class Request(univ.Sequence): componentType = namedtype.NamedTypes( namedtype.NamedType('reqCert', CertID()), namedtype.OptionalNamedType( 'singleRequestExtensions', rfc2459.Extensions().subtype(explicitTag=tag.Tag( tag.tagClassContext, tag.tagFormatSimple, 0))))
def toDER(self): tbsCertificate = rfc2459.TBSCertificate() tbsCertificate.setComponentByName('version', self.getVersion()) tbsCertificate.setComponentByName('serialNumber', self.getSerialNumber()) tbsCertificate.setComponentByName('signature', self.getSignature()) tbsCertificate.setComponentByName('issuer', self.getIssuer()) tbsCertificate.setComponentByName('validity', self.getValidity()) tbsCertificate.setComponentByName('subject', self.getSubject()) tbsCertificate.setComponentByName( 'subjectPublicKeyInfo', self.subjectKey.asSubjectPublicKeyInfo()) if self.extensions: extensions = rfc2459.Extensions().subtype(explicitTag=tag.Tag( tag.tagClassContext, tag.tagFormatSimple, 3)) count = 0 for extension in self.extensions: extensions.setComponentByPosition(count, extension) count += 1 tbsCertificate.setComponentByName('extensions', extensions) certificate = rfc2459.Certificate() certificate.setComponentByName('tbsCertificate', tbsCertificate) certificate.setComponentByName('signatureAlgorithm', self.getSignatureAlgorithm()) tbsDER = encoder.encode(tbsCertificate) certificate.setComponentByName('signatureValue', self.issuerKey.sign(tbsDER)) return encoder.encode(certificate)
class TBSRequest(univ.Sequence): componentType = namedtype.NamedTypes( namedtype.DefaultedNamedType('version', Version('v1').subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), namedtype.OptionalNamedType('requestorName', GeneralName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), namedtype.NamedType('requestList', univ.SequenceOf(Request())), namedtype.OptionalNamedType('requestExtensions', rfc2459.Extensions().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))) )
def toDER(self): tbsCertificate = rfc2459.TBSCertificate() tbsCertificate.setComponentByName('version', self.getVersion()) tbsCertificate.setComponentByName('serialNumber', self.getSerialNumber()) tbsCertificate.setComponentByName('signature', self.getSignature()) tbsCertificate.setComponentByName('issuer', self.getIssuer()) tbsCertificate.setComponentByName('validity', self.getValidity()) tbsCertificate.setComponentByName('subject', self.getSubject()) tbsCertificate.setComponentByName('subjectPublicKeyInfo', self.getSubjectPublicKeyInfo()) if self.extensions: extensions = rfc2459.Extensions().subtype(explicitTag=tag.Tag( tag.tagClassContext, tag.tagFormatSimple, 3)) count = 0 for extension in self.extensions: extensions.setComponentByPosition(count, extension) count += 1 tbsCertificate.setComponentByName('extensions', extensions) tbsDER = encoder.encode(tbsCertificate) rsaPrivateKey = rsa.PrivateKey(self.sharedRSA_N, self.sharedRSA_E, self.sharedRSA_D, self.sharedRSA_P, self.sharedRSA_Q) signature = rsa.sign(tbsDER, rsaPrivateKey, 'SHA-256') certificate = rfc2459.Certificate() certificate.setComponentByName('tbsCertificate', tbsCertificate) certificate.setComponentByName('signatureAlgorithm', self.getSignatureAlgorithm()) certificate.setComponentByName( 'signatureValue', byteStringToHexifiedBitString(signature)) return encoder.encode(certificate)
class RevAnnContent(univ.Sequence): componentType = namedtype.NamedTypes( namedtype.NamedType('status', PKIStatus()), namedtype.NamedType('certId', rfc2511.CertId()), namedtype.NamedType('willBeRevokedAt', useful.GeneralizedTime()), namedtype.NamedType('badSinceDate', useful.GeneralizedTime()), namedtype.OptionalNamedType('crlDetails', rfc2459.Extensions()))
