def extract_crl_info(crl_der):
# unpack sequence
i = asn1_node_root(crl_der)
# unpack sequence
i = asn1_node_first_child(crl_der,i)
crl_signed_content= i
# get 1. item inside (version)
i = asn1_node_first_child(crl_der,i)
# advance 1 item (Algoidentifier)
i = asn1_node_next(crl_der,i)
# advance 1 item (email, CN etc.)
i = asn1_node_next(crl_der,i)
# advance 1 item
i = asn1_node_next(crl_der,i)
bytestr = asn1_get_value_of_type(crl_der,i,'UTCTime')
crl_not_valid_before = datetime.datetime.strptime(bytestr,'%y%m%d%H%M%SZ')
# advance 1 item
i = asn1_node_next(crl_der,i)
bytestr = asn1_get_value_of_type(crl_der,i,'UTCTime')
crl_not_valid_after = datetime.datetime.strptime(bytestr,'%y%m%d%H%M%SZ')
# advance 1 item (the list)
i = asn1_node_next(crl_der,i)
# Stores for every certificate entry the serial number and and
# 3 pointers indication the position of the certificate entry.
# Returns a dictionary.
# key = certificate serial number
# value = 3 pointers to certificate entry in CRL
#open and read 1. item
j = asn1_node_first_child(crl_der,i)
serials_idx = {}
while asn1_node_is_child_of(i,j):
#read 1. interger inside item
k = asn1_node_first_child(crl_der,j)
serial = bytestr_to_int(
asn1_get_value_of_type(crl_der,k,'INTEGER'))
#store serial and the asn1 container position
serials_idx[serial] = j
# point on next item in the list
j = asn1_node_next(crl_der,j)
# advance 1 item
i = asn1_node_next(crl_der,i)
# advance 1 item (obj. identifier)
i = asn1_node_next(crl_der,i)
# advance 1 item (signature)
i = asn1_node_next(crl_der,i)
# content is crl_signature
crl_signature = bitstr_to_bytestr(
asn1_get_value_of_type(crl_der,i,'BIT STRING'))
return crl_not_valid_before, crl_not_valid_after, \
crl_signature, \
crl_signed_content,serials_idx
def extract_crl_info(crl_der):
# unpack sequence
i = asn1_node_root(crl_der)
# unpack sequence
i = asn1_node_first_child(crl_der,i)
crl_signed_content= i
# get 1. item inside (version)
i = asn1_node_first_child(crl_der,i)
# advance 1 item (Algoidentifier)
i = asn1_node_next(crl_der,i)
# advance 1 item (email, CN etc.)
i = asn1_node_next(crl_der,i)
# advance 1 item
i = asn1_node_next(crl_der,i)
bytestr = asn1_get_value_of_type(crl_der,i,'UTCTime')
crl_not_valid_before = datetime.datetime.strptime(bytestr,'%y%m%d%H%M%SZ')
# advance 1 item
i = asn1_node_next(crl_der,i)
bytestr = asn1_get_value_of_type(crl_der,i,'UTCTime')
crl_not_valid_after = datetime.datetime.strptime(bytestr,'%y%m%d%H%M%SZ')
# advance 1 item (the list)
i = asn1_node_next(crl_der,i)
