aboutsummaryrefslogtreecommitdiffstats
path: root/tests/test_x509_ext.py
diff options
context:
space:
mode:
Diffstat (limited to 'tests/test_x509_ext.py')
-rw-r--r--tests/test_x509_ext.py275
1 files changed, 173 insertions, 102 deletions
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index c3243972..b707156a 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -13,7 +13,7 @@ import pytest
import six
-from cryptography import x509
+from cryptography import utils, x509
from cryptography.hazmat.backends.interfaces import (
DSABackend, EllipticCurveBackend, RSABackend, X509Backend
)
@@ -152,20 +152,20 @@ class TestUnrecognizedExtension(object):
class TestCertificateIssuer(object):
def test_iter_names(self):
ci = x509.CertificateIssuer([
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
+ x509.DNSName(b"cryptography.io"),
+ x509.DNSName(b"crypto.local"),
])
assert len(ci) == 2
assert list(ci) == [
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
+ x509.DNSName(b"cryptography.io"),
+ x509.DNSName(b"crypto.local"),
]
def test_indexing(self):
ci = x509.CertificateIssuer([
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
- x509.DNSName(u"another.local"),
+ x509.DNSName(b"cryptography.io"),
+ x509.DNSName(b"crypto.local"),
+ x509.DNSName(b"another.local"),
x509.RFC822Name(u"email@another.local"),
x509.UniformResourceIdentifier(u"http://another.local"),
])
@@ -173,26 +173,32 @@ class TestCertificateIssuer(object):
assert ci[2:6:2] == [ci[2], ci[4]]
def test_eq(self):
- ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
- ci2 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
+ ci1 = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")])
+ ci2 = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")])
assert ci1 == ci2
def test_ne(self):
- ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
- ci2 = x509.CertificateIssuer([x509.DNSName(u"somethingelse.tld")])
+ ci1 = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")])
+ ci2 = x509.CertificateIssuer([x509.DNSName(b"somethingelse.tld")])
assert ci1 != ci2
assert ci1 != object()
def test_repr(self):
- ci = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")])
- assert repr(ci) == (
- "<CertificateIssuer(<GeneralNames([<DNSName(value=cryptography.io"
- ")>])>)>"
- )
+ ci = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")])
+ if six.PY3:
+ assert repr(ci) == (
+ "<CertificateIssuer(<GeneralNames([<DNSName(bytes_value="
+ "b'cryptography.io')>])>)>"
+ )
+ else:
+ assert repr(ci) == (
+ "<CertificateIssuer(<GeneralNames([<DNSName(bytes_value="
+ "'cryptography.io')>])>)>"
+ )
def test_get_values_for_type(self):
ci = x509.CertificateIssuer(
- [x509.DNSName(u"cryptography.io")]
+ [x509.DNSName(b"cryptography.io")]
)
names = ci.get_values_for_type(x509.DNSName)
assert names == [u"cryptography.io"]
@@ -891,7 +897,7 @@ class TestAuthorityKeyIdentifier(object):
assert aki.authority_cert_serial_number is None
def test_authority_cert_serial_zero(self):
- dns = x509.DNSName(u"SomeIssuer")
+ dns = x509.DNSName(b"SomeIssuer")
aki = x509.AuthorityKeyIdentifier(b"id", [dns], 0)
assert aki.key_identifier == b"id"
assert aki.authority_cert_issuer == [dns]
@@ -1434,7 +1440,6 @@ class TestKeyUsageExtension(object):
@pytest.mark.parametrize(
"name", [
x509.RFC822Name,
- x509.DNSName,
x509.UniformResourceIdentifier
]
)
@@ -1462,6 +1467,32 @@ class TestTextGeneralNames(object):
assert gn != object()
+class TestDNSName(object):
+ def test_init(self):
+ with pytest.warns(utils.DeprecatedIn21):
