Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / b39af8d7195757b5025417187376b04e387264a1 / . / tests / test_x509_ext.py
blob: 898f9bcf05ea91d233a7131635148d27022c96de [file] [log] [blame]
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]7import binascii
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]8import datetime
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]9import ipaddress
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]10import os
11
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]12import pytest
13
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]14import six
15
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]16from cryptography import x509
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]17from cryptography.hazmat.backends.interfaces import (
18 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
19)
20from cryptography.hazmat.primitives.asymmetric import ec
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]21from cryptography.x509.oid import (
Nick Bastin326fc8e2015-12-12 19:08:12 -0800[diff] [blame]22 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID,
23 NameOID, ObjectIdentifier
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]24)
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]25
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]26from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]27from .test_x509 import _load_cert
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]28
29
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]30class TestExtension(object):
31 def test_not_an_oid(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]32 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]33 with pytest.raises(TypeError):
34 x509.Extension("notanoid", True, bc)
35
36 def test_critical_not_a_bool(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]37 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]38 with pytest.raises(TypeError):
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]39 x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, "notabool", bc)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]40
41 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]42 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]43 ext = x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, True, bc)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]44 assert repr(ext) == (
45 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConst"
46 "raints)>, critical=True, value=<BasicConstraints(ca=False, path"
47 "_length=None)>)>"
48 )
49
Paul Kehrer58e870c2015-05-17 09:15:30 -0700[diff] [blame]50 def test_eq(self):
51 ext1 = x509.Extension(
52 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
53 )
54 ext2 = x509.Extension(
55 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
56 )
57 assert ext1 == ext2
58
59 def test_ne(self):
60 ext1 = x509.Extension(
61 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
62 )
63 ext2 = x509.Extension(
64 x509.ObjectIdentifier('1.2.3.5'), False, 'value'
65 )
66 ext3 = x509.Extension(
67 x509.ObjectIdentifier('1.2.3.4'), True, 'value'
68 )
69 ext4 = x509.Extension(
70 x509.ObjectIdentifier('1.2.3.4'), False, 'value4'
71 )
72 assert ext1 != ext2
73 assert ext1 != ext3
74 assert ext1 != ext4
75 assert ext1 != object()
76
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]77
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]78class TestCertificateIssuer(object):
79 def test_iter_names(self):
80 ci = x509.CertificateIssuer([
81 x509.DNSName(u"cryptography.io"),
82 x509.DNSName(u"crypto.local"),
83 ])
84 assert len(ci) == 2
85 assert list(ci) == [
86 x509.DNSName(u"cryptography.io"),
87 x509.DNSName(u"crypto.local"),
88 ]
89
Paul Kehrer5c999d32015-12-26 17:45:20 -0600[diff] [blame]90 def test_indexing(self):
91 ci = x509.CertificateIssuer([
92 x509.DNSName(u"cryptography.io"),
93 x509.DNSName(u"crypto.local"),
94 x509.DNSName(u"another.local"),
95 x509.RFC822Name(u"email@another.local"),
96 x509.UniformResourceIdentifier(u"http://another.local"),
97 ])
98 assert ci[-1] == ci[4]
99 assert ci[2:6:2] == [ci[2], ci[4]]
100
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]101 def test_eq(self):
102 ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
103 ci2 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
104 assert ci1 == ci2
105
106 def test_ne(self):
107 ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
108 ci2 = x509.CertificateIssuer([x509.DNSName(u"somethingelse.tld")])
109 assert ci1 != ci2
110 assert ci1 != object()
111
112 def test_repr(self):
113 ci = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
114 assert repr(ci) == (
115 "<CertificateIssuer(<GeneralNames([<DNSName(value=cryptography.io"
116 ")>])>)>"
117 )
118
119 def test_get_values_for_type(self):
120 ci = x509.CertificateIssuer(
121 [x509.DNSName(u"cryptography.io")]
122 )
123 names = ci.get_values_for_type(x509.DNSName)
124 assert names == [u"cryptography.io"]
125
126
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]127class TestCRLReason(object):
128 def test_invalid_reason_flags(self):
129 with pytest.raises(TypeError):
130 x509.CRLReason("notareason")
131
132 def test_eq(self):
133 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
134 reason2 = x509.CRLReason(x509.ReasonFlags.unspecified)
135 assert reason1 == reason2
136
137 def test_ne(self):
138 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
139 reason2 = x509.CRLReason(x509.ReasonFlags.ca_compromise)
140 assert reason1 != reason2
141 assert reason1 != object()
142
143 def test_repr(self):
144 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
145 assert repr(reason1) == (
146 "<CRLReason(reason=ReasonFlags.unspecified)>"
147 )
148
149
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]150class TestInvalidityDate(object):
151 def test_invalid_invalidity_date(self):
152 with pytest.raises(TypeError):
153 x509.InvalidityDate("notadate")
154
155 def test_eq(self):
156 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
157 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
158 assert invalid1 == invalid2
159
160 def test_ne(self):
161 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
162 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 2))
163 assert invalid1 != invalid2
164 assert invalid1 != object()
165
166 def test_repr(self):
167 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
168 assert repr(invalid1) == (
169 "<InvalidityDate(invalidity_date=2015-01-01 01:01:00)>"
170 )
171
Paul Kehrer67cde762015-12-26 11:37:14 -0600[diff] [blame]172 def test_hash(self):
173 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
174 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
175 invalid3 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 2))
176 assert hash(invalid1) == hash(invalid2)
177 assert hash(invalid1) != hash(invalid3)
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]178
Paul Kehrerc0297dd2015-12-26 11:37:57 -0600[diff] [blame]179
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]180class TestNoticeReference(object):
181 def test_notice_numbers_not_all_int(self):
182 with pytest.raises(TypeError):
183 x509.NoticeReference("org", [1, 2, "three"])
184
185 def test_notice_numbers_none(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]186 with pytest.raises(TypeError):
187 x509.NoticeReference("org", None)
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]188
189 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]190 nr = x509.NoticeReference(u"org", [1, 3, 4])
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]191
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]192 if six.PY3:
193 assert repr(nr) == (
194 "<NoticeReference(organization='org', notice_numbers=[1, 3, 4"
195 "])>"
196 )
197 else:
198 assert repr(nr) == (
199 "<NoticeReference(organization=u'org', notice_numbers=[1, 3, "
200 "4])>"
201 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]202
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]203 def test_eq(self):
204 nr = x509.NoticeReference("org", [1, 2])
205 nr2 = x509.NoticeReference("org", [1, 2])
206 assert nr == nr2
207
208 def test_ne(self):
209 nr = x509.NoticeReference("org", [1, 2])
210 nr2 = x509.NoticeReference("org", [1])
211 nr3 = x509.NoticeReference(None, [1, 2])
212 assert nr != nr2
213 assert nr != nr3
214 assert nr != object()
215
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]216
217class TestUserNotice(object):
218 def test_notice_reference_invalid(self):
219 with pytest.raises(TypeError):
220 x509.UserNotice("invalid", None)
221
222 def test_notice_reference_none(self):
223 un = x509.UserNotice(None, "text")
224 assert un.notice_reference is None
225 assert un.explicit_text == "text"
226
227 def test_repr(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]228 un = x509.UserNotice(x509.NoticeReference(u"org", [1]), u"text")
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]229 if six.PY3:
230 assert repr(un) == (
231 "<UserNotice(notice_reference=<NoticeReference(organization='"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]232 "org', notice_numbers=[1])>, explicit_text='text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]233 )
234 else:
235 assert repr(un) == (
236 "<UserNotice(notice_reference=<NoticeReference(organization=u"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]237 "'org', notice_numbers=[1])>, explicit_text=u'text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]238 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]239
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]240 def test_eq(self):
241 nr = x509.NoticeReference("org", [1, 2])
242 nr2 = x509.NoticeReference("org", [1, 2])
243 un = x509.UserNotice(nr, "text")
244 un2 = x509.UserNotice(nr2, "text")
245 assert un == un2
246
247 def test_ne(self):
248 nr = x509.NoticeReference("org", [1, 2])
249 nr2 = x509.NoticeReference("org", [1])
250 un = x509.UserNotice(nr, "text")
251 un2 = x509.UserNotice(nr2, "text")
252 un3 = x509.UserNotice(nr, "text3")
253 assert un != un2
254 assert un != un3
255 assert un != object()
256
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]257
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]258class TestPolicyInformation(object):
259 def test_invalid_policy_identifier(self):
260 with pytest.raises(TypeError):
261 x509.PolicyInformation("notanoid", None)
262
263 def test_none_policy_qualifiers(self):
264 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), None)
265 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
266 assert pi.policy_qualifiers is None
267
268 def test_policy_qualifiers(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]269 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]270 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
271 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
272 assert pi.policy_qualifiers == pq
273
274 def test_invalid_policy_identifiers(self):
275 with pytest.raises(TypeError):
276 x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [1, 2])
277
278 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]279 pq = [u"string", x509.UserNotice(None, u"hi")]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]280 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]281 if six.PY3:
282 assert repr(pi) == (
283 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
284 "2.3, name=Unknown OID)>, policy_qualifiers=['string', <UserNo"
Paul Kehrer9aaef9e2015-05-11 10:49:20 -0500[diff] [blame]285 "tice(notice_reference=None, explicit_text='hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]286 )
287 else:
288 assert repr(pi) == (
289 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
290 "2.3, name=Unknown OID)>, policy_qualifiers=[u'string', <UserN"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]291 "otice(notice_reference=None, explicit_text=u'hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]292 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]293
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]294 def test_eq(self):
295 pi = x509.PolicyInformation(
296 x509.ObjectIdentifier("1.2.3"),
297 [u"string", x509.UserNotice(None, u"hi")]
298 )
299 pi2 = x509.PolicyInformation(
300 x509.ObjectIdentifier("1.2.3"),
301 [u"string", x509.UserNotice(None, u"hi")]
302 )
303 assert pi == pi2
304
305 def test_ne(self):
306 pi = x509.PolicyInformation(
307 x509.ObjectIdentifier("1.2.3"), [u"string"]
308 )
309 pi2 = x509.PolicyInformation(
310 x509.ObjectIdentifier("1.2.3"), [u"string2"]
311 )
312 pi3 = x509.PolicyInformation(
313 x509.ObjectIdentifier("1.2.3.4"), [u"string"]
314 )
315 assert pi != pi2
316 assert pi != pi3
317 assert pi != object()
318
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]319
320class TestCertificatePolicies(object):
321 def test_invalid_policies(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]322 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]323 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
324 with pytest.raises(TypeError):
325 x509.CertificatePolicies([1, pi])
326
327 def test_iter_len(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]328 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]329 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
330 cp = x509.CertificatePolicies([pi])
331 assert len(cp) == 1
332 for policyinfo in cp:
333 assert policyinfo == pi
334
335 def test_repr(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]336 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]337 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
338 cp = x509.CertificatePolicies([pi])
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]339 if six.PY3:
340 assert repr(cp) == (
341 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
342 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
343 "ers=['string'])>])>"
344 )
345 else:
346 assert repr(cp) == (
347 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
348 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
349 "ers=[u'string'])>])>"
350 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]351
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]352 def test_eq(self):
353 pi = x509.PolicyInformation(
354 x509.ObjectIdentifier("1.2.3"), [u"string"]
355 )
356 cp = x509.CertificatePolicies([pi])
357 pi2 = x509.PolicyInformation(
358 x509.ObjectIdentifier("1.2.3"), [u"string"]
359 )
360 cp2 = x509.CertificatePolicies([pi2])
361 assert cp == cp2
362
363 def test_ne(self):
364 pi = x509.PolicyInformation(
365 x509.ObjectIdentifier("1.2.3"), [u"string"]
366 )
367 cp = x509.CertificatePolicies([pi])
368 pi2 = x509.PolicyInformation(
369 x509.ObjectIdentifier("1.2.3"), [u"string2"]
370 )
371 cp2 = x509.CertificatePolicies([pi2])
372 assert cp != cp2
373 assert cp != object()
374
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]375
