blob: 037512a499c2093784af35f64e0db0243943687f [file] [log] [blame]
Paul Kehrer8cf26422015-03-21 09:50:24 -05001# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer1eb82a62015-03-31 20:00:33 -05007import binascii
Paul Kehrer31bdf792015-03-25 14:11:00 -05008import ipaddress
Paul Kehrerfbb7ac82015-03-16 19:26:29 -05009import os
10
Paul Kehrer8cf26422015-03-21 09:50:24 -050011import pytest
12
Paul Kehrercbfb1012015-04-10 20:57:20 -040013import six
14
Paul Kehrer8cf26422015-03-21 09:50:24 -050015from cryptography import x509
Paul Kehrerf22f6122015-08-05 12:57:13 +010016from cryptography.hazmat.backends.interfaces import (
17 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
18)
19from cryptography.hazmat.primitives.asymmetric import ec
Paul Kehrer9e102db2015-08-10 21:53:09 -050020from cryptography.x509.oid import (
Nick Bastin326fc8e2015-12-12 19:08:12 -080021 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID,
22 NameOID, ObjectIdentifier
Paul Kehrer9e102db2015-08-10 21:53:09 -050023)
Paul Kehrerfbb7ac82015-03-16 19:26:29 -050024
Paul Kehrerf22f6122015-08-05 12:57:13 +010025from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrerfbb7ac82015-03-16 19:26:29 -050026from .test_x509 import _load_cert
Paul Kehrer8cf26422015-03-21 09:50:24 -050027
28
Paul Kehrer85894662015-03-22 13:19:31 -050029class TestExtension(object):
30 def test_not_an_oid(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -050031 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -050032 with pytest.raises(TypeError):
33 x509.Extension("notanoid", True, bc)
34
35 def test_critical_not_a_bool(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -050036 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -050037 with pytest.raises(TypeError):
Paul Kehrerd44e4132015-08-10 19:13:13 -050038 x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, "notabool", bc)
Paul Kehrer85894662015-03-22 13:19:31 -050039
40 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -050041 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrerd44e4132015-08-10 19:13:13 -050042 ext = x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, True, bc)
Paul Kehrer85894662015-03-22 13:19:31 -050043 assert repr(ext) == (
44 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConst"
45 "raints)>, critical=True, value=<BasicConstraints(ca=False, path"
46 "_length=None)>)>"
47 )
48
Paul Kehrer58e870c2015-05-17 09:15:30 -070049 def test_eq(self):
50 ext1 = x509.Extension(
51 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
52 )
53 ext2 = x509.Extension(
54 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
55 )
56 assert ext1 == ext2
57
58 def test_ne(self):
59 ext1 = x509.Extension(
60 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
61 )
62 ext2 = x509.Extension(
63 x509.ObjectIdentifier('1.2.3.5'), False, 'value'
64 )
65 ext3 = x509.Extension(
66 x509.ObjectIdentifier('1.2.3.4'), True, 'value'
67 )
68 ext4 = x509.Extension(
69 x509.ObjectIdentifier('1.2.3.4'), False, 'value4'
70 )
71 assert ext1 != ext2
72 assert ext1 != ext3
73 assert ext1 != ext4
74 assert ext1 != object()
75
Paul Kehrer85894662015-03-22 13:19:31 -050076
Paul Kehrer49bb7562015-12-25 16:17:40 -060077class TestCertificateIssuer(object):
78 def test_iter_names(self):
79 ci = x509.CertificateIssuer([
80 x509.DNSName(u"cryptography.io"),
81 x509.DNSName(u"crypto.local"),
82 ])
83 assert len(ci) == 2
84 assert list(ci) == [
85 x509.DNSName(u"cryptography.io"),
86 x509.DNSName(u"crypto.local"),
87 ]
88
89 def test_eq(self):
90 ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
91 ci2 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
92 assert ci1 == ci2
93
94 def test_ne(self):
95 ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
96 ci2 = x509.CertificateIssuer([x509.DNSName(u"somethingelse.tld")])
97 assert ci1 != ci2
98 assert ci1 != object()
99
100 def test_repr(self):
101 ci = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
102 assert repr(ci) == (
103 "<CertificateIssuer(<GeneralNames([<DNSName(value=cryptography.io"
104 ")>])>)>"
105 )
106
107 def test_get_values_for_type(self):
108 ci = x509.CertificateIssuer(
109 [x509.DNSName(u"cryptography.io")]
110 )
111 names = ci.get_values_for_type(x509.DNSName)
112 assert names == [u"cryptography.io"]
113
114
Paul Kehrer2b622582015-04-15 11:04:29 -0400115class TestNoticeReference(object):
116 def test_notice_numbers_not_all_int(self):
117 with pytest.raises(TypeError):
118 x509.NoticeReference("org", [1, 2, "three"])
119
120 def test_notice_numbers_none(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500121 with pytest.raises(TypeError):
122 x509.NoticeReference("org", None)
Paul Kehrer2b622582015-04-15 11:04:29 -0400123
124 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500125 nr = x509.NoticeReference(u"org", [1, 3, 4])
Paul Kehrer2b622582015-04-15 11:04:29 -0400126
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500127 if six.PY3:
128 assert repr(nr) == (
129 "<NoticeReference(organization='org', notice_numbers=[1, 3, 4"
130 "])>"
131 )
132 else:
133 assert repr(nr) == (
134 "<NoticeReference(organization=u'org', notice_numbers=[1, 3, "
135 "4])>"
136 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400137
Paul Kehrerc56ab622015-05-03 09:56:31 -0500138 def test_eq(self):
139 nr = x509.NoticeReference("org", [1, 2])
140 nr2 = x509.NoticeReference("org", [1, 2])
141 assert nr == nr2
142
143 def test_ne(self):
144 nr = x509.NoticeReference("org", [1, 2])
145 nr2 = x509.NoticeReference("org", [1])
146 nr3 = x509.NoticeReference(None, [1, 2])
147 assert nr != nr2
148 assert nr != nr3
149 assert nr != object()
150
Paul Kehrer2b622582015-04-15 11:04:29 -0400151
152class TestUserNotice(object):
153 def test_notice_reference_invalid(self):
154 with pytest.raises(TypeError):
155 x509.UserNotice("invalid", None)
156
157 def test_notice_reference_none(self):
158 un = x509.UserNotice(None, "text")
159 assert un.notice_reference is None
160 assert un.explicit_text == "text"
161
162 def test_repr(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500163 un = x509.UserNotice(x509.NoticeReference(u"org", [1]), u"text")
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500164 if six.PY3:
165 assert repr(un) == (
166 "<UserNotice(notice_reference=<NoticeReference(organization='"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500167 "org', notice_numbers=[1])>, explicit_text='text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500168 )
169 else:
170 assert repr(un) == (
171 "<UserNotice(notice_reference=<NoticeReference(organization=u"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500172 "'org', notice_numbers=[1])>, explicit_text=u'text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500173 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400174
Paul Kehrerc56ab622015-05-03 09:56:31 -0500175 def test_eq(self):
176 nr = x509.NoticeReference("org", [1, 2])
177 nr2 = x509.NoticeReference("org", [1, 2])
178 un = x509.UserNotice(nr, "text")
179 un2 = x509.UserNotice(nr2, "text")
180 assert un == un2
181
182 def test_ne(self):
183 nr = x509.NoticeReference("org", [1, 2])
184 nr2 = x509.NoticeReference("org", [1])
185 un = x509.UserNotice(nr, "text")
186 un2 = x509.UserNotice(nr2, "text")
187 un3 = x509.UserNotice(nr, "text3")
188 assert un != un2
189 assert un != un3
190 assert un != object()
191
Paul Kehrer2b622582015-04-15 11:04:29 -0400192
Paul Kehrer2b622582015-04-15 11:04:29 -0400193class TestPolicyInformation(object):
194 def test_invalid_policy_identifier(self):
195 with pytest.raises(TypeError):
196 x509.PolicyInformation("notanoid", None)
197
198 def test_none_policy_qualifiers(self):
199 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), None)
200 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
201 assert pi.policy_qualifiers is None
202
203 def test_policy_qualifiers(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500204 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400205 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
206 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
207 assert pi.policy_qualifiers == pq
208
209 def test_invalid_policy_identifiers(self):
210 with pytest.raises(TypeError):
211 x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [1, 2])
212
213 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500214 pq = [u"string", x509.UserNotice(None, u"hi")]
Paul Kehrer2b622582015-04-15 11:04:29 -0400215 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500216 if six.PY3:
217 assert repr(pi) == (
218 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
219 "2.3, name=Unknown OID)>, policy_qualifiers=['string', <UserNo"
Paul Kehrer9aaef9e2015-05-11 10:49:20 -0500220 "tice(notice_reference=None, explicit_text='hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500221 )
222 else:
223 assert repr(pi) == (
224 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
225 "2.3, name=Unknown OID)>, policy_qualifiers=[u'string', <UserN"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500226 "otice(notice_reference=None, explicit_text=u'hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500227 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400228
Paul Kehrerc56ab622015-05-03 09:56:31 -0500229 def test_eq(self):
230 pi = x509.PolicyInformation(
231 x509.ObjectIdentifier("1.2.3"),
232 [u"string", x509.UserNotice(None, u"hi")]
233 )
234 pi2 = x509.PolicyInformation(
235 x509.ObjectIdentifier("1.2.3"),
236 [u"string", x509.UserNotice(None, u"hi")]
237 )
238 assert pi == pi2
239
240 def test_ne(self):
241 pi = x509.PolicyInformation(
242 x509.ObjectIdentifier("1.2.3"), [u"string"]
243 )
244 pi2 = x509.PolicyInformation(
245 x509.ObjectIdentifier("1.2.3"), [u"string2"]
246 )
247 pi3 = x509.PolicyInformation(
248 x509.ObjectIdentifier("1.2.3.4"), [u"string"]
249 )
250 assert pi != pi2
251 assert pi != pi3
252 assert pi != object()
253
Paul Kehrer2b622582015-04-15 11:04:29 -0400254
255class TestCertificatePolicies(object):
256 def test_invalid_policies(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500257 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400258 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
259 with pytest.raises(TypeError):
260 x509.CertificatePolicies([1, pi])
261
262 def test_iter_len(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500263 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400264 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
265 cp = x509.CertificatePolicies([pi])
266 assert len(cp) == 1
267 for policyinfo in cp:
268 assert policyinfo == pi
269
270 def test_repr(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500271 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400272 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
273 cp = x509.CertificatePolicies([pi])
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500274 if six.PY3:
275 assert repr(cp) == (
276 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
277 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
278 "ers=['string'])>])>"
279 )
280 else:
281 assert repr(cp) == (
282 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
283 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
284 "ers=[u'string'])>])>"
285 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400286
Paul Kehrerc56ab622015-05-03 09:56:31 -0500287 def test_eq(self):
288 pi = x509.PolicyInformation(
289 x509.ObjectIdentifier("1.2.3"), [u"string"]
290 )
291 cp = x509.CertificatePolicies([pi])
292 pi2 = x509.PolicyInformation(
293 x509.ObjectIdentifier("1.2.3"), [u"string"]
294 )
295 cp2 = x509.CertificatePolicies([pi2])
296 assert cp == cp2
297
298 def test_ne(self):
299 pi = x509.PolicyInformation(
300 x509.ObjectIdentifier("1.2.3"), [u"string"]
301 )
302 cp = x509.CertificatePolicies([pi])
303 pi2 = x509.PolicyInformation(
304 x509.ObjectIdentifier("1.2.3"), [u"string2"]
305 )
306 cp2 = x509.CertificatePolicies([pi2])
307 assert cp != cp2
308 assert cp != object()
309
Paul Kehrer2b622582015-04-15 11:04:29 -0400310
Paul Kehrer11026fe2015-05-12 11:23:56 -0500311@pytest.mark.requires_backend_interface(interface=RSABackend)
312@pytest.mark.requires_backend_interface(interface=X509Backend)
313class TestCertificatePoliciesExtension(object):
314 def test_cps_uri_policy_qualifier(self, backend):
315 cert = _load_cert(
316 os.path.join("x509", "custom", "cp_cps_uri.pem"),
317 x509.load_pem_x509_certificate,
318 backend
319 )
320
321 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500322 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500323 ).value
324
325 assert cp == x509.CertificatePolicies([
326 x509.PolicyInformation(
327 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
328 [u"http://other.com/cps"]
329 )
330 ])
331
332 def test_user_notice_with_notice_reference(self, backend):
333 cert = _load_cert(
334 os.path.join(
335 "x509", "custom", "cp_user_notice_with_notice_reference.pem"
336 ),
337 x509.load_pem_x509_certificate,
338 backend
339 )
340
341 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500342 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500343 ).value
344
345 assert cp == x509.CertificatePolicies([
346 x509.PolicyInformation(
347 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
348 [
349 u"http://example.com/cps",
350 u"http://other.com/cps",
351 x509.UserNotice(
352 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
353 u"thing"
354 )
355 ]
356 )
357 ])
358
359 def test_user_notice_with_explicit_text(self, backend):
360 cert = _load_cert(
361 os.path.join(
362 "x509", "custom", "cp_user_notice_with_explicit_text.pem"
363 ),
364 x509.load_pem_x509_certificate,
365 backend
366 )
367
368 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500369 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500370 ).value
371
372 assert cp == x509.CertificatePolicies([
373 x509.PolicyInformation(
374 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
375 [x509.UserNotice(None, u"thing")]
376 )
377 ])
378
379 def test_user_notice_no_explicit_text(self, backend):
380 cert = _load_cert(
381 os.path.join(
382 "x509", "custom", "cp_user_notice_no_explicit_text.pem"
383 ),
384 x509.load_pem_x509_certificate,
