Support stage cert chain, including certs with ECDSA public keys

glasserc · glasserc · commit f9fe714a306f · 2019-10-28T14:25:36.000-04:00
diff --git a/autograph_utils/__init__.py b/autograph_utils/__init__.py
@@ -19,6 +19,7 @@
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.asymmetric import ec as cryptography_ec
 from cryptography.hazmat.primitives.asymmetric import padding
+from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
 from cryptography.hazmat.primitives.asymmetric.utils import encode_dss_signature
 from cryptography.hazmat.primitives.hashes import SHA256, SHA384
 from cryptography.x509.oid import NameOID
@@ -168,6 +169,18 @@ def detail(self):
         )
 
 
+class CertificateUnknownPublicKey(BadCertificate):
+    """An internal error indicating that support for some type of key is missing."""
+
+    def __init__(self, cert, key):
+        self.cert = cert
+        self.key = key
+
+    @property
+    def detail(self):
+        return f"Unknown public key type for {self.cert!r}: {self.key!r}"
+
+
 class CertificateLeafHasWrongKeyUsage(BadCertificate):
     def __init__(self, cert, key_usage):
         self.cert = cert
@@ -303,15 +316,8 @@ async def verify_x5u(self, url):
 
         current_cert = chain[0]
         for next_cert in chain[1:]:
-            try:
-                current_cert.public_key().verify(
-                    next_cert.signature,
-                    next_cert.tbs_certificate_bytes,
-                    padding.PKCS1v15(),
-                    next_cert.signature_hash_algorithm,
-                )
-            except cryptography.exceptions.InvalidSignature:
-                raise CertificateChainBroken(current_cert, next_cert)
+            self._verify_cert_link(current_cert, next_cert)
+
             current_cert = next_cert
 
         leaf_subject_name = (
@@ -335,6 +341,33 @@ async def verify_x5u(self, url):
         self.cache.set(url, res)
         return res
 
+    def _verify_cert_link(self, current_cert, next_cert):
+        """Verify a single link in a cert chain.
+
+        """
+        key = current_cert.public_key()
+        if isinstance(key, RSAPublicKey):
+            try:
+                key.verify(
+                    next_cert.signature,
+                    next_cert.tbs_certificate_bytes,
+                    padding.PKCS1v15(),
+                    next_cert.signature_hash_algorithm,
+                )
+            except cryptography.exceptions.InvalidSignature:
+                raise CertificateChainBroken(current_cert, next_cert)
+        elif isinstance(key, cryptography_ec.EllipticCurvePublicKey):
+            try:
+                key.verify(
+                    next_cert.signature,
+                    next_cert.tbs_certificate_bytes,
+                    cryptography_ec.ECDSA(next_cert.signature_hash_algorithm),
+                )
+            except cryptography.exceptions.InvalidSignature:
+                raise CertificateChainBroken(current_cert, next_cert)
+        else:
+            raise CertificateUnknownPublicKey(current_cert, key)
+
 
