def _ParseAuthAttrs(self, auth_attrs, required):
results = dict.fromkeys(required)
for attr in auth_attrs:
if (attr['type'] in oids.OID_TO_CLASS and
oids.OID_TO_CLASS.get(attr['type']) in required):
# There are more than those I require, but I don't know what they are,
# and what to do with them. The spec does not talk about them.
# One example:
# 1.3.6.1.4.1.311.2.1.11 contains as value 1.3.6.1.4.1.311.2.1.21
# SPC_STATEMENT_TYPE_OBJID SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID
results[oids.OID_TO_CLASS.get(attr['type'])] = attr['values']
if None in results.itervalues():
raise Asn1Error('Missing mandatory field(s) in auth_attrs.')
# making sure that the auth_attrs were processed in correct order
# they need to be sorted in ascending order in the SET, when DER encoded
# This also makes sure that the tag on Attributes is correct.
a = [der_encoder.encode(i) for i in auth_attrs]
a.sort()
attrs_for_hash = pkcs7.Attributes()
for i in range(len(auth_attrs)):
d, _ = decoder.decode(a[i], asn1Spec=pkcs7.Attribute())
attrs_for_hash.setComponentByPosition(i, d)
encoded_attrs = der_encoder.encode(attrs_for_hash)
return results, encoded_attrs
def _ParseAuthAttrs(self, auth_attrs, required):
results = dict.fromkeys(required)
for attr in auth_attrs:
if (attr['type'] in oids.OID_TO_CLASS
and oids.OID_TO_CLASS.get(attr['type']) in required):
# There are more than those I require, but I don't know what they are,
# and what to do with them. The spec does not talk about them.
# One example:
# 1.3.6.1.4.1.311.2.1.11 contains as value 1.3.6.1.4.1.311.2.1.21
# SPC_STATEMENT_TYPE_OBJID SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID
results[oids.OID_TO_CLASS.get(attr['type'])] = attr['values']
if None in results.itervalues():
raise Asn1Error('Missing mandatory field(s) in auth_attrs.')
# making sure that the auth_attrs were processed in correct order
# they need to be sorted in ascending order in the SET, when DER encoded
# This also makes sure that the tag on Attributes is correct.
a = [der_encoder.encode(i) for i in auth_attrs]
a.sort()
attrs_for_hash = pkcs7.Attributes()
for i in range(len(auth_attrs)):
d, _ = decoder.decode(a[i], asn1Spec=pkcs7.Attribute())
attrs_for_hash.setComponentByPosition(i, d)
encoded_attrs = der_encoder.encode(attrs_for_hash)
return results, encoded_attrs
def ValidateCertificateSignature(self, signed_cert, signing_cert):
"""Given a cert signed by another cert, validates the signature."""
# First the naive way -- note this does not check expiry / use etc.
signed_m2 = M2_X509.load_cert_der_string(der_encoder.encode(signed_cert))
signing_m2 = M2_X509.load_cert_der_string(der_encoder.encode(signing_cert))
pubkey = signing_m2.get_pubkey()
v = signed_m2.verify(pubkey)
if v != 1:
self.openssl_error = M2_Err.get_error()
raise Asn1Error('1: Validation of cert signature failed.')
def ValidateCertificateSignature(self, signed_cert, signing_cert):
"""Given a cert signed by another cert, validates the signature."""
# First the naive way -- note this does not check expiry / use etc.
signed_m2 = M2_X509.load_cert_der_string(
der_encoder.encode(signed_cert))
signing_m2 = M2_X509.load_cert_der_string(
der_encoder.encode(signing_cert))
pubkey = signing_m2.get_pubkey()
v = signed_m2.verify(pubkey)
if v != 1:
self.openssl_error = M2_Err.get_error()
raise Asn1Error('1: Validation of cert signature failed.')
def _ValidatePubkeyGeneric(self, signing_cert, digest_alg, payload,
enc_digest):
m2_cert = M2_X509.load_cert_der_string(der_encoder.encode(signing_cert))
pubkey = m2_cert.get_pubkey()
pubkey.reset_context(digest_alg().name)
pubkey.verify_init()
pubkey.verify_update(payload)
v = pubkey.verify_final(enc_digest)
if v != 1:
self.openssl_error = M2_Err.get_error()
# Let's try a special case. I have no idea how I would determine when
# to use this instead of the above code, so I'll always try. The
# observed problem was that for one countersignature (RSA on MD5),
# the encrypted digest did not contain an ASN.1 structure, but the
# raw hash value instead.
try:
rsa = pubkey.get_rsa()
except ValueError:
# It's not an RSA key, just fall through...
pass
else:
clear = rsa.public_decrypt(enc_digest, M2_RSA.pkcs1_padding)
if digest_alg(payload).digest() == clear:
return 1
return v
def _ValidatePubkeyGeneric(self, signing_cert, digest_alg, payload,
enc_digest):
m2_cert = M2_X509.load_cert_der_string(
der_encoder.encode(signing_cert))
pubkey = m2_cert.get_pubkey()
pubkey.reset_context(digest_alg().name)
pubkey.verify_init()
pubkey.verify_update(payload)
v = pubkey.verify_final(enc_digest)
if v != 1:
self.openssl_error = M2_Err.get_error()
# Let's try a special case. I have no idea how I would determine when
# to use this instead of the above code, so I'll always try. The
# observed problem was that for one countersignature (RSA on MD5),
# the encrypted digest did not contain an ASN.1 structure, but the
# raw hash value instead.
try:
rsa = pubkey.get_rsa()
except ValueError:
# It's not an RSA key, just fall through...
pass
else:
clear = rsa.public_decrypt(enc_digest, M2_RSA.pkcs1_padding)
if digest_alg(payload).digest() == clear:
return 1
return v
