Closed
Description
serialize_key_and_certificates exits the main thread with -1073741819 (0xC0000005) when called with a private key not belonging to the certificate.
Versions:
- Python: 3.10.11
- Pip: 24.0
- cryptography: 42.0.3
- OS: Windows 11
cryptography was installed via pip: `pip install cryptography`
Minimal steps to reproduce:

```python
def min_example():
    from datetime import datetime, timedelta

    from cryptography import x509
    from cryptography.x509.oid import NameOID
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import rsa
    # PrivateFormat is exported from the public serialization module;
    # cryptography.hazmat.primitives._serialization is private.
    from cryptography.hazmat.primitives.serialization import PrivateFormat, pkcs12

    # Key that the certificate is actually issued for.
    private_key = rsa.generate_private_key(
        public_exponent=65537,
        key_size=2048,
    )
    name = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, "COMMON_NAME"),
    ])
    basic_constraints = x509.BasicConstraints(ca=True, path_length=0)
    now = datetime.utcnow()
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(private_key.public_key())
        .serial_number(1000)
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=10 * 365))
        .add_extension(basic_constraints, critical=False)
        .sign(private_key, hashes.SHA256())
    )

    # A second, unrelated key: its public half does not match the certificate.
    false_private_key = rsa.generate_private_key(
        public_exponent=65537,
        key_size=2048,
    )
    encryption = (
        PrivateFormat.PKCS12.encryption_builder()
        .kdf_rounds(50000)
        .key_cert_algorithm(pkcs12.PBES.PBESv1SHA1And3KeyTripleDESCBC)
        .hmac_hash(hashes.SHA1())
        .build("test12345678".encode())
    )

    # Program exits with -1073741819 (0xC0000005). This "Access Violation"
    # error is not catchable with try/except.
    p12 = pkcs12.serialize_key_and_certificates(
        name="common_name".encode(),
        key=false_private_key,
        cert=cert,
        cas=None,
        encryption_algorithm=encryption,
    )
    return p12


if __name__ == "__main__":
    min_example()
```
I am working with a user-maintained database of certs and cannot know if the certs and private keys have been stored correctly. I would like to have a descriptive exception that is catchable by Python.
For now I'm building the cert first with the Python OpenSSL lib, which returns me the wrong kind of .pfx but throws catchable errors, and if no error occurs I build the .pfx file with the cryptography lib. A suboptimal process, but it works for now.
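The check a caller can do before handing a key/certificate pair to `serialize_key_and_certificates`, as an added example that is not part of the issue and not code from pyca/cryptography: compare the DER-encoded SubjectPublicKeyInfo of the private key's public half with that of the certificate, and raise a normal `ValueError` on mismatch. The helper names `key_matches_cert`, `safe_serialize_pkcs12`, `make_self_signed` and `demo` are assumptions of this example. Comparing the SPKI encoding rather than `RSAPublicNumbers` makes the guard work for EC and Ed25519 keys too, not only the RSA case from the report.

```python
"""Caller-side guard for pkcs12.serialize_key_and_certificates.

Added example for this issue, not code from pyca/cryptography. A mismatched
key/certificate pair is rejected with a catchable ValueError before the pair
reaches the native PKCS#12 serializer.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def _spki_der(public_key) -> bytes:
    """Canonical DER SubjectPublicKeyInfo encoding of any supported public key."""
    return public_key.public_bytes(
        serialization.Encoding.DER,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )


def key_matches_cert(key, cert: x509.Certificate) -> bool:
    """True iff the private key's public half equals the certificate's public key."""
    return _spki_der(key.public_key()) == _spki_der(cert.public_key())


def safe_serialize_pkcs12(name, key, cert, cas=None, encryption_algorithm=None) -> bytes:
    """serialize_key_and_certificates with a descriptive, catchable error.

    Hypothetical wrapper: same positional arguments as the library call;
    defaults to an unencrypted PKCS#12 when no encryption algorithm is given.
    """
    if key is not None and cert is not None and not key_matches_cert(key, cert):
        raise ValueError(
            "private key does not match certificate public key "
            f"(cert subject: {cert.subject.rfc4514_string()})"
        )
    if encryption_algorithm is None:
        encryption_algorithm = serialization.NoEncryption()
    return pkcs12.serialize_key_and_certificates(name, key, cert, cas, encryption_algorithm)


def make_self_signed(key, common_name: str) -> x509.Certificate:
    """Constructed fixture: minimal self-signed certificate for `key`."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .sign(key, hashes.SHA256())
    )


def demo():
    """Run the guard on a matching and a mismatched pair.

    Returns (pkcs12_bytes_for_matching_pair, True if mismatch raised ValueError).
    """
    right_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    wrong_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = make_self_signed(right_key, "example")

    p12 = safe_serialize_pkcs12(b"example", right_key, cert)

    try:
        safe_serialize_pkcs12(b"example", wrong_key, cert)
        mismatch_caught = False
    except ValueError:
        mismatch_caught = True
    return p12, mismatch_caught


if __name__ == "__main__":
    data, caught = demo()
    print(f"matching pair serialized: {len(data)} bytes; mismatch caught: {caught}")
```

The guard is cheap (two DER encodings and a byte comparison) and catches the exact condition from the report, so it can sit in front of every PKCS#12 export from an untrusted or user-maintained store regardless of which library version eventually handles the mismatch itself.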