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]376@pytest.mark.requires_backend_interface(interface=RSABackend)
377@pytest.mark.requires_backend_interface(interface=X509Backend)
378class TestCertificatePoliciesExtension(object):
379 def test_cps_uri_policy_qualifier(self, backend):
380 cert = _load_cert(
381 os.path.join("x509", "custom", "cp_cps_uri.pem"),
382 x509.load_pem_x509_certificate,
383 backend
384 )
385
386 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]387 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]388 ).value
389
390 assert cp == x509.CertificatePolicies([
391 x509.PolicyInformation(
392 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
393 [u"http://other.com/cps"]
394 )
395 ])
396
397 def test_user_notice_with_notice_reference(self, backend):
398 cert = _load_cert(
399 os.path.join(
400 "x509", "custom", "cp_user_notice_with_notice_reference.pem"
401 ),
402 x509.load_pem_x509_certificate,
403 backend
404 )
405
406 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]407 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]408 ).value
409
410 assert cp == x509.CertificatePolicies([
411 x509.PolicyInformation(
412 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
413 [
414 u"http://example.com/cps",
415 u"http://other.com/cps",
416 x509.UserNotice(
417 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
418 u"thing"
419 )
420 ]
421 )
422 ])
423
424 def test_user_notice_with_explicit_text(self, backend):
425 cert = _load_cert(
426 os.path.join(
427 "x509", "custom", "cp_user_notice_with_explicit_text.pem"
428 ),
429 x509.load_pem_x509_certificate,
430 backend
431 )
432
433 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]434 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]435 ).value
436
437 assert cp == x509.CertificatePolicies([
438 x509.PolicyInformation(
439 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
440 [x509.UserNotice(None, u"thing")]
441 )
442 ])
443
444 def test_user_notice_no_explicit_text(self, backend):
445 cert = _load_cert(
446 os.path.join(
447 "x509", "custom", "cp_user_notice_no_explicit_text.pem"
448 ),
449 x509.load_pem_x509_certificate,
450 backend
451 )
452
453 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]454 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]455 ).value
456
457 assert cp == x509.CertificatePolicies([
458 x509.PolicyInformation(
459 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
460 [
461 x509.UserNotice(
462 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
463 None
464 )
465 ]
466 )
467 ])
468
469
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]470class TestKeyUsage(object):
471 def test_key_agreement_false_encipher_decipher_true(self):
472 with pytest.raises(ValueError):
473 x509.KeyUsage(
474 digital_signature=False,
475 content_commitment=False,
476 key_encipherment=False,
477 data_encipherment=False,
478 key_agreement=False,
479 key_cert_sign=False,
480 crl_sign=False,
481 encipher_only=True,
482 decipher_only=False
483 )
484
485 with pytest.raises(ValueError):
486 x509.KeyUsage(
487 digital_signature=False,
488 content_commitment=False,
489 key_encipherment=False,
490 data_encipherment=False,
491 key_agreement=False,
492 key_cert_sign=False,
493 crl_sign=False,
494 encipher_only=True,
495 decipher_only=True
496 )
497
498 with pytest.raises(ValueError):
499 x509.KeyUsage(
500 digital_signature=False,
501 content_commitment=False,
502 key_encipherment=False,
503 data_encipherment=False,
504 key_agreement=False,
505 key_cert_sign=False,
506 crl_sign=False,
507 encipher_only=False,
508 decipher_only=True
509 )
510
511 def test_properties_key_agreement_true(self):
512 ku = x509.KeyUsage(
513 digital_signature=True,
514 content_commitment=True,
515 key_encipherment=False,
516 data_encipherment=False,
517 key_agreement=False,
518 key_cert_sign=True,
519 crl_sign=False,
520 encipher_only=False,
521 decipher_only=False
522 )
523 assert ku.digital_signature is True
524 assert ku.content_commitment is True
525 assert ku.key_encipherment is False
526 assert ku.data_encipherment is False
527 assert ku.key_agreement is False
528 assert ku.key_cert_sign is True
529 assert ku.crl_sign is False
530
531 def test_key_agreement_true_properties(self):
532 ku = x509.KeyUsage(
533 digital_signature=False,
534 content_commitment=False,
535 key_encipherment=False,
536 data_encipherment=False,
537 key_agreement=True,
538 key_cert_sign=False,
539 crl_sign=False,
540 encipher_only=False,
541 decipher_only=True
542 )
543 assert ku.key_agreement is True
544 assert ku.encipher_only is False
545 assert ku.decipher_only is True
546
547 def test_key_agreement_false_properties(self):
548 ku = x509.KeyUsage(
549 digital_signature=False,
550 content_commitment=False,
551 key_encipherment=False,
552 data_encipherment=False,
553 key_agreement=False,
554 key_cert_sign=False,
555 crl_sign=False,
556 encipher_only=False,
557 decipher_only=False
558 )
559 assert ku.key_agreement is False
560 with pytest.raises(ValueError):
561 ku.encipher_only
562
563 with pytest.raises(ValueError):
564 ku.decipher_only
565
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]566 def test_repr_key_agreement_false(self):
567 ku = x509.KeyUsage(
568 digital_signature=True,
569 content_commitment=True,
570 key_encipherment=False,
571 data_encipherment=False,
572 key_agreement=False,
573 key_cert_sign=True,
574 crl_sign=False,
575 encipher_only=False,
576 decipher_only=False
577 )
578 assert repr(ku) == (
579 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
580 "cipherment=False, data_encipherment=False, key_agreement=False, k"
Paul Kehrerb372e672015-04-15 11:05:24 -0400[diff] [blame]581 "ey_cert_sign=True, crl_sign=False, encipher_only=None, decipher_o"
582 "nly=None)>"
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]583 )
584
585 def test_repr_key_agreement_true(self):
586 ku = x509.KeyUsage(
587 digital_signature=True,
588 content_commitment=True,
589 key_encipherment=False,
590 data_encipherment=False,
591 key_agreement=True,
592 key_cert_sign=True,
593 crl_sign=False,
594 encipher_only=False,
595 decipher_only=False
596 )
597 assert repr(ku) == (
598 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
599 "cipherment=False, data_encipherment=False, key_agreement=True, k"
600 "ey_cert_sign=True, crl_sign=False, encipher_only=False, decipher_"
601 "only=False)>"
602 )
603
Paul Kehrer8565f5e2015-05-13 09:57:09 -0500[diff] [blame]604 def test_eq(self):
605 ku = x509.KeyUsage(
606 digital_signature=False,
607 content_commitment=False,
608 key_encipherment=False,
609 data_encipherment=False,
610 key_agreement=True,
611 key_cert_sign=False,
612 crl_sign=False,
613 encipher_only=False,
614 decipher_only=True
615 )
616 ku2 = x509.KeyUsage(
617 digital_signature=False,
618 content_commitment=False,
619 key_encipherment=False,
620 data_encipherment=False,
621 key_agreement=True,
622 key_cert_sign=False,
623 crl_sign=False,
624 encipher_only=False,
625 decipher_only=True
626 )
627 assert ku == ku2
628
629 def test_ne(self):
630 ku = x509.KeyUsage(
631 digital_signature=False,
632 content_commitment=False,
633 key_encipherment=False,
634 data_encipherment=False,
635 key_agreement=True,
636 key_cert_sign=False,
637 crl_sign=False,
638 encipher_only=False,
639 decipher_only=True
640 )
641 ku2 = x509.KeyUsage(
642 digital_signature=False,
643 content_commitment=False,
644 key_encipherment=False,
645 data_encipherment=False,
646 key_agreement=False,
647 key_cert_sign=False,
648 crl_sign=False,
649 encipher_only=False,
650 decipher_only=False
651 )
652 assert ku != ku2
653 assert ku != object()
654
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]655
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]656class TestSubjectKeyIdentifier(object):
657 def test_properties(self):
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]658 value = binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]659 ski = x509.SubjectKeyIdentifier(value)
660 assert ski.digest == value
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]661
662 def test_repr(self):
663 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]664 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]665 )
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]666 ext = x509.Extension(ExtensionOID.SUBJECT_KEY_IDENTIFIER, False, ski)
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]667 if six.PY3:
668 assert repr(ext) == (
669 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
670 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
671 "igest=b\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
672 "\\xf7\\xff:\\xc9\')>)>"
673 )
674 else:
675 assert repr(ext) == (
676 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
677 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
678 "igest=\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
679 "\\xf7\\xff:\\xc9\')>)>"
680 )
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]681
682 def test_eq(self):
683 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]684 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]685 )
686 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]687 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]688 )
689 assert ski == ski2
690
691 def test_ne(self):
692 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]693 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]694 )
695 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]696 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]697 )
698 assert ski != ski2
699 assert ski != object()
700
Alex Gaynor410fe352015-12-26 15:01:25 -0500[diff] [blame]701 def test_hash(self):
702 ski1 = x509.SubjectKeyIdentifier(
703 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
704 )
705 ski2 = x509.SubjectKeyIdentifier(
706 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
707 )
708 ski3 = x509.SubjectKeyIdentifier(
709 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
710 )
711
712 assert hash(ski1) == hash(ski2)
713 assert hash(ski1) != hash(ski3)
714
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]715
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]716class TestAuthorityKeyIdentifier(object):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]717 def test_authority_cert_issuer_not_generalname(self):
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]718 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]719 x509.AuthorityKeyIdentifier(b"identifier", ["notname"], 3)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]720
721 def test_authority_cert_serial_number_not_integer(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]722 dirname = x509.DirectoryName(
723 x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]724 x509.NameAttribute(
725 x509.ObjectIdentifier('2.999.1'),
726 u'value1'
727 ),
728 x509.NameAttribute(
729 x509.ObjectIdentifier('2.999.2'),
730 u'value2'
731 ),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]732 ])
733 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]734 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]735 x509.AuthorityKeyIdentifier(b"identifier", [dirname], "notanint")
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]736
737 def test_authority_issuer_none_serial_not_none(self):
738 with pytest.raises(ValueError):
739 x509.AuthorityKeyIdentifier(b"identifier", None, 3)
740
741 def test_authority_issuer_not_none_serial_none(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]742 dirname = x509.DirectoryName(
743 x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]744 x509.NameAttribute(
745 x509.ObjectIdentifier('2.999.1'),
746 u'value1'
747 ),
748 x509.NameAttribute(
749 x509.ObjectIdentifier('2.999.2'),
750 u'value2'
751 ),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]752 ])
753 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]754 with pytest.raises(ValueError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]755 x509.AuthorityKeyIdentifier(b"identifier", [dirname], None)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]756
757 def test_authority_cert_serial_and_issuer_none(self):
758 aki = x509.AuthorityKeyIdentifier(b"id", None, None)
759 assert aki.key_identifier == b"id"
760 assert aki.authority_cert_issuer is None
761 assert aki.authority_cert_serial_number is None
762
763 def test_repr(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]764 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]765 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]766 )
767 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]768
769 if six.PY3:
770 assert repr(aki) == (
771 "<AuthorityKeyIdentifier(key_identifier=b'digest', authority_"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]772 "cert_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid="
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]773 "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value='myC"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]774 "N')>])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]775 )
776 else:
777 assert repr(aki) == (
778 "<AuthorityKeyIdentifier(key_identifier='digest', authority_ce"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]779 "rt_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid=<Ob"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]780 "jectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'myCN')"
781 ">])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]782 )
783
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]784 def test_eq(self):
785 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]786 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]787 )
788 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
789 dirname2 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]790 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]791 )
792 aki2 = x509.AuthorityKeyIdentifier(b"digest", [dirname2], 1234)
793 assert aki == aki2
794
795 def test_ne(self):
796 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]797 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]798 )
799 dirname5 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]800 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'aCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]801 )
802 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
803 aki2 = x509.AuthorityKeyIdentifier(b"diges", [dirname], 1234)
804 aki3 = x509.AuthorityKeyIdentifier(b"digest", None, None)
805 aki4 = x509.AuthorityKeyIdentifier(b"digest", [dirname], 12345)
806 aki5 = x509.AuthorityKeyIdentifier(b"digest", [dirname5], 12345)
807 assert aki != aki2
808 assert aki != aki3
809 assert aki != aki4
810 assert aki != aki5
811 assert aki != object()
812
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]813
