def cert_subj_key_id_offset_length(cert):
    cert_der = encoder.encode(cert)
    cert_mod = decoder.decode(cert_der, asn1Spec=rfc2459.Certificate())[0]
    for ext in cert_mod['tbsCertificate']['extensions']:
        if ext['extnID'] == rfc2459.id_ce_subjectKeyIdentifier:
            extn_value = decoder.decode(ext['extnValue'])[0]
            key_id = bytearray(decoder.decode(extn_value, asn1Spec=rfc2459.SubjectKeyIdentifier())[0])
            key_id[0] ^= 0xFF # Change first byte

            extn_value = rfc2459.SubjectKeyIdentifier(key_id)
            ext['extnValue'] = univ.OctetString(encoder.encode(extn_value))

            return {'offset':diff_offset(cert_der, encoder.encode(cert_mod)), 'length':len(key_id)}
    return None
Example #2
0
 def addSubjectKeyId(self, critical):
     if critical:
         raise UnknownSubjectKeyIdError(critical)
     hasher = hashlib.sha1()
     hasher.update(self.subjectKey.toDER())
     digest = hasher.digest()
     ski = rfc2459.SubjectKeyIdentifier(univ.OctetString(digest))
     self.addExtension(rfc2459.id_ce_subjectKeyIdentifier, ski, critical)
Example #3
0
    def encode(cls, pki_key: object, **kwargs):
        # Algorithm ID
        alg_oid = cls.ALG_OID if type(
            cls.ALG_OID) is str else cls.ALG_OID(pki_key)

        alg_id = rfc2459.AlgorithmIdentifier()
        alg_id['algorithm'] = ObjectIdentifier(alg_oid)

        if cls.PARAM_ENCODER:
            alg_id['parameters'] = Any(
                encoder.encode(cls.PARAM_ENCODER.encode(pki_key)))

        # Serial number
        serial_num = rfc2459.CertificateSerialNumber(
            kwargs.get('serial_number') or 0)

        # Validity (time valid)
        not_before = kwargs.get('not_before') or datetime.now()
        not_after = kwargs.get('not_after') or not_before.replace(
            year=not_before.year + 1)

        validity = rfc2459.Validity()
        validity['notBefore'] = rfc2459.Time()
        validity['notBefore']['utcTime'] = UTCTime.fromDateTime(not_before)

        validity['notAfter'] = rfc2459.Time()
        validity['notAfter']['utcTime'] = UTCTime.fromDateTime(not_after)

        # Public key serialization
        pub_info = rfc2459.SubjectPublicKeyInfo()
        pub_info['algorithm'] = alg_id
        pub_info['subjectPublicKey'] = cls.PUB_KEY_ENCODER.encode(pki_key)

        # Issuer RDN
        issuer = rfc2459.Name()
        issuer.setComponentByPosition(
            0, parse_rdn(kwargs.get('issuer') or 'CN=ca'))

        # Subject RDN
        subject = rfc2459.Name()
        subject.setComponentByPosition(
            0, parse_rdn(kwargs.get('subject') or 'CN=ca'))

        # Signature algorithm
        signing_key = kwargs.get('signing_key') or pki_key

        if not (kwargs.get('signing_alg')
                or hasattr(signing_key, "X509_SIGNING_DEFAULT")):
            raise ValueError(
                "'signing_alg' not specified and 'signing_key' has no default algorithm"
            )

        signing_alg = (kwargs.get('signing_alg')
                       or signing_key.X509_SIGNING_DEFAULT).value

        signature_alg = rfc2459.AlgorithmIdentifier()
        signature_alg['algorithm'] = SIGNING_ALG_OIDS[signing_alg.name]

        if cls.PARAM_ENCODER:
            signature_alg['parameters'] = Any(
                encoder.encode(cls.PARAM_ENCODER.encode(pki_key)))

        # Extensions
        extensions = rfc2459.Extensions().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))

        if kwargs.get('ca') and kwargs.get('ca') == True:
            # SKI
            pkey_bytes = Bytes(int(pub_info['subjectPublicKey']))

            ski_ext = rfc2459.Extension()
            ski_ext['extnID'] = ObjectIdentifier([2, 5, 29, 14])
            ski_ext['extnValue'] = OctetString(
                encoder.encode(
                    rfc2459.SubjectKeyIdentifier(SHA1().hash(pkey_bytes))))

            # CA basic constraint
            ca_value = rfc2459.BasicConstraints()
            ca_value.setComponentByName('cA', True)

            ca_ext = rfc2459.Extension()
            ca_ext.setComponentByName('extnID', '2.5.29.19')
            ca_ext.setComponentByName('critical', True)
            ca_ext.setComponentByName('extnValue',
                                      OctetString(encoder.encode(ca_value)))

            extensions.setComponentByPosition(0, ski_ext)
            extensions.setComponentByPosition(1, ca_ext)

        # Put together the TBSCert
        tbs_cert = rfc2459.TBSCertificate()
        tbs_cert['version'] = 2
        tbs_cert['serialNumber'] = serial_num
        tbs_cert['signature'] = signature_alg
        tbs_cert['issuer'] = issuer
        tbs_cert['validity'] = validity
        tbs_cert['subject'] = subject
        tbs_cert['subjectPublicKeyInfo'] = pub_info
        tbs_cert['issuerUniqueID'] = kwargs.get('issuer_unique_id') or 10
        tbs_cert['subjectUniqueID'] = kwargs.get('subject_unique_id') or 11

        if len(extensions):
            tbs_cert['extensions'] = extensions

        # Inject or compute the TBSCert signature
        if kwargs.get('signature_value') is not None:
            sig_value = Bytes.wrap(kwargs.get('signature_value')).int()
        else:
            encoded_tbs = encoder.encode(tbs_cert,
                                         asn1Spec=rfc2459.TBSCertificate())
            sig_value = signing_alg.sign(signing_key, encoded_tbs)

        # Build the Cert object
        cert = rfc2459.Certificate()
        cert['tbsCertificate'] = tbs_cert
        cert['signatureAlgorithm'] = signature_alg
        cert['signatureValue'] = sig_value

        encoded = encoder.encode(cert, asn1Spec=rfc2459.Certificate())
        return X509Certificate.transport_encode(encoded, **kwargs)