Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 49bb7565120b181752dc2574cd0e3660393c707c / . / tests / test_x509_ext.py
blob: f124a2861e8ea03a0dd1219600dcd4bfb7aed116 [file] [log] [blame]
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]7import binascii
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]8import ipaddress
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]9import os
10
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]11import pytest
12
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]13import six
14
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]15from cryptography import x509
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]16from cryptography.hazmat.backends.interfaces import (
17 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
18)
19from cryptography.hazmat.primitives.asymmetric import ec
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]20from cryptography.x509.oid import (
Nick Bastin326fc8e2015-12-12 19:08:12 -0800[diff] [blame]21 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID,
22 NameOID, ObjectIdentifier
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]23)
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]24
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]25from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]26from .test_x509 import _load_cert
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]27
28
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]29class TestExtension(object):
30 def test_not_an_oid(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]31 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]32 with pytest.raises(TypeError):
33 x509.Extension("notanoid", True, bc)
34
35 def test_critical_not_a_bool(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]36 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]37 with pytest.raises(TypeError):
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]38 x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, "notabool", bc)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]39
40 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]41 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]42 ext = x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, True, bc)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]43 assert repr(ext) == (
44 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConst"
45 "raints)>, critical=True, value=<BasicConstraints(ca=False, path"
46 "_length=None)>)>"
47 )
48
Paul Kehrer58e870c2015-05-17 09:15:30 -0700[diff] [blame]49 def test_eq(self):
50 ext1 = x509.Extension(
51 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
52 )
53 ext2 = x509.Extension(
54 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
55 )
56 assert ext1 == ext2
57
58 def test_ne(self):
59 ext1 = x509.Extension(
60 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
61 )
62 ext2 = x509.Extension(
63 x509.ObjectIdentifier('1.2.3.5'), False, 'value'
64 )
65 ext3 = x509.Extension(
66 x509.ObjectIdentifier('1.2.3.4'), True, 'value'
67 )
68 ext4 = x509.Extension(
69 x509.ObjectIdentifier('1.2.3.4'), False, 'value4'
70 )
71 assert ext1 != ext2
72 assert ext1 != ext3
73 assert ext1 != ext4
74 assert ext1 != object()
75
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]76
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame^]77class TestCertificateIssuer(object):
78 def test_iter_names(self):
79 ci = x509.CertificateIssuer([
80 x509.DNSName(u"cryptography.io"),
81 x509.DNSName(u"crypto.local"),
82 ])
83 assert len(ci) == 2
84 assert list(ci) == [
85 x509.DNSName(u"cryptography.io"),
86 x509.DNSName(u"crypto.local"),
87 ]
88
89 def test_eq(self):
90 ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
91 ci2 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
92 assert ci1 == ci2
93
94 def test_ne(self):
95 ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
96 ci2 = x509.CertificateIssuer([x509.DNSName(u"somethingelse.tld")])
97 assert ci1 != ci2
98 assert ci1 != object()
99
100 def test_repr(self):
101 ci = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
102 assert repr(ci) == (
103 "<CertificateIssuer(<GeneralNames([<DNSName(value=cryptography.io"
104 ")>])>)>"
105 )
106
107 def test_get_values_for_type(self):
108 ci = x509.CertificateIssuer(
109 [x509.DNSName(u"cryptography.io")]
110 )
111 names = ci.get_values_for_type(x509.DNSName)
112 assert names == [u"cryptography.io"]
113
114
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]115class TestNoticeReference(object):
116 def test_notice_numbers_not_all_int(self):
117 with pytest.raises(TypeError):
118 x509.NoticeReference("org", [1, 2, "three"])
119
120 def test_notice_numbers_none(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]121 with pytest.raises(TypeError):
122 x509.NoticeReference("org", None)
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]123
124 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]125 nr = x509.NoticeReference(u"org", [1, 3, 4])
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]126
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]127 if six.PY3:
128 assert repr(nr) == (
129 "<NoticeReference(organization='org', notice_numbers=[1, 3, 4"
130 "])>"
131 )
132 else:
133 assert repr(nr) == (
134 "<NoticeReference(organization=u'org', notice_numbers=[1, 3, "
135 "4])>"
136 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]137
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]138 def test_eq(self):
139 nr = x509.NoticeReference("org", [1, 2])
140 nr2 = x509.NoticeReference("org", [1, 2])
141 assert nr == nr2
142
143 def test_ne(self):
144 nr = x509.NoticeReference("org", [1, 2])
145 nr2 = x509.NoticeReference("org", [1])
146 nr3 = x509.NoticeReference(None, [1, 2])
147 assert nr != nr2
148 assert nr != nr3
149 assert nr != object()
150
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]151
152class TestUserNotice(object):
153 def test_notice_reference_invalid(self):
154 with pytest.raises(TypeError):
155 x509.UserNotice("invalid", None)
156
157 def test_notice_reference_none(self):
158 un = x509.UserNotice(None, "text")
159 assert un.notice_reference is None
160 assert un.explicit_text == "text"
161
162 def test_repr(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]163 un = x509.UserNotice(x509.NoticeReference(u"org", [1]), u"text")
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]164 if six.PY3:
165 assert repr(un) == (
166 "<UserNotice(notice_reference=<NoticeReference(organization='"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]167 "org', notice_numbers=[1])>, explicit_text='text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]168 )
169 else:
170 assert repr(un) == (
171 "<UserNotice(notice_reference=<NoticeReference(organization=u"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]172 "'org', notice_numbers=[1])>, explicit_text=u'text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]173 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]174
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]175 def test_eq(self):
176 nr = x509.NoticeReference("org", [1, 2])
177 nr2 = x509.NoticeReference("org", [1, 2])
178 un = x509.UserNotice(nr, "text")
179 un2 = x509.UserNotice(nr2, "text")
180 assert un == un2
181
182 def test_ne(self):
183 nr = x509.NoticeReference("org", [1, 2])
184 nr2 = x509.NoticeReference("org", [1])
185 un = x509.UserNotice(nr, "text")
186 un2 = x509.UserNotice(nr2, "text")
187 un3 = x509.UserNotice(nr, "text3")
188 assert un != un2
189 assert un != un3
190 assert un != object()
191
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]192
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]193class TestPolicyInformation(object):
194 def test_invalid_policy_identifier(self):
195 with pytest.raises(TypeError):
196 x509.PolicyInformation("notanoid", None)
197
198 def test_none_policy_qualifiers(self):
199 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), None)
200 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
201 assert pi.policy_qualifiers is None
202
203 def test_policy_qualifiers(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]204 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]205 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
206 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
207 assert pi.policy_qualifiers == pq
208
209 def test_invalid_policy_identifiers(self):
210 with pytest.raises(TypeError):
211 x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [1, 2])
212
213 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]214 pq = [u"string", x509.UserNotice(None, u"hi")]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]215 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]216 if six.PY3:
217 assert repr(pi) == (
218 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
219 "2.3, name=Unknown OID)>, policy_qualifiers=['string', <UserNo"
Paul Kehrer9aaef9e2015-05-11 10:49:20 -0500[diff] [blame]220 "tice(notice_reference=None, explicit_text='hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]221 )
222 else:
223 assert repr(pi) == (
224 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
225 "2.3, name=Unknown OID)>, policy_qualifiers=[u'string', <UserN"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]226 "otice(notice_reference=None, explicit_text=u'hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]227 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]228
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]229 def test_eq(self):
230 pi = x509.PolicyInformation(
231 x509.ObjectIdentifier("1.2.3"),
232 [u"string", x509.UserNotice(None, u"hi")]
233 )
234 pi2 = x509.PolicyInformation(
235 x509.ObjectIdentifier("1.2.3"),
236 [u"string", x509.UserNotice(None, u"hi")]
237 )
238 assert pi == pi2
239
240 def test_ne(self):
241 pi = x509.PolicyInformation(
242 x509.ObjectIdentifier("1.2.3"), [u"string"]
243 )
244 pi2 = x509.PolicyInformation(
245 x509.ObjectIdentifier("1.2.3"), [u"string2"]
246 )
247 pi3 = x509.PolicyInformation(
248 x509.ObjectIdentifier("1.2.3.4"), [u"string"]
249 )
250 assert pi != pi2
251 assert pi != pi3
252 assert pi != object()
253
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]254
255class TestCertificatePolicies(object):
256 def test_invalid_policies(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]257 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]258 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
259 with pytest.raises(TypeError):
260 x509.CertificatePolicies([1, pi])
261
262 def test_iter_len(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]263 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]264 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
265 cp = x509.CertificatePolicies([pi])
266 assert len(cp) == 1
267 for policyinfo in cp:
268 assert policyinfo == pi
269
270 def test_repr(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]271 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]272 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
273 cp = x509.CertificatePolicies([pi])
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]274 if six.PY3:
275 assert repr(cp) == (
276 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
277 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
278 "ers=['string'])>])>"
279 )
280 else:
281 assert repr(cp) == (
282 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
283 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
284 "ers=[u'string'])>])>"
285 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]286
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]287 def test_eq(self):
288 pi = x509.PolicyInformation(
289 x509.ObjectIdentifier("1.2.3"), [u"string"]
290 )
291 cp = x509.CertificatePolicies([pi])
292 pi2 = x509.PolicyInformation(
293 x509.ObjectIdentifier("1.2.3"), [u"string"]
294 )
295 cp2 = x509.CertificatePolicies([pi2])
296 assert cp == cp2
297
298 def test_ne(self):
299 pi = x509.PolicyInformation(
300 x509.ObjectIdentifier("1.2.3"), [u"string"]
301 )
302 cp = x509.CertificatePolicies([pi])
303 pi2 = x509.PolicyInformation(
304 x509.ObjectIdentifier("1.2.3"), [u"string2"]
305 )
306 cp2 = x509.CertificatePolicies([pi2])
307 assert cp != cp2
308 assert cp != object()
309
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]310
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]311@pytest.mark.requires_backend_interface(interface=RSABackend)
312@pytest.mark.requires_backend_interface(interface=X509Backend)
313class TestCertificatePoliciesExtension(object):
314 def test_cps_uri_policy_qualifier(self, backend):
315 cert = _load_cert(
316 os.path.join("x509", "custom", "cp_cps_uri.pem"),
317 x509.load_pem_x509_certificate,
318 backend
319 )
320
321 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]322 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]323 ).value
324
325 assert cp == x509.CertificatePolicies([
326 x509.PolicyInformation(
327 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
328 [u"http://other.com/cps"]
329 )
330 ])
331
332 def test_user_notice_with_notice_reference(self, backend):
333 cert = _load_cert(
334 os.path.join(
335 "x509", "custom", "cp_user_notice_with_notice_reference.pem"
336 ),
337 x509.load_pem_x509_certificate,
338 backend
339 )
340
341 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]342 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]343 ).value
344
345 assert cp == x509.CertificatePolicies([
346 x509.PolicyInformation(
347 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
348 [
349 u"http://example.com/cps",
350 u"http://other.com/cps",
351 x509.UserNotice(
352 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
353 u"thing"
354 )
355 ]
356 )
357 ])
358
359 def test_user_notice_with_explicit_text(self, backend):
360 cert = _load_cert(
361 os.path.join(
362 "x509", "custom", "cp_user_notice_with_explicit_text.pem"
363 ),
364 x509.load_pem_x509_certificate,
365 backend
366 )
367
368 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]369 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]370 ).value
371
372 assert cp == x509.CertificatePolicies([
373 x509.PolicyInformation(
374 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
375 [x509.UserNotice(None, u"thing")]
376 )
377 ])
378
379 def test_user_notice_no_explicit_text(self, backend):
380 cert = _load_cert(
381 os.path.join(
