-rw-r--r--docs/x509.rst16
-rw-r--r--src/cryptography/hazmat/backends/openssl/x509.py8
-rw-r--r--src/cryptography/x509.py19
-rw-r--r--tests/test_x509_ext.py13
4 files changed, 56 insertions, 0 deletions
diff --git a/docs/x509.rst b/docs/x509.rst
index eed88b09..035fa87f 100644
--- a/docs/x509.rst
+++ b/docs/x509.rst
@@ -274,6 +274,9 @@ X.509 Certificate Object
:raises cryptography.x509.UnsupportedExtension: If the certificate
contains an extension that is not supported.
+ :raises cryptography.x509.UnsupportedGeneralNameType: If an extension
+ contains a general name that is not supported.
+
.. doctest::
>>> for ext in cert.extensions:
@@ -964,7 +967,20 @@ Exceptions
Returns the OID.
+.. class:: UnsupportedGeneralNameType
+
+ This is raised when a certificate contains an unsupported general name
+ type in an extension.
+
+ .. attribute:: type
+
+ :type: int
+
+ The integer value of the unsupported type. The complete list of
+ types can be found in `RFC 5280 section 4.2.1.6`_.
+
.. _`public key infrastructure`: https://en.wikipedia.org/wiki/Public_key_infrastructure
.. _`TLS`: https://en.wikipedia.org/wiki/Transport_Layer_Security
.. _`RFC 5280 section 4.2.1.1`: https://tools.ietf.org/html/rfc5280#section-4.2.1.1
+.. _`RFC 5280 section 4.2.1.6`: https://tools.ietf.org/html/rfc5280#section-4.2.1.6
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index dcde5e73..cc4a92a6 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -63,6 +63,14 @@ def _build_general_name(backend, gn):
if gn.type == backend._lib.GEN_DNS:
data = backend._ffi.buffer(gn.d.dNSName.data, gn.d.dNSName.length)[:]
return x509.DNSName(idna.decode(data))
+ else:
+ # otherName, x400Address or ediPartyName
+ raise x509.UnsupportedGeneralNameType(
+ "{0} is not a supported type".format(
+ x509._GENERAL_NAMES.get(gn.type, gn.type)
+ ),
+ gn.type
+ )
@utils.register_interface(x509.Certificate)
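Review bot: The new `else` at the end of `_build_general_name` raises for every tag not matched by an earlier branch, and the test hunk shows that this surfaces from `cert.extensions`, so one unsupported SAN entry makes every other extension on that certificate (Basic Constraints, Key Usage, ...) unreadable through this API; that is a documented choice in the docs hunk, but callers that gate policy decisions on those extensions should know they get nothing rather than a partial result. Whether the only unmatched tags are otherName, x400Address and ediPartyName cannot be confirmed from here, because the function's earlier branches start outside the hunk. The comment should also say what happens for a tag with no entry in the table, since `x509._GENERAL_NAMES.get(gn.type, gn.type)` falls back to the raw integer: `# otherName, x400Address, ediPartyName, or any tag missing from x509._GENERAL_NAMES (reported as the raw integer)`.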
diff --git a/src/cryptography/x509.py b/src/cryptography/x509.py
index 898ab6c7..dd6ea926 100644
--- a/src/cryptography/x509.py
+++ b/src/cryptography/x509.py
@@ -70,6 +70,19 @@ _OID_NAMES = {
}
+_GENERAL_NAMES = {
+ 0: "otherName",
+ 1: "rfc822Name",
+ 2: "dNSName",
+ 3: "x400Address",
+ 4: "directoryName",
+ 5: "ediPartyName",
+ 6: "uniformResourceIdentifier",
+ 7: "iPAddress",
+ 8: "registeredID",
+}
+
+
class Version(Enum):
v1 = 0
v3 = 2
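Review bot: `_GENERAL_NAMES` carries no comment saying where its integer keys come from, and a reader of this module has no `GEN_*` constant nearby to compare against; the keys are the GeneralName CHOICE tag numbers of RFC 5280 section 4.2.1.6 (the docs hunk links the same section), which presumably is why the backend can pass `gn.type` straight in. Suggest `# GeneralName CHOICE tag numbers (RFC 5280 section 4.2.1.6); used only for error messages` above the dict, so nobody later treats the table as the authority on which types are supported.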
@@ -115,6 +128,12 @@ class ExtensionNotFound(Exception):
self.oid = oid
+class UnsupportedGeneralNameType(Exception):
+ def __init__(self, msg, type):
+ super(UnsupportedGeneralNameType, self).__init__(msg)
+ self.type = type
+
+
class NameAttribute(object):
def __init__(self, oid, value):
if not isinstance(oid, ObjectIdentifier):
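Review bot: `UnsupportedGeneralNameType.__init__` names its second parameter `type`, shadowing the builtin for the body of the method and tripping the usual linters; the public attribute has to stay `type` to match the docs hunk, but the parameter does not, and the class is new in this commit so no caller depends on the keyword. Suggest `def __init__(self, msg, type_):` with `self.type = type_`, plus a one-line docstring such as `"""Raised when an extension holds a GeneralName tag the backend cannot build; ``type`` is the raw tag number."""`. Keeping the `super(UnsupportedGeneralNameType, self)` form is fine given the file's Python 2/3 style.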
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index a7e04156..1283fca7 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -757,3 +757,16 @@ class TestRSASubjectAlternativeNameExtension(object):
dns = san.get_values_for_type(x509.DNSName)
assert dns == [u"www.cryptography.io", u"cryptography.io"]
+
+ def test_unsupported_other_name(self, backend):
+ cert = _load_cert(
+ os.path.join(
+ "x509", "custom", "san_other_name.pem"
+ ),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ with pytest.raises(x509.UnsupportedGeneralNameType) as exc:
+ cert.extensions
+
+ assert exc.value.type == 0
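Review bot: `test_unsupported_other_name` pins only `exc.value.type == 0`, so the name lookup in the raise path, `x509._GENERAL_NAMES.get(gn.type, gn.type)`, is never exercised and a wrong or missing table entry would go unnoticed; adding `assert "otherName" in str(exc.value)` after the existing assert covers it. The fallback branch of that `.get`, a tag with no table entry, also has no test, though a fixture for it may not be practical to produce. `TestRSASubjectAlternativeNameExtension` continues outside the hunk.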