When failing to parse SANs or IANs, include which it was that failed (#11785)

Author: alex

docs/development/test-vectors.rst

@@ -544,6 +544,8 @@ Custom X.509 Vectors
   This is an invalid certificate per CA/B 7.1.2.7.6.
 * ``empty-eku.pem`` - A leaf certificate containing an empty EKU extension.
   This is an invalid certificate per :rfc:`5280` 4.2.1.12.
+* ``malformed-san.pem`` - A certificate with a malformed SAN.
+* ``malformed-ian.pem`` - A certificate with a malformed IAN.
 
 Custom X.509 Request Vectors
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

src/rust/src/x509/certificate.rs

@@ -737,14 +737,18 @@ pub fn parse_cert_ext<'p>(
 ) -> CryptographyResult<Option<pyo3::Bound<'p, pyo3::PyAny>>> {
     match ext.extn_id {
         oid::SUBJECT_ALTERNATIVE_NAME_OID => {
-            let gn_seq = ext.value::<SubjectAlternativeName<'_>>()?;
+            let gn_seq = ext.value::<SubjectAlternativeName<'_>>().map_err(|e| {
+                e.add_location(asn1::ParseLocation::Field("subject_alternative_name"))
+            })?;
             let sans = x509::parse_general_names(py, &gn_seq)?;
             Ok(Some(
                 types::SUBJECT_ALTERNATIVE_NAME.get(py)?.call1((sans,))?,
             ))
         }
         oid::ISSUER_ALTERNATIVE_NAME_OID => {
-            let gn_seq = ext.value::<IssuerAlternativeName<'_>>()?;
+            let gn_seq = ext.value::<IssuerAlternativeName<'_>>().map_err(|e| {
+                e.add_location(asn1::ParseLocation::Field("issuer_alternative_name"))
+            })?;
             let ians = x509::parse_general_names(py, &gn_seq)?;
             Ok(Some(
                 types::ISSUER_ALTERNATIVE_NAME.get(py)?.call1((ians,))?,

tests/x509/test_x509_ext.py

@@ -2324,6 +2324,14 @@ def test_uri(self, backend):
             x509.UniformResourceIdentifier("http://path.to.root/root.crt"),
         ]
 
+    def test_malformed(self):
+        cert = _load_cert(
+            os.path.join("x509", "custom", "malformed-ian.pem"),
+            x509.load_pem_x509_certificate,
+        )
+        with pytest.raises(ValueError, match="issuer_alternative_name"):
+            cert.extensions
+
 
 class TestCRLNumber:
     def test_eq(self):
@@ -2709,6 +2717,14 @@ def test_certbuilder(self, rsa_key_2048: rsa.RSAPrivateKey, backend):
         ]
         assert result == sans
 
+    def test_malformed(self):
+        cert = _load_cert(
+            os.path.join("x509", "custom", "malformed-san.pem"),
+            x509.load_pem_x509_certificate,
+        )
+        with pytest.raises(ValueError, match="subject_alternative_name"):
+            cert.extensions
+
 
 class TestExtendedKeyUsageExtension:
     def test_eku(self, backend):

vectors/cryptography_vectors/x509/custom/malformed-ian.pem

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBlDCB/qADAgECAgo/X5syqzQbiVZiMA0GCSqGSIb3DQEBBQUAMAAwHhcNMTIw
+OTI3MTEyNDQzWhcNMTcwOTI3MTEyNDQzWjAAMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQDEyUkICYplDtDRdLjZV0nF5oK5tBjoXWPxnfx6Msg5Ywvxjh4jq8Jf
+FRwn9oLYpFmnhPYaVNWO7fykCrYz8O6mMtYInUbodvIPniZXjoTlYOPUmLj/XcU0
+iGhUmdo8yquPoe7TC9DDeSfaAwoLMDZjJoQjlBuRk+qTmfySJCNZrQIDAQABoxYw
+FDASBgNVHRIECzAJoAcGA1UEAwwAMA0GCSqGSIb3DQEBBQUAA4GBAD5jUyH8eLrZ
+tJtEJIVH/cvjtATXWwUnPX5NUGrgIBFwKx1f4csOFe6MIhA7j0VwSJ/iOd4xszLA
+r8/2ijoBc+cPbThPSHLdOvOrGJsdrywOUYzGHRh/zoMEnT/FN9p7YbYnQIwFGqx1
+HUFnXljOXCezE5ytzEcpQ/43EvT4u74O
+-----END CERTIFICATE-----

vectors/cryptography_vectors/x509/custom/malformed-san.pem

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBlDCB/qADAgECAgo/X5syqzQbiVZiMA0GCSqGSIb3DQEBBQUAMAAwHhcNMTIw
+OTI3MTEyNDQzWhcNMTcwOTI3MTEyNDQzWjAAMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQDEyUkICYplDtDRdLjZV0nF5oK5tBjoXWPxnfx6Msg5Ywvxjh4jq8Jf
+FRwn9oLYpFmnhPYaVNWO7fykCrYz8O6mMtYInUbodvIPniZXjoTlYOPUmLj/XcU0
+iGhUmdo8yquPoe7TC9DDeSfaAwoLMDZjJoQjlBuRk+qTmfySJCNZrQIDAQABoxYw
+FDASBgNVHREECzAJoAcGA1UEAwwAMA0GCSqGSIb3DQEBBQUAA4GBAD5jUyH8eLrZ
+tJtEJIVH/cvjtATXWwUnPX5NUGrgIBFwKx1f4csOFe6MIhA7j0VwSJ/iOd4xszLA
+r8/2ijoBc+cPbThPSHLdOvOrGJsdrywOUYzGHRh/zoMEnT/FN9p7YbYnQIwFGqx1
+HUFnXljOXCezE5ytzEcpQ/43EvT4u74O
+-----END CERTIFICATE-----