Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 50e9dd8a9bb78e0da0e97cbed2fad7620ef997e4 / . / tests / test_x509_ext.py
blob: 7c5ca5f2ee148e4924e38a82407211d96b222fbd [file] [log] [blame]
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]7import binascii
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]8import datetime
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]9import ipaddress
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]10import os
11
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]12import pytest
13
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]14import six
15
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]16from cryptography import x509
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]17from cryptography.hazmat.backends.interfaces import (
18 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
19)
20from cryptography.hazmat.primitives.asymmetric import ec
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]21from cryptography.x509.oid import (
Nick Bastin326fc8e2015-12-12 19:08:12 -0800[diff] [blame]22 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID,
23 NameOID, ObjectIdentifier
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]24)
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]25
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]26from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]27from .test_x509 import _load_cert
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]28
29
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]30class TestExtension(object):
31 def test_not_an_oid(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]32 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]33 with pytest.raises(TypeError):
34 x509.Extension("notanoid", True, bc)
35
36 def test_critical_not_a_bool(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]37 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]38 with pytest.raises(TypeError):
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]39 x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, "notabool", bc)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]40
41 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]42 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]43 ext = x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, True, bc)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]44 assert repr(ext) == (
45 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConst"
46 "raints)>, critical=True, value=<BasicConstraints(ca=False, path"
47 "_length=None)>)>"
48 )
49
Paul Kehrer58e870c2015-05-17 09:15:30 -0700[diff] [blame]50 def test_eq(self):
51 ext1 = x509.Extension(
52 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
53 )
54 ext2 = x509.Extension(
55 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
56 )
57 assert ext1 == ext2
58
59 def test_ne(self):
60 ext1 = x509.Extension(
61 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
62 )
63 ext2 = x509.Extension(
64 x509.ObjectIdentifier('1.2.3.5'), False, 'value'
65 )
66 ext3 = x509.Extension(
67 x509.ObjectIdentifier('1.2.3.4'), True, 'value'
68 )
69 ext4 = x509.Extension(
70 x509.ObjectIdentifier('1.2.3.4'), False, 'value4'
71 )
72 assert ext1 != ext2
73 assert ext1 != ext3
74 assert ext1 != ext4
75 assert ext1 != object()
76
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]77
Paul Kehrer14fd6972015-12-30 10:58:25 -0600[diff] [blame]78class TestUnrecognizedExtension(object):
79 def test_invalid_oid(self):
80 with pytest.raises(TypeError):
81 x509.UnrecognizedExtension("notanoid", b"somedata")
82
83 def test_eq(self):
84 ext1 = x509.UnrecognizedExtension(
85 x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x01"
86 )
87 ext2 = x509.UnrecognizedExtension(
88 x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x01"
89 )
90 assert ext1 == ext2
91
92 def test_ne(self):
93 ext1 = x509.UnrecognizedExtension(
94 x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x01"
95 )
96 ext2 = x509.UnrecognizedExtension(
97 x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x02"
98 )
99 ext3 = x509.UnrecognizedExtension(
100 x509.ObjectIdentifier("1.2.3.5"), b"\x03\x02\x01"
101 )
102 assert ext1 != ext2
103 assert ext1 != ext3
104 assert ext1 != object()
105
106 def test_repr(self):
107 ext1 = x509.UnrecognizedExtension(
108 x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x01"
109 )
Paul Kehrer50e9dd82015-12-30 12:20:55 -0600[diff] [blame^]110 if six.PY3:
111 assert repr(ext1) == (
112 "<UnrecognizedExtension(oid=<ObjectIdentifier(oid=1.2.3.4, "
113 "name=Unknown OID)>, value=b'\\x03\\x02\\x01')>"
114 )
115 else:
116 assert repr(ext1) == (
117 "<UnrecognizedExtension(oid=<ObjectIdentifier(oid=1.2.3.4, "
118 "name=Unknown OID)>, value='\\x03\\x02\\x01')>"
119 )
Paul Kehrer14fd6972015-12-30 10:58:25 -0600[diff] [blame]120
121 def test_hash(self):
122 ext1 = x509.UnrecognizedExtension(
123 x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x01"
124 )
125 ext2 = x509.UnrecognizedExtension(
126 x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x01"
127 )
128 ext3 = x509.UnrecognizedExtension(
129 x509.ObjectIdentifier("1.2.3.5"), b"\x03\x02\x01"
130 )
131 assert hash(ext1) == hash(ext2)
132 assert hash(ext1) != hash(ext3)
133
134
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]135class TestCertificateIssuer(object):
136 def test_iter_names(self):
137 ci = x509.CertificateIssuer([
138 x509.DNSName(u"cryptography.io"),
139 x509.DNSName(u"crypto.local"),
140 ])
141 assert len(ci) == 2
142 assert list(ci) == [
143 x509.DNSName(u"cryptography.io"),
144 x509.DNSName(u"crypto.local"),
145 ]
146
Paul Kehrer5c999d32015-12-26 17:45:20 -0600[diff] [blame]147 def test_indexing(self):
148 ci = x509.CertificateIssuer([
149 x509.DNSName(u"cryptography.io"),
150 x509.DNSName(u"crypto.local"),
151 x509.DNSName(u"another.local"),
152 x509.RFC822Name(u"email@another.local"),
153 x509.UniformResourceIdentifier(u"http://another.local"),
154 ])
155 assert ci[-1] == ci[4]
156 assert ci[2:6:2] == [ci[2], ci[4]]
157
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]158 def test_eq(self):
159 ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
160 ci2 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
161 assert ci1 == ci2
162
163 def test_ne(self):
164 ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
165 ci2 = x509.CertificateIssuer([x509.DNSName(u"somethingelse.tld")])
166 assert ci1 != ci2
167 assert ci1 != object()
168
169 def test_repr(self):
170 ci = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
171 assert repr(ci) == (
172 "<CertificateIssuer(<GeneralNames([<DNSName(value=cryptography.io"
173 ")>])>)>"
174 )
175
176 def test_get_values_for_type(self):
177 ci = x509.CertificateIssuer(
178 [x509.DNSName(u"cryptography.io")]
179 )
180 names = ci.get_values_for_type(x509.DNSName)
181 assert names == [u"cryptography.io"]
182
183
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]184class TestCRLReason(object):
185 def test_invalid_reason_flags(self):
186 with pytest.raises(TypeError):
187 x509.CRLReason("notareason")
188
189 def test_eq(self):
190 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
191 reason2 = x509.CRLReason(x509.ReasonFlags.unspecified)
192 assert reason1 == reason2
193
194 def test_ne(self):
195 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
196 reason2 = x509.CRLReason(x509.ReasonFlags.ca_compromise)
197 assert reason1 != reason2
198 assert reason1 != object()
199
Alex Gaynor07d5cae2015-12-27 15:30:39 -0500[diff] [blame]200 def test_hash(self):
201 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
202 reason2 = x509.CRLReason(x509.ReasonFlags.unspecified)
203 reason3 = x509.CRLReason(x509.ReasonFlags.ca_compromise)
204
205 assert hash(reason1) == hash(reason2)
206 assert hash(reason1) != hash(reason3)
207
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]208 def test_repr(self):
209 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
210 assert repr(reason1) == (
211 "<CRLReason(reason=ReasonFlags.unspecified)>"
212 )
213
214
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]215class TestInvalidityDate(object):
216 def test_invalid_invalidity_date(self):
217 with pytest.raises(TypeError):
218 x509.InvalidityDate("notadate")
219
220 def test_eq(self):
221 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
222 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
223 assert invalid1 == invalid2
224
225 def test_ne(self):
226 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
227 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 2))
228 assert invalid1 != invalid2
229 assert invalid1 != object()
230
231 def test_repr(self):
232 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
233 assert repr(invalid1) == (
234 "<InvalidityDate(invalidity_date=2015-01-01 01:01:00)>"
235 )
236
Paul Kehrer67cde762015-12-26 11:37:14 -0600[diff] [blame]237 def test_hash(self):
238 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
239 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
240 invalid3 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 2))
241 assert hash(invalid1) == hash(invalid2)
242 assert hash(invalid1) != hash(invalid3)
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]243
Paul Kehrerc0297dd2015-12-26 11:37:57 -0600[diff] [blame]244
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]245class TestNoticeReference(object):
246 def test_notice_numbers_not_all_int(self):
247 with pytest.raises(TypeError):
248 x509.NoticeReference("org", [1, 2, "three"])
249
250 def test_notice_numbers_none(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]251 with pytest.raises(TypeError):
252 x509.NoticeReference("org", None)
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]253
254 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]255 nr = x509.NoticeReference(u"org", [1, 3, 4])
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]256
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]257 if six.PY3:
258 assert repr(nr) == (
259 "<NoticeReference(organization='org', notice_numbers=[1, 3, 4"
260 "])>"
261 )
262 else:
263 assert repr(nr) == (
264 "<NoticeReference(organization=u'org', notice_numbers=[1, 3, "
265 "4])>"
266 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]267
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]268 def test_eq(self):
269 nr = x509.NoticeReference("org", [1, 2])
270 nr2 = x509.NoticeReference("org", [1, 2])
271 assert nr == nr2
272
273 def test_ne(self):
274 nr = x509.NoticeReference("org", [1, 2])
275 nr2 = x509.NoticeReference("org", [1])
276 nr3 = x509.NoticeReference(None, [1, 2])
277 assert nr != nr2
278 assert nr != nr3
279 assert nr != object()
280
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]281
282class TestUserNotice(object):
283 def test_notice_reference_invalid(self):
284 with pytest.raises(TypeError):
285 x509.UserNotice("invalid", None)
286
287 def test_notice_reference_none(self):
288 un = x509.UserNotice(None, "text")
289 assert un.notice_reference is None
290 assert un.explicit_text == "text"
291
292 def test_repr(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]293 un = x509.UserNotice(x509.NoticeReference(u"org", [1]), u"text")
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]294 if six.PY3:
295 assert repr(un) == (
296 "<UserNotice(notice_reference=<NoticeReference(organization='"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]297 "org', notice_numbers=[1])>, explicit_text='text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]298 )
299 else:
300 assert repr(un) == (
301 "<UserNotice(notice_reference=<NoticeReference(organization=u"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]302 "'org', notice_numbers=[1])>, explicit_text=u'text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]303 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]304
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]305 def test_eq(self):
306 nr = x509.NoticeReference("org", [1, 2])
307 nr2 = x509.NoticeReference("org", [1, 2])
308 un = x509.UserNotice(nr, "text")
309 un2 = x509.UserNotice(nr2, "text")
310 assert un == un2
311
312 def test_ne(self):
313 nr = x509.NoticeReference("org", [1, 2])
314 nr2 = x509.NoticeReference("org", [1])
315 un = x509.UserNotice(nr, "text")
316 un2 = x509.UserNotice(nr2, "text")
317 un3 = x509.UserNotice(nr, "text3")
318 assert un != un2
319 assert un != un3
320 assert un != object()
321
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]322
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]323class TestPolicyInformation(object):
324 def test_invalid_policy_identifier(self):
325 with pytest.raises(TypeError):
326 x509.PolicyInformation("notanoid", None)
327
328 def test_none_policy_qualifiers(self):
329 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), None)
330 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
331 assert pi.policy_qualifiers is None
332
333 def test_policy_qualifiers(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]334 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]335 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
336 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
337 assert pi.policy_qualifiers == pq
338
339 def test_invalid_policy_identifiers(self):
340 with pytest.raises(TypeError):
341 x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [1, 2])
342
343 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]344 pq = [u"string", x509.UserNotice(None, u"hi")]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]345 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]346 if six.PY3:
347 assert repr(pi) == (
348 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
349 "2.3, name=Unknown OID)>, policy_qualifiers=['string', <UserNo"
Paul Kehrer9aaef9e2015-05-11 10:49:20 -0500[diff] [blame]350 "tice(notice_reference=None, explicit_text='hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]351 )
352 else:
353 assert repr(pi) == (
354 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
355 "2.3, name=Unknown OID)>, policy_qualifiers=[u'string', <UserN"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]356 "otice(notice_reference=None, explicit_text=u'hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]357 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]358
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]359 def test_eq(self):
360 pi = x509.PolicyInformation(
361 x509.ObjectIdentifier("1.2.3"),
362 [u"string", x509.UserNotice(None, u"hi")]
363 )
364 pi2 = x509.PolicyInformation(
365 x509.ObjectIdentifier("1.2.3"),
366 [u"string", x509.UserNotice(None, u"hi")]
367 )
368 assert pi == pi2
369
370 def test_ne(self):
371 pi = x509.PolicyInformation(
372 x509.ObjectIdentifier("1.2.3"), [u"string"]
373 )
374 pi2 = x509.PolicyInformation(
375 x509.ObjectIdentifier("1.2.3"), [u"string2"]
376 )
377 pi3 = x509.PolicyInformation(
378 x509.ObjectIdentifier("1.2.3.4"), [u"string"]
379 )
380 assert pi != pi2
381 assert pi != pi3
382 assert pi != object()
383
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]384
385class TestCertificatePolicies(object):
386 def test_invalid_policies(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]387 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]388 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
389 with pytest.raises(TypeError):
390 x509.CertificatePolicies([1, pi])
391
