diff options
| author | Paul Kehrer <paul.l.kehrer@gmail.com> | 2017-07-04 15:59:38 -0500 |
|---|---|---|
| committer | Alex Gaynor <alex.gaynor@gmail.com> | 2017-07-04 16:59:38 -0400 |
| commit | ce69b82858b2dfc7f8dfe6818749285cc84bd2ec (patch) | |
| tree | 3233ee602d8dcff9211f403f9f3707763b4d381d /src | |
| parent | a509496e485ed79b5ae93ba2657bc15150e0d147 (diff) | |
| download | cryptography-ce69b82858b2dfc7f8dfe6818749285cc84bd2ec.tar.gz cryptography-ce69b82858b2dfc7f8dfe6818749285cc84bd2ec.tar.bz2 cryptography-ce69b82858b2dfc7f8dfe6818749285cc84bd2ec.zip | |
don't parse SCTs on older openssl (#3749)
* don't parse SCTs on older openssl
* use two diff extension parsers because why not
* review feedback
Diffstat (limited to 'src')
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/decode_asn1.py | 16 | ||||
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/x509.py | 17 |
2 files changed, 24 insertions, 9 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/decode_asn1.py b/src/cryptography/hazmat/backends/openssl/decode_asn1.py index ab97dc19..a55b5880 100644 --- a/src/cryptography/hazmat/backends/openssl/decode_asn1.py +++ b/src/cryptography/hazmat/backends/openssl/decode_asn1.py @@ -749,7 +749,7 @@ def _parse_asn1_generalized_time(backend, generalized_time): return datetime.datetime.strptime(time, "%Y%m%d%H%M%SZ") -_EXTENSION_HANDLERS = { +_EXTENSION_HANDLERS_NO_SCT = { ExtensionOID.BASIC_CONSTRAINTS: _decode_basic_constraints, ExtensionOID.SUBJECT_KEY_IDENTIFIER: _decode_subject_key_identifier, ExtensionOID.KEY_USAGE: _decode_key_usage, @@ -766,10 +766,12 @@ _EXTENSION_HANDLERS = { ExtensionOID.ISSUER_ALTERNATIVE_NAME: _decode_issuer_alt_name, ExtensionOID.NAME_CONSTRAINTS: _decode_name_constraints, ExtensionOID.POLICY_CONSTRAINTS: _decode_policy_constraints, - ExtensionOID.PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS: ( - _decode_precert_signed_certificate_timestamps - ), } +_EXTENSION_HANDLERS = _EXTENSION_HANDLERS_NO_SCT.copy() +_EXTENSION_HANDLERS[ + ExtensionOID.PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS +] = _decode_precert_signed_certificate_timestamps + _REVOKED_EXTENSION_HANDLERS = { CRLEntryExtensionOID.CRL_REASON: _decode_crl_reason, @@ -786,6 +788,12 @@ _CRL_EXTENSION_HANDLERS = { ), } +_CERTIFICATE_EXTENSION_PARSER_NO_SCT = _X509ExtensionParser( + ext_count=lambda backend, x: backend._lib.X509_get_ext_count(x), + get_ext=lambda backend, x, i: backend._lib.X509_get_ext(x, i), + handlers=_EXTENSION_HANDLERS_NO_SCT +) + _CERTIFICATE_EXTENSION_PARSER = _X509ExtensionParser( ext_count=lambda backend, x: backend._lib.X509_get_ext_count(x), get_ext=lambda backend, x, i: backend._lib.X509_get_ext(x, i), diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py index 43456382..a04d6d53 100644 --- a/src/cryptography/hazmat/backends/openssl/x509.py +++ b/src/cryptography/hazmat/backends/openssl/x509.py @@ -11,10 +11,10 @@ import warnings from cryptography import utils, x509 from cryptography.exceptions import UnsupportedAlgorithm from cryptography.hazmat.backends.openssl.decode_asn1 import ( - _CERTIFICATE_EXTENSION_PARSER, _CRL_EXTENSION_PARSER, - _CSR_EXTENSION_PARSER, _REVOKED_CERTIFICATE_EXTENSION_PARSER, - _asn1_integer_to_int, _asn1_string_to_bytes, _decode_x509_name, _obj2txt, - _parse_asn1_time + _CERTIFICATE_EXTENSION_PARSER, _CERTIFICATE_EXTENSION_PARSER_NO_SCT, + _CRL_EXTENSION_PARSER, _CSR_EXTENSION_PARSER, + _REVOKED_CERTIFICATE_EXTENSION_PARSER, _asn1_integer_to_int, + _asn1_string_to_bytes, _decode_x509_name, _obj2txt, _parse_asn1_time ) from cryptography.hazmat.primitives import hashes, serialization @@ -128,7 +128,14 @@ class _Certificate(object): @property def extensions(self): - return _CERTIFICATE_EXTENSION_PARSER.parse(self._backend, self._x509) + if self._backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER: + return _CERTIFICATE_EXTENSION_PARSER.parse( + self._backend, self._x509 + ) + else: + return _CERTIFICATE_EXTENSION_PARSER_NO_SCT.parse( + self._backend, self._x509 + ) @property def signature(self): |