diff options
author | Erik Trauschke <erik.trauschke@gmail.com> | 2015-10-15 14:45:38 -0700 |
---|---|---|
committer | Erik Trauschke <erik.trauschke@gmail.com> | 2015-10-15 14:45:38 -0700 |
commit | d4e7d43416077f18a37008298abdc566bd3f069d (patch) | |
tree | 8052c19063d69fe93ac301e1c3d03fda99e06086 /src | |
parent | 164bae538cfe5fcb320ebe5ee7e080598ad7ec5f (diff) | |
download | cryptography-d4e7d43416077f18a37008298abdc566bd3f069d.tar.gz cryptography-d4e7d43416077f18a37008298abdc566bd3f069d.tar.bz2 cryptography-d4e7d43416077f18a37008298abdc566bd3f069d.zip |
removing caching mechanism for x509 properties
undo name change of CRLExtensionOID
use custom parsing mechanism for certIssuer entry extension
add new crl to vectors for testing invalid certIssuer entry ext
Diffstat (limited to 'src')
-rw-r--r-- | src/_cffi_src/openssl/x509v3.py | 2 | ||||
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/x509.py | 107 | ||||
-rw-r--r-- | src/cryptography/x509/__init__.py | 10 | ||||
-rw-r--r-- | src/cryptography/x509/oid.py | 8 |
4 files changed, 51 insertions, 76 deletions
diff --git a/src/_cffi_src/openssl/x509v3.py b/src/_cffi_src/openssl/x509v3.py index 84e49640..51cac62b 100644 --- a/src/_cffi_src/openssl/x509v3.py +++ b/src/_cffi_src/openssl/x509v3.py @@ -290,6 +290,8 @@ DIST_POINT_NAME *DIST_POINT_NAME_new(void); void DIST_POINT_NAME_free(DIST_POINT_NAME *); int i2d_CRL_DIST_POINTS(Cryptography_STACK_OF_DIST_POINT *, unsigned char **); +GENERAL_NAMES *d2i_GENERAL_NAMES(GENERAL_NAMES **, const unsigned char **, + long); """ CUSTOMIZATIONS = """ diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py index 7f7be545..073dfb1e 100644 --- a/src/cryptography/hazmat/backends/openssl/x509.py +++ b/src/cryptography/hazmat/backends/openssl/x509.py @@ -19,7 +19,7 @@ from cryptography import utils, x509 from cryptography.exceptions import UnsupportedAlgorithm from cryptography.hazmat.primitives import hashes, serialization from cryptography.x509.oid import ( - CertificatePoliciesOID, ExtensionOID, RevokedExtensionOID + CRLExtensionOID, CertificatePoliciesOID, ExtensionOID ) @@ -175,11 +175,11 @@ def _decode_ocsp_no_check(backend, ext): class _X509ExtensionParser(object): - def __init__(self, ext_count, get_ext, handlers, supported_versions=None): + def __init__(self, ext_count, get_ext, handlers, unsupported_exts=None): self.ext_count = ext_count self.get_ext = get_ext self.handlers = handlers - self.supported_versions = supported_versions + self.unsupported_exts = unsupported_exts def parse(self, backend, x509_obj): extensions = [] @@ -190,13 +190,6 @@ class _X509ExtensionParser(object): crit = backend._lib.X509_EXTENSION_get_critical(ext) critical = crit == 1 oid = x509.ObjectIdentifier(_obj2txt(backend, ext.object)) - - # Filter out extensions we know are not supported by the backend - if (self.supported_versions and oid in self.supported_versions and - self.supported_versions[oid] > - backend._lib.OPENSSL_VERSION_NUMBER): - self.handlers.pop(oid, None) - if oid in seen_oids: raise x509.DuplicateExtension( "Duplicate {0} extension found".format(oid), oid @@ -210,15 +203,18 @@ class _X509ExtensionParser(object): .format(oid), oid ) else: - d2i = backend._lib.X509V3_EXT_d2i(ext) - if d2i == backend._ffi.NULL: - backend._consume_errors() - raise ValueError( - "The {0} extension is invalid and can't be " - "parsed".format(oid) - ) - - value = handler(backend, d2i) + if self.unsupported_exts and oid in self.unsupported_exts: + ext_data = ext + else: + ext_data = backend._lib.X509V3_EXT_d2i(ext) + if ext_data == backend._ffi.NULL: + backend._consume_errors() + raise ValueError( + "The {0} extension is invalid and can't be " + "parsed".format(oid) + ) + + value = handler(backend, ext_data) extensions.append(x509.Extension(oid, critical, value)) seen_oids.add(oid) @@ -687,8 +683,18 @@ def _decode_invalidity_date(backend, inv_date): return datetime.datetime.strptime(time, "%Y%m%d%H%M%SZ") -def _decode_cert_issuer(backend, issuer): - gns = backend._ffi.cast("GENERAL_NAMES *", issuer) +def _decode_cert_issuer(backend, ext): + data_ptr_ptr = backend._ffi.new("const unsigned char **") + data_ptr_ptr[0] = ext.value.data + gns = backend._lib.d2i_GENERAL_NAMES( + backend._ffi.NULL, data_ptr_ptr, ext.value.length + ) + if gns == backend._ffi.NULL: + backend._consume_errors() + raise ValueError( + "The {0} extension is corrupted and can't be parsed".format( + CRLExtensionOID.CERTIFICATE_ISSUER)) + gns = backend._ffi.gc(gns, backend._lib.GENERAL_NAMES_free) return x509.GeneralNames(_decode_general_names(backend, gns)) @@ -699,28 +705,16 @@ class _RevokedCertificate(object): self._backend = backend self._x509_revoked = x509_revoked - self._serial_number = None - self._revocation_date = None - self._extensions = None - @property def serial_number(self): - if self._serial_number: - return self._serial_number - asn1_int = self._x509_revoked.serialNumber self._backend.openssl_assert(asn1_int != self._backend._ffi.NULL) - self._serial_number = self._backend._asn1_integer_to_int(asn1_int) - return self._serial_number + return self._backend._asn1_integer_to_int(asn1_int) @property def revocation_date(self): - if self._revocation_date: - return self._revocation_date - - self._revocation_date = self._backend._parse_asn1_time( + return self._backend._parse_asn1_time( self._x509_revoked.revocationDate) - return self._revocation_date @property def extensions(self): @@ -765,11 +759,6 @@ class _CertificateRevocationList(object): self._backend = backend self._x509_crl = x509_crl - self._revoked = None - self._issuer = None - self._next_update = None - self._last_update = None - def __eq__(self, other): if not isinstance(other, x509.CertificateRevocationList): return NotImplemented @@ -803,38 +792,23 @@ class _CertificateRevocationList(object): @property def issuer(self): - if self._issuer: - return self._issuer - issuer = self._backend._lib.X509_CRL_get_issuer(self._x509_crl) self._backend.openssl_assert(issuer != self._backend._ffi.NULL) - self._issuer = _decode_x509_name(self._backend, issuer) - return self._issuer + return _decode_x509_name(self._backend, issuer) @property def next_update(self): - if self._next_update: - return self._next_update - nu = self._backend._lib.X509_CRL_get_nextUpdate(self._x509_crl) self._backend.openssl_assert(nu != self._backend._ffi.NULL) - self._next_update = self._backend._parse_asn1_time(nu) - return self._next_update + return self._backend._parse_asn1_time(nu) @property def last_update(self): - if self._last_update: - return self._last_update - lu = self._backend._lib.X509_CRL_get_lastUpdate(self._x509_crl) self._backend.openssl_assert(lu != self._backend._ffi.NULL) - self._last_update = self._backend._parse_asn1_time(lu) - return self._last_update + return self._backend._parse_asn1_time(lu) def _revoked_certificates(self): - if self._revoked: - return self._revoked - revoked = self._backend._lib.X509_CRL_get_REVOKED(self._x509_crl) self._backend.openssl_assert(revoked != self._backend._ffi.NULL) @@ -845,8 +819,7 @@ class _CertificateRevocationList(object): self._backend.openssl_assert(r != self._backend._ffi.NULL) revoked_list.append(_RevokedCertificate(self._backend, r)) - self._revoked = revoked_list - return self._revoked + return revoked_list