refactor x509 extension creation to make it a bit more reusable
Unfortunately X509 certs and CSRs add extensions differently, so
we can't reuse quite as much as we'd like to...
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 6d19b80..0981b8e 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1312,30 +1312,19 @@
self.openssl_assert(res == 1)
# Add extensions.
- extensions = self._lib.sk_X509_EXTENSION_new_null()
- self.openssl_assert(extensions != self._ffi.NULL)
- extensions = self._ffi.gc(
- extensions,
- self._lib.sk_X509_EXTENSION_free,
+ extensions = self._create_x509_extensions(
+ builder._extensions, _EXTENSION_ENCODE_HANDLERS
)
- for extension in builder._extensions:
- try:
- encode = _EXTENSION_ENCODE_HANDLERS[extension.oid]
- except KeyError:
- raise NotImplementedError('Extension not yet supported.')
-
- pp, r = encode(self, extension.value)
- obj = _txt2obj_gc(self, extension.oid.dotted_string)
- extension = self._lib.X509_EXTENSION_create_by_OBJ(
- self._ffi.NULL,
- obj,
- 1 if extension.critical else 0,
- _encode_asn1_str_gc(self, pp[0], r),
- )
- self.openssl_assert(extension != self._ffi.NULL)
- res = self._lib.sk_X509_EXTENSION_push(extensions, extension)
+ sk_extension = self._lib.sk_X509_EXTENSION_new_null()
+ self.openssl_assert(sk_extension != self._ffi.NULL)
+ sk_extension = self._ffi.gc(
+ sk_extension, self._lib.sk_X509_EXTENSION_free
+ )
+ for extension in extensions:
+ res = self._lib.sk_X509_EXTENSION_push(sk_extension, extension)
self.openssl_assert(res >= 1)
- res = self._lib.X509_REQ_add_extensions(x509_req, extensions)
+
+ res = self._lib.X509_REQ_add_extensions(x509_req, sk_extension)
self.openssl_assert(res == 1)
# Sign the request using the requester's private key.
@@ -1416,22 +1405,10 @@
self.openssl_assert(res != self._ffi.NULL)
# Add extensions.
- for i, extension in enumerate(builder._extensions):
- try:
- encode = _EXTENSION_ENCODE_HANDLERS[extension.oid]
- except KeyError:
- raise NotImplementedError('Extension not yet supported.')
-
- pp, r = encode(self, extension.value)
- obj = _txt2obj_gc(self, extension.oid.dotted_string)
- extension = self._lib.X509_EXTENSION_create_by_OBJ(
- self._ffi.NULL,
- obj,
- 1 if extension.critical else 0,
- _encode_asn1_str_gc(self, pp[0], r)
- )
- self.openssl_assert(extension != self._ffi.NULL)
- extension = self._ffi.gc(extension, self._lib.X509_EXTENSION_free)
+ extensions = self._create_x509_extensions(
+ builder._extensions, _EXTENSION_ENCODE_HANDLERS
+ )
+ for i, extension in enumerate(extensions):
res = self._lib.X509_add_ext(x509_cert, extension, i)
self.openssl_assert(res == 1)
@@ -1524,6 +1501,30 @@
return _CertificateRevocationList(self, x509_crl)
+ def _create_x509_extensions(self, extensions, handlers):
+ x509_extensions = []
+ for extension in extensions:
+ try:
+ encode = handlers[extension.oid]
+ except KeyError:
+ raise NotImplementedError(
+ 'Extension not supported: {0}'.format(extension.oid)
+ )
+
+ pp, r = encode(self, extension.value)
+ obj = _txt2obj_gc(self, extension.oid.dotted_string)
+ extension = self._lib.X509_EXTENSION_create_by_OBJ(
+ self._ffi.NULL,
+ obj,
+ 1 if extension.critical else 0,
+ _encode_asn1_str_gc(self, pp[0], r)
+ )
+ self.openssl_assert(extension != self._ffi.NULL)
+ extension = self._ffi.gc(extension, self._lib.X509_EXTENSION_free)
+ x509_extensions.append(extension)
+
+ return x509_extensions
+
def load_pem_private_key(self, data, password):
return self._load_key(
self._lib.PEM_read_bio_PrivateKey,