Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / ad9d46ee7f9a7f74ee9a0345fe1c60fb8c49dcaf / . / tests / test_x509_ext.py
blob: 72f2f9e44a4a01ee0feb987b6f87900d0954f1a2 [file] [log] [blame]
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]7import binascii
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]8import ipaddress
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]9import os
10
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]11import pytest
12
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]13import six
14
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]15from cryptography import x509
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]16from cryptography.hazmat.backends.interfaces import RSABackend, X509Backend
17
18from .test_x509 import _load_cert
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]19
20
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]21class TestExtension(object):
22 def test_not_an_oid(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]23 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]24 with pytest.raises(TypeError):
25 x509.Extension("notanoid", True, bc)
26
27 def test_critical_not_a_bool(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]28 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]29 with pytest.raises(TypeError):
30 x509.Extension(x509.OID_BASIC_CONSTRAINTS, "notabool", bc)
31
32 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]33 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]34 ext = x509.Extension(x509.OID_BASIC_CONSTRAINTS, True, bc)
35 assert repr(ext) == (
36 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConst"
37 "raints)>, critical=True, value=<BasicConstraints(ca=False, path"
38 "_length=None)>)>"
39 )
40
41
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]42class TestNoticeReference(object):
43 def test_notice_numbers_not_all_int(self):
44 with pytest.raises(TypeError):
45 x509.NoticeReference("org", [1, 2, "three"])
46
47 def test_notice_numbers_none(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]48 with pytest.raises(TypeError):
49 x509.NoticeReference("org", None)
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]50
51 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]52 nr = x509.NoticeReference(u"org", [1, 3, 4])
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]53
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]54 if six.PY3:
55 assert repr(nr) == (
56 "<NoticeReference(organization='org', notice_numbers=[1, 3, 4"
57 "])>"
58 )
59 else:
60 assert repr(nr) == (
61 "<NoticeReference(organization=u'org', notice_numbers=[1, 3, "
62 "4])>"
63 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]64
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]65 def test_eq(self):
66 nr = x509.NoticeReference("org", [1, 2])
67 nr2 = x509.NoticeReference("org", [1, 2])
68 assert nr == nr2
69
70 def test_ne(self):
71 nr = x509.NoticeReference("org", [1, 2])
72 nr2 = x509.NoticeReference("org", [1])
73 nr3 = x509.NoticeReference(None, [1, 2])
74 assert nr != nr2
75 assert nr != nr3
76 assert nr != object()
77
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]78
79class TestUserNotice(object):
80 def test_notice_reference_invalid(self):
81 with pytest.raises(TypeError):
82 x509.UserNotice("invalid", None)
83
84 def test_notice_reference_none(self):
85 un = x509.UserNotice(None, "text")
86 assert un.notice_reference is None
87 assert un.explicit_text == "text"
88
89 def test_repr(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]90 un = x509.UserNotice(x509.NoticeReference(u"org", [1]), u"text")
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]91 if six.PY3:
92 assert repr(un) == (
93 "<UserNotice(notice_reference=<NoticeReference(organization='"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]94 "org', notice_numbers=[1])>, explicit_text='text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]95 )
96 else:
97 assert repr(un) == (
98 "<UserNotice(notice_reference=<NoticeReference(organization=u"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]99 "'org', notice_numbers=[1])>, explicit_text=u'text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]100 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]101
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]102 def test_eq(self):
103 nr = x509.NoticeReference("org", [1, 2])
104 nr2 = x509.NoticeReference("org", [1, 2])
105 un = x509.UserNotice(nr, "text")
106 un2 = x509.UserNotice(nr2, "text")
107 assert un == un2
108
109 def test_ne(self):
110 nr = x509.NoticeReference("org", [1, 2])
111 nr2 = x509.NoticeReference("org", [1])
112 un = x509.UserNotice(nr, "text")
113 un2 = x509.UserNotice(nr2, "text")
114 un3 = x509.UserNotice(nr, "text3")
115 assert un != un2
116 assert un != un3
117 assert un != object()
118
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]119
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]120class TestPolicyInformation(object):
121 def test_invalid_policy_identifier(self):
122 with pytest.raises(TypeError):
123 x509.PolicyInformation("notanoid", None)
124
125 def test_none_policy_qualifiers(self):
126 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), None)
127 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
128 assert pi.policy_qualifiers is None
129
130 def test_policy_qualifiers(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]131 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]132 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
133 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
134 assert pi.policy_qualifiers == pq
135
136 def test_invalid_policy_identifiers(self):
137 with pytest.raises(TypeError):
138 x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [1, 2])
139
140 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]141 pq = [u"string", x509.UserNotice(None, u"hi")]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]142 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]143 if six.PY3:
144 assert repr(pi) == (
145 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
146 "2.3, name=Unknown OID)>, policy_qualifiers=['string', <UserNo"
Paul Kehrer9aaef9e2015-05-11 10:49:20 -0500[diff] [blame]147 "tice(notice_reference=None, explicit_text='hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]148 )
149 else:
150 assert repr(pi) == (
151 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
152 "2.3, name=Unknown OID)>, policy_qualifiers=[u'string', <UserN"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]153 "otice(notice_reference=None, explicit_text=u'hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]154 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]155
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]156 def test_eq(self):
157 pi = x509.PolicyInformation(
158 x509.ObjectIdentifier("1.2.3"),
159 [u"string", x509.UserNotice(None, u"hi")]
160 )
161 pi2 = x509.PolicyInformation(
162 x509.ObjectIdentifier("1.2.3"),
163 [u"string", x509.UserNotice(None, u"hi")]
164 )
165 assert pi == pi2
166
167 def test_ne(self):
168 pi = x509.PolicyInformation(
169 x509.ObjectIdentifier("1.2.3"), [u"string"]
170 )
171 pi2 = x509.PolicyInformation(
172 x509.ObjectIdentifier("1.2.3"), [u"string2"]
173 )
174 pi3 = x509.PolicyInformation(
175 x509.ObjectIdentifier("1.2.3.4"), [u"string"]
176 )
177 assert pi != pi2
178 assert pi != pi3
179 assert pi != object()
180
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]181
182class TestCertificatePolicies(object):
183 def test_invalid_policies(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]184 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]185 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
186 with pytest.raises(TypeError):
187 x509.CertificatePolicies([1, pi])
188
189 def test_iter_len(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]190 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]191 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
192 cp = x509.CertificatePolicies([pi])
193 assert len(cp) == 1
194 for policyinfo in cp:
195 assert policyinfo == pi
196
197 def test_repr(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]198 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]199 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
200 cp = x509.CertificatePolicies([pi])
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]201 if six.PY3:
202 assert repr(cp) == (
203 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
204 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
205 "ers=['string'])>])>"
206 )
207 else:
208 assert repr(cp) == (
209 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
210 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
211 "ers=[u'string'])>])>"
212 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]213
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]214 def test_eq(self):
215 pi = x509.PolicyInformation(
216 x509.ObjectIdentifier("1.2.3"), [u"string"]
217 )
218 cp = x509.CertificatePolicies([pi])
219 pi2 = x509.PolicyInformation(
220 x509.ObjectIdentifier("1.2.3"), [u"string"]
221 )
222 cp2 = x509.CertificatePolicies([pi2])
223 assert cp == cp2
224
225 def test_ne(self):
226 pi = x509.PolicyInformation(
227 x509.ObjectIdentifier("1.2.3"), [u"string"]
228 )
229 cp = x509.CertificatePolicies([pi])
230 pi2 = x509.PolicyInformation(
231 x509.ObjectIdentifier("1.2.3"), [u"string2"]
232 )
233 cp2 = x509.CertificatePolicies([pi2])
234 assert cp != cp2
235 assert cp != object()
236
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]237
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]238@pytest.mark.requires_backend_interface(interface=RSABackend)
239@pytest.mark.requires_backend_interface(interface=X509Backend)
240class TestCertificatePoliciesExtension(object):
241 def test_cps_uri_policy_qualifier(self, backend):
242 cert = _load_cert(
243 os.path.join("x509", "custom", "cp_cps_uri.pem"),
