both parse and encode the ASN1 string type for Name attributes (#3896)

* both parse and encode the ASN1 string type for Name attributes

Previously cryptography encoded everything (except country names) as
UTF8String. This caused problems with chain building in libraries like
NSS where the subject and issuer are expected to match byte-for-byte.

With this change we now parse and store the ASN1 string type as a
private _type in NameAttribute. We then use this to encode when issuing
a new certificate. This allows the CertificateBuilder to properly
construct an identical issuer and fixes the issue with NSS.

* make the sentinel private too

1 files changed, 3 insertions, 1 deletions

diff --git a/src/cryptography/hazmat/backends/openssl/decode_asn1.py b/src/cryptography/hazmat/backends/openssl/decode_asn1.py
index ec55a9e8..2665fb22 100644
--- a/src/cryptography/hazmat/backends/openssl/decode_asn1.py
+++ b/src/cryptography/hazmat/backends/openssl/decode_asn1.py
@@ -11,6 +11,7 @@ from asn1crypto.core import Integer, SequenceOf
 
 from cryptography import x509
 from cryptography.x509.extensions import _TLS_FEATURE_TYPE_TO_ENUM
+from cryptography.x509.name import _ASN1_TYPE_TO_ENUM
 from cryptography.x509.oid import (
     CRLEntryExtensionOID, CertificatePoliciesOID, ExtensionOID
 )
@@ -51,8 +52,9 @@ def _decode_x509_name_entry(backend, x509_name_entry):
     backend.openssl_assert(data != backend._ffi.NULL)
     value = _asn1_string_to_utf8(backend, data)
     oid = _obj2txt(backend, obj)
+    type = _ASN1_TYPE_TO_ENUM[data.type]
 
-    return x509.NameAttribute(x509.ObjectIdentifier(oid), value)
+    return x509.NameAttribute(x509.ObjectIdentifier(oid), value, type)
 
 
 def _decode_x509_name(backend, x509_name):