Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / d44e413da192201a0db9506cd858a8bfe4bd8b82 / . / tests / test_x509_ext.py
blob: faf9086a1d106c15468e27c10f84e30cd95f44a0 [file] [log] [blame]
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]7import binascii
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]8import ipaddress
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]9import os
10
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]11import pytest
12
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]13import six
14
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]15from cryptography import x509
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]16from cryptography.hazmat.backends.interfaces import (
17 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
18)
19from cryptography.hazmat.primitives.asymmetric import ec
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]20from cryptography.x509.oid import ExtensionOID, NameOID
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]21
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]22from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]23from .test_x509 import _load_cert
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]24
25
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]26class TestExtension(object):
27 def test_not_an_oid(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]28 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]29 with pytest.raises(TypeError):
30 x509.Extension("notanoid", True, bc)
31
32 def test_critical_not_a_bool(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]33 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]34 with pytest.raises(TypeError):
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]35 x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, "notabool", bc)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]36
37 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]38 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]39 ext = x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, True, bc)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]40 assert repr(ext) == (
41 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConst"
42 "raints)>, critical=True, value=<BasicConstraints(ca=False, path"
43 "_length=None)>)>"
44 )
45
Paul Kehrer58e870c2015-05-17 09:15:30 -0700[diff] [blame]46 def test_eq(self):
47 ext1 = x509.Extension(
48 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
49 )
50 ext2 = x509.Extension(
51 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
52 )
53 assert ext1 == ext2
54
55 def test_ne(self):
56 ext1 = x509.Extension(
57 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
58 )
59 ext2 = x509.Extension(
60 x509.ObjectIdentifier('1.2.3.5'), False, 'value'
61 )
62 ext3 = x509.Extension(
63 x509.ObjectIdentifier('1.2.3.4'), True, 'value'
64 )
65 ext4 = x509.Extension(
66 x509.ObjectIdentifier('1.2.3.4'), False, 'value4'
67 )
68 assert ext1 != ext2
69 assert ext1 != ext3
70 assert ext1 != ext4
71 assert ext1 != object()
72
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]73
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]74class TestNoticeReference(object):
75 def test_notice_numbers_not_all_int(self):
76 with pytest.raises(TypeError):
77 x509.NoticeReference("org", [1, 2, "three"])
78
79 def test_notice_numbers_none(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]80 with pytest.raises(TypeError):
81 x509.NoticeReference("org", None)
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]82
83 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]84 nr = x509.NoticeReference(u"org", [1, 3, 4])
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]85
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]86 if six.PY3:
87 assert repr(nr) == (
88 "<NoticeReference(organization='org', notice_numbers=[1, 3, 4"
89 "])>"
90 )
91 else:
92 assert repr(nr) == (
93 "<NoticeReference(organization=u'org', notice_numbers=[1, 3, "
94 "4])>"
95 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]96
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]97 def test_eq(self):
98 nr = x509.NoticeReference("org", [1, 2])
99 nr2 = x509.NoticeReference("org", [1, 2])
100 assert nr == nr2
101
102 def test_ne(self):
103 nr = x509.NoticeReference("org", [1, 2])
104 nr2 = x509.NoticeReference("org", [1])
105 nr3 = x509.NoticeReference(None, [1, 2])
106 assert nr != nr2
107 assert nr != nr3
108 assert nr != object()
109
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]110
111class TestUserNotice(object):
112 def test_notice_reference_invalid(self):
113 with pytest.raises(TypeError):
114 x509.UserNotice("invalid", None)
115
116 def test_notice_reference_none(self):
117 un = x509.UserNotice(None, "text")
118 assert un.notice_reference is None
119 assert un.explicit_text == "text"
120
121 def test_repr(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]122 un = x509.UserNotice(x509.NoticeReference(u"org", [1]), u"text")
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]123 if six.PY3:
124 assert repr(un) == (
125 "<UserNotice(notice_reference=<NoticeReference(organization='"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]126 "org', notice_numbers=[1])>, explicit_text='text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]127 )
128 else:
129 assert repr(un) == (
130 "<UserNotice(notice_reference=<NoticeReference(organization=u"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]131 "'org', notice_numbers=[1])>, explicit_text=u'text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]132 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]133
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]134 def test_eq(self):
135 nr = x509.NoticeReference("org", [1, 2])
136 nr2 = x509.NoticeReference("org", [1, 2])
137 un = x509.UserNotice(nr, "text")
138 un2 = x509.UserNotice(nr2, "text")
139 assert un == un2
140
141 def test_ne(self):
142 nr = x509.NoticeReference("org", [1, 2])
143 nr2 = x509.NoticeReference("org", [1])
144 un = x509.UserNotice(nr, "text")
145 un2 = x509.UserNotice(nr2, "text")
146 un3 = x509.UserNotice(nr, "text3")
147 assert un != un2
148 assert un != un3
149 assert un != object()
150
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]151
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]152class TestPolicyInformation(object):
153 def test_invalid_policy_identifier(self):
154 with pytest.raises(TypeError):
155 x509.PolicyInformation("notanoid", None)
156
157 def test_none_policy_qualifiers(self):
158 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), None)
159 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
160 assert pi.policy_qualifiers is None
161
162 def test_policy_qualifiers(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]163 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]164 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
165 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
166 assert pi.policy_qualifiers == pq
167
168 def test_invalid_policy_identifiers(self):
169 with pytest.raises(TypeError):
170 x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [1, 2])
171
172 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]173 pq = [u"string", x509.UserNotice(None, u"hi")]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]174 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]175 if six.PY3:
176 assert repr(pi) == (
177 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
178 "2.3, name=Unknown OID)>, policy_qualifiers=['string', <UserNo"
Paul Kehrer9aaef9e2015-05-11 10:49:20 -0500[diff] [blame]179 "tice(notice_reference=None, explicit_text='hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]180 )
181 else:
182 assert repr(pi) == (
183 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
184 "2.3, name=Unknown OID)>, policy_qualifiers=[u'string', <UserN"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]185 "otice(notice_reference=None, explicit_text=u'hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]186 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]187
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]188 def test_eq(self):
189 pi = x509.PolicyInformation(
190 x509.ObjectIdentifier("1.2.3"),
191 [u"string", x509.UserNotice(None, u"hi")]
192 )
193 pi2 = x509.PolicyInformation(
194 x509.ObjectIdentifier("1.2.3"),
195 [u"string", x509.UserNotice(None, u"hi")]
196 )
197 assert pi == pi2
198
199 def test_ne(self):
200 pi = x509.PolicyInformation(
201 x509.ObjectIdentifier("1.2.3"), [u"string"]
202 )
203 pi2 = x509.PolicyInformation(
204 x509.ObjectIdentifier("1.2.3"), [u"string2"]
205 )
206 pi3 = x509.PolicyInformation(
207 x509.ObjectIdentifier("1.2.3.4"), [u"string"]
208 )
209 assert pi != pi2
210 assert pi != pi3
211 assert pi != object()
212
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]213
214class TestCertificatePolicies(object):
215 def test_invalid_policies(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]216 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]217 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
218 with pytest.raises(TypeError):
219 x509.CertificatePolicies([1, pi])
220
221 def test_iter_len(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]222 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]223 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
224 cp = x509.CertificatePolicies([pi])
225 assert len(cp) == 1
226 for policyinfo in cp:
227 assert policyinfo == pi
228
229 def test_repr(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]230 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]231 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
232 cp = x509.CertificatePolicies([pi])
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]233 if six.PY3:
234 assert repr(cp) == (
235 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
236 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
237 "ers=['string'])>])>"
238 )
239 else:
240 assert repr(cp) == (
241 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
242 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
243 "ers=[u'string'])>])>"
244 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]245
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]246 def test_eq(self):
247 pi = x509.PolicyInformation(
248 x509.ObjectIdentifier("1.2.3"), [u"string"]
249 )
250 cp = x509.CertificatePolicies([pi])
251 pi2 = x509.PolicyInformation(
252 x509.ObjectIdentifier("1.2.3"), [u"string"]
253 )
254 cp2 = x509.CertificatePolicies([pi2])
255 assert cp == cp2
256
257 def test_ne(self):
258 pi = x509.PolicyInformation(
259 x509.ObjectIdentifier("1.2.3"), [u"string"]
260 )
261 cp = x509.CertificatePolicies([pi])
262 pi2 = x509.PolicyInformation(
263 x509.ObjectIdentifier("1.2.3"), [u"string2"]
264 )
265 cp2 = x509.CertificatePolicies([pi2])
266 assert cp != cp2
267 assert cp != object()
268
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]269
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]270@pytest.mark.requires_backend_interface(interface=RSABackend)
271@pytest.mark.requires_backend_interface(interface=X509Backend)
272class TestCertificatePoliciesExtension(object):
273 def test_cps_uri_policy_qualifier(self, backend):
274 cert = _load_cert(
275 os.path.join("x509", "custom", "cp_cps_uri.pem"),
276 x509.load_pem_x509_certificate,
277 backend
278 )
279
280 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]281 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]282 ).value
283
284 assert cp == x509.CertificatePolicies([
285 x509.PolicyInformation(
286 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
287 [u"http://other.com/cps"]
288 )
289 ])
290
291 def test_user_notice_with_notice_reference(self, backend):
292 cert = _load_cert(
293 os.path.join(
294 "x509", "custom", "cp_user_notice_with_notice_reference.pem"
295 ),
296 x509.load_pem_x509_certificate,
297 backend
298 )
299
300 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]301 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]302 ).value
303
304 assert cp == x509.CertificatePolicies([
305 x509.PolicyInformation(
306 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
307 [
308 u"http://example.com/cps",
309 u"http://other.com/cps",
310 x509.UserNotice(
311 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
312 u"thing"
313 )
314 ]
315 )
316 ])
317
318 def test_user_notice_with_explicit_text(self, backend):
319 cert = _load_cert(
320 os.path.join(
321 "x509", "custom", "cp_user_notice_with_explicit_text.pem"
322 ),
323 x509.load_pem_x509_certificate,
324 backend
325 )
326
327 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]328 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]329 ).value
330
331 assert cp == x509.CertificatePolicies([
332 x509.PolicyInformation(
333 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
334 [x509.UserNotice(None, u"thing")]
335 )
336 ])
337
338 def test_user_notice_no_explicit_text(self, backend):
339 cert = _load_cert(
340 os.path.join(
341 "x509", "custom", "cp_user_notice_no_explicit_text.pem"
342 ),
343 x509.load_pem_x509_certificate,
344 backend
345 )
346
347 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]348 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]349 ).value
