-rw-r--r-- | src/cryptography/hazmat/backends/openssl/x509.py | 20 | ||||
-rw-r--r-- | tests/test_x509.py | 10 |
2 files changed, 30 insertions, 0 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index fa4d1a01..1de3f4d5 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -63,6 +63,26 @@ class _X509Certificate(object):
 pkey = self._backend._lib.X509_get_pubkey(self._x509)
 assert pkey != self._backend._ffi.NULL
 pkey = self._backend._ffi.gc(pkey, self._backend._lib.EVP_PKEY_free)
+ # The following check is to find ECDSA certificates with unnamed
+ # curves and raise an error for now.
+ if (
+ self._backend._lib.Cryptography_HAS_EC == 1 and
+ pkey.type == self._backend._lib.EVP_PKEY_EC
+ ):
+ ec_cdata = self._backend._lib.EVP_PKEY_get1_EC_KEY(pkey)
+ assert ec_cdata != self._backend._ffi.NULL
+ ec_cdata = self._backend._ffi.gc(
+ ec_cdata, self._backend._lib.EC_KEY_free
+ )
+ group = self._backend._lib.EC_KEY_get0_group(ec_cdata)
+ assert group != self._backend._ffi.NULL
+ nid = self._backend._lib.EC_GROUP_get_curve_name(group)
+ if nid == self._backend._lib.NID_undef:
+ raise NotImplementedError(
+ "ECDSA certificates without named curves are unsupported "
+ "at this time"
+ )
+
 return self._backend._evp_pkey_to_public_key(pkey)
 
 @property
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 638c7d1b..7a4d0b7d 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -179,3 +179,13 @@ class TestECDSAX509Certificate(object):
 )
 public_key = cert.public_key()
 assert isinstance(public_key, interfaces.EllipticCurvePublicKey)
+
+ def test_load_ecdsa_no_named_curve(self, backend):
+ _skip_curve_unsupported(backend, ec.SECP256R1())
+ cert = _load_cert(
+ os.path.join("x509", "custom", "ec_no_named_curve.pem"),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ with pytest.raises(NotImplementedError):
+ cert.public_key()
|
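Review bot: The two NULL checks in the added block, `assert ec_cdata != self._backend._ffi.NULL` and `assert group != self._backend._ffi.NULL`, are compiled out when Python runs with `-O`. A failed `EVP_PKEY_get1_EC_KEY` would then pass a NULL pointer on to `EC_KEY_get0_group` while handling a certificate that may come from an untrusted peer. An explicit check survives optimisation, for example `if ec_cdata == self._backend._ffi.NULL:` followed by `raise ValueError("Unable to read EC key from certificate")`, and the same for `group`; the exception type here is a suggestion, so use whatever the backend raises for OpenSSL failures. The context line `assert pkey != self._backend._ffi.NULL` follows the same pattern, and the method body begins outside the hunk. The comment could also state why unnamed (explicit-parameter) curves are refused, rather than only "for now".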
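Review bot: `pytest.raises(NotImplementedError)` in `test_load_ecdsa_no_named_curve` accepts any `NotImplementedError` raised under `cert.public_key()`, so the test does not prove that the unnamed-curve branch produced it. Pinning the message ties the test to that branch: `with pytest.raises(NotImplementedError) as exc_info:` around the call, then `assert "named curves" in str(exc_info.value)`. The test class begins outside the hunk.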