diff options
33 files changed, 1017 insertions, 151 deletions
diff --git a/.travis.yml b/.travis.yml index b6f6f0cf..71efd8ff 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,29 +1,109 @@ -language: c -os: - - osx - - linux -compiler: - - clang - - gcc -env: - matrix: - - TOXENV=py26 - - TOXENV=py27 - - TOXENV=py32 - - TOXENV=py33 - - TOXENV=py34 - - TOXENV=pypy - - TOXENV=pypy3 - - TOXENV=py26 OPENSSL=0.9.8 - - TOXENV=py27 OPENSSL=0.9.8 - - TOXENV=py32 OPENSSL=0.9.8 - - TOXENV=py33 OPENSSL=0.9.8 - - TOXENV=py34 OPENSSL=0.9.8 - - TOXENV=pypy OPENSSL=0.9.8 - - TOXENV=pypy3 OPENSSL=0.9.8 - - TOXENV=docs - - TOXENV=pep8 - - TOXENV=py3pep8 +sudo: false +language: python +cache: + directories: + - $HOME/.cache/pip +matrix: + include: + - python: 2.6 # these are just to make travis's UI a bit prettier + env: TOXENV=py26 + - python: 2.7 + env: TOXENV=py27 + - python: 3.3 + env: TOXENV=py33 + - python: 3.4 + env: TOXENV=py34 + - python: pypy + env: TOXENV=pypy + - python: 2.6 + env: TOXENV=py26 OPENSSL=0.9.8 + addons: + apt: + sources: + - lucid + packages: + - libssl-dev/lucid + - python: 2.7 + env: TOXENV=py27 OPENSSL=0.9.8 + addons: + apt: + sources: + - lucid + packages: + - libssl-dev/lucid + - python: 3.3 + env: TOXENV=py33 OPENSSL=0.9.8 + addons: + apt: + sources: + - lucid + packages: + - libssl-dev/lucid + - python: 3.4 + env: TOXENV=py34 OPENSSL=0.9.8 + addons: + apt: + sources: + - lucid + packages: + - libssl-dev/lucid + - python: pypy + env: TOXENV=pypy OPENSSL=0.9.8 + addons: + apt: + sources: + - lucid + packages: + - libssl-dev/lucid + - python: 2.7 + env: TOXENV=docs + addons: + apt: + packages: + - libenchant-dev + - python: 2.7 + env: TOXENV=pep8 + - python: 3.3 + env: TOXENV=py3pep8 + - language: generic + os: osx + env: TOXENV=py26 + - language: generic + os: osx + env: TOXENV=py27 + - language: generic + os: osx + env: TOXENV=py33 + - language: generic + os: osx + env: TOXENV=py34 + - language: generic + os: osx + env: TOXENV=pypy + - language: generic + os: osx + env: TOXENV=pypy3 + - language: generic + os: osx + env: TOXENV=py26 OPENSSL=0.9.8 + - language: generic + os: osx + env: TOXENV=py27 OPENSSL=0.9.8 + - language: generic + os: osx + env: TOXENV=py33 OPENSSL=0.9.8 + - language: generic + os: osx + env: TOXENV=py34 OPENSSL=0.9.8 + - language: generic + os: osx + env: TOXENV=pypy OPENSSL=0.9.8 + - language: generic + os: osx + env: TOXENV=pypy3 OPENSSL=0.9.8 + - language: generic + os: osx + env: TOXENV=docs install: - ./.travis/install.sh @@ -40,31 +120,3 @@ notifications: - "irc.freenode.org#cryptography-dev" use_notice: true skip_join: true - webhooks: - - https://buildtimetrend.herokuapp.com/travis - -matrix: - exclude: - # excluding pypy3 from linux configs until the ubuntu ppa has pypy3 available. - - os: linux - env: TOXENV=pypy3 - - os: linux - env: TOXENV=pypy3 OPENSSL=0.9.8 - - os: osx - compiler: gcc - - os: osx - env: TOXENV=pep8 - compiler: clang - - os: osx - env: TOXENV=py3pep8 - compiler: clang - - - os: linux - env: TOXENV=docs - compiler: clang - - os: linux - env: TOXENV=pep8 - compiler: clang - - os: linux - env: TOXENV=py3pep8 - compiler: clang diff --git a/.travis/install.sh b/.travis/install.sh index aacfc5a0..9e14a92d 100755 --- a/.travis/install.sh +++ b/.travis/install.sh @@ -3,7 +3,6 @@ set -e set -x - if [[ "$(uname -s)" == 'Darwin' ]]; then brew update @@ -18,16 +17,11 @@ if [[ "$(uname -s)" == 'Darwin' ]]; then case "${TOXENV}" in py26) curl -O https://bootstrap.pypa.io/get-pip.py - sudo python get-pip.py + python get-pip.py --user ;; py27) curl -O https://bootstrap.pypa.io/get-pip.py - sudo python get-pip.py - ;; - py32) - brew upgrade pyenv - pyenv install 3.2.6 - pyenv global 3.2.6 + python get-pip.py --user ;; py33) brew upgrade pyenv @@ -51,55 +45,15 @@ if [[ "$(uname -s)" == 'Darwin' ]]; then ;; docs) curl -O https://bootstrap.pypa.io/get-pip.py - sudo python get-pip.py + python get-pip.py --user ;; esac pyenv rehash - + pip install --user virtualenv else - sudo add-apt-repository -y ppa:fkrull/deadsnakes - - if [[ "${TOXENV}" == "pypy" ]]; then - sudo add-apt-repository -y ppa:pypy/ppa - fi - - if [[ "${OPENSSL}" == "0.9.8" ]]; then - sudo add-apt-repository -y "deb http://archive.ubuntu.com/ubuntu/ lucid main" - fi - - # Retry `update` on failure, some of the servers aren't super reliable. - sudo apt-get -y update || sudo apt-get -y update || sudo apt-get -y update - - if [[ "${OPENSSL}" == "0.9.8" ]]; then - sudo apt-get install -y --force-yes libssl-dev/lucid - fi - - case "${TOXENV}" in - py26) - sudo apt-get install python2.6 python2.6-dev - ;; - py32) - sudo apt-get install python3.2 python3.2-dev - ;; - py33) - sudo apt-get install python3.3 python3.3-dev - ;; - py34) - sudo apt-get install python3.4 python3.4-dev - ;; - py3pep8) - sudo apt-get install python3.3 python3.3-dev - ;; - pypy) - sudo apt-get install --force-yes pypy pypy-dev - ;; - docs) - sudo apt-get install libenchant-dev - ;; - esac + pip install virtualenv fi -sudo pip install virtualenv -virtualenv ~/.venv +python -m virtualenv ~/.venv source ~/.venv/bin/activate pip install tox coveralls diff --git a/AUTHORS.rst b/AUTHORS.rst index adf51af2..6e92a84f 100644 --- a/AUTHORS.rst +++ b/AUTHORS.rst @@ -21,3 +21,4 @@ PGP key fingerprints are enclosed in parentheses. * Mark Adams <mark@markadams.me> (A18A 7DD3 283C CF2A B0CE FE0E C7A0 5E3F C972 098C) * Gregory Haynes <greg@greghaynes.net> (6FB6 44BF 9FD0 EBA2 1CE9 471F B08F 42F9 0DC6 599F) * Chelsea Winfree <chelsea.winfree@gmail.com> +* Steven Buss <steven.buss@gmail.com> (1FB9 2EC1 CF93 DFD6 B47F F583 B1A5 6C22 290D A4C3) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index fd92a56b..c91b7c75 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -6,6 +6,8 @@ Changelog .. note:: This version is not yet released and is under active development. +* Removed support for Python 3.2. This version of Python is rarely used + and caused support headaches. Users affected by this should upgrade to 3.3+. * Deprecated support for Python 2.6. At the time there is no time table for actually dropping support, however we strongly encourage all users to upgrade their Python, as Python 2.6 no longer receives support from the Python core @@ -27,6 +29,10 @@ Changelog * Add support for parsing X.509 certificate signing requests (CSRs) with :func:`~cryptography.x509.load_pem_x509_csr` and :func:`~cryptography.x509.load_der_x509_csr`. +* Moved ``cryptography.exceptions.InvalidToken`` to + :class:`cryptography.hazmat.primitives.twofactor.InvalidToken` and deprecated + the old location. This was moved to minimize confusion between this exception + and :class:`cryptography.fernet.InvalidToken`. 