def test_self_sign_certificate(self):
# Warning: proof of concept code only!
pub, priv = self.session.generate_keypair(KeyType.RSA, 1024)
tbs = TbsCertificate({
'version':
'v1',
'serial_number':
1,
'issuer':
Name.build({
'common_name': 'Test Certificate',
}),
'subject':
Name.build({
'common_name': 'Test Certificate',
}),
'signature': {
'algorithm': 'sha1_rsa',
'parameters': None,
},
'validity': {
'not_before':
Time({
'utc_time': datetime.datetime(2017, 1, 1, 0, 0),
}),
'not_after':
Time({
'utc_time': datetime.datetime(2038, 12, 31, 23, 59),
}),
},
'subject_public_key_info': {
'algorithm': {
'algorithm': 'rsa',
'parameters': None,
},
'public_key': RSAPublicKey.load(encode_rsa_public_key(pub)),
}
})
# Sign the TBS Certificate
value = priv.sign(tbs.dump(), mechanism=Mechanism.SHA1_RSA_PKCS)
cert = Certificate({
'tbs_certificate': tbs,
'signature_algorithm': {
'algorithm': 'sha1_rsa',
'parameters': None,
},
'signature_value': value,
})
# Pipe our certificate to OpenSSL to verify it
with subprocess.Popen((OPENSSL, 'verify'),
stdin=subprocess.PIPE,
stdout=subprocess.DEVNULL) as proc:
proc.stdin.write(pem.armor('CERTIFICATE', cert.dump()))
proc.stdin.close()
self.assertEqual(proc.wait(), 0)
def encode_rsa_public_key(key):
"""
Encode an RSA public key into PKCS#1 DER-encoded format.
:param PublicKey key: RSA public key
:rtype: bytes
"""
return RSAPublicKey({
'modulus':
int.from_bytes(key[Attribute.MODULUS], byteorder='big'),
'public_exponent':
int.from_bytes(key[Attribute.PUBLIC_EXPONENT], byteorder='big'),
}).dump()
def test_sign_csr(self):
# Warning: proof of concept code only!
pub, priv = self.session.generate_keypair(KeyType.RSA, 1024)
info = CertificationRequestInfo({
'version': 0,
'subject': Name.build({
'common_name': 'Test Certificate',
}),
'subject_pk_info': {
'algorithm': {
'algorithm': 'rsa',
'parameters': None,
},
'public_key': RSAPublicKey.load(encode_rsa_public_key(pub)),
},
})
# Sign the CSR Info
value = priv.sign(info.dump(),
mechanism=Mechanism.SHA1_RSA_PKCS)
csr = CertificationRequest({
'certification_request_info': info,
'signature_algorithm': {
'algorithm': 'sha1_rsa',
'parameters': None,
},
'signature': value,
})
# Pipe our CSR to OpenSSL to verify it
with subprocess.Popen((OPENSSL, 'req',
'-inform', 'der',
'-noout',
'-verify'),
stdin=subprocess.PIPE,
stdout=subprocess.DEVNULL) as proc:
proc.stdin.write(csr.dump())
proc.stdin.close()
self.assertEqual(proc.wait(), 0)
def decode_rsa_public_key(der, capabilities=None):
"""
Decode a RFC2437 (PKCS#1) DER-encoded RSA public key into a dictionary of
attributes able to be passed to :meth:`pkcs11.Session.create_object`.
:param bytes der: DER-encoded key
:param MechanismFlag capabilities: Optional key capabilities
:rtype: dict(Attribute,*)
"""
if capabilities is None:
capabilities = DEFAULT_KEY_CAPABILITIES[KeyType.RSA]
key = RSAPublicKey.load(der)
return {
Attribute.CLASS: ObjectClass.PUBLIC_KEY,
Attribute.KEY_TYPE: KeyType.RSA,
Attribute.MODULUS: biginteger(key['modulus']),
Attribute.PUBLIC_EXPONENT: biginteger(key['public_exponent']),
Attribute.ENCRYPT: MechanismFlag.ENCRYPT in capabilities,
Attribute.VERIFY: MechanismFlag.VERIFY in capabilities,
Attribute.WRAP: MechanismFlag.WRAP in capabilities,
}
with token.open(user_pin='1234') as session:
pub, priv = session.generate_keypair(KeyType.RSA, 2048)
info = CertificationRequestInfo({
'version':
0,
'subject':
Name.build({
'common_name': cn,
}),
'subject_pk_info': {
'algorithm': {
'algorithm': 'rsa',
'parameters': None,
},
'public_key': RSAPublicKey.load(encode_rsa_public_key(pub)),
},
})
# Sign the CSR Info
value = priv.sign(info.dump(), mechanism=Mechanism.SHA1_RSA_PKCS)
csr = CertificationRequest({
'certification_request_info': info,
'signature_algorithm': {
'algorithm': 'sha1_rsa',
'parameters': None,
},
'signature': value,
})
certpem = pem.armor('CERTIFICATE REQUEST', csr.dump()).decode()