diff options
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/backend.py | 9 | ||||
| -rw-r--r-- | tests/test_x509.py | 30 |
2 files changed, 39 insertions, 0 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 569d025f..3866c0d4 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -155,6 +155,14 @@ def _txt2obj_gc(backend, name): return obj +def _encode_ocsp_nocheck(backend, ext): + """ + The OCSP No Check extension is defined as a null ASN.1 value. Rather than + calling OpenSSL we can return a Python bytestring value in a list. + """ + return [b"\x05\x00"], 2 + + def _encode_key_usage(backend, key_usage): set_bit = backend._lib.ASN1_BIT_STRING_set_bit ku = backend._lib.ASN1_BIT_STRING_new() @@ -486,6 +494,7 @@ _EXTENSION_ENCODE_HANDLERS = { ), x509.OID_CRL_DISTRIBUTION_POINTS: _encode_crl_distribution_points, x509.OID_INHIBIT_ANY_POLICY: _encode_inhibit_any_policy, + x509.OID_OCSP_NO_CHECK: _encode_ocsp_nocheck, } diff --git a/tests/test_x509.py b/tests/test_x509.py index ce52ffac..94340579 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -2194,6 +2194,36 @@ class TestCertificateSigningRequestBuilder(object): ) assert ext.value == aki + def test_ocsp_nocheck(self, backend): + issuer_private_key = RSA_KEY_2048.private_key(backend) + subject_private_key = RSA_KEY_2048.private_key(backend) + + not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) + not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) + + builder = x509.CertificateBuilder().serial_number( + 777 + ).issuer_name(x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + ])).subject_name(x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + ])).public_key( + subject_private_key.public_key() + ).add_extension( + x509.OCSPNoCheck(), critical=False + ).not_valid_before( + not_valid_before + ).not_valid_after( + not_valid_after + ) + + cert = builder.sign(issuer_private_key, hashes.SHA256(), backend) + + ext = cert.extensions.get_extension_for_oid( + x509.OID_OCSP_NO_CHECK + ) + assert isinstance(ext.value, x509.OCSPNoCheck) + @pytest.mark.requires_backend_interface(interface=DSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) |