Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / ee2e92d32a984ffebe508108f1266315945b5cc5 / . / tests / test_x509_ext.py
blob: 7e46e5a130fdea70f707f4fbdeebb4969e2f1ec7 [file] [log] [blame]
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]1# This file is dual licensed under the terms of the Apache License, Version
2# 2.0, and the BSD License. See the LICENSE file in the root of this repository
3# for complete details.
4
5from __future__ import absolute_import, division, print_function
6
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]7import binascii
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]8import datetime
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]9import ipaddress
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]10import os
11
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]12import pytest
13
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]14import six
15
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]16from cryptography import x509
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]17from cryptography.hazmat.backends.interfaces import (
18 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
19)
20from cryptography.hazmat.primitives.asymmetric import ec
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]21from cryptography.x509.oid import (
Nick Bastin326fc8e2015-12-12 19:08:12 -0800[diff] [blame]22 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID,
23 NameOID, ObjectIdentifier
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]24)
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]25
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]26from .hazmat.primitives.test_ec import _skip_curve_unsupported
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]27from .test_x509 import _load_cert
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]28
29
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]30class TestExtension(object):
31 def test_not_an_oid(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]32 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]33 with pytest.raises(TypeError):
34 x509.Extension("notanoid", True, bc)
35
36 def test_critical_not_a_bool(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]37 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]38 with pytest.raises(TypeError):
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]39 x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, "notabool", bc)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]40
41 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]42 bc = x509.BasicConstraints(ca=False, path_length=None)
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]43 ext = x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, True, bc)
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]44 assert repr(ext) == (
45 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConst"
46 "raints)>, critical=True, value=<BasicConstraints(ca=False, path"
47 "_length=None)>)>"
48 )
49
Paul Kehrer58e870c2015-05-17 09:15:30 -0700[diff] [blame]50 def test_eq(self):
51 ext1 = x509.Extension(
52 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
53 )
54 ext2 = x509.Extension(
55 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
56 )
57 assert ext1 == ext2
58
59 def test_ne(self):
60 ext1 = x509.Extension(
61 x509.ObjectIdentifier('1.2.3.4'), False, 'value'
62 )
63 ext2 = x509.Extension(
64 x509.ObjectIdentifier('1.2.3.5'), False, 'value'
65 )
66 ext3 = x509.Extension(
67 x509.ObjectIdentifier('1.2.3.4'), True, 'value'
68 )
69 ext4 = x509.Extension(
70 x509.ObjectIdentifier('1.2.3.4'), False, 'value4'
71 )
72 assert ext1 != ext2
73 assert ext1 != ext3
74 assert ext1 != ext4
75 assert ext1 != object()
76
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]77
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]78class TestCertificateIssuer(object):
79 def test_iter_names(self):
80 ci = x509.CertificateIssuer([
81 x509.DNSName(u"cryptography.io"),
82 x509.DNSName(u"crypto.local"),
83 ])
84 assert len(ci) == 2
85 assert list(ci) == [
86 x509.DNSName(u"cryptography.io"),
87 x509.DNSName(u"crypto.local"),
88 ]
89
Paul Kehrer5c999d32015-12-26 17:45:20 -0600[diff] [blame]90 def test_indexing(self):
91 ci = x509.CertificateIssuer([
92 x509.DNSName(u"cryptography.io"),
93 x509.DNSName(u"crypto.local"),
94 x509.DNSName(u"another.local"),
95 x509.RFC822Name(u"email@another.local"),
96 x509.UniformResourceIdentifier(u"http://another.local"),
97 ])
98 assert ci[-1] == ci[4]
99 assert ci[2:6:2] == [ci[2], ci[4]]
100
Paul Kehrer49bb7562015-12-25 16:17:40 -0600[diff] [blame]101 def test_eq(self):
102 ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
103 ci2 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
104 assert ci1 == ci2
105
106 def test_ne(self):
107 ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
108 ci2 = x509.CertificateIssuer([x509.DNSName(u"somethingelse.tld")])
109 assert ci1 != ci2
110 assert ci1 != object()
111
112 def test_repr(self):
113 ci = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
114 assert repr(ci) == (
115 "<CertificateIssuer(<GeneralNames([<DNSName(value=cryptography.io"
116 ")>])>)>"
117 )
118
119 def test_get_values_for_type(self):
120 ci = x509.CertificateIssuer(
121 [x509.DNSName(u"cryptography.io")]
122 )
123 names = ci.get_values_for_type(x509.DNSName)
124 assert names == [u"cryptography.io"]
125
126
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]127class TestCRLReason(object):
128 def test_invalid_reason_flags(self):
129 with pytest.raises(TypeError):
130 x509.CRLReason("notareason")
131
132 def test_eq(self):
133 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
134 reason2 = x509.CRLReason(x509.ReasonFlags.unspecified)
135 assert reason1 == reason2
136
137 def test_ne(self):
138 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
139 reason2 = x509.CRLReason(x509.ReasonFlags.ca_compromise)
140 assert reason1 != reason2
141 assert reason1 != object()
142
Alex Gaynor07d5cae2015-12-27 15:30:39 -0500[diff] [blame]143 def test_hash(self):
144 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
145 reason2 = x509.CRLReason(x509.ReasonFlags.unspecified)
146 reason3 = x509.CRLReason(x509.ReasonFlags.ca_compromise)
147
148 assert hash(reason1) == hash(reason2)
149 assert hash(reason1) != hash(reason3)
150
Paul Kehrer7058ece2015-12-25 22:28:29 -0600[diff] [blame]151 def test_repr(self):
152 reason1 = x509.CRLReason(x509.ReasonFlags.unspecified)
153 assert repr(reason1) == (
154 "<CRLReason(reason=ReasonFlags.unspecified)>"
155 )
156
157
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]158class TestInvalidityDate(object):
159 def test_invalid_invalidity_date(self):
160 with pytest.raises(TypeError):
161 x509.InvalidityDate("notadate")
162
163 def test_eq(self):
164 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
165 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
166 assert invalid1 == invalid2
167
168 def test_ne(self):
169 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
170 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 2))
171 assert invalid1 != invalid2
172 assert invalid1 != object()
173
174 def test_repr(self):
175 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
176 assert repr(invalid1) == (
177 "<InvalidityDate(invalidity_date=2015-01-01 01:01:00)>"
178 )
179
Paul Kehrer67cde762015-12-26 11:37:14 -0600[diff] [blame]180 def test_hash(self):
181 invalid1 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
182 invalid2 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 1))
183 invalid3 = x509.InvalidityDate(datetime.datetime(2015, 1, 1, 1, 2))
184 assert hash(invalid1) == hash(invalid2)
185 assert hash(invalid1) != hash(invalid3)
Paul Kehrer23c0bbc2015-12-25 22:35:19 -0600[diff] [blame]186
Paul Kehrerc0297dd2015-12-26 11:37:57 -0600[diff] [blame]187
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]188class TestNoticeReference(object):
189 def test_notice_numbers_not_all_int(self):
190 with pytest.raises(TypeError):
191 x509.NoticeReference("org", [1, 2, "three"])
192
193 def test_notice_numbers_none(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]194 with pytest.raises(TypeError):
195 x509.NoticeReference("org", None)
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]196
197 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]198 nr = x509.NoticeReference(u"org", [1, 3, 4])
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]199
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]200 if six.PY3:
201 assert repr(nr) == (
202 "<NoticeReference(organization='org', notice_numbers=[1, 3, 4"
203 "])>"
204 )
205 else:
206 assert repr(nr) == (
207 "<NoticeReference(organization=u'org', notice_numbers=[1, 3, "
208 "4])>"
209 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]210
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]211 def test_eq(self):
212 nr = x509.NoticeReference("org", [1, 2])
213 nr2 = x509.NoticeReference("org", [1, 2])
214 assert nr == nr2
215
216 def test_ne(self):
217 nr = x509.NoticeReference("org", [1, 2])
218 nr2 = x509.NoticeReference("org", [1])
219 nr3 = x509.NoticeReference(None, [1, 2])
220 assert nr != nr2
221 assert nr != nr3
222 assert nr != object()
223
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]224
225class TestUserNotice(object):
226 def test_notice_reference_invalid(self):
227 with pytest.raises(TypeError):
228 x509.UserNotice("invalid", None)
229
230 def test_notice_reference_none(self):
231 un = x509.UserNotice(None, "text")
232 assert un.notice_reference is None
233 assert un.explicit_text == "text"
234
235 def test_repr(self):
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]236 un = x509.UserNotice(x509.NoticeReference(u"org", [1]), u"text")
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]237 if six.PY3:
238 assert repr(un) == (
239 "<UserNotice(notice_reference=<NoticeReference(organization='"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]240 "org', notice_numbers=[1])>, explicit_text='text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]241 )
242 else:
243 assert repr(un) == (
244 "<UserNotice(notice_reference=<NoticeReference(organization=u"
Paul Kehrer6e198b02015-05-12 15:53:38 -0500[diff] [blame]245 "'org', notice_numbers=[1])>, explicit_text=u'text')>"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]246 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]247
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]248 def test_eq(self):
249 nr = x509.NoticeReference("org", [1, 2])
250 nr2 = x509.NoticeReference("org", [1, 2])
251 un = x509.UserNotice(nr, "text")
252 un2 = x509.UserNotice(nr2, "text")
253 assert un == un2
254
255 def test_ne(self):
256 nr = x509.NoticeReference("org", [1, 2])
257 nr2 = x509.NoticeReference("org", [1])
258 un = x509.UserNotice(nr, "text")
259 un2 = x509.UserNotice(nr2, "text")
260 un3 = x509.UserNotice(nr, "text3")
261 assert un != un2
262 assert un != un3
263 assert un != object()
264
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]265
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]266class TestPolicyInformation(object):
267 def test_invalid_policy_identifier(self):
268 with pytest.raises(TypeError):
269 x509.PolicyInformation("notanoid", None)
270
271 def test_none_policy_qualifiers(self):
272 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), None)
273 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
274 assert pi.policy_qualifiers is None
275
276 def test_policy_qualifiers(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]277 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]278 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
279 assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3")
280 assert pi.policy_qualifiers == pq
281
282 def test_invalid_policy_identifiers(self):
283 with pytest.raises(TypeError):
284 x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [1, 2])
285
286 def test_repr(self):
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]287 pq = [u"string", x509.UserNotice(None, u"hi")]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]288 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]289 if six.PY3:
290 assert repr(pi) == (
291 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
292 "2.3, name=Unknown OID)>, policy_qualifiers=['string', <UserNo"
Paul Kehrer9aaef9e2015-05-11 10:49:20 -0500[diff] [blame]293 "tice(notice_reference=None, explicit_text='hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]294 )
295 else:
296 assert repr(pi) == (
297 "<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=1."