392 def test_iter_len(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]393 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]394 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
395 cp = x509.CertificatePolicies([pi])
396 assert len(cp) == 1
397 for policyinfo in cp:
398 assert policyinfo == pi
399
400 def test_repr(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]401 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]402 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
403 cp = x509.CertificatePolicies([pi])
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]404 if six.PY3:
405 assert repr(cp) == (
406 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
407 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
408 "ers=['string'])>])>"
409 )
410 else:
411 assert repr(cp) == (
412 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
413 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
414 "ers=[u'string'])>])>"
415 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]416
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]417 def test_eq(self):
418 pi = x509.PolicyInformation(
419 x509.ObjectIdentifier("1.2.3"), [u"string"]
420 )
421 cp = x509.CertificatePolicies([pi])
422 pi2 = x509.PolicyInformation(
423 x509.ObjectIdentifier("1.2.3"), [u"string"]
424 )
425 cp2 = x509.CertificatePolicies([pi2])
426 assert cp == cp2
427
428 def test_ne(self):
429 pi = x509.PolicyInformation(
430 x509.ObjectIdentifier("1.2.3"), [u"string"]
431 )
432 cp = x509.CertificatePolicies([pi])
433 pi2 = x509.PolicyInformation(
434 x509.ObjectIdentifier("1.2.3"), [u"string2"]
435 )
436 cp2 = x509.CertificatePolicies([pi2])
437 assert cp != cp2
438 assert cp != object()
439
Paul Kehrere8db7bd2015-12-27 17:32:57 -0600[diff] [blame]440 def test_indexing(self):
441 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [u"test"])
442 pi2 = x509.PolicyInformation(x509.ObjectIdentifier("1.2.4"), [u"test"])
443 pi3 = x509.PolicyInformation(x509.ObjectIdentifier("1.2.5"), [u"test"])
444 pi4 = x509.PolicyInformation(x509.ObjectIdentifier("1.2.6"), [u"test"])
445 pi5 = x509.PolicyInformation(x509.ObjectIdentifier("1.2.7"), [u"test"])
446 cp = x509.CertificatePolicies([pi, pi2, pi3, pi4, pi5])
447 assert cp[-1] == cp[4]
448 assert cp[2:6:2] == [cp[2], cp[4]]
449
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]450
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]451@pytest.mark.requires_backend_interface(interface=RSABackend)
452@pytest.mark.requires_backend_interface(interface=X509Backend)
453class TestCertificatePoliciesExtension(object):
454 def test_cps_uri_policy_qualifier(self, backend):
455 cert = _load_cert(
456 os.path.join("x509", "custom", "cp_cps_uri.pem"),
457 x509.load_pem_x509_certificate,
458 backend
459 )
460
461 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]462 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]463 ).value
464
465 assert cp == x509.CertificatePolicies([
466 x509.PolicyInformation(
467 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
468 [u"http://other.com/cps"]
469 )
470 ])
471
472 def test_user_notice_with_notice_reference(self, backend):
473 cert = _load_cert(
474 os.path.join(
475 "x509", "custom", "cp_user_notice_with_notice_reference.pem"
476 ),
477 x509.load_pem_x509_certificate,
478 backend
479 )
480
481 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]482 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]483 ).value
484
485 assert cp == x509.CertificatePolicies([
486 x509.PolicyInformation(
487 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
488 [
489 u"http://example.com/cps",
490 u"http://other.com/cps",
491 x509.UserNotice(
492 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
493 u"thing"
494 )
495 ]
496 )
497 ])
498
499 def test_user_notice_with_explicit_text(self, backend):
500 cert = _load_cert(
501 os.path.join(
502 "x509", "custom", "cp_user_notice_with_explicit_text.pem"
503 ),
504 x509.load_pem_x509_certificate,
505 backend
506 )
507
508 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]509 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]510 ).value
511
512 assert cp == x509.CertificatePolicies([
513 x509.PolicyInformation(
514 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
515 [x509.UserNotice(None, u"thing")]
516 )
517 ])
518
519 def test_user_notice_no_explicit_text(self, backend):
520 cert = _load_cert(
521 os.path.join(
522 "x509", "custom", "cp_user_notice_no_explicit_text.pem"
523 ),
524 x509.load_pem_x509_certificate,
525 backend
526 )
527
528 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]529 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]530 ).value
531
532 assert cp == x509.CertificatePolicies([
533 x509.PolicyInformation(
534 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
535 [
536 x509.UserNotice(
537 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
538 None
539 )
540 ]
541 )
542 ])
543
544
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]545class TestKeyUsage(object):
546 def test_key_agreement_false_encipher_decipher_true(self):
547 with pytest.raises(ValueError):
548 x509.KeyUsage(
549 digital_signature=False,
550 content_commitment=False,
551 key_encipherment=False,
552 data_encipherment=False,
553 key_agreement=False,
554 key_cert_sign=False,
555 crl_sign=False,
556 encipher_only=True,
557 decipher_only=False
558 )
559
560 with pytest.raises(ValueError):
561 x509.KeyUsage(
562 digital_signature=False,
563 content_commitment=False,
564 key_encipherment=False,
565 data_encipherment=False,
566 key_agreement=False,
567 key_cert_sign=False,
568 crl_sign=False,
569 encipher_only=True,
570 decipher_only=True
571 )
572
573 with pytest.raises(ValueError):
574 x509.KeyUsage(
575 digital_signature=False,
576 content_commitment=False,
577 key_encipherment=False,
578 data_encipherment=False,
579 key_agreement=False,
580 key_cert_sign=False,
581 crl_sign=False,
582 encipher_only=False,
583 decipher_only=True
584 )
585
586 def test_properties_key_agreement_true(self):
587 ku = x509.KeyUsage(
588 digital_signature=True,
589 content_commitment=True,
590 key_encipherment=False,
591 data_encipherment=False,
592 key_agreement=False,
593 key_cert_sign=True,
594 crl_sign=False,
595 encipher_only=False,
596 decipher_only=False
597 )
598 assert ku.digital_signature is True
599 assert ku.content_commitment is True
600 assert ku.key_encipherment is False
601 assert ku.data_encipherment is False
602 assert ku.key_agreement is False
603 assert ku.key_cert_sign is True
604 assert ku.crl_sign is False
605
606 def test_key_agreement_true_properties(self):
607 ku = x509.KeyUsage(
608 digital_signature=False,
609 content_commitment=False,
610 key_encipherment=False,
611 data_encipherment=False,
612 key_agreement=True,
613 key_cert_sign=False,
614 crl_sign=False,
615 encipher_only=False,
616 decipher_only=True
617 )
618 assert ku.key_agreement is True
619 assert ku.encipher_only is False
620 assert ku.decipher_only is True
621
622 def test_key_agreement_false_properties(self):
623 ku = x509.KeyUsage(
624 digital_signature=False,
625 content_commitment=False,
626 key_encipherment=False,
627 data_encipherment=False,
628 key_agreement=False,
629 key_cert_sign=False,
630 crl_sign=False,
631 encipher_only=False,
632 decipher_only=False
633 )
634 assert ku.key_agreement is False
635 with pytest.raises(ValueError):
636 ku.encipher_only
637
638 with pytest.raises(ValueError):
639 ku.decipher_only
640
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]641 def test_repr_key_agreement_false(self):
642 ku = x509.KeyUsage(
643 digital_signature=True,
644 content_commitment=True,
645 key_encipherment=False,
646 data_encipherment=False,
647 key_agreement=False,
648 key_cert_sign=True,
649 crl_sign=False,
650 encipher_only=False,
651 decipher_only=False
652 )
653 assert repr(ku) == (
654 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
655 "cipherment=False, data_encipherment=False, key_agreement=False, k"
Paul Kehrerb372e672015-04-15 11:05:24 -0400[diff] [blame]656 "ey_cert_sign=True, crl_sign=False, encipher_only=None, decipher_o"
657 "nly=None)>"
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]658 )
659
660 def test_repr_key_agreement_true(self):
661 ku = x509.KeyUsage(
662 digital_signature=True,
663 content_commitment=True,
664 key_encipherment=False,
665 data_encipherment=False,
666 key_agreement=True,
667 key_cert_sign=True,
668 crl_sign=False,
669 encipher_only=False,
670 decipher_only=False
671 )
672 assert repr(ku) == (
673 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
674 "cipherment=False, data_encipherment=False, key_agreement=True, k"
675 "ey_cert_sign=True, crl_sign=False, encipher_only=False, decipher_"
676 "only=False)>"
677 )
678
Paul Kehrer8565f5e2015-05-13 09:57:09 -0500[diff] [blame]679 def test_eq(self):
680 ku = x509.KeyUsage(
681 digital_signature=False,
682 content_commitment=False,
683 key_encipherment=False,
684 data_encipherment=False,
685 key_agreement=True,
686 key_cert_sign=False,
687 crl_sign=False,
688 encipher_only=False,
689 decipher_only=True
690 )
691 ku2 = x509.KeyUsage(
692 digital_signature=False,
693 content_commitment=False,
694 key_encipherment=False,
695 data_encipherment=False,
696 key_agreement=True,
697 key_cert_sign=False,
698 crl_sign=False,
699 encipher_only=False,
700 decipher_only=True
701 )
702 assert ku == ku2
703
704 def test_ne(self):
705 ku = x509.KeyUsage(
706 digital_signature=False,
707 content_commitment=False,
708 key_encipherment=False,
709 data_encipherment=False,
710 key_agreement=True,
711 key_cert_sign=False,
712 crl_sign=False,
713 encipher_only=False,
714 decipher_only=True
715 )
716 ku2 = x509.KeyUsage(
717 digital_signature=False,
718 content_commitment=False,
719 key_encipherment=False,
720 data_encipherment=False,
721 key_agreement=False,
722 key_cert_sign=False,
723 crl_sign=False,
724 encipher_only=False,
725 decipher_only=False
726 )
727 assert ku != ku2
728 assert ku != object()
729
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]730
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]731class TestSubjectKeyIdentifier(object):
732 def test_properties(self):
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]733 value = binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]734 ski = x509.SubjectKeyIdentifier(value)
735 assert ski.digest == value
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]736
737 def test_repr(self):
738 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]739 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]740 )
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]741 ext = x509.Extension(ExtensionOID.SUBJECT_KEY_IDENTIFIER, False, ski)
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]742 if six.PY3:
743 assert repr(ext) == (
744 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
745 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
746 "igest=b\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
747 "\\xf7\\xff:\\xc9\')>)>"
748 )
749 else:
750 assert repr(ext) == (
751 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
752 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
753 "igest=\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
754 "\\xf7\\xff:\\xc9\')>)>"
755 )
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]756
757 def test_eq(self):
758 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]759 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]760 )
761 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]762 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]763 )
764 assert ski == ski2
765
766 def test_ne(self):
767 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]768 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]769 )
770 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]771 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]772 )
773 assert ski != ski2
774 assert ski != object()
775
Alex Gaynor410fe352015-12-26 15:01:25 -0500[diff] [blame]776 def test_hash(self):
777 ski1 = x509.SubjectKeyIdentifier(
778 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
779 )
780 ski2 = x509.SubjectKeyIdentifier(
781 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
782 )
783 ski3 = x509.SubjectKeyIdentifier(
784 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
785 )
786
787 assert hash(ski1) == hash(ski2)
788 assert hash(ski1) != hash(ski3)
789
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]790
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]791class TestAuthorityKeyIdentifier(object):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]792 def test_authority_cert_issuer_not_generalname(self):
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]793 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]794 x509.AuthorityKeyIdentifier(b"identifier", ["notname"], 3)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]795
796 def test_authority_cert_serial_number_not_integer(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]797 dirname = x509.DirectoryName(
798 x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]799 x509.NameAttribute(
800 x509.ObjectIdentifier('2.999.1'),
801 u'value1'
802 ),
803 x509.NameAttribute(
804 x509.ObjectIdentifier('2.999.2'),
805 u'value2'
806 ),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]807 ])
808 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]809 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]810 x509.AuthorityKeyIdentifier(b"identifier", [dirname], "notanint")
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]811
812 def test_authority_issuer_none_serial_not_none(self):
813 with pytest.raises(ValueError):
814 x509.AuthorityKeyIdentifier(b"identifier", None, 3)
815
816 def test_authority_issuer_not_none_serial_none(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]817 dirname = x509.DirectoryName(
818 x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]819 x509.NameAttribute(
820 x509.ObjectIdentifier('2.999.1'),
821 u'value1'
822 ),
823 x509.NameAttribute(
824 x509.ObjectIdentifier('2.999.2'),
825 u'value2'
826 ),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]827 ])
828 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]829 with pytest.raises(ValueError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]830 x509.AuthorityKeyIdentifier(b"identifier", [dirname], None)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]831
832 def test_authority_cert_serial_and_issuer_none(self):
833 aki = x509.AuthorityKeyIdentifier(b"id", None, None)
834 assert aki.key_identifier == b"id"
835 assert aki.authority_cert_issuer is None
836 assert aki.authority_cert_serial_number is None
837
838 def test_repr(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]839 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]840 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]841 )
842 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]843
844 if six.PY3:
845 assert repr(aki) == (
846 "<AuthorityKeyIdentifier(key_identifier=b'digest', authority_"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]847 "cert_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid="
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]848 "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value='myC"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]849 "N')>])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]850 )
851 else:
852 assert repr(aki) == (
