class DHBMParameter(univ.Sequence):
"""
DHBMParameter ::= SEQUENCE {
owf AlgorithmIdentifier,
-- AlgId for a One-Way Function (SHA-1 recommended)
mac AlgorithmIdentifier
-- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
} -- or HMAC [RFC2104, RFC2202])
"""
componentType = namedtype.NamedTypes(
namedtype.NamedType('owf', rfc5280.AlgorithmIdentifier()),
namedtype.NamedType('mac', rfc5280.AlgorithmIdentifier())
)
def testDerCodec(self):
substrate = pem.readBase64fromText(self.env_data_pem_text)
asn1Object, rest = der_decoder(substrate, asn1Spec=self.asn1Spec)
self.assertFalse(rest)
self.assertTrue(asn1Object.prettyPrint())
self.assertEqual(substrate, der_encoder(asn1Object))
self.assertEqual(rfc5652.id_envelopedData, asn1Object['contentType'])
ed, rest = der_decoder(asn1Object['content'],
asn1Spec=rfc5652.EnvelopedData())
self.assertFalse(rest)
self.assertTrue(ed.prettyPrint())
self.assertEqual(asn1Object['content'], der_encoder(ed))
kari_kea = ed['recipientInfos'][0]['kari']['keyEncryptionAlgorithm']
self.assertEqual(rfc2876.id_kEAKeyEncryptionAlgorithm,
kari_kea['algorithm'])
kwa, rest = der_decoder(kari_kea['parameters'],
asn1Spec=rfc5280.AlgorithmIdentifier())
self.assertFalse(rest)
self.assertTrue(kwa.prettyPrint())
self.assertEqual(kari_kea['parameters'], der_encoder(kwa))
self.assertEqual(rfc2876.id_fortezzaWrap80, kwa['algorithm'])
cea = ed['encryptedContentInfo']['contentEncryptionAlgorithm']
self.assertEqual(rfc2876.id_fortezzaConfidentialityAlgorithm,
cea['algorithm'])
param, rest = der_decoder(cea['parameters'], rfc2876.Skipjack_Parm())
self.assertFalse(rest)
self.assertTrue(param.prettyPrint())
self.assertEqual(cea['parameters'], der_encoder(param))
iv = univ.OctetString(hexValue='424f4755535f4956')
self.assertEqual(iv, param['initialization-vector'])
class PBMParameter(univ.Sequence):
"""
PBMParameter ::= SEQUENCE {
salt OCTET STRING,
owf AlgorithmIdentifier,
iterationCount INTEGER,
mac AlgorithmIdentifier
}
"""
componentType = namedtype.NamedTypes(
namedtype.NamedType(
'salt', univ.OctetString().subtype(subtypeSpec=constraint.ValueSizeConstraint(0, 128))
),
namedtype.NamedType('owf', rfc5280.AlgorithmIdentifier()),
namedtype.NamedType('iterationCount', univ.Integer()),
namedtype.NamedType('mac', rfc5280.AlgorithmIdentifier())
)
class PKIHeader(univ.Sequence):
"""
PKIHeader ::= SEQUENCE {
pvno INTEGER { cmp1999(1), cmp2000(2) },
sender GeneralName,
recipient GeneralName,
messageTime [0] GeneralizedTime OPTIONAL,
protectionAlg [1] AlgorithmIdentifier OPTIONAL,
senderKID [2] KeyIdentifier OPTIONAL,
recipKID [3] KeyIdentifier OPTIONAL,
transactionID [4] OCTET STRING OPTIONAL,
senderNonce [5] OCTET STRING OPTIONAL,
recipNonce [6] OCTET STRING OPTIONAL,
freeText [7] PKIFreeText OPTIONAL,
generalInfo [8] SEQUENCE SIZE (1..MAX) OF
InfoTypeAndValue OPTIONAL
}
"""
componentType = namedtype.NamedTypes(
namedtype.NamedType(
'pvno', univ.Integer(
namedValues=namedval.NamedValues(('cmp1999', 1), ('cmp2000', 2))
)
),
namedtype.NamedType('sender', rfc5280.GeneralName()),
namedtype.NamedType('recipient', rfc5280.GeneralName()),
namedtype.OptionalNamedType('messageTime', useful.GeneralizedTime().subtype(
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
namedtype.OptionalNamedType('protectionAlg', rfc5280.AlgorithmIdentifier().subtype(
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 1))),
namedtype.OptionalNamedType('senderKID', rfc5280.KeyIdentifier().subtype(
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))),