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]814class TestBasicConstraints(object):
815 def test_ca_not_boolean(self):
816 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]817 x509.BasicConstraints(ca="notbool", path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]818
819 def test_path_length_not_ca(self):
820 with pytest.raises(ValueError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]821 x509.BasicConstraints(ca=False, path_length=0)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]822
823 def test_path_length_not_int(self):
824 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]825 x509.BasicConstraints(ca=True, path_length=1.1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]826
827 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]828 x509.BasicConstraints(ca=True, path_length="notint")
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]829
830 def test_path_length_negative(self):
831 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]832 x509.BasicConstraints(ca=True, path_length=-1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]833
834 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]835 na = x509.BasicConstraints(ca=True, path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]836 assert repr(na) == (
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]837 "<BasicConstraints(ca=True, path_length=None)>"
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]838 )
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]839
Paul Kehrer2eb69f62015-12-27 11:46:11 -0600[diff] [blame]840 def test_hash(self):
841 na = x509.BasicConstraints(ca=True, path_length=None)
842 na2 = x509.BasicConstraints(ca=True, path_length=None)
Paul Kehrerb39af8d2015-12-27 14:30:19 -0600[diff] [blame^]843 na3 = x509.BasicConstraints(ca=True, path_length=0)
Paul Kehrer2eb69f62015-12-27 11:46:11 -0600[diff] [blame]844 assert hash(na) == hash(na2)
Paul Kehrerb39af8d2015-12-27 14:30:19 -0600[diff] [blame^]845 assert hash(na) != hash(na3)
Paul Kehrer2eb69f62015-12-27 11:46:11 -0600[diff] [blame]846
Paul Kehrer3a69b132015-05-13 10:03:46 -0500[diff] [blame]847 def test_eq(self):
848 na = x509.BasicConstraints(ca=True, path_length=None)
849 na2 = x509.BasicConstraints(ca=True, path_length=None)
850 assert na == na2
851
852 def test_ne(self):
853 na = x509.BasicConstraints(ca=True, path_length=None)
854 na2 = x509.BasicConstraints(ca=True, path_length=1)
855 na3 = x509.BasicConstraints(ca=False, path_length=None)
856 assert na != na2
857 assert na != na3
858 assert na != object()
859
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]860
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]861class TestExtendedKeyUsage(object):
862 def test_not_all_oids(self):
863 with pytest.raises(TypeError):
864 x509.ExtendedKeyUsage(["notoid"])
865
866 def test_iter_len(self):
867 eku = x509.ExtendedKeyUsage([
868 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
869 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
870 ])
871 assert len(eku) == 2
872 assert list(eku) == [
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]873 ExtendedKeyUsageOID.SERVER_AUTH,
874 ExtendedKeyUsageOID.CLIENT_AUTH
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]875 ]
876
Paul Kehrer23d10c32015-04-02 23:12:32 -0500[diff] [blame]877 def test_repr(self):
878 eku = x509.ExtendedKeyUsage([
879 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
880 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
881 ])
882 assert repr(eku) == (
883 "<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name="
884 "serverAuth)>, <ObjectIdentifier(oid=1.3.6.1.5.5.7.3.2, name=clien"
885 "tAuth)>])>"
886 )
887
Paul Kehrerb0476172015-05-02 19:34:51 -0500[diff] [blame]888 def test_eq(self):
889 eku = x509.ExtendedKeyUsage([
890 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
891 ])
892 eku2 = x509.ExtendedKeyUsage([
893 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
894 ])
895 assert eku == eku2
896
897 def test_ne(self):
898 eku = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6")])
899 eku2 = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6.1")])
900 assert eku != eku2
901 assert eku != object()
902
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]903
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]904@pytest.mark.requires_backend_interface(interface=RSABackend)
905@pytest.mark.requires_backend_interface(interface=X509Backend)
906class TestExtensions(object):
907 def test_no_extensions(self, backend):
908 cert = _load_cert(
909 os.path.join("x509", "verisign_md2_root.pem"),
910 x509.load_pem_x509_certificate,
911 backend
912 )
913 ext = cert.extensions
914 assert len(ext) == 0
915 assert list(ext) == []
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]916 with pytest.raises(x509.ExtensionNotFound) as exc:
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]917 ext.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]918
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]919 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]920
921 def test_one_extension(self, backend):
922 cert = _load_cert(
923 os.path.join(
924 "x509", "custom", "basic_constraints_not_critical.pem"
925 ),
926 x509.load_pem_x509_certificate,
927 backend
928 )
929 extensions = cert.extensions
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]930 ext = extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]931 assert ext is not None
932 assert ext.value.ca is False
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]933
934 def test_duplicate_extension(self, backend):
935 cert = _load_cert(
936 os.path.join(
937 "x509", "custom", "two_basic_constraints.pem"
938 ),
939 x509.load_pem_x509_certificate,
940 backend
941 )
942 with pytest.raises(x509.DuplicateExtension) as exc:
943 cert.extensions
944
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]945 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]946
947 def test_unsupported_critical_extension(self, backend):
948 cert = _load_cert(
949 os.path.join(
950 "x509", "custom", "unsupported_extension_critical.pem"
951 ),
952 x509.load_pem_x509_certificate,
953 backend
954 )
955 with pytest.raises(x509.UnsupportedExtension) as exc:
956 cert.extensions
957
958 assert exc.value.oid == x509.ObjectIdentifier("1.2.3.4")
959
960 def test_unsupported_extension(self, backend):
961 # TODO: this will raise an exception when all extensions are complete
962 cert = _load_cert(
963 os.path.join(
964 "x509", "custom", "unsupported_extension.pem"
965 ),
966 x509.load_pem_x509_certificate,
967 backend
968 )
969 extensions = cert.extensions
970 assert len(extensions) == 0
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]971
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]972 def test_no_extensions_get_for_class(self, backend):
973 cert = _load_cert(
974 os.path.join(
Phoebe Queencb5ec4e2015-08-12 15:06:26 +0100[diff] [blame]975 "x509", "cryptography.io.pem"
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]976 ),
977 x509.load_pem_x509_certificate,
978 backend
979 )
Phoebe Queenc93752b2015-08-12 10:54:46 +0100[diff] [blame]980 exts = cert.extensions
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]981 with pytest.raises(x509.ExtensionNotFound) as exc:
Phoebe Queencb5ec4e2015-08-12 15:06:26 +0100[diff] [blame]982 exts.get_extension_for_class(x509.IssuerAlternativeName)
983 assert exc.value.oid == ExtensionOID.ISSUER_ALTERNATIVE_NAME
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]984
Paul Kehrer5b90c972015-12-26 00:52:58 -0600[diff] [blame]985 def test_indexing(self, backend):
986 cert = _load_cert(
987 os.path.join("x509", "cryptography.io.pem"),
988 x509.load_pem_x509_certificate,
989 backend
990 )
991 exts = cert.extensions
992 assert exts[-1] == exts[7]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame]993 assert exts[2:6:2] == [exts[2], exts[4]]
Paul Kehrer5b90c972015-12-26 00:52:58 -0600[diff] [blame]994
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]995 def test_one_extension_get_for_class(self, backend):
996 cert = _load_cert(
Phoebe Queen2cc111a2015-08-12 04:14:22 +0100[diff] [blame]997 os.path.join(
998 "x509", "custom", "basic_constraints_not_critical.pem"
999 ),
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]1000 x509.load_pem_x509_certificate,
1001 backend
1002 )
1003 ext = cert.extensions.get_extension_for_class(x509.BasicConstraints)
1004 assert ext is not None
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]1005 assert isinstance(ext.value, x509.BasicConstraints)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1006
Paul Kehrerafbe75b2015-10-20 08:08:43 -0500[diff] [blame]1007 def test_repr(self, backend):
1008 cert = _load_cert(
1009 os.path.join(
1010 "x509", "custom", "basic_constraints_not_critical.pem"
1011 ),
1012 x509.load_pem_x509_certificate,
1013 backend
1014 )
1015 assert repr(cert.extensions) == (
1016 "<Extensions([<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name"
1017 "=basicConstraints)>, critical=False, value=<BasicConstraints(ca=F"
1018 "alse, path_length=None)>)>])>"
1019 )
1020
Phoebe Queen2cc111a2015-08-12 04:14:22 +0100[diff] [blame]1021
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1022@pytest.mark.requires_backend_interface(interface=RSABackend)
1023@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerde813ea2015-03-28 12:44:34 -0500[diff] [blame]1024class TestBasicConstraintsExtension(object):
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1025 def test_ca_true_pathlen_6(self, backend):
1026 cert = _load_cert(
1027 os.path.join(
1028 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
1029 ),
1030 x509.load_der_x509_certificate,
1031 backend
1032 )
Phoebe Queen062dec72015-08-12 11:42:23 +0100[diff] [blame]1033 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1034 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1035 )
1036 assert ext is not None
1037 assert ext.critical is True
1038 assert ext.value.ca is True
1039 assert ext.value.path_length == 6
1040
1041 def test_path_length_zero(self, backend):
1042 cert = _load_cert(
1043 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
1044 x509.load_pem_x509_certificate,
1045 backend
1046 )
1047 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1048 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1049 )
1050 assert ext is not None
1051 assert ext.critical is True
1052 assert ext.value.ca is True
1053 assert ext.value.path_length == 0
1054
1055 def test_ca_true_no_pathlen(self, backend):
1056 cert = _load_cert(
1057 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1058 x509.load_der_x509_certificate,
1059 backend
1060 )
1061 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1062 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1063 )
1064 assert ext is not None
1065 assert ext.critical is True
1066 assert ext.value.ca is True
1067 assert ext.value.path_length is None
1068
1069 def test_ca_false(self, backend):
1070 cert = _load_cert(
1071 os.path.join("x509", "cryptography.io.pem"),
1072 x509.load_pem_x509_certificate,
1073 backend
1074 )
1075 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1076 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1077 )
1078 assert ext is not None
1079 assert ext.critical is True
1080 assert ext.value.ca is False
1081 assert ext.value.path_length is None
1082
1083 def test_no_basic_constraints(self, backend):
1084 cert = _load_cert(
1085 os.path.join(
1086 "x509",
1087 "PKITS_data",
1088 "certs",
1089 "ValidCertificatePathTest1EE.crt"
1090 ),
1091 x509.load_der_x509_certificate,
1092 backend
1093 )
1094 with pytest.raises(x509.ExtensionNotFound):
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1095 cert.extensions.get_extension_for_oid(
1096 ExtensionOID.BASIC_CONSTRAINTS
1097 )
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1098
1099 def test_basic_constraint_not_critical(self, backend):
1100 cert = _load_cert(
1101 os.path.join(
1102 "x509", "custom", "basic_constraints_not_critical.pem"
1103 ),
1104 x509.load_pem_x509_certificate,
1105 backend
1106 )
1107 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1108 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1109 )
1110 assert ext is not None
1111 assert ext.critical is False
1112 assert ext.value.ca is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1113
1114
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1115class TestSubjectKeyIdentifierExtension(object):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1116 @pytest.mark.requires_backend_interface(interface=RSABackend)
1117 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1118 def test_subject_key_identifier(self, backend):
1119 cert = _load_cert(
1120 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1121 x509.load_der_x509_certificate,
1122 backend
1123 )
1124 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1125 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1126 )
1127 ski = ext.value
1128 assert ext is not None
1129 assert ext.critical is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1130 assert ski.digest == binascii.unhexlify(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]1131 b"580184241bbc2b52944a3da510721451f5af3ac9"
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1132 )
1133
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1134 @pytest.mark.requires_backend_interface(interface=RSABackend)
1135 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1136 def test_no_subject_key_identifier(self, backend):
1137 cert = _load_cert(
1138 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
1139 x509.load_pem_x509_certificate,
1140 backend
1141 )
1142 with pytest.raises(x509.ExtensionNotFound):
1143 cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1144 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1145 )
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1146
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1147 @pytest.mark.requires_backend_interface(interface=RSABackend)
1148 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1149 def test_from_rsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1150 cert = _load_cert(
1151 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1152 x509.load_der_x509_certificate,
1153 backend
1154 )
1155 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1156 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1157 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1158 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1159 cert.public_key()
1160 )
1161 assert ext.value == ski
1162
1163 @pytest.mark.requires_backend_interface(interface=DSABackend)
1164 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1165 def test_from_dsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1166 cert = _load_cert(
1167 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
