Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / e8db7bd4bdc0a61214c8b6fe502d5d0ba9393749 / . / tests / test_x509_ext.py
blob: 475efbd18ef0ccb8028f106a380063d1fedf6075 [file] [log] [blame]
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]7import binascii
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]8import datetime
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]9import ipaddress
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]10import os
11
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]12import pytest
13
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]14import six
15
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]16from cryptography import x509
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]17from cryptography.hazmat.backends.interfaces import (
18 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
19)
20from cryptography.hazmat.primitives.asymmetric import ec
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]21from cryptography.x509.oid import (
Nick Bastin326fc8e2015-12-12 19:08:12 -0800[diff] [blame]22 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID,
23 NameOID, ObjectIdentifier
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]24)
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]25
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]26from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]27from .test_x509 import _load_cert
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]28
29
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]30class TestExtension(object):
31 def test_not_an_oid(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]32 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]33 with pytest.raises(TypeError):
34 x509.Extension("notanoid", True, bc)
35
36 def test_critical_not_a_bool(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]37 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]38 with pytest.raises(TypeError):
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]39 x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, "notabool", bc)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]40
41 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]42 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]43 ext = x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, True, bc)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]44 assert repr(ext) == (
45 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConst"
46 "raints)>, critical=True, value=<BasicConstraints(ca=False, path"
47 "_length=None)>)>"
48 )
49
Paul Kehrer58e870c2015-05-17 09:15:30 -0700[diff] [blame]50 def test_eq(self):
51 ext1 = x509.Extension(
52 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
53 )
54 ext2 = x509.Extension(
55 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
56 )
57 assert ext1 == ext2
58
59 def test_ne(self):
60 ext1 = x509.Extension(
61 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
62 )
63 ext2 = x509.Extension(
64 x509.ObjectIdentifier('1.2.3.5'), False, 'value'
65 )
66 ext3 = x509.Extension(
67 x509.ObjectIdentifier('1.2.3.4'), True, 'value'
68 )
69 ext4 = x509.Extension(
70 x509.ObjectIdentifier('1.2.3.4'), False, 'value4'
71 )
72 assert ext1 != ext2
73 assert ext1 != ext3
74 assert ext1 != ext4
75 assert ext1 != object()
76
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]77
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]78class TestCertificateIssuer(object):
79 def test_iter_names(self):
80 ci = x509.CertificateIssuer([
81 x509.DNSName(u"cryptography.io"),
82 x509.DNSName(u"crypto.local"),
83 ])
84 assert len(ci) == 2
85 assert list(ci) == [
86 x509.DNSName(u"cryptography.io"),
87 x509.DNSName(u"crypto.local"),
88 ]
89
Paul Kehrer5c999d32015-12-26 17:45:20 -0600[diff] [blame]90 def test_indexing(self):
91 ci = x509.CertificateIssuer([
92 x509.DNSName(u"cryptography.io"),
93 x509.DNSName(u"crypto.local"),
94 x509.DNSName(u"another.local"),
95 x509.RFC822Name(u"email@another.local"),
96 x509.UniformResourceIdentifier(u"http://another.local"),
97 ])
98 assert ci[-1] == ci[4]
99 assert ci[2:6:2] == [ci[2], ci[4]]
100
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]101 def test_eq(self):
102 ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
103 ci2 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
104 assert ci1 == ci2
105
106 def test_ne(self):
107 ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
108 ci2 = x509.CertificateIssuer([x509.DNSName(u"somethingelse.tld")])
109 assert ci1 != ci2
110 assert ci1 != object()
111
112 def test_repr(self):
113 ci = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
114 assert repr(ci) == (
115 "<CertificateIssuer(<GeneralNames([<DNSName(value=cryptography.io"
116 ")>])>)>"
117 )
118
119 def test_get_values_for_type(self):
120 ci = x509.CertificateIssuer(
121 [x509.DNSName(u"cryptography.io")]
122 )
123 names = ci.get_values_for_type(x509.DNSName)
124 assert names == [u"cryptography.io"]
125
126
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]127class TestCRLReason(object):
128 def test_invalid_reason_flags(self):
129 with pytest.raises(TypeError):
130 x509.CRLReason("notareason")
131
132 def test_eq(self):
133 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
134 reason2 = x509.CRLReason(x509.ReasonFlags.unspecified)
135 assert reason1 == reason2
136
137 def test_ne(self):
138 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
139 reason2 = x509.CRLReason(x509.ReasonFlags.ca_compromise)
140 assert reason1 != reason2
141 assert reason1 != object()
142
Alex Gaynor07d5cae2015-12-27 15:30:39 -0500[diff] [blame]143 def test_hash(self):
144 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
145 reason2 = x509.CRLReason(x509.ReasonFlags.unspecified)
146 reason3 = x509.CRLReason(x509.ReasonFlags.ca_compromise)
147
148 assert hash(reason1) == hash(reason2)
149 assert hash(reason1) != hash(reason3)
150
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]151 def test_repr(self):
152 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
153 assert repr(reason1) == (
154 "<CRLReason(reason=ReasonFlags.unspecified)>"
155 )
156
157
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]158class TestInvalidityDate(object):
159 def test_invalid_invalidity_date(self):
160 with pytest.raises(TypeError):
161 x509.InvalidityDate("notadate")
162
163 def test_eq(self):
164 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
165 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
166 assert invalid1 == invalid2
167
168 def test_ne(self):
169 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
170 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 2))
171 assert invalid1 != invalid2
172 assert invalid1 != object()
173
174 def test_repr(self):
175 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
176 assert repr(invalid1) == (
177 "<InvalidityDate(invalidity_date=2015-01-01 01:01:00)>"
178 )
179
Paul Kehrer67cde762015-12-26 11:37:14 -0600[diff] [blame]180 def test_hash(self):
181 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
182 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
183 invalid3 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 2))
184 assert hash(invalid1) == hash(invalid2)
185 assert hash(invalid1) != hash(invalid3)
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]186
Paul Kehrerc0297dd2015-12-26 11:37:57 -0600[diff] [blame]187
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]188class TestNoticeReference(object):
189 def test_notice_numbers_not_all_int(self):
190 with pytest.raises(TypeError):
191 x509.NoticeReference("org", [1, 2, "three"])
192
193 def test_notice_numbers_none(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]194 with pytest.raises(TypeError):
195 x509.NoticeReference("org", None)
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]196
197 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]198 nr = x509.NoticeReference(u"org", [1, 3, 4])
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]199
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]200 if six.PY3:
201 assert repr(nr) == (
202 "<NoticeReference(organization='org', notice_numbers=[1, 3, 4"
203 "])>"
204 )
205 else:
206 assert repr(nr) == (
207 "<NoticeReference(organization=u'org', notice_numbers=[1, 3, "
208 "4])>"
209 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]210
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]211 def test_eq(self):
212 nr = x509.NoticeReference("org", [1, 2])
213 nr2 = x509.NoticeReference("org", [1, 2])
214 assert nr == nr2
215
216 def test_ne(self):
217 nr = x509.NoticeReference("org", [1, 2])
218 nr2 = x509.NoticeReference("org", [1])
219 nr3 = x509.NoticeReference(None, [1, 2])
220 assert nr != nr2
221 assert nr != nr3
222 assert nr != object()
223
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]224
225class TestUserNotice(object):
226 def test_notice_reference_invalid(self):
227 with pytest.raises(TypeError):
228 x509.UserNotice("invalid", None)
229
230 def test_notice_reference_none(self):
231 un = x509.UserNotice(None, "text")
232 assert un.notice_reference is None
233 assert un.explicit_text == "text"
234
235 def test_repr(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]236 un = x509.UserNotice(x509.NoticeReference(u"org", [1]), u"text")
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]237 if six.PY3:
238 assert repr(un) == (
239 "<UserNotice(notice_reference=<NoticeReference(organization='"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]240 "org', notice_numbers=[1])>, explicit_text='text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]241 )
242 else:
243 assert repr(un) == (
244 "<UserNotice(notice_reference=<NoticeReference(organization=u"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]245 "'org', notice_numbers=[1])>, explicit_text=u'text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]246 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]247
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]248 def test_eq(self):
249 nr = x509.NoticeReference("org", [1, 2])
250 nr2 = x509.NoticeReference("org", [1, 2])
251 un = x509.UserNotice(nr, "text")
252 un2 = x509.UserNotice(nr2, "text")
253 assert un == un2
254
255 def test_ne(self):
256 nr = x509.NoticeReference("org", [1, 2])
257 nr2 = x509.NoticeReference("org", [1])
258 un = x509.UserNotice(nr, "text")
259 un2 = x509.UserNotice(nr2, "text")
260 un3 = x509.UserNotice(nr, "text3")
261 assert un != un2
262 assert un != un3
263 assert un != object()
264
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]265
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]266class TestPolicyInformation(object):
267 def test_invalid_policy_identifier(self):
268 with pytest.raises(TypeError):
269 x509.PolicyInformation("notanoid", None)
270
271 def test_none_policy_qualifiers(self):
272 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), None)
273 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
274 assert pi.policy_qualifiers is None
275
276 def test_policy_qualifiers(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]277 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]278 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
279 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
280 assert pi.policy_qualifiers == pq
281
282 def test_invalid_policy_identifiers(self):
283 with pytest.raises(TypeError):
284 x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [1, 2])
285
286 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]287 pq = [u"string", x509.UserNotice(None, u"hi")]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]288 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]289 if six.PY3:
290 assert repr(pi) == (
291 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
292 "2.3, name=Unknown OID)>, policy_qualifiers=['string', <UserNo"
Paul Kehrer9aaef9e2015-05-11 10:49:20 -0500[diff] [blame]293 "tice(notice_reference=None, explicit_text='hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]294 )
295 else:
296 assert repr(pi) == (
297 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
298 "2.3, name=Unknown OID)>, policy_qualifiers=[u'string', <UserN"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]299 "otice(notice_reference=None, explicit_text=u'hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]300 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]301
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]302 def test_eq(self):
303 pi = x509.PolicyInformation(
304 x509.ObjectIdentifier("1.2.3"),
305 [u"string", x509.UserNotice(None, u"hi")]
306 )
307 pi2 = x509.PolicyInformation(
308 x509.ObjectIdentifier("1.2.3"),
309 [u"string", x509.UserNotice(None, u"hi")]
310 )
311 assert pi == pi2
312
313 def test_ne(self):
314 pi = x509.PolicyInformation(
315 x509.ObjectIdentifier("1.2.3"), [u"string"]
316 )
317 pi2 = x509.PolicyInformation(
318 x509.ObjectIdentifier("1.2.3"), [u"string2"]
319 )
320 pi3 = x509.PolicyInformation(
321 x509.ObjectIdentifier("1.2.3.4"), [u"string"]
322 )
323 assert pi != pi2
324 assert pi != pi3
325 assert pi != object()
326
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]327
328class TestCertificatePolicies(object):
329 def test_invalid_policies(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]330 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]331 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
332 with pytest.raises(TypeError):
333 x509.CertificatePolicies([1, pi])
334
335 def test_iter_len(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]336 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]337 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
338 cp = x509.CertificatePolicies([pi])
339 assert len(cp) == 1
340 for policyinfo in cp:
341 assert policyinfo == pi
342
343 def test_repr(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]344 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]345 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
346 cp = x509.CertificatePolicies([pi])
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]347 if six.PY3:
348 assert repr(cp) == (
349 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
350 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
351 "ers=['string'])>])>"
352 )
353 else:
354 assert repr(cp) == (
355 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
356 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
357 "ers=[u'string'])>])>"
358 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]359
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]360 def test_eq(self):
361 pi = x509.PolicyInformation(
362 x509.ObjectIdentifier("1.2.3"), [u"string"]
363 )
364 cp = x509.CertificatePolicies([pi])
365 pi2 = x509.PolicyInformation(
366 x509.ObjectIdentifier("1.2.3"), [u"string"]
367 )
368 cp2 = x509.CertificatePolicies([pi2])
369 assert cp == cp2
370
371 def test_ne(self):
372 pi = x509.PolicyInformation(
373 x509.ObjectIdentifier("1.2.3"), [u"string"]
