authorPaul Kehrer <paul.l.kehrer@gmail.com>2015-12-24 21:38:37 -0600
committerPaul Kehrer <paul.l.kehrer@gmail.com>2015-12-24 21:42:19 -0600
commit28d1dfaec4e39994340e156a387b7da90643f036 (patch)
tree772b5d9bab4f4d56ca36e6a9c24e17d8f5872eac
parentfa431ca54dd5686855264d82d77fa2dbb061fa23 (diff)
downloadcryptography-28d1dfaec4e39994340e156a387b7da90643f036.tar.gz
cryptography-28d1dfaec4e39994340e156a387b7da90643f036.tar.bz2
cryptography-28d1dfaec4e39994340e156a387b7da90643f036.zip
refactor x509 extension creation to make it a bit more reusable
Unfortunately X509 certs and CSRs add extensions differently, so we can't reuse quite as much as we'd like to...
-rw-r--r--src/cryptography/hazmat/backends/openssl/backend.py77
1 files changed, 39 insertions, 38 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 6d19b806..0981b8e0 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1312,30 +1312,19 @@ class Backend(object):
self.openssl_assert(res == 1)
# Add extensions.
- extensions = self._lib.sk_X509_EXTENSION_new_null()
- self.openssl_assert(extensions != self._ffi.NULL)
- extensions = self._ffi.gc(
- extensions,
- self._lib.sk_X509_EXTENSION_free,
+ extensions = self._create_x509_extensions(
+ builder._extensions, _EXTENSION_ENCODE_HANDLERS
)
- for extension in builder._extensions:
- try:
- encode = _EXTENSION_ENCODE_HANDLERS[extension.oid]
- except KeyError:
- raise NotImplementedError('Extension not yet supported.')
-
- pp, r = encode(self, extension.value)
- obj = _txt2obj_gc(self, extension.oid.dotted_string)
- extension = self._lib.X509_EXTENSION_create_by_OBJ(
- self._ffi.NULL,
- obj,
- 1 if extension.critical else 0,
- _encode_asn1_str_gc(self, pp[0], r),
- )
- self.openssl_assert(extension != self._ffi.NULL)
- res = self._lib.sk_X509_EXTENSION_push(extensions, extension)
+ sk_extension = self._lib.sk_X509_EXTENSION_new_null()
+ self.openssl_assert(sk_extension != self._ffi.NULL)
+ sk_extension = self._ffi.gc(
+ sk_extension, self._lib.sk_X509_EXTENSION_free
+ )
+ for extension in extensions:
+ res = self._lib.sk_X509_EXTENSION_push(sk_extension, extension)
self.openssl_assert(res >= 1)
- res = self._lib.X509_REQ_add_extensions(x509_req, extensions)
+
+ res = self._lib.X509_REQ_add_extensions(x509_req, sk_extension)
self.openssl_assert(res == 1)
# Sign the request using the requester's private key.
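Review bot: The stack created at `sk_extension = self._lib.sk_X509_EXTENSION_new_null()` is released with `sk_X509_EXTENSION_free`, which frees only the stack, while each pushed element is owned by the gc handle the helper attaches to it; the hunk does not record that the `extensions` list must stay alive until `X509_REQ_add_extensions` has consumed the stack, or the stack would hold dangling pointers. A comment above the push loop would make the ownership split explicit, e.g. `# sk_X509_EXTENSION_free releases only the stack; the elements are owned by the gc handles in 'extensions', which must outlive X509_REQ_add_extensions.` The `res >= 1` check on `sk_X509_EXTENSION_push` deserves a short why-comment as well, since the other OpenSSL calls in the hunk are checked against exactly 1. The enclosing method starts and ends outside the hunk.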
@@ -1416,22 +1405,10 @@ class Backend(object):
self.openssl_assert(res != self._ffi.NULL)
# Add extensions.
- for i, extension in enumerate(builder._extensions):
- try:
- encode = _EXTENSION_ENCODE_HANDLERS[extension.oid]
- except KeyError:
- raise NotImplementedError('Extension not yet supported.')
-
- pp, r = encode(self, extension.value)
- obj = _txt2obj_gc(self, extension.oid.dotted_string)
- extension = self._lib.X509_EXTENSION_create_by_OBJ(
- self._ffi.NULL,
- obj,
- 1 if extension.critical else 0,
- _encode_asn1_str_gc(self, pp[0], r)
- )
- self.openssl_assert(extension != self._ffi.NULL)
- extension = self._ffi.gc(extension, self._lib.X509_EXTENSION_free)
+ extensions = self._create_x509_extensions(
+ builder._extensions, _EXTENSION_ENCODE_HANDLERS
+ )
+ for i, extension in enumerate(extensions):
res = self._lib.X509_add_ext(x509_cert, extension, i)
self.openssl_assert(res == 1)
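Review bot: In the new loop `res = self._lib.X509_add_ext(x509_cert, extension, i)` the position argument `i` comes from `enumerate` and is correct only because each iteration inserts exactly one element at the end; passing `-1` (append) would state that directly and not depend on the index staying in step with the certificate's extension count. Separately, because `_create_x509_extensions` now encodes every extension before the first `X509_add_ext`, an unsupported OID raises `NotImplementedError` before anything is added to the certificate, whereas the removed code could fail part-way through; a one-line comment such as `# All extensions are encoded up front, so an unsupported OID fails before any is added to the certificate.` would record that behaviour. The enclosing method starts and ends outside the hunk.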
@@ -1524,6 +1501,30 @@ class Backend(object):
return _CertificateRevocationList(self, x509_crl)
+ def _create_x509_extensions(self, extensions, handlers):
+ x509_extensions = []
+ for extension in extensions:
+ try:
+ encode = handlers[extension.oid]
+ except KeyError:
+ raise NotImplementedError(
+ 'Extension not supported: {0}'.format(extension.oid)
+ )
+
+ pp, r = encode(self, extension.value)
+ obj = _txt2obj_gc(self, extension.oid.dotted_string)
+ extension = self._lib.X509_EXTENSION_create_by_OBJ(
+ self._ffi.NULL,
+ obj,
+ 1 if extension.critical else 0,
+ _encode_asn1_str_gc(self, pp[0], r)
+ )
+ self.openssl_assert(extension != self._ffi.NULL)
+ extension = self._ffi.gc(extension, self._lib.X509_EXTENSION_free)
+ x509_extensions.append(extension)
+
+ return x509_extensions
+
def load_pem_private_key(self, data, password):
return self._load_key(
self._lib.PEM_read_bio_PrivateKey,