
Commit c51f795

authored
raise a valueerror on multi-SINGLERESP valued OCSP responses (pyca#5316)
InternalErrors are bad when we know they're reachable
1 parent aded1cd commit c51f795


4 files changed

+16
-3
lines changed


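--- a/docs/development/test-vectors.rst
+++ b/docs/development/test-vectors.rst
@@ -532,6 +532,8 @@ X.509 OCSP Test Vectors
   contains a ``CRLReason`` single extension.
 * ``x509/ocsp/resp-sct-extension.der`` - An OCSP response containing a
   ``CT Certificate SCTs`` single extension, from the SwissSign OCSP responder.
+* ``x509/ocsp/ocsp-army.deps.mil-resp.der`` - An OCSP response containing
+  multiple ``SINGLERESP`` values.
 
 Custom X.509 OCSP Test Vectors
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~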
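--- a/src/cryptography/hazmat/backends/openssl/ocsp.py
+++ b/src/cryptography/hazmat/backends/openssl/ocsp.py
@@ -104,9 +104,13 @@ def __init__(self, backend, ocsp_response):
         self._basic = self._backend._ffi.gc(
             basic, self._backend._lib.OCSP_BASICRESP_free
         )
-        self._backend.openssl_assert(
-            self._backend._lib.OCSP_resp_count(self._basic) == 1
-        )
+        num_resp = self._backend._lib.OCSP_resp_count(self._basic)
+        if num_resp != 1:
+            raise ValueError(
+                "OCSP response contains more than one SINGLERESP structure"
+                ", which this library does not support. "
+                "{} found".format(num_resp)
+            )
         self._single = self._backend._lib.OCSP_resp_get0(self._basic, 0)
         self._backend.openssl_assert(
             self._single != self._backend._ffi.NULL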
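--- a/tests/x509/test_ocsp.py
+++ b/tests/x509/test_ocsp.py
@@ -695,6 +695,13 @@ def test_load_response(self):
         assert resp.serial_number == 271024907440004808294641238224534273948400
         assert len(resp.extensions) == 0
 
+    def test_load_multi_valued_response(self):
+        with pytest.raises(ValueError):
+            _load_data(
+                os.path.join("x509", "ocsp", "ocsp-army.deps.mil-resp.der"),
+                ocsp.load_der_ocsp_response,
+            )
+
     def test_load_unauthorized(self):
         resp = _load_data(
             os.path.join("x509", "ocsp", "resp-unauthorized.der"),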
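Review bot: `pytest.raises(ValueError)` in the added test accepts any ValueError, so a vector that fails to load for an unrelated reason (which the loader presumably also reports as ValueError) would pass without exercising the new SINGLERESP count check. Pinning the message, `with pytest.raises(ValueError, match="SINGLERESP"):`, ties the assertion to the branch this commit introduces. The test depends on the new binary vector `x509/ocsp/ocsp-army.deps.mil-resp.der`, which the page lists but does not display.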
Binary file not shown.
