caucase.utils: Follow cryptography unwillingness to parse long OIDs

7664ca18 · Vincent Pelletier · 0d663926 · 7664ca18 · 7664ca18
Commit 7664ca18 authored Apr 26, 2023 by Vincent Pelletier
Hide whitespace changes
Inline Side-by-side

Showing with 20 additions and 7 deletions

CHANGES.txt CHANGES.txt +4 -0

caucase/utils.py caucase/utils.py +16 -7

No files found.
--- a/CHANGES.txt
+++ b/CHANGES.txt
+0.9.?? (????-??-??)
+===================
+* Fix support for recent (at least >= 40.0.2) cryptography versions
+
 0.9.14 (2022-11-07)
 ===================
 * Janitorial: make updated code checkers happier.

--- a/caucase/utils.py
+++ b/caucase/utils.py
@@ -101,9 +101,21 @@ CAUCASE_POLICY_INFORMATION_AUTO_SIGNED = x509.PolicyInformation(
 CAUCASE_LEGACY_OID_TOP = '2.25.285541874270823339875695650038637483517'
 CAUCASE_LEGACY_OID_AUTO_SIGNED = CAUCASE_LEGACY_OID_TOP + '.0'
 CAUCASE_LEGACY_OID_RESERVED = CAUCASE_LEGACY_OID_TOP + '.999'
-_CAUCASE_LEGACY_OID_AUTO_SIGNED = x509.oid.ObjectIdentifier(
-  CAUCASE_LEGACY_OID_AUTO_SIGNED,
-)
+try:
+  _CAUCASE_LEGACY_OID_AUTO_SIGNED = x509.oid.ObjectIdentifier(
+    CAUCASE_LEGACY_OID_AUTO_SIGNED,
+  )
+except ValueError: # pragma: no-cover
+  # cryptography started raising when instanciating long OIDs somewhere up to
+  # 40.0.2 .
+  _CAUCASE_AUTO_SIGNED_OID_SET = (
+    _CAUCASE_OID_AUTO_SIGNED,
+  )
+else: # pragma: no-cover
+  _CAUCASE_AUTO_SIGNED_OID_SET = (
+    _CAUCASE_OID_AUTO_SIGNED,
+    _CAUCASE_LEGACY_OID_AUTO_SIGNED,
+  )

 def isCertificateAutoSigned(crt):
  """
@@ -123,10 +135,7 @@ def isCertificateAutoSigned(crt):
    pass
  else:
    for policy_information in extension.value:
-      if policy_information.policy_identifier in (
-        _CAUCASE_OID_AUTO_SIGNED,
-        _CAUCASE_LEGACY_OID_AUTO_SIGNED, # BBB
-      ):
+      if policy_information.policy_identifier in _CAUCASE_AUTO_SIGNED_OID_SET:
        return True
  return False