add test that fails if CRL references aren't properly retained
If the X509_CRL reference is not properly retained then this
test will return an openssl error or potentially a crash as it's
reading freed memory to obtain the revocation_date and serial_number
diff --git a/tests/test_x509.py b/tests/test_x509.py
index ae2746e..034e560 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -6,6 +6,7 @@
import binascii
import datetime
+import gc
import ipaddress
import os
@@ -173,6 +174,24 @@
# Check that len() works for CRLs.
assert len(crl) == 12
+ def test_revoked_cert_retrieval_retain_only_revoked(self, backend):
+ """
+ This test attempts to trigger the crash condition described in
+ https://github.com/pyca/cryptography/issues/2557
+ """
+ crl = _load_cert(
+ os.path.join("x509", "custom", "crl_all_reasons.pem"),
+ x509.load_pem_x509_crl,
+ backend
+ )
+ revoked = crl[11]
+ crl = "overwritten"
+ # force a gc collection to potentially X509_CRL_free if there are
+ # no references to the X509_CRL left.
+ gc.collect()
+ assert revoked.revocation_date == datetime.datetime(2015, 1, 1, 0, 0)
+ assert revoked.serial_number == 11
+
def test_extensions(self, backend):
crl = _load_cert(
os.path.join("x509", "custom", "crl_ian_aia_aki.pem"),