374 )
375 cp = x509.CertificatePolicies([pi])
376 pi2 = x509.PolicyInformation(
377 x509.ObjectIdentifier("1.2.3"), [u"string2"]
378 )
379 cp2 = x509.CertificatePolicies([pi2])
380 assert cp != cp2
381 assert cp != object()
382
Paul Kehrere8db7bd2015-12-27 17:32:57 -0600[diff] [blame^]383 def test_indexing(self):
384 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [u"test"])
385 pi2 = x509.PolicyInformation(x509.ObjectIdentifier("1.2.4"), [u"test"])
386 pi3 = x509.PolicyInformation(x509.ObjectIdentifier("1.2.5"), [u"test"])
387 pi4 = x509.PolicyInformation(x509.ObjectIdentifier("1.2.6"), [u"test"])
388 pi5 = x509.PolicyInformation(x509.ObjectIdentifier("1.2.7"), [u"test"])
389 cp = x509.CertificatePolicies([pi, pi2, pi3, pi4, pi5])
390 assert cp[-1] == cp[4]
391 assert cp[2:6:2] == [cp[2], cp[4]]
392
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]393
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]394@pytest.mark.requires_backend_interface(interface=RSABackend)
395@pytest.mark.requires_backend_interface(interface=X509Backend)
396class TestCertificatePoliciesExtension(object):
397 def test_cps_uri_policy_qualifier(self, backend):
398 cert = _load_cert(
399 os.path.join("x509", "custom", "cp_cps_uri.pem"),
400 x509.load_pem_x509_certificate,
401 backend
402 )
403
404 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]405 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]406 ).value
407
408 assert cp == x509.CertificatePolicies([
409 x509.PolicyInformation(
410 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
411 [u"http://other.com/cps"]
412 )
413 ])
414
415 def test_user_notice_with_notice_reference(self, backend):
416 cert = _load_cert(
417 os.path.join(
418 "x509", "custom", "cp_user_notice_with_notice_reference.pem"
419 ),
420 x509.load_pem_x509_certificate,
421 backend
422 )
423
424 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]425 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]426 ).value
427
428 assert cp == x509.CertificatePolicies([
429 x509.PolicyInformation(
430 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
431 [
432 u"http://example.com/cps",
433 u"http://other.com/cps",
434 x509.UserNotice(
435 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
436 u"thing"
437 )
438 ]
439 )
440 ])
441
442 def test_user_notice_with_explicit_text(self, backend):
443 cert = _load_cert(
444 os.path.join(
445 "x509", "custom", "cp_user_notice_with_explicit_text.pem"
446 ),
447 x509.load_pem_x509_certificate,
448 backend
449 )
450
451 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]452 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]453 ).value
454
455 assert cp == x509.CertificatePolicies([
456 x509.PolicyInformation(
457 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
458 [x509.UserNotice(None, u"thing")]
459 )
460 ])
461
462 def test_user_notice_no_explicit_text(self, backend):
463 cert = _load_cert(
464 os.path.join(
465 "x509", "custom", "cp_user_notice_no_explicit_text.pem"
466 ),
467 x509.load_pem_x509_certificate,
468 backend
469 )
470
471 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]472 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]473 ).value
474
475 assert cp == x509.CertificatePolicies([
476 x509.PolicyInformation(
477 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
478 [
479 x509.UserNotice(
480 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
481 None
482 )
483 ]
484 )
485 ])
486
487
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]488class TestKeyUsage(object):
489 def test_key_agreement_false_encipher_decipher_true(self):
490 with pytest.raises(ValueError):
491 x509.KeyUsage(
492 digital_signature=False,
493 content_commitment=False,
494 key_encipherment=False,
495 data_encipherment=False,
496 key_agreement=False,
497 key_cert_sign=False,
498 crl_sign=False,
499 encipher_only=True,
500 decipher_only=False
501 )
502
503 with pytest.raises(ValueError):
504 x509.KeyUsage(
505 digital_signature=False,
506 content_commitment=False,
507 key_encipherment=False,
508 data_encipherment=False,
509 key_agreement=False,
510 key_cert_sign=False,
511 crl_sign=False,
512 encipher_only=True,
513 decipher_only=True
514 )
515
516 with pytest.raises(ValueError):
517 x509.KeyUsage(
518 digital_signature=False,
519 content_commitment=False,
520 key_encipherment=False,
521 data_encipherment=False,
522 key_agreement=False,
523 key_cert_sign=False,
524 crl_sign=False,
525 encipher_only=False,
526 decipher_only=True
527 )
528
529 def test_properties_key_agreement_true(self):
530 ku = x509.KeyUsage(
531 digital_signature=True,
532 content_commitment=True,
533 key_encipherment=False,
534 data_encipherment=False,
535 key_agreement=False,
536 key_cert_sign=True,
537 crl_sign=False,
538 encipher_only=False,
539 decipher_only=False
540 )
541 assert ku.digital_signature is True
542 assert ku.content_commitment is True
543 assert ku.key_encipherment is False
544 assert ku.data_encipherment is False
545 assert ku.key_agreement is False
546 assert ku.key_cert_sign is True
547 assert ku.crl_sign is False
548
549 def test_key_agreement_true_properties(self):
550 ku = x509.KeyUsage(
551 digital_signature=False,
552 content_commitment=False,
553 key_encipherment=False,
554 data_encipherment=False,
555 key_agreement=True,
556 key_cert_sign=False,
557 crl_sign=False,
558 encipher_only=False,
559 decipher_only=True
560 )
561 assert ku.key_agreement is True
562 assert ku.encipher_only is False
563 assert ku.decipher_only is True
564
565 def test_key_agreement_false_properties(self):
566 ku = x509.KeyUsage(
567 digital_signature=False,
568 content_commitment=False,
569 key_encipherment=False,
570 data_encipherment=False,
571 key_agreement=False,
572 key_cert_sign=False,
573 crl_sign=False,
574 encipher_only=False,
575 decipher_only=False
576 )
577 assert ku.key_agreement is False
578 with pytest.raises(ValueError):
579 ku.encipher_only
580
581 with pytest.raises(ValueError):
582 ku.decipher_only
583
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]584 def test_repr_key_agreement_false(self):
585 ku = x509.KeyUsage(
586 digital_signature=True,
587 content_commitment=True,
588 key_encipherment=False,
589 data_encipherment=False,
590 key_agreement=False,
591 key_cert_sign=True,
592 crl_sign=False,
593 encipher_only=False,
594 decipher_only=False
595 )
596 assert repr(ku) == (
597 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
598 "cipherment=False, data_encipherment=False, key_agreement=False, k"
Paul Kehrerb372e672015-04-15 11:05:24 -0400[diff] [blame]599 "ey_cert_sign=True, crl_sign=False, encipher_only=None, decipher_o"
600 "nly=None)>"
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]601 )
602
603 def test_repr_key_agreement_true(self):
604 ku = x509.KeyUsage(
605 digital_signature=True,
606 content_commitment=True,
607 key_encipherment=False,
608 data_encipherment=False,
609 key_agreement=True,
610 key_cert_sign=True,
611 crl_sign=False,
612 encipher_only=False,
613 decipher_only=False
614 )
615 assert repr(ku) == (
616 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
617 "cipherment=False, data_encipherment=False, key_agreement=True, k"
618 "ey_cert_sign=True, crl_sign=False, encipher_only=False, decipher_"
619 "only=False)>"
620 )
621
Paul Kehrer8565f5e2015-05-13 09:57:09 -0500[diff] [blame]622 def test_eq(self):
623 ku = x509.KeyUsage(
624 digital_signature=False,
625 content_commitment=False,
626 key_encipherment=False,
627 data_encipherment=False,
628 key_agreement=True,
629 key_cert_sign=False,
630 crl_sign=False,
631 encipher_only=False,
632 decipher_only=True
633 )
634 ku2 = x509.KeyUsage(
635 digital_signature=False,
636 content_commitment=False,
637 key_encipherment=False,
638 data_encipherment=False,
639 key_agreement=True,
640 key_cert_sign=False,
641 crl_sign=False,
642 encipher_only=False,
643 decipher_only=True
644 )
645 assert ku == ku2
646
647 def test_ne(self):
648 ku = x509.KeyUsage(
649 digital_signature=False,
650 content_commitment=False,
651 key_encipherment=False,
652 data_encipherment=False,
653 key_agreement=True,
654 key_cert_sign=False,
655 crl_sign=False,
656 encipher_only=False,
657 decipher_only=True
658 )
659 ku2 = x509.KeyUsage(
660 digital_signature=False,
661 content_commitment=False,
662 key_encipherment=False,
663 data_encipherment=False,
664 key_agreement=False,
665 key_cert_sign=False,
666 crl_sign=False,
667 encipher_only=False,
668 decipher_only=False
669 )
670 assert ku != ku2
671 assert ku != object()
672
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]673
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]674class TestSubjectKeyIdentifier(object):
675 def test_properties(self):
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]676 value = binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]677 ski = x509.SubjectKeyIdentifier(value)
678 assert ski.digest == value
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]679
680 def test_repr(self):
681 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]682 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]683 )
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]684 ext = x509.Extension(ExtensionOID.SUBJECT_KEY_IDENTIFIER, False, ski)
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]685 if six.PY3:
686 assert repr(ext) == (
687 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
688 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
689 "igest=b\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
690 "\\xf7\\xff:\\xc9\')>)>"
691 )
692 else:
693 assert repr(ext) == (
694 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
695 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
696 "igest=\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
697 "\\xf7\\xff:\\xc9\')>)>"
698 )
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]699
700 def test_eq(self):
701 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]702 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]703 )
704 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]705 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]706 )
707 assert ski == ski2
708
709 def test_ne(self):
710 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]711 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]712 )
713 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]714 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]715 )
716 assert ski != ski2
717 assert ski != object()
718
Alex Gaynor410fe352015-12-26 15:01:25 -0500[diff] [blame]719 def test_hash(self):
720 ski1 = x509.SubjectKeyIdentifier(
721 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
722 )
723 ski2 = x509.SubjectKeyIdentifier(
724 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
725 )
726 ski3 = x509.SubjectKeyIdentifier(
727 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
728 )
729
730 assert hash(ski1) == hash(ski2)
731 assert hash(ski1) != hash(ski3)
732
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]733
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]734class TestAuthorityKeyIdentifier(object):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]735 def test_authority_cert_issuer_not_generalname(self):
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]736 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]737 x509.AuthorityKeyIdentifier(b"identifier", ["notname"], 3)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]738
739 def test_authority_cert_serial_number_not_integer(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]740 dirname = x509.DirectoryName(
741 x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]742 x509.NameAttribute(
743 x509.ObjectIdentifier('2.999.1'),
744 u'value1'
745 ),
746 x509.NameAttribute(
747 x509.ObjectIdentifier('2.999.2'),
748 u'value2'
749 ),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]750 ])
751 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]752 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]753 x509.AuthorityKeyIdentifier(b"identifier", [dirname], "notanint")
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]754
755 def test_authority_issuer_none_serial_not_none(self):
756 with pytest.raises(ValueError):
757 x509.AuthorityKeyIdentifier(b"identifier", None, 3)
758
759 def test_authority_issuer_not_none_serial_none(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]760 dirname = x509.DirectoryName(
761 x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]762 x509.NameAttribute(
763 x509.ObjectIdentifier('2.999.1'),
764 u'value1'
765 ),
766 x509.NameAttribute(
767 x509.ObjectIdentifier('2.999.2'),
768 u'value2'
769 ),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]770 ])
771 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]772 with pytest.raises(ValueError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]773 x509.AuthorityKeyIdentifier(b"identifier", [dirname], None)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]774
775 def test_authority_cert_serial_and_issuer_none(self):
776 aki = x509.AuthorityKeyIdentifier(b"id", None, None)
777 assert aki.key_identifier == b"id"
778 assert aki.authority_cert_issuer is None
779 assert aki.authority_cert_serial_number is None
780
781 def test_repr(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]782 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]783 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]784 )
785 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]786
787 if six.PY3:
788 assert repr(aki) == (
789 "<AuthorityKeyIdentifier(key_identifier=b'digest', authority_"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]790 "cert_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid="
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]791 "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value='myC"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]792 "N')>])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]793 )
794 else:
795 assert repr(aki) == (
796 "<AuthorityKeyIdentifier(key_identifier='digest', authority_ce"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]797 "rt_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid=<Ob"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]798 "jectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'myCN')"
799 ">])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]800 )
801
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]802 def test_eq(self):
803 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]804 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]805 )
806 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
807 dirname2 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]808 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]809 )
810 aki2 = x509.AuthorityKeyIdentifier(b"digest", [dirname2], 1234)
811 assert aki == aki2
812
813 def test_ne(self):
814 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]815 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]816 )
