authorPaul Kehrer <paul.l.kehrer@gmail.com>2015-07-01 21:07:37 -0500
committerPaul Kehrer <paul.l.kehrer@gmail.com>2015-07-10 11:11:19 -0500
commita72ebaf84b9f41dcd9535ce9481ecc1966a7a930 (patch)
tree98a87d0ce87feea26171a09730ad340a486745c3
parentcfb8aa2f39095d33d19b17123aed065dd5e9efd3 (diff)
downloadcryptography-a72ebaf84b9f41dcd9535ce9481ecc1966a7a930.tar.gz
cryptography-a72ebaf84b9f41dcd9535ce9481ecc1966a7a930.tar.bz2
cryptography-a72ebaf84b9f41dcd9535ce9481ecc1966a7a930.zip
simplify and handle /32 and /128
-rw-r--r--src/cryptography/hazmat/backends/openssl/x509.py10
-rw-r--r--tests/test_x509_ext.py19
2 files changed, 26 insertions, 3 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index c2a32b2a..0aa2e2da 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -154,10 +154,14 @@ def _decode_general_name(backend, gn):
# find the first 0 bit, which will be the prefix. If another 1
# bit is present after that the netmask is invalid.
base = ipaddress.ip_address(data[:data_len // 2])
- netmask = utils.int_from_bytes(data[data_len // 2:], 'big')
- bits = bin(netmask)[2:]
+ netmask = ipaddress.ip_address(data[data_len // 2:])
+ bits = bin(int(netmask))[2:]
prefix = bits.find('0')
- if bits[prefix:].find('1') != -1:
+ # If no 0 bits are found it is a /32 or /128
+ if prefix == -1:
+ prefix = len(bits)
+
+ if b"1" in bits[prefix:]:
raise ValueError("Invalid netmask")
ip = ipaddress.ip_network(base.exploded + u"/{0}".format(prefix))
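Review bot: The new check `if b"1" in bits[prefix:]` mixes bytes and str: `bits` comes from `bin(int(netmask))[2:]` and is a `str`, so on Python 3 the `in` test raises `TypeError` for every IP name constraint instead of the intended `ValueError` on an invalid mask (on Python 2 the two types coincide, which is presumably why it passes there); the literal should be `"1"`. Separately, `bin()` strips leading zero bits, so a netmask whose first bit is 0 but is otherwise contiguous ones (e.g. 127.255.255.255) yields 31 ones, hits the new `prefix == -1` branch and is accepted as a /31 rather than rejected — for a NameConstraints extension that silently widens or shifts the permitted/excluded range. Padding to the address width closes that gap: `bits = bin(int(netmask))[2:].zfill(netmask.max_prefixlen)`, after which the `prefix == -1` fallback still covers the all-ones /32 and /128 case. `_decode_general_name` starts and continues outside this hunk.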
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index 7a7e79e6..af0ffafb 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -2206,6 +2206,25 @@ class TestNameConstraintsExtension(object):
]
)
+ def test_single_ip_netmask(self, backend):
+ cert = _load_cert(
+ os.path.join(
+ "x509", "custom", "nc_single_ip_netmask.pem"
+ ),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ nc = cert.extensions.get_extension_for_oid(
+ x509.OID_NAME_CONSTRAINTS
+ ).value
+ assert nc == x509.NameConstraints(
+ permitted_subtrees=[
+ x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/128")),
+ x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.1/32")),
+ ],
+ excluded_subtrees=None
+ )
+
def test_invalid_netmask(self, backend):
cert = _load_cert(
os.path.join(