def format_tbs_crl(self, crl_number: int, this_update: datetime,
revoked_certs, next_update: datetime,
distpoint: x509.DistributionPoint = None) \
-> crl.TbsCertList:
extensions = [
crl.TBSCertListExtension({
'extn_id': 'crl_number', 'extn_value': core.Integer(crl_number)
}),
crl.TBSCertListExtension({
'extn_id': 'authority_key_identifier',
'extn_value': x509.AuthorityKeyIdentifier({
'key_identifier': self.authority_key_identifier
})
}),
]
extensions.extend(self.extra_crl_extensions)
if distpoint is not None:
extn_value = crl.IssuingDistributionPoint(distpoint)
extensions.append(
crl.TBSCertListExtension({
'extn_id': 'issuing_distribution_point',
'critical': True,
'extn_value': core.ParsableOctetString(extn_value.dump())
})
)
revoked = crl.RevokedCertificates(revoked_certs)
return crl.TbsCertList({
'version': 'v2',
'signature': self.signature_algo,
'issuer': self.issuer_name,
'this_update': x509.Time({'general_time': this_update}),
'next_update': x509.Time({'general_time': next_update}),
'revoked_certificates': revoked,
'crl_extensions': crl.TBSCertListExtensions(extensions)
})
def compare_primitive_info():
return (
(core.ObjectIdentifier('1.2.3'), core.ObjectIdentifier('1.2.3'),
True),
(core.Integer(1), Enum(1), False),
(core.Integer(1), core.Integer(1, implicit=5), True),
(core.Integer(1), core.Integer(1, explicit=5), True),
(core.Integer(1), core.Integer(2), False),
(core.OctetString(b''), core.OctetString(b''), True),
(core.OctetString(b''), core.OctetString(b'1'), False),
(core.OctetString(b''), core.OctetBitString(b''), False),
(core.ParsableOctetString(b'12'), core.OctetString(b'12'), True),
(core.ParsableOctetBitString(b'12'), core.OctetBitString(b'12'),
True),
(core.UTF8String('12'), core.UTF8String('12'), True),
(core.UTF8String('12'), core.UTF8String('1'), False),
(core.UTF8String('12'), core.IA5String('12'), False),
)
assert status.intact
assert 'CONTENT_TIMESTAMP_TOKEN<INVALID>' in status.summary()
assert 'TIMESTAMP_TOKEN<INTACT:UNTRUSTED>' in status.summary()
@freeze_time('2020-11-01')
@pytest.mark.parametrize('content,detach', [
(b'This is not a TST!', True),
(b'This is not a TST!', False),
(cms.ContentInfo({
'content_type': 'data', 'content': b'This is not a TST!'
}), False),
(cms.EncapsulatedContentInfo({
'content_type': '2.999',
'content': core.ParsableOctetString(
core.OctetString(b'This is not a TST!').dump()
)
}), False),
(cms.ContentInfo({'content_type': '2.999',}), True),
])
async def test_detached_with_malformed_content_tst(content, detach):
class CustomProvider(CMSAttributeProvider):
attribute_type = 'content_time_stamp'
async def build_attr_value(self, dry_run=False):
attr_value = await FROM_CA.async_sign_general_data(
content, 'sha256',
detached=detach,
)
return attr_value
def build_ocsp_response(self, req: ocsp.OCSPRequest) -> ocsp.OCSPResponse:
nonce = req.nonce_value.native
requests = req['tbs_request']['request_list']
issuer_cert = self.revinfo_interface.get_issuer_cert()
err = SimpleOCSPResponder.build_error_response
if len(requests) == 0:
return err('malformed_request')
responses = []
for req_item in requests:
cid: ocsp.CertId = req_item['req_cert']
if not issuer_match(cid, issuer_cert):
return err('unauthorized')
revinfo_interface = self.revinfo_interface
try:
cert_status, exts = revinfo_interface.check_revocation_status(
cid, self.at_time
)
except NotImplementedError:
return err('internal_error')
except CertomancerServiceError:
return err('unauthorized')
responses.append(
ocsp.SingleResponse({
'cert_id': cid,
'cert_status': cert_status,
'this_update': self.at_time,
'next_update': self.at_time + self.validity,
'single_extensions': exts or None
})
)
rdata = ocsp.ResponseData({
'responder_id': ocsp.ResponderId(
name='by_key', value=self.responder_cert.public_key.sha1
),
'produced_at': self.at_time,
'responses': responses,
})
response_extensions = list(self.response_extensions)
if nonce is not None:
nonce_extension = ocsp.ResponseDataExtension({
'extn_id': 'nonce', 'extn_value': nonce
})
response_extensions.append(nonce_extension)
rdata['response_extensions'] = response_extensions
signature = generic_sign(
self.responder_key, rdata.dump(),
signature_algo=self.signature_algo
)
basic_resp = ocsp.BasicOCSPResponse({
'tbs_response_data': rdata,
'signature_algorithm': self.signature_algo,
'signature': signature,
'certs': [self.responder_cert]
})
response_bytes = ocsp.ResponseBytes({
'response_type': 'basic_ocsp_response',
'response': core.ParsableOctetString(basic_resp.dump())
})
return ocsp.OCSPResponse({
'response_status': 'successful',
'response_bytes': response_bytes
})