add support for signature_algorithm in x509.Certificate

author: Paul Kehrer <paul.l.kehrer@gmail.com> 2015-02-11 23:35:07 -0600
committer: Paul Kehrer <paul.l.kehrer@gmail.com> 2015-02-14 10:12:25 -0600
commit: 56da2a50cd96e7214f4fdb254610bc19d8c0f255 (patch)
tree: 5b47e66f3506e64fe35598a0728fa8933b949025
parent: b8dc2f03ff2af2139ef9d77552562b0dce18d6bd (diff)
download: cryptography-56da2a50cd96e7214f4fdb254610bc19d8c0f255.tar.gz
cryptography-56da2a50cd96e7214f4fdb254610bc19d8c0f255.tar.bz2
cryptography-56da2a50cd96e7214f4fdb254610bc19d8c0f255.zip
5 files changed, 134 insertions, 0 deletions
diff --git a/docs/x509.rst b/docs/x509.rst
index 0298d94d..8043b367 100644
--- a/docs/x509.rst
+++ b/docs/x509.rst
@@ -182,6 +182,18 @@ X.509 Certificate Object
 
         The :class:`Name` of the subject.
 
+    .. attribute:: signature_algorithm
+
+        :type: :class:`ObjectIdentifier`
+
+        An :class:`ObjectIdentifier` instance corresponding to the signature
+        algorithm used to sign the certificate. This is both the digest
+        used as well as the asymmetric type.
+
+        .. doctest::
+
+            >>> cert.signature_algorithm
+            <ObjectIdentifier(oid=1.2.840.113549.1.1.11, name=sha256WithRSAEncryption)>
 
 .. class:: Name
 
@@ -266,6 +278,9 @@ Object Identifiers
 X.509 elements are frequently identified by :class:`ObjectIdentifier`
 instances. The following common OIDs are available as constants.
 
+Name OIDs
+~~~~~~~~~
+
 .. data:: OID_COMMON_NAME
 
     Corresponds to the dotted string ``"2.5.4.3"``. Historically the domain
@@ -346,6 +361,75 @@ instances. The following common OIDs are available as constants.
     Corresponds to the dotted string ``"1.2.840.113549.1.9.1"``. This OID is
     typically seen in X.509 names.
 