298 "2.3, name=Unknown OID)>, policy_qualifiers=[u'string', <UserN"
Paul Kehrer73be2ca2015-05-11 21:22:38 -0500[diff] [blame]299 "otice(notice_reference=None, explicit_text=u'hi')>])>"
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]300 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]301
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]302 def test_eq(self):
303 pi = x509.PolicyInformation(
304 x509.ObjectIdentifier("1.2.3"),
305 [u"string", x509.UserNotice(None, u"hi")]
306 )
307 pi2 = x509.PolicyInformation(
308 x509.ObjectIdentifier("1.2.3"),
309 [u"string", x509.UserNotice(None, u"hi")]
310 )
311 assert pi == pi2
312
313 def test_ne(self):
314 pi = x509.PolicyInformation(
315 x509.ObjectIdentifier("1.2.3"), [u"string"]
316 )
317 pi2 = x509.PolicyInformation(
318 x509.ObjectIdentifier("1.2.3"), [u"string2"]
319 )
320 pi3 = x509.PolicyInformation(
321 x509.ObjectIdentifier("1.2.3.4"), [u"string"]
322 )
323 assert pi != pi2
324 assert pi != pi3
325 assert pi != object()
326
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]327
328class TestCertificatePolicies(object):
329 def test_invalid_policies(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]330 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]331 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
332 with pytest.raises(TypeError):
333 x509.CertificatePolicies([1, pi])
334
335 def test_iter_len(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]336 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]337 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
338 cp = x509.CertificatePolicies([pi])
339 assert len(cp) == 1
340 for policyinfo in cp:
341 assert policyinfo == pi
342
343 def test_repr(self):
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]344 pq = [u"string"]
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]345 pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq)
346 cp = x509.CertificatePolicies([pi])
Paul Kehrerba35b3b2015-05-10 13:07:59 -0500[diff] [blame]347 if six.PY3:
348 assert repr(cp) == (
349 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
350 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
351 "ers=['string'])>])>"
352 )
353 else:
354 assert repr(cp) == (
355 "<CertificatePolicies([<PolicyInformation(policy_identifier=<O"
356 "bjectIdentifier(oid=1.2.3, name=Unknown OID)>, policy_qualifi"
357 "ers=[u'string'])>])>"
358 )
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]359
Paul Kehrerc56ab622015-05-03 09:56:31 -0500[diff] [blame]360 def test_eq(self):
361 pi = x509.PolicyInformation(
362 x509.ObjectIdentifier("1.2.3"), [u"string"]
363 )
364 cp = x509.CertificatePolicies([pi])
365 pi2 = x509.PolicyInformation(
366 x509.ObjectIdentifier("1.2.3"), [u"string"]
367 )
368 cp2 = x509.CertificatePolicies([pi2])
369 assert cp == cp2
370
371 def test_ne(self):
372 pi = x509.PolicyInformation(
373 x509.ObjectIdentifier("1.2.3"), [u"string"]
374 )
375 cp = x509.CertificatePolicies([pi])
376 pi2 = x509.PolicyInformation(
377 x509.ObjectIdentifier("1.2.3"), [u"string2"]
378 )
379 cp2 = x509.CertificatePolicies([pi2])
380 assert cp != cp2
381 assert cp != object()
382
Paul Kehrer2b622582015-04-15 11:04:29 -0400[diff] [blame]383
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]384@pytest.mark.requires_backend_interface(interface=RSABackend)
385@pytest.mark.requires_backend_interface(interface=X509Backend)
386class TestCertificatePoliciesExtension(object):
387 def test_cps_uri_policy_qualifier(self, backend):
388 cert = _load_cert(
389 os.path.join("x509", "custom", "cp_cps_uri.pem"),
390 x509.load_pem_x509_certificate,
391 backend
392 )
393
394 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]395 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]396 ).value
397
398 assert cp == x509.CertificatePolicies([
399 x509.PolicyInformation(
400 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
401 [u"http://other.com/cps"]
402 )
403 ])
404
405 def test_user_notice_with_notice_reference(self, backend):
406 cert = _load_cert(
407 os.path.join(
408 "x509", "custom", "cp_user_notice_with_notice_reference.pem"
409 ),
410 x509.load_pem_x509_certificate,
411 backend
412 )
413
414 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]415 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]416 ).value
417
418 assert cp == x509.CertificatePolicies([
419 x509.PolicyInformation(
420 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
421 [
422 u"http://example.com/cps",
423 u"http://other.com/cps",
424 x509.UserNotice(
425 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
426 u"thing"
427 )
428 ]
429 )
430 ])
431
432 def test_user_notice_with_explicit_text(self, backend):
433 cert = _load_cert(
434 os.path.join(
435 "x509", "custom", "cp_user_notice_with_explicit_text.pem"
436 ),
437 x509.load_pem_x509_certificate,
438 backend
439 )
440
441 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]442 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]443 ).value
444
445 assert cp == x509.CertificatePolicies([
446 x509.PolicyInformation(
447 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
448 [x509.UserNotice(None, u"thing")]
449 )
450 ])
451
452 def test_user_notice_no_explicit_text(self, backend):
453 cert = _load_cert(
454 os.path.join(
455 "x509", "custom", "cp_user_notice_no_explicit_text.pem"
456 ),
457 x509.load_pem_x509_certificate,
458 backend
459 )
460
461 cp = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]462 ExtensionOID.CERTIFICATE_POLICIES
Paul Kehrer11026fe2015-05-12 11:23:56 -0500[diff] [blame]463 ).value
464
465 assert cp == x509.CertificatePolicies([
466 x509.PolicyInformation(
467 x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
468 [
469 x509.UserNotice(
470 x509.NoticeReference(u"my org", [1, 2, 3, 4]),
471 None
472 )
473 ]
474 )
475 ])
476
477
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]478class TestKeyUsage(object):
479 def test_key_agreement_false_encipher_decipher_true(self):
480 with pytest.raises(ValueError):
481 x509.KeyUsage(
482 digital_signature=False,
483 content_commitment=False,
484 key_encipherment=False,
485 data_encipherment=False,
486 key_agreement=False,
487 key_cert_sign=False,
488 crl_sign=False,
489 encipher_only=True,
490 decipher_only=False
491 )
492
493 with pytest.raises(ValueError):
494 x509.KeyUsage(
495 digital_signature=False,
496 content_commitment=False,
497 key_encipherment=False,
498 data_encipherment=False,
499 key_agreement=False,
500 key_cert_sign=False,
501 crl_sign=False,
502 encipher_only=True,
503 decipher_only=True
504 )
505
506 with pytest.raises(ValueError):
507 x509.KeyUsage(
508 digital_signature=False,
509 content_commitment=False,
510 key_encipherment=False,
511 data_encipherment=False,
512 key_agreement=False,
513 key_cert_sign=False,
514 crl_sign=False,
515 encipher_only=False,
516 decipher_only=True
517 )
518
519 def test_properties_key_agreement_true(self):
520 ku = x509.KeyUsage(
521 digital_signature=True,
522 content_commitment=True,
523 key_encipherment=False,
524 data_encipherment=False,
525 key_agreement=False,
526 key_cert_sign=True,
527 crl_sign=False,
528 encipher_only=False,
529 decipher_only=False
530 )
531 assert ku.digital_signature is True
532 assert ku.content_commitment is True
533 assert ku.key_encipherment is False
534 assert ku.data_encipherment is False
535 assert ku.key_agreement is False
536 assert ku.key_cert_sign is True
537 assert ku.crl_sign is False
538
539 def test_key_agreement_true_properties(self):
540 ku = x509.KeyUsage(
541 digital_signature=False,
542 content_commitment=False,
543 key_encipherment=False,
544 data_encipherment=False,
545 key_agreement=True,
546 key_cert_sign=False,
547 crl_sign=False,
548 encipher_only=False,
549 decipher_only=True
550 )
551 assert ku.key_agreement is True
552 assert ku.encipher_only is False
553 assert ku.decipher_only is True
554
555 def test_key_agreement_false_properties(self):
556 ku = x509.KeyUsage(
557 digital_signature=False,
558 content_commitment=False,
559 key_encipherment=False,
560 data_encipherment=False,
561 key_agreement=False,
562 key_cert_sign=False,
563 crl_sign=False,
564 encipher_only=False,
565 decipher_only=False
566 )
567 assert ku.key_agreement is False
568 with pytest.raises(ValueError):
569 ku.encipher_only
570
571 with pytest.raises(ValueError):
572 ku.decipher_only
573
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]574 def test_repr_key_agreement_false(self):
575 ku = x509.KeyUsage(
576 digital_signature=True,
577 content_commitment=True,
578 key_encipherment=False,
579 data_encipherment=False,
580 key_agreement=False,
581 key_cert_sign=True,
582 crl_sign=False,
583 encipher_only=False,
584 decipher_only=False
585 )
586 assert repr(ku) == (
587 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
588 "cipherment=False, data_encipherment=False, key_agreement=False, k"
Paul Kehrerb372e672015-04-15 11:05:24 -0400[diff] [blame]589 "ey_cert_sign=True, crl_sign=False, encipher_only=None, decipher_o"
590 "nly=None)>"
Paul Kehrerac3e5bb2015-04-02 23:07:10 -0500[diff] [blame]591 )
592
593 def test_repr_key_agreement_true(self):
594 ku = x509.KeyUsage(
595 digital_signature=True,
596 content_commitment=True,
597 key_encipherment=False,
598 data_encipherment=False,
599 key_agreement=True,
600 key_cert_sign=True,
601 crl_sign=False,
602 encipher_only=False,
603 decipher_only=False
604 )
605 assert repr(ku) == (
606 "<KeyUsage(digital_signature=True, content_commitment=True, key_en"
607 "cipherment=False, data_encipherment=False, key_agreement=True, k"
608 "ey_cert_sign=True, crl_sign=False, encipher_only=False, decipher_"
609 "only=False)>"
610 )
611
Paul Kehrer8565f5e2015-05-13 09:57:09 -0500[diff] [blame]612 def test_eq(self):
613 ku = x509.KeyUsage(
614 digital_signature=False,
615 content_commitment=False,
616 key_encipherment=False,
617 data_encipherment=False,
618 key_agreement=True,
619 key_cert_sign=False,
620 crl_sign=False,
621 encipher_only=False,
622 decipher_only=True
623 )
624 ku2 = x509.KeyUsage(
625 digital_signature=False,
626 content_commitment=False,
627 key_encipherment=False,
628 data_encipherment=False,
629 key_agreement=True,
630 key_cert_sign=False,
631 crl_sign=False,
632 encipher_only=False,
633 decipher_only=True
634 )
635 assert ku == ku2
636
637 def test_ne(self):
638 ku = x509.KeyUsage(
639 digital_signature=False,
640 content_commitment=False,
641 key_encipherment=False,
642 data_encipherment=False,
643 key_agreement=True,
644 key_cert_sign=False,
645 crl_sign=False,
646 encipher_only=False,
647 decipher_only=True
648 )
649 ku2 = x509.KeyUsage(
650 digital_signature=False,
651 content_commitment=False,
652 key_encipherment=False,
653 data_encipherment=False,
654 key_agreement=False,
655 key_cert_sign=False,
656 crl_sign=False,
657 encipher_only=False,
658 decipher_only=False
659 )
660 assert ku != ku2
661 assert ku != object()
662
Paul Kehrercecbbba2015-03-30 14:58:38 -0500[diff] [blame]663
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]664class TestSubjectKeyIdentifier(object):
665 def test_properties(self):
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]666 value = binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]667 ski = x509.SubjectKeyIdentifier(value)
668 assert ski.digest == value
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]669
670 def test_repr(self):
671 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]672 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]673 )
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]674 ext = x509.Extension(ExtensionOID.SUBJECT_KEY_IDENTIFIER, False, ski)
Paul Kehrercbfb1012015-04-10 20:57:20 -0400[diff] [blame]675 if six.PY3:
676 assert repr(ext) == (
677 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
678 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
679 "igest=b\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
680 "\\xf7\\xff:\\xc9\')>)>"
681 )
682 else:
683 assert repr(ext) == (
684 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
685 "eyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(d"
686 "igest=\'\\t#\\x84\\x93\"0I\\x8b\\xc9\\x80\\xaa\\x80\\x98Eoo"
687 "\\xf7\\xff:\\xc9\')>)>"
688 )
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]689
690 def test_eq(self):
691 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]692 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]693 )
694 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]695 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]696 )
697 assert ski == ski2
698
699 def test_ne(self):
700 ski = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]701 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]702 )
703 ski2 = x509.SubjectKeyIdentifier(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]704 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]705 )
706 assert ski != ski2
707 assert ski != object()
708
Alex Gaynor410fe352015-12-26 15:01:25 -0500[diff] [blame]709 def test_hash(self):
710 ski1 = x509.SubjectKeyIdentifier(
711 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
712 )
713 ski2 = x509.SubjectKeyIdentifier(
714 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
715 )
716 ski3 = x509.SubjectKeyIdentifier(
717 binascii.unhexlify(b"aa8098456f6ff7ff3ac9092384932230498bc980")
718 )
719
720 assert hash(ski1) == hash(ski2)
721 assert hash(ski1) != hash(ski3)
722
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]723
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]724class TestAuthorityKeyIdentifier(object):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]725 def test_authority_cert_issuer_not_generalname(self):
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]726 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]727 x509.AuthorityKeyIdentifier(b"identifier", ["notname"], 3)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]728
729 def test_authority_cert_serial_number_not_integer(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]730 dirname = x509.DirectoryName(
731 x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]732 x509.NameAttribute(
733 x509.ObjectIdentifier('2.999.1'),
734 u'value1'
735 ),
736 x509.NameAttribute(
737 x509.ObjectIdentifier('2.999.2'),
738 u'value2'
739 ),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]740 ])
741 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]742 with pytest.raises(TypeError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]743 x509.AuthorityKeyIdentifier(b"identifier", [dirname], "notanint")
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]744
745 def test_authority_issuer_none_serial_not_none(self):
746 with pytest.raises(ValueError):
747 x509.AuthorityKeyIdentifier(b"identifier", None, 3)
748
749 def test_authority_issuer_not_none_serial_none(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]750 dirname = x509.DirectoryName(
751 x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]752 x509.NameAttribute(
753 x509.ObjectIdentifier('2.999.1'),
754 u'value1'
755 ),
756 x509.NameAttribute(
757 x509.ObjectIdentifier('2.999.2'),
758 u'value2'
759 ),
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]760 ])
761 )
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]762 with pytest.raises(ValueError):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]763 x509.AuthorityKeyIdentifier(b"identifier", [dirname], None)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]764
765 def test_authority_cert_serial_and_issuer_none(self):
766 aki = x509.AuthorityKeyIdentifier(b"id", None, None)
767 assert aki.key_identifier == b"id"
768 assert aki.authority_cert_issuer is None
769 assert aki.authority_cert_serial_number is None
770
771 def test_repr(self):
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]772 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]773 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]774 )
