aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/_cffi_src/openssl/x509.py16
-rw-r--r--src/cryptography/hazmat/backends/openssl/backend.py71
-rw-r--r--src/cryptography/hazmat/backends/openssl/dsa.py27
-rw-r--r--src/cryptography/hazmat/backends/openssl/ec.py30
-rw-r--r--src/cryptography/hazmat/backends/openssl/rsa.py23
-rw-r--r--src/cryptography/hazmat/backends/openssl/x509.py17
6 files changed, 99 insertions, 85 deletions
diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py
index 534f5b08..6bd117b0 100644
--- a/src/_cffi_src/openssl/x509.py
+++ b/src/_cffi_src/openssl/x509.py
@@ -182,19 +182,21 @@ X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *, int);
int X509_REVOKED_add_ext(X509_REVOKED *, X509_EXTENSION*, int);
int X509_REVOKED_add1_ext_i2d(X509_REVOKED *, int, void *, int, unsigned long);
-X509_CRL *d2i_X509_CRL_bio(BIO *, X509_CRL **);
X509_CRL *X509_CRL_new(void);
-void X509_CRL_free(X509_CRL *);
+X509_CRL *d2i_X509_CRL_bio(BIO *, X509_CRL **);
+X509_EXTENSION *X509_CRL_get_ext(X509_CRL *, int);
int X509_CRL_add0_revoked(X509_CRL *, X509_REVOKED *);
-int i2d_X509_CRL_bio(BIO *, X509_CRL *);
+int X509_CRL_add_ext(X509_CRL *, X509_EXTENSION *, int);
+int X509_CRL_cmp(const X509_CRL *, const X509_CRL *);
+int X509_CRL_get_ext_count(X509_CRL *);
int X509_CRL_print(BIO *, X509_CRL *);
int X509_CRL_set_issuer_name(X509_CRL *, X509_NAME *);
+int X509_CRL_set_version(X509_CRL *, long);
int X509_CRL_sign(X509_CRL *, EVP_PKEY *, const EVP_MD *);
+int X509_CRL_sort(X509_CRL *);
int X509_CRL_verify(X509_CRL *, EVP_PKEY *);
-int X509_CRL_get_ext_count(X509_CRL *);
-X509_EXTENSION *X509_CRL_get_ext(X509_CRL *, int);
-int X509_CRL_add_ext(X509_CRL *, X509_EXTENSION *, int);
-int X509_CRL_cmp(const X509_CRL *, const X509_CRL *);
+int i2d_X509_CRL_bio(BIO *, X509_CRL *);
+void X509_CRL_free(X509_CRL *);
int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *, EVP_PKEY *);
int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *, EVP_PKEY *, const EVP_MD *);
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 665771a8..2fe88327 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -388,8 +388,9 @@ class Backend(object):
rsa_cdata, key_size, bn, self._ffi.NULL
)
assert res == 1
+ evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata)
- return _RSAPrivateKey(self, rsa_cdata)
+ return _RSAPrivateKey(self, rsa_cdata, evp_pkey)
def generate_rsa_parameters_supported(self, public_exponent, key_size):
return (public_exponent >= 3 and public_exponent & 1 != 0 and
@@ -419,8 +420,9 @@ class Backend(object):
rsa_cdata.n = self._int_to_bn(numbers.public_numbers.n)
res = self._lib.RSA_blinding_on(rsa_cdata, self._ffi.NULL)
assert res == 1
+ evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata)
- return _RSAPrivateKey(self, rsa_cdata)
+ return _RSAPrivateKey(self, rsa_cdata, evp_pkey)
def load_rsa_public_numbers(self, numbers):
rsa._check_public_key_components(numbers.e, numbers.n)
@@ -431,8 +433,17 @@ class Backend(object):
rsa_cdata.n = self._int_to_bn(numbers.n)
res = self._lib.RSA_blinding_on(rsa_cdata, self._ffi.NULL)
assert res == 1
+ evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata)
- return _RSAPublicKey(self, rsa_cdata)
+ return _RSAPublicKey(self, rsa_cdata, evp_pkey)
+
+ def _rsa_cdata_to_evp_pkey(self, rsa_cdata):
+ evp_pkey = self._lib.EVP_PKEY_new()
+ assert evp_pkey != self._ffi.NULL
+ evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free)
+ res = self._lib.EVP_PKEY_set1_RSA(evp_pkey, rsa_cdata)
+ assert res == 1
+ return evp_pkey
def _bytes_to_bio(self, data):
"""
@@ -483,18 +494,18 @@ class Backend(object):
rsa_cdata = self._lib.EVP_PKEY_get1_RSA(evp_pkey)
assert rsa_cdata != self._ffi.NULL
rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free)
- return _RSAPrivateKey(self, rsa_cdata)
+ return _RSAPrivateKey(self, rsa_cdata, evp_pkey)
elif key_type == self._lib.EVP_PKEY_DSA:
dsa_cdata = self._lib.EVP_PKEY_get1_DSA(evp_pkey)
assert dsa_cdata != self._ffi.NULL
dsa_cdata = self._ffi.gc(dsa_cdata, self._lib.DSA_free)
- return _DSAPrivateKey(self, dsa_cdata)
+ return _DSAPrivateKey(self, dsa_cdata, evp_pkey)
elif (self._lib.Cryptography_HAS_EC == 1 and
key_type == self._lib.EVP_PKEY_EC):
ec_cdata = self._lib.EVP_PKEY_get1_EC_KEY(evp_pkey)
assert ec_cdata != self._ffi.NULL
ec_cdata = self._ffi.gc(ec_cdata, self._lib.EC_KEY_free)
- return _EllipticCurvePrivateKey(self, ec_cdata)
+ return _EllipticCurvePrivateKey(self, ec_cdata, evp_pkey)
else:
raise UnsupportedAlgorithm("Unsupported key type.")
