From 0e94257d4396a16efe8ff3170886b80489ea94f8 Mon Sep 17 00:00:00 2001 From: Manoel Domingues Junior Date: Thu, 1 Oct 2015 14:45:48 -0300 Subject: Handling path_length when ca is True Using CertificateBuilder: builder = builder.add_extension(x509.BasicConstraints(ca=True,path_length=None), critical=True) return TypeError in line 792 because None can't be converted to hex. In https://tools.ietf.org/html/rfc5280.html#section-4.2.1.9: CAs MUST NOT include the pathLenConstraint field unless the cA boolean is asserted and the key usage extension asserts the keyCertSign bit. --- src/cryptography/hazmat/backends/openssl/backend.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index d30bfc29..715624bf 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -235,7 +235,7 @@ def _encode_basic_constraints(backend, basic_constraints): constraints, backend._lib.BASIC_CONSTRAINTS_free ) constraints.ca = 255 if basic_constraints.ca else 0 - if basic_constraints.ca: + if basic_constraints.ca and basic_constraints.path_length != None: constraints.pathlen = _encode_asn1_int( backend, basic_constraints.path_length ) -- cgit v1.2.3 From 415889a7eb0c47415236a80b3e71f5415401f579 Mon Sep 17 00:00:00 2001 From: Manoel Domingues Junior Date: Thu, 1 Oct 2015 17:55:11 -0300 Subject: Change '!=' to 'is not' --- src/cryptography/hazmat/backends/openssl/backend.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 715624bf..ac025e95 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -235,7 +235,7 @@ def _encode_basic_constraints(backend, basic_constraints): constraints, backend._lib.BASIC_CONSTRAINTS_free ) constraints.ca = 255 if basic_constraints.ca else 0 - if basic_constraints.ca and basic_constraints.path_length != None: + if basic_constraints.ca and basic_constraints.path_length is not None: constraints.pathlen = _encode_asn1_int( backend, basic_constraints.path_length ) -- cgit v1.2.3 From 6b55c4e42125dd9a01aaf83aa39b1fabfdcfa0b4 Mon Sep 17 00:00:00 2001 From: "vicente.fiebig" Date: Thu, 1 Oct 2015 18:24:58 -0300 Subject: test build ca request with path_length None --- tests/test_x509.py | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/tests/test_x509.py b/tests/test_x509.py index 220e71a5..0c022df1 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -1601,6 +1601,30 @@ class TestCertificateBuilder(object): decipher_only=False ) + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_build_ca_request_with_path_length_none(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + + request = x509.CertificateSigningRequestBuilder().subject_name( + x509.Name([ + x509.NameAttribute(NameOID.ORGANIZATION_NAME, + u'PyCA'), + ]) + ).add_extension( + x509.BasicConstraints(ca=True, path_length=None), critical=True + ).sign(private_key, hashes.SHA1(), backend) + + loaded_request = x509.load_pem_x509_csr( + request.public_bytes(encoding=serialization.Encoding.PEM), backend + ) + subject = loaded_request.subject + assert isinstance(subject, x509.Name) + basic_constraints = request.extensions.get_extension_for_oid( + ExtensionOID.BASIC_CONSTRAINTS + ) + assert basic_constraints.value.path_length is None + @pytest.mark.requires_backend_interface(interface=X509Backend) class TestCertificateSigningRequestBuilder(object): -- cgit v1.2.3