From 978a5e96473c2ce877151fa4e24917bac92ddaa8 Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Thu, 25 May 2017 21:11:09 -0400
Subject: jurisdictionCountryName also must be PrintableString (#3516)
* jurisdictionCountryName also must be PrintableString
* flake8 + citation
* Write a test, which fails. If my analysis is correct, this is blocked on: https://github.com/openssl/openssl/pull/3284
* This is only true on 1.1.0
* clearly express the version requirement
---
 src/_cffi_src/openssl/cryptography.py | 7 ++++++-
 src/cryptography/hazmat/backends/openssl/encode_asn1.py | 7 +++++--
 2 files changed, 11 insertions(+), 3 deletions(-)
(limited to 'src')
diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py
index aa01c833..fe5055f1 100644
--- a/src/_cffi_src/openssl/cryptography.py
+++ b/src/_cffi_src/openssl/cryptography.py
@@ -27,8 +27,12 @@ INCLUDES = """
 #define CRYPTOGRAPHY_OPENSSL_102BETA2_OR_GREATER \
 (OPENSSL_VERSION_NUMBER >= 0x10002002 && !CRYPTOGRAPHY_IS_LIBRESSL)
+#define CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER \
+ (OPENSSL_VERSION_NUMBER >= 0x100020cf && !CRYPTOGRAPHY_IS_LIBRESSL)
 #define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER \
 (OPENSSL_VERSION_NUMBER >= 0x10100000 && !CRYPTOGRAPHY_IS_LIBRESSL)
+#define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
+ (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL)
 #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 \
 (OPENSSL_VERSION_NUMBER < 0x10002000 || CRYPTOGRAPHY_IS_LIBRESSL)
@@ -47,10 +51,11 @@ INCLUDES = """
 """
 TYPES = """
+static const int CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER;
 static const int CRYPTOGRAPHY_OPENSSL_110_OR_GREATER;
+static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER;
 static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_102I;
-
 static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_102;
 static const int CRYPTOGRAPHY_IS_LIBRESSL;
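Review bot: `CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER` in the first hunk is a plain `>=` on `OPENSSL_VERSION_NUMBER`, so it is also true on every 1.1.0 build, including those below the `0x1010006f` cut-off that the second new macro encodes. If both flags are meant to gate the same upstream change (the commit message points at openssl/openssl pull 3284), a caller that tests only the 1.0.2l flag would misjudge early 1.1.0 builds; no consumer of either flag is visible in this diff. I would document that beside the define, e.g. `/* also true on all 1.1.x; combine with CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER when gating a fix shipped in both branches */`. A short comment decoding the constants (`0x100020cf` is 1.0.2l release, `0x1010006f` is 1.1.0f release) would make them auditable; the same applies to the matching declarations in the TYPES hunk. The INCLUDES string starts and ends outside the hunk.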
diff --git a/src/cryptography/hazmat/backends/openssl/encode_asn1.py b/src/cryptography/hazmat/backends/openssl/encode_asn1.py
index 3b784861..dc1f61a0 100644
--- a/src/cryptography/hazmat/backends/openssl/encode_asn1.py
+++ b/src/cryptography/hazmat/backends/openssl/encode_asn1.py
@@ -120,9 +120,12 @@ def _encode_sk_name_entry(backend, attributes):
 def _encode_name_entry(backend, attribute):
 value = attribute.value.encode('utf8')
 obj = _txt2obj_gc(backend, attribute.oid.dotted_string)
- if attribute.oid == NameOID.COUNTRY_NAME:
+ if attribute.oid in [
+ NameOID.COUNTRY_NAME, NameOID.JURISDICTION_COUNTRY_NAME
+ ]:
 # Per RFC5280 Appendix A.1 countryName should be encoded as
- # PrintableString, not UTF8String
+ # PrintableString, not UTF8String. EV Guidelines section 9.2.5 says
+ # jurisdictionCountryName follows the same rules as countryName.
 type = backend._lib.MBSTRING_ASC
 else:
 type = backend._lib.MBSTRING_UTF8
-- 
cgit v1.2.3
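Review bot: Nothing visible in `_encode_name_entry` checks that the value fits the narrower character set before the widened branch hands it to OpenSSL as `MBSTRING_ASC`. `attribute.value.encode('utf8')` runs unconditionally, so a non-ASCII jurisdictionCountryName would arrive as multi-byte UTF-8 that is read one byte per character. Whether `NameAttribute` already restricts this OID to a two-letter ASCII code is not shown here, and the function continues past the end of the hunk. If it does not, fail early in the country branch, e.g. `value = attribute.value.encode('ascii')`, or validate when the attribute is constructed. The comment could also state that `MBSTRING_ASC` describes the input bytes while the emitted string type is chosen by OpenSSL, which per the commit message depends on the library version.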