1168 x509.load_pem_x509_certificate,
1169 backend
1170 )
1171
1172 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1173 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1174 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1175 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1176 cert.public_key()
1177 )
1178 assert ext.value == ski
1179
1180 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1181 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1182 def test_from_ec_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1183 _skip_curve_unsupported(backend, ec.SECP384R1())
1184 cert = _load_cert(
1185 os.path.join("x509", "ecdsa_root.pem"),
1186 x509.load_pem_x509_certificate,
1187 backend
1188 )
1189
1190 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1191 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1192 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1193 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1194 cert.public_key()
1195 )
1196 assert ext.value == ski
1197
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1198
1199@pytest.mark.requires_backend_interface(interface=RSABackend)
1200@pytest.mark.requires_backend_interface(interface=X509Backend)
1201class TestKeyUsageExtension(object):
1202 def test_no_key_usage(self, backend):
1203 cert = _load_cert(
1204 os.path.join("x509", "verisign_md2_root.pem"),
1205 x509.load_pem_x509_certificate,
1206 backend
1207 )
1208 ext = cert.extensions
1209 with pytest.raises(x509.ExtensionNotFound) as exc:
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1210 ext.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1211
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1212 assert exc.value.oid == ExtensionOID.KEY_USAGE
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1213
1214 def test_all_purposes(self, backend):
1215 cert = _load_cert(
1216 os.path.join(
1217 "x509", "custom", "all_key_usages.pem"
1218 ),
1219 x509.load_pem_x509_certificate,
1220 backend
1221 )
1222 extensions = cert.extensions
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1223 ext = extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1224 assert ext is not None
1225
1226 ku = ext.value
1227 assert ku.digital_signature is True
1228 assert ku.content_commitment is True
1229 assert ku.key_encipherment is True
1230 assert ku.data_encipherment is True
1231 assert ku.key_agreement is True
1232 assert ku.key_cert_sign is True
1233 assert ku.crl_sign is True
1234 assert ku.encipher_only is True
1235 assert ku.decipher_only is True
1236
1237 def test_key_cert_sign_crl_sign(self, backend):
1238 cert = _load_cert(
1239 os.path.join(
1240 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
1241 ),
1242 x509.load_der_x509_certificate,
1243 backend
1244 )
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1245 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1246 assert ext is not None
1247 assert ext.critical is True
1248
1249 ku = ext.value
1250 assert ku.digital_signature is False
1251 assert ku.content_commitment is False
1252 assert ku.key_encipherment is False
1253 assert ku.data_encipherment is False
1254 assert ku.key_agreement is False
1255 assert ku.key_cert_sign is True
1256 assert ku.crl_sign is True
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1257
1258
1259@pytest.mark.parametrize(
1260 "name", [
1261 x509.RFC822Name,
1262 x509.DNSName,
1263 x509.UniformResourceIdentifier
1264 ]
1265)
1266class TestTextGeneralNames(object):
1267 def test_not_text(self, name):
1268 with pytest.raises(TypeError):
1269 name(b"notaunicodestring")
1270
1271 with pytest.raises(TypeError):
1272 name(1.3)
1273
1274 def test_repr(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1275 gn = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1276 assert repr(gn) == "<{0}(value=string)>".format(name.__name__)
1277
1278 def test_eq(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1279 gn = name(u"string")
1280 gn2 = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1281 assert gn == gn2
1282
1283 def test_ne(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1284 gn = name(u"string")
1285 gn2 = name(u"string2")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1286 assert gn != gn2
1287 assert gn != object()
1288
1289
1290class TestDirectoryName(object):
1291 def test_not_name(self):
1292 with pytest.raises(TypeError):
1293 x509.DirectoryName(b"notaname")
1294
1295 with pytest.raises(TypeError):
1296 x509.DirectoryName(1.3)
1297
1298 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1299 name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'value1')])
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1300 gn = x509.DirectoryName(x509.Name([name]))
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]1301 if six.PY3:
1302 assert repr(gn) == (
1303 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1304 "Identifier(oid=2.5.4.3, name=commonName)>, value='value1')>])"
1305 ">])>)>"
1306 )
1307 else:
1308 assert repr(gn) == (
1309 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1310 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'value1')>]"
1311 ")>])>)>"
1312 )
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1313
1314 def test_eq(self):
1315 name = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1316 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1317 ])
1318 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1319 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1320 ])
1321 gn = x509.DirectoryName(x509.Name([name]))
1322 gn2 = x509.DirectoryName(x509.Name([name2]))
1323 assert gn == gn2
1324
1325 def test_ne(self):
1326 name = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1327 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1328 ])
1329 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1330 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1331 ])
1332 gn = x509.DirectoryName(x509.Name([name]))
1333 gn2 = x509.DirectoryName(x509.Name([name2]))
1334 assert gn != gn2
1335 assert gn != object()
1336
1337
Paul Kehrer01d5d0b2015-07-12 09:41:21 -0500[diff] [blame]1338class TestRFC822Name(object):
1339 def test_invalid_email(self):
1340 with pytest.raises(ValueError):
1341 x509.RFC822Name(u"Name <email>")
1342
1343 with pytest.raises(ValueError):
1344 x509.RFC822Name(u"")
1345
1346 def test_single_label(self):
1347 gn = x509.RFC822Name(u"administrator")
1348 assert gn.value == u"administrator"
1349
1350 def test_idna(self):
1351 gn = x509.RFC822Name(u"email@em\xe5\xefl.com")
1352 assert gn.value == u"email@em\xe5\xefl.com"
1353 assert gn._encoded == b"email@xn--eml-vla4c.com"
1354
1355
Paul Kehrere28d6c42015-07-12 14:59:37 -0500[diff] [blame]1356class TestUniformResourceIdentifier(object):
1357 def test_no_parsed_hostname(self):
1358 gn = x509.UniformResourceIdentifier(u"singlelabel")
1359 assert gn.value == u"singlelabel"
1360
1361 def test_with_port(self):
1362 gn = x509.UniformResourceIdentifier(u"singlelabel:443/test")
1363 assert gn.value == u"singlelabel:443/test"
1364
1365 def test_idna_no_port(self):
1366 gn = x509.UniformResourceIdentifier(
1367 u"http://\u043f\u044b\u043a\u0430.cryptography"
1368 )
1369 assert gn.value == u"http://\u043f\u044b\u043a\u0430.cryptography"
1370 assert gn._encoded == b"http://xn--80ato2c.cryptography"
1371
1372 def test_idna_with_port(self):
1373 gn = x509.UniformResourceIdentifier(
1374 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1375 )
1376 assert gn.value == (
1377 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1378 )
1379 assert gn._encoded == b"gopher://xn--80ato2c.cryptography:70/some/path"
1380
1381 def test_query_and_fragment(self):
1382 gn = x509.UniformResourceIdentifier(
1383 u"ldap://cryptography:90/path?query=true#somedata"
1384 )
1385 assert gn.value == u"ldap://cryptography:90/path?query=true#somedata"
1386
1387
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1388class TestRegisteredID(object):
1389 def test_not_oid(self):
1390 with pytest.raises(TypeError):
1391 x509.RegisteredID(b"notanoid")
1392
1393 with pytest.raises(TypeError):
1394 x509.RegisteredID(1.3)
1395
1396 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1397 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1398 assert repr(gn) == (
1399 "<RegisteredID(value=<ObjectIdentifier(oid=2.5.4.3, name=commonNam"
1400 "e)>)>"
1401 )
1402
1403 def test_eq(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1404 gn = x509.RegisteredID(NameOID.COMMON_NAME)
1405 gn2 = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1406 assert gn == gn2
1407
1408 def test_ne(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1409 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1410 gn2 = x509.RegisteredID(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1411 assert gn != gn2
1412 assert gn != object()
1413
1414
1415class TestIPAddress(object):
1416 def test_not_ipaddress(self):
1417 with pytest.raises(TypeError):
1418 x509.IPAddress(b"notanipaddress")
1419
1420 with pytest.raises(TypeError):
1421 x509.IPAddress(1.3)
1422
1423 def test_repr(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1424 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1425 assert repr(gn) == "<IPAddress(value=127.0.0.1)>"
1426
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1427 gn2 = x509.IPAddress(ipaddress.IPv6Address(u"ff::"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1428 assert repr(gn2) == "<IPAddress(value=ff::)>"
1429
Paul Kehrereb177932015-05-17 18:33:33 -0700[diff] [blame]1430 gn3 = x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24"))
1431 assert repr(gn3) == "<IPAddress(value=192.168.0.0/24)>"
1432
1433 gn4 = x509.IPAddress(ipaddress.IPv6Network(u"ff::/96"))
1434 assert repr(gn4) == "<IPAddress(value=ff::/96)>"
1435
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1436 def test_eq(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1437 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1438 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1439 assert gn == gn2
1440
1441 def test_ne(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1442 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1443 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.2"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1444 assert gn != gn2
1445 assert gn != object()
1446
1447
Joshua Tauberer18b6fc82015-07-05 21:44:51 +0000[diff] [blame]1448class TestOtherName(object):
1449 def test_invalid_args(self):
1450 with pytest.raises(TypeError):
1451 x509.OtherName(b"notanobjectidentifier", b"derdata")
1452
1453 with pytest.raises(TypeError):
1454 x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), u"notderdata")
1455
1456 def test_repr(self):
1457 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1458 if six.PY3:
1459 assert repr(gn) == (
1460 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1461 "name=Unknown OID)>, value=b'derdata')>"
1462 )
1463 else:
1464 assert repr(gn) == (
1465 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1466 "name=Unknown OID)>, value='derdata')>"
1467 )
1468
1469 gn = x509.OtherName(x509.ObjectIdentifier("2.5.4.65"), b"derdata")
1470 if six.PY3:
1471 assert repr(gn) == (
1472 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1473 "name=pseudonym)>, value=b'derdata')>"
1474 )
1475 else:
1476 assert repr(gn) == (
1477 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1478 "name=pseudonym)>, value='derdata')>"
1479 )
1480
1481 def test_eq(self):
1482 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1483 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1484 assert gn == gn2
1485
1486 def test_ne(self):
1487 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1488 assert gn != object()
1489
1490 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata2")
1491 assert gn != gn2
1492
1493 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.5"), b"derdata")
1494 assert gn != gn2
1495
1496
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1497class TestGeneralNames(object):
1498 def test_get_values_for_type(self):
1499 gns = x509.GeneralNames(
1500 [x509.DNSName(u"cryptography.io")]
1501 )
1502 names = gns.get_values_for_type(x509.DNSName)
1503 assert names == [u"cryptography.io"]
1504
1505 def test_iter_names(self):
1506 gns = x509.GeneralNames([
1507 x509.DNSName(u"cryptography.io"),
1508 x509.DNSName(u"crypto.local"),
1509 ])
1510 assert len(gns) == 2
1511 assert list(gns) == [
1512 x509.DNSName(u"cryptography.io"),
1513 x509.DNSName(u"crypto.local"),
1514 ]
1515
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1516 def test_indexing(self):
1517 gn = x509.GeneralNames([
1518 x509.DNSName(u"cryptography.io"),
1519 x509.DNSName(u"crypto.local"),
1520 x509.DNSName(u"another.local"),
1521 x509.RFC822Name(u"email@another.local"),
1522 x509.UniformResourceIdentifier(u"http://another.local"),
1523 ])
1524 assert gn[-1] == gn[4]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame]1525 assert gn[2:6:2] == [gn[2], gn[4]]
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1526
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1527 def test_invalid_general_names(self):
1528 with pytest.raises(TypeError):
1529 x509.GeneralNames(
1530 [x509.DNSName(u"cryptography.io"), "invalid"]
1531 )
1532
1533 def test_repr(self):
1534 gns = x509.GeneralNames(
1535 [
1536 x509.DNSName(u"cryptography.io")
1537 ]
1538 )
1539 assert repr(gns) == (
1540 "<GeneralNames([<DNSName(value=cryptography.io)>])>"
1541 )
1542
1543 def test_eq(self):
1544 gns = x509.GeneralNames(
1545 [x509.DNSName(u"cryptography.io")]
1546 )
1547 gns2 = x509.GeneralNames(
1548 [x509.DNSName(u"cryptography.io")]
1549 )
1550 assert gns == gns2
1551
1552 def test_ne(self):
1553 gns = x509.GeneralNames(
1554 [x509.DNSName(u"cryptography.io")]
1555 )
1556 gns2 = x509.GeneralNames(
1557 [x509.RFC822Name(u"admin@cryptography.io")]
1558 )
1559 assert gns != gns2
1560 assert gns != object()
1561
1562
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1563class TestIssuerAlternativeName(object):
1564 def test_get_values_for_type(self):
1565 san = x509.IssuerAlternativeName(
1566 [x509.DNSName(u"cryptography.io")]
1567 )
1568 names = san.get_values_for_type(x509.DNSName)
1569 assert names == [u"cryptography.io"]
1570
1571 def test_iter_names(self):
1572 san = x509.IssuerAlternativeName([
1573 x509.DNSName(u"cryptography.io"),
1574 x509.DNSName(u"crypto.local"),
1575 ])
1576 assert len(san) == 2
1577 assert list(san) == [
1578 x509.DNSName(u"cryptography.io"),
1579 x509.DNSName(u"crypto.local"),
1580 ]
1581
Paul Kehrer5c999d32015-12-26 17:45:20 -0600[diff] [blame]1582 def test_indexing(self):
1583 ian = x509.IssuerAlternativeName([
1584 x509.DNSName(u"cryptography.io"),
1585 x509.DNSName(u"crypto.local"),
1586 x509.DNSName(u"another.local"),
1587 x509.RFC822Name(u"email@another.local"),
