aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/_cffi_src/build_constant_time.py6
-rw-r--r--src/_cffi_src/build_openssl.py7
-rw-r--r--src/_cffi_src/build_padding.py6
-rw-r--r--src/_cffi_src/openssl/x509.py16
-rw-r--r--src/_cffi_src/openssl/x509_vfy.py6
-rw-r--r--src/_cffi_src/utils.py9
-rw-r--r--src/cryptography/hazmat/backends/openssl/backend.py71
-rw-r--r--src/cryptography/hazmat/backends/openssl/dsa.py27
-rw-r--r--src/cryptography/hazmat/backends/openssl/ec.py30
-rw-r--r--src/cryptography/hazmat/backends/openssl/rsa.py23
-rw-r--r--src/cryptography/hazmat/backends/openssl/x509.py32
-rw-r--r--src/cryptography/hazmat/primitives/twofactor/hotp.py4
-rw-r--r--src/cryptography/hazmat/primitives/twofactor/totp.py4
-rw-r--r--src/cryptography/hazmat/primitives/twofactor/utils.py16
14 files changed, 151 insertions, 106 deletions
diff --git a/src/_cffi_src/build_constant_time.py b/src/_cffi_src/build_constant_time.py
index eae0f21a..6d9a8f54 100644
--- a/src/_cffi_src/build_constant_time.py
+++ b/src/_cffi_src/build_constant_time.py
@@ -5,8 +5,9 @@
from __future__ import absolute_import, division, print_function
import os
+import sys
-from _cffi_src.utils import build_ffi
+from _cffi_src.utils import build_ffi, extra_link_args
with open(os.path.join(
@@ -22,5 +23,6 @@ with open(os.path.join(
ffi = build_ffi(
module_name="_constant_time",
cdef_source=types,
- verify_source=functions
+ verify_source=functions,
+ extra_link_args=extra_link_args(sys.platform),
)
diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py
index 4c30fe48..1ebadccb 100644
--- a/src/_cffi_src/build_openssl.py
+++ b/src/_cffi_src/build_openssl.py
@@ -7,9 +7,7 @@ from __future__ import absolute_import, division, print_function
import os
import sys
-from _cffi_src.utils import (
- build_ffi_for_binding
-)
+from _cffi_src.utils import build_ffi_for_binding, extra_link_args
def _get_openssl_libraries(platform):
@@ -94,5 +92,6 @@ ffi = build_ffi_for_binding(
],
pre_include=_OSX_PRE_INCLUDE,
post_include=_OSX_POST_INCLUDE,
- libraries=_get_openssl_libraries(sys.platform)
+ libraries=_get_openssl_libraries(sys.platform),
+ extra_link_args=extra_link_args(sys.platform),
)
diff --git a/src/_cffi_src/build_padding.py b/src/_cffi_src/build_padding.py
index 3eeac2e2..5df93d80 100644
--- a/src/_cffi_src/build_padding.py
+++ b/src/_cffi_src/build_padding.py
@@ -5,8 +5,9 @@
from __future__ import absolute_import, division, print_function
import os
+import sys
-from _cffi_src.utils import build_ffi
+from _cffi_src.utils import build_ffi, extra_link_args
with open(os.path.join(
@@ -22,5 +23,6 @@ with open(os.path.join(
ffi = build_ffi(
module_name="_padding",
cdef_source=types,
- verify_source=functions
+ verify_source=functions,
+ extra_link_args=extra_link_args(sys.platform),
)
diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py
index 534f5b08..6bd117b0 100644
--- a/src/_cffi_src/openssl/x509.py
+++ b/src/_cffi_src/openssl/x509.py
@@ -182,19 +182,21 @@ X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *, int);
int X509_REVOKED_add_ext(X509_REVOKED *, X509_EXTENSION*, int);
int X509_REVOKED_add1_ext_i2d(X509_REVOKED *, int, void *, int, unsigned long);
-X509_CRL *d2i_X509_CRL_bio(BIO *, X509_CRL **);
X509_CRL *X509_CRL_new(void);
-void X509_CRL_free(X509_CRL *);
+X509_CRL *d2i_X509_CRL_bio(BIO *, X509_CRL **);
+X509_EXTENSION *X509_CRL_get_ext(X509_CRL *, int);
int X509_CRL_add0_revoked(X509_CRL *, X509_REVOKED *);
-int i2d_X509_CRL_bio(BIO *, X509_CRL *);
+int X509_CRL_add_ext(X509_CRL *, X509_EXTENSION *, int);
+int X509_CRL_cmp(const X509_CRL *, const X509_CRL *);
+int X509_CRL_get_ext_count(X509_CRL *);
int X509_CRL_print(BIO *, X509_CRL *);
int X509_CRL_set_issuer_name(X509_CRL *, X509_NAME *);
+int X509_CRL_set_version(X509_CRL *, long);
int X509_CRL_sign(X509_CRL *, EVP_PKEY *, const EVP_MD *);
+int X509_CRL_sort(X509_CRL *);
int X509_CRL_verify(X509_CRL *, EVP_PKEY *);
-int X509_CRL_get_ext_count(X509_CRL *);
-X509_EXTENSION *X509_CRL_get_ext(X509_CRL *, int);
-int X509_CRL_add_ext(X509_CRL *, X509_EXTENSION *, int);
-int X509_CRL_cmp(const X509_CRL *, const X509_CRL *);
+int i2d_X509_CRL_bio(BIO *, X509_CRL *);
+void X509_CRL_free(X509_CRL *);
int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *, EVP_PKEY *);
int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *, EVP_PKEY *, const EVP_MD *);
diff --git a/src/_cffi_src/openssl/x509_vfy.py b/src/_cffi_src/openssl/x509_vfy.py
index 02631409..23ac8483 100644
--- a/src/_cffi_src/openssl/x509_vfy.py
+++ b/src/_cffi_src/openssl/x509_vfy.py
@@ -143,10 +143,14 @@ int X509_verify_cert(X509_STORE_CTX *);
/* X509_STORE */
X509_STORE *X509_STORE_new(void);
-void X509_STORE_free(X509_STORE *);
int X509_STORE_add_cert(X509_STORE *, X509 *);
+int X509_STORE_add_crl(X509_STORE *, X509_CRL *);
int X509_STORE_load_locations(X509_STORE *, const char *, const char *);
+int X509_STORE_set1_param(X509_STORE *, X509_VERIFY_PARAM *);
int X509_STORE_set_default_paths(X509_STORE *);
+int X509_STORE_set_flags(X509_STORE *, unsigned long);
+void X509_STORE_free(X509_STORE *);
+
/* X509_STORE_CTX */
X509_STORE_CTX *X509_STORE_CTX_new(void);
diff --git a/src/_cffi_src/utils.py b/src/_cffi_src/utils.py
index b1ad74d4..65f9f120 100644
--- a/src/_cffi_src/utils.py
+++ b/src/_cffi_src/utils.py
@@ -80,3 +80,12 @@ def build_ffi(module_name, cdef_source, verify_source, libraries=[],
extra_link_args=extra_link_args,
)
return ffi
+
+
+def extra_link_args(platform):
+ if platform != "win32":
+ return []
+ else:
+ # Enable NX and ASLR for Windows builds. These are enabled by default
+ # on Python 3.3+ but not on 2.x.