817 dirname5 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]818 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'aCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]819 )
820 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
821 aki2 = x509.AuthorityKeyIdentifier(b"diges", [dirname], 1234)
822 aki3 = x509.AuthorityKeyIdentifier(b"digest", None, None)
823 aki4 = x509.AuthorityKeyIdentifier(b"digest", [dirname], 12345)
824 aki5 = x509.AuthorityKeyIdentifier(b"digest", [dirname5], 12345)
825 assert aki != aki2
826 assert aki != aki3
827 assert aki != aki4
828 assert aki != aki5
829 assert aki != object()
830
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]831
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]832class TestBasicConstraints(object):
833 def test_ca_not_boolean(self):
834 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]835 x509.BasicConstraints(ca="notbool", path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]836
837 def test_path_length_not_ca(self):
838 with pytest.raises(ValueError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]839 x509.BasicConstraints(ca=False, path_length=0)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]840
841 def test_path_length_not_int(self):
842 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]843 x509.BasicConstraints(ca=True, path_length=1.1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]844
845 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]846 x509.BasicConstraints(ca=True, path_length="notint")
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]847
848 def test_path_length_negative(self):
849 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]850 x509.BasicConstraints(ca=True, path_length=-1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]851
852 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]853 na = x509.BasicConstraints(ca=True, path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]854 assert repr(na) == (
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]855 "<BasicConstraints(ca=True, path_length=None)>"
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]856 )
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]857
Paul Kehrer2eb69f62015-12-27 11:46:11 -0600[diff] [blame]858 def test_hash(self):
859 na = x509.BasicConstraints(ca=True, path_length=None)
860 na2 = x509.BasicConstraints(ca=True, path_length=None)
Paul Kehrerb39af8d2015-12-27 14:30:19 -0600[diff] [blame]861 na3 = x509.BasicConstraints(ca=True, path_length=0)
Paul Kehrer2eb69f62015-12-27 11:46:11 -0600[diff] [blame]862 assert hash(na) == hash(na2)
Paul Kehrerb39af8d2015-12-27 14:30:19 -0600[diff] [blame]863 assert hash(na) != hash(na3)
Paul Kehrer2eb69f62015-12-27 11:46:11 -0600[diff] [blame]864
Paul Kehrer3a69b132015-05-13 10:03:46 -0500[diff] [blame]865 def test_eq(self):
866 na = x509.BasicConstraints(ca=True, path_length=None)
867 na2 = x509.BasicConstraints(ca=True, path_length=None)
868 assert na == na2
869
870 def test_ne(self):
871 na = x509.BasicConstraints(ca=True, path_length=None)
872 na2 = x509.BasicConstraints(ca=True, path_length=1)
873 na3 = x509.BasicConstraints(ca=False, path_length=None)
874 assert na != na2
875 assert na != na3
876 assert na != object()
877
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]878
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]879class TestExtendedKeyUsage(object):
880 def test_not_all_oids(self):
881 with pytest.raises(TypeError):
882 x509.ExtendedKeyUsage(["notoid"])
883
884 def test_iter_len(self):
885 eku = x509.ExtendedKeyUsage([
886 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
887 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
888 ])
889 assert len(eku) == 2
890 assert list(eku) == [
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]891 ExtendedKeyUsageOID.SERVER_AUTH,
892 ExtendedKeyUsageOID.CLIENT_AUTH
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]893 ]
894
Paul Kehrer23d10c32015-04-02 23:12:32 -0500[diff] [blame]895 def test_repr(self):
896 eku = x509.ExtendedKeyUsage([
897 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
898 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
899 ])
900 assert repr(eku) == (
901 "<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name="
902 "serverAuth)>, <ObjectIdentifier(oid=1.3.6.1.5.5.7.3.2, name=clien"
903 "tAuth)>])>"
904 )
905
Paul Kehrerb0476172015-05-02 19:34:51 -0500[diff] [blame]906 def test_eq(self):
907 eku = x509.ExtendedKeyUsage([
908 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
909 ])
910 eku2 = x509.ExtendedKeyUsage([
911 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
912 ])
913 assert eku == eku2
914
915 def test_ne(self):
916 eku = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6")])
917 eku2 = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6.1")])
918 assert eku != eku2
919 assert eku != object()
920
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]921
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]922@pytest.mark.requires_backend_interface(interface=RSABackend)
923@pytest.mark.requires_backend_interface(interface=X509Backend)
924class TestExtensions(object):
925 def test_no_extensions(self, backend):
926 cert = _load_cert(
927 os.path.join("x509", "verisign_md2_root.pem"),
928 x509.load_pem_x509_certificate,
929 backend
930 )
931 ext = cert.extensions
932 assert len(ext) == 0
933 assert list(ext) == []
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]934 with pytest.raises(x509.ExtensionNotFound) as exc:
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]935 ext.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]936
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]937 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]938
939 def test_one_extension(self, backend):
940 cert = _load_cert(
941 os.path.join(
942 "x509", "custom", "basic_constraints_not_critical.pem"
943 ),
944 x509.load_pem_x509_certificate,
945 backend
946 )
947 extensions = cert.extensions
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]948 ext = extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]949 assert ext is not None
950 assert ext.value.ca is False
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]951
952 def test_duplicate_extension(self, backend):
953 cert = _load_cert(
954 os.path.join(
955 "x509", "custom", "two_basic_constraints.pem"
956 ),
957 x509.load_pem_x509_certificate,
958 backend
959 )
960 with pytest.raises(x509.DuplicateExtension) as exc:
961 cert.extensions
962
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]963 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]964
965 def test_unsupported_critical_extension(self, backend):
966 cert = _load_cert(
967 os.path.join(
968 "x509", "custom", "unsupported_extension_critical.pem"
969 ),
970 x509.load_pem_x509_certificate,
971 backend
972 )
973 with pytest.raises(x509.UnsupportedExtension) as exc:
974 cert.extensions
975
976 assert exc.value.oid == x509.ObjectIdentifier("1.2.3.4")
977
978 def test_unsupported_extension(self, backend):
979 # TODO: this will raise an exception when all extensions are complete
980 cert = _load_cert(
981 os.path.join(
982 "x509", "custom", "unsupported_extension.pem"
983 ),
984 x509.load_pem_x509_certificate,
985 backend
986 )
987 extensions = cert.extensions
988 assert len(extensions) == 0
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]989
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]990 def test_no_extensions_get_for_class(self, backend):
991 cert = _load_cert(
992 os.path.join(
Phoebe Queencb5ec4e2015-08-12 15:06:26 +0100[diff] [blame]993 "x509", "cryptography.io.pem"
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]994 ),
995 x509.load_pem_x509_certificate,
996 backend
997 )
Phoebe Queenc93752b2015-08-12 10:54:46 +0100[diff] [blame]998 exts = cert.extensions
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]999 with pytest.raises(x509.ExtensionNotFound) as exc:
Phoebe Queencb5ec4e2015-08-12 15:06:26 +0100[diff] [blame]1000 exts.get_extension_for_class(x509.IssuerAlternativeName)
1001 assert exc.value.oid == ExtensionOID.ISSUER_ALTERNATIVE_NAME
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]1002
Paul Kehrer5b90c972015-12-26 00:52:58 -0600[diff] [blame]1003 def test_indexing(self, backend):
1004 cert = _load_cert(
1005 os.path.join("x509", "cryptography.io.pem"),
1006 x509.load_pem_x509_certificate,
1007 backend
1008 )
1009 exts = cert.extensions
1010 assert exts[-1] == exts[7]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame]1011 assert exts[2:6:2] == [exts[2], exts[4]]
Paul Kehrer5b90c972015-12-26 00:52:58 -0600[diff] [blame]1012
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]1013 def test_one_extension_get_for_class(self, backend):
1014 cert = _load_cert(
Phoebe Queen2cc111a2015-08-12 04:14:22 +0100[diff] [blame]1015 os.path.join(
1016 "x509", "custom", "basic_constraints_not_critical.pem"
1017 ),
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]1018 x509.load_pem_x509_certificate,
1019 backend
1020 )
1021 ext = cert.extensions.get_extension_for_class(x509.BasicConstraints)
1022 assert ext is not None
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]1023 assert isinstance(ext.value, x509.BasicConstraints)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1024
Paul Kehrerafbe75b2015-10-20 08:08:43 -0500[diff] [blame]1025 def test_repr(self, backend):
1026 cert = _load_cert(
1027 os.path.join(
1028 "x509", "custom", "basic_constraints_not_critical.pem"
1029 ),
1030 x509.load_pem_x509_certificate,
1031 backend
1032 )
1033 assert repr(cert.extensions) == (
1034 "<Extensions([<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name"
1035 "=basicConstraints)>, critical=False, value=<BasicConstraints(ca=F"
1036 "alse, path_length=None)>)>])>"
1037 )
1038
Phoebe Queen2cc111a2015-08-12 04:14:22 +0100[diff] [blame]1039
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1040@pytest.mark.requires_backend_interface(interface=RSABackend)
1041@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerde813ea2015-03-28 12:44:34 -0500[diff] [blame]1042class TestBasicConstraintsExtension(object):
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1043 def test_ca_true_pathlen_6(self, backend):
1044 cert = _load_cert(
1045 os.path.join(
1046 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
1047 ),
1048 x509.load_der_x509_certificate,
1049 backend
1050 )
Phoebe Queen062dec72015-08-12 11:42:23 +0100[diff] [blame]1051 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1052 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1053 )
1054 assert ext is not None
1055 assert ext.critical is True
1056 assert ext.value.ca is True
1057 assert ext.value.path_length == 6
1058
1059 def test_path_length_zero(self, backend):
1060 cert = _load_cert(
1061 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
1062 x509.load_pem_x509_certificate,
1063 backend
1064 )
1065 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1066 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1067 )
1068 assert ext is not None
1069 assert ext.critical is True
1070 assert ext.value.ca is True
1071 assert ext.value.path_length == 0
1072
1073 def test_ca_true_no_pathlen(self, backend):
1074 cert = _load_cert(
1075 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1076 x509.load_der_x509_certificate,
1077 backend
1078 )
1079 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1080 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1081 )
1082 assert ext is not None
1083 assert ext.critical is True
1084 assert ext.value.ca is True
1085 assert ext.value.path_length is None
1086
1087 def test_ca_false(self, backend):
1088 cert = _load_cert(
1089 os.path.join("x509", "cryptography.io.pem"),
1090 x509.load_pem_x509_certificate,
1091 backend
1092 )
1093 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1094 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1095 )
1096 assert ext is not None
1097 assert ext.critical is True
1098 assert ext.value.ca is False
1099 assert ext.value.path_length is None
1100
1101 def test_no_basic_constraints(self, backend):
1102 cert = _load_cert(
1103 os.path.join(
1104 "x509",
1105 "PKITS_data",
1106 "certs",
1107 "ValidCertificatePathTest1EE.crt"
1108 ),
1109 x509.load_der_x509_certificate,
1110 backend
1111 )
1112 with pytest.raises(x509.ExtensionNotFound):
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1113 cert.extensions.get_extension_for_oid(
1114 ExtensionOID.BASIC_CONSTRAINTS
1115 )
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1116
1117 def test_basic_constraint_not_critical(self, backend):
1118 cert = _load_cert(
1119 os.path.join(
1120 "x509", "custom", "basic_constraints_not_critical.pem"
1121 ),
1122 x509.load_pem_x509_certificate,
1123 backend
1124 )
1125 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1126 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1127 )
1128 assert ext is not None
1129 assert ext.critical is False
1130 assert ext.value.ca is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1131
1132
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1133class TestSubjectKeyIdentifierExtension(object):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1134 @pytest.mark.requires_backend_interface(interface=RSABackend)
1135 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1136 def test_subject_key_identifier(self, backend):
1137 cert = _load_cert(
1138 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1139 x509.load_der_x509_certificate,
1140 backend
1141 )
1142 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1143 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1144 )
1145 ski = ext.value
1146 assert ext is not None
1147 assert ext.critical is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1148 assert ski.digest == binascii.unhexlify(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]1149 b"580184241bbc2b52944a3da510721451f5af3ac9"
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1150 )
1151
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1152 @pytest.mark.requires_backend_interface(interface=RSABackend)
1153 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1154 def test_no_subject_key_identifier(self, backend):
1155 cert = _load_cert(
1156 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
1157 x509.load_pem_x509_certificate,
1158 backend
1159 )
1160 with pytest.raises(x509.ExtensionNotFound):
1161 cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1162 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1163 )
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1164
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1165 @pytest.mark.requires_backend_interface(interface=RSABackend)
1166 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1167 def test_from_rsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1168 cert = _load_cert(
1169 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1170 x509.load_der_x509_certificate,
