diff options
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/backend.py | 54 | ||||
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/x509.py | 2 |
2 files changed, 20 insertions, 36 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index c2a3dc2d..22179607 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -115,9 +115,7 @@ def _txt2obj(backend, name): return obj -def _encode_basic_constraints(backend, basic_constraints, critical): - obj = _txt2obj(backend, x509.OID_BASIC_CONSTRAINTS.dotted_string) - assert obj is not None +def _encode_basic_constraints(backend, basic_constraints): constraints = backend._lib.BASIC_CONSTRAINTS_new() constraints.ca = 255 if basic_constraints.ca else 0 if basic_constraints.ca: @@ -132,24 +130,10 @@ def _encode_basic_constraints(backend, basic_constraints, critical): pp = backend._ffi.gc( pp, lambda pointer: backend._lib.OPENSSL_free(pointer[0]) ) - - # Wrap that in an X509 extension object. - extension = backend._lib.X509_EXTENSION_create_by_OBJ( - backend._ffi.NULL, - obj, - 1 if critical else 0, - _encode_asn1_str(backend, pp[0], r), - ) - assert extension != backend._ffi.NULL - - # Return the wrapped extension. - return extension + return pp, r -def _encode_subject_alt_name(backend, san, critical): - obj = _txt2obj(backend, x509.OID_SUBJECT_ALTERNATIVE_NAME.dotted_string) - assert obj is not None - +def _encode_subject_alt_name(backend, san): general_names = backend._lib.GENERAL_NAMES_new() assert general_names != backend._ffi.NULL # TODO: GC @@ -176,15 +160,7 @@ def _encode_subject_alt_name(backend, san, critical): pp = backend._ffi.gc( pp, lambda pointer: backend._lib.OPENSSL_free(pointer[0]) ) - - extension = backend._lib.X509_EXTENSION_create_by_OBJ( - backend._ffi.NULL, - obj, - 1 if critical else 0, - _encode_asn1_str(backend, pp[0], r) - ) - assert extension != backend._ffi.NULL - return extension + return pp, r @utils.register_interface(CipherBackend) @@ -893,19 +869,25 @@ class Backend(object): ) for extension in builder._extensions: if isinstance(extension.value, x509.BasicConstraints): - extension = _encode_basic_constraints( - self, - extension.value, - extension.critical + pp, r = _encode_basic_constraints( + self, extension.value, ) elif isinstance(extension.value, x509.SubjectAlternativeName): - extension = _encode_subject_alt_name( - self, - extension.value, - extension.critical, + pp, r = _encode_subject_alt_name( + self, extension.value, ) else: raise NotImplementedError('Extension not yet supported.') + + obj = _txt2obj(self, extension.oid.dotted_string) + extension = backend._lib.X509_EXTENSION_create_by_OBJ( + backend._ffi.NULL, + obj, + 1 if extension.critical else 0, + _encode_asn1_str(backend, pp[0], r) + ) + assert extension != backend._ffi.NULL + res = self._lib.sk_X509_EXTENSION_push(extensions, extension) assert res == 1 res = self._lib.X509_REQ_add_extensions(x509_req, extensions) diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py index 8e361fa2..b387b9ee 100644 --- a/src/cryptography/hazmat/backends/openssl/x509.py +++ b/src/cryptography/hazmat/backends/openssl/x509.py @@ -720,6 +720,8 @@ class _CertificateSigningRequest(object): ) elif oid == x509.OID_BASIC_CONSTRAINTS: value = _decode_basic_constraints(self._backend, ext) + elif oid == x509.OID_SUBJECT_ALTERNATIVE_NAME: + value = _decode_subject_alt_name(self._backend, ext) elif critical: raise x509.UnsupportedExtension( "{0} is not currently supported".format(oid), oid |