don't parse SCTs on older openssl (#3749)
* don't parse SCTs on older openssl
* use two diff extension parsers because why not
* review feedback
diff --git a/src/cryptography/hazmat/backends/openssl/decode_asn1.py b/src/cryptography/hazmat/backends/openssl/decode_asn1.py
index ab97dc1..a55b588 100644
--- a/src/cryptography/hazmat/backends/openssl/decode_asn1.py
+++ b/src/cryptography/hazmat/backends/openssl/decode_asn1.py
@@ -749,7 +749,7 @@
return datetime.datetime.strptime(time, "%Y%m%d%H%M%SZ")
-_EXTENSION_HANDLERS = {
+_EXTENSION_HANDLERS_NO_SCT = {
ExtensionOID.BASIC_CONSTRAINTS: _decode_basic_constraints,
ExtensionOID.SUBJECT_KEY_IDENTIFIER: _decode_subject_key_identifier,
ExtensionOID.KEY_USAGE: _decode_key_usage,
@@ -766,10 +766,12 @@
ExtensionOID.ISSUER_ALTERNATIVE_NAME: _decode_issuer_alt_name,
ExtensionOID.NAME_CONSTRAINTS: _decode_name_constraints,
ExtensionOID.POLICY_CONSTRAINTS: _decode_policy_constraints,
- ExtensionOID.PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS: (
- _decode_precert_signed_certificate_timestamps
- ),
}
+_EXTENSION_HANDLERS = _EXTENSION_HANDLERS_NO_SCT.copy()
+_EXTENSION_HANDLERS[
+ ExtensionOID.PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS
+] = _decode_precert_signed_certificate_timestamps
+
_REVOKED_EXTENSION_HANDLERS = {
CRLEntryExtensionOID.CRL_REASON: _decode_crl_reason,
@@ -786,6 +788,12 @@
),
}
+_CERTIFICATE_EXTENSION_PARSER_NO_SCT = _X509ExtensionParser(
+ ext_count=lambda backend, x: backend._lib.X509_get_ext_count(x),
+ get_ext=lambda backend, x, i: backend._lib.X509_get_ext(x, i),
+ handlers=_EXTENSION_HANDLERS_NO_SCT
+)
+
_CERTIFICATE_EXTENSION_PARSER = _X509ExtensionParser(
ext_count=lambda backend, x: backend._lib.X509_get_ext_count(x),
get_ext=lambda backend, x, i: backend._lib.X509_get_ext(x, i),
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 4345638..a04d6d5 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -11,10 +11,10 @@
from cryptography import utils, x509
from cryptography.exceptions import UnsupportedAlgorithm
from cryptography.hazmat.backends.openssl.decode_asn1 import (
- _CERTIFICATE_EXTENSION_PARSER, _CRL_EXTENSION_PARSER,
- _CSR_EXTENSION_PARSER, _REVOKED_CERTIFICATE_EXTENSION_PARSER,
- _asn1_integer_to_int, _asn1_string_to_bytes, _decode_x509_name, _obj2txt,
- _parse_asn1_time
+ _CERTIFICATE_EXTENSION_PARSER, _CERTIFICATE_EXTENSION_PARSER_NO_SCT,
+ _CRL_EXTENSION_PARSER, _CSR_EXTENSION_PARSER,
+ _REVOKED_CERTIFICATE_EXTENSION_PARSER, _asn1_integer_to_int,
+ _asn1_string_to_bytes, _decode_x509_name, _obj2txt, _parse_asn1_time
)
from cryptography.hazmat.primitives import hashes, serialization
@@ -128,7 +128,14 @@
@property
def extensions(self):
- return _CERTIFICATE_EXTENSION_PARSER.parse(self._backend, self._x509)
+ if self._backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER:
+ return _CERTIFICATE_EXTENSION_PARSER.parse(
+ self._backend, self._x509
+ )
+ else:
+ return _CERTIFICATE_EXTENSION_PARSER_NO_SCT.parse(
+ self._backend, self._x509
+ )
@property
def signature(self):
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index 595ec70..c324397 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -3668,10 +3668,6 @@
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
-@pytest.mark.supported(
- only_if=lambda backend: backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER,
- skip_message="Requires OpenSSL 1.1.0f+",
-)
class TestPrecertificateSignedCertificateTimestampsExtension(object):
def test_init(self):
with pytest.raises(TypeError):
@@ -3682,6 +3678,11 @@
"<PrecertificateSignedCertificateTimestamps([])>"
)
+ @pytest.mark.supported(
+ only_if=lambda backend: (
+ backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER),
+ skip_message="Requires OpenSSL 1.1.0f+",
+ )
def test_simple(self, backend):
cert = _load_cert(
os.path.join("x509", "badssl-sct.pem"),
@@ -3707,6 +3708,28 @@
x509.certificate_transparency.LogEntryType.PRE_CERTIFICATE
)
+ @pytest.mark.supported(
+ only_if=lambda backend: (
+ not backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER),
+ skip_message="Requires OpenSSL < 1.1.0",
+ )
+ def test_skips_scts_if_unsupported(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "badssl-sct.pem"),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ assert len(cert.extensions) == 10
+ with pytest.raises(x509.ExtensionNotFound):
+ cert.extensions.get_extension_for_class(
+ x509.PrecertificateSignedCertificateTimestamps
+ )
+
+ ext = cert.extensions.get_extension_for_oid(
+ x509.ExtensionOID.PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS
+ )
+ assert isinstance(ext.value, x509.UnrecognizedExtension)
+
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)