Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / c86fd1db1f8b459b720c62bdb94e7d9fb5c3b8be / . / tests / test_x509_ext.py
blob: 8a227953324ab59d489a11392f334490a9d05982 [file] [log] [blame]
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]7import binascii
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]8import ipaddress
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]9import os
10
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]11import pytest
12
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]13import six
14
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]15from cryptography import x509
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]16from cryptography.hazmat.backends.interfaces import RSABackend, X509Backend
17
18from .test_x509 import _load_cert
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]19
20
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]21class TestExtension(object):
22 def test_not_an_oid(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]23 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]24 with pytest.raises(TypeError):
25 x509.Extension("notanoid", True, bc)
26
27 def test_critical_not_a_bool(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]28 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]29 with pytest.raises(TypeError):
30 x509.Extension(x509.OID_BASIC_CONSTRAINTS, "notabool", bc)
31
32 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]33 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]34 ext = x509.Extension(x509.OID_BASIC_CONSTRAINTS, True, bc)
35 assert repr(ext) == (
36 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConst"
37 "raints)>, critical=True, value=<BasicConstraints(ca=False, path"
38 "_length=None)>)>"
39 )
40
41
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]42class TestKeyUsage(object):
43 def test_key_agreement_false_encipher_decipher_true(self):
44 with pytest.raises(ValueError):
45 x509.KeyUsage(
46 digital_signature=False,
47 content_commitment=False,
48 key_encipherment=False,
49 data_encipherment=False,
50 key_agreement=False,
51 key_cert_sign=False,
52 crl_sign=False,
53 encipher_only=True,
54 decipher_only=False
55 )
56
57 with pytest.raises(ValueError):
58 x509.KeyUsage(
59 digital_signature=False,
60 content_commitment=False,
61 key_encipherment=False,
62 data_encipherment=False,
63 key_agreement=False,
64 key_cert_sign=False,
65 crl_sign=False,
66 encipher_only=True,
67 decipher_only=True
68 )
69
70 with pytest.raises(ValueError):
71 x509.KeyUsage(
72 digital_signature=False,
73 content_commitment=False,
74 key_encipherment=False,
75 data_encipherment=False,
76 key_agreement=False,
77 key_cert_sign=False,
78 crl_sign=False,
79 encipher_only=False,
80 decipher_only=True
81 )
82
83 def test_properties_key_agreement_true(self):
84 ku = x509.KeyUsage(
85 digital_signature=True,
86 content_commitment=True,
87 key_encipherment=False,
88 data_encipherment=False,
89 key_agreement=False,
90 key_cert_sign=True,
91 crl_sign=False,
92 encipher_only=False,
93 decipher_only=False
94 )
95 assert ku.digital_signature is True
96 assert ku.content_commitment is True
97 assert ku.key_encipherment is False
98 assert ku.data_encipherment is False
99 assert ku.key_agreement is False
100 assert ku.key_cert_sign is True
101 assert ku.crl_sign is False
102
103 def test_key_agreement_true_properties(self):
104 ku = x509.KeyUsage(
105 digital_signature=False,
106 content_commitment=False,
107 key_encipherment=False,
108 data_encipherment=False,
109 key_agreement=True,
110 key_cert_sign=False,
111 crl_sign=False,
112 encipher_only=False,
113 decipher_only=True
114 )
115 assert ku.key_agreement is True
116 assert ku.encipher_only is False
117 assert ku.decipher_only is True
118
119 def test_key_agreement_false_properties(self):
120 ku = x509.KeyUsage(
121 digital_signature=False,
122 content_commitment=False,
123 key_encipherment=False,
124 data_encipherment=False,
125 key_agreement=False,
126 key_cert_sign=False,
127 crl_sign=False,
128 encipher_only=False,
129 decipher_only=False
130 )
131 assert ku.key_agreement is False
132 with pytest.raises(ValueError):
133 ku.encipher_only
134
135 with pytest.raises(ValueError):
136 ku.decipher_only
137
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]138 def test_repr_key_agreement_false(self):
139 ku = x509.KeyUsage(
140 digital_signature=True,
141 content_commitment=True,
142 key_encipherment=False,
143 data_encipherment=False,
144 key_agreement=False,
145 key_cert_sign=True,
146 crl_sign=False,
147 encipher_only=False,
148 decipher_only=False
149 )
150 assert repr(ku) == (
151 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
152 "cipherment=False, data_encipherment=False, key_agreement=False, k"
Paul Kehrerb372e672015-04-15 11:05:24 -0400[diff] [blame]153 "ey_cert_sign=True, crl_sign=False, encipher_only=None, decipher_o"
154 "nly=None)>"
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]155 )
156
157 def test_repr_key_agreement_true(self):
158 ku = x509.KeyUsage(
159 digital_signature=True,
160 content_commitment=True,
161 key_encipherment=False,
162 data_encipherment=False,
163 key_agreement=True,
164 key_cert_sign=True,
165 crl_sign=False,
166 encipher_only=False,
167 decipher_only=False
168 )
169 assert repr(ku) == (
170 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
171 "cipherment=False, data_encipherment=False, key_agreement=True, k"
172 "ey_cert_sign=True, crl_sign=False, encipher_only=False, decipher_"
173 "only=False)>"
174 )
175
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]176
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]177class TestSubjectKeyIdentifier(object):
178 def test_properties(self):
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]179 value = binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]180 ski = x509.SubjectKeyIdentifier(value)