1171 backend
1172 )
1173 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1174 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1175 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1176 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1177 cert.public_key()
1178 )
1179 assert ext.value == ski
1180
1181 @pytest.mark.requires_backend_interface(interface=DSABackend)
1182 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1183 def test_from_dsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1184 cert = _load_cert(
1185 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
1186 x509.load_pem_x509_certificate,
1187 backend
1188 )
1189
1190 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1191 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1192 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1193 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1194 cert.public_key()
1195 )
1196 assert ext.value == ski
1197
1198 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1199 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1200 def test_from_ec_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1201 _skip_curve_unsupported(backend, ec.SECP384R1())
1202 cert = _load_cert(
1203 os.path.join("x509", "ecdsa_root.pem"),
1204 x509.load_pem_x509_certificate,
1205 backend
1206 )
1207
1208 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1209 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1210 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1211 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1212 cert.public_key()
1213 )
1214 assert ext.value == ski
1215
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1216
1217@pytest.mark.requires_backend_interface(interface=RSABackend)
1218@pytest.mark.requires_backend_interface(interface=X509Backend)
1219class TestKeyUsageExtension(object):
1220 def test_no_key_usage(self, backend):
1221 cert = _load_cert(
1222 os.path.join("x509", "verisign_md2_root.pem"),
1223 x509.load_pem_x509_certificate,
1224 backend
1225 )
1226 ext = cert.extensions
1227 with pytest.raises(x509.ExtensionNotFound) as exc:
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1228 ext.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1229
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1230 assert exc.value.oid == ExtensionOID.KEY_USAGE
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1231
1232 def test_all_purposes(self, backend):
1233 cert = _load_cert(
1234 os.path.join(
1235 "x509", "custom", "all_key_usages.pem"
1236 ),
1237 x509.load_pem_x509_certificate,
1238 backend
1239 )
1240 extensions = cert.extensions
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1241 ext = extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1242 assert ext is not None
1243
1244 ku = ext.value
1245 assert ku.digital_signature is True
1246 assert ku.content_commitment is True
1247 assert ku.key_encipherment is True
1248 assert ku.data_encipherment is True
1249 assert ku.key_agreement is True
1250 assert ku.key_cert_sign is True
1251 assert ku.crl_sign is True
1252 assert ku.encipher_only is True
1253 assert ku.decipher_only is True
1254
1255 def test_key_cert_sign_crl_sign(self, backend):
1256 cert = _load_cert(
1257 os.path.join(
1258 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
1259 ),
1260 x509.load_der_x509_certificate,
1261 backend
1262 )
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1263 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1264 assert ext is not None
1265 assert ext.critical is True
1266
1267 ku = ext.value
1268 assert ku.digital_signature is False
1269 assert ku.content_commitment is False
1270 assert ku.key_encipherment is False
1271 assert ku.data_encipherment is False
1272 assert ku.key_agreement is False
1273 assert ku.key_cert_sign is True
1274 assert ku.crl_sign is True
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1275
1276
1277@pytest.mark.parametrize(
1278 "name", [
1279 x509.RFC822Name,
1280 x509.DNSName,
1281 x509.UniformResourceIdentifier
1282 ]
1283)
1284class TestTextGeneralNames(object):
1285 def test_not_text(self, name):
1286 with pytest.raises(TypeError):
1287 name(b"notaunicodestring")
1288
1289 with pytest.raises(TypeError):
1290 name(1.3)
1291
1292 def test_repr(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1293 gn = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1294 assert repr(gn) == "<{0}(value=string)>".format(name.__name__)
1295
1296 def test_eq(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1297 gn = name(u"string")
1298 gn2 = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1299 assert gn == gn2
1300
1301 def test_ne(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1302 gn = name(u"string")
1303 gn2 = name(u"string2")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1304 assert gn != gn2
1305 assert gn != object()
1306
1307
1308class TestDirectoryName(object):
1309 def test_not_name(self):
1310 with pytest.raises(TypeError):
1311 x509.DirectoryName(b"notaname")
1312
1313 with pytest.raises(TypeError):
1314 x509.DirectoryName(1.3)
1315
1316 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1317 name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'value1')])
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1318 gn = x509.DirectoryName(x509.Name([name]))
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]1319 if six.PY3:
1320 assert repr(gn) == (
1321 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1322 "Identifier(oid=2.5.4.3, name=commonName)>, value='value1')>])"
1323 ">])>)>"
1324 )
1325 else:
1326 assert repr(gn) == (
1327 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1328 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'value1')>]"
1329 ")>])>)>"
1330 )
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1331
1332 def test_eq(self):
1333 name = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1334 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1335 ])
1336 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1337 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1338 ])
1339 gn = x509.DirectoryName(x509.Name([name]))
1340 gn2 = x509.DirectoryName(x509.Name([name2]))
1341 assert gn == gn2
1342
1343 def test_ne(self):
1344 name = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1345 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1346 ])
1347 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1348 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1349 ])
1350 gn = x509.DirectoryName(x509.Name([name]))
1351 gn2 = x509.DirectoryName(x509.Name([name2]))
1352 assert gn != gn2
1353 assert gn != object()
1354
1355
Paul Kehrer01d5d0b2015-07-12 09:41:21 -0500[diff] [blame]1356class TestRFC822Name(object):
1357 def test_invalid_email(self):
1358 with pytest.raises(ValueError):
1359 x509.RFC822Name(u"Name <email>")
1360
1361 with pytest.raises(ValueError):
1362 x509.RFC822Name(u"")
1363
1364 def test_single_label(self):
1365 gn = x509.RFC822Name(u"administrator")
1366 assert gn.value == u"administrator"
1367
1368 def test_idna(self):
1369 gn = x509.RFC822Name(u"email@em\xe5\xefl.com")
1370 assert gn.value == u"email@em\xe5\xefl.com"
1371 assert gn._encoded == b"email@xn--eml-vla4c.com"
1372
1373
Paul Kehrere28d6c42015-07-12 14:59:37 -0500[diff] [blame]1374class TestUniformResourceIdentifier(object):
1375 def test_no_parsed_hostname(self):
1376 gn = x509.UniformResourceIdentifier(u"singlelabel")
1377 assert gn.value == u"singlelabel"
1378
1379 def test_with_port(self):
1380 gn = x509.UniformResourceIdentifier(u"singlelabel:443/test")
1381 assert gn.value == u"singlelabel:443/test"
1382
1383 def test_idna_no_port(self):
1384 gn = x509.UniformResourceIdentifier(
1385 u"http://\u043f\u044b\u043a\u0430.cryptography"
1386 )
1387 assert gn.value == u"http://\u043f\u044b\u043a\u0430.cryptography"
1388 assert gn._encoded == b"http://xn--80ato2c.cryptography"
1389
1390 def test_idna_with_port(self):
1391 gn = x509.UniformResourceIdentifier(
1392 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1393 )
1394 assert gn.value == (
1395 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1396 )
1397 assert gn._encoded == b"gopher://xn--80ato2c.cryptography:70/some/path"
1398
1399 def test_query_and_fragment(self):
1400 gn = x509.UniformResourceIdentifier(
1401 u"ldap://cryptography:90/path?query=true#somedata"
1402 )
1403 assert gn.value == u"ldap://cryptography:90/path?query=true#somedata"
1404
1405
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1406class TestRegisteredID(object):
1407 def test_not_oid(self):
1408 with pytest.raises(TypeError):
1409 x509.RegisteredID(b"notanoid")
1410
1411 with pytest.raises(TypeError):
1412 x509.RegisteredID(1.3)
1413
1414 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1415 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1416 assert repr(gn) == (
1417 "<RegisteredID(value=<ObjectIdentifier(oid=2.5.4.3, name=commonNam"
1418 "e)>)>"
1419 )
1420
1421 def test_eq(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1422 gn = x509.RegisteredID(NameOID.COMMON_NAME)
1423 gn2 = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1424 assert gn == gn2
1425
1426 def test_ne(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1427 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1428 gn2 = x509.RegisteredID(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1429 assert gn != gn2
1430 assert gn != object()
1431
1432
1433class TestIPAddress(object):
1434 def test_not_ipaddress(self):
1435 with pytest.raises(TypeError):
1436 x509.IPAddress(b"notanipaddress")
1437
1438 with pytest.raises(TypeError):
1439 x509.IPAddress(1.3)
1440
1441 def test_repr(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1442 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1443 assert repr(gn) == "<IPAddress(value=127.0.0.1)>"
1444
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1445 gn2 = x509.IPAddress(ipaddress.IPv6Address(u"ff::"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1446 assert repr(gn2) == "<IPAddress(value=ff::)>"
1447
Paul Kehrereb177932015-05-17 18:33:33 -0700[diff] [blame]1448 gn3 = x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24"))
1449 assert repr(gn3) == "<IPAddress(value=192.168.0.0/24)>"
1450
1451 gn4 = x509.IPAddress(ipaddress.IPv6Network(u"ff::/96"))
1452 assert repr(gn4) == "<IPAddress(value=ff::/96)>"
1453
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1454 def test_eq(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1455 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1456 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1457 assert gn == gn2
1458
1459 def test_ne(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1460 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1461 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.2"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1462 assert gn != gn2
1463 assert gn != object()
1464
1465
Joshua Tauberer18b6fc82015-07-05 21:44:51 +0000[diff] [blame]1466class TestOtherName(object):
1467 def test_invalid_args(self):
1468 with pytest.raises(TypeError):
1469 x509.OtherName(b"notanobjectidentifier", b"derdata")
1470
1471 with pytest.raises(TypeError):
1472 x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), u"notderdata")
1473
1474 def test_repr(self):
1475 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1476 if six.PY3:
1477 assert repr(gn) == (
1478 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1479 "name=Unknown OID)>, value=b'derdata')>"
1480 )
1481 else:
1482 assert repr(gn) == (
1483 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1484 "name=Unknown OID)>, value='derdata')>"
1485 )
1486
1487 gn = x509.OtherName(x509.ObjectIdentifier("2.5.4.65"), b"derdata")
1488 if six.PY3:
1489 assert repr(gn) == (
1490 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1491 "name=pseudonym)>, value=b'derdata')>"
1492 )
1493 else:
1494 assert repr(gn) == (
1495 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1496 "name=pseudonym)>, value='derdata')>"
1497 )
1498
1499 def test_eq(self):
1500 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1501 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1502 assert gn == gn2
1503
1504 def test_ne(self):
1505 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1506 assert gn != object()
1507
1508 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata2")
1509 assert gn != gn2
1510
1511 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.5"), b"derdata")
1512 assert gn != gn2
1513
1514
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1515class TestGeneralNames(object):
1516 def test_get_values_for_type(self):
1517 gns = x509.GeneralNames(
1518 [x509.DNSName(u"cryptography.io")]
1519 )
1520 names = gns.get_values_for_type(x509.DNSName)
1521 assert names == [u"cryptography.io"]
1522
1523 def test_iter_names(self):
1524 gns = x509.GeneralNames([
1525 x509.DNSName(u"cryptography.io"),
1526 x509.DNSName(u"crypto.local"),
1527 ])
1528 assert len(gns) == 2
1529 assert list(gns) == [
1530 x509.DNSName(u"cryptography.io"),
1531 x509.DNSName(u"crypto.local"),
1532 ]
1533
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1534 def test_indexing(self):
1535 gn = x509.GeneralNames([
1536 x509.DNSName(u"cryptography.io"),
1537 x509.DNSName(u"crypto.local"),
1538 x509.DNSName(u"another.local"),
1539 x509.RFC822Name(u"email@another.local"),
1540 x509.UniformResourceIdentifier(u"http://another.local"),
1541 ])
1542 assert gn[-1] == gn[4]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame]1543 assert gn[2:6:2] == [gn[2], gn[4]]
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1544
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1545 def test_invalid_general_names(self):
1546 with pytest.raises(TypeError):
1547 x509.GeneralNames(
1548 [x509.DNSName(u"cryptography.io"), "invalid"]
1549 )
1550
1551 def test_repr(self):
1552 gns = x509.GeneralNames(
1553 [
1554 x509.DNSName(u"cryptography.io")
1555 ]
1556 )
1557 assert repr(gns) == (
1558 "<GeneralNames([<DNSName(value=cryptography.io)>])>"
1559 )
1560
1561 def test_eq(self):
1562 gns = x509.GeneralNames(
1563 [x509.DNSName(u"cryptography.io")]
1564 )
1565 gns2 = x509.GeneralNames(
1566 [x509.DNSName(u"cryptography.io")]
1567 )
1568 assert gns == gns2
1569
1570 def test_ne(self):
1571 gns = x509.GeneralNames(
1572 [x509.DNSName(u"cryptography.io")]
1573 )
1574 gns2 = x509.GeneralNames(
1575 [x509.RFC822Name(u"admin@cryptography.io")]
1576 )
1577 assert gns != gns2
1578 assert gns != object()
1579
1580
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1581class TestIssuerAlternativeName(object):
1582 def test_get_values_for_type(self):
1583 san = x509.IssuerAlternativeName(
1584 [x509.DNSName(u"cryptography.io")]
1585 )
1586 names = san.get_values_for_type(x509.DNSName)
1587 assert names == [u"cryptography.io"]
1588
1589 def test_iter_names(self):
1590 san = x509.IssuerAlternativeName([
1591 x509.DNSName(u"cryptography.io"),
