Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 8565f5ed4e76dbb9ff46cc9c112aa0eb6b259186 / . / tests / test_x509_ext.py
blob: e1312b6cefdcf20e0aa0e1c457d4f9f6f9e0a453 [file] [log] [blame]
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]7import binascii
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]8import ipaddress
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]9import os
10
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]11import pytest
12
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]13import six
14
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]15from cryptography import x509
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]16from cryptography.hazmat.backends.interfaces import RSABackend, X509Backend
17
18from .test_x509 import _load_cert
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]19
20
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]21class TestExtension(object):
22 def test_not_an_oid(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]23 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]24 with pytest.raises(TypeError):
25 x509.Extension("notanoid", True, bc)
26
27 def test_critical_not_a_bool(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]28 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]29 with pytest.raises(TypeError):
30 x509.Extension(x509.OID_BASIC_CONSTRAINTS, "notabool", bc)
31
32 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]33 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]34 ext = x509.Extension(x509.OID_BASIC_CONSTRAINTS, True, bc)
35 assert repr(ext) == (
36 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConst"
37 "raints)>, critical=True, value=<BasicConstraints(ca=False, path"
38 "_length=None)>)>"
39 )
40
41
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]42class TestNoticeReference(object):
43 def test_notice_numbers_not_all_int(self):
44 with pytest.raises(TypeError):
45 x509.NoticeReference("org", [1, 2, "three"])
46
47 def test_notice_numbers_none(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]48 with pytest.raises(TypeError):
49 x509.NoticeReference("org", None)
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]50
51 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]52 nr = x509.NoticeReference(u"org", [1, 3, 4])
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]53
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]54 if six.PY3:
55 assert repr(nr) == (
56 "<NoticeReference(organization='org', notice_numbers=[1, 3, 4"
57 "])>"
58 )
59 else:
60 assert repr(nr) == (
61 "<NoticeReference(organization=u'org', notice_numbers=[1, 3, "
62 "4])>"
63 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]64
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]65 def test_eq(self):
66 nr = x509.NoticeReference("org", [1, 2])
67 nr2 = x509.NoticeReference("org", [1, 2])
68 assert nr == nr2
69
70 def test_ne(self):
71 nr = x509.NoticeReference("org", [1, 2])
72 nr2 = x509.NoticeReference("org", [1])
73 nr3 = x509.NoticeReference(None, [1, 2])
74 assert nr != nr2
75 assert nr != nr3
76 assert nr != object()
77
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]78
79class TestUserNotice(object):
80 def test_notice_reference_invalid(self):
81 with pytest.raises(TypeError):
82 x509.UserNotice("invalid", None)
83
84 def test_notice_reference_none(self):
85 un = x509.UserNotice(None, "text")
86 assert un.notice_reference is None
87 assert un.explicit_text == "text"
88
89 def test_repr(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]90 un = x509.UserNotice(x509.NoticeReference(u"org", [1]), u"text")
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]91 if six.PY3:
92 assert repr(un) == (
93 "<UserNotice(notice_reference=<NoticeReference(organization='"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]94 "org', notice_numbers=[1])>, explicit_text='text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]95 )
96 else:
97 assert repr(un) == (
98 "<UserNotice(notice_reference=<NoticeReference(organization=u"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]99 "'org', notice_numbers=[1])>, explicit_text=u'text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]100 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]101
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]102 def test_eq(self):
103 nr = x509.NoticeReference("org", [1, 2])
104 nr2 = x509.NoticeReference("org", [1, 2])
105 un = x509.UserNotice(nr, "text")
106 un2 = x509.UserNotice(nr2, "text")
107 assert un == un2
108
109 def test_ne(self):
110 nr = x509.NoticeReference("org", [1, 2])
111 nr2 = x509.NoticeReference("org", [1])
112 un = x509.UserNotice(nr, "text")
113 un2 = x509.UserNotice(nr2, "text")
114 un3 = x509.UserNotice(nr, "text3")
115 assert un != un2
116 assert un != un3
117 assert un != object()
118
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]119
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]120class TestPolicyInformation(object):
121 def test_invalid_policy_identifier(self):
122 with pytest.raises(TypeError):
123 x509.PolicyInformation("notanoid", None)
124
125 def test_none_policy_qualifiers(self):
126 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), None)
127 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
128 assert pi.policy_qualifiers is None
129
130 def test_policy_qualifiers(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]131 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]132 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
133 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
134 assert pi.policy_qualifiers == pq
135
136 def test_invalid_policy_identifiers(self):
137 with pytest.raises(TypeError):
138 x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [1, 2])
139
140 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]141 pq = [u"string", x509.UserNotice(None, u"hi")]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]142 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]143 if six.PY3:
144 assert repr(pi) == (
145 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
146 "2.3, name=Unknown OID)>, policy_qualifiers=['string', <UserNo"
Paul Kehrer9aaef9e2015-05-11 10:49:20 -0500[diff] [blame]147 "tice(notice_reference=None, explicit_text='hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]148 )
149 else:
150 assert repr(pi) == (
151 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
152 "2.3, name=Unknown OID)>, policy_qualifiers=[u'string', <UserN"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]153 "otice(notice_reference=None, explicit_text=u'hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]154 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]155
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]156 def test_eq(self):
157 pi = x509.PolicyInformation(
158 x509.ObjectIdentifier("1.2.3"),
159 [u"string", x509.UserNotice(None, u"hi")]
160 )
161 pi2 = x509.PolicyInformation(
162 x509.ObjectIdentifier("1.2.3"),
163 [u"string", x509.UserNotice(None, u"hi")]
164 )
165 assert pi == pi2
166
167 def test_ne(self):
168 pi = x509.PolicyInformation(
169 x509.ObjectIdentifier("1.2.3"), [u"string"]
170 )
171 pi2 = x509.PolicyInformation(
172 x509.ObjectIdentifier("1.2.3"), [u"string2"]
173 )
174 pi3 = x509.PolicyInformation(
175 x509.ObjectIdentifier("1.2.3.4"), [u"string"]
176 )
177 assert pi != pi2
178 assert pi != pi3
179 assert pi != object()
180
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]181
182class TestCertificatePolicies(object):
183 def test_invalid_policies(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]184 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]185 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
186 with pytest.raises(TypeError):
187 x509.CertificatePolicies([1, pi])
188
189 def test_iter_len(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]190 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]191 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
192 cp = x509.CertificatePolicies([pi])
193 assert len(cp) == 1
194 for policyinfo in cp:
195 assert policyinfo == pi
196
197 def test_repr(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]198 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]199 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
200 cp = x509.CertificatePolicies([pi])
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]201 if six.PY3:
202 assert repr(cp) == (
203 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
204 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
