From 56da2a50cd96e7214f4fdb254610bc19d8c0f255 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 11 Feb 2015 23:35:07 -0600 Subject: add support for signature_algorithm in x509.Certificate --- docs/x509.rst | 84 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 84 insertions(+) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index 0298d94d..8043b367 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -182,6 +182,18 @@ X.509 Certificate Object The :class:`Name` of the subject. + .. attribute:: signature_algorithm + + :type: :class:`ObjectIdentifier` + + An :class:`ObjectIdentifier` instance corresponding to the signature + algorithm used to sign the certificate. This is both the digest + used as well as the asymmetric type. + + .. doctest:: + + >>> cert.signature_algorithm + .. class:: Name @@ -266,6 +278,9 @@ Object Identifiers X.509 elements are frequently identified by :class:`ObjectIdentifier` instances. The following common OIDs are available as constants. +Name OIDs +~~~~~~~~~ + .. data:: OID_COMMON_NAME Corresponds to the dotted string ``"2.5.4.3"``. Historically the domain @@ -346,6 +361,75 @@ instances. The following common OIDs are available as constants. Corresponds to the dotted string ``"1.2.840.113549.1.9.1"``. This OID is typically seen in X.509 names. +Signature Algorithm OIDs +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. data:: OID_MD5_WITH_RSA + + Corresponds to the dotted string ``"1.2.840.113549.1.1.4"``. This is + an MD5 digest signed by an RSA key. + +.. data:: OID_SHA1_WITH_RSA + + Corresponds to the dotted string ``"1.2.840.113549.1.1.5"``. This is + a SHA1 digest signed by an RSA key. + +.. data:: OID_SHA224_WITH_RSA + + Corresponds to the dotted string ``"1.2.840.113549.1.1.14"``. This is + a SHA224 digest signed by an RSA key. + +.. data:: OID_SHA256_WITH_RSA + + Corresponds to the dotted string ``"1.2.840.113549.1.1.11"``. This is + a SHA256 digest signed by an RSA key. + +.. data:: OID_SHA384_WITH_RSA + + Corresponds to the dotted string ``"1.2.840.113549.1.1.12"``. This is + a SHA384 digest signed by an RSA key. + +.. data:: OID_SHA512_WITH_RSA + + Corresponds to the dotted string ``"1.2.840.113549.1.1.13"``. This is + a SHA512 digest signed by an RSA key. + +.. data:: OID_ECDSA_WITH_SHA224 + + Corresponds to the dotted string ``"1.2.840.10045.4.3.1"``. This is + a SHA224 digest signed by an ECDSA key. + +.. data:: OID_ECDSA_WITH_SHA256 + + Corresponds to the dotted string ``"1.2.840.10045.4.3.2"``. This is + a SHA256 digest signed by an ECDSA key. + +.. data:: OID_ECDSA_WITH_SHA384 + + Corresponds to the dotted string ``"1.2.840.10045.4.3.3"``. This is + a SHA384 digest signed by an ECDSA key. + +.. data:: OID_ECDSA_WITH_SHA512 + + Corresponds to the dotted string ``"1.2.840.10045.4.3.4"``. This is + a SHA512 digest signed by an ECDSA key. + +.. data:: OID_DSA_WITH_SHA1 + + Corresponds to the dotted string ``"1.2.840.10040.4.3"``. This is + a SHA1 digest signed by a DSA key. + +.. data:: OID_DSA_WITH_SHA224 + + Corresponds to the dotted string ``"2.16.840.1.101.3.4.3.1"``. This is + a SHA224 digest signed by a DSA key. + +.. data:: OID_DSA_WITH_SHA256 + + Corresponds to the dotted string ``2.16.840.1.101.3.4.3.2"``. This is + a SHA256 digest signed by a DSA key. + + Exceptions ~~~~~~~~~~ -- cgit v1.2.3 From b01622d15441068324af7ac68e1a1e26a4757704 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 13 Feb 2015 11:59:15 -0600 Subject: add legacy Verisign PCA (MD2) root to vectors --- docs/development/test-vectors.rst | 2 ++ 1 file changed, 2 insertions(+) (limited to 'docs') diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 4c048abf..be98c6f1 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -80,6 +80,8 @@ X.509 * ``v1_cert.pem`` from the OpenSSL source tree (`testx509.pem`_). * ``ecdsa_root.pem`` - `DigiCert Global Root G3`_, a ``secp384r1`` ECDSA