class Request(univ.Sequence):
componentType = namedtype.NamedTypes(
namedtype.NamedType('reqCert', CertID()),
namedtype.OptionalNamedType(
'singleRequestExtensions',
rfc2459.Extensions().subtype(explicitTag=tag.Tag(
tag.tagClassContext, tag.tagFormatSimple, 0))))
def toDER(self):
tbsCertificate = rfc2459.TBSCertificate()
tbsCertificate.setComponentByName('version', self.getVersion())
tbsCertificate.setComponentByName('serialNumber',
self.getSerialNumber())
tbsCertificate.setComponentByName('signature', self.getSignature())
tbsCertificate.setComponentByName('issuer', self.getIssuer())
tbsCertificate.setComponentByName('validity', self.getValidity())
tbsCertificate.setComponentByName('subject', self.getSubject())
tbsCertificate.setComponentByName(
'subjectPublicKeyInfo', self.subjectKey.asSubjectPublicKeyInfo())
if self.extensions:
extensions = rfc2459.Extensions().subtype(explicitTag=tag.Tag(
tag.tagClassContext, tag.tagFormatSimple, 3))
count = 0
for extension in self.extensions:
extensions.setComponentByPosition(count, extension)
count += 1
tbsCertificate.setComponentByName('extensions', extensions)
certificate = rfc2459.Certificate()
certificate.setComponentByName('tbsCertificate', tbsCertificate)
certificate.setComponentByName('signatureAlgorithm',
self.getSignatureAlgorithm())
tbsDER = encoder.encode(tbsCertificate)
certificate.setComponentByName('signatureValue',
self.issuerKey.sign(tbsDER))
return encoder.encode(certificate)
class TBSRequest(univ.Sequence):
componentType = namedtype.NamedTypes(
namedtype.DefaultedNamedType('version', Version('v1').subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
namedtype.OptionalNamedType('requestorName', GeneralName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
namedtype.NamedType('requestList', univ.SequenceOf(Request())),
namedtype.OptionalNamedType('requestExtensions', rfc2459.Extensions().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2)))
)
def toDER(self):
tbsCertificate = rfc2459.TBSCertificate()
tbsCertificate.setComponentByName('version', self.getVersion())
tbsCertificate.setComponentByName('serialNumber',
self.getSerialNumber())
tbsCertificate.setComponentByName('signature', self.getSignature())
tbsCertificate.setComponentByName('issuer', self.getIssuer())
tbsCertificate.setComponentByName('validity', self.getValidity())
tbsCertificate.setComponentByName('subject', self.getSubject())
tbsCertificate.setComponentByName('subjectPublicKeyInfo',
self.getSubjectPublicKeyInfo())
if self.extensions:
extensions = rfc2459.Extensions().subtype(explicitTag=tag.Tag(
tag.tagClassContext, tag.tagFormatSimple, 3))
count = 0
for extension in self.extensions:
extensions.setComponentByPosition(count, extension)
count += 1
tbsCertificate.setComponentByName('extensions', extensions)
tbsDER = encoder.encode(tbsCertificate)
rsaPrivateKey = rsa.PrivateKey(self.sharedRSA_N, self.sharedRSA_E,
self.sharedRSA_D, self.sharedRSA_P,
self.sharedRSA_Q)
signature = rsa.sign(tbsDER, rsaPrivateKey, 'SHA-256')
certificate = rfc2459.Certificate()
certificate.setComponentByName('tbsCertificate', tbsCertificate)
certificate.setComponentByName('signatureAlgorithm',
self.getSignatureAlgorithm())
certificate.setComponentByName(
'signatureValue', byteStringToHexifiedBitString(signature))
return encoder.encode(certificate)
class RevAnnContent(univ.Sequence):
componentType = namedtype.NamedTypes(
namedtype.NamedType('status', PKIStatus()),
namedtype.NamedType('certId', rfc2511.CertId()),
namedtype.NamedType('willBeRevokedAt', useful.GeneralizedTime()),
namedtype.NamedType('badSinceDate', useful.GeneralizedTime()),
namedtype.OptionalNamedType('crlDetails', rfc2459.Extensions()))
class ResponseData(univ.Sequence):
componentType = namedtype.NamedTypes(
namedtype.DefaultedNamedType('version', Version('v1').subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
namedtype.NamedType('responderID', ResponderID().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))),
namedtype.NamedType('producedAt', useful.GeneralizedTime()),
namedtype.NamedType('responses', univ.SequenceOf(SingleResponse())),
