diff options
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/x509.py | 13 | ||||
| -rw-r--r-- | tests/test_x509_ext.py | 17 |
2 files changed, 30 insertions, 0 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py index a836e6a7..3b0c2954 100644 --- a/src/cryptography/hazmat/backends/openssl/x509.py +++ b/src/cryptography/hazmat/backends/openssl/x509.py @@ -290,6 +290,8 @@ class _Certificate(object): value = _decode_crl_distribution_points(self._backend, ext) elif oid == x509.OID_OCSP_NO_CHECK: value = x509.OCSPNoCheck() + elif oid == x509.OID_INHIBIT_ANY_POLICY: + value = _decode_inhibit_any_policy(self._backend, ext) elif critical: raise x509.UnsupportedExtension( "{0} is not currently supported".format(oid), oid @@ -635,6 +637,17 @@ def _decode_crl_distribution_points(backend, ext): return x509.CRLDistributionPoints(dist_points) +def _decode_inhibit_any_policy(backend, ext): + asn1_int = backend._ffi.cast( + "ASN1_INTEGER *", + backend._lib.X509V3_EXT_d2i(ext) + ) + assert asn1_int != backend._ffi.NULL + asn1_int = backend._ffi.gc(asn1_int, backend._lib.ASN1_INTEGER_free) + skip_certs = _asn1_integer_to_int(backend, asn1_int) + return x509.InhibitAnyPolicy(skip_certs) + + @utils.register_interface(x509.CertificateSigningRequest) class _CertificateSigningRequest(object): def __init__(self, backend, x509_req): diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index c906f1e5..6a23479f 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -2435,3 +2435,20 @@ class TestInhibitAnyPolicy(object): iap2 = x509.InhibitAnyPolicy(4) assert iap != iap2 assert iap != object() + + +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestInhibitAnyPolicyExtension(object): + def test_nocheck(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "inhibit_any_policy_5.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + iap = cert.extensions.get_extension_for_oid( + x509.OID_INHIBIT_ANY_POLICY + ).value + assert iap.skip_certs == 5 |