From 0f984369c0f58f0d5db5cb1a6927b550afc89027 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 1 Aug 2015 20:45:08 +0100 Subject: add test vector from #2183 --- docs/development/test-vectors.rst | 2 ++ vectors/cryptography_vectors/x509/custom/cp_invalid.pem | 16 ++++++++++++++++ 2 files changed, 18 insertions(+) create mode 100644 vectors/cryptography_vectors/x509/custom/cp_invalid.pem diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index ea44a46c..d400e662 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -233,6 +233,8 @@ Custom X.509 Vectors * ``cp_user_notice_no_explicit_text.pem`` - An RSA 2048 bit self-signed certificate containing a certificate policies extension with a user notice with no explicit text. +* ``cp_invalid.pem`` - An RSA 2048 bit self-signed certificate containing a + certificate policies extension with invalid data. * ``ian_uri.pem`` - An RSA 2048 bit certificate containing an issuer alternative name extension with a ``URI`` general name. * ``ocsp_nocheck.pem`` - An RSA 2048 bit self-signed certificate containing diff --git a/vectors/cryptography_vectors/x509/custom/cp_invalid.pem b/vectors/cryptography_vectors/x509/custom/cp_invalid.pem new file mode 100644 index 00000000..b7bcc079 --- /dev/null +++ b/vectors/cryptography_vectors/x509/custom/cp_invalid.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIIC8TCCAdmgAwIBAgITBmsoYWX1PCELRmm8qB2WJ2QdDjANBgkqhkiG9w0BAQUFADASMRAwDgYD +VQQDDAdQeUNBIENBMB4XDTE1MDUxMTE4NTc0NVoXDTE2MDUxMDE4NTc0NVowEjEQMA4GA1UEAwwH +UHlDQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK3FTRITEY4b/Y1Uv4CtH61Y +19TPxK2+H/XuqHwtYlPRyD35LLFES0wykf0V2m1DUmf9jQa9R63jBZxzCgJ/oIJzV28PgSg9P/Nn +417fNASDduY2GPvYuwwKXcLY2fBBFjBrz7z/5tyXCADjLDkzoUTzQlYPbhOrFU5QwaqlckXBgt/4 +8GRDujoHy4RSMEDNjLUDgwx7Z/JK2ujbGJDguLRuBsHirk2h6xXEmSWxquKDXw4NnakwBqp8kKhQ +2xTSWXxabNps8FCBM4sC78gKgONy3lbYdHFt/2BU4yAMyowJwtDEYHCqe1g4sVsB839Ol0SXb6vl +eXQ6dx+zbi8UzTsCAwEAAaNAMD4wPAYDVR0gBDUwMzAxBgtghkgB4DkBAgMEATAiMCAGCCsGAQUF +BwICFhRodHRwOi8vb3RoZXIuY29tL2NwczANBgkqhkiG9w0BAQUFAAOCAQEADpZIjHvu02euPNI8 +nzzDufRXEnjrF09xc9pudxTjWU2mSVApXPmTDyWzOD+2HmsNKHRE6sWjca5qPDeDbGq4JOw+TzYq +9eoqwK2Sh0QHUpg5ZaAmIJ1qe5/sNETH5RFlXrlzW9S0rwViLgUaJp6MreTdGZbxdpNsfdkuNd+S +Tz0MA/3ScbdUcj6uwQQ4JxQiTuPwD35pKwxfUzHjeTmqIEHDuCk17KqIRORdbeD3vFx0R5IQ3mQ6 +9zSGY2AGB0A9oS0qQ2/Mh59A6xyjbPH3Rr7g5MW58PPTWp2FSXkloy7Ze+doQ7wXE6PVmaeKz5qA +9OGaCHIiC2iG9UcqWxfeWw== +-----END CERTIFICATE----- -- cgit v1.2.3 From a08693f3a71a6537da9cfa7d9dda7781aef2bcdd Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 1 Aug 2015 20:45:21 +0100 Subject: check if the extension decoded to internal openssl repr ...and if not, raise an error (plus consume the error stack) --- src/cryptography/hazmat/backends/openssl/x509.py | 7 ++++++- tests/test_x509_ext.py | 15 +++++++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py index 63e4a177..1c0c3acf 100644 --- a/src/cryptography/hazmat/backends/openssl/x509.py +++ b/src/cryptography/hazmat/backends/openssl/x509.py @@ -235,7 +235,12 @@ class _X509ExtensionParser(object): ) else: d2i = backend._lib.X509V3_EXT_d2i(ext) - assert d2i != backend._ffi.NULL + if d2i == backend._ffi.NULL: + backend._consume_errors() + raise ValueError( + "The {0} extension appears to be corrupt".format(oid) + ) + value = handler(backend, d2i) extensions.append(x509.Extension(oid, critical, value)) diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index 7b135828..2980808f 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -2853,3 +2853,18 @@ class TestInhibitAnyPolicyExtension(object): x509.OID_INHIBIT_ANY_POLICY ).value assert iap.skip_certs == 5 + + +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestCorruptExtension(object): + def test_invalid_certificate_policies_data(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "cp_invalid.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + with pytest.raises(ValueError): + cert.extensions -- cgit v1.2.3 From 1b7500f5f91a9ad07f5f15caf17264753173f8d8 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 1 Aug 2015 20:56:27 +0100 Subject: corrupt -> invalid --- src/cryptography/hazmat/backends/openssl/x509.py | 3 ++- tests/test_x509_ext.py | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py index 1c0c3acf..2572cc41 100644 --- a/src/cryptography/hazmat/backends/openssl/x509.py +++ b/src/cryptography/hazmat/backends/openssl/x509.py @@ -238,7 +238,8 @@ class _X509ExtensionParser(object): if d2i == backend._ffi.NULL: backend._consume_errors() raise ValueError( - "The {0} extension appears to be corrupt".format(oid) + "The {0} extension is invalid and can't be " + "parsed".format(oid) ) value = handler(backend, d2i) diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index 2980808f..890709ae 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -2857,7 +2857,7 @@ class TestInhibitAnyPolicyExtension(object): @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) -class TestCorruptExtension(object): +class TestInvalidExtension(object): def test_invalid_certificate_policies_data(self, backend): cert = _load_cert( os.path.join( -- cgit v1.2.3