def print_block(pemData):
substrate = pem.readPemFromFile(io.StringIO(pemData.decode("utf-8")))
cert, rest = decoder.decode(substrate, asn1Spec=rfc5280.Certificate())
der_subject = encoder.encode(cert['tbsCertificate']['subject'])
octets = hex_string_for_struct(der_subject)
cert = x509.load_pem_x509_certificate(pemData, default_backend())
common_name = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0]
block_name = "CA{}DN".format(re.sub(r'[-:=_. ]', '', common_name.value))
fingerprint = hex_string_human_readable(cert.fingerprint(hashes.SHA256()))
dn_parts = [
"/{id}={value}".format(id=nameOIDtoString(part.oid), value=part.value)
for part in cert.subject
]
distinguished_name = "".join(dn_parts)
print("// {dn}".format(dn=distinguished_name))
print("// SHA256 Fingerprint: " + ":".join(fingerprint[:16]))
print("// " + ":".join(fingerprint[16:]))
print("// https://crt.sh/?id={crtsh} (crt.sh ID={crtsh})".format(
crtsh=crtshId))
print("static const uint8_t {}[{}] = ".format(block_name, len(octets)) +
"{")
while len(octets) > 0:
print(" " + ", ".join(octets[:13]) + ",")
octets = octets[13:]
print("};")
print()
return block_name
def testDerCodec(self):
asn1Spec = rfc5280.Certificate()
substrate = pem.readBase64fromText(self.kea_cert_pem_text)
asn1Object, rest = der_decode(substrate, asn1Spec=self.asn1Spec)
assert not rest
assert asn1Object.prettyPrint()
assert der_encode(asn1Object) == substrate
spki_a = asn1Object['tbsCertificate']['subjectPublicKeyInfo'][
'algorithm']
assert spki_a['algorithm'] == rfc3279.id_keyExchangeAlgorithm
spki_a_p, rest = der_decode(spki_a['parameters'],
asn1Spec=rfc3279.KEA_Parms_Id())
assert not rest
assert spki_a_p.prettyPrint()
assert der_encode(spki_a_p) == spki_a['parameters']
assert spki_a_p == univ.OctetString(hexValue='5cf8f127e6569d6d88b3')
assert asn1Object['tbsCertificate']['signature'][
'algorithm'] == rfc3279.id_dsa_with_sha1
assert asn1Object['signatureAlgorithm'][
'algorithm'] == rfc3279.id_dsa_with_sha1
sig_value, rest = der_decode(asn1Object['signature'].asOctets(),
asn1Spec=rfc3279.Dss_Sig_Value())
assert not rest
assert sig_value.prettyPrint()
assert der_encode(sig_value) == asn1Object['signature'].asOctets()
assert sig_value['r'].hasValue()
assert sig_value['s'].hasValue()
def testOpenTypes(self):
asn1Spec = rfc5280.Certificate()
substrate = pem.readBase64fromText(self.ec_cert_pem_text)
asn1Object, rest = der_decode(substrate,
asn1Spec=self.asn1Spec,
decodeOpenTypes=True)
assert not rest
assert asn1Object.prettyPrint()
assert der_encode(asn1Object) == substrate
spki_a = asn1Object['tbsCertificate']['subjectPublicKeyInfo'][
'algorithm']
assert spki_a['algorithm'] == rfc3279.id_ecPublicKey
assert spki_a['parameters']['namedCurve'] == univ.ObjectIdentifier(
'1.3.132.0.34')
def _fake_cert(self, not_before=None, not_after=None):
fake_cert = rfc5280.Certificate()
fake_cert["tbsCertificate"] = rfc5280.TBSCertificate()
fake_cert["tbsCertificate"]["validity"] = rfc5280.Validity()
if not_before:
fake_cert["tbsCertificate"]["validity"][
"notBefore"] = rfc5280.Time()
fake_cert["tbsCertificate"]["validity"]["notBefore"][
"utcTime"] = pyasn1_useful.UTCTime.fromDateTime(not_before)
if not_after:
fake_cert["tbsCertificate"]["validity"]["notAfter"] = rfc5280.Time(
)
fake_cert["tbsCertificate"]["validity"]["notAfter"][
