Future-proofing against asn1crypto API change

Some distros already ship the master build of asn1crypto since it's been so long without a release, so we have to address this. See wbond/asn1crypto#230
MatthiasValvekens · Nov 17, 2024 · bab60ea · bab60ea
1 parent f2d2bdd
commit bab60ea
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 20 deletions.
diff --git a/pyhanko_certvalidator/revinfo/validate_crl.py b/pyhanko_certvalidator/revinfo/validate_crl.py
@@ -1329,16 +1329,12 @@ def _verify_crl_signature(certificate_list, public_key):
         invalid or uses an unsupported algorithm
     """
 
-    signature_algo = certificate_list['signature_algorithm'].signature_algo
-    hash_algo = certificate_list['signature_algorithm'].hash_algo
-
     try:
         validate_sig(
             signature=certificate_list['signature'].native,
             signed_data=certificate_list['tbs_cert_list'].dump(),
             public_key_info=public_key,
-            sig_algo=signature_algo,
-            hash_algo=hash_algo,
+            signed_digest_algorithm=certificate_list['signature_algorithm'],
             parameters=certificate_list['signature_algorithm']['parameters'],
         )
     except PSSParameterMismatch as e:

diff --git a/pyhanko_certvalidator/revinfo/validate_ocsp.py b/pyhanko_certvalidator/revinfo/validate_ocsp.py
@@ -376,19 +376,14 @@ def _verify_ocsp_signature(
     if response is None:
         return False
 
-    # Determine what algorithm was used to sign the response
-    signature_algo = response['signature_algorithm'].signature_algo
-    hash_algo = response['signature_algorithm'].hash_algo
-
     # Verify that the response was properly signed by the validated certificate
     tbs_response = response['tbs_response_data']
     try:
         validate_sig(
             signature=response['signature'].native,
             signed_data=tbs_response.dump(),
+            signed_digest_algorithm=response['signature_algorithm'],
             public_key_info=responder_key,
-            sig_algo=signature_algo,
-            hash_algo=hash_algo,
             parameters=response['signature_algorithm']['parameters'],
         )
         return True

diff --git a/pyhanko_certvalidator/util.py b/pyhanko_certvalidator/util.py
@@ -197,12 +197,13 @@ def validate_sig(
     signature: bytes,
     signed_data: bytes,
     public_key_info: PublicKeyInfo,
-    sig_algo: str,
-    hash_algo: str,
+    signed_digest_algorithm: algos.SignedDigestAlgorithm,
     parameters=None,
 ):
     from .errors import DSAParametersUnavailable, PSSParameterMismatch
 
+    sig_algo = signed_digest_algorithm.signature_algo
+
     if (
         sig_algo == 'dsa'
         and public_key_info['algorithm']['parameters'].native is None
@@ -227,10 +228,12 @@ def validate_sig(
     pub_key = serialization.load_der_public_key(public_key_info.dump())
 
     if sig_algo == 'rsassa_pkcs1v15':
+        hash_algo = signed_digest_algorithm.hash_algo
         assert isinstance(pub_key, rsa.RSAPublicKey)
         h = getattr(hashes, hash_algo.upper())()
         pub_key.verify(signature, signed_data, padding.PKCS1v15(), h)
     elif sig_algo == 'rsassa_pss':
+        hash_algo = signed_digest_algorithm.hash_algo
         assert isinstance(pub_key, rsa.RSAPublicKey)
         assert isinstance(parameters, algos.RSASSAPSSParams)
         mga: algos.MaskGenAlgorithm = parameters['mask_gen_algorithm']
@@ -248,10 +251,12 @@ def validate_sig(
         hash_spec = getattr(hashes, hash_algo.upper())()
         pub_key.verify(signature, signed_data, pss_padding, hash_spec)
     elif sig_algo == 'dsa':
+        hash_algo = signed_digest_algorithm.hash_algo
         assert isinstance(pub_key, dsa.DSAPublicKey)
         hash_spec = getattr(hashes, hash_algo.upper())()
         pub_key.verify(signature, signed_data, hash_spec)
     elif sig_algo == 'ecdsa':
+        hash_algo = signed_digest_algorithm.hash_algo
         assert isinstance(pub_key, ec.EllipticCurvePublicKey)
         hash_spec = getattr(hashes, hash_algo.upper())()
         pub_key.verify(signature, signed_data, ec.ECDSA(hash_spec))

diff --git a/pyhanko_certvalidator/validate.py b/pyhanko_certvalidator/validate.py
@@ -485,9 +485,6 @@ def _check_ac_signature(
             banned_since=digest_allowed.not_allowed_after,
         )
 
-    signature_algo = sd_algo.signature_algo
-    hash_algo = attr_cert['signature_algorithm'].hash_algo
-
     try:
         validate_sig(
             signature=attr_cert['signature'].native,
@@ -497,8 +494,7 @@ def _check_ac_signature(
             #  validation algo)
             # low-priority since this only affects DSA in practice
             public_key_info=aa_cert.public_key,
-            sig_algo=signature_algo,
-            hash_algo=hash_algo,
+            signed_digest_algorithm=sd_algo,
             parameters=attr_cert['signature_algorithm']['parameters'],
         )
     except PSSParameterMismatch:
@@ -983,8 +979,7 @@ def check_certificate_signature(
                 signature=cert['signature_value'].native,
                 signed_data=cert['tbs_certificate'].dump(),
                 public_key_info=self.working_public_key,
-                sig_algo=sd_algo.signature_algo,
-                hash_algo=sd_algo.hash_algo,
+                signed_digest_algorithm=sd_algo,
                 parameters=cert['signature_algorithm']['parameters'],
             )
         except PSSParameterMismatch: