Merge pull request #1859 from reaperhulk/san-unsupported
SAN unsupported type
diff --git a/docs/x509.rst b/docs/x509.rst
index eed88b0..035fa87 100644
--- a/docs/x509.rst
+++ b/docs/x509.rst
@@ -274,6 +274,9 @@
:raises cryptography.x509.UnsupportedExtension: If the certificate
contains an extension that is not supported.
+ :raises cryptography.x509.UnsupportedGeneralNameType: If an extension
+ contains a general name that is not supported.
+
.. doctest::
>>> for ext in cert.extensions:
@@ -964,7 +967,20 @@
Returns the OID.
+.. class:: UnsupportedGeneralNameType
+
+ This is raised when a certificate contains an unsupported general name
+ type in an extension.
+
+ .. attribute:: type
+
+ :type: int
+
+ The integer value of the unsupported type. The complete list of
+ types can be found in `RFC 5280 section 4.2.1.6`_.
+
.. _`public key infrastructure`: https://en.wikipedia.org/wiki/Public_key_infrastructure
.. _`TLS`: https://en.wikipedia.org/wiki/Transport_Layer_Security
.. _`RFC 5280 section 4.2.1.1`: https://tools.ietf.org/html/rfc5280#section-4.2.1.1
+.. _`RFC 5280 section 4.2.1.6`: https://tools.ietf.org/html/rfc5280#section-4.2.1.6
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index dcde5e7..cc4a92a 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -63,6 +63,14 @@
if gn.type == backend._lib.GEN_DNS:
data = backend._ffi.buffer(gn.d.dNSName.data, gn.d.dNSName.length)[:]
return x509.DNSName(idna.decode(data))
+ else:
+ # otherName, x400Address or ediPartyName
+ raise x509.UnsupportedGeneralNameType(
+ "{0} is not a supported type".format(
+ x509._GENERAL_NAMES.get(gn.type, gn.type)
+ ),
+ gn.type
+ )
@utils.register_interface(x509.Certificate)
diff --git a/src/cryptography/x509.py b/src/cryptography/x509.py
index 898ab6c..dd6ea92 100644
--- a/src/cryptography/x509.py
+++ b/src/cryptography/x509.py
@@ -70,6 +70,19 @@
}
+_GENERAL_NAMES = {
+ 0: "otherName",
+ 1: "rfc822Name",
+ 2: "dNSName",
+ 3: "x400Address",
+ 4: "directoryName",
+ 5: "ediPartyName",
+ 6: "uniformResourceIdentifier",
+ 7: "iPAddress",
+ 8: "registeredID",
+}
+
+
class Version(Enum):
v1 = 0
v3 = 2
@@ -115,6 +128,12 @@
self.oid = oid
+class UnsupportedGeneralNameType(Exception):
+ def __init__(self, msg, type):
+ super(UnsupportedGeneralNameType, self).__init__(msg)
+ self.type = type
+
+
class NameAttribute(object):
def __init__(self, oid, value):
if not isinstance(oid, ObjectIdentifier):
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index a7e0415..1283fca 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -757,3 +757,16 @@
dns = san.get_values_for_type(x509.DNSName)
assert dns == [u"www.cryptography.io", u"cryptography.io"]
+
+ def test_unsupported_other_name(self, backend):
+ cert = _load_cert(
+ os.path.join(
+ "x509", "custom", "san_other_name.pem"
+ ),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ with pytest.raises(x509.UnsupportedGeneralNameType) as exc:
+ cert.extensions
+
+ assert exc.value.type == 0