+ return ["/NXCOMPAT", "/DYNAMICBASE"]
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 665771a8..2fe88327 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -388,8 +388,9 @@ class Backend(object):
rsa_cdata, key_size, bn, self._ffi.NULL
)
assert res == 1
+ evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata)
- return _RSAPrivateKey(self, rsa_cdata)
+ return _RSAPrivateKey(self, rsa_cdata, evp_pkey)
def generate_rsa_parameters_supported(self, public_exponent, key_size):
return (public_exponent >= 3 and public_exponent & 1 != 0 and
@@ -419,8 +420,9 @@ class Backend(object):
rsa_cdata.n = self._int_to_bn(numbers.public_numbers.n)
res = self._lib.RSA_blinding_on(rsa_cdata, self._ffi.NULL)
assert res == 1
+ evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata)
- return _RSAPrivateKey(self, rsa_cdata)
+ return _RSAPrivateKey(self, rsa_cdata, evp_pkey)
def load_rsa_public_numbers(self, numbers):
rsa._check_public_key_components(numbers.e, numbers.n)
@@ -431,8 +433,17 @@ class Backend(object):
rsa_cdata.n = self._int_to_bn(numbers.n)
res = self._lib.RSA_blinding_on(rsa_cdata, self._ffi.NULL)
assert res == 1
+ evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata)
- return _RSAPublicKey(self, rsa_cdata)
+ return _RSAPublicKey(self, rsa_cdata, evp_pkey)
+
+ def _rsa_cdata_to_evp_pkey(self, rsa_cdata):
+ evp_pkey = self._lib.EVP_PKEY_new()
+ assert evp_pkey != self._ffi.NULL
+ evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free)
+ res = self._lib.EVP_PKEY_set1_RSA(evp_pkey, rsa_cdata)
+ assert res == 1
+ return evp_pkey
def _bytes_to_bio(self, data):
"""
@@ -483,18 +494,18 @@ class Backend(object):
rsa_cdata = self._lib.EVP_PKEY_get1_RSA(evp_pkey)
assert rsa_cdata != self._ffi.NULL
rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free)
- return _RSAPrivateKey(self, rsa_cdata)
+ return _RSAPrivateKey(self, rsa_cdata, evp_pkey)
elif key_type == self._lib.EVP_PKEY_DSA:
dsa_cdata = self._lib.EVP_PKEY_get1_DSA(evp_pkey)
assert dsa_cdata != self._ffi.NULL
dsa_cdata = self._ffi.gc(dsa_cdata, self._lib.DSA_free)
- return _DSAPrivateKey(self, dsa_cdata)
+ return _DSAPrivateKey(self, dsa_cdata, evp_pkey)
elif (self._lib.Cryptography_HAS_EC == 1 and
key_type == self._lib.EVP_PKEY_EC):
ec_cdata = self._lib.EVP_PKEY_get1_EC_KEY(evp_pkey)
assert ec_cdata != self._ffi.NULL
ec_cdata = self._ffi.gc(ec_cdata, self._lib.EC_KEY_free)
- return _EllipticCurvePrivateKey(self, ec_cdata)
+ return _EllipticCurvePrivateKey(self, ec_cdata, evp_pkey)
else:
raise UnsupportedAlgorithm("Unsupported key type.")
@@ -510,18 +521,18 @@ class Backend(object):
rsa_cdata = self._lib.EVP_PKEY_get1_RSA(evp_pkey)
assert rsa_cdata != self._ffi.NULL
rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free)
- return _RSAPublicKey(self, rsa_cdata)
+ return _RSAPublicKey(self, rsa_cdata, evp_pkey)
elif key_type == self._lib.EVP_PKEY_DSA:
dsa_cdata = self._lib.EVP_PKEY_get1_DSA(evp_pkey)
assert dsa_cdata != self._ffi.NULL
dsa_cdata = self._ffi.gc(dsa_cdata, self._lib.DSA_free)
- return _DSAPublicKey(self, dsa_cdata)
+ return _DSAPublicKey(self, dsa_cdata, evp_pkey)
elif (self._lib.Cryptography_HAS_EC == 1 and
key_type == self._lib.EVP_PKEY_EC):
ec_cdata = self._lib.EVP_PKEY_get1_EC_KEY(evp_pkey)
assert ec_cdata != self._ffi.NULL
ec_cdata = self._ffi.gc(ec_cdata, self._lib.EC_KEY_free)
- return _EllipticCurvePublicKey(self, ec_cdata)
+ return _EllipticCurvePublicKey(self, ec_cdata, evp_pkey)
else:
raise UnsupportedAlgorithm("Unsupported key type.")
