diff options
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/x509.py | 20 | ||||
| -rw-r--r-- | src/cryptography/hazmat/bindings/openssl/x509.py | 5 | ||||
| -rw-r--r-- | tests/test_x509_ext.py | 29 |
3 files changed, 54 insertions, 0 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py index 4ba66bb7..dd2aba65 100644 --- a/src/cryptography/hazmat/backends/openssl/x509.py +++ b/src/cryptography/hazmat/backends/openssl/x509.py @@ -267,6 +267,8 @@ class _Certificate(object): value = self._build_key_usage(ext) elif oid == x509.OID_SUBJECT_ALTERNATIVE_NAME: value = self._build_subject_alt_name(ext) + elif oid == x509.OID_EXTENDED_KEY_USAGE: + value = self._build_extended_key_usage(ext) elif critical: raise x509.UnsupportedExtension( "{0} is not currently supported".format(oid), oid @@ -366,6 +368,24 @@ class _Certificate(object): return x509.SubjectAlternativeName(general_names) + def _build_extended_key_usage(self, ext): + sk = self._backend._ffi.cast( + "Cryptography_STACK_OF_ASN1_OBJECT *", + self._backend._lib.X509V3_EXT_d2i(ext) + ) + assert sk != self._backend._ffi.NULL + sk = self._backend._ffi.gc(sk, self._backend._lib.sk_ASN1_OBJECT_free) + num = self._backend._lib.sk_ASN1_OBJECT_num(sk) + ekus = [] + + for i in range(num): + obj = self._backend._lib.sk_ASN1_OBJECT_value(sk, i) + assert obj != self._backend._ffi.NULL + oid = x509.ObjectIdentifier(_obj2txt(self._backend, obj)) + ekus.append(oid) + + return x509.ExtendedKeyUsage(ekus) + @utils.register_interface(x509.CertificateSigningRequest) class _CertificateSigningRequest(object): diff --git a/src/cryptography/hazmat/bindings/openssl/x509.py b/src/cryptography/hazmat/bindings/openssl/x509.py index a1fb7ffb..fa6a16b3 100644 --- a/src/cryptography/hazmat/bindings/openssl/x509.py +++ b/src/cryptography/hazmat/bindings/openssl/x509.py @@ -303,6 +303,11 @@ EC_KEY *d2i_EC_PUBKEY_bio(BIO *, EC_KEY **); int i2d_EC_PUBKEY_bio(BIO *, EC_KEY *); EC_KEY *d2i_ECPrivateKey_bio(BIO *, EC_KEY **); int i2d_ECPrivateKey_bio(BIO *, EC_KEY *); + +// declared in safestack +int sk_ASN1_OBJECT_num(Cryptography_STACK_OF_ASN1_OBJECT *); +ASN1_OBJECT *sk_ASN1_OBJECT_value(Cryptography_STACK_OF_ASN1_OBJECT *, int); +void sk_ASN1_OBJECT_free(Cryptography_STACK_OF_ASN1_OBJECT *); """ CUSTOMIZATIONS = """ diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index 05734b42..92e616e1 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -959,3 +959,32 @@ class TestRSASubjectAlternativeNameExtension(object): cert.extensions assert 'Invalid rfc822name value' in str(exc.value) + + +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestExtendedKeyUsageExtension(object): + def test_eku(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "extended_key_usage.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + x509.OID_EXTENDED_KEY_USAGE + ) + assert ext is not None + assert ext.critical is False + + assert [ + x509.ObjectIdentifier("1.3.6.1.5.5.7.3.1"), + x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2"), + x509.ObjectIdentifier("1.3.6.1.5.5.7.3.3"), + x509.ObjectIdentifier("1.3.6.1.5.5.7.3.4"), + x509.ObjectIdentifier("1.3.6.1.5.5.7.3.9"), + x509.ObjectIdentifier("1.3.6.1.5.5.7.3.8"), + x509.ObjectIdentifier("2.5.29.37.0"), + x509.ObjectIdentifier("2.16.840.1.113730.4.1"), + ] == list(ext.value) |