Merge remote-tracking branch 'upstream/master' into cert-builder
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 85f8447..4506a46 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -24,8 +24,26 @@
and :class:`~cryptography.hazmat.primitives.kdf.concatkdf.ConcatKDFHMAC`.
* Raise a ``TypeError`` when passing objects that are not text as the value to
:class:`~cryptography.x509.NameAttribute`.
+* Add support for :class:`~cryptography.x509.OtherName` as a general name
+ type.
+* Added new X.509 extension support in :class:`~cryptography.x509.Certificate`
+ The following new extensions are now supported:
+
+ * :class:`~cryptography.x509.OCSPNoCheck`
+ * :class:`~cryptography.x509.InhibitAnyPolicy`
+ * :class:`~cryptography.x509.IssuerAlternativeName`
+ * :class:`~cryptography.x509.NameConstraints`
+
+* Extension support was added to
+ :class:`~cryptography.x509.CertificateSigningRequest`.
* Add support for creating certificate signing requests with
- :class:`~cryptography.x509.CertificateSigningRequestBuilder`.
+ :class:`~cryptography.x509.CertificateSigningRequestBuilder`. This includes
+ support for the following extensions:
+
+ * :class:`~cryptography.x509.BasicConstraints`
+ * :class:`~cryptography.x509.ExtendedKeyUsage`
+ * :class:`~cryptography.x509.KeyUsage`
+ * :class:`~cryptography.x509.SubjectAlternativeName`
0.9.3 - 2015-07-09
~~~~~~~~~~~~~~~~~~
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
index ea44a46..d400e66 100644
--- a/docs/development/test-vectors.rst
+++ b/docs/development/test-vectors.rst
@@ -233,6 +233,8 @@
* ``cp_user_notice_no_explicit_text.pem`` - An RSA 2048 bit self-signed
certificate containing a certificate policies extension with a user notice
with no explicit text.
+* ``cp_invalid.pem`` - An RSA 2048 bit self-signed certificate containing a
+ certificate policies extension with invalid data.
* ``ian_uri.pem`` - An RSA 2048 bit certificate containing an issuer
alternative name extension with a ``URI`` general name.
* ``ocsp_nocheck.pem`` - An RSA 2048 bit self-signed certificate containing
diff --git a/docs/installation.rst b/docs/installation.rst
index 96e1e8d..becab6b 100644
--- a/docs/installation.rst
+++ b/docs/installation.rst
@@ -45,28 +45,18 @@
$ pip install cryptography
If you prefer to compile it yourself you'll need to have OpenSSL installed.
-There are `pre-compiled binaries`_ available. If your installation is in an
-unusual location set the ``LIB`` and ``INCLUDE`` environment variables to
-include the corresponding locations.For example:
+You can compile OpenSSL yourself as well or use the binaries we build for our
+release infrastructure (`32-bit`_ and `64-bit`_). Wherever you place your copy
+of OpenSSL you'll need to set the ``LIB`` and ``INCLUDE`` environment variables
+to include the proper locations. For example:
.. code-block:: console
C:\> \path\to\vcvarsall.bat x86_amd64
- C:\> set LIB=C:\OpenSSL\lib\VC\static;C:\OpenSSL\lib;%LIB%
- C:\> set INCLUDE=C:\OpenSSL\include;%INCLUDE%
+ C:\> set LIB=C:\OpenSSL-win64\lib;%LIB%
+ C:\> set INCLUDE=C:\OpenSSL-win64\include;%INCLUDE%
C:\> pip install cryptography
-You can also choose to build statically or dynamically using the
-``PYCA_WINDOWS_LINK_TYPE`` variable. Allowed values are ``static`` (default)
-and ``dynamic``.
-
-.. code-block:: console
-
- C:\> \path\to\vcvarsall.bat x86_amd64
- C:\> set LIB=C:\OpenSSL\lib\VC\static;C:\OpenSSL\lib;%LIB%
- C:\> set INCLUDE=C:\OpenSSL\include;%INCLUDE%
- C:\> set PYCA_WINDOWS_LINK_TYPE=dynamic
- C:\> pip install cryptography
Building cryptography on Linux
------------------------------
@@ -186,6 +176,7 @@
.. _`Homebrew`: http://brew.sh
.. _`MacPorts`: http://www.macports.org
-.. _`pre-compiled binaries`: https://www.openssl.org/related/binaries.html
+.. _`32-bit`: https://jenkins.cryptography.io/job/openssl-win32-release/
+.. _`64-bit`: https://jenkins.cryptography.io/job/openssl-win64-release/
.. _`bug in conda`: https://github.com/conda/conda-recipes/issues/110
.. _`Greg Wilson's blog post`: http://software-carpentry.org/blog/2014/04/mr-biczo-was-right.html
diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst
index 5e58886..799126b 100644
--- a/docs/x509/reference.rst
+++ b/docs/x509/reference.rst
@@ -565,6 +565,25 @@
>>> isinstance(csr.signature_hash_algorithm, hashes.SHA1)
True
+ .. attribute:: extensions
+
+ :type: :class:`Extensions`
+
+ The extensions encoded in the certificate signing request.
+
+ :raises cryptography.x509.DuplicateExtension: If more than one
+ extension of the same type is found within the certificate signing request.
+
+ :raises cryptography.x509.UnsupportedExtension: If the certificate signing request
+ contains an extension that is not supported.
+
+ :raises cryptography.x509.UnsupportedGeneralNameType: If an extension
+ contains a general name that is not supported.
+
+ :raises UnicodeError: If an extension contains IDNA encoding that is
+ invalid or not compliant with IDNA 2008.
