diff options
| -rw-r--r-- | docs/x509.rst | 6 | ||||
| -rw-r--r-- | setup.py | 1 | ||||
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/x509.py | 28 | ||||
| -rw-r--r-- | tests/test_x509_ext.py | 21 |
4 files changed, 53 insertions, 3 deletions
diff --git a/docs/x509.rst b/docs/x509.rst index da6bd85c..eed88b09 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -271,6 +271,9 @@ X.509 Certificate Object :raises cryptography.x509.DuplicateExtension: If more than one extension of the same type is found within the certificate. + :raises cryptography.x509.UnsupportedExtension: If the certificate + contains an extension that is not supported. + .. doctest:: >>> for ext in cert.extensions: @@ -492,9 +495,6 @@ X.509 Extensions :raises cryptography.x509.ExtensionNotFound: If the certificate does not have the extension requested. - :raises cryptography.x509.UnsupportedExtension: If the certificate - contains an extension that is not supported. - .. doctest:: >>> cert.extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS) @@ -32,6 +32,7 @@ with open(os.path.join(src_dir, "cryptography", "__about__.py")) as f: VECTORS_DEPENDENCY = "cryptography_vectors=={0}".format(about['__version__']) requirements = [ + "idna", "pyasn1", "six>=1.4.1", "setuptools" diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py index 57e6146b..dcde5e73 100644 --- a/src/cryptography/hazmat/backends/openssl/x509.py +++ b/src/cryptography/hazmat/backends/openssl/x509.py @@ -15,6 +15,8 @@ from __future__ import absolute_import, division, print_function import datetime +import idna + from cryptography import utils, x509 from cryptography.exceptions import UnsupportedAlgorithm from cryptography.hazmat.primitives import hashes @@ -57,6 +59,12 @@ def _build_x509_name(backend, x509_name): return x509.Name(attributes) +def _build_general_name(backend, gn): + if gn.type == backend._lib.GEN_DNS: + data = backend._ffi.buffer(gn.d.dNSName.data, gn.d.dNSName.length)[:] + return x509.DNSName(idna.decode(data)) + + @utils.register_interface(x509.Certificate) class _Certificate(object): def __init__(self, backend, x509): @@ -173,6 +181,8 @@ class _Certificate(object): value = self._build_subject_key_identifier(ext) elif oid == x509.OID_KEY_USAGE: value = self._build_key_usage(ext) + elif oid == x509.OID_SUBJECT_ALTERNATIVE_NAME: + value = self._build_subject_alt_name(ext) elif critical: raise x509.UnsupportedExtension( "{0} is not currently supported".format(oid), oid @@ -254,6 +264,24 @@ class _Certificate(object): decipher_only ) + def _build_subject_alt_name(self, ext): + gns = self._backend._ffi.cast( + "GENERAL_NAMES *", self._backend._lib.X509V3_EXT_d2i(ext) + ) + assert gns != self._backend._ffi.NULL + gns = self._backend._ffi.gc(gns, self._backend._lib.GENERAL_NAMES_free) + num = self._backend._lib.sk_GENERAL_NAME_num(gns) + general_names = [] + + for i in range(num): + gn = self._backend._lib.sk_GENERAL_NAME_value(gns, i) + assert gn != self._backend._ffi.NULL + value = _build_general_name(self._backend, gn) + + general_names.append(value) + + return x509.SubjectAlternativeName(general_names) + @utils.register_interface(x509.CertificateSigningRequest) class _CertificateSigningRequest(object): diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index 45d309db..a7e04156 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -736,3 +736,24 @@ class TestSubjectAlternativeName(object): assert repr(san) == ( "<SubjectAlternativeName([<DNSName(value=cryptography.io)>])>" ) + + +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestRSASubjectAlternativeNameExtension(object): + def test_dns_name(self, backend): + cert = _load_cert( + os.path.join("x509", "cryptography.io.pem"), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + x509.OID_SUBJECT_ALTERNATIVE_NAME + ) + assert ext is not None + assert ext.critical is False + + san = ext.value + + dns = san.get_values_for_type(x509.DNSName) + assert dns == [u"www.cryptography.io", u"cryptography.io"] |