Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 4db9662ff1d25a0e5f974035c5a2b12b67cb2910 / . / tests / test_x509_ext.py
blob: bce6781f56f8ccc832c6ded1c0fb1dbca7977dd3 [file] [log] [blame]
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]7import binascii
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]8import ipaddress
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]9import os
10
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]11import pytest
12
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]13import six
14
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]15from cryptography import x509
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]16from cryptography.hazmat.backends.interfaces import RSABackend, X509Backend
17
18from .test_x509 import _load_cert
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]19
20
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]21class TestExtension(object):
22 def test_not_an_oid(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]23 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]24 with pytest.raises(TypeError):
25 x509.Extension("notanoid", True, bc)
26
27 def test_critical_not_a_bool(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]28 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]29 with pytest.raises(TypeError):
30 x509.Extension(x509.OID_BASIC_CONSTRAINTS, "notabool", bc)
31
32 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]33 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]34 ext = x509.Extension(x509.OID_BASIC_CONSTRAINTS, True, bc)
35 assert repr(ext) == (
36 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConst"
37 "raints)>, critical=True, value=<BasicConstraints(ca=False, path"
38 "_length=None)>)>"
39 )
40
41
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]42class TestKeyUsage(object):
43 def test_key_agreement_false_encipher_decipher_true(self):
44 with pytest.raises(ValueError):
45 x509.KeyUsage(
46 digital_signature=False,
47 content_commitment=False,
48 key_encipherment=False,
49 data_encipherment=False,
50 key_agreement=False,
51 key_cert_sign=False,
52 crl_sign=False,
53 encipher_only=True,
54 decipher_only=False
55 )
56
57 with pytest.raises(ValueError):
58 x509.KeyUsage(
59 digital_signature=False,
60 content_commitment=False,
61 key_encipherment=False,
62 data_encipherment=False,
63 key_agreement=False,
64 key_cert_sign=False,
65 crl_sign=False,
66 encipher_only=True,
67 decipher_only=True
68 )
69
70 with pytest.raises(ValueError):
71 x509.KeyUsage(
72 digital_signature=False,
73 content_commitment=False,
74 key_encipherment=False,
75 data_encipherment=False,
76 key_agreement=False,
77 key_cert_sign=False,
78 crl_sign=False,
79 encipher_only=False,
80 decipher_only=True
81 )
82
83 def test_properties_key_agreement_true(self):
84 ku = x509.KeyUsage(
85 digital_signature=True,
86 content_commitment=True,
87 key_encipherment=False,
88 data_encipherment=False,
89 key_agreement=False,
90 key_cert_sign=True,
91 crl_sign=False,
92 encipher_only=False,
93 decipher_only=False
94 )
95 assert ku.digital_signature is True
96 assert ku.content_commitment is True
97 assert ku.key_encipherment is False
98 assert ku.data_encipherment is False
99 assert ku.key_agreement is False
100 assert ku.key_cert_sign is True
101 assert ku.crl_sign is False
102
103 def test_key_agreement_true_properties(self):
104 ku = x509.KeyUsage(
105 digital_signature=False,
106 content_commitment=False,
107 key_encipherment=False,
108 data_encipherment=False,
109 key_agreement=True,
110 key_cert_sign=False,
111 crl_sign=False,
112 encipher_only=False,
113 decipher_only=True
114 )
115 assert ku.key_agreement is True
116 assert ku.encipher_only is False
117 assert ku.decipher_only is True
118
119 def test_key_agreement_false_properties(self):
120 ku = x509.KeyUsage(
121 digital_signature=False,
122 content_commitment=False,
123 key_encipherment=False,
124 data_encipherment=False,
125 key_agreement=False,
126 key_cert_sign=False,
127 crl_sign=False,
128 encipher_only=False,
129 decipher_only=False
130 )
131 assert ku.key_agreement is False
132 with pytest.raises(ValueError):
133 ku.encipher_only
134
135 with pytest.raises(ValueError):
136 ku.decipher_only
137
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]138 def test_repr_key_agreement_false(self):
139 ku = x509.KeyUsage(
140 digital_signature=True,
141 content_commitment=True,