1592 x509.DNSName(u"crypto.local"),
1593 ])
1594 assert len(san) == 2
1595 assert list(san) == [
1596 x509.DNSName(u"cryptography.io"),
1597 x509.DNSName(u"crypto.local"),
1598 ]
1599
Paul Kehrer5c999d32015-12-26 17:45:20 -0600[diff] [blame]1600 def test_indexing(self):
1601 ian = x509.IssuerAlternativeName([
1602 x509.DNSName(u"cryptography.io"),
1603 x509.DNSName(u"crypto.local"),
1604 x509.DNSName(u"another.local"),
1605 x509.RFC822Name(u"email@another.local"),
1606 x509.UniformResourceIdentifier(u"http://another.local"),
1607 ])
1608 assert ian[-1] == ian[4]
1609 assert ian[2:6:2] == [ian[2], ian[4]]
1610
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1611 def test_invalid_general_names(self):
1612 with pytest.raises(TypeError):
1613 x509.IssuerAlternativeName(
1614 [x509.DNSName(u"cryptography.io"), "invalid"]
1615 )
1616
1617 def test_repr(self):
1618 san = x509.IssuerAlternativeName(
1619 [
1620 x509.DNSName(u"cryptography.io")
1621 ]
1622 )
1623 assert repr(san) == (
1624 "<IssuerAlternativeName("
1625 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
1626 )
1627
1628 def test_eq(self):
1629 san = x509.IssuerAlternativeName(
1630 [x509.DNSName(u"cryptography.io")]
1631 )
1632 san2 = x509.IssuerAlternativeName(
1633 [x509.DNSName(u"cryptography.io")]
1634 )
1635 assert san == san2
1636
1637 def test_ne(self):
1638 san = x509.IssuerAlternativeName(
1639 [x509.DNSName(u"cryptography.io")]
1640 )
1641 san2 = x509.IssuerAlternativeName(
1642 [x509.RFC822Name(u"admin@cryptography.io")]
1643 )
1644 assert san != san2
1645 assert san != object()
1646
1647
Alex Gaynorf1c17672015-06-20 14:20:20 -0400[diff] [blame]1648@pytest.mark.requires_backend_interface(interface=RSABackend)
1649@pytest.mark.requires_backend_interface(interface=X509Backend)
1650class TestRSAIssuerAlternativeNameExtension(object):
1651 def test_uri(self, backend):
1652 cert = _load_cert(
1653 os.path.join("x509", "custom", "ian_uri.pem"),
1654 x509.load_pem_x509_certificate,
1655 backend,
1656 )
1657 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1658 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Alex Gaynorf1c17672015-06-20 14:20:20 -0400[diff] [blame]1659 )
1660 assert list(ext.value) == [
1661 x509.UniformResourceIdentifier(u"http://path.to.root/root.crt"),
1662 ]
1663
1664
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]1665class TestCRLNumber(object):
1666 def test_eq(self):
1667 crl_number = x509.CRLNumber(15)
1668 assert crl_number == x509.CRLNumber(15)
1669
1670 def test_ne(self):
1671 crl_number = x509.CRLNumber(15)
1672 assert crl_number != x509.CRLNumber(14)
1673 assert crl_number != object()
1674
1675 def test_repr(self):
1676 crl_number = x509.CRLNumber(15)
1677 assert repr(crl_number) == "<CRLNumber(15)>"
1678
Paul Kehrera9718fc2015-12-22 22:55:35 -0600[diff] [blame]1679 def test_invalid_number(self):
1680 with pytest.raises(TypeError):
1681 x509.CRLNumber("notanumber")
1682
Alex Gaynorf9a77b62015-12-26 12:14:25 -0500[diff] [blame]1683 def test_hash(self):
1684 c1 = x509.CRLNumber(1)
1685 c2 = x509.CRLNumber(1)
1686 c3 = x509.CRLNumber(2)
1687 assert hash(c1) == hash(c2)
1688 assert hash(c1) != hash(c3)
1689
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]1690
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1691class TestSubjectAlternativeName(object):
1692 def test_get_values_for_type(self):
1693 san = x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1694 [x509.DNSName(u"cryptography.io")]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1695 )
1696 names = san.get_values_for_type(x509.DNSName)
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1697 assert names == [u"cryptography.io"]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1698
1699 def test_iter_names(self):
1700 san = x509.SubjectAlternativeName([
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1701 x509.DNSName(u"cryptography.io"),
1702 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1703 ])
1704 assert len(san) == 2
1705 assert list(san) == [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1706 x509.DNSName(u"cryptography.io"),
1707 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1708 ]
1709
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1710 def test_indexing(self):
1711 san = x509.SubjectAlternativeName([
1712 x509.DNSName(u"cryptography.io"),
1713 x509.DNSName(u"crypto.local"),
1714 x509.DNSName(u"another.local"),
1715 x509.RFC822Name(u"email@another.local"),
1716 x509.UniformResourceIdentifier(u"http://another.local"),
1717 ])
1718 assert san[-1] == san[4]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame]1719 assert san[2:6:2] == [san[2], san[4]]
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1720
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1721 def test_invalid_general_names(self):
1722 with pytest.raises(TypeError):
1723 x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1724 [x509.DNSName(u"cryptography.io"), "invalid"]
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1725 )
1726
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1727 def test_repr(self):
1728 san = x509.SubjectAlternativeName(
1729 [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1730 x509.DNSName(u"cryptography.io")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1731 ]
1732 )
1733 assert repr(san) == (
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1734 "<SubjectAlternativeName("
1735 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1736 )
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1737
Paul Kehrer58cc3972015-05-13 10:00:41 -0500[diff] [blame]1738 def test_eq(self):
1739 san = x509.SubjectAlternativeName(
1740 [x509.DNSName(u"cryptography.io")]
1741 )
1742 san2 = x509.SubjectAlternativeName(
1743 [x509.DNSName(u"cryptography.io")]
1744 )
1745 assert san == san2
1746
1747 def test_ne(self):
1748 san = x509.SubjectAlternativeName(
1749 [x509.DNSName(u"cryptography.io")]
1750 )
1751 san2 = x509.SubjectAlternativeName(
1752 [x509.RFC822Name(u"admin@cryptography.io")]
1753 )
1754 assert san != san2
1755 assert san != object()
1756
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1757
1758@pytest.mark.requires_backend_interface(interface=RSABackend)
1759@pytest.mark.requires_backend_interface(interface=X509Backend)
1760class TestRSASubjectAlternativeNameExtension(object):
1761 def test_dns_name(self, backend):
1762 cert = _load_cert(
1763 os.path.join("x509", "cryptography.io.pem"),
1764 x509.load_pem_x509_certificate,
1765 backend
1766 )
1767 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1768 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1769 )
1770 assert ext is not None
1771 assert ext.critical is False
1772
1773 san = ext.value
1774
1775 dns = san.get_values_for_type(x509.DNSName)
1776 assert dns == [u"www.cryptography.io", u"cryptography.io"]
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1777
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1778 def test_wildcard_dns_name(self, backend):
1779 cert = _load_cert(
1780 os.path.join("x509", "wildcard_san.pem"),
1781 x509.load_pem_x509_certificate,
1782 backend
1783 )
1784 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1785 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1786 )
1787
1788 dns = ext.value.get_values_for_type(x509.DNSName)
1789 assert dns == [
1790 u'*.langui.sh',
1791 u'langui.sh',
1792 u'*.saseliminator.com',
1793 u'saseliminator.com'
1794 ]
1795
Dominic Chen87bb9572015-10-09 00:23:07 -0400[diff] [blame]1796 def test_san_empty_hostname(self, backend):
1797 cert = _load_cert(
1798 os.path.join(
1799 "x509", "custom", "san_empty_hostname.pem"
1800 ),
1801 x509.load_pem_x509_certificate,
1802 backend
1803 )
1804 san = cert.extensions.get_extension_for_oid(
1805 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
1806 )
1807
1808 dns = san.value.get_values_for_type(x509.DNSName)
1809 assert dns == [u'']
1810
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1811 def test_san_wildcard_idna_dns_name(self, backend):
1812 cert = _load_cert(
1813 os.path.join("x509", "custom", "san_wildcard_idna.pem"),
1814 x509.load_pem_x509_certificate,
1815 backend
1816 )
1817 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1818 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1819 )
1820
1821 dns = ext.value.get_values_for_type(x509.DNSName)
1822 assert dns == [u'*.\u043f\u044b\u043a\u0430.cryptography']
1823
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1824 def test_unsupported_gn(self, backend):
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1825 cert = _load_cert(
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1826 os.path.join("x509", "san_x400address.der"),
1827 x509.load_der_x509_certificate,
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1828 backend
1829 )
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1830 with pytest.raises(x509.UnsupportedGeneralNameType) as exc:
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1831 cert.extensions
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1832
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1833 assert exc.value.type == 3
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1834
1835 def test_registered_id(self, backend):
1836 cert = _load_cert(
1837 os.path.join(
1838 "x509", "custom", "san_registered_id.pem"
1839 ),
1840 x509.load_pem_x509_certificate,
1841 backend
1842 )
1843 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1844 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1845 )
1846 assert ext is not None
1847 assert ext.critical is False
1848
1849 san = ext.value
1850 rid = san.get_values_for_type(x509.RegisteredID)
1851 assert rid == [x509.ObjectIdentifier("1.2.3.4")]
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1852
1853 def test_uri(self, backend):
1854 cert = _load_cert(
1855 os.path.join(
1856 "x509", "custom", "san_uri_with_port.pem"
1857 ),
1858 x509.load_pem_x509_certificate,
1859 backend
1860 )
1861 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1862 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1863 )
1864 assert ext is not None
1865 uri = ext.value.get_values_for_type(
1866 x509.UniformResourceIdentifier
1867 )
1868 assert uri == [
1869 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/path?q=s#hel"
1870 u"lo",
1871 u"http://someregulardomain.com",
1872 ]
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1873
1874 def test_ipaddress(self, backend):
1875 cert = _load_cert(
1876 os.path.join(
1877 "x509", "custom", "san_ipaddr.pem"
1878 ),
1879 x509.load_pem_x509_certificate,
1880 backend
1881 )
1882 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1883 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1884 )
1885 assert ext is not None
1886 assert ext.critical is False
1887
1888 san = ext.value
1889
1890 ip = san.get_values_for_type(x509.IPAddress)
1891 assert [
1892 ipaddress.ip_address(u"127.0.0.1"),
1893 ipaddress.ip_address(u"ff::")
1894 ] == ip
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1895
1896 def test_dirname(self, backend):
1897 cert = _load_cert(
1898 os.path.join(
1899 "x509", "custom", "san_dirname.pem"
1900 ),
1901 x509.load_pem_x509_certificate,
1902 backend
1903 )
1904 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1905 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1906 )
1907 assert ext is not None
1908 assert ext.critical is False
1909
1910 san = ext.value
1911
1912 dirname = san.get_values_for_type(x509.DirectoryName)
1913 assert [
1914 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1915 x509.NameAttribute(NameOID.COMMON_NAME, u'test'),
1916 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org'),
1917 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1918 ])
1919 ] == dirname
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1920
1921 def test_rfc822name(self, backend):
1922 cert = _load_cert(
1923 os.path.join(
1924 "x509", "custom", "san_rfc822_idna.pem"
1925 ),
1926 x509.load_pem_x509_certificate,
1927 backend
1928 )
1929 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1930 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1931 )
1932 assert ext is not None
1933 assert ext.critical is False
1934
1935 san = ext.value
1936
1937 rfc822name = san.get_values_for_type(x509.RFC822Name)
1938 assert [u"email@em\xe5\xefl.com"] == rfc822name
1939
Paul Kehrerb8968812015-05-15 09:01:34 -0700[diff] [blame]1940 def test_idna2003_invalid(self, backend):
1941 cert = _load_cert(
1942 os.path.join(
1943 "x509", "custom", "san_idna2003_dnsname.pem"
1944 ),
1945 x509.load_pem_x509_certificate,
1946 backend
1947 )
1948 with pytest.raises(UnicodeError):
1949 cert.extensions
1950
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1951 def test_unicode_rfc822_name_dns_name_uri(self, backend):
1952 cert = _load_cert(
1953 os.path.join(
1954 "x509", "custom", "san_idna_names.pem"
1955 ),
1956 x509.load_pem_x509_certificate,
1957 backend
1958 )
1959 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1960 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1961 )
1962 assert ext is not None
1963 rfc822_name = ext.value.get_values_for_type(x509.RFC822Name)
1964 dns_name = ext.value.get_values_for_type(x509.DNSName)
1965 uri = ext.value.get_values_for_type(x509.UniformResourceIdentifier)
1966 assert rfc822_name == [u"email@\u043f\u044b\u043a\u0430.cryptography"]
1967 assert dns_name == [u"\u043f\u044b\u043a\u0430.cryptography"]
1968 assert uri == [u"https://www.\u043f\u044b\u043a\u0430.cryptography"]
1969
1970 def test_rfc822name_dnsname_ipaddress_directoryname_uri(self, backend):
1971 cert = _load_cert(
1972 os.path.join(
1973 "x509", "custom", "san_email_dns_ip_dirname_uri.pem"
1974 ),
1975 x509.load_pem_x509_certificate,
1976 backend
1977 )
1978 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1979 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1980 )
1981 assert ext is not None
1982 assert ext.critical is False
1983
1984 san = ext.value
1985
1986 rfc822_name = san.get_values_for_type(x509.RFC822Name)
1987 uri = san.get_values_for_type(x509.UniformResourceIdentifier)
1988 dns = san.get_values_for_type(x509.DNSName)
1989 ip = san.get_values_for_type(x509.IPAddress)
1990 dirname = san.get_values_for_type(x509.DirectoryName)
1991 assert [u"user@cryptography.io"] == rfc822_name
Paul Kehrere3a330c2015-05-02 16:42:52 -0500[diff] [blame]1992 assert [u"https://cryptography.io"] == uri
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1993 assert [u"cryptography.io"] == dns
1994 assert [
1995 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1996 x509.NameAttribute(NameOID.COMMON_NAME, u'dirCN'),
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1997 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1998 NameOID.ORGANIZATION_NAME, u'Cryptographic Authority'
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1999 ),
2000 ])
2001 ] == dirname
2002 assert [
2003 ipaddress.ip_address(u"127.0.0.1"),