205 "ers=['string'])>])>"
206 )
207 else:
208 assert repr(cp) == (
209 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
210 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
211 "ers=[u'string'])>])>"
212 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]213
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]214 def test_eq(self):
215 pi = x509.PolicyInformation(
216 x509.ObjectIdentifier("1.2.3"), [u"string"]
217 )
218 cp = x509.CertificatePolicies([pi])
219 pi2 = x509.PolicyInformation(
220 x509.ObjectIdentifier("1.2.3"), [u"string"]
221 )
222 cp2 = x509.CertificatePolicies([pi2])
223 assert cp == cp2
224
225 def test_ne(self):
226 pi = x509.PolicyInformation(
227 x509.ObjectIdentifier("1.2.3"), [u"string"]
228 )
229 cp = x509.CertificatePolicies([pi])
230 pi2 = x509.PolicyInformation(
231 x509.ObjectIdentifier("1.2.3"), [u"string2"]
232 )
233 cp2 = x509.CertificatePolicies([pi2])
234 assert cp != cp2
235 assert cp != object()
236
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]237
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]238@pytest.mark.requires_backend_interface(interface=RSABackend)
239@pytest.mark.requires_backend_interface(interface=X509Backend)
240class TestCertificatePoliciesExtension(object):
241 def test_cps_uri_policy_qualifier(self, backend):
242 cert = _load_cert(
243 os.path.join("x509", "custom", "cp_cps_uri.pem"),
244 x509.load_pem_x509_certificate,
245 backend
246 )
247
248 cp = cert.extensions.get_extension_for_oid(
249 x509.OID_CERTIFICATE_POLICIES
250 ).value
251
252 assert cp == x509.CertificatePolicies([
253 x509.PolicyInformation(
254 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
255 [u"http://other.com/cps"]
256 )
257 ])
258
259 def test_user_notice_with_notice_reference(self, backend):
260 cert = _load_cert(
261 os.path.join(
262 "x509", "custom", "cp_user_notice_with_notice_reference.pem"
263 ),
264 x509.load_pem_x509_certificate,
265 backend
266 )
267
268 cp = cert.extensions.get_extension_for_oid(
269 x509.OID_CERTIFICATE_POLICIES
270 ).value
271
272 assert cp == x509.CertificatePolicies([
273 x509.PolicyInformation(
274 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
275 [
276 u"http://example.com/cps",
277 u"http://other.com/cps",
278 x509.UserNotice(
279 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
280 u"thing"
281 )
282 ]
283 )
284 ])
285
286 def test_user_notice_with_explicit_text(self, backend):
287 cert = _load_cert(
288 os.path.join(
289 "x509", "custom", "cp_user_notice_with_explicit_text.pem"
290 ),
291 x509.load_pem_x509_certificate,
292 backend
293 )
294
295 cp = cert.extensions.get_extension_for_oid(
296 x509.OID_CERTIFICATE_POLICIES
297 ).value
298
299 assert cp == x509.CertificatePolicies([
300 x509.PolicyInformation(
301 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
302 [x509.UserNotice(None, u"thing")]
303 )
304 ])
305
306 def test_user_notice_no_explicit_text(self, backend):
307 cert = _load_cert(
308 os.path.join(
309 "x509", "custom", "cp_user_notice_no_explicit_text.pem"
310 ),
311 x509.load_pem_x509_certificate,
312 backend
313 )
314
315 cp = cert.extensions.get_extension_for_oid(
316 x509.OID_CERTIFICATE_POLICIES
317 ).value
318
319 assert cp == x509.CertificatePolicies([
320 x509.PolicyInformation(
321 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
322 [
323 x509.UserNotice(
324 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
325 None
326 )
327 ]
328 )
329 ])
330
331
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]332class TestKeyUsage(object):
333 def test_key_agreement_false_encipher_decipher_true(self):
334 with pytest.raises(ValueError):
335 x509.KeyUsage(
336 digital_signature=False,
337 content_commitment=False,
338 key_encipherment=False,
339 data_encipherment=False,
340 key_agreement=False,
341 key_cert_sign=False,
342 crl_sign=False,
343 encipher_only=True,
344 decipher_only=False
345 )
346
347 with pytest.raises(ValueError):
348 x509.KeyUsage(
349 digital_signature=False,
350 content_commitment=False,
351 key_encipherment=False,
352 data_encipherment=False,
353 key_agreement=False,
354 key_cert_sign=False,
355 crl_sign=False,
356 encipher_only=True,
357 decipher_only=True
358 )
359
360 with pytest.raises(ValueError):
361 x509.KeyUsage(
362 digital_signature=False,
363 content_commitment=False,
364 key_encipherment=False,
365 data_encipherment=False,
366 key_agreement=False,
367 key_cert_sign=False,
368 crl_sign=False,
369 encipher_only=False,
370 decipher_only=True
371 )
372
373 def test_properties_key_agreement_true(self):
374 ku = x509.KeyUsage(
375 digital_signature=True,
376 content_commitment=True,
377 key_encipherment=False,
378 data_encipherment=False,
379 key_agreement=False,
380 key_cert_sign=True,
381 crl_sign=False,
382 encipher_only=False,
383 decipher_only=False
384 )
385 assert ku.digital_signature is True
386 assert ku.content_commitment is True
387 assert ku.key_encipherment is False
388 assert ku.data_encipherment is False
389 assert ku.key_agreement is False
390 assert ku.key_cert_sign is True
391 assert ku.crl_sign is False
392
393 def test_key_agreement_true_properties(self):
394 ku = x509.KeyUsage(
395 digital_signature=False,
396 content_commitment=False,
397 key_encipherment=False,
398 data_encipherment=False,
399 key_agreement=True,
400 key_cert_sign=False,
401 crl_sign=False,
402 encipher_only=False,
403 decipher_only=True
404 )
405 assert ku.key_agreement is True
406 assert ku.encipher_only is False
407 assert ku.decipher_only is True
408
409 def test_key_agreement_false_properties(self):
410 ku = x509.KeyUsage(
411 digital_signature=False,
412 content_commitment=False,
413 key_encipherment=False,
414 data_encipherment=False,
415 key_agreement=False,
416 key_cert_sign=False,
417 crl_sign=False,
418 encipher_only=False,
419 decipher_only=False
420 )
421 assert ku.key_agreement is False
422 with pytest.raises(ValueError):
423 ku.encipher_only
424
425 with pytest.raises(ValueError):
426 ku.decipher_only
427
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]428 def test_repr_key_agreement_false(self):
429 ku = x509.KeyUsage(
430 digital_signature=True,
431 content_commitment=True,
432 key_encipherment=False,
433 data_encipherment=False,
434 key_agreement=False,
435 key_cert_sign=True,
436 crl_sign=False,
437 encipher_only=False,
438 decipher_only=False
439 )
440 assert repr(ku) == (
441 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
442 "cipherment=False, data_encipherment=False, key_agreement=False, k"
Paul Kehrerb372e672015-04-15 11:05:24 -0400[diff] [blame]443 "ey_cert_sign=True, crl_sign=False, encipher_only=None, decipher_o"
444 "nly=None)>"
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]445 )
446
447 def test_repr_key_agreement_true(self):
448 ku = x509.KeyUsage(
449 digital_signature=True,
450 content_commitment=True,
451 key_encipherment=False,
452 data_encipherment=False,
453 key_agreement=True,
454 key_cert_sign=True,
455 crl_sign=False,
456 encipher_only=False,
457 decipher_only=False
458 )
459 assert repr(ku) == (
460 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
461 "cipherment=False, data_encipherment=False, key_agreement=True, k"
462 "ey_cert_sign=True, crl_sign=False, encipher_only=False, decipher_"
463 "only=False)>"
464 )
465
Paul Kehrer8565f5e2015-05-13 09:57:09 -0500[diff] [blame^]466 def test_eq(self):
467 ku = x509.KeyUsage(
468 digital_signature=False,
469 content_commitment=False,
470 key_encipherment=False,
471 data_encipherment=False,
472 key_agreement=True,
473 key_cert_sign=False,
474 crl_sign=False,
475 encipher_only=False,
476 decipher_only=True
477 )
478 ku2 = x509.KeyUsage(
479 digital_signature=False,
480 content_commitment=False,
481 key_encipherment=False,
482 data_encipherment=False,
483 key_agreement=True,
484 key_cert_sign=False,
485 crl_sign=False,
486 encipher_only=False,
487 decipher_only=True
488 )
489 assert ku == ku2
490
491 def test_ne(self):
492 ku = x509.KeyUsage(
493 digital_signature=False,
494 content_commitment=False,
495 key_encipherment=False,
496 data_encipherment=False,
497 key_agreement=True,
498 key_cert_sign=False,
499 crl_sign=False,
500 encipher_only=False,
501 decipher_only=True
502 )
503 ku2 = x509.KeyUsage(
504 digital_signature=False,
505 content_commitment=False,
506 key_encipherment=False,
507 data_encipherment=False,
508 key_agreement=False,
509 key_cert_sign=False,
510 crl_sign=False,
511 encipher_only=False,
512 decipher_only=False
513 )
514 assert ku != ku2
515 assert ku != object()
516
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]517