0.8.2 - 2015-04-10 ~~~~~~~~~~~~~~~~~~ @@ -18,7 +18,7 @@ Cryptography ``cryptography`` is a package which provides cryptographic recipes and primitives to Python developers. Our goal is for it to be your "cryptographic -standard library". It supports Python 2.6-2.7, Python 3.2+, and PyPy. +standard library". It supports Python 2.6-2.7, Python 3.3+, and PyPy. ``cryptography`` includes both high level recipes, and low level interfaces to common cryptographic algorithms such as symmetric ciphers, message digests and diff --git a/docs/development/getting-started.rst b/docs/development/getting-started.rst index f5d6c190..b3474002 100644 --- a/docs/development/getting-started.rst +++ b/docs/development/getting-started.rst @@ -44,7 +44,6 @@ each supported Python version and run the tests. For example: ERROR: py26: InterpreterNotFound: python2.6 py27: commands succeeded ERROR: pypy: InterpreterNotFound: pypy - ERROR: py32: InterpreterNotFound: python3.2 py33: commands succeeded docs: commands succeeded pep8: commands succeeded diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index a102fa9f..69f54d3a 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -140,6 +140,14 @@ Custom X.509 Vectors subject alternative name extension with the ``registeredID`` general name. * ``all_key_usages.pem`` - An RSA 2048 bit self-signed certificate containing a key usage extension with all nine purposes set to true. +* ``san_idna_names.pem`` - An RSA 2048 bit self-signed certificate containing + a subject alternative name extension with ``rfc822Name``, ``dNSName``, and + ``uniformResourceIdentifier`` general names with IDNA (:rfc:`5895`) encoding. +* ``san_rfc822_names.pem`` - An RSA 2048 bit self-signed certificate containing + a subject alternative name extension with various ``rfc822Name`` values. +* ``san_uri_with_port.pem`` - An RSA 2048 bit self-signed certificate + containing a subject alternative name extension with various + ``uniformResourceIdentifier`` values. Custom X.509 Request Vectors ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/docs/exceptions.rst b/docs/exceptions.rst index 28da8ecc..59d7d9d7 100644 --- a/docs/exceptions.rst +++ b/docs/exceptions.rst @@ -37,9 +37,3 @@ Exceptions This is raised when the verify method of a key derivation function's computed key does not match the expected key. - - -.. class:: InvalidToken - - This is raised when the verify method of a one time password function's - computed token does not match the expected token. diff --git a/docs/hazmat/primitives/asymmetric/rsa.rst b/docs/hazmat/primitives/asymmetric/rsa.rst index a5187749..3b5b677b 100644 --- a/docs/hazmat/primitives/asymmetric/rsa.rst +++ b/docs/hazmat/primitives/asymmetric/rsa.rst @@ -688,4 +688,4 @@ Key interfaces .. _`Chinese Remainder Theorem`: https://en.wikipedia.org/wiki/RSA_%28cryptosystem%29#Using_the_Chinese_remainder_algorithm .. _`security proof`: http://eprint.iacr.org/2001/062.pdf .. _`recommended padding algorithm`: http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html -.. _`proven secure`: http://cseweb.ucsd.edu/users/mihir/papers/oae.pdf +.. _`proven secure`: http://cseweb.ucsd.edu/~mihir/papers/oae.pdf diff --git a/docs/hazmat/primitives/asymmetric/utils.rst b/docs/hazmat/primitives/asymmetric/utils.rst index 6b348801..7380f0b5 100644 --- a/docs/hazmat/primitives/asymmetric/utils.rst +++ b/docs/hazmat/primitives/asymmetric/utils.rst @@ -15,6 +15,8 @@ Asymmetric Utilities :returns: The decoded tuple ``(r, s)``. + :raises ValueError: Raised if the signature is malformed. + .. function:: encode_rfc6979_signature(r, s) Creates an :rfc:`6979` byte string from raw signature values. diff --git a/docs/hazmat/primitives/twofactor.rst b/docs/hazmat/primitives/twofactor.rst index 89d81222..dd3e0250 100644 --- a/docs/hazmat/primitives/twofactor.rst +++ b/docs/hazmat/primitives/twofactor.rst @@ -11,6 +11,11 @@ Currently, it contains an algorithm for generating and verifying one time password values based on Hash-based message authentication codes (HMAC). +.. class:: InvalidToken + + This is raised when the verify method of a one time password function's + computed token does not match the expected token. + .. currentmodule:: cryptography.hazmat.primitives.twofactor.hotp .. class:: HOTP(key, length, algorithm, backend) @@ -66,8 +71,8 @@ codes (HMAC). :param bytes hotp: The one time password value to validate. :param int counter: The counter value to validate against. - :raises cryptography.exceptions.InvalidToken: This is raised when the - supplied HOTP does not match the expected HOTP. + :raises cryptography.hazmat.primitives.twofactor.InvalidToken: This + is raised when the supplied HOTP does not match the expected HOTP. Throttling ~~~~~~~~~~ @@ -164,5 +169,5 @@ similar to the following code. :param bytes totp: The one time password value to validate. :param int time: The time value to validate against. - :raises cryptography.exceptions.InvalidToken: This is raised when the - supplied TOTP does not match the expected TOTP. + :raises cryptography.hazmat.primitives.twofactor.InvalidToken: This + is raised when the supplied TOTP does not match the expected TOTP. diff --git a/docs/installation.rst b/docs/installation.rst index c061903e..1c25ff78 100644 --- a/docs/installation.rst +++ b/docs/installation.rst @@ -10,7 +10,7 @@ You can install ``cryptography`` with ``pip``: Supported platforms ------------------- -Currently we test ``cryptography`` on Python 2.6, 2.7, 3.2, 3.3, 3.4 and PyPy +Currently we test ``cryptography`` on Python 2.6, 2.7, 3.3, 3.4 and PyPy on these operating systems. * x86-64 CentOS 7.x, 6.4 and CentOS 5.x diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index f7b73b38..b7c4c6c2 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt @@ -36,6 +36,7 @@ iterable Koblitz Lange metadata +multi naïve namespace namespaces diff --git a/docs/x509.rst b/docs/x509.rst index d09651fb..035fa87f 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -271,11 +271,18 @@ X.509 Certificate Object :raises cryptography.x509.DuplicateExtension: If more than one extension of the same type is found within the certificate. + :raises cryptography.x509.UnsupportedExtension: If the certificate + contains an extension that is not supported. + + :raises cryptography.x509.UnsupportedGeneralNameType: If an extension + contains a general name that is not supported. + .. doctest:: >>> for ext in cert.extensions: ... print(ext) <Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectKeyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(digest='X\x01\x84$\x1b\xbc+R\x94J=\xa5\x10r\x14Q\xf5\xaf:\xc9')>)> + <Extension(oid=<ObjectIdentifier(oid=2.5.29.15, name=keyUsage)>, critical=True, value=<KeyUsage(digital_signature=False, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=True, crl_sign=True, encipher_only=None, decipher_only=None)>)> <Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConstraints)>, critical=True, value=<BasicConstraints(ca=True, path_length=None)>)> X.509 CSR (Certificate Signing Request) Object @@ -398,6 +405,80 @@ X.509 CSR (Certificate Signing Request) Object The dotted string value of the OID (e.g. ``"2.5.4.3"``) +.. _general_name_classes: + +General Name Classes +~~~~~~~~~~~~~~~~~~~~ + +.. class:: GeneralName + + .. versionadded:: 0.9 + + This is the generic interface that all the following classes are registered + against. + +.. class:: RFC822Name + + .. versionadded:: 0.9 + + This corresponds to an email address. For example, ``user@example.com``. + + .. attribute:: value + + :type: :term:`text` + +.. class:: DNSName + + .. versionadded:: 0.9 + + This corresponds to a domain name. For example, ``cryptography.io``. + + .. attribute:: value + + :type: :term:`text` + +.. class:: DirectoryName + + .. versionadded:: 0.9 + + This corresponds to a directory name. + + .. attribute:: value + + :type: :class:`Name` + +.. class:: UniformResourceIdentifier + + .. versionadded:: 0.9 + + This corresponds to a uniform resource identifier. For example, + ``https://cryptography.io``. + + .. attribute:: value + + :type: :term:`text` + +.. class:: IPAddress + + .. versionadded:: 0.9 + + This corresponds to an IP address. + + .. attribute:: value + + :type: :class:`~ipaddress.IPv4Address` or + :class:`~ipaddress.IPv6Address`. + +.. class:: RegisteredID + + .. versionadded:: 0.9 + + This corresponds to a registered ID. + + .. attribute:: value + + :type: :class:`ObjectIdentifier` + X.509 Extensions ~~~~~~~~~~~~~~~~ @@ -417,9 +498,6 @@ X.509 Extensions :raises cryptography.x509.ExtensionNotFound: If the certificate does not have the extension requested. - :raises cryptography.x509.UnsupportedExtension: If the certificate - contains an extension that is not supported. - .. doctest:: >>> cert.extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS) @@ -577,6 +655,35 @@ X.509 Extensions purposes indicated in the key usage extension. The object is iterable to obtain the list of :ref:`extended key usage OIDs <eku_oids>`. +.. class:: AuthorityKeyIdentifier + + .. versionadded:: 0.9 + + The authority key identifier extension provides a means of identifying the + public key corresponding to the private key used to sign a certificate. + This extension is typically used to assist in determining the appropriate + certificate chain. For more information about generation and use of this + extension see `RFC 5280 section 4.2.1.1`_. + + .. attribute:: key_identifier + + :type: bytes + + A value derived from the public key used to verify the certificate's + signature. + + .. attribute:: authority_cert_issuer + + :type: :class:`Name` or None + + The :class:`Name` of the issuer's issuer. + + .. attribute:: authority_cert_serial_number + + :type: int or None + + The serial number of the issuer's issuer. + .. class:: SubjectKeyIdentifier .. versionadded:: 0.9 @@ -590,6 +697,22 @@ X.509 Extensions The binary value of the identifier. +.. class:: SubjectAlternativeName + + .. versionadded:: 0.9 + + Subject alternative name is an X.509 extension that provides a list of + :ref:`general name <general_name_classes>` instances that provide a set + of identities for which the certificate is valid. The object is iterable to + get every element. + + .. method:: get_values_for_type(type) + + :param type: A :class:`GeneralName` provider. This is one of the + :ref:`general name classes <general_name_classes>`. + + :returns: A list of values extracted from the matched general names. + Object Identifiers ~~~~~~~~~~~~~~~~~~ @@ -844,6 +967,20 @@ Exceptions Returns the OID. +.. class:: UnsupportedGeneralNameType + + This is raised when a certificate contains an unsupported general name + type in an extension. + + .. attribute:: type + + :type: int + + The integer value of the unsupported type. The complete list of + types can be found in `RFC 5280 section 4.2.1.6`_. + .. _`public key infrastructure`: https://en.wikipedia.org/wiki/Public_key_infrastructure .. _`TLS`: https://en.wikipedia.org/wiki/Transport_Layer_Security +.. _`RFC 5280 section 4.2.1.1`: https://tools.ietf.org/html/rfc5280#section-4.2.1.1 +.. _`RFC 5280 section 4.2.1.6`: https://tools.ietf.org/html/rfc5280#section-4.2.1.6 @@ -29,22 +29,23 @@ with open(os.path.join(src_dir, "cryptography", "__about__.py")) as f: exec(f.read(), about) -SETUPTOOLS_DEPENDENCY = "setuptools" -CFFI_DEPENDENCY = "cffi>=0.8" -SIX_DEPENDENCY = "six>=1.4.1" VECTORS_DEPENDENCY = "cryptography_vectors=={0}".format(about['__version__']) requirements = [ + "idna", "pyasn1", - SIX_DEPENDENCY, - SETUPTOOLS_DEPENDENCY + "six>=1.4.1", + "setuptools" ] if sys.version_info < (3, 4): requirements.append("enum34") +if sys.version_info < (3, 3): + requirements.append("ipaddress") + if platform.python_implementation() != "PyPy": - requirements.append(CFFI_DEPENDENCY) + requirements.append("cffi>=0.8") # If you add a new dep here you probably need to add it in the tox.ini as well test_requirements = [ @@ -318,7 +319,6 @@ setup( "Programming Language :: Python :: 2.6", "Programming Language :: Python :: 2.7", "Programming Language :: Python :: 3", - "Programming Language :: Python :: 3.2", "Programming Language :: Python :: 3.3", "Programming Language :: Python :: 3.4", "Programming Language :: Python :: Implementation :: CPython", diff --git a/src/cryptography/exceptions.py b/src/cryptography/exceptions.py index 102165c7..a4292eb8 100644 --- a/src/cryptography/exceptions.py +++ b/src/cryptography/exceptions.py @@ -6,6 +6,9 @@ from __future__ import absolute_import, division, print_function from enum import Enum +from cryptography import utils +from cryptography.hazmat.primitives import twofactor + class _Reasons(Enum): BACKEND_MISSING_INTERFACE = 0 @@ -53,5 +56,12 @@ class InvalidKey(Exception): pass -class InvalidToken(Exception): - pass +InvalidToken = utils.deprecated( + twofactor.InvalidToken, + __name__, + ( + "The InvalidToken exception has moved to the " + "cryptography.hazmat.primitives.twofactor module" + ), + utils.DeprecatedIn09 +) diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py index 5d47c5ea..c21aeeb1 100644 --- a/src/cryptography/hazmat/backends/openssl/x509.py +++ b/src/cryptography/hazmat/backends/openssl/x509.py @@ -14,7 +14,8 @@ from __future__ import absolute_import, division, print_function import datetime -import warnings + +import idna from cryptography import utils, x509 from cryptography.exceptions import UnsupportedAlgorithm @@ -58,6 +59,23 @@ def _build_x509_name(backend, x509_name): return x509.Name(attributes) +def _build_general_name(backend, gn): + if gn.type == backend._lib.GEN_DNS: + data = backend._ffi.buffer(gn.d.dNSName.data, gn.d.dNSName.length)[:] + return x509.DNSName(idna.decode(data)) + elif gn.type == backend._lib.GEN_RID: + oid = _obj2txt(backend, gn.d.registeredID) + return x509.RegisteredID(x509.ObjectIdentifier(oid)) + else: + # otherName, x400Address or ediPartyName + raise x509.UnsupportedGeneralNameType( + "{0} is not a supported type".format( + x509._GENERAL_NAMES.get(gn.type, gn.type) + ), + gn.type + ) + + @utils.register_interface(x509.Certificate) class _Certificate(object): def __init__(self, backend, x509): @@ -172,14 +190,10 @@ class _Certificate(object): value = self._build_basic_constraints(ext) elif oid == x509.OID_SUBJECT_KEY_IDENTIFIER: value = self._build_subject_key_identifier(ext) - elif oid == x509.OID_KEY_USAGE and critical: - # TODO: remove this obviously. - warnings.warn( - "Extension support is not fully implemented. A key usage " - "extension with the critical flag was seen and IGNORED." - ) - seen_oids.add(oid) - continue + elif oid == x509.OID_KEY_USAGE: + value = self._build_key_usage(ext) + elif oid == x509.OID_SUBJECT_ALTERNATIVE_NAME: + value = self._build_subject_alt_name(ext) elif critical: raise x509.UnsupportedExtension( "{0} is not currently supported".format(oid), oid @@ -232,6 +246,53 @@ class _Certificate(object): self._backend._ffi.buffer(asn1_string.data, asn1_string.length)[:] ) + def _build_key_usage(self, ext): + bit_string = self._backend._lib.X509V3_EXT_d2i(ext) + assert bit_string != self._backend._ffi.NULL + bit_string = self._backend._ffi.cast("ASN1_BIT_STRING *", bit_string) + bit_string = self._backend._ffi.gc( + bit_string, self._backend._lib.ASN1_BIT_STRING_free + ) + get_bit = self._backend._lib.ASN1_BIT_STRING_get_bit + digital_signature = get_bit(bit_string, 0) == 1 + content_commitment = get_bit(bit_string, 1) == 1 + key_encipherment = get_bit(bit_string, 2) == 1 + data_encipherment = get_bit(bit_string, 3) == 1 + key_agreement = get_bit(bit_string, 4) == 1 + key_cert_sign = get_bit(bit_string, 5) == 1 + crl_sign = get_bit(bit_string, 6) == 1 + encipher_only = get_bit(bit_string, 7) == 1 + decipher_only = get_bit(bit_string, 8) == 1 + return x509.KeyUsage( + digital_signature, + content_commitment, + key_encipherment, + data_encipherment, + key_agreement, + key_cert_sign, + crl_sign, + encipher_only, + decipher_only + ) + + def _build_subject_alt_name(self, ext): + gns = self._backend._ffi.cast( + "GENERAL_NAMES *", self._backend._lib.X509V3_EXT_d2i(ext) + ) + assert gns != self._backend._ffi.NULL + gns = self._backend._ffi.gc(gns, self._backend._lib.GENERAL_NAMES_free) + num = self._backend._lib.sk_GENERAL_NAME_num(gns) + general_names = [] + + for i in range(num): + gn = self._backend._lib.sk_GENERAL_NAME_value(gns, i) + assert gn != self._backend._ffi.NULL + value = _build_general_name(self._backend, gn) + + general_names.append(value) + + return x509.SubjectAlternativeName(general_names) + @utils.register_interface(x509.CertificateSigningRequest) class _CertificateSigningRequest(object): diff --git a/src/cryptography/hazmat/bindings/openssl/asn1.py b/src/cryptography/hazmat/bindings/openssl/asn1.py index 45dfe758..475bd052 100644 --- a/src/cryptography/hazmat/bindings/openssl/asn1.py +++ b/src/cryptography/hazmat/bindings/openssl/asn1.py @@ -120,6 +120,7 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *, int, int); """ MACROS = """ +void ASN1_BIT_STRING_free(ASN1_BIT_STRING *); /* This is not a macro, but is const on some versions of OpenSSL */ int ASN1_BIT_STRING_get_bit(ASN1_BIT_STRING *, int); ASN1_TIME *M_ASN1_TIME_dup(void *); diff --git a/src/cryptography/hazmat/bindings/openssl/ssl.py b/src/cryptography/hazmat/bindings/openssl/ssl.py index d680c3a5..6161a9d1 100644 --- a/src/cryptography/hazmat/bindings/openssl/ssl.py +++ b/src/cryptography/hazmat/bindings/openssl/ssl.py @@ -526,7 +526,7 @@ static const long Cryptography_HAS_NEXTPROTONEG = 1; #endif /* ALPN was added in OpenSSL 1.0.2. */ -#if OPENSSL_VERSION_NUMBER < 0x10002001L +#if OPENSSL_VERSION_NUMBER < 0x10002001L && !defined(LIBRESSL_VERSION_NUMBER) int (*SSL_CTX_set_alpn_protos)(SSL_CTX *, const unsigned char *, unsigned) = NULL; diff --git a/src/cryptography/hazmat/primitives/asymmetric/utils.py b/src/cryptography/hazmat/primitives/asymmetric/utils.py index 71f4ff8e..29390e40 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/utils.py +++ b/src/cryptography/hazmat/primitives/asymmetric/utils.py @@ -4,6 +4,7 @@ from __future__ import absolute_import, division, print_function +from pyasn1.codec.ber import eoo from pyasn1.codec.der import decoder, encoder from pyasn1.error import PyAsn1Error from pyasn1.type import namedtype, univ @@ -28,6 +29,12 @@ def decode_rfc6979_signature(signature): raise ValueError( "The signature contains bytes after the end of the ASN.1 sequence." ) + # pyasn1 can erroneously return this from top-level DER decoding. + # It's intended as a sentinel in recursive BER decoding, so it's + # returned even though an asn1Spec is provided. + if eoo.endOfOctets.isSameTypeWith(data) and data == eoo.endOfOctets: + raise ValueError("Invalid signature data. Unable to decode ASN.1") + r = int(data.getComponentByName('r')) s = int(data.getComponentByName('s')) return (r, s) diff --git a/src/cryptography/hazmat/primitives/twofactor/__init__.py b/src/cryptography/hazmat/primitives/twofactor/__init__.py index 4b540884..e71f9e67 100644 --- a/src/cryptography/hazmat/primitives/twofactor/__init__.py +++ b/src/cryptography/hazmat/primitives/twofactor/__init__.py @@ -3,3 +3,7 @@ # for complete details. from __future__ import absolute_import, division, print_function + + +class InvalidToken(Exception): + pass diff --git a/src/cryptography/hazmat/primitives/twofactor/hotp.py b/src/cryptography/hazmat/primitives/twofactor/hotp.py index 1dac920f..ba228b40 100644 --- a/src/cryptography/hazmat/primitives/twofactor/hotp.py +++ b/src/cryptography/hazmat/primitives/twofactor/hotp.py @@ -9,11 +9,12 @@ import struct import six from cryptography.exceptions import ( - InvalidToken, UnsupportedAlgorithm, _Reasons + UnsupportedAlgorithm, _Reasons ) from cryptography.hazmat.backends.interfaces import HMACBackend from cryptography.hazmat.primitives import constant_time, hmac from cryptography.hazmat.primitives.hashes import SHA1, SHA256, SHA512 +from cryptography.hazmat.primitives.twofactor import InvalidToken class HOTP(object): diff --git a/src/cryptography/hazmat/primitives/twofactor/totp.py b/src/cryptography/hazmat/primitives/twofactor/totp.py index 0b04a131..03df9292 100644 --- a/src/cryptography/hazmat/primitives/twofactor/totp.py +++ b/src/cryptography/hazmat/primitives/twofactor/totp.py @@ -5,10 +5,11 @@ from __future__ import absolute_import, division, print_function from cryptography.exceptions import ( - InvalidToken, UnsupportedAlgorithm, _Reasons + UnsupportedAlgorithm, _Reasons ) from cryptography.hazmat.backends.interfaces import HMACBackend from cryptography.hazmat.primitives import constant_time +from cryptography.hazmat.primitives.twofactor import InvalidToken from cryptography.hazmat.primitives.twofactor.hotp import HOTP diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py index 0f8cbb27..445554ec 100644 --- a/src/cryptography/utils.py +++ b/src/cryptography/utils.py @@ -11,6 +11,7 @@ import warnings DeprecatedIn08 = DeprecationWarning +DeprecatedIn09 = PendingDeprecationWarning def read_only_property(name): diff --git a/src/cryptography/x509.py b/src/cryptography/x509.py index a9b6f8bd..dd6ea926 100644 --- a/src/cryptography/x509.py +++ b/src/cryptography/x509.py @@ -5,6 +5,7 @@ from __future__ import absolute_import, division, print_function import abc +import ipaddress from enum import Enum import six @@ -69,6 +70,19 @@ _OID_NAMES = { } +_GENERAL_NAMES = { + 0: "otherName", + 1: "rfc822Name", + 2: "dNSName", + 3: "x400Address", + 4: "directoryName", + 5: "ediPartyName", + 6: "uniformResourceIdentifier", + 7: "iPAddress", + 8: "registeredID", +} + + class Version(Enum): v1 = 0 v3 = 2 @@ -114,6 +128,12 @@ class ExtensionNotFound(Exception): self.oid = oid +class UnsupportedGeneralNameType(Exception): + def __init__(self, msg, type): + super(UnsupportedGeneralNameType, self).__init__(msg) + self.type = type + + class NameAttribute(object): def __init__(self, oid, value): if not isinstance(oid, ObjectIdentifier): @@ -353,8 +373,8 @@ class KeyUsage(object): encipher_only = self.encipher_only decipher_only = self.decipher_only except ValueError: - encipher_only = "N/A" - decipher_only = "N/A" + encipher_only = None + decipher_only = None return ("<KeyUsage(digital_signature={0.digital_signature}, " "content_commitment={0.content_commitment}, " @@ -387,6 +407,218 @@ class SubjectKeyIdentifier(object): return not self == other +@six.add_metaclass(abc.ABCMeta) +class GeneralName(object): + @abc.abstractproperty + def value(self): + """ + Return the value of the object + """ + + +@utils.register_interface(GeneralName) +class RFC822Name(object): + def __init__(self, value): + if not isinstance(value, six.text_type): + raise TypeError("value must be a unicode string") + + self._value = value + + value = utils.read_only_property("_value") + + def __repr__(self): + return "<RFC822Name(value={0})>".format(self.value) + + def __eq__(self, other): + if not isinstance(other, RFC822Name): + return NotImplemented + + return self.value == other.value + + def __ne__(self, other): + return not self == other + + +@utils.register_interface(GeneralName) +class DNSName(object): + def __init__(self, value): + if not isinstance(value, six.text_type): + raise TypeError("value must be a unicode string") + + self._value = value + + value = utils.read_only_property("_value") + + def __repr__(self): + return "<DNSName(value={0})>".format(self.value) + + def __eq__(self, other): + if not isinstance(other, DNSName): + return NotImplemented + + return self.value == other.value + + def __ne__(self, other): + return not self == other + + +@utils.register_interface(GeneralName) +class UniformResourceIdentifier(object): + def __init__(self, value): + if not isinstance(value, six.text_type): + raise TypeError("value must be a unicode string") + + self._value = value + + value = utils.read_only_property("_value") + + def __repr__(self): + return "<UniformResourceIdentifier(value={0})>".format(self.value) + + def __eq__(self, other): + if not isinstance(other, UniformResourceIdentifier): + return NotImplemented + + return self.value == other.value + + def __ne__(self, other): + return not self == other + + +@utils.register_interface(GeneralName) +class DirectoryName(object): + def __init__(self, value): + if not isinstance(value, Name): + raise TypeError("value must be a Name") + + self._value = value + + value = utils.read_only_property("_value") + + def __repr__(self): + return "<DirectoryName(value={0})>".format(self.value) + + def __eq__(self, other): + if not isinstance(other, DirectoryName): + return NotImplemented + + return self.value == other.value + + def __ne__(self, other): + return not self == other + + +@utils.register_interface(GeneralName) +class RegisteredID(object): + def __init__(self, value): + if not isinstance(value, ObjectIdentifier): + raise TypeError("value must be an ObjectIdentifier") + + self._value = value + + value = utils.read_only_property("_value") + + def __repr__(self): + return "<RegisteredID(value={0})>".format(self.value) + + def __eq__(self, other): + if not isinstance(other, RegisteredID): + return NotImplemented + + return self.value == other.value + + def __ne__(self, other): + return not self == other + + +@utils.register_interface(GeneralName) +class IPAddress(object): + def __init__(self, value): + if not isinstance( + value, (ipaddress.IPv4Address, ipaddress.IPv6Address) + ): + raise TypeError( + "value must be an instance of ipaddress.IPv4Address or " + "ipaddress.IPv6Address" + ) + + self._value = value + + value = utils.read_only_property("_value") + + def __repr__(self): + return "<IPAddress(value={0})>".format(self.value) + + def __eq__(self, other): + if not isinstance(other, IPAddress): + return NotImplemented + + return self.value == other.value + + def __ne__(self, other): + return not self == other + + +class SubjectAlternativeName(object): + def __init__(self, general_names): + if not all(isinstance(x, GeneralName) for x in general_names): + raise TypeError( + "Every item in the general_names list must be an " + "object conforming to the GeneralName interface" + ) + + self._general_names = general_names + + def __iter__(self): + return iter(self._general_names) + + def __len__(self): + return len(self._general_names) + + def get_values_for_type(self, type): + return [i.value for i in self if isinstance(i, type)] + + def __repr__(self): + return "<SubjectAlternativeName({0})>".format(self._general_names) + + +class AuthorityKeyIdentifier(object): + def __init__(self, key_identifier, authority_cert_issuer, + authority_cert_serial_number): + if authority_cert_issuer or authority_cert_serial_number: + if not authority_cert_issuer or not authority_cert_serial_number: + raise ValueError( + "authority_cert_issuer and authority_cert_serial_number " + "must both be present or both None" + ) + + if not isinstance(authority_cert_issuer, Name): + raise TypeError("authority_cert_issuer must be a Name") + + if not isinstance(authority_cert_serial_number, six.integer_types): + raise TypeError( + "authority_cert_serial_number must be an integer" + ) + + self._key_identifier = key_identifier + self._authority_cert_issuer = authority_cert_issuer + self._authority_cert_serial_number = authority_cert_serial_number + + def __repr__(self): + return ( + "<AuthorityKeyIdentifier(key_identifier={0.key_identifier!r}, " + "authority_cert_issuer={0.authority_cert_issuer}, " + "authority_cert_serial_number={0.authority_cert_serial_number}" + ")>".format(self) + ) + + key_identifier = utils.read_only_property("_key_identifier") + authority_cert_issuer = utils.read_only_property("_authority_cert_issuer") + authority_cert_serial_number = utils.read_only_property( + "_authority_cert_serial_number" + ) + + OID_COMMON_NAME = ObjectIdentifier("2.5.4.3") OID_COUNTRY_NAME = ObjectIdentifier("2.5.4.6") OID_LOCALITY_NAME = ObjectIdentifier("2.5.4.7") diff --git a/tests/hazmat/primitives/test_asym_utils.py b/tests/hazmat/primitives/test_asym_utils.py index bf55bad8..c3fbedf9 100644 --- a/tests/hazmat/primitives/test_asym_utils.py +++ b/tests/hazmat/primitives/test_asym_utils.py @@ -63,3 +63,8 @@ def test_decode_rfc6979_invalid_asn1(): # This byte sequence has an invalid ASN.1 sequence length as well as # an invalid integer length for the second integer. decode_rfc6979_signature(b"0\x07\x02\x01\x01\x02\x02\x01") + + with pytest.raises(ValueError): + # This is the BER "end-of-contents octets," which pyasn1 is + # wrongly willing to return from top-level DER decoding. + decode_rfc6979_signature(b"\x00\x00") diff --git a/tests/hazmat/primitives/twofactor/test_hotp.py b/tests/hazmat/primitives/twofactor/test_hotp.py index a76aa6e3..a5d1c284 100644 --- a/tests/hazmat/primitives/twofactor/test_hotp.py +++ b/tests/hazmat/primitives/twofactor/test_hotp.py @@ -8,10 +8,11 @@ import os import pytest -from cryptography.exceptions import InvalidToken, _Reasons +from cryptography.exceptions import _Reasons from cryptography.hazmat.backends.interfaces import HMACBackend from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.hashes import MD5, SHA1 +from cryptography.hazmat.primitives.twofactor import InvalidToken from cryptography.hazmat.primitives.twofactor.hotp import HOTP from ....utils import ( diff --git a/tests/hazmat/primitives/twofactor/test_totp.py b/tests/hazmat/primitives/twofactor/test_totp.py index 05321089..6039983e 100644 --- a/tests/hazmat/primitives/twofactor/test_totp.py +++ b/tests/hazmat/primitives/twofactor/test_totp.py @@ -6,9 +6,10 @@ from __future__ import absolute_import, division, print_function import pytest -from cryptography.exceptions import InvalidToken, _Reasons +from cryptography.exceptions import _Reasons from cryptography.hazmat.backends.interfaces import HMACBackend from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives.twofactor import InvalidToken from cryptography.hazmat.primitives.twofactor.totp import TOTP from ....utils import ( diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index c2d33d92..bce6781f 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -5,6 +5,7 @@ from __future__ import absolute_import, division, print_function import binascii +import ipaddress import os import pytest @@ -149,8 +150,8 @@ class TestKeyUsage(object): assert repr(ku) == ( "<KeyUsage(digital_signature=True, content_commitment=True, key_en" "cipherment=False, data_encipherment=False, key_agreement=False, k" - "ey_cert_sign=True, crl_sign=False, encipher_only=N/A, decipher_on" - "ly=N/A)>" + "ey_cert_sign=True, crl_sign=False, encipher_only=None, decipher_o" + "nly=None)>" ) def test_repr_key_agreement_true(self): @@ -219,6 +220,57 @@ class TestSubjectKeyIdentifier(object): assert ski != object() +class TestAuthorityKeyIdentifier(object): + def test_authority_cert_issuer_not_name(self): + with pytest.raises(TypeError): + x509.AuthorityKeyIdentifier(b"identifier", "notname", 3) + + def test_authority_cert_serial_number_not_integer(self): + name = x509.Name([ + x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1'), + x509.NameAttribute(x509.ObjectIdentifier('oid2'), 'value2'), + ]) + with pytest.raises(TypeError): + x509.AuthorityKeyIdentifier(b"identifier", name, "notanint") + + def test_authority_issuer_none_serial_not_none(self): + with pytest.raises(ValueError): + x509.AuthorityKeyIdentifier(b"identifier", None, 3) + + def test_authority_issuer_not_none_serial_none(self): + name = x509.Name([ + x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1'), + x509.NameAttribute(x509.ObjectIdentifier('oid2'), 