181 assert ski.digest == value
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]182
183 def test_repr(self):
184 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]185 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]186 )
187 ext = x509.Extension(x509.OID_SUBJECT_KEY_IDENTIFIER, False, ski)
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]188 if six.PY3:
189 assert repr(ext) == (
190 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
191 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
192 "igest=b\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
193 "\\xf7\\xff:\\xc9\')>)>"
194 )
195 else:
196 assert repr(ext) == (
197 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
198 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
199 "igest=\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
200 "\\xf7\\xff:\\xc9\')>)>"
201 )
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]202
203 def test_eq(self):
204 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]205 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]206 )
207 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]208 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]209 )
210 assert ski == ski2
211
212 def test_ne(self):
213 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]214 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]215 )
216 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]217 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]218 )
219 assert ski != ski2
220 assert ski != object()
221
222
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]223class TestAuthorityKeyIdentifier(object):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]224 def test_authority_cert_issuer_not_generalname(self):
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]225 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]226 x509.AuthorityKeyIdentifier(b"identifier", ["notname"], 3)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]227
228 def test_authority_cert_serial_number_not_integer(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]229 dirname = x509.DirectoryName(
230 x509.Name([
231 x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1'),
232 x509.NameAttribute(x509.ObjectIdentifier('oid2'), 'value2'),
233 ])
234 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]235 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]236 x509.AuthorityKeyIdentifier(b"identifier", [dirname], "notanint")
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]237
238 def test_authority_issuer_none_serial_not_none(self):
239 with pytest.raises(ValueError):
240 x509.AuthorityKeyIdentifier(b"identifier", None, 3)
241
242 def test_authority_issuer_not_none_serial_none(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]243 dirname = x509.DirectoryName(
244 x509.Name([
245 x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1'),
246 x509.NameAttribute(x509.ObjectIdentifier('oid2'), 'value2'),
247 ])
248 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]249 with pytest.raises(ValueError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]250 x509.AuthorityKeyIdentifier(b"identifier", [dirname], None)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]251
252 def test_authority_cert_serial_and_issuer_none(self):
253 aki = x509.AuthorityKeyIdentifier(b"id", None, None)
254 assert aki.key_identifier == b"id"
255 assert aki.authority_cert_issuer is None
256 assert aki.authority_cert_serial_number is None
257
258 def test_repr(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]259 dirname = x509.DirectoryName(
260 x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'myCN')])
261 )
262 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]263
264 if six.PY3:
265 assert repr(aki) == (
266 "<AuthorityKeyIdentifier(key_identifier=b'digest', authority_"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]267 "cert_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid="
268 "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value='myC"
269 "N')>])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]270 )
271 else:
272 assert repr(aki) == (
273 "<AuthorityKeyIdentifier(key_identifier='digest', authority_ce"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]274 "rt_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid=<Ob"
275 "jectIdentifier(oid=2.5.4.3, name=commonName)>, value='myCN')>"
276 "])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]277 )
278
279
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]280class TestBasicConstraints(object):
281 def test_ca_not_boolean(self):
282 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]283 x509.BasicConstraints(ca="notbool", path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]284
285 def test_path_length_not_ca(self):
286 with pytest.raises(ValueError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]287 x509.BasicConstraints(ca=False, path_length=0)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]288
289 def test_path_length_not_int(self):
290 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]291 x509.BasicConstraints(ca=True, path_length=1.1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]292
293 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]294 x509.BasicConstraints(ca=True, path_length="notint")
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]295
296 def test_path_length_negative(self):
297 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]298 x509.BasicConstraints(ca=True, path_length=-1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]299
300 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]301 na = x509.BasicConstraints(ca=True, path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]302 assert repr(na) == (
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]303 "<BasicConstraints(ca=True, path_length=None)>"
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]304 )
