def insert_cert(conn, ip, port, der, cert): (md5, sha1, sha256) = hashdata(der) print(sha1) c = conn.cursor() c.execute('select * from certs where sha256=? and recdate=? and ip=?', ( sha256, date, ip, )) certrec = c.fetchone() if certrec == None: x509obj = x509.load_pem_x509_certificate(cert, default_backend()) try: cert_str = str(x509obj.subject) print('IP: ' + ip + ' - ' + cert_str) except: cert_str = ("Empty") print('IP: ' + ip + ' - ' + cert_str) substrate = pem.readPemFromFile(io.BytesIO(cert)) certobj = decoder.decode(substrate, asn1Spec=rfc2459.Certificate())[0] cert_str += certobj.prettyPrint() sql = '''insert into certs values (NULL, ?, ?, ?, ?, ?, ?, ?,?);''' c.execute(sql, [ ip, port, md5, sha1, sha256, sqlite3.Binary(cert), cert_str, date ]) certid = c.lastrowid conn.commit() else: certid = certrec[0] return certid
def test_https_cert_invalid(self): """Verify vikidia SSL certificate is invalid.""" try: from pyasn1_modules import pem, rfc2459 from pyasn1.codec.der import decoder except ImportError: raise unittest.SkipTest('pyasn1 and pyasn1_modules not available.') import ssl import io cert = ssl.get_server_certificate(addr=('en.vikidia.org', 443)) s = io.StringIO(unicode(cert)) substrate = pem.readPemFromFile(s) cert = decoder.decode(substrate, asn1Spec=rfc2459.Certificate())[0] tbs_cert = cert.getComponentByName('tbsCertificate') issuer = tbs_cert.getComponentByName('issuer') organisation = None for rdn in issuer.getComponent(): for attr in rdn: attr_type = attr.getComponentByName('type') if attr_type == rfc2459.id_at_organizationName: value, _ = decoder.decode(attr.getComponentByName('value'), asn1Spec=rfc2459.X520name()) organisation = str(value.getComponent()) break self.assertEqual(organisation, 'TuxFamily.org non-profit organization')
def toDER(self): tbsCertificate = rfc2459.TBSCertificate() tbsCertificate.setComponentByName('version', self.getVersion()) tbsCertificate.setComponentByName('serialNumber', self.getSerialNumber()) tbsCertificate.setComponentByName('signature', self.getSignature()) tbsCertificate.setComponentByName('issuer', self.getIssuer()) tbsCertificate.setComponentByName('validity', self.getValidity()) tbsCertificate.setComponentByName('subject', self.getSubject()) tbsCertificate.setComponentByName('subjectPublicKeyInfo', self.getSubjectPublicKeyInfo()) if self.extensions: extensions = rfc2459.Extensions().subtype(explicitTag=tag.Tag( tag.tagClassContext, tag.tagFormatSimple, 3)) count = 0 for extension in self.extensions: extensions.setComponentByPosition(count, extension) count += 1 tbsCertificate.setComponentByName('extensions', extensions) tbsDER = encoder.encode(tbsCertificate) rsaPrivateKey = rsa.PrivateKey(self.sharedRSA_N, self.sharedRSA_E, self.sharedRSA_D, self.sharedRSA_P, self.sharedRSA_Q) signature = rsa.sign(tbsDER, rsaPrivateKey, 'SHA-256') certificate = rfc2459.Certificate() certificate.setComponentByName('tbsCertificate', tbsCertificate) certificate.setComponentByName('signatureAlgorithm', self.getSignatureAlgorithm()) certificate.setComponentByName( 'signatureValue', byteStringToHexifiedBitString(signature)) return encoder.encode(certificate)
class Signature(univ.Sequence): componentType = namedtype.NamedTypes( namedtype.NamedType('signatureAlgorithm', rfc2459.AlgorithmIdentifier()), namedtype.NamedType('signature', univ.BitString()), namedtype.OptionalNamedType('certs', univ.SequenceOf(componentType=rfc2459.Certificate()).subtype( explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) )
