def _make_validity_time(dt):
if dt < datetime(2050, 1, 1, tzinfo=timezone.utc):
value = x509.Time(name='utc_time', value=dt)
else:
value = x509.Time(name='general_time', value=dt)
return value
def format_tbs_crl(self, crl_number: int, this_update: datetime,
revoked_certs, next_update: datetime,
distpoint: x509.DistributionPoint = None) \
-> crl.TbsCertList:
extensions = [
crl.TBSCertListExtension({
'extn_id': 'crl_number', 'extn_value': core.Integer(crl_number)
}),
crl.TBSCertListExtension({
'extn_id': 'authority_key_identifier',
'extn_value': x509.AuthorityKeyIdentifier({
'key_identifier': self.authority_key_identifier
})
}),
]
extensions.extend(self.extra_crl_extensions)
if distpoint is not None:
extn_value = crl.IssuingDistributionPoint(distpoint)
extensions.append(
crl.TBSCertListExtension({
'extn_id': 'issuing_distribution_point',
'critical': True,
'extn_value': core.ParsableOctetString(extn_value.dump())
})
)
revoked = crl.RevokedCertificates(revoked_certs)
return crl.TbsCertList({
'version': 'v2',
'signature': self.signature_algo,
'issuer': self.issuer_name,
'this_update': x509.Time({'general_time': this_update}),
'next_update': x509.Time({'general_time': next_update}),
'revoked_certificates': revoked,
'crl_extensions': crl.TBSCertListExtensions(extensions)
})
def certsign(self, sn, pubKey, subject, until, caprivKey):
tbs = asn1x509.TbsCertificate({
'version':
'v1',
'serial_number':
sn,
'issuer':
asn1x509.Name.build({
'common_name': 'hsm CA',
}),
'subject':
asn1x509.Name.build({
'common_name': subject,
}),
'signature': {
'algorithm': 'sha256_rsa',
'parameters': None,
},
'validity': {
'not_before':
asn1x509.Time({
'utc_time':
datetime.datetime.now(tz=asn1util.timezone.utc) -
datetime.timedelta(days=1),
}),
'not_after':
asn1x509.Time({
'utc_time': until,
}),
},
'subject_public_key_info': {
'algorithm': {
'algorithm': 'rsa',
'parameters': None,
},
'public_key': pubKey
}
})
# Sign the TBS Certificate
data = tbs.dump()
value = self.session.sign(
caprivKey, data,
PyKCS11.Mechanism(PyKCS11.CKM_SHA256_RSA_PKCS, None))
value = bytes(bytearray(value))
cert = asn1x509.Certificate({
'tbs_certificate': tbs,
'signature_algorithm': {
'algorithm': 'sha256_rsa',
'parameters': None,
},
'signature_value': value,
})
return cert.dump()
def ca(self, sn, pubKey, privKey, label, subject, keyID):
tbs = asn1x509.TbsCertificate({
'version':
'v1',
'serial_number':
sn,
'issuer':
asn1x509.Name.build({
'common_name': 'CA',
}),
'subject':
asn1x509.Name.build({
'common_name': 'CA',
}),
'signature': {
'algorithm': 'sha256_rsa',
'parameters': None,
},
'validity': {
'not_before':
asn1x509.Time({
'utc_time': datetime.datetime(2017, 1, 1, 0, 0),
}),
'not_after':
asn1x509.Time({
'utc_time':
datetime.datetime(2038, 12, 31, 23, 59),
}),
},
'subject_public_key_info': {
'algorithm': {
'algorithm': 'rsa',
'parameters': None,
},
'public_key': pubKey
}
})
# Sign the TBS Certificate
data = tbs.dump()
value = self.session.sign(
privKey, data, PyKCS11.Mechanism(PyKCS11.CKM_SHA1_RSA_PKCS, None))
value = bytes(bytearray(value))
cert = asn1x509.Certificate({
'tbs_certificate': tbs,
'signature_algorithm': {
'algorithm': 'sha256_rsa',
'parameters': None,
},
'signature_value': value,
})
der_bytes = cert.dump()
self.cert_save(der_bytes, label, subject, keyID)
def format_revoked_cert(serial: int, reason: Optional[crl.CRLReason],
revocation_date: datetime,
extensions: List[crl.CRLEntryExtension] = None) \
-> crl.RevokedCertificate:
extensions = list(extensions or ())
