diff options
| -rw-r--r-- | CHANGELOG.rst | 1 | ||||
| -rw-r--r-- | docs/development/test-vectors.rst | 2 | ||||
| -rw-r--r-- | docs/hazmat/backends/interfaces.rst | 20 | ||||
| -rw-r--r-- | docs/x509/reference.rst | 123 | ||||
| -rw-r--r-- | src/_cffi_src/openssl/x509name.py | 10 | ||||
| -rw-r--r-- | src/_cffi_src/openssl/x509v3.py | 5 | ||||
| -rw-r--r-- | src/cryptography/hazmat/backends/interfaces.py | 4 | ||||
| -rw-r--r-- | src/cryptography/hazmat/backends/multibackend.py | 4 | ||||
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/backend.py | 92 | ||||
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/x509.py | 6 | ||||
| -rw-r--r-- | src/cryptography/x509.py | 75 | ||||
| -rw-r--r-- | tests/hazmat/backends/test_multibackend.py | 6 | ||||
| -rw-r--r-- | tests/hazmat/backends/test_openssl.py | 4 | ||||
| -rw-r--r-- | tests/test_x509.py | 295 | ||||
| -rw-r--r-- | vectors/cryptography_vectors/x509/rapidssl_sha256_ca_g3.pem | 25 |
15 files changed, 644 insertions, 28 deletions
diff --git a/CHANGELOG.rst b/CHANGELOG.rst index f07a9087..63877d8a 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -11,6 +11,7 @@ Changelog memory consumption. Due to this change we no longer support PyPy releases older than 2.6 nor do we support any released version of PyPy3 (until a version supporting cffi 1.0 comes out). +* Fix parsing of OpenSSH public keys that have spaces in comments. * Support serialization of certificate signing requests using the ``public_bytes`` method of :class:`~cryptography.x509.CertificateSigningRequest`. diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index d400e662..1c84435b 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -102,6 +102,8 @@ X.509 tree. * ``cryptography.io.pem`` - A leaf certificate issued by RapidSSL for the cryptography website. +* ``rapidssl_sha256_ca_g3.pem`` - The intermediate CA that issued the + ``cryptography.io.pem`` certificate. * ``wildcard_san.pem`` - A leaf certificate issued by a public CA for ``langui.sh`` that contains wildcard entries in the SAN extension. * ``san_edipartyname.der`` - A DSA certificate from a `Mozilla bug`_ diff --git a/docs/hazmat/backends/interfaces.rst b/docs/hazmat/backends/interfaces.rst index fb3786c3..442bd0de 100644 --- a/docs/hazmat/backends/interfaces.rst +++ b/docs/hazmat/backends/interfaces.rst @@ -550,6 +550,26 @@ A specific ``backend`` may provide one or more of these interfaces. :returns: A new object with the :class:`~cryptography.x509.CertificateSigningRequest` interface. + .. method:: create_x509_certificate(builder, private_key, algorithm) + + .. versionadded:: 1.0 + + :param builder: An instance of + :class:`~cryptography.x509.CertificateBuilder`. + + :param private_key: The + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`, + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey` or + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey` + that will be used to sign the certificate. + + :param algorithm: The + :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` + that will be used to generate the certificate signature. + + :returns: A new object with the + :class:`~cryptography.x509.Certificate` interface. + .. class:: DHBackend diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst index e83a4ace..dfa91fac 100644 --- a/docs/x509/reference.rst +++ b/docs/x509/reference.rst @@ -909,14 +909,28 @@ X.509 Extensions Returns an instance of the extension type corresponding to the OID. +.. class:: ExtensionType + + .. versionadded:: 1.0 + + This is the interface against which all the following extension types are + registered. + .. class:: KeyUsage .. versionadded:: 0.9 The key usage extension defines the purpose of the key contained in the certificate. The usage restriction might be employed when a key that could - be used for more than one operation is to be restricted. It corresponds to - :data:`OID_KEY_USAGE`. + be used for more than one operation is to be restricted. + + .. attribute:: oid + + .. versionadded:: 1.0 + + :type: :class:`ObjectIdentifier` + + Returns :data:`OID_KEY_USAGE`. .. attribute:: digital_signature @@ -1007,8 +1021,15 @@ X.509 Extensions Basic constraints is an X.509 extension type that defines whether a given certificate is allowed to sign additional certificates and what path - length restrictions may exist. It corresponds to - :data:`OID_BASIC_CONSTRAINTS`. + length restrictions may exist. + + .. attribute:: oid + + .. versionadded:: 1.0 + + :type: :class:`ObjectIdentifier` + + Returns :data:`OID_BASIC_CONSTRAINTS`. .. attribute:: ca @@ -1038,6 +1059,15 @@ X.509 Extensions purposes indicated in the key usage extension. The object is iterable to obtain the list of :ref:`extended key usage OIDs <eku_oids>`. + .. attribute:: oid + + .. versionadded:: 1.0 + + :type: :class:`ObjectIdentifier` + + Returns :data:`OID_EXTENDED_KEY_USAGE`. + + .. class:: OCSPNoCheck .. versionadded:: 1.0 @@ -1051,6 +1081,14 @@ X.509 Extensions extension is only relevant when the certificate is an authorized OCSP responder. + .. attribute:: oid + + .. versionadded:: 1.0 + + :type: :class:`ObjectIdentifier` + + Returns :data:`OID_OCSP_NO_CHECK`. + .. class:: NameConstraints .. versionadded:: 1.0 @@ -1060,6 +1098,14 @@ X.509 Extensions beneath the CA certificate must (or must not) be in. For specific details on the way this extension should be processed see :rfc:`5280`. + .. attribute:: oid + + .. versionadded:: 1.0 + + :type: :class:`ObjectIdentifier` + + Returns :data:`OID_NAME_CONSTRAINTS`. + .. attribute:: permitted_subtrees :type: list of :class:`GeneralName` objects or None @@ -1087,6 +1133,14 @@ X.509 Extensions certificate chain. For more information about generation and use of this extension see `RFC 5280 section 4.2.1.1`_. + .. attribute:: oid + + .. versionadded:: 1.0 + + :type: :class:`ObjectIdentifier` + + Returns :data:`OID_AUTHORITY_KEY_IDENTIFIER`. + .. attribute:: key_identifier :type: bytes @@ -1113,6 +1167,14 @@ X.509 Extensions The subject key identifier extension provides a means of identifying certificates that contain a particular public key. + .. attribute:: oid + + .. versionadded:: 1.0 + + :type: :class:`ObjectIdentifier` + + Returns :data:`OID_SUBJECT_KEY_IDENTIFIER`. + .. attribute:: digest :type: bytes @@ -1145,6 +1207,14 @@ X.509 Extensions of identities for which the certificate is valid. The object is iterable to get every element. + .. attribute:: oid + + .. versionadded:: 1.0 + + :type: :class:`ObjectIdentifier` + + Returns :data:`OID_SUBJECT_ALTERNATIVE_NAME`. + .. method:: get_values_for_type(type) :param type: A :class:`GeneralName` provider. This is one of the @@ -1175,6 +1245,14 @@ X.509 Extensions of identities for the certificate issuer. The object is iterable to get every element. + .. attribute:: oid + + .. versionadded:: 1.0 + + :type: :class:`ObjectIdentifier` + + Returns :data:`OID_ISSUER_ALTERNATIVE_NAME`. + .. method:: get_values_for_type(type) :param type: A :class:`GeneralName` provider. This is one of the @@ -1193,6 +1271,14 @@ X.509 Extensions validation services (such as OCSP) and issuer data. It is an iterable, containing one or more :class:`AccessDescription` instances. + .. attribute:: oid + + .. versionadded:: 1.0 + + :type: :class:`ObjectIdentifier` + + Returns :data:`OID_AUTHORITY_INFORMATION_ACCESS`. + .. class:: AccessDescription @@ -1223,6 +1309,14 @@ X.509 Extensions obtained. It is an iterable, containing one or more :class:`DistributionPoint` instances. + .. attribute:: oid + + .. versionadded:: 1.0 + + :type: :class:`ObjectIdentifier` + + Returns :data:`OID_CRL_DISTRIBUTION_POINTS`. + .. class:: DistributionPoint .. versionadded:: 0.9 @@ -1321,6 +1415,14 @@ X.509 Extensions certificates issued by the subject of this certificate, but not in additional certificates in the path. + .. attribute:: oid + + .. versionadded:: 1.0 + + :type: :class:`ObjectIdentifier` + + Returns :data:`OID_INHIBIT_ANY_POLICY`. + .. attribute:: skip_certs :type: int @@ -1332,6 +1434,14 @@ X.509 Extensions The certificate policies extension is an iterable, containing one or more :class:`PolicyInformation` instances. + .. attribute:: oid + + .. versionadded:: 1.0 + + :type: :class:`ObjectIdentifier` + + Returns :data:`OID_CERTIFICATE_POLICIES`. + Certificate Policies Classes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -1685,6 +1795,11 @@ Extension OIDs Corresponds to the dotted string ``"1.3.6.1.5.5.7.1.1"``. The identifier for the :class:`AuthorityInformationAccess` extension type. +.. data:: OID_INHIBIT_ANY_POLICY + + Corresponds to the dotted string ``"2.5.29.54"``. The identifier + for the :class:`InhibitAnyPolicy` extension type. + .. data:: OID_OCSP_NO_CHECK Corresponds to the dotted string ``"1.3.6.1.5.5.7.48.1.5"``. The identifier diff --git a/src/_cffi_src/openssl/x509name.py b/src/_cffi_src/openssl/x509name.py index 2d87db4c..7b833d61 100644 --- a/src/_cffi_src/openssl/x509name.py +++ b/src/_cffi_src/openssl/x509name.py @@ -15,10 +15,13 @@ typedef STACK_OF(X509_NAME_ENTRY) Cryptography_STACK_OF_X509_NAME_ENTRY; """ TYPES = """ -typedef ... X509_NAME; +typedef ... Cryptography_STACK_OF_X509_NAME_ENTRY; +typedef struct { + Cryptography_STACK_OF_X509_NAME_ENTRY *entries; + ...; +} X509_NAME; typedef ... X509_NAME_ENTRY; typedef ... Cryptography_STACK_OF_X509_NAME; -typedef ... Cryptography_STACK_OF_X509_NAME_ENTRY; """ FUNCTIONS = """ @@ -55,6 +58,9 @@ void sk_X509_NAME_free(Cryptography_STACK_OF_X509_NAME *); int sk_X509_NAME_ENTRY_num(Cryptography_STACK_OF_X509_NAME_ENTRY *); X509_NAME_ENTRY *sk_X509_NAME_ENTRY_value( Cryptography_STACK_OF_X509_NAME_ENTRY *, int); +Cryptography_STACK_OF_X509_NAME_ENTRY *sk_X509_NAME_ENTRY_dup( + Cryptography_STACK_OF_X509_NAME_ENTRY * +); """ CUSTOMIZATIONS = """ diff --git a/src/_cffi_src/openssl/x509v3.py b/src/_cffi_src/openssl/x509v3.py index f6a18903..6e35dacc 100644 --- a/src/_cffi_src/openssl/x509v3.py +++ b/src/_cffi_src/openssl/x509v3.py @@ -189,7 +189,9 @@ BASIC_CONSTRAINTS *BASIC_CONSTRAINTS_new(void); void BASIC_CONSTRAINTS_free(BASIC_CONSTRAINTS *); /* This is a macro defined by a call to DECLARE_ASN1_FUNCTIONS in the x509v3.h header. */ +AUTHORITY_KEYID *AUTHORITY_KEYID_new(void); void AUTHORITY_KEYID_free(AUTHORITY_KEYID *); +int i2d_AUTHORITY_KEYID(AUTHORITY_KEYID *, unsigned char **); NAME_CONSTRAINTS *NAME_CONSTRAINTS_new(void); void NAME_CONSTRAINTS_free(NAME_CONSTRAINTS *); @@ -283,6 +285,9 @@ X509_EXTENSION *X509V3_EXT_i2d(int, int, void *); DIST_POINT *DIST_POINT_new(void); void DIST_POINT_free(DIST_POINT *); +DIST_POINT_NAME *DIST_POINT_NAME_new(void); +void DIST_POINT_NAME_free(DIST_POINT_NAME *); + int i2d_CRL_DIST_POINTS(Cryptography_STACK_OF_DIST_POINT *, unsigned char **); """ diff --git a/src/cryptography/hazmat/backends/interfaces.py b/src/cryptography/hazmat/backends/interfaces.py index 49ccda18..a43621a7 100644 --- a/src/cryptography/hazmat/backends/interfaces.py +++ b/src/cryptography/hazmat/backends/interfaces.py @@ -281,9 +281,9 @@ class X509Backend(object): """ @abc.abstractmethod - def sign_x509_certificate(self, builder, private_key, algorithm): + def create_x509_certificate(self, builder, private_key, algorithm): """ - Sign an X.509 Certificate from a CertificateBuilder object. + Create and sign an X.509 certificate from a CertificateBuilder object. """ diff --git a/src/cryptography/hazmat/backends/multibackend.py b/src/cryptography/hazmat/backends/multibackend.py index 8008989e..9db32aa5 100644 --- a/src/cryptography/hazmat/backends/multibackend.py +++ b/src/cryptography/hazmat/backends/multibackend.py @@ -352,9 +352,9 @@ class MultiBackend(object): _Reasons.UNSUPPORTED_X509 ) - def sign_x509_certificate(self, builder, private_key, algorithm): + def create_x509_certificate(self, builder, private_key, algorithm): for b in self._filtered_backends(X509Backend): - return b.sign_x509_certificate(builder, private_key, algorithm) + return b.create_x509_certificate(builder, private_key, algorithm) raise UnsupportedAlgorithm( "This backend does not support X.509.", diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index f9da9ea7..2752d98d 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -38,7 +38,8 @@ from cryptography.hazmat.backends.openssl.rsa import ( _RSAPrivateKey, _RSAPublicKey ) from cryptography.hazmat.backends.openssl.x509 import ( - _Certificate, _CertificateSigningRequest + _Certificate, _CertificateSigningRequest, _DISTPOINT_TYPE_FULLNAME, + _DISTPOINT_TYPE_RELATIVENAME ) from cryptography.hazmat.bindings.openssl.binding import Binding from cryptography.hazmat.primitives import hashes, serialization @@ -228,18 +229,22 @@ def _encode_authority_information_access(backend, authority_info_access): return pp, r -def _encode_subject_alt_name(backend, san): +def _encode_general_names(backend, names): general_names = backend._lib.GENERAL_NAMES_new() assert general_names != backend._ffi.NULL - general_names = backend._ffi.gc( - general_names, backend._lib.GENERAL_NAMES_free - ) - - for alt_name in san: - gn = _encode_general_name(backend, alt_name) + for name in names: + gn = _encode_general_name(backend, name) res = backend._lib.sk_GENERAL_NAME_push(general_names, gn) assert res != 0 + return general_names + + +def _encode_subject_alt_name(backend, san): + general_names = _encode_general_names(backend, san) + general_names = backend._ffi.gc( + general_names, backend._lib.GENERAL_NAMES_free + ) pp = backend._ffi.new("unsigned char **") r = backend._lib.i2d_GENERAL_NAMES(general_names, pp) assert r > 0 @@ -355,6 +360,67 @@ def _encode_extended_key_usage(backend, extended_key_usage): return