fixes #11944 -- don't panic on attributes with no values (#11947)

alex · web-flow · commit 8209d63ae70a · 2024-11-14T14:16:43.000-08:00
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
@@ -612,6 +612,8 @@ Custom X.509 Request Vectors
   invalid.
 * ``long-form-attribute.pem`` - A certificate signing request containing an
   attribute whose value's tag is encoded in the long form.
+* ``zero-element-attribute.pem`` - A certificate signing request containing an
+  attribute whose value has zero elements.
 
 Custom X.509 Certificate Revocation List Vectors
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/src/rust/cryptography-x509/src/csr.rs b/src/rust/cryptography-x509/src/csr.rs
@@ -44,7 +44,7 @@ impl CertificationRequestInfo<'_> {
 pub fn check_attribute_length<'a>(
     values: asn1::SetOf<'a, asn1::Tlv<'a>>,
 ) -> Result<(), asn1::ParseError> {
-    if values.count() > 1 {
+    if values.count() != 1 {
         // TODO: We should raise a more specific error here
         // Only single-valued attributes are supported
         Err(asn1::ParseError::new(asn1::ParseErrorKind::InvalidValue))
diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
@@ -6825,6 +6825,14 @@ def test_no_attributes(self, backend):
         )
         assert len(request.attributes) == 0
 
+    def test_zero_element_attribute(self):
+        request = _load_cert(
+            os.path.join("x509", "requests", "zero-element-attribute.pem"),
+            x509.load_pem_x509_csr,
+        )
+        with pytest.raises(ValueError, match="Only single-valued"):
+            request.attributes
+
 
 def test_load_pem_x509_certificates():
     with pytest.raises(ValueError):
diff --git a/vectors/cryptography_vectors/x509/requests/zero-element-attribute.pem b/vectors/cryptography_vectors/x509/requests/zero-element-attribute.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICgDCCAWgCAQAwLDEQMA4GCSqGSIb3DQEJARYBLzEYMBYGA1UEAwwPbWl0ZWwu
+YmxvbmF5LmNoMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA765FwcoI
+JtKM566SSLXtz85h1ejx3G+efgG2OSiFIcZzPHQnuUPJ5ONL16VedcWi+8OB2Rbx
+KWLf8DH3YK9CAxYeMX/eAay4MCbl9AROiDVhyhHL1DU3pUH4MkVKdwPhZiW1b7gM
+W0DcY6iAuhLsftz5J/uyjGztfNRciErBZeNCh34fZcls4Iddkh0A6mz7KT4PmfNt
+Ywo6+5sG4G0TZPlmXM803soWqfWCX/8FnzXd9ch1oApLE9zfxOlvWM7YBwyGCzZd
+92PfX6D6sbMNmQxoZzT4LXeM4wZ11Jv9PHaGIDV/ub/1/7W0hYWnTHvvJRm9Tiyv
+5JCH9/VpGhjIGQIDAQABoA8wDQYJKoZIhvcNAQkOMQAwDQYJKoZIhvcNAQELBQAD
+ggEBAA9i4mqUrcakDp4YmjwQXaYQhSzxQZjk8xveHLRcyx4Cg8FAE5iUW8s1S+1f
+pODlPrsdmZzRq3o+ZEkZNTM63kaXjDQEzlihlQ2yAScKAV22934pLyrMLn3mo5lO
+oYgfSCHgYQE3YpNe8a2UFgWU5dhDbucCqbUO/AnBNTcBHpGHyvijbOBJn1cheLjZ
+I7jbylyJBjyRgDiG3QNsgc/Iw58ys3DNCTsG0ghAwOh1g1u0LnZJKll1IWuK/HHI
+D8d1ZsJic8ok8BkC/qGsrgQmoJpOP1Fu087svKcUbFT9T8UXzPigL1wEaxRPwkI8
+ECT4bDqrtBADIblEpqq4rNp4QoA=
+-----END CERTIFICATE REQUEST-----
