-rw-r--r-- | src/cryptography/hazmat/backends/openssl/x509.py | 10 | ||||
-rw-r--r-- | tests/test_x509_ext.py | 19 |
2 files changed, 26 insertions, 3 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index c2a32b2a..0aa2e2da 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -154,10 +154,14 @@ def _decode_general_name(backend, gn):
 # find the first 0 bit, which will be the prefix. If another 1
 # bit is present after that the netmask is invalid.
 base = ipaddress.ip_address(data[:data_len // 2])
- netmask = utils.int_from_bytes(data[data_len // 2:], 'big')
- bits = bin(netmask)[2:]
+ netmask = ipaddress.ip_address(data[data_len // 2:])
+ bits = bin(int(netmask))[2:]
 prefix = bits.find('0')
- if bits[prefix:].find('1') != -1:
+ # If no 0 bits are found it is a /32 or /128
+ if prefix == -1:
+ prefix = len(bits)
+
+ if b"1" in bits[prefix:]:
 raise ValueError("Invalid netmask")

 ip = ipaddress.ip_network(base.exploded + u"/{0}".format(prefix))
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index 7a7e79e6..af0ffafb 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -2206,6 +2206,25 @@ class TestNameConstraintsExtension(object):
 ]
 )

+ def test_single_ip_netmask(self, backend):
+ cert = _load_cert(
+ os.path.join(
+ "x509", "custom", "nc_single_ip_netmask.pem"
+ ),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ nc = cert.extensions.get_extension_for_oid(
+ x509.OID_NAME_CONSTRAINTS
+ ).value
+ assert nc == x509.NameConstraints(
+ permitted_subtrees=[
+ x509.IPAddress(ipaddress.IPv6Network(u"FF:0:0:0:0:0:0:0/128")),
+ x509.IPAddress(ipaddress.IPv4Network(u"192.168.0.1/32")),
+ ],
+ excluded_subtrees=None
+ )
+
 def test_invalid_netmask(self, backend):
 cert = _load_cert(
 os.path.join( |
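Review bot: The new validation line tests a bytes literal against a str — `bits` is produced by `bin(int(netmask))[2:]`, so under Python 3 `b"1" in bits[prefix:]` raises TypeError on every mask that reaches it instead of reporting an invalid netmask; it should read `if "1" in bits[prefix:]:`. A second gap in the same lines: `bin()` drops leading zero bits, so a mask whose high bit is clear (0x7FFFFFFF, for example) becomes an all-ones string, and the added `prefix == -1` branch now accepts it as a /31 where the old code happened to reject it. Padding to the address width before scanning, `bits = bin(int(netmask))[2:].zfill(netmask.max_prefixlen)`, keeps the "first 0, then no 1" rule the comment promises for those masks as well. The body of `_decode_general_name` starts and ends outside this hunk.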
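Review bot: The added `test_single_ip_netmask` only covers the all-ones masks (/128 and /32), so the decoder's new `prefix == -1` branch is exercised on its accept path but never on a mask that is not a contiguous run of ones — a vector with a clear high bit would pass through that branch and is not checked anywhere in this change. A companion negative test alongside `test_invalid_netmask`, loading a fixture such as `nc_noncontiguous_netmask.pem` (placeholder name) and asserting `ValueError`, would pin the rejection behaviour the source comment describes. The enclosing `TestNameConstraintsExtension` class starts outside this hunk and `test_invalid_netmask` continues past its end.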