pp, r +_CRLREASONFLAGS = { + x509.ReasonFlags.key_compromise: 1, + x509.ReasonFlags.ca_compromise: 2, + x509.ReasonFlags.affiliation_changed: 3, + x509.ReasonFlags.superseded: 4, + x509.ReasonFlags.cessation_of_operation: 5, + x509.ReasonFlags.certificate_hold: 6, + x509.ReasonFlags.privilege_withdrawn: 7, + x509.ReasonFlags.aa_compromise: 8, +} + + +def _encode_crl_distribution_points(backend, crl_distribution_points): + cdp = backend._lib.sk_DIST_POINT_new_null() + cdp = backend._ffi.gc(cdp, backend._lib.sk_DIST_POINT_free) + for point in crl_distribution_points: + dp = backend._lib.DIST_POINT_new() + assert dp != backend._ffi.NULL + + if point.reasons: + bitmask = backend._lib.ASN1_BIT_STRING_new() + assert bitmask != backend._ffi.NULL + dp.reasons = bitmask + for reason in point.reasons: + res = backend._lib.ASN1_BIT_STRING_set_bit( + bitmask, _CRLREASONFLAGS[reason], 1 + ) + assert res == 1 + + if point.full_name: + dpn = backend._lib.DIST_POINT_NAME_new() + assert dpn != backend._ffi.NULL + dpn.type = _DISTPOINT_TYPE_FULLNAME + dpn.name.fullname = _encode_general_names(backend, point.full_name) + dp.distpoint = dpn + + if point.relative_name: + dpn = backend._lib.DIST_POINT_NAME_new() + assert dpn != backend._ffi.NULL + dpn.type = _DISTPOINT_TYPE_RELATIVENAME + name = _encode_name_gc(backend, point.relative_name) + relativename = backend._lib.sk_X509_NAME_ENTRY_dup(name.entries) + assert relativename != backend._ffi.NULL + dpn.name.relativename = relativename + dp.distpoint = dpn + + if point.crl_issuer: + dp.CRLissuer = _encode_general_names(backend, point.crl_issuer) + + res = backend._lib.sk_DIST_POINT_push(cdp, dp) + assert res >= 1 + + pp = backend._ffi.new('unsigned char **') + r = backend._lib.i2d_CRL_DIST_POINTS(cdp, pp) + assert r > 0 + pp = backend._ffi.gc( + pp, lambda pointer: backend._lib.OPENSSL_free(pointer[0]) + ) + return pp, r + + @utils.register_interface(CipherBackend) @utils.register_interface(CMACBackend) @utils.register_interface(DERSerializationBackend) @@ -1096,7 +1162,7 @@ class Backend(object): return _CertificateSigningRequest(self, x509_req) - def sign_x509_certificate(self, builder, private_key, algorithm): + def create_x509_certificate(self, builder, private_key, algorithm): if not isinstance(builder, x509.CertificateBuilder): raise TypeError('Builder type mismatch.') if not isinstance(algorithm, hashes.HashAlgorithm): @@ -1173,16 +1239,22 @@ class Backend(object): pp, r = _encode_authority_information_access( self, extension.value ) + elif isinstance(extension.value, x509.CRLDistributionPoints): + pp, r = _encode_crl_distribution_points( + self, extension.value + ) else: raise NotImplementedError('Extension not yet supported.') - obj = _txt2obj(self, extension.oid.dotted_string) + obj = _txt2obj_gc(self, extension.oid.dotted_string) extension = self._lib.X509_EXTENSION_create_by_OBJ( self._ffi.NULL, obj, 1 if extension.critical else 0, _encode_asn1_str_gc(self, pp[0], r) ) + assert extension != self._ffi.NULL + extension = self._ffi.gc(extension, self._lib.X509_EXTENSION_free) res = self._lib.X509_add_ext(x509_cert, extension, i) assert res == 1 diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py index ee9a3bbf..564b2680 100644 --- a/src/cryptography/hazmat/backends/openssl/x509.py +++ b/src/cryptography/hazmat/backends/openssl/x509.py @@ -592,6 +592,10 @@ def _decode_extended_key_usage(backend, sk): return x509.ExtendedKeyUsage(ekus) +_DISTPOINT_TYPE_FULLNAME = 0 +_DISTPOINT_TYPE_RELATIVENAME = 1 + + def _decode_crl_distribution_points(backend, cdps): cdps = backend._ffi.cast("Cryptography_STACK_OF_DIST_POINT *", cdps) cdps = backend._ffi.gc(cdps, backend._lib.sk_DIST_POINT_free) @@ -651,7 +655,7 @@ def _decode_crl_distribution_points(backend, cdps): # point so make sure it's not null. if cdp.distpoint != backend._ffi.NULL: # Type 0 is fullName, there is no #define for it in the code. - if cdp.distpoint.type == 0: + if cdp.distpoint.type == _DISTPOINT_TYPE_FULLNAME: full_name = _decode_general_names( backend, cdp.distpoint.name.fullname ) diff --git a/src/cryptography/x509.py b/src/cryptography/x509.py index 82b8bd36..5ed3c094 100644 --- a/src/cryptography/x509.py +++ b/src/cryptography/x509.py @@ -324,7 +324,19 @@ class Extension(object): return not self == other +@six.add_metaclass(abc.ABCMeta) +class ExtensionType(object): + @abc.abstractproperty + def oid(self): + """ + Returns the oid associated with the given extension type. + """ + + +@utils.register_interface(ExtensionType) class