Backport tlv fix, 38.0.1 bump (#7576)

reaperhulk · web-flow · commit 3ff52182ba6e · 2022-09-07T08:19:50.000-04:00
* fix parsing for CRLs with TLVs > 65535 bytes (#7575) * add CRL test vector with 9,999 revoked items * bump rust-asn1 * add large CRL test this tests CRLs larger than 65535 bytes in size. rust-asn1 supports up to 4GiB TLVs now, but we'll avoid putting a test vector that big for now * changelog and 38.0.1 bump
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -1,6 +1,14 @@
 Changelog
 =========
 
+.. _v38-0-1:
+
+38.0.0 - 2022-09-07
+~~~~~~~~~~~~~~~~~~~
+
+* Fixed parsing TLVs in ASN.1 with length greater than 65535 bytes (typically
+  seen in large CRLs).
+
 .. _v38-0-0:
 
 38.0.0 - 2022-09-06
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
@@ -597,6 +597,7 @@ Custom X.509 Certificate Revocation List Vectors
 * ``crl_no_next_time.pem`` - Contains a CRL with no ``nextUpdate`` value. The
   signature on this CRL is invalid.
 * ``crl_bad_version.pem`` - Contains a CRL with an invalid version.
+* ``crl_almost_10k.pem`` - Contains a CRL with 9,999 entries.
 
 X.509 OCSP Test Vectors
 ~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py
@@ -9,7 +9,7 @@
     "__copyright__",
 ]
 
-__version__ = "38.0.0"
+__version__ = "38.0.1"
 
 __author__ = "The Python Cryptographic Authority and individual contributors"
 __copyright__ = "Copyright 2013-2022 {}".format(__author__)
diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock
diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml
@@ -8,7 +8,7 @@ publish = false
 [dependencies]
 once_cell = "1"
 pyo3 = { version = "0.15.2" }
-asn1 = { version = "0.12.1", default-features = false, features = ["derive"] }
+asn1 = { version = "0.12.2", default-features = false, features = ["derive"] }
 pem = "1.1"
 chrono = { version = "0.4.22", default-features = false, features = ["alloc", "clock"] }
 ouroboros = "0.15"
diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
@@ -107,6 +107,14 @@ def test_load_der_crl(self, backend):
         assert fingerprint == b"dd3db63c50f4c4a13e090f14053227cb1011a5ad"
         assert isinstance(crl.signature_hash_algorithm, hashes.SHA256)
 
+    def test_load_large_crl(self, backend):
+        crl = _load_cert(
+            os.path.join("x509", "custom", "crl_almost_10k.pem"),
+            x509.load_pem_x509_crl,
+            backend,
+        )
+        assert len(crl) == 9999
+
     def test_empty_crl_no_sequence(self, backend):
         # The SEQUENCE for revoked certificates is optional so let's
         # test that we handle it properly.
diff --git a/vectors/cryptography_vectors/__about__.py b/vectors/cryptography_vectors/__about__.py
@@ -6,4 +6,4 @@
     "__version__",
 ]
 
-__version__ = "38.0.0"
+__version__ = "38.0.1"
diff --git a/vectors/cryptography_vectors/x509/custom/crl_almost_10k.pem b/vectors/cryptography_vectors/x509/custom/crl_almost_10k.pem

Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@`
`9`	`9`	`"__copyright__",`
`10`	`10`	`]`
`11`	`11`
`12`		`-__version__ = "38.0.0"`
	`12`	`+__version__ = "38.0.1"`
`13`	`13`
`14`	`14`	`__author__ = "The Python Cryptographic Authority and individual contributors"`
`15`	`15`	`__copyright__ = "Copyright 2013-2022 {}".format(__author__)`
Original file line number	Diff line number	Diff line change
`@@ -6,4 +6,4 @@`
`6`	`6`	`"__version__",`
`7`	`7`	`]`
`8`	`8`
`9`		`-__version__ = "38.0.0"`
	`9`	`+__version__ = "38.0.1"`