def _extract_extensions(self, cert):
extensions = cert.getComponentByName(
'tbsCertificate').getComponentByName('extensions')
is_ca = False
ocsp_urls = []
nocheck = False
for e in extensions:
oid = e.getComponentByName('extnID')
if oid == rfc2459.id_ce_basicConstraints:
constraints = der_decoder.decode(
e.getComponentByName('extnValue'),
asn1Spec=rfc2459.BasicConstraints())[0]
is_ca = constraints.getComponentByPosition(0)
elif oid == rfc2459.id_pe_authorityInfoAccess:
auth_info = der_decoder.decode(
e.getComponentByName('extnValue'),
asn1Spec=rfc2459.AuthorityInfoAccessSyntax())[0]
for a in auth_info:
if a.getComponentByName('accessMethod') == \
rfc2560.id_pkix_ocsp:
url = nat_encoder(
a.getComponentByName(
'accessLocation').getComponentByName(
'uniformResourceIdentifier'))
ocsp_urls.append(url)
elif oid == rfc2560.id_pkix_ocsp_nocheck:
nocheck = True
return nocheck, is_ca, ocsp_urls
def addBasicConstraints(self, basicConstraints, critical):
cA = basicConstraints.split(',')[0]
pathLenConstraint = basicConstraints.split(',')[1]
basicConstraintsExtension = rfc2459.BasicConstraints()
basicConstraintsExtension['cA'] = cA == 'cA'
if pathLenConstraint:
pathLenConstraintValue = \
univ.Integer(int(pathLenConstraint)).subtype(
subtypeSpec=constraint.ValueRangeConstraint(0, float('inf')))
basicConstraintsExtension['pathLenConstraint'] = pathLenConstraintValue
self.addExtension(rfc2459.id_ce_basicConstraints, basicConstraintsExtension, critical)
def addBasicConstraints(self, basicConstraints, critical):
cA = basicConstraints.split(',')[0]
pathLenConstraint = basicConstraints.split(',')[1]
basicConstraintsExtension = rfc2459.BasicConstraints()
basicConstraintsExtension.setComponentByName('cA', cA == 'cA')
if pathLenConstraint:
pathLenConstraintValue = \
univ.Integer(int(pathLenConstraint)).subtype(
subtypeSpec=constraint.ValueRangeConstraint(0, 64))
basicConstraintsExtension.setComponentByName('pathLenConstraint',
pathLenConstraintValue)
self.addExtension(rfc2459.id_ce_basicConstraints, basicConstraintsExtension, critical)
def addBasicConstraints(self, basicConstraints, critical):
cA = basicConstraints.split(",")[0]
pathLenConstraint = basicConstraints.split(",")[1]
basicConstraintsExtension = rfc2459.BasicConstraints()
basicConstraintsExtension["cA"] = cA == "cA"
if pathLenConstraint:
pathLenConstraintValue = univ.Integer(int(pathLenConstraint)).subtype(
subtypeSpec=constraint.ValueRangeConstraint(0, float("inf"))
)
basicConstraintsExtension["pathLenConstraint"] = pathLenConstraintValue
self.addExtension(
rfc2459.id_ce_basicConstraints, basicConstraintsExtension, critical
)
def encode(cls, pki_key: object, **kwargs):
# Algorithm ID
alg_oid = cls.ALG_OID if type(
cls.ALG_OID) is str else cls.ALG_OID(pki_key)
alg_id = rfc2459.AlgorithmIdentifier()
alg_id['algorithm'] = ObjectIdentifier(alg_oid)
if cls.PARAM_ENCODER:
alg_id['parameters'] = Any(
encoder.encode(cls.PARAM_ENCODER.encode(pki_key)))
# Serial number
serial_num = rfc2459.CertificateSerialNumber(
kwargs.get('serial_number') or 0)
# Validity (time valid)
not_before = kwargs.get('not_before') or datetime.now()
