Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 7058eced3a27115f721887e836d16ee4fe4c7e9d / . / tests / test_x509_ext.py
blob: b8105a4bf14ad781de29499b69d78ab8dbaf092d [file] [log] [blame]
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]7import binascii
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]8import ipaddress
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]9import os
10
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]11import pytest
12
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]13import six
14
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]15from cryptography import x509
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]16from cryptography.hazmat.backends.interfaces import (
17 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
18)
19from cryptography.hazmat.primitives.asymmetric import ec
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]20from cryptography.x509.oid import (
Nick Bastin326fc8e2015-12-12 19:08:12 -0800[diff] [blame]21 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID,
22 NameOID, ObjectIdentifier
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]23)
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]24
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]25from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]26from .test_x509 import _load_cert
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]27
28
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]29class TestExtension(object):
30 def test_not_an_oid(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]31 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]32 with pytest.raises(TypeError):
33 x509.Extension("notanoid", True, bc)
34
35 def test_critical_not_a_bool(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]36 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]37 with pytest.raises(TypeError):
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]38 x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, "notabool", bc)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]39
40 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]41 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]42 ext = x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, True, bc)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]43 assert repr(ext) == (
44 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConst"
45 "raints)>, critical=True, value=<BasicConstraints(ca=False, path"
46 "_length=None)>)>"
47 )
48
Paul Kehrer58e870c2015-05-17 09:15:30 -0700[diff] [blame]49 def test_eq(self):
50 ext1 = x509.Extension(
51 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
52 )
53 ext2 = x509.Extension(
54 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
55 )
56 assert ext1 == ext2
57
58 def test_ne(self):
59 ext1 = x509.Extension(
60 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
61 )
62 ext2 = x509.Extension(
63 x509.ObjectIdentifier('1.2.3.5'), False, 'value'
64 )
65 ext3 = x509.Extension(
66 x509.ObjectIdentifier('1.2.3.4'), True, 'value'
67 )
68 ext4 = x509.Extension(
69 x509.ObjectIdentifier('1.2.3.4'), False, 'value4'
70 )
71 assert ext1 != ext2
72 assert ext1 != ext3
73 assert ext1 != ext4
74 assert ext1 != object()
75
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]76
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]77class TestCertificateIssuer(object):
78 def test_iter_names(self):
79 ci = x509.CertificateIssuer([
80 x509.DNSName(u"cryptography.io"),
81 x509.DNSName(u"crypto.local"),
82 ])
83 assert len(ci) == 2
84 assert list(ci) == [
85 x509.DNSName(u"cryptography.io"),
86 x509.DNSName(u"crypto.local"),
87 ]
88
89 def test_eq(self):
90 ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
91 ci2 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
92 assert ci1 == ci2
93
94 def test_ne(self):
95 ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
96 ci2 = x509.CertificateIssuer([x509.DNSName(u"somethingelse.tld")])
97 assert ci1 != ci2
98 assert ci1 != object()
99
100 def test_repr(self):
101 ci = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
102 assert repr(ci) == (
103 "<CertificateIssuer(<GeneralNames([<DNSName(value=cryptography.io"
104 ")>])>)>"
105 )
106
107 def test_get_values_for_type(self):
108 ci = x509.CertificateIssuer(
109 [x509.DNSName(u"cryptography.io")]
110 )
111 names = ci.get_values_for_type(x509.DNSName)
112 assert names == [u"cryptography.io"]
113
114
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame^]115class TestCRLReason(object):
116 def test_invalid_reason_flags(self):
117 with pytest.raises(TypeError):
118 x509.CRLReason("notareason")
119
120 def test_eq(self):
121 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
122 reason2 = x509.CRLReason(x509.ReasonFlags.unspecified)
123 assert reason1 == reason2
124
125 def test_ne(self):
126 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
127 reason2 = x509.CRLReason(x509.ReasonFlags.ca_compromise)
128 assert reason1 != reason2
129 assert reason1 != object()
130
131 def test_repr(self):
132 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
133 assert repr(reason1) == (
134 "<CRLReason(reason=ReasonFlags.unspecified)>"
135 )
136
137
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]138class TestNoticeReference(object):
139 def test_notice_numbers_not_all_int(self):
140 with pytest.raises(TypeError):
141 x509.NoticeReference("org", [1, 2, "three"])
142
143 def test_notice_numbers_none(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]144 with pytest.raises(TypeError):
145 x509.NoticeReference("org", None)
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]146
147 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]148 nr = x509.NoticeReference(u"org", [1, 3, 4])
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]149
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]150 if six.PY3:
151 assert repr(nr) == (
152 "<NoticeReference(organization='org', notice_numbers=[1, 3, 4"
153 "])>"
154 )
155 else:
156 assert repr(nr) == (
157 "<NoticeReference(organization=u'org', notice_numbers=[1, 3, "
158 "4])>"
159 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]160
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]161 def test_eq(self):
162 nr = x509.NoticeReference("org", [1, 2])
163 nr2 = x509.NoticeReference("org", [1, 2])
164 assert nr == nr2
165
166 def test_ne(self):
167 nr = x509.NoticeReference("org", [1, 2])
168 nr2 = x509.NoticeReference("org", [1])
169 nr3 = x509.NoticeReference(None, [1, 2])
170 assert nr != nr2
171 assert nr != nr3
172 assert nr != object()
173
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]174
175class TestUserNotice(object):
176 def test_notice_reference_invalid(self):
177 with pytest.raises(TypeError):
178 x509.UserNotice("invalid", None)
179
180 def test_notice_reference_none(self):
181 un = x509.UserNotice(None, "text")
182 assert un.notice_reference is None
183 assert un.explicit_text == "text"
184
185 def test_repr(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]186 un = x509.UserNotice(x509.NoticeReference(u"org", [1]), u"text")
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]187 if six.PY3:
188 assert repr(un) == (
189 "<UserNotice(notice_reference=<NoticeReference(organization='"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]190 "org', notice_numbers=[1])>, explicit_text='text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]191 )
192 else:
193 assert repr(un) == (
194 "<UserNotice(notice_reference=<NoticeReference(organization=u"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]195 "'org', notice_numbers=[1])>, explicit_text=u'text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]196 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]197
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]198 def test_eq(self):
199 nr = x509.NoticeReference("org", [1, 2])
200 nr2 = x509.NoticeReference("org", [1, 2])
201 un = x509.UserNotice(nr, "text")
202 un2 = x509.UserNotice(nr2, "text")
203 assert un == un2
204
205 def test_ne(self):
206 nr = x509.NoticeReference("org", [1, 2])
207 nr2 = x509.NoticeReference("org", [1])
208 un = x509.UserNotice(nr, "text")
209 un2 = x509.UserNotice(nr2, "text")
210 un3 = x509.UserNotice(nr, "text3")
211 assert un != un2
212 assert un != un3
213 assert un != object()
214
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]215
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]216class TestPolicyInformation(object):
217 def test_invalid_policy_identifier(self):
218 with pytest.raises(TypeError):
219 x509.PolicyInformation("notanoid", None)
220
221 def test_none_policy_qualifiers(self):
222 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), None)
223 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
224 assert pi.policy_qualifiers is None
225
226 def test_policy_qualifiers(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]227 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]228 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
229 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
230 assert pi.policy_qualifiers == pq
231
232 def test_invalid_policy_identifiers(self):
233 with pytest.raises(TypeError):
234 x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [1, 2])
235
236 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]237 pq = [u"string", x509.UserNotice(None, u"hi")]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]238 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]239 if six.PY3:
240 assert repr(pi) == (
241 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
242 "2.3, name=Unknown OID)>, policy_qualifiers=['string', <UserNo"
Paul Kehrer9aaef9e2015-05-11 10:49:20 -0500[diff] [blame]243 "tice(notice_reference=None, explicit_text='hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]244 )
245 else:
246 assert repr(pi) == (
247 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
248 "2.3, name=Unknown OID)>, policy_qualifiers=[u'string', <UserN"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]249 "otice(notice_reference=None, explicit_text=u'hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]250 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]251
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]252 def test_eq(self):
253 pi = x509.PolicyInformation(
254 x509.ObjectIdentifier("1.2.3"),
255 [u"string", x509.UserNotice(None, u"hi")]
256 )
257 pi2 = x509.PolicyInformation(
258 x509.ObjectIdentifier("1.2.3"),
259 [u"string", x509.UserNotice(None, u"hi")]
260 )
261 assert pi == pi2
262
263 def test_ne(self):
264 pi = x509.PolicyInformation(
265 x509.ObjectIdentifier("1.2.3"), [u"string"]
266 )
267 pi2 = x509.PolicyInformation(
268 x509.ObjectIdentifier("1.2.3"), [u"string2"]
269 )
270 pi3 = x509.PolicyInformation(
271 x509.ObjectIdentifier("1.2.3.4"), [u"string"]
272 )
273 assert pi != pi2
274 assert pi != pi3
275 assert pi != object()
276
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]277
278class TestCertificatePolicies(object):
279 def test_invalid_policies(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]280 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]281 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
282 with pytest.raises(TypeError):
283 x509.CertificatePolicies([1, pi])
284
285 def test_iter_len(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]286 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]287 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
288 cp = x509.CertificatePolicies([pi])
289 assert len(cp) == 1
290 for policyinfo in cp:
291 assert policyinfo == pi
292
293 def test_repr(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]294 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]295 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
296 cp = x509.CertificatePolicies([pi])
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]297 if six.PY3:
298 assert repr(cp) == (
299 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
300 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
301 "ers=['string'])>])>"
302 )
303 else:
304 assert repr(cp) == (
305 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
306 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
307 "ers=[u'string'])>])>"
308 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]309
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]310 def test_eq(self):
311 pi = x509.PolicyInformation(
312 x509.ObjectIdentifier("1.2.3"), [u"string"]
313 )
314 cp = x509.CertificatePolicies([pi])
315 pi2 = x509.PolicyInformation(
316 x509.ObjectIdentifier("1.2.3"), [u"string"]
317 )
318 cp2 = x509.CertificatePolicies([pi2])
319 assert cp == cp2
320
321 def test_ne(self):
322 pi = x509.PolicyInformation(
323 x509.ObjectIdentifier("1.2.3"), [u"string"]
324 )
325 cp = x509.CertificatePolicies([pi])
326 pi2 = x509.PolicyInformation(
327 x509.ObjectIdentifier("1.2.3"), [u"string2"]
328 )
329 cp2 = x509.CertificatePolicies([pi2])
330 assert cp != cp2
331 assert cp != object()
332
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]333
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]334@pytest.mark.requires_backend_interface(interface=RSABackend)
335@pytest.mark.requires_backend_interface(interface=X509Backend)
336class TestCertificatePoliciesExtension(object):
337 def test_cps_uri_policy_qualifier(self, backend):
338 cert = _load_cert(
339 os.path.join("x509", "custom", "cp_cps_uri.pem"),
340 x509.load_pem_x509_certificate,
341 backend
342 )
343
344 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]345 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]346 ).value
347
348 assert cp == x509.CertificatePolicies([
349 x509.PolicyInformation(
350 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
351 [u"http://other.com/cps"]
352 )
353 ])
354
355 def test_user_notice_with_notice_reference(self, backend):
356 cert = _load_cert(
357 os.path.join(
358 "x509", "custom", "cp_user_notice_with_notice_reference.pem"
359 ),
360 x509.load_pem_x509_certificate,
361 backend
362 )
363
364 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]365 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]366 ).value
367
368 assert cp == x509.CertificatePolicies([
369 x509.PolicyInformation(
370 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
371 [
372 u"http://example.com/cps",
373 u"http://other.com/cps",
374 x509.UserNotice(
375 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
376 u"thing"
377 )
378 ]
379 )
380 ])
381
382 def test_user_notice_with_explicit_text(self, backend):
383 cert = _load_cert(
384 os.path.join(
