From 2dff2a7fab08917a120c1327e0623a46ac070321 Mon Sep 17 00:00:00 2001
From: wuzhaomin
Date: Thu, 16 May 2024 17:46:53 +0800
Subject: [PATCH] Fixes #10422 -- don't crash when a PKCS#12 key and cert don't match
---
 ...t-crash-when-a-PKCS-12-key-and-cert-.patch | 63 +++++++++++++++++++
 python-cryptography.spec | 6 +-
 2 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 backport-Fixes-10422-don-t-crash-when-a-PKCS-12-key-and-cert-.patch
diff --git a/backport-Fixes-10422-don-t-crash-when-a-PKCS-12-key-and-cert-.patch b/backport-Fixes-10422-don-t-crash-when-a-PKCS-12-key-and-cert-.patch
new file mode 100644
index 0000000..9650f59
--- /dev/null
+++ b/backport-Fixes-10422-don-t-crash-when-a-PKCS-12-key-and-cert-.patch
@@ -0,0 +1,63 @@
+From 97d231672763cdb5959a3b191e692a362f1b9e55 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor
+Date: Mon, 19 Feb 2024 11:50:28 -0500
+Subject: [PATCH] Fixes #10422 -- don't crash when a PKCS#12 key and cert don't
+ match (#10423)
+
+---
+ src/cryptography/hazmat/backends/openssl/backend.py | 9 +++++++++
+ tests/hazmat/primitives/test_pkcs12.py | 18 ++++++++++++++++++
+ 2 files changed, 27 insertions(+)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
+index 45888f3..6a4aeca 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
++++ b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -623,6 +623,15 @@ class Backend:
+ mac_iter,
+ 0,
+ )
++ if p12 == self._ffi.NULL:
++ errors = self._consume_errors()
++ raise ValueError(
++ (
++ "Failed to create PKCS12 (does the key match the "
++ "certificate?)"
++ ),
++ errors,
++ )
+
+ if (
+ self._lib.Cryptography_HAS_PKCS12_SET_MAC
+diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py
+index f49c98a..cb998c4 100644
+--- a/tests/hazmat/primitives/test_pkcs12.py
++++ b/tests/hazmat/primitives/test_pkcs12.py
+@@ -660,6 +660,24 @@ class TestPKCS12Creation:
+ b"name", cakey, cacert, [], algorithm
+ )
+
++ @pytest.mark.supported(
++ only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC,
++ skip_message="Requires OpenSSL with PKCS12_set_mac",
++ )
++ def test_set_mac_key_certificate_mismatch(self, backend):
++ cacert, _ = _load_ca(backend)
++ key = ec.generate_private_key(ec.SECP256R1())
++ encryption = (
++ serialization.PrivateFormat.PKCS12.encryption_builder()
++ .hmac_hash(hashes.SHA256())
++ .build(b"password")
++ )
++
++ with pytest.raises(ValueError):
++ serialize_key_and_certificates(
++ b"name", key, cacert, [], encryption
++ )
++
+
+ @pytest.mark.skip_fips(
+ reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it."
+--
+2.9.3.windows.1
+
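Review bot: The regression test in the second inner hunk (test_set_mac_key_certificate_mismatch) is gated on Cryptography_HAS_PKCS12_SET_MAC and only drives the `.hmac_hash(...)` builder path, whereas the new `if p12 == self._ffi.NULL:` check in the first inner hunk runs before the `Cryptography_HAS_PKCS12_SET_MAC` branch and therefore guards every PKCS12_create caller. If PKCS12_create returns NULL for a mismatched key/certificate independent of MAC settings (it presumably does, since the check sits ahead of the set_mac branch), an ungated second case such as `serialize_key_and_certificates(b"name", key, cacert, [], serialization.NoEncryption())` under `pytest.raises(ValueError)` would pin the fix for builds without PKCS12_set_mac too. The Backend method containing the new check starts and ends outside the hunk, so whether `_consume_errors()` is the project's usual way to clear the OpenSSL error queue before raising cannot be confirmed from here. As this is a backport carried as a distro patch, the hunk offsets (`@@ -623,6 +623,15 @@`, `@@ -660,6 +660,24 @@`) come from upstream main; applying it against 42.0.2 may need fuzz, which the spec change cannot show.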
diff --git a/python-cryptography.spec b/python-cryptography.spec
index 79c7bb1..075d04f 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -1,7 +1,7 @@
 %global pypi_name cryptography
 Name: python-%{pypi_name}
 Version: 42.0.2
-Release: 3
+Release: 4
 Summary: PyCA's cryptography library
 License: ASL 2.0 or BSD
 URL: https://cryptography.io/en/latest/
@@ -15,6 +15,7 @@ Source1: cargo-vendor-cache.tar.gz
 Patch6002: backport-provide-openssl-apis-related-to-SM-for-python.patch
 Patch6003: backport-CVE-2024-26130.patch
+Patch6004: backport-Fixes-10422-don-t-crash-when-a-PKCS-12-key-and-cert-.patch
 BuildRequires: openssl-devel cargo
 BuildRequires: gcc
@@ -90,6 +91,9 @@ EOF
 %doc README.rst docs
 %changelog
+* Thu May 16 2024 wuzhaomin - 42.0.2-4
+- Fixes #10422 -- don't crash when a PKCS#12 key and cert don't match
+
 * Thu Apr 18 2024 shixuantong - 42.0.2-3
 - set debug is true for build debug package
 - add rust to BuildRequires
--
Gitee