Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 7f40239ea2a8ac276f8dbf07fd51d1ff5e98c565 / . / tests / test_x509_ext.py
blob: b707156ae1df7113fef5c89f943f8adeff1dfc51 [file] [log] [blame]
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]7import binascii
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]8import datetime
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]9import ipaddress
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]10import os
11
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]12import pytest
13
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]14import six
15
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]16from cryptography import utils, x509
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]17from cryptography.hazmat.backends.interfaces import (
18 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
19)
Marti4739cfc2016-08-02 04:03:25 +0300[diff] [blame]20from cryptography.hazmat.primitives import hashes
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]21from cryptography.hazmat.primitives.asymmetric import ec
Marti4739cfc2016-08-02 04:03:25 +0300[diff] [blame]22from cryptography.x509 import DNSName, NameConstraints, SubjectAlternativeName
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]23from cryptography.x509.oid import (
Nick Bastin326fc8e2015-12-12 19:08:12 -0800[diff] [blame]24 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID,
25 NameOID, ObjectIdentifier
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]26)
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]27
Marti4739cfc2016-08-02 04:03:25 +0300[diff] [blame]28from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]29from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]30from .test_x509 import _load_cert
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]31
32
Marti4739cfc2016-08-02 04:03:25 +0300[diff] [blame]33def _make_certbuilder(private_key):
34 name = x509.Name(
35 [x509.NameAttribute(NameOID.COMMON_NAME, u'example.org')])
36 return (
37 x509.CertificateBuilder()
38 .subject_name(name)
39 .issuer_name(name)
40 .public_key(private_key.public_key())
41 .serial_number(777)
42 .not_valid_before(datetime.datetime(1999, 1, 1))
43 .not_valid_after(datetime.datetime(2020, 1, 1))
44 )
45
46
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]47class TestExtension(object):
48 def test_not_an_oid(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]49 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]50 with pytest.raises(TypeError):
51 x509.Extension("notanoid", True, bc)
52
53 def test_critical_not_a_bool(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]54 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]55 with pytest.raises(TypeError):
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]56 x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, "notabool", bc)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]57
58 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]59 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]60 ext = x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, True, bc)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]61 assert repr(ext) == (
62 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConst"
63 "raints)>, critical=True, value=<BasicConstraints(ca=False, path"
64 "_length=None)>)>"
65 )
66
Paul Kehrer58e870c2015-05-17 09:15:30 -0700[diff] [blame]67 def test_eq(self):
68 ext1 = x509.Extension(
69 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
70 )
71 ext2 = x509.Extension(
72 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
73 )
74 assert ext1 == ext2
75
76 def test_ne(self):
77 ext1 = x509.Extension(
78 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
79 )
80 ext2 = x509.Extension(
81 x509.ObjectIdentifier('1.2.3.5'), False, 'value'
82 )
83 ext3 = x509.Extension(
84 x509.ObjectIdentifier('1.2.3.4'), True, 'value'
85 )
86 ext4 = x509.Extension(
87 x509.ObjectIdentifier('1.2.3.4'), False, 'value4'
88 )
89 assert ext1 != ext2
90 assert ext1 != ext3
91 assert ext1 != ext4
92 assert ext1 != object()
93
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]94
Paul Kehrer14fd6972015-12-30 10:58:25 -0600[diff] [blame]95class TestUnrecognizedExtension(object):
96 def test_invalid_oid(self):
97 with pytest.raises(TypeError):
98 x509.UnrecognizedExtension("notanoid", b"somedata")
99
100 def test_eq(self):
101 ext1 = x509.UnrecognizedExtension(
102 x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x01"
103 )
104 ext2 = x509.UnrecognizedExtension(
105 x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x01"
106 )
107 assert ext1 == ext2
108
109 def test_ne(self):
110 ext1 = x509.UnrecognizedExtension(
111 x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x01"
112 )
113 ext2 = x509.UnrecognizedExtension(
114 x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x02"
115 )
116 ext3 = x509.UnrecognizedExtension(
117 x509.ObjectIdentifier("1.2.3.5"), b"\x03\x02\x01"
118 )
119 assert ext1 != ext2
120 assert ext1 != ext3
121 assert ext1 != object()
122
123 def test_repr(self):
124 ext1 = x509.UnrecognizedExtension(
125 x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x01"
126 )
Paul Kehrer50e9dd82015-12-30 12:20:55 -0600[diff] [blame]127 if six.PY3:
128 assert repr(ext1) == (
129 "<UnrecognizedExtension(oid=<ObjectIdentifier(oid=1.2.3.4, "
130 "name=Unknown OID)>, value=b'\\x03\\x02\\x01')>"
131 )
132 else:
133 assert repr(ext1) == (
134 "<UnrecognizedExtension(oid=<ObjectIdentifier(oid=1.2.3.4, "
135 "name=Unknown OID)>, value='\\x03\\x02\\x01')>"
136 )
Paul Kehrer14fd6972015-12-30 10:58:25 -0600[diff] [blame]137
138 def test_hash(self):
139 ext1 = x509.UnrecognizedExtension(
140 x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x01"
141 )
142 ext2 = x509.UnrecognizedExtension(
143 x509.ObjectIdentifier("1.2.3.4"), b"\x03\x02\x01"
144 )
145 ext3 = x509.UnrecognizedExtension(
146 x509.ObjectIdentifier("1.2.3.5"), b"\x03\x02\x01"
147 )
148 assert hash(ext1) == hash(ext2)
149 assert hash(ext1) != hash(ext3)
150
151
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]152class TestCertificateIssuer(object):
153 def test_iter_names(self):
154 ci = x509.CertificateIssuer([
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]155 x509.DNSName(b"cryptography.io"),
156 x509.DNSName(b"crypto.local"),
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]157 ])
158 assert len(ci) == 2
159 assert list(ci) == [
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]160 x509.DNSName(b"cryptography.io"),
161 x509.DNSName(b"crypto.local"),
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]162 ]
163
Paul Kehrer5c999d32015-12-26 17:45:20 -0600[diff] [blame]164 def test_indexing(self):
165 ci = x509.CertificateIssuer([
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]166 x509.DNSName(b"cryptography.io"),
167 x509.DNSName(b"crypto.local"),
168 x509.DNSName(b"another.local"),
Paul Kehrer5c999d32015-12-26 17:45:20 -0600[diff] [blame]169 x509.RFC822Name(u"email@another.local"),
170 x509.UniformResourceIdentifier(u"http://another.local"),
171 ])
172 assert ci[-1] == ci[4]
173 assert ci[2:6:2] == [ci[2], ci[4]]
174
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]175 def test_eq(self):
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]176 ci1 = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")])
177 ci2 = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")])
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]178 assert ci1 == ci2
179
180 def test_ne(self):
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]181 ci1 = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")])
182 ci2 = x509.CertificateIssuer([x509.DNSName(b"somethingelse.tld")])
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]183 assert ci1 != ci2
184 assert ci1 != object()
185
186 def test_repr(self):
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]187 ci = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")])
188 if six.PY3:
189 assert repr(ci) == (
190 "<CertificateIssuer(<GeneralNames([<DNSName(bytes_value="
191 "b'cryptography.io')>])>)>"
192 )
193 else:
194 assert repr(ci) == (
195 "<CertificateIssuer(<GeneralNames([<DNSName(bytes_value="
196 "'cryptography.io')>])>)>"
197 )
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]198
199 def test_get_values_for_type(self):
200 ci = x509.CertificateIssuer(
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]201 [x509.DNSName(b"cryptography.io")]
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]202 )
203 names = ci.get_values_for_type(x509.DNSName)
204 assert names == [u"cryptography.io"]
205
206
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]207class TestCRLReason(object):
208 def test_invalid_reason_flags(self):
209 with pytest.raises(TypeError):
210 x509.CRLReason("notareason")
211
212 def test_eq(self):
213 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
214 reason2 = x509.CRLReason(x509.ReasonFlags.unspecified)
215 assert reason1 == reason2
216
217 def test_ne(self):
218 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
219 reason2 = x509.CRLReason(x509.ReasonFlags.ca_compromise)
220 assert reason1 != reason2
221 assert reason1 != object()
222
Alex Gaynor07d5cae2015-12-27 15:30:39 -0500[diff] [blame]223 def test_hash(self):
224 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
225 reason2 = x509.CRLReason(x509.ReasonFlags.unspecified)
226 reason3 = x509.CRLReason(x509.ReasonFlags.ca_compromise)
227
228 assert hash(reason1) == hash(reason2)
229 assert hash(reason1) != hash(reason3)
230
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]231 def test_repr(self):
232 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
233 assert repr(reason1) == (
234 "<CRLReason(reason=ReasonFlags.unspecified)>"
235 )
236
237
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]238class TestInvalidityDate(object):
239 def test_invalid_invalidity_date(self):
240 with pytest.raises(TypeError):
241 x509.InvalidityDate("notadate")
242
243 def test_eq(self):
244 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
245 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
246 assert invalid1 == invalid2
247
248 def test_ne(self):
249 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
250 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 2))
251 assert invalid1 != invalid2
252 assert invalid1 != object()
253
254 def test_repr(self):
255 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
256 assert repr(invalid1) == (
257 "<InvalidityDate(invalidity_date=2015-01-01 01:01:00)>"
258 )
259
Paul Kehrer67cde762015-12-26 11:37:14 -0600[diff] [blame]260 def test_hash(self):
261 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
262 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
263 invalid3 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 2))
264 assert hash(invalid1) == hash(invalid2)
265 assert hash(invalid1) != hash(invalid3)
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]266
Paul Kehrerc0297dd2015-12-26 11:37:57 -0600[diff] [blame]267
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]268class TestNoticeReference(object):
269 def test_notice_numbers_not_all_int(self):
270 with pytest.raises(TypeError):
271 x509.NoticeReference("org", [1, 2, "three"])
272
273 def test_notice_numbers_none(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]274 with pytest.raises(TypeError):
275 x509.NoticeReference("org", None)
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]276
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]277 def test_iter_input(self):
278 numbers = [1, 3, 4]
279 nr = x509.NoticeReference(u"org", iter(numbers))
280 assert list(nr.notice_numbers) == numbers
281
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]282 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]283 nr = x509.NoticeReference(u"org", [1, 3, 4])
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]284
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]285 if six.PY3:
286 assert repr(nr) == (
287 "<NoticeReference(organization='org', notice_numbers=[1, 3, 4"
288 "])>"
289 )
290 else:
291 assert repr(nr) == (
292 "<NoticeReference(organization=u'org', notice_numbers=[1, 3, "
293 "4])>"
294 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]295
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]296 def test_eq(self):
297 nr = x509.NoticeReference("org", [1, 2])
298 nr2 = x509.NoticeReference("org", [1, 2])
299 assert nr == nr2
300
301 def test_ne(self):
302 nr = x509.NoticeReference("org", [1, 2])
303 nr2 = x509.NoticeReference("org", [1])
304 nr3 = x509.NoticeReference(None, [1, 2])
305 assert nr != nr2
306 assert nr != nr3
307 assert nr != object()
308
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]309
310class TestUserNotice(object):
311 def test_notice_reference_invalid(self):
312 with pytest.raises(TypeError):
313 x509.UserNotice("invalid", None)
314
315 def test_notice_reference_none(self):
316 un = x509.UserNotice(None, "text")
317 assert un.notice_reference is None
318 assert un.explicit_text == "text"
319
320 def test_repr(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]321 un = x509.UserNotice(x509.NoticeReference(u"org", [1]), u"text")
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]322 if six.PY3:
323 assert repr(un) == (
324 "<UserNotice(notice_reference=<NoticeReference(organization='"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]325 "org', notice_numbers=[1])>, explicit_text='text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]326 )
327 else:
328 assert repr(un) == (
329 "<UserNotice(notice_reference=<NoticeReference(organization=u"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]330 "'org', notice_numbers=[1])>, explicit_text=u'text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]331 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]332
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]333 def test_eq(self):
334 nr = x509.NoticeReference("org", [1, 2])
335 nr2 = x509.NoticeReference("org", [1, 2])
336 un = x509.UserNotice(nr, "text")
337 un2 = x509.UserNotice(nr2, "text")
338 assert un == un2
339
340 def test_ne(self):
341 nr = x509.NoticeReference("org", [1, 2])
342 nr2 = x509.NoticeReference("org", [1])
343 un = x509.UserNotice(nr, "text")
344 un2 = x509.UserNotice(nr2, "text")
345 un3 = x509.UserNotice(nr, "text3")
346 assert un != un2
347 assert un != un3
348 assert un != object()
349
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]350
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]351class TestPolicyInformation(object):
352 def test_invalid_policy_identifier(self):
353 with pytest.raises(TypeError):
354 x509.PolicyInformation("notanoid", None)
355
356 def test_none_policy_qualifiers(self):
357 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), None)
358 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
359 assert pi.policy_qualifiers is None
360
361 def test_policy_qualifiers(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]362 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]363 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
364 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
365 assert pi.policy_qualifiers == pq
366
367 def test_invalid_policy_identifiers(self):
368 with pytest.raises(TypeError):
369 x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [1, 2])
370
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]371 def test_iter_input(self):
372 qual = [u"foo", u"bar"]
373 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), iter(qual))
374 assert list(pi.policy_qualifiers) == qual
375
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]376 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]377 pq = [u"string", x509.UserNotice(None, u"hi")]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]378 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]379 if six.PY3:
380 assert repr(pi) == (
381 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
382 "2.3, name=Unknown OID)>, policy_qualifiers=['string', <UserNo"
Paul Kehrer9aaef9e2015-05-11 10:49:20 -0500[diff] [blame]383 "tice(notice_reference=None, explicit_text='hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]384 )
385 else:
386 assert repr(pi) == (
387 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
388 "2.3, name=Unknown OID)>, policy_qualifiers=[u'string', <UserN"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]389 "otice(notice_reference=None, explicit_text=u'hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]390 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]391
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]392 def test_eq(self):
393 pi = x509.PolicyInformation(
394 x509.ObjectIdentifier("1.2.3"),
395 [u"string", x509.UserNotice(None, u"hi")]
396 )
397 pi2 = x509.PolicyInformation(
398 x509.ObjectIdentifier("1.2.3"),
399 [u"string", x509.UserNotice(None, u"hi")]
400 )
401 assert pi == pi2
402
403 def test_ne(self):
404 pi = x509.PolicyInformation(
405 x509.ObjectIdentifier("1.2.3"), [u"string"]
406 )
407 pi2 = x509.PolicyInformation(
408 x509.ObjectIdentifier("1.2.3"), [u"string2"]
409 )
410 pi3 = x509.PolicyInformation(
411 x509.ObjectIdentifier("1.2.3.4"), [u"string"]
412 )
413 assert pi != pi2
414 assert pi != pi3
415 assert pi != object()
416
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]417
Fraser Tweedaled607dd72017-05-29 16:33:20 -0500[diff] [blame]418@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]419class TestCertificatePolicies(object):
420 def test_invalid_policies(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]421 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]422 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
423 with pytest.raises(TypeError):
424 x509.CertificatePolicies([1, pi])
425
426 def test_iter_len(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]427 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]428 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
429 cp = x509.CertificatePolicies([pi])
430 assert len(cp) == 1
431 for policyinfo in cp:
432 assert policyinfo == pi
433
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]434 def test_iter_input(self):
435 policies = [
436 x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [u"string"])
437 ]
438 cp = x509.CertificatePolicies(iter(policies))
439 assert list(cp) == policies
440
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]441 def test_repr(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]442 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]443 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
444 cp = x509.CertificatePolicies([pi])
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]445 if six.PY3:
446 assert repr(cp) == (
447 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
448 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
449 "ers=['string'])>])>"
450 )
451 else:
452 assert repr(cp) == (
453 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
454 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
455 "ers=[u'string'])>])>"
456 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]457
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]458 def test_eq(self):
459 pi = x509.PolicyInformation(
460 x509.ObjectIdentifier("1.2.3"), [u"string"]
461 )
462 cp = x509.CertificatePolicies([pi])
463 pi2 = x509.PolicyInformation(
464 x509.ObjectIdentifier("1.2.3"), [u"string"]
465 )
466 cp2 = x509.CertificatePolicies([pi2])
467 assert cp == cp2
468
469 def test_ne(self):
470 pi = x509.PolicyInformation(
471 x509.ObjectIdentifier("1.2.3"), [u"string"]
472 )
473 cp = x509.CertificatePolicies([pi])
474 pi2 = x509.PolicyInformation(
475 x509.ObjectIdentifier("1.2.3"), [u"string2"]
476 )
477 cp2 = x509.CertificatePolicies([pi2])
478 assert cp != cp2
479 assert cp != object()
480
Paul Kehrere8db7bd2015-12-27 17:32:57 -0600[diff] [blame]481 def test_indexing(self):
482 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [u"test"])
483 pi2 = x509.PolicyInformation(x509.ObjectIdentifier("1.2.4"), [u"test"])
484 pi3 = x509.PolicyInformation(x509.ObjectIdentifier("1.2.5"), [u"test"])
485 pi4 = x509.PolicyInformation(x509.ObjectIdentifier("1.2.6"), [u"test"])
486 pi5 = x509.PolicyInformation(x509.ObjectIdentifier("1.2.7"), [u"test"])
487 cp = x509.CertificatePolicies([pi, pi2, pi3, pi4, pi5])
488 assert cp[-1] == cp[4]
489 assert cp[2:6:2] == [cp[2], cp[4]]
490
Fraser Tweedaled607dd72017-05-29 16:33:20 -0500[diff] [blame]491 def test_long_oid(self, backend):
492 """
493 Test that parsing a CertificatePolicies ext with
494 a very long OID succeeds.
