def create_csr_ec(key, dn, network, csrfilename=None, attributes=None): """ from jandd pkiutils adjusted for EC """ certreqInfo = rfc2314.CertificationRequestInfo() certreqInfo.setComponentByName('version', rfc2314.Version(0)) certreqInfo.setComponentByName('subject', _build_dn(dn)) certreqInfo.setComponentByName('subjectPublicKeyInfo', _build_subject_publickey_info(key)) attrpos = certreqInfo.componentType.getPositionByName('attributes') attrtype = certreqInfo.componentType.getTypeByPosition(attrpos) attr_asn1 = _build_attributes(attributes, attrtype) certreqInfo.setComponentByName('attributes', attr_asn1) certreq = rfc2314.CertificationRequest() certreq.setComponentByName('certificationRequestInfo', certreqInfo) sigAlgIdentifier = rfc2314.SignatureAlgorithmIdentifier() sigAlgIdentifier.setComponentByName('algorithm', utility.OID_ecdsaWithSHA256) certreq.setComponentByName('signatureAlgorithm', sigAlgIdentifier) sig = _build_signature(key, certreqInfo, network) certreq.setComponentByName('signature', sig) output = pkiutils._der_to_pem(encoder.encode(certreq), 'CERTIFICATE REQUEST') if csrfilename: with open(csrfilename, 'w') as csrfile: csrfile.write(output) print "generated certification request:\n\n%s" % output return output
def csr_public_key_offset_length(csr): pk_der = bytearray(encoder.encode(csr['certificationRequestInfo']['subjectPublicKeyInfo']['subjectPublicKey'])) pk_info = der_value_offset_length(pk_der) # Skip the unused bits field and key compression byte pk_der[pk_info['offset']+2] ^= 0xFF csr_der = encoder.encode(csr) csr_mod = decoder.decode(csr_der, asn1Spec=rfc2314.CertificationRequest())[0] csr_mod['certificationRequestInfo']['subjectPublicKeyInfo']['subjectPublicKey'] = decoder.decode(bytes(pk_der))[0] return {'offset':diff_offset(csr_der, encoder.encode(csr_mod)), 'length':pk_info['length']-2}
def from_open_file(f): try: der_content = pem.readPemFromFile( f, startMarker='-----BEGIN CERTIFICATE REQUEST-----', endMarker='-----END CERTIFICATE REQUEST-----') csr = decoder.decode(der_content, asn1Spec=rfc2314.CertificationRequest())[0] return X509Csr(csr) except Exception: raise X509CsrError("Could not read X509 certificate from " "PEM data.")
def sign_csr(self, certification_request_info): reqinfo = decoder.decode(certification_request_info, rfc2314.CertificationRequestInfo())[0] csr = rfc2314.CertificationRequest() csr.setComponentByName('certificationRequestInfo', reqinfo) algorithm = rfc2314.SignatureAlgorithmIdentifier() algorithm.setComponentByName( 'algorithm', univ.ObjectIdentifier( '1.2.840.113549.1.1.11')) # sha256WithRSAEncryption csr.setComponentByName('signatureAlgorithm', algorithm) signature = self.key().sign(certification_request_info, padding.PKCS1v15(), hashes.SHA256()) asn1sig = univ.BitString("'%s'H" % signature.encode('hex')) csr.setComponentByName('signature', asn1sig) return encoder.encode(csr)
def _create_csr(cert, private_key): """Creates a CSR with the RENEWAL_CERTIFICATE extension""" subject_public_key_info = decoder.decode( private_key.public_key().public_bytes( encoding=serialization.Encoding.DER, format=serialization.PublicFormat.SubjectPublicKeyInfo), asn1Spec=rfc2314.SubjectPublicKeyInfo())[0] subject = cert[0]['tbsCertificate']['subject'] # Microsoft OID: szOID_RENEWAL_CERTIFICATE renewal_certificate_type = rfc2314.AttributeType( (1, 3, 6, 1, 4, 1, 311, 13, 1)) renewal_certificate_value = rfc2314.univ.SetOf().setComponents(cert[0]) renewal_certificate = rfc2314.Attribute() renewal_certificate.setComponentByName('type', renewal_certificate_type) renewal_certificate.setComponentByName('vals', renewal_certificate_value) attributes = rfc2314.Attributes().subtype(implicitTag=rfc2314.tag.Tag( rfc2314.tag.tagClassContext, rfc2314.tag.tagFormatConstructed, 0)) attributes.setComponents(renewal_certificate) certification_request_info = rfc2314.CertificationRequestInfo() certification_request_info.setComponentByName('version', 0) certification_request_info.setComponentByName('subject', subject) certification_request_info.setComponentByName('subjectPublicKeyInfo', subject_public_key_info) certification_request_info.setComponentByName('attributes', attributes) raw_signature, signature_algorithm = _sign( private_key, encoder.encode(certification_request_info)) signature = rfc2314.univ.BitString( hexValue=binascii.hexlify(raw_signature).decode('ascii')) certification_request = rfc2314.CertificationRequest() certification_request.setComponentByName('certificationRequestInfo', certification_request_info) certification_request.setComponentByName('signatureAlgorithm', signature_algorithm) certification_request.setComponentByName('signature', signature) return encoder.encode(certification_request)
def test_rsa_cert(self): """Generates a PKCS#7 renewal request from an rsa certificate""" cert, key = _generate_self_signed_cert('rsa') csr = pkcs7csr.create_pkcs7csr(cert, key) verify_result, raw_inner_csr = _verify_pkcs7_signature(csr) inner_csr = x509.load_der_x509_csr(raw_inner_csr, default_backend()) decoded_inner_csr = decoder.decode(raw_inner_csr, asn1Spec=rfc2314.CertificationRequest()) encoded_inner_csr = encoder.encode(decoded_inner_csr[0]['certificationRequestInfo'] ['attributes'][0]['vals'][0]) self.assertEqual(verify_result, 0) self.assertEqual(inner_csr.is_signature_valid, True) self.assertEqual( key.public_key().public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo), inner_csr.public_key().public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)) self.assertEqual(cert.public_bytes(Encoding.DER), encoded_inner_csr)
def gen_cert_def_c_device_csr(csr_der): # Use the device certificate to create a CSR template csr = decoder.decode(csr_der, asn1Spec=rfc2314.CertificationRequest())[0] params = {} info = csr_public_key_offset_length(csr) params['public_key_cert_loc_offset'] = info['offset'] params['public_key_cert_loc_count'] = info['length'] info = cert_tbs_offset_length(csr) # cert TBS works for CSR too params['tbs_cert_loc_offset'] = info['offset'] params['tbs_cert_loc_count'] = info['length'] info = cert_sig_offset_length(csr) # cert sig works for CSR too params['signature_cert_loc_offset'] = info['offset'] params['signature_cert_loc_count'] = info['length'] params['cert_template'] = bin_to_c_hex(csr_der) return string.Template(cert_def_3_device_csr_c).substitute(params)
