work around openssl 3.1.0 bug and bump for 23.1.1 (#1204)

* work around openssl 3.1.0 bug and bump for 23.1.1 * remove a CI job that can't succeed cryptographyMain does not support 3.6
pyca · Mar 28, 2023 · 12bc43b · 12bc43b
1 parent 240ae6f
commit 12bc43b
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 4 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -20,7 +20,6 @@ jobs:
           - {VERSION: "pypy-3.9", TOXENV: "pypy3"}
           - {VERSION: "3.11", TOXENV: "py311-useWheel", OS: "windows-2022" }
           # -cryptographyMain
-          - {VERSION: "3.6", TOXENV: "py36-cryptographyMain", OS: "ubuntu-20.04"}
           - {VERSION: "3.7", TOXENV: "py37-cryptographyMain"}
           - {VERSION: "3.8", TOXENV: "py38-cryptographyMain"}
           - {VERSION: "3.9", TOXENV: "py39-cryptographyMain"}

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -4,6 +4,21 @@ Changelog
 Versions are year-based with a strict backward-compatibility policy.
 The third digit is only for regressions.
 
+23.1.1 (2023-03-28)
+-------------------
+
+Backward-incompatible changes:
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Deprecations:
+^^^^^^^^^^^^^
+
+Changes:
+^^^^^^^^
+
+- Worked around an issue in OpenSSL 3.1.0 which caused `X509Extension.get_short_name` to raise an exception when no short name was known to OpenSSL.
+  `#1204 <https://github.com/pyca/pyopenssl/pull/1204>`_.
+
 23.1.0 (2023-03-24)
 -------------------
 
@@ -44,7 +59,7 @@ Backward-incompatible changes:
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 - Remove support for SSLv2 and SSLv3.
-- The minimum ``cryptography`` version is now 38.0.x (and we now pin releases 
+- The minimum ``cryptography`` version is now 38.0.x (and we now pin releases
   against ``cryptography`` major versions to prevent future breakage)
 - The ``OpenSSL.crypto.X509StoreContextError`` exception has been refactored,
   changing its internal attributes.

diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py
@@ -904,7 +904,14 @@ def get_short_name(self) -> bytes:
         """
         obj = _lib.X509_EXTENSION_get_object(self._extension)
         nid = _lib.OBJ_obj2nid(obj)
-        return _ffi.string(_lib.OBJ_nid2sn(nid))
+        # OpenSSL 3.1.0 has a bug where nid2sn returns NULL for NIDs that
+        # previously returned UNDEF. This is a workaround for that issue.
+        # https://github.com/openssl/openssl/commit/908ba3ed9adbb3df90f76
+        buf = _lib.OBJ_nid2sn(nid)
+        if buf != _ffi.NULL:
+            return _ffi.string(buf)
+        else:
+            return b"UNDEF"
 
     def get_data(self) -> bytes:
         """

diff --git a/src/OpenSSL/version.py b/src/OpenSSL/version.py
@@ -17,7 +17,7 @@
     "__version__",
 ]
 
-__version__ = "23.1.0"
+__version__ = "23.1.1"
 
 __title__ = "pyOpenSSL"
 __uri__ = "https://pyopenssl.org/"

diff --git a/tests/test_crypto.py b/tests/test_crypto.py
@@ -1681,6 +1681,14 @@ def test_get_extensions(self):
         exts = request.get_extensions()
         assert len(exts) == 2
 
+    def test_undef_oid(self):
+        assert (
+            X509Extension(
+                b"1.2.3.4.5.6.7", False, b"DER:05:00"
+            ).get_short_name()
+            == b"UNDEF"
+        )
+
     def test_add_extensions_wrong_args(self):
         """
         `X509Req.add_extensions` raises `TypeError` if called with a