+
+
.. method:: public_bytes(encoding)
.. versionadded:: 1.0
diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py
index dac3e4d..6a5bf2d 100644
--- a/src/_cffi_src/build_openssl.py
+++ b/src/_cffi_src/build_openssl.py
@@ -4,7 +4,6 @@
from __future__ import absolute_import, division, print_function
-import os
import sys
from _cffi_src.utils import build_ffi_for_binding, extra_link_args
@@ -19,20 +18,8 @@
# (http://marc.info/?l=openssl-users&m=135361825921871)
return ["ssl", "crypto"]
else:
- link_type = os.environ.get("PYCA_WINDOWS_LINK_TYPE", "static")
- return _get_openssl_windows_libraries(link_type)
-
-
-def _get_openssl_windows_libraries(link_type):
- if link_type == "dynamic":
- return ["libeay32", "ssleay32", "advapi32"]
- elif link_type == "static" or link_type == "":
- return ["libeay32mt", "ssleay32mt", "advapi32",
+ return ["libeay32", "ssleay32", "advapi32",
"crypt32", "gdi32", "user32", "ws2_32"]
- else:
- raise ValueError(
- "PYCA_WINDOWS_LINK_TYPE must be 'static' or 'dynamic'"
- )
_OSX_PRE_INCLUDE = """
diff --git a/src/_cffi_src/openssl/asn1.py b/src/_cffi_src/openssl/asn1.py
index 5f8ca69..96eff7d 100644
--- a/src/_cffi_src/openssl/asn1.py
+++ b/src/_cffi_src/openssl/asn1.py
@@ -125,7 +125,9 @@
"""
MACROS = """
+ASN1_BIT_STRING *ASN1_BIT_STRING_new(void);
void ASN1_BIT_STRING_free(ASN1_BIT_STRING *);
+int i2d_ASN1_BIT_STRING(ASN1_BIT_STRING *, unsigned char **);
/* This is not a macro, but is const on some versions of OpenSSL */
int ASN1_BIT_STRING_get_bit(ASN1_BIT_STRING *, int);
ASN1_TIME *M_ASN1_TIME_dup(void *);
diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py
index eebf19b..73ce4e3 100644
--- a/src/_cffi_src/openssl/err.py
+++ b/src/_cffi_src/openssl/err.py
@@ -230,6 +230,7 @@
static const int RSA_R_BLOCK_TYPE_IS_NOT_01;
static const int RSA_R_BLOCK_TYPE_IS_NOT_02;
static const int RSA_R_PKCS_DECODING_ERROR;
+static const int RSA_F_RSA_SIGN;
"""
FUNCTIONS = """
diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py
index 6bd117b..bdcc171 100644
--- a/src/_cffi_src/openssl/x509.py
+++ b/src/_cffi_src/openssl/x509.py
@@ -325,6 +325,8 @@
int sk_ASN1_OBJECT_num(Cryptography_STACK_OF_ASN1_OBJECT *);
ASN1_OBJECT *sk_ASN1_OBJECT_value(Cryptography_STACK_OF_ASN1_OBJECT *, int);
void sk_ASN1_OBJECT_free(Cryptography_STACK_OF_ASN1_OBJECT *);
+Cryptography_STACK_OF_ASN1_OBJECT *sk_ASN1_OBJECT_new_null(void);
+int sk_ASN1_OBJECT_push(Cryptography_STACK_OF_ASN1_OBJECT *, ASN1_OBJECT *);
"""
CUSTOMIZATIONS = """
diff --git a/src/_cffi_src/openssl/x509v3.py b/src/_cffi_src/openssl/x509v3.py
index 8e42b65..a61ad32 100644
--- a/src/_cffi_src/openssl/x509v3.py
+++ b/src/_cffi_src/openssl/x509v3.py
@@ -33,6 +33,7 @@
typedef ... Cryptography_STACK_OF_POLICYINFO;
typedef ... Cryptography_STACK_OF_ASN1_INTEGER;
typedef ... Cryptography_STACK_OF_GENERAL_SUBTREE;
+typedef ... EXTENDED_KEY_USAGE;
typedef struct {
X509 *issuer_cert;
@@ -200,6 +201,8 @@
int i2d_GENERAL_NAMES(GENERAL_NAMES *, unsigned char **);
+int i2d_EXTENDED_KEY_USAGE(EXTENDED_KEY_USAGE *, unsigned char **);
+
int sk_GENERAL_NAME_num(struct stack_st_GENERAL_NAME *);
int sk_GENERAL_NAME_push(struct stack_st_GENERAL_NAME *, GENERAL_NAME *);
GENERAL_NAME *sk_GENERAL_NAME_value(struct stack_st_GENERAL_NAME *, int);
@@ -220,19 +223,42 @@
const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *);
const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int);
+Cryptography_STACK_OF_DIST_POINT *sk_DIST_POINT_new_null(void);
void sk_DIST_POINT_free(Cryptography_STACK_OF_DIST_POINT *);
int sk_DIST_POINT_num(Cryptography_STACK_OF_DIST_POINT *);
DIST_POINT *sk_DIST_POINT_value(Cryptography_STACK_OF_DIST_POINT *, int);
+int sk_DIST_POINT_push(Cryptography_STACK_OF_DIST_POINT *, DIST_POINT *);
void sk_POLICYINFO_free(Cryptography_STACK_OF_POLICYINFO *);
int sk_POLICYINFO_num(Cryptography_STACK_OF_POLICYINFO *);
POLICYINFO *sk_POLICYINFO_value(Cryptography_STACK_OF_POLICYINFO *, int);
+int sk_POLICYINFO_push(Cryptography_STACK_OF_POLICYINFO *, POLICYINFO *);
+Cryptography_STACK_OF_POLICYINFO *sk_POLICYINFO_new_null(void);
+
+POLICYINFO *POLICYINFO_new(void);
+void POLICYINFO_free(POLICYINFO *);
+
+POLICYQUALINFO *POLICYQUALINFO_new(void);
+void POLICYQUALINFO_free(POLICYQUALINFO *);
+
+NOTICEREF *NOTICEREF_new(void);
+void NOTICEREF_free(NOTICEREF *);
+
+USERNOTICE *USERNOTICE_new(void);
+void USERNOTICE_free(USERNOTICE *);
+
+int i2d_CERTIFICATEPOLICIES(Cryptography_STACK_OF_POLICYINFO *,
+ unsigned char **);
void sk_POLICYQUALINFO_free(Cryptography_STACK_OF_POLICYQUALINFO *);
int sk_POLICYQUALINFO_num(Cryptography_STACK_OF_POLICYQUALINFO *);
POLICYQUALINFO *sk_POLICYQUALINFO_value(Cryptography_STACK_OF_POLICYQUALINFO *,
int);
+int sk_POLICYQUALINFO_push(Cryptography_STACK_OF_POLICYQUALINFO *,
+ POLICYQUALINFO *);
+Cryptography_STACK_OF_POLICYQUALINFO *sk_POLICYQUALINFO_new_null(void);
+Cryptography_STACK_OF_GENERAL_SUBTREE *sk_GENERAL_SUBTREE_new_null(void);
void sk_GENERAL_SUBTREE_free(Cryptography_STACK_OF_GENERAL_SUBTREE *);
int sk_GENERAL_SUBTREE_num(Cryptography_STACK_OF_GENERAL_SUBTREE *);
GENERAL_SUBTREE *sk_GENERAL_SUBTREE_value(
@@ -244,8 +270,14 @@
void sk_ASN1_INTEGER_free(Cryptography_STACK_OF_ASN1_INTEGER *);
int sk_ASN1_INTEGER_num(Cryptography_STACK_OF_ASN1_INTEGER *);
ASN1_INTEGER *sk_ASN1_INTEGER_value(Cryptography_STACK_OF_ASN1_INTEGER *, int);
+int sk_ASN1_INTEGER_push(Cryptography_STACK_OF_ASN1_INTEGER *, ASN1_INTEGER *);
X509_EXTENSION *X509V3_EXT_i2d(int, int, void *);
+
+DIST_POINT *DIST_POINT_new(void);
+void DIST_POINT_free(DIST_POINT *);
+
+int i2d_CRL_DIST_POINTS(Cryptography_STACK_OF_DIST_POINT *, unsigned char **);
"""
CUSTOMIZATIONS = """
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index c190f59..0176de2 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -108,7 +108,7 @@
subject = backend._lib.X509_NAME_new()
for attribute in attributes:
value = attribute.value.encode('utf8')
- obj = _txt2obj(backend, attribute.oid.dotted_string)
+ obj = _txt2obj_gc(backend, attribute.oid.dotted_string)
res = backend._lib.X509_NAME_add_entry_by_OBJ(
subject,
obj,
@@ -134,10 +134,53 @@
name = name.encode('ascii')
obj = backend._lib.OBJ_txt2obj(name, 1)
assert obj != backend._ffi.NULL
+ return obj
+
+
+def _txt2obj_gc(backend, name):
+ obj = _txt2obj(backend, name)
obj = backend._ffi.gc(obj, backend._lib.ASN1_OBJECT_free)
return obj
+def _encode_key_usage(backend, key_usage):
+ set_bit = backend._lib.ASN1_BIT_STRING_set_bit
+ ku = backend._lib.ASN1_BIT_STRING_new()
+ ku = backend._ffi.gc(ku, backend._lib.ASN1_BIT_STRING_free)
+ res = set_bit(ku, 0, key_usage.digital_signature)
+ assert res == 1
+ res = set_bit(ku, 1, key_usage.content_commitment)
+ assert res == 1
+ res = set_bit(ku, 2, key_usage.key_encipherment)
+ assert res == 1
+ res = set_bit(ku, 3, key_usage.data_encipherment)
+ assert res == 1
+ res = set_bit(ku, 4, key_usage.key_agreement)
+ assert res == 1
+ res = set_bit(ku, 5, key_usage.key_cert_sign)
+ assert res == 1
+ res = set_bit(ku, 6, key_usage.crl_sign)
+ assert res == 1
+ if key_usage.key_agreement:
+ res = set_bit(ku, 7, key_usage.encipher_only)
+ assert res == 1
+ res = set_bit(ku, 8, key_usage.decipher_only)
+ assert res == 1
+ else:
+ res = set_bit(ku, 7, 0)
+ assert res == 1
+ res = set_bit(ku, 8, 0)
+ assert res == 1
+
+ pp = backend._ffi.new('unsigned char **')
+ r = backend._lib.i2d_ASN1_BIT_STRING(ku, pp)
+ assert r > 0
+ pp = backend._ffi.gc(
+ pp, lambda pointer: backend._lib.OPENSSL_free(pointer[0])
+ )
+ return pp, r
+
+
def _encode_basic_constraints(backend, basic_constraints):
constraints = backend._lib.BASIC_CONSTRAINTS_new()
constraints = backend._ffi.gc(
@@ -167,89 +210,7 @@
)
for alt_name in san:
- if isinstance(alt_name, x509.DNSName):
- gn = backend._lib.GENERAL_NAME_new()
- assert gn != backend._ffi.NULL
- gn.type = backend._lib.GEN_DNS
-
- ia5 = backend._lib.ASN1_IA5STRING_new()
- assert ia5 != backend._ffi.NULL
-
- if alt_name.value.startswith(u"*."):
- value = b"*." + idna.encode(alt_name.value[2:])
- else:
- value = idna.encode(alt_name.value)
-
- res = backend._lib.ASN1_STRING_set(ia5, value, len(value))
- assert res == 1
- gn.d.dNSName = ia5
- elif isinstance(alt_name, x509.RegisteredID):
- gn = backend._lib.GENERAL_NAME_new()
- assert gn != backend._ffi.NULL
- gn.type = backend._lib.GEN_RID
- obj = backend._lib.OBJ_txt2obj(
- alt_name.value.dotted_string.encode('ascii'), 1
- )
- assert obj != backend._ffi.NULL
- gn.d.registeredID = obj
- elif isinstance(alt_name, x509.DirectoryName):
- gn = backend._lib.GENERAL_NAME_new()
- assert gn != backend._ffi.NULL
- name = _encode_name(backend, alt_name.value)
- gn.type = backend._lib.GEN_DIRNAME
- gn.d.directoryName = name
- elif isinstance(alt_name, x509.IPAddress):
- gn = backend._lib.GENERAL_NAME_new()
- assert gn != backend._ffi.NULL
- ipaddr = _encode_asn1_str(
- backend, alt_name.value.packed, len(alt_name.value.packed)
- )
- gn.type = backend._lib.GEN_IPADD
- gn.d.iPAddress = ipaddr
- elif isinstance(alt_name, x509.OtherName):
- gn = backend._lib.GENERAL_NAME_new()
- assert gn != backend._ffi.NULL
- other_name = backend._lib.OTHERNAME_new()
- assert other_name != backend._ffi.NULL
-
- type_id = backend._lib.OBJ_txt2obj(
- alt_name.type_id.dotted_string.encode('ascii'), 1
- )
- assert type_id != backend._ffi.NULL
- data = backend._ffi.new("unsigned char[]", alt_name.value)
- data_ptr_ptr = backend._ffi.new("unsigned char **")
- data_ptr_ptr[0] = data
- value = backend._lib.d2i_ASN1_TYPE(
- backend._ffi.NULL, data_ptr_ptr, len(alt_name.value)
- )
- if value == backend._ffi.NULL:
- backend._consume_errors()
- raise ValueError("Invalid ASN.1 data")
- other_name.type_id = type_id
- other_name.value = value
- gn.type = backend._lib.GEN_OTHERNAME
- gn.d.otherName = other_name
- elif isinstance(alt_name, x509.RFC822Name):
- gn = backend._lib.GENERAL_NAME_new()
- assert gn != backend._ffi.NULL
- asn1_str = _encode_asn1_str(
- backend, alt_name._encoded, len(alt_name._encoded)
- )
- gn.type = backend._lib.GEN_EMAIL
- gn.d.rfc822Name = asn1_str
- elif isinstance(alt_name, x509.UniformResourceIdentifier):
- gn = backend._lib.GENERAL_NAME_new()
- assert gn != backend._ffi.NULL
- asn1_str = _encode_asn1_str(
- backend, alt_name._encoded, len(alt_name._encoded)
- )
- gn.type = backend._lib.GEN_URI
- gn.d.uniformResourceIdentifier = asn1_str
- else:
- raise ValueError(
- "{0} is an unknown GeneralName type".format(alt_name)
- )
-
+ gn = _encode_general_name(backend, alt_name)
res = backend._lib.sk_GENERAL_NAME_push(general_names, gn)
assert res != 0
@@ -262,6 +223,112 @@
return pp, r
+def _encode_general_name(backend, name):
+ if isinstance(name, x509.DNSName):
+ gn = backend._lib.GENERAL_NAME_new()
+ assert gn != backend._ffi.NULL
+ gn.type = backend._lib.GEN_DNS
+
+ ia5 = backend._lib.ASN1_IA5STRING_new()
+ assert ia5 != backend._ffi.NULL
+
+ if name.value.startswith(u"*."):
+ value = b"*." + idna.encode(name.value[2:])
+ else:
+ value = idna.encode(name.value)
+
+ res = backend._lib.ASN1_STRING_set(ia5, value, len(value))
+ assert res == 1
+ gn.d.dNSName = ia5
+ elif isinstance(name, x509.RegisteredID):
+ gn = backend._lib.GENERAL_NAME_new()
+ assert gn != backend._ffi.NULL
+ gn.type = backend._lib.GEN_RID
+ obj = backend._lib.OBJ_txt2obj(
+ name.value.dotted_string.encode('ascii'), 1
+ )
+ assert obj != backend._ffi.NULL
+ gn.d.registeredID = obj
+ elif isinstance(name, x509.DirectoryName):
+ gn = backend._lib.GENERAL_NAME_new()
+ assert gn != backend._ffi.NULL
+ dir_name = _encode_name(backend, name.value)
+ gn.type = backend._lib.GEN_DIRNAME
+ gn.d.directoryName = dir_name
+ elif isinstance(name, x509.IPAddress):
+ gn = backend._lib.GENERAL_NAME_new()
+ assert gn != backend._ffi.NULL
+ ipaddr = _encode_asn1_str(