namedtype.OptionalNamedType('recipKID', rfc5280.KeyIdentifier().subtype(
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))),
namedtype.OptionalNamedType('transactionID', univ.OctetString().subtype(
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4))),
namedtype.OptionalNamedType('senderNonce', univ.OctetString().subtype(
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 5))),
namedtype.OptionalNamedType('recipNonce', univ.OctetString().subtype(
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 6))),
namedtype.OptionalNamedType('freeText', PKIFreeText().subtype(
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 7))),
namedtype.OptionalNamedType('generalInfo',
univ.SequenceOf(
componentType=InfoTypeAndValue().subtype(
sizeSpec=constraint.ValueSizeConstraint(1, MAX)
)
).subtype(
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 8))
)
)
class Challenge(univ.Sequence):
"""
Challenge ::= SEQUENCE {
owf AlgorithmIdentifier OPTIONAL,
witness OCTET STRING,
challenge OCTET STRING
}
"""
componentType = namedtype.NamedTypes(
namedtype.OptionalNamedType('owf', rfc5280.AlgorithmIdentifier()),
namedtype.NamedType('witness', univ.OctetString()),
namedtype.NamedType('challenge', univ.OctetString())
)
def testOpenTypes(self):
openTypeMap = {
rfc4357.id_GostR3410_2001:
rfc4357.GostR3410_2001_PublicKeyParameters(),
rfc4357.id_Gost28147_89:
rfc4357.Gost28147_89_Parameters(),
rfc4490.id_GostR3410_2001_CryptoPro_ESDH:
rfc5280.AlgorithmIdentifier(),
}
substrate = pem.readBase64fromText(self.keyagree_pem_text)
asn1Object, rest = der_decoder(substrate,
asn1Spec=self.asn1Spec,
openTypes=openTypeMap,
decodeOpenTypes=True)
self.assertFalse(rest)
self.assertTrue(asn1Object.prettyPrint())
self.assertEqual(substrate, der_encoder(asn1Object))
self.assertEqual(rfc5652.id_envelopedData, asn1Object['contentType'])
ri = asn1Object['content']['recipientInfos'][0]
alg1 = ri['kari']['originator']['originatorKey']['algorithm']
self.assertEqual(rfc4357.id_GostR3410_2001, alg1['algorithm'])
param1 = alg1['parameters']
self.assertEqual(rfc4357.id_GostR3410_2001_CryptoPro_XchA_ParamSet,
param1['publicKeyParamSet'])
self.assertEqual(rfc4357.id_GostR3411_94_CryptoProParamSet,
param1['digestParamSet'])
self.assertEqual(8, len(ri['kari']['ukm']))
alg2 = ri['kari']['keyEncryptionAlgorithm']
self.assertEqual(rfc4490.id_GostR3410_2001_CryptoPro_ESDH,
alg2['algorithm'])
param2 = alg2['parameters']
self.assertEqual(rfc4490.id_Gost28147_89_None_KeyWrap,
param2['algorithm'])
kwa_p = param2['parameters']
self.assertEqual(rfc4357.id_Gost28147_89_CryptoPro_A_ParamSet,
kwa_p['encryptionParamSet'])
alg3 = asn1Object['content']['encryptedContentInfo'][
'contentEncryptionAlgorithm']
self.assertEqual(rfc4357.id_Gost28147_89, alg3['algorithm'])
param3 = alg3['parameters']
self.assertEqual(8, len(param3['iv']))
self.assertEqual(rfc4357.id_Gost28147_89_CryptoPro_A_ParamSet,
param3['encryptionParamSet'])
class OOBCertHash(univ.Sequence):
"""
OOBCertHash ::= SEQUENCE {
hashAlg [0] AlgorithmIdentifier OPTIONAL,
certId [1] CertId OPTIONAL,
hashVal BIT STRING
}
"""
componentType = namedtype.NamedTypes(
namedtype.OptionalNamedType(
'hashAlg', rfc5280.AlgorithmIdentifier().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0))
),
namedtype.OptionalNamedType(
'certId', rfc4211.CertId().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 1))
),
namedtype.NamedType('hashVal', univ.BitString())
)
class GCMParameters(univ.Sequence):