350
351 assert cp == x509.CertificatePolicies([
352 x509.PolicyInformation(
353 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
354 [
355 x509.UserNotice(
356 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
357 None
358 )
359 ]
360 )
361 ])
362
363
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]364class TestKeyUsage(object):
365 def test_key_agreement_false_encipher_decipher_true(self):
366 with pytest.raises(ValueError):
367 x509.KeyUsage(
368 digital_signature=False,
369 content_commitment=False,
370 key_encipherment=False,
371 data_encipherment=False,
372 key_agreement=False,
373 key_cert_sign=False,
374 crl_sign=False,
375 encipher_only=True,
376 decipher_only=False
377 )
378
379 with pytest.raises(ValueError):
380 x509.KeyUsage(
381 digital_signature=False,
382 content_commitment=False,
383 key_encipherment=False,
384 data_encipherment=False,
385 key_agreement=False,
386 key_cert_sign=False,
387 crl_sign=False,
388 encipher_only=True,
389 decipher_only=True
390 )
391
392 with pytest.raises(ValueError):
393 x509.KeyUsage(
394 digital_signature=False,
395 content_commitment=False,
396 key_encipherment=False,
397 data_encipherment=False,
398 key_agreement=False,
399 key_cert_sign=False,
400 crl_sign=False,
401 encipher_only=False,
402 decipher_only=True
403 )
404
405 def test_properties_key_agreement_true(self):
406 ku = x509.KeyUsage(
407 digital_signature=True,
408 content_commitment=True,
409 key_encipherment=False,
410 data_encipherment=False,
411 key_agreement=False,
412 key_cert_sign=True,
413 crl_sign=False,
414 encipher_only=False,
415 decipher_only=False
416 )
417 assert ku.digital_signature is True
418 assert ku.content_commitment is True
419 assert ku.key_encipherment is False
420 assert ku.data_encipherment is False
421 assert ku.key_agreement is False
422 assert ku.key_cert_sign is True
423 assert ku.crl_sign is False
424
425 def test_key_agreement_true_properties(self):
426 ku = x509.KeyUsage(
427 digital_signature=False,
428 content_commitment=False,
429 key_encipherment=False,
430 data_encipherment=False,
431 key_agreement=True,
432 key_cert_sign=False,
433 crl_sign=False,
434 encipher_only=False,
435 decipher_only=True
436 )
437 assert ku.key_agreement is True
438 assert ku.encipher_only is False
439 assert ku.decipher_only is True
440
441 def test_key_agreement_false_properties(self):
442 ku = x509.KeyUsage(
443 digital_signature=False,
444 content_commitment=False,
445 key_encipherment=False,
446 data_encipherment=False,
447 key_agreement=False,
448 key_cert_sign=False,
449 crl_sign=False,
450 encipher_only=False,
451 decipher_only=False
452 )
453 assert ku.key_agreement is False
454 with pytest.raises(ValueError):
455 ku.encipher_only
456
457 with pytest.raises(ValueError):
458 ku.decipher_only
459
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]460 def test_repr_key_agreement_false(self):
461 ku = x509.KeyUsage(
462 digital_signature=True,
463 content_commitment=True,
464 key_encipherment=False,
465 data_encipherment=False,
466 key_agreement=False,
467 key_cert_sign=True,
468 crl_sign=False,
469 encipher_only=False,
470 decipher_only=False
471 )
472 assert repr(ku) == (
473 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
474 "cipherment=False, data_encipherment=False, key_agreement=False, k"
Paul Kehrerb372e672015-04-15 11:05:24 -0400[diff] [blame]475 "ey_cert_sign=True, crl_sign=False, encipher_only=None, decipher_o"
476 "nly=None)>"
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]477 )
478
479 def test_repr_key_agreement_true(self):
480 ku = x509.KeyUsage(
481 digital_signature=True,
482 content_commitment=True,
483 key_encipherment=False,
484 data_encipherment=False,
485 key_agreement=True,
486 key_cert_sign=True,
487 crl_sign=False,
488 encipher_only=False,
489 decipher_only=False
490 )
491 assert repr(ku) == (
492 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
493 "cipherment=False, data_encipherment=False, key_agreement=True, k"
494 "ey_cert_sign=True, crl_sign=False, encipher_only=False, decipher_"
495 "only=False)>"
496 )
497
Paul Kehrer8565f5e2015-05-13 09:57:09 -0500[diff] [blame]498 def test_eq(self):
499 ku = x509.KeyUsage(
500 digital_signature=False,
501 content_commitment=False,
502 key_encipherment=False,
503 data_encipherment=False,
504 key_agreement=True,
505 key_cert_sign=False,
506 crl_sign=False,
507 encipher_only=False,
508 decipher_only=True
509 )
510 ku2 = x509.KeyUsage(
511 digital_signature=False,
512 content_commitment=False,
513 key_encipherment=False,
514 data_encipherment=False,
515 key_agreement=True,
516 key_cert_sign=False,
517 crl_sign=False,
518 encipher_only=False,
519 decipher_only=True
520 )
521 assert ku == ku2
522
523 def test_ne(self):
524 ku = x509.KeyUsage(
525 digital_signature=False,
526 content_commitment=False,
527 key_encipherment=False,
528 data_encipherment=False,
529 key_agreement=True,
530 key_cert_sign=False,
531 crl_sign=False,
532 encipher_only=False,
533 decipher_only=True
534 )
535 ku2 = x509.KeyUsage(
536 digital_signature=False,
537 content_commitment=False,
538 key_encipherment=False,
539 data_encipherment=False,
540 key_agreement=False,
541 key_cert_sign=False,
542 crl_sign=False,
543 encipher_only=False,
544 decipher_only=False
545 )
546 assert ku != ku2
547 assert ku != object()
548
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]549
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]550class TestSubjectKeyIdentifier(object):
551 def test_properties(self):
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]552 value = binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]553 ski = x509.SubjectKeyIdentifier(value)
554 assert ski.digest == value
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]555
556 def test_repr(self):
557 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]558 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]559 )
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]560 ext = x509.Extension(ExtensionOID.SUBJECT_KEY_IDENTIFIER, False, ski)
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]561 if six.PY3:
562 assert repr(ext) == (
563 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
564 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
565 "igest=b\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
566 "\\xf7\\xff:\\xc9\')>)>"
567 )
568 else:
569 assert repr(ext) == (
570 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
571 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
572 "igest=\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
573 "\\xf7\\xff:\\xc9\')>)>"
574 )
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]575
576 def test_eq(self):
577 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]578 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]579 )
580 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]581 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]582 )
583 assert ski == ski2
584
585 def test_ne(self):
586 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]587 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]588 )
589 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]590 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]591 )
592 assert ski != ski2
593 assert ski != object()
594
595
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]596class TestAuthorityKeyIdentifier(object):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]597 def test_authority_cert_issuer_not_generalname(self):
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]598 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]599 x509.AuthorityKeyIdentifier(b"identifier", ["notname"], 3)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]600
601 def test_authority_cert_serial_number_not_integer(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]602 dirname = x509.DirectoryName(
603 x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]604 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
605 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]606 ])
607 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]608 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]609 x509.AuthorityKeyIdentifier(b"identifier", [dirname], "notanint")
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]610
611 def test_authority_issuer_none_serial_not_none(self):
612 with pytest.raises(ValueError):
613 x509.AuthorityKeyIdentifier(b"identifier", None, 3)
614
615 def test_authority_issuer_not_none_serial_none(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]616 dirname = x509.DirectoryName(
617 x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]618 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
619 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]620 ])
621 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]622 with pytest.raises(ValueError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]623 x509.AuthorityKeyIdentifier(b"identifier", [dirname], None)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]624
625 def test_authority_cert_serial_and_issuer_none(self):
626 aki = x509.AuthorityKeyIdentifier(b"id", None, None)
627 assert aki.key_identifier == b"id"
628 assert aki.authority_cert_issuer is None
629 assert aki.authority_cert_serial_number is None
630
631 def test_repr(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]632 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]633 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]634 )
635 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]636
637 if six.PY3:
638 assert repr(aki) == (
639 "<AuthorityKeyIdentifier(key_identifier=b'digest', authority_"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]640 "cert_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid="
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]641 "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value='myC"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]642 "N')>])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]643 )
644 else:
645 assert repr(aki) == (
646 "<AuthorityKeyIdentifier(key_identifier='digest', authority_ce"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]647 "rt_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid=<Ob"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]648 "jectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'myCN')"
649 ">])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]650 )
651
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]652 def test_eq(self):
653 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]654 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]655 )
656 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
657 dirname2 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]658 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]659 )
660 aki2 = x509.AuthorityKeyIdentifier(b"digest", [dirname2], 1234)
661 assert aki == aki2
662
663 def test_ne(self):
664 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]665 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]666 )
667 dirname5 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]668 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'aCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]669 )
670 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
671 aki2 = x509.AuthorityKeyIdentifier(b"diges", [dirname], 1234)
672 aki3 = x509.AuthorityKeyIdentifier(b"digest", None, None)
673 aki4 = x509.AuthorityKeyIdentifier(b"digest", [dirname], 12345)
674 aki5 = x509.AuthorityKeyIdentifier(b"digest", [dirname5], 12345)
675 assert aki != aki2
676 assert aki != aki3
677 assert aki != aki4
678 assert aki != aki5
679 assert aki != object()
680
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]681
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]682class TestBasicConstraints(object):
683 def test_ca_not_boolean(self):
684 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]685 x509.BasicConstraints(ca="notbool", path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]686
687 def test_path_length_not_ca(self):
688 with pytest.raises(ValueError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]689 x509.BasicConstraints(ca=False, path_length=0)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]690
691 def test_path_length_not_int(self):
692 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]693 x509.BasicConstraints(ca=True, path_length=1.1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]694
695 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]696 x509.BasicConstraints(ca=True, path_length="notint")
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]697
698 def test_path_length_negative(self):
699 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]700 x509.BasicConstraints(ca=True, path_length=-1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]701
702 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]703 na = x509.BasicConstraints(ca=True, path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]704 assert repr(na) == (
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]705 "<BasicConstraints(ca=True, path_length=None)>"
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]706 )
