cert_parser.py accesses private _name attribute on OID object; fragile against cryptography library upgrades #2

Open
opened 2026-05-14 21:19:34 +02:00 by Claude · 0 comments

Problem

_from_x509() reads cert.signature_algorithm_oid._name — a private, undocumented attribute of the cryptography library's OID class — to extract the signature algorithm name. There is a hasattr guard, but if the attribute disappears or is renamed in a future release the code silently falls back to the dotted OID string (e.g. "1.2.840.10045.4.3.2") rather than a human-readable name, with no warning.

Location

src/certbot_manager/core/cert_parser.py, lines 37–40

```python
signature_alg = (
    cert.signature_algorithm_oid._name  # type: ignore[attr-defined]
    if hasattr(cert.signature_algorithm_oid, "_name")
    else cert.signature_algorithm_oid.dotted_string
)
```

Risk

The cryptography library treats _name as an internal implementation detail; it has already been refactored between major versions. When it disappears the code silently falls back to dotted OID strings in the cert detail UI, which is confusing but not dangerous. If the attribute is replaced by something with incompatible semantics, the displayed algorithm name could be wrong without any error being raised.

Suggested fix direction

Use the public API: cert.signature_hash_algorithm (available since cryptography 0.x) gives the digest name, and the key algorithm is already captured in key_type. Alternatively, maintain a small static dict mapping well-known OID dotted strings to friendly names as a fallback.
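The following is an added example of the suggested direction; it is not code from the certbotManager project. It resolves the algorithm name using only public attributes of cryptography's x509.Certificate (signature_algorithm_oid.dotted_string and signature_hash_algorithm), keeps a static table of well-known signature OIDs as the fallback the issue mentions, and adds a check that compares that table against the library's public SignatureAlgorithmOID constants so drift shows up in a test rather than silently in the UI. The OID table and the WEAK_SIGNATURE_NAMES policy set are assumptions written for this example, and the constructed_cert() stand-in is a constructed duck-typed object so the module runs without a real certificate.

```python
"""Signature-algorithm naming without touching cryptography's private _name.

Added example (not project code). Uses only public attributes:
ObjectIdentifier.dotted_string and Certificate.signature_hash_algorithm.
"""
from __future__ import annotations

from types import SimpleNamespace
from typing import Optional

# Static fallback table of well-known signature-algorithm OIDs
# (RFC 3279, 4055, 5758, 8410). Assumption: this list is what the project
# would want to display; extend it as new algorithms appear.
WELL_KNOWN_SIGNATURE_OIDS: dict[str, str] = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.113549.1.1.10": "RSASSA-PSS",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
    "1.3.101.112": "Ed25519",
    "1.3.101.113": "Ed448",
}

# Hypothetical policy: algorithms a cert inventory should flag as weak.
WEAK_SIGNATURE_NAMES = {"sha1WithRSAEncryption"}


def friendly_signature_algorithm(dotted_oid: str) -> str:
    """Map a dotted OID to a friendly name, or return the OID unchanged."""
    return WELL_KNOWN_SIGNATURE_OIDS.get(dotted_oid, dotted_oid)


def signature_algorithm_name(cert) -> str:
    """Resolve a certificate's signature algorithm via public API only.

    ``cert`` is duck-typed: anything exposing ``signature_algorithm_oid.dotted_string``
    and ``signature_hash_algorithm`` (as cryptography's x509.Certificate does).
    Resolution order: static table, then public digest name plus raw OID,
    then the raw dotted OID as a last resort (never wrong, just less readable).
    """
    dotted = cert.signature_algorithm_oid.dotted_string
    name = WELL_KNOWN_SIGNATURE_OIDS.get(dotted)
    if name is not None:
        return name
    try:
        digest = cert.signature_hash_algorithm  # None for Ed25519/Ed448
    except Exception:  # cryptography raises UnsupportedAlgorithm for some params
        digest = None
    if digest is not None:
        return f"{digest.name}-with-unknown-oid ({dotted})"
    return dotted


def is_weak_signature(cert) -> bool:
    """True when the resolved name is on the (hypothetical) weak list."""
    return signature_algorithm_name(cert) in WEAK_SIGNATURE_NAMES


def table_disagreements_with_library() -> Optional[list[str]]:
    """Dotted OIDs that cryptography's public SignatureAlgorithmOID constants
    define but the static table lacks. Returns None when cryptography is not
    importable. Run this in CI so library upgrades surface as a failing test
    instead of a silently changed UI string."""
    try:
        from cryptography.x509 import ObjectIdentifier
        from cryptography.x509.oid import SignatureAlgorithmOID
    except ImportError:
        return None
    missing = [
        v.dotted_string
        for v in vars(SignatureAlgorithmOID).values()
        if isinstance(v, ObjectIdentifier)
        and v.dotted_string not in WELL_KNOWN_SIGNATURE_OIDS
    ]
    return sorted(missing)


def constructed_cert(dotted: str, digest_name: Optional[str]):
    """Constructed stand-in for x509.Certificate so the module runs offline."""
    digest = SimpleNamespace(name=digest_name) if digest_name else None
    return SimpleNamespace(
        signature_algorithm_oid=SimpleNamespace(dotted_string=dotted),
        signature_hash_algorithm=digest,
    )


if __name__ == "__main__":
    samples = [
        ("1.2.840.10045.4.3.2", "sha256"),   # known ECDSA OID
        ("1.3.101.112", None),               # Ed25519: no separate digest
        ("1.2.3.4.5", "sha256"),             # constructed unknown OID
        ("1.2.840.113549.1.1.5", "sha1"),    # weak per the hypothetical policy
    ]
    for dotted, digest in samples:
        c = constructed_cert(dotted, digest)
        flag = " (weak)" if is_weak_signature(c) else ""
        print(f"{dotted} -> {signature_algorithm_name(c)}{flag}")
    print("table gaps vs library:", table_disagreements_with_library())
```

The static table is consulted first so that RSASSA-PSS and the EdDSA algorithms, for which signature_hash_algorithm is None or may raise, still get a readable name; the library comparison is the test that the hasattr guard was standing in for.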

Severity

minor

Found by

Automated audit by Claude Code

Reference
bc1bb/certbotManager#2