+ backend, name.value.packed, len(name.value.packed)
+ )
+ gn.type = backend._lib.GEN_IPADD
+ gn.d.iPAddress = ipaddr
+ elif isinstance(name, x509.OtherName):
+ gn = backend._lib.GENERAL_NAME_new()
+ assert gn != backend._ffi.NULL
+ other_name = backend._lib.OTHERNAME_new()
+ assert other_name != backend._ffi.NULL
+
+ type_id = backend._lib.OBJ_txt2obj(
+ name.type_id.dotted_string.encode('ascii'), 1
+ )
+ assert type_id != backend._ffi.NULL
+ data = backend._ffi.new("unsigned char[]", name.value)
+ data_ptr_ptr = backend._ffi.new("unsigned char **")
+ data_ptr_ptr[0] = data
+ value = backend._lib.d2i_ASN1_TYPE(
+ backend._ffi.NULL, data_ptr_ptr, len(name.value)
+ )
+ if value == backend._ffi.NULL:
+ backend._consume_errors()
+ raise ValueError("Invalid ASN.1 data")
+ other_name.type_id = type_id
+ other_name.value = value
+ gn.type = backend._lib.GEN_OTHERNAME
+ gn.d.otherName = other_name
+ elif isinstance(name, x509.RFC822Name):
+ gn = backend._lib.GENERAL_NAME_new()
+ assert gn != backend._ffi.NULL
+ asn1_str = _encode_asn1_str(
+ backend, name._encoded, len(name._encoded)
+ )
+ gn.type = backend._lib.GEN_EMAIL
+ gn.d.rfc822Name = asn1_str
+ elif isinstance(name, x509.UniformResourceIdentifier):
+ gn = backend._lib.GENERAL_NAME_new()
+ assert gn != backend._ffi.NULL
+ asn1_str = _encode_asn1_str(
+ backend, name._encoded, len(name._encoded)
+ )
+ gn.type = backend._lib.GEN_URI
+ gn.d.uniformResourceIdentifier = asn1_str
+ else:
+ raise ValueError(
+ "{0} is an unknown GeneralName type".format(name)
+ )
+
+ return gn
+
+
+def _encode_extended_key_usage(backend, extended_key_usage):
+ eku = backend._lib.sk_ASN1_OBJECT_new_null()
+ eku = backend._ffi.gc(eku, backend._lib.sk_ASN1_OBJECT_free)
+ for oid in extended_key_usage:
+ obj = _txt2obj(backend, oid.dotted_string)
+ res = backend._lib.sk_ASN1_OBJECT_push(eku, obj)
+ assert res >= 1
+
+ pp = backend._ffi.new('unsigned char **')
+ r = backend._lib.i2d_EXTENDED_KEY_USAGE(
+ backend._ffi.cast("EXTENDED_KEY_USAGE *", eku), pp
+ )
+ assert r > 0
+ pp = backend._ffi.gc(
+ pp, lambda pointer: backend._lib.OPENSSL_free(pointer[0])
+ )
+ return pp, r
+
+
@utils.register_interface(CipherBackend)
@utils.register_interface(CMACBackend)
@utils.register_interface(DERSerializationBackend)
@@ -971,10 +1038,14 @@
pp, r = _encode_basic_constraints(self, extension.value)
elif isinstance(extension.value, x509.SubjectAlternativeName):
pp, r = _encode_subject_alt_name(self, extension.value)
+ elif isinstance(extension.value, x509.KeyUsage):
+ pp, r = _encode_key_usage(self, extension.value)
+ elif isinstance(extension.value, x509.ExtendedKeyUsage):
+ pp, r = _encode_extended_key_usage(self, extension.value)
else:
raise NotImplementedError('Extension not yet supported.')
- obj = _txt2obj(self, extension.oid.dotted_string)
+ obj = _txt2obj_gc(self, extension.oid.dotted_string)
extension = self._lib.X509_EXTENSION_create_by_OBJ(
self._ffi.NULL,
obj,
@@ -983,7 +1054,7 @@
)
assert extension != self._ffi.NULL
res = self._lib.sk_X509_EXTENSION_push(extensions, extension)
- assert res == 1
+ assert res >= 1
res = self._lib.X509_REQ_add_extensions(x509_req, extensions)
assert res == 1
@@ -991,7 +1062,11 @@
res = self._lib.X509_REQ_sign(
x509_req, private_key._evp_pkey, evp_md
)
- assert res > 0
+ if res == 0:
+ errors = self._consume_errors()
+ assert errors[0][1] == self._lib.ERR_LIB_RSA
+ assert errors[0][3] == self._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY
+ raise ValueError("Digest too big for RSA key")
return _CertificateSigningRequest(self, x509_req)
@@ -1609,13 +1684,15 @@
if format is serialization.PrivateFormat.PKCS8:
write_bio = self._lib.PEM_write_bio_PKCS8PrivateKey
key = evp_pkey
- elif format is serialization.PrivateFormat.TraditionalOpenSSL:
+ else:
+ assert format is serialization.PrivateFormat.TraditionalOpenSSL
if evp_pkey.type == self._lib.EVP_PKEY_RSA:
write_bio = self._lib.PEM_write_bio_RSAPrivateKey
elif evp_pkey.type == self._lib.EVP_PKEY_DSA:
write_bio = self._lib.PEM_write_bio_DSAPrivateKey
- elif (self._lib.Cryptography_HAS_EC == 1 and
- evp_pkey.type == self._lib.EVP_PKEY_EC):
+ else:
+ assert self._lib.Cryptography_HAS_EC == 1
+ assert evp_pkey.type == self._lib.EVP_PKEY_EC
write_bio = self._lib.PEM_write_bio_ECPrivateKey
key = cdata
@@ -1632,7 +1709,8 @@
return self._private_key_bytes_traditional_der(
evp_pkey.type, cdata
)
- elif format is serialization.PrivateFormat.PKCS8:
+ else:
+ assert format is serialization.PrivateFormat.PKCS8
write_bio = self._lib.i2d_PKCS8PrivateKey_bio
key = evp_pkey
else:
@@ -1657,7 +1735,8 @@
elif (self._lib.Cryptography_HAS_EC == 1 and
key_type == self._lib.EVP_PKEY_EC):
write_bio = self._lib.i2d_ECPrivateKey_bio
- elif key_type == self._lib.EVP_PKEY_DSA:
+ else:
+ assert key_type == self._lib.EVP_PKEY_DSA
write_bio = self._lib.i2d_DSAPrivateKey_bio
bio = self._create_mem_bio()
@@ -1672,7 +1751,8 @@
if format is serialization.PublicFormat.SubjectPublicKeyInfo:
if encoding is serialization.Encoding.PEM:
write_bio = self._lib.PEM_write_bio_PUBKEY
- elif encoding is serialization.Encoding.DER:
+ else:
+ assert encoding is serialization.Encoding.DER
write_bio = self._lib.i2d_PUBKEY_bio
key = evp_pkey
@@ -1681,7 +1761,8 @@
assert evp_pkey.type == self._lib.EVP_PKEY_RSA
if encoding is serialization.Encoding.PEM:
write_bio = self._lib.PEM_write_bio_RSAPublicKey
- elif encoding is serialization.Encoding.DER:
+ else:
+ assert encoding is serialization.Encoding.DER
write_bio = self._lib.i2d_RSAPublicKey_bio
key = cdata
diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py
index 21414c0..822c730 100644
--- a/src/cryptography/hazmat/backends/openssl/rsa.py
+++ b/src/cryptography/hazmat/backends/openssl/rsa.py
@@ -268,8 +268,9 @@
self._backend._lib.RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE):
reason = ("Salt length too long for key size. Try using "
"MAX_LENGTH instead.")
