def insert_cert(conn, ip, port, der, cert):
(md5, sha1, sha256) = hashdata(der)
print(sha1)
c = conn.cursor()
c.execute('select * from certs where sha256=? and recdate=? and ip=?', (
sha256,
date,
ip,
))
certrec = c.fetchone()
if certrec == None:
x509obj = x509.load_pem_x509_certificate(cert, default_backend())
try:
cert_str = str(x509obj.subject)
print('IP: ' + ip + ' - ' + cert_str)
except:
cert_str = ("Empty")
print('IP: ' + ip + ' - ' + cert_str)
substrate = pem.readPemFromFile(io.BytesIO(cert))
certobj = decoder.decode(substrate, asn1Spec=rfc2459.Certificate())[0]
cert_str += certobj.prettyPrint()
sql = '''insert into certs
values (NULL, ?, ?, ?, ?, ?, ?, ?,?);'''
c.execute(sql, [
ip, port, md5, sha1, sha256,
sqlite3.Binary(cert), cert_str, date
])
certid = c.lastrowid
conn.commit()
else:
certid = certrec[0]
return certid
def test_https_cert_invalid(self):
"""Verify vikidia SSL certificate is invalid."""
try:
from pyasn1_modules import pem, rfc2459
from pyasn1.codec.der import decoder
except ImportError:
raise unittest.SkipTest('pyasn1 and pyasn1_modules not available.')
import ssl
import io
cert = ssl.get_server_certificate(addr=('en.vikidia.org', 443))
s = io.StringIO(unicode(cert))
substrate = pem.readPemFromFile(s)
cert = decoder.decode(substrate, asn1Spec=rfc2459.Certificate())[0]
tbs_cert = cert.getComponentByName('tbsCertificate')
issuer = tbs_cert.getComponentByName('issuer')
organisation = None
for rdn in issuer.getComponent():
for attr in rdn:
attr_type = attr.getComponentByName('type')
if attr_type == rfc2459.id_at_organizationName:
value, _ = decoder.decode(attr.getComponentByName('value'),
asn1Spec=rfc2459.X520name())
organisation = str(value.getComponent())
break
self.assertEqual(organisation, 'TuxFamily.org non-profit organization')
def toDER(self):
tbsCertificate = rfc2459.TBSCertificate()
tbsCertificate.setComponentByName('version', self.getVersion())
tbsCertificate.setComponentByName('serialNumber',
self.getSerialNumber())
tbsCertificate.setComponentByName('signature', self.getSignature())
tbsCertificate.setComponentByName('issuer', self.getIssuer())
tbsCertificate.setComponentByName('validity', self.getValidity())
tbsCertificate.setComponentByName('subject', self.getSubject())
tbsCertificate.setComponentByName('subjectPublicKeyInfo',
self.getSubjectPublicKeyInfo())
if self.extensions:
extensions = rfc2459.Extensions().subtype(explicitTag=tag.Tag(
tag.tagClassContext, tag.tagFormatSimple, 3))
count = 0
for extension in self.extensions:
extensions.setComponentByPosition(count, extension)
count += 1
tbsCertificate.setComponentByName('extensions', extensions)
tbsDER = encoder.encode(tbsCertificate)
rsaPrivateKey = rsa.PrivateKey(self.sharedRSA_N, self.sharedRSA_E,
self.sharedRSA_D, self.sharedRSA_P,
self.sharedRSA_Q)
signature = rsa.sign(tbsDER, rsaPrivateKey, 'SHA-256')
certificate = rfc2459.Certificate()
certificate.setComponentByName('tbsCertificate', tbsCertificate)
certificate.setComponentByName('signatureAlgorithm',
self.getSignatureAlgorithm())
certificate.setComponentByName(
'signatureValue', byteStringToHexifiedBitString(signature))
return encoder.encode(certificate)
class Signature(univ.Sequence):
componentType = namedtype.NamedTypes(
namedtype.NamedType('signatureAlgorithm', rfc2459.AlgorithmIdentifier()),
namedtype.NamedType('signature', univ.BitString()),
namedtype.OptionalNamedType('certs', univ.SequenceOf(componentType=rfc2459.Certificate()).subtype(
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
)
def parse_cert(raw_bytes):
result = CertInfo()
certType = rfc2459.Certificate()
cert, rest = decoder.decode(raw_bytes, asn1Spec=certType)
subj_pub_key_bytes = frombits(
cert.getComponentByName('tbsCertificate').getComponentByName(
'subjectPublicKeyInfo').getComponentByName('subjectPublicKey'))
SUBJECT = cert.getComponentByName('tbsCertificate').getComponentByName(