495 """
496 cert = _load_cert(
497 os.path.join("x509", "bigoid.pem"),
498 x509.load_pem_x509_certificate,
499 backend
500 )
501 ext = cert.extensions.get_extension_for_class(
502 x509.CertificatePolicies)
503
504 oid = x509.ObjectIdentifier(
505 "1.3.6.1.4.1.311.21.8.8950086.10656446.2706058"
506 ".12775672.480128.147.13466065.13029902"
507 )
508
509 assert ext.value[0].policy_identifier == oid
510
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]511
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]512@pytest.mark.requires_backend_interface(interface=RSABackend)
513@pytest.mark.requires_backend_interface(interface=X509Backend)
514class TestCertificatePoliciesExtension(object):
515 def test_cps_uri_policy_qualifier(self, backend):
516 cert = _load_cert(
517 os.path.join("x509", "custom", "cp_cps_uri.pem"),
518 x509.load_pem_x509_certificate,
519 backend
520 )
521
522 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]523 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]524 ).value
525
526 assert cp == x509.CertificatePolicies([
527 x509.PolicyInformation(
528 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
529 [u"http://other.com/cps"]
530 )
531 ])
532
533 def test_user_notice_with_notice_reference(self, backend):
534 cert = _load_cert(
535 os.path.join(
536 "x509", "custom", "cp_user_notice_with_notice_reference.pem"
537 ),
538 x509.load_pem_x509_certificate,
539 backend
540 )
541
542 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]543 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]544 ).value
545
546 assert cp == x509.CertificatePolicies([
547 x509.PolicyInformation(
548 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
549 [
550 u"http://example.com/cps",
551 u"http://other.com/cps",
552 x509.UserNotice(
553 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
554 u"thing"
555 )
556 ]
557 )
558 ])
559
560 def test_user_notice_with_explicit_text(self, backend):
561 cert = _load_cert(
562 os.path.join(
563 "x509", "custom", "cp_user_notice_with_explicit_text.pem"
564 ),
565 x509.load_pem_x509_certificate,
566 backend
567 )
568
569 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]570 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]571 ).value
572
573 assert cp == x509.CertificatePolicies([
574 x509.PolicyInformation(
575 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
576 [x509.UserNotice(None, u"thing")]
577 )
578 ])
579
580 def test_user_notice_no_explicit_text(self, backend):
581 cert = _load_cert(
582 os.path.join(
583 "x509", "custom", "cp_user_notice_no_explicit_text.pem"
584 ),
585 x509.load_pem_x509_certificate,
586 backend
587 )
588
589 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]590 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]591 ).value
592
593 assert cp == x509.CertificatePolicies([
594 x509.PolicyInformation(
595 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
596 [
597 x509.UserNotice(
598 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
599 None
600 )
601 ]
602 )
603 ])
604
605
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]606class TestKeyUsage(object):
607 def test_key_agreement_false_encipher_decipher_true(self):
608 with pytest.raises(ValueError):
609 x509.KeyUsage(
610 digital_signature=False,
611 content_commitment=False,
612 key_encipherment=False,
613 data_encipherment=False,
614 key_agreement=False,
615 key_cert_sign=False,
616 crl_sign=False,
617 encipher_only=True,
618 decipher_only=False
619 )
620
621 with pytest.raises(ValueError):
622 x509.KeyUsage(
623 digital_signature=False,
624 content_commitment=False,
625 key_encipherment=False,
626 data_encipherment=False,
627 key_agreement=False,
628 key_cert_sign=False,
629 crl_sign=False,
630 encipher_only=True,
631 decipher_only=True
632 )
633
634 with pytest.raises(ValueError):
635 x509.KeyUsage(
636 digital_signature=False,
637 content_commitment=False,
638 key_encipherment=False,
639 data_encipherment=False,
640 key_agreement=False,
641 key_cert_sign=False,
642 crl_sign=False,
643 encipher_only=False,
644 decipher_only=True
645 )
646
647 def test_properties_key_agreement_true(self):
648 ku = x509.KeyUsage(
649 digital_signature=True,
650 content_commitment=True,
651 key_encipherment=False,
652 data_encipherment=False,
653 key_agreement=False,
654 key_cert_sign=True,
655 crl_sign=False,
656 encipher_only=False,
657 decipher_only=False
658 )
659 assert ku.digital_signature is True
660 assert ku.content_commitment is True
661 assert ku.key_encipherment is False
662 assert ku.data_encipherment is False
663 assert ku.key_agreement is False
664 assert ku.key_cert_sign is True
665 assert ku.crl_sign is False
666
667 def test_key_agreement_true_properties(self):
668 ku = x509.KeyUsage(
669 digital_signature=False,
670 content_commitment=False,
671 key_encipherment=False,
672 data_encipherment=False,
673 key_agreement=True,
674 key_cert_sign=False,
675 crl_sign=False,
676 encipher_only=False,
677 decipher_only=True
678 )
679 assert ku.key_agreement is True
680 assert ku.encipher_only is False
681 assert ku.decipher_only is True
682
683 def test_key_agreement_false_properties(self):
684 ku = x509.KeyUsage(
685 digital_signature=False,
686 content_commitment=False,
687 key_encipherment=False,
688 data_encipherment=False,
689 key_agreement=False,
690 key_cert_sign=False,
691 crl_sign=False,
692 encipher_only=False,
693 decipher_only=False
694 )
695 assert ku.key_agreement is False
696 with pytest.raises(ValueError):
697 ku.encipher_only
698
699 with pytest.raises(ValueError):
700 ku.decipher_only
701
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]702 def test_repr_key_agreement_false(self):
703 ku = x509.KeyUsage(
704 digital_signature=True,
705 content_commitment=True,
706 key_encipherment=False,
707 data_encipherment=False,
708 key_agreement=False,
709 key_cert_sign=True,
710 crl_sign=False,
711 encipher_only=False,
712 decipher_only=False
713 )
714 assert repr(ku) == (
715 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
716 "cipherment=False, data_encipherment=False, key_agreement=False, k"
Paul Kehrerb372e672015-04-15 11:05:24 -0400[diff] [blame]717 "ey_cert_sign=True, crl_sign=False, encipher_only=None, decipher_o"
718 "nly=None)>"
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]719 )
720
721 def test_repr_key_agreement_true(self):
722 ku = x509.KeyUsage(
723 digital_signature=True,
724 content_commitment=True,
725 key_encipherment=False,
726 data_encipherment=False,
727 key_agreement=True,
728 key_cert_sign=True,
729 crl_sign=False,
730 encipher_only=False,
731 decipher_only=False
732 )
733 assert repr(ku) == (
734 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
735 "cipherment=False, data_encipherment=False, key_agreement=True, k"
736 "ey_cert_sign=True, crl_sign=False, encipher_only=False, decipher_"
737 "only=False)>"
738 )
739
Paul Kehrer8565f5e2015-05-13 09:57:09 -0500[diff] [blame]740 def test_eq(self):
741 ku = x509.KeyUsage(
742 digital_signature=False,
743 content_commitment=False,
744 key_encipherment=False,
745 data_encipherment=False,
746 key_agreement=True,
747 key_cert_sign=False,
748 crl_sign=False,
749 encipher_only=False,
750 decipher_only=True
751 )
752 ku2 = x509.KeyUsage(
753 digital_signature=False,
754 content_commitment=False,
755 key_encipherment=False,
756 data_encipherment=False,
757 key_agreement=True,
758 key_cert_sign=False,
759 crl_sign=False,
760 encipher_only=False,
761 decipher_only=True
762 )
763 assert ku == ku2
764
765 def test_ne(self):
766 ku = x509.KeyUsage(
767 digital_signature=False,
768 content_commitment=False,
769 key_encipherment=False,
770 data_encipherment=False,
771 key_agreement=True,
772 key_cert_sign=False,
773 crl_sign=False,
774 encipher_only=False,
775 decipher_only=True
776 )
777 ku2 = x509.KeyUsage(
778 digital_signature=False,
779 content_commitment=False,
780 key_encipherment=False,
781 data_encipherment=False,
782 key_agreement=False,
783 key_cert_sign=False,
784 crl_sign=False,
785 encipher_only=False,
786 decipher_only=False
787 )
788 assert ku != ku2
789 assert ku != object()
790
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]791
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]792class TestSubjectKeyIdentifier(object):
793 def test_properties(self):
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]794 value = binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]795 ski = x509.SubjectKeyIdentifier(value)
796 assert ski.digest == value
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]797
798 def test_repr(self):
799 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]800 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]801 )
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]802 ext = x509.Extension(ExtensionOID.SUBJECT_KEY_IDENTIFIER, False, ski)
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]803 if six.PY3:
804 assert repr(ext) == (
805 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
806 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
807 "igest=b\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
808 "\\xf7\\xff:\\xc9\')>)>"
809 )
810 else:
811 assert repr(ext) == (
812 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
813 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
814 "igest=\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
815 "\\xf7\\xff:\\xc9\')>)>"
816 )
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]817
818 def test_eq(self):
819 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]820 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]821 )
822 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]823 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]824 )
825 assert ski == ski2
826
827 def test_ne(self):
828 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]829 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]830 )
831 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]832 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]833 )
834 assert ski != ski2
835 assert ski != object()
836
Alex Gaynor410fe352015-12-26 15:01:25 -0500[diff] [blame]837 def test_hash(self):
838 ski1 = x509.SubjectKeyIdentifier(
839 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
840 )
841 ski2 = x509.SubjectKeyIdentifier(
842 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
843 )
844 ski3 = x509.SubjectKeyIdentifier(
845 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
846 )
847
848 assert hash(ski1) == hash(ski2)
849 assert hash(ski1) != hash(ski3)
850
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]851
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]852class TestAuthorityKeyIdentifier(object):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]853 def test_authority_cert_issuer_not_generalname(self):
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]854 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]855 x509.AuthorityKeyIdentifier(b"identifier", ["notname"], 3)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]856
857 def test_authority_cert_serial_number_not_integer(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]858 dirname = x509.DirectoryName(
859 x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]860 x509.NameAttribute(
861 x509.ObjectIdentifier('2.999.1'),
862 u'value1'
863 ),
864 x509.NameAttribute(
865 x509.ObjectIdentifier('2.999.2'),
866 u'value2'
867 ),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]868 ])
869 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]870 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]871 x509.AuthorityKeyIdentifier(b"identifier", [dirname], "notanint")
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]872
873 def test_authority_issuer_none_serial_not_none(self):
874 with pytest.raises(ValueError):
875 x509.AuthorityKeyIdentifier(b"identifier", None, 3)
876
877 def test_authority_issuer_not_none_serial_none(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]878 dirname = x509.DirectoryName(
879 x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]880 x509.NameAttribute(
881 x509.ObjectIdentifier('2.999.1'),
882 u'value1'
883 ),
884 x509.NameAttribute(
885 x509.ObjectIdentifier('2.999.2'),
886 u'value2'
887 ),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]888 ])
889 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]890 with pytest.raises(ValueError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]891 x509.AuthorityKeyIdentifier(b"identifier", [dirname], None)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]892
893 def test_authority_cert_serial_and_issuer_none(self):
894 aki = x509.AuthorityKeyIdentifier(b"id", None, None)
895 assert aki.key_identifier == b"id"
896 assert aki.authority_cert_issuer is None
897 assert aki.authority_cert_serial_number is None
898
Paul Kehrer0d943bb2016-01-05 19:02:32 -0600[diff] [blame]899 def test_authority_cert_serial_zero(self):
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]900 dns = x509.DNSName(b"SomeIssuer")
Paul Kehrer0d943bb2016-01-05 19:02:32 -0600[diff] [blame]901 aki = x509.AuthorityKeyIdentifier(b"id", [dns], 0)
902 assert aki.key_identifier == b"id"
903 assert aki.authority_cert_issuer == [dns]
904 assert aki.authority_cert_serial_number == 0
905
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]906 def test_iter_input(self):
907 dirnames = [
908 x509.DirectoryName(
909 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
910 )
911 ]
912 aki = x509.AuthorityKeyIdentifier(b"digest", iter(dirnames), 1234)
913 assert list(aki.authority_cert_issuer) == dirnames
914
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]915 def test_repr(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]916 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]917 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]918 )
919 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]920
921 if six.PY3:
922 assert repr(aki) == (
923 "<AuthorityKeyIdentifier(key_identifier=b'digest', authority_"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]924 "cert_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid="
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]925 "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value='myC"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]926 "N')>])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]927 )
928 else:
929 assert repr(aki) == (
930 "<AuthorityKeyIdentifier(key_identifier='digest', authority_ce"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]931 "rt_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid=<Ob"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]932 "jectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'myCN')"
933 ">])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]934 )
935
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]936 def test_eq(self):
937 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]938 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]939 )
940 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
941 dirname2 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]942 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]943 )
944 aki2 = x509.AuthorityKeyIdentifier(b"digest", [dirname2], 1234)
945 assert aki == aki2
946
947 def test_ne(self):
948 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]949 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]950 )
951 dirname5 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]952 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'aCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]953 )
954 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
955 aki2 = x509.AuthorityKeyIdentifier(b"diges", [dirname], 1234)
956 aki3 = x509.AuthorityKeyIdentifier(b"digest", None, None)
957 aki4 = x509.AuthorityKeyIdentifier(b"digest", [dirname], 12345)
958 aki5 = x509.AuthorityKeyIdentifier(b"digest", [dirname5], 12345)
959 assert aki != aki2
960 assert aki != aki3
961 assert aki != aki4
962 assert aki != aki5
963 assert aki != object()
964
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]965
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]966class TestBasicConstraints(object):
967 def test_ca_not_boolean(self):
968 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]969 x509.BasicConstraints(ca="notbool", path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]970
971 def test_path_length_not_ca(self):
972 with pytest.raises(ValueError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]973 x509.BasicConstraints(ca=False, path_length=0)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]974
975 def test_path_length_not_int(self):
976 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]977 x509.BasicConstraints(ca=True, path_length=1.1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]978
979 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]980 x509.BasicConstraints(ca=True, path_length="notint")
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]981
982 def test_path_length_negative(self):
983 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]984 x509.BasicConstraints(ca=True, path_length=-1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]985
986 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]987 na = x509.BasicConstraints(ca=True, path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]988 assert repr(na) == (
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]989 "<BasicConstraints(ca=True, path_length=None)>"
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]990 )
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]991
Paul Kehrer2eb69f62015-12-27 11:46:11 -0600[diff] [blame]992 def test_hash(self):
993 na = x509.BasicConstraints(ca=True, path_length=None)
994 na2 = x509.BasicConstraints(ca=True, path_length=None)
Paul Kehrerb39af8d2015-12-27 14:30:19 -0600[diff] [blame]995 na3 = x509.BasicConstraints(ca=True, path_length=0)
Paul Kehrer2eb69f62015-12-27 11:46:11 -0600[diff] [blame]996 assert hash(na) == hash(na2)
Paul Kehrerb39af8d2015-12-27 14:30:19 -0600[diff] [blame]997 assert hash(na) != hash(na3)
Paul Kehrer2eb69f62015-12-27 11:46:11 -0600[diff] [blame]998
Paul Kehrer3a69b132015-05-13 10:03:46 -0500[diff] [blame]999 def test_eq(self):
