diff options
author | Paul Kehrer <paul.l.kehrer@gmail.com> | 2015-07-10 20:51:36 -0500 |
---|---|---|
committer | Paul Kehrer <paul.l.kehrer@gmail.com> | 2015-07-11 22:20:45 -0500 |
commit | 500ed9dac5934f19da1440f47df4640681c5404a (patch) | |
tree | db211b25df4c76bccb5a9ccf974733494f2c6a36 | |
parent | 22f5fbb4def79519becd5b247e32a87c9bd8adeb (diff) | |
download | cryptography-500ed9dac5934f19da1440f47df4640681c5404a.tar.gz cryptography-500ed9dac5934f19da1440f47df4640681c5404a.tar.bz2 cryptography-500ed9dac5934f19da1440f47df4640681c5404a.zip |
raise a nice error if bad ASN.1 is provided
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/backend.py | 3 | ||||
-rw-r--r-- | tests/test_x509.py | 19 |
2 files changed, 21 insertions, 1 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 0017b1bd..637b28cc 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -215,7 +215,8 @@ def _encode_subject_alt_name(backend, san): value = backend._lib.d2i_ASN1_TYPE( backend._ffi.NULL, data_ptr_ptr, len(alt_name.value) ) - assert value != backend._ffi.NULL + if value == backend._ffi.NULL: + raise ValueError("Invalid ASN.1 data") other_name.type_id = type_id other_name.value = value gn.type = backend._lib.GEN_OTHERNAME diff --git a/tests/test_x509.py b/tests/test_x509.py index fc1e7931..cb617268 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -1036,6 +1036,25 @@ class TestCertificateSigningRequestBuilder(object): ), ] + def test_invalid_asn1_othername(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + + builder = x509.CertificateSigningRequestBuilder().subject_name( + x509.Name([ + x509.NameAttribute(x509.OID_COMMON_NAME, u"SAN"), + ]) + ).add_extension( + x509.SubjectAlternativeName([ + x509.OtherName( + type_id=x509.ObjectIdentifier("1.2.3.3.3.3"), + value=b"\x01\x02\x01\x05" + ), + ]), + critical=False, + ) + with pytest.raises(ValueError): + builder.sign(private_key, hashes.SHA256(), backend) + def test_subject_alt_name_unsupported_general_name(self, backend): private_key = RSA_KEY_2048.private_key(backend) |