385 backend
386 )
387
388 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500389 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500390 ).value
391
392 assert cp == x509.CertificatePolicies([
393 x509.PolicyInformation(
394 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
395 [
396 x509.UserNotice(
397 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
398 None
399 )
400 ]
401 )
402 ])
403
404
Paul Kehrercecbbba2015-03-30 14:58:38 -0500405class TestKeyUsage(object):
406 def test_key_agreement_false_encipher_decipher_true(self):
407 with pytest.raises(ValueError):
408 x509.KeyUsage(
409 digital_signature=False,
410 content_commitment=False,
411 key_encipherment=False,
412 data_encipherment=False,
413 key_agreement=False,
414 key_cert_sign=False,
415 crl_sign=False,
416 encipher_only=True,
417 decipher_only=False
418 )
419
420 with pytest.raises(ValueError):
421 x509.KeyUsage(
422 digital_signature=False,
423 content_commitment=False,
424 key_encipherment=False,
425 data_encipherment=False,
426 key_agreement=False,
427 key_cert_sign=False,
428 crl_sign=False,
429 encipher_only=True,
430 decipher_only=True
431 )
432
433 with pytest.raises(ValueError):
434 x509.KeyUsage(
435 digital_signature=False,
436 content_commitment=False,
437 key_encipherment=False,
438 data_encipherment=False,
439 key_agreement=False,
440 key_cert_sign=False,
441 crl_sign=False,
442 encipher_only=False,
443 decipher_only=True
444 )
445
446 def test_properties_key_agreement_true(self):
447 ku = x509.KeyUsage(
448 digital_signature=True,
449 content_commitment=True,
450 key_encipherment=False,
451 data_encipherment=False,
452 key_agreement=False,
453 key_cert_sign=True,
454 crl_sign=False,
455 encipher_only=False,
456 decipher_only=False
457 )
458 assert ku.digital_signature is True
459 assert ku.content_commitment is True
460 assert ku.key_encipherment is False
461 assert ku.data_encipherment is False
462 assert ku.key_agreement is False
463 assert ku.key_cert_sign is True
464 assert ku.crl_sign is False
465
466 def test_key_agreement_true_properties(self):
467 ku = x509.KeyUsage(
468 digital_signature=False,
469 content_commitment=False,
470 key_encipherment=False,
471 data_encipherment=False,
472 key_agreement=True,
473 key_cert_sign=False,
474 crl_sign=False,
475 encipher_only=False,
476 decipher_only=True
477 )
478 assert ku.key_agreement is True
479 assert ku.encipher_only is False
480 assert ku.decipher_only is True
481
482 def test_key_agreement_false_properties(self):
483 ku = x509.KeyUsage(
484 digital_signature=False,
485 content_commitment=False,
486 key_encipherment=False,
487 data_encipherment=False,
488 key_agreement=False,
489 key_cert_sign=False,
490 crl_sign=False,
491 encipher_only=False,
492 decipher_only=False
493 )
494 assert ku.key_agreement is False
495 with pytest.raises(ValueError):
496 ku.encipher_only
497
498 with pytest.raises(ValueError):
499 ku.decipher_only
500
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500501 def test_repr_key_agreement_false(self):
502 ku = x509.KeyUsage(
503 digital_signature=True,
504 content_commitment=True,
505 key_encipherment=False,
506 data_encipherment=False,
507 key_agreement=False,
508 key_cert_sign=True,
509 crl_sign=False,
510 encipher_only=False,
511 decipher_only=False
512 )
513 assert repr(ku) == (
514 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
515 "cipherment=False, data_encipherment=False, key_agreement=False, k"
Paul Kehrerb372e672015-04-15 11:05:24 -0400516 "ey_cert_sign=True, crl_sign=False, encipher_only=None, decipher_o"
517 "nly=None)>"
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500518 )
519
520 def test_repr_key_agreement_true(self):
521 ku = x509.KeyUsage(
522 digital_signature=True,
523 content_commitment=True,
524 key_encipherment=False,
525 data_encipherment=False,
526 key_agreement=True,
527 key_cert_sign=True,
528 crl_sign=False,
529 encipher_only=False,
530 decipher_only=False
531 )
532 assert repr(ku) == (
533 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
534 "cipherment=False, data_encipherment=False, key_agreement=True, k"
535 "ey_cert_sign=True, crl_sign=False, encipher_only=False, decipher_"
536 "only=False)>"
537 )
538
Paul Kehrer8565f5e2015-05-13 09:57:09 -0500539 def test_eq(self):
540 ku = x509.KeyUsage(
541 digital_signature=False,
542 content_commitment=False,
543 key_encipherment=False,
544 data_encipherment=False,
545 key_agreement=True,
546 key_cert_sign=False,
547 crl_sign=False,
548 encipher_only=False,
549 decipher_only=True
550 )
551 ku2 = x509.KeyUsage(
552 digital_signature=False,
553 content_commitment=False,
554 key_encipherment=False,
555 data_encipherment=False,
556 key_agreement=True,
557 key_cert_sign=False,
558 crl_sign=False,
559 encipher_only=False,
560 decipher_only=True
561 )
562 assert ku == ku2
563
564 def test_ne(self):
565 ku = x509.KeyUsage(
566 digital_signature=False,
567 content_commitment=False,
568 key_encipherment=False,
569 data_encipherment=False,
570 key_agreement=True,
571 key_cert_sign=False,
572 crl_sign=False,
573 encipher_only=False,
574 decipher_only=True
575 )
576 ku2 = x509.KeyUsage(
577 digital_signature=False,
578 content_commitment=False,
579 key_encipherment=False,
580 data_encipherment=False,
581 key_agreement=False,
582 key_cert_sign=False,
583 crl_sign=False,
584 encipher_only=False,
585 decipher_only=False
586 )
587 assert ku != ku2
588 assert ku != object()
589
Paul Kehrercecbbba2015-03-30 14:58:38 -0500590
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500591class TestSubjectKeyIdentifier(object):
592 def test_properties(self):
Paul Kehrercbfb1012015-04-10 20:57:20 -0400593 value = binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500594 ski = x509.SubjectKeyIdentifier(value)
595 assert ski.digest == value
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500596
597 def test_repr(self):
598 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500599 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500600 )
Paul Kehrerd44e4132015-08-10 19:13:13 -0500601 ext = x509.Extension(ExtensionOID.SUBJECT_KEY_IDENTIFIER, False, ski)
Paul Kehrercbfb1012015-04-10 20:57:20 -0400602 if six.PY3:
603 assert repr(ext) == (
604 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
605 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
606 "igest=b\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
607 "\\xf7\\xff:\\xc9\')>)>"
608 )
609 else:
610 assert repr(ext) == (
611 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
612 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
613 "igest=\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
614 "\\xf7\\xff:\\xc9\')>)>"
615 )
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500616
617 def test_eq(self):
618 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500619 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500620 )
621 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500622 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500623 )
624 assert ski == ski2
625
626 def test_ne(self):
627 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500628 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500629 )
630 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500631 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500632 )
633 assert ski != ski2
634 assert ski != object()
635
636
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400637class TestAuthorityKeyIdentifier(object):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500638 def test_authority_cert_issuer_not_generalname(self):
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400639 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500640 x509.AuthorityKeyIdentifier(b"identifier", ["notname"], 3)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400641
642 def test_authority_cert_serial_number_not_integer(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500643 dirname = x509.DirectoryName(
644 x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800645 x509.NameAttribute(
646 x509.ObjectIdentifier('2.999.1'),
647 u'value1'
648 ),
649 x509.NameAttribute(
650 x509.ObjectIdentifier('2.999.2'),
651 u'value2'
652 ),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500653 ])
654 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400655 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500656 x509.AuthorityKeyIdentifier(b"identifier", [dirname], "notanint")
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400657
658 def test_authority_issuer_none_serial_not_none(self):
659 with pytest.raises(ValueError):
660 x509.AuthorityKeyIdentifier(b"identifier", None, 3)
661
662 def test_authority_issuer_not_none_serial_none(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500663 dirname = x509.DirectoryName(
664 x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800665 x509.NameAttribute(
666 x509.ObjectIdentifier('2.999.1'),
667 u'value1'
668 ),
669 x509.NameAttribute(
670 x509.ObjectIdentifier('2.999.2'),
671 u'value2'
672 ),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500673 ])
674 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400675 with pytest.raises(ValueError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500676 x509.AuthorityKeyIdentifier(b"identifier", [dirname], None)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400677
678 def test_authority_cert_serial_and_issuer_none(self):
679 aki = x509.AuthorityKeyIdentifier(b"id", None, None)
680 assert aki.key_identifier == b"id"
681 assert aki.authority_cert_issuer is None
682 assert aki.authority_cert_serial_number is None
683
684 def test_repr(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500685 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500686 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500687 )
688 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400689
690 if six.PY3:
691 assert repr(aki) == (
692 "<AuthorityKeyIdentifier(key_identifier=b'digest', authority_"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500693 "cert_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid="
Ian Cordascoa908d692015-06-16 21:35:24 -0500694 "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value='myC"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500695 "N')>])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400696 )
697 else:
698 assert repr(aki) == (
699 "<AuthorityKeyIdentifier(key_identifier='digest', authority_ce"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500700 "rt_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid=<Ob"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500701 "jectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'myCN')"
702 ">])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400703 )
704
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500705 def test_eq(self):
706 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500707 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500708 )
709 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
710 dirname2 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500711 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500712 )
713 aki2 = x509.AuthorityKeyIdentifier(b"digest", [dirname2], 1234)
714 assert aki == aki2
715
716 def test_ne(self):
717 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500718 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500719 )
720 dirname5 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500721 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'aCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500722 )
723 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
724 aki2 = x509.AuthorityKeyIdentifier(b"diges", [dirname], 1234)
725 aki3 = x509.AuthorityKeyIdentifier(b"digest", None, None)
726 aki4 = x509.AuthorityKeyIdentifier(b"digest", [dirname], 12345)
727 aki5 = x509.AuthorityKeyIdentifier(b"digest", [dirname5], 12345)
728 assert aki != aki2
729 assert aki != aki3
730 assert aki != aki4
731 assert aki != aki5
732 assert aki != object()
733
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400734
Paul Kehrer8cf26422015-03-21 09:50:24 -0500735class TestBasicConstraints(object):
736 def test_ca_not_boolean(self):
737 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500738 x509.BasicConstraints(ca="notbool", path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500739
740 def test_path_length_not_ca(self):
741 with pytest.raises(ValueError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500742 x509.BasicConstraints(ca=False, path_length=0)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500743
744 def test_path_length_not_int(self):
745 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500746 x509.BasicConstraints(ca=True, path_length=1.1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500747
748 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500749 x509.BasicConstraints(ca=True, path_length="notint")
Paul Kehrer8cf26422015-03-21 09:50:24 -0500750
751 def test_path_length_negative(self):
752 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500753 x509.BasicConstraints(ca=True, path_length=-1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500754
755 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500756 na = x509.BasicConstraints(ca=True, path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500757 assert repr(na) == (
Paul Kehrer85894662015-03-22 13:19:31 -0500758 "<BasicConstraints(ca=True, path_length=None)>"
Paul Kehrer8cf26422015-03-21 09:50:24 -0500759 )
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500760
Paul Kehrer3a69b132015-05-13 10:03:46 -0500761 def test_eq(self):
762 na = x509.BasicConstraints(ca=True, path_length=None)
763 na2 = x509.BasicConstraints(ca=True, path_length=None)
764 assert na == na2
765
766 def test_ne(self):
767 na = x509.BasicConstraints(ca=True, path_length=None)
768 na2 = x509.BasicConstraints(ca=True, path_length=1)
769 na3 = x509.BasicConstraints(ca=False, path_length=None)
770 assert na != na2
771 assert na != na3
772 assert na != object()
773
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500774
