diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/backend.py | 47 | 
1 files changed, 32 insertions, 15 deletions
| diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index c6ede932..5ce2489c 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -31,8 +31,7 @@ from cryptography.hazmat.backends.openssl.ec import (  from cryptography.hazmat.backends.openssl.encode_asn1 import (      _CRL_ENTRY_EXTENSION_ENCODE_HANDLERS,      _CRL_EXTENSION_ENCODE_HANDLERS, _EXTENSION_ENCODE_HANDLERS, -    _encode_asn1_int_gc, _encode_asn1_str_gc, _encode_name_gc, -    _txt2obj_gc, +    _encode_asn1_int_gc, _encode_asn1_str_gc, _encode_name_gc, _txt2obj_gc,  )  from cryptography.hazmat.backends.openssl.hashes import _HashContext  from cryptography.hazmat.backends.openssl.hmac import _HMACContext @@ -968,6 +967,31 @@ class Backend(object):      def _create_x509_extensions(self, extensions, handlers, x509_obj,                                  add_func, gc):          for i, extension in enumerate(extensions): +            x509_extension = self._create_x509_extension( +                handlers, extension +            ) +            self.openssl_assert(x509_extension != self._ffi.NULL) + +            if gc: +                x509_extension = self._ffi.gc( +                    x509_extension, self._lib.X509_EXTENSION_free +                ) +            res = add_func(x509_obj, x509_extension, i) +            self.openssl_assert(res >= 1) + +    def _create_x509_extension(self, handlers, extension): +        if isinstance(extension.value, x509.UnrecognizedExtension): +            obj = _txt2obj_gc(self, extension.oid.dotted_string) +            value = _encode_asn1_str_gc( +                self, extension.value.value, len(extension.value.value) +            ) +            return self._lib.X509_EXTENSION_create_by_OBJ( +                self._ffi.NULL, +                obj, +                1 if extension.critical else 0, +                value +            ) +        else:              try:                  encode = handlers[extension.oid]              except KeyError: @@ -987,32 +1011,25 @@ class Backend(object):                  x509_extension == self._ffi.NULL and                  extension.oid == x509.OID_CERTIFICATE_ISSUER              ): -                # This path exists to support OpenSSL 0.9.8, which does -                # not know how to encode a CERTIFICATE_ISSUER for CRLs. Once we +                # This path exists to support OpenSSL 0.9.8, which does not +                # know how to encode a CERTIFICATE_ISSUER for CRLs. Once we                  # drop 0.9.8 support we can remove this.                  self._consume_errors()                  pp = backend._ffi.new("unsigned char **")                  r = self._lib.i2d_GENERAL_NAMES(ext_struct, pp)                  backend.openssl_assert(r > 0)                  pp = backend._ffi.gc( -                    pp, lambda pointer: backend._lib.OPENSSL_free(pointer[0]) +                    pp, +                    lambda pointer: backend._lib.OPENSSL_free(pointer[0])                  )                  obj = _txt2obj_gc(self, extension.oid.dotted_string) -                x509_extension = self._lib.X509_EXTENSION_create_by_OBJ( +                return self._lib.X509_EXTENSION_create_by_OBJ(                      self._ffi.NULL,                      obj,                      1 if extension.critical else 0,                      _encode_asn1_str_gc(self, pp[0], r)                  ) - -            self.openssl_assert(x509_extension != self._ffi.NULL) - -            if gc: -                x509_extension = self._ffi.gc( -                    x509_extension, self._lib.X509_EXTENSION_free -                ) -            res = add_func(x509_obj, x509_extension, i) -            self.openssl_assert(res >= 1) +            return x509_extension      def create_x509_revoked_certificate(self, builder):          if not isinstance(builder, x509.RevokedCertificateBuilder): | 
