-rw-r--r--docs/x509/reference.rst2
-rw-r--r--src/cryptography/hazmat/backends/openssl/decode_asn1.py10
-rw-r--r--src/cryptography/hazmat/backends/openssl/encode_asn1.py4
-rw-r--r--src/cryptography/x509/general_name.py67
-rw-r--r--tests/x509/test_x509.py55
-rw-r--r--tests/x509/test_x509_ext.py245
-rw-r--r--tests/x509/test_x509_revokedcertbuilder.py4
7 files changed, 193 insertions, 194 deletions
diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst
index 951e6b7d..238a24e5 100644
--- a/docs/x509/reference.rst
+++ b/docs/x509/reference.rst
@@ -611,7 +611,7 @@ X.509 Certificate Builder
>>> builder = builder.public_key(public_key)
>>> builder = builder.add_extension(
... x509.SubjectAlternativeName(
- ... [x509.DNSName(b'cryptography.io')]
+ ... [x509.DNSName(u'cryptography.io')]
... ),
... critical=False
... )
diff --git a/src/cryptography/hazmat/backends/openssl/decode_asn1.py b/src/cryptography/hazmat/backends/openssl/decode_asn1.py
index 2665fb22..aefb2422 100644
--- a/src/cryptography/hazmat/backends/openssl/decode_asn1.py
+++ b/src/cryptography/hazmat/backends/openssl/decode_asn1.py
@@ -88,8 +88,14 @@ def _decode_general_names(backend, gns):
def _decode_general_name(backend, gn):
if gn.type == backend._lib.GEN_DNS:
- data = _asn1_string_to_bytes(backend, gn.d.dNSName)
- return x509.DNSName(data)
+ # Convert to bytes and then decode to utf8. We don't use
+ # asn1_string_to_utf8 here because it doesn't properly convert
+ # utf8 from ia5strings.
+ data = _asn1_string_to_bytes(backend, gn.d.dNSName).decode("utf8")
+ # We don't use the constructor for DNSName so we can bypass validation
+ # This allows us to create DNSName objects that have unicode chars
+ # when a certificate (against the RFC) contains them.
+ return x509.DNSName._init_without_validation(data)
elif gn.type == backend._lib.GEN_URI:
data = _asn1_string_to_bytes(backend, gn.d.uniformResourceIdentifier)
return x509.UniformResourceIdentifier(data)
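Review bot: The `.decode("utf8")` added to the GEN_DNS branch raises `UnicodeDecodeError` when a certificate's dNSName holds bytes that are not valid UTF-8, and the hunk neither handles nor documents that. Certificates are untrusted input, so the failure mode should be deliberate: either state it in the comment, e.g. `# Raises UnicodeDecodeError (a ValueError) if the bytes are not valid UTF-8.`, or catch it and raise whatever error type the decoder uses for other malformed extensions, which is not visible here. Because `_init_without_validation` skips every check, the comment should also say that the resulting `value` is unvalidated text, not a checked hostname. `_decode_general_name` continues past the end of this hunk.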
diff --git a/src/cryptography/hazmat/backends/openssl/encode_asn1.py b/src/cryptography/hazmat/backends/openssl/encode_asn1.py
index e45e1050..3177cf96 100644
--- a/src/cryptography/hazmat/backends/openssl/encode_asn1.py
+++ b/src/cryptography/hazmat/backends/openssl/encode_asn1.py
@@ -368,7 +368,9 @@ def _encode_general_name(backend, name):
ia5 = backend._lib.ASN1_IA5STRING_new()
backend.openssl_assert(ia5 != backend._ffi.NULL)
- value = name.bytes_value
+ # ia5strings are supposed to be ITU T.50 but to allow round-tripping
+ # of broken certs that encode utf8 we'll encode utf8 here too.
+ value = name.value.encode("utf8")
res = backend._lib.ASN1_STRING_set(ia5, value, len(value))
backend.openssl_assert(res == 1)
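Review bot: The new comment above `value = name.value.encode("utf8")` does not say which `DNSName` objects can actually carry non-ASCII text at this point. Judging by the general_name.py changes in this commit, the public constructor IDNA-encodes anything non-ASCII, so only instances built with `_init_without_validation` should arrive here with U-label characters. I would extend the comment with `# Only DNSName._init_without_validation instances can be non-ASCII here; the output is then a non-conforming IA5String.` A caller that copies names from a parsed request or certificate into a new certificate therefore gets no validation on this path and has to check the names itself. `_encode_general_name` starts and ends outside the hunk.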
diff --git a/src/cryptography/x509/general_name.py b/src/cryptography/x509/general_name.py
index 768be3bb..d4d92c88 100644
--- a/src/cryptography/x509/general_name.py
+++ b/src/cryptography/x509/general_name.py
@@ -131,8 +131,8 @@ def _idna_encode(value):
for prefix in ['*.', '.']:
if value.startswith(prefix):
value = value[len(prefix):]
- return prefix.encode('ascii') + idna.encode(value)
- return idna.encode(value)
+ return prefix + idna.encode(value).decode("ascii")
+ return idna.encode(value).decode("ascii")
@utils.register_interface(GeneralName)
@@ -140,73 +140,44 @@ class DNSName(object):
def __init__(self, value):
if isinstance(value, six.text_type):
try:
- value = value.encode("ascii")
+ value.encode("ascii")
except UnicodeEncodeError:
value = _idna_encode(value)
warnings.warn(
- "DNSName values should be passed as idna-encoded bytes, "
- "not strings. Support for passing unicode strings will be "
- "removed in a future version.",
- utils.DeprecatedIn21,
- stacklevel=2,
- )
- else:
- warnings.warn(
- "DNSName values should be passed as bytes, not strings. "
- "Support for passing unicode strings will be removed in a "
- "future version.",
+ "DNSName values should be passed as an A-label string. "
+ "This means unicode characters should be encoded via "
+ "idna. Support for passing unicode strings (aka U-label) "
+ " will be removed in a future version.",
utils.DeprecatedIn21,
stacklevel=2,
)
- elif not isinstance(value, bytes):
- raise TypeError("value must be bytes")
+ else:
+ raise TypeError("value must be string")
- self._bytes_value = value
+ self._value = value
- bytes_value = utils.read_only_property("_bytes_value")
+ value = utils.read_only_property("_value")
- @property
- def value(self):
- warnings.warn(
- "DNSName.bytes_value should be used instead of DNSName.value; it "
- "contains the DNS name as raw bytes, instead of as an idna-decoded"
- " unicode string. DNSName.value will be removed in a future "
- "version.",
- utils.DeprecatedIn21,
- stacklevel=2
- )
- data = self._bytes_value
- if not data:
- decoded = u""
- elif data.startswith(b"*."):
- # This is a wildcard name. We need to remove the leading wildcard,
- # IDNA decode, then re-add the wildcard. Wildcard characters should
- # always be left-most (RFC 2595 section 2.4).
- decoded = u"*." + idna.decode(data[2:])
- else:
- # Not a wildcard, decode away. If the string has a * in it anywhere
- # invalid this will raise an InvalidCodePoint
- decoded = idna.decode(data)
- if data.startswith(b"."):
- # idna strips leading periods. Name constraints can have that
- # so we need to re-add it. Sigh.
- decoded = u"." + decoded
- return decoded
+ @classmethod
+ def _init_without_validation(cls, value):
+ instance = cls.__new__(cls)
+ instance._value = value
+ return instance
def __repr__(self):
- return "<DNSName(bytes_value={0!r})>".format(self.bytes_value)
+ return "<DNSName(value={0!r})>".format(self.value)
def __eq__(self, other):
if not isinstance(other, DNSName):
return NotImplemented
- return self.bytes_value == other.bytes_value
+ return self.value == other.value
def __ne__(self, other):
return not self == other
def __hash__(self):
- return hash(self.bytes_value)
+ return hash(self.value)
@utils.register_interface(GeneralName)
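Review bot: `_init_without_validation` has no docstring, although it is the one path that lets a `DNSName` hold text that is not an A-label. Suggest `"""Build a DNSName from already-decoded text, skipping the type and IDNA checks in __init__; for parsed certificates whose names violate the RFC."""`. Since `__eq__` and `__hash__` compare `value` verbatim, such an instance will not equal the A-label form of the same domain, which deserves a sentence there too. Separately, the new warning text has a doubled space where `"(aka U-label) "` is followed by `" will be removed in a future version."`; drop the leading space of the second literal.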
diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
index 0ce0a632..afe1c0e9 100644
--- a/tests/x509/test_x509.py
+++ b/tests/x509/test_x509.py
@@ -226,7 +226,7 @@ class TestCertificateRevocationList(object):
assert aia.value == x509.AuthorityInformationAccess([
x509.AccessDescription(
AuthorityInformationAccessOID.CA_ISSUERS,
- x509.DNSName(b"cryptography.io")
+ x509.DNSName(u"cryptography.io")
)
])
assert ian.value == x509.IssuerAlternativeName([
@@ -777,6 +777,24 @@ class TestRSACertificate(object):
)
]
+ def test_non_ascii_dns_name(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "utf8-dnsname.pem"),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ san = cert.extensions.get_extension_for_class(
+ x509.SubjectAlternativeName
+ ).value
+
+ names = san.get_values_for_type(x509.DNSName)
+
+ assert names == [
+ u'partner.biztositas.hu', u'biztositas.hu', u'*.biztositas.hu',
+ u'biztos\xedt\xe1s.hu', u'*.biztos\xedt\xe1s.hu',
+ u'xn--biztosts-fza2j.hu', u'*.xn--biztosts-fza2j.hu'
+ ]
+
def test_all_subject_name_types(self, backend):
cert = _load_cert(
os.path.join(
@@ -1243,8 +1261,8 @@ class TestRSACertificateRequest(object):
ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert list(ext.value) == [
- x509.DNSName(b"cryptography.io"),
- x509.DNSName(b"sub.cryptography.io"),
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"sub.cryptography.io"),
]
def test_public_bytes_pem(self, backend):
@@ -1472,7 +1490,7 @@ class TestRSACertificateRequest(object):
).add_extension(
x509.BasicConstraints(ca=False, path_length=None), True,
).add_extension(
- x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]),
+ x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
critical=False,
).not_valid_before(
not_valid_before
@@ -1494,7 +1512,7 @@ class TestRSACertificateRequest(object):
ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert list(subject_alternative_name.value) == [
- x509.DNSName(b"cryptography.io"),
+ x509.DNSName(u"cryptography.io"),
]
def test_build_cert_private_type_encoding(self, backend):
@@ -2122,7 +2140,7 @@ class TestCertificateBuilder(object):
).add_extension(
x509.BasicConstraints(ca=False, path_length=None), True,
).add_extension(
- x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]),
+ x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
critical=False,
).not_valid_before(
not_valid_before
@@ -2144,7 +2162,7 @@ class TestCertificateBuilder(object):
ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert list(subject_alternative_name.value) == [
- x509.DNSName(b"cryptography.io"),
+ x509.DNSName(u"cryptography.io"),
]
@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
@@ -2168,7 +2186,7 @@ class TestCertificateBuilder(object):
).add_extension(
x509.BasicConstraints(ca=False, path_length=None), True,
).add_extension(
- x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]),
+ x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
critical=False,
).not_valid_before(
not_valid_before
@@ -2190,7 +2208,7 @@ class TestCertificateBuilder(object):
ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
assert list(subject_alternative_name.value) == [
- x509.DNSName(b"cryptography.io"),
+ x509.DNSName(u"cryptography.io"),
]
@pytest.mark.requires_backend_interface(interface=RSABackend)
@@ -2224,6 +2242,9 @@ class TestCertificateBuilder(object):
@pytest.mark.parametrize(
"add_ext",
[
+ x509.SubjectAlternativeName(
+ [x509.DNSName._init_without_validation(u'a\xedt\xe1s.test')]
+ ),
x509.CertificatePolicies([
x509.PolicyInformation(
x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"),
@@ -2279,7 +2300,7 @@ class TestCertificateBuilder(object):
)
]),
x509.IssuerAlternativeName([
- x509.DNSName(b"myissuer"),
+ x509.DNSName(u"myissuer"),
x509.RFC822Name(u"email@domain.com"),
]),
x509.ExtendedKeyUsage([
@@ -2308,7 +2329,7 @@ class TestCertificateBuilder(object):
ipaddress.IPv6Network(u"FF:FF:0:0:0:0:0:0/128")
),
],
- excluded_subtrees=[x509.DNSName(b"name.local")]
+ excluded_subtrees=[x509.DNSName(u"name.local")]
),
x509.NameConstraints(
permitted_subtrees=[
@@ -2318,7 +2339,7 @@ class TestCertificateBuilder(object):
),
x509.NameConstraints(
permitted_subtrees=None,
- excluded_subtrees=[x509.DNSName(b"name.local")]
+ excluded_subtrees=[x509.DNSName(u"name.local")]
),
x509.PolicyConstraints(
require_explicit_policy=None,
@@ -2847,7 +2868,7 @@ class TestCertificateSigningRequestBuilder(object):
x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
])
).add_extension(
- x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]),
+ x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
critical=False,
).add_extension(
DummyExtension(), False
@@ -2933,7 +2954,7 @@ class TestCertificateSigningRequestBuilder(object):
request = builder.subject_name(
x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
).add_extension(
- x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")]),
+ x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
critical=False,
).add_extension(
x509.BasicConstraints(ca=True, path_length=2), critical=True
@@ -2950,7 +2971,7 @@ class TestCertificateSigningRequestBuilder(object):
ext = request.extensions.get_extension_for_oid(
ExtensionOID.SUBJECT_ALTERNATIVE_NAME
)
- assert list(ext.value) == [x509.DNSName(b"cryptography.io")]
+ assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
def test_set_subject_twice(self):
builder = x509.CertificateSigningRequestBuilder()
@@ -2970,8 +2991,8 @@ class TestCertificateSigningRequestBuilder(object):
private_key = RSA_KEY_2048.private_key(backend)
san = x509.SubjectAlternativeName([
- x509.DNSName(b"example.com"),
- x509.DNSName(b"*.example.com"),
+ x509.DNSName(u"example.com"),
+ x509.DNSName(u"*.example.com"),
x509.RegisteredID(x509.ObjectIdentifier("1.2.3.4.5.6.7")),
x509.DirectoryName(x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, u'PyCA'),
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
index 11e06eaf..6e376bb1 100644
--- a/tests/x509/test_x509_ext.py
+++ b/tests/x509/test_x509_ext.py
@@ -234,20 +234,20 @@ class TestUnrecognizedExtension(object):
class TestCertificateIssuer(object):
def test_iter_names(self):
ci = x509.CertificateIssuer([
- x509.DNSName(b"cryptography.io"),
- x509.DNSName(b"crypto.local"),
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"crypto.local"),
])
assert len(ci) == 2
assert list(ci) == [
- x509.DNSName(b"cryptography.io"),
- x509.DNSName(b"crypto.local"),
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"crypto.local"),
]
def test_indexing(self):
ci = x509.CertificateIssuer([
- x509.DNSName(b"cryptography.io"),
- x509.DNSName(b"crypto.local"),
- x509.DNSName(b"another.local"),
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"crypto.local"),
+ x509.DNSName(u"another.local"),
x509.RFC822Name(b"email@another.local"),
x509.UniformResourceIdentifier(b"http://another.local"),
])
@@ -255,39 +255,39 @@ class TestCertificateIssuer(object):
assert ci[2:6:2] == [ci[2], ci[4]]
def test_eq(self):
- ci1 = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")])
- ci2 = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")])
+ ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
+ ci2 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
assert ci1 == ci2
def test_ne(self):
- ci1 = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")])
- ci2 = x509.CertificateIssuer([x509.DNSName(b"somethingelse.tld")])
+ ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
+ ci2 = x509.CertificateIssuer([x509.DNSName(u"somethingelse.tld")])
assert ci1 != ci2
assert ci1 != object()
def test_repr(self):
- ci = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")])
+ ci = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
if six.PY3:
assert repr(ci) == (
- "<CertificateIssuer(<GeneralNames([<DNSName(bytes_value="
- "b'cryptography.io')>])>)>"
+ "<CertificateIssuer(<GeneralNames([<DNSName(value="
+ "'cryptography.io')>])>)>"
)
else:
assert repr(ci) == (
- "<CertificateIssuer(<GeneralNames([<DNSName(bytes_value="
- "'cryptography.io')>])>)>"
+ "<CertificateIssuer(<GeneralNames([<DNSName(value="
+ "u'cryptography.io')>])>)>"
)
def test_get_values_for_type(self):
ci = x509.CertificateIssuer(
- [x509.DNSName(b"cryptography.io")]
+ [x509.DNSName(u"cryptography.io")]
)
names = ci.get_values_for_type(x509.DNSName)
assert names == [u"cryptography.io"]
def test_hash(self):
- ci1 = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")])
- ci2 = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")])
+ ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
+ ci2 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
ci3 = x509.CertificateIssuer(
[x509.UniformResourceIdentifier(b"http://something")]
)
@@ -1099,7 +1099,7 @@ class TestAuthorityKeyIdentifier(object):
assert aki.authority_cert_serial_number is None
def test_authority_cert_serial_zero(self):
- dns = x509.DNSName(b"SomeIssuer")
+ dns = x509.DNSName(u"SomeIssuer")
aki = x509.AuthorityKeyIdentifier(b"id", [dns], 0)
assert aki.key_identifier == b"id"
assert aki.authority_cert_issuer == [dns]
@@ -1662,33 +1662,34 @@ class TestKeyUsageExtension(object):
class TestDNSName(object):
def test_init(self):
- with pytest.warns(utils.DeprecatedIn21):
- name = x509.DNSName(u"*.\xf5\xe4\xf6\xfc.example.com")
- assert name.bytes_value == b"*.xn--4ca7aey.example.com"
+ name = x509.DNSName(u"*.xn--4ca7aey.example.com")
+ assert name.value == u"*.xn--4ca7aey.example.com"
with pytest.warns(utils.DeprecatedIn21):
name = x509.DNSName(u".\xf5\xe4\xf6\xfc.example.com")
- assert name.bytes_value == b".xn--4ca7aey.example.com"
- assert name.value == u".\xf5\xe4\xf6\xfc.example.com"
+ assert name.value == u".xn--4ca7aey.example.com"
with pytest.warns(utils.DeprecatedIn21):
name = x509.DNSName(u"\xf5\xe4\xf6\xfc.example.com")
- assert name.bytes_value == b"xn--4ca7aey.example.com"
+ assert name.value == u"xn--4ca7aey.example.com"
with pytest.raises(TypeError):
x509.DNSName(1.3)
+ with pytest.raises(TypeError):
+ x509.DNSName(b"bytes not allowed")
+
def test_ne(self):
- n1 = x509.DNSName(b"test1")
- n2 = x509.DNSName(b"test2")
- n3 = x509.DNSName(b"test2")
+ n1 = x509.DNSName(u"test1")
+ n2 = x509.DNSName(u"test2")
+ n3 = x509.DNSName(u"test2")
assert n1 != n2
assert not (n2 != n3)
def test_hash(self):
- n1 = x509.DNSName(b"test1")
- n2 = x509.DNSName(b"test2")
- n3 = x509.DNSName(b"test2")
+ n1 = x509.DNSName(u"test1")
+ n2 = x509.DNSName(u"test2")
+ n3 = x509.DNSName(u"test2")
assert hash(n1) != hash(n2)
assert hash(n2) == hash(n3)
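Review bot: `test_init` no longer exercises the wildcard branch of the IDNA fallback. The first case now passes the A-label `u"*.xn--4ca7aey.example.com"` directly, so only the `.`-prefixed and bare U-label inputs still go through the deprecation path in this hunk. Consider keeping a wildcard U-label case: `with pytest.warns(utils.DeprecatedIn21): name = x509.DNSName(u"*.\xf5\xe4\xf6\xfc.example.com")` followed by `assert name.value == u"*.xn--4ca7aey.example.com"`. It may be covered elsewhere in the suite, which is not visible here.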
@@ -2016,35 +2017,35 @@ class TestOtherName(object):
class TestGeneralNames(object):
def test_get_values_for_type(self):
gns = x509.GeneralNames(
- [x509.DNSName(b"cryptography.io")]
+ [x509.DNSName(u"cryptography.io")]
)
names = gns.get_values_for_type(x509.DNSName)
assert names == [u"cryptography.io"]
def test_iter_names(self):
gns = x509.GeneralNames([
- x509.DNSName(b"cryptography.io"),
- x509.DNSName(b"crypto.local"),
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"crypto.local"),
])
assert len(gns) == 2
assert list(gns) == [
- x509.DNSName(b"cryptography.io"),
- x509.DNSName(b"crypto.local"),
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"crypto.local"),
]
def test_iter_input(self):
names = [
- x509.DNSName(b"cryptography.io"),
- x509.DNSName(b"crypto.local"),
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"crypto.local"),
]
gns = x509.GeneralNames(iter(names))
assert list(gns) == names
def test_indexing(self):
gn = x509.GeneralNames([
- x509.DNSName(b"cryptography.io"),
- x509.DNSName(b"crypto.local"),
- x509.DNSName(b"another.local"),
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"crypto.local"),
+ x509.DNSName(u"another.local"),
x509.RFC822Name(b"email@another.local"),
x509.UniformResourceIdentifier(b"http://another.local"),
])
@@ -2054,36 +2055,36 @@ class TestGeneralNames(object):
def test_invalid_general_names(self):
with pytest.raises(TypeError):
x509.GeneralNames(
- [x509.DNSName(b"cryptography.io"), "invalid"]
+ [x509.DNSName(u"cryptography.io"), "invalid"]
)
def test_repr(self):
gns = x509.GeneralNames(
[
- x509.DNSName(b"cryptography.io")
+ x509.DNSName(u"cryptography.io")
]
)
if six.PY3:
assert repr(gns) == (
- "<GeneralNames([<DNSName(bytes_value=b'cryptography.io')>])>"
+ "<GeneralNames([<DNSName(value='cryptography.io')>])>"
)
else:
assert repr(gns) == (
- "<GeneralNames([<DNSName(bytes_value='cryptography.io')>])>"
+ "<GeneralNames([<DNSName(value=u'cryptography.io')>])>"
)
def test_eq(self):
gns = x509.GeneralNames(
- [x509.DNSName(b"cryptography.io")]
+ [x509.DNSName(u"cryptography.io")]
)
gns2 = x509.GeneralNames(
- [x509.DNSName(b"cryptography.io")]
+ [x509.DNSName(u"cryptography.io")]
)
assert gns == gns2
def test_ne(self):
gns = x509.GeneralNames(
- [x509.DNSName(b"cryptography.io")]
+ [x509.DNSName(u"cryptography.io")]
)
gns2 = x509.GeneralNames(
[x509.RFC822Name(b"admin@cryptography.io")]
@@ -2092,8 +2093,8 @@ class TestGeneralNames(object):
assert gns != object()
def test_hash(self):
- gns = x509.GeneralNames([x509.DNSName(b"cryptography.io")])
- gns2 = x509.GeneralNames([x509.DNSName(b"cryptography.io")])
+ gns = x509.GeneralNames([x509.DNSName(u"cryptography.io")])
+ gns2 = x509.GeneralNames([x509.DNSName(u"cryptography.io")])
gns3 = x509.GeneralNames([x509.RFC822Name(b"admin@cryptography.io")])
assert hash(gns) == hash(gns2)
assert hash(gns) != hash(gns3)
@@ -2102,27 +2103,27 @@ class TestGeneralNames(object):
class TestIssuerAlternativeName(object):
def test_get_values_for_type(self):
san = x509.IssuerAlternativeName(
- [x509.DNSName(b"cryptography.io")]
+ [x509.DNSName(u"cryptography.io")]
)
names = san.get_values_for_type(x509.DNSName)
assert names == [u"cryptography.io"]
def test_iter_names(self):
san = x509.IssuerAlternativeName([
- x509.DNSName(b"cryptography.io"),
- x509.DNSName(b"crypto.local"),
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"crypto.local"),
])
assert len(san) == 2
assert list(san) == [
- x509.DNSName(b"cryptography.io"),
- x509.DNSName(b"crypto.local"),
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"crypto.local"),
]
def test_indexing(self):
ian = x509.IssuerAlternativeName([
- x509.DNSName(b"cryptography.io"),
- x509.DNSName(b"crypto.local"),
- x509.DNSName(b"another.local"),
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"crypto.local"),
+ x509.DNSName(u"another.local"),
x509.RFC822Name(b"email@another.local"),
x509.UniformResourceIdentifier(b"http://another.local"),
])
@@ -2132,38 +2133,38 @@ class TestIssuerAlternativeName(object):
def test_invalid_general_names(self):
with pytest.raises(TypeError):
x509.IssuerAlternativeName(
- [x509.DNSName(b"cryptography.io"), "invalid"]
+ [x509.DNSName(u"cryptography.io"), "invalid"]
)
def test_repr(self):
san = x509.IssuerAlternativeName(
[
- x509.DNSName(b"cryptography.io")
+ x509.DNSName(u"cryptography.io")
]
)
if six.PY3:
assert repr(san) == (
"<IssuerAlternativeName("
- "<GeneralNames([<DNSName(bytes_value=b'cryptography.io')>])>)>"
+ "<GeneralNames([<DNSName(value='cryptography.io')>])>)>"
)
else:
assert repr(san) == (
"<IssuerAlternativeName("
- "<GeneralNames([<DNSName(bytes_value='cryptography.io')>])>)>"
+ "<GeneralNames([<DNSName(value=u'cryptography.io')>])>)>"
)
def test_eq(self):
san = x509.IssuerAlternativeName(
- [x509.DNSName(b"cryptography.io")]
+ [x509.DNSName(u"cryptography.io")]
)
san2 = x509.IssuerAlternativeName(
- [x509.DNSName(b"cryptography.io")]
+ [x509.DNSName(u"cryptography.io")]
)
assert san == san2
def test_ne(self):
san = x509.IssuerAlternativeName(
- [x509.DNSName(b"cryptography.io")]
+ [x509.DNSName(u"cryptography.io")]
)
san2 = x509.IssuerAlternativeName(
[x509.RFC822Name(b"admin@cryptography.io")]
@@ -2172,8 +2173,8 @@ class TestIssuerAlternativeName(object):
assert san != object()
def test_hash(self):
- ian = x509.IssuerAlternativeName([x509.DNSName(b"cryptography.io")])
- ian2 = x509.IssuerAlternativeName([x509.DNSName(b"cryptography.io")])
+ ian = x509.IssuerAlternativeName([x509.DNSName(u"cryptography.io")])
+ ian2 = x509.IssuerAlternativeName([x509.DNSName(u"cryptography.io")])
ian3 = x509.IssuerAlternativeName(
[x509.RFC822Name(b"admin@cryptography.io")]
)
@@ -2227,27 +2228,27 @@ class TestCRLNumber(object):
class TestSubjectAlternativeName(object):
def test_get_values_for_type(self):
san = x509.SubjectAlternativeName(
- [x509.DNSName(b"cryptography.io")]
+ [x509.DNSName(u"cryptography.io")]
)
names = san.get_values_for_type(x509.DNSName)
assert names == [u"cryptography.io"]
def test_iter_names(self):
san = x509.SubjectAlternativeName([
- x509.DNSName(b"cryptography.io"),
- x509.DNSName(b"crypto.local"),
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"crypto.local"),
])
assert len(san) == 2
assert list(san) == [
- x509.DNSName(b"cryptography.io"),
- x509.DNSName(b"crypto.local"),
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"crypto.local"),
]
def test_indexing(self):
san = x509.SubjectAlternativeName([
- x509.DNSName(b"cryptography.io"),
- x509.DNSName(b"crypto.local"),
- x509.DNSName(b"another.local"),
+ x509.DNSName(u"cryptography.io"),
+ x509.DNSName(u"crypto.local"),
+ x509.DNSName(u"another.local"),
x509.RFC822Name(b"email@another.local"),
x509.UniformResourceIdentifier(b"http://another.local"),
])
@@ -2257,38 +2258,38 @@ class TestSubjectAlternativeName(object):
def test_invalid_general_names(self):
with pytest.raises(TypeError):
x509.SubjectAlternativeName(
- [x509.DNSName(b"cryptography.io"), "invalid"]
+ [x509.DNSName(u"cryptography.io"), "invalid"]
)
def test_repr(self):
san = x509.SubjectAlternativeName(
[
- x509.DNSName(b"cryptography.io")
+ x509.DNSName(u"cryptography.io")
]
)
if six.PY3:
assert repr(san) == (
"<SubjectAlternativeName("
- "<GeneralNames([<DNSName(bytes_value=b'cryptography.io')>])>)>"
+ "<GeneralNames([<DNSName(value='cryptography.io')>])>)>"
)
else:
assert repr(san) == (
"<SubjectAlternativeName("
- "<GeneralNames([<DNSName(bytes_value='cryptography.io')>])>)>"
+ "<GeneralNames([<DNSName(value=u'cryptography.io')>])>)>"
)
def test_eq(self):
san = x509.SubjectAlternativeName(
- [x509.DNSName(b"cryptography.io")]
+ [x509.DNSName(u"cryptography.io")]
)
san2 = x509.SubjectAlternativeName(
- [x509.DNSName(b"cryptography.io")]
+ [x509.DNSName(u"cryptography.io")]
)
assert san == san2
def test_ne(self):
san = x509.SubjectAlternativeName(
- [x509.DNSName(b"cryptography.io")]
+ [x509.DNSName(u"cryptography.io")]
)
san2 = x509.SubjectAlternativeName(
[x509.RFC822Name(b"admin@cryptography.io")]
@@ -2297,8 +2298,8 @@ class TestSubjectAlternativeName(object):
assert san != object()
def test_hash(self):
- san = x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")])
- san2 = x509.SubjectAlternativeName([x509.DNSName(b"cryptography.io")])
+ san = x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")])
+ san2 = x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")])
san3 = x509.SubjectAlternativeName(
[x509.RFC822Name(b"admin@cryptography.io")]
)
@@ -2370,7 +2371,7 @@ class TestRSASubjectAlternativeNameExtension(object):
)
dns = ext.value.get_values_for_type(x509.DNSName)
- assert dns == [u'*.\u043f\u044b\u043a\u0430.cryptography']
+ assert dns == [u'*.xn--80ato2c.cryptography']
def test_unsupported_gn(self, backend):
cert = _load_cert(
@@ -2502,9 +2503,7 @@ class TestRSASubjectAlternativeNameExtension(object):
assert len(san) == 1
[name] = san
- assert name.bytes_value == b"xn--k4h.ws"
- with pytest.raises(UnicodeError):
- name.value
+ assert name.value == u"xn--k4h.ws"
def test_unicode_rfc822_name_dns_name_uri(self, backend):
cert = _load_cert(
@@ -2522,7 +2521,7 @@ class TestRSASubjectAlternativeNameExtension(object):
dns_name = ext.value.get_values_for_type(x509.DNSName)
uri = ext.value.get_values_for_type(x509.UniformResourceIdentifier)
assert rfc822_name == [u"email@\u043f\u044b\u043a\u0430.cryptography"]
- assert dns_name == [u"\u043f\u044b\u043a\u0430.cryptography"]
+ assert dns_name == [u"xn--80ato2c.cryptography"]
assert uri == [u"https://www.\u043f\u044b\u043a\u0430.cryptography"]
def test_rfc822name_dnsname_ipaddress_directoryname_uri(self, backend):
@@ -2599,8 +2598,8 @@ class TestRSASubjectAlternativeNameExtension(object):
assert othernames == [expected]
def test_certbuilder(self, backend):
- sans = [b'*.example.org', b'*.xn--4ca7aey.example.com',
- b'foobar.example.net']
+ sans = [u'*.example.org', u'*.xn--4ca7aey.example.com',
+ u'foobar.example.net']
private_key = RSA_KEY_2048.private_key(backend)
builder = _make_certbuilder(private_key)
builder = builder.add_extension(
@@ -2608,7 +2607,7 @@ class TestRSASubjectAlternativeNameExtension(object):
cert = builder.sign(private_key, hashes.SHA1(), backend)
result = [
- x.bytes_value
+ x.value
for x in cert.extensions.get_extension_for_class(
SubjectAlternativeName
).value
@@ -2648,7 +2647,7 @@ class TestExtendedKeyUsageExtension(object):
class TestAccessDescription(object):
def test_invalid_access_method(self):
with pytest.raises(TypeError):
- x509.AccessDescription("notanoid", x509.DNSName(b"test"))
+ x509.AccessDescription("notanoid", x509.DNSName(u"test"))
def test_invalid_access_location(self):
with pytest.raises(TypeError):
@@ -3242,7 +3241,7 @@ class TestNameConstraints(object):
x509.NameConstraints(None, None)
def test_permitted_none(self):
- excluded = [x509.DNSName(b"name.local")]
+ excluded = [x509.DNSName(u"name.local")]
nc = x509.NameConstraints(
permitted_subtrees=None, excluded_subtrees=excluded
)
@@ -3250,7 +3249,7 @@ class TestNameConstraints(object):
assert nc.excluded_subtrees is not None
def test_excluded_none(self):
- permitted = [x509.DNSName(b"name.local")]
+ permitted = [x509.DNSName(u"name.local")]
nc = x509.NameConstraints(
permitted_subtrees=permitted, excluded_subtrees=None
)
@@ -3264,7 +3263,7 @@ class TestNameConstraints(object):
assert list(nc.excluded_subtrees) == subtrees
def test_repr(self):
- permitted = [x509.DNSName(b"name.local"), x509.DNSName(b"name2.local")]
+ permitted = [x509.DNSName(u"name.local"), x509.DNSName(u"name2.local")]
nc = x509.NameConstraints(
permitted_subtrees=permitted,
excluded_subtrees=None
@@ -3272,39 +3271,39 @@ class TestNameConstraints(object):
if six.PY3:
assert repr(nc) == (
"<NameConstraints(permitted_subtrees=[<DNSName("
- "bytes_value=b'name.local')>, <DNSName(bytes_value="
- "b'name2.local')>], excluded_subtrees=None)>"
+ "value='name.local')>, <DNSName(value="
+ "'name2.local')>], excluded_subtrees=None)>"
)
else:
assert repr(nc) == (
"<NameConstraints(permitted_subtrees=[<DNSName("
- "bytes_value='name.local')>, <DNSName(bytes_value="
- "'name2.local')>], excluded_subtrees=None)>"
+ "value=u'name.local')>, <DNSName(value="
+ "u'name2.local')>], excluded_subtrees=None)>"
)
def test_eq(self):
nc = x509.NameConstraints(
- permitted_subtrees=[x509.DNSName(b"name.local")],
- excluded_subtrees=[x509.DNSName(b"name2.local")]
+ permitted_subtrees=[x509.DNSName(u"name.local")],
+ excluded_subtrees=[x509.DNSName(u"name2.local")]
)
nc2 = x509.NameConstraints(
- permitted_subtrees=[x509.DNSName(b"name.local")],
- excluded_subtrees=[x509.DNSName(b"name2.local")]
+ permitted_subtrees=[x509.DNSName(u"name.local")],
+ excluded_subtrees=[x509.DNSName(u"name2.local")]
)
assert nc == nc2
def test_ne(self):
nc = x509.NameConstraints(
- permitted_subtrees=[x509.DNSName(b"name.local")],
- excluded_subtrees=[x509.DNSName(b"name2.local")]
+ permitted_subtrees=[x509.DNSName(u"name.local")],
+ excluded_subtrees=[x509.DNSName(u"name2.local")]
)
nc2 = x509.NameConstraints(
- permitted_subtrees=[x509.DNSName(b"name.local")],
+ permitted_subtrees=[x509.DNSName(u"name.local")],
excluded_subtrees=None
)
nc3 = x509.NameConstraints(
permitted_subtrees=None,
- excluded_subtrees=[x509.DNSName(b"name2.local")]
+ excluded_subtrees=[x509.DNSName(u"name2.local")]
)
assert nc != nc2
@@ -3313,20 +3312,20 @@ class TestNameConstraints(object):
def test_hash(self):
nc = x509.NameConstraints(
- permitted_subtrees=[x509.DNSName(b"name.local")],
- excluded_subtrees=[x509.DNSName(b"name2.local")]
+ permitted_subtrees=[x509.DNSName(u"name.local")],
+ excluded_subtrees=[x509.DNSName(u"name2.local")]
)
nc2 = x509.NameConstraints(
- permitted_subtrees=[x509.DNSName(b"name.local")],
- excluded_subtrees=[x509.DNSName(b"name2.local")]
+ permitted_subtrees=[x509.DNSName(u"name.local")],
+ excluded_subtrees=[x509.DNSName(u"name2.local")]
)
nc3 = x509.NameConstraints(
- permitted_subtrees=[x509.DNSName(b"name.local")],
+ permitted_subtrees=[x509.DNSName(u"name.local")],
excluded_subtrees=None
)
nc4 = x509.NameConstraints(
permitted_subtrees=None,
- excluded_subtrees=[x509.DNSName(b"name.local")]
+ excluded_subtrees=[x509.DNSName(u"name.local")]
)
assert hash(nc) == hash(nc2)
assert hash(nc) != hash(nc3)
@@ -3349,7 +3348,7 @@ class TestNameConstraintsExtension(object):
).value
assert nc == x509.NameConstraints(
permitted_subtrees=[
- x509.DNSName(b"zombo.local"),
+ x509.DNSName(u"zombo.local"),
],
excluded_subtrees=[
x509.DirectoryName(x509.Name([
@@ -3371,7 +3370,7 @@ class TestNameConstraintsExtension(object):
).value
assert nc == x509.NameConstraints(
permitted_subtrees=[
- x509.DNSName(b"zombo.local"),
+ x509.DNSName(u"zombo.local"),
],
excluded_subtrees=None
)
@@ -3389,7 +3388,7 @@ class TestNameConstraintsExtension(object):
).value
assert nc == x509.NameConstraints(
permitted_subtrees=[
- x509.DNSName(b".cryptography.io"),
+ x509.DNSName(u".cryptography.io"),
x509.UniformResourceIdentifier(b"ftp://cryptography.test")
],
excluded_subtrees=None
@@ -3409,7 +3408,7 @@ class TestNameConstraintsExtension(object):
assert nc == x509.NameConstraints(
permitted_subtrees=None,
excluded_subtrees=[
- x509.DNSName(b".cryptography.io"),
+ x509.DNSName(u".cryptography.io"),
x509.UniformResourceIdentifier(b"gopher://cryptography.test")
]
)
@@ -3431,7 +3430,7 @@ class TestNameConstraintsExtension(object):
x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")),
],
excluded_subtrees=[
- x509.DNSName(b".domain.com"),
+ x509.DNSName(u".domain.com"),
x509.UniformResourceIdentifier(b"http://test.local"),
]
)
@@ -3469,8 +3468,8 @@ class TestNameConstraintsExtension(object):
)
def test_certbuilder(self, backend):
- permitted = [b'.example.org', b'.xn--4ca7aey.example.com',
- b'foobar.example.net']
+ permitted = [u'.example.org', u'.xn--4ca7aey.example.com',
+ u'foobar.example.net']
private_key = RSA_KEY_2048.private_key(backend)
builder = _make_certbuilder(private_key)
builder = builder.add_extension(
@@ -3479,7 +3478,7 @@ class TestNameConstraintsExtension(object):
cert = builder.sign(private_key, hashes.SHA1(), backend)
result = [
- x.bytes_value
+ x.value
for x in cert.extensions.get_extension_for_class(
NameConstraints
).value.permitted_subtrees
diff --git a/tests/x509/test_x509_revokedcertbuilder.py b/tests/x509/test_x509_revokedcertbuilder.py
index 9fc5eaa7..e3a06509 100644
--- a/tests/x509/test_x509_revokedcertbuilder.py
+++ b/tests/x509/test_x509_revokedcertbuilder.py
@@ -146,7 +146,7 @@ class TestRevokedCertificateBuilder(object):
x509.InvalidityDate(datetime.datetime(2015, 1, 1, 0, 0)),
x509.CRLReason(x509.ReasonFlags.ca_compromise),
x509.CertificateIssuer([
- x509.DNSName(b"cryptography.io"),
+ x509.DNSName(u"cryptography.io"),
])
]
)
@@ -180,7 +180,7 @@ class TestRevokedCertificateBuilder(object):
datetime.datetime(2015, 1, 1, 0, 0)
)
certificate_issuer = x509.CertificateIssuer([
- x509.DNSName(b"cryptography.io"),
+ x509.DNSName(u"cryptography.io"),
])
crl_reason = x509.CRLReason(x509.ReasonFlags.aa_compromise)
builder = x509.RevokedCertificateBuilder().serial_number(