commit a9885600b5ccb1054aa1ebdad216cb29e0f32b16
author Alex Gaynor <alex.gaynor@gmail.com> Sat Feb 27 09:53:46 2016 -0500
committer Alex Gaynor <alex.gaynor@gmail.com> Sat Feb 27 09:53:46 2016 -0500
tree 5b330e88ab6dab9e0d67e68d5356bcebf1676a91
parent af95980e394a27355531c9aad474d39253755f81

Fixed #2732 -- added support for x.509 policy constraints extension

src/cryptography/hazmat/backends/openssl/decode_asn1.py

diff --git a/src/cryptography/hazmat/backends/openssl/decode_asn1.py b/src/cryptography/hazmat/backends/openssl/decode_asn1.py
index 42d6c85..24fbef8 100644
--- a/src/cryptography/hazmat/backends/openssl/decode_asn1.py
+++ b/src/cryptography/hazmat/backends/openssl/decode_asn1.py
@@ -452,6 +452,29 @@
     return subtrees
 
 
+def _decode_policy_constraints(backend, pc):
+    pc = backend._ffi.cast("POLICY_CONSTRAINTS *", pc)
+    pc = backend._ffi.gc(pc, backend._lib.POLICY_CONSTRAINTS_free)
+
+    if pc.requireExplicitPolicy == backend._ffi.NULL:
+        require_explicit_policy = None
+    else:
+        require_explicit_policy = _asn1_integer_to_int(
+            backend, pc.requireExplicitPolicy
+        )
+
+    if pc.inhibitPolicyMapping == backend._ffi.NULL:
+        inhibit_policy_mapping = None
+    else:
+        inhibit_policy_mapping = _asn1_integer_to_int(
+            backend, pc.inhibitPolicyMapping
+        )
+
+    return x509.PolicyConstraints(
+        require_explicit_policy, inhibit_policy_mapping
+    )
+
+
 def _decode_extended_key_usage(backend, sk):
     sk = backend._ffi.cast("Cryptography_STACK_OF_ASN1_OBJECT *", sk)
     sk = backend._ffi.gc(sk, backend._lib.sk_ASN1_OBJECT_free)
@@ -729,6 +752,7 @@
     ExtensionOID.INHIBIT_ANY_POLICY: _decode_inhibit_any_policy,
     ExtensionOID.ISSUER_ALTERNATIVE_NAME: _decode_issuer_alt_name,
     ExtensionOID.NAME_CONSTRAINTS: _decode_name_constraints,
+    ExtensionOID.POLICY_CONSTRAINTS: _decode_policy_constraints,
 }
 
 _REVOKED_EXTENSION_HANDLERS = {

tests/test_x509_ext.py

diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index ceb11df..1a633b4 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -2280,6 +2280,28 @@
         assert pc != object()
 
 
+
+@pytest.mark.requires_backend_interface(interface=RSABackend)
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestPolicyConstraintsExtension(object):
+    def test_SOMETHING(self, backend):
+        cert = _load_cert(
+            os.path.join(
+                "x509", "department-of-state-root.pem"
+            ),
+            x509.load_pem_x509_certificate,
+            backend
+        )
+        ext = cert.extensions.get_extension_for_oid(
+            ExtensionOID.POLICY_CONSTRAINTS,
+        )
+        assert ext.critical is True
+
+        assert ext.value == x509.PolicyConstraints(
+            require_explicit_policy=None, inhibit_policy_mapping=0,
+        )
+
+
 class TestAuthorityInformationAccess(object):
     def test_invalid_descriptions(self):
         with pytest.raises(TypeError):