Merge pull request #2036 from major/master
Added a repr() method to x509._Certificate
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
index 02cc122..3776cb1 100644
--- a/docs/development/test-vectors.rst
+++ b/docs/development/test-vectors.rst
@@ -192,6 +192,13 @@
* ``cdp_reason_aa_compromise.pem`` - An RSA 1024 bit certificate containing a
CRL distribution points extension with the ``AACompromise`` ``reasons`` bit
set.
+* ``nc_permitted_excluded.pem`` - An RSA 2048 bit self-signed certificate
+ containing a name constraints extension with both permitted and excluded
+ elements.
+* ``nc_permitted.pem`` - An RSA 2048 bit self-signed certificate containing a
+ name constraints extension with permitted elements.
+* ``nc_excluded.pem`` - An RSA 2048 bit self-signed certificate containing a
+ name constraints extension with excluded elements.
* ``cp_user_notice_with_notice_reference.pem`` - An RSA 2048 bit self-signed
certificate containing a certificate policies extension with a
notice reference in the user notice.
@@ -203,8 +210,17 @@
* ``cp_user_notice_no_explicit_text.pem`` - An RSA 2048 bit self-signed
certificate containing a certificate policies extension with a user notice
with no explicit text.
+* ``ian_uri.pem`` - An RSA 2048 bit certificate containing an issuer
+ alternative name extension with a ``URI`` general name.
* ``ocsp_nocheck.pem`` - An RSA 2048 bit self-signed certificate containing
an ``OCSPNoCheck`` extension.
+* ``pc_inhibit_require.pem`` - An RSA 2048 bit self-signed certificate
+ containing a policy constraints extension with both inhibit policy mapping
+ and require explicit policy elements.
+* ``pc_inhibit.pem`` - An RSA 2048 bit self-signed certificate containing a
+ policy constraints extension with an inhibit policy mapping element.
+* ``pc_require.pem`` - An RSA 2048 bit self-signed certificate containing a
+ policy constraints extension with a require explicit policy element.
Custom X.509 Request Vectors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/docs/hazmat/backends/openssl.rst b/docs/hazmat/backends/openssl.rst
index 26ffea6..03ac557 100644
--- a/docs/hazmat/backends/openssl.rst
+++ b/docs/hazmat/backends/openssl.rst
@@ -79,6 +79,6 @@
.. _`OpenSSL`: https://www.openssl.org/
-.. _`initializing the RNG`: https://en.wikipedia.org/wiki/OpenSSL#Predictable_keys_.28Debian-specific.29
+.. _`initializing the RNG`: https://en.wikipedia.org/wiki/OpenSSL#Predictable_private_keys_.28Debian-specific.29
.. _`Yarrow`: https://en.wikipedia.org/wiki/Yarrow_algorithm
.. _`Microsoft documentation`: https://msdn.microsoft.com/en-us/library/windows/desktop/aa379942(v=vs.85).aspx
diff --git a/src/_cffi_src/build_constant_time.py b/src/_cffi_src/build_constant_time.py
index eae0f21..6d9a8f5 100644
--- a/src/_cffi_src/build_constant_time.py
+++ b/src/_cffi_src/build_constant_time.py
@@ -5,8 +5,9 @@
from __future__ import absolute_import, division, print_function
import os
+import sys
-from _cffi_src.utils import build_ffi
+from _cffi_src.utils import build_ffi, extra_link_args
with open(os.path.join(
@@ -22,5 +23,6 @@
ffi = build_ffi(
module_name="_constant_time",
cdef_source=types,
- verify_source=functions
+ verify_source=functions,
+ extra_link_args=extra_link_args(sys.platform),
)
diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py
index 4c30fe4..1ebadcc 100644
--- a/src/_cffi_src/build_openssl.py
+++ b/src/_cffi_src/build_openssl.py
@@ -7,9 +7,7 @@
import os
import sys
-from _cffi_src.utils import (
- build_ffi_for_binding
-)
+from _cffi_src.utils import build_ffi_for_binding, extra_link_args
def _get_openssl_libraries(platform):
@@ -94,5 +92,6 @@
],
pre_include=_OSX_PRE_INCLUDE,
post_include=_OSX_POST_INCLUDE,
- libraries=_get_openssl_libraries(sys.platform)
+ libraries=_get_openssl_libraries(sys.platform),
+ extra_link_args=extra_link_args(sys.platform),
)
diff --git a/src/_cffi_src/build_padding.py b/src/_cffi_src/build_padding.py
index 3eeac2e..5df93d8 100644
--- a/src/_cffi_src/build_padding.py
+++ b/src/_cffi_src/build_padding.py
@@ -5,8 +5,9 @@
from __future__ import absolute_import, division, print_function
import os
+import sys
-from _cffi_src.utils import build_ffi
+from _cffi_src.utils import build_ffi, extra_link_args
with open(os.path.join(
@@ -22,5 +23,6 @@
ffi = build_ffi(
module_name="_padding",
cdef_source=types,
- verify_source=functions
+ verify_source=functions,
+ extra_link_args=extra_link_args(sys.platform),
)
diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py
index 534f5b0..6bd117b 100644
--- a/src/_cffi_src/openssl/x509.py
+++ b/src/_cffi_src/openssl/x509.py
@@ -182,19 +182,21 @@
int X509_REVOKED_add_ext(X509_REVOKED *, X509_EXTENSION*, int);
int X509_REVOKED_add1_ext_i2d(X509_REVOKED *, int, void *, int, unsigned long);
-X509_CRL *d2i_X509_CRL_bio(BIO *, X509_CRL **);
X509_CRL *X509_CRL_new(void);
-void X509_CRL_free(X509_CRL *);
-int X509_CRL_add0_revoked(X509_CRL *, X509_REVOKED *);
-int i2d_X509_CRL_bio(BIO *, X509_CRL *);
-int X509_CRL_print(BIO *, X509_CRL *);
-int X509_CRL_set_issuer_name(X509_CRL *, X509_NAME *);
-int X509_CRL_sign(X509_CRL *, EVP_PKEY *, const EVP_MD *);
-int X509_CRL_verify(X509_CRL *, EVP_PKEY *);
-int X509_CRL_get_ext_count(X509_CRL *);
+X509_CRL *d2i_X509_CRL_bio(BIO *, X509_CRL **);
