Don't try to serialize invalid objects in tests#1037
Merged
Conversation
A default-constructed X509_REQ or NETSCAPE_SPKI contains empty values for all its fields, notably the OIDs in public keys. This initial state is incomplete and not yet a valid object. The ASN.1 structures make the public key mandatory. When serializing, OpenSSL would previously silently omit the field, which doesn't actually produce a valid structure. As of openssl/openssl#16027, OpenSSL will notice this and return an error rather than serialize garbage. Sadly, that had to be reverted on 1.1.1, but it is present in the 3.0 branch. With that change, some of pyOpenSSL's tests fail. The bug here is in pyOpenSSL: pyOpenSSL tests are trying to serialize incomplete objects. Instead, fill in the public key. While not syntactically necessary (the empty string is a BIT STRING), also fill in the signature for NetscapeSPKI, to better align with real code. Tested by running pyOpenSSL tests against a copy of OpenSSL 1.1.1's dev branch, prior to the changes getting reverted.
alex
approved these changes
Aug 23, 2021
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
A default-constructed X509_REQ or NETSCAPE_SPKI contains empty values
for all its fields, notably the OIDs in public keys. This initial state
is incomplete and not yet a valid object. The ASN.1 structures make the
public key mandatory. When serializing, OpenSSL would previously
silently omit the field, which doesn't actually produce a valid
structure.
As of openssl/openssl#16027, OpenSSL will notice
this and return an error rather than serialize garbage. Sadly, that had
to be reverted on 1.1.1, but it is present in the 3.0 branch. With that
change, some of pyOpenSSL's tests fail.
The bug here is in pyOpenSSL: pyOpenSSL tests are trying to serialize
incomplete objects. Instead, fill in the public key. While not
syntactically necessary (the empty string is a BIT STRING), also fill in
the signature for NetscapeSPKI, to better align with real code.
Tested by running pyOpenSSL tests against a copy of OpenSSL 1.1.1's dev
branch, prior to the changes getting reverted.