Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 42e0c790c5150bec47add345065929ca7df8e6ff / . / tests / test_x509_ext.py
blob: 7cd24a69c32f26f481bc343493a297da357ee30d [file] [log] [blame]
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]7import binascii
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]8import datetime
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]9import ipaddress
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]10import os
11
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]12import pytest
13
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]14import six
15
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]16from cryptography import x509
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]17from cryptography.hazmat.backends.interfaces import (
18 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
19)
20from cryptography.hazmat.primitives.asymmetric import ec
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]21from cryptography.x509.oid import (
Nick Bastin326fc8e2015-12-12 19:08:12 -0800[diff] [blame]22 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID,
23 NameOID, ObjectIdentifier
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]24)
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]25
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]26from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]27from .test_x509 import _load_cert
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]28
29
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]30class TestExtension(object):
31 def test_not_an_oid(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]32 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]33 with pytest.raises(TypeError):
34 x509.Extension("notanoid", True, bc)
35
36 def test_critical_not_a_bool(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]37 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]38 with pytest.raises(TypeError):
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]39 x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, "notabool", bc)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]40
41 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]42 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]43 ext = x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, True, bc)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]44 assert repr(ext) == (
45 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConst"
46 "raints)>, critical=True, value=<BasicConstraints(ca=False, path"
47 "_length=None)>)>"
48 )
49
Paul Kehrer58e870c2015-05-17 09:15:30 -0700[diff] [blame]50 def test_eq(self):
51 ext1 = x509.Extension(
52 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
53 )
54 ext2 = x509.Extension(
55 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
56 )
57 assert ext1 == ext2
58
59 def test_ne(self):
60 ext1 = x509.Extension(
61 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
62 )
63 ext2 = x509.Extension(
64 x509.ObjectIdentifier('1.2.3.5'), False, 'value'
65 )
66 ext3 = x509.Extension(
67 x509.ObjectIdentifier('1.2.3.4'), True, 'value'
68 )
69 ext4 = x509.Extension(
70 x509.ObjectIdentifier('1.2.3.4'), False, 'value4'
71 )
72 assert ext1 != ext2
73 assert ext1 != ext3
74 assert ext1 != ext4
75 assert ext1 != object()
76
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]77
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]78class TestCertificateIssuer(object):
79 def test_iter_names(self):
80 ci = x509.CertificateIssuer([
81 x509.DNSName(u"cryptography.io"),
82 x509.DNSName(u"crypto.local"),
83 ])
84 assert len(ci) == 2
85 assert list(ci) == [
86 x509.DNSName(u"cryptography.io"),
87 x509.DNSName(u"crypto.local"),
88 ]
89
Paul Kehrer5c999d32015-12-26 17:45:20 -0600[diff] [blame]90 def test_indexing(self):
91 ci = x509.CertificateIssuer([
92 x509.DNSName(u"cryptography.io"),
93 x509.DNSName(u"crypto.local"),
94 x509.DNSName(u"another.local"),
95 x509.RFC822Name(u"email@another.local"),
96 x509.UniformResourceIdentifier(u"http://another.local"),
97 ])
98 assert ci[-1] == ci[4]
99 assert ci[2:6:2] == [ci[2], ci[4]]
100
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]101 def test_eq(self):
102 ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
103 ci2 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
104 assert ci1 == ci2
105
106 def test_ne(self):
107 ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
108 ci2 = x509.CertificateIssuer([x509.DNSName(u"somethingelse.tld")])
109 assert ci1 != ci2
110 assert ci1 != object()
111
112 def test_repr(self):
113 ci = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
114 assert repr(ci) == (
115 "<CertificateIssuer(<GeneralNames([<DNSName(value=cryptography.io"
116 ")>])>)>"
117 )
118
119 def test_get_values_for_type(self):
120 ci = x509.CertificateIssuer(
121 [x509.DNSName(u"cryptography.io")]
122 )
123 names = ci.get_values_for_type(x509.DNSName)
124 assert names == [u"cryptography.io"]
125
126
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]127class TestCRLReason(object):
128 def test_invalid_reason_flags(self):
129 with pytest.raises(TypeError):
130 x509.CRLReason("notareason")
131
132 def test_eq(self):
133 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
134 reason2 = x509.CRLReason(x509.ReasonFlags.unspecified)
135 assert reason1 == reason2
136
137 def test_ne(self):
138 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
139 reason2 = x509.CRLReason(x509.ReasonFlags.ca_compromise)
140 assert reason1 != reason2
141 assert reason1 != object()
142
Alex Gaynor07d5cae2015-12-27 15:30:39 -0500[diff] [blame]143 def test_hash(self):
144 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
145 reason2 = x509.CRLReason(x509.ReasonFlags.unspecified)
146 reason3 = x509.CRLReason(x509.ReasonFlags.ca_compromise)
147
148 assert hash(reason1) == hash(reason2)
149 assert hash(reason1) != hash(reason3)
150
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]151 def test_repr(self):
152 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
153 assert repr(reason1) == (
154 "<CRLReason(reason=ReasonFlags.unspecified)>"
155 )
156
157
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]158class TestInvalidityDate(object):
159 def test_invalid_invalidity_date(self):
160 with pytest.raises(TypeError):
161 x509.InvalidityDate("notadate")
162
163 def test_eq(self):
164 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
165 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
166 assert invalid1 == invalid2
167
168 def test_ne(self):
169 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
170 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 2))
171 assert invalid1 != invalid2
172 assert invalid1 != object()
173
174 def test_repr(self):
175 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
176 assert repr(invalid1) == (
177 "<InvalidityDate(invalidity_date=2015-01-01 01:01:00)>"
178 )
179
Paul Kehrer67cde762015-12-26 11:37:14 -0600[diff] [blame]180 def test_hash(self):
181 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
182 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
183 invalid3 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 2))
184 assert hash(invalid1) == hash(invalid2)
185 assert hash(invalid1) != hash(invalid3)
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]186
Paul Kehrerc0297dd2015-12-26 11:37:57 -0600[diff] [blame]187
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]188class TestNoticeReference(object):
189 def test_notice_numbers_not_all_int(self):
190 with pytest.raises(TypeError):
191 x509.NoticeReference("org", [1, 2, "three"])
192
193 def test_notice_numbers_none(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]194 with pytest.raises(TypeError):
195 x509.NoticeReference("org", None)
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]196
197 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]198 nr = x509.NoticeReference(u"org", [1, 3, 4])
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]199
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]200 if six.PY3:
201 assert repr(nr) == (
202 "<NoticeReference(organization='org', notice_numbers=[1, 3, 4"
203 "])>"
204 )
205 else:
206 assert repr(nr) == (
207 "<NoticeReference(organization=u'org', notice_numbers=[1, 3, "
208 "4])>"
209 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]210
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]211 def test_eq(self):
212 nr = x509.NoticeReference("org", [1, 2])
213 nr2 = x509.NoticeReference("org", [1, 2])
214 assert nr == nr2
215
216 def test_ne(self):
217 nr = x509.NoticeReference("org", [1, 2])
218 nr2 = x509.NoticeReference("org", [1])
219 nr3 = x509.NoticeReference(None, [1, 2])
220 assert nr != nr2
221 assert nr != nr3
222 assert nr != object()
223
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]224
225class TestUserNotice(object):
226 def test_notice_reference_invalid(self):
227 with pytest.raises(TypeError):
228 x509.UserNotice("invalid", None)
229
230 def test_notice_reference_none(self):
231 un = x509.UserNotice(None, "text")
232 assert un.notice_reference is None
233 assert un.explicit_text == "text"
234
235 def test_repr(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]236 un = x509.UserNotice(x509.NoticeReference(u"org", [1]), u"text")
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]237 if six.PY3:
238 assert repr(un) == (
239 "<UserNotice(notice_reference=<NoticeReference(organization='"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]240 "org', notice_numbers=[1])>, explicit_text='text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]241 )
242 else:
243 assert repr(un) == (
244 "<UserNotice(notice_reference=<NoticeReference(organization=u"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]245 "'org', notice_numbers=[1])>, explicit_text=u'text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]246 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]247
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]248 def test_eq(self):
249 nr = x509.NoticeReference("org", [1, 2])
250 nr2 = x509.NoticeReference("org", [1, 2])
251 un = x509.UserNotice(nr, "text")
252 un2 = x509.UserNotice(nr2, "text")
253 assert un == un2
254
255 def test_ne(self):
256 nr = x509.NoticeReference("org", [1, 2])
257 nr2 = x509.NoticeReference("org", [1])
258 un = x509.UserNotice(nr, "text")
259 un2 = x509.UserNotice(nr2, "text")
260 un3 = x509.UserNotice(nr, "text3")
261 assert un != un2
262 assert un != un3
263 assert un != object()
264
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]265
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]266class TestPolicyInformation(object):
267 def test_invalid_policy_identifier(self):
268 with pytest.raises(TypeError):
269 x509.PolicyInformation("notanoid", None)
270
271 def test_none_policy_qualifiers(self):
272 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), None)
273 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
274 assert pi.policy_qualifiers is None
275
276 def test_policy_qualifiers(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]277 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]278 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
279 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
280 assert pi.policy_qualifiers == pq
281
282 def test_invalid_policy_identifiers(self):
283 with pytest.raises(TypeError):
284 x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [1, 2])
285
286 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]287 pq = [u"string", x509.UserNotice(None, u"hi")]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]288 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]289 if six.PY3:
290 assert repr(pi) == (
291 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
292 "2.3, name=Unknown OID)>, policy_qualifiers=['string', <UserNo"
Paul Kehrer9aaef9e2015-05-11 10:49:20 -0500[diff] [blame]293 "tice(notice_reference=None, explicit_text='hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]294 )
295 else:
296 assert repr(pi) == (
297 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
298 "2.3, name=Unknown OID)>, policy_qualifiers=[u'string', <UserN"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]299 "otice(notice_reference=None, explicit_text=u'hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]300 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]301
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]302 def test_eq(self):
303 pi = x509.PolicyInformation(
304 x509.ObjectIdentifier("1.2.3"),
305 [u"string", x509.UserNotice(None, u"hi")]
306 )
307 pi2 = x509.PolicyInformation(
308 x509.ObjectIdentifier("1.2.3"),
309 [u"string", x509.UserNotice(None, u"hi")]
310 )
311 assert pi == pi2
312
313 def test_ne(self):
314 pi = x509.PolicyInformation(
315 x509.ObjectIdentifier("1.2.3"), [u"string"]
316 )
317 pi2 = x509.PolicyInformation(
318 x509.ObjectIdentifier("1.2.3"), [u"string2"]
319 )
320 pi3 = x509.PolicyInformation(
321 x509.ObjectIdentifier("1.2.3.4"), [u"string"]
322 )
323 assert pi != pi2
324 assert pi != pi3
325 assert pi != object()
326
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]327
328class TestCertificatePolicies(object):
329 def test_invalid_policies(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]330 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]331 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
332 with pytest.raises(TypeError):
333 x509.CertificatePolicies([1, pi])
334
335 def test_iter_len(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]336 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]337 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
338 cp = x509.CertificatePolicies([pi])
339 assert len(cp) == 1
340 for policyinfo in cp:
341 assert policyinfo == pi
342
343 def test_repr(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]344 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]345 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
346 cp = x509.CertificatePolicies([pi])
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]347 if six.PY3:
348 assert repr(cp) == (
349 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
350 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
351 "ers=['string'])>])>"
352 )
353 else:
354 assert repr(cp) == (
355 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
356 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
357 "ers=[u'string'])>])>"
358 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]359
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]360 def test_eq(self):
361 pi = x509.PolicyInformation(
362 x509.ObjectIdentifier("1.2.3"), [u"string"]
363 )
364 cp = x509.CertificatePolicies([pi])
365 pi2 = x509.PolicyInformation(
366 x509.ObjectIdentifier("1.2.3"), [u"string"]
367 )
368 cp2 = x509.CertificatePolicies([pi2])
369 assert cp == cp2
370
371 def test_ne(self):
372 pi = x509.PolicyInformation(
373 x509.ObjectIdentifier("1.2.3"), [u"string"]
374 )
375 cp = x509.CertificatePolicies([pi])
376 pi2 = x509.PolicyInformation(
377 x509.ObjectIdentifier("1.2.3"), [u"string2"]
378 )
379 cp2 = x509.CertificatePolicies([pi2])
380 assert cp != cp2
381 assert cp != object()
