bpo-46232: Fix parsing of certs with bit string in DN (GH-30351)

Misc/NEWS.d/next/Library/2022-01-03-09-46-44.bpo-46232.s0KlyI.rst

@@ -0,0 +1,2 @@
+The :mod:`ssl` module now handles certificates with bit strings in DN
+correctly.

Modules/_ssl.c

@@ -1053,17 +1053,29 @@ _create_tuple_for_attribute(_sslmodulestate *state,
                             ASN1_OBJECT *name, ASN1_STRING *value)
 {
     Py_ssize_t buflen;
-    unsigned char *valuebuf = NULL;
+    PyObject *pyattr;
-    PyObject *attr;
+    PyObject *pyname = _asn1obj2py(state, name, 0);
 
-    buflen = ASN1_STRING_to_UTF8(&valuebuf, value);
+    if (pyname == NULL) {
-    if (buflen < 0) {
         _setSSLError(state, NULL, 0, __FILE__, __LINE__);
         return NULL;
     }
-    attr = Py_BuildValue("Ns#", _asn1obj2py(state, name, 0), valuebuf, buflen);
+
+    if (ASN1_STRING_type(value) == V_ASN1_BIT_STRING) {
+        buflen = ASN1_STRING_length(value);
+        pyattr = Py_BuildValue("Ny#", pyname, ASN1_STRING_get0_data(value), buflen);
+    } else {
+        unsigned char *valuebuf = NULL;
+        buflen = ASN1_STRING_to_UTF8(&valuebuf, value);
+        if (buflen < 0) {
+            _setSSLError(state, NULL, 0, __FILE__, __LINE__);
+            Py_DECREF(pyname);
+            return NULL;
+        }
+        pyattr = Py_BuildValue("Ns#", pyname, valuebuf, buflen);
         OPENSSL_free(valuebuf);
-    return attr;
+    }
+    return pyattr;
 }
 
 static PyObject *