From 546a3a831d49cd1cc46e52d8328a40cc2e641205 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 30 Nov 2023 20:30:34 -0600 Subject: [PATCH 1/3] raise an exception instead of returning an empty list as davidben points out in #9926 we are calling a specific load certificates function and an empty value doesn't necessarily mean empty because PKCS7 contains multitudes. erroring is more correct. --- src/cryptography/hazmat/backends/openssl/backend.py | 7 +++++-- tests/hazmat/primitives/test_pkcs7.py | 4 ++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 755431f29410..ea7d171e6136 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -1111,12 +1111,15 @@ def _load_pkcs7_certificates(self, p7) -> list[x509.Certificate]: _Reasons.UNSUPPORTED_SERIALIZATION, ) - certs: list[x509.Certificate] = [] if p7.d.sign == self._ffi.NULL: - return certs + raise ValueError( + "The provided PKCS7 has no certificate data, but a cert " + "loading method was called." + ) sk_x509 = p7.d.sign.cert num = self._lib.sk_X509_num(sk_x509) + certs: list[x509.Certificate] = [] for i in range(num): x509 = self._lib.sk_X509_value(sk_x509, i) self.openssl_assert(x509 != self._ffi.NULL) diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index 434a361057f2..dffc4ab2c1d0 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py @@ -92,8 +92,8 @@ def test_load_pkcs7_unsupported_type(self, backend): def test_load_pkcs7_empty_certificates(self): der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02" - certificates = pkcs7.load_der_pkcs7_certificates(der) - assert certificates == [] + with pytest.raises(ValueError): + pkcs7.load_der_pkcs7_certificates(der) # We have no public verification API and won't be adding one until we get From 8b3793a16b17b84bafa5558c5cd02822cce19157 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 1 Dec 2023 11:04:11 -0600 Subject: [PATCH 2/3] changelog --- CHANGELOG.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 82ef930811f3..0bce7d2b9645 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -9,6 +9,11 @@ Changelog .. note:: This version is not yet released and is under active development. * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.7. +* **BACKWARDS INCOMPATIBLE:** Loading a PKCS7 with no content field using + :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates` + or + :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates` + will now raise an exception rather than return an empty list. * Parsing SSH certificates no longer permits malformed critical options with values, as documented in the 41.0.2 release notes. * Updated the minimum supported Rust version (MSRV) to 1.63.0, from 1.56.0. From c7b5ae6695459cbbf8d83f12e5f91bb4fb140426 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 1 Dec 2023 13:19:04 -0600 Subject: [PATCH 3/3] Update CHANGELOG.rst Co-authored-by: Alex Gaynor --- CHANGELOG.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 0bce7d2b9645..d71e9c006b81 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -13,7 +13,7 @@ Changelog :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates` or :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates` - will now raise an exception rather than return an empty list. + will now raise a ``ValueError`` rather than return an empty list. * Parsing SSH certificates no longer permits malformed critical options with values, as documented in the 41.0.2 release notes. * Updated the minimum supported Rust version (MSRV) to 1.63.0, from 1.56.0.