382 "x509", "custom", "cp_user_notice_no_explicit_text.pem"
383 ),
384 x509.load_pem_x509_certificate,
385 backend
386 )
387
388 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]389 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]390 ).value
391
392 assert cp == x509.CertificatePolicies([
393 x509.PolicyInformation(
394 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
395 [
396 x509.UserNotice(
397 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
398 None
399 )
400 ]
401 )
402 ])
403
404
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]405class TestKeyUsage(object):
406 def test_key_agreement_false_encipher_decipher_true(self):
407 with pytest.raises(ValueError):
408 x509.KeyUsage(
409 digital_signature=False,
410 content_commitment=False,
411 key_encipherment=False,
412 data_encipherment=False,
413 key_agreement=False,
414 key_cert_sign=False,
415 crl_sign=False,
416 encipher_only=True,
417 decipher_only=False
418 )
419
420 with pytest.raises(ValueError):
421 x509.KeyUsage(
422 digital_signature=False,
423 content_commitment=False,
424 key_encipherment=False,
425 data_encipherment=False,
426 key_agreement=False,
427 key_cert_sign=False,
428 crl_sign=False,
429 encipher_only=True,
430 decipher_only=True
431 )
432
433 with pytest.raises(ValueError):
434 x509.KeyUsage(
435 digital_signature=False,
436 content_commitment=False,
437 key_encipherment=False,
438 data_encipherment=False,
439 key_agreement=False,
440 key_cert_sign=False,
441 crl_sign=False,
442 encipher_only=False,
443 decipher_only=True
444 )
445
446 def test_properties_key_agreement_true(self):
447 ku = x509.KeyUsage(
448 digital_signature=True,
449 content_commitment=True,
450 key_encipherment=False,
451 data_encipherment=False,
452 key_agreement=False,
453 key_cert_sign=True,
454 crl_sign=False,
455 encipher_only=False,
456 decipher_only=False
457 )
458 assert ku.digital_signature is True
459 assert ku.content_commitment is True
460 assert ku.key_encipherment is False
461 assert ku.data_encipherment is False
462 assert ku.key_agreement is False
463 assert ku.key_cert_sign is True
464 assert ku.crl_sign is False
465
466 def test_key_agreement_true_properties(self):
467 ku = x509.KeyUsage(
468 digital_signature=False,
469 content_commitment=False,
470 key_encipherment=False,
471 data_encipherment=False,
472 key_agreement=True,
473 key_cert_sign=False,
474 crl_sign=False,
475 encipher_only=False,
476 decipher_only=True
477 )
478 assert ku.key_agreement is True
479 assert ku.encipher_only is False
480 assert ku.decipher_only is True
481
482 def test_key_agreement_false_properties(self):
483 ku = x509.KeyUsage(
484 digital_signature=False,
485 content_commitment=False,
486 key_encipherment=False,
487 data_encipherment=False,
488 key_agreement=False,
489 key_cert_sign=False,
490 crl_sign=False,
491 encipher_only=False,
492 decipher_only=False
493 )
494 assert ku.key_agreement is False
495 with pytest.raises(ValueError):
496 ku.encipher_only
497
498 with pytest.raises(ValueError):
499 ku.decipher_only
500
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]501 def test_repr_key_agreement_false(self):
502 ku = x509.KeyUsage(
503 digital_signature=True,
504 content_commitment=True,
505 key_encipherment=False,
506 data_encipherment=False,
507 key_agreement=False,
508 key_cert_sign=True,
509 crl_sign=False,
510 encipher_only=False,
511 decipher_only=False
512 )
513 assert repr(ku) == (
514 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
515 "cipherment=False, data_encipherment=False, key_agreement=False, k"
Paul Kehrerb372e672015-04-15 11:05:24 -0400[diff] [blame]516 "ey_cert_sign=True, crl_sign=False, encipher_only=None, decipher_o"
517 "nly=None)>"
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]518 )
519
520 def test_repr_key_agreement_true(self):
521 ku = x509.KeyUsage(
522 digital_signature=True,
523 content_commitment=True,
524 key_encipherment=False,
525 data_encipherment=False,
526 key_agreement=True,
527 key_cert_sign=True,
528 crl_sign=False,
529 encipher_only=False,
530 decipher_only=False
531 )
532 assert repr(ku) == (
533 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
534 "cipherment=False, data_encipherment=False, key_agreement=True, k"
535 "ey_cert_sign=True, crl_sign=False, encipher_only=False, decipher_"
536 "only=False)>"
537 )
538
Paul Kehrer8565f5e2015-05-13 09:57:09 -0500[diff] [blame]539 def test_eq(self):
540 ku = x509.KeyUsage(
541 digital_signature=False,
542 content_commitment=False,
543 key_encipherment=False,
544 data_encipherment=False,
545 key_agreement=True,
546 key_cert_sign=False,
547 crl_sign=False,
548 encipher_only=False,
549 decipher_only=True
550 )
551 ku2 = x509.KeyUsage(
552 digital_signature=False,
553 content_commitment=False,
554 key_encipherment=False,
555 data_encipherment=False,
556 key_agreement=True,
557 key_cert_sign=False,
558 crl_sign=False,
559 encipher_only=False,
560 decipher_only=True
561 )
562 assert ku == ku2
563
564 def test_ne(self):
565 ku = x509.KeyUsage(
566 digital_signature=False,
567 content_commitment=False,
568 key_encipherment=False,
569 data_encipherment=False,
570 key_agreement=True,
571 key_cert_sign=False,
572 crl_sign=False,
573 encipher_only=False,
574 decipher_only=True
575 )
576 ku2 = x509.KeyUsage(
577 digital_signature=False,
578 content_commitment=False,
579 key_encipherment=False,
580 data_encipherment=False,
581 key_agreement=False,
582 key_cert_sign=False,
583 crl_sign=False,
584 encipher_only=False,
585 decipher_only=False
586 )
587 assert ku != ku2
588 assert ku != object()
589
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]590
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]591class TestSubjectKeyIdentifier(object):
592 def test_properties(self):
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]593 value = binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]594 ski = x509.SubjectKeyIdentifier(value)
595 assert ski.digest == value
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]596
597 def test_repr(self):
598 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]599 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]600 )
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]601 ext = x509.Extension(ExtensionOID.SUBJECT_KEY_IDENTIFIER, False, ski)
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]602 if six.PY3:
603 assert repr(ext) == (
604 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
605 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
606 "igest=b\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
607 "\\xf7\\xff:\\xc9\')>)>"
608 )
609 else:
610 assert repr(ext) == (
611 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
612 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
613 "igest=\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
614 "\\xf7\\xff:\\xc9\')>)>"
615 )
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]616
617 def test_eq(self):
618 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]619 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]620 )
621 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]622 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]623 )
624 assert ski == ski2
625
626 def test_ne(self):
627 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]628 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]629 )
630 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]631 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]632 )
633 assert ski != ski2
634 assert ski != object()
635
636
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]637class TestAuthorityKeyIdentifier(object):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]638 def test_authority_cert_issuer_not_generalname(self):
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]639 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]640 x509.AuthorityKeyIdentifier(b"identifier", ["notname"], 3)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]641
642 def test_authority_cert_serial_number_not_integer(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]643 dirname = x509.DirectoryName(
644 x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]645 x509.NameAttribute(
646 x509.ObjectIdentifier('2.999.1'),
647 u'value1'
648 ),
649 x509.NameAttribute(
650 x509.ObjectIdentifier('2.999.2'),
651 u'value2'
652 ),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]653 ])
654 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]655 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]656 x509.AuthorityKeyIdentifier(b"identifier", [dirname], "notanint")
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]657
658 def test_authority_issuer_none_serial_not_none(self):
659 with pytest.raises(ValueError):
660 x509.AuthorityKeyIdentifier(b"identifier", None, 3)
661
662 def test_authority_issuer_not_none_serial_none(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]663 dirname = x509.DirectoryName(
664 x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]665 x509.NameAttribute(
666 x509.ObjectIdentifier('2.999.1'),
667 u'value1'
668 ),
669 x509.NameAttribute(
670 x509.ObjectIdentifier('2.999.2'),
671 u'value2'
672 ),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]673 ])
674 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]675 with pytest.raises(ValueError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]676 x509.AuthorityKeyIdentifier(b"identifier", [dirname], None)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]677
678 def test_authority_cert_serial_and_issuer_none(self):
679 aki = x509.AuthorityKeyIdentifier(b"id", None, None)
680 assert aki.key_identifier == b"id"
681 assert aki.authority_cert_issuer is None
682 assert aki.authority_cert_serial_number is None
683
684 def test_repr(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]685 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]686 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]687 )
688 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]689
690 if six.PY3:
691 assert repr(aki) == (
692 "<AuthorityKeyIdentifier(key_identifier=b'digest', authority_"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]693 "cert_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid="
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]694 "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value='myC"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]695 "N')>])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]696 )
697 else:
698 assert repr(aki) == (
699 "<AuthorityKeyIdentifier(key_identifier='digest', authority_ce"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]700 "rt_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid=<Ob"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]701 "jectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'myCN')"
702 ">])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]703 )
704
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]705 def test_eq(self):
706 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]707 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]708 )
709 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
710 dirname2 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]711 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]712 )
713 aki2 = x509.AuthorityKeyIdentifier(b"digest", [dirname2], 1234)
714 assert aki == aki2
715
716 def test_ne(self):
717 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]718 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]719 )
720 dirname5 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]721 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'aCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]722 )
723 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
724 aki2 = x509.AuthorityKeyIdentifier(b"diges", [dirname], 1234)
725 aki3 = x509.AuthorityKeyIdentifier(b"digest", None, None)
726 aki4 = x509.AuthorityKeyIdentifier(b"digest", [dirname], 12345)
727 aki5 = x509.AuthorityKeyIdentifier(b"digest", [dirname5], 12345)
728 assert aki != aki2
729 assert aki != aki3
730 assert aki != aki4
731 assert aki != aki5
732 assert aki != object()
733
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]734
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]735class TestBasicConstraints(object):
736 def test_ca_not_boolean(self):
737 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]738 x509.BasicConstraints(ca="notbool", path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]739
740 def test_path_length_not_ca(self):
741 with pytest.raises(ValueError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]742 x509.BasicConstraints(ca=False, path_length=0)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]743
744 def test_path_length_not_int(self):
745 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]746 x509.BasicConstraints(ca=True, path_length=1.1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]747
748 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]749 x509.BasicConstraints(ca=True, path_length="notint")
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]750
751 def test_path_length_negative(self):
752 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]753 x509.BasicConstraints(ca=True, path_length=-1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]754
755 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]756 na = x509.BasicConstraints(ca=True, path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]757 assert repr(na) == (
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]758 "<BasicConstraints(ca=True, path_length=None)>"
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]759 )
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]760
Paul Kehrer3a69b132015-05-13 10:03:46 -0500[diff] [blame]761 def test_eq(self):
762 na = x509.BasicConstraints(ca=True, path_length=None)
763 na2 = x509.BasicConstraints(ca=True, path_length=None)
764 assert na == na2
765
766 def test_ne(self):
767 na = x509.BasicConstraints(ca=True, path_length=None)
768 na2 = x509.BasicConstraints(ca=True, path_length=1)
769 na3 = x509.BasicConstraints(ca=False, path_length=None)
770 assert na != na2
771 assert na != na3
772 assert na != object()
773
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]774
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]775class TestExtendedKeyUsage(object):
