def print_block(pemData): substrate = pem.readPemFromFile(io.StringIO(pemData.decode("utf-8"))) cert, rest = decoder.decode(substrate, asn1Spec=rfc5280.Certificate()) der_subject = encoder.encode(cert['tbsCertificate']['subject']) octets = hex_string_for_struct(der_subject) cert = x509.load_pem_x509_certificate(pemData, default_backend()) common_name = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0] block_name = "CA{}DN".format(re.sub(r'[-:=_. ]', '', common_name.value)) fingerprint = hex_string_human_readable(cert.fingerprint(hashes.SHA256())) dn_parts = [ "/{id}={value}".format(id=nameOIDtoString(part.oid), value=part.value) for part in cert.subject ] distinguished_name = "".join(dn_parts) print("// {dn}".format(dn=distinguished_name)) print("// SHA256 Fingerprint: " + ":".join(fingerprint[:16])) print("// " + ":".join(fingerprint[16:])) print("// https://crt.sh/?id={crtsh} (crt.sh ID={crtsh})".format( crtsh=crtshId)) print("static const uint8_t {}[{}] = ".format(block_name, len(octets)) + "{") while len(octets) > 0: print(" " + ", ".join(octets[:13]) + ",") octets = octets[13:] print("};") print() return block_name
def testDerCodec(self): asn1Spec = rfc5280.Certificate() substrate = pem.readBase64fromText(self.kea_cert_pem_text) asn1Object, rest = der_decode(substrate, asn1Spec=self.asn1Spec) assert not rest assert asn1Object.prettyPrint() assert der_encode(asn1Object) == substrate spki_a = asn1Object['tbsCertificate']['subjectPublicKeyInfo'][ 'algorithm'] assert spki_a['algorithm'] == rfc3279.id_keyExchangeAlgorithm spki_a_p, rest = der_decode(spki_a['parameters'], asn1Spec=rfc3279.KEA_Parms_Id()) assert not rest assert spki_a_p.prettyPrint() assert der_encode(spki_a_p) == spki_a['parameters'] assert spki_a_p == univ.OctetString(hexValue='5cf8f127e6569d6d88b3') assert asn1Object['tbsCertificate']['signature'][ 'algorithm'] == rfc3279.id_dsa_with_sha1 assert asn1Object['signatureAlgorithm'][ 'algorithm'] == rfc3279.id_dsa_with_sha1 sig_value, rest = der_decode(asn1Object['signature'].asOctets(), asn1Spec=rfc3279.Dss_Sig_Value()) assert not rest assert sig_value.prettyPrint() assert der_encode(sig_value) == asn1Object['signature'].asOctets() assert sig_value['r'].hasValue() assert sig_value['s'].hasValue()
def testOpenTypes(self): asn1Spec = rfc5280.Certificate() substrate = pem.readBase64fromText(self.ec_cert_pem_text) asn1Object, rest = der_decode(substrate, asn1Spec=self.asn1Spec, decodeOpenTypes=True) assert not rest assert asn1Object.prettyPrint() assert der_encode(asn1Object) == substrate spki_a = asn1Object['tbsCertificate']['subjectPublicKeyInfo'][ 'algorithm'] assert spki_a['algorithm'] == rfc3279.id_ecPublicKey assert spki_a['parameters']['namedCurve'] == univ.ObjectIdentifier( '1.3.132.0.34')
def _fake_cert(self, not_before=None, not_after=None): fake_cert = rfc5280.Certificate() fake_cert["tbsCertificate"] = rfc5280.TBSCertificate() fake_cert["tbsCertificate"]["validity"] = rfc5280.Validity() if not_before: fake_cert["tbsCertificate"]["validity"][ "notBefore"] = rfc5280.Time() fake_cert["tbsCertificate"]["validity"]["notBefore"][ "utcTime"] = pyasn1_useful.UTCTime.fromDateTime(not_before) if not_after: fake_cert["tbsCertificate"]["validity"]["notAfter"] = rfc5280.Time( ) fake_cert["tbsCertificate"]["validity"]["notAfter"][ "utcTime"] = pyasn1_useful.UTCTime.fromDateTime(not_after) return fake_cert
