authorPaul Kehrer <paul.l.kehrer@gmail.com>2018-10-24 08:58:07 +0800
committerAlex Gaynor <alex.gaynor@gmail.com>2018-10-23 20:58:07 -0400
commita9b4f86de8a0de2e846a42d9b35c39e88d621bb7 (patch)
treeefef31ddf64ca127c40c48209853c66d2440e46a
parentf6f2d7ebd5b4370be74e8dc267e9b76621147f29 (diff)
next_update is not a required field on OCSP responses (#4513)
-rw-r--r--docs/development/test-vectors.rst2
-rw-r--r--src/cryptography/hazmat/backends/openssl/ocsp.py6
-rw-r--r--tests/x509/test_ocsp.py8
-rw-r--r--vectors/cryptography_vectors/x509/ocsp/resp-revoked-no-next-update.derbin0 -> 283 bytes
4 files changed, 14 insertions, 2 deletions
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
index b56a4c56..e512a902 100644
--- a/docs/development/test-vectors.rst
+++ b/docs/development/test-vectors.rst
@@ -427,6 +427,8 @@ X.509 OCSP Test Vectors
* ``x509/ocsp/resp-revoked-reason.der`` - An OCSP response from the
``QuoVadis`` OCSP responder that contains a revoked certificate with a
revocation reason.
+* ``x509/ocsp/resp-revoked-no-next-update.der`` - An OCSP response that
+ contains a revoked certificate and no ``nextUpdate`` value.
Custom X.509 OCSP Test Vectors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/src/cryptography/hazmat/backends/openssl/ocsp.py b/src/cryptography/hazmat/backends/openssl/ocsp.py
index cd3650ae..32e26a0a 100644
--- a/src/cryptography/hazmat/backends/openssl/ocsp.py
+++ b/src/cryptography/hazmat/backends/openssl/ocsp.py
@@ -278,8 +278,10 @@ class _OCSPResponse(object):
self._backend._ffi.NULL,
asn1_time,
)
- self._backend.openssl_assert(asn1_time[0] != self._backend._ffi.NULL)
- return _parse_asn1_generalized_time(self._backend, asn1_time[0])
+ if asn1_time[0] != self._backend._ffi.NULL:
+ return _parse_asn1_generalized_time(self._backend, asn1_time[0])
+ else:
+ return None
@property
@_requires_successful_response
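Review bot: The new `return None` branch carries no comment or docstring telling callers what an absent `nextUpdate` means, and the diffstat shows no change to the user-facing OCSP documentation. RFC 6960 makes the field optional, so a relying party that enforces freshness by comparing `next_update` with the current time now has to handle `None` explicitly; reading it as "never expires" would let a stale response be accepted indefinitely. I would add above the check `# nextUpdate is OPTIONAL in RFC 6960; None means the responder gave no expiry, so callers must apply their own freshness policy`, and the `else:` after the `return` can be dropped. The enclosing property starts outside the hunk, so whether the return code of the OpenSSL call is checked before this point cannot be seen from here.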
diff --git a/tests/x509/test_ocsp.py b/tests/x509/test_ocsp.py
index 0d44b6da..3ee6a26e 100644
--- a/tests/x509/test_ocsp.py
+++ b/tests/x509/test_ocsp.py
@@ -319,6 +319,14 @@ class TestOCSPResponse(object):
)
assert resp.revocation_reason is x509.ReasonFlags.superseded
+ def test_load_revoked_no_next_update(self):
+ resp = _load_data(
+ os.path.join("x509", "ocsp", "resp-revoked-no-next-update.der"),
+ ocsp.load_der_ocsp_response,
+ )
+ assert resp.serial_number == 16160
+ assert resp.next_update is None
+
def test_response_extensions(self):
resp = _load_data(
os.path.join("x509", "ocsp", "resp-revoked-reason.der"),
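Review bot: `test_load_revoked_no_next_update` pins only the serial number and the missing field, so it would still pass if the rest of the single response were misparsed. Because this commit relaxes the backend's NULL check from an assertion to a branch, the test should also assert the fields that must be present, for example `assert resp.certificate_status == ocsp.OCSPCertStatus.REVOKED` and `assert resp.this_update is not None`. The last three lines of the hunk belong to the next test, which continues outside it.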
diff --git a/vectors/cryptography_vectors/x509/ocsp/resp-revoked-no-next-update.der b/vectors/cryptography_vectors/x509/ocsp/resp-revoked-no-next-update.der
new file mode 100644
index 00000000..c9bb9d6f
--- /dev/null
+++ b/vectors/cryptography_vectors/x509/ocsp/resp-revoked-no-next-update.der
Binary files differ