776 def test_not_all_oids(self):
777 with pytest.raises(TypeError):
778 x509.ExtendedKeyUsage(["notoid"])
779
780 def test_iter_len(self):
781 eku = x509.ExtendedKeyUsage([
782 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
783 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
784 ])
785 assert len(eku) == 2
786 assert list(eku) == [
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]787 ExtendedKeyUsageOID.SERVER_AUTH,
788 ExtendedKeyUsageOID.CLIENT_AUTH
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]789 ]
790
Paul Kehrer23d10c32015-04-02 23:12:32 -0500[diff] [blame]791 def test_repr(self):
792 eku = x509.ExtendedKeyUsage([
793 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
794 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
795 ])
796 assert repr(eku) == (
797 "<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name="
798 "serverAuth)>, <ObjectIdentifier(oid=1.3.6.1.5.5.7.3.2, name=clien"
799 "tAuth)>])>"
800 )
801
Paul Kehrerb0476172015-05-02 19:34:51 -0500[diff] [blame]802 def test_eq(self):
803 eku = x509.ExtendedKeyUsage([
804 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
805 ])
806 eku2 = x509.ExtendedKeyUsage([
807 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
808 ])
809 assert eku == eku2
810
811 def test_ne(self):
812 eku = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6")])
813 eku2 = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6.1")])
814 assert eku != eku2
815 assert eku != object()
816
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]817
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]818@pytest.mark.requires_backend_interface(interface=RSABackend)
819@pytest.mark.requires_backend_interface(interface=X509Backend)
820class TestExtensions(object):
821 def test_no_extensions(self, backend):
822 cert = _load_cert(
823 os.path.join("x509", "verisign_md2_root.pem"),
824 x509.load_pem_x509_certificate,
825 backend
826 )
827 ext = cert.extensions
828 assert len(ext) == 0
829 assert list(ext) == []
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]830 with pytest.raises(x509.ExtensionNotFound) as exc:
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]831 ext.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]832
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]833 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]834
835 def test_one_extension(self, backend):
836 cert = _load_cert(
837 os.path.join(
838 "x509", "custom", "basic_constraints_not_critical.pem"
839 ),
840 x509.load_pem_x509_certificate,
841 backend
842 )
843 extensions = cert.extensions
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]844 ext = extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]845 assert ext is not None
846 assert ext.value.ca is False
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]847
848 def test_duplicate_extension(self, backend):
849 cert = _load_cert(
850 os.path.join(
851 "x509", "custom", "two_basic_constraints.pem"
852 ),
853 x509.load_pem_x509_certificate,
854 backend
855 )
856 with pytest.raises(x509.DuplicateExtension) as exc:
857 cert.extensions
858
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]859 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]860
861 def test_unsupported_critical_extension(self, backend):
862 cert = _load_cert(
863 os.path.join(
864 "x509", "custom", "unsupported_extension_critical.pem"
865 ),
866 x509.load_pem_x509_certificate,
867 backend
868 )
869 with pytest.raises(x509.UnsupportedExtension) as exc:
870 cert.extensions
871
872 assert exc.value.oid == x509.ObjectIdentifier("1.2.3.4")
873
874 def test_unsupported_extension(self, backend):
875 # TODO: this will raise an exception when all extensions are complete
876 cert = _load_cert(
877 os.path.join(
878 "x509", "custom", "unsupported_extension.pem"
879 ),
880 x509.load_pem_x509_certificate,
881 backend
882 )
883 extensions = cert.extensions
884 assert len(extensions) == 0
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]885
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]886 def test_no_extensions_get_for_class(self, backend):
887 cert = _load_cert(
888 os.path.join(
Phoebe Queencb5ec4e2015-08-12 15:06:26 +0100[diff] [blame]889 "x509", "cryptography.io.pem"
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]890 ),
891 x509.load_pem_x509_certificate,
892 backend
893 )
Phoebe Queenc93752b2015-08-12 10:54:46 +0100[diff] [blame]894 exts = cert.extensions
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]895 with pytest.raises(x509.ExtensionNotFound) as exc:
Phoebe Queencb5ec4e2015-08-12 15:06:26 +0100[diff] [blame]896 exts.get_extension_for_class(x509.IssuerAlternativeName)
897 assert exc.value.oid == ExtensionOID.ISSUER_ALTERNATIVE_NAME
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]898
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]899 def test_one_extension_get_for_class(self, backend):
900 cert = _load_cert(
Phoebe Queen2cc111a2015-08-12 04:14:22 +0100[diff] [blame]901 os.path.join(
902 "x509", "custom", "basic_constraints_not_critical.pem"
903 ),
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]904 x509.load_pem_x509_certificate,
905 backend
906 )
907 ext = cert.extensions.get_extension_for_class(x509.BasicConstraints)
908 assert ext is not None
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]909 assert isinstance(ext.value, x509.BasicConstraints)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]910
Paul Kehrerafbe75b2015-10-20 08:08:43 -0500[diff] [blame]911 def test_repr(self, backend):
912 cert = _load_cert(
913 os.path.join(
914 "x509", "custom", "basic_constraints_not_critical.pem"
915 ),
916 x509.load_pem_x509_certificate,
917 backend
918 )
919 assert repr(cert.extensions) == (
920 "<Extensions([<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name"
921 "=basicConstraints)>, critical=False, value=<BasicConstraints(ca=F"
922 "alse, path_length=None)>)>])>"
923 )
924
Phoebe Queen2cc111a2015-08-12 04:14:22 +0100[diff] [blame]925
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]926@pytest.mark.requires_backend_interface(interface=RSABackend)
927@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerde813ea2015-03-28 12:44:34 -0500[diff] [blame]928class TestBasicConstraintsExtension(object):
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]929 def test_ca_true_pathlen_6(self, backend):
930 cert = _load_cert(
931 os.path.join(
932 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
933 ),
934 x509.load_der_x509_certificate,
935 backend
936 )
Phoebe Queen062dec72015-08-12 11:42:23 +0100[diff] [blame]937 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]938 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]939 )
940 assert ext is not None
941 assert ext.critical is True
942 assert ext.value.ca is True
943 assert ext.value.path_length == 6
944
945 def test_path_length_zero(self, backend):
946 cert = _load_cert(
947 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
948 x509.load_pem_x509_certificate,
949 backend
950 )
951 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]952 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]953 )
954 assert ext is not None
955 assert ext.critical is True
956 assert ext.value.ca is True
957 assert ext.value.path_length == 0
958
959 def test_ca_true_no_pathlen(self, backend):
960 cert = _load_cert(
961 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
962 x509.load_der_x509_certificate,
963 backend
964 )
965 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]966 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]967 )
968 assert ext is not None
969 assert ext.critical is True
970 assert ext.value.ca is True
971 assert ext.value.path_length is None
972
973 def test_ca_false(self, backend):
974 cert = _load_cert(
975 os.path.join("x509", "cryptography.io.pem"),
976 x509.load_pem_x509_certificate,
977 backend
978 )
979 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]980 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]981 )
982 assert ext is not None
983 assert ext.critical is True
984 assert ext.value.ca is False
985 assert ext.value.path_length is None
986
987 def test_no_basic_constraints(self, backend):
988 cert = _load_cert(
989 os.path.join(
990 "x509",
991 "PKITS_data",
992 "certs",
993 "ValidCertificatePathTest1EE.crt"
994 ),
995 x509.load_der_x509_certificate,
996 backend
997 )
998 with pytest.raises(x509.ExtensionNotFound):
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]999 cert.extensions.get_extension_for_oid(
1000 ExtensionOID.BASIC_CONSTRAINTS
1001 )
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1002
1003 def test_basic_constraint_not_critical(self, backend):
1004 cert = _load_cert(
1005 os.path.join(
1006 "x509", "custom", "basic_constraints_not_critical.pem"
1007 ),
1008 x509.load_pem_x509_certificate,
1009 backend
1010 )
1011 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1012 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1013 )
1014 assert ext is not None
1015 assert ext.critical is False
1016 assert ext.value.ca is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1017
1018
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1019class TestSubjectKeyIdentifierExtension(object):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1020 @pytest.mark.requires_backend_interface(interface=RSABackend)
1021 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1022 def test_subject_key_identifier(self, backend):
1023 cert = _load_cert(
1024 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1025 x509.load_der_x509_certificate,
1026 backend
1027 )
1028 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1029 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1030 )
1031 ski = ext.value
1032 assert ext is not None
1033 assert ext.critical is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1034 assert ski.digest == binascii.unhexlify(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]1035 b"580184241bbc2b52944a3da510721451f5af3ac9"
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1036 )
1037
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1038 @pytest.mark.requires_backend_interface(interface=RSABackend)
1039 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1040 def test_no_subject_key_identifier(self, backend):
1041 cert = _load_cert(
1042 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
1043 x509.load_pem_x509_certificate,
1044 backend
1045 )
1046 with pytest.raises(x509.ExtensionNotFound):
1047 cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1048 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1049 )
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1050
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1051 @pytest.mark.requires_backend_interface(interface=RSABackend)
1052 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1053 def test_from_rsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1054 cert = _load_cert(
1055 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1056 x509.load_der_x509_certificate,
1057 backend
1058 )
1059 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1060 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1061 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1062 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1063 cert.public_key()
1064 )
1065 assert ext.value == ski
1066
1067 @pytest.mark.requires_backend_interface(interface=DSABackend)
1068 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1069 def test_from_dsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1070 cert = _load_cert(
1071 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
1072 x509.load_pem_x509_certificate,
1073 backend
1074 )
1075
1076 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1077 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1078 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1079 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1080 cert.public_key()
1081 )
1082 assert ext.value == ski
1083
1084 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1085 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1086 def test_from_ec_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1087 _skip_curve_unsupported(backend, ec.SECP384R1())
1088 cert = _load_cert(
1089 os.path.join("x509", "ecdsa_root.pem"),
1090 x509.load_pem_x509_certificate,
1091 backend
1092 )
1093
1094 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1095 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1096 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1097 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1098 cert.public_key()
1099 )
1100 assert ext.value == ski
1101
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1102
1103@pytest.mark.requires_backend_interface(interface=RSABackend)
1104@pytest.mark.requires_backend_interface(interface=X509Backend)
1105class TestKeyUsageExtension(object):
1106 def test_no_key_usage(self, backend):
1107 cert = _load_cert(
1108 os.path.join("x509", "verisign_md2_root.pem"),
1109 x509.load_pem_x509_certificate,
1110 backend
1111 )
1112 ext = cert.extensions
1113 with pytest.raises(x509.ExtensionNotFound) as exc:
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1114 ext.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1115
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1116 assert exc.value.oid == ExtensionOID.KEY_USAGE
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1117
1118 def test_all_purposes(self, backend):
1119 cert = _load_cert(
1120 os.path.join(
1121 "x509", "custom", "all_key_usages.pem"
1122 ),
1123 x509.load_pem_x509_certificate,
1124 backend
1125 )
1126 extensions = cert.extensions
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1127 ext = extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1128 assert ext is not None
1129
1130 ku = ext.value
1131 assert ku.digital_signature is True
1132 assert ku.content_commitment is True
1133 assert ku.key_encipherment is True
1134 assert ku.data_encipherment is True
1135 assert ku.key_agreement is True
1136 assert ku.key_cert_sign is True
1137 assert ku.crl_sign is True
1138 assert ku.encipher_only is True
1139 assert ku.decipher_only is True
1140
1141 def test_key_cert_sign_crl_sign(self, backend):
1142 cert = _load_cert(
1143 os.path.join(
1144 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
1145 ),
1146 x509.load_der_x509_certificate,
