Add RFC 4514 Distinguished Name formatting for Name, RDN and NameAttribute (pyca#4304)

intgr · reaperhulk · commit c3d38b5d80a9 · 2018-12-08T09:26:07.000+08:00
diff --git a/AUTHORS.rst b/AUTHORS.rst
@@ -41,3 +41,4 @@ PGP key fingerprints are enclosed in parentheses.
 * Jeremy Lainé <jeremy.laine@m4x.org>
 * Denis Gladkikh <denis@gladkikh.email>
 * John Pacific <me@johnpacific.com> (2CF6 0381 B5EF 29B7 D48C 2020 7BB9 71A0 E891 44D9)
+* Marti Raudsepp <marti@juffo.org>
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -23,6 +23,10 @@ Changelog
 * Added initial support for parsing PKCS12 files with
   :func:`~cryptography.hazmat.primitives.serialization.pkcs12.load_key_and_certificates`.
 * Added support for :class:`~cryptography.x509.IssuingDistributionPoint`.
+* Added `rfc4514_string()` method to :class:`~cryptography.x509.Name`,
+  :class:`~cryptography.x509.RelativeDistinguishedName` and
+  :class:`~cryptography.x509.NameAttribute` to format the name or component as
+  a RFC 4514 Distinguished Name string.
 
 .. _v2-4-2:
 
diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst
@@ -583,7 +583,7 @@ X.509 CRL (Certificate Revocation List) Object
         .. doctest::
 
             >>> crl.issuer
-            <Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.6, name=countryName)>, value='US')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value='cryptography.io')>])>
+            <Name(C=US, CN=cryptography.io)>
 
     .. attribute:: next_update
 
@@ -1246,6 +1246,14 @@ X.509 CSR (Certificate Signing Request) Builder Object
 
         :return bytes: The DER encoded name.
 
+    .. method:: rfc4514_string()
+
+        .. versionadded:: 2.5
+
+        :return str: Format the given name as a `RFC 4514`_ Distinguished Name
+            string, for example ``CN=mydomain.com, O=My Org, C=US``.
+
+
 .. class:: Version
 
     .. versionadded:: 0.7
@@ -1279,6 +1287,13 @@ X.509 CSR (Certificate Signing Request) Builder Object
 
         The value of the attribute.
 
+    .. method:: rfc4514_string()
+
+        .. versionadded:: 2.5
+
+        :return str: Format the given attribute as a `RFC 4514`_ Distinguished
+            Name string.
+
 
 .. class:: RelativeDistinguishedName(attributes)
 
@@ -1295,6 +1310,13 @@ X.509 CSR (Certificate Signing Request) Builder Object
         :returns: A list of :class:`NameAttribute` instances that match the OID
             provided.  The list should contain zero or one values.
 
+    .. method:: rfc4514_string()
+
+        .. versionadded:: 2.5
+
+        :return str: Format the given RDN set as a `RFC 4514`_ Distinguished
+            Name string.
+
 
 .. class:: ObjectIdentifier
 
@@ -1309,6 +1331,8 @@ X.509 CSR (Certificate Signing Request) Builder Object
 
         The dotted string value of the OID (e.g. ``"2.5.4.3"``)
 
+.. _`RFC 4514`: https://tools.ietf.org/html/rfc4514
+
 .. _general_name_classes:
 
 General Name Classes
diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py
@@ -541,8 +541,8 @@ def __init__(self, full_name, relative_name, reasons, crl_issuer):
     def __repr__(self):
         return (
             "<DistributionPoint(full_name={0.full_name}, relative_name={0.rela"
-            "tive_name}, reasons={0.reasons}, crl_issuer={0.crl_is"
-            "suer})>".format(self)
+            "tive_name}, reasons={0.reasons}, crl_issuer={0.crl_issuer})>"
+            .format(self)
         )
 
     def __eq__(self, other):
diff --git a/src/cryptography/x509/name.py b/src/cryptography/x509/name.py
@@ -36,6 +36,41 @@ class _ASN1Type(Enum):
     NameOID.DOMAIN_COMPONENT: _ASN1Type.IA5String,
 }
 
+#: Short attribute names from RFC 4514:
+#: https://tools.ietf.org/html/rfc4514#page-7
+_NAMEOID_TO_NAME = {
+    NameOID.COMMON_NAME: 'CN',
+    NameOID.LOCALITY_NAME: 'L',
+    NameOID.STATE_OR_PROVINCE_NAME: 'ST',
+    NameOID.ORGANIZATION_NAME: 'O',
+    NameOID.ORGANIZATIONAL_UNIT_NAME: 'OU',
+    NameOID.COUNTRY_NAME: 'C',
+    NameOID.STREET_ADDRESS: 'STREET',
+    NameOID.DOMAIN_COMPONENT: 'DC',
+    NameOID.USER_ID: 'UID',
+}
+
+
+def _escape_dn_value(val):
+    """Escape special characters in RFC4514 Distinguished Name value."""
+
+    # See https://tools.ietf.org/html/rfc4514#section-2.4
+    val = val.replace('\\', '\\\\')
+    val = val.replace('"', '\\"')
+    val = val.replace('+', '\\+')
+    val = val.replace(',', '\\,')
+    val = val.replace(';', '\\;')
+    val = val.replace('<', '\\<')
+    val = val.replace('>', '\\>')
+    val = val.replace('\0', '\\00')
+
+    if val[0] in ('#', ' '):
+        val = '\\' + val
+    if val[-1] == ' ':
+        val = val[:-1] + '\\ '
+
+    return val
+
 
 class NameAttribute(object):
     def __init__(self, oid, value, _type=_SENTINEL):
@@ -80,6 +115,16 @@ def __init__(self, oid, value, _type=_SENTINEL):
     oid = utils.read_only_property("_oid")
     value = utils.read_only_property("_value")
 
+    def rfc4514_string(self):
+        """
+        Format as RFC4514 Distinguished Name string.
+
+        Use short attribute name if available, otherwise fall back to OID
+        dotted string.
+        """
+        key = _NAMEOID_TO_NAME.get(self.oid, self.oid.dotted_string)
+        return '%s=%s' % (key, _escape_dn_value(self.value))
+
     def __eq__(self, other):
         if not isinstance(other, NameAttribute):
             return NotImplemented
@@ -117,6 +162,15 @@ def __init__(self, attributes):
     def get_attributes_for_oid(self, oid):
         return [i for i in self if i.oid == oid]
 
+    def rfc4514_string(self):
+        """
+        Format as RFC4514 Distinguished Name string.
+
+        Within each RDN, attributes are joined by '+', although that is rarely
+        used in certificates.
+        """
+        return '+'.join(attr.rfc4514_string() for attr in self._attributes)
+
     def __eq__(self, other):
         if not isinstance(other, RelativeDistinguishedName):
             return NotImplemented
@@ -136,7 +190,7 @@ def __len__(self):
         return len(self._attributes)
 
     def __repr__(self):
-        return "<RelativeDistinguishedName({0!r})>".format(list(self))
+        return "<RelativeDistinguishedName({0})>".format(self.rfc4514_string())
 
 
 class Name(object):
@@ -154,6 +208,18 @@ def __init__(self, attributes):
                 " or a list RelativeDistinguishedName"
             )
 
+    def rfc4514_string(self):
+        """
+        Format as RFC4514 Distinguished Name string.
+        For example 'CN=foobar.com,O=Foo Corp,C=US'
+
+        An X.509 name is a two-level structure: a list of sets of attributes.
+        Each list element is separated by ',' and within each list element, set
+        elements are separated by '+'. The latter is almost never used in
+        real world certificates.
+        """
+        return ', '.join(attr.rfc4514_string() for attr in self._attributes)
+
     def get_attributes_for_oid(self, oid):
         return [i for i in self if i.oid == oid]
 
@@ -187,4 +253,4 @@ def __len__(self):
         return sum(len(rdn) for rdn in self._attributes)
 
     def __repr__(self):
-        return "<Name({0!r})>".format(list(self))
+        return "<Name({0})>".format(self.rfc4514_string())
diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
@@ -1138,30 +1138,11 @@ def test_certificate_repr(self, backend):
             x509.load_pem_x509_certificate,
             backend
         )
-        if not six.PY2:
-            assert repr(cert) == (
-                "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
-                "ier(oid=2.5.4.11, name=organizationalUnitName)>, value='GT487"
-                "42965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11, "
-                "name=organizationalUnitName)>, value='See www.rapidssl.com/re"
-                "sources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier(oi"
-                "d=2.5.4.11, name=organizationalUnitName)>, value='Domain Cont"
-                "rol Validated - RapidSSL(R)')>, <NameAttribute(oid=<ObjectIde"
-                "ntifier(oid=2.5.4.3, name=commonName)>, value='www.cryptograp"
-                "hy.io')>])>, ...)>"
-            )
-        else:
-            assert repr(cert) == (
-                "<Certificate(subject=<Name([<NameAttribute(oid=<ObjectIdentif"
-                "ier(oid=2.5.4.11, name=organizationalUnitName)>, value=u'GT48"
-                "742965')>, <NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.11,"
-                " name=organizationalUnitName)>, value=u'See www.rapidssl.com/"
-                "resources/cps (c)14')>, <NameAttribute(oid=<ObjectIdentifier("
-                "oid=2.5.4.11, name=organizationalUnitName)>, value=u'Domain C"
-                "ontrol Validated - RapidSSL(R)')>, <NameAttribute(oid=<Object"
-                "Identifier(oid=2.5.4.3, name=commonName)>, value=u'www.crypto"
-                "graphy.io')>])>, ...)>"
-            )
+        assert repr(cert) == (
+            "<Certificate(subject=<Name(OU=GT48742965, OU=See www.rapidssl.com"
+            "/resources/cps (c)14, OU=Domain Control Validated - RapidSSL(R), "
+            "CN=www.cryptography.io)>, ...)>"
+        )
 
     def test_parse_tls_feature_extension(self, backend):
         cert = _load_cert(
@@ -3933,6 +3914,18 @@ def test_repr(self):
                 "nName)>, value=u'value')>"
             )
 
+    def test_distinugished_name(self):
+        # Escaping
+        na = x509.NameAttribute(NameOID.COMMON_NAME, u'James "Jim" Smith, III')
+        assert na.rfc4514_string() == r'CN=James \"Jim\" Smith\, III'
+        na = x509.NameAttribute(NameOID.USER_ID, u'# escape+,;\0this ')
+        assert na.rfc4514_string() == r'UID=\# escape\+\,\;\00this\ '
+
+        # Nonstandard attribute OID
+        na = x509.NameAttribute(NameOID.EMAIL_ADDRESS, u'somebody@example.com')
+        assert (na.rfc4514_string() ==
+                '1.2.840.113549.1.9.1=somebody@example.com')
+
 
 class TestRelativeDistinguishedName(object):
     def test_init_empty(self):
@@ -4120,20 +4113,23 @@ def test_repr(self):
             x509.NameAttribute(NameOID.ORGANIZATION_NAME, u'PyCA'),
         ])
 
-        if not six.PY2:
-            assert repr(name) == (
-                "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
-                "=commonName)>, value='cryptography.io')>, <NameAttribute(oid="
-                "<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, valu"
-                "e='PyCA')>])>"
-            )
-        else:
-            assert repr(name) == (
-                "<Name([<NameAttribute(oid=<ObjectIdentifier(oid=2.5.4.3, name"
-                "=commonName)>, value=u'cryptography.io')>, <NameAttribute(oid"
-                "=<ObjectIdentifier(oid=2.5.4.10, name=organizationName)>, val"
-                "ue=u'PyCA')>])>"
-            )
+        assert repr(name) == "<Name(CN=cryptography.io, O=PyCA)>"
+
+    def test_rfc4514_string(self):
+        n = x509.Name([
+            x509.RelativeDistinguishedName([
+                x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Sales'),
+                x509.NameAttribute(NameOID.COMMON_NAME, u'J.  Smith'),
+            ]),
+            x509.RelativeDistinguishedName([
+                x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'example'),
+            ]),
+            x509.RelativeDistinguishedName([
+                x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'net'),
+            ]),
+        ])
+        assert (n.rfc4514_string() ==
+                'OU=Sales+CN=J.  Smith, DC=example, DC=net')
 
