-rw-r--r-- | src/cryptography/hazmat/backends/openssl/x509.py | 7 | ||||
-rw-r--r-- | tests/test_x509_ext.py | 15 |
2 files changed, 21 insertions, 1 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 63e4a177..1c0c3acf 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -235,7 +235,12 @@ class _X509ExtensionParser(object):
 )
 else:
 d2i = backend._lib.X509V3_EXT_d2i(ext)
- assert d2i != backend._ffi.NULL
+ if d2i == backend._ffi.NULL:
+ backend._consume_errors()
+ raise ValueError(
+ "The {0} extension appears to be corrupt".format(oid)
+ )
+
 value = handler(backend, d2i)
 extensions.append(x509.Extension(oid, critical, value))
 
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index 7b135828..2980808f 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -2853,3 +2853,18 @@ class TestInhibitAnyPolicyExtension(object):
 x509.OID_INHIBIT_ANY_POLICY
 ).value
 assert iap.skip_certs == 5
+
+
+@pytest.mark.requires_backend_interface(interface=RSABackend)
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestCorruptExtension(object):
+ def test_invalid_certificate_policies_data(self, backend):
+ cert = _load_cert(
+ os.path.join(
+ "x509", "custom", "cp_invalid.pem"
+ ),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ with pytest.raises(ValueError):
+ cert.extensions |
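Review bot: The new NULL branch in x509.py empties the OpenSSL error queue and raises without a comment saying why, and the detail OpenSSL recorded about the decode failure is dropped, so the caller learns only that the extension "appears to be corrupt". Certificate bytes are untrusted input, so this path will be hit by malformed certificates in normal operation; I would add `# d2i failed on the extension payload; clear the error queue so the failure does not surface in a later, unrelated call` above `backend._consume_errors()`. As written the ValueError is raised whether or not the extension is marked critical, which makes `cert.extensions` fail for the whole certificate; if that is intended it deserves a line in the method's documentation. The enclosing parse method starts and ends outside the hunk.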
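Review bot: `pytest.raises(ValueError)` in test_invalid_certificate_policies_data passes on any ValueError raised while the extensions are parsed, so it does not pin the new corrupt-extension branch. Capture the exception and check its message, `with pytest.raises(ValueError) as exc:` followed by `assert "corrupt" in str(exc.value)`. The test also does not show that the OpenSSL error queue is left clean after the failure, which is the other half of what the x509.py hunk adds; a second backend operation after the `raises` block would cover it.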