@@ -510,18 +521,18 @@ class Backend(object):
rsa_cdata = self._lib.EVP_PKEY_get1_RSA(evp_pkey)
assert rsa_cdata != self._ffi.NULL
rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free)
- return _RSAPublicKey(self, rsa_cdata)
+ return _RSAPublicKey(self, rsa_cdata, evp_pkey)
elif key_type == self._lib.EVP_PKEY_DSA:
dsa_cdata = self._lib.EVP_PKEY_get1_DSA(evp_pkey)
assert dsa_cdata != self._ffi.NULL
dsa_cdata = self._ffi.gc(dsa_cdata, self._lib.DSA_free)
- return _DSAPublicKey(self, dsa_cdata)
+ return _DSAPublicKey(self, dsa_cdata, evp_pkey)
elif (self._lib.Cryptography_HAS_EC == 1 and
key_type == self._lib.EVP_PKEY_EC):
ec_cdata = self._lib.EVP_PKEY_get1_EC_KEY(evp_pkey)
assert ec_cdata != self._ffi.NULL
ec_cdata = self._ffi.gc(ec_cdata, self._lib.EC_KEY_free)
- return _EllipticCurvePublicKey(self, ec_cdata)
+ return _EllipticCurvePublicKey(self, ec_cdata, evp_pkey)
else:
raise UnsupportedAlgorithm("Unsupported key type.")
@@ -615,8 +626,9 @@ class Backend(object):
ctx.g = self._lib.BN_dup(parameters._dsa_cdata.g)
self._lib.DSA_generate_key(ctx)
+ evp_pkey = self._dsa_cdata_to_evp_pkey(ctx)
- return _DSAPrivateKey(self, ctx)
+ return _DSAPrivateKey(self, ctx, evp_pkey)
def generate_dsa_private_key_and_parameters(self, key_size):
parameters = self.generate_dsa_parameters(key_size)
@@ -636,7 +648,9 @@ class Backend(object):
dsa_cdata.pub_key = self._int_to_bn(numbers.public_numbers.y)
dsa_cdata.priv_key = self._int_to_bn(numbers.x)
- return _DSAPrivateKey(self, dsa_cdata)
+ evp_pkey = self._dsa_cdata_to_evp_pkey(dsa_cdata)
+
+ return _DSAPrivateKey(self, dsa_cdata, evp_pkey)
def load_dsa_public_numbers(self, numbers):
dsa._check_dsa_parameters(numbers.parameter_numbers)
@@ -649,7 +663,9 @@ class Backend(object):
dsa_cdata.g = self._int_to_bn(numbers.parameter_numbers.g)
dsa_cdata.pub_key = self._int_to_bn(numbers.y)
- return _DSAPublicKey(self, dsa_cdata)
+ evp_pkey = self._dsa_cdata_to_evp_pkey(dsa_cdata)
+
+ return _DSAPublicKey(self, dsa_cdata, evp_pkey)
def load_dsa_parameter_numbers(self, numbers):
dsa._check_dsa_parameters(numbers)
@@ -663,6 +679,14 @@ class Backend(object):
return _DSAParameters(self, dsa_cdata)
+ def _dsa_cdata_to_evp_pkey(self, dsa_cdata):
+ evp_pkey = self._lib.EVP_PKEY_new()
+ assert evp_pkey != self._ffi.NULL
+ evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free)
+ res = self._lib.EVP_PKEY_set1_DSA(evp_pkey, dsa_cdata)
+ assert res == 1
+ return evp_pkey
+
def dsa_hash_supported(self, algorithm):
if self._lib.OPENSSL_VERSION_NUMBER < 0x1000000f:
return isinstance(algorithm, hashes.SHA1)
@@ -714,7 +738,8 @@ class Backend(object):
)
if rsa_cdata != self._ffi.NULL:
rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free)
- return _RSAPublicKey(self, rsa_cdata)
+ evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata)
+ return _RSAPublicKey(self, rsa_cdata, evp_pkey)
else:
self._handle_key_loading_error()
@@ -796,7 +821,8 @@ class Backend(object):
)
if rsa_cdata != self._ffi.NULL:
rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free)
- return _RSAPublicKey(self, rsa_cdata)
+ evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata)
+ return _RSAPublicKey(self, rsa_cdata, evp_pkey)
else:
self._handle_key_loading_error()
@@ -1000,7 +1026,9 @@ class Backend(object):