componentType = namedtype.NamedTypes(
namedtype.NamedType('nonce', univ.OctetString()),
# The nonce may have any number of bits between 8 and 2^64,
# but it MUST be a multiple of 8 bits. Within the scope of any
# content-authenticated-encryption key, the nonce value MUST be
# unique. A nonce value of 12 octets can be processed more
# efficiently, so that length is RECOMMENDED.
namedtype.DefaultedNamedType('length',
MACLength().subtype(value=12)))
# GMAC Algorithm Identifiers
maca_aes128_GMAC = rfc5280.AlgorithmIdentifier()
maca_aes128_GMAC['algorithm'] = id_aes128_GMAC
# maca_aes128_GMAC['parameters'] are absent
maca_aes192_GMAC = rfc5280.AlgorithmIdentifier()
maca_aes192_GMAC['algorithm'] = id_aes192_GMAC
# maca_aes192_GMAC['parameters'] are absent
maca_aes256_GMAC = rfc5280.AlgorithmIdentifier()
maca_aes256_GMAC['algorithm'] = id_aes256_GMAC
# maca_aes256_GMAC['parameters'] are absent
# Update the Algorithm Identifiers Map and the SMIMECapability Map
_algorithmIdentifierMapUpdate = {
id_aes128_GMAC: GCMParameters(),
'2.16.840.1.101.2.1.1.4')
id_fortezzaWrap80 = univ.ObjectIdentifier('2.16.840.1.101.2.1.1.23')
id_kEAKeyEncryptionAlgorithm = univ.ObjectIdentifier('2.16.840.1.101.2.1.1.24')
id_keyExchangeAlgorithm = univ.ObjectIdentifier('2.16.840.1.101.2.1.1.22')
class Skipjack_Parm(univ.Sequence):
componentType = namedtype.NamedTypes(
namedtype.NamedType('initialization-vector', univ.OctetString()))
# Update the Algorithm Identifier map
_algorithmIdentifierMapUpdate = {
id_fortezzaConfidentialityAlgorithm: Skipjack_Parm(),
id_kEAKeyEncryptionAlgorithm: rfc5280.AlgorithmIdentifier(),
}
algorithmIdentifierMap.update(_algorithmIdentifierMapUpdate)
# Update the S/MIME Capability map
_smimeCapabilityMapUpdate = {
id_kEAKeyEncryptionAlgorithm: rfc5280.AlgorithmIdentifier(),
}
smimeCapabilityMap.update(_smimeCapabilityMapUpdate)
# ASN.1 source from:
# https://www.rfc-editor.org/rfc/rfc8692.txt
#
from pyasn1.type import univ
from pyasn1_alt_modules import rfc4055
from pyasn1_alt_modules import rfc5280
from pyasn1_alt_modules import rfc5480
# SHAKE128 One-Way Hash Function
id_shake128 = univ.ObjectIdentifier('2.16.840.1.101.3.4.2.11')
mda_shake128 = rfc5280.AlgorithmIdentifier()
mda_shake128['algorithm'] = id_shake128
# mda_shake128['parameters'] is absent
# SHAKE256 One-Way Hash Function
id_shake256 = univ.ObjectIdentifier('2.16.840.1.101.3.4.2.12')
mda_shake256 = rfc5280.AlgorithmIdentifier()
mda_shake256['algorithm'] = id_shake256
# mda_shake256['parameters'] is absent
# RSA PSS with SHAKE128
#
from pyasn1.type import constraint
from pyasn1.type import univ
from pyasn1_alt_modules import rfc5280
from pyasn1_alt_modules import opentypemap
algorithmIdentifierMap = opentypemap.get('algorithmIdentifierMap')
# MD5-XOR Experimental Message Digest Algorithm
id_alg_MD5_XOR_EXPERIMENT = univ.ObjectIdentifier('1.2.840.113549.1.9.16.3.13')
