Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / fca629c1c6eff5357fce52505947834cc7f4d277 / . / tests / test_x509_ext.py
blob: 40231b938605849a736c322612bb178b8993f754 [file] [log] [blame]
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]7import binascii
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]8import ipaddress
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]9import os
10
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]11import pytest
12
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]13import six
14
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]15from cryptography import x509
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]16from cryptography.hazmat.backends.interfaces import (
17 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
18)
19from cryptography.hazmat.primitives.asymmetric import ec
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]20
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]21from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]22from .test_x509 import _load_cert
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]23
24
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]25class TestExtension(object):
26 def test_not_an_oid(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]27 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]28 with pytest.raises(TypeError):
29 x509.Extension("notanoid", True, bc)
30
31 def test_critical_not_a_bool(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]32 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]33 with pytest.raises(TypeError):
34 x509.Extension(x509.OID_BASIC_CONSTRAINTS, "notabool", bc)
35
36 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]37 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]38 ext = x509.Extension(x509.OID_BASIC_CONSTRAINTS, True, bc)
39 assert repr(ext) == (
40 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConst"
41 "raints)>, critical=True, value=<BasicConstraints(ca=False, path"
42 "_length=None)>)>"
43 )
44
Paul Kehrer58e870c2015-05-17 09:15:30 -0700[diff] [blame]45 def test_eq(self):
46 ext1 = x509.Extension(
47 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
48 )
49 ext2 = x509.Extension(
50 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
51 )
52 assert ext1 == ext2
53
54 def test_ne(self):
55 ext1 = x509.Extension(
56 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
57 )
58 ext2 = x509.Extension(
59 x509.ObjectIdentifier('1.2.3.5'), False, 'value'
60 )
61 ext3 = x509.Extension(
62 x509.ObjectIdentifier('1.2.3.4'), True, 'value'
63 )
64 ext4 = x509.Extension(
65 x509.ObjectIdentifier('1.2.3.4'), False, 'value4'
66 )
67 assert ext1 != ext2
68 assert ext1 != ext3
69 assert ext1 != ext4
70 assert ext1 != object()
71
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]72
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]73class TestNoticeReference(object):
74 def test_notice_numbers_not_all_int(self):
75 with pytest.raises(TypeError):
76 x509.NoticeReference("org", [1, 2, "three"])
77
78 def test_notice_numbers_none(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]79 with pytest.raises(TypeError):
80 x509.NoticeReference("org", None)
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]81
82 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]83 nr = x509.NoticeReference(u"org", [1, 3, 4])
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]84
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]85 if six.PY3:
86 assert repr(nr) == (
87 "<NoticeReference(organization='org', notice_numbers=[1, 3, 4"
88 "])>"
89 )
90 else:
91 assert repr(nr) == (
92 "<NoticeReference(organization=u'org', notice_numbers=[1, 3, "
93 "4])>"
94 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]95
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]96 def test_eq(self):
97 nr = x509.NoticeReference("org", [1, 2])
98 nr2 = x509.NoticeReference("org", [1, 2])
99 assert nr == nr2
100
101 def test_ne(self):
102 nr = x509.NoticeReference("org", [1, 2])
103 nr2 = x509.NoticeReference("org", [1])
104 nr3 = x509.NoticeReference(None, [1, 2])
105 assert nr != nr2
106 assert nr != nr3
107 assert nr != object()
108
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]109
110class TestUserNotice(object):
111 def test_notice_reference_invalid(self):
112 with pytest.raises(TypeError):
113 x509.UserNotice("invalid", None)
114
115 def test_notice_reference_none(self):
116 un = x509.UserNotice(None, "text")
117 assert un.notice_reference is None
118 assert un.explicit_text == "text"
119
120 def test_repr(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]121 un = x509.UserNotice(x509.NoticeReference(u"org", [1]), u"text")
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]122 if six.PY3:
123 assert repr(un) == (
124 "<UserNotice(notice_reference=<NoticeReference(organization='"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]125 "org', notice_numbers=[1])>, explicit_text='text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]126 )
127 else:
128 assert repr(un) == (
129 "<UserNotice(notice_reference=<NoticeReference(organization=u"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]130 "'org', notice_numbers=[1])>, explicit_text=u'text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]131 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]132
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]133 def test_eq(self):
134 nr = x509.NoticeReference("org", [1, 2])
135 nr2 = x509.NoticeReference("org", [1, 2])
136 un = x509.UserNotice(nr, "text")
137 un2 = x509.UserNotice(nr2, "text")
138 assert un == un2
139
140 def test_ne(self):
141 nr = x509.NoticeReference("org", [1, 2])
142 nr2 = x509.NoticeReference("org", [1])
143 un = x509.UserNotice(nr, "text")
144 un2 = x509.UserNotice(nr2, "text")
145 un3 = x509.UserNotice(nr, "text3")
146 assert un != un2
147 assert un != un3
148 assert un != object()
149
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]150
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]151class TestPolicyInformation(object):
152 def test_invalid_policy_identifier(self):
153 with pytest.raises(TypeError):
154 x509.PolicyInformation("notanoid", None)
155
156 def test_none_policy_qualifiers(self):
157 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), None)
158 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
159 assert pi.policy_qualifiers is None
160
161 def test_policy_qualifiers(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]162 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]163 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
164 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
165 assert pi.policy_qualifiers == pq
166
167 def test_invalid_policy_identifiers(self):
168 with pytest.raises(TypeError):
169 x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [1, 2])
170
171 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]172 pq = [u"string", x509.UserNotice(None, u"hi")]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]173 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]174 if six.PY3:
175 assert repr(pi) == (
176 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
177 "2.3, name=Unknown OID)>, policy_qualifiers=['string', <UserNo"
Paul Kehrer9aaef9e2015-05-11 10:49:20 -0500[diff] [blame]178 "tice(notice_reference=None, explicit_text='hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]179 )
180 else:
181 assert repr(pi) == (
182 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
183 "2.3, name=Unknown OID)>, policy_qualifiers=[u'string', <UserN"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]184 "otice(notice_reference=None, explicit_text=u'hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]185 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]186
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]187 def test_eq(self):
188 pi = x509.PolicyInformation(
189 x509.ObjectIdentifier("1.2.3"),
190 [u"string", x509.UserNotice(None, u"hi")]
191 )
192 pi2 = x509.PolicyInformation(
193 x509.ObjectIdentifier("1.2.3"),
194 [u"string", x509.UserNotice(None, u"hi")]
195 )
196 assert pi == pi2
197
198 def test_ne(self):
199 pi = x509.PolicyInformation(
200 x509.ObjectIdentifier("1.2.3"), [u"string"]
201 )
202 pi2 = x509.PolicyInformation(
203 x509.ObjectIdentifier("1.2.3"), [u"string2"]
204 )
205 pi3 = x509.PolicyInformation(
206 x509.ObjectIdentifier("1.2.3.4"), [u"string"]
207 )
208 assert pi != pi2
209 assert pi != pi3
210 assert pi != object()
211
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]212
213class TestCertificatePolicies(object):
214 def test_invalid_policies(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]215 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]216 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
217 with pytest.raises(TypeError):
218 x509.CertificatePolicies([1, pi])
219
220 def test_iter_len(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]221 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]222 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
223 cp = x509.CertificatePolicies([pi])
224 assert len(cp) == 1
225 for policyinfo in cp:
226 assert policyinfo == pi
227
228 def test_repr(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]229 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]230 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
231 cp = x509.CertificatePolicies([pi])
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]232 if six.PY3:
233 assert repr(cp) == (
234 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
235 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
236 "ers=['string'])>])>"
237 )
238 else:
239 assert repr(cp) == (
240 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
241 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
242 "ers=[u'string'])>])>"
243 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]244
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]245 def test_eq(self):
246 pi = x509.PolicyInformation(
247 x509.ObjectIdentifier("1.2.3"), [u"string"]
248 )
249 cp = x509.CertificatePolicies([pi])
250 pi2 = x509.PolicyInformation(
251 x509.ObjectIdentifier("1.2.3"), [u"string"]
252 )
253 cp2 = x509.CertificatePolicies([pi2])
254 assert cp == cp2
255
256 def test_ne(self):
257 pi = x509.PolicyInformation(
258 x509.ObjectIdentifier("1.2.3"), [u"string"]
259 )
260 cp = x509.CertificatePolicies([pi])
261 pi2 = x509.PolicyInformation(
262 x509.ObjectIdentifier("1.2.3"), [u"string2"]
263 )
264 cp2 = x509.CertificatePolicies([pi2])
265 assert cp != cp2
266 assert cp != object()
267
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]268
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]269@pytest.mark.requires_backend_interface(interface=RSABackend)
270@pytest.mark.requires_backend_interface(interface=X509Backend)
271class TestCertificatePoliciesExtension(object):
272 def test_cps_uri_policy_qualifier(self, backend):
273 cert = _load_cert(
274 os.path.join("x509", "custom", "cp_cps_uri.pem"),
275 x509.load_pem_x509_certificate,
276 backend
277 )
278
279 cp = cert.extensions.get_extension_for_oid(
280 x509.OID_CERTIFICATE_POLICIES
281 ).value
282
283 assert cp == x509.CertificatePolicies([
284 x509.PolicyInformation(
285 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
286 [u"http://other.com/cps"]
287 )
288 ])
289
290 def test_user_notice_with_notice_reference(self, backend):
291 cert = _load_cert(
292 os.path.join(
293 "x509", "custom", "cp_user_notice_with_notice_reference.pem"
294 ),
295 x509.load_pem_x509_certificate,
296 backend
297 )
298
299 cp = cert.extensions.get_extension_for_oid(
300 x509.OID_CERTIFICATE_POLICIES
301 ).value
302
303 assert cp == x509.CertificatePolicies([
304 x509.PolicyInformation(
305 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
306 [
307 u"http://example.com/cps",
308 u"http://other.com/cps",
309 x509.UserNotice(
310 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
311 u"thing"
312 )
313 ]
314 )
315 ])
316
317 def test_user_notice_with_explicit_text(self, backend):
318 cert = _load_cert(
319 os.path.join(
320 "x509", "custom", "cp_user_notice_with_explicit_text.pem"
321 ),
322 x509.load_pem_x509_certificate,
323 backend
324 )
325
326 cp = cert.extensions.get_extension_for_oid(
327 x509.OID_CERTIFICATE_POLICIES
328 ).value
329
330 assert cp == x509.CertificatePolicies([
331 x509.PolicyInformation(
332 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
333 [x509.UserNotice(None, u"thing")]
334 )
335 ])
336
337 def test_user_notice_no_explicit_text(self, backend):
338 cert = _load_cert(
339 os.path.join(
340 "x509", "custom", "cp_user_notice_no_explicit_text.pem"
341 ),
342 x509.load_pem_x509_certificate,
343 backend
344 )
345
346 cp = cert.extensions.get_extension_for_oid(
347 x509.OID_CERTIFICATE_POLICIES
348 ).value
349
350 assert cp == x509.CertificatePolicies([