+Signature Algorithm OIDs
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. data:: OID_MD5_WITH_RSA
+
+    Corresponds to the dotted string ``"1.2.840.113549.1.1.4"``. This is
+    an MD5 digest signed by an RSA key.
+
+.. data:: OID_SHA1_WITH_RSA
+
+    Corresponds to the dotted string ``"1.2.840.113549.1.1.5"``. This is
+    a SHA1 digest signed by an RSA key.
+
+.. data:: OID_SHA224_WITH_RSA
+
+    Corresponds to the dotted string ``"1.2.840.113549.1.1.14"``. This is
+    a SHA224 digest signed by an RSA key.
+
+.. data:: OID_SHA256_WITH_RSA
+
+    Corresponds to the dotted string ``"1.2.840.113549.1.1.11"``. This is
+    a SHA256 digest signed by an RSA key.
+
+.. data:: OID_SHA384_WITH_RSA
+
+    Corresponds to the dotted string ``"1.2.840.113549.1.1.12"``. This is
+    a SHA384 digest signed by an RSA key.
+
+.. data:: OID_SHA512_WITH_RSA
+
+    Corresponds to the dotted string ``"1.2.840.113549.1.1.13"``. This is
+    a SHA512 digest signed by an RSA key.
+
+.. data:: OID_ECDSA_WITH_SHA224
+
+    Corresponds to the dotted string ``"1.2.840.10045.4.3.1"``. This is
+    a SHA224 digest signed by an ECDSA key.
+
+.. data:: OID_ECDSA_WITH_SHA256
+
+    Corresponds to the dotted string ``"1.2.840.10045.4.3.2"``. This is
+    a SHA256 digest signed by an ECDSA key.
+
+.. data:: OID_ECDSA_WITH_SHA384
+
+    Corresponds to the dotted string ``"1.2.840.10045.4.3.3"``. This is
+    a SHA384 digest signed by an ECDSA key.
+
+.. data:: OID_ECDSA_WITH_SHA512
+
+    Corresponds to the dotted string ``"1.2.840.10045.4.3.4"``. This is
+    a SHA512 digest signed by an ECDSA key.
+
+.. data:: OID_DSA_WITH_SHA1
+
+    Corresponds to the dotted string ``"1.2.840.10040.4.3"``. This is
+    a SHA1 digest signed by a DSA key.
+
+.. data:: OID_DSA_WITH_SHA224
+
+    Corresponds to the dotted string ``"2.16.840.1.101.3.4.3.1"``. This is
+    a SHA224 digest signed by a DSA key.
+
+.. data:: OID_DSA_WITH_SHA256
+
+    Corresponds to the dotted string ``2.16.840.1.101.3.4.3.2"``. This is
+    a SHA256 digest signed by a DSA key.
+
+
 Exceptions
 ~~~~~~~~~~
 
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 76dcf32f..a3dddc49 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -136,3 +136,14 @@ class _Certificate(object):
             )
 
         return x509.Name(attributes)
+
+    @property
+    def signature_algorithm(self):
+        buf_len = 50
+        buf = self._backend._ffi.new("char[]", buf_len)
+        res = self._backend._lib.OBJ_obj2txt(
+            buf, buf_len, self._x509.sig_alg.algorithm, 1
+        )
+        assert res <= 50 and res > 0
+        oid = self._backend._ffi.buffer(buf, res)[:].decode()
+        return x509.ObjectIdentifier(oid)
diff --git a/src/cryptography/hazmat/bindings/openssl/x509.py b/src/cryptography/hazmat/bindings/openssl/x509.py
index e30d23b7..bf689e33 100644
--- a/src/cryptography/hazmat/bindings/openssl/x509.py
+++ b/src/cryptography/hazmat/bindings/openssl/x509.py
@@ -65,6 +65,7 @@ typedef struct {
 } X509_CRL;
 
 typedef struct {
+    X509_ALGOR *sig_alg;
     X509_CINF *cert_info;
     ...;
 } X509;
diff --git a/src/cryptography/x509.py b/src/cryptography/x509.py
index 8a888d2a..c4d87bb7 100644
--- a/src/cryptography/x509.py
+++ b/src/cryptography/x509.py
@@ -28,6 +28,19 @@ _OID_NAMES = {
     "2.5.4.65": "pseudonym",
     "0.9.2342.19200300.100.1.25": "domainComponent",
     "1.2.840.113549.1.9.1": "emailAddress",
+    "1.2.840.113549.1.1.4": "md5WithRSA",
+    "1.2.840.113549.1.1.5": "sha1WithRSA",
+    "1.2.840.113549.1.1.14": "sha224WithRSAEncryption",
+    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
+    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
+    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
+    "1.2.840.10045.4.3.1": "ecdsa_with_SHA224",