385 "x509", "custom", "cp_user_notice_with_explicit_text.pem"
386 ),
387 x509.load_pem_x509_certificate,
388 backend
389 )
390
391 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]392 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]393 ).value
394
395 assert cp == x509.CertificatePolicies([
396 x509.PolicyInformation(
397 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
398 [x509.UserNotice(None, u"thing")]
399 )
400 ])
401
402 def test_user_notice_no_explicit_text(self, backend):
403 cert = _load_cert(
404 os.path.join(
405 "x509", "custom", "cp_user_notice_no_explicit_text.pem"
406 ),
407 x509.load_pem_x509_certificate,
408 backend
409 )
410
411 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]412 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]413 ).value
414
415 assert cp == x509.CertificatePolicies([
416 x509.PolicyInformation(
417 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
418 [
419 x509.UserNotice(
420 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
421 None
422 )
423 ]
424 )
425 ])
426
427
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]428class TestKeyUsage(object):
429 def test_key_agreement_false_encipher_decipher_true(self):
430 with pytest.raises(ValueError):
431 x509.KeyUsage(
432 digital_signature=False,
433 content_commitment=False,
434 key_encipherment=False,
435 data_encipherment=False,
436 key_agreement=False,
437 key_cert_sign=False,
438 crl_sign=False,
439 encipher_only=True,
440 decipher_only=False
441 )
442
443 with pytest.raises(ValueError):
444 x509.KeyUsage(
445 digital_signature=False,
446 content_commitment=False,
447 key_encipherment=False,
448 data_encipherment=False,
449 key_agreement=False,
450 key_cert_sign=False,
451 crl_sign=False,
452 encipher_only=True,
453 decipher_only=True
454 )
455
456 with pytest.raises(ValueError):
457 x509.KeyUsage(
458 digital_signature=False,
459 content_commitment=False,
460 key_encipherment=False,
461 data_encipherment=False,
462 key_agreement=False,
463 key_cert_sign=False,
464 crl_sign=False,
465 encipher_only=False,
466 decipher_only=True
467 )
468
469 def test_properties_key_agreement_true(self):
470 ku = x509.KeyUsage(
471 digital_signature=True,
472 content_commitment=True,
473 key_encipherment=False,
474 data_encipherment=False,
475 key_agreement=False,
476 key_cert_sign=True,
477 crl_sign=False,
478 encipher_only=False,
479 decipher_only=False
480 )
481 assert ku.digital_signature is True
482 assert ku.content_commitment is True
483 assert ku.key_encipherment is False
484 assert ku.data_encipherment is False
485 assert ku.key_agreement is False
486 assert ku.key_cert_sign is True
487 assert ku.crl_sign is False
488
489 def test_key_agreement_true_properties(self):
490 ku = x509.KeyUsage(
491 digital_signature=False,
492 content_commitment=False,
493 key_encipherment=False,
494 data_encipherment=False,
495 key_agreement=True,
496 key_cert_sign=False,
497 crl_sign=False,
498 encipher_only=False,
499 decipher_only=True
500 )
501 assert ku.key_agreement is True
502 assert ku.encipher_only is False
503 assert ku.decipher_only is True
504
505 def test_key_agreement_false_properties(self):
506 ku = x509.KeyUsage(
507 digital_signature=False,
508 content_commitment=False,
509 key_encipherment=False,
510 data_encipherment=False,
511 key_agreement=False,
512 key_cert_sign=False,
513 crl_sign=False,
514 encipher_only=False,
515 decipher_only=False
516 )
517 assert ku.key_agreement is False
518 with pytest.raises(ValueError):
519 ku.encipher_only
520
521 with pytest.raises(ValueError):
522 ku.decipher_only
523
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]524 def test_repr_key_agreement_false(self):
525 ku = x509.KeyUsage(
526 digital_signature=True,
527 content_commitment=True,
528 key_encipherment=False,
529 data_encipherment=False,
530 key_agreement=False,
531 key_cert_sign=True,
532 crl_sign=False,
533 encipher_only=False,
534 decipher_only=False
535 )
536 assert repr(ku) == (
537 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
538 "cipherment=False, data_encipherment=False, key_agreement=False, k"
Paul Kehrerb372e672015-04-15 11:05:24 -0400[diff] [blame]539 "ey_cert_sign=True, crl_sign=False, encipher_only=None, decipher_o"
540 "nly=None)>"
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]541 )
542
543 def test_repr_key_agreement_true(self):
544 ku = x509.KeyUsage(
545 digital_signature=True,
546 content_commitment=True,
547 key_encipherment=False,
548 data_encipherment=False,
549 key_agreement=True,
550 key_cert_sign=True,
551 crl_sign=False,
552 encipher_only=False,
553 decipher_only=False
554 )
555 assert repr(ku) == (
556 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
557 "cipherment=False, data_encipherment=False, key_agreement=True, k"
558 "ey_cert_sign=True, crl_sign=False, encipher_only=False, decipher_"
559 "only=False)>"
560 )
561
Paul Kehrer8565f5e2015-05-13 09:57:09 -0500[diff] [blame]562 def test_eq(self):
563 ku = x509.KeyUsage(
564 digital_signature=False,
565 content_commitment=False,
566 key_encipherment=False,
567 data_encipherment=False,
568 key_agreement=True,
569 key_cert_sign=False,
570 crl_sign=False,
571 encipher_only=False,
572 decipher_only=True
573 )
574 ku2 = x509.KeyUsage(
575 digital_signature=False,
576 content_commitment=False,
577 key_encipherment=False,
578 data_encipherment=False,
579 key_agreement=True,
580 key_cert_sign=False,
581 crl_sign=False,
582 encipher_only=False,
583 decipher_only=True
584 )
585 assert ku == ku2
586
587 def test_ne(self):
588 ku = x509.KeyUsage(
589 digital_signature=False,
590 content_commitment=False,
591 key_encipherment=False,
592 data_encipherment=False,
593 key_agreement=True,
594 key_cert_sign=False,
595 crl_sign=False,
596 encipher_only=False,
597 decipher_only=True
598 )
599 ku2 = x509.KeyUsage(
600 digital_signature=False,
601 content_commitment=False,
602 key_encipherment=False,
603 data_encipherment=False,
604 key_agreement=False,
605 key_cert_sign=False,
606 crl_sign=False,
607 encipher_only=False,
608 decipher_only=False
609 )
610 assert ku != ku2
611 assert ku != object()
612
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]613
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]614class TestSubjectKeyIdentifier(object):
615 def test_properties(self):
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]616 value = binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]617 ski = x509.SubjectKeyIdentifier(value)
618 assert ski.digest == value
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]619
620 def test_repr(self):
621 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]622 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]623 )
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]624 ext = x509.Extension(ExtensionOID.SUBJECT_KEY_IDENTIFIER, False, ski)
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]625 if six.PY3:
626 assert repr(ext) == (
627 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
628 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
629 "igest=b\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
630 "\\xf7\\xff:\\xc9\')>)>"
631 )
632 else:
633 assert repr(ext) == (
634 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
635 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
636 "igest=\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
637 "\\xf7\\xff:\\xc9\')>)>"
638 )
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]639
640 def test_eq(self):
641 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]642 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]643 )
644 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]645 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]646 )
647 assert ski == ski2
648
649 def test_ne(self):
650 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]651 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]652 )
653 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]654 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]655 )
656 assert ski != ski2
657 assert ski != object()
658
659
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]660class TestAuthorityKeyIdentifier(object):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]661 def test_authority_cert_issuer_not_generalname(self):
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]662 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]663 x509.AuthorityKeyIdentifier(b"identifier", ["notname"], 3)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]664
665 def test_authority_cert_serial_number_not_integer(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]666 dirname = x509.DirectoryName(
667 x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]668 x509.NameAttribute(
669 x509.ObjectIdentifier('2.999.1'),
670 u'value1'
671 ),
672 x509.NameAttribute(
673 x509.ObjectIdentifier('2.999.2'),
674 u'value2'
675 ),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]676 ])
677 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]678 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]679 x509.AuthorityKeyIdentifier(b"identifier", [dirname], "notanint")
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]680
681 def test_authority_issuer_none_serial_not_none(self):
682 with pytest.raises(ValueError):
683 x509.AuthorityKeyIdentifier(b"identifier", None, 3)
684
685 def test_authority_issuer_not_none_serial_none(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]686 dirname = x509.DirectoryName(
687 x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]688 x509.NameAttribute(
689 x509.ObjectIdentifier('2.999.1'),
690 u'value1'
691 ),
692 x509.NameAttribute(
693 x509.ObjectIdentifier('2.999.2'),
694 u'value2'
695 ),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]696 ])
697 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]698 with pytest.raises(ValueError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]699 x509.AuthorityKeyIdentifier(b"identifier", [dirname], None)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]700
701 def test_authority_cert_serial_and_issuer_none(self):
702 aki = x509.AuthorityKeyIdentifier(b"id", None, None)
703 assert aki.key_identifier == b"id"
704 assert aki.authority_cert_issuer is None
705 assert aki.authority_cert_serial_number is None
706
707 def test_repr(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]708 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]709 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]710 )
711 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]712
713 if six.PY3:
714 assert repr(aki) == (
715 "<AuthorityKeyIdentifier(key_identifier=b'digest', authority_"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]716 "cert_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid="
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]717 "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value='myC"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]718 "N')>])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]719 )
720 else:
721 assert repr(aki) == (
722 "<AuthorityKeyIdentifier(key_identifier='digest', authority_ce"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]723 "rt_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid=<Ob"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]724 "jectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'myCN')"
725 ">])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]726 )
727
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]728 def test_eq(self):
729 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]730 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]731 )
732 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
733 dirname2 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]734 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]735 )
736 aki2 = x509.AuthorityKeyIdentifier(b"digest", [dirname2], 1234)
737 assert aki == aki2
738
739 def test_ne(self):
740 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]741 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]742 )
743 dirname5 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]744 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'aCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]745 )
746 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
747 aki2 = x509.AuthorityKeyIdentifier(b"diges", [dirname], 1234)
748 aki3 = x509.AuthorityKeyIdentifier(b"digest", None, None)
749 aki4 = x509.AuthorityKeyIdentifier(b"digest", [dirname], 12345)
750 aki5 = x509.AuthorityKeyIdentifier(b"digest", [dirname5], 12345)
751 assert aki != aki2
752 assert aki != aki3
753 assert aki != aki4
754 assert aki != aki5
755 assert aki != object()
756
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]757
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]758class TestBasicConstraints(object):
759 def test_ca_not_boolean(self):
760 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]761 x509.BasicConstraints(ca="notbool", path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]762
763 def test_path_length_not_ca(self):
764 with pytest.raises(ValueError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]765 x509.BasicConstraints(ca=False, path_length=0)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]766
767 def test_path_length_not_int(self):
768 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]769 x509.BasicConstraints(ca=True, path_length=1.1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]770
771 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]772 x509.BasicConstraints(ca=True, path_length="notint")
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]773
774 def test_path_length_negative(self):
775 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]776 x509.BasicConstraints(ca=True, path_length=-1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]777
778 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]779 na = x509.BasicConstraints(ca=True, path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]780 assert repr(na) == (
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]781 "<BasicConstraints(ca=True, path_length=None)>"
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]782 )
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]783
Paul Kehrer3a69b132015-05-13 10:03:46 -0500[diff] [blame]784 def test_eq(self):
785 na = x509.BasicConstraints(ca=True, path_length=None)
786 na2 = x509.BasicConstraints(ca=True, path_length=None)
787 assert na == na2
788
789 def test_ne(self):
790 na = x509.BasicConstraints(ca=True, path_length=None)
791 na2 = x509.BasicConstraints(ca=True, path_length=1)