351 x509.PolicyInformation(
352 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
353 [
354 x509.UserNotice(
355 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
356 None
357 )
358 ]
359 )
360 ])
361
362
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]363class TestKeyUsage(object):
364 def test_key_agreement_false_encipher_decipher_true(self):
365 with pytest.raises(ValueError):
366 x509.KeyUsage(
367 digital_signature=False,
368 content_commitment=False,
369 key_encipherment=False,
370 data_encipherment=False,
371 key_agreement=False,
372 key_cert_sign=False,
373 crl_sign=False,
374 encipher_only=True,
375 decipher_only=False
376 )
377
378 with pytest.raises(ValueError):
379 x509.KeyUsage(
380 digital_signature=False,
381 content_commitment=False,
382 key_encipherment=False,
383 data_encipherment=False,
384 key_agreement=False,
385 key_cert_sign=False,
386 crl_sign=False,
387 encipher_only=True,
388 decipher_only=True
389 )
390
391 with pytest.raises(ValueError):
392 x509.KeyUsage(
393 digital_signature=False,
394 content_commitment=False,
395 key_encipherment=False,
396 data_encipherment=False,
397 key_agreement=False,
398 key_cert_sign=False,
399 crl_sign=False,
400 encipher_only=False,
401 decipher_only=True
402 )
403
404 def test_properties_key_agreement_true(self):
405 ku = x509.KeyUsage(
406 digital_signature=True,
407 content_commitment=True,
408 key_encipherment=False,
409 data_encipherment=False,
410 key_agreement=False,
411 key_cert_sign=True,
412 crl_sign=False,
413 encipher_only=False,
414 decipher_only=False
415 )
416 assert ku.digital_signature is True
417 assert ku.content_commitment is True
418 assert ku.key_encipherment is False
419 assert ku.data_encipherment is False
420 assert ku.key_agreement is False
421 assert ku.key_cert_sign is True
422 assert ku.crl_sign is False
423
424 def test_key_agreement_true_properties(self):
425 ku = x509.KeyUsage(
426 digital_signature=False,
427 content_commitment=False,
428 key_encipherment=False,
429 data_encipherment=False,
430 key_agreement=True,
431 key_cert_sign=False,
432 crl_sign=False,
433 encipher_only=False,
434 decipher_only=True
435 )
436 assert ku.key_agreement is True
437 assert ku.encipher_only is False
438 assert ku.decipher_only is True
439
440 def test_key_agreement_false_properties(self):
441 ku = x509.KeyUsage(
442 digital_signature=False,
443 content_commitment=False,
444 key_encipherment=False,
445 data_encipherment=False,
446 key_agreement=False,
447 key_cert_sign=False,
448 crl_sign=False,
449 encipher_only=False,
450 decipher_only=False
451 )
452 assert ku.key_agreement is False
453 with pytest.raises(ValueError):
454 ku.encipher_only
455
456 with pytest.raises(ValueError):
457 ku.decipher_only
458
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]459 def test_repr_key_agreement_false(self):
460 ku = x509.KeyUsage(
461 digital_signature=True,
462 content_commitment=True,
463 key_encipherment=False,
464 data_encipherment=False,
465 key_agreement=False,
466 key_cert_sign=True,
467 crl_sign=False,
468 encipher_only=False,
469 decipher_only=False
470 )
471 assert repr(ku) == (
472 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
473 "cipherment=False, data_encipherment=False, key_agreement=False, k"
Paul Kehrerb372e672015-04-15 11:05:24 -0400[diff] [blame]474 "ey_cert_sign=True, crl_sign=False, encipher_only=None, decipher_o"
475 "nly=None)>"
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]476 )
477
478 def test_repr_key_agreement_true(self):
479 ku = x509.KeyUsage(
480 digital_signature=True,
481 content_commitment=True,
482 key_encipherment=False,
483 data_encipherment=False,
484 key_agreement=True,
485 key_cert_sign=True,
486 crl_sign=False,
487 encipher_only=False,
488 decipher_only=False
489 )
490 assert repr(ku) == (
491 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
492 "cipherment=False, data_encipherment=False, key_agreement=True, k"
493 "ey_cert_sign=True, crl_sign=False, encipher_only=False, decipher_"
494 "only=False)>"
495 )
496
Paul Kehrer8565f5e2015-05-13 09:57:09 -0500[diff] [blame]497 def test_eq(self):
498 ku = x509.KeyUsage(
499 digital_signature=False,
500 content_commitment=False,
501 key_encipherment=False,
502 data_encipherment=False,
503 key_agreement=True,
504 key_cert_sign=False,
505 crl_sign=False,
506 encipher_only=False,
507 decipher_only=True
508 )
509 ku2 = x509.KeyUsage(
510 digital_signature=False,
511 content_commitment=False,
512 key_encipherment=False,
513 data_encipherment=False,
514 key_agreement=True,
515 key_cert_sign=False,
516 crl_sign=False,
517 encipher_only=False,
518 decipher_only=True
519 )
520 assert ku == ku2
521
522 def test_ne(self):
523 ku = x509.KeyUsage(
524 digital_signature=False,
525 content_commitment=False,
526 key_encipherment=False,
527 data_encipherment=False,
528 key_agreement=True,
529 key_cert_sign=False,
530 crl_sign=False,
531 encipher_only=False,
532 decipher_only=True
533 )
534 ku2 = x509.KeyUsage(
535 digital_signature=False,
536 content_commitment=False,
537 key_encipherment=False,
538 data_encipherment=False,
539 key_agreement=False,
540 key_cert_sign=False,
541 crl_sign=False,
542 encipher_only=False,
543 decipher_only=False
544 )
545 assert ku != ku2
546 assert ku != object()
547
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]548
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]549class TestSubjectKeyIdentifier(object):
550 def test_properties(self):
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]551 value = binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]552 ski = x509.SubjectKeyIdentifier(value)
553 assert ski.digest == value
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]554
555 def test_repr(self):
556 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]557 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]558 )
559 ext = x509.Extension(x509.OID_SUBJECT_KEY_IDENTIFIER, False, ski)
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]560 if six.PY3:
561 assert repr(ext) == (
562 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
563 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
564 "igest=b\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
565 "\\xf7\\xff:\\xc9\')>)>"
566 )
567 else:
568 assert repr(ext) == (
569 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
570 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
571 "igest=\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
572 "\\xf7\\xff:\\xc9\')>)>"
573 )
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]574
575 def test_eq(self):
576 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]577 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]578 )
579 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]580 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]581 )
582 assert ski == ski2
583
584 def test_ne(self):
585 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]586 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]587 )
588 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]589 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]590 )
591 assert ski != ski2
592 assert ski != object()
593
594
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]595class TestAuthorityKeyIdentifier(object):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]596 def test_authority_cert_issuer_not_generalname(self):
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]597 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]598 x509.AuthorityKeyIdentifier(b"identifier", ["notname"], 3)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]599
600 def test_authority_cert_serial_number_not_integer(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]601 dirname = x509.DirectoryName(
602 x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]603 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
604 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]605 ])
606 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]607 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]608 x509.AuthorityKeyIdentifier(b"identifier", [dirname], "notanint")
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]609
610 def test_authority_issuer_none_serial_not_none(self):
611 with pytest.raises(ValueError):
612 x509.AuthorityKeyIdentifier(b"identifier", None, 3)
613
614 def test_authority_issuer_not_none_serial_none(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]615 dirname = x509.DirectoryName(
616 x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]617 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
618 x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]619 ])
620 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]621 with pytest.raises(ValueError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]622 x509.AuthorityKeyIdentifier(b"identifier", [dirname], None)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]623
624 def test_authority_cert_serial_and_issuer_none(self):
625 aki = x509.AuthorityKeyIdentifier(b"id", None, None)
626 assert aki.key_identifier == b"id"
627 assert aki.authority_cert_issuer is None
628 assert aki.authority_cert_serial_number is None
629
630 def test_repr(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]631 dirname = x509.DirectoryName(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]632 x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, u'myCN')])
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]633 )
634 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]635
636 if six.PY3:
637 assert repr(aki) == (
638 "<AuthorityKeyIdentifier(key_identifier=b'digest', authority_"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]639 "cert_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid="
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]640 "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value='myC"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]641 "N')>])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]642 )
643 else:
644 assert repr(aki) == (
645 "<AuthorityKeyIdentifier(key_identifier='digest', authority_ce"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]646 "rt_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid=<Ob"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]647 "jectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'myCN')"
648 ">])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]649 )
650
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]651 def test_eq(self):
652 dirname = x509.DirectoryName(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]653 x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]654 )
655 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
656 dirname2 = x509.DirectoryName(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]657 x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]658 )
659 aki2 = x509.AuthorityKeyIdentifier(b"digest", [dirname2], 1234)
660 assert aki == aki2
661
662 def test_ne(self):
663 dirname = x509.DirectoryName(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]664 x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]665 )
666 dirname5 = x509.DirectoryName(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]667 x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, u'aCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]668 )
669 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
670 aki2 = x509.AuthorityKeyIdentifier(b"diges", [dirname], 1234)
671 aki3 = x509.AuthorityKeyIdentifier(b"digest", None, None)
672 aki4 = x509.AuthorityKeyIdentifier(b"digest", [dirname], 12345)
673 aki5 = x509.AuthorityKeyIdentifier(b"digest", [dirname5], 12345)
674 assert aki != aki2
675 assert aki != aki3
676 assert aki != aki4
677 assert aki != aki5
678 assert aki != object()
679
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]680
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]681class TestBasicConstraints(object):
682 def test_ca_not_boolean(self):
683 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]684 x509.BasicConstraints(ca="notbool", path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]685
686 def test_path_length_not_ca(self):
687 with pytest.raises(ValueError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]688 x509.BasicConstraints(ca=False, path_length=0)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]689
690 def test_path_length_not_int(self):
691 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]692 x509.BasicConstraints(ca=True, path_length=1.1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]693
694 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]695 x509.BasicConstraints(ca=True, path_length="notint")
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]696
697 def test_path_length_negative(self):
698 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]699 x509.BasicConstraints(ca=True, path_length=-1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]700
