author | Paul Kehrer <paul.l.kehrer@gmail.com> | 2015-04-20 22:15:20 -0500 |
---|---|---|
committer | Paul Kehrer <paul.l.kehrer@gmail.com> | 2015-04-21 22:54:33 -0500 |
commit | 9089c91294497aaff3e5204b73365ba687c6ab7e (patch) | |
tree | e0dd71ca9767ba57de90d1e7cafed2c2d168a4b3 | |
parent | e37ca984fcf093f4382eb3f19abf10b0862600da (diff) | |
handle otherName, x400Address, and ediPartyName in OpenSSL backend
-rw-r--r-- | docs/x509.rst | 5 | ||||
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/x509.py | 7 | ||||
-rw-r--r-- | src/cryptography/x509.py | 17 | ||||
-rw-r--r-- | tests/test_x509_ext.py | 11 |
4 files changed, 40 insertions, 0 deletions
diff --git a/docs/x509.rst b/docs/x509.rst index eed88b09..0ce90168 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -964,6 +964,11 @@ Exceptions Returns the OID. +.. class:: UnsupportedGeneralNameType + + This is raised when a certificate contains an unsupported general name + type in an extension. + .. _`public key infrastructure`: https://en.wikipedia.org/wiki/Public_key_infrastructure .. _`TLS`: https://en.wikipedia.org/wiki/Transport_Layer_Security diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py index dcde5e73..affb79da 100644 --- a/src/cryptography/hazmat/backends/openssl/x509.py +++ b/src/cryptography/hazmat/backends/openssl/x509.py @@ -63,6 +63,13 @@ def _build_general_name(backend, gn): if gn.type == backend._lib.GEN_DNS: data = backend._ffi.buffer(gn.d.dNSName.data, gn.d.dNSName.length)[:] return x509.DNSName(idna.decode(data)) + else: + # otherName, x400Address or ediPartyName + raise x509.UnsupportedGeneralNameType( + "{0} is not a supported type".format( + x509._GENERAL_NAMES.get(gn.type, gn.type) + ) + ) @utils.register_interface(x509.Certificate) diff --git a/src/cryptography/x509.py b/src/cryptography/x509.py index 898ab6c7..3dc066fa 100644 --- a/src/cryptography/x509.py +++ b/src/cryptography/x509.py @@ -70,6 +70,19 @@ _OID_NAMES = { } +_GENERAL_NAMES = { + 0: "otherName", + 1: "rfc822Name", + 2: "dNSName", + 3: "x400Address", + 4: "directoryName", + 5: "ediPartyName", + 6: "uniformResourceIdentifier", + 7: "iPAddress", + 8: "registeredID", +} + + class Version(Enum): v1 = 0 v3 = 2 @@ -115,6 +128,10 @@ class ExtensionNotFound(Exception): self.oid = oid +class UnsupportedGeneralNameType(Exception): + pass + + class NameAttribute(object): def __init__(self, oid, value): if not isinstance(oid, ObjectIdentifier): diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index a7e04156..5f175c4d 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py 
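Review bot: The new `else` branch in `_build_general_name` is reached for any GeneralName tag the earlier branches (outside this hunk) do not handle, not just the three named in the comment, and because it raises while the extension list is being built, one otherName entry in a SAN makes `cert.extensions` fail for the whole certificate — the added test pins exactly that by asserting on `cert.extensions` rather than on a SAN lookup. Callers then lose access to BasicConstraints, KeyUsage and every other extension of such a certificate, which matters for certificates that commonly carry an otherName alongside ordinary DNS names. If that is the intended contract for now, say so where it is decided: `# Unknown/unsupported GeneralName tag; raising here makes Certificate.extensions fail for the whole certificate.` Otherwise consider deferring the failure to the SubjectAlternativeName accessor so the remaining extensions stay readable. The function's signature and the preceding branches are outside the hunk.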
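Review bot: `_GENERAL_NAMES` is added as an undocumented module-level table whose integer keys must agree with the `GEN_*` tag values the OpenSSL backend reads from `gn.type`, yet nothing in the literal records that coupling or where the numbering comes from. A one-line comment above it would fix both: `# GeneralName CHOICE tags (RFC 5280 section 4.2.1.6); keys must match the backend's GEN_* constants.` That also explains why the backend falls back to `gn.type` itself in the `.get()` call when a tag is missing from this table.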
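Review bot: `UnsupportedGeneralNameType` is introduced with a bare `pass` body even though it is a public exception documented in docs/x509.rst by this same commit, so readers of the code get no hint of when it is raised. Replace `pass` with the docstring `"""Raised when a certificate extension contains a GeneralName of a type the backend cannot parse."""` so the contract is visible next to the class and the docs entry has a single source of truth.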
@@ -757,3 +757,14 @@ class TestRSASubjectAlternativeNameExtension(object): dns = san.get_values_for_type(x509.DNSName) assert dns == [u"www.cryptography.io", u"cryptography.io"] + + def test_unsupported_other_name(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "san_other_name.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + with pytest.raises(x509.UnsupportedGeneralNameType): + cert.extensions |
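Review bot: `test_unsupported_other_name` covers only the otherName tag, while the commit title also claims x400Address and ediPartyName; those two reach the same `else` branch in the backend but nothing in the suite proves the exception type or message for them. If fixtures for the other two types exist or can be added, parametrize this test over the three filenames; if not, a short comment on the test noting that x400Address and ediPartyName are exercised only indirectly through the shared branch would document the gap. The enclosing `TestRSASubjectAlternativeNameExtension` class starts outside the hunk, and `_load_cert`, `os` and `pytest` are assumed to be in scope there.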