diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index f21913762..8a0957e2e 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -16,6 +16,8 @@ Deprecations:
 Changes:
 ^^^^^^^^
+- Invalid versions are now rejected in ``OpenSSL.crypto.X509Req.set_version``.
+
 23.1.1 (2023-03-28)
 -------------------
diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py
index f5dd312ef..a3d9e9aaa 100644
--- a/src/OpenSSL/crypto.py
+++ b/src/OpenSSL/crypto.py
@@ -1010,6 +1010,12 @@ def set_version(self, version: int) -> None:
 :param int version: The version number.
 :return: ``None``
 """
+ if not isinstance(version, int):
+ raise TypeError("version must be an int")
+ if version != 0:
+ raise ValueError(
+ "Invalid version. The only valid version for X509Req is 0."
+ )
 set_result = _lib.X509_REQ_set_version(self._req, version)
 _openssl_assert(set_result == 1)
diff --git a/tests/test_crypto.py b/tests/test_crypto.py
index 3212fba41..0f67d207c 100644
--- a/tests/test_crypto.py
+++ b/tests/test_crypto.py
@@ -1601,20 +1601,12 @@ def test_version(self):
 """
 `X509Req.set_version` sets the X.509 version of the certificate
 request. `X509Req.get_version` returns the X.509 version of the
- certificate request. The only defined version is 0. Others may or
- may not be supported depending on backend.
+ certificate request. The only defined version is 0.
 """
 request = X509Req()
 assert request.get_version() == 0
 request.set_version(0)
 assert request.get_version() == 0
- try:
- request.set_version(1)
- assert request.get_version() == 1
- request.set_version(3)
- assert request.get_version() == 3
- except Error:
- pass
 def test_version_wrong_args(self):
 """
@@ -1624,6 +1616,8 @@ def test_version_wrong_args(self):
 request = X509Req()
 with pytest.raises(TypeError):
 request.set_version("foo")
+ with pytest.raises(ValueError):
+ request.set_version(2)
 def test_get_subject(self):
 """
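Review bot: The two guards added to `set_version` raise a `TypeError` and a `ValueError` that the docstring lines visible just above them (`:param int version:` and `:return:`) do not mention. I would add `:raises TypeError: If *version* is not an int.` and `:raises ValueError: If *version* is not 0, the only valid version for X509Req.` before `:return:`. Note also that `isinstance(version, int)` is true for `bool`, so `set_version(False)` passes both checks and reaches `X509_REQ_set_version` as 0; if that is not intended, `if isinstance(version, bool) or not isinstance(version, int):` closes it. The signature and the start of the docstring are outside the hunk, so an existing `:raises` entry earlier in it cannot be ruled out.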
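Review bot: The new `pytest.raises(ValueError)` check in `test_version_wrong_args` exercises only `2`, while the previous hunk in this file removes the calls with `1` and `3`, so no test pins the rejection of the values nearest to the valid one. A short loop covers them with each call in its own context manager: `for bad in (1, 3, -1):` / `with pytest.raises(ValueError):` / `request.set_version(bad)`. The test's docstring opens in the previous hunk and its text is not visible here, so it is worth checking that it still describes both the `TypeError` and the `ValueError` case.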