382
Paul Kehrere8db7bd2015-12-27 17:32:57 -0600[diff] [blame]383 def test_indexing(self):
384 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [u"test"])
385 pi2 = x509.PolicyInformation(x509.ObjectIdentifier("1.2.4"), [u"test"])
386 pi3 = x509.PolicyInformation(x509.ObjectIdentifier("1.2.5"), [u"test"])
387 pi4 = x509.PolicyInformation(x509.ObjectIdentifier("1.2.6"), [u"test"])
388 pi5 = x509.PolicyInformation(x509.ObjectIdentifier("1.2.7"), [u"test"])
389 cp = x509.CertificatePolicies([pi, pi2, pi3, pi4, pi5])
390 assert cp[-1] == cp[4]
391 assert cp[2:6:2] == [cp[2], cp[4]]
392
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]393
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]394@pytest.mark.requires_backend_interface(interface=RSABackend)
395@pytest.mark.requires_backend_interface(interface=X509Backend)
396class TestCertificatePoliciesExtension(object):
397 def test_cps_uri_policy_qualifier(self, backend):
398 cert = _load_cert(
399 os.path.join("x509", "custom", "cp_cps_uri.pem"),
400 x509.load_pem_x509_certificate,
401 backend
402 )
403
404 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]405 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]406 ).value
407
408 assert cp == x509.CertificatePolicies([
409 x509.PolicyInformation(
410 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
411 [u"http://other.com/cps"]
412 )
413 ])
414
415 def test_user_notice_with_notice_reference(self, backend):
416 cert = _load_cert(
417 os.path.join(
418 "x509", "custom", "cp_user_notice_with_notice_reference.pem"
419 ),
420 x509.load_pem_x509_certificate,
421 backend
422 )
423
424 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]425 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]426 ).value
427
428 assert cp == x509.CertificatePolicies([
429 x509.PolicyInformation(
430 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
431 [
432 u"http://example.com/cps",
433 u"http://other.com/cps",
434 x509.UserNotice(
435 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
436 u"thing"
437 )
438 ]
439 )
440 ])
441
442 def test_user_notice_with_explicit_text(self, backend):
443 cert = _load_cert(
444 os.path.join(
445 "x509", "custom", "cp_user_notice_with_explicit_text.pem"
446 ),
447 x509.load_pem_x509_certificate,
448 backend
449 )
450
451 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]452 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]453 ).value
454
455 assert cp == x509.CertificatePolicies([
456 x509.PolicyInformation(
457 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
458 [x509.UserNotice(None, u"thing")]
459 )
460 ])
461
462 def test_user_notice_no_explicit_text(self, backend):
463 cert = _load_cert(
464 os.path.join(
465 "x509", "custom", "cp_user_notice_no_explicit_text.pem"
466 ),
467 x509.load_pem_x509_certificate,
468 backend
469 )
470
471 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]472 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]473 ).value
474
475 assert cp == x509.CertificatePolicies([
476 x509.PolicyInformation(
477 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
478 [
479 x509.UserNotice(
480 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
481 None
482 )
483 ]
484 )
485 ])
486
487
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]488class TestKeyUsage(object):
489 def test_key_agreement_false_encipher_decipher_true(self):
490 with pytest.raises(ValueError):
491 x509.KeyUsage(
492 digital_signature=False,
493 content_commitment=False,
494 key_encipherment=False,
495 data_encipherment=False,
496 key_agreement=False,
497 key_cert_sign=False,
498 crl_sign=False,
499 encipher_only=True,
500 decipher_only=False
501 )
502
503 with pytest.raises(ValueError):
504 x509.KeyUsage(
505 digital_signature=False,
506 content_commitment=False,
507 key_encipherment=False,
508 data_encipherment=False,
509 key_agreement=False,
510 key_cert_sign=False,
511 crl_sign=False,
512 encipher_only=True,
513 decipher_only=True
514 )
515
516 with pytest.raises(ValueError):
517 x509.KeyUsage(
518 digital_signature=False,
519 content_commitment=False,
520 key_encipherment=False,
521 data_encipherment=False,
522 key_agreement=False,
523 key_cert_sign=False,
524 crl_sign=False,
525 encipher_only=False,
526 decipher_only=True
527 )
528
529 def test_properties_key_agreement_true(self):
530 ku = x509.KeyUsage(
531 digital_signature=True,
532 content_commitment=True,
533 key_encipherment=False,
534 data_encipherment=False,
535 key_agreement=False,
536 key_cert_sign=True,
537 crl_sign=False,
538 encipher_only=False,
539 decipher_only=False
540 )
541 assert ku.digital_signature is True
542 assert ku.content_commitment is True
543 assert ku.key_encipherment is False
544 assert ku.data_encipherment is False
545 assert ku.key_agreement is False
546 assert ku.key_cert_sign is True
547 assert ku.crl_sign is False
548
549 def test_key_agreement_true_properties(self):
550 ku = x509.KeyUsage(
551 digital_signature=False,
552 content_commitment=False,
553 key_encipherment=False,
554 data_encipherment=False,
555 key_agreement=True,
556 key_cert_sign=False,
557 crl_sign=False,
558 encipher_only=False,
559 decipher_only=True
560 )
561 assert ku.key_agreement is True
562 assert ku.encipher_only is False
563 assert ku.decipher_only is True
564
565 def test_key_agreement_false_properties(self):
566 ku = x509.KeyUsage(
567 digital_signature=False,
568 content_commitment=False,
569 key_encipherment=False,
570 data_encipherment=False,
571 key_agreement=False,
572 key_cert_sign=False,
573 crl_sign=False,
574 encipher_only=False,
575 decipher_only=False
576 )
577 assert ku.key_agreement is False
578 with pytest.raises(ValueError):
579 ku.encipher_only
580
581 with pytest.raises(ValueError):
582 ku.decipher_only
583
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]584 def test_repr_key_agreement_false(self):
585 ku = x509.KeyUsage(
586 digital_signature=True,
587 content_commitment=True,
588 key_encipherment=False,
589 data_encipherment=False,
590 key_agreement=False,
591 key_cert_sign=True,
592 crl_sign=False,
593 encipher_only=False,
594 decipher_only=False
595 )
596 assert repr(ku) == (
597 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
598 "cipherment=False, data_encipherment=False, key_agreement=False, k"
Paul Kehrerb372e672015-04-15 11:05:24 -0400[diff] [blame]599 "ey_cert_sign=True, crl_sign=False, encipher_only=None, decipher_o"
600 "nly=None)>"
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]601 )
602
603 def test_repr_key_agreement_true(self):
604 ku = x509.KeyUsage(
605 digital_signature=True,
606 content_commitment=True,
607 key_encipherment=False,
608 data_encipherment=False,
609 key_agreement=True,
610 key_cert_sign=True,
611 crl_sign=False,
612 encipher_only=False,
613 decipher_only=False
614 )
615 assert repr(ku) == (
616 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
617 "cipherment=False, data_encipherment=False, key_agreement=True, k"
618 "ey_cert_sign=True, crl_sign=False, encipher_only=False, decipher_"
619 "only=False)>"
620 )
621
Paul Kehrer8565f5e2015-05-13 09:57:09 -0500[diff] [blame]622 def test_eq(self):
623 ku = x509.KeyUsage(
624 digital_signature=False,
625 content_commitment=False,
626 key_encipherment=False,
627 data_encipherment=False,
628 key_agreement=True,
629 key_cert_sign=False,
630 crl_sign=False,
631 encipher_only=False,
632 decipher_only=True
633 )
634 ku2 = x509.KeyUsage(
635 digital_signature=False,
636 content_commitment=False,
637 key_encipherment=False,
638 data_encipherment=False,
639 key_agreement=True,
640 key_cert_sign=False,
641 crl_sign=False,
642 encipher_only=False,
643 decipher_only=True
644 )
645 assert ku == ku2
646
647 def test_ne(self):
648 ku = x509.KeyUsage(
649 digital_signature=False,
650 content_commitment=False,
651 key_encipherment=False,
652 data_encipherment=False,
653 key_agreement=True,
654 key_cert_sign=False,
655 crl_sign=False,
656 encipher_only=False,
657 decipher_only=True
658 )
659 ku2 = x509.KeyUsage(
660 digital_signature=False,
661 content_commitment=False,
662 key_encipherment=False,
663 data_encipherment=False,
664 key_agreement=False,
665 key_cert_sign=False,
666 crl_sign=False,
667 encipher_only=False,
668 decipher_only=False
669 )
670 assert ku != ku2
671 assert ku != object()
672
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]673
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]674class TestSubjectKeyIdentifier(object):
675 def test_properties(self):
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]676 value = binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]677 ski = x509.SubjectKeyIdentifier(value)
678 assert ski.digest == value
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]679
680 def test_repr(self):
681 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]682 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]683 )
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]684 ext = x509.Extension(ExtensionOID.SUBJECT_KEY_IDENTIFIER, False, ski)
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]685 if six.PY3:
686 assert repr(ext) == (
687 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
688 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
689 "igest=b\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
690 "\\xf7\\xff:\\xc9\')>)>"
691 )
692 else:
693 assert repr(ext) == (
694 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
695 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
696 "igest=\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
697 "\\xf7\\xff:\\xc9\')>)>"
698 )
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]699
700 def test_eq(self):
701 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]702 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]703 )
704 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]705 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]706 )
707 assert ski == ski2
708
709 def test_ne(self):
710 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]711 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]712 )
713 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]714 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]715 )
716 assert ski != ski2
717 assert ski != object()
718
Alex Gaynor410fe352015-12-26 15:01:25 -0500[diff] [blame]719 def test_hash(self):
720 ski1 = x509.SubjectKeyIdentifier(
721 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
722 )
723 ski2 = x509.SubjectKeyIdentifier(
724 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
725 )
726 ski3 = x509.SubjectKeyIdentifier(
727 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
728 )
729
730 assert hash(ski1) == hash(ski2)
731 assert hash(ski1) != hash(ski3)
732
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]733
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]734class TestAuthorityKeyIdentifier(object):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]735 def test_authority_cert_issuer_not_generalname(self):
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]736 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]737 x509.AuthorityKeyIdentifier(b"identifier", ["notname"], 3)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]738
739 def test_authority_cert_serial_number_not_integer(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]740 dirname = x509.DirectoryName(
741 x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]742 x509.NameAttribute(
743 x509.ObjectIdentifier('2.999.1'),
744 u'value1'
745 ),
746 x509.NameAttribute(
747 x509.ObjectIdentifier('2.999.2'),
748 u'value2'
749 ),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]750 ])
751 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]752 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]753 x509.AuthorityKeyIdentifier(b"identifier", [dirname], "notanint")
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]754
755 def test_authority_issuer_none_serial_not_none(self):
756 with pytest.raises(ValueError):
757 x509.AuthorityKeyIdentifier(b"identifier", None, 3)
758
759 def test_authority_issuer_not_none_serial_none(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]760 dirname = x509.DirectoryName(
761 x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]762 x509.NameAttribute(
763 x509.ObjectIdentifier('2.999.1'),
764 u'value1'
765 ),
766 x509.NameAttribute(
767 x509.ObjectIdentifier('2.999.2'),
768 u'value2'
769 ),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]770 ])
771 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]772 with pytest.raises(ValueError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]773 x509.AuthorityKeyIdentifier(b"identifier", [dirname], None)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]774
775 def test_authority_cert_serial_and_issuer_none(self):
776 aki = x509.AuthorityKeyIdentifier(b"id", None, None)
777 assert aki.key_identifier == b"id"
778 assert aki.authority_cert_issuer is None
779 assert aki.authority_cert_serial_number is None
780
781 def test_repr(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]782 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]783 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]784 )
785 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]786
787 if six.PY3:
788 assert repr(aki) == (
789 "<AuthorityKeyIdentifier(key_identifier=b'digest', authority_"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]790 "cert_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid="
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]791 "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value='myC"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]792 "N')>])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]793 )
794 else:
795 assert repr(aki) == (
796 "<AuthorityKeyIdentifier(key_identifier='digest', authority_ce"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]797 "rt_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid=<Ob"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]798 "jectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'myCN')"
799 ">])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]800 )
801
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]802 def test_eq(self):
803 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]804 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]805 )
806 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
807 dirname2 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]808 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]809 )
810 aki2 = x509.AuthorityKeyIdentifier(b"digest", [dirname2], 1234)
811 assert aki == aki2
812
813 def test_ne(self):
814 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]815 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]816 )
817 dirname5 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]818 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'aCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]819 )
820 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
821 aki2 = x509.AuthorityKeyIdentifier(b"diges", [dirname], 1234)
822 aki3 = x509.AuthorityKeyIdentifier(b"digest", None, None)
823 aki4 = x509.AuthorityKeyIdentifier(b"digest", [dirname], 12345)
