authorPaul Kehrer <paul.l.kehrer@gmail.com>2018-08-31 10:47:56 -0400
committerAlex Gaynor <alex.gaynor@gmail.com>2018-08-31 10:47:56 -0400
commit0f629bbdbb7ff595bffe43209490cc2647763fd3 (patch)
tree40a0c92380cb77bdefc0828b12e6ebfdeb3404ca /src/cryptography
parent5a54f1aec2d9b739c95ed862661efe7b8ff75d31 (diff)
downloadcryptography-0f629bbdbb7ff595bffe43209490cc2647763fd3.tar.gz
cryptography-0f629bbdbb7ff595bffe43209490cc2647763fd3.tar.bz2
cryptography-0f629bbdbb7ff595bffe43209490cc2647763fd3.zip
refactor ocsp request parsing and generation to support only one cert (#4439)
* refactor ocsp request parsing and generation to support only one cert * small doc change * notimplementederror
Diffstat (limited to 'src/cryptography')
-rw-r--r--src/cryptography/hazmat/backends/openssl/backend.py20
-rw-r--r--src/cryptography/hazmat/backends/openssl/ocsp.py52
-rw-r--r--src/cryptography/x509/ocsp.py47
3 files changed, 36 insertions, 83 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index cfd7c89f..64d26afd 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1439,16 +1439,16 @@ class Backend(object):
ocsp_req = self._lib.OCSP_REQUEST_new()
self.openssl_assert(ocsp_req != self._ffi.NULL)
ocsp_req = self._ffi.gc(ocsp_req, self._lib.OCSP_REQUEST_free)
- for cert, issuer, algorithm in builder._requests:
- evp_md = self._lib.EVP_get_digestbyname(
- algorithm.name.encode("ascii"))
- self.openssl_assert(evp_md != self._ffi.NULL)
- certid = self._lib.OCSP_cert_to_id(
- evp_md, cert._x509, issuer._x509
- )
- self.openssl_assert(certid != self._ffi.NULL)
- onereq = self._lib.OCSP_request_add0_id(ocsp_req, certid)
- self.openssl_assert(onereq != self._ffi.NULL)
+ cert, issuer, algorithm = builder._request
+ evp_md = self._lib.EVP_get_digestbyname(
+ algorithm.name.encode("ascii"))
+ self.openssl_assert(evp_md != self._ffi.NULL)
+ certid = self._lib.OCSP_cert_to_id(
+ evp_md, cert._x509, issuer._x509
+ )
+ self.openssl_assert(certid != self._ffi.NULL)
+ onereq = self._lib.OCSP_request_add0_id(ocsp_req, certid)
+ self.openssl_assert(onereq != self._ffi.NULL)
return _OCSPRequest(self, ocsp_req)
def elliptic_curve_exchange_algorithm_supported(self, algorithm, curve):
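Review bot: The `OCSP_request_add0_id` call on the new side carries no note that the `0` suffix means `ocsp_req` takes ownership of `certid` on success, which is why `certid` is deliberately not wrapped in `self._ffi.gc` the way `ocsp_req` is; a maintainer adding a `gc` call there would introduce a double free, and on the (allocation-failure) path where `add0` returns NULL the id is simply leaked before `openssl_assert` raises. Suggest a comment above it: `# add0: ocsp_req owns certid on success, so it must not be gc'd here`. The tuple unpack of `builder._request` relies on `build()` in x509/ocsp.py having already rejected a `None` request; a one-line comment saying so would keep that contract visible at the point of use. The enclosing `create_ocsp_request` starts before this hunk.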
diff --git a/src/cryptography/hazmat/backends/openssl/ocsp.py b/src/cryptography/hazmat/backends/openssl/ocsp.py
index 38e871ec..dd66e36d 100644
--- a/src/cryptography/hazmat/backends/openssl/ocsp.py
+++ b/src/cryptography/hazmat/backends/openssl/ocsp.py
@@ -4,23 +4,28 @@
from __future__ import absolute_import, division, print_function
-import operator
-
from cryptography import utils
from cryptography.exceptions import UnsupportedAlgorithm
from cryptography.hazmat.backends.openssl.decode_asn1 import (
_asn1_integer_to_int, _asn1_string_to_bytes, _obj2txt
)
from cryptography.hazmat.primitives import serialization
-from cryptography.x509.ocsp import OCSPRequest, Request, _OIDS_TO_HASH
+from cryptography.x509.ocsp import OCSPRequest, _OIDS_TO_HASH
-@utils.register_interface(Request)
-class _Request(object):
- def __init__(self, backend, ocsp_request, request):
+@utils.register_interface(OCSPRequest)
+class _OCSPRequest(object):
+ def __init__(self, backend, ocsp_request):
+ if backend._lib.OCSP_request_onereq_count(ocsp_request) > 1:
+ raise NotImplementedError(
+ 'OCSP request contains more than one request'
+ )
self._backend = backend
self._ocsp_request = ocsp_request
- self._request = request
+ self._request = self._backend._lib.OCSP_request_onereq_get0(
+ self._ocsp_request, 0
+ )
+ self._backend.openssl_assert(self._request != self._backend._ffi.NULL)
self._cert_id = self._backend._lib.OCSP_onereq_get0_id(self._request)
self._backend.openssl_assert(self._cert_id != self._backend._ffi.NULL)
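Review bot: The new `__init__` rejects requests with more than one entry but does not handle zero entries: for a parsed request whose requestList is empty, `OCSP_request_onereq_get0(..., 0)` returns NULL and the `openssl_assert` on the next line raises the backend's InternalError (which tells the user to file a bug) instead of a caller-facing error from `load_der_ocsp_request`, assuming the DER decoder accepts an empty SEQUENCE OF as it appears to. Bind the count once and check both sides, e.g. `count = backend._lib.OCSP_request_onereq_count(ocsp_request)` followed by `if count == 0: raise ValueError("OCSP request contains no requests")` ahead of the existing `> 1` branch. Separately, the `NotImplementedError` message uses single quotes while the rest of this file uses double quotes.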
@@ -74,23 +79,6 @@ class _Request(object):
"Signature algorithm OID: {0} not recognized".format(oid)
)
-
-@utils.register_interface(OCSPRequest)
-class _OCSPRequest(object):
- def __init__(self, backend, ocsp_request):
- self._backend = backend
- self._ocsp_request = ocsp_request
-
- def __len__(self):
- return self._backend._lib.OCSP_request_onereq_count(self._ocsp_request)
-
- def _request(self, idx):
- request = self._backend._lib.OCSP_request_onereq_get0(
- self._ocsp_request, idx
- )
- self._backend.openssl_assert(request != self._backend._ffi.NULL)
- return _Request(self._backend, self._ocsp_request, request)
-
def public_bytes(self, encoding):
if encoding is not serialization.Encoding.DER:
raise ValueError(
@@ -101,19 +89,3 @@ class _OCSPRequest(object):
res = self._backend._lib.i2d_OCSP_REQUEST_bio(bio, self._ocsp_request)
self._backend.openssl_assert(res > 0)
return self._backend._read_mem_bio(bio)
-
- def __iter__(self):
- for i in range(len(self)):
- yield self._request(i)
-
- def __getitem__(self, idx):
- if isinstance(idx, slice):
- start, stop, step = idx.indices(len(self))
- return [self._request(i) for i in range(start, stop, step)]
- else:
- idx = operator.index(idx)
- if idx < 0:
- idx += len(self)
- if not 0 <= idx < len(self):
- raise IndexError
- return self._request(idx)
diff --git a/src/cryptography/x509/ocsp.py b/src/cryptography/x509/ocsp.py
index 0567197d..c3225daa 100644
--- a/src/cryptography/x509/ocsp.py
+++ b/src/cryptography/x509/ocsp.py
@@ -27,10 +27,13 @@ def load_der_ocsp_request(data):
class OCSPRequestBuilder(object):
- def __init__(self, requests=[]):
- self._requests = requests
+ def __init__(self, request=None):
+ self._request = request
+
+ def add_certificate(self, cert, issuer, algorithm):
+ if self._request is not None:
+ raise ValueError("Only one certificate can be added to a request")
- def add_request(self, cert, issuer, algorithm):
allowed_hashes = (
hashes.SHA1, hashes.SHA224, hashes.SHA256,
hashes.SHA384, hashes.SHA512
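Review bot: `add_certificate` is a public builder method with no docstring, and nothing in this hunk says that it returns a fresh builder rather than mutating `self`, which is the property the `self._request is not None` guard depends on. Suggest a docstring before that guard such as `"""Return a new builder with cert/issuer/algorithm set; raises ValueError if a certificate was already added."""`. The method body continues past the end of this hunk.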
@@ -45,45 +48,18 @@ class OCSPRequestBuilder(object):
):
raise TypeError("cert and issuer must be a Certificate")
- return OCSPRequestBuilder(self._requests + [(cert, issuer, algorithm)])
+ return OCSPRequestBuilder((cert, issuer, algorithm))
def build(self):
from cryptography.hazmat.backends.openssl.backend import backend
- if len(self._requests) == 0:
- raise ValueError("You must add a request before building")
+ if self._request is None:
+ raise ValueError("You must add a certificate before building")
return backend.create_ocsp_request(self)
@six.add_metaclass(abc.ABCMeta)
class OCSPRequest(object):
- @abc.abstractmethod
- def __iter__(self):
- """
- Iteration of Requests
- """
-
- @abc.abstractmethod
- def __len__(self):
- """
- Number of Requests inside the OCSPRequest object
- """
-
- @abc.abstractmethod
- def __getitem__(self, idx):
- """
- Returns a Request or range of Requests
- """
-
- @abc.abstractmethod
- def public_bytes(self, encoding):
- """
- Serializes the request to DER
- """
-
-
-@six.add_metaclass(abc.ABCMeta)
-class Request(object):
@abc.abstractproperty
def issuer_key_hash(self):
"""
@@ -107,3 +83,8 @@ class Request(object):
"""
The serial number of the cert whose status is being checked
"""
+ @abc.abstractmethod
+ def public_bytes(self, encoding):
+ """
+ Serializes the request to DER
+ """