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]305
306
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]307class TestExtendedKeyUsage(object):
308 def test_not_all_oids(self):
309 with pytest.raises(TypeError):
310 x509.ExtendedKeyUsage(["notoid"])
311
312 def test_iter_len(self):
313 eku = x509.ExtendedKeyUsage([
314 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
315 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
316 ])
317 assert len(eku) == 2
318 assert list(eku) == [
319 x509.OID_SERVER_AUTH,
320 x509.OID_CLIENT_AUTH
321 ]
322
Paul Kehrer23d10c32015-04-02 23:12:32 -0500[diff] [blame]323 def test_repr(self):
324 eku = x509.ExtendedKeyUsage([
325 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
326 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
327 ])
328 assert repr(eku) == (
329 "<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name="
330 "serverAuth)>, <ObjectIdentifier(oid=1.3.6.1.5.5.7.3.2, name=clien"
331 "tAuth)>])>"
332 )
333
Paul Kehrerb0476172015-05-02 19:34:51 -0500[diff] [blame]334 def test_eq(self):
335 eku = x509.ExtendedKeyUsage([
336 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
337 ])
338 eku2 = x509.ExtendedKeyUsage([
339 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
340 ])
341 assert eku == eku2
342
343 def test_ne(self):
344 eku = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6")])
345 eku2 = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6.1")])
346 assert eku != eku2
347 assert eku != object()
348
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]349
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]350@pytest.mark.requires_backend_interface(interface=RSABackend)
351@pytest.mark.requires_backend_interface(interface=X509Backend)
352class TestExtensions(object):
353 def test_no_extensions(self, backend):
354 cert = _load_cert(
355 os.path.join("x509", "verisign_md2_root.pem"),
356 x509.load_pem_x509_certificate,
357 backend
358 )
359 ext = cert.extensions
360 assert len(ext) == 0
361 assert list(ext) == []
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]362 with pytest.raises(x509.ExtensionNotFound) as exc:
363 ext.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
364
365 assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS
366
367 def test_one_extension(self, backend):
368 cert = _load_cert(
369 os.path.join(
370 "x509", "custom", "basic_constraints_not_critical.pem"
371 ),
372 x509.load_pem_x509_certificate,
373 backend
374 )
375 extensions = cert.extensions
376 ext = extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
377 assert ext is not None
378 assert ext.value.ca is False
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]379
380 def test_duplicate_extension(self, backend):
381 cert = _load_cert(
382 os.path.join(
383 "x509", "custom", "two_basic_constraints.pem"
384 ),
385 x509.load_pem_x509_certificate,
386 backend
387 )
388 with pytest.raises(x509.DuplicateExtension) as exc:
389 cert.extensions
390
391 assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS
392
393 def test_unsupported_critical_extension(self, backend):
394 cert = _load_cert(
395 os.path.join(
396 "x509", "custom", "unsupported_extension_critical.pem"
397 ),
398 x509.load_pem_x509_certificate,
399 backend
400 )
401 with pytest.raises(x509.UnsupportedExtension) as exc:
402 cert.extensions
403
404 assert exc.value.oid == x509.ObjectIdentifier("1.2.3.4")
405
406 def test_unsupported_extension(self, backend):
407 # TODO: this will raise an exception when all extensions are complete
408 cert = _load_cert(
409 os.path.join(
410 "x509", "custom", "unsupported_extension.pem"
411 ),
412 x509.load_pem_x509_certificate,
413 backend
414 )
415 extensions = cert.extensions
416 assert len(extensions) == 0
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]417
418
419@pytest.mark.requires_backend_interface(interface=RSABackend)
420@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerde813ea2015-03-28 12:44:34 -0500[diff] [blame]421class TestBasicConstraintsExtension(object):
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]422 def test_ca_true_pathlen_6(self, backend):
423 cert = _load_cert(
424 os.path.join(
425 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
426 ),
427 x509.load_der_x509_certificate,
428 backend
429 )
430 ext = cert.extensions.get_extension_for_oid(
431 x509.OID_BASIC_CONSTRAINTS
432 )
433 assert ext is not None
434 assert ext.critical is True
435 assert ext.value.ca is True
436 assert ext.value.path_length == 6
437
438 def test_path_length_zero(self, backend):
439 cert = _load_cert(
440 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
441 x509.load_pem_x509_certificate,
442 backend
443 )
444 ext = cert.extensions.get_extension_for_oid(
445 x509.OID_BASIC_CONSTRAINTS
446 )
447 assert ext is not None
448 assert ext.critical is True
449 assert ext.value.ca is True
450 assert ext.value.path_length == 0
451
452 def test_ca_true_no_pathlen(self, backend):
453 cert = _load_cert(
454 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
455 x509.load_der_x509_certificate,
456 backend
457 )
458 ext = cert.extensions.get_extension_for_oid(
459 x509.OID_BASIC_CONSTRAINTS
460 )
461 assert ext is not None
462 assert ext.critical is True
463 assert ext.value.ca is True
464 assert ext.value.path_length is None
465
466 def test_ca_false(self, backend):
467 cert = _load_cert(
468 os.path.join("x509", "cryptography.io.pem"),
469 x509.load_pem_x509_certificate,
470 backend
471 )
472 ext = cert.extensions.get_extension_for_oid(
473 x509.OID_BASIC_CONSTRAINTS
474 )
475 assert ext is not None
476 assert ext.critical is True
477 assert ext.value.ca is False
478 assert ext.value.path_length is None
479
480 def test_no_basic_constraints(self, backend):
481 cert = _load_cert(
482 os.path.join(
483 "x509",
484 "PKITS_data",
485 "certs",