X509_EXTENSION *X509_CRL_get_ext(X509_CRL *, int);
+int X509_CRL_add0_revoked(X509_CRL *, X509_REVOKED *);
int X509_CRL_add_ext(X509_CRL *, X509_EXTENSION *, int);
int X509_CRL_cmp(const X509_CRL *, const X509_CRL *);
+int X509_CRL_get_ext_count(X509_CRL *);
+int X509_CRL_print(BIO *, X509_CRL *);
+int X509_CRL_set_issuer_name(X509_CRL *, X509_NAME *);
+int X509_CRL_set_version(X509_CRL *, long);
+int X509_CRL_sign(X509_CRL *, EVP_PKEY *, const EVP_MD *);
+int X509_CRL_sort(X509_CRL *);
+int X509_CRL_verify(X509_CRL *, EVP_PKEY *);
+int i2d_X509_CRL_bio(BIO *, X509_CRL *);
+void X509_CRL_free(X509_CRL *);
int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *, EVP_PKEY *);
int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *, EVP_PKEY *, const EVP_MD *);
diff --git a/src/_cffi_src/openssl/x509_vfy.py b/src/_cffi_src/openssl/x509_vfy.py
index 0263140..23ac848 100644
--- a/src/_cffi_src/openssl/x509_vfy.py
+++ b/src/_cffi_src/openssl/x509_vfy.py
@@ -143,10 +143,14 @@
/* X509_STORE */
X509_STORE *X509_STORE_new(void);
-void X509_STORE_free(X509_STORE *);
int X509_STORE_add_cert(X509_STORE *, X509 *);
+int X509_STORE_add_crl(X509_STORE *, X509_CRL *);
int X509_STORE_load_locations(X509_STORE *, const char *, const char *);
+int X509_STORE_set1_param(X509_STORE *, X509_VERIFY_PARAM *);
int X509_STORE_set_default_paths(X509_STORE *);
+int X509_STORE_set_flags(X509_STORE *, unsigned long);
+void X509_STORE_free(X509_STORE *);
+
/* X509_STORE_CTX */
X509_STORE_CTX *X509_STORE_CTX_new(void);
diff --git a/src/_cffi_src/utils.py b/src/_cffi_src/utils.py
index b1ad74d..65f9f12 100644
--- a/src/_cffi_src/utils.py
+++ b/src/_cffi_src/utils.py
@@ -80,3 +80,12 @@
extra_link_args=extra_link_args,
)
return ffi
+
+
+def extra_link_args(platform):
+ if platform != "win32":
+ return []
+ else:
+ # Enable NX and ASLR for Windows builds. These are enabled by default
+ # on Python 3.3+ but not on 2.x.
+ return ["/NXCOMPAT", "/DYNAMICBASE"]
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 665771a..2fe8832 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -388,8 +388,9 @@
rsa_cdata, key_size, bn, self._ffi.NULL
)
assert res == 1
+ evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata)
- return _RSAPrivateKey(self, rsa_cdata)
+ return _RSAPrivateKey(self, rsa_cdata, evp_pkey)
def generate_rsa_parameters_supported(self, public_exponent, key_size):
return (public_exponent >= 3 and public_exponent & 1 != 0 and
@@ -419,8 +420,9 @@
rsa_cdata.n = self._int_to_bn(numbers.public_numbers.n)
res = self._lib.RSA_blinding_on(rsa_cdata, self._ffi.NULL)
assert res == 1
+ evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata)
- return _RSAPrivateKey(self, rsa_cdata)
+ return _RSAPrivateKey(self, rsa_cdata, evp_pkey)
def load_rsa_public_numbers(self, numbers):
rsa._check_public_key_components(numbers.e, numbers.n)
@@ -431,8 +433,17 @@
rsa_cdata.n = self._int_to_bn(numbers.n)
res = self._lib.RSA_blinding_on(rsa_cdata, self._ffi.NULL)
assert res == 1
+ evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata)
- return _RSAPublicKey(self, rsa_cdata)
+ return _RSAPublicKey(self, rsa_cdata, evp_pkey)
+
+ def _rsa_cdata_to_evp_pkey(self, rsa_cdata):
+ evp_pkey = self._lib.EVP_PKEY_new()
+ assert evp_pkey != self._ffi.NULL
+ evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free)
+ res = self._lib.EVP_PKEY_set1_RSA(evp_pkey, rsa_cdata)
+ assert res == 1
+ return evp_pkey
def _bytes_to_bio(self, data):
"""
@@ -483,18 +494,18 @@
rsa_cdata = self._lib.EVP_PKEY_get1_RSA(evp_pkey)
assert rsa_cdata != self._ffi.NULL
rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free)
- return _RSAPrivateKey(self, rsa_cdata)
+ return _RSAPrivateKey(self, rsa_cdata, evp_pkey)
elif key_type == self._lib.EVP_PKEY_DSA:
dsa_cdata = self._lib.EVP_PKEY_get1_DSA(evp_pkey)
assert dsa_cdata != self._ffi.NULL
dsa_cdata = self._ffi.gc(dsa_cdata, self._lib.DSA_free)
- return _DSAPrivateKey(self, dsa_cdata)
+ return _DSAPrivateKey(self, dsa_cdata, evp_pkey)
elif (self._lib.Cryptography_HAS_EC == 1 and
key_type == self._lib.EVP_PKEY_EC):
ec_cdata = self._lib.EVP_PKEY_get1_EC_KEY(evp_pkey)
assert ec_cdata != self._ffi.NULL
ec_cdata = self._ffi.gc(ec_cdata, self._lib.EC_KEY_free)
- return _EllipticCurvePrivateKey(self, ec_cdata)
+ return _EllipticCurvePrivateKey(self, ec_cdata, evp_pkey)
else:
raise UnsupportedAlgorithm("Unsupported key type.")
@@ -510,18 +521,18 @@
rsa_cdata = self._lib.EVP_PKEY_get1_RSA(evp_pkey)
assert rsa_cdata != self._ffi.NULL
rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free)
- return _RSAPublicKey(self, rsa_cdata)
+ return _RSAPublicKey(self, rsa_cdata, evp_pkey)
elif key_type == self._lib.EVP_PKEY_DSA:
dsa_cdata = self._lib.EVP_PKEY_get1_DSA(evp_pkey)
assert dsa_cdata != self._ffi.NULL
dsa_cdata = self._ffi.gc(dsa_cdata, self._lib.DSA_free)
- return _DSAPublicKey(self, dsa_cdata)
+ return _DSAPublicKey(self, dsa_cdata, evp_pkey)
elif (self._lib.Cryptography_HAS_EC == 1 and
key_type == self._lib.EVP_PKEY_EC):
ec_cdata = self._lib.EVP_PKEY_get1_EC_KEY(evp_pkey)
assert ec_cdata != self._ffi.NULL
ec_cdata = self._ffi.gc(ec_cdata, self._lib.EC_KEY_free)
- return _EllipticCurvePublicKey(self, ec_cdata)
+ return _EllipticCurvePublicKey(self, ec_cdata, evp_pkey)
else:
raise UnsupportedAlgorithm("Unsupported key type.")