824 aki5 = x509.AuthorityKeyIdentifier(b"digest", [dirname5], 12345)
825 assert aki != aki2
826 assert aki != aki3
827 assert aki != aki4
828 assert aki != aki5
829 assert aki != object()
830
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]831
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]832class TestBasicConstraints(object):
833 def test_ca_not_boolean(self):
834 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]835 x509.BasicConstraints(ca="notbool", path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]836
837 def test_path_length_not_ca(self):
838 with pytest.raises(ValueError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]839 x509.BasicConstraints(ca=False, path_length=0)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]840
841 def test_path_length_not_int(self):
842 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]843 x509.BasicConstraints(ca=True, path_length=1.1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]844
845 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]846 x509.BasicConstraints(ca=True, path_length="notint")
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]847
848 def test_path_length_negative(self):
849 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]850 x509.BasicConstraints(ca=True, path_length=-1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]851
852 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]853 na = x509.BasicConstraints(ca=True, path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]854 assert repr(na) == (
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]855 "<BasicConstraints(ca=True, path_length=None)>"
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]856 )
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]857
Paul Kehrer2eb69f62015-12-27 11:46:11 -0600[diff] [blame]858 def test_hash(self):
859 na = x509.BasicConstraints(ca=True, path_length=None)
860 na2 = x509.BasicConstraints(ca=True, path_length=None)
Paul Kehrerb39af8d2015-12-27 14:30:19 -0600[diff] [blame]861 na3 = x509.BasicConstraints(ca=True, path_length=0)
Paul Kehrer2eb69f62015-12-27 11:46:11 -0600[diff] [blame]862 assert hash(na) == hash(na2)
Paul Kehrerb39af8d2015-12-27 14:30:19 -0600[diff] [blame]863 assert hash(na) != hash(na3)
Paul Kehrer2eb69f62015-12-27 11:46:11 -0600[diff] [blame]864
Paul Kehrer3a69b132015-05-13 10:03:46 -0500[diff] [blame]865 def test_eq(self):
866 na = x509.BasicConstraints(ca=True, path_length=None)
867 na2 = x509.BasicConstraints(ca=True, path_length=None)
868 assert na == na2
869
870 def test_ne(self):
871 na = x509.BasicConstraints(ca=True, path_length=None)
872 na2 = x509.BasicConstraints(ca=True, path_length=1)
873 na3 = x509.BasicConstraints(ca=False, path_length=None)
874 assert na != na2
875 assert na != na3
876 assert na != object()
877
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]878
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]879class TestExtendedKeyUsage(object):
880 def test_not_all_oids(self):
881 with pytest.raises(TypeError):
882 x509.ExtendedKeyUsage(["notoid"])
883
884 def test_iter_len(self):
885 eku = x509.ExtendedKeyUsage([
886 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
887 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
888 ])
889 assert len(eku) == 2
890 assert list(eku) == [
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]891 ExtendedKeyUsageOID.SERVER_AUTH,
892 ExtendedKeyUsageOID.CLIENT_AUTH
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]893 ]
894
Paul Kehrer23d10c32015-04-02 23:12:32 -0500[diff] [blame]895 def test_repr(self):
896 eku = x509.ExtendedKeyUsage([
897 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
898 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
899 ])
900 assert repr(eku) == (
901 "<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name="
902 "serverAuth)>, <ObjectIdentifier(oid=1.3.6.1.5.5.7.3.2, name=clien"
903 "tAuth)>])>"
904 )
905
Paul Kehrerb0476172015-05-02 19:34:51 -0500[diff] [blame]906 def test_eq(self):
907 eku = x509.ExtendedKeyUsage([
908 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
909 ])
910 eku2 = x509.ExtendedKeyUsage([
911 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
912 ])
913 assert eku == eku2
914
915 def test_ne(self):
916 eku = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6")])
917 eku2 = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6.1")])
918 assert eku != eku2
919 assert eku != object()
920
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]921
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]922@pytest.mark.requires_backend_interface(interface=RSABackend)
923@pytest.mark.requires_backend_interface(interface=X509Backend)
924class TestExtensions(object):
925 def test_no_extensions(self, backend):
926 cert = _load_cert(
927 os.path.join("x509", "verisign_md2_root.pem"),
928 x509.load_pem_x509_certificate,
929 backend
930 )
931 ext = cert.extensions
932 assert len(ext) == 0
933 assert list(ext) == []
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]934 with pytest.raises(x509.ExtensionNotFound) as exc:
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]935 ext.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]936
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]937 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]938
939 def test_one_extension(self, backend):
940 cert = _load_cert(
941 os.path.join(
942 "x509", "custom", "basic_constraints_not_critical.pem"
943 ),
944 x509.load_pem_x509_certificate,
945 backend
946 )
947 extensions = cert.extensions
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]948 ext = extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]949 assert ext is not None
950 assert ext.value.ca is False
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]951
952 def test_duplicate_extension(self, backend):
953 cert = _load_cert(
954 os.path.join(
955 "x509", "custom", "two_basic_constraints.pem"
956 ),
957 x509.load_pem_x509_certificate,
958 backend
959 )
960 with pytest.raises(x509.DuplicateExtension) as exc:
961 cert.extensions
962
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]963 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]964
965 def test_unsupported_critical_extension(self, backend):
966 cert = _load_cert(
967 os.path.join(
968 "x509", "custom", "unsupported_extension_critical.pem"
969 ),
970 x509.load_pem_x509_certificate,
971 backend
972 )
973 with pytest.raises(x509.UnsupportedExtension) as exc:
974 cert.extensions
975
976 assert exc.value.oid == x509.ObjectIdentifier("1.2.3.4")
977
978 def test_unsupported_extension(self, backend):
979 # TODO: this will raise an exception when all extensions are complete
980 cert = _load_cert(
981 os.path.join(
982 "x509", "custom", "unsupported_extension.pem"
983 ),
984 x509.load_pem_x509_certificate,
985 backend
986 )
987 extensions = cert.extensions
988 assert len(extensions) == 0
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]989
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]990 def test_no_extensions_get_for_class(self, backend):
991 cert = _load_cert(
992 os.path.join(
Phoebe Queencb5ec4e2015-08-12 15:06:26 +0100[diff] [blame]993 "x509", "cryptography.io.pem"
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]994 ),
995 x509.load_pem_x509_certificate,
996 backend
997 )
Phoebe Queenc93752b2015-08-12 10:54:46 +0100[diff] [blame]998 exts = cert.extensions
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]999 with pytest.raises(x509.ExtensionNotFound) as exc:
Phoebe Queencb5ec4e2015-08-12 15:06:26 +0100[diff] [blame]1000 exts.get_extension_for_class(x509.IssuerAlternativeName)
1001 assert exc.value.oid == ExtensionOID.ISSUER_ALTERNATIVE_NAME
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]1002
Paul Kehrer5b90c972015-12-26 00:52:58 -0600[diff] [blame]1003 def test_indexing(self, backend):
1004 cert = _load_cert(
1005 os.path.join("x509", "cryptography.io.pem"),
1006 x509.load_pem_x509_certificate,
1007 backend
1008 )
1009 exts = cert.extensions
1010 assert exts[-1] == exts[7]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame]1011 assert exts[2:6:2] == [exts[2], exts[4]]
Paul Kehrer5b90c972015-12-26 00:52:58 -0600[diff] [blame]1012
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]1013 def test_one_extension_get_for_class(self, backend):
1014 cert = _load_cert(
Phoebe Queen2cc111a2015-08-12 04:14:22 +0100[diff] [blame]1015 os.path.join(
1016 "x509", "custom", "basic_constraints_not_critical.pem"
1017 ),
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]1018 x509.load_pem_x509_certificate,
1019 backend
1020 )
1021 ext = cert.extensions.get_extension_for_class(x509.BasicConstraints)
1022 assert ext is not None
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]1023 assert isinstance(ext.value, x509.BasicConstraints)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1024
Paul Kehrerafbe75b2015-10-20 08:08:43 -0500[diff] [blame]1025 def test_repr(self, backend):
1026 cert = _load_cert(
1027 os.path.join(
1028 "x509", "custom", "basic_constraints_not_critical.pem"
1029 ),
1030 x509.load_pem_x509_certificate,
1031 backend
1032 )
1033 assert repr(cert.extensions) == (
1034 "<Extensions([<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name"
1035 "=basicConstraints)>, critical=False, value=<BasicConstraints(ca=F"
1036 "alse, path_length=None)>)>])>"
1037 )
1038
Phoebe Queen2cc111a2015-08-12 04:14:22 +0100[diff] [blame]1039
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1040@pytest.mark.requires_backend_interface(interface=RSABackend)
1041@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerde813ea2015-03-28 12:44:34 -0500[diff] [blame]1042class TestBasicConstraintsExtension(object):
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1043 def test_ca_true_pathlen_6(self, backend):
1044 cert = _load_cert(
1045 os.path.join(
1046 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
1047 ),
1048 x509.load_der_x509_certificate,
1049 backend
1050 )
Phoebe Queen062dec72015-08-12 11:42:23 +0100[diff] [blame]1051 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1052 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1053 )
1054 assert ext is not None
1055 assert ext.critical is True
1056 assert ext.value.ca is True
1057 assert ext.value.path_length == 6
1058
1059 def test_path_length_zero(self, backend):
1060 cert = _load_cert(
1061 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
1062 x509.load_pem_x509_certificate,
1063 backend
1064 )
1065 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1066 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1067 )
1068 assert ext is not None
1069 assert ext.critical is True
1070 assert ext.value.ca is True
1071 assert ext.value.path_length == 0
1072
1073 def test_ca_true_no_pathlen(self, backend):
1074 cert = _load_cert(
1075 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1076 x509.load_der_x509_certificate,
1077 backend
1078 )
1079 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1080 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1081 )
1082 assert ext is not None
1083 assert ext.critical is True
1084 assert ext.value.ca is True
1085 assert ext.value.path_length is None
1086
1087 def test_ca_false(self, backend):
1088 cert = _load_cert(
1089 os.path.join("x509", "cryptography.io.pem"),
1090 x509.load_pem_x509_certificate,
1091 backend
1092 )
1093 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1094 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1095 )
1096 assert ext is not None
1097 assert ext.critical is True
1098 assert ext.value.ca is False
1099 assert ext.value.path_length is None
1100
1101 def test_no_basic_constraints(self, backend):
1102 cert = _load_cert(
1103 os.path.join(
1104 "x509",
1105 "PKITS_data",
1106 "certs",
1107 "ValidCertificatePathTest1EE.crt"
1108 ),
1109 x509.load_der_x509_certificate,
1110 backend
1111 )
1112 with pytest.raises(x509.ExtensionNotFound):
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1113 cert.extensions.get_extension_for_oid(
1114 ExtensionOID.BASIC_CONSTRAINTS
1115 )
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1116
1117 def test_basic_constraint_not_critical(self, backend):
1118 cert = _load_cert(
1119 os.path.join(
1120 "x509", "custom", "basic_constraints_not_critical.pem"
1121 ),
1122 x509.load_pem_x509_certificate,
1123 backend
1124 )
1125 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1126 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1127 )
1128 assert ext is not None
1129 assert ext.critical is False
1130 assert ext.value.ca is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1131
1132
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1133class TestSubjectKeyIdentifierExtension(object):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1134 @pytest.mark.requires_backend_interface(interface=RSABackend)
1135 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1136 def test_subject_key_identifier(self, backend):
1137 cert = _load_cert(
1138 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1139 x509.load_der_x509_certificate,
1140 backend
1141 )
1142 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1143 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1144 )
1145 ski = ext.value
1146 assert ext is not None
1147 assert ext.critical is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1148 assert ski.digest == binascii.unhexlify(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]1149 b"580184241bbc2b52944a3da510721451f5af3ac9"
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1150 )
1151
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1152 @pytest.mark.requires_backend_interface(interface=RSABackend)
1153 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1154 def test_no_subject_key_identifier(self, backend):
1155 cert = _load_cert(
1156 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
1157 x509.load_pem_x509_certificate,
1158 backend
1159 )
1160 with pytest.raises(x509.ExtensionNotFound):
1161 cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1162 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1163 )
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1164
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1165 @pytest.mark.requires_backend_interface(interface=RSABackend)
1166 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1167 def test_from_rsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1168 cert = _load_cert(
1169 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1170 x509.load_der_x509_certificate,
1171 backend
1172 )
1173 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1174 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1175 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1176 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1177 cert.public_key()
1178 )
1179 assert ext.value == ski
1180
1181 @pytest.mark.requires_backend_interface(interface=DSABackend)
1182 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1183 def test_from_dsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1184 cert = _load_cert(
1185 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
1186 x509.load_pem_x509_certificate,
1187 backend
1188 )
1189
