Verify the thumbprint of the X.509 cert.

Rebecka Gulliksson · Rebecka Gulliksson · commit a54ddbf38510 · 2016-01-14T10:36:13.000+01:00
diff --git a/src/jwkest/jwk.py b/src/jwkest/jwk.py
@@ -376,10 +376,13 @@ def deserialize(self):
             except ValueError as err:
                 raise DeSerializationNotPossible("%s" % err)
         elif self.x5c:
+            der_cert = base64.b64decode(self.x5c[0].encode("ascii"))
+
             if self.x5t:  # verify the cert
-                pass
+                if not b64d(self.x5t.encode("ascii")) == hashlib.sha1(der_cert).digest():
+                    raise DeSerializationNotPossible("The thumbprint ('x5t') does not match the certificate.")
 
-            self.key = der2rsa(base64.b64decode(self.x5c[0].encode("ascii")))
+            self.key = der2rsa(der_cert)
             self._split()
             if len(self.x5c) > 1:  # verify chain
                 pass
diff --git a/tests/test_2_jwk.py b/tests/test_2_jwk.py
@@ -8,7 +8,7 @@
 import six
 from jwkest.ecc import P256
 from jwkest import long2intarr
-from jwkest.jwk import jwk_wrap
+from jwkest.jwk import jwk_wrap, DeSerializationNotPossible
 from jwkest.jwk import import_rsa_key_from_file
 from jwkest.jwk import rsa_eq
 from jwkest.jwk import keyrep
@@ -169,7 +169,8 @@ def test_import_rsa_key():
     djwk = jwk_wrap(_ckey).to_dict()
     print(djwk)
     assert _eq(djwk.keys(), ["kty", "e", "n", "p", "q", "d"])
-    assert djwk["n"] == '5zbNbHIYIkGGJ3RGdRKkYmF4gOorv5eDuUKTVtuu3VvxrpOWvwnFV-NY0LgqkQSMMyVzodJE3SUuwQTUHPXXY5784vnkFqzPRx6bHgPxKz7XfwQjEBTafQTMmOeYI8wFIOIHY5i0RWR-gxDbh_D5TXuUqScOOqR47vSpIbUH-nc'
+    assert djwk[
+               "n"] == '5zbNbHIYIkGGJ3RGdRKkYmF4gOorv5eDuUKTVtuu3VvxrpOWvwnFV-NY0LgqkQSMMyVzodJE3SUuwQTUHPXXY5784vnkFqzPRx6bHgPxKz7XfwQjEBTafQTMmOeYI8wFIOIHY5i0RWR-gxDbh_D5TXuUqScOOqR47vSpIbUH-nc'
     assert djwk['e'] == 'AQAB'
 
 
@@ -331,5 +332,29 @@ def test_rsa_pubkey_from_x509_cert_chain():
     assert rsa_key.key
 
 
+def test_rsa_pubkey_verify_x509_thumbprint():
+    cert = "MIID0jCCArqgAwIBAgIBSTANBgkqhkiG9w0BAQQFADCBiDELMAkGA1UEBhMCREUxEDAOBgNVBAgTB0JhdmF" \
+           "yaWExEzARBgNVBAoTCkJpb0lEIEdtYkgxLzAtBgNVBAMTJkJpb0lEIENsaWVudCBDZXJ0aWZpY2F0aW9uIE" \
+           "F1dGhvcml0eSAyMSEwHwYJKoZIhvcNAQkBFhJzZWN1cml0eUBiaW9pZC5jb20wHhcNMTUwNDE1MTQ1NjM4W" \
+           "hcNMTYwNDE0MTQ1NjM4WjBfMQswCQYDVQQGEwJERTETMBEGA1UEChMKQmlvSUQgR21iSDE7MDkGA1UEAxMy" \
+           "QmlvSUQgT3BlbklEIENvbm5lY3QgSWRlbnRpdHkgUHJvdmlkZXIgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb" \
+           "3DQEBAQUAA4IBDwAwggEKAoIBAQC9aFETmU6kDfMBPKM2OfI5eedO3XP12Ci0hDC99bdzUUIhDZG34PQqcH" \
+           "89gVWGthJv5w3kqpdSrxfPCFMsBdnyk1VCuXmLgXS8s4oBtt1c9iM0J8X6Z+5subS3Xje8fu55Csh0JXNfo" \
+           "y29rCY/O6y0fNignegg0KS4PHv5T+agFmaG4rxCQV9/kd8tlo/HTyVPsuSPDgsXxisIVqur9aujYwdCoAZU" \
+           "8OU+5ccMLNIhpWJn+xNjgDRr4L9nxAYKc9vy+f7EoH3LT24B71zazZsQ78vpocz98UT/7vdgS/IYXFniPuU" \
+           "fblja7cq31bUoySDx6FYrtfCSUxNhaZSX8mppAgMBAAGjbzBtMAkGA1UdEwQCMAAwHQYDVR0OBBYEFOfg3f" \
+           "/ewBLK5SkcBEXusD62OlzaMB8GA1UdIwQYMBaAFCQmdD+nVcVLaKt3vu73XyNgpPEpMAsGA1UdDwQEAwIDi" \
+           "DATBgNVHSUEDDAKBggrBgEFBQcDAjANBgkqhkiG9w0BAQQFAAOCAQEAKQjhcL/iGhy0549hEHRQArJXs1im" \
+           "7W244yE+TSChdMWKe2eWvEhc9wX1aVV2mNJM1ZNeYSgfoK6jjuXaHiSaIJEUcW1wVM3rDywi2a9GKzOFgrW" \
+           "pVbpXQ05LSE7qEEWRmSpIMyKTitUalNpNA6cOML5hiuUTfZbw7OvPwbnbSYYL674gEA2sW5AhPiCr9dVnMn" \
+           "/UK2II40802zdXUOvIxWeXpcsCxxZMjp/Ir2jIZWOEjlAXQVGr2oBfL/be/o5WXpaqWSfPRBZV8htRIf0vT" \
+           "lGx7xR8FPWDYmcj4o/tKoNC1AchjOnCwwE/mj4hgtoAsHNmYXF0oZXk7cozqYDqKQ=="
+    rsa_key = RSAKey(x5c=[cert], x5t="KvHXVspLmjWC6cPDIIVMHlJjN-c")
+    assert rsa_key.key
+
+    with pytest.raises(DeSerializationNotPossible):
+        RSAKey(x5c=[cert], x5t="abcdefgh")  # incorrect thumbprint
+
+
 if __name__ == "__main__":
     test_private_key_from_jwk()