1588 x509.UniformResourceIdentifier(u"http://another.local"),
1589 ])
1590 assert ian[-1] == ian[4]
1591 assert ian[2:6:2] == [ian[2], ian[4]]
1592
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1593 def test_invalid_general_names(self):
1594 with pytest.raises(TypeError):
1595 x509.IssuerAlternativeName(
1596 [x509.DNSName(u"cryptography.io"), "invalid"]
1597 )
1598
1599 def test_repr(self):
1600 san = x509.IssuerAlternativeName(
1601 [
1602 x509.DNSName(u"cryptography.io")
1603 ]
1604 )
1605 assert repr(san) == (
1606 "<IssuerAlternativeName("
1607 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
1608 )
1609
1610 def test_eq(self):
1611 san = x509.IssuerAlternativeName(
1612 [x509.DNSName(u"cryptography.io")]
1613 )
1614 san2 = x509.IssuerAlternativeName(
1615 [x509.DNSName(u"cryptography.io")]
1616 )
1617 assert san == san2
1618
1619 def test_ne(self):
1620 san = x509.IssuerAlternativeName(
1621 [x509.DNSName(u"cryptography.io")]
1622 )
1623 san2 = x509.IssuerAlternativeName(
1624 [x509.RFC822Name(u"admin@cryptography.io")]
1625 )
1626 assert san != san2
1627 assert san != object()
1628
1629
Alex Gaynorf1c17672015-06-20 14:20:20 -0400[diff] [blame]1630@pytest.mark.requires_backend_interface(interface=RSABackend)
1631@pytest.mark.requires_backend_interface(interface=X509Backend)
1632class TestRSAIssuerAlternativeNameExtension(object):
1633 def test_uri(self, backend):
1634 cert = _load_cert(
1635 os.path.join("x509", "custom", "ian_uri.pem"),
1636 x509.load_pem_x509_certificate,
1637 backend,
1638 )
1639 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1640 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Alex Gaynorf1c17672015-06-20 14:20:20 -0400[diff] [blame]1641 )
1642 assert list(ext.value) == [
1643 x509.UniformResourceIdentifier(u"http://path.to.root/root.crt"),
1644 ]
1645
1646
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]1647class TestCRLNumber(object):
1648 def test_eq(self):
1649 crl_number = x509.CRLNumber(15)
1650 assert crl_number == x509.CRLNumber(15)
1651
1652 def test_ne(self):
1653 crl_number = x509.CRLNumber(15)
1654 assert crl_number != x509.CRLNumber(14)
1655 assert crl_number != object()
1656
1657 def test_repr(self):
1658 crl_number = x509.CRLNumber(15)
1659 assert repr(crl_number) == "<CRLNumber(15)>"
1660
Paul Kehrera9718fc2015-12-22 22:55:35 -0600[diff] [blame]1661 def test_invalid_number(self):
1662 with pytest.raises(TypeError):
1663 x509.CRLNumber("notanumber")
1664
Alex Gaynorf9a77b62015-12-26 12:14:25 -0500[diff] [blame]1665 def test_hash(self):
1666 c1 = x509.CRLNumber(1)
1667 c2 = x509.CRLNumber(1)
1668 c3 = x509.CRLNumber(2)
1669 assert hash(c1) == hash(c2)
1670 assert hash(c1) != hash(c3)
1671
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]1672
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1673class TestSubjectAlternativeName(object):
1674 def test_get_values_for_type(self):
1675 san = x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1676 [x509.DNSName(u"cryptography.io")]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1677 )
1678 names = san.get_values_for_type(x509.DNSName)
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1679 assert names == [u"cryptography.io"]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1680
1681 def test_iter_names(self):
1682 san = x509.SubjectAlternativeName([
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1683 x509.DNSName(u"cryptography.io"),
1684 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1685 ])
1686 assert len(san) == 2
1687 assert list(san) == [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1688 x509.DNSName(u"cryptography.io"),
1689 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1690 ]
1691
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1692 def test_indexing(self):
1693 san = x509.SubjectAlternativeName([
1694 x509.DNSName(u"cryptography.io"),
1695 x509.DNSName(u"crypto.local"),
1696 x509.DNSName(u"another.local"),
1697 x509.RFC822Name(u"email@another.local"),
1698 x509.UniformResourceIdentifier(u"http://another.local"),
1699 ])
1700 assert san[-1] == san[4]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame]1701 assert san[2:6:2] == [san[2], san[4]]
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1702
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1703 def test_invalid_general_names(self):
1704 with pytest.raises(TypeError):
1705 x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1706 [x509.DNSName(u"cryptography.io"), "invalid"]
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1707 )
1708
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1709 def test_repr(self):
1710 san = x509.SubjectAlternativeName(
1711 [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1712 x509.DNSName(u"cryptography.io")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1713 ]
1714 )
1715 assert repr(san) == (
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1716 "<SubjectAlternativeName("
1717 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1718 )
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1719
Paul Kehrer58cc3972015-05-13 10:00:41 -0500[diff] [blame]1720 def test_eq(self):
1721 san = x509.SubjectAlternativeName(
1722 [x509.DNSName(u"cryptography.io")]
1723 )
1724 san2 = x509.SubjectAlternativeName(
1725 [x509.DNSName(u"cryptography.io")]
1726 )
1727 assert san == san2
1728
1729 def test_ne(self):
1730 san = x509.SubjectAlternativeName(
1731 [x509.DNSName(u"cryptography.io")]
1732 )
1733 san2 = x509.SubjectAlternativeName(
1734 [x509.RFC822Name(u"admin@cryptography.io")]
1735 )
1736 assert san != san2
1737 assert san != object()
1738
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1739
1740@pytest.mark.requires_backend_interface(interface=RSABackend)
1741@pytest.mark.requires_backend_interface(interface=X509Backend)
1742class TestRSASubjectAlternativeNameExtension(object):
1743 def test_dns_name(self, backend):
1744 cert = _load_cert(
1745 os.path.join("x509", "cryptography.io.pem"),
1746 x509.load_pem_x509_certificate,
1747 backend
1748 )
1749 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1750 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1751 )
1752 assert ext is not None
1753 assert ext.critical is False
1754
1755 san = ext.value
1756
1757 dns = san.get_values_for_type(x509.DNSName)
1758 assert dns == [u"www.cryptography.io", u"cryptography.io"]
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1759
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1760 def test_wildcard_dns_name(self, backend):
1761 cert = _load_cert(
1762 os.path.join("x509", "wildcard_san.pem"),
1763 x509.load_pem_x509_certificate,
1764 backend
1765 )
1766 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1767 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1768 )
1769
1770 dns = ext.value.get_values_for_type(x509.DNSName)
1771 assert dns == [
1772 u'*.langui.sh',
1773 u'langui.sh',
1774 u'*.saseliminator.com',
1775 u'saseliminator.com'
1776 ]
1777
Dominic Chen87bb9572015-10-09 00:23:07 -0400[diff] [blame]1778 def test_san_empty_hostname(self, backend):
1779 cert = _load_cert(
1780 os.path.join(
1781 "x509", "custom", "san_empty_hostname.pem"
1782 ),
1783 x509.load_pem_x509_certificate,
1784 backend
1785 )
1786 san = cert.extensions.get_extension_for_oid(
1787 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
1788 )
1789
1790 dns = san.value.get_values_for_type(x509.DNSName)
1791 assert dns == [u'']
1792
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1793 def test_san_wildcard_idna_dns_name(self, backend):
1794 cert = _load_cert(
1795 os.path.join("x509", "custom", "san_wildcard_idna.pem"),
1796 x509.load_pem_x509_certificate,
1797 backend
1798 )
1799 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1800 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1801 )
1802
1803 dns = ext.value.get_values_for_type(x509.DNSName)
1804 assert dns == [u'*.\u043f\u044b\u043a\u0430.cryptography']
1805
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1806 def test_unsupported_gn(self, backend):
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1807 cert = _load_cert(
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1808 os.path.join("x509", "san_x400address.der"),
1809 x509.load_der_x509_certificate,
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1810 backend
1811 )
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1812 with pytest.raises(x509.UnsupportedGeneralNameType) as exc:
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1813 cert.extensions
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1814
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1815 assert exc.value.type == 3
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1816
1817 def test_registered_id(self, backend):
1818 cert = _load_cert(
1819 os.path.join(
1820 "x509", "custom", "san_registered_id.pem"
1821 ),
1822 x509.load_pem_x509_certificate,
1823 backend
1824 )
1825 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1826 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1827 )
1828 assert ext is not None
1829 assert ext.critical is False
1830
1831 san = ext.value
1832 rid = san.get_values_for_type(x509.RegisteredID)
1833 assert rid == [x509.ObjectIdentifier("1.2.3.4")]
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1834
1835 def test_uri(self, backend):
1836 cert = _load_cert(
1837 os.path.join(
1838 "x509", "custom", "san_uri_with_port.pem"
1839 ),
1840 x509.load_pem_x509_certificate,
1841 backend
1842 )
1843 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1844 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1845 )
1846 assert ext is not None
1847 uri = ext.value.get_values_for_type(
1848 x509.UniformResourceIdentifier
1849 )
1850 assert uri == [
1851 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/path?q=s#hel"
1852 u"lo",
1853 u"http://someregulardomain.com",
1854 ]
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1855
1856 def test_ipaddress(self, backend):
1857 cert = _load_cert(
1858 os.path.join(
1859 "x509", "custom", "san_ipaddr.pem"
1860 ),
1861 x509.load_pem_x509_certificate,
1862 backend
1863 )
1864 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1865 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1866 )
1867 assert ext is not None
1868 assert ext.critical is False
1869
1870 san = ext.value
1871
1872 ip = san.get_values_for_type(x509.IPAddress)
1873 assert [
1874 ipaddress.ip_address(u"127.0.0.1"),
1875 ipaddress.ip_address(u"ff::")
1876 ] == ip
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1877
1878 def test_dirname(self, backend):
1879 cert = _load_cert(
1880 os.path.join(
1881 "x509", "custom", "san_dirname.pem"
1882 ),
1883 x509.load_pem_x509_certificate,
1884 backend
1885 )
1886 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1887 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1888 )
1889 assert ext is not None
1890 assert ext.critical is False
1891
1892 san = ext.value
1893
1894 dirname = san.get_values_for_type(x509.DirectoryName)
1895 assert [
1896 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1897 x509.NameAttribute(NameOID.COMMON_NAME, u'test'),
1898 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org'),
1899 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1900 ])
1901 ] == dirname
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1902
1903 def test_rfc822name(self, backend):
1904 cert = _load_cert(
1905 os.path.join(
1906 "x509", "custom", "san_rfc822_idna.pem"
1907 ),
1908 x509.load_pem_x509_certificate,
1909 backend
1910 )
1911 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1912 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1913 )
1914 assert ext is not None
1915 assert ext.critical is False
1916
1917 san = ext.value
1918
1919 rfc822name = san.get_values_for_type(x509.RFC822Name)
1920 assert [u"email@em\xe5\xefl.com"] == rfc822name
1921
Paul Kehrerb8968812015-05-15 09:01:34 -0700[diff] [blame]1922 def test_idna2003_invalid(self, backend):
1923 cert = _load_cert(
1924 os.path.join(
1925 "x509", "custom", "san_idna2003_dnsname.pem"
1926 ),
1927 x509.load_pem_x509_certificate,
1928 backend
1929 )
1930 with pytest.raises(UnicodeError):
1931 cert.extensions
1932
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1933 def test_unicode_rfc822_name_dns_name_uri(self, backend):
1934 cert = _load_cert(
1935 os.path.join(
1936 "x509", "custom", "san_idna_names.pem"
1937 ),
1938 x509.load_pem_x509_certificate,
1939 backend
1940 )
1941 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1942 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1943 )
1944 assert ext is not None
1945 rfc822_name = ext.value.get_values_for_type(x509.RFC822Name)
1946 dns_name = ext.value.get_values_for_type(x509.DNSName)
1947 uri = ext.value.get_values_for_type(x509.UniformResourceIdentifier)
1948 assert rfc822_name == [u"email@\u043f\u044b\u043a\u0430.cryptography"]
1949 assert dns_name == [u"\u043f\u044b\u043a\u0430.cryptography"]
1950 assert uri == [u"https://www.\u043f\u044b\u043a\u0430.cryptography"]
1951
1952 def test_rfc822name_dnsname_ipaddress_directoryname_uri(self, backend):
1953 cert = _load_cert(
1954 os.path.join(
1955 "x509", "custom", "san_email_dns_ip_dirname_uri.pem"
1956 ),
1957 x509.load_pem_x509_certificate,
1958 backend
1959 )
1960 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1961 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1962 )
1963 assert ext is not None
1964 assert ext.critical is False
1965
1966 san = ext.value
1967
1968 rfc822_name = san.get_values_for_type(x509.RFC822Name)
1969 uri = san.get_values_for_type(x509.UniformResourceIdentifier)
1970 dns = san.get_values_for_type(x509.DNSName)
1971 ip = san.get_values_for_type(x509.IPAddress)
1972 dirname = san.get_values_for_type(x509.DirectoryName)
1973 assert [u"user@cryptography.io"] == rfc822_name
Paul Kehrere3a330c2015-05-02 16:42:52 -0500[diff] [blame]1974 assert [u"https://cryptography.io"] == uri
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1975 assert [u"cryptography.io"] == dns
1976 assert [
1977 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1978 x509.NameAttribute(NameOID.COMMON_NAME, u'dirCN'),
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1979 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1980 NameOID.ORGANIZATION_NAME, u'Cryptographic Authority'
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1981 ),
1982 ])
1983 ] == dirname
1984 assert [
1985 ipaddress.ip_address(u"127.0.0.1"),
1986 ipaddress.ip_address(u"ff::")
1987 ] == ip
1988
1989 def test_invalid_rfc822name(self, backend):
1990 cert = _load_cert(
1991 os.path.join(
1992 "x509", "custom", "san_rfc822_names.pem"
1993 ),
1994 x509.load_pem_x509_certificate,
1995 backend
1996 )
1997 with pytest.raises(ValueError) as exc:
1998 cert.extensions
1999
2000 assert 'Invalid rfc822name value' in str(exc.value)
