aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/cryptography/hazmat/backends/openssl/backend.py3
-rw-r--r--tests/test_x509.py19
2 files changed, 21 insertions, 1 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 0017b1bd..637b28cc 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -215,7 +215,8 @@ def _encode_subject_alt_name(backend, san):
value = backend._lib.d2i_ASN1_TYPE(
backend._ffi.NULL, data_ptr_ptr, len(alt_name.value)
)
- assert value != backend._ffi.NULL
+ if value == backend._ffi.NULL:
+ raise ValueError("Invalid ASN.1 data")
other_name.type_id = type_id
other_name.value = value
gn.type = backend._lib.GEN_OTHERNAME
diff --git a/tests/test_x509.py b/tests/test_x509.py
index fc1e7931..cb617268 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -1036,6 +1036,25 @@ class TestCertificateSigningRequestBuilder(object):
),
]
+ def test_invalid_asn1_othername(self, backend):
+ private_key = RSA_KEY_2048.private_key(backend)
+
+ builder = x509.CertificateSigningRequestBuilder().subject_name(
+ x509.Name([
+ x509.NameAttribute(x509.OID_COMMON_NAME, u"SAN"),
+ ])
+ ).add_extension(
+ x509.SubjectAlternativeName([
+ x509.OtherName(
+ type_id=x509.ObjectIdentifier("1.2.3.3.3.3"),
+ value=b"\x01\x02\x01\x05"
+ ),
+ ]),
+ critical=False,
+ )
+ with pytest.raises(ValueError):
+ builder.sign(private_key, hashes.SHA256(), backend)
+
def test_subject_alt_name_unsupported_general_name(self, backend):
private_key = RSA_KEY_2048.private_key(backend)
generated by cgit v1.2.3 (git 2.25.1) at 2025-11-18 10:34:15 +0000