Paul Kehrerffa2a152015-03-31 08:18:25 -0500775class TestExtendedKeyUsage(object):
776 def test_not_all_oids(self):
777 with pytest.raises(TypeError):
778 x509.ExtendedKeyUsage(["notoid"])
779
780 def test_iter_len(self):
781 eku = x509.ExtendedKeyUsage([
782 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
783 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
784 ])
785 assert len(eku) == 2
786 assert list(eku) == [
Paul Kehrer9e102db2015-08-10 21:53:09 -0500787 ExtendedKeyUsageOID.SERVER_AUTH,
788 ExtendedKeyUsageOID.CLIENT_AUTH
Paul Kehrerffa2a152015-03-31 08:18:25 -0500789 ]
790
Paul Kehrer23d10c32015-04-02 23:12:32 -0500791 def test_repr(self):
792 eku = x509.ExtendedKeyUsage([
793 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
794 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
795 ])
796 assert repr(eku) == (
797 "<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name="
798 "serverAuth)>, <ObjectIdentifier(oid=1.3.6.1.5.5.7.3.2, name=clien"
799 "tAuth)>])>"
800 )
801
Paul Kehrerb0476172015-05-02 19:34:51 -0500802 def test_eq(self):
803 eku = x509.ExtendedKeyUsage([
804 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
805 ])
806 eku2 = x509.ExtendedKeyUsage([
807 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
808 ])
809 assert eku == eku2
810
811 def test_ne(self):
812 eku = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6")])
813 eku2 = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6.1")])
814 assert eku != eku2
815 assert eku != object()
816
Paul Kehrerffa2a152015-03-31 08:18:25 -0500817
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500818@pytest.mark.requires_backend_interface(interface=RSABackend)
819@pytest.mark.requires_backend_interface(interface=X509Backend)
820class TestExtensions(object):
821 def test_no_extensions(self, backend):
822 cert = _load_cert(
823 os.path.join("x509", "verisign_md2_root.pem"),
824 x509.load_pem_x509_certificate,
825 backend
826 )
827 ext = cert.extensions
828 assert len(ext) == 0
829 assert list(ext) == []
Paul Kehrerfa56a232015-03-17 13:14:03 -0500830 with pytest.raises(x509.ExtensionNotFound) as exc:
Paul Kehrerd44e4132015-08-10 19:13:13 -0500831 ext.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500832
Paul Kehrerd44e4132015-08-10 19:13:13 -0500833 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500834
835 def test_one_extension(self, backend):
836 cert = _load_cert(
837 os.path.join(
838 "x509", "custom", "basic_constraints_not_critical.pem"
839 ),
840 x509.load_pem_x509_certificate,
841 backend
842 )
843 extensions = cert.extensions
Paul Kehrerd44e4132015-08-10 19:13:13 -0500844 ext = extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500845 assert ext is not None
846 assert ext.value.ca is False
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500847
848 def test_duplicate_extension(self, backend):
849 cert = _load_cert(
850 os.path.join(
851 "x509", "custom", "two_basic_constraints.pem"
852 ),
853 x509.load_pem_x509_certificate,
854 backend
855 )
856 with pytest.raises(x509.DuplicateExtension) as exc:
857 cert.extensions
858
Paul Kehrerd44e4132015-08-10 19:13:13 -0500859 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500860
861 def test_unsupported_critical_extension(self, backend):
862 cert = _load_cert(
863 os.path.join(
864 "x509", "custom", "unsupported_extension_critical.pem"
865 ),
866 x509.load_pem_x509_certificate,
867 backend
868 )
869 with pytest.raises(x509.UnsupportedExtension) as exc:
870 cert.extensions
871
872 assert exc.value.oid == x509.ObjectIdentifier("1.2.3.4")
873
874 def test_unsupported_extension(self, backend):
875 # TODO: this will raise an exception when all extensions are complete
876 cert = _load_cert(
877 os.path.join(
878 "x509", "custom", "unsupported_extension.pem"
879 ),
880 x509.load_pem_x509_certificate,
881 backend
882 )
883 extensions = cert.extensions
884 assert len(extensions) == 0
Paul Kehrerfa56a232015-03-17 13:14:03 -0500885
Phoebe Queenecae9812015-08-12 05:00:32 +0100886 def test_no_extensions_get_for_class(self, backend):
887 cert = _load_cert(
888 os.path.join(
Phoebe Queencb5ec4e2015-08-12 15:06:26 +0100889 "x509", "cryptography.io.pem"
Phoebe Queenecae9812015-08-12 05:00:32 +0100890 ),
891 x509.load_pem_x509_certificate,
892 backend
893 )
Phoebe Queenc93752b2015-08-12 10:54:46 +0100894 exts = cert.extensions
Phoebe Queenecae9812015-08-12 05:00:32 +0100895 with pytest.raises(x509.ExtensionNotFound) as exc:
Phoebe Queencb5ec4e2015-08-12 15:06:26 +0100896 exts.get_extension_for_class(x509.IssuerAlternativeName)
897 assert exc.value.oid == ExtensionOID.ISSUER_ALTERNATIVE_NAME
Phoebe Queenecae9812015-08-12 05:00:32 +0100898
Paul Kehrer5b90c972015-12-26 00:52:58 -0600899 def test_indexing(self, backend):
900 cert = _load_cert(
901 os.path.join("x509", "cryptography.io.pem"),
902 x509.load_pem_x509_certificate,
903 backend
904 )
905 exts = cert.extensions
906 assert exts[-1] == exts[7]
907 assert len(exts[3:5]) == 2
908 assert exts[2:4][0] == exts[2]
909 assert exts[2:4][1] == exts[3]
910
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100911 def test_one_extension_get_for_class(self, backend):
912 cert = _load_cert(
Phoebe Queen2cc111a2015-08-12 04:14:22 +0100913 os.path.join(
914 "x509", "custom", "basic_constraints_not_critical.pem"
915 ),
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100916 x509.load_pem_x509_certificate,
917 backend
918 )
919 ext = cert.extensions.get_extension_for_class(x509.BasicConstraints)
920 assert ext is not None
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100921 assert isinstance(ext.value, x509.BasicConstraints)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500922
Paul Kehrerafbe75b2015-10-20 08:08:43 -0500923 def test_repr(self, backend):
924 cert = _load_cert(
925 os.path.join(
926 "x509", "custom", "basic_constraints_not_critical.pem"
927 ),
928 x509.load_pem_x509_certificate,
929 backend
930 )
931 assert repr(cert.extensions) == (
932 "<Extensions([<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name"
933 "=basicConstraints)>, critical=False, value=<BasicConstraints(ca=F"
934 "alse, path_length=None)>)>])>"
935 )
936
Phoebe Queen2cc111a2015-08-12 04:14:22 +0100937
Paul Kehrerfa56a232015-03-17 13:14:03 -0500938@pytest.mark.requires_backend_interface(interface=RSABackend)
939@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerde813ea2015-03-28 12:44:34 -0500940class TestBasicConstraintsExtension(object):
Paul Kehrerfa56a232015-03-17 13:14:03 -0500941 def test_ca_true_pathlen_6(self, backend):
942 cert = _load_cert(
943 os.path.join(
944 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
945 ),
946 x509.load_der_x509_certificate,
947 backend
948 )
Phoebe Queen062dec72015-08-12 11:42:23 +0100949 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500950 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500951 )
952 assert ext is not None
953 assert ext.critical is True
954 assert ext.value.ca is True
955 assert ext.value.path_length == 6
956
957 def test_path_length_zero(self, backend):
958 cert = _load_cert(
959 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
960 x509.load_pem_x509_certificate,
961 backend
962 )
963 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500964 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500965 )
966 assert ext is not None
967 assert ext.critical is True
968 assert ext.value.ca is True
969 assert ext.value.path_length == 0
970
971 def test_ca_true_no_pathlen(self, backend):
972 cert = _load_cert(
973 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
974 x509.load_der_x509_certificate,
975 backend
976 )
977 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500978 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500979 )
980 assert ext is not None
981 assert ext.critical is True
982 assert ext.value.ca is True
983 assert ext.value.path_length is None
984
985 def test_ca_false(self, backend):
986 cert = _load_cert(
987 os.path.join("x509", "cryptography.io.pem"),
988 x509.load_pem_x509_certificate,
989 backend
990 )
991 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500992 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500993 )
994 assert ext is not None
995 assert ext.critical is True
996 assert ext.value.ca is False
997 assert ext.value.path_length is None
998
999 def test_no_basic_constraints(self, backend):
1000 cert = _load_cert(
1001 os.path.join(
1002 "x509",
1003 "PKITS_data",
1004 "certs",
1005 "ValidCertificatePathTest1EE.crt"
1006 ),
1007 x509.load_der_x509_certificate,
1008 backend
1009 )
1010 with pytest.raises(x509.ExtensionNotFound):
Paul Kehrerd44e4132015-08-10 19:13:13 -05001011 cert.extensions.get_extension_for_oid(
1012 ExtensionOID.BASIC_CONSTRAINTS
1013 )
Paul Kehrerfa56a232015-03-17 13:14:03 -05001014
1015 def test_basic_constraint_not_critical(self, backend):
1016 cert = _load_cert(
1017 os.path.join(
1018 "x509", "custom", "basic_constraints_not_critical.pem"
1019 ),
1020 x509.load_pem_x509_certificate,
1021 backend
1022 )
1023 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05001024 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -05001025 )
1026 assert ext is not None
1027 assert ext.critical is False
1028 assert ext.value.ca is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -05001029
1030
Paul Kehrer1eb82a62015-03-31 20:00:33 -05001031class TestSubjectKeyIdentifierExtension(object):
Paul Kehrerf22f6122015-08-05 12:57:13 +01001032 @pytest.mark.requires_backend_interface(interface=RSABackend)
1033 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -05001034 def test_subject_key_identifier(self, backend):
1035 cert = _load_cert(
1036 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1037 x509.load_der_x509_certificate,
1038 backend
1039 )
1040 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05001041 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer1eb82a62015-03-31 20:00:33 -05001042 )
1043 ski = ext.value
1044 assert ext is not None
1045 assert ext.critical is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -05001046 assert ski.digest == binascii.unhexlify(
Paul Kehreree997262015-04-04 12:20:28 -05001047 b"580184241bbc2b52944a3da510721451f5af3ac9"
Paul Kehrer1eb82a62015-03-31 20:00:33 -05001048 )
1049
Paul Kehrerf22f6122015-08-05 12:57:13 +01001050 @pytest.mark.requires_backend_interface(interface=RSABackend)
1051 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -05001052 def test_no_subject_key_identifier(self, backend):
1053 cert = _load_cert(
1054 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
1055 x509.load_pem_x509_certificate,
1056 backend
1057 )
1058 with pytest.raises(x509.ExtensionNotFound):
1059 cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05001060 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer1eb82a62015-03-31 20:00:33 -05001061 )
Paul Kehrer5508ee22015-04-02 19:31:03 -05001062
Paul Kehrerf22f6122015-08-05 12:57:13 +01001063 @pytest.mark.requires_backend_interface(interface=RSABackend)
1064 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +01001065 def test_from_rsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +01001066 cert = _load_cert(
1067 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1068 x509.load_der_x509_certificate,
1069 backend
1070 )
1071 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05001072 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +01001073 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +01001074 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +01001075 cert.public_key()
1076 )
1077 assert ext.value == ski
1078
1079 @pytest.mark.requires_backend_interface(interface=DSABackend)
1080 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +01001081 def test_from_dsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +01001082 cert = _load_cert(
1083 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
1084 x509.load_pem_x509_certificate,
1085 backend
1086 )
1087
1088 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05001089 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +01001090 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +01001091 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +01001092 cert.public_key()
1093 )
1094 assert ext.value == ski
1095
1096 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1097 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +01001098 def test_from_ec_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +01001099 _skip_curve_unsupported(backend, ec.SECP384R1())
1100 cert = _load_cert(
1101 os.path.join("x509", "ecdsa_root.pem"),
1102 x509.load_pem_x509_certificate,
1103 backend
1104 )
1105
1106 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05001107 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +01001108 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +01001109 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +01001110 cert.public_key()
1111 )
1112 assert ext.value == ski
1113
Paul Kehrer5508ee22015-04-02 19:31:03 -05001114
1115@pytest.mark.requires_backend_interface(interface=RSABackend)
1116@pytest.mark.requires_backend_interface(interface=X509Backend)
1117class TestKeyUsageExtension(object):
1118 def test_no_key_usage(self, backend):
1119 cert = _load_cert(
1120 os.path.join("x509", "verisign_md2_root.pem"),
1121 x509.load_pem_x509_certificate,
1122 backend
1123 )
1124 ext = cert.extensions
1125 with pytest.raises(x509.ExtensionNotFound) as exc:
Paul Kehrerd44e4132015-08-10 19:13:13 -05001126 ext.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -05001127
Paul Kehrerd44e4132015-08-10 19:13:13 -05001128 assert exc.value.oid == ExtensionOID.KEY_USAGE
Paul Kehrer5508ee22015-04-02 19:31:03 -05001129
1130 def test_all_purposes(self, backend):
1131 cert = _load_cert(
1132 os.path.join(
1133 "x509", "custom", "all_key_usages.pem"
1134 ),
1135 x509.load_pem_x509_certificate,
1136 backend
1137 )
1138 extensions = cert.extensions
Paul Kehrerd44e4132015-08-10 19:13:13 -05001139 ext = extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -05001140 assert ext is not None
1141
1142 ku = ext.value
1143 assert ku.digital_signature is True
1144 assert ku.content_commitment is True
1145 assert ku.key_encipherment is True
