openssl_* module_utils/crypto.py: add full list of OIDs known to current OpenSSL (#54943)

* Add full list of OIDs known to current OpenSSL.

* Remove hardcoded OIDs.

* UID -> x500UniqueIdentifier

* Reference actual version used.

* Don't normalize to lower-case.

* Change test back.

* Fix typo.

* Apply changes suggested by RedHat legal.
This commit is contained in:
Felix Fontein 2019-04-10 13:46:10 +02:00 committed by John R Barker
parent 0303ea2bfa
commit c411883618
5 changed files with 1148 additions and 200 deletions

File diff suppressed because it is too large Load diff

View file

@ -1437,14 +1437,14 @@ class AssertOnlyCertificateCryptography(AssertOnlyCertificateBase):
return self.cert.signature_algorithm_oid._name return self.cert.signature_algorithm_oid._name
def _validate_subject(self): def _validate_subject(self):
expected_subject = Name([NameAttribute(oid=crypto_utils.cryptography_get_name_oid(sub[0]), value=to_text(sub[1])) expected_subject = Name([NameAttribute(oid=crypto_utils.cryptography_name_to_oid(sub[0]), value=to_text(sub[1]))
for sub in self.subject]) for sub in self.subject])
cert_subject = self.cert.subject cert_subject = self.cert.subject
if not compare_sets(expected_subject, cert_subject, self.subject_strict): if not compare_sets(expected_subject, cert_subject, self.subject_strict):
return expected_subject, cert_subject return expected_subject, cert_subject
def _validate_issuer(self): def _validate_issuer(self):
expected_issuer = Name([NameAttribute(oid=crypto_utils.cryptography_get_name_oid(iss[0]), value=to_text(iss[1])) expected_issuer = Name([NameAttribute(oid=crypto_utils.cryptography_name_to_oid(iss[0]), value=to_text(iss[1]))
for iss in self.issuer]) for iss in self.issuer])
cert_issuer = self.cert.issuer cert_issuer = self.cert.issuer
if not compare_sets(expected_issuer, cert_issuer, self.issuer_strict): if not compare_sets(expected_issuer, cert_issuer, self.issuer_strict):
@ -1494,7 +1494,7 @@ class AssertOnlyCertificateCryptography(AssertOnlyCertificateBase):
def _validate_extended_key_usage(self): def _validate_extended_key_usage(self):
try: try:
current_ext_keyusage = self.cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value current_ext_keyusage = self.cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
usages = [crypto_utils.cryptography_get_ext_keyusage(usage) for usage in self.extended_key_usage] usages = [crypto_utils.cryptography_name_to_oid(usage) for usage in self.extended_key_usage]
expected_ext_keyusage = x509.ExtendedKeyUsage(usages) expected_ext_keyusage = x509.ExtendedKeyUsage(usages)
if not compare_sets(expected_ext_keyusage, current_ext_keyusage, self.extended_key_usage_strict): if not compare_sets(expected_ext_keyusage, current_ext_keyusage, self.extended_key_usage_strict):
return [eku.value for eku in expected_ext_keyusage], [eku.value for eku in current_ext_keyusage] return [eku.value for eku in expected_ext_keyusage], [eku.value for eku in current_ext_keyusage]

View file

@ -425,18 +425,18 @@ class CertificateInfoCryptography(CertificateInfo):
super(CertificateInfoCryptography, self).__init__(module, 'cryptography') super(CertificateInfoCryptography, self).__init__(module, 'cryptography')
def _get_signature_algorithm(self): def _get_signature_algorithm(self):
return crypto_utils.crpytography_oid_to_name(self.cert.signature_algorithm_oid) return crypto_utils.cryptography_oid_to_name(self.cert.signature_algorithm_oid)
def _get_subject(self): def _get_subject(self):
result = dict() result = dict()
for attribute in self.cert.subject: for attribute in self.cert.subject:
result[crypto_utils.crpytography_oid_to_name(attribute.oid)] = attribute.value result[crypto_utils.cryptography_oid_to_name(attribute.oid)] = attribute.value
return result return result
def _get_issuer(self): def _get_issuer(self):
result = dict() result = dict()
for attribute in self.cert.issuer: for attribute in self.cert.issuer:
result[crypto_utils.crpytography_oid_to_name(attribute.oid)] = attribute.value result[crypto_utils.cryptography_oid_to_name(attribute.oid)] = attribute.value
return result return result
def _get_version(self): def _get_version(self):
@ -488,7 +488,7 @@ class CertificateInfoCryptography(CertificateInfo):
try: try:
ext_keyusage_ext = self.cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage) ext_keyusage_ext = self.cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
return sorted([ return sorted([
crypto_utils.crpytography_oid_to_name(eku) for eku in ext_keyusage_ext.value crypto_utils.cryptography_oid_to_name(eku) for eku in ext_keyusage_ext.value
]), ext_keyusage_ext.critical ]), ext_keyusage_ext.critical
except cryptography.x509.ExtensionNotFound: except cryptography.x509.ExtensionNotFound:
return None, False return None, False