def parse_cert(raw_bytes): result = CertInfo() certType = rfc2459.Certificate() cert, rest = decoder.decode(raw_bytes, asn1Spec=certType) subj_pub_key_bytes = frombits( cert.getComponentByName('tbsCertificate').getComponentByName( 'subjectPublicKeyInfo').getComponentByName('subjectPublicKey')) SUBJECT = cert.getComponentByName('tbsCertificate').getComponentByName( 'subject') for rdn in SUBJECT[0]: for nv in rdn: name = nv.getComponentByName('type') value = nv.getComponentByName('value') # could pick up regular OUs too if name == rfc2459.id_at_organizationalUnitName: #print 'name: %s' % name #print 'value: [%s] (%s)' % (str(value).strip(), type(value)) result.control_fields.append(str(value).strip()) rsaType = rfc2437.RSAPublicKey() rsadata, rsadata_rest = decoder.decode(subj_pub_key_bytes, asn1Spec=rsaType) mod = rsadata.getComponentByName("modulus") pub_exp = rsadata.getComponentByName("publicExponent") result.pub_key = rsa.PublicKey(long(mod), long(pub_exp)) return result
def sign(target, image_path, key_path, cert_path): image_length = os.path.getsize(image_path) signable_size = get_signable_image_size(image_path) if signable_size < image_length: print('NOTE: truncating file', image_path, 'from', image_length, 'to', signable_size, 'bytes', file=sys.stderr) with open(image_path, 'rb+') as f: f.truncate(signable_size) elif signable_size > image_length: raise ValueError('Invalid image: too short, expected {} bytes'.format(signable_size)) boot_signature = BootSignature.create(target, image_length) cert = X509.load_cert(cert_path) cert_decoded, _ = der_decoder(cert.as_der(), asn1Spec=rfc2459.Certificate()) boot_signature['certificate'] = cert_decoded authenticated_attributes = boot_signature['authenticatedAttributes'] encoded_authenticated_attributes = der_encoder(authenticated_attributes) digest = get_image_hash(image_path, extra_data=encoded_authenticated_attributes) key = RSA.load_key(key_path) signature = key.sign(digest, algo='sha256') boot_signature['signature'] = signature boot_signature['algorithmIdentifier']['algorithm'] = rfc4055.sha256WithRSAEncryption encoded_boot_signature = der_encoder(boot_signature) with open(image_path, 'ab') as f: f.write(encoded_boot_signature)
def decode(buffer: bytes): from samson.public_key.ecdsa import ECDSA cert, _left_over = decoder.decode(buffer, asn1Spec=rfc2459.Certificate()) pub_info = cert['tbsCertificate']['subjectPublicKeyInfo'] curve_params, _ = decoder.decode( Bytes(pub_info['algorithm']['parameters'])) p = int(curve_params[1][1]) b = Bytes(curve_params[2][1]).int() q = int(curve_params[4]) gx, gy = ECDSA.decode_point(Bytes(curve_params[3])) curve = WeierstrassCurve(a=-3, b=b, ring=ZZ / ZZ(p), cardinality=q, base_tuple=(gx, gy)) x, y = ECDSA.decode_point(Bytes(int(pub_info['subjectPublicKey']))) ecdsa = ECDSA(curve.G, None, d=1) ecdsa.Q = curve(x, y) return ecdsa
class BootSignature(univ.Sequence): """ BootSignature ::= SEQUENCE { formatVersion ::= INTEGER certificate ::= Certificate algorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY DEFINED BY algorithm OPTIONAL } authenticatedAttributes ::= SEQUENCE { target CHARACTER STRING, length INTEGER } signature ::= OCTET STRING } """ _FORMAT_VERSION = 1 componentType = namedtype.NamedTypes( namedtype.NamedType('formatVersion', univ.Integer()), namedtype.NamedType('certificate', rfc2459.Certificate()), namedtype.NamedType('algorithmIdentifier', rfc2459.AlgorithmIdentifier()), namedtype.NamedType('authenticatedAttributes', AuthenticatedAttributes()), namedtype.NamedType('signature', univ.OctetString())) @classmethod def create(cls, target, length): boot_signature = cls() boot_signature['formatVersion'] = cls._FORMAT_VERSION boot_signature['authenticatedAttributes']['target'] = target boot_signature['authenticatedAttributes']['length'] = length return boot_signature