1190 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1191 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1192 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1193 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1194 cert.public_key()
1195 )
1196 assert ext.value == ski
1197
1198 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1199 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1200 def test_from_ec_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1201 _skip_curve_unsupported(backend, ec.SECP384R1())
1202 cert = _load_cert(
1203 os.path.join("x509", "ecdsa_root.pem"),
1204 x509.load_pem_x509_certificate,
1205 backend
1206 )
1207
1208 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1209 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1210 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1211 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1212 cert.public_key()
1213 )
1214 assert ext.value == ski
1215
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1216
1217@pytest.mark.requires_backend_interface(interface=RSABackend)
1218@pytest.mark.requires_backend_interface(interface=X509Backend)
1219class TestKeyUsageExtension(object):
1220 def test_no_key_usage(self, backend):
1221 cert = _load_cert(
1222 os.path.join("x509", "verisign_md2_root.pem"),
1223 x509.load_pem_x509_certificate,
1224 backend
1225 )
1226 ext = cert.extensions
1227 with pytest.raises(x509.ExtensionNotFound) as exc:
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1228 ext.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1229
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1230 assert exc.value.oid == ExtensionOID.KEY_USAGE
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1231
1232 def test_all_purposes(self, backend):
1233 cert = _load_cert(
1234 os.path.join(
1235 "x509", "custom", "all_key_usages.pem"
1236 ),
1237 x509.load_pem_x509_certificate,
1238 backend
1239 )
1240 extensions = cert.extensions
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1241 ext = extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1242 assert ext is not None
1243
1244 ku = ext.value
1245 assert ku.digital_signature is True
1246 assert ku.content_commitment is True
1247 assert ku.key_encipherment is True
1248 assert ku.data_encipherment is True
1249 assert ku.key_agreement is True
1250 assert ku.key_cert_sign is True
1251 assert ku.crl_sign is True
1252 assert ku.encipher_only is True
1253 assert ku.decipher_only is True
1254
1255 def test_key_cert_sign_crl_sign(self, backend):
1256 cert = _load_cert(
1257 os.path.join(
1258 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
1259 ),
1260 x509.load_der_x509_certificate,
1261 backend
1262 )
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1263 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1264 assert ext is not None
1265 assert ext.critical is True
1266
1267 ku = ext.value
1268 assert ku.digital_signature is False
1269 assert ku.content_commitment is False
1270 assert ku.key_encipherment is False
1271 assert ku.data_encipherment is False
1272 assert ku.key_agreement is False
1273 assert ku.key_cert_sign is True
1274 assert ku.crl_sign is True
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1275
1276
1277@pytest.mark.parametrize(
1278 "name", [
1279 x509.RFC822Name,
1280 x509.DNSName,
1281 x509.UniformResourceIdentifier
1282 ]
1283)
1284class TestTextGeneralNames(object):
1285 def test_not_text(self, name):
1286 with pytest.raises(TypeError):
1287 name(b"notaunicodestring")
1288
1289 with pytest.raises(TypeError):
1290 name(1.3)
1291
1292 def test_repr(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1293 gn = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1294 assert repr(gn) == "<{0}(value=string)>".format(name.__name__)
1295
1296 def test_eq(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1297 gn = name(u"string")
1298 gn2 = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1299 assert gn == gn2
1300
1301 def test_ne(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1302 gn = name(u"string")
1303 gn2 = name(u"string2")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1304 assert gn != gn2
1305 assert gn != object()
1306
1307
1308class TestDirectoryName(object):
1309 def test_not_name(self):
1310 with pytest.raises(TypeError):
1311 x509.DirectoryName(b"notaname")
1312
1313 with pytest.raises(TypeError):
1314 x509.DirectoryName(1.3)
1315
1316 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1317 name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'value1')])
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1318 gn = x509.DirectoryName(x509.Name([name]))
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]1319 if six.PY3:
1320 assert repr(gn) == (
1321 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1322 "Identifier(oid=2.5.4.3, name=commonName)>, value='value1')>])"
1323 ">])>)>"
1324 )
1325 else:
1326 assert repr(gn) == (
1327 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1328 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'value1')>]"
1329 ")>])>)>"
1330 )
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1331
1332 def test_eq(self):
1333 name = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1334 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1335 ])
1336 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1337 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1338 ])
1339 gn = x509.DirectoryName(x509.Name([name]))
1340 gn2 = x509.DirectoryName(x509.Name([name2]))
1341 assert gn == gn2
1342
1343 def test_ne(self):
1344 name = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1345 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1346 ])
1347 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1348 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1349 ])
1350 gn = x509.DirectoryName(x509.Name([name]))
1351 gn2 = x509.DirectoryName(x509.Name([name2]))
1352 assert gn != gn2
1353 assert gn != object()
1354
1355
Paul Kehrer01d5d0b2015-07-12 09:41:21 -0500[diff] [blame]1356class TestRFC822Name(object):
1357 def test_invalid_email(self):
1358 with pytest.raises(ValueError):
1359 x509.RFC822Name(u"Name <email>")
1360
1361 with pytest.raises(ValueError):
1362 x509.RFC822Name(u"")
1363
1364 def test_single_label(self):
1365 gn = x509.RFC822Name(u"administrator")
1366 assert gn.value == u"administrator"
1367
1368 def test_idna(self):
1369 gn = x509.RFC822Name(u"email@em\xe5\xefl.com")
1370 assert gn.value == u"email@em\xe5\xefl.com"
1371 assert gn._encoded == b"email@xn--eml-vla4c.com"
1372
1373
Paul Kehrere28d6c42015-07-12 14:59:37 -0500[diff] [blame]1374class TestUniformResourceIdentifier(object):
1375 def test_no_parsed_hostname(self):
1376 gn = x509.UniformResourceIdentifier(u"singlelabel")
1377 assert gn.value == u"singlelabel"
1378
1379 def test_with_port(self):
1380 gn = x509.UniformResourceIdentifier(u"singlelabel:443/test")
1381 assert gn.value == u"singlelabel:443/test"
1382
1383 def test_idna_no_port(self):
1384 gn = x509.UniformResourceIdentifier(
1385 u"http://\u043f\u044b\u043a\u0430.cryptography"
1386 )
1387 assert gn.value == u"http://\u043f\u044b\u043a\u0430.cryptography"
1388 assert gn._encoded == b"http://xn--80ato2c.cryptography"
1389
1390 def test_idna_with_port(self):
1391 gn = x509.UniformResourceIdentifier(
1392 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1393 )
1394 assert gn.value == (
1395 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1396 )
1397 assert gn._encoded == b"gopher://xn--80ato2c.cryptography:70/some/path"
1398
1399 def test_query_and_fragment(self):
1400 gn = x509.UniformResourceIdentifier(
1401 u"ldap://cryptography:90/path?query=true#somedata"
1402 )
1403 assert gn.value == u"ldap://cryptography:90/path?query=true#somedata"
1404
1405
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1406class TestRegisteredID(object):
1407 def test_not_oid(self):
1408 with pytest.raises(TypeError):
1409 x509.RegisteredID(b"notanoid")
1410
1411 with pytest.raises(TypeError):
1412 x509.RegisteredID(1.3)
1413
1414 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1415 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1416 assert repr(gn) == (
1417 "<RegisteredID(value=<ObjectIdentifier(oid=2.5.4.3, name=commonNam"
1418 "e)>)>"
1419 )
1420
1421 def test_eq(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1422 gn = x509.RegisteredID(NameOID.COMMON_NAME)
1423 gn2 = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1424 assert gn == gn2
1425
1426 def test_ne(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1427 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1428 gn2 = x509.RegisteredID(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1429 assert gn != gn2
1430 assert gn != object()
1431
1432
1433class TestIPAddress(object):
1434 def test_not_ipaddress(self):
1435 with pytest.raises(TypeError):
1436 x509.IPAddress(b"notanipaddress")
1437
1438 with pytest.raises(TypeError):
1439 x509.IPAddress(1.3)
1440
1441 def test_repr(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1442 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1443 assert repr(gn) == "<IPAddress(value=127.0.0.1)>"
1444
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1445 gn2 = x509.IPAddress(ipaddress.IPv6Address(u"ff::"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1446 assert repr(gn2) == "<IPAddress(value=ff::)>"
1447
Paul Kehrereb177932015-05-17 18:33:33 -0700[diff] [blame]1448 gn3 = x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24"))
1449 assert repr(gn3) == "<IPAddress(value=192.168.0.0/24)>"
1450
1451 gn4 = x509.IPAddress(ipaddress.IPv6Network(u"ff::/96"))
1452 assert repr(gn4) == "<IPAddress(value=ff::/96)>"
1453
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1454 def test_eq(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1455 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1456 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1457 assert gn == gn2
1458
1459 def test_ne(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1460 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1461 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.2"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1462 assert gn != gn2
1463 assert gn != object()
1464
1465
Joshua Tauberer18b6fc82015-07-05 21:44:51 +0000[diff] [blame]1466class TestOtherName(object):
1467 def test_invalid_args(self):
1468 with pytest.raises(TypeError):
1469 x509.OtherName(b"notanobjectidentifier", b"derdata")
1470
1471 with pytest.raises(TypeError):
1472 x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), u"notderdata")
1473
1474 def test_repr(self):
1475 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1476 if six.PY3:
1477 assert repr(gn) == (
1478 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1479 "name=Unknown OID)>, value=b'derdata')>"
1480 )
1481 else:
1482 assert repr(gn) == (
1483 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1484 "name=Unknown OID)>, value='derdata')>"
1485 )
1486
1487 gn = x509.OtherName(x509.ObjectIdentifier("2.5.4.65"), b"derdata")
1488 if six.PY3:
1489 assert repr(gn) == (
1490 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1491 "name=pseudonym)>, value=b'derdata')>"
1492 )
1493 else:
1494 assert repr(gn) == (
1495 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1496 "name=pseudonym)>, value='derdata')>"
1497 )
1498
1499 def test_eq(self):
1500 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1501 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1502 assert gn == gn2
1503
1504 def test_ne(self):
1505 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1506 assert gn != object()
1507
1508 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata2")
1509 assert gn != gn2
1510
1511 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.5"), b"derdata")
1512 assert gn != gn2
1513
1514
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1515class TestGeneralNames(object):
1516 def test_get_values_for_type(self):
1517 gns = x509.GeneralNames(
1518 [x509.DNSName(u"cryptography.io")]
1519 )
1520 names = gns.get_values_for_type(x509.DNSName)
1521 assert names == [u"cryptography.io"]
1522
1523 def test_iter_names(self):
1524 gns = x509.GeneralNames([
1525 x509.DNSName(u"cryptography.io"),
1526 x509.DNSName(u"crypto.local"),
1527 ])
1528 assert len(gns) == 2
1529 assert list(gns) == [
1530 x509.DNSName(u"cryptography.io"),
1531 x509.DNSName(u"crypto.local"),
1532 ]
1533
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1534 def test_indexing(self):
1535 gn = x509.GeneralNames([
1536 x509.DNSName(u"cryptography.io"),
1537 x509.DNSName(u"crypto.local"),
1538 x509.DNSName(u"another.local"),
1539 x509.RFC822Name(u"email@another.local"),
1540 x509.UniformResourceIdentifier(u"http://another.local"),
1541 ])
1542 assert gn[-1] == gn[4]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame]1543 assert gn[2:6:2] == [gn[2], gn[4]]
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1544
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1545 def test_invalid_general_names(self):
1546 with pytest.raises(TypeError):
1547 x509.GeneralNames(
1548 [x509.DNSName(u"cryptography.io"), "invalid"]
1549 )
1550
1551 def test_repr(self):
1552 gns = x509.GeneralNames(
1553 [
1554 x509.DNSName(u"cryptography.io")
1555 ]
1556 )
1557 assert repr(gns) == (
1558 "<GeneralNames([<DNSName(value=cryptography.io)>])>"
1559 )
1560
1561 def test_eq(self):
1562 gns = x509.GeneralNames(
1563 [x509.DNSName(u"cryptography.io")]
1564 )
1565 gns2 = x509.GeneralNames(
1566 [x509.DNSName(u"cryptography.io")]
1567 )
1568 assert gns == gns2
1569
1570 def test_ne(self):
1571 gns = x509.GeneralNames(
1572 [x509.DNSName(u"cryptography.io")]
1573 )
1574 gns2 = x509.GeneralNames(
1575 [x509.RFC822Name(u"admin@cryptography.io")]
1576 )
1577 assert gns != gns2
1578 assert gns != object()
1579
1580
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1581class TestIssuerAlternativeName(object):
1582 def test_get_values_for_type(self):
1583 san = x509.IssuerAlternativeName(
1584 [x509.DNSName(u"cryptography.io")]
1585 )
1586 names = san.get_values_for_type(x509.DNSName)
1587 assert names == [u"cryptography.io"]
1588
1589 def test_iter_names(self):
1590 san = x509.IssuerAlternativeName([
1591 x509.DNSName(u"cryptography.io"),
1592 x509.DNSName(u"crypto.local"),
1593 ])
1594 assert len(san) == 2
1595 assert list(san) == [
1596 x509.DNSName(u"cryptography.io"),
1597 x509.DNSName(u"crypto.local"),
1598 ]
1599
Paul Kehrer5c999d32015-12-26 17:45:20 -0600[diff] [blame]1600 def test_indexing(self):
1601 ian = x509.IssuerAlternativeName([
1602 x509.DNSName(u"cryptography.io"),
1603 x509.DNSName(u"crypto.local"),
1604 x509.DNSName(u"another.local"),
1605 x509.RFC822Name(u"email@another.local"),
1606 x509.UniformResourceIdentifier(u"http://another.local"),
1607 ])
1608 assert ian[-1] == ian[4]
1609 assert ian[2:6:2] == [ian[2], ian[4]]
1610
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1611 def test_invalid_general_names(self):
1612 with pytest.raises(TypeError):
1613 x509.IssuerAlternativeName(
1614 [x509.DNSName(u"cryptography.io"), "invalid"]
1615 )
1616
1617 def test_repr(self):
1618 san = x509.IssuerAlternativeName(
