author | Paul Kehrer <paul.l.kehrer@gmail.com> | 2019-11-11 13:40:11 +0800 |
committer | Alex Gaynor <alex.gaynor@gmail.com> | 2019-11-11 00:40:11 -0500 |
commit | 2e86983a77d02a38ef0485ebe7ab05c1c98a7685 (patch) | |
tree | d871fb70f5313bbd3919fe2f594890dd183521f2 /src/cryptography/hazmat | |
parent | c7ba7be8fe67c099339fcbcd90012fc257308628 (diff) | |
download | cryptography-2e86983a77d02a38ef0485ebe7ab05c1c98a7685.tar.gz cryptography-2e86983a77d02a38ef0485ebe7ab05c1c98a7685.tar.bz2 cryptography-2e86983a77d02a38ef0485ebe7ab05c1c98a7685.zip |
Parse single_extensions in OCSP responses (#5059)
* add single_extensions to OCSPResponse (#4753)
* new vector, updated docs, more stringent parser, changelog, etc
* simplify PR (no SCT for now)
* add a comment
* finish pulling out the sct stuff so tests might actually run
Diffstat (limited to 'src/cryptography/hazmat')
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/decode_asn1.py | 10 | ||||
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/ocsp.py | 10 |
2 files changed, 19 insertions, 1 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/decode_asn1.py b/src/cryptography/hazmat/backends/openssl/decode_asn1.py
index 47c6c654..87a3cc73 100644
--- a/src/cryptography/hazmat/backends/openssl/decode_asn1.py
+++ b/src/cryptography/hazmat/backends/openssl/decode_asn1.py
@@ -857,6 +857,10 @@ _OCSP_BASICRESP_EXTENSION_HANDLERS = {
     OCSPExtensionOID.NONCE: _decode_nonce,
 }
 
+# All revoked extensions are valid single response extensions, see:
+# https://tools.ietf.org/html/rfc6960#section-4.4.5
+_OCSP_SINGLERESP_EXTENSION_HANDLERS = _REVOKED_EXTENSION_HANDLERS.copy()
+
 _CERTIFICATE_EXTENSION_PARSER_NO_SCT = _X509ExtensionParser(
     ext_count=lambda backend, x: backend._lib.X509_get_ext_count(x),
     get_ext=lambda backend, x, i: backend._lib.X509_get_ext(x, i),
@@ -898,3 +902,9 @@ _OCSP_BASICRESP_EXT_PARSER = _X509ExtensionParser(
     get_ext=lambda backend, x, i: backend._lib.OCSP_BASICRESP_get_ext(x, i),
     handlers=_OCSP_BASICRESP_EXTENSION_HANDLERS,
 )
+
+_OCSP_SINGLERESP_EXT_PARSER = _X509ExtensionParser(
+    ext_count=lambda backend, x: backend._lib.OCSP_SINGLERESP_get_ext_count(x),
+    get_ext=lambda backend, x, i: backend._lib.OCSP_SINGLERESP_get_ext(x, i),
+    handlers=_OCSP_SINGLERESP_EXTENSION_HANDLERS,
+)
diff --git a/src/cryptography/hazmat/backends/openssl/ocsp.py b/src/cryptography/hazmat/backends/openssl/ocsp.py
index 7420f657..e42565ef 100644
--- a/src/cryptography/hazmat/backends/openssl/ocsp.py
+++ b/src/cryptography/hazmat/backends/openssl/ocsp.py
@@ -10,7 +10,8 @@ from cryptography import utils, x509
 from cryptography.exceptions import UnsupportedAlgorithm
 from cryptography.hazmat.backends.openssl.decode_asn1 import (
     _CRL_ENTRY_REASON_CODE_TO_ENUM, _OCSP_BASICRESP_EXT_PARSER,
-    _OCSP_REQ_EXT_PARSER, _asn1_integer_to_int,
+    _OCSP_REQ_EXT_PARSER, _OCSP_SINGLERESP_EXT_PARSER,
+    _asn1_integer_to_int,
     _asn1_string_to_bytes, _decode_x509_name, _obj2txt,
     _parse_asn1_generalized_time,
 )
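Review bot: The comment above `_OCSP_SINGLERESP_EXTENSION_HANDLERS` in the first decode_asn1.py hunk justifies reusing the CRL-entry handlers but does not say that the table is an import-time `.copy()` snapshot, nor that it is intentionally limited to those handlers: RFC 6960 defines further singleExtensions (archive cutoff, section 4.4.4) and the commit message defers the SCT extension, none of which are decoded here, and how `_X509ExtensionParser` treats an OID with no handler is not visible in this hunk. Suggest extending the comment with `# Snapshot: handlers added to _REVOKED_EXTENSION_HANDLERS after import are not picked up here;` and `# only the CRL-entry extensions are decoded, other RFC 6960 singleExtensions are not (yet) handled.` so a reader does not take the table for a complete singleExtensions decoder. The second decode_asn1.py hunk (`_OCSP_SINGLERESP_EXT_PARSER`) mirrors `_OCSP_BASICRESP_EXT_PARSER` line for line and needs nothing beyond that comment.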
@@ -319,6 +320,13 @@ class _OCSPResponse(object):
     def extensions(self):
         return _OCSP_BASICRESP_EXT_PARSER.parse(self._backend, self._basic)
 
+    @utils.cached_property
+    @_requires_successful_response
+    def single_extensions(self):
+        return _OCSP_SINGLERESP_EXT_PARSER.parse(
+            self._backend, self._single
+        )
+
     def public_bytes(self, encoding):
         if encoding is not serialization.Encoding.DER:
             raise ValueError(
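Review bot: `single_extensions` has no docstring, and the distinction from `extensions` directly above it is easy to miss: `extensions` decodes the BasicOCSPResponse's responseExtensions from `self._basic`, while the new property decodes the singleExtensions of the one SingleResponse held in `self._single`, whose selection happens outside this hunk. Suggest `"""Extensions of the SingleResponse this object exposes (RFC 6960 singleExtensions), not the response-level extensions."""` so callers do not treat the two as interchangeable. Placing `@utils.cached_property` outside `@_requires_successful_response` means the status check runs on first access and, if it raises, nothing is cached, which looks intended and presumably matches `extensions`, though that property's decorators are above the hunk. The enclosing `_OCSPResponse` class starts and ends outside the hunk.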