Reject invalid versions in X509Req.set_version (#1208)

alex · reaperhulk · web-flow · commit f4f77cc4f76e · 2023-04-01T05:46:53.000+09:00
* Reject invalid versions in X509Req.set_version

* Update CHANGELOG.rst

Co-authored-by: Paul Kehrer &lt;paul.l.kehrer@gmail.com&gt;

---------

Co-authored-by: Paul Kehrer &lt;paul.l.kehrer@gmail.com&gt;
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -16,6 +16,8 @@ Deprecations:
 Changes:
 ^^^^^^^^
 
+- Invalid versions are now rejected in ``OpenSSL.crypto.X509Req.set_version``.
+
 23.1.1 (2023-03-28)
 -------------------
 
diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py
@@ -1010,6 +1010,12 @@ def set_version(self, version: int) -> None:
         :param int version: The version number.
         :return: ``None``
         """
+        if not isinstance(version, int):
+            raise TypeError("version must be an int")
+        if version != 0:
+            raise ValueError(
+                "Invalid version. The only valid version for X509Req is 0."
+            )
         set_result = _lib.X509_REQ_set_version(self._req, version)
         _openssl_assert(set_result == 1)
 
diff --git a/tests/test_crypto.py b/tests/test_crypto.py
@@ -1601,20 +1601,12 @@ def test_version(self):
         """
         `X509Req.set_version` sets the X.509 version of the certificate
         request. `X509Req.get_version` returns the X.509 version of the
-        certificate request. The only defined version is 0. Others may or
-        may not be supported depending on backend.
+        certificate request. The only defined version is 0.
         """
         request = X509Req()
         assert request.get_version() == 0
         request.set_version(0)
         assert request.get_version() == 0
-        try:
-            request.set_version(1)
-            assert request.get_version() == 1
-            request.set_version(3)
-            assert request.get_version() == 3
-        except Error:
-            pass
 
     def test_version_wrong_args(self):
         """
@@ -1624,6 +1616,8 @@ def test_version_wrong_args(self):
         request = X509Req()
         with pytest.raises(TypeError):
             request.set_version("foo")
+        with pytest.raises(ValueError):
+            request.set_version(2)
 
     def test_get_subject(self):
         """
