async def test_cert_constraint_composite(requests_mock):
vc = live_testing_vc(requests_mock)
signer_validation_path = await CertificateValidator(
FROM_CA.signing_cert, FROM_CA.cert_registry,
validation_context=vc).async_validate_usage(set())
tsa_validation_path = await CertificateValidator(
DUMMY_TS.tsa_cert, FROM_CA.cert_registry,
validation_context=vc).async_validate_usage(set())
from asn1crypto import x509
scc = fields.SigCertConstraints(flags=fields.SigCertConstraintFlags.ISSUER
| fields.SigCertConstraintFlags.SUBJECT_DN,
issuers=[INTERM_CERT],
subject_dn=x509.Name.build({
'common_name':
'Alice',
'country_name':
'BE'
}))
scc.satisfied_by(FROM_CA.signing_cert, signer_validation_path)
with pytest.raises(UnacceptableSignerError):
scc.satisfied_by(DUMMY_TS.tsa_cert, tsa_validation_path)
from asn1crypto import x509
scc = fields.SigCertConstraints(flags=fields.SigCertConstraintFlags.ISSUER
| fields.SigCertConstraintFlags.SUBJECT_DN,
issuers=[INTERM_CERT],
subject_dn=x509.Name.build({
'common_name':
'Alice & Bob',
'country_name':
'BE'
}))
with pytest.raises(UnacceptableSignerError):
scc.satisfied_by(FROM_CA.signing_cert, signer_validation_path)
async def test_sv_sign_addrevinfo_req(requests_mock):
sv = fields.SigSeedValueSpec(flags=fields.SigSeedValFlags.ADD_REV_INFO,
add_rev_info=True)
vc = live_testing_vc(requests_mock)
meta = signers.PdfSignatureMetadata(
field_name='Sig',
validation_context=vc,
subfilter=fields.SigSeedSubFilter.ADOBE_PKCS7_DETACHED,
embed_validation_info=True)
emb_sig = await sign_with_sv(sv, meta)
status = await async_validate_pdf_ltv_signature(
emb_sig, RevocationInfoValidationType.ADOBE_STYLE,
{'trust_roots': TRUST_ROOTS})
assert status.valid and status.trusted
assert emb_sig.sig_object['/SubFilter'] == '/adbe.pkcs7.detached'
meta = signers.PdfSignatureMetadata(
field_name='Sig',
validation_context=vc,
subfilter=fields.SigSeedSubFilter.ADOBE_PKCS7_DETACHED,
embed_validation_info=False)
with pytest.raises(SigningError):
await sign_with_sv(sv, meta)
await sign_with_sv(sv, meta, test_violation=True)
meta = signers.PdfSignatureMetadata(
field_name='Sig',
validation_context=vc,
subfilter=fields.SigSeedSubFilter.PADES,
embed_validation_info=True)
# this shouldn't work with PAdES
with pytest.raises(SigningError):
await sign_with_sv(sv, meta)
await sign_with_sv(sv, meta, test_violation=True)
async def test_cert_constraint_issuer(requests_mock):
vc = live_testing_vc(requests_mock)
signer_validation_path = await CertificateValidator(
FROM_CA.signing_cert, FROM_CA.cert_registry,
validation_context=vc).async_validate_usage(set())
tsa_validation_path = await CertificateValidator(
DUMMY_TS.tsa_cert, FROM_CA.cert_registry,
validation_context=vc).async_validate_usage(set())
scc = fields.SigCertConstraints(flags=fields.SigCertConstraintFlags.ISSUER,
issuers=[ROOT_CERT])
scc.satisfied_by(FROM_CA.signing_cert, signer_validation_path)
scc.satisfied_by(DUMMY_TS.tsa_cert, tsa_validation_path)
with pytest.raises(UnacceptableSignerError):
scc.satisfied_by(FROM_CA.signing_cert, None)
scc = fields.SigCertConstraints(flags=fields.SigCertConstraintFlags.ISSUER,
issuers=[INTERM_CERT])
scc.satisfied_by(FROM_CA.signing_cert, signer_validation_path)
with pytest.raises(UnacceptableSignerError):
scc.satisfied_by(DUMMY_TS.tsa_cert, tsa_validation_path)
scc = fields.SigCertConstraints(
flags=fields.SigCertConstraintFlags.ISSUER,
issuers=[INTERM_CERT, SELF_SIGN.signing_cert])
scc.satisfied_by(FROM_CA.signing_cert, signer_validation_path)
with pytest.raises(UnacceptableSignerError):
scc.satisfied_by(DUMMY_TS.tsa_cert, tsa_validation_path)
scc = fields.SigCertConstraints(issuers=[INTERM_CERT])
scc.satisfied_by(FROM_CA.signing_cert, signer_validation_path)
scc.satisfied_by(DUMMY_TS.tsa_cert, tsa_validation_path)
async def test_validate_with_malformed_claimed_attrs(bad_attr, requests_mock):