142 key_encipherment=False,
143 data_encipherment=False,
144 key_agreement=False,
145 key_cert_sign=True,
146 crl_sign=False,
147 encipher_only=False,
148 decipher_only=False
149 )
150 assert repr(ku) == (
151 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
152 "cipherment=False, data_encipherment=False, key_agreement=False, k"
Paul Kehrerb372e672015-04-15 11:05:24 -0400[diff] [blame]153 "ey_cert_sign=True, crl_sign=False, encipher_only=None, decipher_o"
154 "nly=None)>"
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]155 )
156
157 def test_repr_key_agreement_true(self):
158 ku = x509.KeyUsage(
159 digital_signature=True,
160 content_commitment=True,
161 key_encipherment=False,
162 data_encipherment=False,
163 key_agreement=True,
164 key_cert_sign=True,
165 crl_sign=False,
166 encipher_only=False,
167 decipher_only=False
168 )
169 assert repr(ku) == (
170 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
171 "cipherment=False, data_encipherment=False, key_agreement=True, k"
172 "ey_cert_sign=True, crl_sign=False, encipher_only=False, decipher_"
173 "only=False)>"
174 )
175
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]176
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]177class TestSubjectKeyIdentifier(object):
178 def test_properties(self):
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]179 value = binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]180 ski = x509.SubjectKeyIdentifier(value)
181 assert ski.digest == value
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]182
183 def test_repr(self):
184 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]185 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]186 )
187 ext = x509.Extension(x509.OID_SUBJECT_KEY_IDENTIFIER, False, ski)
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]188 if six.PY3:
189 assert repr(ext) == (
190 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
191 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
192 "igest=b\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
193 "\\xf7\\xff:\\xc9\')>)>"
194 )
195 else:
196 assert repr(ext) == (
197 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
198 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
199 "igest=\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
200 "\\xf7\\xff:\\xc9\')>)>"
201 )
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]202
203 def test_eq(self):
204 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]205 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]206 )
207 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]208 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]209 )
210 assert ski == ski2
211
212 def test_ne(self):
213 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]214 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]215 )
216 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]217 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]218 )
219 assert ski != ski2
220 assert ski != object()
221
222
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]223class TestAuthorityKeyIdentifier(object):
224 def test_authority_cert_issuer_not_name(self):
225 with pytest.raises(TypeError):
226 x509.AuthorityKeyIdentifier(b"identifier", "notname", 3)
227
228 def test_authority_cert_serial_number_not_integer(self):
229 name = x509.Name([
230 x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1'),
231 x509.NameAttribute(x509.ObjectIdentifier('oid2'), 'value2'),
232 ])
233 with pytest.raises(TypeError):
234 x509.AuthorityKeyIdentifier(b"identifier", name, "notanint")
235
236 def test_authority_issuer_none_serial_not_none(self):
237 with pytest.raises(ValueError):
238 x509.AuthorityKeyIdentifier(b"identifier", None, 3)
239
240 def test_authority_issuer_not_none_serial_none(self):
241 name = x509.Name([
242 x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1'),
243 x509.NameAttribute(x509.ObjectIdentifier('oid2'), 'value2'),
244 ])
245 with pytest.raises(ValueError):
246 x509.AuthorityKeyIdentifier(b"identifier", name, None)
247
248 def test_authority_cert_serial_and_issuer_none(self):
249 aki = x509.AuthorityKeyIdentifier(b"id", None, None)
250 assert aki.key_identifier == b"id"
251 assert aki.authority_cert_issuer is None
252 assert aki.authority_cert_serial_number is None
253
254 def test_repr(self):
255 name = x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'myCN')])