'subject')
for rdn in SUBJECT[0]:
for nv in rdn:
name = nv.getComponentByName('type')
value = nv.getComponentByName('value')
# could pick up regular OUs too
if name == rfc2459.id_at_organizationalUnitName:
#print 'name: %s' % name
#print 'value: [%s] (%s)' % (str(value).strip(), type(value))
result.control_fields.append(str(value).strip())
rsaType = rfc2437.RSAPublicKey()
rsadata, rsadata_rest = decoder.decode(subj_pub_key_bytes,
asn1Spec=rsaType)
mod = rsadata.getComponentByName("modulus")
pub_exp = rsadata.getComponentByName("publicExponent")
result.pub_key = rsa.PublicKey(long(mod), long(pub_exp))
return result
def sign(target, image_path, key_path, cert_path):
image_length = os.path.getsize(image_path)
signable_size = get_signable_image_size(image_path)
if signable_size < image_length:
print('NOTE: truncating file', image_path, 'from', image_length,
'to', signable_size, 'bytes', file=sys.stderr)
with open(image_path, 'rb+') as f:
f.truncate(signable_size)
elif signable_size > image_length:
raise ValueError('Invalid image: too short, expected {} bytes'.format(signable_size))
boot_signature = BootSignature.create(target, image_length)
cert = X509.load_cert(cert_path)
cert_decoded, _ = der_decoder(cert.as_der(), asn1Spec=rfc2459.Certificate())
boot_signature['certificate'] = cert_decoded
authenticated_attributes = boot_signature['authenticatedAttributes']
encoded_authenticated_attributes = der_encoder(authenticated_attributes)
digest = get_image_hash(image_path,
extra_data=encoded_authenticated_attributes)
key = RSA.load_key(key_path)
signature = key.sign(digest, algo='sha256')
boot_signature['signature'] = signature
boot_signature['algorithmIdentifier']['algorithm'] = rfc4055.sha256WithRSAEncryption
encoded_boot_signature = der_encoder(boot_signature)
with open(image_path, 'ab') as f:
f.write(encoded_boot_signature)
def decode(buffer: bytes):
from samson.public_key.ecdsa import ECDSA
cert, _left_over = decoder.decode(buffer,
asn1Spec=rfc2459.Certificate())
pub_info = cert['tbsCertificate']['subjectPublicKeyInfo']
curve_params, _ = decoder.decode(
Bytes(pub_info['algorithm']['parameters']))
p = int(curve_params[1][1])
b = Bytes(curve_params[2][1]).int()
q = int(curve_params[4])
gx, gy = ECDSA.decode_point(Bytes(curve_params[3]))
curve = WeierstrassCurve(a=-3,
b=b,
ring=ZZ / ZZ(p),
cardinality=q,
base_tuple=(gx, gy))
x, y = ECDSA.decode_point(Bytes(int(pub_info['subjectPublicKey'])))
ecdsa = ECDSA(curve.G, None, d=1)
ecdsa.Q = curve(x, y)
return ecdsa
class BootSignature(univ.Sequence):
"""
BootSignature ::= SEQUENCE {
formatVersion ::= INTEGER
certificate ::= Certificate
algorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters ANY DEFINED BY algorithm OPTIONAL
}
authenticatedAttributes ::= SEQUENCE {
target CHARACTER STRING,
length INTEGER
}
signature ::= OCTET STRING
}
"""
_FORMAT_VERSION = 1
componentType = namedtype.NamedTypes(
namedtype.NamedType('formatVersion', univ.Integer()),
namedtype.NamedType('certificate', rfc2459.Certificate()),
namedtype.NamedType('algorithmIdentifier',
rfc2459.AlgorithmIdentifier()),
namedtype.NamedType('authenticatedAttributes',
AuthenticatedAttributes()),
namedtype.NamedType('signature', univ.OctetString()))
@classmethod
def create(cls, target, length):
boot_signature = cls()
boot_signature['formatVersion'] = cls._FORMAT_VERSION
boot_signature['authenticatedAttributes']['target'] = target
boot_signature['authenticatedAttributes']['length'] = length
return boot_signature
def check(cls, buffer: bytes, **kwargs):
try:
cert, _ = decoder.decode(buffer, asn1Spec=rfc2459.Certificate())
return str(cert['tbsCertificate']['subjectPublicKeyInfo']
['algorithm']['algorithm']) == cls.ALG_OID
except PyAsn1Error as _:
return False
def from_string(cls, key_pem, is_x509_cert):
"""Construct an RsaVerifier instance from a string.
Args:
key_pem: string, public key in PEM format.
is_x509_cert: bool, True if key_pem is an X509 cert, otherwise it
is expected to be an RSA key in PEM format.
Returns:
RsaVerifier instance.
Raises:
ValueError: if the key_pem can't be parsed. In either case, error
will begin with 'No PEM start marker'. If
``is_x509_cert`` is True, will fail to find the
"-----BEGIN CERTIFICATE-----" error, otherwise fails
to find "-----BEGIN RSA PUBLIC KEY-----".
"""
key_pem = _helpers._to_bytes(key_pem)
if is_x509_cert:
from pyasn1.codec.der import decoder
from pyasn1_modules import rfc2459
der = rsa.pem.load_pem(key_pem, 'CERTIFICATE')
asn1_cert, remaining = decoder.decode(
der, asn1Spec=rfc2459.Certificate())
if remaining != b'':
raise ValueError('Unused bytes', remaining)
cert_info = asn1_cert['tbsCertificate']['subjectPublicKeyInfo']
key_bytes = _bit_list_to_bytes(cert_info['subjectPublicKey'])
pubkey = rsa.PublicKey.load_pkcs1(key_bytes, 'DER')
else:
pubkey = rsa.PublicKey.load_pkcs1(key_pem, 'PEM')
return cls(pubkey)
def __init__(self, cert, isfile=False):
if isfile:
f = open(cert, "rb")
cert = f.read()
f.close()
certType = rfc2459.Certificate()
self.cert, rest = decoder.decode(cert, asn1Spec=certType)
def toDER(self):
tbsCertificate = rfc2459.TBSCertificate()
tbsCertificate.setComponentByName('version', self.getVersion())
tbsCertificate.setComponentByName('serialNumber',
self.getSerialNumber())
tbsCertificate.setComponentByName('signature', self.getSignature())
tbsCertificate.setComponentByName('issuer', self.getIssuer())
tbsCertificate.setComponentByName('validity', self.getValidity())
tbsCertificate.setComponentByName('subject', self.getSubject())
tbsCertificate.setComponentByName(
'subjectPublicKeyInfo', self.subjectKey.asSubjectPublicKeyInfo())
if self.extensions:
extensions = rfc2459.Extensions().subtype(explicitTag=tag.Tag(
tag.tagClassContext, tag.tagFormatSimple, 3))
count = 0
for extension in self.extensions:
extensions.setComponentByPosition(count, extension)
count += 1
tbsCertificate.setComponentByName('extensions', extensions)
certificate = rfc2459.Certificate()
certificate.setComponentByName('tbsCertificate', tbsCertificate)
certificate.setComponentByName('signatureAlgorithm',
self.getSignatureAlgorithm())
tbsDER = encoder.encode(tbsCertificate)
certificate.setComponentByName('signatureValue',
self.issuerKey.sign(tbsDER))
return encoder.encode(certificate)
def validateCertChain (certPem):
# Ensure this is a good cert
certs = extractPems(certPem)
valid = False
for indvCertPem in certs:
wrappedPem = StringIO.StringIO(indvCertPem)
substrate = pem.readPemFromFile(wrappedPem)
cert = decoder.decode(substrate, asn1Spec=rfc2459.Certificate())[0]
tbsCertificate = cert[0]
subj = tbsCertificate['subject']
validity = tbsCertificate['validity']
extensions = tbsCertificate['extensions']
dateformat = '%y%m%d%H%M%SZ'
notBefore = datetime.strptime(str(validity.getComponentByPosition(0).getComponentByPosition(0)), dateformat)
notAfter = datetime.strptime(str(validity.getComponentByPosition(1).getComponentByPosition(0)), dateformat)
#print ('not before: ' + str(notBefore) + ', not after: ' + str(notAfter))
now = datetime.utcnow()
if now >= notBefore:
if now <= notAfter:
print ('Cert is still valid')
valid = True
else:
print ('expired cert!')
else:
print ('cert not valid yet!')
return valid
def CreateCert(name, signer=None, ocsp=False):
global NEXT_SERIAL
pkey = crypto.PKey()
pkey.generate_key(crypto.TYPE_RSA, 1024)
cert = crypto.X509()
cert.set_version(2)
cert.get_subject().CN = name
cert.set_pubkey(pkey)
cert.set_serial_number(NEXT_SERIAL)
NEXT_SERIAL += 1
cert.set_notBefore(CERT_DATE.strftime('%Y%m%d%H%M%SZ'))
cert.set_notAfter(CERT_EXPIRE.strftime('%Y%m%d%H%M%SZ'))
if ocsp:
cert.add_extensions(
[crypto.X509Extension('extendedKeyUsage', False, 'OCSPSigning')])
if signer:
cert.set_issuer(signer[1].get_subject())
cert.sign(signer[2], 'sha1')
else:
cert.set_issuer(cert.get_subject())
cert.sign(pkey, 'sha1')
asn1cert = decoder.decode(crypto.dump_certificate(crypto.FILETYPE_ASN1,
cert),
asn1Spec=rfc2459.Certificate())[0]
if not signer:
signer = [asn1cert]
return (asn1cert, cert, pkey, signer[0])
def parse_certificate(certificate_path):
fqdns = set()
substrate = pem.readPemFromFile(open(certificate_path))
cert = decoder.decode(substrate, asn1Spec=rfc2459.Certificate())[0]
core = cert['tbsCertificate']
# Hash public key
der = encoder.encode(core.getComponentByName('subjectPublicKeyInfo'))
hash_der = hashlib.sha256()
hash_der.update(der)
pkhash = hash_der.hexdigest()
# Extract CommonName
for rdnss in core['subject']:
for rdns in rdnss:
for name in rdns:
if name.getComponentByName('type') == rfc2459.id_at_commonName:
value = decoder.decode(
name.getComponentByName('value'),
asn1Spec=rfc2459.DirectoryString())[0]
fqdns.add(str(value.getComponent()))
# Extract SubjectAltName
for extension in core['extensions']:
if extension['extnID'] == rfc2459.id_ce_subjectAltName:
octet_string = decoder.decode(
extension.getComponentByName('extnValue'),
asn1Spec=OctetString())[0]
(san_list, r) = decoder.decode(octet_string,
rfc2459.SubjectAltName())
for san_struct in san_list:
if san_struct.getName() == 'dNSName':
fqdns.add(str(san_struct.getComponent()))
return (pkhash, fqdns)
def retrieveExtension(m2Cert, extensionOID):
"""Retrieves the extension from a certificate from its OID
:param m2Cert: M2Crypto X509 object, a certificate
:param extensionOID: the OID we are looking for
:returns: an ~pyasn1.type.univ.OctetString object, which is the content of the extension
(it still needs to be deserialized, depending on the extension !)
:raises: LookupError if it does not have the extension
"""
# Decode the certificate as a RFC2459 Certificate object.It is compatible
# with the RFC proxy definition
cert, _rest = der_decode(m2Cert.as_der(), asn1Spec=rfc2459.Certificate())
extensions = cert["tbsCertificate"]["extensions"]
# Construct an OID object for comparison purpose
extensionOIDObj = univ.ObjectIdentifier(extensionOID)
# We check every extension OID. This will be necessary until M2Crypto
# allows to register OID alias (https://gitlab.com/m2crypto/m2crypto/issues/231)
for extension in extensions:
# We found the good extension
if extension["extnID"] == extensionOIDObj:
return extension["extnValue"]
