authorPaul Kehrer <paul.l.kehrer@gmail.com>2015-11-19 14:59:06 -0600
committerPaul Kehrer <paul.l.kehrer@gmail.com>2015-11-19 14:59:06 -0600
commitcc1962d9ece2496548032074499e2aed475b5271 (patch)
tree5fe5150bfc4313b610a416491f259fd3aca80d7c /src
parenta06e0cf66906a723682731af53e295179d5c9f4d (diff)
parent569aa6a847cf6f533d41240d574c8f56512d2324 (diff)
Merge pull request #2489 from etrauschke/crl_verify
add tbsCertList and signature interfaces to CRLs
Diffstat (limited to 'src')
-rw-r--r--src/_cffi_src/openssl/x509.py3
-rw-r--r--src/cryptography/hazmat/backends/openssl/x509.py15
-rw-r--r--src/cryptography/x509/base.py12
3 files changed, 30 insertions, 0 deletions
diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py
index 2024101b..ebb78a31 100644
--- a/src/_cffi_src/openssl/x509.py
+++ b/src/_cffi_src/openssl/x509.py
@@ -65,6 +65,7 @@ typedef struct {
typedef struct {
X509_CRL_INFO *crl;
X509_ALGOR *sig_alg;
+ ASN1_BIT_STRING *signature;
...;
} X509_CRL;
@@ -259,6 +260,8 @@ void PKCS8_PRIV_KEY_INFO_free(PKCS8_PRIV_KEY_INFO *);
MACROS = """
int i2d_X509_CINF(X509_CINF *, unsigned char **);
+int i2d_X509_CRL_INFO(X509_CRL_INFO *, unsigned char **);
+
long X509_get_version(X509 *);
ASN1_TIME *X509_get_notBefore(X509 *);
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 3afbc40f..8fa43ea8 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -818,6 +818,21 @@ class _CertificateRevocationList(object):
self._backend.openssl_assert(lu != self._backend._ffi.NULL)
return self._backend._parse_asn1_time(lu)
+ @property
+ def signature(self):
+ return self._backend._asn1_string_to_bytes(self._x509_crl.signature)
+
+ @property
+ def tbs_certlist_bytes(self):
+ pp = self._backend._ffi.new("unsigned char **")
+ # the X509_CRL_INFO struct holds the tbsCertList data
+ res = self._backend._lib.i2d_X509_CRL_INFO(self._x509_crl.crl, pp)
+ self._backend.openssl_assert(res > 0)
+ pp = self._backend._ffi.gc(
+ pp, lambda pointer: self._backend._lib.OPENSSL_free(pointer[0])
+ )
+ return self._backend._ffi.buffer(pp[0], res)[:]
+
def _revoked_certificates(self):
revoked = self._backend._lib.X509_CRL_get_REVOKED(self._x509_crl)
self._backend.openssl_assert(revoked != self._backend._ffi.NULL)
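Review bot: `tbs_certlist_bytes` depends on an ownership contract that the new code never states: `pp[0]` starts out NULL, so `i2d_X509_CRL_INFO` allocates the output buffer and the caller must release it with `OPENSSL_free`. I would put a comment above the `ffi.gc` call, for example `# i2d allocated pp[0] because it was NULL; it is freed when pp is collected, after the [:] copy below`, and give both new properties a one-line docstring. The `signature` property passes `self._x509_crl.signature` straight to `_asn1_string_to_bytes`, and whether that helper tolerates a NULL pointer is not visible from this hunk, so a short comment stating that a parsed CRL always carries the field would help. The enclosing class begins before the hunk and `_revoked_certificates` continues past it.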
diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py
index ad561b94..6c2386f6 100644
--- a/src/cryptography/x509/base.py
+++ b/src/cryptography/x509/base.py
@@ -194,6 +194,18 @@ class CertificateRevocationList(object):
Returns an Extensions object containing a list of CRL extensions.
"""
+ @abc.abstractproperty
+ def signature(self):
+ """
+ Returns the signature bytes.
+ """
+
+ @abc.abstractproperty
+ def tbs_certlist_bytes(self):
+ """
+ Returns the tbsCertList payload bytes as defined in RFC 5280.
+ """
+
@abc.abstractmethod
def __eq__(self, other):
"""
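Review bot: The two new docstrings describe each return value in isolation and never say how they relate, which matters because this interface hands callers raw material rather than a verification result. I would word the first as `Returns the signature bytes computed by the issuer over tbs_certlist_bytes.` and extend the second to say that these are the DER-encoded bytes the signature covers. It would also help to state that the CRL contents should be trusted only after the signature has been checked against the issuer's public key using the CRL's `signature_hash_algorithm`. RFC 5280 additionally requires the algorithm identifier inside tbsCertList to match the outer signatureAlgorithm, which a caller doing its own verification may want to check. The class body starts before this hunk and the `__eq__` docstring runs past it.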