1147 backend
1148 )
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1149 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1150 assert ext is not None
1151 assert ext.critical is True
1152
1153 ku = ext.value
1154 assert ku.digital_signature is False
1155 assert ku.content_commitment is False
1156 assert ku.key_encipherment is False
1157 assert ku.data_encipherment is False
1158 assert ku.key_agreement is False
1159 assert ku.key_cert_sign is True
1160 assert ku.crl_sign is True
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1161
1162
1163@pytest.mark.parametrize(
1164 "name", [
1165 x509.RFC822Name,
1166 x509.DNSName,
1167 x509.UniformResourceIdentifier
1168 ]
1169)
1170class TestTextGeneralNames(object):
1171 def test_not_text(self, name):
1172 with pytest.raises(TypeError):
1173 name(b"notaunicodestring")
1174
1175 with pytest.raises(TypeError):
1176 name(1.3)
1177
1178 def test_repr(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1179 gn = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1180 assert repr(gn) == "<{0}(value=string)>".format(name.__name__)
1181
1182 def test_eq(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1183 gn = name(u"string")
1184 gn2 = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1185 assert gn == gn2
1186
1187 def test_ne(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1188 gn = name(u"string")
1189 gn2 = name(u"string2")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1190 assert gn != gn2
1191 assert gn != object()
1192
1193
1194class TestDirectoryName(object):
1195 def test_not_name(self):
1196 with pytest.raises(TypeError):
1197 x509.DirectoryName(b"notaname")
1198
1199 with pytest.raises(TypeError):
1200 x509.DirectoryName(1.3)
1201
1202 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1203 name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'value1')])
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1204 gn = x509.DirectoryName(x509.Name([name]))
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]1205 if six.PY3:
1206 assert repr(gn) == (
1207 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1208 "Identifier(oid=2.5.4.3, name=commonName)>, value='value1')>])"
1209 ">])>)>"
1210 )
1211 else:
1212 assert repr(gn) == (
1213 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1214 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'value1')>]"
1215 ")>])>)>"
1216 )
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1217
1218 def test_eq(self):
1219 name = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1220 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1221 ])
1222 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1223 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1224 ])
1225 gn = x509.DirectoryName(x509.Name([name]))
1226 gn2 = x509.DirectoryName(x509.Name([name2]))
1227 assert gn == gn2
1228
1229 def test_ne(self):
1230 name = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1231 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1232 ])
1233 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1234 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1235 ])
1236 gn = x509.DirectoryName(x509.Name([name]))
1237 gn2 = x509.DirectoryName(x509.Name([name2]))
1238 assert gn != gn2
1239 assert gn != object()
1240
1241
Paul Kehrer01d5d0b2015-07-12 09:41:21 -0500[diff] [blame]1242class TestRFC822Name(object):
1243 def test_invalid_email(self):
1244 with pytest.raises(ValueError):
1245 x509.RFC822Name(u"Name <email>")
1246
1247 with pytest.raises(ValueError):
1248 x509.RFC822Name(u"")
1249
1250 def test_single_label(self):
1251 gn = x509.RFC822Name(u"administrator")
1252 assert gn.value == u"administrator"
1253
1254 def test_idna(self):
1255 gn = x509.RFC822Name(u"email@em\xe5\xefl.com")
1256 assert gn.value == u"email@em\xe5\xefl.com"
1257 assert gn._encoded == b"email@xn--eml-vla4c.com"
1258
1259
Paul Kehrere28d6c42015-07-12 14:59:37 -0500[diff] [blame]1260class TestUniformResourceIdentifier(object):
1261 def test_no_parsed_hostname(self):
1262 gn = x509.UniformResourceIdentifier(u"singlelabel")
1263 assert gn.value == u"singlelabel"
1264
1265 def test_with_port(self):
1266 gn = x509.UniformResourceIdentifier(u"singlelabel:443/test")
1267 assert gn.value == u"singlelabel:443/test"
1268
1269 def test_idna_no_port(self):
1270 gn = x509.UniformResourceIdentifier(
1271 u"http://\u043f\u044b\u043a\u0430.cryptography"
1272 )
1273 assert gn.value == u"http://\u043f\u044b\u043a\u0430.cryptography"
1274 assert gn._encoded == b"http://xn--80ato2c.cryptography"
1275
1276 def test_idna_with_port(self):
1277 gn = x509.UniformResourceIdentifier(
1278 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1279 )
1280 assert gn.value == (
1281 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1282 )
1283 assert gn._encoded == b"gopher://xn--80ato2c.cryptography:70/some/path"
1284
1285 def test_query_and_fragment(self):
1286 gn = x509.UniformResourceIdentifier(
1287 u"ldap://cryptography:90/path?query=true#somedata"
1288 )
1289 assert gn.value == u"ldap://cryptography:90/path?query=true#somedata"
1290
1291
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1292class TestRegisteredID(object):
1293 def test_not_oid(self):
1294 with pytest.raises(TypeError):
1295 x509.RegisteredID(b"notanoid")
1296
1297 with pytest.raises(TypeError):
1298 x509.RegisteredID(1.3)
1299
1300 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1301 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1302 assert repr(gn) == (
1303 "<RegisteredID(value=<ObjectIdentifier(oid=2.5.4.3, name=commonNam"
1304 "e)>)>"
1305 )
1306
1307 def test_eq(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1308 gn = x509.RegisteredID(NameOID.COMMON_NAME)
1309 gn2 = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1310 assert gn == gn2
1311
1312 def test_ne(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1313 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1314 gn2 = x509.RegisteredID(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1315 assert gn != gn2
1316 assert gn != object()
1317
1318
1319class TestIPAddress(object):
1320 def test_not_ipaddress(self):
1321 with pytest.raises(TypeError):
1322 x509.IPAddress(b"notanipaddress")
1323
1324 with pytest.raises(TypeError):
1325 x509.IPAddress(1.3)
1326
1327 def test_repr(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1328 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1329 assert repr(gn) == "<IPAddress(value=127.0.0.1)>"
1330
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1331 gn2 = x509.IPAddress(ipaddress.IPv6Address(u"ff::"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1332 assert repr(gn2) == "<IPAddress(value=ff::)>"
1333
Paul Kehrereb177932015-05-17 18:33:33 -0700[diff] [blame]1334 gn3 = x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24"))
1335 assert repr(gn3) == "<IPAddress(value=192.168.0.0/24)>"
1336
1337 gn4 = x509.IPAddress(ipaddress.IPv6Network(u"ff::/96"))
1338 assert repr(gn4) == "<IPAddress(value=ff::/96)>"
1339
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1340 def test_eq(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1341 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1342 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1343 assert gn == gn2
1344
1345 def test_ne(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1346 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1347 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.2"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1348 assert gn != gn2
1349 assert gn != object()
1350
1351
Joshua Tauberer18b6fc82015-07-05 21:44:51 +0000[diff] [blame]1352class TestOtherName(object):
1353 def test_invalid_args(self):
1354 with pytest.raises(TypeError):
1355 x509.OtherName(b"notanobjectidentifier", b"derdata")
1356
1357 with pytest.raises(TypeError):
1358 x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), u"notderdata")
1359
1360 def test_repr(self):
1361 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1362 if six.PY3:
1363 assert repr(gn) == (
1364 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1365 "name=Unknown OID)>, value=b'derdata')>"
1366 )
1367 else:
1368 assert repr(gn) == (
1369 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1370 "name=Unknown OID)>, value='derdata')>"
1371 )
1372
1373 gn = x509.OtherName(x509.ObjectIdentifier("2.5.4.65"), b"derdata")
1374 if six.PY3:
1375 assert repr(gn) == (
1376 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1377 "name=pseudonym)>, value=b'derdata')>"
1378 )
1379 else:
1380 assert repr(gn) == (
1381 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1382 "name=pseudonym)>, value='derdata')>"
1383 )
1384
1385 def test_eq(self):
1386 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1387 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1388 assert gn == gn2
1389
1390 def test_ne(self):
1391 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1392 assert gn != object()
1393
1394 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata2")
1395 assert gn != gn2
1396
1397 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.5"), b"derdata")
1398 assert gn != gn2
1399
1400
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1401class TestGeneralNames(object):
1402 def test_get_values_for_type(self):
1403 gns = x509.GeneralNames(
1404 [x509.DNSName(u"cryptography.io")]
1405 )
1406 names = gns.get_values_for_type(x509.DNSName)
1407 assert names == [u"cryptography.io"]
1408
1409 def test_iter_names(self):
1410 gns = x509.GeneralNames([
1411 x509.DNSName(u"cryptography.io"),
1412 x509.DNSName(u"crypto.local"),
1413 ])
1414 assert len(gns) == 2
1415 assert list(gns) == [
1416 x509.DNSName(u"cryptography.io"),
1417 x509.DNSName(u"crypto.local"),
1418 ]
1419
1420 def test_invalid_general_names(self):
1421 with pytest.raises(TypeError):
1422 x509.GeneralNames(
1423 [x509.DNSName(u"cryptography.io"), "invalid"]
1424 )
1425
1426 def test_repr(self):
1427 gns = x509.GeneralNames(
1428 [
1429 x509.DNSName(u"cryptography.io")
1430 ]
1431 )
1432 assert repr(gns) == (
1433 "<GeneralNames([<DNSName(value=cryptography.io)>])>"
1434 )
1435
1436 def test_eq(self):
1437 gns = x509.GeneralNames(
1438 [x509.DNSName(u"cryptography.io")]
1439 )
1440 gns2 = x509.GeneralNames(
1441 [x509.DNSName(u"cryptography.io")]
1442 )
1443 assert gns == gns2
1444
1445 def test_ne(self):
1446 gns = x509.GeneralNames(
1447 [x509.DNSName(u"cryptography.io")]
1448 )
1449 gns2 = x509.GeneralNames(
1450 [x509.RFC822Name(u"admin@cryptography.io")]
1451 )
1452 assert gns != gns2
1453 assert gns != object()
1454
1455
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1456class TestIssuerAlternativeName(object):
1457 def test_get_values_for_type(self):
1458 san = x509.IssuerAlternativeName(
1459 [x509.DNSName(u"cryptography.io")]
1460 )
1461 names = san.get_values_for_type(x509.DNSName)
1462 assert names == [u"cryptography.io"]
1463
1464 def test_iter_names(self):
1465 san = x509.IssuerAlternativeName([
1466 x509.DNSName(u"cryptography.io"),
1467 x509.DNSName(u"crypto.local"),
1468 ])
1469 assert len(san) == 2
1470 assert list(san) == [
1471 x509.DNSName(u"cryptography.io"),
1472 x509.DNSName(u"crypto.local"),
1473 ]
1474
1475 def test_invalid_general_names(self):
1476 with pytest.raises(TypeError):
1477 x509.IssuerAlternativeName(
1478 [x509.DNSName(u"cryptography.io"), "invalid"]
1479 )
1480
1481 def test_repr(self):
1482 san = x509.IssuerAlternativeName(
1483 [
1484 x509.DNSName(u"cryptography.io")
1485 ]
1486 )
1487 assert repr(san) == (
1488 "<IssuerAlternativeName("
1489 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
1490 )
1491
1492 def test_eq(self):
1493 san = x509.IssuerAlternativeName(
1494 [x509.DNSName(u"cryptography.io")]
1495 )
1496 san2 = x509.IssuerAlternativeName(
1497 [x509.DNSName(u"cryptography.io")]
1498 )
1499 assert san == san2
1500
1501 def test_ne(self):
1502 san = x509.IssuerAlternativeName(
1503 [x509.DNSName(u"cryptography.io")]
1504 )
1505 san2 = x509.IssuerAlternativeName(
1506 [x509.RFC822Name(u"admin@cryptography.io")]
1507 )
1508 assert san != san2
1509 assert san != object()
1510
1511
Alex Gaynorf1c17672015-06-20 14:20:20 -0400[diff] [blame]1512@pytest.mark.requires_backend_interface(interface=RSABackend)
1513@pytest.mark.requires_backend_interface(interface=X509Backend)
1514class TestRSAIssuerAlternativeNameExtension(object):
1515 def test_uri(self, backend):
1516 cert = _load_cert(
1517 os.path.join("x509", "custom", "ian_uri.pem"),
1518 x509.load_pem_x509_certificate,
1519 backend,
1520 )
1521 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1522 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Alex Gaynorf1c17672015-06-20 14:20:20 -0400[diff] [blame]1523 )
1524 assert list(ext.value) == [
1525 x509.UniformResourceIdentifier(u"http://path.to.root/root.crt"),
1526 ]
1527
1528
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]1529class TestCRLNumber(object):
1530 def test_eq(self):
1531 crl_number = x509.CRLNumber(15)
1532 assert crl_number == x509.CRLNumber(15)
1533
1534 def test_ne(self):
1535 crl_number = x509.CRLNumber(15)
1536 assert crl_number != x509.CRLNumber(14)
1537 assert crl_number != object()
1538
1539 def test_repr(self):
1540 crl_number = x509.CRLNumber(15)
1541 assert repr(crl_number) == "<CRLNumber(15)>"
1542
Paul Kehrera9718fc2015-12-22 22:55:35 -0600[diff] [blame]1543 def test_invalid_number(self):
1544 with pytest.raises(TypeError):
1545 x509.CRLNumber("notanumber")
1546
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]1547
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1548class TestSubjectAlternativeName(object):
1549 def test_get_values_for_type(self):
1550 san = x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1551 [x509.DNSName(u"cryptography.io")]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1552 )
1553 names = san.get_values_for_type(x509.DNSName)
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1554 assert names == [u"cryptography.io"]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1555
1556 def test_iter_names(self):
1557 san = x509.SubjectAlternativeName([
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1558 x509.DNSName(u"cryptography.io"),
1559 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1560 ])
1561 assert len(san) == 2
