diff options
| -rw-r--r-- | CHANGELOG.rst | 2 | ||||
| -rw-r--r-- | docs/hazmat/primitives/asymmetric/serialization.rst | 36 | ||||
| -rw-r--r-- | docs/x509/reference.rst | 3 | ||||
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/x509.py | 9 | ||||
| -rw-r--r-- | src/cryptography/x509/extensions.py | 7 | ||||
| -rw-r--r-- | tests/test_x509.py | 6 | ||||
| -rw-r--r-- | tests/test_x509_ext.py | 27 |
7 files changed, 80 insertions, 10 deletions
diff --git a/CHANGELOG.rst b/CHANGELOG.rst index a882d26d..717c9e71 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -49,6 +49,8 @@ Changelog * Added :class:`~cryptography.x509.CertificateRevocationListBuilder` and :class:`~cryptography.x509.RevokedCertificateBuilder` to allow creation of CRLs. +* Unrecognized non-critical X.509 extensions are now parsed into an + :class:`~cryptography.x509.UnrecognizedExtension` object. 1.1.2 - 2015-12-10 ~~~~~~~~~~~~~~~~~~ diff --git a/docs/hazmat/primitives/asymmetric/serialization.rst b/docs/hazmat/primitives/asymmetric/serialization.rst index f14f4037..89028c8e 100644 --- a/docs/hazmat/primitives/asymmetric/serialization.rst +++ b/docs/hazmat/primitives/asymmetric/serialization.rst @@ -118,7 +118,12 @@ all begin with ``-----BEGIN {format}-----`` and end with ``-----END :class:`~cryptography.hazmat.backends.interfaces.PEMSerializationBackend` provider. - :returns: A new instance of a private key. + :returns: One of + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`, + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`, + or + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey` + depending on the contents of ``data``. :raises ValueError: If the PEM data could not be decrypted or if its structure could not be decoded successfully. @@ -151,7 +156,13 @@ all begin with ``-----BEGIN {format}-----`` and end with ``-----END :class:`~cryptography.hazmat.backends.interfaces.PEMSerializationBackend` provider. - :returns: A new instance of a public key. + + :returns: One of + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`, + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`, + or + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey` + depending on the contents of ``data``. :raises ValueError: If the PEM data's structure could not be decoded successfully. @@ -183,7 +194,12 @@ the rest. :class:`~cryptography.hazmat.backends.interfaces.DERSerializationBackend` provider. - :returns: A new instance of a private key. + :returns: One of + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`, + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`, + or + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey` + depending on the contents of ``data``. :raises ValueError: If the DER data could not be decrypted or if its structure could not be decoded successfully. @@ -218,7 +234,12 @@ the rest. :class:`~cryptography.hazmat.backends.interfaces.DERSerializationBackend` provider. - :returns: A new instance of a public key. + :returns: One of + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`, + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`, + or + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey` + depending on the contents of ``data``. :raises ValueError: If the DER data's structure could not be decoded successfully. @@ -275,7 +296,12 @@ DSA keys look almost identical but begin with ``ssh-dss`` rather than :class:`~cryptography.hazmat.backends.interfaces.EllipticCurveBackend` depending on the key's type. - :returns: A new instance of a public key type. + :returns: One of + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`, + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`, + or + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey` + depending on the contents of ``data``. :raises ValueError: If the OpenSSH data could not be properly decoded or if the key is not in the proper format. diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst index df17f954..8bb3f40d 100644 --- a/docs/x509/reference.rst +++ b/docs/x509/reference.rst @@ -2435,7 +2435,8 @@ Exceptions .. class:: UnsupportedExtension - This is raised when a certificate contains an unsupported extension type. + This is raised when a certificate contains an unsupported extension type + that is marked ``critical``. .. attribute:: oid diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py index 293c6288..b8614e0b 100644 --- a/src/cryptography/hazmat/backends/openssl/x509.py +++ b/src/cryptography/hazmat/backends/openssl/x509.py @@ -213,6 +213,15 @@ class _X509ExtensionParser(object): "Critical extension {0} is not currently supported" .format(oid), oid ) + else: + # Dump the DER payload into an UnrecognizedExtension object + data = backend._lib.X509_EXTENSION_get_data(ext) + backend.openssl_assert(data != backend._ffi.NULL) + der = backend._ffi.buffer(data.data, data.length)[:] + unrecognized = x509.UnrecognizedExtension(oid, der) + extensions.append( + x509.Extension(oid, critical, unrecognized) + ) else: # For extensions which are not supported by OpenSSL we pass the # extension object directly to the parsing routine so it can diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py index 0c5b5523..f7b5d7f5 100644 --- a/src/cryptography/x509/extensions.py +++ b/src/cryptography/x509/extensions.py @@ -91,6 +91,13 @@ class Extensions(object): raise ExtensionNotFound("No {0} extension was found".format(oid), oid) def get_extension_for_class(self, extclass): + if extclass is UnrecognizedExtension: + raise TypeError( + "UnrecognizedExtension can't be used with " + "get_extension_for_class because more than one instance of the" + " class may be present." + ) + for ext in self: if isinstance(ext.value, extclass): return ext diff --git a/tests/test_x509.py b/tests/test_x509.py index 578015ec..6145edb1 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -1093,7 +1093,11 @@ class TestRSACertificateRequest(object): backend ) extensions = request.extensions - assert len(extensions) == 0 + assert len(extensions) == 1 + assert extensions[0].oid == x509.ObjectIdentifier("1.2.3.4") + assert extensions[0].value == x509.UnrecognizedExtension( + x509.ObjectIdentifier("1.2.3.4"), b"value" + ) def test_request_basic_constraints(self, backend): request = _load_cert( diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index 7c5ca5f2..03a3730a 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -1032,17 +1032,33 @@ class TestExtensions(object): assert exc.value.oid == x509.ObjectIdentifier("1.2.3.4") + @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) def test_unsupported_extension(self, backend): - # TODO: this will raise an exception when all extensions are complete cert = _load_cert( os.path.join( - "x509", "custom", "unsupported_extension.pem" + "x509", "custom", "unsupported_extension_2.pem" ), x509.load_pem_x509_certificate, backend ) extensions = cert.extensions - assert len(extensions) == 0 + assert len(extensions) == 2 + assert extensions[0].critical is False + assert extensions[0].oid == x509.ObjectIdentifier( + "1.3.6.1.4.1.41482.2" + ) + assert extensions[0].value == x509.UnrecognizedExtension( + x509.ObjectIdentifier("1.3.6.1.4.1.41482.2"), + b"1.3.6.1.4.1.41482.1.2" + ) + assert extensions[1].critical is False + assert extensions[1].oid == x509.ObjectIdentifier( + "1.3.6.1.4.1.45724.2.1.1" + ) + assert extensions[1].value == x509.UnrecognizedExtension( + x509.ObjectIdentifier("1.3.6.1.4.1.45724.2.1.1"), + b"\x03\x02\x040" + ) def test_no_extensions_get_for_class(self, backend): cert = _load_cert( @@ -1057,6 +1073,11 @@ class TestExtensions(object): exts.get_extension_for_class(x509.IssuerAlternativeName) assert exc.value.oid == ExtensionOID.ISSUER_ALTERNATIVE_NAME + def test_unrecognized_extension_for_class(self): + exts = x509.Extensions([]) + with pytest.raises(TypeError): + exts.get_extension_for_class(x509.UnrecognizedExtension) + def test_indexing(self, backend): cert = _load_cert( os.path.join("x509", "cryptography.io.pem"), |