1146 assert ku.data_encipherment is True
1147 assert ku.key_agreement is True
1148 assert ku.key_cert_sign is True
1149 assert ku.crl_sign is True
1150 assert ku.encipher_only is True
1151 assert ku.decipher_only is True
1152
1153 def test_key_cert_sign_crl_sign(self, backend):
1154 cert = _load_cert(
1155 os.path.join(
1156 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
1157 ),
1158 x509.load_der_x509_certificate,
1159 backend
1160 )
Paul Kehrerd44e4132015-08-10 19:13:13 -05001161 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -05001162 assert ext is not None
1163 assert ext.critical is True
1164
1165 ku = ext.value
1166 assert ku.digital_signature is False
1167 assert ku.content_commitment is False
1168 assert ku.key_encipherment is False
1169 assert ku.data_encipherment is False
1170 assert ku.key_agreement is False
1171 assert ku.key_cert_sign is True
1172 assert ku.crl_sign is True
Paul Kehrer31bdf792015-03-25 14:11:00 -05001173
1174
1175@pytest.mark.parametrize(
1176 "name", [
1177 x509.RFC822Name,
1178 x509.DNSName,
1179 x509.UniformResourceIdentifier
1180 ]
1181)
1182class TestTextGeneralNames(object):
1183 def test_not_text(self, name):
1184 with pytest.raises(TypeError):
1185 name(b"notaunicodestring")
1186
1187 with pytest.raises(TypeError):
1188 name(1.3)
1189
1190 def test_repr(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +05301191 gn = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -05001192 assert repr(gn) == "<{0}(value=string)>".format(name.__name__)
1193
1194 def test_eq(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +05301195 gn = name(u"string")
1196 gn2 = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -05001197 assert gn == gn2
1198
1199 def test_ne(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +05301200 gn = name(u"string")
1201 gn2 = name(u"string2")
Paul Kehrer31bdf792015-03-25 14:11:00 -05001202 assert gn != gn2
1203 assert gn != object()
1204
1205
1206class TestDirectoryName(object):
1207 def test_not_name(self):
1208 with pytest.raises(TypeError):
1209 x509.DirectoryName(b"notaname")
1210
1211 with pytest.raises(TypeError):
1212 x509.DirectoryName(1.3)
1213
1214 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -05001215 name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'value1')])
Paul Kehrer31bdf792015-03-25 14:11:00 -05001216 gn = x509.DirectoryName(x509.Name([name]))
Ian Cordascoa908d692015-06-16 21:35:24 -05001217 if six.PY3:
1218 assert repr(gn) == (
1219 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1220 "Identifier(oid=2.5.4.3, name=commonName)>, value='value1')>])"
1221 ">])>)>"
1222 )
1223 else:
1224 assert repr(gn) == (
1225 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1226 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'value1')>]"
1227 ")>])>)>"
1228 )
Paul Kehrer31bdf792015-03-25 14:11:00 -05001229
1230 def test_eq(self):
1231 name = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -08001232 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -05001233 ])
1234 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -08001235 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -05001236 ])
1237 gn = x509.DirectoryName(x509.Name([name]))
1238 gn2 = x509.DirectoryName(x509.Name([name2]))
1239 assert gn == gn2
1240
1241 def test_ne(self):
1242 name = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -08001243 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -05001244 ])
1245 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -08001246 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
Paul Kehrer31bdf792015-03-25 14:11:00 -05001247 ])
1248 gn = x509.DirectoryName(x509.Name([name]))
1249 gn2 = x509.DirectoryName(x509.Name([name2]))
1250 assert gn != gn2
1251 assert gn != object()
1252
1253
Paul Kehrer01d5d0b2015-07-12 09:41:21 -05001254class TestRFC822Name(object):
1255 def test_invalid_email(self):
1256 with pytest.raises(ValueError):
1257 x509.RFC822Name(u"Name <email>")
1258
1259 with pytest.raises(ValueError):
1260 x509.RFC822Name(u"")
1261
1262 def test_single_label(self):
1263 gn = x509.RFC822Name(u"administrator")
1264 assert gn.value == u"administrator"
1265
1266 def test_idna(self):
1267 gn = x509.RFC822Name(u"email@em\xe5\xefl.com")
1268 assert gn.value == u"email@em\xe5\xefl.com"
1269 assert gn._encoded == b"email@xn--eml-vla4c.com"
1270
1271
Paul Kehrere28d6c42015-07-12 14:59:37 -05001272class TestUniformResourceIdentifier(object):
1273 def test_no_parsed_hostname(self):
1274 gn = x509.UniformResourceIdentifier(u"singlelabel")
1275 assert gn.value == u"singlelabel"
1276
1277 def test_with_port(self):
1278 gn = x509.UniformResourceIdentifier(u"singlelabel:443/test")
1279 assert gn.value == u"singlelabel:443/test"
1280
1281 def test_idna_no_port(self):
1282 gn = x509.UniformResourceIdentifier(
1283 u"http://\u043f\u044b\u043a\u0430.cryptography"
1284 )
1285 assert gn.value == u"http://\u043f\u044b\u043a\u0430.cryptography"
1286 assert gn._encoded == b"http://xn--80ato2c.cryptography"
1287
1288 def test_idna_with_port(self):
1289 gn = x509.UniformResourceIdentifier(
1290 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1291 )
1292 assert gn.value == (
1293 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1294 )
1295 assert gn._encoded == b"gopher://xn--80ato2c.cryptography:70/some/path"
1296
1297 def test_query_and_fragment(self):
1298 gn = x509.UniformResourceIdentifier(
1299 u"ldap://cryptography:90/path?query=true#somedata"
1300 )
1301 assert gn.value == u"ldap://cryptography:90/path?query=true#somedata"
1302
1303
Paul Kehrer31bdf792015-03-25 14:11:00 -05001304class TestRegisteredID(object):
1305 def test_not_oid(self):
1306 with pytest.raises(TypeError):
1307 x509.RegisteredID(b"notanoid")
1308
1309 with pytest.raises(TypeError):
1310 x509.RegisteredID(1.3)
1311
1312 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -05001313 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -05001314 assert repr(gn) == (
1315 "<RegisteredID(value=<ObjectIdentifier(oid=2.5.4.3, name=commonNam"
1316 "e)>)>"
1317 )
1318
1319 def test_eq(self):
Paul Kehrereba19e62015-08-10 18:44:24 -05001320 gn = x509.RegisteredID(NameOID.COMMON_NAME)
1321 gn2 = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -05001322 assert gn == gn2
1323
1324 def test_ne(self):
Paul Kehrereba19e62015-08-10 18:44:24 -05001325 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrerd44e4132015-08-10 19:13:13 -05001326 gn2 = x509.RegisteredID(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrer31bdf792015-03-25 14:11:00 -05001327 assert gn != gn2
1328 assert gn != object()
1329
1330
1331class TestIPAddress(object):
1332 def test_not_ipaddress(self):
1333 with pytest.raises(TypeError):
1334 x509.IPAddress(b"notanipaddress")
1335
1336 with pytest.raises(TypeError):
1337 x509.IPAddress(1.3)
1338
1339 def test_repr(self):
Eeshan Gargf1234152015-04-29 18:41:00 +05301340 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -05001341 assert repr(gn) == "<IPAddress(value=127.0.0.1)>"
1342
Eeshan Gargf1234152015-04-29 18:41:00 +05301343 gn2 = x509.IPAddress(ipaddress.IPv6Address(u"ff::"))
Paul Kehrer31bdf792015-03-25 14:11:00 -05001344 assert repr(gn2) == "<IPAddress(value=ff::)>"
1345
Paul Kehrereb177932015-05-17 18:33:33 -07001346 gn3 = x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24"))
1347 assert repr(gn3) == "<IPAddress(value=192.168.0.0/24)>"
1348
1349 gn4 = x509.IPAddress(ipaddress.IPv6Network(u"ff::/96"))
1350 assert repr(gn4) == "<IPAddress(value=ff::/96)>"
1351
Paul Kehrer31bdf792015-03-25 14:11:00 -05001352 def test_eq(self):
Eeshan Gargf1234152015-04-29 18:41:00 +05301353 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1354 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -05001355 assert gn == gn2
1356
1357 def test_ne(self):
Eeshan Gargf1234152015-04-29 18:41:00 +05301358 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1359 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.2"))
Paul Kehrer31bdf792015-03-25 14:11:00 -05001360 assert gn != gn2
1361 assert gn != object()
1362
1363
Joshua Tauberer18b6fc82015-07-05 21:44:51 +00001364class TestOtherName(object):
1365 def test_invalid_args(self):
1366 with pytest.raises(TypeError):
1367 x509.OtherName(b"notanobjectidentifier", b"derdata")
1368
1369 with pytest.raises(TypeError):
1370 x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), u"notderdata")
1371
1372 def test_repr(self):
1373 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1374 if six.PY3:
1375 assert repr(gn) == (
1376 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1377 "name=Unknown OID)>, value=b'derdata')>"
1378 )
1379 else:
1380 assert repr(gn) == (
1381 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1382 "name=Unknown OID)>, value='derdata')>"
1383 )
1384
1385 gn = x509.OtherName(x509.ObjectIdentifier("2.5.4.65"), b"derdata")
1386 if six.PY3:
1387 assert repr(gn) == (
1388 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1389 "name=pseudonym)>, value=b'derdata')>"
1390 )
1391 else:
1392 assert repr(gn) == (
1393 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1394 "name=pseudonym)>, value='derdata')>"
1395 )
1396
1397 def test_eq(self):
1398 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1399 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1400 assert gn == gn2
1401
1402 def test_ne(self):
1403 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1404 assert gn != object()
1405
1406 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata2")
1407 assert gn != gn2
1408
1409 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.5"), b"derdata")
1410 assert gn != gn2
1411
1412
Erik Trauschke2dcce902015-05-14 16:12:24 -07001413class TestGeneralNames(object):
1414 def test_get_values_for_type(self):
1415 gns = x509.GeneralNames(
1416 [x509.DNSName(u"cryptography.io")]
1417 )
1418 names = gns.get_values_for_type(x509.DNSName)
1419 assert names == [u"cryptography.io"]
1420
1421 def test_iter_names(self):
1422 gns = x509.GeneralNames([
1423 x509.DNSName(u"cryptography.io"),
1424 x509.DNSName(u"crypto.local"),
1425 ])
1426 assert len(gns) == 2
1427 assert list(gns) == [
1428 x509.DNSName(u"cryptography.io"),
1429 x509.DNSName(u"crypto.local"),
1430 ]
1431
1432 def test_invalid_general_names(self):
1433 with pytest.raises(TypeError):
1434 x509.GeneralNames(
1435 [x509.DNSName(u"cryptography.io"), "invalid"]
1436 )
1437
1438 def test_repr(self):
1439 gns = x509.GeneralNames(
1440 [
1441 x509.DNSName(u"cryptography.io")
1442 ]
1443 )
1444 assert repr(gns) == (
1445 "<GeneralNames([<DNSName(value=cryptography.io)>])>"
1446 )
1447
1448 def test_eq(self):
1449 gns = x509.GeneralNames(
1450 [x509.DNSName(u"cryptography.io")]
1451 )
1452 gns2 = x509.GeneralNames(
1453 [x509.DNSName(u"cryptography.io")]
1454 )
1455 assert gns == gns2
1456
1457 def test_ne(self):
1458 gns = x509.GeneralNames(
1459 [x509.DNSName(u"cryptography.io")]
1460 )
1461 gns2 = x509.GeneralNames(
1462 [x509.RFC822Name(u"admin@cryptography.io")]
1463 )
1464 assert gns != gns2
1465 assert gns != object()
1466
1467
Paul Kehrer99125c92015-06-07 18:37:10 -05001468class TestIssuerAlternativeName(object):
1469 def test_get_values_for_type(self):
1470 san = x509.IssuerAlternativeName(
1471 [x509.DNSName(u"cryptography.io")]
1472 )
1473 names = san.get_values_for_type(x509.DNSName)
1474 assert names == [u"cryptography.io"]
1475
1476 def test_iter_names(self):
1477 san = x509.IssuerAlternativeName([
1478 x509.DNSName(u"cryptography.io"),
1479 x509.DNSName(u"crypto.local"),
1480 ])
1481 assert len(san) == 2
1482 assert list(san) == [
1483 x509.DNSName(u"cryptography.io"),
1484 x509.DNSName(u"crypto.local"),
1485 ]
1486
1487 def test_invalid_general_names(self):
1488 with pytest.raises(TypeError):
1489 x509.IssuerAlternativeName(
1490 [x509.DNSName(u"cryptography.io"), "invalid"]
1491 )
1492
1493 def test_repr(self):
1494 san = x509.IssuerAlternativeName(
1495 [
1496 x509.DNSName(u"cryptography.io")
1497 ]
1498 )
1499 assert repr(san) == (
1500 "<IssuerAlternativeName("
1501 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
1502 )
1503
1504 def test_eq(self):
1505 san = x509.IssuerAlternativeName(
1506 [x509.DNSName(u"cryptography.io")]
1507 )
1508 san2 = x509.IssuerAlternativeName(
1509 [x509.DNSName(u"cryptography.io")]
1510 )
1511 assert san == san2
1512
1513 def test_ne(self):
1514 san = x509.IssuerAlternativeName(
1515 [x509.DNSName(u"cryptography.io")]
1516 )
1517 san2 = x509.IssuerAlternativeName(
1518 [x509.RFC822Name(u"admin@cryptography.io")]
1519 )
1520 assert san != san2
1521 assert san != object()
1522
1523
Alex Gaynorf1c17672015-06-20 14:20:20 -04001524@pytest.mark.requires_backend_interface(interface=RSABackend)
1525@pytest.mark.requires_backend_interface(interface=X509Backend)
1526class TestRSAIssuerAlternativeNameExtension(object):
1527 def test_uri(self, backend):
1528 cert = _load_cert(
1529 os.path.join("x509", "custom", "ian_uri.pem"),
1530 x509.load_pem_x509_certificate,
1531 backend,
1532 )
1533 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05001534 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Alex Gaynorf1c17672015-06-20 14:20:20 -04001535 )
1536 assert list(ext.value) == [
1537 x509.UniformResourceIdentifier(u"http://path.to.root/root.crt"),
1538 ]
1539
1540
Paul Kehrer3b95cd72015-12-22 21:40:20 -06001541class TestCRLNumber(object):
1542 def test_eq(self):
1543 crl_number = x509.CRLNumber(15)
1544 assert crl_number == x509.CRLNumber(15)
1545
1546 def test_ne(self):
1547 crl_number = x509.CRLNumber(15)
1548 assert crl_number != x509.CRLNumber(14)
1549 assert crl_number != object()
1550
1551 def test_repr(self):
1552 crl_number = x509.CRLNumber(15)
1553 assert repr(crl_number) == "<CRLNumber(15)>"
1554
Paul Kehrera9718fc2015-12-22 22:55:35 -06001555 def test_invalid_number(self):
1556 with pytest.raises(TypeError):
1557 x509.CRLNumber("notanumber")
1558
Paul Kehrer3b95cd72015-12-22 21:40:20 -06001559
Paul Kehrer31bdf792015-03-25 14:11:00 -05001560class TestSubjectAlternativeName(object):
1561 def test_get_values_for_type(self):
1562 san = x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +05301563 [x509.DNSName(u"cryptography.io")]
