Example #1
0
async def test_cert_constraint_composite(requests_mock):
    vc = live_testing_vc(requests_mock)
    signer_validation_path = await CertificateValidator(
        FROM_CA.signing_cert, FROM_CA.cert_registry,
        validation_context=vc).async_validate_usage(set())
    tsa_validation_path = await CertificateValidator(
        DUMMY_TS.tsa_cert, FROM_CA.cert_registry,
        validation_context=vc).async_validate_usage(set())

    from asn1crypto import x509
    scc = fields.SigCertConstraints(flags=fields.SigCertConstraintFlags.ISSUER
                                    | fields.SigCertConstraintFlags.SUBJECT_DN,
                                    issuers=[INTERM_CERT],
                                    subject_dn=x509.Name.build({
                                        'common_name':
                                        'Alice',
                                        'country_name':
                                        'BE'
                                    }))
    scc.satisfied_by(FROM_CA.signing_cert, signer_validation_path)
    with pytest.raises(UnacceptableSignerError):
        scc.satisfied_by(DUMMY_TS.tsa_cert, tsa_validation_path)

    from asn1crypto import x509
    scc = fields.SigCertConstraints(flags=fields.SigCertConstraintFlags.ISSUER
                                    | fields.SigCertConstraintFlags.SUBJECT_DN,
                                    issuers=[INTERM_CERT],
                                    subject_dn=x509.Name.build({
                                        'common_name':
                                        'Alice & Bob',
                                        'country_name':
                                        'BE'
                                    }))
    with pytest.raises(UnacceptableSignerError):
        scc.satisfied_by(FROM_CA.signing_cert, signer_validation_path)
Example #2
0
async def test_sv_sign_addrevinfo_req(requests_mock):
    sv = fields.SigSeedValueSpec(flags=fields.SigSeedValFlags.ADD_REV_INFO,
                                 add_rev_info=True)
    vc = live_testing_vc(requests_mock)
    meta = signers.PdfSignatureMetadata(
        field_name='Sig',
        validation_context=vc,
        subfilter=fields.SigSeedSubFilter.ADOBE_PKCS7_DETACHED,
        embed_validation_info=True)
    emb_sig = await sign_with_sv(sv, meta)
    status = await async_validate_pdf_ltv_signature(
        emb_sig, RevocationInfoValidationType.ADOBE_STYLE,
        {'trust_roots': TRUST_ROOTS})
    assert status.valid and status.trusted
    assert emb_sig.sig_object['/SubFilter'] == '/adbe.pkcs7.detached'

    meta = signers.PdfSignatureMetadata(
        field_name='Sig',
        validation_context=vc,
        subfilter=fields.SigSeedSubFilter.ADOBE_PKCS7_DETACHED,
        embed_validation_info=False)
    with pytest.raises(SigningError):
        await sign_with_sv(sv, meta)
    await sign_with_sv(sv, meta, test_violation=True)
    meta = signers.PdfSignatureMetadata(
        field_name='Sig',
        validation_context=vc,
        subfilter=fields.SigSeedSubFilter.PADES,
        embed_validation_info=True)
    # this shouldn't work with PAdES
    with pytest.raises(SigningError):
        await sign_with_sv(sv, meta)
    await sign_with_sv(sv, meta, test_violation=True)
Example #3
0
async def test_cert_constraint_issuer(requests_mock):
    vc = live_testing_vc(requests_mock)
    signer_validation_path = await CertificateValidator(
        FROM_CA.signing_cert, FROM_CA.cert_registry,
        validation_context=vc).async_validate_usage(set())
    tsa_validation_path = await CertificateValidator(
        DUMMY_TS.tsa_cert, FROM_CA.cert_registry,
        validation_context=vc).async_validate_usage(set())

    scc = fields.SigCertConstraints(flags=fields.SigCertConstraintFlags.ISSUER,
                                    issuers=[ROOT_CERT])
    scc.satisfied_by(FROM_CA.signing_cert, signer_validation_path)
    scc.satisfied_by(DUMMY_TS.tsa_cert, tsa_validation_path)
    with pytest.raises(UnacceptableSignerError):
        scc.satisfied_by(FROM_CA.signing_cert, None)

    scc = fields.SigCertConstraints(flags=fields.SigCertConstraintFlags.ISSUER,
                                    issuers=[INTERM_CERT])
    scc.satisfied_by(FROM_CA.signing_cert, signer_validation_path)
    with pytest.raises(UnacceptableSignerError):
        scc.satisfied_by(DUMMY_TS.tsa_cert, tsa_validation_path)

