Diffstat (limited to 'tests')
-rw-r--r-- | tests/hazmat/primitives/test_asym_utils.py | 5 | ||||
-rw-r--r-- | tests/hazmat/primitives/twofactor/test_hotp.py | 3 | ||||
-rw-r--r-- | tests/hazmat/primitives/twofactor/test_totp.py | 3 | ||||
-rw-r--r-- | tests/test_x509_ext.py | 329 |
4 files changed, 336 insertions, 4 deletions
diff --git a/tests/hazmat/primitives/test_asym_utils.py b/tests/hazmat/primitives/test_asym_utils.py index bf55bad8..c3fbedf9 100644 --- a/tests/hazmat/primitives/test_asym_utils.py +++ b/tests/hazmat/primitives/test_asym_utils.py @@ -63,3 +63,8 @@ def test_decode_rfc6979_invalid_asn1(): # This byte sequence has an invalid ASN.1 sequence length as well as # an invalid integer length for the second integer. decode_rfc6979_signature(b"0\x07\x02\x01\x01\x02\x02\x01") + + with pytest.raises(ValueError): + # This is the BER "end-of-contents octets," which pyasn1 is + # wrongly willing to return from top-level DER decoding. + decode_rfc6979_signature(b"\x00\x00") diff --git a/tests/hazmat/primitives/twofactor/test_hotp.py b/tests/hazmat/primitives/twofactor/test_hotp.py index a76aa6e3..a5d1c284 100644 --- a/tests/hazmat/primitives/twofactor/test_hotp.py +++ b/tests/hazmat/primitives/twofactor/test_hotp.py @@ -8,10 +8,11 @@ import os import pytest -from cryptography.exceptions import InvalidToken, _Reasons +from cryptography.exceptions import _Reasons from cryptography.hazmat.backends.interfaces import HMACBackend from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.hashes import MD5, SHA1 +from cryptography.hazmat.primitives.twofactor import InvalidToken from cryptography.hazmat.primitives.twofactor.hotp import HOTP from ....utils import ( diff --git a/tests/hazmat/primitives/twofactor/test_totp.py b/tests/hazmat/primitives/twofactor/test_totp.py index 05321089..6039983e 100644 --- a/tests/hazmat/primitives/twofactor/test_totp.py +++ b/tests/hazmat/primitives/twofactor/test_totp.py 
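Review bot: The new `b"\x00\x00"` case in tests/hazmat/primitives/test_asym_utils.py is appended as one more `pytest.raises` block inside test_decode_rfc6979_invalid_asn1, so a failure names only the shared function and not the end-of-contents input. A dedicated test such as `def test_decode_rfc6979_ber_end_of_contents():`, or a `pytest.mark.parametrize` over the invalid byte strings, would make a regression in this strictness check identifiable on its own. Rejecting non-DER input matters here because a signature decoder that accepts BER artefacts admits more than one encoding of the same value. If strict DER is the intent, a valid signature followed by trailing bytes would be worth pinning too; whether that is rejected today cannot be told from this hunk. The test function starts outside the hunk.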
@@ -6,9 +6,10 @@ from __future__ import absolute_import, division, print_function import pytest -from cryptography.exceptions import InvalidToken, _Reasons +from cryptography.exceptions import _Reasons from cryptography.hazmat.backends.interfaces import HMACBackend from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives.twofactor import InvalidToken from cryptography.hazmat.primitives.twofactor.totp import TOTP from ....utils import ( diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index c2d33d92..bce6781f 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -5,6 +5,7 @@ from __future__ import absolute_import, division, print_function import binascii +import ipaddress import os import pytest @@ -149,8 +150,8 @@ class TestKeyUsage(object): assert repr(ku) == ( "<KeyUsage(digital_signature=True, content_commitment=True, key_en" "cipherment=False, data_encipherment=False, key_agreement=False, k" - "ey_cert_sign=True, crl_sign=False, encipher_only=N/A, decipher_on" - "ly=N/A)>" + "ey_cert_sign=True, crl_sign=False, encipher_only=None, decipher_o" + "nly=None)>" ) def test_repr_key_agreement_true(self): 
@@ -219,6 +220,57 @@ class TestSubjectKeyIdentifier(object): assert ski != object() +class TestAuthorityKeyIdentifier(object): + def test_authority_cert_issuer_not_name(self): + with pytest.raises(TypeError): + x509.AuthorityKeyIdentifier(b"identifier", "notname", 3) + + def test_authority_cert_serial_number_not_integer(self): + name = x509.Name([ + x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1'), + x509.NameAttribute(x509.ObjectIdentifier('oid2'), 'value2'), + ]) + with pytest.raises(TypeError): + x509.AuthorityKeyIdentifier(b"identifier", name, "notanint") + + def test_authority_issuer_none_serial_not_none(self): + with pytest.raises(ValueError): + x509.AuthorityKeyIdentifier(b"identifier", None, 3) + + def test_authority_issuer_not_none_serial_none(self): + name = x509.Name([ + x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1'), + x509.NameAttribute(x509.ObjectIdentifier('oid2'), 'value2'), + ]) + with pytest.raises(ValueError): + x509.AuthorityKeyIdentifier(b"identifier", name, None) + + def test_authority_cert_serial_and_issuer_none(self): + aki = x509.AuthorityKeyIdentifier(b"id", None, None) + assert aki.key_identifier == b"id" + assert aki.authority_cert_issuer is None + assert aki.authority_cert_serial_number is None + + def test_repr(self): + name = x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'myCN')]) + aki = x509.AuthorityKeyIdentifier(b"digest", name, 1234) + + if six.PY3: + assert repr(aki) == ( + "<AuthorityKeyIdentifier(key_identifier=b'digest', authority_" + "cert_issuer=<Name([<NameAttribute(oid=<ObjectIdentifier(oid=" + "2.5.4.3, name=commonName)>, value='myCN')>])>, authority_cer" + "t_serial_number=1234)>" + ) + else: + assert repr(aki) == ( + "<AuthorityKeyIdentifier(key_identifier='digest', authority_ce" + "rt_issuer=<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5" + ".4.3, name=commonName)>, value='myCN')>])>, authority_cert_se" + "rial_number=1234)>" + ) + + class TestBasicConstraints(object): def 
test_ca_not_boolean(self): with pytest.raises(TypeError): 
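Review bot: TestAuthorityKeyIdentifier reads the stored attributes back only for the all-None case (test_authority_cert_serial_and_issuer_none). The one test that passes both an issuer and a serial, test_repr, pins the repr string but never checks the fields themselves. Adding `assert aki.authority_cert_issuer == name` and `assert aki.authority_cert_serial_number == 1234` after the constructor call would cover the populated path independently of the repr format. Unlike the other value classes added in this commit, this one has no test_eq/test_ne; if `AuthorityKeyIdentifier` defines equality (not visible here), those tests are missing.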
@@ -463,3 +515,276 @@ class TestSubjectKeyIdentifierExtension(object): cert.extensions.get_extension_for_oid( x509.OID_SUBJECT_KEY_IDENTIFIER ) + + +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestKeyUsageExtension(object): + def test_no_key_usage(self, backend): + cert = _load_cert( + os.path.join("x509", "verisign_md2_root.pem"), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions + with pytest.raises(x509.ExtensionNotFound) as exc: + ext.get_extension_for_oid(x509.OID_KEY_USAGE) + + assert exc.value.oid == x509.OID_KEY_USAGE + + def test_all_purposes(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "all_key_usages.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + extensions = cert.extensions + ext = extensions.get_extension_for_oid(x509.OID_KEY_USAGE) + assert ext is not None + + ku = ext.value + assert ku.digital_signature is True + assert ku.content_commitment is True + assert ku.key_encipherment is True + assert ku.data_encipherment is True + assert ku.key_agreement is True + assert ku.key_cert_sign is True + assert ku.crl_sign is True + assert ku.encipher_only is True + assert ku.decipher_only is True + + def test_key_cert_sign_crl_sign(self, backend): + cert = _load_cert( + os.path.join( + "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt" + ), + x509.load_der_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid(x509.OID_KEY_USAGE) + assert ext is not None + assert ext.critical is True + + ku = ext.value + assert ku.digital_signature is False + assert ku.content_commitment is False + assert ku.key_encipherment is False + assert ku.data_encipherment is False + assert ku.key_agreement is False + assert ku.key_cert_sign is True + assert ku.crl_sign is True + + +@pytest.mark.parametrize( + "name", [ + x509.RFC822Name, + x509.DNSName, + x509.UniformResourceIdentifier + ] +) +class 
TestTextGeneralNames(object): + def test_not_text(self, name): + with pytest.raises(TypeError): + name(b"notaunicodestring") + + with pytest.raises(TypeError): + name(1.3) + + def test_repr(self, name): + gn = name(six.u("string")) + assert repr(gn) == "<{0}(value=string)>".format(name.__name__) + + def test_eq(self, name): + gn = name(six.u("string")) + gn2 = name(six.u("string")) + assert gn == gn2 + + def test_ne(self, name): + gn = name(six.u("string")) + gn2 = name(six.u("string2")) + assert gn != gn2 + assert gn != object() + + +class TestDirectoryName(object): + def test_not_name(self): + with pytest.raises(TypeError): + x509.DirectoryName(b"notaname") + + with pytest.raises(TypeError): + x509.DirectoryName(1.3) + + def test_repr(self): + name = x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'value1')]) + gn = x509.DirectoryName(x509.Name([name])) + assert repr(gn) == ( + "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<ObjectIden" + "tifier(oid=2.5.4.3, name=commonName)>, value='value1')>])>])>)>" + ) + + def test_eq(self): + name = x509.Name([ + x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1') + ]) + name2 = x509.Name([ + x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1') + ]) + gn = x509.DirectoryName(x509.Name([name])) + gn2 = x509.DirectoryName(x509.Name([name2])) + assert gn == gn2 + + def test_ne(self): + name = x509.Name([ + x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1') + ]) + name2 = x509.Name([ + x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value2') + ]) + gn = x509.DirectoryName(x509.Name([name])) + gn2 = x509.DirectoryName(x509.Name([name2])) + assert gn != gn2 + assert gn != object() + + +class TestRegisteredID(object): + def test_not_oid(self): + with pytest.raises(TypeError): + x509.RegisteredID(b"notanoid") + + with pytest.raises(TypeError): + x509.RegisteredID(1.3) + + def test_repr(self): + gn = x509.RegisteredID(x509.OID_COMMON_NAME) + assert repr(gn) == ( + 
"<RegisteredID(value=<ObjectIdentifier(oid=2.5.4.3, name=commonNam" + "e)>)>" + ) + + def test_eq(self): + gn = x509.RegisteredID(x509.OID_COMMON_NAME) + gn2 = x509.RegisteredID(x509.OID_COMMON_NAME) + assert gn == gn2 + + def test_ne(self): + gn = x509.RegisteredID(x509.OID_COMMON_NAME) + gn2 = x509.RegisteredID(x509.OID_BASIC_CONSTRAINTS) + assert gn != gn2 + assert gn != object() + + +class TestIPAddress(object): + def test_not_ipaddress(self): + with pytest.raises(TypeError): + x509.IPAddress(b"notanipaddress") + + with pytest.raises(TypeError): + x509.IPAddress(1.3) + + def test_repr(self): + gn = x509.IPAddress(ipaddress.IPv4Address(six.u("127.0.0.1"))) + assert repr(gn) == "<IPAddress(value=127.0.0.1)>" + + gn2 = x509.IPAddress(ipaddress.IPv6Address(six.u("ff::"))) + assert repr(gn2) == "<IPAddress(value=ff::)>" + + def test_eq(self): + gn = x509.IPAddress(ipaddress.IPv4Address(six.u("127.0.0.1"))) + gn2 = x509.IPAddress(ipaddress.IPv4Address(six.u("127.0.0.1"))) + assert gn == gn2 + + def test_ne(self): + gn = x509.IPAddress(ipaddress.IPv4Address(six.u("127.0.0.1"))) + gn2 = x509.IPAddress(ipaddress.IPv4Address(six.u("127.0.0.2"))) + assert gn != gn2 + assert gn != object() + + +class TestSubjectAlternativeName(object): + def test_get_values_for_type(self): + san = x509.SubjectAlternativeName( + [x509.DNSName(six.u("cryptography.io"))] + ) + names = san.get_values_for_type(x509.DNSName) + assert names == [six.u("cryptography.io")] + + def test_iter_names(self): + san = x509.SubjectAlternativeName([ + x509.DNSName(six.u("cryptography.io")), + x509.DNSName(six.u("crypto.local")), + ]) + assert len(san) == 2 + assert list(san) == [ + x509.DNSName(six.u("cryptography.io")), + x509.DNSName(six.u("crypto.local")), + ] + + def test_invalid_general_names(self): + with pytest.raises(TypeError): + x509.SubjectAlternativeName( + [x509.DNSName(six.u("cryptography.io")), "invalid"] + ) + + def test_repr(self): + san = x509.SubjectAlternativeName( + [ + 
x509.DNSName(six.u("cryptography.io")) + ] + ) + assert repr(san) == ( + "<SubjectAlternativeName([<DNSName(value=cryptography.io)>])>" + ) + + +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestRSASubjectAlternativeNameExtension(object): + def test_dns_name(self, backend): + cert = _load_cert( + os.path.join("x509", "cryptography.io.pem"), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + x509.OID_SUBJECT_ALTERNATIVE_NAME + ) + assert ext is not None + assert ext.critical is False + + san = ext.value + + dns = san.get_values_for_type(x509.DNSName) + assert dns == [u"www.cryptography.io", u"cryptography.io"] + + def test_unsupported_other_name(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "san_other_name.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + with pytest.raises(x509.UnsupportedGeneralNameType) as exc: + cert.extensions + + assert exc.value.type == 0 + + def test_registered_id(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "san_registered_id.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + x509.OID_SUBJECT_ALTERNATIVE_NAME + ) + assert ext is not None + assert ext.critical is False + + san = ext.value + rid = san.get_values_for_type(x509.RegisteredID) + assert rid == [x509.ObjectIdentifier("1.2.3.4")] |
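Review bot: In TestDirectoryName, test_repr, test_eq and test_ne build the value as `x509.DirectoryName(x509.Name([name]))` although `name` is already an `x509.Name`. The object under test therefore holds a Name whose only element is another Name, and the expected repr pins that nesting (`<Name([<Name([<NameAttribute(...`). This looks unintended; `gn = x509.DirectoryName(name)` exercises the shape a parsed certificate would produce, with the expected repr reduced to a single `<Name([...])>` layer. That the nested construction succeeds suggests `x509.Name` does not type-check its elements, which may merit its own `pytest.raises(TypeError)` test if such input is meant to be rejected. The constructor is outside this hunk, so that last point is an inference.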