# If we are here, it means that we could not find the expected extension.
raise LookupError("Could not find extension with OID %s" % extensionOID)
def parse_certificate(certificate_path):
fqdns = set()
substrate = pem.readPemFromFile(open(certificate_path))
cert = decoder.decode(substrate, asn1Spec=rfc2459.Certificate())[0]
core = cert['tbsCertificate']
# Extract CommonName
for rdnss in core['subject']:
for rdns in rdnss:
for name in rdns:
if name.getComponentByName('type') == rfc2459.id_at_commonName:
value = decoder.decode(
name.getComponentByName('value'),
asn1Spec=rfc2459.DirectoryString())[0]
fqdns.add(str(value.getComponent()))
# extract notAfter datetime
notAfter = str(core['validity'].getComponentByName(
'notAfter').getComponent()).strip('Z')
(year, month, day, hour, minute,
seconds) = [int(notAfter[i:i + 2]) for i in range(0, len(notAfter), 2)]
expiration_date = datetime(2000 + year, month, day, hour, minute, seconds)
# Extract SubjectAltName
for extension in core['extensions']:
if extension['extnID'] == rfc2459.id_ce_subjectAltName:
(san_list,
r) = decoder.decode(extension.getComponentByName('extnValue'),
rfc2459.SubjectAltName())
for san_struct in san_list:
if san_struct.getName() == 'dNSName':
fqdns.add(str(san_struct.getComponent()))
return (fqdns, expiration_date)
def asnModify(self, cert, func):
substrate = crypto.dump_certificate(crypto.FILETYPE_ASN1, cert);
cert = decoder.decode(substrate, asn1Spec=rfc2459.Certificate())[0];
cert = func(cert);
substrate = encoder.encode(cert);
return crypto.load_certificate(crypto.FILETYPE_ASN1, substrate);
def get_ext_by_oid(cert, oid):
from pyasn1.codec.der import decoder
from pyasn1_modules import rfc2459
cert, _ = decoder.decode(cert.as_der(), asn1Spec=rfc2459.Certificate())
for ext in cert['tbsCertificate']['extensions']:
if ext['extnID'].prettyPrint() == oid:
return decoder.decode(ext['extnValue'])[0].asOctets()
return None
def check(buffer: bytes):
try:
cert, _ = decoder.decode(buffer, asn1Spec=rfc2459.Certificate())
alg = cert['tbsCertificate']['subjectPublicKeyInfo']['algorithm']
return str(alg['algorithm']) == '1.2.840.10045.2.1' and type(
decoder.decode(alg['parameters'])[0]) == Sequence
except PyAsn1Error as _:
return False
def gen_cert_def_c_device(cert_der):
cert = decoder.decode(cert_der, asn1Spec=rfc2459.Certificate())[0]
params = {}
info = cert_sn_offset_length(cert)
params['cert_sn_cert_loc_offset'] = info['offset']
params['cert_sn_cert_loc_count'] = info['length']
if info['length'] < 1 or info['length'] > 20:
raise ValueError(
'Invalid certificate SN length (no more than 20 bytes).')