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]707
Paul Kehrer3a69b132015-05-13 10:03:46 -0500[diff] [blame]708 def test_eq(self):
709 na = x509.BasicConstraints(ca=True, path_length=None)
710 na2 = x509.BasicConstraints(ca=True, path_length=None)
711 assert na == na2
712
713 def test_ne(self):
714 na = x509.BasicConstraints(ca=True, path_length=None)
715 na2 = x509.BasicConstraints(ca=True, path_length=1)
716 na3 = x509.BasicConstraints(ca=False, path_length=None)
717 assert na != na2
718 assert na != na3
719 assert na != object()
720
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]721
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]722class TestExtendedKeyUsage(object):
723 def test_not_all_oids(self):
724 with pytest.raises(TypeError):
725 x509.ExtendedKeyUsage(["notoid"])
726
727 def test_iter_len(self):
728 eku = x509.ExtendedKeyUsage([
729 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
730 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
731 ])
732 assert len(eku) == 2
733 assert list(eku) == [
734 x509.OID_SERVER_AUTH,
735 x509.OID_CLIENT_AUTH
736 ]
737
Paul Kehrer23d10c32015-04-02 23:12:32 -0500[diff] [blame]738 def test_repr(self):
739 eku = x509.ExtendedKeyUsage([
740 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
741 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
742 ])
743 assert repr(eku) == (
744 "<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name="
745 "serverAuth)>, <ObjectIdentifier(oid=1.3.6.1.5.5.7.3.2, name=clien"
746 "tAuth)>])>"
747 )
748
Paul Kehrerb0476172015-05-02 19:34:51 -0500[diff] [blame]749 def test_eq(self):
750 eku = x509.ExtendedKeyUsage([
751 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
752 ])
753 eku2 = x509.ExtendedKeyUsage([
754 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
755 ])
756 assert eku == eku2
757
758 def test_ne(self):
759 eku = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6")])
760 eku2 = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6.1")])
761 assert eku != eku2
762 assert eku != object()
763
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]764
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]765@pytest.mark.requires_backend_interface(interface=RSABackend)
766@pytest.mark.requires_backend_interface(interface=X509Backend)
767class TestExtensions(object):
768 def test_no_extensions(self, backend):
769 cert = _load_cert(
770 os.path.join("x509", "verisign_md2_root.pem"),
771 x509.load_pem_x509_certificate,
772 backend
773 )
774 ext = cert.extensions
775 assert len(ext) == 0
776 assert list(ext) == []
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]777 with pytest.raises(x509.ExtensionNotFound) as exc:
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]778 ext.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]779
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]780 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]781
782 def test_one_extension(self, backend):
783 cert = _load_cert(
784 os.path.join(
785 "x509", "custom", "basic_constraints_not_critical.pem"
786 ),
787 x509.load_pem_x509_certificate,
788 backend
789 )
790 extensions = cert.extensions
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]791 ext = extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]792 assert ext is not None
793 assert ext.value.ca is False
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]794
795 def test_duplicate_extension(self, backend):
796 cert = _load_cert(
797 os.path.join(
798 "x509", "custom", "two_basic_constraints.pem"
799 ),
800 x509.load_pem_x509_certificate,
801 backend
802 )
803 with pytest.raises(x509.DuplicateExtension) as exc:
804 cert.extensions
805
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]806 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]807
808 def test_unsupported_critical_extension(self, backend):
809 cert = _load_cert(
810 os.path.join(
811 "x509", "custom", "unsupported_extension_critical.pem"
812 ),
813 x509.load_pem_x509_certificate,
814 backend
815 )
816 with pytest.raises(x509.UnsupportedExtension) as exc:
817 cert.extensions
818
819 assert exc.value.oid == x509.ObjectIdentifier("1.2.3.4")
820
821 def test_unsupported_extension(self, backend):
822 # TODO: this will raise an exception when all extensions are complete
823 cert = _load_cert(
824 os.path.join(
825 "x509", "custom", "unsupported_extension.pem"
826 ),
827 x509.load_pem_x509_certificate,
828 backend
829 )
830 extensions = cert.extensions
831 assert len(extensions) == 0
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]832
833
834@pytest.mark.requires_backend_interface(interface=RSABackend)
835@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerde813ea2015-03-28 12:44:34 -0500[diff] [blame]836class TestBasicConstraintsExtension(object):
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]837 def test_ca_true_pathlen_6(self, backend):
838 cert = _load_cert(
839 os.path.join(
840 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
841 ),
842 x509.load_der_x509_certificate,
843 backend
844 )
845 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]846 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]847 )
848 assert ext is not None
849 assert ext.critical is True
850 assert ext.value.ca is True
851 assert ext.value.path_length == 6
852
853 def test_path_length_zero(self, backend):
854 cert = _load_cert(
855 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
856 x509.load_pem_x509_certificate,
857 backend
858 )
859 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]860 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]861 )
862 assert ext is not None
863 assert ext.critical is True
864 assert ext.value.ca is True
865 assert ext.value.path_length == 0
866
867 def test_ca_true_no_pathlen(self, backend):
868 cert = _load_cert(
869 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
870 x509.load_der_x509_certificate,
871 backend
872 )
873 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]874 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]875 )
876 assert ext is not None
877 assert ext.critical is True
878 assert ext.value.ca is True
879 assert ext.value.path_length is None
880
881 def test_ca_false(self, backend):
882 cert = _load_cert(
883 os.path.join("x509", "cryptography.io.pem"),
884 x509.load_pem_x509_certificate,
885 backend
886 )
887 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]888 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]889 )
890 assert ext is not None
891 assert ext.critical is True
892 assert ext.value.ca is False
893 assert ext.value.path_length is None
894
895 def test_no_basic_constraints(self, backend):
896 cert = _load_cert(
897 os.path.join(
898 "x509",
899 "PKITS_data",
900 "certs",
901 "ValidCertificatePathTest1EE.crt"
902 ),
903 x509.load_der_x509_certificate,
904 backend
905 )
906 with pytest.raises(x509.ExtensionNotFound):
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]907 cert.extensions.get_extension_for_oid(
908 ExtensionOID.BASIC_CONSTRAINTS
909 )
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]910
911 def test_basic_constraint_not_critical(self, backend):
912 cert = _load_cert(
913 os.path.join(
914 "x509", "custom", "basic_constraints_not_critical.pem"
915 ),
916 x509.load_pem_x509_certificate,
917 backend
918 )
919 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]920 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]921 )
922 assert ext is not None
923 assert ext.critical is False
924 assert ext.value.ca is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]925
926
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]927class TestSubjectKeyIdentifierExtension(object):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]928 @pytest.mark.requires_backend_interface(interface=RSABackend)
929 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]930 def test_subject_key_identifier(self, backend):
931 cert = _load_cert(
932 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
933 x509.load_der_x509_certificate,
934 backend
935 )
936 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]937 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]938 )
939 ski = ext.value
940 assert ext is not None
941 assert ext.critical is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]942 assert ski.digest == binascii.unhexlify(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]943 b"580184241bbc2b52944a3da510721451f5af3ac9"
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]944 )
945
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]946 @pytest.mark.requires_backend_interface(interface=RSABackend)
947 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]948 def test_no_subject_key_identifier(self, backend):
949 cert = _load_cert(
950 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
951 x509.load_pem_x509_certificate,
952 backend
953 )
954 with pytest.raises(x509.ExtensionNotFound):
955 cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]956 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]957 )
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]958
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]959 @pytest.mark.requires_backend_interface(interface=RSABackend)
960 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]961 def test_from_rsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]962 cert = _load_cert(
963 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
964 x509.load_der_x509_certificate,
965 backend
966 )
967 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]968 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]969 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]970 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]971 cert.public_key()
972 )
973 assert ext.value == ski
974
975 @pytest.mark.requires_backend_interface(interface=DSABackend)
976 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]977 def test_from_dsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]978 cert = _load_cert(
979 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
980 x509.load_pem_x509_certificate,
981 backend
982 )
983
984 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]985 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]986 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]987 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]988 cert.public_key()
989 )
990 assert ext.value == ski
991
992 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
993 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]994 def test_from_ec_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]995 _skip_curve_unsupported(backend, ec.SECP384R1())
996 cert = _load_cert(
997 os.path.join("x509", "ecdsa_root.pem"),
998 x509.load_pem_x509_certificate,
999 backend
1000 )
1001
1002 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]1003 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1004 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1005 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1006 cert.public_key()
1007 )
1008 assert ext.value == ski
1009
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1010
1011@pytest.mark.requires_backend_interface(interface=RSABackend)
1012@pytest.mark.requires_backend_interface(interface=X509Backend)
1013class TestKeyUsageExtension(object):
1014 def test_no_key_usage(self, backend):
1015 cert = _load_cert(
1016 os.path.join("x509", "verisign_md2_root.pem"),
1017 x509.load_pem_x509_certificate,
1018 backend
1019 )
1020 ext = cert.extensions
1021 with pytest.raises(x509.ExtensionNotFound) as exc:
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]1022 ext.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1023
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]1024 assert exc.value.oid == ExtensionOID.KEY_USAGE
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1025
1026 def test_all_purposes(self, backend):
1027 cert = _load_cert(
1028 os.path.join(
1029 "x509", "custom", "all_key_usages.pem"
1030 ),
1031 x509.load_pem_x509_certificate,
1032 backend
1033 )
1034 extensions = cert.extensions
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]1035 ext = extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1036 assert ext is not None
1037
1038 ku = ext.value
1039 assert ku.digital_signature is True
1040 assert ku.content_commitment is True
1041 assert ku.key_encipherment is True
1042 assert ku.data_encipherment is True
1043 assert ku.key_agreement is True
1044 assert ku.key_cert_sign is True
1045 assert ku.crl_sign is True
1046 assert ku.encipher_only is True
1047 assert ku.decipher_only is True
1048
1049 def test_key_cert_sign_crl_sign(self, backend):
1050 cert = _load_cert(
1051 os.path.join(
1052 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
1053 ),
1054 x509.load_der_x509_certificate,
1055 backend
1056 )
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]1057 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1058 assert ext is not None
1059 assert ext.critical is True
1060
1061 ku = ext.value
1062 assert ku.digital_signature is False
1063 assert ku.content_commitment is False
1064 assert ku.key_encipherment is False
1065 assert ku.data_encipherment is False
1066 assert ku.key_agreement is False
1067 assert ku.key_cert_sign is True
