From 5cf016c3ae8b4e60f564e6cac67d43e243034345 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 19 Feb 2024 12:09:10 -0500 Subject: Fixes #10422 -- don't crash when a PKCS#12 key and cert don't match (#10423) (#10425) --- .../hazmat/backends/openssl/backend.py | 9 +++++++++ tests/hazmat/primitives/test_pkcs12.py | 18 ++++++++++++++++++ 2 files changed, 27 insertions(+) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 45a644cf6..0ae987bd3 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -2378,6 +2378,15 @@ class Backend: mac_iter, 0, ) + if p12 == self._ffi.NULL: + errors = self._consume_errors() + raise ValueError( + ( + "Failed to create PKCS12 (does the key match the " + "certificate?)" + ), + errors, + ) if ( self._lib.Cryptography_HAS_PKCS12_SET_MAC diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index c9ef57e66..3de92f82a 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -682,6 +682,24 @@ class TestPKCS12Creation: b"name", cakey, cacert, [], algorithm ) + @pytest.mark.supported( + only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC, + skip_message="Requires OpenSSL with PKCS12_set_mac", + ) + def test_set_mac_key_certificate_mismatch(self, backend): + cacert, _ = _load_ca(backend) + key = ec.generate_private_key(ec.SECP256R1()) + encryption = ( + serialization.PrivateFormat.PKCS12.encryption_builder() + .hmac_hash(hashes.SHA256()) + .build(b"password") + ) + + with pytest.raises(ValueError): + serialize_key_and_certificates( + b"name", key, cacert, [], encryption + ) + @pytest.mark.skip_fips( reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it." -- 2.30.2