res = self._lib.EC_KEY_check_key(ec_cdata)
assert res == 1
- return _EllipticCurvePrivateKey(self, ec_cdata)
+ evp_pkey = self._ec_cdata_to_evp_pkey(ec_cdata)
+
+ return _EllipticCurvePrivateKey(self, ec_cdata, evp_pkey)
else:
raise UnsupportedAlgorithm(
"Backend object does not support {0}.".format(curve.name),
@@ -1022,8 +1050,9 @@ class Backend(object):
res = self._lib.EC_KEY_set_private_key(
ec_cdata, self._int_to_bn(numbers.private_value))
assert res == 1
+ evp_pkey = self._ec_cdata_to_evp_pkey(ec_cdata)
- return _EllipticCurvePrivateKey(self, ec_cdata)
+ return _EllipticCurvePrivateKey(self, ec_cdata, evp_pkey)
def load_elliptic_curve_public_numbers(self, numbers):
curve_nid = self._elliptic_curve_to_nid(numbers.curve)
@@ -1034,8 +1063,16 @@ class Backend(object):
ec_cdata = self._ec_key_set_public_key_affine_coordinates(
ec_cdata, numbers.x, numbers.y)
+ evp_pkey = self._ec_cdata_to_evp_pkey(ec_cdata)
- return _EllipticCurvePublicKey(self, ec_cdata)
+ return _EllipticCurvePublicKey(self, ec_cdata, evp_pkey)
+
+ def _ec_cdata_to_evp_pkey(self, ec_cdata):
+ evp_pkey = self._lib.EVP_PKEY_new()
+ assert evp_pkey != self._ffi.NULL
+ evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free)
+ res = self._lib.EVP_PKEY_set1_EC_KEY(evp_pkey, ec_cdata)
+ assert res == 1
def _elliptic_curve_to_nid(self, curve):
"""
diff --git a/src/cryptography/hazmat/backends/openssl/dsa.py b/src/cryptography/hazmat/backends/openssl/dsa.py
index 254d29ed..f84857ff 100644
--- a/src/cryptography/hazmat/backends/openssl/dsa.py
+++ b/src/cryptography/hazmat/backends/openssl/dsa.py
@@ -107,9 +107,10 @@ class _DSAParameters(object):
@utils.register_interface(dsa.DSAPrivateKeyWithSerialization)
class _DSAPrivateKey(object):
- def __init__(self, backend, dsa_cdata):
+ def __init__(self, backend, dsa_cdata, evp_pkey):
self._backend = backend
self._dsa_cdata = dsa_cdata
+ self._evp_pkey = evp_pkey
self._key_size = self._backend._lib.BN_num_bits(self._dsa_cdata.p)
key_size = utils.read_only_property("_key_size")
@@ -140,7 +141,8 @@ class _DSAPrivateKey(object):
dsa_cdata.q = self._backend._lib.BN_dup(self._dsa_cdata.q)
dsa_cdata.g = self._backend._lib.BN_dup(self._dsa_cdata.g)
dsa_cdata.pub_key = self._backend._lib.BN_dup(self._dsa_cdata.pub_key)
- return _DSAPublicKey(self._backend, dsa_cdata)
+ evp_pkey = self._backend._dsa_cdata_to_evp_pkey(dsa_cdata)
+ return _DSAPublicKey(self._backend, dsa_cdata, evp_pkey)
def parameters(self):
dsa_cdata = self._backend._lib.DSA_new()
@@ -154,27 +156,21 @@ class _DSAPrivateKey(object):
return _DSAParameters(self._backend, dsa_cdata)
def private_bytes(self, encoding, format, encryption_algorithm):
- evp_pkey = self._backend._lib.EVP_PKEY_new()
- assert evp_pkey != self._backend._ffi.NULL
- evp_pkey = self._backend._ffi.gc(
- evp_pkey, self._backend._lib.EVP_PKEY_free
- )
- res = self._backend._lib.EVP_PKEY_set1_DSA(evp_pkey, self._dsa_cdata)
- assert res == 1
return self._backend._private_key_bytes(
encoding,
format,
encryption_algorithm,
- evp_pkey,
+ self._evp_pkey,
self._dsa_cdata
)
@utils.register_interface(dsa.DSAPublicKeyWithSerialization)
class _DSAPublicKey(object):
- def __init__(self, backend, dsa_cdata):
+ def __init__(self, backend, dsa_cdata, evp_pkey):