244 x509.load_pem_x509_certificate,
245 backend
246 )
247
248 cp = cert.extensions.get_extension_for_oid(
249 x509.OID_CERTIFICATE_POLICIES
250 ).value
251
252 assert cp == x509.CertificatePolicies([
253 x509.PolicyInformation(
254 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
255 [u"http://other.com/cps"]
256 )
257 ])
258
259 def test_user_notice_with_notice_reference(self, backend):
260 cert = _load_cert(
261 os.path.join(
262 "x509", "custom", "cp_user_notice_with_notice_reference.pem"
263 ),
264 x509.load_pem_x509_certificate,
265 backend
266 )
267
268 cp = cert.extensions.get_extension_for_oid(
269 x509.OID_CERTIFICATE_POLICIES
270 ).value
271
272 assert cp == x509.CertificatePolicies([
273 x509.PolicyInformation(
274 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
275 [
276 u"http://example.com/cps",
277 u"http://other.com/cps",
278 x509.UserNotice(
279 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
280 u"thing"
281 )
282 ]
283 )
284 ])
285
286 def test_user_notice_with_explicit_text(self, backend):
287 cert = _load_cert(
288 os.path.join(
289 "x509", "custom", "cp_user_notice_with_explicit_text.pem"
290 ),
291 x509.load_pem_x509_certificate,
292 backend
293 )
294
295 cp = cert.extensions.get_extension_for_oid(
296 x509.OID_CERTIFICATE_POLICIES
297 ).value
298
299 assert cp == x509.CertificatePolicies([
300 x509.PolicyInformation(
301 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
302 [x509.UserNotice(None, u"thing")]
303 )
304 ])
305
306 def test_user_notice_no_explicit_text(self, backend):
307 cert = _load_cert(
308 os.path.join(
309 "x509", "custom", "cp_user_notice_no_explicit_text.pem"
310 ),
311 x509.load_pem_x509_certificate,
312 backend
313 )
314
315 cp = cert.extensions.get_extension_for_oid(
316 x509.OID_CERTIFICATE_POLICIES
317 ).value
318
319 assert cp == x509.CertificatePolicies([
320 x509.PolicyInformation(
321 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
322 [
323 x509.UserNotice(
324 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
325 None
326 )
327 ]
328 )
329 ])
330
331
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]332class TestKeyUsage(object):
333 def test_key_agreement_false_encipher_decipher_true(self):
334 with pytest.raises(ValueError):
335 x509.KeyUsage(
336 digital_signature=False,
337 content_commitment=False,
338 key_encipherment=False,
339 data_encipherment=False,
340 key_agreement=False,
341 key_cert_sign=False,
342 crl_sign=False,
343 encipher_only=True,
344 decipher_only=False
345 )
346
347 with pytest.raises(ValueError):
348 x509.KeyUsage(
349 digital_signature=False,
350 content_commitment=False,
351 key_encipherment=False,
352 data_encipherment=False,
353 key_agreement=False,
354 key_cert_sign=False,
355 crl_sign=False,
356 encipher_only=True,
357 decipher_only=True
358 )
359
360 with pytest.raises(ValueError):
361 x509.KeyUsage(
362 digital_signature=False,
363 content_commitment=False,
364 key_encipherment=False,
365 data_encipherment=False,
366 key_agreement=False,
367 key_cert_sign=False,
368 crl_sign=False,
369 encipher_only=False,
370 decipher_only=True
371 )
372
373 def test_properties_key_agreement_true(self):
374 ku = x509.KeyUsage(
375 digital_signature=True,
376 content_commitment=True,
377 key_encipherment=False,
378 data_encipherment=False,
379 key_agreement=False,
380 key_cert_sign=True,
381 crl_sign=False,
382 encipher_only=False,
383 decipher_only=False
384 )
385 assert ku.digital_signature is True
386 assert ku.content_commitment is True
387 assert ku.key_encipherment is False
388 assert ku.data_encipherment is False
389 assert ku.key_agreement is False
390 assert ku.key_cert_sign is True
391 assert ku.crl_sign is False
392
393 def test_key_agreement_true_properties(self):
394 ku = x509.KeyUsage(
395 digital_signature=False,
396 content_commitment=False,
397 key_encipherment=False,
398 data_encipherment=False,
399 key_agreement=True,
400 key_cert_sign=False,
401 crl_sign=False,
402 encipher_only=False,
403 decipher_only=True
404 )
405 assert ku.key_agreement is True
406 assert ku.encipher_only is False
407 assert ku.decipher_only is True
408
409 def test_key_agreement_false_properties(self):
410 ku = x509.KeyUsage(
411 digital_signature=False,
412 content_commitment=False,
413 key_encipherment=False,
414 data_encipherment=False,
415 key_agreement=False,
416 key_cert_sign=False,
417 crl_sign=False,
418 encipher_only=False,
419 decipher_only=False
420 )
421 assert ku.key_agreement is False
422 with pytest.raises(ValueError):
423 ku.encipher_only
424
425 with pytest.raises(ValueError):
426 ku.decipher_only
427
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]428 def test_repr_key_agreement_false(self):
429 ku = x509.KeyUsage(
430 digital_signature=True,
431 content_commitment=True,
432 key_encipherment=False,
433 data_encipherment=False,
434 key_agreement=False,
435 key_cert_sign=True,
436 crl_sign=False,
437 encipher_only=False,
438 decipher_only=False
439 )
440 assert repr(ku) == (
441 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
442 "cipherment=False, data_encipherment=False, key_agreement=False, k"
Paul Kehrerb372e672015-04-15 11:05:24 -0400[diff] [blame]443 "ey_cert_sign=True, crl_sign=False, encipher_only=None, decipher_o"
444 "nly=None)>"
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]445 )
446
447 def test_repr_key_agreement_true(self):
448 ku = x509.KeyUsage(
449 digital_signature=True,
450 content_commitment=True,
451 key_encipherment=False,
452 data_encipherment=False,
453 key_agreement=True,
454 key_cert_sign=True,
455 crl_sign=False,
456 encipher_only=False,
457 decipher_only=False
458 )
459 assert repr(ku) == (
460 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
461 "cipherment=False, data_encipherment=False, key_agreement=True, k"
462 "ey_cert_sign=True, crl_sign=False, encipher_only=False, decipher_"
463 "only=False)>"
464 )
465
Paul Kehrer8565f5e2015-05-13 09:57:09 -0500[diff] [blame]466 def test_eq(self):
467 ku = x509.KeyUsage(
468 digital_signature=False,
469 content_commitment=False,
470 key_encipherment=False,
471 data_encipherment=False,
472 key_agreement=True,
473 key_cert_sign=False,
474 crl_sign=False,
475 encipher_only=False,
476 decipher_only=True
477 )
478 ku2 = x509.KeyUsage(
479 digital_signature=False,
480 content_commitment=False,
481 key_encipherment=False,
482 data_encipherment=False,
483 key_agreement=True,
484 key_cert_sign=False,
485 crl_sign=False,
486 encipher_only=False,
487 decipher_only=True
488 )
489 assert ku == ku2
490
491 def test_ne(self):
492 ku = x509.KeyUsage(
493 digital_signature=False,
494 content_commitment=False,
495 key_encipherment=False,
496 data_encipherment=False,
497 key_agreement=True,
498 key_cert_sign=False,
499 crl_sign=False,
500 encipher_only=False,
501 decipher_only=True
502 )
503 ku2 = x509.KeyUsage(
504 digital_signature=False,
505 content_commitment=False,
506 key_encipherment=False,
507 data_encipherment=False,
508 key_agreement=False,
509 key_cert_sign=False,
510 crl_sign=False,
511 encipher_only=False,
512 decipher_only=False
513 )
514 assert ku != ku2
515 assert ku != object()
516
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]517
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]518class TestSubjectKeyIdentifier(object):
519 def test_properties(self):
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]520 value = binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]521 ski = x509.SubjectKeyIdentifier(value)
522 assert ski.digest == value
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]523
524 def test_repr(self):
525 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]526 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]527 )
528 ext = x509.Extension(x509.OID_SUBJECT_KEY_IDENTIFIER, False, ski)
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]529 if six.PY3:
530 assert repr(ext) == (
531 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
532 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
533 "igest=b\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
534 "\\xf7\\xff:\\xc9\')>)>"
535 )
536 else:
537 assert repr(ext) == (
538 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
539 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
540 "igest=\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
541 "\\xf7\\xff:\\xc9\')>)>"
542 )
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]543
544 def test_eq(self):
545 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]546 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]547 )
548 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]549 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]550 )
551 assert ski == ski2
552
553 def test_ne(self):
554 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]555 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]556 )
557 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]558 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]559 )
560 assert ski != ski2
561 assert ski != object()
562
563
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]564class TestAuthorityKeyIdentifier(object):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]565 def test_authority_cert_issuer_not_generalname(self):
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]566 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]567 x509.AuthorityKeyIdentifier(b"identifier", ["notname"], 3)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]568
569 def test_authority_cert_serial_number_not_integer(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]570 dirname = x509.DirectoryName(
571 x509.Name([
572 x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1'),
573 x509.NameAttribute(x509.ObjectIdentifier('oid2'), 'value2'),
574 ])
575 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]576 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]577 x509.AuthorityKeyIdentifier(b"identifier", [dirname], "notanint")