701 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]702 na = x509.BasicConstraints(ca=True, path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]703 assert repr(na) == (
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]704 "<BasicConstraints(ca=True, path_length=None)>"
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]705 )
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]706
Paul Kehrer3a69b132015-05-13 10:03:46 -0500[diff] [blame]707 def test_eq(self):
708 na = x509.BasicConstraints(ca=True, path_length=None)
709 na2 = x509.BasicConstraints(ca=True, path_length=None)
710 assert na == na2
711
712 def test_ne(self):
713 na = x509.BasicConstraints(ca=True, path_length=None)
714 na2 = x509.BasicConstraints(ca=True, path_length=1)
715 na3 = x509.BasicConstraints(ca=False, path_length=None)
716 assert na != na2
717 assert na != na3
718 assert na != object()
719
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]720
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]721class TestExtendedKeyUsage(object):
722 def test_not_all_oids(self):
723 with pytest.raises(TypeError):
724 x509.ExtendedKeyUsage(["notoid"])
725
726 def test_iter_len(self):
727 eku = x509.ExtendedKeyUsage([
728 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
729 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
730 ])
731 assert len(eku) == 2
732 assert list(eku) == [
733 x509.OID_SERVER_AUTH,
734 x509.OID_CLIENT_AUTH
735 ]
736
Paul Kehrer23d10c32015-04-02 23:12:32 -0500[diff] [blame]737 def test_repr(self):
738 eku = x509.ExtendedKeyUsage([
739 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
740 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
741 ])
742 assert repr(eku) == (
743 "<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name="
744 "serverAuth)>, <ObjectIdentifier(oid=1.3.6.1.5.5.7.3.2, name=clien"
745 "tAuth)>])>"
746 )
747
Paul Kehrerb0476172015-05-02 19:34:51 -0500[diff] [blame]748 def test_eq(self):
749 eku = x509.ExtendedKeyUsage([
750 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
751 ])
752 eku2 = x509.ExtendedKeyUsage([
753 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
754 ])
755 assert eku == eku2
756
757 def test_ne(self):
758 eku = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6")])
759 eku2 = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6.1")])
760 assert eku != eku2
761 assert eku != object()
762
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]763
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]764@pytest.mark.requires_backend_interface(interface=RSABackend)
765@pytest.mark.requires_backend_interface(interface=X509Backend)
766class TestExtensions(object):
767 def test_no_extensions(self, backend):
768 cert = _load_cert(
769 os.path.join("x509", "verisign_md2_root.pem"),
770 x509.load_pem_x509_certificate,
771 backend
772 )
773 ext = cert.extensions
774 assert len(ext) == 0
775 assert list(ext) == []
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]776 with pytest.raises(x509.ExtensionNotFound) as exc:
777 ext.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
778
779 assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS
780
781 def test_one_extension(self, backend):
782 cert = _load_cert(
783 os.path.join(
784 "x509", "custom", "basic_constraints_not_critical.pem"
785 ),
786 x509.load_pem_x509_certificate,
787 backend
788 )
789 extensions = cert.extensions
790 ext = extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
791 assert ext is not None
792 assert ext.value.ca is False
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]793
794 def test_duplicate_extension(self, backend):
795 cert = _load_cert(
796 os.path.join(
797 "x509", "custom", "two_basic_constraints.pem"
798 ),
799 x509.load_pem_x509_certificate,
800 backend
801 )
802 with pytest.raises(x509.DuplicateExtension) as exc:
803 cert.extensions
804
805 assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS
806
807 def test_unsupported_critical_extension(self, backend):
808 cert = _load_cert(
809 os.path.join(
810 "x509", "custom", "unsupported_extension_critical.pem"
811 ),
812 x509.load_pem_x509_certificate,
813 backend
814 )
815 with pytest.raises(x509.UnsupportedExtension) as exc:
816 cert.extensions
817
818 assert exc.value.oid == x509.ObjectIdentifier("1.2.3.4")
819
820 def test_unsupported_extension(self, backend):
821 # TODO: this will raise an exception when all extensions are complete
822 cert = _load_cert(
823 os.path.join(
824 "x509", "custom", "unsupported_extension.pem"
825 ),
826 x509.load_pem_x509_certificate,
827 backend
828 )
829 extensions = cert.extensions
830 assert len(extensions) == 0
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]831
832
833@pytest.mark.requires_backend_interface(interface=RSABackend)
834@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerde813ea2015-03-28 12:44:34 -0500[diff] [blame]835class TestBasicConstraintsExtension(object):
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]836 def test_ca_true_pathlen_6(self, backend):
837 cert = _load_cert(
838 os.path.join(
839 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
840 ),
841 x509.load_der_x509_certificate,
842 backend
843 )
844 ext = cert.extensions.get_extension_for_oid(
845 x509.OID_BASIC_CONSTRAINTS
846 )
847 assert ext is not None
848 assert ext.critical is True
849 assert ext.value.ca is True
850 assert ext.value.path_length == 6
851
852 def test_path_length_zero(self, backend):
853 cert = _load_cert(
854 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
855 x509.load_pem_x509_certificate,
856 backend
857 )
858 ext = cert.extensions.get_extension_for_oid(
859 x509.OID_BASIC_CONSTRAINTS
860 )
861 assert ext is not None
862 assert ext.critical is True
863 assert ext.value.ca is True
864 assert ext.value.path_length == 0
865
866 def test_ca_true_no_pathlen(self, backend):
867 cert = _load_cert(
868 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
869 x509.load_der_x509_certificate,
870 backend
871 )
872 ext = cert.extensions.get_extension_for_oid(
873 x509.OID_BASIC_CONSTRAINTS
874 )
875 assert ext is not None
876 assert ext.critical is True
877 assert ext.value.ca is True
878 assert ext.value.path_length is None
879
880 def test_ca_false(self, backend):
881 cert = _load_cert(
882 os.path.join("x509", "cryptography.io.pem"),
883 x509.load_pem_x509_certificate,
884 backend
885 )
886 ext = cert.extensions.get_extension_for_oid(
887 x509.OID_BASIC_CONSTRAINTS
888 )
889 assert ext is not None
890 assert ext.critical is True
891 assert ext.value.ca is False
892 assert ext.value.path_length is None
893
894 def test_no_basic_constraints(self, backend):
895 cert = _load_cert(
896 os.path.join(
897 "x509",
898 "PKITS_data",
899 "certs",
900 "ValidCertificatePathTest1EE.crt"
901 ),
902 x509.load_der_x509_certificate,
903 backend
904 )
905 with pytest.raises(x509.ExtensionNotFound):
906 cert.extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
907
908 def test_basic_constraint_not_critical(self, backend):
909 cert = _load_cert(
910 os.path.join(
911 "x509", "custom", "basic_constraints_not_critical.pem"
912 ),
913 x509.load_pem_x509_certificate,
914 backend
915 )
916 ext = cert.extensions.get_extension_for_oid(
917 x509.OID_BASIC_CONSTRAINTS
918 )
919 assert ext is not None
920 assert ext.critical is False
921 assert ext.value.ca is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]922
923
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]924class TestSubjectKeyIdentifierExtension(object):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]925 @pytest.mark.requires_backend_interface(interface=RSABackend)
926 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]927 def test_subject_key_identifier(self, backend):
928 cert = _load_cert(
929 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
930 x509.load_der_x509_certificate,
931 backend
932 )
933 ext = cert.extensions.get_extension_for_oid(
934 x509.OID_SUBJECT_KEY_IDENTIFIER
935 )
936 ski = ext.value
937 assert ext is not None
938 assert ext.critical is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]939 assert ski.digest == binascii.unhexlify(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]940 b"580184241bbc2b52944a3da510721451f5af3ac9"
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]941 )
942
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]943 @pytest.mark.requires_backend_interface(interface=RSABackend)
944 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]945 def test_no_subject_key_identifier(self, backend):
946 cert = _load_cert(
947 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
948 x509.load_pem_x509_certificate,
949 backend
950 )
951 with pytest.raises(x509.ExtensionNotFound):
952 cert.extensions.get_extension_for_oid(
953 x509.OID_SUBJECT_KEY_IDENTIFIER
954 )
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]955
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]956 @pytest.mark.requires_backend_interface(interface=RSABackend)
957 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]958 def test_from_rsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]959 cert = _load_cert(
960 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
961 x509.load_der_x509_certificate,
962 backend
963 )
964 ext = cert.extensions.get_extension_for_oid(
965 x509.OID_SUBJECT_KEY_IDENTIFIER
966 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]967 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]968 cert.public_key()
969 )
970 assert ext.value == ski
971
972 @pytest.mark.requires_backend_interface(interface=DSABackend)
973 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]974 def test_from_dsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]975 cert = _load_cert(
976 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
977 x509.load_pem_x509_certificate,
978 backend
979 )
980
981 ext = cert.extensions.get_extension_for_oid(
982 x509.OID_SUBJECT_KEY_IDENTIFIER
983 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]984 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]985 cert.public_key()
986 )
987 assert ext.value == ski
988
989 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
990 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]991 def test_from_ec_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]992 _skip_curve_unsupported(backend, ec.SECP384R1())
993 cert = _load_cert(
994 os.path.join("x509", "ecdsa_root.pem"),
995 x509.load_pem_x509_certificate,
996 backend
997 )
998
999 ext = cert.extensions.get_extension_for_oid(
1000 x509.OID_SUBJECT_KEY_IDENTIFIER
1001 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1002 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1003 cert.public_key()
1004 )
1005 assert ext.value == ski
1006
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1007
1008@pytest.mark.requires_backend_interface(interface=RSABackend)
1009@pytest.mark.requires_backend_interface(interface=X509Backend)
1010class TestKeyUsageExtension(object):
1011 def test_no_key_usage(self, backend):
1012 cert = _load_cert(
1013 os.path.join("x509", "verisign_md2_root.pem"),
1014 x509.load_pem_x509_certificate,
1015 backend
1016 )
1017 ext = cert.extensions
1018 with pytest.raises(x509.ExtensionNotFound) as exc:
1019 ext.get_extension_for_oid(x509.OID_KEY_USAGE)
1020
1021 assert exc.value.oid == x509.OID_KEY_USAGE
1022
1023 def test_all_purposes(self, backend):
1024 cert = _load_cert(
1025 os.path.join(
1026 "x509", "custom", "all_key_usages.pem"
1027 ),
1028 x509.load_pem_x509_certificate,
1029 backend
1030 )
1031 extensions = cert.extensions
1032 ext = extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
1033 assert ext is not None
1034
1035 ku = ext.value
1036 assert ku.digital_signature is True
1037 assert ku.content_commitment is True
1038 assert ku.key_encipherment is True
1039 assert ku.data_encipherment is True
1040 assert ku.key_agreement is True
1041 assert ku.key_cert_sign is True
1042 assert ku.crl_sign is True
1043 assert ku.encipher_only is True
1044 assert ku.decipher_only is True
1045
1046 def test_key_cert_sign_crl_sign(self, backend):
1047 cert = _load_cert(
1048 os.path.join(
1049 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
1050 ),
1051 x509.load_der_x509_certificate,
1052 backend
1053 )
1054 ext = cert.extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
1055 assert ext is not None
1056 assert ext.critical is True
1057
1058 ku = ext.value
1059 assert ku.digital_signature is False
1060 assert ku.content_commitment is False
1061 assert ku.key_encipherment is False
1062 assert ku.data_encipherment is False
1063 assert ku.key_agreement is False
1064 assert ku.key_cert_sign is True
1065 assert ku.crl_sign is True
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1066
1067
1068@pytest.mark.parametrize(
1069 "name", [
1070 x509.RFC822Name,