@@ -615,8 +626,9 @@ class Backend(object):
ctx.g = self._lib.BN_dup(parameters._dsa_cdata.g)
self._lib.DSA_generate_key(ctx)
+ evp_pkey = self._dsa_cdata_to_evp_pkey(ctx)
- return _DSAPrivateKey(self, ctx)
+ return _DSAPrivateKey(self, ctx, evp_pkey)
def generate_dsa_private_key_and_parameters(self, key_size):
parameters = self.generate_dsa_parameters(key_size)
@@ -636,7 +648,9 @@ class Backend(object):
dsa_cdata.pub_key = self._int_to_bn(numbers.public_numbers.y)
dsa_cdata.priv_key = self._int_to_bn(numbers.x)
- return _DSAPrivateKey(self, dsa_cdata)
+ evp_pkey = self._dsa_cdata_to_evp_pkey(dsa_cdata)
+
+ return _DSAPrivateKey(self, dsa_cdata, evp_pkey)
def load_dsa_public_numbers(self, numbers):
dsa._check_dsa_parameters(numbers.parameter_numbers)
@@ -649,7 +663,9 @@ class Backend(object):
dsa_cdata.g = self._int_to_bn(numbers.parameter_numbers.g)
dsa_cdata.pub_key = self._int_to_bn(numbers.y)
- return _DSAPublicKey(self, dsa_cdata)
+ evp_pkey = self._dsa_cdata_to_evp_pkey(dsa_cdata)
+
+ return _DSAPublicKey(self, dsa_cdata, evp_pkey)
def load_dsa_parameter_numbers(self, numbers):
dsa._check_dsa_parameters(numbers)
@@ -663,6 +679,14 @@ class Backend(object):
return _DSAParameters(self, dsa_cdata)
+ def _dsa_cdata_to_evp_pkey(self, dsa_cdata):
+ evp_pkey = self._lib.EVP_PKEY_new()
+ assert evp_pkey != self._ffi.NULL
+ evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free)
+ res = self._lib.EVP_PKEY_set1_DSA(evp_pkey, dsa_cdata)
+ assert res == 1
+ return evp_pkey
+
def dsa_hash_supported(self, algorithm):
if self._lib.OPENSSL_VERSION_NUMBER < 0x1000000f:
return isinstance(algorithm, hashes.SHA1)
@@ -714,7 +738,8 @@ class Backend(object):
)
if rsa_cdata != self._ffi.NULL:
rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free)
- return _RSAPublicKey(self, rsa_cdata)
+ evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata)
+ return _RSAPublicKey(self, rsa_cdata, evp_pkey)
else:
self._handle_key_loading_error()
@@ -796,7 +821,8 @@ class Backend(object):
)
if rsa_cdata != self._ffi.NULL:
rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free)
- return _RSAPublicKey(self, rsa_cdata)
+ evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata)
+ return _RSAPublicKey(self, rsa_cdata, evp_pkey)
else:
self._handle_key_loading_error()
@@ -1000,7 +1026,9 @@ class Backend(object):
res = self._lib.EC_KEY_check_key(ec_cdata)
assert res == 1
- return _EllipticCurvePrivateKey(self, ec_cdata)
+ evp_pkey = self._ec_cdata_to_evp_pkey(ec_cdata)
+
+ return _EllipticCurvePrivateKey(self, ec_cdata, evp_pkey)
else:
raise UnsupportedAlgorithm(
"Backend object does not support {0}.".format(curve.name),
@@ -1022,8 +1050,9 @@ class Backend(object):
res = self._lib.EC_KEY_set_private_key(
ec_cdata, self._int_to_bn(numbers.private_value))
assert res == 1
+ evp_pkey = self._ec_cdata_to_evp_pkey(ec_cdata)
- return _EllipticCurvePrivateKey(self, ec_cdata)
+ return _EllipticCurvePrivateKey(self, ec_cdata, evp_pkey)
def load_elliptic_curve_public_numbers(self, numbers):
curve_nid = self._elliptic_curve_to_nid(numbers.curve)