def print_block(pemData, identifierType="DN", crtshId=None): substrate = pem.readPemFromFile(io.StringIO(pemData.decode("utf-8"))) cert, rest = decoder.decode(substrate, asn1Spec=rfc5280.Certificate()) octets = None if identifierType == "DN": der_subject = encoder.encode(cert["tbsCertificate"]["subject"]) octets = hex_string_for_struct(der_subject) elif identifierType == "SPKI": der_spki = encoder.encode( cert["tbsCertificate"]["subjectPublicKeyInfo"]) octets = hex_string_for_struct(der_spki) else: raise Exception("Unknown identifier type: " + identifierType) cert = x509.load_pem_x509_certificate(pemData, default_backend()) common_name = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0] block_name = "CA{}{}".format(re.sub(r"[-:=_. ]", "", common_name.value), identifierType) fingerprint = hex_string_human_readable(cert.fingerprint(hashes.SHA256())) dn_parts = [ "/{id}={value}".format(id=nameOIDtoString(part.oid), value=part.value) for part in cert.subject ] distinguished_name = "".join(dn_parts) print("// {dn}".format(dn=distinguished_name)) print("// SHA256 Fingerprint: " + ":".join(fingerprint[:16])) print("// " + ":".join(fingerprint[16:])) if crtshId: print("// https://crt.sh/?id={crtsh} (crt.sh ID={crtsh})".format( crtsh=crtshId)) print("static const uint8_t {}[{}] = ".format(block_name, len(octets)) + "{") while len(octets) > 0: print(" " + ", ".join(octets[:13]) + ",") octets = octets[13:] print("};") print() return block_name
def test_x509_from_ed25519_key_pair(self): pub = xtt.ED25519PublicKey( b"""^\x970Y=\\\x92\xbdsK2\x0cD%\x96\xf8\x1dh\xc4\x1d&k'+\x1a\xca\xd6\x16\x12\x90\x03=""" ) priv = xtt.ED25519PrivateKey( b"""\xd1%\xce\xec\xfb\xdf\x82\xb1w~\xb5AL*\x10'\x9aX\x8f\xae\x05\tTm5\xafC\x14\x06]\xb3X^\x970Y=\\\x92\xbdsK2\x0cD%\x96\xf8\x1dh\xc4\x1d&k'+\x1a\xca\xd6\x16\x12\x90\x03=""" ) common_name = xtt.Identity( b'\xfd\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' ) cert = xtt.x509_from_ed25519_key_pair(pub, priv, common_name) decoded = der_decode(cert, asn1Spec=rfc5280.Certificate(), decodeOpenTypes=True)[0] decoded_common_name = decoded['tbsCertificate']['subject'][0][0][0][ 'value']['utf8String'] self.assertEqual(decoded_common_name, "FD000000000000000000000000000000")
def test_x509_from_ecdsap256_key_pair(self): pub = xtt.ECDSAP256PublicKey( b"""\x04\x7E\x65\x37\x53\x13\x42\xF4\x8A\xC4\x64\x69\x8C\x4C\xD0\x23\xD7\xE4\xD9\x4C\xE5\x0A\x5D\x8B\xCC\x3C\x94\x13\x00\xA3\x48\xF5\x65\xCC\x56\xBF\x77\xC5\x4D\x1C\x7D\xB9\x45\x5D\xF0\x89\x67\x29\x39\xF3\x63\x70\xF2\xB9\x28\x21\x0A\x65\x78\x70\x8B\xE1\xF8\x86\x9A""" ) priv = xtt.ECDSAP256PrivateKey( b"""\xE7\xAC\x0C\x71\xD7\xA0\xDF\x86\xD2\x7B\x82\xAC\x0F\x0C\xFC\xD1\xB1\xC0\x91\xB2\xAA\xC0\xE8\xE0\x9D\xC5\x04\x5C\x40\xCD\x28\x36""" ) common_name = xtt.Identity( b'\xfd\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' ) cert = xtt.x509_from_ecdsap256_key_pair(pub, priv, common_name) decoded = der_decode(cert, asn1Spec=rfc5280.Certificate(), decodeOpenTypes=True)[0] decoded_common_name = decoded['tbsCertificate']['subject'][0][0][0][ 'value']['utf8String'] self.assertEqual(decoded_common_name, "FD00:0000:0000:0000:0000:0000:0000:0000")
def parse_pem_to_certs(pem): """ Convert PEM formatted certificates into DER format. :param pem: String containing a list of PEM encoded certificates :returns: List of Python objects representing certificates """ certs_der = [] acc = '' state = 'PRE' for line in pem.split('\n'): if state == 'PRE' and line == '-----BEGIN CERTIFICATE-----': state = 'BODY_OR_META' elif state == 'PRE' and not line: pass elif state == 'BODY_OR_META' and ':' in line: state = 'META' elif state == 'BODY' and line == '-----END CERTIFICATE-----': certs_der.append(base64.b64decode(acc)) acc = '' state = 'PRE' elif state == 'META' and not line: state = 'BODY' elif state == 'BODY' or state == 'BODY_OR_META': acc += line state = 'BODY' else: raise CertificateParseError( f'Unexpected input "{line}" in state "{state}"') if acc: raise CertificateParseError( f'Unexpected end of input. Leftover: {acc}') certs_py = [] for der in certs_der: cert, rest_of_input = der_decode(der, asn1Spec=rfc5280.Certificate()) assert not rest_of_input # assert no left over input certs_py.append(python_encode(cert)) return certs_py
