def test_add_unsupported_extension(self, backend):
    """Signing a CRL with an extension the builder cannot encode must fail.

    An ``OCSPNoCheck`` extension is attached to an otherwise complete CRL
    builder. The test passes only if ``sign()`` raises
    ``NotImplementedError``, so the unsupported extension is rejected
    rather than silently dropped from the signed CRL.
    """
    signing_key = RSA_KEY_2048.private_key(backend)
    this_update = datetime.datetime(2002, 1, 1, 12, 1)
    following_update = datetime.datetime(2030, 1, 1, 12, 1)
    issuer = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA"),
    ])

    # Each builder call returns a new builder, so rebind after every step.
    crl_builder = x509.CertificateRevocationListBuilder()
    crl_builder = crl_builder.issuer_name(issuer)
    crl_builder = crl_builder.last_update(this_update)
    crl_builder = crl_builder.next_update(following_update)
    # Non-critical extension; the failure is expected at signing time,
    # not when the extension is added.
    crl_builder = crl_builder.add_extension(x509.OCSPNoCheck(), False)

    with pytest.raises(NotImplementedError):
        crl_builder.sign(signing_key, hashes.SHA256(), backend)
def _decode_ocsp_no_check(backend, ext):
    """Return the decoded form of an OCSP No Check extension.

    Neither ``backend`` nor ``ext`` is read; the result is always a fresh
    ``x509.OCSPNoCheck()`` instance. The two parameters are presumably kept
    so the function matches the signature of sibling decoders -- confirm
    against the dispatch table that registers it.
    """
    decoded = x509.OCSPNoCheck()
    return decoded
# (major, minor) of the installed cryptography release, e.g. (2, 7).
CRYPTOGRAPHY_VERSION = packaging.version.parse(
    cryptography.__version__).release[:2]

# Flags that are True only when the test run uses the pinned newest versions.
NEWEST_PYTHON = sys.version_info[0:2] == (3, 7)
NEWEST_CRYPTOGRAPHY = CRYPTOGRAPHY_VERSION == (2, 7)
NEWEST_DJANGO = django.VERSION[:2] == (2, 2)
NEWEST_VERSIONS = NEWEST_PYTHON and NEWEST_CRYPTOGRAPHY and NEWEST_DJANGO

# PrecertPoison does not compare as equal until cryptography 2.7:
#   https://github.com/pyca/cryptography/issues/4818
# The flag is True when x509 has no PrecertPoison at all, or when two fresh
# instances do not compare equal (feature-detected rather than version-checked).
SKIP_PRECERT_POISON = not (hasattr(x509, 'PrecertPoison') and
                           x509.PrecertPoison() == x509.PrecertPoison()
                           )  # pragma: only cryptography<2.7

# OCSPNoCheck does not compare as equal until cryptography 2.7:
#   https://github.com/pyca/cryptography/issues/4818
# Feature-detected the same way: True when two fresh instances differ.
SKIP_OCSP_NOCHECK = x509.OCSPNoCheck() != x509.OCSPNoCheck(
)  # pragma: only cryptography<2.7

# For Selenium test cases
# The SKIP_SELENIUM_TESTS environment variable overrides the default. The
# default is 'n' (run the tests) only on the newest Python and cryptography;
# NEWEST_DJANGO is not part of this default.
SKIP_SELENIUM_TESTS = os.environ.get(
    'SKIP_SELENIUM_TESTS',
    'n' if (NEWEST_PYTHON and NEWEST_CRYPTOGRAPHY) else 'y').lower().strip() == 'y'
# Any value other than 'y' (case-insensitive, surrounding whitespace
# stripped) sets this to False.
VIRTUAL_DISPLAY = os.environ.get('VIRTUAL_DISPLAY', 'y').lower().strip() == 'y'
GECKODRIVER_PATH = os.path.join(ROOT_DIR, 'contrib', 'selenium', 'geckodriver')
# NOTE(review): this check is unconditional, so it runs even when
# SKIP_SELENIUM_TESTS is True. Only the path's existence is tested; nothing
# here verifies the origin or integrity (checksum/signature) of the downloaded
# binary, so pin and verify it wherever it is fetched.
if not os.path.exists(GECKODRIVER_PATH):
    raise ImproperlyConfigured(
        'Please download geckodriver to %s: '
        'https://selenium-python.readthedocs.io/installation.html#drivers' % GECKODRIVER_PATH)
def install_extensions(self, builder):
    """Attach the configured X.509 extensions to a cert or CSR builder.