def __iter__(self): return iter(self._revoked_certificates()) @@ -943,14 +916,14 @@ _EXTENSION_HANDLERS = { } _REVOKED_EXTENSION_HANDLERS = { - RevokedExtensionOID.CRL_REASON: _decode_crl_reason, - RevokedExtensionOID.INVALIDITY_DATE: _decode_invalidity_date, - RevokedExtensionOID.CERTIFICATE_ISSUER: _decode_cert_issuer, + CRLExtensionOID.CRL_REASON: _decode_crl_reason, + CRLExtensionOID.INVALIDITY_DATE: _decode_invalidity_date, + CRLExtensionOID.CERTIFICATE_ISSUER: _decode_cert_issuer, } -_REVOKED_SUPPORTED_VERSIONS = { - RevokedExtensionOID.CERTIFICATE_ISSUER: 0x10000000, -} +_REVOKED_UNSUPPORTED_EXTENSIONS = set([ + CRLExtensionOID.CERTIFICATE_ISSUER, +]) _CERTIFICATE_EXTENSION_PARSER = _X509ExtensionParser( ext_count=lambda backend, x: backend._lib.X509_get_ext_count(x), @@ -968,5 +941,5 @@ _REVOKED_CERTIFICATE_EXTENSION_PARSER = _X509ExtensionParser( ext_count=lambda backend, x: backend._lib.X509_REVOKED_get_ext_count(x), get_ext=lambda backend, x, i: backend._lib.X509_REVOKED_get_ext(x, i), handlers=_REVOKED_EXTENSION_HANDLERS, - supported_versions=_REVOKED_SUPPORTED_VERSIONS + unsupported_exts=_REVOKED_UNSUPPORTED_EXTENSIONS ) diff --git a/src/cryptography/x509/__init__.py b/src/cryptography/x509/__init__.py index 6438da9c..70e1d3da 100644 --- a/src/cryptography/x509/__init__.py +++ b/src/cryptography/x509/__init__.py @@ -28,8 +28,8 @@ from cryptography.x509.general_name import ( ) from cryptography.x509.name import Name, NameAttribute from cryptography.x509.oid import ( - AuthorityInformationAccessOID, CertificatePoliciesOID, ExtendedKeyUsageOID, - ExtensionOID, NameOID, ObjectIdentifier, RevokedExtensionOID, + AuthorityInformationAccessOID, CRLExtensionOID, CertificatePoliciesOID, + ExtendedKeyUsageOID, ExtensionOID, NameOID, ObjectIdentifier, SignatureAlgorithmOID, _SIG_OIDS_TO_HASH ) @@ -95,9 +95,9 @@ OID_ANY_POLICY = CertificatePoliciesOID.ANY_POLICY OID_CPS_QUALIFIER = CertificatePoliciesOID.CPS_QUALIFIER OID_CPS_USER_NOTICE = CertificatePoliciesOID.CPS_USER_NOTICE -OID_CERTIFICATE_ISSUER = RevokedExtensionOID.CERTIFICATE_ISSUER -OID_CRL_REASON = RevokedExtensionOID.CRL_REASON -OID_INVALIDITY_DATE = RevokedExtensionOID.INVALIDITY_DATE +OID_CERTIFICATE_ISSUER = CRLExtensionOID.CERTIFICATE_ISSUER +OID_CRL_REASON = CRLExtensionOID.CRL_REASON +OID_INVALIDITY_DATE = CRLExtensionOID.INVALIDITY_DATE OID_CA_ISSUERS = AuthorityInformationAccessOID.CA_ISSUERS OID_OCSP = AuthorityInformationAccessOID.OCSP diff --git a/src/cryptography/x509/oid.py b/src/cryptography/x509/oid.py index 667045af..ead40169 100644 --- a/src/cryptography/x509/oid.py +++ b/src/cryptography/x509/oid.py @@ -58,7 +58,7 @@ class ExtensionOID(object): OCSP_NO_CHECK = ObjectIdentifier("1.3.6.1.5.5.7.48.1.5") -class RevokedExtensionOID(object): +class CRLExtensionOID(object): CERTIFICATE_ISSUER = ObjectIdentifier("2.5.29.29") CRL_REASON = ObjectIdentifier("2.5.29.21") INVALIDITY_DATE = ObjectIdentifier("2.5.29.24") @@ -177,9 +177,9 @@ _OID_NAMES = { ExtensionOID.SUBJECT_ALTERNATIVE_NAME: "subjectAltName", ExtensionOID.ISSUER_ALTERNATIVE_NAME: "issuerAltName", ExtensionOID.BASIC_CONSTRAINTS: "basicConstraints", - RevokedExtensionOID.CRL_REASON: "cRLReason", - RevokedExtensionOID.INVALIDITY_DATE: "invalidityDate", - RevokedExtensionOID.CERTIFICATE_ISSUER: "certificateIssuer", + CRLExtensionOID.CRL_REASON: "cRLReason", + CRLExtensionOID.INVALIDITY_DATE: "invalidityDate", + CRLExtensionOID.CERTIFICATE_ISSUER: "certificateIssuer", ExtensionOID.NAME_CONSTRAINTS: "nameConstraints", ExtensionOID.CRL_DISTRIBUTION_POINTS: "cRLDistributionPoints", ExtensionOID.CERTIFICATE_POLICIES: "certificatePolicies", |