Test ExtensionPolicy with all extension types.

Author: deivse

tests/x509/verification/test_verification.py

@@ -6,13 +6,16 @@
 import os
 from functools import lru_cache
 from ipaddress import IPv4Address
-from typing import Optional
+from typing import Optional, Type
 
 import pytest
 
 from cryptography import utils, x509
 from cryptography.hazmat._oid import ExtendedKeyUsageOID
-from cryptography.x509.extensions import ExtendedKeyUsage
+from cryptography.x509.extensions import (
+    ExtendedKeyUsage,
+    ExtensionType,
+)
 from cryptography.x509.general_name import DNSName, IPAddress
 from cryptography.x509.verification import (
     Criticality,
@@ -300,6 +303,18 @@ def test_error_message(self):
             verifier.verify(leaf, [])
 
 
+TESTED_EXTENSION_TYPES = (
+    x509.AuthorityInformationAccess,
+    x509.AuthorityKeyIdentifier,
+    x509.SubjectKeyIdentifier,
+    x509.KeyUsage,
+    x509.SubjectAlternativeName,
+    x509.BasicConstraints,
+    x509.NameConstraints,
+    x509.ExtendedKeyUsage,
+)
+
+
 class TestCustomExtensionPolicies:
     leaf = _load_cert(
         os.path.join("x509", "cryptography.io.pem"),
@@ -345,71 +360,103 @@ class _Extension:
                 None,
             )
 
-    @staticmethod
-    def _eku_validator_cb(policy, cert, ext: Optional[ExtendedKeyUsage]):
-        assert isinstance(policy, Policy)
-        assert (
-            policy.validation_time
-            == TestCustomExtensionPolicies.validation_time.replace(tzinfo=None)
+    def test_unsupported_extension(self):
+        ext_policy = ExtensionPolicy.permit_all()
+        message = (
+            f"Unsupported extension OID: {x509.Admissions.oid.dotted_string}"
         )
-        assert isinstance(cert, x509.Certificate)
-        assert ext is None or isinstance(ext, x509.ExtendedKeyUsage)
+        with pytest.raises(
+            ValueError,
+            match=message,
+        ):
+            ext_policy.may_be_present(
+                x509.Admissions,
+                Criticality.AGNOSTIC,
+                None,
+            )
 
-    def test_custom_cb_pass(self):
-        ca_ext_policy = ExtensionPolicy.webpki_defaults_ca()
-        ee_ext_policy = ExtensionPolicy.webpki_defaults_ee()
+    @staticmethod
+    def _make_validator_cb(extension_type: Type[ExtensionType]):
+        def validator_cb(policy, cert, ext: Optional[ExtensionType]):
+            assert isinstance(policy, Policy)
+            assert (
+                policy.validation_time
+                == TestCustomExtensionPolicies.validation_time.replace(
+                    tzinfo=None
+                )
+            )
+            assert isinstance(cert, x509.Certificate)
+            assert ext is None or isinstance(ext, extension_type)
 
-        ee_ext_policy = ee_ext_policy.may_be_present(
-            ExtendedKeyUsage, Criticality.AGNOSTIC, self._eku_validator_cb
-        )
-        ca_ext_policy = ca_ext_policy.may_be_present(
-            ExtendedKeyUsage, Criticality.AGNOSTIC, self._eku_validator_cb
-        )
+        return validator_cb
 
-        ca_validator_called = False
+    # def test_all_extension_types(self):
+    #     ca_ext_policy = ExtensionPolicy.webpki_defaults_ca()
+    #     ee_ext_policy = ExtensionPolicy.webpki_defaults_ee()
 
-        def ca_basic_constraints_validator(policy, cert, ext):
-            assert cert == self.ca
-            assert isinstance(policy, Policy)
-            assert isinstance(cert, x509.Certificate)
-            assert isinstance(ext, x509.BasicConstraints)
-            nonlocal ca_validator_called
-            ca_validator_called = True
+    #     ca_validator_called = False
 
