Don't raise an UnsupportedExtension for critical extensions. (#3550)

* Don't raise an UnsupportedExtension for critical extensions.

Fixes #2903
Fixes #2901
Fixes #3325

* Don't link

* Revert "Don't link"

This reverts commit 4fe847f91d9dd45cdc28a4984c4e44aad62a5de6.

* fix

* Revert "Revert "Don't link""

This reverts commit 856031b5a1fbad04ac218fa94ebf37dcd402f3ed.

* fix

* Deprecate this

* Better changelog entry

8 files changed, 39 insertions, 51 deletions

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 8935285c..8332b8be 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -15,6 +15,11 @@ Changelog
   :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.verify`
   has always been to check whether or not
   :class:`~cryptography.exceptions.InvalidSignature` was raised.
+* Accessing an unrecognized extension marked critical on an X.509 object will
+  no longer raise an ``UnsupportedExtension`` exception, instead an
+  :class:`~cryptography.x509.UnrecognizedExtension` object will be returned.
+  This behavior was based on a poor reading of the RFC, unknown critical
+  extensions only need to be rejected on certificate verification.
 
 
 1.8.1 - 2017-03-10
@@ -488,9 +493,9 @@ Changelog
   * :class:`~cryptography.x509.CertificatePolicies`
 
   Note that unsupported extensions with the critical flag raise
-  :class:`~cryptography.x509.UnsupportedExtension` while unsupported extensions
-  set to non-critical are silently ignored. Read the
-  :doc:`X.509 documentation</x509/index>` for more information.
+  ``UnsupportedExtension`` while unsupported extensions set to non-critical are
+  silently ignored. Read the :doc:`X.509 documentation</x509/index>` for more
+  information.
 
