implement signature_hash_algorithm instead
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index df78acd..f903b7f 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -9,7 +9,7 @@
* :func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key` can
now load elliptic curve public keys.
* Added
- :attr:`~cryptography.x509.Certificate.signature_algorithm` support to
+ :attr:`~cryptography.x509.Certificate.signature_hash_algorithm` support to
:class:`~cryptography.x509.Certificate`.
* Added
:func:`~cryptography.hazmat.primitives.asymmetric.rsa.rsa_recover_prime_factors`
diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt
index fefd26b..ddd3789 100644
--- a/docs/spelling_wordlist.txt
+++ b/docs/spelling_wordlist.txt
@@ -51,3 +51,4 @@
unencrypted
unpadded
unpadding
+Verisign
diff --git a/docs/x509.rst b/docs/x509.rst
index 8043b36..193b845 100644
--- a/docs/x509.rst
+++ b/docs/x509.rst
@@ -182,18 +182,19 @@
The :class:`Name` of the subject.
- .. attribute:: signature_algorithm
+ .. attribute:: signature_hash_algorithm
- :type: :class:`ObjectIdentifier`
+ :type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
- An :class:`ObjectIdentifier` instance corresponding to the signature
- algorithm used to sign the certificate. This is both the digest
- used as well as the asymmetric type.
+ A :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
+ corresponding to the hash algorithm used within the certificate
+ signature.
.. doctest::
- >>> cert.signature_algorithm
- <ObjectIdentifier(oid=1.2.840.113549.1.1.11, name=sha256WithRSAEncryption)>
+ >>> from cryptography.hazmat.primitives import hashes
+ >>> isinstance(cert.signature_hash_algorithm, hashes.SHA256)
+ True
.. class:: Name
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index a3dddc4..989a9dd 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -16,6 +16,7 @@
import datetime
from cryptography import utils, x509
+from cryptography.exceptions import UnsupportedAlgorithm
from cryptography.hazmat.primitives import hashes
@@ -138,7 +139,16 @@
return x509.Name(attributes)
@property
- def signature_algorithm(self):
+ def signature_hash_algorithm(self):
+ oid = self._signature_algorithm()
+ try:
+ return x509._SIG_OIDS_TO_HASH[oid.dotted_string]
+ except KeyError:
+ raise UnsupportedAlgorithm(
+ "Signature algorithm {0} not recognized".format(oid)
+ )
+
+ def _signature_algorithm(self):
buf_len = 50
buf = self._backend._ffi.new("char[]", buf_len)
res = self._backend._lib.OBJ_obj2txt(
diff --git a/src/cryptography/x509.py b/src/cryptography/x509.py
index c4d87bb..c6ce61d 100644
--- a/src/cryptography/x509.py
+++ b/src/cryptography/x509.py
@@ -10,6 +10,7 @@
import six
from cryptography import utils
+from cryptography.hazmat.primitives import hashes
_OID_NAMES = {
@@ -170,6 +171,22 @@
OID_DSA_WITH_SHA224 = ObjectIdentifier("2.16.840.1.101.3.4.3.1")
OID_DSA_WITH_SHA256 = ObjectIdentifier("2.16.840.1.101.3.4.3.2")
+_SIG_OIDS_TO_HASH = {
+ "1.2.840.113549.1.1.4": hashes.MD5(),
+ "1.2.840.113549.1.1.5": hashes.SHA1(),
+ "1.2.840.113549.1.1.14": hashes.SHA224(),
+ "1.2.840.113549.1.1.11": hashes.SHA256(),
+ "1.2.840.113549.1.1.12": hashes.SHA384(),
+ "1.2.840.113549.1.1.13": hashes.SHA512(),
+ "1.2.840.10045.4.3.1": hashes.SHA224(),
+ "1.2.840.10045.4.3.2": hashes.SHA256(),
+ "1.2.840.10045.4.3.3": hashes.SHA384(),
+ "1.2.840.10045.4.3.4": hashes.SHA512(),
+ "1.2.840.10040.4.3": hashes.SHA1(),
+ "2.16.840.1.101.3.4.3.1": hashes.SHA224(),
+ "2.16.840.1.101.3.4.3.2": hashes.SHA256()
+}
+
@six.add_metaclass(abc.ABCMeta)
class Certificate(object):
@@ -222,8 +239,8 @@
"""
@abc.abstractproperty
- def signature_algorithm(self):
+ def signature_hash_algorithm(self):
"""
- Returns an ObjectIdentifier corresponding to the signature algorithm of
- the certificate.
+ Returns a HashAlgorithm corresponding to the type of the digest signed
+ in the certificate.
"""
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 613263d..8f00eee 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -13,6 +13,7 @@
import six
from cryptography import x509
+from cryptography.exceptions import UnsupportedAlgorithm
from cryptography.hazmat.backends.interfaces import (
DSABackend, EllipticCurveBackend, RSABackend, X509Backend
)
@@ -45,7 +46,7 @@
assert cert.serial == 11559813051657483483
fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
- assert cert.signature_algorithm == x509.OID_SHA1_WITH_RSA
+ assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
def test_load_der_cert(self, backend):
cert = _load_cert(
@@ -57,7 +58,7 @@
assert cert.serial == 2
fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
assert fingerprint == b"6f49779533d565e8b7c1062503eab41492c38e4d"
- assert cert.signature_algorithm == x509.OID_SHA256_WITH_RSA
+ assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
def test_issuer(self, backend):
cert = _load_cert(
@@ -330,6 +331,15 @@
with pytest.raises(ValueError):
x509.load_der_x509_certificate(b"notacert", backend)
+ def test_unsupported_signature_hash_algorithm_cert(self, backend):
+ cert = _load_cert(
+ os.path.join("x509", "verisign_md2_root.pem"),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ with pytest.raises(UnsupportedAlgorithm):
+ cert.signature_hash_algorithm
+
@pytest.mark.requires_backend_interface(interface=DSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
@@ -340,7 +350,7 @@
x509.load_pem_x509_certificate,
backend
)
- assert cert.signature_algorithm == x509.OID_DSA_WITH_SHA1
+ assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
public_key = cert.public_key()
assert isinstance(public_key, interfaces.DSAPublicKey)
if isinstance(public_key, interfaces.DSAPublicKeyWithNumbers):
@@ -393,7 +403,7 @@
x509.load_pem_x509_certificate,
backend
)
- assert cert.signature_algorithm == x509.OID_ECDSA_WITH_SHA384
+ assert isinstance(cert.signature_hash_algorithm, hashes.SHA384)
public_key = cert.public_key()
assert isinstance(public_key, interfaces.EllipticCurvePublicKey)
if isinstance(