allez cette fois-ci c la bonne

nitneuqr · nitneuqr · commit 3448711db6b0 · 2025-06-13T11:00:19.000+02:00
diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs7.py b/src/cryptography/hazmat/primitives/serialization/pkcs7.py
@@ -85,7 +85,7 @@ def _validate_key_usage(
     ) -> None:
         if ku is not None:
             # Content commitment used to be named non repudiation
-            if not ku.digital_signature or ku.content_commitment:
+            if not (ku.digital_signature or ku.content_commitment):
                 raise ValueError(
                     "Key Usage, if specified, must have at least one of the "
                     "digital signature or content commitment (formerly non "
diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
@@ -18,6 +18,7 @@
 from cryptography.hazmat.primitives.asymmetric import ed25519, padding, rsa
 from cryptography.hazmat.primitives.ciphers import algorithms
 from cryptography.hazmat.primitives.serialization import pkcs7
+from cryptography.x509.oid import OtherNameFormOID
 from cryptography.x509.verification import (
     PolicyBuilder,
     Store,
@@ -145,18 +146,6 @@ def _load_cert_key():
 
 
 class TestPKCS7VerifyCertificate:
-    def test_verify_pkcs7_certificate(self):
-        certificate, _ = _load_cert_key()
-        ca_policy, ee_policy = pkcs7.pkcs7_x509_extension_policies()
-
-        verifier = (
-            PolicyBuilder()
-            .store(Store([certificate]))
-            .extension_policies(ca_policy=ca_policy, ee_policy=ee_policy)
-            .build_client_verifier()
-        )
-        verifier.verify(certificate, [])
-
     @pytest.fixture(name="certificate_builder")
     def fixture_certificate_builder(self) -> x509.CertificateBuilder:
         certificate, private_key = _load_cert_key()
@@ -170,6 +159,46 @@ def fixture_certificate_builder(self) -> x509.CertificateBuilder:
             .not_valid_after(certificate.not_valid_after)
         )
 
+    def test_verify_pkcs7_certificate(self, certificate_builder):
+        certificate, private_key = _load_cert_key()
+        ca_policy, ee_policy = pkcs7.pkcs7_x509_extension_policies()
+
+        # Add valid KeyUsage extension
+        ku_extension = x509.KeyUsage(
+            digital_signature=True,
+            content_commitment=False,
+            key_encipherment=False,
+            data_encipherment=False,
+            key_agreement=False,
+            key_cert_sign=False,
+            crl_sign=False,
+            encipher_only=False,
+            decipher_only=False,
+        )
+        certificate_builder = certificate_builder.add_extension(
+            ku_extension, True
+        )
+
+        # Add valid ExtendedKeyUsage extension
+        usages = [x509.ExtendedKeyUsageOID.CLIENT_AUTH]  # type: ignore[attr-defined]
+        eku_extension = x509.ExtendedKeyUsage(usages)
+        certificate_builder = certificate_builder.add_extension(
+            eku_extension, True
+        )
+
+        # Build the certificate
+        pkcs7_certificate = certificate_builder.sign(
+            private_key, certificate.signature_hash_algorithm, None
+        )
+
+        verifier = (
+            PolicyBuilder()
+            .store(Store([pkcs7_certificate]))
+            .extension_policies(ca_policy=ca_policy, ee_policy=ee_policy)
+            .build_client_verifier()
+        )
+        verifier.verify(certificate, [])
+
     def test_verify_pkcs7_certificate_wrong_bc(self, certificate_builder):
         certificate, private_key = _load_cert_key()
 
@@ -232,6 +261,22 @@ def test_verify_pkcs7_certificate_wrong_eku(self, certificate_builder):
         # Verify the certificate
         self.verify_invalid_pkcs7_certificate(pkcs7_certificate)
 
