From e06cab4de07897fecf6da40b29b460f7d4c258d3 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 30 Apr 2015 10:23:33 -0500 Subject: add support for rfc822name general names --- tests/test_x509_ext.py | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) (limited to 'tests/test_x509_ext.py') diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index d38fe573..7320b94e 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -856,3 +856,91 @@ class TestRSASubjectAlternativeNameExtension(object): x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, 'Texas'), ]) ] == dirname + + def test_rfc822name(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "san_rfc822_idna.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + x509.OID_SUBJECT_ALTERNATIVE_NAME + ) + assert ext is not None + assert ext.critical is False + + san = ext.value + + rfc822name = san.get_values_for_type(x509.RFC822Name) + assert [u"email@em\xe5\xefl.com"] == rfc822name + + def test_unicode_rfc822_name_dns_name_uri(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "san_idna_names.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + x509.OID_SUBJECT_ALTERNATIVE_NAME + ) + assert ext is not None + rfc822_name = ext.value.get_values_for_type(x509.RFC822Name) + dns_name = ext.value.get_values_for_type(x509.DNSName) + uri = ext.value.get_values_for_type(x509.UniformResourceIdentifier) + assert rfc822_name == [u"email@\u043f\u044b\u043a\u0430.cryptography"] + assert dns_name == [u"\u043f\u044b\u043a\u0430.cryptography"] + assert uri == [u"https://www.\u043f\u044b\u043a\u0430.cryptography"] + + def test_rfc822name_dnsname_ipaddress_directoryname_uri(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "san_email_dns_ip_dirname_uri.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + x509.OID_SUBJECT_ALTERNATIVE_NAME + ) + assert ext is not None + assert ext.critical is False + + san = ext.value + + rfc822_name = san.get_values_for_type(x509.RFC822Name) + uri = san.get_values_for_type(x509.UniformResourceIdentifier) + dns = san.get_values_for_type(x509.DNSName) + ip = san.get_values_for_type(x509.IPAddress) + dirname = san.get_values_for_type(x509.DirectoryName) + assert [u"user@cryptography.io"] == rfc822_name + assert ["https://cryptography.io"] == uri + assert [u"cryptography.io"] == dns + assert [ + x509.Name([ + x509.NameAttribute(x509.OID_COMMON_NAME, 'dirCN'), + x509.NameAttribute( + x509.OID_ORGANIZATION_NAME, 'Cryptographic Authority' + ), + ]) + ] == dirname + assert [ + ipaddress.ip_address(u"127.0.0.1"), + ipaddress.ip_address(u"ff::") + ] == ip + + def test_invalid_rfc822name(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "san_rfc822_names.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + with pytest.raises(ValueError) as exc: + cert.extensions + + assert 'Invalid rfc822name value' in str(exc.value) -- cgit v1.2.3 From e3a330cc10b9672cf91a77b89886a069357943f2 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 2 May 2015 16:42:52 -0500 Subject: missed a u --- tests/test_x509_ext.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'tests/test_x509_ext.py') diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index 7320b94e..c1d51e5e 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -917,7 +917,7 @@ class TestRSASubjectAlternativeNameExtension(object): ip = san.get_values_for_type(x509.IPAddress) dirname = san.get_values_for_type(x509.DirectoryName) assert [u"user@cryptography.io"] == rfc822_name - assert ["https://cryptography.io"] == uri + assert [u"https://cryptography.io"] == uri assert [u"cryptography.io"] == dns assert [ x509.Name([ -- cgit v1.2.3 From b047617df8aeb51efed4ed761ff84c8b49cfced0 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 2 May 2015 19:34:51 -0500 Subject: add eq/ne to ExtendedKeyUsage --- tests/test_x509_ext.py | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'tests/test_x509_ext.py') diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index d38fe573..c574aedb 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -325,6 +325,21 @@ class TestExtendedKeyUsage(object): "tAuth)>])>" ) + def test_eq(self): + eku = x509.ExtendedKeyUsage([ + x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7") + ]) + eku2 = x509.ExtendedKeyUsage([ + x509.ObjectIdentifier("1.3.6"), x509.ObjectIdentifier("1.3.7") + ]) + assert eku == eku2 + + def test_ne(self): + eku = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6")]) + eku2 = x509.ExtendedKeyUsage([x509.ObjectIdentifier("1.3.6.1")]) + assert eku != eku2 + assert eku != object() + @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) -- cgit v1.2.3 From 94c6960ca70b3e5b2fcf8bed8aaf2fd983f8c1c5 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 2 May 2015 19:29:40 -0500 Subject: Extended key usage support for the openssl backend --- tests/test_x509_ext.py | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) (limited to 'tests/test_x509_ext.py') diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index 05734b42..92e616e1 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -959,3 +959,32 @@ class TestRSASubjectAlternativeNameExtension(object): cert.extensions assert 'Invalid rfc822name value' in str(exc.value) + + +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestExtendedKeyUsageExtension(object): + def test_eku(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "extended_key_usage.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + x509.OID_EXTENDED_KEY_USAGE + ) + assert ext is not None + assert ext.critical is False + + assert [ + x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"), + x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"), + x509.ObjectIdentifier("1.3.6.1.5.5.7.3.3"), + x509.ObjectIdentifier("1.3.6.1.5.5.7.3.4"), + x509.ObjectIdentifier("1.3.6.1.5.5.7.3.9"), + x509.ObjectIdentifier("1.3.6.1.5.5.7.3.8"), + x509.ObjectIdentifier("2.5.29.37.0"), + x509.ObjectIdentifier("2.16.840.1.113730.4.1"), + ] == list(ext.value) -- cgit v1.2.3 From 3e6d558d1b845cf2df31efec08235b15998174d4 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 2 May 2015 21:57:56 -0500 Subject: add authority information access classes --- tests/test_x509_ext.py | 142 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 142 insertions(+) (limited to 'tests/test_x509_ext.py') diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index 92e616e1..711b6b7e 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -988,3 +988,145 @@ class TestExtendedKeyUsageExtension(object): x509.ObjectIdentifier("2.5.29.37.0"), x509.ObjectIdentifier("2.16.840.1.113730.4.1"), ] == list(ext.value) + + +class TestAccessDescription(object): + def test_invalid_access_method(self): + with pytest.raises(TypeError): + x509.AccessDescription("notanoid", x509.DNSName(u"test")) + + def test_invalid_access_location(self): + with pytest.raises(TypeError): + x509.AccessDescription(x509.OID_CA_ISSUERS, "invalid") + + def test_repr(self): + ad = x509.AccessDescription( + x509.OID_OCSP, + x509.UniformResourceIdentifier(u"http://ocsp.domain.com") + ) + assert repr(ad) == ( + ", access_location=)>" + ) + + def test_eq(self): + ad = x509.AccessDescription( + x509.OID_OCSP, + x509.UniformResourceIdentifier(u"http://ocsp.domain.com") + ) + ad2 = x509.AccessDescription( + x509.OID_OCSP, + x509.UniformResourceIdentifier(u"http://ocsp.domain.com") + ) + assert ad == ad2 + + def test_ne(self): + ad = x509.AccessDescription( + x509.OID_OCSP, + x509.UniformResourceIdentifier(u"http://ocsp.domain.com") + ) + ad2 = x509.AccessDescription( + x509.OID_CA_ISSUERS, + x509.UniformResourceIdentifier(u"http://ocsp.domain.com") + ) + ad3 = x509.AccessDescription( + x509.OID_OCSP, + x509.UniformResourceIdentifier(u"http://notthesame") + ) + assert ad != ad2 + assert ad != ad3 + assert ad != object() + + +class TestAuthorityInformationAccess(object): + def test_invalid_descriptions(self): + with pytest.raises(TypeError): + x509.AuthorityInformationAccess(["notanAccessDescription"]) + + def test_iter_len(self): + aia = x509.AuthorityInformationAccess([ + x509.AccessDescription( + x509.OID_OCSP, + x509.UniformResourceIdentifier(u"http://ocsp.domain.com") + ), + x509.AccessDescription( + x509.OID_CA_ISSUERS, + x509.UniformResourceIdentifier(u"http://domain.com/ca.crt") + ) + ]) + assert len(aia) == 2 + assert list(aia) == [ + x509.AccessDescription( + x509.OID_OCSP, + x509.UniformResourceIdentifier(u"http://ocsp.domain.com") + ), + x509.AccessDescription( + x509.OID_CA_ISSUERS, + x509.UniformResourceIdentifier(u"http://domain.com/ca.crt") + ) + ] + + def test_repr(self): + aia = x509.AuthorityInformationAccess([ + x509.AccessDescription( + x509.OID_OCSP, + x509.UniformResourceIdentifier(u"http://ocsp.domain.com") + ), + x509.AccessDescription( + x509.OID_CA_ISSUERS, + x509.UniformResourceIdentifier(u"http://domain.com/ca.crt") + ) + ]) + assert