expose tbs_certrequest_bytes and signature on CertificateSigningRequest
diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst
index 35c00e6..0fea616 100644
--- a/docs/x509/reference.rst
+++ b/docs/x509/reference.rst
@@ -734,6 +734,25 @@
over the network to be signed by the certificate
authority.
+ .. attribute:: signature
+
+ .. versionadded:: 1.2
+
+ :type: bytes
+
+ The bytes of the certificate signing request's signature.
+
+ .. attribute:: tbs_certrequest_bytes
+
+ .. versionadded:: 1.2
+
+ :type: bytes
+
+ The DER encoded bytes payload (as defined by :rfc:`2986`) that is
+ hashed and then signed by the private key (corresponding to the public
+ key embedded in the CSR). This data may be used to validate the CSR
+ signature.
+
X.509 Revoked Certificate Object
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py
index b5d461a..0fc49ac 100644
--- a/src/_cffi_src/openssl/x509.py
+++ b/src/_cffi_src/openssl/x509.py
@@ -43,9 +43,12 @@
} X509_EXTENSION;
typedef ... X509_EXTENSIONS;
+typedef ... X509_REQ_INFO;
typedef struct {
+ X509_REQ_INFO *req_info;
X509_ALGOR *sig_alg;
+ ASN1_BIT_STRING *signature;
...;
} X509_REQ;
@@ -267,6 +270,7 @@
MACROS = """
int i2d_X509_CINF(X509_CINF *, unsigned char **);
int i2d_X509_CRL_INFO(X509_CRL_INFO *, unsigned char **);
+int i2d_X509_REQ_INFO(X509_REQ_INFO *, unsigned char **);
long X509_get_version(X509 *);
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 8fa43ea..01232df 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -921,6 +921,21 @@
self._backend.openssl_assert(res == 1)
return self._backend._read_mem_bio(bio)
+ @property
+ def tbs_certrequest_bytes(self):
+ pp = self._backend._ffi.new("unsigned char **")
+ # the X509_CINF struct holds the tbsCertificate data
+ res = self._backend._lib.i2d_X509_REQ_INFO(self._x509_req.req_info, pp)
+ self._backend.openssl_assert(res > 0)
+ pp = self._backend._ffi.gc(
+ pp, lambda pointer: self._backend._lib.OPENSSL_free(pointer[0])
+ )
+ return self._backend._ffi.buffer(pp[0], res)[:]
+
+ @property
+ def signature(self):
+ return self._backend._asn1_string_to_bytes(self._x509_req.signature)
+
_EXTENSION_HANDLERS = {
ExtensionOID.BASIC_CONSTRAINTS: _decode_basic_constraints,
diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py
index 6c2386f..c56ca5e 100644
--- a/src/cryptography/x509/base.py
+++ b/src/cryptography/x509/base.py
@@ -270,6 +270,19 @@
Encodes the request to PEM or DER format.
"""
+ @abc.abstractproperty
+ def signature(self):
+ """
+ Returns the signature bytes.
+ """
+
+ @abc.abstractproperty
+ def tbs_certrequest_bytes(self):
+ """
+ Returns the PKCS#10 CertificationRequestInfo bytes as defined in RFC
+ 2986.