'value2'), + ]) + with pytest.raises(ValueError): + x509.AuthorityKeyIdentifier(b"identifier", name, None) + + def test_authority_cert_serial_and_issuer_none(self): + aki = x509.AuthorityKeyIdentifier(b"id", None, None) + assert aki.key_identifier == b"id" + assert aki.authority_cert_issuer is None + assert aki.authority_cert_serial_number is None + + def test_repr(self): + name = x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'myCN')]) + aki = x509.AuthorityKeyIdentifier(b"digest", name, 1234) + + if six.PY3: + assert repr(aki) == ( + "<AuthorityKeyIdentifier(key_identifier=b'digest', authority_" + "cert_issuer=<Name([<NameAttribute(oid=<ObjectIdentifier(oid=" + "2.5.4.3, name=commonName)>, value='myCN')>])>, authority_cer" + "t_serial_number=1234)>" + ) + else: + assert repr(aki) == ( + "<AuthorityKeyIdentifier(key_identifier='digest', authority_ce" + "rt_issuer=<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5" + ".4.3, name=commonName)>, value='myCN')>])>, authority_cert_se" + "rial_number=1234)>" + ) + + class TestBasicConstraints(object): def test_ca_not_boolean(self): with pytest.raises(TypeError): @@ -463,3 +515,276 @@ class TestSubjectKeyIdentifierExtension(object): cert.extensions.get_extension_for_oid( x509.OID_SUBJECT_KEY_IDENTIFIER ) + + +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestKeyUsageExtension(object): + def test_no_key_usage(self, backend): + cert = _load_cert( + os.path.join("x509", "verisign_md2_root.pem"), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions + with pytest.raises(x509.ExtensionNotFound) as exc: + ext.get_extension_for_oid(x509.OID_KEY_USAGE) + + assert exc.value.oid == x509.OID_KEY_USAGE + + def test_all_purposes(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "all_key_usages.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + extensions = cert.extensions + ext = extensions.get_extension_for_oid(x509.OID_KEY_USAGE) + assert ext is not None + + ku = ext.value + assert ku.digital_signature is True + assert ku.content_commitment is True + assert ku.key_encipherment is True + assert ku.data_encipherment is True + assert ku.key_agreement is True + assert ku.key_cert_sign is True + assert ku.crl_sign is True + assert ku.encipher_only is True + assert ku.decipher_only is True + + def test_key_cert_sign_crl_sign(self, backend): + cert = _load_cert( + os.path.join( + "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt" + ), + x509.load_der_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid(x509.OID_KEY_USAGE) + assert ext is not None + assert ext.critical is True + + ku = ext.value + assert ku.digital_signature is False + assert ku.content_commitment is False + assert ku.key_encipherment is False + assert ku.data_encipherment is False + assert ku.key_agreement is False + assert ku.key_cert_sign is True + assert ku.crl_sign is True + + +@pytest.mark.parametrize( + "name", [ + x509.RFC822Name, + x509.DNSName, + x509.UniformResourceIdentifier + ] +) +class TestTextGeneralNames(object): + def test_not_text(self, name): + with pytest.raises(TypeError): + name(b"notaunicodestring") + + with pytest.raises(TypeError): + name(1.3) + + def test_repr(self, name): + gn = name(six.u("string")) + assert repr(gn) == "<{0}(value=string)>".format(name.__name__) + + def test_eq(self, name): + gn = name(six.u("string")) + gn2 = name(six.u("string")) + assert gn == gn2 + + def test_ne(self, name): + gn = name(six.u("string")) + gn2 = name(six.u("string2")) + assert gn != gn2 + assert gn != object() + + +class TestDirectoryName(object): + def test_not_name(self): + with pytest.raises(TypeError): + x509.DirectoryName(b"notaname") + + with pytest.raises(TypeError): + x509.DirectoryName(1.3) + + def test_repr(self): + name = x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'value1')]) + gn = x509.DirectoryName(x509.Name([name])) + assert repr(gn) == ( + "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<ObjectIden" + "tifier(oid=2.5.4.3, name=commonName)>, value='value1')>])>])>)>" + ) + + def test_eq(self): + name = x509.Name([ + x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1') + ]) + name2 = x509.Name([ + x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1') + ]) + gn = x509.DirectoryName(x509.Name([name])) + gn2 = x509.DirectoryName(x509.Name([name2])) + assert gn == gn2 + + def test_ne(self): + name = x509.Name([ + x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1') + ]) + name2 = x509.Name([ + x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value2') + ]) + gn = x509.DirectoryName(x509.Name([name])) + gn2 = x509.DirectoryName(x509.Name([name2])) + assert gn != gn2 + assert gn != object() + + +class TestRegisteredID(object): + def test_not_oid(self): + with pytest.raises(TypeError): + x509.RegisteredID(b"notanoid") + + with pytest.raises(TypeError): + x509.RegisteredID(1.3) + + def test_repr(self): + gn = x509.RegisteredID(x509.OID_COMMON_NAME) + assert repr(gn) == ( + "<RegisteredID(value=<ObjectIdentifier(oid=2.5.4.3, name=commonNam" + "e)>)>" + ) + + def test_eq(self): + gn = x509.RegisteredID(x509.OID_COMMON_NAME) + gn2 = x509.RegisteredID(x509.OID_COMMON_NAME) + assert gn == gn2 + + def test_ne(self): + gn = x509.RegisteredID(x509.OID_COMMON_NAME) + gn2 = x509.RegisteredID(x509.OID_BASIC_CONSTRAINTS) + assert gn != gn2 + assert gn != object() + + +class TestIPAddress(object): + def test_not_ipaddress(self): + with pytest.raises(TypeError): + x509.IPAddress(b"notanipaddress") + + with pytest.raises(TypeError): + x509.IPAddress(1.3) + + def test_repr(self): + gn = x509.IPAddress(ipaddress.IPv4Address(six.u("127.0.0.1"))) + assert repr(gn) == "<IPAddress(value=127.0.0.1)>" + + gn2 = x509.IPAddress(ipaddress.IPv6Address(six.u("ff::"))) + assert repr(gn2) == "<IPAddress(value=ff::)>" + + def test_eq(self): + gn = x509.IPAddress(ipaddress.IPv4Address(six.u("127.0.0.1"))) + gn2 = x509.IPAddress(ipaddress.IPv4Address(six.u("127.0.0.1"))) + assert gn == gn2 + + def test_ne(self): + gn = x509.IPAddress(ipaddress.IPv4Address(six.u("127.0.0.1"))) + gn2 = x509.IPAddress(ipaddress.IPv4Address(six.u("127.0.0.2"))) + assert gn != gn2 + assert gn != object() + + +class TestSubjectAlternativeName(object): + def test_get_values_for_type(self): + san = x509.SubjectAlternativeName( + [x509.DNSName(six.u("cryptography.io"))] + ) + names = san.get_values_for_type(x509.DNSName) + assert