1000 na = x509.BasicConstraints(ca=True, path_length=None)
1001 na2 = x509.BasicConstraints(ca=True, path_length=None)
1002 assert na == na2
1003
1004 def test_ne(self):
1005 na = x509.BasicConstraints(ca=True, path_length=None)
1006 na2 = x509.BasicConstraints(ca=True, path_length=1)
1007 na3 = x509.BasicConstraints(ca=False, path_length=None)
1008 assert na != na2
1009 assert na != na3
1010 assert na != object()
1011
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]1012
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]1013class TestExtendedKeyUsage(object):
1014 def test_not_all_oids(self):
1015 with pytest.raises(TypeError):
1016 x509.ExtendedKeyUsage(["notoid"])
1017
1018 def test_iter_len(self):
1019 eku = x509.ExtendedKeyUsage([
1020 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
1021 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
1022 ])
1023 assert len(eku) == 2
1024 assert list(eku) == [
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]1025 ExtendedKeyUsageOID.SERVER_AUTH,
1026 ExtendedKeyUsageOID.CLIENT_AUTH
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]1027 ]
1028
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]1029 def test_iter_input(self):
1030 usages = [
1031 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
1032 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
1033 ]
1034 aia = x509.ExtendedKeyUsage(iter(usages))
1035 assert list(aia) == usages
1036
Paul Kehrer23d10c32015-04-02 23:12:32 -0500[diff] [blame]1037 def test_repr(self):
1038 eku = x509.ExtendedKeyUsage([
1039 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
1040 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
1041 ])
1042 assert repr(eku) == (
1043 "<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name="
1044 "serverAuth)>, <ObjectIdentifier(oid=1.3.6.1.5.5.7.3.2, name=clien"
1045 "tAuth)>])>"
1046 )
1047
Paul Kehrerb0476172015-05-02 19:34:51 -0500[diff] [blame]1048 def test_eq(self):
1049 eku = x509.ExtendedKeyUsage([
1050 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
1051 ])
1052 eku2 = x509.ExtendedKeyUsage([
1053 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
1054 ])
1055 assert eku == eku2
1056
1057 def test_ne(self):
1058 eku = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6")])
1059 eku2 = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6.1")])
1060 assert eku != eku2
1061 assert eku != object()
1062
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]1063
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]1064@pytest.mark.requires_backend_interface(interface=RSABackend)
1065@pytest.mark.requires_backend_interface(interface=X509Backend)
1066class TestExtensions(object):
1067 def test_no_extensions(self, backend):
1068 cert = _load_cert(
1069 os.path.join("x509", "verisign_md2_root.pem"),
1070 x509.load_pem_x509_certificate,
1071 backend
1072 )
1073 ext = cert.extensions
1074 assert len(ext) == 0
1075 assert list(ext) == []
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1076 with pytest.raises(x509.ExtensionNotFound) as exc:
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1077 ext.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1078
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1079 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1080
1081 def test_one_extension(self, backend):
1082 cert = _load_cert(
1083 os.path.join(
1084 "x509", "custom", "basic_constraints_not_critical.pem"
1085 ),
1086 x509.load_pem_x509_certificate,
1087 backend
1088 )
1089 extensions = cert.extensions
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1090 ext = extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1091 assert ext is not None
1092 assert ext.value.ca is False
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]1093
1094 def test_duplicate_extension(self, backend):
1095 cert = _load_cert(
1096 os.path.join(
1097 "x509", "custom", "two_basic_constraints.pem"
1098 ),
1099 x509.load_pem_x509_certificate,
1100 backend
1101 )
1102 with pytest.raises(x509.DuplicateExtension) as exc:
1103 cert.extensions
1104
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1105 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]1106
1107 def test_unsupported_critical_extension(self, backend):
1108 cert = _load_cert(
1109 os.path.join(
1110 "x509", "custom", "unsupported_extension_critical.pem"
1111 ),
1112 x509.load_pem_x509_certificate,
1113 backend
1114 )
Alex Gaynord08ddd52017-05-20 09:01:54 -0700[diff] [blame]1115 ext = cert.extensions.get_extension_for_oid(
1116 x509.ObjectIdentifier("1.2.3.4")
1117 )
1118 assert ext.value.value == b"value"
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]1119
Paul Kehrer58ddc112015-12-30 20:19:00 -0600[diff] [blame]1120 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]1121 def test_unsupported_extension(self, backend):
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]1122 cert = _load_cert(
1123 os.path.join(
Paul Kehrer58ddc112015-12-30 20:19:00 -0600[diff] [blame]1124 "x509", "custom", "unsupported_extension_2.pem"
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]1125 ),
1126 x509.load_pem_x509_certificate,
1127 backend
1128 )
1129 extensions = cert.extensions
Paul Kehrer58ddc112015-12-30 20:19:00 -0600[diff] [blame]1130 assert len(extensions) == 2
1131 assert extensions[0].critical is False
1132 assert extensions[0].oid == x509.ObjectIdentifier(
1133 "1.3.6.1.4.1.41482.2"
1134 )
1135 assert extensions[0].value == x509.UnrecognizedExtension(
1136 x509.ObjectIdentifier("1.3.6.1.4.1.41482.2"),
1137 b"1.3.6.1.4.1.41482.1.2"
1138 )
1139 assert extensions[1].critical is False
1140 assert extensions[1].oid == x509.ObjectIdentifier(
1141 "1.3.6.1.4.1.45724.2.1.1"
1142 )
1143 assert extensions[1].value == x509.UnrecognizedExtension(
1144 x509.ObjectIdentifier("1.3.6.1.4.1.45724.2.1.1"),
1145 b"\x03\x02\x040"
1146 )
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1147
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]1148 def test_no_extensions_get_for_class(self, backend):
1149 cert = _load_cert(
1150 os.path.join(
Phoebe Queencb5ec4e2015-08-12 15:06:26 +0100[diff] [blame]1151 "x509", "cryptography.io.pem"
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]1152 ),
1153 x509.load_pem_x509_certificate,
1154 backend
1155 )
Phoebe Queenc93752b2015-08-12 10:54:46 +0100[diff] [blame]1156 exts = cert.extensions
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]1157 with pytest.raises(x509.ExtensionNotFound) as exc:
Phoebe Queencb5ec4e2015-08-12 15:06:26 +0100[diff] [blame]1158 exts.get_extension_for_class(x509.IssuerAlternativeName)
1159 assert exc.value.oid == ExtensionOID.ISSUER_ALTERNATIVE_NAME
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]1160
Paul Kehrere69c5fe2015-12-30 21:03:26 -0600[diff] [blame]1161 def test_unrecognized_extension_for_class(self):
1162 exts = x509.Extensions([])
1163 with pytest.raises(TypeError):
1164 exts.get_extension_for_class(x509.UnrecognizedExtension)
1165
Paul Kehrer5b90c972015-12-26 00:52:58 -0600[diff] [blame]1166 def test_indexing(self, backend):
1167 cert = _load_cert(
1168 os.path.join("x509", "cryptography.io.pem"),
1169 x509.load_pem_x509_certificate,
1170 backend
1171 )
1172 exts = cert.extensions
1173 assert exts[-1] == exts[7]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame]1174 assert exts[2:6:2] == [exts[2], exts[4]]
Paul Kehrer5b90c972015-12-26 00:52:58 -0600[diff] [blame]1175
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]1176 def test_one_extension_get_for_class(self, backend):
1177 cert = _load_cert(
Phoebe Queen2cc111a2015-08-12 04:14:22 +0100[diff] [blame]1178 os.path.join(
1179 "x509", "custom", "basic_constraints_not_critical.pem"
1180 ),
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]1181 x509.load_pem_x509_certificate,
1182 backend
1183 )
1184 ext = cert.extensions.get_extension_for_class(x509.BasicConstraints)
1185 assert ext is not None
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]1186 assert isinstance(ext.value, x509.BasicConstraints)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1187
Paul Kehrerafbe75b2015-10-20 08:08:43 -0500[diff] [blame]1188 def test_repr(self, backend):
1189 cert = _load_cert(
1190 os.path.join(
1191 "x509", "custom", "basic_constraints_not_critical.pem"
1192 ),
1193 x509.load_pem_x509_certificate,
1194 backend
1195 )
1196 assert repr(cert.extensions) == (
1197 "<Extensions([<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name"
1198 "=basicConstraints)>, critical=False, value=<BasicConstraints(ca=F"
1199 "alse, path_length=None)>)>])>"
1200 )
1201
Phoebe Queen2cc111a2015-08-12 04:14:22 +0100[diff] [blame]1202
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1203@pytest.mark.requires_backend_interface(interface=RSABackend)
1204@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerde813ea2015-03-28 12:44:34 -0500[diff] [blame]1205class TestBasicConstraintsExtension(object):
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1206 def test_ca_true_pathlen_6(self, backend):
1207 cert = _load_cert(
1208 os.path.join(
1209 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
1210 ),
1211 x509.load_der_x509_certificate,
1212 backend
1213 )
Phoebe Queen062dec72015-08-12 11:42:23 +0100[diff] [blame]1214 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1215 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1216 )
1217 assert ext is not None
1218 assert ext.critical is True
1219 assert ext.value.ca is True
1220 assert ext.value.path_length == 6
1221
1222 def test_path_length_zero(self, backend):
1223 cert = _load_cert(
1224 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
1225 x509.load_pem_x509_certificate,
1226 backend
1227 )
1228 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1229 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1230 )
1231 assert ext is not None
1232 assert ext.critical is True
1233 assert ext.value.ca is True
1234 assert ext.value.path_length == 0
1235
1236 def test_ca_true_no_pathlen(self, backend):
1237 cert = _load_cert(
1238 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1239 x509.load_der_x509_certificate,
1240 backend
1241 )
1242 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1243 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1244 )
1245 assert ext is not None
1246 assert ext.critical is True
1247 assert ext.value.ca is True
1248 assert ext.value.path_length is None
1249
1250 def test_ca_false(self, backend):
1251 cert = _load_cert(
1252 os.path.join("x509", "cryptography.io.pem"),
1253 x509.load_pem_x509_certificate,
1254 backend
1255 )
1256 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1257 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1258 )
1259 assert ext is not None
1260 assert ext.critical is True
1261 assert ext.value.ca is False
1262 assert ext.value.path_length is None
1263
1264 def test_no_basic_constraints(self, backend):
1265 cert = _load_cert(
1266 os.path.join(
1267 "x509",
1268 "PKITS_data",
1269 "certs",
1270 "ValidCertificatePathTest1EE.crt"
1271 ),
1272 x509.load_der_x509_certificate,
1273 backend
1274 )
1275 with pytest.raises(x509.ExtensionNotFound):
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1276 cert.extensions.get_extension_for_oid(
1277 ExtensionOID.BASIC_CONSTRAINTS
1278 )
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1279
1280 def test_basic_constraint_not_critical(self, backend):
1281 cert = _load_cert(
1282 os.path.join(
1283 "x509", "custom", "basic_constraints_not_critical.pem"
1284 ),
1285 x509.load_pem_x509_certificate,
1286 backend
1287 )
1288 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1289 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1290 )
1291 assert ext is not None
1292 assert ext.critical is False
1293 assert ext.value.ca is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1294
1295
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1296class TestSubjectKeyIdentifierExtension(object):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1297 @pytest.mark.requires_backend_interface(interface=RSABackend)
1298 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1299 def test_subject_key_identifier(self, backend):
1300 cert = _load_cert(
1301 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1302 x509.load_der_x509_certificate,
1303 backend
1304 )
1305 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1306 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1307 )
1308 ski = ext.value
1309 assert ext is not None
1310 assert ext.critical is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1311 assert ski.digest == binascii.unhexlify(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]1312 b"580184241bbc2b52944a3da510721451f5af3ac9"
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1313 )
1314
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1315 @pytest.mark.requires_backend_interface(interface=RSABackend)
1316 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1317 def test_no_subject_key_identifier(self, backend):
1318 cert = _load_cert(
1319 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
1320 x509.load_pem_x509_certificate,
1321 backend
1322 )
1323 with pytest.raises(x509.ExtensionNotFound):
1324 cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1325 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1326 )
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1327
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1328 @pytest.mark.requires_backend_interface(interface=RSABackend)
1329 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1330 def test_from_rsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1331 cert = _load_cert(
1332 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1333 x509.load_der_x509_certificate,
1334 backend
1335 )
1336 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1337 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1338 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1339 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1340 cert.public_key()
1341 )
1342 assert ext.value == ski
1343
1344 @pytest.mark.requires_backend_interface(interface=DSABackend)
1345 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1346 def test_from_dsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1347 cert = _load_cert(
1348 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
1349 x509.load_pem_x509_certificate,
1350 backend
1351 )
1352
1353 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1354 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1355 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1356 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1357 cert.public_key()
1358 )
1359 assert ext.value == ski
1360
1361 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1362 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1363 def test_from_ec_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1364 _skip_curve_unsupported(backend, ec.SECP384R1())
1365 cert = _load_cert(
1366 os.path.join("x509", "ecdsa_root.pem"),
1367 x509.load_pem_x509_certificate,
1368 backend
1369 )
1370
1371 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1372 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1373 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1374 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1375 cert.public_key()
1376 )
1377 assert ext.value == ski
1378
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1379
1380@pytest.mark.requires_backend_interface(interface=RSABackend)
1381@pytest.mark.requires_backend_interface(interface=X509Backend)
1382class TestKeyUsageExtension(object):
1383 def test_no_key_usage(self, backend):
1384 cert = _load_cert(
1385 os.path.join("x509", "verisign_md2_root.pem"),
1386 x509.load_pem_x509_certificate,
1387 backend
1388 )
1389 ext = cert.extensions
1390 with pytest.raises(x509.ExtensionNotFound) as exc:
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1391 ext.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1392
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1393 assert exc.value.oid == ExtensionOID.KEY_USAGE
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1394
1395 def test_all_purposes(self, backend):
1396 cert = _load_cert(
1397 os.path.join(
1398 "x509", "custom", "all_key_usages.pem"
1399 ),
1400 x509.load_pem_x509_certificate,
1401 backend
1402 )
1403 extensions = cert.extensions
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1404 ext = extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1405 assert ext is not None
1406
1407 ku = ext.value
1408 assert ku.digital_signature is True
1409 assert ku.content_commitment is True
1410 assert ku.key_encipherment is True
1411 assert ku.data_encipherment is True
1412 assert ku.key_agreement is True
1413 assert ku.key_cert_sign is True
1414 assert ku.crl_sign is True
1415 assert ku.encipher_only is True
1416 assert ku.decipher_only is True
1417
1418 def test_key_cert_sign_crl_sign(self, backend):
1419 cert = _load_cert(
1420 os.path.join(
1421 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
1422 ),
1423 x509.load_der_x509_certificate,
1424 backend
1425 )
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1426 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1427 assert ext is not None
1428 assert ext.critical is True
1429
1430 ku = ext.value
1431 assert ku.digital_signature is False
1432 assert ku.content_commitment is False
1433 assert ku.key_encipherment is False
1434 assert ku.data_encipherment is False
1435 assert ku.key_agreement is False
1436 assert ku.key_cert_sign is True
1437 assert ku.crl_sign is True
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1438
1439
1440@pytest.mark.parametrize(
1441 "name", [
1442 x509.RFC822Name,
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1443 x509.UniformResourceIdentifier
1444 ]
1445)
1446class TestTextGeneralNames(object):
1447 def test_not_text(self, name):
1448 with pytest.raises(TypeError):
1449 name(b"notaunicodestring")
1450
1451 with pytest.raises(TypeError):
1452 name(1.3)
1453
1454 def test_repr(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1455 gn = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1456 assert repr(gn) == "<{0}(value=string)>".format(name.__name__)
