diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 4aa25566d32b..9f3d59d7ceaf 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1,6 +1,17 @@ Changelog ========= +.. _v41-0-8: + +41.0.8 - 2024-02-07 +~~~~~~~~~~~~~~~~~~~ + +* **BACKWARDS INCOMPATIBLE:** Loading a PKCS7 with no content field using + :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates` + or + :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates` + will now raise a ``ValueError`` rather than return an empty list. + .. _v41-0-7: 41.0.7 - 2023-11-27 diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index f1c79008b689..3e8b8aa6bd80 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -1890,12 +1890,15 @@ def _load_pkcs7_certificates(self, p7) -> typing.List[x509.Certificate]: _Reasons.UNSUPPORTED_SERIALIZATION, ) - certs: list[x509.Certificate] = [] if p7.d.sign == self._ffi.NULL: - return certs + raise ValueError( + "The provided PKCS7 has no certificate data, but a cert " + "loading method was called." + ) sk_x509 = p7.d.sign.cert num = self._lib.sk_X509_num(sk_x509) + certs: list[x509.Certificate] = [] for i in range(num): x509 = self._lib.sk_X509_value(sk_x509, i) self.openssl_assert(x509 != self._ffi.NULL) diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index f6ad64151cb3..bc006dae3c59 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py @@ -92,8 +92,8 @@ def test_load_pkcs7_unsupported_type(self, backend): def test_load_pkcs7_empty_certificates(self, backend): der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02" - certificates = pkcs7.load_der_pkcs7_certificates(der) - assert certificates == [] + with pytest.raises(ValueError): + pkcs7.load_der_pkcs7_certificates(der) # We have no public verification API and won't be adding one until we get