Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / b0391810fb74bd098592b03ffbb937daeed4561f / . / tests / test_x509_ext.py
blob: 572aa30c759bfd9298f0a92d8502f7b02451e05e [file] [log] [blame]
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]7import binascii
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]8import ipaddress
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]9import os
10
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]11import pytest
12
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]13import six
14
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]15from cryptography import x509
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]16from cryptography.hazmat.backends.interfaces import RSABackend, X509Backend
17
18from .test_x509 import _load_cert
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]19
20
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]21class TestExtension(object):
22 def test_not_an_oid(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]23 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]24 with pytest.raises(TypeError):
25 x509.Extension("notanoid", True, bc)
26
27 def test_critical_not_a_bool(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]28 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]29 with pytest.raises(TypeError):
30 x509.Extension(x509.OID_BASIC_CONSTRAINTS, "notabool", bc)
31
32 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]33 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]34 ext = x509.Extension(x509.OID_BASIC_CONSTRAINTS, True, bc)
35 assert repr(ext) == (
36 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConst"
37 "raints)>, critical=True, value=<BasicConstraints(ca=False, path"
38 "_length=None)>)>"
39 )
40
Paul Kehrer58e870c2015-05-17 09:15:30 -0700[diff] [blame]41 def test_eq(self):
42 ext1 = x509.Extension(
43 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
44 )
45 ext2 = x509.Extension(
46 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
47 )
48 assert ext1 == ext2
49
50 def test_ne(self):
51 ext1 = x509.Extension(
52 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
53 )
54 ext2 = x509.Extension(
55 x509.ObjectIdentifier('1.2.3.5'), False, 'value'
56 )
57 ext3 = x509.Extension(
58 x509.ObjectIdentifier('1.2.3.4'), True, 'value'
59 )
60 ext4 = x509.Extension(
61 x509.ObjectIdentifier('1.2.3.4'), False, 'value4'
62 )
63 assert ext1 != ext2
64 assert ext1 != ext3
65 assert ext1 != ext4
66 assert ext1 != object()
67
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]68
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]69class TestNoticeReference(object):
70 def test_notice_numbers_not_all_int(self):
71 with pytest.raises(TypeError):
72 x509.NoticeReference("org", [1, 2, "three"])
73
74 def test_notice_numbers_none(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]75 with pytest.raises(TypeError):
76 x509.NoticeReference("org", None)
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]77
78 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]79 nr = x509.NoticeReference(u"org", [1, 3, 4])
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]80
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]81 if six.PY3:
82 assert repr(nr) == (
83 "<NoticeReference(organization='org', notice_numbers=[1, 3, 4"
84 "])>"
85 )
86 else:
87 assert repr(nr) == (
88 "<NoticeReference(organization=u'org', notice_numbers=[1, 3, "
89 "4])>"
90 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]91
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]92 def test_eq(self):
93 nr = x509.NoticeReference("org", [1, 2])
94 nr2 = x509.NoticeReference("org", [1, 2])
95 assert nr == nr2
96
97 def test_ne(self):
98 nr = x509.NoticeReference("org", [1, 2])
99 nr2 = x509.NoticeReference("org", [1])
100 nr3 = x509.NoticeReference(None, [1, 2])
101 assert nr != nr2
102 assert nr != nr3
103 assert nr != object()
104
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]105
106class TestUserNotice(object):
107 def test_notice_reference_invalid(self):
108 with pytest.raises(TypeError):
109 x509.UserNotice("invalid", None)
110
111 def test_notice_reference_none(self):
112 un = x509.UserNotice(None, "text")
113 assert un.notice_reference is None
114 assert un.explicit_text == "text"
115
116 def test_repr(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]117 un = x509.UserNotice(x509.NoticeReference(u"org", [1]), u"text")
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]118 if six.PY3:
119 assert repr(un) == (
120 "<UserNotice(notice_reference=<NoticeReference(organization='"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]121 "org', notice_numbers=[1])>, explicit_text='text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]122 )
123 else:
124 assert repr(un) == (
125 "<UserNotice(notice_reference=<NoticeReference(organization=u"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]126 "'org', notice_numbers=[1])>, explicit_text=u'text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]127 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]128
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]129 def test_eq(self):
130 nr = x509.NoticeReference("org", [1, 2])
131 nr2 = x509.NoticeReference("org", [1, 2])
132 un = x509.UserNotice(nr, "text")
133 un2 = x509.UserNotice(nr2, "text")
134 assert un == un2
135
136 def test_ne(self):
137 nr = x509.NoticeReference("org", [1, 2])
138 nr2 = x509.NoticeReference("org", [1])
139 un = x509.UserNotice(nr, "text")
140 un2 = x509.UserNotice(nr2, "text")
141 un3 = x509.UserNotice(nr, "text3")
142 assert un != un2
143 assert un != un3
144 assert un != object()
145
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]146
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]147class TestPolicyInformation(object):
148 def test_invalid_policy_identifier(self):
149 with pytest.raises(TypeError):
150 x509.PolicyInformation("notanoid", None)
151
152 def test_none_policy_qualifiers(self):
153 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), None)
154 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
155 assert pi.policy_qualifiers is None
156
157 def test_policy_qualifiers(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]158 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]159 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
160 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
161 assert pi.policy_qualifiers == pq
162
163 def test_invalid_policy_identifiers(self):
164 with pytest.raises(TypeError):
165 x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [1, 2])
166
167 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]168 pq = [u"string", x509.UserNotice(None, u"hi")]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]169 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]170 if six.PY3:
171 assert repr(pi) == (
172 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
173 "2.3, name=Unknown OID)>, policy_qualifiers=['string', <UserNo"
Paul Kehrer9aaef9e2015-05-11 10:49:20 -0500[diff] [blame]174 "tice(notice_reference=None, explicit_text='hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]175 )
176 else:
177 assert repr(pi) == (
178 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
179 "2.3, name=Unknown OID)>, policy_qualifiers=[u'string', <UserN"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]180 "otice(notice_reference=None, explicit_text=u'hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]181 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]182
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]183 def test_eq(self):
184 pi = x509.PolicyInformation(
185 x509.ObjectIdentifier("1.2.3"),
186 [u"string", x509.UserNotice(None, u"hi")]
187 )
188 pi2 = x509.PolicyInformation(
189 x509.ObjectIdentifier("1.2.3"),
190 [u"string", x509.UserNotice(None, u"hi")]
191 )
192 assert pi == pi2
193
194 def test_ne(self):
195 pi = x509.PolicyInformation(
196 x509.ObjectIdentifier("1.2.3"), [u"string"]
197 )
198 pi2 = x509.PolicyInformation(
199 x509.ObjectIdentifier("1.2.3"), [u"string2"]
200 )
201 pi3 = x509.PolicyInformation(
202 x509.ObjectIdentifier("1.2.3.4"), [u"string"]
203 )
204 assert pi != pi2
205 assert pi != pi3
206 assert pi != object()
207
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]208
209class TestCertificatePolicies(object):
210 def test_invalid_policies(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]211 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]212 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
213 with pytest.raises(TypeError):
214 x509.CertificatePolicies([1, pi])
215
216 def test_iter_len(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]217 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]218 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
219 cp = x509.CertificatePolicies([pi])
220 assert len(cp) == 1
221 for policyinfo in cp:
222 assert policyinfo == pi
223
224 def test_repr(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]225 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]226 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
227 cp = x509.CertificatePolicies([pi])
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]228 if six.PY3:
229 assert repr(cp) == (
230 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
231 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
232 "ers=['string'])>])>"
233 )
234 else:
235 assert repr(cp) == (
236 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
237 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
238 "ers=[u'string'])>])>"
239 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]240
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]241 def test_eq(self):
242 pi = x509.PolicyInformation(
243 x509.ObjectIdentifier("1.2.3"), [u"string"]
244 )
245 cp = x509.CertificatePolicies([pi])
246 pi2 = x509.PolicyInformation(
247 x509.ObjectIdentifier("1.2.3"), [u"string"]
248 )
249 cp2 = x509.CertificatePolicies([pi2])
250 assert cp == cp2
251
252 def test_ne(self):
253 pi = x509.PolicyInformation(
254 x509.ObjectIdentifier("1.2.3"), [u"string"]
