예제 #1
0
    def encrypt(self, key_password):
        """
        Encrypts the private key, so that it can be saved to a keystore.

        This will make it necessary to decrypt it again if it is going to be used later.
        Has no effect if the entry is already encrypted.

        :param str key_password: The password to encrypt the entry with.
        """
        if not self.is_decrypted():
            return

        encrypted_private_key = sun_crypto.jks_pkey_encrypt(
            self.pkey_pkcs8, key_password)

        a = AlgorithmIdentifier()
        a.setComponentByName('algorithm', sun_crypto.SUN_JKS_ALGO_ID)
        a.setComponentByName('parameters', '\x05\x00')
        epki = rfc5208.EncryptedPrivateKeyInfo()
        epki.setComponentByName('encryptionAlgorithm', a)
        epki.setComponentByName('encryptedData', encrypted_private_key)

        self._encrypted = encoder.encode(epki)
        self._pkey = None
        self._pkey_pkcs8 = None
        self._algorithm_oid = None
예제 #2
0
    def new(cls, alias, certs, key, key_format='pkcs8'):
        """
        Helper function to create a new PrivateKeyEntry.

        :param str alias: The alias for the Private Key Entry
        :param list certs: An list of certificates, as byte strings.
          The first one should be the one belonging to the private key,
          the others the chain (in correct order).
        :param str key: A byte string containing the private key in the
          format specified in the key_format parameter (default pkcs8).
        :param str key_format: The format of the provided private key.
          Valid options are pkcs8 or rsa_raw. Defaults to pkcs8.

        :returns: A loaded :class:`PrivateKeyEntry` instance, ready
          to be placed in a keystore.

        :raises UnsupportedKeyFormatException: If the key format is
          unsupported.
        """
        timestamp = int(time.time()) * 1000

        cert_chain = []
        for cert in certs:
            cert_chain.append(('X.509', cert))

        pke = cls(
            timestamp=timestamp,
            # Alias must be lower case or it will corrupt the keystore for Java Keytool and Keytool Explorer
            alias=alias.lower(),
            cert_chain=cert_chain)

        if key_format == 'pkcs8':
            private_key_info = decoder.decode(
                key, asn1Spec=rfc5208.PrivateKeyInfo())[0]

            pke._algorithm_oid = private_key_info['privateKeyAlgorithm'][
                'algorithm'].asTuple()
            pke.pkey = private_key_info['privateKey'].asOctets()
            pke.pkey_pkcs8 = key

        elif key_format == 'rsa_raw':
            pke._algorithm_oid = RSA_ENCRYPTION_OID

            # We must encode it to pkcs8
            private_key_info = rfc5208.PrivateKeyInfo()
            private_key_info.setComponentByName('version', 'v1')
            a = AlgorithmIdentifier()
            a.setComponentByName('algorithm', pke._algorithm_oid)
            a.setComponentByName('parameters', '\x05\x00')
            private_key_info.setComponentByName('privateKeyAlgorithm', a)
            private_key_info.setComponentByName('privateKey', key)

            pke.pkey_pkcs8 = encoder.encode(private_key_info, ifNotEmpty=True)
            pke.pkey = key

        else:
            raise UnsupportedKeyFormatException(
                "Key Format '%s' is not supported" % key_format)

        return pke