From e5f152b0a93b105cc32fe5adf06899f4f5cd0936 Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Fri, 25 Dec 2015 23:55:47 -0600
Subject: support CRL entry extension encoding in the RevokedCertificateBuilder
---
 tests/test_x509_crlbuilder.py | 10 ++++-
 tests/test_x509_revokedcertbuilder.py | 74 +++++++++++++++++++++++++++++++++++
 2 files changed, 83 insertions(+), 1 deletion(-)
(limited to 'tests')
diff --git a/tests/test_x509_crlbuilder.py b/tests/test_x509_crlbuilder.py
index de3adcd4..763a6472 100644
--- a/tests/test_x509_crlbuilder.py
+++ b/tests/test_x509_crlbuilder.py
@@ -351,6 +351,9 @@ class TestCertificateRevocationListBuilder(object):
 private_key = RSA_KEY_2048.private_key(backend)
 last_update = datetime.datetime(2002, 1, 1, 12, 1)
 next_update = datetime.datetime(2030, 1, 1, 12, 1)
+ invalidity_date = x509.InvalidityDate(
+ datetime.datetime(2002, 1, 1, 0, 0)
+ )
 revoked_cert0 = x509.RevokedCertificateBuilder().serial_number(
 38
 ).revocation_date(
@@ -360,6 +363,8 @@ class TestCertificateRevocationListBuilder(object):
 2
 ).revocation_date(
 datetime.datetime(2012, 1, 1, 1, 1)
+ ).add_extension(
+ invalidity_date, False
 ).build(backend)
 builder = x509.CertificateRevocationListBuilder().issuer_name(
 x509.Name([
@@ -384,4 +389,7 @@ class TestCertificateRevocationListBuilder(object):
 assert len(crl[0].extensions) == 0
 assert crl[1].serial_number == revoked_cert1.serial_number
 assert crl[1].revocation_date == revoked_cert1.revocation_date
- assert len(crl[1].extensions) == 0
+ assert len(crl[1].extensions) == 1
+ ext = crl[1].extensions.get_extension_for_class(x509.InvalidityDate)
+ assert ext.critical is False
+ assert ext.value == invalidity_date
diff --git a/tests/test_x509_revokedcertbuilder.py b/tests/test_x509_revokedcertbuilder.py
index 9f79387b..0ef92ff6 100644
--- a/tests/test_x509_revokedcertbuilder.py
+++ b/tests/test_x509_revokedcertbuilder.py
@@ -48,6 +48,16 @@ class TestRevokedCertificateBuilder(object):
 with pytest.raises(ValueError):
 builder.revocation_date(datetime.datetime(2002, 1, 1, 12, 1))
 
+ def test_add_extension_checks_for_duplicates(self):
+ builder = x509.RevokedCertificateBuilder().add_extension(
+ x509.CRLReason(x509.ReasonFlags.ca_compromise), False
+ )
+
+ with pytest.raises(ValueError):
+ builder.add_extension(
+ x509.CRLReason(x509.ReasonFlags.ca_compromise), False
+ )
+
 @pytest.mark.requires_backend_interface(interface=X509Backend)
 def test_no_serial_number(self, backend):
 builder = x509.RevokedCertificateBuilder().revocation_date(
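Review bot: The second `add_extension` call in `test_add_extension_checks_for_duplicates` passes the same `CRLReason` value as the first, so the test would still pass if the builder rejected duplicates by comparing values rather than by extension type. Changing the second call's argument to `x509.CRLReason(x509.ReasonFlags.key_compromise), False` would pin that two extensions of the same type cannot both be added to one CRL entry, which is the case a relying party would otherwise have to resolve. The builder itself is not part of this diff (it is limited to `tests`), so how the duplicate check is keyed is an assumption to confirm.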
@@ -78,3 +88,67 @@ class TestRevokedCertificateBuilder(object):
 assert revoked_certificate.serial_number == serial_number
 assert revoked_certificate.revocation_date == revocation_date
 assert len(revoked_certificate.extensions) == 0
+
+ @pytest.mark.parametrize(
+ "extension",
+ [
+ x509.InvalidityDate(datetime.datetime(2015, 1, 1, 0, 0)),
+ x509.CRLReason(x509.ReasonFlags.ca_compromise),
+ x509.CertificateIssuer([
+ x509.DNSName(u"cryptography.io"),
+ ])
+ ]
+ )
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_add_extensions(self, backend, extension):
+ serial_number = 333
+ revocation_date = datetime.datetime(2002, 1, 1, 12, 1)
+ builder = x509.RevokedCertificateBuilder().serial_number(
+ serial_number
+ ).revocation_date(
+ revocation_date
+ ).add_extension(
+ extension, False
+ )
+
+ revoked_certificate = builder.build(backend)
+ assert revoked_certificate.serial_number == serial_number
+ assert revoked_certificate.revocation_date == revocation_date
+ assert len(revoked_certificate.extensions) == 1
+ ext = revoked_certificate.extensions.get_extension_for_class(
+ type(extension)
+ )
+ assert ext.critical is False
+ assert ext.value == extension
+
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_add_multiple_extensions(self, backend):
+ serial_number = 333
+ revocation_date = datetime.datetime(2002, 1, 1, 12, 1)
+ invalidity_date = x509.InvalidityDate(
+ datetime.datetime(2015, 1, 1, 0, 0)
+ )
+ certificate_issuer = x509.CertificateIssuer([
+ x509.DNSName(u"cryptography.io"),
+ ])
+ crl_reason = x509.CRLReason(x509.ReasonFlags.aa_compromise)
+ builder = x509.RevokedCertificateBuilder().serial_number(
+ serial_number
+ ).revocation_date(
+ revocation_date
+ ).add_extension(
+ invalidity_date, True
+ ).add_extension(
+ crl_reason, True
+ ).add_extension(
+ certificate_issuer, True
+ )
+
+ revoked_certificate = builder.build(backend)
+ assert len(revoked_certificate.extensions) == 3
+ for ext_data in [invalidity_date, certificate_issuer, crl_reason]:
+ ext = revoked_certificate.extensions.get_extension_for_class(
+ type(ext_data)
+ )
+ assert ext.critical is True
+ assert ext.value == ext_data
-- 
cgit v1.2.3
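Review bot: The criticality arguments in `test_add_extensions` and `test_add_multiple_extensions` need a comment, because they are the reverse of what RFC 5280 section 5.3 specifies for these entry extensions. That section makes reasonCode and invalidityDate non-critical and requires certificateIssuer to be critical, whereas the first test encodes `CertificateIssuer` with `False` and the second marks all three `True`. That is fine for a round-trip test of the flag, but someone copying the calls as a usage example would produce non-conforming CRL entries. A line such as `# criticality here only exercises the flag; it does not follow the RFC 5280 section 5.3 profile` above each builder chain would make the intent explicit.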