486 "ValidCertificatePathTest1EE.crt"
487 ),
488 x509.load_der_x509_certificate,
489 backend
490 )
491 with pytest.raises(x509.ExtensionNotFound):
492 cert.extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
493
494 def test_basic_constraint_not_critical(self, backend):
495 cert = _load_cert(
496 os.path.join(
497 "x509", "custom", "basic_constraints_not_critical.pem"
498 ),
499 x509.load_pem_x509_certificate,
500 backend
501 )
502 ext = cert.extensions.get_extension_for_oid(
503 x509.OID_BASIC_CONSTRAINTS
504 )
505 assert ext is not None
506 assert ext.critical is False
507 assert ext.value.ca is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]508
509
510@pytest.mark.requires_backend_interface(interface=RSABackend)
511@pytest.mark.requires_backend_interface(interface=X509Backend)
512class TestSubjectKeyIdentifierExtension(object):
513 def test_subject_key_identifier(self, backend):
514 cert = _load_cert(
515 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
516 x509.load_der_x509_certificate,
517 backend
518 )
519 ext = cert.extensions.get_extension_for_oid(
520 x509.OID_SUBJECT_KEY_IDENTIFIER
521 )
522 ski = ext.value
523 assert ext is not None
524 assert ext.critical is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]525 assert ski.digest == binascii.unhexlify(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]526 b"580184241bbc2b52944a3da510721451f5af3ac9"
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]527 )
528
529 def test_no_subject_key_identifier(self, backend):
530 cert = _load_cert(
531 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
532 x509.load_pem_x509_certificate,
533 backend
534 )
535 with pytest.raises(x509.ExtensionNotFound):
536 cert.extensions.get_extension_for_oid(
537 x509.OID_SUBJECT_KEY_IDENTIFIER
538 )
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]539
540
541@pytest.mark.requires_backend_interface(interface=RSABackend)
542@pytest.mark.requires_backend_interface(interface=X509Backend)
543class TestKeyUsageExtension(object):
544 def test_no_key_usage(self, backend):
545 cert = _load_cert(
546 os.path.join("x509", "verisign_md2_root.pem"),
547 x509.load_pem_x509_certificate,
548 backend
549 )
550 ext = cert.extensions
551 with pytest.raises(x509.ExtensionNotFound) as exc:
552 ext.get_extension_for_oid(x509.OID_KEY_USAGE)
553
554 assert exc.value.oid == x509.OID_KEY_USAGE
555
556 def test_all_purposes(self, backend):
557 cert = _load_cert(
558 os.path.join(
559 "x509", "custom", "all_key_usages.pem"
560 ),
561 x509.load_pem_x509_certificate,
562 backend
563 )
564 extensions = cert.extensions
565 ext = extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
566 assert ext is not None
567
568 ku = ext.value
569 assert ku.digital_signature is True
570 assert ku.content_commitment is True
571 assert ku.key_encipherment is True
572 assert ku.data_encipherment is True
573 assert ku.key_agreement is True
574 assert ku.key_cert_sign is True
575 assert ku.crl_sign is True
576 assert ku.encipher_only is True
577 assert ku.decipher_only is True
578
579 def test_key_cert_sign_crl_sign(self, backend):
580 cert = _load_cert(
581 os.path.join(
582 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
583 ),
584 x509.load_der_x509_certificate,
585 backend
586 )
587 ext = cert.extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
588 assert ext is not None
589 assert ext.critical is True
590
591 ku = ext.value
592 assert ku.digital_signature is False
593 assert ku.content_commitment is False
594 assert ku.key_encipherment is False
595 assert ku.data_encipherment is False
596 assert ku.key_agreement is False
597 assert ku.key_cert_sign is True
598 assert ku.crl_sign is True
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]599
600
601@pytest.mark.parametrize(
602 "name", [
603 x509.RFC822Name,
604 x509.DNSName,
605 x509.UniformResourceIdentifier
606 ]
607)
608class TestTextGeneralNames(object):
609 def test_not_text(self, name):
610 with pytest.raises(TypeError):
611 name(b"notaunicodestring")
612
613 with pytest.raises(TypeError):
614 name(1.3)
615
616 def test_repr(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]617 gn = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]618 assert repr(gn) == "<{0}(value=string)>".format(name.__name__)
619
620 def test_eq(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]621 gn = name(u"string")
622 gn2 = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]623 assert gn == gn2
624
625 def test_ne(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]626 gn = name(u"string")
627 gn2 = name(u"string2")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]628 assert gn != gn2
629 assert gn != object()
630
631
632class TestDirectoryName(object):
633 def test_not_name(self):
634 with pytest.raises(TypeError):
635 x509.DirectoryName(b"notaname")
636
637 with pytest.raises(TypeError):
638 x509.DirectoryName(1.3)
639
640 def test_repr(self):
641 name = x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'value1')])
642 gn = x509.DirectoryName(x509.Name([name]))
643 assert repr(gn) == (
644 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<ObjectIden"
645 "tifier(oid=2.5.4.3, name=commonName)>, value='value1')>])>])>)>"
646 )
647
648 def test_eq(self):
649 name = x509.Name([
650 x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1')
651 ])
652 name2 = x509.Name([
653 x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1')
654 ])
655 gn = x509.DirectoryName(x509.Name([name]))
656 gn2 = x509.DirectoryName(x509.Name([name2]))
657 assert gn == gn2
658
659 def test_ne(self):
660 name = x509.Name([
661 x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1')
662 ])
663 name2 = x509.Name([
664 x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value2')
665 ])
666 gn = x509.DirectoryName(x509.Name([name]))
667 gn2 = x509.DirectoryName(x509.Name([name2]))
668 assert gn != gn2
669 assert gn != object()