2004 ipaddress.ip_address(u"ff::")
2005 ] == ip
2006
2007 def test_invalid_rfc822name(self, backend):
2008 cert = _load_cert(
2009 os.path.join(
2010 "x509", "custom", "san_rfc822_names.pem"
2011 ),
2012 x509.load_pem_x509_certificate,
2013 backend
2014 )
2015 with pytest.raises(ValueError) as exc:
2016 cert.extensions
2017
2018 assert 'Invalid rfc822name value' in str(exc.value)
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]2019
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2020 def test_other_name(self, backend):
2021 cert = _load_cert(
2022 os.path.join(
2023 "x509", "custom", "san_other_name.pem"
2024 ),
2025 x509.load_pem_x509_certificate,
2026 backend
2027 )
2028
2029 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2030 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2031 )
2032 assert ext is not None
2033 assert ext.critical is False
2034
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]2035 expected = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"),
2036 b'\x16\x0bHello World')
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2037 assert len(ext.value) == 1
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]2038 assert list(ext.value)[0] == expected
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2039
2040 othernames = ext.value.get_values_for_type(x509.OtherName)
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]2041 assert othernames == [expected]
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2042
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]2043
2044@pytest.mark.requires_backend_interface(interface=RSABackend)
2045@pytest.mark.requires_backend_interface(interface=X509Backend)
2046class TestExtendedKeyUsageExtension(object):
2047 def test_eku(self, backend):
2048 cert = _load_cert(
2049 os.path.join(
2050 "x509", "custom", "extended_key_usage.pem"
2051 ),
2052 x509.load_pem_x509_certificate,
2053 backend
2054 )
2055 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2056 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]2057 )
2058 assert ext is not None
2059 assert ext.critical is False
2060
2061 assert [
2062 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
2063 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
2064 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.3"),
2065 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.4"),
2066 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.9"),
2067 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.8"),
2068 x509.ObjectIdentifier("2.5.29.37.0"),
2069 x509.ObjectIdentifier("2.16.840.1.113730.4.1"),
2070 ] == list(ext.value)
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2071
2072
2073class TestAccessDescription(object):
2074 def test_invalid_access_method(self):
Nick Bastind06763d2015-12-12 18:32:59 -0800[diff] [blame]2075 with pytest.raises(TypeError):
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2076 x509.AccessDescription("notanoid", x509.DNSName(u"test"))
2077
2078 def test_invalid_access_location(self):
2079 with pytest.raises(TypeError):
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2080 x509.AccessDescription(
2081 AuthorityInformationAccessOID.CA_ISSUERS, "invalid"
2082 )
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2083
Nick Bastind2ecf862015-12-13 05:44:46 -0800[diff] [blame]2084 def test_valid_nonstandard_method(self):
Nick Bastin326fc8e2015-12-12 19:08:12 -0800[diff] [blame]2085 ad = x509.AccessDescription(
2086 ObjectIdentifier("2.999.1"),
2087 x509.UniformResourceIdentifier(u"http://example.com")
2088 )
Nick Bastin11f0f8a2015-12-12 18:54:12 -0800[diff] [blame]2089 assert ad is not None
2090
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2091 def test_repr(self):
2092 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2093 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2094 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2095 )
2096 assert repr(ad) == (
2097 "<AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5."
2098 "5.7.48.1, name=OCSP)>, access_location=<UniformResourceIdentifier"
2099 "(value=http://ocsp.domain.com)>)>"
2100 )
2101
2102 def test_eq(self):
2103 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2104 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2105 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2106 )
2107 ad2 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2108 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2109 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2110 )
2111 assert ad == ad2
2112
2113 def test_ne(self):
2114 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2115 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2116 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2117 )
2118 ad2 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2119 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2120 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2121 )
2122 ad3 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2123 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2124 x509.UniformResourceIdentifier(u"http://notthesame")
2125 )
2126 assert ad != ad2
2127 assert ad != ad3
2128 assert ad != object()
2129
2130
2131class TestAuthorityInformationAccess(object):
2132 def test_invalid_descriptions(self):
2133 with pytest.raises(TypeError):
2134 x509.AuthorityInformationAccess(["notanAccessDescription"])
2135
2136 def test_iter_len(self):
2137 aia = x509.AuthorityInformationAccess([
2138 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2139 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2140 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2141 ),
2142 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2143 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2144 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2145 )
2146 ])
2147 assert len(aia) == 2
2148 assert list(aia) == [
2149 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2150 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2151 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2152 ),
2153 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2154 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2155 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2156 )
2157 ]
2158
2159 def test_repr(self):
2160 aia = x509.AuthorityInformationAccess([
2161 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2162 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2163 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2164 ),
2165 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2166 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2167 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2168 )
2169 ])
2170 assert repr(aia) == (
2171 "<AuthorityInformationAccess([<AccessDescription(access_method=<Ob"
2172 "jectIdentifier(oid=1.3.6.1.5.5.7.48.1, name=OCSP)>, access_locati"
2173 "on=<UniformResourceIdentifier(value=http://ocsp.domain.com)>)>, <"
2174 "AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5.5"
2175 ".7.48.2, name=caIssuers)>, access_location=<UniformResourceIdenti"
2176 "fier(value=http://domain.com/ca.crt)>)>])>"
2177 )
2178
2179 def test_eq(self):
2180 aia = x509.AuthorityInformationAccess([
2181 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2182 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2183 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2184 ),
2185 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2186 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2187 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2188 )
2189 ])
2190 aia2 = x509.AuthorityInformationAccess([
2191 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2192 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2193 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2194 ),
2195 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2196 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2197 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2198 )
2199 ])
2200 assert aia == aia2
2201
2202 def test_ne(self):
2203 aia = x509.AuthorityInformationAccess([
2204 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2205 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2206 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2207 ),
2208 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2209 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2210 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2211 )
2212 ])
2213 aia2 = x509.AuthorityInformationAccess([
2214 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2215 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2216 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2217 ),
2218 ])
2219
2220 assert aia != aia2
2221 assert aia != object()
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2222
2223
2224@pytest.mark.requires_backend_interface(interface=RSABackend)
2225@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2226class TestAuthorityInformationAccessExtension(object):
2227 def test_aia_ocsp_ca_issuers(self, backend):
2228 cert = _load_cert(
2229 os.path.join("x509", "cryptography.io.pem"),
2230 x509.load_pem_x509_certificate,
2231 backend
2232 )
2233 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2234 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2235 )
2236 assert ext is not None
2237 assert ext.critical is False
2238
2239 assert ext.value == x509.AuthorityInformationAccess([
2240 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2241 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2242 x509.UniformResourceIdentifier(u"http://gv.symcd.com")
2243 ),
2244 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2245 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2246 x509.UniformResourceIdentifier(u"http://gv.symcb.com/gv.crt")
2247 ),
2248 ])
2249
2250 def test_aia_multiple_ocsp_ca_issuers(self, backend):
2251 cert = _load_cert(
2252 os.path.join("x509", "custom", "aia_ocsp_ca_issuers.pem"),
2253 x509.load_pem_x509_certificate,
2254 backend
2255 )
2256 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2257 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2258 )
2259 assert ext is not None
2260 assert ext.critical is False
2261
2262 assert ext.value == x509.AuthorityInformationAccess([
2263 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2264 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2265 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2266 ),
2267 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2268 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2269 x509.UniformResourceIdentifier(u"http://ocsp2.domain.com")
2270 ),
2271 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2272 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2273 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2274 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
2275 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2276 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2277 ]))
2278 ),
2279 ])
2280
2281 def test_aia_ocsp_only(self, backend):
2282 cert = _load_cert(
2283 os.path.join("x509", "custom", "aia_ocsp.pem"),
2284 x509.load_pem_x509_certificate,
2285 backend
2286 )
2287 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2288 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2289 )
2290 assert ext is not None
2291 assert ext.critical is False
2292
2293 assert ext.value == x509.AuthorityInformationAccess([
2294 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2295 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2296 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2297 ),
2298 ])
2299
2300 def test_aia_ca_issuers_only(self, backend):
2301 cert = _load_cert(
2302 os.path.join("x509", "custom", "aia_ca_issuers.pem"),
2303 x509.load_pem_x509_certificate,
2304 backend
2305 )
2306 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2307 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2308 )
2309 assert ext is not None
2310 assert ext.critical is False
2311
2312 assert ext.value == x509.AuthorityInformationAccess([
2313 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2314 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2315 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2316 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
2317 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2318 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2319 ]))
2320 ),
2321 ])
2322
2323
2324@pytest.mark.requires_backend_interface(interface=RSABackend)
2325@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2326class TestAuthorityKeyIdentifierExtension(object):
2327 def test_aki_keyid(self, backend):
2328 cert = _load_cert(
2329 os.path.join(
2330 "x509", "cryptography.io.pem"
2331 ),
2332 x509.load_pem_x509_certificate,
2333 backend
2334 )
2335 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2336 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2337 )
2338 assert ext is not None
2339 assert ext.critical is False
2340
2341 assert ext.value.key_identifier == (
2342 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08\xcbY"
2343 )
2344 assert ext.value.authority_cert_issuer is None
2345 assert ext.value.authority_cert_serial_number is None
2346
2347 def test_aki_all_fields(self, backend):
2348 cert = _load_cert(
2349 os.path.join(
2350 "x509", "custom", "authority_key_identifier.pem"
2351 ),
2352 x509.load_pem_x509_certificate,
2353 backend
2354 )
2355 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2356 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2357 )
2358 assert ext is not None
2359 assert ext.critical is False
2360
2361 assert ext.value.key_identifier == (
2362 b"9E>\xca=b\x1d\xea\x86I\xf6Z\xab@\xb7\xa4p\x98\xf1\xec"
2363 )
2364 assert ext.value.authority_cert_issuer == [
2365 x509.DirectoryName(
2366 x509.Name([
2367 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2368 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2369 ),
2370 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2371 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2372 )
2373 ])
2374 )
2375 ]
2376 assert ext.value.authority_cert_serial_number == 3
2377
2378 def test_aki_no_keyid(self, backend):
2379 cert = _load_cert(
2380 os.path.join(
2381 "x509", "custom", "authority_key_identifier_no_keyid.pem"
2382 ),
2383 x509.load_pem_x509_certificate,
2384 backend
2385 )
2386 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2387 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2388 )
2389 assert ext is not None
2390 assert ext.critical is False
2391
2392 assert ext.value.key_identifier is None
2393 assert ext.value.authority_cert_issuer == [
2394 x509.DirectoryName(
2395 x509.Name([
2396 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2397 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2398 ),
2399 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2400 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2401 )