775 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]776
777 if six.PY3:
778 assert repr(aki) == (
779 "<AuthorityKeyIdentifier(key_identifier=b'digest', authority_"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]780 "cert_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid="
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]781 "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value='myC"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]782 "N')>])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]783 )
784 else:
785 assert repr(aki) == (
786 "<AuthorityKeyIdentifier(key_identifier='digest', authority_ce"
Paul Kehrerc6e0f062015-05-03 11:04:34 -0500[diff] [blame]787 "rt_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid=<Ob"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]788 "jectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'myCN')"
789 ">])>)>], authority_cert_serial_number=1234)>"
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]790 )
791
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]792 def test_eq(self):
793 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]794 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]795 )
796 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
797 dirname2 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]798 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]799 )
800 aki2 = x509.AuthorityKeyIdentifier(b"digest", [dirname2], 1234)
801 assert aki == aki2
802
803 def test_ne(self):
804 dirname = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]805 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]806 )
807 dirname5 = x509.DirectoryName(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]808 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'aCN')])
Paul Kehrer2ca2eb32015-05-03 10:04:57 -0500[diff] [blame]809 )
810 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
811 aki2 = x509.AuthorityKeyIdentifier(b"diges", [dirname], 1234)
812 aki3 = x509.AuthorityKeyIdentifier(b"digest", None, None)
813 aki4 = x509.AuthorityKeyIdentifier(b"digest", [dirname], 12345)
814 aki5 = x509.AuthorityKeyIdentifier(b"digest", [dirname5], 12345)
815 assert aki != aki2
816 assert aki != aki3
817 assert aki != aki4
818 assert aki != aki5
819 assert aki != object()
820
Paul Kehrer2eb4ed92015-04-11 15:33:45 -0400[diff] [blame]821
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]822class TestBasicConstraints(object):
823 def test_ca_not_boolean(self):
824 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]825 x509.BasicConstraints(ca="notbool", path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]826
827 def test_path_length_not_ca(self):
828 with pytest.raises(ValueError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]829 x509.BasicConstraints(ca=False, path_length=0)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]830
831 def test_path_length_not_int(self):
832 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]833 x509.BasicConstraints(ca=True, path_length=1.1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]834
835 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]836 x509.BasicConstraints(ca=True, path_length="notint")
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]837
838 def test_path_length_negative(self):
839 with pytest.raises(TypeError):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]840 x509.BasicConstraints(ca=True, path_length=-1)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]841
842 def test_repr(self):
Paul Kehrera5c6e9a2015-03-23 19:23:43 -0500[diff] [blame]843 na = x509.BasicConstraints(ca=True, path_length=None)
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]844 assert repr(na) == (
Paul Kehrer85894662015-03-22 13:19:31 -0500[diff] [blame]845 "<BasicConstraints(ca=True, path_length=None)>"
Paul Kehrer8cf26422015-03-21 09:50:24 -0500[diff] [blame]846 )
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]847
Paul Kehrer2eb69f62015-12-27 11:46:11 -0600[diff] [blame]848 def test_hash(self):
849 na = x509.BasicConstraints(ca=True, path_length=None)
850 na2 = x509.BasicConstraints(ca=True, path_length=None)
Paul Kehrerb39af8d2015-12-27 14:30:19 -0600[diff] [blame]851 na3 = x509.BasicConstraints(ca=True, path_length=0)
Paul Kehrer2eb69f62015-12-27 11:46:11 -0600[diff] [blame]852 assert hash(na) == hash(na2)
Paul Kehrerb39af8d2015-12-27 14:30:19 -0600[diff] [blame]853 assert hash(na) != hash(na3)
Paul Kehrer2eb69f62015-12-27 11:46:11 -0600[diff] [blame]854
Paul Kehrer3a69b132015-05-13 10:03:46 -0500[diff] [blame]855 def test_eq(self):
856 na = x509.BasicConstraints(ca=True, path_length=None)
857 na2 = x509.BasicConstraints(ca=True, path_length=None)
858 assert na == na2
859
860 def test_ne(self):
861 na = x509.BasicConstraints(ca=True, path_length=None)
862 na2 = x509.BasicConstraints(ca=True, path_length=1)
863 na3 = x509.BasicConstraints(ca=False, path_length=None)
864 assert na != na2
865 assert na != na3
866 assert na != object()
867
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]868
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]869class TestExtendedKeyUsage(object):
870 def test_not_all_oids(self):
871 with pytest.raises(TypeError):
872 x509.ExtendedKeyUsage(["notoid"])
873
874 def test_iter_len(self):
875 eku = x509.ExtendedKeyUsage([
876 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
877 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
878 ])
879 assert len(eku) == 2
880 assert list(eku) == [
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]881 ExtendedKeyUsageOID.SERVER_AUTH,
882 ExtendedKeyUsageOID.CLIENT_AUTH
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]883 ]
884
Paul Kehrer23d10c32015-04-02 23:12:32 -0500[diff] [blame]885 def test_repr(self):
886 eku = x509.ExtendedKeyUsage([
887 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
888 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
889 ])
890 assert repr(eku) == (
891 "<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name="
892 "serverAuth)>, <ObjectIdentifier(oid=1.3.6.1.5.5.7.3.2, name=clien"
893 "tAuth)>])>"
894 )
895
Paul Kehrerb0476172015-05-02 19:34:51 -0500[diff] [blame]896 def test_eq(self):
897 eku = x509.ExtendedKeyUsage([
898 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
899 ])
900 eku2 = x509.ExtendedKeyUsage([
901 x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7")
902 ])
903 assert eku == eku2
904
905 def test_ne(self):
906 eku = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6")])
907 eku2 = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6.1")])
908 assert eku != eku2
909 assert eku != object()
910
Paul Kehrerffa2a152015-03-31 08:18:25 -0500[diff] [blame]911
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]912@pytest.mark.requires_backend_interface(interface=RSABackend)
913@pytest.mark.requires_backend_interface(interface=X509Backend)
914class TestExtensions(object):
915 def test_no_extensions(self, backend):
916 cert = _load_cert(
917 os.path.join("x509", "verisign_md2_root.pem"),
918 x509.load_pem_x509_certificate,
919 backend
920 )
921 ext = cert.extensions
922 assert len(ext) == 0
923 assert list(ext) == []
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]924 with pytest.raises(x509.ExtensionNotFound) as exc:
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]925 ext.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]926
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]927 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]928
929 def test_one_extension(self, backend):
930 cert = _load_cert(
931 os.path.join(
932 "x509", "custom", "basic_constraints_not_critical.pem"
933 ),
934 x509.load_pem_x509_certificate,
935 backend
936 )
937 extensions = cert.extensions
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]938 ext = extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]939 assert ext is not None
940 assert ext.value.ca is False
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]941
942 def test_duplicate_extension(self, backend):
943 cert = _load_cert(
944 os.path.join(
945 "x509", "custom", "two_basic_constraints.pem"
946 ),
947 x509.load_pem_x509_certificate,
948 backend
949 )
950 with pytest.raises(x509.DuplicateExtension) as exc:
951 cert.extensions
952
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]953 assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfbb7ac82015-03-16 19:26:29 -0500[diff] [blame]954
955 def test_unsupported_critical_extension(self, backend):
956 cert = _load_cert(
957 os.path.join(
958 "x509", "custom", "unsupported_extension_critical.pem"
959 ),
960 x509.load_pem_x509_certificate,
961 backend
962 )
963 with pytest.raises(x509.UnsupportedExtension) as exc:
964 cert.extensions
965
966 assert exc.value.oid == x509.ObjectIdentifier("1.2.3.4")
967
968 def test_unsupported_extension(self, backend):
969 # TODO: this will raise an exception when all extensions are complete
970 cert = _load_cert(
971 os.path.join(
972 "x509", "custom", "unsupported_extension.pem"
973 ),
974 x509.load_pem_x509_certificate,
975 backend
976 )
977 extensions = cert.extensions
978 assert len(extensions) == 0
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]979
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]980 def test_no_extensions_get_for_class(self, backend):
981 cert = _load_cert(
982 os.path.join(
Phoebe Queencb5ec4e2015-08-12 15:06:26 +0100[diff] [blame]983 "x509", "cryptography.io.pem"
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]984 ),
985 x509.load_pem_x509_certificate,
986 backend
987 )
Phoebe Queenc93752b2015-08-12 10:54:46 +0100[diff] [blame]988 exts = cert.extensions
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]989 with pytest.raises(x509.ExtensionNotFound) as exc:
Phoebe Queencb5ec4e2015-08-12 15:06:26 +0100[diff] [blame]990 exts.get_extension_for_class(x509.IssuerAlternativeName)
991 assert exc.value.oid == ExtensionOID.ISSUER_ALTERNATIVE_NAME
Phoebe Queenecae9812015-08-12 05:00:32 +0100[diff] [blame]992
Paul Kehrer5b90c972015-12-26 00:52:58 -0600[diff] [blame]993 def test_indexing(self, backend):
994 cert = _load_cert(
995 os.path.join("x509", "cryptography.io.pem"),
996 x509.load_pem_x509_certificate,
997 backend
998 )
999 exts = cert.extensions
1000 assert exts[-1] == exts[7]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame]1001 assert exts[2:6:2] == [exts[2], exts[4]]
Paul Kehrer5b90c972015-12-26 00:52:58 -0600[diff] [blame]1002
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]1003 def test_one_extension_get_for_class(self, backend):
1004 cert = _load_cert(
Phoebe Queen2cc111a2015-08-12 04:14:22 +0100[diff] [blame]1005 os.path.join(
1006 "x509", "custom", "basic_constraints_not_critical.pem"
1007 ),
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]1008 x509.load_pem_x509_certificate,
1009 backend
1010 )
1011 ext = cert.extensions.get_extension_for_class(x509.BasicConstraints)
1012 assert ext is not None
Phoebe Queen9fbb8892015-08-12 03:51:33 +0100[diff] [blame]1013 assert isinstance(ext.value, x509.BasicConstraints)
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1014
Paul Kehrerafbe75b2015-10-20 08:08:43 -0500[diff] [blame]1015 def test_repr(self, backend):
1016 cert = _load_cert(
1017 os.path.join(
1018 "x509", "custom", "basic_constraints_not_critical.pem"
1019 ),
1020 x509.load_pem_x509_certificate,
1021 backend
1022 )
1023 assert repr(cert.extensions) == (
1024 "<Extensions([<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name"
1025 "=basicConstraints)>, critical=False, value=<BasicConstraints(ca=F"
1026 "alse, path_length=None)>)>])>"
1027 )
1028
Phoebe Queen2cc111a2015-08-12 04:14:22 +0100[diff] [blame]1029
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1030@pytest.mark.requires_backend_interface(interface=RSABackend)
1031@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerde813ea2015-03-28 12:44:34 -0500[diff] [blame]1032class TestBasicConstraintsExtension(object):
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1033 def test_ca_true_pathlen_6(self, backend):
1034 cert = _load_cert(
1035 os.path.join(
1036 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
1037 ),
1038 x509.load_der_x509_certificate,
1039 backend
1040 )
Phoebe Queen062dec72015-08-12 11:42:23 +0100[diff] [blame]1041 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1042 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1043 )
1044 assert ext is not None
1045 assert ext.critical is True
1046 assert ext.value.ca is True
1047 assert ext.value.path_length == 6
1048
1049 def test_path_length_zero(self, backend):
1050 cert = _load_cert(
1051 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
1052 x509.load_pem_x509_certificate,
1053 backend
1054 )
1055 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1056 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1057 )
1058 assert ext is not None
1059 assert ext.critical is True
1060 assert ext.value.ca is True
1061 assert ext.value.path_length == 0
1062
1063 def test_ca_true_no_pathlen(self, backend):
1064 cert = _load_cert(
1065 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1066 x509.load_der_x509_certificate,
1067 backend
1068 )
1069 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1070 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1071 )
1072 assert ext is not None
1073 assert ext.critical is True
1074 assert ext.value.ca is True
1075 assert ext.value.path_length is None
1076
1077 def test_ca_false(self, backend):
1078 cert = _load_cert(
1079 os.path.join("x509", "cryptography.io.pem"),
1080 x509.load_pem_x509_certificate,
1081 backend
1082 )
1083 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1084 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1085 )
1086 assert ext is not None
1087 assert ext.critical is True
1088 assert ext.value.ca is False
1089 assert ext.value.path_length is None
1090
1091 def test_no_basic_constraints(self, backend):
1092 cert = _load_cert(
1093 os.path.join(
1094 "x509",
1095 "PKITS_data",
1096 "certs",
1097 "ValidCertificatePathTest1EE.crt"
1098 ),
1099 x509.load_der_x509_certificate,
1100 backend
1101 )
1102 with pytest.raises(x509.ExtensionNotFound):
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1103 cert.extensions.get_extension_for_oid(
1104 ExtensionOID.BASIC_CONSTRAINTS
1105 )
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1106
1107 def test_basic_constraint_not_critical(self, backend):
1108 cert = _load_cert(
1109 os.path.join(
1110 "x509", "custom", "basic_constraints_not_critical.pem"
1111 ),
1112 x509.load_pem_x509_certificate,
1113 backend
1114 )
1115 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1116 ExtensionOID.BASIC_CONSTRAINTS
Paul Kehrerfa56a232015-03-17 13:14:03 -0500[diff] [blame]1117 )
1118 assert ext is not None
1119 assert ext.critical is False
1120 assert ext.value.ca is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1121
1122
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1123class TestSubjectKeyIdentifierExtension(object):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1124 @pytest.mark.requires_backend_interface(interface=RSABackend)
1125 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1126 def test_subject_key_identifier(self, backend):
1127 cert = _load_cert(
1128 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1129 x509.load_der_x509_certificate,
1130 backend
1131 )
1132 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1133 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1134 )
1135 ski = ext.value
1136 assert ext is not None
1137 assert ext.critical is False
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1138 assert ski.digest == binascii.unhexlify(
Paul Kehreree997262015-04-04 12:20:28 -0500[diff] [blame]1139 b"580184241bbc2b52944a3da510721451f5af3ac9"
