From 5d187402775bcb7bc8b0da1d972d36bf9ad9dbff Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Mon, 16 Jul 2018 20:49:51 +0530
Subject: add crl.get_revoked_certificate method (#4331)

* add crl.get_revoked_certificate method

* lexicographic is the best ographic

* rename
---
 src/_cffi_src/openssl/x509.py                    |  2 ++
 src/cryptography/hazmat/backends/openssl/x509.py | 19 +++++++++++++++++++
 src/cryptography/x509/base.py                    |  7 +++++++
 3 files changed, 28 insertions(+)

(limited to 'src')

diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py
index 97ade5bc..59fdbf7e 100644
--- a/src/_cffi_src/openssl/x509.py
+++ b/src/_cffi_src/openssl/x509.py
@@ -238,6 +238,8 @@ X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *, int);
 X509_EXTENSION *X509_CRL_get_ext(X509_CRL *, int);
 int X509_CRL_get_ext_count(X509_CRL *);
 
+int X509_CRL_get0_by_serial(X509_CRL *, X509_REVOKED **, ASN1_INTEGER *);
+
 /* these CRYPTO_EX_DATA functions became macros in 1.1.0 */
 int X509_get_ex_new_index(long, void *, CRYPTO_EX_new *, CRYPTO_EX_dup *,
                           CRYPTO_EX_free *);
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 9637fc0e..b870eeb7 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -16,6 +16,9 @@ from cryptography.hazmat.backends.openssl.decode_asn1 import (
     _REVOKED_CERTIFICATE_EXTENSION_PARSER, _asn1_integer_to_int,
     _asn1_string_to_bytes, _decode_x509_name, _obj2txt, _parse_asn1_time
 )
+from cryptography.hazmat.backends.openssl.encode_asn1 import (
+    _encode_asn1_int_gc
+)
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
 
@@ -235,6 +238,22 @@ class _CertificateRevocationList(object):
         h.update(der)
         return h.finalize()
 
+    def get_revoked_certificate_by_serial_number(self, serial_number):
+        revoked = self._backend._ffi.new("X509_REVOKED **")
+        asn1_int = _encode_asn1_int_gc(self._backend, serial_number)
+        res = self._backend._lib.X509_CRL_get0_by_serial(
+            self._x509_crl, revoked, asn1_int
+        )
+        if res == 0:
+            return None
+        else:
+            self._backend.openssl_assert(
+                revoked[0] != self._backend._ffi.NULL
+            )
+            return _RevokedCertificate(
+                self._backend, self._x509_crl, revoked[0]
+            )
+
     @property
     def signature_hash_algorithm(self):
         oid = self.signature_algorithm_oid
diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py
index 45b603f0..b14499c9 100644
--- a/src/cryptography/x509/base.py
+++ b/src/cryptography/x509/base.py
@@ -189,6 +189,13 @@ class CertificateRevocationList(object):
         Returns bytes using digest passed.
         """
 
+    @abc.abstractmethod
+    def get_revoked_certificate_by_serial_number(self, serial_number):
+        """
+        Returns an instance of RevokedCertificate or None if the serial_number
+        is not in the CRL.
+        """
+
     @abc.abstractproperty
     def signature_hash_algorithm(self):
         """
-- 
cgit v1.2.3