Merge pull request #2549 from reaperhulk/more-crl-extensions
More CRL extensions
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 742d411..3dc5249 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -25,7 +25,12 @@
:class:`~cryptography.x509.CertificateRevocationList`.
* Add support for parsing :class:`~cryptography.x509.CertificateRevocationList`
:meth:`~cryptography.x509.CertificateRevocationList.extensions` in the
- OpenSSL backend.
+ OpenSSL backend. The following extensions are currently supported:
+
+ * :class:`~cryptography.x509.AuthorityInformationAccess`
+ * :class:`~cryptography.x509.AuthorityKeyIdentifier`
+ * ``CRLNumber``
+ * :class:`~cryptography.x509.IssuerAlternativeName`
1.1.2 - 2015-12-10
~~~~~~~~~~~~~~~~~~
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 6f335f4..45c0df5 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -987,6 +987,10 @@
_CRL_EXTENSION_HANDLERS = {
ExtensionOID.CRL_NUMBER: _decode_crl_number,
ExtensionOID.AUTHORITY_KEY_IDENTIFIER: _decode_authority_key_identifier,
+ ExtensionOID.ISSUER_ALTERNATIVE_NAME: _decode_issuer_alt_name,
+ ExtensionOID.AUTHORITY_INFORMATION_ACCESS: (
+ _decode_authority_information_access
+ ),
}
_CERTIFICATE_EXTENSION_PARSER = _X509ExtensionParser(
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 8d94322..b39e189 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -175,8 +175,8 @@
def test_extensions(self, backend):
crl = _load_cert(
- os.path.join("x509", "PKITS_data", "crls", "GoodCACRL.crl"),
- x509.load_der_x509_crl,
+ os.path.join("x509", "custom", "crl_ian_aia_aki.pem"),
+ x509.load_pem_x509_crl,
backend
)
@@ -186,15 +186,30 @@
aki = crl.extensions.get_extension_for_class(
x509.AuthorityKeyIdentifier
)
+ aia = crl.extensions.get_extension_for_class(
+ x509.AuthorityInformationAccess
+ )
+ ian = crl.extensions.get_extension_for_class(
+ x509.IssuerAlternativeName
+ )
assert crl_number.value == 1
assert crl_number.critical is False
assert aki.value == x509.AuthorityKeyIdentifier(
key_identifier=(
- b'X\x01\x84$\x1b\xbc+R\x94J=\xa5\x10r\x14Q\xf5\xaf:\xc9'
+ b'yu\xbb\x84:\xcb,\xdez\t\xbe1\x1bC\xbc\x1c*MSX'
),
authority_cert_issuer=None,
authority_cert_serial_number=None
)
+ assert aia.value == x509.AuthorityInformationAccess([
+ x509.AccessDescription(
+ AuthorityInformationAccessOID.CA_ISSUERS,
+ x509.DNSName(u"cryptography.io")
+ )
+ ])
+ assert ian.value == x509.IssuerAlternativeName([
+ x509.UniformResourceIdentifier(u"https://cryptography.io"),
+ ])
def test_signature(self, backend):
crl = _load_cert(