From 4fe9debd848dfed7afd61d1e2e3799311f93adbc Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 10 Mar 2016 22:58:12 -0400 Subject: modify how revocation date is set on X509_REVOKED in the openssl backend In OpenSSL 1.1.0 there isn't a pre-existing ASN1_TIME object so we have ASN1_TIME_set make us a new one. In older OpenSSLs this is still safe because ASN1_TIME_set checks and frees any current value in the object. --- src/cryptography/hazmat/backends/openssl/backend.py | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index e47f747c..064f9ad6 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -1003,11 +1003,14 @@ class Backend(object): x509_revoked, serial_number ) self.openssl_assert(res == 1) - res = self._lib.ASN1_TIME_set( - x509_revoked.revocationDate, + rev_date = self._lib.ASN1_TIME_set( + self._ffi.NULL, calendar.timegm(builder._revocation_date.timetuple()) ) - self.openssl_assert(res != self._ffi.NULL) + self.openssl_assert(rev_date != self._ffi.NULL) + rev_date = self._ffi.gc(rev_date, self._lib.ASN1_TIME_free) + res = self._lib.X509_REVOKED_set_revocationDate(x509_revoked, rev_date) + self.openssl_assert(res == 1) # add CRL entry extensions self._create_x509_extensions( extensions=builder._extensions, -- cgit v1.2.3