@@ -615,8 +626,9 @@
ctx.g = self._lib.BN_dup(parameters._dsa_cdata.g)
self._lib.DSA_generate_key(ctx)
+ evp_pkey = self._dsa_cdata_to_evp_pkey(ctx)
- return _DSAPrivateKey(self, ctx)
+ return _DSAPrivateKey(self, ctx, evp_pkey)
def generate_dsa_private_key_and_parameters(self, key_size):
parameters = self.generate_dsa_parameters(key_size)
@@ -636,7 +648,9 @@
dsa_cdata.pub_key = self._int_to_bn(numbers.public_numbers.y)
dsa_cdata.priv_key = self._int_to_bn(numbers.x)
- return _DSAPrivateKey(self, dsa_cdata)
+ evp_pkey = self._dsa_cdata_to_evp_pkey(dsa_cdata)
+
+ return _DSAPrivateKey(self, dsa_cdata, evp_pkey)
def load_dsa_public_numbers(self, numbers):
dsa._check_dsa_parameters(numbers.parameter_numbers)
@@ -649,7 +663,9 @@
dsa_cdata.g = self._int_to_bn(numbers.parameter_numbers.g)
dsa_cdata.pub_key = self._int_to_bn(numbers.y)
- return _DSAPublicKey(self, dsa_cdata)
+ evp_pkey = self._dsa_cdata_to_evp_pkey(dsa_cdata)
+
+ return _DSAPublicKey(self, dsa_cdata, evp_pkey)
def load_dsa_parameter_numbers(self, numbers):
dsa._check_dsa_parameters(numbers)
@@ -663,6 +679,14 @@
return _DSAParameters(self, dsa_cdata)
+ def _dsa_cdata_to_evp_pkey(self, dsa_cdata):
+ evp_pkey = self._lib.EVP_PKEY_new()
+ assert evp_pkey != self._ffi.NULL
+ evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free)
+ res = self._lib.EVP_PKEY_set1_DSA(evp_pkey, dsa_cdata)
+ assert res == 1
+ return evp_pkey
+
def dsa_hash_supported(self, algorithm):
if self._lib.OPENSSL_VERSION_NUMBER < 0x1000000f:
return isinstance(algorithm, hashes.SHA1)
@@ -714,7 +738,8 @@
)
if rsa_cdata != self._ffi.NULL:
rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free)
- return _RSAPublicKey(self, rsa_cdata)
+ evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata)
+ return _RSAPublicKey(self, rsa_cdata, evp_pkey)
else:
self._handle_key_loading_error()
@@ -796,7 +821,8 @@
)
if rsa_cdata != self._ffi.NULL:
rsa_cdata = self._ffi.gc(rsa_cdata, self._lib.RSA_free)
- return _RSAPublicKey(self, rsa_cdata)
+ evp_pkey = self._rsa_cdata_to_evp_pkey(rsa_cdata)
+ return _RSAPublicKey(self, rsa_cdata, evp_pkey)
else:
self._handle_key_loading_error()
@@ -1000,7 +1026,9 @@
res = self._lib.EC_KEY_check_key(ec_cdata)
assert res == 1
- return _EllipticCurvePrivateKey(self, ec_cdata)
+ evp_pkey = self._ec_cdata_to_evp_pkey(ec_cdata)
+
+ return _EllipticCurvePrivateKey(self, ec_cdata, evp_pkey)
else:
raise UnsupportedAlgorithm(
"Backend object does not support {0}.".format(curve.name),
@@ -1022,8 +1050,9 @@
res = self._lib.EC_KEY_set_private_key(
ec_cdata, self._int_to_bn(numbers.private_value))
assert res == 1
+ evp_pkey = self._ec_cdata_to_evp_pkey(ec_cdata)
- return _EllipticCurvePrivateKey(self, ec_cdata)
+ return _EllipticCurvePrivateKey(self, ec_cdata, evp_pkey)
def load_elliptic_curve_public_numbers(self, numbers):
curve_nid = self._elliptic_curve_to_nid(numbers.curve)
@@ -1034,8 +1063,16 @@
ec_cdata = self._ec_key_set_public_key_affine_coordinates(
ec_cdata, numbers.x, numbers.y)
+ evp_pkey = self._ec_cdata_to_evp_pkey(ec_cdata)
- return _EllipticCurvePublicKey(self, ec_cdata)
+ return _EllipticCurvePublicKey(self, ec_cdata, evp_pkey)
+
+ def _ec_cdata_to_evp_pkey(self, ec_cdata):
+ evp_pkey = self._lib.EVP_PKEY_new()
+ assert evp_pkey != self._ffi.NULL
+ evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free)
+ res = self._lib.EVP_PKEY_set1_EC_KEY(evp_pkey, ec_cdata)
+ assert res == 1
def _elliptic_curve_to_nid(self, curve):
"""
diff --git a/src/cryptography/hazmat/backends/openssl/dsa.py b/src/cryptography/hazmat/backends/openssl/dsa.py
index 254d29e..f84857f 100644
--- a/src/cryptography/hazmat/backends/openssl/dsa.py
+++ b/src/cryptography/hazmat/backends/openssl/dsa.py
@@ -107,9 +107,10 @@
@utils.register_interface(dsa.DSAPrivateKeyWithSerialization)
class _DSAPrivateKey(object):
- def __init__(self, backend, dsa_cdata):
+ def __init__(self, backend, dsa_cdata, evp_pkey):
self._backend = backend
self._dsa_cdata = dsa_cdata
+ self._evp_pkey = evp_pkey
self._key_size = self._backend._lib.BN_num_bits(self._dsa_cdata.p)
key_size = utils.read_only_property("_key_size")
@@ -140,7 +141,8 @@
dsa_cdata.q = self._backend._lib.BN_dup(self._dsa_cdata.q)
dsa_cdata.g = self._backend._lib.BN_dup(self._dsa_cdata.g)
dsa_cdata.pub_key = self._backend._lib.BN_dup(self._dsa_cdata.pub_key)
- return _DSAPublicKey(self._backend, dsa_cdata)
+ evp_pkey = self._backend._dsa_cdata_to_evp_pkey(dsa_cdata)
