Support parsing embedded SCT extension on X.509 certificates

[alex]

• Add OID (1.3.6.1.4.1.11129.2.4.2)
• Add classes representing the relevant data
• Add bindings for OpenSSL SCT functions
• Support parsing an X.509 extension into the data
• Support encoding the data into an X.509 extension

[3lixy]

Hi, I can see in cryptography.x509.oid that it has
PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS = ( ObjectIdentifier("1.3.6.1.4.1.11129.2.4.2") )
however i am getting UnrecognizedExtension for this extension.

Its value is:
04:82:01:E1:01:DF:00:75:00:DD:EB:1D:2B:7A:0D:4F:A6:20:8B:81:AD:81:68:70:7E:2E:8E:9D:01:D5:5C:88:8D:3D:11:C4:CD:B6:EC:BE:CC:00:00:01:5F:7F:F8:AA:82:00:00:04:03:00:46:30:44:02:20:38:14:02:D7:F3:55:D6:30:01:F4:64:FE:12:84:5E:32:6E:E1:D5:01:05:C3:F1:50:5D:51:D1:20:29:7D:A6:F7:02:20:58:C1:8D:46:4A:ED:BA:A1:D9:05:A9:0B:17:83:51:F8:1E:69:AE:4E:A9:D8:97:C7:68:C2:4E:60:D3:7B:F5:E4:00:76:00:56:14:06:9A:2F:D7:C2:EC:D3:F5:E1:BD:44:B2:3E:C7:46:76:B9:BC:99:11:5C:C0:EF:94:98:55:D6:89:D0:DD:00:00:01:5F:7F:F8:AA:DA:00:00:04:03:00:47:30:45:02:20:0C:CD:09:DE:5C:EA:E9:C9:7E:74:64:F3:1D:C5:72:19:26:6F:92:28:9C:D0:1A:67:43:A0:38:75:13:7E:C1:23:02:21:00:9B:01:9F:AD:C8:6F:07:F1:D0:3E:89:DF:C9:D6:6E:BD:E1:AE:E7:68:30:D1:5F:34:48:56:D5:50:F3:7F:81:8B:00:76:00:A4:B9:09:90:B4:18:58:14:87:BB:13:A2:CC:67:70:0A:3C:35:98:04:F9:1B:DF:B8:E3:77:CD:0E:C8:0D:DC:10:00:00:01:5F:7F:F8:AD:4A:00:00:04:03:00:47:30:45:02:20:3E:27:0F:B4:ED:7C:C4:6E:81:8B:FB:60:7C:5A:B7:FC:67:DA:50:5B:3E:53:ED:54:19:4F:A3:B7:75:40:C8:BC:02:21:00:C2:0D:4D:D0:A0:00:6A:95:0A:21:17:32:D7:CB:B9:DF:9A:8E:23:19:BA:71:59:9E:CF:C3:28:8E:53:52:0E:F8:00:76:00:EE:4B:BD:B7:75:CE:60:BA:E1:42:69:1F:AB:E1:9E:66:A3:0F:7E:5F:B0:72:D8:83:00:C4:7B:89:7A:A8:FD:CB:00:00:01:5F:7F:F8:B0:31:00:00:04:03:00:47:30:45:02:21:00:91:26:1E:19:FF:66:C6:67:E5:54:57:BE:11:7C:FA:10:3A:68:F8:38:42:10:6D:77:09:CA:B4:EF:E2:CA:E6:37:02:20:11:C5:A3:DB:0B:58:3D:CD:2D:C6:74:45:63:9D:68:26:9D:73:8C:30:96:8C:30:1F:89:E1:40:6B:08:56:01:1F

An example cert https://www.wikipedia.org/ has this issue. serial 09de734b91754c1879c0ae4e

I am running cryptography==2.3, Python 3.6.4.

I can post the PEM for the cert if needed.

Done some work on trying to find where the issue is but not real joy:
If I use:
cert.extensions.get_extension_for_oid( x509.ExtensionOID.PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS )
i get:
<Extension(oid=<ObjectIdentifier(oid=1.3.6.1.4.1.11129.2.4.2, name=signedCertificateTimestampList)>, critical=False, value=<UnrecognizedExtension(oid=<ObjectIdentifier(oid=1.3.6.1.4.1.11129.2.4.2, name=signedCertificateTimestampList)>, value=b".......bytes......")>)>
so it seems the oid is identified correctly but the data cannot be parsed?

However i am iterating over the extensions rather than getting them directly using get_extension_for_oid.

import cryptography.x509 as x509
from cryptography.hazmat.backends import default_backend
# response is a python socket essentially
cert = x509.load_der_x509_certificate(
                data=response._sock_stat_peercert_binary,
                backend=default_backend()
            )
for extension in cert.extensions:
  for extension_type in ['AuthorityInformationAccess',
                           'AuthorityKeyIdentifier',
                           'SubjectKeyIdentifier',
                           'KeyUsage',
                           'BasicConstraints',
                           'ExtendedKeyUsage',
                           'CertificatePolicies',
                           'CRLDistributionPoints',
                           'SubjectAlternativeName',
                           'UnrecognizedExtension']:
    if isinstance(extension.value, getattr(x509.extensions, extension_type)):
      # at this point 1.3.6.1.4.1.11129.2.4.2 is UnrecognizedExtension

[reaperhulk]

cryptography requires OpenSSL 1.1.0 to parse SCTs. What is the output of running:

from cryptography.hazmat.backends.openssl.backend import backend

print(backend.openssl_version_text())

[3lixy]

Thanks I have lower than 1.1.0. Will update and try again.