- elif (errors[0].reason ==
- self._backend._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY):
+ else:
+ assert (errors[0].reason ==
+ self._backend._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY)
reason = "Digest too large for key size. Use a larger key."
assert reason is not None
raise ValueError(reason)
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 472d8a7..ee9a3bb 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -234,7 +234,15 @@
"{0} is not currently supported".format(oid), oid
)
else:
- value = handler(backend, ext)
+ d2i = backend._lib.X509V3_EXT_d2i(ext)
+ if d2i == backend._ffi.NULL:
+ backend._consume_errors()
+ raise ValueError(
+ "The {0} extension is invalid and can't be "
+ "parsed".format(oid)
+ )
+
+ value = handler(backend, d2i)
extensions.append(x509.Extension(oid, critical, value))
seen_oids.add(oid)
@@ -358,12 +366,8 @@
return self._backend._read_mem_bio(bio)
-def _decode_certificate_policies(backend, ext):
- cp = backend._ffi.cast(
- "Cryptography_STACK_OF_POLICYINFO *",
- backend._lib.X509V3_EXT_d2i(ext)
- )
- assert cp != backend._ffi.NULL
+def _decode_certificate_policies(backend, cp):
+ cp = backend._ffi.cast("Cryptography_STACK_OF_POLICYINFO *", cp)
cp = backend._ffi.gc(cp, backend._lib.sk_POLICYINFO_free)
num = backend._lib.sk_POLICYINFO_num(cp)
certificate_policies = []
@@ -386,7 +390,8 @@
pqi.d.cpsuri.data, pqi.d.cpsuri.length
)[:].decode('ascii')
qualifiers.append(cpsuri)
- elif pqualid == x509.OID_CPS_USER_NOTICE:
+ else:
+ assert pqualid == x509.OID_CPS_USER_NOTICE
user_notice = _decode_user_notice(
backend, pqi.d.usernotice
)
@@ -431,12 +436,8 @@
return x509.UserNotice(notice_reference, explicit_text)
-def _decode_basic_constraints(backend, ext):
- bc_st = backend._lib.X509V3_EXT_d2i(ext)
- assert bc_st != backend._ffi.NULL
- basic_constraints = backend._ffi.cast(
- "BASIC_CONSTRAINTS *", bc_st
- )
+def _decode_basic_constraints(backend, bc_st):
+ basic_constraints = backend._ffi.cast("BASIC_CONSTRAINTS *", bc_st)
basic_constraints = backend._ffi.gc(
basic_constraints, backend._lib.BASIC_CONSTRAINTS_free
)
@@ -447,19 +448,13 @@
if basic_constraints.pathlen == backend._ffi.NULL:
path_length = None
else:
- path_length = _asn1_integer_to_int(
- backend, basic_constraints.pathlen
- )
+ path_length = _asn1_integer_to_int(backend, basic_constraints.pathlen)
return x509.BasicConstraints(ca, path_length)
-def _decode_subject_key_identifier(backend, ext):
- asn1_string = backend._lib.X509V3_EXT_d2i(ext)
- assert asn1_string != backend._ffi.NULL
- asn1_string = backend._ffi.cast(
- "ASN1_OCTET_STRING *", asn1_string
- )
+def _decode_subject_key_identifier(backend, asn1_string):
+ asn1_string = backend._ffi.cast("ASN1_OCTET_STRING *", asn1_string)
asn1_string = backend._ffi.gc(
asn1_string, backend._lib.ASN1_OCTET_STRING_free
)
@@ -468,13 +463,9 @@
)
-def _decode_authority_key_identifier(backend, ext):
- akid = backend._lib.X509V3_EXT_d2i(ext)
- assert akid != backend._ffi.NULL
+def _decode_authority_key_identifier(backend, akid):
akid = backend._ffi.cast("AUTHORITY_KEYID *", akid)
- akid = backend._ffi.gc(
- akid, backend._lib.AUTHORITY_KEYID_free
- )
+ akid = backend._ffi.gc(akid, backend._lib.AUTHORITY_KEYID_free)
key_identifier = None
authority_cert_issuer = None
authority_cert_serial_number = None
@@ -499,15 +490,9 @@
)
-def _decode_authority_information_access(backend, ext):
- aia = backend._lib.X509V3_EXT_d2i(ext)
- assert aia != backend._ffi.NULL
- aia = backend._ffi.cast(
- "Cryptography_STACK_OF_ACCESS_DESCRIPTION *", aia
- )
- aia = backend._ffi.gc(
- aia, backend._lib.sk_ACCESS_DESCRIPTION_free
- )
+def _decode_authority_information_access(backend, aia):
+ aia = backend._ffi.cast("Cryptography_STACK_OF_ACCESS_DESCRIPTION *", aia)
+ aia = backend._ffi.gc(aia, backend._lib.sk_ACCESS_DESCRIPTION_free)
num = backend._lib.sk_ACCESS_DESCRIPTION_num(aia)
access_descriptions = []
for i in range(num):
@@ -521,13 +506,9 @@
return x509.AuthorityInformationAccess(access_descriptions)
-def _decode_key_usage(backend, ext):
- bit_string = backend._lib.X509V3_EXT_d2i(ext)
- assert bit_string != backend._ffi.NULL
+def _decode_key_usage(backend, bit_string):
bit_string = backend._ffi.cast("ASN1_BIT_STRING *", bit_string)
- bit_string = backend._ffi.gc(
- bit_string, backend._lib.ASN1_BIT_STRING_free
- )
+ bit_string = backend._ffi.gc(bit_string, backend._lib.ASN1_BIT_STRING_free)
get_bit = backend._lib.ASN1_BIT_STRING_get_bit
digital_signature = get_bit(bit_string, 0) == 1
content_commitment = get_bit(bit_string, 1) == 1
@@ -551,11 +532,8 @@
)
-def _decode_general_names_extension(backend, ext):
- gns = backend._ffi.cast(
- "GENERAL_NAMES *", backend._lib.X509V3_EXT_d2i(ext)
- )
- assert gns != backend._ffi.NULL
+def _decode_general_names_extension(backend, gns):
+ gns = backend._ffi.cast("GENERAL_NAMES *", gns)
gns = backend._ffi.gc(gns, backend._lib.GENERAL_NAMES_free)
general_names = _decode_general_names(backend, gns)
return general_names
@@ -573,11 +551,8 @@
)
-def _decode_name_constraints(backend, ext):