View file

@ -649,7 +649,7 @@ class CertificateSigningRequestCryptography(CertificateSigningRequestBase):
csr = cryptography.x509.CertificateSigningRequestBuilder() csr = cryptography.x509.CertificateSigningRequestBuilder()
try: try:
csr = csr.subject_name(cryptography.x509.Name([ csr = csr.subject_name(cryptography.x509.Name([
cryptography.x509.NameAttribute(crypto_utils.cryptography_get_name_oid(entry[0]), to_text(entry[1])) for entry in self.subject cryptography.x509.NameAttribute(crypto_utils.cryptography_name_to_oid(entry[0]), to_text(entry[1])) for entry in self.subject
])) ]))
except ValueError as e: except ValueError as e:
raise CertificateSigningRequestError(e) raise CertificateSigningRequestError(e)
@ -664,7 +664,7 @@ class CertificateSigningRequestCryptography(CertificateSigningRequestBase):
csr = csr.add_extension(cryptography.x509.KeyUsage(**params), critical=self.keyUsage_critical) csr = csr.add_extension(cryptography.x509.KeyUsage(**params), critical=self.keyUsage_critical)
if self.extendedKeyUsage: if self.extendedKeyUsage:
usages = [crypto_utils.cryptography_get_ext_keyusage(usage) for usage in self.extendedKeyUsage] usages = [crypto_utils.cryptography_name_to_oid(usage) for usage in self.extendedKeyUsage]
csr = csr.add_extension(cryptography.x509.ExtendedKeyUsage(usages), critical=self.extendedKeyUsage_critical) csr = csr.add_extension(cryptography.x509.ExtendedKeyUsage(usages), critical=self.extendedKeyUsage_critical)
if self.basicConstraints: if self.basicConstraints:
@ -713,7 +713,7 @@ class CertificateSigningRequestCryptography(CertificateSigningRequestBase):
def _check_csr(self): def _check_csr(self):
def _check_subject(csr): def _check_subject(csr):
subject = [(crypto_utils.cryptography_get_name_oid(entry[0]), entry[1]) for entry in self.subject] subject = [(crypto_utils.cryptography_name_to_oid(entry[0]), entry[1]) for entry in self.subject]
current_subject = [(sub.oid, sub.value) for sub in csr.subject] current_subject = [(sub.oid, sub.value) for sub in csr.subject]
return set(subject) == set(current_subject) return set(subject) == set(current_subject)
@ -751,7 +751,7 @@ class CertificateSigningRequestCryptography(CertificateSigningRequestBase):
def _check_extenededKeyUsage(extensions): def _check_extenededKeyUsage(extensions):
current_usages_ext = _find_extension(extensions, cryptography.x509.ExtendedKeyUsage) current_usages_ext = _find_extension(extensions, cryptography.x509.ExtendedKeyUsage)
current_usages = [str(usage) for usage in current_usages_ext.value] if current_usages_ext else [] current_usages = [str(usage) for usage in current_usages_ext.value] if current_usages_ext else []
usages = [str(crypto_utils.cryptography_get_ext_keyusage(usage)) for usage in self.extendedKeyUsage] if self.extendedKeyUsage else [] usages = [str(crypto_utils.cryptography_name_to_oid(usage)) for usage in self.extendedKeyUsage] if self.extendedKeyUsage else []
if set(current_usages) != set(usages): if set(current_usages) != set(usages):
return False return False
if usages: if usages:

View file

@ -294,7 +294,7 @@ class CertificateSigningRequestInfoCryptography(CertificateSigningRequestInfo):
def _get_subject(self): def _get_subject(self):
result = dict() result = dict()
for attribute in self.csr.subject: for attribute in self.csr.subject:
result[crypto_utils.crpytography_oid_to_name(attribute.oid)] = attribute.value result[crypto_utils.cryptography_oid_to_name(attribute.oid)] = attribute.value
return result return result
def _get_key_usage(self): def _get_key_usage(self):
@ -339,7 +339,7 @@ class CertificateSigningRequestInfoCryptography(CertificateSigningRequestInfo):
try: try:
ext_keyusage_ext = self.csr.extensions.get_extension_for_class(x509.ExtendedKeyUsage) ext_keyusage_ext = self.csr.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
return sorted([ return sorted([
crypto_utils.crpytography_oid_to_name(eku) for eku in ext_keyusage_ext.value crypto_utils.cryptography_oid_to_name(eku) for eku in ext_keyusage_ext.value
]), ext_keyusage_ext.critical ]), ext_keyusage_ext.critical
except cryptography.x509.ExtensionNotFound: except cryptography.x509.ExtensionNotFound:
return None, False return None, False