1619 [
1620 x509.DNSName(u"cryptography.io")
1621 ]
1622 )
1623 assert repr(san) == (
1624 "<IssuerAlternativeName("
1625 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
1626 )
1627
1628 def test_eq(self):
1629 san = x509.IssuerAlternativeName(
1630 [x509.DNSName(u"cryptography.io")]
1631 )
1632 san2 = x509.IssuerAlternativeName(
1633 [x509.DNSName(u"cryptography.io")]
1634 )
1635 assert san == san2
1636
1637 def test_ne(self):
1638 san = x509.IssuerAlternativeName(
1639 [x509.DNSName(u"cryptography.io")]
1640 )
1641 san2 = x509.IssuerAlternativeName(
1642 [x509.RFC822Name(u"admin@cryptography.io")]
1643 )
1644 assert san != san2
1645 assert san != object()
1646
1647
Alex Gaynorf1c17672015-06-20 14:20:20 -0400[diff] [blame]1648@pytest.mark.requires_backend_interface(interface=RSABackend)
1649@pytest.mark.requires_backend_interface(interface=X509Backend)
1650class TestRSAIssuerAlternativeNameExtension(object):
1651 def test_uri(self, backend):
1652 cert = _load_cert(
1653 os.path.join("x509", "custom", "ian_uri.pem"),
1654 x509.load_pem_x509_certificate,
1655 backend,
1656 )
1657 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1658 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Alex Gaynorf1c17672015-06-20 14:20:20 -0400[diff] [blame]1659 )
1660 assert list(ext.value) == [
1661 x509.UniformResourceIdentifier(u"http://path.to.root/root.crt"),
1662 ]
1663
1664
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]1665class TestCRLNumber(object):
1666 def test_eq(self):
1667 crl_number = x509.CRLNumber(15)
1668 assert crl_number == x509.CRLNumber(15)
1669
1670 def test_ne(self):
1671 crl_number = x509.CRLNumber(15)
1672 assert crl_number != x509.CRLNumber(14)
1673 assert crl_number != object()
1674
1675 def test_repr(self):
1676 crl_number = x509.CRLNumber(15)
1677 assert repr(crl_number) == "<CRLNumber(15)>"
1678
Paul Kehrera9718fc2015-12-22 22:55:35 -0600[diff] [blame]1679 def test_invalid_number(self):
1680 with pytest.raises(TypeError):
1681 x509.CRLNumber("notanumber")
1682
Alex Gaynorf9a77b62015-12-26 12:14:25 -0500[diff] [blame]1683 def test_hash(self):
1684 c1 = x509.CRLNumber(1)
1685 c2 = x509.CRLNumber(1)
1686 c3 = x509.CRLNumber(2)
1687 assert hash(c1) == hash(c2)
1688 assert hash(c1) != hash(c3)
1689
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]1690
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1691class TestSubjectAlternativeName(object):
1692 def test_get_values_for_type(self):
1693 san = x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1694 [x509.DNSName(u"cryptography.io")]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1695 )
1696 names = san.get_values_for_type(x509.DNSName)
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1697 assert names == [u"cryptography.io"]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1698
1699 def test_iter_names(self):
1700 san = x509.SubjectAlternativeName([
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1701 x509.DNSName(u"cryptography.io"),
1702 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1703 ])
1704 assert len(san) == 2
1705 assert list(san) == [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1706 x509.DNSName(u"cryptography.io"),
1707 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1708 ]
1709
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1710 def test_indexing(self):
1711 san = x509.SubjectAlternativeName([
1712 x509.DNSName(u"cryptography.io"),
1713 x509.DNSName(u"crypto.local"),
1714 x509.DNSName(u"another.local"),
1715 x509.RFC822Name(u"email@another.local"),
1716 x509.UniformResourceIdentifier(u"http://another.local"),
1717 ])
1718 assert san[-1] == san[4]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame]1719 assert san[2:6:2] == [san[2], san[4]]
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1720
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1721 def test_invalid_general_names(self):
1722 with pytest.raises(TypeError):
1723 x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1724 [x509.DNSName(u"cryptography.io"), "invalid"]
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1725 )
1726
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1727 def test_repr(self):
1728 san = x509.SubjectAlternativeName(
1729 [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1730 x509.DNSName(u"cryptography.io")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1731 ]
1732 )
1733 assert repr(san) == (
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1734 "<SubjectAlternativeName("
1735 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1736 )
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1737
Paul Kehrer58cc3972015-05-13 10:00:41 -0500[diff] [blame]1738 def test_eq(self):
1739 san = x509.SubjectAlternativeName(
1740 [x509.DNSName(u"cryptography.io")]
1741 )
1742 san2 = x509.SubjectAlternativeName(
1743 [x509.DNSName(u"cryptography.io")]
1744 )
1745 assert san == san2
1746
1747 def test_ne(self):
1748 san = x509.SubjectAlternativeName(
1749 [x509.DNSName(u"cryptography.io")]
1750 )
1751 san2 = x509.SubjectAlternativeName(
1752 [x509.RFC822Name(u"admin@cryptography.io")]
1753 )
1754 assert san != san2
1755 assert san != object()
1756
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1757
1758@pytest.mark.requires_backend_interface(interface=RSABackend)
1759@pytest.mark.requires_backend_interface(interface=X509Backend)
1760class TestRSASubjectAlternativeNameExtension(object):
1761 def test_dns_name(self, backend):
1762 cert = _load_cert(
1763 os.path.join("x509", "cryptography.io.pem"),
1764 x509.load_pem_x509_certificate,
1765 backend
1766 )
1767 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1768 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1769 )
1770 assert ext is not None
1771 assert ext.critical is False
1772
1773 san = ext.value
1774
1775 dns = san.get_values_for_type(x509.DNSName)
1776 assert dns == [u"www.cryptography.io", u"cryptography.io"]
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1777
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1778 def test_wildcard_dns_name(self, backend):
1779 cert = _load_cert(
1780 os.path.join("x509", "wildcard_san.pem"),
1781 x509.load_pem_x509_certificate,
1782 backend
1783 )
1784 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1785 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1786 )
1787
1788 dns = ext.value.get_values_for_type(x509.DNSName)
1789 assert dns == [
1790 u'*.langui.sh',
1791 u'langui.sh',
1792 u'*.saseliminator.com',
1793 u'saseliminator.com'
1794 ]
1795
Dominic Chen87bb9572015-10-09 00:23:07 -0400[diff] [blame]1796 def test_san_empty_hostname(self, backend):
1797 cert = _load_cert(
1798 os.path.join(
1799 "x509", "custom", "san_empty_hostname.pem"
1800 ),
1801 x509.load_pem_x509_certificate,
1802 backend
1803 )
1804 san = cert.extensions.get_extension_for_oid(
1805 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
1806 )
1807
1808 dns = san.value.get_values_for_type(x509.DNSName)
1809 assert dns == [u'']
1810
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1811 def test_san_wildcard_idna_dns_name(self, backend):
1812 cert = _load_cert(
1813 os.path.join("x509", "custom", "san_wildcard_idna.pem"),
1814 x509.load_pem_x509_certificate,
1815 backend
1816 )
1817 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1818 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1819 )
1820
1821 dns = ext.value.get_values_for_type(x509.DNSName)
1822 assert dns == [u'*.\u043f\u044b\u043a\u0430.cryptography']
1823
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1824 def test_unsupported_gn(self, backend):
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1825 cert = _load_cert(
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1826 os.path.join("x509", "san_x400address.der"),
1827 x509.load_der_x509_certificate,
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1828 backend
1829 )
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1830 with pytest.raises(x509.UnsupportedGeneralNameType) as exc:
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1831 cert.extensions
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1832
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1833 assert exc.value.type == 3
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1834
1835 def test_registered_id(self, backend):
1836 cert = _load_cert(
1837 os.path.join(
1838 "x509", "custom", "san_registered_id.pem"
1839 ),
1840 x509.load_pem_x509_certificate,
1841 backend
1842 )
1843 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1844 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1845 )
1846 assert ext is not None
1847 assert ext.critical is False
1848
1849 san = ext.value
1850 rid = san.get_values_for_type(x509.RegisteredID)
1851 assert rid == [x509.ObjectIdentifier("1.2.3.4")]
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1852
1853 def test_uri(self, backend):
1854 cert = _load_cert(
1855 os.path.join(
1856 "x509", "custom", "san_uri_with_port.pem"
1857 ),
1858 x509.load_pem_x509_certificate,
1859 backend
1860 )
1861 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1862 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1863 )
1864 assert ext is not None
1865 uri = ext.value.get_values_for_type(
1866 x509.UniformResourceIdentifier
1867 )
1868 assert uri == [
1869 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/path?q=s#hel"
1870 u"lo",
1871 u"http://someregulardomain.com",
1872 ]
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1873
1874 def test_ipaddress(self, backend):
1875 cert = _load_cert(
1876 os.path.join(
1877 "x509", "custom", "san_ipaddr.pem"
1878 ),
1879 x509.load_pem_x509_certificate,
1880 backend
1881 )
1882 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1883 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1884 )
1885 assert ext is not None
1886 assert ext.critical is False
1887
1888 san = ext.value
1889
1890 ip = san.get_values_for_type(x509.IPAddress)
1891 assert [
1892 ipaddress.ip_address(u"127.0.0.1"),
1893 ipaddress.ip_address(u"ff::")
1894 ] == ip
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1895
1896 def test_dirname(self, backend):
1897 cert = _load_cert(
1898 os.path.join(
1899 "x509", "custom", "san_dirname.pem"
1900 ),
1901 x509.load_pem_x509_certificate,
1902 backend
1903 )
1904 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1905 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1906 )
1907 assert ext is not None
1908 assert ext.critical is False
1909
1910 san = ext.value
1911
1912 dirname = san.get_values_for_type(x509.DirectoryName)
1913 assert [
1914 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1915 x509.NameAttribute(NameOID.COMMON_NAME, u'test'),
1916 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org'),
1917 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1918 ])
1919 ] == dirname
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1920
1921 def test_rfc822name(self, backend):
1922 cert = _load_cert(
1923 os.path.join(
1924 "x509", "custom", "san_rfc822_idna.pem"
1925 ),
1926 x509.load_pem_x509_certificate,
1927 backend
1928 )
1929 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1930 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1931 )
1932 assert ext is not None
1933 assert ext.critical is False
1934
1935 san = ext.value
1936
1937 rfc822name = san.get_values_for_type(x509.RFC822Name)
1938 assert [u"email@em\xe5\xefl.com"] == rfc822name
1939
Paul Kehrerb8968812015-05-15 09:01:34 -0700[diff] [blame]1940 def test_idna2003_invalid(self, backend):
1941 cert = _load_cert(
1942 os.path.join(
1943 "x509", "custom", "san_idna2003_dnsname.pem"
1944 ),
1945 x509.load_pem_x509_certificate,
1946 backend
1947 )
1948 with pytest.raises(UnicodeError):
1949 cert.extensions
1950
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1951 def test_unicode_rfc822_name_dns_name_uri(self, backend):
1952 cert = _load_cert(
1953 os.path.join(
1954 "x509", "custom", "san_idna_names.pem"
1955 ),
1956 x509.load_pem_x509_certificate,
1957 backend
1958 )
1959 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1960 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1961 )
1962 assert ext is not None
1963 rfc822_name = ext.value.get_values_for_type(x509.RFC822Name)
1964 dns_name = ext.value.get_values_for_type(x509.DNSName)
1965 uri = ext.value.get_values_for_type(x509.UniformResourceIdentifier)
1966 assert rfc822_name == [u"email@\u043f\u044b\u043a\u0430.cryptography"]
1967 assert dns_name == [u"\u043f\u044b\u043a\u0430.cryptography"]
1968 assert uri == [u"https://www.\u043f\u044b\u043a\u0430.cryptography"]
1969
1970 def test_rfc822name_dnsname_ipaddress_directoryname_uri(self, backend):
1971 cert = _load_cert(
1972 os.path.join(
1973 "x509", "custom", "san_email_dns_ip_dirname_uri.pem"
1974 ),
1975 x509.load_pem_x509_certificate,
1976 backend
1977 )
1978 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1979 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1980 )
1981 assert ext is not None
1982 assert ext.critical is False
1983
1984 san = ext.value
1985
1986 rfc822_name = san.get_values_for_type(x509.RFC822Name)
1987 uri = san.get_values_for_type(x509.UniformResourceIdentifier)
1988 dns = san.get_values_for_type(x509.DNSName)
1989 ip = san.get_values_for_type(x509.IPAddress)
1990 dirname = san.get_values_for_type(x509.DirectoryName)
1991 assert [u"user@cryptography.io"] == rfc822_name
Paul Kehrere3a330c2015-05-02 16:42:52 -0500[diff] [blame]1992 assert [u"https://cryptography.io"] == uri
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1993 assert [u"cryptography.io"] == dns
1994 assert [
1995 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1996 x509.NameAttribute(NameOID.COMMON_NAME, u'dirCN'),
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1997 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1998 NameOID.ORGANIZATION_NAME, u'Cryptographic Authority'
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1999 ),
2000 ])
2001 ] == dirname
2002 assert [
2003 ipaddress.ip_address(u"127.0.0.1"),
2004 ipaddress.ip_address(u"ff::")
2005 ] == ip
2006
2007 def test_invalid_rfc822name(self, backend):
2008 cert = _load_cert(
2009 os.path.join(
2010 "x509", "custom", "san_rfc822_names.pem"
2011 ),
2012 x509.load_pem_x509_certificate,
2013 backend
2014 )
2015 with pytest.raises(ValueError) as exc:
2016 cert.extensions
2017
2018 assert 'Invalid rfc822name value' in str(exc.value)
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]2019
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2020 def test_other_name(self, backend):
2021 cert = _load_cert(
2022 os.path.join(
2023 "x509", "custom", "san_other_name.pem"
2024 ),
2025 x509.load_pem_x509_certificate,
2026 backend
2027 )
2028
2029 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2030 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2031 )
2032 assert ext is not None
2033 assert ext.critical is False
2034
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]2035 expected = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"),
2036 b'\x16\x0bHello World')
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2037 assert len(ext.value) == 1