- nc = backend._ffi.cast(
- "NAME_CONSTRAINTS *", backend._lib.X509V3_EXT_d2i(ext)
- )
- assert nc != backend._ffi.NULL
+def _decode_name_constraints(backend, nc):
+ nc = backend._ffi.cast("NAME_CONSTRAINTS *", nc)
nc = backend._ffi.gc(nc, backend._lib.NAME_CONSTRAINTS_free)
permitted = _decode_general_subtrees(backend, nc.permittedSubtrees)
excluded = _decode_general_subtrees(backend, nc.excludedSubtrees)
@@ -602,12 +577,8 @@
return subtrees
-def _decode_extended_key_usage(backend, ext):
- sk = backend._ffi.cast(
- "Cryptography_STACK_OF_ASN1_OBJECT *",
- backend._lib.X509V3_EXT_d2i(ext)
- )
- assert sk != backend._ffi.NULL
+def _decode_extended_key_usage(backend, sk):
+ sk = backend._ffi.cast("Cryptography_STACK_OF_ASN1_OBJECT *", sk)
sk = backend._ffi.gc(sk, backend._lib.sk_ASN1_OBJECT_free)
num = backend._lib.sk_ASN1_OBJECT_num(sk)
ekus = []
@@ -621,14 +592,9 @@
return x509.ExtendedKeyUsage(ekus)
-def _decode_crl_distribution_points(backend, ext):
- cdps = backend._ffi.cast(
- "Cryptography_STACK_OF_DIST_POINT *",
- backend._lib.X509V3_EXT_d2i(ext)
- )
- assert cdps != backend._ffi.NULL
- cdps = backend._ffi.gc(
- cdps, backend._lib.sk_DIST_POINT_free)
+def _decode_crl_distribution_points(backend, cdps):
+ cdps = backend._ffi.cast("Cryptography_STACK_OF_DIST_POINT *", cdps)
+ cdps = backend._ffi.gc(cdps, backend._lib.sk_DIST_POINT_free)
num = backend._lib.sk_DIST_POINT_num(cdps)
dist_points = []
@@ -716,12 +682,8 @@
return x509.CRLDistributionPoints(dist_points)
-def _decode_inhibit_any_policy(backend, ext):
- asn1_int = backend._ffi.cast(
- "ASN1_INTEGER *",
- backend._lib.X509V3_EXT_d2i(ext)
- )
- assert asn1_int != backend._ffi.NULL
+def _decode_inhibit_any_policy(backend, asn1_int):
+ asn1_int = backend._ffi.cast("ASN1_INTEGER *", asn1_int)
asn1_int = backend._ffi.gc(asn1_int, backend._lib.ASN1_INTEGER_free)
skip_certs = _asn1_integer_to_int(backend, asn1_int)
return x509.InhibitAnyPolicy(skip_certs)
@@ -789,33 +751,33 @@
return self._backend._read_mem_bio(bio)
+_EXTENSION_HANDLERS = {
+ x509.OID_BASIC_CONSTRAINTS: _decode_basic_constraints,
+ x509.OID_SUBJECT_KEY_IDENTIFIER: _decode_subject_key_identifier,
+ x509.OID_KEY_USAGE: _decode_key_usage,
+ x509.OID_SUBJECT_ALTERNATIVE_NAME: _decode_subject_alt_name,
+ x509.OID_EXTENDED_KEY_USAGE: _decode_extended_key_usage,
+ x509.OID_AUTHORITY_KEY_IDENTIFIER: _decode_authority_key_identifier,
+ x509.OID_AUTHORITY_INFORMATION_ACCESS: (
+ _decode_authority_information_access
+ ),
+ x509.OID_CERTIFICATE_POLICIES: _decode_certificate_policies,
+ x509.OID_CRL_DISTRIBUTION_POINTS: _decode_crl_distribution_points,
+ x509.OID_OCSP_NO_CHECK: _decode_ocsp_no_check,
+ x509.OID_INHIBIT_ANY_POLICY: _decode_inhibit_any_policy,
+ x509.OID_ISSUER_ALTERNATIVE_NAME: _decode_issuer_alt_name,
+ x509.OID_NAME_CONSTRAINTS: _decode_name_constraints,
+}
+
+
_CERTIFICATE_EXTENSION_PARSER = _X509ExtensionParser(
ext_count=lambda backend, x: backend._lib.X509_get_ext_count(x),
get_ext=lambda backend, x, i: backend._lib.X509_get_ext(x, i),
- handlers={
- x509.OID_BASIC_CONSTRAINTS: _decode_basic_constraints,
- x509.OID_SUBJECT_KEY_IDENTIFIER: _decode_subject_key_identifier,
- x509.OID_KEY_USAGE: _decode_key_usage,
- x509.OID_SUBJECT_ALTERNATIVE_NAME: _decode_subject_alt_name,
- x509.OID_EXTENDED_KEY_USAGE: _decode_extended_key_usage,
- x509.OID_AUTHORITY_KEY_IDENTIFIER: _decode_authority_key_identifier,
- x509.OID_AUTHORITY_INFORMATION_ACCESS: (
- _decode_authority_information_access
- ),
- x509.OID_CERTIFICATE_POLICIES: _decode_certificate_policies,
- x509.OID_CRL_DISTRIBUTION_POINTS: _decode_crl_distribution_points,
- x509.OID_OCSP_NO_CHECK: _decode_ocsp_no_check,
- x509.OID_INHIBIT_ANY_POLICY: _decode_inhibit_any_policy,
- x509.OID_ISSUER_ALTERNATIVE_NAME: _decode_issuer_alt_name,
- x509.OID_NAME_CONSTRAINTS: _decode_name_constraints,
- }
+ handlers=_EXTENSION_HANDLERS
)
_CSR_EXTENSION_PARSER = _X509ExtensionParser(
ext_count=lambda backend, x: backend._lib.sk_X509_EXTENSION_num(x),
get_ext=lambda backend, x, i: backend._lib.sk_X509_EXTENSION_value(x, i),
- handlers={
- x509.OID_BASIC_CONSTRAINTS: _decode_basic_constraints,
- x509.OID_SUBJECT_ALTERNATIVE_NAME: _decode_subject_alt_name,
- }
+ handlers=_EXTENSION_HANDLERS
)
diff --git a/src/cryptography/x509.py b/src/cryptography/x509.py
index 9f6cda1..a831506 100644
--- a/src/cryptography/x509.py
+++ b/src/cryptography/x509.py
@@ -1575,12 +1575,16 @@
"""
if isinstance(extension, BasicConstraints):
extension = Extension(OID_BASIC_CONSTRAINTS, critical, extension)
+ elif isinstance(extension, ExtendedKeyUsage):
+ extension = Extension(OID_EXTENDED_KEY_USAGE, critical, extension)
elif isinstance(extension, SubjectAlternativeName):
extension = Extension(
OID_SUBJECT_ALTERNATIVE_NAME, critical, extension
)
elif isinstance(extension, KeyUsage):
extension = Extension(OID_KEY_USAGE, critical, extension)
+ elif isinstance(extension, InhibitAnyPolicy):
+ extension = Extension(OID_INHIBIT_ANY_POLICY, critical, extension)
else:
raise NotImplementedError('Unsupported X.509 extension.')
