the check_cert_signature() method was attempting to compare RSA and ECC signatures.
If a ec public-key certificate is signed with an RSA key, then it can't be a self-signed certificate, in which case we just raise InvalidSignature.
This commit is contained in:
parent
14d8596b8a
commit
40fac02d8b
|
@ -147,6 +147,8 @@ def generate_private_key(key_type):
|
||||||
def check_cert_signature(cert, issuer_public_key):
|
def check_cert_signature(cert, issuer_public_key):
|
||||||
"""
|
"""
|
||||||
Check a certificate's signature against an issuer public key.
|
Check a certificate's signature against an issuer public key.
|
||||||
|
Before EC validation, make sure public key and signature are of the same type,
|
||||||
|
otherwise verification not possible (raise InvalidSignature)
|
||||||
On success, returns None; on failure, raises UnsupportedAlgorithm or InvalidSignature.
|
On success, returns None; on failure, raises UnsupportedAlgorithm or InvalidSignature.
|
||||||
"""
|
"""
|
||||||
if isinstance(issuer_public_key, rsa.RSAPublicKey):
|
if isinstance(issuer_public_key, rsa.RSAPublicKey):
|
||||||
|
@ -160,9 +162,10 @@ def check_cert_signature(cert, issuer_public_key):
|
||||||
else:
|
else:
|
||||||
padder = padding.PKCS1v15()
|
padder = padding.PKCS1v15()
|
||||||
issuer_public_key.verify(cert.signature, cert.tbs_certificate_bytes, padder, cert.signature_hash_algorithm)
|
issuer_public_key.verify(cert.signature, cert.tbs_certificate_bytes, padder, cert.signature_hash_algorithm)
|
||||||
|
elif isinstance(issuer_public_key, ec.EllipticCurvePublicKey) and isinstance(cert.signature_hash_algorithm, ec.ECDSA):
|
||||||
|
issuer_public_key.verify(cert.signature, cert.tbs_certificate_bytes, cert.signature_hash_algorithm)
|
||||||
else:
|
else:
|
||||||
# EllipticCurvePublicKey or DSAPublicKey
|
raise InvalidSignature
|
||||||
issuer_public_key.verify(cert.signature, cert.tbs_certificate_bytes, cert.signature_hash_algorithm)
|
|
||||||
|
|
||||||
|
|
||||||
def is_selfsigned(cert):
|
def is_selfsigned(cert):
|
||||||
|
@ -176,6 +179,8 @@ def is_selfsigned(cert):
|
||||||
return True
|
return True
|
||||||
except InvalidSignature:
|
except InvalidSignature:
|
||||||
return False
|
return False
|
||||||
|
except UnsupportedAlgorithm as e:
|
||||||
|
raise Exception(e)
|
||||||
|
|
||||||
|
|
||||||
def is_weekend(date):
|
def is_weekend(date):
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
import pytest
|
import pytest
|
||||||
|
|
||||||
from lemur.tests.vectors import SAN_CERT, INTERMEDIATE_CERT, ROOTCA_CERT
|
from lemur.tests.vectors import SAN_CERT, INTERMEDIATE_CERT, ROOTCA_CERT, EC_CERT_EXAMPLE
|