255 )
256 cp = x509.CertificatePolicies([pi])
257 pi2 = x509.PolicyInformation(
258 x509.ObjectIdentifier("1.2.3"), [u"string2"]
259 )
260 cp2 = x509.CertificatePolicies([pi2])
261 assert cp != cp2
262 assert cp != object()
263
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]264
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]265@pytest.mark.requires_backend_interface(interface=RSABackend)
266@pytest.mark.requires_backend_interface(interface=X509Backend)
267class TestCertificatePoliciesExtension(object):
268 def test_cps_uri_policy_qualifier(self, backend):
269 cert = _load_cert(
270 os.path.join("x509", "custom", "cp_cps_uri.pem"),
271 x509.load_pem_x509_certificate,
272 backend
273 )
274
275 cp = cert.extensions.get_extension_for_oid(
276 x509.OID_CERTIFICATE_POLICIES
277 ).value
278
279 assert cp == x509.CertificatePolicies([
280 x509.PolicyInformation(
281 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
282 [u"http://other.com/cps"]
283 )
284 ])
285
286 def test_user_notice_with_notice_reference(self, backend):
287 cert = _load_cert(
288 os.path.join(
289 "x509", "custom", "cp_user_notice_with_notice_reference.pem"
290 ),
291 x509.load_pem_x509_certificate,
292 backend
293 )
294
295 cp = cert.extensions.get_extension_for_oid(
296 x509.OID_CERTIFICATE_POLICIES
297 ).value
298
299 assert cp == x509.CertificatePolicies([
300 x509.PolicyInformation(
301 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
302 [
303 u"http://example.com/cps",
304 u"http://other.com/cps",
305 x509.UserNotice(
306 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
307 u"thing"
308 )
309 ]
310 )
311 ])
312
313 def test_user_notice_with_explicit_text(self, backend):
314 cert = _load_cert(
315 os.path.join(
316 "x509", "custom", "cp_user_notice_with_explicit_text.pem"
317 ),
318 x509.load_pem_x509_certificate,
319 backend
320 )
321
322 cp = cert.extensions.get_extension_for_oid(
323 x509.OID_CERTIFICATE_POLICIES
324 ).value
325
326 assert cp == x509.CertificatePolicies([
327 x509.PolicyInformation(
328 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
329 [x509.UserNotice(None, u"thing")]
330 )
331 ])
332
333 def test_user_notice_no_explicit_text(self, backend):
334 cert = _load_cert(
335 os.path.join(
336 "x509", "custom", "cp_user_notice_no_explicit_text.pem"
337 ),
338 x509.load_pem_x509_certificate,
339 backend
340 )
341
342 cp = cert.extensions.get_extension_for_oid(
343 x509.OID_CERTIFICATE_POLICIES
344 ).value
345
346 assert cp == x509.CertificatePolicies([
347 x509.PolicyInformation(
348 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
349 [
350 x509.UserNotice(
351 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
352 None
353 )
354 ]
355 )
356 ])
357
358
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]359class TestKeyUsage(object):
360 def test_key_agreement_false_encipher_decipher_true(self):
361 with pytest.raises(ValueError):
362 x509.KeyUsage(
363 digital_signature=False,
364 content_commitment=False,
365 key_encipherment=False,
366 data_encipherment=False,
367 key_agreement=False,
368 key_cert_sign=False,
369 crl_sign=False,
370 encipher_only=True,
371 decipher_only=False
372 )
373
374 with pytest.raises(ValueError):
375 x509.KeyUsage(
376 digital_signature=False,
377 content_commitment=False,
378 key_encipherment=False,
379 data_encipherment=False,
380 key_agreement=False,
381 key_cert_sign=False,
382 crl_sign=False,
383 encipher_only=True,
384 decipher_only=True
385 )
386
387 with pytest.raises(ValueError):
388 x509.KeyUsage(
389 digital_signature=False,
390 content_commitment=False,
391 key_encipherment=False,
392 data_encipherment=False,
393 key_agreement=False,
394 key_cert_sign=False,
395 crl_sign=False,
396 encipher_only=False,
397 decipher_only=True
398 )
399
400 def test_properties_key_agreement_true(self):
401 ku = x509.KeyUsage(
402 digital_signature=True,
403 content_commitment=True,
404 key_encipherment=False,
405 data_encipherment=False,
406 key_agreement=False,
407 key_cert_sign=True,
408 crl_sign=False,
409 encipher_only=False,
410 decipher_only=False
411 )
412 assert ku.digital_signature is True
413 assert ku.content_commitment is True
414 assert ku.key_encipherment is False
415 assert ku.data_encipherment is False
416 assert ku.key_agreement is False
417 assert ku.key_cert_sign is True
418 assert ku.crl_sign is False
419
420 def test_key_agreement_true_properties(self):
421 ku = x509.KeyUsage(
422 digital_signature=False,
423 content_commitment=False,
424 key_encipherment=False,
425 data_encipherment=False,
426 key_agreement=True,
427 key_cert_sign=False,
428 crl_sign=False,
429 encipher_only=False,
430 decipher_only=True
431 )
432 assert ku.key_agreement is True
433 assert ku.encipher_only is False
434 assert ku.decipher_only is True
435
436 def test_key_agreement_false_properties(self):
437 ku = x509.KeyUsage(
438 digital_signature=False,
439 content_commitment=False,
440 key_encipherment=False,
441 data_encipherment=False,
442 key_agreement=False,
443 key_cert_sign=False,
444 crl_sign=False,
445 encipher_only=False,
446 decipher_only=False
447 )
448 assert ku.key_agreement is False
449 with pytest.raises(ValueError):
450 ku.encipher_only
451
452 with pytest.raises(ValueError):
453 ku.decipher_only
454
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]455 def test_repr_key_agreement_false(self):
456 ku = x509.KeyUsage(
457 digital_signature=True,
458 content_commitment=True,
459 key_encipherment=False,
460 data_encipherment=False,
461 key_agreement=False,
462 key_cert_sign=True,
463 crl_sign=False,
464 encipher_only=False,
465 decipher_only=False
466 )
467 assert repr(ku) == (
468 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
469 "cipherment=False, data_encipherment=False, key_agreement=False, k"
Paul Kehrerb372e672015-04-15 11:05:24 -0400[diff] [blame]470 "ey_cert_sign=True, crl_sign=False, encipher_only=None, decipher_o"
471 "nly=None)>"
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]472 )
473
474 def test_repr_key_agreement_true(self):
475 ku = x509.KeyUsage(
476 digital_signature=True,
477 content_commitment=True,
478 key_encipherment=False,
479 data_encipherment=False,
480 key_agreement=True,
481 key_cert_sign=True,
482 crl_sign=False,
483 encipher_only=False,
484 decipher_only=False
485 )
486 assert repr(ku) == (
487 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
488 "cipherment=False, data_encipherment=False, key_agreement=True, k"
489 "ey_cert_sign=True, crl_sign=False, encipher_only=False, decipher_"
490 "only=False)>"
491 )
492
Paul Kehrer8565f5e2015-05-13 09:57:09 -0500[diff] [blame]493 def test_eq(self):
494 ku = x509.KeyUsage(
495 digital_signature=False,
496 content_commitment=False,
497 key_encipherment=False,
498 data_encipherment=False,
499 key_agreement=True,
500 key_cert_sign=False,
501 crl_sign=False,
502 encipher_only=False,
503 decipher_only=True
504 )
505 ku2 = x509.KeyUsage(
506 digital_signature=False,
507 content_commitment=False,
508 key_encipherment=False,
509 data_encipherment=False,
510 key_agreement=True,
511 key_cert_sign=False,
512 crl_sign=False,
513 encipher_only=False,
514 decipher_only=True
515 )
516 assert ku == ku2
517
518 def test_ne(self):
519 ku = x509.KeyUsage(
520 digital_signature=False,
521 content_commitment=False,
522 key_encipherment=False,
523 data_encipherment=False,
524 key_agreement=True,
525 key_cert_sign=False,
526 crl_sign=False,
527 encipher_only=False,
528 decipher_only=True
529 )
530 ku2 = x509.KeyUsage(
531 digital_signature=False,
532 content_commitment=False,
533 key_encipherment=False,
534 data_encipherment=False,
535 key_agreement=False,
536 key_cert_sign=False,
537 crl_sign=False,
538 encipher_only=False,
539 decipher_only=False
540 )
541 assert ku != ku2
542 assert ku != object()
543
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]544
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]545class TestSubjectKeyIdentifier(object):
546 def test_properties(self):
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]547 value = binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]548 ski = x509.SubjectKeyIdentifier(value)
549 assert ski.digest == value
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]550
551 def test_repr(self):
552 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]553 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]554 )
555 ext = x509.Extension(x509.OID_SUBJECT_KEY_IDENTIFIER, False, ski)
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]556 if six.PY3:
557 assert repr(ext) == (
558 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
559 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
560 "igest=b\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
561 "\\xf7\\xff:\\xc9\')>)>"
562 )
563 else:
564 assert repr(ext) == (
565 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
566 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
567 "igest=\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
568 "\\xf7\\xff:\\xc9\')>)>"
569 )
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]570
571 def test_eq(self):
572 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]573 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]574 )
575 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]576 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]577 )
578 assert ski == ski2
579
580 def test_ne(self):
581 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]582 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]583 )
584 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]585 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]586 )
587 assert ski != ski2
588 assert ski != object()
589
590
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]591class TestAuthorityKeyIdentifier(object):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]592 def test_authority_cert_issuer_not_generalname(self):
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]593 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]594 x509.AuthorityKeyIdentifier(b"identifier", ["notname"], 3)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]595