not_after = kwargs.get('not_after') or not_before.replace(
year=not_before.year + 1)
validity = rfc2459.Validity()
validity['notBefore'] = rfc2459.Time()
validity['notBefore']['utcTime'] = UTCTime.fromDateTime(not_before)
validity['notAfter'] = rfc2459.Time()
validity['notAfter']['utcTime'] = UTCTime.fromDateTime(not_after)
# Public key serialization
pub_info = rfc2459.SubjectPublicKeyInfo()
pub_info['algorithm'] = alg_id
pub_info['subjectPublicKey'] = cls.PUB_KEY_ENCODER.encode(pki_key)
# Issuer RDN
issuer = rfc2459.Name()
issuer.setComponentByPosition(
0, parse_rdn(kwargs.get('issuer') or 'CN=ca'))
# Subject RDN
subject = rfc2459.Name()
subject.setComponentByPosition(
0, parse_rdn(kwargs.get('subject') or 'CN=ca'))
# Signature algorithm
signing_key = kwargs.get('signing_key') or pki_key
if not (kwargs.get('signing_alg')
or hasattr(signing_key, "X509_SIGNING_DEFAULT")):
raise ValueError(
"'signing_alg' not specified and 'signing_key' has no default algorithm"
)
signing_alg = (kwargs.get('signing_alg')
or signing_key.X509_SIGNING_DEFAULT).value
signature_alg = rfc2459.AlgorithmIdentifier()
signature_alg['algorithm'] = SIGNING_ALG_OIDS[signing_alg.name]
if cls.PARAM_ENCODER:
signature_alg['parameters'] = Any(
encoder.encode(cls.PARAM_ENCODER.encode(pki_key)))
# Extensions
extensions = rfc2459.Extensions().subtype(
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))
if kwargs.get('ca') and kwargs.get('ca') == True:
# SKI
pkey_bytes = Bytes(int(pub_info['subjectPublicKey']))
ski_ext = rfc2459.Extension()
ski_ext['extnID'] = ObjectIdentifier([2, 5, 29, 14])
ski_ext['extnValue'] = OctetString(
encoder.encode(
rfc2459.SubjectKeyIdentifier(SHA1().hash(pkey_bytes))))
# CA basic constraint
ca_value = rfc2459.BasicConstraints()
ca_value.setComponentByName('cA', True)
ca_ext = rfc2459.Extension()
ca_ext.setComponentByName('extnID', '2.5.29.19')
ca_ext.setComponentByName('critical', True)
ca_ext.setComponentByName('extnValue',
OctetString(encoder.encode(ca_value)))
extensions.setComponentByPosition(0, ski_ext)
extensions.setComponentByPosition(1, ca_ext)
# Put together the TBSCert
tbs_cert = rfc2459.TBSCertificate()
tbs_cert['version'] = 2
tbs_cert['serialNumber'] = serial_num
tbs_cert['signature'] = signature_alg
tbs_cert['issuer'] = issuer
tbs_cert['validity'] = validity
tbs_cert['subject'] = subject
tbs_cert['subjectPublicKeyInfo'] = pub_info
tbs_cert['issuerUniqueID'] = kwargs.get('issuer_unique_id') or 10
tbs_cert['subjectUniqueID'] = kwargs.get('subject_unique_id') or 11
if len(extensions):
tbs_cert['extensions'] = extensions
# Inject or compute the TBSCert signature
if kwargs.get('signature_value') is not None:
sig_value = Bytes.wrap(kwargs.get('signature_value')).int()
else:
encoded_tbs = encoder.encode(tbs_cert,
asn1Spec=rfc2459.TBSCertificate())
sig_value = signing_alg.sign(signing_key, encoded_tbs)
# Build the Cert object
cert = rfc2459.Certificate()
cert['tbsCertificate'] = tbs_cert
cert['signatureAlgorithm'] = signature_alg
cert['signatureValue'] = sig_value
encoded = encoder.encode(cert, asn1Spec=rfc2459.Certificate())
return X509Certificate.transport_encode(encoded, **kwargs)
