Backport tlv fix, 38.0.1 bump (#7576)

* fix parsing for CRLs with TLVs > 65535 bytes (#7575) * add CRL test vector with 9,999 revoked items * bump rust-asn1 * add large CRL test this tests CRLs larger than 65535 bytes in size. rust-asn1 supports up to 4GiB TLVs now, but we'll avoid putting a test vector that big for now * changelog and 38.0.1 bump
pyca · Sep 7, 2022 · 3ff5218 · 3ff5218
1 parent 52d6f1a
commit 3ff5218
Show file tree

Hide file tree

Showing 8 changed files with 4,406 additions and 7 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -1,6 +1,14 @@
 Changelog
 =========
 
+.. _v38-0-1:
+
+38.0.0 - 2022-09-07
+~~~~~~~~~~~~~~~~~~~
+
+* Fixed parsing TLVs in ASN.1 with length greater than 65535 bytes (typically
+  seen in large CRLs).
+
 .. _v38-0-0:
 
 38.0.0 - 2022-09-06

diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
@@ -597,6 +597,7 @@ Custom X.509 Certificate Revocation List Vectors
 * ``crl_no_next_time.pem`` - Contains a CRL with no ``nextUpdate`` value. The
   signature on this CRL is invalid.
 * ``crl_bad_version.pem`` - Contains a CRL with an invalid version.
+* ``crl_almost_10k.pem`` - Contains a CRL with 9,999 entries.
 
 X.509 OCSP Test Vectors
 ~~~~~~~~~~~~~~~~~~~~~~~

diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py
@@ -9,7 +9,7 @@
     "__copyright__",
 ]
 
-__version__ = "38.0.0"
+__version__ = "38.0.1"
 
 __author__ = "The Python Cryptographic Authority and individual contributors"
 __copyright__ = "Copyright 2013-2022 {}".format(__author__)
diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock
diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml
@@ -8,7 +8,7 @@ publish = false
 [dependencies]
 once_cell = "1"
 pyo3 = { version = "0.15.2" }
-asn1 = { version = "0.12.1", default-features = false, features = ["derive"] }
+asn1 = { version = "0.12.2", default-features = false, features = ["derive"] }
 pem = "1.1"
 chrono = { version = "0.4.22", default-features = false, features = ["alloc", "clock"] }
 ouroboros = "0.15"

diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
@@ -107,6 +107,14 @@ def test_load_der_crl(self, backend):
         assert fingerprint == b"dd3db63c50f4c4a13e090f14053227cb1011a5ad"
         assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
 
+    def test_load_large_crl(self, backend):
+        crl = _load_cert(
+            os.path.join("x509", "custom", "crl_almost_10k.pem"),
+            x509.load_pem_x509_crl,
+            backend,
+        )
+        assert len(crl) == 9999
+
     def test_empty_crl_no_sequence(self, backend):
         # The SEQUENCE for revoked certificates is optional so let's
         # test that we handle it properly.

diff --git a/vectors/cryptography_vectors/__about__.py b/vectors/cryptography_vectors/__about__.py
@@ -6,4 +6,4 @@
     "__version__",
 ]
 
-__version__ = "38.0.0"
+__version__ = "38.0.1"
diff --git a/vectors/cryptography_vectors/x509/custom/crl_almost_10k.pem b/vectors/cryptography_vectors/x509/custom/crl_almost_10k.pem