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]2038 assert list(ext.value)[0] == expected
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2039
2040 othernames = ext.value.get_values_for_type(x509.OtherName)
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]2041 assert othernames == [expected]
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2042
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]2043
2044@pytest.mark.requires_backend_interface(interface=RSABackend)
2045@pytest.mark.requires_backend_interface(interface=X509Backend)
2046class TestExtendedKeyUsageExtension(object):
2047 def test_eku(self, backend):
2048 cert = _load_cert(
2049 os.path.join(
2050 "x509", "custom", "extended_key_usage.pem"
2051 ),
2052 x509.load_pem_x509_certificate,
2053 backend
2054 )
2055 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2056 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]2057 )
2058 assert ext is not None
2059 assert ext.critical is False
2060
2061 assert [
2062 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
2063 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
2064 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.3"),
2065 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.4"),
2066 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.9"),
2067 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.8"),
2068 x509.ObjectIdentifier("2.5.29.37.0"),
2069 x509.ObjectIdentifier("2.16.840.1.113730.4.1"),
2070 ] == list(ext.value)
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2071
2072
2073class TestAccessDescription(object):
2074 def test_invalid_access_method(self):
Nick Bastind06763d2015-12-12 18:32:59 -0800[diff] [blame]2075 with pytest.raises(TypeError):
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2076 x509.AccessDescription("notanoid", x509.DNSName(u"test"))
2077
2078 def test_invalid_access_location(self):
2079 with pytest.raises(TypeError):
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2080 x509.AccessDescription(
2081 AuthorityInformationAccessOID.CA_ISSUERS, "invalid"
2082 )
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2083
Nick Bastind2ecf862015-12-13 05:44:46 -0800[diff] [blame]2084 def test_valid_nonstandard_method(self):
Nick Bastin326fc8e2015-12-12 19:08:12 -0800[diff] [blame]2085 ad = x509.AccessDescription(
2086 ObjectIdentifier("2.999.1"),
2087 x509.UniformResourceIdentifier(u"http://example.com")
2088 )
Nick Bastin11f0f8a2015-12-12 18:54:12 -0800[diff] [blame]2089 assert ad is not None
2090
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2091 def test_repr(self):
2092 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2093 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2094 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2095 )
2096 assert repr(ad) == (
2097 "<AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5."
2098 "5.7.48.1, name=OCSP)>, access_location=<UniformResourceIdentifier"
2099 "(value=http://ocsp.domain.com)>)>"
2100 )
2101
2102 def test_eq(self):
2103 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2104 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2105 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2106 )
2107 ad2 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2108 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2109 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2110 )
2111 assert ad == ad2
2112
2113 def test_ne(self):
2114 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2115 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2116 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2117 )
2118 ad2 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2119 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2120 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2121 )
2122 ad3 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2123 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2124 x509.UniformResourceIdentifier(u"http://notthesame")
2125 )
2126 assert ad != ad2
2127 assert ad != ad3
2128 assert ad != object()
2129
2130
2131class TestAuthorityInformationAccess(object):
2132 def test_invalid_descriptions(self):
2133 with pytest.raises(TypeError):
2134 x509.AuthorityInformationAccess(["notanAccessDescription"])
2135
2136 def test_iter_len(self):
2137 aia = x509.AuthorityInformationAccess([
2138 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2139 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2140 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2141 ),
2142 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2143 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2144 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2145 )
2146 ])
2147 assert len(aia) == 2
2148 assert list(aia) == [
2149 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2150 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2151 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2152 ),
2153 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2154 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2155 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2156 )
2157 ]
2158
2159 def test_repr(self):
2160 aia = x509.AuthorityInformationAccess([
2161 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2162 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2163 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2164 ),
2165 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2166 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2167 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2168 )
2169 ])
2170 assert repr(aia) == (
2171 "<AuthorityInformationAccess([<AccessDescription(access_method=<Ob"
2172 "jectIdentifier(oid=1.3.6.1.5.5.7.48.1, name=OCSP)>, access_locati"
2173 "on=<UniformResourceIdentifier(value=http://ocsp.domain.com)>)>, <"
2174 "AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5.5"
2175 ".7.48.2, name=caIssuers)>, access_location=<UniformResourceIdenti"
2176 "fier(value=http://domain.com/ca.crt)>)>])>"
2177 )
2178
2179 def test_eq(self):
2180 aia = x509.AuthorityInformationAccess([
2181 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2182 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2183 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2184 ),
2185 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2186 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2187 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2188 )
2189 ])
2190 aia2 = x509.AuthorityInformationAccess([
2191 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2192 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2193 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2194 ),
2195 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2196 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2197 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2198 )
2199 ])
2200 assert aia == aia2
2201
2202 def test_ne(self):
2203 aia = x509.AuthorityInformationAccess([
2204 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2205 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2206 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2207 ),
2208 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2209 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2210 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2211 )
2212 ])
2213 aia2 = x509.AuthorityInformationAccess([
2214 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2215 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2216 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2217 ),
2218 ])
2219
2220 assert aia != aia2
2221 assert aia != object()
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2222
Paul Kehrerad4b3592015-12-27 17:27:40 -0600[diff] [blame]2223 def test_indexing(self):
2224 aia = x509.AuthorityInformationAccess([
2225 x509.AccessDescription(
2226 AuthorityInformationAccessOID.OCSP,
2227 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2228 ),
2229 x509.AccessDescription(
2230 AuthorityInformationAccessOID.CA_ISSUERS,
2231 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2232 ),
2233 x509.AccessDescription(
2234 AuthorityInformationAccessOID.OCSP,
2235 x509.UniformResourceIdentifier(u"http://ocsp2.domain.com")
2236 ),
2237 x509.AccessDescription(
2238 AuthorityInformationAccessOID.OCSP,
2239 x509.UniformResourceIdentifier(u"http://ocsp3.domain.com")
2240 ),
2241 x509.AccessDescription(
2242 AuthorityInformationAccessOID.OCSP,
2243 x509.UniformResourceIdentifier(u"http://ocsp4.domain.com")
2244 ),
2245 ])
2246 assert aia[-1] == aia[4]
2247 assert aia[2:6:2] == [aia[2], aia[4]]
2248
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2249
2250@pytest.mark.requires_backend_interface(interface=RSABackend)
2251@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2252class TestAuthorityInformationAccessExtension(object):
2253 def test_aia_ocsp_ca_issuers(self, backend):
2254 cert = _load_cert(
2255 os.path.join("x509", "cryptography.io.pem"),
2256 x509.load_pem_x509_certificate,
2257 backend
2258 )
2259 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2260 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2261 )
2262 assert ext is not None
2263 assert ext.critical is False
2264
2265 assert ext.value == x509.AuthorityInformationAccess([
2266 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2267 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2268 x509.UniformResourceIdentifier(u"http://gv.symcd.com")
2269 ),
2270 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2271 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2272 x509.UniformResourceIdentifier(u"http://gv.symcb.com/gv.crt")
2273 ),
2274 ])
2275
2276 def test_aia_multiple_ocsp_ca_issuers(self, backend):
2277 cert = _load_cert(
2278 os.path.join("x509", "custom", "aia_ocsp_ca_issuers.pem"),
2279 x509.load_pem_x509_certificate,
2280 backend
2281 )
2282 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2283 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2284 )
2285 assert ext is not None
2286 assert ext.critical is False
2287
2288 assert ext.value == x509.AuthorityInformationAccess([
2289 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2290 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2291 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2292 ),
2293 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2294 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2295 x509.UniformResourceIdentifier(u"http://ocsp2.domain.com")
2296 ),
2297 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2298 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2299 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2300 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
2301 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2302 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2303 ]))
2304 ),
2305 ])
2306
2307 def test_aia_ocsp_only(self, backend):
2308 cert = _load_cert(
2309 os.path.join("x509", "custom", "aia_ocsp.pem"),
2310 x509.load_pem_x509_certificate,
2311 backend
2312 )
2313 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2314 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2315 )
2316 assert ext is not None
2317 assert ext.critical is False
2318
2319 assert ext.value == x509.AuthorityInformationAccess([
2320 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2321 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2322 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2323 ),
2324 ])
2325
2326 def test_aia_ca_issuers_only(self, backend):
2327 cert = _load_cert(
2328 os.path.join("x509", "custom", "aia_ca_issuers.pem"),
2329 x509.load_pem_x509_certificate,
2330 backend
2331 )
2332 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2333 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2334 )
2335 assert ext is not None
2336 assert ext.critical is False
2337
2338 assert ext.value == x509.AuthorityInformationAccess([
2339 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2340 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2341 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2342 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
2343 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2344 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2345 ]))
2346 ),
2347 ])
2348
2349
2350@pytest.mark.requires_backend_interface(interface=RSABackend)
2351@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2352class TestAuthorityKeyIdentifierExtension(object):
2353 def test_aki_keyid(self, backend):
2354 cert = _load_cert(
2355 os.path.join(
2356 "x509", "cryptography.io.pem"
2357 ),
2358 x509.load_pem_x509_certificate,
2359 backend
2360 )
2361 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2362 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2363 )
2364 assert ext is not None
2365 assert ext.critical is False
2366
2367 assert ext.value.key_identifier == (
2368 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08\xcbY"
2369 )
2370 assert ext.value.authority_cert_issuer is None
2371 assert ext.value.authority_cert_serial_number is None
2372
2373 def test_aki_all_fields(self, backend):
2374 cert = _load_cert(
2375 os.path.join(
2376 "x509", "custom", "authority_key_identifier.pem"
2377 ),
2378 x509.load_pem_x509_certificate,
2379 backend
2380 )
2381 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2382 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2383 )
2384 assert ext is not None
2385 assert ext.critical is False
2386
2387 assert ext.value.key_identifier == (
2388 b"9E>\xca=b\x1d\xea\x86I\xf6Z\xab@\xb7\xa4p\x98\xf1\xec"
2389 )
2390 assert ext.value.authority_cert_issuer == [
2391 x509.DirectoryName(
2392 x509.Name([
2393 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2394 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2395 ),
2396 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2397 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2398 )
2399 ])
2400 )
2401 ]
2402 assert ext.value.authority_cert_serial_number == 3
2403
2404 def test_aki_no_keyid(self, backend):
2405 cert = _load_cert(
2406 os.path.join(
2407 "x509", "custom", "authority_key_identifier_no_keyid.pem"
2408 ),
2409 x509.load_pem_x509_certificate,
2410 backend
2411 )
2412 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2413 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2414 )
2415 assert ext is not None
2416 assert ext.critical is False
2417
2418 assert ext.value.key_identifier is None
2419 assert ext.value.authority_cert_issuer == [
2420 x509.DirectoryName(
2421 x509.Name([
2422 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2423 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2424 ),
2425 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2426 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2427 )
2428 ])
2429 )
2430 ]
2431 assert ext.value.authority_cert_serial_number == 3
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2432
Paul Kehrer253929a2015-08-05 17:30:39 +0100[diff] [blame]2433 def test_from_certificate(self, backend):
2434 issuer_cert = _load_cert(
2435 os.path.join("x509", "rapidssl_sha256_ca_g3.pem"),
2436 x509.load_pem_x509_certificate,
2437 backend
