add signature_hash_algorithm to OCSPResponse (#4681)
* add signature_hash_algorithm to OCSPResponse
* fix pointless asserts
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 191d804..42772af 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -35,6 +35,8 @@
which immediately checks if the point is on the curve and supports compressed
points. Deprecated the previous method
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.from_encoded_point`.
+* Added :attr:`~cryptography.x509.ocsp.OCSPResponse.signature_hash_algorithm`
+ to ``OCSPResponse``.
.. _v2-4-2:
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
index eb9ba4b..a10125a 100644
--- a/docs/development/test-vectors.rst
+++ b/docs/development/test-vectors.rst
@@ -471,6 +471,8 @@
revocation reason.
* ``x509/ocsp/resp-revoked-no-next-update.der`` - An OCSP response that
contains a revoked certificate and no ``nextUpdate`` value.
+* ``x509/ocsp/resp-invalid-signature-oid.der`` - An OCSP response that was
+ modified to contain an MD2 signature algorithm object identifier.
Custom X.509 OCSP Test Vectors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/docs/x509/ocsp.rst b/docs/x509/ocsp.rst
index 535ffdd..d3815d6 100644
--- a/docs/x509/ocsp.rst
+++ b/docs/x509/ocsp.rst
@@ -426,6 +426,16 @@
:raises ValueError: If ``response_status`` is not
:class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
+ .. attribute:: signature_hash_algorithm
+
+ .. versionadded:: 2.5
+
+ :type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
+
+ Returns the
+ :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` which
+ was used in signing this response.
+
.. attribute:: signature
:type: bytes
diff --git a/src/cryptography/hazmat/backends/openssl/ocsp.py b/src/cryptography/hazmat/backends/openssl/ocsp.py
index 32e26a0..16dbbc2 100644
--- a/src/cryptography/hazmat/backends/openssl/ocsp.py
+++ b/src/cryptography/hazmat/backends/openssl/ocsp.py
@@ -128,6 +128,17 @@
@property
@_requires_successful_response
+ def signature_hash_algorithm(self):
+ oid = self.signature_algorithm_oid
+ try:
+ return x509._SIG_OIDS_TO_HASH[oid]
+ except KeyError:
+ raise UnsupportedAlgorithm(
+ "Signature algorithm OID:{0} not recognized".format(oid)
+ )
+
+ @property
+ @_requires_successful_response
def signature(self):
sig = self._backend._lib.OCSP_resp_get0_signature(self._basic)
self._backend.openssl_assert(sig != self._backend._ffi.NULL)
diff --git a/src/cryptography/x509/ocsp.py b/src/cryptography/x509/ocsp.py
index 2b0b1dc..97933b1 100644
--- a/src/cryptography/x509/ocsp.py
+++ b/src/cryptography/x509/ocsp.py
@@ -315,6 +315,12 @@
"""
@abc.abstractproperty
+ def signature_hash_algorithm(self):
+ """
+ Returns a HashAlgorithm corresponding to the type of the digest signed
+ """
+
+ @abc.abstractproperty
def signature(self):
"""
The signature bytes
diff --git a/tests/x509/test_ocsp.py b/tests/x509/test_ocsp.py
index fad48da..3abaff5 100644
--- a/tests/x509/test_ocsp.py
+++ b/tests/x509/test_ocsp.py
@@ -583,6 +583,7 @@
assert resp.response_status == ocsp.OCSPResponseStatus.SUCCESSFUL
assert (resp.signature_algorithm_oid ==
x509.SignatureAlgorithmOID.RSA_WITH_SHA256)
+ assert isinstance(resp.signature_hash_algorithm, hashes.SHA256)
assert resp.signature == base64.b64decode(
b"I9KUlyLV/2LbNCVu1BQphxdNlU/jBzXsPYVscPjW5E93pCrSO84GkIWoOJtqsnt"
b"78DLcQPnF3W24NXGzSGKlSWfXIsyoXCxnBm0mIbD5ZMnKyXEnqSR33Z9He/A+ML"
@@ -602,7 +603,7 @@
resp.signature,
resp.tbs_response_bytes,
PKCS1v15(),
- hashes.SHA256()
+ resp.signature_hash_algorithm
)
assert resp.certificates == []
assert resp.responder_key_hash is None
@@ -630,39 +631,41 @@
)
assert resp.response_status == ocsp.OCSPResponseStatus.UNAUTHORIZED
with pytest.raises(ValueError):
- assert resp.signature_algorithm_oid
+ resp.signature_algorithm_oid
with pytest.raises(ValueError):
- assert resp.signature
+ resp.signature_hash_algorithm
with pytest.raises(ValueError):
- assert resp.tbs_response_bytes
+ resp.signature
with pytest.raises(ValueError):
- assert resp.certificates
+ resp.tbs_response_bytes
with pytest.raises(ValueError):
- assert resp.responder_key_hash
+ resp.certificates
with pytest.raises(ValueError):
- assert resp.responder_name
+ resp.responder_key_hash
with pytest.raises(ValueError):
- assert resp.produced_at
+ resp.responder_name
with pytest.raises(ValueError):
- assert resp.certificate_status
+ resp.produced_at
with pytest.raises(ValueError):
- assert resp.revocation_time
+ resp.certificate_status
with pytest.raises(ValueError):
- assert resp.revocation_reason
+ resp.revocation_time
with pytest.raises(ValueError):
- assert resp.this_update
+ resp.revocation_reason
with pytest.raises(ValueError):
- assert resp.next_update
+ resp.this_update
with pytest.raises(ValueError):
- assert resp.issuer_key_hash
+ resp.next_update
with pytest.raises(ValueError):
- assert resp.issuer_name_hash
+ resp.issuer_key_hash
with pytest.raises(ValueError):
- assert resp.hash_algorithm
+ resp.issuer_name_hash
with pytest.raises(ValueError):
- assert resp.serial_number
+ resp.hash_algorithm
with pytest.raises(ValueError):
- assert resp.extensions
+ resp.serial_number
+ with pytest.raises(ValueError):
+ resp.extensions
def test_load_revoked(self):
resp = _load_data(
@@ -684,6 +687,17 @@
assert isinstance(resp.certificates[0], x509.Certificate)
assert resp.certificate_status == ocsp.OCSPCertStatus.UNKNOWN
+ def test_load_invalid_signature_oid(self):
+ resp = _load_data(
+ os.path.join("x509", "ocsp", "resp-invalid-signature-oid.der"),
+ ocsp.load_der_ocsp_response,
+ )
+ assert resp.signature_algorithm_oid == x509.ObjectIdentifier(
+ "1.2.840.113549.1.1.2"
+ )
+ with pytest.raises(UnsupportedAlgorithm):
+ resp.signature_hash_algorithm
+
def test_load_responder_key_hash(self):
resp = _load_data(
os.path.join("x509", "ocsp", "resp-responder-key-hash.der"),
diff --git a/vectors/cryptography_vectors/x509/ocsp/resp-invalid-signature-oid.der b/vectors/cryptography_vectors/x509/ocsp/resp-invalid-signature-oid.der
new file mode 100644
index 0000000..e2c7dd8
--- /dev/null
+++ b/vectors/cryptography_vectors/x509/ocsp/resp-invalid-signature-oid.der
Binary files differ