diff options
author | Nick Bastin <nick.bastin@gmail.com> | 2015-12-19 10:43:13 -0800 |
---|---|---|
committer | Nick Bastin <nick.bastin@gmail.com> | 2015-12-19 10:43:13 -0800 |
commit | 4594773bdc8145aa599e18a2119948d061b50b13 (patch) | |
tree | cb1b58308edd44293751d97ccb71e33d1eb16e97 | |
parent | 06042de08fb9ff549b9c9cb7244e7f27ff57eece (diff) | |
parent | e3f46c6d228161957e0549bfa838ba8791c1bb36 (diff) | |
download | cryptography-4594773bdc8145aa599e18a2119948d061b50b13.tar.gz cryptography-4594773bdc8145aa599e18a2119948d061b50b13.tar.bz2 cryptography-4594773bdc8145aa599e18a2119948d061b50b13.zip |
Merge pull request #1 from pyca/master
Sync
-rw-r--r-- | docs/development/custom-vectors/secp256k1/verify_secp256k1.py | 4 | ||||
-rw-r--r-- | src/_cffi_src/openssl/ssl.py | 21 | ||||
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/backend.py | 4 | ||||
-rw-r--r-- | src/cryptography/hazmat/bindings/openssl/_conditional.py | 6 | ||||
-rw-r--r-- | src/cryptography/x509/base.py | 11 | ||||
-rw-r--r-- | src/cryptography/x509/oid.py | 29 | ||||
-rw-r--r-- | tests/hazmat/primitives/test_ec.py | 6 | ||||
-rw-r--r-- | tests/test_x509.py | 99 | ||||
-rw-r--r-- | tests/test_x509_ext.py | 31 |
9 files changed, 146 insertions, 65 deletions
diff --git a/docs/development/custom-vectors/secp256k1/verify_secp256k1.py b/docs/development/custom-vectors/secp256k1/verify_secp256k1.py index 3d2c25b9..b236d77f 100644 --- a/docs/development/custom-vectors/secp256k1/verify_secp256k1.py +++ b/docs/development/custom-vectors/secp256k1/verify_secp256k1.py @@ -6,7 +6,7 @@ from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.asymmetric import ec from cryptography.hazmat.primitives.asymmetric.utils import ( - encode_rfc6979_signature + encode_dss_signature ) from tests.utils import ( @@ -27,7 +27,7 @@ def verify_one_vector(vector): message = vector['message'] x = vector['x'] y = vector['y'] - signature = encode_rfc6979_signature(vector['r'], vector['s']) + signature = encode_dss_signature(vector['r'], vector['s']) numbers = ec.EllipticCurvePublicNumbers( x, y, diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py index 83a7386f..64e4e2f0 100644 --- a/src/_cffi_src/openssl/ssl.py +++ b/src/_cffi_src/openssl/ssl.py @@ -301,15 +301,6 @@ unsigned long SSL_CTX_add_extra_chain_cert(SSL_CTX *, X509 *); /* methods */ -/* SSLv2 support is compiled out of some versions of OpenSSL. These will - * get special support when we generate the bindings so that if they are - * available they will be wrapped, but if they are not they won't cause - * problems (like link errors). - */ -const SSL_METHOD *SSLv2_method(void); -const SSL_METHOD *SSLv2_server_method(void); -const SSL_METHOD *SSLv2_client_method(void); - /* * TLSv1_1 and TLSv1_2 are recent additions. Only sufficiently new versions of * OpenSSL support them. @@ -441,14 +432,12 @@ const long SSL_OP_LEGACY_SERVER_CONNECT = 0; #else static const long Cryptography_HAS_SECURE_RENEGOTIATION = 1; #endif -#ifdef OPENSSL_NO_SSL2 + +/* Cryptography now compiles out all SSLv2 bindings. This exists to allow + * clients that use it to check for SSLv2 support to keep functioning as + * expected. + */ static const long Cryptography_HAS_SSL2 = 0; -SSL_METHOD* (*SSLv2_method)(void) = NULL; -SSL_METHOD* (*SSLv2_client_method)(void) = NULL; -SSL_METHOD* (*SSLv2_server_method)(void) = NULL; -#else -static const long Cryptography_HAS_SSL2 = 1; -#endif #ifdef OPENSSL_NO_SSL3_METHOD static const long Cryptography_HAS_SSL3_METHOD = 0; diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 8d9e5e0e..768559cf 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -1372,7 +1372,7 @@ class Backend(object): # Set the subject's name. res = self._lib.X509_set_subject_name( - x509_cert, _encode_name(self, list(builder._subject_name)) + x509_cert, _encode_name_gc(self, list(builder._subject_name)) ) self.openssl_assert(res == 1) @@ -1423,7 +1423,7 @@ class Backend(object): # Set