    scc = fields.SigCertConstraints(
        flags=fields.SigCertConstraintFlags.ISSUER,
        issuers=[INTERM_CERT, SELF_SIGN.signing_cert])
    scc.satisfied_by(FROM_CA.signing_cert, signer_validation_path)
    with pytest.raises(UnacceptableSignerError):
        scc.satisfied_by(DUMMY_TS.tsa_cert, tsa_validation_path)

    scc = fields.SigCertConstraints(issuers=[INTERM_CERT])
    scc.satisfied_by(FROM_CA.signing_cert, signer_validation_path)
    scc.satisfied_by(DUMMY_TS.tsa_cert, tsa_validation_path)
Example #4
0
async def test_validate_with_malformed_claimed_attrs(bad_attr, requests_mock):
    # This should parse up to the first level and be reencoded by asn1crypto
    #  without asking any questions.
    cms_sig = await FROM_CA.async_sign_general_data(
        b'Hello world', digest_algorithm='sha256',
        signed_attr_settings=PdfCMSSignedAttributes(
            cades_signed_attrs=CAdESSignedAttrSpec(
                signer_attributes=SignerAttrSpec(
                    claimed_attrs=[bad_attr, SAMPLE_GROUP_ATTR],
                    certified_attrs=[]
                )
            )
        )
    )
    status = await async_validate_detached_cms(
        input_data=b'Hello world', signed_data=cms_sig['content'],
        signer_validation_context=live_testing_vc(requests_mock)
    )
    assert isinstance(status, StandardCMSSignatureStatus)
    # The malformed attribute shouldn't have been processed,
    # but the other attrs should've
    assert len(status.cades_signer_attrs.claimed_attrs) == 1
Example #5
0
async def test_parse_ac_with_malformed_attribute(requests_mock):
    attr_cert_cfg = f'''
    test-ac:
      holder:
          name: signer1
          # this needs to match against something from a totally different PKI
          # arch, so make the coupling as loose as possible
          include-base-cert-id: false
          include-entity-name: true
      issuer: root
      attributes:
          - id: charging_identity
            smart-value:
                schema: ietf-attribute
                params: ["Big Corp Inc."]
      validity:
        valid-from: "2000-01-01T00:00:00+0000"
        valid-to: "2100-01-01T00:00:00+0000"
    '''

    pki_arch = PKIArchitecture(
        arch_label=ArchLabel('test'),
        key_set=TESTING_CA.key_set, entities=TESTING_CA.entities,
        cert_spec_config=yaml.safe_load(BASIC_AC_ISSUER_SETUP),
        ac_spec_config=yaml.safe_load(attr_cert_cfg),
        service_config={},
        external_url_prefix='http://test.test',
    )
    spec = pki_arch.get_attr_cert_spec(CertLabel('test-ac'))

    # we have to get a bit creative to get Certomancer to output invalid asn1
    #  in exactly the way we want
    class FakeAttrSpec:
        # noinspection PyUnusedLocal
        def to_asn1(self, arch):
            return NONSENSICAL_ATTR

    # noinspection PyTypeChecker
    spec.attributes.append(FakeAttrSpec())

    cms_sig = await FROM_CA.async_sign_general_data(
        b'Hello world', digest_algorithm='sha256',
        signed_attr_settings=PdfCMSSignedAttributes(
            cades_signed_attrs=CAdESSignedAttrSpec(
                signer_attributes=SignerAttrSpec(
                    certified_attrs=[
                        pki_arch.get_attr_cert(CertLabel('test-ac'))
                    ],
                    claimed_attrs=[]
                )
            )
        )
    )
    vc = live_testing_vc(requests_mock)
    ac_vc = ValidationContext(
        trust_roots=[pki_arch.get_cert(CertLabel('ac-issuer'))],
        allow_fetching=False,
    )
    status = await async_validate_detached_cms(
        input_data=b'Hello world', signed_data=cms_sig['content'],
        signer_validation_context=vc,
        ac_validation_context=ac_vc
    )
    assert isinstance(status, StandardCMSSignatureStatus)
    # The malformed attribute shouldn't have been processed,
    # but the other attrs should've
    assert len(status.cades_signer_attrs.certified_attrs) == 1