namedtype.OptionalNamedType('responseExtensions', rfc2459.Extensions().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1)))
)
class SingleResponse(univ.Sequence):
componentType = namedtype.NamedTypes(
namedtype.NamedType('certID', CertID()),
namedtype.NamedType('certStatus', CertStatus()),
namedtype.NamedType('thisUpdate', useful.GeneralizedTime()),
namedtype.OptionalNamedType('nextUpdate', useful.GeneralizedTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
namedtype.OptionalNamedType('singleExtensions', rfc2459.Extensions().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1)))
)
class RevDetails(univ.Sequence):
"""
RevDetails ::= SEQUENCE {
certDetails CertTemplate,
crlEntryDetails Extensions OPTIONAL
}
"""
componentType = namedtype.NamedTypes(
namedtype.NamedType('certDetails', rfc2511.CertTemplate()),
namedtype.OptionalNamedType('crlEntryDetails', rfc2459.Extensions()))
class TBSCertificate(univ.Sequence):
componentType = namedtype.NamedTypes(
namedtype.DefaultedNamedType('version', rfc2459.Version('v1', tagSet=rfc2459.Version.tagSet.tagExplicitly(tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))),
namedtype.NamedType('serialNumber', rfc2459.CertificateSerialNumber()),
namedtype.NamedType('signature', AlgorithmIdentifier()),
namedtype.NamedType('issuer', rfc2459.Name()),
namedtype.NamedType('validity', rfc2459.Validity()),
namedtype.NamedType('subject', rfc2459.Name()),
namedtype.NamedType('subjectPublicKeyInfo', SubjectPublicKeyInfo()),
namedtype.OptionalNamedType('issuerUniqueID', rfc2459.UniqueIdentifier().subtype(implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
namedtype.OptionalNamedType('subjectUniqueID', rfc2459.UniqueIdentifier().subtype(implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))),
namedtype.OptionalNamedType('extensions', rfc2459.Extensions().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3)))
)
def add_extension(self, ext):
if not isinstance(ext, extension.X509Extension):
raise errors.X509Error("ext is not an anchor X509Extension")
attributes = self.get_attributes()
ext_attrs = [
a for a in attributes if a['type'] == OID_extensionRequest
]
if not ext_attrs:
new_attr_index = len(attributes)
attributes[new_attr_index] = None
ext_attr = attributes[new_attr_index]
ext_attr['type'] = OID_extensionRequest
ext_attr['vals'] = None
exts = rfc2459.Extensions()
else:
ext_attr = ext_attrs[0]
exts = decoder.decode(ext_attr['vals'][0].asOctets(),
asn1Spec=rfc2459.Extensions())[0]
new_ext_index = len(exts)
exts[new_ext_index] = ext._ext
ext_attr['vals'][0] = encoder.encode(exts)
class RevAnnContent(univ.Sequence):
"""
RevAnnContent ::= SEQUENCE {
status PKIStatus,
certId CertId,
willBeRevokedAt GeneralizedTime,
badSinceDate GeneralizedTime,
crlDetails Extensions OPTIONAL
}
"""
componentType = namedtype.NamedTypes(
namedtype.NamedType('status', PKIStatus()),
namedtype.NamedType('certId', rfc2511.CertId()),
namedtype.NamedType('willBeRevokedAt', useful.GeneralizedTime()),
namedtype.NamedType('badSinceDate', useful.GeneralizedTime()),
namedtype.OptionalNamedType('crlDetails', rfc2459.Extensions()))
def getTBSCertificate(self):
(signatureOID, _) = stringToAlgorithmIdentifiers(self.signature)
tbsCertificate = rfc2459.TBSCertificate()
tbsCertificate['version'] = self.getVersion()
tbsCertificate['serialNumber'] = self.getSerialNumber()
tbsCertificate['signature'] = signatureOID
tbsCertificate['issuer'] = self.getIssuer()
tbsCertificate['validity'] = self.getValidity()
tbsCertificate['subject'] = self.getSubject()
tbsCertificate['subjectPublicKeyInfo'] = self.subjectKey.asSubjectPublicKeyInfo()
if self.extensions:
extensions = rfc2459.Extensions().subtype(
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))
for count, extension in enumerate(self.extensions):
extensions.setComponentByPosition(count, extension)
tbsCertificate['extensions'] = extensions
return tbsCertificate
def get_extensions(self, ext_type=None):
"""Get the list of all X509 V3 Extensions on this CSR
:return: a list of X509Extension objects
"""
