diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/_cffi_src/openssl/x509.py | 48 | ||||
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/x509.py | 44 |
2 files changed, 82 insertions, 10 deletions
diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py index 2fe3a1bf..b0ff9844 100644 --- a/src/_cffi_src/openssl/x509.py +++ b/src/_cffi_src/openssl/x509.py @@ -353,6 +353,15 @@ ASN1_OBJECT *sk_ASN1_OBJECT_value(Cryptography_STACK_OF_ASN1_OBJECT *, int); void sk_ASN1_OBJECT_free(Cryptography_STACK_OF_ASN1_OBJECT *); Cryptography_STACK_OF_ASN1_OBJECT *sk_ASN1_OBJECT_new_null(void); int sk_ASN1_OBJECT_push(Cryptography_STACK_OF_ASN1_OBJECT *, ASN1_OBJECT *); + +/* these functions were added in 1.1.0 */ +ASN1_INTEGER *X509_REVOKED_get0_serialNumber(X509_REVOKED *); +ASN1_TIME *X509_REVOKED_get0_revocationDate(X509_REVOKED *); +void X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, + X509_CRL *crl); +int i2d_re_X509_REQ_tbs(X509_REQ *, unsigned char **); +int i2d_re_X509_CRL_tbs(X509_CRL *, unsigned char **); +void X509_REQ_get0_signature(ASN1_BIT_STRING **, X509_ALGOR **, X509_REQ *); """ CUSTOMIZATIONS = """ @@ -409,4 +418,43 @@ X509_REVOKED *Cryptography_X509_REVOKED_dup(X509_REVOKED *rev) { return ASN1_item_dup(ASN1_ITEM_rptr(X509_REVOKED), rev); } +/* Added in 1.1.0 but we need it in all versions now due to the great + opaquing. */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) +/* from x509/x509_req.c */ +void X509_REQ_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, + X509_REQ *req) +{ + if (psig != NULL) + *psig = req->signature; + if (palg != NULL) + *palg = req->sig_alg; +} +int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp) +{ + req->req_info->enc.modified = 1; + return i2d_X509_REQ_INFO(req->req_info, pp); +} +int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **pp) { + crl->crl->enc.modified = 1; + return i2d_X509_CRL_INFO(crl->crl, pp); +} + +void X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, + X509_CRL *crl) +{ + if (psig != NULL) + *psig = crl->signature; + if (palg != NULL) + *palg = crl->sig_alg; +} +ASN1_TIME *X509_REVOKED_get0_revocationDate(X509_REVOKED *x) +{ + return x->revocationDate; +} +ASN1_INTEGER *X509_REVOKED_get0_serialNumber(X509_REVOKED *x) +{ + return x->serialNumber; +} +#endif """ diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py index ced3e6f1..71a2fb78 100644 --- a/src/cryptography/hazmat/backends/openssl/x509.py +++ b/src/cryptography/hazmat/backends/openssl/x509.py @@ -162,14 +162,20 @@ class _RevokedCertificate(object): @property def serial_number(self): - asn1_int = self._x509_revoked.serialNumber + asn1_int = self._backend._lib.X509_REVOKED_get0_serialNumber( + self._x509_revoked + ) self._backend.openssl_assert(asn1_int != self._backend._ffi.NULL) return _asn1_integer_to_int(self._backend, asn1_int) @property def revocation_date(self): return _parse_asn1_time( - self._backend, self._x509_revoked.revocationDate) + self._backend, + self._backend._lib.X509_REVOKED_get0_revocationDate( + self._x509_revoked + ) + ) @property def extensions(self): @@ -207,7 +213,12 @@ class _CertificateRevocationList(object): @property def signature_hash_algorithm(self): - oid = _obj2txt(self._backend, self._x509_crl.sig_alg.algorithm) + alg = self._backend._ffi.new("X509_ALGOR **") + self._backend._lib.X509_CRL_get0_signature( + self._backend._ffi.NULL, alg, self._x509_crl + ) + self._backend.openssl_assert(alg[0] != self._backend._ffi.NULL) + oid = _obj2txt(self._backend, alg[0].algorithm) try: return x509._SIG_OIDS_TO_HASH[oid] except KeyError: @@ -235,13 +246,17 @@ class _CertificateRevocationList(object): @property def signature(self): - return _asn1_string_to_bytes(self._backend, self._x509_crl.signature) + sig = self._backend._ffi.new("ASN1_BIT_STRING **") + self._backend._lib.X509_CRL_get0_signature( + sig, self._backend._ffi.NULL, self._x509_crl + ) + self._backend.openssl_assert(sig[0] != self._backend._ffi.NULL) + return _asn1_string_to_bytes(self._backend, sig[0]) @property def tbs_certlist_bytes(self): pp = self._backend._ffi.new("unsigned char **") - # the X509_CRL_INFO struct holds the tbsCertList data - res = self._backend._lib.i2d_X509_CRL_INFO(self._x509_crl.crl, pp) + res = self._backend._lib.i2d_re_X509_CRL_tbs(self._x509_crl, pp) self._backend.openssl_assert(res > 0) pp = self._backend._ffi.gc( pp, lambda pointer: self._backend._lib.OPENSSL_free(pointer[0]) @@ -330,7 +345,12 @@ class _CertificateSigningRequest(object): @property def signature_hash_algorithm(self): - oid = _obj2txt(self._backend, self._x509_req.sig_alg.algorithm) + alg = self._backend._ffi.new("X509_ALGOR **") + self._backend._lib.X509_REQ_get0_signature( + self._backend._ffi.NULL, alg, self._x509_req + ) + self._backend.openssl_assert(alg[0] != self._backend._ffi.NULL) + oid = _obj2txt(self._backend, alg[0].algorithm) try: return x509._SIG_OIDS_TO_HASH[oid] except KeyError: @@ -360,8 +380,7 @@ class _CertificateSigningRequest(object): @property def tbs_certrequest_bytes(self): pp = self._backend._ffi.new("unsigned char **") - # the X509_REQ_INFO struct holds the CertificateRequestInfo data - res = self._backend._lib.i2d_X509_REQ_INFO(self._x509_req.req_info, pp) + res = self._backend._lib.i2d_re_X509_REQ_tbs(self._x509_req, pp) self._backend.openssl_assert(res > 0) pp = self._backend._ffi.gc( pp, lambda pointer: self._backend._lib.OPENSSL_free(pointer[0]) @@ -370,7 +389,12 @@ class _CertificateSigningRequest(object): @property def signature(self): - return _asn1_string_to_bytes(self._backend, self._x509_req.signature) + sig = self._backend._ffi.new("ASN1_BIT_STRING **") + self._backend._lib.X509_REQ_get0_signature( + sig, self._backend._ffi.NULL, self._x509_req + ) + self._backend.openssl_assert(sig[0] != self._backend._ffi.NULL) + return _asn1_string_to_bytes(self._backend, sig[0]) @property def is_signature_valid(self): |