Enlarge _oid2txt buffer to handle larger OIDs (#3612)
The OpenSSL manual recommends a buffer size of 80 for OBJ_obj2txt:
https://www.openssl.org/docs/crypto/OBJ_nid2ln.html#return_values.
But OIDs longer than this occur in real life (e.g. Active Directory
makes some very long OIDs). If the length of the stringified OID
exceeds the buffer size, allocate a new buffer that is big enough to
hold the stringified OID, and re-do the conversion into the new
buffer.
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index eaf5a51..b89abdd 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -409,6 +409,7 @@
assert pi != object()
+@pytest.mark.requires_backend_interface(interface=X509Backend)
class TestCertificatePolicies(object):
def test_invalid_policies(self):
pq = [u"string"]
@@ -481,6 +482,26 @@
assert cp[-1] == cp[4]
assert cp[2:6:2] == [cp[2], cp[4]]
+ def test_long_oid(self, backend):
+ """
+ Test that parsing a CertificatePolicies ext with
+ a very long OID succeeds.
+ """
+ cert = _load_cert(
+ os.path.join("x509", "bigoid.pem"),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ ext = cert.extensions.get_extension_for_class(
+ x509.CertificatePolicies)
+
+ oid = x509.ObjectIdentifier(
+ "1.3.6.1.4.1.311.21.8.8950086.10656446.2706058"
+ ".12775672.480128.147.13466065.13029902"
+ )
+
+ assert ext.value[0].policy_identifier == oid
+
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
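Review bot: test_long_oid pins a single OID whose dotted form is 83 characters, so it exercises the grow path but not the boundary where the string is exactly 79 or 80 characters and the NUL terminator decides whether the first conversion is truncated. A silently truncated policy OID could be read as a different, shorter identifier, so that edge deserves its own case. The backend change is not visible on this page, so I cannot check here whether the length comparison accounts for the terminator; a second fixture at the boundary, or a direct test of the conversion helper, would settle it. I would also add a comment above the literal, e.g. `# 83 characters: longer than the 80-byte buffer the OpenSSL manual suggests`, so the reason for this particular value survives later edits. The enclosing class TestCertificatePolicies starts outside this hunk.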