From 74ce48c5d00e4846740d248a65d35b874f15afe2 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 30 Oct 2018 10:23:30 +0800 Subject: Add eq/ne/hash to PrecertificateSignedCertificateTimestamps (#4534) * Add eq/ne/hash to PrecertificateSignedCertificateTimestamps This requires adding it to SignedCertificateTimestamps as well * slightly more consistent * right, these need to be conditional * compare by signature * don't use private API --- src/cryptography/hazmat/backends/openssl/x509.py | 20 +++ src/cryptography/x509/extensions.py | 15 +++ tests/x509/test_x509_ext.py | 154 +++++++++++++++++++++++ 3 files changed, 189 insertions(+) diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py index ad838b7f..ac1838c6 100644 --- a/src/cryptography/hazmat/backends/openssl/x509.py +++ b/src/cryptography/hazmat/backends/openssl/x509.py @@ -534,3 +534,23 @@ class _SignedCertificateTimestamp(object): # we only have precerts. assert entry_type == self._backend._lib.CT_LOG_ENTRY_TYPE_PRECERT return x509.certificate_transparency.LogEntryType.PRE_CERTIFICATE + + @property + def _signature(self): + ptrptr = self._backend._ffi.new("unsigned char **") + res = self._backend._lib.SCT_get0_signature(self._sct, ptrptr) + self._backend.openssl_assert(res > 0) + self._backend.openssl_assert(ptrptr[0] != self._backend._ffi.NULL) + return self._backend._ffi.buffer(ptrptr[0], res)[:] + + def __hash__(self): + return hash(self._signature) + + def __eq__(self, other): + if not isinstance(other, _SignedCertificateTimestamp): + return NotImplemented + + return self._signature == other._signature + + def __ne__(self, other): + return not self == other diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py index b2d9908e..6301af5a 100644 --- a/src/cryptography/x509/extensions.py +++ b/src/cryptography/x509/extensions.py @@ -1402,6 +1402,21 @@ class PrecertificateSignedCertificateTimestamps(object): ) ) + def __hash__(self): + return hash(tuple(self._signed_certificate_timestamps)) + + def __eq__(self, other): + if not isinstance(other, PrecertificateSignedCertificateTimestamps): + return NotImplemented + + return ( + self._signed_certificate_timestamps == + other._signed_certificate_timestamps + ) + + def __ne__(self, other): + return not self == other + @utils.register_interface(ExtensionType) class OCSPNonce(object): diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py index 7a43c851..9eac9a27 100644 --- a/tests/x509/test_x509_ext.py +++ b/tests/x509/test_x509_ext.py @@ -4469,6 +4469,85 @@ class TestPrecertPoisonExtension(object): assert isinstance(poison, x509.PrecertPoison) +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestSignedCertificateTimestamps(object): + @pytest.mark.supported( + only_if=lambda backend: ( + backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER), + skip_message="Requires OpenSSL 1.1.0f+", + ) + def test_eq(self, backend): + sct = _load_cert( + os.path.join("x509", "badssl-sct.pem"), + x509.load_pem_x509_certificate, + backend + ).extensions.get_extension_for_class( + x509.PrecertificateSignedCertificateTimestamps + ).value[0] + sct2 = _load_cert( + os.path.join("x509", "badssl-sct.pem"), + x509.load_pem_x509_certificate, + backend + ).extensions.get_extension_for_class( + x509.PrecertificateSignedCertificateTimestamps + ).value[0] + assert sct == sct2 + + @pytest.mark.supported( + only_if=lambda backend: ( + backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER), + skip_message="Requires OpenSSL 1.1.0f+", + ) + def test_ne(self, backend): + sct = _load_cert( + os.path.join("x509", "badssl-sct.pem"), + x509.load_pem_x509_certificate, + backend + ).extensions.get_extension_for_class( + x509.PrecertificateSignedCertificateTimestamps + ).value[0] + sct2 = _load_cert( + os.path.join("x509", "cryptography-scts.pem"), + x509.load_pem_x509_certificate, + backend + ).extensions.get_extension_for_class( + x509.PrecertificateSignedCertificateTimestamps + ).value[0] + assert sct != sct2 + assert sct != object() + + @pytest.mark.supported( + only_if=lambda backend: ( + backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER), + skip_message="Requires OpenSSL 1.1.0f+", + ) + def test_hash(self, backend): + sct = _load_cert( + os.path.join("x509", "badssl-sct.pem"), + x509.load_pem_x509_certificate, + backend + ).extensions.get_extension_for_class( + x509.PrecertificateSignedCertificateTimestamps + ).value[0] + sct2 = _load_cert( + os.path.join("x509", "badssl-sct.pem"), + x509.load_pem_x509_certificate, + backend + ).extensions.get_extension_for_class( + x509.PrecertificateSignedCertificateTimestamps + ).value[0] + sct3 = _load_cert( + os.path.join("x509", "cryptography-scts.pem"), + x509.load_pem_x509_certificate, + backend + ).extensions.get_extension_for_class( + x509.PrecertificateSignedCertificateTimestamps + ).value[0] + assert hash(sct) == hash(sct2) + assert hash(sct) != hash(sct3) + + @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) class TestPrecertificateSignedCertificateTimestampsExtension(object): @@ -4481,6 +4560,81 @@ class TestPrecertificateSignedCertificateTimestampsExtension(object): "" ) + @pytest.mark.supported( + only_if=lambda backend: ( + backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER), + skip_message="Requires OpenSSL 1.1.0f+", + ) + def test_eq(self, backend): + psct1 = _load_cert( + os.path.join("x509", "badssl-sct.pem"), + x509.load_pem_x509_certificate, + backend + ).extensions.get_extension_for_class( + x509.PrecertificateSignedCertificateTimestamps + ).value + psct2 = _load_cert( + os.path.join("x509", "badssl-sct.pem"), + x509.load_pem_x509_certificate, + backend + ).extensions.get_extension_for_class( + x509.PrecertificateSignedCertificateTimestamps + ).value + assert psct1 == psct2 + + @pytest.mark.supported( + only_if=lambda backend: ( + backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER), + skip_message="Requires OpenSSL 1.1.0f+", + ) + def test_ne(self, backend): + psct1 = _load_cert( + os.path.join("x509", "cryptography-scts.pem"), + x509.load_pem_x509_certificate, + backend + ).extensions.get_extension_for_class( + x509.PrecertificateSignedCertificateTimestamps + ).value + psct2 = _load_cert( + os.path.join("x509", "badssl-sct.pem"), + x509.load_pem_x509_certificate, + backend + ).extensions.get_extension_for_class( + x509.PrecertificateSignedCertificateTimestamps + ).value + assert psct1 != psct2 + assert psct1 != object() + + @pytest.mark.supported( + only_if=lambda backend: ( + backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER), + skip_message="Requires OpenSSL 1.1.0f+", + ) + def test_hash(self, backend): + psct1 = _load_cert( + os.path.join("x509", "badssl-sct.pem"), + x509.load_pem_x509_certificate, + backend + ).extensions.get_extension_for_class( + x509.PrecertificateSignedCertificateTimestamps + ).value + psct2 = _load_cert( + os.path.join("x509", "badssl-sct.pem"), + x509.load_pem_x509_certificate, + backend + ).extensions.get_extension_for_class( + x509.PrecertificateSignedCertificateTimestamps + ).value + psct3 = _load_cert( + os.path.join("x509", "cryptography-scts.pem"), + x509.load_pem_x509_certificate, + backend + ).extensions.get_extension_for_class( + x509.PrecertificateSignedCertificateTimestamps + ).value + assert hash(psct1) == hash(psct2) + assert hash(psct1) != hash(psct3) + @pytest.mark.supported( only_if=lambda backend: ( backend._lib.CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER), -- cgit v1.2.3