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1140 )
1141
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1142 @pytest.mark.requires_backend_interface(interface=RSABackend)
1143 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1144 def test_no_subject_key_identifier(self, backend):
1145 cert = _load_cert(
1146 os.path.join("x509", "custom", "bc_path_length_zero.pem"),
1147 x509.load_pem_x509_certificate,
1148 backend
1149 )
1150 with pytest.raises(x509.ExtensionNotFound):
1151 cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1152 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrer1eb82a62015-03-31 20:00:33 -0500[diff] [blame]1153 )
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1154
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1155 @pytest.mark.requires_backend_interface(interface=RSABackend)
1156 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1157 def test_from_rsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1158 cert = _load_cert(
1159 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
1160 x509.load_der_x509_certificate,
1161 backend
1162 )
1163 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1164 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1165 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1166 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1167 cert.public_key()
1168 )
1169 assert ext.value == ski
1170
1171 @pytest.mark.requires_backend_interface(interface=DSABackend)
1172 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1173 def test_from_dsa_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1174 cert = _load_cert(
1175 os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
1176 x509.load_pem_x509_certificate,
1177 backend
1178 )
1179
1180 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1181 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1182 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1183 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1184 cert.public_key()
1185 )
1186 assert ext.value == ski
1187
1188 @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
1189 @pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1190 def test_from_ec_public_key(self, backend):
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1191 _skip_curve_unsupported(backend, ec.SECP384R1())
1192 cert = _load_cert(
1193 os.path.join("x509", "ecdsa_root.pem"),
1194 x509.load_pem_x509_certificate,
1195 backend
1196 )
1197
1198 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1199 ExtensionOID.SUBJECT_KEY_IDENTIFIER
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1200 )
Paul Kehrerd4a7f062015-08-05 18:32:18 +0100[diff] [blame]1201 ski = x509.SubjectKeyIdentifier.from_public_key(
Paul Kehrerf22f6122015-08-05 12:57:13 +0100[diff] [blame]1202 cert.public_key()
1203 )
1204 assert ext.value == ski
1205
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1206
1207@pytest.mark.requires_backend_interface(interface=RSABackend)
1208@pytest.mark.requires_backend_interface(interface=X509Backend)
1209class TestKeyUsageExtension(object):
1210 def test_no_key_usage(self, backend):
1211 cert = _load_cert(
1212 os.path.join("x509", "verisign_md2_root.pem"),
1213 x509.load_pem_x509_certificate,
1214 backend
1215 )
1216 ext = cert.extensions
1217 with pytest.raises(x509.ExtensionNotFound) as exc:
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1218 ext.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1219
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1220 assert exc.value.oid == ExtensionOID.KEY_USAGE
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1221
1222 def test_all_purposes(self, backend):
1223 cert = _load_cert(
1224 os.path.join(
1225 "x509", "custom", "all_key_usages.pem"
1226 ),
1227 x509.load_pem_x509_certificate,
1228 backend
1229 )
1230 extensions = cert.extensions
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1231 ext = extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1232 assert ext is not None
1233
1234 ku = ext.value
1235 assert ku.digital_signature is True
1236 assert ku.content_commitment is True
1237 assert ku.key_encipherment is True
1238 assert ku.data_encipherment is True
1239 assert ku.key_agreement is True
1240 assert ku.key_cert_sign is True
1241 assert ku.crl_sign is True
1242 assert ku.encipher_only is True
1243 assert ku.decipher_only is True
1244
1245 def test_key_cert_sign_crl_sign(self, backend):
1246 cert = _load_cert(
1247 os.path.join(
1248 "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
1249 ),
1250 x509.load_der_x509_certificate,
1251 backend
1252 )
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1253 ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
Paul Kehrer5508ee22015-04-02 19:31:03 -0500[diff] [blame]1254 assert ext is not None
1255 assert ext.critical is True
1256
1257 ku = ext.value
1258 assert ku.digital_signature is False
1259 assert ku.content_commitment is False
1260 assert ku.key_encipherment is False
1261 assert ku.data_encipherment is False
1262 assert ku.key_agreement is False
1263 assert ku.key_cert_sign is True
1264 assert ku.crl_sign is True
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1265
1266
1267@pytest.mark.parametrize(
1268 "name", [
1269 x509.RFC822Name,
1270 x509.DNSName,
1271 x509.UniformResourceIdentifier
1272 ]
1273)
1274class TestTextGeneralNames(object):
1275 def test_not_text(self, name):
1276 with pytest.raises(TypeError):
1277 name(b"notaunicodestring")
1278
1279 with pytest.raises(TypeError):
1280 name(1.3)
1281
1282 def test_repr(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1283 gn = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1284 assert repr(gn) == "<{0}(value=string)>".format(name.__name__)
1285
1286 def test_eq(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1287 gn = name(u"string")
1288 gn2 = name(u"string")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1289 assert gn == gn2
1290
1291 def test_ne(self, name):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1292 gn = name(u"string")
1293 gn2 = name(u"string2")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1294 assert gn != gn2
1295 assert gn != object()
1296
1297
1298class TestDirectoryName(object):
1299 def test_not_name(self):
1300 with pytest.raises(TypeError):
1301 x509.DirectoryName(b"notaname")
1302
1303 with pytest.raises(TypeError):
1304 x509.DirectoryName(1.3)
1305
1306 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1307 name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'value1')])
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1308 gn = x509.DirectoryName(x509.Name([name]))
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]1309 if six.PY3:
1310 assert repr(gn) == (
1311 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1312 "Identifier(oid=2.5.4.3, name=commonName)>, value='value1')>])"
1313 ">])>)>"
1314 )
1315 else:
1316 assert repr(gn) == (
1317 "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<Object"
1318 "Identifier(oid=2.5.4.3, name=commonName)>, value=u'value1')>]"
1319 ")>])>)>"
1320 )
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1321
1322 def test_eq(self):
1323 name = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1324 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1325 ])
1326 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1327 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1328 ])
1329 gn = x509.DirectoryName(x509.Name([name]))
1330 gn2 = x509.DirectoryName(x509.Name([name2]))
1331 assert gn == gn2
1332
1333 def test_ne(self):
1334 name = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1335 x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1336 ])
1337 name2 = x509.Name([
Nick Bastin6721fb82015-12-14 12:26:24 -0800[diff] [blame]1338 x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1339 ])
1340 gn = x509.DirectoryName(x509.Name([name]))
1341 gn2 = x509.DirectoryName(x509.Name([name2]))
1342 assert gn != gn2
1343 assert gn != object()
1344
1345
Paul Kehrer01d5d0b2015-07-12 09:41:21 -0500[diff] [blame]1346class TestRFC822Name(object):
1347 def test_invalid_email(self):
1348 with pytest.raises(ValueError):
1349 x509.RFC822Name(u"Name <email>")
1350
1351 with pytest.raises(ValueError):
1352 x509.RFC822Name(u"")
1353
1354 def test_single_label(self):
1355 gn = x509.RFC822Name(u"administrator")
1356 assert gn.value == u"administrator"
1357
1358 def test_idna(self):
1359 gn = x509.RFC822Name(u"email@em\xe5\xefl.com")
1360 assert gn.value == u"email@em\xe5\xefl.com"
1361 assert gn._encoded == b"email@xn--eml-vla4c.com"
1362
1363
Paul Kehrere28d6c42015-07-12 14:59:37 -0500[diff] [blame]1364class TestUniformResourceIdentifier(object):
1365 def test_no_parsed_hostname(self):
1366 gn = x509.UniformResourceIdentifier(u"singlelabel")
1367 assert gn.value == u"singlelabel"
1368
1369 def test_with_port(self):
1370 gn = x509.UniformResourceIdentifier(u"singlelabel:443/test")
1371 assert gn.value == u"singlelabel:443/test"
1372
1373 def test_idna_no_port(self):
1374 gn = x509.UniformResourceIdentifier(
1375 u"http://\u043f\u044b\u043a\u0430.cryptography"
1376 )
1377 assert gn.value == u"http://\u043f\u044b\u043a\u0430.cryptography"
1378 assert gn._encoded == b"http://xn--80ato2c.cryptography"
1379
1380 def test_idna_with_port(self):
1381 gn = x509.UniformResourceIdentifier(
1382 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1383 )
1384 assert gn.value == (
1385 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/some/path"
1386 )
1387 assert gn._encoded == b"gopher://xn--80ato2c.cryptography:70/some/path"
1388
1389 def test_query_and_fragment(self):
1390 gn = x509.UniformResourceIdentifier(
1391 u"ldap://cryptography:90/path?query=true#somedata"
1392 )
1393 assert gn.value == u"ldap://cryptography:90/path?query=true#somedata"
1394
1395
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1396class TestRegisteredID(object):
1397 def test_not_oid(self):
1398 with pytest.raises(TypeError):
1399 x509.RegisteredID(b"notanoid")
1400
1401 with pytest.raises(TypeError):
1402 x509.RegisteredID(1.3)
1403
1404 def test_repr(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1405 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1406 assert repr(gn) == (
1407 "<RegisteredID(value=<ObjectIdentifier(oid=2.5.4.3, name=commonNam"
1408 "e)>)>"
1409 )
1410
1411 def test_eq(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1412 gn = x509.RegisteredID(NameOID.COMMON_NAME)
1413 gn2 = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1414 assert gn == gn2
1415
1416 def test_ne(self):
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1417 gn = x509.RegisteredID(NameOID.COMMON_NAME)
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1418 gn2 = x509.RegisteredID(ExtensionOID.BASIC_CONSTRAINTS)
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1419 assert gn != gn2
1420 assert gn != object()
1421
1422
1423class TestIPAddress(object):
1424 def test_not_ipaddress(self):
1425 with pytest.raises(TypeError):
1426 x509.IPAddress(b"notanipaddress")
1427
1428 with pytest.raises(TypeError):
1429 x509.IPAddress(1.3)
1430
1431 def test_repr(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1432 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1433 assert repr(gn) == "<IPAddress(value=127.0.0.1)>"
1434
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1435 gn2 = x509.IPAddress(ipaddress.IPv6Address(u"ff::"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1436 assert repr(gn2) == "<IPAddress(value=ff::)>"
1437
Paul Kehrereb177932015-05-17 18:33:33 -0700[diff] [blame]1438 gn3 = x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24"))
1439 assert repr(gn3) == "<IPAddress(value=192.168.0.0/24)>"
1440
1441 gn4 = x509.IPAddress(ipaddress.IPv6Network(u"ff::/96"))
1442 assert repr(gn4) == "<IPAddress(value=ff::/96)>"
1443
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1444 def test_eq(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1445 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1446 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1447 assert gn == gn2
1448
1449 def test_ne(self):
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1450 gn = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
1451 gn2 = x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.2"))
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1452 assert gn != gn2
1453 assert gn != object()
1454
1455
Joshua Tauberer18b6fc82015-07-05 21:44:51 +0000[diff] [blame]1456class TestOtherName(object):
1457 def test_invalid_args(self):
1458 with pytest.raises(TypeError):
1459 x509.OtherName(b"notanobjectidentifier", b"derdata")
1460
1461 with pytest.raises(TypeError):
1462 x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), u"notderdata")
1463
1464 def test_repr(self):
1465 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1466 if six.PY3:
1467 assert repr(gn) == (
1468 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1469 "name=Unknown OID)>, value=b'derdata')>"
1470 )
1471 else:
1472 assert repr(gn) == (
1473 "<OtherName(type_id=<ObjectIdentifier(oid=1.2.3.4, "
1474 "name=Unknown OID)>, value='derdata')>"
1475 )
1476
1477 gn = x509.OtherName(x509.ObjectIdentifier("2.5.4.65"), b"derdata")
1478 if six.PY3:
1479 assert repr(gn) == (
1480 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1481 "name=pseudonym)>, value=b'derdata')>"
1482 )
1483 else:
1484 assert repr(gn) == (
1485 "<OtherName(type_id=<ObjectIdentifier(oid=2.5.4.65, "
1486 "name=pseudonym)>, value='derdata')>"
1487 )
1488
1489 def test_eq(self):
1490 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1491 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1492 assert gn == gn2
1493
1494 def test_ne(self):
1495 gn = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata")
1496 assert gn != object()
1497
1498 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"), b"derdata2")
1499 assert gn != gn2
1500
1501 gn2 = x509.OtherName(x509.ObjectIdentifier("1.2.3.5"), b"derdata")
1502 assert gn != gn2
1503
1504
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1505class TestGeneralNames(object):
1506 def test_get_values_for_type(self):
1507 gns = x509.GeneralNames(
1508 [x509.DNSName(u"cryptography.io")]
1509 )
1510 names = gns.get_values_for_type(x509.DNSName)
1511 assert names == [u"cryptography.io"]
1512
1513 def test_iter_names(self):
1514 gns = x509.GeneralNames([
1515 x509.DNSName(u"cryptography.io"),
1516 x509.DNSName(u"crypto.local"),
1517 ])
1518 assert len(gns) == 2
1519 assert list(gns) == [
1520 x509.DNSName(u"cryptography.io"),
1521 x509.DNSName(u"crypto.local"),
1522 ]
1523
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1524 def test_indexing(self):
1525 gn = x509.GeneralNames([
1526 x509.DNSName(u"cryptography.io"),
1527 x509.DNSName(u"crypto.local"),
1528 x509.DNSName(u"another.local"),
1529 x509.RFC822Name(u"email@another.local"),
1530 x509.UniformResourceIdentifier(u"http://another.local"),
1531 ])
1532 assert gn[-1] == gn[4]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame]1533 assert gn[2:6:2] == [gn[2], gn[4]]
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1534
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1535 def test_invalid_general_names(self):
1536 with pytest.raises(TypeError):
1537 x509.GeneralNames(
1538 [x509.DNSName(u"cryptography.io"), "invalid"]
1539 )
1540
1541 def test_repr(self):
1542 gns = x509.GeneralNames(
1543 [
1544 x509.DNSName(u"cryptography.io")
1545 ]
1546 )
1547 assert repr(gns) == (
1548 "<GeneralNames([<DNSName(value=cryptography.io)>])>"
1549 )
1550
1551 def test_eq(self):
1552 gns = x509.GeneralNames(
1553 [x509.DNSName(u"cryptography.io")]
1554 )
1555 gns2 = x509.GeneralNames(
1556 [x509.DNSName(u"cryptography.io")]
1557 )
1558 assert gns == gns2
1559