853 "<AuthorityKeyIdentifier(key_identifier='digest', authority_ce"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]854 "rt_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid=<Ob"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]855 "jectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'myCN')"
856 ">])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]857 )
858
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]859 def test_eq(self):
860 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]861 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]862 )
863 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
864 dirname2 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]865 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]866 )
867 aki2 = x509.AuthorityKeyIdentifier(b"digest", [dirname2], 1234)
868 assert aki == aki2
869
870 def test_ne(self):
871 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]872 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]873 )
874 dirname5 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]875 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'aCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]876 )
877 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
878 aki2 = x509.AuthorityKeyIdentifier(b"diges", [dirname], 1234)
879 aki3 = x509.AuthorityKeyIdentifier(b"digest", None, None)
880 aki4 = x509.AuthorityKeyIdentifier(b"digest", [dirname], 12345)
881 aki5 = x509.AuthorityKeyIdentifier(b"digest", [dirname5], 12345)
882 assert aki != aki2
883 assert aki != aki3
884 assert aki != aki4
885 assert aki != aki5
886 assert aki != object()
887
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]888
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]889class TestBasicConstraints(object):
890 def test_ca_not_boolean(self):
891 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]892 x509.BasicConstraints(ca="notbool", path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]893
894 def test_path_length_not_ca(self):
895 with pytest.raises(ValueError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]896 x509.BasicConstraints(ca=False, path_length=0)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]897
898 def test_path_length_not_int(self):
899 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]900 x509.BasicConstraints(ca=True, path_length=1.1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]901
902 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]903 x509.BasicConstraints(ca=True, path_length="notint")
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]904
905 def test_path_length_negative(self):
906 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]907 x509.BasicConstraints(ca=True, path_length=-1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]908
909 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]910 na = x509.BasicConstraints(ca=True, path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]911 assert repr(na) == (
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]912 "<BasicConstraints(ca=True, path_length=None)>"
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]913 )
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]914
Paul Kehrer2eb69f62015-12-27 11:46:11 -0600[diff] [blame]915 def test_hash(self):
916 na = x509.BasicConstraints(ca=True, path_length=None)
917 na2 = x509.BasicConstraints(ca=True, path_length=None)
Paul Kehrerb39af8d2015-12-27 14:30:19 -0600[diff] [blame]918 na3 = x509.BasicConstraints(ca=True, path_length=0)
Paul Kehrer2eb69f62015-12-27 11:46:11 -0600[diff] [blame]919 assert hash(na) == hash(na2)
Paul Kehrerb39af8d2015-12-27 14:30:19 -0600[diff] [blame]920 assert hash(na) != hash(na3)
Paul Kehrer2eb69f62015-12-27 11:46:11 -0600[diff] [blame]921
Paul Kehrer3a69b132015-05-13 10:03:46 -0500[diff] [blame]922 def test_eq(self):
923 na = x509.BasicConstraints(ca=True, path_length=None)
924 na2 = x509.BasicConstraints(ca=True, path_length=None)
925 assert na == na2
926
927 def test_ne(self):
928 na = x509.BasicConstraints(ca=True, path_length=None)
929 na2 = x509.BasicConstraints(ca=True, path_length=1)
930 na3 = x509.BasicConstraints(ca=False, path_length=None)
931 assert na != na2
932 assert na != na3
933 assert na != object()
934
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]935
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]936class TestExtendedKeyUsage(object):
937 def test_not_all_oids(self):
938 with pytest.raises(TypeError):
939 x509.ExtendedKeyUsage(["notoid"])
940
941 def test_iter_len(self):
942 eku = x509.ExtendedKeyUsage([
943 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
944 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
945 ])
946 assert len(eku) == 2
947 assert list(eku) == [
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]948 ExtendedKeyUsageOID.SERVER_AUTH,
949 ExtendedKeyUsageOID.CLIENT_AUTH
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]950 ]
951
Paul Kehrer23d10c32015-04-02 23:12:32 -0500[diff] [blame]952 def test_repr(self):
953 eku = x509.ExtendedKeyUsage([
954 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
955 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
956 ])
957 assert repr(eku) == (
958 "<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name="
959 "serverAuth)>, <ObjectIdentifier(oid=1.3.6.1.5.5.7.3.2, name=clien"
960 "tAuth)>])>"
961 )
962
Paul Kehrerb0476172015-05-02 19:34:51 -0500[diff] [blame]963 def test_eq(self):
964 eku = x509.ExtendedKeyUsage([
965 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
966 ])
967 eku2 = x509.ExtendedKeyUsage([
968 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
969 ])
970 assert eku == eku2
971
972 def test_ne(self):
973 eku = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6")])
974 eku2 = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6.1")])
975 assert eku != eku2
976 assert eku != object()
977
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]978
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]979@pytest.mark.requires_backend_interface(interface=RSABackend)
980@pytest.mark.requires_backend_interface(interface=X509Backend)
981class TestExtensions(object):
982 def test_no_extensions(self, backend):
983 cert = _load_cert(
984 os.path.join("x509", "verisign_md2_root.pem"),
985 x509.load_pem_x509_certificate,
986 backend
987 )
988 ext = cert.extensions
989 assert len(ext) == 0
990 assert list(ext) == []
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]991 with pytest.raises(x509.ExtensionNotFound) as exc:
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]992 ext.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]993
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]994 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]995
996 def test_one_extension(self, backend):
997 cert = _load_cert(
998 os.path.join(
999 "x509", "custom", "basic_constraints_not_critical.pem"
1000 ),
1001 x509.load_pem_x509_certificate,
1002 backend
1003 )
1004 extensions = cert.extensions
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1005 ext = extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1006 assert ext is not None
1007 assert ext.value.ca is False
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]1008
1009 def test_duplicate_extension(self, backend):
1010 cert = _load_cert(
1011 os.path.join(
1012 "x509", "custom", "two_basic_constraints.pem"
1013 ),
1014 x509.load_pem_x509_certificate,
1015 backend
1016 )
1017 with pytest.raises(x509.DuplicateExtension) as exc:
1018 cert.extensions
1019
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1020 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]1021
1022 def test_unsupported_critical_extension(self, backend):
1023 cert = _load_cert(
1024 os.path.join(
1025 "x509", "custom", "unsupported_extension_critical.pem"
1026 ),
1027 x509.load_pem_x509_certificate,
1028 backend
1029 )
1030 with pytest.raises(x509.UnsupportedExtension) as exc:
1031 cert.extensions
1032
1033 assert exc.value.oid == x509.ObjectIdentifier("1.2.3.4")
1034
1035 def test_unsupported_extension(self, backend):
1036 # TODO: this will raise an exception when all extensions are complete
1037 cert = _load_cert(
1038 os.path.join(
1039 "x509", "custom", "unsupported_extension.pem"
1040 ),
1041 x509.load_pem_x509_certificate,
1042 backend
1043 )
1044 extensions = cert.extensions
1045 assert len(extensions) == 0
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1046
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]1047 def test_no_extensions_get_for_class(self, backend):
1048 cert = _load_cert(
1049 os.path.join(
Phoebe Queencb5ec4e2015-08-12 15:06:26 +0100[diff] [blame]1050 "x509", "cryptography.io.pem"
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]1051 ),
1052 x509.load_pem_x509_certificate,
1053 backend
1054 )
Phoebe Queenc93752b2015-08-12 10:54:46 +0100[diff] [blame]1055 exts = cert.extensions
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]1056 with pytest.raises(x509.ExtensionNotFound) as exc:
Phoebe Queencb5ec4e2015-08-12 15:06:26 +0100[diff] [blame]1057 exts.get_extension_for_class(x509.IssuerAlternativeName)
1058 assert exc.value.oid == ExtensionOID.ISSUER_ALTERNATIVE_NAME
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]1059
Paul Kehrer5b90c972015-12-26 00:52:58 -0600[diff] [blame]1060 def test_indexing(self, backend):
1061 cert = _load_cert(
1062 os.path.join("x509", "cryptography.io.pem"),
1063 x509.load_pem_x509_certificate,
1064 backend
1065 )
1066 exts = cert.extensions
1067 assert exts[-1] == exts[7]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame]1068 assert exts[2:6:2] == [exts[2], exts[4]]
Paul Kehrer5b90c972015-12-26 00:52:58 -0600[diff] [blame]1069
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]1070 def test_one_extension_get_for_class(self, backend):
1071 cert = _load_cert(
Phoebe Queen2cc111a2015-08-12 04:14:22 +0100[diff] [blame]1072 os.path.join(
1073 "x509", "custom", "basic_constraints_not_critical.pem"
1074 ),
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]1075 x509.load_pem_x509_certificate,
1076 backend
1077 )
1078 ext = cert.extensions.get_extension_for_class(x509.BasicConstraints)
1079 assert ext is not None
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]1080 assert isinstance(ext.value, x509.BasicConstraints)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1081
Paul Kehrerafbe75b2015-10-20 08:08:43 -0500[diff] [blame]1082 def test_repr(self, backend):
1083 cert = _load_cert(
1084 os.path.join(
1085 "x509", "custom", "basic_constraints_not_critical.pem"
1086 ),
1087 x509.load_pem_x509_certificate,
1088 backend
1089 )
1090 assert repr(cert.extensions) == (
1091 "<Extensions([<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name"
1092 "=basicConstraints)>, critical=False, value=<BasicConstraints(ca=F"
1093 "alse, path_length=None)>)>])>"
1094 )
1095
Phoebe Queen2cc111a2015-08-12 04:14:22 +0100[diff] [blame]1096
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1097@pytest.mark.requires_backend_interface(interface=RSABackend)
1098@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerde813ea2015-03-28 12:44:34 -0500[diff] [blame]1099class TestBasicConstraintsExtension(object):
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1100 def test_ca_true_pathlen_6(self, backend):
1101 cert = _load_cert(
1102 os.path.join(
1103 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
1104 ),
1105 x509.load_der_x509_certificate,
1106 backend
1107 )
Phoebe Queen062dec72015-08-12 11:42:23 +0100[diff] [blame]1108 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1109 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1110 )
1111 assert ext is not None
1112 assert ext.critical is True
1113 assert ext.value.ca is True
1114 assert ext.value.path_length == 6
1115
1116 def test_path_length_zero(self, backend):
1117 cert = _load_cert(
1118 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
1119 x509.load_pem_x509_certificate,
1120 backend
1121 )
1122 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1123 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1124 )
1125 assert ext is not None
1126 assert ext.critical is True
1127 assert ext.value.ca is True
1128 assert ext.value.path_length == 0
1129
1130 def test_ca_true_no_pathlen(self, backend):
1131 cert = _load_cert(
1132 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1133 x509.load_der_x509_certificate,
1134 backend
1135 )
1136 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1137 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1138 )
1139 assert ext is not None
1140 assert ext.critical is True
1141 assert ext.value.ca is True
1142 assert ext.value.path_length is None
1143
1144 def test_ca_false(self, backend):
1145 cert = _load_cert(
1146 os.path.join("x509", "cryptography.io.pem"),
1147 x509.load_pem_x509_certificate,
1148 backend
1149 )
1150 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1151 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1152 )
1153 assert ext is not None
1154 assert ext.critical is True
1155 assert ext.value.ca is False
1156 assert ext.value.path_length is None
1157
1158 def test_no_basic_constraints(self, backend):
1159 cert = _load_cert(
1160 os.path.join(
1161 "x509",
1162 "PKITS_data",
1163 "certs",
1164 "ValidCertificatePathTest1EE.crt"
1165 ),
1166 x509.load_der_x509_certificate,
1167 backend
1168 )
1169 with pytest.raises(x509.ExtensionNotFound):
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1170 cert.extensions.get_extension_for_oid(
1171 ExtensionOID.BASIC_CONSTRAINTS
1172 )
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1173
1174 def test_basic_constraint_not_critical(self, backend):
1175 cert = _load_cert(
1176 os.path.join(
1177 "x509", "custom", "basic_constraints_not_critical.pem"
1178 ),
1179 x509.load_pem_x509_certificate,
1180 backend
1181 )
1182 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1183 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1184 )
1185 assert ext is not None
1186 assert ext.critical is False
1187 assert ext.value.ca is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1188
1189
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1190class TestSubjectKeyIdentifierExtension(object):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1191 @pytest.mark.requires_backend_interface(interface=RSABackend)
1192 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1193 def test_subject_key_identifier(self, backend):
1194 cert = _load_cert(
1195 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1196 x509.load_der_x509_certificate,
1197 backend
1198 )
1199 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1200 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1201 )
1202 ski = ext.value
1203 assert ext is not None
1204 assert ext.critical is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1205 assert ski.digest == binascii.unhexlify(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]1206 b"580184241bbc2b52944a3da510721451f5af3ac9"
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1207 )
1208
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1209 @pytest.mark.requires_backend_interface(interface=RSABackend)
1210 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1211 def test_no_subject_key_identifier(self, backend):
1212 cert = _load_cert(
1213 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
1214 x509.load_pem_x509_certificate,
1215 backend
1216 )
1217 with pytest.raises(x509.ExtensionNotFound):