1457
1458 def test_eq(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1459 gn = name(u"string")
1460 gn2 = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1461 assert gn == gn2
1462
1463 def test_ne(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1464 gn = name(u"string")
1465 gn2 = name(u"string2")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1466 assert gn != gn2
1467 assert gn != object()
1468
1469
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1470class TestDNSName(object):
1471 def test_init(self):
1472 with pytest.warns(utils.DeprecatedIn21):
1473 name = x509.DNSName(u"*.\xf5\xe4\xf6\xfc.example.com")
1474 assert name.bytes_value == b"*.xn--4ca7aey.example.com"
1475
1476 with pytest.warns(utils.DeprecatedIn21):
1477 name = x509.DNSName(u".\xf5\xe4\xf6\xfc.example.com")
1478 assert name.bytes_value == b".xn--4ca7aey.example.com"
1479 assert name.value == u".\xf5\xe4\xf6\xfc.example.com"
1480
1481 with pytest.warns(utils.DeprecatedIn21):
1482 name = x509.DNSName(u"\xf5\xe4\xf6\xfc.example.com")
1483 assert name.bytes_value == b"xn--4ca7aey.example.com"
1484
1485 with pytest.raises(TypeError):
1486 x509.DNSName(1.3)
1487
1488 def test_ne(self):
1489 n1 = x509.DNSName(b"test1")
1490 n2 = x509.DNSName(b"test2")
1491 n3 = x509.DNSName(b"test2")
1492 assert n1 != n2
1493 assert not (n2 != n3)
1494
1495
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1496class TestDirectoryName(object):
1497 def test_not_name(self):
1498 with pytest.raises(TypeError):
1499 x509.DirectoryName(b"notaname")
1500
1501 with pytest.raises(TypeError):
1502 x509.DirectoryName(1.3)
1503
1504 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1505 name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'value1')])
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]1506 gn = x509.DirectoryName(name)
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]1507 if six.PY3:
1508 assert repr(gn) == (
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]1509 "<DirectoryName(value=<Name([<NameAttribute(oid=<ObjectIdentif"
1510 "ier(oid=2.5.4.3, name=commonName)>, value='value1')>])>)>"
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]1511 )
1512 else:
1513 assert repr(gn) == (
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]1514 "<DirectoryName(value=<Name([<NameAttribute(oid=<ObjectIdentif"
1515 "ier(oid=2.5.4.3, name=commonName)>, value=u'value1')>])>)>"
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]1516 )
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1517
1518 def test_eq(self):
1519 name = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1520 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1521 ])
1522 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1523 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1524 ])
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]1525 gn = x509.DirectoryName(name)
1526 gn2 = x509.DirectoryName(name2)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1527 assert gn == gn2
1528
1529 def test_ne(self):
1530 name = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1531 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1532 ])
1533 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1534 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1535 ])
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]1536 gn = x509.DirectoryName(name)
1537 gn2 = x509.DirectoryName(name2)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1538 assert gn != gn2
1539 assert gn != object()
1540
1541
Paul Kehrer01d5d0b2015-07-12 09:41:21 -0500[diff] [blame]1542class TestRFC822Name(object):
1543 def test_invalid_email(self):
1544 with pytest.raises(ValueError):
1545 x509.RFC822Name(u"Name <email>")
1546
1547 with pytest.raises(ValueError):
1548 x509.RFC822Name(u"")
1549
1550 def test_single_label(self):
1551 gn = x509.RFC822Name(u"administrator")
1552 assert gn.value == u"administrator"
1553
1554 def test_idna(self):
1555 gn = x509.RFC822Name(u"email@em\xe5\xefl.com")
1556 assert gn.value == u"email@em\xe5\xefl.com"
1557 assert gn._encoded == b"email@xn--eml-vla4c.com"
1558
Alex Gaynorb642dee2016-01-03 15:12:23 -0500[diff] [blame]1559 def test_hash(self):
1560 g1 = x509.RFC822Name(u"email@host.com")
1561 g2 = x509.RFC822Name(u"email@host.com")
1562 g3 = x509.RFC822Name(u"admin@host.com")
1563
1564 assert hash(g1) == hash(g2)
1565 assert hash(g1) != hash(g3)
1566
Paul Kehrer01d5d0b2015-07-12 09:41:21 -0500[diff] [blame]1567
Paul Kehrere28d6c42015-07-12 14:59:37 -0500[diff] [blame]1568class TestUniformResourceIdentifier(object):
1569 def test_no_parsed_hostname(self):
1570 gn = x509.UniformResourceIdentifier(u"singlelabel")
1571 assert gn.value == u"singlelabel"
1572
1573 def test_with_port(self):
1574 gn = x509.UniformResourceIdentifier(u"singlelabel:443/test")
1575 assert gn.value == u"singlelabel:443/test"
1576
1577 def test_idna_no_port(self):
1578 gn = x509.UniformResourceIdentifier(
1579 u"http://\u043f\u044b\u043a\u0430.cryptography"
1580 )
1581 assert gn.value == u"http://\u043f\u044b\u043a\u0430.cryptography"
1582 assert gn._encoded == b"http://xn--80ato2c.cryptography"
1583
1584 def test_idna_with_port(self):
1585 gn = x509.UniformResourceIdentifier(
1586 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1587 )
1588 assert gn.value == (
1589 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1590 )
1591 assert gn._encoded == b"gopher://xn--80ato2c.cryptography:70/some/path"
1592
1593 def test_query_and_fragment(self):
1594 gn = x509.UniformResourceIdentifier(
1595 u"ldap://cryptography:90/path?query=true#somedata"
1596 )
1597 assert gn.value == u"ldap://cryptography:90/path?query=true#somedata"
1598
Alex Gaynord1b56812016-01-03 15:14:34 -0500[diff] [blame]1599 def test_hash(self):
1600 g1 = x509.UniformResourceIdentifier(u"http://host.com")
1601 g2 = x509.UniformResourceIdentifier(u"http://host.com")
1602 g3 = x509.UniformResourceIdentifier(u"http://other.com")
1603
1604 assert hash(g1) == hash(g2)
1605 assert hash(g1) != hash(g3)
1606
Paul Kehrere28d6c42015-07-12 14:59:37 -0500[diff] [blame]1607
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1608class TestRegisteredID(object):
1609 def test_not_oid(self):
1610 with pytest.raises(TypeError):
1611 x509.RegisteredID(b"notanoid")
1612
1613 with pytest.raises(TypeError):
1614 x509.RegisteredID(1.3)
1615
1616 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1617 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1618 assert repr(gn) == (
1619 "<RegisteredID(value=<ObjectIdentifier(oid=2.5.4.3, name=commonNam"
1620 "e)>)>"
1621 )
1622
1623 def test_eq(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1624 gn = x509.RegisteredID(NameOID.COMMON_NAME)
1625 gn2 = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1626 assert gn == gn2
1627
1628 def test_ne(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1629 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1630 gn2 = x509.RegisteredID(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1631 assert gn != gn2
1632 assert gn != object()
1633
1634
1635class TestIPAddress(object):
1636 def test_not_ipaddress(self):
1637 with pytest.raises(TypeError):
1638 x509.IPAddress(b"notanipaddress")
1639
1640 with pytest.raises(TypeError):
1641 x509.IPAddress(1.3)
1642
1643 def test_repr(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1644 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1645 assert repr(gn) == "<IPAddress(value=127.0.0.1)>"
1646
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1647 gn2 = x509.IPAddress(ipaddress.IPv6Address(u"ff::"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1648 assert repr(gn2) == "<IPAddress(value=ff::)>"
1649
Paul Kehrereb177932015-05-17 18:33:33 -0700[diff] [blame]1650 gn3 = x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24"))
1651 assert repr(gn3) == "<IPAddress(value=192.168.0.0/24)>"
1652
1653 gn4 = x509.IPAddress(ipaddress.IPv6Network(u"ff::/96"))
1654 assert repr(gn4) == "<IPAddress(value=ff::/96)>"
1655
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1656 def test_eq(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1657 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1658 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1659 assert gn == gn2
1660
1661 def test_ne(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1662 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1663 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.2"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1664 assert gn != gn2
1665 assert gn != object()
1666
1667
Joshua Tauberer18b6fc82015-07-05 21:44:51 +0000[diff] [blame]1668class TestOtherName(object):
1669 def test_invalid_args(self):
1670 with pytest.raises(TypeError):
1671 x509.OtherName(b"notanobjectidentifier", b"derdata")
1672
1673 with pytest.raises(TypeError):
1674 x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), u"notderdata")
1675
1676 def test_repr(self):
1677 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1678 if six.PY3:
1679 assert repr(gn) == (
1680 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1681 "name=Unknown OID)>, value=b'derdata')>"
1682 )
1683 else:
1684 assert repr(gn) == (
1685 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1686 "name=Unknown OID)>, value='derdata')>"
1687 )
1688
1689 gn = x509.OtherName(x509.ObjectIdentifier("2.5.4.65"), b"derdata")
1690 if six.PY3:
1691 assert repr(gn) == (
1692 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1693 "name=pseudonym)>, value=b'derdata')>"
1694 )
1695 else:
1696 assert repr(gn) == (
1697 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1698 "name=pseudonym)>, value='derdata')>"
1699 )
1700
1701 def test_eq(self):
1702 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1703 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1704 assert gn == gn2
1705
1706 def test_ne(self):
1707 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1708 assert gn != object()
1709
1710 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata2")
1711 assert gn != gn2
1712
1713 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.5"), b"derdata")
1714 assert gn != gn2
1715
1716
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1717class TestGeneralNames(object):
1718 def test_get_values_for_type(self):
1719 gns = x509.GeneralNames(
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1720 [x509.DNSName(b"cryptography.io")]
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1721 )
1722 names = gns.get_values_for_type(x509.DNSName)
1723 assert names == [u"cryptography.io"]
1724
1725 def test_iter_names(self):
1726 gns = x509.GeneralNames([
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1727 x509.DNSName(b"cryptography.io"),
1728 x509.DNSName(b"crypto.local"),
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1729 ])
1730 assert len(gns) == 2
1731 assert list(gns) == [
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1732 x509.DNSName(b"cryptography.io"),
1733 x509.DNSName(b"crypto.local"),
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1734 ]
1735
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]1736 def test_iter_input(self):
1737 names = [
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1738 x509.DNSName(b"cryptography.io"),
1739 x509.DNSName(b"crypto.local"),
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]1740 ]
1741 gns = x509.GeneralNames(iter(names))
1742 assert list(gns) == names
1743
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1744 def test_indexing(self):
1745 gn = x509.GeneralNames([
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1746 x509.DNSName(b"cryptography.io"),
1747 x509.DNSName(b"crypto.local"),
1748 x509.DNSName(b"another.local"),
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1749 x509.RFC822Name(u"email@another.local"),
1750 x509.UniformResourceIdentifier(u"http://another.local"),
1751 ])
1752 assert gn[-1] == gn[4]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame]1753 assert gn[2:6:2] == [gn[2], gn[4]]
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1754
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1755 def test_invalid_general_names(self):
1756 with pytest.raises(TypeError):
1757 x509.GeneralNames(
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1758 [x509.DNSName(b"cryptography.io"), "invalid"]
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1759 )
1760
1761 def test_repr(self):
1762 gns = x509.GeneralNames(
1763 [
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1764 x509.DNSName(b"cryptography.io")
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1765 ]
1766 )
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1767 if six.PY3:
1768 assert repr(gns) == (
1769 "<GeneralNames([<DNSName(bytes_value=b'cryptography.io')>])>"
1770 )
1771 else:
1772 assert repr(gns) == (
1773 "<GeneralNames([<DNSName(bytes_value='cryptography.io')>])>"
1774 )
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1775
1776 def test_eq(self):
1777 gns = x509.GeneralNames(
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1778 [x509.DNSName(b"cryptography.io")]
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1779 )
1780 gns2 = x509.GeneralNames(
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1781 [x509.DNSName(b"cryptography.io")]
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1782 )
1783 assert gns == gns2
1784
1785 def test_ne(self):
1786 gns = x509.GeneralNames(
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1787 [x509.DNSName(b"cryptography.io")]
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1788 )
1789 gns2 = x509.GeneralNames(
1790 [x509.RFC822Name(u"admin@cryptography.io")]
1791 )
1792 assert gns != gns2
1793 assert gns != object()
1794
1795
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1796class TestIssuerAlternativeName(object):
1797 def test_get_values_for_type(self):
1798 san = x509.IssuerAlternativeName(
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1799 [x509.DNSName(b"cryptography.io")]
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1800 )
1801 names = san.get_values_for_type(x509.DNSName)
1802 assert names == [u"cryptography.io"]
1803
1804 def test_iter_names(self):
1805 san = x509.IssuerAlternativeName([
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1806 x509.DNSName(b"cryptography.io"),
1807 x509.DNSName(b"crypto.local"),
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1808 ])
1809 assert len(san) == 2
1810 assert list(san) == [
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1811 x509.DNSName(b"cryptography.io"),
1812 x509.DNSName(b"crypto.local"),
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1813 ]
1814
Paul Kehrer5c999d32015-12-26 17:45:20 -0600[diff] [blame]1815 def test_indexing(self):
1816 ian = x509.IssuerAlternativeName([
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1817 x509.DNSName(b"cryptography.io"),
1818 x509.DNSName(b"crypto.local"),
1819 x509.DNSName(b"another.local"),
Paul Kehrer5c999d32015-12-26 17:45:20 -0600[diff] [blame]1820 x509.RFC822Name(u"email@another.local"),
1821 x509.UniformResourceIdentifier(u"http://another.local"),
1822 ])
1823 assert ian[-1] == ian[4]
1824 assert ian[2:6:2] == [ian[2], ian[4]]
1825
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1826 def test_invalid_general_names(self):
1827 with pytest.raises(TypeError):
1828 x509.IssuerAlternativeName(
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1829 [x509.DNSName(b"cryptography.io"), "invalid"]
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1830 )
1831
1832 def test_repr(self):
1833 san = x509.IssuerAlternativeName(
1834 [
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1835 x509.DNSName(b"cryptography.io")
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1836 ]
1837 )
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1838 if six.PY3:
1839 assert repr(san) == (
1840 "<IssuerAlternativeName("
1841 "<GeneralNames([<DNSName(bytes_value=b'cryptography.io')>])>)>"
1842 )
1843 else:
1844 assert repr(san) == (
1845 "<IssuerAlternativeName("
1846 "<GeneralNames([<DNSName(bytes_value='cryptography.io')>])>)>"
1847 )
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1848
1849 def test_eq(self):
1850 san = x509.IssuerAlternativeName(
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1851 [x509.DNSName(b"cryptography.io")]
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1852 )
1853 san2 = x509.IssuerAlternativeName(
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1854 [x509.DNSName(b"cryptography.io")]
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1855 )
1856 assert san == san2
1857
1858 def test_ne(self):
1859 san = x509.IssuerAlternativeName(
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1860 [x509.DNSName(b"cryptography.io")]
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1861 )
1862 san2 = x509.IssuerAlternativeName(
1863 [x509.RFC822Name(u"admin@cryptography.io")]
1864 )
1865 assert san != san2
1866 assert san != object()
1867
1868
Alex Gaynorf1c17672015-06-20 14:20:20 -0400[diff] [blame]1869@pytest.mark.requires_backend_interface(interface=RSABackend)
1870@pytest.mark.requires_backend_interface(interface=X509Backend)
1871class TestRSAIssuerAlternativeNameExtension(object):
1872 def test_uri(self, backend):
1873 cert = _load_cert(
1874 os.path.join("x509", "custom", "ian_uri.pem"),
1875 x509.load_pem_x509_certificate,
1876 backend,
1877 )
1878 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1879 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Alex Gaynorf1c17672015-06-20 14:20:20 -0400[diff] [blame]1880 )
1881 assert list(ext.value) == [
1882 x509.UniformResourceIdentifier(u"http://path.to.root/root.crt"),
1883 ]
1884
1885
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]1886class TestCRLNumber(object):
1887 def test_eq(self):
1888 crl_number = x509.CRLNumber(15)
1889 assert crl_number == x509.CRLNumber(15)
1890
1891 def test_ne(self):
1892 crl_number = x509.CRLNumber(15)
1893 assert crl_number != x509.CRLNumber(14)
1894 assert crl_number != object()
1895
1896 def test_repr(self):
1897 crl_number = x509.CRLNumber(15)
1898 assert repr(crl_number) == "<CRLNumber(15)>"
