class TBSCertificate(univ.Sequence):
componentType = namedtype.NamedTypes(
namedtype.DefaultedNamedType('version', rfc2459.Version('v1', tagSet=rfc2459.Version.tagSet.tagExplicitly(tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))),
namedtype.NamedType('serialNumber', rfc2459.CertificateSerialNumber()),
namedtype.NamedType('signature', AlgorithmIdentifier()),
namedtype.NamedType('issuer', rfc2459.Name()),
namedtype.NamedType('validity', rfc2459.Validity()),
namedtype.NamedType('subject', rfc2459.Name()),
namedtype.NamedType('subjectPublicKeyInfo', SubjectPublicKeyInfo()),
namedtype.OptionalNamedType('issuerUniqueID', rfc2459.UniqueIdentifier().subtype(implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))),
namedtype.OptionalNamedType('subjectUniqueID', rfc2459.UniqueIdentifier().subtype(implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))),
namedtype.OptionalNamedType('extensions', rfc2459.Extensions().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3)))
)
def _build_tbs(csr, days, network):
cri = csr.getComponentByName('certificationRequestInfo')
subject = cri.getComponentByName('subject')
subjectPublicKeyInfo = cri.getComponentByName('subjectPublicKeyInfo')
dt_now = datetime.datetime.utcnow()
later = datetime.timedelta(days=days)
dt_now_str = dt_now.strftime("%y%m%d%H%M%S") + "Z"
later_str = (dt_now + later).strftime("%y%m%d%H%M%S") + "Z"
notbefore = useful.UTCTime(dt_now_str)
notafter = useful.UTCTime(later_str)
validity = rfc2459.Validity()
validity.setComponentByName('notBefore', notbefore)
validity.setComponentByName('notAfter', notafter)
tbs = rfc2459.TBSCertificate()
tbs.setComponentByName(
'version',
rfc2459.Version('v3').subtype(
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
rndfile = Random.new()
serial = encoding.to_long(256, encoding.byte_to_int, rndfile.read(32))[0]
tbs.setComponentByName(
'serialNumber', rfc2459.CertificateSerialNumber(univ.Integer(serial)))
tbs.setComponentByName('signature',
csr.getComponentByName('signatureAlgorithm'))
tbs.setComponentByName('issuer', subject)
tbs.setComponentByName('validity', validity)
tbs.setComponentByName('subject', subject)
tbs.setComponentByName('subjectPublicKeyInfo', subjectPublicKeyInfo)
extensionstoadd = ""
attributes = cri.getComponentByName('attributes')
for attribute in attributes:
if (attribute.getComponentByName('type') ==
utility.OID_PKCShash9ExtensionRequest):
value = attribute[1]
## careful with decoder, it returns an implicit type in a tuple
extensionstoadd = decoder.decode(value[0])[0]
spk = subjectPublicKeyInfo.getComponentByName('subjectPublicKey')
## self siiiigned
extensions = _build_extensionsForTbs(extensionstoadd,
akipubkeybitstring=spk,
skipubkeybitstring=spk)
if extensions:
tbs.setComponentByName('extensions', extensions)
return tbs
def getValidity(self):
validity = rfc2459.Validity()
validity['notBefore'] = self.getNotBefore()
validity['notAfter'] = self.getNotAfter()
return validity
def getValidity(self):
validity = rfc2459.Validity()
validity.setComponentByName('notBefore', self.getNotBefore())
validity.setComponentByName('notAfter', self.getNotAfter())
return validity
def encode(cls, pki_key: object, **kwargs):
# Algorithm ID
alg_oid = cls.ALG_OID if type(
cls.ALG_OID) is str else cls.ALG_OID(pki_key)
alg_id = rfc2459.AlgorithmIdentifier()
alg_id['algorithm'] = ObjectIdentifier(alg_oid)
if cls.PARAM_ENCODER:
alg_id['parameters'] = Any(
encoder.encode(cls.PARAM_ENCODER.encode(pki_key)))
# Serial number
serial_num = rfc2459.CertificateSerialNumber(
kwargs.get('serial_number') or 0)
# Validity (time valid)
not_before = kwargs.get('not_before') or datetime.now()
not_after = kwargs.get('not_after') or not_before.replace(
year=not_before.year + 1)
validity = rfc2459.Validity()
validity['notBefore'] = rfc2459.Time()
validity['notBefore']['utcTime'] = UTCTime.fromDateTime(not_before)
validity['notAfter'] = rfc2459.Time()
validity['notAfter']['utcTime'] = UTCTime.fromDateTime(not_after)
# Public key serialization
pub_info = rfc2459.SubjectPublicKeyInfo()
pub_info['algorithm'] = alg_id
pub_info['subjectPublicKey'] = cls.PUB_KEY_ENCODER.encode(pki_key)
# Issuer RDN
issuer = rfc2459.Name()
issuer.setComponentByPosition(
0, parse_rdn(kwargs.get('issuer') or 'CN=ca'))
# Subject RDN
subject = rfc2459.Name()
subject.setComponentByPosition(
0, parse_rdn(kwargs.get('subject') or 'CN=ca'))
# Signature algorithm
signing_key = kwargs.get('signing_key') or pki_key
if not (kwargs.get('signing_alg')
or hasattr(signing_key, "X509_SIGNING_DEFAULT")):
raise ValueError(
"'signing_alg' not specified and 'signing_key' has no default algorithm"
)
signing_alg = (kwargs.get('signing_alg')
or signing_key.X509_SIGNING_DEFAULT).value
signature_alg = rfc2459.AlgorithmIdentifier()
signature_alg['algorithm'] = SIGNING_ALG_OIDS[signing_alg.name]
if cls.PARAM_ENCODER:
signature_alg['parameters'] = Any(
encoder.encode(cls.PARAM_ENCODER.encode(pki_key)))
# Extensions
extensions = rfc2459.Extensions().subtype(
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))
if kwargs.get('ca') and kwargs.get('ca') == True:
# SKI
pkey_bytes = Bytes(int(pub_info['subjectPublicKey']))
ski_ext = rfc2459.Extension()
ski_ext['extnID'] = ObjectIdentifier([2, 5, 29, 14])
ski_ext['extnValue'] = OctetString(
encoder.encode(
rfc2459.SubjectKeyIdentifier(SHA1().hash(pkey_bytes))))
# CA basic constraint
ca_value = rfc2459.BasicConstraints()
ca_value.setComponentByName('cA', True)
ca_ext = rfc2459.Extension()
ca_ext.setComponentByName('extnID', '2.5.29.19')
ca_ext.setComponentByName('critical', True)
ca_ext.setComponentByName('extnValue',
OctetString(encoder.encode(ca_value)))
extensions.setComponentByPosition(0, ski_ext)
extensions.setComponentByPosition(1, ca_ext)
# Put together the TBSCert
tbs_cert = rfc2459.TBSCertificate()
tbs_cert['version'] = 2
tbs_cert['serialNumber'] = serial_num
tbs_cert['signature'] = signature_alg
tbs_cert['issuer'] = issuer
tbs_cert['validity'] = validity
tbs_cert['subject'] = subject
tbs_cert['subjectPublicKeyInfo'] = pub_info
tbs_cert['issuerUniqueID'] = kwargs.get('issuer_unique_id') or 10
tbs_cert['subjectUniqueID'] = kwargs.get('subject_unique_id') or 11
if len(extensions):
tbs_cert['extensions'] = extensions
# Inject or compute the TBSCert signature
if kwargs.get('signature_value') is not None:
sig_value = Bytes.wrap(kwargs.get('signature_value')).int()
else:
encoded_tbs = encoder.encode(tbs_cert,
asn1Spec=rfc2459.TBSCertificate())
sig_value = signing_alg.sign(signing_key, encoded_tbs)
# Build the Cert object
cert = rfc2459.Certificate()
cert['tbsCertificate'] = tbs_cert
cert['signatureAlgorithm'] = signature_alg
cert['signatureValue'] = sig_value
encoded = encoder.encode(cert, asn1Spec=rfc2459.Certificate())
return X509Certificate.transport_encode(encoded, **kwargs)