1560 def test_ne(self):
1561 gns = x509.GeneralNames(
1562 [x509.DNSName(u"cryptography.io")]
1563 )
1564 gns2 = x509.GeneralNames(
1565 [x509.RFC822Name(u"admin@cryptography.io")]
1566 )
1567 assert gns != gns2
1568 assert gns != object()
1569
1570
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1571class TestIssuerAlternativeName(object):
1572 def test_get_values_for_type(self):
1573 san = x509.IssuerAlternativeName(
1574 [x509.DNSName(u"cryptography.io")]
1575 )
1576 names = san.get_values_for_type(x509.DNSName)
1577 assert names == [u"cryptography.io"]
1578
1579 def test_iter_names(self):
1580 san = x509.IssuerAlternativeName([
1581 x509.DNSName(u"cryptography.io"),
1582 x509.DNSName(u"crypto.local"),
1583 ])
1584 assert len(san) == 2
1585 assert list(san) == [
1586 x509.DNSName(u"cryptography.io"),
1587 x509.DNSName(u"crypto.local"),
1588 ]
1589
Paul Kehrer5c999d32015-12-26 17:45:20 -0600[diff] [blame]1590 def test_indexing(self):
1591 ian = x509.IssuerAlternativeName([
1592 x509.DNSName(u"cryptography.io"),
1593 x509.DNSName(u"crypto.local"),
1594 x509.DNSName(u"another.local"),
1595 x509.RFC822Name(u"email@another.local"),
1596 x509.UniformResourceIdentifier(u"http://another.local"),
1597 ])
1598 assert ian[-1] == ian[4]
1599 assert ian[2:6:2] == [ian[2], ian[4]]
1600
Paul Kehrer99125c92015-06-07 18:37:10 -0500[diff] [blame]1601 def test_invalid_general_names(self):
1602 with pytest.raises(TypeError):
1603 x509.IssuerAlternativeName(
1604 [x509.DNSName(u"cryptography.io"), "invalid"]
1605 )
1606
1607 def test_repr(self):
1608 san = x509.IssuerAlternativeName(
1609 [
1610 x509.DNSName(u"cryptography.io")
1611 ]
1612 )
1613 assert repr(san) == (
1614 "<IssuerAlternativeName("
1615 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
1616 )
1617
1618 def test_eq(self):
1619 san = x509.IssuerAlternativeName(
1620 [x509.DNSName(u"cryptography.io")]
1621 )
1622 san2 = x509.IssuerAlternativeName(
1623 [x509.DNSName(u"cryptography.io")]
1624 )
1625 assert san == san2
1626
1627 def test_ne(self):
1628 san = x509.IssuerAlternativeName(
1629 [x509.DNSName(u"cryptography.io")]
1630 )
1631 san2 = x509.IssuerAlternativeName(
1632 [x509.RFC822Name(u"admin@cryptography.io")]
1633 )
1634 assert san != san2
1635 assert san != object()
1636
1637
Alex Gaynorf1c17672015-06-20 14:20:20 -0400[diff] [blame]1638@pytest.mark.requires_backend_interface(interface=RSABackend)
1639@pytest.mark.requires_backend_interface(interface=X509Backend)
1640class TestRSAIssuerAlternativeNameExtension(object):
1641 def test_uri(self, backend):
1642 cert = _load_cert(
1643 os.path.join("x509", "custom", "ian_uri.pem"),
1644 x509.load_pem_x509_certificate,
1645 backend,
1646 )
1647 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1648 ExtensionOID.ISSUER_ALTERNATIVE_NAME
Alex Gaynorf1c17672015-06-20 14:20:20 -0400[diff] [blame]1649 )
1650 assert list(ext.value) == [
1651 x509.UniformResourceIdentifier(u"http://path.to.root/root.crt"),
1652 ]
1653
1654
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]1655class TestCRLNumber(object):
1656 def test_eq(self):
1657 crl_number = x509.CRLNumber(15)
1658 assert crl_number == x509.CRLNumber(15)
1659
1660 def test_ne(self):
1661 crl_number = x509.CRLNumber(15)
1662 assert crl_number != x509.CRLNumber(14)
1663 assert crl_number != object()
1664
1665 def test_repr(self):
1666 crl_number = x509.CRLNumber(15)
1667 assert repr(crl_number) == "<CRLNumber(15)>"
1668
Paul Kehrera9718fc2015-12-22 22:55:35 -0600[diff] [blame]1669 def test_invalid_number(self):
1670 with pytest.raises(TypeError):
1671 x509.CRLNumber("notanumber")
1672
Alex Gaynorf9a77b62015-12-26 12:14:25 -0500[diff] [blame]1673 def test_hash(self):
1674 c1 = x509.CRLNumber(1)
1675 c2 = x509.CRLNumber(1)
1676 c3 = x509.CRLNumber(2)
1677 assert hash(c1) == hash(c2)
1678 assert hash(c1) != hash(c3)
1679
Paul Kehrer3b95cd72015-12-22 21:40:20 -0600[diff] [blame]1680
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1681class TestSubjectAlternativeName(object):
1682 def test_get_values_for_type(self):
1683 san = x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1684 [x509.DNSName(u"cryptography.io")]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1685 )
1686 names = san.get_values_for_type(x509.DNSName)
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1687 assert names == [u"cryptography.io"]
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1688
1689 def test_iter_names(self):
1690 san = x509.SubjectAlternativeName([
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1691 x509.DNSName(u"cryptography.io"),
1692 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1693 ])
1694 assert len(san) == 2
1695 assert list(san) == [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1696 x509.DNSName(u"cryptography.io"),
1697 x509.DNSName(u"crypto.local"),
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1698 ]
1699
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1700 def test_indexing(self):
1701 san = x509.SubjectAlternativeName([
1702 x509.DNSName(u"cryptography.io"),
1703 x509.DNSName(u"crypto.local"),
1704 x509.DNSName(u"another.local"),
1705 x509.RFC822Name(u"email@another.local"),
1706 x509.UniformResourceIdentifier(u"http://another.local"),
1707 ])
1708 assert san[-1] == san[4]
Alex Gaynorf0dd2e72015-12-26 16:50:29 -0500[diff] [blame]1709 assert san[2:6:2] == [san[2], san[4]]
Paul Kehrer8adb5962015-12-26 14:46:58 -0600[diff] [blame]1710
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1711 def test_invalid_general_names(self):
1712 with pytest.raises(TypeError):
1713 x509.SubjectAlternativeName(
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1714 [x509.DNSName(u"cryptography.io"), "invalid"]
Paul Kehrerd04b39b2015-04-21 08:44:17 -0500[diff] [blame]1715 )
1716
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1717 def test_repr(self):
1718 san = x509.SubjectAlternativeName(
1719 [
Eeshan Gargf1234152015-04-29 18:41:00 +0530[diff] [blame]1720 x509.DNSName(u"cryptography.io")
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1721 ]
1722 )
1723 assert repr(san) == (
Erik Trauschke2dcce902015-05-14 16:12:24 -0700[diff] [blame]1724 "<SubjectAlternativeName("
1725 "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
Paul Kehrer31bdf792015-03-25 14:11:00 -0500[diff] [blame]1726 )
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1727
Paul Kehrer58cc3972015-05-13 10:00:41 -0500[diff] [blame]1728 def test_eq(self):
1729 san = x509.SubjectAlternativeName(
1730 [x509.DNSName(u"cryptography.io")]
1731 )
1732 san2 = x509.SubjectAlternativeName(
1733 [x509.DNSName(u"cryptography.io")]
1734 )
1735 assert san == san2
1736
1737 def test_ne(self):
1738 san = x509.SubjectAlternativeName(
1739 [x509.DNSName(u"cryptography.io")]
1740 )
1741 san2 = x509.SubjectAlternativeName(
1742 [x509.RFC822Name(u"admin@cryptography.io")]
1743 )
1744 assert san != san2
1745 assert san != object()
1746
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1747
1748@pytest.mark.requires_backend_interface(interface=RSABackend)
1749@pytest.mark.requires_backend_interface(interface=X509Backend)
1750class TestRSASubjectAlternativeNameExtension(object):
1751 def test_dns_name(self, backend):
1752 cert = _load_cert(
1753 os.path.join("x509", "cryptography.io.pem"),
1754 x509.load_pem_x509_certificate,
1755 backend
1756 )
1757 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1758 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer40f83382015-04-20 15:00:16 -0500[diff] [blame]1759 )
1760 assert ext is not None
1761 assert ext.critical is False
1762
1763 san = ext.value
1764
1765 dns = san.get_values_for_type(x509.DNSName)
1766 assert dns == [u"www.cryptography.io", u"cryptography.io"]
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1767
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1768 def test_wildcard_dns_name(self, backend):
1769 cert = _load_cert(
1770 os.path.join("x509", "wildcard_san.pem"),
1771 x509.load_pem_x509_certificate,
1772 backend
1773 )
1774 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1775 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1776 )
1777
1778 dns = ext.value.get_values_for_type(x509.DNSName)
1779 assert dns == [
1780 u'*.langui.sh',
1781 u'langui.sh',
1782 u'*.saseliminator.com',
1783 u'saseliminator.com'
1784 ]
1785
Dominic Chen87bb9572015-10-09 00:23:07 -0400[diff] [blame]1786 def test_san_empty_hostname(self, backend):
1787 cert = _load_cert(
1788 os.path.join(
1789 "x509", "custom", "san_empty_hostname.pem"
1790 ),
1791 x509.load_pem_x509_certificate,
1792 backend
1793 )
1794 san = cert.extensions.get_extension_for_oid(
1795 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
1796 )
1797
1798 dns = san.value.get_values_for_type(x509.DNSName)
1799 assert dns == [u'']
1800
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1801 def test_san_wildcard_idna_dns_name(self, backend):
1802 cert = _load_cert(
1803 os.path.join("x509", "custom", "san_wildcard_idna.pem"),
1804 x509.load_pem_x509_certificate,
1805 backend
1806 )
1807 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1808 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer3c6bba52015-06-26 18:43:26 -0500[diff] [blame]1809 )
1810
1811 dns = ext.value.get_values_for_type(x509.DNSName)
1812 assert dns == [u'*.\u043f\u044b\u043a\u0430.cryptography']
1813
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1814 def test_unsupported_gn(self, backend):
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1815 cert = _load_cert(
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1816 os.path.join("x509", "san_x400address.der"),
1817 x509.load_der_x509_certificate,
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1818 backend
1819 )
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1820 with pytest.raises(x509.UnsupportedGeneralNameType) as exc:
Paul Kehrer9089c912015-04-20 22:15:20 -0500[diff] [blame]1821 cert.extensions
Paul Kehrerbed07352015-04-21 08:31:10 -0500[diff] [blame]1822
Paul Kehrer7bdf6572015-07-05 08:55:44 -0500[diff] [blame]1823 assert exc.value.type == 3
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1824
1825 def test_registered_id(self, backend):
1826 cert = _load_cert(
1827 os.path.join(
1828 "x509", "custom", "san_registered_id.pem"
1829 ),
1830 x509.load_pem_x509_certificate,
1831 backend
1832 )
1833 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1834 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer4db96622015-04-20 22:17:39 -0500[diff] [blame]1835 )
1836 assert ext is not None
1837 assert ext.critical is False
1838
1839 san = ext.value
1840 rid = san.get_values_for_type(x509.RegisteredID)
1841 assert rid == [x509.ObjectIdentifier("1.2.3.4")]
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1842
1843 def test_uri(self, backend):
1844 cert = _load_cert(
1845 os.path.join(
1846 "x509", "custom", "san_uri_with_port.pem"
1847 ),
1848 x509.load_pem_x509_certificate,
1849 backend
1850 )
1851 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1852 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrerb8ef82e2015-04-22 16:04:24 -0500[diff] [blame]1853 )
1854 assert ext is not None
1855 uri = ext.value.get_values_for_type(
1856 x509.UniformResourceIdentifier
1857 )
1858 assert uri == [
1859 u"gopher://\u043f\u044b\u043a\u0430.cryptography:70/path?q=s#hel"
1860 u"lo",
1861 u"http://someregulardomain.com",
1862 ]
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1863
1864 def test_ipaddress(self, backend):
1865 cert = _load_cert(
1866 os.path.join(
1867 "x509", "custom", "san_ipaddr.pem"
1868 ),
1869 x509.load_pem_x509_certificate,
1870 backend
1871 )
1872 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1873 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrera5f030c2015-04-28 08:33:18 -0500[diff] [blame]1874 )
1875 assert ext is not None
1876 assert ext.critical is False
1877
1878 san = ext.value
1879
1880 ip = san.get_values_for_type(x509.IPAddress)
1881 assert [
1882 ipaddress.ip_address(u"127.0.0.1"),
1883 ipaddress.ip_address(u"ff::")
1884 ] == ip
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1885
1886 def test_dirname(self, backend):
1887 cert = _load_cert(
1888 os.path.join(
1889 "x509", "custom", "san_dirname.pem"
1890 ),
1891 x509.load_pem_x509_certificate,
1892 backend
1893 )
1894 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1895 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1896 )
1897 assert ext is not None
1898 assert ext.critical is False
1899
1900 san = ext.value
1901
1902 dirname = san.get_values_for_type(x509.DirectoryName)
1903 assert [
1904 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1905 x509.NameAttribute(NameOID.COMMON_NAME, u'test'),
1906 x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org'),
1907 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
Paul Kehrer2187a052015-04-30 08:22:07 -0500[diff] [blame]1908 ])
1909 ] == dirname
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1910
1911 def test_rfc822name(self, backend):
1912 cert = _load_cert(
1913 os.path.join(
1914 "x509", "custom", "san_rfc822_idna.pem"
1915 ),
1916 x509.load_pem_x509_certificate,
1917 backend
1918 )
1919 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1920 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1921 )
1922 assert ext is not None
1923 assert ext.critical is False
1924
1925 san = ext.value
1926
1927 rfc822name = san.get_values_for_type(x509.RFC822Name)
1928 assert [u"email@em\xe5\xefl.com"] == rfc822name
1929
Paul Kehrerb8968812015-05-15 09:01:34 -0700[diff] [blame]1930 def test_idna2003_invalid(self, backend):
1931 cert = _load_cert(
1932 os.path.join(
1933 "x509", "custom", "san_idna2003_dnsname.pem"
1934 ),
1935 x509.load_pem_x509_certificate,
1936 backend
1937 )
1938 with pytest.raises(UnicodeError):
1939 cert.extensions
1940
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1941 def test_unicode_rfc822_name_dns_name_uri(self, backend):
1942 cert = _load_cert(
1943 os.path.join(
1944 "x509", "custom", "san_idna_names.pem"
1945 ),
1946 x509.load_pem_x509_certificate,
1947 backend
1948 )
1949 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1950 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1951 )
1952 assert ext is not None
1953 rfc822_name = ext.value.get_values_for_type(x509.RFC822Name)
1954 dns_name = ext.value.get_values_for_type(x509.DNSName)
1955 uri = ext.value.get_values_for_type(x509.UniformResourceIdentifier)
1956 assert rfc822_name == [u"email@\u043f\u044b\u043a\u0430.cryptography"]
1957 assert dns_name == [u"\u043f\u044b\u043a\u0430.cryptography"]
1958 assert uri == [u"https://www.\u043f\u044b\u043a\u0430.cryptography"]
1959
1960 def test_rfc822name_dnsname_ipaddress_directoryname_uri(self, backend):
1961 cert = _load_cert(
1962 os.path.join(
1963 "x509", "custom", "san_email_dns_ip_dirname_uri.pem"
1964 ),
1965 x509.load_pem_x509_certificate,
1966 backend
1967 )
1968 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]1969 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1970 )
1971 assert ext is not None
1972 assert ext.critical is False
1973
1974 san = ext.value
1975
1976 rfc822_name = san.get_values_for_type(x509.RFC822Name)
1977 uri = san.get_values_for_type(x509.UniformResourceIdentifier)
1978 dns = san.get_values_for_type(x509.DNSName)
1979 ip = san.get_values_for_type(x509.IPAddress)
1980 dirname = san.get_values_for_type(x509.DirectoryName)
1981 assert [u"user@cryptography.io"] == rfc822_name
Paul Kehrere3a330c2015-05-02 16:42:52 -0500[diff] [blame]1982 assert [u"https://cryptography.io"] == uri
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1983 assert [u"cryptography.io"] == dns
1984 assert [
1985 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1986 x509.NameAttribute(NameOID.COMMON_NAME, u'dirCN'),