if reason is not None:
extensions.append(
crl.CRLEntryExtension(
{'extn_id': 'crl_reason', 'extn_value': reason}
)
)
return crl.RevokedCertificate({
'user_certificate': serial,
'revocation_date': x509.Time({'general_time': revocation_date}),
'crl_entry_extensions': extensions
})
_SIGNATURE_ALGORITHM = algos.SignedDigestAlgorithm(
{"algorithm": u"sha256_rsa"})
_FAKE_SUBJECT = x509.Name.build({u"common_name": u"fake"})
FAKE_CERTIFICATE = \
pem.armor(u"CERTIFICATE",
x509.Certificate({
"tbs_certificate": x509.TbsCertificate({
"version": 1,
"serial_number": 1,
"signature": _SIGNATURE_ALGORITHM,
"issuer": _FAKE_SUBJECT,
"validity": {
"not_before": x509.Time(
name="utc_time",
value=datetime.datetime(2000, 1, 1)),
"not_after": x509.Time(
name="utc_time",
value=datetime.datetime(2049, 12, 31))},
"subject": _FAKE_SUBJECT,
"subject_public_key_info":
get_fake_public_key_asn1()}),
"signature_algorithm": algos.SignedDigestAlgorithm({
"algorithm": u"sha256_rsa"}),
"signature_value": b"fake"}).dump()).decode('utf8')
FAKE_CSR = \
pem.armor(
u"CERTIFICATE REQUEST",
csr.CertificationRequest({
return ZERO
UTC = UTC()
FAKE_CERTIFICATE = \
pem.armor(u"CERTIFICATE",
x509.Certificate({
"tbs_certificate": x509.TbsCertificate({
"version": 1,
"serial_number": 1,
"signature": _SIGNATURE_ALGORITHM,
"issuer": _FAKE_SUBJECT,
"validity": {
"not_before": x509.Time(
name="utc_time",
value=datetime.datetime(2000, 1, 1, 9, 47, 35, 249000, tzinfo=UTC)),
"not_after": x509.Time(
name="utc_time",
value=datetime.datetime(2049, 12, 31, 9, 47, 35, 249000, tzinfo=UTC))},
"subject": _FAKE_SUBJECT,
"subject_public_key_info":
get_fake_public_key_asn1()}),
"signature_algorithm": algos.SignedDigestAlgorithm({
"algorithm": u"sha256_rsa"}),
"signature_value": b"fake"}).dump()).decode('utf8')
FAKE_CSR = \
pem.armor(
u"CERTIFICATE REQUEST",
csr.CertificationRequest({
def build(self, issuer_private_key):
"""
Validates the certificate list information, constructs the ASN.1
structure and then signs it
:param issuer_private_key:
An asn1crypto.keys.PrivateKeyInfo or oscrypto.asymmetric.PrivateKey
object for the private key of the CRL issuer
:return:
An asn1crypto.crl.CertificateList object of the newly signed CRL
"""
is_oscrypto = isinstance(issuer_private_key, asymmetric.PrivateKey)
if not isinstance(issuer_private_key,
keys.PrivateKeyInfo) and not is_oscrypto:
raise TypeError(
_pretty_message(
'''
issuer_private_key must be an instance of
asn1crypto.keys.PrivateKeyInfo or
oscrypto.asymmetric.PrivateKey, not %s
''', _type_name(issuer_private_key)))
if self._this_update is None:
self._this_update = datetime.now(timezone.utc)
if self._next_update is None:
self._next_update = self._this_update + timedelta(days=7)
signature_algo = issuer_private_key.algorithm
if signature_algo == 'ec':
signature_algo = 'ecdsa'
signature_algorithm_id = '%s_%s' % (self._hash_algo, signature_algo)
def _make_extension(name, value):
return {
'extn_id': name,
'critical': self._determine_critical(name),
'extn_value': value
}
extensions = []
for name in sorted(self._special_extensions):
value = getattr(self, '_%s' % name)
if value is not None:
extensions.append(_make_extension(name, value))
for name in sorted(self._other_extensions.keys()):
extensions.append(
_make_extension(name, self._other_extensions[name]))
# For an indirect CRL we need to set the first
if self._certificate_issuer and len(self._revoked_certificates) > 0:
self._revoked_certificates[0]['crl_entry_extensions'].append({