repr(aia) == ( + ", access_locati" + "on=)>, <" + "AccessDescription(access_method=, access_location=)>])>" + ) + + def test_eq(self): + aia = x509.AuthorityInformationAccess([ + x509.AccessDescription( + x509.OID_OCSP, + x509.UniformResourceIdentifier(u"http://ocsp.domain.com") + ), + x509.AccessDescription( + x509.OID_CA_ISSUERS, + x509.UniformResourceIdentifier(u"http://domain.com/ca.crt") + ) + ]) + aia2 = x509.AuthorityInformationAccess([ + x509.AccessDescription( + x509.OID_OCSP, + x509.UniformResourceIdentifier(u"http://ocsp.domain.com") + ), + x509.AccessDescription( + x509.OID_CA_ISSUERS, + x509.UniformResourceIdentifier(u"http://domain.com/ca.crt") + ) + ]) + assert aia == aia2 + + def test_ne(self): + aia = x509.AuthorityInformationAccess([ + x509.AccessDescription( + x509.OID_OCSP, + x509.UniformResourceIdentifier(u"http://ocsp.domain.com") + ), + x509.AccessDescription( + x509.OID_CA_ISSUERS, + x509.UniformResourceIdentifier(u"http://domain.com/ca.crt") + ) + ]) + aia2 = x509.AuthorityInformationAccess([ + x509.AccessDescription( + x509.OID_OCSP, + x509.UniformResourceIdentifier(u"http://ocsp.domain.com") + ), + ]) + + assert aia != aia2 + assert aia != object() -- cgit v1.2.3 From f506bca3d2bb449c3889cbbaba11749304e81563 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 2 May 2015 22:31:47 -0500 Subject: updates based on review feedback --- tests/test_x509_ext.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'tests/test_x509_ext.py') diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index 711b6b7e..0e5cab50 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -992,7 +992,7 @@ class TestExtendedKeyUsageExtension(object): class TestAccessDescription(object): def test_invalid_access_method(self): - with pytest.raises(TypeError): + with pytest.raises(ValueError): x509.AccessDescription("notanoid", x509.DNSName(u"test")) def test_invalid_access_location(self): -- cgit v1.2.3 From c6e0f06135d36533a7543b0a24f144b44019a9dc Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 3 May 2015 11:04:34 -0500 Subject: Fix AKI authority_cert_issuer type It was originally defined as an X509 Name, but in reality it is a list of GeneralName objects (albeit typically a list of one DirectoryName). --- tests/test_x509_ext.py | 46 ++++++++++++++++++++++++++-------------------- 1 file changed, 26 insertions(+), 20 deletions(-) (limited to 'tests/test_x509_ext.py') diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index 0e5cab50..ab6d6ffa 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -221,29 +221,33 @@ class TestSubjectKeyIdentifier(object): class TestAuthorityKeyIdentifier(object): - def test_authority_cert_issuer_not_name(self): + def test_authority_cert_issuer_not_generalname(self): with pytest.raises(TypeError): - x509.AuthorityKeyIdentifier(b"identifier", "notname", 3) + x509.AuthorityKeyIdentifier(b"identifier", ["notname"], 3) def test_authority_cert_serial_number_not_integer(self): - name = x509.Name([ - x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1'), - x509.NameAttribute(x509.ObjectIdentifier('oid2'), 'value2'), - ]) + dirname = x509.DirectoryName( + x509.Name([ + x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1'), + x509.NameAttribute(x509.ObjectIdentifier('oid2'), 'value2'), + ]) + ) with pytest.raises(TypeError): - x509.AuthorityKeyIdentifier(b"identifier", name, "notanint") + x509.AuthorityKeyIdentifier(b"identifier", [dirname], "notanint") def test_authority_issuer_none_serial_not_none(self): with pytest.raises(ValueError): x509.AuthorityKeyIdentifier(b"identifier", None, 3) def test_authority_issuer_not_none_serial_none(self): - name = x509.Name([ - x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1'), - x509.NameAttribute(x509.ObjectIdentifier('oid2'), 'value2'), - ]) + dirname = x509.DirectoryName( + x509.Name([ + x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1'), + x509.NameAttribute(x509.ObjectIdentifier('oid2'), 'value2'), + ]) + ) with pytest.raises(ValueError): - x509.AuthorityKeyIdentifier(b"identifier", name, None) + x509.AuthorityKeyIdentifier(b"identifier", [dirname], None) def test_authority_cert_serial_and_issuer_none(self): aki = x509.AuthorityKeyIdentifier(b"id", None, None) @@ -252,22 +256,24 @@ class TestAuthorityKeyIdentifier(object): assert aki.authority_cert_serial_number is None def test_repr(self): - name = x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'myCN')]) - aki = x509.AuthorityKeyIdentifier(b"digest", name, 1234) + dirname = x509.DirectoryName( + x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'myCN')]) + ) + aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234) if six.PY3: assert repr(aki) == ( ", value='myCN')>])>, authority_cer" - "t_serial_number=1234)>" + "cert_issuer=[, value='myC" + "N')>])>)>], authority_cert_serial_number=1234)>" ) else: assert repr(aki) == ( ", value='myCN')>])>, authority_cert_se" - "rial_number=1234)>" + "rt_issuer=[, value='myCN')>" + "])>)>], authority_cert_serial_number=1234)>" ) -- cgit v1.2.3 From d774de9d49512a16b58e1461dd982c072fd36b8e Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 3 May 2015 10:52:25 -0500 Subject: authority key identifier support in the openssl backend --- tests/test_x509_ext.py | 84 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 84 insertions(+) (limited to 'tests/test_x509_ext.py') diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index ab6d6ffa..ad36b5c0 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -1136,3 +1136,87 @@ class TestAuthorityInformationAccess(object): assert aia != aia2 assert aia != object() + + +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestAuthorityKeyIdentifierExtension(object): + def test_aki_keyid(self, backend): + cert = _load_cert( + os.path.join( + "x509", "cryptography.io.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + x509.OID_AUTHORITY_KEY_IDENTIFIER + ) + assert ext is not None + assert ext.critical is False + + assert ext.value.key_identifier == ( + b"\xc3\x9c\xf3\xfc\xd3F\x084\xbb\xceF\x7f\xa0|[\xf3\xe2\x08\xcbY" + ) + assert ext.value.authority_cert_issuer is None + assert ext.value.authority_cert_serial_number is None + + def test_aki_all_fields(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "authority_key_identifier.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + x509.OID_AUTHORITY_KEY_IDENTIFIER + ) + assert ext is not None + assert ext.critical is False + + assert ext.value.key_identifier == ( + b"9E>\xca=b\x1d\xea\x86I\xf6Z\xab@\xb7\xa4p\x98\xf1\xec" + ) + assert ext.value.authority_cert_issuer == [ + x509.DirectoryName( + x509.Name([ + x509.NameAttribute( + x509.OID_ORGANIZATION_NAME, u"PyCA" + ), + x509.NameAttribute( + x509.OID_COMMON_NAME, u"cryptography.io" + ) + ]) + ) + ] + assert ext.value.authority_cert_serial_number == 3 + + def test_aki_no_keyid(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "authority_key_identifier_no_keyid.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + x509.OID_AUTHORITY_KEY_IDENTIFIER + ) + assert ext is not None + assert ext.critical is False + + assert ext.value.key_identifier is None + assert ext.value.authority_cert_issuer == [ + x509.DirectoryName( + x509.Name([ + x509.NameAttribute( + x509.OID_ORGANIZATION_NAME, u"PyCA" + ), + x509.NameAttribute( + x509.OID_COMMON_NAME, u"cryptography.io" + ) + ]) + ) + ] + assert ext.value.authority_cert_serial_number == 3 -- cgit v1.2.3 From a147699cabf935b0c770d5c72fb8d2305737d66a Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 4 May 2015 17:35:47 -0500 Subject: add support for authority information access in the openssl backend --- tests/test_x509_ext.py | 98 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 98 insertions(+) (limited to 'tests/test_x509_ext.py') diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index ad36b5c0..8a227953 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -1138,6 +1138,104 @@ class TestAuthorityInformationAccess(object): assert aia != object() +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestAuthorityInformationAccessExtension(object): + def test_aia_ocsp_ca_issuers(self, backend): + cert = _load_cert( + os.path.join("x509", "cryptography.io.pem"), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + x509.OID_AUTHORITY_INFORMATION_ACCESS + ) + assert ext is not None + assert ext.critical is False + + assert ext.value == x509.AuthorityInformationAccess([ + x509.AccessDescription( + x509.OID_OCSP, + x509.UniformResourceIdentifier(u"http://gv.symcd.com") + ), + x509.AccessDescription( + x509.OID_CA_ISSUERS, + x509.UniformResourceIdentifier(u"http://gv.symcb.com/gv.crt") + ), + ]) + + def test_aia_multiple_ocsp_ca_issuers(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "aia_ocsp_ca_issuers.pem"), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + x509.OID_AUTHORITY_INFORMATION_ACCESS + ) + assert ext is not None + assert ext.critical is False + + assert