670
671
672class TestRegisteredID(object):
673 def test_not_oid(self):
674 with pytest.raises(TypeError):
675 x509.RegisteredID(b"notanoid")
676
677 with pytest.raises(TypeError):
678 x509.RegisteredID(1.3)
679
680 def test_repr(self):
681 gn = x509.RegisteredID(x509.OID_COMMON_NAME)
682 assert repr(gn) == (
683 "<RegisteredID(value=<ObjectIdentifier(oid=2.5.4.3, name=commonNam"
684 "e)>)>"
685 )
686
687 def test_eq(self):
688 gn = x509.RegisteredID(x509.OID_COMMON_NAME)
689 gn2 = x509.RegisteredID(x509.OID_COMMON_NAME)
690 assert gn == gn2
691
692 def test_ne(self):
693 gn = x509.RegisteredID(x509.OID_COMMON_NAME)
694 gn2 = x509.RegisteredID(x509.OID_BASIC_CONSTRAINTS)
695 assert gn != gn2
696 assert gn != object()
697
698
699class TestIPAddress(object):
700 def test_not_ipaddress(self):
701 with pytest.raises(TypeError):
702 x509.IPAddress(b"notanipaddress")
703
704 with pytest.raises(TypeError):
705 x509.IPAddress(1.3)
706
707 def test_repr(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]708 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]709 assert repr(gn) == "<IPAddress(value=127.0.0.1)>"
710
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]711 gn2 = x509.IPAddress(ipaddress.IPv6Address(u"ff::"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]712 assert repr(gn2) == "<IPAddress(value=ff::)>"
713
714 def test_eq(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]715 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
716 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]717 assert gn == gn2
718
719 def test_ne(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]720 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
721 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.2"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]722 assert gn != gn2
723 assert gn != object()
724
725
726class TestSubjectAlternativeName(object):
727 def test_get_values_for_type(self):
728 san = x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]729 [x509.DNSName(u"cryptography.io")]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]730 )
731 names = san.get_values_for_type(x509.DNSName)
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]732 assert names == [u"cryptography.io"]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]733
734 def test_iter_names(self):
735 san = x509.SubjectAlternativeName([
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]736 x509.DNSName(u"cryptography.io"),
737 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]738 ])
739 assert len(san) == 2
740 assert list(san) == [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]741 x509.DNSName(u"cryptography.io"),
742 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]743 ]
744
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]745 def test_invalid_general_names(self):
746 with pytest.raises(TypeError):
747 x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]748 [x509.DNSName(u"cryptography.io"), "invalid"]
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]749 )
750
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]751 def test_repr(self):
752 san = x509.SubjectAlternativeName(
753 [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]754 x509.DNSName(u"cryptography.io")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]755 ]
756 )
757 assert repr(san) == (
758 "<SubjectAlternativeName([<DNSName(value=cryptography.io)>])>"
759 )
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]760
761
762@pytest.mark.requires_backend_interface(interface=RSABackend)
763@pytest.mark.requires_backend_interface(interface=X509Backend)
764class TestRSASubjectAlternativeNameExtension(object):
765 def test_dns_name(self, backend):
766 cert = _load_cert(
767 os.path.join("x509", "cryptography.io.pem"),
768 x509.load_pem_x509_certificate,
769 backend
770 )
771 ext = cert.extensions.get_extension_for_oid(
772 x509.OID_SUBJECT_ALTERNATIVE_NAME
773 )
774 assert ext is not None
775 assert ext.critical is False
776
777 san = ext.value
778
779 dns = san.get_values_for_type(x509.DNSName)
780 assert dns == [u"www.cryptography.io", u"cryptography.io"]
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]781
782 def test_unsupported_other_name(self, backend):
783 cert = _load_cert(
784 os.path.join(
785 "x509", "custom", "san_other_name.pem"
786 ),
787 x509.load_pem_x509_certificate,
788 backend
789 )
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]790 with pytest.raises(x509.UnsupportedGeneralNameType) as exc:
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]791 cert.extensions
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]792
Paul Kehrer0a621bf2015-04-22 09:22:56 -0500[diff] [blame]793 assert exc.value.type == 0
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]794
795 def test_registered_id(self, backend):
796 cert = _load_cert(
797 os.path.join(
798 "x509", "custom", "san_registered_id.pem"
799 ),
800 x509.load_pem_x509_certificate,
801 backend
802 )
803 ext = cert.extensions.get_extension_for_oid(
804 x509.OID_SUBJECT_ALTERNATIVE_NAME
805 )
806 assert ext is not None
807 assert ext.critical is False
808
809 san = ext.value
810 rid = san.get_values_for_type(x509.RegisteredID)
811 assert rid == [x509.ObjectIdentifier("1.2.3.4")]
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]812
813 def test_uri(self, backend):
814 cert = _load_cert(
815 os.path.join(
816 "x509", "custom", "san_uri_with_port.pem"
817 ),
818 x509.load_pem_x509_certificate,
819 backend
820 )
821 ext = cert.extensions.get_extension_for_oid(
822 x509.OID_SUBJECT_ALTERNATIVE_NAME
823 )
824 assert ext is not None
825 uri = ext.value.get_values_for_type(
826 x509.UniformResourceIdentifier
827 )
828 assert uri == [
829 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/path?q=s#hel"
830 u"lo",
831 u"http://someregulardomain.com",
832 ]
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]833
