Check for sigalg by type rather than OID (#8878)

author: Alex Gaynor <alex.gaynor@gmail.com> 2023-05-06 08:51:03 -0500
committer: GitHub <noreply@github.com> 2023-05-06 08:51:03 -0500
commit: 4a3c4407e42f13c6d08ad6863c10962f3f52b230 (patch)
tree: e6975f6b428ac1cb61fe45f970f4976bc708a640
parent: 1f67bb4266ff192fb04602e0d9b8bed1a9dac9e0 (diff)
download: cryptography-4a3c4407e42f13c6d08ad6863c10962f3f52b230.tar.gz
4 files changed, 128 insertions, 57 deletions
diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs
index 949c4e10f..58dcf2d5d 100644
--- a/src/rust/src/x509/certificate.rs
+++ b/src/rust/src/x509/certificate.rs
@@ -311,7 +311,7 @@ impl Certificate {
         sign::verify_signature_with_oid(
             py,
             issuer.public_key(py)?,
-            self.raw.borrow_value().signature_alg.oid(),
+            &self.raw.borrow_value().signature_alg,
             self.raw.borrow_value().signature.as_bytes(),
             &asn1::write_single(&self.raw.borrow_value().tbs_cert)?,
         )
diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs
index b6529ebf3..e2c4b9c09 100644
--- a/src/rust/src/x509/crl.rs
+++ b/src/rust/src/x509/crl.rs
@@ -394,7 +394,7 @@ impl CertificateRevocationList {
         Ok(sign::verify_signature_with_oid(
             py,
             public_key,
-            slf.owned.borrow_value().signature_algorithm.oid(),
+            &slf.owned.borrow_value().signature_algorithm,
             slf.owned.borrow_value().signature_value.as_bytes(),
             &asn1::write_single(&slf.owned.borrow_value().tbs_cert_list)?,
         )
diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs
index c4a69ebb5..35aee5c9e 100644
--- a/src/rust/src/x509/csr.rs
+++ b/src/rust/src/x509/csr.rs
@@ -235,7 +235,7 @@ impl CertificateSigningRequest {
         Ok(sign::verify_signature_with_oid(
             py,
             slf.public_key(py)?,
-            slf.raw.borrow_value().signature_alg.oid(),
+            &slf.raw.borrow_value().signature_alg,
             slf.raw.borrow_value().signature.as_bytes(),
             &asn1::write_single(&slf.raw.borrow_value().csr_info)?,
         )
diff --git a/src/rust/src/x509/sign.rs b/src/rust/src/x509/sign.rs
index c2dc3e651..5c69ecedf 100644
--- a/src/rust/src/x509/sign.rs
+++ b/src/rust/src/x509/sign.rs
@@ -4,7 +4,7 @@
 
 use crate::error::{CryptographyError, CryptographyResult};
 use crate::exceptions;
-use cryptography_x509::{common, oid};
+use cryptography_x509::common;
 
 #[derive(Debug, PartialEq)]
 pub(crate) enum KeyType {
@@ -290,12 +290,13 @@ fn py_hash_name_from_hash_type(hash_type: HashType) -> Option<&'static str> {
 pub(crate) fn verify_signature_with_oid<'p>(
     py: pyo3::Python<'p>,
     issuer_public_key: &'p pyo3::PyAny,
-    signature_oid: &asn1::ObjectIdentifier,
+    signature_algorithm: &common::AlgorithmIdentifier<'_>,
     signature: &[u8],
     data: &[u8],
 ) -> CryptographyResult<()> {
     let key_type = identify_public_key_type(py, issuer_public_key)?;
-    let (sig_key_type, sig_hash_type) = identify_key_hash_type_for_oid(signature_oid)?;
+    let (sig_key_type, sig_hash_type) =
+        identify_key_hash_type_for_algorithm_params(&signature_algorithm.params)?;
     if key_type != sig_key_type {
         return Err(CryptographyError::from(
             pyo3::exceptions::PyValueError::new_err(
@@ -402,32 +403,32 @@ pub(crate) fn identify_public_key_type(
     }
 }
 