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1987 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]1988 NameOID.ORGANIZATION_NAME, u'Cryptographic Authority'
Paul Kehrere06cab42015-04-30 10:23:33 -0500[diff] [blame]1989 ),
1990 ])
1991 ] == dirname
1992 assert [
1993 ipaddress.ip_address(u"127.0.0.1"),
1994 ipaddress.ip_address(u"ff::")
1995 ] == ip
1996
1997 def test_invalid_rfc822name(self, backend):
1998 cert = _load_cert(
1999 os.path.join(
2000 "x509", "custom", "san_rfc822_names.pem"
2001 ),
2002 x509.load_pem_x509_certificate,
2003 backend
2004 )
2005 with pytest.raises(ValueError) as exc:
2006 cert.extensions
2007
2008 assert 'Invalid rfc822name value' in str(exc.value)
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]2009
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2010 def test_other_name(self, backend):
2011 cert = _load_cert(
2012 os.path.join(
2013 "x509", "custom", "san_other_name.pem"
2014 ),
2015 x509.load_pem_x509_certificate,
2016 backend
2017 )
2018
2019 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2020 ExtensionOID.SUBJECT_ALTERNATIVE_NAME
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2021 )
2022 assert ext is not None
2023 assert ext.critical is False
2024
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]2025 expected = x509.OtherName(x509.ObjectIdentifier("1.2.3.4"),
2026 b'\x16\x0bHello World')
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2027 assert len(ext.value) == 1
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]2028 assert list(ext.value)[0] == expected
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2029
2030 othernames = ext.value.get_values_for_type(x509.OtherName)
Joshua Taubererd2afad32015-07-06 22:37:53 +0000[diff] [blame]2031 assert othernames == [expected]
Joshua Tauberer2ee5e3c2015-07-04 20:09:46 +0000[diff] [blame]2032
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]2033
2034@pytest.mark.requires_backend_interface(interface=RSABackend)
2035@pytest.mark.requires_backend_interface(interface=X509Backend)
2036class TestExtendedKeyUsageExtension(object):
2037 def test_eku(self, backend):
2038 cert = _load_cert(
2039 os.path.join(
2040 "x509", "custom", "extended_key_usage.pem"
2041 ),
2042 x509.load_pem_x509_certificate,
2043 backend
2044 )
2045 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2046 ExtensionOID.EXTENDED_KEY_USAGE
Paul Kehrer94c69602015-05-02 19:29:40 -0500[diff] [blame]2047 )
2048 assert ext is not None
2049 assert ext.critical is False
2050
2051 assert [
2052 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"),
2053 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"),
2054 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.3"),
2055 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.4"),
2056 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.9"),
2057 x509.ObjectIdentifier("1.3.6.1.5.5.7.3.8"),
2058 x509.ObjectIdentifier("2.5.29.37.0"),
2059 x509.ObjectIdentifier("2.16.840.1.113730.4.1"),
2060 ] == list(ext.value)
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2061
2062
2063class TestAccessDescription(object):
2064 def test_invalid_access_method(self):
Nick Bastind06763d2015-12-12 18:32:59 -0800[diff] [blame]2065 with pytest.raises(TypeError):
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2066 x509.AccessDescription("notanoid", x509.DNSName(u"test"))
2067
2068 def test_invalid_access_location(self):
2069 with pytest.raises(TypeError):
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2070 x509.AccessDescription(
2071 AuthorityInformationAccessOID.CA_ISSUERS, "invalid"
2072 )
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2073
Nick Bastind2ecf862015-12-13 05:44:46 -0800[diff] [blame]2074 def test_valid_nonstandard_method(self):
Nick Bastin326fc8e2015-12-12 19:08:12 -0800[diff] [blame]2075 ad = x509.AccessDescription(
2076 ObjectIdentifier("2.999.1"),
2077 x509.UniformResourceIdentifier(u"http://example.com")
2078 )
Nick Bastin11f0f8a2015-12-12 18:54:12 -0800[diff] [blame]2079 assert ad is not None
2080
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2081 def test_repr(self):
2082 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2083 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2084 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2085 )
2086 assert repr(ad) == (
2087 "<AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5."
2088 "5.7.48.1, name=OCSP)>, access_location=<UniformResourceIdentifier"
2089 "(value=http://ocsp.domain.com)>)>"
2090 )
2091
2092 def test_eq(self):
2093 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2094 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2095 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2096 )
2097 ad2 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2098 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2099 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2100 )
2101 assert ad == ad2
2102
2103 def test_ne(self):
2104 ad = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2105 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2106 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2107 )
2108 ad2 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2109 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2110 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2111 )
2112 ad3 = x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2113 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2114 x509.UniformResourceIdentifier(u"http://notthesame")
2115 )
2116 assert ad != ad2
2117 assert ad != ad3
2118 assert ad != object()
2119
2120
2121class TestAuthorityInformationAccess(object):
2122 def test_invalid_descriptions(self):
2123 with pytest.raises(TypeError):
2124 x509.AuthorityInformationAccess(["notanAccessDescription"])
2125
2126 def test_iter_len(self):
2127 aia = x509.AuthorityInformationAccess([
2128 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2129 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2130 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2131 ),
2132 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2133 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2134 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2135 )
2136 ])
2137 assert len(aia) == 2
2138 assert list(aia) == [
2139 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2140 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2141 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2142 ),
2143 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2144 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2145 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2146 )
2147 ]
2148
2149 def test_repr(self):
2150 aia = x509.AuthorityInformationAccess([
2151 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2152 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2153 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2154 ),
2155 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2156 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2157 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2158 )
2159 ])
2160 assert repr(aia) == (
2161 "<AuthorityInformationAccess([<AccessDescription(access_method=<Ob"
2162 "jectIdentifier(oid=1.3.6.1.5.5.7.48.1, name=OCSP)>, access_locati"
2163 "on=<UniformResourceIdentifier(value=http://ocsp.domain.com)>)>, <"
2164 "AccessDescription(access_method=<ObjectIdentifier(oid=1.3.6.1.5.5"
2165 ".7.48.2, name=caIssuers)>, access_location=<UniformResourceIdenti"
2166 "fier(value=http://domain.com/ca.crt)>)>])>"
2167 )
2168
2169 def test_eq(self):
2170 aia = x509.AuthorityInformationAccess([
2171 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2172 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2173 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2174 ),
2175 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2176 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2177 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2178 )
2179 ])
2180 aia2 = x509.AuthorityInformationAccess([
2181 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2182 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2183 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2184 ),
2185 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2186 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2187 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2188 )
2189 ])
2190 assert aia == aia2
2191
2192 def test_ne(self):
2193 aia = x509.AuthorityInformationAccess([
2194 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2195 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2196 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2197 ),
2198 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2199 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2200 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
2201 )
2202 ])
2203 aia2 = x509.AuthorityInformationAccess([
2204 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2205 AuthorityInformationAccessOID.OCSP,
Paul Kehrer3e6d5582015-05-02 21:57:56 -0500[diff] [blame]2206 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2207 ),
2208 ])
2209
2210 assert aia != aia2
2211 assert aia != object()
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2212
2213
2214@pytest.mark.requires_backend_interface(interface=RSABackend)
2215@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2216class TestAuthorityInformationAccessExtension(object):
2217 def test_aia_ocsp_ca_issuers(self, backend):
2218 cert = _load_cert(
2219 os.path.join("x509", "cryptography.io.pem"),
2220 x509.load_pem_x509_certificate,
2221 backend
2222 )
2223 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2224 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2225 )
2226 assert ext is not None
2227 assert ext.critical is False
2228
2229 assert ext.value == x509.AuthorityInformationAccess([
2230 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2231 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2232 x509.UniformResourceIdentifier(u"http://gv.symcd.com")
2233 ),
2234 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2235 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2236 x509.UniformResourceIdentifier(u"http://gv.symcb.com/gv.crt")
2237 ),
2238 ])
2239
2240 def test_aia_multiple_ocsp_ca_issuers(self, backend):
2241 cert = _load_cert(
2242 os.path.join("x509", "custom", "aia_ocsp_ca_issuers.pem"),
2243 x509.load_pem_x509_certificate,
2244 backend
2245 )
2246 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2247 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2248 )
2249 assert ext is not None
2250 assert ext.critical is False
2251
2252 assert ext.value == x509.AuthorityInformationAccess([
2253 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2254 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2255 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2256 ),
2257 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2258 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2259 x509.UniformResourceIdentifier(u"http://ocsp2.domain.com")
2260 ),
2261 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2262 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2263 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2264 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
2265 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2266 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2267 ]))
2268 ),
2269 ])
2270
2271 def test_aia_ocsp_only(self, backend):
2272 cert = _load_cert(
2273 os.path.join("x509", "custom", "aia_ocsp.pem"),
2274 x509.load_pem_x509_certificate,
2275 backend
2276 )
2277 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2278 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2279 )
2280 assert ext is not None
2281 assert ext.critical is False
2282
2283 assert ext.value == x509.AuthorityInformationAccess([
2284 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2285 AuthorityInformationAccessOID.OCSP,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2286 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
2287 ),
2288 ])
2289
2290 def test_aia_ca_issuers_only(self, backend):
2291 cert = _load_cert(
2292 os.path.join("x509", "custom", "aia_ca_issuers.pem"),
2293 x509.load_pem_x509_certificate,
2294 backend
2295 )
2296 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2297 ExtensionOID.AUTHORITY_INFORMATION_ACCESS
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2298 )
2299 assert ext is not None
2300 assert ext.critical is False
2301
2302 assert ext.value == x509.AuthorityInformationAccess([
2303 x509.AccessDescription(
Paul Kehrer9e102db2015-08-10 21:53:09 -0500[diff] [blame]2304 AuthorityInformationAccessOID.CA_ISSUERS,
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2305 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2306 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
2307 x509.NameAttribute(NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2308 u"some Org"),
Paul Kehrera1476992015-05-04 17:35:47 -0500[diff] [blame]2309 ]))
2310 ),
2311 ])
2312
2313
2314@pytest.mark.requires_backend_interface(interface=RSABackend)
2315@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2316class TestAuthorityKeyIdentifierExtension(object):
2317 def test_aki_keyid(self, backend):
2318 cert = _load_cert(
2319 os.path.join(
2320 "x509", "cryptography.io.pem"
2321 ),
2322 x509.load_pem_x509_certificate,
2323 backend
2324 )
2325 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2326 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2327 )
2328 assert ext is not None
2329 assert ext.critical is False
2330
2331 assert ext.value.key_identifier == (
2332 b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08\xcbY"
2333 )
2334 assert ext.value.authority_cert_issuer is None
2335 assert ext.value.authority_cert_serial_number is None
2336
2337 def test_aki_all_fields(self, backend):
2338 cert = _load_cert(
2339 os.path.join(
2340 "x509", "custom", "authority_key_identifier.pem"
2341 ),
2342 x509.load_pem_x509_certificate,
2343 backend
2344 )
2345 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2346 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2347 )
2348 assert ext is not None
2349 assert ext.critical is False
2350
2351 assert ext.value.key_identifier == (
2352 b"9E>\xca=b\x1d\xea\x86I\xf6Z\xab@\xb7\xa4p\x98\xf1\xec"
2353 )
2354 assert ext.value.authority_cert_issuer == [
2355 x509.DirectoryName(
2356 x509.Name([
2357 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2358 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2359 ),
2360 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2361 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2362 )
2363 ])
2364 )
2365 ]
2366 assert ext.value.authority_cert_serial_number == 3
2367
2368 def test_aki_no_keyid(self, backend):
2369 cert = _load_cert(
2370 os.path.join(
2371 "x509", "custom", "authority_key_identifier_no_keyid.pem"
2372 ),
2373 x509.load_pem_x509_certificate,
2374 backend
2375 )
2376 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2377 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2378 )
2379 assert ext is not None
2380 assert ext.critical is False
2381
2382 assert ext.value.key_identifier is None
2383 assert ext.value.authority_cert_issuer == [
2384 x509.DirectoryName(
2385 x509.Name([
2386 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2387 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2388 ),
2389 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2390 NameOID.COMMON_NAME, u"cryptography.io"
Paul Kehrerd774de92015-05-03 10:52:25 -0500[diff] [blame]2391 )
2392 ])
2393 )
2394 ]
2395 assert ext.value.authority_cert_serial_number == 3
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2396
Paul Kehrer253929a2015-08-05 17:30:39 +0100[diff] [blame]2397 def test_from_certificate(self, backend):
