Esempio n. 1
class LDAP_Control(ASN1_Packet):
    """LDAP control: an OID with an optional criticality flag and value.

    Only ``controlType`` is mandatory. ``controlValue`` is kept as an opaque
    string; this class does not decode it, so consumers must parse it
    according to ``controlType`` and treat it as untrusted input.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        LDAPOID("controlType", ""),
        ASN1F_optional(
            ASN1F_BOOLEAN("criticality", False),
        ),
        ASN1F_optional(
            ASN1F_STRING("controlValue", ""),
        ),
    )
Esempio n. 2
class X509_ExtPolicyConstraints(ASN1_Packet):
    """X.509 policyConstraints extension value.

    Both counters are optional and carried under context-specific implicit
    tags (0x80 and 0x81). This class only parses them; applying the
    constraints during path validation is left to the caller.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_optional(
            ASN1F_INTEGER("requireExplicitPolicy", None, implicit_tag=0x80),
        ),
        ASN1F_optional(
            ASN1F_INTEGER("inhibitPolicyMapping", None, implicit_tag=0x81),
        ),
    )
Esempio n. 3
class X509_ExtGeneralSubtree(ASN1_Packet):
    """One subtree entry of an X.509 nameConstraints extension.

    ``base`` is mandatory; ``minimum`` and ``maximum`` are both declared
    optional, under implicit tags 0x80 and 0x81.
    """
    # 'minimum' is not optional in RFC 5280, yet it is in some implementations.
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_PACKET("base", X509_GeneralName(), X509_GeneralName),
        ASN1F_optional(
            ASN1F_INTEGER("minimum", None, implicit_tag=0x80),
        ),
        ASN1F_optional(
            ASN1F_INTEGER("maximum", None, implicit_tag=0x81),
        ),
    )
Esempio n. 4
class SPNEGO_negTokenResp(ASN1_Packet):
    """SPNEGO negTokenResp: negotiation result sent back by the peer.

    All four elements are optional and live in an inner SEQUENCE wrapped by
    an outer one. The class only parses ``mechListMIC``; it performs no
    verification of it, so checking the MIC stays with the caller.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_SEQUENCE(
            # [0] outcome of the negotiation step
            ASN1F_optional(
                ASN1F_ENUMERATED(
                    "negResult",
                    0,
                    {
                        0: "accept-completed",
                        1: "accept-incomplete",
                        2: "reject",
                        3: "request-mic"
                    },
                    explicit_tag=0xa0,
                ),
            ),
            # [1] mechanism selected by the responder
            ASN1F_optional(
                ASN1F_PACKET(
                    "supportedMech",
                    SPNEGO_MechType(),
                    SPNEGO_MechType,
                    explicit_tag=0xa1,
                ),
            ),
            # [2] mechanism-specific token
            ASN1F_optional(
                ASN1F_PACKET(
                    "responseToken",
                    None,
                    SPNEGO_Token,
                    explicit_tag=0xa2,
                ),
            ),
            # [3] NOTE(review): the only element declared with implicit_tag;
            # the three above use explicit_tag - confirm this is intended.
            ASN1F_optional(
                ASN1F_PACKET(
                    "mechListMIC",
                    None,
                    SPNEGO_MechListMIC,
                    implicit_tag=0xa3,
                ),
            ),
        ),
    )
Esempio n. 5
class X509_ExtBasicConstraints(ASN1_Packet):
    """X.509 basicConstraints extension value (``cA`` and path length).

    Both fields are declared optional, so an encoding that omits ``cA``
    still parses. Code that decides whether a certificate may act as a CA
    should treat a missing ``cA`` as "not a CA".
    NOTE(review): presumably an absent optional field reads back as None
    rather than the declared default - confirm against ASN1F_optional.
    """
    # The cA field should not be optional, but some certs omit it for False.
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_optional(ASN1F_BOOLEAN("cA", False)),
        ASN1F_optional(ASN1F_INTEGER("pathLenConstraint", None)),
    )
Esempio n. 6
class ECDSAPrivateKey(ASN1_Packet):
    """EC private key structure: version, key bytes, optional extras.

    ``privateKey`` carries the secret scalar as a raw string, so instances
    of this packet are key material: keep them out of logs and dumps.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_enum_INTEGER("version", 1, {1: "ecPrivkeyVer1"}),
        ASN1F_STRING("privateKey", ""),
        # [0] curve parameters, explicitly tagged
        ASN1F_optional(
            ASN1F_PACKET(
                "parameters", None, ECParameters, explicit_tag=0xa0,
            ),
        ),
        # [1] matching public key, explicitly tagged
        ASN1F_optional(
            ASN1F_PACKET(
                "publicKey", None, ECDSAPublicKey, explicit_tag=0xa1,
            ),
        ),
    )
Esempio n. 7
class X509_ExtUserNotice(ASN1_Packet):
    """UserNotice policy qualifier: optional reference and display text.

    ``explicitText`` accepts any of four string encodings. Its content is
    chosen by the certificate issuer, so treat it as untrusted when it is
    rendered or logged.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_optional(
            ASN1F_PACKET("noticeRef", None, X509_ExtNoticeReference),
        ),
        ASN1F_optional(
            ASN1F_CHOICE(
                "explicitText",
                ASN1_UTF8_STRING("Dummy ExplicitText"),
                ASN1F_IA5_STRING,
                ASN1F_ISO646_STRING,
                ASN1F_BMP_STRING,
                ASN1F_UTF8_STRING,
            ),
        ),
    )
Esempio n. 8
class X509_ExtPrivateKeyUsagePeriod(ASN1_Packet):
    """X.509 privateKeyUsagePeriod extension value.

    Both bounds are optional, under implicit tags 0x80 and 0x81. The default
    strings are computed once, when this class body is executed, so they do
    not move forward for packets built later in the same process.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_optional(
            ASN1F_GENERALIZED_TIME(
                "notBefore",
                str(GeneralizedTime(-600)),
                implicit_tag=0x80,
            ),
        ),
        ASN1F_optional(
            ASN1F_GENERALIZED_TIME(
                "notAfter",
                str(GeneralizedTime(+86400)),
                implicit_tag=0x81,
            ),
        ),
    )
Esempio n. 9
class X509_ExtNameConstraints(ASN1_Packet):
    """X.509 nameConstraints extension value.

    Holds two optional lists of X509_ExtGeneralSubtree. The class only
    parses the lists; enforcing permitted and excluded subtrees during path
    validation is the caller's responsibility.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_optional(
            ASN1F_SEQUENCE_OF(
                "permittedSubtrees",
                None,
                X509_ExtGeneralSubtree,
                implicit_tag=0xa0,
            ),
        ),
        ASN1F_optional(
            ASN1F_SEQUENCE_OF(
                "excludedSubtrees",
                None,
                X509_ExtGeneralSubtree,
                implicit_tag=0xa1,
            ),
        ),
    )
Esempio n. 10
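class SAPCredv2_Cred_Plain(ASN1_Packet):
    """Plain SAP credential record: a PIN followed by up to three options.

    ``option1`` is read by :meth:`decrypt_provider` as the name of the
    provider that protects the credential blob.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_IA5_STRING("pin", None),
        ASN1F_optional(ASN1F_IA5_STRING("option1", None)),
        ASN1F_optional(ASN1F_IA5_STRING("option2", None)),
        ASN1F_optional(ASN1F_IA5_STRING("option3", None)),
    )

    def decrypt_provider(self, cred):
        """Decrypts the credential blob using the provider named in
        ``option1``. This is platform dependent and requires specific
        third-party libraries.

        :param cred: credential from where the blob was extracted
        :type cred: SAPCredv2_Cred

        :return: the content in the blob decrypted using the provider
        :rtype: string

        :raise Exception: if the provider is invalid or unsupported
        """
        provider = self.option1
        if not provider or provider not in self.providers:
            raise Exception("Invalid or unsupported provider")

        handler = self.providers[provider]
        # The provider table is filled in while the class body runs, so it
        # stores the raw staticmethod wrapper, not a function. That wrapper
        # is only callable from Python 3.10 on; unwrap it so the dispatch
        # also works on older interpreters.
        if isinstance(handler, staticmethod):
            handler = handler.__func__
        return handler(self, cred)

    @staticmethod
    def decrypt_MSCryptProtect(plain, cred):
        """Decrypts a credential using the Windows DP API. Requires the current
        logged-in user to have permissions to decrypt the blob stored in the
        credentials file.

        :param plain: plain credential extracted
        :type plain: SAPCredv2_Cred_Plain

        :param cred: credential from where the blob was extracted
        :type cred: SAPCredv2_Cred

        :return: the content in the blob decrypted using the provider
        :rtype: string
        """
        # The PSE path stored in the credential is passed as the entropy
        # argument of the DPAPI call.
        entropy = cred.pse_path
        # NOTE(review): no "blob" field is declared in ASN1_root above;
        # presumably it is provided elsewhere in the project - confirm.
        return dpapi_decrypt_blob(unhexlify(plain.blob.val), entropy)

    PROVIDER_MSCryptProtect = "MSCryptProtect"
    """Provider for Windows hosts using DPAPI"""

    providers = {
        PROVIDER_MSCryptProtect: decrypt_MSCryptProtect,
    }
    """Definition of implemented providers"""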
Esempio n. 11
class X509_ExtAuthorityKeyIdentifier(ASN1_Packet):
    """X.509 authorityKeyIdentifier extension value.

    All three members are optional. The ``keyIdentifier`` default of twenty
    0xff bytes is a placeholder used when building packets, not a real key
    identifier.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_optional(
            ASN1F_STRING("keyIdentifier", b"\xff" * 20, implicit_tag=0x80),
        ),
        ASN1F_optional(
            ASN1F_SEQUENCE_OF(
                "authorityCertIssuer",
                None,
                X509_GeneralName,
                implicit_tag=0xa1,
            ),
        ),
        ASN1F_optional(
            ASN1F_INTEGER(
                "authorityCertSerialNumber", None, implicit_tag=0x82,
            ),
        ),
    )
Esempio n. 12
class OCSP_ResponseData(ASN1_Packet):
    """Body of an OCSP basic response: responder, time and responses.

    The ``producedAt`` default is computed once, when this class body runs.
    Parsing this structure does not check any signature over it.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        # NOTE(review): explicit tags are normally constructed (0xa0);
        # 0x80 is the primitive form - confirm against real responses.
        ASN1F_optional(
            ASN1F_enum_INTEGER(
                "version", 0, {0: "v1"}, explicit_tag=0x80,
            ),
        ),
        ASN1F_PACKET("responderID", OCSP_ResponderID(), OCSP_ResponderID),
        ASN1F_GENERALIZED_TIME("producedAt", str(GeneralizedTime())),
        ASN1F_SEQUENCE_OF("responses", [], OCSP_SingleResponse),
        ASN1F_optional(
            ASN1F_SEQUENCE_OF(
                "responseExtensions",
                None,
                X509_Extension,
                explicit_tag=0xa1,
            ),
        ),
    )
Esempio n. 13
class OCSP_SingleResponse(ASN1_Packet):
    """Status entry for one certificate inside an OCSP response.

    ``nextUpdate`` is optional. The class does not compare ``thisUpdate`` or
    ``nextUpdate`` with the current time, so freshness checks are the
    caller's job.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_PACKET("certID", OCSP_CertID(), OCSP_CertID),
        ASN1F_PACKET("certStatus", OCSP_CertStatus(), OCSP_CertStatus),
        ASN1F_GENERALIZED_TIME("thisUpdate", ""),
        ASN1F_optional(
            ASN1F_GENERALIZED_TIME("nextUpdate", "", explicit_tag=0xa0),
        ),
        ASN1F_optional(
            ASN1F_SEQUENCE_OF(
                "singleExtensions",
                None,
                X509_Extension,
                explicit_tag=0xa1,
            ),
        ),
    )
Esempio n. 14
class RSAPrivateKey_OpenSSL(ASN1_Packet):
    """RSA private key wrapped with an algorithm identifier.

    The inner RSAPrivateKey sits under tag 0x04. Instances hold private key
    material and should be kept out of logs and dumps.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_enum_INTEGER("version", 0, ["v1", "v2"]),
        ASN1F_PACKET(
            "privateKeyAlgorithm",
            X509_AlgorithmIdentifier(),
            X509_AlgorithmIdentifier,
        ),
        ASN1F_PACKET(
            "privateKey",
            RSAPrivateKey(),
            RSAPrivateKey,
            explicit_tag=0x04,
        ),
        # NOTE(review): the two optional members use EC types inside an RSA
        # container - confirm this is intended.
        ASN1F_optional(
            ASN1F_PACKET(
                "parameters", None, ECParameters, explicit_tag=0xa0,
            ),
        ),
        ASN1F_optional(
            ASN1F_PACKET(
                "publicKey", None, ECDSAPublicKey, explicit_tag=0xa1,
            ),
        ),
    )
Esempio n. 15
class X509_ExtDistributionPoint(ASN1_Packet):
    """One CRL distribution point: name, reason flags and CRL issuer.

    Every member is optional. The name and issuer values come from the
    certificate, so treat any location taken from them as untrusted input.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_optional(
            ASN1F_PACKET(
                "distributionPoint",
                X509_ExtDistributionPointName(),
                X509_ExtDistributionPointName,
                explicit_tag=0xa0,
            ),
        ),
        ASN1F_optional(
            ASN1F_FLAGS(
                "reasons", None, _reasons_mapping, implicit_tag=0x81,
            ),
        ),
        ASN1F_optional(
            ASN1F_SEQUENCE_OF(
                "cRLIssuer",
                None,
                X509_GeneralName,
                implicit_tag=0xa2,
            ),
        ),
    )
Esempio n. 16
class CLDAP(ASN1_Packet):
    """Connection-less LDAP message built from the LDAP field definitions.

    The first and last members are the very field objects already held by
    ``LDAP.ASN1_root`` (not copies); an optional ``user`` DN sits between
    them.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        # messageID, shared with LDAP
        LDAP.ASN1_root.seq[0],
        ASN1F_optional(
            LDAPDN("user", ""),
        ),
        # protocolOp, shared with LDAP
        LDAP.ASN1_root.seq[1],
    )
Esempio n. 17
class X509_EDIPartyName(ASN1_Packet):
    """EDIPartyName form of an X.509 general name.

    ``nameAssigner`` is optional (explicit tag 0xa0); ``partyName`` is
    mandatory (explicit tag 0xa1).
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_optional(
            ASN1F_X509_DirectoryString(
                "nameAssigner", None, explicit_tag=0xa0,
            ),
        ),
        ASN1F_X509_DirectoryString("partyName", None, explicit_tag=0xa1),
    )
Esempio n. 18
class X509_RevokedCertificate(ASN1_Packet):
    """One entry of a CRL's revoked-certificate list.

    The ``revocationDate`` default is computed once, when this class body
    runs. Entry extensions are optional.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_INTEGER("serialNumber", 1),
        ASN1F_UTC_TIME("revocationDate", str(ZuluTime(+86400))),
        ASN1F_optional(
            ASN1F_SEQUENCE_OF(
                "crlEntryExtensions", None, X509_Extension,
            ),
        ),
    )
Esempio n. 19
class ECCurve(ASN1_Packet):
    """Explicit elliptic-curve coefficients ``a`` and ``b`` with optional seed.

    The coefficients are stored as raw strings; this class does not check
    that they describe a valid or known curve.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_STRING("a", ""),
        ASN1F_STRING("b", ""),
        ASN1F_optional(ASN1F_BIT_STRING("seed", None)),
    )
Esempio n. 20
class X509_AlgorithmIdentifier(ASN1_Packet):
    """Algorithm OID with optional parameters (NULL or ECParameters).

    The default OID 1.2.840.113549.1.1.11 is sha256WithRSAEncryption. The
    OID found in parsed data is attacker-influenced; callers should check
    it against the algorithms they accept before acting on it.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_OID("algorithm", "1.2.840.113549.1.1.11"),
        ASN1F_optional(
            ASN1F_CHOICE(
                "parameters",
                ASN1_NULL(0),
                ASN1F_NULL,
                ECParameters,
            ),
        ),
    )
Esempio n. 21
class X509_ExtPolicyInformation(ASN1_Packet):
    """One certificate policy: identifier plus optional qualifiers.

    The default identifier 2.5.29.32.0 is the anyPolicy OID.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_OID("policyIdentifier", "2.5.29.32.0"),
        ASN1F_optional(
            ASN1F_SEQUENCE_OF(
                "policyQualifiers",
                None,
                X509_ExtPolicyQualifierInfo,
            ),
        ),
    )
Esempio n. 22
class X509_ExtIssuingDistributionPoint(ASN1_Packet):
    """X.509 issuingDistributionPoint CRL extension value.

    NOTE(review): the four BOOLEAN members are declared without
    ASN1F_optional. RFC 5280 gives them DEFAULT FALSE, so DER encodings omit
    them when false - confirm how the dissector handles their absence.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_optional(
            ASN1F_PACKET(
                "distributionPoint",
                X509_ExtDistributionPointName(),
                X509_ExtDistributionPointName,
                explicit_tag=0xa0,
            ),
        ),
        ASN1F_BOOLEAN("onlyContainsUserCerts", False, implicit_tag=0x81),
        ASN1F_BOOLEAN("onlyContainsCACerts", False, implicit_tag=0x82),
        ASN1F_optional(
            ASN1F_FLAGS(
                "onlySomeReasons",
                None,
                _reasons_mapping,
                implicit_tag=0x83,
            ),
        ),
        ASN1F_BOOLEAN("indirectCRL", False, implicit_tag=0x84),
        ASN1F_BOOLEAN(
            "onlyContainsAttributeCerts", False, implicit_tag=0x85,
        ),
    )
Esempio n. 23
class OCSP_RevokedInfo(ASN1_Packet):
    """Revocation details in an OCSP status: time and optional reason."""
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_GENERALIZED_TIME("revocationTime", ""),
        # NOTE(review): explicit tags are normally constructed (0xa0);
        # 0x80 is the primitive form - confirm against real responses.
        ASN1F_optional(
            ASN1F_PACKET(
                "revocationReason",
                None,
                X509_ExtReasonCode,
                explicit_tag=0x80,
            ),
        ),
    )
Esempio n. 24
class ECSpecifiedDomain(ASN1_Packet):
    """Explicitly specified EC domain parameters.

    Carries field, curve, base point, order and an optional cofactor. The
    values are parsed as given; nothing here validates that they form a
    sound curve, so explicit parameters from untrusted input need their own
    checks.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_enum_INTEGER("version", 1, {1: "ecpVer1"}),
        ASN1F_PACKET("fieldID", ECFieldID(), ECFieldID),
        ASN1F_PACKET("curve", ECCurve(), ECCurve),
        ASN1F_STRING("base", ""),
        ASN1F_INTEGER("order", 0),
        ASN1F_optional(
            ASN1F_INTEGER("cofactor", None),
        ),
    )
Esempio n. 25
 def __init__(self, **kargs):
     """Set up the extension sequence for basicConstraints (OID 2.5.29.19).

     The sequence is: extension OID, optional ``critical`` flag, and the
     X509_ExtBasicConstraints value carried under tag 0x04. Extra keyword
     arguments are forwarded to ASN1F_SEQUENCE.
     """
     ext_id = ASN1F_OID("extnID", "2.5.29.19")
     critical_flag = ASN1F_optional(ASN1F_BOOLEAN("critical", False))
     ext_value = ASN1F_PACKET(
         "extnValue",
         X509_ExtBasicConstraints(),
         X509_ExtBasicConstraints,
         explicit_tag=0x04,
     )
     ASN1F_SEQUENCE.__init__(self, ext_id, critical_flag, ext_value, **kargs)
Esempio n. 26
class OCSP_Response(ASN1_Packet):
    """Top-level OCSP response: status code plus optional response bytes.

    ``responseBytes`` is optional, so callers should look at
    ``responseStatus`` and handle a missing body before reading any
    certificate status from the response.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_ENUMERATED("responseStatus", 0, _responseStatus_mapping),
        ASN1F_optional(
            ASN1F_PACKET(
                "responseBytes",
                None,
                OCSP_ResponseBytes,
                explicit_tag=0xa0,
            ),
        ),
    )
Esempio n. 27
class X509_TBSCertList(ASN1_Packet):
    """To-be-signed part of an X.509 CRL.

    ``version``, ``next_update``, ``revokedCertificates`` and
    ``crlExtensions`` are optional. The ``this_update`` default is computed
    once, when this class body runs.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_optional(
            ASN1F_enum_INTEGER("version", 1, ["v1", "v2"]),
        ),
        ASN1F_PACKET(
            "signature",
            X509_AlgorithmIdentifier(),
            X509_AlgorithmIdentifier,
        ),
        ASN1F_SEQUENCE_OF("issuer", _default_issuer, X509_RDN),
        ASN1F_UTC_TIME("this_update", str(ZuluTime(-1))),
        ASN1F_optional(
            ASN1F_UTC_TIME("next_update", None),
        ),
        ASN1F_optional(
            ASN1F_SEQUENCE_OF(
                "revokedCertificates", None, X509_RevokedCertificate,
            ),
        ),
        ASN1F_optional(
            ASN1F_SEQUENCE_OF(
                "crlExtensions",
                None,
                X509_Extension,
                explicit_tag=0xa0,
            ),
        ),
    )

    def get_issuer(self):
        """
        Returns the issuer as a dict mapping attribute name to value.

        Only the first attribute of each RDN is read, and a later RDN with
        the same attribute type overwrites an earlier one. The result is
        therefore lossy: use it for display, not to decide whether two
        issuers are the same.
        """
        issuer = {}
        for rdn_set in self.issuer:
            # we assume there is only one name in each rdn ASN1_SET
            first = rdn_set.rdn[0]
            issuer[first.type.oidname] = plain_str(first.value.val)
        return issuer

    def get_issuer_str(self):
        """
        Returns a one-line string containing every type/value pair.

        Attributes listed in _attrName_mapping come first, in that order,
        under their short symbol; the rest follow sorted by name, skipping
        those in _attrName_specials. Values are inserted as-is, so a "/" or
        "=" inside a value makes the string ambiguous; do not parse it back
        or compare it for trust decisions.
        """
        issuer = self.get_issuer()
        pieces = []
        for oid_name, short_name in _attrName_mapping:
            if oid_name in issuer:
                pieces.append("/" + short_name + "=" + issuer[oid_name])
        for oid_name in sorted(issuer):
            if oid_name not in _attrName_specials:
                pieces.append("/" + oid_name + "=" + issuer[oid_name])
        return "".join(pieces)
Esempio n. 28
class RSAPrivateKey(ASN1_Packet):
    """RSA private key structure with optional extra primes.

    The integer defaults (modulus 10, primes 2 and 5, ...) are toy
    placeholders for building packets; a packet left at its defaults is not
    a usable key. Parsed instances hold private key material and should be
    kept out of logs and dumps.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_enum_INTEGER("version", 0, ["two-prime", "multi"]),
        ASN1F_INTEGER("modulus", 10),
        ASN1F_INTEGER("publicExponent", 3),
        ASN1F_INTEGER("privateExponent", 3),
        ASN1F_INTEGER("prime1", 2),
        ASN1F_INTEGER("prime2", 5),
        ASN1F_INTEGER("exponent1", 0),
        ASN1F_INTEGER("exponent2", 3),
        ASN1F_INTEGER("coefficient", 1),
        ASN1F_optional(
            ASN1F_SEQUENCE_OF(
                "otherPrimeInfos", None, RSAOtherPrimeInfo,
            ),
        ),
    )
Esempio n. 29
 def __init__(self, **kargs):
     """Set up the sequence for a signed OCSP response body.

     The sequence is: response data, signature algorithm, signature bits
     and an optional certificate list (explicit tag 0xa0). The signature
     default is a placeholder string; nothing here verifies a signature.
     Extra keyword arguments are forwarded to ASN1F_SEQUENCE.
     """
     response_data = ASN1F_PACKET(
         "tbsResponseData",
         OCSP_ResponseData(),
         OCSP_ResponseData,
     )
     sig_algorithm = ASN1F_PACKET(
         "signatureAlgorithm",
         X509_AlgorithmIdentifier(),
         X509_AlgorithmIdentifier,
     )
     sig_bits = ASN1F_BIT_STRING("signature", "defaultsignature" * 2)
     cert_list = ASN1F_optional(
         ASN1F_SEQUENCE_OF("certs", None, X509_Cert, explicit_tag=0xa0),
     )
     ASN1F_SEQUENCE.__init__(
         self, response_data, sig_algorithm, sig_bits, cert_list, **kargs
     )
Esempio n. 30
class PKCS5_Algorithm_Identifier(ASN1_Packet):
    """PKCS5 Algorithm Identifier

    Algorithm OID followed by optional parameters, parsed either as
    PKCS12_PBE1_Parameters or as PKCS5_Salt_Parameter.
    NOTE(review): judging by the constant's name, the default algorithm is a
    SHA-1 / 3DES-CBC password-based scheme - confirm, and prefer a current
    scheme when creating new containers.
    """
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_OID("alg_id", PKCS12_ALGORITHM_PBE1_SHA_3DES_CBC),
        ASN1F_optional(
            ASN1F_CHOICE(
                "parameters",
                PKCS12_PBE1_Parameters(),
                PKCS12_PBE1_Parameters,
                PKCS5_Salt_Parameter,
            ),
        ),
    )