Paul Kehrer31bdf792015-03-25 14:11:00 -05001564 )
1565 names = san.get_values_for_type(x509.DNSName)
Eeshan Gargf1234152015-04-29 18:41:00 +05301566 assert names == [u"cryptography.io"]
Paul Kehrer31bdf792015-03-25 14:11:00 -05001567
1568 def test_iter_names(self):
1569 san = x509.SubjectAlternativeName([
Eeshan Gargf1234152015-04-29 18:41:00 +05301570 x509.DNSName(u"cryptography.io"),
1571 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -05001572 ])
1573 assert len(san) == 2
1574 assert list(san) == [
Eeshan Gargf1234152015-04-29 18:41:00 +05301575 x509.DNSName(u"cryptography.io"),
1576 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -05001577 ]
1578
Paul Kehrerd04b39b2015-04-21 08:44:17 -05001579 def test_invalid_general_names(self):
1580 with pytest.raises(TypeError):
1581 x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +05301582 [x509.DNSName(u"cryptography.io"), "invalid"]
Paul Kehrerd04b39b2015-04-21 08:44:17 -05001583 )
1584
Paul Kehrer31bdf792015-03-25 14:11:00 -05001585 def test_repr(self):
1586 san = x509.SubjectAlternativeName(
1587 [
Eeshan Gargf1234152015-04-29 18:41:00 +05301588 x509.DNSName(u"cryptography.io")
Paul Kehrer31bdf792015-03-25 14:11:00 -05001589 ]
1590 )
1591 assert repr(san) == (
Erik Trauschke2dcce902015-05-14 16:12:24 -07001592 "<SubjectAlternativeName("
1593 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
Paul Kehrer31bdf792015-03-25 14:11:00 -05001594 )
Paul Kehrer40f83382015-04-20 15:00:16 -05001595
Paul Kehrer58cc3972015-05-13 10:00:41 -05001596 def test_eq(self):
1597 san = x509.SubjectAlternativeName(
1598 [x509.DNSName(u"cryptography.io")]
1599 )
1600 san2 = x509.SubjectAlternativeName(
1601 [x509.DNSName(u"cryptography.io")]
1602 )
1603 assert san == san2
1604
1605 def test_ne(self):
1606 san = x509.SubjectAlternativeName(
1607 [x509.DNSName(u"cryptography.io")]
1608 )
1609 san2 = x509.SubjectAlternativeName(
1610 [x509.RFC822Name(u"admin@cryptography.io")]
1611 )
1612 assert san != san2
1613 assert san != object()
1614
Paul Kehrer40f83382015-04-20 15:00:16 -05001615
1616@pytest.mark.requires_backend_interface(interface=RSABackend)
1617@pytest.mark.requires_backend_interface(interface=X509Backend)
1618class TestRSASubjectAlternativeNameExtension(object):
1619 def test_dns_name(self, backend):
1620 cert = _load_cert(
1621 os.path.join("x509", "cryptography.io.pem"),
1622 x509.load_pem_x509_certificate,
1623 backend
1624 )
1625 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05001626 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer40f83382015-04-20 15:00:16 -05001627 )
1628 assert ext is not None
1629 assert ext.critical is False
1630
1631 san = ext.value
1632
1633 dns = san.get_values_for_type(x509.DNSName)
1634 assert dns == [u"www.cryptography.io", u"cryptography.io"]
Paul Kehrer9089c912015-04-20 22:15:20 -05001635
Paul Kehrer3c6bba52015-06-26 18:43:26 -05001636 def test_wildcard_dns_name(self, backend):
1637 cert = _load_cert(
1638 os.path.join("x509", "wildcard_san.pem"),
1639 x509.load_pem_x509_certificate,
1640 backend
1641 )
1642 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05001643 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer3c6bba52015-06-26 18:43:26 -05001644 )
1645
1646 dns = ext.value.get_values_for_type(x509.DNSName)
1647 assert dns == [
1648 u'*.langui.sh',
1649 u'langui.sh',
1650 u'*.saseliminator.com',
1651 u'saseliminator.com'
1652 ]
1653
Dominic Chen87bb9572015-10-09 00:23:07 -04001654 def test_san_empty_hostname(self, backend):
1655 cert = _load_cert(
1656 os.path.join(
1657 "x509", "custom", "san_empty_hostname.pem"
1658 ),
1659 x509.load_pem_x509_certificate,
1660 backend
1661 )
1662 san = cert.extensions.get_extension_for_oid(
1663 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
1664 )
1665
1666 dns = san.value.get_values_for_type(x509.DNSName)
1667 assert dns == [u'']
1668
Paul Kehrer3c6bba52015-06-26 18:43:26 -05001669 def test_san_wildcard_idna_dns_name(self, backend):
1670 cert = _load_cert(
1671 os.path.join("x509", "custom", "san_wildcard_idna.pem"),
1672 x509.load_pem_x509_certificate,
1673 backend
1674 )
1675 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05001676 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer3c6bba52015-06-26 18:43:26 -05001677 )
1678
1679 dns = ext.value.get_values_for_type(x509.DNSName)
1680 assert dns == [u'*.\u043f\u044b\u043a\u0430.cryptography']
1681
Paul Kehrer7bdf6572015-07-05 08:55:44 -05001682 def test_unsupported_gn(self, backend):
Paul Kehrer9089c912015-04-20 22:15:20 -05001683 cert = _load_cert(
Paul Kehrer7bdf6572015-07-05 08:55:44 -05001684 os.path.join("x509", "san_x400address.der"),
1685 x509.load_der_x509_certificate,
Paul Kehrer9089c912015-04-20 22:15:20 -05001686 backend
1687 )
Paul Kehrerbed07352015-04-21 08:31:10 -05001688 with pytest.raises(x509.UnsupportedGeneralNameType) as exc:
Paul Kehrer9089c912015-04-20 22:15:20 -05001689 cert.extensions
Paul Kehrerbed07352015-04-21 08:31:10 -05001690
Paul Kehrer7bdf6572015-07-05 08:55:44 -05001691 assert exc.value.type == 3
Paul Kehrer4db96622015-04-20 22:17:39 -05001692
1693 def test_registered_id(self, backend):
1694 cert = _load_cert(
1695 os.path.join(
1696 "x509", "custom", "san_registered_id.pem"
1697 ),
1698 x509.load_pem_x509_certificate,
1699 backend
1700 )
1701 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05001702 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer4db96622015-04-20 22:17:39 -05001703 )
1704 assert ext is not None
1705 assert ext.critical is False
1706
1707 san = ext.value
1708 rid = san.get_values_for_type(x509.RegisteredID)
1709 assert rid == [x509.ObjectIdentifier("1.2.3.4")]
Paul Kehrerb8ef82e2015-04-22 16:04:24 -05001710
1711 def test_uri(self, backend):
1712 cert = _load_cert(
1713 os.path.join(
1714 "x509", "custom", "san_uri_with_port.pem"
1715 ),
1716 x509.load_pem_x509_certificate,
1717 backend
1718 )
1719 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05001720 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrerb8ef82e2015-04-22 16:04:24 -05001721 )
1722 assert ext is not None
1723 uri = ext.value.get_values_for_type(
1724 x509.UniformResourceIdentifier
1725 )
1726 assert uri == [
1727 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/path?q=s#hel"
1728 u"lo",
1729 u"http://someregulardomain.com",
1730 ]
Paul Kehrera5f030c2015-04-28 08:33:18 -05001731
1732 def test_ipaddress(self, backend):
1733 cert = _load_cert(
1734 os.path.join(
1735 "x509", "custom", "san_ipaddr.pem"
1736 ),
1737 x509.load_pem_x509_certificate,
1738 backend
1739 )
1740 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05001741 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrera5f030c2015-04-28 08:33:18 -05001742 )
1743 assert ext is not None
1744 assert ext.critical is False
1745
1746 san = ext.value
1747
1748 ip = san.get_values_for_type(x509.IPAddress)
1749 assert [
1750 ipaddress.ip_address(u"127.0.0.1"),
1751 ipaddress.ip_address(u"ff::")
1752 ] == ip
Paul Kehrer2187a052015-04-30 08:22:07 -05001753
1754 def test_dirname(self, backend):
1755 cert = _load_cert(
1756 os.path.join(
1757 "x509", "custom", "san_dirname.pem"
1758 ),
1759 x509.load_pem_x509_certificate,
1760 backend
1761 )
1762 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05001763 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer2187a052015-04-30 08:22:07 -05001764 )
1765 assert ext is not None
1766 assert ext.critical is False
1767
1768 san = ext.value
1769
1770 dirname = san.get_values_for_type(x509.DirectoryName)
1771 assert [
1772 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05001773 x509.NameAttribute(NameOID.COMMON_NAME, u'test'),
1774 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org'),
1775 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Paul Kehrer2187a052015-04-30 08:22:07 -05001776 ])
1777 ] == dirname
Paul Kehrere06cab42015-04-30 10:23:33 -05001778
1779 def test_rfc822name(self, backend):
1780 cert = _load_cert(
1781 os.path.join(
1782 "x509", "custom", "san_rfc822_idna.pem"
1783 ),
1784 x509.load_pem_x509_certificate,
1785 backend
1786 )
1787 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05001788 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -05001789 )
1790 assert ext is not None
1791 assert ext.critical is False
1792
1793 san = ext.value
1794
1795 rfc822name = san.get_values_for_type(x509.RFC822Name)
1796 assert [u"email@em\xe5\xefl.com"] == rfc822name
1797
Paul Kehrerb8968812015-05-15 09:01:34 -07001798 def test_idna2003_invalid(self, backend):
1799 cert = _load_cert(
1800 os.path.join(
1801 "x509", "custom", "san_idna2003_dnsname.pem"
1802 ),
1803 x509.load_pem_x509_certificate,
1804 backend
1805 )
1806 with pytest.raises(UnicodeError):
1807 cert.extensions
1808
Paul Kehrere06cab42015-04-30 10:23:33 -05001809 def test_unicode_rfc822_name_dns_name_uri(self, backend):
1810 cert = _load_cert(
1811 os.path.join(
1812 "x509", "custom", "san_idna_names.pem"
1813 ),
1814 x509.load_pem_x509_certificate,
1815 backend
1816 )
1817 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05001818 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -05001819 )
1820 assert ext is not None
1821 rfc822_name = ext.value.get_values_for_type(x509.RFC822Name)
1822 dns_name = ext.value.get_values_for_type(x509.DNSName)
1823 uri = ext.value.get_values_for_type(x509.UniformResourceIdentifier)
1824 assert rfc822_name == [u"email@\u043f\u044b\u043a\u0430.cryptography"]
1825 assert dns_name == [u"\u043f\u044b\u043a\u0430.cryptography"]
1826 assert uri == [u"https://www.\u043f\u044b\u043a\u0430.cryptography"]
1827
1828 def test_rfc822name_dnsname_ipaddress_directoryname_uri(self, backend):
1829 cert = _load_cert(
1830 os.path.join(
1831 "x509", "custom", "san_email_dns_ip_dirname_uri.pem"
1832 ),
1833 x509.load_pem_x509_certificate,
1834 backend
1835 )
1836 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05001837 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -05001838 )
1839 assert ext is not None
1840 assert ext.critical is False
1841
1842 san = ext.value
1843
1844 rfc822_name = san.get_values_for_type(x509.RFC822Name)
1845 uri = san.get_values_for_type(x509.UniformResourceIdentifier)
1846 dns = san.get_values_for_type(x509.DNSName)
1847 ip = san.get_values_for_type(x509.IPAddress)
1848 dirname = san.get_values_for_type(x509.DirectoryName)
1849 assert [u"user@cryptography.io"] == rfc822_name
Paul Kehrere3a330c2015-05-02 16:42:52 -05001850 assert [u"https://cryptography.io"] == uri
Paul Kehrere06cab42015-04-30 10:23:33 -05001851 assert [u"cryptography.io"] == dns
1852 assert [
1853 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05001854 x509.NameAttribute(NameOID.COMMON_NAME, u'dirCN'),
Paul Kehrere06cab42015-04-30 10:23:33 -05001855 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05001856 NameOID.ORGANIZATION_NAME, u'Cryptographic Authority'
Paul Kehrere06cab42015-04-30 10:23:33 -05001857 ),
1858 ])
1859 ] == dirname
1860 assert [
1861 ipaddress.ip_address(u"127.0.0.1"),
1862 ipaddress.ip_address(u"ff::")
1863 ] == ip
1864
1865 def test_invalid_rfc822name(self, backend):
1866 cert = _load_cert(
1867 os.path.join(
1868 "x509", "custom", "san_rfc822_names.pem"
1869 ),
1870 x509.load_pem_x509_certificate,
1871 backend
1872 )
1873 with pytest.raises(ValueError) as exc:
1874 cert.extensions
1875
1876 assert 'Invalid rfc822name value' in str(exc.value)
Paul Kehrer94c69602015-05-02 19:29:40 -05001877
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +00001878 def test_other_name(self, backend):
1879 cert = _load_cert(
1880 os.path.join(
1881 "x509", "custom", "san_other_name.pem"
1882 ),
1883 x509.load_pem_x509_certificate,
1884 backend
1885 )
1886
1887 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05001888 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +00001889 )
1890 assert ext is not None
1891 assert ext.critical is False
1892
Joshua Taubererd2afad32015-07-06 22:37:53 +00001893 expected = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"),
1894 b'\x16\x0bHello World')
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +00001895 assert len(ext.value) == 1
Joshua Taubererd2afad32015-07-06 22:37:53 +00001896 assert list(ext.value)[0] == expected
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +00001897
1898 othernames = ext.value.get_values_for_type(x509.OtherName)
Joshua Taubererd2afad32015-07-06 22:37:53 +00001899 assert othernames == [expected]
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +00001900
Paul Kehrer94c69602015-05-02 19:29:40 -05001901
1902@pytest.mark.requires_backend_interface(interface=RSABackend)
1903@pytest.mark.requires_backend_interface(interface=X509Backend)
1904class TestExtendedKeyUsageExtension(object):
1905 def test_eku(self, backend):
1906 cert = _load_cert(
1907 os.path.join(
1908 "x509", "custom", "extended_key_usage.pem"
1909 ),
1910 x509.load_pem_x509_certificate,
1911 backend
1912 )
1913 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05001914 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer94c69602015-05-02 19:29:40 -05001915 )
1916 assert ext is not None
1917 assert ext.critical is False
1918
1919 assert [
1920 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
1921 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
1922 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.3"),
1923 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.4"),
1924 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.9"),
1925 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.8"),
1926 x509.ObjectIdentifier("2.5.29.37.0"),
1927 x509.ObjectIdentifier("2.16.840.1.113730.4.1"),
1928 ] == list(ext.value)
Paul Kehrer3e6d5582015-05-02 21:57:56 -05001929
1930
1931class TestAccessDescription(object):
1932 def test_invalid_access_method(self):
Nick Bastind06763d2015-12-12 18:32:59 -08001933 with pytest.raises(TypeError):
Paul Kehrer3e6d5582015-05-02 21:57:56 -05001934 x509.AccessDescription("notanoid", x509.DNSName(u"test"))
1935
1936 def test_invalid_access_location(self):
1937 with pytest.raises(TypeError):
Paul Kehrer9e102db2015-08-10 21:53:09 -05001938 x509.AccessDescription(
1939 AuthorityInformationAccessOID.CA_ISSUERS, "invalid"
1940 )
Paul Kehrer3e6d5582015-05-02 21:57:56 -05001941