792 na3 = x509.BasicConstraints(ca=False, path_length=None)
793 assert na != na2
794 assert na != na3
795 assert na != object()
796
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]797
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]798class TestExtendedKeyUsage(object):
799 def test_not_all_oids(self):
800 with pytest.raises(TypeError):
801 x509.ExtendedKeyUsage(["notoid"])
802
803 def test_iter_len(self):
804 eku = x509.ExtendedKeyUsage([
805 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
806 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
807 ])
808 assert len(eku) == 2
809 assert list(eku) == [
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]810 ExtendedKeyUsageOID.SERVER_AUTH,
811 ExtendedKeyUsageOID.CLIENT_AUTH
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]812 ]
813
Paul Kehrer23d10c32015-04-02 23:12:32 -0500[diff] [blame]814 def test_repr(self):
815 eku = x509.ExtendedKeyUsage([
816 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
817 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
818 ])
819 assert repr(eku) == (
820 "<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name="
821 "serverAuth)>, <ObjectIdentifier(oid=1.3.6.1.5.5.7.3.2, name=clien"
822 "tAuth)>])>"
823 )
824
Paul Kehrerb0476172015-05-02 19:34:51 -0500[diff] [blame]825 def test_eq(self):
826 eku = x509.ExtendedKeyUsage([
827 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
828 ])
829 eku2 = x509.ExtendedKeyUsage([
830 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
831 ])
832 assert eku == eku2
833
834 def test_ne(self):
835 eku = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6")])
836 eku2 = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6.1")])
837 assert eku != eku2
838 assert eku != object()
839
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]840
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]841@pytest.mark.requires_backend_interface(interface=RSABackend)
842@pytest.mark.requires_backend_interface(interface=X509Backend)
843class TestExtensions(object):
844 def test_no_extensions(self, backend):
845 cert = _load_cert(
846 os.path.join("x509", "verisign_md2_root.pem"),
847 x509.load_pem_x509_certificate,
848 backend
849 )
850 ext = cert.extensions
851 assert len(ext) == 0
852 assert list(ext) == []
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]853 with pytest.raises(x509.ExtensionNotFound) as exc:
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]854 ext.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]855
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]856 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]857
858 def test_one_extension(self, backend):
859 cert = _load_cert(
860 os.path.join(
861 "x509", "custom", "basic_constraints_not_critical.pem"
862 ),
863 x509.load_pem_x509_certificate,
864 backend
865 )
866 extensions = cert.extensions
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]867 ext = extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]868 assert ext is not None
869 assert ext.value.ca is False
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]870
871 def test_duplicate_extension(self, backend):
872 cert = _load_cert(
873 os.path.join(
874 "x509", "custom", "two_basic_constraints.pem"
875 ),
876 x509.load_pem_x509_certificate,
877 backend
878 )
879 with pytest.raises(x509.DuplicateExtension) as exc:
880 cert.extensions
881
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]882 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]883
884 def test_unsupported_critical_extension(self, backend):
885 cert = _load_cert(
886 os.path.join(
887 "x509", "custom", "unsupported_extension_critical.pem"
888 ),
889 x509.load_pem_x509_certificate,
890 backend
891 )
892 with pytest.raises(x509.UnsupportedExtension) as exc:
893 cert.extensions
894
895 assert exc.value.oid == x509.ObjectIdentifier("1.2.3.4")
896
897 def test_unsupported_extension(self, backend):
898 # TODO: this will raise an exception when all extensions are complete
899 cert = _load_cert(
900 os.path.join(
901 "x509", "custom", "unsupported_extension.pem"
902 ),
903 x509.load_pem_x509_certificate,
904 backend
905 )
906 extensions = cert.extensions
907 assert len(extensions) == 0
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]908
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]909 def test_no_extensions_get_for_class(self, backend):
910 cert = _load_cert(
911 os.path.join(
Phoebe Queencb5ec4e2015-08-12 15:06:26 +0100[diff] [blame]912 "x509", "cryptography.io.pem"
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]913 ),
914 x509.load_pem_x509_certificate,
915 backend
916 )
Phoebe Queenc93752b2015-08-12 10:54:46 +0100[diff] [blame]917 exts = cert.extensions
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]918 with pytest.raises(x509.ExtensionNotFound) as exc:
Phoebe Queencb5ec4e2015-08-12 15:06:26 +0100[diff] [blame]919 exts.get_extension_for_class(x509.IssuerAlternativeName)
920 assert exc.value.oid == ExtensionOID.ISSUER_ALTERNATIVE_NAME
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]921
Paul Kehrer5b90c972015-12-26 00:52:58 -0600[diff] [blame]922 def test_indexing(self, backend):
923 cert = _load_cert(
924 os.path.join("x509", "cryptography.io.pem"),
925 x509.load_pem_x509_certificate,
926 backend
927 )
928 exts = cert.extensions
929 assert exts[-1] == exts[7]
930 assert len(exts[3:5]) == 2
931 assert exts[2:4][0] == exts[2]
932 assert exts[2:4][1] == exts[3]
933
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]934 def test_one_extension_get_for_class(self, backend):
935 cert = _load_cert(
Phoebe Queen2cc111a2015-08-12 04:14:22 +0100[diff] [blame]936 os.path.join(
937 "x509", "custom", "basic_constraints_not_critical.pem"
938 ),
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]939 x509.load_pem_x509_certificate,
940 backend
941 )
942 ext = cert.extensions.get_extension_for_class(x509.BasicConstraints)
943 assert ext is not None
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]944 assert isinstance(ext.value, x509.BasicConstraints)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]945
Paul Kehrerafbe75b2015-10-20 08:08:43 -0500[diff] [blame]946 def test_repr(self, backend):
947 cert = _load_cert(
948 os.path.join(
949 "x509", "custom", "basic_constraints_not_critical.pem"
950 ),
951 x509.load_pem_x509_certificate,
952 backend
953 )
954 assert repr(cert.extensions) == (
955 "<Extensions([<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name"
956 "=basicConstraints)>, critical=False, value=<BasicConstraints(ca=F"
957 "alse, path_length=None)>)>])>"
958 )
959
Phoebe Queen2cc111a2015-08-12 04:14:22 +0100[diff] [blame]960
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]961@pytest.mark.requires_backend_interface(interface=RSABackend)
962@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerde813ea2015-03-28 12:44:34 -0500[diff] [blame]963class TestBasicConstraintsExtension(object):
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]964 def test_ca_true_pathlen_6(self, backend):
965 cert = _load_cert(
966 os.path.join(
967 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
968 ),
969 x509.load_der_x509_certificate,
970 backend
971 )
Phoebe Queen062dec72015-08-12 11:42:23 +0100[diff] [blame]972 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]973 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]974 )
975 assert ext is not None
976 assert ext.critical is True
977 assert ext.value.ca is True
978 assert ext.value.path_length == 6
979
980 def test_path_length_zero(self, backend):
981 cert = _load_cert(
982 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
983 x509.load_pem_x509_certificate,
984 backend
985 )
986 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]987 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]988 )
989 assert ext is not None
990 assert ext.critical is True
991 assert ext.value.ca is True
992 assert ext.value.path_length == 0
993
994 def test_ca_true_no_pathlen(self, backend):
995 cert = _load_cert(
996 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
997 x509.load_der_x509_certificate,
998 backend
999 )
1000 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1001 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1002 )
1003 assert ext is not None
1004 assert ext.critical is True
1005 assert ext.value.ca is True
1006 assert ext.value.path_length is None
1007
1008 def test_ca_false(self, backend):
1009 cert = _load_cert(
1010 os.path.join("x509", "cryptography.io.pem"),
1011 x509.load_pem_x509_certificate,
1012 backend
1013 )
1014 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1015 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1016 )
1017 assert ext is not None
1018 assert ext.critical is True
1019 assert ext.value.ca is False
1020 assert ext.value.path_length is None
1021
1022 def test_no_basic_constraints(self, backend):
1023 cert = _load_cert(
1024 os.path.join(
1025 "x509",
1026 "PKITS_data",
1027 "certs",
1028 "ValidCertificatePathTest1EE.crt"
1029 ),
1030 x509.load_der_x509_certificate,
1031 backend
1032 )
1033 with pytest.raises(x509.ExtensionNotFound):
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1034 cert.extensions.get_extension_for_oid(
1035 ExtensionOID.BASIC_CONSTRAINTS
1036 )
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1037
1038 def test_basic_constraint_not_critical(self, backend):
1039 cert = _load_cert(
1040 os.path.join(
1041 "x509", "custom", "basic_constraints_not_critical.pem"
1042 ),
1043 x509.load_pem_x509_certificate,
1044 backend
1045 )
1046 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1047 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1048 )
1049 assert ext is not None
1050 assert ext.critical is False
1051 assert ext.value.ca is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1052
1053
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1054class TestSubjectKeyIdentifierExtension(object):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1055 @pytest.mark.requires_backend_interface(interface=RSABackend)
1056 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1057 def test_subject_key_identifier(self, backend):
1058 cert = _load_cert(
1059 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1060 x509.load_der_x509_certificate,
1061 backend
1062 )
1063 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1064 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1065 )
1066 ski = ext.value
1067 assert ext is not None
1068 assert ext.critical is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1069 assert ski.digest == binascii.unhexlify(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]1070 b"580184241bbc2b52944a3da510721451f5af3ac9"
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1071 )
1072
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1073 @pytest.mark.requires_backend_interface(interface=RSABackend)
1074 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1075 def test_no_subject_key_identifier(self, backend):
1076 cert = _load_cert(
1077 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
1078 x509.load_pem_x509_certificate,
1079 backend
1080 )
1081 with pytest.raises(x509.ExtensionNotFound):
1082 cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1083 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1084 )
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1085
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1086 @pytest.mark.requires_backend_interface(interface=RSABackend)
1087 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1088 def test_from_rsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1089 cert = _load_cert(
1090 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1091 x509.load_der_x509_certificate,
1092 backend
1093 )
1094 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1095 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1096 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1097 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1098 cert.public_key()
1099 )
1100 assert ext.value == ski
1101
1102 @pytest.mark.requires_backend_interface(interface=DSABackend)
1103 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1104 def test_from_dsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1105 cert = _load_cert(
1106 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
1107 x509.load_pem_x509_certificate,
1108 backend
1109 )
1110
1111 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1112 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1113 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1114 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1115 cert.public_key()
1116 )
1117 assert ext.value == ski
1118
1119 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1120 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1121 def test_from_ec_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1122 _skip_curve_unsupported(backend, ec.SECP384R1())
1123 cert = _load_cert(
1124 os.path.join("x509", "ecdsa_root.pem"),
1125 x509.load_pem_x509_certificate,
1126 backend
1127 )
1128
1129 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1130 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1131 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1132 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1133 cert.public_key()
1134 )
1135 assert ext.value == ski
1136
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1137
1138@pytest.mark.requires_backend_interface(interface=RSABackend)
1139@pytest.mark.requires_backend_interface(interface=X509Backend)
1140class TestKeyUsageExtension(object):
1141 def test_no_key_usage(self, backend):
1142 cert = _load_cert(
1143 os.path.join("x509", "verisign_md2_root.pem"),
1144 x509.load_pem_x509_certificate,
1145 backend
1146 )
1147 ext = cert.extensions
1148 with pytest.raises(x509.ExtensionNotFound) as exc:
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1149 ext.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1150
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1151 assert exc.value.oid == ExtensionOID.KEY_USAGE
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1152
1153 def test_all_purposes(self, backend):
1154 cert = _load_cert(
1155 os.path.join(
1156 "x509", "custom", "all_key_usages.pem"
1157 ),
1158 x509.load_pem_x509_certificate,
1159 backend
1160 )
1161 extensions = cert.extensions
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1162 ext = extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1163 assert ext is not None
1164
1165 ku = ext.value
1166 assert ku.digital_signature is True
1167 assert ku.content_commitment is True