 def split_pem(s):
     """Split a string containing many ASCII-armored PEM structures.
diff --git a/tests/normandy.content-signature.mozilla.org-2019-12-04-18-15-23.chain b/tests/normandy.content-signature.mozilla.org-2019-12-04-18-15-23.chain
@@ -0,0 +1,94 @@
+-----BEGIN CERTIFICATE-----
+MIIC9jCCAnugAwIBAgIIFc3kt9BoLrYwCgYIKoZIzj0EAwMwgaMxCzAJBgNVBAYT
+AlVTMRwwGgYDVQQKExNNb3ppbGxhIENvcnBvcmF0aW9uMS8wLQYDVQQLEyZNb3pp
+bGxhIEFNTyBQcm9kdWN0aW9uIFNpZ25pbmcgU2VydmljZTFFMEMGA1UEAww8Q29u
+dGVudCBTaWduaW5nIEludGVybWVkaWF0ZS9lbWFpbEFkZHJlc3M9Zm94c2VjQG1v
+emlsbGEuY29tMB4XDTE5MDkxNTE4MTUyM1oXDTE5MTIwNDE4MTUyM1owgaIxCzAJ
+BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFp
+biBWaWV3MRwwGgYDVQQKExNNb3ppbGxhIENvcnBvcmF0aW9uMRcwFQYDVQQLEw5D
+bG91ZCBTZXJ2aWNlczEvMC0GA1UEAxMmbm9ybWFuZHkuY29udGVudC1zaWduYXR1
+cmUubW96aWxsYS5vcmcwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQOOLFQYkC6GJxU
+/aQ3JhVMhXbWlMomiUp/dPkZzXNmP+ETpg6jRWrE+cn/MHeoQDXzGAvq+nFdtg41
+KentqOEC8ZIp92rf30wf7ZQTLmBKcorQr7fqrqR/iq05ZBgUcnWjezB5MA4GA1Ud
+DwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAfBgNVHSMEGDAWgBQlZawr
+qt0eUz/t6OdN45oKfmzy6DAxBgNVHREEKjAogiZub3JtYW5keS5jb250ZW50LXNp
+Z25hdHVyZS5tb3ppbGxhLm9yZzAKBggqhkjOPQQDAwNpADBmAjEA7pOfGEFQuzQj
+9gfA/HdQaTbPG1uxxC4G9Z/glfmN2C6HhfF/hoYbtumkiDk1/uYLAjEA51kt/QWq
+S/XsYvIoYME2k+FlOORyag3vgAh4hqBzENI2GI1suRiWpy+Kabj4nRHi
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIF1TCCA72gAwIBAgIEAQAAAjANBgkqhkiG9w0BAQsFADCBqDELMAkGA1UEBhMC
+VVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRwwGgYDVQQK
+ExNBZGRvbnMgVGVzdCBTaWduaW5nMSQwIgYDVQQDExt0ZXN0LmFkZG9ucy5zaWdu
+aW5nLnJvb3QuY2ExMDAuBgkqhkiG9w0BCQEWIW9wc2VjK3N0YWdlcm9vdGFkZG9u
+c0Btb3ppbGxhLmNvbTAeFw0xOTAyMTMyMDA5MDVaFw0yMTAyMTIyMDA5MDVaMIGj
+MQswCQYDVQQGEwJVUzEcMBoGA1UEChMTTW96aWxsYSBDb3Jwb3JhdGlvbjEvMC0G
+A1UECxMmTW96aWxsYSBBTU8gUHJvZHVjdGlvbiBTaWduaW5nIFNlcnZpY2UxRTBD
+BgNVBAMMPENvbnRlbnQgU2lnbmluZyBJbnRlcm1lZGlhdGUvZW1haWxBZGRyZXNz
+PWZveHNlY0Btb3ppbGxhLmNvbTB2MBAGByqGSM49AgEGBSuBBAAiA2IABHDV3ITF
+Xlo2Ick9r99Uc7qTEmfehktWi0nQPMVkD2vWxB/yLT6/vw+DT9zedMDJlZ+RQvO8
+6kpgr8YQYG2KzEKQMn4Xc24s+lIiDd9fbmkfQsTXl+8BIFVyvy0otUd46aOCAbYw
+ggGyMAwGA1UdEwQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMBYGA1UdJQEB/wQMMAoG
+CCsGAQUFBwMDMB0GA1UdDgQWBBQlZawrqt0eUz/t6OdN45oKfmzy6DCB1QYDVR0j
+BIHNMIHKgBSE6l/Nb0ySL+rR9PXIo7LCDLqm9qGBrqSBqzCBqDELMAkGA1UEBhMC
+VVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRwwGgYDVQQK
+ExNBZGRvbnMgVGVzdCBTaWduaW5nMSQwIgYDVQQDExt0ZXN0LmFkZG9ucy5zaWdu
+aW5nLnJvb3QuY2ExMDAuBgkqhkiG9w0BCQEWIW9wc2VjK3N0YWdlcm9vdGFkZG9u
+c0Btb3ppbGxhLmNvbYIBATAzBglghkgBhvhCAQQEJhYkaHR0cDovL2FkZG9ucy5h
+bGxpem9tLm9yZy9jYS9jcmwucGVtME4GA1UdHgRHMEWgQzAggh4uY29udGVudC1z
+aWduYXR1cmUubW96aWxsYS5vcmcwH4IdY29udGVudC1zaWduYXR1cmUubW96aWxs
+YS5vcmcwDQYJKoZIhvcNAQELBQADggIBAHcshk/LD4STyAdiqiNlt+lNEW8CvW+Y
+Y3WAQGLoKrQdE3gAvrc0RxeLdLbp1jyxGzrRWY95IJvdTHjpeZBQrz4+NSv9t9hd
+cQtLbXN2rb8+q9U3Z5bxuqMgynaNVX2ax/dwHOl7Elg99ukOtYvhdAlzZlNW+o2M
+m2SYqe0zKbPH6wGMB9JAOhKtY2C+3VlxZyC6IvuzGF0VbKGIHO7sMnnJXqXAhrjv
+pq8lBMC1+BAgVKuN0OrU9aVxFl3sx1UhvKnLHbbHb2y+Dmfrrj2aViP8wkm7TmuP
+pYFE4c53n0+jDp7eSdinzKZLb70q1AgpkyuR5MIDjWxVhIVNr/T/1ZZx4iftF0BW
