def setupKey(self, subjectOrIssuer, value):
if subjectOrIssuer == 'subject':
self.subjectKey = pykey.keyFromSpecification(value)
elif subjectOrIssuer == 'issuer':
self.issuerKey = pykey.keyFromSpecification(value)
else:
raise UnknownKeyTargetError(subjectOrIssuer)
def createSTH(configStream):
"""Given a stream that will provide the specification for a signed
tree head (see the comment at the top of this file), creates the
corresponding signed tree head. Returns a string that can be
compiled as C/C++ that declares two const char*s kSTHHex and
kSPKIHex corresponding to the hex encoding of the signed tree head
and the hex encoding of the subject public key info from the
specification, respectively."""
toSign = ""
prefix = ""
hashAlgorithm = "sha256"
for line in configStream.readlines():
if ":" in line:
param = line.split(":")[0]
arg = line.split(":")[1].split("//")[0].strip()
if param == "signingKey":
signingKey = pykey.keyFromSpecification(arg)
elif param == "spki":
spki = pykey.keyFromSpecification(arg)
elif param == "prefix":
prefix = arg
elif param == "hash":
hashAlgorithm = arg
else:
raise UnknownParameterTypeError(param)
else:
toSign = toSign + line.split("//")[0].strip()
signature = sign(signingKey, hashAlgorithm, toSign)
lengthBytesHex = getTwoByteLenAsHex(binascii.unhexlify(signature))
sth = prefix + toSign + lengthBytesHex + signature
spkiHex = encoder.encode(spki.asSubjectPublicKeyInfo()).hex()
return 'const char* kSTHHex = "%s";\nconst char* kSPKIHex = "%s";\n' % (
sth,
spkiHex,
)
def __init__(self, paramStream):
self.versionValue = 2 # a value of 2 is X509v3
self.signature = 'sha256WithRSAEncryption'
self.issuer = 'Default Issuer'
actualNow = datetime.datetime.utcnow()
self.now = datetime.datetime.strptime(str(actualNow.year), '%Y')
aYearAndAWhile = datetime.timedelta(days=400)
self.notBefore = self.now - aYearAndAWhile
self.notAfter = self.now + aYearAndAWhile
self.subject = 'Default Subject'
self.extensions = None
# The serial number can be automatically generated from the
# certificate specification. We need this value to depend in
# part of what extensions are present. self.extensions are
# pyasn1 objects. Depending on the string representation of
# these objects can cause the resulting serial number to change
# unexpectedly, so instead we depend on the original string
# representation of the extensions as specified.
self.extensionLines = None
self.savedEmbeddedSCTListData = None
self.subjectKey = pykey.keyFromSpecification('default')
self.issuerKey = pykey.keyFromSpecification('default')
self.serialNumber = None
self.decodeParams(paramStream)
# If a serial number wasn't specified, generate one based on
# the certificate contents.
if not self.serialNumber:
self.serialNumber = self.generateSerialNumber()
# This has to be last because the SCT signature depends on the
# contents of the certificate.
if self.savedEmbeddedSCTListData:
self.addEmbeddedSCTListData()
def setupKey(self, subjectOrIssuer, value):
if subjectOrIssuer == 'subject':
self.subjectKey = pykey.keyFromSpecification(value)
elif subjectOrIssuer == 'issuer':
self.issuerKey = pykey.keyFromSpecification(value)
else:
raise UnknownKeyTargetError(subjectOrIssuer)
def __init__(self, paramStream):
self.versionValue = 2 # a value of 2 is X509v3
self.signature = 'sha256WithRSAEncryption'
self.issuer = 'Default Issuer'
actualNow = datetime.datetime.utcnow()
self.now = datetime.datetime.strptime(str(actualNow.year), '%Y')
aYearAndAWhile = datetime.timedelta(days=550)
self.notBefore = self.now - aYearAndAWhile
self.notAfter = self.now + aYearAndAWhile
self.subject = 'Default Subject'
self.extensions = None
self.subjectKey = pykey.keyFromSpecification('default')
self.issuerKey = pykey.keyFromSpecification('default')
self.decodeParams(paramStream)
self.serialNumber = self.generateSerialNumber()
def __init__(self, paramStream):
self.versionValue = 2 # a value of 2 is X509v3
self.signature = 'sha256WithRSAEncryption'
self.issuer = 'Default Issuer'
actualNow = datetime.datetime.utcnow()
self.now = datetime.datetime.strptime(str(actualNow.year), '%Y')
aYearAndAWhile = datetime.timedelta(days=550)
self.notBefore = self.now - aYearAndAWhile
self.notAfter = self.now + aYearAndAWhile
self.subject = 'Default Subject'
self.extensions = None
self.subjectKey = pykey.keyFromSpecification('default')
self.issuerKey = pykey.keyFromSpecification('default')
self.decodeParams(paramStream)
self.serialNumber = self.generateSerialNumber()
def __init__(self, paramStream):
self.versionValue = 2 # a value of 2 is X509v3
self.signature = 'sha256WithRSAEncryption'
self.issuer = 'Default Issuer'
actualNow = datetime.datetime.utcnow()
self.now = datetime.datetime.strptime(str(actualNow.year), '%Y')
aYearAndAWhile = datetime.timedelta(days=400)
self.notBefore = self.now - aYearAndAWhile
self.notAfter = self.now + aYearAndAWhile
self.subject = 'Default Subject'
self.extensions = None
self.savedEmbeddedSCTListData = None
self.subjectKey = pykey.keyFromSpecification('default')
self.issuerKey = pykey.keyFromSpecification('default')
self.serialNumber = None
self.decodeParams(paramStream)
