X509_REVOKED_dup isn't available everywhere, we get to define our own
diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py
index eb6dd28..c5eb600 100644
--- a/src/_cffi_src/openssl/x509.py
+++ b/src/_cffi_src/openssl/x509.py
@@ -184,7 +184,6 @@
ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *);
X509_REVOKED *X509_REVOKED_new(void);
-X509_REVOKED *X509_REVOKED_dup(X509_REVOKED *);
void X509_REVOKED_free(X509_REVOKED *);
int X509_REVOKED_set_serialNumber(X509_REVOKED *, ASN1_INTEGER *);
@@ -271,6 +270,8 @@
"""
MACROS = """
+X509_REVOKED *Cryptography_X509_REVOKED_dup(X509_REVOKED *);
+
int i2d_X509_CINF(X509_CINF *, unsigned char **);
int i2d_X509_CRL_INFO(X509_CRL_INFO *, unsigned char **);
int i2d_X509_REQ_INFO(X509_REQ_INFO *, unsigned char **);
@@ -366,4 +367,12 @@
EC_KEY *(*o2i_ECPublicKey)(EC_KEY **, const unsigned char **, long) = NULL;
int (*i2o_ECPublicKey)(EC_KEY *, unsigned char **) = NULL;
#endif
+
+/* X509_REVOKED_dup only exists on 1.0.2+. It is implemented using
+ IMPLEMENT_ASN1_DUP_FUNCTION. The below is the equivalent so we have
+ it available on all OpenSSLs. */
+X509_REVOKED *Cryptography_X509_REVOKED_dup(X509_REVOKED *rev) {
+ return ASN1_item_dup(ASN1_ITEM_rptr(X509_REVOKED), rev);
+}
+
"""
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 295fae1..7d8460c 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1523,7 +1523,9 @@
for revoked_cert in builder._revoked_certificates:
# Duplicating because the X509_CRL takes ownership and will free
# this memory when X509_CRL_free is called.
- revoked = self._lib.X509_REVOKED_dup(revoked_cert._x509_revoked)
+ revoked = self._lib.Cryptography_X509_REVOKED_dup(
+ revoked_cert._x509_revoked
+ )
self.openssl_assert(revoked != self._ffi.NULL)
res = self._lib.X509_CRL_add0_revoked(x509_crl, revoked)
self.openssl_assert(res == 1)