raise ValueError if > 2 byte value for NameAttribute with CN OID
diff --git a/src/cryptography/x509/name.py b/src/cryptography/x509/name.py
index 9d93ece..c7f6f99 100644
--- a/src/cryptography/x509/name.py
+++ b/src/cryptography/x509/name.py
@@ -7,7 +7,7 @@
 import six
 
 from cryptography import utils
-from cryptography.x509.oid import ObjectIdentifier
+from cryptography.x509.oid import NameOID, ObjectIdentifier
 
 
 class NameAttribute(object):
@@ -22,6 +22,11 @@
                 "value argument must be a text type."
             )
 
+        if oid == NameOID.COUNTRY_NAME and len(value.encode("ascii")) != 2:
+            raise ValueError(
+                "Country name must be a 2 character country code"
+            )
+
         self._oid = oid
         self._value = value
 
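Review bot: A non-ASCII country value never reaches the length comparison in the added check, because `value.encode("ascii")` raises UnicodeEncodeError first; callers still see a ValueError only because UnicodeEncodeError subclasses it, and the message is the codec's rather than "Country name must be a 2 character country code". Either record that in a comment above the check, `# non-ASCII input raises UnicodeEncodeError (a ValueError subclass) from encode()`, or catch the encoding error and re-raise with the explicit message. The test comment `# unicode string of length 2, but > 2 bytes` in tests/test_x509.py describes a byte-length comparison that this encoding does not perform. The check also accepts any two ASCII characters, digits and spaces included, so it should not be read as validating that the value is a real country code. The enclosing `__init__` starts and ends outside the hunk.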
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 6145edb..9054c4e 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -3327,6 +3327,20 @@
                 b'bytes'
             )
 
+    def test_init_bad_country_code_value(self):
+        with pytest.raises(ValueError):
+            x509.NameAttribute(
+                NameOID.COUNTRY_NAME,
+                u'United States'
+            )
+
+        # unicode string of length 2, but > 2 bytes
+        with pytest.raises(ValueError):
+            x509.NameAttribute(
+                NameOID.COUNTRY_NAME,
+                u'\U0001F37A\U0001F37A'
+            )
+
     def test_eq(self):
         assert x509.NameAttribute(
             x509.ObjectIdentifier('2.999.1'), u'value'
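Review bot: The boundary cases of the length check are not exercised by test_init_bad_country_code_value, which only covers a value that is too long and one that is non-ASCII. Add a one-character value and an empty string to the rejected cases, e.g. `x509.NameAttribute(NameOID.COUNTRY_NAME, u'U')` inside `pytest.raises(ValueError)`. Unless another test in the file already does so, also assert that a valid code such as `u'US'` is accepted, so the test fails if the check ever rejects conforming input. test_eq continues past the end of the hunk.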