ext_attrs = [
a for a in self.get_attributes()
if a['type'] == OID_extensionRequest
]
if len(ext_attrs) == 0:
return []
else:
exts_der = ext_attrs[0]['vals'][0].asOctets()
exts = decoder.decode(exts_der, asn1Spec=rfc2459.Extensions())[0]
return [
extension.construct_extension(e) for e in exts
if ext_type is None or e['extnID'] == ext_type._oid
]
def build_payload():
# initializations
tbsReq = TBSRequest()
certid = CertID()
request = Request()
requestList = univ.SequenceOf(componentType=Request())
req = OCSPRequest()
reqExts = rfc2459.Extensions().subtype(
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))
reqExt = rfc2459.Extension()
signature = Signature()
certs = univ.SequenceOf(componentType=rfc2459.Certificate()).subtype(
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)
)
cert = rfc2459.Certificate()
name = rfc2459.GeneralName()
# assignments
certid['hashAlgorithm'] = rfc2459.AlgorithmIdentifier()\
.setComponentByName('algorithm', ALGORITHM)\
.setComponentByName('parameters', univ.Any(hexValue=ALGO_PARAMS_HEX))
certid['issuerNameHash'] = univ.OctetString(hexValue=ISSUER_NAME_HASH)
certid['issuerKeyHash'] = univ.OctetString(hexValue=ISSUER_KEY_HASH)
certid['serialNumber'] = rfc2459.CertificateSerialNumber(SERIAL_NUMBER)
request['reqCert'] = certid
# optional field
#request['singleRequestExtension'] = reqExt
reqExt['extnID'] = univ.ObjectIdentifier('1.3.6.1.5.5.7.48.1.2')
reqExt['critical'] = univ.Boolean('False')
reqExt['extnValue'] = univ.Any(hexValue='04120410236e5193af7958f49edcc756ed6c6dd3')
reqExts[0] = reqExt
requestList[0] = request
# optional
# TODO: fill name?
#tbsReq['requestorName'] = name
tbsReq['requestList'] = requestList
# optional
tbsReq['requestExtensions'] = reqExts
tbsReq['version'] = Version(0).subtype(
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))
# optional
# TODO fill cert?
signature['signatureAlgorithm'] = rfc2459.AlgorithmIdentifier()\
.setComponentByName('algorithm', rfc2437.sha1WithRSAEncryption)
signature['signature'] = univ.BitString("'010101010101'B")
certs[0] = cert
signature['certs'] = certs
req['tbsRequest'] = tbsReq
# optional signature
#req['optionalSignature'] = signature
return req
req['tbsRequest']['version'] = Version(0).subtype(
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))
request = Request()
certid = CertID()
request['reqCert'] = certid
certid['hashAlgorithm'] = rfc2459.AlgorithmIdentifier()\
.setComponentByName('algorithm', rfc2437.id_sha1)\
.setComponentByName('parameters', univ.Any(hexValue='0500'))
certid['issuerNameHash'] = univ.OctetString(
hexValue='01cb3044531fa8618a68d3c60596ab0555866b09')
certid['issuerKeyHash'] = univ.OctetString(
hexValue='31c3791bbaf553d717e0897a2d176c0ab32b9d33')
certid['serialNumber'] = rfc2459.CertificateSerialNumber(0)
req['tbsRequest']['requestList'] = univ.SequenceOf(
componentType=Request()).setComponentByPosition(0, request)
reqExts = rfc2459.Extensions().subtype(
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))
reqExt = rfc2459.Extension()
reqExt['extnID'] = univ.ObjectIdentifier('1.3.6.1.5.5.7.48.1.2')
reqExt['critical'] = univ.Boolean('False')
reqExt['extnValue'] = univ.Any(
hexValue='04120410236e5193af7958f49edcc756ed6c6dd3')
reqExts[0] = reqExt
req['tbsRequest']['requestExtensions'] = reqExts
print(req.prettyPrint())
print(encoder.encode(req))
else:
with open(sys.argv[1], 'rb') as fp:
for t in decoder.decode(fp.read(), asn1Spec=OCSPRequest()):
if hasattr(t, 'prettyPrint'):
print(t.prettyPrint())
def _build_extensionsForTbs(
extensionsfromcsr,
akipubkeybitstring=None,
skipubkeybitstring=None,
nsURL="https://www.github.com/MiwCryptoCurrency/UTXOC"):
count = 0
exts = rfc2459.Extensions().subtype(
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))
retval = rfc2459.Extensions()
## BASIC CONSTRAINTS
## we like basic constraints at the top. this is how openssl produces it
bc_ext = _find_basic_contraints(extensionsfromcsr)
if (bc_ext):
ext = _build_extensionFromAttributeExtension(bc_ext)
exts.setComponentByPosition(count, ext)
count += 1
## SKI
if skipubkeybitstring:
