authorAlex Gaynor <alex.gaynor@gmail.com>2017-05-25 21:11:09 -0400
committerPaul Kehrer <paul.l.kehrer@gmail.com>2017-05-25 20:11:09 -0500
commit978a5e96473c2ce877151fa4e24917bac92ddaa8 (patch)
tree84813a8a8567a732e7f494f562bbe05d3d8df273
parentfebbfb36a17d42a927a4ac7d5e53a80d9b8e6fdb (diff)
jurisdictionCountryName also must be PrintableString (#3516)
* jurisdictionCountryName also must be PrintableString * flake8 + citation * Write a test, which fails. If my analysis is correct, this is blocked on: https://github.com/openssl/openssl/pull/3284 * This is only true on 1.1.0 * clearly express the version requirement
-rw-r--r--src/_cffi_src/openssl/cryptography.py7
-rw-r--r--src/cryptography/hazmat/backends/openssl/encode_asn1.py7
-rw-r--r--tests/test_x509.py11
3 files changed, 22 insertions, 3 deletions
diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py
index aa01c833..fe5055f1 100644
--- a/src/_cffi_src/openssl/cryptography.py
+++ b/src/_cffi_src/openssl/cryptography.py
@@ -27,8 +27,12 @@ INCLUDES = """
#define CRYPTOGRAPHY_OPENSSL_102BETA2_OR_GREATER \
(OPENSSL_VERSION_NUMBER >= 0x10002002 && !CRYPTOGRAPHY_IS_LIBRESSL)
+#define CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER \
+ (OPENSSL_VERSION_NUMBER >= 0x100020cf && !CRYPTOGRAPHY_IS_LIBRESSL)
#define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER \
(OPENSSL_VERSION_NUMBER >= 0x10100000 && !CRYPTOGRAPHY_IS_LIBRESSL)
+#define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
+ (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL)
#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 \
(OPENSSL_VERSION_NUMBER < 0x10002000 || CRYPTOGRAPHY_IS_LIBRESSL)
@@ -47,10 +51,11 @@ INCLUDES = """
"""
TYPES = """
+static const int CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER;
static const int CRYPTOGRAPHY_OPENSSL_110_OR_GREATER;
+static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER;
static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_102I;
-
static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_102;
static const int CRYPTOGRAPHY_IS_LIBRESSL;
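Review bot: The two new macros `CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER` and `CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER` are added without any comment on what they gate, and the 1.0.2l threshold (0x100020cf) is also satisfied by every 1.1.0 build, including the pre-1.1.0f ones the test's gating treats as lacking the fix, so a reader has to reconstruct the `102L and not 110` pairing from tests/test_x509.py. A comment above the first new `#define`, along the lines of `/* 1.0.2l / 1.1.0f: jurisdictionCountryName encoded as PrintableString (openssl/openssl#3284). 102L also matches 1.1.0 < f; pair it with !CRYPTOGRAPHY_OPENSSL_110_OR_GREATER. */`, would put the intent and the combination rule at the definition site. The hex values themselves look consistent with OpenSSL's MNNFFPPS layout for 1.0.2l and 1.1.0f. The same comment belongs next to the two new `static const int` declarations in the TYPES hunk only if the file's convention is to document there; otherwise the INCLUDES hunk is the right place.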
diff --git a/src/cryptography/hazmat/backends/openssl/encode_asn1.py b/src/cryptography/hazmat/backends/openssl/encode_asn1.py
index 3b784861..dc1f61a0 100644
--- a/src/cryptography/hazmat/backends/openssl/encode_asn1.py
+++ b/src/cryptography/hazmat/backends/openssl/encode_asn1.py
@@ -120,9 +120,12 @@ def _encode_sk_name_entry(backend, attributes):
def _encode_name_entry(backend, attribute):
value = attribute.value.encode('utf8')
obj = _txt2obj_gc(backend, attribute.oid.dotted_string)
- if attribute.oid == NameOID.COUNTRY_NAME:
+ if attribute.oid in [
+ NameOID.COUNTRY_NAME, NameOID.JURISDICTION_COUNTRY_NAME
+ ]:
# Per RFC5280 Appendix A.1 countryName should be encoded as
- # PrintableString, not UTF8String
+ # PrintableString, not UTF8String. EV Guidelines section 9.2.5 says
+ # jurisdictionCountryName follows the same rules as countryName.
type = backend._lib.MBSTRING_ASC
else:
type = backend._lib.MBSTRING_UTF8
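Review bot: The new membership test at `if attribute.oid in [` builds a list literal on every name entry; a tuple is the idiomatic constant container and fits on one line: `if attribute.oid in (NameOID.COUNTRY_NAME, NameOID.JURISDICTION_COUNTRY_NAME):`. The extended comment cites the EV Guidelines but not that, per the commit description and the version gate in the test, OpenSSL apparently honours the PrintableString request for this OID only from 1.0.2l / 1.1.0f, so a reader who dumps a certificate from an older backend will see a mismatch with this comment; a one-line note such as `# NOTE: OpenSSL before 1.0.2l / 1.1.0f may still emit a different string type for this OID (openssl/openssl#3284)` would explain it at the encoding site. The rest of `_encode_name_entry`, where `value` and `type` are handed to the backend, lies outside the hunk.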
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 110d8534..84108810 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -1440,9 +1440,11 @@ class TestRSACertificateRequest(object):
777
).issuer_name(x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u'US'),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
])).subject_name(x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u'US'),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
])).public_key(
subject_private_key.public_key()
@@ -1460,6 +1462,15 @@ class TestRSACertificateRequest(object):
# Check that each value was encoded as an ASN.1 PRINTABLESTRING.
assert parsed.subject.chosen[0][0]['value'].chosen.tag == 19
assert parsed.issuer.chosen[0][0]['value'].chosen.tag == 19
+ if (
+ # This only works correctly in OpenSSL 1.1.0f+ and 1.0.2l+
+ backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER or (
+ backend._lib.CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER and
+ not backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER
+ )
+ ):
+ assert parsed.subject.chosen[1][0]['value'].chosen.tag == 19
+ assert parsed.issuer.chosen[1][0]['value'].chosen.tag == 19
class TestCertificateBuilder(object):
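Review bot: The new `if (` block at the end of the second hunk only asserts the PrintableString tag on new-enough OpenSSL and does nothing otherwise, so on an older backend the jurisdictionCountryName encoding goes entirely unchecked and a regression there would pass silently. If the legacy tag is known it would be better to pin it in an `else:` branch, or to make the skip explicit (for example a `pytest.skip(...)` with the version reason, assuming the file already uses pytest) so the test output shows that the assertion was not exercised. The comment placed inside the parenthesised condition, `# This only works correctly in OpenSSL 1.1.0f+ and 1.0.2l+`, reads more naturally on the line above the `if`. The enclosing test method starts before the first hunk, so its fixture setup and the `parsed` assignment are not visible here.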