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]2001
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2002 def test_other_name(self, backend):
2003 cert = _load_cert(
2004 os.path.join(
2005 "x509", "custom", "san_other_name.pem"
2006 ),
2007 x509.load_pem_x509_certificate,
2008 backend
2009 )
2010
2011 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2012 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2013 )
2014 assert ext is not None
2015 assert ext.critical is False
2016
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]2017 expected = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"),
2018 b'\x16\x0bHello World')
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2019 assert len(ext.value) == 1
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]2020 assert list(ext.value)[0] == expected
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2021
2022 othernames = ext.value.get_values_for_type(x509.OtherName)
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]2023 assert othernames == [expected]
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2024
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]2025
2026@pytest.mark.requires_backend_interface(interface=RSABackend)
2027@pytest.mark.requires_backend_interface(interface=X509Backend)
2028class TestExtendedKeyUsageExtension(object):
2029 def test_eku(self, backend):
2030 cert = _load_cert(
2031 os.path.join(
2032 "x509", "custom", "extended_key_usage.pem"
2033 ),
2034 x509.load_pem_x509_certificate,
2035 backend
2036 )
2037 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2038 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]2039 )
2040 assert ext is not None
2041 assert ext.critical is False
2042
2043 assert [
2044 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
2045 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
2046 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.3"),
2047 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.4"),
2048 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.9"),
2049 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.8"),
2050 x509.ObjectIdentifier("2.5.29.37.0"),
2051 x509.ObjectIdentifier("2.16.840.1.113730.4.1"),
2052 ] == list(ext.value)
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2053
2054
2055class TestAccessDescription(object):
2056 def test_invalid_access_method(self):
Nick Bastind06763d2015-12-12 18:32:59 -0800[diff] [blame]2057 with pytest.raises(TypeError):
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2058 x509.AccessDescription("notanoid", x509.DNSName(u"test"))
2059
2060 def test_invalid_access_location(self):
2061 with pytest.raises(TypeError):
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2062 x509.AccessDescription(
2063 AuthorityInformationAccessOID.CA_ISSUERS, "invalid"
2064 )
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2065
Nick Bastind2ecf862015-12-13 05:44:46 -0800[diff] [blame]2066 def test_valid_nonstandard_method(self):
Nick Bastin326fc8e2015-12-12 19:08:12 -0800[diff] [blame]2067 ad = x509.AccessDescription(
2068 ObjectIdentifier("2.999.1"),
2069 x509.UniformResourceIdentifier(u"http://example.com")
2070 )
Nick Bastin11f0f8a2015-12-12 18:54:12 -0800[diff] [blame]2071 assert ad is not None
2072
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2073 def test_repr(self):
2074 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2075 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2076 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2077 )
2078 assert repr(ad) == (
2079 "<AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5."
2080 "5.7.48.1, name=OCSP)>, access_location=<UniformResourceIdentifier"
2081 "(value=http://ocsp.domain.com)>)>"
2082 )
2083
2084 def test_eq(self):
2085 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2086 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2087 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2088 )
2089 ad2 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2090 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2091 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2092 )
2093 assert ad == ad2
2094
2095 def test_ne(self):
2096 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2097 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2098 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2099 )
2100 ad2 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2101 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2102 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2103 )
2104 ad3 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2105 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2106 x509.UniformResourceIdentifier(u"http://notthesame")
2107 )
2108 assert ad != ad2
2109 assert ad != ad3
2110 assert ad != object()
2111
2112
2113class TestAuthorityInformationAccess(object):
2114 def test_invalid_descriptions(self):
2115 with pytest.raises(TypeError):
2116 x509.AuthorityInformationAccess(["notanAccessDescription"])
2117
2118 def test_iter_len(self):
2119 aia = x509.AuthorityInformationAccess([
2120 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2121 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2122 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2123 ),
2124 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2125 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2126 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2127 )
2128 ])
2129 assert len(aia) == 2
2130 assert list(aia) == [
2131 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2132 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2133 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2134 ),
2135 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2136 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2137 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2138 )
2139 ]
2140
2141 def test_repr(self):
2142 aia = x509.AuthorityInformationAccess([
2143 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2144 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2145 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2146 ),
2147 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2148 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2149 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2150 )
2151 ])
2152 assert repr(aia) == (
2153 "<AuthorityInformationAccess([<AccessDescription(access_method=<Ob"
2154 "jectIdentifier(oid=1.3.6.1.5.5.7.48.1, name=OCSP)>, access_locati"
2155 "on=<UniformResourceIdentifier(value=http://ocsp.domain.com)>)>, <"
2156 "AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5.5"
2157 ".7.48.2, name=caIssuers)>, access_location=<UniformResourceIdenti"
2158 "fier(value=http://domain.com/ca.crt)>)>])>"
2159 )
2160
2161 def test_eq(self):
2162 aia = x509.AuthorityInformationAccess([
2163 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2164 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2165 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2166 ),
2167 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2168 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2169 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2170 )
2171 ])
2172 aia2 = x509.AuthorityInformationAccess([
2173 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2174 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2175 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2176 ),
2177 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2178 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2179 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2180 )
2181 ])
2182 assert aia == aia2
2183
2184 def test_ne(self):
2185 aia = x509.AuthorityInformationAccess([
2186 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2187 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2188 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2189 ),
2190 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2191 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2192 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2193 )
2194 ])
2195 aia2 = x509.AuthorityInformationAccess([
2196 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2197 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2198 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2199 ),
2200 ])
2201
2202 assert aia != aia2
2203 assert aia != object()
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2204
2205
2206@pytest.mark.requires_backend_interface(interface=RSABackend)
2207@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2208class TestAuthorityInformationAccessExtension(object):
2209 def test_aia_ocsp_ca_issuers(self, backend):
2210 cert = _load_cert(
2211 os.path.join("x509", "cryptography.io.pem"),
2212 x509.load_pem_x509_certificate,
2213 backend
2214 )
2215 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2216 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2217 )
2218 assert ext is not None
2219 assert ext.critical is False
2220
2221 assert ext.value == x509.AuthorityInformationAccess([
2222 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2223 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2224 x509.UniformResourceIdentifier(u"http://gv.symcd.com")
2225 ),
2226 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2227 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2228 x509.UniformResourceIdentifier(u"http://gv.symcb.com/gv.crt")
2229 ),
2230 ])
2231
2232 def test_aia_multiple_ocsp_ca_issuers(self, backend):
2233 cert = _load_cert(
2234 os.path.join("x509", "custom", "aia_ocsp_ca_issuers.pem"),
2235 x509.load_pem_x509_certificate,
2236 backend
2237 )
2238 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2239 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2240 )
2241 assert ext is not None
2242 assert ext.critical is False
2243
2244 assert ext.value == x509.AuthorityInformationAccess([
2245 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2246 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2247 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2248 ),
2249 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2250 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2251 x509.UniformResourceIdentifier(u"http://ocsp2.domain.com")
2252 ),
2253 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2254 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2255 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2256 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
2257 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2258 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2259 ]))
2260 ),
2261 ])
2262
2263 def test_aia_ocsp_only(self, backend):
2264 cert = _load_cert(
2265 os.path.join("x509", "custom", "aia_ocsp.pem"),
2266 x509.load_pem_x509_certificate,
2267 backend
2268 )
2269 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2270 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2271 )
2272 assert ext is not None
2273 assert ext.critical is False
2274
2275 assert ext.value == x509.AuthorityInformationAccess([
2276 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2277 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2278 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2279 ),
2280 ])
2281
2282 def test_aia_ca_issuers_only(self, backend):
2283 cert = _load_cert(
2284 os.path.join("x509", "custom", "aia_ca_issuers.pem"),
2285 x509.load_pem_x509_certificate,
2286 backend
2287 )
2288 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2289 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2290 )
2291 assert ext is not None
2292 assert ext.critical is False
2293
2294 assert ext.value == x509.AuthorityInformationAccess([
2295 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2296 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2297 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2298 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
2299 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2300 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2301 ]))
2302 ),
2303 ])
2304
2305
2306@pytest.mark.requires_backend_interface(interface=RSABackend)
2307@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2308class TestAuthorityKeyIdentifierExtension(object):
2309 def test_aki_keyid(self, backend):
2310 cert = _load_cert(
2311 os.path.join(
2312 "x509", "cryptography.io.pem"
2313 ),
2314 x509.load_pem_x509_certificate,
2315 backend
2316 )
2317 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2318 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2319 )
2320 assert ext is not None
2321 assert ext.critical is False
2322
2323 assert ext.value.key_identifier == (
2324 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08\xcbY"
2325 )
2326 assert ext.value.authority_cert_issuer is None
2327 assert ext.value.authority_cert_serial_number is None
2328
2329 def test_aki_all_fields(self, backend):
2330 cert = _load_cert(
2331 os.path.join(
2332 "x509", "custom", "authority_key_identifier.pem"
2333 ),
2334 x509.load_pem_x509_certificate,
2335 backend
2336 )
2337 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2338 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2339 )
2340 assert ext is not None
2341 assert ext.critical is False
2342
2343 assert ext.value.key_identifier == (
2344 b"9E>\xca=b\x1d\xea\x86I\xf6Z\xab@\xb7\xa4p\x98\xf1\xec"
2345 )
2346 assert ext.value.authority_cert_issuer == [
2347 x509.DirectoryName(
2348 x509.Name([
2349 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2350 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2351 ),
2352 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2353 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2354 )
2355 ])
2356 )
2357 ]
2358 assert ext.value.authority_cert_serial_number == 3
2359
2360 def test_aki_no_keyid(self, backend):
2361 cert = _load_cert(
2362 os.path.join(
2363 "x509", "custom", "authority_key_identifier_no_keyid.pem"
2364 ),
2365 x509.load_pem_x509_certificate,
2366 backend
2367 )
2368 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2369 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2370 )
2371 assert ext is not None
2372 assert ext.critical is False
2373
2374 assert ext.value.key_identifier is None
2375 assert ext.value.authority_cert_issuer == [
2376 x509.DirectoryName(
2377 x509.Name([
2378 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2379 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2380 ),
2381 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2382 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2383 )
2384 ])
2385 )
2386 ]
2387 assert ext.value.authority_cert_serial_number == 3
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2388
Paul Kehrer253929a2015-08-05 17:30:39 +0100[diff] [blame]2389 def test_from_certificate(self, backend):