834 def test_ipaddress(self, backend):
835 cert = _load_cert(
836 os.path.join(
837 "x509", "custom", "san_ipaddr.pem"
838 ),
839 x509.load_pem_x509_certificate,
840 backend
841 )
842 ext = cert.extensions.get_extension_for_oid(
843 x509.OID_SUBJECT_ALTERNATIVE_NAME
844 )
845 assert ext is not None
846 assert ext.critical is False
847
848 san = ext.value
849
850 ip = san.get_values_for_type(x509.IPAddress)
851 assert [
852 ipaddress.ip_address(u"127.0.0.1"),
853 ipaddress.ip_address(u"ff::")
854 ] == ip
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]855
856 def test_dirname(self, backend):
857 cert = _load_cert(
858 os.path.join(
859 "x509", "custom", "san_dirname.pem"
860 ),
861 x509.load_pem_x509_certificate,
862 backend
863 )
864 ext = cert.extensions.get_extension_for_oid(
865 x509.OID_SUBJECT_ALTERNATIVE_NAME
866 )
867 assert ext is not None
868 assert ext.critical is False
869
870 san = ext.value
871
872 dirname = san.get_values_for_type(x509.DirectoryName)
873 assert [
874 x509.Name([
875 x509.NameAttribute(x509.OID_COMMON_NAME, 'test'),
876 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'Org'),
877 x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'),
878 ])
879 ] == dirname
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]880
881 def test_rfc822name(self, backend):
882 cert = _load_cert(
883 os.path.join(
884 "x509", "custom", "san_rfc822_idna.pem"
885 ),
886 x509.load_pem_x509_certificate,
887 backend
888 )
889 ext = cert.extensions.get_extension_for_oid(
890 x509.OID_SUBJECT_ALTERNATIVE_NAME
891 )
892 assert ext is not None
893 assert ext.critical is False
894
895 san = ext.value
896
897 rfc822name = san.get_values_for_type(x509.RFC822Name)
898 assert [u"email@em\xe5\xefl.com"] == rfc822name
899
900 def test_unicode_rfc822_name_dns_name_uri(self, backend):
901 cert = _load_cert(
902 os.path.join(
903 "x509", "custom", "san_idna_names.pem"
904 ),
905 x509.load_pem_x509_certificate,
906 backend
907 )
908 ext = cert.extensions.get_extension_for_oid(
909 x509.OID_SUBJECT_ALTERNATIVE_NAME
910 )
911 assert ext is not None
912 rfc822_name = ext.value.get_values_for_type(x509.RFC822Name)
913 dns_name = ext.value.get_values_for_type(x509.DNSName)
914 uri = ext.value.get_values_for_type(x509.UniformResourceIdentifier)
915 assert rfc822_name == [u"email@\u043f\u044b\u043a\u0430.cryptography"]
916 assert dns_name == [u"\u043f\u044b\u043a\u0430.cryptography"]
917 assert uri == [u"https://www.\u043f\u044b\u043a\u0430.cryptography"]
918
919 def test_rfc822name_dnsname_ipaddress_directoryname_uri(self, backend):
920 cert = _load_cert(
921 os.path.join(
922 "x509", "custom", "san_email_dns_ip_dirname_uri.pem"
923 ),
924 x509.load_pem_x509_certificate,
925 backend
926 )
927 ext = cert.extensions.get_extension_for_oid(
928 x509.OID_SUBJECT_ALTERNATIVE_NAME
929 )
930 assert ext is not None
931 assert ext.critical is False
932
933 san = ext.value
934
935 rfc822_name = san.get_values_for_type(x509.RFC822Name)
936 uri = san.get_values_for_type(x509.UniformResourceIdentifier)
937 dns = san.get_values_for_type(x509.DNSName)
938 ip = san.get_values_for_type(x509.IPAddress)
939 dirname = san.get_values_for_type(x509.DirectoryName)
940 assert [u"user@cryptography.io"] == rfc822_name
Paul Kehrere3a330c2015-05-02 16:42:52 -0500[diff] [blame]941 assert [u"https://cryptography.io"] == uri
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]942 assert [u"cryptography.io"] == dns
943 assert [
944 x509.Name([
945 x509.NameAttribute(x509.OID_COMMON_NAME, 'dirCN'),
946 x509.NameAttribute(
947 x509.OID_ORGANIZATION_NAME, 'Cryptographic Authority'
948 ),
949 ])
950 ] == dirname
951 assert [
952 ipaddress.ip_address(u"127.0.0.1"),
953 ipaddress.ip_address(u"ff::")
954 ] == ip
955
956 def test_invalid_rfc822name(self, backend):
957 cert = _load_cert(
958 os.path.join(
959 "x509", "custom", "san_rfc822_names.pem"
960 ),
961 x509.load_pem_x509_certificate,
962 backend
963 )
964 with pytest.raises(ValueError) as exc:
965 cert.extensions
966
967 assert 'Invalid rfc822name value' in str(exc.value)
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]968
969
970@pytest.mark.requires_backend_interface(interface=RSABackend)
971@pytest.mark.requires_backend_interface(interface=X509Backend)
972class TestExtendedKeyUsageExtension(object):
973 def test_eku(self, backend):
974 cert = _load_cert(
975 os.path.join(
976 "x509", "custom", "extended_key_usage.pem"
977 ),
978 x509.load_pem_x509_certificate,
979 backend
980 )
981 ext = cert.extensions.get_extension_for_oid(
982 x509.OID_EXTENDED_KEY_USAGE
983 )
984 assert ext is not None
985 assert ext.critical is False
986
987 assert [
988 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
989 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
990 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.3"),
991 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.4"),
992 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.9"),
993 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.8"),
994 x509.ObjectIdentifier("2.5.29.37.0"),
995 x509.ObjectIdentifier("2.16.840.1.113730.4.1"),
996 ] == list(ext.value)
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]997
998
999class TestAccessDescription(object):
1000 def test_invalid_access_method(self):
Paul Kehrerf506bca2015-05-02 22:31:47 -0500[diff] [blame]1001 with pytest.raises(ValueError):
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1002 x509.AccessDescription("notanoid", x509.DNSName(u"test"))
1003
1004 def test_invalid_access_location(self):
1005 with pytest.raises(TypeError):
1006 x509.AccessDescription(x509.OID_CA_ISSUERS, "invalid")
1007
1008 def test_repr(self):
1009 ad = x509.AccessDescription(
1010 x509.OID_OCSP,
1011 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1012 )
1013 assert repr(ad) == (
1014 "<AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5."
