inhibit any policy extension support for the openssl backend
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index a836e6a..3b0c295 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -290,6 +290,8 @@
value = _decode_crl_distribution_points(self._backend, ext)
elif oid == x509.OID_OCSP_NO_CHECK:
value = x509.OCSPNoCheck()
+ elif oid == x509.OID_INHIBIT_ANY_POLICY:
+ value = _decode_inhibit_any_policy(self._backend, ext)
elif critical:
raise x509.UnsupportedExtension(
"{0} is not currently supported".format(oid), oid
@@ -635,6 +637,17 @@
return x509.CRLDistributionPoints(dist_points)
+def _decode_inhibit_any_policy(backend, ext):
+ asn1_int = backend._ffi.cast(
+ "ASN1_INTEGER *",
+ backend._lib.X509V3_EXT_d2i(ext)
+ )
+ assert asn1_int != backend._ffi.NULL
+ asn1_int = backend._ffi.gc(asn1_int, backend._lib.ASN1_INTEGER_free)
+ skip_certs = _asn1_integer_to_int(backend, asn1_int)
+ return x509.InhibitAnyPolicy(skip_certs)
+
+
@utils.register_interface(x509.CertificateSigningRequest)
class _CertificateSigningRequest(object):
def __init__(self, backend, x509_req):
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index c906f1e..6a23479 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -2435,3 +2435,20 @@
iap2 = x509.InhibitAnyPolicy(4)
assert iap != iap2
assert iap != object()
+
+
+@pytest.mark.requires_backend_interface(interface=RSABackend)
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestInhibitAnyPolicyExtension(object):
+ def test_nocheck(self, backend):
+ cert = _load_cert(
+ os.path.join(
+ "x509", "custom", "inhibit_any_policy_5.pem"
+ ),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ iap = cert.extensions.get_extension_for_oid(
+ x509.OID_INHIBIT_ANY_POLICY
+ ).value
+ assert iap.skip_certs == 5