Skip to content

Commit

Permalink
Fixes #10422 -- don't crash when a PKCS#12 key and cert don't match (#…
Browse files Browse the repository at this point in the history
  • Loading branch information
alex authored Feb 19, 2024
1 parent df314bb commit 7a4d012
Show file tree
Hide file tree
Showing 2 changed files with 27 additions and 0 deletions.
9 changes: 9 additions & 0 deletions src/cryptography/hazmat/backends/openssl/backend.py
Original file line number Diff line number Diff line change
Expand Up @@ -826,6 +826,15 @@ def serialize_key_and_certificates_to_pkcs12(
mac_iter,
0,
)
if p12 == self._ffi.NULL:
errors = self._consume_errors()
raise ValueError(
(
"Failed to create PKCS12 (does the key match the "
"certificate?)"
),
errors,
)

if (
self._lib.Cryptography_HAS_PKCS12_SET_MAC
Expand Down
18 changes: 18 additions & 0 deletions tests/hazmat/primitives/test_pkcs12.py
Original file line number Diff line number Diff line change
Expand Up @@ -657,6 +657,24 @@ def test_key_serialization_encryption_set_mac_unsupported(
b"name", cakey, cacert, [], algorithm
)

@pytest.mark.supported(
only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC,
skip_message="Requires OpenSSL with PKCS12_set_mac",
)
def test_set_mac_key_certificate_mismatch(self, backend):
cacert, _ = _load_ca(backend)
key = ec.generate_private_key(ec.SECP256R1())
encryption = (
serialization.PrivateFormat.PKCS12.encryption_builder()
.hmac_hash(hashes.SHA256())
.build(b"password")
)

with pytest.raises(ValueError):
serialize_key_and_certificates(
b"name", key, cacert, [], encryption
)


@pytest.mark.skip_fips(
reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it."
Expand Down

0 comments on commit 7a4d012

Please sign in to comment.