Python cryptography.x509.UniformResourceIdentifier() Examples

The following are 9 code examples of cryptography.x509.UniformResourceIdentifier().
Example #1
Source File: managers.py    From django-ca with GNU General Public License v3.0
def get_common_extensions(self, issuer_url=None, crl_url=None, ocsp_url=None):
        """Assemble the revocation and issuer pointer extensions for a certificate.

        Returns a list of ``(critical, extension)`` tuples; every entry is
        emitted with ``critical`` set to ``False``.

        * ``crl_url`` is iterated, so it is expected to be an iterable of URLs.
          Each URL becomes its own ``DistributionPoint`` inside one
          ``CRLDistributionPoints`` extension.
        * ``ocsp_url`` and ``issuer_url`` are single values and are added, in
          that order, to one ``AuthorityInformationAccess`` extension.

        Falsy arguments are skipped, so a call without URLs returns ``[]``.
        """
        # NOTE(review): this method does no scheme or host checks of its own;
        # the values are embedded as given and become the locations a relying
        # party is pointed at for revocation and issuer data. Validate them
        # before they reach this call.
        # NOTE(review): a plain ``str`` passed as crl_url would be iterated
        # character by character -- confirm every caller passes a list.
        collected = []

        if crl_url:
            points = []
            for entry in crl_url:
                location = x509.UniformResourceIdentifier(force_text(entry))
                points.append(x509.DistributionPoint(
                    full_name=[location], relative_name=None, crl_issuer=None, reasons=None))
            collected.append((False, x509.CRLDistributionPoints(points)))

        access = []
        if ocsp_url:
            ocsp_location = x509.UniformResourceIdentifier(force_text(ocsp_url))
            access.append(x509.AccessDescription(
                access_method=AuthorityInformationAccessOID.OCSP,
                access_location=ocsp_location))
        if issuer_url:
            issuer_location = x509.UniformResourceIdentifier(force_text(issuer_url))
            access.append(x509.AccessDescription(
                access_method=AuthorityInformationAccessOID.CA_ISSUERS,
                access_location=issuer_location))
        if access:
            collected.append((False, x509.AuthorityInformationAccess(access)))

        return collected
Example #2
Source File: test_verify.py    From lemur with Apache License 2.0
def test_verify_crl_unknown_scheme(cert_builder, private_key):
    """A distribution point with an unsupported URI scheme must not fail verification."""
    # The only CRL distribution point on this certificate uses ldap://.
    unsupported_uri = "ldap://ldap.example.org/cn=Example%20Certificate%20Authority?certificateRevocationList;binary"
    distribution_point = x509.DistributionPoint(
        [UniformResourceIdentifier(unsupported_uri)],
        relative_name=None,
        reasons=None,
        crl_issuer=None,
    )
    crl_extension = x509.CRLDistributionPoints([distribution_point])
    builder = cert_builder.add_extension(crl_extension, critical=False)
    cert = builder.sign(private_key, hashes.SHA256(), default_backend())

    with mktempfile() as cert_tmp:
        # The inner block closes the file before the verifier reads the path.
        with open(cert_tmp, "wb") as handle:
            handle.write(cert.public_bytes(serialization.Encoding.PEM))

        # Success here is simply "no exception".
        # NOTE(review): with no other distribution point on the certificate,
        # ignoring the ldap:// entry presumably means no CRL is consulted at
        # all for it -- confirm that this fail-open outcome is intended and
        # visible to the caller.
        crl_verify(cert, cert_tmp)
Example #3
Source File: test_verify.py    From lemur with Apache License 2.0
def test_verify_crl_unreachable(cert_builder, private_key):
    """A CRL distribution point that cannot be fetched must surface as an error."""
    # Plain http:// location that the test expects to be unretrievable.
    crl_uri = "http://invalid.example.org/crl/foobar.crl"
    distribution_point = x509.DistributionPoint(
        [UniformResourceIdentifier(crl_uri)],
        relative_name=None,
        reasons=None,
        crl_issuer=None,
    )
    crl_extension = x509.CRLDistributionPoints([distribution_point])
    builder = cert_builder.add_extension(crl_extension, critical=False)
    cert = builder.sign(private_key, hashes.SHA256(), default_backend())

    with mktempfile() as cert_tmp:
        # The inner block closes the file before the verifier reads the path.
        with open(cert_tmp, "wb") as handle:
            handle.write(cert.public_bytes(serialization.Encoding.PEM))

        # A failed download must raise rather than be treated as "not revoked".
        # NOTE(review): the expected type is the broad ``Exception``; only the
        # message prefix ties this assertion to the CRL retrieval failure.
        with pytest.raises(Exception, match="Unable to retrieve CRL:"):
            crl_verify(cert, cert_tmp)
Example #4
Source File: fields.py    From lemur with Apache License 2.0
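def _serialize(self, value, attr, obj):
        """Flatten a collection of x509 general names into a list of plain dicts.

        ``value`` is expected to expose ``_general_names``; each supported entry
        becomes ``{"nameType": <label>, "value": <value>}``. ``attr`` and
        ``obj`` are accepted but not used here. A falsy ``value`` yields ``[]``.

        Entries of a type that is not recognised are logged as a warning and
        left out of the result.
        """
        serialized = []
        if not value:
            return serialized

        for name in value._general_names:
            # Kept in its own local so the ``value`` argument is not rebound
            # while the loop is running.
            name_value = name.value

            if isinstance(name, x509.DNSName):
                name_type = "DNSName"

            elif isinstance(name, x509.IPAddress):
                # Fix: the original only recognised IPv4Network, so an IPv6
                # network was labelled "IPAddress" although its string form
                # carries a prefix length. Both families are networks.
                is_network = isinstance(
                    name_value, (ipaddress.IPv4Network, ipaddress.IPv6Network)
                )
                name_type = "IPNetwork" if is_network else "IPAddress"
                name_value = str(name_value)

            elif isinstance(name, x509.UniformResourceIdentifier):
                name_type = "uniformResourceIdentifier"

            elif isinstance(name, x509.DirectoryName):
                # NOTE(review): the value is passed through unchanged here;
                # confirm the consumer can encode whatever DirectoryName holds.
                name_type = "directoryName"

            elif isinstance(name, x509.RFC822Name):
                name_type = "rfc822Name"

            elif isinstance(name, x509.RegisteredID):
                name_type = "registeredID"
                name_value = name_value.dotted_string

            else:
                # Unsupported general-name types are dropped, not serialized.
                current_app.logger.warning(
                    "Unknown SubAltName type: {name}".format(name=name)
                )
                continue

            serialized.append({"nameType": name_type, "value": name_value})

        return serialized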
Example #5
Source File: tests_models.py    From django-ca with GNU General Public License v3.0
def test_full_crl(self):
        """Walk the root CA's CRL through successive revocation states.

        The statements are order-dependent: the assertions expect CRL numbers
        1 to 4 on the successive CRLs generated after ``crl_url`` is saved.
        """
        root = self.cas['root']
        child_ca = self.cas['child']
        leaf = self.certs['root-cert']
        crl_location = 'http://localhost/crl'
        expected_idp = self.get_idp(
            full_name=[x509.UniformResourceIdentifier(value=crl_location)])

        def pem_crl(**kwargs):
            # Generate a CRL from the root CA and return it PEM-encoded.
            return root.get_crl(**kwargs).public_bytes(Encoding.PEM)

        # Distribution point passed explicitly to get_crl().
        self.assertCRL(pem_crl(full_name=[crl_location]), idp=expected_idp, signer=root)

        # Distribution point taken from the CA's stored crl_url instead.
        root.crl_url = crl_location
        root.save()
        self.assertCRL(pem_crl(), idp=expected_idp, crl_number=1, signer=root)

        # One revoked end-entity certificate.
        leaf.revoke()
        self.assertCRL(pem_crl(), idp=expected_idp, certs=[leaf], crl_number=2, signer=root)

        # A revoked child CA is listed next to the certificate.
        child_ca.revoke()
        self.assertCRL(pem_crl(), idp=expected_idp, certs=[leaf, child_ca], crl_number=3,
                       signer=root)

        # Un-revoke the certificate so all three combinations are covered.
        leaf.revoked = False
        leaf.revoked_date = None
        leaf.revoked_reason = ''
        leaf.save()

        self.assertCRL(pem_crl(), idp=expected_idp, certs=[child_ca], crl_number=4, signer=root)
Example #6
Source File: tests_models.py    From django-ca with GNU General Public License v3.0
def test_no_auth_key_identifier(self):
        """A CRL is still produced when the authority key identifier lookup fails."""
        # Every CA fixture has an authority key identifier, so the extension
        # lookup is patched to raise ExtensionNotFound and simulate its absence.
        def raise_not_found(_unused):
            raise x509.ExtensionNotFound('mocked', x509.AuthorityKeyIdentifier.oid)

        child_ca = self.cas['child']
        crl_location = 'http://localhost/crl'
        expected_idp = self.get_idp(
            full_name=[x509.UniformResourceIdentifier(value=crl_location)])

        # The patch replaces the lookup on the Extensions class itself, so it is
        # kept scoped to the CRL generation call only.
        patched_lookup = mock.patch(
            'cryptography.x509.extensions.Extensions.get_extension_for_oid',
            side_effect=raise_not_found)
        with patched_lookup:
            pem = child_ca.get_crl(full_name=[crl_location]).public_bytes(Encoding.PEM)

        self.assertCRL(pem, idp=expected_idp, signer=child_ca,
                       skip_authority_key_identifier=True)
Example #7
Source File: tests_utils.py    From django-ca with GNU General Public License v3.0
def test_uri(self):
        """A bare URL and its ``uri:``-prefixed form parse to the same URI general name."""
        target = 'https://example.com'
        # Both spellings must yield a UniformResourceIdentifier for the bare URL.
        for candidate in (target, 'uri:%s' % target):
            self.assertEqual(parse_general_name(candidate),
                             x509.UniformResourceIdentifier(target))
Example #8
Source File: base.py    From django-ca with GNU General Public License v3.0
def uri(u):
    """Shortcut: wrap *u* in an ``x509.UniformResourceIdentifier`` general name."""
    # The value is handed over as-is; nothing is parsed or checked here.
    general_name = x509.UniformResourceIdentifier(u)
    return general_name
Example #9
Source File: tests_views.py    From django-ca with GNU General Public License v3.0
def test_full_scope(self):
        """The 'full' CRL view serves a DER CRL whose IDP names the CA's crl_url."""
        crl_location = 'http://localhost/crl'
        expected_idp = self.get_idp(
            full_name=[x509.UniformResourceIdentifier(value=crl_location)])

        # Store the distribution point on the CA before requesting the view.
        self.ca.crl_url = crl_location
        self.ca.save()

        endpoint = reverse('full', kwargs={'serial': self.ca.serial})
        response = self.client.get(endpoint)

        # Status and media type are checked before the CRL body is inspected.
        self.assertEqual(response.status_code, 200)
        self.assertEqual(response['Content-Type'], 'application/pkix-crl')
        self.assertCRL(response.content, encoding=Encoding.DER, expires=600,
                       idp=expected_idp)