Backport tlv fix, 38.0.1 bump (#7576)

* fix parsing for CRLs with TLVs > 65535 bytes (#7575) * add CRL test vector with 9,999 revoked items * bump rust-asn1 * add large CRL test this tests CRLs larger than 65535 bytes in size. rust-asn1 supports up to 4GiB TLVs now, but we'll avoid putting a test vector that big for now * changelog and 38.0.1 bump
2026-05-14 20:37:55 +00:00 · 2022-09-07 20:19:50 +08:00 · 2022-09-07 20:19:50 +08:00 · 3ff52182ba
commit 3ff52182ba
parent 52d6f1a491
8 changed files with 4406 additions and 7 deletions
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@ -1,6 +1,14 @@
 Changelog
 =========

+.. _v38-0-1:
+
+38.0.0 - 2022-09-07
+~~~~~~~~~~~~~~~~~~~
+
+* Fixed parsing TLVs in ASN.1 with length greater than 65535 bytes (typically
+  seen in large CRLs).
+
 .. _v38-0-0:

 38.0.0 - 2022-09-06
--- a/docs/development/test-vectors.rst
+++ b/docs/development/test-vectors.rst
@ -597,6 +597,7 @@ Custom X.509 Certificate Revocation List Vectors
 * ``crl_no_next_time.pem`` - Contains a CRL with no ``nextUpdate`` value. The
  signature on this CRL is invalid.
 * ``crl_bad_version.pem`` - Contains a CRL with an invalid version.
+* ``crl_almost_10k.pem`` - Contains a CRL with 9,999 entries.

 X.509 OCSP Test Vectors
 ~~~~~~~~~~~~~~~~~~~~~~~
--- a/src/cryptography/about.py
+++ b/src/cryptography/about.py
@ -9,7 +9,7 @@ __all__ = [
    "__copyright__",
 ]

-__version__ = "38.0.0"
+__version__ = "38.0.1"

 __author__ = "The Python Cryptographic Authority and individual contributors"
 __copyright__ = "Copyright 2013-2022 {}".format(__author__)
--- a/src/rust/Cargo.lock
+++ b/src/rust/Cargo.lock
@ -25,9 +25,9 @@ dependencies = [

 [[package]]
 name = "asn1"
-version = "0.12.1"
+version = "0.12.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "570eb4740d127e98f0b6b1b93adf0d2ad054bee6272284fcc029323d902c3095"
+checksum = "22c27c85cd71c1bf4373c7c1aa752b73d2df799277c0930af16fffbf3444f210"
 dependencies = [
 "asn1_derive",
 "chrono",
@ -35,9 +35,9 @@ dependencies = [

 [[package]]
 name = "asn1_derive"
-version = "0.12.1"
+version = "0.12.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "56792f155e38317e455b140f625c0e8593af8cb7b072842024c37aae22f087ea"
+checksum = "d48d1854a01241e8d22f8f5ae4e2dc332f66c5946e1772f5576886d83e18e1b7"
 dependencies = [
 "proc-macro2",
 "quote",
--- a/src/rust/Cargo.toml
+++ b/src/rust/Cargo.toml
@ -8,7 +8,7 @@ publish = false
 [dependencies]
 once_cell = "1"
 pyo3 = { version = "0.15.2" }
-asn1 = { version = "0.12.1", default-features = false, features = ["derive"] }
+asn1 = { version = "0.12.2", default-features = false, features = ["derive"] }
 pem = "1.1"
 chrono = { version = "0.4.22", default-features = false, features = ["alloc", "clock"] }
 ouroboros = "0.15"
--- a/tests/x509/test_x509.py
+++ b/tests/x509/test_x509.py
@ -107,6 +107,14 @@ class TestCertificateRevocationList:
        assert fingerprint == b"dd3db63c50f4c4a13e090f14053227cb1011a5ad"
        assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)

+    def test_load_large_crl(self, backend):
+        crl = _load_cert(
+            os.path.join("x509", "custom", "crl_almost_10k.pem"),
+            x509.load_pem_x509_crl,
+            backend,
+        )
+        assert len(crl) == 9999
+
    def test_empty_crl_no_sequence(self, backend):
        # The SEQUENCE for revoked certificates is optional so let's
        # test that we handle it properly.
--- a/vectors/cryptography_vectors/about.py
+++ b/vectors/cryptography_vectors/about.py
@ -6,4 +6,4 @@ __all__ = [
    "__version__",
 ]

-__version__ = "38.0.0"
+__version__ = "38.0.1"
--- a/vectors/cryptography_vectors/x509/custom/crl_almost_10k.pem
+++ b/vectors/cryptography_vectors/x509/custom/crl_almost_10k.pem