Beispiel #1
0
def MakeCertificate(
    issuer_cn, subject_cn, serial, pubkey, privkey, ocsp_url = None,
    ca_issuers_url = None, is_ca=False, path_len=None, ip_sans=None,
    dns_sans=None):
  '''MakeCertificate returns a DER encoded certificate, signed by privkey.'''
  extensions = asn1.SEQUENCE([])

  # Default subject name fields
  c = "XX"
  o = "Testing Org"

  if is_ca:
    # Root certificate.
    c = None
    o = None
    extensions.children.append(
      asn1.SEQUENCE([
        BASIC_CONSTRAINTS,
        True,
        asn1.OCTETSTRING(asn1.ToDER(asn1.SEQUENCE([
            True, # IsCA
        ] + ([path_len] if path_len is not None else []) # Path len
        ))),
      ]))

  if ip_sans is not None or dns_sans is not None:
    sans = []
    if dns_sans is not None:
      for dns_name in dns_sans:
        sans.append(
          asn1.Raw(asn1.TagAndLength(0x82, len(dns_name)) + dns_name))
    if ip_sans is not None:
      for ip_addr in ip_sans:
        sans.append(
          asn1.Raw(asn1.TagAndLength(0x87, len(ip_addr)) + ip_addr))
    extensions.children.append(
      asn1.SEQUENCE([
        SUBJECT_ALTERNATIVE_NAME,
        # There is implicitly a critical=False here. Since false is the
        # default, encoding the value would be invalid DER.
        asn1.OCTETSTRING(asn1.ToDER(asn1.SEQUENCE(sans)))
      ]))

  if ocsp_url is not None or ca_issuers_url is not None:
    aia_entries = []
    if ocsp_url is not None:
      aia_entries.append(
          asn1.SEQUENCE([
            AIA_OCSP,
            asn1.Raw(asn1.TagAndLength(0x86, len(ocsp_url)) + ocsp_url),
          ]))
    if ca_issuers_url is not None:
      aia_entries.append(
          asn1.SEQUENCE([
            AIA_CA_ISSUERS,
            asn1.Raw(asn1.TagAndLength(0x86,
                                       len(ca_issuers_url)) + ca_issuers_url),
            ]))
    extensions.children.append(
      asn1.SEQUENCE([
        AUTHORITY_INFORMATION_ACCESS,
        # There is implicitly a critical=False here. Since false is the default,
        # encoding the value would be invalid DER.
        asn1.OCTETSTRING(asn1.ToDER(asn1.SEQUENCE(aia_entries))),
        ]))

  extensions.children.append(
    asn1.SEQUENCE([
      CERT_POLICIES,
      # There is implicitly a critical=False here. Since false is the default,
      # encoding the value would be invalid DER.
      asn1.OCTETSTRING(asn1.ToDER(asn1.SEQUENCE([
        asn1.SEQUENCE([ # PolicyInformation
          CERT_POLICY_OID,
        ]),
      ]))),
    ])
  )

  tbsCert = asn1.ToDER(asn1.SEQUENCE([
      asn1.Explicit(0, 2), # Version
      serial,
      asn1.SEQUENCE([SHA256_WITH_RSA_ENCRYPTION, None]), # SignatureAlgorithm
      Name(cn = issuer_cn), # Issuer
      asn1.SEQUENCE([ # Validity
        asn1.UTCTime("100101060000Z"), # NotBefore
        asn1.UTCTime("321201060000Z"), # NotAfter
      ]),
      Name(cn = subject_cn, c = c, o = o), # Subject
      asn1.SEQUENCE([ # SubjectPublicKeyInfo
        asn1.SEQUENCE([ # Algorithm
          PUBLIC_KEY_RSA,
          None,
        ]),
        asn1.BitString(asn1.ToDER(pubkey)),
      ]),
      asn1.Explicit(3, extensions),
    ]))

  return asn1.ToDER(asn1.SEQUENCE([
    asn1.Raw(tbsCert),
    asn1.SEQUENCE([
      SHA256_WITH_RSA_ENCRYPTION,
      None,
    ]),
    asn1.BitString(privkey.Sign(tbsCert)),
  ]))
Beispiel #2
0
def MakeCertificate(issuer_cn,
                    subject_cn,
                    serial,
                    pubkey,
                    privkey,
                    ocsp_url=None):
    '''MakeCertificate returns a DER encoded certificate, signed by privkey.'''
    extensions = asn1.SEQUENCE([])

    # Default subject name fields
    c = "XX"
    o = "Testing Org"

    if issuer_cn == subject_cn:
        # Root certificate.
        c = None
        o = None
        extensions.children.append(
            asn1.SEQUENCE([
                BASIC_CONSTRAINTS,
                True,
                asn1.OCTETSTRING(
                    asn1.ToDER(asn1.SEQUENCE([
                        True,  # IsCA
                        0,  # Path len
                    ]))),
            ]))

    if ocsp_url is not None:
        extensions.children.append(
            asn1.SEQUENCE([
                AUTHORITY_INFORMATION_ACCESS,
                # There is implicitly a critical=False here. Since false is the default,
                # encoding the value would be invalid DER.
                asn1.OCTETSTRING(
                    asn1.ToDER(
                        asn1.SEQUENCE([
                            asn1.SEQUENCE([
                                AIA_OCSP,
                                asn1.Raw(
                                    asn1.TagAndLength(0x86, len(ocsp_url)) +
                                    ocsp_url),
                            ]),
                        ]))),
            ]))

    extensions.children.append(
        asn1.SEQUENCE([
            CERT_POLICIES,
            # There is implicitly a critical=False here. Since false is the default,
            # encoding the value would be invalid DER.
            asn1.OCTETSTRING(
                asn1.ToDER(
                    asn1.SEQUENCE([
                        asn1.SEQUENCE([  # PolicyInformation
                            CERT_POLICY_OID,
                        ]),
                    ]))),
        ]))

    tbsCert = asn1.ToDER(
        asn1.SEQUENCE([
            asn1.Explicit(0, 2),  # Version
            serial,
            asn1.SEQUENCE([SHA256_WITH_RSA_ENCRYPTION,
                           None]),  # SignatureAlgorithm
            Name(cn=issuer_cn),  # Issuer
            asn1.SEQUENCE([  # Validity
                asn1.UTCTime("100101060000Z"),  # NotBefore
                asn1.UTCTime("321201060000Z"),  # NotAfter
            ]),
            Name(cn=subject_cn, c=c, o=o),  # Subject
            asn1.SEQUENCE([  # SubjectPublicKeyInfo
                asn1.SEQUENCE([  # Algorithm
                    PUBLIC_KEY_RSA,
                    None,
                ]),
                asn1.BitString(asn1.ToDER(pubkey)),
            ]),
            asn1.Explicit(3, extensions),
        ]))

    return asn1.ToDER(
        asn1.SEQUENCE([
            asn1.Raw(tbsCert),
            asn1.SEQUENCE([
                SHA256_WITH_RSA_ENCRYPTION,
                None,
            ]),
            asn1.BitString(privkey.Sign(tbsCert)),
        ]))