Diffstat (limited to 'tests/test_x509_ext.py')
-rw-r--r--tests/test_x509_ext.py329
1 files changed, 327 insertions, 2 deletions
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index c2d33d92..bce6781f 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -5,6 +5,7 @@
from __future__ import absolute_import, division, print_function
import binascii
+import ipaddress
import os
import pytest
@@ -149,8 +150,8 @@ class TestKeyUsage(object):
assert repr(ku) == (
"<KeyUsage(digital_signature=True, content_commitment=True, key_en"
"cipherment=False, data_encipherment=False, key_agreement=False, k"
- "ey_cert_sign=True, crl_sign=False, encipher_only=N/A, decipher_on"
- "ly=N/A)>"
+ "ey_cert_sign=True, crl_sign=False, encipher_only=None, decipher_o"
+ "nly=None)>"
)
def test_repr_key_agreement_true(self):
@@ -219,6 +220,57 @@ class TestSubjectKeyIdentifier(object):
assert ski != object()
+class TestAuthorityKeyIdentifier(object):
+ def test_authority_cert_issuer_not_name(self):
+ with pytest.raises(TypeError):
+ x509.AuthorityKeyIdentifier(b"identifier", "notname", 3)
+
+ def test_authority_cert_serial_number_not_integer(self):
+ name = x509.Name([
+ x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1'),
+ x509.NameAttribute(x509.ObjectIdentifier('oid2'), 'value2'),
+ ])
+ with pytest.raises(TypeError):
+ x509.AuthorityKeyIdentifier(b"identifier", name, "notanint")
+
+ def test_authority_issuer_none_serial_not_none(self):
+ with pytest.raises(ValueError):
+ x509.AuthorityKeyIdentifier(b"identifier", None, 3)
+
+ def test_authority_issuer_not_none_serial_none(self):
+ name = x509.Name([
+ x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1'),
+ x509.NameAttribute(x509.ObjectIdentifier('oid2'), 'value2'),
+ ])
+ with pytest.raises(ValueError):
+ x509.AuthorityKeyIdentifier(b"identifier", name, None)
+
+ def test_authority_cert_serial_and_issuer_none(self):
+ aki = x509.AuthorityKeyIdentifier(b"id", None, None)
+ assert aki.key_identifier == b"id"
+ assert aki.authority_cert_issuer is None
+ assert aki.authority_cert_serial_number is None
+
+ def test_repr(self):
+ name = x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'myCN')])
+ aki = x509.AuthorityKeyIdentifier(b"digest", name, 1234)
+
+ if six.PY3:
+ assert repr(aki) == (
+ "<AuthorityKeyIdentifier(key_identifier=b'digest', authority_"
+ "cert_issuer=<Name([<NameAttribute(oid=<ObjectIdentifier(oid="
+ "2.5.4.3, name=commonName)>, value='myCN')>])>, authority_cer"
+ "t_serial_number=1234)>"
+ )
+ else:
+ assert repr(aki) == (
+ "<AuthorityKeyIdentifier(key_identifier='digest', authority_ce"
+ "rt_issuer=<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5"
+ ".4.3, name=commonName)>, value='myCN')>])>, authority_cert_se"
+ "rial_number=1234)>"
+ )
+
+
class TestBasicConstraints(object):
def test_ca_not_boolean(self):
with pytest.raises(TypeError):
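Review bot: The name fixtures in test_authority_cert_serial_number_not_integer and test_authority_issuer_not_none_serial_none are built from `x509.ObjectIdentifier('oid')` and `x509.ObjectIdentifier('oid2')`, which are not dotted-decimal OIDs, and they are constructed outside the `pytest.raises` block. If ObjectIdentifier ever validates its argument, these tests would error during setup instead of exercising the AuthorityKeyIdentifier type and pairing checks they are named for. A real constant, as test_repr already uses, keeps the fixtures well-formed: `x509.NameAttribute(x509.OID_COMMON_NAME, 'value1')`. The same placeholder OID appears in TestDirectoryName.test_eq and test_ne in the last hunk.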
@@ -463,3 +515,276 @@ class TestSubjectKeyIdentifierExtension(object):
cert.extensions.get_extension_for_oid(
x509.OID_SUBJECT_KEY_IDENTIFIER
)
+
+
+@pytest.mark.requires_backend_interface(interface=RSABackend)
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestKeyUsageExtension(object):
+ def test_no_key_usage(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "verisign_md2_root.pem"),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ ext = cert.extensions
+ with pytest.raises(x509.ExtensionNotFound) as exc:
+ ext.get_extension_for_oid(x509.OID_KEY_USAGE)
+
+ assert exc.value.oid == x509.OID_KEY_USAGE
+
+ def test_all_purposes(self, backend):
+ cert = _load_cert(
+ os.path.join(
+ "x509", "custom", "all_key_usages.pem"
+ ),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ extensions = cert.extensions
+ ext = extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
+ assert ext is not None
+
+ ku = ext.value
+ assert ku.digital_signature is True
+ assert ku.content_commitment is True
+ assert ku.key_encipherment is True
+ assert ku.data_encipherment is True
+ assert ku.key_agreement is True
+ assert ku.key_cert_sign is True
+ assert ku.crl_sign is True
+ assert ku.encipher_only is True
+ assert ku.decipher_only is True
+
+ def test_key_cert_sign_crl_sign(self, backend):
+ cert = _load_cert(
+ os.path.join(
+ "x509", "PKITS_data", "certs", "pathLenConstraint6CACert.crt"
+ ),
+ x509.load_der_x509_certificate,
+ backend
+ )
+ ext = cert.extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
+ assert ext is not None
+ assert ext.critical is True
+
+ ku = ext.value
+ assert ku.digital_signature is False
+ assert ku.content_commitment is False
+ assert ku.key_encipherment is False
+ assert ku.data_encipherment is False
+ assert ku.key_agreement is False
+ assert ku.key_cert_sign is True
+ assert ku.crl_sign is True
+
+
+@pytest.mark.parametrize(
+ "name", [
+ x509.RFC822Name,
+ x509.DNSName,
+ x509.UniformResourceIdentifier
+ ]
+)
+class TestTextGeneralNames(object):
+ def test_not_text(self, name):
+ with pytest.raises(TypeError):
+ name(b"notaunicodestring")
+
+ with pytest.raises(TypeError):
+ name(1.3)
+
+ def test_repr(self, name):
+ gn = name(six.u("string"))
+ assert repr(gn) == "<{0}(value=string)>".format(name.__name__)
+
+ def test_eq(self, name):
+ gn = name(six.u("string"))
+ gn2 = name(six.u("string"))
+ assert gn == gn2
+
+ def test_ne(self, name):
+ gn = name(six.u("string"))
+ gn2 = name(six.u("string2"))
+ assert gn != gn2
+ assert gn != object()
+
+
+class TestDirectoryName(object):
+ def test_not_name(self):
+ with pytest.raises(TypeError):
+ x509.DirectoryName(b"notaname")
+
+ with pytest.raises(TypeError):
+ x509.DirectoryName(1.3)
+
+ def test_repr(self):
+ name = x509.Name([x509.NameAttribute(x509.OID_COMMON_NAME, 'value1')])
+ gn = x509.DirectoryName(x509.Name([name]))
+ assert repr(gn) == (
+ "<DirectoryName(value=<Name([<Name([<NameAttribute(oid=<ObjectIden"
+ "tifier(oid=2.5.4.3, name=commonName)>, value='value1')>])>])>)>"
+ )
+
+ def test_eq(self):
+ name = x509.Name([
+ x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1')
+ ])
+ name2 = x509.Name([
+ x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1')
+ ])
+ gn = x509.DirectoryName(x509.Name([name]))
+ gn2 = x509.DirectoryName(x509.Name([name2]))
+ assert gn == gn2
+
+ def test_ne(self):
+ name = x509.Name([
+ x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value1')
+ ])
+ name2 = x509.Name([
+ x509.NameAttribute(x509.ObjectIdentifier('oid'), 'value2')
+ ])
+ gn = x509.DirectoryName(x509.Name([name]))
+ gn2 = x509.DirectoryName(x509.Name([name2]))
+ assert gn != gn2
+ assert gn != object()
+
+
+class TestRegisteredID(object):
+ def test_not_oid(self):
+ with pytest.raises(TypeError):
+ x509.RegisteredID(b"notanoid")
+
+ with pytest.raises(TypeError):
+ x509.RegisteredID(1.3)
+
+ def test_repr(self):
+ gn = x509.RegisteredID(x509.OID_COMMON_NAME)
+ assert repr(gn) == (
+ "<RegisteredID(value=<ObjectIdentifier(oid=2.5.4.3, name=commonNam"
+ "e)>)>"
+ )
+
+ def test_eq(self):
+ gn = x509.RegisteredID(x509.OID_COMMON_NAME)
+ gn2 = x509.RegisteredID(x509.OID_COMMON_NAME)
+ assert gn == gn2
+
+ def test_ne(self):
+ gn = x509.RegisteredID(x509.OID_COMMON_NAME)
+ gn2 = x509.RegisteredID(x509.OID_BASIC_CONSTRAINTS)
+ assert gn != gn2
+ assert gn != object()
+
+
+class TestIPAddress(object):
+ def test_not_ipaddress(self):
+ with pytest.raises(TypeError):
+ x509.IPAddress(b"notanipaddress")
+
+ with pytest.raises(TypeError):
+ x509.IPAddress(1.3)
+
+ def test_repr(self):
+ gn = x509.IPAddress(ipaddress.IPv4Address(six.u("127.0.0.1")))
+ assert repr(gn) == "<IPAddress(value=127.0.0.1)>"
+
+ gn2 = x509.IPAddress(ipaddress.IPv6Address(six.u("ff::")))
+ assert repr(gn2) == "<IPAddress(value=ff::)>"
+
+ def test_eq(self):
+ gn = x509.IPAddress(ipaddress.IPv4Address(six.u("127.0.0.1")))
+ gn2 = x509.IPAddress(ipaddress.IPv4Address(six.u("127.0.0.1")))
+ assert gn == gn2
+
+ def test_ne(self):
+ gn = x509.IPAddress(ipaddress.IPv4Address(six.u("127.0.0.1")))
+ gn2 = x509.IPAddress(ipaddress.IPv4Address(six.u("127.0.0.2")))
+ assert gn != gn2
+ assert gn != object()
+
+
+class TestSubjectAlternativeName(object):
+ def test_get_values_for_type(self):
+ san = x509.SubjectAlternativeName(
+ [x509.DNSName(six.u("cryptography.io"))]
+ )
+ names = san.get_values_for_type(x509.DNSName)
+ assert names == [six.u("cryptography.io")]
+
+ def test_iter_names(self):
+ san = x509.SubjectAlternativeName([
+ x509.DNSName(six.u("cryptography.io")),
+ x509.DNSName(six.u("crypto.local")),
+ ])
+ assert len(san) == 2
+ assert list(san) == [
+ x509.DNSName(six.u("cryptography.io")),
+ x509.DNSName(six.u("crypto.local")),
+ ]
+
+ def test_invalid_general_names(self):
+ with pytest.raises(TypeError):
+ x509.SubjectAlternativeName(
+ [x509.DNSName(six.u("cryptography.io")), "invalid"]
+ )
+
+ def test_repr(self):
+ san = x509.SubjectAlternativeName(
+ [
+ x509.DNSName(six.u("cryptography.io"))
+ ]
+ )
+ assert repr(san) == (
+ "<SubjectAlternativeName([<DNSName(value=cryptography.io)>])>"
+ )
+
+
+@pytest.mark.requires_backend_interface(interface=RSABackend)
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestRSASubjectAlternativeNameExtension(object):
+ def test_dns_name(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "cryptography.io.pem"),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ ext = cert.extensions.get_extension_for_oid(
+ x509.OID_SUBJECT_ALTERNATIVE_NAME
+ )
+ assert ext is not None
+ assert ext.critical is False
+
+ san = ext.value
+
+ dns = san.get_values_for_type(x509.DNSName)
+ assert dns == [u"www.cryptography.io", u"cryptography.io"]
+
+ def test_unsupported_other_name(self, backend):
+ cert = _load_cert(
+ os.path.join(
+ "x509", "custom", "san_other_name.pem"
+ ),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ with pytest.raises(x509.UnsupportedGeneralNameType) as exc:
+ cert.extensions
+
+ assert exc.value.type == 0
+
+ def test_registered_id(self, backend):
+ cert = _load_cert(
+ os.path.join(
+ "x509", "custom", "san_registered_id.pem"
+ ),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ ext = cert.extensions.get_extension_for_oid(
+ x509.OID_SUBJECT_ALTERNATIVE_NAME
+ )
+ assert ext is not None
+ assert ext.critical is False
+
+ san = ext.value
+ rid = san.get_values_for_type(x509.RegisteredID)
+ assert rid == [x509.ObjectIdentifier("1.2.3.4")]
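Review bot: TestDirectoryName wraps an already-built Name in a second Name, `x509.DirectoryName(x509.Name([name]))`, in test_repr, test_eq and test_ne, so the value under test is a Name whose only element is another Name rather than a NameAttribute. The expected repr (`<Name([<Name([<NameAttribute(...`) then pins that malformed shape, which looks unintended and would break if Name starts type-checking its elements. Pass the Name directly, `gn = x509.DirectoryName(name)`, and reduce the expected repr to a single `<Name([...])>` level. As written, these tests also give no coverage of a DirectoryName holding a well-formed directory name, which is the case certificate consumers actually compare.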