class MD5_XOR_EXPERIMENT(univ.OctetString):
subtypeSpec = constraint.ValueSizeConstraint(64, 64)
mda_xor_md5_EXPERIMENT = rfc5280.AlgorithmIdentifier()
mda_xor_md5_EXPERIMENT['algorithm'] = id_alg_MD5_XOR_EXPERIMENT
mda_xor_md5_EXPERIMENT['parameters'] = MD5_XOR_EXPERIMENT()
# Update the Algorithm Identifier Map and the S/MIME Capability Map
_algorithmIdentifierMapUpdate = {
id_alg_MD5_XOR_EXPERIMENT: MD5_XOR_EXPERIMENT(),
}
algorithmIdentifierMap.update(_algorithmIdentifierMapUpdate)
id_RSAES_OAEP = _OID(1, 2, 840, 113549, 1, 1, 7)
id_pSpecified = _OID(1, 2, 840, 113549, 1, 1, 9)
id_RSASSA_PSS = _OID(1, 2, 840, 113549, 1, 1, 10)
sha256WithRSAEncryption = _OID(1, 2, 840, 113549, 1, 1, 11)
sha384WithRSAEncryption = _OID(1, 2, 840, 113549, 1, 1, 12)
sha512WithRSAEncryption = _OID(1, 2, 840, 113549, 1, 1, 13)
sha224WithRSAEncryption = _OID(1, 2, 840, 113549, 1, 1, 14)
sha1Identifier = rfc5280.AlgorithmIdentifier()
sha1Identifier['algorithm'] = id_sha1
sha1Identifier['parameters'] = univ.Null("")
sha224Identifier = rfc5280.AlgorithmIdentifier()
sha224Identifier['algorithm'] = id_sha224
sha224Identifier['parameters'] = univ.Null("")
sha256Identifier = rfc5280.AlgorithmIdentifier()
sha256Identifier['algorithm'] = id_sha256
sha256Identifier['parameters'] = univ.Null("")
sha384Identifier = rfc5280.AlgorithmIdentifier()
sha384Identifier['algorithm'] = id_sha384
sha384Identifier['parameters'] = univ.Null("")
def setUp(self):
self.asn1Spec = rfc5280.AlgorithmIdentifier()
FirmwarePackageIdentifier.componentType = namedtype.NamedTypes(
namedtype.NamedType('name', PreferredOrLegacyPackageIdentifier()),
namedtype.OptionalNamedType('stale',
PreferredOrLegacyStalePackageIdentifier()))
# Firmware Package Message Digest Signed Attribute and Object Identifier
id_aa_fwPkgMessageDigest = univ.ObjectIdentifier('1.2.840.113549.1.9.16.2.41')
class FirmwarePackageMessageDigest(univ.Sequence):
pass
FirmwarePackageMessageDigest.componentType = namedtype.NamedTypes(
namedtype.NamedType('algorithm', rfc5280.AlgorithmIdentifier()),
namedtype.NamedType('msgDigest', univ.OctetString()))
# Firmware Package Load Error Report Content Type and Object Identifier
class FWErrorVersion(univ.Integer):
pass
FWErrorVersion.namedValues = namedval.NamedValues(('v1', 1))
id_ct_firmwareLoadError = univ.ObjectIdentifier('1.2.840.113549.1.9.16.1.18')
class FirmwarePackageLoadError(univ.Sequence):
id_ct_compressedData = univ.ObjectIdentifier('1.2.840.113549.1.9.16.1.9')
class CompressedData(univ.Sequence):
pass
CompressedData.componentType = namedtype.NamedTypes(
namedtype.NamedType('version', rfc5652.CMSVersion()), # Always set to 0
namedtype.NamedType('compressionAlgorithm', CompressionAlgorithmIdentifier()),
namedtype.NamedType('encapContentInfo', rfc5652.EncapsulatedContentInfo())
)
