Diffstat (limited to 'src')
-rw-r--r-- | src/_cffi_src/openssl/x509v3.py | 2 | ||||
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/x509.py | 107 | ||||
-rw-r--r-- | src/cryptography/x509/__init__.py | 10 | ||||
-rw-r--r-- | src/cryptography/x509/oid.py | 8 |
4 files changed, 51 insertions, 76 deletions
diff --git a/src/_cffi_src/openssl/x509v3.py b/src/_cffi_src/openssl/x509v3.py
index 84e49640..51cac62b 100644
--- a/src/_cffi_src/openssl/x509v3.py
+++ b/src/_cffi_src/openssl/x509v3.py
@@ -290,6 +290,8 @@ DIST_POINT_NAME *DIST_POINT_NAME_new(void);
 void DIST_POINT_NAME_free(DIST_POINT_NAME *);
 int i2d_CRL_DIST_POINTS(Cryptography_STACK_OF_DIST_POINT *, unsigned char **);
+GENERAL_NAMES *d2i_GENERAL_NAMES(GENERAL_NAMES **, const unsigned char **,
+                                 long);
 """
 
 CUSTOMIZATIONS = """
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 7f7be545..073dfb1e 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -19,7 +19,7 @@ from cryptography import utils, x509
 from cryptography.exceptions import UnsupportedAlgorithm
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.x509.oid import (
-    CertificatePoliciesOID, ExtensionOID, RevokedExtensionOID
+    CRLExtensionOID, CertificatePoliciesOID, ExtensionOID
 )
 
 
@@ -175,11 +175,11 @@ def _decode_ocsp_no_check(backend, ext):
 
 
 class _X509ExtensionParser(object):
-    def __init__(self, ext_count, get_ext, handlers, supported_versions=None):
+    def __init__(self, ext_count, get_ext, handlers, unsupported_exts=None):
         self.ext_count = ext_count
         self.get_ext = get_ext
         self.handlers = handlers
-        self.supported_versions = supported_versions
+        self.unsupported_exts = unsupported_exts
 
     def parse(self, backend, x509_obj):
         extensions = []
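Review bot: `unsupported_exts` is a misleading name for the new `__init__` parameter, because `parse` (the @@ -210 hunk) does not skip those OIDs: it hands the raw `X509_EXTENSION` to the handler instead of the `X509V3_EXT_d2i` result, and the NULL/"invalid" check of the d2i path is bypassed, so every handler listed there must do its own decoding and raise its own error on bad data. Neither the class nor the parameter is documented; I would add to `__init__` a docstring line such as `unsupported_exts: OIDs for which the handler receives the raw X509_EXTENSION (presumably because the linked OpenSSL cannot decode them via X509V3_EXT_d2i — confirm) and is responsible for parsing and validating the value itself`. The same one-line explanation is missing on the module constant `_REVOKED_UNSUPPORTED_EXTENSIONS` in the @@ -943 hunk, where a reader cannot tell why certificateIssuer is singled out. The body of `parse` continues past this hunk.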
@@ -190,13 +190,6 @@ class _X509ExtensionParser(object):
             crit = backend._lib.X509_EXTENSION_get_critical(ext)
             critical = crit == 1
             oid = x509.ObjectIdentifier(_obj2txt(backend, ext.object))
-
-            # Filter out extensions we know are not supported by the backend
-            if (self.supported_versions and oid in self.supported_versions and
-                    self.supported_versions[oid] >
-                    backend._lib.OPENSSL_VERSION_NUMBER):
-                self.handlers.pop(oid, None)
-
             if oid in seen_oids:
                 raise x509.DuplicateExtension(
                     "Duplicate {0} extension found".format(oid), oid
@@ -210,15 +203,18 @@ class _X509ExtensionParser(object):
                     .format(oid), oid
                 )
             else:
-                d2i = backend._lib.X509V3_EXT_d2i(ext)
-                if d2i == backend._ffi.NULL:
-                    backend._consume_errors()
-                    raise ValueError(
-                        "The {0} extension is invalid and can't be "
-                        "parsed".format(oid)
-                    )
-
-                value = handler(backend, d2i)
+                if self.unsupported_exts and oid in self.unsupported_exts:
+                    ext_data = ext
+                else:
+                    ext_data = backend._lib.X509V3_EXT_d2i(ext)
+                    if ext_data == backend._ffi.NULL:
+                        backend._consume_errors()
+                        raise ValueError(
+                            "The {0} extension is invalid and can't be "
+                            "parsed".format(oid)
+                        )
+
+                value = handler(backend, ext_data)
                 extensions.append(x509.Extension(oid, critical, value))
                 seen_oids.add(oid)
 
@@ -687,8 +683,18 @@ def _decode_invalidity_date(backend, inv_date):
     return datetime.datetime.strptime(time, "%Y%m%d%H%M%SZ")
 
 
-def _decode_cert_issuer(backend, issuer):
-    gns = backend._ffi.cast("GENERAL_NAMES *", issuer)
+def _decode_cert_issuer(backend, ext):
+    data_ptr_ptr = backend._ffi.new("const unsigned char **")
+    data_ptr_ptr[0] = ext.value.data
+    gns = backend._lib.d2i_GENERAL_NAMES(
+        backend._ffi.NULL, data_ptr_ptr, ext.value.length
+    )
+    if gns == backend._ffi.NULL:
+        backend._consume_errors()
+        raise ValueError(
+            "The {0} extension is corrupted and can't be parsed".format(
+                CRLExtensionOID.CERTIFICATE_ISSUER))
+    gns = backend._ffi.gc(gns, backend._lib.GENERAL_NAMES_free)
     return x509.GeneralNames(_decode_general_names(backend, gns))
 
 
@@ -699,28 +705,16 @@ class _RevokedCertificate(object):
         self._backend = backend
         self._x509_revoked = x509_revoked
 
-        self._serial_number = None
-        self._revocation_date = None
-        self._extensions = None
-
     @property
     def serial_number(self):
-        if self._serial_number:
-            return self._serial_number
-
         asn1_int = self._x509_revoked.serialNumber
         self._backend.openssl_assert(asn1_int != self._backend._ffi.NULL)
-        self._serial_number = self._backend._asn1_integer_to_int(asn1_int)
-        return self._serial_number
+        return self._backend._asn1_integer_to_int(asn1_int)
 
     @property
     def revocation_date(self):
-        if self._revocation_date:
-            return self._revocation_date
-
-        self._revocation_date = self._backend._parse_asn1_time(
+        return self._backend._parse_asn1_time(
             self._x509_revoked.revocationDate)
-        return self._revocation_date
 
     @property
     def extensions(self):
@@ -765,11 +759,6 @@ class _CertificateRevocationList(object):
         self._backend = backend
         self._x509_crl = x509_crl
 
-        self._revoked = None
-        self._issuer = None
-        self._next_update = None
-        self._last_update = None
-
     def __eq__(self, other):
         if not isinstance(other, x509.CertificateRevocationList):
             return NotImplemented
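Review bot: `_decode_cert_issuer` treats any non-NULL return from `d2i_GENERAL_NAMES` as a valid value, but a d2i call succeeds as soon as one well-formed object has been read and does not require all `ext.value.length` bytes to be consumed, so an extension value carrying trailing bytes after the GeneralNames is still reported as parsed. The call advances `data_ptr_ptr[0]` past what it consumed; comparing that advance with `ext.value.length` after the `_ffi.gc` wrap (so a rejected object is still freed) and raising the same `ValueError` on a mismatch makes the check as strict as the length the extension itself declares. The message here says `corrupted` while the generic path in `parse` says `invalid and can't be parsed`; one wording for both keeps the failure easy to find in logs and tests. Minor: the `))` closing the `raise ValueError(` call is folded onto the argument line, unlike the `)` on its own line used for the other `raise` calls in this file.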
@@ -803,38 +792,23 @@ class _CertificateRevocationList(object):
 
     @property
     def issuer(self):
-        if self._issuer:
-            return self._issuer
-
         issuer = self._backend._lib.X509_CRL_get_issuer(self._x509_crl)
         self._backend.openssl_assert(issuer != self._backend._ffi.NULL)
-        self._issuer = _decode_x509_name(self._backend, issuer)
-        return self._issuer
+        return _decode_x509_name(self._backend, issuer)
 
     @property
     def next_update(self):
-        if self._next_update:
-            return self._next_update
-
         nu = self._backend._lib.X509_CRL_get_nextUpdate(self._x509_crl)
         self._backend.openssl_assert(nu != self._backend._ffi.NULL)
-        self._next_update = self._backend._parse_asn1_time(nu)
-        return self._next_update
+        return self._backend._parse_asn1_time(nu)
 
     @property
     def last_update(self):
-        if self._last_update:
-            return self._last_update
-
         lu = self._backend._lib.X509_CRL_get_lastUpdate(self._x509_crl)
         self._backend.openssl_assert(lu != self._backend._ffi.NULL)
-        self._last_update = self._backend._parse_asn1_time(lu)
-        return self._last_update
+        return self._backend._parse_asn1_time(lu)
 
     def _revoked_certificates(self):
-        if self._revoked:
-            return self._revoked
-
         revoked = self._backend._lib.X509_CRL_get_REVOKED(self._x509_crl)
         self._backend.openssl_assert(revoked != self._backend._ffi.NULL)
 
@@ -845,8 +819,7 @@ class _CertificateRevocationList(object):
             self._backend.openssl_assert(r != self._backend._ffi.NULL)
             revoked_list.append(_RevokedCertificate(self._backend, r))
 
-        self._revoked = revoked_list
-        return self._revoked
+        return revoked_list
 
     def __iter__(self):
         return iter(self._revoked_certificates())
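Review bot: `_revoked_certificates` now walks the whole `X509_CRL_get_REVOKED` stack and builds a fresh list of `_RevokedCertificate` objects on every call, and `__iter__` on the line below invokes it each time; if `__len__` and `__getitem__` (outside the hunk) are backed by it too, `len(crl)` plus indexing inside a loop becomes quadratic on a large CRL. The removed cache was unreliable only because it tested `if self._revoked:`, which the `[]` of an empty CRL would have defeated; if the rebuild cost matters, an `if self._revoked is None:` guard keeps the fix without the repeated walk. The method starts in the previous hunk and its loop sits between the two hunks, outside this one.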
@@ -943,14 +916,14 @@ _EXTENSION_HANDLERS = {
 }
 
 _REVOKED_EXTENSION_HANDLERS = {
-    RevokedExtensionOID.CRL_REASON: _decode_crl_reason,
-    RevokedExtensionOID.INVALIDITY_DATE: _decode_invalidity_date,
-    RevokedExtensionOID.CERTIFICATE_ISSUER: _decode_cert_issuer,
+    CRLExtensionOID.CRL_REASON: _decode_crl_reason,
+    CRLExtensionOID.INVALIDITY_DATE: _decode_invalidity_date,
+    CRLExtensionOID.CERTIFICATE_ISSUER: _decode_cert_issuer,
 }
 
-_REVOKED_SUPPORTED_VERSIONS = {
-    RevokedExtensionOID.CERTIFICATE_ISSUER: 0x10000000,
-}
+_REVOKED_UNSUPPORTED_EXTENSIONS = set([
+    CRLExtensionOID.CERTIFICATE_ISSUER,
+])
 
 _CERTIFICATE_EXTENSION_PARSER = _X509ExtensionParser(
     ext_count=lambda backend, x: backend._lib.X509_get_ext_count(x),
@@ -968,5 +941,5 @@ _REVOKED_CERTIFICATE_EXTENSION_PARSER = _X509ExtensionParser(
     ext_count=lambda backend, x: backend._lib.X509_REVOKED_get_ext_count(x),
     get_ext=lambda backend, x, i: backend._lib.X509_REVOKED_get_ext(x, i),
     handlers=_REVOKED_EXTENSION_HANDLERS,
-    supported_versions=_REVOKED_SUPPORTED_VERSIONS
+    unsupported_exts=_REVOKED_UNSUPPORTED_EXTENSIONS
 )
diff --git a/src/cryptography/x509/__init__.py b/src/cryptography/x509/__init__.py
index 6438da9c..70e1d3da 100644
--- a/src/cryptography/x509/__init__.py
+++ b/src/cryptography/x509/__init__.py
@@ -28,8 +28,8 @@ from cryptography.x509.general_name import (
 )
 from cryptography.x509.name import Name, NameAttribute
 from cryptography.x509.oid import (
-    AuthorityInformationAccessOID, CertificatePoliciesOID, ExtendedKeyUsageOID,
-    ExtensionOID, NameOID, ObjectIdentifier, RevokedExtensionOID,
+    AuthorityInformationAccessOID, CRLExtensionOID, CertificatePoliciesOID,
+    ExtendedKeyUsageOID, ExtensionOID, NameOID, ObjectIdentifier,
     SignatureAlgorithmOID, _SIG_OIDS_TO_HASH
 )
 
@@ -95,9 +95,9 @@ OID_ANY_POLICY = CertificatePoliciesOID.ANY_POLICY
 OID_CPS_QUALIFIER = CertificatePoliciesOID.CPS_QUALIFIER
 OID_CPS_USER_NOTICE = CertificatePoliciesOID.CPS_USER_NOTICE
 
-OID_CERTIFICATE_ISSUER = RevokedExtensionOID.CERTIFICATE_ISSUER
-OID_CRL_REASON = RevokedExtensionOID.CRL_REASON
-OID_INVALIDITY_DATE = RevokedExtensionOID.INVALIDITY_DATE
+OID_CERTIFICATE_ISSUER = CRLExtensionOID.CERTIFICATE_ISSUER
+OID_CRL_REASON = CRLExtensionOID.CRL_REASON
+OID_INVALIDITY_DATE = CRLExtensionOID.INVALIDITY_DATE
 
 OID_CA_ISSUERS = AuthorityInformationAccessOID.CA_ISSUERS
 OID_OCSP = AuthorityInformationAccessOID.OCSP
diff --git a/src/cryptography/x509/oid.py b/src/cryptography/x509/oid.py
index 667045af..ead40169 100644
--- a/src/cryptography/x509/oid.py
+++ b/src/cryptography/x509/oid.py
@@ -58,7 +58,7 @@ class ExtensionOID(object):
     OCSP_NO_CHECK = ObjectIdentifier("1.3.6.1.5.5.7.48.1.5")
 
 
-class RevokedExtensionOID(object):
+class CRLExtensionOID(object):
     CERTIFICATE_ISSUER = ObjectIdentifier("2.5.29.29")
     CRL_REASON = ObjectIdentifier("2.5.29.21")
     INVALIDITY_DATE = ObjectIdentifier("2.5.29.24")
@@ -177,9 +177,9 @@ _OID_NAMES = {
     ExtensionOID.SUBJECT_ALTERNATIVE_NAME: "subjectAltName",
     ExtensionOID.ISSUER_ALTERNATIVE_NAME: "issuerAltName",
     ExtensionOID.BASIC_CONSTRAINTS: "basicConstraints",
-    RevokedExtensionOID.CRL_REASON: "cRLReason",
-    RevokedExtensionOID.INVALIDITY_DATE: "invalidityDate",
-    RevokedExtensionOID.CERTIFICATE_ISSUER: "certificateIssuer",
+    CRLExtensionOID.CRL_REASON: "cRLReason",
+    CRLExtensionOID.INVALIDITY_DATE: "invalidityDate",
+    CRLExtensionOID.CERTIFICATE_ISSUER: "certificateIssuer",
     ExtensionOID.NAME_CONSTRAINTS: "nameConstraints",
     ExtensionOID.CRL_DISTRIBUTION_POINTS: "cRLDistributionPoints",
     ExtensionOID.CERTIFICATE_POLICIES: "certificatePolicies",
|