From 3b54ce272df125430907f27c61c86d27531b7f33 Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Mon, 3 Aug 2015 16:44:57 +0100
Subject: add support for AIA to CertificateBuilder and OpenSSL backend
---
.../hazmat/backends/openssl/backend.py | 8 +++-
src/cryptography/x509.py | 4 ++
tests/test_x509.py | 43 ++++++++++++++++++++++
3 files changed, 54 insertions(+), 1 deletion(-)
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 7917402f..570782a2 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -210,7 +210,9 @@ def _encode_authority_information_access(backend, authority_info_access):
)
for access_description in authority_info_access:
ad = backend._lib.ACCESS_DESCRIPTION_new()
- method = _txt2obj(backend, access_description.access_method)
+ method = _txt2obj(
+ backend, access_description.access_method.dotted_string
+ )
gn = _encode_general_name(backend, access_description.access_location)
ad.method = method
ad.location = gn
@@ -1163,6 +1165,10 @@ class Backend(object):
pp, r = _encode_basic_constraints(self, extension.value)
elif isinstance(extension.value, x509.SubjectAlternativeName):
pp, r = _encode_subject_alt_name(self, extension.value)
+ elif isinstance(extension.value, x509.AuthorityInformationAccess):
+ pp, r = _encode_authority_information_access(
+ self, extension.value
+ )
else:
raise NotImplementedError('Extension not yet supported.')
diff --git a/src/cryptography/x509.py b/src/cryptography/x509.py
index f35582b0..6e27cdb7 100644
--- a/src/cryptography/x509.py
+++ b/src/cryptography/x509.py
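Review bot: The `method` object produced by the rewritten `_txt2obj(backend, access_description.access_method.dotted_string)` call is stored into `ad.method` with no ownership handling visible in the hunk, and the same holds for `gn` going into `ad.location`. If either helper attaches a gc finalizer to the pointer it returns, freeing the populated ACCESS_DESCRIPTION later would release that member a second time, so confirm both helpers hand back pointers that `ad` may own and record it with `# ad takes ownership of method and gn; neither may carry its own gc finalizer` above `ad.method = method`. `_encode_authority_information_access` starts before this hunk and continues after it, so the push onto the stack and the eventual free are not visible here.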
@@ -1724,6 +1724,10 @@ class CertificateBuilder(object):
extension = Extension(
OID_SUBJECT_ALTERNATIVE_NAME, critical, extension
)
+ elif isinstance(extension, AuthorityInformationAccess):
+ extension = Extension(
+ OID_AUTHORITY_INFORMATION_ACCESS, critical, extension
+ )
elif isinstance(extension, InhibitAnyPolicy):
extension = Extension(OID_INHIBIT_ANY_POLICY, critical, extension)
else:
diff --git a/tests/test_x509.py b/tests/test_x509.py
index ba35f64d..0c63670d 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
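Review bot: The new `AuthorityInformationAccess` branch passes the caller's `critical` straight into `Extension(OID_AUTHORITY_INFORMATION_ACCESS, critical, extension)`, so the builder will happily emit an AIA extension marked critical, which RFC 5280 section 4.2.2.1 says conforming CAs must not do. Either reject that up front with `if critical: raise ValueError("AuthorityInformationAccess must be non-critical")`, or, if criticality is deliberately left to the caller as for the neighbouring branches, note it on the branch with `# RFC 5280 4.2.2.1 expects AIA to be non-critical; not enforced here`. The enclosing `add_extension` begins before this hunk and the body of the trailing `else:` lies outside it.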
@@ -1563,6 +1563,49 @@ class TestCertificateSigningRequestBuilder(object):
assert str(exc.value) == "Digest too big for RSA key"
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_build_cert_with_aia(self, backend):
+ issuer_private_key = RSA_KEY_2048.private_key(backend)
+ subject_private_key = RSA_KEY_2048.private_key(backend)
+
+ not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
+ not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
+
+ aia = x509.AuthorityInformationAccess([
+ x509.AccessDescription(
+ x509.OID_OCSP,
+ x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
+ ),
+ x509.AccessDescription(
+ x509.OID_CA_ISSUERS,
+ x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
+ )
+ ])
+
+ builder = x509.CertificateBuilder().serial_number(
+ 777
+ ).issuer_name(x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ ])).subject_name(x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ ])).public_key(
+ subject_private_key.public_key()
+ ).add_extension(
+ aia, critical=False
+ ).not_valid_before(
+ not_valid_before
+ ).not_valid_after(
+ not_valid_after
+ )
+
+ cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
+
+ ext = cert.extensions.get_extension_for_oid(
+ x509.OID_AUTHORITY_INFORMATION_ACCESS
+ )
+ assert ext.value == aia
+ @pytest.mark.requires_backend_interface(interface=DSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
--
cgit v1.2.3
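Review bot: `test_build_cert_with_aia` only checks `ext.value == aia` after the round trip, so a regression that flips the criticality flag during encoding would go unnoticed even though the test adds the extension with `critical=False`; add `assert ext.critical is False` directly after that assertion. The two access descriptions, their OIDs and URIs are already covered by the value equality, so nothing further is needed for the payload itself. The test class continues beyond the end of this hunk.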