1218 cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1219 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1220 )
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1221
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1222 @pytest.mark.requires_backend_interface(interface=RSABackend)
1223 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1224 def test_from_rsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1225 cert = _load_cert(
1226 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1227 x509.load_der_x509_certificate,
1228 backend
1229 )
1230 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1231 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1232 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1233 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1234 cert.public_key()
1235 )
1236 assert ext.value == ski
1237
1238 @pytest.mark.requires_backend_interface(interface=DSABackend)
1239 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1240 def test_from_dsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1241 cert = _load_cert(
1242 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
1243 x509.load_pem_x509_certificate,
1244 backend
1245 )
1246
1247 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1248 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1249 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1250 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1251 cert.public_key()
1252 )
1253 assert ext.value == ski
1254
1255 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1256 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1257 def test_from_ec_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1258 _skip_curve_unsupported(backend, ec.SECP384R1())
1259 cert = _load_cert(
1260 os.path.join("x509", "ecdsa_root.pem"),
1261 x509.load_pem_x509_certificate,
1262 backend
1263 )
1264
1265 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1266 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1267 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1268 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1269 cert.public_key()
1270 )
1271 assert ext.value == ski
1272
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1273
1274@pytest.mark.requires_backend_interface(interface=RSABackend)
1275@pytest.mark.requires_backend_interface(interface=X509Backend)
1276class TestKeyUsageExtension(object):
1277 def test_no_key_usage(self, backend):
1278 cert = _load_cert(
1279 os.path.join("x509", "verisign_md2_root.pem"),
1280 x509.load_pem_x509_certificate,
1281 backend
1282 )
1283 ext = cert.extensions
1284 with pytest.raises(x509.ExtensionNotFound) as exc:
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1285 ext.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1286
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1287 assert exc.value.oid == ExtensionOID.KEY_USAGE
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1288
1289 def test_all_purposes(self, backend):
1290 cert = _load_cert(
1291 os.path.join(
1292 "x509", "custom", "all_key_usages.pem"
1293 ),
1294 x509.load_pem_x509_certificate,
1295 backend
1296 )
1297 extensions = cert.extensions
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1298 ext = extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1299 assert ext is not None
1300
1301 ku = ext.value
1302 assert ku.digital_signature is True
1303 assert ku.content_commitment is True
1304 assert ku.key_encipherment is True
1305 assert ku.data_encipherment is True
1306 assert ku.key_agreement is True
1307 assert ku.key_cert_sign is True
1308 assert ku.crl_sign is True
1309 assert ku.encipher_only is True
1310 assert ku.decipher_only is True
1311
1312 def test_key_cert_sign_crl_sign(self, backend):
1313 cert = _load_cert(
1314 os.path.join(
1315 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
1316 ),
1317 x509.load_der_x509_certificate,
1318 backend
1319 )
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1320 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1321 assert ext is not None
1322 assert ext.critical is True
1323
1324 ku = ext.value
1325 assert ku.digital_signature is False
1326 assert ku.content_commitment is False
1327 assert ku.key_encipherment is False
1328 assert ku.data_encipherment is False
1329 assert ku.key_agreement is False
1330 assert ku.key_cert_sign is True
1331 assert ku.crl_sign is True
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1332
1333
1334@pytest.mark.parametrize(
1335 "name", [
1336 x509.RFC822Name,
1337 x509.DNSName,
1338 x509.UniformResourceIdentifier
1339 ]
1340)
1341class TestTextGeneralNames(object):
1342 def test_not_text(self, name):
1343 with pytest.raises(TypeError):
1344 name(b"notaunicodestring")
1345
1346 with pytest.raises(TypeError):
1347 name(1.3)
1348
1349 def test_repr(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1350 gn = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1351 assert repr(gn) == "<{0}(value=string)>".format(name.__name__)
1352
1353 def test_eq(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1354 gn = name(u"string")
1355 gn2 = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1356 assert gn == gn2
1357
1358 def test_ne(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1359 gn = name(u"string")
1360 gn2 = name(u"string2")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1361 assert gn != gn2
1362 assert gn != object()
1363
1364
1365class TestDirectoryName(object):
1366 def test_not_name(self):
1367 with pytest.raises(TypeError):
1368 x509.DirectoryName(b"notaname")
1369
1370 with pytest.raises(TypeError):
1371 x509.DirectoryName(1.3)
1372
1373 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1374 name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'value1')])
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1375 gn = x509.DirectoryName(x509.Name([name]))
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]1376 if six.PY3:
1377 assert repr(gn) == (
1378 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1379 "Identifier(oid=2.5.4.3, name=commonName)>, value='value1')>])"
1380 ">])>)>"
1381 )
1382 else:
1383 assert repr(gn) == (
1384 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1385 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'value1')>]"
1386 ")>])>)>"
1387 )
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1388
1389 def test_eq(self):
1390 name = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1391 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1392 ])
1393 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1394 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1395 ])
1396 gn = x509.DirectoryName(x509.Name([name]))
1397 gn2 = x509.DirectoryName(x509.Name([name2]))
1398 assert gn == gn2
1399
1400 def test_ne(self):
1401 name = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1402 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1403 ])
1404 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1405 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1406 ])
1407 gn = x509.DirectoryName(x509.Name([name]))
1408 gn2 = x509.DirectoryName(x509.Name([name2]))
1409 assert gn != gn2
1410 assert gn != object()
1411
1412
Paul Kehrer01d5d0b2015-07-12 09:41:21 -0500[diff] [blame]1413class TestRFC822Name(object):
1414 def test_invalid_email(self):
1415 with pytest.raises(ValueError):
1416 x509.RFC822Name(u"Name <email>")
1417
1418 with pytest.raises(ValueError):
1419 x509.RFC822Name(u"")
1420
1421 def test_single_label(self):
1422 gn = x509.RFC822Name(u"administrator")
1423 assert gn.value == u"administrator"
1424
1425 def test_idna(self):
1426 gn = x509.RFC822Name(u"email@em\xe5\xefl.com")
1427 assert gn.value == u"email@em\xe5\xefl.com"
1428 assert gn._encoded == b"email@xn--eml-vla4c.com"
1429
1430
Paul Kehrere28d6c42015-07-12 14:59:37 -0500[diff] [blame]1431class TestUniformResourceIdentifier(object):
1432 def test_no_parsed_hostname(self):
1433 gn = x509.UniformResourceIdentifier(u"singlelabel")
1434 assert gn.value == u"singlelabel"
1435
1436 def test_with_port(self):
1437 gn = x509.UniformResourceIdentifier(u"singlelabel:443/test")
1438 assert gn.value == u"singlelabel:443/test"
1439
1440 def test_idna_no_port(self):
1441 gn = x509.UniformResourceIdentifier(
1442 u"http://\u043f\u044b\u043a\u0430.cryptography"
1443 )
1444 assert gn.value == u"http://\u043f\u044b\u043a\u0430.cryptography"
1445 assert gn._encoded == b"http://xn--80ato2c.cryptography"
1446
1447 def test_idna_with_port(self):
1448 gn = x509.UniformResourceIdentifier(
1449 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1450 )
1451 assert gn.value == (
1452 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1453 )
1454 assert gn._encoded == b"gopher://xn--80ato2c.cryptography:70/some/path"
1455
1456 def test_query_and_fragment(self):
1457 gn = x509.UniformResourceIdentifier(
1458 u"ldap://cryptography:90/path?query=true#somedata"
1459 )
1460 assert gn.value == u"ldap://cryptography:90/path?query=true#somedata"
1461
1462
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1463class TestRegisteredID(object):
1464 def test_not_oid(self):
1465 with pytest.raises(TypeError):
1466 x509.RegisteredID(b"notanoid")
1467
1468 with pytest.raises(TypeError):
1469 x509.RegisteredID(1.3)
1470
1471 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1472 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1473 assert repr(gn) == (
1474 "<RegisteredID(value=<ObjectIdentifier(oid=2.5.4.3, name=commonNam"
1475 "e)>)>"
1476 )
1477
1478 def test_eq(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1479 gn = x509.RegisteredID(NameOID.COMMON_NAME)
1480 gn2 = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1481 assert gn == gn2
1482
1483 def test_ne(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1484 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1485 gn2 = x509.RegisteredID(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1486 assert gn != gn2
1487 assert gn != object()
1488
1489
1490class TestIPAddress(object):
1491 def test_not_ipaddress(self):
1492 with pytest.raises(TypeError):
1493 x509.IPAddress(b"notanipaddress")
1494
1495 with pytest.raises(TypeError):
1496 x509.IPAddress(1.3)
1497
1498 def test_repr(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1499 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1500 assert repr(gn) == "<IPAddress(value=127.0.0.1)>"
1501
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1502 gn2 = x509.IPAddress(ipaddress.IPv6Address(u"ff::"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1503 assert repr(gn2) == "<IPAddress(value=ff::)>"
1504
Paul Kehrereb177932015-05-17 18:33:33 -0700[diff] [blame]1505 gn3 = x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24"))
1506 assert repr(gn3) == "<IPAddress(value=192.168.0.0/24)>"
1507
1508 gn4 = x509.IPAddress(ipaddress.IPv6Network(u"ff::/96"))
1509 assert repr(gn4) == "<IPAddress(value=ff::/96)>"
1510
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1511 def test_eq(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1512 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1513 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1514 assert gn == gn2
1515
1516 def test_ne(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1517 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1518 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.2"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1519 assert gn != gn2
1520 assert gn != object()
1521
1522
Joshua Tauberer18b6fc82015-07-05 21:44:51 +0000[diff] [blame]1523class TestOtherName(object):
1524 def test_invalid_args(self):
1525 with pytest.raises(TypeError):
1526 x509.OtherName(b"notanobjectidentifier", b"derdata")
1527
1528 with pytest.raises(TypeError):
1529 x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), u"notderdata")
1530
1531 def test_repr(self):
1532 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1533 if six.PY3:
1534 assert repr(gn) == (
1535 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1536 "name=Unknown OID)>, value=b'derdata')>"
1537 )
1538 else:
1539 assert repr(gn) == (
1540 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1541 "name=Unknown OID)>, value='derdata')>"
1542 )
1543
1544 gn = x509.OtherName(x509.ObjectIdentifier("2.5.4.65"), b"derdata")
1545 if six.PY3:
1546 assert repr(gn) == (
1547 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1548 "name=pseudonym)>, value=b'derdata')>"
1549 )
1550 else:
1551 assert repr(gn) == (
1552 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1553 "name=pseudonym)>, value='derdata')>"
1554 )
1555
1556 def test_eq(self):
1557 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1558 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1559 assert gn == gn2
1560
1561 def test_ne(self):
1562 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1563 assert gn != object()
1564
1565 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata2")
1566 assert gn != gn2
1567
1568 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.5"), b"derdata")
1569 assert gn != gn2
1570
1571
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1572class TestGeneralNames(object):
1573 def test_get_values_for_type(self):
1574 gns = x509.GeneralNames(
1575 [x509.DNSName(u"cryptography.io")]
1576 )
1577 names = gns.get_values_for_type(x509.DNSName)
1578 assert names == [u"cryptography.io"]
1579
1580 def test_iter_names(self):
1581 gns = x509.GeneralNames([
1582 x509.DNSName(u"cryptography.io"),
1583 x509.DNSName(u"crypto.local"),
1584 ])
1585 assert len(gns) == 2
1586 assert list(gns) == [
1587 x509.DNSName(u"cryptography.io"),
1588 x509.DNSName(u"crypto.local"),
1589 ]
1590
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1591 def test_indexing(self):
1592 gn = x509.GeneralNames([
1593 x509.DNSName(u"cryptography.io"),
1594 x509.DNSName(u"crypto.local"),
1595 x509.DNSName(u"another.local"),
1596 x509.RFC822Name(u"email@another.local"),
1597 x509.UniformResourceIdentifier(u"http://another.local"),
1598 ])
1599 assert gn[-1] == gn[4]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame]1600 assert gn[2:6:2] == [gn[2], gn[4]]
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1601
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1602 def test_invalid_general_names(self):
1603 with pytest.raises(TypeError):
1604 x509.GeneralNames(
1605 [x509.DNSName(u"cryptography.io"), "invalid"]
1606 )
1607
1608 def test_repr(self):
1609 gns = x509.GeneralNames(
1610 [
1611 x509.DNSName(u"cryptography.io")
1612 ]
1613 )
1614 assert repr(gns) == (
1615 "<GeneralNames([<DNSName(value=cryptography.io)>])>"
1616 )
1617
1618 def test_eq(self):
1619 gns = x509.GeneralNames(
1620 [x509.DNSName(u"cryptography.io")]
1621 )
1622 gns2 = x509.GeneralNames(
1623 [x509.DNSName(u"cryptography.io")]
1624 )
1625 assert gns == gns2
1626
1627 def test_ne(self):
1628 gns = x509.GeneralNames(
1629 [x509.DNSName(u"cryptography.io")]
1630 )
1631 gns2 = x509.GeneralNames(
1632 [x509.RFC822Name(u"admin@cryptography.io")]
1633 )
1634 assert gns != gns2
1635 assert gns != object()
1636
1637
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1638class TestIssuerAlternativeName(object):
1639 def test_get_values_for_type(self):
1640 san = x509.IssuerAlternativeName(
1641 [x509.DNSName(u"cryptography.io")]
1642 )
1643 names = san.get_values_for_type(x509.DNSName)
1644 assert names == [u"cryptography.io"]
1645
1646 def test_iter_names(self):