2402 ])
2403 )
2404 ]
2405 assert ext.value.authority_cert_serial_number == 3
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2406
Paul Kehrer253929a2015-08-05 17:30:39 +0100[diff] [blame]2407 def test_from_certificate(self, backend):
2408 issuer_cert = _load_cert(
2409 os.path.join("x509", "rapidssl_sha256_ca_g3.pem"),
2410 x509.load_pem_x509_certificate,
2411 backend
2412 )
2413 cert = _load_cert(
2414 os.path.join("x509", "cryptography.io.pem"),
2415 x509.load_pem_x509_certificate,
2416 backend
2417 )
2418 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2419 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrer253929a2015-08-05 17:30:39 +0100[diff] [blame]2420 )
2421 aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(
2422 issuer_cert.public_key()
2423 )
2424 assert ext.value == aki
2425
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2426
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2427class TestNameConstraints(object):
2428 def test_ipaddress_wrong_type(self):
2429 with pytest.raises(TypeError):
2430 x509.NameConstraints(
2431 permitted_subtrees=[
2432 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2433 ],
2434 excluded_subtrees=None
2435 )
2436
2437 with pytest.raises(TypeError):
2438 x509.NameConstraints(
2439 permitted_subtrees=None,
2440 excluded_subtrees=[
2441 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2442 ]
2443 )
2444
2445 def test_ipaddress_allowed_type(self):
2446 permitted = [x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29"))]
2447 excluded = [x509.IPAddress(ipaddress.IPv4Network(u"10.10.0.0/24"))]
2448 nc = x509.NameConstraints(
2449 permitted_subtrees=permitted,
2450 excluded_subtrees=excluded
2451 )
2452 assert nc.permitted_subtrees == permitted
2453 assert nc.excluded_subtrees == excluded
2454
2455 def test_invalid_permitted_subtrees(self):
2456 with pytest.raises(TypeError):
2457 x509.NameConstraints("badpermitted", None)
2458
2459 def test_invalid_excluded_subtrees(self):
2460 with pytest.raises(TypeError):
2461 x509.NameConstraints(None, "badexcluded")
2462
2463 def test_no_subtrees(self):
2464 with pytest.raises(ValueError):
2465 x509.NameConstraints(None, None)
2466
2467 def test_permitted_none(self):
2468 excluded = [x509.DNSName(u"name.local")]
2469 nc = x509.NameConstraints(
2470 permitted_subtrees=None, excluded_subtrees=excluded
2471 )
2472 assert nc.permitted_subtrees is None
2473 assert nc.excluded_subtrees is not None
2474
2475 def test_excluded_none(self):
2476 permitted = [x509.DNSName(u"name.local")]
2477 nc = x509.NameConstraints(
2478 permitted_subtrees=permitted, excluded_subtrees=None
2479 )
2480 assert nc.permitted_subtrees is not None
2481 assert nc.excluded_subtrees is None
2482
2483 def test_repr(self):
2484 permitted = [x509.DNSName(u"name.local"), x509.DNSName(u"name2.local")]
2485 nc = x509.NameConstraints(
2486 permitted_subtrees=permitted,
2487 excluded_subtrees=None
2488 )
2489 assert repr(nc) == (
2490 "<NameConstraints(permitted_subtrees=[<DNSName(value=name.local)>"
2491 ", <DNSName(value=name2.local)>], excluded_subtrees=None)>"
2492 )
2493
Paul Kehrer31894282015-06-21 21:46:41 -0500[diff] [blame]2494 def test_eq(self):
2495 nc = x509.NameConstraints(
2496 permitted_subtrees=[x509.DNSName(u"name.local")],
2497 excluded_subtrees=[x509.DNSName(u"name2.local")]
2498 )
2499 nc2 = x509.NameConstraints(
2500 permitted_subtrees=[x509.DNSName(u"name.local")],
2501 excluded_subtrees=[x509.DNSName(u"name2.local")]
2502 )
2503 assert nc == nc2
2504
2505 def test_ne(self):
2506 nc = x509.NameConstraints(
2507 permitted_subtrees=[x509.DNSName(u"name.local")],
2508 excluded_subtrees=[x509.DNSName(u"name2.local")]
2509 )
2510 nc2 = x509.NameConstraints(
2511 permitted_subtrees=[x509.DNSName(u"name.local")],
2512 excluded_subtrees=None
2513 )
2514 nc3 = x509.NameConstraints(
2515 permitted_subtrees=None,
2516 excluded_subtrees=[x509.DNSName(u"name2.local")]
2517 )
2518
2519 assert nc != nc2
2520 assert nc != nc3
2521 assert nc != object()
2522
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2523
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2524@pytest.mark.requires_backend_interface(interface=RSABackend)
2525@pytest.mark.requires_backend_interface(interface=X509Backend)
2526class TestNameConstraintsExtension(object):
2527 def test_permitted_excluded(self, backend):
2528 cert = _load_cert(
2529 os.path.join(
2530 "x509", "custom", "nc_permitted_excluded_2.pem"
2531 ),
2532 x509.load_pem_x509_certificate,
2533 backend
2534 )
2535 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2536 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2537 ).value
2538 assert nc == x509.NameConstraints(
2539 permitted_subtrees=[
2540 x509.DNSName(u"zombo.local"),
2541 ],
2542 excluded_subtrees=[
2543 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2544 x509.NameAttribute(NameOID.COMMON_NAME, u"zombo")
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2545 ]))
2546 ]
2547 )
2548
2549 def test_permitted(self, backend):
2550 cert = _load_cert(
2551 os.path.join(
2552 "x509", "custom", "nc_permitted_2.pem"
2553 ),
2554 x509.load_pem_x509_certificate,
2555 backend
2556 )
2557 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2558 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2559 ).value
2560 assert nc == x509.NameConstraints(
2561 permitted_subtrees=[
2562 x509.DNSName(u"zombo.local"),
2563 ],
2564 excluded_subtrees=None
2565 )
2566
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2567 def test_permitted_with_leading_period(self, backend):
2568 cert = _load_cert(
2569 os.path.join(
2570 "x509", "custom", "nc_permitted.pem"
2571 ),
2572 x509.load_pem_x509_certificate,
2573 backend
2574 )
2575 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2576 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2577 ).value
2578 assert nc == x509.NameConstraints(
2579 permitted_subtrees=[
2580 x509.DNSName(u".cryptography.io"),
2581 x509.UniformResourceIdentifier(u"ftp://cryptography.test")
2582 ],
2583 excluded_subtrees=None
2584 )
2585
2586 def test_excluded_with_leading_period(self, backend):
2587 cert = _load_cert(
2588 os.path.join(
2589 "x509", "custom", "nc_excluded.pem"
2590 ),
2591 x509.load_pem_x509_certificate,
2592 backend
2593 )
2594 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2595 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2596 ).value
2597 assert nc == x509.NameConstraints(
2598 permitted_subtrees=None,
2599 excluded_subtrees=[
2600 x509.DNSName(u".cryptography.io"),
2601 x509.UniformResourceIdentifier(u"gopher://cryptography.test")
2602 ]
2603 )
2604
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2605 def test_permitted_excluded_with_ips(self, backend):
2606 cert = _load_cert(
2607 os.path.join(
2608 "x509", "custom", "nc_permitted_excluded.pem"
2609 ),
2610 x509.load_pem_x509_certificate,
2611 backend
2612 )
2613 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2614 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2615 ).value
2616 assert nc == x509.NameConstraints(
2617 permitted_subtrees=[
2618 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")),
2619 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")),
2620 ],
2621 excluded_subtrees=[
2622 x509.DNSName(u".domain.com"),
2623 x509.UniformResourceIdentifier(u"http://test.local"),
2624 ]
2625 )
2626
Paul Kehrera72ebaf2015-07-01 21:07:37 -0500[diff] [blame]2627 def test_single_ip_netmask(self, backend):
2628 cert = _load_cert(
2629 os.path.join(
2630 "x509", "custom", "nc_single_ip_netmask.pem"
2631 ),
2632 x509.load_pem_x509_certificate,
2633 backend
2634 )
2635 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2636 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrera72ebaf2015-07-01 21:07:37 -0500[diff] [blame]2637 ).value
2638 assert nc == x509.NameConstraints(
2639 permitted_subtrees=[
2640 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/128")),
2641 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.1/32")),
2642 ],
2643 excluded_subtrees=None
2644 )
2645
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2646 def test_invalid_netmask(self, backend):
2647 cert = _load_cert(
2648 os.path.join(
2649 "x509", "custom", "nc_invalid_ip_netmask.pem"
2650 ),
2651 x509.load_pem_x509_certificate,
2652 backend
2653 )
2654 with pytest.raises(ValueError):
2655 cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2656 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2657 )
2658
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2659
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2660class TestDistributionPoint(object):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2661 def test_distribution_point_full_name_not_general_names(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2662 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2663 x509.DistributionPoint(["notgn"], None, None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2664
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2665 def test_distribution_point_relative_name_not_name(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2666 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2667 x509.DistributionPoint(None, "notname", None, None)
2668
2669 def test_distribution_point_full_and_relative_not_none(self):
2670 with pytest.raises(ValueError):
2671 x509.DistributionPoint("data", "notname", None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2672
2673 def test_crl_issuer_not_general_names(self):
2674 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2675 x509.DistributionPoint(None, None, None, ["notgn"])
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2676
2677 def test_reason_not_reasonflags(self):
2678 with pytest.raises(TypeError):
2679 x509.DistributionPoint(
2680 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2681 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2682 frozenset(["notreasonflags"]),
2683 None
2684 )
2685
2686 def test_reason_not_frozenset(self):
2687 with pytest.raises(TypeError):
2688 x509.DistributionPoint(
2689 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2690 None,
2691 [x509.ReasonFlags.ca_compromise],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2692 None
2693 )
2694
2695 def test_disallowed_reasons(self):
2696 with pytest.raises(ValueError):
2697 x509.DistributionPoint(
2698 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2699 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2700 frozenset([x509.ReasonFlags.unspecified]),
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2701 None
2702 )
2703
2704 with pytest.raises(ValueError):
2705 x509.DistributionPoint(
2706 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2707 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2708 frozenset([x509.ReasonFlags.remove_from_crl]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2709 None
2710 )
2711
2712 def test_reason_only(self):
2713 with pytest.raises(ValueError):
2714 x509.DistributionPoint(
2715 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2716 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2717 frozenset([x509.ReasonFlags.aa_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2718 None
2719 )
2720
2721 def test_eq(self):
2722 dp = x509.DistributionPoint(
2723 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2724 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2725 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2726 [
2727 x509.DirectoryName(
2728 x509.Name([
2729 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2730 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2731 )
2732 ])
2733 )
2734 ],
2735 )
2736 dp2 = x509.DistributionPoint(
2737 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2738 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2739 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2740 [
2741 x509.DirectoryName(
2742 x509.Name([
2743 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2744 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2745 )
2746 ])
2747 )
2748 ],
2749 )
2750 assert dp == dp2
2751
2752 def test_ne(self):
2753 dp = x509.DistributionPoint(
2754 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2755 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2756 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2757 [
2758 x509.DirectoryName(
2759 x509.Name([
2760 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2761 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2762 )
2763 ])
2764 )
2765 ],
2766 )
2767 dp2 = x509.DistributionPoint(
2768 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2769 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2770 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2771 None
2772 )
2773 assert dp != dp2
2774 assert dp != object()
2775
2776 def test_repr(self):
2777 dp = x509.DistributionPoint(
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2778 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2779 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2780 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN")
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2781 ]),
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2782 frozenset([x509.ReasonFlags.ca_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2783 [
2784 x509.DirectoryName(
2785 x509.Name([
2786 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2787 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2788 )
2789 ])
2790 )
2791 ],
2792 )
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2793 if six.PY3:
2794 assert repr(dp) == (
2795 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2796 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]2797 ">, value='myCN')>])>, reasons=frozenset({<ReasonFlags.ca_comp"
2798 "romise: 'cACompromise'>}), crl_issuer=[<DirectoryName(value=<"
2799 "Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name="
2800 "commonName)>, value='Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2801 )
2802 else:
2803 assert repr(dp) == (
2804 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2805 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2806 ">, value=u'myCN')>])>, reasons=frozenset([<ReasonFlags.ca_com"
2807 "promise: 'cACompromise'>]), crl_issuer=[<DirectoryName(value="
2808 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
2809 "=commonName)>, value=u'Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2810 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2811
2812
2813class TestCRLDistributionPoints(object):
2814 def test_invalid_distribution_points(self):
2815 with pytest.raises(TypeError):
2816 x509.CRLDistributionPoints(["notadistributionpoint"])
2817
2818 def test_iter_len(self):
2819 cdp = x509.CRLDistributionPoints([
2820 x509.DistributionPoint(
2821 [x509.UniformResourceIdentifier(u"http://domain")],
2822 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2823 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2824 None
