def sign_authpack_native(data, privkey, certificate, wrap_signed=False):
"""
Creating PKCS7 blob which contains the following things:
1. 'data' blob which is an ASN1 encoded "AuthPack" structure
2. the certificate used to sign the data blob
3. the singed 'signed_attrs' structure (ASN1) which points to the "data" structure (in point 1)
"""
da = {'algorithm': algos.DigestAlgorithmId('1.3.14.3.2.26')}
si = {}
si['version'] = 'v1'
si['sid'] = cms.IssuerAndSerialNumber({
'issuer':
certificate.issuer,
'serial_number':
certificate.serial_number,
})
si['digest_algorithm'] = algos.DigestAlgorithm(da)
si['signed_attrs'] = [
cms.CMSAttribute({
'type': 'content_type',
'values': ['1.3.6.1.5.2.3.1']
}),
# indicates that the encap_content_info's authdata struct (marked with OID '1.3.6.1.5.2.3.1' is signed )
cms.CMSAttribute({
'type': 'message_digest',
'values': [hashlib.sha1(data).digest()]
}),
### hash of the data, the data itself will not be signed, but this block of data will be.
]
si['signature_algorithm'] = algos.SignedDigestAlgorithm(
{'algorithm': '1.2.840.113549.1.1.1'})
si['signature'] = rsa_pkcs1v15_sign(
privkey,
cms.CMSAttributes(si['signed_attrs']).dump(), "sha1")
ec = {}
ec['content_type'] = '1.3.6.1.5.2.3.1'
ec['content'] = data
sd = {}
sd['version'] = 'v3'
sd['digest_algorithms'] = [algos.DigestAlgorithm(da)] # must have only one
sd['encap_content_info'] = cms.EncapsulatedContentInfo(ec)
sd['certificates'] = [certificate]
sd['signer_infos'] = cms.SignerInfos([cms.SignerInfo(si)])
if wrap_signed is True:
ci = {}
ci['content_type'] = '1.2.840.113549.1.7.2' # signed data OID
ci['content'] = cms.SignedData(sd)
return cms.ContentInfo(ci).dump()
return cms.SignedData(sd).dump()
def sign_message(data_to_sign,
digest_alg,
sign_key,
use_signed_attributes=True):
"""Function signs the data and returns the generated ASN.1
:param data_to_sign: A byte string of the data to be signed.
:param digest_alg:
The digest algorithm to be used for generating the signature.
:param sign_key: The key to be used for generating the signature.
:param use_signed_attributes: Optional attribute to indicate weather the
CMS signature attributes should be included in the signature or not.
:return: A CMS ASN.1 byte string of the signed data.
"""
if use_signed_attributes:
digest_func = hashlib.new(digest_alg)
digest_func.update(data_to_sign)
message_digest = digest_func.digest()
class SmimeCapability(core.Sequence):
_fields = [('0', core.Any, {
'optional': True
}), ('1', core.Any, {
'optional': True
}), ('2', core.Any, {
'optional': True
}), ('3', core.Any, {
'optional': True
}), ('4', core.Any, {
'optional': True
})]
class SmimeCapabilities(core.Sequence):
_fields = [
('0', SmimeCapability),
('1', SmimeCapability, {
'optional': True
}),
('2', SmimeCapability, {
'optional': True
}),
('3', SmimeCapability, {
'optional': True
}),
('4', SmimeCapability, {
'optional': True
}),
('5', SmimeCapability, {
'optional': True
}),
]
smime_cap = OrderedDict([
('0',
OrderedDict([('0', core.ObjectIdentifier('1.2.840.113549.3.7'))
])),
('1',
OrderedDict([('0', core.ObjectIdentifier('1.2.840.113549.3.2')),
('1', core.Integer(128))])),
('2',
OrderedDict([('0', core.ObjectIdentifier('1.2.840.113549.3.4')),
('1', core.Integer(128))])),
])
signed_attributes = cms.CMSAttributes([
cms.CMSAttribute({
'type':
cms.CMSAttributeType('content_type'),
'values':
cms.SetOfContentType([cms.ContentType('data')])
}),
cms.CMSAttribute({
'type':
cms.CMSAttributeType('signing_time'),
'values':
cms.SetOfTime(
[cms.Time({'utc_time': core.UTCTime(datetime.now())})])
}),
cms.CMSAttribute({
'type':
cms.CMSAttributeType('message_digest'),
'values':
cms.SetOfOctetString([core.OctetString(message_digest)])
}),
cms.CMSAttribute({
'type':
cms.CMSAttributeType('1.2.840.113549.1.9.15'),
'values':
cms.SetOfAny([core.Any(SmimeCapabilities(smime_cap))])
}),
])
signature = asymmetric.rsa_pkcs1v15_sign(sign_key[0],
signed_attributes.dump(),
digest_alg)
else:
signed_attributes = None
signature = asymmetric.rsa_pkcs1v15_sign(sign_key[0], data_to_sign,
digest_alg)
return cms.ContentInfo({
'content_type':
cms.ContentType('signed_data'),
'content':
cms.SignedData({
'version':
cms.CMSVersion('v1'),
'digest_algorithms':
cms.DigestAlgorithms([
algos.DigestAlgorithm(
{'algorithm': algos.DigestAlgorithmId(digest_alg)})
]),
'encap_content_info':
cms.ContentInfo({'content_type': cms.ContentType('data')}),
'certificates':
cms.CertificateSet(
[cms.CertificateChoices({'certificate': sign_key[1].asn1})]),
'signer_infos':
cms.SignerInfos([
cms.SignerInfo({
'version':
cms.CMSVersion('v1'),
'sid':
cms.SignerIdentifier({
'issuer_and_serial_number':
cms.IssuerAndSerialNumber({
'issuer':
sign_key[1].asn1['tbs_certificate']['issuer'],
'serial_number':
sign_key[1].asn1['tbs_certificate']
['serial_number']
})
}),
'digest_algorithm':
algos.DigestAlgorithm(
{'algorithm': algos.DigestAlgorithmId(digest_alg)}),
'signed_attrs':
signed_attributes,
'signature_algorithm':
algos.SignedDigestAlgorithm({
'algorithm':
algos.SignedDigestAlgorithmId('rsassa_pkcs1v15')
}),
'signature':
core.OctetString(signature)
})
])
})
}).dump()
def sign_message(
data_to_sign,
digest_alg,
sign_key,
sign_alg="rsassa_pkcs1v15",
use_signed_attributes=True,
):
"""Function signs the data and returns the generated ASN.1
:param data_to_sign: A byte string of the data to be signed.
