diff options
| author | Alex Gaynor <alex.gaynor@gmail.com> | 2017-07-30 13:08:51 -0400 |
|---|---|---|
| committer | Paul Kehrer <paul.l.kehrer@gmail.com> | 2017-07-30 12:08:51 -0500 |
| commit | cdaf3ff72f6fd562c275c04836cfaa230aabcdf4 (patch) | |
| tree | 8f1587293f9232d2d6ebbbfebd65f700ea93966b /tests/test_x509_ext.py | |
| parent | 2131b962c03c8787c8918f0672707cce3dca06f8 (diff) | |
| download | cryptography-cdaf3ff72f6fd562c275c04836cfaa230aabcdf4.tar.gz cryptography-cdaf3ff72f6fd562c275c04836cfaa230aabcdf4.tar.bz2 cryptography-cdaf3ff72f6fd562c275c04836cfaa230aabcdf4.zip | |
Begin the deprecation of auto-idna for x509.DNSName (#3830)
* Begin the deprecation of auto-idna for x509.DNSName
Refs #3357
* fix warning
* py3k fixes
* fix docs
* sigh
* flake8
* these are words
* words
* tests for coverage
* another test
* do idna things
* more idna things
Diffstat (limited to 'tests/test_x509_ext.py')
| -rw-r--r-- | tests/test_x509_ext.py | 275 |
1 files changed, 173 insertions, 102 deletions
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index c3243972..b707156a 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -13,7 +13,7 @@ import pytest import six -from cryptography import x509 +from cryptography import utils, x509 from cryptography.hazmat.backends.interfaces import ( DSABackend, EllipticCurveBackend, RSABackend, X509Backend ) @@ -152,20 +152,20 @@ class TestUnrecognizedExtension(object): class TestCertificateIssuer(object): def test_iter_names(self): ci = x509.CertificateIssuer([ - x509.DNSName(u"cryptography.io"), - x509.DNSName(u"crypto.local"), + x509.DNSName(b"cryptography.io"), + x509.DNSName(b"crypto.local"), ]) assert len(ci) == 2 assert list(ci) == [ - x509.DNSName(u"cryptography.io"), - x509.DNSName(u"crypto.local"), + x509.DNSName(b"cryptography.io"), + x509.DNSName(b"crypto.local"), ] def test_indexing(self): ci = x509.CertificateIssuer([ - x509.DNSName(u"cryptography.io"), - x509.DNSName(u"crypto.local"), - x509.DNSName(u"another.local"), + x509.DNSName(b"cryptography.io"), + x509.DNSName(b"crypto.local"), + x509.DNSName(b"another.local"), x509.RFC822Name(u"email@another.local"), x509.UniformResourceIdentifier(u"http://another.local"), ]) @@ -173,26 +173,32 @@ class TestCertificateIssuer(object): assert ci[2:6:2] == [ci[2], ci[4]] def test_eq(self): - ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")]) - ci2 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")]) + ci1 = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")]) + ci2 = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")]) assert ci1 == ci2 def test_ne(self): - ci1 = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")]) - ci2 = x509.CertificateIssuer([x509.DNSName(u"somethingelse.tld")]) + ci1 = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")]) + ci2 = x509.CertificateIssuer([x509.DNSName(b"somethingelse.tld")]) assert ci1 != ci2 assert ci1 != object() def test_repr(self): - ci = x509.CertificateIssuer([x509.DNSName(u"cryptography.io")]) - assert repr(ci) == ( - "<CertificateIssuer(<GeneralNames([<DNSName(value=cryptography.io" - ")>])>)>" - ) + ci = x509.CertificateIssuer([x509.DNSName(b"cryptography.io")]) + if six.PY3: + assert repr(ci) == ( + "<CertificateIssuer(<GeneralNames([<DNSName(bytes_value=" + "b'cryptography.io')>])>)>" + ) + else: + assert repr(ci) == ( + "<CertificateIssuer(<GeneralNames([<DNSName(bytes_value=" + "'cryptography.io')>])>)>" + ) def test_get_values_for_type(self): ci = x509.CertificateIssuer( - [x509.DNSName(u"cryptography.io")] + [x509.DNSName(b"cryptography.io")] ) names = ci.get_values_for_type(x509.DNSName) assert names == [u"cryptography.io"] @@ -891,7 +897,7 @@ class