resolved merge conflict

4 files changed, 105 insertions, 105 deletions

diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 22179607..51f68899 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -117,6 +117,9 @@ def _txt2obj(backend, name):
 
 def _encode_basic_constraints(backend, basic_constraints):
     constraints = backend._lib.BASIC_CONSTRAINTS_new()
+    constraints = backend._ffi.gc(
+        constraints, backend._lib.BASIC_CONSTRAINTS_free
+    )
     constraints.ca = 255 if basic_constraints.ca else 0
     if basic_constraints.ca:
         constraints.pathlen = _encode_asn1_int(
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index b387b9ee..804bce66 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -163,6 +163,45 @@ def _decode_general_name(backend, gn):
         )
 
 
+def _decode_ocsp_no_check(backend, ext):
+    return x509.OCSPNoCheck()
+
+
+class _X509ExtensionParser(object):
+    def __init__(self, ext_count, get_ext, handlers):
+        self.ext_count = ext_count
+        self.get_ext = get_ext
+        self.handlers = handlers
+
+    def parse(self, backend, x509_obj):
+        extensions = []
+        seen_oids = set()
+        for i in range(self.ext_count(backend, x509_obj)):
+            ext = self.get_ext(backend, x509_obj, i)
+            assert ext != backend._ffi.NULL
+            crit = backend._lib.X509_EXTENSION_get_critical(ext)
+            critical = crit == 1
+            oid = x509.ObjectIdentifier(_obj2txt(backend, ext.object))
+            if oid in seen_oids:
+                raise x509.DuplicateExtension(
+                    "Duplicate {0} extension found".format(oid), oid
+                )
+            try:
+                handler = self.handlers[oid]
+            except KeyError:
+                if critical:
+                    raise x509.UnsupportedExtension(
+                        "{0} is not currently supported".format(oid), oid
+                    )
+            else:
+                value = handler(backend, ext)
+                extensions.append(x509.Extension(oid, critical, value))
+
+            seen_oids.add(oid)
+
+        return x509.Extensions(extensions)
+
+
 @utils.register_interface(x509.Certificate)
 class _Certificate(object):
     def __init__(self, backend, x509):
@@ -268,58 +307,7 @@ class _Certificate(object):
 
     @property
     def extensions(self):
-        extensions = []
-        seen_oids = set()
-        extcount = self._backend._lib.X509_get_ext_count(self._x509)
-        for i in range(0, extcount):
-            ext = self._backend._lib.X509_get_ext(self._x509, i)
-            assert ext != self._backend._ffi.NULL
-            crit = self._backend._lib.X509_EXTENSION_get_critical(ext)
-            critical = crit == 1
-            oid = x509.ObjectIdentifier(_obj2txt(self._backend, ext.object))
-            if oid in seen_oids:
-                raise x509.DuplicateExtension(
-                    "Duplicate {0} extension found".format(oid), oid
-                )
-            elif oid == x509.OID_BASIC_CONSTRAINTS:
-                value = _decode_basic_constraints(self._backend, ext)
-            elif oid == x509.OID_SUBJECT_KEY_IDENTIFIER:
-                value = _decode_subject_key_identifier(self._backend, ext)
-            elif oid == x509.OID_KEY_USAGE:
-                value = _decode_key_usage(self._backend, ext)
-            elif oid == x509.OID_SUBJECT_ALTERNATIVE_NAME:
-                value = _decode_subject_alt_name(self._backend, ext)
-            elif oid == x509.OID_EXTENDED_KEY_USAGE:
-                value = _decode_extended_key_usage(self._backend, ext)
-            elif oid == x509.OID_AUTHORITY_KEY_IDENTIFIER:
-                value = _decode_authority_key_identifier(self._backend, ext)
-            elif oid == x509.OID_AUTHORITY_INFORMATION_ACCESS:
-                value = _decode_authority_information_access(
-                    self._backend, ext
-                )
-            elif oid == x509.OID_CERTIFICATE_POLICIES:
-                value = _decode_certificate_policies(self._backend, ext)
-            elif oid == x509.OID_CRL_DISTRIBUTION_POINTS:
-                value = _decode_crl_distribution_points(self._backend, ext)
-            elif oid == x509.OID_OCSP_NO_CHECK:
-                value = x509.OCSPNoCheck()
-            elif oid == x509.OID_INHIBIT_ANY_POLICY:
-                value = _decode_inhibit_any_policy(self._backend, ext)
-            elif oid == x509.OID_ISSUER_ALTERNATIVE_NAME:
-                value = _decode_issuer_alt_name(self._backend, ext)
-            elif critical:
-                raise x509.UnsupportedExtension(
-                    "{0} is not currently supported".format(oid), oid
-                )
-            else:
-                # Unsupported non-critical extension, silently skipping for now
-                seen_oids.add(oid)
-                continue
-
-            seen_oids.add(oid)
-            extensions.append(x509.Extension(oid, critical, value))
-
-        return x509.Extensions(extensions)
+        return _CERTIFICATE_EXTENSION_PARSER.parse(self._backend, self._x509)
 
