How does one access CSR challengePassword with pyca/cryptography?


I have created a CSR with the challengePassword attribute (OID 1.2.840.113549.1.9.7) via the openssl CLI:

   openssl req -nodes -new -newkey rsa:4096 -out www.example.com.csr -keyout www.example.com.key

I verify that the challengePassword is present via

   openssl req -noout -text -in www.example.com.csr

When I read it in with cryptography.x509.load_pem_x509_csr(), I can find no record of 'Attributes' or this specific oid, e.g.

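   from cryptography import x509
   from cryptography.hazmat.backends import default_backend

   # Read the PEM-encoded CSR produced by the openssl command above
   with open("www.example.com.csr", "rb") as f:
       csr_data = f.read()
   csr = x509.load_pem_x509_csr(csr_data, default_backend())
   print(csr.subject) # Lists expected subject info; countryName, etc.
   CHALLENGE_OID = "1.2.840.113549.1.9.7"
   challenge_att = x509.oid.ObjectIdentifier(CHALLENGE_OID)
   challenge = csr.subject.get_attributes_for_oid(challenge_att) # challenge is []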

Is this Attribute visible anywhere in the resulting object? The pyca/cryptography docs are not helping me out.


Solution

  • A challenge password is an attribute encoded into the CSR. Unfortunately, arbitrary attributes aren't currently supported by pyca/cryptography. There is an open issue for this on GitHub right now but no one has implemented it yet.