raise an exception instead of returning an empty list
as davidben points out in pyca#9926 we are calling a specific load
certificates function and an empty value doesn't necessarily mean empty
because PKCS7 contains multitudes. erroring is more correct.
reaperhulk committed Dec 1, 2023
1 parent f7db900 commit 546a3a8
Showing 2 changed files with 7 additions and 4 deletions.
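--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1111,12 +1111,15 @@ def _load_pkcs7_certificates(self, p7) -> list[x509.Certificate]:
 _Reasons.UNSUPPORTED_SERIALIZATION,
 )
 
-certs: list[x509.Certificate] = []
 if p7.d.sign == self._ffi.NULL:
-return certs
+raise ValueError(
+"The provided PKCS7 has no certificate data, but a cert "
+"loading method was called."
+)
 
 sk_x509 = p7.d.sign.cert
 num = self._lib.sk_X509_num(sk_x509)
+certs: list[x509.Certificate] = []
 for i in range(num):
 x509 = self._lib.sk_X509_value(sk_x509, i)
 self.openssl_assert(x509 != self._ffi.NULL)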
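Review bot: The new `ValueError` covers only `p7.d.sign == self._ffi.NULL`; an input whose `p7.d.sign.cert` stack is absent or empty still reaches `sk_X509_num` and the `for i in range(num)` loop, which presumably yields an empty list, so callers keep two different outcomes for "no certificates". If that split is intended, a comment above the check would record it, e.g. `# d.sign is NULL when the structure carries no signed-data content at all; an empty cert stack is handled by the loop below`. The public loaders now raise where they used to return `[]`, and neither of the two changed files is documentation, so their docs should list `ValueError` for this case. The body of `_load_pkcs7_certificates` starts before and continues past this hunk.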
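--- a/tests/hazmat/primitives/test_pkcs7.py
+++ b/tests/hazmat/primitives/test_pkcs7.py
@@ -92,8 +92,8 @@ def test_load_pkcs7_unsupported_type(self, backend):
 def test_load_pkcs7_empty_certificates(self):
 der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
 
-certificates = pkcs7.load_der_pkcs7_certificates(der)
-assert certificates == []
+with pytest.raises(ValueError):
+pkcs7.load_der_pkcs7_certificates(der)
 
 
 # We have no public verification API and won't be adding one until we get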
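Review bot: `pytest.raises(ValueError)` in `test_load_pkcs7_empty_certificates` passes on any `ValueError`, so it cannot tell the new "no certificate data" branch apart from a `ValueError` raised earlier, for instance if the loader also raises that type for input it fails to parse. Pinning the message ties the test to the branch it is meant to cover: `with pytest.raises(ValueError, match="no certificate data"):`. Only the DER loader is exercised here; whether the PEM loader goes through the same check is not visible in this hunk, so a parallel PEM case may be worth adding.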
