diff options
| author | Paul Kehrer <paul.l.kehrer@gmail.com> | 2016-03-14 22:24:58 -0400 |
|---|---|---|
| committer | Paul Kehrer <paul.l.kehrer@gmail.com> | 2016-03-14 22:24:58 -0400 |
| commit | 9d7196d7f8a45667b27ae0d7378d7486b60c9229 (patch) | |
| tree | 39115367a69165310f08b97045ca24020da92512 | |
| parent | e8d6a9c262950b8dd6f7671b61383e8c5fe396f7 (diff) | |
| parent | b2729914013900c276d559165e479896649a1b5c (diff) | |
| download | cryptography-9d7196d7f8a45667b27ae0d7378d7486b60c9229.tar.gz cryptography-9d7196d7f8a45667b27ae0d7378d7486b60c9229.tar.bz2 cryptography-9d7196d7f8a45667b27ae0d7378d7486b60c9229.zip | |
Merge pull request #2828 from alex/unreocgnized-extension
Fixed #2747 -- allow creating x509 exts with unknown extensions
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/backend.py | 47 | ||||
| -rw-r--r-- | tests/test_x509.py | 33 |
2 files changed, 65 insertions, 15 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index c6ede932..5ce2489c 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -31,8 +31,7 @@ from cryptography.hazmat.backends.openssl.ec import ( from cryptography.hazmat.backends.openssl.encode_asn1 import ( _CRL_ENTRY_EXTENSION_ENCODE_HANDLERS, _CRL_EXTENSION_ENCODE_HANDLERS, _EXTENSION_ENCODE_HANDLERS, - _encode_asn1_int_gc, _encode_asn1_str_gc, _encode_name_gc, - _txt2obj_gc, + _encode_asn1_int_gc, _encode_asn1_str_gc, _encode_name_gc, _txt2obj_gc, ) from cryptography.hazmat.backends.openssl.hashes import _HashContext from cryptography.hazmat.backends.openssl.hmac import _HMACContext @@ -968,6 +967,31 @@ class Backend(object): def _create_x509_extensions(self, extensions, handlers, x509_obj, add_func, gc): for i, extension in enumerate(extensions): + x509_extension = self._create_x509_extension( + handlers, extension + ) + self.openssl_assert(x509_extension != self._ffi.NULL) + + if gc: + x509_extension = self._ffi.gc( + x509_extension, self._lib.X509_EXTENSION_free + ) + res = add_func(x509_obj, x509_extension, i) + self.openssl_assert(res >= 1) + + def _create_x509_extension(self, handlers, extension): + if isinstance(extension.value, x509.UnrecognizedExtension): + obj = _txt2obj_gc(self, extension.oid.dotted_string) + value = _encode_asn1_str_gc( + self, extension.value.value, len(extension.value.value) + ) + return self._lib.X509_EXTENSION_create_by_OBJ( + self._ffi.NULL, + obj, + 1 if extension.critical else 0, + value + ) + else: try: encode = handlers[extension.oid] except KeyError: @@ -987,32 +1011,25 @@ class Backend(object): x509_extension == self._ffi.NULL and extension.oid == x509.OID_CERTIFICATE_ISSUER ): - # This path exists to support OpenSSL 0.9.8, which does - # not know how to encode a CERTIFICATE_ISSUER for CRLs. Once we + # This path exists to support OpenSSL 0.9.8, which does not + # know how to encode a CERTIFICATE_ISSUER for CRLs. Once we # drop 0.9.8 support we can remove this. self._consume_errors() pp = backend._ffi.new("unsigned char **") r = self._lib.i2d_GENERAL_NAMES(ext_struct, pp) backend.openssl_assert(r > 0) pp = backend._ffi.gc( - pp, lambda pointer: backend._lib.OPENSSL_free(pointer[0]) + pp, + lambda pointer: backend._lib.OPENSSL_free(pointer[0]) ) obj = _txt2obj_gc(self, extension.oid.dotted_string) - x509_extension = self._lib.X509_EXTENSION_create_by_OBJ( + return self._lib.X509_EXTENSION_create_by_OBJ( self._ffi.NULL, obj, 1 if extension.critical else 0, _encode_asn1_str_gc(self, pp[0], r) ) - - self.openssl_assert(x509_extension != self._ffi.NULL) - - if gc: - x509_extension = self._ffi.gc( - x509_extension, self._lib.X509_EXTENSION_free - ) - res = add_func(x509_obj, x509_extension, i) - self.openssl_assert(res >= 1) + return x509_extension def create_x509_revoked_certificate(self, builder): if not isinstance(builder, x509.RevokedCertificateBuilder): diff --git a/tests/test_x509.py b/tests/test_x509.py index a6398bb3..aaeefae9 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -2382,6 +2382,39 @@ class TestCertificateBuilder(object): ) assert basic_constraints.value.path_length is None + @pytest.mark.parametrize( + "unrecognized", [ + x509.UnrecognizedExtension( + x509.ObjectIdentifier("1.2.3.4.5"), + b"abcdef", + ) + ] + ) + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_unrecognized_extension(self, backend, unrecognized): + private_key = RSA_KEY_2048.private_key(backend) + + cert = x509.CertificateBuilder().subject_name( + x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + ).issuer_name( + x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + ).not_valid_before( + datetime.datetime(2002, 1, 1, 12, 1) + ).not_valid_after( + datetime.datetime(2030, 12, 31, 8, 30) + ).public_key( + private_key.public_key() + ).serial_number( + 123 + ).add_extension( + unrecognized, critical=False + ).sign(private_key, hashes.SHA256(), backend) + + ext = cert.extensions.get_extension_for_oid(unrecognized.oid) + + assert ext.value == unrecognized + @pytest.mark.requires_backend_interface(interface=X509Backend) class TestCertificateSigningRequestBuilder(object): |