ExtendedKeyUsage(object): + oid = OID_EXTENDED_KEY_USAGE + def __init__(self, usages): if not all(isinstance(x, ObjectIdentifier) for x in usages): raise TypeError( @@ -352,11 +364,15 @@ class ExtendedKeyUsage(object): return not self == other +@utils.register_interface(ExtensionType) class OCSPNoCheck(object): - pass + oid = OID_OCSP_NO_CHECK +@utils.register_interface(ExtensionType) class BasicConstraints(object): + oid = OID_BASIC_CONSTRAINTS + def __init__(self, ca, path_length): if not isinstance(ca, bool): raise TypeError("ca must be a boolean value") @@ -392,7 +408,10 @@ class BasicConstraints(object): return not self == other +@utils.register_interface(ExtensionType) class KeyUsage(object): + oid = OID_KEY_USAGE + def __init__(self, digital_signature, content_commitment, key_encipherment, data_encipherment, key_agreement, key_cert_sign, crl_sign, encipher_only, decipher_only): @@ -475,7 +494,10 @@ class KeyUsage(object): return not self == other +@utils.register_interface(ExtensionType) class AuthorityInformationAccess(object): + oid = OID_AUTHORITY_INFORMATION_ACCESS + def __init__(self, descriptions): if not all(isinstance(x, AccessDescription) for x in descriptions): raise TypeError( @@ -539,7 +561,10 @@ class AccessDescription(object): access_location = utils.read_only_property("_access_location") +@utils.register_interface(ExtensionType) class CertificatePolicies(object): + oid = OID_CERTIFICATE_POLICIES + def __init__(self, policies): if not all(isinstance(x, PolicyInformation) for x in policies): raise TypeError( @@ -676,7 +701,10 @@ class NoticeReference(object): notice_numbers = utils.read_only_property("_notice_numbers") +@utils.register_interface(ExtensionType) class SubjectKeyIdentifier(object): + oid = OID_SUBJECT_KEY_IDENTIFIER + def __init__(self, digest): self._digest = digest @@ -718,7 +746,10 @@ class SubjectKeyIdentifier(object): return not self == other +@utils.register_interface(ExtensionType) class NameConstraints(object): + oid = OID_NAME_CONSTRAINTS + def __init__(self, permitted_subtrees, excluded_subtrees): if permitted_subtrees is not None: if not all( @@ -782,7 +813,10 @@ class NameConstraints(object): excluded_subtrees = utils.read_only_property("_excluded_subtrees") +@utils.register_interface(ExtensionType) class CRLDistributionPoints(object): + oid = OID_CRL_DISTRIBUTION_POINTS + def __init__(self, distribution_points): if not all( isinstance(x, DistributionPoint) for x in distribution_points @@ -817,7 +851,8 @@ class DistributionPoint(object): def __init__(self, full_name, relative_name, reasons, crl_issuer): if full_name and relative_name: raise ValueError( - "At least one of full_name and relative_name must be None" + "You cannot provide both full_name and relative_name, at " + "least one must be None." ) if full_name and not all( @@ -902,7 +937,10 @@ class ReasonFlags(Enum): remove_from_crl = "removeFromCRL" +@utils.register_interface(ExtensionType) class InhibitAnyPolicy(object): + oid = OID_INHIBIT_ANY_POLICY + def __init__(self, skip_certs): if not isinstance(skip_certs, six.integer_types): raise TypeError("skip_certs must be an integer") @@ -1192,7 +1230,10 @@ class GeneralNames(object): return not self == other +@utils.register_interface(ExtensionType) class SubjectAlternativeName(object): + oid = OID_SUBJECT_ALTERNATIVE_NAME + def __init__(self, general_names): self._general_names = GeneralNames(general_names) @@ -1218,7 +1259,10 @@ class SubjectAlternativeName(object): return not self == other +@utils.register_interface(ExtensionType) class IssuerAlternativeName(object): + oid = OID_ISSUER_ALTERNATIVE_NAME + def __init__(self, general_names): self._general_names = GeneralNames(general_names) @@ -1244,7 +1288,10 @@ class IssuerAlternativeName(object): return not self == other +@utils.register_interface(ExtensionType) class AuthorityKeyIdentifier(object): + oid = OID_AUTHORITY_KEY_IDENTIFIER + def __init__(self, key_identifier, authority_cert_issuer, authority_cert_serial_number): if authority_cert_issuer or authority_cert_serial_number: @@ -1766,6 +1813,10 @@ class CertificateBuilder(object): ) elif isinstance(extension, InhibitAnyPolicy): extension = Extension(OID_INHIBIT_ANY_POLICY, critical, extension) + elif isinstance(extension, CRLDistributionPoints): + extension = Extension( + OID_CRL_DISTRIBUTION_POINTS, critical, extension + ) else: raise NotImplementedError('Unsupported X.509 extension.') @@ -1784,4 +1835,22 @@ class CertificateBuilder(object): """ Signs the certificate using the CA's