| -rw-r--r-- | src/_cffi_src/openssl/x509.py | 44 | ||||
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/x509.py | 17 | 
2 files changed, 51 insertions, 10 deletions
diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py
index 4cdc8274..2fe3a1bf 100644
--- a/src/_cffi_src/openssl/x509.py
+++ b/src/_cffi_src/openssl/x509.py
@@ -154,12 +154,6 @@ X509_EXTENSION *X509_EXTENSION_dup(X509_EXTENSION *);
 X509_EXTENSION *X509_get_ext(X509 *, int);
 int X509_get_ext_by_NID(X509 *, int, int);
-/* CRYPTO_EX_DATA */
-int X509_get_ex_new_index(long, void *, CRYPTO_EX_new *, CRYPTO_EX_dup *,
-                          CRYPTO_EX_free *);
-int X509_set_ex_data(X509 *, int, void *);
-void *X509_get_ex_data(X509 *, int);
-
 int X509_EXTENSION_get_critical(X509_EXTENSION *);
 ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *);
 void X509_EXTENSION_free(X509_EXTENSION *);
@@ -272,12 +266,22 @@ void PKCS8_PRIV_KEY_INFO_free(PKCS8_PRIV_KEY_INFO *);
 """
 MACROS = """
+/* these CRYPTO_EX_DATA functions became macros in 1.1.0 */
+int X509_get_ex_new_index(long, void *, CRYPTO_EX_new *, CRYPTO_EX_dup *,
+                          CRYPTO_EX_free *);
+int X509_set_ex_data(X509 *, int, void *);
+void *X509_get_ex_data(X509 *, int);
+
 X509_REVOKED *Cryptography_X509_REVOKED_dup(X509_REVOKED *);
 int i2d_X509_CINF(X509_CINF *, unsigned char **);
 int i2d_X509_CRL_INFO(X509_CRL_INFO *, unsigned char **);
 int i2d_X509_REQ_INFO(X509_REQ_INFO *, unsigned char **);
+/* new in 1.0.2 */
+int i2d_re_X509_tbs(X509 *, unsigned char **);
+void X509_get0_signature(ASN1_BIT_STRING **, X509_ALGOR **, X509 *);
+
 long X509_get_version(X509 *);
 ASN1_TIME *X509_get_notBefore(X509 *);
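Review bot: The new cdef `void X509_get0_signature(ASN1_BIT_STRING **, X509_ALGOR **, X509 *);` declares a non-const third parameter, while the fallback definition this same commit adds to CUSTOMIZATIONS takes `const X509 *x`; the declaration and the definition should agree, `void X509_get0_signature(ASN1_BIT_STRING **, X509_ALGOR **, const X509 *);`. If a newer OpenSSL also constifies the two out-parameters, the cffi-generated wrapper would be compiled against a mismatched prototype, so a comment naming which OpenSSL prototype this cdef follows would help the next person who hits a compiler warning here. The `/* new in 1.0.2 */` comment is also misleading now that the commit provides both symbols on every version; `/* 1.0.2+; CUSTOMIZATIONS supplies fallbacks for older OpenSSL and LibreSSL */` says where they actually come from.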
@@ -352,6 +356,34 @@ int sk_ASN1_OBJECT_push(Cryptography_STACK_OF_ASN1_OBJECT *, ASN1_OBJECT *);
 """
 CUSTOMIZATIONS = """
+/* Added in 1.0.2 beta but we need it in all versions now due to the great
+   opaquing. */
+#if OPENSSL_VERSION_NUMBER < 0x10002001L || defined(LIBRESSL_VERSION_NUMBER)
+/* from x509/x_x509.c version 1.0.2 */
+void X509_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg,
+                         const X509 *x)
+{
+    if (psig)
+        *psig = x->signature;
+    if (palg)
+        *palg = x->sig_alg;
+}
+#endif
+/* Added in 1.0.2 but we need it in all versions now due to the great
+   opaquing. */
+#if OPENSSL_VERSION_NUMBER < 0x10002003L || defined(LIBRESSL_VERSION_NUMBER)
+/* from x509/x_x509.c */
+int i2d_re_X509_tbs(X509 *x, unsigned char **pp)
+{
+    /* in 1.0.2+ this function also sets x->cert_info->enc.modified = 1
+       but older OpenSSLs don't have the enc ASN1_ENCODING member in the
+       X509 struct.  Setting modified to 1 marks the encoding
+       (x->cert_info->enc.enc) as invalid, but since the entire struct isn't
+       present we don't care. */
+    return i2d_X509_CINF(x->cert_info, pp);
+}
+#endif
+
 /* OpenSSL 0.9.8e does not have this definition. */
 #if OPENSSL_VERSION_NUMBER <= 0x0090805fL
 typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS;
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index c71f8d92..ced3e6f1 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
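Review bot: The two fallbacks gate on different thresholds, `0x10002001L` for X509_get0_signature and `0x10002003L` for i2d_re_X509_tbs, while both comments say only "Added in 1.0.2"; if these really are 1.0.2-beta1 and 1.0.2-beta3 the comments should say so, otherwise one of the two is wrong and a 1.0.2 beta build will either miss a symbol or define it twice. The i2d_re_X509_tbs fallback is also not equivalent to the function it stands in for: it never invalidates a cached encoding, so if the 1.0.x X509_CINF does carry the `enc` member (the comment asserts it does not; worth verifying against the 1.0.1 header rather than trusting memory), i2d_X509_CINF hands back the bytes the certificate was parsed from instead of a fresh DER re-encoding. That makes tbs_certificate_bytes, and any signature verification built on it, depend on the OpenSSL version for a certificate whose TBS was not minimal DER. Suggest saying so in the comment, e.g. `/* NOTE: unlike 1.0.2+, this may return the cached original encoding rather than a re-encoding */`.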
@@ -97,7 +97,12 @@ class _Certificate(object):
     @property
     def signature_hash_algorithm(self):
-        oid = _obj2txt(self._backend, self._x509.sig_alg.algorithm)
+        alg = self._backend._ffi.new("X509_ALGOR **")
+        self._backend._lib.X509_get0_signature(
+            self._backend._ffi.NULL, alg, self._x509
+        )
+        self._backend.openssl_assert(alg[0] != self._backend._ffi.NULL)
+        oid = _obj2txt(self._backend, alg[0].algorithm)
         try:
             return x509._SIG_OIDS_TO_HASH[oid]
         except KeyError:
@@ -111,13 +116,17 @@ class _Certificate(object):
     @property
     def signature(self):
-        return _asn1_string_to_bytes(self._backend, self._x509.signature)
+        sig = self._backend._ffi.new("ASN1_BIT_STRING **")
+        self._backend._lib.X509_get0_signature(
+            sig, self._backend._ffi.NULL, self._x509
+        )
+        self._backend.openssl_assert(sig[0] != self._backend._ffi.NULL)
+        return _asn1_string_to_bytes(self._backend, sig[0])
     @property
     def tbs_certificate_bytes(self):
         pp = self._backend._ffi.new("unsigned char **")
-        # the X509_CINF struct holds the tbsCertificate data
-        res = self._backend._lib.i2d_X509_CINF(self._x509.cert_info, pp)
+        res = self._backend._lib.i2d_re_X509_tbs(self._x509, pp)
         self._backend.openssl_assert(res > 0)
         pp = self._backend._ffi.gc(
             pp, lambda pointer: self._backend._lib.OPENSSL_free(pointer[0])
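Review bot: `alg[0]` filled in by X509_get0_signature is a borrowed pointer into `self._x509` (the fallback added in this commit hands back `x->sig_alg` directly), so it must never be wrapped in `_ffi.gc` and is only valid while `self._x509` is alive; the code handles this correctly but nothing says so, and the next maintainer who sees `_ffi.new` may add a destructor. Suggest `# get0: alg[0] is owned by self._x509 -- borrowed, never freed here` above the `_obj2txt` call. The same note applies to `sig[0]` in the signature property below. signature_hash_algorithm continues past the end of the hunk.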
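Review bot: The removed comment `# the X509_CINF struct holds the tbsCertificate data` was the only explanation of what tbs_certificate_bytes returns, and the replacement call has none; `i2d_re_X509_tbs` is not self-explanatory, and on OpenSSL before 1.0.2 it resolves to the CUSTOMIZATIONS fallback from this commit, which may return a cached encoding rather than re-encoding. Suggest `# re-encode the tbsCertificate as DER; pre-1.0.2 uses our CUSTOMIZATIONS fallback` on the `res = ...` line so a reader checking a signature against these bytes knows which OpenSSL path produced them. tbs_certificate_bytes continues past the end of the hunk.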