2390 issuer_cert = _load_cert(
2391 os.path.join("x509", "rapidssl_sha256_ca_g3.pem"),
2392 x509.load_pem_x509_certificate,
2393 backend
2394 )
2395 cert = _load_cert(
2396 os.path.join("x509", "cryptography.io.pem"),
2397 x509.load_pem_x509_certificate,
2398 backend
2399 )
2400 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2401 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrer253929a2015-08-05 17:30:39 +0100[diff] [blame]2402 )
2403 aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(
2404 issuer_cert.public_key()
2405 )
2406 assert ext.value == aki
2407
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2408
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2409class TestNameConstraints(object):
2410 def test_ipaddress_wrong_type(self):
2411 with pytest.raises(TypeError):
2412 x509.NameConstraints(
2413 permitted_subtrees=[
2414 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2415 ],
2416 excluded_subtrees=None
2417 )
2418
2419 with pytest.raises(TypeError):
2420 x509.NameConstraints(
2421 permitted_subtrees=None,
2422 excluded_subtrees=[
2423 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2424 ]
2425 )
2426
2427 def test_ipaddress_allowed_type(self):
2428 permitted = [x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29"))]
2429 excluded = [x509.IPAddress(ipaddress.IPv4Network(u"10.10.0.0/24"))]
2430 nc = x509.NameConstraints(
2431 permitted_subtrees=permitted,
2432 excluded_subtrees=excluded
2433 )
2434 assert nc.permitted_subtrees == permitted
2435 assert nc.excluded_subtrees == excluded
2436
2437 def test_invalid_permitted_subtrees(self):
2438 with pytest.raises(TypeError):
2439 x509.NameConstraints("badpermitted", None)
2440
2441 def test_invalid_excluded_subtrees(self):
2442 with pytest.raises(TypeError):
2443 x509.NameConstraints(None, "badexcluded")
2444
2445 def test_no_subtrees(self):
2446 with pytest.raises(ValueError):
2447 x509.NameConstraints(None, None)
2448
2449 def test_permitted_none(self):
2450 excluded = [x509.DNSName(u"name.local")]
2451 nc = x509.NameConstraints(
2452 permitted_subtrees=None, excluded_subtrees=excluded
2453 )
2454 assert nc.permitted_subtrees is None
2455 assert nc.excluded_subtrees is not None
2456
2457 def test_excluded_none(self):
2458 permitted = [x509.DNSName(u"name.local")]
2459 nc = x509.NameConstraints(
2460 permitted_subtrees=permitted, excluded_subtrees=None
2461 )
2462 assert nc.permitted_subtrees is not None
2463 assert nc.excluded_subtrees is None
2464
2465 def test_repr(self):
2466 permitted = [x509.DNSName(u"name.local"), x509.DNSName(u"name2.local")]
2467 nc = x509.NameConstraints(
2468 permitted_subtrees=permitted,
2469 excluded_subtrees=None
2470 )
2471 assert repr(nc) == (
2472 "<NameConstraints(permitted_subtrees=[<DNSName(value=name.local)>"
2473 ", <DNSName(value=name2.local)>], excluded_subtrees=None)>"
2474 )
2475
Paul Kehrer31894282015-06-21 21:46:41 -0500[diff] [blame]2476 def test_eq(self):
2477 nc = x509.NameConstraints(
2478 permitted_subtrees=[x509.DNSName(u"name.local")],
2479 excluded_subtrees=[x509.DNSName(u"name2.local")]
2480 )
2481 nc2 = x509.NameConstraints(
2482 permitted_subtrees=[x509.DNSName(u"name.local")],
2483 excluded_subtrees=[x509.DNSName(u"name2.local")]
2484 )
2485 assert nc == nc2
2486
2487 def test_ne(self):
2488 nc = x509.NameConstraints(
2489 permitted_subtrees=[x509.DNSName(u"name.local")],
2490 excluded_subtrees=[x509.DNSName(u"name2.local")]
2491 )
2492 nc2 = x509.NameConstraints(
2493 permitted_subtrees=[x509.DNSName(u"name.local")],
2494 excluded_subtrees=None
2495 )
2496 nc3 = x509.NameConstraints(
2497 permitted_subtrees=None,
2498 excluded_subtrees=[x509.DNSName(u"name2.local")]
2499 )
2500
2501 assert nc != nc2
2502 assert nc != nc3
2503 assert nc != object()
2504
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2505
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2506@pytest.mark.requires_backend_interface(interface=RSABackend)
2507@pytest.mark.requires_backend_interface(interface=X509Backend)
2508class TestNameConstraintsExtension(object):
2509 def test_permitted_excluded(self, backend):
2510 cert = _load_cert(
2511 os.path.join(
2512 "x509", "custom", "nc_permitted_excluded_2.pem"
2513 ),
2514 x509.load_pem_x509_certificate,
2515 backend
2516 )
2517 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2518 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2519 ).value
2520 assert nc == x509.NameConstraints(
2521 permitted_subtrees=[
2522 x509.DNSName(u"zombo.local"),
2523 ],
2524 excluded_subtrees=[
2525 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2526 x509.NameAttribute(NameOID.COMMON_NAME, u"zombo")
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2527 ]))
2528 ]
2529 )
2530
2531 def test_permitted(self, backend):
2532 cert = _load_cert(
2533 os.path.join(
2534 "x509", "custom", "nc_permitted_2.pem"
2535 ),
2536 x509.load_pem_x509_certificate,
2537 backend
2538 )
2539 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2540 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2541 ).value
2542 assert nc == x509.NameConstraints(
2543 permitted_subtrees=[
2544 x509.DNSName(u"zombo.local"),
2545 ],
2546 excluded_subtrees=None
2547 )
2548
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2549 def test_permitted_with_leading_period(self, backend):
2550 cert = _load_cert(
2551 os.path.join(
2552 "x509", "custom", "nc_permitted.pem"
2553 ),
2554 x509.load_pem_x509_certificate,
2555 backend
2556 )
2557 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2558 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2559 ).value
2560 assert nc == x509.NameConstraints(
2561 permitted_subtrees=[
2562 x509.DNSName(u".cryptography.io"),
2563 x509.UniformResourceIdentifier(u"ftp://cryptography.test")
2564 ],
2565 excluded_subtrees=None
2566 )
2567
2568 def test_excluded_with_leading_period(self, backend):
2569 cert = _load_cert(
2570 os.path.join(
2571 "x509", "custom", "nc_excluded.pem"
2572 ),
2573 x509.load_pem_x509_certificate,
2574 backend
2575 )
2576 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2577 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2578 ).value
2579 assert nc == x509.NameConstraints(
2580 permitted_subtrees=None,
2581 excluded_subtrees=[
2582 x509.DNSName(u".cryptography.io"),
2583 x509.UniformResourceIdentifier(u"gopher://cryptography.test")
2584 ]
2585 )
2586
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2587 def test_permitted_excluded_with_ips(self, backend):
2588 cert = _load_cert(
2589 os.path.join(
2590 "x509", "custom", "nc_permitted_excluded.pem"
2591 ),
2592 x509.load_pem_x509_certificate,
2593 backend
2594 )
2595 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2596 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2597 ).value
2598 assert nc == x509.NameConstraints(
2599 permitted_subtrees=[
2600 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")),
2601 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")),
2602 ],
2603 excluded_subtrees=[
2604 x509.DNSName(u".domain.com"),
2605 x509.UniformResourceIdentifier(u"http://test.local"),
2606 ]
2607 )
2608
Paul Kehrera72ebaf2015-07-01 21:07:37 -0500[diff] [blame]2609 def test_single_ip_netmask(self, backend):
2610 cert = _load_cert(
2611 os.path.join(
2612 "x509", "custom", "nc_single_ip_netmask.pem"
2613 ),
2614 x509.load_pem_x509_certificate,
2615 backend
2616 )
2617 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2618 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrera72ebaf2015-07-01 21:07:37 -0500[diff] [blame]2619 ).value
2620 assert nc == x509.NameConstraints(
2621 permitted_subtrees=[
2622 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/128")),
2623 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.1/32")),
2624 ],
2625 excluded_subtrees=None
2626 )
2627
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2628 def test_invalid_netmask(self, backend):
2629 cert = _load_cert(
2630 os.path.join(
2631 "x509", "custom", "nc_invalid_ip_netmask.pem"
2632 ),
2633 x509.load_pem_x509_certificate,
2634 backend
2635 )
2636 with pytest.raises(ValueError):
2637 cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2638 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2639 )
2640
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2641
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2642class TestDistributionPoint(object):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2643 def test_distribution_point_full_name_not_general_names(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2644 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2645 x509.DistributionPoint(["notgn"], None, None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2646
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2647 def test_distribution_point_relative_name_not_name(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2648 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2649 x509.DistributionPoint(None, "notname", None, None)
2650
2651 def test_distribution_point_full_and_relative_not_none(self):
2652 with pytest.raises(ValueError):
2653 x509.DistributionPoint("data", "notname", None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2654
2655 def test_crl_issuer_not_general_names(self):
2656 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2657 x509.DistributionPoint(None, None, None, ["notgn"])
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2658
2659 def test_reason_not_reasonflags(self):
2660 with pytest.raises(TypeError):
2661 x509.DistributionPoint(
2662 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2663 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2664 frozenset(["notreasonflags"]),
2665 None
2666 )
2667
2668 def test_reason_not_frozenset(self):
2669 with pytest.raises(TypeError):
2670 x509.DistributionPoint(
2671 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2672 None,
2673 [x509.ReasonFlags.ca_compromise],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2674 None
2675 )
2676
2677 def test_disallowed_reasons(self):
2678 with pytest.raises(ValueError):
2679 x509.DistributionPoint(
2680 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2681 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2682 frozenset([x509.ReasonFlags.unspecified]),
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2683 None
2684 )
2685
2686 with pytest.raises(ValueError):
2687 x509.DistributionPoint(
2688 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2689 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2690 frozenset([x509.ReasonFlags.remove_from_crl]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2691 None
2692 )
2693
2694 def test_reason_only(self):
2695 with pytest.raises(ValueError):
2696 x509.DistributionPoint(
2697 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2698 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2699 frozenset([x509.ReasonFlags.aa_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2700 None
2701 )
2702
2703 def test_eq(self):
2704 dp = x509.DistributionPoint(
2705 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2706 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2707 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2708 [
2709 x509.DirectoryName(
2710 x509.Name([
2711 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2712 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2713 )
2714 ])
2715 )
2716 ],
2717 )
2718 dp2 = x509.DistributionPoint(
2719 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2720 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2721 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2722 [
2723 x509.DirectoryName(
2724 x509.Name([
2725 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2726 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2727 )
2728 ])
2729 )
2730 ],
2731 )
2732 assert dp == dp2
2733
2734 def test_ne(self):
2735 dp = x509.DistributionPoint(
2736 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2737 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2738 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2739 [
2740 x509.DirectoryName(
2741 x509.Name([
2742 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2743 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2744 )
2745 ])
2746 )
2747 ],
2748 )
2749 dp2 = x509.DistributionPoint(
2750 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2751 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2752 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2753 None
2754 )
2755 assert dp != dp2
2756 assert dp != object()
2757
2758 def test_repr(self):
2759 dp = x509.DistributionPoint(
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2760 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2761 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2762 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN")
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2763 ]),
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2764 frozenset([x509.ReasonFlags.ca_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2765 [
2766 x509.DirectoryName(
2767 x509.Name([
2768 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2769 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2770 )
2771 ])
2772 )
2773 ],
2774 )
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2775 if six.PY3:
2776 assert repr(dp) == (
2777 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2778 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]2779 ">, value='myCN')>])>, reasons=frozenset({<ReasonFlags.ca_comp"
2780 "romise: 'cACompromise'>}), crl_issuer=[<DirectoryName(value=<"
2781 "Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name="
2782 "commonName)>, value='Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2783 )
2784 else:
2785 assert repr(dp) == (
2786 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2787 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2788 ">, value=u'myCN')>])>, reasons=frozenset([<ReasonFlags.ca_com"
2789 "promise: 'cACompromise'>]), crl_issuer=[<DirectoryName(value="
2790 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
2791 "=commonName)>, value=u'Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2792 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2793
2794
2795class TestCRLDistributionPoints(object):
2796 def test_invalid_distribution_points(self):
2797 with pytest.raises(TypeError):
2798 x509.CRLDistributionPoints(["notadistributionpoint"])
2799
2800 def test_iter_len(self):
2801 cdp = x509.CRLDistributionPoints([
2802 x509.DistributionPoint(
2803 [x509.UniformResourceIdentifier(u"http://domain")],
2804 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2805 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2806 None
2807 ),
2808 x509.DistributionPoint(
