-rw-r--r-- | docs/development/test-vectors.rst | 3 | ||||
-rw-r--r-- | docs/x509.rst | 3 | ||||
-rw-r--r-- | setup.py | 2 | ||||
-rw-r--r-- | tests/test_x509_ext.py | 11 | ||||
-rw-r--r-- | vectors/cryptography_vectors/x509/custom/san_idna2003_dnsname.pem | 17 |
5 files changed, 35 insertions, 1 deletions
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 4c0063b5..b4f23eda 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -151,6 +151,9 @@ Custom X.509 Vectors * ``san_idna_names.pem`` - An RSA 2048 bit self-signed certificate containing a subject alternative name extension with ``rfc822Name``, ``dNSName``, and ``uniformResourceIdentifier`` general names with IDNA (:rfc:`5895`) encoding. +* ``san_idna2003_dnsname.pem`` - An RSA 2048 bit self-signed certificate + containing a subject alternative name extension with an IDNA 2003 + (:rfc:`3490`) ``dNSName``. * ``san_rfc822_names.pem`` - An RSA 2048 bit self-signed certificate containing a subject alternative name extension with various ``rfc822Name`` values. * ``san_rfc822_idna.pem`` - An RSA 2048 bit self-signed certificate containing diff --git a/docs/x509.rst b/docs/x509.rst index c8505a87..c570f196 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -313,6 +313,9 @@ X.509 Certificate Object :raises cryptography.x509.UnsupportedGeneralNameType: If an extension contains a general name that is not supported. + :raises UnicodeError: If an extension contains IDNA encoding that is + invalid or not compliant with IDNA 2008. + .. doctest:: >>> for ext in cert.extensions: @@ -32,7 +32,7 @@ with open(os.path.join(src_dir, "cryptography", "__about__.py")) as f: VECTORS_DEPENDENCY = "cryptography_vectors=={0}".format(about['__version__']) requirements = [ - "idna", + "idna>=2.0", "pyasn1", "six>=1.4.1", "setuptools" diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index d3488a9f..20a016b6 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py 
@@ -1332,6 +1332,17 @@ class TestRSASubjectAlternativeNameExtension(object): rfc822name = san.get_values_for_type(x509.RFC822Name) assert [u"email@em\xe5\xefl.com"] == rfc822name + def test_idna2003_invalid(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "san_idna2003_dnsname.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + with pytest.raises(UnicodeError): + cert.extensions + def test_unicode_rfc822_name_dns_name_uri(self, backend): cert = _load_cert( os.path.join( diff --git a/vectors/cryptography_vectors/x509/custom/san_idna2003_dnsname.pem b/vectors/cryptography_vectors/x509/custom/san_idna2003_dnsname.pem new file mode 100644 index 00000000..42ad9ff3 --- /dev/null +++ b/vectors/cryptography_vectors/x509/custom/san_idna2003_dnsname.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyjCCAbKgAwIBAgITBmuEOcehqQ0T8RSnZfjR7vyzcTANBgkqhkiG9w0BAQUF +ADASMRAwDgYDVQQDDAdQeUNBIENBMB4XDTE1MDUxNTA5NDYzOFoXDTE2MDUxNDA5 +NDYzOFowEjEQMA4GA1UEAwwHUHlDQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAKILkg/zRXCemIUAy9NxKfLkiP640nVLEHOyQagPtWacyu4VS56s +lozj4SFybkz3sZMid/agQagM7JhnXer+6j4BL/76KM74RSf1onb6AnRYb3Mo0nIz +l1dT5w4fRGgbpoW+Z+GjuQnlwVteIvg0/V6uqETp1T9tYkpv+SJKlJJ2TtNHz6Fv +AOcJcqagnKmbOTyMuk5vog83/nVVm2fEPOaKYrjUymgmfiWCXrMD/US5bUq1+Hr1 +10m8D8vhyaQhxSsX2Z+v63PhWrybJLUFHfmw7G4c6jM2Ojv9/Mbuh+UmEm0SFvZf +Ltq8ts5chqpAAsdaYYuUOEbGpHeuCtsH2c0CAwEAAaMZMBcwFQYDVR0RBA4wDIIK +eG4tLWs0aC53czANBgkqhkiG9w0BAQUFAAOCAQEAAylbqwHOUkqkWJ1USyIoPjra +Si2O3XmQ2h7BSDeTP7hi8bHeKisjdGX5RlZvuQb/VCEnLpnQeyo0jP8rVoGX+hl/ +LAqpTWQhXQYAfCfWHENs0f+HJw0VB/I7/K6JfQfgZKhfaG7Lb3ZUYN6weM+DDS7E +cUbmnk4fAyPLBTPR4nOw0hWF1IhqZ4x9Vr6s1VlmEaQ/sJi3zhFQx2mb8Lb/3h9b +/WvYRvniEUYxGZ/q1fRmf+gGIacVTJtzpTxSDdSJugfhbm2wRQaXlSojRL+wO5Kg +rDGwi9y5y+zWOFtQQCDEdhFLsw0ae3HPBQxxv85PzpuQD3EDgO0UolhAdZlIZg== +-----END CERTIFICATE----- |
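Review bot: `test_idna2003_invalid` asserts only `pytest.raises(UnicodeError)` around `cert.extensions`, so any Unicode decoding failure during extension parsing would satisfy it, not just the IDNA 2008 rejection of the subject alternative name. The test has no comment saying what the vector contains. The dNSName bytes in `san_idna2003_dnsname.pem` appear to decode to `xn--k4h.ws`, so a line such as `# SAN dNSName is xn--k4h.ws: accepted by IDNA 2003, rejected by IDNA 2008` above the `with` block would make the intent checkable. The exception is raised by the `extensions` property as a whole, so one such name makes every extension of the certificate unavailable, and code that parses untrusted certificates has to catch `UnicodeError` at that access. A short docstring on the test saying so would help. The enclosing test class starts outside the hunk.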