names == [six.u("cryptography.io")] + + def test_iter_names(self): + san = x509.SubjectAlternativeName([ + x509.DNSName(six.u("cryptography.io")), + x509.DNSName(six.u("crypto.local")), + ]) + assert len(san) == 2 + assert list(san) == [ + x509.DNSName(six.u("cryptography.io")), + x509.DNSName(six.u("crypto.local")), + ] + + def test_invalid_general_names(self): + with pytest.raises(TypeError): + x509.SubjectAlternativeName( + [x509.DNSName(six.u("cryptography.io")), "invalid"] + ) + + def test_repr(self): + san = x509.SubjectAlternativeName( + [ + x509.DNSName(six.u("cryptography.io")) + ] + ) + assert repr(san) == ( + "<SubjectAlternativeName([<DNSName(value=cryptography.io)>])>" + ) + + +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestRSASubjectAlternativeNameExtension(object): + def test_dns_name(self, backend): + cert = _load_cert( + os.path.join("x509", "cryptography.io.pem"), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + x509.OID_SUBJECT_ALTERNATIVE_NAME + ) + assert ext is not None + assert ext.critical is False + + san = ext.value + + dns = san.get_values_for_type(x509.DNSName) + assert dns == [u"www.cryptography.io", u"cryptography.io"] + + def test_unsupported_other_name(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "san_other_name.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + with pytest.raises(x509.UnsupportedGeneralNameType) as exc: + cert.extensions + + assert exc.value.type == 0 + + def test_registered_id(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "san_registered_id.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + x509.OID_SUBJECT_ALTERNATIVE_NAME + ) + assert ext is not None + assert ext.critical is False + + san = ext.value + rid = san.get_values_for_type(x509.RegisteredID) + assert rid == [x509.ObjectIdentifier("1.2.3.4")] @@ -1,5 +1,5 @@ [tox] -envlist = py26,py27,pypy,py32,py33,py34,docs,pep8,py3pep8 +envlist = py26,py27,pypy,py33,py34,docs,pep8,py3pep8 [testenv] # If you add a new dep here you probably need to add it in setup.py as well diff --git a/vectors/cryptography_vectors/x509/custom/san_idna_names.pem b/vectors/cryptography_vectors/x509/custom/san_idna_names.pem new file mode 100644 index 00000000..29034b85 --- /dev/null +++ b/vectors/cryptography_vectors/x509/custom/san_idna_names.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDGDCCAgCgAwIBAgITBmkKn/MvOUXQk1/lN2si9LdhbTANBgkqhkiG9w0BAQUF +ADAPMQ0wCwYDVQQKDARQeUNBMB4XDTE1MDQyMDEwNTI0NloXDTE2MDQxOTEwNTI0 +NlowDzENMAsGA1UECgwEUHlDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBALKXpkqcSgZeT5NpvKzMdbVy2zJZUaCqF6ghWHAEhebCl9FgS7CY/RcBjZj2 +lPS6Xep614zDQbV17q2WliZNJH7s3Q3tq7mhlYDsScd5cZPyM/p+0dCzVTeUp0NE +636TDzobcqRk6qWT53vBgvWvS3RF4UfanUB+l6KwsD0YXOX82TmHIzX2CQApD9m7 +rTPvB4L5hbqo2lwlHzRZM3Ejh0X5vazBKU4nADS/ePY7KQjGM/UUD37Sm7ApxQa3 +EaMx+QQvmWHC/J53wY1fOAAWj60baZ6+24/GZJzThXPdcFIB5Jh6+iFoPUr/iF8R +N54C7pZJ3G1wV37zp1Dv/32FPqkCAwEAAaNtMGswaQYDVR0RBGIwYIEeZW1haWxA +eG4tLTgwYXRvMmMuY3J5cHRvZ3JhcGh5ghh4bi0tODBhdG8yYy5jcnlwdG9ncmFw +aHmGJGh0dHBzOi8vd3d3LnhuLS04MGF0bzJjLmNyeXB0b2dyYXBoeTANBgkqhkiG +9w0BAQUFAAOCAQEAHovYDe4tb+/fHOtOgskw0iyXmVLFrZ6Y6Yng5PKFaWIKd9ew +dkErdNs9ZcQwo+SFdql2pxOCb6sHxo9XukVIHZZzr3so8so18c5f2TaZKzYL0bzv +znfINwkSbF80seuW/dsR+4wGvtEz5ox/96MkTsnP3tFjNS+2zF9ghtTg/XABtNBD +dCDIeD0fX4zEdMKb2tME1lsyra7fy6K1ZOYW+NefCABNer59SON+G8a0DzkaB6DO +jT8yAu85NvHtnHXYGl4nsE7/HndFZSU8GQHYsTAr1kJUfU3CZfoLSRvjlHnNFwWn +ddn9wNOpNYiILGwg1FFtGUuqi9z/rZb3zZlA3g== +-----END CERTIFICATE----- diff --git a/vectors/cryptography_vectors/x509/custom/san_rfc822_names.pem b/vectors/cryptography_vectors/x509/custom/san_rfc822_names.pem new file mode 100644 index 00000000..f07e6bab --- /dev/null +++ b/vectors/cryptography_vectors/x509/custom/san_rfc822_names.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDDjCCAfagAwIBAgITBmkNiyOeghKn10MwmYC7ggPHDjANBgkqhkiG9w0BAQUF +ADAPMQ0wCwYDVQQKDARQeUNBMB4XDTE1MDQyMDEzMzgxOFoXDTE2MDQxOTEzMzgx +OFowDzENMAsGA1UECgwEUHlDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBALKXpkqcSgZeT5NpvKzMdbVy2zJZUaCqF6ghWHAEhebCl9FgS7CY/RcBjZj2 +lPS6Xep614zDQbV17q2WliZNJH7s3Q3tq7mhlYDsScd5cZPyM/p+0dCzVTeUp0NE +636TDzobcqRk6qWT53vBgvWvS3RF4UfanUB+l6KwsD0YXOX82TmHIzX2CQApD9m7 +rTPvB4L5hbqo2lwlHzRZM3Ejh0X5vazBKU4nADS/ePY7KQjGM/UUD37Sm7ApxQa3 +EaMx+QQvmWHC/J53wY1fOAAWj60baZ6+24/GZJzThXPdcFIB5Jh6+iFoPUr/iF8R +N54C7pZJ3G1wV37zp1Dv/32FPqkCAwEAAaNjMGEwXwYDVR0RBFgwVoEFZW1haWyB +DWVtYWlsIDxlbWFpbD6BE2VtYWlsIDxlbWFpbEBlbWFpbD6BH2VtYWlsIDxlbWFp +bEB4bi0tZW1sLXZsYTRjLmNvbT6BCG15ZW1haWw6MA0GCSqGSIb3DQEBBQUAA4IB +AQCeV4X93YQMWRZpSUdxDSFUpu3GOXvJeDB+rUWnTEoRohjWU3QO8qOVqS+WqkP1 +EkYSTJc4bs50NCIK8QS1LJPt3jMfYDiVW0WP4sV57XzoLE6qtuaTKn0oAqz5Vn9c +5LG5MTPcYlDEuGQet4DvqtF+oAqjOeAm/rELW22K/JxAR6nZT3wnH5WyaK7nQItR +LFarWRraA8q8sIOVs1HR+vubEYk/5u6n3AXmzxZztWLp5Ow0/8x6XU/IwJlqg+rj +fDJeYJCW8p8G/lStcKSPsBvJC45fZFFI2oOUNs0J+FsKoCihzN3ShbirxMbMY+Hy +ZLL0a0t1JexOoqEvUORZXAFL +-----END CERTIFICATE----- diff --git a/vectors/cryptography_vectors/x509/custom/san_uri_with_port.pem b/vectors/cryptography_vectors/x509/custom/san_uri_with_port.pem new file mode 100644 index 00000000..ef5469c9 --- /dev/null +++ b/vectors/cryptography_vectors/x509/custom/san_uri_with_port.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDCzCCAfOgAwIBAgITBmkNrLuW5WVCtzoww7S9wuDJgzANBgkqhkiG9w0BAQUF +ADAPMQ0wCwYDVQQKDARQeUNBMB4XDTE1MDQyMDEzNDU0NFoXDTE2MDQxOTEzNDU0 +NFowDzENMAsGA1UECgwEUHlDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBALKXpkqcSgZeT5NpvKzMdbVy2zJZUaCqF6ghWHAEhebCl9FgS7CY/RcBjZj2 +lPS6Xep614zDQbV17q2WliZNJH7s3Q3tq7mhlYDsScd5cZPyM/p+0dCzVTeUp0NE +636TDzobcqRk6qWT53vBgvWvS3RF4UfanUB+l6KwsD0YXOX82TmHIzX2CQApD9m7 +rTPvB4L5hbqo2lwlHzRZM3Ejh0X5vazBKU4nADS/ePY7KQjGM/UUD37Sm7ApxQa3 +EaMx+QQvmWHC/J53wY1fOAAWj60baZ6+24/GZJzThXPdcFIB5Jh6+iFoPUr/iF8R +N54C7pZJ3G1wV37zp1Dv/32FPqkCAwEAAaNgMF4wXAYDVR0RBFUwU4YzZ29waGVy +Oi8veG4tLTgwYXRvMmMuY3J5cHRvZ3JhcGh5OjcwL3BhdGg/cT1zI2hlbGxvhhxo +dHRwOi8vc29tZXJlZ3VsYXJkb21haW4uY29tMA0GCSqGSIb3DQEBBQUAA4IBAQAx +iR2laJvCh4B6BQ8H7Fytcr8sXf3ih4aA6LQIYy/a2eNpIc58DJimg13rXo8YQ35Z +9Xh6nfhyg3CIrq63UMbIi7NAKzKJMhcMTvcfgXp2TIQWvpFAfothvHL+0cjiOF17 +hG+BwcV/MawDZbtJmFjA97XzPJkkgku0dggd91xIi4PEcNLvjCqb81QMExokfa9U +/LkSanGCZHMR0OkfsIFjsNCwj01wYUI0nVoMuLCELer+1rPP03lS2ibiQujZ6C1c +2PC3wZ9Ymy3ysfDzB9+9tgIhqDE6RZ+QWa/2m1Qf10LtAG1EEPA8aWgWU0zcYPEX +vpZ0upM8Tx81CkAGf/3m +-----END CERTIFICATE----- |