TestAuthorityKeyIdentifier(object): assert aki.authority_cert_serial_number is None def test_authority_cert_serial_zero(self): - dns = x509.DNSName(u"SomeIssuer") + dns = x509.DNSName(b"SomeIssuer") aki = x509.AuthorityKeyIdentifier(b"id", [dns], 0) assert aki.key_identifier == b"id" assert aki.authority_cert_issuer == [dns] @@ -1434,7 +1440,6 @@ class TestKeyUsageExtension(object): @pytest.mark.parametrize( "name", [ x509.RFC822Name, - x509.DNSName, x509.UniformResourceIdentifier ] ) @@ -1462,6 +1467,32 @@ class TestTextGeneralNames(object): assert gn != object() +class TestDNSName(object): + def test_init(self): + with pytest.warns(utils.DeprecatedIn21): + name = x509.DNSName(u"*.\xf5\xe4\xf6\xfc.example.com") + assert name.bytes_value == b"*.xn--4ca7aey.example.com" + + with pytest.warns(utils.DeprecatedIn21): + name = x509.DNSName(u".\xf5\xe4\xf6\xfc.example.com") + assert name.bytes_value == b".xn--4ca7aey.example.com" + assert name.value == u".\xf5\xe4\xf6\xfc.example.com" + + with pytest.warns(utils.DeprecatedIn21): + name = x509.DNSName(u"\xf5\xe4\xf6\xfc.example.com") + assert name.bytes_value == b"xn--4ca7aey.example.com" + + with pytest.raises(TypeError): + x509.DNSName(1.3) + + def test_ne(self): + n1 = x509.DNSName(b"test1") + n2 = x509.DNSName(b"test2") + n3 = x509.DNSName(b"test2") + assert n1 != n2 + assert not (n2 != n3) + + class TestDirectoryName(object): def test_not_name(self): with pytest.raises(TypeError): @@ -1686,35 +1717,35 @@ class TestOtherName(object): class TestGeneralNames(object): def test_get_values_for_type(self): gns = x509.GeneralNames( - [x509.DNSName(u"cryptography.io")] + [x509.DNSName(b"cryptography.io")] ) names = gns.get_values_for_type(x509.DNSName) assert names == [u"cryptography.io"] def test_iter_names(self): gns = x509.GeneralNames([ - x509.DNSName(u"cryptography.io"), - x509.DNSName(u"crypto.local"), + x509.DNSName(b"cryptography.io"), + x509.DNSName(b"crypto.local"), ]) assert len(gns) == 2 assert list(gns) == [ - x509.DNSName(u"cryptography.io"), - x509.DNSName(u"crypto.local"), + x509.DNSName(b"cryptography.io"), + x509.DNSName(b"crypto.local"), ] def test_iter_input(self): names = [ - x509.DNSName(u"cryptography.io"), - x509.DNSName(u"crypto.local"), + x509.DNSName(b"cryptography.io"), + x509.DNSName(b"crypto.local"), ] gns = x509.GeneralNames(iter(names)) assert list(gns) == names def test_indexing(self): gn = x509.GeneralNames([ - x509.DNSName(u"cryptography.io"), - x509.DNSName(u"crypto.local"), - x509.DNSName(u"another.local"), + x509.DNSName(b"cryptography.io"), + x509.DNSName(b"crypto.local"), + x509.DNSName(b"another.local"), x509.RFC822Name(u"email@another.local"), x509.UniformResourceIdentifier(u"http://another.local"), ]) @@ -1724,31 +1755,36 @@ class TestGeneralNames(object): def test_invalid_general_names(self): with pytest.raises(TypeError): x509.GeneralNames( - [x509.DNSName(u"cryptography.io"), "invalid"] + [x509.DNSName(b"cryptography.io"), "invalid"] ) def test_repr(self): gns = x509.GeneralNames( [ - x509.DNSName(u"cryptography.io") + x509.DNSName(b"cryptography.io") ] ) - assert repr(gns) == ( - "<GeneralNames([<DNSName(value=cryptography.io)>])>" - ) + if six.PY3: + assert repr(gns) == ( + "<GeneralNames([<DNSName(bytes_value=b'cryptography.io')>])>" + ) + else: + assert repr(gns) == ( + "<GeneralNames([<DNSName(bytes_value='cryptography.io')>])>" + ) def test_eq(self): gns = x509.GeneralNames( - [x509.DNSName(u"cryptography.io")] + [x509.DNSName(b"cryptography.io")] ) gns2 = x509.GeneralNames( - [x509.DNSName(u"cryptography.io")] + [x509.DNSName(b"cryptography.io")] ) assert gns == gns2 def test_ne(self): gns = x509.GeneralNames( - [x509.DNSName(u"cryptography.io")] + [x509.DNSName(b"cryptography.io")] ) gns2 = x509.GeneralNames( [x509.RFC822Name(u"admin@cryptography.io")] @@ -1760,27 +1796,27 @@ class TestGeneralNames(object): class TestIssuerAlternativeName(object): def test_get_values_for_type(self): san = x509.IssuerAlternativeName( - [x509.DNSName(u"cryptography.io")] + [x509.DNSName(b"cryptography.io")] ) names = san.get_values_for_type(x509.DNSName) assert names == [u"cryptography.io"] def test_iter_names(self): san = x509.IssuerAlternativeName([ - x509.DNSName(u"cryptography.io"), - x509.DNSName(u"crypto.local"), + x509.DNSName(b"cryptography.io"), + x509.DNSName(b"crypto.local"), ]) assert len(san) == 2 assert list(san) == [ - x509.DNSName(u"cryptography.io"), - x509.DNSName(u"crypto.local"), + x509.DNSName(b"cryptography.io"), + x509.DNSName(b"crypto.local"), ] def test_indexing(self): ian = x509.IssuerAlternativeName([ - x509.DNSName(u"cryptography.io"), - x509.DNSName(u"crypto.local"), - x509.DNSName(u"another.local"), + x509.DNSName(b"cryptography.io"), + x509.DNSName(b"crypto.local"), + x509.DNSName(b"another.local"), x509.RFC822Name(u"email@another.local"), x509.UniformResourceIdentifier(u"http://another.local"), ]) @@ -1790,32 +1826,38 @@ class TestIssuerAlternativeName(object): def test_invalid_general_names(self): with pytest.raises(TypeError): x509.IssuerAlternativeName( - [x509.DNSName(u"cryptography.io"), "invalid"] + [x509.DNSName(b"cryptography.io"), "invalid"] ) def test_repr(self): san = x509.IssuerAlternativeName( [ - x509.DNSName(u"cryptography.io") + x509.DNSName(b"cryptography.io") ] ) - assert repr(san) == ( - "<IssuerAlternativeName(" - "<GeneralNames([<DNSName(value=cryptography.io)>])>)>" - ) + if six.PY3: + assert repr(san) == ( + "<IssuerAlternativeName(" + "<GeneralNames([<DNSName(bytes_value=b'cryptography.io')>])>)>" + ) + else: + assert repr(san) == ( + "<IssuerAlternativeName(" + "<GeneralNames([<DNSName(bytes_value='cryptography.io')>])>)>" + ) def test_eq(self): san = x509.IssuerAlternativeName( - [x509.DNSName(u"cryptography.io")] + [x509.DNSName(b"cryptography.io")] ) san2 = x509.IssuerAlternativeName( - [x509.DNSName(u"cryptography.io")] + [x509.DNSName(b"cryptography.io")] ) assert san == san2 def test_ne(self): san = x509.IssuerAlternativeName( - [x509.DNSName(u"cryptography.io")] + [x509.DNSName(b"cryptography.io")] ) san2 = x509.IssuerAlternativeName( [x509.RFC822Name(u"admin@cryptography.io")] @@ -1870,27 +1912,27 @@ class TestCRLNumber(object): class TestSubjectAlternativeName(object): def test_get_values_for_type(self): san = x509.SubjectAlternativeName( - [x509.DNSName(u"cryptography.io")] + [x509.DNSName(b"cryptography.io")] ) names = san.get_values_for_type(x509.DNSName) assert names == [u"cryptography.io"] def test_iter_names(self): san = x509.SubjectAlternativeName([ - x509.DNSName(u"cryptography.io"), - x509.DNSName(u"crypto.local"), + x509.DNSName(b"cryptography.io"), + x509.DNSName(b"crypto.local"), ]) assert len(san) == 2 assert list(san) == [ - x509.DNSName(u"cryptography.io"), - x509.DNSName(u"crypto.local"), + x509.DNSName(b"cryptography.io"), + x509.DNSName(b"crypto.local"), ] def test_indexing(self): san = x509.SubjectAlternativeName([ - x509.DNSName(u"cryptography.io"), - x509.DNSName(u"crypto.local"), - x509.DNSName(u"another.local"), + x509.DNSName(b"cryptography.io"), + x509.DNSName(b"crypto.local"), + x509.DNSName(b"another.local"), x509.RFC822Name(u"email@another.local"), x509.UniformResourceIdentifier(u"http://another.local"), ]) @@ -1900,32 +1942,38 @@ class TestSubjectAlternativeName(object): def test_invalid_general_names(self): with