Merge pull request #5 from mozilla-services/chain-of-trust

glasserc · web-flow · commit d9ee800d6d02 · 2019-11-11T19:21:55.000-05:00
Chain of trust
diff --git a/autograph_utils/__init__.py b/autograph_utils/__init__.py
@@ -18,6 +18,8 @@
 from cryptography import x509
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.asymmetric import ec as cryptography_ec
+from cryptography.hazmat.primitives.asymmetric import padding
+from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
 from cryptography.hazmat.primitives.asymmetric.utils import encode_dss_signature
 from cryptography.hazmat.primitives.hashes import SHA256, SHA384
 from cryptography.x509.oid import NameOID
@@ -128,6 +130,19 @@ def detail(self):
         return f"Certificate expired on {self.not_after}"
 
 
+class CertificateHasWrongRoot(BadCertificate):
+    def __init__(self, *, expected, actual):
+        self.expected = binascii.hexlify(expected).decode()
+        self.actual = binascii.hexlify(actual).decode()
+
+    @property
+    def detail(self):
+        return (
+            "Certificate is not based on expected root hash. "
+            f"Got {self.actual!r} expected {self.expected!r}"
+        )
+
+
 class CertificateHasWrongSubject(BadCertificate):
     def __init__(self, actual, check_description):
         self.check_description = check_description
@@ -141,6 +156,90 @@ def detail(self):
         )
 
 
+class CertificateChainBroken(BadCertificate):
+    def __init__(self, previous_cert, next_cert):
+        self.previous_cert = previous_cert
+        self.next_cert = next_cert
+
+    @property
+    def detail(self):
+        return (
+            "Certificate chain is not continuous. "
+            f"Expected {self.previous_cert!r} to sign {self.next_cert!r}"
+        )
+
+
+class CertificateUnsupportedKeyType(BadCertificate):
+    """An internal error indicating that support for some type of key is missing."""
+
+    def __init__(self, cert, key):
+        self.cert = cert
+        self.key = key
+
+    @property
+    def detail(self):
+        return f"Unknown public key type for {self.cert!r}: {self.key!r}"
+
+
+class CertificateChainNameNotPermitted(BadCertificate):
+    def __init__(self, permitted_subtrees, current, next):
+        self.permitted_subtrees = permitted_subtrees
+        self.current = current
+        self.next = next
+
+    @property
+    def detail(self):
+        return (
+            f"Certificate name of {self.next!r} does not match the permitted names "
+            f"for {self.current!r}: {self.permitted_subtrees!r}"
+        )
+
+
+class CertificateCannotSign(BadCertificate):
+    """For intermediate/root certificates that do not have the proper
+    metadata bits saying that they can be used to sign signatures.
+
+    """
+
+    def __init__(self, cert, extra):
+        self.cert = cert
+        self.extra = extra
+
+    @property
+    def detail(self):
+        return (
+            "Certificate cannot be used for signing "
+            f"because {self.extra}: {self.cert!r}"
+        )
+
+
+class CertificateLeafHasWrongKeyUsage(BadCertificate):
+    def __init__(self, cert, key_usage):
+        self.cert = cert
+        self.key_usage = key_usage
+
+    @property
+    def detail(self):
+        return (
+            f"Leaf certificate {self.cert!r} should have extended key usage of just "
+            f"Code Signing. Got {self.key_usage!r}"
+        )
+
+
+class CertificateChainNameExcluded(BadCertificate):
+    def __init__(self, excluded_subtrees, current, next):
+        self.excluded_subtrees = excluded_subtrees
+        self.current = current
+        self.next = next
+
+    @property
+    def detail(self):
+        return (
+            f"Certificate name of {self.next!r} matches the excluded names "
+            f"for {self.current!r}: {self.excluded_subtrees!r}"
+        )
+
+
 class BadSignature(Exception):
     detail = "Unknown signature problem"
 
@@ -255,6 +354,20 @@ async def verify_x5u(self, url):
             if now > cert.not_valid_after:
                 raise CertificateExpired(cert.not_valid_after)
 
