diff options
| author | Paul Kehrer <paul.l.kehrer@gmail.com> | 2017-10-11 08:11:44 +0800 |
|---|---|---|
| committer | Alex Gaynor <alex.gaynor@gmail.com> | 2017-10-10 20:11:44 -0400 |
| commit | ed32105be8daa27d39e5ef1f26e3f7bc672a7939 (patch) | |
| tree | f47159bbb207cb68a963420e5500e8c8627d5cb3 /src/cryptography/hazmat/backends/openssl/decode_asn1.py | |
| parent | 003f56fbd7fe676f6b6bd0a52bbf83f040b4a168 (diff) | |
| download | cryptography-ed32105be8daa27d39e5ef1f26e3f7bc672a7939.tar.gz cryptography-ed32105be8daa27d39e5ef1f26e3f7bc672a7939.tar.bz2 cryptography-ed32105be8daa27d39e5ef1f26e3f7bc672a7939.zip | |
Backwards incompatible change to DNSName (#3951)
* Backwards incompatible change to DNSName
During this release cycle we decided to officially deprecate passing
U-labels to our GeneralName constructors. At first we tried changing
this in a purely backwards compatible way but get_values_for_type made
that untenable. This PR modifies DNSName to take three different types.
U-label strings (which raises a deprecation warning), A-label strings
(the new preferred type), and bytes (which are assumed to be decodable
to unicode strings). The latter, while supported, is primarily intended
for use by our parser and allows us to return the actual encoded data in
a certificate even if it has not been properly encoded to A-label before
the certificate is created. (Of course, if the certificate contains
invalid utf8 sequences this will still fail, but let's handle one
catastrophic failure at a time).
* coverage
* don't delete that asterisk from a test. it does things.
* no bytes in DNSName. Private constructor for bypassing validation
* test unicode in dnsname (yuck)
* fix docs
* empty commit, you disappoint me codecov
* CI is the worst
Diffstat (limited to 'src/cryptography/hazmat/backends/openssl/decode_asn1.py')
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/decode_asn1.py | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/decode_asn1.py b/src/cryptography/hazmat/backends/openssl/decode_asn1.py index 2665fb22..aefb2422 100644 --- a/src/cryptography/hazmat/backends/openssl/decode_asn1.py +++ b/src/cryptography/hazmat/backends/openssl/decode_asn1.py @@ -88,8 +88,14 @@ def _decode_general_names(backend, gns): def _decode_general_name(backend, gn): if gn.type == backend._lib.GEN_DNS: - data = _asn1_string_to_bytes(backend, gn.d.dNSName) - return x509.DNSName(data) + # Convert to bytes and then decode to utf8. We don't use + # asn1_string_to_utf8 here because it doesn't properly convert + # utf8 from ia5strings. + data = _asn1_string_to_bytes(backend, gn.d.dNSName).decode("utf8") + # We don't use the constructor for DNSName so we can bypass validation + # This allows us to create DNSName objects that have unicode chars + # when a certificate (against the RFC) contains them. + return x509.DNSName._init_without_validation(data) elif gn.type == backend._lib.GEN_URI: data = _asn1_string_to_bytes(backend, gn.d.uniformResourceIdentifier) return x509.UniformResourceIdentifier(data) |