256 aki = x509.AuthorityKeyIdentifier(b"digest", name, 1234)
257
258 if six.PY3:
259 assert repr(aki) == (
260 "<AuthorityKeyIdentifier(key_identifier=b'digest', authority_"
261 "cert_issuer=<Name([<NameAttribute(oid=<ObjectIdentifier(oid="
262 "2.5.4.3, name=commonName)>, value='myCN')>])>, authority_cer"
263 "t_serial_number=1234)>"
264 )
265 else:
266 assert repr(aki) == (
267 "<AuthorityKeyIdentifier(key_identifier='digest', authority_ce"
268 "rt_issuer=<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5"
269 ".4.3, name=commonName)>, value='myCN')>])>, authority_cert_se"
270 "rial_number=1234)>"
271 )
272
273
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]274class TestBasicConstraints(object):
275 def test_ca_not_boolean(self):
276 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]277 x509.BasicConstraints(ca="notbool", path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]278
279 def test_path_length_not_ca(self):
280 with pytest.raises(ValueError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]281 x509.BasicConstraints(ca=False, path_length=0)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]282
283 def test_path_length_not_int(self):
284 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]285 x509.BasicConstraints(ca=True, path_length=1.1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]286
287 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]288 x509.BasicConstraints(ca=True, path_length="notint")
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]289
290 def test_path_length_negative(self):
291 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]292 x509.BasicConstraints(ca=True, path_length=-1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]293
294 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]295 na = x509.BasicConstraints(ca=True, path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]296 assert repr(na) == (
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]297 "<BasicConstraints(ca=True, path_length=None)>"
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]298 )
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]299
300
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]301class TestExtendedKeyUsage(object):
302 def test_not_all_oids(self):
303 with pytest.raises(TypeError):
304 x509.ExtendedKeyUsage(["notoid"])
305
306 def test_iter_len(self):
307 eku = x509.ExtendedKeyUsage([
308 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
309 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
310 ])
311 assert len(eku) == 2
312 assert list(eku) == [
313 x509.OID_SERVER_AUTH,
314 x509.OID_CLIENT_AUTH
315 ]
316
Paul Kehrer23d10c32015-04-02 23:12:32 -0500[diff] [blame]317 def test_repr(self):
318 eku = x509.ExtendedKeyUsage([
319 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
320 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
321 ])
322 assert repr(eku) == (
323 "<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name="
324 "serverAuth)>, <ObjectIdentifier(oid=1.3.6.1.5.5.7.3.2, name=clien"
325 "tAuth)>])>"
326 )
327
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]328
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]329@pytest.mark.requires_backend_interface(interface=RSABackend)
330@pytest.mark.requires_backend_interface(interface=X509Backend)
331class TestExtensions(object):
332 def test_no_extensions(self, backend):
333 cert = _load_cert(
334 os.path.join("x509", "verisign_md2_root.pem"),
335 x509.load_pem_x509_certificate,
336 backend
337 )
338 ext = cert.extensions
339 assert len(ext) == 0
340 assert list(ext) == []
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]341 with pytest.raises(x509.ExtensionNotFound) as exc:
342 ext.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
343
344 assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS
345
346 def test_one_extension(self, backend):
347 cert = _load_cert(
348 os.path.join(
349 "x509", "custom", "basic_constraints_not_critical.pem"
350 ),
351 x509.load_pem_x509_certificate,
352 backend
353 )
354 extensions = cert.extensions
355 ext = extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
356 assert ext is not None
357 assert ext.value.ca is False
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]358
359 def test_duplicate_extension(self, backend):
360 cert = _load_cert(
361 os.path.join(
362 "x509", "custom", "two_basic_constraints.pem"
