diff options
| author | Paul Kehrer <paul.l.kehrer@gmail.com> | 2017-10-11 08:11:44 +0800 |
|---|---|---|
| committer | Alex Gaynor <alex.gaynor@gmail.com> | 2017-10-10 20:11:44 -0400 |
| commit | ed32105be8daa27d39e5ef1f26e3f7bc672a7939 (patch) | |
| tree | f47159bbb207cb68a963420e5500e8c8627d5cb3 /tests/x509/test_x509.py | |
| parent | 003f56fbd7fe676f6b6bd0a52bbf83f040b4a168 (diff) | |
| download | cryptography-ed32105be8daa27d39e5ef1f26e3f7bc672a7939.tar.gz cryptography-ed32105be8daa27d39e5ef1f26e3f7bc672a7939.tar.bz2 cryptography-ed32105be8daa27d39e5ef1f26e3f7bc672a7939.zip | |
Backwards incompatible change to DNSName (#3951)
* Backwards incompatible change to DNSName
During this release cycle we decided to officially deprecate passing
U-labels to our GeneralName constructors. At first we tried changing
this in a purely backwards compatible way but get_values_for_type made
that untenable. This PR modifies DNSName to take three different types.
U-label strings (which raises a deprecation warning), A-label strings
(the new preferred type), and bytes (which are assumed to be decodable
to unicode strings). The latter, while supported, is primarily intended
for use by our parser and allows us to return the actual encoded data in
a certificate even if it has not been properly encoded to A-label before
the certificate is created. (Of course, if the certificate contains
invalid utf8 sequences this will still fail, but let's handle one
catastrophic failure at a time).
* coverage
* don't delete that asterisk from a test. it does things.
* no bytes in DNSName. Private constructor for bypassing validation
* test unicode in dnsname (yuck)
* fix docs
* empty commit, you disappoint me codecov
* CI is the worst
Diffstat (limited to 'tests/x509/test_x509.py')
| -rw-r--r-- | tests/x509/test_x509.py | 55 |
1 files changed, 38 insertions, 17 deletions
diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index 0ce0a632..afe1c0e9 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py @@ -226,7 +226,7 @@ class TestCertificateRevocationList(object): assert aia.value == x509.AuthorityInformationAccess([ x509.AccessDescription( AuthorityInformationAccessOID.CA_ISSUERS, - x509.DNSName(b"cryptography.io") + x509.DNSName(u"cryptography.io") ) ]) assert ian.value == x509.IssuerAlternativeName([ @@ -777,6 +777,24 @@ class TestRSACertificate(object): ) ] + def test_non_ascii_dns_name(self, backend): + cert = _load_cert( + os.path.join("x509", "utf8-dnsname.pem"), + x509.load_pem_x509_certificate, + backend + ) + san = cert.extensions.get_extension_for_class( + x509.SubjectAlternativeName + ).value + + names = san.get_values_for_type(x509.DNSName) + + assert names == [ + u'partner.biztositas.hu', u'biztositas.hu', u'*.biztositas.hu', + u'biztos\xedt\xe1s.hu', u'*.biztos\xedt\xe1s.hu', + u'xn--biztosts-fza2j.hu', u'*.xn--biztosts-fza2j.hu' + ] + def test_all_subject_name_types(self, backend): cert = _load_cert( os.path.join( @@ -1243,8 +1261,8 @@ class TestRSACertificateRequest(object): ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) assert list(ext.value) == [ - x509.DNSName(b"cryptography.io"), - x509.DNSName(b"sub.cryptography.io"), + x509.DNSName(u"cryptography.io"), + x509.DNSName(u"sub.cryptography.io"), ] def test_public_bytes_pem(self, backend): @@ -1472,7 +1490,7 @@ class TestRSACertificateRequest(object): ).add_extension( x509.BasicConstraints(ca=False, path_length=None), True, ).add_extension( - x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]), + x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]), critical=False, ).not_valid_before( not_valid_before @@ -1494,7 +1512,7 @@ class TestRSACertificateRequest(object): ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) assert list(subject_alternative_name.value) == [ - x509.DNSName(b"cryptography.io"), + x509.DNSName(u"cryptography.io"), ] def