+        # Verify chain of trust.
+        chain = certs[::-1]
+        root_hash = chain[0].fingerprint(SHA256())
+        if root_hash != self.root_hash:
+            raise CertificateHasWrongRoot(expected=self.root_hash, actual=root_hash)
+
+        current_cert = chain[0]
+        for next_cert in chain[1:]:
+            self._check_can_sign_other_certs(current_cert)
+            self._verify_cert_link(current_cert, next_cert)
+            self._check_name_constraints(current_cert, next_cert)
+
+            current_cert = next_cert
+
         leaf_subject_name = (
             certs[0].subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
         )
@@ -263,13 +376,107 @@ async def verify_x5u(self, url):
                 leaf_subject_name, check_description=self.subject_name_check.describe()
             )
 
-        root_hash = certs[-1].fingerprint(SHA256())
-        assert root_hash == self.root_hash
+        code_signing = cryptography.x509.oid.ExtendedKeyUsageOID.CODE_SIGNING
+        extended_key_usage = (
+            certs[0]
+            .extensions.get_extension_for_class(cryptography.x509.ExtendedKeyUsage)
+            .value
+        )
+        if list(extended_key_usage) != [code_signing]:
+            raise CertificateLeafHasWrongKeyUsage(certs[0], extended_key_usage)
 
         res = certs[0]
         self.cache.set(url, res)
         return res
 
+    def _verify_cert_link(self, current_cert, next_cert):
+        """Verify a single link in a cert chain.
+
+        """
+        key = current_cert.public_key()
+        if isinstance(key, RSAPublicKey):
+            try:
+                key.verify(
+                    next_cert.signature,
+                    next_cert.tbs_certificate_bytes,
+                    padding.PKCS1v15(),
+                    next_cert.signature_hash_algorithm,
+                )
+            except cryptography.exceptions.InvalidSignature:
+                raise CertificateChainBroken(current_cert, next_cert)
+        elif isinstance(key, cryptography_ec.EllipticCurvePublicKey):
+            try:
+                key.verify(
+                    next_cert.signature,
+                    next_cert.tbs_certificate_bytes,
+                    cryptography_ec.ECDSA(next_cert.signature_hash_algorithm),
+                )
+            except cryptography.exceptions.InvalidSignature:
+                raise CertificateChainBroken(current_cert, next_cert)
+        else:
+            raise CertificateUnsupportedKeyType(current_cert, key)
+
+    def _check_name_constraints(self, current_cert, next_cert):
+        try:
+            nc = current_cert.extensions.get_extension_for_class(
+                cryptography.x509.NameConstraints
+            ).value
+        except x509.ExtensionNotFound:
+            # No name constraints. This cert is therefore OK to sign
+            # any name whatsoever.
+            return
+
+        name = next_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
+        if nc.permitted_subtrees:
+            for constraint in nc.permitted_subtrees:
+                if _name_constraint_matches(name, constraint):
+                    break
+            else:
+                raise CertificateChainNameNotPermitted(
+                    nc.permitted_subtrees, current=current_cert, next=next_cert
+                )
+
+        excluded_subtrees = nc.excluded_subtrees or []
+
+        for constraint in excluded_subtrees:
+            if _name_constraint_matches(name, constraint):
+                raise CertificateChainNameExcluded(
+                    nc.excluded_subtrees, current=current_cert, next=next_cert
+                )
+
+    def _check_can_sign_other_certs(self, cert):
+        basic = cert.extensions.get_extension_for_class(
+            cryptography.x509.BasicConstraints
+        ).value
+        if not basic.ca:
+            raise CertificateCannotSign(cert, "ca is false")
+
+        usage = cert.extensions.get_extension_for_class(
+            cryptography.x509.KeyUsage
+        ).value
+        usage_is_ok = usage.key_cert_sign and usage.crl_sign
+        if not usage_is_ok:
+            raise CertificateCannotSign(cert, "key usage is incomplete")
+
+
+def _name_constraint_matches(hostname, name_constraint):
+    """Check if a name matches a constraint.
+
+    Taken from
+    https://github.com/alex/x509-validator/blob/master/validator.py.
+
+    """
+    if not isinstance(name_constraint, x509.DNSName):
+        return False
+    constraint_hostname = name_constraint.value
+
+    if constraint_hostname.startswith("."):
+        return hostname.endswith(constraint_hostname)
+    else:
+        return hostname == constraint_hostname or hostname.endswith(
+            "." + constraint_hostname
+        )
+
 