def setUp(self): self.asn1Spec = rfc5280.Certificate()
# License: http://pyasn1.sf.net/license.html # # Read ASN.1/PEM X.509 certificates on stdin, parse each into plain text, # then build substrate from it (using RFC5280) # from pyasn1.codec.der import decoder, encoder from pyasn1_modules import rfc5280, pem import sys if len(sys.argv) != 1: print("""Usage: $ cat CACertificate.pem | %s $ cat userCertificate.pem | %s""" % (sys.argv[0], sys.argv[0])) sys.exit(-1) certType = rfc5280.Certificate() certCnt = 0 while 1: idx, substrate = pem.readPemBlocksFromFile( sys.stdin, ('-----BEGIN CERTIFICATE-----', '-----END CERTIFICATE-----')) if not substrate: break cert, rest = decoder.decode(substrate, asn1Spec=certType) if rest: substrate = substrate[:-len(rest)]
pass OtherCertificateFormat.componentType = namedtype.NamedTypes( namedtype.NamedType('otherCertFormat', univ.ObjectIdentifier()), namedtype.NamedType('otherCert', univ.Any()) ) class ExtendedCertificateInfo(univ.Sequence): pass ExtendedCertificateInfo.componentType = namedtype.NamedTypes( namedtype.NamedType('version', CMSVersion()), namedtype.NamedType('certificate', rfc5280.Certificate()), namedtype.NamedType('attributes', UnauthAttributes()) ) class Signature(univ.BitString): pass class SignatureAlgorithmIdentifier(rfc5280.AlgorithmIdentifier): pass class ExtendedCertificate(univ.Sequence): pass
def from_der(cls, content): """Load the Certificate object from DER-encoded data""" return cls( der_decoder.decode(content, asn1Spec=rfc5280.Certificate())[0])
'=I', struct.pack('!4B', 0, parser.res['len1'], parser.res['len2'], parser.res['len3']))[0] parser.res['der_len'] = der_len parser.read('der', flo('!{der_len}s')) return parser.result() ASN1Cert = namedtuple( typename='ASN1Cert', field_names='arg', lazy_vals={ '_parse_func': lambda _: _parse_asn1_cert, 'der': lambda self: self._parse['der'], 'pyasn1': lambda self: der_decoder(self.der, rfc5280.Certificate()), }) def _parse_asn1_cert_list(tdf): with TdfBytesParser(tdf) as parser: parser.read('len1', '!B') parser.read('len2', '!B') parser.read('len3', '!B') der_list_len = struct.unpack( '=I', struct.pack('!4B', 0, parser.res['len1'], parser.res['len2'], parser.res['len3']))[0] der_end_offset = parser.offset + der_list_len
def parse_cert_from_der(der): cert, rest_of_input = der_decode(der, asn1Spec=rfc5280.Certificate()) assert not rest_of_input # assert no left over input return cert
class PkiPath(univ.SequenceOf): componentType = rfc5280.Certificate() subtypeSpec = constraint.ValueSizeConstraint(1, MAX)
def pyasn1_certificate_from_der(cert_der): '''Return pyasn1_modules.rfc5280.Certificate instance parsed from cert_der. ''' cert, _ = der_decoder(cert_der, asn1Spec=rfc5280.Certificate()) return cert
# ASN.1 source from: # https://www.rfc-editor.org/rfc/rfc7296.txt from pyasn1.type import namedtype from pyasn1.type import tag from pyasn1.type import univ from pyasn1_modules import rfc5280 class CertificateOrCRL(univ.Choice): pass CertificateOrCRL.componentType = namedtype.NamedTypes( namedtype.NamedType( 'cert', rfc5280.Certificate().subtype( explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), namedtype.NamedType( 'crl', rfc5280.CertificateList().subtype( explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1)))) class CertificateBundle(univ.SequenceOf): pass CertificateBundle.componentType = CertificateOrCRL()