Nick Bastind2ecf862015-12-13 05:44:46 -08001942 def test_valid_nonstandard_method(self):
Nick Bastin326fc8e2015-12-12 19:08:12 -08001943 ad = x509.AccessDescription(
1944 ObjectIdentifier("2.999.1"),
1945 x509.UniformResourceIdentifier(u"http://example.com")
1946 )
Nick Bastin11f0f8a2015-12-12 18:54:12 -08001947 assert ad is not None
1948
Paul Kehrer3e6d5582015-05-02 21:57:56 -05001949 def test_repr(self):
1950 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -05001951 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -05001952 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1953 )
1954 assert repr(ad) == (
1955 "<AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5."
1956 "5.7.48.1, name=OCSP)>, access_location=<UniformResourceIdentifier"
1957 "(value=http://ocsp.domain.com)>)>"
1958 )
1959
1960 def test_eq(self):
1961 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -05001962 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -05001963 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1964 )
1965 ad2 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -05001966 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -05001967 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1968 )
1969 assert ad == ad2
1970
1971 def test_ne(self):
1972 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -05001973 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -05001974 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1975 )
1976 ad2 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -05001977 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -05001978 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1979 )
1980 ad3 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -05001981 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -05001982 x509.UniformResourceIdentifier(u"http://notthesame")
1983 )
1984 assert ad != ad2
1985 assert ad != ad3
1986 assert ad != object()
1987
1988
1989class TestAuthorityInformationAccess(object):
1990 def test_invalid_descriptions(self):
1991 with pytest.raises(TypeError):
1992 x509.AuthorityInformationAccess(["notanAccessDescription"])
1993
1994 def test_iter_len(self):
1995 aia = x509.AuthorityInformationAccess([
1996 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -05001997 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -05001998 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1999 ),
2000 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -05002001 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -05002002 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2003 )
2004 ])
2005 assert len(aia) == 2
2006 assert list(aia) == [
2007 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -05002008 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -05002009 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2010 ),
2011 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -05002012 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -05002013 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2014 )
2015 ]
2016
2017 def test_repr(self):
2018 aia = x509.AuthorityInformationAccess([
2019 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -05002020 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -05002021 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2022 ),
2023 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -05002024 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -05002025 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2026 )
2027 ])
2028 assert repr(aia) == (
2029 "<AuthorityInformationAccess([<AccessDescription(access_method=<Ob"
2030 "jectIdentifier(oid=1.3.6.1.5.5.7.48.1, name=OCSP)>, access_locati"
2031 "on=<UniformResourceIdentifier(value=http://ocsp.domain.com)>)>, <"
2032 "AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5.5"
2033 ".7.48.2, name=caIssuers)>, access_location=<UniformResourceIdenti"
2034 "fier(value=http://domain.com/ca.crt)>)>])>"
2035 )
2036
2037 def test_eq(self):
2038 aia = x509.AuthorityInformationAccess([
2039 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -05002040 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -05002041 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2042 ),
2043 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -05002044 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -05002045 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2046 )
2047 ])
2048 aia2 = x509.AuthorityInformationAccess([
2049 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -05002050 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -05002051 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2052 ),
2053 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -05002054 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -05002055 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2056 )
2057 ])
2058 assert aia == aia2
2059
2060 def test_ne(self):
2061 aia = x509.AuthorityInformationAccess([
2062 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -05002063 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -05002064 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2065 ),
2066 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -05002067 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -05002068 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2069 )
2070 ])
2071 aia2 = x509.AuthorityInformationAccess([
2072 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -05002073 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -05002074 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2075 ),
2076 ])
2077
2078 assert aia != aia2
2079 assert aia != object()
Paul Kehrerd774de92015-05-03 10:52:25 -05002080
2081
2082@pytest.mark.requires_backend_interface(interface=RSABackend)
2083@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera1476992015-05-04 17:35:47 -05002084class TestAuthorityInformationAccessExtension(object):
2085 def test_aia_ocsp_ca_issuers(self, backend):
2086 cert = _load_cert(
2087 os.path.join("x509", "cryptography.io.pem"),
2088 x509.load_pem_x509_certificate,
2089 backend
2090 )
2091 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002092 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -05002093 )
2094 assert ext is not None
2095 assert ext.critical is False
2096
2097 assert ext.value == x509.AuthorityInformationAccess([
2098 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -05002099 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -05002100 x509.UniformResourceIdentifier(u"http://gv.symcd.com")
2101 ),
2102 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -05002103 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -05002104 x509.UniformResourceIdentifier(u"http://gv.symcb.com/gv.crt")
2105 ),
2106 ])
2107
2108 def test_aia_multiple_ocsp_ca_issuers(self, backend):
2109 cert = _load_cert(
2110 os.path.join("x509", "custom", "aia_ocsp_ca_issuers.pem"),
2111 x509.load_pem_x509_certificate,
2112 backend
2113 )
2114 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002115 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -05002116 )
2117 assert ext is not None
2118 assert ext.critical is False
2119
2120 assert ext.value == x509.AuthorityInformationAccess([
2121 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -05002122 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -05002123 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2124 ),
2125 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -05002126 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -05002127 x509.UniformResourceIdentifier(u"http://ocsp2.domain.com")
2128 ),
2129 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -05002130 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -05002131 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05002132 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
2133 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -05002134 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -05002135 ]))
2136 ),
2137 ])
2138
2139 def test_aia_ocsp_only(self, backend):
2140 cert = _load_cert(
2141 os.path.join("x509", "custom", "aia_ocsp.pem"),
2142 x509.load_pem_x509_certificate,
2143 backend
2144 )
2145 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002146 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -05002147 )
2148 assert ext is not None
2149 assert ext.critical is False
2150
2151 assert ext.value == x509.AuthorityInformationAccess([
2152 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -05002153 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -05002154 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2155 ),
2156 ])
2157
2158 def test_aia_ca_issuers_only(self, backend):
2159 cert = _load_cert(
2160 os.path.join("x509", "custom", "aia_ca_issuers.pem"),
2161 x509.load_pem_x509_certificate,
2162 backend
2163 )
2164 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002165 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -05002166 )
2167 assert ext is not None
2168 assert ext.critical is False
2169
2170 assert ext.value == x509.AuthorityInformationAccess([
2171 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -05002172 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -05002173 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05002174 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
2175 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -05002176 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -05002177 ]))
2178 ),
2179 ])
2180
2181
2182@pytest.mark.requires_backend_interface(interface=RSABackend)
2183@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd774de92015-05-03 10:52:25 -05002184class TestAuthorityKeyIdentifierExtension(object):
2185 def test_aki_keyid(self, backend):
2186 cert = _load_cert(
2187 os.path.join(
2188 "x509", "cryptography.io.pem"
2189 ),
2190 x509.load_pem_x509_certificate,
2191 backend
2192 )
2193 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002194 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -05002195 )
2196 assert ext is not None
2197 assert ext.critical is False
2198
2199 assert ext.value.key_identifier == (
2200 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08\xcbY"
2201 )
2202 assert ext.value.authority_cert_issuer is None
2203 assert ext.value.authority_cert_serial_number is None
2204
2205 def test_aki_all_fields(self, backend):
2206 cert = _load_cert(
2207 os.path.join(
2208 "x509", "custom", "authority_key_identifier.pem"
2209 ),
2210 x509.load_pem_x509_certificate,
2211 backend
2212 )
2213 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002214 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -05002215 )
2216 assert ext is not None
2217 assert ext.critical is False
2218
2219 assert ext.value.key_identifier == (
2220 b"9E>\xca=b\x1d\xea\x86I\xf6Z\xab@\xb7\xa4p\x98\xf1\xec"
2221 )
2222 assert ext.value.authority_cert_issuer == [
2223 x509.DirectoryName(
2224 x509.Name([
2225 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05002226 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -05002227 ),
2228 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05002229 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -05002230 )
2231 ])
2232 )
2233 ]
2234 assert ext.value.authority_cert_serial_number == 3
2235
2236 def test_aki_no_keyid(self, backend):
2237 cert = _load_cert(
2238 os.path.join(
2239 "x509", "custom", "authority_key_identifier_no_keyid.pem"
2240 ),
2241 x509.load_pem_x509_certificate,
2242 backend
2243 )
2244 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002245 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -05002246 )
2247 assert ext is not None
2248 assert ext.critical is False
2249
2250 assert ext.value.key_identifier is None
2251 assert ext.value.authority_cert_issuer == [
2252 x509.DirectoryName(
2253 x509.Name([
2254 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05002255 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -05002256 ),
2257 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05002258 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -05002259 )
2260 ])
2261 )
2262 ]
2263 assert ext.value.authority_cert_serial_number == 3
Paul Kehrer5a485522015-05-06 00:29:12 -05002264
Paul Kehrer253929a2015-08-05 17:30:39 +01002265 def test_from_certificate(self, backend):
2266 issuer_cert = _load_cert(
2267 os.path.join("x509", "rapidssl_sha256_ca_g3.pem"),
2268 x509.load_pem_x509_certificate,
2269 backend
2270 )
2271 cert = _load_cert(
2272 os.path.join("x509", "cryptography.io.pem"),
2273 x509.load_pem_x509_certificate,
2274 backend
2275 )
2276 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002277 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrer253929a2015-08-05 17:30:39 +01002278 )
2279 aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(
2280 issuer_cert.public_key()
2281 )
2282 assert ext.value == aki
2283
Paul Kehrer5a485522015-05-06 00:29:12 -05002284
Paul Kehrere0017be2015-05-17 20:39:40 -06002285class TestNameConstraints(object):
2286 def test_ipaddress_wrong_type(self):
2287 with pytest.raises(TypeError):
2288 x509.NameConstraints(
2289 permitted_subtrees=[
2290 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2291 ],
2292 excluded_subtrees=None
2293 )
2294
2295 with pytest.raises(TypeError):
2296 x509.NameConstraints(
2297 permitted_subtrees=None,
2298 excluded_subtrees=[
2299 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2300 ]
2301 )
2302
2303 def test_ipaddress_allowed_type(self):
2304 permitted = [x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29"))]
2305 excluded = [x509.IPAddress(ipaddress.IPv4Network(u"10.10.0.0/24"))]
2306 nc = x509.NameConstraints(
2307 permitted_subtrees=permitted,
2308 excluded_subtrees=excluded
2309 )
2310 assert nc.permitted_subtrees == permitted
2311 assert nc.excluded_subtrees == excluded
2312
2313 def test_invalid_permitted_subtrees(self):
2314 with pytest.raises(TypeError):
2315 x509.NameConstraints("badpermitted", None)
2316
2317 def test_invalid_excluded_subtrees(self):
2318 with pytest.raises(TypeError):
2319 x509.NameConstraints(None, "badexcluded")
2320
2321 def test_no_subtrees(self):
2322 with pytest.raises(ValueError):
