`tests/test_services.py::test_validate` fails with pyhanko-certvalidator 0.20.0. The failing parametrization shown below is `setup1` (the DSA architecture): the new default algorithm-usage policy (`DisallowWeakAlgorithmsPolicy`) rejects the 2048-bit DSA key used to sign "intermediate certificate 1" as too small, so path validation aborts with `DisallowedAlgorithmError` before the `digital_signature` usage check is reached. Note that the threshold the library reports is ">= 3192" bits; the customary NIST minimum for DSA at 128-bit security is 3072, so that figure may itself be worth a look upstream. Either way, the right fix on this side is to regenerate the DSA test keys at a size the policy accepts rather than relaxing `algorithm_usage_policy` in the test's `ValidationContext`, since loosening the policy would hide exactly the weak-key condition it exists to catch. Full traceback:
====================================== FAILURES ====================================== _______________________________ test_validate[setup1] ________________________________ requests_mock = <requests_mock.mocker.Mocker object at 0x7f42a3f81ab0> setup = ServiceSetup(config=<certomancer.registry.config.CertomancerConfig object at 0x7f42a3f16c20>, arch=<certomancer.regist...ure object at 0x7f42a3f28100>, illusionist=<certomancer.integrations.illusionist.Illusionist object at 0x7f42a4693010>) @freeze_time('2020-11-01') @pytest.mark.asyncio @pytest.mark.parametrize('setup', [RSA_SETUP, DSA_SETUP, ECDSA_SETUP]) async def test_validate(requests_mock, setup): setup.illusionist.register(requests_mock) signer_cert = setup.arch.get_cert(CertLabel('signer1')) root = setup.arch.get_cert(CertLabel('root')) interm = setup.arch.get_cert(CertLabel('interm')) vc = ValidationContext( trust_roots=[root], allow_fetching=True, revocation_mode='hard-fail', other_certs=[interm], ) validator = CertificateValidator( signer_cert, intermediate_certs=[], validation_context=vc ) > await validator.async_validate_usage({'digital_signature'}) tests/test_services.py:149: .run_venv/lib64/python3/site-packages/pyhanko_certvalidator/__init__.py:269: in async_validate_usage validated_path = await self.async_validate_path() .run_venv/lib64/python3/site-packages/pyhanko_certvalidator/__init__.py:136: in async_validate_path self._path = candidate_path = await find_valid_path( .run_venv/lib64/python3/site-packages/pyhanko_certvalidator/__init__.py:53: in find_valid_path raise exceptions[0] .run_venv/lib64/python3/site-packages/pyhanko_certvalidator/__init__.py:36: in find_valid_path await async_validate_path( .run_venv/lib64/python3/site-packages/pyhanko_certvalidator/validate.py:145: in async_validate_path return await intl_validate_path( .run_venv/lib64/python3/site-packages/pyhanko_certvalidator/validate.py:1100: in intl_validate_path state.check_certificate_signature( _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ self = _PathValidationState(valid_policy_tree=<pyhanko_certvalidator.policy_tree.PolicyTreeRoot object at 0x7f42a3cbe650>, ex...excluded_subtrees=<pyhanko_certvalidator.name_trees.ExcludedSubtrees object at 0x7f42a3cbcc10>, aa_controls_used=False) cert = <asn1crypto.x509.Certificate 139924195110064 b'0\x82\x05Y0\x82\x04\xfe\xa0\x03\x02\x01\x02\x02\x02\x10\x010\x0b\x06\t`...df\xdag\xc3\xd3@x\xbe\x8f\x02!\x00\x9bfSVp\xb4w\x1c\xb7\xe2\x90\x96~\xf9xq\x0e\x91P\x0e\x18\xc2AdI\x18PS\x94\xb9\x1fR'> algorithm_policy = <pyhanko_certvalidator.policy_decl.DisallowWeakAlgorithmsPolicy object at 0x7f42a3c95f30> proc_state = ValProcState() moment = FakeDatetime(2020, 11, 1, 0, 0, tzinfo=datetime.timezone.utc) def check_certificate_signature( self, cert: x509.Certificate, algorithm_policy: AlgorithmUsagePolicy, proc_state: ValProcState, moment: datetime.datetime, ): sd_algo: algos.SignedDigestAlgorithm = cert['signature_algorithm'] sd_algo_name = sd_algo['algorithm'].native sig_algo_allowed = algorithm_policy.signature_algorithm_allowed( sd_algo, moment, public_key=self.working_public_key ) if not sig_algo_allowed: msg = ( f"The path could not be validated because the signature " f"of {proc_state.describe_cert()} uses the disallowed " f"signature mechanism {sd_algo_name}." ) if sig_algo_allowed.failure_reason is not None: msg += f" Reason: {sig_algo_allowed.failure_reason}." > raise DisallowedAlgorithmError.from_state( msg, proc_state, banned_since=sig_algo_allowed.not_allowed_after, ) E pyhanko_certvalidator.errors.DisallowedAlgorithmError: The path could not be validated because the signature of intermediate certificate 1 uses the disallowed signature mechanism sha256_dsa. Reason: Key size 2048 for algorithm dsa is considered too small; policy mandates >= 3192. .run_venv/lib64/python3/site-packages/pyhanko_certvalidator/validate.py:981: DisallowedAlgorithmError
Related change (presumably the commit that introduced the stricter default key-size policy): MatthiasValvekens/certvalidator@0cb83400a2f6be184d09a9e30730902a44d07e84
Aha, good catch! Will update ASAP.
The fix is verified, thank you!