the issuer name. res = self._lib.X509_set_issuer_name( - x509_cert, _encode_name(self, list(builder._issuer_name)) + x509_cert, _encode_name_gc(self, list(builder._issuer_name)) ) self.openssl_assert(res == 1) diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index dad37436..206c2915 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -276,12 +276,6 @@ CONDITIONAL_NAMES = { "TLSv1_2_client_method", ], - "Cryptography_HAS_SSL2": [ - "SSLv2_method", - "SSLv2_client_method", - "SSLv2_server_method", - ], - "Cryptography_HAS_SSL3_METHOD": [ "SSLv3_method", "SSLv3_client_method", diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py index c56ca5ee..49761046 100644 --- a/src/cryptography/x509/base.py +++ b/src/cryptography/x509/base.py @@ -436,6 +436,11 @@ class CertificateBuilder(object): if time <= _UNIX_EPOCH: raise ValueError('The not valid before date must be after the unix' ' epoch (1970 January 1).') + if self._not_valid_after is not None and time > self._not_valid_after: + raise ValueError( + 'The not valid before date must be before the not valid after ' + 'date.' + ) return CertificateBuilder( self._issuer_name, self._subject_name, self._public_key, self._serial_number, time, @@ -453,6 +458,12 @@ class CertificateBuilder(object): if time <= _UNIX_EPOCH: raise ValueError('The not valid after date must be after the unix' ' epoch (1970 January 1).') + if (self._not_valid_before is not None and + time < self._not_valid_before): + raise ValueError( + 'The not valid after date must be after the not valid before ' + 'date.' + ) return CertificateBuilder( self._issuer_name, self._subject_name, self._public_key, self._serial_number, self._not_valid_before, diff --git a/src/cryptography/x509/oid.py b/src/cryptography/x509/oid.py index ead40169..27fab86b 100644 --- a/src/cryptography/x509/oid.py +++ b/src/cryptography/x509/oid.py @@ -12,6 +12,35 @@ class ObjectIdentifier(object): def __init__(self, dotted_string): self._dotted_string = dotted_string + nodes = self._dotted_string.split(".") + intnodes = [] + + # There must be at least 2 nodes, the first node must be 0..2, and + # if less than 2, the second node cannot have a value outside the + # range 0..39. All nodes must be integers. + for node in nodes: + try: + intnodes.append(int(node, 0)) + except ValueError: + raise ValueError( + "Malformed OID: %s (non-integer nodes)" % ( + self._dotted_string)) + + if len(nodes) < 2: + raise ValueError( + "Malformed OID: %s (insufficient number of nodes)" % ( + self._dotted_string)) + + if intnodes[0] > 2: + raise ValueError( + "Malformed OID: %s (first node outside valid range)" % ( + self._dotted_string)) + + if intnodes[0] < 2 and intnodes[1] >= 40: + raise ValueError( + "Malformed OID: %s (second node outside valid range)" % ( + self._dotted_string)) + def __eq__(self, other): if not isinstance(other, ObjectIdentifier): return NotImplemented diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index a0417fbd..86132678 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -19,7 +19,7 @@ from cryptography.hazmat.backends.interfaces import ( from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ec from cryptography.hazmat.primitives.asymmetric.utils import ( - encode_rfc6979_signature + encode_dss_signature ) from .fixtures_ec import EC_KEY_SECP384R1 @@ -434,7 +434,7 @@ class TestECDSAVectors(object): curve_type() ).public_key(backend) - signature = encode_rfc6979_signature(vector['r'], vector['s']) + signature = encode_dss_signature(vector['r'], vector['s']) verifier = key.verifier( signature, @@ -463,7 +463,7 @@ class TestECDSAVectors(object): curve_type() ).public_key(backend) - signature = encode_rfc6979_signature(vector['r'], vector['s']) + signature = encode_dss_signature(vector['r'], vector['s']) verifier = key.verifier( signature, diff --git a/tests/test_x509.py b/tests/test_x509.py index 0a1870d5..67066f04 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -1437,6 +1437,28 @@ class TestCertificateBuilder(object): with pytest.raises(ValueError): builder.subject_name(name) + def test_not_valid_before_after_not_valid_after(self): + builder = x509.CertificateBuilder() + + builder = builder.not_valid_after( + datetime.datetime(2002, 1, 1, 12, 1) + ) + with pytest.raises(ValueError): + builder.not_valid_before( + datetime.datetime(2003, 1, 1, 12, 1) + ) + + def test_not_valid_after_before_not_valid_before(self): + builder = x509.CertificateBuilder() + + builder = builder.not_valid_before( + datetime.datetime(2002, 1, 1, 12, 1) + ) + with pytest.raises(ValueError): + builder.not_valid_after( + datetime.datetime(2001, 1, 1, 12, 1) + ) + @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_public_key_must_be_public_key(self, backend): @@ -3188,15 +3210,15 @@ class TestNameAttribute(object): def test_init_bad_value(self): with pytest.raises(TypeError): x509.NameAttribute( - x509.ObjectIdentifier('oid'), + x509.ObjectIdentifier('2.999.1'), b'bytes' ) def test_eq(self): assert x509.NameAttribute( - x509.ObjectIdentifier('oid'), u'value' + x509.ObjectIdentifier('2.999.1'), u'value' ) == x509.NameAttribute( - x509.ObjectIdentifier('oid'), u'value' + x509.ObjectIdentifier('2.999.1'), u'value' ) def test_ne(self): @@ -3206,12 +3228,12 @@ class TestNameAttribute(object): x509.ObjectIdentifier('2.5.4.5'), u'value' ) assert x509.NameAttribute( - x509.ObjectIdentifier('oid'), u'value' + x509.ObjectIdentifier('2.999.1'), u'value' ) != x509.NameAttribute( - x509.ObjectIdentifier('oid'), u'value2' + x509.ObjectIdentifier('2.999.1'), u'value2' ) assert x509.NameAttribute( - x509.ObjectIdentifier('oid'), u'value' + x509.ObjectIdentifier('2.999.2'), u'value' ) != object() def test_repr(self): @@ -3230,64 +3252,87 @@ class TestNameAttribute(object): class TestObjectIdentifier(object): def test_eq(self): - oid1 = x509.ObjectIdentifier('oid') - oid2 = x509.ObjectIdentifier('oid') + oid1 = x509.ObjectIdentifier('2.999.1') + oid2 = x509.ObjectIdentifier('2.999.1') assert oid1 == oid2 def test_ne(self): - oid1 = x509.ObjectIdentifier('oid') - assert oid1 != x509.ObjectIdentifier('oid1') + oid1 = x509.ObjectIdentifier('2.999.1') + assert oid1 != x509.ObjectIdentifier('2.999.2') assert oid1 != object() def test_repr(self): oid = x509.ObjectIdentifier("2.5.4.3") assert repr(oid) == "<ObjectIdentifier(oid=2.5.4.3, name=commonName)>" - oid = x509.ObjectIdentifier("oid1") - assert repr(oid) == "<ObjectIdentifier(oid=oid1, name=Unknown OID)>" + oid = x509.ObjectIdentifier("2.999.1") + assert repr(oid) == "<ObjectIdentifier(oid=2.999.1, name=Unknown OID)>" def test_name_property(self): oid = x509.ObjectIdentifier("2.5.4.3") assert oid._name == 'commonName' - oid = x509.ObjectIdentifier("oid1") + oid = x509.ObjectIdentifier("2.999.1") assert oid._name == 'Unknown OID' + def test_too_short(self): + with pytest.raises(ValueError): + x509.ObjectIdentifier("1") + + def test_invalid_input(self): + with pytest.raises(ValueError): + x509.ObjectIdentifier("notavalidform") + + def test_invalid_node1(self): + with pytest.raises(ValueError): + x509.ObjectIdentifier("7.1.37") + + def test_invalid_node2(self): + with pytest.raises(ValueError): + x509.ObjectIdentifier("1.50.200") + + def test_valid(self): + x509.ObjectIdentifier("0.35.200") + x509.ObjectIdentifier("1.39.999") + x509.ObjectIdentifier("2.5.29.3") + x509.ObjectIdentifier("2.999.37.5.22.8") + x509.ObjectIdentifier("2.25.305821105408246119474742976030998643995") + class TestName(object): def test_eq(self): name1 = x509.Name([ - x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'), - x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'), + x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), + x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'), ]) name2 = x509.Name([ - x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'), - x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'), + x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), + x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'), ]) assert