2398 issuer_cert = _load_cert(
2399 os.path.join("x509", "rapidssl_sha256_ca_g3.pem"),
2400 x509.load_pem_x509_certificate,
2401 backend
2402 )
2403 cert = _load_cert(
2404 os.path.join("x509", "cryptography.io.pem"),
2405 x509.load_pem_x509_certificate,
2406 backend
2407 )
2408 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2409 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
Paul Kehrer253929a2015-08-05 17:30:39 +0100[diff] [blame]2410 )
2411 aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(
2412 issuer_cert.public_key()
2413 )
2414 assert ext.value == aki
2415
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2416
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2417class TestNameConstraints(object):
2418 def test_ipaddress_wrong_type(self):
2419 with pytest.raises(TypeError):
2420 x509.NameConstraints(
2421 permitted_subtrees=[
2422 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2423 ],
2424 excluded_subtrees=None
2425 )
2426
2427 with pytest.raises(TypeError):
2428 x509.NameConstraints(
2429 permitted_subtrees=None,
2430 excluded_subtrees=[
2431 x509.IPAddress(ipaddress.IPv4Address(u"127.0.0.1"))
2432 ]
2433 )
2434
2435 def test_ipaddress_allowed_type(self):
2436 permitted = [x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/29"))]
2437 excluded = [x509.IPAddress(ipaddress.IPv4Network(u"10.10.0.0/24"))]
2438 nc = x509.NameConstraints(
2439 permitted_subtrees=permitted,
2440 excluded_subtrees=excluded
2441 )
2442 assert nc.permitted_subtrees == permitted
2443 assert nc.excluded_subtrees == excluded
2444
2445 def test_invalid_permitted_subtrees(self):
2446 with pytest.raises(TypeError):
2447 x509.NameConstraints("badpermitted", None)
2448
2449 def test_invalid_excluded_subtrees(self):
2450 with pytest.raises(TypeError):
2451 x509.NameConstraints(None, "badexcluded")
2452
2453 def test_no_subtrees(self):
2454 with pytest.raises(ValueError):
2455 x509.NameConstraints(None, None)
2456
2457 def test_permitted_none(self):
2458 excluded = [x509.DNSName(u"name.local")]
2459 nc = x509.NameConstraints(
2460 permitted_subtrees=None, excluded_subtrees=excluded
2461 )
2462 assert nc.permitted_subtrees is None
2463 assert nc.excluded_subtrees is not None
2464
2465 def test_excluded_none(self):
2466 permitted = [x509.DNSName(u"name.local")]
2467 nc = x509.NameConstraints(
2468 permitted_subtrees=permitted, excluded_subtrees=None
2469 )
2470 assert nc.permitted_subtrees is not None
2471 assert nc.excluded_subtrees is None
2472
2473 def test_repr(self):
2474 permitted = [x509.DNSName(u"name.local"), x509.DNSName(u"name2.local")]
2475 nc = x509.NameConstraints(
2476 permitted_subtrees=permitted,
2477 excluded_subtrees=None
2478 )
2479 assert repr(nc) == (
2480 "<NameConstraints(permitted_subtrees=[<DNSName(value=name.local)>"
2481 ", <DNSName(value=name2.local)>], excluded_subtrees=None)>"
2482 )
2483
Paul Kehrer31894282015-06-21 21:46:41 -0500[diff] [blame]2484 def test_eq(self):
2485 nc = x509.NameConstraints(
2486 permitted_subtrees=[x509.DNSName(u"name.local")],
2487 excluded_subtrees=[x509.DNSName(u"name2.local")]
2488 )
2489 nc2 = x509.NameConstraints(
2490 permitted_subtrees=[x509.DNSName(u"name.local")],
2491 excluded_subtrees=[x509.DNSName(u"name2.local")]
2492 )
2493 assert nc == nc2
2494
2495 def test_ne(self):
2496 nc = x509.NameConstraints(
2497 permitted_subtrees=[x509.DNSName(u"name.local")],
2498 excluded_subtrees=[x509.DNSName(u"name2.local")]
2499 )
2500 nc2 = x509.NameConstraints(
2501 permitted_subtrees=[x509.DNSName(u"name.local")],
2502 excluded_subtrees=None
2503 )
2504 nc3 = x509.NameConstraints(
2505 permitted_subtrees=None,
2506 excluded_subtrees=[x509.DNSName(u"name2.local")]
2507 )
2508
2509 assert nc != nc2
2510 assert nc != nc3
2511 assert nc != object()
2512
Paul Kehrere0017be2015-05-17 20:39:40 -0600[diff] [blame]2513
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2514@pytest.mark.requires_backend_interface(interface=RSABackend)
2515@pytest.mark.requires_backend_interface(interface=X509Backend)
2516class TestNameConstraintsExtension(object):
2517 def test_permitted_excluded(self, backend):
2518 cert = _load_cert(
2519 os.path.join(
2520 "x509", "custom", "nc_permitted_excluded_2.pem"
2521 ),
2522 x509.load_pem_x509_certificate,
2523 backend
2524 )
2525 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2526 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2527 ).value
2528 assert nc == x509.NameConstraints(
2529 permitted_subtrees=[
2530 x509.DNSName(u"zombo.local"),
2531 ],
2532 excluded_subtrees=[
2533 x509.DirectoryName(x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2534 x509.NameAttribute(NameOID.COMMON_NAME, u"zombo")
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2535 ]))
2536 ]
2537 )
2538
2539 def test_permitted(self, backend):
2540 cert = _load_cert(
2541 os.path.join(
2542 "x509", "custom", "nc_permitted_2.pem"
2543 ),
2544 x509.load_pem_x509_certificate,
2545 backend
2546 )
2547 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2548 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2549 ).value
2550 assert nc == x509.NameConstraints(
2551 permitted_subtrees=[
2552 x509.DNSName(u"zombo.local"),
2553 ],
2554 excluded_subtrees=None
2555 )
2556
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2557 def test_permitted_with_leading_period(self, backend):
2558 cert = _load_cert(
2559 os.path.join(
2560 "x509", "custom", "nc_permitted.pem"
2561 ),
2562 x509.load_pem_x509_certificate,
2563 backend
2564 )
2565 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2566 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2567 ).value
2568 assert nc == x509.NameConstraints(
2569 permitted_subtrees=[
2570 x509.DNSName(u".cryptography.io"),
2571 x509.UniformResourceIdentifier(u"ftp://cryptography.test")
2572 ],
2573 excluded_subtrees=None
2574 )
2575
2576 def test_excluded_with_leading_period(self, backend):
2577 cert = _load_cert(
2578 os.path.join(
2579 "x509", "custom", "nc_excluded.pem"
2580 ),
2581 x509.load_pem_x509_certificate,
2582 backend
2583 )
2584 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2585 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrer42376832015-07-01 18:10:32 -0500[diff] [blame]2586 ).value
2587 assert nc == x509.NameConstraints(
2588 permitted_subtrees=None,
2589 excluded_subtrees=[
2590 x509.DNSName(u".cryptography.io"),
2591 x509.UniformResourceIdentifier(u"gopher://cryptography.test")
2592 ]
2593 )
2594
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2595 def test_permitted_excluded_with_ips(self, backend):
2596 cert = _load_cert(
2597 os.path.join(
2598 "x509", "custom", "nc_permitted_excluded.pem"
2599 ),
2600 x509.load_pem_x509_certificate,
2601 backend
2602 )
2603 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2604 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2605 ).value
2606 assert nc == x509.NameConstraints(
2607 permitted_subtrees=[
2608 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.0/24")),
2609 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")),
2610 ],
2611 excluded_subtrees=[
2612 x509.DNSName(u".domain.com"),
2613 x509.UniformResourceIdentifier(u"http://test.local"),
2614 ]
2615 )
2616
Paul Kehrera72ebaf2015-07-01 21:07:37 -0500[diff] [blame]2617 def test_single_ip_netmask(self, backend):
2618 cert = _load_cert(
2619 os.path.join(
2620 "x509", "custom", "nc_single_ip_netmask.pem"
2621 ),
2622 x509.load_pem_x509_certificate,
2623 backend
2624 )
2625 nc = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2626 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrera72ebaf2015-07-01 21:07:37 -0500[diff] [blame]2627 ).value
2628 assert nc == x509.NameConstraints(
2629 permitted_subtrees=[
2630 x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/128")),
2631 x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.1/32")),
2632 ],
2633 excluded_subtrees=None
2634 )
2635
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2636 def test_invalid_netmask(self, backend):
2637 cert = _load_cert(
2638 os.path.join(
2639 "x509", "custom", "nc_invalid_ip_netmask.pem"
2640 ),
2641 x509.load_pem_x509_certificate,
2642 backend
2643 )
2644 with pytest.raises(ValueError):
2645 cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2646 ExtensionOID.NAME_CONSTRAINTS
Paul Kehrercfb8aa22015-07-01 19:16:36 -0500[diff] [blame]2647 )
2648
Paul Kehrer870d7e82015-06-21 22:20:44 -0500[diff] [blame]2649
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2650class TestDistributionPoint(object):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2651 def test_distribution_point_full_name_not_general_names(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2652 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2653 x509.DistributionPoint(["notgn"], None, None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2654
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2655 def test_distribution_point_relative_name_not_name(self):
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2656 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2657 x509.DistributionPoint(None, "notname", None, None)
2658
2659 def test_distribution_point_full_and_relative_not_none(self):
2660 with pytest.raises(ValueError):
2661 x509.DistributionPoint("data", "notname", None, None)
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2662
2663 def test_crl_issuer_not_general_names(self):
2664 with pytest.raises(TypeError):
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2665 x509.DistributionPoint(None, None, None, ["notgn"])
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2666
2667 def test_reason_not_reasonflags(self):
2668 with pytest.raises(TypeError):
2669 x509.DistributionPoint(
2670 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2671 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2672 frozenset(["notreasonflags"]),
2673 None
2674 )
2675
2676 def test_reason_not_frozenset(self):
2677 with pytest.raises(TypeError):
2678 x509.DistributionPoint(
2679 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2680 None,
2681 [x509.ReasonFlags.ca_compromise],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2682 None
2683 )
2684
2685 def test_disallowed_reasons(self):
2686 with pytest.raises(ValueError):
2687 x509.DistributionPoint(
2688 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2689 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2690 frozenset([x509.ReasonFlags.unspecified]),
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2691 None
2692 )
2693
2694 with pytest.raises(ValueError):
2695 x509.DistributionPoint(
2696 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2697 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2698 frozenset([x509.ReasonFlags.remove_from_crl]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2699 None
2700 )
2701
2702 def test_reason_only(self):
2703 with pytest.raises(ValueError):
2704 x509.DistributionPoint(
2705 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2706 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2707 frozenset([x509.ReasonFlags.aa_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2708 None
2709 )
2710
2711 def test_eq(self):
2712 dp = x509.DistributionPoint(
2713 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2714 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2715 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2716 [
2717 x509.DirectoryName(
2718 x509.Name([
2719 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2720 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2721 )
2722 ])
2723 )
2724 ],
2725 )
2726 dp2 = x509.DistributionPoint(
2727 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2728 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2729 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2730 [
2731 x509.DirectoryName(
2732 x509.Name([
2733 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2734 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2735 )
2736 ])
2737 )
2738 ],
2739 )
2740 assert dp == dp2
2741
2742 def test_ne(self):
2743 dp = x509.DistributionPoint(
2744 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2745 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2746 frozenset([x509.ReasonFlags.superseded]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2747 [
2748 x509.DirectoryName(
2749 x509.Name([
2750 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2751 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2752 )
2753 ])
2754 )
2755 ],
2756 )
2757 dp2 = x509.DistributionPoint(
2758 [x509.UniformResourceIdentifier(u"http://crypt.og/crl")],
2759 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2760 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2761 None
2762 )
2763 assert dp != dp2
2764 assert dp != object()
2765
2766 def test_repr(self):
2767 dp = x509.DistributionPoint(
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2768 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2769 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2770 x509.NameAttribute(NameOID.COMMON_NAME, u"myCN")
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2771 ]),
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2772 frozenset([x509.ReasonFlags.ca_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2773 [
2774 x509.DirectoryName(
2775 x509.Name([
2776 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2777 NameOID.COMMON_NAME, u"Important CA"
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2778 )
2779 ])
2780 )
2781 ],
2782 )
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2783 if six.PY3:
2784 assert repr(dp) == (
2785 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2786 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordascoa908d692015-06-16 21:35:24 -0500[diff] [blame]2787 ">, value='myCN')>])>, reasons=frozenset({<ReasonFlags.ca_comp"
2788 "romise: 'cACompromise'>}), crl_issuer=[<DirectoryName(value=<"
2789 "Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name="
2790 "commonName)>, value='Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2791 )
2792 else:
2793 assert repr(dp) == (
2794 "<DistributionPoint(full_name=None, relative_name=<Name([<Name"
2795 "Attribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)"
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2796 ">, value=u'myCN')>])>, reasons=frozenset([<ReasonFlags.ca_com"
2797 "promise: 'cACompromise'>]), crl_issuer=[<DirectoryName(value="
2798 "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
2799 "=commonName)>, value=u'Important CA')>])>)>])>"
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2800 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2801
2802
2803class TestCRLDistributionPoints(object):
2804 def test_invalid_distribution_points(self):
2805 with pytest.raises(TypeError):
2806 x509.CRLDistributionPoints(["notadistributionpoint"])
2807
2808 def test_iter_len(self):
2809 cdp = x509.CRLDistributionPoints([
2810 x509.DistributionPoint(
2811 [x509.UniformResourceIdentifier(u"http://domain")],
2812 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2813 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2814 None
2815 ),
2816 x509.DistributionPoint(
2817 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2818 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2819 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2820 x509.ReasonFlags.key_compromise,
2821 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2822 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2823 None
2824 ),
2825 ])
2826 assert len(cdp) == 2
2827 assert list(cdp) == [
2828 x509.DistributionPoint(
2829 [x509.UniformResourceIdentifier(u"http://domain")],
2830 None,
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2831 None,
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2832 None