596 def test_authority_cert_serial_number_not_integer(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]597 dirname = x509.DirectoryName(
598 x509.Name([
599 x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1'),
600 x509.NameAttribute(x509.ObjectIdentifier('oid2'), 'value2'),
601 ])
602 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]603 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]604 x509.AuthorityKeyIdentifier(b"identifier", [dirname], "notanint")
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]605
606 def test_authority_issuer_none_serial_not_none(self):
607 with pytest.raises(ValueError):
608 x509.AuthorityKeyIdentifier(b"identifier", None, 3)
609
610 def test_authority_issuer_not_none_serial_none(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]611 dirname = x509.DirectoryName(
612 x509.Name([
613 x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1'),
614 x509.NameAttribute(x509.ObjectIdentifier('oid2'), 'value2'),
615 ])
616 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]617 with pytest.raises(ValueError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]618 x509.AuthorityKeyIdentifier(b"identifier", [dirname], None)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]619
620 def test_authority_cert_serial_and_issuer_none(self):
621 aki = x509.AuthorityKeyIdentifier(b"id", None, None)
622 assert aki.key_identifier == b"id"
623 assert aki.authority_cert_issuer is None
624 assert aki.authority_cert_serial_number is None
625
626 def test_repr(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]627 dirname = x509.DirectoryName(
628 x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'myCN')])
629 )
630 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]631
632 if six.PY3:
633 assert repr(aki) == (
634 "<AuthorityKeyIdentifier(key_identifier=b'digest', authority_"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]635 "cert_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid="
636 "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value='myC"
637 "N')>])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]638 )
639 else:
640 assert repr(aki) == (
641 "<AuthorityKeyIdentifier(key_identifier='digest', authority_ce"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]642 "rt_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid=<Ob"
643 "jectIdentifier(oid=2.5.4.3, name=commonName)>, value='myCN')>"
644 "])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]645 )
646
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]647 def test_eq(self):
648 dirname = x509.DirectoryName(
649 x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'myCN')])
650 )
651 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
652 dirname2 = x509.DirectoryName(
653 x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'myCN')])
654 )
655 aki2 = x509.AuthorityKeyIdentifier(b"digest", [dirname2], 1234)
656 assert aki == aki2
657
658 def test_ne(self):
659 dirname = x509.DirectoryName(
660 x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'myCN')])
661 )
662 dirname5 = x509.DirectoryName(
663 x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'aCN')])
664 )
665 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
666 aki2 = x509.AuthorityKeyIdentifier(b"diges", [dirname], 1234)
667 aki3 = x509.AuthorityKeyIdentifier(b"digest", None, None)
668 aki4 = x509.AuthorityKeyIdentifier(b"digest", [dirname], 12345)
669 aki5 = x509.AuthorityKeyIdentifier(b"digest", [dirname5], 12345)
670 assert aki != aki2
671 assert aki != aki3
672 assert aki != aki4
673 assert aki != aki5
674 assert aki != object()
675
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]676
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]677class TestBasicConstraints(object):
678 def test_ca_not_boolean(self):
679 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]680 x509.BasicConstraints(ca="notbool", path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]681
682 def test_path_length_not_ca(self):
683 with pytest.raises(ValueError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]684 x509.BasicConstraints(ca=False, path_length=0)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]685
686 def test_path_length_not_int(self):
687 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]688 x509.BasicConstraints(ca=True, path_length=1.1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]689
690 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]691 x509.BasicConstraints(ca=True, path_length="notint")
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]692
693 def test_path_length_negative(self):
694 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]695 x509.BasicConstraints(ca=True, path_length=-1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]696
697 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]698 na = x509.BasicConstraints(ca=True, path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]699 assert repr(na) == (
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]700 "<BasicConstraints(ca=True, path_length=None)>"
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]701 )
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]702
Paul Kehrer3a69b132015-05-13 10:03:46 -0500[diff] [blame]703 def test_eq(self):
704 na = x509.BasicConstraints(ca=True, path_length=None)
705 na2 = x509.BasicConstraints(ca=True, path_length=None)
706 assert na == na2
707
708 def test_ne(self):
709 na = x509.BasicConstraints(ca=True, path_length=None)
710 na2 = x509.BasicConstraints(ca=True, path_length=1)
711 na3 = x509.BasicConstraints(ca=False, path_length=None)
712 assert na != na2
713 assert na != na3
714 assert na != object()
715
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]716
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]717class TestExtendedKeyUsage(object):
718 def test_not_all_oids(self):
719 with pytest.raises(TypeError):
720 x509.ExtendedKeyUsage(["notoid"])
721
722 def test_iter_len(self):
723 eku = x509.ExtendedKeyUsage([
724 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
725 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
726 ])
727 assert len(eku) == 2
728 assert list(eku) == [
729 x509.OID_SERVER_AUTH,
730 x509.OID_CLIENT_AUTH
731 ]
732
Paul Kehrer23d10c32015-04-02 23:12:32 -0500[diff] [blame]733 def test_repr(self):
734 eku = x509.ExtendedKeyUsage([
735 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
736 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
737 ])
738 assert repr(eku) == (
739 "<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name="
740 "serverAuth)>, <ObjectIdentifier(oid=1.3.6.1.5.5.7.3.2, name=clien"
741 "tAuth)>])>"
742 )
743
Paul Kehrerb0476172015-05-02 19:34:51 -0500[diff] [blame]744 def test_eq(self):
745 eku = x509.ExtendedKeyUsage([
746 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
747 ])
748 eku2 = x509.ExtendedKeyUsage([
749 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
750 ])
751 assert eku == eku2
752
753 def test_ne(self):
754 eku = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6")])
755 eku2 = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6.1")])
756 assert eku != eku2
757 assert eku != object()
758
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]759
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]760@pytest.mark.requires_backend_interface(interface=RSABackend)
761@pytest.mark.requires_backend_interface(interface=X509Backend)
762class TestExtensions(object):
763 def test_no_extensions(self, backend):
764 cert = _load_cert(
765 os.path.join("x509", "verisign_md2_root.pem"),
766 x509.load_pem_x509_certificate,
767 backend
768 )
769 ext = cert.extensions
770 assert len(ext) == 0
771 assert list(ext) == []
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]772 with pytest.raises(x509.ExtensionNotFound) as exc:
773 ext.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
774
775 assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS
776
777 def test_one_extension(self, backend):
778 cert = _load_cert(
779 os.path.join(
780 "x509", "custom", "basic_constraints_not_critical.pem"
781 ),
782 x509.load_pem_x509_certificate,
783 backend
784 )
785 extensions = cert.extensions
786 ext = extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
787 assert ext is not None
788 assert ext.value.ca is False
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]789
790 def test_duplicate_extension(self, backend):
791 cert = _load_cert(
792 os.path.join(
793 "x509", "custom", "two_basic_constraints.pem"
794 ),
795 x509.load_pem_x509_certificate,
796 backend
797 )
798 with pytest.raises(x509.DuplicateExtension) as exc:
799 cert.extensions
800
801 assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS
802
803 def test_unsupported_critical_extension(self, backend):
804 cert = _load_cert(
805 os.path.join(
806 "x509", "custom", "unsupported_extension_critical.pem"
807 ),
808 x509.load_pem_x509_certificate,
809 backend
810 )
811 with pytest.raises(x509.UnsupportedExtension) as exc:
812 cert.extensions
813
814 assert exc.value.oid == x509.ObjectIdentifier("1.2.3.4")
815
816 def test_unsupported_extension(self, backend):
817 # TODO: this will raise an exception when all extensions are complete
818 cert = _load_cert(
819 os.path.join(
820 "x509", "custom", "unsupported_extension.pem"
821 ),
822 x509.load_pem_x509_certificate,
823 backend
824 )
825 extensions = cert.extensions
826 assert len(extensions) == 0
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]827
828
829@pytest.mark.requires_backend_interface(interface=RSABackend)
830@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerde813ea2015-03-28 12:44:34 -0500[diff] [blame]831class TestBasicConstraintsExtension(object):
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]832 def test_ca_true_pathlen_6(self, backend):
833 cert = _load_cert(
834 os.path.join(
835 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
836 ),
837 x509.load_der_x509_certificate,
838 backend
839 )
840 ext = cert.extensions.get_extension_for_oid(