+ name = x509.DNSName(u"*.\xf5\xe4\xf6\xfc.example.com")
+ assert name.bytes_value == b"*.xn--4ca7aey.example.com"
+
+ with pytest.warns(utils.DeprecatedIn21):
+ name = x509.DNSName(u".\xf5\xe4\xf6\xfc.example.com")
+ assert name.bytes_value == b".xn--4ca7aey.example.com"
+ assert name.value == u".\xf5\xe4\xf6\xfc.example.com"
+
+ with pytest.warns(utils.DeprecatedIn21):
+ name = x509.DNSName(u"\xf5\xe4\xf6\xfc.example.com")
+ assert name.bytes_value == b"xn--4ca7aey.example.com"
+
+ with pytest.raises(TypeError):
+ x509.DNSName(1.3)
+
+ def test_ne(self):
+ n1 = x509.DNSName(b"test1")
+ n2 = x509.DNSName(b"test2")
+ n3 = x509.DNSName(b"test2")
+ assert n1 != n2
+ assert not (n2 != n3)
+
+
class TestDirectoryName(object):
def test_not_name(self):
with pytest.raises(TypeError):
@@ -1686,35 +1717,35 @@ class TestOtherName(object):
class TestGeneralNames(object):
def test_get_values_for_type(self):
gns = x509.GeneralNames(
- [x509.DNSName(u"cryptography.io")]
+ [x509.DNSName(b"cryptography.io")]
)
names = gns.get_values_for_type(x509.DNSName)
assert names == [u"cryptography.io"]
def test_iter_names(self):
gns = x509.GeneralNames([
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
+ x509.DNSName(b"cryptography.io"),
+ x509.DNSName(b"crypto.local"),
])
assert len(gns) == 2
assert list(gns) == [
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
+ x509.DNSName(b"cryptography.io"),
+ x509.DNSName(b"crypto.local"),
]
def test_iter_input(self):
names = [
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
+ x509.DNSName(b"cryptography.io"),
+ x509.DNSName(b"crypto.local"),
]
gns = x509.GeneralNames(iter(names))
assert list(gns) == names
def test_indexing(self):
gn = x509.GeneralNames([
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
- x509.DNSName(u"another.local"),
+ x509.DNSName(b"cryptography.io"),
+ x509.DNSName(b"crypto.local"),
+ x509.DNSName(b"another.local"),
x509.RFC822Name(u"email@another.local"),
x509.UniformResourceIdentifier(u"http://another.local"),
])
@@ -1724,31 +1755,36 @@ class TestGeneralNames(object):
def test_invalid_general_names(self):
with pytest.raises(TypeError):
x509.GeneralNames(
- [x509.DNSName(u"cryptography.io"), "invalid"]
+ [x509.DNSName(b"cryptography.io"), "invalid"]
)
def test_repr(self):
gns = x509.GeneralNames(
[
- x509.DNSName(u"cryptography.io")
+ x509.DNSName(b"cryptography.io")
]
)
- assert repr(gns) == (
- "<GeneralNames([<DNSName(value=cryptography.io)>])>"
- )
+ if six.PY3:
+ assert repr(gns) == (
+ "<GeneralNames([<DNSName(bytes_value=b'cryptography.io')>])>"
+ )
+ else:
+ assert repr(gns) == (
+ "<GeneralNames([<DNSName(bytes_value='cryptography.io')>])>"
+ )
def test_eq(self):
gns = x509.GeneralNames(
- [x509.DNSName(u"cryptography.io")]
+ [x509.DNSName(b"cryptography.io")]
)
gns2 = x509.GeneralNames(
- [x509.DNSName(u"cryptography.io")]
+ [x509.DNSName(b"cryptography.io")]
)
assert gns == gns2
def test_ne(self):
gns = x509.GeneralNames(
- [x509.DNSName(u"cryptography.io")]
+ [x509.DNSName(b"cryptography.io")]
)
gns2 = x509.GeneralNames(
[x509.RFC822Name(u"admin@cryptography.io")]
@@ -1760,27 +1796,27 @@ class TestGeneralNames(object):
class TestIssuerAlternativeName(object):
def test_get_values_for_type(self):
san = x509.IssuerAlternativeName(
- [x509.DNSName(u"cryptography.io")]
+ [x509.DNSName(b"cryptography.io")]
)
names = san.get_values_for_type(x509.DNSName)
assert names == [u"cryptography.io"]
def test_iter_names(self):
san = x509.IssuerAlternativeName([
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
