x509", "custom", "ocsp_nocheck.pem"
3178 ),
3179 x509.load_pem_x509_certificate,
3180 backend
3181 )
3182 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3183 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf54a50b2015-06-17 18:31:26 -0600[diff] [blame]3184 )
3185 assert isinstance(ext.value, x509.OCSPNoCheck)
3186
3187
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3188class TestInhibitAnyPolicy(object):
3189 def test_not_int(self):
3190 with pytest.raises(TypeError):
3191 x509.InhibitAnyPolicy("notint")
3192
3193 def test_negative_int(self):
3194 with pytest.raises(ValueError):
3195 x509.InhibitAnyPolicy(-1)
3196
3197 def test_repr(self):
3198 iap = x509.InhibitAnyPolicy(0)
3199 assert repr(iap) == "<InhibitAnyPolicy(skip_certs=0)>"
3200
3201 def test_eq(self):
3202 iap = x509.InhibitAnyPolicy(1)
3203 iap2 = x509.InhibitAnyPolicy(1)
3204 assert iap == iap2
3205
3206 def test_ne(self):
3207 iap = x509.InhibitAnyPolicy(1)
3208 iap2 = x509.InhibitAnyPolicy(4)
3209 assert iap != iap2
3210 assert iap != object()
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]3211
3212
3213@pytest.mark.requires_backend_interface(interface=RSABackend)
3214@pytest.mark.requires_backend_interface(interface=X509Backend)
3215class TestInhibitAnyPolicyExtension(object):
3216 def test_nocheck(self, backend):
3217 cert = _load_cert(
3218 os.path.join(
3219 "x509", "custom", "inhibit_any_policy_5.pem"
3220 ),
3221 x509.load_pem_x509_certificate,
3222 backend
3223 )
3224 iap = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3225 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]3226 ).value
3227 assert iap.skip_certs == 5
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]3228
3229
3230@pytest.mark.requires_backend_interface(interface=RSABackend)
3231@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1b7500f2015-08-01 20:56:27 +0100[diff] [blame]3232class TestInvalidExtension(object):
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]3233 def test_invalid_certificate_policies_data(self, backend):
3234 cert = _load_cert(
3235 os.path.join(
3236 "x509", "custom", "cp_invalid.pem"
3237 ),
3238 x509.load_pem_x509_certificate,
3239 backend
3240 )
3241 with pytest.raises(ValueError):
3242 cert.extensions