def check(cls, buffer: bytes, **kwargs): try: cert, _ = decoder.decode(buffer, asn1Spec=rfc2459.Certificate()) return str(cert['tbsCertificate']['subjectPublicKeyInfo'] ['algorithm']['algorithm']) == cls.ALG_OID except PyAsn1Error as _: return False
def from_string(cls, key_pem, is_x509_cert): """Construct an RsaVerifier instance from a string. Args: key_pem: string, public key in PEM format. is_x509_cert: bool, True if key_pem is an X509 cert, otherwise it is expected to be an RSA key in PEM format. Returns: RsaVerifier instance. Raises: ValueError: if the key_pem can't be parsed. In either case, error will begin with 'No PEM start marker'. If ``is_x509_cert`` is True, will fail to find the "-----BEGIN CERTIFICATE-----" error, otherwise fails to find "-----BEGIN RSA PUBLIC KEY-----". """ key_pem = _helpers._to_bytes(key_pem) if is_x509_cert: from pyasn1.codec.der import decoder from pyasn1_modules import rfc2459 der = rsa.pem.load_pem(key_pem, 'CERTIFICATE') asn1_cert, remaining = decoder.decode( der, asn1Spec=rfc2459.Certificate()) if remaining != b'': raise ValueError('Unused bytes', remaining) cert_info = asn1_cert['tbsCertificate']['subjectPublicKeyInfo'] key_bytes = _bit_list_to_bytes(cert_info['subjectPublicKey']) pubkey = rsa.PublicKey.load_pkcs1(key_bytes, 'DER') else: pubkey = rsa.PublicKey.load_pkcs1(key_pem, 'PEM') return cls(pubkey)
def __init__(self, cert, isfile=False): if isfile: f = open(cert, "rb") cert = f.read() f.close() certType = rfc2459.Certificate() self.cert, rest = decoder.decode(cert, asn1Spec=certType)
def toDER(self): tbsCertificate = rfc2459.TBSCertificate() tbsCertificate.setComponentByName('version', self.getVersion()) tbsCertificate.setComponentByName('serialNumber', self.getSerialNumber()) tbsCertificate.setComponentByName('signature', self.getSignature()) tbsCertificate.setComponentByName('issuer', self.getIssuer()) tbsCertificate.setComponentByName('validity', self.getValidity()) tbsCertificate.setComponentByName('subject', self.getSubject()) tbsCertificate.setComponentByName( 'subjectPublicKeyInfo', self.subjectKey.asSubjectPublicKeyInfo()) if self.extensions: extensions = rfc2459.Extensions().subtype(explicitTag=tag.Tag( tag.tagClassContext, tag.tagFormatSimple, 3)) count = 0 for extension in self.extensions: extensions.setComponentByPosition(count, extension) count += 1 tbsCertificate.setComponentByName('extensions', extensions) certificate = rfc2459.Certificate() certificate.setComponentByName('tbsCertificate', tbsCertificate) certificate.setComponentByName('signatureAlgorithm', self.getSignatureAlgorithm()) tbsDER = encoder.encode(tbsCertificate) certificate.setComponentByName('signatureValue', self.issuerKey.sign(tbsDER)) return encoder.encode(certificate)