'extn_id':
'certificate_issuer',
'critical':
True,
'extn_value':
x509.GeneralNames([
x509.GeneralName(name='directory_name',
value=self._certificate_issuer.subject)
])
})
tbs_cert_list = crl.TbsCertList({
'version':
'v3',
'signature': {
'algorithm': signature_algorithm_id
},
'issuer':
self._issuer.subject,
'this_update':
x509.Time(name='utc_time', value=self._this_update),
'next_update':
x509.Time(name='utc_time', value=self._next_update),
'revoked_certificates':
crl.RevokedCertificates(self._revoked_certificates),
'crl_extensions':
extensions
})
if issuer_private_key.algorithm == 'rsa':
sign_func = asymmetric.rsa_pkcs1v15_sign
elif issuer_private_key.algorithm == 'dsa':
sign_func = asymmetric.dsa_sign
elif issuer_private_key.algorithm == 'ec':
sign_func = asymmetric.ecdsa_sign
if not is_oscrypto:
issuer_private_key = asymmetric.load_private_key(
issuer_private_key)
signature = sign_func(issuer_private_key, tbs_cert_list.dump(),
self._hash_algo)
return crl.CertificateList({
'tbs_cert_list': tbs_cert_list,
'signature_algorithm': {
'algorithm': signature_algorithm_id
},
'signature': signature
})
def add_certificate(self, serial_number, revocation_date, reason):
"""
Adds a certificate to the list of revoked certificates
:param serial_number:
The serial number of the revoked certificate
:param revocation_date:
A datetime.datetime object of when the certificate was revoked
:param reason:
A unicode string of one of:
- "key_compromise" - when a private key is compromised
- "ca_compromise" - when the CA issuing the certificate is compromised
- "affiliation_changed" - when the certificate subject name changed
- "superseded" - when the certificate was replaced with a new one
- "cessation_of_operation" - when the certificate is no longer needed
- "certificate_hold" - when the certificate is temporarily invalid
- "remove_from_crl" - only delta CRLs - when temporary hold is removed
- "privilege_withdrawn" - one of the usages for a certificate was removed
"""
if not isinstance(serial_number, int_types):
raise TypeError(
_pretty_message(
'''
serial_number must be an integer, not %s
''', _type_name(serial_number)))
if not isinstance(revocation_date, datetime):
raise TypeError(
_pretty_message(
'''
revocation_date must be an instance of datetime.datetime, not %s
''', _type_name(revocation_date)))
if not isinstance(reason, str_cls):
raise TypeError(
_pretty_message(
'''
reason must be a unicode string, not %s
''', _type_name(reason)))
valid_reasons = set([
'key_compromise', 'ca_compromise', 'affiliation_changed',
'superseded', 'cessation_of_operation', 'certificate_hold',
'remove_from_crl', 'privilege_withdrawn'
])
if reason not in valid_reasons:
raise ValueError(
_pretty_message(
'''
reason must be one of "key_compromise", "ca_compromise",
"affiliation_changed", "superseded", "cessation_of_operation",
"certificate_hold", "remove_from_crl", "privilege_withdrawn",
not %s
''', repr(reason)))
self._revoked_certificates.append(
crl.RevokedCertificate({
'user_certificate':
serial_number,
'revocation_date':
x509.Time(name='utc_time', value=revocation_date),
'crl_entry_extensions': [{
'extn_id': 'crl_reason',
'critical': False,
'extn_value': reason
}]
}))
def build_mpc(self, signing_private_key, orq_ip, orq_port):
"""
Validates the certificate information, constructs the ASN.1 structure
and then signs it with a mpc engine
:param signing_private_key:
An integer identifier for the private key to sign the certificate with.
