def cert_auth_key_id_offset_length(cert):
cert_der = encoder.encode(cert)
cert_mod = decoder.decode(cert_der, asn1Spec=rfc2459.Certificate())[0]
for ext in cert_mod['tbsCertificate']['extensions']:
if ext['extnID'] == rfc2459.id_ce_authorityKeyIdentifier:
extn_value = decoder.decode(ext['extnValue'])[0]
auth_key_id = decoder.decode(extn_value, asn1Spec=rfc2459.AuthorityKeyIdentifier())[0]
key_id = bytearray(auth_key_id['keyIdentifier'])
key_id[0] ^= 0xFF # Change first byte
auth_key_id['keyIdentifier'] = auth_key_id['keyIdentifier'].clone(value=key_id)
ext['extnValue'] = univ.OctetString(encoder.encode(auth_key_id))
return {'offset':diff_offset(cert_der, encoder.encode(cert_mod)), 'length':len(key_id)}
return None
def addAuthorityKeyId(self, akiTypes, critical):
types = [st.strip() for st in akiTypes.split(',')]
noneSpecified = 0 == len(akiTypes.strip())
if critical:
raise UnknownAuthorityKeyIdError(critical)
hasher = hashlib.sha1()
hasher.update(self.issuerKey.toDER())
akiKi = rfc2459.KeyIdentifier().subtype(implicitTag=tag.Tag(
tag.tagClassContext, tag.tagFormatSimple, 0),
value=hasher.digest())
aki = rfc2459.AuthorityKeyIdentifier()
# If the issuerSerialNumber is set, we can add AKI data for Issuer principal and the issuer serial number
if None != self.issuerSerialNumber:
issuerName = rfc2459.GeneralNames().subtype(implicitTag=tag.Tag(
tag.tagClassContext, tag.tagFormatSimple, 1))
generalName = stringToDN(
self.issuer,
tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4))
issuerName.setComponentByPosition(0, generalName)
csn = rfc2459.CertificateSerialNumber().subtype(
implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple,
2),
value=decoder.decode(self.issuerSerialNumber)[0])
if noneSpecified or 'ki' in types:
aki.setComponentByPosition(0, akiKi)
if noneSpecified or 'issuer' in types:
aki.setComponentByPosition(1, issuerName)
if noneSpecified or 'serialNumber' in types:
aki.setComponentByPosition(2, csn)
else:
if noneSpecified or 'ki' in types:
aki.setComponentByPosition(0, akiKi)
self.addExtension(rfc2459.id_ce_authorityKeyIdentifier, aki, critical)
def _build_extensionsForTbs(
extensionsfromcsr,
akipubkeybitstring=None,
skipubkeybitstring=None,
nsURL="https://www.github.com/MiwCryptoCurrency/UTXOC"):
count = 0
exts = rfc2459.Extensions().subtype(
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))
retval = rfc2459.Extensions()
## BASIC CONSTRAINTS
## we like basic constraints at the top. this is how openssl produces it
bc_ext = _find_basic_contraints(extensionsfromcsr)
if (bc_ext):
ext = _build_extensionFromAttributeExtension(bc_ext)
exts.setComponentByPosition(count, ext)
count += 1
## SKI
if skipubkeybitstring:
## tricky - SKI is a hash (keyid).
## rfc 5280 says use SHA1 of the raw bytes of the pubkey, dont encode as asn1 DER (ie: OctetString())
## SKI is stored in an encoded OctetString()
skider = bytearray(utility.bitStringtoOctetString(skipubkeybitstring))
#skihashfunction = SHA.new(skider)
skihashfunction = SHA256.new(skider)
skidgst = skihashfunction.digest()
extval = univ.OctetString(skidgst)
encapsulated = univ.OctetString(encoder.encode(extval))
extoid = utility.OID_subjectKeyIdentifier
ext = rfc2314.Extension()
ext.setComponentByName('extnID', extoid)
ext.setComponentByName('extnValue', encapsulated)
exts.setComponentByPosition(count, ext)
count += 1
## AKI
if akipubkeybitstring:
## tricky - AKI can be a DN or a keyid. Use KeyID
## rfc 5280 says use SHA1 of the raw bytes of the pubkey, dont encode as asn1 DER (ie: OctetString())
## AKI is stored in a SEQ
akider = bytearray(utility.bitStringtoOctetString(akipubkeybitstring))
#akihashfunction = SHA.new(akider)
akihashfunction = SHA256.new(akider)
akidgst = akihashfunction.digest()
extval = rfc2459.AuthorityKeyIdentifier()
extval.setComponentByPosition(0, akidgst)
encapsulated = univ.OctetString(encoder.encode(extval))
extoid = utility.OID_authorityKeyIdentifier
ext = rfc2314.Extension()
ext.setComponentByName('extnID', extoid)
ext.setComponentByName('extnValue', encapsulated)
exts.setComponentByPosition(count, ext)
count += 1
## put a few more in, so it looks all proper-like
## KEY USAGE
## a bitstring of:
## (1,1,1,1,1,1,1,1)= flags:
## Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement,
## Certificate Sign, CRL Sign, Encipher Only
## (1,1,1,0,0,1,1) = Digital Signature, Non Repudiation, Key Encipherment, Certificate Sign, CRL Sign
ku_bitstring = (1, 1, 1, 0, 0, 1, 1)
ext_ku = _build_key_usage(ku_bitstring)
## EXTENDED (or ENHANCED) KEY USAGE
## Sequence of OIDs encoded as an OctetString
req_ekus = (utility.OID_eku_serverAuth, utility.OID_eku_clientAuth,
utility.OID_eku_codeSigning,
utility.OID_eku_individualCodeSigning,
utility.OID_eku_certTrustListSigning,
utility.OID_eku_serverGatedCrypto,
utility.OID_eku_encryptedFileSystem,
utility.OID_eku_serverGatedCrypto)
ext_eku = _build_extended_key_usage(req_ekus)
ext_nsurl = _build_extension_netscapeURL(nsURL)
if (ext_ku):
exts.setComponentByPosition(count, ext_ku)
count += 1
if (ext_eku):
exts.setComponentByPosition(count, ext_eku)
count += 1
if (ext_nsurl):
exts.setComponentByPosition(count, ext_nsurl)
count += 1
## cycle through the rest of the requested extensions
## copy them as is, ignoring BC which we grabbed earlier
## also skip the supplied ku and eku and subst our own
for extension in extensionsfromcsr:
extoid = extension[0]
if (extoid == utility.OID_basicConstraints):
continue
if (extoid == utility.OID_eku):
continue
if (extoid == utility.OID_ku):
continue
if (extoid == utility.OID_san):
if not _validate_san(extension):
raise SANValidationException(
"Invalid SAN: does not contain valid address or UTXO")
ext = _build_extensionFromAttributeExtension(extension)
exts.setComponentByPosition(count, ext)
count += 1
return exts