ext.value == x509.AuthorityInformationAccess([ + x509.AccessDescription( + x509.OID_OCSP, + x509.UniformResourceIdentifier(u"http://ocsp.domain.com") + ), + x509.AccessDescription( + x509.OID_OCSP, + x509.UniformResourceIdentifier(u"http://ocsp2.domain.com") + ), + x509.AccessDescription( + x509.OID_CA_ISSUERS, + x509.DirectoryName(x509.Name([ + x509.NameAttribute(x509.OID_COMMON_NAME, "myCN"), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, "some Org"), + ])) + ), + ]) + + def test_aia_ocsp_only(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "aia_ocsp.pem"), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + x509.OID_AUTHORITY_INFORMATION_ACCESS + ) + assert ext is not None + assert ext.critical is False + + assert ext.value == x509.AuthorityInformationAccess([ + x509.AccessDescription( + x509.OID_OCSP, + x509.UniformResourceIdentifier(u"http://ocsp.domain.com") + ), + ]) + + def test_aia_ca_issuers_only(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "aia_ca_issuers.pem"), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + x509.OID_AUTHORITY_INFORMATION_ACCESS + ) + assert ext is not None + assert ext.critical is False + + assert ext.value == x509.AuthorityInformationAccess([ + x509.AccessDescription( + x509.OID_CA_ISSUERS, + x509.DirectoryName(x509.Name([ + x509.NameAttribute(x509.OID_COMMON_NAME, "myCN"), + x509.NameAttribute(x509.OID_ORGANIZATION_NAME, "some Org"), + ])) + ), + ]) + + @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) class TestAuthorityKeyIdentifierExtension(object): -- cgit v1.2.3 From 5a48552b4b7fc4d108b6d45232769f111fe38896 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 6 May 2015 00:29:12 -0500 Subject: add CRLDistributionPoints and associated classes --- tests/test_x509_ext.py | 282 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 282 insertions(+) (limited to 'tests/test_x509_ext.py') diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index 8a227953..1ccb361b 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -1318,3 +1318,285 @@ class TestAuthorityKeyIdentifierExtension(object): ) ] assert ext.value.authority_cert_serial_number == 3 + + +class TestReasonFlags(object): + def test_flags(self): + flags = x509.ReasonFlags( + True, True, False, False, True, True, False, False + ) + assert flags.key_compromise is True + assert flags.ca_compromise is True + assert flags.affiliation_changed is False + assert flags.superseded is False + assert flags.cessation_of_operation is True + assert flags.certificate_hold is True + assert flags.privilege_withdrawn is False + assert flags.aa_compromise is False + + def test_eq(self): + flags = x509.ReasonFlags( + True, True, False, False, True, True, False, False + ) + flags2 = x509.ReasonFlags( + True, True, False, False, True, True, False, False + ) + assert flags == flags2 + + def test_ne(self): + flags = x509.ReasonFlags( + True, True, False, False, True, True, False, False + ) + flags2 = x509.ReasonFlags( + True, True, False, False, True, True, False, True + ) + assert flags != flags2 + assert flags != object() + + def test_repr(self): + flags = x509.ReasonFlags( + True, True, False, False, True, True, False, False + ) + assert repr(flags) == ( + "" + ) + + +class TestDistributionPoint(object): + def test_distribution_point_list_not_general_names(self): + with pytest.raises(TypeError): + x509.DistributionPoint(["notgn"], None, None) + + def test_distribution_point_not_name(self): + with pytest.raises(TypeError): + x509.DistributionPoint("notname", None, None) + + def test_crl_issuer_not_general_names(self): + with pytest.raises(TypeError): + x509.DistributionPoint(None, None, ["notgn"]) + + def test_reason_not_reasonflags(self): + with pytest.raises(TypeError): + x509.DistributionPoint( + [x509.UniformResourceIdentifier(u"http://crypt.og/crl")], + "notreasonflags", + None + ) + + def test_reason_only(self): + with pytest.raises(ValueError): + x509.DistributionPoint( + None, + x509.ReasonFlags( + True, True, False, False, True, True, False, False + ), + None + ) + + def test_eq(self): + dp = x509.DistributionPoint( + [x509.UniformResourceIdentifier(u"http://crypt.og/crl")], + x509.ReasonFlags( + False, False, False, False, False, True, False, False + ), + [ + x509.DirectoryName( + x509.Name([ + x509.NameAttribute( + x509.OID_COMMON_NAME, "Important CA" + ) + ]) + ) + ], + ) + dp2 = x509.DistributionPoint( + [x509.UniformResourceIdentifier(u"http://crypt.og/crl")], + x509.ReasonFlags( + False, False, False, False, False, True, False, False + ), + [ + x509.DirectoryName( + x509.Name([ + x509.NameAttribute( + x509.OID_COMMON_NAME, "Important CA" + ) + ]) + ) + ], + ) + assert dp == dp2 + + def test_ne(self): + dp = x509.DistributionPoint( + [x509.UniformResourceIdentifier(u"http://crypt.og/crl")], + x509.ReasonFlags( + False, False, False, False, False, True, False, False + ), + [ + x509.DirectoryName( + x509.Name([ + x509.NameAttribute( + x509.OID_COMMON_NAME, "Important CA" + ) + ]) + ) + ], + ) + dp2 = x509.DistributionPoint( + [x509.UniformResourceIdentifier(u"http://crypt.og/crl")], + None, + None + ) + assert dp != dp2 + assert dp != object() + + def test_repr(self): + dp = x509.DistributionPoint( + x509.Name([ + x509.NameAttribute(x509.OID_COMMON_NAME, "myCN") + ]), + x509.ReasonFlags( + False, False, False, False, False, True, False, False + ), + [ + x509.DirectoryName( + x509.Name([ + x509.NameAttribute( + x509.OID_COMMON_NAME, "Important CA" + ) + ]) + ) + ], + ) + assert repr(dp) == ( + ", value='myCN')>" + "])>, reasons=, crl_issuer=[, value='Important CA')>])>)>])>" + ) + + +class TestCRLDistributionPoints(object): + def test_invalid_distribution_points(self): + with pytest.raises(TypeError): + x509.CRLDistributionPoints(["notadistributionpoint"]) + + def test_iter_len(self): + cdp = x509.CRLDistributionPoints([ + x509.DistributionPoint( + [x509.UniformResourceIdentifier(u"http://domain")], + None, + None + ), + x509.DistributionPoint( + [x509.UniformResourceIdentifier(u"ftp://domain")], + x509.ReasonFlags( + True, True, True, True, True, True, True, True + ), + None + ), + ]) + assert len(cdp) == 2 + assert list(cdp) == [ + x509.DistributionPoint( + [x509.UniformResourceIdentifier(u"http://domain")], + None, + None + ), + x509.DistributionPoint( + [x509.UniformResourceIdentifier(u"ftp://domain")], + x509.ReasonFlags( + True, True, True, True, True, True, True, True + ), + None + ), + ] + + def test_repr(self): + cdp = x509.CRLDistributionPoints([ + x509.DistributionPoint( + [x509.UniformResourceIdentifier(u"ftp://domain")], + x509.ReasonFlags( + True, True, True, True, True, True, True, True + ), + None + ), + ]) + assert repr(cdp) == ( + "], reasons=, crl" + "_issuer=None)>])>" + ) + + def test_eq(self): + cdp = x509.CRLDistributionPoints([ + x509.DistributionPoint( + [x509.UniformResourceIdentifier(u"ftp://domain")], + x509.ReasonFlags( + True, True, True, True, True, True, True, True + ), + [x509.UniformResourceIdentifier(u"uri://thing")], + ), + ]) + cdp2 = x509.CRLDistributionPoints([ + x509.DistributionPoint( + [x509.UniformResourceIdentifier(u"ftp://domain")], + x509.ReasonFlags( + True, True, True, True, True, True, True, True + ), + [x509.UniformResourceIdentifier(u"uri://thing")], + ), + ]) + assert cdp == cdp2 + + def test_ne(self): + cdp = x509.CRLDistributionPoints([ + x509.DistributionPoint( + [x509.UniformResourceIdentifier(u"ftp://domain")], + x509.ReasonFlags( + True, True, True, True, True, True, True, True + ), + [x509.UniformResourceIdentifier(u"uri://thing")], + ), + ]) + cdp2 = x509.CRLDistributionPoints([ + x509.DistributionPoint( + [x509.UniformResourceIdentifier(u"ftp://domain2")], + x509.ReasonFlags( + True, True, True, True, True, True, True, True + ), + [x509.UniformResourceIdentifier(u"uri://thing")], + ), + ]) + cdp3 = x509.CRLDistributionPoints([ + x509.DistributionPoint( + [x509.UniformResourceIdentifier(u"ftp://domain")], + x509.ReasonFlags( + True, True, True, True, True, True, True, False + ), + [x509.UniformResourceIdentifier(u"uri://thing")], + ), + ]) + cdp4 = x509.CRLDistributionPoints([ + x509.DistributionPoint( + [x509.UniformResourceIdentifier(u"ftp://domain")], + x509.ReasonFlags( + True, True, True, True, True, True, True, True + ), + [x509.UniformResourceIdentifier(u"uri://thing2")], + ), + ]) + assert cdp != cdp2 + assert cdp != cdp3 + assert cdp != cdp4 + assert cdp != object() -- cgit v1.2.3 From 4e8dacd02ec4c4b8238e5ebdfcd5ab26348ec658 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 9 May 2015 10:38:23 -0500 Subject: separate full_name/relative_name and change reasons to an enumeration --- tests/test_x509_ext.py | 207 ++++++++++++++++++++++++------------------------- 1 file changed, 100 insertions(+), 107 deletions(-) (limited to 'tests/test_x509_ext.py') diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index 1ccb361b..e0858c76 