info = cert_signer_id_offset_length(cert, 'issuer')
params['signer_id_cert_loc_offset'] = info['offset']
params['signer_id_cert_loc_count'] = info['length']
not_before = set_time_params(params, cert, 'notBefore')
not_after = set_time_params(params, cert, 'notAfter')
expire_years = not_after.year - not_before.year
if expire_years < 1 or expire_years > 31:
expire_years = 0
# Don't bother re-setting notAfter
params['expire_date_cert_loc_offset'] = 0
params['expire_date_cert_loc_count'] = 0
params['expire_years'] = expire_years
info = cert_public_key_offset_length(cert)
params['public_key_cert_loc_offset'] = info['offset']
params['public_key_cert_loc_count'] = info['length']
info = cert_subj_key_id_offset_length(cert)
if info is not None:
params['subj_key_id_cert_loc_offset'] = info['offset']
params['subj_key_id_cert_loc_count'] = info['length']
else:
params['subj_key_id_cert_loc_offset'] = 0
params['subj_key_id_cert_loc_count'] = 0
info = cert_auth_key_id_offset_length(cert)
if info is not None:
params['auth_key_id_cert_loc_offset'] = info['offset']
params['auth_key_id_cert_loc_count'] = info['length']
else:
params['auth_key_id_cert_loc_offset'] = 0
params['auth_key_id_cert_loc_count'] = 0
info = cert_tbs_offset_length(cert)
params['tbs_cert_loc_offset'] = info['offset']
params['tbs_cert_loc_count'] = info['length']
info = cert_sig_offset_length(cert)
params['signature_cert_loc_offset'] = info['offset']
params['signature_cert_loc_count'] = info['length']
params['cert_template'] = bin_to_c_hex(cert_der)
return string.Template(cert_def_2_device_c).substitute(params)
def gen_cert_def_c_signer(cert_der):
cert = decoder.decode(cert_der, asn1Spec=rfc2459.Certificate())[0]
params = {}
# CA public key needs to be handled dynamically in the kit, so we can use fake data for now
#params['ca_public_key'] = bin_to_c_hex(b'\x00'*64)
info = cert_sn_offset_length(cert)
params['cert_sn_cert_loc_offset'] = info['offset']
params['cert_sn_cert_loc_count'] = info['length']
if info['length'] < 1 or info['length'] > 20:
raise ValueError(
'Invalid certificate SN length (no more than 20 bytes).')
not_before = set_time_params(params, cert, 'notBefore')
not_after = set_time_params(params, cert, 'notAfter')
expire_years = not_after.year - not_before.year
if expire_years < 1 or expire_years > 31:
expire_years = 0
params['expire_years'] = expire_years
info = cert_signer_id_offset_length(cert, 'subject')
params['signer_id_cert_loc_offset'] = info['offset']
params['signer_id_cert_loc_count'] = info['length']
info = cert_public_key_offset_length(cert)
params['public_key_cert_loc_offset'] = info['offset']
params['public_key_cert_loc_count'] = info['length']
info = cert_subj_key_id_offset_length(cert)
if info is not None:
params['subj_key_id_cert_loc_offset'] = info['offset']
params['subj_key_id_cert_loc_count'] = info['length']
else:
params['subj_key_id_cert_loc_offset'] = 0
params['subj_key_id_cert_loc_count'] = 0
info = cert_auth_key_id_offset_length(cert)
if info is not None:
params['auth_key_id_cert_loc_offset'] = info['offset']
params['auth_key_id_cert_loc_count'] = info['length']
else:
params['auth_key_id_cert_loc_offset'] = 0
params['auth_key_id_cert_loc_count'] = 0
info = cert_tbs_offset_length(cert)
params['tbs_cert_loc_offset'] = info['offset']
params['tbs_cert_loc_count'] = info['length']
info = cert_sig_offset_length(cert)
params['signature_cert_loc_offset'] = info['offset']
params['signature_cert_loc_count'] = info['length']
params['cert_template'] = bin_to_c_hex(cert_der)
return string.Template(cert_def_1_signer_c).substitute(params)
def cert_time_offset_length(cert, name):
cert_der = encoder.encode(cert)
cert_mod = decoder.decode(cert_der, asn1Spec=rfc2459.Certificate())[0]
time_str = str(cert_mod['tbsCertificate']['validity'][name].getComponent())
time_str = chr(ord(time_str[0]) + 1) + time_str[1:]
cert_mod['tbsCertificate']['validity'][name] = cert_mod['tbsCertificate']['validity'][name].getComponent().clone(