2833 ),
2834 x509.DistributionPoint(
2835 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2836 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2837 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2838 x509.ReasonFlags.key_compromise,
2839 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2840 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2841 None
2842 ),
2843 ]
2844
2845 def test_repr(self):
2846 cdp = x509.CRLDistributionPoints([
2847 x509.DistributionPoint(
2848 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2849 None,
Paul Kehrer96ef63c2015-05-09 21:17:04 -0500[diff] [blame]2850 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2851 None
2852 ),
2853 ])
Paul Kehrer749da3b2015-05-10 09:58:29 -0500[diff] [blame]2854 if six.PY3:
2855 assert repr(cdp) == (
2856 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2857 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2858 "ne, reasons=frozenset({<ReasonFlags.key_compromise: 'keyComp"
2859 "romise'>}), crl_issuer=None)>])>"
2860 )
2861 else:
2862 assert repr(cdp) == (
2863 "<CRLDistributionPoints([<DistributionPoint(full_name=[<Unifo"
2864 "rmResourceIdentifier(value=ftp://domain)>], relative_name=No"
2865 "ne, reasons=frozenset([<ReasonFlags.key_compromise: 'keyComp"
2866 "romise'>]), crl_issuer=None)>])>"
2867 )
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2868
2869 def test_eq(self):
2870 cdp = x509.CRLDistributionPoints([
2871 x509.DistributionPoint(
2872 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2873 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2874 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2875 x509.ReasonFlags.key_compromise,
2876 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2877 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2878 [x509.UniformResourceIdentifier(u"uri://thing")],
2879 ),
2880 ])
2881 cdp2 = x509.CRLDistributionPoints([
2882 x509.DistributionPoint(
2883 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2884 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2885 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2886 x509.ReasonFlags.key_compromise,
2887 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2888 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2889 [x509.UniformResourceIdentifier(u"uri://thing")],
2890 ),
2891 ])
2892 assert cdp == cdp2
2893
2894 def test_ne(self):
2895 cdp = x509.CRLDistributionPoints([
2896 x509.DistributionPoint(
2897 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2898 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2899 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2900 x509.ReasonFlags.key_compromise,
2901 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2902 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2903 [x509.UniformResourceIdentifier(u"uri://thing")],
2904 ),
2905 ])
2906 cdp2 = x509.CRLDistributionPoints([
2907 x509.DistributionPoint(
2908 [x509.UniformResourceIdentifier(u"ftp://domain2")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2909 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2910 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2911 x509.ReasonFlags.key_compromise,
2912 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2913 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2914 [x509.UniformResourceIdentifier(u"uri://thing")],
2915 ),
2916 ])
2917 cdp3 = x509.CRLDistributionPoints([
2918 x509.DistributionPoint(
2919 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2920 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2921 frozenset([x509.ReasonFlags.key_compromise]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2922 [x509.UniformResourceIdentifier(u"uri://thing")],
2923 ),
2924 ])
2925 cdp4 = x509.CRLDistributionPoints([
2926 x509.DistributionPoint(
2927 [x509.UniformResourceIdentifier(u"ftp://domain")],
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2928 None,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2929 frozenset([
Paul Kehrer4e8dacd2015-05-09 10:38:23 -0500[diff] [blame]2930 x509.ReasonFlags.key_compromise,
2931 x509.ReasonFlags.ca_compromise,
Paul Kehrer3fd02602015-05-09 19:46:13 -0500[diff] [blame]2932 ]),
Paul Kehrer5a485522015-05-06 00:29:12 -0500[diff] [blame]2933 [x509.UniformResourceIdentifier(u"uri://thing2")],
2934 ),
2935 ])
2936 assert cdp != cdp2
2937 assert cdp != cdp3
2938 assert cdp != cdp4
2939 assert cdp != object()
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2940
Paul Kehreree2e92d2015-12-27 17:29:37 -0600[diff] [blame^]2941 def test_indexing(self):
2942 ci = x509.CRLDistributionPoints([
2943 x509.DistributionPoint(
2944 None, None, None,
2945 [x509.UniformResourceIdentifier(u"uri://thing")],
2946 ),
2947 x509.DistributionPoint(
2948 None, None, None,
2949 [x509.UniformResourceIdentifier(u"uri://thing2")],
2950 ),
2951 x509.DistributionPoint(
2952 None, None, None,
2953 [x509.UniformResourceIdentifier(u"uri://thing3")],
2954 ),
2955 x509.DistributionPoint(
2956 None, None, None,
2957 [x509.UniformResourceIdentifier(u"uri://thing4")],
2958 ),
2959 x509.DistributionPoint(
2960 None, None, None,
2961 [x509.UniformResourceIdentifier(u"uri://thing5")],
2962 ),
2963 ])
2964 assert ci[-1] == ci[4]
2965 assert ci[2:6:2] == [ci[2], ci[4]]
2966
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2967
2968@pytest.mark.requires_backend_interface(interface=RSABackend)
2969@pytest.mark.requires_backend_interface(interface=X509Backend)
2970class TestCRLDistributionPointsExtension(object):
2971 def test_fullname_and_crl_issuer(self, backend):
2972 cert = _load_cert(
2973 os.path.join(
2974 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest28EE.crt"
2975 ),
2976 x509.load_der_x509_certificate,
2977 backend
2978 )
2979
2980 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]2981 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2982 ).value
2983
2984 assert cdps == x509.CRLDistributionPoints([
2985 x509.DistributionPoint(
2986 full_name=[x509.DirectoryName(
2987 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2988 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2989 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2990 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2991 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2992 ),
2993 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2994 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2995 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]2996 ),
2997 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]2998 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]2999 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3000 ),
3001 ])
3002 )],
3003 relative_name=None,
3004 reasons=None,
3005 crl_issuer=[x509.DirectoryName(
3006 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3007 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3008 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3009 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3010 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3011 ),
3012 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3013 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3014 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3015 ),
3016 ])
3017 )],
3018 )
3019 ])
3020
3021 def test_relativename_and_crl_issuer(self, backend):
3022 cert = _load_cert(
3023 os.path.join(
3024 "x509", "PKITS_data", "certs", "ValidcRLIssuerTest29EE.crt"
3025 ),
3026 x509.load_der_x509_certificate,
3027 backend
3028 )
3029
3030 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3031 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3032 ).value
3033
3034 assert cdps == x509.CRLDistributionPoints([
3035 x509.DistributionPoint(
3036 full_name=None,
3037 relative_name=x509.Name([
3038 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3039 NameOID.COMMON_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3040 u"indirect CRL for indirectCRL CA3"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3041 ),
3042 ]),
3043 reasons=None,
3044 crl_issuer=[x509.DirectoryName(
3045 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3046 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3047 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3048 NameOID.ORGANIZATION_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3049 u"Test Certificates 2011"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3050 ),
3051 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3052 NameOID.ORGANIZATIONAL_UNIT_NAME,
Ian Cordasco82fc3762015-06-16 20:59:50 -0500[diff] [blame]3053 u"indirectCRL CA3 cRLIssuer"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3054 ),
3055 ])
3056 )],
3057 )
3058 ])
3059
3060 def test_fullname_crl_issuer_reasons(self, backend):
3061 cert = _load_cert(
3062 os.path.join(
3063 "x509", "custom", "cdp_fullname_reasons_crl_issuer.pem"
3064 ),
3065 x509.load_pem_x509_certificate,
3066 backend
3067 )
3068
3069 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3070 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3071 ).value
3072
3073 assert cdps == x509.CRLDistributionPoints([
3074 x509.DistributionPoint(
3075 full_name=[x509.UniformResourceIdentifier(
3076 u"http://myhost.com/myca.crl"
3077 )],
3078 relative_name=None,
3079 reasons=frozenset([
3080 x509.ReasonFlags.key_compromise,
3081 x509.ReasonFlags.ca_compromise
3082 ]),
3083 crl_issuer=[x509.DirectoryName(
3084 x509.Name([
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3085 x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3086 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3087 NameOID.ORGANIZATION_NAME, u"PyCA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3088 ),
3089 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3090 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3091 ),
3092 ])
3093 )],
3094 )
3095 ])
3096
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3097 def test_all_reasons(self, backend):
3098 cert = _load_cert(
3099 os.path.join(
3100 "x509", "custom", "cdp_all_reasons.pem"
3101 ),
3102 x509.load_pem_x509_certificate,
3103 backend
3104 )
3105
3106 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3107 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3108 ).value
3109
3110 assert cdps == x509.CRLDistributionPoints([
3111 x509.DistributionPoint(
3112 full_name=[x509.UniformResourceIdentifier(
3113 u"http://domain.com/some.crl"
3114 )],
3115 relative_name=None,
3116 reasons=frozenset([
3117 x509.ReasonFlags.key_compromise,
3118 x509.ReasonFlags.ca_compromise,
3119 x509.ReasonFlags.affiliation_changed,
3120 x509.ReasonFlags.superseded,
3121 x509.ReasonFlags.privilege_withdrawn,
3122 x509.ReasonFlags.cessation_of_operation,
3123 x509.ReasonFlags.aa_compromise,
3124 x509.ReasonFlags.certificate_hold,
3125 ]),
3126 crl_issuer=None
3127 )
3128 ])
3129
3130 def test_single_reason(self, backend):
3131 cert = _load_cert(
3132 os.path.join(
3133 "x509", "custom", "cdp_reason_aa_compromise.pem"
3134 ),
3135 x509.load_pem_x509_certificate,
3136 backend
3137 )
3138
3139 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3140 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer594a2ed2015-05-12 23:27:32 -0500[diff] [blame]3141 ).value
3142
3143 assert cdps == x509.CRLDistributionPoints([
3144 x509.DistributionPoint(
3145 full_name=[x509.UniformResourceIdentifier(
3146 u"http://domain.com/some.crl"
3147 )],
3148 relative_name=None,
3149 reasons=frozenset([x509.ReasonFlags.aa_compromise]),
3150 crl_issuer=None
3151 )
3152 ])
3153
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3154 def test_crl_issuer_only(self, backend):
3155 cert = _load_cert(
3156 os.path.join(
3157 "x509", "custom", "cdp_crl_issuer.pem"
3158 ),
3159 x509.load_pem_x509_certificate,
3160 backend
3161 )
3162
3163 cdps = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3164 ExtensionOID.CRL_DISTRIBUTION_POINTS
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3165 ).value
3166
3167 assert cdps == x509.CRLDistributionPoints([
3168 x509.DistributionPoint(
3169 full_name=None,
3170 relative_name=None,
3171 reasons=None,
3172 crl_issuer=[x509.DirectoryName(
3173 x509.Name([
3174 x509.NameAttribute(
Paul Kehrereba19e62015-08-10 18:44:24 -0500[diff] [blame]3175 NameOID.COMMON_NAME, u"cryptography CA"
Paul Kehrer9a10d592015-05-10 14:55:51 -0500[diff] [blame]3176 ),
3177 ])
3178 )],
3179 )
3180 ])
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3181
Dominic Chen87bb9572015-10-09 00:23:07 -0400[diff] [blame]3182 def test_crl_empty_hostname(self, backend):
3183 cert = _load_cert(
3184 os.path.join(
3185 "x509", "custom", "cdp_empty_hostname.pem"
3186 ),
3187 x509.load_pem_x509_certificate,
3188 backend
3189 )
3190
3191 cdps = cert.extensions.get_extension_for_oid(
3192 ExtensionOID.CRL_DISTRIBUTION_POINTS
3193 ).value
3194
3195 assert cdps == x509.CRLDistributionPoints([
3196 x509.DistributionPoint(
3197 full_name=[x509.UniformResourceIdentifier(
3198 u"ldap:/CN=A,OU=B,dc=C,DC=D?E?F?G?H=I"
3199 )],
3200 relative_name=None,
3201 reasons=None,
3202 crl_issuer=None
3203 )
3204 ])
3205
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3206
Paul Kehrerf54a50b2015-06-17 18:31:26 -0600[diff] [blame]3207@pytest.mark.requires_backend_interface(interface=RSABackend)
3208@pytest.mark.requires_backend_interface(interface=X509Backend)
3209class TestOCSPNoCheckExtension(object):
3210 def test_nocheck(self, backend):
3211 cert = _load_cert(
3212 os.path.join(
3213 "x509", "custom", "ocsp_nocheck.pem"
3214 ),
3215 x509.load_pem_x509_certificate,
3216 backend
3217 )
3218 ext = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3219 ExtensionOID.OCSP_NO_CHECK
Paul Kehrerf54a50b2015-06-17 18:31:26 -0600[diff] [blame]3220 )
3221 assert isinstance(ext.value, x509.OCSPNoCheck)
3222
3223
Paul Kehrer16fae762015-05-01 23:14:20 -0500[diff] [blame]3224class TestInhibitAnyPolicy(object):
3225 def test_not_int(self):
3226 with pytest.raises(TypeError):
3227 x509.InhibitAnyPolicy("notint")
3228
3229 def test_negative_int(self):
3230 with pytest.raises(ValueError):
3231 x509.InhibitAnyPolicy(-1)
3232
3233 def test_repr(self):
3234 iap = x509.InhibitAnyPolicy(0)
3235 assert repr(iap) == "<InhibitAnyPolicy(skip_certs=0)>"
3236
3237 def test_eq(self):
3238 iap = x509.InhibitAnyPolicy(1)
3239 iap2 = x509.InhibitAnyPolicy(1)
3240 assert iap == iap2
3241
3242 def test_ne(self):
3243 iap = x509.InhibitAnyPolicy(1)
3244 iap2 = x509.InhibitAnyPolicy(4)
3245 assert iap != iap2
3246 assert iap != object()
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]3247
3248
3249@pytest.mark.requires_backend_interface(interface=RSABackend)
3250@pytest.mark.requires_backend_interface(interface=X509Backend)
3251class TestInhibitAnyPolicyExtension(object):
3252 def test_nocheck(self, backend):
3253 cert = _load_cert(
3254 os.path.join(
3255 "x509", "custom", "inhibit_any_policy_5.pem"
3256 ),
3257 x509.load_pem_x509_certificate,
3258 backend
3259 )
3260 iap = cert.extensions.get_extension_for_oid(
Paul Kehrerd44e4132015-08-10 19:13:13 -0500[diff] [blame]3261 ExtensionOID.INHIBIT_ANY_POLICY
Paul Kehrerca6ce992015-06-17 22:13:15 -0600[diff] [blame]3262 ).value
3263 assert iap.skip_certs == 5
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]3264
3265
3266@pytest.mark.requires_backend_interface(interface=RSABackend)
3267@pytest.mark.requires_backend_interface(interface=X509Backend)
Paul Kehrer1b7500f2015-08-01 20:56:27 +0100[diff] [blame]3268class TestInvalidExtension(object):
Paul Kehrera08693f2015-08-01 20:45:21 +0100[diff] [blame]3269 def test_invalid_certificate_policies_data(self, backend):
3270 cert = _load_cert(
3271 os.path.join(
3272 "x509", "custom", "cp_invalid.pem"
3273 ),
3274 x509.load_pem_x509_certificate,
3275 backend
3276 )
3277 with pytest.raises(ValueError):
3278 cert.extensions