841 x509.OID_BASIC_CONSTRAINTS
842 )
843 assert ext is not None
844 assert ext.critical is True
845 assert ext.value.ca is True
846 assert ext.value.path_length == 6
847
848 def test_path_length_zero(self, backend):
849 cert = _load_cert(
850 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
851 x509.load_pem_x509_certificate,
852 backend
853 )
854 ext = cert.extensions.get_extension_for_oid(
855 x509.OID_BASIC_CONSTRAINTS
856 )
857 assert ext is not None
858 assert ext.critical is True
859 assert ext.value.ca is True
860 assert ext.value.path_length == 0
861
862 def test_ca_true_no_pathlen(self, backend):
863 cert = _load_cert(
864 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
865 x509.load_der_x509_certificate,
866 backend
867 )
868 ext = cert.extensions.get_extension_for_oid(
869 x509.OID_BASIC_CONSTRAINTS
870 )
871 assert ext is not None
872 assert ext.critical is True
873 assert ext.value.ca is True
874 assert ext.value.path_length is None
875
876 def test_ca_false(self, backend):
877 cert = _load_cert(
878 os.path.join("x509", "cryptography.io.pem"),
879 x509.load_pem_x509_certificate,
880 backend
881 )
882 ext = cert.extensions.get_extension_for_oid(
883 x509.OID_BASIC_CONSTRAINTS
884 )
885 assert ext is not None
886 assert ext.critical is True
887 assert ext.value.ca is False
888 assert ext.value.path_length is None
889
890 def test_no_basic_constraints(self, backend):
891 cert = _load_cert(
892 os.path.join(
893 "x509",
894 "PKITS_data",
895 "certs",
896 "ValidCertificatePathTest1EE.crt"
897 ),
898 x509.load_der_x509_certificate,
899 backend
900 )
901 with pytest.raises(x509.ExtensionNotFound):
902 cert.extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
903
904 def test_basic_constraint_not_critical(self, backend):
905 cert = _load_cert(
906 os.path.join(
907 "x509", "custom", "basic_constraints_not_critical.pem"
908 ),
909 x509.load_pem_x509_certificate,
910 backend
911 )
912 ext = cert.extensions.get_extension_for_oid(
913 x509.OID_BASIC_CONSTRAINTS
914 )
915 assert ext is not None
916 assert ext.critical is False
917 assert ext.value.ca is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]918
919
920@pytest.mark.requires_backend_interface(interface=RSABackend)
921@pytest.mark.requires_backend_interface(interface=X509Backend)
922class TestSubjectKeyIdentifierExtension(object):
923 def test_subject_key_identifier(self, backend):
924 cert = _load_cert(
925 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
926 x509.load_der_x509_certificate,
927 backend
928 )
929 ext = cert.extensions.get_extension_for_oid(
930 x509.OID_SUBJECT_KEY_IDENTIFIER
931 )
932 ski = ext.value
933 assert ext is not None
934 assert ext.critical is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]935 assert ski.digest == binascii.unhexlify(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]936 b"580184241bbc2b52944a3da510721451f5af3ac9"
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]937 )
938
939 def test_no_subject_key_identifier(self, backend):
940 cert = _load_cert(
941 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
942 x509.load_pem_x509_certificate,
943 backend
944 )
945 with pytest.raises(x509.ExtensionNotFound):
946 cert.extensions.get_extension_for_oid(
947 x509.OID_SUBJECT_KEY_IDENTIFIER
948 )
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]949
950
951@pytest.mark.requires_backend_interface(interface=RSABackend)
952@pytest.mark.requires_backend_interface(interface=X509Backend)
953class TestKeyUsageExtension(object):
954 def test_no_key_usage(self, backend):
955 cert = _load_cert(
956 os.path.join("x509", "verisign_md2_root.pem"),
957 x509.load_pem_x509_certificate,
958 backend
959 )
960 ext = cert.extensions
961 with pytest.raises(x509.ExtensionNotFound) as exc:
962 ext.get_extension_for_oid(x509.OID_KEY_USAGE)
963
964 assert exc.value.oid == x509.OID_KEY_USAGE
965
966 def test_all_purposes(self, backend):
967 cert = _load_cert(
968 os.path.join(
969 "x509", "custom", "all_key_usages.pem"
970 ),
971 x509.load_pem_x509_certificate,
972 backend
973 )
974 extensions = cert.extensions
975 ext = extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
976 assert ext is not None
977
978 ku = ext.value
979 assert ku.digital_signature is True
980 assert ku.content_commitment is True
981 assert ku.key_encipherment is True
982 assert ku.data_encipherment is True
983 assert ku.key_agreement is True
984 assert ku.key_cert_sign is True
985 assert ku.crl_sign is True
986 assert ku.encipher_only is True
987 assert ku.decipher_only is True
988
989 def test_key_cert_sign_crl_sign(self, backend):
990 cert = _load_cert(
991 os.path.join(
992 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
993 ),
994 x509.load_der_x509_certificate,
995 backend
996 )
997 ext = cert.extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
998 assert ext is not None
999 assert ext.critical is True
1000
1001 ku = ext.value
1002 assert ku.digital_signature is False
1003 assert ku.content_commitment is False
1004 assert ku.key_encipherment is False
1005 assert ku.data_encipherment is False
1006 assert ku.key_agreement is False
1007 assert ku.key_cert_sign is True
1008 assert ku.crl_sign is True
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1009
1010
1011@pytest.mark.parametrize(
1012 "name", [
1013 x509.RFC822Name,
1014 x509.DNSName,
1015 x509.UniformResourceIdentifier
1016 ]
1017)
1018class TestTextGeneralNames(object):
1019 def test_not_text(self, name):
1020 with pytest.raises(TypeError):
1021 name(b"notaunicodestring")
1022
1023 with pytest.raises(TypeError):
1024 name(1.3)
1025
1026 def test_repr(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1027 gn = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1028 assert repr(gn) == "<{0}(value=string)>".format(name.__name__)
1029
1030 def test_eq(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1031 gn = name(u"string")
1032 gn2 = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1033 assert gn == gn2
1034
1035 def test_ne(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1036 gn = name(u"string")
1037 gn2 = name(u"string2")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1038 assert gn != gn2
1039 assert gn != object()
1040
1041
1042class TestDirectoryName(object):
1043 def test_not_name(self):
1044 with pytest.raises(TypeError):
1045 x509.DirectoryName(b"notaname")
1046
1047 with pytest.raises(TypeError):
1048 x509.DirectoryName(1.3)
1049
1050 def test_repr(self):
1051 name = x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'value1')])
1052 gn = x509.DirectoryName(x509.Name([name]))
1053 assert repr(gn) == (
1054 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<ObjectIden"
1055 "tifier(oid=2.5.4.3, name=commonName)>, value='value1')>])>])>)>"
1056 )
1057
1058 def test_eq(self):
1059 name = x509.Name([
1060 x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1')
1061 ])
1062 name2 = x509.Name([
1063 x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1')
1064 ])
1065 gn = x509.DirectoryName(x509.Name([name]))
1066 gn2 = x509.DirectoryName(x509.Name([name2]))
1067 assert gn == gn2
1068
1069 def test_ne(self):
1070 name = x509.Name([
1071 x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1')
1072 ])
1073 name2 = x509.Name([
1074 x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value2')
1075 ])
1076 gn = x509.DirectoryName(x509.Name([name]))
1077 gn2 = x509.DirectoryName(x509.Name([name2]))
1078 assert gn != gn2
1079 assert gn != object()
1080
1081
1082class TestRegisteredID(object):
1083 def test_not_oid(self):
1084 with pytest.raises(TypeError):
1085 x509.RegisteredID(b"notanoid")
1086
1087 with pytest.raises(TypeError):
1088 x509.RegisteredID(1.3)
1089
1090 def test_repr(self):
1091 gn = x509.RegisteredID(x509.OID_COMMON_NAME)
1092 assert repr(gn) == (
1093 "<RegisteredID(value=<ObjectIdentifier(oid=2.5.4.3, name=commonNam"
1094 "e)>)>"
1095 )
1096
1097 def test_eq(self):
1098 gn = x509.RegisteredID(x509.OID_COMMON_NAME)
1099 gn2 = x509.RegisteredID(x509.OID_COMMON_NAME)
1100 assert gn == gn2
1101
1102 def test_ne(self):
1103 gn = x509.RegisteredID(x509.OID_COMMON_NAME)
1104 gn2 = x509.RegisteredID(x509.OID_BASIC_CONSTRAINTS)
1105 assert gn != gn2
1106 assert gn != object()
1107
1108
1109class TestIPAddress(object):
1110 def test_not_ipaddress(self):
1111 with pytest.raises(TypeError):
1112 x509.IPAddress(b"notanipaddress")
1113
1114 with pytest.raises(TypeError):
1115 x509.IPAddress(1.3)
1116
1117 def test_repr(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1118 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1119 assert repr(gn) == "<IPAddress(value=127.0.0.1)>"
1120
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1121 gn2 = x509.IPAddress(ipaddress.IPv6Address(u"ff::"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1122 assert repr(gn2) == "<IPAddress(value=ff::)>"
1123
1124 def test_eq(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1125 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1126 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1127 assert gn == gn2
1128
1129 def test_ne(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1130 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1131 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.2"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1132 assert gn != gn2
1133 assert gn != object()
1134
1135
1136class TestSubjectAlternativeName(object):
1137 def test_get_values_for_type(self):
1138 san = x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1139 [x509.DNSName(u"cryptography.io")]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1140 )
1141 names = san.get_values_for_type(x509.DNSName)
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1142 assert names == [u"cryptography.io"]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1143
1144 def test_iter_names(self):
1145 san = x509.SubjectAlternativeName([
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1146 x509.DNSName(u"cryptography.io"),
1147 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1148 ])
1149 assert len(san) == 2