# If a serial number wasn't specified, generate one based on
# the certificate contents.
if not self.serialNumber:
self.serialNumber = self.generateSerialNumber()
# This has to be last because the SCT signature depends on the
# contents of the certificate.
if self.savedEmbeddedSCTListData:
self.addEmbeddedSCTListData()
def __init__(self, paramStream):
self.versionValue = 2 # a value of 2 is X509v3
self.signature = 'sha256WithRSAEncryption'
self.issuer = 'Default Issuer'
actualNow = datetime.datetime.utcnow()
self.now = datetime.datetime.strptime(str(actualNow.year), '%Y')
aYearAndAWhile = datetime.timedelta(days=400)
self.notBefore = self.now - aYearAndAWhile
self.notAfter = self.now + aYearAndAWhile
self.subject = 'Default Subject'
self.extensions = None
self.savedEmbeddedSCTListData = None
self.subjectKey = pykey.keyFromSpecification('default')
self.issuerKey = pykey.keyFromSpecification('default')
self.serialNumber = None
self.decodeParams(paramStream)
# If a serial number wasn't specified, generate one based on
# the certificate contents.
if not self.serialNumber:
self.serialNumber = self.generateSerialNumber()
# This has to be last because the SCT signature depends on the
# contents of the certificate.
if self.savedEmbeddedSCTListData:
self.addEmbeddedSCTListData()
def __init__(self, paramStream):
self.sha1 = ''
self.sha256 = ''
signerSpecification = StringIO.StringIO()
readingSignerSpecification = False
for line in paramStream.readlines():
if readingSignerSpecification:
print >> signerSpecification, line.strip()
elif line.strip() == 'signer:':
readingSignerSpecification = True
elif line.startswith('sha1:'):
self.sha1 = line.strip()[len('sha1:'):]
elif line.startswith('sha256:'):
self.sha256 = line.strip()[len('sha256:'):]
else:
raise UnknownDirectiveError(line.strip())
signerSpecification.seek(0)
self.signer = pycert.Certificate(signerSpecification)
self.signingKey = pykey.keyFromSpecification('default')
def __init__(self, paramStream):
self.sha1 = ""
self.sha256 = ""
signerSpecification = StringIO()
readingSignerSpecification = False
for line in paramStream.readlines():
if readingSignerSpecification:
print(line.strip(), file=signerSpecification)
elif line.strip() == "signer:":
readingSignerSpecification = True
elif line.startswith("sha1:"):
self.sha1 = line.strip()[len("sha1:"):]
elif line.startswith("sha256:"):
self.sha256 = line.strip()[len("sha256:"):]
else:
raise UnknownDirectiveError(line.strip())
signerSpecification.seek(0)
self.signer = pycert.Certificate(signerSpecification)
self.signingKey = pykey.keyFromSpecification("default")
def __init__(self, paramStream):
self.sha1 = ''
self.sha256 = ''
signerSpecification = StringIO.StringIO()
readingSignerSpecification = False
for line in paramStream.readlines():
if readingSignerSpecification:
print >>signerSpecification, line.strip()
elif line.strip() == 'signer:':
readingSignerSpecification = True
elif line.startswith('sha1:'):
self.sha1 = line.strip()[len('sha1:'):]
elif line.startswith('sha256:'):
self.sha256 = line.strip()[len('sha256:'):]
else:
raise UnknownDirectiveError(line.strip())
signerSpecification.seek(0)
self.signer = pycert.Certificate(signerSpecification)
self.signingKey = pykey.keyFromSpecification('default')
def addEmbeddedSCTListData(self):
(scts, critical) = self.savedEmbeddedSCTListData
encodedSCTs = []
for sctSpec in scts.split(','):
match = re.search('(\w+):(\d{8})', sctSpec)
if not match:
raise InvalidSCTSpecification(sctSpec)
keySpec = match.group(1)
key = pykey.keyFromSpecification(keySpec)
time = datetime.datetime.strptime(match.group(2), '%Y%m%d')
tbsCertificate = self.getTBSCertificate()
tbsDER = encoder.encode(tbsCertificate)
sct = pyct.SCT(key, time, tbsDER, self.issuerKey)
signed = sct.signAndEncode()
lengthPrefix = pack('!H', len(signed))
encodedSCTs.append(lengthPrefix + signed)
encodedSCTBytes = "".join(encodedSCTs)
lengthPrefix = pack('!H', len(encodedSCTBytes))
extensionBytes = lengthPrefix + encodedSCTBytes
self.addExtension(univ.ObjectIdentifier('1.3.6.1.4.1.11129.2.4.2'),
univ.OctetString(extensionBytes), critical)
def addEmbeddedSCTListData(self):
(scts, critical) = self.savedEmbeddedSCTListData
encodedSCTs = []
for sctSpec in scts.split(','):
match = re.search('(\w+):(\d{8})', sctSpec)
if not match:
raise InvalidSCTSpecification(sctSpec)
keySpec = match.group(1)
key = pykey.keyFromSpecification(keySpec)
time = datetime.datetime.strptime(match.group(2), '%Y%m%d')
tbsCertificate = self.getTBSCertificate()
tbsDER = encoder.encode(tbsCertificate)
sct = pyct.SCT(key, time, tbsDER, self.issuerKey)
signed = sct.signAndEncode()
lengthPrefix = pack('!H', len(signed))
encodedSCTs.append(lengthPrefix + signed)
encodedSCTBytes = "".join(encodedSCTs)
lengthPrefix = pack('!H', len(encodedSCTBytes))
extensionBytes = lengthPrefix + encodedSCTBytes
self.addExtension(univ.ObjectIdentifier('1.3.6.1.4.1.11129.2.4.2'),
univ.OctetString(extensionBytes), critical)