## tricky - SKI is a hash (keyid).
## rfc 5280 says use SHA1 of the raw bytes of the pubkey, dont encode as asn1 DER (ie: OctetString())
## SKI is stored in an encoded OctetString()
skider = bytearray(utility.bitStringtoOctetString(skipubkeybitstring))
#skihashfunction = SHA.new(skider)
skihashfunction = SHA256.new(skider)
skidgst = skihashfunction.digest()
extval = univ.OctetString(skidgst)
encapsulated = univ.OctetString(encoder.encode(extval))
extoid = utility.OID_subjectKeyIdentifier
ext = rfc2314.Extension()
ext.setComponentByName('extnID', extoid)
ext.setComponentByName('extnValue', encapsulated)
exts.setComponentByPosition(count, ext)
count += 1
## AKI
if akipubkeybitstring:
## tricky - AKI can be a DN or a keyid. Use KeyID
## rfc 5280 says use SHA1 of the raw bytes of the pubkey, dont encode as asn1 DER (ie: OctetString())
## AKI is stored in a SEQ
akider = bytearray(utility.bitStringtoOctetString(akipubkeybitstring))
#akihashfunction = SHA.new(akider)
akihashfunction = SHA256.new(akider)
akidgst = akihashfunction.digest()
extval = rfc2459.AuthorityKeyIdentifier()
extval.setComponentByPosition(0, akidgst)
encapsulated = univ.OctetString(encoder.encode(extval))
extoid = utility.OID_authorityKeyIdentifier
ext = rfc2314.Extension()
ext.setComponentByName('extnID', extoid)
ext.setComponentByName('extnValue', encapsulated)
exts.setComponentByPosition(count, ext)
count += 1
## put a few more in, so it looks all proper-like
## KEY USAGE
## a bitstring of:
## (1,1,1,1,1,1,1,1)= flags:
## Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement,
## Certificate Sign, CRL Sign, Encipher Only
## (1,1,1,0,0,1,1) = Digital Signature, Non Repudiation, Key Encipherment, Certificate Sign, CRL Sign
ku_bitstring = (1, 1, 1, 0, 0, 1, 1)
ext_ku = _build_key_usage(ku_bitstring)
## EXTENDED (or ENHANCED) KEY USAGE
## Sequence of OIDs encoded as an OctetString
req_ekus = (utility.OID_eku_serverAuth, utility.OID_eku_clientAuth,
utility.OID_eku_codeSigning,
utility.OID_eku_individualCodeSigning,
utility.OID_eku_certTrustListSigning,
utility.OID_eku_serverGatedCrypto,
utility.OID_eku_encryptedFileSystem,
utility.OID_eku_serverGatedCrypto)
ext_eku = _build_extended_key_usage(req_ekus)
ext_nsurl = _build_extension_netscapeURL(nsURL)
if (ext_ku):
exts.setComponentByPosition(count, ext_ku)
count += 1
if (ext_eku):
exts.setComponentByPosition(count, ext_eku)
count += 1
if (ext_nsurl):
exts.setComponentByPosition(count, ext_nsurl)
count += 1
## cycle through the rest of the requested extensions
## copy them as is, ignoring BC which we grabbed earlier
## also skip the supplied ku and eku and subst our own
for extension in extensionsfromcsr:
extoid = extension[0]
if (extoid == utility.OID_basicConstraints):
continue
if (extoid == utility.OID_eku):
continue
if (extoid == utility.OID_ku):
continue
if (extoid == utility.OID_san):
if not _validate_san(extension):
raise SANValidationException(
"Invalid SAN: does not contain valid address or UTXO")
ext = _build_extensionFromAttributeExtension(extension)
exts.setComponentByPosition(count, ext)
count += 1
return exts
def encode(cls, pki_key: object, **kwargs):
# Algorithm ID
alg_oid = cls.ALG_OID if type(
cls.ALG_OID) is str else cls.ALG_OID(pki_key)
alg_id = rfc2459.AlgorithmIdentifier()
alg_id['algorithm'] = ObjectIdentifier(alg_oid)
if cls.PARAM_ENCODER:
alg_id['parameters'] = Any(
encoder.encode(cls.PARAM_ENCODER.encode(pki_key)))
# Serial number
serial_num = rfc2459.CertificateSerialNumber(