self._backend = backend
self._dsa_cdata = dsa_cdata
+ self._evp_pkey = evp_pkey
self._key_size = self._backend._lib.BN_num_bits(self._dsa_cdata.p)
key_size = utils.read_only_property("_key_size")
@@ -211,16 +207,9 @@ class _DSAPublicKey(object):
"DSA public keys do not support PKCS1 serialization"
)
- evp_pkey = self._backend._lib.EVP_PKEY_new()
- assert evp_pkey != self._backend._ffi.NULL
- evp_pkey = self._backend._ffi.gc(
- evp_pkey, self._backend._lib.EVP_PKEY_free
- )
- res = self._backend._lib.EVP_PKEY_set1_DSA(evp_pkey, self._dsa_cdata)
- assert res == 1
return self._backend._public_key_bytes(
encoding,
format,
- evp_pkey,
+ self._evp_pkey,
None
)
diff --git a/src/cryptography/hazmat/backends/openssl/ec.py b/src/cryptography/hazmat/backends/openssl/ec.py
index c2af2be9..7d3afb94 100644
--- a/src/cryptography/hazmat/backends/openssl/ec.py
+++ b/src/cryptography/hazmat/backends/openssl/ec.py
@@ -150,10 +150,11 @@ class _ECDSAVerificationContext(object):
@utils.register_interface(ec.EllipticCurvePrivateKeyWithSerialization)
class _EllipticCurvePrivateKey(object):
- def __init__(self, backend, ec_key_cdata):
+ def __init__(self, backend, ec_key_cdata, evp_pkey):
self._backend = backend
_mark_asn1_named_ec_curve(backend, ec_key_cdata)
self._ec_key = ec_key_cdata
+ self._evp_pkey = evp_pkey
sn = _ec_key_curve_sn(backend, ec_key_cdata)
self._curve = _sn_to_elliptic_curve(backend, sn)
@@ -188,9 +189,9 @@ class _EllipticCurvePrivateKey(object):
res = self._backend._lib.EC_KEY_set_public_key(public_ec_key, point)
assert res == 1
- return _EllipticCurvePublicKey(
- self._backend, public_ec_key
- )
+ evp_pkey = self._backend._ec_cdata_to_evp_pkey(public_ec_key)
+
+ return _EllipticCurvePublicKey(self._backend, public_ec_key, evp_pkey)
def private_numbers(self):
bn = self._backend._lib.EC_KEY_get0_private_key(self._ec_key)
@@ -201,28 +202,22 @@ class _EllipticCurvePrivateKey(object):
)
def private_bytes(self, encoding, format, encryption_algorithm):
- evp_pkey = self._backend._lib.EVP_PKEY_new()
- assert evp_pkey != self._backend._ffi.NULL
- evp_pkey = self._backend._ffi.gc(
- evp_pkey, self._backend._lib.EVP_PKEY_free
- )
- res = self._backend._lib.EVP_PKEY_set1_EC_KEY(evp_pkey, self._ec_key)
- assert res == 1
return self._backend._private_key_bytes(
encoding,
format,
encryption_algorithm,
- evp_pkey,
+ self._evp_pkey,
self._ec_key
)
@utils.register_interface(ec.EllipticCurvePublicKeyWithSerialization)
class _EllipticCurvePublicKey(object):
- def __init__(self, backend, ec_key_cdata):
+ def __init__(self, backend, ec_key_cdata, evp_pkey):
self._backend = backend
_mark_asn1_named_ec_curve(backend, ec_key_cdata)
self._ec_key = ec_key_cdata
+ self._evp_pkey = evp_pkey
sn = _ec_key_curve_sn(backend, ec_key_cdata)
self._curve = _sn_to_elliptic_curve(backend, sn)
@@ -268,16 +263,9 @@ class _EllipticCurvePublicKey(object):
"EC public keys do not support PKCS1 serialization"
)
- evp_pkey = self._backend._lib.EVP_PKEY_new()
- assert evp_pkey != self._backend._ffi.NULL
- evp_pkey = self._backend._ffi.gc(
- evp_pkey, self._backend._lib.EVP_PKEY_free
- )
- res = self._backend._lib.EVP_PKEY_set1_EC_KEY(evp_pkey, self._ec_key)
- assert res == 1
return self._backend._public_key_bytes(
encoding,
format,
- evp_pkey,