+Wtriel/JqIBLbBum0d2QD0fGDam9ia8HqEG28P9Q/SJrLI1hTQTaKW46BqAIb/c/
+7RyyE3C3X7ATjj8ksgHgi5P6u0pHl7HPsqWEMZodleLlVy/BX2sbx6EbK2E/CTsp
+DkpiqcDBISzXwGztMkA5L3WkbJwZc1stNWe0LLXmaVqFIvyJXSpa+4N5F09e/nEf
+VqqAwTewqkApsV1nc+aLAxUxK3VBZJ7xtJalwiqGALXhRSADsFMV5nvv7mWQyxvb
+WawvwHt8BrO0k3dRlXqx0w1yP9MZibBoX0MT+IntNHp45/cxb9i/6PLAxhWriIiE
+y2t6gkAeRU3f
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIHYzCCBUugAwIBAgIBATANBgkqhkiG9w0BAQwFADCBqDELMAkGA1UEBhMCVVMx
+CzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRwwGgYDVQQKExNB
+ZGRvbnMgVGVzdCBTaWduaW5nMSQwIgYDVQQDExt0ZXN0LmFkZG9ucy5zaWduaW5n
+LnJvb3QuY2ExMDAuBgkqhkiG9w0BCQEWIW9wc2VjK3N0YWdlcm9vdGFkZG9uc0Bt
+b3ppbGxhLmNvbTAeFw0xNTAyMTAxNTI4NTFaFw0yNTAyMDcxNTI4NTFaMIGoMQsw
+CQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcx
+HDAaBgNVBAoTE0FkZG9ucyBUZXN0IFNpZ25pbmcxJDAiBgNVBAMTG3Rlc3QuYWRk
+b25zLnNpZ25pbmcucm9vdC5jYTEwMC4GCSqGSIb3DQEJARYhb3BzZWMrc3RhZ2Vy
+b290YWRkb25zQG1vemlsbGEuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
+CgKCAgEAv/OSHh5uUMMKKuBh83kikuJ+BW4fQCHVZvADZh2qHNH8pSaME/YqMItP
+5XQ1N5oLq1tRQO77AKn+eYPDAQkg+9VV+ct4u76YctcU/gvjieGKQ0fvuDH18QLD
+hqa4DHgDmpCa/w+Eqzd54HaFj7ew9Bb7GZPHuZfk7Ct9fcN6kHneEj3KeuLiqzSV
+VCRFV9RTlrUdsc1/VwF4A97JTXc3HJeWJO3azOlFpaJ8QHhmgXLLmB59HPeZ10Sf
+9QwVGaKcn7yLuwtIA+wDhs8iwGZWcgmknW4DkkRDbQo7L+//4kVK+Yqq0HamZArm
+vE4xENvbwOze4XYkCO3PwgmCotU7K5D3sMUUxkOaodlemO9OqRW8vJOJH3b6mhST
+aunQR9/GOJ7sl4egrn2fOVZhBvM29lyBCKBffeQgtIMcKpeEKa4TNx4nTrWu1J9k
+jHlvNeVL3FzMzJXRPl0RV71cYak+G6GnQ4fg3+4ZSSPxTvbwRJAO2xajkURxFSZo
+sXcjYG8iPTSrDazj4LN2+882t4Q2/rMYpkowwLGbvJqHiw2tg9/hpLn1K4W18vcC
+vFgzNRrTdKaJ/KjD17eJl8s8oPA7TiophPeezy1WzAc4mdlXS6A85b0mKDDU2A/4
+3YmltjsSmizR2LnfeNs125EsCWxSUrAsnUYRO+lJOyNr7GGKGscCAwZVN6OCAZQw
+ggGQMAwGA1UdEwQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMBYGA1UdJQEB/wQMMAoG
+CCsGAQUFBwMDMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0
+aWZpY2F0ZTAzBglghkgBhvhCAQQEJhYkaHR0cDovL2FkZG9ucy5tb3ppbGxhLm9y
+Zy9jYS9jcmwucGVtMB0GA1UdDgQWBBSE6l/Nb0ySL+rR9PXIo7LCDLqm9jCB1QYD
+VR0jBIHNMIHKgBSE6l/Nb0ySL+rR9PXIo7LCDLqm9qGBrqSBqzCBqDELMAkGA1UE
+BhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRwwGgYD
+VQQKExNBZGRvbnMgVGVzdCBTaWduaW5nMSQwIgYDVQQDExt0ZXN0LmFkZG9ucy5z
+aWduaW5nLnJvb3QuY2ExMDAuBgkqhkiG9w0BCQEWIW9wc2VjK3N0YWdlcm9vdGFk
+ZG9uc0Btb3ppbGxhLmNvbYIBATANBgkqhkiG9w0BAQwFAAOCAgEAck21RaAcTzbT
+vmqqcCezBd5Gej6jV53HItXfF06tLLzAxKIU1loLH/330xDdOGyiJdvUATDVn8q6
+5v4Kae2awON6ytWZp9b0sRdtlLsRo8EWOoRszCqiMWdl1gnGMaV7e2ycz/tR+PoK
+GxHCh8rbOtG0eiVJIyRijLDjtExW8Eg+uz6Zkg1IWXqInj7Gqr23FOqD76uAfE82
+YTWW3lzxpP3gL7pmV5G7ob/tIyAfrPEB4w0Nt2HEl9h7NDtKPMprrOLPkrI9eAVU
+QeeI3RpAKnXOFQkqPYPXIlAaJ6qxtYa6tWHOqRyS1xKnvy/uWjEtU3tYJ5eUL1+2
+vzNTdakJgkZDRdDNg0V3NYwza6BwL80VPSfqc1H6R8CU1uj+kjTlCEsoTPLeW7k5
+t+lKHFMj0HZLNymgDD5f9UpI7yiOAIF0z4WKAMv/f12vnAPwmOPuOikRNOv0nNuL
+RIpKO53Cd7aV5PdB0pNSPNjc6V+5IPrepALNQhKIpzoHA4oG+LlVVy4R3csPcj4e
+zQQ9gt3NC2OXF4hveHfKZdCnb+BBl4S71QMYYCCTe+EDCsIGuyXWD/K2hfLD8TPW
+thPX5WNsS8bwno2ccqncVLQ4PZxOIB83DFBFmAvTuBiAYWq874rneTXqInHyeCq+
+819l9s72pDsFaGevmm0Us9bYuufTS5U=
+-----END CERTIFICATE-----
diff --git a/tests/test_autograph_utils.py b/tests/test_autograph_utils.py
@@ -59,6 +59,16 @@
     + "83:04:EF:01:BF:FA:03:29:B2:46:9F:3C:C5:EC:36:04"
 )
 