def validateCertChain (certPem): # Ensure this is a good cert certs = extractPems(certPem) valid = False for indvCertPem in certs: wrappedPem = StringIO.StringIO(indvCertPem) substrate = pem.readPemFromFile(wrappedPem) cert = decoder.decode(substrate, asn1Spec=rfc2459.Certificate())[0] tbsCertificate = cert[0] subj = tbsCertificate['subject'] validity = tbsCertificate['validity'] extensions = tbsCertificate['extensions'] dateformat = '%y%m%d%H%M%SZ' notBefore = datetime.strptime(str(validity.getComponentByPosition(0).getComponentByPosition(0)), dateformat) notAfter = datetime.strptime(str(validity.getComponentByPosition(1).getComponentByPosition(0)), dateformat) #print ('not before: ' + str(notBefore) + ', not after: ' + str(notAfter)) now = datetime.utcnow() if now >= notBefore: if now <= notAfter: print ('Cert is still valid') valid = True else: print ('expired cert!') else: print ('cert not valid yet!') return valid
def CreateCert(name, signer=None, ocsp=False): global NEXT_SERIAL pkey = crypto.PKey() pkey.generate_key(crypto.TYPE_RSA, 1024) cert = crypto.X509() cert.set_version(2) cert.get_subject().CN = name cert.set_pubkey(pkey) cert.set_serial_number(NEXT_SERIAL) NEXT_SERIAL += 1 cert.set_notBefore(CERT_DATE.strftime('%Y%m%d%H%M%SZ')) cert.set_notAfter(CERT_EXPIRE.strftime('%Y%m%d%H%M%SZ')) if ocsp: cert.add_extensions( [crypto.X509Extension('extendedKeyUsage', False, 'OCSPSigning')]) if signer: cert.set_issuer(signer[1].get_subject()) cert.sign(signer[2], 'sha1') else: cert.set_issuer(cert.get_subject()) cert.sign(pkey, 'sha1') asn1cert = decoder.decode(crypto.dump_certificate(crypto.FILETYPE_ASN1, cert), asn1Spec=rfc2459.Certificate())[0] if not signer: signer = [asn1cert] return (asn1cert, cert, pkey, signer[0])
def parse_certificate(certificate_path): fqdns = set() substrate = pem.readPemFromFile(open(certificate_path)) cert = decoder.decode(substrate, asn1Spec=rfc2459.Certificate())[0] core = cert['tbsCertificate'] # Hash public key der = encoder.encode(core.getComponentByName('subjectPublicKeyInfo')) hash_der = hashlib.sha256() hash_der.update(der) pkhash = hash_der.hexdigest() # Extract CommonName for rdnss in core['subject']: for rdns in rdnss: for name in rdns: if name.getComponentByName('type') == rfc2459.id_at_commonName: value = decoder.decode( name.getComponentByName('value'), asn1Spec=rfc2459.DirectoryString())[0] fqdns.add(str(value.getComponent())) # Extract SubjectAltName for extension in core['extensions']: if extension['extnID'] == rfc2459.id_ce_subjectAltName: octet_string = decoder.decode( extension.getComponentByName('extnValue'), asn1Spec=OctetString())[0] (san_list, r) = decoder.decode(octet_string, rfc2459.SubjectAltName()) for san_struct in san_list: if san_struct.getName() == 'dNSName': fqdns.add(str(san_struct.getComponent())) return (pkhash, fqdns)
def retrieveExtension(m2Cert, extensionOID): """Retrieves the extension from a certificate from its OID :param m2Cert: M2Crypto X509 object, a certificate :param extensionOID: the OID we are looking for :returns: an ~pyasn1.type.univ.OctetString object, which is the content of the extension (it still needs to be deserialized, depending on the extension !) :raises: LookupError if it does not have the extension """ # Decode the certificate as a RFC2459 Certificate object.It is compatible # with the RFC proxy definition cert, _rest = der_decode(m2Cert.as_der(), asn1Spec=rfc2459.Certificate()) extensions = cert["tbsCertificate"]["extensions"] # Construct an OID object for comparison purpose extensionOIDObj = univ.ObjectIdentifier(extensionOID) # We check every extension OID. This will be necessary until M2Crypto # allows to register OID alias (https://gitlab.com/m2crypto/m2crypto/issues/231) for extension in extensions: # We found the good extension if extension["extnID"] == extensionOIDObj: return extension["extnValue"] # If we are here, it means that we could not find the expected extension. raise LookupError("Could not find extension with OID %s" % extensionOID)
