Support basic constraints/key usage checks

glasserc · glasserc · commit 0f9fc101a88d · 2019-10-28T18:20:03.000-04:00
diff --git a/autograph_utils/__init__.py b/autograph_utils/__init__.py
@@ -195,6 +195,25 @@ def detail(self):
         )
 
 
+class CertificateCannotSign(BadCertificate):
+    """For intermediate/root certificates that do not have the proper
+    metainformation bits saying that they can be used to sign
+    signatures.
+
+    """
+
+    def __init__(self, cert, extra):
+        self.cert = cert
+        self.extra = extra
+
+    @property
+    def detail(self):
+        return (
+            "Certificate cannot be used for signing "
+            f"because {self.extra}: {self.cert!r}"
+        )
+
+
 class CertificateLeafHasWrongKeyUsage(BadCertificate):
     def __init__(self, cert, key_usage):
         self.cert = cert
@@ -344,6 +363,7 @@ async def verify_x5u(self, url):
 
         current_cert = chain[0]
         for next_cert in chain[1:]:
+            self._check_can_sign_other_certs(current_cert)
             self._verify_cert_link(current_cert, next_cert)
             self._check_name_constraints(current_cert, next_cert)
 
@@ -423,6 +443,20 @@ def _check_name_constraints(self, current_cert, next_cert):
                     nc.excluded_subtrees, current=current_cert, next=next_cert
                 )
 
+    def _check_can_sign_other_certs(self, cert):
+        basic = cert.extensions.get_extension_for_class(
+            cryptography.x509.BasicConstraints
+        ).value
+        if not basic.ca:
+            raise CertificateCannotSign(cert, "ca is false")
+
+        usage = cert.extensions.get_extension_for_class(
+            cryptography.x509.KeyUsage
+        ).value
+        usage_is_ok = usage.key_cert_sign and usage.crl_sign
+        if not usage_is_ok:
+            raise CertificateCannotSign(cert, "key usage is incomplete")
+
 
 def _name_constraint_matches(hostname, name_constraint):
     """Check if a name matches a constraint.
diff --git a/tests/test_autograph_utils.py b/tests/test_autograph_utils.py
@@ -391,6 +391,60 @@ async def test_verify_name_constraints_excludes(
     assert excinfo.value.next == leaf
 
 
+async def test_verify_basic_constraints_must_have_ca(
+    aiohttp_session, mock_with_x5u, cache, now_fixed
+):
+    certs = [
+        cryptography.x509.load_pem_x509_certificate(pem, backend=default_backend())
+        for pem in STAGE_CERT_LIST
+    ]
+    real_intermediate = certs[1]
+    intermediate = mock_cert(real_intermediate)
+    basic_mock = mock.Mock()
+    basic_mock.ca = False
+    mock_cert_extension(intermediate, cryptography.x509.BasicConstraints, basic_mock)
+    certs[1] = intermediate
+
+    with mock.patch("cryptography.x509.load_pem_x509_certificate") as load_cert_mock:
+        load_cert_mock.side_effect = lambda *args, **kwargs: certs.pop(0)
+        s = SignatureVerifier(aiohttp_session, cache, STAGE_ROOT_HASH)
+        with pytest.raises(autograph_utils.CertificateCannotSign) as excinfo:
+            await s.verify_x5u(FAKE_CERT_URL)
+
+    assert excinfo.value.detail.startswith(
+        "Certificate cannot be used for signing because "
+    )
+    assert excinfo.value.cert == intermediate
+    assert excinfo.value.extra == "ca is false"
+
+
+async def test_verify_basic_constraints_must_have_cert_signing(
+    aiohttp_session, mock_with_x5u, cache, now_fixed
+):
+    certs = [
+        cryptography.x509.load_pem_x509_certificate(pem, backend=default_backend())
+        for pem in STAGE_CERT_LIST
+    ]
+    real_intermediate = certs[1]
+    intermediate = mock_cert(real_intermediate)
+    uses_mock = mock.Mock()
+    uses_mock.key_cert_sign = False
+    mock_cert_extension(intermediate, cryptography.x509.KeyUsage, uses_mock)
+    certs[1] = intermediate
+
+    with mock.patch("cryptography.x509.load_pem_x509_certificate") as load_cert_mock:
+        load_cert_mock.side_effect = lambda *args, **kwargs: certs.pop(0)
+        s = SignatureVerifier(aiohttp_session, cache, STAGE_ROOT_HASH)
+        with pytest.raises(autograph_utils.CertificateCannotSign) as excinfo:
+            await s.verify_x5u(FAKE_CERT_URL)
+
+    assert excinfo.value.detail.startswith(
+        "Certificate cannot be used for signing because "
+    )
+    assert excinfo.value.cert == intermediate
+    assert excinfo.value.extra == "key usage is incomplete"
+
+
 async def test_verify_leaf_code_signing(
     aiohttp_session, mock_with_x5u, cache, now_fixed
 ):