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]578
579 def test_authority_issuer_none_serial_not_none(self):
580 with pytest.raises(ValueError):
581 x509.AuthorityKeyIdentifier(b"identifier", None, 3)
582
583 def test_authority_issuer_not_none_serial_none(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]584 dirname = x509.DirectoryName(
585 x509.Name([
586 x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1'),
587 x509.NameAttribute(x509.ObjectIdentifier('oid2'), 'value2'),
588 ])
589 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]590 with pytest.raises(ValueError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]591 x509.AuthorityKeyIdentifier(b"identifier", [dirname], None)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]592
593 def test_authority_cert_serial_and_issuer_none(self):
594 aki = x509.AuthorityKeyIdentifier(b"id", None, None)
595 assert aki.key_identifier == b"id"
596 assert aki.authority_cert_issuer is None
597 assert aki.authority_cert_serial_number is None
598
599 def test_repr(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]600 dirname = x509.DirectoryName(
601 x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'myCN')])
602 )
603 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]604
605 if six.PY3:
606 assert repr(aki) == (
607 "<AuthorityKeyIdentifier(key_identifier=b'digest', authority_"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]608 "cert_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid="
609 "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value='myC"
610 "N')>])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]611 )
612 else:
613 assert repr(aki) == (
614 "<AuthorityKeyIdentifier(key_identifier='digest', authority_ce"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]615 "rt_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid=<Ob"
616 "jectIdentifier(oid=2.5.4.3, name=commonName)>, value='myCN')>"
617 "])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]618 )
619
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]620 def test_eq(self):
621 dirname = x509.DirectoryName(
622 x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'myCN')])
623 )
624 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
625 dirname2 = x509.DirectoryName(
626 x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'myCN')])
627 )
628 aki2 = x509.AuthorityKeyIdentifier(b"digest", [dirname2], 1234)
629 assert aki == aki2
630
631 def test_ne(self):
632 dirname = x509.DirectoryName(
633 x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'myCN')])
634 )
635 dirname5 = x509.DirectoryName(
636 x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'aCN')])
637 )
638 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
639 aki2 = x509.AuthorityKeyIdentifier(b"diges", [dirname], 1234)
640 aki3 = x509.AuthorityKeyIdentifier(b"digest", None, None)
641 aki4 = x509.AuthorityKeyIdentifier(b"digest", [dirname], 12345)
642 aki5 = x509.AuthorityKeyIdentifier(b"digest", [dirname5], 12345)
643 assert aki != aki2
644 assert aki != aki3
645 assert aki != aki4
646 assert aki != aki5
647 assert aki != object()
648
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]649
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]650class TestBasicConstraints(object):
651 def test_ca_not_boolean(self):
652 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]653 x509.BasicConstraints(ca="notbool", path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]654
655 def test_path_length_not_ca(self):
656 with pytest.raises(ValueError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]657 x509.BasicConstraints(ca=False, path_length=0)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]658
659 def test_path_length_not_int(self):
660 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]661 x509.BasicConstraints(ca=True, path_length=1.1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]662
663 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]664 x509.BasicConstraints(ca=True, path_length="notint")
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]665
666 def test_path_length_negative(self):
667 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]668 x509.BasicConstraints(ca=True, path_length=-1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]669
670 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]671 na = x509.BasicConstraints(ca=True, path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]672 assert repr(na) == (
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]673 "<BasicConstraints(ca=True, path_length=None)>"
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]674 )
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]675
Paul Kehrer3a69b132015-05-13 10:03:46 -0500[diff] [blame]676 def test_eq(self):
677 na = x509.BasicConstraints(ca=True, path_length=None)
678 na2 = x509.BasicConstraints(ca=True, path_length=None)
679 assert na == na2
680
681 def test_ne(self):
682 na = x509.BasicConstraints(ca=True, path_length=None)
683 na2 = x509.BasicConstraints(ca=True, path_length=1)
684 na3 = x509.BasicConstraints(ca=False, path_length=None)
685 assert na != na2
686 assert na != na3
687 assert na != object()
688
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]689
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]690class TestExtendedKeyUsage(object):
691 def test_not_all_oids(self):
692 with pytest.raises(TypeError):
693 x509.ExtendedKeyUsage(["notoid"])
694
695 def test_iter_len(self):
696 eku = x509.ExtendedKeyUsage([
697 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
698 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
699 ])
700 assert len(eku) == 2
701 assert list(eku) == [
702 x509.OID_SERVER_AUTH,
703 x509.OID_CLIENT_AUTH
704 ]
705
Paul Kehrer23d10c32015-04-02 23:12:32 -0500[diff] [blame]706 def test_repr(self):
707 eku = x509.ExtendedKeyUsage([
708 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
709 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
710 ])
711 assert repr(eku) == (
712 "<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name="
713 "serverAuth)>, <ObjectIdentifier(oid=1.3.6.1.5.5.7.3.2, name=clien"
714 "tAuth)>])>"
715 )
716
Paul Kehrerb0476172015-05-02 19:34:51 -0500[diff] [blame]717 def test_eq(self):
718 eku = x509.ExtendedKeyUsage([
719 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
720 ])
721 eku2 = x509.ExtendedKeyUsage([
722 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
723 ])
724 assert eku == eku2
725
726 def test_ne(self):
727 eku = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6")])
728 eku2 = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6.1")])
729 assert eku != eku2
730 assert eku != object()
731
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]732
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]733@pytest.mark.requires_backend_interface(interface=RSABackend)
734@pytest.mark.requires_backend_interface(interface=X509Backend)
735class TestExtensions(object):
736 def test_no_extensions(self, backend):
737 cert = _load_cert(
738 os.path.join("x509", "verisign_md2_root.pem"),
739 x509.load_pem_x509_certificate,
740 backend
741 )
742 ext = cert.extensions
743 assert len(ext) == 0
744 assert list(ext) == []
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]745 with pytest.raises(x509.ExtensionNotFound) as exc:
746 ext.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
747
748 assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS
749
750 def test_one_extension(self, backend):
751 cert = _load_cert(
752 os.path.join(
753 "x509", "custom", "basic_constraints_not_critical.pem"
754 ),
755 x509.load_pem_x509_certificate,
756 backend
757 )
758 extensions = cert.extensions
759 ext = extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
760 assert ext is not None
761 assert ext.value.ca is False
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]762
763 def test_duplicate_extension(self, backend):
764 cert = _load_cert(
765 os.path.join(
766 "x509", "custom", "two_basic_constraints.pem"
767 ),
768 x509.load_pem_x509_certificate,
769 backend
770 )
771 with pytest.raises(x509.DuplicateExtension) as exc:
772 cert.extensions
773
774 assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS
775
776 def test_unsupported_critical_extension(self, backend):
777 cert = _load_cert(
778 os.path.join(
779 "x509", "custom", "unsupported_extension_critical.pem"
780 ),
781 x509.load_pem_x509_certificate,
782 backend
783 )
784 with pytest.raises(x509.UnsupportedExtension) as exc:
785 cert.extensions
786
787 assert exc.value.oid == x509.ObjectIdentifier("1.2.3.4")
788
789 def test_unsupported_extension(self, backend):
790 # TODO: this will raise an exception when all extensions are complete
791 cert = _load_cert(
792 os.path.join(
793 "x509", "custom", "unsupported_extension.pem"
794 ),
795 x509.load_pem_x509_certificate,
796 backend
797 )
798 extensions = cert.extensions
799 assert len(extensions) == 0
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]800
801
802@pytest.mark.requires_backend_interface(interface=RSABackend)
803@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerde813ea2015-03-28 12:44:34 -0500[diff] [blame]804class TestBasicConstraintsExtension(object):
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]805 def test_ca_true_pathlen_6(self, backend):
806 cert = _load_cert(
807 os.path.join(
808 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
809 ),
810 x509.load_der_x509_certificate,
811 backend
812 )
813 ext = cert.extensions.get_extension_for_oid(
814 x509.OID_BASIC_CONSTRAINTS
815 )
816 assert ext is not None
817 assert ext.critical is True
818 assert ext.value.ca is True
819 assert ext.value.path_length == 6
820
821 def test_path_length_zero(self, backend):
822 cert = _load_cert(
823 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