+ """
+
@six.add_metaclass(abc.ABCMeta)
class RevokedCertificate(object):
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 5a1c4c5..51c48f4 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -1051,6 +1051,52 @@
x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
]
+ def test_signature(self, backend):
+ request = _load_cert(
+ os.path.join("x509", "requests", "rsa_sha1.pem"),
+ x509.load_pem_x509_csr,
+ backend
+ )
+ assert request.signature == binascii.unhexlify(
+ b"8364c86ffbbfe0bfc9a21f831256658ca8989741b80576d36f08a934603a43b1"
+ b"837246d00167a518abb1de7b51a1e5b7ebea14944800818b1a923c804f120a0d"
+ b"624f6310ef79e8612755c2b01dcc7f59dfdbce0db3f2630f185f504b8c17af80"
+ b"cbd364fa5fda68337153930948226cd4638287a0aed6524d3006885c19028a1e"
+ b"e2f5a91d6e77dbaa0b49996ee0a0c60b55b61bd080a08bb34aa7f3e07e91f37f"
+ b"6a11645be2d8654c1570dcda145ed7cc92017f7d53225d7f283f3459ec5bda41"
+ b"cf6dd75d43676c543483385226b7e4fa29c8739f1b0eaf199613593991979862"
+ b"e36181e8c4c270c354b7f52c128db1b70639823324c7ea24791b7bc3d7005f3b"
+ )
+
+ def test_tbs_certrequest_bytes(self, backend):
+ request = _load_cert(
+ os.path.join("x509", "requests", "rsa_sha1.pem"),
+ x509.load_pem_x509_csr,
+ backend
+ )
+ assert request.tbs_certrequest_bytes == binascii.unhexlify(
+ b"308201840201003057310b3009060355040613025553310e300c060355040813"
+ b"055465786173310f300d0603550407130641757374696e310d300b060355040a"
+ b"130450794341311830160603550403130f63727970746f6772617068792e696f"
+ b"30820122300d06092a864886f70d01010105000382010f003082010a02820101"
+ b"00a840a78460cb861066dfa3045a94ba6cf1b7ab9d24c761cffddcc2cb5e3f1d"
+ b"c3e4be253e7039ef14fe9d6d2304f50d9f2e1584c51530ab75086f357138bff7"
+ b"b854d067d1d5f384f1f2f2c39cc3b15415e2638554ef8402648ae3ef08336f22"
+ b"b7ecc6d4331c2b21c3091a7f7a9518180754a646640b60419e4cc6f5c798110a"
+ b"7f030a639fe87e33b4776dfcd993940ec776ab57a181ad8598857976dc303f9a"
+ b"573ca619ab3fe596328e92806b828683edc17cc256b41948a2bfa8d047d2158d"
+ b"3d8e069aa05fa85b3272abb1c4b4422b6366f3b70e642377b145cd6259e5d3e7"
+ b"db048d51921e50766a37b1b130ee6b11f507d20a834001e8de16a92c14f2e964"
+ b"a30203010001a000"
+ )
+ verifier = request.public_key().verifier(
+ request.signature,
+ padding.PKCS1v15(),
+ request.signature_hash_algorithm
+ )
+ verifier.update(request.tbs_certrequest_bytes)
+ verifier.verify()
+
def test_public_bytes_invalid_encoding(self, backend):
request = _load_cert(
os.path.join("x509", "requests", "rsa_sha1.pem"),
@@ -2884,6 +2930,10 @@
verifier.update(cert.tbs_certificate_bytes)
verifier.verify()
+
+@pytest.mark.requires_backend_interface(interface=DSABackend)
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+class TestDSACertificateRequest(object):
@pytest.mark.parametrize(
("path", "loader_func"),
[
@@ -2912,6 +2962,49 @@
x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
]
+ def test_signature(self, backend):
+ request = _load_cert(
+ os.path.join("x509", "requests", "dsa_sha1.pem"),
+ x509.load_pem_x509_csr,
+ backend
+ )
+ assert request.signature == binascii.unhexlify(
+ b"302c021461d58dc028d0110818a7d817d74235727c4acfdf0214097b52e198e"
+ b"ce95de17273f0a924df23ce9d8188"
+ )
+
+ def test_tbs_certrequest_bytes(self, backend):
+ request = _load_cert(
+ os.path.join("x509", "requests", "dsa_sha1.pem"),
+ x509.load_pem_x509_csr,