     def test_not_nameattribute(self):
         with pytest.raises(TypeError):
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
@@ -1135,16 +1135,14 @@ def test_repr(self):
         if not six.PY2:
             assert repr(aki) == (
                 "<AuthorityKeyIdentifier(key_identifier=b'digest', authority_"
-                "cert_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid="
-                "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>, value='myC"
-                "N')>])>)>], authority_cert_serial_number=1234)>"
+                "cert_issuer=[<DirectoryName(value=<Name(CN=myCN)>)>], author"
+                "ity_cert_serial_number=1234)>"
             )
         else:
             assert repr(aki) == (
-                "<AuthorityKeyIdentifier(key_identifier='digest', authority_ce"
-                "rt_issuer=[<DirectoryName(value=<Name([<NameAttribute(oid=<Ob"
-                "jectIdentifier(oid=2.5.4.3, name=commonName)>, value=u'myCN')"
-                ">])>)>], authority_cert_serial_number=1234)>"
+                "<AuthorityKeyIdentifier(key_identifier='digest', authority_"
+                "cert_issuer=[<DirectoryName(value=<Name(CN=myCN)>)>], author"
+                "ity_cert_serial_number=1234)>"
             )
 
     def test_eq(self):
@@ -1719,16 +1717,7 @@ def test_not_name(self):
     def test_repr(self):
         name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'value1')])
         gn = x509.DirectoryName(name)
-        if not six.PY2:
-            assert repr(gn) == (
-                "<DirectoryName(value=<Name([<NameAttribute(oid=<ObjectIdentif"
-                "ier(oid=2.5.4.3, name=commonName)>, value='value1')>])>)>"
-            )
-        else:
-            assert repr(gn) == (
-                "<DirectoryName(value=<Name([<NameAttribute(oid=<ObjectIdentif"
-                "ier(oid=2.5.4.3, name=commonName)>, value=u'value1')>])>)>"
-            )
+        assert repr(gn) == "<DirectoryName(value=<Name(CN=value1)>)>"
 
     def test_eq(self):
         name = x509.Name([
@@ -3656,22 +3645,16 @@ def test_repr(self):
         if not six.PY2:
             assert repr(dp) == (
                 "<DistributionPoint(full_name=None, relative_name=<RelativeDis"
-                "tinguishedName([<NameAttribute(oid=<ObjectIdentifier(oid=2.5."
-                "4.3, name=commonName)>, value='myCN')>])>, reasons=frozenset("
-                "{<ReasonFlags.ca_compromise: 'cACompromise'>}), crl_issuer=[<"
-                "DirectoryName(value=<Name([<NameAttribute(oid=<ObjectIdentifi"
-                "er(oid=2.5.4.3, name=commonName)>, value='Important CA')>])>)"
-                ">])>"
+                "tinguishedName(CN=myCN)>, reasons=frozenset({<ReasonFlags.ca_"
+                "compromise: 'cACompromise'>}), crl_issuer=[<DirectoryName(val"
+                "ue=<Name(CN=Important CA)>)>])>"
             )
         else:
             assert repr(dp) == (
                 "<DistributionPoint(full_name=None, relative_name=<RelativeDis"
-                "tinguishedName([<NameAttribute(oid=<ObjectIdentifier(oid=2.5."
-                "4.3, name=commonName)>, value=u'myCN')>])>, reasons=frozenset"
-                "([<ReasonFlags.ca_compromise: 'cACompromise'>]), crl_issuer=["
-                "<DirectoryName(value=<Name([<NameAttribute(oid=<ObjectIdentif"
-                "ier(oid=2.5.4.3, name=commonName)>, value=u'Important CA')>])"
-                ">)>])>"
+                "tinguishedName(CN=myCN)>, reasons=frozenset([<ReasonFlags.ca_"
+                "compromise: 'cACompromise'>]), crl_issuer=[<DirectoryName(val"
+                "ue=<Name(CN=Important CA)>)>])>"
             )
 
     def test_hash(self):

-Original file line number
+Diff line change
 * Jeremy Lainé <[email protected]>
 * Denis Gladkikh <[email protected]>
 * John Pacific <[email protected]> (2CF6 0381 B5EF 29B7 D48C 2020 7BB9 71A0 E891 44D9)
 +* Marti Raudsepp <[email protected]>