author | Paul Kehrer <paul.l.kehrer@gmail.com> | 2017-09-24 08:44:12 +0800 |
---|---|---|
committer | Alex Gaynor <alex.gaynor@gmail.com> | 2017-09-23 20:44:12 -0400 |
commit | b76bcf88bd272dcde26858c936a743a229aefd5a (patch) | |
tree | 3a6504ab0be963aceb49e95c1acb0f09ec3de84d /tests | |
parent | 5e3cc98473ad54db390736ac81bb74210e85056d (diff) | |
FreshestCRL extension support (#3937)
* add freshest CRL support
* add tests
* add changelog
* add tests for FreshestCRL generation
Diffstat (limited to 'tests')
-rw-r--r-- | tests/x509/test_x509.py | 32 | ||||
-rw-r--r-- | tests/x509/test_x509_ext.py | 227 |
2 files changed, 259 insertions, 0 deletions
diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
index d0ce46d8..06aef666 100644
--- a/tests/x509/test_x509.py
+++ b/tests/x509/test_x509.py
@@ -2406,6 +2406,38 @@ class TestCertificateBuilder(object):
 crl_issuer=None
 )
 ]),
+ x509.FreshestCRL([
+ x509.DistributionPoint(
+ full_name=[x509.UniformResourceIdentifier(
+ u"http://domain.com/some.crl"
+ )],
+ relative_name=None,
+ reasons=frozenset([
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ x509.ReasonFlags.affiliation_changed,
+ x509.ReasonFlags.superseded,
+ x509.ReasonFlags.privilege_withdrawn,
+ x509.ReasonFlags.cessation_of_operation,
+ x509.ReasonFlags.aa_compromise,
+ x509.ReasonFlags.certificate_hold,
+ ]),
+ crl_issuer=None
+ )
+ ]),
+ x509.FreshestCRL([
+ x509.DistributionPoint(
+ full_name=None,
+ relative_name=x509.RelativeDistinguishedName([
+ x509.NameAttribute(
+ NameOID.COMMON_NAME,
+ u"indirect CRL for indirectCRL CA3"
+ ),
+ ]),
+ reasons=None,
+ crl_issuer=None,
+ )
+ ]),
 ]
 )
 def test_ext(self, add_ext, backend):
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
index 9f0b1b0b..11e06eaf 100644
--- a/tests/x509/test_x509_ext.py
+++ b/tests/x509/test_x509_ext.py
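Review bot: Neither FreshestCRL case added to the test_ext parametrize list in tests/x509/test_x509.py sets `crl_issuer`; both pass `crl_issuer=None`, even though the second one is named after an indirect CRL. That leaves the builder encoding of a delta-CRL pointer with an explicit CRL issuer unexercised in these additions, and that field is what tells a relying party which entity is expected to have signed the delta CRL. A third case combining `full_name` with a `crl_issuer` DirectoryName would close the gap. The parametrize list and the body of test_ext start and end outside the hunk, so whether another case already covers this for FreshestCRL cannot be seen from here.

```python
# … unchanged: the two FreshestCRL cases added by this commit …
x509.FreshestCRL([
    x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(
            u"http://domain.com/some.crl"
        )],
        relative_name=None,
        reasons=None,
        crl_issuer=[x509.DirectoryName(
            x509.Name([
                x509.NameAttribute(
                    NameOID.COMMON_NAME, u"cryptography CA"
                ),
            ])
        )],
    )
]),
```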
@@ -3700,6 +3700,193 @@ class TestDistributionPoint(object):
 assert hash(dp) != hash(dp3)
+class TestFreshestCRL(object):
+ def test_invalid_distribution_points(self):
+ with pytest.raises(TypeError):
+ x509.FreshestCRL(["notadistributionpoint"])
+
+ def test_iter_len(self):
+ fcrl = x509.FreshestCRL([
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(b"http://domain")],
+ None, None, None
+ ),
+ ])
+ assert len(fcrl) == 1
+ assert list(fcrl) == [
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(b"http://domain")],
+ None, None, None
+ ),
+ ]
+
+ def test_iter_input(self):
+ points = [
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(b"http://domain")],
+ None, None, None
+ ),
+ ]
+ fcrl = x509.FreshestCRL(iter(points))
+ assert list(fcrl) == points
+
+ def test_repr(self):
+ fcrl = x509.FreshestCRL([
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(b"ftp://domain")],
+ None,
+ frozenset([x509.ReasonFlags.key_compromise]),
+ None
+ ),
+ ])
+ if six.PY3:
+ assert repr(fcrl) == (
+ "<FreshestCRL([<DistributionPoint(full_name=[<Unifo"
+ "rmResourceIdentifier(bytes_value=b'ftp://domain')>], relative"
+ "_name=None, reasons=frozenset({<ReasonFlags.key_compromise: "
+ "'keyCompromise'>}), crl_issuer=None)>])>"
+ )
+ else:
+ assert repr(fcrl) == (
+ "<FreshestCRL([<DistributionPoint(full_name=[<Unifo"
+ "rmResourceIdentifier(bytes_value='ftp://domain')>], relative"
+ "_name=None, reasons=frozenset([<ReasonFlags.key_compromise: "
+ "'keyCompromise'>]), crl_issuer=None)>])>"
+ )
+
+ def test_eq(self):
+ fcrl = x509.FreshestCRL([
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(b"ftp://domain")],
+ None,
+ frozenset([
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ ]),
+ [x509.UniformResourceIdentifier(b"uri://thing")],
+ ),
+ ])
+ fcrl2 = x509.FreshestCRL([
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(b"ftp://domain")],
+ None,
+ frozenset([
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ ]),
+ [x509.UniformResourceIdentifier(b"uri://thing")],
+ ),
+ ])
+ assert fcrl == fcrl2
+
+ def test_ne(self):
+ fcrl = x509.FreshestCRL([
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(b"ftp://domain")],
+ None,
+ frozenset([
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ ]),
+ [x509.UniformResourceIdentifier(b"uri://thing")],
+ ),
+ ])
+ fcrl2 = x509.FreshestCRL([
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(b"ftp://domain2")],
+ None,
+ frozenset([
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ ]),
+ [x509.UniformResourceIdentifier(b"uri://thing")],
+ ),
+ ])
+ fcrl3 = x509.FreshestCRL([
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(b"ftp://domain")],
+ None,
+ frozenset([x509.ReasonFlags.key_compromise]),
+ [x509.UniformResourceIdentifier(b"uri://thing")],
+ ),
+ ])
+ fcrl4 = x509.FreshestCRL([
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(b"ftp://domain")],
+ None,
+ frozenset([
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ ]),
+ [x509.UniformResourceIdentifier(b"uri://thing2")],
+ ),
+ ])
+ assert fcrl != fcrl2
+ assert fcrl != fcrl3
+ assert fcrl != fcrl4
+ assert fcrl != object()
+
+ def test_hash(self):
+ fcrl = x509.FreshestCRL([
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(b"ftp://domain")],
+ None,
+ frozenset([
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ ]),
+ [x509.UniformResourceIdentifier(b"uri://thing")],
+ ),
+ ])
+ fcrl2 = x509.FreshestCRL([
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(b"ftp://domain")],
+ None,
+ frozenset([
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ ]),
+ [x509.UniformResourceIdentifier(b"uri://thing")],
+ ),
+ ])
+ fcrl3 = x509.FreshestCRL([
+ x509.DistributionPoint(
+ [x509.UniformResourceIdentifier(b"ftp://domain")],
+ None,
+ frozenset([x509.ReasonFlags.key_compromise]),
+ [x509.UniformResourceIdentifier(b"uri://thing")],
+ ),
+ ])
+ assert hash(fcrl) == hash(fcrl2)
+ assert hash(fcrl) != hash(fcrl3)
+
+ def test_indexing(self):
+ fcrl = x509.FreshestCRL([
+ x509.DistributionPoint(
+ None, None, None,
+ [x509.UniformResourceIdentifier(b"uri://thing")],
+ ),
+ x509.DistributionPoint(
+ None, None, None,
+ [x509.UniformResourceIdentifier(b"uri://thing2")],
+ ),
+ x509.DistributionPoint(
+ None, None, None,
+ [x509.UniformResourceIdentifier(b"uri://thing3")],
+ ),
+ x509.DistributionPoint(
+ None, None, None,
+ [x509.UniformResourceIdentifier(b"uri://thing4")],
+ ),
+ x509.DistributionPoint(
+ None, None, None,
+ [x509.UniformResourceIdentifier(b"uri://thing5")],
+ ),
+ ])
+ assert fcrl[-1] == fcrl[4]
+ assert fcrl[2:6:2] == [fcrl[2], fcrl[4]]
+
+
 class TestCRLDistributionPoints(object):
 def test_invalid_distribution_points(self):
 with pytest.raises(TypeError):
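Review bot: test_ne in TestFreshestCRL compares only against other FreshestCRL values and a bare `object()`, never against a `CRLDistributionPoints` built from the same distribution points. Both extensions wrap the same kind of DistributionPoint list, so an `__eq__` that compared only the wrapped list would treat a delta-CRL pointer as equal to a base-CRL pointer and these tests would not notice; the implementation is not part of this diff, so this is a coverage gap rather than a known bug. Adding `assert fcrl != x509.CRLDistributionPoints(list(fcrl))` to test_ne would pin it. The class also appears to mirror the TestCRLDistributionPoints class that follows it, of which only the first lines are visible, so parametrizing the shared tests over both extension classes may be worth considering.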
@@ -4152,6 +4339,46 @@ class TestCRLDistributionPointsExtension(object):
 @pytest.mark.requires_backend_interface(interface=RSABackend)
 @pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestFreshestCRLExtension(object):
+ def test_vector(self, backend):
+ cert = _load_cert(
+ os.path.join(
+ "x509", "custom", "freshestcrl.pem"
+ ),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+
+ fcrl = cert.extensions.get_extension_for_class(x509.FreshestCRL).value
+ assert fcrl == x509.FreshestCRL([
+ x509.DistributionPoint(
+ full_name=[
+ x509.UniformResourceIdentifier(
+ b'http://myhost.com/myca.crl'
+ ),
+ x509.UniformResourceIdentifier(
+ b'http://backup.myhost.com/myca.crl'
+ )
+ ],
+ relative_name=None,
+ reasons=frozenset([
+ x509.ReasonFlags.ca_compromise,
+ x509.ReasonFlags.key_compromise
+ ]),
+ crl_issuer=[x509.DirectoryName(
+ x509.Name([
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(
+ NameOID.COMMON_NAME, u"cryptography CA"
+ ),
+ ])
+ )]
+ )
+ ])
+
+
+@pytest.mark.requires_backend_interface(interface=RSABackend)
+@pytest.mark.requires_backend_interface(interface=X509Backend)
 class TestOCSPNoCheckExtension(object):
 def test_nocheck(self, backend):
 cert = _load_cert( |
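Review bot: test_vector takes `.value` straight off `get_extension_for_class(x509.FreshestCRL)` and so never looks at the parsed extension's `critical` flag. RFC 5280 requires conforming CAs to mark Freshest CRL as non-critical, and a parser that mis-reports the flag changes how a validator treats the certificate. Keeping the extension object would cover this: `ext = cert.extensions.get_extension_for_class(x509.FreshestCRL)`, `assert ext.critical is False`, then compare `ext.value` as before. The expected flag assumes freshestcrl.pem follows the RFC, which the diff does not show.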