1068 assert ku.crl_sign is True
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1069
1070
1071@pytest.mark.parametrize(
1072 "name", [
1073 x509.RFC822Name,
1074 x509.DNSName,
1075 x509.UniformResourceIdentifier
1076 ]
1077)
1078class TestTextGeneralNames(object):
1079 def test_not_text(self, name):
1080 with pytest.raises(TypeError):
1081 name(b"notaunicodestring")
1082
1083 with pytest.raises(TypeError):
1084 name(1.3)
1085
1086 def test_repr(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1087 gn = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1088 assert repr(gn) == "<{0}(value=string)>".format(name.__name__)
1089
1090 def test_eq(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1091 gn = name(u"string")
1092 gn2 = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1093 assert gn == gn2
1094
1095 def test_ne(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1096 gn = name(u"string")
1097 gn2 = name(u"string2")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1098 assert gn != gn2
1099 assert gn != object()
1100
1101
1102class TestDirectoryName(object):
1103 def test_not_name(self):
1104 with pytest.raises(TypeError):
1105 x509.DirectoryName(b"notaname")
1106
1107 with pytest.raises(TypeError):
1108 x509.DirectoryName(1.3)
1109
1110 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1111 name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'value1')])
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1112 gn = x509.DirectoryName(x509.Name([name]))
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]1113 if six.PY3:
1114 assert repr(gn) == (
1115 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1116 "Identifier(oid=2.5.4.3, name=commonName)>, value='value1')>])"
1117 ">])>)>"
1118 )
1119 else:
1120 assert repr(gn) == (
1121 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1122 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'value1')>]"
1123 ")>])>)>"
1124 )
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1125
1126 def test_eq(self):
1127 name = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1128 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1129 ])
1130 name2 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1131 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1132 ])
1133 gn = x509.DirectoryName(x509.Name([name]))
1134 gn2 = x509.DirectoryName(x509.Name([name2]))
1135 assert gn == gn2
1136
1137 def test_ne(self):
1138 name = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1139 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1140 ])
1141 name2 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1142 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value2')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1143 ])
1144 gn = x509.DirectoryName(x509.Name([name]))
1145 gn2 = x509.DirectoryName(x509.Name([name2]))
1146 assert gn != gn2
1147 assert gn != object()
1148
1149
Paul Kehrer01d5d0b2015-07-12 09:41:21 -0500[diff] [blame]1150class TestRFC822Name(object):
1151 def test_invalid_email(self):
1152 with pytest.raises(ValueError):
1153 x509.RFC822Name(u"Name <email>")
1154
1155 with pytest.raises(ValueError):
1156 x509.RFC822Name(u"")
1157
1158 def test_single_label(self):
1159 gn = x509.RFC822Name(u"administrator")
1160 assert gn.value == u"administrator"
1161
1162 def test_idna(self):
1163 gn = x509.RFC822Name(u"email@em\xe5\xefl.com")
1164 assert gn.value == u"email@em\xe5\xefl.com"
1165 assert gn._encoded == b"email@xn--eml-vla4c.com"
1166
1167
Paul Kehrere28d6c42015-07-12 14:59:37 -0500[diff] [blame]1168class TestUniformResourceIdentifier(object):
1169 def test_no_parsed_hostname(self):
1170 gn = x509.UniformResourceIdentifier(u"singlelabel")
1171 assert gn.value == u"singlelabel"
1172
1173 def test_with_port(self):
1174 gn = x509.UniformResourceIdentifier(u"singlelabel:443/test")
1175 assert gn.value == u"singlelabel:443/test"
1176
1177 def test_idna_no_port(self):
1178 gn = x509.UniformResourceIdentifier(
1179 u"http://\u043f\u044b\u043a\u0430.cryptography"
1180 )
1181 assert gn.value == u"http://\u043f\u044b\u043a\u0430.cryptography"
1182 assert gn._encoded == b"http://xn--80ato2c.cryptography"
1183
1184 def test_idna_with_port(self):
1185 gn = x509.UniformResourceIdentifier(
1186 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1187 )
1188 assert gn.value == (
1189 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1190 )
1191 assert gn._encoded == b"gopher://xn--80ato2c.cryptography:70/some/path"
1192
1193 def test_query_and_fragment(self):
1194 gn = x509.UniformResourceIdentifier(
1195 u"ldap://cryptography:90/path?query=true#somedata"
1196 )
1197 assert gn.value == u"ldap://cryptography:90/path?query=true#somedata"
1198
1199
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1200class TestRegisteredID(object):
1201 def test_not_oid(self):
1202 with pytest.raises(TypeError):
1203 x509.RegisteredID(b"notanoid")
1204
1205 with pytest.raises(TypeError):
1206 x509.RegisteredID(1.3)
1207
1208 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1209 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1210 assert repr(gn) == (
1211 "<RegisteredID(value=<ObjectIdentifier(oid=2.5.4.3, name=commonNam"
1212 "e)>)>"
1213 )
1214
1215 def test_eq(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1216 gn = x509.RegisteredID(NameOID.COMMON_NAME)
1217 gn2 = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1218 assert gn == gn2
1219
1220 def test_ne(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1221 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]1222 gn2 = x509.RegisteredID(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1223 assert gn != gn2
1224 assert gn != object()
1225
1226
1227class TestIPAddress(object):
1228 def test_not_ipaddress(self):
1229 with pytest.raises(TypeError):
1230 x509.IPAddress(b"notanipaddress")
1231
1232 with pytest.raises(TypeError):
1233 x509.IPAddress(1.3)
1234
1235 def test_repr(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1236 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1237 assert repr(gn) == "<IPAddress(value=127.0.0.1)>"
1238
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1239 gn2 = x509.IPAddress(ipaddress.IPv6Address(u"ff::"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1240 assert repr(gn2) == "<IPAddress(value=ff::)>"
1241
Paul Kehrereb177932015-05-17 18:33:33 -0700[diff] [blame]1242 gn3 = x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24"))
1243 assert repr(gn3) == "<IPAddress(value=192.168.0.0/24)>"
1244
1245 gn4 = x509.IPAddress(ipaddress.IPv6Network(u"ff::/96"))
1246 assert repr(gn4) == "<IPAddress(value=ff::/96)>"
1247
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1248 def test_eq(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1249 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1250 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1251 assert gn == gn2
1252
1253 def test_ne(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1254 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1255 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.2"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1256 assert gn != gn2
1257 assert gn != object()
1258
1259
Joshua Tauberer18b6fc82015-07-05 21:44:51 +0000[diff] [blame]1260class TestOtherName(object):
1261 def test_invalid_args(self):
1262 with pytest.raises(TypeError):
1263 x509.OtherName(b"notanobjectidentifier", b"derdata")
1264
1265 with pytest.raises(TypeError):
1266 x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), u"notderdata")
1267
1268 def test_repr(self):
1269 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1270 if six.PY3:
1271 assert repr(gn) == (
1272 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1273 "name=Unknown OID)>, value=b'derdata')>"
1274 )
1275 else:
1276 assert repr(gn) == (
1277 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1278 "name=Unknown OID)>, value='derdata')>"
1279 )
1280
1281 gn = x509.OtherName(x509.ObjectIdentifier("2.5.4.65"), b"derdata")
1282 if six.PY3:
1283 assert repr(gn) == (
1284 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1285 "name=pseudonym)>, value=b'derdata')>"
1286 )
1287 else:
1288 assert repr(gn) == (
1289 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1290 "name=pseudonym)>, value='derdata')>"
1291 )
1292
1293 def test_eq(self):
1294 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1295 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1296 assert gn == gn2
1297
1298 def test_ne(self):
1299 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1300 assert gn != object()
1301
1302 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata2")
1303 assert gn != gn2
1304
1305 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.5"), b"derdata")
1306 assert gn != gn2
1307
1308
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1309class TestGeneralNames(object):
1310 def test_get_values_for_type(self):
1311 gns = x509.GeneralNames(
1312 [x509.DNSName(u"cryptography.io")]
1313 )
1314 names = gns.get_values_for_type(x509.DNSName)
1315 assert names == [u"cryptography.io"]
1316
1317 def test_iter_names(self):
1318 gns = x509.GeneralNames([
1319 x509.DNSName(u"cryptography.io"),
1320 x509.DNSName(u"crypto.local"),
1321 ])
1322 assert len(gns) == 2
1323 assert list(gns) == [
1324 x509.DNSName(u"cryptography.io"),
1325 x509.DNSName(u"crypto.local"),
1326 ]
1327
1328 def test_invalid_general_names(self):
1329 with pytest.raises(TypeError):
1330 x509.GeneralNames(
1331 [x509.DNSName(u"cryptography.io"), "invalid"]
1332 )
1333
1334 def test_repr(self):
1335 gns = x509.GeneralNames(
1336 [
1337 x509.DNSName(u"cryptography.io")
1338 ]
1339 )
1340 assert repr(gns) == (
1341 "<GeneralNames([<DNSName(value=cryptography.io)>])>"
1342 )
1343
1344 def test_eq(self):
1345 gns = x509.GeneralNames(
1346 [x509.DNSName(u"cryptography.io")]
1347 )
1348 gns2 = x509.GeneralNames(
1349 [x509.DNSName(u"cryptography.io")]
1350 )
1351 assert gns == gns2
1352
1353 def test_ne(self):
1354 gns = x509.GeneralNames(
1355 [x509.DNSName(u"cryptography.io")]
1356 )
1357 gns2 = x509.GeneralNames(
1358 [x509.RFC822Name(u"admin@cryptography.io")]
1359 )
1360 assert gns != gns2
1361 assert gns != object()
1362
1363
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1364class TestIssuerAlternativeName(object):
1365 def test_get_values_for_type(self):
1366 san = x509.IssuerAlternativeName(
1367 [x509.DNSName(u"cryptography.io")]
1368 )
1369 names = san.get_values_for_type(x509.DNSName)
1370 assert names == [u"cryptography.io"]
1371
1372 def test_iter_names(self):
1373 san = x509.IssuerAlternativeName([
1374 x509.DNSName(u"cryptography.io"),
1375 x509.DNSName(u"crypto.local"),
1376 ])
1377 assert len(san) == 2
1378 assert list(san) == [
1379 x509.DNSName(u"cryptography.io"),
1380 x509.DNSName(u"crypto.local"),
1381 ]
1382
1383 def test_invalid_general_names(self):
1384 with pytest.raises(TypeError):
1385 x509.IssuerAlternativeName(
1386 [x509.DNSName(u"cryptography.io"), "invalid"]
1387 )
1388
1389 def test_repr(self):
1390 san = x509.IssuerAlternativeName(
1391 [
1392 x509.DNSName(u"cryptography.io")
1393 ]
1394 )
1395 assert repr(san) == (
1396 "<IssuerAlternativeName("
1397 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
1398 )
1399
1400 def test_eq(self):
1401 san = x509.IssuerAlternativeName(
1402 [x509.DNSName(u"cryptography.io")]
1403 )
1404 san2 = x509.IssuerAlternativeName(
1405 [x509.DNSName(u"cryptography.io")]
1406 )
1407 assert san == san2
1408
1409 def test_ne(self):
1410 san = x509.IssuerAlternativeName(
1411 [x509.DNSName(u"cryptography.io")]
1412 )
1413 san2 = x509.IssuerAlternativeName(
1414 [x509.RFC822Name(u"admin@cryptography.io")]
1415 )
1416 assert san != san2
1417 assert san != object()
1418
1419
Alex Gaynorf1c17672015-06-20 14:20:20 -0400[diff] [blame]1420@pytest.mark.requires_backend_interface(interface=RSABackend)
1421@pytest.mark.requires_backend_interface(interface=X509Backend)
1422class TestRSAIssuerAlternativeNameExtension(object):
1423 def test_uri(self, backend):
1424 cert = _load_cert(
1425 os.path.join("x509", "custom", "ian_uri.pem"),
1426 x509.load_pem_x509_certificate,
1427 backend,
1428 )
1429 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]1430 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Alex Gaynorf1c17672015-06-20 14:20:20 -0400[diff] [blame]1431 )
1432 assert list(ext.value) == [
1433 x509.UniformResourceIdentifier(u"http://path.to.root/root.crt"),
1434 ]
1435
1436
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1437class TestSubjectAlternativeName(object):
1438 def test_get_values_for_type(self):
1439 san = x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1440 [x509.DNSName(u"cryptography.io")]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1441 )
1442 names = san.get_values_for_type(x509.DNSName)
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1443 assert names == [u"cryptography.io"]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1444
1445 def test_iter_names(self):
1446 san = x509.SubjectAlternativeName([
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1447 x509.DNSName(u"cryptography.io"),
1448 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1449 ])
1450 assert len(san) == 2
