authorPaul Kehrer <paul.l.kehrer@gmail.com>2020-07-02 00:13:33 -0500
committerGitHub <noreply@github.com>2020-07-02 01:13:33 -0400
commit13fae162da9637009c3f21080e7d2fdbdffe8f36 (patch)
tree2cddfb049b16a02afd333215a2833506c35d5fbe /tests
parent63d337e5cc01c026e16b51a1c0b7aba40d9108ef (diff)
add SubjectInformationAccess extension support (#5295)
* add SubjectInformationAccess extension support * fixes
Diffstat (limited to 'tests')
-rw-r--r--tests/x509/test_x509.py75
-rw-r--r--tests/x509/test_x509_ext.py194
2 files changed, 267 insertions, 2 deletions
diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
index 35089c508..89d20c3b2 100644
--- a/tests/x509/test_x509.py
+++ b/tests/x509/test_x509.py
@@ -36,7 +36,7 @@ from cryptography.hazmat.primitives.asymmetric.utils import (
from cryptography.x509.name import _ASN1Type
from cryptography.x509.oid import (
AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID,
- NameOID, SignatureAlgorithmOID
+ NameOID, SignatureAlgorithmOID, SubjectInformationAccessOID,
)
from ..hazmat.primitives.fixtures_dsa import DSA_KEY_2048
@@ -1720,6 +1720,40 @@ class TestCertificateBuilder(object):
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_encode_nonstandard_sia(self, backend):
+ private_key = RSA_KEY_2048.private_key(backend)
+
+ sia = x509.SubjectInformationAccess([
+ x509.AccessDescription(
+ x509.ObjectIdentifier("2.999.7"),
+ x509.UniformResourceIdentifier(u"http://example.com")
+ ),
+ ])
+
+ builder = x509.CertificateBuilder().subject_name(x509.Name([
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+ ])).issuer_name(x509.Name([
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+ ])).public_key(
+ private_key.public_key()
+ ).serial_number(
+ 777
+ ).not_valid_before(
+ datetime.datetime(2015, 1, 1)
+ ).not_valid_after(
+ datetime.datetime(2040, 1, 1)
+ ).add_extension(
+ sia, False
+ )
+
+ cert = builder.sign(private_key, hashes.SHA256(), backend)
+ ext = cert.extensions.get_extension_for_oid(
+ ExtensionOID.SUBJECT_INFORMATION_ACCESS
+ )
+ assert ext.value == sia
+
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
def test_subject_dn_asn1_types(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
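Review bot: test_encode_nonstandard_sia only checks that the decoded value round-trips and never asserts the extension's criticality, even though the builder is handed the flag positionally on the `add_extension(sia, False)` line; adding `assert ext.critical is False` right after `assert ext.value == sia` would pin the encoder's handling of the flag, and test_build_cert_with_sia in the next hunk has the same gap. RFC 5280 requires SubjectInformationAccess to be non-critical, so a regression in the flag would yield certificates that strict validators reject, and nothing in these two tests would catch it. The later test writes `critical=False`; using the keyword form here as well, `sia, critical=False`, keeps the two builder tests consistent. The enclosing TestCertificateBuilder class continues outside the hunk.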
@@ -3710,6 +3744,45 @@ class TestCertificateSigningRequestBuilder(object):
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_build_cert_with_sia(self, backend):
+ issuer_private_key = RSA_KEY_2048.private_key(backend)
+ subject_private_key = RSA_KEY_2048.private_key(backend)
+
+ not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
+ not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
+
+ sia = x509.SubjectInformationAccess([
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca.domain.com")
+ ),
+ ])
+
+ builder = x509.CertificateBuilder().serial_number(
+ 777
+ ).issuer_name(x509.Name([
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+ ])).subject_name(x509.Name([
+ x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+ ])).public_key(
+ subject_private_key.public_key()
+ ).add_extension(
+ sia, critical=False
+ ).not_valid_before(
+ not_valid_before
+ ).not_valid_after(
+ not_valid_after
+ )
+
+ cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
+
+ ext = cert.extensions.get_extension_for_oid(
+ ExtensionOID.SUBJECT_INFORMATION_ACCESS
+ )
+ assert ext.value == sia
+
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
def test_build_cert_with_ski(self, backend):
issuer_private_key = RSA_KEY_2048.private_key(backend)
subject_private_key = RSA_KEY_2048.private_key(backend)
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
index 19ce4363f..760cba5d9 100644
--- a/tests/x509/test_x509_ext.py
+++ b/tests/x509/test_x509_ext.py
@@ -26,7 +26,7 @@ from cryptography.x509.extensions import _key_identifier_from_public_key
from cryptography.x509.general_name import _lazy_import_idna
from cryptography.x509.oid import (
AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID,
- NameOID, ObjectIdentifier, _OID_NAMES
+ NameOID, ObjectIdentifier, SubjectInformationAccessOID, _OID_NAMES
)
from .test_x509 import _load_cert
@@ -3052,6 +3052,198 @@ class TestAuthorityInformationAccess(object):
assert hash(aia) != hash(aia3)
+class TestSubjectInformationAccess(object):
+ def test_invalid_descriptions(self):
+ with pytest.raises(TypeError):
+ x509.SubjectInformationAccess(["notanAccessDescription"])
+
+ def test_iter_len(self):
+ sia = x509.SubjectInformationAccess([
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca.domain.com")
+ ),
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca2.domain.com")
+ )
+ ])
+ assert len(sia) == 2
+ assert list(sia) == [
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca.domain.com")
+ ),
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca2.domain.com")
+ )
+ ]
+
+ def test_iter_input(self):
+ desc = [
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca.domain.com")
+ )
+ ]
+ sia = x509.SubjectInformationAccess(iter(desc))
+ assert list(sia) == desc
+
+ def test_repr(self):
+ sia = x509.SubjectInformationAccess([
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca.domain.com")
+ )
+ ])
+ if not six.PY2:
+ assert repr(sia) == (
+ "<SubjectInformationAccess([<AccessDescription(access_method"
+ "=<ObjectIdentifier(oid=1.3.6.1.5.5.7.48.5, name=caRepositor"
+ "y)>, access_location=<UniformResourceIdentifier(value='http"
+ "://ca.domain.com')>)>])>"
+ )
+ else:
+ assert repr(sia) == (
+ "<SubjectInformationAccess([<AccessDescription(access_method"
+ "=<ObjectIdentifier(oid=1.3.6.1.5.5.7.48.5, name=caRepositor"
+ "y)>, access_location=<UniformResourceIdentifier(value=u'htt"
+ "p://ca.domain.com')>)>])>"
+ )
+
+ def test_eq(self):
+ sia = x509.SubjectInformationAccess([
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca.domain.com")
+ ),
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca2.domain.com")
+ )
+ ])
+ sia2 = x509.SubjectInformationAccess([
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca.domain.com")
+ ),
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca2.domain.com")
+ )
+ ])
+ assert sia == sia2
+
+ def test_ne(self):
+ sia = x509.SubjectInformationAccess([
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca.domain.com")
+ ),
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca2.domain.com")
+ )
+ ])
+ sia2 = x509.SubjectInformationAccess([
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca.domain.com")
+ ),
+ ])
+
+ assert sia != sia2
+ assert sia != object()
+
+ def test_indexing(self):
+ sia = x509.SubjectInformationAccess([
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca.domain.com")
+ ),
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca2.domain.com")
+ ),
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca3.domain.com")
+ ),
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca4.domain.com")
+ ),
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca5.domain.com")
+ ),
+ ])
+ assert sia[-1] == sia[4]
+ assert sia[2:6:2] == [sia[2], sia[4]]
+
+ def test_hash(self):
+ sia = x509.SubjectInformationAccess([
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca.domain.com")
+ ),
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca2.domain.com")
+ ),
+ ])
+ sia2 = x509.SubjectInformationAccess([
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca.domain.com")
+ ),
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca2.domain.com")
+ ),
+ ])
+ sia3 = x509.SubjectInformationAccess([
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca.domain.com")
+ ),
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"http://ca3.domain.com")
+ ),
+ ])
+ assert hash(sia) == hash(sia2)
+ assert hash(sia) != hash(sia3)
+
+
+@pytest.mark.requires_backend_interface(interface=RSABackend)
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestSubjectInformationAccessExtension(object):
+ def test_sia(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "custom", "sia.pem"),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ ext = cert.extensions.get_extension_for_oid(
+ ExtensionOID.SUBJECT_INFORMATION_ACCESS
+ )
+ assert ext is not None
+ assert ext.critical is False
+
+ assert ext.value == x509.SubjectInformationAccess([
+ x509.AccessDescription(
+ SubjectInformationAccessOID.CA_REPOSITORY,
+ x509.UniformResourceIdentifier(u"https://my.ca.issuer/")
+ ),
+ x509.AccessDescription(
+ x509.ObjectIdentifier("2.999.7"),
+ x509.UniformResourceIdentifier(u"gopher://info-mac-archive")
+ ),
+ ])
+
+
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
class TestAuthorityInformationAccessExtension(object):
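Review bot: The same two-entry SubjectInformationAccess literal is written out in full in test_iter_len, test_eq, test_ne, test_indexing and test_hash, so the one host name that actually differs between cases is buried in a dozen near-identical lines; a module-level helper such as `def _sia(*hosts): return x509.SubjectInformationAccess([x509.AccessDescription(SubjectInformationAccessOID.CA_REPOSITORY, x509.UniformResourceIdentifier(u"http://%s" % h)) for h in hosts])` would let each test read `sia = _sia("ca.domain.com", "ca2.domain.com")`. In test_sia the `assert ext is not None` line adds nothing if get_extension_for_oid raises when the OID is absent, which appears to be how the surrounding suite relies on it — presumably that holds here, in which case the line can be dropped and `assert ext.critical is False` remains the meaningful check. The `sia.pem` fixture that test_sia loads is not part of this tests-only diff, so it is worth confirming it ships in the vectors package of the same release; otherwise the test fails on a missing file rather than on the extension. The hunk also spans the tail of TestAuthorityInformationAccess, whose body starts outside the hunk.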