def __parse__(self, data):
if data is not None:
if isinstance(data, list):
for cert in data:
try:
cert_data = base64.b64decode(cert)
except binascii.Error as e:
print("can't decode data")
# 删除无用数据
print(
'delete from cert_schema.cert_data where cert_data =\''
+ cert + '\'')
self.db.execute(
'delete from cert_schema.cert_data where cert_data =\''
+ cert + '\'')
data.remove(cert)
try:
certificate = x509.Certificate().load(cert_data)
except ValueError as e:
print("try load tbs certificate in python")
try:
certificate = x509.TbsCertificate.load(cert_data)
except ValueError as e:
print("can't load byte[] in python!")
# 删除无用数据
sql = 'delete from cert_schema.cert_data where cert_data = \''
self.db.execute(sql + cert + '\'')
data.remove(cert)
subject = self.parse_certificate(certificate)
# 将得到的证书信息插入到数据库中
self.write(subject)
def get_my_data(self, serial_number=None):
if serial_number is not None:
connect = BasicConnect(Config.rest_server_url, Config.rest_server_port)
response = connect.connection(Config.getMyData, serial_number)
data = response.read().decode('utf-8')
certificate_data = base64.b64decode(data)
return x509.Certificate().load(certificate_data)
def certsign(self, sn, pubKey, subject, until, caprivKey):
tbs = asn1x509.TbsCertificate({
'version':
'v1',
'serial_number':
sn,
'issuer':
asn1x509.Name.build({
'common_name': 'hsm CA',
}),
'subject':
asn1x509.Name.build({
'common_name': subject,
}),
'signature': {
'algorithm': 'sha256_rsa',
'parameters': None,
},
'validity': {
'not_before':
asn1x509.Time({
'utc_time':
datetime.datetime.now(tz=asn1util.timezone.utc) -
datetime.timedelta(days=1),
}),
'not_after':
asn1x509.Time({
'utc_time': until,
}),
},
'subject_public_key_info': {
'algorithm': {
'algorithm': 'rsa',
'parameters': None,
},
'public_key': pubKey
}
})
# Sign the TBS Certificate
data = tbs.dump()
value = self.session.sign(
caprivKey, data,
PyKCS11.Mechanism(PyKCS11.CKM_SHA256_RSA_PKCS, None))
value = bytes(bytearray(value))
cert = asn1x509.Certificate({
'tbs_certificate': tbs,
'signature_algorithm': {
'algorithm': 'sha256_rsa',
'parameters': None,
},
'signature_value': value,
})
return cert.dump()
def ca(self, sn, pubKey, privKey, label, subject, keyID):
tbs = asn1x509.TbsCertificate({
'version':
'v1',
'serial_number':
sn,
'issuer':
asn1x509.Name.build({
'common_name': 'CA',
}),
'subject':
asn1x509.Name.build({
'common_name': 'CA',
}),
'signature': {
'algorithm': 'sha256_rsa',
'parameters': None,
},
'validity': {
'not_before':
asn1x509.Time({
'utc_time': datetime.datetime(2017, 1, 1, 0, 0),
}),
'not_after':
asn1x509.Time({
'utc_time':
datetime.datetime(2038, 12, 31, 23, 59),
}),
},
'subject_public_key_info': {
'algorithm': {
'algorithm': 'rsa',
'parameters': None,
},
'public_key': pubKey
}
})
# Sign the TBS Certificate
data = tbs.dump()
value = self.session.sign(
privKey, data, PyKCS11.Mechanism(PyKCS11.CKM_SHA1_RSA_PKCS, None))
value = bytes(bytearray(value))
cert = asn1x509.Certificate({
'tbs_certificate': tbs,
'signature_algorithm': {
'algorithm': 'sha256_rsa',
'parameters': None,
},
'signature_value': value,
})
der_bytes = cert.dump()
self.cert_save(der_bytes, label, subject, keyID)
def _generate_mock_cert(req_cert_id: CertId, issuer_cert: Certificate) -> CertRetrieveFuncRet:
serial_num = req_cert_id['serial_number'].native
tbs_cert = x509.TbsCertificate({
'version': 'v3',
'serial_number': serial_num,
'issuer': issuer_cert.subject,
})
cert = x509.Certificate({
'tbs_certificate': tbs_cert
})
return cert
def parse(self, data):
serial_number = None
# 得到ca证书信息
ca = x509.Certificate().load(data['certificate_data'])
for k, v in ca.native['tbs_certificate'].items():
if k == 'serial_number':
serial_number = v
# 获取ca私钥信息
private_key_data = load_pem_private_key(data['private_key_data'].encode('utf-8'), password=b'trustasia-cloudpki',
backend=default_backend())
private_key_data = private_key_data.private_bytes(
encoding=Encoding.DER,
format=PrivateFormat.PKCS8,
encryption_algorithm=NoEncryption())
ca_privateKey = keys.PrivateKeyInfo().load(private_key_data)
ca_info = {
'ca': ca,
