From d58b57991f73581da951c7c98b808dad7875f9b1 Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Thu, 24 Dec 2015 22:30:42 -0600
Subject: a different approach to refactoring the x509 extension addition
---
 src/_cffi_src/openssl/x509.py | 1 +
 .../hazmat/backends/openssl/backend.py | 45 ++++++++++++----------
 2 files changed, 25 insertions(+), 21 deletions(-)
(limited to 'src')
diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py
index a08ef179..b58a1a27 100644
--- a/src/_cffi_src/openssl/x509.py
+++ b/src/_cffi_src/openssl/x509.py
@@ -292,6 +292,7 @@
 X509_EXTENSIONS *sk_X509_EXTENSION_new_null(void);
 int sk_X509_EXTENSION_num(X509_EXTENSIONS *);
 X509_EXTENSION *sk_X509_EXTENSION_value(X509_EXTENSIONS *, int);
 int sk_X509_EXTENSION_push(X509_EXTENSIONS *, X509_EXTENSION *);
+int sk_X509_EXTENSION_insert(X509_EXTENSIONS *, X509_EXTENSION *, int);
 X509_EXTENSION *sk_X509_EXTENSION_delete(X509_EXTENSIONS *, int);
 void sk_X509_EXTENSION_free(X509_EXTENSIONS *);
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 9ba0f3db..86c1a813 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1312,18 +1312,20 @@ class Backend(object):
 self.openssl_assert(res == 1)
 
 # Add extensions.
- extensions = self._create_x509_extensions(
- builder._extensions, _EXTENSION_ENCODE_HANDLERS
- )
 sk_extension = self._lib.sk_X509_EXTENSION_new_null()
 self.openssl_assert(sk_extension != self._ffi.NULL)
 sk_extension = self._ffi.gc(
 sk_extension, self._lib.sk_X509_EXTENSION_free
 )
- for extension in extensions:
- res = self._lib.sk_X509_EXTENSION_push(sk_extension, extension)
- self.openssl_assert(res >= 1)
-
+ # gc is not necessary for CSRs, as sk_X509_EXTENSION_free
+ # will release all the X509_EXTENSIONs.
+ self._create_x509_extensions(
+ extensions=builder._extensions,
+ handlers=_EXTENSION_ENCODE_HANDLERS,
+ x509_obj=sk_extension,
+ add_func=self._lib.sk_X509_EXTENSION_insert,
+ gc=False
+ )
 res = self._lib.X509_REQ_add_extensions(x509_req, sk_extension)
 self.openssl_assert(res == 1)
 
@@ -1405,12 +1407,13 @@ class Backend(object):
 self.openssl_assert(res != self._ffi.NULL)
 
 # Add extensions.
- extensions = self._create_x509_extensions(
- builder._extensions, _EXTENSION_ENCODE_HANDLERS
+ self._create_x509_extensions(
+ extensions=builder._extensions,
+ handlers=_EXTENSION_ENCODE_HANDLERS,
+ x509_obj=x509_cert,
+ add_func=self._lib.X509_add_ext,
+ gc=True
 )
- for i, extension in enumerate(extensions):
- res = self._lib.X509_add_ext(x509_cert, extension, i)
- self.openssl_assert(res == 1)
 
 # Set the issuer name.
 res = self._lib.X509_set_issuer_name(
@@ -1501,9 +1504,9 @@ class Backend(object):
 
 return _CertificateRevocationList(self, x509_crl)
 
- def _create_x509_extensions(self, extensions, handlers):
- x509_extensions = []
- for extension in extensions:
+ def _create_x509_extensions(self, extensions, handlers, x509_obj,
+ add_func, gc):
+ for i, extension in enumerate(extensions):
 try:
 encode = handlers[extension.oid]
 except KeyError:
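Review bot: The added comment `# gc is not necessary for CSRs, as sk_X509_EXTENSION_free will release all the X509_EXTENSIONs` does not match OpenSSL's stack API: `sk_TYPE_free` frees only the stack structure and leaves the elements alone, while `sk_TYPE_pop_free` is the variant that also runs a free function over each element. With the individual X509_EXTENSIONs no longer gc-wrapped (`gc=False`) and X509_REQ_add_extensions encoding the stack rather than taking ownership of it (as far as I can tell), every extension inserted on the CSR path is leaked once `sk_extension` is collected. The gc callback on `sk_extension` should become a `sk_X509_EXTENSION_pop_free` call with `X509_EXTENSION_free` as the element destructor, which also needs that function declared in the x509.py cdef next to the `sk_X509_EXTENSION_insert` declaration this commit adds, and the comment should say the stack owns the elements. `ffi.addressof(lib, name)` is how cffi's API mode yields a C function pointer; in ABI mode `self._lib.X509_EXTENSION_free` can be passed directly — confirm which mode this binding uses. The enclosing create_x509_csr starts outside the hunk.
```python
        sk_extension = self._lib.sk_X509_EXTENSION_new_null()
        self.openssl_assert(sk_extension != self._ffi.NULL)
        # The stack owns the X509_EXTENSIONs inserted into it, so free the
        # elements together with the stack; sk_X509_EXTENSION_free alone
        # releases only the stack and leaks every extension.
        sk_extension = self._ffi.gc(
            sk_extension,
            lambda x: self._lib.sk_X509_EXTENSION_pop_free(
                x, self._ffi.addressof(self._lib, "X509_EXTENSION_free")
            ),
        )
        # … unchanged: _create_x509_extensions(..., gc=False) and X509_REQ_add_extensions …
```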
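Review bot: The certificate path passes `gc=True` without saying why, while the CSR hunk explains its `gc=False`; the reason is that X509_add_ext duplicates the extension into the certificate (it goes through X509v3_add_ext), so the original must still be freed from Python and a future reader might otherwise "fix" this to match the CSR call. Add `# X509_add_ext copies the extension, so the originals still need to be freed.` above the call. Note that the assertion inside the helper is now `res >= 1` where the removed loop checked `res == 1`; X509_add_ext returns 1 or 0, so this is not weaker in practice. The enclosing create_x509_certificate starts and ends outside the hunk.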
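Review bot: `_create_x509_extensions` now takes three more positional parameters, `x509_obj`, `add_func` and `gc`, whose contract is only discoverable from the two call sites, and a bare `gc` boolean is easy to get wrong: True where the container takes ownership double-frees, False where it copies leaks. Add a docstring stating that `add_func(x509_obj, ext, i)` must return >= 1 on success, and that `gc` must be True only when `add_func` copies the extension (X509_add_ext) and False when the container takes ownership of the pointer (sk_X509_EXTENSION_insert). The loop body continues outside the hunk.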
@@ -1520,12 +1523,12 @@ class Backend(object):
 _encode_asn1_str_gc(self, pp[0], r)
 )
 self.openssl_assert(x509_extension != self._ffi.NULL)
- x509_extension = self._ffi.gc(
- x509_extension, self._lib.X509_EXTENSION_free
- )
- x509_extensions.append(x509_extension)
-
- return x509_extensions
+ if gc:
+ x509_extension = self._ffi.gc(
+ x509_extension, self._lib.X509_EXTENSION_free
+ )
+ res = add_func(x509_obj, x509_extension, i)
+ self.openssl_assert(res >= 1)
 
 def load_pem_private_key(self, data, password):
 return self._load_key(
-- cgit v1.2.3
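Review bot: When `add_func` fails and `gc` is False, the X509_EXTENSION just created is leaked, because `self.openssl_assert(res >= 1)` raises before anything releases it; with `gc=True` the wrapper added two lines earlier still covers that path. Free it explicitly before asserting: `if res < 1 and not gc:` followed by `self._lib.X509_EXTENSION_free(x509_extension)`, ahead of `self.openssl_assert(res >= 1)`. A failed sk_insert or X509_add_ext has not taken ownership of the pointer (as far as I can tell from the OpenSSL API), so freeing it there is safe. The `for` loop and the def of _create_x509_extensions begin outside the hunk.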