authorNick Bastin <nick.bastin@gmail.com>2015-12-12 18:32:59 -0800
committerNick Bastin <nick.bastin@gmail.com>2015-12-12 18:32:59 -0800
commit1ebcd1c82a24502f51a1c14e6536928c65ae5406 (patch)
treedabc1bc988715340606cccd039c54b83e8ffd11b
parent06042de08fb9ff549b9c9cb7244e7f27ff57eece (diff)
Allow any OID for access_method, validate OIDs at creation time, fix tests.
-rw-r--r--src/cryptography/x509/extensions.py7
-rw-r--r--src/cryptography/x509/oid.py7
-rw-r--r--tests/test_x509.py54
-rw-r--r--tests/test_x509_ext.py19
4 files changed, 46 insertions, 41 deletions
diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py
index 46ba5a28..017e0989 100644
--- a/src/cryptography/x509/extensions.py
+++ b/src/cryptography/x509/extensions.py
@@ -238,11 +238,8 @@ class AuthorityInformationAccess(object):
class AccessDescription(object):
def __init__(self, access_method, access_location):
- if not (access_method == AuthorityInformationAccessOID.OCSP or
- access_method == AuthorityInformationAccessOID.CA_ISSUERS):
- raise ValueError(
- "access_method must be OID_OCSP or OID_CA_ISSUERS"
- )
+ if not isinstance(access_method, ObjectIdentifier):
+ raise TypeError("access_method must be an ObjectIdentifier")
if not isinstance(access_location, GeneralName):
raise TypeError("access_location must be a GeneralName")
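Review bot: With the OCSP/CA_ISSUERS allow-list removed from `AccessDescription.__init__`, nothing documents that an instance may now carry an arbitrary access method. Code that reads AuthorityInformationAccess entries and acts on `access_location` (for example to fetch an OCSP or issuer URL) has to compare `access_method` itself. I would add a comment above the new check such as `# Any OID is accepted here; consumers must check access_method before using access_location.` and state the same in the class documentation. If `AuthorityInformationAccessOID` is no longer referenced elsewhere in extensions.py, its import is now unused; that cannot be confirmed from this hunk. The rest of `__init__` lies outside the hunk.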
diff --git a/src/cryptography/x509/oid.py b/src/cryptography/x509/oid.py
index ead40169..977d770f 100644
--- a/src/cryptography/x509/oid.py
+++ b/src/cryptography/x509/oid.py
@@ -12,6 +12,13 @@ class ObjectIdentifier(object):
def __init__(self, dotted_string):
self._dotted_string = dotted_string
+ # Basic validation for being well-formed
+ for part in self._dotted_string.split("."):
+ try:
+ val = int(part, 0)
+ except ValueError:
+ raise ValueError("Malformed OID: %s" % (self._dotted_string))
+
def __eq__(self, other):
if not isinstance(other, ObjectIdentifier):
return NotImplemented
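Review bot: The well-formedness loop added to `ObjectIdentifier.__init__` is looser than its comment suggests, because `int(part, 0)` accepts any Python integer literal: `0x10`, `0b1`, a signed part such as `-1`, or a part with surrounding whitespace all pass, and so does a single arc such as `"1"`. Since `_dotted_string` is stored unchanged, differently spelled forms of one arc would be kept as distinct strings. A stricter check would be `if not re.match(r"^[0-9]+(\.[0-9]+)+\Z", dotted_string): raise ValueError("Malformed OID: %s" % dotted_string)` (needs `import re` at the top of the file), which also removes the unused `val`. A non-string argument currently fails with AttributeError from `.split`; an `isinstance` check raising TypeError would match the style used in `AccessDescription`. The `__eq__` body continues outside the hunk.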
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 0a1870d5..02201a37 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -3188,15 +3188,15 @@ class TestNameAttribute(object):
def test_init_bad_value(self):
with pytest.raises(TypeError):
x509.NameAttribute(
- x509.ObjectIdentifier('oid'),
+ x509.ObjectIdentifier('2.999.1'),
b'bytes'
)
def test_eq(self):
assert x509.NameAttribute(
- x509.ObjectIdentifier('oid'), u'value'
+ x509.ObjectIdentifier('2.999.1'), u'value'
) == x509.NameAttribute(
- x509.ObjectIdentifier('oid'), u'value'
+ x509.ObjectIdentifier('2.999.1'), u'value'
)
def test_ne(self):
@@ -3206,12 +3206,12 @@ class TestNameAttribute(object):
x509.ObjectIdentifier('2.5.4.5'), u'value'
)
assert x509.NameAttribute(
- x509.ObjectIdentifier('oid'), u'value'
+ x509.ObjectIdentifier('2.999.1'), u'value'
) != x509.NameAttribute(
- x509.ObjectIdentifier('oid'), u'value2'
+ x509.ObjectIdentifier('2.999.1'), u'value2'
)
assert x509.NameAttribute(
- x509.ObjectIdentifier('oid'), u'value'
+ x509.ObjectIdentifier('2.999.2'), u'value'
) != object()
def test_repr(self):
@@ -3230,64 +3230,64 @@ class TestNameAttribute(object):
class TestObjectIdentifier(object):
def test_eq(self):
- oid1 = x509.ObjectIdentifier('oid')
- oid2 = x509.ObjectIdentifier('oid')
+ oid1 = x509.ObjectIdentifier('2.999.1')
+ oid2 = x509.ObjectIdentifier('2.999.1')
assert oid1 == oid2
def test_ne(self):
- oid1 = x509.ObjectIdentifier('oid')
- assert oid1 != x509.ObjectIdentifier('oid1')
+ oid1 = x509.ObjectIdentifier('2.999.1')
+ assert oid1 != x509.ObjectIdentifier('2.999.2')
assert oid1 != object()
def test_repr(self):
oid = x509.ObjectIdentifier("2.5.4.3")
assert repr(oid) == "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>"
- oid = x509.ObjectIdentifier("oid1")
- assert repr(oid) == "<ObjectIdentifier(oid=oid1, name=Unknown OID)>"
+ oid = x509.ObjectIdentifier("2.999.1")
+ assert repr(oid) == "<ObjectIdentifier(oid=2.999.1, name=Unknown OID)>"
def test_name_property(self):
oid = x509.ObjectIdentifier("2.5.4.3")
assert oid._name == 'commonName'
- oid = x509.ObjectIdentifier("oid1")
+ oid = x509.ObjectIdentifier("2.999.1")
assert oid._name == 'Unknown OID'
class TestName(object):
def test_eq(self):
name1 = x509.Name([
- x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
- x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
+ x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
+ x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
])
name2 = x509.Name([
- x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
- x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
+ x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
+ x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
])
assert name1 == name2
def test_ne(self):
name1 = x509.Name([
- x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
- x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
+ x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
+ x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
])
name2 = x509.Name([
- x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
- x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
+ x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
+ x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
])
assert name1 != name2
assert name1 != object()
def test_hash(self):
name1 = x509.Name([
- x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
- x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
+ x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
+ x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
])
name2 = x509.Name([
- x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
- x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
+ x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
+ x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
])
name3 = x509.Name([
- x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
- x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
+ x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
+ x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
])
assert hash(name1) == hash(name2)
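Review bot: None of the visible changes in tests/test_x509.py exercises the validation this commit adds to `ObjectIdentifier`; the hunks only swap the placeholder strings for `2.999.x` arcs. `TestObjectIdentifier` would be the place for a negative case, for example `with pytest.raises(ValueError): x509.ObjectIdentifier("notanoid")`. Cases for an empty string and a trailing dot would pin down the accepted grammar, so a later tightening or loosening of the check shows up as a test failure.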
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index 8f469366..8cbce10b 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -603,8 +603,8 @@ class TestAuthorityKeyIdentifier(object):
def test_authority_cert_serial_number_not_integer(self):
dirname = x509.DirectoryName(
x509.Name([
- x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
- x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
+ x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
+ x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
])
)
with pytest.raises(TypeError):
@@ -617,8 +617,8 @@ class TestAuthorityKeyIdentifier(object):
def test_authority_issuer_not_none_serial_none(self):
dirname = x509.DirectoryName(
x509.Name([
- x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'),
- x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'),
+ x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'),
+ x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'),
])
)
with pytest.raises(ValueError):
@@ -1166,10 +1166,10 @@ class TestDirectoryName(object):
def test_eq(self):
name = x509.Name([
- x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1')
+ x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
])
name2 = x509.Name([
- x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1')
+ x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
])
gn = x509.DirectoryName(x509.Name([name]))
gn2 = x509.DirectoryName(x509.Name([name2]))
@@ -1177,10 +1177,10 @@ class TestDirectoryName(object):
def test_ne(self):
name = x509.Name([
- x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1')
+ x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1')
])
name2 = x509.Name([
- x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value2')
+ x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2')
])
gn = x509.DirectoryName(x509.Name([name]))
gn2 = x509.DirectoryName(x509.Name([name2]))
@@ -1848,7 +1848,8 @@ class TestExtendedKeyUsageExtension(object):
class TestAccessDescription(object):
def test_invalid_access_method(self):
- with pytest.raises(ValueError):
+ # access_method can be *any* valid OID
+ with pytest.raises(TypeError):
x509.AccessDescription("notanoid", x509.DNSName(u"test"))
def test_invalid_access_location(self):
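Review bot: `test_invalid_access_method` now covers only a non-ObjectIdentifier argument, so the behaviour the commit title announces (any OID is accepted as `access_method`) is not asserted in the visible hunks. A positive case such as `x509.AccessDescription(x509.ObjectIdentifier("2.999.1"), x509.DNSName(u"test"))` would pin it. The added comment would be more precise as `# access_method may be any ObjectIdentifier; only the type is checked`, since the string passed here fails on its type rather than on OID validity.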