Reject invalid versions in X509Req.set_version

pyca · Mar 31, 2023 · 63abbfb · 63abbfb
1 parent da18a74
commit 63abbfb
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 0 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -16,6 +16,8 @@ Deprecations:
 Changes:
 ^^^^^^^^
 
+- Invalid versions are now rejected in ``OpenSSL.crypt.X509Req.set_version``.
+
 23.1.1 (2023-03-28)
 -------------------
 

diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py
@@ -1010,6 +1010,12 @@ def set_version(self, version: int) -> None:
         :param int version: The version number.
         :return: ``None``
         """
+        if not isinstance(version, int):
+            raise TypeError("version must be an int")
+        if version != 0:
+            raise ValueError(
+                "Invalid version. The only valid version for X509Req is 0."
+            )
         set_result = _lib.X509_REQ_set_version(self._req, version)
         _openssl_assert(set_result == 1)
 

diff --git a/tests/test_crypto.py b/tests/test_crypto.py
@@ -1624,6 +1624,8 @@ def test_version_wrong_args(self):
         request = X509Req()
         with pytest.raises(TypeError):
             request.set_version("foo")
+        with pytest.raises(ValueError):
+            request.set_version(2)
 
     def test_get_subject(self):
         """