1150 assert list(san) == [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1151 x509.DNSName(u"cryptography.io"),
1152 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1153 ]
1154
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1155 def test_invalid_general_names(self):
1156 with pytest.raises(TypeError):
1157 x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1158 [x509.DNSName(u"cryptography.io"), "invalid"]
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1159 )
1160
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1161 def test_repr(self):
1162 san = x509.SubjectAlternativeName(
1163 [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1164 x509.DNSName(u"cryptography.io")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1165 ]
1166 )
1167 assert repr(san) == (
1168 "<SubjectAlternativeName([<DNSName(value=cryptography.io)>])>"
1169 )
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1170
Paul Kehrer58cc3972015-05-13 10:00:41 -0500[diff] [blame]1171 def test_eq(self):
1172 san = x509.SubjectAlternativeName(
1173 [x509.DNSName(u"cryptography.io")]
1174 )
1175 san2 = x509.SubjectAlternativeName(
1176 [x509.DNSName(u"cryptography.io")]
1177 )
1178 assert san == san2
1179
1180 def test_ne(self):
1181 san = x509.SubjectAlternativeName(
1182 [x509.DNSName(u"cryptography.io")]
1183 )
1184 san2 = x509.SubjectAlternativeName(
1185 [x509.RFC822Name(u"admin@cryptography.io")]
1186 )
1187 assert san != san2
1188 assert san != object()
1189
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1190
1191@pytest.mark.requires_backend_interface(interface=RSABackend)
1192@pytest.mark.requires_backend_interface(interface=X509Backend)
1193class TestRSASubjectAlternativeNameExtension(object):
1194 def test_dns_name(self, backend):
1195 cert = _load_cert(
1196 os.path.join("x509", "cryptography.io.pem"),
1197 x509.load_pem_x509_certificate,
1198 backend
1199 )
1200 ext = cert.extensions.get_extension_for_oid(
1201 x509.OID_SUBJECT_ALTERNATIVE_NAME
1202 )
1203 assert ext is not None
1204 assert ext.critical is False
1205
1206 san = ext.value
1207
1208 dns = san.get_values_for_type(x509.DNSName)
1209 assert dns == [u"www.cryptography.io", u"cryptography.io"]
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1210
1211 def test_unsupported_other_name(self, backend):
1212 cert = _load_cert(
1213 os.path.join(
1214 "x509", "custom", "san_other_name.pem"
1215 ),
1216 x509.load_pem_x509_certificate,
1217 backend
1218 )
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1219 with pytest.raises(x509.UnsupportedGeneralNameType) as exc:
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1220 cert.extensions
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1221
Paul Kehrer0a621bf2015-04-22 09:22:56 -0500[diff] [blame]1222 assert exc.value.type == 0
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1223
1224 def test_registered_id(self, backend):
1225 cert = _load_cert(
1226 os.path.join(
1227 "x509", "custom", "san_registered_id.pem"
1228 ),
1229 x509.load_pem_x509_certificate,
1230 backend
1231 )
1232 ext = cert.extensions.get_extension_for_oid(
1233 x509.OID_SUBJECT_ALTERNATIVE_NAME
1234 )
1235 assert ext is not None
1236 assert ext.critical is False
1237
1238 san = ext.value
1239 rid = san.get_values_for_type(x509.RegisteredID)
1240 assert rid == [x509.ObjectIdentifier("1.2.3.4")]
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1241
1242 def test_uri(self, backend):
1243 cert = _load_cert(
1244 os.path.join(
1245 "x509", "custom", "san_uri_with_port.pem"
1246 ),
1247 x509.load_pem_x509_certificate,
1248 backend
1249 )
1250 ext = cert.extensions.get_extension_for_oid(
1251 x509.OID_SUBJECT_ALTERNATIVE_NAME
1252 )
1253 assert ext is not None
1254 uri = ext.value.get_values_for_type(
1255 x509.UniformResourceIdentifier
1256 )
1257 assert uri == [
1258 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/path?q=s#hel"
1259 u"lo",
1260 u"http://someregulardomain.com",
1261 ]
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1262
1263 def test_ipaddress(self, backend):
1264 cert = _load_cert(
1265 os.path.join(
1266 "x509", "custom", "san_ipaddr.pem"
1267 ),
1268 x509.load_pem_x509_certificate,
1269 backend
1270 )
1271 ext = cert.extensions.get_extension_for_oid(
1272 x509.OID_SUBJECT_ALTERNATIVE_NAME
1273 )
1274 assert ext is not None
1275 assert ext.critical is False
1276
1277 san = ext.value
1278
1279 ip = san.get_values_for_type(x509.IPAddress)
1280 assert [
1281 ipaddress.ip_address(u"127.0.0.1"),
1282 ipaddress.ip_address(u"ff::")
1283 ] == ip
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1284
1285 def test_dirname(self, backend):
1286 cert = _load_cert(
1287 os.path.join(
1288 "x509", "custom", "san_dirname.pem"
1289 ),
1290 x509.load_pem_x509_certificate,
1291 backend
1292 )
1293 ext = cert.extensions.get_extension_for_oid(
1294 x509.OID_SUBJECT_ALTERNATIVE_NAME
1295 )
1296 assert ext is not None
1297 assert ext.critical is False
1298
1299 san = ext.value
1300
1301 dirname = san.get_values_for_type(x509.DirectoryName)
1302 assert [
1303 x509.Name([
1304 x509.NameAttribute(x509.OID_COMMON_NAME, 'test'),
1305 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, 'Org'),
1306 x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'),
1307 ])
1308 ] == dirname
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1309
1310 def test_rfc822name(self, backend):
1311 cert = _load_cert(
1312 os.path.join(
1313 "x509", "custom", "san_rfc822_idna.pem"
1314 ),
1315 x509.load_pem_x509_certificate,
1316 backend
1317 )
1318 ext = cert.extensions.get_extension_for_oid(
1319 x509.OID_SUBJECT_ALTERNATIVE_NAME
1320 )
1321 assert ext is not None
1322 assert ext.critical is False
1323
1324 san = ext.value
1325
1326 rfc822name = san.get_values_for_type(x509.RFC822Name)
1327 assert [u"email@em\xe5\xefl.com"] == rfc822name
1328
1329 def test_unicode_rfc822_name_dns_name_uri(self, backend):
1330 cert = _load_cert(
1331 os.path.join(
1332 "x509", "custom", "san_idna_names.pem"
1333 ),
1334 x509.load_pem_x509_certificate,
1335 backend
1336 )
1337 ext = cert.extensions.get_extension_for_oid(
1338 x509.OID_SUBJECT_ALTERNATIVE_NAME
1339 )
1340 assert ext is not None
1341 rfc822_name = ext.value.get_values_for_type(x509.RFC822Name)
1342 dns_name = ext.value.get_values_for_type(x509.DNSName)
1343 uri = ext.value.get_values_for_type(x509.UniformResourceIdentifier)
1344 assert rfc822_name == [u"email@\u043f\u044b\u043a\u0430.cryptography"]
1345 assert dns_name == [u"\u043f\u044b\u043a\u0430.cryptography"]
1346 assert uri == [u"https://www.\u043f\u044b\u043a\u0430.cryptography"]
1347
1348 def test_rfc822name_dnsname_ipaddress_directoryname_uri(self, backend):
1349 cert = _load_cert(
1350 os.path.join(
1351 "x509", "custom", "san_email_dns_ip_dirname_uri.pem"
1352 ),
1353 x509.load_pem_x509_certificate,
1354 backend
1355 )
1356 ext = cert.extensions.get_extension_for_oid(
1357 x509.OID_SUBJECT_ALTERNATIVE_NAME
1358 )
1359 assert ext is not None
1360 assert ext.critical is False
1361
1362 san = ext.value
1363
1364 rfc822_name = san.get_values_for_type(x509.RFC822Name)
1365 uri = san.get_values_for_type(x509.UniformResourceIdentifier)
1366 dns = san.get_values_for_type(x509.DNSName)
1367 ip = san.get_values_for_type(x509.IPAddress)
1368 dirname = san.get_values_for_type(x509.DirectoryName)
1369 assert [u"user@cryptography.io"] == rfc822_name
Paul Kehrere3a330c2015-05-02 16:42:52 -0500[diff] [blame]1370 assert [u"https://cryptography.io"] == uri
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1371 assert [u"cryptography.io"] == dns
1372 assert [
1373 x509.Name([
1374 x509.NameAttribute(x509.OID_COMMON_NAME, 'dirCN'),
1375 x509.NameAttribute(
1376 x509.OID_ORGANIZATION_NAME, 'Cryptographic Authority'
1377 ),
1378 ])
1379 ] == dirname
1380 assert [
1381 ipaddress.ip_address(u"127.0.0.1"),
1382 ipaddress.ip_address(u"ff::")
1383 ] == ip
1384
1385 def test_invalid_rfc822name(self, backend):
1386 cert = _load_cert(
1387 os.path.join(
1388 "x509", "custom", "san_rfc822_names.pem"
1389 ),
1390 x509.load_pem_x509_certificate,
1391 backend
1392 )
1393 with pytest.raises(ValueError) as exc:
1394 cert.extensions
1395
1396 assert 'Invalid rfc822name value' in str(exc.value)
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]1397
1398
1399@pytest.mark.requires_backend_interface(interface=RSABackend)
1400@pytest.mark.requires_backend_interface(interface=X509Backend)
1401class TestExtendedKeyUsageExtension(object):
1402 def test_eku(self, backend):
1403 cert = _load_cert(
1404 os.path.join(
1405 "x509", "custom", "extended_key_usage.pem"
1406 ),
1407 x509.load_pem_x509_certificate,
1408 backend
1409 )
1410 ext = cert.extensions.get_extension_for_oid(
1411 x509.OID_EXTENDED_KEY_USAGE
1412 )
1413 assert ext is not None
1414 assert ext.critical is False
1415
1416 assert [
1417 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
1418 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
1419 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.3"),
1420 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.4"),
1421 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.9"),
1422 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.8"),
1423 x509.ObjectIdentifier("2.5.29.37.0"),
1424 x509.ObjectIdentifier("2.16.840.1.113730.4.1"),
1425 ] == list(ext.value)
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1426
1427
1428class TestAccessDescription(object):
1429 def test_invalid_access_method(self):
Paul Kehrerf506bca2015-05-02 22:31:47 -0500[diff] [blame]1430 with pytest.raises(ValueError):
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1431 x509.AccessDescription("notanoid", x509.DNSName(u"test"))
1432
1433 def test_invalid_access_location(self):
1434 with pytest.raises(TypeError):
1435 x509.AccessDescription(x509.OID_CA_ISSUERS, "invalid")
1436
1437 def test_repr(self):
1438 ad = x509.AccessDescription(
1439 x509.OID_OCSP,
1440 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1441 )
1442 assert repr(ad) == (
1443 "<AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5."