'ca_privateKey': ca_privateKey,
'ca_serialNumber': serial_number
}
return ca_info
def get_responder(self, serialNumber):
connect = pymysql.connect(host=Config.db_url, port=Config.port, user=Config.user_name, password=Config.password,
db=Config.db)
cur = connect.cursor(cursor=pymysql.cursors.DictCursor)
cur.execute(Config.sql.format(str(serialNumber) + '_responser'))
rest = cur.fetchall()
connect.commit()
cur.close()
connect.close()
cert_data = base64.b64decode(rest[0]['cert'])
responder_cert = x509.Certificate().load(cert_data)
private_key_data = load_pem_private_key(rest[0]['privatekey'].encode('utf-8'), password=b'trustasia-cloudpki',
backend=default_backend())
private_key_data = private_key_data.private_bytes(
encoding=Encoding.DER,
format=PrivateFormat.PKCS8,
encryption_algorithm=NoEncryption())
responder_privatekey = keys.PrivateKeyInfo().load(private_key_data)
responder_info = {
'responder_cert': responder_cert,
'responder_privatekey': responder_privatekey
}
return responder_info
def build(self, signing_private_key):
"""
Validates the certificate information, constructs the ASN.1 structure
and then signs it
:param signing_private_key:
An asn1crypto.keys.PrivateKeyInfo or oscrypto.asymmetric.PrivateKey
object for the private key to sign the certificate with. If the key
is self-signed, this should be the private key that matches the
public key, otherwise it needs to be the issuer's private key.
:return:
An asn1crypto.x509.Certificate object of the newly signed
certificate
"""
is_oscrypto = isinstance(signing_private_key, asymmetric.PrivateKey)
if not isinstance(
signing_private_key, keys.PrivateKeyInfo
) and not is_oscrypto and signing_private_key is not None:
raise TypeError(
_pretty_message(
'''
signing_private_key must be an instance of
asn1crypto.keys.PrivateKeyInfo or
oscrypto.asymmetric.PrivateKey, not %s
''', _type_name(signing_private_key)))
if self._self_signed is not True and self._issuer is None:
raise ValueError(
_pretty_message('''
Certificate must be self-signed, or an issuer must be specified
'''))
if self._self_signed:
self._issuer = self._subject
if self._serial_number is None:
time_part = int_to_bytes(int(time.time()))
random_part = util.rand_bytes(4)
self._serial_number = int_from_bytes(time_part + random_part)
if self._begin_date is None:
self._begin_date = datetime.now(timezone.utc)
if self._end_date is None:
self._end_date = self._begin_date + timedelta(365)
if not self.ca:
for ca_only_extension in set([
'policy_mappings', 'policy_constraints',
'inhibit_any_policy'
]):
if ca_only_extension in self._other_extensions:
raise ValueError(
_pretty_message(
'''
Extension %s is only valid for CA certificates
''', ca_only_extension))
if signing_private_key is not None:
signature_algo = signing_private_key.algorithm
if signature_algo == 'ec':
signature_algo = 'ecdsa'
signature_algorithm_id = '%s_%s' % (self._hash_algo,
signature_algo)
else:
signature_algorithm_id = '%s_%s' % (
self._hash_algo, "rsa") #making rsa assumption for ease
# RFC 3280 4.1.2.5
def _make_validity_time(dt):
if dt < datetime(2050, 1, 1, tzinfo=timezone.utc):
value = x509.Time(name='utc_time', value=dt)
else:
value = x509.Time(name='general_time', value=dt)
return value
def _make_extension(name, value):
return {
'extn_id': name,
'critical': self._determine_critical(name),
'extn_value': value
}
extensions = []
for name in sorted(self._special_extensions):
value = getattr(self, '_%s' % name)
if name == 'ocsp_no_check':
value = core.Null() if value else None
if value is not None:
extensions.append(_make_extension(name, value))
for name in sorted(self._other_extensions.keys()):
extensions.append(
_make_extension(name, self._other_extensions[name]))
tbs_cert = x509.TbsCertificate({
'version': 'v3',
'serial_number': self._serial_number,
'signature': {
'algorithm': signature_algorithm_id
},
'issuer': self._issuer,
'validity': {
'not_before': _make_validity_time(self._begin_date),
'not_after': _make_validity_time(self._end_date),
},
'subject': self._subject,
'subject_public_key_info': self._subject_public_key,