824 x509.load_pem_x509_certificate,
825 backend
826 )
827 ext = cert.extensions.get_extension_for_oid(
828 x509.OID_BASIC_CONSTRAINTS
829 )
830 assert ext is not None
831 assert ext.critical is True
832 assert ext.value.ca is True
833 assert ext.value.path_length == 0
834
835 def test_ca_true_no_pathlen(self, backend):
836 cert = _load_cert(
837 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
838 x509.load_der_x509_certificate,
839 backend
840 )
841 ext = cert.extensions.get_extension_for_oid(
842 x509.OID_BASIC_CONSTRAINTS
843 )
844 assert ext is not None
845 assert ext.critical is True
846 assert ext.value.ca is True
847 assert ext.value.path_length is None
848
849 def test_ca_false(self, backend):
850 cert = _load_cert(
851 os.path.join("x509", "cryptography.io.pem"),
852 x509.load_pem_x509_certificate,
853 backend
854 )
855 ext = cert.extensions.get_extension_for_oid(
856 x509.OID_BASIC_CONSTRAINTS
857 )
858 assert ext is not None
859 assert ext.critical is True
860 assert ext.value.ca is False
861 assert ext.value.path_length is None
862
863 def test_no_basic_constraints(self, backend):
864 cert = _load_cert(
865 os.path.join(
866 "x509",
867 "PKITS_data",
868 "certs",
869 "ValidCertificatePathTest1EE.crt"
870 ),
871 x509.load_der_x509_certificate,
872 backend
873 )
874 with pytest.raises(x509.ExtensionNotFound):
875 cert.extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
876
877 def test_basic_constraint_not_critical(self, backend):
878 cert = _load_cert(
879 os.path.join(
880 "x509", "custom", "basic_constraints_not_critical.pem"
881 ),
882 x509.load_pem_x509_certificate,
883 backend
884 )
885 ext = cert.extensions.get_extension_for_oid(
886 x509.OID_BASIC_CONSTRAINTS
887 )
888 assert ext is not None
889 assert ext.critical is False
890 assert ext.value.ca is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]891
892
893@pytest.mark.requires_backend_interface(interface=RSABackend)
894@pytest.mark.requires_backend_interface(interface=X509Backend)
895class TestSubjectKeyIdentifierExtension(object):
896 def test_subject_key_identifier(self, backend):
897 cert = _load_cert(
898 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
899 x509.load_der_x509_certificate,
900 backend
901 )
902 ext = cert.extensions.get_extension_for_oid(
903 x509.OID_SUBJECT_KEY_IDENTIFIER
904 )
905 ski = ext.value
906 assert ext is not None
907 assert ext.critical is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]908 assert ski.digest == binascii.unhexlify(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]909 b"580184241bbc2b52944a3da510721451f5af3ac9"
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]910 )
911
912 def test_no_subject_key_identifier(self, backend):
913 cert = _load_cert(
914 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
915 x509.load_pem_x509_certificate,
916 backend
917 )
918 with pytest.raises(x509.ExtensionNotFound):
919 cert.extensions.get_extension_for_oid(
920 x509.OID_SUBJECT_KEY_IDENTIFIER
921 )
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]922
923
924@pytest.mark.requires_backend_interface(interface=RSABackend)
925@pytest.mark.requires_backend_interface(interface=X509Backend)
926class TestKeyUsageExtension(object):
927 def test_no_key_usage(self, backend):
928 cert = _load_cert(
929 os.path.join("x509", "verisign_md2_root.pem"),
930 x509.load_pem_x509_certificate,
931 backend
932 )
933 ext = cert.extensions
934 with pytest.raises(x509.ExtensionNotFound) as exc:
935 ext.get_extension_for_oid(x509.OID_KEY_USAGE)
936
937 assert exc.value.oid == x509.OID_KEY_USAGE
938
939 def test_all_purposes(self, backend):
940 cert = _load_cert(
941 os.path.join(
942 "x509", "custom", "all_key_usages.pem"
943 ),
944 x509.load_pem_x509_certificate,
945 backend
946 )
947 extensions = cert.extensions
948 ext = extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
949 assert ext is not None
950
951 ku = ext.value
952 assert ku.digital_signature is True
953 assert ku.content_commitment is True
954 assert ku.key_encipherment is True
955 assert ku.data_encipherment is True
956 assert ku.key_agreement is True
957 assert ku.key_cert_sign is True
958 assert ku.crl_sign is True
959 assert ku.encipher_only is True
960 assert ku.decipher_only is True
961
962 def test_key_cert_sign_crl_sign(self, backend):
963 cert = _load_cert(
964 os.path.join(
965 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
966 ),
967 x509.load_der_x509_certificate,
968 backend
969 )
970 ext = cert.extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
971 assert ext is not None
972 assert ext.critical is True
973
974 ku = ext.value
975 assert ku.digital_signature is False
976 assert ku.content_commitment is False
977 assert ku.key_encipherment is False
978 assert ku.data_encipherment is False
979 assert ku.key_agreement is False
980 assert ku.key_cert_sign is True
981 assert ku.crl_sign is True
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]982
983
984@pytest.mark.parametrize(
985 "name", [
986 x509.RFC822Name,
987 x509.DNSName,
988 x509.UniformResourceIdentifier
989 ]
990)
991class TestTextGeneralNames(object):
992 def test_not_text(self, name):
993 with pytest.raises(TypeError):
994 name(b"notaunicodestring")
995
996 with pytest.raises(TypeError):
997 name(1.3)
998
999 def test_repr(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1000 gn = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1001 assert repr(gn) == "<{0}(value=string)>".format(name.__name__)
1002
1003 def test_eq(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1004 gn = name(u"string")
1005 gn2 = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1006 assert gn == gn2
1007
1008 def test_ne(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1009 gn = name(u"string")
1010 gn2 = name(u"string2")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1011 assert gn != gn2
1012 assert gn != object()
1013
1014
1015class TestDirectoryName(object):
1016 def test_not_name(self):
1017 with pytest.raises(TypeError):
1018 x509.DirectoryName(b"notaname")
1019
1020 with pytest.raises(TypeError):
1021 x509.DirectoryName(1.3)
1022
1023 def test_repr(self):
1024 name = x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'value1')])
1025 gn = x509.DirectoryName(x509.Name([name]))
1026 assert repr(gn) == (
1027 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<ObjectIden"
1028 "tifier(oid=2.5.4.3, name=commonName)>, value='value1')>])>])>)>"
1029 )
1030
1031 def test_eq(self):
1032 name = x509.Name([
1033 x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1')
1034 ])
1035 name2 = x509.Name([
1036 x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1')
1037 ])
1038 gn = x509.DirectoryName(x509.Name([name]))
1039 gn2 = x509.DirectoryName(x509.Name([name2]))
1040 assert gn == gn2
1041
1042 def test_ne(self):
1043 name = x509.Name([
1044 x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1')
1045 ])
1046 name2 = x509.Name([
1047 x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value2')
1048 ])
1049 gn = x509.DirectoryName(x509.Name([name]))
1050 gn2 = x509.DirectoryName(x509.Name([name2]))
1051 assert gn != gn2
1052 assert gn != object()
1053
1054
1055class TestRegisteredID(object):
1056 def test_not_oid(self):
1057 with pytest.raises(TypeError):
1058 x509.RegisteredID(b"notanoid")
1059
1060 with pytest.raises(TypeError):
1061 x509.RegisteredID(1.3)
1062
1063 def test_repr(self):
1064 gn = x509.RegisteredID(x509.OID_COMMON_NAME)
1065 assert repr(gn) == (
1066 "<RegisteredID(value=<ObjectIdentifier(oid=2.5.4.3, name=commonNam"
1067 "e)>)>"
1068 )
1069
1070 def test_eq(self):
1071 gn = x509.RegisteredID(x509.OID_COMMON_NAME)
1072 gn2 = x509.RegisteredID(x509.OID_COMMON_NAME)
1073 assert gn == gn2
1074
1075 def test_ne(self):
1076 gn = x509.RegisteredID(x509.OID_COMMON_NAME)
1077 gn2 = x509.RegisteredID(x509.OID_BASIC_CONSTRAINTS)
1078 assert gn != gn2
1079 assert gn != object()
1080
1081
1082class TestIPAddress(object):
1083 def test_not_ipaddress(self):
1084 with pytest.raises(TypeError):
1085 x509.IPAddress(b"notanipaddress")
1086
1087 with pytest.raises(TypeError):
1088 x509.IPAddress(1.3)
1089
1090 def test_repr(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1091 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1092 assert repr(gn) == "<IPAddress(value=127.0.0.1)>"
1093
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1094 gn2 = x509.IPAddress(ipaddress.IPv6Address(u"ff::"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1095 assert repr(gn2) == "<IPAddress(value=ff::)>"
1096
1097 def test_eq(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1098 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1099 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1100 assert gn == gn2
1101
1102 def test_ne(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1103 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1104 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.2"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1105 assert gn != gn2
1106 assert gn != object()
1107
1108
1109class TestSubjectAlternativeName(object):
1110 def test_get_values_for_type(self):
1111 san = x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1112 [x509.DNSName(u"cryptography.io")]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1113 )
1114 names = san.get_values_for_type(x509.DNSName)
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1115 assert names == [u"cryptography.io"]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1116
1117 def test_iter_names(self):
1118 san = x509.SubjectAlternativeName([
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1119 x509.DNSName(u"cryptography.io"),
1120 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1121 ])
1122 assert len(san) == 2
1123 assert list(san) == [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1124 x509.DNSName(u"cryptography.io"),
1125 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1126 ]