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]518class TestSubjectKeyIdentifier(object):
519 def test_properties(self):
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]520 value = binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]521 ski = x509.SubjectKeyIdentifier(value)
522 assert ski.digest == value
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]523
524 def test_repr(self):
525 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]526 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]527 )
528 ext = x509.Extension(x509.OID_SUBJECT_KEY_IDENTIFIER, False, ski)
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]529 if six.PY3:
530 assert repr(ext) == (
531 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
532 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
533 "igest=b\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
534 "\\xf7\\xff:\\xc9\')>)>"
535 )
536 else:
537 assert repr(ext) == (
538 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
539 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
540 "igest=\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
541 "\\xf7\\xff:\\xc9\')>)>"
542 )
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]543
544 def test_eq(self):
545 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]546 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]547 )
548 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]549 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]550 )
551 assert ski == ski2
552
553 def test_ne(self):
554 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]555 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]556 )
557 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]558 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]559 )
560 assert ski != ski2
561 assert ski != object()
562
563
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]564class TestAuthorityKeyIdentifier(object):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]565 def test_authority_cert_issuer_not_generalname(self):
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]566 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]567 x509.AuthorityKeyIdentifier(b"identifier", ["notname"], 3)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]568
569 def test_authority_cert_serial_number_not_integer(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]570 dirname = x509.DirectoryName(
571 x509.Name([
572 x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1'),
573 x509.NameAttribute(x509.ObjectIdentifier('oid2'), 'value2'),
574 ])
575 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]576 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]577 x509.AuthorityKeyIdentifier(b"identifier", [dirname], "notanint")
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]578
579 def test_authority_issuer_none_serial_not_none(self):
580 with pytest.raises(ValueError):
581 x509.AuthorityKeyIdentifier(b"identifier", None, 3)
582
583 def test_authority_issuer_not_none_serial_none(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]584 dirname = x509.DirectoryName(
585 x509.Name([
586 x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1'),
587 x509.NameAttribute(x509.ObjectIdentifier('oid2'), 'value2'),
588 ])
589 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]590 with pytest.raises(ValueError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]591 x509.AuthorityKeyIdentifier(b"identifier", [dirname], None)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]592
593 def test_authority_cert_serial_and_issuer_none(self):
594 aki = x509.AuthorityKeyIdentifier(b"id", None, None)
595 assert aki.key_identifier == b"id"
596 assert aki.authority_cert_issuer is None
597 assert aki.authority_cert_serial_number is None
598
599 def test_repr(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]600 dirname = x509.DirectoryName(
601 x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'myCN')])
602 )
603 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]604
605 if six.PY3:
606 assert repr(aki) == (
607 "<AuthorityKeyIdentifier(key_identifier=b'digest', authority_"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]608 "cert_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid="
609 "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value='myC"
610 "N')>])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]611 )
612 else:
613 assert repr(aki) == (
614 "<AuthorityKeyIdentifier(key_identifier='digest', authority_ce"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]615 "rt_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid=<Ob"
616 "jectIdentifier(oid=2.5.4.3, name=commonName)>, value='myCN')>"
617 "])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]618 )
619
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]620 def test_eq(self):
621 dirname = x509.DirectoryName(
622 x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'myCN')])
623 )
624 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
625 dirname2 = x509.DirectoryName(
626 x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'myCN')])
627 )
628 aki2 = x509.AuthorityKeyIdentifier(b"digest", [dirname2], 1234)
629 assert aki == aki2
630
631 def test_ne(self):
632 dirname = x509.DirectoryName(
633 x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'myCN')])
634 )
635 dirname5 = x509.DirectoryName(
636 x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'aCN')])
637 )
638 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
639 aki2 = x509.AuthorityKeyIdentifier(b"diges", [dirname], 1234)
640 aki3 = x509.AuthorityKeyIdentifier(b"digest", None, None)
641 aki4 = x509.AuthorityKeyIdentifier(b"digest", [dirname], 12345)
642 aki5 = x509.AuthorityKeyIdentifier(b"digest", [dirname5], 12345)
643 assert aki != aki2
644 assert aki != aki3
645 assert aki != aki4
646 assert aki != aki5
647 assert aki != object()
648
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]649
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]650class TestBasicConstraints(object):
651 def test_ca_not_boolean(self):
652 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]653 x509.BasicConstraints(ca="notbool", path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]654
655 def test_path_length_not_ca(self):
656 with pytest.raises(ValueError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]657 x509.BasicConstraints(ca=False, path_length=0)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]658
659 def test_path_length_not_int(self):
660 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]661 x509.BasicConstraints(ca=True, path_length=1.1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]662
663 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]664 x509.BasicConstraints(ca=True, path_length="notint")
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]665
666 def test_path_length_negative(self):
667 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]668 x509.BasicConstraints(ca=True, path_length=-1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]669
670 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]671 na = x509.BasicConstraints(ca=True, path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]672 assert repr(na) == (
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]673 "<BasicConstraints(ca=True, path_length=None)>"
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]674 )
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]675
676
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]677class TestExtendedKeyUsage(object):
678 def test_not_all_oids(self):
679 with pytest.raises(TypeError):
680 x509.ExtendedKeyUsage(["notoid"])
681
682 def test_iter_len(self):
683 eku = x509.ExtendedKeyUsage([
684 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
685 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
686 ])
687 assert len(eku) == 2
688 assert list(eku) == [
689 x509.OID_SERVER_AUTH,
690 x509.OID_CLIENT_AUTH
691 ]
692
Paul Kehrer23d10c32015-04-02 23:12:32 -0500[diff] [blame]693 def test_repr(self):
694 eku = x509.ExtendedKeyUsage([
695 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
696 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
697 ])
698 assert repr(eku) == (
699 "<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name="
700 "serverAuth)>, <ObjectIdentifier(oid=1.3.6.1.5.5.7.3.2, name=clien"
701 "tAuth)>])>"
702 )
703
Paul Kehrerb0476172015-05-02 19:34:51 -0500[diff] [blame]704 def test_eq(self):
705 eku = x509.ExtendedKeyUsage([
706 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