def parse_certificate(certificate_path): fqdns = set() substrate = pem.readPemFromFile(open(certificate_path)) cert = decoder.decode(substrate, asn1Spec=rfc2459.Certificate())[0] core = cert['tbsCertificate'] # Extract CommonName for rdnss in core['subject']: for rdns in rdnss: for name in rdns: if name.getComponentByName('type') == rfc2459.id_at_commonName: value = decoder.decode( name.getComponentByName('value'), asn1Spec=rfc2459.DirectoryString())[0] fqdns.add(str(value.getComponent())) # extract notAfter datetime notAfter = str(core['validity'].getComponentByName( 'notAfter').getComponent()).strip('Z') (year, month, day, hour, minute, seconds) = [int(notAfter[i:i + 2]) for i in range(0, len(notAfter), 2)] expiration_date = datetime(2000 + year, month, day, hour, minute, seconds) # Extract SubjectAltName for extension in core['extensions']: if extension['extnID'] == rfc2459.id_ce_subjectAltName: (san_list, r) = decoder.decode(extension.getComponentByName('extnValue'), rfc2459.SubjectAltName()) for san_struct in san_list: if san_struct.getName() == 'dNSName': fqdns.add(str(san_struct.getComponent())) return (fqdns, expiration_date)
def asnModify(self, cert, func): substrate = crypto.dump_certificate(crypto.FILETYPE_ASN1, cert); cert = decoder.decode(substrate, asn1Spec=rfc2459.Certificate())[0]; cert = func(cert); substrate = encoder.encode(cert); return crypto.load_certificate(crypto.FILETYPE_ASN1, substrate);
def get_ext_by_oid(cert, oid): from pyasn1.codec.der import decoder from pyasn1_modules import rfc2459 cert, _ = decoder.decode(cert.as_der(), asn1Spec=rfc2459.Certificate()) for ext in cert['tbsCertificate']['extensions']: if ext['extnID'].prettyPrint() == oid: return decoder.decode(ext['extnValue'])[0].asOctets() return None
def check(buffer: bytes): try: cert, _ = decoder.decode(buffer, asn1Spec=rfc2459.Certificate()) alg = cert['tbsCertificate']['subjectPublicKeyInfo']['algorithm'] return str(alg['algorithm']) == '1.2.840.10045.2.1' and type( decoder.decode(alg['parameters'])[0]) == Sequence except PyAsn1Error as _: return False
def gen_cert_def_c_device(cert_der): cert = decoder.decode(cert_der, asn1Spec=rfc2459.Certificate())[0] params = {} info = cert_sn_offset_length(cert) params['cert_sn_cert_loc_offset'] = info['offset'] params['cert_sn_cert_loc_count'] = info['length'] if info['length'] < 1 or info['length'] > 20: raise ValueError( 'Invalid certificate SN length (no more than 20 bytes).') info = cert_signer_id_offset_length(cert, 'issuer') params['signer_id_cert_loc_offset'] = info['offset'] params['signer_id_cert_loc_count'] = info['length'] not_before = set_time_params(params, cert, 'notBefore') not_after = set_time_params(params, cert, 'notAfter') expire_years = not_after.year - not_before.year if expire_years < 1 or expire_years > 31: expire_years = 0 # Don't bother re-setting notAfter params['expire_date_cert_loc_offset'] = 0 params['expire_date_cert_loc_count'] = 0 params['expire_years'] = expire_years info = cert_public_key_offset_length(cert) params['public_key_cert_loc_offset'] = info['offset'] params['public_key_cert_loc_count'] = info['length'] info = cert_subj_key_id_offset_length(cert) if info is not None: params['subj_key_id_cert_loc_offset'] = info['offset'] params['subj_key_id_cert_loc_count'] = info['length'] else: params['subj_key_id_cert_loc_offset'] = 0 