1127
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1128 def test_invalid_general_names(self):
1129 with pytest.raises(TypeError):
1130 x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1131 [x509.DNSName(u"cryptography.io"), "invalid"]
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1132 )
1133
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1134 def test_repr(self):
1135 san = x509.SubjectAlternativeName(
1136 [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1137 x509.DNSName(u"cryptography.io")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1138 ]
1139 )
1140 assert repr(san) == (
1141 "<SubjectAlternativeName([<DNSName(value=cryptography.io)>])>"
1142 )
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1143
Paul Kehrer58cc3972015-05-13 10:00:41 -0500[diff] [blame]1144 def test_eq(self):
1145 san = x509.SubjectAlternativeName(
1146 [x509.DNSName(u"cryptography.io")]
1147 )
1148 san2 = x509.SubjectAlternativeName(
1149 [x509.DNSName(u"cryptography.io")]
1150 )
1151 assert san == san2
1152
1153 def test_ne(self):
1154 san = x509.SubjectAlternativeName(
1155 [x509.DNSName(u"cryptography.io")]
1156 )
1157 san2 = x509.SubjectAlternativeName(
1158 [x509.RFC822Name(u"admin@cryptography.io")]
1159 )
1160 assert san != san2
1161 assert san != object()
1162
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1163
1164@pytest.mark.requires_backend_interface(interface=RSABackend)
1165@pytest.mark.requires_backend_interface(interface=X509Backend)
1166class TestRSASubjectAlternativeNameExtension(object):
1167 def test_dns_name(self, backend):
1168 cert = _load_cert(
1169 os.path.join("x509", "cryptography.io.pem"),
1170 x509.load_pem_x509_certificate,
1171 backend
1172 )
1173 ext = cert.extensions.get_extension_for_oid(
1174 x509.OID_SUBJECT_ALTERNATIVE_NAME
1175 )
1176 assert ext is not None
1177 assert ext.critical is False
1178
1179 san = ext.value
1180
1181 dns = san.get_values_for_type(x509.DNSName)
1182 assert dns == [u"www.cryptography.io", u"cryptography.io"]
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1183
1184 def test_unsupported_other_name(self, backend):
1185 cert = _load_cert(
1186 os.path.join(
1187 "x509", "custom", "san_other_name.pem"
1188 ),
1189 x509.load_pem_x509_certificate,
1190 backend
1191 )
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1192 with pytest.raises(x509.UnsupportedGeneralNameType) as exc:
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1193 cert.extensions
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1194
Paul Kehrer0a621bf2015-04-22 09:22:56 -0500[diff] [blame]1195 assert exc.value.type == 0
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1196
1197 def test_registered_id(self, backend):
1198 cert = _load_cert(
1199 os.path.join(
1200 "x509", "custom", "san_registered_id.pem"
1201 ),
1202 x509.load_pem_x509_certificate,
1203 backend
1204 )
1205 ext = cert.extensions.get_extension_for_oid(
1206 x509.OID_SUBJECT_ALTERNATIVE_NAME
1207 )
1208 assert ext is not None
1209 assert ext.critical is False
1210
1211 san = ext.value
1212 rid = san.get_values_for_type(x509.RegisteredID)
1213 assert rid == [x509.ObjectIdentifier("1.2.3.4")]
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1214
1215 def test_uri(self, backend):
1216 cert = _load_cert(
1217 os.path.join(
1218 "x509", "custom", "san_uri_with_port.pem"
1219 ),
1220 x509.load_pem_x509_certificate,
1221 backend
1222 )
1223 ext = cert.extensions.get_extension_for_oid(
1224 x509.OID_SUBJECT_ALTERNATIVE_NAME
1225 )
1226 assert ext is not None
1227 uri = ext.value.get_values_for_type(
1228 x509.UniformResourceIdentifier
1229 )
1230 assert uri == [
1231 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/path?q=s#hel"
1232 u"lo",
1233 u"http://someregulardomain.com",
1234 ]
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1235
1236 def test_ipaddress(self, backend):
1237 cert = _load_cert(
1238 os.path.join(
1239 "x509", "custom", "san_ipaddr.pem"
1240 ),
1241 x509.load_pem_x509_certificate,
1242 backend
1243 )
1244 ext = cert.extensions.get_extension_for_oid(
1245 x509.OID_SUBJECT_ALTERNATIVE_NAME
1246 )
1247 assert ext is not None
1248 assert ext.critical is False
1249
1250 san = ext.value
1251
1252 ip = san.get_values_for_type(x509.IPAddress)
1253 assert [
1254 ipaddress.ip_address(u"127.0.0.1"),
1255 ipaddress.ip_address(u"ff::")
1256 ] == ip
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1257
1258 def test_dirname(self, backend):
1259 cert = _load_cert(
1260 os.path.join(
1261 "x509", "custom", "san_dirname.pem"
1262 ),
1263 x509.load_pem_x509_certificate,
1264 backend
1265 )
1266 ext = cert.extensions.get_extension_for_oid(
1267 x509.OID_SUBJECT_ALTERNATIVE_NAME
1268 )
1269 assert ext is not None
1270 assert ext.critical is False
1271
1272 san = ext.value
1273
1274 dirname = san.get_values_for_type(x509.DirectoryName)
1275 assert [
1276 x509.Name([
1277 x509.NameAttribute(x509.OID_COMMON_NAME, 'test'),
1278 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'Org'),
1279 x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'),
1280 ])
1281 ] == dirname
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1282
1283 def test_rfc822name(self, backend):
1284 cert = _load_cert(
1285 os.path.join(
1286 "x509", "custom", "san_rfc822_idna.pem"
1287 ),
1288 x509.load_pem_x509_certificate,
1289 backend
1290 )
1291 ext = cert.extensions.get_extension_for_oid(
1292 x509.OID_SUBJECT_ALTERNATIVE_NAME
1293 )
1294 assert ext is not None
1295 assert ext.critical is False
1296
1297 san = ext.value
1298
1299 rfc822name = san.get_values_for_type(x509.RFC822Name)
1300 assert [u"email@em\xe5\xefl.com"] == rfc822name
1301
1302 def test_unicode_rfc822_name_dns_name_uri(self, backend):
1303 cert = _load_cert(
1304 os.path.join(
1305 "x509", "custom", "san_idna_names.pem"
1306 ),
1307 x509.load_pem_x509_certificate,
1308 backend
1309 )
1310 ext = cert.extensions.get_extension_for_oid(
1311 x509.OID_SUBJECT_ALTERNATIVE_NAME
1312 )
1313 assert ext is not None
1314 rfc822_name = ext.value.get_values_for_type(x509.RFC822Name)
1315 dns_name = ext.value.get_values_for_type(x509.DNSName)
1316 uri = ext.value.get_values_for_type(x509.UniformResourceIdentifier)
1317 assert rfc822_name == [u"email@\u043f\u044b\u043a\u0430.cryptography"]
1318 assert dns_name == [u"\u043f\u044b\u043a\u0430.cryptography"]
1319 assert uri == [u"https://www.\u043f\u044b\u043a\u0430.cryptography"]
1320
1321 def test_rfc822name_dnsname_ipaddress_directoryname_uri(self, backend):
1322 cert = _load_cert(
1323 os.path.join(
1324 "x509", "custom", "san_email_dns_ip_dirname_uri.pem"
1325 ),
1326 x509.load_pem_x509_certificate,
1327 backend
1328 )
1329 ext = cert.extensions.get_extension_for_oid(
1330 x509.OID_SUBJECT_ALTERNATIVE_NAME
1331 )
1332 assert ext is not None
1333 assert ext.critical is False
1334
1335 san = ext.value
1336
1337 rfc822_name = san.get_values_for_type(x509.RFC822Name)
1338 uri = san.get_values_for_type(x509.UniformResourceIdentifier)
1339 dns = san.get_values_for_type(x509.DNSName)
1340 ip = san.get_values_for_type(x509.IPAddress)
1341 dirname = san.get_values_for_type(x509.DirectoryName)
1342 assert [u"user@cryptography.io"] == rfc822_name
Paul Kehrere3a330c2015-05-02 16:42:52 -0500[diff] [blame]1343 assert [u"https://cryptography.io"] == uri
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1344 assert [u"cryptography.io"] == dns
1345 assert [
1346 x509.Name([
1347 x509.NameAttribute(x509.OID_COMMON_NAME, 'dirCN'),
1348 x509.NameAttribute(
1349 x509.OID_ORGANIZATION_NAME, 'Cryptographic Authority'
1350 ),
1351 ])
1352 ] == dirname
1353 assert [
1354 ipaddress.ip_address(u"127.0.0.1"),
1355 ipaddress.ip_address(u"ff::")
1356 ] == ip
1357
1358 def test_invalid_rfc822name(self, backend):
1359 cert = _load_cert(
1360 os.path.join(
1361 "x509", "custom", "san_rfc822_names.pem"
1362 ),
1363 x509.load_pem_x509_certificate,
1364 backend
1365 )
1366 with pytest.raises(ValueError) as exc:
1367 cert.extensions
1368
1369 assert 'Invalid rfc822name value' in str(exc.value)
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]1370
1371
1372@pytest.mark.requires_backend_interface(interface=RSABackend)
1373@pytest.mark.requires_backend_interface(interface=X509Backend)
1374class TestExtendedKeyUsageExtension(object):
1375 def test_eku(self, backend):
1376 cert = _load_cert(
1377 os.path.join(
1378 "x509", "custom", "extended_key_usage.pem"
1379 ),
1380 x509.load_pem_x509_certificate,
1381 backend
1382 )
1383 ext = cert.extensions.get_extension_for_oid(
1384 x509.OID_EXTENDED_KEY_USAGE
1385 )
1386 assert ext is not None
1387 assert ext.critical is False
1388
1389 assert [
1390 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
1391 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
1392 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.3"),
1393 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.4"),
1394 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.9"),
1395 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.8"),
1396 x509.ObjectIdentifier("2.5.29.37.0"),
1397 x509.ObjectIdentifier("2.16.840.1.113730.4.1"),
1398 ] == list(ext.value)
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1399
1400
1401class TestAccessDescription(object):
1402 def test_invalid_access_method(self):
Paul Kehrerf506bca2015-05-02 22:31:47 -0500[diff] [blame]1403 with pytest.raises(ValueError):
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1404 x509.AccessDescription("notanoid", x509.DNSName(u"test"))
1405
1406 def test_invalid_access_location(self):
1407 with pytest.raises(TypeError):
1408 x509.AccessDescription(x509.OID_CA_ISSUERS, "invalid")
1409
1410 def test_repr(self):
1411 ad = x509.AccessDescription(
1412 x509.OID_OCSP,
1413 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1414 )
1415 assert repr(ad) == (
1416 "<AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5."