1168 assert ku.key_encipherment is True
1169 assert ku.data_encipherment is True
1170 assert ku.key_agreement is True
1171 assert ku.key_cert_sign is True
1172 assert ku.crl_sign is True
1173 assert ku.encipher_only is True
1174 assert ku.decipher_only is True
1175
1176 def test_key_cert_sign_crl_sign(self, backend):
1177 cert = _load_cert(
1178 os.path.join(
1179 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
1180 ),
1181 x509.load_der_x509_certificate,
1182 backend
1183 )
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1184 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1185 assert ext is not None
1186 assert ext.critical is True
1187
1188 ku = ext.value
1189 assert ku.digital_signature is False
1190 assert ku.content_commitment is False
1191 assert ku.key_encipherment is False
1192 assert ku.data_encipherment is False
1193 assert ku.key_agreement is False
1194 assert ku.key_cert_sign is True
1195 assert ku.crl_sign is True
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1196
1197
1198@pytest.mark.parametrize(
1199 "name", [
1200 x509.RFC822Name,
1201 x509.DNSName,
1202 x509.UniformResourceIdentifier
1203 ]
1204)
1205class TestTextGeneralNames(object):
1206 def test_not_text(self, name):
1207 with pytest.raises(TypeError):
1208 name(b"notaunicodestring")
1209
1210 with pytest.raises(TypeError):
1211 name(1.3)
1212
1213 def test_repr(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1214 gn = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1215 assert repr(gn) == "<{0}(value=string)>".format(name.__name__)
1216
1217 def test_eq(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1218 gn = name(u"string")
1219 gn2 = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1220 assert gn == gn2
1221
1222 def test_ne(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1223 gn = name(u"string")
1224 gn2 = name(u"string2")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1225 assert gn != gn2
1226 assert gn != object()
1227
1228
1229class TestDirectoryName(object):
1230 def test_not_name(self):
1231 with pytest.raises(TypeError):
1232 x509.DirectoryName(b"notaname")
1233
1234 with pytest.raises(TypeError):
1235 x509.DirectoryName(1.3)
1236
1237 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1238 name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'value1')])
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1239 gn = x509.DirectoryName(x509.Name([name]))
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]1240 if six.PY3:
1241 assert repr(gn) == (
1242 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1243 "Identifier(oid=2.5.4.3, name=commonName)>, value='value1')>])"
1244 ">])>)>"
1245 )
1246 else:
1247 assert repr(gn) == (
1248 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1249 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'value1')>]"
1250 ")>])>)>"
1251 )
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1252
1253 def test_eq(self):
1254 name = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1255 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1256 ])
1257 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1258 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1259 ])
1260 gn = x509.DirectoryName(x509.Name([name]))
1261 gn2 = x509.DirectoryName(x509.Name([name2]))
1262 assert gn == gn2
1263
1264 def test_ne(self):
1265 name = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1266 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1267 ])
1268 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1269 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1270 ])
1271 gn = x509.DirectoryName(x509.Name([name]))
1272 gn2 = x509.DirectoryName(x509.Name([name2]))
1273 assert gn != gn2
1274 assert gn != object()
1275
1276
Paul Kehrer01d5d0b2015-07-12 09:41:21 -0500[diff] [blame]1277class TestRFC822Name(object):
1278 def test_invalid_email(self):
1279 with pytest.raises(ValueError):
1280 x509.RFC822Name(u"Name <email>")
1281
1282 with pytest.raises(ValueError):
1283 x509.RFC822Name(u"")
1284
1285 def test_single_label(self):
1286 gn = x509.RFC822Name(u"administrator")
1287 assert gn.value == u"administrator"
1288
1289 def test_idna(self):
1290 gn = x509.RFC822Name(u"email@em\xe5\xefl.com")
1291 assert gn.value == u"email@em\xe5\xefl.com"
1292 assert gn._encoded == b"email@xn--eml-vla4c.com"
1293
1294
Paul Kehrere28d6c42015-07-12 14:59:37 -0500[diff] [blame]1295class TestUniformResourceIdentifier(object):
1296 def test_no_parsed_hostname(self):
1297 gn = x509.UniformResourceIdentifier(u"singlelabel")
1298 assert gn.value == u"singlelabel"
1299
1300 def test_with_port(self):
1301 gn = x509.UniformResourceIdentifier(u"singlelabel:443/test")
1302 assert gn.value == u"singlelabel:443/test"
1303
1304 def test_idna_no_port(self):
1305 gn = x509.UniformResourceIdentifier(
1306 u"http://\u043f\u044b\u043a\u0430.cryptography"
1307 )
1308 assert gn.value == u"http://\u043f\u044b\u043a\u0430.cryptography"
1309 assert gn._encoded == b"http://xn--80ato2c.cryptography"
1310
1311 def test_idna_with_port(self):
1312 gn = x509.UniformResourceIdentifier(
1313 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1314 )
1315 assert gn.value == (
1316 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1317 )
1318 assert gn._encoded == b"gopher://xn--80ato2c.cryptography:70/some/path"
1319
1320 def test_query_and_fragment(self):
1321 gn = x509.UniformResourceIdentifier(
1322 u"ldap://cryptography:90/path?query=true#somedata"
1323 )
1324 assert gn.value == u"ldap://cryptography:90/path?query=true#somedata"
1325
1326
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1327class TestRegisteredID(object):
1328 def test_not_oid(self):
1329 with pytest.raises(TypeError):
1330 x509.RegisteredID(b"notanoid")
1331
1332 with pytest.raises(TypeError):
1333 x509.RegisteredID(1.3)
1334
1335 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1336 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1337 assert repr(gn) == (
1338 "<RegisteredID(value=<ObjectIdentifier(oid=2.5.4.3, name=commonNam"
1339 "e)>)>"
1340 )
1341
1342 def test_eq(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1343 gn = x509.RegisteredID(NameOID.COMMON_NAME)
1344 gn2 = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1345 assert gn == gn2
1346
1347 def test_ne(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1348 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1349 gn2 = x509.RegisteredID(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1350 assert gn != gn2
1351 assert gn != object()
1352
1353
1354class TestIPAddress(object):
1355 def test_not_ipaddress(self):
1356 with pytest.raises(TypeError):
1357 x509.IPAddress(b"notanipaddress")
1358
1359 with pytest.raises(TypeError):
1360 x509.IPAddress(1.3)
1361
1362 def test_repr(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1363 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1364 assert repr(gn) == "<IPAddress(value=127.0.0.1)>"
1365
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1366 gn2 = x509.IPAddress(ipaddress.IPv6Address(u"ff::"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1367 assert repr(gn2) == "<IPAddress(value=ff::)>"
1368
Paul Kehrereb177932015-05-17 18:33:33 -0700[diff] [blame]1369 gn3 = x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24"))
1370 assert repr(gn3) == "<IPAddress(value=192.168.0.0/24)>"
1371
1372 gn4 = x509.IPAddress(ipaddress.IPv6Network(u"ff::/96"))
1373 assert repr(gn4) == "<IPAddress(value=ff::/96)>"
1374
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1375 def test_eq(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1376 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1377 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1378 assert gn == gn2
1379
1380 def test_ne(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1381 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1382 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.2"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1383 assert gn != gn2
1384 assert gn != object()
1385
1386
Joshua Tauberer18b6fc82015-07-05 21:44:51 +0000[diff] [blame]1387class TestOtherName(object):
1388 def test_invalid_args(self):
1389 with pytest.raises(TypeError):
1390 x509.OtherName(b"notanobjectidentifier", b"derdata")
1391
1392 with pytest.raises(TypeError):
1393 x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), u"notderdata")
1394
1395 def test_repr(self):
1396 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1397 if six.PY3:
1398 assert repr(gn) == (
1399 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1400 "name=Unknown OID)>, value=b'derdata')>"
1401 )
1402 else:
1403 assert repr(gn) == (
1404 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1405 "name=Unknown OID)>, value='derdata')>"
1406 )
1407
1408 gn = x509.OtherName(x509.ObjectIdentifier("2.5.4.65"), b"derdata")
1409 if six.PY3:
1410 assert repr(gn) == (
1411 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1412 "name=pseudonym)>, value=b'derdata')>"
1413 )
1414 else:
1415 assert repr(gn) == (
1416 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1417 "name=pseudonym)>, value='derdata')>"
1418 )
1419
1420 def test_eq(self):
1421 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1422 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1423 assert gn == gn2
1424
1425 def test_ne(self):
1426 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1427 assert gn != object()
1428
1429 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata2")
1430 assert gn != gn2
1431
1432 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.5"), b"derdata")
1433 assert gn != gn2
1434
1435
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1436class TestGeneralNames(object):
1437 def test_get_values_for_type(self):
1438 gns = x509.GeneralNames(
1439 [x509.DNSName(u"cryptography.io")]
1440 )
1441 names = gns.get_values_for_type(x509.DNSName)
1442 assert names == [u"cryptography.io"]
1443
1444 def test_iter_names(self):
1445 gns = x509.GeneralNames([
1446 x509.DNSName(u"cryptography.io"),
1447 x509.DNSName(u"crypto.local"),
1448 ])
1449 assert len(gns) == 2
1450 assert list(gns) == [
1451 x509.DNSName(u"cryptography.io"),
1452 x509.DNSName(u"crypto.local"),
1453 ]
1454
1455 def test_invalid_general_names(self):
1456 with pytest.raises(TypeError):
1457 x509.GeneralNames(
1458 [x509.DNSName(u"cryptography.io"), "invalid"]
1459 )
1460
1461 def test_repr(self):
1462 gns = x509.GeneralNames(
1463 [
1464 x509.DNSName(u"cryptography.io")
1465 ]
1466 )
1467 assert repr(gns) == (
1468 "<GeneralNames([<DNSName(value=cryptography.io)>])>"
1469 )
1470
1471 def test_eq(self):
1472 gns = x509.GeneralNames(
1473 [x509.DNSName(u"cryptography.io")]
1474 )
1475 gns2 = x509.GeneralNames(
1476 [x509.DNSName(u"cryptography.io")]
1477 )
1478 assert gns == gns2
1479
1480 def test_ne(self):
1481 gns = x509.GeneralNames(
1482 [x509.DNSName(u"cryptography.io")]
1483 )
1484 gns2 = x509.GeneralNames(
1485 [x509.RFC822Name(u"admin@cryptography.io")]
1486 )
1487 assert gns != gns2
1488 assert gns != object()
1489
1490
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1491class TestIssuerAlternativeName(object):
1492 def test_get_values_for_type(self):
1493 san = x509.IssuerAlternativeName(
1494 [x509.DNSName(u"cryptography.io")]
1495 )
1496 names = san.get_values_for_type(x509.DNSName)
1497 assert names == [u"cryptography.io"]
1498
1499 def test_iter_names(self):
1500 san = x509.IssuerAlternativeName([
1501 x509.DNSName(u"cryptography.io"),
1502 x509.DNSName(u"crypto.local"),
1503 ])
1504 assert len(san) == 2
1505 assert list(san) == [
1506 x509.DNSName(u"cryptography.io"),
1507 x509.DNSName(u"crypto.local"),
1508 ]
1509
1510 def test_invalid_general_names(self):
1511 with pytest.raises(TypeError):
1512 x509.IssuerAlternativeName(
1513 [x509.DNSName(u"cryptography.io"), "invalid"]
1514 )
1515
1516 def test_repr(self):
1517 san = x509.IssuerAlternativeName(
1518 [
1519 x509.DNSName(u"cryptography.io")
1520 ]
1521 )
1522 assert repr(san) == (
1523 "<IssuerAlternativeName("
1524 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
1525 )
1526
1527 def test_eq(self):
1528 san = x509.IssuerAlternativeName(
1529 [x509.DNSName(u"cryptography.io")]
1530 )
1531 san2 = x509.IssuerAlternativeName(
1532 [x509.DNSName(u"cryptography.io")]
1533 )
1534 assert san == san2
1535
1536 def test_ne(self):
1537 san = x509.IssuerAlternativeName(
1538 [x509.DNSName(u"cryptography.io")]
1539 )
1540 san2 = x509.IssuerAlternativeName(
1541 [x509.RFC822Name(u"admin@cryptography.io")]
1542 )
1543 assert san != san2
1544 assert san != object()
1545
1546
Alex Gaynorf1c17672015-06-20 14:20:20 -0400[diff] [blame]1547@pytest.mark.requires_backend_interface(interface=RSABackend)
1548@pytest.mark.requires_backend_interface(interface=X509Backend)
1549class TestRSAIssuerAlternativeNameExtension(object):
1550 def test_uri(self, backend):
1551 cert = _load_cert(
1552 os.path.join("x509", "custom", "ian_uri.pem"),
1553 x509.load_pem_x509_certificate,
1554 backend,
1555 )
1556 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1557 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Alex Gaynorf1c17672015-06-20 14:20:20 -0400[diff] [blame]1558 )
1559 assert list(ext.value) == [
1560 x509.UniformResourceIdentifier(u"http://path.to.root/root.crt"),
1561 ]
1562
1563
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]1564class TestCRLNumber(object):
1565 def test_eq(self):
1566 crl_number = x509.CRLNumber(15)
1567 assert crl_number == x509.CRLNumber(15)
1568
1569 def test_ne(self):
1570 crl_number = x509.CRLNumber(15)
1571 assert crl_number != x509.CRLNumber(14)
1572 assert crl_number != object()
1573
1574 def test_repr(self):
1575 crl_number = x509.CRLNumber(15)
1576 assert repr(crl_number) == "<CRLNumber(15)>"
1577
Paul Kehrera9718fc2015-12-22 22:55:35 -0600[diff] [blame]1578 def test_invalid_number(self):
1579 with pytest.raises(TypeError):
1580 x509.CRLNumber("notanumber")
1581
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]1582
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1583class TestSubjectAlternativeName(object):
1584 def test_get_values_for_type(self):
1585 san = x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1586 [x509.DNSName(u"cryptography.io")]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1587 )
1588 names = san.get_values_for_type(x509.DNSName)
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1589 assert names == [u"cryptography.io"]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1590
1591 def test_iter_names(self):
1592 san = x509.SubjectAlternativeName([