1451 assert list(san) == [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1452 x509.DNSName(u"cryptography.io"),
1453 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1454 ]
1455
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1456 def test_invalid_general_names(self):
1457 with pytest.raises(TypeError):
1458 x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1459 [x509.DNSName(u"cryptography.io"), "invalid"]
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1460 )
1461
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1462 def test_repr(self):
1463 san = x509.SubjectAlternativeName(
1464 [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1465 x509.DNSName(u"cryptography.io")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1466 ]
1467 )
1468 assert repr(san) == (
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1469 "<SubjectAlternativeName("
1470 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1471 )
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1472
Paul Kehrer58cc3972015-05-13 10:00:41 -0500[diff] [blame]1473 def test_eq(self):
1474 san = x509.SubjectAlternativeName(
1475 [x509.DNSName(u"cryptography.io")]
1476 )
1477 san2 = x509.SubjectAlternativeName(
1478 [x509.DNSName(u"cryptography.io")]
1479 )
1480 assert san == san2
1481
1482 def test_ne(self):
1483 san = x509.SubjectAlternativeName(
1484 [x509.DNSName(u"cryptography.io")]
1485 )
1486 san2 = x509.SubjectAlternativeName(
1487 [x509.RFC822Name(u"admin@cryptography.io")]
1488 )
1489 assert san != san2
1490 assert san != object()
1491
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1492
1493@pytest.mark.requires_backend_interface(interface=RSABackend)
1494@pytest.mark.requires_backend_interface(interface=X509Backend)
1495class TestRSASubjectAlternativeNameExtension(object):
1496 def test_dns_name(self, backend):
1497 cert = _load_cert(
1498 os.path.join("x509", "cryptography.io.pem"),
1499 x509.load_pem_x509_certificate,
1500 backend
1501 )
1502 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]1503 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1504 )
1505 assert ext is not None
1506 assert ext.critical is False
1507
1508 san = ext.value
1509
1510 dns = san.get_values_for_type(x509.DNSName)
1511 assert dns == [u"www.cryptography.io", u"cryptography.io"]
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1512
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1513 def test_wildcard_dns_name(self, backend):
1514 cert = _load_cert(
1515 os.path.join("x509", "wildcard_san.pem"),
1516 x509.load_pem_x509_certificate,
1517 backend
1518 )
1519 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]1520 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1521 )
1522
1523 dns = ext.value.get_values_for_type(x509.DNSName)
1524 assert dns == [
1525 u'*.langui.sh',
1526 u'langui.sh',
1527 u'*.saseliminator.com',
1528 u'saseliminator.com'
1529 ]
1530
1531 def test_san_wildcard_idna_dns_name(self, backend):
1532 cert = _load_cert(
1533 os.path.join("x509", "custom", "san_wildcard_idna.pem"),
1534 x509.load_pem_x509_certificate,
1535 backend
1536 )
1537 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]1538 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1539 )
1540
1541 dns = ext.value.get_values_for_type(x509.DNSName)
1542 assert dns == [u'*.\u043f\u044b\u043a\u0430.cryptography']
1543
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1544 def test_unsupported_gn(self, backend):
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1545 cert = _load_cert(
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1546 os.path.join("x509", "san_x400address.der"),
1547 x509.load_der_x509_certificate,
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1548 backend
1549 )
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1550 with pytest.raises(x509.UnsupportedGeneralNameType) as exc:
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1551 cert.extensions
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1552
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1553 assert exc.value.type == 3
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1554
1555 def test_registered_id(self, backend):
1556 cert = _load_cert(
1557 os.path.join(
1558 "x509", "custom", "san_registered_id.pem"
1559 ),
1560 x509.load_pem_x509_certificate,
1561 backend
1562 )
1563 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]1564 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1565 )
1566 assert ext is not None
1567 assert ext.critical is False
1568
1569 san = ext.value
1570 rid = san.get_values_for_type(x509.RegisteredID)
1571 assert rid == [x509.ObjectIdentifier("1.2.3.4")]
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1572
1573 def test_uri(self, backend):
1574 cert = _load_cert(
1575 os.path.join(
1576 "x509", "custom", "san_uri_with_port.pem"
1577 ),
1578 x509.load_pem_x509_certificate,
1579 backend
1580 )
1581 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]1582 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1583 )
1584 assert ext is not None
1585 uri = ext.value.get_values_for_type(
1586 x509.UniformResourceIdentifier
1587 )
1588 assert uri == [
1589 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/path?q=s#hel"
1590 u"lo",
1591 u"http://someregulardomain.com",
1592 ]
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1593
1594 def test_ipaddress(self, backend):
1595 cert = _load_cert(
1596 os.path.join(
1597 "x509", "custom", "san_ipaddr.pem"
1598 ),
1599 x509.load_pem_x509_certificate,
1600 backend
1601 )
1602 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]1603 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1604 )
1605 assert ext is not None
1606 assert ext.critical is False
1607
1608 san = ext.value
1609
1610 ip = san.get_values_for_type(x509.IPAddress)
1611 assert [
1612 ipaddress.ip_address(u"127.0.0.1"),
1613 ipaddress.ip_address(u"ff::")
1614 ] == ip
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1615
1616 def test_dirname(self, backend):
1617 cert = _load_cert(
1618 os.path.join(
1619 "x509", "custom", "san_dirname.pem"
1620 ),
1621 x509.load_pem_x509_certificate,
1622 backend
1623 )
1624 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]1625 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1626 )
1627 assert ext is not None
1628 assert ext.critical is False
1629
1630 san = ext.value
1631
1632 dirname = san.get_values_for_type(x509.DirectoryName)
1633 assert [
1634 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1635 x509.NameAttribute(NameOID.COMMON_NAME, u'test'),
1636 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org'),
1637 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1638 ])
1639 ] == dirname
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1640
1641 def test_rfc822name(self, backend):
1642 cert = _load_cert(
1643 os.path.join(
1644 "x509", "custom", "san_rfc822_idna.pem"
1645 ),
1646 x509.load_pem_x509_certificate,
1647 backend
1648 )
1649 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]1650 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1651 )
1652 assert ext is not None
1653 assert ext.critical is False
1654
1655 san = ext.value
1656
1657 rfc822name = san.get_values_for_type(x509.RFC822Name)
1658 assert [u"email@em\xe5\xefl.com"] == rfc822name
1659
Paul Kehrerb8968812015-05-15 09:01:34 -0700[diff] [blame]1660 def test_idna2003_invalid(self, backend):
1661 cert = _load_cert(
1662 os.path.join(
1663 "x509", "custom", "san_idna2003_dnsname.pem"
1664 ),
1665 x509.load_pem_x509_certificate,
1666 backend
1667 )
1668 with pytest.raises(UnicodeError):
1669 cert.extensions
1670
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1671 def test_unicode_rfc822_name_dns_name_uri(self, backend):
1672 cert = _load_cert(
1673 os.path.join(
1674 "x509", "custom", "san_idna_names.pem"
1675 ),
1676 x509.load_pem_x509_certificate,
1677 backend
1678 )
1679 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]1680 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1681 )
1682 assert ext is not None
1683 rfc822_name = ext.value.get_values_for_type(x509.RFC822Name)
1684 dns_name = ext.value.get_values_for_type(x509.DNSName)
1685 uri = ext.value.get_values_for_type(x509.UniformResourceIdentifier)
1686 assert rfc822_name == [u"email@\u043f\u044b\u043a\u0430.cryptography"]
1687 assert dns_name == [u"\u043f\u044b\u043a\u0430.cryptography"]
1688 assert uri == [u"https://www.\u043f\u044b\u043a\u0430.cryptography"]
1689
1690 def test_rfc822name_dnsname_ipaddress_directoryname_uri(self, backend):
1691 cert = _load_cert(
1692 os.path.join(
1693 "x509", "custom", "san_email_dns_ip_dirname_uri.pem"
1694 ),
1695 x509.load_pem_x509_certificate,
1696 backend
1697 )
1698 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]1699 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1700 )
1701 assert ext is not None
1702 assert ext.critical is False
1703
1704 san = ext.value
1705
1706 rfc822_name = san.get_values_for_type(x509.RFC822Name)
1707 uri = san.get_values_for_type(x509.UniformResourceIdentifier)
1708 dns = san.get_values_for_type(x509.DNSName)
1709 ip = san.get_values_for_type(x509.IPAddress)
1710 dirname = san.get_values_for_type(x509.DirectoryName)
1711 assert [u"user@cryptography.io"] == rfc822_name
Paul Kehrere3a330c2015-05-02 16:42:52 -0500[diff] [blame]1712 assert [u"https://cryptography.io"] == uri
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1713 assert [u"cryptography.io"] == dns
1714 assert [
1715 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1716 x509.NameAttribute(NameOID.COMMON_NAME, u'dirCN'),
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1717 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1718 NameOID.ORGANIZATION_NAME, u'Cryptographic Authority'
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1719 ),
1720 ])
1721 ] == dirname
1722 assert [
1723 ipaddress.ip_address(u"127.0.0.1"),
1724 ipaddress.ip_address(u"ff::")
1725 ] == ip
1726
1727 def test_invalid_rfc822name(self, backend):
1728 cert = _load_cert(
1729 os.path.join(
1730 "x509", "custom", "san_rfc822_names.pem"
1731 ),
1732 x509.load_pem_x509_certificate,
1733 backend
1734 )
1735 with pytest.raises(ValueError) as exc:
1736 cert.extensions
1737
1738 assert 'Invalid rfc822name value' in str(exc.value)
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]1739
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1740 def test_other_name(self, backend):
1741 cert = _load_cert(
1742 os.path.join(
1743 "x509", "custom", "san_other_name.pem"
1744 ),
1745 x509.load_pem_x509_certificate,
1746 backend
1747 )
1748
1749 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]1750 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1751 )
1752 assert ext is not None
1753 assert ext.critical is False
1754
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]1755 expected = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"),
1756 b'\x16\x0bHello World')
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1757 assert len(ext.value) == 1
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]1758 assert list(ext.value)[0] == expected
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1759
1760 othernames = ext.value.get_values_for_type(x509.OtherName)
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]1761 assert othernames == [expected]
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1762
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]1763
1764@pytest.mark.requires_backend_interface(interface=RSABackend)
1765@pytest.mark.requires_backend_interface(interface=X509Backend)
1766class TestExtendedKeyUsageExtension(object):
1767 def test_eku(self, backend):
1768 cert = _load_cert(
1769 os.path.join(
1770 "x509", "custom", "extended_key_usage.pem"
1771 ),
1772 x509.load_pem_x509_certificate,
1773 backend
1774 )
1775 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]1776 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]1777 )
1778 assert ext is not None
1779 assert ext.critical is False
1780
1781 assert [
1782 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
1783 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
1784 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.3"),
1785 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.4"),
1786 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.9"),
1787 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.8"),
1788 x509.ObjectIdentifier("2.5.29.37.0"),
1789 x509.ObjectIdentifier("2.16.840.1.113730.4.1"),
1790 ] == list(ext.value)
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1791
1792
1793class TestAccessDescription(object):
1794 def test_invalid_access_method(self):
Paul Kehrerf506bca2015-05-02 22:31:47 -0500[diff] [blame]1795 with pytest.raises(ValueError):
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1796 x509.AccessDescription("notanoid", x509.DNSName(u"test"))
1797
1798 def test_invalid_access_location(self):
1799 with pytest.raises(TypeError):
1800 x509.AccessDescription(x509.OID_CA_ISSUERS, "invalid")
1801
1802 def test_repr(self):
1803 ad = x509.AccessDescription(
1804 x509.OID_OCSP,
1805 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1806 )
1807 assert repr(ad) == (
1808 "<AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5."