@@ -1034,8 +1063,16 @@ class Backend(object):
ec_cdata = self._ec_key_set_public_key_affine_coordinates(
ec_cdata, numbers.x, numbers.y)
+ evp_pkey = self._ec_cdata_to_evp_pkey(ec_cdata)
- return _EllipticCurvePublicKey(self, ec_cdata)
+ return _EllipticCurvePublicKey(self, ec_cdata, evp_pkey)
+
+ def _ec_cdata_to_evp_pkey(self, ec_cdata):
+ evp_pkey = self._lib.EVP_PKEY_new()
+ assert evp_pkey != self._ffi.NULL
+ evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free)
+ res = self._lib.EVP_PKEY_set1_EC_KEY(evp_pkey, ec_cdata)
+ assert res == 1
def _elliptic_curve_to_nid(self, curve):
"""
diff --git a/src/cryptography/hazmat/backends/openssl/dsa.py b/src/cryptography/hazmat/backends/openssl/dsa.py
index 254d29ed..f84857ff 100644
--- a/src/cryptography/hazmat/backends/openssl/dsa.py
+++ b/src/cryptography/hazmat/backends/openssl/dsa.py
@@ -107,9 +107,10 @@ class _DSAParameters(object):
@utils.register_interface(dsa.DSAPrivateKeyWithSerialization)
class _DSAPrivateKey(object):
- def __init__(self, backend, dsa_cdata):
+ def __init__(self, backend, dsa_cdata, evp_pkey):
self._backend = backend
self._dsa_cdata = dsa_cdata
+ self._evp_pkey = evp_pkey
self._key_size = self._backend._lib.BN_num_bits(self._dsa_cdata.p)
key_size = utils.read_only_property("_key_size")
@@ -140,7 +141,8 @@ class _DSAPrivateKey(object):
dsa_cdata.q = self._backend._lib.BN_dup(self._dsa_cdata.q)
dsa_cdata.g = self._backend._lib.BN_dup(self._dsa_cdata.g)
dsa_cdata.pub_key = self._backend._lib.BN_dup(self._dsa_cdata.pub_key)
- return _DSAPublicKey(self._backend, dsa_cdata)
+ evp_pkey = self._backend._dsa_cdata_to_evp_pkey(dsa_cdata)
+ return _DSAPublicKey(self._backend, dsa_cdata, evp_pkey)
def parameters(self):
dsa_cdata = self._backend._lib.DSA_new()
@@ -154,27 +156,21 @@ class _DSAPrivateKey(object):
return _DSAParameters(self._backend, dsa_cdata)
def private_bytes(self, encoding, format, encryption_algorithm):
- evp_pkey = self._backend._lib.EVP_PKEY_new()
- assert evp_pkey != self._backend._ffi.NULL
- evp_pkey = self._backend._ffi.gc(
- evp_pkey, self._backend._lib.EVP_PKEY_free
- )
- res = self._backend._lib.EVP_PKEY_set1_DSA(evp_pkey, self._dsa_cdata)
- assert res == 1
return self._backend._private_key_bytes(
encoding,
format,
encryption_algorithm,
- evp_pkey,
+ self._evp_pkey,
self._dsa_cdata
)
@utils.register_interface(dsa.DSAPublicKeyWithSerialization)
class _DSAPublicKey(object):
- def __init__(self, backend, dsa_cdata):
+ def __init__(self, backend, dsa_cdata, evp_pkey):
self._backend = backend
self._dsa_cdata = dsa_cdata
+ self._evp_pkey = evp_pkey
self._key_size = self._backend._lib.BN_num_bits(self._dsa_cdata.p)
key_size = utils.read_only_property("_key_size")
@@ -211,16 +207,9 @@ class _DSAPublicKey(object):
"DSA public keys do not support PKCS1 serialization"
)
- evp_pkey = self._backend._lib.EVP_PKEY_new()
- assert evp_pkey != self._backend._ffi.NULL
- evp_pkey = self._backend._ffi.gc(
- evp_pkey, self._backend._lib.EVP_PKEY_free
- )
- res = self._backend._lib.EVP_PKEY_set1_DSA(evp_pkey, self._dsa_cdata)
- assert res == 1