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -1320,69 +1320,46 @@ class TestAuthorityKeyIdentifierExtension(object): assert ext.value.authority_cert_serial_number == 3 -class TestReasonFlags(object): - def test_flags(self): - flags = x509.ReasonFlags( - True, True, False, False, True, True, False, False - ) - assert flags.key_compromise is True - assert flags.ca_compromise is True - assert flags.affiliation_changed is False - assert flags.superseded is False - assert flags.cessation_of_operation is True - assert flags.certificate_hold is True - assert flags.privilege_withdrawn is False - assert flags.aa_compromise is False - - def test_eq(self): - flags = x509.ReasonFlags( - True, True, False, False, True, True, False, False - ) - flags2 = x509.ReasonFlags( - True, True, False, False, True, True, False, False - ) - assert flags == flags2 - - def test_ne(self): - flags = x509.ReasonFlags( - True, True, False, False, True, True, False, False - ) - flags2 = x509.ReasonFlags( - True, True, False, False, True, True, False, True - ) - assert flags != flags2 - assert flags != object() - - def test_repr(self): - flags = x509.ReasonFlags( - True, True, False, False, True, True, False, False - ) - assert repr(flags) == ( - "" - ) - - class TestDistributionPoint(object): - def test_distribution_point_list_not_general_names(self): + def test_distribution_point_full_name_not_general_names(self): with pytest.raises(TypeError): - x509.DistributionPoint(["notgn"], None, None) + x509.DistributionPoint(["notgn"], None, None, None) - def test_distribution_point_not_name(self): + def test_distribution_point_relative_name_not_name(self): with pytest.raises(TypeError): - x509.DistributionPoint("notname", None, None) + x509.DistributionPoint(None, "notname", None, None) + + def test_distribution_point_full_and_relative_not_none(self): + with pytest.raises(ValueError): + x509.DistributionPoint("data", "notname", None, None) def test_crl_issuer_not_general_names(self): with pytest.raises(TypeError): - x509.DistributionPoint(None, None, ["notgn"]) + x509.DistributionPoint(None, None, None, ["notgn"]) def test_reason_not_reasonflags(self): with pytest.raises(TypeError): x509.DistributionPoint( [x509.UniformResourceIdentifier(u"http://crypt.og/crl")], - "notreasonflags", + None, + ["notreasonflags"], + None + ) + + def test_disallowed_reasons(self): + with pytest.raises(ValueError): + x509.DistributionPoint( + [x509.UniformResourceIdentifier(u"http://crypt.og/crl")], + None, + [x509.ReasonFlags.unspecified], + None + ) + + with pytest.raises(ValueError): + x509.DistributionPoint( + [x509.UniformResourceIdentifier(u"http://crypt.og/crl")], + None, + [x509.ReasonFlags.remove_from_crl], None ) @@ -1390,18 +1367,16 @@ class TestDistributionPoint(object): with pytest.raises(ValueError): x509.DistributionPoint( None, - x509.ReasonFlags( - True, True, False, False, True, True, False, False - ), + None, + [x509.ReasonFlags.aa_compromise], None ) def test_eq(self): dp = x509.DistributionPoint( [x509.UniformResourceIdentifier(u"http://crypt.og/crl")], - x509.ReasonFlags( - False, False, False, False, False, True, False, False - ), + None, + [x509.ReasonFlags.superseded], [ x509.DirectoryName( x509.Name([ @@ -1414,9 +1389,8 @@ class TestDistributionPoint(object): ) dp2 = x509.DistributionPoint( [x509.UniformResourceIdentifier(u"http://crypt.og/crl")], - x509.ReasonFlags( - False, False, False, False, False, True, False, False - ), + None, + [x509.ReasonFlags.superseded], [ x509.DirectoryName( x509.Name([ @@ -1432,9 +1406,10 @@ class TestDistributionPoint(object): def test_ne(self): dp = x509.DistributionPoint( [x509.UniformResourceIdentifier(u"http://crypt.og/crl")], - x509.ReasonFlags( - False, False, False, False, False, True, False, False - ), + None, + [ + x509.ReasonFlags.superseded, + ], [ x509.DirectoryName( x509.Name([ @@ -1448,6 +1423,7 @@ class TestDistributionPoint(object): dp2 = x509.DistributionPoint( [x509.UniformResourceIdentifier(u"http://crypt.og/crl")], None, + None, None ) assert dp != dp2 @@ -1455,12 +1431,14 @@ class TestDistributionPoint(object): def test_repr(self): dp = x509.DistributionPoint( + None, x509.Name([ x509.NameAttribute(x509.OID_COMMON_NAME, "myCN") ]), - x509.ReasonFlags( - False, False, False, False, False, True, False, False - ), + [ + x509.ReasonFlags.key_compromise, + x509.ReasonFlags.ca_compromise, + ], [ x509.DirectoryName( x509.Name([ @@ -1472,14 +1450,12 @@ class TestDistributionPoint(object): ], ) assert repr(dp) == ( - ", value='myCN')>" - "])>, reasons=, crl_issuer=[, value='Important CA')>])>)>])>" + ", val" + "ue='myCN')>])>, reasons=[, ], crl_issuer" + "=[, value='Important CA')>])>)>])>" ) @@ -1493,13 +1469,16 @@ class TestCRLDistributionPoints(object): x509.DistributionPoint( [x509.UniformResourceIdentifier(u"http://domain")], None, + None, None ), x509.DistributionPoint( [x509.UniformResourceIdentifier(u"ftp://domain")], - x509.ReasonFlags( - True, True, True, True, True, True, True, True - ), + None, + [ + x509.ReasonFlags.key_compromise, + x509.ReasonFlags.ca_compromise, + ], None ), ]) @@ -1508,13 +1487,16 @@ class TestCRLDistributionPoints(object): x509.DistributionPoint( [x509.UniformResourceIdentifier(u"http://domain")], None, + None, None ), x509.DistributionPoint( [x509.UniformResourceIdentifier(u"ftp://domain")], - x509.ReasonFlags( - True, True, True, True, True, True, True, True - ), + None, + [ + x509.ReasonFlags.key_compromise, + x509.ReasonFlags.ca_compromise, + ], None ), ] @@ -1523,37 +1505,41 @@ class TestCRLDistributionPoints(object): cdp = x509.CRLDistributionPoints([ x509.DistributionPoint( [x509.UniformResourceIdentifier(u"ftp://domain")], - x509.ReasonFlags( - True, True, True, True, True, True, True, True - ), + None, + [ + x509.ReasonFlags.key_compromise, + x509.ReasonFlags.ca_compromise, + ], None ), ]) assert repr(cdp) == ( - "], reasons=, crl" - "_issuer=None)>])>" + "], relative_name=None, reason" + "s=[, ], crl_issuer=None)>])>" ) def test_eq(self): cdp = x509.CRLDistributionPoints([ x509.DistributionPoint( [x509.UniformResourceIdentifier(u"ftp://domain")], - x509.ReasonFlags( - True, True, True, True, True, True, True, True - ), + None, + [ + x509.ReasonFlags.key_compromise, + x509.ReasonFlags.ca_compromise, + ], [x509.UniformResourceIdentifier(u"uri://thing")], ), ]) cdp2 = x509.CRLDistributionPoints([ x509.DistributionPoint( [x509.UniformResourceIdentifier(u"ftp://domain")], - x509.ReasonFlags( - True, True, True, True, True, True, True, True - ), + None, + [ + x509.ReasonFlags.key_compromise, + x509.ReasonFlags.ca_compromise, + ], [x509.UniformResourceIdentifier(u"uri://thing")], ), ]) @@ -1563,36 +1549,43 @@ class TestCRLDistributionPoints(object): cdp = x509.CRLDistributionPoints([ x509.DistributionPoint( [x509.UniformResourceIdentifier(u"ftp://domain")], - x509.ReasonFlags( - True, True, True, True, True, True, True, True - ), + None, + [ + x509.ReasonFlags.key_compromise, + x509.ReasonFlags.ca_compromise, + ], [x509.UniformResourceIdentifier(u"uri://thing")], ), ]) cdp2 = x509.CRLDistributionPoints([ x509.DistributionPoint( [x509.UniformResourceIdentifier(u"ftp://domain2")], - x509.ReasonFlags( - True, True, True, True, True, True, True, True - ), + None, + [ + x509.ReasonFlags.key_compromise, + x509.ReasonFlags.ca_compromise, + ], [x509.UniformResourceIdentifier(u"uri://thing")], ), ]) cdp3 = x509.CRLDistributionPoints([ x509.DistributionPoint( [x509.UniformResourceIdentifier(u"ftp://domain")], - x509.ReasonFlags( - True, True, True, True, True, True, True, False - ), + None, + [ + x509.ReasonFlags.key_compromise, + ], [x509.UniformResourceIdentifier(u"uri://thing")], ), ]) cdp4 = x509.CRLDistributionPoints([ x509.DistributionPoint( [x509.UniformResourceIdentifier(u"ftp://domain")], - x509.ReasonFlags( - True, True, True, True, True, True, True, True - ), + None, + [ + x509.ReasonFlags.key_compromise, + x509.ReasonFlags.ca_compromise, + ], [x509.UniformResourceIdentifier(u"uri://thing2")], ), ]) -- cgit v1.2.3 From 3fd0260a3dd110d99c0174c3937aa3d86b0d9ba0 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 9 May 2015 19:46:13 -0500 Subject: switch reasons to frozenset --- tests/test_x509_ext.py | 78 +++++++++++++++++++++++++++----------------------- 1 file changed, 42 insertions(+), 36 deletions(-) (limited to 'tests/test_x509_ext.py') diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index e0858c76..a18a443b 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -1342,7 +1342,16 @@ class TestDistributionPoint(object): x509.DistributionPoint( [x509.UniformResourceIdentifier(u"http://crypt.og/crl")], None, - ["notreasonflags"], + frozenset(["notreasonflags"]), + None + ) + + def test_reason_not_frozenset(self): + with pytest.raises(TypeError): + x509.DistributionPoint( + [x509.UniformResourceIdentifier(u"http://crypt.og/crl")], + None, + [x509.ReasonFlags.ca_compromise], None ) @@ -1351,7 +1360,7 @@ class TestDistributionPoint(object): x509.DistributionPoint( [x509.UniformResourceIdentifier(u"http://crypt.og/crl")], None, - [x509.ReasonFlags.unspecified], + frozenset([x509.ReasonFlags.unspecified]), None ) @@ -1359,7 +1368,7 @@ class TestDistributionPoint(object): x509.DistributionPoint( [x509.UniformResourceIdentifier(u"http://crypt.og/crl")], None, - [x509.ReasonFlags.remove_from_crl], + frozenset([x509.ReasonFlags.remove_from_crl]), None ) @@ -1368,7 +1377,7 @@ class TestDistributionPoint(object): x509.DistributionPoint( None, None, - [x509.ReasonFlags.aa_compromise], + frozenset([x509.ReasonFlags.aa_compromise]), None ) @@ -1376,7 +1385,7 @@ class TestDistributionPoint(object): dp = x509.DistributionPoint( [x509.UniformResourceIdentifier(u"http://crypt.og/crl")], None, - [x509.ReasonFlags.superseded], + frozenset([x509.ReasonFlags.superseded]), [ x509.DirectoryName( x509.Name([ @@ -1390,7 +1399,7 @@ class TestDistributionPoint(object): dp2 = x509.DistributionPoint( [x509.UniformResourceIdentifier(u"http://crypt.og/crl")], None, - [x509.ReasonFlags.superseded], + frozenset([x509.ReasonFlags.superseded]), [ x509.DirectoryName( x509.Name([ @@ -1407,9 +1416,7 @@ class TestDistributionPoint(object): dp = x509.DistributionPoint( [x509.UniformResourceIdentifier(u"http://crypt.og/crl")], None, - [ - x509.ReasonFlags.superseded, - ], + frozenset([x509.ReasonFlags.superseded]), [ x509.DirectoryName( x509.Name([ @@ -1435,10 +1442,10 @@ class TestDistributionPoint(object): x509.Name([ x509.NameAttribute(x509.OID_COMMON_NAME, "myCN") ]), - [ + frozenset([ x509.ReasonFlags.key_compromise, x509.ReasonFlags.ca_compromise, - ], + ]), [ x509.DirectoryName( x509.Name([ @@ -1452,10 +1459,11 @@ class TestDistributionPoint(object): assert repr(dp) == ( ", val" - "ue='myCN')>])>, reasons=[, ], crl_issuer" - "=[, value='Important CA')>])>)>])>" + "ue='myCN')>])>, reasons=frozenset([, ])," + " crl_issuer=[, value='Important C" + "A')>])>)>])>" ) @@ -1475,10 +1483,10 @@ class TestCRLDistributionPoints(object): x509.DistributionPoint( [x509.UniformResourceIdentifier(u"ftp://domain")], None, - [ + frozenset([ x509.ReasonFlags.key_compromise, x509.ReasonFlags.ca_compromise, - ], + ]), None ), ]) @@ -1493,10 +1501,10 @@ class TestCRLDistributionPoints(object): x509.DistributionPoint( [x509.UniformResourceIdentifier(u"ftp://domain")], None, - [ + frozenset([ x509.ReasonFlags.key_compromise, x509.ReasonFlags.ca_compromise, - ], + ]), None ), ] @@ -1506,18 +1514,18 @@ class TestCRLDistributionPoints(object): x509.DistributionPoint( [x509.UniformResourceIdentifier(u"ftp://domain")], None, - [ + frozenset([ x509.ReasonFlags.key_compromise, x509.ReasonFlags.ca_compromise, - ], + ]), None ), ]) assert repr(cdp) == ( "], relative_name=None, reason" - "s=[, ], crl_issuer=None)>])>" + "s=frozenset([, ]), crl_issuer=None)>])>" ) def test_eq(self): @@ -1525,10 +1533,10 @@ class TestCRLDistributionPoints(object): x509.DistributionPoint( [x509.UniformResourceIdentifier(u"ftp://domain")], None, - [ + frozenset([ x509.ReasonFlags.key_compromise, x509.ReasonFlags.ca_compromise, - ], + ]), [x509.UniformResourceIdentifier(u"uri://thing")], ), ]) @@ -1536,10 +1544,10 @@ class TestCRLDistributionPoints(object): x509.DistributionPoint( [x509.UniformResourceIdentifier(u"ftp://domain")], None, - [ + frozenset([ x509.ReasonFlags.key_compromise, x509.ReasonFlags.ca_compromise, - ], + ]), [x509.UniformResourceIdentifier(u"uri://thing")], ), ]) @@ -1550,10 +1558,10 @@ class TestCRLDistributionPoints(object): x509.DistributionPoint( [x509.UniformResourceIdentifier(u"ftp://domain")], None, - [ + frozenset([ x509.ReasonFlags.key_compromise, x509.ReasonFlags.ca_compromise, - ], + ]), [x509.UniformResourceIdentifier(u"uri://thing")], ), ]) @@ -1561,10 +1569,10 @@ class TestCRLDistributionPoints(object): x509.DistributionPoint( [x509.UniformResourceIdentifier(u"ftp://domain2")], None, - [ + frozenset([ x509.ReasonFlags.key_compromise, x509.ReasonFlags.ca_compromise, - ], + ]), [x509.UniformResourceIdentifier(u"uri://thing")], ), ]) @@ -1572,9 +1580,7 @@ class TestCRLDistributionPoints(object): x509.DistributionPoint( [x509.UniformResourceIdentifier(u"ftp://domain")], None, - [ - x509.ReasonFlags.key_compromise, - ], + frozenset([x509.ReasonFlags.key_compromise]), [x509.UniformResourceIdentifier(u"uri://thing")], ), ]) @@ -1582,10 +1588,10 @@ class TestCRLDistributionPoints(object): x509.DistributionPoint( [x509.UniformResourceIdentifier(u"ftp://domain")], None, - [ + frozenset([ x509.ReasonFlags.key_compromise, x509.ReasonFlags.ca_compromise, - ], + ]), [x509.UniformResourceIdentifier(u"uri://thing2")], ), ]) -- cgit v1.2.3 From 96ef63c9996612caea7342cf78c0abb57564989c Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 9 May 2015 21:17:04 -0500 Subject: fix repr tests --- tests/test_x509_ext.py | 23 ++++++++--------------- 1 file changed, 8 insertions(+), 15 deletions(-) (limited to 'tests/test_x509_ext.py') diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index a18a443b..58fb3c46 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -1442,10 +1442,7 @@ class TestDistributionPoint(object): x509.Name([ x509.NameAttribute(x509.OID_COMMON_NAME, "myCN") ]), - frozenset([ - x509.ReasonFlags.key_compromise, - x509.ReasonFlags.ca_compromise, - ]), + frozenset([x509.ReasonFlags.ca_compromise]), [ x509.DirectoryName( x509.Name([ @@ -1459,11 +1456,10 @@ class TestDistributionPoint(object): assert repr(dp) == ( ", val" - "ue='myCN')>])>, reasons=frozenset([, ])," - " crl_issuer=[, value='Important C" - "A')>])>)>])>" + "ue='myCN')>])>, reasons=frozenset([]), crl_issuer=[, v" + "alue='Important CA')>])>)>])>" ) @@ -1514,18 +1510,15 @@ class TestCRLDistributionPoints(object): x509.DistributionPoint( [x509.UniformResourceIdentifier(u"ftp://domain")], None, - frozenset([ - x509.ReasonFlags.key_compromise, - x509.ReasonFlags.ca_compromise, - ]), + frozenset([x509.ReasonFlags.key_compromise]), None ), ]) assert repr(cdp) == ( "], relative_name=None, reason" - "s=frozenset([, ]), crl_issuer=None)>])>" + "s=frozenset([]), crl" + "_issuer=None)>])>" ) def test_eq(self): -- cgit v1.2.3 From 749da3b67c76ca7172eef88b2624b46cb99510a9 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 10 May 2015 09:58:29 -0500 Subject: repr tests are the worst. frozenset has diff repr on py3 --- tests/test_x509_ext.py | 46 ++++++++++++++++++++++++++++++++-------------- 1 file changed, 32 insertions(+), 14 deletions(-) (limited to 'tests/test_x509_ext.py') diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index 58fb3c46..06a68600 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -1453,14 +1453,24 @@ class TestDistributionPoint(object): ) ], ) - assert repr(dp) == ( - ", val" - "ue='myCN')>])>, reasons=frozenset([]), crl_issuer=[, v" - "alue='Important CA')>])>)>])>" - ) + if six.PY3: + assert repr(dp) == ( + ", value='myCN')>])>, reasons=frozenset({}), crl_issuer=[, value='Important CA')>])>)>])>" + ) + else: + assert repr(dp) == ( + ", value='myCN')>])>, reasons=frozenset([]), crl_issuer=[, value='Important CA')>])>)>])>" + ) class TestCRLDistributionPoints(object): @@ -1514,12 +1524,20 @@ class TestCRLDistributionPoints(object): None ), ]) - assert repr(cdp) == ( - "], relative_name=None, reason" - "s=frozenset([]), crl" - "_issuer=None)>])>" - ) + if six.PY3: + assert repr(cdp) == ( + "], relative_name=No" + "ne, reasons=frozenset({}), crl_issuer=None)>])>" + ) + else: + assert repr(cdp) == ( + "], relative_name=No" + "ne, reasons=frozenset([]), crl_issuer=None)>])>" + ) def test_eq(self): cdp = x509.CRLDistributionPoints([ -- cgit v1.2.3 From 2b62258a39880518403456bab487360b46ff02f7 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 15 Apr 2015 11:04:29 -0400 Subject: certificate policies extension support Adds a bunch of ancillary classes to support this. --- tests/test_x509_ext.py | 117 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 117 insertions(+) (limited to 'tests/test_x509_ext.py') diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index 06a68600..c6303432 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -39,6 +39,123 @@ class TestExtension(object): ) +class TestNoticeReference(object): + def test_notice_numbers_not_all_int(self): + with pytest.raises(TypeError): + x509.NoticeReference("org", [1, 2, "three"]) + + def test_notice_numbers_none(self): + nr = x509.NoticeReference("org", None) + assert nr.organization == "org" + assert nr.notice_numbers is None + + def test_repr(self): + nr = x509.NoticeReference("org", [1, 3, 4]) + + assert repr(nr) == ( + "" + ) + + +class TestUserNotice(object): + def test_notice_reference_invalid(self): + with pytest.raises(TypeError): + x509.UserNotice("invalid", None) + + def test_notice_reference_none(self): + un = x509.UserNotice(None, "text") + assert