add alternate signature OID for RSA with SHA1 + test and vector (#3227)

* add alternate signature OID for RSA with SHA1 + test and vector

* mozilla is a proper noun leave me alone spellchecker
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
index 3429d52..49c5ac2 100644
--- a/docs/development/test-vectors.rst
+++ b/docs/development/test-vectors.rst
@@ -117,6 +117,9 @@
 * ``e-trust.ru.der`` - A certificate from a `Russian CA`_ signed using the GOST
   cipher and containing numerous unusual encodings such as NUMERICSTRING in
   the subject DN.
+* ``alternate-rsa-sha1-oid.pem`` - A certificate from an
+  `unknown signature OID`_ Mozilla bug that uses an alternate signature OID for
+  RSA with SHA1.
 
 Custom X.509 Vectors
 ~~~~~~~~~~~~~~~~~~~~
@@ -459,3 +462,4 @@
 .. _`Mozilla bug`: https://bugzilla.mozilla.org/show_bug.cgi?id=233586
 .. _`Russian CA`: https://e-trust.gosuslugi.ru/MainCA
 .. _`test/evptests.txt`: https://github.com/openssl/openssl/blob/2d0b44126763f989a4cbffbffe9d0c7518158bb7/test/evptests.txt
+.. _`unknown signature OID`: https://bugzilla.mozilla.org/show_bug.cgi?id=405966
diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt
index 1372039..5efbbdc 100644
--- a/docs/spelling_wordlist.txt
+++ b/docs/spelling_wordlist.txt
@@ -48,6 +48,7 @@
 Koblitz
 Lange
 metadata
+Mozilla
 multi
 namespace
 namespaces
diff --git a/src/cryptography/x509/oid.py b/src/cryptography/x509/oid.py
index 17fa42e..3848b89 100644
--- a/src/cryptography/x509/oid.py
+++ b/src/cryptography/x509/oid.py
@@ -121,6 +121,8 @@
 class SignatureAlgorithmOID(object):
     RSA_WITH_MD5 = ObjectIdentifier("1.2.840.113549.1.1.4")
     RSA_WITH_SHA1 = ObjectIdentifier("1.2.840.113549.1.1.5")
+    # This is an alternate OID for RSA with SHA1 that is occasionally seen
+    _RSA_WITH_SHA1 = ObjectIdentifier("1.3.14.3.2.29")
     RSA_WITH_SHA224 = ObjectIdentifier("1.2.840.113549.1.1.14")
     RSA_WITH_SHA256 = ObjectIdentifier("1.2.840.113549.1.1.11")
     RSA_WITH_SHA384 = ObjectIdentifier("1.2.840.113549.1.1.12")
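Review bot: The comment on `_RSA_WITH_SHA1` does not tell a reader that two distinct OIDs now resolve to RSA with SHA1. This matters for any policy code that rejects SHA-1-signed certificates by comparing `signature_algorithm_oid` against `RSA_WITH_SHA1` alone, because a certificate carrying 1.3.14.3.2.29 would pass that comparison. I would extend the comment to something like `# Alternate OID (1.3.14.3.2.29) for RSA with SHA1 seen in some certificates; parse-only. Reject SHA1 via signature_hash_algorithm, not by OID equality.` The leading underscore suggests the name is deliberately kept private, and saying so would stop it being read as an oversight. The class body continues past this hunk.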
@@ -137,6 +139,7 @@
 _SIG_OIDS_TO_HASH = {
     SignatureAlgorithmOID.RSA_WITH_MD5: hashes.MD5(),
     SignatureAlgorithmOID.RSA_WITH_SHA1: hashes.SHA1(),
+    SignatureAlgorithmOID._RSA_WITH_SHA1: hashes.SHA1(),
     SignatureAlgorithmOID.RSA_WITH_SHA224: hashes.SHA224(),
     SignatureAlgorithmOID.RSA_WITH_SHA256: hashes.SHA256(),
     SignatureAlgorithmOID.RSA_WITH_SHA384: hashes.SHA384(),
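Review bot: This entry gives `_RSA_WITH_SHA1` a hash, but nothing in the diff gives it a display name. If the module keeps an OID-to-name table next to `_SIG_OIDS_TO_HASH` (none is visible in these hunks), the alternate OID would presumably be reported as unknown in reprs and logs, which makes such certificates harder to triage. A matching line there, `SignatureAlgorithmOID._RSA_WITH_SHA1: <same name as RSA_WITH_SHA1>,`, would keep the output consistent. The dict literal continues past this hunk.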
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 6a999f4..f375ac5 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -502,6 +502,18 @@
             cert.signature_algorithm_oid == SignatureAlgorithmOID.RSA_WITH_SHA1
         )
 
+    def test_alternate_rsa_with_sha1_oid(self, backend):
+        cert = _load_cert(
+            os.path.join("x509", "alternate-rsa-sha1-oid.pem"),
+            x509.load_pem_x509_certificate,
+            backend
+        )
+        assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
+        assert (
+            cert.signature_algorithm_oid ==
+            SignatureAlgorithmOID._RSA_WITH_SHA1
+        )
+
     def test_cert_serial_number(self, backend):
         cert = _load_cert(
             os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
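Review bot: `test_alternate_rsa_with_sha1_oid` only restates the table entry: it checks that the OID maps to `hashes.SHA1`, not that SHA1 is the hash the signature was actually computed with. The vector appears to be self-issued (issuer and subject decode to the same CN), so if it is self-signed the test could prove the mapping by verifying the signature with the certificate's own key: `cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes, padding.PKCS1v15(), cert.signature_hash_algorithm)`. This assumes `padding` is importable in this test module and that the backend in use exposes `verify` on the public key. The following test, `test_cert_serial_number`, is cut off at the end of the hunk.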
diff --git a/vectors/cryptography_vectors/x509/alternate-rsa-sha1-oid.pem b/vectors/cryptography_vectors/x509/alternate-rsa-sha1-oid.pem
new file mode 100644
index 0000000..807a28b
--- /dev/null
+++ b/vectors/cryptography_vectors/x509/alternate-rsa-sha1-oid.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBwjCCAS+gAwIBAgIQj2d4hVEz0L1DYFVhA9CxCzAJBgUrDgMCHQUAMA8xDTAL
+BgNVBAMTBFZQUzEwHhcNMDcwODE4MDkyODUzWhcNMDgwODE3MDkyODUzWjAPMQ0w
+CwYDVQQDEwRWUFMxMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDaqKn40uaU
+DbFL1NXXZ8/b4ZqDJ6eSI5lysMZHfZDs60G3ocbNKofBvURIutabrFuBCB2S5f/z
+ICan0LR4uFpGuZ2I/PuVaU8X5fT8gBh7L636cWzHPPScYts00OyywEq381UB7XwX
+YuWpM5kUW5rkbq1JV3ystTR/4YnLl48YtQIDAQABoycwJTATBgNVHSUEDDAKBggr
+BgEFBQcDATAOBgNVHQ8EBwMFALAAAAAwCQYFKw4DAh0FAAOBgQBuUrU+J2Z5WKcO
+VNjJHFUKo8qpbn8jKQZDl2nvVaXCTXQZblz/qxOm4FaGGzJ/m3GybVZNVfdyHg+U
+lmDpFpOITkvcyNc3xjJCf2GVBo/VvdtVt7Myq0IQtAi/CXRK22BRNhSt9uu2EcRu
+HIXdFWHEzi6eD4PpNw/0X3ID6Gxk4A==
+-----END CERTIFICATE-----