363 ),
364 x509.load_pem_x509_certificate,
365 backend
366 )
367 with pytest.raises(x509.DuplicateExtension) as exc:
368 cert.extensions
369
370 assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS
371
372 def test_unsupported_critical_extension(self, backend):
373 cert = _load_cert(
374 os.path.join(
375 "x509", "custom", "unsupported_extension_critical.pem"
376 ),
377 x509.load_pem_x509_certificate,
378 backend
379 )
380 with pytest.raises(x509.UnsupportedExtension) as exc:
381 cert.extensions
382
383 assert exc.value.oid == x509.ObjectIdentifier("1.2.3.4")
384
385 def test_unsupported_extension(self, backend):
386 # TODO: this will raise an exception when all extensions are complete
387 cert = _load_cert(
388 os.path.join(
389 "x509", "custom", "unsupported_extension.pem"
390 ),
391 x509.load_pem_x509_certificate,
392 backend
393 )
394 extensions = cert.extensions
395 assert len(extensions) == 0
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]396
397
398@pytest.mark.requires_backend_interface(interface=RSABackend)
399@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerde813ea2015-03-28 12:44:34 -0500[diff] [blame]400class TestBasicConstraintsExtension(object):
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]401 def test_ca_true_pathlen_6(self, backend):
402 cert = _load_cert(
403 os.path.join(
404 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
405 ),
406 x509.load_der_x509_certificate,
407 backend
408 )
409 ext = cert.extensions.get_extension_for_oid(
410 x509.OID_BASIC_CONSTRAINTS
411 )
412 assert ext is not None
413 assert ext.critical is True
414 assert ext.value.ca is True
415 assert ext.value.path_length == 6
416
417 def test_path_length_zero(self, backend):
418 cert = _load_cert(
419 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
420 x509.load_pem_x509_certificate,
421 backend
422 )
423 ext = cert.extensions.get_extension_for_oid(
424 x509.OID_BASIC_CONSTRAINTS
425 )
426 assert ext is not None
427 assert ext.critical is True
428 assert ext.value.ca is True
429 assert ext.value.path_length == 0
430
431 def test_ca_true_no_pathlen(self, backend):
432 cert = _load_cert(
433 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
434 x509.load_der_x509_certificate,
435 backend
436 )
437 ext = cert.extensions.get_extension_for_oid(
438 x509.OID_BASIC_CONSTRAINTS
439 )
440 assert ext is not None
441 assert ext.critical is True
442 assert ext.value.ca is True
443 assert ext.value.path_length is None
444
445 def test_ca_false(self, backend):
446 cert = _load_cert(
447 os.path.join("x509", "cryptography.io.pem"),
448 x509.load_pem_x509_certificate,
449 backend
450 )
451 ext = cert.extensions.get_extension_for_oid(
452 x509.OID_BASIC_CONSTRAINTS
453 )
454 assert ext is not None
455 assert ext.critical is True
456 assert ext.value.ca is False
457 assert ext.value.path_length is None
458
459 def test_no_basic_constraints(self, backend):
460 cert = _load_cert(
461 os.path.join(
462 "x509",
463 "PKITS_data",
464 "certs",
465 "ValidCertificatePathTest1EE.crt"
466 ),
467 x509.load_der_x509_certificate,
468 backend
469 )
470 with pytest.raises(x509.ExtensionNotFound):
471 cert.extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
472
473 def test_basic_constraint_not_critical(self, backend):
474 cert = _load_cert(
475 os.path.join(
476 "x509", "custom", "basic_constraints_not_critical.pem"
477 ),
478 x509.load_pem_x509_certificate,
479 backend
480 )
481 ext = cert.extensions.get_extension_for_oid(
482 x509.OID_BASIC_CONSTRAINTS
483 )
484 assert ext is not None
485 assert ext.critical is False
486 assert ext.value.ca is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]487
488
489@pytest.mark.requires_backend_interface(interface=RSABackend)
490@pytest.mark.requires_backend_interface(interface=X509Backend)
491class TestSubjectKeyIdentifierExtension(object):
492 def test_subject_key_identifier(self, backend):
493 cert = _load_cert(
494 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
495 x509.load_der_x509_certificate,
496 backend
497 )
498 ext = cert.extensions.get_extension_for_oid(
499 x509.OID_SUBJECT_KEY_IDENTIFIER
500 )
501 ski = ext.value
502 assert ext is not None
503 assert ext.critical is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]504 assert ski.digest == binascii.unhexlify(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]505 b"580184241bbc2b52944a3da510721451f5af3ac9"