+    @pytest.mark.parametrize(
+        "filename", ["ca_non_ascii_san.pem", "ca_ascii_san.pem"]
+    )
+    def test_verify_pkcs7_certificate_wrong_san(self, filename):
+        # Read a certificate with an invalid SAN
+        pkcs7_certificate = load_vectors_from_file(
+            os.path.join("pkcs7", filename),
+            loader=lambda pemfile: x509.load_pem_x509_certificate(
+                pemfile.read()
+            ),
+            mode="rb",
+        )
+
+        # Verify the certificate
+        self.verify_invalid_pkcs7_certificate(pkcs7_certificate)
+
     @staticmethod
     def verify_invalid_pkcs7_certificate(certificate: x509.Certificate):
         ca_policy, ee_policy = pkcs7.pkcs7_x509_extension_policies()
diff --git a/vectors/cryptography_vectors/pkcs7/ca_ascii_san.pem b/vectors/cryptography_vectors/pkcs7/ca_ascii_san.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID3DCCAsSgAwIBAgIUGJw032ss5tmRmaY8x41pL5lqqRYwDQYJKoZIhvcNAQEL
+BQAwfzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
+DVNhbiBGcmFuY2lzY28xFTATBgNVBAoMDEV4YW1wbGUgQ29ycDEWMBQGA1UECwwN
+SVQgRGVwYXJ0bWVudDEUMBIGA1UEAwwLZXhhbXBsZS5jb20wHhcNMjUwNjA5MTg0
+NzQ1WhcNMjYwNjA5MTg0NzQ1WjB/MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2Fs
+aWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEVMBMGA1UECgwMRXhhbXBs
+ZSBDb3JwMRYwFAYDVQQLDA1JVCBEZXBhcnRtZW50MRQwEgYDVQQDDAtleGFtcGxl
+LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALLWXuy3atOjhb8g
+fa5AC5me9PqRqcqV63e+NIe8IaKioCM5Sl+3jhKb5DdPIjfQYbHbwPtY+rFSP364
+dBZoJpCDG4gcD6H3eS5JGc8Uz62l+oBNuFoU3EZiUNMF0k17vs/6CGeyt53+D9DJ
+PG6Wv87nAAoK97r1rLdC8Of97QpUV/st+YDP7/LOH8CxJZOnbiUdekzo0dCQkk7n
+17hJCYN1Y98VrlZFY25ny2TURUgK7lIjduEUb0dugYiepjzp7ZV8184kpAD/PtLT
+czA1S8e6kySd5wbJSFcKxrk/j/cccUGLMyKPlMZgsHZUm/2DOLWLljxbEjCOxb1G
+8+EpR9kCAwEAAaNQME4wLQYDVR0RBCYwJKAiBggrBgEFBQcICaAWDBRyZXRvdXJu
+ZUBleGFtcGxlLmNvbTAdBgNVHQ4EFgQUm24AOQAmOInCPZPDUagXXw+BEl0wDQYJ
+KoZIhvcNAQELBQADggEBAGgLqsx27sS28t1okxT1MU6QhfAn/Yw07Nhk3cpNKGnh
+edrPPTXvJc05qHuQIqOiFIJ4SojbQ2+bVZwo7V3Jhspx9T+Gkb/Dn3rHpAfOXuaJ
+RqJ777Cor2seAKv07jerGnEULYW8JcezZDGbv6ViC0oEgazwTzahfynrUMJ2DJRX
+tnNdczDsGw+DVMvOBzcSE/aEzhd4ghgVq5aFS05wzhN/fTWKiN4tpEAG6y95gU73
+29O3y1W3dLjblTZJvXNtgCjMT6R3OVeWAsqyXDprFrZWZucCj8opIxRf6jpZlRfJ
+qW+57pkefhg3q4MFjn08BOKpYwOdRouGE4l96dGBDwM=
+-----END CERTIFICATE-----
diff --git a/vectors/cryptography_vectors/pkcs7/ca_non_ascii_san.pem b/vectors/cryptography_vectors/pkcs7/ca_non_ascii_san.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDzzCCAregAwIBAgIUAX/xKTtlMllrK5ng0+OkmnxxIugwDQYJKoZIhvcNAQEL
+BQAwfzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
+DVNhbiBGcmFuY2lzY28xFTATBgNVBAoMDEV4YW1wbGUgQ29ycDEWMBQGA1UECwwN
+SVQgRGVwYXJ0bWVudDEUMBIGA1UEAwwLZXhhbXBsZS5jb20wHhcNMjUwNjA5MTgw
+NzE4WhcNMjYwNjA5MTgwNzE4WjB/MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2Fs
+aWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEVMBMGA1UECgwMRXhhbXBs
+ZSBDb3JwMRYwFAYDVQQLDA1JVCBEZXBhcnRtZW50MRQwEgYDVQQDDAtleGFtcGxl
+LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOxyV/ZsaGn7dOcZ
+6ODFcnmwjPCKRASFeDtOMYoGrlALb9zA+UMuMB63dTZ8ofWsDgLLGhw86njfSYad
+RslOw8Bki9lKiS1RhS/RbnDSBWB2wJzniyFn/qI2F93WbgqHMOnzzJcAkc/YPU0T
+iyvNpjD3Q/xObcp7ouBJJmFSvLybSTJtFrVzkpIbDZYrn0KyKtgTCPc/r9D04u+u
+scSACvTRjePsEZIgRkVgfVpdBmy1KeJmx2NqS8Yev+y+0e9q3t8Ga/j/CnPFXlEl
+iBHciFtkKdd2HrPLJMXBKhMn2KagLJSSdABNApi8qULIpOnrEE8FepKCzkptFyS1
+5g0H3u0CAwEAAaNDMEEwIAYDVR0RBBkwF4EVcmV0b3VybsOpQGV4YW1wbGUuY29t
+MB0GA1UdDgQWBBTthtqdM0IoehNymXnqMPX1joF1LzANBgkqhkiG9w0BAQsFAAOC
+AQEApQZ3vOuBgNg1U26c4l0VSCU5q73Lecbgjc42AhEp9FyP7ratj4MyH7RGr4io
+vl0wWROFBnzliW5ZA8CP3Ux4AbqgtxcFPBRHACjmrpoSFHmW7bpzRnqwJKwXsOGJ
+ZhjA/2o91lEJr0UNhpvSGyR+xCkuvw83mvM1rmE19yNMElv96x/DPVQV2ocsffOb
+kS7pIpvXX3pSIj7Up0Xrz+bSyhJlsO3sO5bREshyvuiRivm9AjBVRY/BtbFY6DcV
+9javEitCw93BgImIs0CXGpZUrvphX8muWVct5xpKj64/Yo0hIYystX+xVl3EjTRf
+B7pH2DE+cXg99p7L6RoYtlOeRA==
+-----END CERTIFICATE-----