1562 assert list(san) == [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1563 x509.DNSName(u"cryptography.io"),
1564 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1565 ]
1566
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1567 def test_invalid_general_names(self):
1568 with pytest.raises(TypeError):
1569 x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1570 [x509.DNSName(u"cryptography.io"), "invalid"]
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1571 )
1572
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1573 def test_repr(self):
1574 san = x509.SubjectAlternativeName(
1575 [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1576 x509.DNSName(u"cryptography.io")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1577 ]
1578 )
1579 assert repr(san) == (
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1580 "<SubjectAlternativeName("
1581 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1582 )
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1583
Paul Kehrer58cc3972015-05-13 10:00:41 -0500[diff] [blame]1584 def test_eq(self):
1585 san = x509.SubjectAlternativeName(
1586 [x509.DNSName(u"cryptography.io")]
1587 )
1588 san2 = x509.SubjectAlternativeName(
1589 [x509.DNSName(u"cryptography.io")]
1590 )
1591 assert san == san2
1592
1593 def test_ne(self):
1594 san = x509.SubjectAlternativeName(
1595 [x509.DNSName(u"cryptography.io")]
1596 )
1597 san2 = x509.SubjectAlternativeName(
1598 [x509.RFC822Name(u"admin@cryptography.io")]
1599 )
1600 assert san != san2
1601 assert san != object()
1602
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1603
1604@pytest.mark.requires_backend_interface(interface=RSABackend)
1605@pytest.mark.requires_backend_interface(interface=X509Backend)
1606class TestRSASubjectAlternativeNameExtension(object):
1607 def test_dns_name(self, backend):
1608 cert = _load_cert(
1609 os.path.join("x509", "cryptography.io.pem"),
1610 x509.load_pem_x509_certificate,
1611 backend
1612 )
1613 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1614 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1615 )
1616 assert ext is not None
1617 assert ext.critical is False
1618
1619 san = ext.value
1620
1621 dns = san.get_values_for_type(x509.DNSName)
1622 assert dns == [u"www.cryptography.io", u"cryptography.io"]
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1623
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1624 def test_wildcard_dns_name(self, backend):
1625 cert = _load_cert(
1626 os.path.join("x509", "wildcard_san.pem"),
1627 x509.load_pem_x509_certificate,
1628 backend
1629 )
1630 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1631 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1632 )
1633
1634 dns = ext.value.get_values_for_type(x509.DNSName)
1635 assert dns == [
1636 u'*.langui.sh',
1637 u'langui.sh',
1638 u'*.saseliminator.com',
1639 u'saseliminator.com'
1640 ]
1641
Dominic Chen87bb9572015-10-09 00:23:07 -0400[diff] [blame]1642 def test_san_empty_hostname(self, backend):
1643 cert = _load_cert(
1644 os.path.join(
1645 "x509", "custom", "san_empty_hostname.pem"
1646 ),
1647 x509.load_pem_x509_certificate,
1648 backend
1649 )
1650 san = cert.extensions.get_extension_for_oid(
1651 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
1652 )
1653
1654 dns = san.value.get_values_for_type(x509.DNSName)
1655 assert dns == [u'']
1656
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1657 def test_san_wildcard_idna_dns_name(self, backend):
1658 cert = _load_cert(
1659 os.path.join("x509", "custom", "san_wildcard_idna.pem"),
1660 x509.load_pem_x509_certificate,
1661 backend
1662 )
1663 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1664 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1665 )
1666
1667 dns = ext.value.get_values_for_type(x509.DNSName)
1668 assert dns == [u'*.\u043f\u044b\u043a\u0430.cryptography']
1669
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1670 def test_unsupported_gn(self, backend):
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1671 cert = _load_cert(
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1672 os.path.join("x509", "san_x400address.der"),
1673 x509.load_der_x509_certificate,
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1674 backend
1675 )
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1676 with pytest.raises(x509.UnsupportedGeneralNameType) as exc:
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1677 cert.extensions
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1678
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1679 assert exc.value.type == 3
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1680
1681 def test_registered_id(self, backend):
1682 cert = _load_cert(
1683 os.path.join(
1684 "x509", "custom", "san_registered_id.pem"
1685 ),
1686 x509.load_pem_x509_certificate,
1687 backend
1688 )
1689 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1690 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1691 )
1692 assert ext is not None
1693 assert ext.critical is False
1694
1695 san = ext.value
1696 rid = san.get_values_for_type(x509.RegisteredID)
1697 assert rid == [x509.ObjectIdentifier("1.2.3.4")]
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1698
1699 def test_uri(self, backend):
1700 cert = _load_cert(
1701 os.path.join(
1702 "x509", "custom", "san_uri_with_port.pem"
1703 ),
1704 x509.load_pem_x509_certificate,
1705 backend
1706 )
1707 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1708 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1709 )
1710 assert ext is not None
1711 uri = ext.value.get_values_for_type(
1712 x509.UniformResourceIdentifier
1713 )
1714 assert uri == [
1715 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/path?q=s#hel"
1716 u"lo",
1717 u"http://someregulardomain.com",
1718 ]
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1719
1720 def test_ipaddress(self, backend):
1721 cert = _load_cert(
1722 os.path.join(
1723 "x509", "custom", "san_ipaddr.pem"
1724 ),
1725 x509.load_pem_x509_certificate,
1726 backend
1727 )
1728 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1729 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1730 )
1731 assert ext is not None
1732 assert ext.critical is False
1733
1734 san = ext.value
1735
1736 ip = san.get_values_for_type(x509.IPAddress)
1737 assert [
1738 ipaddress.ip_address(u"127.0.0.1"),
1739 ipaddress.ip_address(u"ff::")
1740 ] == ip
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1741
1742 def test_dirname(self, backend):
1743 cert = _load_cert(
1744 os.path.join(
1745 "x509", "custom", "san_dirname.pem"
1746 ),
1747 x509.load_pem_x509_certificate,
1748 backend
1749 )
1750 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1751 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1752 )
1753 assert ext is not None
1754 assert ext.critical is False
1755
1756 san = ext.value
1757
1758 dirname = san.get_values_for_type(x509.DirectoryName)
1759 assert [
1760 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1761 x509.NameAttribute(NameOID.COMMON_NAME, u'test'),
1762 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org'),
1763 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1764 ])
1765 ] == dirname
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1766
1767 def test_rfc822name(self, backend):
1768 cert = _load_cert(
1769 os.path.join(
1770 "x509", "custom", "san_rfc822_idna.pem"
1771 ),
1772 x509.load_pem_x509_certificate,
1773 backend
1774 )
1775 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1776 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1777 )
1778 assert ext is not None
1779 assert ext.critical is False
1780
1781 san = ext.value
1782
1783 rfc822name = san.get_values_for_type(x509.RFC822Name)
1784 assert [u"email@em\xe5\xefl.com"] == rfc822name
1785
Paul Kehrerb8968812015-05-15 09:01:34 -0700[diff] [blame]1786 def test_idna2003_invalid(self, backend):
1787 cert = _load_cert(
1788 os.path.join(
1789 "x509", "custom", "san_idna2003_dnsname.pem"
1790 ),
1791 x509.load_pem_x509_certificate,
1792 backend
1793 )
1794 with pytest.raises(UnicodeError):
1795 cert.extensions
1796
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1797 def test_unicode_rfc822_name_dns_name_uri(self, backend):
1798 cert = _load_cert(
1799 os.path.join(
1800 "x509", "custom", "san_idna_names.pem"
1801 ),
1802 x509.load_pem_x509_certificate,
1803 backend
1804 )
1805 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1806 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1807 )
1808 assert ext is not None
1809 rfc822_name = ext.value.get_values_for_type(x509.RFC822Name)
1810 dns_name = ext.value.get_values_for_type(x509.DNSName)
1811 uri = ext.value.get_values_for_type(x509.UniformResourceIdentifier)
1812 assert rfc822_name == [u"email@\u043f\u044b\u043a\u0430.cryptography"]
1813 assert dns_name == [u"\u043f\u044b\u043a\u0430.cryptography"]
1814 assert uri == [u"https://www.\u043f\u044b\u043a\u0430.cryptography"]
1815
1816 def test_rfc822name_dnsname_ipaddress_directoryname_uri(self, backend):
1817 cert = _load_cert(
1818 os.path.join(
1819 "x509", "custom", "san_email_dns_ip_dirname_uri.pem"
1820 ),
1821 x509.load_pem_x509_certificate,
1822 backend
1823 )
1824 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1825 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1826 )
1827 assert ext is not None
1828 assert ext.critical is False
1829
1830 san = ext.value
1831
1832 rfc822_name = san.get_values_for_type(x509.RFC822Name)
1833 uri = san.get_values_for_type(x509.UniformResourceIdentifier)
1834 dns = san.get_values_for_type(x509.DNSName)
1835 ip = san.get_values_for_type(x509.IPAddress)
1836 dirname = san.get_values_for_type(x509.DirectoryName)
1837 assert [u"user@cryptography.io"] == rfc822_name
Paul Kehrere3a330c2015-05-02 16:42:52 -0500[diff] [blame]1838 assert [u"https://cryptography.io"] == uri
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1839 assert [u"cryptography.io"] == dns
1840 assert [
1841 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1842 x509.NameAttribute(NameOID.COMMON_NAME, u'dirCN'),
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1843 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1844 NameOID.ORGANIZATION_NAME, u'Cryptographic Authority'
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1845 ),
1846 ])
1847 ] == dirname
1848 assert [
1849 ipaddress.ip_address(u"127.0.0.1"),
1850 ipaddress.ip_address(u"ff::")
1851 ] == ip
1852
1853 def test_invalid_rfc822name(self, backend):
1854 cert = _load_cert(
1855 os.path.join(
1856 "x509", "custom", "san_rfc822_names.pem"
1857 ),
1858 x509.load_pem_x509_certificate,
1859 backend
1860 )
1861 with pytest.raises(ValueError) as exc:
1862 cert.extensions
1863
1864 assert 'Invalid rfc822name value' in str(exc.value)
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]1865
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1866 def test_other_name(self, backend):
1867 cert = _load_cert(
1868 os.path.join(
1869 "x509", "custom", "san_other_name.pem"
1870 ),
1871 x509.load_pem_x509_certificate,
1872 backend
1873 )
1874
1875 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1876 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1877 )
1878 assert ext is not None
1879 assert ext.critical is False
1880
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]1881 expected = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"),
1882 b'\x16\x0bHello World')
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1883 assert len(ext.value) == 1
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]1884 assert list(ext.value)[0] == expected
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1885
1886 othernames = ext.value.get_values_for_type(x509.OtherName)
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]1887 assert othernames == [expected]
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1888
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]1889
1890@pytest.mark.requires_backend_interface(interface=RSABackend)
1891@pytest.mark.requires_backend_interface(interface=X509Backend)
1892class TestExtendedKeyUsageExtension(object):
1893 def test_eku(self, backend):
1894 cert = _load_cert(
1895 os.path.join(
1896 "x509", "custom", "extended_key_usage.pem"
1897 ),
1898 x509.load_pem_x509_certificate,
1899 backend
1900 )
1901 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1902 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]1903 )
1904 assert ext is not None
1905 assert ext.critical is False
1906
1907 assert [
1908 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
1909 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
1910 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.3"),
1911 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.4"),
1912 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.9"),
1913 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.8"),
1914 x509.ObjectIdentifier("2.5.29.37.0"),
1915 x509.ObjectIdentifier("2.16.840.1.113730.4.1"),
1916 ] == list(ext.value)
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1917
1918
1919class TestAccessDescription(object):
1920 def test_invalid_access_method(self):
Nick Bastind06763d2015-12-12 18:32:59 -0800[diff] [blame]1921 with pytest.raises(TypeError):
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1922 x509.AccessDescription("notanoid", x509.DNSName(u"test"))
1923
1924 def test_invalid_access_location(self):
1925 with pytest.raises(TypeError):
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]1926 x509.AccessDescription(
1927 AuthorityInformationAccessOID.CA_ISSUERS, "invalid"
1928 )
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1929
Nick Bastind2ecf862015-12-13 05:44:46 -0800[diff] [blame]1930 def test_valid_nonstandard_method(self):
Nick Bastin326fc8e2015-12-12 19:08:12 -0800[diff] [blame]1931 ad = x509.AccessDescription(
1932 ObjectIdentifier("2.999.1"),
1933 x509.UniformResourceIdentifier(u"http://example.com")
1934 )
Nick Bastin11f0f8a2015-12-12 18:54:12 -0800[diff] [blame]1935 assert ad is not None
1936
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1937 def test_repr(self):
1938 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]1939 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1940 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1941 )
1942 assert repr(ad) == (
1943 "<AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5."
1944 "5.7.48.1, name=OCSP)>, access_location=<UniformResourceIdentifier"
1945 "(value=http://ocsp.domain.com)>)>"
1946 )
1947
1948 def test_eq(self):
1949 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]1950 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1951 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1952 )
1953 ad2 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]1954 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1955 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1956 )
1957 assert ad == ad2
1958
1959 def test_ne(self):
1960 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]1961 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1962 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1963 )
1964 ad2 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]1965 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1966 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1967 )
1968 ad3 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]1969 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1970 x509.UniformResourceIdentifier(u"http://notthesame")
1971 )
1972 assert ad != ad2
1973 assert ad != ad3
1974 assert ad != object()
1975
1976
1977class TestAuthorityInformationAccess(object):
1978 def test_invalid_descriptions(self):
1979 with pytest.raises(TypeError):
1980 x509.AuthorityInformationAccess(["notanAccessDescription"])
1981
1982 def test_iter_len(self):
1983 aia = x509.AuthorityInformationAccess([
1984 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]1985 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1986 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1987 ),
1988 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]1989 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1990 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1991 )
1992 ])
1993 assert len(aia) == 2
1994 assert list(aia) == [
1995 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]1996 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1997 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1998 ),
1999 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2000 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2001 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2002 )
2003 ]
2004
2005 def test_repr(self):
2006 aia = x509.AuthorityInformationAccess([
2007 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2008 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2009 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2010 ),
2011 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2012 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2013 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2014 )
2015 ])
2016 assert repr(aia) == (
2017 "<AuthorityInformationAccess([<AccessDescription(access_method=<Ob"
2018 "jectIdentifier(oid=1.3.6.1.5.5.7.48.1, name=OCSP)>, access_locati"
2019 "on=<UniformResourceIdentifier(value=http://ocsp.domain.com)>)>, <"
2020 "AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5.5"
2021 ".7.48.2, name=caIssuers)>, access_location=<UniformResourceIdenti"
2022 "fier(value=http://domain.com/ca.crt)>)>])>"
2023 )
2024
2025 def test_eq(self):
2026 aia = x509.AuthorityInformationAccess([
2027 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2028 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2029 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2030 ),
2031 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2032 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2033 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2034 )
2035 ])
2036 aia2 = x509.AuthorityInformationAccess([
2037 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2038 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2039 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2040 ),
2041 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2042 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2043 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2044 )
2045 ])
2046 assert aia == aia2
2047
2048 def test_ne(self):
2049 aia = x509.AuthorityInformationAccess([
2050 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2051 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2052 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2053 ),
2054 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2055 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2056 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2057 )
2058 ])
2059 aia2 = x509.AuthorityInformationAccess([
2060 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2061 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2062 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2063 ),
2064 ])
2065
2066 assert aia != aia2
2067 assert aia != object()
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2068
2069
2070@pytest.mark.requires_backend_interface(interface=RSABackend)
2071@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2072class TestAuthorityInformationAccessExtension(object):
2073 def test_aia_ocsp_ca_issuers(self, backend):
2074 cert = _load_cert(
2075 os.path.join("x509", "cryptography.io.pem"),
2076 x509.load_pem_x509_certificate,
2077 backend
2078 )
2079 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2080 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2081 )
2082 assert ext is not None
2083 assert ext.critical is False
2084
2085 assert ext.value == x509.AuthorityInformationAccess([
2086 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2087 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2088 x509.UniformResourceIdentifier(u"http://gv.symcd.com")
2089 ),
2090 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2091 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2092 x509.UniformResourceIdentifier(u"http://gv.symcb.com/gv.crt")
2093 ),
2094 ])
2095
2096 def test_aia_multiple_ocsp_ca_issuers(self, backend):
2097 cert = _load_cert(
2098 os.path.join("x509", "custom", "aia_ocsp_ca_issuers.pem"),
2099 x509.load_pem_x509_certificate,
2100 backend
2101 )
2102 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2103 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2104 )
2105 assert ext is not None
2106 assert ext.critical is False
2107
2108 assert ext.value == x509.AuthorityInformationAccess([
2109 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2110 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2111 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2112 ),
2113 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2114 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2115 x509.UniformResourceIdentifier(u"http://ocsp2.domain.com")
2116 ),
2117 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2118 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2119 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2120 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
2121 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2122 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2123 ]))
2124 ),
2125 ])
2126
2127 def test_aia_ocsp_only(self, backend):
2128 cert = _load_cert(
2129 os.path.join("x509", "custom", "aia_ocsp.pem"),
2130 x509.load_pem_x509_certificate,
2131 backend
2132 )
2133 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2134 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2135 )
2136 assert ext is not None
2137 assert ext.critical is False
2138
2139 assert ext.value == x509.AuthorityInformationAccess([
2140 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2141 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2142 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2143 ),
2144 ])
2145
2146 def test_aia_ca_issuers_only(self, backend):
2147 cert = _load_cert(
2148 os.path.join("x509", "custom", "aia_ca_issuers.pem"),
2149 x509.load_pem_x509_certificate,
2150 backend
2151 )
2152 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2153 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2154 )
2155 assert ext is not None
2156 assert ext.critical is False
2157
2158 assert ext.value == x509.AuthorityInformationAccess([
2159 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2160 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2161 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2162 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
2163 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2164 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2165 ]))
2166 ),
2167 ])
2168
2169
2170@pytest.mark.requires_backend_interface(interface=RSABackend)
2171@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2172class TestAuthorityKeyIdentifierExtension(object):
2173 def test_aki_keyid(self, backend):
2174 cert = _load_cert(
2175 os.path.join(
2176 "x509", "cryptography.io.pem"
2177 ),
2178 x509.load_pem_x509_certificate,
2179 backend
2180 )
2181 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2182 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2183 )
2184 assert ext is not None
2185 assert ext.critical is False
2186
2187 assert ext.value.key_identifier == (
2188 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08\xcbY"
2189 )
2190 assert ext.value.authority_cert_issuer is None
2191 assert ext.value.authority_cert_serial_number is None
2192
2193 def test_aki_all_fields(self, backend):
2194 cert = _load_cert(
2195 os.path.join(
2196 "x509", "custom", "authority_key_identifier.pem"
2197 ),
2198 x509.load_pem_x509_certificate,
2199 backend
2200 )
2201 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2202 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2203 )
2204 assert ext is not None
2205 assert ext.critical is False
2206
2207 assert ext.value.key_identifier == (
2208 b"9E>\xca=b\x1d\xea\x86I\xf6Z\xab@\xb7\xa4p\x98\xf1\xec"
2209 )
2210 assert ext.value.authority_cert_issuer == [
2211 x509.DirectoryName(
2212 x509.Name([
2213 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2214 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2215 ),
2216 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2217 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2218 )
2219 ])
2220 )
2221 ]
2222 assert ext.value.authority_cert_serial_number == 3
2223
2224 def test_aki_no_keyid(self, backend):
2225 cert = _load_cert(
2226 os.path.join(
2227 "x509", "custom", "authority_key_identifier_no_keyid.pem"
2228 ),
2229 x509.load_pem_x509_certificate,
2230 backend
2231 )
2232 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2233 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2234 )
2235 assert ext is not None
2236 assert ext.critical is False
2237
2238 assert ext.value.key_identifier is None
2239 assert ext.value.authority_cert_issuer == [
2240 x509.DirectoryName(
2241 x509.Name([
2242 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2243 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2244 ),
2245 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2246 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2247 )
2248 ])
2249 )
2250 ]
2251 assert ext.value.authority_cert_serial_number == 3
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2252
Paul Kehrer253929a2015-08-05 17:30:39 +0100[diff] [blame]2253 def test_from_certificate(self, backend):
2254 issuer_cert = _load_cert(
2255 os.path.join("x509", "rapidssl_sha256_ca_g3.pem"),
2256 x509.load_pem_x509_certificate,
2257 backend
2258 )
2259 cert = _load_cert(
2260 os.path.join("x509", "cryptography.io.pem"),
2261 x509.load_pem_x509_certificate,
2262 backend
2263 )
2264 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2265 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrer253929a2015-08-05 17:30:39 +0100[diff] [blame]2266 )
2267 aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(
2268 issuer_cert.public_key()
2269 )
2270 assert ext.value == aki
2271
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2272
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2273class TestNameConstraints(object):
2274 def test_ipaddress_wrong_type(self):
2275 with pytest.raises(TypeError):
2276 x509.NameConstraints(
2277 permitted_subtrees=[
2278 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2279 ],
2280 excluded_subtrees=None
2281 )
2282
2283 with pytest.raises(TypeError):
2284 x509.NameConstraints(
2285 permitted_subtrees=None,
2286 excluded_subtrees=[
2287 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2288 ]
2289 )
2290
2291 def test_ipaddress_allowed_type(self):
2292 permitted = [x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29"))]
2293 excluded = [x509.IPAddress(ipaddress.IPv4Network(u"10.10.0.0/24"))]
2294 nc = x509.NameConstraints(
2295 permitted_subtrees=permitted,
2296 excluded_subtrees=excluded
2297 )
2298 assert nc.permitted_subtrees == permitted
2299 assert nc.excluded_subtrees == excluded
2300
2301 def test_invalid_permitted_subtrees(self):
2302 with pytest.raises(TypeError):
2303 x509.NameConstraints("badpermitted", None)
2304
2305 def test_invalid_excluded_subtrees(self):
2306 with pytest.raises(TypeError):
2307 x509.NameConstraints(None, "badexcluded")
2308
2309 def test_no_subtrees(self):
2310 with pytest.raises(ValueError):
2311 x509.NameConstraints(None, None)
2312
2313 def test_permitted_none(self):
2314 excluded = [x509.DNSName(u"name.local")]
2315 nc = x509.NameConstraints(
2316 permitted_subtrees=None, excluded_subtrees=excluded
2317 )
2318 assert nc.permitted_subtrees is None
2319 assert nc.excluded_subtrees is not None
2320
2321 def test_excluded_none(self):
2322 permitted = [x509.DNSName(u"name.local")]
2323 nc = x509.NameConstraints(
2324 permitted_subtrees=permitted, excluded_subtrees=None
2325 )
2326 assert nc.permitted_subtrees is not None
2327 assert nc.excluded_subtrees is None
2328
2329 def test_repr(self):
2330 permitted = [x509.DNSName(u"name.local"), x509.DNSName(u"name2.local")]
2331 nc = x509.NameConstraints(
2332 permitted_subtrees=permitted,
2333 excluded_subtrees=None
2334 )
2335 assert repr(nc) == (
2336 "<NameConstraints(permitted_subtrees=[<DNSName(value=name.local)>"
2337 ", <DNSName(value=name2.local)>], excluded_subtrees=None)>"
2338 )
2339
Paul Kehrer31894282015-06-21 21:46:41 -0500[diff] [blame]2340 def test_eq(self):
2341 nc = x509.NameConstraints(
2342 permitted_subtrees=[x509.DNSName(u"name.local")],
2343 excluded_subtrees=[x509.DNSName(u"name2.local")]
2344 )
2345 nc2 = x509.NameConstraints(
2346 permitted_subtrees=[x509.DNSName(u"name.local")],
2347 excluded_subtrees=[x509.DNSName(u"name2.local")]
2348 )
2349 assert nc == nc2
2350
2351 def test_ne(self):
2352 nc = x509.NameConstraints(
2353 permitted_subtrees=[x509.DNSName(u"name.local")],
2354 excluded_subtrees=[x509.DNSName(u"name2.local")]
2355 )
2356 nc2 = x509.NameConstraints(
2357 permitted_subtrees=[x509.DNSName(u"name.local")],
2358 excluded_subtrees=None
2359 )
2360 nc3 = x509.NameConstraints(
2361 permitted_subtrees=None,
2362 excluded_subtrees=[x509.DNSName(u"name2.local")]
2363 )
2364
2365 assert nc != nc2
2366 assert nc != nc3
2367 assert nc != object()
2368
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2369
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2370@pytest.mark.requires_backend_interface(interface=RSABackend)
2371@pytest.mark.requires_backend_interface(interface=X509Backend)
2372class TestNameConstraintsExtension(object):
2373 def test_permitted_excluded(self, backend):
2374 cert = _load_cert(
2375 os.path.join(
2376 "x509", "custom", "nc_permitted_excluded_2.pem"
2377 ),
2378 x509.load_pem_x509_certificate,
2379 backend
2380 )
2381 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2382 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2383 ).value
2384 assert nc == x509.NameConstraints(
2385 permitted_subtrees=[
2386 x509.DNSName(u"zombo.local"),
2387 ],
2388 excluded_subtrees=[
2389 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2390 x509.NameAttribute(NameOID.COMMON_NAME, u"zombo")
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2391 ]))
2392 ]
2393 )
2394
2395 def test_permitted(self, backend):
2396 cert = _load_cert(
2397 os.path.join(
2398 "x509", "custom", "nc_permitted_2.pem"
2399 ),
2400 x509.load_pem_x509_certificate,
2401 backend
2402 )
2403 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2404 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2405 ).value
2406 assert nc == x509.NameConstraints(
2407 permitted_subtrees=[
2408 x509.DNSName(u"zombo.local"),
2409 ],
2410 excluded_subtrees=None
2411 )
2412
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2413 def test_permitted_with_leading_period(self, backend):
2414 cert = _load_cert(
2415 os.path.join(
2416 "x509", "custom", "nc_permitted.pem"
2417 ),
2418 x509.load_pem_x509_certificate,
2419 backend
2420 )
2421 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2422 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2423 ).value
2424 assert nc == x509.NameConstraints(
2425 permitted_subtrees=[
2426 x509.DNSName(u".cryptography.io"),
2427 x509.UniformResourceIdentifier(u"ftp://cryptography.test")
2428 ],
2429 excluded_subtrees=None
2430 )
2431
2432 def test_excluded_with_leading_period(self, backend):
2433 cert = _load_cert(
2434 os.path.join(
2435 "x509", "custom", "nc_excluded.pem"
2436 ),
2437 x509.load_pem_x509_certificate,
2438 backend
2439 )
2440 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2441 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2442 ).value
2443 assert nc == x509.NameConstraints(
2444 permitted_subtrees=None,
2445 excluded_subtrees=[
2446 x509.DNSName(u".cryptography.io"),
2447 x509.UniformResourceIdentifier(u"gopher://cryptography.test")
2448 ]
2449 )
2450
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2451 def test_permitted_excluded_with_ips(self, backend):
2452 cert = _load_cert(
2453 os.path.join(
2454 "x509", "custom", "nc_permitted_excluded.pem"
2455 ),
2456 x509.load_pem_x509_certificate,
2457 backend
2458 )
2459 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2460 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2461 ).value
2462 assert nc == x509.NameConstraints(
2463 permitted_subtrees=[
2464 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")),
2465 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")),
2466 ],
2467 excluded_subtrees=[
2468 x509.DNSName(u".domain.com"),
2469 x509.UniformResourceIdentifier(u"http://test.local"),
2470 ]
2471 )
2472
Paul Kehrera72ebaf2015-07-01 21:07:37 -0500[diff] [blame]2473 def test_single_ip_netmask(self, backend):
2474 cert = _load_cert(
2475 os.path.join(
2476 "x509", "custom", "nc_single_ip_netmask.pem"
2477 ),
2478 x509.load_pem_x509_certificate,
2479 backend
2480 )
2481 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2482 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrera72ebaf2015-07-01 21:07:37 -0500[diff] [blame]2483 ).value
2484 assert nc == x509.NameConstraints(
2485 permitted_subtrees=[
2486 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/128")),
2487 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.1/32")),
2488 ],
2489 excluded_subtrees=None
2490 )
2491
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2492 def test_invalid_netmask(self, backend):
2493 cert = _load_cert(
2494 os.path.join(
2495 "x509", "custom", "nc_invalid_ip_netmask.pem"
2496 ),
2497 x509.load_pem_x509_certificate,
2498 backend
2499 )
2500 with pytest.raises(ValueError):
2501 cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2502 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2503 )
2504
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2505
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2506class TestDistributionPoint(object):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2507 def test_distribution_point_full_name_not_general_names(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2508 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2509 x509.DistributionPoint(["notgn"], None, None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2510
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2511 def test_distribution_point_relative_name_not_name(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2512 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2513 x509.DistributionPoint(None, "notname", None, None)
2514
2515 def test_distribution_point_full_and_relative_not_none(self):
2516 with pytest.raises(ValueError):
2517 x509.DistributionPoint("data", "notname", None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2518
2519 def test_crl_issuer_not_general_names(self):
2520 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2521 x509.DistributionPoint(None, None, None, ["notgn"])
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2522
2523 def test_reason_not_reasonflags(self):
2524 with pytest.raises(TypeError):
2525 x509.DistributionPoint(
2526 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2527 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2528 frozenset(["notreasonflags"]),
2529 None
2530 )
2531
2532 def test_reason_not_frozenset(self):
2533 with pytest.raises(TypeError):
2534 x509.DistributionPoint(
2535 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2536 None,
2537 [x509.ReasonFlags.ca_compromise],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2538 None
2539 )
2540
2541 def test_disallowed_reasons(self):
2542 with pytest.raises(ValueError):
2543 x509.DistributionPoint(
2544 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2545 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2546 frozenset([x509.ReasonFlags.unspecified]),
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2547 None
2548 )
2549
2550 with pytest.raises(ValueError):
2551 x509.DistributionPoint(
2552 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2553 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2554 frozenset([x509.ReasonFlags.remove_from_crl]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2555 None
2556 )
2557
2558 def test_reason_only(self):
2559 with pytest.raises(ValueError):
2560 x509.DistributionPoint(
2561 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2562 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2563 frozenset([x509.ReasonFlags.aa_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2564 None
2565 )
2566
2567 def test_eq(self):
2568 dp = x509.DistributionPoint(
2569 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2570 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2571 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2572 [
2573 x509.DirectoryName(
2574 x509.Name([
2575 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2576 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2577 )
2578 ])
2579 )
2580 ],
2581 )
2582 dp2 = x509.DistributionPoint(
2583 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2584 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2585 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2586 [
2587 x509.DirectoryName(
2588 x509.Name([
2589 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2590 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2591 )
2592 ])
2593 )
2594 ],
2595 )
2596 assert dp == dp2
2597
2598 def test_ne(self):
2599 dp = x509.DistributionPoint(
2600 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2601 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2602 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2603 [
2604 x509.DirectoryName(
2605 x509.Name([
2606 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2607 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2608 )
2609 ])
2610 )
2611 ],
2612 )
2613 dp2 = x509.DistributionPoint(
2614 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2615 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2616 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2617 None
2618 )
2619 assert dp != dp2
2620 assert dp != object()
2621
2622 def test_repr(self):
2623 dp = x509.DistributionPoint(
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2624 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2625 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2626 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN")
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2627 ]),
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2628 frozenset([x509.ReasonFlags.ca_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2629 [
2630 x509.DirectoryName(
2631 x509.Name([
2632 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2633 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2634 )
2635 ])
2636 )
2637 ],
2638 )
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2639 if six.PY3:
2640 assert repr(dp) == (
2641 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2642 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]2643 ">, value='myCN')>])>, reasons=frozenset({<ReasonFlags.ca_comp"
2644 "romise: 'cACompromise'>}), crl_issuer=[<DirectoryName(value=<"
2645 "Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name="
2646 "commonName)>, value='Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2647 )
2648 else:
2649 assert repr(dp) == (
2650 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2651 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2652 ">, value=u'myCN')>])>, reasons=frozenset([<ReasonFlags.ca_com"
2653 "promise: 'cACompromise'>]), crl_issuer=[<DirectoryName(value="
2654 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
2655 "=commonName)>, value=u'Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2656 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2657
2658
2659class TestCRLDistributionPoints(object):
2660 def test_invalid_distribution_points(self):
2661 with pytest.raises(TypeError):
2662 x509.CRLDistributionPoints(["notadistributionpoint"])
2663
2664 def test_iter_len(self):
2665 cdp = x509.CRLDistributionPoints([
2666 x509.DistributionPoint(
2667 [x509.UniformResourceIdentifier(u"http://domain")],
2668 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2669 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2670 None
2671 ),
2672 x509.DistributionPoint(
2673 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2674 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2675 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2676 x509.ReasonFlags.key_compromise,
2677 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2678 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2679 None
2680 ),
2681 ])
2682 assert len(cdp) == 2
2683 assert list(cdp) == [
2684 x509.DistributionPoint(
2685 [x509.UniformResourceIdentifier(u"http://domain")],
2686 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2687 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2688 None
2689 ),
2690 x509.DistributionPoint(
2691 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2692 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2693 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2694 x509.ReasonFlags.key_compromise,
2695 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2696 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2697 None
2698 ),
2699 ]
2700
2701 def test_repr(self):
2702 cdp = x509.CRLDistributionPoints([
2703 x509.DistributionPoint(
2704 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2705 None,
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2706 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2707 None