-fn identify_key_hash_type_for_oid(
-    oid: &asn1::ObjectIdentifier,
+fn identify_key_hash_type_for_algorithm_params(
+    params: &common::AlgorithmParameters<'_>,
 ) -> pyo3::PyResult<(KeyType, HashType)> {
-    match *oid {
-        oid::RSA_WITH_SHA224_OID => Ok((KeyType::Rsa, HashType::Sha224)),
-        oid::RSA_WITH_SHA256_OID => Ok((KeyType::Rsa, HashType::Sha256)),
-        oid::RSA_WITH_SHA384_OID => Ok((KeyType::Rsa, HashType::Sha384)),
-        oid::RSA_WITH_SHA512_OID => Ok((KeyType::Rsa, HashType::Sha512)),
-        oid::RSA_WITH_SHA3_224_OID => Ok((KeyType::Rsa, HashType::Sha3_224)),
-        oid::RSA_WITH_SHA3_256_OID => Ok((KeyType::Rsa, HashType::Sha3_256)),
-        oid::RSA_WITH_SHA3_384_OID => Ok((KeyType::Rsa, HashType::Sha3_384)),
-        oid::RSA_WITH_SHA3_512_OID => Ok((KeyType::Rsa, HashType::Sha3_512)),
-        oid::ECDSA_WITH_SHA224_OID => Ok((KeyType::Ec, HashType::Sha224)),
-        oid::ECDSA_WITH_SHA256_OID => Ok((KeyType::Ec, HashType::Sha256)),
-        oid::ECDSA_WITH_SHA384_OID => Ok((KeyType::Ec, HashType::Sha384)),
-        oid::ECDSA_WITH_SHA512_OID => Ok((KeyType::Ec, HashType::Sha512)),
-        oid::ECDSA_WITH_SHA3_224_OID => Ok((KeyType::Ec, HashType::Sha3_224)),
-        oid::ECDSA_WITH_SHA3_256_OID => Ok((KeyType::Ec, HashType::Sha3_256)),
-        oid::ECDSA_WITH_SHA3_384_OID => Ok((KeyType::Ec, HashType::Sha3_384)),
-        oid::ECDSA_WITH_SHA3_512_OID => Ok((KeyType::Ec, HashType::Sha3_512)),
-        oid::ED25519_OID => Ok((KeyType::Ed25519, HashType::None)),
-        oid::ED448_OID => Ok((KeyType::Ed448, HashType::None)),
-        oid::DSA_WITH_SHA224_OID => Ok((KeyType::Dsa, HashType::Sha224)),
-        oid::DSA_WITH_SHA256_OID => Ok((KeyType::Dsa, HashType::Sha256)),
-        oid::DSA_WITH_SHA384_OID => Ok((KeyType::Dsa, HashType::Sha384)),
-        oid::DSA_WITH_SHA512_OID => Ok((KeyType::Dsa, HashType::Sha512)),
+    match params {
+        common::AlgorithmParameters::RsaWithSha224(..) => Ok((KeyType::Rsa, HashType::Sha224)),
+        common::AlgorithmParameters::RsaWithSha256(..) => Ok((KeyType::Rsa, HashType::Sha256)),
+        common::AlgorithmParameters::RsaWithSha384(..) => Ok((KeyType::Rsa, HashType::Sha384)),
+        common::AlgorithmParameters::RsaWithSha512(..) => Ok((KeyType::Rsa, HashType::Sha512)),
+        common::AlgorithmParameters::RsaWithSha3_224(..) => Ok((KeyType::Rsa, HashType::Sha3_224)),
+        common::AlgorithmParameters::RsaWithSha3_256(..) => Ok((KeyType::Rsa, HashType::Sha3_256)),
+        common::AlgorithmParameters::RsaWithSha3_384(..) => Ok((KeyType::Rsa, HashType::Sha3_384)),
+        common::AlgorithmParameters::RsaWithSha3_512(..) => Ok((KeyType::Rsa, HashType::Sha3_512)),
+        common::AlgorithmParameters::EcDsaWithSha224 => Ok((KeyType::Ec, HashType::Sha224)),
+        common::AlgorithmParameters::EcDsaWithSha256 => Ok((KeyType::Ec, HashType::Sha256)),
+        common::AlgorithmParameters::EcDsaWithSha384 => Ok((KeyType::Ec, HashType::Sha384)),
+        common::AlgorithmParameters::EcDsaWithSha512 => Ok((KeyType::Ec, HashType::Sha512)),
+        common::AlgorithmParameters::EcDsaWithSha3_224 => Ok((KeyType::Ec, HashType::Sha3_224)),
+        common::AlgorithmParameters::EcDsaWithSha3_256 => Ok((KeyType::Ec, HashType::Sha3_256)),
+        common::AlgorithmParameters::EcDsaWithSha3_384 => Ok((KeyType::Ec, HashType::Sha3_384)),
+        common::AlgorithmParameters::EcDsaWithSha3_512 => Ok((KeyType::Ec, HashType::Sha3_512)),
+        common::AlgorithmParameters::Ed25519 => Ok((KeyType::Ed25519, HashType::None)),
+        common::AlgorithmParameters::Ed448 => Ok((KeyType::Ed448, HashType::None)),
+        common::AlgorithmParameters::DsaWithSha224 => Ok((KeyType::Dsa, HashType::Sha224)),
+        common::AlgorithmParameters::DsaWithSha256 => Ok((KeyType::Dsa, HashType::Sha256)),
+        common::AlgorithmParameters::DsaWithSha384 => Ok((KeyType::Dsa, HashType::Sha384)),
+        common::AlgorithmParameters::DsaWithSha512 => Ok((KeyType::Dsa, HashType::Sha512)),
         _ => Err(pyo3::exceptions::PyValueError::new_err(
             "Unsupported signature algorithm",
         )),
@@ -436,100 +437,170 @@ fn identify_key_hash_type_for_oid(
 
