search

MatthiasValvekens / certomancer

Quickly construct, mock & deploy PKI test configurations using simple declarative configuration.
MIT License
26 stars 4 forks source link

[tests] test_validate fails with pyhanko-certvalidator 0.20.0 #8

Closed stanislavlevin closed 1 year ago

stanislavlevin commented 1 year ago

tests/test_services.py::test_validate fails with pyhanko-certvalidator 0.20.0:

====================================== FAILURES ======================================
_______________________________ test_validate[setup1] ________________________________

requests_mock = <requests_mock.mocker.Mocker object at 0x7f42a3f81ab0>
setup = ServiceSetup(config=<certomancer.registry.config.CertomancerConfig object at 0x7f42a3f16c20>, arch=<certomancer.regist...ure object at 0x7f42a3f28100>, illusionist=<certomancer.integrations.illusionist.Illusionist object at 0x7f42a4693010>)

    @freeze_time('2020-11-01')
    @pytest.mark.asyncio
    @pytest.mark.parametrize('setup', [RSA_SETUP, DSA_SETUP, ECDSA_SETUP])
    async def test_validate(requests_mock, setup):
        setup.illusionist.register(requests_mock)
        signer_cert = setup.arch.get_cert(CertLabel('signer1'))
        root = setup.arch.get_cert(CertLabel('root'))
        interm = setup.arch.get_cert(CertLabel('interm'))
        vc = ValidationContext(
            trust_roots=[root],
            allow_fetching=True,
            revocation_mode='hard-fail',
            other_certs=[interm],
        )

        validator = CertificateValidator(
            signer_cert, intermediate_certs=[], validation_context=vc
        )
>       await validator.async_validate_usage({'digital_signature'})

tests/test_services.py:149:
.run_venv/lib64/python3/site-packages/pyhanko_certvalidator/__init__.py:269: in async_validate_usage
    validated_path = await self.async_validate_path()
.run_venv/lib64/python3/site-packages/pyhanko_certvalidator/__init__.py:136: in async_validate_path
    self._path = candidate_path = await find_valid_path(
.run_venv/lib64/python3/site-packages/pyhanko_certvalidator/__init__.py:53: in find_valid_path
    raise exceptions[0]
.run_venv/lib64/python3/site-packages/pyhanko_certvalidator/__init__.py:36: in find_valid_path
    await async_validate_path(
.run_venv/lib64/python3/site-packages/pyhanko_certvalidator/validate.py:145: in async_validate_path
    return await intl_validate_path(
.run_venv/lib64/python3/site-packages/pyhanko_certvalidator/validate.py:1100: in intl_validate_path
    state.check_certificate_signature(
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = _PathValidationState(valid_policy_tree=<pyhanko_certvalidator.policy_tree.PolicyTreeRoot object at 0x7f42a3cbe650>, ex...excluded_subtrees=<pyhanko_certvalidator.name_trees.ExcludedSubtrees object at 0x7f42a3cbcc10>, aa_controls_used=False)
cert = <asn1crypto.x509.Certificate 139924195110064 b'0\x82\x05Y0\x82\x04\xfe\xa0\x03\x02\x01\x02\x02\x02\x10\x010\x0b\x06\t`...df\xdag\xc3\xd3@x\xbe\x8f\x02!\x00\x9bfSVp\xb4w\x1c\xb7\xe2\x90\x96~\xf9xq\x0e\x91P\x0e\x18\xc2AdI\x18PS\x94\xb9\x1fR'>
algorithm_policy = <pyhanko_certvalidator.policy_decl.DisallowWeakAlgorithmsPolicy object at 0x7f42a3c95f30>
proc_state = ValProcState()
moment = FakeDatetime(2020, 11, 1, 0, 0, tzinfo=datetime.timezone.utc)

    def check_certificate_signature(
        self,
        cert: x509.Certificate,
        algorithm_policy: AlgorithmUsagePolicy,
        proc_state: ValProcState,
        moment: datetime.datetime,
    ):

        sd_algo: algos.SignedDigestAlgorithm = cert['signature_algorithm']
        sd_algo_name = sd_algo['algorithm'].native
        sig_algo_allowed = algorithm_policy.signature_algorithm_allowed(
            sd_algo, moment, public_key=self.working_public_key
        )
        if not sig_algo_allowed:
            msg = (
                f"The path could not be validated because the signature "
                f"of {proc_state.describe_cert()} uses the disallowed "
                f"signature mechanism {sd_algo_name}."
            )
            if sig_algo_allowed.failure_reason is not None:
                msg += f" Reason: {sig_algo_allowed.failure_reason}."
>           raise DisallowedAlgorithmError.from_state(
                msg,
                proc_state,
                banned_since=sig_algo_allowed.not_allowed_after,
            )
E           pyhanko_certvalidator.errors.DisallowedAlgorithmError: The path could not be validated because the signature of intermediate certificate 1 uses the disallowed signature mechanism sha256_dsa. Reason: Key size 2048 for algorithm dsa is considered too small; policy mandates >= 3192.

.run_venv/lib64/python3/site-packages/pyhanko_certvalidator/validate.py:981: DisallowedAlgorithmError

Related change: MatthiasValvekens/certvalidator@0cb83400a2f6be184d09a9e30730902a44d07e84

MatthiasValvekens commented 1 year ago

Aha, good catch! Will update ASAP.

stanislavlevin commented 1 year ago

The fix is verified, thank you!