1899
Paul Kehrera9718fc2015-12-22 22:55:35 -0600[diff] [blame]1900 def test_invalid_number(self):
1901 with pytest.raises(TypeError):
1902 x509.CRLNumber("notanumber")
1903
Alex Gaynorf9a77b62015-12-26 12:14:25 -0500[diff] [blame]1904 def test_hash(self):
1905 c1 = x509.CRLNumber(1)
1906 c2 = x509.CRLNumber(1)
1907 c3 = x509.CRLNumber(2)
1908 assert hash(c1) == hash(c2)
1909 assert hash(c1) != hash(c3)
1910
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]1911
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1912class TestSubjectAlternativeName(object):
1913 def test_get_values_for_type(self):
1914 san = x509.SubjectAlternativeName(
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1915 [x509.DNSName(b"cryptography.io")]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1916 )
1917 names = san.get_values_for_type(x509.DNSName)
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1918 assert names == [u"cryptography.io"]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1919
1920 def test_iter_names(self):
1921 san = x509.SubjectAlternativeName([
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1922 x509.DNSName(b"cryptography.io"),
1923 x509.DNSName(b"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1924 ])
1925 assert len(san) == 2
1926 assert list(san) == [
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1927 x509.DNSName(b"cryptography.io"),
1928 x509.DNSName(b"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1929 ]
1930
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1931 def test_indexing(self):
1932 san = x509.SubjectAlternativeName([
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1933 x509.DNSName(b"cryptography.io"),
1934 x509.DNSName(b"crypto.local"),
1935 x509.DNSName(b"another.local"),
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1936 x509.RFC822Name(u"email@another.local"),
1937 x509.UniformResourceIdentifier(u"http://another.local"),
1938 ])
1939 assert san[-1] == san[4]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame]1940 assert san[2:6:2] == [san[2], san[4]]
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1941
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1942 def test_invalid_general_names(self):
1943 with pytest.raises(TypeError):
1944 x509.SubjectAlternativeName(
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1945 [x509.DNSName(b"cryptography.io"), "invalid"]
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1946 )
1947
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1948 def test_repr(self):
1949 san = x509.SubjectAlternativeName(
1950 [
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1951 x509.DNSName(b"cryptography.io")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1952 ]
1953 )
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1954 if six.PY3:
1955 assert repr(san) == (
1956 "<SubjectAlternativeName("
1957 "<GeneralNames([<DNSName(bytes_value=b'cryptography.io')>])>)>"
1958 )
1959 else:
1960 assert repr(san) == (
1961 "<SubjectAlternativeName("
1962 "<GeneralNames([<DNSName(bytes_value='cryptography.io')>])>)>"
1963 )
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1964
Paul Kehrer58cc3972015-05-13 10:00:41 -0500[diff] [blame]1965 def test_eq(self):
1966 san = x509.SubjectAlternativeName(
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1967 [x509.DNSName(b"cryptography.io")]
Paul Kehrer58cc3972015-05-13 10:00:41 -0500[diff] [blame]1968 )
1969 san2 = x509.SubjectAlternativeName(
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1970 [x509.DNSName(b"cryptography.io")]
Paul Kehrer58cc3972015-05-13 10:00:41 -0500[diff] [blame]1971 )
1972 assert san == san2
1973
1974 def test_ne(self):
1975 san = x509.SubjectAlternativeName(
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]1976 [x509.DNSName(b"cryptography.io")]
Paul Kehrer58cc3972015-05-13 10:00:41 -0500[diff] [blame]1977 )
1978 san2 = x509.SubjectAlternativeName(
1979 [x509.RFC822Name(u"admin@cryptography.io")]
1980 )
1981 assert san != san2
1982 assert san != object()
1983
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1984
1985@pytest.mark.requires_backend_interface(interface=RSABackend)
1986@pytest.mark.requires_backend_interface(interface=X509Backend)
1987class TestRSASubjectAlternativeNameExtension(object):
1988 def test_dns_name(self, backend):
1989 cert = _load_cert(
1990 os.path.join("x509", "cryptography.io.pem"),
1991 x509.load_pem_x509_certificate,
1992 backend
1993 )
1994 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1995 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1996 )
1997 assert ext is not None
1998 assert ext.critical is False
1999
2000 san = ext.value
2001
2002 dns = san.get_values_for_type(x509.DNSName)
2003 assert dns == [u"www.cryptography.io", u"cryptography.io"]
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]2004
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]2005 def test_wildcard_dns_name(self, backend):
2006 cert = _load_cert(
2007 os.path.join("x509", "wildcard_san.pem"),
2008 x509.load_pem_x509_certificate,
2009 backend
2010 )
2011 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2012 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]2013 )
2014
2015 dns = ext.value.get_values_for_type(x509.DNSName)
2016 assert dns == [
2017 u'*.langui.sh',
2018 u'langui.sh',
2019 u'*.saseliminator.com',
2020 u'saseliminator.com'
2021 ]
2022
Dominic Chen87bb9572015-10-09 00:23:07 -0400[diff] [blame]2023 def test_san_empty_hostname(self, backend):
2024 cert = _load_cert(
2025 os.path.join(
2026 "x509", "custom", "san_empty_hostname.pem"
2027 ),
2028 x509.load_pem_x509_certificate,
2029 backend
2030 )
2031 san = cert.extensions.get_extension_for_oid(
2032 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
2033 )
2034
2035 dns = san.value.get_values_for_type(x509.DNSName)
2036 assert dns == [u'']
2037
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]2038 def test_san_wildcard_idna_dns_name(self, backend):
2039 cert = _load_cert(
2040 os.path.join("x509", "custom", "san_wildcard_idna.pem"),
2041 x509.load_pem_x509_certificate,
2042 backend
2043 )
2044 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2045 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]2046 )
2047
2048 dns = ext.value.get_values_for_type(x509.DNSName)
2049 assert dns == [u'*.\u043f\u044b\u043a\u0430.cryptography']
2050
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]2051 def test_unsupported_gn(self, backend):
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]2052 cert = _load_cert(
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]2053 os.path.join("x509", "san_x400address.der"),
2054 x509.load_der_x509_certificate,
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]2055 backend
2056 )
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]2057 with pytest.raises(x509.UnsupportedGeneralNameType) as exc:
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]2058 cert.extensions
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]2059
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]2060 assert exc.value.type == 3
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]2061
2062 def test_registered_id(self, backend):
2063 cert = _load_cert(
2064 os.path.join(
2065 "x509", "custom", "san_registered_id.pem"
2066 ),
2067 x509.load_pem_x509_certificate,
2068 backend
2069 )
2070 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2071 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]2072 )
2073 assert ext is not None
2074 assert ext.critical is False
2075
2076 san = ext.value
2077 rid = san.get_values_for_type(x509.RegisteredID)
2078 assert rid == [x509.ObjectIdentifier("1.2.3.4")]
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]2079
2080 def test_uri(self, backend):
2081 cert = _load_cert(
2082 os.path.join(
2083 "x509", "custom", "san_uri_with_port.pem"
2084 ),
2085 x509.load_pem_x509_certificate,
2086 backend
2087 )
2088 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2089 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]2090 )
2091 assert ext is not None
2092 uri = ext.value.get_values_for_type(
2093 x509.UniformResourceIdentifier
2094 )
2095 assert uri == [
2096 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/path?q=s#hel"
2097 u"lo",
2098 u"http://someregulardomain.com",
2099 ]
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]2100
2101 def test_ipaddress(self, backend):
2102 cert = _load_cert(
2103 os.path.join(
2104 "x509", "custom", "san_ipaddr.pem"
2105 ),
2106 x509.load_pem_x509_certificate,
2107 backend
2108 )
2109 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2110 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]2111 )
2112 assert ext is not None
2113 assert ext.critical is False
2114
2115 san = ext.value
2116
2117 ip = san.get_values_for_type(x509.IPAddress)
2118 assert [
2119 ipaddress.ip_address(u"127.0.0.1"),
2120 ipaddress.ip_address(u"ff::")
2121 ] == ip
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]2122
2123 def test_dirname(self, backend):
2124 cert = _load_cert(
2125 os.path.join(
2126 "x509", "custom", "san_dirname.pem"
2127 ),
2128 x509.load_pem_x509_certificate,
2129 backend
2130 )
2131 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2132 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]2133 )
2134 assert ext is not None
2135 assert ext.critical is False
2136
2137 san = ext.value
2138
2139 dirname = san.get_values_for_type(x509.DirectoryName)
2140 assert [
2141 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2142 x509.NameAttribute(NameOID.COMMON_NAME, u'test'),
2143 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org'),
2144 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]2145 ])
2146 ] == dirname
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]2147
2148 def test_rfc822name(self, backend):
2149 cert = _load_cert(
2150 os.path.join(
2151 "x509", "custom", "san_rfc822_idna.pem"
2152 ),
2153 x509.load_pem_x509_certificate,
2154 backend
2155 )
2156 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2157 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]2158 )
2159 assert ext is not None
2160 assert ext.critical is False
2161
2162 san = ext.value
2163
2164 rfc822name = san.get_values_for_type(x509.RFC822Name)
2165 assert [u"email@em\xe5\xefl.com"] == rfc822name
2166
Paul Kehrerb8968812015-05-15 09:01:34 -0700[diff] [blame]2167 def test_idna2003_invalid(self, backend):
2168 cert = _load_cert(
2169 os.path.join(
2170 "x509", "custom", "san_idna2003_dnsname.pem"
2171 ),
2172 x509.load_pem_x509_certificate,
2173 backend
2174 )
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]2175 san = cert.extensions.get_extension_for_class(
2176 x509.SubjectAlternativeName
2177 ).value
2178
2179 assert len(san) == 1
2180 [name] = san
2181 assert name.bytes_value == b"xn--k4h.ws"
Paul Kehrerb8968812015-05-15 09:01:34 -0700[diff] [blame]2182 with pytest.raises(UnicodeError):
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]2183 name.value
Paul Kehrerb8968812015-05-15 09:01:34 -0700[diff] [blame]2184
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]2185 def test_unicode_rfc822_name_dns_name_uri(self, backend):
2186 cert = _load_cert(
2187 os.path.join(
2188 "x509", "custom", "san_idna_names.pem"
2189 ),
2190 x509.load_pem_x509_certificate,
2191 backend
2192 )
2193 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2194 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]2195 )
2196 assert ext is not None
2197 rfc822_name = ext.value.get_values_for_type(x509.RFC822Name)
2198 dns_name = ext.value.get_values_for_type(x509.DNSName)
2199 uri = ext.value.get_values_for_type(x509.UniformResourceIdentifier)
2200 assert rfc822_name == [u"email@\u043f\u044b\u043a\u0430.cryptography"]
2201 assert dns_name == [u"\u043f\u044b\u043a\u0430.cryptography"]
2202 assert uri == [u"https://www.\u043f\u044b\u043a\u0430.cryptography"]
2203
2204 def test_rfc822name_dnsname_ipaddress_directoryname_uri(self, backend):
2205 cert = _load_cert(
2206 os.path.join(
2207 "x509", "custom", "san_email_dns_ip_dirname_uri.pem"
2208 ),
2209 x509.load_pem_x509_certificate,
2210 backend
2211 )
2212 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2213 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]2214 )
2215 assert ext is not None
2216 assert ext.critical is False
2217
2218 san = ext.value
2219
2220 rfc822_name = san.get_values_for_type(x509.RFC822Name)
2221 uri = san.get_values_for_type(x509.UniformResourceIdentifier)
2222 dns = san.get_values_for_type(x509.DNSName)
2223 ip = san.get_values_for_type(x509.IPAddress)
2224 dirname = san.get_values_for_type(x509.DirectoryName)
2225 assert [u"user@cryptography.io"] == rfc822_name
Paul Kehrere3a330c2015-05-02 16:42:52 -0500[diff] [blame]2226 assert [u"https://cryptography.io"] == uri
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]2227 assert [u"cryptography.io"] == dns
2228 assert [
2229 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2230 x509.NameAttribute(NameOID.COMMON_NAME, u'dirCN'),
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]2231 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2232 NameOID.ORGANIZATION_NAME, u'Cryptographic Authority'
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]2233 ),
2234 ])
2235 ] == dirname
2236 assert [
2237 ipaddress.ip_address(u"127.0.0.1"),
2238 ipaddress.ip_address(u"ff::")
2239 ] == ip
2240
2241 def test_invalid_rfc822name(self, backend):
2242 cert = _load_cert(
2243 os.path.join(
2244 "x509", "custom", "san_rfc822_names.pem"
2245 ),
2246 x509.load_pem_x509_certificate,
2247 backend
2248 )
2249 with pytest.raises(ValueError) as exc:
2250 cert.extensions
2251
2252 assert 'Invalid rfc822name value' in str(exc.value)
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]2253
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2254 def test_other_name(self, backend):
2255 cert = _load_cert(
2256 os.path.join(
2257 "x509", "custom", "san_other_name.pem"
2258 ),
2259 x509.load_pem_x509_certificate,
2260 backend
2261 )
2262
2263 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2264 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2265 )
2266 assert ext is not None
2267 assert ext.critical is False
2268
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]2269 expected = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"),
2270 b'\x16\x0bHello World')
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2271 assert len(ext.value) == 1
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]2272 assert list(ext.value)[0] == expected
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2273
2274 othernames = ext.value.get_values_for_type(x509.OtherName)
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]2275 assert othernames == [expected]
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2276
Marti4739cfc2016-08-02 04:03:25 +0300[diff] [blame]2277 def test_certbuilder(self, backend):
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]2278 sans = [b'*.example.org', b'*.xn--4ca7aey.example.com',
2279 b'foobar.example.net']
Marti4739cfc2016-08-02 04:03:25 +0300[diff] [blame]2280 private_key = RSA_KEY_2048.private_key(backend)
2281 builder = _make_certbuilder(private_key)
2282 builder = builder.add_extension(
2283 SubjectAlternativeName(list(map(DNSName, sans))), True)
2284
2285 cert = builder.sign(private_key, hashes.SHA1(), backend)
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]2286 result = [
2287 x.bytes_value
2288 for x in cert.extensions.get_extension_for_class(
2289 SubjectAlternativeName
2290 ).value
2291 ]
Marti4739cfc2016-08-02 04:03:25 +0300[diff] [blame]2292 assert result == sans
2293
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]2294
2295@pytest.mark.requires_backend_interface(interface=RSABackend)
2296@pytest.mark.requires_backend_interface(interface=X509Backend)
2297class TestExtendedKeyUsageExtension(object):
2298 def test_eku(self, backend):
2299 cert = _load_cert(
2300 os.path.join(
2301 "x509", "custom", "extended_key_usage.pem"
2302 ),
2303 x509.load_pem_x509_certificate,
2304 backend
2305 )
2306 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2307 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]2308 )
2309 assert ext is not None
2310 assert ext.critical is False
2311
2312 assert [
2313 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
2314 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
2315 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.3"),
2316 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.4"),
2317 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.9"),
2318 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.8"),
2319 x509.ObjectIdentifier("2.5.29.37.0"),
2320 x509.ObjectIdentifier("2.16.840.1.113730.4.1"),
2321 ] == list(ext.value)
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2322
2323
2324class TestAccessDescription(object):
2325 def test_invalid_access_method(self):
Nick Bastind06763d2015-12-12 18:32:59 -0800[diff] [blame]2326 with pytest.raises(TypeError):
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]2327 x509.AccessDescription("notanoid", x509.DNSName(b"test"))
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2328
2329 def test_invalid_access_location(self):
2330 with pytest.raises(TypeError):
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2331 x509.AccessDescription(
2332 AuthorityInformationAccessOID.CA_ISSUERS, "invalid"
2333 )
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2334
Nick Bastind2ecf862015-12-13 05:44:46 -0800[diff] [blame]2335 def test_valid_nonstandard_method(self):
Nick Bastin326fc8e2015-12-12 19:08:12 -0800[diff] [blame]2336 ad = x509.AccessDescription(
2337 ObjectIdentifier("2.999.1"),
2338 x509.UniformResourceIdentifier(u"http://example.com")
2339 )
Nick Bastin11f0f8a2015-12-12 18:54:12 -0800[diff] [blame]2340 assert ad is not None
2341
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2342 def test_repr(self):
2343 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2344 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2345 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2346 )
2347 assert repr(ad) == (
2348 "<AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5."