+ x509.DNSName(b"cryptography.io"),
+ x509.DNSName(b"crypto.local"),
])
assert len(san) == 2
assert list(san) == [
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
+ x509.DNSName(b"cryptography.io"),
+ x509.DNSName(b"crypto.local"),
]
def test_indexing(self):
ian = x509.IssuerAlternativeName([
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
- x509.DNSName(u"another.local"),
+ x509.DNSName(b"cryptography.io"),
+ x509.DNSName(b"crypto.local"),
+ x509.DNSName(b"another.local"),
x509.RFC822Name(u"email@another.local"),
x509.UniformResourceIdentifier(u"http://another.local"),
])
@@ -1790,32 +1826,38 @@ class TestIssuerAlternativeName(object):
def test_invalid_general_names(self):
with pytest.raises(TypeError):
x509.IssuerAlternativeName(
- [x509.DNSName(u"cryptography.io"), "invalid"]
+ [x509.DNSName(b"cryptography.io"), "invalid"]
)
def test_repr(self):
san = x509.IssuerAlternativeName(
[
- x509.DNSName(u"cryptography.io")
+ x509.DNSName(b"cryptography.io")
]
)
- assert repr(san) == (
- "<IssuerAlternativeName("
- "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
- )
+ if six.PY3:
+ assert repr(san) == (
+ "<IssuerAlternativeName("
+ "<GeneralNames([<DNSName(bytes_value=b'cryptography.io')>])>)>"
+ )
+ else:
+ assert repr(san) == (
+ "<IssuerAlternativeName("
+ "<GeneralNames([<DNSName(bytes_value='cryptography.io')>])>)>"
+ )
def test_eq(self):
san = x509.IssuerAlternativeName(
- [x509.DNSName(u"cryptography.io")]
+ [x509.DNSName(b"cryptography.io")]
)
san2 = x509.IssuerAlternativeName(
- [x509.DNSName(u"cryptography.io")]
+ [x509.DNSName(b"cryptography.io")]
)
assert san == san2
def test_ne(self):
san = x509.IssuerAlternativeName(
- [x509.DNSName(u"cryptography.io")]
+ [x509.DNSName(b"cryptography.io")]
)
san2 = x509.IssuerAlternativeName(
[x509.RFC822Name(u"admin@cryptography.io")]
@@ -1870,27 +1912,27 @@ class TestCRLNumber(object):
class TestSubjectAlternativeName(object):
def test_get_values_for_type(self):
san = x509.SubjectAlternativeName(
- [x509.DNSName(u"cryptography.io")]
+ [x509.DNSName(b"cryptography.io")]
)
names = san.get_values_for_type(x509.DNSName)
assert names == [u"cryptography.io"]
def test_iter_names(self):
san = x509.SubjectAlternativeName([
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
+ x509.DNSName(b"cryptography.io"),
+ x509.DNSName(b"crypto.local"),
])
assert len(san) == 2
assert list(san) == [
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
+ x509.DNSName(b"cryptography.io"),
+ x509.DNSName(b"crypto.local"),
]
def test_indexing(self):
san = x509.SubjectAlternativeName([
- x509.DNSName(u"cryptography.io"),
- x509.DNSName(u"crypto.local"),
- x509.DNSName(u"another.local"),
+ x509.DNSName(b"cryptography.io"),
+ x509.DNSName(b"crypto.local"),
+ x509.DNSName(b"another.local"),
x509.RFC822Name(u"email@another.local"),
x509.UniformResourceIdentifier(u"http://another.local"),
])
@@ -1900,32 +1942,38 @@ class TestSubjectAlternativeName(object):
def test_invalid_general_names(self):
with pytest.raises(TypeError):
x509.SubjectAlternativeName(
- [x509.DNSName(u"cryptography.io"), "invalid"]
+ [x509.DNSName(b"cryptography.io"), "invalid"]
)
def test_repr(self):
san = x509.SubjectAlternativeName(
[
- x509.DNSName(u"cryptography.io")
+ x509.DNSName(b"cryptography.io")
]
)
- assert repr(san) == (
- "<SubjectAlternativeName("
- "<GeneralNames([<DNSName(value=cryptography.io)>])>)>"
- )
+ if six.PY3:
+ assert repr(san) == (
+ "<SubjectAlternativeName("