test_build_cert_private_type_encoding(self, backend): @@ -2122,7 +2140,7 @@ class TestCertificateBuilder(object): ).add_extension( x509.BasicConstraints(ca=False, path_length=None), True, ).add_extension( - x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]), + x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]), critical=False, ).not_valid_before( not_valid_before @@ -2144,7 +2162,7 @@ class TestCertificateBuilder(object): ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) assert list(subject_alternative_name.value) == [ - x509.DNSName(b"cryptography.io"), + x509.DNSName(u"cryptography.io"), ] @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) @@ -2168,7 +2186,7 @@ class TestCertificateBuilder(object): ).add_extension( x509.BasicConstraints(ca=False, path_length=None), True, ).add_extension( - x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]), + x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]), critical=False, ).not_valid_before( not_valid_before @@ -2190,7 +2208,7 @@ class TestCertificateBuilder(object): ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) assert list(subject_alternative_name.value) == [ - x509.DNSName(b"cryptography.io"), + x509.DNSName(u"cryptography.io"), ] @pytest.mark.requires_backend_interface(interface=RSABackend) @@ -2224,6 +2242,9 @@ class TestCertificateBuilder(object): @pytest.mark.parametrize( "add_ext", [ + x509.SubjectAlternativeName( + [x509.DNSName._init_without_validation(u'a\xedt\xe1s.test')] + ), x509.CertificatePolicies([ x509.PolicyInformation( x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"), @@ -2279,7 +2300,7 @@ class TestCertificateBuilder(object): ) ]), x509.IssuerAlternativeName([ - x509.DNSName(b"myissuer"), + x509.DNSName(u"myissuer"), x509.RFC822Name(u"email@domain.com"), ]), x509.ExtendedKeyUsage([ @@ -2308,7 +2329,7 @@ class TestCertificateBuilder(object): ipaddress.IPv6Network(u"FF:FF:0:0:0:0:0:0/128") ), ], - excluded_subtrees=[x509.DNSName(b"name.local")] + excluded_subtrees=[x509.DNSName(u"name.local")] ), x509.NameConstraints( permitted_subtrees=[ @@ -2318,7 +2339,7 @@ class TestCertificateBuilder(object): ), x509.NameConstraints( permitted_subtrees=None, - excluded_subtrees=[x509.DNSName(b"name.local")] + excluded_subtrees=[x509.DNSName(u"name.local")] ), x509.PolicyConstraints( require_explicit_policy=None, @@ -2847,7 +2868,7 @@ class TestCertificateSigningRequestBuilder(object): x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ]) ).add_extension( - x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]), + x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]), critical=False, ).add_extension( DummyExtension(), False @@ -2933,7 +2954,7 @@ class TestCertificateSigningRequestBuilder(object): request = builder.subject_name( x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) ).add_extension( - x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]), + x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]), critical=False, ).add_extension( x509.BasicConstraints(ca=True, path_length=2), critical=True @@ -2950,7 +2971,7 @@ class TestCertificateSigningRequestBuilder(object): ext = request.extensions.get_extension_for_oid( ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) - assert list(ext.value) == [x509.DNSName(b"cryptography.io")] + assert list(ext.value) == [x509.DNSName(u"cryptography.io")] def test_set_subject_twice(self): builder = x509.CertificateSigningRequestBuilder() @@ -2970,8 +2991,8 @@ class TestCertificateSigningRequestBuilder(object): private_key = RSA_KEY_2048.private_key(backend) san = x509.SubjectAlternativeName([ - x509.DNSName(b"example.com"), - x509.DNSName(b"*.example.com"), + x509.DNSName(u"example.com"), + x509.DNSName(u"*.example.com"), x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")), x509.DirectoryName(x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'), |