# Stores for every certificate entry the serial number and and
# 3 pointers indication the position of the certificate entry.
# Returns a dictionary.
# key = certificate serial number
# value = 3 pointers to certificate entry in CRL
#open and read 1. item
j = asn1_node_first_child(crl_der,i)
serials_idx = {}
while asn1_node_is_child_of(i,j):
#read 1. interger inside item
k = asn1_node_first_child(crl_der,j)
serial = bytestr_to_int(
asn1_get_value_of_type(crl_der,k,'INTEGER'))
#store serial and the asn1 container position
serials_idx[serial] = j
# point on next item in the list
j = asn1_node_next(crl_der,j)
# advance 1 item
i = asn1_node_next(crl_der,i)
# advance 1 item (obj. identifier)
i = asn1_node_next(crl_der,i)
# advance 1 item (signature)
i = asn1_node_next(crl_der,i)
# content is crl_signature
crl_signature = bitstr_to_bytestr(
asn1_get_value_of_type(crl_der,i,'BIT STRING'))
return crl_not_valid_before, crl_not_valid_after, \
crl_signature, \
crl_signed_content,serials_idx
def asn1_get_children(der, i):
nodes = []
ii = asn1_node_first_child(der, i)
nodes.append(ii)
while ii[2] < i[2]:
ii = asn1_node_next(der, ii)
nodes.append(ii)
return nodes
def asn1_get_children(der, i):
nodes = []
ii = asn1_node_first_child(der,i)
nodes.append(ii)
while ii[2]<i[2]:
ii = asn1_node_next(der,ii)
nodes.append(ii)
return nodes
def asn1_get_dict(der, i):
p = {}
for ii in asn1_get_children(der, i):
for iii in asn1_get_children(der, ii):
iiii = asn1_node_first_child(der, iii)
oid = decode_OID(asn1_get_value_of_type(der, iiii, 'OBJECT IDENTIFIER'))
iiii = asn1_node_next(der, iiii)
value = asn1_get_value(der, iiii)
p[oid] = value
return p
def asn1_get_dict(der, i):
p = {}
for ii in asn1_get_children(der, i):
for iii in asn1_get_children(der, ii):
iiii = asn1_node_first_child(der, iii)
oid = decode_OID(asn1_get_value_of_type(der, iiii, 'OBJECT IDENTIFIER'))
iiii = asn1_node_next(der, iiii)
value = asn1_get_value(der, iiii)
p[oid] = value
return p
def parseBinary(self, b):
# call tlslite method first
tlslite.X509.parseBinary(self, b)
der = str(b)
root = asn1_node_root(der)
cert = asn1_node_first_child(der, root)
# data for signature
self.data = asn1_get_all(der, cert)
# optional version field
if asn1_get_value(der, cert)[0] == chr(0xa0):
version = asn1_node_first_child(der, cert)
serial_number = asn1_node_next(der, version)
else:
serial_number = asn1_node_first_child(der, cert)
self.serial_number = bytestr_to_int(
asn1_get_value_of_type(der, serial_number, 'INTEGER'))
# signature algorithm
sig_algo = asn1_node_next(der, serial_number)
ii = asn1_node_first_child(der, sig_algo)
self.sig_algo = decode_OID(
asn1_get_value_of_type(der, ii, 'OBJECT IDENTIFIER'))
# issuer
issuer = asn1_node_next(der, sig_algo)
self.issuer = asn1_get_dict(der, issuer)
# validity
validity = asn1_node_next(der, issuer)
ii = asn1_node_first_child(der, validity)
self.notBefore = asn1_get_value_of_type(der, ii, 'UTCTime')
ii = asn1_node_next(der, ii)
self.notAfter = asn1_get_value_of_type(der, ii, 'UTCTime')
# subject
subject = asn1_node_next(der, validity)
self.subject = asn1_get_dict(der, subject)
subject_pki = asn1_node_next(der, subject)
# extensions
self.CA = False
self.AKI = None
self.SKI = None
i = subject_pki
while i[2] < cert[2]:
i = asn1_node_next(der, i)
d = asn1_get_dict(der, i)
for oid, value in d.items():
if oid == '2.5.29.19':
# Basic Constraints
self.CA = bool(value)
elif oid == '2.5.29.14':
# Subject Key Identifier
r = asn1_node_root(value)
value = asn1_get_value_of_type(value, r, 'OCTET STRING')
self.SKI = value.encode('hex')
elif oid == '2.5.29.35':
# Authority Key Identifier
self.AKI = asn1_get_sequence(value)[0].encode('hex')
else:
pass
# cert signature
cert_sig_algo = asn1_node_next(der, cert)
ii = asn1_node_first_child(der, cert_sig_algo)
self.cert_sig_algo = decode_OID(
asn1_get_value_of_type(der, ii, 'OBJECT IDENTIFIER'))
cert_sig = asn1_node_next(der, cert_sig_algo)
self.signature = asn1_get_value(der, cert_sig)[1:]
def parseBinary(self, b):
# call tlslite method first
tlslite.X509.parseBinary(self, b)