2349 "5.7.48.1, name=OCSP)>, access_location=<UniformResourceIdentifier"
2350 "(value=http://ocsp.domain.com)>)>"
2351 )
2352
2353 def test_eq(self):
2354 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2355 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2356 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2357 )
2358 ad2 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2359 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2360 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2361 )
2362 assert ad == ad2
2363
2364 def test_ne(self):
2365 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2366 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2367 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2368 )
2369 ad2 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2370 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2371 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2372 )
2373 ad3 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2374 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2375 x509.UniformResourceIdentifier(u"http://notthesame")
2376 )
2377 assert ad != ad2
2378 assert ad != ad3
2379 assert ad != object()
2380
Eeshan Gargd8e0d852016-01-31 16:46:22 -0330[diff] [blame]2381 def test_hash(self):
2382 ad = x509.AccessDescription(
2383 AuthorityInformationAccessOID.OCSP,
2384 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2385 )
2386 ad2 = x509.AccessDescription(
2387 AuthorityInformationAccessOID.OCSP,
2388 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2389 )
2390 ad3 = x509.AccessDescription(
2391 AuthorityInformationAccessOID.CA_ISSUERS,
2392 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2393 )
2394 assert hash(ad) == hash(ad2)
2395 assert hash(ad) != hash(ad3)
2396
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2397
Paul Kehrer7e8fe9d2015-05-18 09:53:47 -0700[diff] [blame]2398class TestPolicyConstraints(object):
2399 def test_invalid_explicit_policy(self):
2400 with pytest.raises(TypeError):
2401 x509.PolicyConstraints("invalid", None)
2402
2403 def test_invalid_inhibit_policy(self):
2404 with pytest.raises(TypeError):
2405 x509.PolicyConstraints(None, "invalid")
2406
2407 def test_both_none(self):
2408 with pytest.raises(ValueError):
2409 x509.PolicyConstraints(None, None)
2410
2411 def test_repr(self):
2412 pc = x509.PolicyConstraints(0, None)
2413
2414 assert repr(pc) == (
2415 u"<PolicyConstraints(require_explicit_policy=0, inhibit_policy_ma"
2416 u"pping=None)>"
2417 )
2418
2419 def test_eq(self):
2420 pc = x509.PolicyConstraints(2, 1)
2421 pc2 = x509.PolicyConstraints(2, 1)
2422 assert pc == pc2
2423
2424 def test_ne(self):
2425 pc = x509.PolicyConstraints(2, 1)
2426 pc2 = x509.PolicyConstraints(2, 2)
2427 pc3 = x509.PolicyConstraints(3, 1)
2428 assert pc != pc2
2429 assert pc != pc3
2430 assert pc != object()
2431
2432
Alex Gaynora9885602016-02-27 09:53:46 -0500[diff] [blame]2433@pytest.mark.requires_backend_interface(interface=RSABackend)
2434@pytest.mark.requires_backend_interface(interface=X509Backend)
2435class TestPolicyConstraintsExtension(object):
Alex Gaynor3f040c42016-02-27 10:01:00 -0500[diff] [blame]2436 def test_inhibit_policy_mapping(self, backend):
Alex Gaynora9885602016-02-27 09:53:46 -0500[diff] [blame]2437 cert = _load_cert(
Alex Gaynorebb7fa12016-02-27 13:36:22 -0500[diff] [blame]2438 os.path.join("x509", "department-of-state-root.pem"),
Alex Gaynora9885602016-02-27 09:53:46 -0500[diff] [blame]2439 x509.load_pem_x509_certificate,
2440 backend
2441 )
2442 ext = cert.extensions.get_extension_for_oid(
2443 ExtensionOID.POLICY_CONSTRAINTS,
2444 )
2445 assert ext.critical is True
2446
2447 assert ext.value == x509.PolicyConstraints(
2448 require_explicit_policy=None, inhibit_policy_mapping=0,
2449 )
2450
Alex Gaynorebb7fa12016-02-27 13:36:22 -0500[diff] [blame]2451 def test_require_explicit_policy(self, backend):
2452 cert = _load_cert(
2453 os.path.join("x509", "custom", "policy_constraints_explicit.pem"),
2454 x509.load_pem_x509_certificate,
2455 backend
2456 )
2457 ext = cert.extensions.get_extension_for_oid(
2458 ExtensionOID.POLICY_CONSTRAINTS
2459 )
2460 assert ext.critical is True
2461 assert ext.value == x509.PolicyConstraints(
2462 require_explicit_policy=1, inhibit_policy_mapping=None,
2463 )
2464
Alex Gaynora9885602016-02-27 09:53:46 -0500[diff] [blame]2465
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2466class TestAuthorityInformationAccess(object):
2467 def test_invalid_descriptions(self):
2468 with pytest.raises(TypeError):
2469 x509.AuthorityInformationAccess(["notanAccessDescription"])
2470
2471 def test_iter_len(self):
2472 aia = x509.AuthorityInformationAccess([
2473 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2474 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2475 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2476 ),
2477 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2478 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2479 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2480 )
2481 ])
2482 assert len(aia) == 2
2483 assert list(aia) == [
2484 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2485 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2486 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2487 ),
2488 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2489 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2490 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2491 )
2492 ]
2493
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]2494 def test_iter_input(self):
2495 desc = [
2496 x509.AccessDescription(
2497 AuthorityInformationAccessOID.OCSP,
2498 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2499 )
2500 ]
2501 aia = x509.AuthorityInformationAccess(iter(desc))
2502 assert list(aia) == desc
2503
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2504 def test_repr(self):
2505 aia = x509.AuthorityInformationAccess([
2506 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2507 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2508 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2509 ),
2510 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2511 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2512 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2513 )
2514 ])
2515 assert repr(aia) == (
2516 "<AuthorityInformationAccess([<AccessDescription(access_method=<Ob"
2517 "jectIdentifier(oid=1.3.6.1.5.5.7.48.1, name=OCSP)>, access_locati"
2518 "on=<UniformResourceIdentifier(value=http://ocsp.domain.com)>)>, <"
2519 "AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5.5"
2520 ".7.48.2, name=caIssuers)>, access_location=<UniformResourceIdenti"
2521 "fier(value=http://domain.com/ca.crt)>)>])>"
2522 )
2523
2524 def test_eq(self):
2525 aia = x509.AuthorityInformationAccess([
2526 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2527 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2528 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2529 ),
2530 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2531 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2532 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2533 )
2534 ])
2535 aia2 = x509.AuthorityInformationAccess([
2536 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2537 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2538 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2539 ),
2540 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2541 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2542 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2543 )
2544 ])
2545 assert aia == aia2
2546
2547 def test_ne(self):
2548 aia = x509.AuthorityInformationAccess([
2549 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2550 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2551 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2552 ),
2553 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2554 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2555 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2556 )
2557 ])
2558 aia2 = x509.AuthorityInformationAccess([
2559 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2560 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2561 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2562 ),
2563 ])
2564
2565 assert aia != aia2
2566 assert aia != object()
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2567
Paul Kehrerad4b3592015-12-27 17:27:40 -0600[diff] [blame]2568 def test_indexing(self):
2569 aia = x509.AuthorityInformationAccess([
2570 x509.AccessDescription(
2571 AuthorityInformationAccessOID.OCSP,
2572 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2573 ),
2574 x509.AccessDescription(
2575 AuthorityInformationAccessOID.CA_ISSUERS,
2576 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2577 ),
2578 x509.AccessDescription(
2579 AuthorityInformationAccessOID.OCSP,
2580 x509.UniformResourceIdentifier(u"http://ocsp2.domain.com")
2581 ),
2582 x509.AccessDescription(
2583 AuthorityInformationAccessOID.OCSP,
2584 x509.UniformResourceIdentifier(u"http://ocsp3.domain.com")
2585 ),
2586 x509.AccessDescription(
2587 AuthorityInformationAccessOID.OCSP,
2588 x509.UniformResourceIdentifier(u"http://ocsp4.domain.com")
2589 ),
2590 ])
2591 assert aia[-1] == aia[4]
2592 assert aia[2:6:2] == [aia[2], aia[4]]
2593
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2594
2595@pytest.mark.requires_backend_interface(interface=RSABackend)
2596@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2597class TestAuthorityInformationAccessExtension(object):
2598 def test_aia_ocsp_ca_issuers(self, backend):
2599 cert = _load_cert(
2600 os.path.join("x509", "cryptography.io.pem"),
2601 x509.load_pem_x509_certificate,
2602 backend
2603 )
2604 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2605 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2606 )
2607 assert ext is not None
2608 assert ext.critical is False
2609
2610 assert ext.value == x509.AuthorityInformationAccess([
2611 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2612 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2613 x509.UniformResourceIdentifier(u"http://gv.symcd.com")
2614 ),
2615 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2616 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2617 x509.UniformResourceIdentifier(u"http://gv.symcb.com/gv.crt")
2618 ),
2619 ])
2620
2621 def test_aia_multiple_ocsp_ca_issuers(self, backend):
2622 cert = _load_cert(
2623 os.path.join("x509", "custom", "aia_ocsp_ca_issuers.pem"),
2624 x509.load_pem_x509_certificate,
2625 backend
2626 )
2627 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2628 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2629 )
2630 assert ext is not None
2631 assert ext.critical is False
2632
2633 assert ext.value == x509.AuthorityInformationAccess([
2634 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2635 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2636 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2637 ),
2638 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2639 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2640 x509.UniformResourceIdentifier(u"http://ocsp2.domain.com")
2641 ),
2642 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2643 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2644 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2645 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
2646 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2647 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2648 ]))
2649 ),
2650 ])
2651
2652 def test_aia_ocsp_only(self, backend):
2653 cert = _load_cert(
2654 os.path.join("x509", "custom", "aia_ocsp.pem"),
2655 x509.load_pem_x509_certificate,
2656 backend
2657 )
2658 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2659 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2660 )
2661 assert ext is not None
2662 assert ext.critical is False
2663
2664 assert ext.value == x509.AuthorityInformationAccess([
2665 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2666 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2667 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2668 ),
2669 ])
2670
2671 def test_aia_ca_issuers_only(self, backend):
2672 cert = _load_cert(
2673 os.path.join("x509", "custom", "aia_ca_issuers.pem"),
2674 x509.load_pem_x509_certificate,
2675 backend
2676 )
2677 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2678 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2679 )
2680 assert ext is not None
2681 assert ext.critical is False
2682
2683 assert ext.value == x509.AuthorityInformationAccess([
2684 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2685 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2686 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2687 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
2688 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2689 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2690 ]))
2691 ),
2692 ])
2693
2694
2695@pytest.mark.requires_backend_interface(interface=RSABackend)
2696@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2697class TestAuthorityKeyIdentifierExtension(object):
2698 def test_aki_keyid(self, backend):
2699 cert = _load_cert(
2700 os.path.join(
2701 "x509", "cryptography.io.pem"
2702 ),
2703 x509.load_pem_x509_certificate,
2704 backend
2705 )
2706 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2707 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2708 )
2709 assert ext is not None
2710 assert ext.critical is False
2711
2712 assert ext.value.key_identifier == (
2713 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08\xcbY"
2714 )
2715 assert ext.value.authority_cert_issuer is None
2716 assert ext.value.authority_cert_serial_number is None
2717
2718 def test_aki_all_fields(self, backend):
2719 cert = _load_cert(
2720 os.path.join(
2721 "x509", "custom", "authority_key_identifier.pem"
2722 ),
2723 x509.load_pem_x509_certificate,
2724 backend
2725 )
2726 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2727 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2728 )
2729 assert ext is not None
2730 assert ext.critical is False
2731
2732 assert ext.value.key_identifier == (
2733 b"9E>\xca=b\x1d\xea\x86I\xf6Z\xab@\xb7\xa4p\x98\xf1\xec"
2734 )
2735 assert ext.value.authority_cert_issuer == [
2736 x509.DirectoryName(
2737 x509.Name([
2738 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2739 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2740 ),
2741 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2742 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2743 )
2744 ])
2745 )
2746 ]
2747 assert ext.value.authority_cert_serial_number == 3
2748
2749 def test_aki_no_keyid(self, backend):
2750 cert = _load_cert(
2751 os.path.join(
2752 "x509", "custom", "authority_key_identifier_no_keyid.pem"
2753 ),
2754 x509.load_pem_x509_certificate,
2755 backend
2756 )
2757 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2758 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2759 )
2760 assert ext is not None
2761 assert ext.critical is False
2762
2763 assert ext.value.key_identifier is None
2764 assert ext.value.authority_cert_issuer == [
2765 x509.DirectoryName(
2766 x509.Name([
2767 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2768 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2769 ),
2770 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2771 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2772 )
2773 ])
2774 )
2775 ]
2776 assert ext.value.authority_cert_serial_number == 3
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2777
Paul Kehrer253929a2015-08-05 17:30:39 +0100[diff] [blame]2778 def test_from_certificate(self, backend):
2779 issuer_cert = _load_cert(
2780 os.path.join("x509", "rapidssl_sha256_ca_g3.pem"),
2781 x509.load_pem_x509_certificate,
2782 backend
2783 )
2784 cert = _load_cert(
2785 os.path.join("x509", "cryptography.io.pem"),
2786 x509.load_pem_x509_certificate,
2787 backend
2788 )
2789 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2790 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrer253929a2015-08-05 17:30:39 +0100[diff] [blame]2791 )
2792 aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(
2793 issuer_cert.public_key()
2794 )
2795 assert ext.value == aki
2796
Paul Kehrer61ff3562016-03-11 22:51:27 -0400[diff] [blame]2797 def test_from_issuer_subject_key_identifier(self, backend):
2798 issuer_cert = _load_cert(
2799 os.path.join("x509", "rapidssl_sha256_ca_g3.pem"),
2800 x509.load_pem_x509_certificate,
2801 backend
2802 )
2803 cert = _load_cert(
2804 os.path.join("x509", "cryptography.io.pem"),
2805 x509.load_pem_x509_certificate,
2806 backend
2807 )
2808 ext = cert.extensions.get_extension_for_oid(
2809 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
2810 )
2811 ski = issuer_cert.extensions.get_extension_for_class(
2812 x509.SubjectKeyIdentifier
2813 )
2814 aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
2815 ski
2816 )
2817 assert ext.value == aki
2818
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2819