# Algorithm identifier for the zLib Compression Algorithm
# This includes cpa_zlibCompress as defined in RFC 6268,
# from https://www.rfc-editor.org/rfc/rfc6268.txt
id_alg_zlibCompress = univ.ObjectIdentifier('1.2.840.113549.1.9.16.3.8')
cpa_zlibCompress = rfc5280.AlgorithmIdentifier()
cpa_zlibCompress['algorithm'] = id_alg_zlibCompress
# cpa_zlibCompress['parameters'] are absent
# Update the CMS Content Types Map
_cmsContentTypesMapUpdate = {
id_ct_compressedData: CompressedData(),
}
cmsContentTypesMap.update(_cmsContentTypesMapUpdate)
id_pkix = _buildOid(1, 3, 6, 1, 5, 5, 7)
id_cmc = _buildOid(id_pkix, 7)
id_cmc_batchResponses = _buildOid(id_cmc, 29)
id_cmc_popLinkWitness = _buildOid(id_cmc, 23)
class PopLinkWitnessV2(univ.Sequence):
pass
PopLinkWitnessV2.componentType = namedtype.NamedTypes(
namedtype.NamedType('keyGenAlgorithm', rfc5280.AlgorithmIdentifier()),
namedtype.NamedType('macAlgorithm', rfc5280.AlgorithmIdentifier()),
namedtype.NamedType('witness', univ.OctetString())
)
id_cmc_popLinkWitnessV2 = _buildOid(id_cmc, 33)
id_cmc_identityProofV2 = _buildOid(id_cmc, 34)
id_cmc_revokeRequest = _buildOid(id_cmc, 17)
id_cmc_recipientNonce = _buildOid(id_cmc, 7)
class ControlsProcessed(univ.Sequence):
pass
from pyasn1.type import univ
from pyasn1_alt_modules import rfc5280
# Object Identifiers
id_alg_hss_lms_hashsig = univ.ObjectIdentifier('1.2.840.113549.1.9.16.3.17')
id_alg_mts_hashsig = id_alg_hss_lms_hashsig
# Signature Algorithm Identifier
sa_HSS_LMS_HashSig = rfc5280.AlgorithmIdentifier()
sa_HSS_LMS_HashSig['algorithm'] = id_alg_hss_lms_hashsig
# sa_HSS_LMS_HashSig['parameters'] is alway absent
# Public Key
class HSS_LMS_HashSig_PublicKey(univ.OctetString):
pass
pk_HSS_LMS_HashSig = rfc5280.SubjectPublicKeyInfo()
pk_HSS_LMS_HashSig['algorithm'] = sa_HSS_LMS_HashSig
# pk_HSS_LMS_HashSig['parameters'] CONTAINS a DER-encoded HSS_LMS_HashSig_PublicKey
#
# ASN.1 source from:
# https://www.rfc-editor.org/rfc/rfc8619.txt
#
from pyasn1.type import univ
from pyasn1_alt_modules import rfc5280
# Object Identifiers
id_alg_hkdf_with_sha256 = univ.ObjectIdentifier('1.2.840.113549.1.9.16.3.28')
id_alg_hkdf_with_sha384 = univ.ObjectIdentifier('1.2.840.113549.1.9.16.3.29')
id_alg_hkdf_with_sha512 = univ.ObjectIdentifier('1.2.840.113549.1.9.16.3.30')
# Key Derivation Algorithm Identifiers
kda_hkdf_with_sha256 = rfc5280.AlgorithmIdentifier()
kda_hkdf_with_sha256['algorithm'] = id_alg_hkdf_with_sha256
# kda_hkdf_with_sha256['parameters'] are absent
kda_hkdf_with_sha384 = rfc5280.AlgorithmIdentifier()
kda_hkdf_with_sha384['algorithm'] = id_alg_hkdf_with_sha384
# kda_hkdf_with_sha384['parameters'] are absent
kda_hkdf_with_sha512 = rfc5280.AlgorithmIdentifier()
kda_hkdf_with_sha512['algorithm'] = id_alg_hkdf_with_sha512
# kda_hkdf_with_sha512['parameters'] are absent
from pyasn1.type import univ
from pyasn1_alt_modules import rfc5280