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1593 x509.DNSName(u"cryptography.io"),
1594 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1595 ])
1596 assert len(san) == 2
1597 assert list(san) == [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1598 x509.DNSName(u"cryptography.io"),
1599 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1600 ]
1601
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1602 def test_invalid_general_names(self):
1603 with pytest.raises(TypeError):
1604 x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1605 [x509.DNSName(u"cryptography.io"), "invalid"]
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1606 )
1607
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1608 def test_repr(self):
1609 san = x509.SubjectAlternativeName(
1610 [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1611 x509.DNSName(u"cryptography.io")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1612 ]
1613 )
1614 assert repr(san) == (
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1615 "<SubjectAlternativeName("
1616 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1617 )
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1618
Paul Kehrer58cc3972015-05-13 10:00:41 -0500[diff] [blame]1619 def test_eq(self):
1620 san = x509.SubjectAlternativeName(
1621 [x509.DNSName(u"cryptography.io")]
1622 )
1623 san2 = x509.SubjectAlternativeName(
1624 [x509.DNSName(u"cryptography.io")]
1625 )
1626 assert san == san2
1627
1628 def test_ne(self):
1629 san = x509.SubjectAlternativeName(
1630 [x509.DNSName(u"cryptography.io")]
1631 )
1632 san2 = x509.SubjectAlternativeName(
1633 [x509.RFC822Name(u"admin@cryptography.io")]
1634 )
1635 assert san != san2
1636 assert san != object()
1637
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1638
1639@pytest.mark.requires_backend_interface(interface=RSABackend)
1640@pytest.mark.requires_backend_interface(interface=X509Backend)
1641class TestRSASubjectAlternativeNameExtension(object):
1642 def test_dns_name(self, backend):
1643 cert = _load_cert(
1644 os.path.join("x509", "cryptography.io.pem"),
1645 x509.load_pem_x509_certificate,
1646 backend
1647 )
1648 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1649 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1650 )
1651 assert ext is not None
1652 assert ext.critical is False
1653
1654 san = ext.value
1655
1656 dns = san.get_values_for_type(x509.DNSName)
1657 assert dns == [u"www.cryptography.io", u"cryptography.io"]
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1658
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1659 def test_wildcard_dns_name(self, backend):
1660 cert = _load_cert(
1661 os.path.join("x509", "wildcard_san.pem"),
1662 x509.load_pem_x509_certificate,
1663 backend
1664 )
1665 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1666 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1667 )
1668
1669 dns = ext.value.get_values_for_type(x509.DNSName)
1670 assert dns == [
1671 u'*.langui.sh',
1672 u'langui.sh',
1673 u'*.saseliminator.com',
1674 u'saseliminator.com'
1675 ]
1676
Dominic Chen87bb9572015-10-09 00:23:07 -0400[diff] [blame]1677 def test_san_empty_hostname(self, backend):
1678 cert = _load_cert(
1679 os.path.join(
1680 "x509", "custom", "san_empty_hostname.pem"
1681 ),
1682 x509.load_pem_x509_certificate,
1683 backend
1684 )
1685 san = cert.extensions.get_extension_for_oid(
1686 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
1687 )
1688
1689 dns = san.value.get_values_for_type(x509.DNSName)
1690 assert dns == [u'']
1691
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1692 def test_san_wildcard_idna_dns_name(self, backend):
1693 cert = _load_cert(
1694 os.path.join("x509", "custom", "san_wildcard_idna.pem"),
1695 x509.load_pem_x509_certificate,
1696 backend
1697 )
1698 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1699 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1700 )
1701
1702 dns = ext.value.get_values_for_type(x509.DNSName)
1703 assert dns == [u'*.\u043f\u044b\u043a\u0430.cryptography']
1704
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1705 def test_unsupported_gn(self, backend):
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1706 cert = _load_cert(
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1707 os.path.join("x509", "san_x400address.der"),
1708 x509.load_der_x509_certificate,
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1709 backend
1710 )
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1711 with pytest.raises(x509.UnsupportedGeneralNameType) as exc:
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1712 cert.extensions
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1713
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1714 assert exc.value.type == 3
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1715
1716 def test_registered_id(self, backend):
1717 cert = _load_cert(
1718 os.path.join(
1719 "x509", "custom", "san_registered_id.pem"
1720 ),
1721 x509.load_pem_x509_certificate,
1722 backend
1723 )
1724 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1725 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1726 )
1727 assert ext is not None
1728 assert ext.critical is False
1729
1730 san = ext.value
1731 rid = san.get_values_for_type(x509.RegisteredID)
1732 assert rid == [x509.ObjectIdentifier("1.2.3.4")]
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1733
1734 def test_uri(self, backend):
1735 cert = _load_cert(
1736 os.path.join(
1737 "x509", "custom", "san_uri_with_port.pem"
1738 ),
1739 x509.load_pem_x509_certificate,
1740 backend
1741 )
1742 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1743 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1744 )
1745 assert ext is not None
1746 uri = ext.value.get_values_for_type(
1747 x509.UniformResourceIdentifier
1748 )
1749 assert uri == [
1750 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/path?q=s#hel"
1751 u"lo",
1752 u"http://someregulardomain.com",
1753 ]
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1754
1755 def test_ipaddress(self, backend):
1756 cert = _load_cert(
1757 os.path.join(
1758 "x509", "custom", "san_ipaddr.pem"
1759 ),
1760 x509.load_pem_x509_certificate,
1761 backend
1762 )
1763 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1764 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1765 )
1766 assert ext is not None
1767 assert ext.critical is False
1768
1769 san = ext.value
1770
1771 ip = san.get_values_for_type(x509.IPAddress)
1772 assert [
1773 ipaddress.ip_address(u"127.0.0.1"),
1774 ipaddress.ip_address(u"ff::")
1775 ] == ip
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1776
1777 def test_dirname(self, backend):
1778 cert = _load_cert(
1779 os.path.join(
1780 "x509", "custom", "san_dirname.pem"
1781 ),
1782 x509.load_pem_x509_certificate,
1783 backend
1784 )
1785 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1786 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1787 )
1788 assert ext is not None
1789 assert ext.critical is False
1790
1791 san = ext.value
1792
1793 dirname = san.get_values_for_type(x509.DirectoryName)
1794 assert [
1795 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1796 x509.NameAttribute(NameOID.COMMON_NAME, u'test'),
1797 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org'),
1798 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1799 ])
1800 ] == dirname
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1801
1802 def test_rfc822name(self, backend):
1803 cert = _load_cert(
1804 os.path.join(
1805 "x509", "custom", "san_rfc822_idna.pem"
1806 ),
1807 x509.load_pem_x509_certificate,
1808 backend
1809 )
1810 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1811 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1812 )
1813 assert ext is not None
1814 assert ext.critical is False
1815
1816 san = ext.value
1817
1818 rfc822name = san.get_values_for_type(x509.RFC822Name)
1819 assert [u"email@em\xe5\xefl.com"] == rfc822name
1820
Paul Kehrerb8968812015-05-15 09:01:34 -0700[diff] [blame]1821 def test_idna2003_invalid(self, backend):
1822 cert = _load_cert(
1823 os.path.join(
1824 "x509", "custom", "san_idna2003_dnsname.pem"
1825 ),
1826 x509.load_pem_x509_certificate,
1827 backend
1828 )
1829 with pytest.raises(UnicodeError):
1830 cert.extensions
1831
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1832 def test_unicode_rfc822_name_dns_name_uri(self, backend):
1833 cert = _load_cert(
1834 os.path.join(
1835 "x509", "custom", "san_idna_names.pem"
1836 ),
1837 x509.load_pem_x509_certificate,
1838 backend
1839 )
1840 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1841 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1842 )
1843 assert ext is not None
1844 rfc822_name = ext.value.get_values_for_type(x509.RFC822Name)
1845 dns_name = ext.value.get_values_for_type(x509.DNSName)
1846 uri = ext.value.get_values_for_type(x509.UniformResourceIdentifier)
1847 assert rfc822_name == [u"email@\u043f\u044b\u043a\u0430.cryptography"]
1848 assert dns_name == [u"\u043f\u044b\u043a\u0430.cryptography"]
1849 assert uri == [u"https://www.\u043f\u044b\u043a\u0430.cryptography"]
1850
1851 def test_rfc822name_dnsname_ipaddress_directoryname_uri(self, backend):
1852 cert = _load_cert(
1853 os.path.join(
1854 "x509", "custom", "san_email_dns_ip_dirname_uri.pem"
1855 ),
1856 x509.load_pem_x509_certificate,
1857 backend
1858 )
1859 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1860 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1861 )
1862 assert ext is not None
1863 assert ext.critical is False
1864
1865 san = ext.value
1866
1867 rfc822_name = san.get_values_for_type(x509.RFC822Name)
1868 uri = san.get_values_for_type(x509.UniformResourceIdentifier)
1869 dns = san.get_values_for_type(x509.DNSName)
1870 ip = san.get_values_for_type(x509.IPAddress)
1871 dirname = san.get_values_for_type(x509.DirectoryName)
1872 assert [u"user@cryptography.io"] == rfc822_name
Paul Kehrere3a330c2015-05-02 16:42:52 -0500[diff] [blame]1873 assert [u"https://cryptography.io"] == uri
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1874 assert [u"cryptography.io"] == dns
1875 assert [
1876 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1877 x509.NameAttribute(NameOID.COMMON_NAME, u'dirCN'),
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1878 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1879 NameOID.ORGANIZATION_NAME, u'Cryptographic Authority'
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1880 ),
1881 ])
1882 ] == dirname
1883 assert [
1884 ipaddress.ip_address(u"127.0.0.1"),
1885 ipaddress.ip_address(u"ff::")
1886 ] == ip
1887
1888 def test_invalid_rfc822name(self, backend):
1889 cert = _load_cert(
1890 os.path.join(
1891 "x509", "custom", "san_rfc822_names.pem"
1892 ),
1893 x509.load_pem_x509_certificate,
1894 backend
1895 )
1896 with pytest.raises(ValueError) as exc:
1897 cert.extensions
1898
1899 assert 'Invalid rfc822name value' in str(exc.value)
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]1900
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1901 def test_other_name(self, backend):
1902 cert = _load_cert(
1903 os.path.join(
1904 "x509", "custom", "san_other_name.pem"
1905 ),
1906 x509.load_pem_x509_certificate,
1907 backend
1908 )
1909
1910 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1911 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1912 )
1913 assert ext is not None
1914 assert ext.critical is False
1915
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]1916 expected = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"),
1917 b'\x16\x0bHello World')
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1918 assert len(ext.value) == 1
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]1919 assert list(ext.value)[0] == expected
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1920
1921 othernames = ext.value.get_values_for_type(x509.OtherName)
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]1922 assert othernames == [expected]
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1923
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]1924
1925@pytest.mark.requires_backend_interface(interface=RSABackend)
1926@pytest.mark.requires_backend_interface(interface=X509Backend)
1927class TestExtendedKeyUsageExtension(object):
1928 def test_eku(self, backend):
1929 cert = _load_cert(
1930 os.path.join(
1931 "x509", "custom", "extended_key_usage.pem"
1932 ),
1933 x509.load_pem_x509_certificate,
1934 backend
1935 )
1936 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1937 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]1938 )
1939 assert ext is not None
1940 assert ext.critical is False
1941
1942 assert [
1943 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
1944 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
1945 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.3"),
1946 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.4"),
1947 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.9"),
1948 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.8"),
1949 x509.ObjectIdentifier("2.5.29.37.0"),
1950 x509.ObjectIdentifier("2.16.840.1.113730.4.1"),
1951 ] == list(ext.value)
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1952
1953
1954class TestAccessDescription(object):
1955 def test_invalid_access_method(self):
Nick Bastind06763d2015-12-12 18:32:59 -0800[diff] [blame]1956 with pytest.raises(TypeError):
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1957 x509.AccessDescription("notanoid", x509.DNSName(u"test"))
1958
1959 def test_invalid_access_location(self):
1960 with pytest.raises(TypeError):
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]1961 x509.AccessDescription(
1962 AuthorityInformationAccessOID.CA_ISSUERS, "invalid"
1963 )
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1964
Nick Bastind2ecf862015-12-13 05:44:46 -0800[diff] [blame]1965 def test_valid_nonstandard_method(self):
Nick Bastin326fc8e2015-12-12 19:08:12 -0800[diff] [blame]1966 ad = x509.AccessDescription(
1967 ObjectIdentifier("2.999.1"),
1968 x509.UniformResourceIdentifier(u"http://example.com")
1969 )
Nick Bastin11f0f8a2015-12-12 18:54:12 -0800[diff] [blame]1970 assert ad is not None
1971
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1972 def test_repr(self):
1973 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]1974 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1975 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1976 )
1977 assert repr(ad) == (
1978 "<AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5."
