-rw-r--r-- | src/cryptography/hazmat/backends/openssl/backend.py | 17 | ||||
-rw-r--r-- | tests/test_x509.py | 30 |
2 files changed, 45 insertions, 2 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 9df113b6..1c01e83d 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -845,14 +845,16 @@ class Backend(object):
             self._lib.X509_get_notBefore(x509_cert),
             calendar.timegm(builder._not_valid_before.timetuple())
         )
-        self.openssl_assert(res != self._ffi.NULL)
+        if res == self._ffi.NULL:
+            self._raise_time_set_error()
 
         # Set the "not after" time.
         res = self._lib.ASN1_TIME_set(
             self._lib.X509_get_notAfter(x509_cert),
             calendar.timegm(builder._not_valid_after.timetuple())
         )
-        self.openssl_assert(res != self._ffi.NULL)
+        if res == self._ffi.NULL:
+            self._raise_time_set_error()
 
         # Add extensions.
         self._create_x509_extensions(
@@ -883,6 +885,17 @@ class Backend(object):
 
         return _Certificate(self, x509_cert)
 
+    def _raise_time_set_error(self):
+        errors = self._consume_errors()
+        self.openssl_assert(errors[0][1] == self._lib.ERR_LIB_ASN1)
+        self.openssl_assert(
+            errors[0][3] == self._lib.ASN1_R_ERROR_GETTING_TIME
+        )
+        raise ValueError(
+            "Invalid time. This error can occur if you set a time too far in "
+            "the future on Windows."
+        )
+
     def create_x509_crl(self, builder, private_key, algorithm):
         if not isinstance(builder, x509.CertificateRevocationListBuilder):
             raise TypeError('Builder type mismatch.')
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 5d334242..966cba6f 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -8,6 +8,7 @@ import binascii
 import datetime
 import ipaddress
 import os
+import sys
 import warnings
 
 from pyasn1.codec.der import decoder
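Review bot: `_raise_time_set_error` indexes `errors[0]` straight after `_consume_errors()`, so an empty OpenSSL error queue would surface as an IndexError rather than the InternalError that `openssl_assert` produces for the other unexpected cases; add `self.openssl_assert(len(errors) >= 1)` before the two existing assertions. The `[1]` and `[3]` positions presumably are the lib and reason fields of the consumed error record, but that layout is not visible in this hunk and should be confirmed against `_consume_errors`. A one-line docstring would also help, e.g. `"""Drain the OpenSSL error queue after a failed ASN1_TIME_set and raise ValueError for the expected ASN1 time error; anything else is an internal error."""`. The helper is reached from both `ASN1_TIME_set` checks in the first hunk of this file, and `create_x509_certificate` starts before and ends after that hunk.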
@@ -1524,6 +1525,35 @@ class TestCertificateBuilder(object):
             builder.sign(private_key, hashes.SHA256(), backend)
 
+    @pytest.mark.skipif(sys.platform != "win32", reason="Requires windows")
+    @pytest.mark.parametrize(
+        ("not_valid_before", "not_valid_after"),
+        [
+            [datetime.datetime(1999, 1, 1), datetime.datetime(9999, 1, 1)],
+            [datetime.datetime(9999, 1, 1), datetime.datetime(9999, 12, 31)],
+        ]
+    )
+    @pytest.mark.requires_backend_interface(interface=RSABackend)
+    @pytest.mark.requires_backend_interface(interface=X509Backend)
+    def test_invalid_time_windows(self, not_valid_before, not_valid_after,
+                                  backend):
+        private_key = RSA_KEY_2048.private_key(backend)
+        builder = x509.CertificateBuilder().subject_name(x509.Name([
+            x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+        ])).issuer_name(x509.Name([
+            x509.NameAttribute(NameOID.COUNTRY_NAME, u'US'),
+        ])).public_key(
+            private_key.public_key()
+        ).serial_number(
+            777
+        ).not_valid_before(
+            not_valid_before
+        ).not_valid_after(
+            not_valid_after
+        )
+        with pytest.raises(ValueError):
+            builder.sign(private_key, hashes.SHA256(), backend)
+
     @pytest.mark.requires_backend_interface(interface=RSABackend)
     @pytest.mark.requires_backend_interface(interface=X509Backend)
     def test_no_subject_name(self, backend):
|
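Review bot: `test_invalid_time_windows` only asserts that some `ValueError` escapes `builder.sign`, so a `ValueError` raised earlier by the builder's own validation would satisfy it just as well; capturing the exception pins the new backend path, e.g. `with pytest.raises(ValueError) as exc_info:` and then `assert "Invalid time" in str(exc_info.value)` after the block. Because the test is skipped unless `sys.platform == "win32"`, the `_raise_time_set_error` branch has no coverage elsewhere, which is presumably unavoidable since the underlying `ASN1_TIME_set` failure is platform-specific, but worth a comment on the `skipif` line saying so. The enclosing `TestCertificateBuilder` class continues outside the hunk.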