+ return _DSAPublicKey(self._backend, dsa_cdata, evp_pkey)
def parameters(self):
dsa_cdata = self._backend._lib.DSA_new()
@@ -154,27 +156,21 @@
return _DSAParameters(self._backend, dsa_cdata)
def private_bytes(self, encoding, format, encryption_algorithm):
- evp_pkey = self._backend._lib.EVP_PKEY_new()
- assert evp_pkey != self._backend._ffi.NULL
- evp_pkey = self._backend._ffi.gc(
- evp_pkey, self._backend._lib.EVP_PKEY_free
- )
- res = self._backend._lib.EVP_PKEY_set1_DSA(evp_pkey, self._dsa_cdata)
- assert res == 1
return self._backend._private_key_bytes(
encoding,
format,
encryption_algorithm,
- evp_pkey,
+ self._evp_pkey,
self._dsa_cdata
)
@utils.register_interface(dsa.DSAPublicKeyWithSerialization)
class _DSAPublicKey(object):
- def __init__(self, backend, dsa_cdata):
+ def __init__(self, backend, dsa_cdata, evp_pkey):
self._backend = backend
self._dsa_cdata = dsa_cdata
+ self._evp_pkey = evp_pkey
self._key_size = self._backend._lib.BN_num_bits(self._dsa_cdata.p)
key_size = utils.read_only_property("_key_size")
@@ -211,16 +207,9 @@
"DSA public keys do not support PKCS1 serialization"
)
- evp_pkey = self._backend._lib.EVP_PKEY_new()
- assert evp_pkey != self._backend._ffi.NULL
- evp_pkey = self._backend._ffi.gc(
- evp_pkey, self._backend._lib.EVP_PKEY_free
- )
- res = self._backend._lib.EVP_PKEY_set1_DSA(evp_pkey, self._dsa_cdata)
- assert res == 1
return self._backend._public_key_bytes(
encoding,
format,
- evp_pkey,
+ self._evp_pkey,
None
)
diff --git a/src/cryptography/hazmat/backends/openssl/ec.py b/src/cryptography/hazmat/backends/openssl/ec.py
index c2af2be..7d3afb9 100644
--- a/src/cryptography/hazmat/backends/openssl/ec.py
+++ b/src/cryptography/hazmat/backends/openssl/ec.py
@@ -150,10 +150,11 @@
@utils.register_interface(ec.EllipticCurvePrivateKeyWithSerialization)
class _EllipticCurvePrivateKey(object):
- def __init__(self, backend, ec_key_cdata):
+ def __init__(self, backend, ec_key_cdata, evp_pkey):
self._backend = backend
_mark_asn1_named_ec_curve(backend, ec_key_cdata)
self._ec_key = ec_key_cdata
+ self._evp_pkey = evp_pkey
sn = _ec_key_curve_sn(backend, ec_key_cdata)
self._curve = _sn_to_elliptic_curve(backend, sn)
@@ -188,9 +189,9 @@
res = self._backend._lib.EC_KEY_set_public_key(public_ec_key, point)
assert res == 1
- return _EllipticCurvePublicKey(
- self._backend, public_ec_key
- )
+ evp_pkey = self._backend._ec_cdata_to_evp_pkey(public_ec_key)
+
+ return _EllipticCurvePublicKey(self._backend, public_ec_key, evp_pkey)
def private_numbers(self):
bn = self._backend._lib.EC_KEY_get0_private_key(self._ec_key)
@@ -201,28 +202,22 @@
)
def private_bytes(self, encoding, format, encryption_algorithm):
- evp_pkey = self._backend._lib.EVP_PKEY_new()
- assert evp_pkey != self._backend._ffi.NULL
- evp_pkey = self._backend._ffi.gc(
- evp_pkey, self._backend._lib.EVP_PKEY_free
- )
- res = self._backend._lib.EVP_PKEY_set1_EC_KEY(evp_pkey, self._ec_key)
- assert res == 1
return self._backend._private_key_bytes(
encoding,
format,
encryption_algorithm,
- evp_pkey,
+ self._evp_pkey,
self._ec_key
)
@utils.register_interface(ec.EllipticCurvePublicKeyWithSerialization)
class _EllipticCurvePublicKey(object):
- def __init__(self, backend, ec_key_cdata):
+ def __init__(self, backend, ec_key_cdata, evp_pkey):
self._backend = backend
_mark_asn1_named_ec_curve(backend, ec_key_cdata)
self._ec_key = ec_key_cdata
+ self._evp_pkey = evp_pkey
sn = _ec_key_curve_sn(backend, ec_key_cdata)
self._curve = _sn_to_elliptic_curve(backend, sn)
@@ -268,16 +263,9 @@
"EC public keys do not support PKCS1 serialization"
)
- evp_pkey = self._backend._lib.EVP_PKEY_new()
- assert evp_pkey != self._backend._ffi.NULL
- evp_pkey = self._backend._ffi.gc(
- evp_pkey, self._backend._lib.EVP_PKEY_free
- )
- res = self._backend._lib.EVP_PKEY_set1_EC_KEY(evp_pkey, self._ec_key)
- assert res == 1
return self._backend._public_key_bytes(
encoding,
format,
- evp_pkey,
+ self._evp_pkey,
None
)
diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py
index 1dbbb84..21414c0 100644
--- a/src/cryptography/hazmat/backends/openssl/rsa.py
+++ b/src/cryptography/hazmat/backends/openssl/rsa.py
@@ -508,17 +508,9 @@
@utils.register_interface(RSAPrivateKeyWithSerialization)
class _RSAPrivateKey(object):
- def __init__(self, backend, rsa_cdata):
+ def __init__(self, backend, rsa_cdata, evp_pkey):
self._backend = backend
