From 500ed9dac5934f19da1440f47df4640681c5404a Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 10 Jul 2015 20:51:36 -0500 Subject: raise a nice error if bad ASN.1 is provided --- src/cryptography/hazmat/backends/openssl/backend.py | 3 ++- tests/test_x509.py | 19 +++++++++++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 0017b1bd..637b28cc 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -215,7 +215,8 @@ def _encode_subject_alt_name(backend, san): value = backend._lib.d2i_ASN1_TYPE( backend._ffi.NULL, data_ptr_ptr, len(alt_name.value) ) - assert value != backend._ffi.NULL + if value == backend._ffi.NULL: + raise ValueError("Invalid ASN.1 data") other_name.type_id = type_id other_name.value = value gn.type = backend._lib.GEN_OTHERNAME diff --git a/tests/test_x509.py b/tests/test_x509.py index fc1e7931..cb617268 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -1036,6 +1036,25 @@ class TestCertificateSigningRequestBuilder(object): ), ] + def test_invalid_asn1_othername(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + + builder = x509.CertificateSigningRequestBuilder().subject_name( + x509.Name([ + x509.NameAttribute(x509.OID_COMMON_NAME, u"SAN"), + ]) + ).add_extension( + x509.SubjectAlternativeName([ + x509.OtherName( + type_id=x509.ObjectIdentifier("1.2.3.3.3.3"), + value=b"\x01\x02\x01\x05" + ), + ]), + critical=False, + ) + with pytest.raises(ValueError): + builder.sign(private_key, hashes.SHA256(), backend) + def test_subject_alt_name_unsupported_general_name(self, backend): private_key = RSA_KEY_2048.private_key(backend) -- cgit v1.2.3