def register(self): now = datetime.utcnow() key = self.keygen.get_key() csr = x509.CSR.new(key, f'CN={self.addr}', hashlib.sha256()) self.runtime_cert = self.sss.runtime_ca_cert.sign( csr, self.sss.runtime_ca_key, not_before=now, not_after=now + timedelta(hours=8), serial_number=self.addr ) ca_der = self.sss.runtime_ca_cert.export(format="DER") crt_der = self.runtime_cert.export(format="DER") pk_der = key.export_key(format="DER") sync_key = self.sss.scum_sync_key sync_salt = self.sss.scum_sync_salt data_key = self.sss.scum_data_key data_salt = self.sss.scum_data_salt entropy = token_bytes(ENTROPY_POOL_SIZE) first_sed = b'\x01' if (self.sss.reg_count == 0) else b'\x00' self.sss.reg_count += 1 # SCUM keys/salts/sync indicator have fixed length return struct.pack('<HhHHHHHHHHH', self.addr, REG, len(ca_der), len(crt_der), len(pk_der), \ len(sync_key), len(sync_salt), len(data_key), len(data_salt), len(first_sed), len(entropy)) \ + ca_der + crt_der + pk_der + sync_key + sync_salt + data_key + data_salt + first_sed + entropy
def ca1_crt(self, ca1_key, ca0_crt, ca0_key, now): ca1_csr = CSR.new(ca1_key, "CN=Intermediate CA", hashlib.sha256()) return ca0_crt.sign( ca1_csr, ca0_key, now, now + dt.timedelta(days=90), 0x234567, basic_constraints=BasicConstraints(True, 1), )
def ca0_crt(self, ca0_key, now): ca0_csr = CSR.new(ca0_key, "CN=Trusted CA", hashlib.sha256()) return CRT.selfsign( ca0_csr, ca0_key, not_before=now, not_after=now + dt.timedelta(days=90), serial_number=0x123456, basic_constraints=BasicConstraints(True, -1), )
def __init__(self, sockf): # Make sure the socket does not already exist try: os.unlink(sockf) except OSError: if os.path.exists(sockf): raise # Load provisioning CA certificate and key self.provision_ca_cert = x509.CRT.from_file('/secrets/sss/ca.crt') with open('/secrets/sss/ca.key', 'r') as keyfile: self.provision_ca_key = pk.RSA.from_buffer(x509.PEM_to_DER(keyfile.read())) # Generate runtime CA certificate and key now = datetime.utcnow() self.runtime_ca_key = pk.RSA() self.runtime_ca_key.generate() csr = x509.CSR.new(self.runtime_ca_key, "CN=SSS", hashlib.sha256()) self.runtime_ca_cert = x509.CRT.selfsign( csr, self.runtime_ca_key, not_before=now, not_after=now + timedelta(hours=8), serial_number=0x1, basic_constraints=x509.BasicConstraints(ca=True, max_path_length=1) ) # Trust store for registration trust_store = tls.TrustStore() trust_store.add(self.provision_ca_cert) # DTLS server configuration self.dtls_conf = tls.DTLSConfiguration( trust_store=trust_store, certificate_chain=([self.provision_ca_cert], self.provision_ca_key), validate_certificates=True ) tls._set_debug_level(DEBUG_LEVEL) tls._enable_debug_output(self.dtls_conf) # Generate SCUM keys self.scum_data_key = token_bytes(SCUM_KEY_LENGTH) self.scum_data_salt = token_bytes(SCUM_SALT_LENGTH) self.scum_sync_key = token_bytes(SCUM_KEY_LENGTH) self.scum_sync_salt = token_bytes(SCUM_SALT_LENGTH) # Registered device count self.reg_count = 0 # Socket self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) self.sock.bind(sockf) self.devs = {}
def algorithm(self): return hashlib.sha256()
def Sha256(Input): Hash = hashlib.sha256() Hash.update(Input) return Hash.digest()
def ee0_crt(self, ee0_key, ca1_crt, ca1_key, now): ee0_csr = CSR.new(ee0_key, "CN=End Entity", hashlib.sha256()) return ca1_crt.sign(ee0_csr, ca1_key, now, now + dt.timedelta(days=90), 0x345678)
def digestmod(self): return hashlib.sha256()