1071 x509.DNSName,
1072 x509.UniformResourceIdentifier
1073 ]
1074)
1075class TestTextGeneralNames(object):
1076 def test_not_text(self, name):
1077 with pytest.raises(TypeError):
1078 name(b"notaunicodestring")
1079
1080 with pytest.raises(TypeError):
1081 name(1.3)
1082
1083 def test_repr(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1084 gn = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1085 assert repr(gn) == "<{0}(value=string)>".format(name.__name__)
1086
1087 def test_eq(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1088 gn = name(u"string")
1089 gn2 = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1090 assert gn == gn2
1091
1092 def test_ne(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1093 gn = name(u"string")
1094 gn2 = name(u"string2")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1095 assert gn != gn2
1096 assert gn != object()
1097
1098
1099class TestDirectoryName(object):
1100 def test_not_name(self):
1101 with pytest.raises(TypeError):
1102 x509.DirectoryName(b"notaname")
1103
1104 with pytest.raises(TypeError):
1105 x509.DirectoryName(1.3)
1106
1107 def test_repr(self):
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1108 name = x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, u'value1')])
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1109 gn = x509.DirectoryName(x509.Name([name]))
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]1110 if six.PY3:
1111 assert repr(gn) == (
1112 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1113 "Identifier(oid=2.5.4.3, name=commonName)>, value='value1')>])"
1114 ">])>)>"
1115 )
1116 else:
1117 assert repr(gn) == (
1118 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1119 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'value1')>]"
1120 ")>])>)>"
1121 )
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1122
1123 def test_eq(self):
1124 name = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1125 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1126 ])
1127 name2 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1128 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1129 ])
1130 gn = x509.DirectoryName(x509.Name([name]))
1131 gn2 = x509.DirectoryName(x509.Name([name2]))
1132 assert gn == gn2
1133
1134 def test_ne(self):
1135 name = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1136 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1137 ])
1138 name2 = x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1139 x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value2')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1140 ])
1141 gn = x509.DirectoryName(x509.Name([name]))
1142 gn2 = x509.DirectoryName(x509.Name([name2]))
1143 assert gn != gn2
1144 assert gn != object()
1145
1146
Paul Kehrer01d5d0b2015-07-12 09:41:21 -0500[diff] [blame]1147class TestRFC822Name(object):
1148 def test_invalid_email(self):
1149 with pytest.raises(ValueError):
1150 x509.RFC822Name(u"Name <email>")
1151
1152 with pytest.raises(ValueError):
1153 x509.RFC822Name(u"")
1154
1155 def test_single_label(self):
1156 gn = x509.RFC822Name(u"administrator")
1157 assert gn.value == u"administrator"
1158
1159 def test_idna(self):
1160 gn = x509.RFC822Name(u"email@em\xe5\xefl.com")
1161 assert gn.value == u"email@em\xe5\xefl.com"
1162 assert gn._encoded == b"email@xn--eml-vla4c.com"
1163
1164
Paul Kehrere28d6c42015-07-12 14:59:37 -0500[diff] [blame]1165class TestUniformResourceIdentifier(object):
1166 def test_no_parsed_hostname(self):
1167 gn = x509.UniformResourceIdentifier(u"singlelabel")
1168 assert gn.value == u"singlelabel"
1169
1170 def test_with_port(self):
1171 gn = x509.UniformResourceIdentifier(u"singlelabel:443/test")
1172 assert gn.value == u"singlelabel:443/test"
1173
1174 def test_idna_no_port(self):
1175 gn = x509.UniformResourceIdentifier(
1176 u"http://\u043f\u044b\u043a\u0430.cryptography"
1177 )
1178 assert gn.value == u"http://\u043f\u044b\u043a\u0430.cryptography"
1179 assert gn._encoded == b"http://xn--80ato2c.cryptography"
1180
1181 def test_idna_with_port(self):
1182 gn = x509.UniformResourceIdentifier(
1183 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1184 )
1185 assert gn.value == (
1186 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1187 )
1188 assert gn._encoded == b"gopher://xn--80ato2c.cryptography:70/some/path"
1189
1190 def test_query_and_fragment(self):
1191 gn = x509.UniformResourceIdentifier(
1192 u"ldap://cryptography:90/path?query=true#somedata"
1193 )
1194 assert gn.value == u"ldap://cryptography:90/path?query=true#somedata"
1195
1196
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1197class TestRegisteredID(object):
1198 def test_not_oid(self):
1199 with pytest.raises(TypeError):
1200 x509.RegisteredID(b"notanoid")
1201
1202 with pytest.raises(TypeError):
1203 x509.RegisteredID(1.3)
1204
1205 def test_repr(self):
1206 gn = x509.RegisteredID(x509.OID_COMMON_NAME)
1207 assert repr(gn) == (
1208 "<RegisteredID(value=<ObjectIdentifier(oid=2.5.4.3, name=commonNam"
1209 "e)>)>"
1210 )
1211
1212 def test_eq(self):
1213 gn = x509.RegisteredID(x509.OID_COMMON_NAME)
1214 gn2 = x509.RegisteredID(x509.OID_COMMON_NAME)
1215 assert gn == gn2
1216
1217 def test_ne(self):
1218 gn = x509.RegisteredID(x509.OID_COMMON_NAME)
1219 gn2 = x509.RegisteredID(x509.OID_BASIC_CONSTRAINTS)
1220 assert gn != gn2
1221 assert gn != object()
1222
1223
1224class TestIPAddress(object):
1225 def test_not_ipaddress(self):
1226 with pytest.raises(TypeError):
1227 x509.IPAddress(b"notanipaddress")
1228
1229 with pytest.raises(TypeError):
1230 x509.IPAddress(1.3)
1231
1232 def test_repr(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1233 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1234 assert repr(gn) == "<IPAddress(value=127.0.0.1)>"
1235
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1236 gn2 = x509.IPAddress(ipaddress.IPv6Address(u"ff::"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1237 assert repr(gn2) == "<IPAddress(value=ff::)>"
1238
Paul Kehrereb177932015-05-17 18:33:33 -0700[diff] [blame]1239 gn3 = x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24"))
1240 assert repr(gn3) == "<IPAddress(value=192.168.0.0/24)>"
1241
1242 gn4 = x509.IPAddress(ipaddress.IPv6Network(u"ff::/96"))
1243 assert repr(gn4) == "<IPAddress(value=ff::/96)>"
1244
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1245 def test_eq(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1246 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1247 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1248 assert gn == gn2
1249
1250 def test_ne(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1251 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1252 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.2"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1253 assert gn != gn2
1254 assert gn != object()
1255
1256
Joshua Tauberer18b6fc82015-07-05 21:44:51 +0000[diff] [blame]1257class TestOtherName(object):
1258 def test_invalid_args(self):
1259 with pytest.raises(TypeError):
1260 x509.OtherName(b"notanobjectidentifier", b"derdata")
1261
1262 with pytest.raises(TypeError):
1263 x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), u"notderdata")
1264
1265 def test_repr(self):
1266 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1267 if six.PY3:
1268 assert repr(gn) == (
1269 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1270 "name=Unknown OID)>, value=b'derdata')>"
1271 )
1272 else:
1273 assert repr(gn) == (
1274 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1275 "name=Unknown OID)>, value='derdata')>"
1276 )
1277
1278 gn = x509.OtherName(x509.ObjectIdentifier("2.5.4.65"), b"derdata")
1279 if six.PY3:
1280 assert repr(gn) == (
1281 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1282 "name=pseudonym)>, value=b'derdata')>"
1283 )
1284 else:
1285 assert repr(gn) == (
1286 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1287 "name=pseudonym)>, value='derdata')>"
1288 )
1289
1290 def test_eq(self):
1291 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1292 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1293 assert gn == gn2
1294
1295 def test_ne(self):
1296 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1297 assert gn != object()
1298
1299 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata2")
1300 assert gn != gn2
1301
1302 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.5"), b"derdata")
1303 assert gn != gn2
1304
1305
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1306class TestGeneralNames(object):
1307 def test_get_values_for_type(self):
1308 gns = x509.GeneralNames(
1309 [x509.DNSName(u"cryptography.io")]
1310 )
1311 names = gns.get_values_for_type(x509.DNSName)
1312 assert names == [u"cryptography.io"]
1313
1314 def test_iter_names(self):
1315 gns = x509.GeneralNames([
1316 x509.DNSName(u"cryptography.io"),
1317 x509.DNSName(u"crypto.local"),
1318 ])
1319 assert len(gns) == 2
1320 assert list(gns) == [
1321 x509.DNSName(u"cryptography.io"),
1322 x509.DNSName(u"crypto.local"),
1323 ]
1324
1325 def test_invalid_general_names(self):
1326 with pytest.raises(TypeError):
1327 x509.GeneralNames(
1328 [x509.DNSName(u"cryptography.io"), "invalid"]
1329 )
1330
1331 def test_repr(self):
1332 gns = x509.GeneralNames(
1333 [
1334 x509.DNSName(u"cryptography.io")
1335 ]
1336 )
1337 assert repr(gns) == (
1338 "<GeneralNames([<DNSName(value=cryptography.io)>])>"
1339 )
1340
1341 def test_eq(self):
1342 gns = x509.GeneralNames(
1343 [x509.DNSName(u"cryptography.io")]
1344 )
1345 gns2 = x509.GeneralNames(
1346 [x509.DNSName(u"cryptography.io")]
1347 )
1348 assert gns == gns2
1349
1350 def test_ne(self):
1351 gns = x509.GeneralNames(
1352 [x509.DNSName(u"cryptography.io")]
1353 )
1354 gns2 = x509.GeneralNames(
1355 [x509.RFC822Name(u"admin@cryptography.io")]
1356 )
1357 assert gns != gns2
1358 assert gns != object()
1359
1360
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1361class TestIssuerAlternativeName(object):
1362 def test_get_values_for_type(self):
1363 san = x509.IssuerAlternativeName(
1364 [x509.DNSName(u"cryptography.io")]
1365 )
1366 names = san.get_values_for_type(x509.DNSName)
1367 assert names == [u"cryptography.io"]
1368
1369 def test_iter_names(self):
1370 san = x509.IssuerAlternativeName([
1371 x509.DNSName(u"cryptography.io"),
1372 x509.DNSName(u"crypto.local"),
1373 ])
1374 assert len(san) == 2
1375 assert list(san) == [
1376 x509.DNSName(u"cryptography.io"),
1377 x509.DNSName(u"crypto.local"),
1378 ]
1379
1380 def test_invalid_general_names(self):
1381 with pytest.raises(TypeError):
1382 x509.IssuerAlternativeName(
1383 [x509.DNSName(u"cryptography.io"), "invalid"]
1384 )
1385
1386 def test_repr(self):
1387 san = x509.IssuerAlternativeName(
1388 [
1389 x509.DNSName(u"cryptography.io")
1390 ]
1391 )
1392 assert repr(san) == (
1393 "<IssuerAlternativeName("
1394 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
1395 )
1396
1397 def test_eq(self):
1398 san = x509.IssuerAlternativeName(
1399 [x509.DNSName(u"cryptography.io")]
1400 )
1401 san2 = x509.IssuerAlternativeName(
1402 [x509.DNSName(u"cryptography.io")]
1403 )
1404 assert san == san2
1405
1406 def test_ne(self):
1407 san = x509.IssuerAlternativeName(
1408 [x509.DNSName(u"cryptography.io")]
1409 )
1410 san2 = x509.IssuerAlternativeName(
1411 [x509.RFC822Name(u"admin@cryptography.io")]
1412 )
1413 assert san != san2
1414 assert san != object()
1415
1416
Alex Gaynorf1c17672015-06-20 14:20:20 -0400[diff] [blame]1417@pytest.mark.requires_backend_interface(interface=RSABackend)
1418@pytest.mark.requires_backend_interface(interface=X509Backend)
1419class TestRSAIssuerAlternativeNameExtension(object):
1420 def test_uri(self, backend):
1421 cert = _load_cert(
1422 os.path.join("x509", "custom", "ian_uri.pem"),
1423 x509.load_pem_x509_certificate,
1424 backend,
1425 )
1426 ext = cert.extensions.get_extension_for_oid(
1427 x509.OID_ISSUER_ALTERNATIVE_NAME
1428 )
1429 assert list(ext.value) == [
1430 x509.UniformResourceIdentifier(u"http://path.to.root/root.crt"),
1431 ]
1432
1433
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1434class TestSubjectAlternativeName(object):
1435 def test_get_values_for_type(self):
1436 san = x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1437 [x509.DNSName(u"cryptography.io")]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1438 )
1439 names = san.get_values_for_type(x509.DNSName)
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1440 assert names == [u"cryptography.io"]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1441
1442 def test_iter_names(self):
1443 san = x509.SubjectAlternativeName([
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1444 x509.DNSName(u"cryptography.io"),
1445 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1446 ])
1447 assert len(san) == 2
