authorRob Austein <sra@hactrn.net>2007-09-28 20:06:35 +0000
committerRob Austein <sra@hactrn.net>2007-09-28 20:06:35 +0000
commit405f90f77a8ca2a8fc5a0837b2eaf91a4cd0255f (patch)
tree5aebeb09c10daf1eadbace4b5313e0db302ac2d5
parent0f8c986dd4595122991493c192b794d2831f3977 (diff)
Tighten up PKCS#10 attribute decoding
svn path=/pow/POW-0.7/lib/pkix.py; revision=1046
-rwxr-xr-xpow/POW-0.7/lib/pkix.py17
-rw-r--r--scripts/pkcs10.py45
2 files changed, 43 insertions, 19 deletions
diff --git a/pow/POW-0.7/lib/pkix.py b/pow/POW-0.7/lib/pkix.py
index 26881e51..7dd75322 100755
--- a/pow/POW-0.7/lib/pkix.py
+++ b/pow/POW-0.7/lib/pkix.py
@@ -787,7 +787,7 @@ class Certificate(Sequence):
def sign(self, rsa, digestType):
driver = getCryptoDriver()
oid = driver.getOID(digestType)
- self.tbs.subjectPublicKeyInfo.set((((1, 2, 840, 113549, 1, 1, 1), None), driver.toPublicDER(key)))
+ self.tbs.subjectPublicKeyInfo.set(driver.toPublicDER(key))
self.tbs.signature.set([oid, None])
signedText = driver.sign(rsa, oid, self.tbs.toString())
self.signatureAlgorithm.set([oid, None])
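Review bot: The rewritten subjectPublicKeyInfo line still passes `key` to `driver.toPublicDER`, but `sign` is declared with parameters `rsa` and `digestType` and `key` is bound nowhere in the hunk; unless it is a module-level name this raises NameError on the first call, and the intent is presumably the signing key, i.e. `self.tbs.subjectPublicKeyInfo.set(driver.toPublicDER(rsa))`. The removed line had the same name, so the commit carries the defect forward rather than introducing it. If the SPKI is meant to be populated by the caller before `sign` rather than derived from the key, the line should go away entirely instead of overwriting it. The body of `sign` continues past the last context line of the hunk.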
@@ -1193,7 +1193,7 @@ class PKCS10AttributeChoice(Choice):
Choice.__init__(self, choices, optional, default)
class PKCS10Attributes(Sequence):
- def __init__(self, optional=0, default=''):
+ def __init__(self, optional=1, default=''):
self.oid = Oid()
self.val = PKCS10AttributeChoice()
contents = [ self.oid, self.val ]
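Review bot: The default flip from `optional=0` to `optional=1` changes what the decoder accepts (a request with no attribute at all now parses instead of failing) but carries no comment saying why, so a later reader cannot tell whether this was deliberate loosening or a workaround for one sample file; a one-line note such as `# optional: a request need not carry any attribute, callers must handle getExtensions() returning None` would pin the intent. Since this `Sequence` models a single (oid, val) pair rather than a SET OF Attribute, it is also worth stating in the class docstring that only a lone attribute is decoded — presumably the extensionRequest, judging by `getExtensions` — so that a request with several attributes is a known limitation rather than a surprise. The class body runs past the end of the hunk.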
@@ -1220,10 +1220,19 @@ class CertificationRequest(Sequence):
def verify(self):
driver = getCryptoDriver()
oid = self.signatureAlgorithm.get()[0]
- # Should check self.certificationRequestInfo.subjectPublicKeyInfo.algorithmId
rsa = driver.fromPublicDER(self.certificationRequestInfo.subjectPublicKeyInfo.toString())
return driver.verify(rsa, oid, self.certificationRequestInfo.toString(), self.signatureValue.get())
+ def getExtensions(self):
+ oid = self.certificationRequestInfo.attributes.oid.get()
+ if oid is None:
+ return None
+ if oid != (1, 2, 840, 113549, 1, 9, 14) or \
+ self.certificationRequestInfo.attributes.val.choice != "set" or \
+ len(self.certificationRequestInfo.attributes.val.choices["set"]) > 1:
+ raise DerError, "failed to understand X.501 Attribute encoding, sorry: %s" % self.get()
+ return self.certificationRequestInfo.attributes.val.choices["set"][0]
+
#---------- PKCS10 ----------#
#---------- GeneralNames object support ----------#
class OtherName(Sequence):
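Review bot: `getExtensions` rejects a SET with more than one element but then indexes `[0]` unconditionally, so an extensionRequest whose SET is empty escapes the `DerError` path and dies with an IndexError from a caller-visible internal; the guard should be `len(self.certificationRequestInfo.attributes.val.choices["set"]) != 1:` so that both the empty and the multi-element case surface as the intended DerError (the pkcs10.py script in this same commit already adds a `len(...) > 0` check for exactly this case). The error message interpolates `self.get()`, i.e. the whole decoded request, into the exception text; for a parser fed untrusted input that is a lot of attacker-chosen material to push into logs, and `"... sorry: %s" % (oid,)` would identify the problem just as well. Note also that any other attribute OID (a challengePassword, say) is reported as an encoding failure rather than as "no extensions", which callers may not expect. Finally, dropping the `# Should check ... algorithmId` comment in `verify` leaves no record of whether `fromPublicDER` now validates the SPKI algorithm itself; a comment saying so (or the check) belongs there, and since `oid` is taken from the request's own `signatureAlgorithm`, comparing it against the set of digest OIDs the caller accepts before `driver.verify` would stop a requester from choosing the algorithm it is verified with.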
@@ -1968,7 +1977,7 @@ class Extension(Sequence):
if not (isinstance(oid, types.TupleType) or isinstance(oid, types.ListType)):
raise DerError, 'the oid should be specified as a sequence of integers'
else:
- raise DerError, 'unkown object extension %s' % oid
+ raise DerError, 'unknown object extension %s' % oid
try:
extnObj.set( val )
diff --git a/scripts/pkcs10.py b/scripts/pkcs10.py
index 557d987f..8163cf9b 100644
--- a/scripts/pkcs10.py
+++ b/scripts/pkcs10.py
@@ -2,37 +2,48 @@
import POW.pkix, rpki.x509, glob, rpki.resource_set
-parse_extensions = True
-list_extensions = True
-show_attributes = True
+parse_extensions = True
+list_extensions = True
+show_attributes = True
+show_algorithm = False
+do_verify = True
-for name in glob.glob("resource-cert-samples/*.req"):
+for name in glob.glob("resource-cert-samples/*.req") + glob.glob("biz-certs/*.req"):
pkcs10 = rpki.x509.PKCS10_Request(Auto_file = name).get_POWpkix()
print "[", name, "]"
- if show_attributes:
- print pkcs10.certificationRequestInfo.attributes.val
+ if show_algorithm:
+ print pkcs10.signatureAlgorithm
+ print
+ print pkcs10.signatureAlgorithm.get()
print
- print pkcs10.certificationRequestInfo.attributes.val.get()
+
+ if show_attributes:
+ print pkcs10.certificationRequestInfo.attributes.oid, pkcs10.certificationRequestInfo.attributes.oid.get()
print
- print pkcs10.certificationRequestInfo.attributes.val.choice
+ print pkcs10.certificationRequestInfo.attributes.val, pkcs10.certificationRequestInfo.attributes.val.get()
print
- print pkcs10.certificationRequestInfo.attributes.val.choices
+ print pkcs10.certificationRequestInfo.attributes.val.choice, pkcs10.certificationRequestInfo.attributes.val.choices
print
print pkcs10.certificationRequestInfo.attributes.val.choices[pkcs10.certificationRequestInfo.attributes.val.choice]
print
print len(pkcs10.certificationRequestInfo.attributes.val.choices[pkcs10.certificationRequestInfo.attributes.val.choice])
print
- print pkcs10.certificationRequestInfo.attributes.val.choices[pkcs10.certificationRequestInfo.attributes.val.choice][0]
- print
+ if len(pkcs10.certificationRequestInfo.attributes.val.choices[pkcs10.certificationRequestInfo.attributes.val.choice]) > 0:
+ print pkcs10.certificationRequestInfo.attributes.val.choices[pkcs10.certificationRequestInfo.attributes.val.choice][0]
+ print
- extc = pkcs10.certificationRequestInfo.attributes.val
- exts = extc.choices[extc.choice][0]
+ if False:
+ extc = pkcs10.certificationRequestInfo.attributes.val
+ exts = extc.choices[extc.choice][0]
+ assert exts is pkcs10.getExtensions()
+ else:
+ exts = pkcs10.getExtensions()
#print len(exts), exts[0].extnValue
- if list_extensions:
+ if list_extensions and exts is not None:
for x in exts:
oid = x.extnID.get()
name = POW.pkix.oid2obj(oid)
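Review bot: The `if False:` branch keeps the old manual extraction plus an `assert exts is pkcs10.getExtensions()` that can never execute, so it is dead code that will silently drift from `getExtensions`; either delete the five lines and keep just `exts = pkcs10.getExtensions()`, or make the assertion unconditional if it is meant as a regression check for the new accessor. The new `len(...) > 0` guard protects only the `[0]` print, while the two prints above it still index `choices[choice]` with whatever `choice` holds for an absent attribute — presumably `None`, given the `oid is None` test in `getExtensions` — so a request without attributes likely still fails before reaching the guard; confirm against `Choice` or wrap those prints in the same condition. The `biz-certs/*.req` glob widens the input set, so a note on why those requests are expected to differ (they apparently may carry no extensions) would help the next reader.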
@@ -42,7 +53,7 @@ for name in glob.glob("resource-cert-samples/*.req"):
value = ":".join(["%02X" % ord(i) for i in value])
print [ name, oid, crit, value ]
- if parse_extensions:
+ if parse_extensions and exts is not None:
as, v4, v6 = rpki.resource_set.parse_extensions(exts.get())
if as: print "ASN =", as
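Review bot: The added `exts is not None` guard is right, but the line it now protects binds the name `as`, which Python 2.5 already warns about and Python 2.6 makes a reserved word, so the whole script will stop parsing on the next interpreter upgrade; renaming to `asn, v4, v6 = rpki.resource_set.parse_extensions(exts.get())` and `if asn: print "ASN =", asn` avoids that. The rest of this loop body lies outside the hunk.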
@@ -58,4 +69,8 @@ for name in glob.glob("resource-cert-samples/*.req"):
val = ":".join(["%02X" % ord(i) for i in val])
print POW.pkix.oid2obj(oid), oid, "=", val
+ if do_verify:
+ print
+ print "Signature verification: %s" % pkcs10.verify()
+
print