def generate_csr(self, private_key, subject_name, extensions=None):
common_name = subject_name.get_attributes_for_oid(
NameOID.COMMON_NAME)[0].value
info = CertificationRequestInfo({
'version':
0,
'subject':
Name.build({
'country_name': 'US',
'state_or_province_name': 'North Carolina',
'organization_name': 'Hyperledger',
'organizational_unit_name': 'Fabric',
'common_name': common_name
}),
'subject_pk_info':
PublicKeyInfo.load(encode_ec_public_key(private_key.public_key)),
'attributes':
CRIAttributes([])
})
hash = hashlib.sha256(info.dump()).digest()
signature = private_key.private_key.sign(hash,
mechanism=Mechanism.ECDSA)
csr = CertificationRequest({
'certification_request_info':
info,
'signature_algorithm': {
'algorithm': 'sha256_ecdsa',
'parameters': None
},
'signature':
encode_ecdsa_signature(signature)
})
der = csr.dump()
result = x509.load_der_x509_csr(der, default_backend())
return result
def decode_ec_public_key(der, encode_ec_point=True):
"""
Decode a DER-encoded EC public key as stored by OpenSSL into a dictionary
of attributes able to be passed to :meth:`pkcs11.Session.create_object`.
.. note:: **encode_ec_point**
For use as an attribute `EC_POINT` should be DER-encoded (True).
For key derivation implementations can vary. Since v2.30 the
specification says implementations MUST accept a raw `EC_POINT` for
ECDH (False), however not all implementations follow this yet.
:param bytes der: DER-encoded key
:param encode_ec_point: See text.
:rtype: dict(Attribute,*)
"""
asn1 = PublicKeyInfo.load(der)
assert asn1.algorithm == 'ec', \
"Wrong algorithm, not an EC key!"
ecpoint = bytes(asn1['public_key'])
if encode_ec_point:
ecpoint = OctetString(ecpoint).dump()
return {
Attribute.KEY_TYPE: KeyType.EC,
Attribute.CLASS: ObjectClass.PUBLIC_KEY,
Attribute.EC_PARAMS: asn1['algorithm']['parameters'].dump(),
Attribute.EC_POINT: ecpoint,
}
def _key_identifier_from_public_key(public_key):
if isinstance(public_key, RSAPublicKey):
data = public_key.public_bytes(
serialization.Encoding.DER,
serialization.PublicFormat.PKCS1,
)
elif isinstance(public_key, EllipticCurvePublicKey):
data = public_key.public_numbers().encode_point()
else:
# This is a very slow way to do this.
serialized = public_key.public_bytes(
serialization.Encoding.DER,
serialization.PublicFormat.SubjectPublicKeyInfo)
data = six.binary_type(PublicKeyInfo.load(serialized)['public_key'])
return hashlib.sha1(data).digest()
def _key_identifier_from_public_key(public_key):
if isinstance(public_key, RSAPublicKey):
data = public_key.public_bytes(
serialization.Encoding.DER,
serialization.PublicFormat.PKCS1,
)
elif isinstance(public_key, EllipticCurvePublicKey):
data = public_key.public_numbers().encode_point()
else:
# This is a very slow way to do this.
serialized = public_key.public_bytes(
serialization.Encoding.DER,
serialization.PublicFormat.SubjectPublicKeyInfo
)
data = six.binary_type(PublicKeyInfo.load(serialized)['public_key'])
return hashlib.sha1(data).digest()
def exchange(self):
key = ec.generate_private_key(
curve=self.name_curved.curve,
backend=default_backend(),
)
args = (Encoding.DER, PublicFormat.SubjectPublicKeyInfo)
der = key.public_key().public_bytes(*args)
info = PublicKeyInfo.load(der)
header = der[:len(der) - len(self.public_key)]
server_public_key = load_der_public_key(header + self.public_key,
default_backend())
shared_key = key.exchange(ec.ECDH(), server_public_key)
return shared_key, len(info['public_key'].native).to_bytes(
1, 'big'), info['public_key'].native
def _key_identifier_from_public_key(public_key):
if isinstance(public_key, RSAPublicKey):
data = public_key.public_bytes(
serialization.Encoding.DER,
serialization.PublicFormat.PKCS1,
)
elif isinstance(public_key, EllipticCurvePublicKey):
data = public_key.public_bytes(
serialization.Encoding.X962,
serialization.PublicFormat.UncompressedPoint)
else:
# This is a very slow way to do this.
serialized = public_key.public_bytes(
serialization.Encoding.DER,
serialization.PublicFormat.SubjectPublicKeyInfo)
data = bytes(PublicKeyInfo.load(serialized)['public_key'])
return hashlib.sha1(data).digest()
def _key_identifier_from_public_key(public_key):
if isinstance(public_key, RSAPublicKey):
data = public_key.public_bytes(
serialization.Encoding.DER,
serialization.PublicFormat.PKCS1,
)
elif isinstance(public_key, EllipticCurvePublicKey):
data = public_key.public_bytes(
serialization.Encoding.X962,
serialization.PublicFormat.UncompressedPoint
)
else:
# This is a very slow way to do this.
serialized = public_key.public_bytes(
serialization.Encoding.DER,
serialization.PublicFormat.SubjectPublicKeyInfo
)
data = bytes(PublicKeyInfo.load(serialized)['public_key'])
return hashlib.sha1(data).digest()
def public_key_bytes(self) -> bytes:
if len(self.message.public_key) == 33:
return self.message.public_key
public_key_info = PublicKeyInfo.load(self.message.public_key)
public_key = cPublicKey(public_key_info.native['public_key'])
return public_key.format(compressed=True)