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]506 )
507
508 def test_no_subject_key_identifier(self, backend):
509 cert = _load_cert(
510 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
511 x509.load_pem_x509_certificate,
512 backend
513 )
514 with pytest.raises(x509.ExtensionNotFound):
515 cert.extensions.get_extension_for_oid(
516 x509.OID_SUBJECT_KEY_IDENTIFIER
517 )
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]518
519
520@pytest.mark.requires_backend_interface(interface=RSABackend)
521@pytest.mark.requires_backend_interface(interface=X509Backend)
522class TestKeyUsageExtension(object):
523 def test_no_key_usage(self, backend):
524 cert = _load_cert(
525 os.path.join("x509", "verisign_md2_root.pem"),
526 x509.load_pem_x509_certificate,
527 backend
528 )
529 ext = cert.extensions
530 with pytest.raises(x509.ExtensionNotFound) as exc:
531 ext.get_extension_for_oid(x509.OID_KEY_USAGE)
532
533 assert exc.value.oid == x509.OID_KEY_USAGE
534
535 def test_all_purposes(self, backend):
536 cert = _load_cert(
537 os.path.join(
538 "x509", "custom", "all_key_usages.pem"
539 ),
540 x509.load_pem_x509_certificate,
541 backend
542 )
543 extensions = cert.extensions
544 ext = extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
545 assert ext is not None
546
547 ku = ext.value
548 assert ku.digital_signature is True
549 assert ku.content_commitment is True
550 assert ku.key_encipherment is True
551 assert ku.data_encipherment is True
552 assert ku.key_agreement is True
553 assert ku.key_cert_sign is True
554 assert ku.crl_sign is True
555 assert ku.encipher_only is True
556 assert ku.decipher_only is True
557
558 def test_key_cert_sign_crl_sign(self, backend):
559 cert = _load_cert(
560 os.path.join(
561 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
562 ),
563 x509.load_der_x509_certificate,
564 backend
565 )
566 ext = cert.extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
567 assert ext is not None
568 assert ext.critical is True
569
570 ku = ext.value
571 assert ku.digital_signature is False
572 assert ku.content_commitment is False
573 assert ku.key_encipherment is False
574 assert ku.data_encipherment is False
575 assert ku.key_agreement is False
576 assert ku.key_cert_sign is True
577 assert ku.crl_sign is True
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]578
579
580@pytest.mark.parametrize(
581 "name", [
582 x509.RFC822Name,
583 x509.DNSName,
584 x509.UniformResourceIdentifier
585 ]
586)
587class TestTextGeneralNames(object):
588 def test_not_text(self, name):
589 with pytest.raises(TypeError):
590 name(b"notaunicodestring")
591
592 with pytest.raises(TypeError):
593 name(1.3)
594
595 def test_repr(self, name):
596 gn = name(six.u("string"))
597 assert repr(gn) == "<{0}(value=string)>".format(name.__name__)
598
599 def test_eq(self, name):
600 gn = name(six.u("string"))
601 gn2 = name(six.u("string"))
602 assert gn == gn2
603
604 def test_ne(self, name):
605 gn = name(six.u("string"))
606 gn2 = name(six.u("string2"))
607 assert gn != gn2
608 assert gn != object()
609
610
611class TestDirectoryName(object):
612 def test_not_name(self):
613 with pytest.raises(TypeError):
614 x509.DirectoryName(b"notaname")
615
616 with pytest.raises(TypeError):
617 x509.DirectoryName(1.3)
618
619 def test_repr(self):
620 name = x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'value1')])
621 gn = x509.DirectoryName(x509.Name([name]))
622 assert repr(gn) == (
623 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<ObjectIden"
624 "tifier(oid=2.5.4.3, name=commonName)>, value='value1')>])>])>)>"
625 )
626
627 def test_eq(self):
628 name = x509.Name([
629 x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1')
630 ])
631 name2 = x509.Name([
632 x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1')
633 ])
634 gn = x509.DirectoryName(x509.Name([name]))
635 gn2 = x509.DirectoryName(x509.Name([name2]))
636 assert gn == gn2
637
638 def test_ne(self):
639 name = x509.Name([
640 x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1')
641 ])
642 name2 = x509.Name([
643 x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value2')
644 ])
645 gn = x509.DirectoryName(x509.Name([name]))
646 gn2 = x509.DirectoryName(x509.Name([name2]))
647 assert gn != gn2
648 assert gn != object()
649
650
651class TestRegisteredID(object):
652 def test_not_oid(self):
653 with pytest.raises(TypeError):