1417 "5.7.48.1, name=OCSP)>, access_location=<UniformResourceIdentifier"
1418 "(value=http://ocsp.domain.com)>)>"
1419 )
1420
1421 def test_eq(self):
1422 ad = x509.AccessDescription(
1423 x509.OID_OCSP,
1424 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1425 )
1426 ad2 = x509.AccessDescription(
1427 x509.OID_OCSP,
1428 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1429 )
1430 assert ad == ad2
1431
1432 def test_ne(self):
1433 ad = x509.AccessDescription(
1434 x509.OID_OCSP,
1435 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1436 )
1437 ad2 = x509.AccessDescription(
1438 x509.OID_CA_ISSUERS,
1439 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1440 )
1441 ad3 = x509.AccessDescription(
1442 x509.OID_OCSP,
1443 x509.UniformResourceIdentifier(u"http://notthesame")
1444 )
1445 assert ad != ad2
1446 assert ad != ad3
1447 assert ad != object()
1448
1449
1450class TestAuthorityInformationAccess(object):
1451 def test_invalid_descriptions(self):
1452 with pytest.raises(TypeError):
1453 x509.AuthorityInformationAccess(["notanAccessDescription"])
1454
1455 def test_iter_len(self):
1456 aia = x509.AuthorityInformationAccess([
1457 x509.AccessDescription(
1458 x509.OID_OCSP,
1459 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1460 ),
1461 x509.AccessDescription(
1462 x509.OID_CA_ISSUERS,
1463 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1464 )
1465 ])
1466 assert len(aia) == 2
1467 assert list(aia) == [
1468 x509.AccessDescription(
1469 x509.OID_OCSP,
1470 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1471 ),
1472 x509.AccessDescription(
1473 x509.OID_CA_ISSUERS,
1474 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1475 )
1476 ]
1477
1478 def test_repr(self):
1479 aia = x509.AuthorityInformationAccess([
1480 x509.AccessDescription(
1481 x509.OID_OCSP,
1482 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1483 ),
1484 x509.AccessDescription(
1485 x509.OID_CA_ISSUERS,
1486 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1487 )
1488 ])
1489 assert repr(aia) == (
1490 "<AuthorityInformationAccess([<AccessDescription(access_method=<Ob"
1491 "jectIdentifier(oid=1.3.6.1.5.5.7.48.1, name=OCSP)>, access_locati"
1492 "on=<UniformResourceIdentifier(value=http://ocsp.domain.com)>)>, <"
1493 "AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5.5"
1494 ".7.48.2, name=caIssuers)>, access_location=<UniformResourceIdenti"
1495 "fier(value=http://domain.com/ca.crt)>)>])>"
1496 )
1497
1498 def test_eq(self):
1499 aia = x509.AuthorityInformationAccess([
1500 x509.AccessDescription(
1501 x509.OID_OCSP,
1502 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1503 ),
1504 x509.AccessDescription(
1505 x509.OID_CA_ISSUERS,
1506 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1507 )
1508 ])
1509 aia2 = x509.AuthorityInformationAccess([
1510 x509.AccessDescription(
1511 x509.OID_OCSP,
1512 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1513 ),
1514 x509.AccessDescription(
1515 x509.OID_CA_ISSUERS,
1516 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1517 )
1518 ])
1519 assert aia == aia2
1520
1521 def test_ne(self):
1522 aia = x509.AuthorityInformationAccess([
1523 x509.AccessDescription(
1524 x509.OID_OCSP,
1525 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1526 ),
1527 x509.AccessDescription(
1528 x509.OID_CA_ISSUERS,
1529 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1530 )
1531 ])
1532 aia2 = x509.AuthorityInformationAccess([
1533 x509.AccessDescription(
1534 x509.OID_OCSP,
1535 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1536 ),
1537 ])
1538
1539 assert aia != aia2
1540 assert aia != object()
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]1541
1542
1543@pytest.mark.requires_backend_interface(interface=RSABackend)
1544@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]1545class TestAuthorityInformationAccessExtension(object):
1546 def test_aia_ocsp_ca_issuers(self, backend):
1547 cert = _load_cert(
1548 os.path.join("x509", "cryptography.io.pem"),
1549 x509.load_pem_x509_certificate,
1550 backend
1551 )
1552 ext = cert.extensions.get_extension_for_oid(
1553 x509.OID_AUTHORITY_INFORMATION_ACCESS
1554 )
1555 assert ext is not None
1556 assert ext.critical is False
1557
1558 assert ext.value == x509.AuthorityInformationAccess([
1559 x509.AccessDescription(
1560 x509.OID_OCSP,
1561 x509.UniformResourceIdentifier(u"http://gv.symcd.com")
1562 ),
1563 x509.AccessDescription(
1564 x509.OID_CA_ISSUERS,
1565 x509.UniformResourceIdentifier(u"http://gv.symcb.com/gv.crt")
1566 ),
1567 ])
1568
1569 def test_aia_multiple_ocsp_ca_issuers(self, backend):
1570 cert = _load_cert(
1571 os.path.join("x509", "custom", "aia_ocsp_ca_issuers.pem"),
1572 x509.load_pem_x509_certificate,
1573 backend
1574 )
1575 ext = cert.extensions.get_extension_for_oid(
1576 x509.OID_AUTHORITY_INFORMATION_ACCESS
1577 )
1578 assert ext is not None
1579 assert ext.critical is False
1580
1581 assert ext.value == x509.AuthorityInformationAccess([
1582 x509.AccessDescription(
1583 x509.OID_OCSP,
1584 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1585 ),
1586 x509.AccessDescription(
1587 x509.OID_OCSP,
1588 x509.UniformResourceIdentifier(u"http://ocsp2.domain.com")
1589 ),
1590 x509.AccessDescription(
1591 x509.OID_CA_ISSUERS,
1592 x509.DirectoryName(x509.Name([
1593 x509.NameAttribute(x509.OID_COMMON_NAME, "myCN"),
1594 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, "some Org"),
1595 ]))
1596 ),
1597 ])
1598
1599 def test_aia_ocsp_only(self, backend):
1600 cert = _load_cert(
1601 os.path.join("x509", "custom", "aia_ocsp.pem"),
1602 x509.load_pem_x509_certificate,
1603 backend
1604 )
1605 ext = cert.extensions.get_extension_for_oid(
1606 x509.OID_AUTHORITY_INFORMATION_ACCESS
1607 )
1608 assert ext is not None
1609 assert ext.critical is False
1610
1611 assert ext.value == x509.AuthorityInformationAccess([
1612 x509.AccessDescription(
1613 x509.OID_OCSP,
1614 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1615 ),
1616 ])
1617
1618 def test_aia_ca_issuers_only(self, backend):
1619 cert = _load_cert(
1620 os.path.join("x509", "custom", "aia_ca_issuers.pem"),
1621 x509.load_pem_x509_certificate,
1622 backend
1623 )
1624 ext = cert.extensions.get_extension_for_oid(
1625 x509.OID_AUTHORITY_INFORMATION_ACCESS
1626 )
1627 assert ext is not None
1628 assert ext.critical is False
1629
1630 assert ext.value == x509.AuthorityInformationAccess([
1631 x509.AccessDescription(
1632 x509.OID_CA_ISSUERS,
1633 x509.DirectoryName(x509.Name([
1634 x509.NameAttribute(x509.OID_COMMON_NAME, "myCN"),
1635 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, "some Org"),
1636 ]))
1637 ),
1638 ])
1639
1640
1641@pytest.mark.requires_backend_interface(interface=RSABackend)
1642@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]1643class TestAuthorityKeyIdentifierExtension(object):
1644 def test_aki_keyid(self, backend):
1645 cert = _load_cert(
1646 os.path.join(
1647 "x509", "cryptography.io.pem"
1648 ),
1649 x509.load_pem_x509_certificate,
1650 backend
1651 )
1652 ext = cert.extensions.get_extension_for_oid(
1653 x509.OID_AUTHORITY_KEY_IDENTIFIER
1654 )
1655 assert ext is not None
1656 assert ext.critical is False
1657
1658 assert ext.value.key_identifier == (
1659 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08\xcbY"
1660 )
1661 assert ext.value.authority_cert_issuer is None
1662 assert ext.value.authority_cert_serial_number is None
1663
1664 def test_aki_all_fields(self, backend):
1665 cert = _load_cert(
1666 os.path.join(
1667 "x509", "custom", "authority_key_identifier.pem"
1668 ),
1669 x509.load_pem_x509_certificate,
1670 backend
1671 )
1672 ext = cert.extensions.get_extension_for_oid(
1673 x509.OID_AUTHORITY_KEY_IDENTIFIER
1674 )
1675 assert ext is not None
1676 assert ext.critical is False
1677
1678 assert ext.value.key_identifier == (
1679 b"9E>\xca=b\x1d\xea\x86I\xf6Z\xab@\xb7\xa4p\x98\xf1\xec"
1680 )
1681 assert ext.value.authority_cert_issuer == [
1682 x509.DirectoryName(
1683 x509.Name([
1684 x509.NameAttribute(
1685 x509.OID_ORGANIZATION_NAME, u"PyCA"
1686 ),
1687 x509.NameAttribute(
1688 x509.OID_COMMON_NAME, u"cryptography.io"
1689 )
1690 ])
1691 )
1692 ]
1693 assert ext.value.authority_cert_serial_number == 3
1694
1695 def test_aki_no_keyid(self, backend):
1696 cert = _load_cert(
1697 os.path.join(
1698 "x509", "custom", "authority_key_identifier_no_keyid.pem"
1699 ),
1700 x509.load_pem_x509_certificate,
1701 backend
1702 )
1703 ext = cert.extensions.get_extension_for_oid(
1704 x509.OID_AUTHORITY_KEY_IDENTIFIER
1705 )
1706 assert ext is not None