 def split_pem(s):
     """Split a string containing many ASCII-armored PEM structures.
diff --git a/tests/normandy.content-signature.mozilla.org-2019-12-04-18-15-23.chain b/tests/normandy.content-signature.mozilla.org-2019-12-04-18-15-23.chain
@@ -0,0 +1,94 @@
+-----BEGIN CERTIFICATE-----
+MIIC9jCCAnugAwIBAgIIFc3kt9BoLrYwCgYIKoZIzj0EAwMwgaMxCzAJBgNVBAYT
+AlVTMRwwGgYDVQQKExNNb3ppbGxhIENvcnBvcmF0aW9uMS8wLQYDVQQLEyZNb3pp
+bGxhIEFNTyBQcm9kdWN0aW9uIFNpZ25pbmcgU2VydmljZTFFMEMGA1UEAww8Q29u
+dGVudCBTaWduaW5nIEludGVybWVkaWF0ZS9lbWFpbEFkZHJlc3M9Zm94c2VjQG1v
+emlsbGEuY29tMB4XDTE5MDkxNTE4MTUyM1oXDTE5MTIwNDE4MTUyM1owgaIxCzAJ
+BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFp
+biBWaWV3MRwwGgYDVQQKExNNb3ppbGxhIENvcnBvcmF0aW9uMRcwFQYDVQQLEw5D
+bG91ZCBTZXJ2aWNlczEvMC0GA1UEAxMmbm9ybWFuZHkuY29udGVudC1zaWduYXR1
+cmUubW96aWxsYS5vcmcwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQOOLFQYkC6GJxU
+/aQ3JhVMhXbWlMomiUp/dPkZzXNmP+ETpg6jRWrE+cn/MHeoQDXzGAvq+nFdtg41
+KentqOEC8ZIp92rf30wf7ZQTLmBKcorQr7fqrqR/iq05ZBgUcnWjezB5MA4GA1Ud
+DwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAfBgNVHSMEGDAWgBQlZawr
+qt0eUz/t6OdN45oKfmzy6DAxBgNVHREEKjAogiZub3JtYW5keS5jb250ZW50LXNp
+Z25hdHVyZS5tb3ppbGxhLm9yZzAKBggqhkjOPQQDAwNpADBmAjEA7pOfGEFQuzQj
+9gfA/HdQaTbPG1uxxC4G9Z/glfmN2C6HhfF/hoYbtumkiDk1/uYLAjEA51kt/QWq
+S/XsYvIoYME2k+FlOORyag3vgAh4hqBzENI2GI1suRiWpy+Kabj4nRHi
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIF1TCCA72gAwIBAgIEAQAAAjANBgkqhkiG9w0BAQsFADCBqDELMAkGA1UEBhMC
+VVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRwwGgYDVQQK
+ExNBZGRvbnMgVGVzdCBTaWduaW5nMSQwIgYDVQQDExt0ZXN0LmFkZG9ucy5zaWdu
+aW5nLnJvb3QuY2ExMDAuBgkqhkiG9w0BCQEWIW9wc2VjK3N0YWdlcm9vdGFkZG9u
+c0Btb3ppbGxhLmNvbTAeFw0xOTAyMTMyMDA5MDVaFw0yMTAyMTIyMDA5MDVaMIGj
+MQswCQYDVQQGEwJVUzEcMBoGA1UEChMTTW96aWxsYSBDb3Jwb3JhdGlvbjEvMC0G
+A1UECxMmTW96aWxsYSBBTU8gUHJvZHVjdGlvbiBTaWduaW5nIFNlcnZpY2UxRTBD
+BgNVBAMMPENvbnRlbnQgU2lnbmluZyBJbnRlcm1lZGlhdGUvZW1haWxBZGRyZXNz
+PWZveHNlY0Btb3ppbGxhLmNvbTB2MBAGByqGSM49AgEGBSuBBAAiA2IABHDV3ITF
+Xlo2Ick9r99Uc7qTEmfehktWi0nQPMVkD2vWxB/yLT6/vw+DT9zedMDJlZ+RQvO8
