Ejemplo n.º 1
 def calculate_certificate(self, node, key_x509):
     """Append an ``etsi:Cert`` reference for *key_x509* to *node*.

     The reference carries two things: a digest of the certificate computed
     with the policy's ``hash_method``, and the issuer name plus serial
     number. A verifier can use these to bind the signature to one specific
     certificate rather than to any certificate holding the same key.

     Args:
         node: parent element that receives the new ``Cert`` child.
         key_x509: certificate object exposing ``fingerprint()``,
             ``issuer.rdns`` and ``serial_number``.
     """
     # hash_method is the algorithm identifier written into DigestMethod;
     # MAP_HASHLIB maps it to the hash class handed to fingerprint().
     hash_factory = MAP_HASHLIB[self.hash_method]
     digest_b64 = b64encode(key_x509.fingerprint(hash_factory())).decode()

     cert_digest = ETSI.CertDigest(
         DS.DigestMethod(Algorithm=self.hash_method),
         DS.DigestValue(digest_b64),
     )
     issuer_serial = ETSI.IssuerSerial(
         DS.X509IssuerName(get_rdns_name(key_x509.issuer.rdns)),
         DS.X509SerialNumber(str(key_x509.serial_number)),
     )
     node.append(ETSI.Cert(cert_digest, issuer_serial))
Ejemplo n.º 2
 def calculate_certificate(self, node, key_x509):
     """Build the ``Cert`` subtree for *key_x509* under *node*.

     Creates ``Cert/CertDigest`` (digest algorithm and base64 certificate
     fingerprint) and ``Cert/IssuerSerial`` (issuer name and serial number),
     so a verifier can tie the signature to this exact certificate.

     Args:
         node: parent element under which ``Cert`` is created.
         key_x509: certificate object exposing ``fingerprint()``,
             ``issuer.rdns`` and ``serial_number``.
     """
     cert_el = create_node('Cert', node, EtsiNS)

     # CertDigest: algorithm identifier plus the certificate fingerprint.
     digest_el = create_node('CertDigest', cert_el, EtsiNS)
     create_node('DigestMethod', digest_el, DSigNs).set(
         'Algorithm', self.hash_method)
     digest_value_el = create_node('DigestValue', digest_el, DSigNs)
     hash_factory = MAP_HASHLIB[self.hash_method]
     # NOTE(review): b64encode() returns bytes on Python 3 and is assigned
     # to .text without decoding; confirm the XML library in use accepts it.
     digest_value_el.text = b64encode(key_x509.fingerprint(hash_factory()))

     # IssuerSerial: identifies the certificate by issuer DN and serial.
     issuer_el = create_node('IssuerSerial', cert_el, EtsiNS)
     issuer_name = get_rdns_name(key_x509.issuer.rdns)
     create_node('X509IssuerName', issuer_el, DSigNs).text = issuer_name
     serial_text = str(key_x509.serial_number)
     create_node('X509SerialNumber', issuer_el, DSigNs).text = serial_text
Ejemplo n.º 3
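 def validate_certificate(self, node, signature):
     """Check the ``etsi:Cert`` reference in *node* against the signature's
     ``ds:KeyInfo`` certificate data.

     The reference is selected by ``ds:X509IssuerSerial`` when the signature
     carries one, otherwise the first ``etsi:Cert`` is used. If the
     signature embeds a ``ds:X509Certificate``, its serial number, issuer
     and digest must all match the selected reference.

     Args:
         node: element whose ``etsi:Cert`` children are the signed
             certificate references.
         signature: ``ds:Signature`` element containing
             ``ds:KeyInfo/ds:X509Data``.

     Raises:
         AssertionError: when no reference matches, or when the serial
             number or digest differs. These are raised explicitly instead
             of with ``assert`` statements, which ``python -O`` strips and
             which would turn every check here into a no-op.
     """
     certs = node.findall('etsi:Cert', namespaces=NS_MAP)
     x509 = signature.find('ds:KeyInfo/ds:X509Data', namespaces=NS_MAP)
     x509_data = x509.find('ds:X509Certificate', namespaces=NS_MAP)
     serial = x509.find('ds:X509IssuerSerial', namespaces=NS_MAP)
     if serial is not None:
         serial_name = serial.find(
             'ds:X509IssuerName', namespaces=NS_MAP
         ).text
         serial_number = serial.find(
             'ds:X509SerialNumber', namespaces=NS_MAP
         ).text
         certificate = None
         for cert in certs:
             cert_issuer = cert.find(
                 'etsi:IssuerSerial/ds:X509IssuerName', namespaces=NS_MAP
             ).text
             # The serial is only looked up when the issuer already matches.
             if cert_issuer == serial_name and cert.find(
                 'etsi:IssuerSerial/ds:X509SerialNumber', namespaces=NS_MAP
             ).text == serial_number:
                 certificate = cert
         if certificate is None:
             raise AssertionError(
                 'no etsi:Cert matches the X509IssuerSerial in KeyInfo'
             )
     else:
         certificate = certs[0]
     # NOTE(review): when KeyInfo carries no ds:X509Certificate, nothing
     # below runs and the reference is not compared with any actual
     # certificate; confirm callers verify that binding elsewhere.
     if x509_data is not None:
         parsed_x509 = load_der_x509_certificate(
             b64decode(x509_data.text), default_backend()
         )
         referenced_serial = certificate.find(
             'etsi:IssuerSerial/ds:X509SerialNumber', namespaces=NS_MAP
         ).text
         if str(parsed_x509.serial_number) != referenced_serial:
             raise AssertionError(
                 'certificate serial number does not match etsi:Cert'
             )
         # NOTE(review): dict_compare is defined elsewhere; if it relies on
         # ``assert`` internally it has the same ``-O`` weakness.
         dict_compare(
             rdns_to_map(get_rdns_name(parsed_x509.issuer.rdns)),
             rdns_to_map(certificate.find(
                 'etsi:IssuerSerial/ds:X509IssuerName',
                 namespaces=NS_MAP
             ).text)
         )
         digest = certificate.find(
             'etsi:CertDigest', namespaces=NS_MAP
         )
         # The digest algorithm is read from the document being verified.
         # Which algorithms are accepted depends entirely on MAP_HASHLIB
         # (not shown here); an unknown identifier raises KeyError.
         algorithm = digest.find(
             'ds:DigestMethod', namespaces=NS_MAP
         ).get('Algorithm')
         computed = b64encode(
             parsed_x509.fingerprint(MAP_HASHLIB[algorithm]())
         )
         declared = digest.find(
             'ds:DigestValue', namespaces=NS_MAP
         ).text.encode()
         if computed != declared:
             raise AssertionError(
                 'certificate digest does not match etsi:CertDigest'
             )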