1015 "5.7.48.1, name=OCSP)>, access_location=<UniformResourceIdentifier"
1016 "(value=http://ocsp.domain.com)>)>"
1017 )
1018
1019 def test_eq(self):
1020 ad = x509.AccessDescription(
1021 x509.OID_OCSP,
1022 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1023 )
1024 ad2 = x509.AccessDescription(
1025 x509.OID_OCSP,
1026 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1027 )
1028 assert ad == ad2
1029
1030 def test_ne(self):
1031 ad = x509.AccessDescription(
1032 x509.OID_OCSP,
1033 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1034 )
1035 ad2 = x509.AccessDescription(
1036 x509.OID_CA_ISSUERS,
1037 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1038 )
1039 ad3 = x509.AccessDescription(
1040 x509.OID_OCSP,
1041 x509.UniformResourceIdentifier(u"http://notthesame")
1042 )
1043 assert ad != ad2
1044 assert ad != ad3
1045 assert ad != object()
1046
1047
1048class TestAuthorityInformationAccess(object):
1049 def test_invalid_descriptions(self):
1050 with pytest.raises(TypeError):
1051 x509.AuthorityInformationAccess(["notanAccessDescription"])
1052
1053 def test_iter_len(self):
1054 aia = x509.AuthorityInformationAccess([
1055 x509.AccessDescription(
1056 x509.OID_OCSP,
1057 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1058 ),
1059 x509.AccessDescription(
1060 x509.OID_CA_ISSUERS,
1061 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1062 )
1063 ])
1064 assert len(aia) == 2
1065 assert list(aia) == [
1066 x509.AccessDescription(
1067 x509.OID_OCSP,
1068 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1069 ),
1070 x509.AccessDescription(
1071 x509.OID_CA_ISSUERS,
1072 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1073 )
1074 ]
1075
1076 def test_repr(self):
1077 aia = x509.AuthorityInformationAccess([
1078 x509.AccessDescription(
1079 x509.OID_OCSP,
1080 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1081 ),
1082 x509.AccessDescription(
1083 x509.OID_CA_ISSUERS,
1084 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1085 )
1086 ])
1087 assert repr(aia) == (
1088 "<AuthorityInformationAccess([<AccessDescription(access_method=<Ob"
1089 "jectIdentifier(oid=1.3.6.1.5.5.7.48.1, name=OCSP)>, access_locati"
1090 "on=<UniformResourceIdentifier(value=http://ocsp.domain.com)>)>, <"
1091 "AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5.5"
1092 ".7.48.2, name=caIssuers)>, access_location=<UniformResourceIdenti"
1093 "fier(value=http://domain.com/ca.crt)>)>])>"
1094 )
1095
1096 def test_eq(self):
1097 aia = x509.AuthorityInformationAccess([
1098 x509.AccessDescription(
1099 x509.OID_OCSP,
1100 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1101 ),
1102 x509.AccessDescription(
1103 x509.OID_CA_ISSUERS,
1104 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1105 )
1106 ])
1107 aia2 = x509.AuthorityInformationAccess([
1108 x509.AccessDescription(
1109 x509.OID_OCSP,
1110 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1111 ),
1112 x509.AccessDescription(
1113 x509.OID_CA_ISSUERS,
1114 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1115 )
1116 ])
1117 assert aia == aia2
1118
1119 def test_ne(self):
1120 aia = x509.AuthorityInformationAccess([
1121 x509.AccessDescription(
1122 x509.OID_OCSP,
1123 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1124 ),
1125 x509.AccessDescription(
1126 x509.OID_CA_ISSUERS,
1127 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1128 )
1129 ])
1130 aia2 = x509.AuthorityInformationAccess([
1131 x509.AccessDescription(
1132 x509.OID_OCSP,
1133 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1134 ),
1135 ])
1136
1137 assert aia != aia2
1138 assert aia != object()
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]1139
1140
1141@pytest.mark.requires_backend_interface(interface=RSABackend)
1142@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]1143class TestAuthorityInformationAccessExtension(object):
1144 def test_aia_ocsp_ca_issuers(self, backend):
1145 cert = _load_cert(
1146 os.path.join("x509", "cryptography.io.pem"),
1147 x509.load_pem_x509_certificate,
1148 backend
1149 )
1150 ext = cert.extensions.get_extension_for_oid(
1151 x509.OID_AUTHORITY_INFORMATION_ACCESS
1152 )
1153 assert ext is not None
1154 assert ext.critical is False
1155
1156 assert ext.value == x509.AuthorityInformationAccess([
1157 x509.AccessDescription(
1158 x509.OID_OCSP,
1159 x509.UniformResourceIdentifier(u"http://gv.symcd.com")
1160 ),
1161 x509.AccessDescription(
1162 x509.OID_CA_ISSUERS,