1647 san = x509.IssuerAlternativeName([
1648 x509.DNSName(u"cryptography.io"),
1649 x509.DNSName(u"crypto.local"),
1650 ])
1651 assert len(san) == 2
1652 assert list(san) == [
1653 x509.DNSName(u"cryptography.io"),
1654 x509.DNSName(u"crypto.local"),
1655 ]
1656
Paul Kehrer5c999d32015-12-26 17:45:20 -0600[diff] [blame]1657 def test_indexing(self):
1658 ian = x509.IssuerAlternativeName([
1659 x509.DNSName(u"cryptography.io"),
1660 x509.DNSName(u"crypto.local"),
1661 x509.DNSName(u"another.local"),
1662 x509.RFC822Name(u"email@another.local"),
1663 x509.UniformResourceIdentifier(u"http://another.local"),
1664 ])
1665 assert ian[-1] == ian[4]
1666 assert ian[2:6:2] == [ian[2], ian[4]]
1667
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1668 def test_invalid_general_names(self):
1669 with pytest.raises(TypeError):
1670 x509.IssuerAlternativeName(
1671 [x509.DNSName(u"cryptography.io"), "invalid"]
1672 )
1673
1674 def test_repr(self):
1675 san = x509.IssuerAlternativeName(
1676 [
1677 x509.DNSName(u"cryptography.io")
1678 ]
1679 )
1680 assert repr(san) == (
1681 "<IssuerAlternativeName("
1682 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
1683 )
1684
1685 def test_eq(self):
1686 san = x509.IssuerAlternativeName(
1687 [x509.DNSName(u"cryptography.io")]
1688 )
1689 san2 = x509.IssuerAlternativeName(
1690 [x509.DNSName(u"cryptography.io")]
1691 )
1692 assert san == san2
1693
1694 def test_ne(self):
1695 san = x509.IssuerAlternativeName(
1696 [x509.DNSName(u"cryptography.io")]
1697 )
1698 san2 = x509.IssuerAlternativeName(
1699 [x509.RFC822Name(u"admin@cryptography.io")]
1700 )
1701 assert san != san2
1702 assert san != object()
1703
1704
Alex Gaynorf1c17672015-06-20 14:20:20 -0400[diff] [blame]1705@pytest.mark.requires_backend_interface(interface=RSABackend)
1706@pytest.mark.requires_backend_interface(interface=X509Backend)
1707class TestRSAIssuerAlternativeNameExtension(object):
1708 def test_uri(self, backend):
1709 cert = _load_cert(
1710 os.path.join("x509", "custom", "ian_uri.pem"),
1711 x509.load_pem_x509_certificate,
1712 backend,
1713 )
1714 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1715 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Alex Gaynorf1c17672015-06-20 14:20:20 -0400[diff] [blame]1716 )
1717 assert list(ext.value) == [
1718 x509.UniformResourceIdentifier(u"http://path.to.root/root.crt"),
1719 ]
1720
1721
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]1722class TestCRLNumber(object):
1723 def test_eq(self):
1724 crl_number = x509.CRLNumber(15)
1725 assert crl_number == x509.CRLNumber(15)
1726
1727 def test_ne(self):
1728 crl_number = x509.CRLNumber(15)
1729 assert crl_number != x509.CRLNumber(14)
1730 assert crl_number != object()
1731
1732 def test_repr(self):
1733 crl_number = x509.CRLNumber(15)
1734 assert repr(crl_number) == "<CRLNumber(15)>"
1735
Paul Kehrera9718fc2015-12-22 22:55:35 -0600[diff] [blame]1736 def test_invalid_number(self):
1737 with pytest.raises(TypeError):
1738 x509.CRLNumber("notanumber")
1739
Alex Gaynorf9a77b62015-12-26 12:14:25 -0500[diff] [blame]1740 def test_hash(self):
1741 c1 = x509.CRLNumber(1)
1742 c2 = x509.CRLNumber(1)
1743 c3 = x509.CRLNumber(2)
1744 assert hash(c1) == hash(c2)
1745 assert hash(c1) != hash(c3)
1746
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]1747
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1748class TestSubjectAlternativeName(object):
1749 def test_get_values_for_type(self):
1750 san = x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1751 [x509.DNSName(u"cryptography.io")]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1752 )
1753 names = san.get_values_for_type(x509.DNSName)
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1754 assert names == [u"cryptography.io"]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1755
1756 def test_iter_names(self):
1757 san = x509.SubjectAlternativeName([
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1758 x509.DNSName(u"cryptography.io"),
1759 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1760 ])
1761 assert len(san) == 2
1762 assert list(san) == [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1763 x509.DNSName(u"cryptography.io"),
1764 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1765 ]
1766
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1767 def test_indexing(self):
1768 san = x509.SubjectAlternativeName([
1769 x509.DNSName(u"cryptography.io"),
1770 x509.DNSName(u"crypto.local"),
1771 x509.DNSName(u"another.local"),
1772 x509.RFC822Name(u"email@another.local"),
1773 x509.UniformResourceIdentifier(u"http://another.local"),
1774 ])
1775 assert san[-1] == san[4]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame]1776 assert san[2:6:2] == [san[2], san[4]]
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1777
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1778 def test_invalid_general_names(self):
1779 with pytest.raises(TypeError):
1780 x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1781 [x509.DNSName(u"cryptography.io"), "invalid"]
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1782 )
1783
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1784 def test_repr(self):
1785 san = x509.SubjectAlternativeName(
1786 [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1787 x509.DNSName(u"cryptography.io")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1788 ]
1789 )
1790 assert repr(san) == (
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1791 "<SubjectAlternativeName("
1792 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1793 )
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1794
Paul Kehrer58cc3972015-05-13 10:00:41 -0500[diff] [blame]1795 def test_eq(self):
1796 san = x509.SubjectAlternativeName(
1797 [x509.DNSName(u"cryptography.io")]
1798 )
1799 san2 = x509.SubjectAlternativeName(
1800 [x509.DNSName(u"cryptography.io")]
1801 )
1802 assert san == san2
1803
1804 def test_ne(self):
1805 san = x509.SubjectAlternativeName(
1806 [x509.DNSName(u"cryptography.io")]
1807 )
1808 san2 = x509.SubjectAlternativeName(
1809 [x509.RFC822Name(u"admin@cryptography.io")]
1810 )
1811 assert san != san2
1812 assert san != object()
1813
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1814
1815@pytest.mark.requires_backend_interface(interface=RSABackend)
1816@pytest.mark.requires_backend_interface(interface=X509Backend)
1817class TestRSASubjectAlternativeNameExtension(object):
1818 def test_dns_name(self, backend):
1819 cert = _load_cert(
1820 os.path.join("x509", "cryptography.io.pem"),
1821 x509.load_pem_x509_certificate,
1822 backend
1823 )
1824 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1825 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1826 )
1827 assert ext is not None
1828 assert ext.critical is False
1829
1830 san = ext.value
1831
1832 dns = san.get_values_for_type(x509.DNSName)
1833 assert dns == [u"www.cryptography.io", u"cryptography.io"]
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1834
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1835 def test_wildcard_dns_name(self, backend):
1836 cert = _load_cert(
1837 os.path.join("x509", "wildcard_san.pem"),
1838 x509.load_pem_x509_certificate,
1839 backend
1840 )
1841 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1842 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1843 )
1844
1845 dns = ext.value.get_values_for_type(x509.DNSName)
1846 assert dns == [
1847 u'*.langui.sh',
1848 u'langui.sh',
1849 u'*.saseliminator.com',
1850 u'saseliminator.com'
1851 ]
1852
Dominic Chen87bb9572015-10-09 00:23:07 -0400[diff] [blame]1853 def test_san_empty_hostname(self, backend):
1854 cert = _load_cert(
1855 os.path.join(
1856 "x509", "custom", "san_empty_hostname.pem"
1857 ),
1858 x509.load_pem_x509_certificate,
1859 backend
1860 )
1861 san = cert.extensions.get_extension_for_oid(
1862 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
1863 )
1864
1865 dns = san.value.get_values_for_type(x509.DNSName)
1866 assert dns == [u'']
1867
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1868 def test_san_wildcard_idna_dns_name(self, backend):
1869 cert = _load_cert(
1870 os.path.join("x509", "custom", "san_wildcard_idna.pem"),
1871 x509.load_pem_x509_certificate,
1872 backend
1873 )
1874 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1875 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1876 )
1877
1878 dns = ext.value.get_values_for_type(x509.DNSName)
1879 assert dns == [u'*.\u043f\u044b\u043a\u0430.cryptography']
1880
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1881 def test_unsupported_gn(self, backend):
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1882 cert = _load_cert(
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1883 os.path.join("x509", "san_x400address.der"),
1884 x509.load_der_x509_certificate,
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1885 backend
1886 )
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1887 with pytest.raises(x509.UnsupportedGeneralNameType) as exc:
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1888 cert.extensions
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1889
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1890 assert exc.value.type == 3
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1891
1892 def test_registered_id(self, backend):
1893 cert = _load_cert(
1894 os.path.join(
1895 "x509", "custom", "san_registered_id.pem"
1896 ),
1897 x509.load_pem_x509_certificate,
1898 backend
1899 )
1900 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1901 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1902 )
1903 assert ext is not None
1904 assert ext.critical is False
1905
1906 san = ext.value
1907 rid = san.get_values_for_type(x509.RegisteredID)
1908 assert rid == [x509.ObjectIdentifier("1.2.3.4")]
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1909
1910 def test_uri(self, backend):
1911 cert = _load_cert(
1912 os.path.join(
1913 "x509", "custom", "san_uri_with_port.pem"
1914 ),
1915 x509.load_pem_x509_certificate,
1916 backend
1917 )
1918 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1919 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1920 )
1921 assert ext is not None
1922 uri = ext.value.get_values_for_type(
1923 x509.UniformResourceIdentifier
1924 )
1925 assert uri == [
1926 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/path?q=s#hel"
1927 u"lo",
1928 u"http://someregulardomain.com",
1929 ]
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1930
1931 def test_ipaddress(self, backend):
1932 cert = _load_cert(
1933 os.path.join(
1934 "x509", "custom", "san_ipaddr.pem"
1935 ),
1936 x509.load_pem_x509_certificate,
1937 backend
1938 )
1939 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1940 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1941 )
1942 assert ext is not None
1943 assert ext.critical is False
1944
1945 san = ext.value
1946
1947 ip = san.get_values_for_type(x509.IPAddress)
1948 assert [
1949 ipaddress.ip_address(u"127.0.0.1"),
1950 ipaddress.ip_address(u"ff::")
1951 ] == ip
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1952
1953 def test_dirname(self, backend):
1954 cert = _load_cert(
1955 os.path.join(
1956 "x509", "custom", "san_dirname.pem"
1957 ),
1958 x509.load_pem_x509_certificate,
1959 backend
1960 )
1961 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1962 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1963 )
1964 assert ext is not None
1965 assert ext.critical is False
1966
1967 san = ext.value
1968
1969 dirname = san.get_values_for_type(x509.DirectoryName)
1970 assert [
1971 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1972 x509.NameAttribute(NameOID.COMMON_NAME, u'test'),
1973 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org'),
1974 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1975 ])
1976 ] == dirname
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1977
1978 def test_rfc822name(self, backend):
1979 cert = _load_cert(
1980 os.path.join(
1981 "x509", "custom", "san_rfc822_idna.pem"
1982 ),
1983 x509.load_pem_x509_certificate,
1984 backend
1985 )
1986 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1987 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1988 )
1989 assert ext is not None
1990 assert ext.critical is False
1991
1992 san = ext.value
1993
1994 rfc822name = san.get_values_for_type(x509.RFC822Name)
1995 assert [u"email@em\xe5\xefl.com"] == rfc822name
1996
Paul Kehrerb8968812015-05-15 09:01:34 -0700[diff] [blame]1997 def test_idna2003_invalid(self, backend):
1998 cert = _load_cert(
1999 os.path.join(
2000 "x509", "custom", "san_idna2003_dnsname.pem"
2001 ),
2002 x509.load_pem_x509_certificate,
2003 backend
2004 )
2005 with pytest.raises(UnicodeError):
2006 cert.extensions
2007
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]2008 def test_unicode_rfc822_name_dns_name_uri(self, backend):
2009 cert = _load_cert(
2010 os.path.join(
2011 "x509", "custom", "san_idna_names.pem"
2012 ),
2013 x509.load_pem_x509_certificate,
2014 backend
2015 )
2016 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2017 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]2018 )
2019 assert ext is not None
2020 rfc822_name = ext.value.get_values_for_type(x509.RFC822Name)
2021 dns_name = ext.value.get_values_for_type(x509.DNSName)
2022 uri = ext.value.get_values_for_type(x509.UniformResourceIdentifier)
2023 assert rfc822_name == [u"email@\u043f\u044b\u043a\u0430.cryptography"]
2024 assert dns_name == [u"\u043f\u044b\u043a\u0430.cryptography"]
2025 assert uri == [u"https://www.\u043f\u044b\u043a\u0430.cryptography"]
2026
2027 def test_rfc822name_dnsname_ipaddress_directoryname_uri(self, backend):
2028 cert = _load_cert(
2029 os.path.join(
2030 "x509", "custom", "san_email_dns_ip_dirname_uri.pem"
2031 ),
2032 x509.load_pem_x509_certificate,
2033 backend
2034 )
2035 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2036 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]2037 )
2038 assert ext is not None
2039 assert ext.critical is False
2040
2041 san = ext.value
2042
2043 rfc822_name = san.get_values_for_type(x509.RFC822Name)
2044 uri = san.get_values_for_type(x509.UniformResourceIdentifier)
2045 dns = san.get_values_for_type(x509.DNSName)
2046 ip = san.get_values_for_type(x509.IPAddress)
2047 dirname = san.get_values_for_type(x509.DirectoryName)
2048 assert [u"user@cryptography.io"] == rfc822_name
Paul Kehrere3a330c2015-05-02 16:42:52 -0500[diff] [blame]2049 assert [u"https://cryptography.io"] == uri
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]2050 assert [u"cryptography.io"] == dns
2051 assert [
2052 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2053 x509.NameAttribute(NameOID.COMMON_NAME, u'dirCN'),
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]2054 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2055 NameOID.ORGANIZATION_NAME, u'Cryptographic Authority'
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]2056 ),
2057 ])
2058 ] == dirname
2059 assert [
2060 ipaddress.ip_address(u"127.0.0.1"),
2061 ipaddress.ip_address(u"ff::")
2062 ] == ip
2063
2064 def test_invalid_rfc822name(self, backend):
2065 cert = _load_cert(
2066 os.path.join(
2067 "x509", "custom", "san_rfc822_names.pem"
2068 ),
2069 x509.load_pem_x509_certificate,
2070 backend
2071 )
2072 with pytest.raises(ValueError) as exc:
2073 cert.extensions
2074
2075 assert 'Invalid rfc822name value' in str(exc.value)