return self._backend._public_key_bytes(
encoding,
format,
- evp_pkey,
+ self._evp_pkey,
None
)
diff --git a/src/cryptography/hazmat/backends/openssl/ec.py b/src/cryptography/hazmat/backends/openssl/ec.py
index c2af2be9..7d3afb94 100644
--- a/src/cryptography/hazmat/backends/openssl/ec.py
+++ b/src/cryptography/hazmat/backends/openssl/ec.py
@@ -150,10 +150,11 @@ class _ECDSAVerificationContext(object):
@utils.register_interface(ec.EllipticCurvePrivateKeyWithSerialization)
class _EllipticCurvePrivateKey(object):
- def __init__(self, backend, ec_key_cdata):
+ def __init__(self, backend, ec_key_cdata, evp_pkey):
self._backend = backend
_mark_asn1_named_ec_curve(backend, ec_key_cdata)
self._ec_key = ec_key_cdata
+ self._evp_pkey = evp_pkey
sn = _ec_key_curve_sn(backend, ec_key_cdata)
self._curve = _sn_to_elliptic_curve(backend, sn)
@@ -188,9 +189,9 @@ class _EllipticCurvePrivateKey(object):
res = self._backend._lib.EC_KEY_set_public_key(public_ec_key, point)
assert res == 1
- return _EllipticCurvePublicKey(
- self._backend, public_ec_key
- )
+ evp_pkey = self._backend._ec_cdata_to_evp_pkey(public_ec_key)
+
+ return _EllipticCurvePublicKey(self._backend, public_ec_key, evp_pkey)
def private_numbers(self):
bn = self._backend._lib.EC_KEY_get0_private_key(self._ec_key)
@@ -201,28 +202,22 @@ class _EllipticCurvePrivateKey(object):
)
def private_bytes(self, encoding, format, encryption_algorithm):
- evp_pkey = self._backend._lib.EVP_PKEY_new()
- assert evp_pkey != self._backend._ffi.NULL
- evp_pkey = self._backend._ffi.gc(
- evp_pkey, self._backend._lib.EVP_PKEY_free
- )
- res = self._backend._lib.EVP_PKEY_set1_EC_KEY(evp_pkey, self._ec_key)
- assert res == 1
return self._backend._private_key_bytes(
encoding,
format,
encryption_algorithm,
- evp_pkey,
+ self._evp_pkey,
self._ec_key
)
@utils.register_interface(ec.EllipticCurvePublicKeyWithSerialization)
class _EllipticCurvePublicKey(object):
- def __init__(self, backend, ec_key_cdata):
+ def __init__(self, backend, ec_key_cdata, evp_pkey):
self._backend = backend
_mark_asn1_named_ec_curve(backend, ec_key_cdata)
self._ec_key = ec_key_cdata
+ self._evp_pkey = evp_pkey
sn = _ec_key_curve_sn(backend, ec_key_cdata)
self._curve = _sn_to_elliptic_curve(backend, sn)
@@ -268,16 +263,9 @@ class _EllipticCurvePublicKey(object):
"EC public keys do not support PKCS1 serialization"
)
- evp_pkey = self._backend._lib.EVP_PKEY_new()
- assert evp_pkey != self._backend._ffi.NULL
- evp_pkey = self._backend._ffi.gc(
- evp_pkey, self._backend._lib.EVP_PKEY_free
- )
- res = self._backend._lib.EVP_PKEY_set1_EC_KEY(evp_pkey, self._ec_key)
- assert res == 1
return self._backend._public_key_bytes(
encoding,
format,
- evp_pkey,
+ self._evp_pkey,
None
)
diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py
index 1dbbb844..21414c05 100644
--- a/src/cryptography/hazmat/backends/openssl/rsa.py
+++ b/src/cryptography/hazmat/backends/openssl/rsa.py
@@ -508,17 +508,9 @@ class _RSAVerificationContext(object):
@utils.register_interface(RSAPrivateKeyWithSerialization)
class _RSAPrivateKey(object):
- def __init__(self, backend, rsa_cdata):