654 x509.RegisteredID(b"notanoid")
655
656 with pytest.raises(TypeError):
657 x509.RegisteredID(1.3)
658
659 def test_repr(self):
660 gn = x509.RegisteredID(x509.OID_COMMON_NAME)
661 assert repr(gn) == (
662 "<RegisteredID(value=<ObjectIdentifier(oid=2.5.4.3, name=commonNam"
663 "e)>)>"
664 )
665
666 def test_eq(self):
667 gn = x509.RegisteredID(x509.OID_COMMON_NAME)
668 gn2 = x509.RegisteredID(x509.OID_COMMON_NAME)
669 assert gn == gn2
670
671 def test_ne(self):
672 gn = x509.RegisteredID(x509.OID_COMMON_NAME)
673 gn2 = x509.RegisteredID(x509.OID_BASIC_CONSTRAINTS)
674 assert gn != gn2
675 assert gn != object()
676
677
678class TestIPAddress(object):
679 def test_not_ipaddress(self):
680 with pytest.raises(TypeError):
681 x509.IPAddress(b"notanipaddress")
682
683 with pytest.raises(TypeError):
684 x509.IPAddress(1.3)
685
686 def test_repr(self):
687 gn = x509.IPAddress(ipaddress.IPv4Address(six.u("127.0.0.1")))
688 assert repr(gn) == "<IPAddress(value=127.0.0.1)>"
689
690 gn2 = x509.IPAddress(ipaddress.IPv6Address(six.u("ff::")))
691 assert repr(gn2) == "<IPAddress(value=ff::)>"
692
693 def test_eq(self):
694 gn = x509.IPAddress(ipaddress.IPv4Address(six.u("127.0.0.1")))
695 gn2 = x509.IPAddress(ipaddress.IPv4Address(six.u("127.0.0.1")))
696 assert gn == gn2
697
698 def test_ne(self):
699 gn = x509.IPAddress(ipaddress.IPv4Address(six.u("127.0.0.1")))
700 gn2 = x509.IPAddress(ipaddress.IPv4Address(six.u("127.0.0.2")))
701 assert gn != gn2
702 assert gn != object()
703
704
705class TestSubjectAlternativeName(object):
706 def test_get_values_for_type(self):
707 san = x509.SubjectAlternativeName(
708 [x509.DNSName(six.u("cryptography.io"))]
709 )
710 names = san.get_values_for_type(x509.DNSName)
711 assert names == [six.u("cryptography.io")]
712
713 def test_iter_names(self):
714 san = x509.SubjectAlternativeName([
715 x509.DNSName(six.u("cryptography.io")),
716 x509.DNSName(six.u("crypto.local")),
717 ])
718 assert len(san) == 2
719 assert list(san) == [
720 x509.DNSName(six.u("cryptography.io")),
721 x509.DNSName(six.u("crypto.local")),
722 ]
723
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]724 def test_invalid_general_names(self):
725 with pytest.raises(TypeError):
726 x509.SubjectAlternativeName(
727 [x509.DNSName(six.u("cryptography.io")), "invalid"]
728 )
729
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]730 def test_repr(self):
731 san = x509.SubjectAlternativeName(
732 [
733 x509.DNSName(six.u("cryptography.io"))
734 ]
735 )
736 assert repr(san) == (
737 "<SubjectAlternativeName([<DNSName(value=cryptography.io)>])>"
738 )
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]739
740
741@pytest.mark.requires_backend_interface(interface=RSABackend)
742@pytest.mark.requires_backend_interface(interface=X509Backend)
743class TestRSASubjectAlternativeNameExtension(object):
744 def test_dns_name(self, backend):
745 cert = _load_cert(
746 os.path.join("x509", "cryptography.io.pem"),
747 x509.load_pem_x509_certificate,
748 backend
749 )
750 ext = cert.extensions.get_extension_for_oid(
751 x509.OID_SUBJECT_ALTERNATIVE_NAME
752 )
753 assert ext is not None
754 assert ext.critical is False
755
756 san = ext.value
757
758 dns = san.get_values_for_type(x509.DNSName)
759 assert dns == [u"www.cryptography.io", u"cryptography.io"]
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]760
761 def test_unsupported_other_name(self, backend):
762 cert = _load_cert(
763 os.path.join(
764 "x509", "custom", "san_other_name.pem"
765 ),
766 x509.load_pem_x509_certificate,
767 backend
768 )
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]769 with pytest.raises(x509.UnsupportedGeneralNameType) as exc:
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]770 cert.extensions
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]771
Paul Kehrer0a621bf2015-04-22 09:22:56 -0500[diff] [blame]772 assert exc.value.type == 0
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame^]773
774 def test_registered_id(self, backend):
775 cert = _load_cert(
776 os.path.join(
777 "x509", "custom", "san_registered_id.pem"
778 ),
779 x509.load_pem_x509_certificate,
780 backend
781 )
782 ext = cert.extensions.get_extension_for_oid(
783 x509.OID_SUBJECT_ALTERNATIVE_NAME
784 )
785 assert ext is not None
786 assert ext.critical is False
787
788 san = ext.value
789 rid = san.get_values_for_type(x509.RegisteredID)
790 assert rid == [x509.ObjectIdentifier("1.2.3.4")]