OpenSSL asn1 encoder fails to encode IPv[46]Network

[hvenev]

Here's the GeneralName:
x509.general_name.IPAddress(ipaddress.IPv4Network('127.0.0.0',8))

Here's the error:

File "/usr/lib64/python3.5/site-packages/cryptography/x509/base.py", line 526, in sign
    return backend.create_x509_certificate(self, private_key, algorithm)
  File "/usr/lib64/python3.5/site-packages/cryptography/hazmat/backends/multibackend.py", line 388, in create_x509_certificate
    return b.create_x509_certificate(builder, private_key, algorithm)
  File "/usr/lib64/python3.5/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 856, in create_x509_certificate
    gc=True
  File "/usr/lib64/python3.5/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 971, in _create_x509_extensions
    handlers, extension
  File "/usr/lib64/python3.5/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1002, in _create_x509_extension
    ext_struct = encode(self, extension.value)
  File "/usr/lib64/python3.5/site-packages/cryptography/hazmat/backends/openssl/encode_asn1.py", line 518, in _encode_name_constraints
    backend, name_constraints.permitted_subtrees
  File "/usr/lib64/python3.5/site-packages/cryptography/hazmat/backends/openssl/encode_asn1.py", line 553, in _encode_general_subtree
    gs.base = _encode_general_name(backend, name)
  File "/usr/lib64/python3.5/site-packages/cryptography/hazmat/backends/openssl/encode_asn1.py", line 397, in _encode_general_name
    backend, name.value.packed, len(name.value.packed)
AttributeError: 'IPv4Network' object has no attribute 'packed'

Here's the fix:

--- a/src/cryptography/hazmat/backends/openssl/encode_asn1.py
+++ b/src/cryptography/hazmat/backends/openssl/encode_asn1.py
@@ -8,6 +8,8 @@

 import idna

+import ipaddress
+
 import six

 from cryptography import x509
@@ -393,8 +395,20 @@
     elif isinstance(name, x509.IPAddress):
         gn = backend._lib.GENERAL_NAME_new()
         backend.openssl_assert(gn != backend._ffi.NULL)
+        if isinstance(name.value, ipaddress.IPv4Network):
+            packed = (
+                name.value.network_address.packed +
+                ((1<< 32)-name.value.num_addresses).to_bytes( 4, 'big')
+            )
+        elif isinstance(name.value, ipaddress.IPv6Network):
+            packed = (
+                name.value.network_address.packed +
+                ((1<<128)-name.value.num_addresses).to_bytes(16, 'big')
+            )
+        else:
+            packed = name.value.packed
         ipaddr = _encode_asn1_str(
-            backend, name.value.packed, len(name.value.packed)
+            backend, packed, len(packed)
         )
         gn.type = backend._lib.GEN_IPADD
         gn.d.iPAddress = ipaddr

[reaperhulk]

So the bug here is that you can decode name constraints with networks, but can't encode them, correct?

[hvenev]

Encoding is broken. I haven't tested decoding but the code seems to be there so it probably works.