class PKIBody(univ.Choice): """ PKIBody ::= CHOICE { -- message-specific body elements ir [0] CertReqMessages, --Initialization Request ip [1] CertRepMessage, --Initialization Response cr [2] CertReqMessages, --Certification Request cp [3] CertRepMessage, --Certification Response p10cr [4] CertificationRequest, --imported from [PKCS10] popdecc [5] POPODecKeyChallContent, --pop Challenge popdecr [6] POPODecKeyRespContent, --pop Response kur [7] CertReqMessages, --Key Update Request kup [8] CertRepMessage, --Key Update Response krr [9] CertReqMessages, --Key Recovery Request krp [10] KeyRecRepContent, --Key Recovery Response rr [11] RevReqContent, --Revocation Request rp [12] RevRepContent, --Revocation Response ccr [13] CertReqMessages, --Cross-Cert. Request ccp [14] CertRepMessage, --Cross-Cert. Response ckuann [15] CAKeyUpdAnnContent, --CA Key Update Ann. cann [16] CertAnnContent, --Certificate Ann. rann [17] RevAnnContent, --Revocation Ann. crlann [18] CRLAnnContent, --CRL Announcement pkiconf [19] PKIConfirmContent, --Confirmation nested [20] NestedMessageContent, --Nested Message genm [21] GenMsgContent, --General Message """ componentType = namedtype.NamedTypes( namedtype.NamedType('ir', rfc2511.CertReqMessages().subtype( explicitTag=tag.Tag(tag.tagClassContext,tag.tagFormatConstructed,0) ) ), namedtype.NamedType('ip', CertRepMessage().subtype( explicitTag=tag.Tag(tag.tagClassContext,tag.tagFormatConstructed,1) ) ), namedtype.NamedType('cr', rfc2511.CertReqMessages().subtype( explicitTag=tag.Tag(tag.tagClassContext,tag.tagFormatConstructed,2) ) ), namedtype.NamedType('cp', CertRepMessage().subtype( explicitTag=tag.Tag(tag.tagClassContext,tag.tagFormatConstructed,3) ) ), namedtype.NamedType('p10cr', rfc2314.CertificationRequest().subtype( explicitTag=tag.Tag(tag.tagClassContext,tag.tagFormatConstructed,4) ) ), namedtype.NamedType('popdecc', POPODecKeyChallContent().subtype( explicitTag=tag.Tag(tag.tagClassContext,tag.tagFormatConstructed,5) ) ), namedtype.NamedType('popdecr', POPODecKeyRespContent().subtype( explicitTag=tag.Tag(tag.tagClassContext,tag.tagFormatConstructed,6) ) ), namedtype.NamedType('kur', rfc2511.CertReqMessages().subtype( explicitTag=tag.Tag(tag.tagClassContext,tag.tagFormatConstructed,7) ) ), namedtype.NamedType('kup', CertRepMessage().subtype( explicitTag=tag.Tag(tag.tagClassContext,tag.tagFormatConstructed,8) ) ), namedtype.NamedType('krr', rfc2511.CertReqMessages().subtype( explicitTag=tag.Tag(tag.tagClassContext,tag.tagFormatConstructed,9) ) ), namedtype.NamedType('krp', KeyRecRepContent().subtype( explicitTag=tag.Tag(tag.tagClassContext,tag.tagFormatConstructed,10) ) ), namedtype.NamedType('rr', RevReqContent().subtype( explicitTag=tag.Tag(tag.tagClassContext,tag.tagFormatConstructed,11) ) ), namedtype.NamedType('rp', RevRepContent().subtype( explicitTag=tag.Tag(tag.tagClassContext,tag.tagFormatConstructed,12) ) ), namedtype.NamedType('ccr', rfc2511.CertReqMessages().subtype( explicitTag=tag.Tag(tag.tagClassContext,tag.tagFormatConstructed,13) ) ), namedtype.NamedType('ccp', CertRepMessage().subtype( explicitTag=tag.Tag(tag.tagClassContext,tag.tagFormatConstructed,14) ) ), namedtype.NamedType('ckuann', CAKeyUpdAnnContent().subtype( explicitTag=tag.Tag(tag.tagClassContext,tag.tagFormatConstructed,15) ) ), namedtype.NamedType('cann', CertAnnContent().subtype( explicitTag=tag.Tag(tag.tagClassContext,tag.tagFormatConstructed,16) ) ), namedtype.NamedType('rann', RevAnnContent().subtype( explicitTag=tag.Tag(tag.tagClassContext,tag.tagFormatConstructed,17) ) ), namedtype.NamedType('crlann', CRLAnnContent().subtype( explicitTag=tag.Tag(tag.tagClassContext,tag.tagFormatConstructed,18) ) ), namedtype.NamedType('pkiconf', PKIConfirmContent().subtype( explicitTag=tag.Tag(tag.tagClassContext,tag.tagFormatConstructed,19) ) ), namedtype.NamedType('nested', nestedMessageContent), # namedtype.NamedType('nested', NestedMessageContent().subtype( # explicitTag=tag.Tag(tag.tagClassContext,tag.tagFormatConstructed,20) # ) # ), namedtype.NamedType('genm', GenMsgContent().subtype( explicitTag=tag.Tag(tag.tagClassContext,tag.tagFormatConstructed,21) ) ) )