1448 assert list(san) == [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1449 x509.DNSName(u"cryptography.io"),
1450 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1451 ]
1452
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1453 def test_invalid_general_names(self):
1454 with pytest.raises(TypeError):
1455 x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1456 [x509.DNSName(u"cryptography.io"), "invalid"]
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1457 )
1458
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1459 def test_repr(self):
1460 san = x509.SubjectAlternativeName(
1461 [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1462 x509.DNSName(u"cryptography.io")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1463 ]
1464 )
1465 assert repr(san) == (
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1466 "<SubjectAlternativeName("
1467 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1468 )
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1469
Paul Kehrer58cc3972015-05-13 10:00:41 -0500[diff] [blame]1470 def test_eq(self):
1471 san = x509.SubjectAlternativeName(
1472 [x509.DNSName(u"cryptography.io")]
1473 )
1474 san2 = x509.SubjectAlternativeName(
1475 [x509.DNSName(u"cryptography.io")]
1476 )
1477 assert san == san2
1478
1479 def test_ne(self):
1480 san = x509.SubjectAlternativeName(
1481 [x509.DNSName(u"cryptography.io")]
1482 )
1483 san2 = x509.SubjectAlternativeName(
1484 [x509.RFC822Name(u"admin@cryptography.io")]
1485 )
1486 assert san != san2
1487 assert san != object()
1488
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1489
1490@pytest.mark.requires_backend_interface(interface=RSABackend)
1491@pytest.mark.requires_backend_interface(interface=X509Backend)
1492class TestRSASubjectAlternativeNameExtension(object):
1493 def test_dns_name(self, backend):
1494 cert = _load_cert(
1495 os.path.join("x509", "cryptography.io.pem"),
1496 x509.load_pem_x509_certificate,
1497 backend
1498 )
1499 ext = cert.extensions.get_extension_for_oid(
1500 x509.OID_SUBJECT_ALTERNATIVE_NAME
1501 )
1502 assert ext is not None
1503 assert ext.critical is False
1504
1505 san = ext.value
1506
1507 dns = san.get_values_for_type(x509.DNSName)
1508 assert dns == [u"www.cryptography.io", u"cryptography.io"]
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1509
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1510 def test_wildcard_dns_name(self, backend):
1511 cert = _load_cert(
1512 os.path.join("x509", "wildcard_san.pem"),
1513 x509.load_pem_x509_certificate,
1514 backend
1515 )
1516 ext = cert.extensions.get_extension_for_oid(
1517 x509.OID_SUBJECT_ALTERNATIVE_NAME
1518 )
1519
1520 dns = ext.value.get_values_for_type(x509.DNSName)
1521 assert dns == [
1522 u'*.langui.sh',
1523 u'langui.sh',
1524 u'*.saseliminator.com',
1525 u'saseliminator.com'
1526 ]
1527
1528 def test_san_wildcard_idna_dns_name(self, backend):
1529 cert = _load_cert(
1530 os.path.join("x509", "custom", "san_wildcard_idna.pem"),
1531 x509.load_pem_x509_certificate,
1532 backend
1533 )
1534 ext = cert.extensions.get_extension_for_oid(
1535 x509.OID_SUBJECT_ALTERNATIVE_NAME
1536 )
1537
1538 dns = ext.value.get_values_for_type(x509.DNSName)
1539 assert dns == [u'*.\u043f\u044b\u043a\u0430.cryptography']
1540
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1541 def test_unsupported_gn(self, backend):
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1542 cert = _load_cert(
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1543 os.path.join("x509", "san_x400address.der"),
1544 x509.load_der_x509_certificate,
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1545 backend
1546 )
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1547 with pytest.raises(x509.UnsupportedGeneralNameType) as exc:
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1548 cert.extensions
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1549
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1550 assert exc.value.type == 3
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1551
1552 def test_registered_id(self, backend):
1553 cert = _load_cert(
1554 os.path.join(
1555 "x509", "custom", "san_registered_id.pem"
1556 ),
1557 x509.load_pem_x509_certificate,
1558 backend
1559 )
1560 ext = cert.extensions.get_extension_for_oid(
1561 x509.OID_SUBJECT_ALTERNATIVE_NAME
1562 )
1563 assert ext is not None
1564 assert ext.critical is False
1565
1566 san = ext.value
1567 rid = san.get_values_for_type(x509.RegisteredID)
1568 assert rid == [x509.ObjectIdentifier("1.2.3.4")]
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1569
1570 def test_uri(self, backend):
1571 cert = _load_cert(
1572 os.path.join(
1573 "x509", "custom", "san_uri_with_port.pem"
1574 ),
1575 x509.load_pem_x509_certificate,
1576 backend
1577 )
1578 ext = cert.extensions.get_extension_for_oid(
1579 x509.OID_SUBJECT_ALTERNATIVE_NAME
1580 )
1581 assert ext is not None
1582 uri = ext.value.get_values_for_type(
1583 x509.UniformResourceIdentifier
1584 )
1585 assert uri == [
1586 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/path?q=s#hel"
1587 u"lo",
1588 u"http://someregulardomain.com",
1589 ]
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1590
1591 def test_ipaddress(self, backend):
1592 cert = _load_cert(
1593 os.path.join(
1594 "x509", "custom", "san_ipaddr.pem"
1595 ),
1596 x509.load_pem_x509_certificate,
1597 backend
1598 )
1599 ext = cert.extensions.get_extension_for_oid(
1600 x509.OID_SUBJECT_ALTERNATIVE_NAME
1601 )
1602 assert ext is not None
1603 assert ext.critical is False
1604
1605 san = ext.value
1606
1607 ip = san.get_values_for_type(x509.IPAddress)
1608 assert [
1609 ipaddress.ip_address(u"127.0.0.1"),
1610 ipaddress.ip_address(u"ff::")
1611 ] == ip
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1612
1613 def test_dirname(self, backend):
1614 cert = _load_cert(
1615 os.path.join(
1616 "x509", "custom", "san_dirname.pem"
1617 ),
1618 x509.load_pem_x509_certificate,
1619 backend
1620 )
1621 ext = cert.extensions.get_extension_for_oid(
1622 x509.OID_SUBJECT_ALTERNATIVE_NAME
1623 )
1624 assert ext is not None
1625 assert ext.critical is False
1626
1627 san = ext.value
1628
1629 dirname = san.get_values_for_type(x509.DirectoryName)
1630 assert [
1631 x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1632 x509.NameAttribute(x509.OID_COMMON_NAME, u'test'),
1633 x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'Org'),
1634 x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1635 ])
1636 ] == dirname
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1637
1638 def test_rfc822name(self, backend):
1639 cert = _load_cert(
1640 os.path.join(
1641 "x509", "custom", "san_rfc822_idna.pem"
1642 ),
1643 x509.load_pem_x509_certificate,
1644 backend
1645 )
1646 ext = cert.extensions.get_extension_for_oid(
1647 x509.OID_SUBJECT_ALTERNATIVE_NAME
1648 )
1649 assert ext is not None
1650 assert ext.critical is False
1651
1652 san = ext.value
1653
1654 rfc822name = san.get_values_for_type(x509.RFC822Name)
1655 assert [u"email@em\xe5\xefl.com"] == rfc822name
1656
Paul Kehrerb8968812015-05-15 09:01:34 -0700[diff] [blame]1657 def test_idna2003_invalid(self, backend):
1658 cert = _load_cert(
1659 os.path.join(
1660 "x509", "custom", "san_idna2003_dnsname.pem"
1661 ),
1662 x509.load_pem_x509_certificate,
1663 backend
1664 )
1665 with pytest.raises(UnicodeError):
1666 cert.extensions
1667
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1668 def test_unicode_rfc822_name_dns_name_uri(self, backend):
1669 cert = _load_cert(
1670 os.path.join(
1671 "x509", "custom", "san_idna_names.pem"
1672 ),
1673 x509.load_pem_x509_certificate,
1674 backend
1675 )
1676 ext = cert.extensions.get_extension_for_oid(
1677 x509.OID_SUBJECT_ALTERNATIVE_NAME
1678 )
1679 assert ext is not None
1680 rfc822_name = ext.value.get_values_for_type(x509.RFC822Name)
1681 dns_name = ext.value.get_values_for_type(x509.DNSName)
1682 uri = ext.value.get_values_for_type(x509.UniformResourceIdentifier)
1683 assert rfc822_name == [u"email@\u043f\u044b\u043a\u0430.cryptography"]
1684 assert dns_name == [u"\u043f\u044b\u043a\u0430.cryptography"]
1685 assert uri == [u"https://www.\u043f\u044b\u043a\u0430.cryptography"]
1686
1687 def test_rfc822name_dnsname_ipaddress_directoryname_uri(self, backend):
1688 cert = _load_cert(
1689 os.path.join(
1690 "x509", "custom", "san_email_dns_ip_dirname_uri.pem"
1691 ),
1692 x509.load_pem_x509_certificate,
1693 backend
1694 )
1695 ext = cert.extensions.get_extension_for_oid(
1696 x509.OID_SUBJECT_ALTERNATIVE_NAME
1697 )
1698 assert ext is not None
1699 assert ext.critical is False
1700
1701 san = ext.value
1702
1703 rfc822_name = san.get_values_for_type(x509.RFC822Name)
1704 uri = san.get_values_for_type(x509.UniformResourceIdentifier)
1705 dns = san.get_values_for_type(x509.DNSName)
1706 ip = san.get_values_for_type(x509.IPAddress)
1707 dirname = san.get_values_for_type(x509.DirectoryName)
1708 assert [u"user@cryptography.io"] == rfc822_name
Paul Kehrere3a330c2015-05-02 16:42:52 -0500[diff] [blame]1709 assert [u"https://cryptography.io"] == uri
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1710 assert [u"cryptography.io"] == dns
1711 assert [
1712 x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1713 x509.NameAttribute(x509.OID_COMMON_NAME, u'dirCN'),
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1714 x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1715 x509.OID_ORGANIZATION_NAME, u'Cryptographic Authority'
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1716 ),
1717 ])
1718 ] == dirname
1719 assert [
1720 ipaddress.ip_address(u"127.0.0.1"),
1721 ipaddress.ip_address(u"ff::")
1722 ] == ip
1723
1724 def test_invalid_rfc822name(self, backend):
1725 cert = _load_cert(
1726 os.path.join(
1727 "x509", "custom", "san_rfc822_names.pem"
1728 ),
1729 x509.load_pem_x509_certificate,
1730 backend
1731 )
1732 with pytest.raises(ValueError) as exc:
1733 cert.extensions
1734
1735 assert 'Invalid rfc822name value' in str(exc.value)
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]1736
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1737 def test_other_name(self, backend):
1738 cert = _load_cert(
1739 os.path.join(
1740 "x509", "custom", "san_other_name.pem"
1741 ),
1742 x509.load_pem_x509_certificate,
1743 backend
1744 )
1745
1746 ext = cert.extensions.get_extension_for_oid(
1747 x509.OID_SUBJECT_ALTERNATIVE_NAME
1748 )
1749 assert ext is not None
1750 assert ext.critical is False
1751
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]1752 expected = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"),
1753 b'\x16\x0bHello World')
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1754 assert len(ext.value) == 1
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]1755 assert list(ext.value)[0] == expected
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1756
1757 othernames = ext.value.get_values_for_type(x509.OtherName)
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]1758 assert othernames == [expected]
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]1759
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]1760
1761@pytest.mark.requires_backend_interface(interface=RSABackend)
1762@pytest.mark.requires_backend_interface(interface=X509Backend)
1763class TestExtendedKeyUsageExtension(object):
1764 def test_eku(self, backend):
1765 cert = _load_cert(
1766 os.path.join(
1767 "x509", "custom", "extended_key_usage.pem"
1768 ),
1769 x509.load_pem_x509_certificate,
1770 backend
1771 )
1772 ext = cert.extensions.get_extension_for_oid(
1773 x509.OID_EXTENDED_KEY_USAGE
1774 )
1775 assert ext is not None
1776 assert ext.critical is False
1777
1778 assert [
1779 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
1780 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
1781 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.3"),
1782 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.4"),
1783 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.9"),
1784 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.8"),
1785 x509.ObjectIdentifier("2.5.29.37.0"),
1786 x509.ObjectIdentifier("2.16.840.1.113730.4.1"),
1787 ] == list(ext.value)
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1788
1789
1790class TestAccessDescription(object):
1791 def test_invalid_access_method(self):
Paul Kehrerf506bca2015-05-02 22:31:47 -0500[diff] [blame]1792 with pytest.raises(ValueError):
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]1793 x509.AccessDescription("notanoid", x509.DNSName(u"test"))
1794
1795 def test_invalid_access_location(self):
1796 with pytest.raises(TypeError):
1797 x509.AccessDescription(x509.OID_CA_ISSUERS, "invalid")
1798
1799 def test_repr(self):
1800 ad = x509.AccessDescription(
1801 x509.OID_OCSP,
1802 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1803 )
1804 assert repr(ad) == (
1805 "<AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5."
