File CVE-2024-26130.patch of Package python-cryptography.38704
Index: cryptography-41.0.3/src/cryptography/hazmat/backends/openssl/backend.py
===================================================================
--- cryptography-41.0.3.orig/src/cryptography/hazmat/backends/openssl/backend.py
+++ cryptography-41.0.3/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1821,6 +1821,15 @@ class Backend:
mac_iter,
0,
)
+ if p12 == self._ffi.NULL:
+ errors = self._consume_errors()
+ raise ValueError(
+ (
+ "Failed to create PKCS12 (does the key match the "
+ "certificate?)"
+ ),
+ errors,
+ )
if (
self._lib.Cryptography_HAS_PKCS12_SET_MAC
Index: cryptography-41.0.3/tests/hazmat/primitives/test_pkcs12.py
===================================================================
--- cryptography-41.0.3.orig/tests/hazmat/primitives/test_pkcs12.py
+++ cryptography-41.0.3/tests/hazmat/primitives/test_pkcs12.py
@@ -682,6 +682,24 @@ class TestPKCS12Creation:
b"name", cakey, cacert, [], algorithm
)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC,
+ skip_message="Requires OpenSSL with PKCS12_set_mac",
+ )
+ def test_set_mac_key_certificate_mismatch(self, backend):
+ cacert, _ = _load_ca(backend)
+ key = ec.generate_private_key(ec.SECP256R1())
+ encryption = (
+ serialization.PrivateFormat.PKCS12.encryption_builder()
+ .hmac_hash(hashes.SHA256())
+ .build(b"password")
+ )
+
+ with pytest.raises(ValueError):
+ serialize_key_and_certificates(
+ b"name", key, cacert, [], encryption
+ )
+
@pytest.mark.skip_fips(
reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it."
