-rw-r--r-- | CHANGELOG.rst | 2 | ||||
-rw-r--r-- | docs/x509/reference.rst | 446 | ||||
-rw-r--r-- | docs/x509/tutorial.rst | 11 | ||||
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/backend.py | 23 | ||||
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/x509.py | 31 | ||||
-rw-r--r-- | src/cryptography/x509/__init__.py | 64 | ||||
-rw-r--r-- | src/cryptography/x509/base.py | 899 | ||||
-rw-r--r-- | src/cryptography/x509/extensions.py | 912 | ||||
-rw-r--r-- | src/cryptography/x509/oid.py | 61 | ||||
-rw-r--r-- | tests/test_x509.py | 475 | ||||
-rw-r--r-- | tests/test_x509_ext.py | 279 |
11 files changed, 1636 insertions, 1567 deletions
diff --git a/CHANGELOG.rst b/CHANGELOG.rst index f06aea07..99c0884a 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -50,6 +50,8 @@ Changelog * :class:`~cryptography.x509.AuthorityInformationAccess` * :class:`~cryptography.x509.CRLDistributionPoints` * :class:`~cryptography.x509.InhibitAnyPolicy` + * :class:`~cryptography.x509.IssuerAlternativeName` + * :class:`~cryptography.x509.OCSPNoCheck` * Add support for creating certificate signing requests with :class:`~cryptography.x509.CertificateSigningRequestBuilder`. This includes diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst index d86ebbe8..8d5d6a6f 100644 --- a/docs/x509/reference.rst +++ b/docs/x509/reference.rst @@ -401,6 +401,7 @@ X.509 Certificate Builder >>> from cryptography.hazmat.backends import default_backend >>> from cryptography.hazmat.primitives import hashes >>> from cryptography.hazmat.primitives.asymmetric import rsa + >>> from cryptography.x509.oid import NameOID >>> import datetime >>> import uuid >>> one_day = datetime.timedelta(1, 0, 0) @@ -416,10 +417,10 @@ X.509 Certificate Builder ... ).public_key() >>> builder = x509.CertificateBuilder() >>> builder = builder.subject_name(x509.Name([ - ... x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), + ... x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), ... ])) >>> builder = builder.issuer_name(x509.Name([ - ... x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), + ... x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), ... ])) >>> builder = builder.not_valid_before(datetime.datetime.today() - one_day) >>> builder = builder.not_valid_after(datetime.datetime(2018, 8, 2)) 
@@ -634,6 +635,7 @@ X.509 CSR (Certificate Signing Request) Builder Object >>> from cryptography.hazmat.backends import default_backend >>> from cryptography.hazmat.primitives import hashes >>> from cryptography.hazmat.primitives.asymmetric import rsa + >>> from cryptography.x509.oid import NameOID >>> private_key = rsa.generate_private_key( ... public_exponent=65537, ... key_size=2048, @@ -641,7 +643,7 @@ X.509 CSR (Certificate Signing Request) Builder Object ... ) >>> builder = x509.CertificateSigningRequestBuilder() >>> builder = builder.subject_name(x509.Name([ - ... x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), + ... x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), ... ])) >>> builder = builder.add_extension( ... x509.BasicConstraints(ca=False, path_length=None), critical=True, @@ -720,7 +722,7 @@ X.509 CSR (Certificate Signing Request) Builder Object .. doctest:: - >>> cert.subject.get_attributes_for_oid(x509.OID_COMMON_NAME) + >>> cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) [<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'Good CA')>] .. class:: Version @@ -883,7 +885,8 @@ X.509 Extensions .. doctest:: - >>> cert.extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS) + >>> from cryptography.x509.oid import ExtensionOID + >>> cert.extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS) <Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConstraints)>, critical=True, value=<BasicConstraints(ca=True, path_length=None)>)> .. class:: Extension @@ -894,7 +897,7 @@ X.509 Extensions :type: :class:`ObjectIdentifier` - The :ref:`extension OID <extension_oids>`. + One of the :class:`~cryptography.x509.oid.ExtensionOID` OIDs. .. attribute:: critical @@ -930,7 +933,7 @@ X.509 Extensions :type: :class:`ObjectIdentifier` - Returns :data:`OID_KEY_USAGE`. + Returns :attr:`~cryptography.x509.oid.ExtensionOID.KEY_USAGE`. .. attribute:: digital_signature 
@@ -1029,7 +1032,7 @@ X.509 Extensions :type: :class:`ObjectIdentifier` - Returns :data:`OID_BASIC_CONSTRAINTS`. + Returns :attr:`~cryptography.x509.oid.ExtensionOID.BASIC_CONSTRAINTS`. .. attribute:: ca @@ -1057,7 +1060,8 @@ X.509 Extensions This extension indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension. The object is - iterable to obtain the list of :ref:`extended key usage OIDs <eku_oids>`. + iterable to obtain the list of + :class:`~cryptography.x509.oid.ExtendedKeyUsageOID` OIDs present. .. attribute:: oid @@ -1065,7 +1069,7 @@ X.509 Extensions :type: :class:`ObjectIdentifier` - Returns :data:`OID_EXTENDED_KEY_USAGE`. + Returns :attr:`~cryptography.x509.oid.ExtensionOID.EXTENDED_KEY_USAGE`. .. class:: OCSPNoCheck @@ -1087,7 +1091,7 @@ X.509 Extensions :type: :class:`ObjectIdentifier` - Returns :data:`OID_OCSP_NO_CHECK`. + Returns :attr:`~cryptography.x509.oid.ExtensionOID.OCSP_NO_CHECK`. .. class:: NameConstraints @@ -1104,7 +1108,7 @@ X.509 Extensions :type: :class:`ObjectIdentifier` - Returns :data:`OID_NAME_CONSTRAINTS`. + Returns :attr:`~cryptography.x509.oid.ExtensionOID.NAME_CONSTRAINTS`. .. attribute:: permitted_subtrees @@ -1139,7 +1143,8 @@ X.509 Extensions :type: :class:`ObjectIdentifier` - Returns :data:`OID_AUTHORITY_KEY_IDENTIFIER`. + Returns + :attr:`~cryptography.x509.oid.ExtensionOID.AUTHORITY_KEY_IDENTIFIER`. .. attribute:: key_identifier @@ -1204,7 +1209,8 @@ X.509 Extensions :type: :class:`ObjectIdentifier` - Returns :data:`OID_SUBJECT_KEY_IDENTIFIER`. + Returns + :attr:`~cryptography.x509.oid.ExtensionOID.SUBJECT_KEY_IDENTIFIER`. .. attribute:: digest @@ -1252,7 +1258,8 @@ X.509 Extensions :type: :class:`ObjectIdentifier` - Returns :data:`OID_SUBJECT_ALTERNATIVE_NAME`. + Returns + :attr:`~cryptography.x509.oid.ExtensionOID.SUBJECT_ALTERNATIVE_NAME`. .. method:: get_values_for_type(type) 
@@ -1269,7 +1276,7 @@ X.509 Extensions >>> from cryptography.hazmat.primitives import hashes >>> cert = x509.load_pem_x509_certificate(cryptography_cert_pem, default_backend()) >>> # Get the subjectAltName extension from the certificate - >>> ext = cert.extensions.get_extension_for_oid(x509.OID_SUBJECT_ALTERNATIVE_NAME) + >>> ext = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME) >>> # Get the dNSName entries from the SAN extension >>> ext.value.get_values_for_type(x509.DNSName) [u'www.cryptography.io', u'cryptography.io'] @@ -1290,7 +1297,8 @@ X.509 Extensions :type: :class:`ObjectIdentifier` - Returns :data:`OID_ISSUER_ALTERNATIVE_NAME`. + Returns + :attr:`~cryptography.x509.oid.ExtensionOID.ISSUER_ALTERNATIVE_NAME`. .. method:: get_values_for_type(type) @@ -1308,7 +1316,8 @@ X.509 Extensions information and services for the issuer of the certificate in which the extension appears. Information and services may include online validation services (such as OCSP) and issuer data. It is an iterable, - containing one or more :class:`AccessDescription` instances. + containing one or more :class:`~cryptography.x509.AccessDescription` + instances. .. attribute:: oid @@ -1316,7 +1325,8 @@ X.509 Extensions :type: :class:`ObjectIdentifier` - Returns :data:`OID_AUTHORITY_INFORMATION_ACCESS`. + Returns + :attr:`~cryptography.x509.oid.ExtensionOID.AUTHORITY_INFORMATION_ACCESS`. .. class:: AccessDescription 
@@ -1328,11 +1338,16 @@ X.509 Extensions :type: :class:`ObjectIdentifier` The access method defines what the ``access_location`` means. It must - be either :data:`OID_OCSP` or :data:`OID_CA_ISSUERS`. If it is - :data:`OID_OCSP` the access location will be where to obtain OCSP - information for the certificate. If it is :data:`OID_CA_ISSUERS` the - access location will provide additional information about the issuing - certificate. + be either + :attr:`~cryptography.x509.oid.AuthorityInformationAccessOID.OCSP` or + :attr:`~cryptography.x509.oid.AuthorityInformationAccessOID.CA_ISSUERS`. + If it is + :attr:`~cryptography.x509.oid.AuthorityInformationAccessOID.OCSP` + the access location will be where to obtain OCSP + information for the certificate. If it is + :attr:`~cryptography.x509.oid.AuthorityInformationAccessOID.CA_ISSUERS` + the access location will provide additional information about the + issuing certificate. .. attribute:: access_location @@ -1354,7 +1369,8 @@ X.509 Extensions :type: :class:`ObjectIdentifier` - Returns :data:`OID_CRL_DISTRIBUTION_POINTS`. + Returns + :attr:`~cryptography.x509.oid.ExtensionOID.CRL_DISTRIBUTION_POINTS`. .. class:: DistributionPoint 
@@ -1445,14 +1461,16 @@ X.509 Extensions .. versionadded:: 1.0 The inhibit ``anyPolicy`` extension indicates that the special OID - :data:`OID_ANY_POLICY`, is not considered an explicit match for other - :class:`CertificatePolicies` except when it appears in an intermediate - self-issued CA certificate. The value indicates the number of additional - non-self-issued certificates that may appear in the path before - :data:`OID_ANY_POLICY` is no longer permitted. For example, a value - of one indicates that :data:`OID_ANY_POLICY` may be processed in - certificates issued by the subject of this certificate, but not in - additional certificates in the path. + :attr:`~cryptography.x509.oid.CertificatePoliciesOID.ANY_POLICY`, is not + considered an explicit match for other :class:`CertificatePolicies` except + when it appears in an intermediate self-issued CA certificate. The value + indicates the number of additional non-self-issued certificates that may + appear in the path before + :attr:`~cryptography.x509.oid.CertificatePoliciesOID.ANY_POLICY` is no + longer permitted. For example, a value of one indicates that + :attr:`~cryptography.x509.oid.CertificatePoliciesOID.ANY_POLICY` may be + processed in certificates issued by the subject of this certificate, but + not in additional certificates in the path. .. attribute:: oid @@ -1460,7 +1478,8 @@ X.509 Extensions :type: :class:`ObjectIdentifier` - Returns :data:`OID_INHIBIT_ANY_POLICY`. + Returns + :attr:`~cryptography.x509.oid.ExtensionOID.INHIBIT_ANY_POLICY`. .. attribute:: skip_certs @@ -1479,7 +1498,8 @@ X.509 Extensions :type: :class:`ObjectIdentifier` - Returns :data:`OID_CERTIFICATE_POLICIES`. + Returns + :attr:`~cryptography.x509.oid.ExtensionOID.CERTIFICATE_POLICIES`. Certificate Policies Classes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -1555,297 +1575,303 @@ Object Identifiers X.509 elements are frequently identified by :class:`ObjectIdentifier` instances. The following common OIDs are available as constants. -Name OIDs -~~~~~~~~~ +.. currentmodule:: cryptography.x509.oid -.. data:: OID_COMMON_NAME +.. class:: NameOID - Corresponds to the dotted string ``"2.5.4.3"``. Historically the domain - name would be encoded here for server certificates. :rfc:`2818` deprecates - this practice and names of that type should now be located in a - SubjectAlternativeName extension. This OID is typically seen in X.509 names. + These OIDs are typically seen in X.509 names. -.. data:: OID_COUNTRY_NAME + .. versionadded:: 1.0 - Corresponds to the dotted string ``"2.5.4.6"``. This OID is typically seen - in X.509 names. + .. attribute:: COMMON_NAME -.. data:: OID_LOCALITY_NAME + Corresponds to the dotted string ``"2.5.4.3"``. Historically the domain + name would be encoded here for server certificates. :rfc:`2818` + deprecates this practice and names of that type should now be located + in a :class:`~cryptography.x509.SubjectAlternativeName` extension. - Corresponds to the dotted string ``"2.5.4.7"``. This OID is typically seen - in X.509 names. + .. attribute:: COUNTRY_NAME -.. data:: OID_STATE_OR_PROVINCE_NAME + Corresponds to the dotted string ``"2.5.4.6"``. - Corresponds to the dotted string ``"2.5.4.8"``. This OID is typically seen - in X.509 names. + .. attribute:: LOCALITY_NAME -.. data:: OID_ORGANIZATION_NAME + Corresponds to the dotted string ``"2.5.4.7"``. - Corresponds to the dotted string ``"2.5.4.10"``. This OID is typically seen - in X.509 names. + .. attribute:: STATE_OR_PROVINCE_NAME -.. data:: OID_ORGANIZATIONAL_UNIT_NAME + Corresponds to the dotted string ``"2.5.4.8"``. - Corresponds to the dotted string ``"2.5.4.11"``. This OID is typically seen - in X.509 names. + .. attribute:: ORGANIZATION_NAME -.. data:: OID_SERIAL_NUMBER + Corresponds to the dotted string ``"2.5.4.10"``. 
- Corresponds to the dotted string ``"2.5.4.5"``. This is distinct from the - serial number of the certificate itself (which can be obtained with - :func:`Certificate.serial`). This OID is typically seen in X.509 names. + .. attribute:: ORGANIZATIONAL_UNIT_NAME -.. data:: OID_SURNAME + Corresponds to the dotted string ``"2.5.4.11"``. - Corresponds to the dotted string ``"2.5.4.4"``. This OID is typically seen - in X.509 names. + .. attribute:: SERIAL_NUMBER -.. data:: OID_GIVEN_NAME + Corresponds to the dotted string ``"2.5.4.5"``. This is distinct from + the serial number of the certificate itself (which can be obtained with + :func:`~cryptography.x509.Certificate.serial`). - Corresponds to the dotted string ``"2.5.4.42"``. This OID is typically seen - in X.509 names. + .. attribute:: SURNAME -.. data:: OID_TITLE + Corresponds to the dotted string ``"2.5.4.4"``. - Corresponds to the dotted string ``"2.5.4.12"``. This OID is typically seen - in X.509 names. + .. attribute:: GIVEN_NAME -.. data:: OID_GENERATION_QUALIFIER + Corresponds to the dotted string ``"2.5.4.42"``. - Corresponds to the dotted string ``"2.5.4.44"``. This OID is typically seen - in X.509 names. + .. attribute:: TITLE -.. data:: OID_DN_QUALIFIER + Corresponds to the dotted string ``"2.5.4.12"``. - Corresponds to the dotted string ``"2.5.4.46"``. This specifies - disambiguating information to add to the relative distinguished name of an - entry. See :rfc:`2256`. This OID is typically seen in X.509 names. + .. attribute:: GENERATION_QUALIFIER -.. data:: OID_PSEUDONYM + Corresponds to the dotted string ``"2.5.4.44"``. - Corresponds to the dotted string ``"2.5.4.65"``. This OID is typically seen - in X.509 names. + .. attribute:: DN_QUALIFIER -.. data:: OID_DOMAIN_COMPONENT + Corresponds to the dotted string ``"2.5.4.46"``. This specifies + disambiguating information to add to the relative distinguished name of an + entry. See :rfc:`2256`. 
- Corresponds to the dotted string ``"0.9.2342.19200300.100.1.25"``. A string - holding one component of a domain name. See :rfc:`4519`. This OID is - typically seen in X.509 names. + .. attribute:: PSEUDONYM -.. data:: OID_EMAIL_ADDRESS + Corresponds to the dotted string ``"2.5.4.65"``. - Corresponds to the dotted string ``"1.2.840.113549.1.9.1"``. This OID is - typically seen in X.509 names. + .. attribute:: DOMAIN_COMPONENT -Signature Algorithm OIDs -~~~~~~~~~~~~~~~~~~~~~~~~ + Corresponds to the dotted string ``"0.9.2342.19200300.100.1.25"``. A string + holding one component of a domain name. See :rfc:`4519`. + + .. attribute:: EMAIL_ADDRESS + + Corresponds to the dotted string ``"1.2.840.113549.1.9.1"``. + + +.. class:: SignatureAlgorithmOID + + .. versionadded:: 1.0 + + .. attribute:: RSA_WITH_MD5 -.. data:: OID_RSA_WITH_MD5 + Corresponds to the dotted string ``"1.2.840.113549.1.1.4"``. This is + an MD5 digest signed by an RSA key. - Corresponds to the dotted string ``"1.2.840.113549.1.1.4"``. This is - an MD5 digest signed by an RSA key. + .. attribute:: RSA_WITH_SHA1 -.. data:: OID_RSA_WITH_SHA1 + Corresponds to the dotted string ``"1.2.840.113549.1.1.5"``. This is + a SHA1 digest signed by an RSA key. - Corresponds to the dotted string ``"1.2.840.113549.1.1.5"``. This is - a SHA1 digest signed by an RSA key. + .. attribute:: RSA_WITH_SHA224 -.. data:: OID_RSA_WITH_SHA224 + Corresponds to the dotted string ``"1.2.840.113549.1.1.14"``. This is + a SHA224 digest signed by an RSA key. - Corresponds to the dotted string ``"1.2.840.113549.1.1.14"``. This is - a SHA224 digest signed by an RSA key. + .. attribute:: RSA_WITH_SHA256 -.. data:: OID_RSA_WITH_SHA256 + Corresponds to the dotted string ``"1.2.840.113549.1.1.11"``. This is + a SHA256 digest signed by an RSA key. - Corresponds to the dotted string ``"1.2.840.113549.1.1.11"``. This is - a SHA256 digest signed by an RSA key. + .. attribute:: RSA_WITH_SHA384 -.. 
data:: OID_RSA_WITH_SHA384 + Corresponds to the dotted string ``"1.2.840.113549.1.1.12"``. This is + a SHA384 digest signed by an RSA key. - Corresponds to the dotted string ``"1.2.840.113549.1.1.12"``. This is - a SHA384 digest signed by an RSA key. + .. attribute:: RSA_WITH_SHA512 -.. data:: OID_RSA_WITH_SHA512 + Corresponds to the dotted string ``"1.2.840.113549.1.1.13"``. This is + a SHA512 digest signed by an RSA key. - Corresponds to the dotted string ``"1.2.840.113549.1.1.13"``. This is - a SHA512 digest signed by an RSA key. + .. attribute:: ECDSA_WITH_SHA1 -.. data:: OID_ECDSA_WITH_SHA1 + Corresponds to the dotted string ``"1.2.840.10045.4.1"``. This is a SHA1 + digest signed by an ECDSA key. - Corresponds to the dotted string ``"1.2.840.10045.4.1"``. This is a SHA1 - digest signed by an ECDSA key. + .. attribute:: ECDSA_WITH_SHA224 -.. data:: OID_ECDSA_WITH_SHA224 + Corresponds to the dotted string ``"1.2.840.10045.4.3.1"``. This is + a SHA224 digest signed by an ECDSA key. - Corresponds to the dotted string ``"1.2.840.10045.4.3.1"``. This is - a SHA224 digest signed by an ECDSA key. + .. attribute:: ECDSA_WITH_SHA256 -.. data:: OID_ECDSA_WITH_SHA256 + Corresponds to the dotted string ``"1.2.840.10045.4.3.2"``. This is + a SHA256 digest signed by an ECDSA key. - Corresponds to the dotted string ``"1.2.840.10045.4.3.2"``. This is - a SHA256 digest signed by an ECDSA key. + .. attribute:: ECDSA_WITH_SHA384 -.. data:: OID_ECDSA_WITH_SHA384 + Corresponds to the dotted string ``"1.2.840.10045.4.3.3"``. This is + a SHA384 digest signed by an ECDSA key. - Corresponds to the dotted string ``"1.2.840.10045.4.3.3"``. This is - a SHA384 digest signed by an ECDSA key. + .. attribute:: ECDSA_WITH_SHA512 -.. data:: OID_ECDSA_WITH_SHA512 + Corresponds to the dotted string ``"1.2.840.10045.4.3.4"``. This is + a SHA512 digest signed by an ECDSA key. - Corresponds to the dotted string ``"1.2.840.10045.4.3.4"``. This is - a SHA512 digest signed by an ECDSA key. + .. 
attribute:: DSA_WITH_SHA1 -.. data:: OID_DSA_WITH_SHA1 + Corresponds to the dotted string ``"1.2.840.10040.4.3"``. This is + a SHA1 digest signed by a DSA key. - Corresponds to the dotted string ``"1.2.840.10040.4.3"``. This is - a SHA1 digest signed by a DSA key. + .. attribute:: DSA_WITH_SHA224 -.. data:: OID_DSA_WITH_SHA224 + Corresponds to the dotted string ``"2.16.840.1.101.3.4.3.1"``. This is + a SHA224 digest signed by a DSA key. - Corresponds to the dotted string ``"2.16.840.1.101.3.4.3.1"``. This is - a SHA224 digest signed by a DSA key. + .. attribute:: DSA_WITH_SHA256 -.. data:: OID_DSA_WITH_SHA256 + Corresponds to the dotted string ``"2.16.840.1.101.3.4.3.2"``. This is + a SHA256 digest signed by a DSA key. - Corresponds to the dotted string ``"2.16.840.1.101.3.4.3.2"``. This is - a SHA256 digest signed by a DSA key. -.. _eku_oids: +.. class:: ExtendedKeyUsageOID -Extended Key Usage OIDs -~~~~~~~~~~~~~~~~~~~~~~~ + .. versionadded:: 1.0 + + .. attribute:: SERVER_AUTH + + Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.1"``. This is used + to denote that a certificate may be used for TLS web server + authentication. + + .. attribute:: CLIENT_AUTH + + Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.2"``. This is used + to denote that a certificate may be used for TLS web client + authentication. -.. data:: OID_SERVER_AUTH + .. attribute:: CODE_SIGNING - Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.1"``. This is used to - denote that a certificate may be used for TLS web server authentication. + Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.3"``. This is used + to denote that a certificate may be used for code signing. -.. data:: OID_CLIENT_AUTH + .. attribute:: EMAIL_PROTECTION - Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.2"``. This is used to - denote that a certificate may be used for TLS web client authentication. + Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.4"``. 
This is used + to denote that a certificate may be used for email protection. -.. data:: OID_CODE_SIGNING + .. attribute:: TIME_STAMPING - Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.3"``. This is used to - denote that a certificate may be used for code signing. + Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.8"``. This is used + to denote that a certificate may be used for time stamping. -.. data:: OID_EMAIL_PROTECTION + .. attribute:: OCSP_SIGNING - Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.4"``. This is used to - denote that a certificate may be used for email protection. + Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.9"``. This is used + to denote that a certificate may be used for signing OCSP responses. -.. data:: OID_TIME_STAMPING - Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.8"``. This is used to - denote that a certificate may be used for time stamping. +.. class:: AuthorityInformationAccessOID -.. data:: OID_OCSP_SIGNING + .. versionadded:: 1.0 - Corresponds to the dotted string ``"1.3.6.1.5.5.7.3.9"``. This is used to - denote that a certificate may be used for signing OCSP responses. + .. attribute:: OCSP -Authority Information Access OIDs -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + Corresponds to the dotted string ``"1.3.6.1.5.5.7.48.1"``. Used as the + identifier for OCSP data in + :class:`~cryptography.x509.AccessDescription` objects. -.. data:: OID_OCSP + .. attribute:: CA_ISSUERS - Corresponds to the dotted string ``"1.3.6.1.5.5.7.48.1"``. Used as the - identifier for OCSP data in :class:`AccessDescription` objects. + Corresponds to the dotted string ``"1.3.6.1.5.5.7.48.2"``. Used as the + identifier for CA issuer data in + :class:`~cryptography.x509.AccessDescription` objects. -.. data:: OID_CA_ISSUERS - Corresponds to the dotted string ``"1.3.6.1.5.5.7.48.2"``. Used as the - identifier for CA issuer data in :class:`AccessDescription` objects. +.. 
class:: CertificatePoliciesOID -Policy Qualifier OIDs -~~~~~~~~~~~~~~~~~~~~~ + .. versionadded:: 1.0 -.. data:: OID_CPS_QUALIFIER + .. attribute:: CPS_QUALIFIER - Corresponds to the dotted string ``"1.3.6.1.5.5.7.2.1"``. + Corresponds to the dotted string ``"1.3.6.1.5.5.7.2.1"``. -.. data:: OID_CPS_USER_NOTICE + .. attribute:: CPS_USER_NOTICE - Corresponds to the dotted string ``"1.3.6.1.5.5.7.2.2"``. + Corresponds to the dotted string ``"1.3.6.1.5.5.7.2.2"``. -.. data:: OID_ANY_POLICY + .. attribute:: ANY_POLICY - Corresponds to the dotted string ``"2.5.29.32.0"``. + Corresponds to the dotted string ``"2.5.29.32.0"``. -.. _extension_oids: -Extension OIDs -~~~~~~~~~~~~~~ +.. class:: ExtensionOID -.. data:: OID_BASIC_CONSTRAINTS + .. versionadded:: 1.0 - Corresponds to the dotted string ``"2.5.29.19"``. The identifier for the - :class:`BasicConstraints` extension type. + .. attribute:: BASIC_CONSTRAINTS -.. data:: OID_KEY_USAGE + Corresponds to the dotted string ``"2.5.29.19"``. The identifier for the + :class:`~cryptography.x509.BasicConstraints` extension type. - Corresponds to the dotted string ``"2.5.29.15"``. The identifier for the - :class:`KeyUsage` extension type. + .. attribute:: KEY_USAGE -.. data:: OID_SUBJECT_ALTERNATIVE_NAME + Corresponds to the dotted string ``"2.5.29.15"``. The identifier for the + :class:`~cryptography.x509.KeyUsage` extension type. - Corresponds to the dotted string ``"2.5.29.17"``. The identifier for the - :class:`SubjectAlternativeName` extension type. + .. attribute:: SUBJECT_ALTERNATIVE_NAME -.. data:: OID_ISSUER_ALTERNATIVE_NAME + Corresponds to the dotted string ``"2.5.29.17"``. The identifier for the + :class:`~cryptography.x509.SubjectAlternativeName` extension type. - Corresponds to the dotted string ``"2.5.29.18"``. The identifier for the - :class:`IssuerAlternativeName` extension type. + .. attribute:: ISSUER_ALTERNATIVE_NAME -.. data:: OID_SUBJECT_KEY_IDENTIFIER + Corresponds to the dotted string ``"2.5.29.18"``. 
The identifier for the + :class:`~cryptography.x509.IssuerAlternativeName` extension type. - Corresponds to the dotted string ``"2.5.29.14"``. The identifier for the - :class:`SubjectKeyIdentifier` extension type. + .. attribute:: SUBJECT_KEY_IDENTIFIER -.. data:: OID_NAME_CONSTRAINTS + Corresponds to the dotted string ``"2.5.29.14"``. The identifier for the + :class:`~cryptography.x509.SubjectKeyIdentifier` extension type. - Corresponds to the dotted string ``"2.5.29.30"``. The identifier for the - :class:`NameConstraints` extension type. + .. attribute:: NAME_CONSTRAINTS -.. data:: OID_CRL_DISTRIBUTION_POINTS + Corresponds to the dotted string ``"2.5.29.30"``. The identifier for the + :class:`~cryptography.x509.NameConstraints` extension type. - Corresponds to the dotted string ``"2.5.29.31"``. The identifier for the - :class:`CRLDistributionPoints` extension type. + .. attribute:: CRL_DISTRIBUTION_POINTS -.. data:: OID_CERTIFICATE_POLICIES + Corresponds to the dotted string ``"2.5.29.31"``. The identifier for the + :class:`~cryptography.x509.CRLDistributionPoints` extension type. - Corresponds to the dotted string ``"2.5.29.32"``. The identifier for the - :class:`CertificatePolicies` extension type. + .. attribute:: CERTIFICATE_POLICIES -.. data:: OID_AUTHORITY_KEY_IDENTIFIER + Corresponds to the dotted string ``"2.5.29.32"``. The identifier for the + :class:`~cryptography.x509.CertificatePolicies` extension type. - Corresponds to the dotted string ``"2.5.29.35"``. The identifier for the - :class:`AuthorityKeyIdentifier` extension type. + .. attribute:: AUTHORITY_KEY_IDENTIFIER -.. data:: OID_EXTENDED_KEY_USAGE + Corresponds to the dotted string ``"2.5.29.35"``. The identifier for the + :class:`~cryptography.x509.AuthorityKeyIdentifier` extension type. - Corresponds to the dotted string ``"2.5.29.37"``. The identifier for the - :class:`ExtendedKeyUsage` extension type. + .. attribute:: EXTENDED_KEY_USAGE -.. 
data:: OID_AUTHORITY_INFORMATION_ACCESS + Corresponds to the dotted string ``"2.5.29.37"``. The identifier for the + :class:`~cryptography.x509.ExtendedKeyUsage` extension type. - Corresponds to the dotted string ``"1.3.6.1.5.5.7.1.1"``. The identifier - for the :class:`AuthorityInformationAccess` extension type. + .. attribute:: AUTHORITY_INFORMATION_ACCESS -.. data:: OID_INHIBIT_ANY_POLICY + Corresponds to the dotted string ``"1.3.6.1.5.5.7.1.1"``. The identifier + for the :class:`~cryptography.x509.AuthorityInformationAccess` extension + type. - Corresponds to the dotted string ``"2.5.29.54"``. The identifier - for the :class:`InhibitAnyPolicy` extension type. + .. attribute:: INHIBIT_ANY_POLICY -.. data:: OID_OCSP_NO_CHECK + Corresponds to the dotted string ``"2.5.29.54"``. The identifier + for the :class:`~cryptography.x509.InhibitAnyPolicy` extension type. - Corresponds to the dotted string ``"1.3.6.1.5.5.7.48.1.5"``. The identifier - for the :class:`OCSPNoCheck` extension type. + .. attribute:: OCSP_NO_CHECK + + Corresponds to the dotted string ``"1.3.6.1.5.5.7.48.1.5"``. The + identifier for the :class:`~cryptography.x509.OCSPNoCheck` extension + type. Exceptions ~~~~~~~~~~ +.. currentmodule:: cryptography.x509 .. class:: InvalidVersion diff --git a/docs/x509/tutorial.rst b/docs/x509/tutorial.rst index bcaec809..5e8d54eb 100644 --- a/docs/x509/tutorial.rst +++ b/docs/x509/tutorial.rst 
@@ -57,14 +57,15 @@ a few details:
 .. code-block:: pycon
 >>> from cryptography import x509
+ >>> from cryptography.x509.oid import NameOID
 >>> # Generate a CSR
 >>> csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
 ... # Provide various details about who we are.
- ... x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"),
- ... x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u"CA"),
- ... x509.NameAttribute(x509.OID_LOCALITY_NAME, u"San Francisco"),
- ... x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u"My Company"),
- ... x509.NameAttribute(x509.COMMON_NAME, u"mysite.com"),
+ ... x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
+ ... x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"CA"),
+ ... x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"),
+ ... x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"),
+ ... x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com"),
 ... ])).add_extension(x509.SubjectAlternativeName([
 ... # Describe what sites we want this certificate for.
 ... x509.DNSName(u"mysite.com"),
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 3866c0d4..9eae69c7 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -53,6 +53,7 @@ from cryptography.hazmat.primitives.ciphers.algorithms import (
 from cryptography.hazmat.primitives.ciphers.modes import (
 CBC, CFB, CFB8, CTR, ECB, GCM, OFB
 )
+from cryptography.x509.oid import ExtensionOID
 _MemoryBIO = collections.namedtuple("_MemoryBIO", ["bio", "char_ptr"])
@@ -482,19 +483,19 @@ def _encode_crl_distribution_points(backend, crl_distribution_points):
 _EXTENSION_ENCODE_HANDLERS = {
- x509.OID_BASIC_CONSTRAINTS: _encode_basic_constraints,
- x509.OID_SUBJECT_KEY_IDENTIFIER: _encode_subject_key_identifier,
- x509.OID_KEY_USAGE: _encode_key_usage,
- x509.OID_SUBJECT_ALTERNATIVE_NAME: _encode_alt_name,
- x509.OID_ISSUER_ALTERNATIVE_NAME: _encode_alt_name,
- x509.OID_EXTENDED_KEY_USAGE: _encode_extended_key_usage,
- x509.OID_AUTHORITY_KEY_IDENTIFIER: _encode_authority_key_identifier,
- x509.OID_AUTHORITY_INFORMATION_ACCESS: (
+ ExtensionOID.BASIC_CONSTRAINTS: _encode_basic_constraints,
+ ExtensionOID.SUBJECT_KEY_IDENTIFIER: _encode_subject_key_identifier,
+ ExtensionOID.KEY_USAGE: _encode_key_usage,
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME: _encode_alt_name,
+ ExtensionOID.ISSUER_ALTERNATIVE_NAME: _encode_alt_name,
+ ExtensionOID.EXTENDED_KEY_USAGE: _encode_extended_key_usage,
+ ExtensionOID.AUTHORITY_KEY_IDENTIFIER: _encode_authority_key_identifier,
+ ExtensionOID.AUTHORITY_INFORMATION_ACCESS: (
 _encode_authority_information_access
 ),
- x509.OID_CRL_DISTRIBUTION_POINTS: _encode_crl_distribution_points,
- x509.OID_INHIBIT_ANY_POLICY: _encode_inhibit_any_policy,
- x509.OID_OCSP_NO_CHECK: _encode_ocsp_nocheck,
+ ExtensionOID.CRL_DISTRIBUTION_POINTS: _encode_crl_distribution_points,
+ ExtensionOID.INHIBIT_ANY_POLICY: _encode_inhibit_any_policy,
+ ExtensionOID.OCSP_NO_CHECK: _encode_ocsp_nocheck,
 }
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 564b2680..e9af97f3 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
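Review bot: `_EXTENSION_ENCODE_HANDLERS` has no entry for `ExtensionOID.CERTIFICATE_POLICIES` or `ExtensionOID.NAME_CONSTRAINTS`, although both appear as keys in the `_EXTENSION_HANDLERS` decode table in `openssl/x509.py`, so as far as these two tables show the builder side cannot emit extensions that the parser side accepts. If that gap is intentional for this release, a short comment above the table would stop the next reader from assuming the two tables are meant to mirror each other, e.g. `# Encoders lag the decoders in openssl/x509.py: CERTIFICATE_POLICIES and NAME_CONSTRAINTS are decode-only for now.` If it is not intentional, the missing encoders are the follow-up to track.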
@@ -17,6 +17,7 @@ from six.moves import urllib_parse
 from cryptography import utils, x509
 from cryptography.exceptions import UnsupportedAlgorithm
 from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.x509.oid import CertificatePoliciesOID, ExtensionOID
 def _obj2txt(backend, obj):
@@ -385,13 +386,13 @@ def _decode_certificate_policies(backend, cp):
 pqualid = x509.ObjectIdentifier(
 _obj2txt(backend, pqi.pqualid)
 )
- if pqualid == x509.OID_CPS_QUALIFIER:
+ if pqualid == CertificatePoliciesOID.CPS_QUALIFIER:
 cpsuri = backend._ffi.buffer(
 pqi.d.cpsuri.data, pqi.d.cpsuri.length
 )[:].decode('ascii')
 qualifiers.append(cpsuri)
 else:
- assert pqualid == x509.OID_CPS_USER_NOTICE
+ assert pqualid == CertificatePoliciesOID.CPS_USER_NOTICE
 user_notice = _decode_user_notice(
 backend, pqi.d.usernotice
 )
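Review bot: The `else:` branch of `_decode_certificate_policies` still relies on `assert pqualid == CertificatePoliciesOID.CPS_USER_NOTICE` to reject any other policy-qualifier OID, and `pqualid` is read straight out of the certificate being parsed. Under `python -O` the assert is stripped, so an unrecognised qualifier would fall through to `_decode_user_notice(backend, pqi.d.usernotice)` and the qualifier's data would presumably be read as if it were a user notice; with asserts enabled, a malformed or merely unusual certificate surfaces as an `AssertionError` instead of a parse error. I would make the check explicit: `elif pqualid == CertificatePoliciesOID.CPS_USER_NOTICE:` for the user-notice path and a final `else: raise ValueError("Unsupported policy qualifier OID: {0}".format(pqualid))` (or whichever exception the rest of this decoder raises for unparseable extensions). `_decode_certificate_policies` begins and ends outside this hunk.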
@@ -756,21 +757,21 @@ class _CertificateSigningRequest(object):
 _EXTENSION_HANDLERS = {
- x509.OID_BASIC_CONSTRAINTS: _decode_basic_constraints,
- x509.OID_SUBJECT_KEY_IDENTIFIER: _decode_subject_key_identifier,
- x509.OID_KEY_USAGE: _decode_key_usage,
- x509.OID_SUBJECT_ALTERNATIVE_NAME: _decode_subject_alt_name,
- x509.OID_EXTENDED_KEY_USAGE: _decode_extended_key_usage,
- x509.OID_AUTHORITY_KEY_IDENTIFIER: _decode_authority_key_identifier,
- x509.OID_AUTHORITY_INFORMATION_ACCESS: (
+ ExtensionOID.BASIC_CONSTRAINTS: _decode_basic_constraints,
+ ExtensionOID.SUBJECT_KEY_IDENTIFIER: _decode_subject_key_identifier,
+ ExtensionOID.KEY_USAGE: _decode_key_usage,
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME: _decode_subject_alt_name,
+ ExtensionOID.EXTENDED_KEY_USAGE: _decode_extended_key_usage,
+ ExtensionOID.AUTHORITY_KEY_IDENTIFIER: _decode_authority_key_identifier,
+ ExtensionOID.AUTHORITY_INFORMATION_ACCESS: (
 _decode_authority_information_access
 ),
- x509.OID_CERTIFICATE_POLICIES: _decode_certificate_policies,
- x509.OID_CRL_DISTRIBUTION_POINTS: _decode_crl_distribution_points,
- x509.OID_OCSP_NO_CHECK: _decode_ocsp_no_check,
- x509.OID_INHIBIT_ANY_POLICY: _decode_inhibit_any_policy,
- x509.OID_ISSUER_ALTERNATIVE_NAME: _decode_issuer_alt_name,
- x509.OID_NAME_CONSTRAINTS: _decode_name_constraints,
+ ExtensionOID.CERTIFICATE_POLICIES: _decode_certificate_policies,
+ ExtensionOID.CRL_DISTRIBUTION_POINTS: _decode_crl_distribution_points,
+ ExtensionOID.OCSP_NO_CHECK: _decode_ocsp_no_check,
+ ExtensionOID.INHIBIT_ANY_POLICY: _decode_inhibit_any_policy,
+ ExtensionOID.ISSUER_ALTERNATIVE_NAME: _decode_issuer_alt_name,
+ ExtensionOID.NAME_CONSTRAINTS: _decode_name_constraints,
 }
diff --git a/src/cryptography/x509/__init__.py b/src/cryptography/x509/__init__.py
index 82e83616..1aa2598b 100644
--- a/src/cryptography/x509/__init__.py
+++ b/src/cryptography/x509/__init__.py
@@ -5,18 +5,21 @@ from __future__ import absolute_import, division, print_function from cryptography.x509.base import ( - AccessDescription, AuthorityInformationAccess, AuthorityKeyIdentifier, - BasicConstraints, CRLDistributionPoints, Certificate, CertificateBuilder, - CertificatePolicies, CertificateRevocationList, CertificateSigningRequest, - CertificateSigningRequestBuilder, DistributionPoint, - DuplicateExtension, ExtendedKeyUsage, Extension, ExtensionNotFound, - ExtensionType, Extensions, GeneralNames, InhibitAnyPolicy, - InvalidVersion, IssuerAlternativeName, KeyUsage, NameConstraints, - NoticeReference, OCSPNoCheck, ObjectIdentifier, - PolicyInformation, ReasonFlags, - RevokedCertificate, SubjectAlternativeName, SubjectKeyIdentifier, - UnsupportedExtension, UserNotice, Version, load_der_x509_certificate, - load_der_x509_csr, load_pem_x509_certificate, load_pem_x509_csr, + Certificate, CertificateBuilder, CertificateRevocationList, + CertificateSigningRequest, CertificateSigningRequestBuilder, + InvalidVersion, RevokedCertificate, + Version, load_der_x509_certificate, load_der_x509_csr, + load_pem_x509_certificate, load_pem_x509_csr, +) +from cryptography.x509.extensions import ( + AccessDescription, AuthorityInformationAccess, + AuthorityKeyIdentifier, BasicConstraints, CRLDistributionPoints, + CertificatePolicies, DistributionPoint, DuplicateExtension, + ExtendedKeyUsage, Extension, ExtensionNotFound, ExtensionType, Extensions, + GeneralNames, InhibitAnyPolicy, IssuerAlternativeName, KeyUsage, + NameConstraints, NoticeReference, OCSPNoCheck, PolicyInformation, + ReasonFlags, SubjectAlternativeName, SubjectKeyIdentifier, + UnsupportedExtension, UserNotice ) from cryptography.x509.general_name import ( DNSName, DirectoryName, GeneralName, IPAddress, OtherName, RFC822Name, 
@@ -25,11 +28,8 @@ from cryptography.x509.general_name import ( ) from cryptography.x509.name import Name, NameAttribute from cryptography.x509.oid import ( - ExtensionOID, NameOID, OID_ANY_POLICY, - OID_CA_ISSUERS, OID_CERTIFICATE_ISSUER, OID_CLIENT_AUTH, - OID_CODE_SIGNING, OID_CPS_QUALIFIER, OID_CPS_USER_NOTICE, OID_CRL_REASON, - OID_EMAIL_PROTECTION, OID_INVALIDITY_DATE, OID_OCSP, OID_OCSP_SIGNING, - OID_SERVER_AUTH, OID_TIME_STAMPING, + AuthorityInformationAccessOID, CRLExtensionOID, CertificatePoliciesOID, + ExtendedKeyUsageOID, ExtensionOID, NameOID, ObjectIdentifier, SignatureAlgorithmOID, _SIG_OIDS_TO_HASH ) @@ -84,6 +84,24 @@ OID_STATE_OR_PROVINCE_NAME = NameOID.STATE_OR_PROVINCE_NAME OID_SURNAME = NameOID.SURNAME OID_TITLE = NameOID.TITLE +OID_CLIENT_AUTH = ExtendedKeyUsageOID.CLIENT_AUTH +OID_CODE_SIGNING = ExtendedKeyUsageOID.CODE_SIGNING +OID_EMAIL_PROTECTION = ExtendedKeyUsageOID.EMAIL_PROTECTION +OID_OCSP_SIGNING = ExtendedKeyUsageOID.OCSP_SIGNING +OID_SERVER_AUTH = ExtendedKeyUsageOID.SERVER_AUTH +OID_TIME_STAMPING = ExtendedKeyUsageOID.TIME_STAMPING + +OID_ANY_POLICY = CertificatePoliciesOID.ANY_POLICY +OID_CPS_QUALIFIER = CertificatePoliciesOID.CPS_QUALIFIER +OID_CPS_USER_NOTICE = CertificatePoliciesOID.CPS_USER_NOTICE + +OID_CERTIFICATE_ISSUER = CRLExtensionOID.CERTIFICATE_ISSUER +OID_CRL_REASON = CRLExtensionOID.CRL_REASON +OID_INVALIDITY_DATE = CRLExtensionOID.INVALIDITY_DATE + +OID_CA_ISSUERS = AuthorityInformationAccessOID.CA_ISSUERS +OID_OCSP = AuthorityInformationAccessOID.OCSP + __all__ = [ "load_pem_x509_certificate", 
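Review bot: The new `OID_*` module-level assignments in the second hunk carry no comment saying they exist only for backwards compatibility with the constants this commit removes from `cryptography.x509.oid`, so a reader now sees two spellings of every OID with no guidance on which is canonical. A header such as `# Backwards-compatible aliases for the former module-level OID constants; new code should use the *OID classes above.` would settle that. Their handling in `__all__` is also inconsistent: the following hunk (`@@ -136,20 +154,8 @@`) drops every one of these names except `OID_CA_ISSUERS` and `OID_OCSP`, so `OID_CLIENT_AUTH`, `OID_CRL_REASON`, `OID_CPS_QUALIFIER` and the rest stay defined but vanish from star-imports while two siblings remain exported; either list them all in `__all__` or remove those two as well.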
@@ -136,20 +154,8 @@ __all__ = [
 "CertificateSigningRequestBuilder",
 "CertificateBuilder",
 "Version",
- "OID_CRL_REASON",
- "OID_INVALIDITY_DATE",
- "OID_CERTIFICATE_ISSUER",
 "_SIG_OIDS_TO_HASH",
- "OID_CPS_QUALIFIER",
- "OID_CPS_USER_NOTICE",
- "OID_ANY_POLICY",
 "OID_CA_ISSUERS",
 "OID_OCSP",
- "OID_SERVER_AUTH",
- "OID_CLIENT_AUTH",
- "OID_CODE_SIGNING",
- "OID_EMAIL_PROTECTION",
- "OID_TIME_STAMPING",
- "OID_OCSP_SIGNING",
 "_GENERAL_NAMES",
 ]
diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py
index 8eabee88..27eafac6 100644
--- a/src/cryptography/x509/base.py
+++ b/src/cryptography/x509/base.py
@@ -6,51 +6,14 @@ from __future__ import absolute_import, division, print_function import abc import datetime -import hashlib -import ipaddress from enum import Enum -from pyasn1.codec.der import decoder -from pyasn1.type import namedtype, univ - import six from cryptography import utils -from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa -from cryptography.x509.general_name import GeneralName, IPAddress, OtherName +from cryptography.x509.extensions import Extension, ExtensionType from cryptography.x509.name import Name -from cryptography.x509.oid import ( - ExtensionOID, OID_CA_ISSUERS, OID_OCSP, ObjectIdentifier -) - - -class _SubjectPublicKeyInfo(univ.Sequence): - componentType = namedtype.NamedTypes( - namedtype.NamedType('algorithm', univ.Sequence()), - namedtype.NamedType('subjectPublicKey', univ.BitString()) - ) - - -def _key_identifier_from_public_key(public_key): - # This is a very slow way to do this. - serialized = public_key.public_bytes( - serialization.Encoding.DER, - serialization.PublicFormat.SubjectPublicKeyInfo - ) - spki, remaining = decoder.decode( - serialized, asn1Spec=_SubjectPublicKeyInfo() - ) - assert not remaining - # the univ.BitString object is a tuple of bits. We need bytes and - # pyasn1 really doesn't want to give them to us. To get it we'll - # build an integer and convert that to bytes. - bits = 0 - for bit in spki.getComponentByName("subjectPublicKey"): - bits = bits << 1 | bit - - data = utils.int_to_bytes(bits) - return hashlib.sha1(data).digest() _UNIX_EPOCH = datetime.datetime(1970, 1, 1) 
@@ -83,866 +46,6 @@ class InvalidVersion(Exception): self.parsed_version = parsed_version -class DuplicateExtension(Exception): - def __init__(self, msg, oid): - super(DuplicateExtension, self).__init__(msg) - self.oid = oid - - -class UnsupportedExtension(Exception): - def __init__(self, msg, oid): - super(UnsupportedExtension, self).__init__(msg) - self.oid = oid - - -class ExtensionNotFound(Exception): - def __init__(self, msg, oid): - super(ExtensionNotFound, self).__init__(msg) - self.oid = oid - - -class Extensions(object): - def __init__(self, extensions): - self._extensions = extensions - - def get_extension_for_oid(self, oid): - for ext in self: - if ext.oid == oid: - return ext - - raise ExtensionNotFound("No {0} extension was found".format(oid), oid) - - def __iter__(self): - return iter(self._extensions) - - def __len__(self): - return len(self._extensions) - - -class Extension(object): - def __init__(self, oid, critical, value): - if not isinstance(oid, ObjectIdentifier): - raise TypeError( - "oid argument must be an ObjectIdentifier instance." - ) - - if not isinstance(critical, bool): - raise TypeError("critical must be a boolean value") - - self._oid = oid - self._critical = critical - self._value = value - - oid = utils.read_only_property("_oid") - critical = utils.read_only_property("_critical") - value = utils.read_only_property("_value") - - def __repr__(self): - return ("<Extension(oid={0.oid}, critical={0.critical}, " - "value={0.value})>").format(self) - - def __eq__(self, other): - if not isinstance(other, Extension): - return NotImplemented - - return ( - self.oid == other.oid and - self.critical == other.critical and - self.value == other.value - ) - - def __ne__(self, other): - return not self == other - - -@six.add_metaclass(abc.ABCMeta) -class ExtensionType(object): - @abc.abstractproperty - def oid(self): - """ - Returns the oid associated with the given extension type. 
- """ - - -@utils.register_interface(ExtensionType) -class ExtendedKeyUsage(object): - oid = ExtensionOID.EXTENDED_KEY_USAGE - - def __init__(self, usages): - if not all(isinstance(x, ObjectIdentifier) for x in usages): - raise TypeError( - "Every item in the usages list must be an ObjectIdentifier" - ) - - self._usages = usages - - def __iter__(self): - return iter(self._usages) - - def __len__(self): - return len(self._usages) - - def __repr__(self): - return "<ExtendedKeyUsage({0})>".format(self._usages) - - def __eq__(self, other): - if not isinstance(other, ExtendedKeyUsage): - return NotImplemented - - return self._usages == other._usages - - def __ne__(self, other): - return not self == other - - -@utils.register_interface(ExtensionType) -class OCSPNoCheck(object): - oid = ExtensionOID.OCSP_NO_CHECK - - -@utils.register_interface(ExtensionType) -class BasicConstraints(object): - oid = ExtensionOID.BASIC_CONSTRAINTS - - def __init__(self, ca, path_length): - if not isinstance(ca, bool): - raise TypeError("ca must be a boolean value") - - if path_length is not None and not ca: - raise ValueError("path_length must be None when ca is False") - - if ( - path_length is not None and - (not isinstance(path_length, six.integer_types) or path_length < 0) - ): - raise TypeError( - "path_length must be a non-negative integer or None" - ) - - self._ca = ca - self._path_length = path_length - - ca = utils.read_only_property("_ca") - path_length = utils.read_only_property("_path_length") - - def __repr__(self): - return ("<BasicConstraints(ca={0.ca}, " - "path_length={0.path_length})>").format(self) - - def __eq__(self, other): - if not isinstance(other, BasicConstraints): - return NotImplemented - - return self.ca == other.ca and self.path_length == other.path_length - - def __ne__(self, other): - return not self == other - - -@utils.register_interface(ExtensionType) -class KeyUsage(object): - oid = ExtensionOID.KEY_USAGE - - def __init__(self, digital_signature, 
content_commitment, key_encipherment, - data_encipherment, key_agreement, key_cert_sign, crl_sign, - encipher_only, decipher_only): - if not key_agreement and (encipher_only or decipher_only): - raise ValueError( - "encipher_only and decipher_only can only be true when " - "key_agreement is true" - ) - - self._digital_signature = digital_signature - self._content_commitment = content_commitment - self._key_encipherment = key_encipherment - self._data_encipherment = data_encipherment - self._key_agreement = key_agreement - self._key_cert_sign = key_cert_sign - self._crl_sign = crl_sign - self._encipher_only = encipher_only - self._decipher_only = decipher_only - - digital_signature = utils.read_only_property("_digital_signature") - content_commitment = utils.read_only_property("_content_commitment") - key_encipherment = utils.read_only_property("_key_encipherment") - data_encipherment = utils.read_only_property("_data_encipherment") - key_agreement = utils.read_only_property("_key_agreement") - key_cert_sign = utils.read_only_property("_key_cert_sign") - crl_sign = utils.read_only_property("_crl_sign") - - @property - def encipher_only(self): - if not self.key_agreement: - raise ValueError( - "encipher_only is undefined unless key_agreement is true" - ) - else: - return self._encipher_only - - @property - def decipher_only(self): - if not self.key_agreement: - raise ValueError( - "decipher_only is undefined unless key_agreement is true" - ) - else: - return self._decipher_only - - def __repr__(self): - try: - encipher_only = self.encipher_only - decipher_only = self.decipher_only - except ValueError: - encipher_only = None - decipher_only = None - - return ("<KeyUsage(digital_signature={0.digital_signature}, " - "content_commitment={0.content_commitment}, " - "key_encipherment={0.key_encipherment}, " - "data_encipherment={0.data_encipherment}, " - "key_agreement={0.key_agreement}, " - "key_cert_sign={0.key_cert_sign}, crl_sign={0.crl_sign}, " - "encipher_only={1}, 
decipher_only={2})>").format( - self, encipher_only, decipher_only) - - def __eq__(self, other): - if not isinstance(other, KeyUsage): - return NotImplemented - - return ( - self.digital_signature == other.digital_signature and - self.content_commitment == other.content_commitment and - self.key_encipherment == other.key_encipherment and - self.data_encipherment == other.data_encipherment and - self.key_agreement == other.key_agreement and - self.key_cert_sign == other.key_cert_sign and - self.crl_sign == other.crl_sign and - self._encipher_only == other._encipher_only and - self._decipher_only == other._decipher_only - ) - - def __ne__(self, other): - return not self == other - - -@utils.register_interface(ExtensionType) -class AuthorityInformationAccess(object): - oid = ExtensionOID.AUTHORITY_INFORMATION_ACCESS - - def __init__(self, descriptions): - if not all(isinstance(x, AccessDescription) for x in descriptions): - raise TypeError( - "Every item in the descriptions list must be an " - "AccessDescription" - ) - - self._descriptions = descriptions - - def __iter__(self): - return iter(self._descriptions) - - def __len__(self): - return len(self._descriptions) - - def __repr__(self): - return "<AuthorityInformationAccess({0})>".format(self._descriptions) - - def __eq__(self, other): - if not isinstance(other, AuthorityInformationAccess): - return NotImplemented - - return self._descriptions == other._descriptions - - def __ne__(self, other): - return not self == other - - -class AccessDescription(object): - def __init__(self, access_method, access_location): - if not (access_method == OID_OCSP or access_method == OID_CA_ISSUERS): - raise ValueError( - "access_method must be OID_OCSP or OID_CA_ISSUERS" - ) - - if not isinstance(access_location, GeneralName): - raise TypeError("access_location must be a GeneralName") - - self._access_method = access_method - self._access_location = access_location - - def __repr__(self): - return ( - 
"<AccessDescription(access_method={0.access_method}, access_locati" - "on={0.access_location})>".format(self) - ) - - def __eq__(self, other): - if not isinstance(other, AccessDescription): - return NotImplemented - - return ( - self.access_method == other.access_method and - self.access_location == other.access_location - ) - - def __ne__(self, other): - return not self == other - - access_method = utils.read_only_property("_access_method") - access_location = utils.read_only_property("_access_location") - - -@utils.register_interface(ExtensionType) -class CertificatePolicies(object): - oid = ExtensionOID.CERTIFICATE_POLICIES - - def __init__(self, policies): - if not all(isinstance(x, PolicyInformation) for x in policies): - raise TypeError( - "Every item in the policies list must be a " - "PolicyInformation" - ) - - self._policies = policies - - def __iter__(self): - return iter(self._policies) - - def __len__(self): - return len(self._policies) - - def __repr__(self): - return "<CertificatePolicies({0})>".format(self._policies) - - def __eq__(self, other): - if not isinstance(other, CertificatePolicies): - return NotImplemented - - return self._policies == other._policies - - def __ne__(self, other): - return not self == other - - -class PolicyInformation(object): - def __init__(self, policy_identifier, policy_qualifiers): - if not isinstance(policy_identifier, ObjectIdentifier): - raise TypeError("policy_identifier must be an ObjectIdentifier") - - self._policy_identifier = policy_identifier - if policy_qualifiers and not all( - isinstance( - x, (six.text_type, UserNotice) - ) for x in policy_qualifiers - ): - raise TypeError( - "policy_qualifiers must be a list of strings and/or UserNotice" - " objects or None" - ) - - self._policy_qualifiers = policy_qualifiers - - def __repr__(self): - return ( - "<PolicyInformation(policy_identifier={0.policy_identifier}, polic" - "y_qualifiers={0.policy_qualifiers})>".format(self) - ) - - def __eq__(self, other): - if not 
isinstance(other, PolicyInformation): - return NotImplemented - - return ( - self.policy_identifier == other.policy_identifier and - self.policy_qualifiers == other.policy_qualifiers - ) - - def __ne__(self, other): - return not self == other - - policy_identifier = utils.read_only_property("_policy_identifier") - policy_qualifiers = utils.read_only_property("_policy_qualifiers") - - -class UserNotice(object): - def __init__(self, notice_reference, explicit_text): - if notice_reference and not isinstance( - notice_reference, NoticeReference - ): - raise TypeError( - "notice_reference must be None or a NoticeReference" - ) - - self._notice_reference = notice_reference - self._explicit_text = explicit_text - - def __repr__(self): - return ( - "<UserNotice(notice_reference={0.notice_reference}, explicit_text=" - "{0.explicit_text!r})>".format(self) - ) - - def __eq__(self, other): - if not isinstance(other, UserNotice): - return NotImplemented - - return ( - self.notice_reference == other.notice_reference and - self.explicit_text == other.explicit_text - ) - - def __ne__(self, other): - return not self == other - - notice_reference = utils.read_only_property("_notice_reference") - explicit_text = utils.read_only_property("_explicit_text") - - -class NoticeReference(object): - def __init__(self, organization, notice_numbers): - self._organization = organization - if not isinstance(notice_numbers, list) or not all( - isinstance(x, int) for x in notice_numbers - ): - raise TypeError( - "notice_numbers must be a list of integers" - ) - - self._notice_numbers = notice_numbers - - def __repr__(self): - return ( - "<NoticeReference(organization={0.organization!r}, notice_numbers=" - "{0.notice_numbers})>".format(self) - ) - - def __eq__(self, other): - if not isinstance(other, NoticeReference): - return NotImplemented - - return ( - self.organization == other.organization and - self.notice_numbers == other.notice_numbers - ) - - def __ne__(self, other): - return not self == 
other - - organization = utils.read_only_property("_organization") - notice_numbers = utils.read_only_property("_notice_numbers") - - -@utils.register_interface(ExtensionType) -class SubjectKeyIdentifier(object): - oid = ExtensionOID.SUBJECT_KEY_IDENTIFIER - - def __init__(self, digest): - self._digest = digest - - @classmethod - def from_public_key(cls, public_key): - return cls(_key_identifier_from_public_key(public_key)) - - digest = utils.read_only_property("_digest") - - def __repr__(self): - return "<SubjectKeyIdentifier(digest={0!r})>".format(self.digest) - - def __eq__(self, other): - if not isinstance(other, SubjectKeyIdentifier): - return NotImplemented - - return ( - self.digest == other.digest - ) - - def __ne__(self, other): - return not self == other - - -@utils.register_interface(ExtensionType) -class NameConstraints(object): - oid = ExtensionOID.NAME_CONSTRAINTS - - def __init__(self, permitted_subtrees, excluded_subtrees): - if permitted_subtrees is not None: - if not all( - isinstance(x, GeneralName) for x in permitted_subtrees - ): - raise TypeError( - "permitted_subtrees must be a list of GeneralName objects " - "or None" - ) - - self._validate_ip_name(permitted_subtrees) - - if excluded_subtrees is not None: - if not all( - isinstance(x, GeneralName) for x in excluded_subtrees - ): - raise TypeError( - "excluded_subtrees must be a list of GeneralName objects " - "or None" - ) - - self._validate_ip_name(excluded_subtrees) - - if permitted_subtrees is None and excluded_subtrees is None: - raise ValueError( - "At least one of permitted_subtrees and excluded_subtrees " - "must not be None" - ) - - self._permitted_subtrees = permitted_subtrees - self._excluded_subtrees = excluded_subtrees - - def __eq__(self, other): - if not isinstance(other, NameConstraints): - return NotImplemented - - return ( - self.excluded_subtrees == other.excluded_subtrees and - self.permitted_subtrees == other.permitted_subtrees - ) - - def __ne__(self, other): - return 
not self == other - - def _validate_ip_name(self, tree): - if any(isinstance(name, IPAddress) and not isinstance( - name.value, (ipaddress.IPv4Network, ipaddress.IPv6Network) - ) for name in tree): - raise TypeError( - "IPAddress name constraints must be an IPv4Network or" - " IPv6Network object" - ) - - def __repr__(self): - return ( - u"<NameConstraints(permitted_subtrees={0.permitted_subtrees}, " - u"excluded_subtrees={0.excluded_subtrees})>".format(self) - ) - - permitted_subtrees = utils.read_only_property("_permitted_subtrees") - excluded_subtrees = utils.read_only_property("_excluded_subtrees") - - -@utils.register_interface(ExtensionType) -class CRLDistributionPoints(object): - oid = ExtensionOID.CRL_DISTRIBUTION_POINTS - - def __init__(self, distribution_points): - if not all( - isinstance(x, DistributionPoint) for x in distribution_points - ): - raise TypeError( - "distribution_points must be a list of DistributionPoint " - "objects" - ) - - self._distribution_points = distribution_points - - def __iter__(self): - return iter(self._distribution_points) - - def __len__(self): - return len(self._distribution_points) - - def __repr__(self): - return "<CRLDistributionPoints({0})>".format(self._distribution_points) - - def __eq__(self, other): - if not isinstance(other, CRLDistributionPoints): - return NotImplemented - - return self._distribution_points == other._distribution_points - - def __ne__(self, other): - return not self == other - - -class DistributionPoint(object): - def __init__(self, full_name, relative_name, reasons, crl_issuer): - if full_name and relative_name: - raise ValueError( - "You cannot provide both full_name and relative_name, at " - "least one must be None." 
- ) - - if full_name and not all( - isinstance(x, GeneralName) for x in full_name - ): - raise TypeError( - "full_name must be a list of GeneralName objects" - ) - - if relative_name and not isinstance(relative_name, Name): - raise TypeError("relative_name must be a Name") - - if crl_issuer and not all( - isinstance(x, GeneralName) for x in crl_issuer - ): - raise TypeError( - "crl_issuer must be None or a list of general names" - ) - - if reasons and (not isinstance(reasons, frozenset) or not all( - isinstance(x, ReasonFlags) for x in reasons - )): - raise TypeError("reasons must be None or frozenset of ReasonFlags") - - if reasons and ( - ReasonFlags.unspecified in reasons or - ReasonFlags.remove_from_crl in reasons - ): - raise ValueError( - "unspecified and remove_from_crl are not valid reasons in a " - "DistributionPoint" - ) - - if reasons and not crl_issuer and not (full_name or relative_name): - raise ValueError( - "You must supply crl_issuer, full_name, or relative_name when " - "reasons is not None" - ) - - self._full_name = full_name - self._relative_name = relative_name - self._reasons = reasons - self._crl_issuer = crl_issuer - - def __repr__(self): - return ( - "<DistributionPoint(full_name={0.full_name}, relative_name={0.rela" - "tive_name}, reasons={0.reasons}, crl_issuer={0.crl_is" - "suer})>".format(self) - ) - - def __eq__(self, other): - if not isinstance(other, DistributionPoint): - return NotImplemented - - return ( - self.full_name == other.full_name and - self.relative_name == other.relative_name and - self.reasons == other.reasons and - self.crl_issuer == other.crl_issuer - ) - - def __ne__(self, other): - return not self == other - - full_name = utils.read_only_property("_full_name") - relative_name = utils.read_only_property("_relative_name") - reasons = utils.read_only_property("_reasons") - crl_issuer = utils.read_only_property("_crl_issuer") - - -class ReasonFlags(Enum): - unspecified = "unspecified" - key_compromise = "keyCompromise" 
- ca_compromise = "cACompromise" - affiliation_changed = "affiliationChanged" - superseded = "superseded" - cessation_of_operation = "cessationOfOperation" - certificate_hold = "certificateHold" - privilege_withdrawn = "privilegeWithdrawn" - aa_compromise = "aACompromise" - remove_from_crl = "removeFromCRL" - - -@utils.register_interface(ExtensionType) -class InhibitAnyPolicy(object): - oid = ExtensionOID.INHIBIT_ANY_POLICY - - def __init__(self, skip_certs): - if not isinstance(skip_certs, six.integer_types): - raise TypeError("skip_certs must be an integer") - - if skip_certs < 0: - raise ValueError("skip_certs must be a non-negative integer") - - self._skip_certs = skip_certs - - def __repr__(self): - return "<InhibitAnyPolicy(skip_certs={0.skip_certs})>".format(self) - - def __eq__(self, other): - if not isinstance(other, InhibitAnyPolicy): - return NotImplemented - - return self.skip_certs == other.skip_certs - - def __ne__(self, other): - return not self == other - - skip_certs = utils.read_only_property("_skip_certs") - - -class GeneralNames(object): - def __init__(self, general_names): - if not all(isinstance(x, GeneralName) for x in general_names): - raise TypeError( - "Every item in the general_names list must be an " - "object conforming to the GeneralName interface" - ) - - self._general_names = general_names - - def __iter__(self): - return iter(self._general_names) - - def __len__(self): - return len(self._general_names) - - def get_values_for_type(self, type): - # Return the value of each GeneralName, except for OtherName instances - # which we return directly because it has two important properties not - # just one value. 
- objs = (i for i in self if isinstance(i, type)) - if type != OtherName: - objs = (i.value for i in objs) - return list(objs) - - def __repr__(self): - return "<GeneralNames({0})>".format(self._general_names) - - def __eq__(self, other): - if not isinstance(other, GeneralNames): - return NotImplemented - - return self._general_names == other._general_names - - def __ne__(self, other): - return not self == other - - -@utils.register_interface(ExtensionType) -class SubjectAlternativeName(object): - oid = ExtensionOID.SUBJECT_ALTERNATIVE_NAME - - def __init__(self, general_names): - self._general_names = GeneralNames(general_names) - - def __iter__(self): - return iter(self._general_names) - - def __len__(self): - return len(self._general_names) - - def get_values_for_type(self, type): - return self._general_names.get_values_for_type(type) - - def __repr__(self): - return "<SubjectAlternativeName({0})>".format(self._general_names) - - def __eq__(self, other): - if not isinstance(other, SubjectAlternativeName): - return NotImplemented - - return self._general_names == other._general_names - - def __ne__(self, other): - return not self == other - - -@utils.register_interface(ExtensionType) -class IssuerAlternativeName(object): - oid = ExtensionOID.ISSUER_ALTERNATIVE_NAME - - def __init__(self, general_names): - self._general_names = GeneralNames(general_names) - - def __iter__(self): - return iter(self._general_names) - - def __len__(self): - return len(self._general_names) - - def get_values_for_type(self, type): - return self._general_names.get_values_for_type(type) - - def __repr__(self): - return "<IssuerAlternativeName({0})>".format(self._general_names) - - def __eq__(self, other): - if not isinstance(other, IssuerAlternativeName): - return NotImplemented - - return self._general_names == other._general_names - - def __ne__(self, other): - return not self == other - - -@utils.register_interface(ExtensionType) -class AuthorityKeyIdentifier(object): - oid = 
ExtensionOID.AUTHORITY_KEY_IDENTIFIER - - def __init__(self, key_identifier, authority_cert_issuer, - authority_cert_serial_number): - if authority_cert_issuer or authority_cert_serial_number: - if not authority_cert_issuer or not authority_cert_serial_number: - raise ValueError( - "authority_cert_issuer and authority_cert_serial_number " - "must both be present or both None" - ) - - if not all( - isinstance(x, GeneralName) for x in authority_cert_issuer - ): - raise TypeError( - "authority_cert_issuer must be a list of GeneralName " - "objects" - ) - - if not isinstance(authority_cert_serial_number, six.integer_types): - raise TypeError( - "authority_cert_serial_number must be an integer" - ) - - self._key_identifier = key_identifier - self._authority_cert_issuer = authority_cert_issuer - self._authority_cert_serial_number = authority_cert_serial_number - - @classmethod - def from_issuer_public_key(cls, public_key): - digest = _key_identifier_from_public_key(public_key) - return cls( - key_identifier=digest, - authority_cert_issuer=None, - authority_cert_serial_number=None - ) - - def __repr__(self): - return ( - "<AuthorityKeyIdentifier(key_identifier={0.key_identifier!r}, " - "authority_cert_issuer={0.authority_cert_issuer}, " - "authority_cert_serial_number={0.authority_cert_serial_number}" - ")>".format(self) - ) - - def __eq__(self, other): - if not isinstance(other, AuthorityKeyIdentifier): - return NotImplemented - - return ( - self.key_identifier == other.key_identifier and - self.authority_cert_issuer == other.authority_cert_issuer and - self.authority_cert_serial_number == - other.authority_cert_serial_number - ) - - def __ne__(self, other): - return not self == other - - key_identifier = utils.read_only_property("_key_identifier") - authority_cert_issuer = utils.read_only_property("_authority_cert_issuer") - authority_cert_serial_number = utils.read_only_property( - "_authority_cert_serial_number" - ) - - @six.add_metaclass(abc.ABCMeta) class 
Certificate(object):
 @abc.abstractmethod
diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py
new file mode 100644
index 00000000..798a0e3a
--- /dev/null
+++ b/src/cryptography/x509/extensions.py
@@ -0,0 +1,912 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import abc
+import hashlib
+import ipaddress
+from enum import Enum
+
+from pyasn1.codec.der import decoder
+from pyasn1.type import namedtype, univ
+
+import six
+
+from cryptography import utils
+from cryptography.hazmat.primitives import serialization
+from cryptography.x509.general_name import GeneralName, IPAddress, OtherName
+from cryptography.x509.name import Name
+from cryptography.x509.oid import (
+ AuthorityInformationAccessOID, ExtensionOID, ObjectIdentifier
+)
+
+
+class _SubjectPublicKeyInfo(univ.Sequence):
+ componentType = namedtype.NamedTypes(
+ namedtype.NamedType('algorithm', univ.Sequence()),
+ namedtype.NamedType('subjectPublicKey', univ.BitString())
+ )
+
+
+def _key_identifier_from_public_key(public_key):
+ # This is a very slow way to do this.
+ serialized = public_key.public_bytes(
+ serialization.Encoding.DER,
+ serialization.PublicFormat.SubjectPublicKeyInfo
+ )
+ spki, remaining = decoder.decode(
+ serialized, asn1Spec=_SubjectPublicKeyInfo()
+ )
+ assert not remaining
+ # the univ.BitString object is a tuple of bits. We need bytes and
+ # pyasn1 really doesn't want to give them to us. To get it we'll
+ # build an integer and convert that to bytes.
+ bits = 0
+ for bit in spki.getComponentByName("subjectPublicKey"):
+ bits = bits << 1 | bit
+
+ data = utils.int_to_bytes(bits)
+ return hashlib.sha1(data).digest()
+
+
+class DuplicateExtension(Exception):
+ def __init__(self, msg, oid):
+ super(DuplicateExtension, self).__init__(msg)
+ self.oid = oid
+
+
+class UnsupportedExtension(Exception):
+ def __init__(self, msg, oid):
+ super(UnsupportedExtension, self).__init__(msg)
+ self.oid = oid
+
+
+class ExtensionNotFound(Exception):
+ def __init__(self, msg, oid):
+ super(ExtensionNotFound, self).__init__(msg)
+ self.oid = oid
+
+
+@six.add_metaclass(abc.ABCMeta)
+class ExtensionType(object):
+ @abc.abstractproperty
+ def oid(self):
+ """
+ Returns the oid associated with the given extension type.
+ """
+
+
+class Extensions(object):
+ def __init__(self, extensions):
+ self._extensions = extensions
+
+ def get_extension_for_oid(self, oid):
+ for ext in self:
+ if ext.oid == oid:
+ return ext
+
+ raise ExtensionNotFound("No {0} extension was found".format(oid), oid)
+
+ def __iter__(self):
+ return iter(self._extensions)
+
+ def __len__(self):
+ return len(self._extensions)
+
+
+@utils.register_interface(ExtensionType)
+class AuthorityKeyIdentifier(object):
+ oid = ExtensionOID.AUTHORITY_KEY_IDENTIFIER
+
+ def __init__(self, key_identifier, authority_cert_issuer,
+ authority_cert_serial_number):
+ if authority_cert_issuer or authority_cert_serial_number:
+ if not authority_cert_issuer or not authority_cert_serial_number:
+ raise ValueError(
+ "authority_cert_issuer and authority_cert_serial_number "
+ "must both be present or both None"
+ )
+
+ if not all(
+ isinstance(x, GeneralName) for x in authority_cert_issuer
+ ):
+ raise TypeError(
+ "authority_cert_issuer must be a list of GeneralName "
+ "objects"
+ )
+
+ if not isinstance(authority_cert_serial_number, six.integer_types):
+ raise TypeError(
+ "authority_cert_serial_number must be an integer"
+ )
+
+ self._key_identifier = key_identifier
+ self._authority_cert_issuer = authority_cert_issuer
+ self._authority_cert_serial_number = authority_cert_serial_number
+
+ @classmethod
+ def from_issuer_public_key(cls, public_key):
+ digest = _key_identifier_from_public_key(public_key)
+ return cls(
+ key_identifier=digest,
+ authority_cert_issuer=None,
+ authority_cert_serial_number=None
+ )
+
+ def __repr__(self):
+ return (
+ "<AuthorityKeyIdentifier(key_identifier={0.key_identifier!r}, "
+ "authority_cert_issuer={0.authority_cert_issuer}, "
+ "authority_cert_serial_number={0.authority_cert_serial_number}"
+ ")>".format(self)
+ )
+
+ def __eq__(self, other):
+ if not isinstance(other, AuthorityKeyIdentifier):
+ return NotImplemented
+
+ return (
+ self.key_identifier == other.key_identifier and
+ self.authority_cert_issuer == other.authority_cert_issuer and
+ self.authority_cert_serial_number ==
+ other.authority_cert_serial_number
+ )
+
+ def __ne__(self, other):
+ return not self == other
+
+ key_identifier = utils.read_only_property("_key_identifier")
+ authority_cert_issuer = utils.read_only_property("_authority_cert_issuer")
+ authority_cert_serial_number = utils.read_only_property(
+ "_authority_cert_serial_number"
+ )
+
+
+@utils.register_interface(ExtensionType)
+class SubjectKeyIdentifier(object):
+ oid = ExtensionOID.SUBJECT_KEY_IDENTIFIER
+
+ def __init__(self, digest):
+ self._digest = digest
+
+ @classmethod
+ def from_public_key(cls, public_key):
+ return cls(_key_identifier_from_public_key(public_key))
+
+ digest = utils.read_only_property("_digest")
+
+ def __repr__(self):
+ return "<SubjectKeyIdentifier(digest={0!r})>".format(self.digest)
+
+ def __eq__(self, other):
+ if not isinstance(other, SubjectKeyIdentifier):
+ return NotImplemented
+
+ return (
+ self.digest == other.digest
+ )
+
+ def __ne__(self, other):
+ return not self == other
+
+
+@utils.register_interface(ExtensionType)
+class AuthorityInformationAccess(object):
+ oid = ExtensionOID.AUTHORITY_INFORMATION_ACCESS
+
+ def __init__(self, descriptions):
+ if not all(isinstance(x, AccessDescription) for x in descriptions):
+ raise TypeError(
+ "Every item in the descriptions list must be an "
+ "AccessDescription"
+ )
+
+ self._descriptions = descriptions
+
+ def __iter__(self):
+ return iter(self._descriptions)
+
+ def __len__(self):
+ return len(self._descriptions)
+
+ def __repr__(self):
+ return "<AuthorityInformationAccess({0})>".format(self._descriptions)
+
+ def __eq__(self, other):
+ if not isinstance(other, AuthorityInformationAccess):
+ return NotImplemented
+
+ return self._descriptions == other._descriptions
+
+ def __ne__(self, other):
+ return not self == other
+
+
+class AccessDescription(object):
+ def __init__(self, access_method, access_location):
+ if not (access_method == AuthorityInformationAccessOID.OCSP or
+ access_method == AuthorityInformationAccessOID.CA_ISSUERS):
+ raise ValueError(
+ "access_method must be OID_OCSP or OID_CA_ISSUERS"
+ )
+
+ if not isinstance(access_location, GeneralName):
+ raise TypeError("access_location must be a GeneralName")
+
+ self._access_method = access_method
+ self._access_location = access_location
+
+ def __repr__(self):
+ return (
+ "<AccessDescription(access_method={0.access_method}, access_locati"
+ "on={0.access_location})>".format(self)
+ )
+
+ def __eq__(self, other):
+ if not isinstance(other, AccessDescription):
+ return NotImplemented
+
+ return (
+ self.access_method == other.access_method and
+ self.access_location == other.access_location
+ )
+
+ def __ne__(self, other):
+ return not self == other
+
+ access_method = utils.read_only_property("_access_method")
+ access_location = utils.read_only_property("_access_location")
+
+
+@utils.register_interface(ExtensionType)
+class BasicConstraints(object):
+ oid = ExtensionOID.BASIC_CONSTRAINTS
+
+ def __init__(self, ca, path_length):
+ if not isinstance(ca, bool):
+ raise TypeError("ca must be a boolean value")
+
+ if path_length is not None and not ca:
+ raise ValueError("path_length must be None when ca is False")
+
+ if (
+ path_length is not None and
+ (not isinstance(path_length, six.integer_types) or path_length < 0)
+ ):
+ raise TypeError(
+ "path_length must be a non-negative integer or None"
+ )
+
+ self._ca = ca
+ self._path_length = path_length
+
+ ca = utils.read_only_property("_ca")
+ path_length = utils.read_only_property("_path_length")
+
+ def __repr__(self):
+ return ("<BasicConstraints(ca={0.ca}, "
+ "path_length={0.path_length})>").format(self)
+
+ def __eq__(self, other):
+ if not isinstance(other, BasicConstraints):
+ return NotImplemented
+
+ return self.ca == other.ca and self.path_length == other.path_length
+
+ def __ne__(self, other):
+ return not self == other
+
+
+@utils.register_interface(ExtensionType)
+class CRLDistributionPoints(object):
+ oid = ExtensionOID.CRL_DISTRIBUTION_POINTS
+
+ def __init__(self, distribution_points):
+ if not all(
+ isinstance(x, DistributionPoint) for x in distribution_points
+ ):
+ raise TypeError(
+ "distribution_points must be a list of DistributionPoint "
+ "objects"
+ )
+
+ self._distribution_points = distribution_points
+
+ def __iter__(self):
+ return iter(self._distribution_points)
+
+ def __len__(self):
+ return len(self._distribution_points)
+
+ def __repr__(self):
+ return "<CRLDistributionPoints({0})>".format(self._distribution_points)
+
+ def __eq__(self, other):
+ if not isinstance(other, CRLDistributionPoints):
+ return NotImplemented
+
+ return self._distribution_points == other._distribution_points
+
+ def __ne__(self, other):
+ return not self == other
+
+
+class DistributionPoint(object):
+ def __init__(self, full_name, relative_name, reasons, crl_issuer):
+ if full_name and relative_name:
+ raise ValueError(
+ "You cannot provide both full_name and relative_name, at "
+ "least one must be None."
+ )
+
+ if full_name and not all(
+ isinstance(x, GeneralName) for x in full_name
+ ):
+ raise TypeError(
+ "full_name must be a list of GeneralName objects"
+ )
+
+ if relative_name and not isinstance(relative_name, Name):
+ raise TypeError("relative_name must be a Name")
+
+ if crl_issuer and not all(
+ isinstance(x, GeneralName) for x in crl_issuer
+ ):
+ raise TypeError(
+ "crl_issuer must be None or a list of general names"
+ )
+
+ if reasons and (not isinstance(reasons, frozenset) or not all(
+ isinstance(x, ReasonFlags) for x in reasons
+ )):
+ raise TypeError("reasons must be None or frozenset of ReasonFlags")
+
+ if reasons and (
+ ReasonFlags.unspecified in reasons or
+ ReasonFlags.remove_from_crl in reasons
+ ):
+ raise ValueError(
+ "unspecified and remove_from_crl are not valid reasons in a "
+ "DistributionPoint"
+ )
+
+ if reasons and not crl_issuer and not (full_name or relative_name):
+ raise ValueError(
+ "You must supply crl_issuer, full_name, or relative_name when "
+ "reasons is not None"
+ )
+
+ self._full_name = full_name
+ self._relative_name = relative_name
+ self._reasons = reasons
+ self._crl_issuer = crl_issuer
+
+ def __repr__(self):
+ return (
+ "<DistributionPoint(full_name={0.full_name}, relative_name={0.rela"
+ "tive_name}, reasons={0.reasons}, crl_issuer={0.crl_is"
+ "suer})>".format(self)
+ )
+
+ def __eq__(self, other):
+ if not isinstance(other, DistributionPoint):
+ return NotImplemented
+
+ return (
+ self.full_name == other.full_name and
+ self.relative_name == other.relative_name and
+ self.reasons == other.reasons and
+ self.crl_issuer == other.crl_issuer
+ )
+
+ def __ne__(self, other):
+ return not self == other
+
+ full_name = utils.read_only_property("_full_name")
+ relative_name = utils.read_only_property("_relative_name")
+ reasons = utils.read_only_property("_reasons")
+ crl_issuer = utils.read_only_property("_crl_issuer")
+
+
+class ReasonFlags(Enum):
+ unspecified = "unspecified"
+ key_compromise = "keyCompromise"
+ ca_compromise = "cACompromise"
+ affiliation_changed = "affiliationChanged"
+ superseded = "superseded"
+ cessation_of_operation = "cessationOfOperation"
+ certificate_hold = "certificateHold"
+ privilege_withdrawn = "privilegeWithdrawn"
+ aa_compromise = "aACompromise"
+ remove_from_crl = "removeFromCRL"
+
+
+@utils.register_interface(ExtensionType)
+class CertificatePolicies(object):
+ oid = ExtensionOID.CERTIFICATE_POLICIES
+
+ def __init__(self, policies):
+ if not all(isinstance(x, PolicyInformation) for x in policies):
+ raise TypeError(
+ "Every item in the policies list must be a "
+ "PolicyInformation"
+ )
+
+ self._policies = policies
+
+ def __iter__(self):
+ return iter(self._policies)
+
+ def __len__(self):
+ return len(self._policies)
+
+ def __repr__(self):
+ return "<CertificatePolicies({0})>".format(self._policies)
+
+ def __eq__(self, other):
+ if not isinstance(other, CertificatePolicies):
+ return NotImplemented
+
+ return self._policies == other._policies
+
+ def __ne__(self, other):
+ return not self == other
+
+
+class PolicyInformation(object):
+ def __init__(self, policy_identifier, policy_qualifiers):
+ if not isinstance(policy_identifier, ObjectIdentifier):
+ raise TypeError("policy_identifier must be an ObjectIdentifier")
+
+ self._policy_identifier = policy_identifier
+ if policy_qualifiers and not all(
+ isinstance(
+ x, (six.text_type, UserNotice)
+ ) for x in policy_qualifiers
+ ):
+ raise TypeError(
+ "policy_qualifiers must be a list of strings and/or UserNotice"
+ " objects or None"
+ )
+
+ self._policy_qualifiers = policy_qualifiers
+
+ def __repr__(self):
+ return (
+ "<PolicyInformation(policy_identifier={0.policy_identifier}, polic"
+ "y_qualifiers={0.policy_qualifiers})>".format(self)
+ )
+
+ def __eq__(self, other):
+ if not isinstance(other, PolicyInformation):
+ return NotImplemented
+
+ return (
+ self.policy_identifier == other.policy_identifier and
+ self.policy_qualifiers == other.policy_qualifiers
+ )
+
+ def __ne__(self, other):
+ return not self == other
+
+ policy_identifier = utils.read_only_property("_policy_identifier")
+ policy_qualifiers = utils.read_only_property("_policy_qualifiers")
+
+
+class UserNotice(object):
+ def __init__(self, notice_reference, explicit_text):
+ if notice_reference and not isinstance(
+ notice_reference, NoticeReference
+ ):
+ raise TypeError(
+ "notice_reference must be None or a NoticeReference"
+ )
+
+ self._notice_reference = notice_reference
+ self._explicit_text = explicit_text
+
+ def __repr__(self):
+ return (
+ "<UserNotice(notice_reference={0.notice_reference}, explicit_text="
+ "{0.explicit_text!r})>".format(self)
+ )
+
+ def __eq__(self, other):
+ if not isinstance(other, UserNotice):
+ return NotImplemented
+
+ return (
+ self.notice_reference == other.notice_reference and
+ self.explicit_text == other.explicit_text
+ )
+
+ def __ne__(self, other):
+ return not self == other
+
+ notice_reference = utils.read_only_property("_notice_reference")
+ explicit_text = utils.read_only_property("_explicit_text")
+
+
+class NoticeReference(object):
+ def __init__(self, organization, notice_numbers):
+ self._organization = organization
+ if not isinstance(notice_numbers, list) or not all(
+ isinstance(x, int) for x in notice_numbers
+ ):
+ raise TypeError(
+ "notice_numbers must be a list of integers"
+ )
+
+ self._notice_numbers = notice_numbers
+
+ def __repr__(self):
+ return (
+ "<NoticeReference(organization={0.organization!r}, notice_numbers="
+ "{0.notice_numbers})>".format(self)
+ )
+
+ def __eq__(self, other):
+ if not isinstance(other, NoticeReference):
+ return NotImplemented
+
+ return (
+ self.organization == other.organization and
+ self.notice_numbers == other.notice_numbers
+ )
+
+ def __ne__(self, other):
+ return not self == other
+
+ organization = utils.read_only_property("_organization")
+ notice_numbers = utils.read_only_property("_notice_numbers")
+
+
+@utils.register_interface(ExtensionType)
+class ExtendedKeyUsage(object):
+ oid = ExtensionOID.EXTENDED_KEY_USAGE
+
+ def __init__(self, usages):
+ if not all(isinstance(x, ObjectIdentifier) for x in usages):
+ raise TypeError(
+ "Every item in the usages list must be an ObjectIdentifier"
+ )
+
+ self._usages = usages
+
+ def __iter__(self):
+ return iter(self._usages)
+
+ def __len__(self):
+ return len(self._usages)
+
+ def __repr__(self):
+ return "<ExtendedKeyUsage({0})>".format(self._usages)
+
+ def __eq__(self, other):
+ if not isinstance(other, ExtendedKeyUsage):
+ return NotImplemented
+
+ return self._usages == other._usages
+
+ def __ne__(self, other):
+ return not self == other
+
+
+@utils.register_interface(ExtensionType)
+class OCSPNoCheck(object):
+ oid = ExtensionOID.OCSP_NO_CHECK
+
+
+@utils.register_interface(ExtensionType)
+class InhibitAnyPolicy(object):
+ oid = ExtensionOID.INHIBIT_ANY_POLICY
+
+ def __init__(self, skip_certs):
+ if not isinstance(skip_certs, six.integer_types):
+ raise TypeError("skip_certs must be an integer")
+
+ if skip_certs < 0:
+ raise ValueError("skip_certs must be a non-negative integer")
+
+ self._skip_certs = skip_certs
+
+ def __repr__(self):
+ return "<InhibitAnyPolicy(skip_certs={0.skip_certs})>".format(self)
+
+ def __eq__(self, other):
+ if not isinstance(other, InhibitAnyPolicy):
+ return NotImplemented
+
+ return self.skip_certs == other.skip_certs
+
+ def __ne__(self, other):
+ return not self == other
+
+ skip_certs = utils.read_only_property("_skip_certs")
+
+
+@utils.register_interface(ExtensionType)
+class KeyUsage(object):
+ oid = ExtensionOID.KEY_USAGE
+
+ def __init__(self, digital_signature, content_commitment, key_encipherment,
+ data_encipherment, key_agreement, key_cert_sign, crl_sign,
+ encipher_only, decipher_only):
+ if not key_agreement and (encipher_only or decipher_only):
+ raise ValueError(
+ "encipher_only and decipher_only can only be true when "
+ "key_agreement is true"
+ )
+
+ self._digital_signature = digital_signature
+ self._content_commitment = content_commitment
+ self._key_encipherment = key_encipherment
+ self._data_encipherment = data_encipherment
+ self._key_agreement = key_agreement
+ self._key_cert_sign = key_cert_sign
+ self._crl_sign = crl_sign
+ self._encipher_only = encipher_only
+ self._decipher_only = decipher_only
+
+ digital_signature = utils.read_only_property("_digital_signature")
+ content_commitment = utils.read_only_property("_content_commitment")
+ key_encipherment = utils.read_only_property("_key_encipherment")
+ data_encipherment = utils.read_only_property("_data_encipherment")
+ key_agreement = utils.read_only_property("_key_agreement")
+ key_cert_sign = utils.read_only_property("_key_cert_sign")
+ crl_sign = utils.read_only_property("_crl_sign")
+
+ @property
+ def encipher_only(self):
+ if not self.key_agreement:
+ raise ValueError(
+ "encipher_only is undefined unless key_agreement is true"
+ )
+ else:
+ return self._encipher_only
+
+ @property
+ def decipher_only(self):
+ if not self.key_agreement:
+ raise ValueError(
+ "decipher_only is undefined unless key_agreement is true"
+ )
+ else:
+ return self._decipher_only
+
+ def __repr__(self):
+ try:
+ encipher_only = self.encipher_only
+ decipher_only = self.decipher_only
+ except ValueError:
+ encipher_only = None
+ decipher_only = None
+
+ return ("<KeyUsage(digital_signature={0.digital_signature}, "
+ "content_commitment={0.content_commitment}, "
+ "key_encipherment={0.key_encipherment}, "
+ "data_encipherment={0.data_encipherment}, "
+ "key_agreement={0.key_agreement}, "
+ "key_cert_sign={0.key_cert_sign}, crl_sign={0.crl_sign}, "
+ "encipher_only={1}, decipher_only={2})>").format(
+ self, encipher_only, decipher_only)
+
+ def __eq__(self, other):
+ if not isinstance(other, KeyUsage):
+ return NotImplemented
+
+ return (
+ self.digital_signature == other.digital_signature and
+ self.content_commitment == other.content_commitment and
+ self.key_encipherment == other.key_encipherment and
+ self.data_encipherment == other.data_encipherment and
+ self.key_agreement == other.key_agreement and
+ self.key_cert_sign == other.key_cert_sign and
+ self.crl_sign == other.crl_sign and
+ self._encipher_only == other._encipher_only and
+ self._decipher_only == other._decipher_only
+ )
+
+ def __ne__(self, other):
+ return not self == other
+
+
+@utils.register_interface(ExtensionType)
+class NameConstraints(object):
+ oid = ExtensionOID.NAME_CONSTRAINTS
+
+ def __init__(self, permitted_subtrees, excluded_subtrees):
+ if permitted_subtrees is not None:
+ if not all(
+ isinstance(x, GeneralName) for x in permitted_subtrees
+ ):
+ raise TypeError(
+ "permitted_subtrees must be a list of GeneralName objects "
+ "or None"
+ )
+
+ self._validate_ip_name(permitted_subtrees)
+
+ if excluded_subtrees is not None:
+ if not all(
+ isinstance(x, GeneralName) for x in excluded_subtrees
+ ):
+ raise TypeError(
+ "excluded_subtrees must be a list of GeneralName objects "
+ "or None"
+ )
+
+ self._validate_ip_name(excluded_subtrees)
+
+ if permitted_subtrees is None and excluded_subtrees is None:
+ raise ValueError(
+ "At least one of permitted_subtrees and excluded_subtrees "
+ "must not be None"
+ )
+
+ self._permitted_subtrees = permitted_subtrees
+ self._excluded_subtrees = excluded_subtrees
+
+ def __eq__(self, other):
+ if not isinstance(other, NameConstraints):
+ return NotImplemented
+
+ return (
+ self.excluded_subtrees == other.excluded_subtrees and
+ self.permitted_subtrees == other.permitted_subtrees
+ )
+
+ def __ne__(self, other):
+ return not self == other
+
+ def _validate_ip_name(self, tree):
+ if any(isinstance(name, IPAddress) and not isinstance(
+ name.value, (ipaddress.IPv4Network, ipaddress.IPv6Network)
+ ) for name in tree):
+ raise TypeError(
+ "IPAddress name constraints must be an IPv4Network or"
+ " IPv6Network object"
+ )
+
+ def __repr__(self):
+ return (
+ u"<NameConstraints(permitted_subtrees={0.permitted_subtrees}, "
+ u"excluded_subtrees={0.excluded_subtrees})>".format(self)
+ )
+
+ permitted_subtrees = utils.read_only_property("_permitted_subtrees")
+ excluded_subtrees = utils.read_only_property("_excluded_subtrees")
+
+
+class Extension(object):
+ def __init__(self, oid, critical, value):
+ if not isinstance(oid, ObjectIdentifier):
+ raise TypeError(
+ "oid argument must be an ObjectIdentifier instance."
+ )
+
+ if not isinstance(critical, bool):
+ raise TypeError("critical must be a boolean value")
+
+ self._oid = oid
+ self._critical = critical
+ self._value = value
+
+ oid = utils.read_only_property("_oid")
+ critical = utils.read_only_property("_critical")
+ value = utils.read_only_property("_value")
+
+ def __repr__(self):
+ return ("<Extension(oid={0.oid}, critical={0.critical}, "
+ "value={0.value})>").format(self)
+
+ def __eq__(self, other):
+ if not isinstance(other, Extension):
+ return NotImplemented
+
+ return (
+ self.oid == other.oid and
+ self.critical == other.critical and
+ self.value == other.value
+ )
+
+ def __ne__(self, other):
+ return not self == other
+
+
+class GeneralNames(object):
+ def __init__(self, general_names):
+ if not all(isinstance(x, GeneralName) for x in general_names):
+ raise TypeError(
+ "Every item in the general_names list must be an "
+ "object conforming to the GeneralName interface"
+ )
+
+ self._general_names = general_names
+
+ def __iter__(self):
+ return iter(self._general_names)
+
+ def __len__(self):
+ return len(self._general_names)
+
+ def get_values_for_type(self, type):
+ # Return the value of each GeneralName, except for OtherName instances
+ # which we return directly because it has two important properties not
+ # just one value.
+ objs = (i for i in self if isinstance(i, type))
+ if type != OtherName:
+ objs = (i.value for i in objs)
+ return list(objs)
+
+ def __repr__(self):
+ return "<GeneralNames({0})>".format(self._general_names)
+
+ def __eq__(self, other):
+ if not isinstance(other, GeneralNames):
+ return NotImplemented
+
+ return self._general_names == other._general_names
+
+ def __ne__(self, other):
+ return not self == other
+
+
+@utils.register_interface(ExtensionType)
+class SubjectAlternativeName(object):
+ oid = ExtensionOID.SUBJECT_ALTERNATIVE_NAME
+
+ def __init__(self, general_names):
+ self._general_names = GeneralNames(general_names)
+
+ def __iter__(self):
+ return iter(self._general_names)
+
+ def __len__(self):
+ return len(self._general_names)
+
+ def get_values_for_type(self, type):
+ return self._general_names.get_values_for_type(type)
+
+ def __repr__(self):
+ return "<SubjectAlternativeName({0})>".format(self._general_names)
+
+ def __eq__(self, other):
+ if not isinstance(other, SubjectAlternativeName):
+ return NotImplemented
+
+ return self._general_names == other._general_names
+
+ def __ne__(self, other):
+ return not self == other
+
+
+@utils.register_interface(ExtensionType)
+class IssuerAlternativeName(object):
+ oid = ExtensionOID.ISSUER_ALTERNATIVE_NAME
+
+ def __init__(self, general_names):
+ self._general_names = GeneralNames(general_names)
+
+ def __iter__(self):
+ return iter(self._general_names)
+
+ def __len__(self):
+ return len(self._general_names)
+
+ def get_values_for_type(self, type):
+ return self._general_names.get_values_for_type(type)
+
+ def __repr__(self):
+ return "<IssuerAlternativeName({0})>".format(self._general_names)
+
+ def __eq__(self, other):
+ if not isinstance(other, IssuerAlternativeName):
+ return NotImplemented
+
+ return self._general_names == other._general_names
+
+ def __ne__(self, other):
+ return not self == other
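Review bot: In `_key_identifier_from_public_key`, rebuilding the subjectPublicKey octets through an integer (`bits = bits << 1 | bit`, then `utils.int_to_bytes(bits)`) drops any leading 0x00 octets of the BIT STRING, so a key whose encoded subjectPublicKey began with a zero byte would get a SHA-1 over the wrong bytes and a SubjectKeyIdentifier/AuthorityKeyIdentifier that other implementations would not match (RFC 5280 §4.2.1.2 method 1 hashes the full BIT STRING value). The key types this library serializes appear to start with a non-zero DER tag byte, so this looks latent today, but the octet length should be preserved rather than assumed: bind `bit_string = spki.getComponentByName("subjectPublicKey")` and left-pad `data` to `len(bit_string) // 8` octets (via the `length` argument if `utils.int_to_bytes` accepts one at this revision). `assert not remaining` in the same function disappears under `python -O`; raising `ValueError` on trailing data keeps the check in place. Separately, `NoticeReference.__init__` tests `isinstance(x, int)` for `notice_numbers` while `InhibitAnyPolicy` and `AuthorityKeyIdentifier` use `six.integer_types`, so Python 2 `long` values are rejected only there; `six.integer_types` would be consistent. `GeneralNames.get_values_for_type(self, type)` also shadows the `type` builtin, and the two forwarding methods in `SubjectAlternativeName` and `IssuerAlternativeName` repeat it.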
diff --git a/src/cryptography/x509/oid.py b/src/cryptography/x509/oid.py
index 911343e3..9fabab72 100644
--- a/src/cryptography/x509/oid.py
+++ b/src/cryptography/x509/oid.py
@@ -54,9 +54,10 @@ class ExtensionOID(object):
 OCSP_NO_CHECK = ObjectIdentifier("1.3.6.1.5.5.7.48.1.5")
-OID_CRL_REASON = ObjectIdentifier("2.5.29.21")
-OID_INVALIDITY_DATE = ObjectIdentifier("2.5.29.24")
-OID_CERTIFICATE_ISSUER = ObjectIdentifier("2.5.29.29")
+class CRLExtensionOID(object):
+ CERTIFICATE_ISSUER = ObjectIdentifier("2.5.29.29")
+ CRL_REASON = ObjectIdentifier("2.5.29.21")
+ INVALIDITY_DATE = ObjectIdentifier("2.5.29.24")
 class NameOID(object):
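Review bot: The module-level `OID_CRL_REASON`, `OID_INVALIDITY_DATE` and `OID_CERTIFICATE_ISSUER` names are removed here with no aliases left behind, and the hunks at -110 and -181 in the same file do the same for the `OID_SERVER_AUTH` … `OID_ANY_POLICY` group; if any of these were reachable from `cryptography.x509` in a shipped release, existing callers get `AttributeError` on upgrade. Whether they were public before this commit is not visible in the diff, so this may be intended; if so, recording it as a backwards-incompatible change in the changelog, or keeping one-cycle shims such as `OID_CRL_REASON = CRLExtensionOID.CRL_REASON` wrapped in the project's deprecation helper, would make the break explicit rather than silent.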
@@ -110,19 +111,25 @@ _SIG_OIDS_TO_HASH = {
 SignatureAlgorithmOID.DSA_WITH_SHA256.dotted_string: hashes.SHA256()
 }
-OID_SERVER_AUTH = ObjectIdentifier("1.3.6.1.5.5.7.3.1")
-OID_CLIENT_AUTH = ObjectIdentifier("1.3.6.1.5.5.7.3.2")
-OID_CODE_SIGNING = ObjectIdentifier("1.3.6.1.5.5.7.3.3")
-OID_EMAIL_PROTECTION = ObjectIdentifier("1.3.6.1.5.5.7.3.4")
-OID_TIME_STAMPING = ObjectIdentifier("1.3.6.1.5.5.7.3.8")
-OID_OCSP_SIGNING = ObjectIdentifier("1.3.6.1.5.5.7.3.9")
-OID_CA_ISSUERS = ObjectIdentifier("1.3.6.1.5.5.7.48.2")
-OID_OCSP = ObjectIdentifier("1.3.6.1.5.5.7.48.1")
+class ExtendedKeyUsageOID(object):
+ SERVER_AUTH = ObjectIdentifier("1.3.6.1.5.5.7.3.1")
+ CLIENT_AUTH = ObjectIdentifier("1.3.6.1.5.5.7.3.2")
+ CODE_SIGNING = ObjectIdentifier("1.3.6.1.5.5.7.3.3")
+ EMAIL_PROTECTION = ObjectIdentifier("1.3.6.1.5.5.7.3.4")
+ TIME_STAMPING = ObjectIdentifier("1.3.6.1.5.5.7.3.8")
+ OCSP_SIGNING = ObjectIdentifier("1.3.6.1.5.5.7.3.9")
-OID_CPS_QUALIFIER = ObjectIdentifier("1.3.6.1.5.5.7.2.1")
-OID_CPS_USER_NOTICE = ObjectIdentifier("1.3.6.1.5.5.7.2.2")
-OID_ANY_POLICY = ObjectIdentifier("2.5.29.32.0")
+
+class AuthorityInformationAccessOID(object):
+ CA_ISSUERS = ObjectIdentifier("1.3.6.1.5.5.7.48.2")
+ OCSP = ObjectIdentifier("1.3.6.1.5.5.7.48.1")
+
+
+class CertificatePoliciesOID(object):
+ CPS_QUALIFIER = ObjectIdentifier("1.3.6.1.5.5.7.2.1")
+ CPS_USER_NOTICE = ObjectIdentifier("1.3.6.1.5.5.7.2.2")
+ ANY_POLICY = ObjectIdentifier("2.5.29.32.0")
 _OID_NAMES = {
 NameOID.COMMON_NAME: "commonName",
@@ -154,21 +161,21 @@ _OID_NAMES = {
 SignatureAlgorithmOID.DSA_WITH_SHA1: "dsa-with-sha1",
 SignatureAlgorithmOID.DSA_WITH_SHA224: "dsa-with-sha224",
 SignatureAlgorithmOID.DSA_WITH_SHA256: "dsa-with-sha256",
- OID_SERVER_AUTH: "serverAuth",
- OID_CLIENT_AUTH: "clientAuth",
- OID_CODE_SIGNING: "codeSigning",
- OID_EMAIL_PROTECTION: "emailProtection",
- OID_TIME_STAMPING: "timeStamping",
- OID_OCSP_SIGNING: "OCSPSigning",
+ ExtendedKeyUsageOID.SERVER_AUTH: "serverAuth",
+ ExtendedKeyUsageOID.CLIENT_AUTH: "clientAuth",
+ ExtendedKeyUsageOID.CODE_SIGNING: "codeSigning",
+ ExtendedKeyUsageOID.EMAIL_PROTECTION: "emailProtection",
+ ExtendedKeyUsageOID.TIME_STAMPING: "timeStamping",
+ ExtendedKeyUsageOID.OCSP_SIGNING: "OCSPSigning",
 ExtensionOID.SUBJECT_DIRECTORY_ATTRIBUTES: "subjectDirectoryAttributes",
 ExtensionOID.SUBJECT_KEY_IDENTIFIER: "subjectKeyIdentifier",
 ExtensionOID.KEY_USAGE: "keyUsage",
 ExtensionOID.SUBJECT_ALTERNATIVE_NAME: "subjectAltName",
 ExtensionOID.ISSUER_ALTERNATIVE_NAME: "issuerAltName",
 ExtensionOID.BASIC_CONSTRAINTS: "basicConstraints",
- OID_CRL_REASON: "cRLReason",
- OID_INVALIDITY_DATE: "invalidityDate",
- OID_CERTIFICATE_ISSUER: "certificateIssuer",
+ CRLExtensionOID.CRL_REASON: "cRLReason",
+ CRLExtensionOID.INVALIDITY_DATE: "invalidityDate",
+ CRLExtensionOID.CERTIFICATE_ISSUER: "certificateIssuer",
 ExtensionOID.NAME_CONSTRAINTS: "nameConstraints",
 ExtensionOID.CRL_DISTRIBUTION_POINTS: "cRLDistributionPoints",
 ExtensionOID.CERTIFICATE_POLICIES: "certificatePolicies",
@@ -181,8 +188,8 @@ _OID_NAMES = {
 ExtensionOID.AUTHORITY_INFORMATION_ACCESS: "authorityInfoAccess",
 ExtensionOID.SUBJECT_INFORMATION_ACCESS: "subjectInfoAccess",
 ExtensionOID.OCSP_NO_CHECK: "OCSPNoCheck",
- OID_OCSP: "OCSP",
- OID_CA_ISSUERS: "caIssuers",
- OID_CPS_QUALIFIER: "id-qt-cps",
- OID_CPS_USER_NOTICE: "id-qt-unotice",
+ AuthorityInformationAccessOID.OCSP: "OCSP",
+ AuthorityInformationAccessOID.CA_ISSUERS: "caIssuers",
+ CertificatePoliciesOID.CPS_QUALIFIER: "id-qt-cps",
+ CertificatePoliciesOID.CPS_USER_NOTICE: "id-qt-unotice",
 }
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 94340579..b7602d18 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -20,6 +20,9 @@ from cryptography.hazmat.backends.interfaces import (
 )
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
+from cryptography.x509.oid import (
+ AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID, NameOID
+)
 from .hazmat.primitives.fixtures_dsa import DSA_KEY_2048
 from .hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
@@ -88,14 +91,14 @@ class TestRSACertificate(object):
 issuer = cert.issuer
 assert isinstance(issuer, x509.Name)
 assert list(issuer) == [
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
 x509.NameAttribute(
- x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011'
+ NameOID.ORGANIZATION_NAME, u'Test Certificates 2011'
 ),
- x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
+ x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
 ]
- assert issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [
- x509.NameAttribute(x509.OID_COMMON_NAME, u'Good CA')
+ assert issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [
+ x509.NameAttribute(NameOID.COMMON_NAME, u'Good CA')
 ]
 def test_all_issuer_name_types(self, backend):
@@ -111,36 +114,36 @@ class TestRSACertificate(object): assert isinstance(issuer, x509.Name) assert list(issuer) == [ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'CA'), - x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), - x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Illinois'), - x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Chicago'), - x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'Zero, LLC'), - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'One, LLC'), - x509.NameAttribute(x509.OID_COMMON_NAME, u'common name 0'), - x509.NameAttribute(x509.OID_COMMON_NAME, u'common name 1'), - x509.NameAttribute(x509.OID_ORGANIZATIONAL_UNIT_NAME, u'OU 0'), - x509.NameAttribute(x509.OID_ORGANIZATIONAL_UNIT_NAME, u'OU 1'), - x509.NameAttribute(x509.OID_DN_QUALIFIER, u'dnQualifier0'), - x509.NameAttribute(x509.OID_DN_QUALIFIER, u'dnQualifier1'), - x509.NameAttribute(x509.OID_SERIAL_NUMBER, u'123'), - x509.NameAttribute(x509.OID_SERIAL_NUMBER, u'456'), - x509.NameAttribute(x509.OID_TITLE, u'Title 0'), - x509.NameAttribute(x509.OID_TITLE, u'Title 1'), - x509.NameAttribute(x509.OID_SURNAME, u'Surname 0'), - x509.NameAttribute(x509.OID_SURNAME, u'Surname 1'), - x509.NameAttribute(x509.OID_GIVEN_NAME, u'Given Name 0'), - x509.NameAttribute(x509.OID_GIVEN_NAME, u'Given Name 1'), - x509.NameAttribute(x509.OID_PSEUDONYM, u'Incognito 0'), - x509.NameAttribute(x509.OID_PSEUDONYM, u'Incognito 1'), - x509.NameAttribute(x509.OID_GENERATION_QUALIFIER, u'Last Gen'), - x509.NameAttribute(x509.OID_GENERATION_QUALIFIER, u'Next Gen'), - x509.NameAttribute(x509.OID_DOMAIN_COMPONENT, u'dc0'), - x509.NameAttribute(x509.OID_DOMAIN_COMPONENT, u'dc1'), - x509.NameAttribute(x509.OID_EMAIL_ADDRESS, u'test0@test.local'), - x509.NameAttribute(x509.OID_EMAIL_ADDRESS, u'test1@test.local'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + 
x509.NameAttribute(NameOID.COUNTRY_NAME, u'CA'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Illinois'), + x509.NameAttribute(NameOID.LOCALITY_NAME, u'Chicago'), + x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Zero, LLC'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'One, LLC'), + x509.NameAttribute(NameOID.COMMON_NAME, u'common name 0'), + x509.NameAttribute(NameOID.COMMON_NAME, u'common name 1'), + x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 0'), + x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'OU 1'), + x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier0'), + x509.NameAttribute(NameOID.DN_QUALIFIER, u'dnQualifier1'), + x509.NameAttribute(NameOID.SERIAL_NUMBER, u'123'), + x509.NameAttribute(NameOID.SERIAL_NUMBER, u'456'), + x509.NameAttribute(NameOID.TITLE, u'Title 0'), + x509.NameAttribute(NameOID.TITLE, u'Title 1'), + x509.NameAttribute(NameOID.SURNAME, u'Surname 0'), + x509.NameAttribute(NameOID.SURNAME, u'Surname 1'), + x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 0'), + x509.NameAttribute(NameOID.GIVEN_NAME, u'Given Name 1'), + x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 0'), + x509.NameAttribute(NameOID.PSEUDONYM, u'Incognito 1'), + x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Last Gen'), + x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Next Gen'), + x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc0'), + x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc1'), + x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test0@test.local'), + x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test1@test.local'), ] def test_subject(self, backend): 
@@ -155,18 +158,18 @@ class TestRSACertificate(object): subject = cert.subject assert isinstance(subject, x509.Name) assert list(subject) == [ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), x509.NameAttribute( - x509.OID_ORGANIZATION_NAME, u'Test Certificates 2011' + NameOID.ORGANIZATION_NAME, u'Test Certificates 2011' ), x509.NameAttribute( - x509.OID_COMMON_NAME, + NameOID.COMMON_NAME, u'Valid pre2000 UTC notBefore Date EE Certificate Test3' ) ] - assert subject.get_attributes_for_oid(x509.OID_COMMON_NAME) == [ + assert subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [ x509.NameAttribute( - x509.OID_COMMON_NAME, + NameOID.COMMON_NAME, u'Valid pre2000 UTC notBefore Date EE Certificate Test3' ) ] @@ -180,15 +183,15 @@ class TestRSACertificate(object): x509.load_pem_x509_certificate, backend ) - assert cert.subject.get_attributes_for_oid(x509.OID_COMMON_NAME) == [ + assert cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) == [ x509.NameAttribute( - x509.OID_COMMON_NAME, + NameOID.COMMON_NAME, u'We heart UTF8!\u2122' ) ] - assert cert.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME) == [ + assert cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME) == [ x509.NameAttribute( - x509.OID_COMMON_NAME, + NameOID.COMMON_NAME, u'We heart UTF8!\u2122' ) ] 
@@ -205,40 +208,40 @@ class TestRSACertificate(object): subject = cert.subject assert isinstance(subject, x509.Name) assert list(subject) == [ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'AU'), - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'DE'), - x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'California'), - x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'New York'), - x509.NameAttribute(x509.OID_LOCALITY_NAME, u'San Francisco'), - x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Ithaca'), - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'Org Zero, LLC'), - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'Org One, LLC'), - x509.NameAttribute(x509.OID_COMMON_NAME, u'CN 0'), - x509.NameAttribute(x509.OID_COMMON_NAME, u'CN 1'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'AU'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'DE'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'California'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'New York'), + x509.NameAttribute(NameOID.LOCALITY_NAME, u'San Francisco'), + x509.NameAttribute(NameOID.LOCALITY_NAME, u'Ithaca'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org Zero, LLC'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org One, LLC'), + x509.NameAttribute(NameOID.COMMON_NAME, u'CN 0'), + x509.NameAttribute(NameOID.COMMON_NAME, u'CN 1'), x509.NameAttribute( - x509.OID_ORGANIZATIONAL_UNIT_NAME, u'Engineering 0' + NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 0' ), x509.NameAttribute( - x509.OID_ORGANIZATIONAL_UNIT_NAME, u'Engineering 1' + NameOID.ORGANIZATIONAL_UNIT_NAME, u'Engineering 1' ), - x509.NameAttribute(x509.OID_DN_QUALIFIER, u'qualified0'), - x509.NameAttribute(x509.OID_DN_QUALIFIER, u'qualified1'), - x509.NameAttribute(x509.OID_SERIAL_NUMBER, u'789'), - x509.NameAttribute(x509.OID_SERIAL_NUMBER, u'012'), - x509.NameAttribute(x509.OID_TITLE, u'Title IX'), - x509.NameAttribute(x509.OID_TITLE, u'Title X'), - x509.NameAttribute(x509.OID_SURNAME, u'Last 0'), - 
x509.NameAttribute(x509.OID_SURNAME, u'Last 1'), - x509.NameAttribute(x509.OID_GIVEN_NAME, u'First 0'), - x509.NameAttribute(x509.OID_GIVEN_NAME, u'First 1'), - x509.NameAttribute(x509.OID_PSEUDONYM, u'Guy Incognito 0'), - x509.NameAttribute(x509.OID_PSEUDONYM, u'Guy Incognito 1'), - x509.NameAttribute(x509.OID_GENERATION_QUALIFIER, u'32X'), - x509.NameAttribute(x509.OID_GENERATION_QUALIFIER, u'Dreamcast'), - x509.NameAttribute(x509.OID_DOMAIN_COMPONENT, u'dc2'), - x509.NameAttribute(x509.OID_DOMAIN_COMPONENT, u'dc3'), - x509.NameAttribute(x509.OID_EMAIL_ADDRESS, u'test2@test.local'), - x509.NameAttribute(x509.OID_EMAIL_ADDRESS, u'test3@test.local'), + x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified0'), + x509.NameAttribute(NameOID.DN_QUALIFIER, u'qualified1'), + x509.NameAttribute(NameOID.SERIAL_NUMBER, u'789'), + x509.NameAttribute(NameOID.SERIAL_NUMBER, u'012'), + x509.NameAttribute(NameOID.TITLE, u'Title IX'), + x509.NameAttribute(NameOID.TITLE, u'Title X'), + x509.NameAttribute(NameOID.SURNAME, u'Last 0'), + x509.NameAttribute(NameOID.SURNAME, u'Last 1'), + x509.NameAttribute(NameOID.GIVEN_NAME, u'First 0'), + x509.NameAttribute(NameOID.GIVEN_NAME, u'First 1'), + x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 0'), + x509.NameAttribute(NameOID.PSEUDONYM, u'Guy Incognito 1'), + x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'32X'), + x509.NameAttribute(NameOID.GENERATION_QUALIFIER, u'Dreamcast'), + x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc2'), + x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'dc3'), + x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test2@test.local'), + x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'test3@test.local'), ] def test_load_good_ca_cert(self, backend): 
@@ -547,11 +550,11 @@ class TestRSACertificateRequest(object): subject = request.subject assert isinstance(subject, x509.Name) assert list(subject) == [ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), - x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), - x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), - x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), ] extensions = request.extensions assert isinstance(extensions, x509.Extensions) @@ -585,7 +588,7 @@ class TestRSACertificateRequest(object): with pytest.raises(x509.DuplicateExtension) as exc: request.extensions - assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS + assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS def test_unsupported_critical_extension(self, backend): request = _load_cert( @@ -623,7 +626,7 @@ class TestRSACertificateRequest(object): assert isinstance(extensions, x509.Extensions) assert list(extensions) == [ x509.Extension( - x509.OID_BASIC_CONSTRAINTS, + ExtensionOID.BASIC_CONSTRAINTS, True, x509.BasicConstraints(ca=True, path_length=1), ), @@ -636,7 +639,7 @@ class TestRSACertificateRequest(object): backend, ) ext = request.extensions.get_extension_for_oid( - x509.OID_SUBJECT_ALTERNATIVE_NAME + ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) assert list(ext.value) == [ x509.DNSName(u"cryptography.io"), 
@@ -663,11 +666,11 @@ class TestRSACertificateRequest(object): subject = request.subject assert isinstance(subject, x509.Name) assert list(subject) == [ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), - x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), - x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), - x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), ] def test_public_bytes_der(self, backend): @@ -690,11 +693,11 @@ class TestRSACertificateRequest(object): subject = request.subject assert isinstance(subject, x509.Name) assert list(subject) == [ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), - x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), - x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), - x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), ] def test_public_bytes_invalid_encoding(self, backend): 
@@ -790,17 +793,17 @@ class TestRSACertificateRequest(object): builder = x509.CertificateBuilder().serial_number( 777 ).issuer_name(x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), - x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), - x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), - x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), ])).subject_name(x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), - x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), - x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), - x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'), ])).public_key( subject_private_key.public_key() ).add_extension( 
@@ -820,12 +823,12 @@ class TestRSACertificateRequest(object): assert cert.not_valid_before == not_valid_before assert cert.not_valid_after == not_valid_after basic_constraints = cert.extensions.get_extension_for_oid( - x509.OID_BASIC_CONSTRAINTS + ExtensionOID.BASIC_CONSTRAINTS ) assert basic_constraints.value.ca is False assert basic_constraints.value.path_length is None subject_alternative_name = cert.extensions.get_extension_for_oid( - x509.OID_SUBJECT_ALTERNATIVE_NAME + ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) assert list(subject_alternative_name.value) == [ x509.DNSName(u"cryptography.io"), @@ -838,9 +841,9 @@ class TestCertificateBuilder(object): def test_checks_for_unsupported_extensions(self, backend): private_key = RSA_KEY_2048.private_key(backend) builder = x509.CertificateBuilder().subject_name(x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).issuer_name(x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).public_key( private_key.public_key() ).serial_number( @@ -863,7 +866,7 @@ class TestCertificateBuilder(object): builder = x509.CertificateBuilder().serial_number( 777 ).issuer_name(x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).public_key( subject_private_key.public_key() ).not_valid_before( @@ -881,7 +884,7 @@ class TestCertificateBuilder(object): builder = x509.CertificateBuilder().serial_number( 777 ).subject_name(x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).public_key( subject_private_key.public_key() ).not_valid_before( 
@@ -899,9 +902,9 @@ class TestCertificateBuilder(object): builder = x509.CertificateBuilder().serial_number( 777 ).issuer_name(x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).subject_name(x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).not_valid_before( datetime.datetime(2002, 1, 1, 12, 1) ).not_valid_after( @@ -917,9 +920,9 @@ class TestCertificateBuilder(object): builder = x509.CertificateBuilder().serial_number( 777 ).issuer_name(x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).subject_name(x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).public_key( subject_private_key.public_key() ).not_valid_after( @@ -935,9 +938,9 @@ class TestCertificateBuilder(object): builder = x509.CertificateBuilder().serial_number( 777 ).issuer_name(x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).subject_name(x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).public_key( subject_private_key.public_key() ).not_valid_before( @@ -951,9 +954,9 @@ class TestCertificateBuilder(object): def test_no_serial_number(self, backend): subject_private_key = RSA_KEY_2048.private_key(backend) builder = x509.CertificateBuilder().issuer_name(x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).subject_name(x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).public_key( subject_private_key.public_key() ).not_valid_before( 
@@ -975,7 +978,7 @@ class TestCertificateBuilder(object): def test_issuer_name_may_only_be_set_once(self): name = x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ]) builder = x509.CertificateBuilder().issuer_name(name) @@ -993,7 +996,7 @@ class TestCertificateBuilder(object): def test_subject_name_may_only_be_set_once(self): name = x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ]) builder = x509.CertificateBuilder().subject_name(name) @@ -1104,9 +1107,9 @@ class TestCertificateBuilder(object): private_key = RSA_KEY_2048.private_key(backend) builder = x509.CertificateBuilder() builder = builder.subject_name( - x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) ).issuer_name( - x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) ).serial_number( 1 ).public_key( @@ -1129,9 +1132,9 @@ class TestCertificateBuilder(object): private_key = DSA_KEY_2048.private_key(backend) builder = x509.CertificateBuilder() builder = builder.subject_name( - x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) ).issuer_name( - x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) ).serial_number( 1 ).public_key( 
@@ -1155,9 +1158,9 @@ class TestCertificateBuilder(object): private_key = ec.generate_private_key(ec.SECP256R1(), backend) builder = x509.CertificateBuilder() builder = builder.subject_name( - x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) ).issuer_name( - x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) ).serial_number( 1 ).public_key( @@ -1179,20 +1182,20 @@ class TestCertificateBuilder(object): full_name=None, relative_name=x509.Name([ x509.NameAttribute( - x509.OID_COMMON_NAME, + NameOID.COMMON_NAME, u"indirect CRL for indirectCRL CA3" ), ]), reasons=None, crl_issuer=[x509.DirectoryName( x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"), + x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), x509.NameAttribute( - x509.OID_ORGANIZATION_NAME, + NameOID.ORGANIZATION_NAME, u"Test Certificates 2011" ), x509.NameAttribute( - x509.OID_ORGANIZATIONAL_UNIT_NAME, + NameOID.ORGANIZATIONAL_UNIT_NAME, u"indirectCRL CA3 cRLIssuer" ), ]) @@ -1203,7 +1206,7 @@ class TestCertificateBuilder(object): x509.DistributionPoint( full_name=[x509.DirectoryName( x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"), + x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), ]) )], relative_name=None, @@ -1211,7 +1214,7 @@ class TestCertificateBuilder(object): crl_issuer=[x509.DirectoryName( x509.Name([ x509.NameAttribute( - x509.OID_ORGANIZATION_NAME, + NameOID.ORGANIZATION_NAME, u"cryptography Testing" ), ]) @@ -1235,9 +1238,9 @@ class TestCertificateBuilder(object): ]), crl_issuer=[x509.DirectoryName( x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"), + x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), x509.NameAttribute( - x509.OID_COMMON_NAME, u"cryptography CA" + NameOID.COMMON_NAME, u"cryptography CA" ), ]) )], 
@@ -1270,7 +1273,7 @@ class TestCertificateBuilder(object): crl_issuer=[x509.DirectoryName( x509.Name([ x509.NameAttribute( - x509.OID_COMMON_NAME, u"cryptography CA" + NameOID.COMMON_NAME, u"cryptography CA" ), ]) )], @@ -1297,9 +1300,9 @@ class TestCertificateBuilder(object): builder = x509.CertificateBuilder().serial_number( 4444444 ).issuer_name(x509.Name([ - x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), + x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), ])).subject_name(x509.Name([ - x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), + x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'), ])).public_key( subject_private_key.public_key() ).add_extension( @@ -1314,7 +1317,7 @@ class TestCertificateBuilder(object): cert = builder.sign(issuer_private_key, hashes.SHA1(), backend) ext = cert.extensions.get_extension_for_oid( - x509.OID_CRL_DISTRIBUTION_POINTS + ExtensionOID.CRL_DISTRIBUTION_POINTS ) assert ext.critical is False assert ext.value == cdp @@ -1334,9 +1337,9 @@ class TestCertificateBuilder(object): builder = x509.CertificateBuilder().serial_number( 777 ).issuer_name(x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).subject_name(x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).public_key( subject_private_key.public_key() ).add_extension( 
@@ -1356,12 +1359,12 @@ class TestCertificateBuilder(object): assert cert.not_valid_before == not_valid_before assert cert.not_valid_after == not_valid_after basic_constraints = cert.extensions.get_extension_for_oid( - x509.OID_BASIC_CONSTRAINTS + ExtensionOID.BASIC_CONSTRAINTS ) assert basic_constraints.value.ca is False assert basic_constraints.value.path_length is None subject_alternative_name = cert.extensions.get_extension_for_oid( - x509.OID_SUBJECT_ALTERNATIVE_NAME + ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) assert list(subject_alternative_name.value) == [ x509.DNSName(u"cryptography.io"), @@ -1383,9 +1386,9 @@ class TestCertificateBuilder(object): builder = x509.CertificateBuilder().serial_number( 777 ).issuer_name(x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).subject_name(x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).public_key( subject_private_key.public_key() ).add_extension( @@ -1405,12 +1408,12 @@ class TestCertificateBuilder(object): assert cert.not_valid_before == not_valid_before assert cert.not_valid_after == not_valid_after basic_constraints = cert.extensions.get_extension_for_oid( - x509.OID_BASIC_CONSTRAINTS + ExtensionOID.BASIC_CONSTRAINTS ) assert basic_constraints.value.ca is False assert basic_constraints.value.path_length is None subject_alternative_name = cert.extensions.get_extension_for_oid( - x509.OID_SUBJECT_ALTERNATIVE_NAME + ExtensionOID.SUBJECT_ALTERNATIVE_NAME ) assert list(subject_alternative_name.value) == [ x509.DNSName(u"cryptography.io"), 
@@ -1428,9 +1431,9 @@ class TestCertificateBuilder(object): builder = x509.CertificateBuilder().serial_number( 777 ).issuer_name(x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).subject_name(x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ])).public_key( subject_private_key.public_key() ).not_valid_before( @@ -1452,9 +1455,9 @@ class TestCertificateBuilder(object): not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) cert = x509.CertificateBuilder().subject_name( - x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) ).issuer_name( - x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) ).not_valid_before( not_valid_before ).not_valid_after( @@ -1471,7 +1474,7 @@ class TestCertificateBuilder(object): ).sign(issuer_private_key, hashes.SHA256(), backend) ext = cert.extensions.get_extension_for_oid( - x509.OID_ISSUER_ALTERNATIVE_NAME + ExtensionOID.ISSUER_ALTERNATIVE_NAME ) assert ext.critical is False assert ext.value == x509.IssuerAlternativeName([ @@ -1489,9 +1492,9 @@ class TestCertificateBuilder(object): not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) cert = x509.CertificateBuilder().subject_name( - x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) ).issuer_name( - x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) ).not_valid_before( not_valid_before ).not_valid_after( 
@@ -1502,20 +1505,20 @@ class TestCertificateBuilder(object): 123 ).add_extension( x509.ExtendedKeyUsage([ - x509.OID_CLIENT_AUTH, - x509.OID_SERVER_AUTH, - x509.OID_CODE_SIGNING, + ExtendedKeyUsageOID.CLIENT_AUTH, + ExtendedKeyUsageOID.SERVER_AUTH, + ExtendedKeyUsageOID.CODE_SIGNING, ]), critical=False ).sign(issuer_private_key, hashes.SHA256(), backend) eku = cert.extensions.get_extension_for_oid( - x509.OID_EXTENDED_KEY_USAGE + ExtensionOID.EXTENDED_KEY_USAGE ) assert eku.critical is False assert eku.value == x509.ExtendedKeyUsage([ - x509.OID_CLIENT_AUTH, - x509.OID_SERVER_AUTH, - x509.OID_CODE_SIGNING, + ExtendedKeyUsageOID.CLIENT_AUTH, + ExtendedKeyUsageOID.SERVER_AUTH, + ExtendedKeyUsageOID.CODE_SIGNING, ]) @pytest.mark.requires_backend_interface(interface=RSABackend) @@ -1528,9 +1531,9 @@ class TestCertificateBuilder(object): not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) cert = x509.CertificateBuilder().subject_name( - x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) ).issuer_name( - x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) ).not_valid_before( not_valid_before ).not_valid_after( @@ -1544,7 +1547,7 @@ class TestCertificateBuilder(object): ).sign(issuer_private_key, hashes.SHA256(), backend) ext = cert.extensions.get_extension_for_oid( - x509.OID_INHIBIT_ANY_POLICY + ExtensionOID.INHIBIT_ANY_POLICY ) assert ext.value == x509.InhibitAnyPolicy(3) 
@@ -1558,9 +1561,9 @@ class TestCertificateBuilder(object): not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) cert = x509.CertificateBuilder().subject_name( - x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) ).issuer_name( - x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) ).not_valid_before( not_valid_before ).not_valid_after( @@ -1584,7 +1587,7 @@ class TestCertificateBuilder(object): critical=False ).sign(issuer_private_key, hashes.SHA256(), backend) - ext = cert.extensions.get_extension_for_oid(x509.OID_KEY_USAGE) + ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE) assert ext.critical is False assert ext.value == x509.KeyUsage( digital_signature=True, @@ -1625,7 +1628,7 @@ class TestCertificateSigningRequestBuilder(object): request = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), ]) ).add_extension( x509.BasicConstraints(ca=True, path_length=2), critical=True @@ -1637,10 +1640,10 @@ class TestCertificateSigningRequestBuilder(object): subject = request.subject assert isinstance(subject, x509.Name) assert list(subject) == [ - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), ] basic_constraints = request.extensions.get_extension_for_oid( - x509.OID_BASIC_CONSTRAINTS + ExtensionOID.BASIC_CONSTRAINTS ) assert basic_constraints.value.ca is True assert basic_constraints.value.path_length == 2 @@ -1651,7 +1654,7 @@ class TestCertificateSigningRequestBuilder(object): request = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'), ]) ).add_extension( 
@@ -1664,7 +1667,7 @@ class TestCertificateSigningRequestBuilder(object): subject = loaded_request.subject assert isinstance(subject, x509.Name) assert list(subject) == [ - x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA\U0001f37a'), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA\U0001f37a'), ] @pytest.mark.requires_backend_interface(interface=RSABackend) @@ -1673,7 +1676,7 @@ class TestCertificateSigningRequestBuilder(object): request = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ]) ).add_extension( x509.BasicConstraints(ca=False, path_length=None), critical=True, @@ -1685,10 +1688,10 @@ class TestCertificateSigningRequestBuilder(object): subject = request.subject assert isinstance(subject, x509.Name) assert list(subject) == [ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ] basic_constraints = request.extensions.get_extension_for_oid( - x509.OID_BASIC_CONSTRAINTS + ExtensionOID.BASIC_CONSTRAINTS ) assert basic_constraints.value.ca is False assert basic_constraints.value.path_length is None @@ -1703,7 +1706,7 @@ class TestCertificateSigningRequestBuilder(object): request = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ - x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), ]) ).add_extension( x509.BasicConstraints(ca=True, path_length=2), critical=True 
@@ -1715,10 +1718,10 @@ class TestCertificateSigningRequestBuilder(object): subject = request.subject assert isinstance(subject, x509.Name) assert list(subject) == [ - x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'), ] basic_constraints = request.extensions.get_extension_for_oid( - x509.OID_BASIC_CONSTRAINTS + ExtensionOID.BASIC_CONSTRAINTS ) assert basic_constraints.value.ca is True assert basic_constraints.value.path_length == 2 @@ -1732,7 +1735,7 @@ class TestCertificateSigningRequestBuilder(object): request = x509.CertificateSigningRequestBuilder().subject_name( x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ]) ).add_extension( x509.BasicConstraints(ca=True, path_length=2), critical=True @@ -1744,10 +1747,10 @@ class TestCertificateSigningRequestBuilder(object): subject = request.subject assert isinstance(subject, x509.Name) assert list(subject) == [ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ] basic_constraints = request.extensions.get_extension_for_oid( - x509.OID_BASIC_CONSTRAINTS + ExtensionOID.BASIC_CONSTRAINTS ) assert basic_constraints.value.ca is True assert basic_constraints.value.path_length == 2 @@ -1777,7 +1780,7 @@ class TestCertificateSigningRequestBuilder(object): builder = x509.CertificateSigningRequestBuilder() builder = builder.subject_name( x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ]) ).add_extension( x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]), @@ -1793,7 +1796,7 @@ class TestCertificateSigningRequestBuilder(object): builder = x509.CertificateSigningRequestBuilder() request = builder.subject_name( x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'), ]) ).add_extension( x509.KeyUsage( 
@@ -1810,7 +1813,7 @@ class TestCertificateSigningRequestBuilder(object):
 critical=False
 ).sign(private_key, hashes.SHA256(), backend)
 assert len(request.extensions) == 1
- ext = request.extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
+ ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
 assert ext.critical is False
 assert ext.value == x509.KeyUsage(
 digital_signature=True,
@@ -1829,7 +1832,7 @@ class TestCertificateSigningRequestBuilder(object):
 builder = x509.CertificateSigningRequestBuilder()
 request = builder.subject_name(
 x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
 ])
 ).add_extension(
 x509.KeyUsage(
@@ -1846,7 +1849,7 @@ class TestCertificateSigningRequestBuilder(object):
 critical=False
 ).sign(private_key, hashes.SHA256(), backend)
 assert len(request.extensions) == 1
- ext = request.extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
+ ext = request.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
 assert ext.critical is False
 assert ext.value == x509.KeyUsage(
 digital_signature=False,
@@ -1864,7 +1867,7 @@ class TestCertificateSigningRequestBuilder(object):
 private_key = RSA_KEY_2048.private_key(backend)
 builder = x509.CertificateSigningRequestBuilder()
 request = builder.subject_name(
- x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
 ).add_extension(
 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
 critical=False,
@@ -1876,12 +1879,12 @@ class TestCertificateSigningRequestBuilder(object):
 public_key = request.public_key()
 assert isinstance(public_key, rsa.RSAPublicKey)
 basic_constraints = request.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
 )
 assert basic_constraints.value.ca is True
 assert basic_constraints.value.path_length == 2
 ext = request.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
 )
 assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
@@ -1889,13 +1892,13 @@ class TestCertificateSigningRequestBuilder(object):
 builder = x509.CertificateSigningRequestBuilder()
 builder = builder.subject_name(
 x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
 ])
 )
 with pytest.raises(ValueError):
 builder.subject_name(
 x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
 ])
 )
@@ -1904,7 +1907,7 @@ class TestCertificateSigningRequestBuilder(object):
 csr = x509.CertificateSigningRequestBuilder().subject_name(
 x509.Name([
- x509.NameAttribute(x509.OID_COMMON_NAME, u"SAN"),
+ x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
 ])
 ).add_extension(
 x509.SubjectAlternativeName([
@@ -1912,9 +1915,9 @@ class TestCertificateSigningRequestBuilder(object):
 x509.DNSName(u"*.example.com"),
 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
 x509.DirectoryName(x509.Name([
- x509.NameAttribute(x509.OID_COMMON_NAME, u'PyCA'),
+ x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
 x509.NameAttribute(
- x509.OID_ORGANIZATION_NAME, u'We heart UTF8!\u2122'
+ NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
 )
 ])),
 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
@@ -1938,18 +1941,18 @@ class TestCertificateSigningRequestBuilder(object):
 assert len(csr.extensions) == 1
 ext = csr.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
 )
 assert not ext.critical
- assert ext.oid == x509.OID_SUBJECT_ALTERNATIVE_NAME
+ assert ext.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME
 assert list(ext.value) == [
 x509.DNSName(u"example.com"),
 x509.DNSName(u"*.example.com"),
 x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
 x509.DirectoryName(x509.Name([
- x509.NameAttribute(x509.OID_COMMON_NAME, u'PyCA'),
+ x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
 x509.NameAttribute(
- x509.OID_ORGANIZATION_NAME, u'We heart UTF8!\u2122'
+ NameOID.ORGANIZATION_NAME, u'We heart UTF8!\u2122'
 ),
 ])),
 x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
@@ -1974,7 +1977,7 @@ class TestCertificateSigningRequestBuilder(object):
 builder = x509.CertificateSigningRequestBuilder().subject_name(
 x509.Name([
- x509.NameAttribute(x509.OID_COMMON_NAME, u"SAN"),
+ x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
 ])
 ).add_extension(
 x509.SubjectAlternativeName([
@@ -1993,7 +1996,7 @@ class TestCertificateSigningRequestBuilder(object):
 builder = x509.CertificateSigningRequestBuilder().subject_name(
 x509.Name([
- x509.NameAttribute(x509.OID_COMMON_NAME, u"SAN"),
+ x509.NameAttribute(NameOID.COMMON_NAME, u"SAN"),
 ])
 ).add_extension(
 x509.SubjectAlternativeName([FakeGeneralName("")]),
@@ -2007,23 +2010,23 @@ class TestCertificateSigningRequestBuilder(object):
 private_key = RSA_KEY_2048.private_key(backend)
 builder = x509.CertificateSigningRequestBuilder()
 request = builder.subject_name(
- x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
 ).add_extension(
 x509.ExtendedKeyUsage([
- x509.OID_CLIENT_AUTH,
- x509.OID_SERVER_AUTH,
- x509.OID_CODE_SIGNING,
+ ExtendedKeyUsageOID.CLIENT_AUTH,
+ ExtendedKeyUsageOID.SERVER_AUTH,
+ ExtendedKeyUsageOID.CODE_SIGNING,
 ]),
 critical=False
 ).sign(private_key, hashes.SHA256(), backend)
 eku = request.extensions.get_extension_for_oid(
- x509.OID_EXTENDED_KEY_USAGE
+ ExtensionOID.EXTENDED_KEY_USAGE
 )
 assert eku.critical is False
 assert eku.value == x509.ExtendedKeyUsage([
- x509.OID_CLIENT_AUTH,
- x509.OID_SERVER_AUTH,
- x509.OID_CODE_SIGNING,
+ ExtendedKeyUsageOID.CLIENT_AUTH,
+ ExtendedKeyUsageOID.SERVER_AUTH,
+ ExtendedKeyUsageOID.CODE_SIGNING,
 ])
 @pytest.mark.requires_backend_interface(interface=RSABackend)
@@ -2031,7 +2034,7 @@ class TestCertificateSigningRequestBuilder(object):
 private_key = rsa.generate_private_key(65537, 512, backend)
 builder = x509.CertificateSigningRequestBuilder()
 builder = builder.subject_name(
- x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
 )
 with pytest.raises(ValueError) as exc:
@@ -2050,11 +2053,11 @@ class TestCertificateSigningRequestBuilder(object):
 aia = x509.AuthorityInformationAccess([
 x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
 ),
 x509.AccessDescription(
- x509.OID_CA_ISSUERS,
+ AuthorityInformationAccessOID.CA_ISSUERS,
 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
 )
 ])
@@ -2062,9 +2065,9 @@ class TestCertificateSigningRequestBuilder(object):
 builder = x509.CertificateBuilder().serial_number(
 777
 ).issuer_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
 ])).subject_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
 ])).public_key(
 subject_private_key.public_key()
 ).add_extension(
@@ -2078,7 +2081,7 @@ class TestCertificateSigningRequestBuilder(object):
 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_AUTHORITY_INFORMATION_ACCESS
+ ExtensionOID.AUTHORITY_INFORMATION_ACCESS
 )
 assert ext.value == aia
@@ -2098,9 +2101,9 @@ class TestCertificateSigningRequestBuilder(object):
 builder = x509.CertificateBuilder().serial_number(
 777
 ).issuer_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
 ])).subject_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
 ])).public_key(
 subject_private_key.public_key()
 ).add_extension(
@@ -2114,7 +2117,7 @@ class TestCertificateSigningRequestBuilder(object):
 cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_KEY_IDENTIFIER
+ ExtensionOID.SUBJECT_KEY_IDENTIFIER
 )
 assert ext.value == ski
@@ -2134,10 +2137,10 @@ class TestCertificateSigningRequestBuilder(object):
 x509.DirectoryName(
 x509.Name([
 x509.NameAttribute(
- x509.OID_ORGANIZATION_NAME, u"PyCA"
+ NameOID.ORGANIZATION_NAME, u"PyCA"
 ),
 x509.NameAttribute(
- x509.OID_COMMON_NAME, u"cryptography CA"
+ NameOID.COMMON_NAME, u"cryptography CA"
 )
 ])
 )
@@ -2150,10 +2153,10 @@ class TestCertificateSigningRequestBuilder(object):
 x509.DirectoryName(
 x509.Name([
 x509.NameAttribute(
- x509.OID_ORGANIZATION_NAME, u"PyCA"
+ NameOID.ORGANIZATION_NAME, u"PyCA"
 ),
 x509.NameAttribute(
- x509.OID_COMMON_NAME, u"cryptography CA"
+ NameOID.COMMON_NAME, u"cryptography CA"
 )
 ])
 )
@@ -2174,9 +2177,9 @@ class TestCertificateSigningRequestBuilder(object):
 builder = x509.CertificateBuilder().serial_number(
 777
 ).issuer_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
 ])).subject_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
 ])).public_key(
 subject_private_key.public_key()
 ).add_extension(
@@ -2190,7 +2193,7 @@ class TestCertificateSigningRequestBuilder(object):
 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_AUTHORITY_KEY_IDENTIFIER
+ ExtensionOID.AUTHORITY_KEY_IDENTIFIER
 )
 assert ext.value == aki
@@ -2204,9 +2207,9 @@ class TestCertificateSigningRequestBuilder(object):
 builder = x509.CertificateBuilder().serial_number(
 777
 ).issuer_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
 ])).subject_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
 ])).public_key(
 subject_private_key.public_key()
 ).add_extension(
@@ -2220,7 +2223,7 @@ class TestCertificateSigningRequestBuilder(object):
 cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_OCSP_NO_CHECK
+ ExtensionOID.OCSP_NO_CHECK
 )
 assert isinstance(ext.value, x509.OCSPNoCheck)
@@ -2296,11 +2299,11 @@ class TestDSACertificate(object):
 subject = request.subject
 assert isinstance(subject, x509.Name)
 assert list(subject) == [
- x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
- x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
- x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
- x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
 ]
@@ -2360,11 +2363,11 @@ class TestECDSACertificate(object):
 subject = request.subject
 assert isinstance(subject, x509.Name)
 assert list(subject) == [
- x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
- x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
- x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
- x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'),
+ x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
 ]
@@ -2460,8 +2463,8 @@ class TestName(object):
 def test_repr(self):
 name = x509.Name([
- x509.NameAttribute(x509.OID_COMMON_NAME, u'cryptography.io'),
- x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'PyCA'),
+ x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
 ])
 if six.PY3:
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index 40231b93..2c5438a9 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -17,6 +17,9 @@ from cryptography.hazmat.backends.interfaces import (
 DSABackend, EllipticCurveBackend, RSABackend, X509Backend
 )
 from cryptography.hazmat.primitives.asymmetric import ec
+from cryptography.x509.oid import (
 AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID, NameOID
+)
 from .hazmat.primitives.test_ec import _skip_curve_unsupported
 from .test_x509 import _load_cert
@@ -31,11 +34,11 @@ class TestExtension(object):
 def test_critical_not_a_bool(self):
 bc = x509.BasicConstraints(ca=False, path_length=None)
 with pytest.raises(TypeError):
- x509.Extension(x509.OID_BASIC_CONSTRAINTS, "notabool", bc)
+ x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, "notabool", bc)
 def test_repr(self):
 bc = x509.BasicConstraints(ca=False, path_length=None)
- ext = x509.Extension(x509.OID_BASIC_CONSTRAINTS, True, bc)
+ ext = x509.Extension(ExtensionOID.BASIC_CONSTRAINTS, True, bc)
 assert repr(ext) == (
 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConst"
 "raints)>, critical=True, value=<BasicConstraints(ca=False, path"
@@ -277,7 +280,7 @@ class TestCertificatePoliciesExtension(object):
 )
 cp = cert.extensions.get_extension_for_oid(
- x509.OID_CERTIFICATE_POLICIES
+ ExtensionOID.CERTIFICATE_POLICIES
 ).value
 assert cp == x509.CertificatePolicies([
@@ -297,7 +300,7 @@ class TestCertificatePoliciesExtension(object):
 )
 cp = cert.extensions.get_extension_for_oid(
- x509.OID_CERTIFICATE_POLICIES
+ ExtensionOID.CERTIFICATE_POLICIES
 ).value
 assert cp == x509.CertificatePolicies([
@@ -324,7 +327,7 @@ class TestCertificatePoliciesExtension(object):
 )
 cp = cert.extensions.get_extension_for_oid(
- x509.OID_CERTIFICATE_POLICIES
+ ExtensionOID.CERTIFICATE_POLICIES
 ).value
 assert cp == x509.CertificatePolicies([
@@ -344,7 +347,7 @@ class TestCertificatePoliciesExtension(object):
 )
 cp = cert.extensions.get_extension_for_oid(
- x509.OID_CERTIFICATE_POLICIES
+ ExtensionOID.CERTIFICATE_POLICIES
 ).value
 assert cp == x509.CertificatePolicies([
@@ -556,7 +559,7 @@ class TestSubjectKeyIdentifier(object):
 ski = x509.SubjectKeyIdentifier(
 binascii.unhexlify(b"092384932230498bc980aa8098456f6ff7ff3ac9")
 )
- ext = x509.Extension(x509.OID_SUBJECT_KEY_IDENTIFIER, False, ski)
+ ext = x509.Extension(ExtensionOID.SUBJECT_KEY_IDENTIFIER, False, ski)
 if six.PY3:
 assert repr(ext) == (
 "<Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectK"
@@ -629,7 +632,7 @@ class TestAuthorityKeyIdentifier(object):
 def test_repr(self):
 dirname = x509.DirectoryName(
- x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, u'myCN')])
+ x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
 )
 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
@@ -650,21 +653,21 @@ class TestAuthorityKeyIdentifier(object):
 def test_eq(self):
 dirname = x509.DirectoryName(
- x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, u'myCN')])
+ x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
 )
 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
 dirname2 = x509.DirectoryName(
- x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, u'myCN')])
+ x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
 )
 aki2 = x509.AuthorityKeyIdentifier(b"digest", [dirname2], 1234)
 assert aki == aki2
 def test_ne(self):
 dirname = x509.DirectoryName(
- x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, u'myCN')])
+ x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
 )
 dirname5 = x509.DirectoryName(
- x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, u'aCN')])
+ x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'aCN')])
 )
 aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234)
 aki2 = x509.AuthorityKeyIdentifier(b"diges", [dirname], 1234)
@@ -730,8 +733,8 @@ class TestExtendedKeyUsage(object):
 ])
 assert len(eku) == 2
 assert list(eku) == [
- x509.OID_SERVER_AUTH,
- x509.OID_CLIENT_AUTH
+ ExtendedKeyUsageOID.SERVER_AUTH,
+ ExtendedKeyUsageOID.CLIENT_AUTH
 ]
 def test_repr(self):
@@ -774,9 +777,9 @@ class TestExtensions(object):
 assert len(ext) == 0
 assert list(ext) == []
 with pytest.raises(x509.ExtensionNotFound) as exc:
- ext.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
+ ext.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
- assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS
+ assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
 def test_one_extension(self, backend):
 cert = _load_cert(
@@ -787,7 +790,7 @@ class TestExtensions(object):
 backend
 )
 extensions = cert.extensions
- ext = extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
+ ext = extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
 assert ext is not None
 assert ext.value.ca is False
@@ -802,7 +805,7 @@ class TestExtensions(object):
 with pytest.raises(x509.DuplicateExtension) as exc:
 cert.extensions
- assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS
+ assert exc.value.oid == ExtensionOID.BASIC_CONSTRAINTS
 def test_unsupported_critical_extension(self, backend):
 cert = _load_cert(
@@ -842,7 +845,7 @@ class TestBasicConstraintsExtension(object):
 backend
 )
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
 )
 assert ext is not None
 assert ext.critical is True
@@ -856,7 +859,7 @@ class TestBasicConstraintsExtension(object):
 backend
 )
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
 )
 assert ext is not None
 assert ext.critical is True
@@ -870,7 +873,7 @@ class TestBasicConstraintsExtension(object):
 backend
 )
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
 )
 assert ext is not None
 assert ext.critical is True
@@ -884,7 +887,7 @@ class TestBasicConstraintsExtension(object):
 backend
 )
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
 )
 assert ext is not None
 assert ext.critical is True
@@ -903,7 +906,9 @@ class TestBasicConstraintsExtension(object):
 backend
 )
 with pytest.raises(x509.ExtensionNotFound):
- cert.extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS)
+ cert.extensions.get_extension_for_oid(
+ ExtensionOID.BASIC_CONSTRAINTS
+ )
 def test_basic_constraint_not_critical(self, backend):
 cert = _load_cert(
@@ -914,7 +919,7 @@ class TestBasicConstraintsExtension(object):
 backend
 )
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_BASIC_CONSTRAINTS
+ ExtensionOID.BASIC_CONSTRAINTS
 )
 assert ext is not None
 assert ext.critical is False
@@ -931,7 +936,7 @@ class TestSubjectKeyIdentifierExtension(object):
 backend
 )
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_KEY_IDENTIFIER
+ ExtensionOID.SUBJECT_KEY_IDENTIFIER
 )
 ski = ext.value
 assert ext is not None
@@ -950,7 +955,7 @@ class TestSubjectKeyIdentifierExtension(object):
 )
 with pytest.raises(x509.ExtensionNotFound):
 cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_KEY_IDENTIFIER
+ ExtensionOID.SUBJECT_KEY_IDENTIFIER
 )
 @pytest.mark.requires_backend_interface(interface=RSABackend)
@@ -962,7 +967,7 @@ class TestSubjectKeyIdentifierExtension(object):
 backend
 )
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_KEY_IDENTIFIER
+ ExtensionOID.SUBJECT_KEY_IDENTIFIER
 )
 ski = x509.SubjectKeyIdentifier.from_public_key(
 cert.public_key()
@@ -979,7 +984,7 @@ class TestSubjectKeyIdentifierExtension(object):
 )
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_KEY_IDENTIFIER
+ ExtensionOID.SUBJECT_KEY_IDENTIFIER
 )
 ski = x509.SubjectKeyIdentifier.from_public_key(
 cert.public_key()
@@ -997,7 +1002,7 @@ class TestSubjectKeyIdentifierExtension(object):
 )
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_KEY_IDENTIFIER
+ ExtensionOID.SUBJECT_KEY_IDENTIFIER
 )
 ski = x509.SubjectKeyIdentifier.from_public_key(
 cert.public_key()
@@ -1016,9 +1021,9 @@ class TestKeyUsageExtension(object):
 )
 ext = cert.extensions
 with pytest.raises(x509.ExtensionNotFound) as exc:
- ext.get_extension_for_oid(x509.OID_KEY_USAGE)
+ ext.get_extension_for_oid(ExtensionOID.KEY_USAGE)
- assert exc.value.oid == x509.OID_KEY_USAGE
+ assert exc.value.oid == ExtensionOID.KEY_USAGE
 def test_all_purposes(self, backend):
 cert = _load_cert(
@@ -1029,7 +1034,7 @@ class TestKeyUsageExtension(object):
 backend
 )
 extensions = cert.extensions
- ext = extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
+ ext = extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
 assert ext is not None
 ku = ext.value
@@ -1051,7 +1056,7 @@ class TestKeyUsageExtension(object):
 x509.load_der_x509_certificate,
 backend
 )
- ext = cert.extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
+ ext = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
 assert ext is not None
 assert ext.critical is True
@@ -1105,7 +1110,7 @@ class TestDirectoryName(object):
 x509.DirectoryName(1.3)
 def test_repr(self):
- name = x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, u'value1')])
+ name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'value1')])
 gn = x509.DirectoryName(x509.Name([name]))
 if six.PY3:
 assert repr(gn) == (
@@ -1203,20 +1208,20 @@ class TestRegisteredID(object):
 x509.RegisteredID(1.3)
 def test_repr(self):
- gn = x509.RegisteredID(x509.OID_COMMON_NAME)
+ gn = x509.RegisteredID(NameOID.COMMON_NAME)
 assert repr(gn) == (
 "<RegisteredID(value=<ObjectIdentifier(oid=2.5.4.3, name=commonNam"
 "e)>)>"
 )
 def test_eq(self):
- gn = x509.RegisteredID(x509.OID_COMMON_NAME)
- gn2 = x509.RegisteredID(x509.OID_COMMON_NAME)
+ gn = x509.RegisteredID(NameOID.COMMON_NAME)
+ gn2 = x509.RegisteredID(NameOID.COMMON_NAME)
 assert gn == gn2
 def test_ne(self):
- gn = x509.RegisteredID(x509.OID_COMMON_NAME)
- gn2 = x509.RegisteredID(x509.OID_BASIC_CONSTRAINTS)
+ gn = x509.RegisteredID(NameOID.COMMON_NAME)
+ gn2 = x509.RegisteredID(ExtensionOID.BASIC_CONSTRAINTS)
 assert gn != gn2
 assert gn != object()
@@ -1424,7 +1429,7 @@ class TestRSAIssuerAlternativeNameExtension(object):
 backend,
 )
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_ISSUER_ALTERNATIVE_NAME
+ ExtensionOID.ISSUER_ALTERNATIVE_NAME
 )
 assert list(ext.value) == [
 x509.UniformResourceIdentifier(u"http://path.to.root/root.crt"),
@@ -1497,7 +1502,7 @@ class TestRSASubjectAlternativeNameExtension(object):
 backend
 )
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
 )
 assert ext is not None
 assert ext.critical is False
@@ -1514,7 +1519,7 @@ class TestRSASubjectAlternativeNameExtension(object):
 backend
 )
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
 )
 dns = ext.value.get_values_for_type(x509.DNSName)
@@ -1532,7 +1537,7 @@ class TestRSASubjectAlternativeNameExtension(object):
 backend
 )
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
 )
 dns = ext.value.get_values_for_type(x509.DNSName)
@@ -1558,7 +1563,7 @@ class TestRSASubjectAlternativeNameExtension(object):
 backend
 )
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
 )
 assert ext is not None
 assert ext.critical is False
@@ -1576,7 +1581,7 @@ class TestRSASubjectAlternativeNameExtension(object):
 backend
 )
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
 )
 assert ext is not None
 uri = ext.value.get_values_for_type(
@@ -1597,7 +1602,7 @@ class TestRSASubjectAlternativeNameExtension(object):
 backend
 )
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
 )
 assert ext is not None
 assert ext.critical is False
@@ -1619,7 +1624,7 @@ class TestRSASubjectAlternativeNameExtension(object):
 backend
 )
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
 )
 assert ext is not None
 assert ext.critical is False
@@ -1629,9 +1634,9 @@ class TestRSASubjectAlternativeNameExtension(object):
 dirname = san.get_values_for_type(x509.DirectoryName)
 assert [
 x509.Name([
- x509.NameAttribute(x509.OID_COMMON_NAME, u'test'),
- x509.NameAttribute(x509.OID_ORGANIZATION_NAME, u'Org'),
- x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, u'Texas'),
+ x509.NameAttribute(NameOID.COMMON_NAME, u'test'),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'Org'),
+ x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
 ])
 ] == dirname
@@ -1644,7 +1649,7 @@ class TestRSASubjectAlternativeNameExtension(object):
 backend
 )
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
 )
 assert ext is not None
 assert ext.critical is False
@@ -1674,7 +1679,7 @@ class TestRSASubjectAlternativeNameExtension(object):
 backend
 )
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
 )
 assert ext is not None
 rfc822_name = ext.value.get_values_for_type(x509.RFC822Name)
@@ -1693,7 +1698,7 @@ class TestRSASubjectAlternativeNameExtension(object):
 backend
 )
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
 )
 assert ext is not None
 assert ext.critical is False
@@ -1710,9 +1715,9 @@ class TestRSASubjectAlternativeNameExtension(object):
 assert [u"cryptography.io"] == dns
 assert [
 x509.Name([
- x509.NameAttribute(x509.OID_COMMON_NAME, u'dirCN'),
+ x509.NameAttribute(NameOID.COMMON_NAME, u'dirCN'),
 x509.NameAttribute(
- x509.OID_ORGANIZATION_NAME, u'Cryptographic Authority'
+ NameOID.ORGANIZATION_NAME, u'Cryptographic Authority'
 ),
 ])
 ] == dirname
@@ -1744,7 +1749,7 @@ class TestRSASubjectAlternativeNameExtension(object):
 )
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_SUBJECT_ALTERNATIVE_NAME
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME
 )
 assert ext is not None
 assert ext.critical is False
@@ -1770,7 +1775,7 @@ class TestExtendedKeyUsageExtension(object):
 backend
 )
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_EXTENDED_KEY_USAGE
+ ExtensionOID.EXTENDED_KEY_USAGE
 )
 assert ext is not None
 assert ext.critical is False
@@ -1794,11 +1799,13 @@ class TestAccessDescription(object):
 def test_invalid_access_location(self):
 with pytest.raises(TypeError):
- x509.AccessDescription(x509.OID_CA_ISSUERS, "invalid")
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.CA_ISSUERS, "invalid"
+ )
 def test_repr(self):
 ad = x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
 )
 assert repr(ad) == (
@@ -1809,26 +1816,26 @@ class TestAccessDescription(object):
 def test_eq(self):
 ad = x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
 )
 ad2 = x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
 )
 assert ad == ad2
 def test_ne(self):
 ad = x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
 )
 ad2 = x509.AccessDescription(
- x509.OID_CA_ISSUERS,
+ AuthorityInformationAccessOID.CA_ISSUERS,
 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
 )
 ad3 = x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
 x509.UniformResourceIdentifier(u"http://notthesame")
 )
 assert ad != ad2
@@ -1844,22 +1851,22 @@ class TestAuthorityInformationAccess(object):
 def test_iter_len(self):
 aia = x509.AuthorityInformationAccess([
 x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
 ),
 x509.AccessDescription(
- x509.OID_CA_ISSUERS,
+ AuthorityInformationAccessOID.CA_ISSUERS,
 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
 )
 ])
 assert len(aia) == 2
 assert list(aia) == [
 x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
 ),
 x509.AccessDescription(
- x509.OID_CA_ISSUERS,
+ AuthorityInformationAccessOID.CA_ISSUERS,
 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
 )
 ]
@@ -1867,11 +1874,11 @@ class TestAuthorityInformationAccess(object):
 def test_repr(self):
 aia = x509.AuthorityInformationAccess([
 x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
 ),
 x509.AccessDescription(
- x509.OID_CA_ISSUERS,
+ AuthorityInformationAccessOID.CA_ISSUERS,
 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
 )
 ])
@@ -1887,21 +1894,21 @@ class TestAuthorityInformationAccess(object):
 def test_eq(self):
 aia = x509.AuthorityInformationAccess([
 x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
 ),
 x509.AccessDescription(
- x509.OID_CA_ISSUERS,
+ AuthorityInformationAccessOID.CA_ISSUERS,
 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
 )
 ])
 aia2 = x509.AuthorityInformationAccess([
 x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
 ),
 x509.AccessDescription(
- x509.OID_CA_ISSUERS,
+ AuthorityInformationAccessOID.CA_ISSUERS,
 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
 )
 ])
@@ -1910,17 +1917,17 @@ class TestAuthorityInformationAccess(object):
 def test_ne(self):
 aia = x509.AuthorityInformationAccess([
 x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
 ),
 x509.AccessDescription(
- x509.OID_CA_ISSUERS,
+ AuthorityInformationAccessOID.CA_ISSUERS,
 x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
 )
 ])
 aia2 = x509.AuthorityInformationAccess([
 x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
 ),
 ])
@@ -1939,18 +1946,18 @@ class TestAuthorityInformationAccessExtension(object):
 backend
 )
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_AUTHORITY_INFORMATION_ACCESS
+ ExtensionOID.AUTHORITY_INFORMATION_ACCESS
 )
 assert ext is not None
 assert ext.critical is False
 assert ext.value == x509.AuthorityInformationAccess([
 x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
 x509.UniformResourceIdentifier(u"http://gv.symcd.com")
 ),
 x509.AccessDescription(
- x509.OID_CA_ISSUERS,
+ AuthorityInformationAccessOID.CA_ISSUERS,
 x509.UniformResourceIdentifier(u"http://gv.symcb.com/gv.crt")
 ),
 ])
@@ -1962,25 +1969,25 @@ class TestAuthorityInformationAccessExtension(object):
 backend
 )
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_AUTHORITY_INFORMATION_ACCESS
+ ExtensionOID.AUTHORITY_INFORMATION_ACCESS
 )
 assert ext is not None
 assert ext.critical is False
 assert ext.value == x509.AuthorityInformationAccess([
 x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
 ),
 x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
 x509.UniformResourceIdentifier(u"http://ocsp2.domain.com")
 ),
 x509.AccessDescription(
- x509.OID_CA_ISSUERS,
+ AuthorityInformationAccessOID.CA_ISSUERS,
 x509.DirectoryName(x509.Name([
- x509.NameAttribute(x509.OID_COMMON_NAME, u"myCN"),
- x509.NameAttribute(x509.OID_ORGANIZATION_NAME,
+ x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME,
 u"some Org"),
 ]))
 ),
@@ -1993,14 +2000,14 @@ class TestAuthorityInformationAccessExtension(object):
 backend
 )
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_AUTHORITY_INFORMATION_ACCESS
+ ExtensionOID.AUTHORITY_INFORMATION_ACCESS
 )
 assert ext is not None
 assert ext.critical is False
 assert ext.value == x509.AuthorityInformationAccess([
 x509.AccessDescription(
- x509.OID_OCSP,
+ AuthorityInformationAccessOID.OCSP,
 x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
 ),
 ])
@@ -2012,17 +2019,17 @@ class TestAuthorityInformationAccessExtension(object):
 backend
 )
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_AUTHORITY_INFORMATION_ACCESS
+ ExtensionOID.AUTHORITY_INFORMATION_ACCESS
 )
 assert ext is not None
 assert ext.critical is False
 assert ext.value == x509.AuthorityInformationAccess([
 x509.AccessDescription(
- x509.OID_CA_ISSUERS,
+ AuthorityInformationAccessOID.CA_ISSUERS,
 x509.DirectoryName(x509.Name([
- x509.NameAttribute(x509.OID_COMMON_NAME, u"myCN"),
- x509.NameAttribute(x509.OID_ORGANIZATION_NAME,
+ x509.NameAttribute(NameOID.COMMON_NAME, u"myCN"),
+ x509.NameAttribute(NameOID.ORGANIZATION_NAME,
 u"some Org"),
 ]))
 ),
@@ -2041,7 +2048,7 @@ class TestAuthorityKeyIdentifierExtension(object):
 backend
 )
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_AUTHORITY_KEY_IDENTIFIER
+ ExtensionOID.AUTHORITY_KEY_IDENTIFIER
 )
 assert ext is not None
 assert ext.critical is False
@@ -2061,7 +2068,7 @@ class TestAuthorityKeyIdentifierExtension(object):
 backend
 )
 ext = cert.extensions.get_extension_for_oid(
- x509.OID_AUTHORITY_KEY_IDENTIFIER
+ ExtensionOID.AUTHORITY_KEY_IDENTIFIER
 )
 assert ext is not None
 assert ext.critical is False
@@ -2073,10 +2080,10 @@ class TestAuthorityKeyIdentifierExtension(object):
 x509.DirectoryName(
 x509.Name([
 x509.NameAttribute(
- x509.OID_ORGANIZATION_NAME, u"PyCA"
+ NameOID.ORGANIZATION_NAME, u"PyCA"
 ),
 x509.NameAttribute(
- x509.OID_COMMON_NAME, u"cryptography.io"
+ NameOID.COMMON_NAME, u"cryptography.io"
 )
 ])
 )
@@ -2092,7 +2099,7 @@ class TestAuthorityKeyIdentifierExtension(object): backend ) ext = cert.extensions.get_extension_for_oid( - x509.OID_AUTHORITY_KEY_IDENTIFIER + ExtensionOID.AUTHORITY_KEY_IDENTIFIER ) assert ext is not None assert ext.critical is False @@ -2102,10 +2109,10 @@ class TestAuthorityKeyIdentifierExtension(object): x509.DirectoryName( x509.Name([ x509.NameAttribute( - x509.OID_ORGANIZATION_NAME, u"PyCA" + NameOID.ORGANIZATION_NAME, u"PyCA" ), x509.NameAttribute( - x509.OID_COMMON_NAME, u"cryptography.io" + NameOID.COMMON_NAME, u"cryptography.io" ) ]) ) @@ -2124,7 +2131,7 @@ class TestAuthorityKeyIdentifierExtension(object): backend ) ext = cert.extensions.get_extension_for_oid( - x509.OID_AUTHORITY_KEY_IDENTIFIER + ExtensionOID.AUTHORITY_KEY_IDENTIFIER ) aki = x509.AuthorityKeyIdentifier.from_issuer_public_key( issuer_cert.public_key() @@ -2241,7 +2248,7 @@ class TestNameConstraintsExtension(object): backend ) nc = cert.extensions.get_extension_for_oid( - x509.OID_NAME_CONSTRAINTS + ExtensionOID.NAME_CONSTRAINTS ).value assert nc == x509.NameConstraints( permitted_subtrees=[ @@ -2249,7 +2256,7 @@ class TestNameConstraintsExtension(object): ], excluded_subtrees=[ x509.DirectoryName(x509.Name([ - x509.NameAttribute(x509.OID_COMMON_NAME, u"zombo") + x509.NameAttribute(NameOID.COMMON_NAME, u"zombo") ])) ] ) @@ -2263,7 +2270,7 @@ class TestNameConstraintsExtension(object): backend ) nc = cert.extensions.get_extension_for_oid( - x509.OID_NAME_CONSTRAINTS + ExtensionOID.NAME_CONSTRAINTS ).value assert nc == x509.NameConstraints( permitted_subtrees=[ @@ -2281,7 +2288,7 @@ class TestNameConstraintsExtension(object): backend ) nc = cert.extensions.get_extension_for_oid( - x509.OID_NAME_CONSTRAINTS + ExtensionOID.NAME_CONSTRAINTS ).value assert nc == x509.NameConstraints( permitted_subtrees=[ 
@@ -2300,7 +2307,7 @@ class TestNameConstraintsExtension(object): backend ) nc = cert.extensions.get_extension_for_oid( - x509.OID_NAME_CONSTRAINTS + ExtensionOID.NAME_CONSTRAINTS ).value assert nc == x509.NameConstraints( permitted_subtrees=None, @@ -2319,7 +2326,7 @@ class TestNameConstraintsExtension(object): backend ) nc = cert.extensions.get_extension_for_oid( - x509.OID_NAME_CONSTRAINTS + ExtensionOID.NAME_CONSTRAINTS ).value assert nc == x509.NameConstraints( permitted_subtrees=[ @@ -2341,7 +2348,7 @@ class TestNameConstraintsExtension(object): backend ) nc = cert.extensions.get_extension_for_oid( - x509.OID_NAME_CONSTRAINTS + ExtensionOID.NAME_CONSTRAINTS ).value assert nc == x509.NameConstraints( permitted_subtrees=[ @@ -2361,7 +2368,7 @@ class TestNameConstraintsExtension(object): ) with pytest.raises(ValueError): cert.extensions.get_extension_for_oid( - x509.OID_NAME_CONSTRAINTS + ExtensionOID.NAME_CONSTRAINTS ) @@ -2435,7 +2442,7 @@ class TestDistributionPoint(object): x509.DirectoryName( x509.Name([ x509.NameAttribute( - x509.OID_COMMON_NAME, u"Important CA" + NameOID.COMMON_NAME, u"Important CA" ) ]) ) @@ -2449,7 +2456,7 @@ class TestDistributionPoint(object): x509.DirectoryName( x509.Name([ x509.NameAttribute( - x509.OID_COMMON_NAME, u"Important CA" + NameOID.COMMON_NAME, u"Important CA" ) ]) ) @@ -2466,7 +2473,7 @@ class TestDistributionPoint(object): x509.DirectoryName( x509.Name([ x509.NameAttribute( - x509.OID_COMMON_NAME, u"Important CA" + NameOID.COMMON_NAME, u"Important CA" ) ]) ) @@ -2485,14 +2492,14 @@ class TestDistributionPoint(object): dp = x509.DistributionPoint( None, x509.Name([ - x509.NameAttribute(x509.OID_COMMON_NAME, u"myCN") + x509.NameAttribute(NameOID.COMMON_NAME, u"myCN") ]), frozenset([x509.ReasonFlags.ca_compromise]), [ x509.DirectoryName( x509.Name([ x509.NameAttribute( - x509.OID_COMMON_NAME, u"Important CA" + NameOID.COMMON_NAME, u"Important CA" ) ]) ) 
@@ -2670,24 +2677,24 @@ class TestCRLDistributionPointsExtension(object): ) cdps = cert.extensions.get_extension_for_oid( - x509.OID_CRL_DISTRIBUTION_POINTS + ExtensionOID.CRL_DISTRIBUTION_POINTS ).value assert cdps == x509.CRLDistributionPoints([ x509.DistributionPoint( full_name=[x509.DirectoryName( x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"), + x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), x509.NameAttribute( - x509.OID_ORGANIZATION_NAME, + NameOID.ORGANIZATION_NAME, u"Test Certificates 2011" ), x509.NameAttribute( - x509.OID_ORGANIZATIONAL_UNIT_NAME, + NameOID.ORGANIZATIONAL_UNIT_NAME, u"indirectCRL CA3 cRLIssuer" ), x509.NameAttribute( - x509.OID_COMMON_NAME, + NameOID.COMMON_NAME, u"indirect CRL for indirectCRL CA3" ), ]) @@ -2696,13 +2703,13 @@ class TestCRLDistributionPointsExtension(object): reasons=None, crl_issuer=[x509.DirectoryName( x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"), + x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), x509.NameAttribute( - x509.OID_ORGANIZATION_NAME, + NameOID.ORGANIZATION_NAME, u"Test Certificates 2011" ), x509.NameAttribute( - x509.OID_ORGANIZATIONAL_UNIT_NAME, + NameOID.ORGANIZATIONAL_UNIT_NAME, u"indirectCRL CA3 cRLIssuer" ), ]) @@ -2720,7 +2727,7 @@ class TestCRLDistributionPointsExtension(object): ) cdps = cert.extensions.get_extension_for_oid( - x509.OID_CRL_DISTRIBUTION_POINTS + ExtensionOID.CRL_DISTRIBUTION_POINTS ).value assert cdps == x509.CRLDistributionPoints([ 
@@ -2728,20 +2735,20 @@ class TestCRLDistributionPointsExtension(object): full_name=None, relative_name=x509.Name([ x509.NameAttribute( - x509.OID_COMMON_NAME, + NameOID.COMMON_NAME, u"indirect CRL for indirectCRL CA3" ), ]), reasons=None, crl_issuer=[x509.DirectoryName( x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"), + x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), x509.NameAttribute( - x509.OID_ORGANIZATION_NAME, + NameOID.ORGANIZATION_NAME, u"Test Certificates 2011" ), x509.NameAttribute( - x509.OID_ORGANIZATIONAL_UNIT_NAME, + NameOID.ORGANIZATIONAL_UNIT_NAME, u"indirectCRL CA3 cRLIssuer" ), ]) @@ -2759,7 +2766,7 @@ class TestCRLDistributionPointsExtension(object): ) cdps = cert.extensions.get_extension_for_oid( - x509.OID_CRL_DISTRIBUTION_POINTS + ExtensionOID.CRL_DISTRIBUTION_POINTS ).value assert cdps == x509.CRLDistributionPoints([ @@ -2774,12 +2781,12 @@ class TestCRLDistributionPointsExtension(object): ]), crl_issuer=[x509.DirectoryName( x509.Name([ - x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"), + x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), x509.NameAttribute( - x509.OID_ORGANIZATION_NAME, u"PyCA" + NameOID.ORGANIZATION_NAME, u"PyCA" ), x509.NameAttribute( - x509.OID_COMMON_NAME, u"cryptography CA" + NameOID.COMMON_NAME, u"cryptography CA" ), ]) )], @@ -2796,7 +2803,7 @@ class TestCRLDistributionPointsExtension(object): ) cdps = cert.extensions.get_extension_for_oid( - x509.OID_CRL_DISTRIBUTION_POINTS + ExtensionOID.CRL_DISTRIBUTION_POINTS ).value assert cdps == x509.CRLDistributionPoints([ @@ -2829,7 +2836,7 @@ class TestCRLDistributionPointsExtension(object): ) cdps = cert.extensions.get_extension_for_oid( - x509.OID_CRL_DISTRIBUTION_POINTS + ExtensionOID.CRL_DISTRIBUTION_POINTS ).value assert cdps == x509.CRLDistributionPoints([ 
@@ -2853,7 +2860,7 @@ class TestCRLDistributionPointsExtension(object): ) cdps = cert.extensions.get_extension_for_oid( - x509.OID_CRL_DISTRIBUTION_POINTS + ExtensionOID.CRL_DISTRIBUTION_POINTS ).value assert cdps == x509.CRLDistributionPoints([ @@ -2864,7 +2871,7 @@ class TestCRLDistributionPointsExtension(object): crl_issuer=[x509.DirectoryName( x509.Name([ x509.NameAttribute( - x509.OID_COMMON_NAME, u"cryptography CA" + NameOID.COMMON_NAME, u"cryptography CA" ), ]) )], @@ -2884,7 +2891,7 @@ class TestOCSPNoCheckExtension(object): backend ) ext = cert.extensions.get_extension_for_oid( - x509.OID_OCSP_NO_CHECK + ExtensionOID.OCSP_NO_CHECK ) assert isinstance(ext.value, x509.OCSPNoCheck) @@ -2926,7 +2933,7 @@ class TestInhibitAnyPolicyExtension(object): backend ) iap = cert.extensions.get_extension_for_oid( - x509.OID_INHIBIT_ANY_POLICY + ExtensionOID.INHIBIT_ANY_POLICY ).value assert iap.skip_certs == 5 |