diff options
author | Paul Kehrer <paul.l.kehrer@gmail.com> | 2015-08-01 20:45:21 +0100 |
---|---|---|
committer | Paul Kehrer <paul.l.kehrer@gmail.com> | 2015-08-01 20:45:21 +0100 |
commit | a08693f3a71a6537da9cfa7d9dda7781aef2bcdd (patch) | |
tree | 0c54f65a4f9008381f8187e2c2649c82d7ee5485 | |
parent | 0f984369c0f58f0d5db5cb1a6927b550afc89027 (diff) | |
download | cryptography-a08693f3a71a6537da9cfa7d9dda7781aef2bcdd.tar.gz cryptography-a08693f3a71a6537da9cfa7d9dda7781aef2bcdd.tar.bz2 cryptography-a08693f3a71a6537da9cfa7d9dda7781aef2bcdd.zip |
check if the extension decoded to internal openssl repr
...and if not, raise an error (plus consume the error stack)
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/x509.py | 7 | ||||
-rw-r--r-- | tests/test_x509_ext.py | 15 |
2 files changed, 21 insertions, 1 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py index 63e4a177..1c0c3acf 100644 --- a/src/cryptography/hazmat/backends/openssl/x509.py +++ b/src/cryptography/hazmat/backends/openssl/x509.py @@ -235,7 +235,12 @@ class _X509ExtensionParser(object): ) else: d2i = backend._lib.X509V3_EXT_d2i(ext) - assert d2i != backend._ffi.NULL + if d2i == backend._ffi.NULL: + backend._consume_errors() + raise ValueError( + "The {0} extension appears to be corrupt".format(oid) + ) + value = handler(backend, d2i) extensions.append(x509.Extension(oid, critical, value)) diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index 7b135828..2980808f 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -2853,3 +2853,18 @@ class TestInhibitAnyPolicyExtension(object): x509.OID_INHIBIT_ANY_POLICY ).value assert iap.skip_certs == 5 + + +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestCorruptExtension(object): + def test_invalid_certificate_policies_data(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "cp_invalid.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + with pytest.raises(ValueError): + cert.extensions |