def setUp(self): self.asn1Spec = rfc2314.CertificationRequest()
def main(): parser = argparse.ArgumentParser( description= 'utxocsr.py by MiWCryptoCurrency for UTXOC UTXO based certificate signing (to produce PEM encoded).' ) parser.add_argument('-k', '--key', required=True, type=argparse.FileType('r'), help='Private EC Key') parser.add_argument('-c', '--csrfilename', required=True, type=argparse.FileType('r'), help='Input CSR Filename') parser.add_argument('-f', '--certfilename', required=True, type=argparse.FileType('w'), help='Output UTXOC Filename') parser.add_argument('-n', "--network", help='specify network (default: BTC = Bitcoin)', default='BTC', choices=NETWORK_NAMES) parser.add_argument('-r', "--redemption", required=False, help='redemption address (to claim after expiry)') parser.add_argument( '-d', "--days", required=False, help= 'number of days to hold Bond (certificate validity period). Suggested >365' ) inputkey = "" inputcsr = "" args = parser.parse_args() network = args.network days = 365 if args.days: days = args.days csrfilename = args.csrfilename while True: line = args.key.readline().strip() if not line: break inputkey += line + '\n' parsed_key = decoder.decode(utility.read_ec_private_pem(inputkey), asn1Spec=utility.ECPrivateKey()) secret_exponent = encoding.to_long(256, encoding.byte_to_int, parsed_key[0][1].asOctets())[0] #coin = Key(secret_exponent=secret_exponent, netcode=network) #pubaddr = coin.address(use_uncompressed=False) while True: line = args.csrfilename.readline().strip() if not line: break inputcsr += line + '\n' parsed_csr = decoder.decode(utility.read_csr_pem(inputcsr), asn1Spec=rfc2314.CertificationRequest()) tbs = _build_tbs(parsed_csr[0], days, network) certificate = rfc2459.Certificate() certificate.setComponentByName('tbsCertificate', tbs) certificate.setComponentByName('signatureAlgorithm', _build_ECDSAwithSHA256_signatureAlgorithm()) certificate.setComponentByName('signatureValue', _build_signature(parsed_key, tbs, network)) certder = encoder.encode(certificate) certpem = utility.generate_certificate_pem(certder) args.certfilename.write(certpem) print certpem return
# Copyright (c) 2005-2017, Ilya Etingof <*****@*****.**> # License: http://pyasn1.sf.net/license.html # # Read ASN.1/PEM X.509 certificate requests (PKCS#10 format) on stdin, # parse each into plain text, then build substrate from it # from pyasn1.codec.der import decoder, encoder from pyasn1_modules import rfc2314, pem import sys if len(sys.argv) != 1: print("""Usage: $ cat certificateRequest.pem | %s""" % sys.argv[0]) sys.exit(-1) certType = rfc2314.CertificationRequest() certCnt = 0 while True: idx, substrate = pem.readPemBlocksFromFile( sys.stdin, ('-----BEGIN CERTIFICATE REQUEST-----', '-----END CERTIFICATE REQUEST-----') ) if not substrate: break cert, rest = decoder.decode(substrate, asn1Spec=certType) if rest: substrate = substrate[:-len(rest)]
class PKIBody(univ.Choice): componentType = namedtype.NamedTypes( namedtype.NamedType( 'ir', rfc2511.CertReqMessages().subtype(explicitTag=tag.Tag( tag.tagClassContext, tag.tagFormatConstructed, 0))), namedtype.NamedType( 