def _makeSignatureByCertificate(self, certificateName, digestAlgorithm):
"""
Return a new Signature object based on the signature algorithm of the
public key with keyName (derived from certificateName).
:param Name certificateName: The full certificate name.
:param Array digestAlgorithm: Set digestAlgorithm[0] to the signature
algorithm's digest algorithm, e.g. DigestAlgorithm.SHA256 .
:return: The related public key name.
:rtype: Signature
"""
keyName = IdentityCertificate.certificateNameToPublicKeyName(
certificateName)
publicKey = self._privateKeyStorage.getPublicKey(keyName)
keyType = publicKey.getKeyType()
if keyType == KeyType.RSA:
signature = Sha256WithRsaSignature()
digestAlgorithm[0] = DigestAlgorithm.SHA256
signature.getKeyLocator().setType(KeyLocatorType.KEYNAME)
signature.getKeyLocator().setKeyName(certificateName.getPrefix(-1))
return signature
elif keyType == KeyType.ECDSA:
signature = Sha256WithEcdsaSignature()
digestAlgorithm[0] = DigestAlgorithm.SHA256
signature.getKeyLocator().setType(KeyLocatorType.KEYNAME)
signature.getKeyLocator().setKeyName(certificateName.getPrefix(-1))
return signature
else:
raise SecurityException("Key type is not recognized")
def _makeSelfSignedCertificate(keyName, privateKeyBag, publicKeyEncoding,
password, digestAlgorithm, wireFormat):
certificate = CertificateV2()
# Set the name.
now = Common.getNowMilliseconds()
certificateName = Name(keyName)
certificateName.append("self").appendVersion(int(now))
certificate.setName(certificateName)
# Set the MetaInfo.
certificate.getMetaInfo().setType(ContentType.KEY)
# Set a one-hour freshness period.
certificate.getMetaInfo().setFreshnessPeriod(3600 * 1000.0)
# Set the content.
publicKey = PublicKey(publicKeyEncoding)
certificate.setContent(publicKey.getKeyDer())
# Create a temporary in-memory Tpm and import the private key.
tpm = Tpm("", "", TpmBackEndMemory())
tpm._importPrivateKey(keyName, privateKeyBag.toBytes(), password)
# Set the signature info.
if publicKey.getKeyType() == KeyType.RSA:
certificate.setSignature(Sha256WithRsaSignature())
elif publicKey.getKeyType() == KeyType.EC:
certificate.setSignature(Sha256WithEcdsaSignature())
else:
raise ValueError("Unsupported key type")
signatureInfo = certificate.getSignature()
KeyLocator.getFromSignature(signatureInfo).setType(
KeyLocatorType.KEYNAME)
KeyLocator.getFromSignature(signatureInfo).setKeyName(keyName)
# Set a 20-year validity period.
ValidityPeriod.getFromSignature(signatureInfo).setPeriod(
now, now + 20 * 365 * 24 * 3600 * 1000.0)
# Encode once to get the signed portion.
encoding = certificate.wireEncode(wireFormat)
signatureBytes = tpm.sign(encoding.toSignedBytes(), keyName,
digestAlgorithm)
signatureInfo.setSignature(signatureBytes)
# Encode again to include the signature.
certificate.wireEncode(wireFormat)
return certificate