self._rsa_cdata = rsa_cdata
-
- evp_pkey = self._backend._lib.EVP_PKEY_new()
- assert evp_pkey != self._backend._ffi.NULL
- evp_pkey = self._backend._ffi.gc(
- evp_pkey, self._backend._lib.EVP_PKEY_free
- )
- res = self._backend._lib.EVP_PKEY_set1_RSA(evp_pkey, rsa_cdata)
- assert res == 1
self._evp_pkey = evp_pkey
self._key_size = self._backend._lib.BN_num_bits(self._rsa_cdata.n)
@@ -543,7 +535,8 @@
ctx.n = self._backend._lib.BN_dup(self._rsa_cdata.n)
res = self._backend._lib.RSA_blinding_on(ctx, self._backend._ffi.NULL)
assert res == 1
- return _RSAPublicKey(self._backend, ctx)
+ evp_pkey = self._backend._rsa_cdata_to_evp_pkey(ctx)
+ return _RSAPublicKey(self._backend, ctx, evp_pkey)
def private_numbers(self):
return rsa.RSAPrivateNumbers(
@@ -571,17 +564,9 @@
@utils.register_interface(RSAPublicKeyWithSerialization)
class _RSAPublicKey(object):
- def __init__(self, backend, rsa_cdata):
+ def __init__(self, backend, rsa_cdata, evp_pkey):
self._backend = backend
self._rsa_cdata = rsa_cdata
-
- evp_pkey = self._backend._lib.EVP_PKEY_new()
- assert evp_pkey != self._backend._ffi.NULL
- evp_pkey = self._backend._ffi.gc(
- evp_pkey, self._backend._lib.EVP_PKEY_free
- )
- res = self._backend._lib.EVP_PKEY_set1_RSA(evp_pkey, rsa_cdata)
- assert res == 1
self._evp_pkey = evp_pkey
self._key_size = self._backend._lib.BN_num_bits(self._rsa_cdata.n)
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 9cd3508..a03414c 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -291,6 +291,12 @@
value = _decode_certificate_policies(self._backend, ext)
elif oid == x509.OID_CRL_DISTRIBUTION_POINTS:
value = _decode_crl_distribution_points(self._backend, ext)
+ elif oid == x509.OID_OCSP_NO_CHECK:
+ value = x509.OCSPNoCheck()
+ elif oid == x509.OID_INHIBIT_ANY_POLICY:
+ value = _decode_inhibit_any_policy(self._backend, ext)
+ elif oid == x509.OID_ISSUER_ALTERNATIVE_NAME:
+ value = _decode_issuer_alt_name(self._backend, ext)
elif critical:
raise x509.UnsupportedExtension(
"{0} is not currently supported".format(oid), oid
@@ -511,15 +517,26 @@
)
-def _decode_subject_alt_name(backend, ext):
+def _decode_general_names_extension(backend, ext):
gns = backend._ffi.cast(
"GENERAL_NAMES *", backend._lib.X509V3_EXT_d2i(ext)
)
assert gns != backend._ffi.NULL
gns = backend._ffi.gc(gns, backend._lib.GENERAL_NAMES_free)
general_names = _decode_general_names(backend, gns)
+ return general_names
- return x509.SubjectAlternativeName(general_names)
+
+def _decode_subject_alt_name(backend, ext):
+ return x509.SubjectAlternativeName(
+ _decode_general_names_extension(backend, ext)
+ )
+
+
+def _decode_issuer_alt_name(backend, ext):
+ return x509.IssuerAlternativeName(
+ _decode_general_names_extension(backend, ext)
+ )
def _decode_extended_key_usage(backend, ext):
@@ -636,6 +653,17 @@
return x509.CRLDistributionPoints(dist_points)
+def _decode_inhibit_any_policy(backend, ext):
+ asn1_int = backend._ffi.cast(
+ "ASN1_INTEGER *",
+ backend._lib.X509V3_EXT_d2i(ext)
+ )
+ assert asn1_int != backend._ffi.NULL
+ asn1_int = backend._ffi.gc(asn1_int, backend._lib.ASN1_INTEGER_free)
+ skip_certs = _asn1_integer_to_int(backend, asn1_int)
+ return x509.InhibitAnyPolicy(skip_certs)
+
+
@utils.register_interface(x509.CertificateSigningRequest)
class _CertificateSigningRequest(object):
def __init__(self, backend, x509_req):
diff --git a/src/cryptography/hazmat/primitives/twofactor/hotp.py b/src/cryptography/hazmat/primitives/twofactor/hotp.py
index 8c0cec1..12bc766 100644
--- a/src/cryptography/hazmat/primitives/twofactor/hotp.py
+++ b/src/cryptography/hazmat/primitives/twofactor/hotp.py
@@ -62,6 +62,6 @@
return struct.unpack(">I", p)[0] & 0x7fffffff
def get_provisioning_uri(self, account_name, counter, issuer):
- return _generate_uri(self, 'hotp', account_name, issuer, [
- ('counter', int(counter)),
+ return _generate_uri(self, "hotp", account_name, issuer, [
+ ("counter", int(counter)),
])
diff --git a/src/cryptography/hazmat/primitives/twofactor/totp.py b/src/cryptography/hazmat/primitives/twofactor/totp.py
index 98493b6..6070590 100644
--- a/src/cryptography/hazmat/primitives/twofactor/totp.py
+++ b/src/cryptography/hazmat/primitives/twofactor/totp.py
@@ -34,6 +34,6 @@
raise InvalidToken("Supplied TOTP value does not match.")
def get_provisioning_uri(self, account_name, issuer):
- return _generate_uri(self._hotp, 'totp', account_name, issuer, [
- ('period', int(self._time_step)),