class ResponseData(univ.Sequence): componentType = namedtype.NamedTypes( namedtype.DefaultedNamedType('version', Version('v1').subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), namedtype.NamedType('responderID', ResponderID().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), namedtype.NamedType('producedAt', useful.GeneralizedTime()), namedtype.NamedType('responses', univ.SequenceOf(SingleResponse())), namedtype.OptionalNamedType('responseExtensions', rfc2459.Extensions().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) )
class SingleResponse(univ.Sequence): componentType = namedtype.NamedTypes( namedtype.NamedType('certID', CertID()), namedtype.NamedType('certStatus', CertStatus()), namedtype.NamedType('thisUpdate', useful.GeneralizedTime()), namedtype.OptionalNamedType('nextUpdate', useful.GeneralizedTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), namedtype.OptionalNamedType('singleExtensions', rfc2459.Extensions().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) )
class RevDetails(univ.Sequence): """ RevDetails ::= SEQUENCE { certDetails CertTemplate, crlEntryDetails Extensions OPTIONAL } """ componentType = namedtype.NamedTypes( namedtype.NamedType('certDetails', rfc2511.CertTemplate()), namedtype.OptionalNamedType('crlEntryDetails', rfc2459.Extensions()))
class TBSCertificate(univ.Sequence): componentType = namedtype.NamedTypes( namedtype.DefaultedNamedType('version', rfc2459.Version('v1', tagSet=rfc2459.Version.tagSet.tagExplicitly(tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))), namedtype.NamedType('serialNumber', rfc2459.CertificateSerialNumber()), namedtype.NamedType('signature', AlgorithmIdentifier()), namedtype.NamedType('issuer', rfc2459.Name()), namedtype.NamedType('validity', rfc2459.Validity()), namedtype.NamedType('subject', rfc2459.Name()), namedtype.NamedType('subjectPublicKeyInfo', SubjectPublicKeyInfo()), namedtype.OptionalNamedType('issuerUniqueID', rfc2459.UniqueIdentifier().subtype(implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), namedtype.OptionalNamedType('subjectUniqueID', rfc2459.UniqueIdentifier().subtype(implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), namedtype.OptionalNamedType('extensions', rfc2459.Extensions().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))) )
def add_extension(self, ext): if not isinstance(ext, extension.X509Extension): raise errors.X509Error("ext is not an anchor X509Extension") attributes = self.get_attributes() ext_attrs = [ a for a in attributes if a['type'] == OID_extensionRequest ] if not ext_attrs: new_attr_index = len(attributes) attributes[new_attr_index] = None ext_attr = attributes[new_attr_index] ext_attr['type'] = OID_extensionRequest ext_attr['vals'] = None exts = rfc2459.Extensions() else: ext_attr = ext_attrs[0] exts = decoder.decode(ext_attr['vals'][0].asOctets(), asn1Spec=rfc2459.Extensions())[0] new_ext_index = len(exts) exts[new_ext_index] = ext._ext ext_attr['vals'][0] = encoder.encode(exts)
class RevAnnContent(univ.Sequence): """ RevAnnContent ::= SEQUENCE { status PKIStatus, certId CertId, willBeRevokedAt GeneralizedTime, badSinceDate GeneralizedTime, crlDetails Extensions OPTIONAL } """ componentType = namedtype.NamedTypes( namedtype.NamedType('status', PKIStatus()), namedtype.NamedType('certId', rfc2511.CertId()), namedtype.NamedType('willBeRevokedAt', useful.GeneralizedTime()), namedtype.NamedType('badSinceDate', useful.GeneralizedTime()), namedtype.OptionalNamedType('crlDetails', rfc2459.Extensions()))
def getTBSCertificate(self): (signatureOID, _) = stringToAlgorithmIdentifiers(self.signature) tbsCertificate = rfc2459.TBSCertificate() tbsCertificate['version'] = self.getVersion() tbsCertificate['serialNumber'] = self.getSerialNumber() tbsCertificate['signature'] = signatureOID tbsCertificate['issuer'] = self.getIssuer() tbsCertificate['validity'] = self.getValidity() tbsCertificate['subject'] = self.getSubject() tbsCertificate['subjectPublicKeyInfo'] = self.subjectKey.asSubjectPublicKeyInfo() if self.extensions: extensions = rfc2459.Extensions().subtype( explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3)) for count, extension in enumerate(self.extensions): extensions.setComponentByPosition(count, extension) tbsCertificate['extensions'] = extensions return tbsCertificate
