don't sort the serial numbers in a parsed CRL (#4457)

* don't sort the serial numbers in a parsed CRL OpenSSL sorts them in place and this breaks the signature and more. fixes #4456 * cache the sorted CRL (but create it lazily) * use the cache decorator
author: Paul Kehrer <paul.l.kehrer@gmail.com> 2018-09-04 15:29:34 -0500
committer: Alex Gaynor <alex.gaynor@gmail.com> 2018-09-04 16:29:34 -0400
commit: 18d49d0c6cd117e82934f65e641c1d830edd20df (patch)
tree: c3e2359961749a613d1b949a95b72b035682125b /tests/x509/test_x509.py
parent: 636ad6052ef0d51dc55ae4dc2b38af15d06ea220 (diff)
download: cryptography-18d49d0c6cd117e82934f65e641c1d830edd20df.tar.gz
cryptography-18d49d0c6cd117e82934f65e641c1d830edd20df.tar.bz2
cryptography-18d49d0c6cd117e82934f65e641c1d830edd20df.zip
1 files changed, 29 insertions, 0 deletions
diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
index a866d813..4ce4d958 100644
--- a/tests/x509/test_x509.py
+++ b/tests/x509/test_x509.py
@@ -550,6 +550,35 @@ class TestRevokedCertificate(object):
         assert crl[2:4][0].serial_number == crl[2].serial_number
         assert crl[2:4][1].serial_number == crl[3].serial_number
 
+    def test_get_revoked_certificate_doesnt_reorder(self, backend):
+        private_key = RSA_KEY_2048.private_key(backend)
+        last_update = datetime.datetime(2002, 1, 1, 12, 1)
+        next_update = datetime.datetime(2030, 1, 1, 12, 1)
+        builder = x509.CertificateRevocationListBuilder().issuer_name(
+            x509.Name([
+                x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA")
+            ])
+        ).last_update(
+            last_update
+        ).next_update(
+            next_update
+        )
+        for i in [2, 500, 3, 49, 7, 1]:
+            revoked_cert = x509.RevokedCertificateBuilder().serial_number(
+                i
+            ).revocation_date(
+                datetime.datetime(2012, 1, 1, 1, 1)
+            ).build(backend)
+            builder = builder.add_revoked_certificate(revoked_cert)
+        crl = builder.sign(private_key, hashes.SHA256(), backend)
+        assert crl[0].serial_number == 2
+        assert crl[2].serial_number == 3
+        # make sure get_revoked_certificate_by_serial_number doesn't affect
+        # ordering after being invoked
+        crl.get_revoked_certificate_by_serial_number(500)
+        assert crl[0].serial_number == 2
+        assert crl[2].serial_number == 3
+
 
 @pytest.mark.requires_backend_interface(interface=RSABackend)
 @pytest.mark.requires_backend_interface(interface=X509Backend)
author	Paul Kehrer <paul.l.kehrer@gmail.com>	2018-09-04 15:29:34 -0500
committer	Alex Gaynor <alex.gaynor@gmail.com>	2018-09-04 16:29:34 -0400
commit	18d49d0c6cd117e82934f65e641c1d830edd20df (patch)
tree	c3e2359961749a613d1b949a95b72b035682125b /tests/x509/test_x509.py
parent	636ad6052ef0d51dc55ae4dc2b38af15d06ea220 (diff)
download	cryptography-18d49d0c6cd117e82934f65e641c1d830edd20df.tar.gz cryptography-18d49d0c6cd117e82934f65e641c1d830edd20df.tar.bz2 cryptography-18d49d0c6cd117e82934f65e641c1d830edd20df.zip