From 426b48d9fbf86712407a9080fc327087c721f376 Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Thu, 24 Dec 2015 20:50:43 -0600
Subject: add extension support to the CRLBuilder

---
 .../hazmat/backends/openssl/backend.py | 42 +++++++++++++++++++++-
 src/cryptography/x509/base.py | 18 ++++++++++
 2 files changed, 59 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 86c1a813..7ea5fa75 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -153,6 +153,17 @@ def _encode_name_gc(backend, attributes):
     return subject
+def _encode_crl_number(backend, crl_number):
+    asn1int = _encode_asn1_int_gc(backend, crl_number.crl_number)
+    pp = backend._ffi.new('unsigned char **')
+    r = backend._lib.i2d_ASN1_INTEGER(asn1int, pp)
+    backend.openssl_assert(r > 0)
+    pp = backend._ffi.gc(
+        pp, lambda pointer: backend._lib.OPENSSL_free(pointer[0])
+    )
+    return pp, r
+
+
 def _encode_certificate_policies(backend, certificate_policies):
     cp = backend._lib.sk_POLICYINFO_new_null()
     backend.openssl_assert(cp != backend._ffi.NULL)
@@ -625,6 +636,15 @@ _EXTENSION_ENCODE_HANDLERS = {
     ExtensionOID.NAME_CONSTRAINTS: _encode_name_constraints,
 }
+_CRL_EXTENSION_ENCODE_HANDLERS = {
+    ExtensionOID.ISSUER_ALTERNATIVE_NAME: _encode_alt_name,
+    ExtensionOID.AUTHORITY_KEY_IDENTIFIER: _encode_authority_key_identifier,
+    ExtensionOID.AUTHORITY_INFORMATION_ACCESS: (
+        _encode_authority_information_access
+    ),
+    ExtensionOID.CRL_NUMBER: _encode_crl_number,
+}
+
 class _PasswordUserdata(object):
     def __init__(self, password):
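Review bot: `_encode_crl_number` has no docstring, and its return contract is the non-obvious part: the caller unpacks `pp, r` and reads `pp[0]` as the DER bytes of length `r`, while the buffer itself is released by the `OPENSSL_free` lambda attached via `_ffi.gc`. Suggest `"""Return (pp, r): pp[0] is the DER encoding of the CRL number, r its length; the buffer is freed by OPENSSL_free when pp is collected."""` as the first line of the body. The `openssl_assert(r > 0)` runs before the gc wrapper is attached, so a one-line `# i2d_* failed: nothing was allocated, nothing to free` comment would save the next reader from checking whether that ordering leaks.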
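Review bot: `_CRL_EXTENSION_ENCODE_HANDLERS` sits directly under `_EXTENSION_ENCODE_HANDLERS` and reuses three of its encoders without a comment saying why a second table exists. Suggest `# Encoders for the extensions a CRL may carry; the builder accepts any ExtensionType, and an OID missing here is rejected with NotImplementedError when the CRL is signed.`, which is the behaviour `create_x509_crl` gives this table later in the same commit. That makes the table the single place a reviewer checks when deciding which CRL extensions are supported.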
@@ -1490,7 +1510,27 @@ class Backend(object):
         self.openssl_assert(res == 1)
         # TODO: support revoked certificates
-        # TODO: add support for CRL extensions
+        for i, extension in enumerate(builder._extensions):
+            try:
+                encode = _CRL_EXTENSION_ENCODE_HANDLERS[extension.oid]
+            except KeyError:
+                raise NotImplementedError(
+                    'Extension not supported: {0}'.format(extension.oid)
+                )
+
+            pp, r = encode(self, extension.value)
+            obj = _txt2obj_gc(self, extension.oid.dotted_string)
+            extension = self._lib.X509_EXTENSION_create_by_OBJ(
+                self._ffi.NULL,
+                obj,
+                1 if extension.critical else 0,
+                _encode_asn1_str_gc(self, pp[0], r)
+            )
+            self.openssl_assert(extension != self._ffi.NULL)
+            extension = self._ffi.gc(extension, self._lib.X509_EXTENSION_free)
+            res = self._lib.X509_CRL_add_ext(x509_crl, extension, i)
+            self.openssl_assert(res == 1)
+
         res = self._lib.X509_CRL_sign(
             x509_crl, private_key._evp_pkey, evp_md
         )
diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py
index 6bca2c52..49cbcf75 100644
--- a/src/cryptography/x509/base.py
+++ b/src/cryptography/x509/base.py
@@ -573,6 +573,24 @@ class CertificateRevocationListBuilder(object):
             self._extensions, self._revoked_certificates
         )
+    def add_extension(self, extension, critical):
+        """
+        Adds an X.509 extension to the certificate revocation list.
+        """
+        if not isinstance(extension, ExtensionType):
+            raise TypeError("extension must be an ExtensionType")
+
+        extension = Extension(extension.oid, critical, extension)
+
+        # TODO: This is quadratic in the number of extensions
+        for e in self._extensions:
+            if e.oid == extension.oid:
+                raise ValueError('This extension has already been set.')
+        return CertificateRevocationListBuilder(
+            self._issuer_name, self._last_update, self._next_update,
+            self._extensions + [extension], self._revoked_certificates
+        )
+
     def sign(self, private_key, algorithm, backend):
         if self._issuer_name is None:
             raise ValueError("A CRL must have an issuer name")
--
cgit v1.2.3
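Review bot: `add_extension` accepts any `ExtensionType`, but the OpenSSL backend in this same commit encodes only the four OIDs in `_CRL_EXTENSION_ENCODE_HANDLERS` and raises `NotImplementedError` for anything else, so the failure surfaces at `sign()` rather than here; the docstring should say so. Suggest `Adds an X.509 extension to the certificate revocation list and returns a new builder. Extensions the backend cannot encode are rejected when sign() is called.`. Whether `critical` is checked to be a bool depends on `Extension.__init__`, which is outside this hunk, so the builder itself makes no promise about it. The duplicate-OID loop is fine for the handful of extensions a CRL carries; the quadratic TODO is accurate but not a practical concern here.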
From b7b1289117d9cd8bd17f03c1f8c3f753260e5ccd Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Fri, 25 Dec 2015 09:59:12 -0600
Subject: use _create_x509_extensions in create_x509_crl

---
 .../hazmat/backends/openssl/backend.py | 28 +++++++---------------
 1 file changed, 8 insertions(+), 20 deletions(-)

(limited to 'src')

diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 7ea5fa75..65792c3b 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1510,26 +1510,14 @@ class Backend(object):
         self.openssl_assert(res == 1)
         # TODO: support revoked certificates
-        for i, extension in enumerate(builder._extensions):
-            try:
-                encode = _CRL_EXTENSION_ENCODE_HANDLERS[extension.oid]
-            except KeyError:
-                raise NotImplementedError(
-                    'Extension not supported: {0}'.format(extension.oid)
-                )
-
-            pp, r = encode(self, extension.value)
-            obj = _txt2obj_gc(self, extension.oid.dotted_string)
-            extension = self._lib.X509_EXTENSION_create_by_OBJ(
-                self._ffi.NULL,
-                obj,
-                1 if extension.critical else 0,
-                _encode_asn1_str_gc(self, pp[0], r)
-            )
-            self.openssl_assert(extension != self._ffi.NULL)
-            extension = self._ffi.gc(extension, self._lib.X509_EXTENSION_free)
-            res = self._lib.X509_CRL_add_ext(x509_crl, extension, i)
-            self.openssl_assert(res == 1)
+        # Add extensions.
+        self._create_x509_extensions(
+            extensions=builder._extensions,
+            handlers=_CRL_EXTENSION_ENCODE_HANDLERS,
+            x509_obj=x509_crl,
+            add_func=self._lib.X509_CRL_add_ext,
+            gc=True
+        )
         res = self._lib.X509_CRL_sign(
             x509_crl, private_key._evp_pkey, evp_md
--
cgit v1.2.3
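Review bot: `gc=True` is the one argument of the new `_create_x509_extensions` call whose meaning is not evident from its name, and the `# Add extensions.` comment above it restates what the call does instead of explaining that flag. The removed lines show each `X509_EXTENSION` being wrapped with `X509_EXTENSION_free` before `X509_CRL_add_ext`, which is presumably the ownership rule `gc=True` now delegates to the helper; suggest replacing the comment with `# gc=True: X509_CRL_add_ext does not take ownership, so the extension we build must be freed by us.` if that matches `_create_x509_extensions`, which is outside this hunk. `create_x509_crl` itself also starts and ends outside the hunk.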