+6kpgr8YQYG2KzEKQMn4Xc24s+lIiDd9fbmkfQsTXl+8BIFVyvy0otUd46aOCAbYw
+ggGyMAwGA1UdEwQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMBYGA1UdJQEB/wQMMAoG
+CCsGAQUFBwMDMB0GA1UdDgQWBBQlZawrqt0eUz/t6OdN45oKfmzy6DCB1QYDVR0j
+BIHNMIHKgBSE6l/Nb0ySL+rR9PXIo7LCDLqm9qGBrqSBqzCBqDELMAkGA1UEBhMC
+VVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRwwGgYDVQQK
+ExNBZGRvbnMgVGVzdCBTaWduaW5nMSQwIgYDVQQDExt0ZXN0LmFkZG9ucy5zaWdu
+aW5nLnJvb3QuY2ExMDAuBgkqhkiG9w0BCQEWIW9wc2VjK3N0YWdlcm9vdGFkZG9u
+c0Btb3ppbGxhLmNvbYIBATAzBglghkgBhvhCAQQEJhYkaHR0cDovL2FkZG9ucy5h
+bGxpem9tLm9yZy9jYS9jcmwucGVtME4GA1UdHgRHMEWgQzAggh4uY29udGVudC1z
+aWduYXR1cmUubW96aWxsYS5vcmcwH4IdY29udGVudC1zaWduYXR1cmUubW96aWxs
+YS5vcmcwDQYJKoZIhvcNAQELBQADggIBAHcshk/LD4STyAdiqiNlt+lNEW8CvW+Y
+Y3WAQGLoKrQdE3gAvrc0RxeLdLbp1jyxGzrRWY95IJvdTHjpeZBQrz4+NSv9t9hd
+cQtLbXN2rb8+q9U3Z5bxuqMgynaNVX2ax/dwHOl7Elg99ukOtYvhdAlzZlNW+o2M
+m2SYqe0zKbPH6wGMB9JAOhKtY2C+3VlxZyC6IvuzGF0VbKGIHO7sMnnJXqXAhrjv
+pq8lBMC1+BAgVKuN0OrU9aVxFl3sx1UhvKnLHbbHb2y+Dmfrrj2aViP8wkm7TmuP
+pYFE4c53n0+jDp7eSdinzKZLb70q1AgpkyuR5MIDjWxVhIVNr/T/1ZZx4iftF0BW
+Wtriel/JqIBLbBum0d2QD0fGDam9ia8HqEG28P9Q/SJrLI1hTQTaKW46BqAIb/c/
+7RyyE3C3X7ATjj8ksgHgi5P6u0pHl7HPsqWEMZodleLlVy/BX2sbx6EbK2E/CTsp
+DkpiqcDBISzXwGztMkA5L3WkbJwZc1stNWe0LLXmaVqFIvyJXSpa+4N5F09e/nEf
+VqqAwTewqkApsV1nc+aLAxUxK3VBZJ7xtJalwiqGALXhRSADsFMV5nvv7mWQyxvb
+WawvwHt8BrO0k3dRlXqx0w1yP9MZibBoX0MT+IntNHp45/cxb9i/6PLAxhWriIiE
+y2t6gkAeRU3f
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIHYzCCBUugAwIBAgIBATANBgkqhkiG9w0BAQwFADCBqDELMAkGA1UEBhMCVVMx
+CzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRwwGgYDVQQKExNB
+ZGRvbnMgVGVzdCBTaWduaW5nMSQwIgYDVQQDExt0ZXN0LmFkZG9ucy5zaWduaW5n
+LnJvb3QuY2ExMDAuBgkqhkiG9w0BCQEWIW9wc2VjK3N0YWdlcm9vdGFkZG9uc0Bt
+b3ppbGxhLmNvbTAeFw0xNTAyMTAxNTI4NTFaFw0yNTAyMDcxNTI4NTFaMIGoMQsw
+CQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcx
+HDAaBgNVBAoTE0FkZG9ucyBUZXN0IFNpZ25pbmcxJDAiBgNVBAMTG3Rlc3QuYWRk
+b25zLnNpZ25pbmcucm9vdC5jYTEwMC4GCSqGSIb3DQEJARYhb3BzZWMrc3RhZ2Vy
+b290YWRkb25zQG1vemlsbGEuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
+CgKCAgEAv/OSHh5uUMMKKuBh83kikuJ+BW4fQCHVZvADZh2qHNH8pSaME/YqMItP
