add 5 accessor functions that exist in 1.1.0 to help opaque x509 structs
X509_REVOKED_get0_serialNumber
X509_REVOKED_get0_revocationDate
X509_CRL_get0_signature
i2d_re_X509_REQ_tbs
i2d_re_X509_CRL_tbs
X509_REQ_get0_signature
diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py
index 4cdc827..72e63f7 100644
--- a/src/_cffi_src/openssl/x509.py
+++ b/src/_cffi_src/openssl/x509.py
@@ -349,6 +349,15 @@
void sk_ASN1_OBJECT_free(Cryptography_STACK_OF_ASN1_OBJECT *);
Cryptography_STACK_OF_ASN1_OBJECT *sk_ASN1_OBJECT_new_null(void);
int sk_ASN1_OBJECT_push(Cryptography_STACK_OF_ASN1_OBJECT *, ASN1_OBJECT *);
+
+/* these functions were added in 1.1.0 */
+ASN1_INTEGER *X509_REVOKED_get0_serialNumber(X509_REVOKED *);
+ASN1_TIME *X509_REVOKED_get0_revocationDate(X509_REVOKED *);
+void X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg,
+ X509_CRL *crl);
+int i2d_re_X509_REQ_tbs(X509_REQ *, unsigned char **);
+int i2d_re_X509_CRL_tbs(X509_CRL *, unsigned char **);
+void X509_REQ_get0_signature(ASN1_BIT_STRING **, X509_ALGOR **, X509_REQ *);
"""
CUSTOMIZATIONS = """
@@ -377,4 +386,51 @@
return ASN1_item_dup(ASN1_ITEM_rptr(X509_REVOKED), rev);
}
+/* Added in 1.1.0 but we need it in all versions now due to the great
+ opaquing. */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+/* from x509/x509_req.c */
+void X509_REQ_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg,
+ X509_REQ *req)
+{
+ if (psig != NULL)
+ *psig = req->signature;
+ if (palg != NULL)
+ /* In 1.0.2 and below sig_alg is a pointer in the struct, so
+ we don't want to pass by reference. */
+ *palg = req->sig_alg;
+}
+int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp)
+{
+ req->req_info->enc.modified = 1;
+ return i2d_X509_REQ_INFO(req->req_info, pp);
+}
+int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **pp) {
+ crl->crl->enc.modified = 1;
+ return i2d_X509_CRL_INFO(crl->crl, pp);
+}
+
+void X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg,
+ X509_CRL *crl)
+{
+ if (psig != NULL)
+ /* In 1.0.2 and below sigis a pointer in the struct, so
+ we don't want to pass by reference. */
+ *psig = crl->signature;
+ if (palg != NULL)
+ /* In 1.0.2 and below sig_alg is a pointer in the struct, so
+ we don't want to pass by reference. */
+ *palg = crl->sig_alg;
+}
+ASN1_TIME *X509_REVOKED_get0_revocationDate(X509_REVOKED *x)
+{
+ return x->revocationDate;
+}
+ASN1_INTEGER *X509_REVOKED_get0_serialNumber(X509_REVOKED *x)
+{
+ /* In 1.0.2 and below serialNumber is a pointer in the struct, so
+ we don't want to pass by reference. */
+ return x->serialNumber;
+}
+#endif
"""
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index c71f8d9..e97a96d 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -153,14 +153,20 @@
@property
def serial_number(self):
- asn1_int = self._x509_revoked.serialNumber
+ asn1_int = self._backend._lib.X509_REVOKED_get0_serialNumber(
+ self._x509_revoked
+ )
self._backend.openssl_assert(asn1_int != self._backend._ffi.NULL)
return _asn1_integer_to_int(self._backend, asn1_int)
@property
def revocation_date(self):
return _parse_asn1_time(
- self._backend, self._x509_revoked.revocationDate)
+ self._backend,
+ self._backend._lib.X509_REVOKED_get0_revocationDate(
+ self._x509_revoked
+ )
+ )
@property
def extensions(self):
@@ -198,7 +204,12 @@
@property
def signature_hash_algorithm(self):
- oid = _obj2txt(self._backend, self._x509_crl.sig_alg.algorithm)
+ alg = self._backend._ffi.new("X509_ALGOR **")
+ self._backend._lib.X509_CRL_get0_signature(
+ self._backend._ffi.NULL, alg, self._x509_crl
+ )
+ self._backend.openssl_assert(alg[0] != self._backend._ffi.NULL)
+ oid = _obj2txt(self._backend, alg[0].algorithm)
try:
return x509._SIG_OIDS_TO_HASH[oid]
except KeyError:
@@ -226,13 +237,17 @@
@property
def signature(self):
- return _asn1_string_to_bytes(self._backend, self._x509_crl.signature)
+ sig = self._backend._ffi.new("ASN1_BIT_STRING **")
+ self._backend._lib.X509_CRL_get0_signature(
+ sig, self._backend._ffi.NULL, self._x509_crl
+ )
+ self._backend.openssl_assert(sig[0] != self._backend._ffi.NULL)
+ return _asn1_string_to_bytes(self._backend, sig[0])
@property
def tbs_certlist_bytes(self):
pp = self._backend._ffi.new("unsigned char **")
- # the X509_CRL_INFO struct holds the tbsCertList data
- res = self._backend._lib.i2d_X509_CRL_INFO(self._x509_crl.crl, pp)
+ res = self._backend._lib.i2d_re_X509_CRL_tbs(self._x509_crl, pp)
self._backend.openssl_assert(res > 0)
pp = self._backend._ffi.gc(
pp, lambda pointer: self._backend._lib.OPENSSL_free(pointer[0])
@@ -321,7 +336,12 @@
@property
def signature_hash_algorithm(self):
- oid = _obj2txt(self._backend, self._x509_req.sig_alg.algorithm)
+ alg = self._backend._ffi.new("X509_ALGOR **")
+ self._backend._lib.X509_REQ_get0_signature(
+ self._backend._ffi.NULL, alg, self._x509_req
+ )
+ self._backend.openssl_assert(alg[0] != self._backend._ffi.NULL)
+ oid = _obj2txt(self._backend, alg[0].algorithm)
try:
return x509._SIG_OIDS_TO_HASH[oid]
except KeyError:
@@ -351,8 +371,7 @@
@property
def tbs_certrequest_bytes(self):
pp = self._backend._ffi.new("unsigned char **")
- # the X509_REQ_INFO struct holds the CertificateRequestInfo data
- res = self._backend._lib.i2d_X509_REQ_INFO(self._x509_req.req_info, pp)
+ res = self._backend._lib.i2d_re_X509_REQ_tbs(self._x509_req, pp)
self._backend.openssl_assert(res > 0)
pp = self._backend._ffi.gc(
pp, lambda pointer: self._backend._lib.OPENSSL_free(pointer[0])
@@ -361,7 +380,12 @@
@property
def signature(self):
- return _asn1_string_to_bytes(self._backend, self._x509_req.signature)
+ sig = self._backend._ffi.new("ASN1_BIT_STRING **")
+ self._backend._lib.X509_REQ_get0_signature(
+ sig, self._backend._ffi.NULL, self._x509_req
+ )
+ self._backend.openssl_assert(sig[0] != self._backend._ffi.NULL)
+ return _asn1_string_to_bytes(self._backend, sig[0])
@property
def is_signature_valid(self):