From 15d5d6fd5cffdea185d18fbd4feb62afa23b9d12 Mon Sep 17 00:00:00 2001
From: Magnus Ahltorp <map@kth.se>
Date: Wed, 18 Mar 2015 01:03:18 +0100
Subject: Added validatestore.py

---
 tools/precerttools.py | 102 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 102 insertions(+)
 create mode 100644 tools/precerttools.py

(limited to 'tools/precerttools.py')

diff --git a/tools/precerttools.py b/tools/precerttools.py
new file mode 100644
index 0000000..13ac572
--- /dev/null
+++ b/tools/precerttools.py
@@ -0,0 +1,102 @@
+# Copyright (c) 2014, NORDUnet A/S.
+# See LICENSE for licensing information.
+
+import sys
+import hashlib
+import rfc2459
+from pyasn1.type import univ, tag
+from pyasn1.codec.der import encoder, decoder
+
+def cleanextensions(extensions):
+    result = rfc2459.Extensions().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))
+    for idx in range(len(extensions)):
+        extension = extensions.getComponentByPosition(idx)
+        if extension.getComponentByName("extnID") == univ.ObjectIdentifier("1.3.6.1.4.1.11129.2.4.3"):
+            pass
+        else:
+            result.setComponentByPosition(len(result), extension)
+    return result
+
+def decode_any(anydata, asn1Spec=None):
+    (wrapper, _) = decoder.decode(anydata)
+    (data, _) = decoder.decode(wrapper, asn1Spec=asn1Spec)
+    return data
+
+def get_subject(cert):
+    (asn1,rest) = decoder.decode(cert, asn1Spec=rfc2459.Certificate())
+    assert rest == ''
+    tbsCertificate = asn1.getComponentByName("tbsCertificate")
+    subject = tbsCertificate.getComponentByName("subject")
+    extensions = tbsCertificate.getComponentByName("extensions")
+    keyid_wrapper = get_extension(extensions, rfc2459.id_ce_subjectKeyIdentifier)
+    keyid = decode_any(keyid_wrapper, asn1Spec=rfc2459.KeyIdentifier())
+    return (subject, keyid)
+
+def cleanprecert(precert, issuer=None):
+    (asn1,rest) = decoder.decode(precert, asn1Spec=rfc2459.Certificate())
+    assert rest == ''
+    tbsCertificate = asn1.getComponentByName("tbsCertificate")
+
+    extensions = tbsCertificate.getComponentByName("extensions")
+    tbsCertificate.setComponentByName("extensions", cleanextensions(extensions))
+
+    if issuer:
+        (issuer_subject, keyid) = get_subject(issuer)
+        tbsCertificate.setComponentByName("issuer", issuer_subject)
+        authkeyid = rfc2459.AuthorityKeyIdentifier()
+        authkeyid.setComponentByName("keyIdentifier",
+            rfc2459.KeyIdentifier(str(keyid)).subtype(implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
+        authkeyid_wrapper = univ.OctetString(encoder.encode(authkeyid))
+        authkeyid_wrapper2 = encoder.encode(authkeyid_wrapper)
+        set_extension(extensions, rfc2459.id_ce_authorityKeyIdentifier, authkeyid_wrapper2)
+    return encoder.encode(tbsCertificate)
+
+def get_extension(extensions, id):
+    for idx in range(len(extensions)):
+        extension = extensions.getComponentByPosition(idx)
+        if extension.getComponentByName("extnID") == id:
+            return extension.getComponentByName("extnValue")
+    return None
+
+def set_extension(extensions, id, value):
+    result = rfc2459.Extensions().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))
+    for idx in range(len(extensions)):
+        extension = extensions.getComponentByPosition(idx)
+        if extension.getComponentByName("extnID") == id:
+            extension.setComponentByName("extnValue", value)
+
+def get_cert_key_hash(cert):
+    (asn1,rest) = decoder.decode(cert, asn1Spec=rfc2459.Certificate())
+    assert rest == ''
+    tbsCertificate = asn1.getComponentByName("tbsCertificate")
+    key = encoder.encode(tbsCertificate.getComponentByName("subjectPublicKeyInfo"))
+    hash = hashlib.sha256()
+    hash.update(key)
+    return hash.digest()
+
+def printcert(cert, outfile=sys.stdout):
+    (asn1,rest) = decoder.decode(cert, asn1Spec=rfc2459.Certificate())
+    assert rest == ''
+    print >>outfile, asn1.prettyPrint()
+
+def printtbscert(cert, outfile=sys.stdout):
+    (asn1,rest) = decoder.decode(cert, asn1Spec=rfc2459.TBSCertificate())
+    assert rest == ''
+    print >>outfile, asn1.prettyPrint()
+
+ext_key_usage_precert_signing_cert = univ.ObjectIdentifier("1.3.6.1.4.1.11129.2.4.4")
+
+def get_ext_key_usage(cert):
+    (asn1,rest) = decoder.decode(cert, asn1Spec=rfc2459.Certificate())
+    assert rest == ''
+    tbsCertificate = asn1.getComponentByName("tbsCertificate")
+    extensions = tbsCertificate.getComponentByName("extensions")
+    for idx in range(len(extensions)):
+        extension = extensions.getComponentByPosition(idx)
+        if extension.getComponentByName("extnID") == rfc2459.id_ce_extKeyUsage:
+            ext_key_usage_wrapper_binary = extension.getComponentByName("extnValue")
+            (ext_key_usage_wrapper, _) = decoder.decode(ext_key_usage_wrapper_binary)
+            (ext_key_usage, _) = decoder.decode(ext_key_usage_wrapper)#, asn1Spec=rfc2459.ExtKeyUsageSyntax())
+            return list(ext_key_usage)
+    return []
+
-- 
cgit v1.1