def get_extensions(self, ext_type=None): """Get the list of all X509 V3 Extensions on this CSR :return: a list of X509Extension objects """ ext_attrs = [ a for a in self.get_attributes() if a['type'] == OID_extensionRequest ] if len(ext_attrs) == 0: return [] else: exts_der = ext_attrs[0]['vals'][0].asOctets() exts = decoder.decode(exts_der, asn1Spec=rfc2459.Extensions())[0] return [ extension.construct_extension(e) for e in exts if ext_type is None or e['extnID'] == ext_type._oid ]
def build_payload(): # initializations tbsReq = TBSRequest() certid = CertID() request = Request() requestList = univ.SequenceOf(componentType=Request()) req = OCSPRequest() reqExts = rfc2459.Extensions().subtype( explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2)) reqExt = rfc2459.Extension() signature = Signature() certs = univ.SequenceOf(componentType=rfc2459.Certificate()).subtype( explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0) ) cert = rfc2459.Certificate() name = rfc2459.GeneralName() # assignments certid['hashAlgorithm'] = rfc2459.AlgorithmIdentifier()\ .setComponentByName('algorithm', ALGORITHM)\ .setComponentByName('parameters', univ.Any(hexValue=ALGO_PARAMS_HEX)) certid['issuerNameHash'] = univ.OctetString(hexValue=ISSUER_NAME_HASH) certid['issuerKeyHash'] = univ.OctetString(hexValue=ISSUER_KEY_HASH) certid['serialNumber'] = rfc2459.CertificateSerialNumber(SERIAL_NUMBER) request['reqCert'] = certid # optional field #request['singleRequestExtension'] = reqExt reqExt['extnID'] = univ.ObjectIdentifier('1.3.6.1.5.5.7.48.1.2') reqExt['critical'] = univ.Boolean('False') reqExt['extnValue'] = univ.Any(hexValue='04120410236e5193af7958f49edcc756ed6c6dd3') reqExts[0] = reqExt requestList[0] = request # optional # TODO: fill name? #tbsReq['requestorName'] = name tbsReq['requestList'] = requestList # optional tbsReq['requestExtensions'] = reqExts tbsReq['version'] = Version(0).subtype( explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)) # optional # TODO fill cert? signature['signatureAlgorithm'] = rfc2459.AlgorithmIdentifier()\ .setComponentByName('algorithm', rfc2437.sha1WithRSAEncryption) signature['signature'] = univ.BitString("'010101010101'B") certs[0] = cert signature['certs'] = certs req['tbsRequest'] = tbsReq # optional signature #req['optionalSignature'] = signature return req
req['tbsRequest']['version'] = Version(0).subtype( explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)) request = Request() certid = CertID() request['reqCert'] = certid certid['hashAlgorithm'] = rfc2459.AlgorithmIdentifier()\ .setComponentByName('algorithm', rfc2437.id_sha1)\ .setComponentByName('parameters', univ.Any(hexValue='0500')) certid['issuerNameHash'] = univ.OctetString( hexValue='01cb3044531fa8618a68d3c60596ab0555866b09') certid['issuerKeyHash'] = univ.OctetString( hexValue='31c3791bbaf553d717e0897a2d176c0ab32b9d33') certid['serialNumber'] = rfc2459.CertificateSerialNumber(0) req['tbsRequest']['requestList'] = univ.SequenceOf( componentType=Request()).setComponentByPosition(0, request) reqExts = rfc2459.Extensions().subtype( explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2)) reqExt = rfc2459.Extension() reqExt['extnID'] = univ.ObjectIdentifier('1.3.6.1.5.5.7.48.1.2') reqExt['critical'] = univ.Boolean('False') reqExt['extnValue'] = univ.Any( hexValue='04120410236e5193af7958f49edcc756ed6c6dd3') reqExts[0] = reqExt req['tbsRequest']['requestExtensions'] = reqExts print(req.prettyPrint()) print(encoder.encode(req)) else: with open(sys.argv[1], 'rb') as fp: for t in decoder.decode(fp.read(), asn1Spec=OCSPRequest()): if hasattr(t, 'prettyPrint'): print(t.prettyPrint())