1979 "5.7.48.1, name=OCSP)>, access_location=<UniformResourceIdentifier"
1980 "(value=http://ocsp.domain.com)>)>"
1981 )
1982
1983 def test_eq(self):
1984 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]1985 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1986 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1987 )
1988 ad2 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]1989 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1990 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1991 )
1992 assert ad == ad2
1993
1994 def test_ne(self):
1995 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]1996 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1997 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1998 )
1999 ad2 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2000 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2001 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2002 )
2003 ad3 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2004 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2005 x509.UniformResourceIdentifier(u"http://notthesame")
2006 )
2007 assert ad != ad2
2008 assert ad != ad3
2009 assert ad != object()
2010
2011
2012class TestAuthorityInformationAccess(object):
2013 def test_invalid_descriptions(self):
2014 with pytest.raises(TypeError):
2015 x509.AuthorityInformationAccess(["notanAccessDescription"])
2016
2017 def test_iter_len(self):
2018 aia = x509.AuthorityInformationAccess([
2019 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2020 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2021 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2022 ),
2023 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2024 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2025 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2026 )
2027 ])
2028 assert len(aia) == 2
2029 assert list(aia) == [
2030 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2031 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2032 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2033 ),
2034 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2035 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2036 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2037 )
2038 ]
2039
2040 def test_repr(self):
2041 aia = x509.AuthorityInformationAccess([
2042 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2043 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2044 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2045 ),
2046 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2047 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2048 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2049 )
2050 ])
2051 assert repr(aia) == (
2052 "<AuthorityInformationAccess([<AccessDescription(access_method=<Ob"
2053 "jectIdentifier(oid=1.3.6.1.5.5.7.48.1, name=OCSP)>, access_locati"
2054 "on=<UniformResourceIdentifier(value=http://ocsp.domain.com)>)>, <"
2055 "AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5.5"
2056 ".7.48.2, name=caIssuers)>, access_location=<UniformResourceIdenti"
2057 "fier(value=http://domain.com/ca.crt)>)>])>"
2058 )
2059
2060 def test_eq(self):
2061 aia = x509.AuthorityInformationAccess([
2062 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2063 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2064 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2065 ),
2066 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2067 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2068 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2069 )
2070 ])
2071 aia2 = x509.AuthorityInformationAccess([
2072 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2073 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2074 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2075 ),
2076 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2077 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2078 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2079 )
2080 ])
2081 assert aia == aia2
2082
2083 def test_ne(self):
2084 aia = x509.AuthorityInformationAccess([
2085 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2086 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2087 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2088 ),
2089 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2090 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2091 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2092 )
2093 ])
2094 aia2 = x509.AuthorityInformationAccess([
2095 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2096 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2097 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2098 ),
2099 ])
2100
2101 assert aia != aia2
2102 assert aia != object()
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2103
2104
2105@pytest.mark.requires_backend_interface(interface=RSABackend)
2106@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2107class TestAuthorityInformationAccessExtension(object):
2108 def test_aia_ocsp_ca_issuers(self, backend):
2109 cert = _load_cert(
2110 os.path.join("x509", "cryptography.io.pem"),
2111 x509.load_pem_x509_certificate,
2112 backend
2113 )
2114 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2115 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2116 )
2117 assert ext is not None
2118 assert ext.critical is False
2119
2120 assert ext.value == x509.AuthorityInformationAccess([
2121 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2122 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2123 x509.UniformResourceIdentifier(u"http://gv.symcd.com")
2124 ),
2125 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2126 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2127 x509.UniformResourceIdentifier(u"http://gv.symcb.com/gv.crt")
2128 ),
2129 ])
2130
2131 def test_aia_multiple_ocsp_ca_issuers(self, backend):
2132 cert = _load_cert(
2133 os.path.join("x509", "custom", "aia_ocsp_ca_issuers.pem"),
2134 x509.load_pem_x509_certificate,
2135 backend
2136 )
2137 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2138 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2139 )
2140 assert ext is not None
2141 assert ext.critical is False
2142
2143 assert ext.value == x509.AuthorityInformationAccess([
2144 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2145 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2146 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2147 ),
2148 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2149 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2150 x509.UniformResourceIdentifier(u"http://ocsp2.domain.com")
2151 ),
2152 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2153 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2154 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2155 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
2156 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2157 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2158 ]))
2159 ),
2160 ])
2161
2162 def test_aia_ocsp_only(self, backend):
2163 cert = _load_cert(
2164 os.path.join("x509", "custom", "aia_ocsp.pem"),
2165 x509.load_pem_x509_certificate,
2166 backend
2167 )
2168 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2169 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2170 )
2171 assert ext is not None
2172 assert ext.critical is False
2173
2174 assert ext.value == x509.AuthorityInformationAccess([
2175 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2176 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2177 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2178 ),
2179 ])
2180
2181 def test_aia_ca_issuers_only(self, backend):
2182 cert = _load_cert(
2183 os.path.join("x509", "custom", "aia_ca_issuers.pem"),
2184 x509.load_pem_x509_certificate,
2185 backend
2186 )
2187 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2188 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2189 )
2190 assert ext is not None
2191 assert ext.critical is False
2192
2193 assert ext.value == x509.AuthorityInformationAccess([
2194 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2195 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2196 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2197 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
2198 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2199 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2200 ]))
2201 ),
2202 ])
2203
2204
2205@pytest.mark.requires_backend_interface(interface=RSABackend)
2206@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2207class TestAuthorityKeyIdentifierExtension(object):
2208 def test_aki_keyid(self, backend):
2209 cert = _load_cert(
2210 os.path.join(
2211 "x509", "cryptography.io.pem"
2212 ),
2213 x509.load_pem_x509_certificate,
2214 backend
2215 )
2216 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2217 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2218 )
2219 assert ext is not None
2220 assert ext.critical is False
2221
2222 assert ext.value.key_identifier == (
2223 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08\xcbY"
2224 )
2225 assert ext.value.authority_cert_issuer is None
2226 assert ext.value.authority_cert_serial_number is None
2227
2228 def test_aki_all_fields(self, backend):
2229 cert = _load_cert(
2230 os.path.join(
2231 "x509", "custom", "authority_key_identifier.pem"
2232 ),
2233 x509.load_pem_x509_certificate,
2234 backend
2235 )
2236 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2237 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2238 )
2239 assert ext is not None
2240 assert ext.critical is False
2241
2242 assert ext.value.key_identifier == (
2243 b"9E>\xca=b\x1d\xea\x86I\xf6Z\xab@\xb7\xa4p\x98\xf1\xec"
2244 )
2245 assert ext.value.authority_cert_issuer == [
2246 x509.DirectoryName(
2247 x509.Name([
2248 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2249 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2250 ),
2251 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2252 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2253 )
2254 ])
2255 )
2256 ]
2257 assert ext.value.authority_cert_serial_number == 3
2258
2259 def test_aki_no_keyid(self, backend):
2260 cert = _load_cert(
2261 os.path.join(
2262 "x509", "custom", "authority_key_identifier_no_keyid.pem"
2263 ),
2264 x509.load_pem_x509_certificate,
2265 backend
2266 )
2267 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2268 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2269 )
2270 assert ext is not None
2271 assert ext.critical is False
2272
2273 assert ext.value.key_identifier is None
2274 assert ext.value.authority_cert_issuer == [
2275 x509.DirectoryName(
2276 x509.Name([
2277 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2278 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2279 ),
2280 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2281 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2282 )
2283 ])
2284 )
2285 ]
2286 assert ext.value.authority_cert_serial_number == 3
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2287
Paul Kehrer253929a2015-08-05 17:30:39 +0100[diff] [blame]2288 def test_from_certificate(self, backend):
2289 issuer_cert = _load_cert(
2290 os.path.join("x509", "rapidssl_sha256_ca_g3.pem"),
2291 x509.load_pem_x509_certificate,
2292 backend
2293 )
2294 cert = _load_cert(
2295 os.path.join("x509", "cryptography.io.pem"),
2296 x509.load_pem_x509_certificate,
2297 backend
2298 )
2299 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2300 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrer253929a2015-08-05 17:30:39 +0100[diff] [blame]2301 )
2302 aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(
2303 issuer_cert.public_key()
2304 )
2305 assert ext.value == aki
2306
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2307
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2308class TestNameConstraints(object):
2309 def test_ipaddress_wrong_type(self):
2310 with pytest.raises(TypeError):
2311 x509.NameConstraints(
2312 permitted_subtrees=[
2313 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2314 ],
2315 excluded_subtrees=None
2316 )
2317
2318 with pytest.raises(TypeError):
2319 x509.NameConstraints(
2320 permitted_subtrees=None,
2321 excluded_subtrees=[
2322 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2323 ]
2324 )
2325
2326 def test_ipaddress_allowed_type(self):
2327 permitted = [x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29"))]
2328 excluded = [x509.IPAddress(ipaddress.IPv4Network(u"10.10.0.0/24"))]
2329 nc = x509.NameConstraints(
2330 permitted_subtrees=permitted,
2331 excluded_subtrees=excluded
2332 )
2333 assert nc.permitted_subtrees == permitted
2334 assert nc.excluded_subtrees == excluded
2335
2336 def test_invalid_permitted_subtrees(self):
2337 with pytest.raises(TypeError):
2338 x509.NameConstraints("badpermitted", None)
2339
2340 def test_invalid_excluded_subtrees(self):
2341 with pytest.raises(TypeError):
2342 x509.NameConstraints(None, "badexcluded")
2343
2344 def test_no_subtrees(self):
2345 with pytest.raises(ValueError):
2346 x509.NameConstraints(None, None)
2347
2348 def test_permitted_none(self):
2349 excluded = [x509.DNSName(u"name.local")]
2350 nc = x509.NameConstraints(
2351 permitted_subtrees=None, excluded_subtrees=excluded
2352 )
2353 assert nc.permitted_subtrees is None
2354 assert nc.excluded_subtrees is not None
2355
2356 def test_excluded_none(self):
2357 permitted = [x509.DNSName(u"name.local")]
2358 nc = x509.NameConstraints(
2359 permitted_subtrees=permitted, excluded_subtrees=None
2360 )
