1 # Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 # Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 # Use of this source code is governed by a BSD-style license that can be | 2 # Use of this source code is governed by a BSD-style license that can be |
3 # found in the LICENSE file. | 3 # found in the LICENSE file. |
4 | 4 |
5 import asn1 | 5 import asn1 |
6 import hashlib | 6 import hashlib |
7 import os | 7 import os |
8 | 8 |
9 | 9 |
10 # This file implements very minimal certificate and OCSP generation. It's | 10 # This file implements very minimal certificate and OCSP generation. It's |
23 def ModExp(n, e, p): | 23 def ModExp(n, e, p): |
24 '''ModExp returns n^e mod p''' | 24 '''ModExp returns n^e mod p''' |
25 r = 1 | 25 r = 1 |
26 while e != 0: | 26 while e != 0: |
27 if e & 1: | 27 if e & 1: |
28 r = (r*n) % p | 28 r = (r*n) % p |
29 e >>= 1 | 29 e >>= 1 |
30 n = (n*n) % p | 30 n = (n*n) % p |
31 return r | 31 return r |
32 | 32 |
33 # PKCS1v15_SHA1_PREFIX is the ASN.1 prefix for a SHA1 signature. | 33 # PKCS1v15_SHA256_PREFIX is the ASN.1 prefix for a SHA256 signature. |
34 PKCS1v15_SHA1_PREFIX = '3021300906052b0e03021a05000414'.decode('hex') | 34 PKCS1v15_SHA256_PREFIX = '3031300d060960864801650304020105000420'.decode('hex') |
35 | 35 |
36 class RSA(object): | 36 class RSA(object): |
37 def __init__(self, modulus, e, d): | 37 def __init__(self, modulus, e, d): |
38 self.m = modulus | 38 self.m = modulus |
39 self.e = e | 39 self.e = e |
40 self.d = d | 40 self.d = d |
41 | 41 |
42 self.modlen = 0 | 42 self.modlen = 0 |
43 m = modulus | 43 m = modulus |
44 while m != 0: | 44 while m != 0: |
45 self.modlen += 1 | 45 self.modlen += 1 |
46 m >>= 8 | 46 m >>= 8 |
47 | 47 |
48 def Sign(self, message): | 48 def Sign(self, message): |
49 digest = hashlib.sha1(message).digest() | 49 digest = hashlib.sha256(message).digest() |
50 prefix = PKCS1v15_SHA1_PREFIX | 50 prefix = PKCS1v15_SHA256_PREFIX |
51 | 51 |
52 em = ['\xff'] * (self.modlen - 1 - len(prefix) - len(digest)) | 52 em = ['\xff'] * (self.modlen - 1 - len(prefix) - len(digest)) |
53 em[0] = '\x00' | 53 em[0] = '\x00' |
54 em[1] = '\x01' | 54 em[1] = '\x01' |
55 em += "\x00" + prefix + digest | 55 em += "\x00" + prefix + digest |
56 | 56 |
57 n = 0 | 57 n = 0 |
58 for x in em: | 58 for x in em: |
59 n <<= 8 | 59 n <<= 8 |
60 n |= ord(x) | 60 n |= ord(x) |
158 AIA_OCSP = asn1.OID([1, 3, 6, 1, 5, 5, 7, 48, 1]) | 158 AIA_OCSP = asn1.OID([1, 3, 6, 1, 5, 5, 7, 48, 1]) |
159 AUTHORITY_INFORMATION_ACCESS = asn1.OID([1, 3, 6, 1, 5, 5, 7, 1, 1]) | 159 AUTHORITY_INFORMATION_ACCESS = asn1.OID([1, 3, 6, 1, 5, 5, 7, 1, 1]) |
160 BASIC_CONSTRAINTS = asn1.OID([2, 5, 29, 19]) | 160 BASIC_CONSTRAINTS = asn1.OID([2, 5, 29, 19]) |
161 CERT_POLICIES = asn1.OID([2, 5, 29, 32]) | 161 CERT_POLICIES = asn1.OID([2, 5, 29, 32]) |
162 COMMON_NAME = asn1.OID([2, 5, 4, 3]) | 162 COMMON_NAME = asn1.OID([2, 5, 4, 3]) |
163 COUNTRY = asn1.OID([2, 5, 4, 6]) | 163 COUNTRY = asn1.OID([2, 5, 4, 6]) |
164 HASH_SHA1 = asn1.OID([1, 3, 14, 3, 2, 26]) | 164 HASH_SHA1 = asn1.OID([1, 3, 14, 3, 2, 26]) |
165 OCSP_TYPE_BASIC = asn1.OID([1, 3, 6, 1, 5, 5, 7, 48, 1, 1]) | 165 OCSP_TYPE_BASIC = asn1.OID([1, 3, 6, 1, 5, 5, 7, 48, 1, 1]) |
166 ORGANIZATION = asn1.OID([2, 5, 4, 10]) | 166 ORGANIZATION = asn1.OID([2, 5, 4, 10]) |
167 PUBLIC_KEY_RSA = asn1.OID([1, 2, 840, 113549, 1, 1, 1]) | 167 PUBLIC_KEY_RSA = asn1.OID([1, 2, 840, 113549, 1, 1, 1]) |
168 SHA1_WITH_RSA_ENCRYPTION = asn1.OID([1, 2, 840, 113549, 1, 1, 5]) | 168 SHA256_WITH_RSA_ENCRYPTION = asn1.OID([1, 2, 840, 113549, 1, 1, 11]) |
169 | 169 |
170 | 170 |
171 def MakeCertificate( | 171 def MakeCertificate( |
172 issuer_cn, subject_cn, serial, pubkey, privkey, ocsp_url = None): | 172 issuer_cn, subject_cn, serial, pubkey, privkey, ocsp_url = None): |
173 '''MakeCertificate returns a DER encoded certificate, signed by privkey.''' | 173 '''MakeCertificate returns a DER encoded certificate, signed by privkey.''' |
174 extensions = asn1.SEQUENCE([]) | 174 extensions = asn1.SEQUENCE([]) |
175 | 175 |
176 # Default subject name fields | 176 # Default subject name fields |
177 c = "XX" | 177 c = "XX" |
178 o = "Testing Org" | 178 o = "Testing Org" |
212 asn1.SEQUENCE([ # PolicyInformation | 212 asn1.SEQUENCE([ # PolicyInformation |
213 CERT_POLICY_OID, | 213 CERT_POLICY_OID, |
214 ]), | 214 ]), |
215 ]))), | 215 ]))), |
216 ]) | 216 ]) |
217 ) | 217 ) |
218 | 218 |
219 tbsCert = asn1.ToDER(asn1.SEQUENCE([ | 219 tbsCert = asn1.ToDER(asn1.SEQUENCE([ |
220 asn1.Explicit(0, 2), # Version | 220 asn1.Explicit(0, 2), # Version |
221 serial, | 221 serial, |
222 asn1.SEQUENCE([SHA1_WITH_RSA_ENCRYPTION, None]), # SignatureAlgorithm | 222 asn1.SEQUENCE([SHA256_WITH_RSA_ENCRYPTION, None]), # SignatureAlgorithm |
223 Name(cn = issuer_cn), # Issuer | 223 Name(cn = issuer_cn), # Issuer |
224 asn1.SEQUENCE([ # Validity | 224 asn1.SEQUENCE([ # Validity |
225 asn1.UTCTime("100101060000Z"), # NotBefore | 225 asn1.UTCTime("100101060000Z"), # NotBefore |
226 asn1.UTCTime("321201060000Z"), # NotAfter | 226 asn1.UTCTime("321201060000Z"), # NotAfter |
227 ]), | 227 ]), |
228 Name(cn = subject_cn, c = c, o = o), # Subject | 228 Name(cn = subject_cn, c = c, o = o), # Subject |
229 asn1.SEQUENCE([ # SubjectPublicKeyInfo | 229 asn1.SEQUENCE([ # SubjectPublicKeyInfo |
230 asn1.SEQUENCE([ # Algorithm | 230 asn1.SEQUENCE([ # Algorithm |
231 PUBLIC_KEY_RSA, | 231 PUBLIC_KEY_RSA, |
232 None, | 232 None, |
233 ]), | 233 ]), |
234 asn1.BitString(asn1.ToDER(pubkey)), | 234 asn1.BitString(asn1.ToDER(pubkey)), |
235 ]), | 235 ]), |
236 asn1.Explicit(3, extensions), | 236 asn1.Explicit(3, extensions), |
237 ])) | 237 ])) |
238 | 238 |
239 return asn1.ToDER(asn1.SEQUENCE([ | 239 return asn1.ToDER(asn1.SEQUENCE([ |
240 asn1.Raw(tbsCert), | 240 asn1.Raw(tbsCert), |
241 asn1.SEQUENCE([ | 241 asn1.SEQUENCE([ |
242 SHA1_WITH_RSA_ENCRYPTION, | 242 SHA256_WITH_RSA_ENCRYPTION, |
243 None, | 243 None, |
244 ]), | 244 ]), |
245 asn1.BitString(privkey.Sign(tbsCert)), | 245 asn1.BitString(privkey.Sign(tbsCert)), |
246 ])) | 246 ])) |
247 | 247 |
248 | 248 |
249 def MakeOCSPResponse(issuer_cn, issuer_key, serial, ocsp_state): | 249 def MakeOCSPResponse(issuer_cn, issuer_key, serial, ocsp_state): |
250 # https://tools.ietf.org/html/rfc2560 | 250 # https://tools.ietf.org/html/rfc2560 |
251 issuer_name_hash = asn1.OCTETSTRING( | 251 issuer_name_hash = asn1.OCTETSTRING( |
252 hashlib.sha1(asn1.ToDER(Name(cn = issuer_cn))).digest()) | 252 hashlib.sha1(asn1.ToDER(Name(cn = issuer_cn))).digest()) |
281 cert_status, | 281 cert_status, |
282 asn1.GeneralizedTime("20100101060000Z"), # thisUpdate | 282 asn1.GeneralizedTime("20100101060000Z"), # thisUpdate |
283 asn1.Explicit(0, asn1.GeneralizedTime("20300101060000Z")), # nextUpdate | 283 asn1.Explicit(0, asn1.GeneralizedTime("20300101060000Z")), # nextUpdate |
284 ]), | 284 ]), |
285 ]), | 285 ]), |
286 ])) | 286 ])) |
287 | 287 |
288 basic_resp = asn1.SEQUENCE([ | 288 basic_resp = asn1.SEQUENCE([ |
289 asn1.Raw(basic_resp_data_der), | 289 asn1.Raw(basic_resp_data_der), |
290 asn1.SEQUENCE([ | 290 asn1.SEQUENCE([ |
291 SHA1_WITH_RSA_ENCRYPTION, | 291 SHA256_WITH_RSA_ENCRYPTION, |
292 None, | 292 None, |
293 ]), | 293 ]), |
294 asn1.BitString(issuer_key.Sign(basic_resp_data_der)), | 294 asn1.BitString(issuer_key.Sign(basic_resp_data_der)), |
295 ]) | 295 ]) |
296 | 296 |
297 resp = asn1.SEQUENCE([ | 297 resp = asn1.SEQUENCE([ |
298 asn1.ENUMERATED(0), | 298 asn1.ENUMERATED(0), |
299 asn1.Explicit(0, asn1.SEQUENCE([ | 299 asn1.Explicit(0, asn1.SEQUENCE([ |
300 OCSP_TYPE_BASIC, | 300 OCSP_TYPE_BASIC, |
301 asn1.OCTETSTRING(asn1.ToDER(basic_resp)), | 301 asn1.OCTETSTRING(asn1.ToDER(basic_resp)), |
340 ocsp_der = None | 340 ocsp_der = None |
341 if ocsp_url is not None: | 341 if ocsp_url is not None: |
342 if ocsp_state == OCSP_STATE_UNAUTHORIZED: | 342 if ocsp_state == OCSP_STATE_UNAUTHORIZED: |
343 ocsp_der = unauthorizedDER | 343 ocsp_der = unauthorizedDER |
344 elif ocsp_state == OCSP_STATE_INVALID: | 344 elif ocsp_state == OCSP_STATE_INVALID: |
345 ocsp_der = '3' | 345 ocsp_der = '3' |
346 else: | 346 else: |
347 ocsp_der = MakeOCSPResponse(ISSUER_CN, KEY, serial, ocsp_state) | 347 ocsp_der = MakeOCSPResponse(ISSUER_CN, KEY, serial, ocsp_state) |
348 | 348 |
349 return (cert_pem + KEY_PEM, ocsp_der) | 349 return (cert_pem + KEY_PEM, ocsp_der) |
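Review bot: The 0xFF padding length computed in RSA.Sign at file line 52 (`self.modlen - 1 - len(prefix) - len(digest)`) loses 16 bytes now that the SHA-256 DigestInfo (19-byte prefix plus 32-byte digest) replaces the SHA-1 one, and PKCS#1 v1.5 needs at least eight 0xFF bytes; nothing checks that the modulus is large enough, so with a short test key (the key size is not visible on this page) the list multiplier goes negative and `em[0] = '\x00'` raises IndexError, or the encoding comes out in a form a verifier will reject. Suggest a guard before the padding is built: `if self.modlen < len(prefix) + len(digest) + 11: raise ValueError('modulus too small for a PKCS#1 v1.5 SHA-256 signature')`. Sign's body continues past the end of that hunk. The SHA-1 that remains in MakeOCSPResponse (issuer_name_hash) and the HASH_SHA1 OID are the OCSP CertID hash rather than a signature, so leaving them is consistent with RFC 2560, but a short comment such as `# CertID hash, not a signature: SHA-1 is intentional here` would keep the next reader from "fixing" it.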