class ExtendedKeyUsageOID(object):
    """Well-known purpose OIDs carried in the extKeyUsage extension (RFC 5280 4.2.1.12).

    The ``1.3.6.1.5.5.7.3.*`` values are the PKIX ``id-kp`` arc;
    ``ANY_EXTENDED_KEY_USAGE`` lives under the extension's own arc.
    """
    SERVER_AUTH = ObjectIdentifier("1.3.6.1.5.5.7.3.1")
    CLIENT_AUTH = ObjectIdentifier("1.3.6.1.5.5.7.3.2")
    CODE_SIGNING = ObjectIdentifier("1.3.6.1.5.5.7.3.3")
    EMAIL_PROTECTION = ObjectIdentifier("1.3.6.1.5.5.7.3.4")
    TIME_STAMPING = ObjectIdentifier("1.3.6.1.5.5.7.3.8")
    OCSP_SIGNING = ObjectIdentifier("1.3.6.1.5.5.7.3.9")
    # anyExtendedKeyUsage: a certificate carrying this is usable for every purpose.
    ANY_EXTENDED_KEY_USAGE = ObjectIdentifier("2.5.29.37.0")
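def get_certificate_extensions(cert):
    """Extract the SGX IAS attestation material embedded in ``cert``.

    Three custom X.509 extensions are located by the OIDs configured under
    ``config["SGX_CONSTANTS"]`` and each one's raw payload is base64-decoded.

    Args:
        cert: A certificate object exposing ``.extensions``; every extension
            must expose ``.oid`` and a ``.value.value`` payload that
            ``b64decode`` accepts.

    Returns:
        A ``(ias_report, ias_report_signature, ias_report_signing_certificate)``
        tuple of decoded bytes. Any element whose extension is absent is
        ``None``; if an OID appears more than once the last occurrence wins.

    Raises:
        KeyError: If ``config["SGX_CONSTANTS"]`` lacks one of the OID keys.

    This function only extracts the material. It does not check the report
    signature, so the report is not authenticated until the caller verifies
    it against the signing certificate.
    """
    sgx_constants = config["SGX_CONSTANTS"]
    # Resolve the OIDs once instead of on every loop iteration; this also
    # surfaces an incomplete configuration immediately rather than only
    # when the certificate happens to carry extensions.
    report_oid = ObjectIdentifier(sgx_constants["ias_report_oid"])
    signature_oid = ObjectIdentifier(sgx_constants["ias_report_signature_oid"])
    signing_cert_oid = ObjectIdentifier(
        sgx_constants["ias_report_signing_certificate_oid"])

    ias_report = None
    ias_report_signature = None
    ias_report_signing_certificate = None
    for ext in cert.extensions:
        if ext.oid == signature_oid:
            ias_report_signature = b64decode(ext.value.value)
        if ext.oid == report_oid:
            ias_report = b64decode(ext.value.value)
        if ext.oid == signing_cert_oid:
            ias_report_signing_certificate = b64decode(ext.value.value)
    return (ias_report, ias_report_signature, ias_report_signing_certificate)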
class EllipticCurveOID(object):
    """Named-curve OIDs as they appear in ECParameters (RFC 5480).

    ``SECP*R1`` are the NIST prime curves (P-192 .. P-521); ``SECP256K1``
    is the Koblitz curve from SECG.
    """
    SECP192R1 = ObjectIdentifier("1.2.840.10045.3.1.1")
    SECP224R1 = ObjectIdentifier("1.3.132.0.33")
    SECP256K1 = ObjectIdentifier("1.3.132.0.10")
    SECP256R1 = ObjectIdentifier("1.2.840.10045.3.1.7")
    SECP384R1 = ObjectIdentifier("1.3.132.0.34")
    SECP521R1 = ObjectIdentifier("1.3.132.0.35")
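def __init__(self, repository_path: Path) -> None:
    """Load every trust store found in ``repository_path``.

    For each ``TrustStoreEnum`` member the repository must contain a
    ``<name>.yaml`` metadata file and a ``<name>.pem`` bundle. The metadata
    is not parsed with a YAML library: the version is read by splitting on
    ``"version: "`` (or ``"date_fetched: "`` for the Microsoft Windows and
    Mozilla NSS stores, which are versioned by their fetch date).

    Args:
        repository_path: Directory holding the ``.yaml`` / ``.pem`` pairs.

    Raises:
        ValueError: If a PEM bundle is missing, or the YAML metadata does
            not contain the expected version / date_fetched key.
        OSError: If a metadata file cannot be read.
    """
    available_stores = {}
    # Stores whose metadata carries no "version" field; the fetch date is
    # used as the version string instead.
    date_versioned_stores = (
        TrustStoreEnum.MICROSOFT_WINDOWS,
        TrustStoreEnum.MOZILLA_NSS,
    )
    for store_enum in TrustStoreEnum:
        store_basename = store_enum.name.lower()
        store_yaml_path = repository_path / f"{store_basename}.yaml"
        store_yaml = store_yaml_path.read_text(encoding="utf-8")

        if store_enum in date_versioned_stores:
            version_key, strip_chars = "date_fetched: ", None
        else:
            version_key, strip_chars = "version: ", " '"
        # A missing key used to surface as an opaque IndexError from the
        # split; name the file and key instead so a corrupt repository is
        # diagnosable.
        _, key_found, remainder = store_yaml.partition(version_key)
        if not key_found:
            raise ValueError(
                f"Could not find '{version_key.strip()}' in {store_yaml_path}")
        store_version = remainder.split("\n", 1)[0].strip(strip_chars)

        # The PEM bundle is what actually gets used for validation; refuse
        # to register a store whose bundle is absent.
        store_pem_path = repository_path / f"{store_basename}.pem"
        if not store_pem_path.exists():
            raise ValueError(
                f"Could not find trust store at {store_pem_path}")

        # Only the Mozilla store carries the EV policy OIDs.
        ev_oids = None
        if store_enum == TrustStoreEnum.MOZILLA_NSS:
            ev_oids = [ObjectIdentifier(oid) for oid in _MOZILLA_EV_OIDS]

        available_stores[store_enum] = TrustStore(
            path=store_pem_path,
            name=self._STORE_PRETTY_NAMES[store_enum],
            version=store_version,
            ev_oids=ev_oids,
        )
    self._available_stores = available_stores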
def test_oid_constraint():
    """Every malformed dotted string must be rejected with ``ValueError``."""
    malformed = (
        "1",                # too short
        "3.2.1",            # first node too big
        "1.40",             # second node outside range
        "0.42",
        "1.2.foo.bar",      # non-decimal nodes
        "1.2.0xf00.0xba4",
        "1.2.-3.-4",        # negative nodes
    )
    for dotted in malformed:
        with pytest.raises(ValueError):
            ObjectIdentifier(dotted)
def test_oid_constraint():
    """Every malformed dotted string must be rejected with ``ValueError``."""
    malformed = (
        '1',                # too short
        '3.2.1',            # first node too big
        '1.40',             # second node outside range
        '0.42',
        '1.2.foo.bar',      # non-decimal nodes
        '1.2.0xf00.0xba4',
        '1.2.-3.-4',        # negative nodes
    )
    for dotted in malformed:
        with pytest.raises(ValueError):
            ObjectIdentifier(dotted)
class CertificatePoliciesOID(object):
    """OIDs used inside the certificatePolicies extension (RFC 5280 4.2.1.4).

    ``CPS_QUALIFIER`` and ``CPS_USER_NOTICE`` are the two PKIX policy
    qualifier types; ``ANY_POLICY`` is the wildcard policy identifier.
    """
    CPS_QUALIFIER = ObjectIdentifier("1.3.6.1.5.5.7.2.1")
    CPS_USER_NOTICE = ObjectIdentifier("1.3.6.1.5.5.7.2.2")
    ANY_POLICY = ObjectIdentifier("2.5.29.32.0")
class AuthorityInformationAccessOID(object):
    """Access-method OIDs for the authorityInfoAccess extension (RFC 5280 4.2.2.1).

    ``CA_ISSUERS`` locates the issuer's certificate(s); ``OCSP`` locates the
    responder used for revocation checks.
    """
    CA_ISSUERS = ObjectIdentifier("1.3.6.1.5.5.7.48.2")
    OCSP = ObjectIdentifier("1.3.6.1.5.5.7.48.1")
class ExtensionOID(object):
    """OIDs of X.509 certificate and CRL extensions.

    Most values are the standard ``2.5.29.*`` (X.509) and
    ``1.3.6.1.5.5.7.1.*`` (PKIX) extensions from RFC 5280. The two
    ``PRECERT_*`` entries are the Certificate Transparency extensions from
    RFC 6962; ``TLS_FEATURE`` is RFC 7633 (OCSP must-staple).
    """
    SUBJECT_DIRECTORY_ATTRIBUTES = ObjectIdentifier("2.5.29.9")
    SUBJECT_KEY_IDENTIFIER = ObjectIdentifier("2.5.29.14")
    KEY_USAGE = ObjectIdentifier("2.5.29.15")
    SUBJECT_ALTERNATIVE_NAME = ObjectIdentifier("2.5.29.17")
    ISSUER_ALTERNATIVE_NAME = ObjectIdentifier("2.5.29.18")
    BASIC_CONSTRAINTS = ObjectIdentifier("2.5.29.19")
    NAME_CONSTRAINTS = ObjectIdentifier("2.5.29.30")
    CRL_DISTRIBUTION_POINTS = ObjectIdentifier("2.5.29.31")
    CERTIFICATE_POLICIES = ObjectIdentifier("2.5.29.32")
    POLICY_MAPPINGS = ObjectIdentifier("2.5.29.33")
    AUTHORITY_KEY_IDENTIFIER = ObjectIdentifier("2.5.29.35")
    POLICY_CONSTRAINTS = ObjectIdentifier("2.5.29.36")
    EXTENDED_KEY_USAGE = ObjectIdentifier("2.5.29.37")
    FRESHEST_CRL = ObjectIdentifier("2.5.29.46")
    INHIBIT_ANY_POLICY = ObjectIdentifier("2.5.29.54")
    # CRL-only extensions.
    ISSUING_DISTRIBUTION_POINT = ObjectIdentifier("2.5.29.28")
    AUTHORITY_INFORMATION_ACCESS = ObjectIdentifier("1.3.6.1.5.5.7.1.1")
    SUBJECT_INFORMATION_ACCESS = ObjectIdentifier("1.3.6.1.5.5.7.1.11")
    # Marks an OCSP responder certificate whose own revocation need not be checked.
    OCSP_NO_CHECK = ObjectIdentifier("1.3.6.1.5.5.7.48.1.5")
    TLS_FEATURE = ObjectIdentifier("1.3.6.1.5.5.7.1.24")
    CRL_NUMBER = ObjectIdentifier("2.5.29.20")
    DELTA_CRL_INDICATOR = ObjectIdentifier("2.5.29.27")
    # Certificate Transparency: embedded SCT list, and the critical poison
    # extension that makes a precertificate unusable as a real certificate.
    PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS = (
        ObjectIdentifier("1.3.6.1.4.1.11129.2.4.2"))
    PRECERT_POISON = (ObjectIdentifier("1.3.6.1.4.1.11129.2.4.3"))
def test_basic_oid():
    """A well-formed OID round-trips through ``dotted_string`` unchanged."""
    dotted = '1.2.3.4'
    parsed = ObjectIdentifier(dotted)
    assert parsed.dotted_string == dotted
class NameOID(object):
    """Attribute-type OIDs used in X.500 distinguished names.

    Most values are X.520 attribute types (``2.5.4.*``); ``USER_ID`` and
    ``DOMAIN_COMPONENT`` come from the RFC 1274 / RFC 4519 arc,
    ``EMAIL_ADDRESS`` from PKCS#9, and the ``JURISDICTION_*`` entries are
    the CA/Browser Forum EV attributes registered under Microsoft's arc.
    """
    COMMON_NAME = ObjectIdentifier("2.5.4.3")
    COUNTRY_NAME = ObjectIdentifier("2.5.4.6")
    LOCALITY_NAME = ObjectIdentifier("2.5.4.7")
    STATE_OR_PROVINCE_NAME = ObjectIdentifier("2.5.4.8")
    STREET_ADDRESS = ObjectIdentifier("2.5.4.9")
    ORGANIZATION_NAME = ObjectIdentifier("2.5.4.10")
    ORGANIZATIONAL_UNIT_NAME = ObjectIdentifier("2.5.4.11")
    SERIAL_NUMBER = ObjectIdentifier("2.5.4.5")
    SURNAME = ObjectIdentifier("2.5.4.4")
    GIVEN_NAME = ObjectIdentifier("2.5.4.42")
    TITLE = ObjectIdentifier("2.5.4.12")
    GENERATION_QUALIFIER = ObjectIdentifier("2.5.4.44")
    X500_UNIQUE_IDENTIFIER = ObjectIdentifier("2.5.4.45")
    DN_QUALIFIER = ObjectIdentifier("2.5.4.46")
    PSEUDONYM = ObjectIdentifier("2.5.4.65")
    USER_ID = ObjectIdentifier("0.9.2342.19200300.100.1.1")
    DOMAIN_COMPONENT = ObjectIdentifier("0.9.2342.19200300.100.1.25")
    EMAIL_ADDRESS = ObjectIdentifier("1.2.840.113549.1.9.1")
    # Extended Validation jurisdiction-of-incorporation attributes.
    JURISDICTION_COUNTRY_NAME = ObjectIdentifier("1.3.6.1.4.1.311.60.2.1.3")
    JURISDICTION_LOCALITY_NAME = ObjectIdentifier("1.3.6.1.4.1.311.60.2.1.1")
    JURISDICTION_STATE_OR_PROVINCE_NAME = ObjectIdentifier(
        "1.3.6.1.4.1.311.60.2.1.2")
    BUSINESS_CATEGORY = ObjectIdentifier("2.5.4.15")
    POSTAL_ADDRESS = ObjectIdentifier("2.5.4.16")
    POSTAL_CODE = ObjectIdentifier("2.5.4.17")
def test_basic_oid():
    """A well-formed OID round-trips through ``dotted_string`` unchanged."""
    dotted = "1.2.3.4"
    parsed = ObjectIdentifier(dotted)
    assert parsed.dotted_string == dotted
class AttributeOID(object):
    """PKCS#9 attribute OIDs used in certificate signing requests.

    ``CHALLENGE_PASSWORD`` is the CSR challengePassword attribute; it is
    sent in the clear inside the request, so it must not be reused as a
    secret elsewhere.
    """
    CHALLENGE_PASSWORD = ObjectIdentifier("1.2.840.113549.1.9.7")
import os from OpenSSL import crypto from cryptography.hazmat._oid import ObjectIdentifier parser = argparse.ArgumentParser(description='certificate chain validation') parser.add_argument('-chf', dest="CHAIN_FILE", required=True, default=None, help="specify the certificate chain file") args = parser.parse_args() """ `oid` is an object identifier, each extension has an oid associated with it, the oid for CRL distribution point extension is 2.5.29.31, we need to pass the objects as an argument in order to get the CRL distribution point (url) from the certificate. the url once obtained can be used to get the crl file. `valid` specifies if the certificate chain is valid or not, default is true and is set to None when certificate is revoke """ oid = ObjectIdentifier("2.5.29.31") valid = True certs = pem.parse_file(os.getcwd() + "\\crt\\" + args.CHAIN_FILE) for i in range(0, len(certs)): """ for i in range(0,len(certs)-1): if we reach the root certificate we can guarentee that the chain is valid, since the root is self signed and cannot exist in any issuer CRL file. hence we can parse only upto last but one certificate in the chain i.e the certificate at the index len(certs)-2, hence we can specify the range as (0,len(certs)-1). i have gone upto len(certs) to only print all the certificates in the chain """ cert = crypto.load_certificate(crypto.FILETYPE_PEM, str(certs[i])) dict_sn = {} print("Certificate Details -", i + 1) #print("X509 object = ",cert) # return X509 object
class OCSPExtensionOID(object):
    """OIDs of OCSP request/response extensions (RFC 6960).

    ``NONCE`` binds a response to a request; a responder that omits it
    leaves the client unable to detect a replayed response.
    """
    NONCE = ObjectIdentifier("1.3.6.1.5.5.7.48.1.2")
class CRLEntryExtensionOID(object):
    """OIDs of per-entry CRL extensions (RFC 5280 5.3).

    These attach to a single revoked-certificate entry rather than to the
    CRL as a whole.
    """
    CERTIFICATE_ISSUER = ObjectIdentifier("2.5.29.29")
    CRL_REASON = ObjectIdentifier("2.5.29.21")
    INVALIDITY_DATE = ObjectIdentifier("2.5.29.24")
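def getExtensions(self, oid):
    """Return the payload of the X.509 extension identified by ``oid``.

    Args:
        oid: Dotted-string OID of the extension to look up.

    Returns:
        The ``.value.value`` attribute of the matching extension as exposed
        by the loaded certificate object (assumes the caller asks for an
        extension type whose value object carries a ``.value`` payload —
        confirm against the certificate library in use).

    Raises:
        RuntimeError: If no certificate has been loaded into ``self._cert``.
        Whatever ``get_extension_for_oid`` raises for an absent extension
        is propagated unchanged.
    """
    # RuntimeError rather than BaseException: BaseException is the root of
    # SystemExit/KeyboardInterrupt and slips past any ``except Exception``
    # handler a caller would reasonably write. Callers catching
    # BaseException still catch this.
    if not self._cert:
        raise RuntimeError('no cert loaded')
    extension = self._cert.extensions.get_extension_for_oid(
        ObjectIdentifier(oid))
    return extension.value.value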
class SignatureAlgorithmOID(object):
    """OIDs of signature algorithms found in the signatureAlgorithm field.

    The MD5 and SHA-1 variants are listed so that such certificates can be
    identified and rejected; neither digest is acceptable for new
    signatures.
    """
    RSA_WITH_MD5 = ObjectIdentifier("1.2.840.113549.1.1.4")
    RSA_WITH_SHA1 = ObjectIdentifier("1.2.840.113549.1.1.5")
    # This is an alternate OID for RSA with SHA1 that is occasionally seen
    _RSA_WITH_SHA1 = ObjectIdentifier("1.3.14.3.2.29")
    RSA_WITH_SHA224 = ObjectIdentifier("1.2.840.113549.1.1.14")
    RSA_WITH_SHA256 = ObjectIdentifier("1.2.840.113549.1.1.11")
    RSA_WITH_SHA384 = ObjectIdentifier("1.2.840.113549.1.1.12")
    RSA_WITH_SHA512 = ObjectIdentifier("1.2.840.113549.1.1.13")
    # RSASSA-PSS carries its hash and MGF choice in the algorithm parameters,
    # so a single OID covers every digest.
    RSASSA_PSS = ObjectIdentifier("1.2.840.113549.1.1.10")
    ECDSA_WITH_SHA1 = ObjectIdentifier("1.2.840.10045.4.1")
    ECDSA_WITH_SHA224 = ObjectIdentifier("1.2.840.10045.4.3.1")
    ECDSA_WITH_SHA256 = ObjectIdentifier("1.2.840.10045.4.3.2")
    ECDSA_WITH_SHA384 = ObjectIdentifier("1.2.840.10045.4.3.3")
    ECDSA_WITH_SHA512 = ObjectIdentifier("1.2.840.10045.4.3.4")
    DSA_WITH_SHA1 = ObjectIdentifier("1.2.840.10040.4.3")
    DSA_WITH_SHA224 = ObjectIdentifier("2.16.840.1.101.3.4.3.1")
    DSA_WITH_SHA256 = ObjectIdentifier("2.16.840.1.101.3.4.3.2")
class SubjectInformationAccessOID(object):
    """Access-method OIDs for the subjectInfoAccess extension (RFC 5280 4.2.2.2).

    ``CA_REPOSITORY`` points at the repository where a CA publishes the
    certificates it has issued.
    """
    CA_REPOSITORY = ObjectIdentifier("1.3.6.1.5.5.7.48.5")
class EllipticCurveOID(object):
    """Named-curve OIDs as they appear in ECParameters.

    ``SECP*`` and ``SECT*`` are the SECG / NIST prime- and binary-field
    curves (RFC 5480); ``BRAINPOOLP*`` are the Brainpool curves (RFC 5639).
    """
    SECP192R1 = ObjectIdentifier("1.2.840.10045.3.1.1")
    SECP224R1 = ObjectIdentifier("1.3.132.0.33")
    SECP256K1 = ObjectIdentifier("1.3.132.0.10")
    SECP256R1 = ObjectIdentifier("1.2.840.10045.3.1.7")
    SECP384R1 = ObjectIdentifier("1.3.132.0.34")
    SECP521R1 = ObjectIdentifier("1.3.132.0.35")
    BRAINPOOLP256R1 = ObjectIdentifier("1.3.36.3.3.2.8.1.1.7")
    BRAINPOOLP384R1 = ObjectIdentifier("1.3.36.3.3.2.8.1.1.11")
    BRAINPOOLP512R1 = ObjectIdentifier("1.3.36.3.3.2.8.1.1.13")
    # Binary-field (characteristic-2) curves.
    SECT163K1 = ObjectIdentifier("1.3.132.0.1")
    SECT163R2 = ObjectIdentifier("1.3.132.0.15")
    SECT233K1 = ObjectIdentifier("1.3.132.0.26")
    SECT233R1 = ObjectIdentifier("1.3.132.0.27")
    SECT283K1 = ObjectIdentifier("1.3.132.0.16")
    SECT283R1 = ObjectIdentifier("1.3.132.0.17")
    SECT409K1 = ObjectIdentifier("1.3.132.0.36")
    SECT409R1 = ObjectIdentifier("1.3.132.0.37")
    SECT571K1 = ObjectIdentifier("1.3.132.0.38")
    SECT571R1 = ObjectIdentifier("1.3.132.0.39")
class AttributeOID(object):
    """PKCS#9 attribute OIDs used in certificate signing requests.

    ``CHALLENGE_PASSWORD`` is sent in the clear inside the request, so it
    must not be reused as a secret elsewhere; ``UNSTRUCTURED_NAME`` is
    free-form text the CA may ignore.
    """
    CHALLENGE_PASSWORD = ObjectIdentifier("1.2.840.113549.1.9.7")
    UNSTRUCTURED_NAME = ObjectIdentifier("1.2.840.113549.1.9.2")