This identifier permits the mpc engine to find the private key associated
with the public key exported in the key generation process
:return:
An asn1crypto.x509.Certificate object of the newly signed
certificate
"""
def rsa_mpc_sign(signing_private_key, tbs_cert_dump, hash_algo, orq_ip,
orq_port):
# Calculate hash corresponding to tbs_cert_dump [Only SHA256]
digest = hashes.Hash(hashes.SHA256(), backend=default_backend())
digest.update(tbs_cert_dump)
digest = hexlify(digest.finalize())
print("[Client] Hash: " + digest)
# Send HTTP GET request to the orquestrator for signing
target = "http://" + orq_ip + ":" + orq_port + "/signMessage/" + str(
signing_private_key) + "?message=" + str(digest)
r = requests.get(target)
response = dict(json.loads(r.text))
# Sign format must be bytearray
print("Firma: " + str(response["sign"]))
firma = unhexlify(response["sign"])
return firma
if self._self_signed is not True and self._issuer is None:
raise ValueError(
_pretty_message('''
Certificate must be self-signed, or an issuer must be specified
'''))
if self._self_signed:
self._issuer = self._subject
if self._serial_number is None:
time_part = int_to_bytes(int(time.time()))
random_part = util.rand_bytes(4)
self._serial_number = int_from_bytes(time_part + random_part)
if self._begin_date is None:
self._begin_date = datetime.now(timezone.utc)
if self._end_date is None:
self._end_date = self._begin_date + timedelta(365)
if not self.ca:
for ca_only_extension in set([
'policy_mappings', 'policy_constraints',
'inhibit_any_policy'
]):
if ca_only_extension in self._other_extensions:
raise ValueError(
_pretty_message(
'''
Extension %s is only valid for CA certificates
''', ca_only_extension))
# The algorith is forced to be 'rsa'
signature_algo = 'rsa'
# Hash's algorithm limited to SHA256 (internally)
signature_algorithm_id = '%s_%s' % (self._hash_algo, signature_algo)
def _make_extension(name, value):
return {
'extn_id': name,
'critical': self._determine_critical(name),
'extn_value': value
}
extensions = []
for name in sorted(self._special_extensions):
value = getattr(self, '_%s' % name)
if name == 'ocsp_no_check':
value = core.Null() if value else None
if value is not None:
extensions.append(_make_extension(name, value))
for name in sorted(self._other_extensions.keys()):
extensions.append(
_make_extension(name, self._other_extensions[name]))
tbs_cert = x509.TbsCertificate({
'version': 'v3',
'serial_number': self._serial_number,
'signature': {
'algorithm': signature_algorithm_id
},
'issuer': self._issuer,
'validity': {
'not_before': x509.Time(name='utc_time',
value=self._begin_date),
'not_after': x509.Time(name='utc_time', value=self._end_date),
},
'subject': self._subject,
'subject_public_key_info': self._subject_public_key,
'extensions': extensions
})
# Function binding
sign_func = rsa_mpc_sign
print(orq_ip)
print(orq_port)
signature = sign_func(signing_private_key, tbs_cert.dump(),
self._hash_algo, orq_ip, orq_port)
return x509.Certificate({
'tbs_certificate': tbs_cert,
'signature_algorithm': {
'algorithm': signature_algorithm_id
},
'signature_value': signature
})
