authorAlex Gaynor <alex.gaynor@gmail.com>2015-08-08 23:46:38 -0400
committerAlex Gaynor <alex.gaynor@gmail.com>2015-08-08 23:46:38 -0400
commitba62a0ba66cdf7476dd741a0bf0f08cab518524c (patch)
treee8db8b3700443db0565d70ce170a1380cb92a9ff
parent57df4852891c509917bffca53dffad88a4e914ab (diff)
parentaedeedb8ce32caedf68ae0bf0066a70175c9f694 (diff)
downloadcryptography-ba62a0ba66cdf7476dd741a0bf0f08cab518524c.tar.gz
cryptography-ba62a0ba66cdf7476dd741a0bf0f08cab518524c.tar.bz2
cryptography-ba62a0ba66cdf7476dd741a0bf0f08cab518524c.zip
Merge pull request #2230 from reaperhulk/encode-iap
support InhibitAnyPolicy in CertificateBuilder
-rw-r--r--CHANGELOG.rst1
-rw-r--r--src/_cffi_src/openssl/asn1.py1
-rw-r--r--src/cryptography/hazmat/backends/openssl/backend.py13
-rw-r--r--src/cryptography/x509.py8
-rw-r--r--tests/hazmat/backends/test_openssl.py2
-rw-r--r--tests/test_x509.py30
6 files changed, 52 insertions, 3 deletions
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 5c808f39..738c0552 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -58,6 +58,7 @@ Changelog
* :class:`~cryptography.x509.AuthorityKeyIdentifier`
* :class:`~cryptography.x509.AuthorityInformationAccess`
* :class:`~cryptography.x509.CRLDistributionPoints`
+ * :class:`~cryptography.x509.InhibitAnyPolicy`
0.9.3 - 2015-07-09
~~~~~~~~~~~~~~~~~~
diff --git a/src/_cffi_src/openssl/asn1.py b/src/_cffi_src/openssl/asn1.py
index 96084721..bbbffd8f 100644
--- a/src/_cffi_src/openssl/asn1.py
+++ b/src/_cffi_src/openssl/asn1.py
@@ -133,6 +133,7 @@ ASN1_BIT_STRING *ASN1_BIT_STRING_new(void);
void ASN1_BIT_STRING_free(ASN1_BIT_STRING *);
int i2d_ASN1_BIT_STRING(ASN1_BIT_STRING *, unsigned char **);
int i2d_ASN1_OCTET_STRING(ASN1_OCTET_STRING *, unsigned char **);
+int i2d_ASN1_INTEGER(ASN1_INTEGER *, unsigned char **);
/* This is not a macro, but is const on some versions of OpenSSL */
int ASN1_BIT_STRING_get_bit(ASN1_BIT_STRING *, int);
ASN1_TIME *M_ASN1_TIME_dup(void *);
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 6675f677..c583214d 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -102,6 +102,17 @@ def _encode_asn1_str_gc(backend, data, length):
return s
+def _encode_inhibit_any_policy(backend, inhibit_any_policy):
+ asn1int = _encode_asn1_int_gc(backend, inhibit_any_policy.skip_certs)
+ pp = backend._ffi.new('unsigned char **')
+ r = backend._lib.i2d_ASN1_INTEGER(asn1int, pp)
+ assert r > 0
+ pp = backend._ffi.gc(
+ pp, lambda pointer: backend._lib.OPENSSL_free(pointer[0])
+ )
+ return pp, r
+
+
def _encode_name(backend, attributes):
"""
The X509_NAME created will not be gc'd. Use _encode_name_gc if needed.
@@ -1274,6 +1285,8 @@ class Backend(object):
pp, r = _encode_authority_key_identifier(self, extension.value)
elif isinstance(extension.value, x509.KeyUsage):
pp, r = _encode_key_usage(self, extension.value)
+ elif isinstance(extension.value, x509.InhibitAnyPolicy):
+ pp, r = _encode_inhibit_any_policy(self, extension.value)
elif isinstance(extension.value, x509.ExtendedKeyUsage):
pp, r = _encode_extended_key_usage(self, extension.value)
elif isinstance(extension.value, x509.SubjectAlternativeName):
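Review bot: `assert r > 0` in the new `_encode_inhibit_any_policy` is the only check on the `i2d_ASN1_INTEGER` result, and `assert` statements are stripped under `python -O`, so a failed encode (r <= 0) would then be handed back to the caller as a length paired with a buffer that was never filled. Replace it with an explicit `if r <= 0:` that raises whatever this file's other encoders raise on a failed i2d call; those siblings are outside the hunk, so if they rely on the same `assert` pattern this is a file-wide point rather than one specific to this helper. The helper also lacks a docstring; a line such as `"""DER-encode skip_certs as an ASN1_INTEGER and return (buffer, length); the buffer is released by the attached gc callback."""` would match the style of `_encode_name` just below it. Nothing here validates `inhibit_any_policy.skip_certs`, so whether a negative or non-int value is rejected before reaching this encoder depends on `InhibitAnyPolicy` in x509.py, outside this hunk, and is worth confirming. The Backend method touched by the second hunk starts and ends outside the hunk.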
diff --git a/src/cryptography/x509.py b/src/cryptography/x509.py
index 397274e8..bcda7217 100644
--- a/src/cryptography/x509.py
+++ b/src/cryptography/x509.py
@@ -1818,6 +1818,8 @@ class CertificateBuilder(object):
)
elif isinstance(extension, KeyUsage):
extension = Extension(OID_KEY_USAGE, critical, extension)
+ elif isinstance(extension, InhibitAnyPolicy):
+ extension = Extension(OID_INHIBIT_ANY_POLICY, critical, extension)
elif isinstance(extension, ExtendedKeyUsage):
extension = Extension(OID_EXTENDED_KEY_USAGE, critical, extension)
elif isinstance(extension, SubjectAlternativeName):
@@ -1832,12 +1834,14 @@ class CertificateBuilder(object):
extension = Extension(
OID_SUBJECT_KEY_IDENTIFIER, critical, extension
)
- elif isinstance(extension, InhibitAnyPolicy):
- extension = Extension(OID_INHIBIT_ANY_POLICY, critical, extension)
elif isinstance(extension, CRLDistributionPoints):
extension = Extension(
OID_CRL_DISTRIBUTION_POINTS, critical, extension
)
+ elif isinstance(extension, IssuerAlternativeName):
+ extension = Extension(
+ OID_ISSUER_ALTERNATIVE_NAME, critical, extension
+ )
else:
raise NotImplementedError('Unsupported X.509 extension.')
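Review bot: The `IssuerAlternativeName` branch added in the second hunk lets `CertificateBuilder.add_extension` accept an extension that the backend hunk in this same commit does not encode, and the `tests/hazmat/backends/test_openssl.py` change switches the NotImplementedError case to exactly this extension, so the failure now surfaces only at `sign()` rather than when the extension is added. If that staging is intended, a short comment on the new branch, `# Accepted by the builder; OpenSSL backend encoding is still pending`, would tell the next reader it is deliberate rather than an oversight. On style, the `isinstance` chain keeps growing with each extension; a class-to-OID mapping consulted once would shorten it and make it impossible to add a class without also naming its OID. The enclosing method starts and ends outside the hunk.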
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index 051827af..8f559c84 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -529,7 +529,7 @@ class TestOpenSSLSignX509Certificate(object):
).not_valid_after(
datetime.datetime(2020, 1, 1)
).add_extension(
- x509.InhibitAnyPolicy(0), False
+ x509.IssuerAlternativeName([x509.DNSName(u"crypto.io")]), False
)
with pytest.raises(NotImplementedError):
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 9ca8931d..b630e337 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -1455,6 +1455,36 @@ class TestCertificateBuilder(object):
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_inhibit_any_policy(self, backend):
+ issuer_private_key = RSA_KEY_2048.private_key(backend)
+ subject_private_key = RSA_KEY_2048.private_key(backend)
+
+ not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
+ not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
+
+ cert = x509.CertificateBuilder().subject_name(
+ x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ ).issuer_name(
+ x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ ).not_valid_before(
+ not_valid_before
+ ).not_valid_after(
+ not_valid_after
+ ).public_key(
+ subject_private_key.public_key()
+ ).serial_number(
+ 123
+ ).add_extension(
+ x509.InhibitAnyPolicy(3), critical=False
+ ).sign(issuer_private_key, hashes.SHA256(), backend)
+
+ ext = cert.extensions.get_extension_for_oid(
+ x509.OID_INHIBIT_ANY_POLICY
+ )
+ assert ext.value == x509.InhibitAnyPolicy(3)
+
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
def test_key_usage(self, backend):
issuer_private_key = RSA_KEY_2048.private_key(backend)
subject_private_key = RSA_KEY_2048.private_key(backend)