params['subj_key_id_cert_loc_count'] = 0 info = cert_auth_key_id_offset_length(cert) if info is not None: params['auth_key_id_cert_loc_offset'] = info['offset'] params['auth_key_id_cert_loc_count'] = info['length'] else: params['auth_key_id_cert_loc_offset'] = 0 params['auth_key_id_cert_loc_count'] = 0 info = cert_tbs_offset_length(cert) params['tbs_cert_loc_offset'] = info['offset'] params['tbs_cert_loc_count'] = info['length'] info = cert_sig_offset_length(cert) params['signature_cert_loc_offset'] = info['offset'] params['signature_cert_loc_count'] = info['length'] params['cert_template'] = bin_to_c_hex(cert_der) return string.Template(cert_def_2_device_c).substitute(params)
def gen_cert_def_c_signer(cert_der): cert = decoder.decode(cert_der, asn1Spec=rfc2459.Certificate())[0] params = {} # CA public key needs to be handled dynamically in the kit, so we can use fake data for now #params['ca_public_key'] = bin_to_c_hex(b'\x00'*64) info = cert_sn_offset_length(cert) params['cert_sn_cert_loc_offset'] = info['offset'] params['cert_sn_cert_loc_count'] = info['length'] if info['length'] < 1 or info['length'] > 20: raise ValueError( 'Invalid certificate SN length (no more than 20 bytes).') not_before = set_time_params(params, cert, 'notBefore') not_after = set_time_params(params, cert, 'notAfter') expire_years = not_after.year - not_before.year if expire_years < 1 or expire_years > 31: expire_years = 0 params['expire_years'] = expire_years info = cert_signer_id_offset_length(cert, 'subject') params['signer_id_cert_loc_offset'] = info['offset'] params['signer_id_cert_loc_count'] = info['length'] info = cert_public_key_offset_length(cert) params['public_key_cert_loc_offset'] = info['offset'] params['public_key_cert_loc_count'] = info['length'] info = cert_subj_key_id_offset_length(cert) if info is not None: params['subj_key_id_cert_loc_offset'] = info['offset'] params['subj_key_id_cert_loc_count'] = info['length'] else: params['subj_key_id_cert_loc_offset'] = 0 params['subj_key_id_cert_loc_count'] = 0 info = cert_auth_key_id_offset_length(cert) if info is not None: params['auth_key_id_cert_loc_offset'] = info['offset'] params['auth_key_id_cert_loc_count'] = info['length'] else: params['auth_key_id_cert_loc_offset'] = 0 params['auth_key_id_cert_loc_count'] = 0 info = cert_tbs_offset_length(cert) params['tbs_cert_loc_offset'] = info['offset'] params['tbs_cert_loc_count'] = info['length'] info = cert_sig_offset_length(cert) params['signature_cert_loc_offset'] = info['offset'] params['signature_cert_loc_count'] = info['length'] params['cert_template'] = bin_to_c_hex(cert_der) return string.Template(cert_def_1_signer_c).substitute(params)
def cert_time_offset_length(cert, name): cert_der = encoder.encode(cert) cert_mod = decoder.decode(cert_der, asn1Spec=rfc2459.Certificate())[0] time_str = str(cert_mod['tbsCertificate']['validity'][name].getComponent()) time_str = chr(ord(time_str[0]) + 1) + time_str[1:] cert_mod['tbsCertificate']['validity'][name] = cert_mod['tbsCertificate']['validity'][name].getComponent().clone( value=time_str) return {'offset': diff_offset(cert_der, encoder.encode(cert_mod)), 'length': len(time_str)}
def cert_signer_id_offset_length(cert, name): name_der = bytearray(encoder.encode(cert['tbsCertificate'][name])) name_der = name_der.replace(b'FFFF', b'0000') cert_der = encoder.encode(cert) cert_mod = decoder.decode(cert_der, asn1Spec=rfc2459.Certificate())[0] cert_mod['tbsCertificate'][name] = decoder.decode(bytes(name_der))[0] return {'offset':diff_offset(cert_der, encoder.encode(cert_mod)), 'length':4}
