[Python-checkins] bpo-46232: Fix parsing of certs with bit string in DN (GH-30351)

miss-islington webhook-mailer at python.org
Mon Feb 21 04:37:47 EST 2022


https://github.com/python/cpython/commit/633d0f90f933515a9fca21a38cf87a8baf8ddc7d
commit: 633d0f90f933515a9fca21a38cf87a8baf8ddc7d
branch: 3.10
author: Miss Islington (bot) <31488909+miss-islington at users.noreply.github.com>
committer: miss-islington <31488909+miss-islington at users.noreply.github.com>
date: 2022-02-21T01:37:26-08:00
summary:

bpo-46232: Fix parsing of certs with bit string in DN (GH-30351)

(cherry picked from commit be095f6c32188bba02079d086ac8639ea37cec3c)

Co-authored-by: Christian Heimes <christian at python.org>

files:
A Misc/NEWS.d/next/Library/2022-01-03-09-46-44.bpo-46232.s0KlyI.rst
M Modules/_ssl.c

diff --git a/Misc/NEWS.d/next/Library/2022-01-03-09-46-44.bpo-46232.s0KlyI.rst b/Misc/NEWS.d/next/Library/2022-01-03-09-46-44.bpo-46232.s0KlyI.rst
new file mode 100644
index 0000000000000..e252449199a05
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2022-01-03-09-46-44.bpo-46232.s0KlyI.rst
@@ -0,0 +1,2 @@
+The :mod:`ssl` module now handles certificates with bit strings in DN
+correctly.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 6c63301b2a7d8..af2520432a64e 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -1053,17 +1053,29 @@ _create_tuple_for_attribute(_sslmodulestate *state,
                             ASN1_OBJECT *name, ASN1_STRING *value)
 {
     Py_ssize_t buflen;
-    unsigned char *valuebuf = NULL;
-    PyObject *attr;
+    PyObject *pyattr;
+    PyObject *pyname = _asn1obj2py(state, name, 0);
 
-    buflen = ASN1_STRING_to_UTF8(&valuebuf, value);
-    if (buflen < 0) {
+    if (pyname == NULL) {
         _setSSLError(state, NULL, 0, __FILE__, __LINE__);
         return NULL;
     }
-    attr = Py_BuildValue("Ns#", _asn1obj2py(state, name, 0), valuebuf, buflen);
-    OPENSSL_free(valuebuf);
-    return attr;
+
+    if (ASN1_STRING_type(value) == V_ASN1_BIT_STRING) {
+        buflen = ASN1_STRING_length(value);
+        pyattr = Py_BuildValue("Ny#", pyname, ASN1_STRING_get0_data(value), buflen);
+    } else {
+        unsigned char *valuebuf = NULL;
+        buflen = ASN1_STRING_to_UTF8(&valuebuf, value);
+        if (buflen < 0) {
+            _setSSLError(state, NULL, 0, __FILE__, __LINE__);
+            Py_DECREF(pyname);
+            return NULL;
+        }
+        pyattr = Py_BuildValue("Ns#", pyname, valuebuf, buflen);
+        OPENSSL_free(valuebuf);
+    }
+    return pyattr;
 }
 
 static PyObject *
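Review bot: The new `V_ASN1_BIT_STRING` branch returns the attribute value as `bytes` (`"Ny#"`) while every other string type still comes back as `str` (`"Ns#"`), and nothing in `_create_tuple_for_attribute` documents that difference. These tuples are built from certificate DN fields, which for a peer certificate are supplied by the remote side, so code consuming them now has to cope with both types. A comment above the branch would make the contract explicit, e.g. `/* BIT STRING values are returned as raw bytes; every other type is converted to UTF-8 and returned as str. */`. Separately, the `pyname == NULL` path calls `_setSSLError` unconditionally; if `_asn1obj2py` (defined outside this hunk) already sets a Python exception on failure, that call would presumably replace it, so a plain `return NULL;` may be the safer form once confirmed against the helper.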


