-rw-r--r-- | docs/development/test-vectors.rst | 4 | ||||
-rw-r--r-- | docs/spelling_wordlist.txt | 1 | ||||
-rw-r--r-- | src/cryptography/x509/oid.py | 3 | ||||
-rw-r--r-- | tests/test_x509.py | 12 | ||||
-rw-r--r-- | vectors/cryptography_vectors/x509/alternate-rsa-sha1-oid.pem | 12 |
5 files changed, 32 insertions, 0 deletions
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
index 3429d520..49c5ac23 100644
--- a/docs/development/test-vectors.rst
+++ b/docs/development/test-vectors.rst
@@ -117,6 +117,9 @@ X.509
 * ``e-trust.ru.der`` - A certificate from a `Russian CA`_ signed using the GOST cipher and containing numerous unusual encodings such as NUMERICSTRING in the subject DN.
+* ``alternate-rsa-sha1-oid.pem`` - A certificate from an
+ `unknown signature OID`_ Mozilla bug that uses an alternate signature OID for
+ RSA with SHA1.
 Custom X.509 Vectors
 ~~~~~~~~~~~~~~~~~~~~
@@ -459,3 +462,4 @@ header format (substituting the correct information):
 .. _`Mozilla bug`: https://bugzilla.mozilla.org/show_bug.cgi?id=233586
 .. _`Russian CA`: https://e-trust.gosuslugi.ru/MainCA
 .. _`test/evptests.txt`: https://github.com/openssl/openssl/blob/2d0b44126763f989a4cbffbffe9d0c7518158bb7/test/evptests.txt
+.. _`unknown signature OID`: https://bugzilla.mozilla.org/show_bug.cgi?id=405966
diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt
index 1372039e..5efbbdcd 100644
--- a/docs/spelling_wordlist.txt
+++ b/docs/spelling_wordlist.txt
@@ -48,6 +48,7 @@ iterable
 Koblitz
 Lange
 metadata
+Mozilla
 multi
 namespace
 namespaces
diff --git a/src/cryptography/x509/oid.py b/src/cryptography/x509/oid.py
index 17fa42e3..3848b89e 100644
--- a/src/cryptography/x509/oid.py
+++ b/src/cryptography/x509/oid.py
@@ -121,6 +121,8 @@ class NameOID(object):
 class SignatureAlgorithmOID(object):
 RSA_WITH_MD5 = ObjectIdentifier("1.2.840.113549.1.1.4")
 RSA_WITH_SHA1 = ObjectIdentifier("1.2.840.113549.1.1.5")
+ # This is an alternate OID for RSA with SHA1 that is occasionally seen
+ _RSA_WITH_SHA1 = ObjectIdentifier("1.3.14.3.2.29")
 RSA_WITH_SHA224 = ObjectIdentifier("1.2.840.113549.1.1.14")
 RSA_WITH_SHA256 = ObjectIdentifier("1.2.840.113549.1.1.11")
 RSA_WITH_SHA384 = ObjectIdentifier("1.2.840.113549.1.1.12")
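Review bot: The comment on `_RSA_WITH_SHA1` in `SignatureAlgorithmOID` does not say where `1.3.14.3.2.29` comes from or what a caller should do about it, and the leading underscore keeps the constant out of the documented public names. A policy check written as `cert.signature_algorithm_oid == SignatureAlgorithmOID.RSA_WITH_SHA1` will not match a certificate carrying this OID even though it is still SHA-1 signed, so code that rejects or flags SHA-1 should key on `cert.signature_hash_algorithm` instead. I would expand the comment to something like `# Legacy OIW (1.3.14.3.2) OID for RSA with SHA1; not equal to RSA_WITH_SHA1, so compare signature_hash_algorithm when rejecting SHA-1`. The `_SIG_OIDS_TO_HASH` entry added in the next hunk is what makes that attribute resolve for this OID; the class body continues outside the hunk.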
@@ -137,6 +139,7 @@ class SignatureAlgorithmOID(object):
 _SIG_OIDS_TO_HASH = {
 SignatureAlgorithmOID.RSA_WITH_MD5: hashes.MD5(),
 SignatureAlgorithmOID.RSA_WITH_SHA1: hashes.SHA1(),
+ SignatureAlgorithmOID._RSA_WITH_SHA1: hashes.SHA1(),
 SignatureAlgorithmOID.RSA_WITH_SHA224: hashes.SHA224(),
 SignatureAlgorithmOID.RSA_WITH_SHA256: hashes.SHA256(),
 SignatureAlgorithmOID.RSA_WITH_SHA384: hashes.SHA384(),
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 6a999f41..f375ac55 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -502,6 +502,18 @@ class TestRSACertificate(object):
 cert.signature_algorithm_oid == SignatureAlgorithmOID.RSA_WITH_SHA1
 )
+ def test_alternate_rsa_with_sha1_oid(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "alternate-rsa-sha1-oid.pem"),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
+ assert (
+ cert.signature_algorithm_oid ==
+ SignatureAlgorithmOID._RSA_WITH_SHA1
+ )
+
 def test_cert_serial_number(self, backend):
 cert = _load_cert(
 os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
diff --git a/vectors/cryptography_vectors/x509/alternate-rsa-sha1-oid.pem b/vectors/cryptography_vectors/x509/alternate-rsa-sha1-oid.pem
new file mode 100644
index 00000000..807a28b5
--- /dev/null
+++ b/vectors/cryptography_vectors/x509/alternate-rsa-sha1-oid.pem
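Review bot: `test_alternate_rsa_with_sha1_oid` in tests/test_x509.py pins the private constant but not the consequence a caller sees, namely that this certificate's OID is not the public `RSA_WITH_SHA1`. Adding `assert cert.signature_algorithm_oid != SignatureAlgorithmOID.RSA_WITH_SHA1` would record that an OID-equality check misses this SHA-1 certificate while `signature_hash_algorithm` still reports `hashes.SHA1`. The enclosing `TestRSACertificate` class starts outside the hunk.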
@@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBwjCCAS+gAwIBAgIQj2d4hVEz0L1DYFVhA9CxCzAJBgUrDgMCHQUAMA8xDTAL +BgNVBAMTBFZQUzEwHhcNMDcwODE4MDkyODUzWhcNMDgwODE3MDkyODUzWjAPMQ0w +CwYDVQQDEwRWUFMxMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDaqKn40uaU +DbFL1NXXZ8/b4ZqDJ6eSI5lysMZHfZDs60G3ocbNKofBvURIutabrFuBCB2S5f/z +ICan0LR4uFpGuZ2I/PuVaU8X5fT8gBh7L636cWzHPPScYts00OyywEq381UB7XwX +YuWpM5kUW5rkbq1JV3ystTR/4YnLl48YtQIDAQABoycwJTATBgNVHSUEDDAKBggr +BgEFBQcDATAOBgNVHQ8EBwMFALAAAAAwCQYFKw4DAh0FAAOBgQBuUrU+J2Z5WKcO +VNjJHFUKo8qpbn8jKQZDl2nvVaXCTXQZblz/qxOm4FaGGzJ/m3GybVZNVfdyHg+U +lmDpFpOITkvcyNc3xjJCf2GVBo/VvdtVt7Myq0IQtAi/CXRK22BRNhSt9uu2EcRu +HIXdFWHEzi6eD4PpNw/0X3ID6Gxk4A== +-----END CERTIFICATE----- |