+ "<GeneralNames([<DNSName(bytes_value=b'cryptography.io')>])>)>"
+ )
+ else:
+ assert repr(san) == (
+ "<SubjectAlternativeName("
+ "<GeneralNames([<DNSName(bytes_value='cryptography.io')>])>)>"
+ )
def test_eq(self):
san = x509.SubjectAlternativeName(
- [x509.DNSName(u"cryptography.io")]
+ [x509.DNSName(b"cryptography.io")]
)
san2 = x509.SubjectAlternativeName(
- [x509.DNSName(u"cryptography.io")]
+ [x509.DNSName(b"cryptography.io")]
)
assert san == san2
def test_ne(self):
san = x509.SubjectAlternativeName(
- [x509.DNSName(u"cryptography.io")]
+ [x509.DNSName(b"cryptography.io")]
)
san2 = x509.SubjectAlternativeName(
[x509.RFC822Name(u"admin@cryptography.io")]
@@ -2124,8 +2172,15 @@ class TestRSASubjectAlternativeNameExtension(object):
x509.load_pem_x509_certificate,
backend
)
+ san = cert.extensions.get_extension_for_class(
+ x509.SubjectAlternativeName
+ ).value
+
+ assert len(san) == 1
+ [name] = san
+ assert name.bytes_value == b"xn--k4h.ws"
with pytest.raises(UnicodeError):
- cert.extensions
+ name.value
def test_unicode_rfc822_name_dns_name_uri(self, backend):
cert = _load_cert(
@@ -2220,16 +2275,20 @@ class TestRSASubjectAlternativeNameExtension(object):
assert othernames == [expected]
def test_certbuilder(self, backend):
- sans = [u'*.example.org', u'*.\xf5\xe4\xf6\xfc.example.com',
- u'foobar.example.net']
+ sans = [b'*.example.org', b'*.xn--4ca7aey.example.com',
+ b'foobar.example.net']
private_key = RSA_KEY_2048.private_key(backend)
builder = _make_certbuilder(private_key)
builder = builder.add_extension(
SubjectAlternativeName(list(map(DNSName, sans))), True)
cert = builder.sign(private_key, hashes.SHA1(), backend)
- result = [x.value for x in cert.extensions.get_extension_for_class(
- SubjectAlternativeName).value]
+ result = [
+ x.bytes_value
+ for x in cert.extensions.get_extension_for_class(
+ SubjectAlternativeName
+ ).value
+ ]
assert result == sans
@@ -2265,7 +2324,7 @@ class TestExtendedKeyUsageExtension(object):
class TestAccessDescription(object):
def test_invalid_access_method(self):
with pytest.raises(TypeError):
- x509.AccessDescription("notanoid", x509.DNSName(u"test"))
+ x509.AccessDescription("notanoid", x509.DNSName(b"test"))
def test_invalid_access_location(self):
with pytest.raises(TypeError):
@@ -2799,7 +2858,7 @@ class TestNameConstraints(object):
x509.NameConstraints(None, None)
def test_permitted_none(self):
- excluded = [x509.DNSName(u"name.local")]
+ excluded = [x509.DNSName(b"name.local")]
nc = x509.NameConstraints(
permitted_subtrees=None, excluded_subtrees=excluded
)
@@ -2807,7 +2866,7 @@ class TestNameConstraints(object):
assert nc.excluded_subtrees is not None
def test_excluded_none(self):
- permitted = [x509.DNSName(u"name.local")]
+ permitted = [x509.DNSName(b"name.local")]
nc = x509.NameConstraints(
permitted_subtrees=permitted, excluded_subtrees=None
)
@@ -2821,39 +2880,47 @@ class TestNameConstraints(object):
assert list(nc.excluded_subtrees) == subtrees
def test_repr(self):
- permitted = [x509.DNSName(u"name.local"), x509.DNSName(u"name2.local")]
+ permitted = [x509.DNSName(b"name.local"), x509.DNSName(b"name2.local")]
nc = x509.NameConstraints(
permitted_subtrees=permitted,
excluded_subtrees=None
)
- assert repr(nc) == (
- "<NameConstraints(permitted_subtrees=[<DNSName(value=name.local)>"
- ", <DNSName(value=name2.local)>], excluded_subtrees=None)>"
- )
+ if six.PY3:
+ assert repr(nc) == (
+ "<NameConstraints(permitted_subtrees=[<DNSName("
+ "bytes_value=b'name.local')>, <DNSName(bytes_value="
+ "b'name2.local')>], excluded_subtrees=None)>"