 #[cfg(test)]
 mod tests {
-    use super::{identify_key_hash_type_for_oid, py_hash_name_from_hash_type, HashType, KeyType};
-    use cryptography_x509::oid;
+    use super::{
+        identify_key_hash_type_for_algorithm_params, py_hash_name_from_hash_type, HashType, KeyType,
+    };
+    use cryptography_x509::{common, oid};
 
     #[test]
-    fn test_identify_key_hash_type_for_oid() {
+    fn test_identify_key_hash_type_for_algorithm_params() {
         assert_eq!(
-            identify_key_hash_type_for_oid(&oid::RSA_WITH_SHA224_OID).unwrap(),
+            identify_key_hash_type_for_algorithm_params(
+                &common::AlgorithmParameters::RsaWithSha224(Some(()))
+            )
+            .unwrap(),
             (KeyType::Rsa, HashType::Sha224)
         );
         assert_eq!(
-            identify_key_hash_type_for_oid(&oid::RSA_WITH_SHA256_OID).unwrap(),
+            identify_key_hash_type_for_algorithm_params(
+                &common::AlgorithmParameters::RsaWithSha256(Some(()))
+            )
+            .unwrap(),
             (KeyType::Rsa, HashType::Sha256)
         );
         assert_eq!(
-            identify_key_hash_type_for_oid(&oid::RSA_WITH_SHA384_OID).unwrap(),
+            identify_key_hash_type_for_algorithm_params(
+                &common::AlgorithmParameters::RsaWithSha384(Some(()))
+            )
+            .unwrap(),
             (KeyType::Rsa, HashType::Sha384)
         );
         assert_eq!(
-            identify_key_hash_type_for_oid(&oid::RSA_WITH_SHA512_OID).unwrap(),
+            identify_key_hash_type_for_algorithm_params(
+                &common::AlgorithmParameters::RsaWithSha512(Some(()))
+            )
+            .unwrap(),
             (KeyType::Rsa, HashType::Sha512)
         );
         assert_eq!(
-            identify_key_hash_type_for_oid(&oid::RSA_WITH_SHA3_224_OID).unwrap(),
+            identify_key_hash_type_for_algorithm_params(
+                &common::AlgorithmParameters::RsaWithSha3_224(Some(()))
+            )
+            .unwrap(),
             (KeyType::Rsa, HashType::Sha3_224)
         );
         assert_eq!(
-            identify_key_hash_type_for_oid(&oid::RSA_WITH_SHA3_256_OID).unwrap(),
+            identify_key_hash_type_for_algorithm_params(
+                &common::AlgorithmParameters::RsaWithSha3_256(Some(()))
+            )
+            .unwrap(),
             (KeyType::Rsa, HashType::Sha3_256)
         );
         assert_eq!(
-            identify_key_hash_type_for_oid(&oid::RSA_WITH_SHA3_384_OID).unwrap(),
+            identify_key_hash_type_for_algorithm_params(
+                &common::AlgorithmParameters::RsaWithSha3_384(Some(()))
+            )
+            .unwrap(),
             (KeyType::Rsa, HashType::Sha3_384)
         );
         assert_eq!(
-            identify_key_hash_type_for_oid(&oid::RSA_WITH_SHA3_512_OID).unwrap(),
+            identify_key_hash_type_for_algorithm_params(
+                &common::AlgorithmParameters::RsaWithSha3_512(Some(()))
+            )
+            .unwrap(),
             (KeyType::Rsa, HashType::Sha3_512)
         );
         assert_eq!(
-            identify_key_hash_type_for_oid(&oid::ECDSA_WITH_SHA224_OID).unwrap(),
+            identify_key_hash_type_for_algorithm_params(
+                &common::AlgorithmParameters::EcDsaWithSha224
+            )
+            .unwrap(),
             (KeyType::Ec, HashType::Sha224)
         );
         assert_eq!(
-            identify_key_hash_type_for_oid(&oid::ECDSA_WITH_SHA256_OID).unwrap(),
+            identify_key_hash_type_for_algorithm_params(
+                &common::AlgorithmParameters::EcDsaWithSha256
+            )
+            .unwrap(),
             (KeyType::Ec, HashType::Sha256)
         );
         assert_eq!(
-            identify_key_hash_type_for_oid(&oid::ECDSA_WITH_SHA384_OID).unwrap(),
+            identify_key_hash_type_for_algorithm_params(
+                &common::AlgorithmParameters::EcDsaWithSha384
+            )
+            .unwrap(),
             (KeyType::Ec, HashType::Sha384)
         );
         assert_eq!(
