New submission from Christian Heimes:

An X509 cert with a registered id general name in subject alternative name 
causes a SystemError: error return without exception set. This prevents host 
name validation of certs with a registered id.

>>> import _ssl
>>> _ssl._test_decode_cert('rid.pem')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
SystemError: error return without exception set

The problem is caused by a bug in OpenSSL's print function for general names. 
Python's _get_peer_alt_names() uses GENERAL_NAME_print() to print GEN_IPADD, 
GEN_RID and others into a buffer. The buffer is then split at ':' into two 
strings. This works for all fields except for GEN_RID because OpenSSL doesn't 
put a ':' after 'Registered ID', 
https://github.com/openssl/openssl/blob/master/crypto/x509v3/v3_alt.c#L183 . 
_get_peer_alt_names() fails and returns NULL without setting a proper exception.

It looks like we haven't had tests for GEN_RID as well as some other field 
types.

Related Red Hat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1364268

----------
components: Extension Modules
files: rid.pem
messages: 272020
nosy: alex, christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou
priority: normal
severity: normal
stage: test needed
status: open
title: X509 cert with GEN_RID subject alt name causes SystemError
type: behavior
versions: Python 2.7, Python 3.4, Python 3.5, Python 3.6
Added file: http://bugs.python.org/file44014/rid.pem

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue27691>
_______________________________________
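The split-at-':' step the report describes, modelled in Python as an added example (this is not CPython's Modules/_ssl.c, which is C, and not OpenSSL): it shows a "Registered ID" buffer defeating the original split logic and a variant that handles it explicitly. The sample buffers are constructed to match the shape GENERAL_NAME_print() writes.

```python
# Added example: a stand-alone model of _get_peer_alt_names()'s
# "print the GENERAL_NAME into a buffer, then split at ':'" step.
# Not the real C implementation; the buffers below are constructed.

# Constructed buffers in the shape GENERAL_NAME_print() produces.
# Note the missing ':' after "Registered ID" (the OpenSSL quirk cited above).
SAMPLE_BUFFERS = [
    "IP Address:192.0.2.10",
    "DNS:example.test",
    "email:admin@example.test",
    "Registered ID1.3.6.1.4.1.99999.1",   # no ':' separator
]

def split_buggy(buf):
    """Mirror of the original logic: split at the first ':'.

    Returns a (type, value) tuple, or None when no ':' is present, which
    models the NULL return with no exception set that surfaces as the
    'SystemError: error return without exception set' in the report."""
    idx = buf.find(":")
    if idx < 0:
        return None
    return buf[:idx], buf[idx + 1:]

def split_fixed(buf):
    """Hardened variant: handle 'Registered ID' explicitly and never fail silently.

    Any other buffer lacking a ':' raises ValueError naming the offending text,
    so the caller gets a real exception instead of an unexplained failure."""
    rid_label = "Registered ID"
    if buf.startswith(rid_label):
        # Tolerate both the current (no colon) and a hypothetical colon form.
        return rid_label, buf[len(rid_label):].lstrip(":")
    type_, sep, value = buf.partition(":")
    if not sep:
        raise ValueError("Invalid value %.200s" % buf)
    return type_, value

def decode_all(buffers, splitter):
    """Apply a splitter to every buffer; None results are kept so the
    failure position is visible."""
    return [splitter(buf) for buf in buffers]
```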