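class PKIHeader(univ.Sequence):
    """CMP PKIHeader (RFC 4210).

    PKIHeader ::= SEQUENCE {
    pvno                INTEGER     { cmp1999(1), cmp2000(2) },
    sender              GeneralName,
    recipient           GeneralName,
    messageTime     [0] GeneralizedTime         OPTIONAL,
    protectionAlg   [1] AlgorithmIdentifier     OPTIONAL,
    senderKID       [2] KeyIdentifier           OPTIONAL,
    recipKID        [3] KeyIdentifier           OPTIONAL,
    transactionID   [4] OCTET STRING            OPTIONAL,
    senderNonce     [5] OCTET STRING            OPTIONAL,
    recipNonce      [6] OCTET STRING            OPTIONAL,
    freeText        [7] PKIFreeText             OPTIONAL,
    generalInfo     [8] SEQUENCE SIZE (1..MAX) OF
                     InfoTypeAndValue     OPTIONAL
    }

    The [8] tag and the SIZE (1..MAX) constraint of generalInfo belong to
    the SEQUENCE OF itself, not to each InfoTypeAndValue element, so they
    are applied to the ``univ.SequenceOf`` below rather than to its
    componentType. Tagging the elements instead would produce a header
    that does not match the RFC 4210 encoding.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('pvno', univ.Integer(
            namedValues=namedval.NamedValues(
                ('cmp1999', 1),
                ('cmp2000', 2)
            )
        )),
        namedtype.NamedType('sender', rfc2459.GeneralName()),
        namedtype.NamedType('recipient', rfc2459.GeneralName()),
        namedtype.OptionalNamedType('messageTime', useful.GeneralizedTime().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
        namedtype.OptionalNamedType('protectionAlg', rfc2459.AlgorithmIdentifier().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 1))),
        namedtype.OptionalNamedType('senderKID', rfc2459.KeyIdentifier().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))),
        namedtype.OptionalNamedType('recipKID', rfc2459.KeyIdentifier().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))),
        namedtype.OptionalNamedType('transactionID', univ.OctetString().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4))),
        namedtype.OptionalNamedType('senderNonce', univ.OctetString().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 5))),
        namedtype.OptionalNamedType('recipNonce', univ.OctetString().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 6))),
        namedtype.OptionalNamedType('freeText', PKIFreeText().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 7))),
        # Constraint and [8] tag go on the SEQUENCE OF, per the ASN.1 above.
        namedtype.OptionalNamedType('generalInfo',
                                    univ.SequenceOf(componentType=InfoTypeAndValue()).subtype(
                                        subtypeSpec=constraint.ValueSizeConstraint(1, MAX),
                                        explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 8)
                                    ))
    )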
 def addNameConstraints(self, constraints, critical):
     """Add a NameConstraints extension built from *constraints*.

     *constraints* has the form ``permitted:<name>[,<name>...]`` or
     ``excluded:<name>[,<name>...]``; a single call populates exactly one
     of the two subtree kinds. A name containing '/' is parsed as a
     directory name via stringToDN, anything else is used as a dNSName.

     Raises UnknownNameConstraintsSpecificationError when the string does
     not start with one of the two known prefixes.
     """
     if constraints.startswith('permitted:'):
         subtreesType, subtreesTag = 'permittedSubtrees', 0
     elif constraints.startswith('excluded:'):
         subtreesType, subtreesTag = 'excludedSubtrees', 1
     else:
         raise UnknownNameConstraintsSpecificationError(constraints)

     # permittedSubtrees / excludedSubtrees are IMPLICIT [0] / [1] inside
     # NameConstraints, so the tag is applied to the subtree list itself.
     generalSubtrees = rfc2459.GeneralSubtrees().subtype(
         implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed,
                             subtreesTag))

     # Everything after the first ':' is the comma-separated name list.
     nameList = constraints.partition(':')[2]
     for idx, entry in enumerate(nameList.split(',')):
         base = rfc2459.GeneralName()
         if '/' in entry:
             base['directoryName'] = stringToDN(
                 entry, tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4))
         else:
             base['dNSName'] = entry
         subtree = rfc2459.GeneralSubtree()
         subtree['base'] = base
         generalSubtrees.setComponentByPosition(idx, subtree)

     nameConstraints = rfc2459.NameConstraints()
     nameConstraints[subtreesType] = generalSubtrees
     self.addExtension(rfc2459.id_ce_nameConstraints, nameConstraints,
                       critical)
    def addSubjectAlternativeName(self, names, critical):
        """Add a SubjectAltName extension holding one GeneralName per entry.

        *names* is a comma-separated string. Each entry is classified by
        its shape: a '/' marks a directory name (parsed by stringToDN), an
        '@' an rfc822Name, the ``ip4:`` prefix an IPv4 iPAddress (packed to
        its four raw bytes with inet_pton), and anything else a dNSName.
        """
        ipv4Prefix = "ip4:"
        subjectAlternativeName = rfc2459.SubjectAltName()
        for idx, entry in enumerate(names.split(",")):
            generalName = rfc2459.GeneralName()
            if "/" in entry:
                generalName["directoryName"] = stringToDN(
                    entry, tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4)
                )
            elif "@" in entry:
                generalName["rfc822Name"] = entry
            elif entry.startswith(ipv4Prefix):
                # iPAddress carries the raw address octets, not the text form.
                packed = socket.inet_pton(socket.AF_INET, entry[len(ipv4Prefix):])
                generalName["iPAddress"] = packed
            else:
                # Backslash escapes written into the name (e.g. a backslash
                # followed by a zero) are decoded into the byte they denote
                # (here, a zero byte).
                generalName["dNSName"] = six.ensure_binary(entry).decode(
                    "unicode_escape"
                )
            subjectAlternativeName.setComponentByPosition(idx, generalName)
        self.addExtension(
            rfc2459.id_ce_subjectAltName, subjectAlternativeName, critical
        )
    def __init__(self, altnames):
        """Build a SubjectAltName extension from *altnames*.

        :altnames: a list of ``(type, value)`` pairs, where the value
            depends on the type:
                'otherName' : ('OID', 'byte string')
                'ediPartyName' : ('string', 'string') or 'string'
                'x400Address' : 'byte string'
                'directoryName' : [('OID', 'string'), ...]
                'dNSName' : string
                'uniformResourceIdentifier' : string
                'iPAddress' : string
                'registeredID' : string

        Each type name is resolved with getattr to a converter method of
        the same name on this object. An unknown type name fails the
        ``assert`` below; as with any assert, that check is removed under
        ``python -O``, so type names should be validated by the caller
        before reaching this constructor.
        """
        sanValue = rfc2459.SubjectAltName()
        for position, (nameType, nameValue) in enumerate(altnames):
            convert = getattr(self, nameType, None)
            assert convert is not None, 'unsupported element type {0}'.format(nameType)
            general = rfc2459.GeneralName()
            general.setComponentByName(nameType, convert(nameValue))
            sanValue.setComponentByPosition(position, general)

        # The extension body is the DER encoding of the GeneralNames list.
        super(SubjectAltName, self).__init__(rfc2459.id_ce_subjectAltName,
                                             encoder.encode(sanValue))
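    def addNameConstraints(self, constraints, critical):
        """Add a NameConstraints extension built from *constraints*.

        *constraints* is a comma-separated list of ``permitted:<name>`` and
        ``excluded:<name>`` entries, which may be mixed freely. A name
        containing '/' is parsed as a directory name via stringToDN; any
        other name is used as a dNSName.

        GeneralSubtrees is SIZE (1..MAX), so a subtree kind that received
        no entries is left out of the extension rather than being added as
        an empty list.

        Raises UnknownNameConstraintsSpecificationError for a prefix other
        than ``permitted`` or ``excluded``, and ValueError for an entry that
        does not contain exactly one ':'.
        """
        # Component name and IMPLICIT context tag for each subtree kind.
        subtreeSpecs = {
            'permitted': ('permittedSubtrees', 0),
            'excluded': ('excludedSubtrees', 1),
        }
        subtrees = {'permitted': [], 'excluded': []}
        for entry in constraints.split(','):
            (subtreeName, nameData) = entry.split(':')
            if subtreeName not in subtrees:
                raise UnknownNameConstraintsSpecificationError(subtreeName)
            subtrees[subtreeName].append(nameData)

        nameConstraints = rfc2459.NameConstraints()
        for key, names in subtrees.items():
            # Skip kinds with no entries: an empty GeneralSubtrees would
            # violate its SIZE (1..MAX) constraint.
            if not names:
                continue
            (subtreesType, subtreesTag) = subtreeSpecs[key]
            generalSubtrees = rfc2459.GeneralSubtrees().subtype(
                implicitTag=tag.Tag(tag.tagClassContext,
                                    tag.tagFormatConstructed, subtreesTag))

            for pos, name in enumerate(names):
                generalName = rfc2459.GeneralName()
                if '/' in name:
                    generalName['directoryName'] = stringToDN(
                        name,
                        tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4))
                else:
                    generalName['dNSName'] = name
                generalSubtree = rfc2459.GeneralSubtree()
                generalSubtree['base'] = generalName
                generalSubtrees.setComponentByPosition(pos, generalSubtree)
            nameConstraints[subtreesType] = generalSubtrees
        self.addExtension(rfc2459.id_ce_nameConstraints, nameConstraints,
                          critical)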
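class PKIHeader(univ.Sequence):
    """CMP PKIHeader (RFC 4210).

    PKIHeader ::= SEQUENCE {
        pvno            INTEGER { cmp1999(1), cmp2000(2) },
        sender          GeneralName,
        recipient       GeneralName,
        messageTime     [0] GeneralizedTime          OPTIONAL,
        protectionAlg   [1] AlgorithmIdentifier      OPTIONAL,
        senderKID       [2] KeyIdentifier            OPTIONAL,
        recipKID        [3] KeyIdentifier            OPTIONAL,
        transactionID   [4] OCTET STRING             OPTIONAL,
        senderNonce     [5] OCTET STRING             OPTIONAL,
        recipNonce      [6] OCTET STRING             OPTIONAL,
        freeText        [7] PKIFreeText              OPTIONAL,
        generalInfo     [8] SEQUENCE SIZE (1..MAX) OF InfoTypeAndValue OPTIONAL }

    The [8] tag and the SIZE (1..MAX) constraint of generalInfo belong to
    the SEQUENCE OF itself, not to each InfoTypeAndValue element, so they
    are applied to the ``univ.SequenceOf`` rather than to its componentType.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType(
            'pvno',
            univ.Integer(
                namedValues=namedval.NamedValues(('cmp1999', 1), ('cmp2000',
                                                                  2)))),
        namedtype.NamedType('sender', rfc2459.GeneralName()),
        namedtype.NamedType('recipient', rfc2459.GeneralName()),
        namedtype.OptionalNamedType(
            'messageTime',
            useful.GeneralizedTime().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 0))),
        namedtype.OptionalNamedType(
            'protectionAlg',
            rfc2459.AlgorithmIdentifier().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatConstructed, 1))),
        namedtype.OptionalNamedType(
            'senderKID',
            rfc2459.KeyIdentifier().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 2))),
        namedtype.OptionalNamedType(
            'recipKID',
            rfc2459.KeyIdentifier().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 3))),
        namedtype.OptionalNamedType(
            'transactionID',
            univ.OctetString().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 4))),
        namedtype.OptionalNamedType(
            'senderNonce',
            univ.OctetString().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 5))),
        namedtype.OptionalNamedType(
            'recipNonce',
            univ.OctetString().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 6))),
        namedtype.OptionalNamedType(
            'freeText',
            PKIFreeText().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatConstructed, 7))),
        # Constraint and [8] tag go on the SEQUENCE OF, per the ASN.1 above.
        namedtype.OptionalNamedType(
            'generalInfo',
            univ.SequenceOf(componentType=InfoTypeAndValue()).subtype(
                subtypeSpec=constraint.ValueSizeConstraint(1, MAX),
                explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple,
                                    8))))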
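class GeneralSubtree(univ.Sequence):
    """RFC 5280 GeneralSubtree, one entry of a NameConstraints subtree list.

    GeneralSubtree ::= SEQUENCE {
         base                    GeneralName,
         minimum         [0]     BaseDistance DEFAULT 0,
         maximum         [1]     BaseDistance OPTIONAL }

    BaseDistance is an INTEGER, i.e. a primitive type, so its IMPLICIT
    [0]/[1] tags are declared with the primitive form (tagFormatSimple), as
    X.690 requires for an implicitly tagged primitive; the constructed form
    is only correct for SEQUENCE/SET-like base types.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('base', rfc2459.GeneralName()),
        namedtype.DefaultedNamedType('minimum', rfc2459.BaseDistance(0).subtype(
            implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
        namedtype.OptionalNamedType('maximum', rfc2459.BaseDistance().subtype(
            implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1)))
    )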
class AccessDescription(univ.Sequence):
    """RFC 5280 AccessDescription.

    AccessDescription  ::=  SEQUENCE {
               accessMethod          OBJECT IDENTIFIER,
               accessLocation        GeneralName  }
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType(
            'accessMethod',
            univ.ObjectIdentifier(),
        ),
        namedtype.NamedType(
            'accessLocation',
            rfc2459.GeneralName(),
        ),
    )
 def addSubjectAlternativeName(self, dNSNames, critical):
     """Add a SubjectAltName extension holding one dNSName per entry.

     *dNSNames* is a comma-separated string. Each entry is run through the
     Python 2 'string_escape' codec first, so a backslash escape written
     into the name (e.g. a backslash followed by a zero) becomes the byte
     it denotes (here, a zero byte) in the encoded name.
     """
     sanValue = rfc2459.SubjectAltName()
     for position, rawName in enumerate(dNSNames.split(',')):
         # Decode backslash escapes written into the name string.
         decodedName = rawName.decode(encoding='string_escape')
         entry = rfc2459.GeneralName()
         entry.setComponentByName('dNSName', decodedName)
         sanValue.setComponentByPosition(position, entry)
     self.addExtension(rfc2459.id_ce_subjectAltName, sanValue, critical)
def stringToAccessDescription(string):
    """Wrap an OCSP responder URI in an AccessDescription.

    *string* is used as a uniformResourceIdentifier GeneralName and paired
    with the id-ad-ocsp access method. The result is a plain
    ``univ.Sequence`` with the two components set positionally
    (accessMethod at 0, accessLocation at 1), usable by pyasn1 where an
    AccessDescription is expected.
    """
    location = rfc2459.GeneralName()
    location['uniformResourceIdentifier'] = string
    description = univ.Sequence()
    for index, component in enumerate((rfc2459.id_ad_ocsp, location)):
        description.setComponentByPosition(index, component)
    return description
 def addSubjectAlternativeName(self, names, critical):
     """Add a SubjectAltName extension holding one GeneralName per entry.

     *names* is a comma-separated string. An entry containing '/' is
     parsed as a directory name by stringToDN; any other entry is a
     dNSName, decoded with the Python 2 'string_escape' codec so that a
     backslash escape written into the name (e.g. a backslash followed by
     a zero) becomes the byte it denotes (here, a zero byte).
     """
     sanValue = rfc2459.SubjectAltName()
     for position, rawName in enumerate(names.split(',')):
         entry = rfc2459.GeneralName()
         if '/' not in rawName:
             # Decode backslash escapes written into the name string.
             entry.setComponentByName('dNSName',
                                      rawName.decode(encoding='string_escape'))
         else:
             dnTag = tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4)
             entry.setComponentByName('directoryName', stringToDN(rawName, dnTag))
         sanValue.setComponentByPosition(position, entry)
     self.addExtension(rfc2459.id_ce_subjectAltName, sanValue, critical)
class TBSRequest(univ.Sequence):
    """OCSP TBSRequest (RFC 2560 / RFC 6960).

    TBSRequest ::= SEQUENCE {
        version             [0] EXPLICIT Version DEFAULT v1,
        requestorName       [1] EXPLICIT GeneralName OPTIONAL,
        requestList             SEQUENCE OF Request,
        requestExtensions   [2] EXPLICIT Extensions OPTIONAL }

    Version and Request are defined elsewhere in this module.
    """
    componentType = namedtype.NamedTypes(
        namedtype.DefaultedNamedType('version', Version(0).subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
        namedtype.OptionalNamedType('requestorName', rfc2459.GeneralName().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
        namedtype.NamedType('requestList', univ.SequenceOf(componentType=Request())),
        namedtype.OptionalNamedType('requestExtensions', rfc2459.Extensions().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))),
    )
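def build_payload():
    """Build an OCSPRequest for the certificate described by the module constants.

    The request carries a single Request whose CertID is assembled from
    ALGORITHM, ALGO_PARAMS_HEX, ISSUER_NAME_HASH, ISSUER_KEY_HASH and
    SERIAL_NUMBER, plus a requestExtensions list holding one
    id-pkix-ocsp-nonce extension. requestorName and optionalSignature are
    left unset, so an unsigned request is returned.

    NOTE(review): the nonce extension value is a fixed constant, so every
    request built here carries the same 16-byte nonce. The nonce exists to
    bind a response to one specific request; a client relying on it for
    replay protection needs a fresh random value (e.g. os.urandom) per
    request.

    Returns:
        The populated OCSPRequest as an unencoded pyasn1 object.
    """
    # --- CertID: identifies the certificate whose status is requested ---
    certid = CertID()
    certid['hashAlgorithm'] = rfc2459.AlgorithmIdentifier()\
        .setComponentByName('algorithm', ALGORITHM)\
        .setComponentByName('parameters', univ.Any(hexValue=ALGO_PARAMS_HEX))
    certid['issuerNameHash'] = univ.OctetString(hexValue=ISSUER_NAME_HASH)
    certid['issuerKeyHash'] = univ.OctetString(hexValue=ISSUER_KEY_HASH)
    certid['serialNumber'] = rfc2459.CertificateSerialNumber(SERIAL_NUMBER)

    # --- single Request; singleRequestExtensions is optional and not set ---
    request = Request()
    request['reqCert'] = certid
    requestList = univ.SequenceOf(componentType=Request())
    requestList[0] = request

    # --- nonce extension (id-pkix-ocsp-nonce, 1.3.6.1.5.5.7.48.1.2) ---
    # extnValue is the DER OCTET STRING (04 12) wrapping the inner
    # OCTET STRING (04 10) that holds the 16-byte nonce.
    reqExt = rfc2459.Extension()
    reqExt['extnID'] = univ.ObjectIdentifier('1.3.6.1.5.5.7.48.1.2')
    reqExt['critical'] = univ.Boolean(False)
    reqExt['extnValue'] = univ.Any(hexValue='04120410236e5193af7958f49edcc756ed6c6dd3')
    # requestExtensions is EXPLICIT [2] inside TBSRequest.
    reqExts = rfc2459.Extensions().subtype(
        explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))
    reqExts[0] = reqExt

    # --- TBSRequest ---
    # TODO: requestorName (optional) is not populated.
    tbsReq = TBSRequest()
    tbsReq['version'] = Version(0).subtype(
        explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))
    tbsReq['requestList'] = requestList
    tbsReq['requestExtensions'] = reqExts

    # TODO: optionalSignature (and its certs) is not populated; the
    # request is returned unsigned.
    req = OCSPRequest()
    req['tbsRequest'] = tbsReq
    return req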