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]2076
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2077 def test_other_name(self, backend):
2078 cert = _load_cert(
2079 os.path.join(
2080 "x509", "custom", "san_other_name.pem"
2081 ),
2082 x509.load_pem_x509_certificate,
2083 backend
2084 )
2085
2086 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2087 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2088 )
2089 assert ext is not None
2090 assert ext.critical is False
2091
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]2092 expected = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"),
2093 b'\x16\x0bHello World')
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2094 assert len(ext.value) == 1
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]2095 assert list(ext.value)[0] == expected
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2096
2097 othernames = ext.value.get_values_for_type(x509.OtherName)
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]2098 assert othernames == [expected]
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2099
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]2100
2101@pytest.mark.requires_backend_interface(interface=RSABackend)
2102@pytest.mark.requires_backend_interface(interface=X509Backend)
2103class TestExtendedKeyUsageExtension(object):
2104 def test_eku(self, backend):
2105 cert = _load_cert(
2106 os.path.join(
2107 "x509", "custom", "extended_key_usage.pem"
2108 ),
2109 x509.load_pem_x509_certificate,
2110 backend
2111 )
2112 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2113 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]2114 )
2115 assert ext is not None
2116 assert ext.critical is False
2117
2118 assert [
2119 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
2120 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
2121 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.3"),
2122 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.4"),
2123 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.9"),
2124 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.8"),
2125 x509.ObjectIdentifier("2.5.29.37.0"),
2126 x509.ObjectIdentifier("2.16.840.1.113730.4.1"),
2127 ] == list(ext.value)
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2128
2129
2130class TestAccessDescription(object):
2131 def test_invalid_access_method(self):
Nick Bastind06763d2015-12-12 18:32:59 -0800[diff] [blame]2132 with pytest.raises(TypeError):
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2133 x509.AccessDescription("notanoid", x509.DNSName(u"test"))
2134
2135 def test_invalid_access_location(self):
2136 with pytest.raises(TypeError):
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2137 x509.AccessDescription(
2138 AuthorityInformationAccessOID.CA_ISSUERS, "invalid"
2139 )
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2140
Nick Bastind2ecf862015-12-13 05:44:46 -0800[diff] [blame]2141 def test_valid_nonstandard_method(self):
Nick Bastin326fc8e2015-12-12 19:08:12 -0800[diff] [blame]2142 ad = x509.AccessDescription(
2143 ObjectIdentifier("2.999.1"),
2144 x509.UniformResourceIdentifier(u"http://example.com")
2145 )
Nick Bastin11f0f8a2015-12-12 18:54:12 -0800[diff] [blame]2146 assert ad is not None
2147
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2148 def test_repr(self):
2149 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2150 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2151 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2152 )
2153 assert repr(ad) == (
2154 "<AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5."
2155 "5.7.48.1, name=OCSP)>, access_location=<UniformResourceIdentifier"
2156 "(value=http://ocsp.domain.com)>)>"
2157 )
2158
2159 def test_eq(self):
2160 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2161 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2162 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2163 )
2164 ad2 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2165 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2166 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2167 )
2168 assert ad == ad2
2169
2170 def test_ne(self):
2171 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2172 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2173 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2174 )
2175 ad2 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2176 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2177 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2178 )
2179 ad3 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2180 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2181 x509.UniformResourceIdentifier(u"http://notthesame")
2182 )
2183 assert ad != ad2
2184 assert ad != ad3
2185 assert ad != object()
2186
2187
2188class TestAuthorityInformationAccess(object):
2189 def test_invalid_descriptions(self):
2190 with pytest.raises(TypeError):
2191 x509.AuthorityInformationAccess(["notanAccessDescription"])
2192
2193 def test_iter_len(self):
2194 aia = x509.AuthorityInformationAccess([
2195 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2196 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2197 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2198 ),
2199 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2200 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2201 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2202 )
2203 ])
2204 assert len(aia) == 2
2205 assert list(aia) == [
2206 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2207 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2208 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2209 ),
2210 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2211 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2212 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2213 )
2214 ]
2215
2216 def test_repr(self):
2217 aia = x509.AuthorityInformationAccess([
2218 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2219 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2220 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2221 ),
2222 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2223 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2224 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2225 )
2226 ])
2227 assert repr(aia) == (
2228 "<AuthorityInformationAccess([<AccessDescription(access_method=<Ob"
2229 "jectIdentifier(oid=1.3.6.1.5.5.7.48.1, name=OCSP)>, access_locati"
2230 "on=<UniformResourceIdentifier(value=http://ocsp.domain.com)>)>, <"
2231 "AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5.5"
2232 ".7.48.2, name=caIssuers)>, access_location=<UniformResourceIdenti"
2233 "fier(value=http://domain.com/ca.crt)>)>])>"
2234 )
2235
2236 def test_eq(self):
2237 aia = x509.AuthorityInformationAccess([
2238 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2239 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2240 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2241 ),
2242 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2243 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2244 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2245 )
2246 ])
2247 aia2 = x509.AuthorityInformationAccess([
2248 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2249 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2250 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2251 ),
2252 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2253 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2254 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2255 )
2256 ])
2257 assert aia == aia2
2258
2259 def test_ne(self):
2260 aia = x509.AuthorityInformationAccess([
2261 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2262 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2263 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2264 ),
2265 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2266 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2267 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2268 )
2269 ])
2270 aia2 = x509.AuthorityInformationAccess([
2271 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2272 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2273 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2274 ),
2275 ])
2276
2277 assert aia != aia2
2278 assert aia != object()
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2279
Paul Kehrerad4b3592015-12-27 17:27:40 -0600[diff] [blame]2280 def test_indexing(self):
2281 aia = x509.AuthorityInformationAccess([
2282 x509.AccessDescription(
2283 AuthorityInformationAccessOID.OCSP,
2284 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2285 ),
2286 x509.AccessDescription(
2287 AuthorityInformationAccessOID.CA_ISSUERS,
2288 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2289 ),
2290 x509.AccessDescription(
2291 AuthorityInformationAccessOID.OCSP,
2292 x509.UniformResourceIdentifier(u"http://ocsp2.domain.com")
2293 ),
2294 x509.AccessDescription(
2295 AuthorityInformationAccessOID.OCSP,
2296 x509.UniformResourceIdentifier(u"http://ocsp3.domain.com")
2297 ),
2298 x509.AccessDescription(
2299 AuthorityInformationAccessOID.OCSP,
2300 x509.UniformResourceIdentifier(u"http://ocsp4.domain.com")
2301 ),
2302 ])
2303 assert aia[-1] == aia[4]
2304 assert aia[2:6:2] == [aia[2], aia[4]]
2305
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2306
2307@pytest.mark.requires_backend_interface(interface=RSABackend)
2308@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2309class TestAuthorityInformationAccessExtension(object):
2310 def test_aia_ocsp_ca_issuers(self, backend):
2311 cert = _load_cert(
2312 os.path.join("x509", "cryptography.io.pem"),
2313 x509.load_pem_x509_certificate,
2314 backend
2315 )
2316 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2317 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2318 )
2319 assert ext is not None
2320 assert ext.critical is False
2321
2322 assert ext.value == x509.AuthorityInformationAccess([
2323 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2324 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2325 x509.UniformResourceIdentifier(u"http://gv.symcd.com")
2326 ),
2327 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2328 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2329 x509.UniformResourceIdentifier(u"http://gv.symcb.com/gv.crt")
2330 ),
2331 ])
2332
2333 def test_aia_multiple_ocsp_ca_issuers(self, backend):
2334 cert = _load_cert(
2335 os.path.join("x509", "custom", "aia_ocsp_ca_issuers.pem"),
2336 x509.load_pem_x509_certificate,
2337 backend
2338 )
2339 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2340 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2341 )
2342 assert ext is not None
2343 assert ext.critical is False
2344
2345 assert ext.value == x509.AuthorityInformationAccess([
2346 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2347 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2348 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2349 ),
2350 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2351 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2352 x509.UniformResourceIdentifier(u"http://ocsp2.domain.com")
2353 ),
2354 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2355 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2356 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2357 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
2358 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2359 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2360 ]))
2361 ),
2362 ])
2363
2364 def test_aia_ocsp_only(self, backend):
2365 cert = _load_cert(
2366 os.path.join("x509", "custom", "aia_ocsp.pem"),
2367 x509.load_pem_x509_certificate,
2368 backend
2369 )
2370 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2371 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2372 )
2373 assert ext is not None
2374 assert ext.critical is False
2375
2376 assert ext.value == x509.AuthorityInformationAccess([
2377 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2378 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2379 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2380 ),
2381 ])
2382
2383 def test_aia_ca_issuers_only(self, backend):
2384 cert = _load_cert(
2385 os.path.join("x509", "custom", "aia_ca_issuers.pem"),
2386 x509.load_pem_x509_certificate,
2387 backend
2388 )
2389 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2390 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2391 )
2392 assert ext is not None
2393 assert ext.critical is False
2394
2395 assert ext.value == x509.AuthorityInformationAccess([
2396 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2397 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2398 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2399 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
2400 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2401 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2402 ]))
2403 ),
2404 ])
2405
2406
2407@pytest.mark.requires_backend_interface(interface=RSABackend)
2408@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2409class TestAuthorityKeyIdentifierExtension(object):
2410 def test_aki_keyid(self, backend):
2411 cert = _load_cert(
2412 os.path.join(
2413 "x509", "cryptography.io.pem"
2414 ),
2415 x509.load_pem_x509_certificate,
2416 backend
2417 )
2418 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2419 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2420 )
2421 assert ext is not None
2422 assert ext.critical is False
2423
2424 assert ext.value.key_identifier == (
2425 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08\xcbY"
2426 )
2427 assert ext.value.authority_cert_issuer is None
2428 assert ext.value.authority_cert_serial_number is None
2429
2430 def test_aki_all_fields(self, backend):
2431 cert = _load_cert(
2432 os.path.join(
2433 "x509", "custom", "authority_key_identifier.pem"
2434 ),
2435 x509.load_pem_x509_certificate,
2436 backend
2437 )
2438 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2439 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2440 )
2441 assert ext is not None
2442 assert ext.critical is False
2443
2444 assert ext.value.key_identifier == (
2445 b"9E>\xca=b\x1d\xea\x86I\xf6Z\xab@\xb7\xa4p\x98\xf1\xec"
2446 )
2447 assert ext.value.authority_cert_issuer == [
2448 x509.DirectoryName(
2449 x509.Name([
2450 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2451 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2452 ),
2453 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2454 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2455 )
2456 ])
2457 )
2458 ]
2459 assert ext.value.authority_cert_serial_number == 3
2460
2461 def test_aki_no_keyid(self, backend):
2462 cert = _load_cert(
2463 os.path.join(
2464 "x509", "custom", "authority_key_identifier_no_keyid.pem"
2465 ),
2466 x509.load_pem_x509_certificate,
2467 backend
2468 )
2469 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2470 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2471 )
2472 assert ext is not None
2473 assert ext.critical is False
2474
2475 assert ext.value.key_identifier is None
2476 assert ext.value.authority_cert_issuer == [
2477 x509.DirectoryName(
2478 x509.Name([
2479 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2480 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2481 ),
