summaryrefslogtreecommitdiff
path: root/tools/precerttools.py
blob: 9687e28dfaa9e0aa087d51e532047147c331ec95 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
# Copyright (c) 2014, NORDUnet A/S.
# See LICENSE for licensing information.

import sys
import hashlib
import rfc2459                  # debian package python-pyasn1-modules
from pyasn1.type import univ, tag
from pyasn1.codec.der import encoder, decoder

def cleanextensions(extensions):
    result = rfc2459.Extensions().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))
    for idx in range(len(extensions)):
        extension = extensions.getComponentByPosition(idx)
        if extension.getComponentByName("extnID") == univ.ObjectIdentifier("1.3.6.1.4.1.11129.2.4.3"):
            pass
        else:
            result.setComponentByPosition(len(result), extension)
    return result

def decode_any(anydata, asn1Spec=None):
    (wrapper, _) = decoder.decode(anydata)
    (data, _) = decoder.decode(wrapper, asn1Spec=asn1Spec)
    return data

def get_subject(cert):
    (asn1,rest) = decoder.decode(cert, asn1Spec=rfc2459.Certificate())
    assert rest == ''
    tbsCertificate = asn1.getComponentByName("tbsCertificate")
    subject = tbsCertificate.getComponentByName("subject")
    extensions = tbsCertificate.getComponentByName("extensions")
    keyid_wrapper = get_extension(extensions, rfc2459.id_ce_subjectKeyIdentifier)
    keyid = decode_any(keyid_wrapper, asn1Spec=rfc2459.KeyIdentifier())
    return (subject, keyid)

def cleanprecert(precert, issuer=None):
    (asn1,rest) = decoder.decode(precert, asn1Spec=rfc2459.Certificate())
    assert rest == ''
    tbsCertificate = asn1.getComponentByName("tbsCertificate")

    extensions = tbsCertificate.getComponentByName("extensions")
    tbsCertificate.setComponentByName("extensions", cleanextensions(extensions))

    if issuer:
        (issuer_subject, keyid) = get_subject(issuer)
        tbsCertificate.setComponentByName("issuer", issuer_subject)
        authkeyid = rfc2459.AuthorityKeyIdentifier()
        authkeyid.setComponentByName("keyIdentifier",
            rfc2459.KeyIdentifier(str(keyid)).subtype(implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
        authkeyid_wrapper = univ.OctetString(encoder.encode(authkeyid))
        authkeyid_wrapper2 = encoder.encode(authkeyid_wrapper)
        set_extension(extensions, rfc2459.id_ce_authorityKeyIdentifier, authkeyid_wrapper2)
    return encoder.encode(tbsCertificate)

def get_extension(extensions, id):
    for idx in range(len(extensions)):
        extension = extensions.getComponentByPosition(idx)
        if extension.getComponentByName("extnID") == id:
            return extension.getComponentByName("extnValue")
    return None

def set_extension(extensions, id, value):
    result = rfc2459.Extensions().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))
    for idx in range(len(extensions)):
        extension = extensions.getComponentByPosition(idx)
        if extension.getComponentByName("extnID") == id:
            extension.setComponentByName("extnValue", value)

def get_cert_key_hash(cert):
    (asn1,rest) = decoder.decode(cert, asn1Spec=rfc2459.Certificate())
    assert rest == ''
    tbsCertificate = asn1.getComponentByName("tbsCertificate")
    key = encoder.encode(tbsCertificate.getComponentByName("subjectPublicKeyInfo"))
    hash = hashlib.sha256()
    hash.update(key)
    return hash.digest()

def printcert(cert, outfile=sys.stdout):
    (asn1,rest) = decoder.decode(cert, asn1Spec=rfc2459.Certificate())
    assert rest == ''
    print >>outfile, asn1.prettyPrint()

def printtbscert(cert, outfile=sys.stdout):
    (asn1,rest) = decoder.decode(cert, asn1Spec=rfc2459.TBSCertificate())
    assert rest == ''
    print >>outfile, asn1.prettyPrint()

ext_key_usage_precert_signing_cert = univ.ObjectIdentifier("1.3.6.1.4.1.11129.2.4.4")

def get_ext_key_usage(cert):
    (asn1,rest) = decoder.decode(cert, asn1Spec=rfc2459.Certificate())
    assert rest == ''
    tbsCertificate = asn1.getComponentByName("tbsCertificate")
    extensions = tbsCertificate.getComponentByName("extensions")
    for idx in range(len(extensions)):
        extension = extensions.getComponentByPosition(idx)
        if extension.getComponentByName("extnID") == rfc2459.id_ce_extKeyUsage:
            ext_key_usage_wrapper_binary = extension.getComponentByName("extnValue")
            (ext_key_usage_wrapper, _) = decoder.decode(ext_key_usage_wrapper_binary)
            (ext_key_usage, _) = decoder.decode(ext_key_usage_wrapper)#, asn1Spec=rfc2459.ExtKeyUsageSyntax())
            return list(ext_key_usage)
    return []