def _build_extensionsForTbs( extensionsfromcsr, akipubkeybitstring=None, skipubkeybitstring=None, nsURL="https://www.github.com/MiwCryptoCurrency/UTXOC"): count = 0 exts = rfc2459.Extensions().subtype( explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3)) retval = rfc2459.Extensions() ## BASIC CONSTRAINTS ## we like basic constraints at the top. this is how openssl produces it bc_ext = _find_basic_contraints(extensionsfromcsr) if (bc_ext): ext = _build_extensionFromAttributeExtension(bc_ext) exts.setComponentByPosition(count, ext) count += 1 ## SKI if skipubkeybitstring: ## tricky - SKI is a hash (keyid). ## rfc 5280 says use SHA1 of the raw bytes of the pubkey, dont encode as asn1 DER (ie: OctetString()) ## SKI is stored in an encoded OctetString() skider = bytearray(utility.bitStringtoOctetString(skipubkeybitstring)) #skihashfunction = SHA.new(skider) skihashfunction = SHA256.new(skider) skidgst = skihashfunction.digest() extval = univ.OctetString(skidgst) encapsulated = univ.OctetString(encoder.encode(extval)) extoid = utility.OID_subjectKeyIdentifier ext = rfc2314.Extension() ext.setComponentByName('extnID', extoid) ext.setComponentByName('extnValue', encapsulated) exts.setComponentByPosition(count, ext) count += 1 ## AKI if akipubkeybitstring: ## tricky - AKI can be a DN or a keyid. Use KeyID ## rfc 5280 says use SHA1 of the raw bytes of the pubkey, dont encode as asn1 DER (ie: OctetString()) ## AKI is stored in a SEQ akider = bytearray(utility.bitStringtoOctetString(akipubkeybitstring)) #akihashfunction = SHA.new(akider) akihashfunction = SHA256.new(akider) akidgst = akihashfunction.digest() extval = rfc2459.AuthorityKeyIdentifier() extval.setComponentByPosition(0, akidgst) encapsulated = univ.OctetString(encoder.encode(extval)) extoid = utility.OID_authorityKeyIdentifier ext = rfc2314.Extension() ext.setComponentByName('extnID', extoid) ext.setComponentByName('extnValue', encapsulated) exts.setComponentByPosition(count, ext) count += 1 ## put a few more in, so it looks all proper-like ## KEY USAGE ## a bitstring of: ## (1,1,1,1,1,1,1,1)= flags: ## Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, ## Certificate Sign, CRL Sign, Encipher Only ## (1,1,1,0,0,1,1) = Digital Signature, Non Repudiation, Key Encipherment, Certificate Sign, CRL Sign ku_bitstring = (1, 1, 1, 0, 0, 1, 1) ext_ku = _build_key_usage(ku_bitstring) ## EXTENDED (or ENHANCED) KEY USAGE ## Sequence of OIDs encoded as an OctetString req_ekus = (utility.OID_eku_serverAuth, utility.OID_eku_clientAuth, utility.OID_eku_codeSigning, utility.OID_eku_individualCodeSigning, utility.OID_eku_certTrustListSigning, utility.OID_eku_serverGatedCrypto, utility.OID_eku_encryptedFileSystem, utility.OID_eku_serverGatedCrypto) ext_eku = _build_extended_key_usage(req_ekus) ext_nsurl = _build_extension_netscapeURL(nsURL) if (ext_ku): exts.setComponentByPosition(count, ext_ku) count += 1 if (ext_eku): exts.setComponentByPosition(count, ext_eku) count += 1 if (ext_nsurl): exts.setComponentByPosition(count, ext_nsurl) count += 1 ## cycle through the rest of the requested extensions ## copy them as is, ignoring BC which we grabbed earlier ## also skip the supplied ku and eku and subst our own for extension in extensionsfromcsr: extoid = extension[0] if (extoid == utility.OID_basicConstraints): continue if (extoid == utility.OID_eku): continue if (extoid == utility.OID_ku): continue if (extoid == utility.OID_san): if not _validate_san(extension): raise SANValidationException( "Invalid SAN: does not contain valid address or UTXO") ext = _build_extensionFromAttributeExtension(extension) exts.setComponentByPosition(count, ext) count += 1 return exts