 0.8.2 - 2015-04-10
 ~~~~~~~~~~~~~~~~~~
diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst
index 1177dba4..24d1c07b 100644
--- a/docs/x509/reference.rst
+++ b/docs/x509/reference.rst
@@ -379,9 +379,6 @@ X.509 Certificate Object
         :raises cryptography.x509.DuplicateExtension: If more than one
             extension of the same type is found within the certificate.
 
-        :raises cryptography.x509.UnsupportedExtension: If the certificate
-            contains an extension that is not supported.
-
         :raises cryptography.x509.UnsupportedGeneralNameType: If an extension
             contains a general name that is not supported.
 
@@ -773,9 +770,6 @@ X.509 CSR (Certificate Signing Request) Object
         :raises cryptography.x509.DuplicateExtension: If more than one
             extension of the same type is found within the certificate signing request.
 
-        :raises cryptography.x509.UnsupportedExtension: If the certificate signing request
-            contains an extension that is not supported.
-
         :raises cryptography.x509.UnsupportedGeneralNameType: If an extension
             contains a general name that is not supported.
 
@@ -2067,10 +2061,8 @@ X.509 Extensions
 
     .. versionadded:: 1.2
 
-    A generic extension class used to hold the raw value of **non-critical**
-    extensions that ``cryptography`` does not know how to parse. Extensions
-    marked critical will raise
-    :class:`~cryptography.x509.UnsupportedExtension`.
+    A generic extension class used to hold the raw value of extensions that
+    ``cryptography`` does not know how to parse.
 
     .. attribute:: oid
 
@@ -2669,17 +2661,6 @@ Exceptions
 
         Returns the OID.
 
-.. class:: UnsupportedExtension
-
-    This is raised when a certificate contains an unsupported extension type
-    that is marked ``critical``.
-
-    .. attribute:: oid
-
-        :type: :class:`ObjectIdentifier`
-
-        Returns the OID.
-
 .. class:: ExtensionNotFound
 
     This is raised when calling :meth:`Extensions.get_extension_for_oid` with
diff --git a/src/cryptography/hazmat/backends/openssl/decode_asn1.py b/src/cryptography/hazmat/backends/openssl/decode_asn1.py
index b6910d9c..19df4c8c 100644
--- a/src/cryptography/hazmat/backends/openssl/decode_asn1.py
+++ b/src/cryptography/hazmat/backends/openssl/decode_asn1.py
@@ -215,20 +215,14 @@ class _X509ExtensionParser(object):
             try:
                 handler = self.handlers[oid]
             except KeyError:
-                if critical:
-                    raise x509.UnsupportedExtension(
-                        "Critical extension {0} is not currently supported"
-                        .format(oid), oid
-                    )
-                else:
-                    # Dump the DER payload into an UnrecognizedExtension object
-                    data = backend._lib.X509_EXTENSION_get_data(ext)
-                    backend.openssl_assert(data != backend._ffi.NULL)
-                    der = backend._ffi.buffer(data.data, data.length)[:]
-                    unrecognized = x509.UnrecognizedExtension(oid, der)
-                    extensions.append(
-                        x509.Extension(oid, critical, unrecognized)
-                    )
+                # Dump the DER payload into an UnrecognizedExtension object
+                data = backend._lib.X509_EXTENSION_get_data(ext)
+                backend.openssl_assert(data != backend._ffi.NULL)
+                der = backend._ffi.buffer(data.data, data.length)[:]
+                unrecognized = x509.UnrecognizedExtension(oid, der)
+                extensions.append(
+                    x509.Extension(oid, critical, unrecognized)
+                )
             else:
                 ext_data = backend._lib.X509V3_EXT_d2i(ext)
                 if ext_data == backend._ffi.NULL:
diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py
index bec56d5b..16c05003 100644
--- a/src/cryptography/utils.py
+++ b/src/cryptography/utils.py
@@ -15,6 +15,7 @@ import warnings
 # ubiquity of their use. They should not be removed until we agree on when that
 # cycle ends.
 PersistentlyDeprecated = DeprecationWarning
+DeprecatedIn19 = PendingDeprecationWarning
 
 
 def read_only_property(name):
diff --git a/src/cryptography/x509/__init__.py b/src/cryptography/x509/__init__.py
index 38ae0f07..c5465fbb 100644
--- a/src/cryptography/x509/__init__.py
+++ b/src/cryptography/x509/__init__.py
@@ -4,6 +4,7 @@
 
 from __future__ import absolute_import, division, print_function
 
+from cryptography import utils
 from cryptography.x509 import certificate_transparency
 from cryptography.x509.base import (
     Certificate, CertificateBuilder, CertificateRevocationList,
@@ -109,6 +110,12 @@ OID_INVALIDITY_DATE = CRLEntryExtensionOID.INVALIDITY_DATE
 OID_CA_ISSUERS = AuthorityInformationAccessOID.CA_ISSUERS
 OID_OCSP = AuthorityInformationAccessOID.OCSP
 
+UnsupportedExtension = utils.deprecated(
+    UnsupportedExtension,
+    __name__,
+    "UnsupportedExtension is no longer necessary, it is never raised",
+    utils.DeprecatedIn19
+)
 
 __all__ = [
     "certificate_transparency",
diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py
index ba19b3a3..aa30f8ff 100644
--- a/src/cryptography/x509/extensions.py
+++ b/src/cryptography/x509/extensions.py
@@ -52,9 +52,7 @@ class DuplicateExtension(Exception):
 
 
 class UnsupportedExtension(Exception):
-    def __init__(self, msg, oid):
-        super(UnsupportedExtension, self).__init__(msg)
-        self.oid = oid
+    pass
 
 
 class ExtensionNotFound(Exception):
diff --git a/tests/test_x509.py b/tests/test_x509.py
index de19d0d3..c15940e3 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -438,8 +438,10 @@ class TestRevokedCertificate(object):
             backend
         )
 
-        with pytest.raises(x509.UnsupportedExtension):
-            crl[0].extensions
+        ext = crl[0].extensions.get_extension_for_oid(
+            x509.ObjectIdentifier("1.2.3.4")
+        )
+        assert ext.value.value == b"\n\x01\x00"
 
     def test_unsupported_reason(self, backend):
         crl = _load_cert(
@@ -1129,10 +1131,10 @@ class TestRSACertificateRequest(object):
             x509.load_pem_x509_csr,
             backend
         )
-        with pytest.raises(x509.UnsupportedExtension) as exc:
-            request.extensions
-
-        assert exc.value.oid == x509.ObjectIdentifier('1.2.3.4')
+        ext = request.extensions.get_extension_for_oid(
+            x509.ObjectIdentifier('1.2.3.4')
+        )
+        assert ext.value.value == b"value"
 
     def test_unsupported_extension(self, backend):
         request = _load_cert(
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index 8210b058..eaf5a51a 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -1085,10 +1085,10 @@ class TestExtensions(object):
             x509.load_pem_x509_certificate,
             backend
         )
-        with pytest.raises(x509.UnsupportedExtension) as exc:
-            cert.extensions
-
-        assert exc.value.oid == x509.ObjectIdentifier("1.2.3.4")
+        ext = cert.extensions.get_extension_for_oid(
+            x509.ObjectIdentifier("1.2.3.4")
+        )
+        assert ext.value.value == b"value"
 
     @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
     def test_unsupported_extension(self, backend):