diff options
author | Paul Kehrer <paul.l.kehrer@gmail.com> | 2019-01-10 15:37:03 -0800 |
---|---|---|
committer | Alex Gaynor <alex.gaynor@gmail.com> | 2019-01-10 18:37:03 -0500 |
commit | 60f264b0f293bfded7a0b4395715669d355a6185 (patch) | |
tree | a8fdf4f17f20115063e557eebf36b0f9dd1b7a63 | |
parent | 90a557764542f2d939a8b0a61c74b299870fca6c (diff) | |
download | cryptography-60f264b0f293bfded7a0b4395715669d355a6185.tar.gz cryptography-60f264b0f293bfded7a0b4395715669d355a6185.tar.bz2 cryptography-60f264b0f293bfded7a0b4395715669d355a6185.zip |
add signature_hash_algorithm to OCSPResponse (#4681)
* add signature_hash_algorithm to OCSPResponse
* fix pointless asserts
-rw-r--r-- | CHANGELOG.rst | 2 | ||||
-rw-r--r-- | docs/development/test-vectors.rst | 2 | ||||
-rw-r--r-- | docs/x509/ocsp.rst | 10 | ||||
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/ocsp.py | 11 | ||||
-rw-r--r-- | src/cryptography/x509/ocsp.py | 6 | ||||
-rw-r--r-- | tests/x509/test_ocsp.py | 50 | ||||
-rw-r--r-- | vectors/cryptography_vectors/x509/ocsp/resp-invalid-signature-oid.der | bin | 0 -> 527 bytes |
7 files changed, 63 insertions, 18 deletions
diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 191d8042..42772af0 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -35,6 +35,8 @@ Changelog which immediately checks if the point is on the curve and supports compressed points. Deprecated the previous method :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.from_encoded_point`. +* Added :attr:`~cryptography.x509.ocsp.OCSPResponse.signature_hash_algorithm` + to ``OCSPResponse``. .. _v2-4-2: diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index eb9ba4b4..a10125ac 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -471,6 +471,8 @@ X.509 OCSP Test Vectors revocation reason. * ``x509/ocsp/resp-revoked-no-next-update.der`` - An OCSP response that contains a revoked certificate and no ``nextUpdate`` value. +* ``x509/ocsp/resp-invalid-signature-oid.der`` - An OCSP response that was + modified to contain an MD2 signature algorithm object identifier. Custom X.509 OCSP Test Vectors ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/docs/x509/ocsp.rst b/docs/x509/ocsp.rst index 535ffdda..d3815d6f 100644 --- a/docs/x509/ocsp.rst +++ b/docs/x509/ocsp.rst @@ -426,6 +426,16 @@ Interfaces :raises ValueError: If ``response_status`` is not :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`. + .. attribute:: signature_hash_algorithm + + .. versionadded:: 2.5 + + :type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` + + Returns the + :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` which + was used in signing this response. + .. attribute:: signature :type: bytes diff --git a/src/cryptography/hazmat/backends/openssl/ocsp.py b/src/cryptography/hazmat/backends/openssl/ocsp.py index 32e26a0a..16dbbc2a 100644 --- a/src/cryptography/hazmat/backends/openssl/ocsp.py +++ b/src/cryptography/hazmat/backends/openssl/ocsp.py @@ -128,6 +128,17 @@ class _OCSPResponse(object): @property @_requires_successful_response + def signature_hash_algorithm(self): + oid = self.signature_algorithm_oid + try: + return x509._SIG_OIDS_TO_HASH[oid] + except KeyError: + raise UnsupportedAlgorithm( + "Signature algorithm OID:{0} not recognized".format(oid) + ) + + @property + @_requires_successful_response def signature(self): sig = self._backend._lib.OCSP_resp_get0_signature(self._basic) self._backend.openssl_assert(sig != self._backend._ffi.NULL) diff --git a/src/cryptography/x509/ocsp.py b/src/cryptography/x509/ocsp.py index 2b0b1dc3..97933b1f 100644 --- a/src/cryptography/x509/ocsp.py +++ b/src/cryptography/x509/ocsp.py @@ -315,6 +315,12 @@ class OCSPResponse(object): """ @abc.abstractproperty + def signature_hash_algorithm(self): + """ + Returns a HashAlgorithm corresponding to the type of the digest signed + """ + + @abc.abstractproperty def signature(self): """ The signature bytes diff --git a/tests/x509/test_ocsp.py b/tests/x509/test_ocsp.py index fad48dab..3abaff50 100644 --- a/tests/x509/test_ocsp.py +++ b/tests/x509/test_ocsp.py @@ -583,6 +583,7 @@ class TestOCSPResponse(object): assert resp.response_status == ocsp.OCSPResponseStatus.SUCCESSFUL assert (resp.signature_algorithm_oid == x509.SignatureAlgorithmOID.RSA_WITH_SHA256) + assert isinstance(resp.signature_hash_algorithm, hashes.SHA256) assert resp.signature == base64.b64decode( b"I9KUlyLV/2LbNCVu1BQphxdNlU/jBzXsPYVscPjW5E93pCrSO84GkIWoOJtqsnt" b"78DLcQPnF3W24NXGzSGKlSWfXIsyoXCxnBm0mIbD5ZMnKyXEnqSR33Z9He/A+ML" @@ -602,7 +603,7 @@ class TestOCSPResponse(object): resp.signature, resp.tbs_response_bytes, PKCS1v15(), - hashes.SHA256() + resp.signature_hash_algorithm ) assert resp.certificates == [] assert resp.responder_key_hash is None @@ -630,39 +631,41 @@ class TestOCSPResponse(object): ) assert resp.response_status == ocsp.OCSPResponseStatus.UNAUTHORIZED with pytest.raises(ValueError): - assert resp.signature_algorithm_oid + resp.signature_algorithm_oid with pytest.raises(ValueError): - assert resp.signature + resp.signature_hash_algorithm with pytest.raises(ValueError): - assert resp.tbs_response_bytes + resp.signature with pytest.raises(ValueError): - assert resp.certificates + resp.tbs_response_bytes with pytest.raises(ValueError): - assert resp.responder_key_hash + resp.certificates with pytest.raises(ValueError): - assert resp.responder_name + resp.responder_key_hash with pytest.raises(ValueError): - assert resp.produced_at + resp.responder_name with pytest.raises(ValueError): - assert resp.certificate_status + resp.produced_at with pytest.raises(ValueError): - assert resp.revocation_time + resp.certificate_status with pytest.raises(ValueError): - assert resp.revocation_reason + resp.revocation_time with pytest.raises(ValueError): - assert resp.this_update + resp.revocation_reason with pytest.raises(ValueError): - assert resp.next_update + resp.this_update with pytest.raises(ValueError): - assert resp.issuer_key_hash + resp.next_update with pytest.raises(ValueError): - assert resp.issuer_name_hash + resp.issuer_key_hash with pytest.raises(ValueError): - assert resp.hash_algorithm + resp.issuer_name_hash with pytest.raises(ValueError): - assert resp.serial_number + resp.hash_algorithm with pytest.raises(ValueError): - assert resp.extensions + resp.serial_number + with pytest.raises(ValueError): + resp.extensions def test_load_revoked(self): resp = _load_data( @@ -684,6 +687,17 @@ class TestOCSPResponse(object): assert isinstance(resp.certificates[0], x509.Certificate) assert resp.certificate_status == ocsp.OCSPCertStatus.UNKNOWN + def test_load_invalid_signature_oid(self): + resp = _load_data( + os.path.join("x509", "ocsp", "resp-invalid-signature-oid.der"), + ocsp.load_der_ocsp_response, + ) + assert resp.signature_algorithm_oid == x509.ObjectIdentifier( + "1.2.840.113549.1.1.2" + ) + with pytest.raises(UnsupportedAlgorithm): + resp.signature_hash_algorithm + def test_load_responder_key_hash(self): resp = _load_data( os.path.join("x509", "ocsp", "resp-responder-key-hash.der"), diff --git a/vectors/cryptography_vectors/x509/ocsp/resp-invalid-signature-oid.der b/vectors/cryptography_vectors/x509/ocsp/resp-invalid-signature-oid.der Binary files differnew file mode 100644 index 00000000..e2c7dd87 --- /dev/null +++ b/vectors/cryptography_vectors/x509/ocsp/resp-invalid-signature-oid.der |