1444 "5.7.48.1, name=OCSP)>, access_location=<UniformResourceIdentifier"
1445 "(value=http://ocsp.domain.com)>)>"
1446 )
1447
1448 def test_eq(self):
1449 ad = x509.AccessDescription(
1450 x509.OID_OCSP,
1451 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1452 )
1453 ad2 = x509.AccessDescription(
1454 x509.OID_OCSP,
1455 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1456 )
1457 assert ad == ad2
1458
1459 def test_ne(self):
1460 ad = x509.AccessDescription(
1461 x509.OID_OCSP,
1462 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1463 )
1464 ad2 = x509.AccessDescription(
1465 x509.OID_CA_ISSUERS,
1466 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1467 )
1468 ad3 = x509.AccessDescription(
1469 x509.OID_OCSP,
1470 x509.UniformResourceIdentifier(u"http://notthesame")
1471 )
1472 assert ad != ad2
1473 assert ad != ad3
1474 assert ad != object()
1475
1476
1477class TestAuthorityInformationAccess(object):
1478 def test_invalid_descriptions(self):
1479 with pytest.raises(TypeError):
1480 x509.AuthorityInformationAccess(["notanAccessDescription"])
1481
1482 def test_iter_len(self):
1483 aia = x509.AuthorityInformationAccess([
1484 x509.AccessDescription(
1485 x509.OID_OCSP,
1486 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1487 ),
1488 x509.AccessDescription(
1489 x509.OID_CA_ISSUERS,
1490 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1491 )
1492 ])
1493 assert len(aia) == 2
1494 assert list(aia) == [
1495 x509.AccessDescription(
1496 x509.OID_OCSP,
1497 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1498 ),
1499 x509.AccessDescription(
1500 x509.OID_CA_ISSUERS,
1501 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1502 )
1503 ]
1504
1505 def test_repr(self):
1506 aia = x509.AuthorityInformationAccess([
1507 x509.AccessDescription(
1508 x509.OID_OCSP,
1509 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1510 ),
1511 x509.AccessDescription(
1512 x509.OID_CA_ISSUERS,
1513 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1514 )
1515 ])
1516 assert repr(aia) == (
1517 "<AuthorityInformationAccess([<AccessDescription(access_method=<Ob"
1518 "jectIdentifier(oid=1.3.6.1.5.5.7.48.1, name=OCSP)>, access_locati"
1519 "on=<UniformResourceIdentifier(value=http://ocsp.domain.com)>)>, <"
1520 "AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5.5"
1521 ".7.48.2, name=caIssuers)>, access_location=<UniformResourceIdenti"
1522 "fier(value=http://domain.com/ca.crt)>)>])>"
1523 )
1524
1525 def test_eq(self):
1526 aia = x509.AuthorityInformationAccess([
1527 x509.AccessDescription(
1528 x509.OID_OCSP,
1529 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1530 ),
1531 x509.AccessDescription(
1532 x509.OID_CA_ISSUERS,
1533 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1534 )
1535 ])
1536 aia2 = x509.AuthorityInformationAccess([
1537 x509.AccessDescription(
1538 x509.OID_OCSP,
1539 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1540 ),
1541 x509.AccessDescription(
1542 x509.OID_CA_ISSUERS,
1543 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1544 )
1545 ])
1546 assert aia == aia2
1547
1548 def test_ne(self):
1549 aia = x509.AuthorityInformationAccess([
1550 x509.AccessDescription(
1551 x509.OID_OCSP,
1552 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1553 ),
1554 x509.AccessDescription(
1555 x509.OID_CA_ISSUERS,
1556 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1557 )
1558 ])
1559 aia2 = x509.AuthorityInformationAccess([
1560 x509.AccessDescription(
1561 x509.OID_OCSP,
1562 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1563 ),
1564 ])
1565
1566 assert aia != aia2
1567 assert aia != object()
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]1568
1569
1570@pytest.mark.requires_backend_interface(interface=RSABackend)
1571@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]1572class TestAuthorityInformationAccessExtension(object):
1573 def test_aia_ocsp_ca_issuers(self, backend):
1574 cert = _load_cert(
1575 os.path.join("x509", "cryptography.io.pem"),
1576 x509.load_pem_x509_certificate,
1577 backend
1578 )
1579 ext = cert.extensions.get_extension_for_oid(
1580 x509.OID_AUTHORITY_INFORMATION_ACCESS
1581 )
1582 assert ext is not None
1583 assert ext.critical is False
1584
1585 assert ext.value == x509.AuthorityInformationAccess([
1586 x509.AccessDescription(
1587 x509.OID_OCSP,
1588 x509.UniformResourceIdentifier(u"http://gv.symcd.com")
1589 ),
1590 x509.AccessDescription(
1591 x509.OID_CA_ISSUERS,
1592 x509.UniformResourceIdentifier(u"http://gv.symcb.com/gv.crt")
1593 ),
1594 ])
1595
1596 def test_aia_multiple_ocsp_ca_issuers(self, backend):
1597 cert = _load_cert(
1598 os.path.join("x509", "custom", "aia_ocsp_ca_issuers.pem"),
1599 x509.load_pem_x509_certificate,
1600 backend
1601 )
1602 ext = cert.extensions.get_extension_for_oid(
1603 x509.OID_AUTHORITY_INFORMATION_ACCESS
1604 )
1605 assert ext is not None
1606 assert ext.critical is False
1607
1608 assert ext.value == x509.AuthorityInformationAccess([
1609 x509.AccessDescription(
1610 x509.OID_OCSP,
1611 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1612 ),
1613 x509.AccessDescription(
1614 x509.OID_OCSP,
1615 x509.UniformResourceIdentifier(u"http://ocsp2.domain.com")
1616 ),
1617 x509.AccessDescription(
1618 x509.OID_CA_ISSUERS,
1619 x509.DirectoryName(x509.Name([
1620 x509.NameAttribute(x509.OID_COMMON_NAME, "myCN"),
1621 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, "some Org"),
1622 ]))
1623 ),
1624 ])
1625
1626 def test_aia_ocsp_only(self, backend):
1627 cert = _load_cert(
1628 os.path.join("x509", "custom", "aia_ocsp.pem"),
1629 x509.load_pem_x509_certificate,
1630 backend
1631 )
1632 ext = cert.extensions.get_extension_for_oid(
1633 x509.OID_AUTHORITY_INFORMATION_ACCESS
1634 )
1635 assert ext is not None
1636 assert ext.critical is False
1637
1638 assert ext.value == x509.AuthorityInformationAccess([
1639 x509.AccessDescription(
1640 x509.OID_OCSP,
1641 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1642 ),
1643 ])
1644
1645 def test_aia_ca_issuers_only(self, backend):
1646 cert = _load_cert(
1647 os.path.join("x509", "custom", "aia_ca_issuers.pem"),
1648 x509.load_pem_x509_certificate,
1649 backend
1650 )
1651 ext = cert.extensions.get_extension_for_oid(
1652 x509.OID_AUTHORITY_INFORMATION_ACCESS
1653 )
1654 assert ext is not None
1655 assert ext.critical is False
1656
1657 assert ext.value == x509.AuthorityInformationAccess([
1658 x509.AccessDescription(
1659 x509.OID_CA_ISSUERS,
1660 x509.DirectoryName(x509.Name([
1661 x509.NameAttribute(x509.OID_COMMON_NAME, "myCN"),
1662 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, "some Org"),
1663 ]))
1664 ),
1665 ])
1666
1667
1668@pytest.mark.requires_backend_interface(interface=RSABackend)
1669@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]1670class TestAuthorityKeyIdentifierExtension(object):
1671 def test_aki_keyid(self, backend):
1672 cert = _load_cert(
1673 os.path.join(
1674 "x509", "cryptography.io.pem"
1675 ),
1676 x509.load_pem_x509_certificate,
1677 backend
1678 )
1679 ext = cert.extensions.get_extension_for_oid(
1680 x509.OID_AUTHORITY_KEY_IDENTIFIER
1681 )
1682 assert ext is not None
1683 assert ext.critical is False
1684
1685 assert ext.value.key_identifier == (
1686 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08\xcbY"
1687 )
1688 assert ext.value.authority_cert_issuer is None
1689 assert ext.value.authority_cert_serial_number is None
1690
1691 def test_aki_all_fields(self, backend):
1692 cert = _load_cert(
1693 os.path.join(
1694 "x509", "custom", "authority_key_identifier.pem"
1695 ),
1696 x509.load_pem_x509_certificate,
1697 backend
1698 )
1699 ext = cert.extensions.get_extension_for_oid(
1700 x509.OID_AUTHORITY_KEY_IDENTIFIER
1701 )
1702 assert ext is not None
1703 assert ext.critical is False
1704
1705 assert ext.value.key_identifier == (
1706 b"9E>\xca=b\x1d\xea\x86I\xf6Z\xab@\xb7\xa4p\x98\xf1\xec"
1707 )
1708 assert ext.value.authority_cert_issuer == [
1709 x509.DirectoryName(
1710 x509.Name([
1711 x509.NameAttribute(
1712 x509.OID_ORGANIZATION_NAME, u"PyCA"
1713 ),
1714 x509.NameAttribute(
1715 x509.OID_COMMON_NAME, u"cryptography.io"
1716 )
1717 ])
1718 )
1719 ]
1720 assert ext.value.authority_cert_serial_number == 3
1721
1722 def test_aki_no_keyid(self, backend):
1723 cert = _load_cert(
1724 os.path.join(
1725 "x509", "custom", "authority_key_identifier_no_keyid.pem"
1726 ),
1727 x509.load_pem_x509_certificate,
1728 backend
1729 )
1730 ext = cert.extensions.get_extension_for_oid(
1731 x509.OID_AUTHORITY_KEY_IDENTIFIER
1732 )
1733 assert ext is not None
