diff options
| author | Paul Kehrer <paul.l.kehrer@gmail.com> | 2015-07-23 19:10:28 +0100 |
|---|---|---|
| committer | Paul Kehrer <paul.l.kehrer@gmail.com> | 2015-07-23 19:10:28 +0100 |
| commit | 8bfbacef9cb973115c0cf0f4185c8f47812c37bc (patch) | |
| tree | b55cce2d6132a82a8aac9308d493cdcdda9ef8d1 | |
| parent | 32a92b6afaf0086f2b0e6b9cf7235576b06503b0 (diff) | |
| download | cryptography-8bfbacef9cb973115c0cf0f4185c8f47812c37bc.tar.gz cryptography-8bfbacef9cb973115c0cf0f4185c8f47812c37bc.tar.bz2 cryptography-8bfbacef9cb973115c0cf0f4185c8f47812c37bc.zip | |
when building a CSR adding > 1 extension would trigger a bug
We were checking sk_X509_EXTENSION_push for a value == 1, but
in reality it returns the number of extensions on the stack. We
now assert >= 1 and added a test.
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/backend.py | 2 | ||||
| -rw-r--r-- | tests/test_x509.py | 25 |
2 files changed, 26 insertions, 1 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 7ccb39a4..9cfe73c1 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -976,7 +976,7 @@ class Backend(object): ) assert extension != self._ffi.NULL res = self._lib.sk_X509_EXTENSION_push(extensions, extension) - assert res == 1 + assert res >= 1 res = self._lib.X509_REQ_add_extensions(x509_req, extensions) assert res == 1 diff --git a/tests/test_x509.py b/tests/test_x509.py index 94eeab2b..b2262c71 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -978,6 +978,31 @@ class TestCertificateSigningRequestBuilder(object): with pytest.raises(NotImplementedError): builder.sign(private_key, hashes.SHA256(), backend) + def test_add_two_extensions(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateSigningRequestBuilder() + request = builder.subject_name( + x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + ).add_extension( + x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]), + critical=False, + ).add_extension( + x509.BasicConstraints(ca=True, path_length=2), critical=True + ).sign(private_key, hashes.SHA1(), backend) + + assert isinstance(request.signature_hash_algorithm, hashes.SHA1) + public_key = request.public_key() + assert isinstance(public_key, rsa.RSAPublicKey) + basic_constraints = request.extensions.get_extension_for_oid( + x509.OID_BASIC_CONSTRAINTS + ) + assert basic_constraints.value.ca is True + assert basic_constraints.value.path_length == 2 + ext = request.extensions.get_extension_for_oid( + x509.OID_SUBJECT_ALTERNATIVE_NAME + ) + assert list(ext.value) == [x509.DNSName(u"cryptography.io")] + def test_set_subject_twice(self): builder = x509.CertificateSigningRequestBuilder() builder = builder.subject_name( |