Move all certificate and downloading to separate project

ralphje · Mar 20, 2023 · 7ae796d · 7ae796d
1 parent 1892c21
commit 7ae796d
Show file tree

Hide file tree

Showing 15 changed files with 19 additions and 14,829 deletions.
diff --git a/MANIFEST.in b/MANIFEST.in
@@ -1,5 +1,4 @@
 include LICENSE
 include README.rst
 recursive-include docs *
-recursive-exclude docs/_build *
-recursive-include signify/certs *
+recursive-exclude docs/_build *
diff --git a/docs/authroot.rst b/docs/authroot.rst
@@ -73,3 +73,7 @@ Use :const:`TRUSTED_CERTIFICATE_STORE` for a certificate store with associated C
 .. data:: TRUSTED_CERTIFICATE_STORE_NO_CTL
 
    A :class:`signify.x509.CertificateStore` without an associated :class:`CertificateTrustList`.
+
+
+Signify uses a separate project (`mscerts <https://pypi.org/project/mscerts/>`_) to ensure an up-to-date certificate
+bundle. This project is maintained by the same authors as Signify.
diff --git a/docs/changelog.rst b/docs/changelog.rst
@@ -6,7 +6,10 @@ v0.5.0 (unreleased)
 -------------------
 * Drop support for Python 3.6
 * Add support for ECC keys
+* Move certificates to a separate project, mscerts, so that we can update it separately
 * Fix DisallowedFileTime check in Authroot parsing
+* Fix parsing of ``Certificate.subject_public_key``
+* Fix return statement of ``RFC3161SignedData.verify``
 
 v0.4.0 (2021-08-23)
 -------------------

diff --git a/requirements.txt b/requirements.txt
@@ -4,3 +4,4 @@ asn1crypto>=1.3,<2
 oscrypto>=1.1,<2
 pyasn1-modules>=0.2.8
 requests
+mscerts
diff --git a/setup.py b/setup.py
@@ -17,8 +17,7 @@
 setup(
     name='signify',
     version=about['__version__'],
-    packages=['signify', 'signify.asn1', 'signify.authenticode', 'signify.pkcs7', 'signify.x509',
-              'signify.__pyinstaller'],
+    packages=['signify', 'signify.asn1', 'signify.authenticode', 'signify.pkcs7', 'signify.x509'],
     package_data={'signify': ['*.pem']},
     include_package_data=True,
 
@@ -33,7 +32,8 @@
                       'certvalidator>=0.11',
                       'asn1crypto>=1.3,<2',
                       'oscrypto>=1.1,<2',
-                      'pyasn1-modules>=0.2.8'],
+                      'pyasn1-modules>=0.2.8',
+                      'mscerts'],
     extras_require={
         "stlupdate": ["requests"],
     },

diff --git a/signify/__pyinstaller/__init__.py b/signify/__pyinstaller/__init__.py
diff --git a/signify/__pyinstaller/hook-signify.py b/signify/__pyinstaller/hook-signify.py
diff --git a/signify/authenticode/__init__.py b/signify/authenticode/__init__.py
@@ -2,11 +2,10 @@
     AuthenticodeVerificationResult, AuthenticodeCounterSignerInfo, AuthenticodeSignerInfo, SpcInfo, \
     AuthenticodeSignedData, RFC3161SignerInfo, TSTInfo, RFC3161SignedData
 from .signed_pe import SignedPEFile
-from .authroot import AUTHROOTSTL_URL, AUTHROOTSTL_PATH, DISALLOWEDSTL_URL, DISALLOWEDSTL_PATH, CertificateTrustList, \
+from .authroot import AUTHROOTSTL_PATH, CertificateTrustList, \
     CertificateTrustSubject
 
 __all__ = ["CERTIFICATE_LOCATION", "TRUSTED_CERTIFICATE_STORE_NO_CTL", "TRUSTED_CERTIFICATE_STORE",
            "AuthenticodeVerificationResult", "AuthenticodeCounterSignerInfo", "AuthenticodeSignerInfo", "SpcInfo",
            "AuthenticodeSignedData", "RFC3161SignerInfo", "TSTInfo", "RFC3161SignedData", "SignedPEFile",
-           "AUTHROOTSTL_URL", "AUTHROOTSTL_PATH", "DISALLOWEDSTL_URL", "DISALLOWEDSTL_PATH", "CertificateTrustList",
-           "CertificateTrustSubject"]
+           "AUTHROOTSTL_PATH", "CertificateTrustList", "CertificateTrustSubject"]
diff --git a/signify/authenticode/authroot.py b/signify/authenticode/authroot.py
@@ -3,6 +3,7 @@
 import pathlib
 import struct
 
+import mscerts
 from pyasn1.codec.ber import decoder as ber_decoder
 from pyasn1_modules import rfc2315
 
@@ -13,10 +14,8 @@
 from signify.pkcs7.signeddata import SignedData
 from signify.pkcs7.signerinfo import _get_digest_algorithm
 
-AUTHROOTSTL_URL = "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authroot.stl"
-AUTHROOTSTL_PATH = pathlib.Path(__file__).resolve().parent.parent / "certs" / "authroot.stl"
-DISALLOWEDSTL_URL = "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcert.stl"
-DISALLOWEDSTL_PATH = pathlib.Path(__file__).resolve().parent.parent / "certs" / "disallowedcerts.stl"
+
+AUTHROOTSTL_PATH = pathlib.Path(mscerts.where(stl=True))
 
 
 def _lookup_ekus(extended_key_usages=None):
@@ -149,19 +148,6 @@ def find_subject(self, certificate):
 
         return self._subjects.get(identifier)
 
-    @classmethod
-    def update_stl_file(cls, url=AUTHROOTSTL_URL, path=AUTHROOTSTL_PATH):
-        """This downloads the latest version of the authroot.stl file and puts it in place of the locally bundled
-        authroot.stl.
-        """
-
-        import requests
-
-        with requests.get(url, stream=True) as r, open(str(path), "wb") as f:
-            r.raise_for_status()
-            for chunk in r.iter_content(chunk_size=8192):
-                f.write(chunk)
-
     @classmethod
     def from_stl_file(cls, path=AUTHROOTSTL_PATH):
         """Loads a :class:`CertificateTrustList` from a specified path."""

diff --git a/signify/authenticode/structures.py b/signify/authenticode/structures.py
@@ -27,6 +27,7 @@
 import logging
 import pathlib
 
+import mscerts
 from pyasn1.codec.ber import decoder as ber_decoder
 from pyasn1_modules import rfc3161, rfc2315, rfc5652
 
@@ -43,7 +44,7 @@
 
 logger = logging.getLogger(__name__)
 
-CERTIFICATE_LOCATION = pathlib.Path(__file__).resolve().parent.parent / "certs" / "authenticode-bundle.pem"
+CERTIFICATE_LOCATION = pathlib.Path(mscerts.where(stl=False))
 TRUSTED_CERTIFICATE_STORE_NO_CTL = FileSystemCertificateStore(location=CERTIFICATE_LOCATION, trusted=True)
 TRUSTED_CERTIFICATE_STORE = FileSystemCertificateStore(location=CERTIFICATE_LOCATION, trusted=True,
                                                        ctl=CertificateTrustList.from_stl_file())

diff --git a/signify/certs/README.rst b/signify/certs/README.rst