1707 assert ext.critical is False
1708
1709 assert ext.value.key_identifier is None
1710 assert ext.value.authority_cert_issuer == [
1711 x509.DirectoryName(
1712 x509.Name([
1713 x509.NameAttribute(
1714 x509.OID_ORGANIZATION_NAME, u"PyCA"
1715 ),
1716 x509.NameAttribute(
1717 x509.OID_COMMON_NAME, u"cryptography.io"
1718 )
1719 ])
1720 )
1721 ]
1722 assert ext.value.authority_cert_serial_number == 3
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1723
1724
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1725class TestDistributionPoint(object):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1726 def test_distribution_point_full_name_not_general_names(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1727 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1728 x509.DistributionPoint(["notgn"], None, None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1729
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1730 def test_distribution_point_relative_name_not_name(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1731 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1732 x509.DistributionPoint(None, "notname", None, None)
1733
1734 def test_distribution_point_full_and_relative_not_none(self):
1735 with pytest.raises(ValueError):
1736 x509.DistributionPoint("data", "notname", None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1737
1738 def test_crl_issuer_not_general_names(self):
1739 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1740 x509.DistributionPoint(None, None, None, ["notgn"])
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1741
1742 def test_reason_not_reasonflags(self):
1743 with pytest.raises(TypeError):
1744 x509.DistributionPoint(
1745 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1746 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1747 frozenset(["notreasonflags"]),
1748 None
1749 )
1750
1751 def test_reason_not_frozenset(self):
1752 with pytest.raises(TypeError):
1753 x509.DistributionPoint(
1754 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
1755 None,
1756 [x509.ReasonFlags.ca_compromise],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1757 None
1758 )
1759
1760 def test_disallowed_reasons(self):
1761 with pytest.raises(ValueError):
1762 x509.DistributionPoint(
1763 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
1764 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1765 frozenset([x509.ReasonFlags.unspecified]),
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1766 None
1767 )
1768
1769 with pytest.raises(ValueError):
1770 x509.DistributionPoint(
1771 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
1772 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1773 frozenset([x509.ReasonFlags.remove_from_crl]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1774 None
1775 )
1776
1777 def test_reason_only(self):
1778 with pytest.raises(ValueError):
1779 x509.DistributionPoint(
1780 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1781 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1782 frozenset([x509.ReasonFlags.aa_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1783 None
1784 )
1785
1786 def test_eq(self):
1787 dp = x509.DistributionPoint(
1788 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1789 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1790 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1791 [
1792 x509.DirectoryName(
1793 x509.Name([
1794 x509.NameAttribute(
1795 x509.OID_COMMON_NAME, "Important CA"
1796 )
1797 ])
1798 )
1799 ],
1800 )
1801 dp2 = x509.DistributionPoint(
1802 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1803 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1804 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1805 [
1806 x509.DirectoryName(
1807 x509.Name([
1808 x509.NameAttribute(
1809 x509.OID_COMMON_NAME, "Important CA"
1810 )
1811 ])
1812 )
1813 ],
1814 )
1815 assert dp == dp2
1816
1817 def test_ne(self):
1818 dp = x509.DistributionPoint(
1819 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1820 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1821 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1822 [
1823 x509.DirectoryName(
1824 x509.Name([
1825 x509.NameAttribute(
1826 x509.OID_COMMON_NAME, "Important CA"
1827 )
1828 ])
1829 )
1830 ],
1831 )
1832 dp2 = x509.DistributionPoint(
1833 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
1834 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1835 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1836 None
1837 )
1838 assert dp != dp2
1839 assert dp != object()
1840
1841 def test_repr(self):
1842 dp = x509.DistributionPoint(
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1843 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1844 x509.Name([
1845 x509.NameAttribute(x509.OID_COMMON_NAME, "myCN")
1846 ]),
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]1847 frozenset([x509.ReasonFlags.ca_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1848 [
1849 x509.DirectoryName(
1850 x509.Name([
1851 x509.NameAttribute(
1852 x509.OID_COMMON_NAME, "Important CA"
1853 )
1854 ])
1855 )
1856 ],
1857 )
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]1858 if six.PY3:
1859 assert repr(dp) == (
1860 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
1861 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
1862 ">, value='myCN')>])>, reasons=frozenset({<ReasonFlags.ca_comp"
1863 "romise: 'cACompromise'>}), crl_issuer=[<DirectoryName(value=<"
1864 "Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name="
1865 "commonName)>, value='Important CA')>])>)>])>"
1866 )
1867 else:
1868 assert repr(dp) == (
1869 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
1870 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
1871 ">, value='myCN')>])>, reasons=frozenset([<ReasonFlags.ca_comp"
1872 "romise: 'cACompromise'>]), crl_issuer=[<DirectoryName(value=<"
1873 "Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name="
1874 "commonName)>, value='Important CA')>])>)>])>"
1875 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1876
1877
1878class TestCRLDistributionPoints(object):
1879 def test_invalid_distribution_points(self):
1880 with pytest.raises(TypeError):
1881 x509.CRLDistributionPoints(["notadistributionpoint"])
1882
1883 def test_iter_len(self):
1884 cdp = x509.CRLDistributionPoints([
1885 x509.DistributionPoint(
1886 [x509.UniformResourceIdentifier(u"http://domain")],
1887 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1888 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1889 None
1890 ),
1891 x509.DistributionPoint(
1892 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1893 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1894 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1895 x509.ReasonFlags.key_compromise,
1896 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1897 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1898 None
1899 ),
1900 ])
1901 assert len(cdp) == 2
1902 assert list(cdp) == [
1903 x509.DistributionPoint(
1904 [x509.UniformResourceIdentifier(u"http://domain")],
1905 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1906 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1907 None
1908 ),
1909 x509.DistributionPoint(
1910 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1911 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1912 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1913 x509.ReasonFlags.key_compromise,
1914 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1915 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1916 None
1917 ),
1918 ]
1919
1920 def test_repr(self):
1921 cdp = x509.CRLDistributionPoints([
1922 x509.DistributionPoint(
1923 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1924 None,
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]1925 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1926 None
1927 ),
1928 ])
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]1929 if six.PY3:
1930 assert repr(cdp) == (
1931 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
1932 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
1933 "ne, reasons=frozenset({<ReasonFlags.key_compromise: 'keyComp"
1934 "romise'>}), crl_issuer=None)>])>"
1935 )
1936 else:
1937 assert repr(cdp) == (
1938 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
1939 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
1940 "ne, reasons=frozenset([<ReasonFlags.key_compromise: 'keyComp"
1941 "romise'>]), crl_issuer=None)>])>"
