Cryptography analyzes the IssuerAlternativeName extension with non-standard URI names.

[onepeople158]

Version:
cryptography-44.0.2

Hello, developer. I used cryptography to parse a CRL file and found an incorrect URI value in the IssuerAlternativeName extension. Is this an issue?

URI="https://1kYj\\[@.cfZGv3T_Tr.D?/zrm3/4WA/Ir}BQ/yR]/0[g?<tX=uR?&K'O={d2}&sG?rLi=<}e>"

Code:

from cryptography.x509 import load_pem_x509_crl, load_der_x509_crl
from cryptography.x509 import ExtensionNotFound
import sys

def load_crl(file_path):
    with open(file_path, "rb") as f:
        crl_data = f.read()
    try:
        crl = load_pem_x509_crl(crl_data)
    except ValueError:
        crl = load_der_x509_crl(crl_data)
    return crl

def print_crl_issuer(file_path):
    crl=load_crl(file_path)
    try:
        for ext in crl.extensions:
              if ext.oid == x509.oid.ExtensionOID.ISSUER_ALTERNATIVE_NAME:
                        print("IAN",ext.value)
    except Exception as e:
        print(f"Error occurred: {e}")

file_path = 'crl_ian_uri.der'
print_crl_issuer(file_path)

Test Case:

crl_ian_uri.zip

[reaperhulk]

No, cryptography deliberately does not validate most general names. We even allow disallowed characters in ia5string due to compatibility requirements.

[onepeople158]

No, cryptography deliberately does not validate most general names. We even allow disallowed characters in ia5string due to compatibility requirements.

I understand.