2482 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2483 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2484 )
2485 ])
2486 )
2487 ]
2488 assert ext.value.authority_cert_serial_number == 3
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2489
Paul Kehrer253929a2015-08-05 17:30:39 +0100[diff] [blame]2490 def test_from_certificate(self, backend):
2491 issuer_cert = _load_cert(
2492 os.path.join("x509", "rapidssl_sha256_ca_g3.pem"),
2493 x509.load_pem_x509_certificate,
2494 backend
2495 )
2496 cert = _load_cert(
2497 os.path.join("x509", "cryptography.io.pem"),
2498 x509.load_pem_x509_certificate,
2499 backend
2500 )
2501 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2502 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrer253929a2015-08-05 17:30:39 +0100[diff] [blame]2503 )
2504 aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(
2505 issuer_cert.public_key()
2506 )
2507 assert ext.value == aki
2508
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2509
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2510class TestNameConstraints(object):
2511 def test_ipaddress_wrong_type(self):
2512 with pytest.raises(TypeError):
2513 x509.NameConstraints(
2514 permitted_subtrees=[
2515 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2516 ],
2517 excluded_subtrees=None
2518 )
2519
2520 with pytest.raises(TypeError):
2521 x509.NameConstraints(
2522 permitted_subtrees=None,
2523 excluded_subtrees=[
2524 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2525 ]
2526 )
2527
2528 def test_ipaddress_allowed_type(self):
2529 permitted = [x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29"))]
2530 excluded = [x509.IPAddress(ipaddress.IPv4Network(u"10.10.0.0/24"))]
2531 nc = x509.NameConstraints(
2532 permitted_subtrees=permitted,
2533 excluded_subtrees=excluded
2534 )
2535 assert nc.permitted_subtrees == permitted
2536 assert nc.excluded_subtrees == excluded
2537
2538 def test_invalid_permitted_subtrees(self):
2539 with pytest.raises(TypeError):
2540 x509.NameConstraints("badpermitted", None)
2541
2542 def test_invalid_excluded_subtrees(self):
2543 with pytest.raises(TypeError):
2544 x509.NameConstraints(None, "badexcluded")
2545
2546 def test_no_subtrees(self):
2547 with pytest.raises(ValueError):
2548 x509.NameConstraints(None, None)
2549
2550 def test_permitted_none(self):
2551 excluded = [x509.DNSName(u"name.local")]
2552 nc = x509.NameConstraints(
2553 permitted_subtrees=None, excluded_subtrees=excluded
2554 )
2555 assert nc.permitted_subtrees is None
2556 assert nc.excluded_subtrees is not None
2557
2558 def test_excluded_none(self):
2559 permitted = [x509.DNSName(u"name.local")]
2560 nc = x509.NameConstraints(
2561 permitted_subtrees=permitted, excluded_subtrees=None
2562 )
2563 assert nc.permitted_subtrees is not None
2564 assert nc.excluded_subtrees is None
2565
2566 def test_repr(self):
2567 permitted = [x509.DNSName(u"name.local"), x509.DNSName(u"name2.local")]
2568 nc = x509.NameConstraints(
2569 permitted_subtrees=permitted,
2570 excluded_subtrees=None
2571 )
2572 assert repr(nc) == (
2573 "<NameConstraints(permitted_subtrees=[<DNSName(value=name.local)>"
2574 ", <DNSName(value=name2.local)>], excluded_subtrees=None)>"
2575 )
2576
Paul Kehrer31894282015-06-21 21:46:41 -0500[diff] [blame]2577 def test_eq(self):
2578 nc = x509.NameConstraints(
2579 permitted_subtrees=[x509.DNSName(u"name.local")],
2580 excluded_subtrees=[x509.DNSName(u"name2.local")]
2581 )
2582 nc2 = x509.NameConstraints(
2583 permitted_subtrees=[x509.DNSName(u"name.local")],
2584 excluded_subtrees=[x509.DNSName(u"name2.local")]
2585 )
2586 assert nc == nc2
2587
2588 def test_ne(self):
2589 nc = x509.NameConstraints(
2590 permitted_subtrees=[x509.DNSName(u"name.local")],
2591 excluded_subtrees=[x509.DNSName(u"name2.local")]
2592 )
2593 nc2 = x509.NameConstraints(
2594 permitted_subtrees=[x509.DNSName(u"name.local")],
2595 excluded_subtrees=None
2596 )
2597 nc3 = x509.NameConstraints(
2598 permitted_subtrees=None,
2599 excluded_subtrees=[x509.DNSName(u"name2.local")]
2600 )
2601
2602 assert nc != nc2
2603 assert nc != nc3
2604 assert nc != object()
2605
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2606
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2607@pytest.mark.requires_backend_interface(interface=RSABackend)
2608@pytest.mark.requires_backend_interface(interface=X509Backend)
2609class TestNameConstraintsExtension(object):
2610 def test_permitted_excluded(self, backend):
2611 cert = _load_cert(
2612 os.path.join(
2613 "x509", "custom", "nc_permitted_excluded_2.pem"
2614 ),
2615 x509.load_pem_x509_certificate,
2616 backend
2617 )
2618 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2619 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2620 ).value
2621 assert nc == x509.NameConstraints(
2622 permitted_subtrees=[
2623 x509.DNSName(u"zombo.local"),
2624 ],
2625 excluded_subtrees=[
2626 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2627 x509.NameAttribute(NameOID.COMMON_NAME, u"zombo")
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2628 ]))
2629 ]
2630 )
2631
2632 def test_permitted(self, backend):
2633 cert = _load_cert(
2634 os.path.join(
2635 "x509", "custom", "nc_permitted_2.pem"
2636 ),
2637 x509.load_pem_x509_certificate,
2638 backend
2639 )
2640 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2641 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2642 ).value
2643 assert nc == x509.NameConstraints(
2644 permitted_subtrees=[
2645 x509.DNSName(u"zombo.local"),
2646 ],
2647 excluded_subtrees=None
2648 )
2649
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2650 def test_permitted_with_leading_period(self, backend):
2651 cert = _load_cert(
2652 os.path.join(
2653 "x509", "custom", "nc_permitted.pem"
2654 ),
2655 x509.load_pem_x509_certificate,
2656 backend
2657 )
2658 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2659 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2660 ).value
2661 assert nc == x509.NameConstraints(
2662 permitted_subtrees=[
2663 x509.DNSName(u".cryptography.io"),
2664 x509.UniformResourceIdentifier(u"ftp://cryptography.test")
2665 ],
2666 excluded_subtrees=None
2667 )
2668
2669 def test_excluded_with_leading_period(self, backend):
2670 cert = _load_cert(
2671 os.path.join(
2672 "x509", "custom", "nc_excluded.pem"
2673 ),
2674 x509.load_pem_x509_certificate,
2675 backend
2676 )
2677 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2678 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2679 ).value
2680 assert nc == x509.NameConstraints(
2681 permitted_subtrees=None,
2682 excluded_subtrees=[
2683 x509.DNSName(u".cryptography.io"),
2684 x509.UniformResourceIdentifier(u"gopher://cryptography.test")
2685 ]
2686 )
2687
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2688 def test_permitted_excluded_with_ips(self, backend):
2689 cert = _load_cert(
2690 os.path.join(
2691 "x509", "custom", "nc_permitted_excluded.pem"
2692 ),
2693 x509.load_pem_x509_certificate,
2694 backend
2695 )
2696 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2697 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2698 ).value
2699 assert nc == x509.NameConstraints(
2700 permitted_subtrees=[
2701 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")),
2702 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")),
2703 ],
2704 excluded_subtrees=[
2705 x509.DNSName(u".domain.com"),
2706 x509.UniformResourceIdentifier(u"http://test.local"),
2707 ]
2708 )
2709
Paul Kehrera72ebaf2015-07-01 21:07:37 -0500[diff] [blame]2710 def test_single_ip_netmask(self, backend):
2711 cert = _load_cert(
2712 os.path.join(
2713 "x509", "custom", "nc_single_ip_netmask.pem"
2714 ),
2715 x509.load_pem_x509_certificate,
2716 backend
2717 )
2718 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2719 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrera72ebaf2015-07-01 21:07:37 -0500[diff] [blame]2720 ).value
2721 assert nc == x509.NameConstraints(
2722 permitted_subtrees=[
2723 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/128")),
2724 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.1/32")),
2725 ],
2726 excluded_subtrees=None
2727 )
2728
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2729 def test_invalid_netmask(self, backend):
2730 cert = _load_cert(
2731 os.path.join(
2732 "x509", "custom", "nc_invalid_ip_netmask.pem"
2733 ),
2734 x509.load_pem_x509_certificate,
2735 backend
2736 )
2737 with pytest.raises(ValueError):
2738 cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2739 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2740 )
2741
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2742
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2743class TestDistributionPoint(object):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2744 def test_distribution_point_full_name_not_general_names(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2745 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2746 x509.DistributionPoint(["notgn"], None, None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2747
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2748 def test_distribution_point_relative_name_not_name(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2749 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2750 x509.DistributionPoint(None, "notname", None, None)
2751
2752 def test_distribution_point_full_and_relative_not_none(self):
2753 with pytest.raises(ValueError):
2754 x509.DistributionPoint("data", "notname", None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2755
2756 def test_crl_issuer_not_general_names(self):
2757 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2758 x509.DistributionPoint(None, None, None, ["notgn"])
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2759
2760 def test_reason_not_reasonflags(self):
2761 with pytest.raises(TypeError):
2762 x509.DistributionPoint(
2763 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2764 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2765 frozenset(["notreasonflags"]),
2766 None
2767 )
2768
2769 def test_reason_not_frozenset(self):
2770 with pytest.raises(TypeError):
2771 x509.DistributionPoint(
2772 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2773 None,
2774 [x509.ReasonFlags.ca_compromise],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2775 None
2776 )
2777
2778 def test_disallowed_reasons(self):
2779 with pytest.raises(ValueError):
2780 x509.DistributionPoint(
2781 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2782 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2783 frozenset([x509.ReasonFlags.unspecified]),
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2784 None
2785 )
2786
2787 with pytest.raises(ValueError):
2788 x509.DistributionPoint(
2789 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2790 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2791 frozenset([x509.ReasonFlags.remove_from_crl]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2792 None
2793 )
2794
2795 def test_reason_only(self):
2796 with pytest.raises(ValueError):
2797 x509.DistributionPoint(
2798 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2799 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2800 frozenset([x509.ReasonFlags.aa_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2801 None
2802 )
2803
2804 def test_eq(self):
2805 dp = x509.DistributionPoint(
2806 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2807 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2808 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2809 [
2810 x509.DirectoryName(
2811 x509.Name([
2812 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2813 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2814 )
2815 ])
2816 )
2817 ],
2818 )
2819 dp2 = x509.DistributionPoint(
2820 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2821 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2822 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2823 [
2824 x509.DirectoryName(
2825 x509.Name([
2826 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2827 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2828 )
2829 ])
2830 )
2831 ],
2832 )
2833 assert dp == dp2
2834
2835 def test_ne(self):
2836 dp = x509.DistributionPoint(
2837 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2838 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2839 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2840 [
2841 x509.DirectoryName(
2842 x509.Name([
2843 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2844 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2845 )
2846 ])
2847 )
2848 ],
2849 )
2850 dp2 = x509.DistributionPoint(
2851 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2852 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2853 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2854 None
2855 )
2856 assert dp != dp2
2857 assert dp != object()
2858
2859 def test_repr(self):
2860 dp = x509.DistributionPoint(
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2861 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2862 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2863 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN")
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2864 ]),
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2865 frozenset([x509.ReasonFlags.ca_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2866 [
2867 x509.DirectoryName(
2868 x509.Name([
2869 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2870 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2871 )
2872 ])
2873 )
2874 ],
2875 )
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2876 if six.PY3:
2877 assert repr(dp) == (
2878 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2879 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]2880 ">, value='myCN')>])>, reasons=frozenset({<ReasonFlags.ca_comp"
2881 "romise: 'cACompromise'>}), crl_issuer=[<DirectoryName(value=<"
2882 "Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name="
2883 "commonName)>, value='Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2884 )
2885 else:
2886 assert repr(dp) == (
2887 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2888 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2889 ">, value=u'myCN')>])>, reasons=frozenset([<ReasonFlags.ca_com"
2890 "promise: 'cACompromise'>]), crl_issuer=[<DirectoryName(value="
2891 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
2892 "=commonName)>, value=u'Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2893 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2894
2895
2896class TestCRLDistributionPoints(object):
2897 def test_invalid_distribution_points(self):
2898 with pytest.raises(TypeError):
2899 x509.CRLDistributionPoints(["notadistributionpoint"])
2900
2901 def test_iter_len(self):
2902 cdp = x509.CRLDistributionPoints([
2903 x509.DistributionPoint(
2904 [x509.UniformResourceIdentifier(u"http://domain")],
2905 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2906 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2907 None
2908 ),
2909 x509.DistributionPoint(
2910 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2911 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2912 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2913 x509.ReasonFlags.key_compromise,
2914 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2915 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2916 None