     def public_bytes(self, encoding):
         bio = self._backend._create_mem_bio()
@@ -704,37 +692,8 @@ class _CertificateSigningRequest(object):
 
     @property
     def extensions(self):
-        extensions = []
-        seen_oids = set()
         x509_exts = self._backend._lib.X509_REQ_get_extensions(self._x509_req)
-        extcount = self._backend._lib.sk_X509_EXTENSION_num(x509_exts)
-        for i in range(0, extcount):
-            ext = self._backend._lib.sk_X509_EXTENSION_value(x509_exts, i)
-            assert ext != self._backend._ffi.NULL
-            crit = self._backend._lib.X509_EXTENSION_get_critical(ext)
-            critical = crit == 1
-            oid = x509.ObjectIdentifier(_obj2txt(self._backend, ext.object))
-            if oid in seen_oids:
-                raise x509.DuplicateExtension(
-                    "Duplicate {0} extension found".format(oid), oid
-                )
-            elif oid == x509.OID_BASIC_CONSTRAINTS:
-                value = _decode_basic_constraints(self._backend, ext)
-            elif oid == x509.OID_SUBJECT_ALTERNATIVE_NAME:
-                value = _decode_subject_alt_name(self._backend, ext)
-            elif critical:
-                raise x509.UnsupportedExtension(
-                    "{0} is not currently supported".format(oid), oid
-                )
-            else:
-                # Unsupported non-critical extension, silently skipping for now
-                seen_oids.add(oid)
-                continue
-
-            seen_oids.add(oid)
-            extensions.append(x509.Extension(oid, critical, value))
-
-        return x509.Extensions(extensions)
+        return _CSR_EXTENSION_PARSER.parse(self._backend, x509_exts)
 
     def public_bytes(self, encoding):
         bio = self._backend._create_mem_bio()
@@ -749,3 +708,34 @@ class _CertificateSigningRequest(object):
 
