From a9b4f86de8a0de2e846a42d9b35c39e88d621bb7 Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Wed, 24 Oct 2018 08:58:07 +0800
Subject: next_update is not a required field on OCSP responses (#4513)
---
 docs/development/test-vectors.rst | 2 ++
 src/cryptography/hazmat/backends/openssl/ocsp.py | 6 ++++--
 tests/x509/test_ocsp.py | 8 ++++++++
 .../x509/ocsp/resp-revoked-no-next-update.der | Bin 0 -> 283 bytes
 4 files changed, 14 insertions(+), 2 deletions(-)
 create mode 100644 vectors/cryptography_vectors/x509/ocsp/resp-revoked-no-next-update.der
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
index b56a4c56..e512a902 100644
--- a/docs/development/test-vectors.rst
+++ b/docs/development/test-vectors.rst
@@ -427,6 +427,8 @@ X.509 OCSP Test Vectors
 * ``x509/ocsp/resp-revoked-reason.der`` - An OCSP response from the ``QuoVadis`` OCSP responder that contains a revoked certificate with a revocation reason.
+* ``x509/ocsp/resp-revoked-no-next-update.der`` - An OCSP response that
+ contains a revoked certificate and no ``nextUpdate`` value.
 Custom X.509 OCSP Test Vectors
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/src/cryptography/hazmat/backends/openssl/ocsp.py b/src/cryptography/hazmat/backends/openssl/ocsp.py
index cd3650ae..32e26a0a 100644
--- a/src/cryptography/hazmat/backends/openssl/ocsp.py
+++ b/src/cryptography/hazmat/backends/openssl/ocsp.py
@@ -278,8 +278,10 @@ class _OCSPResponse(object):
 self._backend._ffi.NULL,
 asn1_time,
 )
- self._backend.openssl_assert(asn1_time[0] != self._backend._ffi.NULL)
- return _parse_asn1_generalized_time(self._backend, asn1_time[0])
+ if asn1_time[0] != self._backend._ffi.NULL:
+ return _parse_asn1_generalized_time(self._backend, asn1_time[0])
+ else:
+ return None
 @property
 @_requires_successful_response
diff --git a/tests/x509/test_ocsp.py b/tests/x509/test_ocsp.py
index 0d44b6da..3ee6a26e 100644
--- a/tests/x509/test_ocsp.py
+++ b/tests/x509/test_ocsp.py
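Review bot: The property in the ocsp.py hunk now returns None when the response carries no nextUpdate, which changes the contract of what is presumably the public `OCSPResponse.next_update`, yet nothing in this commit documents it — the diffstat touches only test-vectors.rst, and the property's decorators and docstring sit above the hunk, outside it. A caller that uses `next_update` to bound how long a cached response may be trusted would previously have failed loudly on such a response and now silently receives None, so the docstring should state what None means: `Return the nextUpdate time of the response, or None when the responder omitted it; RFC 6960 defines an absent nextUpdate as meaning newer revocation information is available at any time, so None must not be read as an unbounded validity window.` Separately, the `else:` after a `return` is redundant; ending the method with a plain `return None` at the body's indentation is the usual style.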
@@ -319,6 +319,14 @@ class TestOCSPResponse(object):
 )
 assert resp.revocation_reason is x509.ReasonFlags.superseded
+ def test_load_revoked_no_next_update(self):
+ resp = _load_data(
+ os.path.join("x509", "ocsp", "resp-revoked-no-next-update.der"),
+ ocsp.load_der_ocsp_response,
+ )
+ assert resp.serial_number == 16160
+ assert resp.next_update is None
+
 def test_response_extensions(self):
 resp = _load_data(
 os.path.join("x509", "ocsp", "resp-revoked-reason.der"),
diff --git a/vectors/cryptography_vectors/x509/ocsp/resp-revoked-no-next-update.der b/vectors/cryptography_vectors/x509/ocsp/resp-revoked-no-next-update.der
new file mode 100644
index 00000000..c9bb9d6f
Binary files /dev/null and b/vectors/cryptography_vectors/x509/ocsp/resp-revoked-no-next-update.der differ
-- cgit v1.2.3
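Review bot: `test_load_revoked_no_next_update` pins only the serial number and the missing nextUpdate, so it does not show that dropping the NULL assertion left parsing of the mandatory fields intact. Since the vector is described as holding a revoked certificate, adding `assert resp.certificate_status == ocsp.OCSPCertStatus.REVOKED` and `assert resp.this_update is not None` would pin the status and the required thisUpdate on the same response. Whether this vector also carries a revocation time or reason cannot be told from the page, so those assertions are left to the author.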