From 4c7fd5ffddf2abbca838c7c4ec0f5cdc05e5053c Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 25 Dec 2015 13:40:55 -0600 Subject: support revoked certificates in CertificateRevocationListBuilder --- src/_cffi_src/openssl/x509.py | 1 + src/cryptography/hazmat/backends/openssl/backend.py | 9 +++++++++ src/cryptography/x509/base.py | 13 +++++++++++++ 3 files changed, 23 insertions(+) (limited to 'src') diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py index b58a1a27..eb6dd28d 100644 --- a/src/_cffi_src/openssl/x509.py +++ b/src/_cffi_src/openssl/x509.py @@ -184,6 +184,7 @@ int X509V3_EXT_print(BIO *, X509_EXTENSION *, unsigned long, int); ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *); X509_REVOKED *X509_REVOKED_new(void); +X509_REVOKED *X509_REVOKED_dup(X509_REVOKED *); void X509_REVOKED_free(X509_REVOKED *); int X509_REVOKED_set_serialNumber(X509_REVOKED *, ASN1_INTEGER *); diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 81316da5..295fae13 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -1519,6 +1519,15 @@ class Backend(object): gc=True ) + # add revoked certificates + for revoked_cert in builder._revoked_certificates: + # Duplicating because the X509_CRL takes ownership and will free + # this memory when X509_CRL_free is called. + revoked = self._lib.X509_REVOKED_dup(revoked_cert._x509_revoked) + self.openssl_assert(revoked != self._ffi.NULL) + res = self._lib.X509_CRL_add0_revoked(x509_crl, revoked) + self.openssl_assert(res == 1) + res = self._lib.X509_CRL_sign( x509_crl, private_key._evp_pkey, evp_md ) diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py index e29a3105..bc927e87 100644 --- a/src/cryptography/x509/base.py +++ b/src/cryptography/x509/base.py @@ -591,6 +591,19 @@ class CertificateRevocationListBuilder(object): self._extensions + [extension], self._revoked_certificates ) + def add_revoked_certificate(self, revoked_certificate): + """ + Adds a revoked certificate to the CRL. + """ + if not isinstance(revoked_certificate, RevokedCertificate): + raise TypeError("Must be an instance of RevokedCertificate") + + return CertificateRevocationListBuilder( + self._issuer_name, self._last_update, + self._next_update, self._extensions, + self._revoked_certificates + [revoked_certificate] + ) + def sign(self, private_key, algorithm, backend): if self._issuer_name is None: raise ValueError("A CRL must have an issuer name") -- cgit v1.2.3 From 14553ac531c21531c9ac2eaa13f52ce7a978120d Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 25 Dec 2015 14:30:27 -0600 Subject: X509_REVOKED_dup isn't available everywhere, we get to define our own --- src/_cffi_src/openssl/x509.py | 11 ++++++++++- src/cryptography/hazmat/backends/openssl/backend.py | 4 +++- 2 files changed, 13 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py index eb6dd28d..c5eb600a 100644 --- a/src/_cffi_src/openssl/x509.py +++ b/src/_cffi_src/openssl/x509.py @@ -184,7 +184,6 @@ int X509V3_EXT_print(BIO *, X509_EXTENSION *, unsigned long, int); ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *); X509_REVOKED *X509_REVOKED_new(void); -X509_REVOKED *X509_REVOKED_dup(X509_REVOKED *); void X509_REVOKED_free(X509_REVOKED *); int X509_REVOKED_set_serialNumber(X509_REVOKED *, ASN1_INTEGER *); @@ -271,6 +270,8 @@ void PKCS8_PRIV_KEY_INFO_free(PKCS8_PRIV_KEY_INFO *); """ MACROS = """ +X509_REVOKED *Cryptography_X509_REVOKED_dup(X509_REVOKED *); + int i2d_X509_CINF(X509_CINF *, unsigned char **); int i2d_X509_CRL_INFO(X509_CRL_INFO *, unsigned char **); int i2d_X509_REQ_INFO(X509_REQ_INFO *, unsigned char **); @@ -366,4 +367,12 @@ int (*i2d_ECPrivateKey_bio)(BIO *, EC_KEY *) = NULL; EC_KEY *(*o2i_ECPublicKey)(EC_KEY **, const unsigned char **, long) = NULL; int (*i2o_ECPublicKey)(EC_KEY *, unsigned char **) = NULL; #endif + +/* X509_REVOKED_dup only exists on 1.0.2+. It is implemented using + IMPLEMENT_ASN1_DUP_FUNCTION. The below is the equivalent so we have + it available on all OpenSSLs. */ +X509_REVOKED *Cryptography_X509_REVOKED_dup(X509_REVOKED *rev) { + return ASN1_item_dup(ASN1_ITEM_rptr(X509_REVOKED), rev); +} + """ diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 295fae13..7d8460c6 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -1523,7 +1523,9 @@ class Backend(object): for revoked_cert in builder._revoked_certificates: # Duplicating because the X509_CRL takes ownership and will free # this memory when X509_CRL_free is called. - revoked = self._lib.X509_REVOKED_dup(revoked_cert._x509_revoked) + revoked = self._lib.Cryptography_X509_REVOKED_dup( + revoked_cert._x509_revoked + ) self.openssl_assert(revoked != self._ffi.NULL) res = self._lib.X509_CRL_add0_revoked(x509_crl, revoked) self.openssl_assert(res == 1) -- cgit v1.2.3