authorRomuald Brunet <romuald@chivil.com>2019-01-21 19:38:33 +0100
committerAlex Gaynor <alex.gaynor@gmail.com>2019-01-21 12:38:33 -0600
commit4183beb4bc3f72d656dd9f18acb0ddcabca5ca79 (patch)
treea1bebfdc1db26a115c03e8fa3b2abe3d90128932
parent7d5a3bfd55c7c9de71af877e773dce4554cf455b (diff)
downloadpyopenssl-git-4183beb4bc3f72d656dd9f18acb0ddcabca5ca79.tar.gz
Handle NULL bytes in get_components() values (#804)
* Handle NULL bytes in get_components() values Some old software may generate "bogus" CN with each character preceded by a NULL. This is already handled in commonName, but wasn't in get_components() * review fixes (fix py3 test & avoid unpack/cast)
-rw-r--r--src/OpenSSL/crypto.py10
-rw-r--r--tests/test_crypto.py11
2 files changed, 16 insertions, 5 deletions
diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py
index d555083..715e1ae 100644
--- a/src/OpenSSL/crypto.py
+++ b/src/OpenSSL/crypto.py
@@ -695,11 +695,11 @@ class X509Name(object):
nid = _lib.OBJ_obj2nid(fname)
name = _lib.OBJ_nid2sn(nid)
- result.append((
- _ffi.string(name),
- _ffi.string(
- _lib.ASN1_STRING_data(fval),
- _lib.ASN1_STRING_length(fval))))
+ # ffi.string does not handle strings containing NULL bytes
+ # (which may have been generated by old, broken software)
+ value = _ffi.buffer(_lib.ASN1_STRING_data(fval),
+ _lib.ASN1_STRING_length(fval))[:]
+ result.append((_ffi.string(name), value))
return result
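Review bot: The comment added above `value = _ffi.buffer(...)` says why `_ffi.string` is avoided, but nothing tells callers that get_components() values are now the full raw entry bytes and can contain embedded NUL bytes. Code that previously received a value cut at the first NUL will now see everything after it, so a caller matching a CN against a hostname has to compare the whole value and must not treat NUL as a terminator. The bytes also appear to be returned in the entry's own string encoding without decoding, which is presumably where the "each character preceded by a NULL" values in the description come from; that is worth confirming. I would add to the get_components() docstring, which lies outside this hunk, a sentence such as `Values are the raw bytes of each entry; they are not decoded and may contain NUL bytes.`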
diff --git a/tests/test_crypto.py b/tests/test_crypto.py
index ec632d9..c938021 100644
--- a/tests/test_crypto.py
+++ b/tests/test_crypto.py
@@ -1214,6 +1214,17 @@ class TestX509Name(object):
subject = cert.get_subject()
assert "null.python.org\x00example.org" == subject.commonName
+ def test_load_nul_byte_components(self):
+ """
+ An `X509Name` from an `X509` instance loaded from a file can have a
+ NUL byte in the value of its components
+ """
+ cert = load_certificate(FILETYPE_PEM, nulbyteSubjectAltNamePEM)
+ subject = cert.get_subject()
+ components = subject.get_components()
+ ccn = [value for name, value in components if name == b'CN']
+ assert ccn[0] == b'null.python.org\x00example.org'
+
def test_set_attribute_failure(self):
"""
If the value of an attribute cannot be set for some reason then
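Review bot: `test_load_nul_byte_components` only pins the first CN through `ccn[0]`, so a certificate with no CN fails with an IndexError and an extra or duplicated CN entry would pass unnoticed; `assert ccn == [b'null.python.org\x00example.org']` checks both in one line. The fixture covers a single embedded NUL, while the commit description motivates the change with values where every character is preceded by a NULL; a second case with such a value would pin the behaviour the change was made for. A short comment noting that the component value is compared as bytes, unlike the text `commonName` assertion in the context lines just above, would also help readers.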