+STAGE_CERT_PATH = os.path.join(
+    TESTS_BASE, "normandy.content-signature.mozilla.org-2019-12-04-18-15-23.chain"
+)
+STAGE_CERT_CHAIN = open(STAGE_CERT_PATH, "rb").read()
+STAGE_CERT_LIST = autograph_utils.split_pem(STAGE_CERT_CHAIN)
+STAGE_ROOT_HASH = decode_mozilla_hash(
+    "DB:74:CE:58:E4:F9:D0:9E:E0:42:36:BE:6C:C5:C4:F6:"
+    + "6A:E7:74:7D:C0:21:42:7A:03:BC:2F:57:0C:8B:9B:90"
+)
+
 
 @pytest.fixture
 def mock_aioresponses():
@@ -105,6 +115,7 @@ def mock_cert(real_cert):
     mock_cert.signature_hash_algorithm = real_cert.signature_hash_algorithm
     mock_cert.subject = real_cert.subject
     mock_cert.extensions = real_cert.extensions
+    mock_cert.public_key = real_cert.public_key
 
     return mock_cert
 
@@ -272,6 +283,36 @@ async def test_verify_broken_chain(
     )
 
 
+async def test_verify_stage_cert_chain(
+    aiohttp_session, mock_aioresponses, cache, now_fixed
+):
+    mock_aioresponses.get(FAKE_CERT_URL, status=200, body=STAGE_CERT_CHAIN)
+    s = SignatureVerifier(aiohttp_session, cache, STAGE_ROOT_HASH)
+    await s.verify_x5u(FAKE_CERT_URL)
+
+
+async def test_unknown_key(aiohttp_session, mock_with_x5u, cache, now_fixed):
+    certs = [
+        cryptography.x509.load_pem_x509_certificate(pem, backend=default_backend())
+        for pem in CERT_LIST
+    ]
+
+    # Change public_key for an intermediate cert
+    real_intermediate = certs[1]
+    mock_intermediate = mock_cert(real_intermediate)
+    mock_intermediate.public_key = mock.Mock()
+    certs[1] = mock_intermediate
+
+    with mock.patch("cryptography.x509.load_pem_x509_certificate") as load_cert_mock:
+        load_cert_mock.side_effect = lambda *args, **kwargs: certs.pop(0)
+        s = SignatureVerifier(aiohttp_session, cache, DEV_ROOT_HASH)
+        with pytest.raises(autograph_utils.CertificateUnknownPublicKey) as excinfo:
+            await s.verify_x5u(FAKE_CERT_URL)
+
+    assert excinfo.value.cert == mock_intermediate
+    assert excinfo.value.key == mock_intermediate.public_key()
+
+
 async def test_verify_leaf_code_signing(
     aiohttp_session, mock_with_x5u, cache, now_fixed
 ):
