From 8b3de53ed80e1d426d512ede2d9fd756e6fb46ec Mon Sep 17 00:00:00 2001
From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Thu, 17 Oct 2024 23:13:03 -0400
Subject: [PATCH] When failing to parse SANs or IANs, include which it was that
 failed (#11785)

---
 docs/development/test-vectors.rst                |  2 ++
 src/rust/src/x509/certificate.rs                 |  8 ++++++--
 tests/x509/test_x509_ext.py                      | 16 ++++++++++++++++
 .../x509/custom/malformed-ian.pem                | 11 +++++++++++
 .../x509/custom/malformed-san.pem                | 11 +++++++++++
 5 files changed, 46 insertions(+), 2 deletions(-)
 create mode 100644 vectors/cryptography_vectors/x509/custom/malformed-ian.pem
 create mode 100644 vectors/cryptography_vectors/x509/custom/malformed-san.pem

diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
index dcbc93edf..3714b17d4 100644
--- a/docs/development/test-vectors.rst
+++ b/docs/development/test-vectors.rst
@@ -544,6 +544,8 @@ Custom X.509 Vectors
   This is an invalid certificate per CA/B 7.1.2.7.6.
 * ``empty-eku.pem`` - A leaf certificate containing an empty EKU extension.
   This is an invalid certificate per :rfc:`5280` 4.2.1.12.
+* ``malformed-san.pem`` - A certificate with a malformed SAN.
+* ``malformed-ian.pem`` - A certificate with a malformed IAN.
 
 Custom X.509 Request Vectors
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs
index b9e331a72..739b28694 100644
--- a/src/rust/src/x509/certificate.rs
+++ b/src/rust/src/x509/certificate.rs
@@ -737,14 +737,18 @@ pub fn parse_cert_ext<'p>(
 ) -> CryptographyResult<Option<pyo3::Bound<'p, pyo3::PyAny>>> {
     match ext.extn_id {
         oid::SUBJECT_ALTERNATIVE_NAME_OID => {
-            let gn_seq = ext.value::<SubjectAlternativeName<'_>>()?;
+            let gn_seq = ext.value::<SubjectAlternativeName<'_>>().map_err(|e| {
+                e.add_location(asn1::ParseLocation::Field("subject_alternative_name"))
+            })?;
             let sans = x509::parse_general_names(py, &gn_seq)?;
             Ok(Some(
                 types::SUBJECT_ALTERNATIVE_NAME.get(py)?.call1((sans,))?,
             ))
         }
         oid::ISSUER_ALTERNATIVE_NAME_OID => {
-            let gn_seq = ext.value::<IssuerAlternativeName<'_>>()?;
+            let gn_seq = ext.value::<IssuerAlternativeName<'_>>().map_err(|e| {
+                e.add_location(asn1::ParseLocation::Field("issuer_alternative_name"))
+            })?;
             let ians = x509::parse_general_names(py, &gn_seq)?;
             Ok(Some(
                 types::ISSUER_ALTERNATIVE_NAME.get(py)?.call1((ians,))?,
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
index 911006406..4f75c2987 100644
--- a/tests/x509/test_x509_ext.py
+++ b/tests/x509/test_x509_ext.py
@@ -2324,6 +2324,14 @@ class TestRSAIssuerAlternativeNameExtension:
             x509.UniformResourceIdentifier("http://path.to.root/root.crt"),
         ]
 
+    def test_malformed(self):
+        cert = _load_cert(
+            os.path.join("x509", "custom", "malformed-ian.pem"),
+            x509.load_pem_x509_certificate,
+        )
+        with pytest.raises(ValueError, match="issuer_alternative_name"):
+            cert.extensions
+
 
 class TestCRLNumber:
     def test_eq(self):
@@ -2709,6 +2717,14 @@ class TestRSASubjectAlternativeNameExtension:
         ]
         assert result == sans
 
+    def test_malformed(self):
+        cert = _load_cert(
+            os.path.join("x509", "custom", "malformed-san.pem"),
+            x509.load_pem_x509_certificate,
+        )
+        with pytest.raises(ValueError, match="subject_alternative_name"):
+            cert.extensions
+
 
 class TestExtendedKeyUsageExtension:
     def test_eku(self, backend):
diff --git a/vectors/cryptography_vectors/x509/custom/malformed-ian.pem b/vectors/cryptography_vectors/x509/custom/malformed-ian.pem
new file mode 100644
index 000000000..a7c7d6093
--- /dev/null
+++ b/vectors/cryptography_vectors/x509/custom/malformed-ian.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBlDCB/qADAgECAgo/X5syqzQbiVZiMA0GCSqGSIb3DQEBBQUAMAAwHhcNMTIw
+OTI3MTEyNDQzWhcNMTcwOTI3MTEyNDQzWjAAMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQDEyUkICYplDtDRdLjZV0nF5oK5tBjoXWPxnfx6Msg5Ywvxjh4jq8Jf
+FRwn9oLYpFmnhPYaVNWO7fykCrYz8O6mMtYInUbodvIPniZXjoTlYOPUmLj/XcU0
+iGhUmdo8yquPoe7TC9DDeSfaAwoLMDZjJoQjlBuRk+qTmfySJCNZrQIDAQABoxYw
+FDASBgNVHRIECzAJoAcGA1UEAwwAMA0GCSqGSIb3DQEBBQUAA4GBAD5jUyH8eLrZ
+tJtEJIVH/cvjtATXWwUnPX5NUGrgIBFwKx1f4csOFe6MIhA7j0VwSJ/iOd4xszLA
+r8/2ijoBc+cPbThPSHLdOvOrGJsdrywOUYzGHRh/zoMEnT/FN9p7YbYnQIwFGqx1
+HUFnXljOXCezE5ytzEcpQ/43EvT4u74O
+-----END CERTIFICATE-----
diff --git a/vectors/cryptography_vectors/x509/custom/malformed-san.pem b/vectors/cryptography_vectors/x509/custom/malformed-san.pem
new file mode 100644
index 000000000..00aa6feea
--- /dev/null
+++ b/vectors/cryptography_vectors/x509/custom/malformed-san.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBlDCB/qADAgECAgo/X5syqzQbiVZiMA0GCSqGSIb3DQEBBQUAMAAwHhcNMTIw
+OTI3MTEyNDQzWhcNMTcwOTI3MTEyNDQzWjAAMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQDEyUkICYplDtDRdLjZV0nF5oK5tBjoXWPxnfx6Msg5Ywvxjh4jq8Jf
+FRwn9oLYpFmnhPYaVNWO7fykCrYz8O6mMtYInUbodvIPniZXjoTlYOPUmLj/XcU0
+iGhUmdo8yquPoe7TC9DDeSfaAwoLMDZjJoQjlBuRk+qTmfySJCNZrQIDAQABoxYw
+FDASBgNVHREECzAJoAcGA1UEAwwAMA0GCSqGSIb3DQEBBQUAA4GBAD5jUyH8eLrZ
+tJtEJIVH/cvjtATXWwUnPX5NUGrgIBFwKx1f4csOFe6MIhA7j0VwSJ/iOd4xszLA
+r8/2ijoBc+cPbThPSHLdOvOrGJsdrywOUYzGHRh/zoMEnT/FN9p7YbYnQIwFGqx1
+HUFnXljOXCezE5ytzEcpQ/43EvT4u74O
+-----END CERTIFICATE-----