# Copyright (c) 2014, NORDUnet A/S.
# See LICENSE for licensing information.
import sys
import hashlib
import rfc2459 # debian package python-pyasn1-modules
from pyasn1.type import univ, tag
from pyasn1.codec.der import encoder, decoder
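def cleanextensions(extensions):
    """Return a copy of *extensions* without the CT poison extension.

    RFC 6962 precertificates carry a critical "poison" extension
    (OID 1.3.6.1.4.1.11129.2.4.3) so that they can never be accepted as
    real certificates; before the TBSCertificate is logged that extension
    has to be stripped.  Every other extension is kept, in order, in a new
    Extensions SEQUENCE tagged [3] EXPLICIT as TBSCertificate requires.

    :param extensions: decoded ``rfc2459.Extensions`` of a precertificate.
    :returns: a new ``rfc2459.Extensions`` with every poison entry removed.
        NOTE(review): the Extension objects appear to be the same instances
        as in the input rather than copies, so mutating one list's entries
        is visible through the other -- confirm against the installed pyasn1.
    """
    poison_oid = univ.ObjectIdentifier("1.3.6.1.4.1.11129.2.4.3")
    result = rfc2459.Extensions().subtype(
        explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))
    for idx in range(len(extensions)):
        extension = extensions.getComponentByPosition(idx)
        # Only extnID is compared; criticality and value of the poison are
        # irrelevant for removing it.
        if extension.getComponentByName("extnID") == poison_oid:
            continue
        result.setComponentByPosition(len(result), extension)
    return result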
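def decode_any(anydata, asn1Spec=None):
    """Decode an extension value that was parsed as an ASN.1 ANY.

    *anydata* is presumably the complete TLV of the extnValue OCTET STRING
    (what pyasn1 yields when extnValue is modelled as ``univ.Any``; the
    double decode below relies on that).  The first decode unwraps the
    OCTET STRING, the second decodes its contents as *asn1Spec* (or without
    a schema when None).

    :raises ValueError: if either layer is followed by trailing bytes.  That
        is not a valid DER encoding; the previous code silently dropped it.
    """
    wrapper, rest = decoder.decode(anydata)
    if rest:
        raise ValueError("trailing data after extnValue OCTET STRING")
    data, rest = decoder.decode(wrapper, asn1Spec=asn1Spec)
    if rest:
        raise ValueError("trailing data inside extnValue")
    return data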
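def get_subject(cert):
    """Return ``(subject, keyid)`` of a DER-encoded certificate.

    *subject* is the decoded Name from the TBSCertificate and *keyid* the
    decoded subjectKeyIdentifier (``rfc2459.KeyIdentifier``).  cleanprecert()
    uses both to rewrite a precertificate's issuer and authorityKeyIdentifier
    so that they point at the final issuer.

    :param cert: DER-encoded Certificate.
    :raises ValueError: if *cert* is followed by trailing bytes, or carries
        no subjectKeyIdentifier extension.
    """
    asn1, rest = decoder.decode(cert, asn1Spec=rfc2459.Certificate())
    if rest:
        # Trailing bytes mean this is not exactly one DER certificate.  An
        # assert here would disappear under ``python -O``, so raise instead.
        raise ValueError("trailing data after certificate")
    tbsCertificate = asn1.getComponentByName("tbsCertificate")
    subject = tbsCertificate.getComponentByName("subject")
    extensions = tbsCertificate.getComponentByName("extensions")
    keyid_wrapper = get_extension(extensions, rfc2459.id_ce_subjectKeyIdentifier)
    if keyid_wrapper is None:
        # Without an SKI there is nothing to put into the precert's AKI;
        # fail clearly instead of crashing inside decode_any(None).
        raise ValueError("certificate has no subjectKeyIdentifier extension")
    keyid = decode_any(keyid_wrapper, asn1Spec=rfc2459.KeyIdentifier())
    return (subject, keyid)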
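def cleanprecert(precert, issuer=None):
    """Turn a DER precertificate into the DER TBSCertificate to be logged.

    This is the RFC 6962 section 3.2 transformation: the poison extension
    is removed and, when *issuer* is given (the DER certificate of the
    final issuer, needed when the precert was signed by a Precertificate
    Signing Certificate), the issuer Name is replaced by that certificate's
    subject and an *existing* authorityKeyIdentifier extension is rewritten
    to that certificate's subjectKeyIdentifier.  No AKI is added when the
    precert has none (RFC 6962 only requires the rewrite "if present").

    :param precert: DER-encoded Certificate (the precertificate).
    :param issuer: optional DER-encoded Certificate of the final issuer.
    :returns: DER encoding of the rewritten TBSCertificate (unsigned).
    :raises ValueError: on trailing bytes after *precert*, or (from
        get_subject) when *issuer* is malformed or lacks an SKI.
    """
    asn1, rest = decoder.decode(precert, asn1Spec=rfc2459.Certificate())
    if rest:
        raise ValueError("trailing data after precertificate")
    tbsCertificate = asn1.getComponentByName("tbsCertificate")
    extensions = cleanextensions(tbsCertificate.getComponentByName("extensions"))
    if issuer:
        issuer_subject, keyid = get_subject(issuer)
        tbsCertificate.setComponentByName("issuer", issuer_subject)
        # AuthorityKeyIdentifier ::= SEQUENCE { keyIdentifier [0] IMPLICIT
        # KeyIdentifier OPTIONAL, ... }; only keyIdentifier is emitted.
        # NOTE(review): str(keyid) yields the raw octets only under Python 2.
        authkeyid = rfc2459.AuthorityKeyIdentifier()
        authkeyid.setComponentByName(
            "keyIdentifier",
            rfc2459.KeyIdentifier(str(keyid)).subtype(
                implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
        # extnValue is an OCTET STRING wrapping the DER AKI; encoding twice
        # produces the full TLV that the ANY-typed extnValue expects.
        authkeyid_wrapper = univ.OctetString(encoder.encode(authkeyid))
        authkeyid_wrapper2 = encoder.encode(authkeyid_wrapper)
        # Update the *cleaned* list, which is what goes into the TBSCertificate.
        # The previous code mutated the pre-clean list and only worked because
        # pyasn1 shared the Extension objects between the two lists.
        set_extension(extensions, rfc2459.id_ce_authorityKeyIdentifier, authkeyid_wrapper2)
    tbsCertificate.setComponentByName("extensions", extensions)
    return encoder.encode(tbsCertificate)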
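def get_extension(extensions, id):
    """Return the extnValue of the first extension in *extensions* whose extnID is *id*.

    :param extensions: decoded ``rfc2459.Extensions``, or None for a
        certificate without extensions (previously a TypeError).
    :param id: ``univ.ObjectIdentifier`` to look for.  The parameter keeps
        its builtin-shadowing name so existing callers are unaffected.
    :returns: the extnValue component, or None if no such extension exists.
        Only the first match is returned; RFC 5280 section 4.2 forbids a
        certificate from carrying the same extnID twice.
    """
    if extensions is None:
        return None
    for idx in range(len(extensions)):
        extension = extensions.getComponentByPosition(idx)
        if extension.getComponentByName("extnID") == id:
            return extension.getComponentByName("extnValue")
    return None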
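def set_extension(extensions, id, value):
    """Replace, in place, the extnValue of every extension whose extnID is *id*.

    Nothing is added when no such extension exists: RFC 6962 section 3.2
    only requires the authorityKeyIdentifier to be rewritten *if present*,
    and cleanprecert() relies on exactly that.

    :param extensions: decoded ``rfc2459.Extensions``; mutated in place.
    :param id: ``univ.ObjectIdentifier`` of the extension to update.
    :param value: new extnValue (cleanprecert() passes the full TLV bytes of
        the wrapping OCTET STRING).
    :returns: True if at least one extension was updated, False otherwise
        (the previous version returned None; callers may ignore the result).
    """
    found = False
    for idx in range(len(extensions)):
        extension = extensions.getComponentByPosition(idx)
        if extension.getComponentByName("extnID") == id:
            extension.setComponentByName("extnValue", value)
            found = True
    return found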
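def get_cert_key_hash(cert):
    """Return the SHA-256 of the DER SubjectPublicKeyInfo of a DER certificate.

    The digest covers the whole SubjectPublicKeyInfo (algorithm identifier
    and key), which is how RFC 6962 defines ``issuer_key_hash`` when this is
    applied to an issuer certificate.  The SPKI is re-encoded from the
    decoded structure; for valid DER input that reproduces the original
    bytes exactly.

    :param cert: DER-encoded Certificate.
    :returns: 32-byte digest.
    :raises ValueError: if *cert* is followed by trailing bytes.
    """
    asn1, rest = decoder.decode(cert, asn1Spec=rfc2459.Certificate())
    if rest:
        raise ValueError("trailing data after certificate")
    tbsCertificate = asn1.getComponentByName("tbsCertificate")
    spki_der = encoder.encode(tbsCertificate.getComponentByName("subjectPublicKeyInfo"))
    return hashlib.sha256(spki_der).digest()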
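def printcert(cert, outfile=sys.stdout):
    """Pretty-print a DER-encoded Certificate to *outfile* (default stdout).

    :param cert: DER-encoded Certificate.
    :param outfile: file-like object with a ``write`` method.
    :raises ValueError: if *cert* is followed by trailing bytes.
    """
    asn1, rest = decoder.decode(cert, asn1Spec=rfc2459.Certificate())
    if rest:
        raise ValueError("trailing data after certificate")
    # write() instead of the Python 2 ``print >>outfile`` statement: same
    # output (text plus newline), valid syntax under Python 2 and 3.
    outfile.write(asn1.prettyPrint() + "\n")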
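def printtbscert(cert, outfile=sys.stdout):
    """Pretty-print a DER-encoded TBSCertificate (as produced by cleanprecert) to *outfile*.

    :param cert: DER-encoded TBSCertificate, not a full Certificate.
    :param outfile: file-like object with a ``write`` method.
    :raises ValueError: if *cert* is followed by trailing bytes.
    """
    asn1, rest = decoder.decode(cert, asn1Spec=rfc2459.TBSCertificate())
    if rest:
        raise ValueError("trailing data after TBSCertificate")
    # write() instead of the Python 2 ``print >>outfile`` statement: same
    # output (text plus newline), valid syntax under Python 2 and 3.
    outfile.write(asn1.prettyPrint() + "\n")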
# RFC 6962 section 3.1: the extended key usage OID that marks a Precertificate
# Signing Certificate (a CA certificate used only to sign precertificates).
# Compare against the OIDs returned by get_ext_key_usage().
ext_key_usage_precert_signing_cert = univ.ObjectIdentifier("1.3.6.1.4.1.11129.2.4.4")
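def get_ext_key_usage(cert):
    """Return the extKeyUsage OIDs of a DER-encoded certificate as a list.

    The extension value is decoded without an ``asn1Spec`` (as before), so
    the items are generic decoded OBJECT IDENTIFIER components in
    certificate order.  Criticality is not examined.

    :param cert: DER-encoded Certificate.
    :returns: list of OIDs, or an empty list if the extension is absent.
    :raises ValueError: if *cert* is followed by trailing bytes, or the
        extension value carries trailing data (see decode_any).
    """
    asn1, rest = decoder.decode(cert, asn1Spec=rfc2459.Certificate())
    if rest:
        raise ValueError("trailing data after certificate")
    tbsCertificate = asn1.getComponentByName("tbsCertificate")
    extensions = tbsCertificate.getComponentByName("extensions")
    eku_wrapper = get_extension(extensions, rfc2459.id_ce_extKeyUsage)
    if eku_wrapper is None:
        return []
    # Same ANY -> OCTET STRING -> SEQUENCE unwrapping as the other helpers,
    # via decode_any so trailing bytes are rejected consistently.
    return list(decode_any(eku_wrapper))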