2809 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2810 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2811 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2812 x509.ReasonFlags.key_compromise,
2813 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2814 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2815 None
2816 ),
2817 ])
2818 assert len(cdp) == 2
2819 assert list(cdp) == [
2820 x509.DistributionPoint(
2821 [x509.UniformResourceIdentifier(u"http://domain")],
2822 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2823 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2824 None
2825 ),
2826 x509.DistributionPoint(
2827 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2828 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2829 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2830 x509.ReasonFlags.key_compromise,
2831 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2832 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2833 None
2834 ),
2835 ]
2836
2837 def test_repr(self):
2838 cdp = x509.CRLDistributionPoints([
2839 x509.DistributionPoint(
2840 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2841 None,
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2842 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2843 None
2844 ),
2845 ])
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2846 if six.PY3:
2847 assert repr(cdp) == (
2848 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2849 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2850 "ne, reasons=frozenset({<ReasonFlags.key_compromise: 'keyComp"
2851 "romise'>}), crl_issuer=None)>])>"
2852 )
2853 else:
2854 assert repr(cdp) == (
2855 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2856 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2857 "ne, reasons=frozenset([<ReasonFlags.key_compromise: 'keyComp"
2858 "romise'>]), crl_issuer=None)>])>"
2859 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2860
2861 def test_eq(self):
2862 cdp = x509.CRLDistributionPoints([
2863 x509.DistributionPoint(
2864 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2865 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2866 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2867 x509.ReasonFlags.key_compromise,
2868 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2869 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2870 [x509.UniformResourceIdentifier(u"uri://thing")],
2871 ),
2872 ])
2873 cdp2 = x509.CRLDistributionPoints([
2874 x509.DistributionPoint(
2875 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2876 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2877 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2878 x509.ReasonFlags.key_compromise,
2879 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2880 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2881 [x509.UniformResourceIdentifier(u"uri://thing")],
2882 ),
2883 ])
2884 assert cdp == cdp2
2885
2886 def test_ne(self):
2887 cdp = x509.CRLDistributionPoints([
2888 x509.DistributionPoint(
2889 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2890 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2891 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2892 x509.ReasonFlags.key_compromise,
2893 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2894 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2895 [x509.UniformResourceIdentifier(u"uri://thing")],
2896 ),
2897 ])
2898 cdp2 = x509.CRLDistributionPoints([
2899 x509.DistributionPoint(
2900 [x509.UniformResourceIdentifier(u"ftp://domain2")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2901 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2902 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2903 x509.ReasonFlags.key_compromise,
2904 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2905 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2906 [x509.UniformResourceIdentifier(u"uri://thing")],
2907 ),
2908 ])
2909 cdp3 = x509.CRLDistributionPoints([
2910 x509.DistributionPoint(
2911 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2912 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2913 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2914 [x509.UniformResourceIdentifier(u"uri://thing")],
2915 ),
2916 ])
2917 cdp4 = x509.CRLDistributionPoints([
2918 x509.DistributionPoint(
2919 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2920 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2921 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2922 x509.ReasonFlags.key_compromise,
2923 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2924 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2925 [x509.UniformResourceIdentifier(u"uri://thing2")],
2926 ),
2927 ])
2928 assert cdp != cdp2
2929 assert cdp != cdp3
2930 assert cdp != cdp4
2931 assert cdp != object()
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2932
2933
2934@pytest.mark.requires_backend_interface(interface=RSABackend)
2935@pytest.mark.requires_backend_interface(interface=X509Backend)
2936class TestCRLDistributionPointsExtension(object):
2937 def test_fullname_and_crl_issuer(self, backend):
2938 cert = _load_cert(
2939 os.path.join(
2940 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest28EE.crt"
2941 ),
2942 x509.load_der_x509_certificate,
2943 backend
2944 )
2945
2946 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2947 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2948 ).value
2949
2950 assert cdps == x509.CRLDistributionPoints([
2951 x509.DistributionPoint(
2952 full_name=[x509.DirectoryName(
2953 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2954 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2955 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2956 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2957 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2958 ),
2959 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2960 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2961 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2962 ),
2963 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2964 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2965 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2966 ),
2967 ])
2968 )],
2969 relative_name=None,
2970 reasons=None,
2971 crl_issuer=[x509.DirectoryName(
2972 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2973 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2974 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2975 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2976 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2977 ),
2978 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2979 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2980 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2981 ),
2982 ])
2983 )],
2984 )
2985 ])
2986
2987 def test_relativename_and_crl_issuer(self, backend):
2988 cert = _load_cert(
2989 os.path.join(
2990 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest29EE.crt"
2991 ),
2992 x509.load_der_x509_certificate,
2993 backend
2994 )
2995
2996 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2997 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2998 ).value
2999
3000 assert cdps == x509.CRLDistributionPoints([
3001 x509.DistributionPoint(
3002 full_name=None,
3003 relative_name=x509.Name([
3004 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3005 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3006 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3007 ),
3008 ]),
3009 reasons=None,
3010 crl_issuer=[x509.DirectoryName(
3011 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3012 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3013 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3014 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3015 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3016 ),
3017 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3018 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3019 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3020 ),
3021 ])
3022 )],
3023 )
3024 ])
3025
3026 def test_fullname_crl_issuer_reasons(self, backend):
3027 cert = _load_cert(
3028 os.path.join(
3029 "x509", "custom", "cdp_fullname_reasons_crl_issuer.pem"
3030 ),
3031 x509.load_pem_x509_certificate,
3032 backend
3033 )
3034
3035 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3036 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3037 ).value
3038
3039 assert cdps == x509.CRLDistributionPoints([
3040 x509.DistributionPoint(
3041 full_name=[x509.UniformResourceIdentifier(
3042 u"http://myhost.com/myca.crl"
3043 )],
3044 relative_name=None,
3045 reasons=frozenset([
3046 x509.ReasonFlags.key_compromise,
3047 x509.ReasonFlags.ca_compromise
3048 ]),
3049 crl_issuer=[x509.DirectoryName(
3050 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3051 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3052 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3053 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3054 ),
3055 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3056 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3057 ),
3058 ])
3059 )],
3060 )
3061 ])
3062
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3063 def test_all_reasons(self, backend):
3064 cert = _load_cert(
3065 os.path.join(
3066 "x509", "custom", "cdp_all_reasons.pem"
3067 ),
3068 x509.load_pem_x509_certificate,
3069 backend
3070 )
3071
3072 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3073 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3074 ).value
3075
3076 assert cdps == x509.CRLDistributionPoints([
3077 x509.DistributionPoint(
3078 full_name=[x509.UniformResourceIdentifier(
3079 u"http://domain.com/some.crl"
3080 )],
3081 relative_name=None,
3082 reasons=frozenset([
3083 x509.ReasonFlags.key_compromise,
3084 x509.ReasonFlags.ca_compromise,
3085 x509.ReasonFlags.affiliation_changed,
3086 x509.ReasonFlags.superseded,
3087 x509.ReasonFlags.privilege_withdrawn,
3088 x509.ReasonFlags.cessation_of_operation,
3089 x509.ReasonFlags.aa_compromise,
3090 x509.ReasonFlags.certificate_hold,
3091 ]),
3092 crl_issuer=None
3093 )
3094 ])
3095
3096 def test_single_reason(self, backend):
3097 cert = _load_cert(
3098 os.path.join(
3099 "x509", "custom", "cdp_reason_aa_compromise.pem"
3100 ),
3101 x509.load_pem_x509_certificate,
3102 backend
3103 )
3104
3105 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3106 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3107 ).value
3108
3109 assert cdps == x509.CRLDistributionPoints([
3110 x509.DistributionPoint(
3111 full_name=[x509.UniformResourceIdentifier(
3112 u"http://domain.com/some.crl"
3113 )],
3114 relative_name=None,
3115 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
3116 crl_issuer=None
3117 )
3118 ])
3119
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3120 def test_crl_issuer_only(self, backend):
3121 cert = _load_cert(
3122 os.path.join(
3123 "x509", "custom", "cdp_crl_issuer.pem"
3124 ),
3125 x509.load_pem_x509_certificate,
3126 backend
3127 )
3128
3129 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3130 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3131 ).value
3132
3133 assert cdps == x509.CRLDistributionPoints([
3134 x509.DistributionPoint(
3135 full_name=None,
3136 relative_name=None,
3137 reasons=None,
3138 crl_issuer=[x509.DirectoryName(
3139 x509.Name([
3140 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3141 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3142 ),
3143 ])
3144 )],
3145 )
3146 ])
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3147
Dominic Chen87bb9572015-10-09 00:23:07 -0400[diff] [blame]3148 def test_crl_empty_hostname(self, backend):
3149 cert = _load_cert(
3150 os.path.join(
3151 "x509", "custom", "cdp_empty_hostname.pem"
3152 ),
3153 x509.load_pem_x509_certificate,
3154 backend
3155 )
3156
3157 cdps = cert.extensions.get_extension_for_oid(
3158 ExtensionOID.CRL_DISTRIBUTION_POINTS
3159 ).value
3160
3161 assert cdps == x509.CRLDistributionPoints([
3162 x509.DistributionPoint(
3163 full_name=[x509.UniformResourceIdentifier(
3164 u"ldap:/CN=A,OU=B,dc=C,DC=D?E?F?G?H=I"
3165 )],
3166 relative_name=None,
3167 reasons=None,
3168 crl_issuer=None
3169 )
3170 ])
3171
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3172
Paul Kehrerf54a50b2015-06-17 18:31:26 -0600[diff] [blame]3173@pytest.mark.requires_backend_interface(interface=RSABackend)
3174@pytest.mark.requires_backend_interface(interface=X509Backend)
3175class TestOCSPNoCheckExtension(object):
3176 def test_nocheck(self, backend):
3177 cert = _load_cert(
3178 os.path.join(
3179 "x509", "custom", "ocsp_nocheck.pem"
3180 ),
3181 x509.load_pem_x509_certificate,
3182 backend
3183 )
3184 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3185 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf54a50b2015-06-17 18:31:26 -0600[diff] [blame]3186 )
3187 assert isinstance(ext.value, x509.OCSPNoCheck)
3188
3189
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3190class TestInhibitAnyPolicy(object):
3191 def test_not_int(self):
3192 with pytest.raises(TypeError):
3193 x509.InhibitAnyPolicy("notint")
3194
3195 def test_negative_int(self):
3196 with pytest.raises(ValueError):
3197 x509.InhibitAnyPolicy(-1)
3198
3199 def test_repr(self):
3200 iap = x509.InhibitAnyPolicy(0)
3201 assert repr(iap) == "<InhibitAnyPolicy(skip_certs=0)>"
3202
3203 def test_eq(self):
3204 iap = x509.InhibitAnyPolicy(1)
3205 iap2 = x509.InhibitAnyPolicy(1)
3206 assert iap == iap2
3207
3208 def test_ne(self):
3209 iap = x509.InhibitAnyPolicy(1)
3210 iap2 = x509.InhibitAnyPolicy(4)
3211 assert iap != iap2
3212 assert iap != object()
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]3213
3214
3215@pytest.mark.requires_backend_interface(interface=RSABackend)
3216@pytest.mark.requires_backend_interface(interface=X509Backend)
3217class TestInhibitAnyPolicyExtension(object):
3218 def test_nocheck(self, backend):
3219 cert = _load_cert(
3220 os.path.join(
3221 "x509", "custom", "inhibit_any_policy_5.pem"
3222 ),
3223 x509.load_pem_x509_certificate,
3224 backend
3225 )
3226 iap = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3227 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]3228 ).value
3229 assert iap.skip_certs == 5
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]3230
3231
3232@pytest.mark.requires_backend_interface(interface=RSABackend)
3233@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1b7500f2015-08-01 20:56:27 +0100[diff] [blame]3234class TestInvalidExtension(object):
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]3235 def test_invalid_certificate_policies_data(self, backend):
3236 cert = _load_cert(
3237 os.path.join(
3238 "x509", "custom", "cp_invalid.pem"
3239 ),
3240 x509.load_pem_x509_certificate,
3241 backend
3242 )
3243 with pytest.raises(ValueError):
3244 cert.extensions