def parse(self, backend, x509_obj):
    """Decode every extension of *x509_obj* into an ``x509.Extensions``.

    Each extension is dispatched on its OID through ``self.handlers``.
    A critical extension with no handler raises
    ``x509.UnsupportedExtension``; a non-critical one is recorded as seen
    but produces no entry in the result. A repeated OID raises
    ``x509.DuplicateExtension`` and an extension that OpenSSL cannot
    decode (``X509V3_EXT_d2i`` returns NULL) raises ``ValueError`` after
    the OpenSSL error queue has been drained.
    """
    lib = backend._lib
    null = backend._ffi.NULL
    decoded = []
    seen_oids = set()
    for idx in range(self.ext_count(backend, x509_obj)):
        ext = self.get_ext(backend, x509_obj, idx)
        backend.openssl_assert(ext != null)
        critical = lib.X509_EXTENSION_get_critical(ext) == 1
        oid = x509.ObjectIdentifier(_obj2txt(backend, ext.object))
        if oid in seen_oids:
            raise x509.DuplicateExtension(
                "Duplicate {0} extension found".format(oid), oid
            )
        try:
            handler = self.handlers[oid]
        except KeyError:
            # No decoder for this OID: only a critical one is an error.
            if critical:
                raise x509.UnsupportedExtension(
                    "{0} is not currently supported".format(oid), oid
                )
        else:
            d2i = lib.X509V3_EXT_d2i(ext)
            if d2i == null:
                backend._consume_errors()
                raise ValueError(
                    "The {0} extension is invalid and can't be "
                    "parsed".format(oid)
                )
            decoded.append(
                x509.Extension(oid, critical, handler(backend, d2i))
            )
        seen_oids.add(oid)
    return x509.Extensions(decoded)
def parse(self, backend, x509_obj):
    """Decode every extension of *x509_obj* into an ``x509.Extensions``.

    Each extension is dispatched on its OID through ``self.handlers``;
    the handler receives the raw ``X509_EXTENSION`` pointer. A critical
    extension with no handler raises ``x509.UnsupportedExtension``; a
    non-critical one is recorded as seen but produces no entry. A
    repeated OID raises ``x509.DuplicateExtension``.
    """
    lib = backend._lib
    decoded = []
    seen_oids = set()
    for idx in range(self.ext_count(backend, x509_obj)):
        ext = self.get_ext(backend, x509_obj, idx)
        # NOTE: a bare assert is stripped under ``python -O``.
        assert ext != backend._ffi.NULL
        critical = lib.X509_EXTENSION_get_critical(ext) == 1
        oid = x509.ObjectIdentifier(_obj2txt(backend, ext.object))
        if oid in seen_oids:
            raise x509.DuplicateExtension(
                "Duplicate {0} extension found".format(oid), oid
            )
        try:
            handler = self.handlers[oid]
        except KeyError:
            if critical:
                raise x509.UnsupportedExtension(
                    "{0} is not currently supported".format(oid), oid
                )
        else:
            decoded.append(
                x509.Extension(oid, critical, handler(backend, ext))
            )
        seen_oids.add(oid)
    return x509.Extensions(decoded)
def extensions(self):
    """Return the ``x509.Extensions`` decoded from this certificate.

    Only basic constraints, subject key identifier and key usage are
    decoded. Any other critical extension raises
    ``x509.UnsupportedExtension``; any other non-critical extension is
    skipped silently. A repeated OID raises ``x509.DuplicateExtension``.
    """
    backend = self._backend
    lib = backend._lib
    builders = {
        x509.OID_BASIC_CONSTRAINTS: self._build_basic_constraints,
        x509.OID_SUBJECT_KEY_IDENTIFIER: self._build_subject_key_identifier,
        x509.OID_KEY_USAGE: self._build_key_usage,
    }
    decoded = []
    seen_oids = set()
    for idx in range(lib.X509_get_ext_count(self._x509)):
        ext = lib.X509_get_ext(self._x509, idx)
        # NOTE: a bare assert is stripped under ``python -O``.
        assert ext != backend._ffi.NULL
        critical = lib.X509_EXTENSION_get_critical(ext) == 1
        oid = x509.ObjectIdentifier(_obj2txt(backend, ext.object))
        if oid in seen_oids:
            raise x509.DuplicateExtension(
                "Duplicate {0} extension found".format(oid), oid)
        seen_oids.add(oid)
        builder = builders.get(oid)
        if builder is None:
            if critical:
                raise x509.UnsupportedExtension(
                    "{0} is not currently supported".format(oid), oid)
            # Unsupported non-critical extension, silently skipping for now
            continue
        decoded.append(x509.Extension(oid, critical, builder(ext)))
    return x509.Extensions(decoded)
def extensions(self):
    """Return the ``x509.Extensions`` decoded from this certificate.

    Only basic constraints are decoded. A *critical* key usage extension
    is not decoded: a ``warnings.warn`` is emitted and the extension is
    dropped (see the TODO below). Any other critical extension raises
    ``x509.UnsupportedExtension``; any other non-critical extension is
    skipped silently. A repeated OID raises ``x509.DuplicateExtension``.
    """
    backend = self._backend
    lib = backend._lib
    decoded = []
    seen_oids = set()
    for idx in range(lib.X509_get_ext_count(self._x509)):
        ext = lib.X509_get_ext(self._x509, idx)
        # NOTE: a bare assert is stripped under ``python -O``.
        assert ext != backend._ffi.NULL
        critical = lib.X509_EXTENSION_get_critical(ext) == 1
        oid = x509.ObjectIdentifier(_obj2txt(backend, ext.object))
        if oid in seen_oids:
            raise x509.DuplicateExtension(
                "Duplicate {0} extension found".format(oid), oid)
        seen_oids.add(oid)
        if oid == x509.OID_BASIC_CONSTRAINTS:
            decoded.append(x509.Extension(
                oid, critical, self._build_basic_constraints(ext)))
            continue
        if oid == x509.OID_KEY_USAGE and critical:
            # TODO: remove this obviously. RFC 5280 requires a relying
            # party to reject a certificate carrying a critical extension
            # it cannot process; dropping it with only a warning is a
            # temporary stop-gap, not a safe default.
            warnings.warn(
                "Extension support is not fully implemented. A key usage "
                "extension with the critical flag was seen and IGNORED.")
            continue
        if critical:
            raise x509.UnsupportedExtension(
                "{0} is not currently supported".format(oid), oid)
        # Unsupported non-critical extension, silently skipping for now
    return x509.Extensions(decoded)
def parse(self, x509_obj):
    """Decode every extension of *x509_obj* into an ``x509.Extensions``.

    Each extension is handed to ``self.rust_callback`` as a pair of
    (DER-encoded OID bytes, extension value bytes). When the callback
    returns ``None`` the raw value bytes are kept as an
    ``x509.UnrecognizedExtension``. A repeated OID raises
    ``x509.DuplicateExtension``.
    """
    backend = self._backend
    lib = backend._lib
    ffi = backend._ffi
    decoded: typing.List[x509.Extension[x509.ExtensionType]] = []
    seen_oids = set()
    for idx in range(self.ext_count(x509_obj)):
        ext = self.get_ext(x509_obj, idx)
        backend.openssl_assert(ext != ffi.NULL)
        critical = lib.X509_EXTENSION_get_critical(ext) == 1
        oid_ptr = lib.X509_EXTENSION_get_object(ext)
        oid = x509.ObjectIdentifier(_obj2txt(backend, oid_ptr))
        if oid in seen_oids:
            raise x509.DuplicateExtension(
                "Duplicate {} extension found".format(oid), oid)
        # Copy the OID's DER contents and the extension value out of the
        # OpenSSL object before handing both to the callback.
        oid_der_bytes = ffi.buffer(
            lib.Cryptography_OBJ_get0_data(oid_ptr),
            lib.Cryptography_OBJ_length(oid_ptr),
        )[:]
        data_bytes = _asn1_string_to_bytes(
            backend, lib.X509_EXTENSION_get_data(ext))
        value = self.rust_callback(oid_der_bytes, data_bytes)
        if value is None:
            value = x509.UnrecognizedExtension(oid, data_bytes)
        decoded.append(x509.Extension(oid, critical, value))
        seen_oids.add(oid)
    return x509.Extensions(decoded)
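def parse(self, backend, x509_obj):
    """Decode every extension of *x509_obj* into an ``x509.Extensions``.

    TLS feature and precert poison are decoded here with asn1crypto
    because only OpenSSL 1.1.0+ understands them; every other OID is
    looked up in ``self.handlers`` and decoded through
    ``X509V3_EXT_d2i``. An OID with no handler is kept as an
    ``x509.UnrecognizedExtension`` carrying its raw DER payload.

    Raises ``x509.DuplicateExtension`` for a repeated OID and
    ``ValueError`` when an extension payload cannot be decoded.
    """
    extensions = []
    seen_oids = set()
    for i in range(self.ext_count(backend, x509_obj)):
        ext = self.get_ext(backend, x509_obj, i)
        backend.openssl_assert(ext != backend._ffi.NULL)
        crit = backend._lib.X509_EXTENSION_get_critical(ext)
        critical = crit == 1
        oid = x509.ObjectIdentifier(
            _obj2txt(backend, backend._lib.X509_EXTENSION_get_object(ext)))
        if oid in seen_oids:
            raise x509.DuplicateExtension(
                "Duplicate {} extension found".format(oid), oid)
        # These OIDs are only supported in OpenSSL 1.1.0+ but we want
        # to support them in all versions of OpenSSL so we decode them
        # ourselves.
        if oid == ExtensionOID.TLS_FEATURE:
            data = backend._lib.X509_EXTENSION_get_data(ext)
            parsed = _Integers.load(_asn1_string_to_bytes(backend, data))
            # An integer that is not in the mapping surfaces as KeyError.
            value = x509.TLSFeature(
                [_TLS_FEATURE_TYPE_TO_ENUM[x.native] for x in parsed])
            extensions.append(x509.Extension(oid, critical, value))
            seen_oids.add(oid)
            continue
        elif oid == ExtensionOID.PRECERT_POISON:
            data = backend._lib.X509_EXTENSION_get_data(ext)
            parsed = asn1crypto.core.Null.load(
                _asn1_string_to_bytes(backend, data))
            # The payload must be exactly ASN.1 NULL. This is an explicit
            # check rather than ``assert`` so that malformed certificate
            # data is still rejected when Python runs with ``-O``.
            if parsed != asn1crypto.core.Null():
                raise ValueError(
                    "The {} extension is invalid and can't be "
                    "parsed".format(oid))
            extensions.append(
                x509.Extension(oid, critical, x509.PrecertPoison()))
            seen_oids.add(oid)
            continue
        try:
            handler = self.handlers[oid]
        except KeyError:
            # Dump the DER payload into an UnrecognizedExtension object
            data = backend._lib.X509_EXTENSION_get_data(ext)
            backend.openssl_assert(data != backend._ffi.NULL)
            der = backend._ffi.buffer(data.data, data.length)[:]
            unrecognized = x509.UnrecognizedExtension(oid, der)
            extensions.append(x509.Extension(oid, critical, unrecognized))
        else:
            ext_data = backend._lib.X509V3_EXT_d2i(ext)
            if ext_data == backend._ffi.NULL:
                # Drain the OpenSSL error queue so the failure does not
                # leak into a later, unrelated call.
                backend._consume_errors()
                raise ValueError(
                    "The {} extension is invalid and can't be "
                    "parsed".format(oid))
            value = handler(backend, ext_data)
            extensions.append(x509.Extension(oid, critical, value))
        seen_oids.add(oid)
    return x509.Extensions(extensions)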
def parse(self, backend, x509_obj):
    """Decode every extension of *x509_obj* into an ``x509.Extensions``.

    Each extension is dispatched on its OID through ``self.handlers``.
    OIDs listed in ``self.unsupported_exts`` are passed to their handler
    as the raw ``X509_EXTENSION`` pointer; all others go through
    ``X509V3_EXT_d2i`` first. A critical extension with no handler
    raises ``x509.UnsupportedExtension``; a non-critical one is kept as
    an ``x509.UnrecognizedExtension`` holding its DER payload. A repeated
    OID raises ``x509.DuplicateExtension`` and a payload OpenSSL cannot
    decode raises ``ValueError``.
    """
    lib = backend._lib
    ffi = backend._ffi
    decoded = []
    seen_oids = set()
    for idx in range(self.ext_count(backend, x509_obj)):
        ext = self.get_ext(backend, x509_obj, idx)
        backend.openssl_assert(ext != ffi.NULL)
        critical = lib.X509_EXTENSION_get_critical(ext) == 1
        oid = x509.ObjectIdentifier(
            _obj2txt(backend, lib.X509_EXTENSION_get_object(ext))
        )
        if oid in seen_oids:
            raise x509.DuplicateExtension(
                "Duplicate {0} extension found".format(oid), oid
            )
        try:
            handler = self.handlers[oid]
        except KeyError:
            if critical:
                raise x509.UnsupportedExtension(
                    "Critical extension {0} is not currently supported"
                    .format(oid), oid
                )
            # Dump the DER payload into an UnrecognizedExtension object
            data = lib.X509_EXTENSION_get_data(ext)
            backend.openssl_assert(data != ffi.NULL)
            der = ffi.buffer(data.data, data.length)[:]
            decoded.append(
                x509.Extension(
                    oid, critical, x509.UnrecognizedExtension(oid, der)
                )
            )
        else:
            # For extensions which are not supported by OpenSSL we pass the
            # extension object directly to the parsing routine so it can
            # be decoded manually.
            manual = bool(self.unsupported_exts) and oid in self.unsupported_exts
            if manual:
                ext_data = ext
            else:
                ext_data = lib.X509V3_EXT_d2i(ext)
                if ext_data == ffi.NULL:
                    backend._consume_errors()
                    raise ValueError(
                        "The {0} extension is invalid and can't be "
                        "parsed".format(oid)
                    )
            decoded.append(
                x509.Extension(oid, critical, handler(backend, ext_data))
            )
        seen_oids.add(oid)
    return x509.Extensions(decoded)
def extensions(self):
    """Return the ``x509.Extensions`` decoded from this certificate.

    The nine OIDs in the ``builders`` table below are decoded by the
    corresponding ``_build_*`` method. Any other critical extension
    raises ``x509.UnsupportedExtension``; any other non-critical
    extension is skipped silently. A repeated OID raises
    ``x509.DuplicateExtension``.
    """
    backend = self._backend
    lib = backend._lib
    builders = {
        x509.OID_BASIC_CONSTRAINTS: self._build_basic_constraints,
        x509.OID_SUBJECT_KEY_IDENTIFIER: self._build_subject_key_identifier,
        x509.OID_KEY_USAGE: self._build_key_usage,
        x509.OID_SUBJECT_ALTERNATIVE_NAME: self._build_subject_alt_name,
        x509.OID_EXTENDED_KEY_USAGE: self._build_extended_key_usage,
        x509.OID_AUTHORITY_KEY_IDENTIFIER: self._build_authority_key_identifier,
        x509.OID_AUTHORITY_INFORMATION_ACCESS:
            self._build_authority_information_access,
        x509.OID_CERTIFICATE_POLICIES: self._build_certificate_policies,
        x509.OID_CRL_DISTRIBUTION_POINTS: self._build_crl_distribution_points,
    }
    decoded = []
    seen_oids = set()
    for idx in range(lib.X509_get_ext_count(self._x509)):
        ext = lib.X509_get_ext(self._x509, idx)
        # NOTE: a bare assert is stripped under ``python -O``.
        assert ext != backend._ffi.NULL
        critical = lib.X509_EXTENSION_get_critical(ext) == 1
        oid = x509.ObjectIdentifier(_obj2txt(backend, ext.object))
        if oid in seen_oids:
            raise x509.DuplicateExtension(
                "Duplicate {0} extension found".format(oid), oid)
        seen_oids.add(oid)
        builder = builders.get(oid)
        if builder is None:
            if critical:
                raise x509.UnsupportedExtension(
                    "{0} is not currently supported".format(oid), oid)
            # Unsupported non-critical extension, silently skipping for now
            continue
        decoded.append(x509.Extension(oid, critical, builder(ext)))
    return x509.Extensions(decoded)
def parse(self, backend, x509_obj):
    """Decode every extension of *x509_obj* into an ``x509.Extensions``.

    Each extension is dispatched on its OID through ``self.handlers``
    after ``X509V3_EXT_d2i``. An OID with no handler, critical or not,
    is kept as an ``x509.UnrecognizedExtension`` holding its DER
    payload. A repeated OID raises ``x509.DuplicateExtension`` and a
    payload OpenSSL cannot decode raises ``ValueError``.
    """
    lib = backend._lib
    ffi = backend._ffi
    decoded = []
    seen_oids = set()
    for idx in range(self.ext_count(backend, x509_obj)):
        ext = self.get_ext(backend, x509_obj, idx)
        backend.openssl_assert(ext != ffi.NULL)
        critical = lib.X509_EXTENSION_get_critical(ext) == 1
        oid = x509.ObjectIdentifier(
            _obj2txt(backend, lib.X509_EXTENSION_get_object(ext)))
        if oid in seen_oids:
            raise x509.DuplicateExtension(
                "Duplicate {0} extension found".format(oid), oid)
        try:
            handler = self.handlers[oid]
        except KeyError:
            # Dump the DER payload into an UnrecognizedExtension object
            data = lib.X509_EXTENSION_get_data(ext)
            backend.openssl_assert(data != ffi.NULL)
            der = ffi.buffer(data.data, data.length)[:]
            value = x509.UnrecognizedExtension(oid, der)
        else:
            ext_data = lib.X509V3_EXT_d2i(ext)
            if ext_data == ffi.NULL:
                backend._consume_errors()
                raise ValueError(
                    "The {0} extension is invalid and can't be "
                    "parsed".format(oid))
            value = handler(backend, ext_data)
        decoded.append(x509.Extension(oid, critical, value))
        seen_oids.add(oid)
    return x509.Extensions(decoded)
def parse(self, x509_obj):
    """Decode every extension of *x509_obj* into an ``x509.Extensions``.

    TLS feature and precert poison are decoded here with ``DERReader``
    because only OpenSSL 1.1.0+ understands them; every other OID is
    looked up in ``self.handlers`` and decoded through
    ``X509V3_EXT_d2i``. An OID with no handler is kept as an
    ``x509.UnrecognizedExtension`` carrying its raw DER payload.

    Raises ``x509.DuplicateExtension`` for a repeated OID and
    ``ValueError`` when OpenSSL cannot decode a handled extension.
    """
    backend = self._backend
    lib = backend._lib
    ffi = backend._ffi
    decoded = []
    seen_oids = set()
    for idx in range(self.ext_count(x509_obj)):
        ext = self.get_ext(x509_obj, idx)
        backend.openssl_assert(ext != ffi.NULL)
        critical = lib.X509_EXTENSION_get_critical(ext) == 1
        oid = x509.ObjectIdentifier(
            _obj2txt(backend, lib.X509_EXTENSION_get_object(ext)))
        if oid in seen_oids:
            raise x509.DuplicateExtension(
                "Duplicate {} extension found".format(oid), oid)
        # These OIDs are only supported in OpenSSL 1.1.0+ but we want
        # to support them in all versions of OpenSSL so we decode them
        # ourselves.
        if oid == ExtensionOID.TLS_FEATURE:
            # The extension contents are a SEQUENCE OF INTEGERs; read them
            # all before mapping so a DER error surfaces before a lookup
            # error.
            raw = _asn1_string_to_bytes(
                backend, lib.X509_EXTENSION_get_data(ext))
            seq = DERReader(raw).read_single_element(SEQUENCE)
            feature_ids = []
            while not seq.is_empty():
                feature_ids.append(seq.read_element(INTEGER).as_integer())
            value = x509.TLSFeature(
                [_TLS_FEATURE_TYPE_TO_ENUM[f] for f in feature_ids])
        elif oid == ExtensionOID.PRECERT_POISON:
            # The contents of the extension must be an ASN.1 NULL.
            raw = _asn1_string_to_bytes(
                backend, lib.X509_EXTENSION_get_data(ext))
            DERReader(raw).read_single_element(NULL).check_empty()
            value = x509.PrecertPoison()
        else:
            try:
                handler = self.handlers[oid]
            except KeyError:
                # Dump the DER payload into an UnrecognizedExtension object
                data = lib.X509_EXTENSION_get_data(ext)
                backend.openssl_assert(data != ffi.NULL)
                der = ffi.buffer(data.data, data.length)[:]
                value = x509.UnrecognizedExtension(oid, der)
            else:
                ext_data = lib.X509V3_EXT_d2i(ext)
                if ext_data == ffi.NULL:
                    backend._consume_errors()
                    raise ValueError(
                        "The {} extension is invalid and can't be "
                        "parsed".format(oid))
                value = handler(backend, ext_data)
        decoded.append(x509.Extension(oid, critical, value))
        seen_oids.add(oid)
    return x509.Extensions(decoded)
def parse(self, x509_obj):
    """Decode every extension of *x509_obj* into an ``x509.Extensions``.

    When ``self.rust_callback`` is set, every extension is handed to it
    as (DER-encoded OID bytes, extension value bytes) and its return
    value is stored as-is. Otherwise TLS feature and precert poison are
    decoded by the ``asn1`` helpers, every other OID goes through
    ``self.handlers`` and ``X509V3_EXT_d2i``, and an OID with no handler
    is kept as an ``x509.UnrecognizedExtension`` holding its DER payload.

    Raises ``x509.DuplicateExtension`` for a repeated OID and
    ``ValueError`` when OpenSSL cannot decode a handled extension.
    """
    backend = self._backend
    lib = backend._lib
    ffi = backend._ffi
    decoded: typing.List[x509.Extension[x509.ExtensionType]] = []
    seen_oids = set()
    for idx in range(self.ext_count(x509_obj)):
        ext = self.get_ext(x509_obj, idx)
        backend.openssl_assert(ext != ffi.NULL)
        critical = lib.X509_EXTENSION_get_critical(ext) == 1
        oid_ptr = lib.X509_EXTENSION_get_object(ext)
        oid = x509.ObjectIdentifier(_obj2txt(backend, oid_ptr))
        if oid in seen_oids:
            raise x509.DuplicateExtension(
                "Duplicate {} extension found".format(oid), oid)
        if self.rust_callback is not None:
            oid_der_bytes = ffi.buffer(
                lib.Cryptography_OBJ_get0_data(oid_ptr),
                lib.Cryptography_OBJ_length(oid_ptr),
            )[:]
            data_bytes = _asn1_string_to_bytes(
                backend, lib.X509_EXTENSION_get_data(ext))
            # Distinct name: ``ext`` stays the OpenSSL pointer.
            ext_value = self.rust_callback(oid_der_bytes, data_bytes)
            decoded.append(x509.Extension(oid, critical, ext_value))
            seen_oids.add(oid)
            continue
        # These OIDs are only supported in OpenSSL 1.1.0+ but we want
        # to support them in all versions of OpenSSL so we decode them
        # ourselves.
        if oid == ExtensionOID.TLS_FEATURE:
            # The extension contents are a SEQUENCE OF INTEGERs.
            data_bytes = _asn1_string_to_bytes(
                backend, lib.X509_EXTENSION_get_data(ext))
            value = asn1.parse_tls_feature(data_bytes)
        elif oid == ExtensionOID.PRECERT_POISON:
            data_bytes = _asn1_string_to_bytes(
                backend, lib.X509_EXTENSION_get_data(ext))
            value = asn1.parse_precert_poison(data_bytes)
        else:
            try:
                handler = self.handlers[oid]
            except KeyError:
                # Dump the DER payload into an UnrecognizedExtension object
                data = lib.X509_EXTENSION_get_data(ext)
                backend.openssl_assert(data != ffi.NULL)
                der = ffi.buffer(data.data, data.length)[:]
                value = x509.UnrecognizedExtension(oid, der)
            else:
                ext_data = lib.X509V3_EXT_d2i(ext)
                if ext_data == ffi.NULL:
                    backend._consume_errors()
                    raise ValueError(
                        "The {} extension is invalid and can't be "
                        "parsed".format(oid))
                value = handler(backend, ext_data)
        decoded.append(x509.Extension(oid, critical, value))
        seen_oids.add(oid)
    return x509.Extensions(decoded)
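def parse(self, backend, x509_obj):
    """Decode every extension of *x509_obj* into an ``x509.Extensions``.

    TLS feature and precert poison are decoded here with ``DERReader``;
    every other OID is looked up in ``self.handlers`` and decoded through
    ``X509V3_EXT_d2i``. An OID with no handler is kept as an
    ``x509.UnrecognizedExtension`` carrying its raw DER payload.

    Raises ``x509.DuplicateExtension`` for a repeated OID and
    ``ValueError`` when OpenSSL cannot decode a handled extension.
    """
    extensions = []
    seen_oids = set()
    for i in range(self.ext_count(backend, x509_obj)):
        ext = self.get_ext(backend, x509_obj, i)
        backend.openssl_assert(ext != backend._ffi.NULL)
        crit = backend._lib.X509_EXTENSION_get_critical(ext)
        critical = crit == 1
        oid = x509.ObjectIdentifier(
            _obj2txt(backend, backend._lib.X509_EXTENSION_get_object(ext))
        )
        if oid in seen_oids:
            raise x509.DuplicateExtension(
                "Duplicate {} extension found".format(oid), oid
            )
        if oid == ExtensionOID.TLS_FEATURE:
            # Payload is a SEQUENCE OF INTEGER: read every integer first,
            # then map each one to its enum member.
            data = backend._lib.X509_EXTENSION_get_data(ext)
            data_bytes = _asn1_string_to_bytes(backend, data)
            features = DERReader(data_bytes).read_single_element(SEQUENCE)
            parsed = []
            while not features.is_empty():
                parsed.append(features.read_element(INTEGER).as_integer())
            value = x509.TLSFeature(
                [_TLS_FEATURE_TYPE_TO_ENUM[x] for x in parsed]
            )
            extensions.append(x509.Extension(oid, critical, value))
            seen_oids.add(oid)
            continue
        elif oid == ExtensionOID.PRECERT_POISON:
            # The payload must be exactly an ASN.1 NULL. (A misspelled
            # ``PRECERT_POSION`` branch that preceded this one raised
            # AttributeError for every non-TLS-feature extension; it and
            # its duplicate have been removed.)
            data = backend._lib.X509_EXTENSION_get_data(ext)
            reader = DERReader(_asn1_string_to_bytes(backend, data))
            reader.read_single_element(NULL).check_empty()
            extensions.append(x509.Extension(
                oid, critical, x509.PrecertPoison()
            ))
            seen_oids.add(oid)
            continue
        try:
            handler = self.handlers[oid]
        except KeyError:
            # No decoder: keep the raw DER as an UnrecognizedExtension.
            data = backend._lib.X509_EXTENSION_get_data(ext)
            backend.openssl_assert(data != backend._ffi.NULL)
            der = backend._ffi.buffer(data.data, data.length)[:]
            unrecognized = x509.UnrecognizedExtension(oid, der)
            extensions.append(
                x509.Extension(oid, critical, unrecognized)
            )
        else:
            ext_data = backend._lib.X509V3_EXT_d2i(ext)
            if ext_data == backend._ffi.NULL:
                # Drain the OpenSSL error queue before raising so the
                # failure does not leak into a later, unrelated call.
                backend._consume_errors()
                raise ValueError(
                    "The {} extension is invalid and can't be "
                    "parsed".format(oid)
                )
            value = handler(backend, ext_data)
            extensions.append(x509.Extension(oid, critical, value))
        seen_oids.add(oid)
    # Fixed: the return previously referenced the undefined name
    # ``extenions`` and raised NameError on every call.
    return x509.Extensions(extensions)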