testcases: add CVE-2024-0567 (#176)

* add CVE-2024-0567 Signed-off-by: William Woodruff <[email protected]> * license, render improvements Signed-off-by: William Woodruff <[email protected]> * rebuild the chain from scratch Signed-off-by: William Woodruff <[email protected]> * limbo: fixup key typing Signed-off-by: William Woodruff <[email protected]> --------- Signed-off-by: William Woodruff <[email protected]>
C2SP · Jan 23, 2024 · 5df450e · 5df450e
1 parent 1e3455f
commit 5df450e
Show file tree

Hide file tree

Showing 9 changed files with 49,269 additions and 48,951 deletions.
diff --git a/limbo.json b/limbo.json
diff --git a/limbo/assets.py b/limbo/assets.py
@@ -13,7 +13,7 @@
 
 from cryptography import x509
 from cryptography.hazmat.primitives import serialization
-from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes
+from cryptography.hazmat.primitives.asymmetric.types import CertificateIssuerPrivateKeyTypes
 from cryptography.x509 import ExtensionType
 
 # NOTE: We judiciously start on the second *after* the Unix epoch, since
@@ -47,7 +47,7 @@ class CertificatePair(Certificate):
     An X.509 certificate and its associated private key.
     """
 
-    key: PrivateKeyTypes
+    key: CertificateIssuerPrivateKeyTypes
 
     @cached_property
     def key_pem(self) -> str:

diff --git a/limbo/testcases/__init__.py b/limbo/testcases/__init__.py
@@ -4,6 +4,7 @@
 
 from limbo.testcases._core import registry
 
+from .cve import *  # noqa: F403
 from .pathlen import *  # noqa: F403
 from .pathological import *  # noqa: F403
 from .rfc5280 import *  # noqa: F403

diff --git a/limbo/testcases/_core.py b/limbo/testcases/_core.py
@@ -8,7 +8,7 @@
 from cryptography import x509
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives.asymmetric import ec
-from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes
+from cryptography.hazmat.primitives.asymmetric.types import CertificateIssuerPrivateKeyTypes
 
 from limbo.assets import (
     EPOCH,
@@ -38,7 +38,7 @@ def _ca(
         serial: int | None,
         not_before: datetime,
         not_after: datetime,
-        key: PrivateKeyTypes | None,
+        key: CertificateIssuerPrivateKeyTypes | None,
         basic_constraints: _Extension[x509.BasicConstraints] | None,
         key_usage: _Extension[x509.KeyUsage] | None,
         san: _Extension[x509.SubjectAlternativeName] | Literal[True] | None,
@@ -60,7 +60,7 @@ def _ca(
         builder = x509.CertificateBuilder(
             issuer_name=issuer,
             subject_name=subject,
-            public_key=key.public_key(),  # type: ignore[arg-type]
+            public_key=key.public_key(),
             serial_number=serial,
             not_valid_before=not_before,
             not_valid_after=not_after,
@@ -93,19 +93,15 @@ def _ca(
             )
         elif aki:
             builder = builder.add_extension(
-                x509.AuthorityKeyIdentifier.from_issuer_public_key(
-                    key.public_key()  # type: ignore[arg-type]
-                ),
+                x509.AuthorityKeyIdentifier.from_issuer_public_key(key.public_key()),
                 critical=False,
             )
 
         if isinstance(ski, _Extension):
             builder = builder.add_extension(ski.ext, critical=ski.critical)
         elif ski:
             builder = builder.add_extension(
-                x509.SubjectKeyIdentifier.from_public_key(
-                    key.public_key()  # type: ignore[arg-type]
-                ),
+                x509.SubjectKeyIdentifier.from_public_key(key.public_key()),
                 critical=False,
             )
 
@@ -118,9 +114,9 @@ def _ca(
             builder = builder.add_extension(extra_extension.ext, critical=extra_extension.critical)
 
         if parent:
-            cert = builder.sign(parent.key, algorithm=hashes.SHA256())  # type: ignore[arg-type]
+            cert = builder.sign(parent.key, algorithm=hashes.SHA256())
         else:
-            cert = builder.sign(key, algorithm=hashes.SHA256())  # type: ignore[arg-type]
+            cert = builder.sign(key, algorithm=hashes.SHA256())
 
         return CertificatePair(cert, key)
 
@@ -132,7 +128,7 @@ def root_ca(
         serial: int | None = None,
         not_before: datetime = EPOCH,
         not_after: datetime = ONE_THOUSAND_YEARS_OF_TORMENT,
-        key: PrivateKeyTypes | None = None,
+        key: CertificateIssuerPrivateKeyTypes | None = None,
         basic_constraints: _Extension[x509.BasicConstraints] | None = ext(
             x509.BasicConstraints(ca=True, path_length=None),
             critical=True,
@@ -184,7 +180,7 @@ def intermediate_ca(
         serial: int | None = None,
         not_before: datetime = EPOCH,
         not_after: datetime = ONE_THOUSAND_YEARS_OF_TORMENT,
-        key: PrivateKeyTypes | None = None,
+        key: CertificateIssuerPrivateKeyTypes | None = None,
         basic_constraints: _Extension[x509.BasicConstraints] | Literal[True] | None = True,
         key_usage: _Extension[x509.KeyUsage] | None = ext(
             x509.KeyUsage(
@@ -259,7 +255,7 @@ def leaf_cert(
         serial: int | None = None,
         not_before: datetime = EPOCH,
         not_after: datetime = ONE_THOUSAND_YEARS_OF_TORMENT,
-        key: PrivateKeyTypes | None = None,
+        key: CertificateIssuerPrivateKeyTypes | None = None,
         basic_constraints: _Extension[x509.BasicConstraints] | Literal[True] | None = None,
         key_usage: _Extension[x509.KeyUsage] | None = ext(
             x509.KeyUsage(
@@ -308,9 +304,9 @@ def leaf_cert(
         builder = builder.issuer_name(issuer)
         builder = builder.not_valid_before(not_before)
         builder = builder.not_valid_after(not_after)
-        builder = builder.public_key(key.public_key())  # type: ignore[arg-type]
+        builder = builder.public_key(key.public_key())
         builder = builder.add_extension(
-            x509.SubjectKeyIdentifier.from_public_key(key.public_key()),  # type: ignore[arg-type]
+            x509.SubjectKeyIdentifier.from_public_key(key.public_key()),
             critical=False,
         )
 
@@ -328,9 +324,7 @@ def leaf_cert(
             builder = builder.add_extension(aki.ext, critical=aki.critical)
         elif aki:
             builder = builder.add_extension(
-                x509.AuthorityKeyIdentifier.from_issuer_public_key(
-                    parent.key.public_key()  # type: ignore[arg-type]
-                ),
+                x509.AuthorityKeyIdentifier.from_issuer_public_key(parent.key.public_key()),
                 critical=False,
             )
 
@@ -363,7 +357,7 @@ def leaf_cert(
                 builder._extensions = []
 
         certificate = builder.sign(
-            private_key=parent.key,  # type: ignore[arg-type]
+            private_key=parent.key,
             algorithm=hashes.SHA256(),
         )