2438 )
2439 cert = _load_cert(
2440 os.path.join("x509", "cryptography.io.pem"),
2441 x509.load_pem_x509_certificate,
2442 backend
2443 )
2444 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2445 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrer253929a2015-08-05 17:30:39 +0100[diff] [blame]2446 )
2447 aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(
2448 issuer_cert.public_key()
2449 )
2450 assert ext.value == aki
2451
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2452
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2453class TestNameConstraints(object):
2454 def test_ipaddress_wrong_type(self):
2455 with pytest.raises(TypeError):
2456 x509.NameConstraints(
2457 permitted_subtrees=[
2458 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2459 ],
2460 excluded_subtrees=None
2461 )
2462
2463 with pytest.raises(TypeError):
2464 x509.NameConstraints(
2465 permitted_subtrees=None,
2466 excluded_subtrees=[
2467 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2468 ]
2469 )
2470
2471 def test_ipaddress_allowed_type(self):
2472 permitted = [x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29"))]
2473 excluded = [x509.IPAddress(ipaddress.IPv4Network(u"10.10.0.0/24"))]
2474 nc = x509.NameConstraints(
2475 permitted_subtrees=permitted,
2476 excluded_subtrees=excluded
2477 )
2478 assert nc.permitted_subtrees == permitted
2479 assert nc.excluded_subtrees == excluded
2480
2481 def test_invalid_permitted_subtrees(self):
2482 with pytest.raises(TypeError):
2483 x509.NameConstraints("badpermitted", None)
2484
2485 def test_invalid_excluded_subtrees(self):
2486 with pytest.raises(TypeError):
2487 x509.NameConstraints(None, "badexcluded")
2488
2489 def test_no_subtrees(self):
2490 with pytest.raises(ValueError):
2491 x509.NameConstraints(None, None)
2492
2493 def test_permitted_none(self):
2494 excluded = [x509.DNSName(u"name.local")]
2495 nc = x509.NameConstraints(
2496 permitted_subtrees=None, excluded_subtrees=excluded
2497 )
2498 assert nc.permitted_subtrees is None
2499 assert nc.excluded_subtrees is not None
2500
2501 def test_excluded_none(self):
2502 permitted = [x509.DNSName(u"name.local")]
2503 nc = x509.NameConstraints(
2504 permitted_subtrees=permitted, excluded_subtrees=None
2505 )
2506 assert nc.permitted_subtrees is not None
2507 assert nc.excluded_subtrees is None
2508
2509 def test_repr(self):
2510 permitted = [x509.DNSName(u"name.local"), x509.DNSName(u"name2.local")]
2511 nc = x509.NameConstraints(
2512 permitted_subtrees=permitted,
2513 excluded_subtrees=None
2514 )
2515 assert repr(nc) == (
2516 "<NameConstraints(permitted_subtrees=[<DNSName(value=name.local)>"
2517 ", <DNSName(value=name2.local)>], excluded_subtrees=None)>"
2518 )
2519
Paul Kehrer31894282015-06-21 21:46:41 -0500[diff] [blame]2520 def test_eq(self):
2521 nc = x509.NameConstraints(
2522 permitted_subtrees=[x509.DNSName(u"name.local")],
2523 excluded_subtrees=[x509.DNSName(u"name2.local")]
2524 )
2525 nc2 = x509.NameConstraints(
2526 permitted_subtrees=[x509.DNSName(u"name.local")],
2527 excluded_subtrees=[x509.DNSName(u"name2.local")]
2528 )
2529 assert nc == nc2
2530
2531 def test_ne(self):
2532 nc = x509.NameConstraints(
2533 permitted_subtrees=[x509.DNSName(u"name.local")],
2534 excluded_subtrees=[x509.DNSName(u"name2.local")]
2535 )
2536 nc2 = x509.NameConstraints(
2537 permitted_subtrees=[x509.DNSName(u"name.local")],
2538 excluded_subtrees=None
2539 )
2540 nc3 = x509.NameConstraints(
2541 permitted_subtrees=None,
2542 excluded_subtrees=[x509.DNSName(u"name2.local")]
2543 )
2544
2545 assert nc != nc2
2546 assert nc != nc3
2547 assert nc != object()
2548
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2549
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2550@pytest.mark.requires_backend_interface(interface=RSABackend)
2551@pytest.mark.requires_backend_interface(interface=X509Backend)
2552class TestNameConstraintsExtension(object):
2553 def test_permitted_excluded(self, backend):
2554 cert = _load_cert(
2555 os.path.join(
2556 "x509", "custom", "nc_permitted_excluded_2.pem"
2557 ),
2558 x509.load_pem_x509_certificate,
2559 backend
2560 )
2561 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2562 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2563 ).value
2564 assert nc == x509.NameConstraints(
2565 permitted_subtrees=[
2566 x509.DNSName(u"zombo.local"),
2567 ],
2568 excluded_subtrees=[
2569 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2570 x509.NameAttribute(NameOID.COMMON_NAME, u"zombo")
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2571 ]))
2572 ]
2573 )
2574
2575 def test_permitted(self, backend):
2576 cert = _load_cert(
2577 os.path.join(
2578 "x509", "custom", "nc_permitted_2.pem"
2579 ),
2580 x509.load_pem_x509_certificate,
2581 backend
2582 )
2583 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2584 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2585 ).value
2586 assert nc == x509.NameConstraints(
2587 permitted_subtrees=[
2588 x509.DNSName(u"zombo.local"),
2589 ],
2590 excluded_subtrees=None
2591 )
2592
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2593 def test_permitted_with_leading_period(self, backend):
2594 cert = _load_cert(
2595 os.path.join(
2596 "x509", "custom", "nc_permitted.pem"
2597 ),
2598 x509.load_pem_x509_certificate,
2599 backend
2600 )
2601 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2602 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2603 ).value
2604 assert nc == x509.NameConstraints(
2605 permitted_subtrees=[
2606 x509.DNSName(u".cryptography.io"),
2607 x509.UniformResourceIdentifier(u"ftp://cryptography.test")
2608 ],
2609 excluded_subtrees=None
2610 )
2611
2612 def test_excluded_with_leading_period(self, backend):
2613 cert = _load_cert(
2614 os.path.join(
2615 "x509", "custom", "nc_excluded.pem"
2616 ),
2617 x509.load_pem_x509_certificate,
2618 backend
2619 )
2620 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2621 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2622 ).value
2623 assert nc == x509.NameConstraints(
2624 permitted_subtrees=None,
2625 excluded_subtrees=[
2626 x509.DNSName(u".cryptography.io"),
2627 x509.UniformResourceIdentifier(u"gopher://cryptography.test")
2628 ]
2629 )
2630
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2631 def test_permitted_excluded_with_ips(self, backend):
2632 cert = _load_cert(
2633 os.path.join(
2634 "x509", "custom", "nc_permitted_excluded.pem"
2635 ),
2636 x509.load_pem_x509_certificate,
2637 backend
2638 )
2639 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2640 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2641 ).value
2642 assert nc == x509.NameConstraints(
2643 permitted_subtrees=[
2644 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")),
2645 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")),
2646 ],
2647 excluded_subtrees=[
2648 x509.DNSName(u".domain.com"),
2649 x509.UniformResourceIdentifier(u"http://test.local"),
2650 ]
2651 )
2652
Paul Kehrera72ebaf2015-07-01 21:07:37 -0500[diff] [blame]2653 def test_single_ip_netmask(self, backend):
2654 cert = _load_cert(
2655 os.path.join(
2656 "x509", "custom", "nc_single_ip_netmask.pem"
2657 ),
2658 x509.load_pem_x509_certificate,
2659 backend
2660 )
2661 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2662 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrera72ebaf2015-07-01 21:07:37 -0500[diff] [blame]2663 ).value
2664 assert nc == x509.NameConstraints(
2665 permitted_subtrees=[
2666 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/128")),
2667 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.1/32")),
2668 ],
2669 excluded_subtrees=None
2670 )
2671
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2672 def test_invalid_netmask(self, backend):
2673 cert = _load_cert(
2674 os.path.join(
2675 "x509", "custom", "nc_invalid_ip_netmask.pem"
2676 ),
2677 x509.load_pem_x509_certificate,
2678 backend
2679 )
2680 with pytest.raises(ValueError):
2681 cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2682 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2683 )
2684
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2685
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2686class TestDistributionPoint(object):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2687 def test_distribution_point_full_name_not_general_names(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2688 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2689 x509.DistributionPoint(["notgn"], None, None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2690
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2691 def test_distribution_point_relative_name_not_name(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2692 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2693 x509.DistributionPoint(None, "notname", None, None)
2694
2695 def test_distribution_point_full_and_relative_not_none(self):
2696 with pytest.raises(ValueError):
2697 x509.DistributionPoint("data", "notname", None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2698
2699 def test_crl_issuer_not_general_names(self):
2700 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2701 x509.DistributionPoint(None, None, None, ["notgn"])
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2702
2703 def test_reason_not_reasonflags(self):
2704 with pytest.raises(TypeError):
2705 x509.DistributionPoint(
2706 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2707 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2708 frozenset(["notreasonflags"]),
2709 None
2710 )
2711
2712 def test_reason_not_frozenset(self):
2713 with pytest.raises(TypeError):
2714 x509.DistributionPoint(
2715 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2716 None,
2717 [x509.ReasonFlags.ca_compromise],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2718 None
2719 )
2720
2721 def test_disallowed_reasons(self):
2722 with pytest.raises(ValueError):
2723 x509.DistributionPoint(
2724 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2725 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2726 frozenset([x509.ReasonFlags.unspecified]),
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2727 None
2728 )
2729
2730 with pytest.raises(ValueError):
2731 x509.DistributionPoint(
2732 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2733 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2734 frozenset([x509.ReasonFlags.remove_from_crl]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2735 None
2736 )
2737
2738 def test_reason_only(self):
2739 with pytest.raises(ValueError):
2740 x509.DistributionPoint(
2741 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2742 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2743 frozenset([x509.ReasonFlags.aa_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2744 None
2745 )
2746
2747 def test_eq(self):
2748 dp = x509.DistributionPoint(
2749 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2750 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2751 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2752 [
2753 x509.DirectoryName(
2754 x509.Name([
2755 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2756 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2757 )
2758 ])
2759 )
2760 ],
2761 )
2762 dp2 = x509.DistributionPoint(
2763 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2764 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2765 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2766 [
2767 x509.DirectoryName(
2768 x509.Name([
2769 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2770 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2771 )
2772 ])
2773 )
2774 ],
2775 )
2776 assert dp == dp2
2777
2778 def test_ne(self):
2779 dp = x509.DistributionPoint(
2780 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2781 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2782 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2783 [
2784 x509.DirectoryName(
2785 x509.Name([
2786 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2787 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2788 )
2789 ])
2790 )
2791 ],
2792 )
2793 dp2 = x509.DistributionPoint(
2794 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2795 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2796 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2797 None
2798 )
2799 assert dp != dp2
2800 assert dp != object()
2801
2802 def test_repr(self):
2803 dp = x509.DistributionPoint(
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2804 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2805 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2806 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN")
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2807 ]),
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2808 frozenset([x509.ReasonFlags.ca_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2809 [
2810 x509.DirectoryName(
2811 x509.Name([
2812 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2813 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2814 )
2815 ])
2816 )
2817 ],
2818 )
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2819 if six.PY3:
2820 assert repr(dp) == (
2821 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2822 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]2823 ">, value='myCN')>])>, reasons=frozenset({<ReasonFlags.ca_comp"
2824 "romise: 'cACompromise'>}), crl_issuer=[<DirectoryName(value=<"
2825 "Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name="
2826 "commonName)>, value='Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2827 )
2828 else:
2829 assert repr(dp) == (
2830 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2831 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2832 ">, value=u'myCN')>])>, reasons=frozenset([<ReasonFlags.ca_com"
2833 "promise: 'cACompromise'>]), crl_issuer=[<DirectoryName(value="
2834 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
2835 "=commonName)>, value=u'Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2836 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2837
2838
2839class TestCRLDistributionPoints(object):
2840 def test_invalid_distribution_points(self):
2841 with pytest.raises(TypeError):
2842 x509.CRLDistributionPoints(["notadistributionpoint"])
2843
2844 def test_iter_len(self):
2845 cdp = x509.CRLDistributionPoints([
2846 x509.DistributionPoint(
2847 [x509.UniformResourceIdentifier(u"http://domain")],
2848 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2849 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2850 None
2851 ),
2852 x509.DistributionPoint(
2853 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2854 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2855 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2856 x509.ReasonFlags.key_compromise,
2857 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2858 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2859 None
2860 ),
2861 ])
2862 assert len(cdp) == 2
2863 assert list(cdp) == [
2864 x509.DistributionPoint(
2865 [x509.UniformResourceIdentifier(u"http://domain")],
2866 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2867 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2868 None
