def _csr_info(self, subject, public_key, sans):
"""
Create the csr info portion of the certificate request"s ASN.1
structure
:param X509Name subject: subject to add to the certificate request
:param asymmetric.PublicKey public_key: public key to use when creating
the certificate request"s signature
:param sans: collection of dns names to insert into a subjAltName
extension for the certificate request
:type sans: None or list(str) or tuple(str) or set(str)
:return: the certificate request info structure
:rtype: csr.CertificationRequestInfo
"""
x509_subject = x509.Name.build(self._subject_as_dict(subject))
extensions = [(u"basic_constraints",
x509.BasicConstraints({"ca": False}), False),
(u"key_usage",
x509.KeyUsage({"digital_signature",
"key_encipherment"}), True),
(u"extended_key_usage",
x509.ExtKeyUsageSyntax([u"client_auth"]), False)]
if sans:
names = x509.GeneralNames()
for san in sans:
names.append(
x509.GeneralName("dns_name", _bytes_to_unicode(san)))
extensions.append((u"subject_alt_name", names, False))
return csr.CertificationRequestInfo({
"version":
u"v1",
"subject":
x509_subject,
"subject_pk_info":
public_key.asn1,
"attributes": [{
"type":
u"extension_request",
"values": [[self._create_extension(x) for x in extensions]]
}]
})
def build(self, signing_private_key):
"""
Validates the certificate information, constructs an X.509 certificate
and then signs it
:param signing_private_key:
An asn1crypto.keys.PrivateKeyInfo or oscrypto.asymmetric.PrivateKey
object for the private key to sign the request with. This should be
the private key that matches the public key.
:return:
An asn1crypto.csr.CertificationRequest object of the request
"""
is_oscrypto = isinstance(signing_private_key, asymmetric.PrivateKey)
if not isinstance(signing_private_key,
keys.PrivateKeyInfo) and not is_oscrypto:
raise TypeError(
_pretty_message(
'''
signing_private_key must be an instance of
asn1crypto.keys.PrivateKeyInfo or
oscrypto.asymmetric.PrivateKey, not %s
''', _type_name(signing_private_key)))
signature_algo = signing_private_key.algorithm
if signature_algo == 'ec':
signature_algo = 'ecdsa'
signature_algorithm_id = '%s_%s' % (self._hash_algo, signature_algo)
def _make_extension(name, value):
return {
'extn_id': name,
'critical': self._determine_critical(name),
'extn_value': value
}
extensions = []
for name in sorted(self._special_extensions):
value = getattr(self, '_%s' % name)
if value is not None:
extensions.append(_make_extension(name, value))
for name in sorted(self._other_extensions.keys()):
extensions.append(
_make_extension(name, self._other_extensions[name]))
attributes = []
if extensions:
attributes.append({
'type': 'extension_request',
'values': [extensions]
})
certification_request_info = csr.CertificationRequestInfo({
'version':
'v1',
'subject':
self._subject,
'subject_pk_info':
self._subject_public_key,
'attributes':
attributes
})
if signing_private_key.algorithm == 'rsa':
sign_func = asymmetric.rsa_pkcs1v15_sign
elif signing_private_key.algorithm == 'dsa':
sign_func = asymmetric.dsa_sign
elif signing_private_key.algorithm == 'ec':
sign_func = asymmetric.ecdsa_sign
if not is_oscrypto:
signing_private_key = asymmetric.load_private_key(
signing_private_key)
signature = sign_func(signing_private_key,
certification_request_info.dump(),
self._hash_algo)
return csr.CertificationRequest({
'certification_request_info': certification_request_info,
'signature_algorithm': {
'algorithm': signature_algorithm_id,
},
'signature': signature
})
name="utc_time",
value=datetime.datetime(2049, 12, 31))},
"subject": _FAKE_SUBJECT,
"subject_public_key_info":
get_fake_public_key_asn1()}),
"signature_algorithm": algos.SignedDigestAlgorithm({
"algorithm": u"sha256_rsa"}),
"signature_value": b"fake"}).dump()).decode('utf8')
FAKE_CSR = \
pem.armor(
u"CERTIFICATE REQUEST",
csr.CertificationRequest({
"certification_request_info":
csr.CertificationRequestInfo({
"version": 1,
"subject": _FAKE_SUBJECT,
"subject_pk_info": get_fake_public_key_asn1()}),
"signature_algorithm": _SIGNATURE_ALGORITHM,
"signature": b"fake"}).dump()).decode('utf8')
class CliTest(unittest.TestCase):
def setUp(self):
pass
def tearDown(self):
patch.stopall()
@parameterized.expand([([], ), ("-h", ), ("--help", )])
def test_help_command(self, value):
with patch("dxlclient._cli.argparse.ArgumentParser.print_help") \
def build(self, signing_key):
"""
Validates the certificate information, constructs an X.509 certificate and then signs it
:param signing_key: An asn1crypto.keys.PrivateKeyInfo or oscrypto.asymmetric.PrivateKey object for the private
key to sign the request with. This should be the private key that matches the public key.
:returns:
An asn1crypto.csr.CertificationRequest object of the request
"""
if not isinstance(signing_key, objects.ECCKey) and \
not isinstance(signing_key, objects.RSAKey):
raise TypeError(
_pretty_message(
'''
signing_private_key must be an instance of
optigatrust.pk.EccKey or optigatrust.pk.RsaKey, not %s
''', _type_name(signing_key)))
if isinstance(signing_key, objects.ECCKey):
signature_algo = 'ecdsa'
elif isinstance(signing_key, objects.RSAKey):
signature_algo = 'rsa'
else:
signature_algo = 'undefined'
signature_algorithm_id = '%s_%s' % (self._hash_algo, signature_algo)
def _make_extension(_name, _value):
return {
'extn_id': _name,
'critical': self._determine_critical(_name),
'extn_value': _value
}
extensions = []
for name in sorted(self._special_extensions):
value = getattr(self, '_%s' % name)
if value is not None:
extensions.append(_make_extension(name, value))
for name in sorted(self._other_extensions.keys()):
extensions.append(
_make_extension(name, self._other_extensions[name]))
attributes = []
if extensions:
attributes.append({
'type': 'extension_request',
'values': [extensions]
})
print(attributes)
certification_request_info = csr.CertificationRequestInfo({
'version':
'v1',
'subject':
self._subject,
'subject_pk_info':
self._subject_public_key,
'attributes':
attributes
})
if isinstance(signing_key, objects.ECCKey):
sign_func = crypto.ecdsa_sign
elif isinstance(signing_key, objects.RSAKey):
sign_func = crypto.pkcs1v15_sign
else:
raise ValueError(
'Algorithm isn\'t supported, use either ecc or rsa')
s = sign_func(signing_key, certification_request_info.dump())
return csr.CertificationRequest({
'certification_request_info': certification_request_info,
'signature_algorithm': {
'algorithm': signature_algorithm_id,
},
'signature': s.signature
})