bpo-46232: Fix parsing of certs with bit string in DN (GH-30351)

(cherry picked from commit be095f6c32) Co-authored-by: Christian Heimes <christian@python.org>
2025-08-03 00:23:06 +00:00 · 2022-02-21 01:37:26 -08:00 · 2022-02-21 01:37:26 -08:00 · 633d0f90f9
commit 633d0f90f9
parent 95d6271f19
2 changed files with 21 additions and 7 deletions
--- a/Misc/NEWS.d/next/Library/2022-01-03-09-46-44.bpo-46232.s0KlyI.rst
+++ b/Misc/NEWS.d/next/Library/2022-01-03-09-46-44.bpo-46232.s0KlyI.rst
@ -0,0 +1,2 @@
+The :mod:`ssl` module now handles certificates with bit strings in DN
+correctly.
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@ -1053,17 +1053,29 @@ _create_tuple_for_attribute(_sslmodulestate *state,
                            ASN1_OBJECT *name, ASN1_STRING *value)
 {
    Py_ssize_t buflen;
-    unsigned char *valuebuf = NULL;
-    PyObject *attr;
+    PyObject *pyattr;
+    PyObject *pyname = _asn1obj2py(state, name, 0);

-    buflen = ASN1_STRING_to_UTF8(&valuebuf, value);
-    if (buflen < 0) {
+    if (pyname == NULL) {
        _setSSLError(state, NULL, 0, __FILE__, __LINE__);
        return NULL;
    }
-    attr = Py_BuildValue("Ns#", _asn1obj2py(state, name, 0), valuebuf, buflen);
-    OPENSSL_free(valuebuf);
-    return attr;
+
+    if (ASN1_STRING_type(value) == V_ASN1_BIT_STRING) {
+        buflen = ASN1_STRING_length(value);
+        pyattr = Py_BuildValue("Ny#", pyname, ASN1_STRING_get0_data(value), buflen);
+    } else {
+        unsigned char *valuebuf = NULL;
+        buflen = ASN1_STRING_to_UTF8(&valuebuf, value);
+        if (buflen < 0) {
+            _setSSLError(state, NULL, 0, __FILE__, __LINE__);
+            Py_DECREF(pyname);
+            return NULL;
+        }
+        pyattr = Py_BuildValue("Ns#", pyname, valuebuf, buflen);
+        OPENSSL_free(valuebuf);
+    }
+    return pyattr;
 }

 static PyObject *