-            identify_key_hash_type_for_oid(&oid::ECDSA_WITH_SHA512_OID).unwrap(),
+            identify_key_hash_type_for_algorithm_params(
+                &common::AlgorithmParameters::EcDsaWithSha512
+            )
+            .unwrap(),
             (KeyType::Ec, HashType::Sha512)
         );
         assert_eq!(
-            identify_key_hash_type_for_oid(&oid::ECDSA_WITH_SHA3_224_OID).unwrap(),
+            identify_key_hash_type_for_algorithm_params(
+                &common::AlgorithmParameters::EcDsaWithSha3_224
+            )
+            .unwrap(),
             (KeyType::Ec, HashType::Sha3_224)
         );
         assert_eq!(
-            identify_key_hash_type_for_oid(&oid::ECDSA_WITH_SHA3_256_OID).unwrap(),
+            identify_key_hash_type_for_algorithm_params(
+                &common::AlgorithmParameters::EcDsaWithSha3_256
+            )
+            .unwrap(),
             (KeyType::Ec, HashType::Sha3_256)
         );
         assert_eq!(
-            identify_key_hash_type_for_oid(&oid::ECDSA_WITH_SHA3_384_OID).unwrap(),
+            identify_key_hash_type_for_algorithm_params(
+                &common::AlgorithmParameters::EcDsaWithSha3_384
+            )
+            .unwrap(),
             (KeyType::Ec, HashType::Sha3_384)
         );
         assert_eq!(
-            identify_key_hash_type_for_oid(&oid::ECDSA_WITH_SHA3_512_OID).unwrap(),
+            identify_key_hash_type_for_algorithm_params(
+                &common::AlgorithmParameters::EcDsaWithSha3_512
+            )
+            .unwrap(),
             (KeyType::Ec, HashType::Sha3_512)
         );
         assert_eq!(
-            identify_key_hash_type_for_oid(&oid::ED25519_OID).unwrap(),
+            identify_key_hash_type_for_algorithm_params(&common::AlgorithmParameters::Ed25519)
+                .unwrap(),
             (KeyType::Ed25519, HashType::None)
         );
         assert_eq!(
-            identify_key_hash_type_for_oid(&oid::ED448_OID).unwrap(),
+            identify_key_hash_type_for_algorithm_params(&common::AlgorithmParameters::Ed448)
+                .unwrap(),
             (KeyType::Ed448, HashType::None)
         );
         assert_eq!(
-            identify_key_hash_type_for_oid(&oid::DSA_WITH_SHA224_OID).unwrap(),
+            identify_key_hash_type_for_algorithm_params(
+                &common::AlgorithmParameters::DsaWithSha224
+            )
+            .unwrap(),
             (KeyType::Dsa, HashType::Sha224)
         );
         assert_eq!(
-            identify_key_hash_type_for_oid(&oid::DSA_WITH_SHA256_OID).unwrap(),
+            identify_key_hash_type_for_algorithm_params(
+                &common::AlgorithmParameters::DsaWithSha256
+            )
+            .unwrap(),
             (KeyType::Dsa, HashType::Sha256)
         );
         assert_eq!(
-            identify_key_hash_type_for_oid(&oid::DSA_WITH_SHA384_OID).unwrap(),
+            identify_key_hash_type_for_algorithm_params(
+                &common::AlgorithmParameters::DsaWithSha384
+            )
+            .unwrap(),
             (KeyType::Dsa, HashType::Sha384)
         );
         assert_eq!(
-            identify_key_hash_type_for_oid(&oid::DSA_WITH_SHA512_OID).unwrap(),
+            identify_key_hash_type_for_algorithm_params(
+                &common::AlgorithmParameters::DsaWithSha512
+            )
+            .unwrap(),
             (KeyType::Dsa, HashType::Sha512)
         );
-        assert!(identify_key_hash_type_for_oid(&oid::TLS_FEATURE_OID).is_err());
+        assert!(
+            identify_key_hash_type_for_algorithm_params(&common::AlgorithmParameters::Other(
+                oid::TLS_FEATURE_OID,
+                None
+            ))
+            .is_err()
+        );
     }
 
     #[test]
author	Alex Gaynor <alex.gaynor@gmail.com>	2023-05-06 08:51:03 -0500
committer	GitHub <noreply@github.com>	2023-05-06 08:51:03 -0500
commit	4a3c4407e42f13c6d08ad6863c10962f3f52b230 (patch)
tree	e6975f6b428ac1cb61fe45f970f4976bc708a640
parent	1f67bb4266ff192fb04602e0d9b8bed1a9dac9e0 (diff)
download	cryptography-4a3c4407e42f13c6d08ad6863c10962f3f52b230.tar.gz