707 ])
708 eku2 = x509.ExtendedKeyUsage([
709 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
710 ])
711 assert eku == eku2
712
713 def test_ne(self):
714 eku = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6")])
715 eku2 = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6.1")])
716 assert eku != eku2
717 assert eku != object()
718
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]719
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]720@pytest.mark.requires_backend_interface(interface=RSABackend)
721@pytest.mark.requires_backend_interface(interface=X509Backend)
722class TestExtensions(object):
723 def test_no_extensions(self, backend):
724 cert = _load_cert(
725 os.path.join("x509", "verisign_md2_root.pem"),
726 x509.load_pem_x509_certificate,
727 backend
728 )
729 ext = cert.extensions
730 assert len(ext) == 0
731 assert list(ext) == []
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]732 with pytest.raises(x509.ExtensionNotFound) as exc:
733 ext.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
734
735 assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS
736
737 def test_one_extension(self, backend):
738 cert = _load_cert(
739 os.path.join(
740 "x509", "custom", "basic_constraints_not_critical.pem"
741 ),
742 x509.load_pem_x509_certificate,
743 backend
744 )
745 extensions = cert.extensions
746 ext = extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
747 assert ext is not None
748 assert ext.value.ca is False
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]749
750 def test_duplicate_extension(self, backend):
751 cert = _load_cert(
752 os.path.join(
753 "x509", "custom", "two_basic_constraints.pem"
754 ),
755 x509.load_pem_x509_certificate,
756 backend
757 )
758 with pytest.raises(x509.DuplicateExtension) as exc:
759 cert.extensions
760
761 assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS
762
763 def test_unsupported_critical_extension(self, backend):
764 cert = _load_cert(
765 os.path.join(
766 "x509", "custom", "unsupported_extension_critical.pem"
767 ),
768 x509.load_pem_x509_certificate,
769 backend
770 )
771 with pytest.raises(x509.UnsupportedExtension) as exc:
772 cert.extensions
773
774 assert exc.value.oid == x509.ObjectIdentifier("1.2.3.4")
775
776 def test_unsupported_extension(self, backend):
777 # TODO: this will raise an exception when all extensions are complete
778 cert = _load_cert(
779 os.path.join(
780 "x509", "custom", "unsupported_extension.pem"
781 ),
782 x509.load_pem_x509_certificate,
783 backend
784 )
785 extensions = cert.extensions
786 assert len(extensions) == 0
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]787
788
789@pytest.mark.requires_backend_interface(interface=RSABackend)
790@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerde813ea2015-03-28 12:44:34 -0500[diff] [blame]791class TestBasicConstraintsExtension(object):
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]792 def test_ca_true_pathlen_6(self, backend):
793 cert = _load_cert(
794 os.path.join(
795 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
796 ),
797 x509.load_der_x509_certificate,
798 backend
799 )
800 ext = cert.extensions.get_extension_for_oid(
801 x509.OID_BASIC_CONSTRAINTS
802 )
803 assert ext is not None
804 assert ext.critical is True
805 assert ext.value.ca is True
806 assert ext.value.path_length == 6
807
808 def test_path_length_zero(self, backend):
809 cert = _load_cert(
810 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
811 x509.load_pem_x509_certificate,
812 backend
813 )
814 ext = cert.extensions.get_extension_for_oid(
815 x509.OID_BASIC_CONSTRAINTS
816 )
817 assert ext is not None
818 assert ext.critical is True
819 assert ext.value.ca is True
820 assert ext.value.path_length == 0
821
822 def test_ca_true_no_pathlen(self, backend):
823 cert = _load_cert(
824 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
825 x509.load_der_x509_certificate,
826 backend
827 )
828 ext = cert.extensions.get_extension_for_oid(
829 x509.OID_BASIC_CONSTRAINTS
830 )
831 assert ext is not None
832 assert ext.critical is True
833 assert ext.value.ca is True
834 assert ext.value.path_length is None
835
836 def test_ca_false(self, backend):
837 cert = _load_cert(
838 os.path.join("x509", "cryptography.io.pem"),
839 x509.load_pem_x509_certificate,
840 backend
841 )
842 ext = cert.extensions.get_extension_for_oid(
843 x509.OID_BASIC_CONSTRAINTS
844 )
845 assert ext is not None
846 assert ext.critical is True
847 assert ext.value.ca is False
848 assert ext.value.path_length is None
849
850 def test_no_basic_constraints(self, backend):
851 cert = _load_cert(
852 os.path.join(
853 "x509",
854 "PKITS_data",
855 "certs",
856 "ValidCertificatePathTest1EE.crt"
857 ),
858 x509.load_der_x509_certificate,
859 backend
860 )
861 with pytest.raises(x509.ExtensionNotFound):
862 cert.extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
863
864 def test_basic_constraint_not_critical(self, backend):
865 cert = _load_cert(
866 os.path.join(
867 "x509", "custom", "basic_constraints_not_critical.pem"
868 ),
869 x509.load_pem_x509_certificate,
870 backend
871 )
872 ext = cert.extensions.get_extension_for_oid(
873 x509.OID_BASIC_CONSTRAINTS
874 )
875 assert ext is not None
876 assert ext.critical is False
877 assert ext.value.ca is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]878
879
880@pytest.mark.requires_backend_interface(interface=RSABackend)
881@pytest.mark.requires_backend_interface(interface=X509Backend)
882class TestSubjectKeyIdentifierExtension(object):
883 def test_subject_key_identifier(self, backend):
884 cert = _load_cert(
885 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
886 x509.load_der_x509_certificate,
887 backend
888 )
889 ext = cert.extensions.get_extension_for_oid(
890 x509.OID_SUBJECT_KEY_IDENTIFIER
891 )
892 ski = ext.value
893 assert ext is not None
894 assert ext.critical is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]895 assert ski.digest == binascii.unhexlify(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]896 b"580184241bbc2b52944a3da510721451f5af3ac9"
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]897 )
898
899 def test_no_subject_key_identifier(self, backend):
900 cert = _load_cert(
901 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
902 x509.load_pem_x509_certificate,
903 backend
904 )
905 with pytest.raises(x509.ExtensionNotFound):
906 cert.extensions.get_extension_for_oid(
907 x509.OID_SUBJECT_KEY_IDENTIFIER
908 )
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]909
910
911@pytest.mark.requires_backend_interface(interface=RSABackend)
912@pytest.mark.requires_backend_interface(interface=X509Backend)
913class TestKeyUsageExtension(object):
914 def test_no_key_usage(self, backend):
915 cert = _load_cert(
916 os.path.join("x509", "verisign_md2_root.pem"),
917 x509.load_pem_x509_certificate,
918 backend
919 )
920 ext = cert.extensions
921 with pytest.raises(x509.ExtensionNotFound) as exc:
922 ext.get_extension_for_oid(x509.OID_KEY_USAGE)
923
924 assert exc.value.oid == x509.OID_KEY_USAGE
925
926 def test_all_purposes(self, backend):
927 cert = _load_cert(
928 os.path.join(
929 "x509", "custom", "all_key_usages.pem"
930 ),
931 x509.load_pem_x509_certificate,
932 backend
933 )
934 extensions = cert.extensions
935 ext = extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
936 assert ext is not None
937
938 ku = ext.value
939 assert ku.digital_signature is True
940 assert ku.content_commitment is True
941 assert ku.key_encipherment is True
942 assert ku.data_encipherment is True
943 assert ku.key_agreement is True
944 assert ku.key_cert_sign is True
945 assert ku.crl_sign is True
946 assert ku.encipher_only is True
947 assert ku.decipher_only is True
948
949 def test_key_cert_sign_crl_sign(self, backend):
950 cert = _load_cert(
951 os.path.join(
952 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
953 ),
954 x509.load_der_x509_certificate,
955 backend
956 )
957 ext = cert.extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
958 assert ext is not None
959 assert ext.critical is True
960
961 ku = ext.value
962 assert ku.digital_signature is False
963 assert ku.content_commitment is False
964 assert ku.key_encipherment is False
965 assert ku.data_encipherment is False
966 assert ku.key_agreement is False
967 assert ku.key_cert_sign is True
968 assert ku.crl_sign is True
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]969
970
971@pytest.mark.parametrize(
972 "name", [
973 x509.RFC822Name,
974 x509.DNSName,
