name constraint vector with invalid IPv4 netmask (pyca#6114)

reaperhulk · web-flow · commit f3612c8585cf · 2021-06-12T16:29:22.000-04:00
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
@@ -374,6 +374,10 @@ Custom X.509 Vectors
 * ``nc_invalid_ip_netmask.pem`` - An RSA 2048 bit self-signed certificate
   containing a name constraints extension with a permitted element that has an
   ``IPv6`` IP and an invalid network mask.
+* ``nc_invalid_ip4_netmask.der`` - An RSA 2048 bit self-signed certificate
+  containing a name constraints extension with a permitted element that has an
+  ``IPv4`` IP and an invalid network mask. The signature on this certificate
+  is invalid.
 * ``nc_single_ip_netmask.pem`` - An RSA 2048 bit self-signed certificate
   containing a name constraints extension with a permitted element that has two
   IPs with ``/32`` and ``/128`` network masks.
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
@@ -3580,7 +3580,7 @@ def test_ip_invalid_length(self, backend):
                 ExtensionOID.NAME_CONSTRAINTS
             )
 
-    def test_invalid_netmask(self, backend):
+    def test_invalid_ipv6_netmask(self, backend):
         cert = _load_cert(
             os.path.join("x509", "custom", "nc_invalid_ip_netmask.pem"),
             x509.load_pem_x509_certificate,
@@ -3591,6 +3591,17 @@ def test_invalid_netmask(self, backend):
                 ExtensionOID.NAME_CONSTRAINTS
             )
 
+    def test_invalid_ipv4_netmask(self, backend):
+        cert = _load_cert(
+            os.path.join("x509", "custom", "nc_invalid_ip4_netmask.der"),
+            x509.load_der_x509_certificate,
+            backend,
+        )
+        with pytest.raises(ValueError):
+            cert.extensions.get_extension_for_oid(
+                ExtensionOID.NAME_CONSTRAINTS
+            )
+
     def test_certbuilder(self, backend):
         permitted = [
             ".example.org",
diff --git a/vectors/cryptography_vectors/x509/custom/nc_invalid_ip4_netmask.der b/vectors/cryptography_vectors/x509/custom/nc_invalid_ip4_netmask.der
