def create(cls, parameters):
asn1 = rfc2459.SubjectPublicKeyInfo()
asn1["algorithm"] = rfc2459.AlgorithmIdentifier()
asn1["algorithm"][
"algorithm"] = OIDDB.KeySpecificationAlgorithms.inverse(
"id-dsa").to_asn1()
asn1["algorithm"]["algorithm"] = parameters["curve"].oid.to_asn1()
inner_key = parameters["curve"].point(parameters["x"],
parameters["y"]).encode()
asn1["subjectPublicKey"] = ASN1Tools.bytes2bitstring(inner_key)
return asn1
def _forge_cert(self, cert_issuer_id, issuer, cert_subject_id, subject):
self._log.debug("Forging chain element %d -> %d: %s -> %s", cert_issuer_id, cert_subject_id, issuer, subject)
issuer_key_filename = self._args.key_template % (cert_issuer_id)
key_filename = self._args.key_template % (cert_subject_id)
crt_filename = self._args.cert_template % (cert_subject_id)
if (not os.path.isfile(key_filename)) or self._args.force:
OpenSSLTools.create_private_key(PrivateKeyStorage(storage_form = PrivateKeyStorageForm.PEM_FILE, filename = key_filename), subject.pubkey.keyspec)
# Read new private key and convert to public key
with tempfile.NamedTemporaryFile(prefix = "pubkey_", suffix = ".pem") as pubkey_file:
OpenSSLTools.private_to_public(key_filename, pubkey_file.name)
subject_pubkey = PublicKey.read_pemfile(pubkey_file.name)[0]
# Do the same for the issuer key to get the issuer key ID
with tempfile.NamedTemporaryFile(prefix = "pubkey_", suffix = ".pem") as pubkey_file:
OpenSSLTools.private_to_public(issuer_key_filename, pubkey_file.name)
issuer_pubkey = PublicKey.read_pemfile(pubkey_file.name)[0]
# Replace public key first
forged_cert_asn1 = subject.asn1_clone
forged_cert_asn1["tbsCertificate"]["subjectPublicKeyInfo"] = subject_pubkey.asn1
# Do identifiers need to be recalculated?
if self._args.recalculate_keyids:
if subject.extensions.has(OIDDB.X509Extensions.inverse("SubjectKeyIdentifier")):
# Replace subject key identifier
new_key_id = subject_pubkey.keyid()
replacement_extension = X509SubjectKeyIdentifierExtension.construct(new_key_id)
subject.extensions.filter(OIDDB.X509Extensions.inverse("SubjectKeyIdentifier"), replacement_extension)
if subject.extensions.has(OIDDB.X509Extensions.inverse("AuthorityKeyIdentifier")):
# Replace authority key identifier
new_key_id = issuer_pubkey.keyid()
replacement_extension = X509AuthorityKeyIdentifierExtension.construct(new_key_id)
subject.extensions.filter(OIDDB.X509Extensions.inverse("AuthorityKeyIdentifier"), replacement_extension)
forged_cert_asn1["tbsCertificate"]["extensions"] = subject.extensions.to_asn1()
# Re-serialize certificate
forged_cert = X509Certificate.from_asn1(forged_cert_asn1)
# Then sign the modified certifiate
signature = OpenSSLTools.sign_data(subject.signature_algorithm, issuer_key_filename, forged_cert.signed_payload)
# Finally, place the signature into the certificate
forged_cert_asn1["signatureValue"] = ASN1Tools.bytes2bitstring(signature)
forged_cert = X509Certificate.from_asn1(forged_cert_asn1)
forged_cert.write_pemfile(crt_filename)
def create(cls, parameters):
asn1 = rfc2459.SubjectPublicKeyInfo()
asn1["algorithm"] = rfc2459.AlgorithmIdentifier()
asn1["algorithm"][
"algorithm"] = OIDDB.KeySpecificationAlgorithms.inverse(
"rsaEncryption").to_asn1()
asn1["algorithm"]["parameters"] = pyasn1.type.univ.Any(
value=pyasn1.codec.der.encoder.encode(pyasn1.type.univ.Null()))
inner_key = rfc2437.RSAPublicKey()
inner_key["modulus"] = pyasn1.type.univ.Integer(parameters["n"])
inner_key["publicExponent"] = pyasn1.type.univ.Integer(parameters["e"])
inner_key = pyasn1.codec.der.encoder.encode(inner_key)
asn1["subjectPublicKey"] = ASN1Tools.bytes2bitstring(inner_key)
return asn1
def create(cls, parameters):
asn1 = rfc2459.SubjectPublicKeyInfo()
asn1["algorithm"] = rfc2459.AlgorithmIdentifier()
asn1["algorithm"][
"algorithm"] = OIDDB.KeySpecificationAlgorithms.inverse(
"id-dsa").to_asn1()
asn1["algorithm"]["parameters"] = rfc3279.Dss_Parms()
asn1["algorithm"]["parameters"]["p"] = parameters["p"]
asn1["algorithm"]["parameters"]["q"] = parameters["q"]
asn1["algorithm"]["parameters"]["g"] = parameters["g"]
inner_key = rfc3279.DSAPublicKey(parameters["pubkey"])
inner_key = pyasn1.codec.der.encoder.encode(inner_key)
asn1["subjectPublicKey"] = ASN1Tools.bytes2bitstring(inner_key)
return asn1
def create(cls, parameters):
asn1 = rfc2459.SubjectPublicKeyInfo()
asn1["algorithm"][
"algorithm"] = OIDDB.KeySpecificationAlgorithms.inverse(
"ecPublicKey").to_asn1()
if parameters["curve"].oid is not None:
asn1["algorithm"]["parameters"] = pyasn1.codec.der.encoder.encode(
parameters["curve"].oid.to_asn1())
else:
# TODO not implemented
#domain_params = SpecifiedECDomain()
#domain_params["version"] = 1
#asn1["algorithm"]["parameters"] = domain_params
raise NotImplementedError(
"Creation of explicitly specified elliptic curve domain parameters (i.e., non-named curves) is not implemented in x509sak"
)
inner_key = parameters["curve"].point(parameters["x"],
parameters["y"]).encode()
asn1["subjectPublicKey"] = ASN1Tools.bytes2bitstring(inner_key)
return asn1