Merge pull request #2824 from reaperhulk/110-patch-34
remove some EC functions we don't use
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 1c11f02..aad8d93 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -8,8 +8,10 @@
* Deprecated support for OpenSSL 0.9.8. Support will be removed in
``cryptography`` 1.4.
-* Added support for the :class:`~cryptography.x509.PolicyConstraints` X.509
- extension.
+* Added support for the :class:`~cryptography.x509.PolicyConstraints`
+ X.509 extension including both parsing and generation using
+ :class:`~cryptography.x509.CertificateBuilder` and
+ :class:`~cryptography.x509.CertificateSigningRequestBuilder`.
* Added :attr:`~cryptography.x509.CertificateSigningRequest.is_signature_valid`
to :class:`~cryptography.x509.CertificateSigningRequest`.
* Fixed an intermittent ``AssertionError`` when performing an RSA decryption on
diff --git a/src/_cffi_src/openssl/bio.py b/src/_cffi_src/openssl/bio.py
index c032f72..df9b1b4 100644
--- a/src/_cffi_src/openssl/bio.py
+++ b/src/_cffi_src/openssl/bio.py
@@ -68,8 +68,6 @@
static const int BIO_C_FILE_SEEK;
static const int BIO_C_FILE_TELL;
static const int BIO_TYPE_NONE;
-static const int BIO_TYPE_PROXY_CLIENT;
-static const int BIO_TYPE_PROXY_SERVER;
static const int BIO_TYPE_NBIO_TEST;
static const int BIO_TYPE_BER;
static const int BIO_TYPE_BIO;
diff --git a/src/_cffi_src/openssl/ec.py b/src/_cffi_src/openssl/ec.py
index 82476f1..9160309 100644
--- a/src/_cffi_src/openssl/ec.py
+++ b/src/_cffi_src/openssl/ec.py
@@ -76,8 +76,8 @@
void EC_KEY_set_flags(EC_KEY *, int);
void EC_KEY_clear_flags(EC_KEY *, int);
EC_KEY *EC_KEY_new_by_curve_name(int);
-EC_KEY *EC_KEY_copy(EC_KEY *, const EC_KEY *);
-EC_KEY *EC_KEY_dup(const EC_KEY *);
+EC_KEY *EC_KEY_copy(EC_KEY *, EC_KEY *);
+EC_KEY *EC_KEY_dup(EC_KEY *);
int EC_KEY_up_ref(EC_KEY *);
const EC_GROUP *EC_KEY_get0_group(const EC_KEY *);
int EC_GROUP_get_order(const EC_GROUP *, BIGNUM *, BN_CTX *);
diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
index 3238387..75b0f13 100644
--- a/src/_cffi_src/openssl/ssl.py
+++ b/src/_cffi_src/openssl/ssl.py
@@ -399,7 +399,7 @@
const unsigned char **, unsigned *);
int sk_SSL_CIPHER_num(Cryptography_STACK_OF_SSL_CIPHER *);
-SSL_CIPHER *sk_SSL_CIPHER_value(Cryptography_STACK_OF_SSL_CIPHER *, int);
+const SSL_CIPHER *sk_SSL_CIPHER_value(Cryptography_STACK_OF_SSL_CIPHER *, int);
/* ALPN APIs were introduced in OpenSSL 1.0.2. To continue to support earlier
* versions some special handling of these is necessary.
diff --git a/src/cryptography/hazmat/backends/openssl/encode_asn1.py b/src/cryptography/hazmat/backends/openssl/encode_asn1.py
index 0ede533..b0e2e73 100644
--- a/src/cryptography/hazmat/backends/openssl/encode_asn1.py
+++ b/src/cryptography/hazmat/backends/openssl/encode_asn1.py
@@ -526,6 +526,23 @@
return nc
+def _encode_policy_constraints(backend, policy_constraints):
+ pc = backend._lib.POLICY_CONSTRAINTS_new()
+ backend.openssl_assert(pc != backend._ffi.NULL)
+ pc = backend._ffi.gc(pc, backend._lib.POLICY_CONSTRAINTS_free)
+ if policy_constraints.require_explicit_policy is not None:
+ pc.requireExplicitPolicy = _encode_asn1_int(
+ backend, policy_constraints.require_explicit_policy
+ )
+
+ if policy_constraints.inhibit_policy_mapping is not None:
+ pc.inhibitPolicyMapping = _encode_asn1_int(
+ backend, policy_constraints.inhibit_policy_mapping
+ )
+
+ return pc
+
+
def _encode_general_subtree(backend, subtrees):
if subtrees is None:
return backend._ffi.NULL
@@ -556,6 +573,7 @@
ExtensionOID.INHIBIT_ANY_POLICY: _encode_inhibit_any_policy,
ExtensionOID.OCSP_NO_CHECK: _encode_ocsp_nocheck,
ExtensionOID.NAME_CONSTRAINTS: _encode_name_constraints,
+ ExtensionOID.POLICY_CONSTRAINTS: _encode_policy_constraints,
}
_CRL_EXTENSION_ENCODE_HANDLERS = {
diff --git a/tests/test_x509.py b/tests/test_x509.py
index c042169..a6398bb 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -2225,6 +2225,54 @@
)
assert ext.value == x509.InhibitAnyPolicy(3)
+ @pytest.mark.parametrize(
+ "pc",
+ [
+ x509.PolicyConstraints(
+ require_explicit_policy=None,
+ inhibit_policy_mapping=1
+ ),
+ x509.PolicyConstraints(
+ require_explicit_policy=3,
+ inhibit_policy_mapping=1
+ ),
+ x509.PolicyConstraints(
+ require_explicit_policy=0,
+ inhibit_policy_mapping=None
+ ),
+ ]
+ )
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_policy_constraints(self, backend, pc):
+ issuer_private_key = RSA_KEY_2048.private_key(backend)
+ subject_private_key = RSA_KEY_2048.private_key(backend)
+
+ not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
+ not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
+
+ cert = x509.CertificateBuilder().subject_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
+ ).issuer_name(
+ x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
+ ).not_valid_before(
+ not_valid_before
+ ).not_valid_after(
+ not_valid_after
+ ).public_key(
+ subject_private_key.public_key()
+ ).serial_number(
+ 123
+ ).add_extension(
+ pc, critical=False
+ ).sign(issuer_private_key, hashes.SHA256(), backend)
+
+ ext = cert.extensions.get_extension_for_class(
+ x509.PolicyConstraints
+ )
+ assert ext.critical is False
+ assert ext.value == pc
+
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_name_constraints(self, backend):