1806 "5.7.48.1, name=OCSP)>, access_location=<UniformResourceIdentifier"
1807 "(value=http://ocsp.domain.com)>)>"
1808 )
1809
1810 def test_eq(self):
1811 ad = x509.AccessDescription(
1812 x509.OID_OCSP,
1813 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1814 )
1815 ad2 = x509.AccessDescription(
1816 x509.OID_OCSP,
1817 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1818 )
1819 assert ad == ad2
1820
1821 def test_ne(self):
1822 ad = x509.AccessDescription(
1823 x509.OID_OCSP,
1824 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1825 )
1826 ad2 = x509.AccessDescription(
1827 x509.OID_CA_ISSUERS,
1828 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1829 )
1830 ad3 = x509.AccessDescription(
1831 x509.OID_OCSP,
1832 x509.UniformResourceIdentifier(u"http://notthesame")
1833 )
1834 assert ad != ad2
1835 assert ad != ad3
1836 assert ad != object()
1837
1838
1839class TestAuthorityInformationAccess(object):
1840 def test_invalid_descriptions(self):
1841 with pytest.raises(TypeError):
1842 x509.AuthorityInformationAccess(["notanAccessDescription"])
1843
1844 def test_iter_len(self):
1845 aia = x509.AuthorityInformationAccess([
1846 x509.AccessDescription(
1847 x509.OID_OCSP,
1848 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1849 ),
1850 x509.AccessDescription(
1851 x509.OID_CA_ISSUERS,
1852 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1853 )
1854 ])
1855 assert len(aia) == 2
1856 assert list(aia) == [
1857 x509.AccessDescription(
1858 x509.OID_OCSP,
1859 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1860 ),
1861 x509.AccessDescription(
1862 x509.OID_CA_ISSUERS,
1863 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1864 )
1865 ]
1866
1867 def test_repr(self):
1868 aia = x509.AuthorityInformationAccess([
1869 x509.AccessDescription(
1870 x509.OID_OCSP,
1871 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1872 ),
1873 x509.AccessDescription(
1874 x509.OID_CA_ISSUERS,
1875 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1876 )
1877 ])
1878 assert repr(aia) == (
1879 "<AuthorityInformationAccess([<AccessDescription(access_method=<Ob"
1880 "jectIdentifier(oid=1.3.6.1.5.5.7.48.1, name=OCSP)>, access_locati"
1881 "on=<UniformResourceIdentifier(value=http://ocsp.domain.com)>)>, <"
1882 "AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5.5"
1883 ".7.48.2, name=caIssuers)>, access_location=<UniformResourceIdenti"
1884 "fier(value=http://domain.com/ca.crt)>)>])>"
1885 )
1886
1887 def test_eq(self):
1888 aia = x509.AuthorityInformationAccess([
1889 x509.AccessDescription(
1890 x509.OID_OCSP,
1891 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1892 ),
1893 x509.AccessDescription(
1894 x509.OID_CA_ISSUERS,
1895 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1896 )
1897 ])
1898 aia2 = x509.AuthorityInformationAccess([
1899 x509.AccessDescription(
1900 x509.OID_OCSP,
1901 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1902 ),
1903 x509.AccessDescription(
1904 x509.OID_CA_ISSUERS,
1905 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1906 )
1907 ])
1908 assert aia == aia2
1909
1910 def test_ne(self):
1911 aia = x509.AuthorityInformationAccess([
1912 x509.AccessDescription(
1913 x509.OID_OCSP,
1914 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1915 ),
1916 x509.AccessDescription(
1917 x509.OID_CA_ISSUERS,
1918 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
1919 )
1920 ])
1921 aia2 = x509.AuthorityInformationAccess([
1922 x509.AccessDescription(
1923 x509.OID_OCSP,
1924 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1925 ),
1926 ])
1927
1928 assert aia != aia2
1929 assert aia != object()
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]1930
1931
1932@pytest.mark.requires_backend_interface(interface=RSABackend)
1933@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]1934class TestAuthorityInformationAccessExtension(object):
1935 def test_aia_ocsp_ca_issuers(self, backend):
1936 cert = _load_cert(
1937 os.path.join("x509", "cryptography.io.pem"),
1938 x509.load_pem_x509_certificate,
1939 backend
1940 )
1941 ext = cert.extensions.get_extension_for_oid(
1942 x509.OID_AUTHORITY_INFORMATION_ACCESS
1943 )
1944 assert ext is not None
1945 assert ext.critical is False
1946
1947 assert ext.value == x509.AuthorityInformationAccess([
1948 x509.AccessDescription(
1949 x509.OID_OCSP,
1950 x509.UniformResourceIdentifier(u"http://gv.symcd.com")
1951 ),
1952 x509.AccessDescription(
1953 x509.OID_CA_ISSUERS,
1954 x509.UniformResourceIdentifier(u"http://gv.symcb.com/gv.crt")
1955 ),
1956 ])
1957
1958 def test_aia_multiple_ocsp_ca_issuers(self, backend):
1959 cert = _load_cert(
1960 os.path.join("x509", "custom", "aia_ocsp_ca_issuers.pem"),
1961 x509.load_pem_x509_certificate,
1962 backend
1963 )
1964 ext = cert.extensions.get_extension_for_oid(
1965 x509.OID_AUTHORITY_INFORMATION_ACCESS
1966 )
1967 assert ext is not None
1968 assert ext.critical is False
1969
1970 assert ext.value == x509.AuthorityInformationAccess([
1971 x509.AccessDescription(
1972 x509.OID_OCSP,
1973 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
1974 ),
1975 x509.AccessDescription(
1976 x509.OID_OCSP,
1977 x509.UniformResourceIdentifier(u"http://ocsp2.domain.com")
1978 ),
1979 x509.AccessDescription(
1980 x509.OID_CA_ISSUERS,
1981 x509.DirectoryName(x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]1982 x509.NameAttribute(x509.OID_COMMON_NAME, u"myCN"),
1983 x509.NameAttribute(x509.OID_ORGANIZATION_NAME,
1984 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]1985 ]))
1986 ),
1987 ])
1988
1989 def test_aia_ocsp_only(self, backend):
1990 cert = _load_cert(
1991 os.path.join("x509", "custom", "aia_ocsp.pem"),
1992 x509.load_pem_x509_certificate,
1993 backend
1994 )
1995 ext = cert.extensions.get_extension_for_oid(
1996 x509.OID_AUTHORITY_INFORMATION_ACCESS
1997 )
1998 assert ext is not None
1999 assert ext.critical is False
2000
2001 assert ext.value == x509.AuthorityInformationAccess([
2002 x509.AccessDescription(
2003 x509.OID_OCSP,
2004 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2005 ),
2006 ])
2007
2008 def test_aia_ca_issuers_only(self, backend):
2009 cert = _load_cert(
2010 os.path.join("x509", "custom", "aia_ca_issuers.pem"),
2011 x509.load_pem_x509_certificate,
2012 backend
2013 )
2014 ext = cert.extensions.get_extension_for_oid(
2015 x509.OID_AUTHORITY_INFORMATION_ACCESS
2016 )
2017 assert ext is not None
2018 assert ext.critical is False
2019
2020 assert ext.value == x509.AuthorityInformationAccess([
2021 x509.AccessDescription(
2022 x509.OID_CA_ISSUERS,
2023 x509.DirectoryName(x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2024 x509.NameAttribute(x509.OID_COMMON_NAME, u"myCN"),
2025 x509.NameAttribute(x509.OID_ORGANIZATION_NAME,
2026 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2027 ]))
2028 ),
2029 ])
2030
2031
2032@pytest.mark.requires_backend_interface(interface=RSABackend)
2033@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2034class TestAuthorityKeyIdentifierExtension(object):
2035 def test_aki_keyid(self, backend):
2036 cert = _load_cert(
2037 os.path.join(
2038 "x509", "cryptography.io.pem"
2039 ),
2040 x509.load_pem_x509_certificate,
2041 backend
2042 )
2043 ext = cert.extensions.get_extension_for_oid(
2044 x509.OID_AUTHORITY_KEY_IDENTIFIER
2045 )
2046 assert ext is not None
2047 assert ext.critical is False
2048
2049 assert ext.value.key_identifier == (
2050 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08\xcbY"
2051 )
2052 assert ext.value.authority_cert_issuer is None
2053 assert ext.value.authority_cert_serial_number is None
2054
2055 def test_aki_all_fields(self, backend):
2056 cert = _load_cert(
2057 os.path.join(
2058 "x509", "custom", "authority_key_identifier.pem"
2059 ),
2060 x509.load_pem_x509_certificate,
2061 backend
2062 )
2063 ext = cert.extensions.get_extension_for_oid(
2064 x509.OID_AUTHORITY_KEY_IDENTIFIER
2065 )
2066 assert ext is not None
2067 assert ext.critical is False
2068
2069 assert ext.value.key_identifier == (
2070 b"9E>\xca=b\x1d\xea\x86I\xf6Z\xab@\xb7\xa4p\x98\xf1\xec"
2071 )
2072 assert ext.value.authority_cert_issuer == [
2073 x509.DirectoryName(
2074 x509.Name([
2075 x509.NameAttribute(
2076 x509.OID_ORGANIZATION_NAME, u"PyCA"
2077 ),
2078 x509.NameAttribute(
2079 x509.OID_COMMON_NAME, u"cryptography.io"
2080 )
2081 ])
2082 )
2083 ]
2084 assert ext.value.authority_cert_serial_number == 3
2085
2086 def test_aki_no_keyid(self, backend):
2087 cert = _load_cert(
2088 os.path.join(
2089 "x509", "custom", "authority_key_identifier_no_keyid.pem"
2090 ),
2091 x509.load_pem_x509_certificate,
2092 backend
2093 )
2094 ext = cert.extensions.get_extension_for_oid(
2095 x509.OID_AUTHORITY_KEY_IDENTIFIER
2096 )
2097 assert ext is not None
2098 assert ext.critical is False
2099
2100 assert ext.value.key_identifier is None
2101 assert ext.value.authority_cert_issuer == [
2102 x509.DirectoryName(
2103 x509.Name([
2104 x509.NameAttribute(
2105 x509.OID_ORGANIZATION_NAME, u"PyCA"
2106 ),
2107 x509.NameAttribute(
2108 x509.OID_COMMON_NAME, u"cryptography.io"
2109 )
2110 ])
2111 )
2112 ]
2113 assert ext.value.authority_cert_serial_number == 3
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2114
Paul Kehrer253929a2015-08-05 17:30:39 +0100[diff] [blame]2115 def test_from_certificate(self, backend):
2116 issuer_cert = _load_cert(
2117 os.path.join("x509", "rapidssl_sha256_ca_g3.pem"),
2118 x509.load_pem_x509_certificate,
2119 backend
2120 )
2121 cert = _load_cert(
2122 os.path.join("x509", "cryptography.io.pem"),
2123 x509.load_pem_x509_certificate,
2124 backend
2125 )
2126 ext = cert.extensions.get_extension_for_oid(
2127 x509.OID_AUTHORITY_KEY_IDENTIFIER
2128 )
2129 aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(
2130 issuer_cert.public_key()
2131 )
2132 assert ext.value == aki
2133
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2134
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2135class TestNameConstraints(object):
2136 def test_ipaddress_wrong_type(self):
2137 with pytest.raises(TypeError):
2138 x509.NameConstraints(
2139 permitted_subtrees=[
2140 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2141 ],
2142 excluded_subtrees=None
2143 )
2144
2145 with pytest.raises(TypeError):
2146 x509.NameConstraints(
2147 permitted_subtrees=None,
2148 excluded_subtrees=[
2149 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2150 ]
2151 )
2152
2153 def test_ipaddress_allowed_type(self):
2154 permitted = [x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29"))]
2155 excluded = [x509.IPAddress(ipaddress.IPv4Network(u"10.10.0.0/24"))]
2156 nc = x509.NameConstraints(
2157 permitted_subtrees=permitted,
2158 excluded_subtrees=excluded
2159 )
2160 assert nc.permitted_subtrees == permitted
2161 assert nc.excluded_subtrees == excluded
2162
2163 def test_invalid_permitted_subtrees(self):
2164 with pytest.raises(TypeError):
2165 x509.NameConstraints("badpermitted", None)
2166
2167 def test_invalid_excluded_subtrees(self):
2168 with pytest.raises(TypeError):
2169 x509.NameConstraints(None, "badexcluded")
2170
2171 def test_no_subtrees(self):
2172 with pytest.raises(ValueError):
2173 x509.NameConstraints(None, None)
2174
2175 def test_permitted_none(self):
2176 excluded = [x509.DNSName(u"name.local")]
2177 nc = x509.NameConstraints(
2178 permitted_subtrees=None, excluded_subtrees=excluded
2179 )
2180 assert nc.permitted_subtrees is None
2181 assert nc.excluded_subtrees is not None
2182
2183 def test_excluded_none(self):
2184 permitted = [x509.DNSName(u"name.local")]
2185 nc = x509.NameConstraints(
2186 permitted_subtrees=permitted, excluded_subtrees=None
2187 )
2188 assert nc.permitted_subtrees is not None
2189 assert nc.excluded_subtrees is None
2190
2191 def test_repr(self):
2192 permitted = [x509.DNSName(u"name.local"), x509.DNSName(u"name2.local")]
2193 nc = x509.NameConstraints(
2194 permitted_subtrees=permitted,
2195 excluded_subtrees=None
2196 )
2197 assert repr(nc) == (
2198 "<NameConstraints(permitted_subtrees=[<DNSName(value=name.local)>"
2199 ", <DNSName(value=name2.local)>], excluded_subtrees=None)>"
2200 )
2201
Paul Kehrer31894282015-06-21 21:46:41 -0500[diff] [blame]2202 def test_eq(self):
2203 nc = x509.NameConstraints(
2204 permitted_subtrees=[x509.DNSName(u"name.local")],
2205 excluded_subtrees=[x509.DNSName(u"name2.local")]
2206 )
2207 nc2 = x509.NameConstraints(
2208 permitted_subtrees=[x509.DNSName(u"name.local")],
2209 excluded_subtrees=[x509.DNSName(u"name2.local")]
2210 )
2211 assert nc == nc2
2212
2213 def test_ne(self):