975 x509.UniformResourceIdentifier
976 ]
977)
978class TestTextGeneralNames(object):
979 def test_not_text(self, name):
980 with pytest.raises(TypeError):
981 name(b"notaunicodestring")
982
983 with pytest.raises(TypeError):
984 name(1.3)
985
986 def test_repr(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]987 gn = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]988 assert repr(gn) == "<{0}(value=string)>".format(name.__name__)
989
990 def test_eq(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]991 gn = name(u"string")
992 gn2 = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]993 assert gn == gn2
994
995 def test_ne(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]996 gn = name(u"string")
997 gn2 = name(u"string2")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]998 assert gn != gn2
999 assert gn != object()
1000
1001
1002class TestDirectoryName(object):
1003 def test_not_name(self):
1004 with pytest.raises(TypeError):
1005 x509.DirectoryName(b"notaname")
1006
1007 with pytest.raises(TypeError):
1008 x509.DirectoryName(1.3)
1009
1010 def test_repr(self):
1011 name = x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'value1')])
1012 gn = x509.DirectoryName(x509.Name([name]))
1013 assert repr(gn) == (
1014 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<ObjectIden"
1015 "tifier(oid=2.5.4.3, name=commonName)>, value='value1')>])>])>)>"
1016 )
1017
1018 def test_eq(self):
1019 name = x509.Name([
1020 x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1')
1021 ])
1022 name2 = x509.Name([
1023 x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1')
1024 ])
1025 gn = x509.DirectoryName(x509.Name([name]))
1026 gn2 = x509.DirectoryName(x509.Name([name2]))
1027 assert gn == gn2
1028
1029 def test_ne(self):
1030 name = x509.Name([
1031 x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1')
1032 ])
1033 name2 = x509.Name([
1034 x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value2')
1035 ])
1036 gn = x509.DirectoryName(x509.Name([name]))
1037 gn2 = x509.DirectoryName(x509.Name([name2]))
1038 assert gn != gn2
1039 assert gn != object()
1040
1041
1042class TestRegisteredID(object):
1043 def test_not_oid(self):
1044 with pytest.raises(TypeError):
1045 x509.RegisteredID(b"notanoid")
1046
1047 with pytest.raises(TypeError):
1048 x509.RegisteredID(1.3)
1049
1050 def test_repr(self):
1051 gn = x509.RegisteredID(x509.OID_COMMON_NAME)
1052 assert repr(gn) == (
1053 "<RegisteredID(value=<ObjectIdentifier(oid=2.5.4.3, name=commonNam"
1054 "e)>)>"
1055 )
1056
1057 def test_eq(self):
1058 gn = x509.RegisteredID(x509.OID_COMMON_NAME)
1059 gn2 = x509.RegisteredID(x509.OID_COMMON_NAME)
1060 assert gn == gn2
1061
1062 def test_ne(self):
1063 gn = x509.RegisteredID(x509.OID_COMMON_NAME)
1064 gn2 = x509.RegisteredID(x509.OID_BASIC_CONSTRAINTS)
1065 assert gn != gn2
1066 assert gn != object()
1067
1068
1069class TestIPAddress(object):
1070 def test_not_ipaddress(self):
1071 with pytest.raises(TypeError):
1072 x509.IPAddress(b"notanipaddress")
1073
1074 with pytest.raises(TypeError):
1075 x509.IPAddress(1.3)
1076
1077 def test_repr(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1078 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1079 assert repr(gn) == "<IPAddress(value=127.0.0.1)>"
1080
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1081 gn2 = x509.IPAddress(ipaddress.IPv6Address(u"ff::"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1082 assert repr(gn2) == "<IPAddress(value=ff::)>"
1083
1084 def test_eq(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1085 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1086 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1087 assert gn == gn2
1088
1089 def test_ne(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1090 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1091 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.2"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1092 assert gn != gn2
1093 assert gn != object()
1094
1095
1096class TestSubjectAlternativeName(object):
1097 def test_get_values_for_type(self):
1098 san = x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1099 [x509.DNSName(u"cryptography.io")]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1100 )
1101 names = san.get_values_for_type(x509.DNSName)
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1102 assert names == [u"cryptography.io"]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1103
1104 def test_iter_names(self):
1105 san = x509.SubjectAlternativeName([
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1106 x509.DNSName(u"cryptography.io"),
1107 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1108 ])
1109 assert len(san) == 2
1110 assert list(san) == [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1111 x509.DNSName(u"cryptography.io"),
1112 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1113 ]
1114
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1115 def test_invalid_general_names(self):
1116 with pytest.raises(TypeError):
1117 x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1118 [x509.DNSName(u"cryptography.io"), "invalid"]
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1119 )
1120
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1121 def test_repr(self):
1122 san = x509.SubjectAlternativeName(
1123 [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1124 x509.DNSName(u"cryptography.io")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1125 ]
1126 )
1127 assert repr(san) == (
1128 "<SubjectAlternativeName([<DNSName(value=cryptography.io)>])>"
1129 )
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1130
1131
1132@pytest.mark.requires_backend_interface(interface=RSABackend)
1133@pytest.mark.requires_backend_interface(interface=X509Backend)
1134class TestRSASubjectAlternativeNameExtension(object):
1135 def test_dns_name(self, backend):
1136 cert = _load_cert(
1137 os.path.join("x509", "cryptography.io.pem"),
1138 x509.load_pem_x509_certificate,
1139 backend
1140 )
1141 ext = cert.extensions.get_extension_for_oid(
1142 x509.OID_SUBJECT_ALTERNATIVE_NAME
1143 )
1144 assert ext is not None
1145 assert ext.critical is False
1146
1147 san = ext.value
1148
1149 dns = san.get_values_for_type(x509.DNSName)
1150 assert dns == [u"www.cryptography.io", u"cryptography.io"]
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1151
1152 def test_unsupported_other_name(self, backend):
1153 cert = _load_cert(
1154 os.path.join(
1155 "x509", "custom", "san_other_name.pem"
1156 ),
1157 x509.load_pem_x509_certificate,
1158 backend
1159 )
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1160 with pytest.raises(x509.UnsupportedGeneralNameType) as exc:
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1161 cert.extensions
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1162
Paul Kehrer0a621bf2015-04-22 09:22:56 -0500[diff] [blame]1163 assert exc.value.type == 0
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1164
1165 def test_registered_id(self, backend):
1166 cert = _load_cert(
1167 os.path.join(
1168 "x509", "custom", "san_registered_id.pem"
1169 ),
1170 x509.load_pem_x509_certificate,
1171 backend
1172 )
1173 ext = cert.extensions.get_extension_for_oid(
1174 x509.OID_SUBJECT_ALTERNATIVE_NAME
1175 )
1176 assert ext is not None
1177 assert ext.critical is False
1178
1179 san = ext.value
1180 rid = san.get_values_for_type(x509.RegisteredID)
1181 assert rid == [x509.ObjectIdentifier("1.2.3.4")]
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1182
1183 def test_uri(self, backend):
1184 cert = _load_cert(
1185 os.path.join(
1186 "x509", "custom", "san_uri_with_port.pem"
1187 ),
1188 x509.load_pem_x509_certificate,
1189 backend
1190 )
1191 ext = cert.extensions.get_extension_for_oid(
1192 x509.OID_SUBJECT_ALTERNATIVE_NAME
1193 )
1194 assert ext is not None
1195 uri = ext.value.get_values_for_type(
1196 x509.UniformResourceIdentifier
1197 )
1198 assert uri == [
1199 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/path?q=s#hel"
1200 u"lo",
1201 u"http://someregulardomain.com",
1202 ]
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1203
1204 def test_ipaddress(self, backend):
1205 cert = _load_cert(
1206 os.path.join(
1207 "x509", "custom", "san_ipaddr.pem"
1208 ),
1209 x509.load_pem_x509_certificate,
1210 backend
1211 )
1212 ext = cert.extensions.get_extension_for_oid(
1213 x509.OID_SUBJECT_ALTERNATIVE_NAME
1214 )
1215 assert ext is not None
1216 assert ext.critical is False
1217
1218 san = ext.value
1219
1220 ip = san.get_values_for_type(x509.IPAddress)
