From 68e49ae4400c0ff68aac2e7c5f95725e7af0de40 Mon Sep 17 00:00:00 2001
From: Noel Remy
Date: Sun, 10 Nov 2019 16:45:30 +0100
Subject: Let Oid enforce positive decimal integers (#5053)

Failing that would lead to an OpenSSL error when calling OBJ_txt2obj at serialization. Adds basic tests for oids.
---
 src/cryptography/hazmat/_oid.py | 7 ++++++-
 tests/hazmat/test_oid.py | 39 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 tests/hazmat/test_oid.py

diff --git a/src/cryptography/hazmat/_oid.py b/src/cryptography/hazmat/_oid.py
index 4b08722f..f98912f9 100644
--- a/src/cryptography/hazmat/_oid.py
+++ b/src/cryptography/hazmat/_oid.py
@@ -19,11 +19,16 @@ class ObjectIdentifier(object):
 # range 0..39. All nodes must be integers.
 for node in nodes:
 try:
- intnodes.append(int(node, 0))
+ node_value = int(node, 10)
 except ValueError:
 raise ValueError(
 "Malformed OID: %s (non-integer nodes)" % (
 self._dotted_string))
+ if node_value < 0:
+ raise ValueError(
+ "Malformed OID: %s (negative-integer nodes)" % (
+ self._dotted_string))
+ intnodes.append(node_value)

 if len(nodes) < 2:
 raise ValueError(
diff --git a/tests/hazmat/test_oid.py b/tests/hazmat/test_oid.py
new file mode 100644
index 00000000..d1a34f8e
--- /dev/null
+++ b/tests/hazmat/test_oid.py
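Review bot: `int(node, 10)` in the new `try` block still accepts more than plain decimal digits: surrounding whitespace, a leading `+`, and on Python 3 underscores and non-ASCII digits. A node such as `+3` or `1_0` therefore passes both the non-integer check and the new negative check, while `self._dotted_string` keeps the raw text. If that string is what later reaches `OBJ_txt2obj` (the commit message suggests so, but the hunk does not show it), the OpenSSL error this change is meant to prevent can still occur at serialization. A strict per-node check ahead of the conversion would close the gap, e.g. `if not node or node.strip("0123456789"): raise ValueError("Malformed OID: %s (non-integer nodes)" % (self._dotted_string))`. `test_oid_constraint` in tests/hazmat/test_oid.py has no case for these forms, and the enclosing method starts before and continues past this hunk.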
@@ -0,0 +1,39 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import pytest
+
+from cryptography.hazmat._oid import ObjectIdentifier
+
+
+def test_basic_oid():
+ assert ObjectIdentifier('1.2.3.4').dotted_string == '1.2.3.4'
+
+
+def test_oid_constraint():
+ # Too short
+ with pytest.raises(ValueError):
+ ObjectIdentifier('1')
+
+ # First node too big
+ with pytest.raises(ValueError):
+ ObjectIdentifier('3.2.1')
+
+ # Outside range
+ with pytest.raises(ValueError):
+ ObjectIdentifier('1.40')
+ with pytest.raises(ValueError):
+ ObjectIdentifier('0.42')
+
+ # non-decimal oid
+ with pytest.raises(ValueError):
+ ObjectIdentifier('1.2.foo.bar')
+ with pytest.raises(ValueError):
+ ObjectIdentifier('1.2.0xf00.0xba4')
+
+ # negative oid
+ with pytest.raises(ValueError):
+ ObjectIdentifier('1.2.-3.-4')
-- 
cgit v1.2.3
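Review bot: Every `pytest.raises(ValueError)` in `test_oid_constraint` is unqualified, so the test cannot tell which constraint rejected the input. The `'1.2.-3.-4'` case would keep passing if the negative-node branch were dropped and some other check happened to raise. Pinning the message, e.g. `with pytest.raises(ValueError, match="negative-integer"):` for the negative case and `match="non-integer"` for the `foo.bar` and `0xf00` cases, ties each assertion to the branch it is meant to cover. The only accepted value exercised is `'1.2.3.4'`; an accepted boundary next to the rejected `'1.40'` (presumably `'1.39'`, going by the "range 0..39" comment in _oid.py) would guard against an over-strict validator.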