File CVE-2024-26130.patch of Package python-cryptography.32695
From 97d231672763cdb5959a3b191e692a362f1b9e55 Mon Sep 17 00:00:00 2001
From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Mon, 19 Feb 2024 11:50:28 -0500
Subject: [PATCH] Fixes #10422 -- don't crash when a PKCS#12 key and cert don't
match (#10423)
---
.../hazmat/backends/openssl/backend.py | 9 +++++++++
tests/hazmat/primitives/test_pkcs12.py | 18 ++++++++++++++++++
2 files changed, 27 insertions(+)
Index: cryptography-41.0.3/src/cryptography/hazmat/backends/openssl/backend.py
===================================================================
--- cryptography-41.0.3.orig/src/cryptography/hazmat/backends/openssl/backend.py
+++ cryptography-41.0.3/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1821,6 +1821,15 @@ class Backend:
mac_iter,
0,
)
+ if p12 == self._ffi.NULL:
+ errors = self._consume_errors()
+ raise ValueError(
+ (
+ "Failed to create PKCS12 (does the key match the "
+ "certificate?)"
+ ),
+ errors,
+ )
if (
self._lib.Cryptography_HAS_PKCS12_SET_MAC
Index: cryptography-41.0.3/tests/hazmat/primitives/test_pkcs12.py
===================================================================
--- cryptography-41.0.3.orig/tests/hazmat/primitives/test_pkcs12.py
+++ cryptography-41.0.3/tests/hazmat/primitives/test_pkcs12.py
@@ -682,6 +682,24 @@ class TestPKCS12Creation:
b"name", cakey, cacert, [], algorithm
)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC,
+ skip_message="Requires OpenSSL with PKCS12_set_mac",
+ )
+ def test_set_mac_key_certificate_mismatch(self, backend):
+ cacert, _ = _load_ca(backend)
+ key = ec.generate_private_key(ec.SECP256R1())
+ encryption = (
+ serialization.PrivateFormat.PKCS12.encryption_builder()
+ .hmac_hash(hashes.SHA256())
+ .build(b"password")
+ )
+
+ with pytest.raises(ValueError):
+ serialize_key_and_certificates(
+ b"name", key, cacert, [], encryption
+ )
+
@pytest.mark.skip_fips(
reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it."