+ def __init__(self, backend, rsa_cdata, evp_pkey):
self._backend = backend
self._rsa_cdata = rsa_cdata
-
- evp_pkey = self._backend._lib.EVP_PKEY_new()
- assert evp_pkey != self._backend._ffi.NULL
- evp_pkey = self._backend._ffi.gc(
- evp_pkey, self._backend._lib.EVP_PKEY_free
- )
- res = self._backend._lib.EVP_PKEY_set1_RSA(evp_pkey, rsa_cdata)
- assert res == 1
self._evp_pkey = evp_pkey
self._key_size = self._backend._lib.BN_num_bits(self._rsa_cdata.n)
@@ -543,7 +535,8 @@ class _RSAPrivateKey(object):
ctx.n = self._backend._lib.BN_dup(self._rsa_cdata.n)
res = self._backend._lib.RSA_blinding_on(ctx, self._backend._ffi.NULL)
assert res == 1
- return _RSAPublicKey(self._backend, ctx)
+ evp_pkey = self._backend._rsa_cdata_to_evp_pkey(ctx)
+ return _RSAPublicKey(self._backend, ctx, evp_pkey)
def private_numbers(self):
return rsa.RSAPrivateNumbers(
@@ -571,17 +564,9 @@ class _RSAPrivateKey(object):
@utils.register_interface(RSAPublicKeyWithSerialization)
class _RSAPublicKey(object):
- def __init__(self, backend, rsa_cdata):
+ def __init__(self, backend, rsa_cdata, evp_pkey):
self._backend = backend
self._rsa_cdata = rsa_cdata
-
- evp_pkey = self._backend._lib.EVP_PKEY_new()
- assert evp_pkey != self._backend._ffi.NULL
- evp_pkey = self._backend._ffi.gc(
- evp_pkey, self._backend._lib.EVP_PKEY_free
- )
- res = self._backend._lib.EVP_PKEY_set1_RSA(evp_pkey, rsa_cdata)
- assert res == 1
self._evp_pkey = evp_pkey
self._key_size = self._backend._lib.BN_num_bits(self._rsa_cdata.n)
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 9cd35087..a03414c8 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -291,6 +291,12 @@ class _Certificate(object):
value = _decode_certificate_policies(self._backend, ext)
elif oid == x509.OID_CRL_DISTRIBUTION_POINTS:
value = _decode_crl_distribution_points(self._backend, ext)
+ elif oid == x509.OID_OCSP_NO_CHECK:
+ value = x509.OCSPNoCheck()
+ elif oid == x509.OID_INHIBIT_ANY_POLICY:
+ value = _decode_inhibit_any_policy(self._backend, ext)
+ elif oid == x509.OID_ISSUER_ALTERNATIVE_NAME:
+ value = _decode_issuer_alt_name(self._backend, ext)
elif critical:
raise x509.UnsupportedExtension(
"{0} is not currently supported".format(oid), oid
@@ -511,15 +517,26 @@ def _decode_key_usage(backend, ext):
)
-def _decode_subject_alt_name(backend, ext):
+def _decode_general_names_extension(backend, ext):
gns = backend._ffi.cast(
"GENERAL_NAMES *", backend._lib.X509V3_EXT_d2i(ext)
)
assert gns != backend._ffi.NULL
gns = backend._ffi.gc(gns, backend._lib.GENERAL_NAMES_free)
general_names = _decode_general_names(backend, gns)
+ return general_names
+
+
+def _decode_subject_alt_name(backend, ext):
+ return x509.SubjectAlternativeName(
+ _decode_general_names_extension(backend, ext)
+ )
- return x509.SubjectAlternativeName(general_names)
+
+def _decode_issuer_alt_name(backend, ext):
+ return x509.IssuerAlternativeName(
+ _decode_general_names_extension(backend, ext)
+ )
def _decode_extended_key_usage(backend, ext):
@@ -636,6 +653,17 @@ def _decode_crl_distribution_points(backend, ext):