2323 x509.NameConstraints(None, None)
2324
2325 def test_permitted_none(self):
2326 excluded = [x509.DNSName(u"name.local")]
2327 nc = x509.NameConstraints(
2328 permitted_subtrees=None, excluded_subtrees=excluded
2329 )
2330 assert nc.permitted_subtrees is None
2331 assert nc.excluded_subtrees is not None
2332
2333 def test_excluded_none(self):
2334 permitted = [x509.DNSName(u"name.local")]
2335 nc = x509.NameConstraints(
2336 permitted_subtrees=permitted, excluded_subtrees=None
2337 )
2338 assert nc.permitted_subtrees is not None
2339 assert nc.excluded_subtrees is None
2340
2341 def test_repr(self):
2342 permitted = [x509.DNSName(u"name.local"), x509.DNSName(u"name2.local")]
2343 nc = x509.NameConstraints(
2344 permitted_subtrees=permitted,
2345 excluded_subtrees=None
2346 )
2347 assert repr(nc) == (
2348 "<NameConstraints(permitted_subtrees=[<DNSName(value=name.local)>"
2349 ", <DNSName(value=name2.local)>], excluded_subtrees=None)>"
2350 )
2351
Paul Kehrer31894282015-06-21 21:46:41 -05002352 def test_eq(self):
2353 nc = x509.NameConstraints(
2354 permitted_subtrees=[x509.DNSName(u"name.local")],
2355 excluded_subtrees=[x509.DNSName(u"name2.local")]
2356 )
2357 nc2 = x509.NameConstraints(
2358 permitted_subtrees=[x509.DNSName(u"name.local")],
2359 excluded_subtrees=[x509.DNSName(u"name2.local")]
2360 )
2361 assert nc == nc2
2362
2363 def test_ne(self):
2364 nc = x509.NameConstraints(
2365 permitted_subtrees=[x509.DNSName(u"name.local")],
2366 excluded_subtrees=[x509.DNSName(u"name2.local")]
2367 )
2368 nc2 = x509.NameConstraints(
2369 permitted_subtrees=[x509.DNSName(u"name.local")],
2370 excluded_subtrees=None
2371 )
2372 nc3 = x509.NameConstraints(
2373 permitted_subtrees=None,
2374 excluded_subtrees=[x509.DNSName(u"name2.local")]
2375 )
2376
2377 assert nc != nc2
2378 assert nc != nc3
2379 assert nc != object()
2380
Paul Kehrere0017be2015-05-17 20:39:40 -06002381
Paul Kehrer870d7e82015-06-21 22:20:44 -05002382@pytest.mark.requires_backend_interface(interface=RSABackend)
2383@pytest.mark.requires_backend_interface(interface=X509Backend)
2384class TestNameConstraintsExtension(object):
2385 def test_permitted_excluded(self, backend):
2386 cert = _load_cert(
2387 os.path.join(
2388 "x509", "custom", "nc_permitted_excluded_2.pem"
2389 ),
2390 x509.load_pem_x509_certificate,
2391 backend
2392 )
2393 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002394 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer870d7e82015-06-21 22:20:44 -05002395 ).value
2396 assert nc == x509.NameConstraints(
2397 permitted_subtrees=[
2398 x509.DNSName(u"zombo.local"),
2399 ],
2400 excluded_subtrees=[
2401 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05002402 x509.NameAttribute(NameOID.COMMON_NAME, u"zombo")
Paul Kehrer870d7e82015-06-21 22:20:44 -05002403 ]))
2404 ]
2405 )
2406
2407 def test_permitted(self, backend):
2408 cert = _load_cert(
2409 os.path.join(
2410 "x509", "custom", "nc_permitted_2.pem"
2411 ),
2412 x509.load_pem_x509_certificate,
2413 backend
2414 )
2415 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002416 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer870d7e82015-06-21 22:20:44 -05002417 ).value
2418 assert nc == x509.NameConstraints(
2419 permitted_subtrees=[
2420 x509.DNSName(u"zombo.local"),
2421 ],
2422 excluded_subtrees=None
2423 )
2424
Paul Kehrer42376832015-07-01 18:10:32 -05002425 def test_permitted_with_leading_period(self, backend):
2426 cert = _load_cert(
2427 os.path.join(
2428 "x509", "custom", "nc_permitted.pem"
2429 ),
2430 x509.load_pem_x509_certificate,
2431 backend
2432 )
2433 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002434 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer42376832015-07-01 18:10:32 -05002435 ).value
2436 assert nc == x509.NameConstraints(
2437 permitted_subtrees=[
2438 x509.DNSName(u".cryptography.io"),
2439 x509.UniformResourceIdentifier(u"ftp://cryptography.test")
2440 ],
2441 excluded_subtrees=None
2442 )
2443
2444 def test_excluded_with_leading_period(self, backend):
2445 cert = _load_cert(
2446 os.path.join(
2447 "x509", "custom", "nc_excluded.pem"
2448 ),
2449 x509.load_pem_x509_certificate,
2450 backend
2451 )
2452 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002453 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer42376832015-07-01 18:10:32 -05002454 ).value
2455 assert nc == x509.NameConstraints(
2456 permitted_subtrees=None,
2457 excluded_subtrees=[
2458 x509.DNSName(u".cryptography.io"),
2459 x509.UniformResourceIdentifier(u"gopher://cryptography.test")
2460 ]
2461 )
2462
Paul Kehrercfb8aa22015-07-01 19:16:36 -05002463 def test_permitted_excluded_with_ips(self, backend):
2464 cert = _load_cert(
2465 os.path.join(
2466 "x509", "custom", "nc_permitted_excluded.pem"
2467 ),
2468 x509.load_pem_x509_certificate,
2469 backend
2470 )
2471 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002472 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrercfb8aa22015-07-01 19:16:36 -05002473 ).value
2474 assert nc == x509.NameConstraints(
2475 permitted_subtrees=[
2476 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")),
2477 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")),
2478 ],
2479 excluded_subtrees=[
2480 x509.DNSName(u".domain.com"),
2481 x509.UniformResourceIdentifier(u"http://test.local"),
2482 ]
2483 )
2484
Paul Kehrera72ebaf2015-07-01 21:07:37 -05002485 def test_single_ip_netmask(self, backend):
2486 cert = _load_cert(
2487 os.path.join(
2488 "x509", "custom", "nc_single_ip_netmask.pem"
2489 ),
2490 x509.load_pem_x509_certificate,
2491 backend
2492 )
2493 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002494 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrera72ebaf2015-07-01 21:07:37 -05002495 ).value
2496 assert nc == x509.NameConstraints(
2497 permitted_subtrees=[
2498 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/128")),
2499 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.1/32")),
2500 ],
2501 excluded_subtrees=None
2502 )
2503
Paul Kehrercfb8aa22015-07-01 19:16:36 -05002504 def test_invalid_netmask(self, backend):
2505 cert = _load_cert(
2506 os.path.join(
2507 "x509", "custom", "nc_invalid_ip_netmask.pem"
2508 ),
2509 x509.load_pem_x509_certificate,
2510 backend
2511 )
2512 with pytest.raises(ValueError):
2513 cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002514 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrercfb8aa22015-07-01 19:16:36 -05002515 )
2516
Paul Kehrer870d7e82015-06-21 22:20:44 -05002517
Paul Kehrer5a485522015-05-06 00:29:12 -05002518class TestDistributionPoint(object):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002519 def test_distribution_point_full_name_not_general_names(self):
Paul Kehrer5a485522015-05-06 00:29:12 -05002520 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002521 x509.DistributionPoint(["notgn"], None, None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -05002522
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002523 def test_distribution_point_relative_name_not_name(self):
Paul Kehrer5a485522015-05-06 00:29:12 -05002524 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002525 x509.DistributionPoint(None, "notname", None, None)
2526
2527 def test_distribution_point_full_and_relative_not_none(self):
2528 with pytest.raises(ValueError):
2529 x509.DistributionPoint("data", "notname", None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -05002530
2531 def test_crl_issuer_not_general_names(self):
2532 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002533 x509.DistributionPoint(None, None, None, ["notgn"])
Paul Kehrer5a485522015-05-06 00:29:12 -05002534
2535 def test_reason_not_reasonflags(self):
2536 with pytest.raises(TypeError):
2537 x509.DistributionPoint(
2538 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002539 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -05002540 frozenset(["notreasonflags"]),
2541 None
2542 )
2543
2544 def test_reason_not_frozenset(self):
2545 with pytest.raises(TypeError):
2546 x509.DistributionPoint(
2547 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2548 None,
2549 [x509.ReasonFlags.ca_compromise],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002550 None
2551 )
2552
2553 def test_disallowed_reasons(self):
2554 with pytest.raises(ValueError):
2555 x509.DistributionPoint(
2556 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2557 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -05002558 frozenset([x509.ReasonFlags.unspecified]),
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002559 None
2560 )
2561
2562 with pytest.raises(ValueError):
2563 x509.DistributionPoint(
2564 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2565 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -05002566 frozenset([x509.ReasonFlags.remove_from_crl]),
Paul Kehrer5a485522015-05-06 00:29:12 -05002567 None
2568 )
2569
2570 def test_reason_only(self):
2571 with pytest.raises(ValueError):
2572 x509.DistributionPoint(
2573 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002574 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -05002575 frozenset([x509.ReasonFlags.aa_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -05002576 None
2577 )
2578
2579 def test_eq(self):
2580 dp = x509.DistributionPoint(
2581 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002582 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -05002583 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -05002584 [
2585 x509.DirectoryName(
2586 x509.Name([
2587 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05002588 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -05002589 )
2590 ])
2591 )
2592 ],
2593 )
2594 dp2 = x509.DistributionPoint(
2595 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002596 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -05002597 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -05002598 [
2599 x509.DirectoryName(
2600 x509.Name([
2601 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05002602 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -05002603 )
2604 ])
2605 )
2606 ],
2607 )
2608 assert dp == dp2
2609
2610 def test_ne(self):
2611 dp = x509.DistributionPoint(
2612 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002613 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -05002614 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -05002615 [
2616 x509.DirectoryName(
2617 x509.Name([
2618 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05002619 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -05002620 )
2621 ])
2622 )
2623 ],
2624 )
2625 dp2 = x509.DistributionPoint(
2626 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2627 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002628 None,
Paul Kehrer5a485522015-05-06 00:29:12 -05002629 None
2630 )
2631 assert dp != dp2
2632 assert dp != object()
2633
2634 def test_repr(self):
2635 dp = x509.DistributionPoint(
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002636 None,
Paul Kehrer5a485522015-05-06 00:29:12 -05002637 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05002638 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN")
Paul Kehrer5a485522015-05-06 00:29:12 -05002639 ]),
Paul Kehrer96ef63c2015-05-09 21:17:04 -05002640 frozenset([x509.ReasonFlags.ca_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -05002641 [
2642 x509.DirectoryName(
2643 x509.Name([
2644 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05002645 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -05002646 )
2647 ])
2648 )
2649 ],
2650 )
Paul Kehrer749da3b2015-05-10 09:58:29 -05002651 if six.PY3:
2652 assert repr(dp) == (
2653 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2654 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordascoa908d692015-06-16 21:35:24 -05002655 ">, value='myCN')>])>, reasons=frozenset({<ReasonFlags.ca_comp"
2656 "romise: 'cACompromise'>}), crl_issuer=[<DirectoryName(value=<"
2657 "Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name="
2658 "commonName)>, value='Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -05002659 )
2660 else:
2661 assert repr(dp) == (
2662 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2663 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordasco82fc3762015-06-16 20:59:50 -05002664 ">, value=u'myCN')>])>, reasons=frozenset([<ReasonFlags.ca_com"
2665 "promise: 'cACompromise'>]), crl_issuer=[<DirectoryName(value="
2666 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
2667 "=commonName)>, value=u'Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -05002668 )
Paul Kehrer5a485522015-05-06 00:29:12 -05002669
2670
2671class TestCRLDistributionPoints(object):
2672 def test_invalid_distribution_points(self):
2673 with pytest.raises(TypeError):
2674 x509.CRLDistributionPoints(["notadistributionpoint"])
2675
2676 def test_iter_len(self):
2677 cdp = x509.CRLDistributionPoints([
2678 x509.DistributionPoint(
2679 [x509.UniformResourceIdentifier(u"http://domain")],
2680 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002681 None,
Paul Kehrer5a485522015-05-06 00:29:12 -05002682 None
2683 ),
2684 x509.DistributionPoint(
2685 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002686 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -05002687 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002688 x509.ReasonFlags.key_compromise,
2689 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -05002690 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -05002691 None
2692 ),
2693 ])
2694 assert len(cdp) == 2
2695 assert list(cdp) == [
2696 x509.DistributionPoint(
2697 [x509.UniformResourceIdentifier(u"http://domain")],
2698 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002699 None,
Paul Kehrer5a485522015-05-06 00:29:12 -05002700 None
2701 ),
2702 x509.DistributionPoint(
2703 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002704 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -05002705 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002706 x509.ReasonFlags.key_compromise,
2707 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -05002708 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -05002709 None
2710 ),
2711 ]
2712
2713 def test_repr(self):
