From fb637b7c58e42d7c99558276ffaabec1878bf97d Mon Sep 17 00:00:00 2001

From: Christian Heimes <cheimes@redhat.com>

Date: Mon, 29 May 2017 16:33:20 -0500

Subject: [PATCH 4/4] Enlarge _oid2txt buffer to handle larger OIDs (#3612)

The OpenSSL manual recommends a buffer size of 80 for OBJ_oid2txt:

https://www.openssl.org/docs/crypto/OBJ_nid2ln.html#return_values.

But OIDs longer than this occur in real life (e.g. Active Directory

makes some very long OIDs).  If the length of the stringified OID

exceeds the buffer size, allocate a new buffer that is big enough to

hold the stringified OID, and re-do the conversion into the new

buffer.

NOTE: bigoid.pem has been moved to tests/.

Fixes RHBZ #1455755

---

 docs/development/test-vectors.rst                  |  3 ++

 .../hazmat/backends/openssl/decode_asn1.py         | 14 ++++++++++

 tests/bigoid.pem                                   | 32 ++++++++++++++++++++++

 tests/test_x509_ext.py                             | 19 +++++++++++++

 4 files changed, 68 insertions(+)

 create mode 100644 tests/bigoid.pem

diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst

index fb72240d..bc72a470 100644

--- a/docs/development/test-vectors.rst

+++ b/docs/development/test-vectors.rst

@@ -127,6 +127,9 @@ X.509

 * ``alternate-rsa-sha1-oid.pem`` - A certificate from an

   `unknown signature OID`_ Mozilla bug that uses an alternate signature OID for

   RSA with SHA1.

+* ``bigoid.pem`` - A certificate with a rather long OID in the

+  Certificate Policies extension.  We need to make sure we can parse

+  long OIDs.