root certificate. +* ``verisign-md2-root.pem`` - A legacy Verisign public root signed using the + MD2 algorithm. Custom X.509 Vectors ~~~~~~~~~~~~~~~~~~~~ -- cgit v1.2.3 From 8802a5bae7138d10c289361e5204fb1ea72fc099 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 13 Feb 2015 12:06:57 -0600 Subject: implement signature_hash_algorithm instead --- docs/spelling_wordlist.txt | 1 + docs/x509.rst | 15 ++++++++------- 2 files changed, 9 insertions(+), 7 deletions(-) (limited to 'docs') diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index fefd26b3..ddd37897 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt @@ -51,3 +51,4 @@ Ubuntu unencrypted unpadded unpadding +Verisign diff --git a/docs/x509.rst b/docs/x509.rst index 8043b367..193b8452 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -182,18 +182,19 @@ X.509 Certificate Object The :class:`Name` of the subject. - .. attribute:: signature_algorithm + .. attribute:: signature_hash_algorithm - :type: :class:`ObjectIdentifier` + :type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` - An :class:`ObjectIdentifier` instance corresponding to the signature - algorithm used to sign the certificate. This is both the digest - used as well as the asymmetric type. + A :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` + corresponding to the hash algorithm used within the certificate + signature. .. doctest:: - >>> cert.signature_algorithm - + >>> from cryptography.hazmat.primitives import hashes + >>> isinstance(cert.signature_hash_algorithm, hashes.SHA256) + True .. class:: Name -- cgit v1.2.3 From 2b6ba0c633ef672a6d8ef2ca109d3ffd508e044e Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 14 Feb 2015 18:58:20 -0600 Subject: document vector provenance --- docs/development/test-vectors.rst | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index be98c6f1..2cd9faa6 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -81,7 +81,8 @@ X.509 * ``ecdsa_root.pem`` - `DigiCert Global Root G3`_, a ``secp384r1`` ECDSA root certificate. * ``verisign-md2-root.pem`` - A legacy Verisign public root signed using the - MD2 algorithm. + MD2 algorithm. This is a PEM conversion of the `root data`_ in the NSS source + tree. Custom X.509 Vectors ~~~~~~~~~~~~~~~~~~~~ @@ -221,3 +222,4 @@ header format (substituting the correct information): .. _`NIST PKI Testing`: http://csrc.nist.gov/groups/ST/crypto_apps_infra/pki/pkitesting.html .. _`testx509.pem`: https://github.com/openssl/openssl/blob/master/test/testx509.pem .. _`DigiCert Global Root G3`: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt +.. _`root data`: https://hg.mozilla.org/projects/nss/file/25b2922cc564/security/nss/lib/ckfw/builtins/certdata.txt#l2053 -- cgit v1.2.3 From e612ec74f68f344ee4bde5d6e377ffc03cdb1ec6 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 16 Feb 2015 14:33:35 -0600 Subject: try to make this a bit more clear --- docs/x509.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index 193b8452..e16e79e9 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -186,9 +186,9 @@ X.509 Certificate Object :type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` - A :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` - corresponding to the hash algorithm used within the certificate - signature. + Returns the + :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` used in + the signature. .. doctest:: -- cgit v1.2.3 From e19201e6250cf0f60bbf2362938294ab7c533d3b Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 16 Feb 2015 18:05:20 -0600 Subject: attempt to clarify signature hash algorithm a bit more --- docs/x509.rst | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index e16e79e9..262ba301 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -188,7 +188,11 @@ X.509 Certificate Object Returns the :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` used in - the