pytest.raises(TypeError): x509.SubjectAlternativeName( - [x509.DNSName(u"cryptography.io"), "invalid"] + [x509.DNSName(b"cryptography.io"), "invalid"] ) def test_repr(self): san = x509.SubjectAlternativeName( [ - x509.DNSName(u"cryptography.io") + x509.DNSName(b"cryptography.io") ] ) - assert repr(san) == ( - "<SubjectAlternativeName(" - "<GeneralNames([<DNSName(value=cryptography.io)>])>)>" - ) + if six.PY3: + assert repr(san) == ( + "<SubjectAlternativeName(" + "<GeneralNames([<DNSName(bytes_value=b'cryptography.io')>])>)>" + ) + else: + assert repr(san) == ( + "<SubjectAlternativeName(" + "<GeneralNames([<DNSName(bytes_value='cryptography.io')>])>)>" + ) def test_eq(self): san = x509.SubjectAlternativeName( - [x509.DNSName(u"cryptography.io")] + [x509.DNSName(b"cryptography.io")] ) san2 = x509.SubjectAlternativeName( - [x509.DNSName(u"cryptography.io")] + [x509.DNSName(b"cryptography.io")] ) assert san == san2 def test_ne(self): san = x509.SubjectAlternativeName( - [x509.DNSName(u"cryptography.io")] + [x509.DNSName(b"cryptography.io")] ) san2 = x509.SubjectAlternativeName( [x509.RFC822Name(u"admin@cryptography.io")] @@ -2124,8 +2172,15 @@ class TestRSASubjectAlternativeNameExtension(object): x509.load_pem_x509_certificate, backend ) + san = cert.extensions.get_extension_for_class( + x509.SubjectAlternativeName + ).value + + assert len(san) == 1 + [name] = san + assert name.bytes_value == b"xn--k4h.ws" with pytest.raises(UnicodeError): - cert.extensions + name.value def test_unicode_rfc822_name_dns_name_uri(self, backend): cert = _load_cert( @@ -2220,16 +2275,20 @@ class TestRSASubjectAlternativeNameExtension(object): assert othernames == [expected] def test_certbuilder(self, backend): - sans = [u'*.example.org', u'*.\xf5\xe4\xf6\xfc.example.com', - u'foobar.example.net'] + sans = [b'*.example.org', b'*.xn--4ca7aey.example.com', + b'foobar.example.net'] private_key = RSA_KEY_2048.private_key(backend) builder = _make_certbuilder(private_key) builder = builder.add_extension( SubjectAlternativeName(list(map(DNSName, sans))), True) cert = builder.sign(private_key, hashes.SHA1(), backend) - result = [x.value for x in cert.extensions.get_extension_for_class( - SubjectAlternativeName).value] + result = [ + x.bytes_value + for x in cert.extensions.get_extension_for_class( + SubjectAlternativeName + ).value + ] assert result == sans @@ -2265,7 +2324,7 @@ class TestExtendedKeyUsageExtension(object): class TestAccessDescription(object): def test_invalid_access_method(self): with pytest.raises(TypeError): - x509.AccessDescription("notanoid", x509.DNSName(u"test")) + x509.AccessDescription("notanoid", x509.DNSName(b"test")) def test_invalid_access_location(self): with pytest.raises(TypeError): @@ -2799,7 +2858,7 @@ class TestNameConstraints(object): x509.NameConstraints(None, None) def test_permitted_none(self): - excluded = [x509.DNSName(u"name.local")] + excluded = [x509.DNSName(b"name.local")] nc = x509.NameConstraints( permitted_subtrees=None, excluded_subtrees=excluded ) @@ -2807,7 +2866,7 @@ class TestNameConstraints(object): assert nc.excluded_subtrees is not None def test_excluded_none(self): - permitted = [x509.DNSName(u"name.local")] + permitted = [x509.DNSName(b"name.local")] nc = x509.NameConstraints( permitted_subtrees=permitted, excluded_subtrees=None ) @@ -2821,39 +2880,47 @@ class TestNameConstraints(object): assert list(nc.excluded_subtrees) == subtrees def test_repr(self): - permitted = [x509.DNSName(u"name.local"), x509.DNSName(u"name2.local")] + permitted = [x509.DNSName(b"name.local"), x509.DNSName(b"name2.local")] nc = x509.NameConstraints( permitted_subtrees=permitted, excluded_subtrees=None ) - assert repr(nc) == ( - "<NameConstraints(permitted_subtrees=[<DNSName(value=name.local)>" - ", <DNSName(value=name2.local)>], excluded_subtrees=None)>" - ) + if