Merge pull request #394 from inikolcev/bad-certificate-parsing

tomato42 · web-flow · commit 09f55888603c · 2020-02-17T17:22:12.000+01:00
If parsing of the certificate fails throw BadCertificate error
diff --git a/tlslite/messages.py b/tlslite/messages.py
@@ -1170,8 +1170,13 @@ def _parse_tls12(self, p):
             certificate_list = []
             while index != chainLength:
                 certBytes = p.getVarBytes(3)
+                if not certBytes:
+                    raise DecodeError("Client certificate is empty")
                 x509 = X509()
-                x509.parseBinary(certBytes)
+                try:
+                    x509.parseBinary(certBytes)
+                except SyntaxError:
+                    raise BadCertificateError("Certificate could not be parsed")
                 certificate_list.append(x509)
                 index += len(certBytes)+3
             if certificate_list:
diff --git a/tlslite/tlsrecordlayer.py b/tlslite/tlsrecordlayer.py
@@ -17,7 +17,7 @@
 
 from .utils.compat import *
 from .utils.cryptomath import *
-from .utils.codec import Parser
+from .utils.codec import Parser, BadCertificateError
 from .utils.lists import to_str_delimiter, getFirstMatching
 from .errors import *
 from .messages import *
@@ -1201,9 +1201,13 @@ def _getMsg(self, expectedType, secondaryType=None, constructorType=None):
                     raise AssertionError()
 
         #If an exception was raised by a Parser or Message instance:
+        except BadCertificateError as e:
+            for result in self._sendError(AlertDescription.bad_certificate,
+                                          formatExceptionTrace(e)):
+                yield result
         except SyntaxError as e:
             for result in self._sendError(AlertDescription.decode_error,
-                                         formatExceptionTrace(e)):
+                                          formatExceptionTrace(e)):
                 yield result
 
     #Returns next record or next handshake message
diff --git a/tlslite/utils/codec.py b/tlslite/utils/codec.py
@@ -15,6 +15,11 @@ class DecodeError(SyntaxError):
     pass
 
 
+class BadCertificateError(SyntaxError):
+    """Exception raised in case of bad certificate."""
+    pass
+
+
 class Writer(object):
     """Serialisation helper for complex byte-based structures."""
 