1809 "5.7.48.1, name=OCSP)>, access_location=<UniformResourceIdentifier"
1810 "(value=http://ocsp.domain.com)>)>"
1811 )
1812
1813 def test_eq(self):
1814 ad = x509.AccessDescription(
1815 x509.OID_OCSP,
1816 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1817 )
1818 ad2 = x509.AccessDescription(
1819 x509.OID_OCSP,
1820 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1821 )
1822 assert ad == ad2
1823
1824 def test_ne(self):
1825 ad = x509.AccessDescription(
1826 x509.OID_OCSP,
1827 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1828 )
1829 ad2 = x509.AccessDescription(
1830 x509.OID_CA_ISSUERS,
1831 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1832 )
1833 ad3 = x509.AccessDescription(
1834 x509.OID_OCSP,
1835 x509.UniformResourceIdentifier(u"http://notthesame")
1836 )
1837 assert ad != ad2
1838 assert ad != ad3
1839 assert ad != object()
1840
1841
1842class TestAuthorityInformationAccess(object):
1843 def test_invalid_descriptions(self):
1844 with pytest.raises(TypeError):
1845 x509.AuthorityInformationAccess(["notanAccessDescription"])
1846
1847 def test_iter_len(self):
1848 aia = x509.AuthorityInformationAccess([
1849 x509.AccessDescription(
1850 x509.OID_OCSP,
1851 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1852 ),
1853 x509.AccessDescription(
1854 x509.OID_CA_ISSUERS,
1855 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1856 )
1857 ])
1858 assert len(aia) == 2
1859 assert list(aia) == [
1860 x509.AccessDescription(
1861 x509.OID_OCSP,
1862 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1863 ),
1864 x509.AccessDescription(
1865 x509.OID_CA_ISSUERS,
1866 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1867 )
1868 ]
1869
1870 def test_repr(self):
1871 aia = x509.AuthorityInformationAccess([
1872 x509.AccessDescription(
1873 x509.OID_OCSP,
1874 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1875 ),
1876 x509.AccessDescription(
1877 x509.OID_CA_ISSUERS,
1878 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1879 )
1880 ])
1881 assert repr(aia) == (
1882 "<AuthorityInformationAccess([<AccessDescription(access_method=<Ob"
1883 "jectIdentifier(oid=1.3.6.1.5.5.7.48.1, name=OCSP)>, access_locati"
1884 "on=<UniformResourceIdentifier(value=http://ocsp.domain.com)>)>, <"
1885 "AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5.5"
1886 ".7.48.2, name=caIssuers)>, access_location=<UniformResourceIdenti"
1887 "fier(value=http://domain.com/ca.crt)>)>])>"
1888 )
1889
1890 def test_eq(self):
1891 aia = x509.AuthorityInformationAccess([
1892 x509.AccessDescription(
1893 x509.OID_OCSP,
1894 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1895 ),
1896 x509.AccessDescription(
1897 x509.OID_CA_ISSUERS,
1898 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1899 )
1900 ])
1901 aia2 = x509.AuthorityInformationAccess([
1902 x509.AccessDescription(
1903 x509.OID_OCSP,
1904 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1905 ),
1906 x509.AccessDescription(
1907 x509.OID_CA_ISSUERS,
1908 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1909 )
1910 ])
1911 assert aia == aia2
1912
1913 def test_ne(self):
1914 aia = x509.AuthorityInformationAccess([
1915 x509.AccessDescription(
1916 x509.OID_OCSP,
1917 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1918 ),
1919 x509.AccessDescription(
1920 x509.OID_CA_ISSUERS,
1921 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1922 )
1923 ])
1924 aia2 = x509.AuthorityInformationAccess([
1925 x509.AccessDescription(
1926 x509.OID_OCSP,
1927 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1928 ),
1929 ])
1930
1931 assert aia != aia2
1932 assert aia != object()
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]1933
1934
1935@pytest.mark.requires_backend_interface(interface=RSABackend)
1936@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]1937class TestAuthorityInformationAccessExtension(object):
1938 def test_aia_ocsp_ca_issuers(self, backend):
1939 cert = _load_cert(
1940 os.path.join("x509", "cryptography.io.pem"),
1941 x509.load_pem_x509_certificate,
1942 backend
1943 )
1944 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]1945 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]1946 )
1947 assert ext is not None
1948 assert ext.critical is False
1949
1950 assert ext.value == x509.AuthorityInformationAccess([
1951 x509.AccessDescription(
1952 x509.OID_OCSP,
1953 x509.UniformResourceIdentifier(u"http://gv.symcd.com")
1954 ),
1955 x509.AccessDescription(
1956 x509.OID_CA_ISSUERS,
1957 x509.UniformResourceIdentifier(u"http://gv.symcb.com/gv.crt")
1958 ),
1959 ])
1960
1961 def test_aia_multiple_ocsp_ca_issuers(self, backend):
1962 cert = _load_cert(
1963 os.path.join("x509", "custom", "aia_ocsp_ca_issuers.pem"),
1964 x509.load_pem_x509_certificate,
1965 backend
1966 )
1967 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]1968 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]1969 )
1970 assert ext is not None
1971 assert ext.critical is False
1972
1973 assert ext.value == x509.AuthorityInformationAccess([
1974 x509.AccessDescription(
1975 x509.OID_OCSP,
1976 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1977 ),
1978 x509.AccessDescription(
1979 x509.OID_OCSP,
1980 x509.UniformResourceIdentifier(u"http://ocsp2.domain.com")
1981 ),
1982 x509.AccessDescription(
1983 x509.OID_CA_ISSUERS,
1984 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1985 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
1986 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1987 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]1988 ]))
1989 ),
1990 ])
1991
1992 def test_aia_ocsp_only(self, backend):
1993 cert = _load_cert(
1994 os.path.join("x509", "custom", "aia_ocsp.pem"),
1995 x509.load_pem_x509_certificate,
1996 backend
1997 )
1998 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]1999 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2000 )
2001 assert ext is not None
2002 assert ext.critical is False
2003
2004 assert ext.value == x509.AuthorityInformationAccess([
2005 x509.AccessDescription(
2006 x509.OID_OCSP,
2007 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2008 ),
2009 ])
2010
2011 def test_aia_ca_issuers_only(self, backend):
2012 cert = _load_cert(
2013 os.path.join("x509", "custom", "aia_ca_issuers.pem"),
2014 x509.load_pem_x509_certificate,
2015 backend
2016 )
2017 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]2018 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2019 )
2020 assert ext is not None
2021 assert ext.critical is False
2022
2023 assert ext.value == x509.AuthorityInformationAccess([
2024 x509.AccessDescription(
2025 x509.OID_CA_ISSUERS,
2026 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2027 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
2028 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2029 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2030 ]))
2031 ),
2032 ])
2033
2034
2035@pytest.mark.requires_backend_interface(interface=RSABackend)
2036@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2037class TestAuthorityKeyIdentifierExtension(object):
2038 def test_aki_keyid(self, backend):
2039 cert = _load_cert(
2040 os.path.join(
2041 "x509", "cryptography.io.pem"
2042 ),
2043 x509.load_pem_x509_certificate,
2044 backend
2045 )
2046 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]2047 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2048 )
2049 assert ext is not None
2050 assert ext.critical is False
2051
2052 assert ext.value.key_identifier == (
2053 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08\xcbY"
2054 )
2055 assert ext.value.authority_cert_issuer is None
2056 assert ext.value.authority_cert_serial_number is None
2057
2058 def test_aki_all_fields(self, backend):
2059 cert = _load_cert(
2060 os.path.join(
2061 "x509", "custom", "authority_key_identifier.pem"
2062 ),
2063 x509.load_pem_x509_certificate,
2064 backend
2065 )
2066 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]2067 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2068 )
2069 assert ext is not None
2070 assert ext.critical is False
2071
2072 assert ext.value.key_identifier == (
2073 b"9E>\xca=b\x1d\xea\x86I\xf6Z\xab@\xb7\xa4p\x98\xf1\xec"
2074 )
2075 assert ext.value.authority_cert_issuer == [
2076 x509.DirectoryName(
2077 x509.Name([
2078 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2079 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2080 ),
2081 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2082 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2083 )
2084 ])
2085 )
2086 ]
2087 assert ext.value.authority_cert_serial_number == 3
2088
2089 def test_aki_no_keyid(self, backend):
2090 cert = _load_cert(
2091 os.path.join(
2092 "x509", "custom", "authority_key_identifier_no_keyid.pem"
2093 ),
2094 x509.load_pem_x509_certificate,
2095 backend
2096 )
2097 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]2098 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2099 )
2100 assert ext is not None
2101 assert ext.critical is False
2102
2103 assert ext.value.key_identifier is None
2104 assert ext.value.authority_cert_issuer == [
2105 x509.DirectoryName(
2106 x509.Name([
2107 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2108 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2109 ),
2110 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2111 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2112 )
2113 ])
2114 )
2115 ]
2116 assert ext.value.authority_cert_serial_number == 3
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2117
Paul Kehrer253929a2015-08-05 17:30:39 +0100[diff] [blame]2118 def test_from_certificate(self, backend):
2119 issuer_cert = _load_cert(
2120 os.path.join("x509", "rapidssl_sha256_ca_g3.pem"),
2121 x509.load_pem_x509_certificate,
2122 backend
2123 )
2124 cert = _load_cert(
2125 os.path.join("x509", "cryptography.io.pem"),
2126 x509.load_pem_x509_certificate,
2127 backend
2128 )
2129 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]2130 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrer253929a2015-08-05 17:30:39 +0100[diff] [blame]2131 )
2132 aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(
2133 issuer_cert.public_key()
2134 )
2135 assert ext.value == aki
2136
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2137
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2138class TestNameConstraints(object):
2139 def test_ipaddress_wrong_type(self):
2140 with pytest.raises(TypeError):
2141 x509.NameConstraints(
2142 permitted_subtrees=[
2143 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2144 ],
2145 excluded_subtrees=None
2146 )
2147
2148 with pytest.raises(TypeError):
2149 x509.NameConstraints(
2150 permitted_subtrees=None,
2151 excluded_subtrees=[
2152 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2153 ]
2154 )
2155
2156 def test_ipaddress_allowed_type(self):
2157 permitted = [x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29"))]
2158 excluded = [x509.IPAddress(ipaddress.IPv4Network(u"10.10.0.0/24"))]
2159 nc = x509.NameConstraints(
2160 permitted_subtrees=permitted,
2161 excluded_subtrees=excluded
2162 )
2163 assert nc.permitted_subtrees == permitted
2164 assert nc.excluded_subtrees == excluded
2165
2166 def test_invalid_permitted_subtrees(self):
2167 with pytest.raises(TypeError):
2168 x509.NameConstraints("badpermitted", None)
2169
2170 def test_invalid_excluded_subtrees(self):
2171 with pytest.raises(TypeError):
2172 x509.NameConstraints(None, "badexcluded")
2173
2174 def test_no_subtrees(self):
2175 with pytest.raises(ValueError):
2176 x509.NameConstraints(None, None)
2177
2178 def test_permitted_none(self):
2179 excluded = [x509.DNSName(u"name.local")]
2180 nc = x509.NameConstraints(
2181 permitted_subtrees=None, excluded_subtrees=excluded
2182 )
2183 assert nc.permitted_subtrees is None
2184 assert nc.excluded_subtrees is not None
2185
2186 def test_excluded_none(self):
2187 permitted = [x509.DNSName(u"name.local")]
2188 nc = x509.NameConstraints(
2189 permitted_subtrees=permitted, excluded_subtrees=None
2190 )
2191 assert nc.permitted_subtrees is not None
2192 assert nc.excluded_subtrees is None
2193
2194 def test_repr(self):
2195 permitted = [x509.DNSName(u"name.local"), x509.DNSName(u"name2.local")]
2196 nc = x509.NameConstraints(
2197 permitted_subtrees=permitted,
2198 excluded_subtrees=None
2199 )
2200 assert repr(nc) == (
2201 "<NameConstraints(permitted_subtrees=[<DNSName(value=name.local)>"
2202 ", <DNSName(value=name2.local)>], excluded_subtrees=None)>"
2203 )
2204
Paul Kehrer31894282015-06-21 21:46:41 -0500[diff] [blame]2205 def test_eq(self):
2206 nc = x509.NameConstraints(
2207 permitted_subtrees=[x509.DNSName(u"name.local")],
2208 excluded_subtrees=[x509.DNSName(u"name2.local")]
2209 )
2210 nc2 = x509.NameConstraints(
2211 permitted_subtrees=[x509.DNSName(u"name.local")],
2212 excluded_subtrees=[x509.DNSName(u"name2.local")]
2213 )