name1 == name2 def test_ne(self): name1 = x509.Name([ - x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'), - x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'), + x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), + x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'), ]) name2 = x509.Name([ - x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'), - x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'), + x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'), + x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), ]) assert name1 != name2 assert name1 != object() def test_hash(self): name1 = x509.Name([ - x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'), - x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'), + x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), + x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'), ]) name2 = x509.Name([ - x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'), - x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'), + x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), + x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'), ]) name3 = x509.Name([ - x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'), - x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'), + x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2'), + x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1'), ]) assert hash(name1) == hash(name2) diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index 8f469366..751de08d 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -18,7 +18,8 @@ from cryptography.hazmat.backends.interfaces import ( ) from cryptography.hazmat.primitives.asymmetric import ec from cryptography.x509.oid import ( - AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID, NameOID + AuthorityInformationAccessOID, ExtendedKeyUsageOID, + ExtensionOID, NameOID ) from .hazmat.primitives.test_ec import _skip_curve_unsupported @@ -603,8 +604,14 @@ class TestAuthorityKeyIdentifier(object): def test_authority_cert_serial_number_not_integer(self): dirname = x509.DirectoryName( x509.Name([ - x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'), - x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'), + x509.NameAttribute( + x509.ObjectIdentifier('2.999.1'), + u'value1' + ), + x509.NameAttribute( + x509.ObjectIdentifier('2.999.2'), + u'value2' + ), ]) ) with pytest.raises(TypeError): @@ -617,8 +624,14 @@ class TestAuthorityKeyIdentifier(object): def test_authority_issuer_not_none_serial_none(self): dirname = x509.DirectoryName( x509.Name([ - x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1'), - x509.NameAttribute(x509.ObjectIdentifier('oid2'), u'value2'), + x509.NameAttribute( + x509.ObjectIdentifier('2.999.1'), + u'value1' + ), + x509.NameAttribute( + x509.ObjectIdentifier('2.999.2'), + u'value2' + ), ]) ) with pytest.raises(ValueError): @@ -1166,10 +1179,10 @@ class TestDirectoryName(object): def test_eq(self): name = x509.Name([ - x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1') + x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1') ]) name2 = x509.Name([ - x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1') + x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1') ]) gn = x509.DirectoryName(x509.Name([name])) gn2 = x509.DirectoryName(x509.Name([name2])) @@ -1177,10 +1190,10 @@ class TestDirectoryName(object): def test_ne(self): name = x509.Name([ - x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value1') + x509.NameAttribute(x509.ObjectIdentifier('2.999.1'), u'value1') ]) name2 = x509.Name([ - x509.NameAttribute(x509.ObjectIdentifier('oid'), u'value2') + x509.NameAttribute(x509.ObjectIdentifier('2.999.2'), u'value2') ]) gn = x509.DirectoryName(x509.Name([name])) gn2 = x509.DirectoryName(x509.Name([name2])) |