2361 assert nc.permitted_subtrees is not None
2362 assert nc.excluded_subtrees is None
2363
2364 def test_repr(self):
2365 permitted = [x509.DNSName(u"name.local"), x509.DNSName(u"name2.local")]
2366 nc = x509.NameConstraints(
2367 permitted_subtrees=permitted,
2368 excluded_subtrees=None
2369 )
2370 assert repr(nc) == (
2371 "<NameConstraints(permitted_subtrees=[<DNSName(value=name.local)>"
2372 ", <DNSName(value=name2.local)>], excluded_subtrees=None)>"
2373 )
2374
Paul Kehrer31894282015-06-21 21:46:41 -0500[diff] [blame]2375 def test_eq(self):
2376 nc = x509.NameConstraints(
2377 permitted_subtrees=[x509.DNSName(u"name.local")],
2378 excluded_subtrees=[x509.DNSName(u"name2.local")]
2379 )
2380 nc2 = x509.NameConstraints(
2381 permitted_subtrees=[x509.DNSName(u"name.local")],
2382 excluded_subtrees=[x509.DNSName(u"name2.local")]
2383 )
2384 assert nc == nc2
2385
2386 def test_ne(self):
2387 nc = x509.NameConstraints(
2388 permitted_subtrees=[x509.DNSName(u"name.local")],
2389 excluded_subtrees=[x509.DNSName(u"name2.local")]
2390 )
2391 nc2 = x509.NameConstraints(
2392 permitted_subtrees=[x509.DNSName(u"name.local")],
2393 excluded_subtrees=None
2394 )
2395 nc3 = x509.NameConstraints(
2396 permitted_subtrees=None,
2397 excluded_subtrees=[x509.DNSName(u"name2.local")]
2398 )
2399
2400 assert nc != nc2
2401 assert nc != nc3
2402 assert nc != object()
2403
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2404
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2405@pytest.mark.requires_backend_interface(interface=RSABackend)
2406@pytest.mark.requires_backend_interface(interface=X509Backend)
2407class TestNameConstraintsExtension(object):
2408 def test_permitted_excluded(self, backend):
2409 cert = _load_cert(
2410 os.path.join(
2411 "x509", "custom", "nc_permitted_excluded_2.pem"
2412 ),
2413 x509.load_pem_x509_certificate,
2414 backend
2415 )
2416 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2417 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2418 ).value
2419 assert nc == x509.NameConstraints(
2420 permitted_subtrees=[
2421 x509.DNSName(u"zombo.local"),
2422 ],
2423 excluded_subtrees=[
2424 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2425 x509.NameAttribute(NameOID.COMMON_NAME, u"zombo")
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2426 ]))
2427 ]
2428 )
2429
2430 def test_permitted(self, backend):
2431 cert = _load_cert(
2432 os.path.join(
2433 "x509", "custom", "nc_permitted_2.pem"
2434 ),
2435 x509.load_pem_x509_certificate,
2436 backend
2437 )
2438 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2439 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2440 ).value
2441 assert nc == x509.NameConstraints(
2442 permitted_subtrees=[
2443 x509.DNSName(u"zombo.local"),
2444 ],
2445 excluded_subtrees=None
2446 )
2447
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2448 def test_permitted_with_leading_period(self, backend):
2449 cert = _load_cert(
2450 os.path.join(
2451 "x509", "custom", "nc_permitted.pem"
2452 ),
2453 x509.load_pem_x509_certificate,
2454 backend
2455 )
2456 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2457 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2458 ).value
2459 assert nc == x509.NameConstraints(
2460 permitted_subtrees=[
2461 x509.DNSName(u".cryptography.io"),
2462 x509.UniformResourceIdentifier(u"ftp://cryptography.test")
2463 ],
2464 excluded_subtrees=None
2465 )
2466
2467 def test_excluded_with_leading_period(self, backend):
2468 cert = _load_cert(
2469 os.path.join(
2470 "x509", "custom", "nc_excluded.pem"
2471 ),
2472 x509.load_pem_x509_certificate,
2473 backend
2474 )
2475 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2476 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2477 ).value
2478 assert nc == x509.NameConstraints(
2479 permitted_subtrees=None,
2480 excluded_subtrees=[
2481 x509.DNSName(u".cryptography.io"),
2482 x509.UniformResourceIdentifier(u"gopher://cryptography.test")
2483 ]
2484 )
2485
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2486 def test_permitted_excluded_with_ips(self, backend):
2487 cert = _load_cert(
2488 os.path.join(
2489 "x509", "custom", "nc_permitted_excluded.pem"
2490 ),
2491 x509.load_pem_x509_certificate,
2492 backend
2493 )
2494 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2495 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2496 ).value
2497 assert nc == x509.NameConstraints(
2498 permitted_subtrees=[
2499 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")),
2500 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")),
2501 ],
2502 excluded_subtrees=[
2503 x509.DNSName(u".domain.com"),
2504 x509.UniformResourceIdentifier(u"http://test.local"),
2505 ]
2506 )
2507
Paul Kehrera72ebaf2015-07-01 21:07:37 -0500[diff] [blame]2508 def test_single_ip_netmask(self, backend):
2509 cert = _load_cert(
2510 os.path.join(
2511 "x509", "custom", "nc_single_ip_netmask.pem"
2512 ),
2513 x509.load_pem_x509_certificate,
2514 backend
2515 )
2516 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2517 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrera72ebaf2015-07-01 21:07:37 -0500[diff] [blame]2518 ).value
2519 assert nc == x509.NameConstraints(
2520 permitted_subtrees=[
2521 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/128")),
2522 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.1/32")),
2523 ],
2524 excluded_subtrees=None
2525 )
2526
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2527 def test_invalid_netmask(self, backend):
2528 cert = _load_cert(
2529 os.path.join(
2530 "x509", "custom", "nc_invalid_ip_netmask.pem"
2531 ),
2532 x509.load_pem_x509_certificate,
2533 backend
2534 )
2535 with pytest.raises(ValueError):
2536 cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2537 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2538 )
2539
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2540
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2541class TestDistributionPoint(object):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2542 def test_distribution_point_full_name_not_general_names(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2543 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2544 x509.DistributionPoint(["notgn"], None, None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2545
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2546 def test_distribution_point_relative_name_not_name(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2547 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2548 x509.DistributionPoint(None, "notname", None, None)
2549
2550 def test_distribution_point_full_and_relative_not_none(self):
2551 with pytest.raises(ValueError):
2552 x509.DistributionPoint("data", "notname", None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2553
2554 def test_crl_issuer_not_general_names(self):
2555 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2556 x509.DistributionPoint(None, None, None, ["notgn"])
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2557
2558 def test_reason_not_reasonflags(self):
2559 with pytest.raises(TypeError):
2560 x509.DistributionPoint(
2561 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2562 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2563 frozenset(["notreasonflags"]),
2564 None
2565 )
2566
2567 def test_reason_not_frozenset(self):
2568 with pytest.raises(TypeError):
2569 x509.DistributionPoint(
2570 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2571 None,
2572 [x509.ReasonFlags.ca_compromise],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2573 None
2574 )
2575
2576 def test_disallowed_reasons(self):
2577 with pytest.raises(ValueError):
2578 x509.DistributionPoint(
2579 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2580 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2581 frozenset([x509.ReasonFlags.unspecified]),
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2582 None
2583 )
2584
2585 with pytest.raises(ValueError):
2586 x509.DistributionPoint(
2587 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2588 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2589 frozenset([x509.ReasonFlags.remove_from_crl]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2590 None
2591 )
2592
2593 def test_reason_only(self):
2594 with pytest.raises(ValueError):
2595 x509.DistributionPoint(
2596 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2597 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2598 frozenset([x509.ReasonFlags.aa_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2599 None
2600 )
2601
2602 def test_eq(self):
2603 dp = x509.DistributionPoint(
2604 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2605 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2606 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2607 [
2608 x509.DirectoryName(
2609 x509.Name([
2610 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2611 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2612 )
2613 ])
2614 )
2615 ],
2616 )
2617 dp2 = x509.DistributionPoint(
2618 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2619 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2620 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2621 [
2622 x509.DirectoryName(
2623 x509.Name([
2624 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2625 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2626 )
2627 ])
2628 )
2629 ],
2630 )
2631 assert dp == dp2
2632
2633 def test_ne(self):
2634 dp = x509.DistributionPoint(
2635 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2636 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2637 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2638 [
2639 x509.DirectoryName(
2640 x509.Name([
2641 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2642 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2643 )
2644 ])
2645 )
2646 ],
2647 )
2648 dp2 = x509.DistributionPoint(
2649 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2650 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2651 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2652 None
2653 )
2654 assert dp != dp2
2655 assert dp != object()
2656
2657 def test_repr(self):
2658 dp = x509.DistributionPoint(
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2659 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2660 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2661 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN")
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2662 ]),
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2663 frozenset([x509.ReasonFlags.ca_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2664 [
2665 x509.DirectoryName(
2666 x509.Name([
2667 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2668 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2669 )
2670 ])
2671 )
2672 ],
2673 )
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2674 if six.PY3:
2675 assert repr(dp) == (
2676 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2677 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]2678 ">, value='myCN')>])>, reasons=frozenset({<ReasonFlags.ca_comp"
2679 "romise: 'cACompromise'>}), crl_issuer=[<DirectoryName(value=<"
2680 "Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name="
2681 "commonName)>, value='Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2682 )
2683 else:
2684 assert repr(dp) == (
2685 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2686 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2687 ">, value=u'myCN')>])>, reasons=frozenset([<ReasonFlags.ca_com"
2688 "promise: 'cACompromise'>]), crl_issuer=[<DirectoryName(value="
2689 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
2690 "=commonName)>, value=u'Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2691 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2692
2693
2694class TestCRLDistributionPoints(object):
2695 def test_invalid_distribution_points(self):
2696 with pytest.raises(TypeError):
2697 x509.CRLDistributionPoints(["notadistributionpoint"])
2698
2699 def test_iter_len(self):
2700 cdp = x509.CRLDistributionPoints([
2701 x509.DistributionPoint(
2702 [x509.UniformResourceIdentifier(u"http://domain")],
2703 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2704 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2705 None
2706 ),
2707 x509.DistributionPoint(
2708 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2709 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2710 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2711 x509.ReasonFlags.key_compromise,
2712 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2713 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2714 None
2715 ),
2716 ])
2717 assert len(cdp) == 2
2718 assert list(cdp) == [
2719 x509.DistributionPoint(
2720 [x509.UniformResourceIdentifier(u"http://domain")],
2721 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2722 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2723 None
2724 ),
2725 x509.DistributionPoint(
2726 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2727 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2728 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2729 x509.ReasonFlags.key_compromise,
2730 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2731 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2732 None
2733 ),
2734 ]
2735
2736 def test_repr(self):
2737 cdp = x509.CRLDistributionPoints([
2738 x509.DistributionPoint(
2739 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2740 None,
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2741 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2742 None
