commit f7d1b72c8ab1bd3f198965b9747794c82d270341
author Paul Kehrer <paul.l.kehrer@gmail.com> Thu Aug 06 18:49:45 2015 +0100
committer Paul Kehrer <paul.l.kehrer@gmail.com> Sun Aug 09 10:37:59 2015 -0500
tree d6ff9a7a27f2892420f9cf641678aa20804a45f1
parent 8020e564eaee293dfe743623d75629bd3f51eb87

add support for OCSPNoCheck to the CertificateBuilder

src/cryptography/hazmat/backends/openssl/backend.py

diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index ad88dd9..4ce6d6d 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -155,6 +155,15 @@
     return obj
 
 
+def _encode_ocsp_nocheck(backend, ext):
+    """
+    The OCSP No Check extension is defined as a null ASN.1 value. We can just
+    return that value directly here in the pp, r tuple form the other
+    extension encoding functions use.
+    """
+    return [b"\x05\x00"], 2
+
+
 def _encode_key_usage(backend, key_usage):
     set_bit = backend._lib.ASN1_BIT_STRING_set_bit
     ku = backend._lib.ASN1_BIT_STRING_new()
@@ -485,6 +494,7 @@
     ),
     x509.OID_CRL_DISTRIBUTION_POINTS: _encode_crl_distribution_points,
     x509.OID_INHIBIT_ANY_POLICY: _encode_inhibit_any_policy,
+    x509.OID_OCSP_NO_CHECK: _encode_ocsp_nocheck,
 }
 
 

tests/test_x509.py

diff --git a/tests/test_x509.py b/tests/test_x509.py
index 26bd3cb..c1db026 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -2129,6 +2129,36 @@
         )
         assert ext.value == aki
 
+    def test_ocsp_nocheck(self, backend):
+        issuer_private_key = RSA_KEY_2048.private_key(backend)
+        subject_private_key = RSA_KEY_2048.private_key(backend)
+
+        not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
+        not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
+
+        builder = x509.CertificateBuilder().serial_number(
+            777
+        ).issuer_name(x509.Name([
+            x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+        ])).subject_name(x509.Name([
+            x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+        ])).public_key(
+            subject_private_key.public_key()
+        ).add_extension(
+            x509.OCSPNoCheck(), critical=False
+        ).not_valid_before(
+            not_valid_before
+        ).not_valid_after(
+            not_valid_after
+        )
+
+        cert = builder.sign(issuer_private_key, hashes.SHA256(), backend)
+
+        ext = cert.extensions.get_extension_for_oid(
+            x509.OID_OCSP_NO_CHECK
+        )
+        assert isinstance(ext.value, x509.OCSPNoCheck)
+
 
 @pytest.mark.requires_backend_interface(interface=DSABackend)
 @pytest.mark.requires_backend_interface(interface=X509Backend)