From 9fac155adcd593289f7a97577b3a2782da65d663 Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Fri, 11 Mar 2016 17:31:06 -0400
Subject: add 5 accessor functions that exist in 1.1.0 to help opaque x509 structs
X509_REVOKED_get0_serialNumber
X509_REVOKED_get0_revocationDate
X509_CRL_get0_signature
i2d_re_X509_REQ_tbs
i2d_re_X509_CRL_tbs
X509_REQ_get0_signature
---
 src/_cffi_src/openssl/x509.py | 56 ++++++++++++++++++++++++
 src/cryptography/hazmat/backends/openssl/x509.py | 44 ++++++++++++++-----
 2 files changed, 90 insertions(+), 10 deletions(-)
diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py
index 4cdc8274..72e63f7f 100644
--- a/src/_cffi_src/openssl/x509.py
+++ b/src/_cffi_src/openssl/x509.py
@@ -349,6 +349,15 @@ ASN1_OBJECT *sk_ASN1_OBJECT_value(Cryptography_STACK_OF_ASN1_OBJECT *, int);
 void sk_ASN1_OBJECT_free(Cryptography_STACK_OF_ASN1_OBJECT *);
 Cryptography_STACK_OF_ASN1_OBJECT *sk_ASN1_OBJECT_new_null(void);
 int sk_ASN1_OBJECT_push(Cryptography_STACK_OF_ASN1_OBJECT *, ASN1_OBJECT *);
+
+/* these functions were added in 1.1.0 */
+ASN1_INTEGER *X509_REVOKED_get0_serialNumber(X509_REVOKED *);
+ASN1_TIME *X509_REVOKED_get0_revocationDate(X509_REVOKED *);
+void X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg,
+                             X509_CRL *crl);
+int i2d_re_X509_REQ_tbs(X509_REQ *, unsigned char **);
+int i2d_re_X509_CRL_tbs(X509_CRL *, unsigned char **);
+void X509_REQ_get0_signature(ASN1_BIT_STRING **, X509_ALGOR **, X509_REQ *);
 """
 CUSTOMIZATIONS = """
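Review bot: The comment `/* these functions were added in 1.1.0 */` above the new prototypes does not tell a reader why they are declared unconditionally: on OpenSSL before 1.1.0 and on LibreSSL they resolve to the compat implementations added to CUSTOMIZATIONS in the same commit, so a missing-symbol failure on 1.0.2 is not expected. Suggest `/* Added in OpenSSL 1.1.0; CUSTOMIZATIONS supplies equivalents for older OpenSSL and LibreSSL, so they are always available. */`. The commit subject says five accessors but the hunk declares six. As a point of style, `X509_CRL_get0_signature` names its parameters (`psig`, `palg`, `crl`) while the other five prototypes do not; dropping the names keeps the declaration block uniform.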
@@ -377,4 +386,51 @@ X509_REVOKED *Cryptography_X509_REVOKED_dup(X509_REVOKED *rev) {
     return ASN1_item_dup(ASN1_ITEM_rptr(X509_REVOKED), rev);
 }
+/* Added in 1.1.0 but we need it in all versions now due to the great
+   opaquing. */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+/* from x509/x509_req.c */
+void X509_REQ_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg,
+                             X509_REQ *req)
+{
+    if (psig != NULL)
+        *psig = req->signature;
+    if (palg != NULL)
+        /* In 1.0.2 and below sig_alg is a pointer in the struct, so
+           we don't want to pass by reference. */
+        *palg = req->sig_alg;
+}
+int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp)
+{
+    req->req_info->enc.modified = 1;
+    return i2d_X509_REQ_INFO(req->req_info, pp);
+}
+int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **pp) {
+    crl->crl->enc.modified = 1;
+    return i2d_X509_CRL_INFO(crl->crl, pp);
+}
+
+void X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg,
+                             X509_CRL *crl)
+{
+    if (psig != NULL)
+        /* In 1.0.2 and below sigis a pointer in the struct, so
+           we don't want to pass by reference. */
+        *psig = crl->signature;
+    if (palg != NULL)
+        /* In 1.0.2 and below sig_alg is a pointer in the struct, so
+           we don't want to pass by reference. */
+        *palg = crl->sig_alg;
+}
+ASN1_TIME *X509_REVOKED_get0_revocationDate(X509_REVOKED *x)
+{
+    return x->revocationDate;
+}
+ASN1_INTEGER *X509_REVOKED_get0_serialNumber(X509_REVOKED *x)
+{
+    /* In 1.0.2 and below serialNumber is a pointer in the struct, so
+       we don't want to pass by reference. */
+    return x->serialNumber;
+}
+#endif
 """
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index c71f8d92..e97a96d3 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
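Review bot: The two `enc.modified = 1;` assignments in `i2d_re_X509_REQ_tbs` and `i2d_re_X509_CRL_tbs` are the one non-obvious thing in this block and carry no comment: they tell the ASN.1 encoder to discard the DER cached when the object was parsed and re-serialize the TBS from the in-memory structure, which is the behaviour the `re` in the 1.1.0 names refers to and also the reason the Python callers below will stop returning input bytes verbatim. Suggest, above each assignment, `/* Drop the encoding cached at parse time so the TBS is re-encoded from the structure (what the 1.1.0 i2d_re_* functions do). */`. The `/* from x509/x509_req.c */` line sits above only the first shim, but the CRL and X509_REVOKED accessors that follow presumably come from other upstream files, so either move it into each function or reword it to cover the whole `#if` block. Style: `i2d_re_X509_CRL_tbs` opens its brace on the signature line while every other shim in the hunk puts `{` on its own line.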
@@ -153,14 +153,20 @@ class _RevokedCertificate(object):
     @property
     def serial_number(self):
-        asn1_int = self._x509_revoked.serialNumber
+        asn1_int = self._backend._lib.X509_REVOKED_get0_serialNumber(
+            self._x509_revoked
+        )
         self._backend.openssl_assert(asn1_int != self._backend._ffi.NULL)
         return _asn1_integer_to_int(self._backend, asn1_int)
     @property
     def revocation_date(self):
         return _parse_asn1_time(
-            self._backend, self._x509_revoked.revocationDate)
+            self._backend,
+            self._backend._lib.X509_REVOKED_get0_revocationDate(
+                self._x509_revoked
+            )
+        )
     @property
     def extensions(self):
@@ -198,7 +204,12 @@ class _CertificateRevocationList(object):
     @property
     def signature_hash_algorithm(self):
-        oid = _obj2txt(self._backend, self._x509_crl.sig_alg.algorithm)
+        alg = self._backend._ffi.new("X509_ALGOR **")
+        self._backend._lib.X509_CRL_get0_signature(
+            self._backend._ffi.NULL, alg, self._x509_crl
+        )
+        self._backend.openssl_assert(alg[0] != self._backend._ffi.NULL)
+        oid = _obj2txt(self._backend, alg[0].algorithm)
         try:
             return x509._SIG_OIDS_TO_HASH[oid]
         except KeyError:
@@ -226,13 +237,17 @@ class _CertificateRevocationList(object):
     @property
     def signature(self):
-        return _asn1_string_to_bytes(self._backend, self._x509_crl.signature)
+        sig = self._backend._ffi.new("ASN1_BIT_STRING **")
+        self._backend._lib.X509_CRL_get0_signature(
+            sig, self._backend._ffi.NULL, self._x509_crl
+        )
+        self._backend.openssl_assert(sig[0] != self._backend._ffi.NULL)
+        return _asn1_string_to_bytes(self._backend, sig[0])
     @property
     def tbs_certlist_bytes(self):
         pp = self._backend._ffi.new("unsigned char **")
-        # the X509_CRL_INFO struct holds the tbsCertList data
-        res = self._backend._lib.i2d_X509_CRL_INFO(self._x509_crl.crl, pp)
+        res = self._backend._lib.i2d_re_X509_CRL_tbs(self._x509_crl, pp)
         self._backend.openssl_assert(res > 0)
         pp = self._backend._ffi.gc(
             pp, lambda pointer: self._backend._lib.OPENSSL_free(pointer[0])
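Review bot: `revocation_date` hands the `X509_REVOKED_get0_revocationDate` result straight to `_parse_asn1_time`, while the sibling `serial_number` in the same hunk guards its accessor with `openssl_assert(asn1_int != NULL)` first; the two properties should fail the same way if the accessor ever yields NULL rather than leaving it to whatever `_parse_asn1_time` does with a null pointer. Suggest binding the pointer and asserting, mirroring `serial_number`: `date = self._backend._lib.X509_REVOKED_get0_revocationDate(self._x509_revoked)`, `self._backend.openssl_assert(date != self._backend._ffi.NULL)`, `return _parse_asn1_time(self._backend, date)`. The nested-call form also reads worse than the two-step pattern used three lines above.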
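Review bot: Replacing `i2d_X509_CRL_INFO(self._x509_crl.crl, pp)` with `i2d_re_X509_CRL_tbs` in `tbs_certlist_bytes` changes what the property returns, and the commit message does not mention it: the compat shim added in the same commit sets `crl->crl->enc.modified = 1` before calling the very same `i2d_X509_CRL_INFO`, i.e. it deliberately bypasses the encoding cached when the CRL was parsed and re-serializes the tbsCertList from the structure. For a CRL whose issuer emitted non-canonical DER, the bytes now differ from the bytes that were actually signed, so a caller that verifies `signature` over `tbs_certlist_bytes` would see a (fail-closed) verification failure where the cached bytes previously verified; that is acceptable but should be deliberate and documented. The removed comment should be replaced rather than dropped, e.g. `# i2d_re_* re-encodes the tbsCertList from the parsed structure instead of returning the DER cached at parse time; non-canonical input will not round-trip byte-for-byte.` The `tbs_certlist_bytes` body continues past the end of the hunk.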
@@ -321,7 +336,12 @@ class _CertificateSigningRequest(object):
     @property
     def signature_hash_algorithm(self):
-        oid = _obj2txt(self._backend, self._x509_req.sig_alg.algorithm)
+        alg = self._backend._ffi.new("X509_ALGOR **")
+        self._backend._lib.X509_REQ_get0_signature(
+            self._backend._ffi.NULL, alg, self._x509_req
+        )
+        self._backend.openssl_assert(alg[0] != self._backend._ffi.NULL)
+        oid = _obj2txt(self._backend, alg[0].algorithm)
         try:
             return x509._SIG_OIDS_TO_HASH[oid]
         except KeyError:
@@ -351,8 +371,7 @@ class _CertificateSigningRequest(object):
     @property
     def tbs_certrequest_bytes(self):
         pp = self._backend._ffi.new("unsigned char **")
-        # the X509_REQ_INFO struct holds the CertificateRequestInfo data
-        res = self._backend._lib.i2d_X509_REQ_INFO(self._x509_req.req_info, pp)
+        res = self._backend._lib.i2d_re_X509_REQ_tbs(self._x509_req, pp)
         self._backend.openssl_assert(res > 0)
         pp = self._backend._ffi.gc(
             pp, lambda pointer: self._backend._lib.OPENSSL_free(pointer[0])
@@ -361,7 +380,12 @@ class _CertificateSigningRequest(object):
     @property
     def signature(self):
-        return _asn1_string_to_bytes(self._backend, self._x509_req.signature)
+        sig = self._backend._ffi.new("ASN1_BIT_STRING **")
+        self._backend._lib.X509_REQ_get0_signature(
+            sig, self._backend._ffi.NULL, self._x509_req
+        )
+        self._backend.openssl_assert(sig[0] != self._backend._ffi.NULL)
+        return _asn1_string_to_bytes(self._backend, sig[0])
     @property
     def is_signature_valid(self):
-- 
cgit v1.2.3
From 03200124da98b78edb2b31d96989bb35dbab6f8c Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Sun, 13 Mar 2016 10:28:24 -0400
Subject: remove pointless comments
---
 src/_cffi_src/openssl/x509.py | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py
index 72e63f7f..7acbf6e7 100644
--- a/src/_cffi_src/openssl/x509.py
+++ b/src/_cffi_src/openssl/x509.py
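Review bot: `tbs_certrequest_bytes` now returns a re-encoded CertificationRequestInfo rather than the one parsed from the input, because `i2d_re_X509_REQ_tbs` (per the compat shim in this same commit) sets `req->req_info->enc.modified = 1` before calling the `i2d_X509_REQ_INFO` that the removed line called directly, which discards the DER cached at parse time. A CSR produced with non-canonical DER therefore yields TBS bytes that differ from what the requester signed; if `is_signature_valid`, whose body lies outside the hunk, verifies over these bytes it will now reject such CSRs where it previously accepted them. That fail-closed outcome is defensible, but the deleted explanatory comment should be replaced with one that states it, e.g. `# Re-encoded from the parsed structure, not the DER cached at parse time; non-canonical input will not round-trip byte-for-byte.` Both `tbs_certrequest_bytes` and `is_signature_valid` continue past the end of their hunks.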
@@ -396,8 +396,6 @@ void X509_REQ_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg,
     if (psig != NULL)
         *psig = req->signature;
     if (palg != NULL)
-        /* In 1.0.2 and below sig_alg is a pointer in the struct, so
-           we don't want to pass by reference. */
         *palg = req->sig_alg;
 }
 int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp)
@@ -414,12 +412,8 @@ void X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg,
                              X509_CRL *crl)
 {
     if (psig != NULL)
-        /* In 1.0.2 and below sigis a pointer in the struct, so
-           we don't want to pass by reference. */
         *psig = crl->signature;
     if (palg != NULL)
-        /* In 1.0.2 and below sig_alg is a pointer in the struct, so
-           we don't want to pass by reference. */
         *palg = crl->sig_alg;
 }
 ASN1_TIME *X509_REVOKED_get0_revocationDate(X509_REVOKED *x)
@@ -428,8 +422,6 @@ ASN1_TIME *X509_REVOKED_get0_revocationDate(X509_REVOKED *x)
 }
 ASN1_INTEGER *X509_REVOKED_get0_serialNumber(X509_REVOKED *x)
 {
-    /* In 1.0.2 and below serialNumber is a pointer in the struct, so
-       we don't want to pass by reference. */
     return x->serialNumber;
 }
 #endif
-- 
cgit v1.2.3