# This file is dual licensed under the terms of the Apache License, Version # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. from __future__ import absolute_import, division, print_function import os import pytest from cryptography import x509 from cryptography.hazmat.backends.interfaces import RSABackend, X509Backend from .test_x509 import _load_cert class TestExtension(object): def test_not_an_oid(self): bc = x509.BasicConstraints(ca=False, path_length=None) with pytest.raises(TypeError): x509.Extension("notanoid", True, bc) def test_critical_not_a_bool(self): bc = x509.BasicConstraints(ca=False, path_length=None) with pytest.raises(TypeError): x509.Extension(x509.OID_BASIC_CONSTRAINTS, "notabool", bc) def test_repr(self): bc = x509.BasicConstraints(ca=False, path_length=None) ext = x509.Extension(x509.OID_BASIC_CONSTRAINTS, True, bc) assert repr(ext) == ( ", critical=True, value=)>" ) class TestBasicConstraints(object): def test_ca_not_boolean(self): with pytest.raises(TypeError): x509.BasicConstraints(ca="notbool", path_length=None) def test_path_length_not_ca(self): with pytest.raises(ValueError): x509.BasicConstraints(ca=False, path_length=0) def test_path_length_not_int(self): with pytest.raises(TypeError): x509.BasicConstraints(ca=True, path_length=1.1) with pytest.raises(TypeError): x509.BasicConstraints(ca=True, path_length="notint") def test_path_length_negative(self): with pytest.raises(TypeError): x509.BasicConstraints(ca=True, path_length=-1) def test_repr(self): na = x509.BasicConstraints(ca=True, path_length=None) assert repr(na) == ( "" ) @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) class TestExtensions(object): def test_no_extensions(self, backend): cert = _load_cert( os.path.join("x509", "verisign_md2_root.pem"), x509.load_pem_x509_certificate, backend ) ext = cert.extensions assert len(ext) == 0 assert list(ext) == [] with pytest.raises(x509.ExtensionNotFound) as exc: ext.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS) assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS def test_one_extension(self, backend): cert = _load_cert( os.path.join( "x509", "custom", "basic_constraints_not_critical.pem" ), x509.load_pem_x509_certificate, backend ) extensions = cert.extensions ext = extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS) assert ext is not None assert ext.value.ca is False def test_duplicate_extension(self, backend): cert = _load_cert( os.path.join( "x509", "custom", "two_basic_constraints.pem" ), x509.load_pem_x509_certificate, backend ) with pytest.raises(x509.DuplicateExtension) as exc: cert.extensions assert exc.value.oid == x509.OID_BASIC_CONSTRAINTS def test_unsupported_critical_extension(self, backend): cert = _load_cert( os.path.join( "x509", "custom", "unsupported_extension_critical.pem" ), x509.load_pem_x509_certificate, backend ) with pytest.raises(x509.UnsupportedExtension) as exc: cert.extensions assert exc.value.oid == x509.ObjectIdentifier("1.2.3.4") def test_unsupported_extension(self, backend): # TODO: this will raise an exception when all extensions are complete cert = _load_cert( os.path.join( "x509", "custom", "unsupported_extension.pem" ), x509.load_pem_x509_certificate, backend ) extensions = cert.extensions assert len(extensions) == 0 @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) class TestBasicConstraintsExtension(object): def test_ca_true_pathlen_6(self, backend): cert = _load_cert( os.path.join( "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt" ), x509.load_der_x509_certificate, backend ) ext = cert.extensions.get_extension_for_oid( x509.OID_BASIC_CONSTRAINTS ) assert ext is not None assert ext.critical is True assert ext.value.ca is True assert ext.value.path_length == 6 def test_path_length_zero(self, backend): cert = _load_cert( os.path.join("x509", "custom", "bc_path_length_zero.pem"), x509.load_pem_x509_certificate, backend ) ext = cert.extensions.get_extension_for_oid( x509.OID_BASIC_CONSTRAINTS ) assert ext is not None assert ext.critical is True assert ext.value.ca is True assert ext.value.path_length == 0 def test_ca_true_no_pathlen(self, backend): cert = _load_cert( os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"), x509.load_der_x509_certificate, backend ) ext = cert.extensions.get_extension_for_oid( x509.OID_BASIC_CONSTRAINTS ) assert ext is not None assert ext.critical is True assert ext.value.ca is True assert ext.value.path_length is None def test_ca_false(self, backend): cert = _load_cert( os.path.join("x509", "cryptography.io.pem"), x509.load_pem_x509_certificate, backend ) ext = cert.extensions.get_extension_for_oid( x509.OID_BASIC_CONSTRAINTS ) assert ext is not None assert ext.critical is True assert ext.value.ca is False assert ext.value.path_length is None def test_no_basic_constraints(self, backend): cert = _load_cert( os.path.join( "x509", "PKITS_data", "certs", "ValidCertificatePathTest1EE.crt" ), x509.load_der_x509_certificate, backend ) with pytest.raises(x509.ExtensionNotFound): cert.extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS) def test_basic_constraint_not_critical(self, backend): cert = _load_cert( os.path.join( "x509", "custom", "basic_constraints_not_critical.pem" ), x509.load_pem_x509_certificate, backend ) ext = cert.extensions.get_extension_for_oid( x509.OID_BASIC_CONSTRAINTS ) assert ext is not None assert ext.critical is False assert ext.value.ca is False