un.notice_reference is None + assert un.explicit_text == "text" + + def test_repr(self): + un = x509.UserNotice(x509.NoticeReference("org", None), "text") + assert repr(un) == ( + ", explicit_text=text)>" + ) + + +class TestPolicyQualifierInfo(object): + def test_invalid_qualifier(self): + with pytest.raises(ValueError): + x509.PolicyQualifierInfo(None) + + def test_string_qualifier(self): + pqi = x509.PolicyQualifierInfo("1.2.3") + assert pqi.policy_qualifier_id == x509.OID_CPS_QUALIFIER + assert pqi.qualifier == "1.2.3" + + def test_user_notice_qualifier(self): + pqi = x509.PolicyQualifierInfo(x509.UserNotice(None, "text")) + assert pqi.policy_qualifier_id == x509.OID_CPS_USER_NOTICE + assert isinstance(pqi.qualifier, x509.UserNotice) + + def test_repr(self): + pqi = x509.PolicyQualifierInfo("1.2.3.4") + assert repr(pqi) == ( + ", qualifier=1.2.3.4)>" + ) + + +class TestPolicyInformation(object): + def test_invalid_policy_identifier(self): + with pytest.raises(TypeError): + x509.PolicyInformation("notanoid", None) + + def test_none_policy_qualifiers(self): + pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), None) + assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3") + assert pi.policy_qualifiers is None + + def test_policy_qualifiers(self): + pq = [x509.PolicyQualifierInfo("string")] + pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq) + assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3") + assert pi.policy_qualifiers == pq + + def test_invalid_policy_identifiers(self): + with pytest.raises(TypeError): + x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [1, 2]) + + def test_repr(self): + pq = [x509.PolicyQualifierInfo("string")] + pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq) + assert repr(pi) == ( + ", policy_qualifiers=[, qualifier=string)>])>" + ) + + +class TestCertificatePolicies(object): + def test_invalid_policies(self): + pq = [x509.PolicyQualifierInfo("string")] + pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq) + with pytest.raises(TypeError): + x509.CertificatePolicies([1, pi]) + + def test_iter_len(self): + pq = [x509.PolicyQualifierInfo("string")] + pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq) + cp = x509.CertificatePolicies([pi]) + assert len(cp) == 1 + for policyinfo in cp: + assert policyinfo == pi + + def test_repr(self): + pq = [x509.PolicyQualifierInfo("string")] + pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq) + cp = x509.CertificatePolicies([pi]) + assert repr(cp) == ( + ", policy_qualifiers=[, qualifier=string)>])>])>" + ) + + class TestKeyUsage(object): def test_key_agreement_false_encipher_decipher_true(self): with pytest.raises(ValueError): -- cgit v1.2.3 From ba35b3ba85c374dfd0659992cae01255c530679d Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 10 May 2015 13:07:59 -0500 Subject: remove policyqualifierinfo object --- tests/test_x509_ext.py | 69 +++++++++++++++++++++----------------------------- 1 file changed, 29 insertions(+), 40 deletions(-) (limited to 'tests/test_x509_ext.py') diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index c6303432..10afa1b7 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -75,29 +75,6 @@ class TestUserNotice(object): ) -class TestPolicyQualifierInfo(object): - def test_invalid_qualifier(self): - with pytest.raises(ValueError): - x509.PolicyQualifierInfo(None) - - def test_string_qualifier(self): - pqi = x509.PolicyQualifierInfo("1.2.3") - assert pqi.policy_qualifier_id == x509.OID_CPS_QUALIFIER - assert pqi.qualifier == "1.2.3" - - def test_user_notice_qualifier(self): - pqi = x509.PolicyQualifierInfo(x509.UserNotice(None, "text")) - assert pqi.policy_qualifier_id == x509.OID_CPS_USER_NOTICE - assert isinstance(pqi.qualifier, x509.UserNotice) - - def test_repr(self): - pqi = x509.PolicyQualifierInfo("1.2.3.4") - assert repr(pqi) == ( - ", qualifier=1.2.3.4)>" - ) - - class TestPolicyInformation(object): def test_invalid_policy_identifier(self): with pytest.raises(TypeError): @@ -109,7 +86,7 @@ class TestPolicyInformation(object): assert pi.policy_qualifiers is None def test_policy_qualifiers(self): - pq = [x509.PolicyQualifierInfo("string")] + pq = [u"string"] pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq) assert pi.policy_identifier == x509.ObjectIdentifier("1.2.3") assert pi.policy_qualifiers == pq @@ -119,25 +96,31 @@ class TestPolicyInformation(object): x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [1, 2]) def test_repr(self): - pq = [x509.PolicyQualifierInfo("string")] + pq = [u"string", x509.UserNotice(None, "hi")] pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq) - assert repr(pi) == ( - ", policy_qualifiers=[, qualifier=string)>])>" - ) + if six.PY3: + assert repr(pi) == ( + ", policy_qualifiers=['string', ])>" + ) + else: + assert repr(pi) == ( + ", policy_qualifiers=[u'string', ])>" + ) class TestCertificatePolicies(object): def test_invalid_policies(self): - pq = [x509.PolicyQualifierInfo("string")] + pq = [u"string"] pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq) with pytest.raises(TypeError): x509.CertificatePolicies([1, pi]) def test_iter_len(self): - pq = [x509.PolicyQualifierInfo("string")] + pq = [u"string"] pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq) cp = x509.CertificatePolicies([pi]) assert len(cp) == 1 @@ -145,15 +128,21 @@ class TestCertificatePolicies(object): assert policyinfo == pi def test_repr(self): - pq = [x509.PolicyQualifierInfo("string")] + pq = [u"string"] pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq) cp = x509.CertificatePolicies([pi]) - assert repr(cp) == ( - ", policy_qualifiers=[, qualifier=string)>])>])>" - ) + if six.PY3: + assert repr(cp) == ( + ", policy_qualifi" + "ers=['string'])>])>" + ) + else: + assert repr(cp) == ( + ", policy_qualifi" + "ers=[u'string'])>])>" + ) class TestKeyUsage(object): -- cgit v1.2.3 From 9aaef9e516ae1c54c79f07b0441c21c29f8aeb15 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 11 May 2015 10:49:20 -0500 Subject: use !r for explicit_text in NoticeReference repr --- tests/test_x509_ext.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'tests/test_x509_ext.py') diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index 10afa1b7..fa025d9c 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -71,7 +71,7 @@ class TestUserNotice(object): un = x509.UserNotice(x509.NoticeReference("org", None), "text") assert repr(un) == ( ", explicit_text=text)>" + "notice_numbers=None)>, explicit_text='text')>" ) @@ -102,13 +102,13 @@ class TestPolicyInformation(object): assert repr(pi) == ( ", policy_qualifiers=['string', ])>" + "tice(notice_reference=None, explicit_text='hi')>])>" ) else: assert repr(pi) == ( ", policy_qualifiers=[u'string', ])>" + "otice(notice_reference=None, explicit_text='hi')>])>" ) -- cgit v1.2.3 From 73be2ca86049fd15f1ab37d7201a9b32264402ab Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 11 May 2015 21:22:38 -0500 Subject: alter the repr a bit, pass unicode everywhere --- tests/test_x509_ext.py | 35 ++++++++++++++++++++++++----------- 1 file changed, 24 insertions(+), 11 deletions(-) (limited to 'tests/test_x509_ext.py') diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index fa025d9c..ae69f5fc 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -50,11 +50,18 @@ class TestNoticeReference(object): assert nr.notice_numbers is None def test_repr(self): - nr = x509.NoticeReference("org", [1, 3, 4]) + nr = x509.NoticeReference(u"org", [1, 3, 4]) - assert repr(nr) == ( - "" - ) + if six.PY3: + assert repr(nr) == ( + "" + ) + else: + assert repr(nr) == ( + "" + ) class TestUserNotice(object): @@ -68,11 +75,17 @@ class TestUserNotice(object): assert un.explicit_text == "text" def test_repr(self): - un = x509.UserNotice(x509.NoticeReference("org", None), "text") - assert repr(un) == ( - ", explicit_text='text')>" - ) + un = x509.UserNotice(x509.NoticeReference(u"org", None), u"text") + if six.PY3: + assert repr(un) == ( + ", explicit_text='text')>" + ) + else: + assert repr(un) == ( + ", explicit_text=u'text')>" + ) class TestPolicyInformation(object): @@ -96,7 +109,7 @@ class TestPolicyInformation(object): x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), [1, 2]) def test_repr(self): - pq = [u"string", x509.UserNotice(None, "hi")] + pq = [u"string", x509.UserNotice(None, u"hi")] pi = x509.PolicyInformation(x509.ObjectIdentifier("1.2.3"), pq) if six.PY3: assert repr(pi) == ( @@ -108,7 +121,7 @@ class TestPolicyInformation(object): assert repr(pi) == ( ", policy_qualifiers=[u'string', ])>" + "otice(notice_reference=None, explicit_text=u'hi')>])>" ) -- cgit v1.2.3 From c56ab62c5bce544948825051cdcbf039093d1da4 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 3 May 2015 09:56:31 -0500 Subject: add eq/ne methods for all certificate policies classes --- tests/test_x509_ext.py | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 