diff options
| author | Paul Kehrer <paul.l.kehrer@gmail.com> | 2018-07-10 04:55:02 +0530 |
|---|---|---|
| committer | Alex Gaynor <alex.gaynor@gmail.com> | 2018-07-09 19:25:02 -0400 |
| commit | 20ae2c8084812bd218d2b1d2972774963c4d2041 (patch) | |
| tree | b8d38879064f3cc0856b9771a08524d15925d15c | |
| parent | 01c9dac7c0ac33fb3dd73ab32322f7fc1699c059 (diff) | |
| download | cryptography-20ae2c8084812bd218d2b1d2972774963c4d2041.tar.gz cryptography-20ae2c8084812bd218d2b1d2972774963c4d2041.tar.bz2 cryptography-20ae2c8084812bd218d2b1d2972774963c4d2041.zip | |
fix encoding BMPString in x509 name entries (#4321)
Previously we encoded them as UTF-8, but as best I can tell in reality a
BMPString is fixed-width basic multilingual plane big endian encoding.
This is basically UCS-2 (aka original Unicode). However, Python doesn't
support UCS-2 encoding so we need to use utf_16_be. This means you can encode
surrogate code points that are invalid in the context of what a
BMPString is supposed to be, but in reality I strongly suspect the sane
encoding ship has sailed and dozens if not hundreds of implementations
both do this and expect other systems to handle their nonsense.
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/encode_asn1.py | 9 | ||||
| -rw-r--r-- | tests/x509/test_x509.py | 18 |
2 files changed, 25 insertions, 2 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/encode_asn1.py b/src/cryptography/hazmat/backends/openssl/encode_asn1.py index 4bea03e6..a2c7ed73 100644 --- a/src/cryptography/hazmat/backends/openssl/encode_asn1.py +++ b/src/cryptography/hazmat/backends/openssl/encode_asn1.py @@ -14,6 +14,7 @@ from cryptography.hazmat.backends.openssl.decode_asn1 import ( _CRL_ENTRY_REASON_ENUM_TO_CODE, _DISTPOINT_TYPE_FULLNAME, _DISTPOINT_TYPE_RELATIVENAME ) +from cryptography.x509.name import _ASN1Type from cryptography.x509.oid import CRLEntryExtensionOID, ExtensionOID @@ -116,11 +117,15 @@ def _encode_sk_name_entry(backend, attributes): def _encode_name_entry(backend, attribute): - value = attribute.value.encode('utf8') + if attribute._type is _ASN1Type.BMPString: + value = attribute.value.encode('utf_16_be') + else: + value = attribute.value.encode('utf8') + obj = _txt2obj_gc(backend, attribute.oid.dotted_string) name_entry = backend._lib.X509_NAME_ENTRY_create_by_OBJ( - backend._ffi.NULL, obj, attribute._type.value, value, -1 + backend._ffi.NULL, obj, attribute._type.value, value, len(value) ) return name_entry diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index 7f9f1830..fe57784a 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py @@ -4092,6 +4092,24 @@ class TestName(object): b"b060355040a0c0450794341" ) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_bmpstring_bytes(self, backend): + # For this test we need an odd length string. BMPString is UCS-2 + # encoded so it will always be even length and OpenSSL will error if + # you pass an odd length string without encoding it properly first. + name = x509.Name([ + x509.NameAttribute( + NameOID.COMMON_NAME, + u'cryptography.io', + _ASN1Type.BMPString + ), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'), + ]) + assert name.public_bytes(backend) == binascii.unhexlify( + b"30383127302506035504031e1e00630072007900700074006f00670072006100" + b"7000680079002e0069006f310d300b060355040a0c0450794341" + ) + def test_random_serial_number(monkeypatch): sample_data = os.urandom(20) |