diff options
| -rw-r--r-- | docs/development/test-vectors.rst | 1 | ||||
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/x509.py | 13 | ||||
| -rw-r--r-- | tests/test_x509.py | 8 | ||||
| -rw-r--r-- | vectors/cryptography_vectors/x509/custom/crl_empty.pem | 12 |
4 files changed, 27 insertions, 7 deletions
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 2f49047d..9e8eb388 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -304,6 +304,7 @@ Custom X.509 Certificate Revocation List Vectors an unsupported reason code. * ``crl_inval_cert_issuer_entry_ext.pem`` - Contains a CRL with one revocation which has one entry extension for certificate issuer with an empty value. +* ``crl_empty.pem`` - Contains a CRL with no revoked certificates. Hashes ~~~~~~ diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py index 4e91bf43..f50a0d5d 100644 --- a/src/cryptography/hazmat/backends/openssl/x509.py +++ b/src/cryptography/hazmat/backends/openssl/x509.py @@ -835,14 +835,13 @@ class _CertificateRevocationList(object): def _revoked_certificates(self): revoked = self._backend._lib.X509_CRL_get_REVOKED(self._x509_crl) - self._backend.openssl_assert(revoked != self._backend._ffi.NULL) - - num = self._backend._lib.sk_X509_REVOKED_num(revoked) revoked_list = [] - for i in range(num): - r = self._backend._lib.sk_X509_REVOKED_value(revoked, i) - self._backend.openssl_assert(r != self._backend._ffi.NULL) - revoked_list.append(_RevokedCertificate(self._backend, r)) + if revoked != self._backend._ffi.NULL: + num = self._backend._lib.sk_X509_REVOKED_num(revoked) + for i in range(num): + r = self._backend._lib.sk_X509_REVOKED_value(revoked, i) + self._backend.openssl_assert(r != self._backend._ffi.NULL) + revoked_list.append(_RevokedCertificate(self._backend, r)) return revoked_list diff --git a/tests/test_x509.py b/tests/test_x509.py index 67066f04..5e5944a4 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -299,6 +299,14 @@ class TestRevokedCertificate(object): assert len(flags) == 0 + def test_no_revoked_certs(self, backend): + crl = _load_cert( + os.path.join("x509", "custom", "crl_empty.pem"), + x509.load_pem_x509_crl, + backend + ) + assert len(crl) == 0 + def test_duplicate_entry_ext(self, backend): crl = _load_cert( os.path.join("x509", "custom", "crl_dup_entry_ext.pem"), diff --git a/vectors/cryptography_vectors/x509/custom/crl_empty.pem b/vectors/cryptography_vectors/x509/custom/crl_empty.pem new file mode 100644 index 00000000..3de41831 --- /dev/null +++ b/vectors/cryptography_vectors/x509/custom/crl_empty.pem @@ -0,0 +1,12 @@ +-----BEGIN X509 CRL----- +MIIBxTCBrgIBATANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJVUzERMA8GA1UE +CAwISWxsaW5vaXMxEDAOBgNVBAcMB0NoaWNhZ28xETAPBgNVBAoMCHI1MDkgTExD +MRowGAYDVQQDDBFyNTA5IENSTCBEZWxlZ2F0ZRcNMTUxMjIwMjM0NDQ3WhcNMTUx +MjI4MDA0NDQ3WqAZMBcwCgYDVR0UBAMCAQEwCQYDVR0jBAIwADANBgkqhkiG9w0B +AQUFAAOCAQEAXebqoZfEVAC4NcSEB5oGqUviUn/AnY6TzB6hUe8XC7yqEkBcyTgk +G1Zq+b+T/5X1ewTldvuUqv19WAU/Epbbu4488PoH5qMV8Aii2XcotLJOR9OBANp0 +Yy4ir/n6qyw8kM3hXJloE+xgkELhd5JmKCnlXihM1BTl7Xp7jyKeQ86omR+DhItb +CU+9RoqOK9Hm087Z7RurXVrz5RKltQo7VLCp8VmrxFwfALCZENXGEQ+g5VkvoCjc +ph5jqOSyzp7aZy1pnLE/6U6V32ItskrwqA+x4oj2Wvzir/Q23y2zYfqOkuq4fTd2 +lWW+w5mB167fIWmd6efecDn1ZqbdECDPUg== +-----END X509 CRL----- |