der = str(b)
root = asn1_node_root(der)
cert = asn1_node_first_child(der, root)
# data for signature
self.data = asn1_get_all(der, cert)
# optional version field
if asn1_get_value(der, cert)[0] == chr(0xa0):
version = asn1_node_first_child(der, cert)
serial_number = asn1_node_next(der, version)
else:
serial_number = asn1_node_first_child(der, cert)
self.serial_number = bytestr_to_int(asn1_get_value_of_type(der, serial_number, 'INTEGER'))
# signature algorithm
sig_algo = asn1_node_next(der, serial_number)
ii = asn1_node_first_child(der, sig_algo)
self.sig_algo = decode_OID(asn1_get_value_of_type(der, ii, 'OBJECT IDENTIFIER'))
# issuer
issuer = asn1_node_next(der, sig_algo)
self.issuer = asn1_get_dict(der, issuer)
# validity
validity = asn1_node_next(der, issuer)
ii = asn1_node_first_child(der, validity)
self.notBefore = asn1_get_value_of_type(der, ii, 'UTCTime')
ii = asn1_node_next(der,ii)
self.notAfter = asn1_get_value_of_type(der, ii, 'UTCTime')
# subject
subject = asn1_node_next(der, validity)
self.subject = asn1_get_dict(der, subject)
subject_pki = asn1_node_next(der, subject)
# extensions
self.CA = False
self.AKI = None
self.SKI = None
i = subject_pki
while i[2] < cert[2]:
i = asn1_node_next(der, i)
d = asn1_get_dict(der, i)
for oid, value in d.items():
if oid == '2.5.29.19':
# Basic Constraints
self.CA = bool(value)
elif oid == '2.5.29.14':
# Subject Key Identifier
r = asn1_node_root(value)
value = asn1_get_value_of_type(value, r, 'OCTET STRING')
self.SKI = value.encode('hex')
elif oid == '2.5.29.35':
# Authority Key Identifier
self.AKI = asn1_get_sequence(value)[0].encode('hex')
else:
pass
# cert signature
cert_sig_algo = asn1_node_next(der, cert)
ii = asn1_node_first_child(der, cert_sig_algo)
self.cert_sig_algo = decode_OID(asn1_get_value_of_type(der, ii, 'OBJECT IDENTIFIER'))
cert_sig = asn1_node_next(der, cert_sig_algo)
self.signature = asn1_get_value(der, cert_sig)[1:]
def extract_crl_info(
crl_der: bytes
) -> Tuple[datetime, datetime, bytes, Tuple[int, int, int], Dict[int, Tuple[
int, int, int]]]:
"""
This function extracts some header fields of the CRL list
and stores pointers to the list entries in a dictionary
"""
# unpack sequence
i = asn1_node_root(crl_der)
# unpack sequence
i = asn1_node_first_child(crl_der, i)
crl_signed_content = i
# get 1. item inside (version)
i = asn1_node_first_child(crl_der, i)
# advance 1 item (Algoidentifier)
i = asn1_node_next(crl_der, i)
# advance 1 item (email, CN etc.)
i = asn1_node_next(crl_der, i)
# advance 1 item
i = asn1_node_next(crl_der, i)
bytestr = asn1_get_value_of_type(crl_der, i, "UTCTime")
crl_not_valid_before = datetime.strptime(bytestr.decode("utf8"),
"%y%m%d%H%M%SZ")
# advance 1 item
i = asn1_node_next(crl_der, i)
bytestr = asn1_get_value_of_type(crl_der, i, "UTCTime")
crl_not_valid_after = datetime.strptime(bytestr.decode("utf8"),
"%y%m%d%H%M%SZ")
# advance 1 item (the list)
i = asn1_node_next(crl_der, i)
# Stores for every certificate entry the serial number and and
# 3 pointers indication the position of the certificate entry.
# Returns a dictionary.
# key = certificate serial number
# value = 3 pointers to certificate entry in CRL
# open and read 1. item
j = asn1_node_first_child(crl_der, i)
serials_idx = {}
while asn1_node_is_child_of(i, j):
# read 1. interger inside item
k = asn1_node_first_child(crl_der, j)
serial = bytestr_to_int(asn1_get_value_of_type(crl_der, k, "INTEGER"))
# store serial and the asn1 container position
serials_idx[serial] = j
# point on next item in the list
j = asn1_node_next(crl_der, j)
# advance 1 item
i = asn1_node_next(crl_der, i)
# advance 1 item (obj. identifier)
i = asn1_node_next(crl_der, i)
# advance 1 item (signature)
i = asn1_node_next(crl_der, i)
# content is crl_signature
crl_signature = asn1_get_value_of_type(crl_der, i, "BIT STRING")
if crl_signature[0] != 0x00:
raise ValueError(
"Error: CRL signature should start with 0x00 padding!")
crl_signature = crl_signature[1:]
return (
crl_not_valid_before,
crl_not_valid_after,
crl_signature,
crl_signed_content,
serials_idx,
)