private key. """ - return backend.sign_x509_certificate(self, private_key, algorithm) + if self._subject_name is None: + raise ValueError("A certificate must have a subject name") + + if self._issuer_name is None: + raise ValueError("A certificate must have an issuer name") + + if self._serial_number is None: + raise ValueError("A certificate must have a serial number") + + if self._not_valid_before is None: + raise ValueError("A certificate must have a not valid before time") + + if self._not_valid_after is None: + raise ValueError("A certificate must have a not valid after time") + + if self._public_key is None: + raise ValueError("A certificate must have a public key") + + return backend.create_x509_certificate(self, private_key, algorithm) diff --git a/tests/hazmat/backends/test_multibackend.py b/tests/hazmat/backends/test_multibackend.py index d516af16..cc59a8d4 100644 --- a/tests/hazmat/backends/test_multibackend.py +++ b/tests/hazmat/backends/test_multibackend.py @@ -206,7 +206,7 @@ class DummyX509Backend(object): def create_x509_csr(self, builder, private_key, algorithm): pass - def sign_x509_certificate(self, builder, private_key, algorithm): + def create_x509_certificate(self, builder, private_key, algorithm): pass @@ -487,7 +487,7 @@ class TestMultiBackend(object): backend.load_pem_x509_csr(b"reqdata") backend.load_der_x509_csr(b"reqdata") backend.create_x509_csr(object(), b"privatekey", hashes.SHA1()) - backend.sign_x509_certificate(object(), b"privatekey", hashes.SHA1()) + backend.create_x509_certificate(object(), b"privatekey", hashes.SHA1()) backend = MultiBackend([]) with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_X509): @@ -501,6 +501,6 @@ class TestMultiBackend(object): with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_X509): backend.create_x509_csr(object(), b"privatekey", hashes.SHA1()) with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_X509): - backend.sign_x509_certificate( + backend.create_x509_certificate( object(), b"privatekey", hashes.SHA1() ) diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index 0f2c80a6..051827af 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -512,12 +512,14 @@ class TestOpenSSLSignX509Certificate(object): private_key = RSA_KEY_2048.private_key(backend) with pytest.raises(TypeError): - backend.sign_x509_certificate(object(), private_key, DummyHash()) + backend.create_x509_certificate(object(), private_key, DummyHash()) def test_checks_for_unsupported_extensions(self): private_key = RSA_KEY_2048.private_key(backend) builder = x509.CertificateBuilder().subject_name(x509.Name([ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + ])).issuer_name(x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), ])).public_key( private_key.public_key() ).serial_number( diff --git a/tests/test_x509.py b/tests/test_x509.py index e31b57f4..4e763e36 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -828,6 +828,114 @@ class TestRSACertificateRequest(object): class TestCertificateBuilder(object): + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_no_subject_name(self, backend): + subject_private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateBuilder().serial_number( + 777 + ).issuer_name(x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + ])).public_key( + subject_private_key.public_key() + ).not_valid_before( + datetime.datetime(2002, 1, 1, 12, 1) + ).not_valid_after( + datetime.datetime(2030, 12, 31, 8, 30) + ) + with pytest.raises(ValueError): + builder.sign(subject_private_key, hashes.SHA256(), backend) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_no_issuer_name(self, backend): + subject_private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateBuilder().serial_number( + 777 + ).subject_name(x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + ])).public_key( + subject_private_key.public_key() + ).not_valid_before( + datetime.datetime(2002, 1, 1, 12, 1) + ).not_valid_after( + datetime.datetime(2030, 12, 31, 8, 30) + ) + with pytest.raises(ValueError): + builder.sign(subject_private_key, hashes.SHA256(), backend) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_no_public_key(self, backend): + subject_private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateBuilder().serial_number( + 777 + ).issuer_name(x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + ])).subject_name(x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + ])).not_valid_before( + datetime.datetime(2002, 1, 1, 12, 1) + ).not_valid_after( + datetime.datetime(2030, 