def toDER(self): (signatureOID, hashAlgorithm) = stringToAlgorithmIdentifiers(self.signature) certificate = rfc2459.Certificate() tbsCertificate = self.getTBSCertificate() certificate.setComponentByName('tbsCertificate', tbsCertificate) certificate.setComponentByName('signatureAlgorithm', signatureOID) tbsDER = encoder.encode(tbsCertificate) certificate.setComponentByName('signatureValue', self.issuerKey.sign(tbsDER, hashAlgorithm)) return encoder.encode(certificate)
def toDER(self): (signatureOID, hashAlgorithm) = stringToAlgorithmIdentifiers(self.signature) certificate = rfc2459.Certificate() tbsCertificate = self.getTBSCertificate() certificate["tbsCertificate"] = tbsCertificate certificate["signatureAlgorithm"] = signatureOID tbsDER = encoder.encode(tbsCertificate) certificate["signatureValue"] = self.issuerKey.sign(tbsDER, hashAlgorithm) return encoder.encode(certificate)
def pemcert_to_attrs(certpath): # rather than use pycryptography x509 parser, which gives native type access to certficiate # fields use pyASN1 to get raw ASN1 encoded values for the fields as the spec requires them with open(certpath, "r") as f: substrate = pem.readPemFromFile(f) cert = decoder.decode(substrate, asn1Spec=rfc2459.Certificate())[0] c = cert['tbsCertificate'] # print(cert.prettyPrint()) h = binascii.hexlify b = berenc.encode d = derenc.encode bercert = b(cert) hexbercert = h(bercert).decode() # the CKA_CHECKSUM attrs is the first 3 bytes of a sha1hash m = hashlib.sha1() m.update(bercert) bercertchecksum = m.digest()[0:3] hexbercertchecksum = h(bercertchecksum).decode() subj = c['subject'] hexsubj = h(d(str2bytes(subj))).decode() return { # The attrs of this attribute is derived by taking the first 3 bytes of the CKA_VALUE # field. CKA_CHECK_VALUE: hexbercertchecksum, # Start date for the certificate (default empty) CKA_START_DATE: "", # End date for the certificate (default empty) CKA_END_DATE: "", # DER-encoding of the SubjectPublicKeyInfo for the public key # contained in this certificate (default empty) CKA_PUBLIC_KEY_INFO: "", # DER encoded subject CKA_SUBJECT: hexsubj, # der encoding of issuer, default empty CKA_ISSUER: '', # der encoding of the cert serial, default empty CKA_SERIAL_NUMBER: '', # BER encoding of the certificate CKA_VALUE: hexbercert, # RFC2279 string to URL where cert can be found, default empty CKA_URL: '', # hash of pub key subj, default empty CKA_HASH_OF_SUBJECT_PUBLIC_KEY: '', # Hash of pub key, default empty CKA_HASH_OF_ISSUER_PUBLIC_KEY: '', # Java security domain, default CK_SECURITY_DOMAIN_UNSPECIFIED CKA_JAVA_MIDP_SECURITY_DOMAIN: CK_SECURITY_DOMAIN_UNSPECIFIED, # Name hash algorithm, defaults to SHA1 CKA_NAME_HASH_ALGORITHM: CKM_SHA_1 }
def loadPEM(cls, pemData): cert = X509Certificate() cert.__internalTwistedCert = Certificate.loadPEM(pemData) asn1cert = decoder.decode(pem.readPemFromFile(StringIO(pemData)), asn1Spec=rfc2459.Certificate())[0] cert.__internalAsn1 = asn1cert return cert
def __init__(self, certdata): """@todo: Docstring for __init__ :certdata: @todo :returns: @todo """ self.asn = decoder.decode(certdata, asn1Spec=rfc2459.Certificate())[0]
def from_open_file(f): try: der_content = pem.readPemFromFile(f) certificate = decoder.decode(der_content, asn1Spec=rfc2459.Certificate())[0] return X509Certificate(certificate) except Exception: raise X509CertificateError("Could not read X509 certificate from " "PEM data.")