'extensions': extensions
})
if signing_private_key is None:
return tbs_cert
elif signing_private_key.algorithm == 'rsa':
sign_func = asymmetric.rsa_pkcs1v15_sign
elif signing_private_key.algorithm == 'dsa':
sign_func = asymmetric.dsa_sign
elif signing_private_key.algorithm == 'ec':
sign_func = asymmetric.ecdsa_sign
if not is_oscrypto:
signing_private_key = asymmetric.load_private_key(
signing_private_key)
signature = sign_func(signing_private_key, tbs_cert.dump(),
self._hash_algo)
return x509.Certificate({
'tbs_certificate': tbs_cert,
'signature_algorithm': {
'algorithm': signature_algorithm_id
},
'signature_value': signature
})
_SIGNATURE_ALGORITHM = algos.SignedDigestAlgorithm(
{"algorithm": u"sha256_rsa"})
_FAKE_SUBJECT = x509.Name.build({u"common_name": u"fake"})
FAKE_CERTIFICATE = \
pem.armor(u"CERTIFICATE",
x509.Certificate({
"tbs_certificate": x509.TbsCertificate({
"version": 1,
"serial_number": 1,
"signature": _SIGNATURE_ALGORITHM,
"issuer": _FAKE_SUBJECT,
"validity": {
"not_before": x509.Time(
name="utc_time",
value=datetime.datetime(2000, 1, 1)),
"not_after": x509.Time(
name="utc_time",
value=datetime.datetime(2049, 12, 31))},
"subject": _FAKE_SUBJECT,
"subject_public_key_info":
get_fake_public_key_asn1()}),
"signature_algorithm": algos.SignedDigestAlgorithm({
"algorithm": u"sha256_rsa"}),
"signature_value": b"fake"}).dump()).decode('utf8')
FAKE_CSR = \
pem.armor(
u"CERTIFICATE REQUEST",
csr.CertificationRequest({
"certification_request_info":
def write_authenticode_certificate(
ca_cert: x509.Certificate,
ca_cert_orig: x509.Certificate,
signing_key: ecdsa.keys.SigningKey,
name: str,
subject: x509.Name,
) -> None:
private_key, public_key = generate_private_key("rsa:4096")
signed_digest_algorithm = x509.SignedDigestAlgorithm(
{"algorithm": "sha256_ecdsa"})
certificate = x509.Certificate({
"tbs_certificate": {
"version":
"v3",
"serial_number":
random_serial_number(),
"signature":
signed_digest_algorithm,
"issuer":
ca_cert.subject,
"validity": {
"not_before":
x509.UTCTime(
datetime.datetime(2018, 1, 1,
tzinfo=datetime.timezone.utc)),
"not_after":
x509.UTCTime(
datetime.datetime(2021, 1, 1,
tzinfo=datetime.timezone.utc)),
},
"subject":
subject,
"subject_public_key_info":
public_key,
"extensions": [
{
"extn_id": "basic_constraints",
"critical": True,
"extn_value": {
"ca": False
},
},
{
"extn_id": "key_usage",
"critical": True,
"extn_value": {"digital_signature"},
},
{
"extn_id":
"extended_key_usage",
"critical":
True,
"extn_value": [
"code_signing",
"1.3.6.1.4.1.311.2.1.21",
"1.3.6.1.4.1.311.2.1.22",
],
},
],
},
"signature_algorithm":
signed_digest_algorithm,
})
sign_certificate(signing_key, certificate)
with open(name + ".crt", "wb") as f:
write_pem(f, certificate, "CERTIFICATE")
write_pem(f, ca_cert_orig, "CERTIFICATE")
write_pem(f, ca_cert, "CERTIFICATE")
with open(name + ".key", "wb") as f:
write_pem(f, private_key, "PRIVATE KEY")
subprocess.check_call((
"openssl",
"crl2pkcs7",
"-nocrl",
"-certfile",
name + ".crt",
"-outform",
"DER",
"-out",
name + ".spc",
))
subprocess.check_call((
"openssl",
"rsa",
"-in",
name + ".key",
"-outform",
"PVK",
"-pvk-none",
"-out",
name + ".pvk",
))
def write_tls_certificate(
ca_cert: x509.Certificate,
ca_cert_orig: x509.Certificate,
signing_key: ecdsa.keys.SigningKey,
name: str,
subject: x509.Name,
subject_alt_names: Sequence[str],
) -> None:
private_key, public_key = generate_private_key("rsa:4096")
signed_digest_algorithm = x509.SignedDigestAlgorithm(
{"algorithm": "sha256_ecdsa"})
certificate = x509.Certificate({
"tbs_certificate": {
"version":
"v3",
"serial_number":
random_serial_number(),
"signature":
signed_digest_algorithm,
"issuer":
ca_cert_orig.subject,
"validity": {
"not_before":
x509.UTCTime(
datetime.datetime(2018, 1, 1,
tzinfo=datetime.timezone.utc)),
"not_after":
x509.UTCTime(
datetime.datetime(2021, 1, 1,
tzinfo=datetime.timezone.utc)),
},
"subject":
subject,
"subject_public_key_info":
public_key,
"extensions": [
{
"extn_id": "basic_constraints",
"critical": True,
"extn_value": {
"ca": False
},
},
{
"extn_id":
"subject_alt_name",
"critical":
