From 978a5e96473c2ce877151fa4e24917bac92ddaa8 Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Thu, 25 May 2017 21:11:09 -0400
Subject: jurisdictionCountryName also must be PrintableString (#3516)

* jurisdictionCountryName also must be PrintableString
* flake8 + citation
* Write a test, which fails. If my analysis is correct, this is blocked on: https://github.com/openssl/openssl/pull/3284
* This is only true on 1.1.0
* clearly express the version requirement
---
 src/_cffi_src/openssl/cryptography.py | 7 ++++++-
 src/cryptography/hazmat/backends/openssl/encode_asn1.py | 7 +++++--
 tests/test_x509.py | 11 +++++++++++
 3 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py
index aa01c833..fe5055f1 100644
--- a/src/_cffi_src/openssl/cryptography.py
+++ b/src/_cffi_src/openssl/cryptography.py
@@ -27,8 +27,12 @@ INCLUDES = """
 
 #define CRYPTOGRAPHY_OPENSSL_102BETA2_OR_GREATER \
     (OPENSSL_VERSION_NUMBER >= 0x10002002 && !CRYPTOGRAPHY_IS_LIBRESSL)
+#define CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER \
+    (OPENSSL_VERSION_NUMBER >= 0x100020cf && !CRYPTOGRAPHY_IS_LIBRESSL)
 #define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER \
     (OPENSSL_VERSION_NUMBER >= 0x10100000 && !CRYPTOGRAPHY_IS_LIBRESSL)
+#define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
+    (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL)
 #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 \
     (OPENSSL_VERSION_NUMBER < 0x10002000 || CRYPTOGRAPHY_IS_LIBRESSL)
@@ -47,10 +51,11 @@ INCLUDES = """
 """
 TYPES = """
+static const int CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER;
 static const int CRYPTOGRAPHY_OPENSSL_110_OR_GREATER;
+static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER;
 static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_102I;
-
 static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_102;
 static const int CRYPTOGRAPHY_IS_LIBRESSL;
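Review bot: The two new thresholds in the first hunk, `0x100020cf` and `0x1010006f`, are bare magic numbers: nothing next to them says which OpenSSL behaviour changed at 1.0.2l and 1.1.0f, so the next reader has to decode the OPENSSL_VERSION_NUMBER layout and then dig through history to learn why these releases matter. The commit message carries the rationale (the jurisdictionCountryName PrintableString handling, tied to https://github.com/openssl/openssl/pull/3284), and it should live in the header string too, e.g. a comment above the pair: `/* 1.0.2l and 1.1.0f: releases from which jurisdictionCountryName is expected to encode as PrintableString; see tests/test_x509.py and https://github.com/openssl/openssl/pull/3284 */`. Like the sibling macros, these are evaluated against the headers at binding build time and are forced to 0 on LibreSSL, which is worth one clause in the same comment so that callers do not read them as a runtime capability probe.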
diff --git a/src/cryptography/hazmat/backends/openssl/encode_asn1.py b/src/cryptography/hazmat/backends/openssl/encode_asn1.py
index 3b784861..dc1f61a0 100644
--- a/src/cryptography/hazmat/backends/openssl/encode_asn1.py
+++ b/src/cryptography/hazmat/backends/openssl/encode_asn1.py
@@ -120,9 +120,12 @@ def _encode_sk_name_entry(backend, attributes):
 def _encode_name_entry(backend, attribute):
     value = attribute.value.encode('utf8')
     obj = _txt2obj_gc(backend, attribute.oid.dotted_string)
-    if attribute.oid == NameOID.COUNTRY_NAME:
+    if attribute.oid in [
+        NameOID.COUNTRY_NAME, NameOID.JURISDICTION_COUNTRY_NAME
+    ]:
         # Per RFC5280 Appendix A.1 countryName should be encoded as
-        # PrintableString, not UTF8String
+        # PrintableString, not UTF8String. EV Guidelines section 9.2.5 says
+        # jurisdictionCountryName follows the same rules as countryName.
         type = backend._lib.MBSTRING_ASC
     else:
         type = backend._lib.MBSTRING_UTF8
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 110d8534..84108810 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -1440,9 +1440,11 @@ class TestRSACertificateRequest(object):
             777
         ).issuer_name(x509.Name([
             x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+            x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u'US'),
             x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
         ])).subject_name(x509.Name([
             x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+            x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u'US'),
             x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
         ])).public_key(
             subject_private_key.public_key()
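Review bot: The extended comment in `_encode_name_entry` reads as though passing MBSTRING_ASC is enough to get jurisdictionCountryName out as PrintableString, but the test this commit adds in tests/test_x509.py only asserts that tag on OpenSSL 1.0.2l+/1.1.0f+ and the commit message says the test failed before those releases, so on older libraries the hint evidently does not yield that encoding and the comment overstates what this function guarantees. Add the caveat where the decision is made, e.g. `# OpenSSL honours this for jurisdictionCountryName only from 1.0.2l / 1.1.0f on; older releases use their own default for that OID (see tests/test_x509.py).`, so a reader who sees a UTF8String from an old OpenSSL knows it is a library limitation and not a bug here. As a point of style, a constant membership test is conventionally written against a tuple, `if attribute.oid in (NameOID.COUNTRY_NAME, NameOID.JURISDICTION_COUNTRY_NAME):`, rather than a list literal rebuilt on every call. The rest of `_encode_name_entry` continues below the hunk.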
@@ -1460,6 +1462,15 @@ class TestRSACertificateRequest(object):
         # Check that each value was encoded as an ASN.1 PRINTABLESTRING.
         assert parsed.subject.chosen[0][0]['value'].chosen.tag == 19
         assert parsed.issuer.chosen[0][0]['value'].chosen.tag == 19
+        if (
+            # This only works correctly in OpenSSL 1.1.0f+ and 1.0.2l+
+            backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER or (
+                backend._lib.CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER and
+                not backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER
+            )
+        ):
+            assert parsed.subject.chosen[1][0]['value'].chosen.tag == 19
+            assert parsed.issuer.chosen[1][0]['value'].chosen.tag == 19
 
 
 class TestCertificateBuilder(object):
-- 
cgit v1.2.3
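Review bot: The version gate around the two new assertions makes the test pass silently on every OpenSSL older than 1.0.2l/1.1.0f and on all LibreSSL builds (the CRYPTOGRAPHY_OPENSSL_* macros are defined to exclude it), so on those configurations the jurisdictionCountryName path is not checked at all and nobody is told; the comment also sits inside the `if (` parentheses, which is an unusual place for it. I would hoist the condition into a named boolean with the comment above it, and add an `else` branch asserting the tag is not 19, which matches the commit's own finding that the test failed on older releases and would also expose a mis-set gate. One caveat to note in that comment: the flags are evaluated against OPENSSL_VERSION_NUMBER when the bindings are compiled, so if the runtime shared library differs from the build headers the gate may not describe the library actually under test. The enclosing test method starts above this hunk.
```python
        # … unchanged: countryName tag assertions …
        # OpenSSL encodes jurisdictionCountryName as PrintableString only from
        # 1.0.2l (on the 1.0.2 branch) and 1.1.0f onwards; the flags reflect
        # the headers the bindings were built against.
        jurisdiction_printable = (
            backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER or (
                backend._lib.CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER and
                not backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER
            )
        )
        if jurisdiction_printable:
            assert parsed.subject.chosen[1][0]['value'].chosen.tag == 19
            assert parsed.issuer.chosen[1][0]['value'].chosen.tag == 19
        else:
            # Older releases: keep the gap visible instead of passing silently.
            assert parsed.subject.chosen[1][0]['value'].chosen.tag != 19
            assert parsed.issuer.chosen[1][0]['value'].chosen.tag != 19
```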