+ return _generate_uri(self._hotp, "totp", account_name, issuer, [
+ ("period", int(self._time_step)),
])
diff --git a/src/cryptography/hazmat/primitives/twofactor/utils.py b/src/cryptography/hazmat/primitives/twofactor/utils.py
index 91d2e14..0ed8c4c 100644
--- a/src/cryptography/hazmat/primitives/twofactor/utils.py
+++ b/src/cryptography/hazmat/primitives/twofactor/utils.py
@@ -11,20 +11,20 @@
def _generate_uri(hotp, type_name, account_name, issuer, extra_parameters):
parameters = [
- ('digits', hotp._length),
- ('secret', base64.b32encode(hotp._key)),
- ('algorithm', hotp._algorithm.name.upper()),
+ ("digits", hotp._length),
+ ("secret", base64.b32encode(hotp._key)),
+ ("algorithm", hotp._algorithm.name.upper()),
]
if issuer is not None:
- parameters.append(('issuer', issuer))
+ parameters.append(("issuer", issuer))
parameters.extend(extra_parameters)
uriparts = {
- 'type': type_name,
- 'label': ('%s:%s' % (quote(issuer), quote(account_name)) if issuer
+ "type": type_name,
+ "label": ("%s:%s" % (quote(issuer), quote(account_name)) if issuer
else quote(account_name)),
- 'parameters': urlencode(parameters),
+ "parameters": urlencode(parameters),
}
- return 'otpauth://{type}/{label}?{parameters}'.format(**uriparts)
+ return "otpauth://{type}/{label}?{parameters}".format(**uriparts)
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index d836164..62d9f83 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -1258,6 +1258,23 @@
assert san != object()
+@pytest.mark.requires_backend_interface(interface=RSABackend)
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestRSAIssuerAlternativeNameExtension(object):
+ def test_uri(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "custom", "ian_uri.pem"),
+ x509.load_pem_x509_certificate,
+ backend,
+ )
+ ext = cert.extensions.get_extension_for_oid(
+ x509.OID_ISSUER_ALTERNATIVE_NAME
+ )
+ assert list(ext.value) == [
+ x509.UniformResourceIdentifier(u"http://path.to.root/root.crt"),
+ ]
+
+
class TestSubjectAlternativeName(object):
def test_get_values_for_type(self):
san = x509.SubjectAlternativeName(
@@ -2395,6 +2412,23 @@
])
+@pytest.mark.requires_backend_interface(interface=RSABackend)
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestOCSPNoCheckExtension(object):
+ def test_nocheck(self, backend):
+ cert = _load_cert(
+ os.path.join(
+ "x509", "custom", "ocsp_nocheck.pem"
+ ),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ ext = cert.extensions.get_extension_for_oid(
+ x509.OID_OCSP_NO_CHECK
+ )
+ assert isinstance(ext.value, x509.OCSPNoCheck)
+
+
class TestInhibitAnyPolicy(object):
def test_not_int(self):
with pytest.raises(TypeError):
@@ -2418,3 +2452,20 @@
iap2 = x509.InhibitAnyPolicy(4)
assert iap != iap2
assert iap != object()
+
+
+@pytest.mark.requires_backend_interface(interface=RSABackend)
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestInhibitAnyPolicyExtension(object):
+ def test_nocheck(self, backend):
+ cert = _load_cert(
+ os.path.join(
+ "x509", "custom", "inhibit_any_policy_5.pem"
+ ),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ iap = cert.extensions.get_extension_for_oid(
+ x509.OID_INHIBIT_ANY_POLICY
+ ).value
+ assert iap.skip_certs == 5
diff --git a/tox.ini b/tox.ini
index 96a175f..272f5b5 100644
--- a/tox.ini
+++ b/tox.ini
@@ -85,7 +85,7 @@
py.test --capture=no --strict --random {posargs}
[flake8]
-exclude = .tox,*.egg
+exclude = .tox,*.egg,.git,_build
select = E,W,F,N,I
application-import-names = cryptography,cryptography_vectors,tests
diff --git a/vectors/cryptography_vectors/x509/custom/ian_uri.pem b/vectors/cryptography_vectors/x509/custom/ian_uri.pem
new file mode 100644
index 0000000..83b3ff5
--- /dev/null
+++ b/vectors/cryptography_vectors/x509/custom/ian_uri.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDATCCAemgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBbMQswCQYDVQQGEwJBVTET
+MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMRQwEgYDVQQDEwtUZXN0SW5mcmFDQTAeFw0xNTA2MTgwNDI2MzFaFw0x
+NjA2MTcwNDI2MzFaMAAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDf
+LkjBhv4bpxSITJXXgB9gxszfwcwRYyvbTEJmD1lLWhOk13gnILagQgupZB33902u
+3lChgQPY4418NQkivJJeMw4jfl/Use7gFxax5n/6YlU3A93CxNY+2ei2ejgWBD8w
+tEdvFi9FSsaR+2ds5/vyONJdHkC6DR3aZdokCaU0X1h11JxKhJgsPPP41pL8P0A1
+scje090lfoGbVttD6ayxvccr+9GwkWVfHgYWUGOcAi/4e7wqXpvqZqlCOH7QnVUC
+xyknyPjETiW2ki4RacjAZh5gEw6q9mNFO4Xeo30vmDx/7VWPBqdi7MLPVCiIaHs+
