path: root/src/cryptography/hazmat/backends/openssl/decode_asn1.py
authorPaul Kehrer <paul.l.kehrer@gmail.com>2017-10-11 11:47:46 +0800
committerAlex Gaynor <alex.gaynor@gmail.com>2017-10-10 23:47:46 -0400
commit1b43b51599e4a3b39662b069af0140bf24ac3a43 (patch)
tree538c53bf09577ba436587ccfa2b53db7a1d8ef24 /src/cryptography/hazmat/backends/openssl/decode_asn1.py
parentd3f73e0de5bf407f375c18b94f3f9535439ece3d (diff)
backwards incompatible change to UniformResourceIdentifier (#3954)
* backwards incompatible change to UniformResourceIdentifier During this release cycle we decided to officially deprecate passing U-labels to our GeneralName constructors. At first we tried changing this in a purely backwards compatible way but get_values_for_type made that untenable. This PR modifies URI to accept two types: U-label strings (which raises a deprecation warning) and A-label strings (the new preferred type). There is also a constructor for URI that bypasses validation so we can parse garbage out of certificates (and round trip it if necessary) * nonsense empty commit 2.6 and codecov are the worst
Diffstat (limited to 'src/cryptography/hazmat/backends/openssl/decode_asn1.py')
-rw-r--r--src/cryptography/hazmat/backends/openssl/decode_asn1.py12
1 files changed, 10 insertions, 2 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/decode_asn1.py b/src/cryptography/hazmat/backends/openssl/decode_asn1.py
index 86f8f8d4..24eb55b1 100644
--- a/src/cryptography/hazmat/backends/openssl/decode_asn1.py
+++ b/src/cryptography/hazmat/backends/openssl/decode_asn1.py
@@ -97,8 +97,16 @@ def _decode_general_name(backend, gn):
# when a certificate (against the RFC) contains them.
return x509.DNSName._init_without_validation(data)
elif gn.type == backend._lib.GEN_URI:
- data = _asn1_string_to_bytes(backend, gn.d.uniformResourceIdentifier)
- return x509.UniformResourceIdentifier(data)
+ # Convert to bytes and then decode to utf8. We don't use
+ # asn1_string_to_utf8 here because it doesn't properly convert
+ # utf8 from ia5strings.
+ data = _asn1_string_to_bytes(
+ backend, gn.d.uniformResourceIdentifier
+ ).decode("utf8")
+ # We don't use the constructor for URI so we can bypass validation
+ # This allows us to create URI objects that have unicode chars
+ # when a certificate (against the RFC) contains them.
+ return x509.UniformResourceIdentifier._init_without_validation(data)
elif gn.type == backend._lib.GEN_RID:
oid = _obj2txt(backend, gn.d.registeredID)
return x509.RegisteredID(x509.ObjectIdentifier(oid))
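Review bot: The strict `.decode("utf8")` in the new GEN_URI branch raises UnicodeDecodeError when the IA5String holds bytes that are not valid UTF-8, so one malformed URI general name aborts decoding of the whole extension even though the stated aim is to tolerate out-of-spec certificate content. If rejecting such input is intended, say so next to the decode, for example `# Invalid UTF-8 raises UnicodeDecodeError (a ValueError); such names are rejected, not round-tripped`. Because `_init_without_validation` skips every check, the returned value is attacker-controlled text that may contain non-ASCII or control characters, and the comment should warn that callers matching URI names against policy must not assume a validated A-label form. `_decode_general_name` starts and continues outside this hunk, so whether the other branches or the encoding path handle the same case is not visible here.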