2714 cdp = x509.CRLDistributionPoints([
2715 x509.DistributionPoint(
2716 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002717 None,
Paul Kehrer96ef63c2015-05-09 21:17:04 -05002718 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -05002719 None
2720 ),
2721 ])
Paul Kehrer749da3b2015-05-10 09:58:29 -05002722 if six.PY3:
2723 assert repr(cdp) == (
2724 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2725 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2726 "ne, reasons=frozenset({<ReasonFlags.key_compromise: 'keyComp"
2727 "romise'>}), crl_issuer=None)>])>"
2728 )
2729 else:
2730 assert repr(cdp) == (
2731 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2732 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2733 "ne, reasons=frozenset([<ReasonFlags.key_compromise: 'keyComp"
2734 "romise'>]), crl_issuer=None)>])>"
2735 )
Paul Kehrer5a485522015-05-06 00:29:12 -05002736
2737 def test_eq(self):
2738 cdp = x509.CRLDistributionPoints([
2739 x509.DistributionPoint(
2740 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002741 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -05002742 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002743 x509.ReasonFlags.key_compromise,
2744 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -05002745 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -05002746 [x509.UniformResourceIdentifier(u"uri://thing")],
2747 ),
2748 ])
2749 cdp2 = x509.CRLDistributionPoints([
2750 x509.DistributionPoint(
2751 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002752 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -05002753 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002754 x509.ReasonFlags.key_compromise,
2755 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -05002756 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -05002757 [x509.UniformResourceIdentifier(u"uri://thing")],
2758 ),
2759 ])
2760 assert cdp == cdp2
2761
2762 def test_ne(self):
2763 cdp = x509.CRLDistributionPoints([
2764 x509.DistributionPoint(
2765 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002766 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -05002767 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002768 x509.ReasonFlags.key_compromise,
2769 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -05002770 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -05002771 [x509.UniformResourceIdentifier(u"uri://thing")],
2772 ),
2773 ])
2774 cdp2 = x509.CRLDistributionPoints([
2775 x509.DistributionPoint(
2776 [x509.UniformResourceIdentifier(u"ftp://domain2")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002777 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -05002778 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002779 x509.ReasonFlags.key_compromise,
2780 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -05002781 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -05002782 [x509.UniformResourceIdentifier(u"uri://thing")],
2783 ),
2784 ])
2785 cdp3 = x509.CRLDistributionPoints([
2786 x509.DistributionPoint(
2787 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002788 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -05002789 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -05002790 [x509.UniformResourceIdentifier(u"uri://thing")],
2791 ),
2792 ])
2793 cdp4 = x509.CRLDistributionPoints([
2794 x509.DistributionPoint(
2795 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002796 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -05002797 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -05002798 x509.ReasonFlags.key_compromise,
2799 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -05002800 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -05002801 [x509.UniformResourceIdentifier(u"uri://thing2")],
2802 ),
2803 ])
2804 assert cdp != cdp2
2805 assert cdp != cdp3
2806 assert cdp != cdp4
2807 assert cdp != object()
Paul Kehrer9a10d592015-05-10 14:55:51 -05002808
2809
2810@pytest.mark.requires_backend_interface(interface=RSABackend)
2811@pytest.mark.requires_backend_interface(interface=X509Backend)
2812class TestCRLDistributionPointsExtension(object):
2813 def test_fullname_and_crl_issuer(self, backend):
2814 cert = _load_cert(
2815 os.path.join(
2816 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest28EE.crt"
2817 ),
2818 x509.load_der_x509_certificate,
2819 backend
2820 )
2821
2822 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002823 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -05002824 ).value
2825
2826 assert cdps == x509.CRLDistributionPoints([
2827 x509.DistributionPoint(
2828 full_name=[x509.DirectoryName(
2829 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05002830 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -05002831 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05002832 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -05002833 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -05002834 ),
2835 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05002836 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -05002837 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -05002838 ),
2839 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05002840 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -05002841 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -05002842 ),
2843 ])
2844 )],
2845 relative_name=None,
2846 reasons=None,
2847 crl_issuer=[x509.DirectoryName(
2848 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05002849 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -05002850 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05002851 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -05002852 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -05002853 ),
2854 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05002855 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -05002856 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -05002857 ),
2858 ])
2859 )],
2860 )
2861 ])
2862
2863 def test_relativename_and_crl_issuer(self, backend):
2864 cert = _load_cert(
2865 os.path.join(
2866 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest29EE.crt"
2867 ),
2868 x509.load_der_x509_certificate,
2869 backend
2870 )
2871
2872 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002873 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -05002874 ).value
2875
2876 assert cdps == x509.CRLDistributionPoints([
2877 x509.DistributionPoint(
2878 full_name=None,
2879 relative_name=x509.Name([
2880 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05002881 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -05002882 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -05002883 ),
2884 ]),
2885 reasons=None,
2886 crl_issuer=[x509.DirectoryName(
2887 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05002888 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -05002889 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05002890 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -05002891 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -05002892 ),
2893 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05002894 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -05002895 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -05002896 ),
2897 ])
2898 )],
2899 )
2900 ])
2901
2902 def test_fullname_crl_issuer_reasons(self, backend):
2903 cert = _load_cert(
2904 os.path.join(
2905 "x509", "custom", "cdp_fullname_reasons_crl_issuer.pem"
2906 ),
2907 x509.load_pem_x509_certificate,
2908 backend
2909 )
2910
2911 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002912 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -05002913 ).value
2914
2915 assert cdps == x509.CRLDistributionPoints([
2916 x509.DistributionPoint(
2917 full_name=[x509.UniformResourceIdentifier(
2918 u"http://myhost.com/myca.crl"
2919 )],
2920 relative_name=None,
2921 reasons=frozenset([
2922 x509.ReasonFlags.key_compromise,
2923 x509.ReasonFlags.ca_compromise
2924 ]),
2925 crl_issuer=[x509.DirectoryName(
2926 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -05002927 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -05002928 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05002929 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrer9a10d592015-05-10 14:55:51 -05002930 ),
2931 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05002932 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -05002933 ),
2934 ])
2935 )],
2936 )
2937 ])
2938
Paul Kehrer594a2ed2015-05-12 23:27:32 -05002939 def test_all_reasons(self, backend):
2940 cert = _load_cert(
2941 os.path.join(
2942 "x509", "custom", "cdp_all_reasons.pem"
2943 ),
2944 x509.load_pem_x509_certificate,
2945 backend
2946 )
2947
2948 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002949 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer594a2ed2015-05-12 23:27:32 -05002950 ).value
2951
2952 assert cdps == x509.CRLDistributionPoints([
2953 x509.DistributionPoint(
2954 full_name=[x509.UniformResourceIdentifier(
2955 u"http://domain.com/some.crl"
2956 )],
2957 relative_name=None,
2958 reasons=frozenset([
2959 x509.ReasonFlags.key_compromise,
2960 x509.ReasonFlags.ca_compromise,
2961 x509.ReasonFlags.affiliation_changed,
2962 x509.ReasonFlags.superseded,
2963 x509.ReasonFlags.privilege_withdrawn,
2964 x509.ReasonFlags.cessation_of_operation,
2965 x509.ReasonFlags.aa_compromise,
2966 x509.ReasonFlags.certificate_hold,
2967 ]),
2968 crl_issuer=None
2969 )
2970 ])
2971
2972 def test_single_reason(self, backend):
2973 cert = _load_cert(
2974 os.path.join(
2975 "x509", "custom", "cdp_reason_aa_compromise.pem"
2976 ),
2977 x509.load_pem_x509_certificate,
2978 backend
2979 )
2980
2981 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05002982 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer594a2ed2015-05-12 23:27:32 -05002983 ).value
2984
2985 assert cdps == x509.CRLDistributionPoints([
2986 x509.DistributionPoint(
2987 full_name=[x509.UniformResourceIdentifier(
2988 u"http://domain.com/some.crl"
2989 )],
2990 relative_name=None,
2991 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
2992 crl_issuer=None
2993 )
2994 ])
2995
Paul Kehrer9a10d592015-05-10 14:55:51 -05002996 def test_crl_issuer_only(self, backend):
2997 cert = _load_cert(
2998 os.path.join(
2999 "x509", "custom", "cdp_crl_issuer.pem"
3000 ),
3001 x509.load_pem_x509_certificate,
3002 backend
3003 )
3004
3005 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05003006 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -05003007 ).value
3008
3009 assert cdps == x509.CRLDistributionPoints([
3010 x509.DistributionPoint(
3011 full_name=None,
3012 relative_name=None,
3013 reasons=None,
3014 crl_issuer=[x509.DirectoryName(
3015 x509.Name([
3016 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -05003017 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -05003018 ),
3019 ])
3020 )],
3021 )
3022 ])
Paul Kehrer16fae762015-05-01 23:14:20 -05003023
Dominic Chen87bb9572015-10-09 00:23:07 -04003024 def test_crl_empty_hostname(self, backend):
3025 cert = _load_cert(
3026 os.path.join(
3027 "x509", "custom", "cdp_empty_hostname.pem"
3028 ),
3029 x509.load_pem_x509_certificate,
3030 backend
3031 )
3032
3033 cdps = cert.extensions.get_extension_for_oid(
3034 ExtensionOID.CRL_DISTRIBUTION_POINTS
3035 ).value
3036
3037 assert cdps == x509.CRLDistributionPoints([
3038 x509.DistributionPoint(
3039 full_name=[x509.UniformResourceIdentifier(
3040 u"ldap:/CN=A,OU=B,dc=C,DC=D?E?F?G?H=I"
3041 )],
3042 relative_name=None,
3043 reasons=None,
3044 crl_issuer=None
3045 )
3046 ])
3047
Paul Kehrer16fae762015-05-01 23:14:20 -05003048
Paul Kehrerf54a50b2015-06-17 18:31:26 -06003049@pytest.mark.requires_backend_interface(interface=RSABackend)
3050@pytest.mark.requires_backend_interface(interface=X509Backend)
3051class TestOCSPNoCheckExtension(object):
3052 def test_nocheck(self, backend):
3053 cert = _load_cert(
3054 os.path.join(
3055 "x509", "custom", "ocsp_nocheck.pem"
3056 ),
3057 x509.load_pem_x509_certificate,
3058 backend
3059 )
3060 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05003061 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf54a50b2015-06-17 18:31:26 -06003062 )
3063 assert isinstance(ext.value, x509.OCSPNoCheck)
3064
3065
Paul Kehrer16fae762015-05-01 23:14:20 -05003066class TestInhibitAnyPolicy(object):
3067 def test_not_int(self):
3068 with pytest.raises(TypeError):
3069 x509.InhibitAnyPolicy("notint")
3070
3071 def test_negative_int(self):
3072 with pytest.raises(ValueError):
3073 x509.InhibitAnyPolicy(-1)
3074
3075 def test_repr(self):
3076 iap = x509.InhibitAnyPolicy(0)
3077 assert repr(iap) == "<InhibitAnyPolicy(skip_certs=0)>"
3078
3079 def test_eq(self):
3080 iap = x509.InhibitAnyPolicy(1)
3081 iap2 = x509.InhibitAnyPolicy(1)
3082 assert iap == iap2
3083
3084 def test_ne(self):
3085 iap = x509.InhibitAnyPolicy(1)
3086 iap2 = x509.InhibitAnyPolicy(4)
3087 assert iap != iap2
3088 assert iap != object()
Paul Kehrerca6ce992015-06-17 22:13:15 -06003089
3090
3091@pytest.mark.requires_backend_interface(interface=RSABackend)
3092@pytest.mark.requires_backend_interface(interface=X509Backend)
3093class TestInhibitAnyPolicyExtension(object):
3094 def test_nocheck(self, backend):
3095 cert = _load_cert(
3096 os.path.join(
3097 "x509", "custom", "inhibit_any_policy_5.pem"
3098 ),
3099 x509.load_pem_x509_certificate,
3100 backend
3101 )
3102 iap = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -05003103 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrerca6ce992015-06-17 22:13:15 -06003104 ).value
3105 assert iap.skip_certs == 5
Paul Kehrera08693f2015-08-01 20:45:21 +01003106
3107
3108@pytest.mark.requires_backend_interface(interface=RSABackend)
3109@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1b7500f2015-08-01 20:56:27 +01003110class TestInvalidExtension(object):
Paul Kehrera08693f2015-08-01 20:45:21 +01003111 def test_invalid_certificate_policies_data(self, backend):
3112 cert = _load_cert(
3113 os.path.join(
3114 "x509", "custom", "cp_invalid.pem"
3115 ),
3116 x509.load_pem_x509_certificate,
3117 backend
3118 )
3119 with pytest.raises(ValueError):
3120 cert.extensions