Merge pull request #1940 from reaperhulk/x509-ossl-cp

support certificate policies in the openssl backend

1 files changed, 94 insertions, 0 deletions

diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index 701ea167..2852776b 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -235,6 +235,100 @@ class TestCertificatePolicies(object):
         assert cp != object()
 
 
+@pytest.mark.requires_backend_interface(interface=RSABackend)
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestCertificatePoliciesExtension(object):
+    def test_cps_uri_policy_qualifier(self, backend):
+        cert = _load_cert(
+            os.path.join("x509", "custom", "cp_cps_uri.pem"),
+            x509.load_pem_x509_certificate,
+            backend
+        )
+
+        cp = cert.extensions.get_extension_for_oid(
+            x509.OID_CERTIFICATE_POLICIES
+        ).value
+
+        assert cp == x509.CertificatePolicies([
+            x509.PolicyInformation(
+                x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
+                [u"http://other.com/cps"]
+            )
+        ])
+
+    def test_user_notice_with_notice_reference(self, backend):
+        cert = _load_cert(
+            os.path.join(
+                "x509", "custom", "cp_user_notice_with_notice_reference.pem"
+            ),
+            x509.load_pem_x509_certificate,
+            backend
+        )
+
+        cp = cert.extensions.get_extension_for_oid(
+            x509.OID_CERTIFICATE_POLICIES
+        ).value
+
+        assert cp == x509.CertificatePolicies([
+            x509.PolicyInformation(
+                x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
+                [
+                    u"http://example.com/cps",
+                    u"http://other.com/cps",
+                    x509.UserNotice(
+                        x509.NoticeReference(u"my org", [1, 2, 3, 4]),
+                        u"thing"
+                    )
+                ]
+            )
+        ])
+
+    def test_user_notice_with_explicit_text(self, backend):
+        cert = _load_cert(
+            os.path.join(
+                "x509", "custom", "cp_user_notice_with_explicit_text.pem"
+            ),
+            x509.load_pem_x509_certificate,
+            backend
+        )
+
+        cp = cert.extensions.get_extension_for_oid(
+            x509.OID_CERTIFICATE_POLICIES
+        ).value
+
+        assert cp == x509.CertificatePolicies([
+            x509.PolicyInformation(
+                x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
+                [x509.UserNotice(None, u"thing")]
+            )
+        ])
+
+    def test_user_notice_no_explicit_text(self, backend):
+        cert = _load_cert(
+            os.path.join(
+                "x509", "custom", "cp_user_notice_no_explicit_text.pem"
+            ),
+            x509.load_pem_x509_certificate,
+            backend
+        )
+
+        cp = cert.extensions.get_extension_for_oid(
+            x509.OID_CERTIFICATE_POLICIES
+        ).value
+
+        assert cp == x509.CertificatePolicies([
+            x509.PolicyInformation(
+                x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
+                [
+                    x509.UserNotice(
+                        x509.NoticeReference(u"my org", [1, 2, 3, 4]),
+                        None
+                    )
+                ]
+            )
+        ])
+
+
 class TestKeyUsage(object):
     def test_key_agreement_false_encipher_decipher_true(self):
         with pytest.raises(ValueError):