1734 assert ext.critical is False
1735
1736 assert ext.value.key_identifier is None
1737 assert ext.value.authority_cert_issuer == [
1738 x509.DirectoryName(
1739 x509.Name([
1740 x509.NameAttribute(
1741 x509.OID_ORGANIZATION_NAME, u"PyCA"
1742 ),
1743 x509.NameAttribute(
1744 x509.OID_COMMON_NAME, u"cryptography.io"
1745 )
1746 ])
1747 )
1748 ]
1749 assert ext.value.authority_cert_serial_number == 3
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1750
1751
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1752class TestDistributionPoint(object):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1753 def test_distribution_point_full_name_not_general_names(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1754 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1755 x509.DistributionPoint(["notgn"], None, None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1756
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1757 def test_distribution_point_relative_name_not_name(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1758 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1759 x509.DistributionPoint(None, "notname", None, None)
1760
1761 def test_distribution_point_full_and_relative_not_none(self):
1762 with pytest.raises(ValueError):
1763 x509.DistributionPoint("data", "notname", None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1764
1765 def test_crl_issuer_not_general_names(self):
1766 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1767 x509.DistributionPoint(None, None, None, ["notgn"])
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1768
1769 def test_reason_not_reasonflags(self):
1770 with pytest.raises(TypeError):
1771 x509.DistributionPoint(
1772 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1773 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1774 frozenset(["notreasonflags"]),
1775 None
1776 )
1777
1778 def test_reason_not_frozenset(self):
1779 with pytest.raises(TypeError):
1780 x509.DistributionPoint(
1781 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
1782 None,
1783 [x509.ReasonFlags.ca_compromise],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1784 None
1785 )
1786
1787 def test_disallowed_reasons(self):
1788 with pytest.raises(ValueError):
1789 x509.DistributionPoint(
1790 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
1791 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1792 frozenset([x509.ReasonFlags.unspecified]),
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1793 None
1794 )
1795
1796 with pytest.raises(ValueError):
1797 x509.DistributionPoint(
1798 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
1799 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1800 frozenset([x509.ReasonFlags.remove_from_crl]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1801 None
1802 )
1803
1804 def test_reason_only(self):
1805 with pytest.raises(ValueError):
1806 x509.DistributionPoint(
1807 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1808 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1809 frozenset([x509.ReasonFlags.aa_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1810 None
1811 )
1812
1813 def test_eq(self):
1814 dp = x509.DistributionPoint(
1815 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1816 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1817 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1818 [
1819 x509.DirectoryName(
1820 x509.Name([
1821 x509.NameAttribute(
1822 x509.OID_COMMON_NAME, "Important CA"
1823 )
1824 ])
1825 )
1826 ],
1827 )
1828 dp2 = x509.DistributionPoint(
1829 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1830 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1831 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1832 [
1833 x509.DirectoryName(
1834 x509.Name([
1835 x509.NameAttribute(
1836 x509.OID_COMMON_NAME, "Important CA"
1837 )
1838 ])
1839 )
1840 ],
1841 )
1842 assert dp == dp2
1843
1844 def test_ne(self):
1845 dp = x509.DistributionPoint(
1846 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1847 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1848 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1849 [
1850 x509.DirectoryName(
1851 x509.Name([
1852 x509.NameAttribute(
1853 x509.OID_COMMON_NAME, "Important CA"
1854 )
1855 ])
1856 )
1857 ],
1858 )
1859 dp2 = x509.DistributionPoint(
1860 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
1861 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1862 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1863 None
1864 )
1865 assert dp != dp2
1866 assert dp != object()
1867
1868 def test_repr(self):
1869 dp = x509.DistributionPoint(
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1870 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1871 x509.Name([
1872 x509.NameAttribute(x509.OID_COMMON_NAME, "myCN")
1873 ]),
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]1874 frozenset([x509.ReasonFlags.ca_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1875 [
1876 x509.DirectoryName(
1877 x509.Name([
1878 x509.NameAttribute(
1879 x509.OID_COMMON_NAME, "Important CA"
1880 )
1881 ])
1882 )
1883 ],
1884 )
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]1885 if six.PY3:
1886 assert repr(dp) == (
1887 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
1888 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
1889 ">, value='myCN')>])>, reasons=frozenset({<ReasonFlags.ca_comp"
1890 "romise: 'cACompromise'>}), crl_issuer=[<DirectoryName(value=<"
1891 "Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name="
1892 "commonName)>, value='Important CA')>])>)>])>"
1893 )
1894 else:
1895 assert repr(dp) == (
1896 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
1897 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
1898 ">, value='myCN')>])>, reasons=frozenset([<ReasonFlags.ca_comp"
1899 "romise: 'cACompromise'>]), crl_issuer=[<DirectoryName(value=<"
1900 "Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name="
1901 "commonName)>, value='Important CA')>])>)>])>"
1902 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1903
1904
1905class TestCRLDistributionPoints(object):
1906 def test_invalid_distribution_points(self):
1907 with pytest.raises(TypeError):
1908 x509.CRLDistributionPoints(["notadistributionpoint"])
1909
1910 def test_iter_len(self):
1911 cdp = x509.CRLDistributionPoints([
1912 x509.DistributionPoint(
1913 [x509.UniformResourceIdentifier(u"http://domain")],
1914 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1915 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1916 None
1917 ),
1918 x509.DistributionPoint(
1919 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1920 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1921 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1922 x509.ReasonFlags.key_compromise,
1923 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1924 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1925 None
1926 ),
1927 ])
1928 assert len(cdp) == 2
1929 assert list(cdp) == [
1930 x509.DistributionPoint(
1931 [x509.UniformResourceIdentifier(u"http://domain")],
1932 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1933 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1934 None
1935 ),
1936 x509.DistributionPoint(
1937 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1938 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1939 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1940 x509.ReasonFlags.key_compromise,
1941 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1942 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1943 None
1944 ),
1945 ]
1946
1947 def test_repr(self):
1948 cdp = x509.CRLDistributionPoints([
1949 x509.DistributionPoint(
1950 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1951 None,
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]1952 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1953 None
1954 ),
1955 ])
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]1956 if six.PY3:
1957 assert repr(cdp) == (
1958 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
1959 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
1960 "ne, reasons=frozenset({<ReasonFlags.key_compromise: 'keyComp"
1961 "romise'>}), crl_issuer=None)>])>"
1962 )
1963 else:
1964 assert repr(cdp) == (
1965 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
1966 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
1967 "ne, reasons=frozenset([<ReasonFlags.key_compromise: 'keyComp"
1968 "romise'>]), crl_issuer=None)>])>"