78 insertions(+) (limited to 'tests/test_x509_ext.py') diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index ae69f5fc..f07792d5 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -63,6 +63,19 @@ class TestNoticeReference(object): "4])>" ) + def test_eq(self): + nr = x509.NoticeReference("org", [1, 2]) + nr2 = x509.NoticeReference("org", [1, 2]) + assert nr == nr2 + + def test_ne(self): + nr = x509.NoticeReference("org", [1, 2]) + nr2 = x509.NoticeReference("org", [1]) + nr3 = x509.NoticeReference(None, [1, 2]) + assert nr != nr2 + assert nr != nr3 + assert nr != object() + class TestUserNotice(object): def test_notice_reference_invalid(self): @@ -87,6 +100,23 @@ class TestUserNotice(object): "'org', notice_numbers=None)>, explicit_text=u'text')>" ) + def test_eq(self): + nr = x509.NoticeReference("org", [1, 2]) + nr2 = x509.NoticeReference("org", [1, 2]) + un = x509.UserNotice(nr, "text") + un2 = x509.UserNotice(nr2, "text") + assert un == un2 + + def test_ne(self): + nr = x509.NoticeReference("org", [1, 2]) + nr2 = x509.NoticeReference("org", [1]) + un = x509.UserNotice(nr, "text") + un2 = x509.UserNotice(nr2, "text") + un3 = x509.UserNotice(nr, "text3") + assert un != un2 + assert un != un3 + assert un != object() + class TestPolicyInformation(object): def test_invalid_policy_identifier(self): @@ -124,6 +154,31 @@ class TestPolicyInformation(object): "otice(notice_reference=None, explicit_text=u'hi')>])>" ) + def test_eq(self): + pi = x509.PolicyInformation( + x509.ObjectIdentifier("1.2.3"), + [u"string", x509.UserNotice(None, u"hi")] + ) + pi2 = x509.PolicyInformation( + x509.ObjectIdentifier("1.2.3"), + [u"string", x509.UserNotice(None, u"hi")] + ) + assert pi == pi2 + + def test_ne(self): + pi = x509.PolicyInformation( + x509.ObjectIdentifier("1.2.3"), [u"string"] + ) + pi2 = x509.PolicyInformation( + x509.ObjectIdentifier("1.2.3"), [u"string2"] + ) + pi3 = x509.PolicyInformation( + x509.ObjectIdentifier("1.2.3.4"), [u"string"] + ) + assert pi != pi2 + assert pi != pi3 + assert pi != object() + class TestCertificatePolicies(object): def test_invalid_policies(self): @@ -157,6 +212,29 @@ class TestCertificatePolicies(object): "ers=[u'string'])>])>" ) + def test_eq(self): + pi = x509.PolicyInformation( + x509.ObjectIdentifier("1.2.3"), [u"string"] + ) + cp = x509.CertificatePolicies([pi]) + pi2 = x509.PolicyInformation( + x509.ObjectIdentifier("1.2.3"), [u"string"] + ) + cp2 = x509.CertificatePolicies([pi2]) + assert cp == cp2 + + def test_ne(self): + pi = x509.PolicyInformation( + x509.ObjectIdentifier("1.2.3"), [u"string"] + ) + cp = x509.CertificatePolicies([pi]) + pi2 = x509.PolicyInformation( + x509.ObjectIdentifier("1.2.3"), [u"string2"] + ) + cp2 = x509.CertificatePolicies([pi2]) + assert cp != cp2 + assert cp != object() + class TestKeyUsage(object): def test_key_agreement_false_encipher_decipher_true(self): -- cgit v1.2.3 From 2ca2eb3cfd2dff414fdf200bd53f5c82f3b6bc9d Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 3 May 2015 10:04:57 -0500 Subject: add eq/ne methods for AuthorityKeyIdentifier --- tests/test_x509_ext.py | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) (limited to 'tests/test_x509_ext.py') diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index f07792d5..a366265c 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -473,6 +473,35 @@ class TestAuthorityKeyIdentifier(object): "])>)>], authority_cert_serial_number=1234)>" ) + def test_eq(self): + dirname = x509.DirectoryName( + x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'myCN')]) + ) + aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234) + dirname2 = x509.DirectoryName( + x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'myCN')]) + ) + aki2 = x509.AuthorityKeyIdentifier(b"digest", [dirname2], 1234) + assert aki == aki2 + + def test_ne(self): + dirname = x509.DirectoryName( + x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'myCN')]) + ) + dirname5 = x509.DirectoryName( + x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'aCN')]) + ) + aki = x509.AuthorityKeyIdentifier(b"digest", [dirname], 1234) + aki2 = x509.AuthorityKeyIdentifier(b"diges", [dirname], 1234) + aki3 = x509.AuthorityKeyIdentifier(b"digest", None, None) + aki4 = x509.AuthorityKeyIdentifier(b"digest", [dirname], 12345) + aki5 = x509.AuthorityKeyIdentifier(b"digest", [dirname5], 12345) + assert aki != aki2 + assert aki != aki3 + assert aki != aki4 + assert aki != aki5 + assert aki != object() + class TestBasicConstraints(object): def test_ca_not_boolean(self): -- cgit v1.2.3 From 6e198b0092a2a320887a234db5227a8c1daa49be Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 12 May 2015 15:53:38 -0500 Subject: notice_numbers are not optional in NoticeReference --- tests/test_x509_ext.py | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) (limited to 'tests/test_x509_ext.py') diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index a366265c..701ea167 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -45,9 +45,8 @@ class TestNoticeReference(object): x509.NoticeReference("org", [1, 2, "three"]) def test_notice_numbers_none(self): - nr = x509.NoticeReference("org", None) - assert nr.organization == "org" - assert nr.notice_numbers is None + with pytest.raises(TypeError): + x509.NoticeReference("org", None) def test_repr(self): nr = x509.NoticeReference(u"org", [1, 3, 4]) @@ -88,16 +87,16 @@ class TestUserNotice(object): assert un.explicit_text == "text" def test_repr(self): - un = x509.UserNotice(x509.NoticeReference(u"org", None), u"text") + un = x509.UserNotice(x509.NoticeReference(u"org", [1]), u"text") if six.PY3: assert repr(un) == ( ", explicit_text='text')>" + "org', notice_numbers=[1])>, explicit_text='text')>" ) else: assert repr(un) == ( ", explicit_text=u'text')>" + "'org', notice_numbers=[1])>, explicit_text=u'text')>" ) def test_eq(self): -- cgit v1.2.3 From 11026fec3dc7dd920de512c1c66ff59c656de139 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 12 May 2015 11:23:56 -0500 Subject: support certificate policies in the openssl backend --- tests/test_x509_ext.py | 94 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 94 insertions(+) (limited to 'tests/test_x509_ext.py') diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index 701ea167..2852776b 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -235,6 +235,100 @@ class TestCertificatePolicies(object): assert cp != object() +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestCertificatePoliciesExtension(object): + def test_cps_uri_policy_qualifier(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "cp_cps_uri.pem"), + x509.load_pem_x509_certificate, + backend + ) + + cp = cert.extensions.get_extension_for_oid( + x509.OID_CERTIFICATE_POLICIES + ).value + + assert cp == x509.CertificatePolicies([ + x509.PolicyInformation( + x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"), + [u"http://other.com/cps"] + ) + ]) + + def test_user_notice_with_notice_reference(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "cp_user_notice_with_notice_reference.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + + cp = cert.extensions.get_extension_for_oid( + x509.OID_CERTIFICATE_POLICIES + ).value + + assert cp == x509.CertificatePolicies([ + x509.PolicyInformation( + x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"), + [ + u"http://example.com/cps", + u"http://other.com/cps", + x509.UserNotice( + x509.NoticeReference(u"my org", [1, 2, 3, 4]), + u"thing" + ) + ] + ) + ]) + + def test_user_notice_with_explicit_text(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "cp_user_notice_with_explicit_text.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + + cp = cert.extensions.get_extension_for_oid( + x509.OID_CERTIFICATE_POLICIES + ).value + + assert cp == x509.CertificatePolicies([ + x509.PolicyInformation( + x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"), + [x509.UserNotice(None, u"thing")] + ) + ]) + + def test_user_notice_no_explicit_text(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "cp_user_notice_no_explicit_text.