+ self._evp_pkey,
None
)
diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py
index 1dbbb844..21414c05 100644
--- a/src/cryptography/hazmat/backends/openssl/rsa.py
+++ b/src/cryptography/hazmat/backends/openssl/rsa.py
@@ -508,17 +508,9 @@ class _RSAVerificationContext(object):
@utils.register_interface(RSAPrivateKeyWithSerialization)
class _RSAPrivateKey(object):
- def __init__(self, backend, rsa_cdata):
+ def __init__(self, backend, rsa_cdata, evp_pkey):
self._backend = backend
self._rsa_cdata = rsa_cdata
-
- evp_pkey = self._backend._lib.EVP_PKEY_new()
- assert evp_pkey != self._backend._ffi.NULL
- evp_pkey = self._backend._ffi.gc(
- evp_pkey, self._backend._lib.EVP_PKEY_free
- )
- res = self._backend._lib.EVP_PKEY_set1_RSA(evp_pkey, rsa_cdata)
- assert res == 1
self._evp_pkey = evp_pkey
self._key_size = self._backend._lib.BN_num_bits(self._rsa_cdata.n)
@@ -543,7 +535,8 @@ class _RSAPrivateKey(object):
ctx.n = self._backend._lib.BN_dup(self._rsa_cdata.n)
res = self._backend._lib.RSA_blinding_on(ctx, self._backend._ffi.NULL)
assert res == 1
- return _RSAPublicKey(self._backend, ctx)
+ evp_pkey = self._backend._rsa_cdata_to_evp_pkey(ctx)
+ return _RSAPublicKey(self._backend, ctx, evp_pkey)
def private_numbers(self):
return rsa.RSAPrivateNumbers(
@@ -571,17 +564,9 @@ class _RSAPrivateKey(object):
@utils.register_interface(RSAPublicKeyWithSerialization)
class _RSAPublicKey(object):
- def __init__(self, backend, rsa_cdata):
+ def __init__(self, backend, rsa_cdata, evp_pkey):
self._backend = backend
self._rsa_cdata = rsa_cdata
-
- evp_pkey = self._backend._lib.EVP_PKEY_new()
- assert evp_pkey != self._backend._ffi.NULL
- evp_pkey = self._backend._ffi.gc(
- evp_pkey, self._backend._lib.EVP_PKEY_free
- )
- res = self._backend._lib.EVP_PKEY_set1_RSA(evp_pkey, rsa_cdata)
- assert res == 1
self._evp_pkey = evp_pkey
self._key_size = self._backend._lib.BN_num_bits(self._rsa_cdata.n)
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 3b0c2954..38dc8e70 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -292,6 +292,8 @@ class _Certificate(object):
value = x509.OCSPNoCheck()
elif oid == x509.OID_INHIBIT_ANY_POLICY:
value = _decode_inhibit_any_policy(self._backend, ext)
+ elif oid == x509.OID_ISSUER_ALTERNATIVE_NAME:
+ value = _decode_issuer_alt_name(self._backend, ext)
elif critical:
raise x509.UnsupportedExtension(
"{0} is not currently supported".format(oid), oid
@@ -512,15 +514,26 @@ def _decode_key_usage(backend, ext):
)
-def _decode_subject_alt_name(backend, ext):
+def _decode_general_names_extension(backend, ext):
gns = backend._ffi.cast(
"GENERAL_NAMES *", backend._lib.X509V3_EXT_d2i(ext)
)
assert gns != backend._ffi.NULL
gns = backend._ffi.gc(gns, backend._lib.GENERAL_NAMES_free)
general_names = _decode_general_names(backend, gns)
+ return general_names
+
- return x509.SubjectAlternativeName(general_names)
+def _decode_subject_alt_name(backend, ext):
+ return x509.SubjectAlternativeName(
+ _decode_general_names_extension(backend, ext)
+ )
+
+
+def _decode_issuer_alt_name(backend, ext):
+ return x509.IssuerAlternativeName(
+ _decode_general_names_extension(backend, ext)
+ )
def _decode_extended_key_usage(backend, ext):
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-06 07:16:54 +0000