2214 nc = x509.NameConstraints(
2215 permitted_subtrees=[x509.DNSName(u"name.local")],
2216 excluded_subtrees=[x509.DNSName(u"name2.local")]
2217 )
2218 nc2 = x509.NameConstraints(
2219 permitted_subtrees=[x509.DNSName(u"name.local")],
2220 excluded_subtrees=None
2221 )
2222 nc3 = x509.NameConstraints(
2223 permitted_subtrees=None,
2224 excluded_subtrees=[x509.DNSName(u"name2.local")]
2225 )
2226
2227 assert nc != nc2
2228 assert nc != nc3
2229 assert nc != object()
2230
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2231
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2232@pytest.mark.requires_backend_interface(interface=RSABackend)
2233@pytest.mark.requires_backend_interface(interface=X509Backend)
2234class TestNameConstraintsExtension(object):
2235 def test_permitted_excluded(self, backend):
2236 cert = _load_cert(
2237 os.path.join(
2238 "x509", "custom", "nc_permitted_excluded_2.pem"
2239 ),
2240 x509.load_pem_x509_certificate,
2241 backend
2242 )
2243 nc = cert.extensions.get_extension_for_oid(
2244 x509.OID_NAME_CONSTRAINTS
2245 ).value
2246 assert nc == x509.NameConstraints(
2247 permitted_subtrees=[
2248 x509.DNSName(u"zombo.local"),
2249 ],
2250 excluded_subtrees=[
2251 x509.DirectoryName(x509.Name([
2252 x509.NameAttribute(x509.OID_COMMON_NAME, u"zombo")
2253 ]))
2254 ]
2255 )
2256
2257 def test_permitted(self, backend):
2258 cert = _load_cert(
2259 os.path.join(
2260 "x509", "custom", "nc_permitted_2.pem"
2261 ),
2262 x509.load_pem_x509_certificate,
2263 backend
2264 )
2265 nc = cert.extensions.get_extension_for_oid(
2266 x509.OID_NAME_CONSTRAINTS
2267 ).value
2268 assert nc == x509.NameConstraints(
2269 permitted_subtrees=[
2270 x509.DNSName(u"zombo.local"),
2271 ],
2272 excluded_subtrees=None
2273 )
2274
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2275 def test_permitted_with_leading_period(self, backend):
2276 cert = _load_cert(
2277 os.path.join(
2278 "x509", "custom", "nc_permitted.pem"
2279 ),
2280 x509.load_pem_x509_certificate,
2281 backend
2282 )
2283 nc = cert.extensions.get_extension_for_oid(
2284 x509.OID_NAME_CONSTRAINTS
2285 ).value
2286 assert nc == x509.NameConstraints(
2287 permitted_subtrees=[
2288 x509.DNSName(u".cryptography.io"),
2289 x509.UniformResourceIdentifier(u"ftp://cryptography.test")
2290 ],
2291 excluded_subtrees=None
2292 )
2293
2294 def test_excluded_with_leading_period(self, backend):
2295 cert = _load_cert(
2296 os.path.join(
2297 "x509", "custom", "nc_excluded.pem"
2298 ),
2299 x509.load_pem_x509_certificate,
2300 backend
2301 )
2302 nc = cert.extensions.get_extension_for_oid(
2303 x509.OID_NAME_CONSTRAINTS
2304 ).value
2305 assert nc == x509.NameConstraints(
2306 permitted_subtrees=None,
2307 excluded_subtrees=[
2308 x509.DNSName(u".cryptography.io"),
2309 x509.UniformResourceIdentifier(u"gopher://cryptography.test")
2310 ]
2311 )
2312
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2313 def test_permitted_excluded_with_ips(self, backend):
2314 cert = _load_cert(
2315 os.path.join(
2316 "x509", "custom", "nc_permitted_excluded.pem"
2317 ),
2318 x509.load_pem_x509_certificate,
2319 backend
2320 )
2321 nc = cert.extensions.get_extension_for_oid(
2322 x509.OID_NAME_CONSTRAINTS
2323 ).value
2324 assert nc == x509.NameConstraints(
2325 permitted_subtrees=[
2326 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")),
2327 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")),
2328 ],
2329 excluded_subtrees=[
2330 x509.DNSName(u".domain.com"),
2331 x509.UniformResourceIdentifier(u"http://test.local"),
2332 ]
2333 )
2334
Paul Kehrera72ebaf2015-07-01 21:07:37 -0500[diff] [blame]2335 def test_single_ip_netmask(self, backend):
2336 cert = _load_cert(
2337 os.path.join(
2338 "x509", "custom", "nc_single_ip_netmask.pem"
2339 ),
2340 x509.load_pem_x509_certificate,
2341 backend
2342 )
2343 nc = cert.extensions.get_extension_for_oid(
2344 x509.OID_NAME_CONSTRAINTS
2345 ).value
2346 assert nc == x509.NameConstraints(
2347 permitted_subtrees=[
2348 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/128")),
2349 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.1/32")),
2350 ],
2351 excluded_subtrees=None
2352 )
2353
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2354 def test_invalid_netmask(self, backend):
2355 cert = _load_cert(
2356 os.path.join(
2357 "x509", "custom", "nc_invalid_ip_netmask.pem"
2358 ),
2359 x509.load_pem_x509_certificate,
2360 backend
2361 )
2362 with pytest.raises(ValueError):
2363 cert.extensions.get_extension_for_oid(
2364 x509.OID_NAME_CONSTRAINTS
2365 )
2366
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2367
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2368class TestDistributionPoint(object):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2369 def test_distribution_point_full_name_not_general_names(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2370 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2371 x509.DistributionPoint(["notgn"], None, None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2372
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2373 def test_distribution_point_relative_name_not_name(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2374 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2375 x509.DistributionPoint(None, "notname", None, None)
2376
2377 def test_distribution_point_full_and_relative_not_none(self):
2378 with pytest.raises(ValueError):
2379 x509.DistributionPoint("data", "notname", None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2380
2381 def test_crl_issuer_not_general_names(self):
2382 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2383 x509.DistributionPoint(None, None, None, ["notgn"])
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2384
2385 def test_reason_not_reasonflags(self):
2386 with pytest.raises(TypeError):
2387 x509.DistributionPoint(
2388 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2389 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2390 frozenset(["notreasonflags"]),
2391 None
2392 )
2393
2394 def test_reason_not_frozenset(self):
2395 with pytest.raises(TypeError):
2396 x509.DistributionPoint(
2397 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2398 None,
2399 [x509.ReasonFlags.ca_compromise],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2400 None
2401 )
2402
2403 def test_disallowed_reasons(self):
2404 with pytest.raises(ValueError):
2405 x509.DistributionPoint(
2406 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2407 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2408 frozenset([x509.ReasonFlags.unspecified]),
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2409 None
2410 )
2411
2412 with pytest.raises(ValueError):
2413 x509.DistributionPoint(
2414 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2415 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2416 frozenset([x509.ReasonFlags.remove_from_crl]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2417 None
2418 )
2419
2420 def test_reason_only(self):
2421 with pytest.raises(ValueError):
2422 x509.DistributionPoint(
2423 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2424 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2425 frozenset([x509.ReasonFlags.aa_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2426 None
2427 )
2428
2429 def test_eq(self):
2430 dp = x509.DistributionPoint(
2431 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2432 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2433 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2434 [
2435 x509.DirectoryName(
2436 x509.Name([
2437 x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2438 x509.OID_COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2439 )
2440 ])
2441 )
2442 ],
2443 )
2444 dp2 = x509.DistributionPoint(
2445 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2446 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2447 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2448 [
2449 x509.DirectoryName(
2450 x509.Name([
2451 x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2452 x509.OID_COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2453 )
2454 ])
2455 )
2456 ],
2457 )
2458 assert dp == dp2
2459
2460 def test_ne(self):
2461 dp = x509.DistributionPoint(
2462 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2463 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2464 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2465 [
2466 x509.DirectoryName(
2467 x509.Name([
2468 x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2469 x509.OID_COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2470 )
2471 ])
2472 )
2473 ],
2474 )
2475 dp2 = x509.DistributionPoint(
2476 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2477 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2478 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2479 None
2480 )
2481 assert dp != dp2
2482 assert dp != object()
2483
2484 def test_repr(self):
2485 dp = x509.DistributionPoint(
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2486 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2487 x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2488 x509.NameAttribute(x509.OID_COMMON_NAME, u"myCN")
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2489 ]),
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2490 frozenset([x509.ReasonFlags.ca_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2491 [
2492 x509.DirectoryName(
2493 x509.Name([
2494 x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2495 x509.OID_COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2496 )
2497 ])
2498 )
2499 ],
2500 )
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2501 if six.PY3:
2502 assert repr(dp) == (
2503 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2504 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]2505 ">, value='myCN')>])>, reasons=frozenset({<ReasonFlags.ca_comp"
2506 "romise: 'cACompromise'>}), crl_issuer=[<DirectoryName(value=<"
2507 "Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name="
2508 "commonName)>, value='Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2509 )
2510 else:
2511 assert repr(dp) == (
2512 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2513 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2514 ">, value=u'myCN')>])>, reasons=frozenset([<ReasonFlags.ca_com"
2515 "promise: 'cACompromise'>]), crl_issuer=[<DirectoryName(value="
2516 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
2517 "=commonName)>, value=u'Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2518 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2519
2520
2521class TestCRLDistributionPoints(object):
2522 def test_invalid_distribution_points(self):
2523 with pytest.raises(TypeError):
2524 x509.CRLDistributionPoints(["notadistributionpoint"])
2525
2526 def test_iter_len(self):
2527 cdp = x509.CRLDistributionPoints([
2528 x509.DistributionPoint(
2529 [x509.UniformResourceIdentifier(u"http://domain")],
2530 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2531 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2532 None
2533 ),
2534 x509.DistributionPoint(
2535 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2536 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2537 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2538 x509.ReasonFlags.key_compromise,
2539 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2540 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2541 None
2542 ),
2543 ])
2544 assert len(cdp) == 2
2545 assert list(cdp) == [
2546 x509.DistributionPoint(
2547 [x509.UniformResourceIdentifier(u"http://domain")],
2548 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2549 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2550 None
2551 ),
2552 x509.DistributionPoint(
2553 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2554 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2555 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2556 x509.ReasonFlags.key_compromise,
2557 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2558 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2559 None
2560 ),
2561 ]
2562
2563 def test_repr(self):
2564 cdp = x509.CRLDistributionPoints([
2565 x509.DistributionPoint(
2566 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2567 None,
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2568 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2569 None
2570 ),
2571 ])
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2572 if six.PY3:
2573 assert repr(cdp) == (
2574 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2575 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2576 "ne, reasons=frozenset({<ReasonFlags.key_compromise: 'keyComp"
2577 "romise'>}), crl_issuer=None)>])>"
2578 )
2579 else:
2580 assert repr(cdp) == (
2581 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2582 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2583 "ne, reasons=frozenset([<ReasonFlags.key_compromise: 'keyComp"
2584 "romise'>]), crl_issuer=None)>])>"
2585 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2586
2587 def test_eq(self):
2588 cdp = x509.CRLDistributionPoints([
2589 x509.DistributionPoint(
2590 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2591 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2592 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2593 x509.ReasonFlags.key_compromise,
2594 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2595 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2596 [x509.UniformResourceIdentifier(u"uri://thing")],
2597 ),
2598 ])
2599 cdp2 = x509.CRLDistributionPoints([
2600 x509.DistributionPoint(
2601 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2602 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2603 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2604 x509.ReasonFlags.key_compromise,
2605 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2606 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2607 [x509.UniformResourceIdentifier(u"uri://thing")],
2608 ),
2609 ])
2610 assert cdp == cdp2
2611
2612 def test_ne(self):
2613 cdp = x509.CRLDistributionPoints([
2614 x509.DistributionPoint(
2615 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2616 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2617 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2618 x509.ReasonFlags.key_compromise,
2619 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2620 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2621 [x509.UniformResourceIdentifier(u"uri://thing")],
2622 ),
2623 ])
2624 cdp2 = x509.CRLDistributionPoints([
2625 x509.DistributionPoint(
2626 [x509.UniformResourceIdentifier(u"ftp://domain2")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2627 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2628 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2629 x509.ReasonFlags.key_compromise,
2630 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2631 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2632 [x509.UniformResourceIdentifier(u"uri://thing")],
2633 ),
2634 ])
2635 cdp3 = x509.CRLDistributionPoints([
2636 x509.DistributionPoint(
2637 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2638 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2639 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2640 [x509.UniformResourceIdentifier(u"uri://thing")],
2641 ),
2642 ])
2643 cdp4 = x509.CRLDistributionPoints([
2644 x509.DistributionPoint(
2645 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2646 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2647 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2648 x509.ReasonFlags.key_compromise,
2649 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2650 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2651 [x509.UniformResourceIdentifier(u"uri://thing2")],
2652 ),
2653 ])
2654 assert cdp != cdp2
2655 assert cdp != cdp3
2656 assert cdp != cdp4
2657 assert cdp != object()
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2658
2659
2660@pytest.mark.requires_backend_interface(interface=RSABackend)
2661@pytest.mark.requires_backend_interface(interface=X509Backend)
2662class TestCRLDistributionPointsExtension(object):
2663 def test_fullname_and_crl_issuer(self, backend):
2664 cert = _load_cert(
2665 os.path.join(
2666 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest28EE.crt"
2667 ),
2668 x509.load_der_x509_certificate,
2669 backend
2670 )
2671
2672 cdps = cert.extensions.get_extension_for_oid(
2673 x509.OID_CRL_DISTRIBUTION_POINTS
2674 ).value
2675
2676 assert cdps == x509.CRLDistributionPoints([
2677 x509.DistributionPoint(
2678 full_name=[x509.DirectoryName(
2679 x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2680 x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2681 x509.NameAttribute(
2682 x509.OID_ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2683 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2684 ),
2685 x509.NameAttribute(
2686 x509.OID_ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2687 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2688 ),
2689 x509.NameAttribute(
2690 x509.OID_COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2691 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2692 ),
2693 ])
2694 )],
2695 relative_name=None,
2696 reasons=None,
2697 crl_issuer=[x509.DirectoryName(
2698 x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2699 x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2700 x509.NameAttribute(
2701 x509.OID_ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2702 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2703 ),
2704 x509.NameAttribute(
2705 x509.OID_ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2706 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2707 ),
2708 ])
2709 )],
2710 )
2711 ])
2712
2713 def test_relativename_and_crl_issuer(self, backend):
2714 cert = _load_cert(
2715 os.path.join(
2716 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest29EE.crt"
2717 ),
2718 x509.load_der_x509_certificate,
2719 backend
2720 )
2721
2722 cdps = cert.extensions.get_extension_for_oid(
2723 x509.OID_CRL_DISTRIBUTION_POINTS
2724 ).value
2725
2726 assert cdps == x509.CRLDistributionPoints([
2727 x509.DistributionPoint(
2728 full_name=None,
2729 relative_name=x509.Name([
2730 x509.NameAttribute(
2731 x509.OID_COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2732 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2733 ),
2734 ]),
2735 reasons=None,
2736 crl_issuer=[x509.DirectoryName(
2737 x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2738 x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2739 x509.NameAttribute(
2740 x509.OID_ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2741 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2742 ),
2743 x509.NameAttribute(
2744 x509.OID_ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2745 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2746 ),
2747 ])
2748 )],
2749 )
2750 ])
2751
2752 def test_fullname_crl_issuer_reasons(self, backend):
2753 cert = _load_cert(
2754 os.path.join(
2755 "x509", "custom", "cdp_fullname_reasons_crl_issuer.pem"
2756 ),
2757 x509.load_pem_x509_certificate,
2758 backend
2759 )
2760
2761 cdps = cert.extensions.get_extension_for_oid(
2762 x509.OID_CRL_DISTRIBUTION_POINTS
2763 ).value
2764
2765 assert cdps == x509.CRLDistributionPoints([
2766 x509.DistributionPoint(
2767 full_name=[x509.UniformResourceIdentifier(
2768 u"http://myhost.com/myca.crl"
2769 )],
2770 relative_name=None,
2771 reasons=frozenset([
2772 x509.ReasonFlags.key_compromise,
2773 x509.ReasonFlags.ca_compromise
2774 ]),
2775 crl_issuer=[x509.DirectoryName(
2776 x509.Name([
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2777 x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2778 x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2779 x509.OID_ORGANIZATION_NAME, u"PyCA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2780 ),
2781 x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2782 x509.OID_COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2783 ),
2784 ])
2785 )],
2786 )
2787 ])
2788
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]2789 def test_all_reasons(self, backend):
2790 cert = _load_cert(
2791 os.path.join(
2792 "x509", "custom", "cdp_all_reasons.pem"
2793 ),
2794 x509.load_pem_x509_certificate,
2795 backend
2796 )
2797
2798 cdps = cert.extensions.get_extension_for_oid(
2799 x509.OID_CRL_DISTRIBUTION_POINTS
2800 ).value
2801
2802 assert cdps == x509.CRLDistributionPoints([
2803 x509.DistributionPoint(
2804 full_name=[x509.UniformResourceIdentifier(
2805 u"http://domain.com/some.crl"
2806 )],
2807 relative_name=None,
2808 reasons=frozenset([
2809 x509.ReasonFlags.key_compromise,
2810 x509.ReasonFlags.ca_compromise,
2811 x509.ReasonFlags.affiliation_changed,
2812 x509.ReasonFlags.superseded,
2813 x509.ReasonFlags.privilege_withdrawn,
2814 x509.ReasonFlags.cessation_of_operation,
2815 x509.ReasonFlags.aa_compromise,
2816 x509.ReasonFlags.certificate_hold,
2817 ]),
2818 crl_issuer=None
2819 )
2820 ])
2821
2822 def test_single_reason(self, backend):
2823 cert = _load_cert(
2824 os.path.join(
2825 "x509", "custom", "cdp_reason_aa_compromise.pem"
2826 ),
2827 x509.load_pem_x509_certificate,
2828 backend
2829 )
2830
2831 cdps = cert.extensions.get_extension_for_oid(
2832 x509.OID_CRL_DISTRIBUTION_POINTS
2833 ).value
2834
2835 assert cdps == x509.CRLDistributionPoints([
2836 x509.DistributionPoint(
2837 full_name=[x509.UniformResourceIdentifier(
2838 u"http://domain.com/some.crl"
2839 )],
2840 relative_name=None,
2841 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
2842 crl_issuer=None
2843 )
2844 ])
2845
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2846 def test_crl_issuer_only(self, backend):
2847 cert = _load_cert(
2848 os.path.join(
2849 "x509", "custom", "cdp_crl_issuer.pem"
2850 ),
2851 x509.load_pem_x509_certificate,
2852 backend
2853 )
2854
2855 cdps = cert.extensions.get_extension_for_oid(
2856 x509.OID_CRL_DISTRIBUTION_POINTS
2857 ).value
2858
2859 assert cdps == x509.CRLDistributionPoints([
2860 x509.DistributionPoint(
2861 full_name=None,
2862 relative_name=None,
2863 reasons=None,
2864 crl_issuer=[x509.DirectoryName(
2865 x509.Name([
2866 x509.NameAttribute(
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2867 x509.OID_COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2868 ),
2869 ])
2870 )],
2871 )
2872 ])
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]2873
2874
Paul Kehrerf54a50b2015-06-17 18:31:26 -0600[diff] [blame]2875@pytest.mark.requires_backend_interface(interface=RSABackend)
2876@pytest.mark.requires_backend_interface(interface=X509Backend)
2877class TestOCSPNoCheckExtension(object):
2878 def test_nocheck(self, backend):
2879 cert = _load_cert(
2880 os.path.join(
2881 "x509", "custom", "ocsp_nocheck.pem"
2882 ),
2883 x509.load_pem_x509_certificate,
2884 backend
2885 )
2886 ext = cert.extensions.get_extension_for_oid(
2887 x509.OID_OCSP_NO_CHECK
2888 )
2889 assert isinstance(ext.value, x509.OCSPNoCheck)
2890
2891
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]2892class TestInhibitAnyPolicy(object):
2893 def test_not_int(self):
2894 with pytest.raises(TypeError):
2895 x509.InhibitAnyPolicy("notint")
2896
2897 def test_negative_int(self):
2898 with pytest.raises(ValueError):
2899 x509.InhibitAnyPolicy(-1)
2900
2901 def test_repr(self):
2902 iap = x509.InhibitAnyPolicy(0)
2903 assert repr(iap) == "<InhibitAnyPolicy(skip_certs=0)>"
2904
2905 def test_eq(self):
2906 iap = x509.InhibitAnyPolicy(1)
2907 iap2 = x509.InhibitAnyPolicy(1)
2908 assert iap == iap2
2909
2910 def test_ne(self):
2911 iap = x509.InhibitAnyPolicy(1)
2912 iap2 = x509.InhibitAnyPolicy(4)
2913 assert iap != iap2
2914 assert iap != object()
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]2915
2916
2917@pytest.mark.requires_backend_interface(interface=RSABackend)
2918@pytest.mark.requires_backend_interface(interface=X509Backend)
2919class TestInhibitAnyPolicyExtension(object):
2920 def test_nocheck(self, backend):
2921 cert = _load_cert(
2922 os.path.join(
2923 "x509", "custom", "inhibit_any_policy_5.pem"
2924 ),
2925 x509.load_pem_x509_certificate,
2926 backend
2927 )
2928 iap = cert.extensions.get_extension_for_oid(
2929 x509.OID_INHIBIT_ANY_POLICY
2930 ).value
2931 assert iap.skip_certs == 5
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]2932
2933
2934@pytest.mark.requires_backend_interface(interface=RSABackend)
2935@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1b7500f2015-08-01 20:56:27 +0100[diff] [blame]2936class TestInvalidExtension(object):
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]2937 def test_invalid_certificate_policies_data(self, backend):
2938 cert = _load_cert(
2939 os.path.join(
2940 "x509", "custom", "cp_invalid.pem"
2941 ),
2942 x509.load_pem_x509_certificate,
2943 backend
2944 )
2945 with pytest.raises(ValueError):
2946 cert.extensions