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + + cp = cert.extensions.get_extension_for_oid( + x509.OID_CERTIFICATE_POLICIES + ).value + + assert cp == x509.CertificatePolicies([ + x509.PolicyInformation( + x509.ObjectIdentifier("2.16.840.1.12345.1.2.3.4.1"), + [ + x509.UserNotice( + x509.NoticeReference(u"my org", [1, 2, 3, 4]), + None + ) + ] + ) + ]) + + class TestKeyUsage(object): def test_key_agreement_false_encipher_decipher_true(self): with pytest.raises(ValueError): -- cgit v1.2.3 From 9a10d59aaaf805a2aecef40df5338d2fc0602be9 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 10 May 2015 14:55:51 -0500 Subject: support CRLDistributionPoints in the OpenSSL backend --- tests/test_x509_ext.py | 158 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 158 insertions(+) (limited to 'tests/test_x509_ext.py') diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index 2852776b..94b33aeb 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -1929,3 +1929,161 @@ class TestCRLDistributionPoints(object): assert cdp != cdp3 assert cdp != cdp4 assert cdp != object() + + +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestCRLDistributionPointsExtension(object): + def test_fullname_and_crl_issuer(self, backend): + cert = _load_cert( + os.path.join( + "x509", "PKITS_data", "certs", "ValidcRLIssuerTest28EE.crt" + ), + x509.load_der_x509_certificate, + backend + ) + + cdps = cert.extensions.get_extension_for_oid( + x509.OID_CRL_DISTRIBUTION_POINTS + ).value + + assert cdps == x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=[x509.DirectoryName( + x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, "US"), + x509.NameAttribute( + x509.OID_ORGANIZATION_NAME, + "Test Certificates 2011" + ), + x509.NameAttribute( + x509.OID_ORGANIZATIONAL_UNIT_NAME, + "indirectCRL CA3 cRLIssuer" + ), + x509.NameAttribute( + x509.OID_COMMON_NAME, + "indirect CRL for indirectCRL CA3" + ), + ]) + )], + relative_name=None, + reasons=None, + crl_issuer=[x509.DirectoryName( + x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, "US"), + x509.NameAttribute( + x509.OID_ORGANIZATION_NAME, + "Test Certificates 2011" + ), + x509.NameAttribute( + x509.OID_ORGANIZATIONAL_UNIT_NAME, + "indirectCRL CA3 cRLIssuer" + ), + ]) + )], + ) + ]) + + def test_relativename_and_crl_issuer(self, backend): + cert = _load_cert( + os.path.join( + "x509", "PKITS_data", "certs", "ValidcRLIssuerTest29EE.crt" + ), + x509.load_der_x509_certificate, + backend + ) + + cdps = cert.extensions.get_extension_for_oid( + x509.OID_CRL_DISTRIBUTION_POINTS + ).value + + assert cdps == x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=None, + relative_name=x509.Name([ + x509.NameAttribute( + x509.OID_COMMON_NAME, + "indirect CRL for indirectCRL CA3" + ), + ]), + reasons=None, + crl_issuer=[x509.DirectoryName( + x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, "US"), + x509.NameAttribute( + x509.OID_ORGANIZATION_NAME, + "Test Certificates 2011" + ), + x509.NameAttribute( + x509.OID_ORGANIZATIONAL_UNIT_NAME, + "indirectCRL CA3 cRLIssuer" + ), + ]) + )], + ) + ]) + + def test_fullname_crl_issuer_reasons(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "cdp_fullname_reasons_crl_issuer.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + + cdps = cert.extensions.get_extension_for_oid( + x509.OID_CRL_DISTRIBUTION_POINTS + ).value + + assert cdps == x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=[x509.UniformResourceIdentifier( + u"http://myhost.com/myca.crl" + )], + relative_name=None, + reasons=frozenset([ + x509.ReasonFlags.key_compromise, + x509.ReasonFlags.ca_compromise + ]), + crl_issuer=[x509.DirectoryName( + x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, "US"), + x509.NameAttribute( + x509.OID_ORGANIZATION_NAME, "PyCA" + ), + x509.NameAttribute( + x509.OID_COMMON_NAME, "cryptography CA" + ), + ]) + )], + ) + ]) + + def test_crl_issuer_only(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "cdp_crl_issuer.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + + cdps = cert.extensions.get_extension_for_oid( + x509.OID_CRL_DISTRIBUTION_POINTS + ).value + + assert cdps == x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=None, + relative_name=None, + reasons=None, + crl_issuer=[x509.DirectoryName( + x509.Name([ + x509.NameAttribute( + x509.OID_COMMON_NAME, "cryptography CA" + ), + ]) + )], + ) + ]) -- cgit v1.2.3 From 594a2edf1ead6b7ce3f4e217bada30f2f323dc36 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 12 May 2015 23:27:32 -0500 Subject: change approach for parsing CDP reason flags --- tests/test_x509_ext.py | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) (limited to 'tests/test_x509_ext.py') diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index 94b33aeb..cf698efa 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -2060,6 +2060,63 @@ class TestCRLDistributionPointsExtension(object): ) ]) + def test_all_reasons(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "cdp_all_reasons.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + + cdps = cert.extensions.get_extension_for_oid( + x509.OID_CRL_DISTRIBUTION_POINTS + ).value + + assert cdps == x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=[x509.UniformResourceIdentifier( + u"http://domain.com/some.crl" + )], + relative_name=None, + reasons=frozenset([ + x509.ReasonFlags.key_compromise, + x509.ReasonFlags.ca_compromise, + x509.ReasonFlags.affiliation_changed, + x509.ReasonFlags.superseded, + x509.ReasonFlags.privilege_withdrawn, + x509.ReasonFlags.cessation_of_operation, + x509.ReasonFlags.aa_compromise, + x509.ReasonFlags.certificate_hold, + ]), + crl_issuer=None + ) + ]) + + def test_single_reason(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "cdp_reason_aa_compromise.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + + cdps = cert.extensions.get_extension_for_oid( + x509.OID_CRL_DISTRIBUTION_POINTS + ).value + + assert cdps == x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=[x509.UniformResourceIdentifier( + u"http://domain.com/some.crl" + )], + relative_name=None, + reasons=frozenset([x509.ReasonFlags.aa_compromise]), + crl_issuer=None + ) + ]) + def test_crl_issuer_only(self, backend): cert = _load_cert( os.path.join( -- cgit v1.2.3 From 8565f5ed4e76dbb9ff46cc9c112aa0eb6b259186 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 13 May 2015 09:57:09 -0500 Subject: add eq/ne support to KeyUsage --- tests/test_x509_ext.py | 51 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) (limited to 'tests/test_x509_ext.py') diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index 2852776b..e1312b6c 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -463,6 +463,57 @@ class TestKeyUsage(object): "only=False)>" ) + def test_eq(self): + ku = x509.KeyUsage( + digital_signature=False, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=True, + key_cert_sign=False, + crl_sign=False, + encipher_only=False, + decipher_only=True + ) + ku2 = x509.KeyUsage( + digital_signature=False, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=True, + key_cert_sign=False, + crl_sign=False, + encipher_only=False, + decipher_only=True + ) + assert ku == ku2 + + def test_ne(self): + ku = x509.KeyUsage( + digital_signature=False, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=True, + key_cert_sign=False, + crl_sign=False, + encipher_only=False, + decipher_only=True + ) + ku2 = x509.KeyUsage( + digital_signature=False, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=False, + key_cert_sign=False, + crl_sign=False, + encipher_only=False, + decipher_only=False + ) + assert ku != ku2 + assert ku != object() + class TestSubjectKeyIdentifier(object): def test_properties(self): -- cgit v1.2.3 From 58cc3973cf3c3e83d5cb9e1d29e1a4fd9b88eff7 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 13 May 2015 10:00:41 -0500 Subject: add eq/ne support to SubjectAlternativeName --- tests/test_x509_ext.py | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'tests/test_x509_ext.py') diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index 2852776b..5d54da1e 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -1077,6 +1077,25 @@ class TestSubjectAlternativeName(object): "])>" ) + def test_eq(self): + san = x509.SubjectAlternativeName( + [x509.DNSName(u"cryptography.io")] + ) + san2 = x509.SubjectAlternativeName( + [x509.DNSName(u"cryptography.io")] + ) + assert san == san2 + + def test_ne(self): + san = x509.SubjectAlternativeName( + [x509.DNSName(u"cryptography.io")] + ) + san2 = x509.SubjectAlternativeName( + [x509.RFC822Name(u"admin@cryptography.io")] + ) + assert san != san2 + assert san != object() + @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) -- cgit v1.2.3 From 3a69b13c38002bc319c5f73df183b8bb558c442a Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 13 May 2015 10:03:46 -0500 Subject: add eq/ne support to BasicConstraints --- tests/test_x509_ext.py | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'tests/test_x509_ext.py') diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index 2852776b..281beeb1 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -622,6 +622,19 @@ class TestBasicConstraints(object): "" ) + def test_eq(self): + na = x509.BasicConstraints(ca=True, path_length=None) + na2 = x509.BasicConstraints(ca=True, path_length=None) + assert na == na2 + + def test_ne(self): + na = x509.BasicConstraints(ca=True, path_length=None) + na2 = x509.BasicConstraints(ca=True, path_length=1) + na3 = x509.BasicConstraints(ca=False, path_length=None) + assert na != na2 + assert na != na3 + assert na != object() + class TestExtendedKeyUsage(object): def test_not_all_oids(self): -- cgit v1.2.3