'ip', CertRepMessage().subtype(explicitTag=tag.Tag( tag.tagClassContext, tag.tagFormatConstructed, 1))), namedtype.NamedType( 'cr', rfc2511.CertReqMessages().subtype(explicitTag=tag.Tag( tag.tagClassContext, tag.tagFormatConstructed, 2))), namedtype.NamedType( 'cp', CertRepMessage().subtype(explicitTag=tag.Tag( tag.tagClassContext, tag.tagFormatConstructed, 3))), namedtype.NamedType( 'p10cr', rfc2314.CertificationRequest().subtype(explicitTag=tag.Tag( tag.tagClassContext, tag.tagFormatConstructed, 4))), namedtype.NamedType( 'popdecc', POPODecKeyChallContent().subtype(explicitTag=tag.Tag( tag.tagClassContext, tag.tagFormatConstructed, 5))), namedtype.NamedType( 'popdecr', POPODecKeyRespContent().subtype(explicitTag=tag.Tag( tag.tagClassContext, tag.tagFormatConstructed, 6))), namedtype.NamedType( 'kur', rfc2511.CertReqMessages().subtype(explicitTag=tag.Tag( tag.tagClassContext, tag.tagFormatConstructed, 7))), namedtype.NamedType( 'kup', CertRepMessage().subtype(explicitTag=tag.Tag( tag.tagClassContext, tag.tagFormatConstructed, 8))), namedtype.NamedType( 'krr', rfc2511.CertReqMessages().subtype(explicitTag=tag.Tag( tag.tagClassContext, tag.tagFormatConstructed, 9))), namedtype.NamedType( 'krp', KeyRecRepContent().subtype(explicitTag=tag.Tag( tag.tagClassContext, tag.tagFormatConstructed, 10))), namedtype.NamedType( 'rr', RevReqContent().subtype(explicitTag=tag.Tag( tag.tagClassContext, tag.tagFormatConstructed, 11))), namedtype.NamedType( 'rp', RevRepContent().subtype(explicitTag=tag.Tag( tag.tagClassContext, tag.tagFormatConstructed, 12))), namedtype.NamedType( 'ccr', rfc2511.CertReqMessages().subtype(explicitTag=tag.Tag( tag.tagClassContext, tag.tagFormatConstructed, 13))), namedtype.NamedType( 'ccp', CertRepMessage().subtype(explicitTag=tag.Tag( tag.tagClassContext, tag.tagFormatConstructed, 14))), namedtype.NamedType( 'ckuann', CAKeyUpdAnnContent().subtype(explicitTag=tag.Tag( tag.tagClassContext, tag.tagFormatConstructed, 15))), namedtype.NamedType( 'cann', CertAnnContent().subtype(explicitTag=tag.Tag( tag.tagClassContext, tag.tagFormatConstructed, 16))), namedtype.NamedType( 'rann', RevAnnContent().subtype(explicitTag=tag.Tag( tag.tagClassContext, tag.tagFormatConstructed, 17))), namedtype.NamedType( 'crlann', CRLAnnContent().subtype(explicitTag=tag.Tag( tag.tagClassContext, tag.tagFormatConstructed, 18))), namedtype.NamedType( 'pkiconf', PKIConfirmContent().subtype(explicitTag=tag.Tag( tag.tagClassContext, tag.tagFormatConstructed, 19))), namedtype.NamedType('nested', nestedMessageContent), namedtype.NamedType( 'genm', GenMsgContent().subtype(explicitTag=tag.Tag( tag.tagClassContext, tag.tagFormatConstructed, 21))), namedtype.NamedType( 'gen', GenRepContent().subtype(explicitTag=tag.Tag( tag.tagClassContext, tag.tagFormatConstructed, 22))), namedtype.NamedType( 'error', ErrorMsgContent().subtype(explicitTag=tag.Tag( tag.tagClassContext, tag.tagFormatConstructed, 23))), namedtype.NamedType( 'certConf', CertConfirmContent().subtype(explicitTag=tag.Tag( tag.tagClassContext, tag.tagFormatConstructed, 24))), namedtype.NamedType( 'pollReq', PollReqContent().subtype(explicitTag=tag.Tag( tag.tagClassContext, tag.tagFormatConstructed, 25))), namedtype.NamedType( 'pollRep', PollRepContent().subtype(explicitTag=tag.Tag( tag.tagClassContext, tag.tagFormatConstructed, 26))))
def __init__(self, csr=None): if csr is None: self._csr = rfc2314.CertificationRequest() else: self._csr = csr