1163 x509.UniformResourceIdentifier(u"http://gv.symcb.com/gv.crt")
1164 ),
1165 ])
1166
1167 def test_aia_multiple_ocsp_ca_issuers(self, backend):
1168 cert = _load_cert(
1169 os.path.join("x509", "custom", "aia_ocsp_ca_issuers.pem"),
1170 x509.load_pem_x509_certificate,
1171 backend
1172 )
1173 ext = cert.extensions.get_extension_for_oid(
1174 x509.OID_AUTHORITY_INFORMATION_ACCESS
1175 )
1176 assert ext is not None
1177 assert ext.critical is False
1178
1179 assert ext.value == x509.AuthorityInformationAccess([
1180 x509.AccessDescription(
1181 x509.OID_OCSP,
1182 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1183 ),
1184 x509.AccessDescription(
1185 x509.OID_OCSP,
1186 x509.UniformResourceIdentifier(u"http://ocsp2.domain.com")
1187 ),
1188 x509.AccessDescription(
1189 x509.OID_CA_ISSUERS,
1190 x509.DirectoryName(x509.Name([
1191 x509.NameAttribute(x509.OID_COMMON_NAME, "myCN"),
1192 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, "some Org"),
1193 ]))
1194 ),
1195 ])
1196
1197 def test_aia_ocsp_only(self, backend):
1198 cert = _load_cert(
1199 os.path.join("x509", "custom", "aia_ocsp.pem"),
1200 x509.load_pem_x509_certificate,
1201 backend
1202 )
1203 ext = cert.extensions.get_extension_for_oid(
1204 x509.OID_AUTHORITY_INFORMATION_ACCESS
1205 )
1206 assert ext is not None
1207 assert ext.critical is False
1208
1209 assert ext.value == x509.AuthorityInformationAccess([
1210 x509.AccessDescription(
1211 x509.OID_OCSP,
1212 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1213 ),
1214 ])
1215
1216 def test_aia_ca_issuers_only(self, backend):
1217 cert = _load_cert(
1218 os.path.join("x509", "custom", "aia_ca_issuers.pem"),
1219 x509.load_pem_x509_certificate,
1220 backend
1221 )
1222 ext = cert.extensions.get_extension_for_oid(
1223 x509.OID_AUTHORITY_INFORMATION_ACCESS
1224 )
1225 assert ext is not None
1226 assert ext.critical is False
1227
1228 assert ext.value == x509.AuthorityInformationAccess([
1229 x509.AccessDescription(
1230 x509.OID_CA_ISSUERS,
1231 x509.DirectoryName(x509.Name([
1232 x509.NameAttribute(x509.OID_COMMON_NAME, "myCN"),
1233 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, "some Org"),
1234 ]))
1235 ),
1236 ])
1237
1238
1239@pytest.mark.requires_backend_interface(interface=RSABackend)
1240@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]1241class TestAuthorityKeyIdentifierExtension(object):
1242 def test_aki_keyid(self, backend):
1243 cert = _load_cert(
1244 os.path.join(
1245 "x509", "cryptography.io.pem"
1246 ),
1247 x509.load_pem_x509_certificate,
1248 backend
1249 )
1250 ext = cert.extensions.get_extension_for_oid(
1251 x509.OID_AUTHORITY_KEY_IDENTIFIER
1252 )
1253 assert ext is not None
1254 assert ext.critical is False
1255
1256 assert ext.value.key_identifier == (
1257 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08\xcbY"
1258 )
1259 assert ext.value.authority_cert_issuer is None
1260 assert ext.value.authority_cert_serial_number is None
1261
1262 def test_aki_all_fields(self, backend):
1263 cert = _load_cert(
1264 os.path.join(
1265 "x509", "custom", "authority_key_identifier.pem"
1266 ),
1267 x509.load_pem_x509_certificate,
1268 backend
1269 )
1270 ext = cert.extensions.get_extension_for_oid(
1271 x509.OID_AUTHORITY_KEY_IDENTIFIER
1272 )
1273 assert ext is not None
1274 assert ext.critical is False
1275
1276 assert ext.value.key_identifier == (
1277 b"9E>\xca=b\x1d\xea\x86I\xf6Z\xab@\xb7\xa4p\x98\xf1\xec"
1278 )
1279 assert ext.value.authority_cert_issuer == [
1280 x509.DirectoryName(
1281 x509.Name([
1282 x509.NameAttribute(
1283 x509.OID_ORGANIZATION_NAME, u"PyCA"
1284 ),
1285 x509.NameAttribute(
1286 x509.OID_COMMON_NAME, u"cryptography.io"
1287 )
1288 ])
1289 )
1290 ]
1291 assert ext.value.authority_cert_serial_number == 3
1292
1293 def test_aki_no_keyid(self, backend):
1294 cert = _load_cert(
1295 os.path.join(
1296 "x509", "custom", "authority_key_identifier_no_keyid.pem"
1297 ),
1298 x509.load_pem_x509_certificate,
1299 backend
1300 )
1301 ext = cert.extensions.get_extension_for_oid(
1302 x509.OID_AUTHORITY_KEY_IDENTIFIER
1303 )
1304 assert ext is not None
1305 assert ext.critical is False
1306
1307 assert ext.value.key_identifier is None
1308 assert ext.value.authority_cert_issuer == [
1309 x509.DirectoryName(
1310 x509.Name([
1311 x509.NameAttribute(
1312 x509.OID_ORGANIZATION_NAME, u"PyCA"
1313 ),
1314 x509.NameAttribute(
1315 x509.OID_COMMON_NAME, u"cryptography.io"
1316 )
1317 ])
1318 )
1319 ]
1320 assert ext.value.authority_cert_serial_number == 3