
UnrecognizedExtension constructor does not DER encode data #9937

Closed
wpd opened this issue Nov 28, 2023 · 2 comments
Labels
waiting-on-reporter Issue is waiting on a reply from the reporter. It will be automatically closed if there is no reply.

Comments

@wpd

wpd commented Nov 28, 2023

  • Versions of:
    • Python: 3.8.10
    • cryptography: 41.0.5
    • cffi, pip, and setuptools: (immaterial, imho)
  • How you installed cryptography: `pip install cryptography`

  • Clear steps for reproducing your bug

```python
>>> from cryptography import x509
>>> x = x509.UnrecognizedExtension(x509.ObjectIdentifier("1.2.3.4.5.6"), b"abc")
>>> x.value
b'abc'
```

The output does not represent the DER encoded version of the byte string b"abc" (which I would have expected, according to the docs).

If I add this extension to a CSR or (presumably, although I haven't tried that yet) a certificate, serialize the CSR, and view the hex dump, I see the extension encoded as an OCTET STREAM (tag 0x04):

```text
000002c0: 0183 8c3c 0604 0361 6263 300d 0609 2a86  ...<...abc0...*.
```

(note the 04 0361 6263 embedded in the hex dump).

It seems like #9283 might get me closer to what I want, but I'm not sure.

It would be nice if I could provide b"\x04\x03abc" in the constructor for UnrecognizedExtension and have that be serialized unmodified.

It would be nicer if, should I provide a byte string in the constructor, it would be serialized as an OCTET STREAM, but if I were to provide a regular string in the constructor, it would be serialized as a UTF8String.

It would be amazingly nice if, should I provide a pure ASCII string, it would be serialized as a PrintableString, but only on alternate Tuesdays when the code knew that was what I wanted... okay, I guess I'm asking for too much there.

But perhaps a better alternative would be to examine the tag and length fields of a byte string, and if the length matches the length of the string, and the tag is reasonable (or perhaps even ignore the tag), accept the byte string as already having been DER encoded.

Right now, I'm kinda stuck, as I'm not sure how to embed a custom PrintableString extension in my CRL or cert.

@alex
Member

alex commented Nov 28, 2023

The argument to UnrecognizedExtension should be DER-encoded bytes. That is to say, if you want a printable string like you said, you DER encode it yourself and pass it there.

The reason you're seeing the argument wrapped in an octet string is that all X.509 extensions get wrapped in an octet string, per the RFC. So an X.509 extension that's a bool would be encoded as \x04\x03\x01\x01\xff, and you could accomplish this by passing b"\x01\x01\xff" to the UnrecognizedExtension constructor.

#9283 discusses APIs for DER deserialization, and not serialization, though if we choose to add one we'll likely to do the other as well.

Hopefully that gives you what you need to accomplish your task.
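The following is an added example (not code from pyca/cryptography or from either participant) that spells out what the two comments above describe: hand-encoding a PrintableString, a UTF8String, and a BOOLEAN as DER so the bytes can be passed to `x509.UnrecognizedExtension`, the OCTET STRING wrapper that the serializer adds around every extension value (which is why `04 03 61 62 63` appeared in the hex dump), and the "does the tag and length match the buffer" sanity check the reporter proposed, written here as a pre-flight validation rather than a library feature. It uses only the standard library; the `cryptography` import at the bottom is optional and guarded. The OID `1.2.3.4.5.6` is the reporter's own placeholder, and the function names are this example's, not the library's.

```python
"""DER helpers for the bytes that x509.UnrecognizedExtension expects.

Added example, not code from pyca/cryptography.  Function names here
(der_tlv, looks_like_der, ...) are this example's own.
"""
import string

TAG_BOOLEAN = 0x01
TAG_OCTET_STRING = 0x04
TAG_UTF8STRING = 0x0C
TAG_PRINTABLESTRING = 0x13

# Character repertoire of an ASN.1 PrintableString (X.680), a subset of ASCII.
_PRINTABLE = set(string.ascii_letters + string.digits + " '()+,-./:=?")


def der_length(n: int) -> bytes:
    """Definite-form DER length: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """Generic TLV: one-byte tag, DER length, then the content octets."""
    return bytes([tag]) + der_length(len(content)) + content


def der_printable_string(s: str) -> bytes:
    """Encode s as PrintableString; refuse characters outside the allowed set."""
    if not set(s) <= _PRINTABLE:
        raise ValueError("not representable as PrintableString: %r" % s)
    return der_tlv(TAG_PRINTABLESTRING, s.encode("ascii"))


def der_utf8_string(s: str) -> bytes:
    """Encode s as UTF8String."""
    return der_tlv(TAG_UTF8STRING, s.encode("utf-8"))


def der_boolean(value: bool) -> bytes:
    """Encode a BOOLEAN; DER requires 0xFF for TRUE."""
    return der_tlv(TAG_BOOLEAN, b"\xff" if value else b"\x00")


def wrap_extension_value(der_value: bytes) -> bytes:
    """The extnValue OCTET STRING wrapper added at serialization (RFC 5280 s4.1)."""
    return der_tlv(TAG_OCTET_STRING, der_value)


def looks_like_der(data: bytes) -> bool:
    """Reporter's suggested check: exactly one TLV whose length covers the rest.

    Catches the b"abc" mistake from the issue (0x61 'a' read as a tag, 0x62
    'b' as a length of 98) before the value reaches the extension constructor.
    Single-byte tags and definite lengths only; that is all DER extension
    values in practice need.
    """
    if len(data) < 2:
        return False
    tag, first = data[0], data[1]
    if tag & 0x1F == 0x1F:          # high-tag-number form: not handled here
        return False
    if first == 0x80:               # indefinite length is BER, never DER
        return False
    if first & 0x80:                # long form
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length = int.from_bytes(data[2:2 + n], "big")
        if length < 0x80 or data[2] == 0:   # DER demands the shortest encoding
            return False
        header = 2 + n
    else:                           # short form
        length, header = first, 2
    return header + length == len(data)


if __name__ == "__main__":
    value = der_printable_string("abc")
    assert looks_like_der(value)
    print("PrintableString value to pass in:", value.hex())
    print("as it appears inside the certificate:", wrap_extension_value(value).hex())
    try:
        from cryptography import x509
    except ImportError:             # optional: only to show the hand-off
        x509 = None
    if x509 is not None:
        ext = x509.UnrecognizedExtension(x509.ObjectIdentifier("1.2.3.4.5.6"), value)
        print("ext.value round-trips unchanged:", ext.value == value)
```

Running it with `cryptography` installed shows `ext.value` holding the `13 03 61 62 63` bytes unchanged, and a CSR built with `add_extension(ext, critical=False)` would then serialize them inside the `04 05 ...` OCTET STRING wrapper, exactly the structure the hex dump in the report shows for the un-encoded `b"abc"`.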

@alex alex added the waiting-on-reporter Issue is waiting on a reply from the reporter. It will be automatically closed if there is no reply. label Nov 28, 2023
@wpd
Author

wpd commented Nov 28, 2023

Ohhhhhhhhhhhhhhh. Sorry for the spam. Thanks for the quick answer.

@wpd wpd closed this as completed Nov 28, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 27, 2024