Merge pull request #2766 from reaperhulk/fix-2665

raise ValueError if > 2 byte value for NameAttribute with CN OID

2 files changed, 20 insertions, 1 deletions

diff --git a/src/cryptography/x509/name.py b/src/cryptography/x509/name.py
index 9d93ece1..d62341d7 100644
--- a/src/cryptography/x509/name.py
+++ b/src/cryptography/x509/name.py
@@ -7,7 +7,7 @@ from __future__ import absolute_import, division, print_function
 import six
 
 from cryptography import utils
-from cryptography.x509.oid import ObjectIdentifier
+from cryptography.x509.oid import NameOID, ObjectIdentifier
 
 
 class NameAttribute(object):
@@ -22,6 +22,11 @@ class NameAttribute(object):
                 "value argument must be a text type."
             )
 
+        if oid == NameOID.COUNTRY_NAME and len(value.encode("utf8")) != 2:
+            raise ValueError(
+                "Country name must be a 2 character country code"
+            )
+
         self._oid = oid
         self._value = value
 
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 6145edb1..9054c4ed 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -3327,6 +3327,20 @@ class TestNameAttribute(object):
                 b'bytes'
             )
 
+    def test_init_bad_country_code_value(self):
+        with pytest.raises(ValueError):
+            x509.NameAttribute(
+                NameOID.COUNTRY_NAME,
+                u'United States'
+            )
+
+        # unicode string of length 2, but > 2 bytes
+        with pytest.raises(ValueError):
+            x509.NameAttribute(
+                NameOID.COUNTRY_NAME,
+                u'\U0001F37A\U0001F37A'
+            )
+
     def test_eq(self):
         assert x509.NameAttribute(
             x509.ObjectIdentifier('2.999.1'), u'value'