-rw-r--r-- | src/_cffi_src/openssl/cryptography.py | 7 | ||||
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/encode_asn1.py | 7 | ||||
-rw-r--r-- | tests/test_x509.py | 11 |
3 files changed, 22 insertions, 3 deletions
diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py
index aa01c833..fe5055f1 100644
--- a/src/_cffi_src/openssl/cryptography.py
+++ b/src/_cffi_src/openssl/cryptography.py
@@ -27,8 +27,12 @@ INCLUDES = """
 #define CRYPTOGRAPHY_OPENSSL_102BETA2_OR_GREATER \
 (OPENSSL_VERSION_NUMBER >= 0x10002002 && !CRYPTOGRAPHY_IS_LIBRESSL)
+#define CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER \
+ (OPENSSL_VERSION_NUMBER >= 0x100020cf && !CRYPTOGRAPHY_IS_LIBRESSL)
 #define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER \
 (OPENSSL_VERSION_NUMBER >= 0x10100000 && !CRYPTOGRAPHY_IS_LIBRESSL)
+#define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
+ (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL)
 #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 \
 (OPENSSL_VERSION_NUMBER < 0x10002000 || CRYPTOGRAPHY_IS_LIBRESSL)
@@ -47,10 +51,11 @@ INCLUDES = """
 """
 TYPES = """
+static const int CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER;
 static const int CRYPTOGRAPHY_OPENSSL_110_OR_GREATER;
+static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER;
 static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_102I;
-
 static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_102;
 static const int CRYPTOGRAPHY_IS_LIBRESSL;
diff --git a/src/cryptography/hazmat/backends/openssl/encode_asn1.py b/src/cryptography/hazmat/backends/openssl/encode_asn1.py
index 3b784861..dc1f61a0 100644
--- a/src/cryptography/hazmat/backends/openssl/encode_asn1.py
+++ b/src/cryptography/hazmat/backends/openssl/encode_asn1.py
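Review bot: `CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER` in the INCLUDES hunk is a plain `>= 0x100020cf` comparison, so it is also true on OpenSSL 1.1.0 through 1.1.0e, which the test added in this commit treats as outside the working range (it pairs the macro with `not CRYPTOGRAPHY_OPENSSL_110_OR_GREATER`). A caller that checks the macro on its own would take the wrong branch on those releases. I would add a C comment above the two new defines, e.g. `/* 102L_OR_GREATER is also true on 1.1.0-1.1.0e; pair it with !110_OR_GREATER or use 110F_OR_GREATER. */`. The same caveat applies to the matching declarations in the TYPES hunk.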
@@ -120,9 +120,12 @@ def _encode_sk_name_entry(backend, attributes):
 def _encode_name_entry(backend, attribute):
 value = attribute.value.encode('utf8')
 obj = _txt2obj_gc(backend, attribute.oid.dotted_string)
- if attribute.oid == NameOID.COUNTRY_NAME:
+ if attribute.oid in [
+ NameOID.COUNTRY_NAME, NameOID.JURISDICTION_COUNTRY_NAME
+ ]:
 # Per RFC5280 Appendix A.1 countryName should be encoded as
- # PrintableString, not UTF8String
+ # PrintableString, not UTF8String. EV Guidelines section 9.2.5 says
+ # jurisdictionCountryName follows the same rules as countryName.
 type = backend._lib.MBSTRING_ASC
 else:
 type = backend._lib.MBSTRING_UTF8
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 110d8534..84108810 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -1440,9 +1440,11 @@ class TestRSACertificateRequest(object):
 777
 ).issuer_name(x509.Name([
 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u'US'),
 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
 ])).subject_name(x509.Name([
 x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+ x509.NameAttribute(NameOID.JURISDICTION_COUNTRY_NAME, u'US'),
 x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u'Texas'),
 ])).public_key(
 subject_private_key.public_key()
@@ -1460,6 +1462,15 @@ class TestRSACertificateRequest(object):
 # Check that each value was encoded as an ASN.1 PRINTABLESTRING.
 assert parsed.subject.chosen[0][0]['value'].chosen.tag == 19
 assert parsed.issuer.chosen[0][0]['value'].chosen.tag == 19
+ if (
+ # This only works correctly in OpenSSL 1.1.0f+ and 1.0.2l+
+ backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER or (
+ backend._lib.CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER and
+ not backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER
+ )
+ ):
+ assert parsed.subject.chosen[1][0]['value'].chosen.tag == 19
+ assert parsed.issuer.chosen[1][0]['value'].chosen.tag == 19
 class TestCertificateBuilder(object): |
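Review bot: The new `JURISDICTION_COUNTRY_NAME` branch in `_encode_name_entry` requests `MBSTRING_ASC`, but the test added in this commit notes that the PrintableString result only holds on OpenSSL 1.1.0f+ and 1.0.2l+, so on older builds the function appears to emit a different string type without any signal to the caller. For EV certificates that is a conformance gap worth stating where the decision is made, e.g. `# NOTE: OpenSSL before 1.0.2l / 1.1.0f does not produce PrintableString for jurisdictionCountryName; see tests/test_x509.py.` Separately, `value` is UTF-8 bytes passed as `MBSTRING_ASC`, so a non-ASCII country value would presumably be misread rather than rejected. Whether the value is validated elsewhere is not visible, since the function body continues past the end of the hunk.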
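Review bot: On OpenSSL builds outside the gated range, the new `if (...)` block in the last tests/test_x509.py hunk asserts nothing about `chosen[1]`, so whatever encoding those builds produce for jurisdictionCountryName is left unpinned and could change unnoticed. Add an `else:` branch asserting the tag those builds are expected to emit (that value is not visible in this hunk, so confirm it before pinning), or at least a comment naming the legacy encoding. The explanatory comment would also read more naturally on the line above `if (` than inside the parenthesised condition.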