class PKIHeader(univ.Sequence):
    """
    PKIHeader ::= SEQUENCE {
        pvno                INTEGER     { cmp1999(1), cmp2000(2) },
        sender              GeneralName,
        recipient           GeneralName,
        messageTime     [0] GeneralizedTime         OPTIONAL,
        protectionAlg   [1] AlgorithmIdentifier     OPTIONAL,
        senderKID       [2] KeyIdentifier           OPTIONAL,
        recipKID        [3] KeyIdentifier           OPTIONAL,
        transactionID   [4] OCTET STRING            OPTIONAL,
        senderNonce     [5] OCTET STRING            OPTIONAL,
        recipNonce      [6] OCTET STRING            OPTIONAL,
        freeText        [7] PKIFreeText             OPTIONAL,
        generalInfo     [8] SEQUENCE SIZE (1..MAX) OF
                                InfoTypeAndValue    OPTIONAL
    }
    """
    # pyasn1 schema for the CMP message header listed above.  Everything
    # after ``recipient`` is optional and carries the EXPLICIT context tag
    # shown in the ASN.1; the tag numbers below mirror that listing.
    componentType = namedtype.NamedTypes(
        # pvno: protocol version, restricted to the two named values.
        namedtype.NamedType('pvno', univ.Integer(
            namedValues=namedval.NamedValues(
                ('cmp1999', 1),
                ('cmp2000', 2)
            )
        )),
        namedtype.NamedType('sender', rfc2459.GeneralName()),
        namedtype.NamedType('recipient', rfc2459.GeneralName()),
        namedtype.OptionalNamedType('messageTime', useful.GeneralizedTime().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
        # AlgorithmIdentifier and PKIFreeText are SEQUENCE-based, hence the
        # constructed tag format on [1] and [7].
        namedtype.OptionalNamedType('protectionAlg', rfc2459.AlgorithmIdentifier().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 1))),
        namedtype.OptionalNamedType('senderKID', rfc2459.KeyIdentifier().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))),
        namedtype.OptionalNamedType('recipKID', rfc2459.KeyIdentifier().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))),
        namedtype.OptionalNamedType('transactionID', univ.OctetString().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4))),
        namedtype.OptionalNamedType('senderNonce', univ.OctetString().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 5))),
        namedtype.OptionalNamedType('recipNonce', univ.OctetString().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 6))),
        namedtype.OptionalNamedType('freeText', PKIFreeText().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 7))),
        # NOTE(review): the ASN.1 above puts SIZE (1..MAX) and the [8] tag on
        # the SEQUENCE OF, but here both the subtypeSpec and the explicitTag
        # are attached to the InfoTypeAndValue element type rather than to
        # the univ.SequenceOf wrapper -- confirm this is the intended layout.
        namedtype.OptionalNamedType('generalInfo', univ.SequenceOf(
            componentType=InfoTypeAndValue().subtype(
                subtypeSpec=constraint.ValueSizeConstraint(1, MAX),
                explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 8)
            )
        ))
    )
def addNameConstraints(self, constraints, critical):
    """Add a NameConstraints extension described by ``constraints``.

    ``constraints`` has the form ``permitted:<names>`` or
    ``excluded:<names>``, where ``<names>`` is a comma-separated list.
    A name containing ``/`` is parsed into a directoryName via
    stringToDN (tagged [4]); any other name is used verbatim as a
    dNSName.  Only the selected subtree list (permittedSubtrees [0] or
    excludedSubtrees [1]) is set on the extension, which is then added
    with the given ``critical`` flag.

    Raises UnknownNameConstraintsSpecificationError when the string
    starts with neither ``permitted:`` nor ``excluded:``.
    """
    nameConstraints = rfc2459.NameConstraints()
    kinds = (
        ('permitted:', 'permittedSubtrees', 0),
        ('excluded:', 'excludedSubtrees', 1),
    )
    for prefix, fieldName, tagNumber in kinds:
        if constraints.startswith(prefix):
            break
    else:
        raise UnknownNameConstraintsSpecificationError(constraints)

    # GeneralSubtrees is IMPLICITLY tagged [0]/[1] inside NameConstraints.
    subtreeList = rfc2459.GeneralSubtrees().subtype(
        implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, tagNumber))
    # Everything after the first ':' is the comma-separated name list.
    nameSpec = constraints.partition(':')[2]
    for position, rawName in enumerate(nameSpec.split(',')):
        base = rfc2459.GeneralName()
        if '/' in rawName:
            base['directoryName'] = stringToDN(
                rawName, tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4))
        else:
            base['dNSName'] = rawName
        subtree = rfc2459.GeneralSubtree()
        subtree['base'] = base
        subtreeList.setComponentByPosition(position, subtree)

    nameConstraints[fieldName] = subtreeList
    self.addExtension(rfc2459.id_ce_nameConstraints, nameConstraints, critical)
def addSubjectAlternativeName(self, names, critical):
    """Add a SubjectAltName extension built from the comma-separated ``names``.

    Each entry becomes one GeneralName, chosen by its shape:
      * contains ``/``        -> directoryName via stringToDN (tagged [4])
      * contains ``@``        -> rfc822Name
      * starts with ``ip4:``  -> iPAddress (the 4 packed IPv4 bytes)
      * anything else         -> dNSName, after ``unicode_escape`` decoding
    The extension is added with the given ``critical`` flag.
    """
    IPV4_PREFIX = "ip4:"

    def toGeneralName(entry):
        # Build the GeneralName for a single entry of the list.
        result = rfc2459.GeneralName()
        if "/" in entry:
            result["directoryName"] = stringToDN(
                entry, tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4)
            )
        elif "@" in entry:
            result["rfc822Name"] = entry
        elif entry.startswith(IPV4_PREFIX):
            # inet_pton rejects anything that is not a valid dotted quad and
            # returns the raw 4-byte address the iPAddress choice expects.
            result["iPAddress"] = socket.inet_pton(
                socket.AF_INET, entry[len(IPV4_PREFIX):]
            )
        else:
            # Escapes written in the spec such as '\0' (backslash followed
            # by the digit zero) are decoded into the actual byte (here a
            # NUL), and that decoded text is what lands in the dNSName.
            result["dNSName"] = six.ensure_binary(entry).decode(
                "unicode_escape"
            )
        return result

    altNames = rfc2459.SubjectAltName()
    for position, entry in enumerate(names.split(",")):
        altNames.setComponentByPosition(position, toGeneralName(entry))
    self.addExtension(rfc2459.id_ce_subjectAltName, altNames, critical)
def __init__(self, altnames):
    """Build a SubjectAltName extension value.

    :altnames: a list of ``(type, value)`` pairs, where ``value`` depends
               on ``type``:
        'otherName'                 : ('OID', 'byte string')
        'ediPartyName'              : ('string', 'string') or 'string'
        'x400Address'               : 'byte string'
        'directoryName'             : [('OID', 'string'), ...]
        'dNSName'                   : string
        'uniformResourceIdentifier' : string
        'iPAddress'                 : string
        'registeredID'              : string

    Each ``type`` is resolved with getattr to a converter of the same
    name on ``self``; the converted value is stored under that name in a
    GeneralName.  The DER encoding of the assembled SubjectAltName is
    handed to the base class together with id_ce_subjectAltName.
    """
    altName = rfc2459.SubjectAltName()
    for position, (kind, raw) in enumerate(altnames):
        # The converter is looked up purely by attribute name, so any
        # attribute of self named like ``kind`` is reachable here, not
        # only the types documented above.
        convert = getattr(self, kind, None)
        # This validation is an assert and is skipped under ``python -O``.
        assert convert is not None, 'unsupported element type {0}'.format(kind)
        entry = rfc2459.GeneralName()
        entry.setComponentByName(kind, convert(raw))
        altName.setComponentByPosition(position, entry)
    super(SubjectAltName, self).__init__(
        rfc2459.id_ce_subjectAltName, encoder.encode(altName))
def addNameConstraints(self, constraints, critical):
    """Add a NameConstraints extension from the comma-separated ``constraints``.

    Every entry has the form ``permitted:<name>`` or ``excluded:<name>``;
    an entry with any other prefix raises
    UnknownNameConstraintsSpecificationError.  A name containing ``/`` is
    parsed into a directoryName via stringToDN (tagged [4]); anything
    else is used verbatim as a dNSName.  Both permittedSubtrees ([0]) and
    excludedSubtrees ([1]) are assigned, even when no entry targeted one
    of them.  The extension is added with the given ``critical`` flag.
    """
    nameConstraints = rfc2459.NameConstraints()
    buckets = {'permitted': [], 'excluded': []}
    for entry in constraints.split(','):
        # Exactly one ':' per entry; any other count fails the unpacking.
        (kind, nameData) = entry.split(':')
        if kind not in buckets:
            raise UnknownNameConstraintsSpecificationError(kind)
        buckets[kind].append(nameData)

    layout = (
        ('permitted', 'permittedSubtrees', 0),
        ('excluded', 'excludedSubtrees', 1),
    )
    for kind, fieldName, tagNumber in layout:
        # GeneralSubtrees is IMPLICITLY tagged inside NameConstraints.
        subtreeList = rfc2459.GeneralSubtrees().subtype(
            implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, tagNumber))
        for position, rawName in enumerate(buckets[kind]):
            base = rfc2459.GeneralName()
            if '/' in rawName:
                base['directoryName'] = stringToDN(
                    rawName, tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4))
            else:
                base['dNSName'] = rawName
            subtree = rfc2459.GeneralSubtree()
            subtree['base'] = base
            subtreeList.setComponentByPosition(position, subtree)
        # NOTE(review): an empty list is still assigned here; whether pyasn1
        # omits an empty optional SequenceOf when encoding depends on its
        # isValue semantics -- confirm against the pyasn1 version in use.
        nameConstraints[fieldName] = subtreeList
    self.addExtension(rfc2459.id_ce_nameConstraints, nameConstraints, critical)
class PKIHeader(univ.Sequence):
    """CMP message header.

    Field order and tags: pvno (INTEGER, cmp1999(1) / cmp2000(2)),
    sender and recipient (GeneralName), then the optional, EXPLICITLY
    tagged fields messageTime [0], protectionAlg [1], senderKID [2],
    recipKID [3], transactionID [4], senderNonce [5], recipNonce [6],
    freeText [7] and generalInfo [8].
    """
    componentType = namedtype.NamedTypes(
        # pvno: protocol version, restricted to the two named values.
        namedtype.NamedType(
            'pvno',
            univ.Integer(
                namedValues=namedval.NamedValues(('cmp1999', 1), ('cmp2000', 2)))),
        namedtype.NamedType('sender', rfc2459.GeneralName()),
        namedtype.NamedType('recipient', rfc2459.GeneralName()),
        namedtype.OptionalNamedType(
            'messageTime',
            useful.GeneralizedTime().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 0))),
        # AlgorithmIdentifier and PKIFreeText are SEQUENCE-based, hence the
        # constructed tag format on [1] and [7].
        namedtype.OptionalNamedType(
            'protectionAlg',
            rfc2459.AlgorithmIdentifier().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatConstructed, 1))),
        namedtype.OptionalNamedType(
            'senderKID',
            rfc2459.KeyIdentifier().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 2))),
        namedtype.OptionalNamedType(
            'recipKID',
            rfc2459.KeyIdentifier().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 3))),
        namedtype.OptionalNamedType(
            'transactionID',
            univ.OctetString().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 4))),
        namedtype.OptionalNamedType(
            'senderNonce',
            univ.OctetString().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 5))),
        namedtype.OptionalNamedType(
            'recipNonce',
            univ.OctetString().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 6))),
        namedtype.OptionalNamedType(
            'freeText',
            PKIFreeText().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatConstructed, 7))),
        # NOTE(review): the SIZE (1, MAX) constraint and the [8] tag are
        # attached to the InfoTypeAndValue element type rather than to the
        # univ.SequenceOf wrapper -- confirm this is the intended layout.
        namedtype.OptionalNamedType(
            'generalInfo',
            univ.SequenceOf(componentType=InfoTypeAndValue().subtype(
                subtypeSpec=constraint.ValueSizeConstraint(1, MAX),
                explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 8)))))
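class GeneralSubtree(univ.Sequence):
    """
    GeneralSubtree ::= SEQUENCE {
        base        GeneralName,
        minimum [0] BaseDistance DEFAULT 0,
        maximum [1] BaseDistance OPTIONAL
    }

    ``minimum`` and ``maximum`` are IMPLICITLY tagged BaseDistance values,
    i.e. INTEGERs.  An implicit tag replaces the INTEGER's own tag but
    keeps its primitive encoding, so the context tags must use
    ``tagFormatSimple``.  Using ``tagFormatConstructed`` here sets the
    constructed bit on the encoded tag of an INTEGER, which is not a
    valid encoding for a primitive type and differs from the tag format
    pyasn1-modules' own rfc2459.GeneralSubtree uses.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('base', rfc2459.GeneralName()),
        # DEFAULT 0: a decoder supplies 0 when the field is absent.
        namedtype.DefaultedNamedType('minimum', rfc2459.BaseDistance(0).subtype(
            implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
        namedtype.OptionalNamedType('maximum', rfc2459.BaseDistance().subtype(
            implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1)))
    )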
class AccessDescription(univ.Sequence):
    """
    AccessDescription ::= SEQUENCE {
        accessMethod    OBJECT IDENTIFIER,
        accessLocation  GeneralName
    }
    """
    # Both components are mandatory and untagged: accessMethod is the OID
    # identifying the access service, accessLocation says where it lives.
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('accessMethod', univ.ObjectIdentifier()),
        namedtype.NamedType('accessLocation', rfc2459.GeneralName()))
def addSubjectAlternativeName(self, dNSNames, critical):
    """Add a SubjectAltName extension with one dNSName per entry of ``dNSNames``.

    ``dNSNames`` is comma-separated.  Each entry is run through the
    ``string_escape`` codec (a Python 2 ``str.decode`` codec), so an
    escape written in the spec such as ``\\0`` becomes the real byte.
    The extension is added with the given ``critical`` flag.
    """
    altNames = rfc2459.SubjectAltName()
    for position, entry in enumerate(dNSNames.split(',')):
        # '\0' in the spec (a backslash followed by the digit zero) has to
        # turn into the actual NUL byte before it goes into the dNSName.
        decoded = entry.decode(encoding='string_escape')
        generalName = rfc2459.GeneralName()
        generalName.setComponentByName('dNSName', decoded)
        altNames.setComponentByPosition(position, generalName)
    self.addExtension(rfc2459.id_ce_subjectAltName, altNames, critical)
def stringToAccessDescription(string):
    """Wrap a URI string into an OCSP AccessDescription.

    ``string`` is taken to be the URI of an OCSP responder: it becomes
    the uniformResourceIdentifier choice of the accessLocation
    GeneralName, and accessMethod is fixed to id_ad_ocsp.  The result is
    a plain univ.Sequence with the two components set positionally
    (accessMethod at 0, accessLocation at 1), the AccessDescription
    shape pyasn1 expects.
    """
    location = rfc2459.GeneralName()
    location['uniformResourceIdentifier'] = string
    description = univ.Sequence()
    for position, component in enumerate((rfc2459.id_ad_ocsp, location)):
        description.setComponentByPosition(position, component)
    return description
def addSubjectAlternativeName(self, names, critical):
    """Add a SubjectAltName extension from the comma-separated ``names``.

    An entry containing ``/`` is parsed into a directoryName via
    stringToDN (tagged [4]); every other entry becomes a dNSName after
    ``string_escape`` decoding (a Python 2 ``str.decode`` codec), so an
    escape written in the spec such as ``\\0`` becomes the real byte.
    The extension is added with the given ``critical`` flag.
    """
    altNames = rfc2459.SubjectAltName()
    for position, entry in enumerate(names.split(',')):
        generalName = rfc2459.GeneralName()
        if '/' in entry:
            generalName.setComponentByName(
                'directoryName',
                stringToDN(entry, tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4)))
        else:
            # '\0' in the spec (a backslash followed by the digit zero) has
            # to turn into the actual NUL byte before it goes into the name.
            generalName.setComponentByName(
                'dNSName', entry.decode(encoding='string_escape'))
        altNames.setComponentByPosition(position, generalName)
    self.addExtension(rfc2459.id_ce_subjectAltName, altNames, critical)
class TBSRequest(univ.Sequence):
    """OCSP TBSRequest: the to-be-signed body of an OCSPRequest.

    Fields, in order: version [0] EXPLICIT DEFAULT 0, requestorName [1]
    EXPLICIT GeneralName OPTIONAL, requestList SEQUENCE OF Request, and
    requestExtensions [2] EXPLICIT Extensions OPTIONAL.
    """
    componentType = namedtype.NamedTypes(
        # DEFAULT 0: a decoder supplies Version(0) when the field is absent.
        namedtype.DefaultedNamedType(
            'version',
            Version(0).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
        namedtype.OptionalNamedType(
            'requestorName',
            rfc2459.GeneralName().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 1))),
        # One Request per certificate whose status is being asked for.
        namedtype.NamedType('requestList', univ.SequenceOf(componentType=Request())),
        namedtype.OptionalNamedType(
            'requestExtensions',
            rfc2459.Extensions().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 2))))
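def _build_cert_id():
    """CertID of the target certificate, from the module-level hash and serial constants."""
    certid = CertID()
    # The chained calls rely on setComponentByName returning the object itself.
    certid['hashAlgorithm'] = rfc2459.AlgorithmIdentifier()\
        .setComponentByName('algorithm', ALGORITHM)\
        .setComponentByName('parameters', univ.Any(hexValue=ALGO_PARAMS_HEX))
    certid['issuerNameHash'] = univ.OctetString(hexValue=ISSUER_NAME_HASH)
    certid['issuerKeyHash'] = univ.OctetString(hexValue=ISSUER_KEY_HASH)
    certid['serialNumber'] = rfc2459.CertificateSerialNumber(SERIAL_NUMBER)
    return certid


def _build_nonce_extension(nonce_ext_hex):
    """Non-critical id-pkix-ocsp-nonce extension whose extnValue is ``nonce_ext_hex``."""
    reqExt = rfc2459.Extension()
    reqExt['extnID'] = univ.ObjectIdentifier('1.3.6.1.5.5.7.48.1.2')
    # univ.Boolean(False) instead of the string 'False' (a named-value lookup
    # resolving to the same 0).
    reqExt['critical'] = univ.Boolean(False)
    # The hex is used as-is: it must already be the DER of the nonce OCTET STRING.
    reqExt['extnValue'] = univ.Any(hexValue=nonce_ext_hex)
    return reqExt


def _build_placeholder_signature():
    """Dummy Signature scaffold: sha1WithRSAEncryption, a fixed bit string and one empty Certificate.

    build_payload does not attach it (see the commented optionalSignature
    line there).  TODO: fill cert?
    """
    signature = Signature()
    signature['signatureAlgorithm'] = rfc2459.AlgorithmIdentifier()\
        .setComponentByName('algorithm', rfc2437.sha1WithRSAEncryption)
    signature['signature'] = univ.BitString("'010101010101'B")
    certs = univ.SequenceOf(componentType=rfc2459.Certificate()).subtype(
        explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)
    )
    certs[0] = rfc2459.Certificate()
    signature['certs'] = certs
    return signature


def build_payload(nonce_ext_hex='04120410236e5193af7958f49edcc756ed6c6dd3'):
    """Assemble an unsigned OCSPRequest for the certificate described by the module constants.

    The request carries a single Request whose CertID is built from
    ALGORITHM / ALGO_PARAMS_HEX / ISSUER_NAME_HASH / ISSUER_KEY_HASH /
    SERIAL_NUMBER, plus one request extension: id-pkix-ocsp-nonce
    (1.3.6.1.5.5.7.48.1.2), non-critical, whose extnValue is the raw
    bytes of ``nonce_ext_hex``.

    Args:
        nonce_ext_hex: hex string placed verbatim into the nonce
            extension's extnValue.  The default is a fixed value, so two
            calls yield byte-identical requests and a cached or replayed
            response matches both; pass a fresh random value per request
            when the nonce is meant to provide freshness.

    Returns:
        An OCSPRequest with tbsRequest filled in.  requestorName,
        singleRequestExtension and optionalSignature are left absent (see
        the commented scaffolding below).
    """
    request = Request()
    request['reqCert'] = _build_cert_id()
    # optional field; not set in this payload
    #request['singleRequestExtension'] = ...

    requestList = univ.SequenceOf(componentType=Request())
    requestList[0] = request

    reqExts = rfc2459.Extensions().subtype(
        explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))
    reqExts[0] = _build_nonce_extension(nonce_ext_hex)

    tbsReq = TBSRequest()
    # optional
    # TODO: fill name?
    #tbsReq['requestorName'] = rfc2459.GeneralName()
    tbsReq['requestList'] = requestList
    # optional
    tbsReq['requestExtensions'] = reqExts
    tbsReq['version'] = Version(0).subtype(
        explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))

    req = OCSPRequest()
    req['tbsRequest'] = tbsReq
    # optional signature; the placeholder is built only when attached
    #req['optionalSignature'] = _build_placeholder_signature()
    return req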