:param digest_alg: The digest algorithm to be used for generating the signature.
:param sign_key: The key to be used for generating the signature.
:param sign_alg: The algorithm to be used for signing the message.
:param use_signed_attributes: Optional attribute to indicate weather the
CMS signature attributes should be included in the signature or not.
:return: A CMS ASN.1 byte string of the signed data.
"""
if use_signed_attributes:
digest_func = hashlib.new(digest_alg)
digest_func.update(data_to_sign)
message_digest = digest_func.digest()
class SmimeCapability(core.Sequence):
_fields = [
("0", core.Any, {
"optional": True
}),
("1", core.Any, {
"optional": True
}),
("2", core.Any, {
"optional": True
}),
("3", core.Any, {
"optional": True
}),
("4", core.Any, {
"optional": True
}),
]
class SmimeCapabilities(core.Sequence):
_fields = [
("0", SmimeCapability),
("1", SmimeCapability, {
"optional": True
}),
("2", SmimeCapability, {
"optional": True
}),
("3", SmimeCapability, {
"optional": True
}),
("4", SmimeCapability, {
"optional": True
}),
("5", SmimeCapability, {
"optional": True
}),
]
smime_cap = OrderedDict([
(
"0",
OrderedDict([
("0", core.ObjectIdentifier("2.16.840.1.101.3.4.1.42"))
]),
),
(
"1",
OrderedDict([
("0", core.ObjectIdentifier("2.16.840.1.101.3.4.1.2"))
]),
),
(
"2",
OrderedDict([("0", core.ObjectIdentifier("1.2.840.113549.3.7"))
]),
),
(
"3",
OrderedDict([
("0", core.ObjectIdentifier("1.2.840.113549.3.2")),
("1", core.Integer(128)),
]),
),
(
"4",
OrderedDict([
("0", core.ObjectIdentifier("1.2.840.113549.3.4")),
("1", core.Integer(128)),
]),
),
])
signed_attributes = cms.CMSAttributes([
cms.CMSAttribute({
"type":
cms.CMSAttributeType("content_type"),
"values":
cms.SetOfContentType([cms.ContentType("data")]),
}),
cms.CMSAttribute({
"type":
cms.CMSAttributeType("signing_time"),
"values":
cms.SetOfTime([
cms.Time({
"utc_time":
core.UTCTime(
datetime.utcnow().replace(tzinfo=timezone.utc))
})
]),
}),
cms.CMSAttribute({
"type":
cms.CMSAttributeType("message_digest"),
"values":
cms.SetOfOctetString([core.OctetString(message_digest)]),
}),
cms.CMSAttribute({
"type":
cms.CMSAttributeType("1.2.840.113549.1.9.15"),
"values":
cms.SetOfAny([core.Any(SmimeCapabilities(smime_cap))]),
}),
])
else:
signed_attributes = None
# Generate the signature
data_to_sign = signed_attributes.dump(
) if signed_attributes else data_to_sign
if sign_alg == "rsassa_pkcs1v15":
signature = asymmetric.rsa_pkcs1v15_sign(sign_key[0], data_to_sign,
digest_alg)
elif sign_alg == "rsassa_pss":
signature = asymmetric.rsa_pss_sign(sign_key[0], data_to_sign,
digest_alg)
else:
raise AS2Exception("Unsupported Signature Algorithm")
return cms.ContentInfo({
"content_type":
cms.ContentType("signed_data"),
"content":
cms.SignedData({
"version":
cms.CMSVersion("v1"),
"digest_algorithms":
cms.DigestAlgorithms([
algos.DigestAlgorithm(
{"algorithm": algos.DigestAlgorithmId(digest_alg)})
]),
"encap_content_info":
cms.ContentInfo({"content_type": cms.ContentType("data")}),
"certificates":
cms.CertificateSet(
[cms.CertificateChoices({"certificate": sign_key[1].asn1})]),
"signer_infos":
cms.SignerInfos([
cms.SignerInfo({
"version":
cms.CMSVersion("v1"),
"sid":
cms.SignerIdentifier({
"issuer_and_serial_number":
cms.IssuerAndSerialNumber({
"issuer":
sign_key[1].asn1["tbs_certificate"]["issuer"],
"serial_number":
sign_key[1].asn1["tbs_certificate"]
["serial_number"],
})
}),
"digest_algorithm":
algos.DigestAlgorithm(
{"algorithm": algos.DigestAlgorithmId(digest_alg)}),
"signed_attrs":
signed_attributes,
"signature_algorithm":
algos.SignedDigestAlgorithm(
{"algorithm":
algos.SignedDigestAlgorithmId(sign_alg)}),
"signature":
core.OctetString(signature),
})
]),
}),
}).dump()
