raise an exception instead of returning an empty list for pkcs7 cert loading

backport-raise-an-exception-instead-of-returning-an-empty-list-for-pkcs7-cert-loading.patch

@@ -0,0 +1,70 @@
+From 6e9dc67ed5d8151d5b7604ad1a97b57cd367e028 Mon Sep 17 00:00:00 2001
+From: Paul Kehrer <paul.l.kehrer@gmail.com>
+Date: Sun, 5 Nov 2023 19:36:55 +0800
+Subject: [PATCH] raise an exception instead of returning an empty list for
+ pkcs7 cert loading (#9947)
+
+* raise an exception instead of returning an empty list
+
+as davidben points out in #9926 we are calling a specific load
+certificates function and an empty value doesn't necessarily mean empty
+because PKCS7 contains multitudes. erroring is more correct.
+
+* changelog
+
+* Update CHANGELOG.rst
+
+Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
+
+---------
+
+Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
+---
+ src/cryptography/hazmat/backends/openssl/backend.py | 7 +++++--
+ tests/hazmat/primitives/test_pkcs7.py               | 6 +++---
+ 2 files changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
+index 58e7207..d42220f 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
++++ b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -2383,12 +2383,15 @@ class Backend:
+                 _Reasons.UNSUPPORTED_SERIALIZATION,
+             )
+ 
+-        certs: list[x509.Certificate] = []
+         if p7.d.sign == self._ffi.NULL:
+-            return certs
++            raise ValueError(
++                "The provided PKCS7 has no certificate data, but a cert "
++                "loading method was called."
++            )
+ 
+         sk_x509 = p7.d.sign.cert
+         num = self._lib.sk_X509_num(sk_x509)
++        certs: list[x509.Certificate] = []
+         for i in range(num):
+             x509 = self._lib.sk_X509_value(sk_x509, i)
+             self.openssl_assert(x509 != self._ffi.NULL)
+diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
+index d8170bf..44c1d8d 100644
+--- a/tests/hazmat/primitives/test_pkcs7.py
++++ b/tests/hazmat/primitives/test_pkcs7.py
+@@ -89,11 +89,11 @@ class TestPKCS7Loading:
+                 mode="rb",
+             )
+ 
+-    def test_load_pkcs7_empty_certificates(self, backend):
++    def test_load_pkcs7_empty_certificates(self):
+         der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
+ 
+-        certificates = pkcs7.load_der_pkcs7_certificates(der)
+-        assert certificates == []
++        with pytest.raises(ValueError):
++            pkcs7.load_der_pkcs7_certificates(der)
+ 
+ 
+ # We have no public verification API and won't be adding one until we get
+-- 
+2.33.0
+

python-cryptography.spec

@@ -1,7 +1,7 @@
 %global pypi_name cryptography
 Name:           python-%{pypi_name}
 Version:        40.0.2
-Release:        3
+Release:        4
 Summary:        PyCA's cryptography library
 License:        ASL 2.0 or BSD
 URL:            https://cryptography.io/en/latest/  
@@ -10,7 +10,9 @@ Source1:        cargo-vendor-cache.tar.gz
 
 Patch6002:      backport-provide-openssl-apis-related-to-SM-for-python.patch
 Patch6003:      backport-CVE-2023-38325.patch
+# CVE-2023-49083
 Patch6004:      backport-Fixed-crash-when-loading-a-PKCS-7-bundle-with-no-certificates.patch
+Patch6005:      backport-raise-an-exception-instead-of-returning-an-empty-list-for-pkcs7-cert-loading.patch
 
 BuildRequires:  openssl-devel cargo
 BuildRequires:  gcc
@@ -87,6 +89,9 @@ EOF
 %doc README.rst docs
 
 %changelog
+* Sat Dec 2 2023 liningjie <liningjie@xfusion.com> - 40.0.2-4
+- raise an exception instead of returning an empty list for pkcs7 cert loading
+
 * Wed Nov 29 2023 liningjie <liningjie@xfusion.com> - 40.0.2-3
 - Fixed crash when loading a PKCS#7 bundle with no certificates