+YnDkSWV0qp3auI+MZqVjAgMBAAGjKzApMCcGA1UdEgQgMB6GHGh0dHA6Ly9wYXRo
+LnRvLnJvb3Qvcm9vdC5jcnQwDQYJKoZIhvcNAQEFBQADggEBAMiTTyKTErcmDlbn
+fkc4y+IsL1GuS1yGcurIy0zghptsdZXA5v3VqkOtFCxLgk/syWVDfhAPwM4aBfeI
+6Fe1kwPQk0xvdvPZ62lev0ELBOsceM2kge1obCc/ZyhXPYo1r7rmXxTvc8gxyASh
+L9r+0AglSId8YJFscF+siTuTg/5SSHALT/DwGdeYv/rmnOeeHW4pv3WXPS32XUOG
+D605kXQ/9HCujxCU3VGYUbkBWjsdqj9vZXQk1OVeMwWpH3O0AdFMQXgY7vpzkLuD
+e+/zmLFDlI3k0p3UajtxsBft8AMNJaenknuQiMOryALRkfeyu5qhYlJ5bJFKUKn9
+K7X9MIA=
+-----END CERTIFICATE-----
diff --git a/vectors/cryptography_vectors/x509/custom/nc_excluded.pem b/vectors/cryptography_vectors/x509/custom/nc_excluded.pem
new file mode 100644
index 0000000..69f416e
--- /dev/null
+++ b/vectors/cryptography_vectors/x509/custom/nc_excluded.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDADCCAeigAwIBAgITBm7Xt1PqHBXFuN+BRDTMZ+XpWzANBgkqhkiG9w0BAQsF
+ADAXMRUwEwYDVQQDDAxjcnlwdG9ncmFwaHkwHhcNMTUwNjE3MjIzNzUwWhcNMTYw
+NjE2MjIzNzUwWjAXMRUwEwYDVQQDDAxjcnlwdG9ncmFwaHkwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQCylTa0WkLvIXB4sWoPdv5iL3idlVHKR+ncODKL
+nwQ2Jtd990MfakOFRLrJFF1tfPL4qyRbbyMyrgCOoKBCAuIdBZfBDH3JWFjxGy8J
+Yls8yVeAVKreV18HmLvAsBL3bnr7Gk3vpznrfoG5rn5T/fL0cqqTXFV8zQhjHiEo
+zftSaoq0LOxsSgFdxXS8e8K6RMvLCZPcMpI4fo1Kq2QBT2J1x1/Hq/VnK132cs0g
+TOyiTyyJfvRmlqdXowh7Jf8LQB4mM6gc023fEdQ+HH6JYX1vDQVxaiTM6KMYJNv/
+l4gchP3jknOfZffwGGdXQrtUMhQmltnSqV5nY/G2OGm/Z0pdAgMBAAGjRTBDMEEG
+A1UdHgEB/wQ3MDWhMzATghEqLmNyeXB0b2dyYXBoeS5pbzAchhpnb3BoZXI6Ly9j
+cnlwdG9ncmFwaHkudGVzdDANBgkqhkiG9w0BAQsFAAOCAQEAcCcidJm7Wmc9ZdzF
+AlP/9Gd5bXBlNswcq1wCmS9S6fgM0oGDgK2duY72Jr5Qqz66yqfzmIO7TtAhaegp
+zCYar3Mmy7rwJHtJNRhBY+PYVLWXmUTf4yJhL+RcH6S+69PkqGQWjBa50vknIHt3
+dPtqadewocO7FuPWCdYDFLmMHM8S/ueMhSSJfFaGlYfy4UrnQhjuSpn6V/Gh5ED7
+tSqoncpHELItkvoS2LUTrpVDmQifuy3X78g7dYAGkjotCqddb90Y/MNSoM8BFS6i
+Fmh8kn8kj6ct1csFLaBzATWby4/NHkuD9vuj9Z941szqpvvZSZhQ/8pEBevs2CNE
+l2Sb0g==
+-----END CERTIFICATE-----
diff --git a/vectors/cryptography_vectors/x509/custom/nc_permitted.pem b/vectors/cryptography_vectors/x509/custom/nc_permitted.pem
new file mode 100644
index 0000000..a68096e
--- /dev/null
+++ b/vectors/cryptography_vectors/x509/custom/nc_permitted.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/TCCAeWgAwIBAgITBm7XungOGlx+YwUFD5Z/Pzj7KTANBgkqhkiG9w0BAQsF
+ADAXMRUwEwYDVQQDDAxjcnlwdG9ncmFwaHkwHhcNMTUwNjE3MjIzODMyWhcNMTYw
+NjE2MjIzODMyWjAXMRUwEwYDVQQDDAxjcnlwdG9ncmFwaHkwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQCylTa0WkLvIXB4sWoPdv5iL3idlVHKR+ncODKL
+nwQ2Jtd990MfakOFRLrJFF1tfPL4qyRbbyMyrgCOoKBCAuIdBZfBDH3JWFjxGy8J
+Yls8yVeAVKreV18HmLvAsBL3bnr7Gk3vpznrfoG5rn5T/fL0cqqTXFV8zQhjHiEo
+zftSaoq0LOxsSgFdxXS8e8K6RMvLCZPcMpI4fo1Kq2QBT2J1x1/Hq/VnK132cs0g
+TOyiTyyJfvRmlqdXowh7Jf8LQB4mM6gc023fEdQ+HH6JYX1vDQVxaiTM6KMYJNv/
+l4gchP3jknOfZffwGGdXQrtUMhQmltnSqV5nY/G2OGm/Z0pdAgMBAAGjQjBAMD4G
+A1UdHgEB/wQ0MDKgMDATghEqLmNyeXB0b2dyYXBoeS5pbzAZhhdmdHA6Ly9jcnlw
+dG9ncmFwaHkudGVzdDANBgkqhkiG9w0BAQsFAAOCAQEAkQItRDBDmQLlhnyeqYvh
+I5urSAsvAoSMiuXSekM5hv6HtOrpZECUS4SDU3RaSsjTf4uNpebRAgP/Uj5JVgL6
+byWSpQBRGVtFRtORTIldxhexeSJtg675+4DQ/kUjiFawM2AlwUluz7WUJavbrz1H
+4HJTKCFTH5gj27ynfdTUVNkW1tKRiffwdKG9xq+po0FlaAgMNzUlvcNBZKxG5CuT
+C1e08/sEFeZEYtFCxuqqrl7wvk0l/7ayNjdld2Mkk//jKhzvScy6d1lBaxUurOn1
+UAxkdnQ65Jw86oebie8C5Faw43U0p42dMqXeXqhXfXmNpMs5p/FumRUHcr9bs+G4
+hw==
+-----END CERTIFICATE-----
diff --git a/vectors/cryptography_vectors/x509/custom/nc_permitted_excluded.pem b/vectors/cryptography_vectors/x509/custom/nc_permitted_excluded.pem
new file mode 100644
index 0000000..726b3b8
--- /dev/null
+++ b/vectors/cryptography_vectors/x509/custom/nc_permitted_excluded.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJDCCAgygAwIBAgITBm7Xr09L6ZOQw9RfzgaA+R4ROjANBgkqhkiG9w0BAQsF
+ADAXMRUwEwYDVQQDDAxjcnlwdG9ncmFwaHkwHhcNMTUwNjE3MjIzNjAzWhcNMTYw
+NjE2MjIzNjAzWjAXMRUwEwYDVQQDDAxjcnlwdG9ncmFwaHkwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQCylTa0WkLvIXB4sWoPdv5iL3idlVHKR+ncODKL
+nwQ2Jtd990MfakOFRLrJFF1tfPL4qyRbbyMyrgCOoKBCAuIdBZfBDH3JWFjxGy8J
+Yls8yVeAVKreV18HmLvAsBL3bnr7Gk3vpznrfoG5rn5T/fL0cqqTXFV8zQhjHiEo
+zftSaoq0LOxsSgFdxXS8e8K6RMvLCZPcMpI4fo1Kq2QBT2J1x1/Hq/VnK132cs0g
+TOyiTyyJfvRmlqdXowh7Jf8LQB4mM6gc023fEdQ+HH6JYX1vDQVxaiTM6KMYJNv/
+l4gchP3jknOfZffwGGdXQrtUMhQmltnSqV5nY/G2OGm/Z0pdAgMBAAGjaTBnMGUG
+A1UdHgEB/wRbMFmgMDAKhwjAqAAA////ADAihyAA/wAAAAAAAAAAAAAAAAAAAP8A
+AAAAAAAAAAAAAAAA/6ElMA6CDCouZG9tYWluLmNvbTAThhFodHRwOi8vdGVzdC5s
