| -rw-r--r-- | docs/development/test-vectors.rst | 2 | ||||
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/x509.py | 13 | ||||
| -rw-r--r-- | tests/test_x509_ext.py | 17 | ||||
| -rw-r--r-- | vectors/cryptography_vectors/x509/custom/ian_uri.pem | 19 | 
4 files changed, 51 insertions, 0 deletions
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
index 257b1514..91699bc9 100644
--- a/docs/development/test-vectors.rst
+++ b/docs/development/test-vectors.rst
@@ -210,6 +210,8 @@ Custom X.509 Vectors
 * ``cp_user_notice_no_explicit_text.pem`` - An RSA 2048 bit self-signed
   certificate containing a certificate policies extension with a user notice
   with no explicit text.
+* ``ian_uri.pem`` - An RSA 2048 bit certificate containing an issuer
+  alternative name extension with a ``URI`` general name.
 * ``ocsp_nocheck.pem`` - An RSA 2048 bit self-signed certificate containing
   an ``OCSPNoCheck`` extension.
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index a836e6a7..3b0c2954 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -290,6 +290,8 @@ class _Certificate(object):
                 value = _decode_crl_distribution_points(self._backend, ext)
             elif oid == x509.OID_OCSP_NO_CHECK:
                 value = x509.OCSPNoCheck()
+            elif oid == x509.OID_INHIBIT_ANY_POLICY:
+                value = _decode_inhibit_any_policy(self._backend, ext)
             elif critical:
                 raise x509.UnsupportedExtension(
                     "{0} is not currently supported".format(oid), oid
@@ -635,6 +637,17 @@ def _decode_crl_distribution_points(backend, ext):
     return x509.CRLDistributionPoints(dist_points)
+def _decode_inhibit_any_policy(backend, ext):
+    asn1_int = backend._ffi.cast(
+        "ASN1_INTEGER *",
+        backend._lib.X509V3_EXT_d2i(ext)
+    )
+    assert asn1_int != backend._ffi.NULL
+    asn1_int = backend._ffi.gc(asn1_int, backend._lib.ASN1_INTEGER_free)
+    skip_certs = _asn1_integer_to_int(backend, asn1_int)
+    return x509.InhibitAnyPolicy(skip_certs)
+
+
 @utils.register_interface(x509.CertificateSigningRequest)
 class _CertificateSigningRequest(object):
     def __init__(self, backend, x509_req):
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index c906f1e5..6a23479f 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -2435,3 +2435,20 @@ class TestInhibitAnyPolicy(object):
         iap2 = x509.InhibitAnyPolicy(4)
         assert iap != iap2
         assert iap != object()
+
+
+@pytest.mark.requires_backend_interface(interface=RSABackend)
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestInhibitAnyPolicyExtension(object):
+    def test_nocheck(self, backend):
+        cert = _load_cert(
+            os.path.join(
+                "x509", "custom", "inhibit_any_policy_5.pem"
+            ),
+            x509.load_pem_x509_certificate,
+            backend
+        )
+        iap = cert.extensions.get_extension_for_oid(
+            x509.OID_INHIBIT_ANY_POLICY
+        ).value
+        assert iap.skip_certs == 5
diff --git a/vectors/cryptography_vectors/x509/custom/ian_uri.pem b/vectors/cryptography_vectors/x509/custom/ian_uri.pem
new file mode 100644
index 00000000..83b3ff54
--- /dev/null
+++ b/vectors/cryptography_vectors/x509/custom/ian_uri.pem
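Review bot: `assert asn1_int != backend._ffi.NULL` in `_decode_inhibit_any_policy` is the only guard between an extension that fails to decode and the `_asn1_integer_to_int` call, and it disappears when Python runs with `-O`. Certificates are untrusted input and `X509V3_EXT_d2i` returns NULL when the extension body does not parse, so this should be an explicit check such as `if asn1_int == backend._ffi.NULL: raise ValueError("inhibitAnyPolicy extension could not be parsed")`, which also gives callers a catchable error rather than an AssertionError. The hunk does not show whether `x509.InhibitAnyPolicy` rejects a negative `skip_certs`; if it does not, a range check belongs here, since RFC 5280 defines SkipCerts as INTEGER (0..MAX).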
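Review bot: `test_nocheck` loads `inhibit_any_policy_5.pem`, but the only vector this commit adds is `ian_uri.pem`, which the docs hunk describes as an issuer alternative name certificate, so unless that file is already in the tree the test fails at load time. The method name looks left over from the OCSPNoCheck test; `test_inhibit_any_policy` would say what is being checked. Only the well-formed case is covered, and a vector carrying a malformed inhibitAnyPolicy value would pin down how the decoder fails on a certificate it cannot parse.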
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDATCCAemgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBbMQswCQYDVQQGEwJBVTET +MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ +dHkgTHRkMRQwEgYDVQQDEwtUZXN0SW5mcmFDQTAeFw0xNTA2MTgwNDI2MzFaFw0x +NjA2MTcwNDI2MzFaMAAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDf +LkjBhv4bpxSITJXXgB9gxszfwcwRYyvbTEJmD1lLWhOk13gnILagQgupZB33902u +3lChgQPY4418NQkivJJeMw4jfl/Use7gFxax5n/6YlU3A93CxNY+2ei2ejgWBD8w +tEdvFi9FSsaR+2ds5/vyONJdHkC6DR3aZdokCaU0X1h11JxKhJgsPPP41pL8P0A1 +scje090lfoGbVttD6ayxvccr+9GwkWVfHgYWUGOcAi/4e7wqXpvqZqlCOH7QnVUC +xyknyPjETiW2ki4RacjAZh5gEw6q9mNFO4Xeo30vmDx/7VWPBqdi7MLPVCiIaHs+ +YnDkSWV0qp3auI+MZqVjAgMBAAGjKzApMCcGA1UdEgQgMB6GHGh0dHA6Ly9wYXRo +LnRvLnJvb3Qvcm9vdC5jcnQwDQYJKoZIhvcNAQEFBQADggEBAMiTTyKTErcmDlbn +fkc4y+IsL1GuS1yGcurIy0zghptsdZXA5v3VqkOtFCxLgk/syWVDfhAPwM4aBfeI +6Fe1kwPQk0xvdvPZ62lev0ELBOsceM2kge1obCc/ZyhXPYo1r7rmXxTvc8gxyASh +L9r+0AglSId8YJFscF+siTuTg/5SSHALT/DwGdeYv/rmnOeeHW4pv3WXPS32XUOG +D605kXQ/9HCujxCU3VGYUbkBWjsdqj9vZXQk1OVeMwWpH3O0AdFMQXgY7vpzkLuD +e+/zmLFDlI3k0p3UajtxsBft8AMNJaenknuQiMOryALRkfeyu5qhYlJ5bJFKUKn9 +K7X9MIA= +-----END CERTIFICATE-----  | 
