Initial code to encode SANs #2085
Conversation
|
This is obviously pretty incomplete, but also I don't understand why it's failing the way it is. |
Current coverage is
|
|
This LGTM right now with the TODOs (GC on GENERAL_NAMES and IDNA support) still required. I assume we're planning to land support for each general name type as a separate PR? So after this DNS PR we'll need ones for URI, RegisteredID, IP, dirname, and email. |
|
That's a good question, do you have any sense of how much code it'll be for On Fri, Jul 3, 2015 at 11:35 AM, Paul Kehrer notifications@github.com
"I disapprove of what you say, but I will defend to the death your right to |
|
RegisteredID will be simple and IP probably will be as well (at least for now since there's no need to handle the netmask stuff in #2095). URI requires IDNA handling again, as does email. dirname requires encoding x509 names, but we have support for that already so that should be reasonably simple. |
|
+1 For a merge when you guys are ready, I've got a branch waiting for testing on some sweet CSR SAN support :-). |
There was a problem hiding this comment.
Handle wildcards here or in a followup PR? Leading periods as well, but that's not hugely important until we support NameConstraints construction I suppose.
There was a problem hiding this comment.
Let's do wildcards now.
On Sun, Jul 5, 2015 at 12:23 PM, Paul Kehrer notifications@github.com
wrote:
In src/cryptography/hazmat/backends/openssl/backend.py
#2085 (comment):@@ -136,6 +138,39 @@ def _encode_basic_constraints(backend, basic_constraints):
return pp, r+def _encode_subject_alt_name(backend, san):
- general_names = backend._lib.GENERAL_NAMES_new()
- assert general_names != backend._ffi.NULL
- general_names = backend._ffi.gc(
general_names, backend._lib.GENERAL_NAMES_free- )
- for alt_name in san:
gn = backend._lib.GENERAL_NAME_new()assert gn != backend._ffi.NULLif isinstance(alt_name, x509.DNSName):gn.type = backend._lib.GEN_DNSia5 = backend._lib.ASN1_IA5STRING_new()assert ia5 != backend._ffi.NULLvalue = idna.encode(alt_name.value)Handle wildcards here or in a followup PR? Leading periods as well, but
that's not hugely important until we support NameConstraints construction I
suppose.—
Reply to this email directly or view it on GitHub
https://github.com/pyca/cryptography/pull/2085/files#r33896147.
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084
There was a problem hiding this comment.
This will leak if the general name is not a DNSName right now.
There was a problem hiding this comment.
ffff. thanks
On Sun, Jul 5, 2015 at 12:32 PM, Paul Kehrer notifications@github.com
wrote:
In src/cryptography/hazmat/backends/openssl/backend.py
#2085 (comment):@@ -136,6 +138,44 @@ def _encode_basic_constraints(backend, basic_constraints):
return pp, r+def _encode_subject_alt_name(backend, san):
- general_names = backend._lib.GENERAL_NAMES_new()
- assert general_names != backend._ffi.NULL
- general_names = backend._ffi.gc(
general_names, backend._lib.GENERAL_NAMES_free- )
- for alt_name in san:
gn = backend._lib.GENERAL_NAME_new()This will leak if the general name is not a DNSName right now.
—
Reply to this email directly or view it on GitHub
https://github.com/pyca/cryptography/pull/2085/files#r33896254.
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084
|
jenkins, retest this please |
No description provided.