+ backend
+ )
+ assert request.tbs_certrequest_bytes == binascii.unhexlify(
+ b"3082021802010030573118301606035504030c0f63727970746f677261706879"
+ b"2e696f310d300b060355040a0c0450794341310b300906035504061302555331"
+ b"0e300c06035504080c055465786173310f300d06035504070c0641757374696e"
+ b"308201b63082012b06072a8648ce3804013082011e028181008d7fadbc09e284"
+ b"aafa69154cea24177004909e519f8b35d685cde5b4ecdc9583e74d370a0f88ad"
+ b"a98f026f27762fb3d5da7836f986dfcdb3589e5b925bea114defc03ef81dae30"
+ b"c24bbc6df3d588e93427bba64203d4a5b1687b2b5e3b643d4c614976f89f95a3"
+ b"8d3e4c89065fba97514c22c50adbbf289163a74b54859b35b7021500835de56b"
+ b"d07cf7f82e2032fe78949aed117aa2ef0281801f717b5a07782fc2e4e68e311f"
+ b"ea91a54edd36b86ac634d14f05a68a97eae9d2ef31fb1ef3de42c3d100df9ca6"
+ b"4f5bdc2aec7bfdfb474cf831fea05853b5e059f2d24980a0ac463f1e818af352"
+ b"3e3cb79a39d45fa92731897752842469cf8540b01491024eaafbce6018e8a1f4"
+ b"658c343f4ba7c0b21e5376a21f4beb8491961e038184000281800713f07641f6"
+ b"369bb5a9545274a2d4c01998367fb371bb9e13436363672ed68f82174c2de05c"
+ b"8e839bc6de568dd50ba28d8d9d8719423aaec5557df10d773ab22d6d65cbb878"
+ b"04a697bc8fd965b952f9f7e850edf13c8acdb5d753b6d10e59e0b5732e3c82ba"
+ b"fa140342bc4a3bba16bd0681c8a6a2dbbb7efe6ce2b8463b170ba000"
+ )
+ verifier = request.public_key().verifier(
+ request.signature,
+ request.signature_hash_algorithm
+ )
+ verifier.update(request.tbs_certrequest_bytes)
+ verifier.verify()
+
@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
@@ -3001,6 +3094,10 @@
with pytest.raises(NotImplementedError):
cert.public_key()
+
+@pytest.mark.requires_backend_interface(interface=X509Backend)
+@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
+class TestECDSACertificateRequest(object):
@pytest.mark.parametrize(
("path", "loader_func"),
[
@@ -3030,6 +3127,41 @@
x509.NameAttribute(NameOID.LOCALITY_NAME, u'Austin'),
]
+ def test_signature(self, backend):
+ request = _load_cert(
+ os.path.join("x509", "requests", "ec_sha256.pem"),
+ x509.load_pem_x509_csr,
+ backend
+ )
+ assert request.signature == binascii.unhexlify(
+ b"306502302c1a9f7de8c1787332d2307a886b476a59f172b9b0e250262f3238b1"
+ b"b45ee112bb6eb35b0fb56a123b9296eb212dffc302310094cf440c95c52827d5"
+ b"56ae6d76500e3008255d47c29f7ee782ed7558e51bfd76aa45df6d999ed5c463"
+ b"347fe2382d1751"
+ )
+
+ def test_tbs_certrequest_bytes(self, backend):
+ request = _load_cert(
+ os.path.join("x509", "requests", "ec_sha256.pem"),
+ x509.load_pem_x509_csr,
+ backend
+ )
+ assert request.tbs_certrequest_bytes == binascii.unhexlify(
+ b"3081d602010030573118301606035504030c0f63727970746f6772617068792"
+ b"e696f310d300b060355040a0c0450794341310b300906035504061302555331"
+ b"0e300c06035504080c055465786173310f300d06035504070c0641757374696"
+ b"e3076301006072a8648ce3d020106052b8104002203620004de19b514c0b3c3"
+ b"ae9b398ea3e26b5e816bdcf9102cad8f12fe02f9e4c9248724b39297ed7582e"
+ b"04d8b32a551038d09086803a6d3fb91a1a1167ec02158b00efad39c9396462f"
+ b"accff0ffaf7155812909d3726bd59fde001cff4bb9b2f5af8cbaa000"
+ )
+ verifier = request.public_key().verifier(
+ request.signature,
+ ec.ECDSA(request.signature_hash_algorithm)
+ )
+ verifier.update(request.tbs_certrequest_bytes)
+ verifier.verify()
+
@pytest.mark.requires_backend_interface(interface=X509Backend)
class TestOtherCertificate(object):