diff --git a/backport-raise-an-exception-instead-of-returning-an-empty-list-for-pkcs7-cert-loading.patch b/backport-raise-an-exception-instead-of-returning-an-empty-list-for-pkcs7-cert-loading.patch new file mode 100644 index 0000000000000000000000000000000000000000..e7124715ed0ef01109b8ee299b8e808ff66c2b36 --- /dev/null +++ b/backport-raise-an-exception-instead-of-returning-an-empty-list-for-pkcs7-cert-loading.patch @@ -0,0 +1,70 @@ +From 7ef48ec44ac59fb70180955a9e05312571c923de Mon Sep 17 00:00:00 2001 +From: Paul Kehrer +Date: Sun, 5 Nov 2023 18:47:12 +0800 +Subject: [PATCH] raise an exception instead of returning an empty list for + pkcs7 cert loading (#9947) + +* raise an exception instead of returning an empty list + +as davidben points out in #9926 we are calling a specific load +certificates function and an empty value doesn't necessarily mean empty +because PKCS7 contains multitudes. erroring is more correct. + +* changelog + +* Update CHANGELOG.rst + +Co-authored-by: Alex Gaynor + +--------- + +Co-authored-by: Alex Gaynor +--- + src/cryptography/hazmat/backends/openssl/backend.py | 7 +++++-- + tests/hazmat/primitives/test_pkcs7.py | 6 +++--- + 2 files changed, 8 insertions(+), 5 deletions(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py +index ba0fad0..0b5b215 100644 +--- a/src/cryptography/hazmat/backends/openssl/backend.py ++++ b/src/cryptography/hazmat/backends/openssl/backend.py +@@ -2669,12 +2669,15 @@ class Backend(object): + _Reasons.UNSUPPORTED_SERIALIZATION, + ) + +- certs = [] + if p7.d.sign == self._ffi.NULL: +- return certs ++ raise ValueError( ++ "The provided PKCS7 has no certificate data, but a cert " ++ "loading method was called." ++ ) + + sk_x509 = p7.d.sign.cert + num = self._lib.sk_X509_num(sk_x509) ++ certs = [] + for i in range(num): + x509 = self._lib.sk_X509_value(sk_x509, i) + self.openssl_assert(x509 != self._ffi.NULL) +diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py +index 0145a24..34cbb16 100644 +--- a/tests/hazmat/primitives/test_pkcs7.py ++++ b/tests/hazmat/primitives/test_pkcs7.py +@@ -80,11 +80,11 @@ class TestPKCS7Loading(object): + mode="rb", + ) + +- def test_load_pkcs7_empty_certificates(self, backend): ++ def test_load_pkcs7_empty_certificates(self): + der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02" + +- certificates = pkcs7.load_der_pkcs7_certificates(der) +- assert certificates == [] ++ with pytest.raises(ValueError): ++ pkcs7.load_der_pkcs7_certificates(der) + + + # We have no public verification API and won't be adding one until we get +-- +2.33.0 + diff --git a/python-cryptography.spec b/python-cryptography.spec index 0c3ac0858e625984f41a35ba65ff34c6da06d605..83c955aa3d6f3b4f23ac7ba2b9564a91e28bf5d5 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -3,7 +3,7 @@ %global srcname cryptography Name: python-%{srcname} Version: 3.3.1 -Release: 4 +Release: 5 Summary: PyCA's cryptography library License: ASL 2.0 or BSD URL: https://cryptography.io/en/latest/ @@ -13,7 +13,9 @@ Patch6000: backport-CVE-2020-36242.patch Patch6001: backport-add-SM4-symmetric-block-cipher-5834.patch Patch6002: backport-provide-openssl-apis-related-to-SM-for-python.patch Patch6003: backport-CVE-2023-23931.patch +# CVE-2023-49083 Patch6004: backport-Fixed-crash-when-loading-a-PKCS-7-bundle-with-no-certificates.patch +Patch6005: backport-raise-an-exception-instead-of-returning-an-empty-list-for-pkcs7-cert-loading.patch BuildRequires: openssl-devel BuildRequires: gcc @@ -123,6 +125,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %doc README.rst docs %changelog +* Sat Dec 2 2023 liningjie - 3.3.1-5 +- raise an exception instead of returning an empty list for pkcs7 cert loading + * Wed Nov 29 2023 liningjie - 3.3.1-4 - Fixed crash when loading a PKCS#7 bundle with no certificates