six.PY3: + assert repr(nc) == ( + "<NameConstraints(permitted_subtrees=[<DNSName(" + "bytes_value=b'name.local')>, <DNSName(bytes_value=" + "b'name2.local')>], excluded_subtrees=None)>" + ) + else: + assert repr(nc) == ( + "<NameConstraints(permitted_subtrees=[<DNSName(" + "bytes_value='name.local')>, <DNSName(bytes_value=" + "'name2.local')>], excluded_subtrees=None)>" + ) def test_eq(self): nc = x509.NameConstraints( - permitted_subtrees=[x509.DNSName(u"name.local")], - excluded_subtrees=[x509.DNSName(u"name2.local")] + permitted_subtrees=[x509.DNSName(b"name.local")], + excluded_subtrees=[x509.DNSName(b"name2.local")] ) nc2 = x509.NameConstraints( - permitted_subtrees=[x509.DNSName(u"name.local")], - excluded_subtrees=[x509.DNSName(u"name2.local")] + permitted_subtrees=[x509.DNSName(b"name.local")], + excluded_subtrees=[x509.DNSName(b"name2.local")] ) assert nc == nc2 def test_ne(self): nc = x509.NameConstraints( - permitted_subtrees=[x509.DNSName(u"name.local")], - excluded_subtrees=[x509.DNSName(u"name2.local")] + permitted_subtrees=[x509.DNSName(b"name.local")], + excluded_subtrees=[x509.DNSName(b"name2.local")] ) nc2 = x509.NameConstraints( - permitted_subtrees=[x509.DNSName(u"name.local")], + permitted_subtrees=[x509.DNSName(b"name.local")], excluded_subtrees=None ) nc3 = x509.NameConstraints( permitted_subtrees=None, - excluded_subtrees=[x509.DNSName(u"name2.local")] + excluded_subtrees=[x509.DNSName(b"name2.local")] ) assert nc != nc2 @@ -2877,7 +2944,7 @@ class TestNameConstraintsExtension(object): ).value assert nc == x509.NameConstraints( permitted_subtrees=[ - x509.DNSName(u"zombo.local"), + x509.DNSName(b"zombo.local"), ], excluded_subtrees=[ x509.DirectoryName(x509.Name([ @@ -2899,7 +2966,7 @@ class TestNameConstraintsExtension(object): ).value assert nc == x509.NameConstraints( permitted_subtrees=[ - x509.DNSName(u"zombo.local"), + x509.DNSName(b"zombo.local"), ], excluded_subtrees=None ) @@ -2917,7 +2984,7 @@ class TestNameConstraintsExtension(object): ).value assert nc == x509.NameConstraints( permitted_subtrees=[ - x509.DNSName(u".cryptography.io"), + x509.DNSName(b".cryptography.io"), x509.UniformResourceIdentifier(u"ftp://cryptography.test") ], excluded_subtrees=None @@ -2937,7 +3004,7 @@ class TestNameConstraintsExtension(object): assert nc == x509.NameConstraints( permitted_subtrees=None, excluded_subtrees=[ - x509.DNSName(u".cryptography.io"), + x509.DNSName(b".cryptography.io"), x509.UniformResourceIdentifier(u"gopher://cryptography.test") ] ) @@ -2959,7 +3026,7 @@ class TestNameConstraintsExtension(object): x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/96")), ], excluded_subtrees=[ - x509.DNSName(u".domain.com"), + x509.DNSName(b".domain.com"), x509.UniformResourceIdentifier(u"http://test.local"), ] ) @@ -2997,8 +3064,8 @@ class TestNameConstraintsExtension(object): ) def test_certbuilder(self, backend): - permitted = [u'.example.org', u'.\xf5\xe4\xf6\xfc.example.com', - u'foobar.example.net'] + permitted = [b'.example.org', b'.xn--4ca7aey.example.com', + b'foobar.example.net'] private_key = RSA_KEY_2048.private_key(backend) builder = _make_certbuilder(private_key) builder = builder.add_extension( @@ -3006,8 +3073,12 @@ class TestNameConstraintsExtension(object): excluded_subtrees=[]), True) cert = builder.sign(private_key, hashes.SHA1(), backend) - result = [x.value for x in cert.extensions.get_extension_for_class( - NameConstraints).value.permitted_subtrees] + result = [ + x.bytes_value + for x in cert.extensions.get_extension_for_class( + NameConstraints + ).value.permitted_subtrees + ] assert result == permitted |