+    "1.2.840.10045.4.3.2": "ecdsa_with_SHA256",
+    "1.2.840.10045.4.3.3": "ecdsa_with_SHA384",
+    "1.2.840.10045.4.3.4": "ecdsa_with_SHA512",
+    "1.2.840.10040.4.3": "dsaWithSHA1",
+    "2.16.840.1.101.3.4.3.1": "dsa_with_SHA224",
+    "2.16.840.1.101.3.4.3.2": "dsa_with_SHA256",
 }
 
 
@@ -143,6 +156,20 @@ OID_PSEUDONYM = ObjectIdentifier("2.5.4.65")
 OID_DOMAIN_COMPONENT = ObjectIdentifier("0.9.2342.19200300.100.1.25")
 OID_EMAIL_ADDRESS = ObjectIdentifier("1.2.840.113549.1.9.1")
 
+OID_MD5_WITH_RSA = ObjectIdentifier("1.2.840.113549.1.1.4")
+OID_SHA1_WITH_RSA = ObjectIdentifier("1.2.840.113549.1.1.5")
+OID_SHA224_WITH_RSA = ObjectIdentifier("1.2.840.113549.1.1.14")
+OID_SHA256_WITH_RSA = ObjectIdentifier("1.2.840.113549.1.1.11")
+OID_SHA384_WITH_RSA = ObjectIdentifier("1.2.840.113549.1.1.12")
+OID_SHA512_WITH_RSA = ObjectIdentifier("1.2.840.113549.1.1.13")
+OID_ECDSA_WITH_SHA224 = ObjectIdentifier("1.2.840.10045.4.3.1")
+OID_ECDSA_WITH_SHA256 = ObjectIdentifier("1.2.840.10045.4.3.2")
+OID_ECDSA_WITH_SHA384 = ObjectIdentifier("1.2.840.10045.4.3.3")
+OID_ECDSA_WITH_SHA512 = ObjectIdentifier("1.2.840.10045.4.3.4")
+OID_DSA_WITH_SHA1 = ObjectIdentifier("1.2.840.10040.4.3")
+OID_DSA_WITH_SHA224 = ObjectIdentifier("2.16.840.1.101.3.4.3.1")
+OID_DSA_WITH_SHA256 = ObjectIdentifier("2.16.840.1.101.3.4.3.2")
+
 
 @six.add_metaclass(abc.ABCMeta)
 class Certificate(object):
@@ -193,3 +220,10 @@ class Certificate(object):
         """
         Returns the subject name object.
         """
+
+    @abc.abstractproperty
+    def signature_algorithm(self):
+        """
+        Returns an ObjectIdentifier corresponding to the signature algorithm of
+        the certificate.
+        """
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 55a94084..613263d1 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -45,6 +45,7 @@ class TestRSACertificate(object):
         assert cert.serial == 11559813051657483483
         fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
         assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
+        assert cert.signature_algorithm == x509.OID_SHA1_WITH_RSA
 
     def test_load_der_cert(self, backend):
         cert = _load_cert(
@@ -56,6 +57,7 @@ class TestRSACertificate(object):
         assert cert.serial == 2
         fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
         assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
+        assert cert.signature_algorithm == x509.OID_SHA256_WITH_RSA
 
     def test_issuer(self, backend):
         cert = _load_cert(
@@ -338,6 +340,7 @@ class TestDSACertificate(object):
             x509.load_pem_x509_certificate,
             backend
         )
+        assert cert.signature_algorithm == x509.OID_DSA_WITH_SHA1
         public_key = cert.public_key()
         assert isinstance(public_key, interfaces.DSAPublicKey)
         if isinstance(public_key, interfaces.DSAPublicKeyWithNumbers):
@@ -390,6 +393,7 @@ class TestECDSACertificate(object):
             x509.load_pem_x509_certificate,
             backend
         )
+        assert cert.signature_algorithm == x509.OID_ECDSA_WITH_SHA384
         public_key = cert.public_key()
         assert isinstance(public_key, interfaces.EllipticCurvePublicKey)
         if isinstance(
author	Paul Kehrer <paul.l.kehrer@gmail.com>	2015-02-11 23:35:07 -0600
committer	Paul Kehrer <paul.l.kehrer@gmail.com>	2015-02-14 10:12:25 -0600
commit	56da2a50cd96e7214f4fdb254610bc19d8c0f255 (patch)
tree	5b47e66f3506e64fe35598a0728fa8933b949025
parent	b8dc2f03ff2af2139ef9d77552562b0dce18d6bd (diff)
download	cryptography-56da2a50cd96e7214f4fdb254610bc19d8c0f255.tar.gz cryptography-56da2a50cd96e7214f4fdb254610bc19d8c0f255.tar.bz2 cryptography-56da2a50cd96e7214f4fdb254610bc19d8c0f255.zip