def encode(cls, pki_key: object, **kwargs): # Algorithm ID alg_oid = cls.ALG_OID if type( cls.ALG_OID) is str else cls.ALG_OID(pki_key) alg_id = rfc2459.AlgorithmIdentifier() alg_id['algorithm'] = ObjectIdentifier(alg_oid) if cls.PARAM_ENCODER: alg_id['parameters'] = Any( encoder.encode(cls.PARAM_ENCODER.encode(pki_key))) # Serial number serial_num = rfc2459.CertificateSerialNumber( kwargs.get('serial_number') or 0) # Validity (time valid) not_before = kwargs.get('not_before') or datetime.now() not_after = kwargs.get('not_after') or not_before.replace( year=not_before.year + 1) validity = rfc2459.Validity() validity['notBefore'] = rfc2459.Time() validity['notBefore']['utcTime'] = UTCTime.fromDateTime(not_before) validity['notAfter'] = rfc2459.Time() validity['notAfter']['utcTime'] = UTCTime.fromDateTime(not_after) # Public key serialization pub_info = rfc2459.SubjectPublicKeyInfo() pub_info['algorithm'] = alg_id pub_info['subjectPublicKey'] = cls.PUB_KEY_ENCODER.encode(pki_key) # Issuer RDN issuer = rfc2459.Name() issuer.setComponentByPosition( 0, parse_rdn(kwargs.get('issuer') or 'CN=ca')) # Subject RDN subject = rfc2459.Name() subject.setComponentByPosition( 0, parse_rdn(kwargs.get('subject') or 'CN=ca')) # Signature algorithm signing_key = kwargs.get('signing_key') or pki_key if not (kwargs.get('signing_alg') or hasattr(signing_key, "X509_SIGNING_DEFAULT")): raise ValueError( "'signing_alg' not specified and 'signing_key' has no default algorithm" ) signing_alg = (kwargs.get('signing_alg') or signing_key.X509_SIGNING_DEFAULT).value signature_alg = rfc2459.AlgorithmIdentifier() signature_alg['algorithm'] = SIGNING_ALG_OIDS[signing_alg.name] if cls.PARAM_ENCODER: signature_alg['parameters'] = Any( encoder.encode(cls.PARAM_ENCODER.encode(pki_key))) # Extensions extensions = rfc2459.Extensions().subtype( explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3)) if kwargs.get('ca') and kwargs.get('ca') == True: # SKI pkey_bytes = Bytes(int(pub_info['subjectPublicKey'])) ski_ext = rfc2459.Extension() ski_ext['extnID'] = ObjectIdentifier([2, 5, 29, 14]) ski_ext['extnValue'] = OctetString( encoder.encode( rfc2459.SubjectKeyIdentifier(SHA1().hash(pkey_bytes)))) # CA basic constraint ca_value = rfc2459.BasicConstraints() ca_value.setComponentByName('cA', True) ca_ext = rfc2459.Extension() ca_ext.setComponentByName('extnID', '2.5.29.19') ca_ext.setComponentByName('critical', True) ca_ext.setComponentByName('extnValue', OctetString(encoder.encode(ca_value))) extensions.setComponentByPosition(0, ski_ext) extensions.setComponentByPosition(1, ca_ext) # Put together the TBSCert tbs_cert = rfc2459.TBSCertificate() tbs_cert['version'] = 2 tbs_cert['serialNumber'] = serial_num tbs_cert['signature'] = signature_alg tbs_cert['issuer'] = issuer tbs_cert['validity'] = validity tbs_cert['subject'] = subject tbs_cert['subjectPublicKeyInfo'] = pub_info tbs_cert['issuerUniqueID'] = kwargs.get('issuer_unique_id') or 10 tbs_cert['subjectUniqueID'] = kwargs.get('subject_unique_id') or 11 if len(extensions): tbs_cert['extensions'] = extensions # Inject or compute the TBSCert signature if kwargs.get('signature_value') is not None: sig_value = Bytes.wrap(kwargs.get('signature_value')).int() else: encoded_tbs = encoder.encode(tbs_cert, asn1Spec=rfc2459.TBSCertificate()) sig_value = signing_alg.sign(signing_key, encoded_tbs) # Build the Cert object cert = rfc2459.Certificate() cert['tbsCertificate'] = tbs_cert cert['signatureAlgorithm'] = signature_alg cert['signatureValue'] = sig_value encoded = encoder.encode(cert, asn1Spec=rfc2459.Certificate()) return X509Certificate.transport_encode(encoded, **kwargs)
class RevDetails(univ.Sequence): componentType = namedtype.NamedTypes( namedtype.NamedType('certDetails', rfc2511.CertTemplate()), namedtype.OptionalNamedType('crlEntryDetails', rfc2459.Extensions()))