+5XQ1N5oLq1tRQO77AKn+eYPDAQkg+9VV+ct4u76YctcU/gvjieGKQ0fvuDH18QLD
+hqa4DHgDmpCa/w+Eqzd54HaFj7ew9Bb7GZPHuZfk7Ct9fcN6kHneEj3KeuLiqzSV
+VCRFV9RTlrUdsc1/VwF4A97JTXc3HJeWJO3azOlFpaJ8QHhmgXLLmB59HPeZ10Sf
+9QwVGaKcn7yLuwtIA+wDhs8iwGZWcgmknW4DkkRDbQo7L+//4kVK+Yqq0HamZArm
+vE4xENvbwOze4XYkCO3PwgmCotU7K5D3sMUUxkOaodlemO9OqRW8vJOJH3b6mhST
+aunQR9/GOJ7sl4egrn2fOVZhBvM29lyBCKBffeQgtIMcKpeEKa4TNx4nTrWu1J9k
+jHlvNeVL3FzMzJXRPl0RV71cYak+G6GnQ4fg3+4ZSSPxTvbwRJAO2xajkURxFSZo
+sXcjYG8iPTSrDazj4LN2+882t4Q2/rMYpkowwLGbvJqHiw2tg9/hpLn1K4W18vcC
+vFgzNRrTdKaJ/KjD17eJl8s8oPA7TiophPeezy1WzAc4mdlXS6A85b0mKDDU2A/4
+3YmltjsSmizR2LnfeNs125EsCWxSUrAsnUYRO+lJOyNr7GGKGscCAwZVN6OCAZQw
+ggGQMAwGA1UdEwQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMBYGA1UdJQEB/wQMMAoG
+CCsGAQUFBwMDMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0
+aWZpY2F0ZTAzBglghkgBhvhCAQQEJhYkaHR0cDovL2FkZG9ucy5tb3ppbGxhLm9y
+Zy9jYS9jcmwucGVtMB0GA1UdDgQWBBSE6l/Nb0ySL+rR9PXIo7LCDLqm9jCB1QYD
+VR0jBIHNMIHKgBSE6l/Nb0ySL+rR9PXIo7LCDLqm9qGBrqSBqzCBqDELMAkGA1UE
+BhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRwwGgYD
+VQQKExNBZGRvbnMgVGVzdCBTaWduaW5nMSQwIgYDVQQDExt0ZXN0LmFkZG9ucy5z
+aWduaW5nLnJvb3QuY2ExMDAuBgkqhkiG9w0BCQEWIW9wc2VjK3N0YWdlcm9vdGFk
+ZG9uc0Btb3ppbGxhLmNvbYIBATANBgkqhkiG9w0BAQwFAAOCAgEAck21RaAcTzbT
+vmqqcCezBd5Gej6jV53HItXfF06tLLzAxKIU1loLH/330xDdOGyiJdvUATDVn8q6
+5v4Kae2awON6ytWZp9b0sRdtlLsRo8EWOoRszCqiMWdl1gnGMaV7e2ycz/tR+PoK
+GxHCh8rbOtG0eiVJIyRijLDjtExW8Eg+uz6Zkg1IWXqInj7Gqr23FOqD76uAfE82
+YTWW3lzxpP3gL7pmV5G7ob/tIyAfrPEB4w0Nt2HEl9h7NDtKPMprrOLPkrI9eAVU
+QeeI3RpAKnXOFQkqPYPXIlAaJ6qxtYa6tWHOqRyS1xKnvy/uWjEtU3tYJ5eUL1+2
+vzNTdakJgkZDRdDNg0V3NYwza6BwL80VPSfqc1H6R8CU1uj+kjTlCEsoTPLeW7k5
+t+lKHFMj0HZLNymgDD5f9UpI7yiOAIF0z4WKAMv/f12vnAPwmOPuOikRNOv0nNuL
+RIpKO53Cd7aV5PdB0pNSPNjc6V+5IPrepALNQhKIpzoHA4oG+LlVVy4R3csPcj4e
+zQQ9gt3NC2OXF4hveHfKZdCnb+BBl4S71QMYYCCTe+EDCsIGuyXWD/K2hfLD8TPW
+thPX5WNsS8bwno2ccqncVLQ4PZxOIB83DFBFmAvTuBiAYWq874rneTXqInHyeCq+
+819l9s72pDsFaGevmm0Us9bYuufTS5U=
+-----END CERTIFICATE-----
diff --git a/tests/test_autograph_utils.py b/tests/test_autograph_utils.py
