class SignedData(univ.Sequence):
componentType = namedtype.NamedTypes(
namedtype.NamedType('version', rfc2315.Version()),
namedtype.NamedType('digestAlgorithms',
rfc2315.DigestAlgorithmIdentifiers()),
namedtype.NamedType('contentInfo', rfc2315.ContentInfo()),
namedtype.OptionalNamedType(
'certificates',
CertificateSet().subtype(implicitTag=tag.Tag(
tag.tagClassContext, tag.tagFormatConstructed, 0))),
namedtype.OptionalNamedType(
'crls',
rfc2315.CertificateRevocationLists().subtype(implicitTag=tag.Tag(
tag.tagClassContext, tag.tagFormatConstructed, 1))),
namedtype.NamedType('signerInfos', rfc2315.SignerInfos()))
def toDER(self):
contentInfo = rfc2315.ContentInfo()
contentInfo['contentType'] = rfc2315.signedData
signedData = rfc2315.SignedData()
signedData['version'] = rfc2315.Version(1)
digestAlgorithms = rfc2315.DigestAlgorithmIdentifiers()
digestAlgorithms[0] = self.pykeyHashToDigestAlgorithm(pykey.HASH_SHA1)
signedData['digestAlgorithms'] = digestAlgorithms
dataContentInfo = rfc2315.ContentInfo()
dataContentInfo['contentType'] = rfc2315.data
signedData['contentInfo'] = dataContentInfo
certificates = rfc2315.ExtendedCertificatesAndCertificates().subtype(
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed,
0))
extendedCertificateOrCertificate = rfc2315.ExtendedCertificateOrCertificate(
)
certificate = decoder.decode(self.signer.toDER(),
asn1Spec=rfc2459.Certificate())[0]
extendedCertificateOrCertificate['certificate'] = certificate
certificates[0] = extendedCertificateOrCertificate
signedData['certificates'] = certificates
signerInfos = rfc2315.SignerInfos()
if len(self.sha1) > 0:
signerInfos[len(signerInfos)] = self.buildSignerInfo(
certificate, pykey.HASH_SHA1, self.sha1)
if len(self.sha256) > 0:
signerInfos[len(signerInfos)] = self.buildSignerInfo(
certificate, pykey.HASH_SHA256, self.sha256)
signedData['signerInfos'] = signerInfos
encoded = encoder.encode(signedData)
anyTag = univ.Any(encoded).subtype(explicitTag=tag.Tag(
tag.tagClassContext, tag.tagFormatConstructed, 0))
contentInfo['content'] = anyTag
return encoder.encode(contentInfo)
def _create_pkcs7(cert, csr, private_key):
"""Creates the PKCS7 structure and signs it"""
content_info = rfc2315.ContentInfo()
content_info.setComponentByName('contentType', rfc2315.data)
content_info.setComponentByName('content',
encoder.encode(rfc2315.Data(csr)))
issuer_and_serial = rfc2315.IssuerAndSerialNumber()
issuer_and_serial.setComponentByName('issuer',
cert[0]['tbsCertificate']['issuer'])
issuer_and_serial.setComponentByName(
'serialNumber', cert[0]['tbsCertificate']['serialNumber'])
raw_signature, _ = _sign(private_key, csr)
signature = rfc2314.univ.OctetString(
hexValue=binascii.hexlify(raw_signature).decode('ascii'))
# Microsoft adds parameters with ASN.1 NULL encoding here,
# but according to rfc5754 they should be absent:
# "Implementations MUST generate SHA2 AlgorithmIdentifiers with absent parameters."
sha2 = rfc2315.AlgorithmIdentifier()
sha2.setComponentByName('algorithm', (2, 16, 840, 1, 101, 3, 4, 2, 1))
alg_from_cert = cert[0]['tbsCertificate']['subjectPublicKeyInfo'][
'algorithm']['algorithm']
digest_encryption_algorithm = rfc2315.AlgorithmIdentifier()
digest_encryption_algorithm.setComponentByName('algorithm', alg_from_cert)
digest_encryption_algorithm.setComponentByName('parameters', '\x05\x00')
signer_info = rfc2315.SignerInfo()
signer_info.setComponentByName('version', 1)
signer_info.setComponentByName('issuerAndSerialNumber', issuer_and_serial)
signer_info.setComponentByName('digestAlgorithm', sha2)
signer_info.setComponentByName('digestEncryptionAlgorithm',
digest_encryption_algorithm)
signer_info.setComponentByName('encryptedDigest', signature)
signer_infos = rfc2315.SignerInfos().setComponents(signer_info)
digest_algorithms = rfc2315.DigestAlgorithmIdentifiers().setComponents(
sha2)
extended_cert_or_cert = rfc2315.ExtendedCertificateOrCertificate()
extended_cert_or_cert.setComponentByName('certificate', cert[0])
extended_certs_and_cert = rfc2315.ExtendedCertificatesAndCertificates(
).subtype(implicitTag=rfc2315.tag.Tag(rfc2315.tag.tagClassContext,
rfc2315.tag.tagFormatConstructed, 0))
extended_certs_and_cert.setComponents(extended_cert_or_cert)
signed_data = rfc2315.SignedData()
signed_data.setComponentByName('version', 1)
signed_data.setComponentByName('digestAlgorithms', digest_algorithms)
signed_data.setComponentByName('contentInfo', content_info)
signed_data.setComponentByName('certificates', extended_certs_and_cert)
signed_data.setComponentByName('signerInfos', signer_infos)
outer_content_info = rfc2315.ContentInfo()
outer_content_info.setComponentByName('contentType', rfc2315.signedData)
outer_content_info.setComponentByName('content',
encoder.encode(signed_data))
return encoder.encode(outer_content_info)