         assert res == 1
         return self._backend._read_mem_bio(bio)
+
+
+_CERTIFICATE_EXTENSION_PARSER = _X509ExtensionParser(
+    ext_count=lambda backend, x: backend._lib.X509_get_ext_count(x),
+    get_ext=lambda backend, x, i: backend._lib.X509_get_ext(x, i),
+    handlers={
+        x509.OID_BASIC_CONSTRAINTS: _decode_basic_constraints,
+        x509.OID_SUBJECT_KEY_IDENTIFIER: _decode_subject_key_identifier,
+        x509.OID_KEY_USAGE: _decode_key_usage,
+        x509.OID_SUBJECT_ALTERNATIVE_NAME: _decode_subject_alt_name,
+        x509.OID_EXTENDED_KEY_USAGE: _decode_extended_key_usage,
+        x509.OID_AUTHORITY_KEY_IDENTIFIER: _decode_authority_key_identifier,
+        x509.OID_AUTHORITY_INFORMATION_ACCESS: (
+            _decode_authority_information_access
+        ),
+        x509.OID_CERTIFICATE_POLICIES: _decode_certificate_policies,
+        x509.OID_CRL_DISTRIBUTION_POINTS: _decode_crl_distribution_points,
+        x509.OID_OCSP_NO_CHECK: _decode_ocsp_no_check,
+        x509.OID_INHIBIT_ANY_POLICY: _decode_inhibit_any_policy,
+        x509.OID_ISSUER_ALTERNATIVE_NAME: _decode_issuer_alt_name,
+    }
+)
+
+_CSR_EXTENSION_PARSER = _X509ExtensionParser(
+    ext_count=lambda backend, x: backend._lib.sk_X509_EXTENSION_num(x),
+    get_ext=lambda backend, x, i: backend._lib.sk_X509_EXTENSION_value(x, i),
+    handlers={
+        x509.OID_BASIC_CONSTRAINTS: _decode_basic_constraints,
+        x509.OID_SUBJECT_ALTERNATIVE_NAME: _decode_subject_alt_name,
+    }
+)
diff --git a/src/cryptography/hazmat/primitives/serialization.py b/src/cryptography/hazmat/primitives/serialization.py
index 9fbc32b1..098b31dc 100644
--- a/src/cryptography/hazmat/primitives/serialization.py
+++ b/src/cryptography/hazmat/primitives/serialization.py
@@ -122,8 +122,12 @@ def _load_ssh_ecdsa_public_key(expected_key_type, decoded_data, backend):
     if len(data) != 1 + 2 * ((curve.key_size + 7) // 8):
         raise ValueError("Malformed key bytes")
 
-    x = _int_from_bytes(data[1:1 + (curve.key_size + 7) // 8], byteorder='big')
-    y = _int_from_bytes(data[1 + (curve.key_size + 7) // 8:], byteorder='big')
+    x = utils.int_from_bytes(
+        data[1:1 + (curve.key_size + 7) // 8], byteorder='big'
+    )
+    y = utils.int_from_bytes(
+        data[1 + (curve.key_size + 7) // 8:], byteorder='big'
+    )
     return ec.EllipticCurvePublicNumbers(x, y, curve).public_key(backend)
 
 
@@ -145,27 +149,9 @@ def _read_next_mpint(data):
     """
     mpint_data, rest = _read_next_string(data)
 
-    return _int_from_bytes(mpint_data, byteorder='big', signed=False), rest
-
-
-if hasattr(int, "from_bytes"):
-    _int_from_bytes = int.from_bytes
-else:
-    def _int_from_bytes(data, byteorder, signed=False):
-        assert byteorder == 'big'
-        assert not signed
-
-        if len(data) % 4 != 0:
-            data = (b'\x00' * (4 - (len(data) % 4))) + data
-
-        result = 0
-
-        while len(data) > 0:
-            digit, = struct.unpack('>I', data[:4])
-            result = (result << 32) + digit
-            data = data[4:]
-
-        return result
+    return (
+        utils.int_from_bytes(mpint_data, byteorder='big', signed=False), rest
+    )
 
 
 class Encoding(Enum):
diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py
index 0bf8c0ea..24afe612 100644
--- a/src/cryptography/utils.py
+++ b/src/cryptography/utils.py
@@ -6,6 +6,7 @@ from __future__ import absolute_import, division, print_function
 
 import abc
 import inspect
+import struct
 import sys
 import warnings
 
@@ -25,6 +26,26 @@ def register_interface(iface):
     return register_decorator
 
 
+if hasattr(int, "from_bytes"):
+    int_from_bytes = int.from_bytes
+else:
+    def int_from_bytes(data, byteorder, signed=False):
+        assert byteorder == 'big'
+        assert not signed
+
+        if len(data) % 4 != 0:
+            data = (b'\x00' * (4 - (len(data) % 4))) + data
+
+        result = 0
+
+        while len(data) > 0:
+            digit, = struct.unpack('>I', data[:4])
+            result = (result << 32) + digit
+            data = data[4:]
+
+        return result
+
+
 class InterfaceNotImplemented(Exception):
     pass