2743 ),
2744 ])
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2745 if six.PY3:
2746 assert repr(cdp) == (
2747 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2748 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2749 "ne, reasons=frozenset({<ReasonFlags.key_compromise: 'keyComp"
2750 "romise'>}), crl_issuer=None)>])>"
2751 )
2752 else:
2753 assert repr(cdp) == (
2754 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2755 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2756 "ne, reasons=frozenset([<ReasonFlags.key_compromise: 'keyComp"
2757 "romise'>]), crl_issuer=None)>])>"
2758 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2759
2760 def test_eq(self):
2761 cdp = x509.CRLDistributionPoints([
2762 x509.DistributionPoint(
2763 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2764 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2765 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2766 x509.ReasonFlags.key_compromise,
2767 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2768 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2769 [x509.UniformResourceIdentifier(u"uri://thing")],
2770 ),
2771 ])
2772 cdp2 = x509.CRLDistributionPoints([
2773 x509.DistributionPoint(
2774 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2775 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2776 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2777 x509.ReasonFlags.key_compromise,
2778 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2779 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2780 [x509.UniformResourceIdentifier(u"uri://thing")],
2781 ),
2782 ])
2783 assert cdp == cdp2
2784
2785 def test_ne(self):
2786 cdp = x509.CRLDistributionPoints([
2787 x509.DistributionPoint(
2788 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2789 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2790 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2791 x509.ReasonFlags.key_compromise,
2792 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2793 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2794 [x509.UniformResourceIdentifier(u"uri://thing")],
2795 ),
2796 ])
2797 cdp2 = x509.CRLDistributionPoints([
2798 x509.DistributionPoint(
2799 [x509.UniformResourceIdentifier(u"ftp://domain2")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2800 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2801 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2802 x509.ReasonFlags.key_compromise,
2803 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2804 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2805 [x509.UniformResourceIdentifier(u"uri://thing")],
2806 ),
2807 ])
2808 cdp3 = x509.CRLDistributionPoints([
2809 x509.DistributionPoint(
2810 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2811 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2812 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2813 [x509.UniformResourceIdentifier(u"uri://thing")],
2814 ),
2815 ])
2816 cdp4 = x509.CRLDistributionPoints([
2817 x509.DistributionPoint(
2818 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2819 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2820 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2821 x509.ReasonFlags.key_compromise,
2822 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2823 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2824 [x509.UniformResourceIdentifier(u"uri://thing2")],
2825 ),
2826 ])
2827 assert cdp != cdp2
2828 assert cdp != cdp3
2829 assert cdp != cdp4
2830 assert cdp != object()
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2831
2832
2833@pytest.mark.requires_backend_interface(interface=RSABackend)
2834@pytest.mark.requires_backend_interface(interface=X509Backend)
2835class TestCRLDistributionPointsExtension(object):
2836 def test_fullname_and_crl_issuer(self, backend):
2837 cert = _load_cert(
2838 os.path.join(
2839 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest28EE.crt"
2840 ),
2841 x509.load_der_x509_certificate,
2842 backend
2843 )
2844
2845 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2846 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2847 ).value
2848
2849 assert cdps == x509.CRLDistributionPoints([
2850 x509.DistributionPoint(
2851 full_name=[x509.DirectoryName(
2852 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2853 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2854 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2855 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2856 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2857 ),
2858 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2859 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2860 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2861 ),
2862 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2863 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2864 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2865 ),
2866 ])
2867 )],
2868 relative_name=None,
2869 reasons=None,
2870 crl_issuer=[x509.DirectoryName(
2871 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2872 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2873 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2874 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2875 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2876 ),
2877 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2878 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2879 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2880 ),
2881 ])
2882 )],
2883 )
2884 ])
2885
2886 def test_relativename_and_crl_issuer(self, backend):
2887 cert = _load_cert(
2888 os.path.join(
2889 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest29EE.crt"
2890 ),
2891 x509.load_der_x509_certificate,
2892 backend
2893 )
2894
2895 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2896 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2897 ).value
2898
2899 assert cdps == x509.CRLDistributionPoints([
2900 x509.DistributionPoint(
2901 full_name=None,
2902 relative_name=x509.Name([
2903 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2904 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2905 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2906 ),
2907 ]),
2908 reasons=None,
2909 crl_issuer=[x509.DirectoryName(
2910 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2911 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2912 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2913 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2914 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2915 ),
2916 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2917 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2918 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2919 ),
2920 ])
2921 )],
2922 )
2923 ])
2924
2925 def test_fullname_crl_issuer_reasons(self, backend):
2926 cert = _load_cert(
2927 os.path.join(
2928 "x509", "custom", "cdp_fullname_reasons_crl_issuer.pem"
2929 ),
2930 x509.load_pem_x509_certificate,
2931 backend
2932 )
2933
2934 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2935 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2936 ).value
2937
2938 assert cdps == x509.CRLDistributionPoints([
2939 x509.DistributionPoint(
2940 full_name=[x509.UniformResourceIdentifier(
2941 u"http://myhost.com/myca.crl"
2942 )],
2943 relative_name=None,
2944 reasons=frozenset([
2945 x509.ReasonFlags.key_compromise,
2946 x509.ReasonFlags.ca_compromise
2947 ]),
2948 crl_issuer=[x509.DirectoryName(
2949 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2950 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2951 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2952 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2953 ),
2954 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2955 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2956 ),
2957 ])
2958 )],
2959 )
2960 ])
2961
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]2962 def test_all_reasons(self, backend):
2963 cert = _load_cert(
2964 os.path.join(
2965 "x509", "custom", "cdp_all_reasons.pem"
2966 ),
2967 x509.load_pem_x509_certificate,
2968 backend
2969 )
2970
2971 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2972 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]2973 ).value
2974
2975 assert cdps == x509.CRLDistributionPoints([
2976 x509.DistributionPoint(
2977 full_name=[x509.UniformResourceIdentifier(
2978 u"http://domain.com/some.crl"
2979 )],
2980 relative_name=None,
2981 reasons=frozenset([
2982 x509.ReasonFlags.key_compromise,
2983 x509.ReasonFlags.ca_compromise,
2984 x509.ReasonFlags.affiliation_changed,
2985 x509.ReasonFlags.superseded,
2986 x509.ReasonFlags.privilege_withdrawn,
2987 x509.ReasonFlags.cessation_of_operation,
2988 x509.ReasonFlags.aa_compromise,
2989 x509.ReasonFlags.certificate_hold,
2990 ]),
2991 crl_issuer=None
2992 )
2993 ])
2994
2995 def test_single_reason(self, backend):
2996 cert = _load_cert(
2997 os.path.join(
2998 "x509", "custom", "cdp_reason_aa_compromise.pem"
2999 ),
3000 x509.load_pem_x509_certificate,
3001 backend
3002 )
3003
3004 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3005 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3006 ).value
3007
3008 assert cdps == x509.CRLDistributionPoints([
3009 x509.DistributionPoint(
3010 full_name=[x509.UniformResourceIdentifier(
3011 u"http://domain.com/some.crl"
3012 )],
3013 relative_name=None,
3014 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
3015 crl_issuer=None
3016 )
3017 ])
3018
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3019 def test_crl_issuer_only(self, backend):
3020 cert = _load_cert(
3021 os.path.join(
3022 "x509", "custom", "cdp_crl_issuer.pem"
3023 ),
3024 x509.load_pem_x509_certificate,
3025 backend
3026 )
3027
3028 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3029 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3030 ).value
3031
3032 assert cdps == x509.CRLDistributionPoints([
3033 x509.DistributionPoint(
3034 full_name=None,
3035 relative_name=None,
3036 reasons=None,
3037 crl_issuer=[x509.DirectoryName(
3038 x509.Name([
3039 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3040 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3041 ),
3042 ])
3043 )],
3044 )
3045 ])
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3046
Dominic Chen87bb9572015-10-09 00:23:07 -0400[diff] [blame]3047 def test_crl_empty_hostname(self, backend):
3048 cert = _load_cert(
3049 os.path.join(
3050 "x509", "custom", "cdp_empty_hostname.pem"
3051 ),
3052 x509.load_pem_x509_certificate,
3053 backend
3054 )
3055
3056 cdps = cert.extensions.get_extension_for_oid(
3057 ExtensionOID.CRL_DISTRIBUTION_POINTS
3058 ).value
3059
3060 assert cdps == x509.CRLDistributionPoints([
3061 x509.DistributionPoint(
3062 full_name=[x509.UniformResourceIdentifier(
3063 u"ldap:/CN=A,OU=B,dc=C,DC=D?E?F?G?H=I"
3064 )],
3065 relative_name=None,
3066 reasons=None,
3067 crl_issuer=None
3068 )
3069 ])
3070
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3071
Paul Kehrerf54a50b2015-06-17 18:31:26 -0600[diff] [blame]3072@pytest.mark.requires_backend_interface(interface=RSABackend)
3073@pytest.mark.requires_backend_interface(interface=X509Backend)
3074class TestOCSPNoCheckExtension(object):
3075 def test_nocheck(self, backend):
3076 cert = _load_cert(
3077 os.path.join(
3078 "x509", "custom", "ocsp_nocheck.pem"
3079 ),
3080 x509.load_pem_x509_certificate,
3081 backend
3082 )
3083 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3084 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf54a50b2015-06-17 18:31:26 -0600[diff] [blame]3085 )
3086 assert isinstance(ext.value, x509.OCSPNoCheck)
3087
3088
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3089class TestInhibitAnyPolicy(object):
3090 def test_not_int(self):
3091 with pytest.raises(TypeError):
3092 x509.InhibitAnyPolicy("notint")
3093
3094 def test_negative_int(self):
3095 with pytest.raises(ValueError):
3096 x509.InhibitAnyPolicy(-1)
3097
3098 def test_repr(self):
3099 iap = x509.InhibitAnyPolicy(0)
3100 assert repr(iap) == "<InhibitAnyPolicy(skip_certs=0)>"
3101
3102 def test_eq(self):
3103 iap = x509.InhibitAnyPolicy(1)
3104 iap2 = x509.InhibitAnyPolicy(1)
3105 assert iap == iap2
3106
3107 def test_ne(self):
3108 iap = x509.InhibitAnyPolicy(1)
3109 iap2 = x509.InhibitAnyPolicy(4)
3110 assert iap != iap2
3111 assert iap != object()
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]3112
3113
3114@pytest.mark.requires_backend_interface(interface=RSABackend)
3115@pytest.mark.requires_backend_interface(interface=X509Backend)
3116class TestInhibitAnyPolicyExtension(object):
3117 def test_nocheck(self, backend):
3118 cert = _load_cert(
3119 os.path.join(
3120 "x509", "custom", "inhibit_any_policy_5.pem"
3121 ),
3122 x509.load_pem_x509_certificate,
3123 backend
3124 )
3125 iap = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3126 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]3127 ).value
3128 assert iap.skip_certs == 5
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]3129
3130
3131@pytest.mark.requires_backend_interface(interface=RSABackend)
3132@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1b7500f2015-08-01 20:56:27 +0100[diff] [blame]3133class TestInvalidExtension(object):
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]3134 def test_invalid_certificate_policies_data(self, backend):
3135 cert = _load_cert(
3136 os.path.join(
3137 "x509", "custom", "cp_invalid.pem"
3138 ),
3139 x509.load_pem_x509_certificate,
3140 backend
3141 )
3142 with pytest.raises(ValueError):
3143 cert.extensions