Merge pull request #1822 from reaperhulk/x509-keyusage-ossl

keyusage support in the OpenSSL backend

2 files changed, 32 insertions, 9 deletions

diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 5d47c5ea..57e6146b 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -14,7 +14,6 @@
 from __future__ import absolute_import, division, print_function
 
 import datetime
-import warnings
 
 from cryptography import utils, x509
 from cryptography.exceptions import UnsupportedAlgorithm
@@ -172,14 +171,8 @@ class _Certificate(object):
                 value = self._build_basic_constraints(ext)
             elif oid == x509.OID_SUBJECT_KEY_IDENTIFIER:
                 value = self._build_subject_key_identifier(ext)
-            elif oid == x509.OID_KEY_USAGE and critical:
-                # TODO: remove this obviously.
-                warnings.warn(
-                    "Extension support is not fully implemented. A key usage "
-                    "extension with the critical flag was seen and IGNORED."
-                )
-                seen_oids.add(oid)
-                continue
+            elif oid == x509.OID_KEY_USAGE:
+                value = self._build_key_usage(ext)
             elif critical:
                 raise x509.UnsupportedExtension(
                     "{0} is not currently supported".format(oid), oid
@@ -232,6 +225,35 @@ class _Certificate(object):
             self._backend._ffi.buffer(asn1_string.data, asn1_string.length)[:]
         )
 
+    def _build_key_usage(self, ext):
+        bit_string = self._backend._lib.X509V3_EXT_d2i(ext)
+        assert bit_string != self._backend._ffi.NULL
+        bit_string = self._backend._ffi.cast("ASN1_BIT_STRING *", bit_string)
+        bit_string = self._backend._ffi.gc(
+            bit_string, self._backend._lib.ASN1_BIT_STRING_free
+        )
+        get_bit = self._backend._lib.ASN1_BIT_STRING_get_bit
+        digital_signature = get_bit(bit_string, 0) == 1
+        content_commitment = get_bit(bit_string, 1) == 1
+        key_encipherment = get_bit(bit_string, 2) == 1
+        data_encipherment = get_bit(bit_string, 3) == 1
+        key_agreement = get_bit(bit_string, 4) == 1
+        key_cert_sign = get_bit(bit_string, 5) == 1
+        crl_sign = get_bit(bit_string, 6) == 1
+        encipher_only = get_bit(bit_string, 7) == 1
+        decipher_only = get_bit(bit_string, 8) == 1
+        return x509.KeyUsage(
+            digital_signature,
+            content_commitment,
+            key_encipherment,
+            data_encipherment,
+            key_agreement,
+            key_cert_sign,
+            crl_sign,
+            encipher_only,
+            decipher_only
+        )
+
 
 @utils.register_interface(x509.CertificateSigningRequest)
 class _CertificateSigningRequest(object):
diff --git a/src/cryptography/hazmat/bindings/openssl/asn1.py b/src/cryptography/hazmat/bindings/openssl/asn1.py
index 45dfe758..475bd052 100644
--- a/src/cryptography/hazmat/bindings/openssl/asn1.py
+++ b/src/cryptography/hazmat/bindings/openssl/asn1.py
@@ -120,6 +120,7 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *, int, int);
 """
 
 MACROS = """
+void ASN1_BIT_STRING_free(ASN1_BIT_STRING *);
 /* This is not a macro, but is const on some versions of OpenSSL */
 int ASN1_BIT_STRING_get_bit(ASN1_BIT_STRING *, int);
 ASN1_TIME *M_ASN1_TIME_dup(void *);