Fixes #4333 -- added support for precert poison extension (#4442)

* Fixes #4333 -- added support for precert poison extension

* Make work on all OpenSSL versions

* fixed flake8 + docs

* fix for older OpenSSLs

* document this

* spell

5 files changed, 33 insertions, 6 deletions

diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 64d26afd..58fe492f 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -11,6 +11,8 @@ import contextlib
 import itertools
 from contextlib import contextmanager
 
+import asn1crypto.core
+
 import six
 
 from cryptography import utils, x509
@@ -965,6 +967,10 @@ class Backend(object):
             asn1 = _Integers([x.value for x in extension.value]).dump()
             value = _encode_asn1_str_gc(self, asn1, len(asn1))
             return self._create_raw_x509_extension(extension, value)
+        elif isinstance(extension.value, x509.PrecertPoison):
+            asn1 = asn1crypto.core.Null().dump()
+            value = _encode_asn1_str_gc(self, asn1, len(asn1))
+            return self._create_raw_x509_extension(extension, value)
         else:
             try:
                 encode = handlers[extension.oid]
diff --git a/src/cryptography/hazmat/backends/openssl/decode_asn1.py b/src/cryptography/hazmat/backends/openssl/decode_asn1.py
index 31fb8cfc..47fa911e 100644
--- a/src/cryptography/hazmat/backends/openssl/decode_asn1.py
+++ b/src/cryptography/hazmat/backends/openssl/decode_asn1.py
@@ -7,7 +7,7 @@ from __future__ import absolute_import, division, print_function
 import datetime
 import ipaddress
 
-from asn1crypto.core import Integer, SequenceOf
+import asn1crypto.core
 
 from cryptography import x509
 from cryptography.x509.extensions import _TLS_FEATURE_TYPE_TO_ENUM
@@ -17,8 +17,8 @@ from cryptography.x509.oid import (
 )
 
 
-class _Integers(SequenceOf):
-    _child_spec = Integer
+class _Integers(asn1crypto.core.SequenceOf):
+    _child_spec = asn1crypto.core.Integer
 
 
 def _obj2txt(backend, obj):
@@ -202,8 +202,8 @@ class _X509ExtensionParser(object):
                     "Duplicate {0} extension found".format(oid), oid
                 )
 
-            # This OID is only supported in OpenSSL 1.1.0+ but we want
-            # to support it in all versions of OpenSSL so we decode it
+            # These OIDs are only supported in OpenSSL 1.1.0+ but we want
+            # to support them in all versions of OpenSSL so we decode them
             # ourselves.
             if oid == ExtensionOID.TLS_FEATURE:
                 data = backend._lib.X509_EXTENSION_get_data(ext)
@@ -214,6 +214,17 @@ class _X509ExtensionParser(object):
                 extensions.append(x509.Extension(oid, critical, value))
                 seen_oids.add(oid)
                 continue
+            elif oid == ExtensionOID.PRECERT_POISON:
+                data = backend._lib.X509_EXTENSION_get_data(ext)
+                parsed = asn1crypto.core.Null.load(
+                    _asn1_string_to_bytes(backend, data)
+                )
+                assert parsed == asn1crypto.core.Null()
+                extensions.append(x509.Extension(
+                    oid, critical, x509.PrecertPoison()
+                ))
+                seen_oids.add(oid)
+                continue
 
             try:
                 handler = self.handlers[oid]
diff --git a/src/cryptography/x509/__init__.py b/src/cryptography/x509/__init__.py
index d2f9b049..15459a12 100644
--- a/src/cryptography/x509/__init__.py
+++ b/src/cryptography/x509/__init__.py
@@ -22,7 +22,8 @@ from cryptography.x509.extensions import (
     Extension, ExtensionNotFound, ExtensionType, Extensions, FreshestCRL,
     GeneralNames, InhibitAnyPolicy, InvalidityDate, IssuerAlternativeName,
     KeyUsage, NameConstraints, NoticeReference, OCSPNoCheck, PolicyConstraints,
-    PolicyInformation, PrecertificateSignedCertificateTimestamps, ReasonFlags,
+    PolicyInformation, PrecertPoison,
+    PrecertificateSignedCertificateTimestamps, ReasonFlags,
     SubjectAlternativeName, SubjectKeyIdentifier, TLSFeature, TLSFeatureType,
     UnrecognizedExtension, UserNotice
 )
@@ -182,4 +183,5 @@ __all__ = [
     "UnrecognizedExtension",
     "PolicyConstraints",
     "PrecertificateSignedCertificateTimestamps",
+    "PrecertPoison",
 ]
diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py
index eb4b927f..08af03c8 100644
--- a/src/cryptography/x509/extensions.py
+++ b/src/cryptography/x509/extensions.py
@@ -855,6 +855,11 @@ class OCSPNoCheck(object):
 
 
 @utils.register_interface(ExtensionType)
+class PrecertPoison(object):
+    oid = ExtensionOID.PRECERT_POISON
+
+
+@utils.register_interface(ExtensionType)
 class TLSFeature(object):
     oid = ExtensionOID.TLS_FEATURE
 
diff --git a/src/cryptography/x509/oid.py b/src/cryptography/x509/oid.py
index 90003d79..77e3fa63 100644
--- a/src/cryptography/x509/oid.py
+++ b/src/cryptography/x509/oid.py
@@ -91,6 +91,9 @@ class ExtensionOID(object):
     PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS = (
         ObjectIdentifier("1.3.6.1.4.1.11129.2.4.2")
     )
+    PRECERT_POISON = (
+        ObjectIdentifier("1.3.6.1.4.1.11129.2.4.3")
+    )
 
 
 class CRLEntryExtensionOID(object):