1221 assert [
1222 ipaddress.ip_address(u"127.0.0.1"),
1223 ipaddress.ip_address(u"ff::")
1224 ] == ip
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1225
1226 def test_dirname(self, backend):
1227 cert = _load_cert(
1228 os.path.join(
1229 "x509", "custom", "san_dirname.pem"
1230 ),
1231 x509.load_pem_x509_certificate,
1232 backend
1233 )
1234 ext = cert.extensions.get_extension_for_oid(
1235 x509.OID_SUBJECT_ALTERNATIVE_NAME
1236 )
1237 assert ext is not None
1238 assert ext.critical is False
1239
1240 san = ext.value
1241
1242 dirname = san.get_values_for_type(x509.DirectoryName)
1243 assert [
1244 x509.Name([
1245 x509.NameAttribute(x509.OID_COMMON_NAME, 'test'),
1246 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'Org'),
1247 x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'),
1248 ])
1249 ] == dirname
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1250
1251 def test_rfc822name(self, backend):
1252 cert = _load_cert(
1253 os.path.join(
1254 "x509", "custom", "san_rfc822_idna.pem"
1255 ),
1256 x509.load_pem_x509_certificate,
1257 backend
1258 )
1259 ext = cert.extensions.get_extension_for_oid(
1260 x509.OID_SUBJECT_ALTERNATIVE_NAME
1261 )
1262 assert ext is not None
1263 assert ext.critical is False
1264
1265 san = ext.value
1266
1267 rfc822name = san.get_values_for_type(x509.RFC822Name)
1268 assert [u"email@em\xe5\xefl.com"] == rfc822name
1269
1270 def test_unicode_rfc822_name_dns_name_uri(self, backend):
1271 cert = _load_cert(
1272 os.path.join(
1273 "x509", "custom", "san_idna_names.pem"
1274 ),
1275 x509.load_pem_x509_certificate,
1276 backend
1277 )
1278 ext = cert.extensions.get_extension_for_oid(
1279 x509.OID_SUBJECT_ALTERNATIVE_NAME
1280 )
1281 assert ext is not None
1282 rfc822_name = ext.value.get_values_for_type(x509.RFC822Name)
1283 dns_name = ext.value.get_values_for_type(x509.DNSName)
1284 uri = ext.value.get_values_for_type(x509.UniformResourceIdentifier)
1285 assert rfc822_name == [u"email@\u043f\u044b\u043a\u0430.cryptography"]
1286 assert dns_name == [u"\u043f\u044b\u043a\u0430.cryptography"]
1287 assert uri == [u"https://www.\u043f\u044b\u043a\u0430.cryptography"]
1288
1289 def test_rfc822name_dnsname_ipaddress_directoryname_uri(self, backend):
1290 cert = _load_cert(
1291 os.path.join(
1292 "x509", "custom", "san_email_dns_ip_dirname_uri.pem"
1293 ),
1294 x509.load_pem_x509_certificate,
1295 backend
1296 )
1297 ext = cert.extensions.get_extension_for_oid(
1298 x509.OID_SUBJECT_ALTERNATIVE_NAME
1299 )
1300 assert ext is not None
1301 assert ext.critical is False
1302
1303 san = ext.value
1304
1305 rfc822_name = san.get_values_for_type(x509.RFC822Name)
1306 uri = san.get_values_for_type(x509.UniformResourceIdentifier)
1307 dns = san.get_values_for_type(x509.DNSName)
1308 ip = san.get_values_for_type(x509.IPAddress)
1309 dirname = san.get_values_for_type(x509.DirectoryName)
1310 assert [u"user@cryptography.io"] == rfc822_name
Paul Kehrere3a330c2015-05-02 16:42:52 -0500[diff] [blame]1311 assert [u"https://cryptography.io"] == uri
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1312 assert [u"cryptography.io"] == dns
1313 assert [
1314 x509.Name([
1315 x509.NameAttribute(x509.OID_COMMON_NAME, 'dirCN'),
1316 x509.NameAttribute(
1317 x509.OID_ORGANIZATION_NAME, 'Cryptographic Authority'
1318 ),
1319 ])
1320 ] == dirname
1321 assert [
1322 ipaddress.ip_address(u"127.0.0.1"),
1323 ipaddress.ip_address(u"ff::")
1324 ] == ip
1325
1326 def test_invalid_rfc822name(self, backend):
1327 cert = _load_cert(
1328 os.path.join(
1329 "x509", "custom", "san_rfc822_names.pem"
1330 ),
1331 x509.load_pem_x509_certificate,
1332 backend
1333 )
1334 with pytest.raises(ValueError) as exc:
1335 cert.extensions
1336
1337 assert 'Invalid rfc822name value' in str(exc.value)
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]1338
1339
1340@pytest.mark.requires_backend_interface(interface=RSABackend)
1341@pytest.mark.requires_backend_interface(interface=X509Backend)
1342class TestExtendedKeyUsageExtension(object):
1343 def test_eku(self, backend):
1344 cert = _load_cert(
1345 os.path.join(
1346 "x509", "custom", "extended_key_usage.pem"
1347 ),
1348 x509.load_pem_x509_certificate,
1349 backend
1350 )
1351 ext = cert.extensions.get_extension_for_oid(
1352 x509.OID_EXTENDED_KEY_USAGE
1353 )
1354 assert ext is not None
1355 assert ext.critical is False
1356
1357 assert [
1358 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
1359 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
1360 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.3"),
1361 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.4"),
1362 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.9"),
1363 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.8"),
1364 x509.ObjectIdentifier("2.5.29.37.0"),
1365 x509.ObjectIdentifier("2.16.840.1.113730.4.1"),
1366 ] == list(ext.value)
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1367
1368
1369class TestAccessDescription(object):
1370 def test_invalid_access_method(self):
Paul Kehrerf506bca2015-05-02 22:31:47 -0500[diff] [blame]1371 with pytest.raises(ValueError):
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1372 x509.AccessDescription("notanoid", x509.DNSName(u"test"))
1373
1374 def test_invalid_access_location(self):
1375 with pytest.raises(TypeError):
1376 x509.AccessDescription(x509.OID_CA_ISSUERS, "invalid")
1377
1378 def test_repr(self):
1379 ad = x509.AccessDescription(
1380 x509.OID_OCSP,
1381 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1382 )
1383 assert repr(ad) == (
1384 "<AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5."
1385 "5.7.48.1, name=OCSP)>, access_location=<UniformResourceIdentifier"
1386 "(value=http://ocsp.domain.com)>)>"
1387 )
1388
1389 def test_eq(self):
1390 ad = x509.AccessDescription(
1391 x509.OID_OCSP,
1392 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1393 )
1394 ad2 = x509.AccessDescription(
1395 x509.OID_OCSP,
1396 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1397 )
1398 assert ad == ad2
1399
1400 def test_ne(self):
1401 ad = x509.AccessDescription(
1402 x509.OID_OCSP,
1403 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1404 )
1405 ad2 = x509.AccessDescription(
1406 x509.OID_CA_ISSUERS,
1407 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1408 )
1409 ad3 = x509.AccessDescription(
1410 x509.OID_OCSP,
1411 x509.UniformResourceIdentifier(u"http://notthesame")
1412 )
1413 assert ad != ad2
1414 assert ad != ad3
1415 assert ad != object()
1416
1417
1418class TestAuthorityInformationAccess(object):
1419 def test_invalid_descriptions(self):
1420 with pytest.raises(TypeError):
1421 x509.AuthorityInformationAccess(["notanAccessDescription"])
1422
1423 def test_iter_len(self):
1424 aia = x509.AuthorityInformationAccess([
1425 x509.AccessDescription(
1426 x509.OID_OCSP,
1427 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1428 ),
1429 x509.AccessDescription(
1430 x509.OID_CA_ISSUERS,
1431 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1432 )
1433 ])
1434 assert len(aia) == 2
1435 assert list(aia) == [
1436 x509.AccessDescription(
1437 x509.OID_OCSP,
1438 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1439 ),
1440 x509.AccessDescription(
1441 x509.OID_CA_ISSUERS,
1442 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1443 )
1444 ]
1445
1446 def test_repr(self):
1447 aia = x509.AuthorityInformationAccess([
1448 x509.AccessDescription(
1449 x509.OID_OCSP,
1450 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1451 ),
1452 x509.AccessDescription(
1453 x509.OID_CA_ISSUERS,
1454 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1455 )
1456 ])
1457 assert repr(aia) == (
1458 "<AuthorityInformationAccess([<AccessDescription(access_method=<Ob"
1459 "jectIdentifier(oid=1.3.6.1.5.5.7.48.1, name=OCSP)>, access_locati"
1460 "on=<UniformResourceIdentifier(value=http://ocsp.domain.com)>)>, <"
1461 "AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5.5"
1462 ".7.48.2, name=caIssuers)>, access_location=<UniformResourceIdenti"
1463 "fier(value=http://domain.com/ca.crt)>)>])>"
1464 )
1465
1466 def test_eq(self):
1467 aia = x509.AuthorityInformationAccess([
1468 x509.AccessDescription(
1469 x509.OID_OCSP,
1470 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1471 ),
1472 x509.AccessDescription(
1473 x509.OID_CA_ISSUERS,
1474 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1475 )
1476 ])
1477 aia2 = x509.AuthorityInformationAccess([
1478 x509.AccessDescription(
1479 x509.OID_OCSP,
1480 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1481 ),
