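def get_subjectaltname(csr, datatype=PEM):
    """
    Given a CSR return the subjectaltname value, if any.

    ``csr``
      The certificate signing request, in the encoding named by
      ``datatype`` (``PEM`` by default); both are passed straight to
      ``load_certificate_request``.

    Returns ``None`` when the request carries no subjectAltName
    extension.  Otherwise returns a tuple of ``(type_string, name)``
    pairs, one per GeneralName: ``type_string`` is the NSS description
    of the name type and ``name`` the decoded value (Kerberos principal
    otherNames go through ``_decode_krb5principalname``, every other
    type uses the string NSS produced).

    Raises ``ValueError`` if NSS and pyasn1 disagree on how many names
    the extension holds; the two decodings are paired by position, so a
    mismatch would silently attach values to the wrong name type.
    """
    request = load_certificate_request(csr, datatype)
    # for/else: the else branch runs only when no SAN extension was found.
    for extension in request.extensions:
        if extension.oid_tag == nss.SEC_OID_X509_SUBJECT_ALT_NAME:
            break
    else:
        return None
    # Only the extension object is needed from here on.
    del request

    # The same extension bytes are decoded twice: NSS supplies the
    # display string per name, pyasn1 the raw structure needed to pull a
    # krb5 principal out of an otherName.
    nss_names = nss.x509_alt_name(extension.value, nss.AsObject)
    asn1_names = decoder.decode(extension.value.data,
                                asn1Spec=_SubjectAltName())[0]
    if len(nss_names) != len(asn1_names):
        raise ValueError(
            'subjectAltName count mismatch: nss decoded %d names, '
            'pyasn1 decoded %d' % (len(nss_names), len(asn1_names)))

    names = []
    for nss_name, asn1_name in zip(nss_names, asn1_names):
        name_type = nss_name.type_string
        if name_type == SAN_OTHERNAME_KRB5PRINCIPALNAME:
            name = _decode_krb5principalname(asn1_name['otherName']['value'])
        else:
            name = nss_name.name
        names.append((name_type, name))

    return tuple(names)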
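def get_subjectaltname(csr, datatype=PEM):
    """
    Given a CSR return the subjectaltname value, if any.

    ``csr``
      The certificate signing request; ``datatype`` (default ``PEM``)
      names its encoding.  Both go to ``load_certificate_request``.

    Returns ``None`` if there is no subjectAltName extension, else a
    tuple of ``(type_string, name)`` pairs in extension order.
    ``type_string`` is NSS's name-type description; ``name`` is the
    decoded value, using ``_decode_krb5principalname`` for Kerberos
    principal otherNames and NSS's own string for everything else.

    Raises ``ValueError`` when the NSS and pyasn1 decodings of the
    extension do not contain the same number of names, since the two
    lists are zipped together by position.
    """
    request = load_certificate_request(csr, datatype)
    san_extension = None
    for extension in request.extensions:
        if extension.oid_tag == nss.SEC_OID_X509_SUBJECT_ALT_NAME:
            san_extension = extension
            break
    del request
    if san_extension is None:
        return None

    # NSS gives the display strings, pyasn1 the structure we need for
    # the otherName payload; both decode the same DER bytes.
    nss_names = nss.x509_alt_name(san_extension.value, nss.AsObject)
    asn1_names = decoder.decode(san_extension.value.data,
                                asn1Spec=_SubjectAltName())[0]
    if len(nss_names) != len(asn1_names):
        raise ValueError(
            'subjectAltName count mismatch: nss decoded %d names, '
            'pyasn1 decoded %d' % (len(nss_names), len(asn1_names)))

    def decoded_name(nss_name, asn1_name):
        # krb5 principal otherNames are not rendered by NSS; decode them
        # from the pyasn1 structure instead.
        if nss_name.type_string == SAN_OTHERNAME_KRB5PRINCIPALNAME:
            return _decode_krb5principalname(asn1_name['otherName']['value'])
        return nss_name.name

    return tuple(
        (nss_name.type_string, decoded_name(nss_name, asn1_name))
        for nss_name, asn1_name in zip(nss_names, asn1_names))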
def get_subjectaltname(request):
    """
    Given a CSR return the subjectaltname value, if any.

    ``request`` is an already-loaded certificate request whose
    ``extensions`` are scanned for the subjectAltName OID tag.  The
    first match is decoded with ``nss.x509_alt_name`` and that result
    returned as-is; ``None`` means no such extension is present.
    """
    san_tag = nss.SEC_OID_X509_SUBJECT_ALT_NAME
    candidates = (ext for ext in request.extensions if ext.oid_tag == san_tag)
    san_extension = next(candidates, None)
    if san_extension is None:
        return None
    return nss.x509_alt_name(san_extension.value)
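def get_subjectaltname(csr):
    """
    Return the first value of the subject alt name, if any

    ``csr``
      The certificate signing request, handed to
      ``pkcs10.load_certificate_request``.

    Returns the first entry of ``nss.x509_alt_name`` for the
    subjectAltName extension, or ``None`` when the request has no such
    extension or the extension lists no names.

    Raises ``errors.CertificateOperationError`` when NSS fails to decode
    the request (``NSPRError``).
    """
    try:
        request = pkcs10.load_certificate_request(csr)
        for extension in request.extensions:
            if extension.oid_tag == nss.SEC_OID_X509_SUBJECT_ALT_NAME:
                names = nss.x509_alt_name(extension.value)
                # An empty GeneralNames list would otherwise raise
                # IndexError, which the except clause below does not cover.
                return names[0] if names else None
        return None
    except NSPRError:
        raise errors.CertificateOperationError(error=_('Failure decoding Certificate Signing Request'))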
def get_subjectaltname(request):
    """
    Given a CSR return the subjectaltname value, if any.

    Scans ``request.extensions`` for the subjectAltName OID tag.  For
    the first match, returns a tuple holding the ``name`` of every
    GeneralName whose ``type_name`` is ``SAN_DNSNAME``, in extension
    order (other name types are dropped).  Returns ``None`` when the
    request has no subjectAltName extension.
    """
    for ext in request.extensions:
        if ext.oid_tag != nss.SEC_OID_X509_SUBJECT_ALT_NAME:
            continue
        dns_names = []
        for general_name in nss.x509_alt_name(ext.value, nss.AsObject):
            if general_name.type_name == SAN_DNSNAME:
                dns_names.append(general_name.name)
        return tuple(dns_names)
    return None
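def get_subjectaltname(csr):
    """
    Return the first value of the subject alt name, if any

    ``csr``
      The certificate signing request, passed to
      ``pkcs10.load_certificate_request``.

    Returns the first name yielded by ``nss.x509_alt_name`` for the
    subjectAltName extension, or ``None`` if the request has no such
    extension or it contains no names.

    Raises ``errors.CertificateOperationError`` when NSS cannot decode
    the request (wrapping ``NSPRError``).
    """
    try:
        request = pkcs10.load_certificate_request(csr)
        for extension in request.extensions:
            if extension.oid_tag != nss.SEC_OID_X509_SUBJECT_ALT_NAME:
                continue
            names = nss.x509_alt_name(extension.value)
            # Guard the index: an empty name list is not an NSPRError and
            # would escape as IndexError.
            if not names:
                return None
            return names[0]
        return None
    except NSPRError:
        raise errors.CertificateOperationError(
            error=_('Failure decoding Certificate Signing Request'))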
def get_subjectaltname(request):
    """
    Given a CSR return the subjectaltname value, if any.

    Looks through ``request.extensions`` for the subjectAltName OID tag
    and, for the first one found, returns a tuple of the ``name`` of each
    GeneralName whose ``type_name`` equals ``SAN_DNSNAME``.  Names of
    other types are skipped.  ``None`` is returned when no subjectAltName
    extension exists.
    """
    san_tag = nss.SEC_OID_X509_SUBJECT_ALT_NAME
    for ext in request.extensions:
        if ext.oid_tag == san_tag:
            general_names = nss.x509_alt_name(ext.value, nss.AsObject)
            dns_only = [gn.name for gn in general_names
                        if gn.type_name == SAN_DNSNAME]
            return tuple(dns_only)
    return None
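def print_extension(level, extension):
    """
    Pretty-print one certificate extension at the given indentation level.

    ``level``
      Indentation level handed to ``nss.indented_format``; detail lines
      are printed one to three levels deeper.
    ``extension``
      An nss extension object; its ``name``, ``critical``, ``oid_tag``
      and ``value`` attributes are read.

    Extensions whose OID tag has no branch below get only the
    Name/Critical header.  A blank line always ends the output.
    """
    def line(lvl, text):
        # One indented line of output.
        print nss.indented_format([(lvl, text)])

    def block(lvl, lines):
        # Several pre-split lines (hex dumps, usage lists) at one level.
        print nss.indented_format(nss.make_line_fmt_tuples(lvl, lines))

    print nss.indented_format([(level, 'Name: %s' % extension.name),
                               (level, 'Critical: %s' % extension.critical)])

    oid_tag = extension.oid_tag

    if oid_tag == nss.SEC_OID_PKCS12_KEY_USAGE:
        line(level, 'Usages:')
        block(level + 1, nss.x509_key_usage(extension.value))

    elif oid_tag == nss.SEC_OID_X509_SUBJECT_KEY_ID:
        line(level, 'Data:')
        block(level + 1,
              extension.value.der_to_hex(nss.OCTETS_PER_LINE_DEFAULT))

    elif oid_tag == nss.SEC_OID_X509_CRL_DIST_POINTS:
        pts = nss.CRLDistributionPts(extension.value)
        line(level, 'CRL Distribution Points: [%d total]' % len(pts))
        # Count from 1: the previous hand-kept counter was never
        # incremented, so every point was labelled Point[1].
        for i, pt in enumerate(pts, 1):
            line(level + 1, 'Point[%d]:' % i)
            names = pt.get_general_names()
            line(level + 2, 'General Names: [%d total]' % len(names))
            for name in names:
                line(level + 3, '%s:' % name)
            line(level + 2, 'Reasons: %s' % (pt.get_reasons(),))
            line(level + 2, 'Issuer: %s' % pt.issuer)

    elif oid_tag == nss.SEC_OID_X509_AUTH_KEY_ID:
        auth_key_id = nss.AuthKeyID(extension.value)
        line(level + 1, 'Key ID:')
        block(level + 2,
              auth_key_id.key_id.to_hex(nss.OCTETS_PER_LINE_DEFAULT))
        line(level + 1, 'Serial Number: %s' % (auth_key_id.serial_number))
        # 'Issuer:' had no %s placeholder, so formatting it with a
        # non-empty name list raised TypeError; wrap the value in a
        # 1-tuple so a list/tuple result is rendered as one value.
        line(level + 1, 'Issuer: %s' % (auth_key_id.get_general_names(),))

    elif oid_tag == nss.SEC_OID_X509_BASIC_CONSTRAINTS:
        bc = nss.BasicConstraints(extension.value)
        line(level, '%s' % str(bc))

    elif oid_tag == nss.SEC_OID_X509_EXT_KEY_USAGE:
        line(level, 'Usages:')
        block(level + 1, nss.x509_ext_key_usage(extension.value))

    elif oid_tag in (nss.SEC_OID_X509_SUBJECT_ALT_NAME,
                     nss.SEC_OID_X509_ISSUER_ALT_NAME):
        names = nss.x509_alt_name(extension.value)
        line(level + 2, 'Alternate Names: [%d total]' % len(names))
        for name in names:
            line(level + 3, '%s:' % name)

    print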
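    def test_1(self):
        """
        Test CSR with subject alt name

        Loads test1.csr, checks the expected subject attributes and
        requires a subjectAltName extension whose first name is
        'testlow.example.com'.
        """
        csr = self.read_file("test1.csr")
        request = pkcs10.load_certificate_request(csr)

        subject = request.subject

        assert subject.common_name == 'test.example.com'
        assert subject.state_name == 'California'
        assert subject.country_name == 'US'

        # Collect the SAN extensions first: looping and asserting inside
        # the loop let the test pass when the extension was missing.
        san_extensions = [
            extension for extension in request.extensions
            if extension.oid_tag == nss.SEC_OID_X509_SUBJECT_ALT_NAME
        ]
        assert san_extensions, 'no subjectAltName extension in test1.csr'
        for extension in san_extensions:
            assert nss.x509_alt_name(extension.value)[0] == 'testlow.example.com'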
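    def test_1(self):
        """
        Test CSR with subject alt name

        Reads test1.csr, verifies the subject's CN/ST/C and insists that
        a subjectAltName extension is present with 'testlow.example.com'
        as its first name.
        """
        csr = self.read_file("test1.csr")
        request = pkcs10.load_certificate_request(csr)

        subject = request.subject

        assert subject.common_name == 'test.example.com'
        assert subject.state_name == 'California'
        assert subject.country_name == 'US'

        # Track whether the extension was seen at all; without this the
        # test silently passes for a CSR with no subjectAltName.
        found_san = False
        for extension in request.extensions:
            if extension.oid_tag == nss.SEC_OID_X509_SUBJECT_ALT_NAME:
                found_san = True
                assert nss.x509_alt_name(extension.value)[0] == 'testlow.example.com'
        assert found_san, 'no subjectAltName extension in test1.csr'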
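def decode_generalnames(secitem):
    """
    Decode a GeneralNames object (this is the data for the Subject
    Alt Name and Issuer Alt Name extensions, among others).

    ``secitem``
      The input is the DER-encoded extension data, without the
      OCTET STRING header, as an nss SecItem object.

    Return a list of ``GeneralNameInfo`` namedtuples.  The
    ``der_value`` field is set for otherNames, otherwise it is
    ``None``.

    Raise ``ValueError`` if NSS and pyasn1 disagree on how many names
    the sequence holds.  The two decodings are paired by position, so a
    mismatch would mislabel every name after the first divergence
    instead of failing loudly.

    """
    nss_names = nss.x509_alt_name(secitem, repr_kind=nss.AsObject)
    asn1_names = decoder.decode(secitem.data, asn1Spec=_SubjectAltName())[0]
    if len(nss_names) != len(asn1_names):
        raise ValueError(
            'GeneralNames count mismatch: nss decoded %d names, '
            'pyasn1 decoded %d' % (len(nss_names), len(asn1_names)))

    names = []
    for nss_name, asn1_name in zip(nss_names, asn1_names):
        # NOTE: we use the NSS enum to identify the name type.
        # (For otherName we also tuple it up with the type-id OID).
        # The enum does not correspond exactly to the ASN.1 tags.
        # If we ever want to switch to using the true tag numbers,
        # the expression to get the tag is:
        #
        #   asn1_name.getComponent().getTagSet()[0].asTuple()[2]
        #
        if nss_name.type_enum == nss.certOtherName:
            other_name = asn1_name['otherName']
            oid = str(other_name['type-id'])
            nametype = (nss_name.type_enum, oid)
            der_value = other_name['value'].asOctets()
        else:
            nametype = nss_name.type_enum
            der_value = None

        # NSS does not render krb5 principal otherNames; decode those
        # from the pyasn1 structure.
        if nametype == (nss.certOtherName, SAN_KRB5PRINCIPALNAME):
            name = _decode_krb5principalname(asn1_name['otherName']['value'])
        else:
            name = nss_name.name

        names.append(
            GeneralNameInfo(nametype, nss_name.type_string, name, der_value))

    return names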
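def decode_generalnames(secitem):
    """
    Decode a GeneralNames object (this is the data for the Subject
    Alt Name and Issuer Alt Name extensions, among others).

    ``secitem``
      The input is the DER-encoded extension data, without the
      OCTET STRING header, as an nss SecItem object.

    Return a list of ``GeneralNameInfo`` namedtuples.  The
    ``der_value`` field is set for otherNames, otherwise it is
    ``None``.

    Raise ``ValueError`` when the NSS and pyasn1 decodings do not
    contain the same number of names; they are zipped together by
    position, so unequal lengths would silently produce mispaired
    entries.

    """
    nss_names = nss.x509_alt_name(secitem, repr_kind=nss.AsObject)
    asn1_names = decoder.decode(secitem.data, asn1Spec=_SubjectAltName())[0]
    if len(nss_names) != len(asn1_names):
        raise ValueError(
            'GeneralNames count mismatch: nss decoded %d names, '
            'pyasn1 decoded %d' % (len(nss_names), len(asn1_names)))

    krb5_nametype = (nss.certOtherName, SAN_KRB5PRINCIPALNAME)

    def describe(nss_name, asn1_name):
        # NOTE: we use the NSS enum to identify the name type.
        # (For otherName we also tuple it up with the type-id OID).
        # The enum does not correspond exactly to the ASN.1 tags.
        # If we ever want to switch to using the true tag numbers,
        # the expression to get the tag is:
        #
        #   asn1_name.getComponent().getTagSet()[0].asTuple()[2]
        #
        if nss_name.type_enum == nss.certOtherName:
            other_name = asn1_name['otherName']
            nametype = (nss_name.type_enum, str(other_name['type-id']))
            der_value = other_name['value'].asOctets()
        else:
            nametype = nss_name.type_enum
            der_value = None

        # krb5 principal otherNames are decoded from the pyasn1 structure
        # because NSS does not render them.
        if nametype == krb5_nametype:
            name = _decode_krb5principalname(asn1_name['otherName']['value'])
        else:
            name = nss_name.name

        return GeneralNameInfo(nametype, nss_name.type_string, name, der_value)

    return [describe(nss_name, asn1_name)
            for nss_name, asn1_name in zip(nss_names, asn1_names)]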
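    def test_2(self):
        """
        Test CSR with subject alt name and a list of CRL distribution points

        Loads test2.csr, checks the subject attributes, and requires both
        a subjectAltName extension (first name 'testlow.example.com') and
        a cRLDistributionPoints extension whose first point lists the two
        expected URLs.
        """
        csr = self.read_file("test2.csr")
        request = pkcs10.load_certificate_request(csr)

        subject = request.subject

        assert subject.common_name == 'test.example.com'
        assert subject.state_name == 'California'
        assert subject.country_name == 'US'

        # Record which extensions were actually seen; asserting only
        # inside the loop let a CSR missing either extension pass.
        found_san = False
        found_crl = False
        for extension in request.extensions:
            if extension.oid_tag == nss.SEC_OID_X509_SUBJECT_ALT_NAME:
                found_san = True
                assert nss.x509_alt_name(extension.value)[0] == 'testlow.example.com'
            if extension.oid_tag == nss.SEC_OID_X509_CRL_DIST_POINTS:
                found_crl = True
                pts = nss.CRLDistributionPts(extension.value)
                urls = pts[0].get_general_names()
                assert 'http://ca.example.com/my.crl' in urls
                assert 'http://other.example.com/my.crl' in urls
        assert found_san, 'no subjectAltName extension in test2.csr'
        assert found_crl, 'no cRLDistributionPoints extension in test2.csr'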
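    def test_2(self):
        """
        Test CSR with subject alt name and a list of CRL distribution points

        Reads test2.csr, verifies CN/ST/C, then checks that the CSR carries
        a subjectAltName extension starting with 'testlow.example.com' and
        a cRLDistributionPoints extension whose first point names both
        expected CRL URLs.
        """
        csr = self.read_file("test2.csr")
        request = pkcs10.load_certificate_request(csr)

        subject = request.subject

        assert subject.common_name == 'test.example.com'
        assert subject.state_name == 'California'
        assert subject.country_name == 'US'

        extensions_by_tag = {}
        for extension in request.extensions:
            extensions_by_tag.setdefault(extension.oid_tag, extension)

        # Look the extensions up explicitly so a CSR lacking either one
        # fails instead of passing vacuously.
        san = extensions_by_tag.get(nss.SEC_OID_X509_SUBJECT_ALT_NAME)
        assert san is not None, 'no subjectAltName extension in test2.csr'
        assert nss.x509_alt_name(san.value)[0] == 'testlow.example.com'

        crl = extensions_by_tag.get(nss.SEC_OID_X509_CRL_DIST_POINTS)
        assert crl is not None, 'no cRLDistributionPoints extension in test2.csr'
        pts = nss.CRLDistributionPts(crl.value)
        urls = pts[0].get_general_names()
        assert 'http://ca.example.com/my.crl' in urls
        assert 'http://other.example.com/my.crl' in urls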
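def print_extension(level, extension):
    """
    Pretty-print one certificate extension at the given indentation level.

    ``level``
      Indentation level for ``nss.indented_format``; detail lines are
      printed one to three levels deeper.
    ``extension``
      An nss extension object; ``name``, ``critical``, ``oid_tag`` and
      ``value`` are read.

    Tags without a dedicated branch get only the Name/Critical header.
    The output always ends with a blank line.
    """
    def line(lvl, text):
        # One indented line of output.
        print(nss.indented_format([(lvl, text)]))

    def block(lvl, lines):
        # Several pre-split lines (hex dumps, usage lists) at one level.
        print(nss.indented_format(nss.make_line_fmt_tuples(lvl, lines)))

    print(
        nss.indented_format([(level, 'Name: %s' % extension.name),
                             (level, 'Critical: %s' % extension.critical)]))

    oid_tag = extension.oid_tag

    if oid_tag == nss.SEC_OID_PKCS12_KEY_USAGE:
        line(level, 'Usages:')
        block(level + 1, nss.x509_key_usage(extension.value))

    elif oid_tag == nss.SEC_OID_NS_CERT_EXT_CERT_TYPE:
        line(level, 'Types:')
        block(level + 1, nss.x509_cert_type(extension.value))

    elif oid_tag == nss.SEC_OID_X509_SUBJECT_KEY_ID:
        line(level, 'Data:')
        block(level + 1,
              extension.value.der_to_hex(nss.OCTETS_PER_LINE_DEFAULT))

    elif oid_tag == nss.SEC_OID_X509_CRL_DIST_POINTS:
        pts = nss.CRLDistributionPts(extension.value)
        line(level, 'CRL Distribution Points: [%d total]' % len(pts))
        for i, pt in enumerate(pts):
            line(level + 1, 'Point[%d]:' % i)
            names = pt.get_general_names()
            line(level + 2, 'General Names: [%d total]' % len(names))
            for name in names:
                line(level + 3, '%s:' % name)
            line(level + 2, 'Reasons: %s' % (pt.get_reasons(), ))
            line(level + 2, 'Issuer: %s' % pt.issuer)

    elif oid_tag == nss.SEC_OID_X509_AUTH_INFO_ACCESS:
        aias = nss.AuthorityInfoAccesses(extension.value)
        line(level, 'Authority Information Access: [%d total]' % len(aias))
        for i, aia in enumerate(aias):
            line(level + 1, 'Info[%d]:' % i)
            line(level + 2, 'Method: %s' % (aia.method_str, ))
            line(level + 2, 'Location: (%s) %s' %
                 (aia.location.type_string, aia.location.name))

    elif oid_tag == nss.SEC_OID_X509_AUTH_KEY_ID:
        auth_key_id = nss.AuthKeyID(extension.value)
        line(level + 1, 'Key ID:')
        block(level + 2,
              auth_key_id.key_id.to_hex(nss.OCTETS_PER_LINE_DEFAULT))
        line(level + 1, 'Serial Number: %s' % (auth_key_id.serial_number))
        # 'Issuer:' carried no %s placeholder, so applying % to a
        # non-empty name list raised TypeError; wrap the value in a
        # 1-tuple so a list/tuple result is rendered as one value.
        line(level + 1, 'Issuer: %s' % (auth_key_id.get_general_names(), ))

    elif oid_tag == nss.SEC_OID_X509_BASIC_CONSTRAINTS:
        bc = nss.BasicConstraints(extension.value)
        line(level, '%s' % str(bc))

    elif oid_tag == nss.SEC_OID_X509_EXT_KEY_USAGE:
        line(level, 'Usages:')
        block(level + 1, nss.x509_ext_key_usage(extension.value))

    elif oid_tag in (nss.SEC_OID_X509_SUBJECT_ALT_NAME,
                     nss.SEC_OID_X509_ISSUER_ALT_NAME):
        names = nss.x509_alt_name(extension.value)
        line(level + 2, 'Alternate Names: [%d total]' % len(names))
        for name in names:
            line(level + 3, '%s:' % name)

    print()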
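def print_extension(level, extension):
    """
    Pretty-print one certificate extension at the given indentation level.

    ``level``
      Base indentation level passed to ``nss.indented_format``; nested
      detail is emitted one to three levels deeper.
    ``extension``
      An nss extension object whose ``name``, ``critical``, ``oid_tag``
      and ``value`` attributes are read.

    Only the Name/Critical header is printed for OID tags that have no
    branch below.  A trailing blank line is always printed.
    """
    def emit(lvl, text):
        # One indented line of output.
        print(nss.indented_format([(lvl, text)]))

    def emit_lines(lvl, lines):
        # Several pre-split lines (hex dumps, usage lists) at one level.
        print(nss.indented_format(nss.make_line_fmt_tuples(lvl, lines)))

    print(nss.indented_format([(level, 'Name: %s' % extension.name),
                               (level, 'Critical: %s' % extension.critical)]))

    oid_tag = extension.oid_tag

    if oid_tag == nss.SEC_OID_PKCS12_KEY_USAGE:
        emit(level, 'Usages:')
        emit_lines(level + 1, nss.x509_key_usage(extension.value))

    elif oid_tag == nss.SEC_OID_NS_CERT_EXT_CERT_TYPE:
        emit(level, 'Types:')
        emit_lines(level + 1, nss.x509_cert_type(extension.value))

    elif oid_tag == nss.SEC_OID_X509_SUBJECT_KEY_ID:
        emit(level, 'Data:')
        emit_lines(level + 1,
                   extension.value.der_to_hex(nss.OCTETS_PER_LINE_DEFAULT))

    elif oid_tag == nss.SEC_OID_X509_CRL_DIST_POINTS:
        pts = nss.CRLDistributionPts(extension.value)
        emit(level, 'CRL Distribution Points: [%d total]' % len(pts))
        for i, pt in enumerate(pts):
            emit(level + 1, 'Point[%d]:' % i)
            names = pt.get_general_names()
            emit(level + 2, 'General Names: [%d total]' % len(names))
            for name in names:
                emit(level + 3, '%s:' % name)
            emit(level + 2, 'Reasons: %s' % (pt.get_reasons(),))
            emit(level + 2, 'Issuer: %s' % pt.issuer)

    elif oid_tag == nss.SEC_OID_X509_AUTH_INFO_ACCESS:
        aias = nss.AuthorityInfoAccesses(extension.value)
        emit(level, 'Authority Information Access: [%d total]' % len(aias))
        for i, aia in enumerate(aias):
            emit(level + 1, 'Info[%d]:' % i)
            emit(level + 2, 'Method: %s' % (aia.method_str,))
            emit(level + 2, 'Location: (%s) %s' % (aia.location.type_string, aia.location.name))

    elif oid_tag == nss.SEC_OID_X509_AUTH_KEY_ID:
        auth_key_id = nss.AuthKeyID(extension.value)
        emit(level + 1, 'Key ID:')
        emit_lines(level + 2,
                   auth_key_id.key_id.to_hex(nss.OCTETS_PER_LINE_DEFAULT))
        emit(level + 1, 'Serial Number: %s' % (auth_key_id.serial_number))
        # The old 'Issuer:' format string had no %s, so a non-empty
        # name list made the % operator raise TypeError; a 1-tuple makes
        # a list/tuple result print as a single value.
        emit(level + 1, 'Issuer: %s' % (auth_key_id.get_general_names(),))

    elif oid_tag == nss.SEC_OID_X509_BASIC_CONSTRAINTS:
        bc = nss.BasicConstraints(extension.value)
        emit(level, '%s' % str(bc))

    elif oid_tag == nss.SEC_OID_X509_EXT_KEY_USAGE:
        emit(level, 'Usages:')
        emit_lines(level + 1, nss.x509_ext_key_usage(extension.value))

    elif oid_tag in (nss.SEC_OID_X509_SUBJECT_ALT_NAME, nss.SEC_OID_X509_ISSUER_ALT_NAME):
        names = nss.x509_alt_name(extension.value)
        emit(level + 2, 'Alternate Names: [%d total]' % len(names))
        for name in names:
            emit(level + 3, '%s:' % name)

    print()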
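def print_extension(level, extension):
    """
    Pretty-print one certificate extension at the given indentation level.

    ``level``
      Indentation level given to ``nss.indented_format``; detail lines
      go one to three levels deeper.
    ``extension``
      An nss extension object; ``name``, ``critical``, ``oid_tag`` and
      ``value`` are read.

    Unhandled OID tags print only the Name/Critical header.  A blank
    line always terminates the output.
    """
    def line(lvl, text):
        # One indented line of output.
        print nss.indented_format([(lvl, text)])

    def block(lvl, lines):
        # Several pre-split lines (hex dumps, usage lists) at one level.
        print nss.indented_format(nss.make_line_fmt_tuples(lvl, lines))

    print nss.indented_format([(level, 'Name: %s' % extension.name),
                               (level, 'Critical: %s' % extension.critical)])

    oid_tag = extension.oid_tag

    if oid_tag == nss.SEC_OID_PKCS12_KEY_USAGE:
        line(level, 'Usages:')
        block(level + 1, nss.x509_key_usage(extension.value))

    elif oid_tag == nss.SEC_OID_X509_SUBJECT_KEY_ID:
        line(level, 'Data:')
        block(level + 1,
              extension.value.der_to_hex(nss.OCTETS_PER_LINE_DEFAULT))

    elif oid_tag == nss.SEC_OID_X509_CRL_DIST_POINTS:
        pts = nss.CRLDistributionPts(extension.value)
        line(level, 'CRL Distribution Points: [%d total]' % len(pts))
        # Number from 1: the previous hand-kept counter was never
        # incremented, so every point was labelled Point[1].
        for i, pt in enumerate(pts, 1):
            line(level + 1, 'Point[%d]:' % i)
            names = pt.get_general_names()
            line(level + 2, 'General Names: [%d total]' % len(names))
            for name in names:
                line(level + 3, '%s:' % name)
            line(level + 2, 'Reasons: %s' % (pt.get_reasons(), ))
            line(level + 2, 'Issuer: %s' % pt.issuer)

    elif oid_tag == nss.SEC_OID_X509_AUTH_KEY_ID:
        auth_key_id = nss.AuthKeyID(extension.value)
        line(level + 1, 'Key ID:')
        block(level + 2,
              auth_key_id.key_id.to_hex(nss.OCTETS_PER_LINE_DEFAULT))
        line(level + 1, 'Serial Number: %s' % (auth_key_id.serial_number))
        # 'Issuer:' had no %s placeholder, so formatting it with a
        # non-empty name list raised TypeError; a 1-tuple renders a
        # list/tuple result as a single value.
        line(level + 1, 'Issuer: %s' % (auth_key_id.get_general_names(), ))

    elif oid_tag == nss.SEC_OID_X509_BASIC_CONSTRAINTS:
        bc = nss.BasicConstraints(extension.value)
        line(level, '%s' % str(bc))

    elif oid_tag == nss.SEC_OID_X509_EXT_KEY_USAGE:
        line(level, 'Usages:')
        block(level + 1, nss.x509_ext_key_usage(extension.value))

    elif oid_tag in (nss.SEC_OID_X509_SUBJECT_ALT_NAME,
                     nss.SEC_OID_X509_ISSUER_ALT_NAME):
        names = nss.x509_alt_name(extension.value)
        line(level + 2, 'Alternate Names: [%d total]' % len(names))
        for name in names:
            line(level + 3, '%s:' % name)

    print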