# TODO: This is quadratic in the number of extensions
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index 5b611cd..c2a4f54 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -36,6 +36,20 @@
from ...utils import load_vectors_from_file, raises_unsupported_algorithm
+def skip_if_libre_ssl(openssl_version):
+ if u'LibreSSL' in openssl_version:
+ pytest.skip("LibreSSL hard-codes RAND_bytes to use arc4random.")
+
+
+class TestLibreSkip(object):
+ def test_skip_no(self):
+ assert skip_if_libre_ssl(u"OpenSSL 0.9.8zf 19 Mar 2015") is None
+
+ def test_skip_yes(self):
+ with pytest.raises(pytest.skip.Exception):
+ skip_if_libre_ssl(u"LibreSSL 2.1.6")
+
+
@utils.register_interface(Mode)
class DummyMode(object):
name = "dummy-mode"
@@ -218,6 +232,19 @@
bn = backend._int_to_bn(0)
assert backend._bn_to_int(bn) == 0
+ def test_actual_osrandom_bytes(self, monkeypatch):
+ skip_if_libre_ssl(backend.openssl_version_text())
+ sample_data = (b"\x01\x02\x03\x04" * 4)
+ length = len(sample_data)
+
+ def notrandom(size):
+ assert size == length
+ return sample_data
+ monkeypatch.setattr(os, "urandom", notrandom)
+ buf = backend._ffi.new("char[]", length)
+ backend._lib.RAND_bytes(buf, length)
+ assert backend._ffi.buffer(buf)[0:length] == sample_data
+
class TestOpenSSLRandomEngine(object):
def teardown_method(self, method):
diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
index f3f2eaf..75a8e3f 100644
--- a/tests/hazmat/bindings/test_openssl.py
+++ b/tests/hazmat/bindings/test_openssl.py
@@ -4,27 +4,11 @@
from __future__ import absolute_import, division, print_function
-import os
-
import pytest
from cryptography.hazmat.bindings.openssl.binding import Binding
-def skip_if_libre_ssl(openssl_version):
- if b'LibreSSL' in openssl_version:
- pytest.skip("LibreSSL hard-codes RAND_bytes to use arc4random.")
-
-
-class TestLibreSkip(object):
- def test_skip_no(self):
- assert skip_if_libre_ssl(b"OpenSSL 0.9.8zf 19 Mar 2015") is None
-
- def test_skip_yes(self):
- with pytest.raises(pytest.skip.Exception):
- skip_if_libre_ssl(b"LibreSSL 2.1.6")
-
-
class TestOpenSSL(object):
def test_binding_loads(self):
binding = Binding()
@@ -108,20 +92,6 @@
with pytest.raises(RuntimeError):
b._register_osrandom_engine()
- def test_actual_osrandom_bytes(self, monkeypatch):
- b = Binding()
- skip_if_libre_ssl(b.ffi.string(b.lib.OPENSSL_VERSION_TEXT))
- sample_data = (b"\x01\x02\x03\x04" * 4)
- length = len(sample_data)
-
- def notrandom(size):
- assert size == length
- return sample_data
- monkeypatch.setattr(os, "urandom", notrandom)
- buf = b.ffi.new("char[]", length)
- b.lib.RAND_bytes(buf, length)
- assert b.ffi.buffer(buf)[0:length] == sample_data
-
def test_ssl_ctx_options(self):
# Test that we're properly handling 32-bit unsigned on all platforms.
b = Binding()
diff --git a/tests/test_utils.py b/tests/test_utils.py
index f71264e..210e929 100644
--- a/tests/test_utils.py
+++ b/tests/test_utils.py
@@ -3045,8 +3045,13 @@
assert expected == load_kasvs_dh_vectors(vector_data)
+def test_load_kasvs_ecdh_vectors_empty_vector_data():
+ assert [] == load_kasvs_ecdh_vectors([])
+
+
def test_load_kasvs_ecdh_vectors():
vector_data = textwrap.dedent("""
+ # CAVS 11.0
# Parameter set(s) supported: EA EB EC ED EE
# CAVSid: CAVSid (in hex: 434156536964)
# IUTid: In hex: a1b2c3d4e5
diff --git a/tests/test_x509.py b/tests/test_x509.py
index fb58396..ac20f64 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -1306,6 +1306,20 @@
x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
critical=False,
).add_extension(
+ x509.InhibitAnyPolicy(0),
+ critical=False
+ )
+ with pytest.raises(NotImplementedError):
+ builder.sign(private_key, hashes.SHA256(), backend)
+
+ def test_key_usage(self, backend):
+ private_key = RSA_KEY_2048.private_key(backend)
+ builder = x509.CertificateSigningRequestBuilder()
+ request = builder.subject_name(
+ x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ ])
+ ).add_extension(
x509.KeyUsage(
digital_signature=True,
content_commitment=True,
@@ -1318,9 +1332,82 @@
decipher_only=False
),
critical=False
+ ).sign(private_key, hashes.SHA256(), backend)
+ assert len(request.extensions) == 1
+ ext = request.extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
+ assert ext.critical is False
+ assert ext.value == x509.KeyUsage(
+ digital_signature=True,
+ content_commitment=True,
+ key_encipherment=False,
+ data_encipherment=False,
+ key_agreement=False,
+ key_cert_sign=True,
+ crl_sign=False,
+ encipher_only=False,
+ decipher_only=False
)
- with pytest.raises(NotImplementedError):
- builder.sign(private_key, hashes.SHA256(), backend)
+
+ def test_key_usage_key_agreement_bit(self, backend):
+ private_key = RSA_KEY_2048.private_key(backend)
+ builder = x509.CertificateSigningRequestBuilder()
+ request = builder.subject_name(
+ x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ ])
+ ).add_extension(
+ x509.KeyUsage(
+ digital_signature=False,
+ content_commitment=False,
+ key_encipherment=False,
+ data_encipherment=False,
+ key_agreement=True,
+ key_cert_sign=True,
+ crl_sign=False,
+ encipher_only=False,
+ decipher_only=True
+ ),
+ critical=False
+ ).sign(private_key, hashes.SHA256(), backend)
+ assert len(request.extensions) == 1
+ ext = request.extensions.get_extension_for_oid(x509.OID_KEY_USAGE)
+ assert ext.critical is False