2869 ),
2870 x509.DistributionPoint(
2871 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2872 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2873 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2874 x509.ReasonFlags.key_compromise,
2875 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2876 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2877 None
2878 ),
2879 ]
2880
2881 def test_repr(self):
2882 cdp = x509.CRLDistributionPoints([
2883 x509.DistributionPoint(
2884 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2885 None,
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2886 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2887 None
2888 ),
2889 ])
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2890 if six.PY3:
2891 assert repr(cdp) == (
2892 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2893 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2894 "ne, reasons=frozenset({<ReasonFlags.key_compromise: 'keyComp"
2895 "romise'>}), crl_issuer=None)>])>"
2896 )
2897 else:
2898 assert repr(cdp) == (
2899 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2900 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2901 "ne, reasons=frozenset([<ReasonFlags.key_compromise: 'keyComp"
2902 "romise'>]), crl_issuer=None)>])>"
2903 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2904
2905 def test_eq(self):
2906 cdp = x509.CRLDistributionPoints([
2907 x509.DistributionPoint(
2908 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2909 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2910 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2911 x509.ReasonFlags.key_compromise,
2912 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2913 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2914 [x509.UniformResourceIdentifier(u"uri://thing")],
2915 ),
2916 ])
2917 cdp2 = x509.CRLDistributionPoints([
2918 x509.DistributionPoint(
2919 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2920 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2921 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2922 x509.ReasonFlags.key_compromise,
2923 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2924 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2925 [x509.UniformResourceIdentifier(u"uri://thing")],
2926 ),
2927 ])
2928 assert cdp == cdp2
2929
2930 def test_ne(self):
2931 cdp = x509.CRLDistributionPoints([
2932 x509.DistributionPoint(
2933 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2934 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2935 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2936 x509.ReasonFlags.key_compromise,
2937 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2938 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2939 [x509.UniformResourceIdentifier(u"uri://thing")],
2940 ),
2941 ])
2942 cdp2 = x509.CRLDistributionPoints([
2943 x509.DistributionPoint(
2944 [x509.UniformResourceIdentifier(u"ftp://domain2")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2945 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2946 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2947 x509.ReasonFlags.key_compromise,
2948 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2949 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2950 [x509.UniformResourceIdentifier(u"uri://thing")],
2951 ),
2952 ])
2953 cdp3 = x509.CRLDistributionPoints([
2954 x509.DistributionPoint(
2955 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2956 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2957 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2958 [x509.UniformResourceIdentifier(u"uri://thing")],
2959 ),
2960 ])
2961 cdp4 = x509.CRLDistributionPoints([
2962 x509.DistributionPoint(
2963 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2964 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2965 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2966 x509.ReasonFlags.key_compromise,
2967 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2968 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2969 [x509.UniformResourceIdentifier(u"uri://thing2")],
2970 ),
2971 ])
2972 assert cdp != cdp2
2973 assert cdp != cdp3
2974 assert cdp != cdp4
2975 assert cdp != object()
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2976
Paul Kehreree2e92d2015-12-27 17:29:37 -0600[diff] [blame]2977 def test_indexing(self):
2978 ci = x509.CRLDistributionPoints([
2979 x509.DistributionPoint(
2980 None, None, None,
2981 [x509.UniformResourceIdentifier(u"uri://thing")],
2982 ),
2983 x509.DistributionPoint(
2984 None, None, None,
2985 [x509.UniformResourceIdentifier(u"uri://thing2")],
2986 ),
2987 x509.DistributionPoint(
2988 None, None, None,
2989 [x509.UniformResourceIdentifier(u"uri://thing3")],
2990 ),
2991 x509.DistributionPoint(
2992 None, None, None,
2993 [x509.UniformResourceIdentifier(u"uri://thing4")],
2994 ),
2995 x509.DistributionPoint(
2996 None, None, None,
2997 [x509.UniformResourceIdentifier(u"uri://thing5")],
2998 ),
2999 ])
3000 assert ci[-1] == ci[4]
3001 assert ci[2:6:2] == [ci[2], ci[4]]
3002
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3003
3004@pytest.mark.requires_backend_interface(interface=RSABackend)
3005@pytest.mark.requires_backend_interface(interface=X509Backend)
3006class TestCRLDistributionPointsExtension(object):
3007 def test_fullname_and_crl_issuer(self, backend):
3008 cert = _load_cert(
3009 os.path.join(
3010 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest28EE.crt"
3011 ),
3012 x509.load_der_x509_certificate,
3013 backend
3014 )
3015
3016 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3017 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3018 ).value
3019
3020 assert cdps == x509.CRLDistributionPoints([
3021 x509.DistributionPoint(
3022 full_name=[x509.DirectoryName(
3023 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3024 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3025 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3026 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3027 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3028 ),
3029 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3030 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3031 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3032 ),
3033 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3034 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3035 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3036 ),
3037 ])
3038 )],
3039 relative_name=None,
3040 reasons=None,
3041 crl_issuer=[x509.DirectoryName(
3042 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3043 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3044 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3045 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3046 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3047 ),
3048 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3049 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3050 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3051 ),
3052 ])
3053 )],
3054 )
3055 ])
3056
3057 def test_relativename_and_crl_issuer(self, backend):
3058 cert = _load_cert(
3059 os.path.join(
3060 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest29EE.crt"
3061 ),
3062 x509.load_der_x509_certificate,
3063 backend
3064 )
3065
3066 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3067 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3068 ).value
3069
3070 assert cdps == x509.CRLDistributionPoints([
3071 x509.DistributionPoint(
3072 full_name=None,
3073 relative_name=x509.Name([
3074 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3075 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3076 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3077 ),
3078 ]),
3079 reasons=None,
3080 crl_issuer=[x509.DirectoryName(
3081 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3082 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3083 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3084 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3085 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3086 ),
3087 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3088 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3089 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3090 ),
3091 ])
3092 )],
3093 )
3094 ])
3095
3096 def test_fullname_crl_issuer_reasons(self, backend):
3097 cert = _load_cert(
3098 os.path.join(
3099 "x509", "custom", "cdp_fullname_reasons_crl_issuer.pem"
3100 ),
3101 x509.load_pem_x509_certificate,
3102 backend
3103 )
3104
3105 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3106 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3107 ).value
3108
3109 assert cdps == x509.CRLDistributionPoints([
3110 x509.DistributionPoint(
3111 full_name=[x509.UniformResourceIdentifier(
3112 u"http://myhost.com/myca.crl"
3113 )],
3114 relative_name=None,
3115 reasons=frozenset([
3116 x509.ReasonFlags.key_compromise,
3117 x509.ReasonFlags.ca_compromise
3118 ]),
3119 crl_issuer=[x509.DirectoryName(
3120 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3121 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3122 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3123 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3124 ),
3125 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3126 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3127 ),
3128 ])
3129 )],
3130 )
3131 ])
3132
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3133 def test_all_reasons(self, backend):
3134 cert = _load_cert(
3135 os.path.join(
3136 "x509", "custom", "cdp_all_reasons.pem"
3137 ),
3138 x509.load_pem_x509_certificate,
3139 backend
3140 )
3141
3142 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3143 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3144 ).value
3145
3146 assert cdps == x509.CRLDistributionPoints([
3147 x509.DistributionPoint(
3148 full_name=[x509.UniformResourceIdentifier(
3149 u"http://domain.com/some.crl"
3150 )],
3151 relative_name=None,
3152 reasons=frozenset([
3153 x509.ReasonFlags.key_compromise,
3154 x509.ReasonFlags.ca_compromise,
3155 x509.ReasonFlags.affiliation_changed,
3156 x509.ReasonFlags.superseded,
3157 x509.ReasonFlags.privilege_withdrawn,
3158 x509.ReasonFlags.cessation_of_operation,
3159 x509.ReasonFlags.aa_compromise,
3160 x509.ReasonFlags.certificate_hold,
3161 ]),
3162 crl_issuer=None
3163 )
3164 ])
3165
3166 def test_single_reason(self, backend):
3167 cert = _load_cert(
3168 os.path.join(
3169 "x509", "custom", "cdp_reason_aa_compromise.pem"
3170 ),
3171 x509.load_pem_x509_certificate,
3172 backend
3173 )
3174
3175 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3176 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3177 ).value
3178
3179 assert cdps == x509.CRLDistributionPoints([
3180 x509.DistributionPoint(
3181 full_name=[x509.UniformResourceIdentifier(
3182 u"http://domain.com/some.crl"
3183 )],
3184 relative_name=None,
3185 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
3186 crl_issuer=None
3187 )
3188 ])
3189
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3190 def test_crl_issuer_only(self, backend):
3191 cert = _load_cert(
3192 os.path.join(
3193 "x509", "custom", "cdp_crl_issuer.pem"
3194 ),
3195 x509.load_pem_x509_certificate,
3196 backend
3197 )
3198
3199 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3200 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3201 ).value
3202
3203 assert cdps == x509.CRLDistributionPoints([
3204 x509.DistributionPoint(
3205 full_name=None,
3206 relative_name=None,
3207 reasons=None,
3208 crl_issuer=[x509.DirectoryName(
3209 x509.Name([
3210 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3211 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3212 ),
3213 ])
3214 )],
3215 )
3216 ])
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3217
Dominic Chen87bb9572015-10-09 00:23:07 -0400[diff] [blame]3218 def test_crl_empty_hostname(self, backend):
3219 cert = _load_cert(
3220 os.path.join(
3221 "x509", "custom", "cdp_empty_hostname.pem"
3222 ),
3223 x509.load_pem_x509_certificate,
3224 backend
3225 )
3226
3227 cdps = cert.extensions.get_extension_for_oid(
3228 ExtensionOID.CRL_DISTRIBUTION_POINTS
3229 ).value
3230
3231 assert cdps == x509.CRLDistributionPoints([
3232 x509.DistributionPoint(
3233 full_name=[x509.UniformResourceIdentifier(
3234 u"ldap:/CN=A,OU=B,dc=C,DC=D?E?F?G?H=I"
3235 )],
3236 relative_name=None,
3237 reasons=None,
3238 crl_issuer=None
3239 )
3240 ])
3241
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3242
Paul Kehrerf54a50b2015-06-17 18:31:26 -0600[diff] [blame]3243@pytest.mark.requires_backend_interface(interface=RSABackend)
3244@pytest.mark.requires_backend_interface(interface=X509Backend)
3245class TestOCSPNoCheckExtension(object):
3246 def test_nocheck(self, backend):
3247 cert = _load_cert(
3248 os.path.join(
3249 "x509", "custom", "ocsp_nocheck.pem"
3250 ),
3251 x509.load_pem_x509_certificate,
3252 backend
3253 )
3254 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3255 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf54a50b2015-06-17 18:31:26 -0600[diff] [blame]3256 )
3257 assert isinstance(ext.value, x509.OCSPNoCheck)
3258
3259
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3260class TestInhibitAnyPolicy(object):
3261 def test_not_int(self):
3262 with pytest.raises(TypeError):
3263 x509.InhibitAnyPolicy("notint")
3264
3265 def test_negative_int(self):
3266 with pytest.raises(ValueError):
3267 x509.InhibitAnyPolicy(-1)
3268
3269 def test_repr(self):
3270 iap = x509.InhibitAnyPolicy(0)
3271 assert repr(iap) == "<InhibitAnyPolicy(skip_certs=0)>"
3272
3273 def test_eq(self):
3274 iap = x509.InhibitAnyPolicy(1)
3275 iap2 = x509.InhibitAnyPolicy(1)
3276 assert iap == iap2
3277
3278 def test_ne(self):
3279 iap = x509.InhibitAnyPolicy(1)
3280 iap2 = x509.InhibitAnyPolicy(4)
3281 assert iap != iap2
3282 assert iap != object()
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]3283
3284
3285@pytest.mark.requires_backend_interface(interface=RSABackend)
3286@pytest.mark.requires_backend_interface(interface=X509Backend)
3287class TestInhibitAnyPolicyExtension(object):
3288 def test_nocheck(self, backend):
3289 cert = _load_cert(
3290 os.path.join(
3291 "x509", "custom", "inhibit_any_policy_5.pem"
3292 ),
3293 x509.load_pem_x509_certificate,
3294 backend
3295 )
3296 iap = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3297 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]3298 ).value
3299 assert iap.skip_certs == 5
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]3300
3301
3302@pytest.mark.requires_backend_interface(interface=RSABackend)
3303@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1b7500f2015-08-01 20:56:27 +0100[diff] [blame]3304class TestInvalidExtension(object):
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]3305 def test_invalid_certificate_policies_data(self, backend):
3306 cert = _load_cert(
3307 os.path.join(
3308 "x509", "custom", "cp_invalid.pem"
3309 ),
3310 x509.load_pem_x509_certificate,
3311 backend
3312 )
3313 with pytest.raises(ValueError):
3314 cert.extensions