def _ParseAuthAttrs(self, auth_attrs, required): results = dict.fromkeys(required) for attr in auth_attrs: if (attr['type'] in oids.OID_TO_CLASS and oids.OID_TO_CLASS.get(attr['type']) in required): # There are more than those I require, but I don't know what they are, # and what to do with them. The spec does not talk about them. # One example: # 1.3.6.1.4.1.311.2.1.11 contains as value 1.3.6.1.4.1.311.2.1.21 # SPC_STATEMENT_TYPE_OBJID SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID results[oids.OID_TO_CLASS.get(attr['type'])] = attr['values'] if None in results.itervalues(): raise Asn1Error('Missing mandatory field(s) in auth_attrs.') # making sure that the auth_attrs were processed in correct order # they need to be sorted in ascending order in the SET, when DER encoded # This also makes sure that the tag on Attributes is correct. a = [der_encoder.encode(i) for i in auth_attrs] a.sort() attrs_for_hash = pkcs7.Attributes() for i in range(len(auth_attrs)): d, _ = decoder.decode(a[i], asn1Spec=pkcs7.Attribute()) attrs_for_hash.setComponentByPosition(i, d) encoded_attrs = der_encoder.encode(attrs_for_hash) return results, encoded_attrs
def ValidateCertificateSignature(self, signed_cert, signing_cert): """Given a cert signed by another cert, validates the signature.""" # First the naive way -- note this does not check expiry / use etc. signed_m2 = M2_X509.load_cert_der_string(der_encoder.encode(signed_cert)) signing_m2 = M2_X509.load_cert_der_string(der_encoder.encode(signing_cert)) pubkey = signing_m2.get_pubkey() v = signed_m2.verify(pubkey) if v != 1: self.openssl_error = M2_Err.get_error() raise Asn1Error('1: Validation of cert signature failed.')
def ValidateCertificateSignature(self, signed_cert, signing_cert): """Given a cert signed by another cert, validates the signature.""" # First the naive way -- note this does not check expiry / use etc. signed_m2 = M2_X509.load_cert_der_string( der_encoder.encode(signed_cert)) signing_m2 = M2_X509.load_cert_der_string( der_encoder.encode(signing_cert)) pubkey = signing_m2.get_pubkey() v = signed_m2.verify(pubkey) if v != 1: self.openssl_error = M2_Err.get_error() raise Asn1Error('1: Validation of cert signature failed.')
def _ValidatePubkeyGeneric(self, signing_cert, digest_alg, payload, enc_digest): m2_cert = M2_X509.load_cert_der_string(der_encoder.encode(signing_cert)) pubkey = m2_cert.get_pubkey() pubkey.reset_context(digest_alg().name) pubkey.verify_init() pubkey.verify_update(payload) v = pubkey.verify_final(enc_digest) if v != 1: self.openssl_error = M2_Err.get_error() # Let's try a special case. I have no idea how I would determine when # to use this instead of the above code, so I'll always try. The # observed problem was that for one countersignature (RSA on MD5), # the encrypted digest did not contain an ASN.1 structure, but the # raw hash value instead. try: rsa = pubkey.get_rsa() except ValueError: # It's not an RSA key, just fall through... pass else: clear = rsa.public_decrypt(enc_digest, M2_RSA.pkcs1_padding) if digest_alg(payload).digest() == clear: return 1 return v
def _ValidatePubkeyGeneric(self, signing_cert, digest_alg, payload, enc_digest): m2_cert = M2_X509.load_cert_der_string( der_encoder.encode(signing_cert)) pubkey = m2_cert.get_pubkey() pubkey.reset_context(digest_alg().name) pubkey.verify_init() pubkey.verify_update(payload) v = pubkey.verify_final(enc_digest) if v != 1: self.openssl_error = M2_Err.get_error() # Let's try a special case. I have no idea how I would determine when # to use this instead of the above code, so I'll always try. The # observed problem was that for one countersignature (RSA on MD5), # the encrypted digest did not contain an ASN.1 structure, but the # raw hash value instead. try: rsa = pubkey.get_rsa() except ValueError: # It's not an RSA key, just fall through... pass else: clear = rsa.public_decrypt(enc_digest, M2_RSA.pkcs1_padding) if digest_alg(payload).digest() == clear: return 1 return v