openssl_* module_utils/crypto.py: add full list of OIDs known to current OpenSSL (#54943)
* Add full list of OIDs known to current OpenSSL. * Remove hardcoded OIDs. * UID -> x500UniqueIdentifier * Reference actual version used. * Don't normalize to lower-case. * Change test back. * Fix typo. * Apply changes suggested by RedHat legal.
This commit is contained in:
parent
0303ea2bfa
commit
c411883618
5 changed files with 1148 additions and 200 deletions
@ -1437,14 +1437,14 @@ class AssertOnlyCertificateCryptography(AssertOnlyCertificateBase):
|
||||||
return self.cert.signature_algorithm_oid._name
|
return self.cert.signature_algorithm_oid._name
|
||||||
|
|
||||||
def _validate_subject(self):
|
def _validate_subject(self):
|
||||||
expected_subject = Name([NameAttribute(oid=crypto_utils.cryptography_get_name_oid(sub[0]), value=to_text(sub[1]))
|
expected_subject = Name([NameAttribute(oid=crypto_utils.cryptography_name_to_oid(sub[0]), value=to_text(sub[1]))
|
||||||
for sub in self.subject])
|
for sub in self.subject])
|
||||||
cert_subject = self.cert.subject
|
cert_subject = self.cert.subject
|
||||||
if not compare_sets(expected_subject, cert_subject, self.subject_strict):
|
if not compare_sets(expected_subject, cert_subject, self.subject_strict):
|
||||||
return expected_subject, cert_subject
|
return expected_subject, cert_subject
|
||||||
|
|
||||||
def _validate_issuer(self):
|
def _validate_issuer(self):
|
||||||
expected_issuer = Name([NameAttribute(oid=crypto_utils.cryptography_get_name_oid(iss[0]), value=to_text(iss[1]))
|
expected_issuer = Name([NameAttribute(oid=crypto_utils.cryptography_name_to_oid(iss[0]), value=to_text(iss[1]))
|
||||||
for iss in self.issuer])
|
for iss in self.issuer])
|
||||||
cert_issuer = self.cert.issuer
|
cert_issuer = self.cert.issuer
|
||||||
if not compare_sets(expected_issuer, cert_issuer, self.issuer_strict):
|
if not compare_sets(expected_issuer, cert_issuer, self.issuer_strict):
|
||||||
|
@ -1494,7 +1494,7 @@ class AssertOnlyCertificateCryptography(AssertOnlyCertificateBase):
|
||||||
def _validate_extended_key_usage(self):
|
def _validate_extended_key_usage(self):
|
||||||
try:
|
try:
|
||||||
current_ext_keyusage = self.cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
|
current_ext_keyusage = self.cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
|
||||||
usages = [crypto_utils.cryptography_get_ext_keyusage(usage) for usage in self.extended_key_usage]
|
usages = [crypto_utils.cryptography_name_to_oid(usage) for usage in self.extended_key_usage]
|
||||||
expected_ext_keyusage = x509.ExtendedKeyUsage(usages)
|
expected_ext_keyusage = x509.ExtendedKeyUsage(usages)
|
||||||
if not compare_sets(expected_ext_keyusage, current_ext_keyusage, self.extended_key_usage_strict):
|
if not compare_sets(expected_ext_keyusage, current_ext_keyusage, self.extended_key_usage_strict):
|
||||||
return [eku.value for eku in expected_ext_keyusage], [eku.value for eku in current_ext_keyusage]
|
return [eku.value for eku in expected_ext_keyusage], [eku.value for eku in current_ext_keyusage]
|
||||||
|
|
|
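Review bot: The context line `return self.cert.signature_algorithm_oid._name` still reads a private attribute of cryptography's ObjectIdentifier, while this commit introduces `crypto_utils.cryptography_oid_to_name` and uses it for exactly that purpose in the info modules; `return crypto_utils.cryptography_oid_to_name(self.cert.signature_algorithm_oid)` would keep the two modules consistent and stop depending on an undocumented attribute. The function that line belongs to starts outside the hunk. A second point: `cryptography_name_to_oid` is now the single lookup both for subject/issuer attribute names in `_validate_subject`/`_validate_issuer` and for extended key usages in `_validate_extended_key_usage`; if it resolves any name in the OID table (crypto.py is not shown here), an EKU name supplied as a subject attribute, or an attribute name supplied as an EKU, is no longer rejected at this layer, so a comment on each caller recording which kind of name it expects, or a check in the helper, would make the contract explicit.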
@ -425,18 +425,18 @@ class CertificateInfoCryptography(CertificateInfo):
|
||||||
super(CertificateInfoCryptography, self).__init__(module, 'cryptography')
|
super(CertificateInfoCryptography, self).__init__(module, 'cryptography')
|
||||||
|
|
||||||
def _get_signature_algorithm(self):
|
def _get_signature_algorithm(self):
|
||||||
return crypto_utils.crpytography_oid_to_name(self.cert.signature_algorithm_oid)
|
return crypto_utils.cryptography_oid_to_name(self.cert.signature_algorithm_oid)
|
||||||
|
|
||||||
def _get_subject(self):
|
def _get_subject(self):
|
||||||
result = dict()
|
result = dict()
|
||||||
for attribute in self.cert.subject:
|
for attribute in self.cert.subject:
|
||||||
result[crypto_utils.crpytography_oid_to_name(attribute.oid)] = attribute.value
|
result[crypto_utils.cryptography_oid_to_name(attribute.oid)] = attribute.value
|
||||||
return result
|
return result
|
||||||
|
|
||||||
def _get_issuer(self):
|
def _get_issuer(self):
|
||||||
result = dict()
|
result = dict()
|
||||||
for attribute in self.cert.issuer:
|
for attribute in self.cert.issuer:
|
||||||
result[crypto_utils.crpytography_oid_to_name(attribute.oid)] = attribute.value
|
result[crypto_utils.cryptography_oid_to_name(attribute.oid)] = attribute.value
|
||||||
return result
|
return result
|
||||||
|
|
||||||
def _get_version(self):
|
def _get_version(self):
|
||||||
|
@ -488,7 +488,7 @@ class CertificateInfoCryptography(CertificateInfo):
|
||||||
try:
|
try:
|
||||||
ext_keyusage_ext = self.cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
|
ext_keyusage_ext = self.cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
|
||||||
return sorted([
|
return sorted([
|
||||||
crypto_utils.crpytography_oid_to_name(eku) for eku in ext_keyusage_ext.value
|
crypto_utils.cryptography_oid_to_name(eku) for eku in ext_keyusage_ext.value
|
||||||
]), ext_keyusage_ext.critical
|
]), ext_keyusage_ext.critical
|
||||||
except cryptography.x509.ExtensionNotFound:
|
except cryptography.x509.ExtensionNotFound:
|
||||||
return None, False
|
return None, False
|
||||||
|
|
|
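Review bot: `_get_subject` and `_get_issuer` store attributes in a dict keyed by `crypto_utils.cryptography_oid_to_name(attribute.oid)`, so a name that repeats an attribute type (several `organizationalUnitName` or `domainComponent` values, which enterprise CAs commonly emit) is reported with only the last value, and the reported subject can silently differ from the certificate; the renamed helper does not change this, but the hunk is where it is visible. Since the dict is the module's documented return value, keeping it and adding an ordered list of `(name, value)` pairs under a new key would preserve compatibility, and at minimum a comment such as `# NOTE: a dict keeps only the last value of a repeated attribute type` belongs above each loop. The same applies to `_get_subject` in CertificateSigningRequestInfoCryptography further down this page.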
@ -649,7 +649,7 @@ class CertificateSigningRequestCryptography(CertificateSigningRequestBase):
|
||||||
csr = cryptography.x509.CertificateSigningRequestBuilder()
|
csr = cryptography.x509.CertificateSigningRequestBuilder()
|
||||||
try:
|
try:
|
||||||
csr = csr.subject_name(cryptography.x509.Name([
|
csr = csr.subject_name(cryptography.x509.Name([
|
||||||
cryptography.x509.NameAttribute(crypto_utils.cryptography_get_name_oid(entry[0]), to_text(entry[1])) for entry in self.subject
|
cryptography.x509.NameAttribute(crypto_utils.cryptography_name_to_oid(entry[0]), to_text(entry[1])) for entry in self.subject
|
||||||
]))
|
]))
|
||||||
except ValueError as e:
|
except ValueError as e:
|
||||||
raise CertificateSigningRequestError(e)
|
raise CertificateSigningRequestError(e)
|
||||||
|
@ -664,7 +664,7 @@ class CertificateSigningRequestCryptography(CertificateSigningRequestBase):
|
||||||
csr = csr.add_extension(cryptography.x509.KeyUsage(**params), critical=self.keyUsage_critical)
|
csr = csr.add_extension(cryptography.x509.KeyUsage(**params), critical=self.keyUsage_critical)
|
||||||
|
|
||||||
if self.extendedKeyUsage:
|
if self.extendedKeyUsage:
|
||||||
usages = [crypto_utils.cryptography_get_ext_keyusage(usage) for usage in self.extendedKeyUsage]
|
usages = [crypto_utils.cryptography_name_to_oid(usage) for usage in self.extendedKeyUsage]
|
||||||
csr = csr.add_extension(cryptography.x509.ExtendedKeyUsage(usages), critical=self.extendedKeyUsage_critical)
|
csr = csr.add_extension(cryptography.x509.ExtendedKeyUsage(usages), critical=self.extendedKeyUsage_critical)
|
||||||
|
|
||||||
if self.basicConstraints:
|
if self.basicConstraints:
|
||||||
|
@ -713,7 +713,7 @@ class CertificateSigningRequestCryptography(CertificateSigningRequestBase):
|
||||||
|
|
||||||
def _check_csr(self):
|
def _check_csr(self):
|
||||||
def _check_subject(csr):
|
def _check_subject(csr):
|
||||||
subject = [(crypto_utils.cryptography_get_name_oid(entry[0]), entry[1]) for entry in self.subject]
|
subject = [(crypto_utils.cryptography_name_to_oid(entry[0]), entry[1]) for entry in self.subject]
|
||||||
current_subject = [(sub.oid, sub.value) for sub in csr.subject]
|
current_subject = [(sub.oid, sub.value) for sub in csr.subject]
|
||||||
return set(subject) == set(current_subject)
|
return set(subject) == set(current_subject)
|
||||||
|
|
||||||
|
@ -751,7 +751,7 @@ class CertificateSigningRequestCryptography(CertificateSigningRequestBase):
|
||||||
def _check_extenededKeyUsage(extensions):
|
def _check_extenededKeyUsage(extensions):
|
||||||
current_usages_ext = _find_extension(extensions, cryptography.x509.ExtendedKeyUsage)
|
current_usages_ext = _find_extension(extensions, cryptography.x509.ExtendedKeyUsage)
|
||||||
current_usages = [str(usage) for usage in current_usages_ext.value] if current_usages_ext else []
|
current_usages = [str(usage) for usage in current_usages_ext.value] if current_usages_ext else []
|
||||||
usages = [str(crypto_utils.cryptography_get_ext_keyusage(usage)) for usage in self.extendedKeyUsage] if self.extendedKeyUsage else []
|
usages = [str(crypto_utils.cryptography_name_to_oid(usage)) for usage in self.extendedKeyUsage] if self.extendedKeyUsage else []
|
||||||
if set(current_usages) != set(usages):
|
if set(current_usages) != set(usages):
|
||||||
return False
|
return False
|
||||||
if usages:
|
if usages:
|
||||||
|
|
|
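Review bot: In `_check_subject`, `entry[1]` is compared to `sub.value` without the `to_text` conversion that the generating code applies in `csr.subject_name(...)` (`to_text(entry[1])`), so if a byte string reaches this check on Python 2 the tuple sets differ and the module reports a change on every run; `subject = [(crypto_utils.cryptography_name_to_oid(entry[0]), to_text(entry[1])) for entry in self.subject]` keeps both paths consistent. `_check_csr` continues outside the hunk. On naming, `_check_extenededKeyUsage` carries a typo that a reader searching for the extended-key-usage check will miss; it is a nested local function, so renaming it to `_check_extendedKeyUsage` presumably touches only its definition and its call site outside the hunk.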
@ -294,7 +294,7 @@ class CertificateSigningRequestInfoCryptography(CertificateSigningRequestInfo):
|
||||||
def _get_subject(self):
|
def _get_subject(self):
|
||||||
result = dict()
|
result = dict()
|
||||||
for attribute in self.csr.subject:
|
for attribute in self.csr.subject:
|
||||||
result[crypto_utils.crpytography_oid_to_name(attribute.oid)] = attribute.value
|
result[crypto_utils.cryptography_oid_to_name(attribute.oid)] = attribute.value
|
||||||
return result
|
return result
|
||||||
|
|
||||||
def _get_key_usage(self):
|
def _get_key_usage(self):
|
||||||
|
@ -339,7 +339,7 @@ class CertificateSigningRequestInfoCryptography(CertificateSigningRequestInfo):
|
||||||
try:
|
try:
|
||||||
ext_keyusage_ext = self.csr.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
|
ext_keyusage_ext = self.csr.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
|
||||||
return sorted([
|
return sorted([
|
||||||
crypto_utils.crpytography_oid_to_name(eku) for eku in ext_keyusage_ext.value
|
crypto_utils.cryptography_oid_to_name(eku) for eku in ext_keyusage_ext.value
|
||||||
]), ext_keyusage_ext.critical
|
]), ext_keyusage_ext.critical
|
||||||
except cryptography.x509.ExtensionNotFound:
|
except cryptography.x509.ExtensionNotFound:
|
||||||
return None, False
|
return None, False
|
||||||
|
|