From 9089c91294497aaff3e5204b73365ba687c6ab7e Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 20 Apr 2015 22:15:20 -0500 Subject: handle otherName, x400Address, and ediPartyName in OpenSSL backend --- docs/x509.rst | 5 +++++ src/cryptography/hazmat/backends/openssl/x509.py | 7 +++++++ src/cryptography/x509.py | 17 +++++++++++++++++ tests/test_x509_ext.py | 11 +++++++++++ 4 files changed, 40 insertions(+) diff --git a/docs/x509.rst b/docs/x509.rst index eed88b09..0ce90168 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -964,6 +964,11 @@ Exceptions Returns the OID. +.. class:: UnsupportedGeneralNameType + + This is raised when a certificate contains an unsupported general name + type in an extension. + .. _`public key infrastructure`: https://en.wikipedia.org/wiki/Public_key_infrastructure .. _`TLS`: https://en.wikipedia.org/wiki/Transport_Layer_Security diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py index dcde5e73..affb79da 100644 --- a/src/cryptography/hazmat/backends/openssl/x509.py +++ b/src/cryptography/hazmat/backends/openssl/x509.py @@ -63,6 +63,13 @@ def _build_general_name(backend, gn): if gn.type == backend._lib.GEN_DNS: data = backend._ffi.buffer(gn.d.dNSName.data, gn.d.dNSName.length)[:] return x509.DNSName(idna.decode(data)) + else: + # otherName, x400Address or ediPartyName + raise x509.UnsupportedGeneralNameType( + "{0} is not a supported type".format( + x509._GENERAL_NAMES.get(gn.type, gn.type) + ) + ) @utils.register_interface(x509.Certificate) diff --git a/src/cryptography/x509.py b/src/cryptography/x509.py index 898ab6c7..3dc066fa 100644 --- a/src/cryptography/x509.py +++ b/src/cryptography/x509.py @@ -70,6 +70,19 @@ _OID_NAMES = { } +_GENERAL_NAMES = { + 0: "otherName", + 1: "rfc822Name", + 2: "dNSName", + 3: "x400Address", + 4: "directoryName", + 5: "ediPartyName", + 6: "uniformResourceIdentifier", + 7: "iPAddress", + 8: "registeredID", +} + + class Version(Enum): v1 = 0 v3 = 2 @@ -115,6 +128,10 @@ class ExtensionNotFound(Exception): self.oid = oid +class UnsupportedGeneralNameType(Exception): + pass + + class NameAttribute(object): def __init__(self, oid, value): if not isinstance(oid, ObjectIdentifier): diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index a7e04156..5f175c4d 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -757,3 +757,14 @@ class TestRSASubjectAlternativeNameExtension(object): dns = san.get_values_for_type(x509.DNSName) assert dns == [u"www.cryptography.io", u"cryptography.io"] + + def test_unsupported_other_name(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "san_other_name.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + with pytest.raises(x509.UnsupportedGeneralNameType): + cert.extensions -- cgit v1.2.3 From bed07357a90237ee92cedba788066f87a63e34b6 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 21 Apr 2015 08:31:10 -0500 Subject: update exception to contain detail --- docs/x509.rst | 7 +++++++ src/cryptography/hazmat/backends/openssl/x509.py | 3 ++- src/cryptography/x509.py | 4 +++- tests/test_x509_ext.py | 4 +++- 4 files changed, 15 insertions(+), 3 deletions(-) diff --git a/docs/x509.rst b/docs/x509.rst index 0ce90168..2e4a0efb 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -274,6 +274,9 @@ X.509 Certificate Object :raises cryptography.x509.UnsupportedExtension: If the certificate contains an extension that is not supported. + :raises cryptography.x509.UnsupportedGeneralNameType: If an extension + contains a general name that is not supported. + .. doctest:: >>> for ext in cert.extensions: @@ -969,6 +972,10 @@ Exceptions This is raised when a certificate contains an unsupported general name type in an extension. + .. attribute:: type + + :type: :term:`text` or int + .. _`public key infrastructure`: https://en.wikipedia.org/wiki/Public_key_infrastructure .. _`TLS`: https://en.wikipedia.org/wiki/Transport_Layer_Security diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py index affb79da..07e79fed 100644 --- a/src/cryptography/hazmat/backends/openssl/x509.py +++ b/src/cryptography/hazmat/backends/openssl/x509.py @@ -68,7 +68,8 @@ def _build_general_name(backend, gn): raise x509.UnsupportedGeneralNameType( "{0} is not a supported type".format( x509._GENERAL_NAMES.get(gn.type, gn.type) - ) + ), + x509._GENERAL_NAMES.get(gn.type, gn.type) ) diff --git a/src/cryptography/x509.py b/src/cryptography/x509.py index 3dc066fa..dd6ea926 100644 --- a/src/cryptography/x509.py +++ b/src/cryptography/x509.py @@ -129,7 +129,9 @@ class ExtensionNotFound(Exception): class UnsupportedGeneralNameType(Exception): - pass + def __init__(self, msg, type): + super(UnsupportedGeneralNameType, self).__init__(msg) + self.type = type class NameAttribute(object): diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index 5f175c4d..c17beba5 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -766,5 +766,7 @@ class TestRSASubjectAlternativeNameExtension(object): x509.load_pem_x509_certificate, backend ) - with pytest.raises(x509.UnsupportedGeneralNameType): + with pytest.raises(x509.UnsupportedGeneralNameType) as exc: cert.extensions + + assert exc.value.type == "otherName" -- cgit v1.2.3 From 0a621bf5da576d7aab394e5bdc342e2e8b1cbaa2 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 22 Apr 2015 09:22:56 -0500 Subject: return only an int for unsupported general name type, update docs --- docs/x509.rst | 6 +++++- src/cryptography/hazmat/backends/openssl/x509.py | 2 +- tests/test_x509_ext.py | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/docs/x509.rst b/docs/x509.rst index 2e4a0efb..035fa87f 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -974,9 +974,13 @@ Exceptions .. attribute:: type - :type: :term:`text` or int + :type: int + + The integer value of the unsupported type. The complete list of + types can be found in `RFC 5280 section 4.2.1.6`_. .. _`public key infrastructure`: https://en.wikipedia.org/wiki/Public_key_infrastructure .. _`TLS`: https://en.wikipedia.org/wiki/Transport_Layer_Security .. _`RFC 5280 section 4.2.1.1`: https://tools.ietf.org/html/rfc5280#section-4.2.1.1 +.. _`RFC 5280 section 4.2.1.6`: https://tools.ietf.org/html/rfc5280#section-4.2.1.6 diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py index 07e79fed..cc4a92a6 100644 --- a/src/cryptography/hazmat/backends/openssl/x509.py +++ b/src/cryptography/hazmat/backends/openssl/x509.py @@ -69,7 +69,7 @@ def _build_general_name(backend, gn): "{0} is not a supported type".format( x509._GENERAL_NAMES.get(gn.type, gn.type) ), - x509._GENERAL_NAMES.get(gn.type, gn.type) + gn.type ) diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index c17beba5..1283fca7 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -769,4 +769,4 @@ class TestRSASubjectAlternativeNameExtension(object): with pytest.raises(x509.UnsupportedGeneralNameType) as exc: cert.extensions - assert exc.value.type == "otherName" + assert exc.value.type == 0 -- cgit v1.2.3