-rw-r--r--docs/development/test-vectors.rst9
-rw-r--r--src/cryptography/hazmat/backends/openssl/x509.py13
-rw-r--r--tests/test_x509_ext.py17
-rw-r--r--vectors/cryptography_vectors/x509/custom/ian_uri.pem19
-rw-r--r--vectors/cryptography_vectors/x509/custom/nc_excluded.pem19
-rw-r--r--vectors/cryptography_vectors/x509/custom/nc_permitted.pem19
-rw-r--r--vectors/cryptography_vectors/x509/custom/nc_permitted_excluded.pem19
7 files changed, 115 insertions, 0 deletions
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
index c9ee5dc1..3776cb1d 100644
--- a/docs/development/test-vectors.rst
+++ b/docs/development/test-vectors.rst
@@ -192,6 +192,13 @@ Custom X.509 Vectors
* ``cdp_reason_aa_compromise.pem`` - An RSA 1024 bit certificate containing a
CRL distribution points extension with the ``AACompromise`` ``reasons`` bit
set.
+* ``nc_permitted_excluded.pem`` - An RSA 2048 bit self-signed certificate
+ containing a name constraints extension with both permitted and excluded
+ elements.
+* ``nc_permitted.pem`` - An RSA 2048 bit self-signed certificate containing a
+ name constraints extension with permitted elements.
+* ``nc_excluded.pem`` - An RSA 2048 bit self-signed certificate containing a
+ name constraints extension with excluded elements.
* ``cp_user_notice_with_notice_reference.pem`` - An RSA 2048 bit self-signed
certificate containing a certificate policies extension with a
notice reference in the user notice.
@@ -203,6 +210,8 @@ Custom X.509 Vectors
* ``cp_user_notice_no_explicit_text.pem`` - An RSA 2048 bit self-signed
certificate containing a certificate policies extension with a user notice
with no explicit text.
+* ``ian_uri.pem`` - An RSA 2048 bit certificate containing an issuer
+ alternative name extension with a ``URI`` general name.
* ``ocsp_nocheck.pem`` - An RSA 2048 bit self-signed certificate containing
an ``OCSPNoCheck`` extension.
* ``pc_inhibit_require.pem`` - An RSA 2048 bit self-signed certificate
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index a836e6a7..3b0c2954 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -290,6 +290,8 @@ class _Certificate(object):
value = _decode_crl_distribution_points(self._backend, ext)
elif oid == x509.OID_OCSP_NO_CHECK:
value = x509.OCSPNoCheck()
+ elif oid == x509.OID_INHIBIT_ANY_POLICY:
+ value = _decode_inhibit_any_policy(self._backend, ext)
elif critical:
raise x509.UnsupportedExtension(
"{0} is not currently supported".format(oid), oid
@@ -635,6 +637,17 @@ def _decode_crl_distribution_points(backend, ext):
return x509.CRLDistributionPoints(dist_points)
+def _decode_inhibit_any_policy(backend, ext):
+ asn1_int = backend._ffi.cast(
+ "ASN1_INTEGER *",
+ backend._lib.X509V3_EXT_d2i(ext)
+ )
+ assert asn1_int != backend._ffi.NULL
+ asn1_int = backend._ffi.gc(asn1_int, backend._lib.ASN1_INTEGER_free)
+ skip_certs = _asn1_integer_to_int(backend, asn1_int)
+ return x509.InhibitAnyPolicy(skip_certs)
+
+
@utils.register_interface(x509.CertificateSigningRequest)
class _CertificateSigningRequest(object):
def __init__(self, backend, x509_req):
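Review bot: The NULL check on the result of `X509V3_EXT_d2i` in `_decode_inhibit_any_policy` is an `assert`, which is stripped when Python runs with `-O`. The extension bytes come from the certificate being parsed, so a payload that fails to decode would then reach `backend._ffi.gc(..., ASN1_INTEGER_free)` and `_asn1_integer_to_int` as a NULL pointer. With assertions enabled the caller instead gets an `AssertionError` rather than a parsing error it can reasonably catch. An explicit check is safer: `if asn1_int == backend._ffi.NULL: raise ValueError("Unable to decode inhibitAnyPolicy extension")`. A one-line docstring saying the function decodes the extension's ASN1_INTEGER and returns `x509.InhibitAnyPolicy(skip_certs)` would also help; whether negative values are rejected depends on the `InhibitAnyPolicy` constructor, which is outside this hunk.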
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index c906f1e5..6a23479f 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -2435,3 +2435,20 @@ class TestInhibitAnyPolicy(object):
iap2 = x509.InhibitAnyPolicy(4)
assert iap != iap2
assert iap != object()
+
+
+@pytest.mark.requires_backend_interface(interface=RSABackend)
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestInhibitAnyPolicyExtension(object):
+ def test_nocheck(self, backend):
+ cert = _load_cert(
+ os.path.join(
+ "x509", "custom", "inhibit_any_policy_5.pem"
+ ),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ iap = cert.extensions.get_extension_for_oid(
+ x509.OID_INHIBIT_ANY_POLICY
+ ).value
+ assert iap.skip_certs == 5
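Review bot: The single test in `TestInhibitAnyPolicyExtension` is named `test_nocheck`, which looks carried over from the OCSP no-check test and does not describe what is asserted; something like `def test_inhibit_any_policy(self, backend):` would read correctly in test reports. The test covers only the well-formed case (`skip_certs == 5`), so the decoder's NULL-result path in `_decode_inhibit_any_policy` is not exercised; a vector with an undecodable inhibitAnyPolicy payload would pin the error behaviour. The vector `inhibit_any_policy_5.pem` is not among the files added in this commit, so it presumably already exists in the vectors tree; worth confirming.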
diff --git a/vectors/cryptography_vectors/x509/custom/ian_uri.pem b/vectors/cryptography_vectors/x509/custom/ian_uri.pem
new file mode 100644
index 00000000..83b3ff54
--- /dev/null
+++ b/vectors/cryptography_vectors/x509/custom/ian_uri.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/vectors/cryptography_vectors/x509/custom/nc_excluded.pem b/vectors/cryptography_vectors/x509/custom/nc_excluded.pem
new file mode 100644
index 00000000..69f416e9
--- /dev/null
+++ b/vectors/cryptography_vectors/x509/custom/nc_excluded.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/vectors/cryptography_vectors/x509/custom/nc_permitted.pem b/vectors/cryptography_vectors/x509/custom/nc_permitted.pem
new file mode 100644
index 00000000..a68096e7
--- /dev/null
+++ b/vectors/cryptography_vectors/x509/custom/nc_permitted.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/vectors/cryptography_vectors/x509/custom/nc_permitted_excluded.pem b/vectors/cryptography_vectors/x509/custom/nc_permitted_excluded.pem
new file mode 100644
index 00000000..726b3b88
--- /dev/null
+++ b/vectors/cryptography_vectors/x509/custom/nc_permitted_excluded.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----