    Extensions are added in a fixed order. BasicConstraints, KeyUsage,
    ExtendedKeyUsage and NameConstraints are marked critical;
    SubjectAlternativeName, CRLDistributionPoints,
    AuthorityInformationAccess and OCSPNoCheck are not.

    Usage keywords that are neither in ``KU_FIELDS`` nor in
    ``XKU_CODE_TO_OID`` are reported through ``die()``.

    Returns the builder produced by the last ``add_extension`` call.
    """
    # BasicConstraints, critical. path_length is only carried for a CA.
    if self.ca:
        basic = x509.BasicConstraints(ca=True, path_length=self.path_length)
    else:
        basic = x509.BasicConstraints(ca=False, path_length=None)
    builder = builder.add_extension(basic, critical=True)

    # KeyUsage, critical. Start from the requested flags, then force the
    # pair that matches the certificate's role. For a non-CA,
    # digital_signature and key_encipherment are always set, whatever
    # self.usage contains.
    ku_flags = {field: field in self.usage for field in KU_FIELDS}
    if self.ca:
        forced_flags = ('key_cert_sign', 'crl_sign')
    else:
        forced_flags = ('digital_signature', 'key_encipherment')
    for flag in forced_flags:
        ku_flags[flag] = True
    builder = builder.add_extension(make_key_usage(**ku_flags), critical=True)

    # ExtendedKeyUsage, critical. Everything in self.usage that is not a
    # KeyUsage field must map to a known EKU OID.
    extended = [code for code in self.usage if code not in KU_FIELDS]
    unknown = [code for code in extended if code not in XKU_CODE_TO_OID]
    if unknown:
        die("Unknown usage keywords: %s", ','.join(unknown))
    if extended:
        eku = x509.ExtendedKeyUsage([XKU_CODE_TO_OID[code] for code in extended])
        builder = builder.add_extension(eku, critical=True)

    # NameConstraints, critical. Only emitted for a CA: subtrees configured
    # on a non-CA are skipped without any error.
    subtrees_requested = self.exclude_subtrees or self.permit_subtrees
    if subtrees_requested and self.ca:
        # An empty result from load_gnames becomes None.
        permitted = self.load_gnames(self.permit_subtrees) or None
        excluded = self.load_gnames(self.exclude_subtrees) or None
        constraints = x509.NameConstraints(permitted, excluded)
        builder = builder.add_extension(constraints, critical=True)

    # SubjectAlternativeName
    if self.san:
        alt_names = x509.SubjectAlternativeName(self.get_san_gnames())
        builder = builder.add_extension(alt_names, critical=False)

    # CRLDistributionPoints: a single point carrying only full names
    # (no relative name, reasons or CRL issuer).
    if self.crl_urls:
        dist_point = x509.DistributionPoint(self.get_crl_gnames(), None, None, None)
        crl_points = x509.CRLDistributionPoints([dist_point])
        builder = builder.add_extension(crl_points, critical=False)

    # AuthorityInformationAccess: OCSP entries first, then CA issuers.
    if self.ocsp_urls or self.issuer_urls:
        ocsp_oid = AuthorityInformationAccessOID.OCSP
        issuers_oid = AuthorityInformationAccessOID.CA_ISSUERS
        descriptions = [x509.AccessDescription(ocsp_oid, gn)
                        for gn in self.get_ocsp_gnames()]
        descriptions.extend(x509.AccessDescription(issuers_oid, gn)
                            for gn in self.get_issuer_urls_gnames())
        aia = x509.AuthorityInformationAccess(descriptions)
        builder = builder.add_extension(aia, critical=False)

    # OCSPNoCheck. Added whenever the flag is set; this method does not
    # check that the certificate is an OCSP responder certificate, so
    # that is left to the caller.
    if self.ocsp_nocheck:
        builder = builder.add_extension(x509.OCSPNoCheck(), critical=False)

    # configured builder
    return builder