"utcTime"] = pyasn1_useful.UTCTime.fromDateTime(not_after)
return fake_cert
def print_block(pemData, identifierType="DN", crtshId=None):
substrate = pem.readPemFromFile(io.StringIO(pemData.decode("utf-8")))
cert, rest = decoder.decode(substrate, asn1Spec=rfc5280.Certificate())
octets = None
if identifierType == "DN":
der_subject = encoder.encode(cert["tbsCertificate"]["subject"])
octets = hex_string_for_struct(der_subject)
elif identifierType == "SPKI":
der_spki = encoder.encode(
cert["tbsCertificate"]["subjectPublicKeyInfo"])
octets = hex_string_for_struct(der_spki)
else:
raise Exception("Unknown identifier type: " + identifierType)
cert = x509.load_pem_x509_certificate(pemData, default_backend())
common_name = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0]
block_name = "CA{}{}".format(re.sub(r"[-:=_. ]", "", common_name.value),
identifierType)
fingerprint = hex_string_human_readable(cert.fingerprint(hashes.SHA256()))
dn_parts = [
"/{id}={value}".format(id=nameOIDtoString(part.oid), value=part.value)
for part in cert.subject
]
distinguished_name = "".join(dn_parts)
print("// {dn}".format(dn=distinguished_name))
print("// SHA256 Fingerprint: " + ":".join(fingerprint[:16]))
print("// " + ":".join(fingerprint[16:]))
if crtshId:
print("// https://crt.sh/?id={crtsh} (crt.sh ID={crtsh})".format(
crtsh=crtshId))
print("static const uint8_t {}[{}] = ".format(block_name, len(octets)) +
"{")
while len(octets) > 0:
print(" " + ", ".join(octets[:13]) + ",")
octets = octets[13:]
print("};")
print()
return block_name
def test_x509_from_ed25519_key_pair(self):
pub = xtt.ED25519PublicKey(
b"""^\x970Y=\\\x92\xbdsK2\x0cD%\x96\xf8\x1dh\xc4\x1d&k'+\x1a\xca\xd6\x16\x12\x90\x03="""
)
priv = xtt.ED25519PrivateKey(
b"""\xd1%\xce\xec\xfb\xdf\x82\xb1w~\xb5AL*\x10'\x9aX\x8f\xae\x05\tTm5\xafC\x14\x06]\xb3X^\x970Y=\\\x92\xbdsK2\x0cD%\x96\xf8\x1dh\xc4\x1d&k'+\x1a\xca\xd6\x16\x12\x90\x03="""
)
common_name = xtt.Identity(
b'\xfd\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
)
cert = xtt.x509_from_ed25519_key_pair(pub, priv, common_name)
decoded = der_decode(cert,
asn1Spec=rfc5280.Certificate(),
decodeOpenTypes=True)[0]
decoded_common_name = decoded['tbsCertificate']['subject'][0][0][0][
'value']['utf8String']
self.assertEqual(decoded_common_name,
"FD000000000000000000000000000000")
def test_x509_from_ecdsap256_key_pair(self):
pub = xtt.ECDSAP256PublicKey(
b"""\x04\x7E\x65\x37\x53\x13\x42\xF4\x8A\xC4\x64\x69\x8C\x4C\xD0\x23\xD7\xE4\xD9\x4C\xE5\x0A\x5D\x8B\xCC\x3C\x94\x13\x00\xA3\x48\xF5\x65\xCC\x56\xBF\x77\xC5\x4D\x1C\x7D\xB9\x45\x5D\xF0\x89\x67\x29\x39\xF3\x63\x70\xF2\xB9\x28\x21\x0A\x65\x78\x70\x8B\xE1\xF8\x86\x9A"""
)
priv = xtt.ECDSAP256PrivateKey(
b"""\xE7\xAC\x0C\x71\xD7\xA0\xDF\x86\xD2\x7B\x82\xAC\x0F\x0C\xFC\xD1\xB1\xC0\x91\xB2\xAA\xC0\xE8\xE0\x9D\xC5\x04\x5C\x40\xCD\x28\x36"""
)
common_name = xtt.Identity(
b'\xfd\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
)
cert = xtt.x509_from_ecdsap256_key_pair(pub, priv, common_name)
decoded = der_decode(cert,
asn1Spec=rfc5280.Certificate(),
decodeOpenTypes=True)[0]
decoded_common_name = decoded['tbsCertificate']['subject'][0][0][0][
'value']['utf8String']
self.assertEqual(decoded_common_name,
"FD00:0000:0000:0000:0000:0000:0000:0000")
def parse_pem_to_certs(pem):
"""
Convert PEM formatted certificates into DER format.