2825 ),
2826 x509.DistributionPoint(
2827 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2828 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2829 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2830 x509.ReasonFlags.key_compromise,
2831 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2832 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2833 None
2834 ),
2835 ])
2836 assert len(cdp) == 2
2837 assert list(cdp) == [
2838 x509.DistributionPoint(
2839 [x509.UniformResourceIdentifier(u"http://domain")],
2840 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2841 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2842 None
2843 ),
2844 x509.DistributionPoint(
2845 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2846 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2847 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2848 x509.ReasonFlags.key_compromise,
2849 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2850 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2851 None
2852 ),
2853 ]
2854
2855 def test_repr(self):
2856 cdp = x509.CRLDistributionPoints([
2857 x509.DistributionPoint(
2858 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2859 None,
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2860 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2861 None
2862 ),
2863 ])
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2864 if six.PY3:
2865 assert repr(cdp) == (
2866 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2867 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2868 "ne, reasons=frozenset({<ReasonFlags.key_compromise: 'keyComp"
2869 "romise'>}), crl_issuer=None)>])>"
2870 )
2871 else:
2872 assert repr(cdp) == (
2873 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2874 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2875 "ne, reasons=frozenset([<ReasonFlags.key_compromise: 'keyComp"
2876 "romise'>]), crl_issuer=None)>])>"
2877 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2878
2879 def test_eq(self):
2880 cdp = x509.CRLDistributionPoints([
2881 x509.DistributionPoint(
2882 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2883 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2884 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2885 x509.ReasonFlags.key_compromise,
2886 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2887 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2888 [x509.UniformResourceIdentifier(u"uri://thing")],
2889 ),
2890 ])
2891 cdp2 = x509.CRLDistributionPoints([
2892 x509.DistributionPoint(
2893 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2894 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2895 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2896 x509.ReasonFlags.key_compromise,
2897 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2898 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2899 [x509.UniformResourceIdentifier(u"uri://thing")],
2900 ),
2901 ])
2902 assert cdp == cdp2
2903
2904 def test_ne(self):
2905 cdp = x509.CRLDistributionPoints([
2906 x509.DistributionPoint(
2907 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2908 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2909 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2910 x509.ReasonFlags.key_compromise,
2911 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2912 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2913 [x509.UniformResourceIdentifier(u"uri://thing")],
2914 ),
2915 ])
2916 cdp2 = x509.CRLDistributionPoints([
2917 x509.DistributionPoint(
2918 [x509.UniformResourceIdentifier(u"ftp://domain2")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2919 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2920 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2921 x509.ReasonFlags.key_compromise,
2922 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2923 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2924 [x509.UniformResourceIdentifier(u"uri://thing")],
2925 ),
2926 ])
2927 cdp3 = x509.CRLDistributionPoints([
2928 x509.DistributionPoint(
2929 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2930 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2931 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2932 [x509.UniformResourceIdentifier(u"uri://thing")],
2933 ),
2934 ])
2935 cdp4 = x509.CRLDistributionPoints([
2936 x509.DistributionPoint(
2937 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2938 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2939 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2940 x509.ReasonFlags.key_compromise,
2941 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2942 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2943 [x509.UniformResourceIdentifier(u"uri://thing2")],
2944 ),
2945 ])
2946 assert cdp != cdp2
2947 assert cdp != cdp3
2948 assert cdp != cdp4
2949 assert cdp != object()
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2950
2951
2952@pytest.mark.requires_backend_interface(interface=RSABackend)
2953@pytest.mark.requires_backend_interface(interface=X509Backend)
2954class TestCRLDistributionPointsExtension(object):
2955 def test_fullname_and_crl_issuer(self, backend):
2956 cert = _load_cert(
2957 os.path.join(
2958 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest28EE.crt"
2959 ),
2960 x509.load_der_x509_certificate,
2961 backend
2962 )
2963
2964 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2965 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2966 ).value
2967
2968 assert cdps == x509.CRLDistributionPoints([
2969 x509.DistributionPoint(
2970 full_name=[x509.DirectoryName(
2971 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2972 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2973 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2974 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2975 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2976 ),
2977 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2978 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2979 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2980 ),
2981 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2982 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2983 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2984 ),
2985 ])
2986 )],
2987 relative_name=None,
2988 reasons=None,
2989 crl_issuer=[x509.DirectoryName(
2990 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2991 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2992 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2993 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2994 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2995 ),
2996 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2997 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2998 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2999 ),
3000 ])
3001 )],
3002 )
3003 ])
3004
3005 def test_relativename_and_crl_issuer(self, backend):
3006 cert = _load_cert(
3007 os.path.join(
3008 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest29EE.crt"
3009 ),
3010 x509.load_der_x509_certificate,
3011 backend
3012 )
3013
3014 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3015 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3016 ).value
3017
3018 assert cdps == x509.CRLDistributionPoints([
3019 x509.DistributionPoint(
3020 full_name=None,
3021 relative_name=x509.Name([
3022 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3023 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3024 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3025 ),
3026 ]),
3027 reasons=None,
3028 crl_issuer=[x509.DirectoryName(
3029 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3030 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3031 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3032 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3033 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3034 ),
3035 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3036 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3037 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3038 ),
3039 ])
3040 )],
3041 )
3042 ])
3043
3044 def test_fullname_crl_issuer_reasons(self, backend):
3045 cert = _load_cert(
3046 os.path.join(
3047 "x509", "custom", "cdp_fullname_reasons_crl_issuer.pem"
3048 ),
3049 x509.load_pem_x509_certificate,
3050 backend
3051 )
3052
3053 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3054 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3055 ).value
3056
3057 assert cdps == x509.CRLDistributionPoints([
3058 x509.DistributionPoint(
3059 full_name=[x509.UniformResourceIdentifier(
3060 u"http://myhost.com/myca.crl"
3061 )],
3062 relative_name=None,
3063 reasons=frozenset([
3064 x509.ReasonFlags.key_compromise,
3065 x509.ReasonFlags.ca_compromise
3066 ]),
3067 crl_issuer=[x509.DirectoryName(
3068 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3069 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3070 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3071 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3072 ),
3073 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3074 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3075 ),
3076 ])
3077 )],
3078 )
3079 ])
3080
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3081 def test_all_reasons(self, backend):
3082 cert = _load_cert(
3083 os.path.join(
3084 "x509", "custom", "cdp_all_reasons.pem"
3085 ),
3086 x509.load_pem_x509_certificate,
3087 backend
3088 )
3089
3090 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3091 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3092 ).value
3093
3094 assert cdps == x509.CRLDistributionPoints([
3095 x509.DistributionPoint(
3096 full_name=[x509.UniformResourceIdentifier(
3097 u"http://domain.com/some.crl"
3098 )],
3099 relative_name=None,
3100 reasons=frozenset([
3101 x509.ReasonFlags.key_compromise,
3102 x509.ReasonFlags.ca_compromise,
3103 x509.ReasonFlags.affiliation_changed,
3104 x509.ReasonFlags.superseded,
3105 x509.ReasonFlags.privilege_withdrawn,
3106 x509.ReasonFlags.cessation_of_operation,
3107 x509.ReasonFlags.aa_compromise,
3108 x509.ReasonFlags.certificate_hold,
3109 ]),
3110 crl_issuer=None
3111 )
3112 ])
3113
3114 def test_single_reason(self, backend):
3115 cert = _load_cert(
3116 os.path.join(
3117 "x509", "custom", "cdp_reason_aa_compromise.pem"
3118 ),
3119 x509.load_pem_x509_certificate,
3120 backend
3121 )
3122
3123 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3124 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3125 ).value
3126
3127 assert cdps == x509.CRLDistributionPoints([
3128 x509.DistributionPoint(
3129 full_name=[x509.UniformResourceIdentifier(
3130 u"http://domain.com/some.crl"
3131 )],
3132 relative_name=None,
3133 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
3134 crl_issuer=None
3135 )
3136 ])
3137
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3138 def test_crl_issuer_only(self, backend):
3139 cert = _load_cert(
3140 os.path.join(
3141 "x509", "custom", "cdp_crl_issuer.pem"
3142 ),
3143 x509.load_pem_x509_certificate,
3144 backend
3145 )
3146
3147 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3148 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3149 ).value
3150
3151 assert cdps == x509.CRLDistributionPoints([
3152 x509.DistributionPoint(
3153 full_name=None,
3154 relative_name=None,
3155 reasons=None,
3156 crl_issuer=[x509.DirectoryName(
3157 x509.Name([
3158 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3159 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3160 ),
3161 ])
3162 )],
3163 )
3164 ])
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3165
Dominic Chen87bb9572015-10-09 00:23:07 -0400[diff] [blame]3166 def test_crl_empty_hostname(self, backend):
3167 cert = _load_cert(
3168 os.path.join(
3169 "x509", "custom", "cdp_empty_hostname.pem"
3170 ),
3171 x509.load_pem_x509_certificate,
3172 backend
3173 )
3174
3175 cdps = cert.extensions.get_extension_for_oid(
3176 ExtensionOID.CRL_DISTRIBUTION_POINTS
3177 ).value
3178
3179 assert cdps == x509.CRLDistributionPoints([
3180 x509.DistributionPoint(
3181 full_name=[x509.UniformResourceIdentifier(
3182 u"ldap:/CN=A,OU=B,dc=C,DC=D?E?F?G?H=I"
3183 )],
3184 relative_name=None,
3185 reasons=None,
3186 crl_issuer=None
3187 )
3188 ])
3189
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3190
Paul Kehrerf54a50b2015-06-17 18:31:26 -0600[diff] [blame]3191@pytest.mark.requires_backend_interface(interface=RSABackend)
3192@pytest.mark.requires_backend_interface(interface=X509Backend)
3193class TestOCSPNoCheckExtension(object):
3194 def test_nocheck(self, backend):
3195 cert = _load_cert(
3196 os.path.join(
3197 "x509", "custom", "ocsp_nocheck.pem"
3198 ),
3199 x509.load_pem_x509_certificate,
3200 backend
3201 )
3202 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3203 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf54a50b2015-06-17 18:31:26 -0600[diff] [blame]3204 )
3205 assert isinstance(ext.value, x509.OCSPNoCheck)
3206
3207
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3208class TestInhibitAnyPolicy(object):
3209 def test_not_int(self):
3210 with pytest.raises(TypeError):
3211 x509.InhibitAnyPolicy("notint")
3212
3213 def test_negative_int(self):
3214 with pytest.raises(ValueError):
3215 x509.InhibitAnyPolicy(-1)
3216
3217 def test_repr(self):
3218 iap = x509.InhibitAnyPolicy(0)
3219 assert repr(iap) == "<InhibitAnyPolicy(skip_certs=0)>"
3220
3221 def test_eq(self):
3222 iap = x509.InhibitAnyPolicy(1)
3223 iap2 = x509.InhibitAnyPolicy(1)
3224 assert iap == iap2
3225
3226 def test_ne(self):
3227 iap = x509.InhibitAnyPolicy(1)
3228 iap2 = x509.InhibitAnyPolicy(4)
3229 assert iap != iap2
3230 assert iap != object()
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]3231
3232
3233@pytest.mark.requires_backend_interface(interface=RSABackend)
3234@pytest.mark.requires_backend_interface(interface=X509Backend)
3235class TestInhibitAnyPolicyExtension(object):
3236 def test_nocheck(self, backend):
3237 cert = _load_cert(
3238 os.path.join(
3239 "x509", "custom", "inhibit_any_policy_5.pem"
3240 ),
3241 x509.load_pem_x509_certificate,
3242 backend
3243 )
3244 iap = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3245 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]3246 ).value
3247 assert iap.skip_certs == 5
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]3248
3249
3250@pytest.mark.requires_backend_interface(interface=RSABackend)
3251@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1b7500f2015-08-01 20:56:27 +0100[diff] [blame]3252class TestInvalidExtension(object):
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]3253 def test_invalid_certificate_policies_data(self, backend):
3254 cert = _load_cert(
3255 os.path.join(
3256 "x509", "custom", "cp_invalid.pem"
3257 ),
3258 x509.load_pem_x509_certificate,
3259 backend
3260 )
3261 with pytest.raises(ValueError):
3262 cert.extensions