Example #1
0
    def test_self_sign_certificate(self):
        # Warning: proof of concept code only!
        pub, priv = self.session.generate_keypair(KeyType.RSA, 1024)

        tbs = TbsCertificate({
            'version':
            'v1',
            'serial_number':
            1,
            'issuer':
            Name.build({
                'common_name': 'Test Certificate',
            }),
            'subject':
            Name.build({
                'common_name': 'Test Certificate',
            }),
            'signature': {
                'algorithm': 'sha1_rsa',
                'parameters': None,
            },
            'validity': {
                'not_before':
                Time({
                    'utc_time': datetime.datetime(2017, 1, 1, 0, 0),
                }),
                'not_after':
                Time({
                    'utc_time': datetime.datetime(2038, 12, 31, 23, 59),
                }),
            },
            'subject_public_key_info': {
                'algorithm': {
                    'algorithm': 'rsa',
                    'parameters': None,
                },
                'public_key': RSAPublicKey.load(encode_rsa_public_key(pub)),
            }
        })

        # Sign the TBS Certificate
        value = priv.sign(tbs.dump(), mechanism=Mechanism.SHA1_RSA_PKCS)

        cert = Certificate({
            'tbs_certificate': tbs,
            'signature_algorithm': {
                'algorithm': 'sha1_rsa',
                'parameters': None,
            },
            'signature_value': value,
        })

        # Pipe our certificate to OpenSSL to verify it
        with subprocess.Popen((OPENSSL, 'verify'),
                              stdin=subprocess.PIPE,
                              stdout=subprocess.DEVNULL) as proc:

            proc.stdin.write(pem.armor('CERTIFICATE', cert.dump()))
            proc.stdin.close()
            self.assertEqual(proc.wait(), 0)
Example #2
0
def check_ess_certid(cert: x509.Certificate, certid: Union[tsp.ESSCertID,
                                                           tsp.ESSCertIDv2]):
    """
    Match an ``ESSCertID`` value against a certificate.

    :param cert:
        The certificate to match against.
    :param certid:
        The ``ESSCertID`` value.
    :return:
        ``True`` if the ``ESSCertID`` matches the certificate,
        ``False`` otherwise.
    """
    if isinstance(certid, tsp.ESSCertID):
        hash_algo = 'sha1'
    else:
        hash_algo = certid['hash_algorithm']['algorithm'].native

    hash_spec = get_pyca_cryptography_hash(hash_algo)
    md = hashes.Hash(hash_spec)
    md.update(cert.dump())
    digest_value = md.finalize()
    expected_digest_value = certid['cert_hash'].native
    if digest_value != expected_digest_value:
        return False
    expected_issuer_serial: tsp.IssuerSerial = certid['issuer_serial']
    return (not expected_issuer_serial
            or match_issuer_serial(expected_issuer_serial, cert))
Example #3
0
def check_ess_certid(cert: x509.Certificate, certid: Union[tsp.ESSCertID,
                                                           tsp.ESSCertIDv2]):
    if isinstance(certid, tsp.ESSCertID):
        hash_algo = 'sha1'
    else:
        hash_algo = certid['hash_algorithm']['algorithm'].native

    hash_spec = get_pyca_cryptography_hash(hash_algo)
    md = hashes.Hash(hash_spec)
    md.update(cert.dump())
    digest_value = md.finalize()
    expected_digest_value = certid['cert_hash'].native
    if digest_value != expected_digest_value:
        return False
    expected_issuer_serial: tsp.IssuerSerial = certid['issuer_serial']
    return (not expected_issuer_serial
            or match_issuer_serial(expected_issuer_serial, cert))
Example #4
0
def as_signing_certificate_v2(cert: x509.Certificate, hash_algo='sha256') \
        -> tsp.SigningCertificateV2:
    """
    Format an ASN.1 ``SigningCertificateV2`` value, where the certificate
    is identified by the hash algorithm specified.

    :param cert:
        An X.509 certificate.
    :param hash_algo:
        Hash algorithm to use to digest the certificate.
        Default is SHA-256.
    :return:
        A :class:`tsp.SigningCertificateV2` object referring to the original
        certificate.
    """

    # see RFC 5035
    hash_spec = get_pyca_cryptography_hash(hash_algo)
    md = hashes.Hash(hash_spec)
    md.update(cert.dump())
    digest_value = md.finalize()
    return tsp.SigningCertificateV2({
        'certs': [
            tsp.ESSCertIDv2({
                'hash_algorithm': {
                    'algorithm': hash_algo
                },
                'cert_hash': digest_value,
                'issuer_serial': {
                    'issuer':
                    [x509.GeneralName({'directory_name': cert.issuer})],
                    'serial_number': cert['tbs_certificate']['serial_number']
                }
            })
        ]
    })
Example #5
0
def as_signing_certificate(cert: x509.Certificate) -> tsp.SigningCertificate:
    """
    Format an ASN.1 ``SigningCertificate`` object, where the certificate
    is identified by its SHA-1 digest.

    :param cert:
        An X.509 certificate.
    :return:
        A :class:`tsp.SigningCertificate` object referring to the original
        certificate.
    """
    # see RFC 2634, § 5.4.1
    return tsp.SigningCertificate({
        'certs': [
            tsp.ESSCertID({
                'cert_hash': hashlib.sha1(cert.dump()).digest(),
                'issuer_serial': {
                    'issuer':
                    [x509.GeneralName({'directory_name': cert.issuer})],
                    'serial_number': cert['tbs_certificate']['serial_number']
                }
            })
        ]
    })
Example #6
0
 def PackX509Certificate(self, cert: Certificate):
     self.PackBytes(cert.dump())
Example #7
0
def as_signing_certificate(cert: x509.Certificate) -> tsp.SigningCertificate:
    # see RFC 2634, § 5.4.1
    return tsp.SigningCertificate({
        'certs':
        [tsp.ESSCertID({'cert_hash': hashlib.sha1(cert.dump()).digest()})]
    })