From 12bc43bc7a2faee3e7de742a705e19e05645fe12 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 28 Mar 2023 12:06:50 +0900 Subject: work around openssl 3.1.0 bug and bump for 23.1.1 (#1204) * work around openssl 3.1.0 bug and bump for 23.1.1 * remove a CI job that can't succeed cryptographyMain does not support 3.6 --- .github/workflows/ci.yml | 1 - CHANGELOG.rst | 17 ++++++++++++++++- src/OpenSSL/crypto.py | 9 ++++++++- src/OpenSSL/version.py | 2 +- tests/test_crypto.py | 8 ++++++++ 5 files changed, 33 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e00ef74..26adcfe 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -20,7 +20,6 @@ jobs:
 - {VERSION: "pypy-3.9", TOXENV: "pypy3"}
 - {VERSION: "3.11", TOXENV: "py311-useWheel", OS: "windows-2022" }
 # -cryptographyMain
- - {VERSION: "3.6", TOXENV: "py36-cryptographyMain", OS: "ubuntu-20.04"}
 - {VERSION: "3.7", TOXENV: "py37-cryptographyMain"}
 - {VERSION: "3.8", TOXENV: "py38-cryptographyMain"}
 - {VERSION: "3.9", TOXENV: "py39-cryptographyMain"}
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index f7118eb..c2e0f43 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -4,6 +4,21 @@ Changelog
 Versions are year-based with a strict backward-compatibility policy. The third digit is only for regressions.
+23.1.1 (2023-03-28)
+-------------------
+
+Backward-incompatible changes:
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Deprecations:
+^^^^^^^^^^^^^
+
+Changes:
+^^^^^^^^
+
+- Worked around an issue in OpenSSL 3.1.0 which caused `X509Extension.get_short_name` to raise an exception when no short name was known to OpenSSL.
+ `#1204 `_.
+
 23.1.0 (2023-03-24)
 -------------------
@@ -44,7 +59,7 @@ Backward-incompatible changes:
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 - Remove support for SSLv2 and SSLv3.
-- The minimum ``cryptography`` version is now 38.0.x (and we now pin releases
+- The minimum ``cryptography`` version is now 38.0.x (and we now pin releases
 against ``cryptography`` major versions to prevent future breakage)
 - The ``OpenSSL.crypto.X509StoreContextError`` exception has been refactored, changing its internal attributes.
diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py
index 8b12769..f5dd312 100644
--- a/src/OpenSSL/crypto.py
+++ b/src/OpenSSL/crypto.py
@@ -904,7 +904,14 @@ class X509Extension:
 """
 obj = _lib.X509_EXTENSION_get_object(self._extension)
 nid = _lib.OBJ_obj2nid(obj)
- return _ffi.string(_lib.OBJ_nid2sn(nid))
+ # OpenSSL 3.1.0 has a bug where nid2sn returns NULL for NIDs that
+ # previously returned UNDEF. This is a workaround for that issue.
+ # https://github.com/openssl/openssl/commit/908ba3ed9adbb3df90f76
+ buf = _lib.OBJ_nid2sn(nid)
+ if buf != _ffi.NULL:
+ return _ffi.string(buf)
+ else:
+ return b"UNDEF"
 def get_data(self) -> bytes:
 """
diff --git a/src/OpenSSL/version.py b/src/OpenSSL/version.py
index 78ff8bb..bc73a1c 100644
--- a/src/OpenSSL/version.py
+++ b/src/OpenSSL/version.py
@@ -17,7 +17,7 @@ __all__ = [
 "__version__",
 ]
-__version__ = "23.1.0"
+__version__ = "23.1.1"
 __title__ = "pyOpenSSL"
 __uri__ = "https://pyopenssl.org/"
diff --git a/tests/test_crypto.py b/tests/test_crypto.py
index 4b63fa2..3212fba 100644
--- a/tests/test_crypto.py
+++ b/tests/test_crypto.py
@@ -1681,6 +1681,14 @@ class TestX509Req(_PKeyInteractionTestsMixin):
 exts = request.get_extensions()
 assert len(exts) == 2
+ def test_undef_oid(self):
+ assert (
+ X509Extension(
+ b"1.2.3.4.5.6.7", False, b"DER:05:00"
+ ).get_short_name()
+ == b"UNDEF"
+ )
+
 def test_add_extensions_wrong_args(self):
 """
 `X509Req.add_extensions` raises `TypeError` if called with a
-- cgit v1.2.1
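Review bot: The `b"UNDEF"` fallback in `X509Extension.get_short_name` is taken for every NID whose `OBJ_nid2sn` lookup returns NULL, so every extension OID that OpenSSL has no short name for reports the same value, and nothing in the hunk documents that return value. The NULL check before `_ffi.string(buf)` is the right guard; per the changelog entry the unchecked call is what raised. The method's docstring begins above the hunk, and I would add a sentence to it such as `Returns ``b"UNDEF"`` when OpenSSL has no short name for the extension's OID, so the result does not uniquely identify the extension.` Callers that make per-extension decisions should not key on this name alone. As a style point, the `else:` after a `return` can become a guard clause, `if buf == _ffi.NULL: return b"UNDEF"`, followed by `return _ffi.string(buf)`.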
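Review bot: `test_undef_oid` is added inside `TestX509Req` (per the hunk header) although it exercises `X509Extension.get_short_name`, and unlike the neighbouring `test_add_extensions_wrong_args` it has no docstring. If the module has a test class dedicated to `X509Extension`, which is not visible in this hunk, the test belongs there. I would add a docstring such as `"""`X509Extension.get_short_name` returns ``b"UNDEF"`` for an OID OpenSSL has no short name for."""`. The new NULL branch is presumably only reached when the suite runs against OpenSSL 3.1.0, so it is worth confirming that a CI job links against that version; otherwise the assertion passes through the old code path.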