Commit 83583e8b authored by Vincent Pelletier's avatar Vincent Pelletier

caucase.tests: Work around cryptography breakage on >28bits OIDs.

As seen at least on cryptography 35.0.0.
Ideally the cutoff would be at 63 or 64 bits, but in practice the breakage
appears well below that.
Bug reported upstream:
  https://github.com/pyca/cryptography/issues/6573
parent 13684357
......@@ -450,7 +450,7 @@ class CertificateAuthority(object):
for policy in certificate_policies.value:
if policy.policy_identifier.dotted_string.startswith(
utils.CAUCASE_LEGACY_OID_TOP
):
): # pragma: no cover
# Always migrate CAUCASE_LEGACY_OID_TOP to CAUCASE_OID_TOP
# by copying current policy and replacing its prefix to the new
# OID prefix
......
......@@ -87,7 +87,60 @@ from caucase.storage import SQLite3Storage
_cryptography_backend = default_backend()
NOT_CAUCASE_OID = '2.25.285541874270823339875695650038637483518'
def _getTestOID():
"""
Some cryptography versions do not tolerate large OIDs. Detect these here.
"""
LONG_UUID = 285541874270823339875695650038637483518
LONG_OID = '2.25.%i' % (LONG_UUID, )
# XXX: this is not a compliant use of the 2.25 OID subtree
SHORT_OID = '2.25.%i' % (LONG_UUID & (2**28 - 1), )
test_private_key = utils.generatePrivateKey(key_len=2048)
def makeAndLoadCSR(oid):
"""
Make a CSR with a policy extension for given OID.
"""
extension = x509.CertificatePolicies([
x509.PolicyInformation(
x509.oid.ObjectIdentifier(oid),
None,
)
])
csr_pem = utils.dump_certificate_request(
x509.CertificateSigningRequestBuilder(
subject_name=x509.Name([
x509.NameAttribute(oid=x509.oid.NameOID.COMMON_NAME, value=u'test'),
]),
).add_extension(
extension,
critical=False,
).sign(
private_key=test_private_key,
algorithm=utils.DEFAULT_DIGEST_CLASS(),
backend=_cryptography_backend,
)
)
# cryptography may succeed in serialising the CSR, but may fail when
# loading it and accessing extensions.
_ = x509.load_pem_x509_csr(
csr_pem,
_cryptography_backend,
).extensions.get_extension_for_class(
extension.__class__,
)
# sanity check
makeAndLoadCSR(SHORT_OID)
try:
# actual verification
makeAndLoadCSR(LONG_OID)
except ValueError: # pragma: no cover
return (False, SHORT_OID)
return (True, LONG_OID) # pragma: no cover
(
_HAS_LONG_OID_SUPPORT,
NOT_CAUCASE_OID,
) = _getTestOID()
del _getTestOID
A_YEAR_IN_SECONDS = 60 * 60 * 24 * 365 # Roughly a year
if sys.version_info[0] >= 3: # pragma: no cover
......@@ -1458,11 +1511,7 @@ class CaucaseTest(TestCase):
x509.IPAddress(ipaddress.IPv4Network(u'127.0.0.0/8')),
x509.IPAddress(ipaddress.IPv6Network(u'::/64')),
])
requested_policies = x509.CertificatePolicies([
x509.PolicyInformation(
x509.oid.ObjectIdentifier(utils.CAUCASE_LEGACY_OID_RESERVED),
None,
),
policy_list = [
x509.PolicyInformation(
x509.oid.ObjectIdentifier(utils.CAUCASE_OID_RESERVED),
None,
......@@ -1471,7 +1520,15 @@ class CaucaseTest(TestCase):
x509.oid.ObjectIdentifier(NOT_CAUCASE_OID),
None,
),
])
]
if _HAS_LONG_OID_SUPPORT: # pragma: no cover
policy_list.append(
x509.PolicyInformation(
x509.oid.ObjectIdentifier(utils.CAUCASE_LEGACY_OID_RESERVED),
None,
),
)
requested_policies = x509.CertificatePolicies(policy_list)
expected_policies = x509.CertificatePolicies([
x509.PolicyInformation(
x509.oid.ObjectIdentifier(NOT_CAUCASE_OID),
......@@ -3481,7 +3538,11 @@ class CaucaseTest(TestCase):
self.assertEqual(os.stat(self._server_db).st_mode & 0o777, 0o600)
self.assertEqual(os.stat(self._server_key).st_mode & 0o777, 0o600)
def testOidMigration(self):
@unittest.skipIf(
not _HAS_LONG_OID_SUPPORT,
'cryptography version lacks >64bits OID support, migration is impossible',
)
def testOidMigration(self): # pragma: no cover
"""Tests OID migration
Monkey patches caucase.utils in order to create user certificate
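Review bot: `_getTestOID` returns a `(bool, str)` pair that is unpacked into `_HAS_LONG_OID_SUPPORT` and `NOT_CAUCASE_OID` at module level, but its docstring only says it detects intolerant cryptography versions; it should state the contract, e.g. `Returns (has_long_oid_support, oid): the boolean tells whether a 128-bit OID arc survives a CSR round-trip, and oid is the widest arc usable as NOT_CAUCASE_OID in the tests.` The fallback branch `except ValueError: # pragma: no cover` also degrades silently, so a cryptography build that fails for an unrelated reason would quietly skip `testOidMigration` (last hunk) and drop the legacy policy from the `policy_list` hunk; a `warnings.warn('cryptography lacks large-OID support, reducing test coverage')` in that branch would make the reduced coverage visible in the test output. Note too that the probe pays for `utils.generatePrivateKey(key_len=2048)` on every import of the module, whether or not the result ends up being used. Whether the upstream failure is only ever a `ValueError` is not visible here, so the caught type may need revisiting once the linked issue is resolved.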
......