value=time_str)
return {'offset': diff_offset(cert_der, encoder.encode(cert_mod)), 'length': len(time_str)}
def cert_signer_id_offset_length(cert, name):
name_der = bytearray(encoder.encode(cert['tbsCertificate'][name]))
name_der = name_der.replace(b'FFFF', b'0000')
cert_der = encoder.encode(cert)
cert_mod = decoder.decode(cert_der, asn1Spec=rfc2459.Certificate())[0]
cert_mod['tbsCertificate'][name] = decoder.decode(bytes(name_der))[0]
return {'offset':diff_offset(cert_der, encoder.encode(cert_mod)), 'length':4}
def toDER(self):
(signatureOID, hashAlgorithm) = stringToAlgorithmIdentifiers(self.signature)
certificate = rfc2459.Certificate()
tbsCertificate = self.getTBSCertificate()
certificate.setComponentByName('tbsCertificate', tbsCertificate)
certificate.setComponentByName('signatureAlgorithm', signatureOID)
tbsDER = encoder.encode(tbsCertificate)
certificate.setComponentByName('signatureValue', self.issuerKey.sign(tbsDER, hashAlgorithm))
return encoder.encode(certificate)
def toDER(self):
(signatureOID, hashAlgorithm) = stringToAlgorithmIdentifiers(self.signature)
certificate = rfc2459.Certificate()
tbsCertificate = self.getTBSCertificate()
certificate["tbsCertificate"] = tbsCertificate
certificate["signatureAlgorithm"] = signatureOID
tbsDER = encoder.encode(tbsCertificate)
certificate["signatureValue"] = self.issuerKey.sign(tbsDER, hashAlgorithm)
return encoder.encode(certificate)
def pemcert_to_attrs(certpath):
# rather than use pycryptography x509 parser, which gives native type access to certficiate
# fields use pyASN1 to get raw ASN1 encoded values for the fields as the spec requires them
with open(certpath, "r") as f:
substrate = pem.readPemFromFile(f)
cert = decoder.decode(substrate, asn1Spec=rfc2459.Certificate())[0]
c = cert['tbsCertificate']
# print(cert.prettyPrint())
h = binascii.hexlify
b = berenc.encode
d = derenc.encode
bercert = b(cert)
hexbercert = h(bercert).decode()
# the CKA_CHECKSUM attrs is the first 3 bytes of a sha1hash
m = hashlib.sha1()
m.update(bercert)
bercertchecksum = m.digest()[0:3]
hexbercertchecksum = h(bercertchecksum).decode()
subj = c['subject']
hexsubj = h(d(str2bytes(subj))).decode()
return {
# The attrs of this attribute is derived by taking the first 3 bytes of the CKA_VALUE
# field.
CKA_CHECK_VALUE: hexbercertchecksum,
# Start date for the certificate (default empty)
CKA_START_DATE: "",
# End date for the certificate (default empty)
CKA_END_DATE: "",
# DER-encoding of the SubjectPublicKeyInfo for the public key
# contained in this certificate (default empty)
CKA_PUBLIC_KEY_INFO: "",
# DER encoded subject
CKA_SUBJECT: hexsubj,
# der encoding of issuer, default empty
CKA_ISSUER: '',
# der encoding of the cert serial, default empty
CKA_SERIAL_NUMBER: '',
# BER encoding of the certificate
CKA_VALUE: hexbercert,
# RFC2279 string to URL where cert can be found, default empty
CKA_URL: '',
# hash of pub key subj, default empty
CKA_HASH_OF_SUBJECT_PUBLIC_KEY: '',
# Hash of pub key, default empty
CKA_HASH_OF_ISSUER_PUBLIC_KEY: '',
# Java security domain, default CK_SECURITY_DOMAIN_UNSPECIFIED
CKA_JAVA_MIDP_SECURITY_DOMAIN: CK_SECURITY_DOMAIN_UNSPECIFIED,
# Name hash algorithm, defaults to SHA1
CKA_NAME_HASH_ALGORITHM: CKM_SHA_1
}
def loadPEM(cls, pemData):
cert = X509Certificate()
cert.__internalTwistedCert = Certificate.loadPEM(pemData)
asn1cert = decoder.decode(pem.readPemFromFile(StringIO(pemData)),
asn1Spec=rfc2459.Certificate())[0]
cert.__internalAsn1 = asn1cert
return cert
def __init__(self, certdata):
"""@todo: Docstring for __init__
:certdata: @todo
:returns: @todo
"""
self.asn = decoder.decode(certdata, asn1Spec=rfc2459.Certificate())[0]
def from_open_file(f):
try:
der_content = pem.readPemFromFile(f)
certificate = decoder.decode(der_content,
asn1Spec=rfc2459.Certificate())[0]
return X509Certificate(certificate)
except Exception:
raise X509CertificateError("Could not read X509 certificate from "
"PEM data.")