+ )
+ else:
+ assert repr(nc) == (
+ "<NameConstraints(permitted_subtrees=[<DNSName("
+ "bytes_value='name.local')>, <DNSName(bytes_value="
+ "'name2.local')>], excluded_subtrees=None)>"
+ )
def test_eq(self):
nc = x509.NameConstraints(
- permitted_subtrees=[x509.DNSName(u"name.local")],
- excluded_subtrees=[x509.DNSName(u"name2.local")]
+ permitted_subtrees=[x509.DNSName(b"name.local")],
+ excluded_subtrees=[x509.DNSName(b"name2.local")]
)
nc2 = x509.NameConstraints(
- permitted_subtrees=[x509.DNSName(u"name.local")],
- excluded_subtrees=[x509.DNSName(u"name2.local")]
+ permitted_subtrees=[x509.DNSName(b"name.local")],
+ excluded_subtrees=[x509.DNSName(b"name2.local")]
)
assert nc == nc2
def test_ne(self):
nc = x509.NameConstraints(
- permitted_subtrees=[x509.DNSName(u"name.local")],
- excluded_subtrees=[x509.DNSName(u"name2.local")]
+ permitted_subtrees=[x509.DNSName(b"name.local")],
+ excluded_subtrees=[x509.DNSName(b"name2.local")]
)
nc2 = x509.NameConstraints(
- permitted_subtrees=[x509.DNSName(u"name.local")],
+ permitted_subtrees=[x509.DNSName(b"name.local")],
excluded_subtrees=None
)
nc3 = x509.NameConstraints(
permitted_subtrees=None,
- excluded_subtrees=[x509.DNSName(u"name2.local")]
+ excluded_subtrees=[x509.DNSName(b"name2.local")]
)
assert nc != nc2
@@ -2877,7 +2944,7 @@ class TestNameConstraintsExtension(object):
).value
assert nc == x509.NameConstraints(
permitted_subtrees=[
- x509.DNSName(u"zombo.local"),
+ x509.DNSName(b"zombo.local"),
],
excluded_subtrees=[
x509.DirectoryName(x509.Name([
@@ -2899,7 +2966,7 @@ class TestNameConstraintsExtension(object):
).value
assert nc == x509.NameConstraints(
permitted_subtrees=[
- x509.DNSName(u"zombo.local"),
+ x509.DNSName(b"zombo.local"),
],
excluded_subtrees=None
)
@@ -2917,7 +2984,7 @@ class TestNameConstraintsExtension(object):
).value
assert nc == x509.NameConstraints(
permitted_subtrees=[
- x509.DNSName(u".cryptography.io"),
+ x509.DNSName(b".cryptography.io"),
x509.UniformResourceIdentifier(u"ftp://cryptography.test")
],
excluded_subtrees=None
@@ -2937,7 +3004,7 @@ class TestNameConstraintsExtension(object):
assert nc == x509.NameConstraints(
permitted_subtrees=None,
excluded_subtrees=[
- x509.DNSName(u".cryptography.io"),
+ x509.DNSName(b".cryptography.io"),
x509.UniformResourceIdentifier(u"gopher://cryptography.test")
]
)
@@ -2959,7 +3026,7 @@ class TestNameConstraintsExtension(object):
x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")),
],
excluded_subtrees=[
- x509.DNSName(u".domain.com"),
+ x509.DNSName(b".domain.com"),
x509.UniformResourceIdentifier(u"http://test.local"),
]
)
@@ -2997,8 +3064,8 @@ class TestNameConstraintsExtension(object):
)
def test_certbuilder(self, backend):
- permitted = [u'.example.org', u'.\xf5\xe4\xf6\xfc.example.com',
- u'foobar.example.net']
+ permitted = [b'.example.org', b'.xn--4ca7aey.example.com',
+ b'foobar.example.net']
private_key = RSA_KEY_2048.private_key(backend)
builder = _make_certbuilder(private_key)
builder = builder.add_extension(
@@ -3006,8 +3073,12 @@ class TestNameConstraintsExtension(object):
excluded_subtrees=[]), True)
cert = builder.sign(private_key, hashes.SHA1(), backend)
- result = [x.value for x in cert.extensions.get_extension_for_class(
- NameConstraints).value.permitted_subtrees]
+ result = [
+ x.bytes_value
+ for x in cert.extensions.get_extension_for_class(
+ NameConstraints
+ ).value.permitted_subtrees
+ ]
assert result == permitted
generated by cgit v1.2.3 (git 2.25.1) at 2024-09-28 15:30:50 +0000