2917 ),
2918 ])
2919 assert len(cdp) == 2
2920 assert list(cdp) == [
2921 x509.DistributionPoint(
2922 [x509.UniformResourceIdentifier(u"http://domain")],
2923 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2924 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2925 None
2926 ),
2927 x509.DistributionPoint(
2928 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2929 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2930 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2931 x509.ReasonFlags.key_compromise,
2932 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2933 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2934 None
2935 ),
2936 ]
2937
2938 def test_repr(self):
2939 cdp = x509.CRLDistributionPoints([
2940 x509.DistributionPoint(
2941 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2942 None,
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2943 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2944 None
2945 ),
2946 ])
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2947 if six.PY3:
2948 assert repr(cdp) == (
2949 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2950 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2951 "ne, reasons=frozenset({<ReasonFlags.key_compromise: 'keyComp"
2952 "romise'>}), crl_issuer=None)>])>"
2953 )
2954 else:
2955 assert repr(cdp) == (
2956 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2957 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2958 "ne, reasons=frozenset([<ReasonFlags.key_compromise: 'keyComp"
2959 "romise'>]), crl_issuer=None)>])>"
2960 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2961
2962 def test_eq(self):
2963 cdp = x509.CRLDistributionPoints([
2964 x509.DistributionPoint(
2965 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2966 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2967 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2968 x509.ReasonFlags.key_compromise,
2969 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2970 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2971 [x509.UniformResourceIdentifier(u"uri://thing")],
2972 ),
2973 ])
2974 cdp2 = x509.CRLDistributionPoints([
2975 x509.DistributionPoint(
2976 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2977 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2978 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2979 x509.ReasonFlags.key_compromise,
2980 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2981 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2982 [x509.UniformResourceIdentifier(u"uri://thing")],
2983 ),
2984 ])
2985 assert cdp == cdp2
2986
2987 def test_ne(self):
2988 cdp = x509.CRLDistributionPoints([
2989 x509.DistributionPoint(
2990 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2991 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2992 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2993 x509.ReasonFlags.key_compromise,
2994 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2995 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2996 [x509.UniformResourceIdentifier(u"uri://thing")],
2997 ),
2998 ])
2999 cdp2 = x509.CRLDistributionPoints([
3000 x509.DistributionPoint(
3001 [x509.UniformResourceIdentifier(u"ftp://domain2")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3002 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]3003 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3004 x509.ReasonFlags.key_compromise,
3005 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]3006 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3007 [x509.UniformResourceIdentifier(u"uri://thing")],
3008 ),
3009 ])
3010 cdp3 = x509.CRLDistributionPoints([
3011 x509.DistributionPoint(
3012 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3013 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]3014 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3015 [x509.UniformResourceIdentifier(u"uri://thing")],
3016 ),
3017 ])
3018 cdp4 = x509.CRLDistributionPoints([
3019 x509.DistributionPoint(
3020 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3021 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]3022 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3023 x509.ReasonFlags.key_compromise,
3024 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]3025 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3026 [x509.UniformResourceIdentifier(u"uri://thing2")],
3027 ),
3028 ])
3029 assert cdp != cdp2
3030 assert cdp != cdp3
3031 assert cdp != cdp4
3032 assert cdp != object()
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3033
Paul Kehreree2e92d2015-12-27 17:29:37 -0600[diff] [blame]3034 def test_indexing(self):
3035 ci = x509.CRLDistributionPoints([
3036 x509.DistributionPoint(
3037 None, None, None,
3038 [x509.UniformResourceIdentifier(u"uri://thing")],
3039 ),
3040 x509.DistributionPoint(
3041 None, None, None,
3042 [x509.UniformResourceIdentifier(u"uri://thing2")],
3043 ),
3044 x509.DistributionPoint(
3045 None, None, None,
3046 [x509.UniformResourceIdentifier(u"uri://thing3")],
3047 ),
3048 x509.DistributionPoint(
3049 None, None, None,
3050 [x509.UniformResourceIdentifier(u"uri://thing4")],
3051 ),
3052 x509.DistributionPoint(
3053 None, None, None,
3054 [x509.UniformResourceIdentifier(u"uri://thing5")],
3055 ),
3056 ])
3057 assert ci[-1] == ci[4]
3058 assert ci[2:6:2] == [ci[2], ci[4]]
3059
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3060
3061@pytest.mark.requires_backend_interface(interface=RSABackend)
3062@pytest.mark.requires_backend_interface(interface=X509Backend)
3063class TestCRLDistributionPointsExtension(object):
3064 def test_fullname_and_crl_issuer(self, backend):
3065 cert = _load_cert(
3066 os.path.join(
3067 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest28EE.crt"
3068 ),
3069 x509.load_der_x509_certificate,
3070 backend
3071 )
3072
3073 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3074 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3075 ).value
3076
3077 assert cdps == x509.CRLDistributionPoints([
3078 x509.DistributionPoint(
3079 full_name=[x509.DirectoryName(
3080 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3081 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3082 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3083 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3084 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3085 ),
3086 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3087 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3088 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3089 ),
3090 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3091 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3092 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3093 ),
3094 ])
3095 )],
3096 relative_name=None,
3097 reasons=None,
3098 crl_issuer=[x509.DirectoryName(
3099 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3100 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3101 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3102 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3103 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3104 ),
3105 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3106 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3107 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3108 ),
3109 ])
3110 )],
3111 )
3112 ])
3113
3114 def test_relativename_and_crl_issuer(self, backend):
3115 cert = _load_cert(
3116 os.path.join(
3117 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest29EE.crt"
3118 ),
3119 x509.load_der_x509_certificate,
3120 backend
3121 )
3122
3123 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3124 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3125 ).value
3126
3127 assert cdps == x509.CRLDistributionPoints([
3128 x509.DistributionPoint(
3129 full_name=None,
3130 relative_name=x509.Name([
3131 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3132 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3133 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3134 ),
3135 ]),
3136 reasons=None,
3137 crl_issuer=[x509.DirectoryName(
3138 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3139 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3140 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3141 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3142 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3143 ),
3144 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3145 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3146 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3147 ),
3148 ])
3149 )],
3150 )
3151 ])
3152
3153 def test_fullname_crl_issuer_reasons(self, backend):
3154 cert = _load_cert(
3155 os.path.join(
3156 "x509", "custom", "cdp_fullname_reasons_crl_issuer.pem"
3157 ),
3158 x509.load_pem_x509_certificate,
3159 backend
3160 )
3161
3162 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3163 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3164 ).value
3165
3166 assert cdps == x509.CRLDistributionPoints([
3167 x509.DistributionPoint(
3168 full_name=[x509.UniformResourceIdentifier(
3169 u"http://myhost.com/myca.crl"
3170 )],
3171 relative_name=None,
3172 reasons=frozenset([
3173 x509.ReasonFlags.key_compromise,
3174 x509.ReasonFlags.ca_compromise
3175 ]),
3176 crl_issuer=[x509.DirectoryName(
3177 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3178 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3179 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3180 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3181 ),
3182 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3183 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3184 ),
3185 ])
3186 )],
3187 )
3188 ])
3189
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3190 def test_all_reasons(self, backend):
3191 cert = _load_cert(
3192 os.path.join(
3193 "x509", "custom", "cdp_all_reasons.pem"
3194 ),
3195 x509.load_pem_x509_certificate,
3196 backend
3197 )
3198
3199 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3200 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3201 ).value
3202
3203 assert cdps == x509.CRLDistributionPoints([
3204 x509.DistributionPoint(
3205 full_name=[x509.UniformResourceIdentifier(
3206 u"http://domain.com/some.crl"
3207 )],
3208 relative_name=None,
3209 reasons=frozenset([
3210 x509.ReasonFlags.key_compromise,
3211 x509.ReasonFlags.ca_compromise,
3212 x509.ReasonFlags.affiliation_changed,
3213 x509.ReasonFlags.superseded,
3214 x509.ReasonFlags.privilege_withdrawn,
3215 x509.ReasonFlags.cessation_of_operation,
3216 x509.ReasonFlags.aa_compromise,
3217 x509.ReasonFlags.certificate_hold,
3218 ]),
3219 crl_issuer=None
3220 )
3221 ])
3222
3223 def test_single_reason(self, backend):
3224 cert = _load_cert(
3225 os.path.join(
3226 "x509", "custom", "cdp_reason_aa_compromise.pem"
3227 ),
3228 x509.load_pem_x509_certificate,
3229 backend
3230 )
3231
3232 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3233 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3234 ).value
3235
3236 assert cdps == x509.CRLDistributionPoints([
3237 x509.DistributionPoint(
3238 full_name=[x509.UniformResourceIdentifier(
3239 u"http://domain.com/some.crl"
3240 )],
3241 relative_name=None,
3242 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
3243 crl_issuer=None
3244 )
3245 ])
3246
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3247 def test_crl_issuer_only(self, backend):
3248 cert = _load_cert(
3249 os.path.join(
3250 "x509", "custom", "cdp_crl_issuer.pem"
3251 ),
3252 x509.load_pem_x509_certificate,
3253 backend
3254 )
3255
3256 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3257 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3258 ).value
3259
3260 assert cdps == x509.CRLDistributionPoints([
3261 x509.DistributionPoint(
3262 full_name=None,
3263 relative_name=None,
3264 reasons=None,
3265 crl_issuer=[x509.DirectoryName(
3266 x509.Name([
3267 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3268 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3269 ),
3270 ])
3271 )],
3272 )
3273 ])
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3274
Dominic Chen87bb9572015-10-09 00:23:07 -0400[diff] [blame]3275 def test_crl_empty_hostname(self, backend):
3276 cert = _load_cert(
3277 os.path.join(
3278 "x509", "custom", "cdp_empty_hostname.pem"
3279 ),
3280 x509.load_pem_x509_certificate,
3281 backend
3282 )
3283
3284 cdps = cert.extensions.get_extension_for_oid(
3285 ExtensionOID.CRL_DISTRIBUTION_POINTS
3286 ).value
3287
3288 assert cdps == x509.CRLDistributionPoints([
3289 x509.DistributionPoint(
3290 full_name=[x509.UniformResourceIdentifier(
3291 u"ldap:/CN=A,OU=B,dc=C,DC=D?E?F?G?H=I"
3292 )],
3293 relative_name=None,
3294 reasons=None,
3295 crl_issuer=None
3296 )
3297 ])
3298
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3299
Paul Kehrerf54a50b2015-06-17 18:31:26 -0600[diff] [blame]3300@pytest.mark.requires_backend_interface(interface=RSABackend)
3301@pytest.mark.requires_backend_interface(interface=X509Backend)
3302class TestOCSPNoCheckExtension(object):
3303 def test_nocheck(self, backend):
3304 cert = _load_cert(
3305 os.path.join(
3306 "x509", "custom", "ocsp_nocheck.pem"
3307 ),
3308 x509.load_pem_x509_certificate,
3309 backend
3310 )
3311 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3312 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf54a50b2015-06-17 18:31:26 -0600[diff] [blame]3313 )
3314 assert isinstance(ext.value, x509.OCSPNoCheck)
3315
3316
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3317class TestInhibitAnyPolicy(object):
3318 def test_not_int(self):
3319 with pytest.raises(TypeError):
3320 x509.InhibitAnyPolicy("notint")
3321
3322 def test_negative_int(self):
3323 with pytest.raises(ValueError):
3324 x509.InhibitAnyPolicy(-1)
3325
3326 def test_repr(self):
3327 iap = x509.InhibitAnyPolicy(0)
3328 assert repr(iap) == "<InhibitAnyPolicy(skip_certs=0)>"
3329
3330 def test_eq(self):
3331 iap = x509.InhibitAnyPolicy(1)
3332 iap2 = x509.InhibitAnyPolicy(1)
3333 assert iap == iap2
3334
3335 def test_ne(self):
3336 iap = x509.InhibitAnyPolicy(1)
3337 iap2 = x509.InhibitAnyPolicy(4)
3338 assert iap != iap2
3339 assert iap != object()
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]3340
3341
3342@pytest.mark.requires_backend_interface(interface=RSABackend)
3343@pytest.mark.requires_backend_interface(interface=X509Backend)
3344class TestInhibitAnyPolicyExtension(object):
3345 def test_nocheck(self, backend):
3346 cert = _load_cert(
3347 os.path.join(
3348 "x509", "custom", "inhibit_any_policy_5.pem"
3349 ),
3350 x509.load_pem_x509_certificate,
3351 backend
3352 )
3353 iap = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3354 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]3355 ).value
3356 assert iap.skip_certs == 5
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]3357
3358
3359@pytest.mark.requires_backend_interface(interface=RSABackend)
3360@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1b7500f2015-08-01 20:56:27 +0100[diff] [blame]3361class TestInvalidExtension(object):
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]3362 def test_invalid_certificate_policies_data(self, backend):
3363 cert = _load_cert(
3364 os.path.join(
3365 "x509", "custom", "cp_invalid.pem"
3366 ),
3367 x509.load_pem_x509_certificate,
3368 backend
3369 )
3370 with pytest.raises(ValueError):
3371 cert.extensions