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2820class TestNameConstraints(object):
2821 def test_ipaddress_wrong_type(self):
2822 with pytest.raises(TypeError):
2823 x509.NameConstraints(
2824 permitted_subtrees=[
2825 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2826 ],
2827 excluded_subtrees=None
2828 )
2829
2830 with pytest.raises(TypeError):
2831 x509.NameConstraints(
2832 permitted_subtrees=None,
2833 excluded_subtrees=[
2834 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2835 ]
2836 )
2837
2838 def test_ipaddress_allowed_type(self):
2839 permitted = [x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29"))]
2840 excluded = [x509.IPAddress(ipaddress.IPv4Network(u"10.10.0.0/24"))]
2841 nc = x509.NameConstraints(
2842 permitted_subtrees=permitted,
2843 excluded_subtrees=excluded
2844 )
2845 assert nc.permitted_subtrees == permitted
2846 assert nc.excluded_subtrees == excluded
2847
2848 def test_invalid_permitted_subtrees(self):
2849 with pytest.raises(TypeError):
2850 x509.NameConstraints("badpermitted", None)
2851
2852 def test_invalid_excluded_subtrees(self):
2853 with pytest.raises(TypeError):
2854 x509.NameConstraints(None, "badexcluded")
2855
2856 def test_no_subtrees(self):
2857 with pytest.raises(ValueError):
2858 x509.NameConstraints(None, None)
2859
2860 def test_permitted_none(self):
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]2861 excluded = [x509.DNSName(b"name.local")]
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2862 nc = x509.NameConstraints(
2863 permitted_subtrees=None, excluded_subtrees=excluded
2864 )
2865 assert nc.permitted_subtrees is None
2866 assert nc.excluded_subtrees is not None
2867
2868 def test_excluded_none(self):
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]2869 permitted = [x509.DNSName(b"name.local")]
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2870 nc = x509.NameConstraints(
2871 permitted_subtrees=permitted, excluded_subtrees=None
2872 )
2873 assert nc.permitted_subtrees is not None
2874 assert nc.excluded_subtrees is None
2875
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]2876 def test_iter_input(self):
2877 subtrees = [x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24"))]
2878 nc = x509.NameConstraints(iter(subtrees), iter(subtrees))
2879 assert list(nc.permitted_subtrees) == subtrees
2880 assert list(nc.excluded_subtrees) == subtrees
2881
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2882 def test_repr(self):
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]2883 permitted = [x509.DNSName(b"name.local"), x509.DNSName(b"name2.local")]
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2884 nc = x509.NameConstraints(
2885 permitted_subtrees=permitted,
2886 excluded_subtrees=None
2887 )
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]2888 if six.PY3:
2889 assert repr(nc) == (
2890 "<NameConstraints(permitted_subtrees=[<DNSName("
2891 "bytes_value=b'name.local')>, <DNSName(bytes_value="
2892 "b'name2.local')>], excluded_subtrees=None)>"
2893 )
2894 else:
2895 assert repr(nc) == (
2896 "<NameConstraints(permitted_subtrees=[<DNSName("
2897 "bytes_value='name.local')>, <DNSName(bytes_value="
2898 "'name2.local')>], excluded_subtrees=None)>"
2899 )
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2900
Paul Kehrer31894282015-06-21 21:46:41 -0500[diff] [blame]2901 def test_eq(self):
2902 nc = x509.NameConstraints(
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]2903 permitted_subtrees=[x509.DNSName(b"name.local")],
2904 excluded_subtrees=[x509.DNSName(b"name2.local")]
Paul Kehrer31894282015-06-21 21:46:41 -0500[diff] [blame]2905 )
2906 nc2 = x509.NameConstraints(
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]2907 permitted_subtrees=[x509.DNSName(b"name.local")],
2908 excluded_subtrees=[x509.DNSName(b"name2.local")]
Paul Kehrer31894282015-06-21 21:46:41 -0500[diff] [blame]2909 )
2910 assert nc == nc2
2911
2912 def test_ne(self):
2913 nc = x509.NameConstraints(
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]2914 permitted_subtrees=[x509.DNSName(b"name.local")],
2915 excluded_subtrees=[x509.DNSName(b"name2.local")]
Paul Kehrer31894282015-06-21 21:46:41 -0500[diff] [blame]2916 )
2917 nc2 = x509.NameConstraints(
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]2918 permitted_subtrees=[x509.DNSName(b"name.local")],
Paul Kehrer31894282015-06-21 21:46:41 -0500[diff] [blame]2919 excluded_subtrees=None
2920 )
2921 nc3 = x509.NameConstraints(
2922 permitted_subtrees=None,
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]2923 excluded_subtrees=[x509.DNSName(b"name2.local")]
Paul Kehrer31894282015-06-21 21:46:41 -0500[diff] [blame]2924 )
2925
2926 assert nc != nc2
2927 assert nc != nc3
2928 assert nc != object()
2929
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2930
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2931@pytest.mark.requires_backend_interface(interface=RSABackend)
2932@pytest.mark.requires_backend_interface(interface=X509Backend)
2933class TestNameConstraintsExtension(object):
2934 def test_permitted_excluded(self, backend):
2935 cert = _load_cert(
2936 os.path.join(
2937 "x509", "custom", "nc_permitted_excluded_2.pem"
2938 ),
2939 x509.load_pem_x509_certificate,
2940 backend
2941 )
2942 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2943 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2944 ).value
2945 assert nc == x509.NameConstraints(
2946 permitted_subtrees=[
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]2947 x509.DNSName(b"zombo.local"),
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2948 ],
2949 excluded_subtrees=[
2950 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2951 x509.NameAttribute(NameOID.COMMON_NAME, u"zombo")
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2952 ]))
2953 ]
2954 )
2955
2956 def test_permitted(self, backend):
2957 cert = _load_cert(
2958 os.path.join(
2959 "x509", "custom", "nc_permitted_2.pem"
2960 ),
2961 x509.load_pem_x509_certificate,
2962 backend
2963 )
2964 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2965 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2966 ).value
2967 assert nc == x509.NameConstraints(
2968 permitted_subtrees=[
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]2969 x509.DNSName(b"zombo.local"),
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2970 ],
2971 excluded_subtrees=None
2972 )
2973
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2974 def test_permitted_with_leading_period(self, backend):
2975 cert = _load_cert(
2976 os.path.join(
2977 "x509", "custom", "nc_permitted.pem"
2978 ),
2979 x509.load_pem_x509_certificate,
2980 backend
2981 )
2982 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2983 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2984 ).value
2985 assert nc == x509.NameConstraints(
2986 permitted_subtrees=[
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]2987 x509.DNSName(b".cryptography.io"),
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2988 x509.UniformResourceIdentifier(u"ftp://cryptography.test")
2989 ],
2990 excluded_subtrees=None
2991 )
2992
2993 def test_excluded_with_leading_period(self, backend):
2994 cert = _load_cert(
2995 os.path.join(
2996 "x509", "custom", "nc_excluded.pem"
2997 ),
2998 x509.load_pem_x509_certificate,
2999 backend
3000 )
3001 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3002 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]3003 ).value
3004 assert nc == x509.NameConstraints(
3005 permitted_subtrees=None,
3006 excluded_subtrees=[
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]3007 x509.DNSName(b".cryptography.io"),
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]3008 x509.UniformResourceIdentifier(u"gopher://cryptography.test")
3009 ]
3010 )
3011
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]3012 def test_permitted_excluded_with_ips(self, backend):
3013 cert = _load_cert(
3014 os.path.join(
3015 "x509", "custom", "nc_permitted_excluded.pem"
3016 ),
3017 x509.load_pem_x509_certificate,
3018 backend
3019 )
3020 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3021 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]3022 ).value
3023 assert nc == x509.NameConstraints(
3024 permitted_subtrees=[
3025 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")),
3026 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")),
3027 ],
3028 excluded_subtrees=[
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]3029 x509.DNSName(b".domain.com"),
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]3030 x509.UniformResourceIdentifier(u"http://test.local"),
3031 ]
3032 )
3033
Paul Kehrera72ebaf2015-07-01 21:07:37 -0500[diff] [blame]3034 def test_single_ip_netmask(self, backend):
3035 cert = _load_cert(
3036 os.path.join(
3037 "x509", "custom", "nc_single_ip_netmask.pem"
3038 ),
3039 x509.load_pem_x509_certificate,
3040 backend
3041 )
3042 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3043 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrera72ebaf2015-07-01 21:07:37 -0500[diff] [blame]3044 ).value
3045 assert nc == x509.NameConstraints(
3046 permitted_subtrees=[
3047 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/128")),
3048 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.1/32")),
3049 ],
3050 excluded_subtrees=None
3051 )
3052
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]3053 def test_invalid_netmask(self, backend):
3054 cert = _load_cert(
3055 os.path.join(
3056 "x509", "custom", "nc_invalid_ip_netmask.pem"
3057 ),
3058 x509.load_pem_x509_certificate,
3059 backend
3060 )
3061 with pytest.raises(ValueError):
3062 cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3063 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]3064 )
3065
Marti4739cfc2016-08-02 04:03:25 +0300[diff] [blame]3066 def test_certbuilder(self, backend):
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]3067 permitted = [b'.example.org', b'.xn--4ca7aey.example.com',
3068 b'foobar.example.net']
Marti4739cfc2016-08-02 04:03:25 +0300[diff] [blame]3069 private_key = RSA_KEY_2048.private_key(backend)
3070 builder = _make_certbuilder(private_key)
3071 builder = builder.add_extension(
3072 NameConstraints(permitted_subtrees=list(map(DNSName, permitted)),
3073 excluded_subtrees=[]), True)
3074
3075 cert = builder.sign(private_key, hashes.SHA1(), backend)
Alex Gaynorcdaf3ff2017-07-30 13:08:51 -0400[diff] [blame]3076 result = [
3077 x.bytes_value
3078 for x in cert.extensions.get_extension_for_class(
3079 NameConstraints
3080 ).value.permitted_subtrees
3081 ]
Marti4739cfc2016-08-02 04:03:25 +0300[diff] [blame]3082 assert result == permitted
3083
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]3084
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3085class TestDistributionPoint(object):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3086 def test_distribution_point_full_name_not_general_names(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3087 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3088 x509.DistributionPoint(["notgn"], None, None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3089
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3090 def test_distribution_point_relative_name_not_name(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3091 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3092 x509.DistributionPoint(None, "notname", None, None)
3093
3094 def test_distribution_point_full_and_relative_not_none(self):
3095 with pytest.raises(ValueError):
3096 x509.DistributionPoint("data", "notname", None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3097
3098 def test_crl_issuer_not_general_names(self):
3099 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3100 x509.DistributionPoint(None, None, None, ["notgn"])
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3101
3102 def test_reason_not_reasonflags(self):
3103 with pytest.raises(TypeError):
3104 x509.DistributionPoint(
3105 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3106 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]3107 frozenset(["notreasonflags"]),
3108 None
3109 )
3110
3111 def test_reason_not_frozenset(self):
3112 with pytest.raises(TypeError):
3113 x509.DistributionPoint(
3114 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
3115 None,
3116 [x509.ReasonFlags.ca_compromise],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3117 None
3118 )
3119
3120 def test_disallowed_reasons(self):
3121 with pytest.raises(ValueError):
3122 x509.DistributionPoint(
3123 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
3124 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]3125 frozenset([x509.ReasonFlags.unspecified]),
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3126 None
3127 )
3128
3129 with pytest.raises(ValueError):
3130 x509.DistributionPoint(
3131 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
3132 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]3133 frozenset([x509.ReasonFlags.remove_from_crl]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3134 None
3135 )
3136
3137 def test_reason_only(self):
3138 with pytest.raises(ValueError):
3139 x509.DistributionPoint(
3140 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3141 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]3142 frozenset([x509.ReasonFlags.aa_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3143 None
3144 )
3145
3146 def test_eq(self):
3147 dp = x509.DistributionPoint(
3148 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3149 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]3150 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3151 [
3152 x509.DirectoryName(
3153 x509.Name([
3154 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3155 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3156 )
3157 ])
3158 )
3159 ],
3160 )
3161 dp2 = x509.DistributionPoint(
3162 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3163 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]3164 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3165 [
3166 x509.DirectoryName(
3167 x509.Name([
3168 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3169 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3170 )
3171 ])
3172 )
3173 ],
3174 )
3175 assert dp == dp2
3176
3177 def test_ne(self):
3178 dp = x509.DistributionPoint(
3179 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3180 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]3181 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3182 [
3183 x509.DirectoryName(
3184 x509.Name([
3185 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3186 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3187 )
3188 ])
3189 )
3190 ],
3191 )
3192 dp2 = x509.DistributionPoint(
3193 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
3194 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3195 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3196 None
3197 )
3198 assert dp != dp2
3199 assert dp != object()
3200
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]3201 def test_iter_input(self):
3202 name = [x509.UniformResourceIdentifier(u"http://crypt.og/crl")]
3203 issuer = [
3204 x509.DirectoryName(
3205 x509.Name([
3206 x509.NameAttribute(NameOID.COMMON_NAME, u"Important CA")
3207 ])
3208 )
3209 ]
3210 dp = x509.DistributionPoint(
3211 iter(name),
3212 None,
3213 frozenset([x509.ReasonFlags.ca_compromise]),
3214 iter(issuer),
3215 )
3216 assert list(dp.full_name) == name
3217 assert list(dp.crl_issuer) == issuer
3218
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3219 def test_repr(self):
3220 dp = x509.DistributionPoint(
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3221 None,
Fraser Tweedale02467dd2016-11-07 15:54:04 +1000[diff] [blame]3222 x509.RelativeDistinguishedName([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3223 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN")
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3224 ]),
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]3225 frozenset([x509.ReasonFlags.ca_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3226 [
3227 x509.DirectoryName(
3228 x509.Name([
3229 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3230 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3231 )
3232 ])
3233 )
3234 ],
3235 )
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]3236 if six.PY3:
3237 assert repr(dp) == (
Fraser Tweedale02467dd2016-11-07 15:54:04 +1000[diff] [blame]3238 "<DistributionPoint(full_name=None, relative_name=<RelativeDis"
3239 "tinguishedName([<NameAttribute(oid=<ObjectIdentifier(oid=2.5."
3240 "4.3, name=commonName)>, value='myCN')>])>, reasons=frozenset("
3241 "{<ReasonFlags.ca_compromise: 'cACompromise'>}), crl_issuer=[<"
3242 "DirectoryName(value=<Name([<NameAttribute(oid=<ObjectIdentifi"
3243 "er(oid=2.5.4.3, name=commonName)>, value='Important CA')>])>)"
3244 ">])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]3245 )
3246 else:
3247 assert repr(dp) == (
Fraser Tweedale02467dd2016-11-07 15:54:04 +1000[diff] [blame]3248 "<DistributionPoint(full_name=None, relative_name=<RelativeDis"
3249 "tinguishedName([<NameAttribute(oid=<ObjectIdentifier(oid=2.5."
