From 4183beb4bc3f72d656dd9f18acb0ddcabca5ca79 Mon Sep 17 00:00:00 2001 From: Romuald Brunet Date: Mon, 21 Jan 2019 19:38:33 +0100 Subject: Handle NULL bytes in get_components() values (#804) * Handle NULL bytes in get_components() values Some old software may generate "bogus" CN with each character preceded by a NULL. This is already handled in commonName, but wasn't in get_components() * review fixes (fix py3 test & avoid unpack/cast) --- src/OpenSSL/crypto.py | 10 +++++----- tests/test_crypto.py | 11 +++++++++++ 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py index d555083..715e1ae 100644 --- a/src/OpenSSL/crypto.py +++ b/src/OpenSSL/crypto.py @@ -695,11 +695,11 @@ class X509Name(object): nid = _lib.OBJ_obj2nid(fname) name = _lib.OBJ_nid2sn(nid) - result.append(( - _ffi.string(name), - _ffi.string( - _lib.ASN1_STRING_data(fval), - _lib.ASN1_STRING_length(fval)))) + # ffi.string does not handle strings containing NULL bytes + # (which may have been generated by old, broken software) + value = _ffi.buffer(_lib.ASN1_STRING_data(fval), + _lib.ASN1_STRING_length(fval))[:] + result.append((_ffi.string(name), value)) return result diff --git a/tests/test_crypto.py b/tests/test_crypto.py index ec632d9..c938021 100644 --- a/tests/test_crypto.py +++ b/tests/test_crypto.py @@ -1214,6 +1214,17 @@ class TestX509Name(object): subject = cert.get_subject() assert "null.python.org\x00example.org" == subject.commonName + def test_load_nul_byte_components(self): + """ + An `X509Name` from an `X509` instance loaded from a file can have a + NUL byte in the value of its components + """ + cert = load_certificate(FILETYPE_PEM, nulbyteSubjectAltNamePEM) + subject = cert.get_subject() + components = subject.get_components() + ccn = [value for name, value in components if name == b'CN'] + assert ccn[0] == b'null.python.org\x00example.org' + def test_set_attribute_failure(self): """ If the value of an attribute cannot be set for some reason then -- cgit v1.2.1