-        ca_ext_policy = ca_ext_policy.may_be_present(
-            x509.BasicConstraints,
+    #     extension_types = [
+    #         AuthorityInformationAccess,
+    #         AuthorityKeyIdentifier,
+    #         SubjectKeyIdentifier,
+    #         KeyUsage,
+    #         SubjectAlternativeName,
+    #         BasicConstraints,
+    #     ]
+
+    #     for
+
+    #     ca_ext_policy = ca_ext_policy.may_be_present(
+    #         x509.BasicConstraints,
+    #         Criticality.AGNOSTIC,
+    #         ca_basic_constraints_validator,
+    #     )
+
+    #     builder = PolicyBuilder().store(self.store)
+    #     builder = builder.time(self.validation_time)
+    #     builder = builder.extension_policies(ca_ext_policy, ee_ext_policy)
+
+    #     builder.build_client_verifier().verify(self.leaf, [])
+
+    @pytest.mark.parametrize(
+        "extension_type",
+        TESTED_EXTENSION_TYPES,
+    )
+    def test_custom_cb_pass(self, extension_type: Type[x509.ExtensionType]):
+        ca_ext_policy = ExtensionPolicy.webpki_defaults_ca()
+        ee_ext_policy = ExtensionPolicy.webpki_defaults_ee()
+
+        ee_ext_policy = ee_ext_policy.may_be_present(
+            extension_type,
             Criticality.AGNOSTIC,
-            ca_basic_constraints_validator,
+            self._make_validator_cb(extension_type),
         )
 
         builder = PolicyBuilder().store(self.store)
         builder = builder.time(self.validation_time).max_chain_depth(16)
         builder = builder.extension_policies(ca_ext_policy, ee_ext_policy)
 
         builder.build_client_verifier().verify(self.leaf, [])
-        assert ca_validator_called
-        ca_validator_called = False
 
         path = builder.build_server_verifier(
             DNSName("cryptography.io")
         ).verify(self.leaf, [])
-        assert ca_validator_called
         assert path == [self.leaf, self.ca]
 
-    def test_custom_cb_no_retval_enforced(self):
+    @pytest.mark.parametrize(
+        "extension_type",
+        TESTED_EXTENSION_TYPES,
+    )
+    def test_custom_cb_exception_fails_verification(self, extension_type):
         ca_ext_policy = ExtensionPolicy.webpki_defaults_ca()
         ee_ext_policy = ExtensionPolicy.webpki_defaults_ee()
 
         def validator(*_):
-            return False
+            raise ValueError("test")
 
         ca_ext_policy = ca_ext_policy.may_be_present(
-            x509.BasicConstraints,
-            Criticality.AGNOSTIC,
-            validator,
-        )
-        ee_ext_policy = ee_ext_policy.may_be_present(
-            ExtendedKeyUsage,
+            extension_type,
             Criticality.AGNOSTIC,
             validator,
         )
@@ -423,22 +470,17 @@ def validator(*_):
         ):
             with pytest.raises(
                 VerificationError,
-                match="Python validator must return None.",
+                match="Python extension validator failed: ValueError: test",
             ):
                 verifier.verify(self.leaf, [])
 
-    def test_custom_cb_exception_fails_verification(self):
+    def test_custom_cb_no_retval_enforced(self):
         ca_ext_policy = ExtensionPolicy.webpki_defaults_ca()
         ee_ext_policy = ExtensionPolicy.webpki_defaults_ee()
 
         def validator(*_):
-            raise ValueError("test")
+            return False
 
-        ca_ext_policy = ca_ext_policy.may_be_present(
-            x509.BasicConstraints,
-            Criticality.AGNOSTIC,
-            validator,
-        )
         ee_ext_policy = ee_ext_policy.may_be_present(
             ExtendedKeyUsage,
             Criticality.AGNOSTIC,
@@ -454,6 +496,6 @@ def validator(*_):
         ):
             with pytest.raises(
                 VerificationError,
-                match="Python extension validator failed: ValueError: test",
+                match="Python validator must return None.",
             ):
                 verifier.verify(self.leaf, [])