||||||
|
|
||||||
|
|
||||||
def test_generate_private_key():
|
def test_generate_private_key():
|
||||||
|
@ -83,3 +83,4 @@ def test_is_selfsigned(selfsigned_cert):
|
||||||
assert is_selfsigned(INTERMEDIATE_CERT) is False
|
assert is_selfsigned(INTERMEDIATE_CERT) is False
|
||||||
# Root CA certificates are also technically self-signed
|
# Root CA certificates are also technically self-signed
|
||||||
assert is_selfsigned(ROOTCA_CERT) is True
|
assert is_selfsigned(ROOTCA_CERT) is True
|
||||||
|
assert is_selfsigned(EC_CERT_EXAMPLE) is False
|
||||||
|
|
|
@ -394,3 +394,31 @@ zm3Cn4Ul8DO26w9QS4fmZjmnPOZFXYMWoOR6osHzb62PWQ8FBMqXcdToBV2Q9Iw4
|
||||||
PiFAxlc0tVjlLqQ=
|
PiFAxlc0tVjlLqQ=
|
||||||
-----END CERTIFICATE REQUEST-----
|
-----END CERTIFICATE REQUEST-----
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
|
||||||
|
EC_CERT_STR = """
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDxzCCAq+gAwIBAgIIHsJeci1JWAkwDQYJKoZIhvcNAQELBQAwVDELMAkGA1UE
|
||||||
|
BhMCVVMxHjAcBgNVBAoTFUdvb2dsZSBUcnVzdCBTZXJ2aWNlczElMCMGA1UEAxMc
|
||||||
|
R29vZ2xlIEludGVybmV0IEF1dGhvcml0eSBHMzAeFw0xOTAyMTMxNTM1NTdaFw0x
|
||||||
|
OTA1MDgxNTM1MDBaMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
|
||||||
|
MRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKDApHb29nbGUgTExDMRcw
|
||||||
|
FQYDVQQDDA53d3cuZ29vZ2xlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
|
||||||
|
BKwMlIbd4rAwf6eWoa6RrR2w0s5k1M40XOORPf96PByPmld+qhjRMLvA/xcAxdCR
|
||||||
|
XdcMfaX6EUr0Zw8CepitMB2jggFSMIIBTjATBgNVHSUEDDAKBggrBgEFBQcDATAO
|
||||||
|
BgNVHQ8BAf8EBAMCB4AwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYB
|
||||||
|
BQUHAQEEXDBaMC0GCCsGAQUFBzAChiFodHRwOi8vcGtpLmdvb2cvZ3NyMi9HVFNH
|
||||||
|
SUFHMy5jcnQwKQYIKwYBBQUHMAGGHWh0dHA6Ly9vY3NwLnBraS5nb29nL0dUU0dJ
|
||||||
|
QUczMB0GA1UdDgQWBBQLovm8GG0oG91gOGCL58YPNoAlejAMBgNVHRMBAf8EAjAA
|
||||||
|
MB8GA1UdIwQYMBaAFHfCuFCaZ3Z2sS3ChtCDoH6mfrpLMCEGA1UdIAQaMBgwDAYK
|
||||||
|
KwYBBAHWeQIFAzAIBgZngQwBAgIwMQYDVR0fBCowKDAmoCSgIoYgaHR0cDovL2Ny
|
||||||
|
bC5wa2kuZ29vZy9HVFNHSUFHMy5jcmwwDQYJKoZIhvcNAQELBQADggEBAKFbmNOA
|
||||||
|
e3pJ7UVI5EmkAMZgSDRdrsLHV6F7WluuyYCyE/HFpZjBd6y8xgGtYWcask6edwrq
|
||||||
|
zrcXNEN/GY34AYre0M+p0xAs+lKSwkrJd2sCgygmzsBFtGwjW6lhjm+rg83zPHhH
|
||||||
|
mQZ0ShUR1Kp4TvzXgxj44RXOsS5ZyDe3slGiG4aw/hl+igO8Y8JMvcv/Tpzo+V75
|
||||||
|
BkDAFmLRi08NayfeyCqK/TcRpzxKMKhS7jEHK8Pzu5P+FyFHKqIsobi+BA+psOix
|
||||||
|
5nZLhrweLdKNz387mE2lSSKzr7qeLGHSOMt+ajQtZio4YVyZqJvg4Y++J0n5+Rjw
|
||||||
|
MXp8GrvTfn1DQ+o=
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
"""
|
||||||
|
EC_CERT_EXAMPLE = parse_certificate(EC_CERT_STR)
|
||||||
|
|
Loading…
Reference in New Issue