Diffstat (limited to 'src')
-rw-r--r--src/cryptography/hazmat/backends/openssl/x509.py14
1 files changed, 12 insertions, 2 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index a7a2c70d..ad838b7f 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -238,11 +238,21 @@ class _CertificateRevocationList(object):
h.update(der)
return h.finalize()
+ @utils.cached_property
+ def _sorted_crl(self):
+ # X509_CRL_get0_by_serial sorts in place, which breaks a variety of
+ # things we don't want to break (like iteration and the signature).
+ # Let's dupe it and sort that instead.
+ dup = self._backend._lib.X509_CRL_dup(self._x509_crl)
+ self._backend.openssl_assert(dup != self._backend._ffi.NULL)
+ dup = self._backend._ffi.gc(dup, self._backend._lib.X509_CRL_free)
+ return dup
+
def get_revoked_certificate_by_serial_number(self, serial_number):
revoked = self._backend._ffi.new("X509_REVOKED **")
asn1_int = _encode_asn1_int_gc(self._backend, serial_number)
res = self._backend._lib.X509_CRL_get0_by_serial(
- self._x509_crl, revoked, asn1_int
+ self._sorted_crl, revoked, asn1_int
)
if res == 0:
return None
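Review bot: `_sorted_crl` has no docstring, and its comment does not say that the duplicate is cached for the lifetime of the object, so after the first serial-number lookup each CRL object holds two full copies, which matters for large CRLs. I would add a docstring along the lines of `"""Lazily created private copy of the CRL, used only for serial lookups so the in-place sort never touches self._x509_crl."""`. It would also help to state whether concurrent first lookups are safe. The in-place sort now runs on a shared cached copy, and its safety presumably rests on OpenSSL's own locking and on how `utils.cached_property` behaves when two threads race, neither of which is visible here. A regression test that iterates the CRL and verifies its signature after a lookup would pin the behaviour the comment describes; the diffstat is limited to `src`, so one may already exist.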
@@ -251,7 +261,7 @@ class _CertificateRevocationList(object):
revoked[0] != self._backend._ffi.NULL
)
return _RevokedCertificate(
- self._backend, self._x509_crl, revoked[0]
+ self._backend, self._sorted_crl, revoked[0]
)
@property
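Review bot: The switch from `self._x509_crl` to `self._sorted_crl` in the `_RevokedCertificate(...)` call deserves a one-line comment, because it looks like an ownership requirement rather than a cosmetic follow-up. `revoked[0]` was filled in by the lookup on the duplicate, so presumably the wrapper has to hold a reference to that duplicate, not the original, for the entry to stay valid once the CRL object is collected. Something like `# revoked[0] points into the sorted copy, so that copy must outlive the wrapper` would stop a later cleanup from reverting it. The function begins in the previous hunk and `_RevokedCertificate` is defined outside this diff, so how it uses its second argument cannot be confirmed from here.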