return x509.CRLDistributionPoints(dist_points)
+def _decode_inhibit_any_policy(backend, ext):
+ asn1_int = backend._ffi.cast(
+ "ASN1_INTEGER *",
+ backend._lib.X509V3_EXT_d2i(ext)
+ )
+ assert asn1_int != backend._ffi.NULL
+ asn1_int = backend._ffi.gc(asn1_int, backend._lib.ASN1_INTEGER_free)
+ skip_certs = _asn1_integer_to_int(backend, asn1_int)
+ return x509.InhibitAnyPolicy(skip_certs)
+
+
@utils.register_interface(x509.CertificateSigningRequest)
class _CertificateSigningRequest(object):
def __init__(self, backend, x509_req):
diff --git a/src/cryptography/hazmat/primitives/twofactor/hotp.py b/src/cryptography/hazmat/primitives/twofactor/hotp.py
index 8c0cec14..12bc7661 100644
--- a/src/cryptography/hazmat/primitives/twofactor/hotp.py
+++ b/src/cryptography/hazmat/primitives/twofactor/hotp.py
@@ -62,6 +62,6 @@ class HOTP(object):
return struct.unpack(">I", p)[0] & 0x7fffffff
def get_provisioning_uri(self, account_name, counter, issuer):
- return _generate_uri(self, 'hotp', account_name, issuer, [
- ('counter', int(counter)),
+ return _generate_uri(self, "hotp", account_name, issuer, [
+ ("counter", int(counter)),
])
diff --git a/src/cryptography/hazmat/primitives/twofactor/totp.py b/src/cryptography/hazmat/primitives/twofactor/totp.py
index 98493b6d..60705901 100644
--- a/src/cryptography/hazmat/primitives/twofactor/totp.py
+++ b/src/cryptography/hazmat/primitives/twofactor/totp.py
@@ -34,6 +34,6 @@ class TOTP(object):
raise InvalidToken("Supplied TOTP value does not match.")
def get_provisioning_uri(self, account_name, issuer):
- return _generate_uri(self._hotp, 'totp', account_name, issuer, [
- ('period', int(self._time_step)),
+ return _generate_uri(self._hotp, "totp", account_name, issuer, [
+ ("period", int(self._time_step)),
])
diff --git a/src/cryptography/hazmat/primitives/twofactor/utils.py b/src/cryptography/hazmat/primitives/twofactor/utils.py
index 91d2e148..0ed8c4c8 100644
--- a/src/cryptography/hazmat/primitives/twofactor/utils.py
+++ b/src/cryptography/hazmat/primitives/twofactor/utils.py
@@ -11,20 +11,20 @@ from six.moves.urllib.parse import quote, urlencode
def _generate_uri(hotp, type_name, account_name, issuer, extra_parameters):
parameters = [
- ('digits', hotp._length),
- ('secret', base64.b32encode(hotp._key)),
- ('algorithm', hotp._algorithm.name.upper()),
+ ("digits", hotp._length),
+ ("secret", base64.b32encode(hotp._key)),
+ ("algorithm", hotp._algorithm.name.upper()),
]
if issuer is not None:
- parameters.append(('issuer', issuer))
+ parameters.append(("issuer", issuer))
parameters.extend(extra_parameters)
uriparts = {
- 'type': type_name,
- 'label': ('%s:%s' % (quote(issuer), quote(account_name)) if issuer
+ "type": type_name,
+ "label": ("%s:%s" % (quote(issuer), quote(account_name)) if issuer
else quote(account_name)),
- 'parameters': urlencode(parameters),
+ "parameters": urlencode(parameters),
}
- return 'otpauth://{type}/{label}?{parameters}'.format(**uriparts)
+ return "otpauth://{type}/{label}?{parameters}".format(**uriparts)
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-06 18:19:28 +0000