1482 x509.AccessDescription(
1483 x509.OID_CA_ISSUERS,
1484 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1485 )
1486 ])
1487 assert aia == aia2
1488
1489 def test_ne(self):
1490 aia = x509.AuthorityInformationAccess([
1491 x509.AccessDescription(
1492 x509.OID_OCSP,
1493 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1494 ),
1495 x509.AccessDescription(
1496 x509.OID_CA_ISSUERS,
1497 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1498 )
1499 ])
1500 aia2 = x509.AuthorityInformationAccess([
1501 x509.AccessDescription(
1502 x509.OID_OCSP,
1503 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1504 ),
1505 ])
1506
1507 assert aia != aia2
1508 assert aia != object()
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]1509
1510
1511@pytest.mark.requires_backend_interface(interface=RSABackend)
1512@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]1513class TestAuthorityInformationAccessExtension(object):
1514 def test_aia_ocsp_ca_issuers(self, backend):
1515 cert = _load_cert(
1516 os.path.join("x509", "cryptography.io.pem"),
1517 x509.load_pem_x509_certificate,
1518 backend
1519 )
1520 ext = cert.extensions.get_extension_for_oid(
1521 x509.OID_AUTHORITY_INFORMATION_ACCESS
1522 )
1523 assert ext is not None
1524 assert ext.critical is False
1525
1526 assert ext.value == x509.AuthorityInformationAccess([
1527 x509.AccessDescription(
1528 x509.OID_OCSP,
1529 x509.UniformResourceIdentifier(u"http://gv.symcd.com")
1530 ),
1531 x509.AccessDescription(
1532 x509.OID_CA_ISSUERS,
1533 x509.UniformResourceIdentifier(u"http://gv.symcb.com/gv.crt")
1534 ),
1535 ])
1536
1537 def test_aia_multiple_ocsp_ca_issuers(self, backend):
1538 cert = _load_cert(
1539 os.path.join("x509", "custom", "aia_ocsp_ca_issuers.pem"),
1540 x509.load_pem_x509_certificate,
1541 backend
1542 )
1543 ext = cert.extensions.get_extension_for_oid(
1544 x509.OID_AUTHORITY_INFORMATION_ACCESS
1545 )
1546 assert ext is not None
1547 assert ext.critical is False
1548
1549 assert ext.value == x509.AuthorityInformationAccess([
1550 x509.AccessDescription(
1551 x509.OID_OCSP,
1552 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1553 ),
1554 x509.AccessDescription(
1555 x509.OID_OCSP,
1556 x509.UniformResourceIdentifier(u"http://ocsp2.domain.com")
1557 ),
1558 x509.AccessDescription(
1559 x509.OID_CA_ISSUERS,
1560 x509.DirectoryName(x509.Name([
1561 x509.NameAttribute(x509.OID_COMMON_NAME, "myCN"),
1562 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, "some Org"),
1563 ]))
1564 ),
1565 ])
1566
1567 def test_aia_ocsp_only(self, backend):
1568 cert = _load_cert(
1569 os.path.join("x509", "custom", "aia_ocsp.pem"),
1570 x509.load_pem_x509_certificate,
1571 backend
1572 )
1573 ext = cert.extensions.get_extension_for_oid(
1574 x509.OID_AUTHORITY_INFORMATION_ACCESS
1575 )
1576 assert ext is not None
1577 assert ext.critical is False
1578
1579 assert ext.value == x509.AuthorityInformationAccess([
1580 x509.AccessDescription(
1581 x509.OID_OCSP,
1582 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1583 ),
1584 ])
1585
1586 def test_aia_ca_issuers_only(self, backend):
1587 cert = _load_cert(
1588 os.path.join("x509", "custom", "aia_ca_issuers.pem"),
1589 x509.load_pem_x509_certificate,
1590 backend
1591 )
1592 ext = cert.extensions.get_extension_for_oid(
1593 x509.OID_AUTHORITY_INFORMATION_ACCESS
1594 )
1595 assert ext is not None
1596 assert ext.critical is False
1597
1598 assert ext.value == x509.AuthorityInformationAccess([
1599 x509.AccessDescription(
1600 x509.OID_CA_ISSUERS,
1601 x509.DirectoryName(x509.Name([
1602 x509.NameAttribute(x509.OID_COMMON_NAME, "myCN"),
1603 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, "some Org"),
1604 ]))
1605 ),
1606 ])
1607
1608
1609@pytest.mark.requires_backend_interface(interface=RSABackend)
1610@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]1611class TestAuthorityKeyIdentifierExtension(object):
1612 def test_aki_keyid(self, backend):
1613 cert = _load_cert(
1614 os.path.join(
1615 "x509", "cryptography.io.pem"
1616 ),
1617 x509.load_pem_x509_certificate,
1618 backend
1619 )
1620 ext = cert.extensions.get_extension_for_oid(
1621 x509.OID_AUTHORITY_KEY_IDENTIFIER
1622 )
1623 assert ext is not None
1624 assert ext.critical is False
1625
1626 assert ext.value.key_identifier == (
1627 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08\xcbY"
1628 )
1629 assert ext.value.authority_cert_issuer is None
1630 assert ext.value.authority_cert_serial_number is None
1631
1632 def test_aki_all_fields(self, backend):
1633 cert = _load_cert(
1634 os.path.join(
1635 "x509", "custom", "authority_key_identifier.pem"
1636 ),
1637 x509.load_pem_x509_certificate,
1638 backend
1639 )
1640 ext = cert.extensions.get_extension_for_oid(
1641 x509.OID_AUTHORITY_KEY_IDENTIFIER
1642 )
1643 assert ext is not None
1644 assert ext.critical is False
1645
1646 assert ext.value.key_identifier == (
1647 b"9E>\xca=b\x1d\xea\x86I\xf6Z\xab@\xb7\xa4p\x98\xf1\xec"
1648 )
1649 assert ext.value.authority_cert_issuer == [
1650 x509.DirectoryName(
1651 x509.Name([
1652 x509.NameAttribute(
1653 x509.OID_ORGANIZATION_NAME, u"PyCA"
1654 ),
1655 x509.NameAttribute(
1656 x509.OID_COMMON_NAME, u"cryptography.io"
1657 )
1658 ])
1659 )
1660 ]
1661 assert ext.value.authority_cert_serial_number == 3
1662
1663 def test_aki_no_keyid(self, backend):
1664 cert = _load_cert(
1665 os.path.join(
1666 "x509", "custom", "authority_key_identifier_no_keyid.pem"
1667 ),
1668 x509.load_pem_x509_certificate,
1669 backend
1670 )
1671 ext = cert.extensions.get_extension_for_oid(
1672 x509.OID_AUTHORITY_KEY_IDENTIFIER
1673 )
1674 assert ext is not None
1675 assert ext.critical is False
1676
1677 assert ext.value.key_identifier is None
1678 assert ext.value.authority_cert_issuer == [
1679 x509.DirectoryName(
1680 x509.Name([
1681 x509.NameAttribute(
1682 x509.OID_ORGANIZATION_NAME, u"PyCA"
1683 ),
1684 x509.NameAttribute(
1685 x509.OID_COMMON_NAME, u"cryptography.io"
1686 )
1687 ])
1688 )
1689 ]
1690 assert ext.value.authority_cert_serial_number == 3
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1691
1692
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1693class TestDistributionPoint(object):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1694 def test_distribution_point_full_name_not_general_names(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1695 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1696 x509.DistributionPoint(["notgn"], None, None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1697
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1698 def test_distribution_point_relative_name_not_name(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1699 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1700 x509.DistributionPoint(None, "notname", None, None)
1701
1702 def test_distribution_point_full_and_relative_not_none(self):
1703 with pytest.raises(ValueError):
1704 x509.DistributionPoint("data", "notname", None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1705
1706 def test_crl_issuer_not_general_names(self):
1707 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1708 x509.DistributionPoint(None, None, None, ["notgn"])
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1709
1710 def test_reason_not_reasonflags(self):
1711 with pytest.raises(TypeError):
1712 x509.DistributionPoint(
1713 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1714 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1715 frozenset(["notreasonflags"]),
1716 None
1717 )
1718
1719 def test_reason_not_frozenset(self):
1720 with pytest.raises(TypeError):
1721 x509.DistributionPoint(
1722 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
1723 None,
1724 [x509.ReasonFlags.ca_compromise],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1725 None
1726 )
1727
1728 def test_disallowed_reasons(self):
1729 with pytest.raises(ValueError):
1730 x509.DistributionPoint(
1731 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
1732 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1733 frozenset([x509.ReasonFlags.unspecified]),
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1734 None
1735 )
1736
1737 with pytest.raises(ValueError):
1738 x509.DistributionPoint(
1739 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
1740 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1741 frozenset([x509.ReasonFlags.remove_from_crl]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1742 None
1743 )
1744
1745 def test_reason_only(self):
1746 with pytest.raises(ValueError):
1747 x509.DistributionPoint(
