Fix CRL nextUpdate handling. #1169
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When setting the nextUpdate field of a CRL, this code grabbed the nextUpdate ASN1_TIME field from the CRL and set its time. But nextUpdate is optional in a CRL so that field is usually NULL. But OpenSSL's ASN1_TIME_set_string succeeds when the destination argument is NULL, so it was silently a no-op. Given that, the call in a test to set the nextUpdate field suddenly starts working and sets the time to 2018, thus causing the CRL to be considered expired and breaking the test. So this change also changes the expiry year far into the future. Additionally, the other CRL and Revoked setters violate const in the API. Fixes pyca#1168.
davidben
commented
Dec 16, 2022
| ret = _lib.ASN1_TIME_new() | ||
| _openssl_assert(ret != _ffi.NULL) | ||
| ret = _ffi.gc(ret, _lib.ASN1_TIME_free) | ||
| _set_asn1_time(ret, when) |
There was a problem hiding this comment.
We almost could delete _set_asn1_time and inline it in here. But the problem is the setters for X509 aren't bound. I've left it alone for now, but that could be a small bit of cleanup if you want to do the whole multi-sided change. :-)
alex
reviewed
Dec 16, 2022
| ret = _lib.ASN1_TIME_new() | ||
| _openssl_assert(ret != _ffi.NULL) | ||
| ret = _ffi.gc(ret, _lib.ASN1_TIME_free) | ||
| _set_asn1_time(ret, when) |
There was a problem hiding this comment.
This doesn't appear to have any callers left, should it just be inlinined here? I think there's a bunch of checks in it that are now unreachable
There was a problem hiding this comment.
Yeah, see comment above. :-) We could get rid of it if we did a multi-project thing and bound some more APIs.
alex
previously approved these changes
Dec 16, 2022
alex
reviewed
Dec 16, 2022
alex
previously approved these changes
Dec 16, 2022
agl
reviewed
Dec 16, 2022
src/OpenSSL/crypto.py
Outdated
|
|
||
| set_result = _lib.ASN1_TIME_set_string(boundary, when) | ||
| if set_result == 0: | ||
| raise ValueError("Invalid string") | ||
|
|
||
|
|
||
| def _new_asn1_time(when: bytes) -> Any: | ||
| """ | ||
| Behaves like _set_asn1_time bit returns a new ASN1_TIME object. |
alex
reviewed
Dec 16, 2022
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
alex
approved these changes
Dec 16, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When setting the nextUpdate field of a CRL, this code grabbed the nextUpdate ASN1_TIME field from the CRL and set its time. But nextUpdate is optional in a CRL so that field is usually NULL. But OpenSSL's ASN1_TIME_set_string succeeds when the destination argument is NULL, so it was silently a no-op.
Given that, the call in a test to set the nextUpdate field suddenly starts working and sets the time to 2018, thus causing the CRL to be considered expired and breaking the test. So this change also changes the expiry year far into the future.
Additionally, the other CRL and Revoked setters violate const in the API.
Fixes #1168.