1942 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1943
1944 def test_eq(self):
1945 cdp = x509.CRLDistributionPoints([
1946 x509.DistributionPoint(
1947 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1948 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1949 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1950 x509.ReasonFlags.key_compromise,
1951 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1952 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1953 [x509.UniformResourceIdentifier(u"uri://thing")],
1954 ),
1955 ])
1956 cdp2 = x509.CRLDistributionPoints([
1957 x509.DistributionPoint(
1958 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1959 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1960 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1961 x509.ReasonFlags.key_compromise,
1962 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1963 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1964 [x509.UniformResourceIdentifier(u"uri://thing")],
1965 ),
1966 ])
1967 assert cdp == cdp2
1968
1969 def test_ne(self):
1970 cdp = x509.CRLDistributionPoints([
1971 x509.DistributionPoint(
1972 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1973 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1974 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1975 x509.ReasonFlags.key_compromise,
1976 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1977 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1978 [x509.UniformResourceIdentifier(u"uri://thing")],
1979 ),
1980 ])
1981 cdp2 = x509.CRLDistributionPoints([
1982 x509.DistributionPoint(
1983 [x509.UniformResourceIdentifier(u"ftp://domain2")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1984 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1985 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1986 x509.ReasonFlags.key_compromise,
1987 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1988 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1989 [x509.UniformResourceIdentifier(u"uri://thing")],
1990 ),
1991 ])
1992 cdp3 = x509.CRLDistributionPoints([
1993 x509.DistributionPoint(
1994 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1995 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1996 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1997 [x509.UniformResourceIdentifier(u"uri://thing")],
1998 ),
1999 ])
2000 cdp4 = x509.CRLDistributionPoints([
2001 x509.DistributionPoint(
2002 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2003 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2004 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2005 x509.ReasonFlags.key_compromise,
2006 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2007 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2008 [x509.UniformResourceIdentifier(u"uri://thing2")],
2009 ),
2010 ])
2011 assert cdp != cdp2
2012 assert cdp != cdp3
2013 assert cdp != cdp4
2014 assert cdp != object()
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2015
2016
2017@pytest.mark.requires_backend_interface(interface=RSABackend)
2018@pytest.mark.requires_backend_interface(interface=X509Backend)
2019class TestCRLDistributionPointsExtension(object):
2020 def test_fullname_and_crl_issuer(self, backend):
2021 cert = _load_cert(
2022 os.path.join(
2023 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest28EE.crt"
2024 ),
2025 x509.load_der_x509_certificate,
2026 backend
2027 )
2028
2029 cdps = cert.extensions.get_extension_for_oid(
2030 x509.OID_CRL_DISTRIBUTION_POINTS
2031 ).value
2032
2033 assert cdps == x509.CRLDistributionPoints([
2034 x509.DistributionPoint(
2035 full_name=[x509.DirectoryName(
2036 x509.Name([
2037 x509.NameAttribute(x509.OID_COUNTRY_NAME, "US"),
2038 x509.NameAttribute(
2039 x509.OID_ORGANIZATION_NAME,
2040 "Test Certificates 2011"
2041 ),
2042 x509.NameAttribute(
2043 x509.OID_ORGANIZATIONAL_UNIT_NAME,
2044 "indirectCRL CA3 cRLIssuer"
2045 ),
2046 x509.NameAttribute(
2047 x509.OID_COMMON_NAME,
2048 "indirect CRL for indirectCRL CA3"
2049 ),
2050 ])
2051 )],
2052 relative_name=None,
2053 reasons=None,
2054 crl_issuer=[x509.DirectoryName(
2055 x509.Name([
2056 x509.NameAttribute(x509.OID_COUNTRY_NAME, "US"),
2057 x509.NameAttribute(
2058 x509.OID_ORGANIZATION_NAME,
2059 "Test Certificates 2011"
2060 ),
2061 x509.NameAttribute(
2062 x509.OID_ORGANIZATIONAL_UNIT_NAME,
2063 "indirectCRL CA3 cRLIssuer"
2064 ),
2065 ])
2066 )],
2067 )
2068 ])
2069
2070 def test_relativename_and_crl_issuer(self, backend):
2071 cert = _load_cert(
2072 os.path.join(
2073 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest29EE.crt"
2074 ),
2075 x509.load_der_x509_certificate,
2076 backend
2077 )
2078
2079 cdps = cert.extensions.get_extension_for_oid(
2080 x509.OID_CRL_DISTRIBUTION_POINTS
2081 ).value
2082
2083 assert cdps == x509.CRLDistributionPoints([
2084 x509.DistributionPoint(
2085 full_name=None,
2086 relative_name=x509.Name([
2087 x509.NameAttribute(
2088 x509.OID_COMMON_NAME,
2089 "indirect CRL for indirectCRL CA3"
2090 ),
2091 ]),
2092 reasons=None,
2093 crl_issuer=[x509.DirectoryName(
2094 x509.Name([
2095 x509.NameAttribute(x509.OID_COUNTRY_NAME, "US"),
2096 x509.NameAttribute(
2097 x509.OID_ORGANIZATION_NAME,
2098 "Test Certificates 2011"
2099 ),
2100 x509.NameAttribute(
2101 x509.OID_ORGANIZATIONAL_UNIT_NAME,
2102 "indirectCRL CA3 cRLIssuer"
2103 ),
2104 ])
2105 )],
2106 )
2107 ])
2108
2109 def test_fullname_crl_issuer_reasons(self, backend):
2110 cert = _load_cert(
2111 os.path.join(
2112 "x509", "custom", "cdp_fullname_reasons_crl_issuer.pem"
2113 ),
2114 x509.load_pem_x509_certificate,
2115 backend
2116 )
2117
2118 cdps = cert.extensions.get_extension_for_oid(
2119 x509.OID_CRL_DISTRIBUTION_POINTS
2120 ).value
2121
2122 assert cdps == x509.CRLDistributionPoints([
2123 x509.DistributionPoint(
2124 full_name=[x509.UniformResourceIdentifier(
2125 u"http://myhost.com/myca.crl"
2126 )],
2127 relative_name=None,
2128 reasons=frozenset([
2129 x509.ReasonFlags.key_compromise,
2130 x509.ReasonFlags.ca_compromise
2131 ]),
2132 crl_issuer=[x509.DirectoryName(
2133 x509.Name([
2134 x509.NameAttribute(x509.OID_COUNTRY_NAME, "US"),
2135 x509.NameAttribute(
2136 x509.OID_ORGANIZATION_NAME, "PyCA"
2137 ),
2138 x509.NameAttribute(
2139 x509.OID_COMMON_NAME, "cryptography CA"
2140 ),
2141 ])
2142 )],
2143 )
2144 ])
2145
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]2146 def test_all_reasons(self, backend):
2147 cert = _load_cert(
2148 os.path.join(
2149 "x509", "custom", "cdp_all_reasons.pem"
2150 ),
2151 x509.load_pem_x509_certificate,
2152 backend
2153 )
2154
2155 cdps = cert.extensions.get_extension_for_oid(
2156 x509.OID_CRL_DISTRIBUTION_POINTS
2157 ).value
2158
2159 assert cdps == x509.CRLDistributionPoints([
2160 x509.DistributionPoint(
2161 full_name=[x509.UniformResourceIdentifier(
2162 u"http://domain.com/some.crl"
2163 )],
2164 relative_name=None,
2165 reasons=frozenset([
2166 x509.ReasonFlags.key_compromise,
2167 x509.ReasonFlags.ca_compromise,
2168 x509.ReasonFlags.affiliation_changed,
2169 x509.ReasonFlags.superseded,
2170 x509.ReasonFlags.privilege_withdrawn,
2171 x509.ReasonFlags.cessation_of_operation,
2172 x509.ReasonFlags.aa_compromise,
2173 x509.ReasonFlags.certificate_hold,
2174 ]),
2175 crl_issuer=None
2176 )
2177 ])
2178
2179 def test_single_reason(self, backend):
2180 cert = _load_cert(
2181 os.path.join(
2182 "x509", "custom", "cdp_reason_aa_compromise.pem"
2183 ),
2184 x509.load_pem_x509_certificate,
2185 backend
2186 )
2187
2188 cdps = cert.extensions.get_extension_for_oid(
2189 x509.OID_CRL_DISTRIBUTION_POINTS
2190 ).value
2191
2192 assert cdps == x509.CRLDistributionPoints([
2193 x509.DistributionPoint(
2194 full_name=[x509.UniformResourceIdentifier(
2195 u"http://domain.com/some.crl"
2196 )],
2197 relative_name=None,
2198 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
2199 crl_issuer=None
2200 )
2201 ])
2202
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2203 def test_crl_issuer_only(self, backend):
2204 cert = _load_cert(
2205 os.path.join(
2206 "x509", "custom", "cdp_crl_issuer.pem"
2207 ),
2208 x509.load_pem_x509_certificate,
2209 backend
2210 )
2211
2212 cdps = cert.extensions.get_extension_for_oid(
2213 x509.OID_CRL_DISTRIBUTION_POINTS
2214 ).value
2215
2216 assert cdps == x509.CRLDistributionPoints([
2217 x509.DistributionPoint(
2218 full_name=None,
2219 relative_name=None,
2220 reasons=None,
2221 crl_issuer=[x509.DirectoryName(
2222 x509.Name([
2223 x509.NameAttribute(
2224 x509.OID_COMMON_NAME, "cryptography CA"
2225 ),
2226 ])
2227 )],
2228 )
2229 ])