1748 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1749 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1750 frozenset([x509.ReasonFlags.aa_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1751 None
1752 )
1753
1754 def test_eq(self):
1755 dp = x509.DistributionPoint(
1756 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1757 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1758 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1759 [
1760 x509.DirectoryName(
1761 x509.Name([
1762 x509.NameAttribute(
1763 x509.OID_COMMON_NAME, "Important CA"
1764 )
1765 ])
1766 )
1767 ],
1768 )
1769 dp2 = x509.DistributionPoint(
1770 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1771 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1772 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1773 [
1774 x509.DirectoryName(
1775 x509.Name([
1776 x509.NameAttribute(
1777 x509.OID_COMMON_NAME, "Important CA"
1778 )
1779 ])
1780 )
1781 ],
1782 )
1783 assert dp == dp2
1784
1785 def test_ne(self):
1786 dp = x509.DistributionPoint(
1787 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1788 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1789 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1790 [
1791 x509.DirectoryName(
1792 x509.Name([
1793 x509.NameAttribute(
1794 x509.OID_COMMON_NAME, "Important CA"
1795 )
1796 ])
1797 )
1798 ],
1799 )
1800 dp2 = x509.DistributionPoint(
1801 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
1802 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1803 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1804 None
1805 )
1806 assert dp != dp2
1807 assert dp != object()
1808
1809 def test_repr(self):
1810 dp = x509.DistributionPoint(
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1811 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1812 x509.Name([
1813 x509.NameAttribute(x509.OID_COMMON_NAME, "myCN")
1814 ]),
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]1815 frozenset([x509.ReasonFlags.ca_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1816 [
1817 x509.DirectoryName(
1818 x509.Name([
1819 x509.NameAttribute(
1820 x509.OID_COMMON_NAME, "Important CA"
1821 )
1822 ])
1823 )
1824 ],
1825 )
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]1826 if six.PY3:
1827 assert repr(dp) == (
1828 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
1829 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
1830 ">, value='myCN')>])>, reasons=frozenset({<ReasonFlags.ca_comp"
1831 "romise: 'cACompromise'>}), crl_issuer=[<DirectoryName(value=<"
1832 "Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name="
1833 "commonName)>, value='Important CA')>])>)>])>"
1834 )
1835 else:
1836 assert repr(dp) == (
1837 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
1838 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
1839 ">, value='myCN')>])>, reasons=frozenset([<ReasonFlags.ca_comp"
1840 "romise: 'cACompromise'>]), crl_issuer=[<DirectoryName(value=<"
1841 "Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name="
1842 "commonName)>, value='Important CA')>])>)>])>"
1843 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1844
1845
1846class TestCRLDistributionPoints(object):
1847 def test_invalid_distribution_points(self):
1848 with pytest.raises(TypeError):
1849 x509.CRLDistributionPoints(["notadistributionpoint"])
1850
1851 def test_iter_len(self):
1852 cdp = x509.CRLDistributionPoints([
1853 x509.DistributionPoint(
1854 [x509.UniformResourceIdentifier(u"http://domain")],
1855 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1856 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1857 None
1858 ),
1859 x509.DistributionPoint(
1860 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1861 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1862 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1863 x509.ReasonFlags.key_compromise,
1864 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1865 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1866 None
1867 ),
1868 ])
1869 assert len(cdp) == 2
1870 assert list(cdp) == [
1871 x509.DistributionPoint(
1872 [x509.UniformResourceIdentifier(u"http://domain")],
1873 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1874 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1875 None
1876 ),
1877 x509.DistributionPoint(
1878 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1879 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1880 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1881 x509.ReasonFlags.key_compromise,
1882 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1883 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1884 None
1885 ),
1886 ]
1887
1888 def test_repr(self):
1889 cdp = x509.CRLDistributionPoints([
1890 x509.DistributionPoint(
1891 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1892 None,
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]1893 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1894 None
1895 ),
1896 ])
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]1897 if six.PY3:
1898 assert repr(cdp) == (
1899 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
1900 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
1901 "ne, reasons=frozenset({<ReasonFlags.key_compromise: 'keyComp"
1902 "romise'>}), crl_issuer=None)>])>"
1903 )
1904 else:
1905 assert repr(cdp) == (
1906 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
1907 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
1908 "ne, reasons=frozenset([<ReasonFlags.key_compromise: 'keyComp"
1909 "romise'>]), crl_issuer=None)>])>"
1910 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1911
1912 def test_eq(self):
1913 cdp = x509.CRLDistributionPoints([
1914 x509.DistributionPoint(
1915 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1916 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1917 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1918 x509.ReasonFlags.key_compromise,
1919 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1920 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1921 [x509.UniformResourceIdentifier(u"uri://thing")],
1922 ),
1923 ])
1924 cdp2 = x509.CRLDistributionPoints([
1925 x509.DistributionPoint(
1926 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1927 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1928 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1929 x509.ReasonFlags.key_compromise,
1930 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1931 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1932 [x509.UniformResourceIdentifier(u"uri://thing")],
1933 ),
1934 ])
1935 assert cdp == cdp2
1936
1937 def test_ne(self):
1938 cdp = x509.CRLDistributionPoints([
1939 x509.DistributionPoint(
1940 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1941 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1942 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1943 x509.ReasonFlags.key_compromise,
1944 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1945 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1946 [x509.UniformResourceIdentifier(u"uri://thing")],
1947 ),
1948 ])
1949 cdp2 = x509.CRLDistributionPoints([
1950 x509.DistributionPoint(
1951 [x509.UniformResourceIdentifier(u"ftp://domain2")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1952 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1953 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1954 x509.ReasonFlags.key_compromise,
1955 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1956 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1957 [x509.UniformResourceIdentifier(u"uri://thing")],
1958 ),
1959 ])
1960 cdp3 = x509.CRLDistributionPoints([
1961 x509.DistributionPoint(
1962 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1963 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1964 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1965 [x509.UniformResourceIdentifier(u"uri://thing")],
1966 ),
1967 ])
1968 cdp4 = x509.CRLDistributionPoints([
1969 x509.DistributionPoint(
1970 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1971 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1972 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1973 x509.ReasonFlags.key_compromise,
1974 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1975 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1976 [x509.UniformResourceIdentifier(u"uri://thing2")],
1977 ),
1978 ])
1979 assert cdp != cdp2
1980 assert cdp != cdp3
1981 assert cdp != cdp4
1982 assert cdp != object()