class ECPrivateKey(Sequence):
schema = (
("version", Integer(ecPrivkeyVer1)),
("privateKey", OctetString()),
("parameters", ECParameters(expl=tag_ctxc(0), optional=True)),
("publicKey", BitString(expl=tag_ctxc(1), optional=True)),
)
class Certificate(Sequence):
# Certificate ::= SEQUENCE {
# tbsCertificate TBSCertificate,
# signatureAlgorithm AlgorithmIdentifier,
# signature BIT STRING }
schema = (
("tbsCertificate", TBSCertificate()),
("signatureAlgorithm", AlgorithmIdentifier()),
("signatureValue", BitString()),
)
class CertificationRequest(Sequence):
schema = (
("certificationRequestInfo", CertificationRequestInfo()),
("signatureAlgorithm", AlgorithmIdentifier()),
("signature", BitString()),
)
class CertificateList(Sequence):
schema = (
("tbsCertList", TBSCertList()),
("signatureAlgorithm", AlgorithmIdentifier()),
("signatureValue", BitString()),
)
class SubjectPublicKeyInfo(Sequence):
schema = (
("algorithm", AlgorithmIdentifier()),
("subjectPublicKey", BitString()),
)
class OriginatorPublicKey(Sequence):
schema = (
("algorithm", AlgorithmIdentifier()),
("publicKey", BitString()),
)
def _test_vector(
self,
curve_name,
mode,
hsh,
ai_spki,
ai_sign,
cert_serial,
prv_hex,
cr_sign_hex,
cr_b64,
c_sign_hex,
c_b64,
crl_sign_hex,
crl_b64,
):
prv_raw = hexdec(prv_hex)[::-1]
prv = prv_unmarshal(prv_raw)
curve = CURVES[curve_name]
pub = public_key(curve, prv)
pub_raw = pub_marshal(pub, mode=mode)
subj = Name(
("rdnSequence",
RDNSequence([
RelativeDistinguishedName((AttributeTypeAndValue((
("type", AttributeType(id_at_commonName)),
("value", AttributeValue(PrintableString("Example"))),
)), ))
])))
spki = SubjectPublicKeyInfo((
("algorithm", ai_spki),
("subjectPublicKey", BitString(OctetString(pub_raw).encode())),
))
# Certification request
cri = CertificationRequestInfo((
("version", Integer(0)),
("subject", subj),
("subjectPKInfo", spki),
("attributes", Attributes()),
))
sign = hexdec(cr_sign_hex)
self.assertTrue(
verify(
curve,
pub,
hsh(cri.encode()).digest()[::-1],
sign,
mode=mode,
))
cr = CertificationRequest((
("certificationRequestInfo", cri),
("signatureAlgorithm", ai_sign),
("signature", BitString(sign)),
))
self.assertSequenceEqual(cr.encode(), b64decode(cr_b64))
# Certificate
tbs = TBSCertificate((
("version", Version("v3")),
("serialNumber", CertificateSerialNumber(cert_serial)),
("signature", ai_sign),
("issuer", subj),
("validity",
Validity((
("notBefore", Time(("utcTime", UTCTime(b"010101000000Z")))),
("notAfter",
Time(("generalTime", GeneralizedTime(b"20501231000000Z")))),
))),
("subject", subj),
("subjectPublicKeyInfo", spki),
("extensions",
Extensions((Extension((
("extnID", id_ce_basicConstraints),
("critical", Boolean(True)),
("extnValue",
OctetString(
BasicConstraints((("cA", Boolean(True)), )).encode())),
)), ))),
))
sign = hexdec(c_sign_hex)
self.assertTrue(
verify(
curve,
pub,
hsh(tbs.encode()).digest()[::-1],
sign,
mode=mode,
))
cert = Certificate((
("tbsCertificate", tbs),
("signatureAlgorithm", ai_sign),
("signatureValue", BitString(sign)),
))
self.assertSequenceEqual(cert.encode(), b64decode(c_b64))
# CRL
tbs = TBSCertList((
("version", Version("v2")),
("signature", ai_sign),
("issuer", subj),
("thisUpdate", Time(("utcTime", UTCTime(b"140101000000Z")))),
("nextUpdate", Time(("utcTime", UTCTime(b"140102000000Z")))),
))
sign = hexdec(crl_sign_hex)
self.assertTrue(
verify(
curve,
pub,
hsh(tbs.encode()).digest()[::-1],
sign,
mode=mode,
))
crl = CertificateList((
("tbsCertList", tbs),
("signatureAlgorithm", ai_sign),
("signatureValue", BitString(sign)),
))
self.assertSequenceEqual(crl.encode(), b64decode(crl_b64))
("signature", ai_sign),
("issuer", subj),
("validity",
Validity((
("notBefore", Time(("utcTime", UTCTime(not_before)))),
("notAfter", Time(("utcTime", UTCTime(not_after)))),
))),
("subject", subj),
("subjectPublicKeyInfo",
SubjectPublicKeyInfo((
("algorithm",
AlgorithmIdentifier((
("algorithm", id_tc26_gost3410_2012_512),
("parameters", Any(key_params)),
))),
("subjectPublicKey", BitString(OctetString(pub_raw).encode())),
))),
("extensions",
Extensions((Extension((
("extnID", id_ce_subjectKeyIdentifier),
("extnValue",
OctetString(
SubjectKeyIdentifier(
GOST34112012512(pub_raw).digest()[:20]).encode())),
)), ))),
))
cert = Certificate((
("tbsCertificate", tbs),
("signatureAlgorithm", ai_sign),
("signatureValue",
BitString(