From 1f943ab1a6ed391ef9474152e3f5ccb666cce4c9 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Wed, 23 Dec 2015 19:21:23 -0600
Subject: add test that fails if CRL references aren't properly retained

If the X509_CRL reference is not properly retained then this
test will return an openssl error or potentially a crash as it's
reading freed memory to obtain the revocation_date and serial_number
---
 tests/test_x509.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/tests/test_x509.py b/tests/test_x509.py
index ae2746e3..034e5601 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -6,6 +6,7 @@ from __future__ import absolute_import, division, print_function
 
 import binascii
 import datetime
+import gc
 import ipaddress
 import os
 
@@ -173,6 +174,24 @@ class TestCertificateRevocationList(object):
         # Check that len() works for CRLs.
         assert len(crl) == 12
 
+    def test_revoked_cert_retrieval_retain_only_revoked(self, backend):
+        """
+        This test attempts to trigger the crash condition described in
+        https://github.com/pyca/cryptography/issues/2557
+        """
+        crl = _load_cert(
+            os.path.join("x509", "custom", "crl_all_reasons.pem"),
+            x509.load_pem_x509_crl,
+            backend
+        )
+        revoked = crl[11]
+        crl = "overwritten"
+        # force a gc collection to potentially X509_CRL_free if there are
+        # no references to the X509_CRL left.
+        gc.collect()
+        assert revoked.revocation_date == datetime.datetime(2015, 1, 1, 0, 0)
+        assert revoked.serial_number == 11
+
     def test_extensions(self, backend):
         crl = _load_cert(
             os.path.join("x509", "custom", "crl_ian_aia_aki.pem"),
-- 
cgit v1.2.3