From 0d943bbd2d239db90bfea61fdcd94bb87adfeb83 Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Tue, 5 Jan 2016 19:02:32 -0600
Subject: refactor the init validation of AuthorityKeyIdentifier
Fixes #2640
---
 src/cryptography/x509/extensions.py | 37 ++++++++++++++++++++-----------------
 tests/test_x509_ext.py | 7 +++++++
 2 files changed, 27 insertions(+), 17 deletions(-)
diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py
index f7b5d7f5..3e6fc3b3 100644
--- a/src/cryptography/x509/extensions.py
+++ b/src/cryptography/x509/extensions.py
@@ -155,25 +155,28 @@ class AuthorityKeyIdentifier(object):
 def __init__(self, key_identifier, authority_cert_issuer, authority_cert_serial_number):
- if authority_cert_issuer or authority_cert_serial_number:
- if not authority_cert_issuer or not authority_cert_serial_number:
- raise ValueError(
- "authority_cert_issuer and authority_cert_serial_number "
- "must both be present or both None"
- )
+ if (authority_cert_issuer is None) != (
+ authority_cert_serial_number is None
+ ):
+ raise ValueError(
+ "authority_cert_issuer and authority_cert_serial_number "
+ "must both be present or both None"
+ )
- if not all(
- isinstance(x, GeneralName) for x in authority_cert_issuer
- ):
- raise TypeError(
- "authority_cert_issuer must be a list of GeneralName "
- "objects"
- )
+ if authority_cert_issuer is not None and not all(
+ isinstance(x, GeneralName) for x in authority_cert_issuer
+ ):
+ raise TypeError(
+ "authority_cert_issuer must be a list of GeneralName "
+ "objects"
+ )
- if not isinstance(authority_cert_serial_number, six.integer_types):
- raise TypeError(
- "authority_cert_serial_number must be an integer"
- )
+ if authority_cert_serial_number is not None and not isinstance(
+ authority_cert_serial_number, six.integer_types
+ ):
+ raise TypeError(
+ "authority_cert_serial_number must be an integer"
+ )
 self._key_identifier = key_identifier
 self._authority_cert_issuer = authority_cert_issuer
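Review bot: An empty `authority_cert_issuer` list paired with a serial number now passes both checks, because `[]` is not `None` and `all()` over an empty iterable is true; the old truthiness test rejected that combination with ValueError. X.509 defines GeneralNames as a non-empty sequence, so such an object would presumably only fail, or yield a malformed extension, when it is later encoded. Consider rejecting it at construction, e.g. `if authority_cert_issuer is not None and (not authority_cert_issuer or not all(isinstance(x, GeneralName) for x in authority_cert_issuer)):`, or add a comment stating that an empty list is deliberately allowed. The body of `__init__` continues past the end of the hunk.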
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index 9ac1d2ba..ff826458 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -835,6 +835,13 @@ class TestAuthorityKeyIdentifier(object):
 assert aki.authority_cert_issuer is None
 assert aki.authority_cert_serial_number is None
+ def test_authority_cert_serial_zero(self):
+ dns = x509.DNSName(u"SomeIssuer")
+ aki = x509.AuthorityKeyIdentifier(b"id", [dns], 0)
+ assert aki.key_identifier == b"id"
+ assert aki.authority_cert_issuer == [dns]
+ assert aki.authority_cert_serial_number == 0
+
 def test_repr(self):
 dirname = x509.DirectoryName(
 x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u'myCN')])
--
cgit v1.2.3
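Review bot: The added `test_authority_cert_serial_zero` pins only the accepted case `([dns], 0)`, while the refactor also changes which inputs are rejected and nothing in this hunk covers that side. Under the old truthiness check `x509.AuthorityKeyIdentifier(b"id", None, 0)` skipped validation entirely, whereas the new `is None` comparison should raise ValueError. A companion test such as `with pytest.raises(ValueError): x509.AuthorityKeyIdentifier(b"id", None, 0)` (assuming pytest is imported in this file) would keep the zero-serial mismatch from regressing. Tests elsewhere in the class, outside this hunk, may already cover mismatched arguments with non-zero serials.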