+b2NhbDANBgkqhkiG9w0BAQsFAAOCAQEAqMvB4gK4XFrDtdEXE4eq3LcAbuII4loK
+2CD0D3gMygTXG7KJ9gVjckWMTzGwW0n/honog6L2T8xF77a4HcbHkMsrY5wU2z5m
+MoJWa5z/kQWKMcL6nCaRHzPm2dj/UcEIoZrgJwlrp42OVYNE/4LeSQTF7xBG6V2C
+GNRpNKZFWwZA8Kgxxp4FUpy3jkspCuKsY2r6bm9IutUy6Mx/AQaSNxz4qDWojiYc
+AA/UXvX6lssK+gHWHMc2SmdN2wCa+dJvZyaGGUZOfxoVXwllpnLO2Upslgs8DrOD
+3FOw7Bi/d1zkcPr6Gtq0z8Nf7hHAs9mRXoLmRHKhyBkA9jmkla0wGw==
+-----END CERTIFICATE-----
diff --git a/vectors/cryptography_vectors/x509/custom/pc_inhibit.pem b/vectors/cryptography_vectors/x509/custom/pc_inhibit.pem
new file mode 100644
index 0000000..95245a9
--- /dev/null
+++ b/vectors/cryptography_vectors/x509/custom/pc_inhibit.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzjCCAbagAwIBAgITBm7W468Txw7iiF9Jyd7CNKQ2NzANBgkqhkiG9w0BAQsF
+ADAXMRUwEwYDVQQDDAxjcnlwdG9ncmFwaHkwHhcNMTUwNjE3MjE1MDU3WhcNMTYw
+NjE2MjE1MDU3WjAXMRUwEwYDVQQDDAxjcnlwdG9ncmFwaHkwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQCylTa0WkLvIXB4sWoPdv5iL3idlVHKR+ncODKL
+nwQ2Jtd990MfakOFRLrJFF1tfPL4qyRbbyMyrgCOoKBCAuIdBZfBDH3JWFjxGy8J
+Yls8yVeAVKreV18HmLvAsBL3bnr7Gk3vpznrfoG5rn5T/fL0cqqTXFV8zQhjHiEo
+zftSaoq0LOxsSgFdxXS8e8K6RMvLCZPcMpI4fo1Kq2QBT2J1x1/Hq/VnK132cs0g
+TOyiTyyJfvRmlqdXowh7Jf8LQB4mM6gc023fEdQ+HH6JYX1vDQVxaiTM6KMYJNv/
+l4gchP3jknOfZffwGGdXQrtUMhQmltnSqV5nY/G2OGm/Z0pdAgMBAAGjEzARMA8G
+A1UdJAEB/wQFMAOBAQEwDQYJKoZIhvcNAQELBQADggEBADWtdmob6aFscj2AhUB4
+s2zGFmfPdhh0Q/dBsQGX27UhOlF9loZxMwVvCIma/iMtxh1kOLoUsqu1fAkOLAuC
+KQfED30bxYVYS+G/866A+TVUdFs6i7ZlAI7I10ojH4nfHcGaaofHObvQ5XI0NpiJ
+9Pzi55qJJ2Yv/x8xvFZZZ7F/SkPzjfSLg+FnzqPspsNFPUzN/s9nZ3TJuHItc+AP
+9zQCWyIo0z5AexLjxrbXlPwcOgXirbhR/VPEc5/LrFc3VNv27Z6NNgHEY/ahmjL5
+ig/ObITiDMh/KWqwPbGpSK0xEYdmWaVRnHMOfKjy78oYMNrPHZHx0StzIUJRCa6J
+wNs=
+-----END CERTIFICATE-----
diff --git a/vectors/cryptography_vectors/x509/custom/pc_inhibit_require.pem b/vectors/cryptography_vectors/x509/custom/pc_inhibit_require.pem
new file mode 100644
index 0000000..6475afc
--- /dev/null
+++ b/vectors/cryptography_vectors/x509/custom/pc_inhibit_require.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0TCCAbmgAwIBAgITBm7W5plm/+MNl9v4WkUqdcxmjjANBgkqhkiG9w0BAQsF
+ADAXMRUwEwYDVQQDDAxjcnlwdG9ncmFwaHkwHhcNMTUwNjE3MjE1MTM1WhcNMTYw
+NjE2MjE1MTM1WjAXMRUwEwYDVQQDDAxjcnlwdG9ncmFwaHkwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQCylTa0WkLvIXB4sWoPdv5iL3idlVHKR+ncODKL
+nwQ2Jtd990MfakOFRLrJFF1tfPL4qyRbbyMyrgCOoKBCAuIdBZfBDH3JWFjxGy8J
+Yls8yVeAVKreV18HmLvAsBL3bnr7Gk3vpznrfoG5rn5T/fL0cqqTXFV8zQhjHiEo
+zftSaoq0LOxsSgFdxXS8e8K6RMvLCZPcMpI4fo1Kq2QBT2J1x1/Hq/VnK132cs0g
+TOyiTyyJfvRmlqdXowh7Jf8LQB4mM6gc023fEdQ+HH6JYX1vDQVxaiTM6KMYJNv/
+l4gchP3jknOfZffwGGdXQrtUMhQmltnSqV5nY/G2OGm/Z0pdAgMBAAGjFjAUMBIG
+A1UdJAEB/wQIMAaAAQGBAQEwDQYJKoZIhvcNAQELBQADggEBAF2vihRcIlDO+aAZ
+yjpwSTZH0J0mw5yJKxo8oJ/Ij26d2vjhu/xKhPV1L8dTgVQsSU8RVJK5+MRSog+C
+jP81YaTTgktHxu1JIXEdTJJ9HZlTvsXvMHq1y3XYxzu8i8Lsj9mf+NFAb+ecLfhF
+mVDwFY+TrPT2jcCPD7PcV8fgSio6MXRP2jrqFKBTRAJTsZMpWJg4Jn1vDRgLWqwZ
+VOd4G4IfmuN2n92kd0UT6flvbpJEDQJr5elqeU9Mp1PjN3UwSnox1D+fAd2Rqknn
+6FPfjjJO+j6RFtqlzPH8A3/Pps1C61U947oawS/tk9P4WVrDVto3tHH5jxOPp/wA
+EqtmA1c=
+-----END CERTIFICATE-----
diff --git a/vectors/cryptography_vectors/x509/custom/pc_require.pem b/vectors/cryptography_vectors/x509/custom/pc_require.pem
new file mode 100644
index 0000000..d41e1dc
--- /dev/null
+++ b/vectors/cryptography_vectors/x509/custom/pc_require.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzjCCAbagAwIBAgITBm7W5SWig9xJ0Sqde+PhIPV4QzANBgkqhkiG9w0BAQsF
+ADAXMRUwEwYDVQQDDAxjcnlwdG9ncmFwaHkwHhcNMTUwNjE3MjE1MTE2WhcNMTYw
+NjE2MjE1MTE2WjAXMRUwEwYDVQQDDAxjcnlwdG9ncmFwaHkwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQCylTa0WkLvIXB4sWoPdv5iL3idlVHKR+ncODKL
+nwQ2Jtd990MfakOFRLrJFF1tfPL4qyRbbyMyrgCOoKBCAuIdBZfBDH3JWFjxGy8J
+Yls8yVeAVKreV18HmLvAsBL3bnr7Gk3vpznrfoG5rn5T/fL0cqqTXFV8zQhjHiEo
+zftSaoq0LOxsSgFdxXS8e8K6RMvLCZPcMpI4fo1Kq2QBT2J1x1/Hq/VnK132cs0g
+TOyiTyyJfvRmlqdXowh7Jf8LQB4mM6gc023fEdQ+HH6JYX1vDQVxaiTM6KMYJNv/
+l4gchP3jknOfZffwGGdXQrtUMhQmltnSqV5nY/G2OGm/Z0pdAgMBAAGjEzARMA8G
+A1UdJAEB/wQFMAOAAQEwDQYJKoZIhvcNAQELBQADggEBAB1WST/bEzDX6ws3xRLt
+kfe12ZzMXkxGjAWM3Ai2VigqUqVOZRsB70Zekv/NXAmz+et6hdlzg1b3S+2Kffe/
+1aDGvIHqoFtbokctJyrX7eCjhENdKb/yR8CYWOWCWTdWe6ij4TjxkkEbBxajeR1V
+hzSOHG8l3r5OTqFdBknsbLBIiE0NlxyHoYzklunmjS468B/JpAgJ9seKkrVGHN2H
+J6wDMMe1i+3qKtqv0+xeTII2W4fPX/Uvhyh0jXa6QbggdjqO4q1pAyC0ruYDmuo1
+D7k5lbVU9j4BRUnK6s8wno/p1sRG61eQDdHj6Ri/svcstk03ZFmTSORE/RaI1pYB
+8QU=
+-----END CERTIFICATE-----