 Custom X.509 Vectors

 ~~~~~~~~~~~~~~~~~~~~

diff --git a/src/cryptography/hazmat/backends/openssl/decode_asn1.py b/src/cryptography/hazmat/backends/openssl/decode_asn1.py

index 2cbc349e..5a23da25 100644

--- a/src/cryptography/hazmat/backends/openssl/decode_asn1.py

+++ b/src/cryptography/hazmat/backends/openssl/decode_asn1.py

@@ -24,9 +24,23 @@ from cryptography.x509.oid import (

 def _obj2txt(backend, obj):

     # Set to 80 on the recommendation of

     # https://www.openssl.org/docs/crypto/OBJ_nid2ln.html#return_values

+    #

+    # But OIDs longer than this occur in real life (e.g. Active

+    # Directory makes some very long OIDs).  So we need to detect

+    # and properly handle the case where the default buffer is not

+    # big enough.

+    #

     buf_len = 80

     buf = backend._ffi.new("char[]", buf_len)

+

+    # 'res' is the number of bytes that *would* be written if the

+    # buffer is large enough.  If 'res' > buf_len - 1, we need to

+    # alloc a big-enough buffer and go again.

     res = backend._lib.OBJ_obj2txt(buf, buf_len, obj, 1)

+    if res > buf_len - 1:  # account for terminating null byte

+        buf_len = res + 1

+        buf = backend._ffi.new("char[]", buf_len)

+        res = backend._lib.OBJ_obj2txt(buf, buf_len, obj, 1)

     backend.openssl_assert(res > 0)

     return backend._ffi.buffer(buf, res)[:].decode()

diff --git a/tests/bigoid.pem b/tests/bigoid.pem

new file mode 100644

index 00000000..7bf865bf

--- /dev/null

+++ b/tests/bigoid.pem

@@ -0,0 +1,32 @@

+-----BEGIN CERTIFICATE-----

+MIIFiTCCBHGgAwIBAgITSAAAAAd1bEC5lsOdnQAAAAAABzANBgkqhkiG9w0BAQsF

+ADBLMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxEjAQBgoJkiaJk/IsZAEZFgJhZDEe

+MBwGA1UEAxMVYWQtV0lOLVBQSzAxNUY5TURRLUNBMB4XDTE3MDUyNTIzNDg0NVoX

+DTE5MDUyNTIzNTg0NVowNDESMBAGA1UEChMJSVBBLkxPQ0FMMR4wHAYDVQQDExVD

+ZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK

+AoIBAQDyyuty6irlL89hdaSW0UyAGLsOOMgAuJwBAeuRUorR159rsSnUXLcTHIsm

+EszKhwxp3NkkawRWx/s0UN1m2+RUwMl6gvlw+G80Mz0S77C77M+2lO8HRmZGm+Wu

+zBNcc9SANHuDQ1NISfZgLiscMS0+l0T3g6/Iqtg1kPWrq/tMevfh6tJEIedSBGo4

+3xKEMSDkrvaeTuSVrgn/QT0m+WNccZa0c7X35L/hgR22/l5sr057Ef8F9vL8zUH5

+TttFBIuiWJo8A8XX9I1zYIFhWjW3OVDZPBUnhGHH6yNyXGxXMRfcrrc74eTw8ivC

+080AQuRtgwvDErB/JPDJ5w5t/ielAgMBAAGjggJ7MIICdzA9BgkrBgEEAYI3FQcE

+MDAuBiYrBgEEAYI3FQiEoqJGhYq1PoGllQqGi+F4nacAgRODs5gfgozzAAIBZAIB

+BTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUnSrC

+yW3CR0e3ilJdN6kL06P3KHMwHwYDVR0jBBgwFoAUj69xtyUNwp8on+NWO+HlxKyg

+X7AwgdgGA1UdHwSB0DCBzTCByqCBx6CBxIaBwWxkYXA6Ly8vQ049YWQtV0lOLVBQ

+SzAxNUY5TURRLUNBLENOPVdJTi1QUEswMTVGOU1EUSxDTj1DRFAsQ049UHVibGlj

+JTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixE

+Qz1hZCxEQz1sb2NhbD9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2Jq

+ZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnQwgcQGCCsGAQUFBwEBBIG3MIG0

+MIGxBggrBgEFBQcwAoaBpGxkYXA6Ly8vQ049YWQtV0lOLVBQSzAxNUY5TURRLUNB

+LENOPUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxD

+Tj1Db25maWd1cmF0aW9uLERDPWFkLERDPWxvY2FsP2NBQ2VydGlmaWNhdGU/YmFz

+ZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MDMGA1UdIAQsMCow

+KAYmKwYBBAGCNxUIhKKiRoWKtT6BpZUKhovheJ2nAIEThrXzUYabpA4wDQYJKoZI

+hvcNAQELBQADggEBAIsFS+Qc/ufTrkuHbMmzksOpxq+OIi9rot8zy9/1Vmj6d+iP

+kB+vQ1u4/IhdQArJFNhsBzWSY9Pi8ZclovpepFeEZfXPUenyeRCU43HdMXcHXnlP

+YZfyLQWOugdo1WxK6S9qQSOSlC7BSGZWvKkiAPAwr4zNbbS+ROA2w0xaYMv0rr5W

+A4UAyzZAdqaGRJBRvCZ/uFHM5wMw0LzNCL4CqKW9jfZX0Fc2tdGx8zbTYxIdgr2D

+PL25as32r3S/m4uWqoQaK0lxK5Y97eusK2rrmidy32Jctzwl29UWq8kpjRAuD8iR

+CSc7sKqOf+fn3+fKITR2/DcSVvb0SGCr5fVVnjQ=

+-----END CERTIFICATE-----

diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py

index 00cf0a6f..91df35db 100644

--- a/tests/test_x509_ext.py

+++ b/tests/test_x509_ext.py

@@ -409,6 +409,7 @@ class TestPolicyInformation(object):

         assert pi != object()

+@pytest.mark.requires_backend_interface(interface=X509Backend)

 class TestCertificatePolicies(object):

     def test_invalid_policies(self):

         pq = [u"string"]

@@ -481,6 +482,24 @@ class TestCertificatePolicies(object):

         assert cp[-1] == cp[4]

         assert cp[2:6:2] == [cp[2], cp[4]]

+    def test_long_oid(self, backend):

+        """

+        Test that parsing a CertificatePolicies ext with

+        a very long OID succeeds.

+        """

+        here = os.path.dirname(os.path.abspath(__file__))

+        with open(os.path.join(here, "bigoid.pem"), 'rb') as f:

+            cert = x509.load_pem_x509_certificate(f.read(), backend)

+        ext = cert.extensions.get_extension_for_class(

+            x509.CertificatePolicies)

+

+        oid = x509.ObjectIdentifier(

+            "1.3.6.1.4.1.311.21.8.8950086.10656446.2706058"

+            ".12775672.480128.147.13466065.13029902"

+        )

+

+        assert ext.value[0].policy_identifier == oid

+

 @pytest.mark.requires_backend_interface(interface=RSABackend)

 @pytest.mark.requires_backend_interface(interface=X509Backend)

-- 

2.13.5