Closed
Description
Hello,
Using cryptography version 41.0.0, I get a parsing error when trying to decode a particular certificate. The error message is pretty cryptic to me, so I'm not sure why exactly.
I did not get any error when using versions 38.0.4 or 40.0.2.
Reproducer
from cryptography.x509 import load_pem_x509_certificate
# the cert isn't sensitive
CERT = '''
-----BEGIN CERTIFICATE-----\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\n-----END CERTIFICATE-----
'''
cert_obj = load_pem_x509_certificate(bytes(CERT, 'utf-8'))
print(cert_obj)
Running with cryptography version 41.0.0
- Wheel name - cryptography-41.0.0-cp37-abi3-manylinux_2_28_x86_64
- cffi - 1.15.1
- pycparser - 2.21
The error I get is:
File "...", line 7, in <module>
cert_obj = load_pem_x509_certificate(bytes(CERT, 'utf-8'))
File ".../env/lib/python3.10/site-packages/cryptography/x509/base.py", line 583, in load_pem_x509_certificate
return rust_x509.load_pem_x509_certificate(data)
ValueError: error parsing asn1 value: ParseError { kind: ExtraData, location: ["Certificate::tbs_cert", "TbsCertificate::signature_alg"] }
Running with cryptography version 38.0.4, 40.0.2
- cffi - 1.15.1
- pycparser - 2.21
It works with these versions; I get a Certificate object.
Certificate
The certificate (the same one in the reproducer):
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
The decoded certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 912047151 (0x365cbc2f)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = , ST = , L = , O = , OU = , CN =
Validity
Not Before: Jun 7 06:34:08 2022 GMT
Not After : Jun 7 06:34:08 2023 GMT
Subject: C = , ST = , L = , O = , OU = , CN =
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:e7:5b:70:8e:75:57:d0:5b:85:fb:c9:2b:a1:f4:
2b:be:11:7a:4e:24:f0:39:62:36:05:83:b8:bc:ad:
f3:ac:89:b2:e0:4c:a1:a6:e3:09:2f:ce:bf:fc:49:
ae:5e:62:64:b7:a3:a6:77:76:2b:2a:42:95:66:48:
8d:e3:3c:99:57
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Subject Key Identifier:
5A:33:54:1A:AC:D4:77:11:57:03:17:0E:20:0E:C9:C8:96:EC:13:AD
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:44:02:20:7a:93:1f:29:35:11:aa:d9:21:ff:82:f8:93:17:
a2:e9:f7:3d:ef:6a:2d:86:31:ba:d8:90:2c:6f:26:75:63:02:
02:20:3d:8c:6b:e9:76:d2:f5:72:5a:d0:9b:45:ce:c9:94:76:
b0:a1:88:3c:39:f5:df:43:12:31:b9:42:95:c3:88:06
(I'm not sure if 41.0.0 is complaining because the Issuer and Subject information is blank)