# This should parse up to the first level and be reencoded by asn1crypto
# without asking any questions.
cms_sig = await FROM_CA.async_sign_general_data(
b'Hello world', digest_algorithm='sha256',
signed_attr_settings=PdfCMSSignedAttributes(
cades_signed_attrs=CAdESSignedAttrSpec(
signer_attributes=SignerAttrSpec(
claimed_attrs=[bad_attr, SAMPLE_GROUP_ATTR],
certified_attrs=[]
)
)
)
)
status = await async_validate_detached_cms(
input_data=b'Hello world', signed_data=cms_sig['content'],
signer_validation_context=live_testing_vc(requests_mock)
)
assert isinstance(status, StandardCMSSignatureStatus)
# The malformed attribute shouldn't have been processed,
# but the other attrs should've
assert len(status.cades_signer_attrs.claimed_attrs) == 1
async def test_parse_ac_with_malformed_attribute(requests_mock):
attr_cert_cfg = f'''
test-ac:
holder:
name: signer1
# this needs to match against something from a totally different PKI
# arch, so make the coupling as loose as possible
include-base-cert-id: false
include-entity-name: true
issuer: root
attributes:
- id: charging_identity
smart-value:
schema: ietf-attribute
params: ["Big Corp Inc."]
validity:
valid-from: "2000-01-01T00:00:00+0000"
valid-to: "2100-01-01T00:00:00+0000"
'''
pki_arch = PKIArchitecture(
arch_label=ArchLabel('test'),
key_set=TESTING_CA.key_set, entities=TESTING_CA.entities,
cert_spec_config=yaml.safe_load(BASIC_AC_ISSUER_SETUP),
ac_spec_config=yaml.safe_load(attr_cert_cfg),
service_config={},
external_url_prefix='http://test.test',
)
spec = pki_arch.get_attr_cert_spec(CertLabel('test-ac'))
# we have to get a bit creative to get Certomancer to output invalid asn1
# in exactly the way we want
class FakeAttrSpec:
# noinspection PyUnusedLocal
def to_asn1(self, arch):
return NONSENSICAL_ATTR
# noinspection PyTypeChecker
spec.attributes.append(FakeAttrSpec())
cms_sig = await FROM_CA.async_sign_general_data(
b'Hello world', digest_algorithm='sha256',
signed_attr_settings=PdfCMSSignedAttributes(
cades_signed_attrs=CAdESSignedAttrSpec(
signer_attributes=SignerAttrSpec(
certified_attrs=[
pki_arch.get_attr_cert(CertLabel('test-ac'))
],
claimed_attrs=[]
)
)
)
)
vc = live_testing_vc(requests_mock)
ac_vc = ValidationContext(
trust_roots=[pki_arch.get_cert(CertLabel('ac-issuer'))],
allow_fetching=False,
)
status = await async_validate_detached_cms(
input_data=b'Hello world', signed_data=cms_sig['content'],
signer_validation_context=vc,
ac_validation_context=ac_vc
)
assert isinstance(status, StandardCMSSignatureStatus)
# The malformed attribute shouldn't have been processed,
# but the other attrs should've
assert len(status.cades_signer_attrs.certified_attrs) == 1