from pyasn1_alt_modules import opentypemap
algorithmIdentifierMap = opentypemap.get('algorithmIdentifierMap')
class ShakeOutputLen(univ.Integer):
pass
id_Ed25519 = univ.ObjectIdentifier('1.3.101.112')
sigAlg_Ed25519 = rfc5280.AlgorithmIdentifier()
sigAlg_Ed25519['algorithm'] = id_Ed25519
# sigAlg_Ed25519['parameters'] is absent
id_Ed448 = univ.ObjectIdentifier('1.3.101.113')
sigAlg_Ed448 = rfc5280.AlgorithmIdentifier()
sigAlg_Ed448['algorithm'] = id_Ed448
# sigAlg_Ed448['parameters'] is absent
hashAlgs = univ.ObjectIdentifier('2.16.840.1.101.3.4.2')
id_sha512 = hashAlgs + (3, )
hashAlg_SHA_512 = rfc5280.AlgorithmIdentifier()
hashAlg_SHA_512['algorithm'] = id_sha512
class SIM(univ.Sequence):
componentType = namedtype.NamedTypes(
namedtype.NamedType('hashAlg', rfc5280.AlgorithmIdentifier()),
namedtype.NamedType('authorityRandom', univ.OctetString()),
namedtype.NamedType('pEPSI', univ.OctetString()))
AttributeCertificateInfoV1.componentType = namedtype.NamedTypes(
namedtype.DefaultedNamedType('version',
AttCertVersionV1().subtype(value="v1")),
namedtype.NamedType(
'subject',
univ.Choice(componentType=namedtype.NamedTypes(
namedtype.NamedType(
'baseCertificateID',
rfc3281.IssuerSerial().subtype(explicitTag=tag.Tag(
tag.tagClassContext, tag.tagFormatSimple, 0))),
namedtype.NamedType(
'subjectName',
rfc5280.GeneralNames().subtype(explicitTag=tag.Tag(
tag.tagClassContext, tag.tagFormatSimple, 1)))))),
namedtype.NamedType('issuer', rfc5280.GeneralNames()),
namedtype.NamedType('signature', rfc5280.AlgorithmIdentifier()),
namedtype.NamedType('serialNumber', rfc5280.CertificateSerialNumber()),
namedtype.NamedType('attCertValidityPeriod',
rfc3281.AttCertValidityPeriod()),
namedtype.NamedType('attributes',
univ.SequenceOf(componentType=rfc5280.Attribute())),
namedtype.OptionalNamedType('issuerUniqueID', rfc5280.UniqueIdentifier()),
namedtype.OptionalNamedType('extensions', rfc5280.Extensions()))
class AttributeCertificateV1(univ.Sequence):
pass
AttributeCertificateV1.componentType = namedtype.NamedTypes(
namedtype.NamedType('acInfo', AttributeCertificateInfoV1()),
# ASN.1 source from:
# https://www.rfc-editor.org/rfc/rfc8649.txt
#
from pyasn1.type import namedtype
from pyasn1.type import univ
from pyasn1_alt_modules import rfc5280
from pyasn1_alt_modules import opentypemap
certificateExtensionsMap = opentypemap.get('certificateExtensionsMap')
id_ce_hashOfRootKey = univ.ObjectIdentifier('1.3.6.1.4.1.51483.2.1')
class HashedRootKey(univ.Sequence):
pass
HashedRootKey.componentType = namedtype.NamedTypes(
namedtype.NamedType('hashAlg', rfc5280.AlgorithmIdentifier()),
namedtype.NamedType('hashValue', univ.OctetString()))
# Update the Certificate Extensions Map
_certificateExtensionsMapUpdate = {
id_ce_hashOfRootKey: HashedRootKey(),
}
certificateExtensionsMap.update(_certificateExtensionsMapUpdate)