3250 "4.3, name=commonName)>, value=u'myCN')>])>, reasons=frozenset"
3251 "([<ReasonFlags.ca_compromise: 'cACompromise'>]), crl_issuer=["
3252 "<DirectoryName(value=<Name([<NameAttribute(oid=<ObjectIdentif"
3253 "ier(oid=2.5.4.3, name=commonName)>, value=u'Important CA')>])"
3254 ">)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]3255 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3256
3257
3258class TestCRLDistributionPoints(object):
3259 def test_invalid_distribution_points(self):
3260 with pytest.raises(TypeError):
3261 x509.CRLDistributionPoints(["notadistributionpoint"])
3262
3263 def test_iter_len(self):
3264 cdp = x509.CRLDistributionPoints([
3265 x509.DistributionPoint(
3266 [x509.UniformResourceIdentifier(u"http://domain")],
3267 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3268 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3269 None
3270 ),
3271 x509.DistributionPoint(
3272 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3273 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]3274 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3275 x509.ReasonFlags.key_compromise,
3276 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]3277 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3278 None
3279 ),
3280 ])
3281 assert len(cdp) == 2
3282 assert list(cdp) == [
3283 x509.DistributionPoint(
3284 [x509.UniformResourceIdentifier(u"http://domain")],
3285 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3286 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3287 None
3288 ),
3289 x509.DistributionPoint(
3290 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3291 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]3292 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3293 x509.ReasonFlags.key_compromise,
3294 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]3295 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3296 None
3297 ),
3298 ]
3299
Marti40f19992016-08-26 04:26:31 +0300[diff] [blame]3300 def test_iter_input(self):
3301 points = [
3302 x509.DistributionPoint(
3303 [x509.UniformResourceIdentifier(u"http://domain")],
3304 None,
3305 None,
3306 None
3307 ),
3308 ]
3309 cdp = x509.CRLDistributionPoints(iter(points))
3310 assert list(cdp) == points
3311
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3312 def test_repr(self):
3313 cdp = x509.CRLDistributionPoints([
3314 x509.DistributionPoint(
3315 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3316 None,
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]3317 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3318 None
3319 ),
3320 ])
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]3321 if six.PY3:
3322 assert repr(cdp) == (
3323 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
3324 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
3325 "ne, reasons=frozenset({<ReasonFlags.key_compromise: 'keyComp"
3326 "romise'>}), crl_issuer=None)>])>"
3327 )
3328 else:
3329 assert repr(cdp) == (
3330 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
3331 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
3332 "ne, reasons=frozenset([<ReasonFlags.key_compromise: 'keyComp"
3333 "romise'>]), crl_issuer=None)>])>"
3334 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3335
3336 def test_eq(self):
3337 cdp = x509.CRLDistributionPoints([
3338 x509.DistributionPoint(
3339 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3340 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]3341 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3342 x509.ReasonFlags.key_compromise,
3343 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]3344 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3345 [x509.UniformResourceIdentifier(u"uri://thing")],
3346 ),
3347 ])
3348 cdp2 = x509.CRLDistributionPoints([
3349 x509.DistributionPoint(
3350 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3351 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]3352 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3353 x509.ReasonFlags.key_compromise,
3354 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]3355 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3356 [x509.UniformResourceIdentifier(u"uri://thing")],
3357 ),
3358 ])
3359 assert cdp == cdp2
3360
3361 def test_ne(self):
3362 cdp = x509.CRLDistributionPoints([
3363 x509.DistributionPoint(
3364 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3365 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]3366 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3367 x509.ReasonFlags.key_compromise,
3368 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]3369 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3370 [x509.UniformResourceIdentifier(u"uri://thing")],
3371 ),
3372 ])
3373 cdp2 = x509.CRLDistributionPoints([
3374 x509.DistributionPoint(
3375 [x509.UniformResourceIdentifier(u"ftp://domain2")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3376 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]3377 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3378 x509.ReasonFlags.key_compromise,
3379 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]3380 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3381 [x509.UniformResourceIdentifier(u"uri://thing")],
3382 ),
3383 ])
3384 cdp3 = x509.CRLDistributionPoints([
3385 x509.DistributionPoint(
3386 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3387 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]3388 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3389 [x509.UniformResourceIdentifier(u"uri://thing")],
3390 ),
3391 ])
3392 cdp4 = x509.CRLDistributionPoints([
3393 x509.DistributionPoint(
3394 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3395 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]3396 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]3397 x509.ReasonFlags.key_compromise,
3398 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]3399 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]3400 [x509.UniformResourceIdentifier(u"uri://thing2")],
3401 ),
3402 ])
3403 assert cdp != cdp2
3404 assert cdp != cdp3
3405 assert cdp != cdp4
3406 assert cdp != object()
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3407
Paul Kehreree2e92d2015-12-27 17:29:37 -0600[diff] [blame]3408 def test_indexing(self):
3409 ci = x509.CRLDistributionPoints([
3410 x509.DistributionPoint(
3411 None, None, None,
3412 [x509.UniformResourceIdentifier(u"uri://thing")],
3413 ),
3414 x509.DistributionPoint(
3415 None, None, None,
3416 [x509.UniformResourceIdentifier(u"uri://thing2")],
3417 ),
3418 x509.DistributionPoint(
3419 None, None, None,
3420 [x509.UniformResourceIdentifier(u"uri://thing3")],
3421 ),
3422 x509.DistributionPoint(
3423 None, None, None,
3424 [x509.UniformResourceIdentifier(u"uri://thing4")],
3425 ),
3426 x509.DistributionPoint(
3427 None, None, None,
3428 [x509.UniformResourceIdentifier(u"uri://thing5")],
3429 ),
3430 ])
3431 assert ci[-1] == ci[4]
3432 assert ci[2:6:2] == [ci[2], ci[4]]
3433
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3434
3435@pytest.mark.requires_backend_interface(interface=RSABackend)
3436@pytest.mark.requires_backend_interface(interface=X509Backend)
3437class TestCRLDistributionPointsExtension(object):
3438 def test_fullname_and_crl_issuer(self, backend):
3439 cert = _load_cert(
3440 os.path.join(
3441 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest28EE.crt"
3442 ),
3443 x509.load_der_x509_certificate,
3444 backend
3445 )
3446
3447 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3448 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3449 ).value
3450
3451 assert cdps == x509.CRLDistributionPoints([
3452 x509.DistributionPoint(
3453 full_name=[x509.DirectoryName(
3454 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3455 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3456 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3457 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3458 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3459 ),
3460 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3461 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3462 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3463 ),
3464 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3465 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3466 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3467 ),
3468 ])
3469 )],
3470 relative_name=None,
3471 reasons=None,
3472 crl_issuer=[x509.DirectoryName(
3473 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3474 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3475 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3476 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3477 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3478 ),
3479 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3480 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3481 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3482 ),
3483 ])
3484 )],
3485 )
3486 ])
3487
3488 def test_relativename_and_crl_issuer(self, backend):
3489 cert = _load_cert(
3490 os.path.join(
3491 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest29EE.crt"
3492 ),
3493 x509.load_der_x509_certificate,
3494 backend
3495 )
3496
3497 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3498 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3499 ).value
3500
3501 assert cdps == x509.CRLDistributionPoints([
3502 x509.DistributionPoint(
3503 full_name=None,
Fraser Tweedale02467dd2016-11-07 15:54:04 +1000[diff] [blame]3504 relative_name=x509.RelativeDistinguishedName([
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3505 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3506 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3507 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3508 ),
3509 ]),
3510 reasons=None,
3511 crl_issuer=[x509.DirectoryName(
3512 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3513 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3514 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3515 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3516 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3517 ),
3518 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3519 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3520 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3521 ),
3522 ])
3523 )],
3524 )
3525 ])
3526
3527 def test_fullname_crl_issuer_reasons(self, backend):
3528 cert = _load_cert(
3529 os.path.join(
3530 "x509", "custom", "cdp_fullname_reasons_crl_issuer.pem"
3531 ),
3532 x509.load_pem_x509_certificate,
3533 backend
3534 )
3535
3536 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3537 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3538 ).value
3539
3540 assert cdps == x509.CRLDistributionPoints([
3541 x509.DistributionPoint(
3542 full_name=[x509.UniformResourceIdentifier(
3543 u"http://myhost.com/myca.crl"
3544 )],
3545 relative_name=None,
3546 reasons=frozenset([
3547 x509.ReasonFlags.key_compromise,
3548 x509.ReasonFlags.ca_compromise
3549 ]),
3550 crl_issuer=[x509.DirectoryName(
3551 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3552 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3553 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3554 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3555 ),
3556 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3557 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3558 ),
3559 ])
3560 )],
3561 )
3562 ])
3563
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3564 def test_all_reasons(self, backend):
3565 cert = _load_cert(
3566 os.path.join(
3567 "x509", "custom", "cdp_all_reasons.pem"
3568 ),
3569 x509.load_pem_x509_certificate,
3570 backend
3571 )
3572
3573 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3574 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3575 ).value
3576
3577 assert cdps == x509.CRLDistributionPoints([
3578 x509.DistributionPoint(
3579 full_name=[x509.UniformResourceIdentifier(
3580 u"http://domain.com/some.crl"
3581 )],
3582 relative_name=None,
3583 reasons=frozenset([
3584 x509.ReasonFlags.key_compromise,
3585 x509.ReasonFlags.ca_compromise,
3586 x509.ReasonFlags.affiliation_changed,
3587 x509.ReasonFlags.superseded,
3588 x509.ReasonFlags.privilege_withdrawn,
3589 x509.ReasonFlags.cessation_of_operation,
3590 x509.ReasonFlags.aa_compromise,
3591 x509.ReasonFlags.certificate_hold,
3592 ]),
3593 crl_issuer=None
3594 )
3595 ])
3596
3597 def test_single_reason(self, backend):
3598 cert = _load_cert(
3599 os.path.join(
3600 "x509", "custom", "cdp_reason_aa_compromise.pem"
3601 ),
3602 x509.load_pem_x509_certificate,
3603 backend
3604 )
3605
3606 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3607 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3608 ).value
3609
3610 assert cdps == x509.CRLDistributionPoints([
3611 x509.DistributionPoint(
3612 full_name=[x509.UniformResourceIdentifier(
3613 u"http://domain.com/some.crl"
3614 )],
3615 relative_name=None,
3616 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
3617 crl_issuer=None
3618 )
3619 ])
3620
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3621 def test_crl_issuer_only(self, backend):
3622 cert = _load_cert(
3623 os.path.join(
3624 "x509", "custom", "cdp_crl_issuer.pem"
3625 ),
3626 x509.load_pem_x509_certificate,
3627 backend
3628 )
3629
3630 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3631 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3632 ).value
3633
3634 assert cdps == x509.CRLDistributionPoints([
3635 x509.DistributionPoint(
3636 full_name=None,
3637 relative_name=None,
3638 reasons=None,
3639 crl_issuer=[x509.DirectoryName(
3640 x509.Name([
3641 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3642 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3643 ),
3644 ])
3645 )],
3646 )
3647 ])
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3648
Dominic Chen87bb9572015-10-09 00:23:07 -0400[diff] [blame]3649 def test_crl_empty_hostname(self, backend):
3650 cert = _load_cert(
3651 os.path.join(
3652 "x509", "custom", "cdp_empty_hostname.pem"
3653 ),
3654 x509.load_pem_x509_certificate,
3655 backend
3656 )
3657
3658 cdps = cert.extensions.get_extension_for_oid(
3659 ExtensionOID.CRL_DISTRIBUTION_POINTS
3660 ).value
3661
3662 assert cdps == x509.CRLDistributionPoints([
3663 x509.DistributionPoint(
3664 full_name=[x509.UniformResourceIdentifier(
3665 u"ldap:/CN=A,OU=B,dc=C,DC=D?E?F?G?H=I"
3666 )],
3667 relative_name=None,
3668 reasons=None,
3669 crl_issuer=None
3670 )
3671 ])
3672
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3673
Paul Kehrerf54a50b2015-06-17 18:31:26 -0600[diff] [blame]3674@pytest.mark.requires_backend_interface(interface=RSABackend)
3675@pytest.mark.requires_backend_interface(interface=X509Backend)
3676class TestOCSPNoCheckExtension(object):
3677 def test_nocheck(self, backend):
3678 cert = _load_cert(
3679 os.path.join(
3680 "x509", "custom", "ocsp_nocheck.pem"
3681 ),
3682 x509.load_pem_x509_certificate,
3683 backend
3684 )
3685 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3686 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf54a50b2015-06-17 18:31:26 -0600[diff] [blame]3687 )
3688 assert isinstance(ext.value, x509.OCSPNoCheck)
3689
3690
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3691class TestInhibitAnyPolicy(object):
3692 def test_not_int(self):
3693 with pytest.raises(TypeError):
3694 x509.InhibitAnyPolicy("notint")
3695
3696 def test_negative_int(self):
3697 with pytest.raises(ValueError):
3698 x509.InhibitAnyPolicy(-1)
3699
3700 def test_repr(self):
3701 iap = x509.InhibitAnyPolicy(0)
3702 assert repr(iap) == "<InhibitAnyPolicy(skip_certs=0)>"
3703
3704 def test_eq(self):
3705 iap = x509.InhibitAnyPolicy(1)
3706 iap2 = x509.InhibitAnyPolicy(1)
3707 assert iap == iap2
3708
3709 def test_ne(self):
3710 iap = x509.InhibitAnyPolicy(1)
3711 iap2 = x509.InhibitAnyPolicy(4)
3712 assert iap != iap2
3713 assert iap != object()
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]3714
Eeshan Garg0a0293e2016-02-01 12:56:40 -0330[diff] [blame]3715 def test_hash(self):
3716 iap = x509.InhibitAnyPolicy(1)
3717 iap2 = x509.InhibitAnyPolicy(1)
3718 iap3 = x509.InhibitAnyPolicy(4)
3719 assert hash(iap) == hash(iap2)
3720 assert hash(iap) != hash(iap3)
3721
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]3722
3723@pytest.mark.requires_backend_interface(interface=RSABackend)
3724@pytest.mark.requires_backend_interface(interface=X509Backend)
3725class TestInhibitAnyPolicyExtension(object):
3726 def test_nocheck(self, backend):
3727 cert = _load_cert(
3728 os.path.join(
3729 "x509", "custom", "inhibit_any_policy_5.pem"
3730 ),
3731 x509.load_pem_x509_certificate,
3732 backend
3733 )
3734 iap = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3735 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]3736 ).value
3737 assert iap.skip_certs == 5
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]3738
3739
3740@pytest.mark.requires_backend_interface(interface=RSABackend)
3741@pytest.mark.requires_backend_interface(interface=X509Backend)
Alex Gaynor6a0718f2017-06-04 13:36:58 -0400[diff] [blame]3742class TestPrecertificateSignedCertificateTimestampsExtension(object):
3743 def test_init(self):
3744 with pytest.raises(TypeError):
3745 x509.PrecertificateSignedCertificateTimestamps([object()])
3746
3747 def test_repr(self):
3748 assert repr(x509.PrecertificateSignedCertificateTimestamps([])) == (
3749 "<PrecertificateSignedCertificateTimestamps([])>"
3750 )
3751
Paul Kehrerce69b822017-07-04 15:59:38 -0500[diff] [blame]3752 @pytest.mark.supported(
3753 only_if=lambda backend: (
3754 backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER),
3755 skip_message="Requires OpenSSL 1.1.0f+",
3756 )
Alex Gaynor6a0718f2017-06-04 13:36:58 -0400[diff] [blame]3757 def test_simple(self, backend):
3758 cert = _load_cert(
3759 os.path.join("x509", "badssl-sct.pem"),
3760 x509.load_pem_x509_certificate,
3761 backend
3762 )
3763 scts = cert.extensions.get_extension_for_class(
3764 x509.PrecertificateSignedCertificateTimestamps
3765 ).value
3766 assert len(scts) == 1
3767 [sct] = scts
3768 assert scts[0] == sct
3769 assert sct.version == x509.certificate_transparency.Version.v1
3770 assert sct.log_id == (
3771 b"\xa7\xceJNb\x07\xe0\xad\xde\xe5\xfd\xaaK\x1f\x86v\x87g\xb5\xd0"
3772 b"\x02\xa5]G1\x0e~g\n\x95\xea\xb2"
3773 )
3774 assert sct.timestamp == datetime.datetime(
3775 2016, 11, 17, 1, 56, 25, 396000
3776 )
3777 assert (
3778 sct.entry_type ==
3779 x509.certificate_transparency.LogEntryType.PRE_CERTIFICATE
3780 )
3781
Paul Kehrerce69b822017-07-04 15:59:38 -0500[diff] [blame]3782 @pytest.mark.supported(
3783 only_if=lambda backend: (
3784 not backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER),
3785 skip_message="Requires OpenSSL < 1.1.0",
3786 )
3787 def test_skips_scts_if_unsupported(self, backend):
3788 cert = _load_cert(
3789 os.path.join("x509", "badssl-sct.pem"),
3790 x509.load_pem_x509_certificate,
3791 backend
3792 )
3793 assert len(cert.extensions) == 10
3794 with pytest.raises(x509.ExtensionNotFound):
3795 cert.extensions.get_extension_for_class(
3796 x509.PrecertificateSignedCertificateTimestamps
3797 )
3798
3799 ext = cert.extensions.get_extension_for_oid(
3800 x509.ExtensionOID.PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS
3801 )
3802 assert isinstance(ext.value, x509.UnrecognizedExtension)
3803
Alex Gaynor6a0718f2017-06-04 13:36:58 -0400[diff] [blame]3804
3805@pytest.mark.requires_backend_interface(interface=RSABackend)
3806@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1b7500f2015-08-01 20:56:27 +0100[diff] [blame]3807class TestInvalidExtension(object):
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]3808 def test_invalid_certificate_policies_data(self, backend):
3809 cert = _load_cert(
3810 os.path.join(
3811 "x509", "custom", "cp_invalid.pem"
3812 ),
3813 x509.load_pem_x509_certificate,
3814 backend
3815 )
3816 with pytest.raises(ValueError):
3817 cert.extensions