signature. + the certificate's signature. + + .. note:: + Items signed by the parsed certificate do not have to use the same + hash algorithm. .. doctest:: -- cgit v1.2.3 From 71d40c6af6c70f38da3bf1f65c8b8f16ae7d567e Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 19 Feb 2015 08:21:04 -0600 Subject: address review feedback, fix short names for sig alg OIDs --- docs/x509.rst | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index 262ba301..a3426a2b 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -187,12 +187,8 @@ X.509 Certificate Object :type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` Returns the - :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` used in - the certificate's signature. - - .. note:: - Items signed by the parsed certificate do not have to use the same - hash algorithm. + :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` which + was used in signing the certificate. .. doctest:: @@ -369,32 +365,32 @@ Name OIDs Signature Algorithm OIDs ~~~~~~~~~~~~~~~~~~~~~~~~ -.. data:: OID_MD5_WITH_RSA +.. data:: OID_MD5_WITH_RSA_ENCRYPTION Corresponds to the dotted string ``"1.2.840.113549.1.1.4"``. This is an MD5 digest signed by an RSA key. -.. data:: OID_SHA1_WITH_RSA +.. data:: OID_SHA1_WITH_RSA_ENCRYPTION Corresponds to the dotted string ``"1.2.840.113549.1.1.5"``. This is a SHA1 digest signed by an RSA key. -.. data:: OID_SHA224_WITH_RSA +.. data:: OID_SHA224_WITH_RSA_ENCRYPTION Corresponds to the dotted string ``"1.2.840.113549.1.1.14"``. This is a SHA224 digest signed by an RSA key. -.. data:: OID_SHA256_WITH_RSA +.. data:: OID_SHA256_WITH_RSA_ENCRYPTION Corresponds to the dotted string ``"1.2.840.113549.1.1.11"``. This is a SHA256 digest signed by an RSA key. -.. data:: OID_SHA384_WITH_RSA +.. data:: OID_SHA384_WITH_RSA_ENCRYPTION Corresponds to the dotted string ``"1.2.840.113549.1.1.12"``. This is a SHA384 digest signed by an RSA key. -.. data:: OID_SHA512_WITH_RSA +.. data:: OID_SHA512_WITH_RSA_ENCRYPTION Corresponds to the dotted string ``"1.2.840.113549.1.1.13"``. This is a SHA512 digest signed by an RSA key. -- cgit v1.2.3 From 1a7ba87dcc9c44178c9dae3351484707730d6a18 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 19 Feb 2015 18:09:05 -0600 Subject: surrender to alex's feels and name our constants consistently --- docs/x509.rst | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'docs') diff --git a/docs/x509.rst b/docs/x509.rst index a3426a2b..27f1d544 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -188,7 +188,7 @@ X.509 Certificate Object Returns the :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` which - was used in signing the certificate. + was used in signing this certificate. .. doctest:: @@ -365,32 +365,32 @@ Name OIDs Signature Algorithm OIDs ~~~~~~~~~~~~~~~~~~~~~~~~ -.. data:: OID_MD5_WITH_RSA_ENCRYPTION +.. data:: OID_RSA_WITH_MD5 Corresponds to the dotted string ``"1.2.840.113549.1.1.4"``. This is an MD5 digest signed by an RSA key. -.. data:: OID_SHA1_WITH_RSA_ENCRYPTION +.. data:: OID_RSA_WITH_SHA1 Corresponds to the dotted string ``"1.2.840.113549.1.1.5"``. This is a SHA1 digest signed by an RSA key. -.. data:: OID_SHA224_WITH_RSA_ENCRYPTION +.. data:: OID_RSA_WITH_SHA224 Corresponds to the dotted string ``"1.2.840.113549.1.1.14"``. This is a SHA224 digest signed by an RSA key. -.. data:: OID_SHA256_WITH_RSA_ENCRYPTION +.. data:: OID_RSA_WITH_SHA256 Corresponds to the dotted string ``"1.2.840.113549.1.1.11"``. This is a SHA256 digest signed by an RSA key. -.. data:: OID_SHA384_WITH_RSA_ENCRYPTION +.. data:: OID_RSA_WITH_SHA384 Corresponds to the dotted string ``"1.2.840.113549.1.1.12"``. This is a SHA384 digest signed by an RSA key. -.. data:: OID_SHA512_WITH_RSA_ENCRYPTION +.. data:: OID_RSA_WITH_SHA512 Corresponds to the dotted string ``"1.2.840.113549.1.1.13"``. This is a SHA512 digest signed by an RSA key. -- cgit v1.2.3