25 files changed, 350 insertions, 108 deletions
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 02cc122b..3776cb1d 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -192,6 +192,13 @@ Custom X.509 Vectors * ``cdp_reason_aa_compromise.pem`` - An RSA 1024 bit certificate containing a CRL distribution points extension with the ``AACompromise`` ``reasons`` bit set. +* ``nc_permitted_excluded.pem`` - An RSA 2048 bit self-signed certificate + containing a name constraints extension with both permitted and excluded + elements. +* ``nc_permitted.pem`` - An RSA 2048 bit self-signed certificate containing a + name constraints extension with permitted elements. +* ``nc_excluded.pem`` - An RSA 2048 bit self-signed certificate containing a + name constraints extension with excluded elements. * ``cp_user_notice_with_notice_reference.pem`` - An RSA 2048 bit self-signed certificate containing a certificate policies extension with a notice reference in the user notice. @@ -203,8 +210,17 @@ Custom X.509 Vectors * ``cp_user_notice_no_explicit_text.pem`` - An RSA 2048 bit self-signed certificate containing a certificate policies extension with a user notice with no explicit text. +* ``ian_uri.pem`` - An RSA 2048 bit certificate containing an issuer + alternative name extension with a ``URI`` general name. * ``ocsp_nocheck.pem`` - An RSA 2048 bit self-signed certificate containing an ``OCSPNoCheck`` extension. +* ``pc_inhibit_require.pem`` - An RSA 2048 bit self-signed certificate + containing a policy constraints extension with both inhibit policy mapping + and require explicit policy elements. +* ``pc_inhibit.pem`` - An RSA 2048 bit self-signed certificate containing a + policy constraints extension with an inhibit policy mapping element. +* ``pc_require.pem`` - An RSA 2048 bit self-signed certificate containing a + policy constraints extension with a require explicit policy element. Custom X.509 Request Vectors ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
diff --git a/docs/hazmat/backends/openssl.rst b/docs/hazmat/backends/openssl.rst index 26ffea6a..03ac5570 100644 --- a/docs/hazmat/backends/openssl.rst +++ b/docs/hazmat/backends/openssl.rst @@ -79,6 +79,6 @@ seeded from the same pool as ``/dev/random``. .. _`OpenSSL`: https://www.openssl.org/ -.. _`initializing the RNG`: https://en.wikipedia.org/wiki/OpenSSL#Predictable_keys_.28Debian-specific.29 +.. _`initializing the RNG`: https://en.wikipedia.org/wiki/OpenSSL#Predictable_private_keys_.28Debian-specific.29 .. _`Yarrow`: https://en.wikipedia.org/wiki/Yarrow_algorithm .. _`Microsoft documentation`: https://msdn.microsoft.com/en-us/library/windows/desktop/aa379942(v=vs.85).aspx diff --git a/src/_cffi_src/build_constant_time.py b/src/_cffi_src/build_constant_time.py index eae0f21a..6d9a8f54 100644 --- a/src/_cffi_src/build_constant_time.py +++ b/src/_cffi_src/build_constant_time.py @@ -5,8 +5,9 @@ from __future__ import absolute_import, division, print_function import os +import sys -from _cffi_src.utils import build_ffi +from _cffi_src.utils import build_ffi, extra_link_args with open(os.path.join( @@ -22,5 +23,6 @@ with open(os.path.join( ffi = build_ffi( module_name="_constant_time", cdef_source=types, - verify_source=functions + verify_source=functions, + extra_link_args=extra_link_args(sys.platform), ) diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py index 4c30fe48..1ebadccb 100644 --- a/src/_cffi_src/build_openssl.py +++ b/src/_cffi_src/build_openssl.py @@ -7,9 +7,7 @@ from __future__ import absolute_import, division, print_function import os import sys -from _cffi_src.utils import ( - build_ffi_for_binding -) +from _cffi_src.utils import build_ffi_for_binding, extra_link_args def _get_openssl_libraries(platform): 
@@ -94,5 +92,6 @@ ffi = build_ffi_for_binding( ], pre_include=_OSX_PRE_INCLUDE, post_include=_OSX_POST_INCLUDE, - libraries=_get_openssl_libraries(sys.platform) + libraries=_get_openssl_libraries(sys.platform), + extra_link_args=extra_link_args(sys.platform), ) diff --git a/src/_cffi_src/build_padding.py b/src/_cffi_src/build_padding.py index 3eeac2e2..5df93d80 100644 --- a/src/_cffi_src/build_padding.py +++ b/src/_cffi_src/build_padding.py @@ -5,8 +5,9 @@ from __future__ import absolute_import, division, print_function import os +import sys -from _cffi_src.utils import build_ffi +from _cffi_src.utils import build_ffi, extra_link_args with open(os.path.join( @@ -22,5 +23,6 @@ with open(os.path.join( ffi = build_ffi( module_name="_padding", cdef_source=types, - verify_source=functions + verify_source=functions, + extra_link_args=extra_link_args(sys.platform), ) diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py index 534f5b08..6bd117b0 100644 --- a/src/_cffi_src/openssl/x509.py +++ b/src/_cffi_src/openssl/x509.py 
@@ -182,19 +182,21 @@ X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *, int); int X509_REVOKED_add_ext(X509_REVOKED *, X509_EXTENSION*, int); int X509_REVOKED_add1_ext_i2d(X509_REVOKED *, int, void *, int, unsigned long); -X509_CRL *d2i_X509_CRL_bio(BIO *, X509_CRL **); X509_CRL *X509_CRL_new(void); -void X509_CRL_free(X509_CRL *); +X509_CRL *d2i_X509_CRL_bio(BIO *, X509_CRL **); +X509_EXTENSION *X509_CRL_get_ext(X509_CRL *, int); int X509_CRL_add0_revoked(X509_CRL *, X509_REVOKED *); -int i2d_X509_CRL_bio(BIO *, X509_CRL *); +int X509_CRL_add_ext(X509_CRL *, X509_EXTENSION *, int); +int X509_CRL_cmp(const X509_CRL *, const X509_CRL *); +int X509_CRL_get_ext_count(X509_CRL *); int X509_CRL_print(BIO *, X509_CRL *); int X509_CRL_set_issuer_name(X509_CRL *, X509_NAME *); +int X509_CRL_set_version(X509_CRL *, long); int X509_CRL_sign(X509_CRL *, EVP_PKEY *, const EVP_MD *); +int X509_CRL_sort(X509_CRL *); int X509_CRL_verify(X509_CRL *, EVP_PKEY *); -int X509_CRL_get_ext_count(X509_CRL *); -X509_EXTENSION *X509_CRL_get_ext(X509_CRL *, int); -int X509_CRL_add_ext(X509_CRL *, X509_EXTENSION *, int); -int X509_CRL_cmp(const X509_CRL *, const X509_CRL *); +int i2d_X509_CRL_bio(BIO *, X509_CRL *); +void X509_CRL_free(X509_CRL *); int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *, EVP_PKEY *); int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *, EVP_PKEY *, const EVP_MD *); diff --git a/src/_cffi_src/openssl/x509_vfy.py b/src/_cffi_src/openssl/x509_vfy.py index 02631409..23ac8483 100644 --- a/src/_cffi_src/openssl/x509_vfy.py +++ b/src/_cffi_src/openssl/x509_vfy.py 
@@ -143,10 +143,14 @@ int X509_verify_cert(X509_STORE_CTX *); /* X509_STORE */ X509_STORE *X509_STORE_new(void); -void X509_STORE_free(X509_STORE *); int X509_STORE_add_cert(X509_STORE *, X509 *); +int X509_STORE_add_crl(X509_STORE *, X509_CRL *); int X509_STORE_load_locations(X509_STORE *, const char *, const char *); +int X509_STORE_set1_param(X509_STORE *, X509_VERIFY_PARAM *); int X509_STORE_set_default_paths(X509_STORE *); +int X509_STORE_set_flags(X509_STORE *, unsigned long); +void X509_STORE_free(X509_STORE *); + /* X509_STORE_CTX */ X509_STORE_CTX *X509_STORE_CTX_new(void); diff --git a/src/_cffi_src/utils.py b/src/_cffi_src/utils.py index b1ad74d4..65f9f120 100644 --- a/src/_cffi_src/utils.py +++ b/src/_cffi_src/utils.py @@ -80,3 +80,12 @@ def build_ffi(module_name, cdef_source, verify_source, libraries=[], extra_link_args=extra_link_args, ) return ffi + + +def extra_link_args(platform): + if platform != "win32": + return [] + else: + # Enable NX and ASLR for Windows builds. These are enabled by default + # on Python 3.3+ but not on 2.x. + return ["/NXCOMPAT", "/DYNAMICBASE"] diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 665771a8..2fe88327 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -388,8 +388,9 @@ class Backend(object): rsa_cdata, key_size, bn, self._ffi.NULL ) assert res == 1 + evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata) - return _RSAPrivateKey(self, rsa_cdata) + return _RSAPrivateKey(self, rsa_cdata, evp_pkey) def generate_rsa_parameters_supported(self, public_exponent, key_size): return (public_exponent >= 3 and public_exponent & 1 != 0 and 
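Review bot: In the `src/_cffi_src/utils.py` hunk, `extra_link_args()` selects the hardening flags on `sys.platform` alone, but `/NXCOMPAT` and `/DYNAMICBASE` are MSVC `link.exe` options. A win32 build with a GNU toolchain would presumably need `-Wl,--nxcompat` and `-Wl,--dynamicbase` instead, so the function deserves a docstring stating the MSVC assumption, e.g. `"""Return MSVC linker flags that enable DEP and ASLR on win32; empty list elsewhere."""`. The new module-level name is also identical to the `extra_link_args` parameter visible in the `build_ffi(...)` context line, which shadows it inside that function; a distinct name such as `windows_link_args` would avoid the collision. Checking the built extension's PE header for the NX-compatible and dynamic-base bits in CI would catch a toolchain that silently ignores the flags.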
@@ -419,8 +420,9 @@ class Backend(object): rsa_cdata.n = self._int_to_bn(numbers.public_numbers.n) res = self._lib.RSA_blinding_on(rsa_cdata, self._ffi.NULL) assert res == 1 + evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata) - return _RSAPrivateKey(self, rsa_cdata) + return _RSAPrivateKey(self, rsa_cdata, evp_pkey) def load_rsa_public_numbers(self, numbers): rsa._check_public_key_components(numbers.e, numbers.n) @@ -431,8 +433,17 @@ class Backend(object): rsa_cdata.n = self._int_to_bn(numbers.n) res = self._lib.RSA_blinding_on(rsa_cdata, self._ffi.NULL) assert res == 1 + evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata) - return _RSAPublicKey(self, rsa_cdata) + return _RSAPublicKey(self, rsa_cdata, evp_pkey) + + def _rsa_cdata_to_evp_pkey(self, rsa_cdata): + evp_pkey = self._lib.EVP_PKEY_new() + assert evp_pkey != self._ffi.NULL + evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) + res = self._lib.EVP_PKEY_set1_RSA(evp_pkey, rsa_cdata) + assert res == 1 + return evp_pkey def _bytes_to_bio(self, data): """ @@ -483,18 +494,18 @@ class Backend(object): rsa_cdata = self._lib.EVP_PKEY_get1_RSA(evp_pkey) assert rsa_cdata != self._ffi.NULL rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free) - return _RSAPrivateKey(self, rsa_cdata) + return _RSAPrivateKey(self, rsa_cdata, evp_pkey) elif key_type == self._lib.EVP_PKEY_DSA: dsa_cdata = self._lib.EVP_PKEY_get1_DSA(evp_pkey) assert dsa_cdata != self._ffi.NULL dsa_cdata = self._ffi.gc(dsa_cdata, self._lib.DSA_free) - return _DSAPrivateKey(self, dsa_cdata) + return _DSAPrivateKey(self, dsa_cdata, evp_pkey) elif (self._lib.Cryptography_HAS_EC == 1 and key_type == self._lib.EVP_PKEY_EC): ec_cdata = self._lib.EVP_PKEY_get1_EC_KEY(evp_pkey) assert ec_cdata != self._ffi.NULL ec_cdata = self._ffi.gc(ec_cdata, self._lib.EC_KEY_free) - return _EllipticCurvePrivateKey(self, ec_cdata) + return _EllipticCurvePrivateKey(self, ec_cdata, evp_pkey) else: raise UnsupportedAlgorithm("Unsupported key type.") 
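Review bot: `_rsa_cdata_to_evp_pkey` (hunk `@@ -431,8 +433,17 @@`) checks both the `EVP_PKEY_new()` result and the `EVP_PKEY_set1_RSA()` return with `assert`, which Python removes under `-O`, so a failed allocation would pass a NULL pointer on to `ffi.gc` and `EVP_PKEY_set1_RSA` and the key object would be built around it. Explicit checks survive optimisation: `if evp_pkey == self._ffi.NULL: raise MemoryError("EVP_PKEY_new failed")` and `if res != 1: raise RuntimeError("EVP_PKEY_set1_RSA failed")`. The same two asserts are repeated in `_dsa_cdata_to_evp_pkey` and `_ec_cdata_to_evp_pkey` later in this file. Since the three helpers differ only in the `set1` function they call, one private helper taking that function as an argument would keep the check in a single place.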
@@ -510,18 +521,18 @@ class Backend(object): rsa_cdata = self._lib.EVP_PKEY_get1_RSA(evp_pkey) assert rsa_cdata != self._ffi.NULL rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free) - return _RSAPublicKey(self, rsa_cdata) + return _RSAPublicKey(self, rsa_cdata, evp_pkey) elif key_type == self._lib.EVP_PKEY_DSA: dsa_cdata = self._lib.EVP_PKEY_get1_DSA(evp_pkey) assert dsa_cdata != self._ffi.NULL dsa_cdata = self._ffi.gc(dsa_cdata, self._lib.DSA_free) - return _DSAPublicKey(self, dsa_cdata) + return _DSAPublicKey(self, dsa_cdata, evp_pkey) elif (self._lib.Cryptography_HAS_EC == 1 and key_type == self._lib.EVP_PKEY_EC): ec_cdata = self._lib.EVP_PKEY_get1_EC_KEY(evp_pkey) assert ec_cdata != self._ffi.NULL ec_cdata = self._ffi.gc(ec_cdata, self._lib.EC_KEY_free) - return _EllipticCurvePublicKey(self, ec_cdata) + return _EllipticCurvePublicKey(self, ec_cdata, evp_pkey) else: raise UnsupportedAlgorithm("Unsupported key type.") @@ -615,8 +626,9 @@ class Backend(object): ctx.g = self._lib.BN_dup(parameters._dsa_cdata.g) self._lib.DSA_generate_key(ctx) + evp_pkey = self._dsa_cdata_to_evp_pkey(ctx) - return _DSAPrivateKey(self, ctx) + return _DSAPrivateKey(self, ctx, evp_pkey) def generate_dsa_private_key_and_parameters(self, key_size): parameters = self.generate_dsa_parameters(key_size) @@ -636,7 +648,9 @@ class Backend(object): dsa_cdata.pub_key = self._int_to_bn(numbers.public_numbers.y) dsa_cdata.priv_key = self._int_to_bn(numbers.x) - return _DSAPrivateKey(self, dsa_cdata) + evp_pkey = self._dsa_cdata_to_evp_pkey(dsa_cdata) + + return _DSAPrivateKey(self, dsa_cdata, evp_pkey) def load_dsa_public_numbers(self, numbers): dsa._check_dsa_parameters(numbers.parameter_numbers) 
@@ -649,7 +663,9 @@ class Backend(object): dsa_cdata.g = self._int_to_bn(numbers.parameter_numbers.g) dsa_cdata.pub_key = self._int_to_bn(numbers.y) - return _DSAPublicKey(self, dsa_cdata) + evp_pkey = self._dsa_cdata_to_evp_pkey(dsa_cdata) + + return _DSAPublicKey(self, dsa_cdata, evp_pkey) def load_dsa_parameter_numbers(self, numbers): dsa._check_dsa_parameters(numbers) @@ -663,6 +679,14 @@ class Backend(object): return _DSAParameters(self, dsa_cdata) + def _dsa_cdata_to_evp_pkey(self, dsa_cdata): + evp_pkey = self._lib.EVP_PKEY_new() + assert evp_pkey != self._ffi.NULL + evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) + res = self._lib.EVP_PKEY_set1_DSA(evp_pkey, dsa_cdata) + assert res == 1 + return evp_pkey + def dsa_hash_supported(self, algorithm): if self._lib.OPENSSL_VERSION_NUMBER < 0x1000000f: return isinstance(algorithm, hashes.SHA1) @@ -714,7 +738,8 @@ class Backend(object): ) if rsa_cdata != self._ffi.NULL: rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free) - return _RSAPublicKey(self, rsa_cdata) + evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata) + return _RSAPublicKey(self, rsa_cdata, evp_pkey) else: self._handle_key_loading_error() @@ -796,7 +821,8 @@ class Backend(object): ) if rsa_cdata != self._ffi.NULL: rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free) - return _RSAPublicKey(self, rsa_cdata) + evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata) + return _RSAPublicKey(self, rsa_cdata, evp_pkey) else: self._handle_key_loading_error() @@ -1000,7 +1026,9 @@ class Backend(object): res = self._lib.EC_KEY_check_key(ec_cdata) assert res == 1 - return _EllipticCurvePrivateKey(self, ec_cdata) + evp_pkey = self._ec_cdata_to_evp_pkey(ec_cdata) + + return _EllipticCurvePrivateKey(self, ec_cdata, evp_pkey) else: raise UnsupportedAlgorithm( "Backend object does not support {0}.".format(curve.name), 
@@ -1022,8 +1050,9 @@ class Backend(object): res = self._lib.EC_KEY_set_private_key( ec_cdata, self._int_to_bn(numbers.private_value)) assert res == 1 + evp_pkey = self._ec_cdata_to_evp_pkey(ec_cdata) - return _EllipticCurvePrivateKey(self, ec_cdata) + return _EllipticCurvePrivateKey(self, ec_cdata, evp_pkey) def load_elliptic_curve_public_numbers(self, numbers): curve_nid = self._elliptic_curve_to_nid(numbers.curve) @@ -1034,8 +1063,16 @@ class Backend(object): ec_cdata = self._ec_key_set_public_key_affine_coordinates( ec_cdata, numbers.x, numbers.y) + evp_pkey = self._ec_cdata_to_evp_pkey(ec_cdata) - return _EllipticCurvePublicKey(self, ec_cdata) + return _EllipticCurvePublicKey(self, ec_cdata, evp_pkey) + + def _ec_cdata_to_evp_pkey(self, ec_cdata): + evp_pkey = self._lib.EVP_PKEY_new() + assert evp_pkey != self._ffi.NULL + evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) + res = self._lib.EVP_PKEY_set1_EC_KEY(evp_pkey, ec_cdata) + assert res == 1 def _elliptic_curve_to_nid(self, curve): """ diff --git a/src/cryptography/hazmat/backends/openssl/dsa.py b/src/cryptography/hazmat/backends/openssl/dsa.py index 254d29ed..f84857ff 100644 --- a/src/cryptography/hazmat/backends/openssl/dsa.py +++ b/src/cryptography/hazmat/backends/openssl/dsa.py @@ -107,9 +107,10 @@ class _DSAParameters(object): @utils.register_interface(dsa.DSAPrivateKeyWithSerialization) class _DSAPrivateKey(object): - def __init__(self, backend, dsa_cdata): + def __init__(self, backend, dsa_cdata, evp_pkey): self._backend = backend self._dsa_cdata = dsa_cdata + self._evp_pkey = evp_pkey self._key_size = self._backend._lib.BN_num_bits(self._dsa_cdata.p) key_size = utils.read_only_property("_key_size") 
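Review bot: `_ec_cdata_to_evp_pkey` (hunk `@@ -1034,8 +1063,16 @@`) ends after `assert res == 1` with no `return evp_pkey`, unlike `_rsa_cdata_to_evp_pkey` and `_dsa_cdata_to_evp_pkey`, so it returns `None`. Every EC key built through it (the three call sites in `backend.py` and `_EllipticCurvePrivateKey.public_key()` in `ec.py`) would store `None` in `_evp_pkey`, and `private_bytes`/`public_bytes` now pass `self._evp_pkey` straight to the serialization helpers. Add `return evp_pkey` as the last line of the helper. Keys loaded through the `EVP_PKEY_get1_EC_KEY` path receive the original `evp_pkey` and are unaffected, so a serialization test on a key built from `load_elliptic_curve_public_numbers` is what would catch this.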
@@ -140,7 +141,8 @@ class _DSAPrivateKey(object): dsa_cdata.q = self._backend._lib.BN_dup(self._dsa_cdata.q) dsa_cdata.g = self._backend._lib.BN_dup(self._dsa_cdata.g) dsa_cdata.pub_key = self._backend._lib.BN_dup(self._dsa_cdata.pub_key) - return _DSAPublicKey(self._backend, dsa_cdata) + evp_pkey = self._backend._dsa_cdata_to_evp_pkey(dsa_cdata) + return _DSAPublicKey(self._backend, dsa_cdata, evp_pkey) def parameters(self): dsa_cdata = self._backend._lib.DSA_new() @@ -154,27 +156,21 @@ class _DSAPrivateKey(object): return _DSAParameters(self._backend, dsa_cdata) def private_bytes(self, encoding, format, encryption_algorithm): - evp_pkey = self._backend._lib.EVP_PKEY_new() - assert evp_pkey != self._backend._ffi.NULL - evp_pkey = self._backend._ffi.gc( - evp_pkey, self._backend._lib.EVP_PKEY_free - ) - res = self._backend._lib.EVP_PKEY_set1_DSA(evp_pkey, self._dsa_cdata) - assert res == 1 return self._backend._private_key_bytes( encoding, format, encryption_algorithm, - evp_pkey, + self._evp_pkey, self._dsa_cdata ) @utils.register_interface(dsa.DSAPublicKeyWithSerialization) class _DSAPublicKey(object): - def __init__(self, backend, dsa_cdata): + def __init__(self, backend, dsa_cdata, evp_pkey): self._backend = backend self._dsa_cdata = dsa_cdata + self._evp_pkey = evp_pkey self._key_size = self._backend._lib.BN_num_bits(self._dsa_cdata.p) key_size = utils.read_only_property("_key_size") @@ -211,16 +207,9 @@ class _DSAPublicKey(object): "DSA public keys do not support PKCS1 serialization" ) - evp_pkey = self._backend._lib.EVP_PKEY_new() - assert evp_pkey != self._backend._ffi.NULL - evp_pkey = self._backend._ffi.gc( - evp_pkey, self._backend._lib.EVP_PKEY_free - ) - res = self._backend._lib.EVP_PKEY_set1_DSA(evp_pkey, self._dsa_cdata) - assert res == 1 return self._backend._public_key_bytes( encoding, format, - evp_pkey, + self._evp_pkey, None ) 
diff --git a/src/cryptography/hazmat/backends/openssl/ec.py b/src/cryptography/hazmat/backends/openssl/ec.py index c2af2be9..7d3afb94 100644 --- a/src/cryptography/hazmat/backends/openssl/ec.py +++ b/src/cryptography/hazmat/backends/openssl/ec.py @@ -150,10 +150,11 @@ class _ECDSAVerificationContext(object): @utils.register_interface(ec.EllipticCurvePrivateKeyWithSerialization) class _EllipticCurvePrivateKey(object): - def __init__(self, backend, ec_key_cdata): + def __init__(self, backend, ec_key_cdata, evp_pkey): self._backend = backend _mark_asn1_named_ec_curve(backend, ec_key_cdata) self._ec_key = ec_key_cdata + self._evp_pkey = evp_pkey sn = _ec_key_curve_sn(backend, ec_key_cdata) self._curve = _sn_to_elliptic_curve(backend, sn) @@ -188,9 +189,9 @@ class _EllipticCurvePrivateKey(object): res = self._backend._lib.EC_KEY_set_public_key(public_ec_key, point) assert res == 1 - return _EllipticCurvePublicKey( - self._backend, public_ec_key - ) + evp_pkey = self._backend._ec_cdata_to_evp_pkey(public_ec_key) + + return _EllipticCurvePublicKey(self._backend, public_ec_key, evp_pkey) def private_numbers(self): bn = self._backend._lib.EC_KEY_get0_private_key(self._ec_key) 
@@ -201,28 +202,22 @@ class _EllipticCurvePrivateKey(object): ) def private_bytes(self, encoding, format, encryption_algorithm): - evp_pkey = self._backend._lib.EVP_PKEY_new() - assert evp_pkey != self._backend._ffi.NULL - evp_pkey = self._backend._ffi.gc( - evp_pkey, self._backend._lib.EVP_PKEY_free - ) - res = self._backend._lib.EVP_PKEY_set1_EC_KEY(evp_pkey, self._ec_key) - assert res == 1 return self._backend._private_key_bytes( encoding, format, encryption_algorithm, - evp_pkey, + self._evp_pkey, self._ec_key ) @utils.register_interface(ec.EllipticCurvePublicKeyWithSerialization) class _EllipticCurvePublicKey(object): - def __init__(self, backend, ec_key_cdata): + def __init__(self, backend, ec_key_cdata, evp_pkey): self._backend = backend _mark_asn1_named_ec_curve(backend, ec_key_cdata) self._ec_key = ec_key_cdata + self._evp_pkey = evp_pkey sn = _ec_key_curve_sn(backend, ec_key_cdata) self._curve = _sn_to_elliptic_curve(backend, sn) @@ -268,16 +263,9 @@ class _EllipticCurvePublicKey(object): "EC public keys do not support PKCS1 serialization" ) - evp_pkey = self._backend._lib.EVP_PKEY_new() - assert evp_pkey != self._backend._ffi.NULL - evp_pkey = self._backend._ffi.gc( - evp_pkey, self._backend._lib.EVP_PKEY_free - ) - res = self._backend._lib.EVP_PKEY_set1_EC_KEY(evp_pkey, self._ec_key) - assert res == 1 return self._backend._public_key_bytes( encoding, format, - evp_pkey, + self._evp_pkey, None ) diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py index 1dbbb844..21414c05 100644 --- a/src/cryptography/hazmat/backends/openssl/rsa.py +++ b/src/cryptography/hazmat/backends/openssl/rsa.py 
@@ -508,17 +508,9 @@ class _RSAVerificationContext(object): @utils.register_interface(RSAPrivateKeyWithSerialization) class _RSAPrivateKey(object): - def __init__(self, backend, rsa_cdata): + def __init__(self, backend, rsa_cdata, evp_pkey): self._backend = backend self._rsa_cdata = rsa_cdata - - evp_pkey = self._backend._lib.EVP_PKEY_new() - assert evp_pkey != self._backend._ffi.NULL - evp_pkey = self._backend._ffi.gc( - evp_pkey, self._backend._lib.EVP_PKEY_free - ) - res = self._backend._lib.EVP_PKEY_set1_RSA(evp_pkey, rsa_cdata) - assert res == 1 self._evp_pkey = evp_pkey self._key_size = self._backend._lib.BN_num_bits(self._rsa_cdata.n) @@ -543,7 +535,8 @@ class _RSAPrivateKey(object): ctx.n = self._backend._lib.BN_dup(self._rsa_cdata.n) res = self._backend._lib.RSA_blinding_on(ctx, self._backend._ffi.NULL) assert res == 1 - return _RSAPublicKey(self._backend, ctx) + evp_pkey = self._backend._rsa_cdata_to_evp_pkey(ctx) + return _RSAPublicKey(self._backend, ctx, evp_pkey) def private_numbers(self): return rsa.RSAPrivateNumbers( @@ -571,17 +564,9 @@ class _RSAPrivateKey(object): @utils.register_interface(RSAPublicKeyWithSerialization) class _RSAPublicKey(object): - def __init__(self, backend, rsa_cdata): + def __init__(self, backend, rsa_cdata, evp_pkey): self._backend = backend self._rsa_cdata = rsa_cdata - - evp_pkey = self._backend._lib.EVP_PKEY_new() - assert evp_pkey != self._backend._ffi.NULL - evp_pkey = self._backend._ffi.gc( - evp_pkey, self._backend._lib.EVP_PKEY_free - ) - res = self._backend._lib.EVP_PKEY_set1_RSA(evp_pkey, rsa_cdata) - assert res == 1 self._evp_pkey = evp_pkey self._key_size = self._backend._lib.BN_num_bits(self._rsa_cdata.n) diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py index 9cd35087..a03414c8 100644 --- a/src/cryptography/hazmat/backends/openssl/x509.py +++ b/src/cryptography/hazmat/backends/openssl/x509.py 
@@ -291,6 +291,12 @@ class _Certificate(object): value = _decode_certificate_policies(self._backend, ext) elif oid == x509.OID_CRL_DISTRIBUTION_POINTS: value = _decode_crl_distribution_points(self._backend, ext) + elif oid == x509.OID_OCSP_NO_CHECK: + value = x509.OCSPNoCheck() + elif oid == x509.OID_INHIBIT_ANY_POLICY: + value = _decode_inhibit_any_policy(self._backend, ext) + elif oid == x509.OID_ISSUER_ALTERNATIVE_NAME: + value = _decode_issuer_alt_name(self._backend, ext) elif critical: raise x509.UnsupportedExtension( "{0} is not currently supported".format(oid), oid @@ -511,15 +517,26 @@ def _decode_key_usage(backend, ext): ) -def _decode_subject_alt_name(backend, ext): +def _decode_general_names_extension(backend, ext): gns = backend._ffi.cast( "GENERAL_NAMES *", backend._lib.X509V3_EXT_d2i(ext) ) assert gns != backend._ffi.NULL gns = backend._ffi.gc(gns, backend._lib.GENERAL_NAMES_free) general_names = _decode_general_names(backend, gns) + return general_names + + +def _decode_subject_alt_name(backend, ext): + return x509.SubjectAlternativeName( + _decode_general_names_extension(backend, ext) + ) - return x509.SubjectAlternativeName(general_names) + +def _decode_issuer_alt_name(backend, ext): + return x509.IssuerAlternativeName( + _decode_general_names_extension(backend, ext) + ) def _decode_extended_key_usage(backend, ext): @@ -636,6 +653,17 @@ def _decode_crl_distribution_points(backend, ext): return x509.CRLDistributionPoints(dist_points) +def _decode_inhibit_any_policy(backend, ext): + asn1_int = backend._ffi.cast( + "ASN1_INTEGER *", + backend._lib.X509V3_EXT_d2i(ext) + ) + assert asn1_int != backend._ffi.NULL + asn1_int = backend._ffi.gc(asn1_int, backend._lib.ASN1_INTEGER_free) + skip_certs = _asn1_integer_to_int(backend, asn1_int) + return x509.InhibitAnyPolicy(skip_certs) + + @utils.register_interface(x509.CertificateSigningRequest) class _CertificateSigningRequest(object): def __init__(self, backend, x509_req): 
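Review bot: `_decode_inhibit_any_policy` (hunk `@@ -636,6 +653,17 @@`) treats a NULL from `X509V3_EXT_d2i(ext)` as an invariant violation via `assert asn1_int != backend._ffi.NULL`, but the extension bytes come from the certificate being parsed, and `X509V3_EXT_d2i` returns NULL when the value does not decode. A malformed certificate therefore surfaces as `AssertionError` rather than a parse error, and under `python -O` the NULL goes on to `ffi.gc` and `_asn1_integer_to_int`. Replacing the assert with `if asn1_int == backend._ffi.NULL: raise ValueError("Invalid inhibitAnyPolicy extension")` keeps the failure explicit. `_decode_general_names_extension` in the preceding hunk has the same pattern and now serves both the subject and issuer alternative name decoders. The OpenSSL error queue probably needs clearing on that path as well, which these hunks do not show.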
diff --git a/src/cryptography/hazmat/primitives/twofactor/hotp.py b/src/cryptography/hazmat/primitives/twofactor/hotp.py index 8c0cec14..12bc7661 100644 --- a/src/cryptography/hazmat/primitives/twofactor/hotp.py +++ b/src/cryptography/hazmat/primitives/twofactor/hotp.py @@ -62,6 +62,6 @@ class HOTP(object): return struct.unpack(">I", p)[0] & 0x7fffffff def get_provisioning_uri(self, account_name, counter, issuer): - return _generate_uri(self, 'hotp', account_name, issuer, [ - ('counter', int(counter)), + return _generate_uri(self, "hotp", account_name, issuer, [ + ("counter", int(counter)), ]) diff --git a/src/cryptography/hazmat/primitives/twofactor/totp.py b/src/cryptography/hazmat/primitives/twofactor/totp.py index 98493b6d..60705901 100644 --- a/src/cryptography/hazmat/primitives/twofactor/totp.py +++ b/src/cryptography/hazmat/primitives/twofactor/totp.py @@ -34,6 +34,6 @@ class TOTP(object): raise InvalidToken("Supplied TOTP value does not match.") def get_provisioning_uri(self, account_name, issuer): - return _generate_uri(self._hotp, 'totp', account_name, issuer, [ - ('period', int(self._time_step)), + return _generate_uri(self._hotp, "totp", account_name, issuer, [ + ("period", int(self._time_step)), ]) diff --git a/src/cryptography/hazmat/primitives/twofactor/utils.py b/src/cryptography/hazmat/primitives/twofactor/utils.py index 91d2e148..0ed8c4c8 100644 --- a/src/cryptography/hazmat/primitives/twofactor/utils.py +++ b/src/cryptography/hazmat/primitives/twofactor/utils.py 
@@ -11,20 +11,20 @@ from six.moves.urllib.parse import quote, urlencode def _generate_uri(hotp, type_name, account_name, issuer, extra_parameters): parameters = [ - ('digits', hotp._length), - ('secret', base64.b32encode(hotp._key)), - ('algorithm', hotp._algorithm.name.upper()), + ("digits", hotp._length), + ("secret", base64.b32encode(hotp._key)), + ("algorithm", hotp._algorithm.name.upper()), ] if issuer is not None: - parameters.append(('issuer', issuer)) + parameters.append(("issuer", issuer)) parameters.extend(extra_parameters) uriparts = { - 'type': type_name, - 'label': ('%s:%s' % (quote(issuer), quote(account_name)) if issuer + "type": type_name, + "label": ("%s:%s" % (quote(issuer), quote(account_name)) if issuer else quote(account_name)), - 'parameters': urlencode(parameters), + "parameters": urlencode(parameters), } - return 'otpauth://{type}/{label}?{parameters}'.format(**uriparts) + return "otpauth://{type}/{label}?{parameters}".format(**uriparts) diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index d836164b..62d9f83d 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -1258,6 +1258,23 @@ class TestIssuerAlternativeName(object): assert san != object() +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestRSAIssuerAlternativeNameExtension(object): + def test_uri(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "ian_uri.pem"), + x509.load_pem_x509_certificate, + backend, + ) + ext = cert.extensions.get_extension_for_oid( + x509.OID_ISSUER_ALTERNATIVE_NAME + ) + assert list(ext.value) == [ + x509.UniformResourceIdentifier(u"http://path.to.root/root.crt"), + ] + + class TestSubjectAlternativeName(object): def test_get_values_for_type(self): san = x509.SubjectAlternativeName( 
@@ -2395,6 +2412,23 @@ class TestCRLDistributionPointsExtension(object): ]) +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestOCSPNoCheckExtension(object): + def test_nocheck(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "ocsp_nocheck.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + x509.OID_OCSP_NO_CHECK + ) + assert isinstance(ext.value, x509.OCSPNoCheck) + + class TestInhibitAnyPolicy(object): def test_not_int(self): with pytest.raises(TypeError): @@ -2418,3 +2452,20 @@ class TestInhibitAnyPolicy(object): iap2 = x509.InhibitAnyPolicy(4) assert iap != iap2 assert iap != object() + + +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestInhibitAnyPolicyExtension(object): + def test_nocheck(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "inhibit_any_policy_5.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + iap = cert.extensions.get_extension_for_oid( + x509.OID_INHIBIT_ANY_POLICY + ).value + assert iap.skip_certs == 5 @@ -85,7 +85,7 @@ commands = py.test --capture=no --strict --random {posargs} [flake8] -exclude = .tox,*.egg +exclude = .tox,*.egg,.git,_build select = E,W,F,N,I application-import-names = cryptography,cryptography_vectors,tests diff --git a/vectors/cryptography_vectors/x509/custom/ian_uri.pem b/vectors/cryptography_vectors/x509/custom/ian_uri.pem new file mode 100644 index 00000000..83b3ff54 --- /dev/null +++ b/vectors/cryptography_vectors/x509/custom/ian_uri.pem 
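Review bot: `TestInhibitAnyPolicyExtension.test_nocheck` (hunk `@@ -2418,3 +2452,20 @@`) carries the method name of the OCSP test added just above it; `test_inhibit_any_policy` would describe what it actually asserts. Both new backend test classes, like `TestRSAIssuerAlternativeNameExtension` earlier in the file, load only well-formed vectors, so the branch where the extension value fails to decode is never exercised. A custom vector with a deliberately malformed extension body, asserting the exception type callers should expect, would pin that behaviour.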
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDATCCAemgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBbMQswCQYDVQQGEwJBVTET +MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ +dHkgTHRkMRQwEgYDVQQDEwtUZXN0SW5mcmFDQTAeFw0xNTA2MTgwNDI2MzFaFw0x +NjA2MTcwNDI2MzFaMAAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDf +LkjBhv4bpxSITJXXgB9gxszfwcwRYyvbTEJmD1lLWhOk13gnILagQgupZB33902u +3lChgQPY4418NQkivJJeMw4jfl/Use7gFxax5n/6YlU3A93CxNY+2ei2ejgWBD8w +tEdvFi9FSsaR+2ds5/vyONJdHkC6DR3aZdokCaU0X1h11JxKhJgsPPP41pL8P0A1 +scje090lfoGbVttD6ayxvccr+9GwkWVfHgYWUGOcAi/4e7wqXpvqZqlCOH7QnVUC +xyknyPjETiW2ki4RacjAZh5gEw6q9mNFO4Xeo30vmDx/7VWPBqdi7MLPVCiIaHs+ +YnDkSWV0qp3auI+MZqVjAgMBAAGjKzApMCcGA1UdEgQgMB6GHGh0dHA6Ly9wYXRo +LnRvLnJvb3Qvcm9vdC5jcnQwDQYJKoZIhvcNAQEFBQADggEBAMiTTyKTErcmDlbn +fkc4y+IsL1GuS1yGcurIy0zghptsdZXA5v3VqkOtFCxLgk/syWVDfhAPwM4aBfeI +6Fe1kwPQk0xvdvPZ62lev0ELBOsceM2kge1obCc/ZyhXPYo1r7rmXxTvc8gxyASh +L9r+0AglSId8YJFscF+siTuTg/5SSHALT/DwGdeYv/rmnOeeHW4pv3WXPS32XUOG +D605kXQ/9HCujxCU3VGYUbkBWjsdqj9vZXQk1OVeMwWpH3O0AdFMQXgY7vpzkLuD +e+/zmLFDlI3k0p3UajtxsBft8AMNJaenknuQiMOryALRkfeyu5qhYlJ5bJFKUKn9 +K7X9MIA= +-----END CERTIFICATE----- diff --git a/vectors/cryptography_vectors/x509/custom/nc_excluded.pem b/vectors/cryptography_vectors/x509/custom/nc_excluded.pem new file mode 100644 index 00000000..69f416e9 --- /dev/null +++ b/vectors/cryptography_vectors/x509/custom/nc_excluded.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDADCCAeigAwIBAgITBm7Xt1PqHBXFuN+BRDTMZ+XpWzANBgkqhkiG9w0BAQsF +ADAXMRUwEwYDVQQDDAxjcnlwdG9ncmFwaHkwHhcNMTUwNjE3MjIzNzUwWhcNMTYw +NjE2MjIzNzUwWjAXMRUwEwYDVQQDDAxjcnlwdG9ncmFwaHkwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCylTa0WkLvIXB4sWoPdv5iL3idlVHKR+ncODKL +nwQ2Jtd990MfakOFRLrJFF1tfPL4qyRbbyMyrgCOoKBCAuIdBZfBDH3JWFjxGy8J +Yls8yVeAVKreV18HmLvAsBL3bnr7Gk3vpznrfoG5rn5T/fL0cqqTXFV8zQhjHiEo +zftSaoq0LOxsSgFdxXS8e8K6RMvLCZPcMpI4fo1Kq2QBT2J1x1/Hq/VnK132cs0g +TOyiTyyJfvRmlqdXowh7Jf8LQB4mM6gc023fEdQ+HH6JYX1vDQVxaiTM6KMYJNv/ +l4gchP3jknOfZffwGGdXQrtUMhQmltnSqV5nY/G2OGm/Z0pdAgMBAAGjRTBDMEEG +A1UdHgEB/wQ3MDWhMzATghEqLmNyeXB0b2dyYXBoeS5pbzAchhpnb3BoZXI6Ly9j +cnlwdG9ncmFwaHkudGVzdDANBgkqhkiG9w0BAQsFAAOCAQEAcCcidJm7Wmc9ZdzF +AlP/9Gd5bXBlNswcq1wCmS9S6fgM0oGDgK2duY72Jr5Qqz66yqfzmIO7TtAhaegp +zCYar3Mmy7rwJHtJNRhBY+PYVLWXmUTf4yJhL+RcH6S+69PkqGQWjBa50vknIHt3 +dPtqadewocO7FuPWCdYDFLmMHM8S/ueMhSSJfFaGlYfy4UrnQhjuSpn6V/Gh5ED7 +tSqoncpHELItkvoS2LUTrpVDmQifuy3X78g7dYAGkjotCqddb90Y/MNSoM8BFS6i +Fmh8kn8kj6ct1csFLaBzATWby4/NHkuD9vuj9Z941szqpvvZSZhQ/8pEBevs2CNE +l2Sb0g== +-----END CERTIFICATE----- diff --git a/vectors/cryptography_vectors/x509/custom/nc_permitted.pem b/vectors/cryptography_vectors/x509/custom/nc_permitted.pem new file mode 100644 index 00000000..a68096e7 --- /dev/null +++ b/vectors/cryptography_vectors/x509/custom/nc_permitted.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIC/TCCAeWgAwIBAgITBm7XungOGlx+YwUFD5Z/Pzj7KTANBgkqhkiG9w0BAQsF +ADAXMRUwEwYDVQQDDAxjcnlwdG9ncmFwaHkwHhcNMTUwNjE3MjIzODMyWhcNMTYw +NjE2MjIzODMyWjAXMRUwEwYDVQQDDAxjcnlwdG9ncmFwaHkwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCylTa0WkLvIXB4sWoPdv5iL3idlVHKR+ncODKL +nwQ2Jtd990MfakOFRLrJFF1tfPL4qyRbbyMyrgCOoKBCAuIdBZfBDH3JWFjxGy8J +Yls8yVeAVKreV18HmLvAsBL3bnr7Gk3vpznrfoG5rn5T/fL0cqqTXFV8zQhjHiEo +zftSaoq0LOxsSgFdxXS8e8K6RMvLCZPcMpI4fo1Kq2QBT2J1x1/Hq/VnK132cs0g +TOyiTyyJfvRmlqdXowh7Jf8LQB4mM6gc023fEdQ+HH6JYX1vDQVxaiTM6KMYJNv/ +l4gchP3jknOfZffwGGdXQrtUMhQmltnSqV5nY/G2OGm/Z0pdAgMBAAGjQjBAMD4G +A1UdHgEB/wQ0MDKgMDATghEqLmNyeXB0b2dyYXBoeS5pbzAZhhdmdHA6Ly9jcnlw +dG9ncmFwaHkudGVzdDANBgkqhkiG9w0BAQsFAAOCAQEAkQItRDBDmQLlhnyeqYvh +I5urSAsvAoSMiuXSekM5hv6HtOrpZECUS4SDU3RaSsjTf4uNpebRAgP/Uj5JVgL6 +byWSpQBRGVtFRtORTIldxhexeSJtg675+4DQ/kUjiFawM2AlwUluz7WUJavbrz1H +4HJTKCFTH5gj27ynfdTUVNkW1tKRiffwdKG9xq+po0FlaAgMNzUlvcNBZKxG5CuT +C1e08/sEFeZEYtFCxuqqrl7wvk0l/7ayNjdld2Mkk//jKhzvScy6d1lBaxUurOn1 +UAxkdnQ65Jw86oebie8C5Faw43U0p42dMqXeXqhXfXmNpMs5p/FumRUHcr9bs+G4 +hw== +-----END CERTIFICATE----- diff --git a/vectors/cryptography_vectors/x509/custom/nc_permitted_excluded.pem b/vectors/cryptography_vectors/x509/custom/nc_permitted_excluded.pem new file mode 100644 index 00000000..726b3b88 --- /dev/null +++ b/vectors/cryptography_vectors/x509/custom/nc_permitted_excluded.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDJDCCAgygAwIBAgITBm7Xr09L6ZOQw9RfzgaA+R4ROjANBgkqhkiG9w0BAQsF +ADAXMRUwEwYDVQQDDAxjcnlwdG9ncmFwaHkwHhcNMTUwNjE3MjIzNjAzWhcNMTYw +NjE2MjIzNjAzWjAXMRUwEwYDVQQDDAxjcnlwdG9ncmFwaHkwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCylTa0WkLvIXB4sWoPdv5iL3idlVHKR+ncODKL +nwQ2Jtd990MfakOFRLrJFF1tfPL4qyRbbyMyrgCOoKBCAuIdBZfBDH3JWFjxGy8J +Yls8yVeAVKreV18HmLvAsBL3bnr7Gk3vpznrfoG5rn5T/fL0cqqTXFV8zQhjHiEo +zftSaoq0LOxsSgFdxXS8e8K6RMvLCZPcMpI4fo1Kq2QBT2J1x1/Hq/VnK132cs0g +TOyiTyyJfvRmlqdXowh7Jf8LQB4mM6gc023fEdQ+HH6JYX1vDQVxaiTM6KMYJNv/ +l4gchP3jknOfZffwGGdXQrtUMhQmltnSqV5nY/G2OGm/Z0pdAgMBAAGjaTBnMGUG +A1UdHgEB/wRbMFmgMDAKhwjAqAAA////ADAihyAA/wAAAAAAAAAAAAAAAAAAAP8A +AAAAAAAAAAAAAAAA/6ElMA6CDCouZG9tYWluLmNvbTAThhFodHRwOi8vdGVzdC5s +b2NhbDANBgkqhkiG9w0BAQsFAAOCAQEAqMvB4gK4XFrDtdEXE4eq3LcAbuII4loK +2CD0D3gMygTXG7KJ9gVjckWMTzGwW0n/honog6L2T8xF77a4HcbHkMsrY5wU2z5m +MoJWa5z/kQWKMcL6nCaRHzPm2dj/UcEIoZrgJwlrp42OVYNE/4LeSQTF7xBG6V2C +GNRpNKZFWwZA8Kgxxp4FUpy3jkspCuKsY2r6bm9IutUy6Mx/AQaSNxz4qDWojiYc +AA/UXvX6lssK+gHWHMc2SmdN2wCa+dJvZyaGGUZOfxoVXwllpnLO2Upslgs8DrOD +3FOw7Bi/d1zkcPr6Gtq0z8Nf7hHAs9mRXoLmRHKhyBkA9jmkla0wGw== +-----END CERTIFICATE----- diff --git a/vectors/cryptography_vectors/x509/custom/pc_inhibit.pem b/vectors/cryptography_vectors/x509/custom/pc_inhibit.pem new file mode 100644 index 00000000..95245a91 --- /dev/null +++ b/vectors/cryptography_vectors/x509/custom/pc_inhibit.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIICzjCCAbagAwIBAgITBm7W468Txw7iiF9Jyd7CNKQ2NzANBgkqhkiG9w0BAQsF +ADAXMRUwEwYDVQQDDAxjcnlwdG9ncmFwaHkwHhcNMTUwNjE3MjE1MDU3WhcNMTYw +NjE2MjE1MDU3WjAXMRUwEwYDVQQDDAxjcnlwdG9ncmFwaHkwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCylTa0WkLvIXB4sWoPdv5iL3idlVHKR+ncODKL +nwQ2Jtd990MfakOFRLrJFF1tfPL4qyRbbyMyrgCOoKBCAuIdBZfBDH3JWFjxGy8J +Yls8yVeAVKreV18HmLvAsBL3bnr7Gk3vpznrfoG5rn5T/fL0cqqTXFV8zQhjHiEo +zftSaoq0LOxsSgFdxXS8e8K6RMvLCZPcMpI4fo1Kq2QBT2J1x1/Hq/VnK132cs0g +TOyiTyyJfvRmlqdXowh7Jf8LQB4mM6gc023fEdQ+HH6JYX1vDQVxaiTM6KMYJNv/ +l4gchP3jknOfZffwGGdXQrtUMhQmltnSqV5nY/G2OGm/Z0pdAgMBAAGjEzARMA8G +A1UdJAEB/wQFMAOBAQEwDQYJKoZIhvcNAQELBQADggEBADWtdmob6aFscj2AhUB4 +s2zGFmfPdhh0Q/dBsQGX27UhOlF9loZxMwVvCIma/iMtxh1kOLoUsqu1fAkOLAuC +KQfED30bxYVYS+G/866A+TVUdFs6i7ZlAI7I10ojH4nfHcGaaofHObvQ5XI0NpiJ +9Pzi55qJJ2Yv/x8xvFZZZ7F/SkPzjfSLg+FnzqPspsNFPUzN/s9nZ3TJuHItc+AP +9zQCWyIo0z5AexLjxrbXlPwcOgXirbhR/VPEc5/LrFc3VNv27Z6NNgHEY/ahmjL5 +ig/ObITiDMh/KWqwPbGpSK0xEYdmWaVRnHMOfKjy78oYMNrPHZHx0StzIUJRCa6J +wNs= +-----END CERTIFICATE----- diff --git a/vectors/cryptography_vectors/x509/custom/pc_inhibit_require.pem b/vectors/cryptography_vectors/x509/custom/pc_inhibit_require.pem new file mode 100644 index 00000000..6475afc3 --- /dev/null +++ b/vectors/cryptography_vectors/x509/custom/pc_inhibit_require.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0TCCAbmgAwIBAgITBm7W5plm/+MNl9v4WkUqdcxmjjANBgkqhkiG9w0BAQsF +ADAXMRUwEwYDVQQDDAxjcnlwdG9ncmFwaHkwHhcNMTUwNjE3MjE1MTM1WhcNMTYw +NjE2MjE1MTM1WjAXMRUwEwYDVQQDDAxjcnlwdG9ncmFwaHkwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCylTa0WkLvIXB4sWoPdv5iL3idlVHKR+ncODKL +nwQ2Jtd990MfakOFRLrJFF1tfPL4qyRbbyMyrgCOoKBCAuIdBZfBDH3JWFjxGy8J +Yls8yVeAVKreV18HmLvAsBL3bnr7Gk3vpznrfoG5rn5T/fL0cqqTXFV8zQhjHiEo +zftSaoq0LOxsSgFdxXS8e8K6RMvLCZPcMpI4fo1Kq2QBT2J1x1/Hq/VnK132cs0g +TOyiTyyJfvRmlqdXowh7Jf8LQB4mM6gc023fEdQ+HH6JYX1vDQVxaiTM6KMYJNv/ +l4gchP3jknOfZffwGGdXQrtUMhQmltnSqV5nY/G2OGm/Z0pdAgMBAAGjFjAUMBIG +A1UdJAEB/wQIMAaAAQGBAQEwDQYJKoZIhvcNAQELBQADggEBAF2vihRcIlDO+aAZ +yjpwSTZH0J0mw5yJKxo8oJ/Ij26d2vjhu/xKhPV1L8dTgVQsSU8RVJK5+MRSog+C +jP81YaTTgktHxu1JIXEdTJJ9HZlTvsXvMHq1y3XYxzu8i8Lsj9mf+NFAb+ecLfhF +mVDwFY+TrPT2jcCPD7PcV8fgSio6MXRP2jrqFKBTRAJTsZMpWJg4Jn1vDRgLWqwZ +VOd4G4IfmuN2n92kd0UT6flvbpJEDQJr5elqeU9Mp1PjN3UwSnox1D+fAd2Rqknn +6FPfjjJO+j6RFtqlzPH8A3/Pps1C61U947oawS/tk9P4WVrDVto3tHH5jxOPp/wA +EqtmA1c= +-----END CERTIFICATE----- diff --git a/vectors/cryptography_vectors/x509/custom/pc_require.pem b/vectors/cryptography_vectors/x509/custom/pc_require.pem new file mode 100644 index 00000000..d41e1dc9 --- /dev/null +++ b/vectors/cryptography_vectors/x509/custom/pc_require.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIICzjCCAbagAwIBAgITBm7W5SWig9xJ0Sqde+PhIPV4QzANBgkqhkiG9w0BAQsF +ADAXMRUwEwYDVQQDDAxjcnlwdG9ncmFwaHkwHhcNMTUwNjE3MjE1MTE2WhcNMTYw +NjE2MjE1MTE2WjAXMRUwEwYDVQQDDAxjcnlwdG9ncmFwaHkwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCylTa0WkLvIXB4sWoPdv5iL3idlVHKR+ncODKL +nwQ2Jtd990MfakOFRLrJFF1tfPL4qyRbbyMyrgCOoKBCAuIdBZfBDH3JWFjxGy8J +Yls8yVeAVKreV18HmLvAsBL3bnr7Gk3vpznrfoG5rn5T/fL0cqqTXFV8zQhjHiEo +zftSaoq0LOxsSgFdxXS8e8K6RMvLCZPcMpI4fo1Kq2QBT2J1x1/Hq/VnK132cs0g +TOyiTyyJfvRmlqdXowh7Jf8LQB4mM6gc023fEdQ+HH6JYX1vDQVxaiTM6KMYJNv/ +l4gchP3jknOfZffwGGdXQrtUMhQmltnSqV5nY/G2OGm/Z0pdAgMBAAGjEzARMA8G +A1UdJAEB/wQFMAOAAQEwDQYJKoZIhvcNAQELBQADggEBAB1WST/bEzDX6ws3xRLt +kfe12ZzMXkxGjAWM3Ai2VigqUqVOZRsB70Zekv/NXAmz+et6hdlzg1b3S+2Kffe/ +1aDGvIHqoFtbokctJyrX7eCjhENdKb/yR8CYWOWCWTdWe6ij4TjxkkEbBxajeR1V +hzSOHG8l3r5OTqFdBknsbLBIiE0NlxyHoYzklunmjS468B/JpAgJ9seKkrVGHN2H +J6wDMMe1i+3qKtqv0+xeTII2W4fPX/Uvhyh0jXa6QbggdjqO4q1pAyC0ruYDmuo1 +D7k5lbVU9j4BRUnK6s8wno/p1sRG61eQDdHj6Ri/svcstk03ZFmTSORE/RaI1pYB +8QU= +-----END CERTIFICATE----- |