:param pem: String containing a list of PEM encoded certificates
:returns: List of Python objects representing certificates
"""
certs_der = []
acc = ''
state = 'PRE'
for line in pem.split('\n'):
if state == 'PRE' and line == '-----BEGIN CERTIFICATE-----':
state = 'BODY_OR_META'
elif state == 'PRE' and not line:
pass
elif state == 'BODY_OR_META' and ':' in line:
state = 'META'
elif state == 'BODY' and line == '-----END CERTIFICATE-----':
certs_der.append(base64.b64decode(acc))
acc = ''
state = 'PRE'
elif state == 'META' and not line:
state = 'BODY'
elif state == 'BODY' or state == 'BODY_OR_META':
acc += line
state = 'BODY'
else:
raise CertificateParseError(
f'Unexpected input "{line}" in state "{state}"')
if acc:
raise CertificateParseError(
f'Unexpected end of input. Leftover: {acc}')
certs_py = []
for der in certs_der:
cert, rest_of_input = der_decode(der, asn1Spec=rfc5280.Certificate())
assert not rest_of_input # assert no left over input
certs_py.append(python_encode(cert))
return certs_py
def setUp(self):
self.asn1Spec = rfc5280.Certificate()
# License: http://pyasn1.sf.net/license.html
#
# Read ASN.1/PEM X.509 certificates on stdin, parse each into plain text,
# then build substrate from it (using RFC5280)
#
from pyasn1.codec.der import decoder, encoder
from pyasn1_modules import rfc5280, pem
import sys
if len(sys.argv) != 1:
print("""Usage:
$ cat CACertificate.pem | %s
$ cat userCertificate.pem | %s""" % (sys.argv[0], sys.argv[0]))
sys.exit(-1)
certType = rfc5280.Certificate()
certCnt = 0
while 1:
idx, substrate = pem.readPemBlocksFromFile(
sys.stdin,
('-----BEGIN CERTIFICATE-----', '-----END CERTIFICATE-----'))
if not substrate:
break
cert, rest = decoder.decode(substrate, asn1Spec=certType)
if rest:
substrate = substrate[:-len(rest)]
pass
OtherCertificateFormat.componentType = namedtype.NamedTypes(
namedtype.NamedType('otherCertFormat', univ.ObjectIdentifier()),
namedtype.NamedType('otherCert', univ.Any())
)
class ExtendedCertificateInfo(univ.Sequence):
pass
ExtendedCertificateInfo.componentType = namedtype.NamedTypes(
namedtype.NamedType('version', CMSVersion()),
namedtype.NamedType('certificate', rfc5280.Certificate()),
namedtype.NamedType('attributes', UnauthAttributes())
)
class Signature(univ.BitString):
pass
class SignatureAlgorithmIdentifier(rfc5280.AlgorithmIdentifier):
pass
class ExtendedCertificate(univ.Sequence):
pass
def from_der(cls, content):
"""Load the Certificate object from DER-encoded data"""
return cls(
der_decoder.decode(content, asn1Spec=rfc5280.Certificate())[0])
'=I',
struct.pack('!4B', 0, parser.res['len1'], parser.res['len2'],
parser.res['len3']))[0]
parser.res['der_len'] = der_len
parser.read('der', flo('!{der_len}s'))
return parser.result()
ASN1Cert = namedtuple(
typename='ASN1Cert',
field_names='arg',
lazy_vals={
'_parse_func': lambda _: _parse_asn1_cert,
'der': lambda self: self._parse['der'],
'pyasn1': lambda self: der_decoder(self.der, rfc5280.Certificate()),
})
def _parse_asn1_cert_list(tdf):
with TdfBytesParser(tdf) as parser:
parser.read('len1', '!B')
parser.read('len2', '!B')
parser.read('len3', '!B')
der_list_len = struct.unpack(
'=I',
struct.pack('!4B', 0, parser.res['len1'], parser.res['len2'],
parser.res['len3']))[0]
der_end_offset = parser.offset + der_list_len
def parse_cert_from_der(der):
cert, rest_of_input = der_decode(der, asn1Spec=rfc5280.Certificate())
assert not rest_of_input # assert no left over input
return cert
class PkiPath(univ.SequenceOf):
componentType = rfc5280.Certificate()
subtypeSpec = constraint.ValueSizeConstraint(1, MAX)
def pyasn1_certificate_from_der(cert_der):
'''Return pyasn1_modules.rfc5280.Certificate instance parsed from cert_der.
'''
cert, _ = der_decoder(cert_der, asn1Spec=rfc5280.Certificate())
return cert
# ASN.1 source from:
# https://www.rfc-editor.org/rfc/rfc7296.txt
from pyasn1.type import namedtype
from pyasn1.type import tag
from pyasn1.type import univ
from pyasn1_modules import rfc5280
class CertificateOrCRL(univ.Choice):
pass
CertificateOrCRL.componentType = namedtype.NamedTypes(
namedtype.NamedType(
'cert',
rfc5280.Certificate().subtype(
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
namedtype.NamedType(
'crl',
rfc5280.CertificateList().subtype(
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))))
class CertificateBundle(univ.SequenceOf):
pass
CertificateBundle.componentType = CertificateOrCRL()