+ assert ext.value == x509.KeyUsage(
+ digital_signature=False,
+ content_commitment=False,
+ key_encipherment=False,
+ data_encipherment=False,
+ key_agreement=True,
+ key_cert_sign=True,
+ crl_sign=False,
+ encipher_only=False,
+ decipher_only=True
+ )
+
+ def test_add_two_extensions(self, backend):
+ private_key = RSA_KEY_2048.private_key(backend)
+ builder = x509.CertificateSigningRequestBuilder()
+ request = builder.subject_name(
+ x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ ).add_extension(
+ x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
+ critical=False,
+ ).add_extension(
+ x509.BasicConstraints(ca=True, path_length=2), critical=True
+ ).sign(private_key, hashes.SHA1(), backend)
+
+ assert isinstance(request.signature_hash_algorithm, hashes.SHA1)
+ public_key = request.public_key()
+ assert isinstance(public_key, rsa.RSAPublicKey)
+ basic_constraints = request.extensions.get_extension_for_oid(
+ x509.OID_BASIC_CONSTRAINTS
+ )
+ assert basic_constraints.value.ca is True
+ assert basic_constraints.value.path_length == 2
+ ext = request.extensions.get_extension_for_oid(
+ x509.OID_SUBJECT_ALTERNATIVE_NAME
+ )
+ assert list(ext.value) == [x509.DNSName(u"cryptography.io")]
def test_set_subject_twice(self):
builder = x509.CertificateSigningRequestBuilder()
@@ -1440,6 +1527,42 @@
with pytest.raises(ValueError):
builder.sign(private_key, hashes.SHA256(), backend)
+ def test_extended_key_usage(self, backend):
+ private_key = RSA_KEY_2048.private_key(backend)
+ builder = x509.CertificateSigningRequestBuilder()
+ request = builder.subject_name(
+ x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ ).add_extension(
+ x509.ExtendedKeyUsage([
+ x509.OID_CLIENT_AUTH,
+ x509.OID_SERVER_AUTH,
+ x509.OID_CODE_SIGNING,
+ ]), critical=False
+ ).sign(private_key, hashes.SHA256(), backend)
+
+ eku = request.extensions.get_extension_for_oid(
+ x509.OID_EXTENDED_KEY_USAGE
+ )
+ assert eku.critical is False
+ assert eku.value == x509.ExtendedKeyUsage([
+ x509.OID_CLIENT_AUTH,
+ x509.OID_SERVER_AUTH,
+ x509.OID_CODE_SIGNING,
+ ])
+
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ def test_rsa_key_too_small(self, backend):
+ private_key = rsa.generate_private_key(65537, 512, backend)
+ builder = x509.CertificateSigningRequestBuilder()
+ builder = builder.subject_name(
+ x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ )
+
+ with pytest.raises(ValueError) as exc:
+ builder.sign(private_key, hashes.SHA512(), backend)
+
+ assert str(exc.value) == "Digest too big for RSA key"
+
@pytest.mark.requires_backend_interface(interface=DSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index 7b13582..890709a 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -2853,3 +2853,18 @@
x509.OID_INHIBIT_ANY_POLICY
).value
assert iap.skip_certs == 5
+
+
+@pytest.mark.requires_backend_interface(interface=RSABackend)
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestInvalidExtension(object):
+ def test_invalid_certificate_policies_data(self, backend):
+ cert = _load_cert(
+ os.path.join(
+ "x509", "custom", "cp_invalid.pem"
+ ),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ with pytest.raises(ValueError):
+ cert.extensions
diff --git a/tests/utils.py b/tests/utils.py
index 5083d48..7e7abdf 100644
--- a/tests/utils.py
+++ b/tests/utils.py
@@ -539,8 +539,8 @@
elif line.startswith("Qy = "):
key_data["y"] = int(line.split("=")[1], 16)
- if key_data is not None:
- vectors.append(key_data)
+ assert key_data is not None
+ vectors.append(key_data)
return vectors
@@ -559,9 +559,6 @@
for line in vector_data:
line = line.strip()
- if not line or line.startswith("#"):
- continue
-
curve_match = curve_rx.match(line)
if curve_match:
curve_name = _ECDSA_CURVE_NAMES[curve_match.group("curve")]
@@ -593,8 +590,8 @@
elif line.startswith("Result = "):
data["fail"] = line.split("=")[1].strip()[0] == "F"
- if data is not None:
- vectors.append(data)
+ assert data is not None
+ vectors.append(data)
return vectors
diff --git a/vectors/cryptography_vectors/x509/custom/cp_invalid.pem b/vectors/cryptography_vectors/x509/custom/cp_invalid.pem
new file mode 100644
index 0000000..b7bcc07
--- /dev/null
+++ b/vectors/cryptography_vectors/x509/custom/cp_invalid.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIIC8TCCAdmgAwIBAgITBmsoYWX1PCELRmm8qB2WJ2QdDjANBgkqhkiG9w0BAQUFADASMRAwDgYD
+VQQDDAdQeUNBIENBMB4XDTE1MDUxMTE4NTc0NVoXDTE2MDUxMDE4NTc0NVowEjEQMA4GA1UEAwwH
+UHlDQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK3FTRITEY4b/Y1Uv4CtH61Y
+19TPxK2+H/XuqHwtYlPRyD35LLFES0wykf0V2m1DUmf9jQa9R63jBZxzCgJ/oIJzV28PgSg9P/Nn
+417fNASDduY2GPvYuwwKXcLY2fBBFjBrz7z/5tyXCADjLDkzoUTzQlYPbhOrFU5QwaqlckXBgt/4
+8GRDujoHy4RSMEDNjLUDgwx7Z/JK2ujbGJDguLRuBsHirk2h6xXEmSWxquKDXw4NnakwBqp8kKhQ
+2xTSWXxabNps8FCBM4sC78gKgONy3lbYdHFt/2BU4yAMyowJwtDEYHCqe1g4sVsB839Ol0SXb6vl
+eXQ6dx+zbi8UzTsCAwEAAaNAMD4wPAYDVR0gBDUwMzAxBgtghkgB4DkBAgMEATAiMCAGCCsGAQUF
+BwICFhRodHRwOi8vb3RoZXIuY29tL2NwczANBgkqhkiG9w0BAQUFAAOCAQEADpZIjHvu02euPNI8
+nzzDufRXEnjrF09xc9pudxTjWU2mSVApXPmTDyWzOD+2HmsNKHRE6sWjca5qPDeDbGq4JOw+TzYq
+9eoqwK2Sh0QHUpg5ZaAmIJ1qe5/sNETH5RFlXrlzW9S0rwViLgUaJp6MreTdGZbxdpNsfdkuNd+S
+Tz0MA/3ScbdUcj6uwQQ4JxQiTuPwD35pKwxfUzHjeTmqIEHDuCk17KqIRORdbeD3vFx0R5IQ3mQ6
+9zSGY2AGB0A9oS0qQ2/Mh59A6xyjbPH3Rr7g5MW58PPTWp2FSXkloy7Ze+doQ7wXE6PVmaeKz5qA
+9OGaCHIiC2iG9UcqWxfeWw==
+-----END CERTIFICATE-----