1969 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1970
1971 def test_eq(self):
1972 cdp = x509.CRLDistributionPoints([
1973 x509.DistributionPoint(
1974 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1975 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1976 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1977 x509.ReasonFlags.key_compromise,
1978 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1979 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1980 [x509.UniformResourceIdentifier(u"uri://thing")],
1981 ),
1982 ])
1983 cdp2 = x509.CRLDistributionPoints([
1984 x509.DistributionPoint(
1985 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1986 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1987 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]1988 x509.ReasonFlags.key_compromise,
1989 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]1990 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]1991 [x509.UniformResourceIdentifier(u"uri://thing")],
1992 ),
1993 ])
1994 assert cdp == cdp2
1995
1996 def test_ne(self):
1997 cdp = x509.CRLDistributionPoints([
1998 x509.DistributionPoint(
1999 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2000 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2001 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2002 x509.ReasonFlags.key_compromise,
2003 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2004 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2005 [x509.UniformResourceIdentifier(u"uri://thing")],
2006 ),
2007 ])
2008 cdp2 = x509.CRLDistributionPoints([
2009 x509.DistributionPoint(
2010 [x509.UniformResourceIdentifier(u"ftp://domain2")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2011 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2012 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2013 x509.ReasonFlags.key_compromise,
2014 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2015 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2016 [x509.UniformResourceIdentifier(u"uri://thing")],
2017 ),
2018 ])
2019 cdp3 = x509.CRLDistributionPoints([
2020 x509.DistributionPoint(
2021 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2022 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2023 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2024 [x509.UniformResourceIdentifier(u"uri://thing")],
2025 ),
2026 ])
2027 cdp4 = x509.CRLDistributionPoints([
2028 x509.DistributionPoint(
2029 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2030 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2031 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2032 x509.ReasonFlags.key_compromise,
2033 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2034 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2035 [x509.UniformResourceIdentifier(u"uri://thing2")],
2036 ),
2037 ])
2038 assert cdp != cdp2
2039 assert cdp != cdp3
2040 assert cdp != cdp4
2041 assert cdp != object()
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2042
2043
2044@pytest.mark.requires_backend_interface(interface=RSABackend)
2045@pytest.mark.requires_backend_interface(interface=X509Backend)
2046class TestCRLDistributionPointsExtension(object):
2047 def test_fullname_and_crl_issuer(self, backend):
2048 cert = _load_cert(
2049 os.path.join(
2050 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest28EE.crt"
2051 ),
2052 x509.load_der_x509_certificate,
2053 backend
2054 )
2055
2056 cdps = cert.extensions.get_extension_for_oid(
2057 x509.OID_CRL_DISTRIBUTION_POINTS
2058 ).value
2059
2060 assert cdps == x509.CRLDistributionPoints([
2061 x509.DistributionPoint(
2062 full_name=[x509.DirectoryName(
2063 x509.Name([
2064 x509.NameAttribute(x509.OID_COUNTRY_NAME, "US"),
2065 x509.NameAttribute(
2066 x509.OID_ORGANIZATION_NAME,
2067 "Test Certificates 2011"
2068 ),
2069 x509.NameAttribute(
2070 x509.OID_ORGANIZATIONAL_UNIT_NAME,
2071 "indirectCRL CA3 cRLIssuer"
2072 ),
2073 x509.NameAttribute(
2074 x509.OID_COMMON_NAME,
2075 "indirect CRL for indirectCRL CA3"
2076 ),
2077 ])
2078 )],
2079 relative_name=None,
2080 reasons=None,
2081 crl_issuer=[x509.DirectoryName(
2082 x509.Name([
2083 x509.NameAttribute(x509.OID_COUNTRY_NAME, "US"),
2084 x509.NameAttribute(
2085 x509.OID_ORGANIZATION_NAME,
2086 "Test Certificates 2011"
2087 ),
2088 x509.NameAttribute(
2089 x509.OID_ORGANIZATIONAL_UNIT_NAME,
2090 "indirectCRL CA3 cRLIssuer"
2091 ),
2092 ])
2093 )],
2094 )
2095 ])
2096
2097 def test_relativename_and_crl_issuer(self, backend):
2098 cert = _load_cert(
2099 os.path.join(
2100 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest29EE.crt"
2101 ),
2102 x509.load_der_x509_certificate,
2103 backend
2104 )
2105
2106 cdps = cert.extensions.get_extension_for_oid(
2107 x509.OID_CRL_DISTRIBUTION_POINTS
2108 ).value
2109
2110 assert cdps == x509.CRLDistributionPoints([
2111 x509.DistributionPoint(
2112 full_name=None,
2113 relative_name=x509.Name([
2114 x509.NameAttribute(
2115 x509.OID_COMMON_NAME,
2116 "indirect CRL for indirectCRL CA3"
2117 ),
2118 ]),
2119 reasons=None,
2120 crl_issuer=[x509.DirectoryName(
2121 x509.Name([
2122 x509.NameAttribute(x509.OID_COUNTRY_NAME, "US"),
2123 x509.NameAttribute(
2124 x509.OID_ORGANIZATION_NAME,
2125 "Test Certificates 2011"
2126 ),
2127 x509.NameAttribute(
2128 x509.OID_ORGANIZATIONAL_UNIT_NAME,
2129 "indirectCRL CA3 cRLIssuer"
2130 ),
2131 ])
2132 )],
2133 )
2134 ])
2135
2136 def test_fullname_crl_issuer_reasons(self, backend):
2137 cert = _load_cert(
2138 os.path.join(
2139 "x509", "custom", "cdp_fullname_reasons_crl_issuer.pem"
2140 ),
2141 x509.load_pem_x509_certificate,
2142 backend
2143 )
2144
2145 cdps = cert.extensions.get_extension_for_oid(
2146 x509.OID_CRL_DISTRIBUTION_POINTS
2147 ).value
2148
2149 assert cdps == x509.CRLDistributionPoints([
2150 x509.DistributionPoint(
2151 full_name=[x509.UniformResourceIdentifier(
2152 u"http://myhost.com/myca.crl"
2153 )],
2154 relative_name=None,
2155 reasons=frozenset([
2156 x509.ReasonFlags.key_compromise,
2157 x509.ReasonFlags.ca_compromise
2158 ]),
2159 crl_issuer=[x509.DirectoryName(
2160 x509.Name([
2161 x509.NameAttribute(x509.OID_COUNTRY_NAME, "US"),
2162 x509.NameAttribute(
2163 x509.OID_ORGANIZATION_NAME, "PyCA"
2164 ),
2165 x509.NameAttribute(
2166 x509.OID_COMMON_NAME, "cryptography CA"
2167 ),
2168 ])
2169 )],
2170 )
2171 ])
2172
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]2173 def test_all_reasons(self, backend):
2174 cert = _load_cert(
2175 os.path.join(
2176 "x509", "custom", "cdp_all_reasons.pem"
2177 ),
2178 x509.load_pem_x509_certificate,
2179 backend
2180 )
2181
2182 cdps = cert.extensions.get_extension_for_oid(
2183 x509.OID_CRL_DISTRIBUTION_POINTS
2184 ).value
2185
2186 assert cdps == x509.CRLDistributionPoints([
2187 x509.DistributionPoint(
2188 full_name=[x509.UniformResourceIdentifier(
2189 u"http://domain.com/some.crl"
2190 )],
2191 relative_name=None,
2192 reasons=frozenset([
2193 x509.ReasonFlags.key_compromise,
2194 x509.ReasonFlags.ca_compromise,
2195 x509.ReasonFlags.affiliation_changed,
2196 x509.ReasonFlags.superseded,
2197 x509.ReasonFlags.privilege_withdrawn,
2198 x509.ReasonFlags.cessation_of_operation,
2199 x509.ReasonFlags.aa_compromise,
2200 x509.ReasonFlags.certificate_hold,
2201 ]),
2202 crl_issuer=None
2203 )
2204 ])
2205
2206 def test_single_reason(self, backend):
2207 cert = _load_cert(
2208 os.path.join(
2209 "x509", "custom", "cdp_reason_aa_compromise.pem"
2210 ),
2211 x509.load_pem_x509_certificate,
2212 backend
2213 )
2214
2215 cdps = cert.extensions.get_extension_for_oid(
2216 x509.OID_CRL_DISTRIBUTION_POINTS
2217 ).value
2218
2219 assert cdps == x509.CRLDistributionPoints([
2220 x509.DistributionPoint(
2221 full_name=[x509.UniformResourceIdentifier(
2222 u"http://domain.com/some.crl"
2223 )],
2224 relative_name=None,
2225 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
2226 crl_issuer=None
2227 )
2228 ])
2229
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2230 def test_crl_issuer_only(self, backend):
2231 cert = _load_cert(
2232 os.path.join(
2233 "x509", "custom", "cdp_crl_issuer.pem"
2234 ),
2235 x509.load_pem_x509_certificate,
2236 backend
2237 )
2238
2239 cdps = cert.extensions.get_extension_for_oid(
2240 x509.OID_CRL_DISTRIBUTION_POINTS
2241 ).value
2242
2243 assert cdps == x509.CRLDistributionPoints([
2244 x509.DistributionPoint(
2245 full_name=None,
2246 relative_name=None,
2247 reasons=None,
2248 crl_issuer=[x509.DirectoryName(
2249 x509.Name([
2250 x509.NameAttribute(
2251 x509.OID_COMMON_NAME, "cryptography CA"
2252 ),
2253 ])
2254 )],
2255 )
2256 ])