12, 31, 8, 30) + ) + with pytest.raises(ValueError): + builder.sign(subject_private_key, hashes.SHA256(), backend) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_no_not_valid_before(self, backend): + subject_private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateBuilder().serial_number( + 777 + ).issuer_name(x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + ])).subject_name(x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + ])).public_key( + subject_private_key.public_key() + ).not_valid_after( + datetime.datetime(2030, 12, 31, 8, 30) + ) + with pytest.raises(ValueError): + builder.sign(subject_private_key, hashes.SHA256(), backend) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_no_not_valid_after(self, backend): + subject_private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateBuilder().serial_number( + 777 + ).issuer_name(x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + ])).subject_name(x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + ])).public_key( + subject_private_key.public_key() + ).not_valid_before( + datetime.datetime(2002, 1, 1, 12, 1) + ) + with pytest.raises(ValueError): + builder.sign(subject_private_key, hashes.SHA256(), backend) + + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_no_serial_number(self, backend): + subject_private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateBuilder().issuer_name(x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + ])).subject_name(x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'), + ])).public_key( + subject_private_key.public_key() + ).not_valid_before( + datetime.datetime(2002, 1, 1, 12, 1) + ).not_valid_after( + datetime.datetime(2030, 12, 31, 8, 30) + ) + with pytest.raises(ValueError): + builder.sign(subject_private_key, hashes.SHA256(), backend) + def test_issuer_name_must_be_a_name_type(self): builder = x509.CertificateBuilder() @@ -967,6 +1075,19 @@ class TestCertificateBuilder(object): def test_sign_with_unsupported_hash(self, backend): private_key = RSA_KEY_2048.private_key(backend) builder = x509.CertificateBuilder() + builder = builder.subject_name( + x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + ).issuer_name( + x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + ).serial_number( + 1 + ).public_key( + private_key.public_key() + ).not_valid_before( + datetime.datetime(2002, 1, 1, 12, 1) + ).not_valid_after( + datetime.datetime(2032, 1, 1, 12, 1) + ) with pytest.raises(TypeError): builder.sign(private_key, object(), backend) @@ -979,6 +1100,19 @@ class TestCertificateBuilder(object): private_key = DSA_KEY_2048.private_key(backend) builder = x509.CertificateBuilder() + builder = builder.subject_name( + x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + ).issuer_name( + x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + ).serial_number( + 1 + ).public_key( + private_key.public_key() + ).not_valid_before( + datetime.datetime(2002, 1, 1, 12, 1) + ).not_valid_after( + datetime.datetime(2032, 1, 1, 12, 1) + ) with pytest.raises(NotImplementedError): builder.sign(private_key, hashes.SHA512(), backend) @@ -992,10 +1126,171 @@ class TestCertificateBuilder(object): _skip_curve_unsupported(backend, ec.SECP256R1()) private_key = ec.generate_private_key(ec.SECP256R1(), backend) builder = x509.CertificateBuilder() + builder = builder.subject_name( + x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + ).issuer_name( + x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + ).serial_number( + 1 + ).public_key( + private_key.public_key() + ).not_valid_before( + datetime.datetime(2002, 1, 1, 12, 1) + ).not_valid_after( + datetime.datetime(2032, 1, 1, 12, 1) + ) with pytest.raises(NotImplementedError): builder.sign(private_key, hashes.SHA512(), backend) + @pytest.mark.parametrize( + "cdp", + [ + x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=None, + relative_name=x509.Name([ + x509.NameAttribute( + x509.OID_COMMON_NAME, + u"indirect CRL for indirectCRL CA3" + ), + ]), + reasons=None, + crl_issuer=[x509.DirectoryName( + x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"), + x509.NameAttribute( + x509.OID_ORGANIZATION_NAME, + u"Test Certificates 2011" + ), + x509.NameAttribute( + x509.OID_ORGANIZATIONAL_UNIT_NAME, + u"indirectCRL CA3 cRLIssuer" + ), + ]) + )], + ) + ]), + x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=[x509.DirectoryName( + x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"), + ]) + )], + relative_name=None, + reasons=None, + crl_issuer=[x509.DirectoryName( + x509.Name([ + x509.NameAttribute( + x509.OID_ORGANIZATION_NAME, + u"cryptography Testing" + ), + ]) + )], + ) + ]), + x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=[ + x509.UniformResourceIdentifier( + u"http://myhost.com/myca.crl" + ), + x509.UniformResourceIdentifier( + u"http://backup.myhost.com/myca.crl" + ) + ], + relative_name=None, + reasons=frozenset([ + x509.ReasonFlags.key_compromise, + x509.ReasonFlags.ca_compromise + ]), + crl_issuer=[x509.DirectoryName( + x509.Name([ + x509.NameAttribute(x509.OID_COUNTRY_NAME, u"US"), + x509.NameAttribute( + x509.OID_COMMON_NAME, u"cryptography CA" + ), + ]) + )], + ) + ]), + x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=[x509.UniformResourceIdentifier( + u"http://domain.com/some.crl" + )], + relative_name=None, + reasons=frozenset([ + x509.ReasonFlags.key_compromise, + x509.ReasonFlags.ca_compromise, + x509.ReasonFlags.affiliation_changed, + x509.ReasonFlags.superseded, + x509.ReasonFlags.privilege_withdrawn, + x509.ReasonFlags.cessation_of_operation, + x509.ReasonFlags.aa_compromise, + x509.ReasonFlags.certificate_hold, + ]), + crl_issuer=None + ) + ]), + x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=None, + relative_name=None, + reasons=None, + crl_issuer=[x509.DirectoryName( + x509.Name([ + x509.NameAttribute( + x509.OID_COMMON_NAME, u"cryptography CA" + ), + ]) + )], + ) + ]), + x509.CRLDistributionPoints([ + x509.DistributionPoint( + full_name=[x509.UniformResourceIdentifier( + u"http://domain.com/some.crl" + )], + relative_name=None, + reasons=frozenset([x509.ReasonFlags.aa_compromise]), + crl_issuer=None + ) + ]) + ] + ) + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_crl_distribution_points(self, backend, cdp): + issuer_private_key = RSA_KEY_2048.private_key(backend) + subject_private_key = RSA_KEY_2048.private_key(backend) + + builder = x509.CertificateBuilder().serial_number( + 4444444 + ).issuer_name(x509.Name([ + x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), + ])).subject_name(x509.Name([ + x509.NameAttribute(x509.OID_LOCALITY_NAME, u'Austin'), + ])).public_key( + subject_private_key.public_key() + ).add_extension( + cdp, + critical=False, + ).not_valid_before( + datetime.datetime(2002, 1, 1, 12, 1) + ).not_valid_after( + datetime.datetime(2030, 12, 31, 8, 30) + ) + + cert = builder.sign(issuer_private_key, hashes.SHA1(), backend) + + ext = cert.extensions.get_extension_for_oid( + x509.OID_CRL_DISTRIBUTION_POINTS + ) + assert ext.critical is False + assert ext.value == cdp + @pytest.mark.requires_backend_interface(interface=DSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_build_cert_with_dsa_private_key(self, backend): diff --git a/vectors/cryptography_vectors/x509/rapidssl_sha256_ca_g3.pem b/vectors/cryptography_vectors/x509/rapidssl_sha256_ca_g3.pem new file mode 100644 index 00000000..f0d70125 --- /dev/null +++ b/vectors/cryptography_vectors/x509/rapidssl_sha256_ca_g3.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEJTCCAw2gAwIBAgIDAjp3MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT +MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i +YWwgQ0EwHhcNMTQwODI5MjEzOTMyWhcNMjIwNTIwMjEzOTMyWjBHMQswCQYDVQQG +EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXUmFwaWRTU0wg +U0hBMjU2IENBIC0gRzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv +VJvZWF0eLFbG1eh/9H0WA//Qi1rkjqfdVC7UBMBdmJyNkA+8EGVf2prWRHzAn7Xp +SowLBkMEu/SW4ib2YQGRZjEiwzQ0Xz8/kS9EX9zHFLYDn4ZLDqP/oIACg8PTH2lS +1p1kD8mD5xvEcKyU58Okaiy9uJ5p2L4KjxZjWmhxgHsw3hUEv8zTvz5IBVV6s9cQ +DAP8m/0Ip4yM26eO8R5j3LMBL3+vV8M8SKeDaCGnL+enP/C1DPz1hNFTvA5yT2AM +QriYrRmIV9cE7Ie/fodOoyH5U/02mEiN1vi7SPIpyGTRzFRIU4uvt2UevykzKdkp +YEj4/5G8V1jlNS67abZZAgMBAAGjggEdMIIBGTAfBgNVHSMEGDAWgBTAephojYn7 +qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUw5zz/NNGCDS7zkZ/oHxb8+IIy1kwEgYD +VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCig +JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUF +BwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMEwGA1UdIARF +MEMwQQYKYIZIAYb4RQEHNjAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3Lmdlb3Ry +dXN0LmNvbS9yZXNvdXJjZXMvY3BzMA0GCSqGSIb3DQEBCwUAA4IBAQCjWB7GQzKs +rC+TeLfqrlRARy1+eI1Q9vhmrNZPc9ZE768LzFvB9E+aj0l+YK/CJ8cW8fuTgZCp +fO9vfm5FlBaEvexJ8cQO9K8EWYOHDyw7l8NaEpt7BDV7o5UzCHuTcSJCs6nZb0+B +kvwHtnm8hEqddwnxxYny8LScVKoSew26T++TGezvfU5ho452nFnPjJSxhJf3GrkH +uLLGTxN5279PURt/aQ1RKsHWFf83UTRlUfQevjhq7A6rvz17OQV79PP7GqHQyH5O +ZI3NjGFVkP46yl0lD/gdo0p0Vk8aVUBwdSWmMy66S6VdU5oNMOGNX2Esr8zvsJmh +gP8L8mJMcCaY +-----END CERTIFICATE----- |