2708 ),
2709 ])
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2710 if six.PY3:
2711 assert repr(cdp) == (
2712 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2713 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2714 "ne, reasons=frozenset({<ReasonFlags.key_compromise: 'keyComp"
2715 "romise'>}), crl_issuer=None)>])>"
2716 )
2717 else:
2718 assert repr(cdp) == (
2719 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2720 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2721 "ne, reasons=frozenset([<ReasonFlags.key_compromise: 'keyComp"
2722 "romise'>]), crl_issuer=None)>])>"
2723 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2724
2725 def test_eq(self):
2726 cdp = x509.CRLDistributionPoints([
2727 x509.DistributionPoint(
2728 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2729 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2730 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2731 x509.ReasonFlags.key_compromise,
2732 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2733 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2734 [x509.UniformResourceIdentifier(u"uri://thing")],
2735 ),
2736 ])
2737 cdp2 = x509.CRLDistributionPoints([
2738 x509.DistributionPoint(
2739 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2740 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2741 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2742 x509.ReasonFlags.key_compromise,
2743 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2744 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2745 [x509.UniformResourceIdentifier(u"uri://thing")],
2746 ),
2747 ])
2748 assert cdp == cdp2
2749
2750 def test_ne(self):
2751 cdp = x509.CRLDistributionPoints([
2752 x509.DistributionPoint(
2753 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2754 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2755 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2756 x509.ReasonFlags.key_compromise,
2757 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2758 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2759 [x509.UniformResourceIdentifier(u"uri://thing")],
2760 ),
2761 ])
2762 cdp2 = x509.CRLDistributionPoints([
2763 x509.DistributionPoint(
2764 [x509.UniformResourceIdentifier(u"ftp://domain2")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2765 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2766 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2767 x509.ReasonFlags.key_compromise,
2768 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2769 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2770 [x509.UniformResourceIdentifier(u"uri://thing")],
2771 ),
2772 ])
2773 cdp3 = x509.CRLDistributionPoints([
2774 x509.DistributionPoint(
2775 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2776 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2777 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2778 [x509.UniformResourceIdentifier(u"uri://thing")],
2779 ),
2780 ])
2781 cdp4 = x509.CRLDistributionPoints([
2782 x509.DistributionPoint(
2783 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2784 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2785 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2786 x509.ReasonFlags.key_compromise,
2787 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2788 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2789 [x509.UniformResourceIdentifier(u"uri://thing2")],
2790 ),
2791 ])
2792 assert cdp != cdp2
2793 assert cdp != cdp3
2794 assert cdp != cdp4
2795 assert cdp != object()
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2796
2797
2798@pytest.mark.requires_backend_interface(interface=RSABackend)
2799@pytest.mark.requires_backend_interface(interface=X509Backend)
2800class TestCRLDistributionPointsExtension(object):
2801 def test_fullname_and_crl_issuer(self, backend):
2802 cert = _load_cert(
2803 os.path.join(
2804 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest28EE.crt"
2805 ),
2806 x509.load_der_x509_certificate,
2807 backend
2808 )
2809
2810 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2811 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2812 ).value
2813
2814 assert cdps == x509.CRLDistributionPoints([
2815 x509.DistributionPoint(
2816 full_name=[x509.DirectoryName(
2817 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2818 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2819 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2820 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2821 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2822 ),
2823 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2824 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2825 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2826 ),
2827 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2828 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2829 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2830 ),
2831 ])
2832 )],
2833 relative_name=None,
2834 reasons=None,
2835 crl_issuer=[x509.DirectoryName(
2836 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2837 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2838 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2839 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2840 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2841 ),
2842 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2843 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2844 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2845 ),
2846 ])
2847 )],
2848 )
2849 ])
2850
2851 def test_relativename_and_crl_issuer(self, backend):
2852 cert = _load_cert(
2853 os.path.join(
2854 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest29EE.crt"
2855 ),
2856 x509.load_der_x509_certificate,
2857 backend
2858 )
2859
2860 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2861 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2862 ).value
2863
2864 assert cdps == x509.CRLDistributionPoints([
2865 x509.DistributionPoint(
2866 full_name=None,
2867 relative_name=x509.Name([
2868 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2869 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2870 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2871 ),
2872 ]),
2873 reasons=None,
2874 crl_issuer=[x509.DirectoryName(
2875 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2876 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2877 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2878 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2879 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2880 ),
2881 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2882 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2883 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2884 ),
2885 ])
2886 )],
2887 )
2888 ])
2889
2890 def test_fullname_crl_issuer_reasons(self, backend):
2891 cert = _load_cert(
2892 os.path.join(
2893 "x509", "custom", "cdp_fullname_reasons_crl_issuer.pem"
2894 ),
2895 x509.load_pem_x509_certificate,
2896 backend
2897 )
2898
2899 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2900 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2901 ).value
2902
2903 assert cdps == x509.CRLDistributionPoints([
2904 x509.DistributionPoint(
2905 full_name=[x509.UniformResourceIdentifier(
2906 u"http://myhost.com/myca.crl"
2907 )],
2908 relative_name=None,
2909 reasons=frozenset([
2910 x509.ReasonFlags.key_compromise,
2911 x509.ReasonFlags.ca_compromise
2912 ]),
2913 crl_issuer=[x509.DirectoryName(
2914 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2915 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2916 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2917 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2918 ),
2919 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2920 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2921 ),
2922 ])
2923 )],
2924 )
2925 ])
2926
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]2927 def test_all_reasons(self, backend):
2928 cert = _load_cert(
2929 os.path.join(
2930 "x509", "custom", "cdp_all_reasons.pem"
2931 ),
2932 x509.load_pem_x509_certificate,
2933 backend
2934 )
2935
2936 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2937 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]2938 ).value
2939
2940 assert cdps == x509.CRLDistributionPoints([
2941 x509.DistributionPoint(
2942 full_name=[x509.UniformResourceIdentifier(
2943 u"http://domain.com/some.crl"
2944 )],
2945 relative_name=None,
2946 reasons=frozenset([
2947 x509.ReasonFlags.key_compromise,
2948 x509.ReasonFlags.ca_compromise,
2949 x509.ReasonFlags.affiliation_changed,
2950 x509.ReasonFlags.superseded,
2951 x509.ReasonFlags.privilege_withdrawn,
2952 x509.ReasonFlags.cessation_of_operation,
2953 x509.ReasonFlags.aa_compromise,
2954 x509.ReasonFlags.certificate_hold,
2955 ]),
2956 crl_issuer=None
2957 )
2958 ])
2959
2960 def test_single_reason(self, backend):
2961 cert = _load_cert(
2962 os.path.join(
2963 "x509", "custom", "cdp_reason_aa_compromise.pem"
2964 ),
2965 x509.load_pem_x509_certificate,
2966 backend
2967 )
2968
2969 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2970 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]2971 ).value
2972
2973 assert cdps == x509.CRLDistributionPoints([
2974 x509.DistributionPoint(
2975 full_name=[x509.UniformResourceIdentifier(
2976 u"http://domain.com/some.crl"
2977 )],
2978 relative_name=None,
2979 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
2980 crl_issuer=None
2981 )
2982 ])
2983
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2984 def test_crl_issuer_only(self, backend):
2985 cert = _load_cert(
2986 os.path.join(
2987 "x509", "custom", "cdp_crl_issuer.pem"
2988 ),
2989 x509.load_pem_x509_certificate,
2990 backend
2991 )
2992
2993 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2994 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2995 ).value
2996
2997 assert cdps == x509.CRLDistributionPoints([
2998 x509.DistributionPoint(
2999 full_name=None,
3000 relative_name=None,
3001 reasons=None,
3002 crl_issuer=[x509.DirectoryName(
3003 x509.Name([
3004 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3005 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3006 ),
3007 ])
3008 )],
3009 )
3010 ])
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3011
Dominic Chen87bb9572015-10-09 00:23:07 -0400[diff] [blame]3012 def test_crl_empty_hostname(self, backend):
3013 cert = _load_cert(
3014 os.path.join(
3015 "x509", "custom", "cdp_empty_hostname.pem"
3016 ),
3017 x509.load_pem_x509_certificate,
3018 backend
3019 )
3020
3021 cdps = cert.extensions.get_extension_for_oid(
3022 ExtensionOID.CRL_DISTRIBUTION_POINTS
3023 ).value
3024
3025 assert cdps == x509.CRLDistributionPoints([
3026 x509.DistributionPoint(
3027 full_name=[x509.UniformResourceIdentifier(
3028 u"ldap:/CN=A,OU=B,dc=C,DC=D?E?F?G?H=I"
3029 )],
3030 relative_name=None,
3031 reasons=None,
3032 crl_issuer=None
3033 )
3034 ])
3035
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3036
Paul Kehrerf54a50b2015-06-17 18:31:26 -0600[diff] [blame]3037@pytest.mark.requires_backend_interface(interface=RSABackend)
3038@pytest.mark.requires_backend_interface(interface=X509Backend)
3039class TestOCSPNoCheckExtension(object):
3040 def test_nocheck(self, backend):
3041 cert = _load_cert(
3042 os.path.join(
3043 "x509", "custom", "ocsp_nocheck.pem"
3044 ),
3045 x509.load_pem_x509_certificate,
3046 backend
3047 )
3048 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3049 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf54a50b2015-06-17 18:31:26 -0600[diff] [blame]3050 )
3051 assert isinstance(ext.value, x509.OCSPNoCheck)
3052
3053
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3054class TestInhibitAnyPolicy(object):
3055 def test_not_int(self):
3056 with pytest.raises(TypeError):
3057 x509.InhibitAnyPolicy("notint")
3058
3059 def test_negative_int(self):
3060 with pytest.raises(ValueError):
3061 x509.InhibitAnyPolicy(-1)
3062
3063 def test_repr(self):
3064 iap = x509.InhibitAnyPolicy(0)
3065 assert repr(iap) == "<InhibitAnyPolicy(skip_certs=0)>"
3066
3067 def test_eq(self):
3068 iap = x509.InhibitAnyPolicy(1)
3069 iap2 = x509.InhibitAnyPolicy(1)
3070 assert iap == iap2
3071
3072 def test_ne(self):
3073 iap = x509.InhibitAnyPolicy(1)
3074 iap2 = x509.InhibitAnyPolicy(4)
3075 assert iap != iap2
3076 assert iap != object()
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]3077
3078
3079@pytest.mark.requires_backend_interface(interface=RSABackend)
3080@pytest.mark.requires_backend_interface(interface=X509Backend)
3081class TestInhibitAnyPolicyExtension(object):
3082 def test_nocheck(self, backend):
3083 cert = _load_cert(
3084 os.path.join(
3085 "x509", "custom", "inhibit_any_policy_5.pem"
3086 ),
3087 x509.load_pem_x509_certificate,
3088 backend
3089 )
3090 iap = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3091 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]3092 ).value
3093 assert iap.skip_certs == 5
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]3094
3095
3096@pytest.mark.requires_backend_interface(interface=RSABackend)
3097@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1b7500f2015-08-01 20:56:27 +0100[diff] [blame]3098class TestInvalidExtension(object):
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]3099 def test_invalid_certificate_policies_data(self, backend):
3100 cert = _load_cert(
3101 os.path.join(
3102 "x509", "custom", "cp_invalid.pem"
3103 ),
3104 x509.load_pem_x509_certificate,
3105 backend
3106 )
3107 with pytest.raises(ValueError):
3108 cert.extensions