kwargs.get('serial_number') or 0)
# Validity (time valid)
not_before = kwargs.get('not_before') or datetime.now()
not_after = kwargs.get('not_after') or not_before.replace(
year=not_before.year + 1)
validity = rfc2459.Validity()
validity['notBefore'] = rfc2459.Time()
validity['notBefore']['utcTime'] = UTCTime.fromDateTime(not_before)
validity['notAfter'] = rfc2459.Time()
validity['notAfter']['utcTime'] = UTCTime.fromDateTime(not_after)
# Public key serialization
pub_info = rfc2459.SubjectPublicKeyInfo()
pub_info['algorithm'] = alg_id
pub_info['subjectPublicKey'] = cls.PUB_KEY_ENCODER.encode(pki_key)
# Issuer RDN
issuer = rfc2459.Name()
issuer.setComponentByPosition(
0, parse_rdn(kwargs.get('issuer') or 'CN=ca'))
# Subject RDN
subject = rfc2459.Name()
subject.setComponentByPosition(
0, parse_rdn(kwargs.get('subject') or 'CN=ca'))
# Signature algorithm
signing_key = kwargs.get('signing_key') or pki_key
if not (kwargs.get('signing_alg')
or hasattr(signing_key, "X509_SIGNING_DEFAULT")):
raise ValueError(
"'signing_alg' not specified and 'signing_key' has no default algorithm"
)
signing_alg = (kwargs.get('signing_alg')
or signing_key.X509_SIGNING_DEFAULT).value
signature_alg = rfc2459.AlgorithmIdentifier()
signature_alg['algorithm'] = SIGNING_ALG_OIDS[signing_alg.name]
if cls.PARAM_ENCODER:
signature_alg['parameters'] = Any(
encoder.encode(cls.PARAM_ENCODER.encode(pki_key)))
# Extensions
extensions = rfc2459.Extensions().subtype(
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))
if kwargs.get('ca') and kwargs.get('ca') == True:
# SKI
pkey_bytes = Bytes(int(pub_info['subjectPublicKey']))
ski_ext = rfc2459.Extension()
ski_ext['extnID'] = ObjectIdentifier([2, 5, 29, 14])
ski_ext['extnValue'] = OctetString(
encoder.encode(
rfc2459.SubjectKeyIdentifier(SHA1().hash(pkey_bytes))))
# CA basic constraint
ca_value = rfc2459.BasicConstraints()
ca_value.setComponentByName('cA', True)
ca_ext = rfc2459.Extension()
ca_ext.setComponentByName('extnID', '2.5.29.19')
ca_ext.setComponentByName('critical', True)
ca_ext.setComponentByName('extnValue',
OctetString(encoder.encode(ca_value)))
extensions.setComponentByPosition(0, ski_ext)
extensions.setComponentByPosition(1, ca_ext)
# Put together the TBSCert
tbs_cert = rfc2459.TBSCertificate()
tbs_cert['version'] = 2
tbs_cert['serialNumber'] = serial_num
tbs_cert['signature'] = signature_alg
tbs_cert['issuer'] = issuer
tbs_cert['validity'] = validity
tbs_cert['subject'] = subject
tbs_cert['subjectPublicKeyInfo'] = pub_info
tbs_cert['issuerUniqueID'] = kwargs.get('issuer_unique_id') or 10
tbs_cert['subjectUniqueID'] = kwargs.get('subject_unique_id') or 11
if len(extensions):
tbs_cert['extensions'] = extensions
# Inject or compute the TBSCert signature
if kwargs.get('signature_value') is not None:
sig_value = Bytes.wrap(kwargs.get('signature_value')).int()
else:
encoded_tbs = encoder.encode(tbs_cert,
asn1Spec=rfc2459.TBSCertificate())
sig_value = signing_alg.sign(signing_key, encoded_tbs)
# Build the Cert object
cert = rfc2459.Certificate()
cert['tbsCertificate'] = tbs_cert
cert['signatureAlgorithm'] = signature_alg
cert['signatureValue'] = sig_value
encoded = encoder.encode(cert, asn1Spec=rfc2459.Certificate())
return X509Certificate.transport_encode(encoded, **kwargs)
class RevDetails(univ.Sequence):
componentType = namedtype.NamedTypes(
namedtype.NamedType('certDetails', rfc2511.CertTemplate()),
namedtype.OptionalNamedType('crlEntryDetails', rfc2459.Extensions()))