2214 assert nc == nc2
2215
2216 def test_ne(self):
2217 nc = x509.NameConstraints(
2218 permitted_subtrees=[x509.DNSName(u"name.local")],
2219 excluded_subtrees=[x509.DNSName(u"name2.local")]
2220 )
2221 nc2 = x509.NameConstraints(
2222 permitted_subtrees=[x509.DNSName(u"name.local")],
2223 excluded_subtrees=None
2224 )
2225 nc3 = x509.NameConstraints(
2226 permitted_subtrees=None,
2227 excluded_subtrees=[x509.DNSName(u"name2.local")]
2228 )
2229
2230 assert nc != nc2
2231 assert nc != nc3
2232 assert nc != object()
2233
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2234
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2235@pytest.mark.requires_backend_interface(interface=RSABackend)
2236@pytest.mark.requires_backend_interface(interface=X509Backend)
2237class TestNameConstraintsExtension(object):
2238 def test_permitted_excluded(self, backend):
2239 cert = _load_cert(
2240 os.path.join(
2241 "x509", "custom", "nc_permitted_excluded_2.pem"
2242 ),
2243 x509.load_pem_x509_certificate,
2244 backend
2245 )
2246 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]2247 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2248 ).value
2249 assert nc == x509.NameConstraints(
2250 permitted_subtrees=[
2251 x509.DNSName(u"zombo.local"),
2252 ],
2253 excluded_subtrees=[
2254 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2255 x509.NameAttribute(NameOID.COMMON_NAME, u"zombo")
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2256 ]))
2257 ]
2258 )
2259
2260 def test_permitted(self, backend):
2261 cert = _load_cert(
2262 os.path.join(
2263 "x509", "custom", "nc_permitted_2.pem"
2264 ),
2265 x509.load_pem_x509_certificate,
2266 backend
2267 )
2268 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]2269 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2270 ).value
2271 assert nc == x509.NameConstraints(
2272 permitted_subtrees=[
2273 x509.DNSName(u"zombo.local"),
2274 ],
2275 excluded_subtrees=None
2276 )
2277
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2278 def test_permitted_with_leading_period(self, backend):
2279 cert = _load_cert(
2280 os.path.join(
2281 "x509", "custom", "nc_permitted.pem"
2282 ),
2283 x509.load_pem_x509_certificate,
2284 backend
2285 )
2286 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]2287 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2288 ).value
2289 assert nc == x509.NameConstraints(
2290 permitted_subtrees=[
2291 x509.DNSName(u".cryptography.io"),
2292 x509.UniformResourceIdentifier(u"ftp://cryptography.test")
2293 ],
2294 excluded_subtrees=None
2295 )
2296
2297 def test_excluded_with_leading_period(self, backend):
2298 cert = _load_cert(
2299 os.path.join(
2300 "x509", "custom", "nc_excluded.pem"
2301 ),
2302 x509.load_pem_x509_certificate,
2303 backend
2304 )
2305 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]2306 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2307 ).value
2308 assert nc == x509.NameConstraints(
2309 permitted_subtrees=None,
2310 excluded_subtrees=[
2311 x509.DNSName(u".cryptography.io"),
2312 x509.UniformResourceIdentifier(u"gopher://cryptography.test")
2313 ]
2314 )
2315
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2316 def test_permitted_excluded_with_ips(self, backend):
2317 cert = _load_cert(
2318 os.path.join(
2319 "x509", "custom", "nc_permitted_excluded.pem"
2320 ),
2321 x509.load_pem_x509_certificate,
2322 backend
2323 )
2324 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]2325 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2326 ).value
2327 assert nc == x509.NameConstraints(
2328 permitted_subtrees=[
2329 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")),
2330 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")),
2331 ],
2332 excluded_subtrees=[
2333 x509.DNSName(u".domain.com"),
2334 x509.UniformResourceIdentifier(u"http://test.local"),
2335 ]
2336 )
2337
Paul Kehrera72ebaf2015-07-01 21:07:37 -0500[diff] [blame]2338 def test_single_ip_netmask(self, backend):
2339 cert = _load_cert(
2340 os.path.join(
2341 "x509", "custom", "nc_single_ip_netmask.pem"
2342 ),
2343 x509.load_pem_x509_certificate,
2344 backend
2345 )
2346 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]2347 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrera72ebaf2015-07-01 21:07:37 -0500[diff] [blame]2348 ).value
2349 assert nc == x509.NameConstraints(
2350 permitted_subtrees=[
2351 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/128")),
2352 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.1/32")),
2353 ],
2354 excluded_subtrees=None
2355 )
2356
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2357 def test_invalid_netmask(self, backend):
2358 cert = _load_cert(
2359 os.path.join(
2360 "x509", "custom", "nc_invalid_ip_netmask.pem"
2361 ),
2362 x509.load_pem_x509_certificate,
2363 backend
2364 )
2365 with pytest.raises(ValueError):
2366 cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]2367 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2368 )
2369
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2370
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2371class TestDistributionPoint(object):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2372 def test_distribution_point_full_name_not_general_names(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2373 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2374 x509.DistributionPoint(["notgn"], None, None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2375
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2376 def test_distribution_point_relative_name_not_name(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2377 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2378 x509.DistributionPoint(None, "notname", None, None)
2379
2380 def test_distribution_point_full_and_relative_not_none(self):
2381 with pytest.raises(ValueError):
2382 x509.DistributionPoint("data", "notname", None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2383
2384 def test_crl_issuer_not_general_names(self):
2385 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2386 x509.DistributionPoint(None, None, None, ["notgn"])
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2387
2388 def test_reason_not_reasonflags(self):
2389 with pytest.raises(TypeError):
2390 x509.DistributionPoint(
2391 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2392 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2393 frozenset(["notreasonflags"]),
2394 None
2395 )
2396
2397 def test_reason_not_frozenset(self):
2398 with pytest.raises(TypeError):
2399 x509.DistributionPoint(
2400 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2401 None,
2402 [x509.ReasonFlags.ca_compromise],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2403 None
2404 )
2405
2406 def test_disallowed_reasons(self):
2407 with pytest.raises(ValueError):
2408 x509.DistributionPoint(
2409 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2410 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2411 frozenset([x509.ReasonFlags.unspecified]),
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2412 None
2413 )
2414
2415 with pytest.raises(ValueError):
2416 x509.DistributionPoint(
2417 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2418 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2419 frozenset([x509.ReasonFlags.remove_from_crl]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2420 None
2421 )
2422
2423 def test_reason_only(self):
2424 with pytest.raises(ValueError):
2425 x509.DistributionPoint(
2426 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2427 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2428 frozenset([x509.ReasonFlags.aa_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2429 None
2430 )
2431
2432 def test_eq(self):
2433 dp = x509.DistributionPoint(
2434 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2435 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2436 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2437 [
2438 x509.DirectoryName(
2439 x509.Name([
2440 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2441 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2442 )
2443 ])
2444 )
2445 ],
2446 )
2447 dp2 = x509.DistributionPoint(
2448 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2449 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2450 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2451 [
2452 x509.DirectoryName(
2453 x509.Name([
2454 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2455 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2456 )
2457 ])
2458 )
2459 ],
2460 )
2461 assert dp == dp2
2462
2463 def test_ne(self):
2464 dp = x509.DistributionPoint(
2465 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2466 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2467 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2468 [
2469 x509.DirectoryName(
2470 x509.Name([
2471 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2472 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2473 )
2474 ])
2475 )
2476 ],
2477 )
2478 dp2 = x509.DistributionPoint(
2479 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2480 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2481 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2482 None
2483 )
2484 assert dp != dp2
2485 assert dp != object()
2486
2487 def test_repr(self):
2488 dp = x509.DistributionPoint(
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2489 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2490 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2491 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN")
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2492 ]),
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2493 frozenset([x509.ReasonFlags.ca_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2494 [
2495 x509.DirectoryName(
2496 x509.Name([
2497 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2498 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2499 )
2500 ])
2501 )
2502 ],
2503 )
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2504 if six.PY3:
2505 assert repr(dp) == (
2506 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2507 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]2508 ">, value='myCN')>])>, reasons=frozenset({<ReasonFlags.ca_comp"
2509 "romise: 'cACompromise'>}), crl_issuer=[<DirectoryName(value=<"
2510 "Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name="
2511 "commonName)>, value='Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2512 )
2513 else:
2514 assert repr(dp) == (
2515 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2516 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2517 ">, value=u'myCN')>])>, reasons=frozenset([<ReasonFlags.ca_com"
2518 "promise: 'cACompromise'>]), crl_issuer=[<DirectoryName(value="
2519 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
2520 "=commonName)>, value=u'Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2521 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2522
2523
2524class TestCRLDistributionPoints(object):
2525 def test_invalid_distribution_points(self):
2526 with pytest.raises(TypeError):
2527 x509.CRLDistributionPoints(["notadistributionpoint"])
2528
2529 def test_iter_len(self):
2530 cdp = x509.CRLDistributionPoints([
2531 x509.DistributionPoint(
2532 [x509.UniformResourceIdentifier(u"http://domain")],
2533 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2534 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2535 None
2536 ),
2537 x509.DistributionPoint(
2538 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2539 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2540 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2541 x509.ReasonFlags.key_compromise,
2542 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2543 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2544 None
2545 ),
2546 ])
2547 assert len(cdp) == 2
2548 assert list(cdp) == [
2549 x509.DistributionPoint(
2550 [x509.UniformResourceIdentifier(u"http://domain")],
2551 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2552 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2553 None
2554 ),
2555 x509.DistributionPoint(
2556 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2557 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2558 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2559 x509.ReasonFlags.key_compromise,
2560 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2561 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2562 None
2563 ),
2564 ]
2565
2566 def test_repr(self):
2567 cdp = x509.CRLDistributionPoints([
2568 x509.DistributionPoint(
2569 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2570 None,
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2571 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2572 None
2573 ),
2574 ])
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2575 if six.PY3:
2576 assert repr(cdp) == (
2577 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2578 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2579 "ne, reasons=frozenset({<ReasonFlags.key_compromise: 'keyComp"
2580 "romise'>}), crl_issuer=None)>])>"
2581 )
2582 else:
2583 assert repr(cdp) == (
2584 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2585 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2586 "ne, reasons=frozenset([<ReasonFlags.key_compromise: 'keyComp"
2587 "romise'>]), crl_issuer=None)>])>"
2588 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2589
2590 def test_eq(self):
2591 cdp = x509.CRLDistributionPoints([
2592 x509.DistributionPoint(
2593 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2594 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2595 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2596 x509.ReasonFlags.key_compromise,
2597 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2598 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2599 [x509.UniformResourceIdentifier(u"uri://thing")],
2600 ),
2601 ])
2602 cdp2 = x509.CRLDistributionPoints([
2603 x509.DistributionPoint(
2604 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2605 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2606 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2607 x509.ReasonFlags.key_compromise,
2608 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2609 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2610 [x509.UniformResourceIdentifier(u"uri://thing")],
2611 ),
2612 ])
2613 assert cdp == cdp2
2614
2615 def test_ne(self):
2616 cdp = x509.CRLDistributionPoints([
2617 x509.DistributionPoint(
2618 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2619 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2620 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2621 x509.ReasonFlags.key_compromise,
2622 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2623 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2624 [x509.UniformResourceIdentifier(u"uri://thing")],
2625 ),
2626 ])
2627 cdp2 = x509.CRLDistributionPoints([
2628 x509.DistributionPoint(
2629 [x509.UniformResourceIdentifier(u"ftp://domain2")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2630 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2631 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2632 x509.ReasonFlags.key_compromise,
2633 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2634 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2635 [x509.UniformResourceIdentifier(u"uri://thing")],
2636 ),
2637 ])
2638 cdp3 = x509.CRLDistributionPoints([
2639 x509.DistributionPoint(
2640 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2641 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2642 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2643 [x509.UniformResourceIdentifier(u"uri://thing")],
2644 ),
2645 ])
2646 cdp4 = x509.CRLDistributionPoints([
2647 x509.DistributionPoint(
2648 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2649 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2650 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2651 x509.ReasonFlags.key_compromise,
2652 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2653 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2654 [x509.UniformResourceIdentifier(u"uri://thing2")],
2655 ),
2656 ])
2657 assert cdp != cdp2
2658 assert cdp != cdp3
2659 assert cdp != cdp4
2660 assert cdp != object()
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2661
2662
2663@pytest.mark.requires_backend_interface(interface=RSABackend)
2664@pytest.mark.requires_backend_interface(interface=X509Backend)
2665class TestCRLDistributionPointsExtension(object):
2666 def test_fullname_and_crl_issuer(self, backend):
2667 cert = _load_cert(
2668 os.path.join(
2669 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest28EE.crt"
2670 ),
2671 x509.load_der_x509_certificate,
2672 backend
2673 )
2674
2675 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]2676 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2677 ).value
2678
2679 assert cdps == x509.CRLDistributionPoints([
2680 x509.DistributionPoint(
2681 full_name=[x509.DirectoryName(
2682 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2683 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2684 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2685 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2686 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2687 ),
2688 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2689 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2690 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2691 ),
2692 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2693 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2694 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2695 ),
2696 ])
2697 )],
2698 relative_name=None,
2699 reasons=None,
2700 crl_issuer=[x509.DirectoryName(
2701 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2702 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2703 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2704 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2705 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2706 ),
2707 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2708 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2709 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2710 ),
2711 ])
2712 )],
2713 )
2714 ])
2715
2716 def test_relativename_and_crl_issuer(self, backend):
2717 cert = _load_cert(
2718 os.path.join(
2719 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest29EE.crt"
2720 ),
2721 x509.load_der_x509_certificate,
2722 backend
2723 )
2724
2725 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]2726 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2727 ).value
2728
2729 assert cdps == x509.CRLDistributionPoints([
2730 x509.DistributionPoint(
2731 full_name=None,
2732 relative_name=x509.Name([
2733 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2734 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2735 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2736 ),
2737 ]),
2738 reasons=None,
2739 crl_issuer=[x509.DirectoryName(
2740 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2741 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2742 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2743 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2744 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2745 ),
2746 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2747 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2748 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2749 ),
2750 ])
2751 )],
2752 )
2753 ])
2754
2755 def test_fullname_crl_issuer_reasons(self, backend):
2756 cert = _load_cert(
2757 os.path.join(
2758 "x509", "custom", "cdp_fullname_reasons_crl_issuer.pem"
2759 ),
2760 x509.load_pem_x509_certificate,
2761 backend
2762 )
2763
2764 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]2765 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2766 ).value
2767
2768 assert cdps == x509.CRLDistributionPoints([
2769 x509.DistributionPoint(
2770 full_name=[x509.UniformResourceIdentifier(
2771 u"http://myhost.com/myca.crl"
2772 )],
2773 relative_name=None,
2774 reasons=frozenset([
2775 x509.ReasonFlags.key_compromise,
2776 x509.ReasonFlags.ca_compromise
2777 ]),
2778 crl_issuer=[x509.DirectoryName(
2779 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2780 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2781 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2782 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2783 ),
2784 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2785 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2786 ),
2787 ])
2788 )],
2789 )
2790 ])
2791
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]2792 def test_all_reasons(self, backend):
2793 cert = _load_cert(
2794 os.path.join(
2795 "x509", "custom", "cdp_all_reasons.pem"
2796 ),
2797 x509.load_pem_x509_certificate,
2798 backend
2799 )
2800
2801 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]2802 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]2803 ).value
2804
2805 assert cdps == x509.CRLDistributionPoints([
2806 x509.DistributionPoint(
2807 full_name=[x509.UniformResourceIdentifier(
2808 u"http://domain.com/some.crl"
2809 )],
2810 relative_name=None,
2811 reasons=frozenset([
2812 x509.ReasonFlags.key_compromise,
2813 x509.ReasonFlags.ca_compromise,
2814 x509.ReasonFlags.affiliation_changed,
2815 x509.ReasonFlags.superseded,
2816 x509.ReasonFlags.privilege_withdrawn,
2817 x509.ReasonFlags.cessation_of_operation,
2818 x509.ReasonFlags.aa_compromise,
2819 x509.ReasonFlags.certificate_hold,
2820 ]),
2821 crl_issuer=None
2822 )
2823 ])
2824
2825 def test_single_reason(self, backend):
2826 cert = _load_cert(
2827 os.path.join(
2828 "x509", "custom", "cdp_reason_aa_compromise.pem"
2829 ),
2830 x509.load_pem_x509_certificate,
2831 backend
2832 )
2833
2834 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]2835 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]2836 ).value
2837
2838 assert cdps == x509.CRLDistributionPoints([
2839 x509.DistributionPoint(
2840 full_name=[x509.UniformResourceIdentifier(
2841 u"http://domain.com/some.crl"
2842 )],
2843 relative_name=None,
2844 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
2845 crl_issuer=None
2846 )
2847 ])
2848
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2849 def test_crl_issuer_only(self, backend):
2850 cert = _load_cert(
2851 os.path.join(
2852 "x509", "custom", "cdp_crl_issuer.pem"
2853 ),
2854 x509.load_pem_x509_certificate,
2855 backend
2856 )
2857
2858 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]2859 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2860 ).value
2861
2862 assert cdps == x509.CRLDistributionPoints([
2863 x509.DistributionPoint(
2864 full_name=None,
2865 relative_name=None,
2866 reasons=None,
2867 crl_issuer=[x509.DirectoryName(
2868 x509.Name([
2869 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2870 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2871 ),
2872 ])
2873 )],
2874 )
2875 ])
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]2876
2877
Paul Kehrerf54a50b2015-06-17 18:31:26 -0600[diff] [blame]2878@pytest.mark.requires_backend_interface(interface=RSABackend)
2879@pytest.mark.requires_backend_interface(interface=X509Backend)
2880class TestOCSPNoCheckExtension(object):
2881 def test_nocheck(self, backend):
2882 cert = _load_cert(
2883 os.path.join(
2884 "x509", "custom", "ocsp_nocheck.pem"
2885 ),
2886 x509.load_pem_x509_certificate,
2887 backend
2888 )
2889 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]2890 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf54a50b2015-06-17 18:31:26 -0600[diff] [blame]2891 )
2892 assert isinstance(ext.value, x509.OCSPNoCheck)
2893
2894
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]2895class TestInhibitAnyPolicy(object):
2896 def test_not_int(self):
2897 with pytest.raises(TypeError):
2898 x509.InhibitAnyPolicy("notint")
2899
2900 def test_negative_int(self):
2901 with pytest.raises(ValueError):
2902 x509.InhibitAnyPolicy(-1)
2903
2904 def test_repr(self):
2905 iap = x509.InhibitAnyPolicy(0)
2906 assert repr(iap) == "<InhibitAnyPolicy(skip_certs=0)>"
2907
2908 def test_eq(self):
2909 iap = x509.InhibitAnyPolicy(1)
2910 iap2 = x509.InhibitAnyPolicy(1)
2911 assert iap == iap2
2912
2913 def test_ne(self):
2914 iap = x509.InhibitAnyPolicy(1)
2915 iap2 = x509.InhibitAnyPolicy(4)
2916 assert iap != iap2
2917 assert iap != object()
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]2918
2919
2920@pytest.mark.requires_backend_interface(interface=RSABackend)
2921@pytest.mark.requires_backend_interface(interface=X509Backend)
2922class TestInhibitAnyPolicyExtension(object):
2923 def test_nocheck(self, backend):
2924 cert = _load_cert(
2925 os.path.join(
2926 "x509", "custom", "inhibit_any_policy_5.pem"
2927 ),
2928 x509.load_pem_x509_certificate,
2929 backend
2930 )
2931 iap = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame^]2932 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]2933 ).value
2934 assert iap.skip_certs == 5
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]2935
2936
2937@pytest.mark.requires_backend_interface(interface=RSABackend)
2938@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1b7500f2015-08-01 20:56:27 +0100[diff] [blame]2939class TestInvalidExtension(object):
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]2940 def test_invalid_certificate_policies_data(self, backend):
2941 cert = _load_cert(
2942 os.path.join(
2943 "x509", "custom", "cp_invalid.pem"
2944 ),
2945 x509.load_pem_x509_certificate,
2946 backend
2947 )
2948 with pytest.raises(ValueError):
2949 cert.extensions