False,
"extn_value": [
x509.GeneralName({"dns_name": dns_name})
for dns_name in subject_alt_names
],
},
{
"extn_id":
"certificate_policies",
"critical":
False,
"extn_value": [
{
"policy_identifier": "1.3.6.1.4.1.6449.1.2.1.5.1"
},
],
},
],
},
"signature_algorithm":
signed_digest_algorithm,
})
sign_certificate(signing_key, certificate)
with open(name + ".crt", "wb") as f:
write_pem(f, certificate, "CERTIFICATE")
write_pem(f, ca_cert_orig, "CERTIFICATE")
write_pem(f, ca_cert, "CERTIFICATE")
with open(name + ".key", "wb") as f:
write_pem(f, private_key, "PRIVATE KEY")
write_pem(f, certificate, "CERTIFICATE")
write_pem(f, ca_cert_orig, "CERTIFICATE")
write_pem(f, ca_cert, "CERTIFICATE")
def build_mpc(self, signing_private_key, orq_ip, orq_port):
"""
Validates the certificate information, constructs the ASN.1 structure
and then signs it with a mpc engine
:param signing_private_key:
An integer identifier for the private key to sign the certificate with.
This identifier permits the mpc engine to find the private key associated
with the public key exported in the key generation process
:return:
An asn1crypto.x509.Certificate object of the newly signed
certificate
"""
def rsa_mpc_sign(signing_private_key, tbs_cert_dump, hash_algo, orq_ip,
orq_port):
# Calculate hash corresponding to tbs_cert_dump [Only SHA256]
digest = hashes.Hash(hashes.SHA256(), backend=default_backend())
digest.update(tbs_cert_dump)
digest = hexlify(digest.finalize())
print("[Client] Hash: " + digest)
# Send HTTP GET request to the orquestrator for signing
target = "http://" + orq_ip + ":" + orq_port + "/signMessage/" + str(
signing_private_key) + "?message=" + str(digest)
r = requests.get(target)
response = dict(json.loads(r.text))
# Sign format must be bytearray
print("Firma: " + str(response["sign"]))
firma = unhexlify(response["sign"])
return firma
if self._self_signed is not True and self._issuer is None:
raise ValueError(
_pretty_message('''
Certificate must be self-signed, or an issuer must be specified
'''))
if self._self_signed:
self._issuer = self._subject
if self._serial_number is None:
time_part = int_to_bytes(int(time.time()))
random_part = util.rand_bytes(4)
self._serial_number = int_from_bytes(time_part + random_part)
if self._begin_date is None:
self._begin_date = datetime.now(timezone.utc)
if self._end_date is None:
self._end_date = self._begin_date + timedelta(365)
if not self.ca:
for ca_only_extension in set([
'policy_mappings', 'policy_constraints',
'inhibit_any_policy'
]):
if ca_only_extension in self._other_extensions:
raise ValueError(
_pretty_message(
'''
Extension %s is only valid for CA certificates
''', ca_only_extension))
# The algorith is forced to be 'rsa'
signature_algo = 'rsa'
# Hash's algorithm limited to SHA256 (internally)
signature_algorithm_id = '%s_%s' % (self._hash_algo, signature_algo)
def _make_extension(name, value):
return {
'extn_id': name,
'critical': self._determine_critical(name),
'extn_value': value
}
extensions = []
for name in sorted(self._special_extensions):
value = getattr(self, '_%s' % name)
if name == 'ocsp_no_check':
value = core.Null() if value else None
if value is not None:
extensions.append(_make_extension(name, value))
for name in sorted(self._other_extensions.keys()):
extensions.append(
_make_extension(name, self._other_extensions[name]))
tbs_cert = x509.TbsCertificate({
'version': 'v3',
'serial_number': self._serial_number,
'signature': {
'algorithm': signature_algorithm_id
},
'issuer': self._issuer,
'validity': {
'not_before': x509.Time(name='utc_time',
value=self._begin_date),
'not_after': x509.Time(name='utc_time', value=self._end_date),
},
'subject': self._subject,
'subject_public_key_info': self._subject_public_key,
'extensions': extensions
})
# Function binding
sign_func = rsa_mpc_sign
print(orq_ip)
print(orq_port)
signature = sign_func(signing_private_key, tbs_cert.dump(),
self._hash_algo, orq_ip, orq_port)
return x509.Certificate({
'tbs_certificate': tbs_cert,
'signature_algorithm': {
'algorithm': signature_algorithm_id
},
'signature_value': signature
})
