class ExtendedKeyUsageOID(object):
    """OIDs of the Extended Key Usage purposes (RFC 5280 section 4.2.1.12, id-kp arc)."""
    SERVER_AUTH = ObjectIdentifier("1.3.6.1.5.5.7.3.1")  # id-kp-serverAuth: TLS server
    CLIENT_AUTH = ObjectIdentifier("1.3.6.1.5.5.7.3.2")  # id-kp-clientAuth: TLS client
    CODE_SIGNING = ObjectIdentifier("1.3.6.1.5.5.7.3.3")  # id-kp-codeSigning
    EMAIL_PROTECTION = ObjectIdentifier("1.3.6.1.5.5.7.3.4")  # id-kp-emailProtection (S/MIME)
    TIME_STAMPING = ObjectIdentifier("1.3.6.1.5.5.7.3.8")  # id-kp-timeStamping
    OCSP_SIGNING = ObjectIdentifier("1.3.6.1.5.5.7.3.9")  # id-kp-OCSPSigning: delegated responder
    # anyExtendedKeyUsage means "no purpose restriction". A validator that honours
    # it treats the certificate as fit for every purpose, so decide explicitly
    # whether to accept it instead of matching it by accident.
    ANY_EXTENDED_KEY_USAGE = ObjectIdentifier("2.5.29.37.0")
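def get_certificate_extensions(cert):
    """Pull the IAS attestation material embedded in an SGX RA-TLS certificate.

    Args:
        cert: a parsed X.509 certificate exposing ``.extensions``; the
            ``value.value`` of each wanted extension is expected to be base64
            text (presumably an unrecognized/private extension -- confirm).

    Returns:
        ``(ias_report, ias_report_signature, ias_report_signing_certificate)``,
        each the base64-decoded bytes of the matching extension, or ``None``
        when that extension is absent. If an OID occurs more than once, the
        last occurrence wins, as in the original loop.

    Note:
        Nothing here verifies anything. The caller must check
        ``ias_report_signature`` over ``ias_report`` with
        ``ias_report_signing_certificate`` (and that certificate against the
        expected IAS root) before trusting any field of the report.
    """
    constants = config["SGX_CONSTANTS"]
    # Build each ObjectIdentifier once instead of on every loop iteration.
    targets = (
        ("ias_report", ObjectIdentifier(constants["ias_report_oid"])),
        ("ias_report_signature",
         ObjectIdentifier(constants["ias_report_signature_oid"])),
        ("ias_report_signing_certificate",
         ObjectIdentifier(constants["ias_report_signing_certificate_oid"])),
    )
    found = {name: None for name, _ in targets}

    for ext in cert.extensions:
        for name, oid in targets:
            if ext.oid == oid:
                # b64decode is lenient by default (non-alphabet bytes are
                # dropped); kept as-is so existing certificates still parse.
                found[name] = b64decode(ext.value.value)

    return (found["ias_report"],
            found["ias_report_signature"],
            found["ias_report_signing_certificate"])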
class EllipticCurveOID(object):
    """OIDs naming the elliptic curves a key may use (SEC 2 / RFC 5480 names)."""
    # P-192 offers roughly 96-bit security, below current minimums; treat as legacy.
    SECP192R1 = ObjectIdentifier("1.2.840.10045.3.1.1")
    SECP224R1 = ObjectIdentifier("1.3.132.0.33")  # P-224
    SECP256K1 = ObjectIdentifier("1.3.132.0.10")  # Koblitz curve; not a NIST curve
    SECP256R1 = ObjectIdentifier("1.2.840.10045.3.1.7")  # P-256 (prime256v1)
    SECP384R1 = ObjectIdentifier("1.3.132.0.34")  # P-384
    SECP521R1 = ObjectIdentifier("1.3.132.0.35")  # P-521
    def __init__(self, repository_path: Path) -> None:
        """Load every trust store found in *repository_path*.

        For each ``TrustStoreEnum`` member, ``<name>.yaml`` is read to pick up
        the store's version string and ``<name>.pem`` must exist next to it.
        The result is kept in ``self._available_stores``.

        Raises:
            ValueError: a store's PEM file is missing.
        """

        def first_line_after(text: str, marker: str) -> str:
            # The YAML is not parsed; the value is simply the rest of the line
            # that follows *marker*. A missing marker surfaces as IndexError.
            return text.split(marker, 1)[1].split("\n", 1)[0]

        date_versioned = (TrustStoreEnum.MICROSOFT_WINDOWS,
                          TrustStoreEnum.MOZILLA_NSS)
        stores = {}
        for store_enum in TrustStoreEnum:
            base_name = store_enum.name.lower()
            yaml_text = (repository_path / f"{base_name}.yaml").read_text()

            if store_enum in date_versioned:
                # These stores carry no version field; the fetch date stands in.
                version = first_line_after(yaml_text, "date_fetched: ").strip()
            else:
                version = first_line_after(yaml_text, "version: ").strip(" '")

            pem_path = repository_path / f"{base_name}.pem"
            if not pem_path.exists():
                raise ValueError(
                    f"Could not find trust store at {pem_path}")

            # Only the Mozilla store comes with an EV policy OID list.
            ev_oids = None
            if store_enum == TrustStoreEnum.MOZILLA_NSS:
                ev_oids = [ObjectIdentifier(oid) for oid in _MOZILLA_EV_OIDS]

            stores[store_enum] = TrustStore(
                path=pem_path,
                name=self._STORE_PRETTY_NAMES[store_enum],
                version=version,
                ev_oids=ev_oids,
            )

        self._available_stores = stores
def test_oid_constraint():
    """Every malformed dotted string below must be rejected with ValueError."""
    malformed = (
        "1",                # too short: an OID needs at least two arcs
        "3.2.1",            # first arc must be 0, 1 or 2
        "1.40",             # second arc out of range for a first arc of 0 or 1
        "0.42",
        "1.2.foo.bar",      # non-decimal arcs
        "1.2.0xf00.0xba4",
        "1.2.-3.-4",        # negative arcs
    )
    for dotted in malformed:
        with pytest.raises(ValueError):
            ObjectIdentifier(dotted)
def test_oid_constraint():
    """Malformed dotted strings are rejected by the ObjectIdentifier constructor."""

    def rejects(dotted):
        with pytest.raises(ValueError):
            ObjectIdentifier(dotted)

    rejects('1')                # too short
    rejects('3.2.1')            # first node too big
    rejects('1.40')             # second node outside range
    rejects('0.42')
    rejects('1.2.foo.bar')      # non-decimal nodes
    rejects('1.2.0xf00.0xba4')
    rejects('1.2.-3.-4')        # negative nodes
class CertificatePoliciesOID(object):
    """OIDs used inside the Certificate Policies extension (RFC 5280 section 4.2.1.4)."""
    CPS_QUALIFIER = ObjectIdentifier("1.3.6.1.5.5.7.2.1")  # id-qt-cps: URI of the CPS
    CPS_USER_NOTICE = ObjectIdentifier("1.3.6.1.5.5.7.2.2")  # id-qt-unotice: display text
    # anyPolicy matches every policy during path validation (unless
    # inhibitAnyPolicy is in effect); it asserts no policy of its own.
    ANY_POLICY = ObjectIdentifier("2.5.29.32.0")
class AuthorityInformationAccessOID(object):
    """Access methods of the Authority Information Access extension (RFC 5280 section 4.2.2.1).

    Both locations are supplied by the certificate itself, so code that follows
    them automatically is dereferencing a URL chosen by whoever issued the
    certificate: restrict schemes and hosts and bound the fetch.
    """
    CA_ISSUERS = ObjectIdentifier("1.3.6.1.5.5.7.48.2")  # id-ad-caIssuers: issuer cert location
    OCSP = ObjectIdentifier("1.3.6.1.5.5.7.48.1")  # id-ad-ocsp: OCSP responder URL
class ExtensionOID(object):
    """OIDs of X.509 certificate and CRL extensions.

    Section numbers refer to RFC 5280 unless stated otherwise. Per RFC 5280
    section 4.2 a validator must reject a certificate carrying a critical
    extension it does not understand, so unknown OIDs are not merely ignorable.
    """
    SUBJECT_DIRECTORY_ATTRIBUTES = ObjectIdentifier("2.5.29.9")  # 4.2.1.8
    SUBJECT_KEY_IDENTIFIER = ObjectIdentifier("2.5.29.14")  # 4.2.1.2
    KEY_USAGE = ObjectIdentifier("2.5.29.15")  # 4.2.1.3; enforce the bits, not just presence
    SUBJECT_ALTERNATIVE_NAME = ObjectIdentifier("2.5.29.17")  # 4.2.1.6
    ISSUER_ALTERNATIVE_NAME = ObjectIdentifier("2.5.29.18")  # 4.2.1.7
    BASIC_CONSTRAINTS = ObjectIdentifier("2.5.29.19")  # 4.2.1.9; cA flag and pathLen
    NAME_CONSTRAINTS = ObjectIdentifier("2.5.29.30")  # 4.2.1.10
    CRL_DISTRIBUTION_POINTS = ObjectIdentifier("2.5.29.31")  # 4.2.1.13
    CERTIFICATE_POLICIES = ObjectIdentifier("2.5.29.32")  # 4.2.1.4
    POLICY_MAPPINGS = ObjectIdentifier("2.5.29.33")  # 4.2.1.5
    AUTHORITY_KEY_IDENTIFIER = ObjectIdentifier("2.5.29.35")  # 4.2.1.1
    POLICY_CONSTRAINTS = ObjectIdentifier("2.5.29.36")  # 4.2.1.11
    EXTENDED_KEY_USAGE = ObjectIdentifier("2.5.29.37")  # 4.2.1.12
    FRESHEST_CRL = ObjectIdentifier("2.5.29.46")  # 4.2.1.15 (delta CRL pointer)
    INHIBIT_ANY_POLICY = ObjectIdentifier("2.5.29.54")  # 4.2.1.14
    ISSUING_DISTRIBUTION_POINT = ObjectIdentifier("2.5.29.28")  # 5.2.5 (CRL extension)
    AUTHORITY_INFORMATION_ACCESS = ObjectIdentifier("1.3.6.1.5.5.7.1.1")  # 4.2.2.1
    SUBJECT_INFORMATION_ACCESS = ObjectIdentifier("1.3.6.1.5.5.7.1.11")  # 4.2.2.2
    # id-pkix-ocsp-nocheck (RFC 6960 4.2.2.2.1): OCSP responder certs that are
    # not themselves revocation-checked; keep such certs short-lived.
    OCSP_NO_CHECK = ObjectIdentifier("1.3.6.1.5.5.7.48.1.5")
    TLS_FEATURE = ObjectIdentifier("1.3.6.1.5.5.7.1.24")  # RFC 7633 (OCSP must-staple)
    CRL_NUMBER = ObjectIdentifier("2.5.29.20")  # 5.2.3 (CRL extension)
    DELTA_CRL_INDICATOR = ObjectIdentifier("2.5.29.27")  # 5.2.4 (CRL extension)
    # Certificate Transparency (RFC 6962): embedded SCT list, and the critical
    # poison extension that marks a precertificate as never valid for use.
    PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS = (
        ObjectIdentifier("1.3.6.1.4.1.11129.2.4.2"))
    PRECERT_POISON = (ObjectIdentifier("1.3.6.1.4.1.11129.2.4.3"))
def test_basic_oid():
    """The dotted string used to build an OID is reported back unchanged."""
    dotted = '1.2.3.4'
    oid = ObjectIdentifier(dotted)
    assert oid.dotted_string == dotted
class NameOID(object):
    """Attribute type OIDs used in X.500 distinguished names (subject / issuer).

    Most come from the X.520 arc 2.5.4 (RFC 5280 Appendix A, RFC 4519);
    the exceptions are noted inline.
    """
    COMMON_NAME = ObjectIdentifier("2.5.4.3")  # CN; not authoritative for hostnames, prefer SAN
    COUNTRY_NAME = ObjectIdentifier("2.5.4.6")  # C
    LOCALITY_NAME = ObjectIdentifier("2.5.4.7")  # L
    STATE_OR_PROVINCE_NAME = ObjectIdentifier("2.5.4.8")  # ST
    STREET_ADDRESS = ObjectIdentifier("2.5.4.9")
    ORGANIZATION_NAME = ObjectIdentifier("2.5.4.10")  # O
    ORGANIZATIONAL_UNIT_NAME = ObjectIdentifier("2.5.4.11")  # OU
    SERIAL_NUMBER = ObjectIdentifier("2.5.4.5")  # DN serialNumber attribute, not the cert serial
    SURNAME = ObjectIdentifier("2.5.4.4")
    GIVEN_NAME = ObjectIdentifier("2.5.4.42")
    TITLE = ObjectIdentifier("2.5.4.12")
    GENERATION_QUALIFIER = ObjectIdentifier("2.5.4.44")
    X500_UNIQUE_IDENTIFIER = ObjectIdentifier("2.5.4.45")
    DN_QUALIFIER = ObjectIdentifier("2.5.4.46")
    PSEUDONYM = ObjectIdentifier("2.5.4.65")
    # Pilot attributes (RFC 4519 / RFC 1274 arc 0.9.2342.19200300.100.1).
    USER_ID = ObjectIdentifier("0.9.2342.19200300.100.1.1")  # uid
    DOMAIN_COMPONENT = ObjectIdentifier("0.9.2342.19200300.100.1.25")  # dc
    EMAIL_ADDRESS = ObjectIdentifier("1.2.840.113549.1.9.1")  # PKCS#9 emailAddress (legacy; prefer SAN)
    # Extended Validation jurisdiction attributes (CA/Browser Forum EV Guidelines).
    JURISDICTION_COUNTRY_NAME = ObjectIdentifier("1.3.6.1.4.1.311.60.2.1.3")
    JURISDICTION_LOCALITY_NAME = ObjectIdentifier("1.3.6.1.4.1.311.60.2.1.1")
    JURISDICTION_STATE_OR_PROVINCE_NAME = ObjectIdentifier(
        "1.3.6.1.4.1.311.60.2.1.2")
    BUSINESS_CATEGORY = ObjectIdentifier("2.5.4.15")
    POSTAL_ADDRESS = ObjectIdentifier("2.5.4.16")
    POSTAL_CODE = ObjectIdentifier("2.5.4.17")
def test_basic_oid():
    """Constructing from a dotted string round-trips through dotted_string."""
    expected = "1.2.3.4"
    assert expected == ObjectIdentifier(expected).dotted_string
class AttributeOID(object):
    """OIDs of PKCS#9 attributes that may appear in a certificate signing request."""
    # challengePassword travels in the CSR in clear text (e.g. SCEP enrollment);
    # treat the CSR as sensitive and do not log this attribute.
    CHALLENGE_PASSWORD = ObjectIdentifier("1.2.840.113549.1.9.7")
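import argparse  # used below but was not imported in this listing
import os
from OpenSSL import crypto
from cryptography.hazmat._oid import ObjectIdentifier

# NOTE(review): `pem.parse_file` is called below but `pem` is not imported in
# this listing -- presumably `import pem` exists elsewhere; confirm before running.

parser = argparse.ArgumentParser(description='certificate chain validation')
parser.add_argument('-chf',
                    dest="CHAIN_FILE",
                    required=True,
                    default=None,
                    help="specify the certificate chain file")
args = parser.parse_args()

# `oid` identifies the CRL Distribution Points extension (2.5.29.31). Every
# extension carries an OID, and this one is looked up to obtain the CRL URL
# from each certificate so the CRL file can be fetched.
# `valid` records whether the chain is still considered valid: it starts as
# True and is set to None once a certificate is found to be revoked.
oid = ObjectIdentifier("2.5.29.31")
valid = True

# os.path.join uses the platform separator; on Windows this is the same
# "<cwd>\crt\<file>" string the old concatenation produced. If CHAIN_FILE is
# absolute, join() uses it as-is instead of appending it to <cwd>\crt.
certs = pem.parse_file(os.path.join(os.getcwd(), "crt", args.CHAIN_FILE))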

for i in range(0, len(certs)):
    """
    for i in range(0,len(certs)-1):
    if we reach the root certificate we can guarentee that the chain is valid, since the root is self signed and cannot exist in any issuer CRL file. hence we can parse only upto last but one certificate in the chain  i.e the certificate at the index len(certs)-2, hence we can specify the range as (0,len(certs)-1).
    i have gone upto len(certs) to only print all the certificates in the chain
    """

    cert = crypto.load_certificate(crypto.FILETYPE_PEM, str(certs[i]))
    dict_sn = {}
    print("Certificate Details -", i + 1)
    #print("X509 object = ",cert) # return X509 object
class OCSPExtensionOID(object):
    """OIDs of OCSP request/response extensions (RFC 6960)."""
    # id-pkix-ocsp-nonce (RFC 6960 section 4.4.1): binds a response to a
    # request to defeat replay. Responders may omit it, so a client must
    # decide how to treat a nonce-less reply (fall back to time checks).
    NONCE = ObjectIdentifier("1.3.6.1.5.5.7.48.1.2")
class CRLEntryExtensionOID(object):
    """OIDs of per-entry CRL extensions (RFC 5280 section 5.3)."""
    # 5.3.3: issuer of the revoked cert, used in indirect CRLs.
    CERTIFICATE_ISSUER = ObjectIdentifier("2.5.29.29")
    # 5.3.1: reason code; only some reasons (e.g. keyCompromise) should
    # invalidate signatures made before the revocation.
    CRL_REASON = ObjectIdentifier("2.5.29.21")
    # 5.3.2: when the key is believed to have become bad, which may predate
    # the revocation date itself.
    INVALIDITY_DATE = ObjectIdentifier("2.5.29.24")
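 def getExtensions(self, oid):
     """Return the raw value of the extension identified by *oid*.

     Args:
         oid: dotted-string object identifier of the wanted extension.

     Returns:
         The ``value.value`` of the matching extension. For extensions that
         cryptography parses into a typed object this attribute presumably
         does not exist -- looks like only private/unrecognized OIDs are
         meant to be queried here; confirm with callers.

     Raises:
         RuntimeError: no certificate has been loaded on this instance.
         ExtensionNotFound: propagated from ``get_extension_for_oid`` when
             the certificate lacks the extension.
     """
     if not self._cert:
         # RuntimeError instead of BaseException: ordinary `except Exception`
         # handlers now see it, while existing `except BaseException` still does.
         raise RuntimeError('no cert loaded')
     extension = self._cert.extensions.get_extension_for_oid(
         ObjectIdentifier(oid))
     return extension.value.value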
class SignatureAlgorithmOID(object):
    """OIDs of signature algorithms found in a certificate's signatureAlgorithm field.

    MD5- and SHA-1-based signatures are collision-broken; a validator should
    reject them on any certificate it actually verifies (a trust anchor's own
    self-signature is never checked, so its algorithm does not matter).
    """
    RSA_WITH_MD5 = ObjectIdentifier("1.2.840.113549.1.1.4")  # md5WithRSAEncryption (broken)
    RSA_WITH_SHA1 = ObjectIdentifier("1.2.840.113549.1.1.5")  # sha1WithRSAEncryption (deprecated)
    # This is an alternate OID for RSA with SHA1 that is occasionally seen
    _RSA_WITH_SHA1 = ObjectIdentifier("1.3.14.3.2.29")  # OIW sha1WithRSASignature
    RSA_WITH_SHA224 = ObjectIdentifier("1.2.840.113549.1.1.14")  # RFC 4055
    RSA_WITH_SHA256 = ObjectIdentifier("1.2.840.113549.1.1.11")  # RFC 4055
    RSA_WITH_SHA384 = ObjectIdentifier("1.2.840.113549.1.1.12")  # RFC 4055
    RSA_WITH_SHA512 = ObjectIdentifier("1.2.840.113549.1.1.13")  # RFC 4055
    # RSASSA-PSS: hash, MGF and salt length live in the AlgorithmIdentifier
    # parameters, not in the OID, so they must be parsed and policy-checked.
    RSASSA_PSS = ObjectIdentifier("1.2.840.113549.1.1.10")
    ECDSA_WITH_SHA1 = ObjectIdentifier("1.2.840.10045.4.1")  # RFC 3279 (deprecated)
    ECDSA_WITH_SHA224 = ObjectIdentifier("1.2.840.10045.4.3.1")  # RFC 5758
    ECDSA_WITH_SHA256 = ObjectIdentifier("1.2.840.10045.4.3.2")  # RFC 5758
    ECDSA_WITH_SHA384 = ObjectIdentifier("1.2.840.10045.4.3.3")  # RFC 5758
    ECDSA_WITH_SHA512 = ObjectIdentifier("1.2.840.10045.4.3.4")  # RFC 5758
    DSA_WITH_SHA1 = ObjectIdentifier("1.2.840.10040.4.3")  # RFC 3279 (deprecated)
    DSA_WITH_SHA224 = ObjectIdentifier("2.16.840.1.101.3.4.3.1")  # RFC 5758
    DSA_WITH_SHA256 = ObjectIdentifier("2.16.840.1.101.3.4.3.2")  # RFC 5758
class SubjectInformationAccessOID(object):
    """Access methods of the Subject Information Access extension (RFC 5280 section 4.2.2.2)."""
    # id-ad-caRepository: where a CA publishes the certificates it issues.
    # Like AIA, the URL comes from the certificate; do not dereference blindly.
    CA_REPOSITORY = ObjectIdentifier("1.3.6.1.5.5.7.48.5")
class EllipticCurveOID(object):
    """OIDs naming elliptic curves (SEC 2 / RFC 5480, Brainpool per RFC 5639)."""
    # P-192 offers roughly 96-bit security, below current minimums; treat as legacy.
    SECP192R1 = ObjectIdentifier("1.2.840.10045.3.1.1")
    SECP224R1 = ObjectIdentifier("1.3.132.0.33")  # P-224
    SECP256K1 = ObjectIdentifier("1.3.132.0.10")  # Koblitz curve; not a NIST curve
    SECP256R1 = ObjectIdentifier("1.2.840.10045.3.1.7")  # P-256 (prime256v1)
    SECP384R1 = ObjectIdentifier("1.3.132.0.34")  # P-384
    SECP521R1 = ObjectIdentifier("1.3.132.0.35")  # P-521
    # Brainpool prime curves (RFC 5639).
    BRAINPOOLP256R1 = ObjectIdentifier("1.3.36.3.3.2.8.1.1.7")
    BRAINPOOLP384R1 = ObjectIdentifier("1.3.36.3.3.2.8.1.1.11")
    BRAINPOOLP512R1 = ObjectIdentifier("1.3.36.3.3.2.8.1.1.13")
    # Binary-field (sect*) curves. TLS 1.3 no longer offers them and
    # sect163* is below 112-bit security; expect poor interoperability.
    SECT163K1 = ObjectIdentifier("1.3.132.0.1")
    SECT163R2 = ObjectIdentifier("1.3.132.0.15")
    SECT233K1 = ObjectIdentifier("1.3.132.0.26")
    SECT233R1 = ObjectIdentifier("1.3.132.0.27")
    SECT283K1 = ObjectIdentifier("1.3.132.0.16")
    SECT283R1 = ObjectIdentifier("1.3.132.0.17")
    SECT409K1 = ObjectIdentifier("1.3.132.0.36")
    SECT409R1 = ObjectIdentifier("1.3.132.0.37")
    SECT571K1 = ObjectIdentifier("1.3.132.0.38")
    SECT571R1 = ObjectIdentifier("1.3.132.0.39")
class AttributeOID(object):
    """OIDs of PKCS#9 attributes that may appear in a certificate signing request."""
    # challengePassword travels in the CSR in clear text (e.g. SCEP enrollment);
    # treat the CSR as sensitive and do not log this attribute.
    CHALLENGE_PASSWORD = ObjectIdentifier("1.2.840.113549.1.9.7")
    # unstructuredName: free-form text supplied by the requester; never trust it
    # as an identity claim.
    UNSTRUCTURED_NAME = ObjectIdentifier("1.2.840.113549.1.9.2")