-rw-r--r--buildtools/defstack.py88
-rw-r--r--buildtools/make-relaxng.py4
-rw-r--r--buildtools/make-sql-schemas.py2
-rw-r--r--buildtools/pylint.rc14
-rwxr-xr-xconfigure16
-rw-r--r--configure.ac14
-rw-r--r--h/Makefile.in26
-rw-r--r--h/README13
-rw-r--r--h/rpki/manifest.h100
-rw-r--r--h/rpki/roa.h (renamed from rcynic/defasn1.h)49
-rw-r--r--h/rpki/sk_manifest.h34
-rw-r--r--h/rpki/sk_roa.h59
-rw-r--r--rcynic/Makefile.in22
-rw-r--r--rcynic/defstack.awk71
-rw-r--r--rcynic/defstack.h134
-rw-r--r--rcynic/rcynic-svn.py190
-rw-r--r--rcynic/rcynic.c332
-rwxr-xr-xrcynic/validation_status.awk32
-rw-r--r--rpkid/Makefile.in4
-rw-r--r--rpkid/examples/rpki.conf14
-rw-r--r--rpkid/examples/rsyncd.conf8
-rw-r--r--rpkid/ext/POW.c12508
-rw-r--r--rpkid/irbe_cli.py105
-rw-r--r--rpkid/portal-gui/Makefile.in6
-rw-r--r--rpkid/rpki-sql-backup.py2
-rw-r--r--rpkid/rpki-sql-setup.py8
-rw-r--r--rpkid/rpki-start-servers.py1
-rw-r--r--rpkid/rpki/POW/__init__.py17
-rw-r--r--rpkid/rpki/POW/_der.py2294
-rw-r--r--rpkid/rpki/POW/_objects.py6880
-rw-r--r--rpkid/rpki/POW/_oids.py8636
-rw-r--r--rpkid/rpki/POW/_simpledb.py55
-rw-r--r--rpkid/rpki/POW/pkix.py2087
-rw-r--r--rpkid/rpki/adns.py21
-rw-r--r--rpkid/rpki/async.py196
-rw-r--r--rpkid/rpki/config.py27
-rw-r--r--rpkid/rpki/csv_utils.py14
-rw-r--r--rpkid/rpki/exceptions.py2
-rw-r--r--rpkid/rpki/ghostbuster.py26
-rw-r--r--rpkid/rpki/gui/app/forms.py10
-rwxr-xr-xrpkid/rpki/gui/app/range_list.py90
-rw-r--r--rpkid/rpki/gui/app/views.py2
-rw-r--r--rpkid/rpki/gui/cacheview/models.py1
-rw-r--r--rpkid/rpki/gui/cacheview/views.py8
-rw-r--r--rpkid/rpki/gui/models.py22
-rw-r--r--rpkid/rpki/http.py33
-rw-r--r--rpkid/rpki/ipaddrs.py4
-rw-r--r--rpkid/rpki/irdb/__init__.py5
-rw-r--r--rpkid/rpki/irdb/models.py48
-rw-r--r--rpkid/rpki/irdb/router.py95
-rw-r--r--rpkid/rpki/irdb/zookeeper.py563
-rw-r--r--rpkid/rpki/irdbd.py11
-rw-r--r--rpkid/rpki/left_right.py607
-rw-r--r--rpkid/rpki/log.py57
-rw-r--r--rpkid/rpki/manifest.py54
-rw-r--r--rpkid/rpki/mysql_import.py6
-rw-r--r--rpkid/rpki/oids.py42
-rw-r--r--rpkid/rpki/old_irdbd.py16
-rw-r--r--rpkid/rpki/pubd.py2
-rw-r--r--rpkid/rpki/publication.py37
-rw-r--r--rpkid/rpki/rcynic.py101
-rw-r--r--rpkid/rpki/relaxng.py8
-rw-r--r--rpkid/rpki/resource_set.py348
-rw-r--r--rpkid/rpki/roa.py76
-rw-r--r--rpkid/rpki/rootd.py27
-rw-r--r--rpkid/rpki/rpkic.py45
-rw-r--r--rpkid/rpki/rpkid.py265
-rw-r--r--rpkid/rpki/rpkid_tasks.py574
-rw-r--r--rpkid/rpki/sql.py80
-rw-r--r--rpkid/rpki/sundial.py103
-rw-r--r--rpkid/rpki/up_down.py16
-rw-r--r--rpkid/rpki/x509.py876
-rw-r--r--rpkid/rpki/xml_utils.py6
-rw-r--r--rpkid/setup.py4
-rw-r--r--rpkid/tests/Makefile.in18
-rw-r--r--rpkid/tests/myrpki-xml-parse-test.py6
-rw-r--r--rpkid/tests/rcynic.conf1
-rw-r--r--rpkid/tests/smoketest.py167
-rw-r--r--rpkid/tests/sql-cleaner.py21
-rw-r--r--rpkid/tests/sql-dumper.py17
-rw-r--r--rpkid/tests/testpoke.py12
-rw-r--r--rpkid/tests/yamlconf.py788
-rw-r--r--rpkid/tests/yamltest.py302
-rw-r--r--rtr-origin/Makefile.in2
-rwxr-xr-xrtr-origin/rtr-origin.py2
-rw-r--r--scripts/Old/test-pow-tls.py61
-rw-r--r--scripts/Old/tls-client.py27
-rw-r--r--scripts/Old/tls-server.py40
-rw-r--r--scripts/convert-from-entitydb-to-sql.py2
-rw-r--r--scripts/find-roa-expiration.py4
-rw-r--r--scripts/format-application-x-rpki.py20
-rw-r--r--scripts/show-tracking-data.py4
-rw-r--r--scripts/x509-dot.py6
-rw-r--r--utils/find_roa/Makefile.in2
-rw-r--r--utils/find_roa/find_roa.c98
-rw-r--r--utils/hashdir/Makefile.in2
-rw-r--r--utils/print_roa/Makefile.in2
-rw-r--r--utils/print_roa/print_roa.c98
-rw-r--r--utils/print_rpki_manifest/Makefile.in2
-rw-r--r--utils/print_rpki_manifest/print_rpki_manifest.c39
-rw-r--r--utils/scan_roas/Makefile.in2
-rw-r--r--utils/scan_roas/scan_roas.c98
-rw-r--r--utils/uri/uri.c38
103 files changed, 10910 insertions, 29324 deletions
diff --git a/buildtools/defstack.py b/buildtools/defstack.py
new file mode 100644
index 00000000..4d93ce66
--- /dev/null
+++ b/buildtools/defstack.py
@@ -0,0 +1,88 @@
+# $Id$
+#
+# Tool to write search C source code for "DECLARE_STACK_OF" macro
+# calls and write corresponding type-safe "safestack" macros.
+#
+# You might want to look away now, this is nasty. Then again, OpenSSL
+# does the same thing, but in Perl, and mixing automatically generated
+# code with code maintained by humans, so "nasty" is a relative term.
+#
+# Copyright (C) 2011-2012 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+import fileinput
+import sys
+import re
+
+header = '''\
+/*
+ * Automatically generated, do not edit.
+ * Generator $Id$
+ */
+
+#ifndef __%__DEFSTACK_H__
+#define __%__DEFSTACK_H__
+'''
+
+footer = '''
+#endif /* __%__DEFSTACK_H__ */
+'''
+
+template = '''
+/*
+ * Safestack macros for %.
+ */
+#define sk_%_new(st) SKM_sk_new(%, (st))
+#define sk_%_new_null() SKM_sk_new_null(%)
+#define sk_%_free(st) SKM_sk_free(%, (st))
+#define sk_%_num(st) SKM_sk_num(%, (st))
+#define sk_%_value(st, i) SKM_sk_value(%, (st), (i))
+#define sk_%_set(st, i, val) SKM_sk_set(%, (st), (i), (val))
+#define sk_%_zero(st) SKM_sk_zero(%, (st))
+#define sk_%_push(st, val) SKM_sk_push(%, (st), (val))
+#define sk_%_unshift(st, val) SKM_sk_unshift(%, (st), (val))
+#define sk_%_find(st, val) SKM_sk_find(%, (st), (val))
+#define sk_%_find_ex(st, val) SKM_sk_find_ex(%, (st), (val))
+#define sk_%_delete(st, i) SKM_sk_delete(%, (st), (i))
+#define sk_%_delete_ptr(st, ptr) SKM_sk_delete_ptr(%, (st), (ptr))
+#define sk_%_insert(st, val, i) SKM_sk_insert(%, (st), (val), (i))
+#define sk_%_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(%, (st), (cmp))
+#define sk_%_dup(st) SKM_sk_dup(%, st)
+#define sk_%_pop_free(st, free_func) SKM_sk_pop_free(%, (st), (free_func))
+#define sk_%_shift(st) SKM_sk_shift(%, (st))
+#define sk_%_pop(st) SKM_sk_pop(%, (st))
+#define sk_%_sort(st) SKM_sk_sort(%, (st))
+#define sk_%_is_sorted(st) SKM_sk_is_sorted(%, (st))
+'''
+
+if len(sys.argv) < 2:
+ sys.exit("Usage: %s source.c [source.c ...]" % sys.argv[0])
+
+splitter = re.compile("[() \t]+").split
+
+token = None
+
+for line in fileinput.input():
+
+ if token is None:
+ token = "".join(c if c.isalnum() else "_" for c in fileinput.filename().upper())
+ sys.stdout.write(header.replace("%", token))
+
+ if "DECLARE_STACK_OF" in line:
+ words = splitter(line)
+ if len(words) > 1 and words[0] == "DECLARE_STACK_OF":
+ sys.stdout.write(template.replace("%", words[1]))
+
+if token is not None:
+ sys.stdout.write(footer.replace("%", token))
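Review bot: The `words[0] == "DECLARE_STACK_OF"` test in the main loop silently skips any declaration that is indented, because splitting a line with leading blanks yields an empty first word. The awk script this replaces stripped leading whitespace first (`sub(/^[ \t]+/, "")`), so this is a behaviour change; `words = splitter(line.strip())` restores the old matching. Separately, `token` is set only on the first input line, so when several source files are passed the include guard is named after the first file alone; if that is intended, a one-line comment such as `# guard name comes from the first input file only` would save the next reader the question.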
diff --git a/buildtools/make-relaxng.py b/buildtools/make-relaxng.py
index 0058ade5..d35f56bc 100644
--- a/buildtools/make-relaxng.py
+++ b/buildtools/make-relaxng.py
@@ -3,7 +3,7 @@ Script to generate rpki/relaxng.py.
$Id$
-Copyright (C) 2009-2011 Internet Systems Consortium ("ISC")
+Copyright (C) 2009-2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -43,7 +43,7 @@ import lxml.etree
format_2 = """\
## @var %(name)s
## Parsed RelaxNG %(name)s schema
-%(name)s = lxml.etree.RelaxNG(lxml.etree.fromstring('''%(rng)s'''))
+%(name)s = lxml.etree.RelaxNG(lxml.etree.fromstring(r'''%(rng)s'''))
"""
def filename_to_symbol(s):
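Review bot: The schema text is still pasted between `'''` delimiters in `format_2`, so the new `r` prefix only stops backslash escapes from being interpreted. A schema containing `'''` would close the literal early and the remainder would be parsed as Python in the generated rpki/relaxng.py, and a schema ending in a backslash would not compile. Letting Python do the quoting, `%(name)s = lxml.etree.RelaxNG(lxml.etree.fromstring(%(rng)r))`, covers both cases at the cost of a less readable generated file. Presumably the .rng inputs are all in-tree, so this is hardening of the build step rather than a live bug.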
diff --git a/buildtools/make-sql-schemas.py b/buildtools/make-sql-schemas.py
index 3ecde014..8175bbf5 100644
--- a/buildtools/make-sql-schemas.py
+++ b/buildtools/make-sql-schemas.py
@@ -3,7 +3,7 @@ Script to generate rpki/relaxng.py.
$Id$
-Copyright (C) 2009-2011 Internet Systems Consortium ("ISC")
+Copyright (C) 2009-2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
diff --git a/buildtools/pylint.rc b/buildtools/pylint.rc
index 5e555f45..872345fb 100644
--- a/buildtools/pylint.rc
+++ b/buildtools/pylint.rc
@@ -4,6 +4,18 @@
# differs enough from mine that it's not really usable without
# customization. Useful options: --help, --generate-rcfile.
+# Note that, in addition to disabling unhelpful messages globally, one
+# can disable specific messages for an entire module or for a specific
+# known issue, using magic comments in the Python source code. Form
+# of the comment is the same in either case, how much it controls
+# depends on the scope in which one places the comment. Format:
+#
+# # pylint: disable=code,code,...
+#
+# At top level in a module (eg, right before first import), it
+# disables for a module. Within blocks (eg, as a comment on the line
+# defining formal parameters to a function) it only in that scope.
+
[MASTER]
profile=no
@@ -32,7 +44,7 @@ disable-msg-cat=
#enable-msg=
# Disable the message(s) with the given id(s).
-disable-msg=R0801,R0903,R0913,C0321,R0904,W0201,E1101,W0614,C0301,R0901,C0302,R0902,R0201,W0613,R0912,R0915,W0703,W0212,R0914,W0603
+disable=R0801,R0903,R0913,C0321,R0904,W0201,E1101,W0614,C0301,R0901,C0302,R0902,R0201,W0613,R0912,R0915,W0703,W0212,R0914,W0603,W0142,I0011,C0111,C0103,R0401
[REPORTS]
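Review bot: Adding `I0011` to the global `disable=` list turns off the informational message pylint emits for every in-source `# pylint: disable=...` comment, which is the mechanism the new header comment recommends. With it off, local suppressions no longer show up in reports and can accumulate without review. Consider leaving `I0011` enabled, or adding a comment above `disable=` recording why each newly added code (`W0142`, `I0011`, `C0111`, `C0103`, `R0401`) is switched off.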
diff --git a/configure b/configure
index af9775c6..0975bac1 100755
--- a/configure
+++ b/configure
@@ -4425,13 +4425,13 @@ fi
TOP_LEVEL_SUBDIRS=""
test $build_openssl = yes && TOP_LEVEL_SUBDIRS="$TOP_LEVEL_SUBDIRS openssl"
- TOP_LEVEL_SUBDIRS="$TOP_LEVEL_SUBDIRS rcynic utils"
+ TOP_LEVEL_SUBDIRS="$TOP_LEVEL_SUBDIRS h rcynic utils"
test $build_ca_tools = yes && TOP_LEVEL_SUBDIRS="$TOP_LEVEL_SUBDIRS rpkid"
test $build_rpki_rtr = yes && TOP_LEVEL_SUBDIRS="$TOP_LEVEL_SUBDIRS rtr-origin"
-ac_config_files="$ac_config_files Makefile rcynic/Makefile rcynic/static-rsync/Makefile utils/Makefile utils/find_roa/Makefile utils/hashdir/Makefile utils/print_rpki_manifest/Makefile utils/print_roa/Makefile utils/scan_roas/Makefile utils/uri/Makefile"
+ac_config_files="$ac_config_files Makefile h/Makefile rcynic/Makefile rcynic/static-rsync/Makefile utils/Makefile utils/find_roa/Makefile utils/hashdir/Makefile utils/print_rpki_manifest/Makefile utils/print_roa/Makefile utils/scan_roas/Makefile utils/uri/Makefile"
case $host_os in
@@ -4490,9 +4490,9 @@ $as_echo "$OPENSSL_SO_GLOB" >&6; }
# search list to preempt conflicts with system copies.
CFLAGS="-I\${abs_top_srcdir}/openssl/openssl/include $CFLAGS"
- LIBS="\${abs_top_builddir}/openssl/openssl/libssl.a \${abs_top_builddir}/openssl/openssl/libcrypto.a $LIBS"
+ LIBS="\${abs_top_builddir}/openssl/openssl/libcrypto.a $LIBS"
else
- LIBS="$LIBS -lssl -lcrypto"
+ LIBS="$LIBS -lcrypto"
fi
if test $build_ca_tools = yes
@@ -4573,6 +4573,13 @@ then
fi
+# Now that we're finally done with all the conditional changes to
+# CFLAGS, add a search directive for our own header directory. If we
+# ever get to the point of having our own library directory, we'd add
+# it here too, but for the moment our shared C code is all in .h files.
+
+CFLAGS="$CFLAGS -I\${abs_top_srcdir}/h"
+
cat >confcache <<\_ACEOF
# This file is a shell script that caches the results of configure
# tests run on this system so they can be shared between configure
@@ -5280,6 +5287,7 @@ for ac_config_target in $ac_config_targets
do
case $ac_config_target in
"Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
+ "h/Makefile") CONFIG_FILES="$CONFIG_FILES h/Makefile" ;;
"rcynic/Makefile") CONFIG_FILES="$CONFIG_FILES rcynic/Makefile" ;;
"rcynic/static-rsync/Makefile") CONFIG_FILES="$CONFIG_FILES rcynic/static-rsync/Makefile" ;;
"utils/Makefile") CONFIG_FILES="$CONFIG_FILES utils/Makefile" ;;
diff --git a/configure.ac b/configure.ac
index dafa1154..1aba6106 100644
--- a/configure.ac
+++ b/configure.ac
@@ -373,13 +373,14 @@ fi
TOP_LEVEL_SUBDIRS=""
test $build_openssl = yes && TOP_LEVEL_SUBDIRS="$TOP_LEVEL_SUBDIRS openssl"
- TOP_LEVEL_SUBDIRS="$TOP_LEVEL_SUBDIRS rcynic utils"
+ TOP_LEVEL_SUBDIRS="$TOP_LEVEL_SUBDIRS h rcynic utils"
test $build_ca_tools = yes && TOP_LEVEL_SUBDIRS="$TOP_LEVEL_SUBDIRS rpkid"
test $build_rpki_rtr = yes && TOP_LEVEL_SUBDIRS="$TOP_LEVEL_SUBDIRS rtr-origin"
AC_SUBST(TOP_LEVEL_SUBDIRS)
AC_CONFIG_FILES([Makefile
+ h/Makefile
rcynic/Makefile
rcynic/static-rsync/Makefile
utils/Makefile
@@ -440,9 +441,9 @@ then
# search list to preempt conflicts with system copies.
CFLAGS="-I\${abs_top_srcdir}/openssl/openssl/include $CFLAGS"
- LIBS="\${abs_top_builddir}/openssl/openssl/libssl.a \${abs_top_builddir}/openssl/openssl/libcrypto.a $LIBS"
+ LIBS="\${abs_top_builddir}/openssl/openssl/libcrypto.a $LIBS"
else
- LIBS="$LIBS -lssl -lcrypto"
+ LIBS="$LIBS -lcrypto"
fi
if test $build_ca_tools = yes
@@ -471,4 +472,11 @@ then
AC_CONFIG_FILES([rtr-origin/Makefile])
fi
+# Now that we're finally done with all the conditional changes to
+# CFLAGS, add a search directive for our own header directory. If we
+# ever get to the point of having our own library directory, we'd add
+# it here too, but for the moment our shared C code is all in .h files.
+
+CFLAGS="$CFLAGS -I\${abs_top_srcdir}/h"
+
AC_OUTPUT
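Review bot: The new `-I\${abs_top_srcdir}/h` is appended to CFLAGS, whereas the bundled OpenSSL include directory earlier in this file is prepended "to preempt conflicts with system copies". Any `-I` directory already present in CFLAGS that happens to contain an `rpki/` header directory, for example from an installed copy of this package, would be searched first and shadow the in-tree headers. Prepending instead, `CFLAGS="-I\${abs_top_srcdir}/h $CFLAGS"`, keeps the build on the headers from this tree. The matching line in the generated configure follows from regenerating it.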
diff --git a/h/Makefile.in b/h/Makefile.in
new file mode 100644
index 00000000..02b5c364
--- /dev/null
+++ b/h/Makefile.in
@@ -0,0 +1,26 @@
+# $Id$
+
+GEN = rpki/sk_manifest.h rpki/sk_roa.h
+
+PYTHON = @PYTHON@
+
+abs_top_srcdir = @abs_top_srcdir@
+
+all: ${GEN}
+
+rpki/sk_manifest.h: rpki/manifest.h
+ ${PYTHON} ${abs_top_srcdir}/buildtools/defstack.py rpki/manifest.h >$@.tmp
+ mv $@.tmp $@
+
+rpki/sk_roa.h: rpki/roa.h
+ ${PYTHON} ${abs_top_srcdir}/buildtools/defstack.py rpki/roa.h >$@.tmp
+ mv $@.tmp $@
+
+clean:
+ rm -f ${GEN} *.h.tmp
+
+test install deinstall uninstall:
+ @true
+
+distclean: clean
+ rm -f Makefile
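Review bot: The `clean` target removes `*.h.tmp` in h/, but both rules write their temporary file next to the target, as `rpki/sk_manifest.h.tmp` and `rpki/sk_roa.h.tmp`, so a failed generator run leaves a partial file that `make clean` never deletes; `rm -f ${GEN} rpki/*.h.tmp` would cover it. The two rules also list only the input header as a prerequisite, so editing buildtools/defstack.py does not regenerate the headers; adding `${abs_top_srcdir}/buildtools/defstack.py` to each prerequisite list fixes that. The `${GEN}: ${SRC}` rule added in rcynic/Makefile.in has the same missing prerequisite, and its `clean` line removes neither `${GEN}` nor the `.tmp` file.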
diff --git a/h/README b/h/README
new file mode 100644
index 00000000..f0cef58e
--- /dev/null
+++ b/h/README
@@ -0,0 +1,13 @@
+$Id$
+
+C header files common to RPKI code. For now, most of this is ASN.1
+definitions in OpenSSL's strange template language. May add utility
+routines later.
+
+Due to complexities of the build environment in which some of this is
+used, we may end up keeping all the shared C code in .h files rather
+than attempting to build a library that all the programs can use.
+Python extension modules in particular have their own peculiar linkage
+requirements, and while we could no doubt jump thorugh hoops to get
+all of this right on every platform, it's much simpler to handle code
+reuse via the C preprocssor. Hey, it worked for MIDAS on ITS.
diff --git a/h/rpki/manifest.h b/h/rpki/manifest.h
new file mode 100644
index 00000000..0e6cd531
--- /dev/null
+++ b/h/rpki/manifest.h
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ *
+ * Portions copyright (C) 2006--2008 American Registry for Internet Numbers ("ARIN")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+#ifndef __MANIFEST_H__
+#define __MANIFEST_H__
+
+#include <openssl/bio.h>
+#include <openssl/pem.h>
+#include <openssl/err.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/safestack.h>
+#include <openssl/conf.h>
+#include <openssl/rand.h>
+#include <openssl/asn1t.h>
+#include <openssl/cms.h>
+
+#include <rpki/sk_manifest.h>
+
+/*
+ * ASN.1 templates. Not sure that ASN1_EXP_OPT() is the right macro
+ * for these defaulted "version" fields, but it's what the examples
+ * for this construction use. So far it has not mattered, as code
+ * using these definitions have only decoded manifests, never encoded
+ * them. We'll see if that breaks with encoding.
+ *
+ * Putting this section under conditional compilation is a hack to
+ * keep Doxygen's parser from becoming hopelessly confused by the
+ * weird OpenSSL ASN.1 macros. Someday perhaps I'll have time to
+ * track down the problem in Doxygen's parser, but this works for now.
+ */
+
+#ifndef DOXYGEN_GETS_HOPELESSLY_CONFUSED_BY_THIS_SECTION
+
+typedef struct FileAndHash_st {
+ ASN1_IA5STRING *file;
+ ASN1_BIT_STRING *hash;
+} FileAndHash;
+
+DECLARE_STACK_OF(FileAndHash)
+
+ASN1_SEQUENCE(FileAndHash) = {
+ ASN1_SIMPLE(FileAndHash, file, ASN1_IA5STRING),
+ ASN1_SIMPLE(FileAndHash, hash, ASN1_BIT_STRING)
+} ASN1_SEQUENCE_END(FileAndHash)
+
+typedef struct Manifest_st {
+ ASN1_INTEGER *version, *manifestNumber;
+ ASN1_GENERALIZEDTIME *thisUpdate, *nextUpdate;
+ ASN1_OBJECT *fileHashAlg;
+ STACK_OF(FileAndHash) *fileList;
+} Manifest;
+
+ASN1_SEQUENCE(Manifest) = {
+ ASN1_EXP_OPT(Manifest, version, ASN1_INTEGER, 0),
+ ASN1_SIMPLE(Manifest, manifestNumber, ASN1_INTEGER),
+ ASN1_SIMPLE(Manifest, thisUpdate, ASN1_GENERALIZEDTIME),
+ ASN1_SIMPLE(Manifest, nextUpdate, ASN1_GENERALIZEDTIME),
+ ASN1_SIMPLE(Manifest, fileHashAlg, ASN1_OBJECT),
+ ASN1_SEQUENCE_OF(Manifest, fileList, FileAndHash)
+} ASN1_SEQUENCE_END(Manifest)
+
+DECLARE_ASN1_FUNCTIONS(FileAndHash)
+DECLARE_ASN1_FUNCTIONS(Manifest)
+
+IMPLEMENT_ASN1_FUNCTIONS(FileAndHash)
+IMPLEMENT_ASN1_FUNCTIONS(Manifest)
+
+#endif /* DOXYGEN_GETS_HOPELESSLY_CONFUSED_BY_THIS_SECTION */
+
+#endif /* __MANIFEST_H__ */
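Review bot: `ASN1_SEQUENCE(...)` and `IMPLEMENT_ASN1_FUNCTIONS(...)` in this header emit definitions, not just declarations, so a program or extension module that includes rpki/manifest.h from more than one .c file will presumably fail to link on duplicate symbols. h/README explains that sharing code through .h files is deliberate, so this wants documenting rather than changing. A comment above the `#ifndef DOXYGEN_GETS_HOPELESSLY_CONFUSED_BY_THIS_SECTION` block would do, for example `/* Defines the Manifest and FileAndHash ASN.1 functions; include from exactly one translation unit per program. */`. The guard name `__MANIFEST_H__` also sits in the namespace C reserves for the implementation; `RPKI_MANIFEST_H` avoids that.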
diff --git a/rcynic/defasn1.h b/h/rpki/roa.h
index c14e0ce5..a63f726b 100644
--- a/rcynic/defasn1.h
+++ b/h/rpki/roa.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009--2011 Internet Systems Consortium ("ISC")
+ * Copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -30,8 +30,8 @@
/* $Id$ */
-#ifndef __DEFASN1_H__
-#define __DEFASN1_H__
+#ifndef __ROA_H__
+#define __ROA_H__
#include <openssl/bio.h>
#include <openssl/pem.h>
@@ -44,11 +44,14 @@
#include <openssl/asn1t.h>
#include <openssl/cms.h>
+#include <rpki/sk_roa.h>
+
/*
* ASN.1 templates. Not sure that ASN1_EXP_OPT() is the right macro
* for these defaulted "version" fields, but it's what the examples
- * for this construction use. Probably doesn't matter since this
- * program only decodes manifests, never encodes them.
+ * for this construction use. So far it has not mattered, as code
+ * using these definitions have only decoded ROAs, never encoded
+ * them. We'll see if that breaks with encoding.
*
* Putting this section under conditional compilation is a hack to
* keep Doxygen's parser from becoming hopelessly confused by the
@@ -58,40 +61,6 @@
#ifndef DOXYGEN_GETS_HOPELESSLY_CONFUSED_BY_THIS_SECTION
-typedef struct FileAndHash_st {
- ASN1_IA5STRING *file;
- ASN1_BIT_STRING *hash;
-} FileAndHash;
-
-DECLARE_STACK_OF(FileAndHash)
-
-ASN1_SEQUENCE(FileAndHash) = {
- ASN1_SIMPLE(FileAndHash, file, ASN1_IA5STRING),
- ASN1_SIMPLE(FileAndHash, hash, ASN1_BIT_STRING)
-} ASN1_SEQUENCE_END(FileAndHash)
-
-typedef struct Manifest_st {
- ASN1_INTEGER *version, *manifestNumber;
- ASN1_GENERALIZEDTIME *thisUpdate, *nextUpdate;
- ASN1_OBJECT *fileHashAlg;
- STACK_OF(FileAndHash) *fileList;
-} Manifest;
-
-ASN1_SEQUENCE(Manifest) = {
- ASN1_EXP_OPT(Manifest, version, ASN1_INTEGER, 0),
- ASN1_SIMPLE(Manifest, manifestNumber, ASN1_INTEGER),
- ASN1_SIMPLE(Manifest, thisUpdate, ASN1_GENERALIZEDTIME),
- ASN1_SIMPLE(Manifest, nextUpdate, ASN1_GENERALIZEDTIME),
- ASN1_SIMPLE(Manifest, fileHashAlg, ASN1_OBJECT),
- ASN1_SEQUENCE_OF(Manifest, fileList, FileAndHash)
-} ASN1_SEQUENCE_END(Manifest)
-
-DECLARE_ASN1_FUNCTIONS(FileAndHash)
-DECLARE_ASN1_FUNCTIONS(Manifest)
-
-IMPLEMENT_ASN1_FUNCTIONS(FileAndHash)
-IMPLEMENT_ASN1_FUNCTIONS(Manifest)
-
typedef struct ROAIPAddress_st {
ASN1_BIT_STRING *IPAddress;
ASN1_INTEGER *maxLength;
@@ -137,4 +106,4 @@ IMPLEMENT_ASN1_FUNCTIONS(ROA)
#endif /* DOXYGEN_GETS_HOPELESSLY_CONFUSED_BY_THIS_SECTION */
-#endif /* __DEFASN1_H__ */
+#endif /* __ROA_H__ */
diff --git a/h/rpki/sk_manifest.h b/h/rpki/sk_manifest.h
new file mode 100644
index 00000000..ead7cbe4
--- /dev/null
+++ b/h/rpki/sk_manifest.h
@@ -0,0 +1,34 @@
+/*
+ * Automatically generated, do not edit.
+ * Generator $Id: defstack.py 4725 2012-09-19 21:28:34Z sra $
+ */
+
+#ifndef __RPKI_MANIFEST_H__DEFSTACK_H__
+#define __RPKI_MANIFEST_H__DEFSTACK_H__
+
+/*
+ * Safestack macros for FileAndHash.
+ */
+#define sk_FileAndHash_new(st) SKM_sk_new(FileAndHash, (st))
+#define sk_FileAndHash_new_null() SKM_sk_new_null(FileAndHash)
+#define sk_FileAndHash_free(st) SKM_sk_free(FileAndHash, (st))
+#define sk_FileAndHash_num(st) SKM_sk_num(FileAndHash, (st))
+#define sk_FileAndHash_value(st, i) SKM_sk_value(FileAndHash, (st), (i))
+#define sk_FileAndHash_set(st, i, val) SKM_sk_set(FileAndHash, (st), (i), (val))
+#define sk_FileAndHash_zero(st) SKM_sk_zero(FileAndHash, (st))
+#define sk_FileAndHash_push(st, val) SKM_sk_push(FileAndHash, (st), (val))
+#define sk_FileAndHash_unshift(st, val) SKM_sk_unshift(FileAndHash, (st), (val))
+#define sk_FileAndHash_find(st, val) SKM_sk_find(FileAndHash, (st), (val))
+#define sk_FileAndHash_find_ex(st, val) SKM_sk_find_ex(FileAndHash, (st), (val))
+#define sk_FileAndHash_delete(st, i) SKM_sk_delete(FileAndHash, (st), (i))
+#define sk_FileAndHash_delete_ptr(st, ptr) SKM_sk_delete_ptr(FileAndHash, (st), (ptr))
+#define sk_FileAndHash_insert(st, val, i) SKM_sk_insert(FileAndHash, (st), (val), (i))
+#define sk_FileAndHash_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(FileAndHash, (st), (cmp))
+#define sk_FileAndHash_dup(st) SKM_sk_dup(FileAndHash, st)
+#define sk_FileAndHash_pop_free(st, free_func) SKM_sk_pop_free(FileAndHash, (st), (free_func))
+#define sk_FileAndHash_shift(st) SKM_sk_shift(FileAndHash, (st))
+#define sk_FileAndHash_pop(st) SKM_sk_pop(FileAndHash, (st))
+#define sk_FileAndHash_sort(st) SKM_sk_sort(FileAndHash, (st))
+#define sk_FileAndHash_is_sorted(st) SKM_sk_is_sorted(FileAndHash, (st))
+
+#endif /* __RPKI_MANIFEST_H__DEFSTACK_H__ */
diff --git a/h/rpki/sk_roa.h b/h/rpki/sk_roa.h
new file mode 100644
index 00000000..cb5c5e17
--- /dev/null
+++ b/h/rpki/sk_roa.h
@@ -0,0 +1,59 @@
+/*
+ * Automatically generated, do not edit.
+ * Generator $Id: defstack.py 4725 2012-09-19 21:28:34Z sra $
+ */
+
+#ifndef __RPKI_ROA_H__DEFSTACK_H__
+#define __RPKI_ROA_H__DEFSTACK_H__
+
+/*
+ * Safestack macros for ROAIPAddress.
+ */
+#define sk_ROAIPAddress_new(st) SKM_sk_new(ROAIPAddress, (st))
+#define sk_ROAIPAddress_new_null() SKM_sk_new_null(ROAIPAddress)
+#define sk_ROAIPAddress_free(st) SKM_sk_free(ROAIPAddress, (st))
+#define sk_ROAIPAddress_num(st) SKM_sk_num(ROAIPAddress, (st))
+#define sk_ROAIPAddress_value(st, i) SKM_sk_value(ROAIPAddress, (st), (i))
+#define sk_ROAIPAddress_set(st, i, val) SKM_sk_set(ROAIPAddress, (st), (i), (val))
+#define sk_ROAIPAddress_zero(st) SKM_sk_zero(ROAIPAddress, (st))
+#define sk_ROAIPAddress_push(st, val) SKM_sk_push(ROAIPAddress, (st), (val))
+#define sk_ROAIPAddress_unshift(st, val) SKM_sk_unshift(ROAIPAddress, (st), (val))
+#define sk_ROAIPAddress_find(st, val) SKM_sk_find(ROAIPAddress, (st), (val))
+#define sk_ROAIPAddress_find_ex(st, val) SKM_sk_find_ex(ROAIPAddress, (st), (val))
+#define sk_ROAIPAddress_delete(st, i) SKM_sk_delete(ROAIPAddress, (st), (i))
+#define sk_ROAIPAddress_delete_ptr(st, ptr) SKM_sk_delete_ptr(ROAIPAddress, (st), (ptr))
+#define sk_ROAIPAddress_insert(st, val, i) SKM_sk_insert(ROAIPAddress, (st), (val), (i))
+#define sk_ROAIPAddress_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(ROAIPAddress, (st), (cmp))
+#define sk_ROAIPAddress_dup(st) SKM_sk_dup(ROAIPAddress, st)
+#define sk_ROAIPAddress_pop_free(st, free_func) SKM_sk_pop_free(ROAIPAddress, (st), (free_func))
+#define sk_ROAIPAddress_shift(st) SKM_sk_shift(ROAIPAddress, (st))
+#define sk_ROAIPAddress_pop(st) SKM_sk_pop(ROAIPAddress, (st))
+#define sk_ROAIPAddress_sort(st) SKM_sk_sort(ROAIPAddress, (st))
+#define sk_ROAIPAddress_is_sorted(st) SKM_sk_is_sorted(ROAIPAddress, (st))
+
+/*
+ * Safestack macros for ROAIPAddressFamily.
+ */
+#define sk_ROAIPAddressFamily_new(st) SKM_sk_new(ROAIPAddressFamily, (st))
+#define sk_ROAIPAddressFamily_new_null() SKM_sk_new_null(ROAIPAddressFamily)
+#define sk_ROAIPAddressFamily_free(st) SKM_sk_free(ROAIPAddressFamily, (st))
+#define sk_ROAIPAddressFamily_num(st) SKM_sk_num(ROAIPAddressFamily, (st))
+#define sk_ROAIPAddressFamily_value(st, i) SKM_sk_value(ROAIPAddressFamily, (st), (i))
+#define sk_ROAIPAddressFamily_set(st, i, val) SKM_sk_set(ROAIPAddressFamily, (st), (i), (val))
+#define sk_ROAIPAddressFamily_zero(st) SKM_sk_zero(ROAIPAddressFamily, (st))
+#define sk_ROAIPAddressFamily_push(st, val) SKM_sk_push(ROAIPAddressFamily, (st), (val))
+#define sk_ROAIPAddressFamily_unshift(st, val) SKM_sk_unshift(ROAIPAddressFamily, (st), (val))
+#define sk_ROAIPAddressFamily_find(st, val) SKM_sk_find(ROAIPAddressFamily, (st), (val))
+#define sk_ROAIPAddressFamily_find_ex(st, val) SKM_sk_find_ex(ROAIPAddressFamily, (st), (val))
+#define sk_ROAIPAddressFamily_delete(st, i) SKM_sk_delete(ROAIPAddressFamily, (st), (i))
+#define sk_ROAIPAddressFamily_delete_ptr(st, ptr) SKM_sk_delete_ptr(ROAIPAddressFamily, (st), (ptr))
+#define sk_ROAIPAddressFamily_insert(st, val, i) SKM_sk_insert(ROAIPAddressFamily, (st), (val), (i))
+#define sk_ROAIPAddressFamily_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(ROAIPAddressFamily, (st), (cmp))
+#define sk_ROAIPAddressFamily_dup(st) SKM_sk_dup(ROAIPAddressFamily, st)
+#define sk_ROAIPAddressFamily_pop_free(st, free_func) SKM_sk_pop_free(ROAIPAddressFamily, (st), (free_func))
+#define sk_ROAIPAddressFamily_shift(st) SKM_sk_shift(ROAIPAddressFamily, (st))
+#define sk_ROAIPAddressFamily_pop(st) SKM_sk_pop(ROAIPAddressFamily, (st))
+#define sk_ROAIPAddressFamily_sort(st) SKM_sk_sort(ROAIPAddressFamily, (st))
+#define sk_ROAIPAddressFamily_is_sorted(st) SKM_sk_is_sorted(ROAIPAddressFamily, (st))
+
+#endif /* __RPKI_ROA_H__DEFSTACK_H__ */
diff --git a/rcynic/Makefile.in b/rcynic/Makefile.in
index eba83f39..0370f33a 100644
--- a/rcynic/Makefile.in
+++ b/rcynic/Makefile.in
@@ -6,7 +6,6 @@ BIN = ${NAME}
SRC = ${NAME}.c
OBJ = ${NAME}.o
-HDR = defasn1.h
GEN = defstack.h
OBJS = ${OBJ} bio_f_linebreak.o
@@ -24,21 +23,22 @@ abs_top_builddir = @abs_top_builddir@
host_os = @host_os@
-SCRIPTS = rcynic-text rcynic-html
+SCRIPTS = rcynic-text rcynic-html rcynic-svn validation_status
all: ${BIN} ${SCRIPTS}
clean:
cd static-rsync; ${MAKE} $@
- rm -f ${BIN} ${OBJS} ${GEN} ${SCRIPTS}
+ rm -f ${BIN} ${OBJS} ${SCRIPTS}
-${OBJ}: ${SRC} ${HDR} ${GEN}
+${OBJ}: ${SRC} ${GEN}
${BIN}: ${OBJS}
${CC} ${CFLAGS} -o $@ ${OBJS} ${LDFLAGS} ${LIBS}
-defstack.h: defstack.awk ${SRC} ${HDR}
- ${AWK} -f >$@ defstack.awk ${SRC} ${HDR}
+${GEN}: ${SRC}
+ ${PYTHON} ${abs_top_srcdir}/buildtools/defstack.py ${SRC} >$@.tmp
+ mv $@.tmp $@
test: ${BIN}
if test -r rcynic.conf; \
@@ -73,7 +73,13 @@ rcynic-text: rcynic-text.py
rcynic-html: rcynic-html.py
${COMPILE_PYTHON}
+rcynic-svn: rcynic-svn.py
+ ${COMPILE_PYTHON}
+
+validation_status: validation_status.py
+ ${COMPILE_PYTHON}
+
tags: TAGS
-TAGS: ${SRC} ${HDR} ${GEN}
- etags ${SRC} ${HDR} ${GEN}
+TAGS: ${SRC} ${GEN}
+ etags ${SRC} ${GEN}
diff --git a/rcynic/defstack.awk b/rcynic/defstack.awk
deleted file mode 100644
index 4593cb33..00000000
--- a/rcynic/defstack.awk
+++ /dev/null
@@ -1,71 +0,0 @@
-# $Id$
-#
-# Copyright (C) 2011 Internet Systems Consortium ("ISC")
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-function print_line(name, line)
-{
- gsub(/%/, name, line);
- print line;
-}
-
-function define_stack(name)
-{
- print_line(name, "/*");
- print_line(name, " * Safestack macros for %.");
- print_line(name, " */");
- print_line(name, "#define sk_%_new(st) SKM_sk_new(%, (st))");
- print_line(name, "#define sk_%_new_null() SKM_sk_new_null(%)");
- print_line(name, "#define sk_%_free(st) SKM_sk_free(%, (st))");
- print_line(name, "#define sk_%_num(st) SKM_sk_num(%, (st))");
- print_line(name, "#define sk_%_value(st, i) SKM_sk_value(%, (st), (i))");
- print_line(name, "#define sk_%_set(st, i, val) SKM_sk_set(%, (st), (i), (val))");
- print_line(name, "#define sk_%_zero(st) SKM_sk_zero(%, (st))");
- print_line(name, "#define sk_%_push(st, val) SKM_sk_push(%, (st), (val))");
- print_line(name, "#define sk_%_unshift(st, val) SKM_sk_unshift(%, (st), (val))");
- print_line(name, "#define sk_%_find(st, val) SKM_sk_find(%, (st), (val))");
- print_line(name, "#define sk_%_find_ex(st, val) SKM_sk_find_ex(%, (st), (val))");
- print_line(name, "#define sk_%_delete(st, i) SKM_sk_delete(%, (st), (i))");
- print_line(name, "#define sk_%_delete_ptr(st, ptr) SKM_sk_delete_ptr(%, (st), (ptr))");
- print_line(name, "#define sk_%_insert(st, val, i) SKM_sk_insert(%, (st), (val), (i))");
- print_line(name, "#define sk_%_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(%, (st), (cmp))");
- print_line(name, "#define sk_%_dup(st) SKM_sk_dup(%, st)");
- print_line(name, "#define sk_%_pop_free(st, free_func) SKM_sk_pop_free(%, (st), (free_func))");
- print_line(name, "#define sk_%_shift(st) SKM_sk_shift(%, (st))");
- print_line(name, "#define sk_%_pop(st) SKM_sk_pop(%, (st))");
- print_line(name, "#define sk_%_sort(st) SKM_sk_sort(%, (st))");
- print_line(name, "#define sk_%_is_sorted(st) SKM_sk_is_sorted(%, (st))");
- print_line(name, "");
-}
-
-BEGIN {
- print "/*";
- print " * Automatically generated, do not edit.";
- print " * Generator $Id$";
- print " */";
- print "";
- print "#ifndef __DEFSTACK_H__";
- print "#define __DEFSTACK_H__";
- print "";
-}
-
-/DECLARE_STACK_OF/ {
- sub(/^[ \t]+/, "");
- if (split($0, a, /[() \t]+/) > 1 && a[1] == "DECLARE_STACK_OF")
- define_stack(a[2]);
-}
-
-END {
- print "#endif /* __DEFSTACK_H__ */";
-}
diff --git a/rcynic/defstack.h b/rcynic/defstack.h
new file mode 100644
index 00000000..97490878
--- /dev/null
+++ b/rcynic/defstack.h
@@ -0,0 +1,134 @@
+/*
+ * Automatically generated, do not edit.
+ * Generator $Id: defstack.py 4725 2012-09-19 21:28:34Z sra $
+ */
+
+#ifndef __RCYNIC_C__DEFSTACK_H__
+#define __RCYNIC_C__DEFSTACK_H__
+
+/*
+ * Safestack macros for validation_status_t.
+ */
+#define sk_validation_status_t_new(st) SKM_sk_new(validation_status_t, (st))
+#define sk_validation_status_t_new_null() SKM_sk_new_null(validation_status_t)
+#define sk_validation_status_t_free(st) SKM_sk_free(validation_status_t, (st))
+#define sk_validation_status_t_num(st) SKM_sk_num(validation_status_t, (st))
+#define sk_validation_status_t_value(st, i) SKM_sk_value(validation_status_t, (st), (i))
+#define sk_validation_status_t_set(st, i, val) SKM_sk_set(validation_status_t, (st), (i), (val))
+#define sk_validation_status_t_zero(st) SKM_sk_zero(validation_status_t, (st))
+#define sk_validation_status_t_push(st, val) SKM_sk_push(validation_status_t, (st), (val))
+#define sk_validation_status_t_unshift(st, val) SKM_sk_unshift(validation_status_t, (st), (val))
+#define sk_validation_status_t_find(st, val) SKM_sk_find(validation_status_t, (st), (val))
+#define sk_validation_status_t_find_ex(st, val) SKM_sk_find_ex(validation_status_t, (st), (val))
+#define sk_validation_status_t_delete(st, i) SKM_sk_delete(validation_status_t, (st), (i))
+#define sk_validation_status_t_delete_ptr(st, ptr) SKM_sk_delete_ptr(validation_status_t, (st), (ptr))
+#define sk_validation_status_t_insert(st, val, i) SKM_sk_insert(validation_status_t, (st), (val), (i))
+#define sk_validation_status_t_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(validation_status_t, (st), (cmp))
+#define sk_validation_status_t_dup(st) SKM_sk_dup(validation_status_t, st)
+#define sk_validation_status_t_pop_free(st, free_func) SKM_sk_pop_free(validation_status_t, (st), (free_func))
+#define sk_validation_status_t_shift(st) SKM_sk_shift(validation_status_t, (st))
+#define sk_validation_status_t_pop(st) SKM_sk_pop(validation_status_t, (st))
+#define sk_validation_status_t_sort(st) SKM_sk_sort(validation_status_t, (st))
+#define sk_validation_status_t_is_sorted(st) SKM_sk_is_sorted(validation_status_t, (st))
+
+/*
+ * Safestack macros for walk_ctx_t.
+ */
+#define sk_walk_ctx_t_new(st) SKM_sk_new(walk_ctx_t, (st))
+#define sk_walk_ctx_t_new_null() SKM_sk_new_null(walk_ctx_t)
+#define sk_walk_ctx_t_free(st) SKM_sk_free(walk_ctx_t, (st))
+#define sk_walk_ctx_t_num(st) SKM_sk_num(walk_ctx_t, (st))
+#define sk_walk_ctx_t_value(st, i) SKM_sk_value(walk_ctx_t, (st), (i))
+#define sk_walk_ctx_t_set(st, i, val) SKM_sk_set(walk_ctx_t, (st), (i), (val))
+#define sk_walk_ctx_t_zero(st) SKM_sk_zero(walk_ctx_t, (st))
+#define sk_walk_ctx_t_push(st, val) SKM_sk_push(walk_ctx_t, (st), (val))
+#define sk_walk_ctx_t_unshift(st, val) SKM_sk_unshift(walk_ctx_t, (st), (val))
+#define sk_walk_ctx_t_find(st, val) SKM_sk_find(walk_ctx_t, (st), (val))
+#define sk_walk_ctx_t_find_ex(st, val) SKM_sk_find_ex(walk_ctx_t, (st), (val))
+#define sk_walk_ctx_t_delete(st, i) SKM_sk_delete(walk_ctx_t, (st), (i))
+#define sk_walk_ctx_t_delete_ptr(st, ptr) SKM_sk_delete_ptr(walk_ctx_t, (st), (ptr))
+#define sk_walk_ctx_t_insert(st, val, i) SKM_sk_insert(walk_ctx_t, (st), (val), (i))
+#define sk_walk_ctx_t_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(walk_ctx_t, (st), (cmp))
+#define sk_walk_ctx_t_dup(st) SKM_sk_dup(walk_ctx_t, st)
+#define sk_walk_ctx_t_pop_free(st, free_func) SKM_sk_pop_free(walk_ctx_t, (st), (free_func))
+#define sk_walk_ctx_t_shift(st) SKM_sk_shift(walk_ctx_t, (st))
+#define sk_walk_ctx_t_pop(st) SKM_sk_pop(walk_ctx_t, (st))
+#define sk_walk_ctx_t_sort(st) SKM_sk_sort(walk_ctx_t, (st))
+#define sk_walk_ctx_t_is_sorted(st) SKM_sk_is_sorted(walk_ctx_t, (st))
+
+/*
+ * Safestack macros for rsync_ctx_t.
+ */
+#define sk_rsync_ctx_t_new(st) SKM_sk_new(rsync_ctx_t, (st))
+#define sk_rsync_ctx_t_new_null() SKM_sk_new_null(rsync_ctx_t)
+#define sk_rsync_ctx_t_free(st) SKM_sk_free(rsync_ctx_t, (st))
+#define sk_rsync_ctx_t_num(st) SKM_sk_num(rsync_ctx_t, (st))
+#define sk_rsync_ctx_t_value(st, i) SKM_sk_value(rsync_ctx_t, (st), (i))
+#define sk_rsync_ctx_t_set(st, i, val) SKM_sk_set(rsync_ctx_t, (st), (i), (val))
+#define sk_rsync_ctx_t_zero(st) SKM_sk_zero(rsync_ctx_t, (st))
+#define sk_rsync_ctx_t_push(st, val) SKM_sk_push(rsync_ctx_t, (st), (val))
+#define sk_rsync_ctx_t_unshift(st, val) SKM_sk_unshift(rsync_ctx_t, (st), (val))
+#define sk_rsync_ctx_t_find(st, val) SKM_sk_find(rsync_ctx_t, (st), (val))
+#define sk_rsync_ctx_t_find_ex(st, val) SKM_sk_find_ex(rsync_ctx_t, (st), (val))
+#define sk_rsync_ctx_t_delete(st, i) SKM_sk_delete(rsync_ctx_t, (st), (i))
+#define sk_rsync_ctx_t_delete_ptr(st, ptr) SKM_sk_delete_ptr(rsync_ctx_t, (st), (ptr))
+#define sk_rsync_ctx_t_insert(st, val, i) SKM_sk_insert(rsync_ctx_t, (st), (val), (i))
+#define sk_rsync_ctx_t_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(rsync_ctx_t, (st), (cmp))
+#define sk_rsync_ctx_t_dup(st) SKM_sk_dup(rsync_ctx_t, st)
+#define sk_rsync_ctx_t_pop_free(st, free_func) SKM_sk_pop_free(rsync_ctx_t, (st), (free_func))
+#define sk_rsync_ctx_t_shift(st) SKM_sk_shift(rsync_ctx_t, (st))
+#define sk_rsync_ctx_t_pop(st) SKM_sk_pop(rsync_ctx_t, (st))
+#define sk_rsync_ctx_t_sort(st) SKM_sk_sort(rsync_ctx_t, (st))
+#define sk_rsync_ctx_t_is_sorted(st) SKM_sk_is_sorted(rsync_ctx_t, (st))
+
+/*
+ * Safestack macros for rsync_history_t.
+ */
+#define sk_rsync_history_t_new(st) SKM_sk_new(rsync_history_t, (st))
+#define sk_rsync_history_t_new_null() SKM_sk_new_null(rsync_history_t)
+#define sk_rsync_history_t_free(st) SKM_sk_free(rsync_history_t, (st))
+#define sk_rsync_history_t_num(st) SKM_sk_num(rsync_history_t, (st))
+#define sk_rsync_history_t_value(st, i) SKM_sk_value(rsync_history_t, (st), (i))
+#define sk_rsync_history_t_set(st, i, val) SKM_sk_set(rsync_history_t, (st), (i), (val))
+#define sk_rsync_history_t_zero(st) SKM_sk_zero(rsync_history_t, (st))
+#define sk_rsync_history_t_push(st, val) SKM_sk_push(rsync_history_t, (st), (val))
+#define sk_rsync_history_t_unshift(st, val) SKM_sk_unshift(rsync_history_t, (st), (val))
+#define sk_rsync_history_t_find(st, val) SKM_sk_find(rsync_history_t, (st), (val))
+#define sk_rsync_history_t_find_ex(st, val) SKM_sk_find_ex(rsync_history_t, (st), (val))
+#define sk_rsync_history_t_delete(st, i) SKM_sk_delete(rsync_history_t, (st), (i))
+#define sk_rsync_history_t_delete_ptr(st, ptr) SKM_sk_delete_ptr(rsync_history_t, (st), (ptr))
+#define sk_rsync_history_t_insert(st, val, i) SKM_sk_insert(rsync_history_t, (st), (val), (i))
+#define sk_rsync_history_t_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(rsync_history_t, (st), (cmp))
+#define sk_rsync_history_t_dup(st) SKM_sk_dup(rsync_history_t, st)
+#define sk_rsync_history_t_pop_free(st, free_func) SKM_sk_pop_free(rsync_history_t, (st), (free_func))
+#define sk_rsync_history_t_shift(st) SKM_sk_shift(rsync_history_t, (st))
+#define sk_rsync_history_t_pop(st) SKM_sk_pop(rsync_history_t, (st))
+#define sk_rsync_history_t_sort(st) SKM_sk_sort(rsync_history_t, (st))
+#define sk_rsync_history_t_is_sorted(st) SKM_sk_is_sorted(rsync_history_t, (st))
+
+/*
+ * Safestack macros for task_t.
+ */
+#define sk_task_t_new(st) SKM_sk_new(task_t, (st))
+#define sk_task_t_new_null() SKM_sk_new_null(task_t)
+#define sk_task_t_free(st) SKM_sk_free(task_t, (st))
+#define sk_task_t_num(st) SKM_sk_num(task_t, (st))
+#define sk_task_t_value(st, i) SKM_sk_value(task_t, (st), (i))
+#define sk_task_t_set(st, i, val) SKM_sk_set(task_t, (st), (i), (val))
+#define sk_task_t_zero(st) SKM_sk_zero(task_t, (st))
+#define sk_task_t_push(st, val) SKM_sk_push(task_t, (st), (val))
+#define sk_task_t_unshift(st, val) SKM_sk_unshift(task_t, (st), (val))
+#define sk_task_t_find(st, val) SKM_sk_find(task_t, (st), (val))
+#define sk_task_t_find_ex(st, val) SKM_sk_find_ex(task_t, (st), (val))
+#define sk_task_t_delete(st, i) SKM_sk_delete(task_t, (st), (i))
+#define sk_task_t_delete_ptr(st, ptr) SKM_sk_delete_ptr(task_t, (st), (ptr))
+#define sk_task_t_insert(st, val, i) SKM_sk_insert(task_t, (st), (val), (i))
+#define sk_task_t_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(task_t, (st), (cmp))
+#define sk_task_t_dup(st) SKM_sk_dup(task_t, st)
+#define sk_task_t_pop_free(st, free_func) SKM_sk_pop_free(task_t, (st), (free_func))
+#define sk_task_t_shift(st) SKM_sk_shift(task_t, (st))
+#define sk_task_t_pop(st) SKM_sk_pop(task_t, (st))
+#define sk_task_t_sort(st) SKM_sk_sort(task_t, (st))
+#define sk_task_t_is_sorted(st) SKM_sk_is_sorted(task_t, (st))
+
+#endif /* __RCYNIC_C__DEFSTACK_H__ */
diff --git a/rcynic/rcynic-svn.py b/rcynic/rcynic-svn.py
new file mode 100644
index 00000000..d17e20e1
--- /dev/null
+++ b/rcynic/rcynic-svn.py
@@ -0,0 +1,190 @@
+"""
+Archive rcynic output in a Subversion repository.
+"""
+
+# $Id$
+#
+# Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+import subprocess
+import argparse
+import datetime
+import fcntl
+import glob
+import os
+
+try:
+ from lxml.etree import ElementTree
+except ImportError:
+ from xml.etree.ElementTree import ElementTree
+
+
+mime_types = (
+ ("html", "application/xhtml+xml"),
+ ("cer", "application/pkix-cert"),
+ ("crl", "application/pkix-crl"),
+ ("mft", "application/rpki-manifest"),
+ ("mnf", "application/rpki-manifest"),
+ ("roa", "application/rpki-roa"),
+ ("gbr", "application/rpki-ghostbusters"))
+
+
+def run(*cmd, **kwargs):
+ """
+ Run a program, displaying timing data when appropriate.
+ """
+
+ t = datetime.datetime.utcnow()
+ subprocess.check_call(cmd, **kwargs)
+ if args.show_timing:
+ now = datetime.datetime.utcnow()
+ print now, (now - t), " ".join(cmd)
+
+
+def runxml(*cmd):
+ """
+
+ Run a program which produces XML output, displaying timing data when
+ appropriate and returning an ElementTree constructed from the
+ program's output.
+ """
+ t = datetime.datetime.utcnow()
+ p = subprocess.Popen(cmd, stdout = subprocess.PIPE)
+ x = ElementTree(file = p.stdout)
+ s = p.wait()
+ if s:
+ raise subprocess.CalledProcessError(s, cmd[0])
+ if args.show_timing:
+ now = datetime.datetime.utcnow()
+ print now, (now - t), " ".join(cmd)
+ return x
+
+
+# Main program.
+
+parser = argparse.ArgumentParser(description = __doc__)
+
+parser.add_argument("--show_timing", action = "store_true", help = \
+ """
+ Show timing data on programs we run.
+ """)
+
+parser.add_argument("--verbatim", action = "store_true", help = \
+ """
+ Whether to archive rcynic's data output exactly as
+ rcynic writes it or map it into a directory
+ structure which makes more sense when used with
+ Subversion. True means archive exactly as rcynic
+ writes it, interpreting file and directory names
+ as rsync would, transient directories and all.
+ False means map the current authenticated/ tree in
+ rcynic's output to a stable authenticated/ subtree
+ in the subversion repository, with file and
+ directory anmes from the command line shorted to
+ their last component.
+ """)
+
+parser.add_argument("--lockfile", default = "rcynic-svn.lock", help = \
+ """
+ Lock file to to prevent multiple copies of this
+ program (eg, running under cron) from stepping on
+ each other while modifying the working directory.
+ """)
+
+parser.add_argument("files_to_archive", nargs = "*", help = \
+ """
+ Files to archive using Subversion. If omitted, we
+ assume that some other process has already
+ modified the Subversion working directory.
+ """)
+
+parser.add_argument("working_directory", help = \
+ """
+ Subversion working directory to use (must already
+ exist).
+ """)
+
+args = parser.parse_args()
+
+if args.show_timing:
+ t0 = datetime.datetime.utcnow()
+ print t0, "Starting"
+
+# Lock out other instances of this program. We may want some more
+# sophsiticated approach when combining this with other programs, but
+# this should minimize the risk of multiple copies of this program
+# trying to modify the same subversion working directory at the same
+# time and messing each other up. We leave the lock file in place
+# because doing so removes a potential race condition.
+
+lock = os.open("cronjob.lock", os.O_RDONLY | os.O_CREAT | os.O_NONBLOCK, 0666)
+fcntl.flock(lock, fcntl.LOCK_EX | fcntl.LOCK_NB)
+
+# Make sure working tree is up to date.
+
+run("svn", "update", "--quiet", args.working_directory)
+
+# Copy rcynic's output as appropriate.
+
+if args.files_to_archive:
+
+ if args.verbatim:
+ cmd = ["rsync", "--archive", "--quiet", "--delete"]
+ cmd.extend(args.files_to_archive)
+ cmd.append(args.working_directory)
+ run(*cmd)
+
+ else:
+ for src in args.files_to_archive:
+ cmd = ["rsync", "--archive", "--quiet", "--delete", "--copy-links"]
+ cmd.append(src.rstrip("/"))
+ cmd.append(args.working_directory.rstrip("/") + "/")
+ run(*cmd)
+
+# Ask Subversion to add any new files, trying hard to get the MIME
+# types right.
+
+cmd = ["svn", "add", "--quiet", "--force", "--auto-props"]
+
+for fn2, mime_type in mime_types:
+ cmd.append("--config-option")
+ cmd.append("config:auto-props:*.%s=svn:mime-type=%s" % (fn2, mime_type))
+
+cmd.append(".")
+
+run(*cmd, cwd = args.working_directory)
+
+# Parse XML version of Subversion's status output to figure out what
+# files have been deleted, and tell Subversion that we deleted them
+# intentionally.
+
+missing = sorted(entry.get("path")
+ for entry in runxml("svn", "status", "--xml", args.working_directory).find("target").findall("entry")
+ if entry.find("wc-status").get("item") == "missing")
+deleted = []
+
+for path in missing:
+ if not any(path.startswith(r) for r in deleted):
+ run("svn", "delete", "--quiet", path)
+ deleted.append(path + "/")
+
+# Commit our changes and update the working tree.
+
+run("svn", "commit", "--quiet", "--message", "Auto update.", args.working_directory)
+run("svn", "update", "--quiet", args.working_directory)
+
+if args.show_timing:
+ now = datetime.datetime.utcnow()
+ print now, now - t0, "total runtime"
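Review bot: The `--lockfile` option is parsed but never used: the `os.open` call under "Lock out other instances" opens the literal `"cronjob.lock"` relative to the current directory. Two instances started from different directories therefore take different locks and can still modify the same Subversion working directory at once, which is exactly what the comment says the lock prevents. The call should be `lock = os.open(args.lockfile, os.O_RDONLY | os.O_CREAT | os.O_NONBLOCK, 0666)`. Mode `0666` also creates the lock file as permissively as the umask allows; since it is only ever opened read-only for `flock`, `0644` or tighter would do and would limit who else can create or hold it.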
diff --git a/rcynic/rcynic.c b/rcynic/rcynic.c
index f06eacec..fd1f7c11 100644
--- a/rcynic/rcynic.c
+++ b/rcynic/rcynic.c
@@ -77,10 +77,12 @@
#include <openssl/asn1t.h>
#include <openssl/cms.h>
+#include <rpki/roa.h>
+#include <rpki/manifest.h>
+
#include "bio_f_linebreak.h"
#include "defstack.h"
-#include "defasn1.h"
#if !defined(FILENAME_MAX) && defined(PATH_MAX) && PATH_MAX > 1024
#define FILENAME_MAX PATH_MAX
@@ -389,8 +391,10 @@ typedef struct validation_status {
uri_t uri;
object_generation_t generation;
time_t timestamp;
- unsigned creation_order;
unsigned char events[(MIB_COUNTER_T_MAX + 7) / 8];
+ short balance;
+ struct validation_status *left_child;
+ struct validation_status *right_child;
} validation_status_t;
DECLARE_STACK_OF(validation_status_t)
@@ -547,7 +551,9 @@ struct rcynic_ctx {
int allow_digest_mismatch, allow_crl_digest_mismatch;
int allow_nonconformant_name, allow_ee_without_signedObject;
int allow_1024_bit_ee_key, allow_wrong_cms_si_attributes;
- unsigned max_select_time, validation_status_creation_order;
+ unsigned max_select_time;
+ validation_status_t *validation_status_in_waiting;
+ validation_status_t *validation_status_root;
log_level_t log_level;
X509_STORE *x509_store;
};
@@ -1056,6 +1062,207 @@ static void validation_status_set_code(validation_status_t *v,
}
/**
+ * validation_status object comparison, for AVL tree rather than
+ * OpenSSL stacks.
+ */
+static int
+validation_status_cmp(const validation_status_t *node,
+ const uri_t *uri,
+ const object_generation_t generation)
+{
+ int cmp = ((int) node->generation) - ((int) generation);
+ if (cmp)
+ return cmp;
+ else
+ return strcmp(uri->s, node->uri.s);
+}
+
+/**
+ * validation_status AVL tree insertion. Adapted from code written by
+ * Paul Vixie and explictly placed in the public domain using examples
+ * from the book: "Algorithms & Data Structures," Niklaus Wirth,
+ * Prentice-Hall, 1986, ISBN 0-13-022005-1. Thanks, Paul!
+ */
+static validation_status_t *
+validation_status_sprout(validation_status_t **node,
+ int *needs_balancing,
+ validation_status_t *new_node)
+{
+#ifdef AVL_DEBUG
+#define AVL_MSG(msg) sprintf(stderr, "AVL_DEBUG: '%s'\n", msg)
+#else
+#define AVL_MSG(msg)
+#endif
+
+ validation_status_t *p1, *p2, *result;
+ int cmp;
+
+ /*
+ * Are we grounded? If so, add the node "here" and set the
+ * rebalance flag, then exit.
+ */
+ if (*node == NULL) {
+ AVL_MSG("Grounded, adding new node");
+ new_node->left_child = NULL;
+ new_node->right_child = NULL;
+ new_node->balance = 0;
+ *node = new_node;
+ *needs_balancing = 1;
+ return *node;
+ }
+
+ /*
+ * Compare the data.
+ */
+ cmp = validation_status_cmp(*node, &new_node->uri, new_node->generation);
+
+ /*
+ * If LESS, prepare to move to the left.
+ */
+ if (cmp < 0) {
+
+ AVL_MSG("LESS. sprouting left.");
+ result = validation_status_sprout(&(*node)->left_child, needs_balancing, new_node);
+
+ if (*needs_balancing) {
+ AVL_MSG("LESS: left branch has grown longer");
+
+ switch ((*node)->balance) {
+
+ case 1:
+ /*
+ * Right branch WAS longer; balance is ok now.
+ */
+ AVL_MSG("LESS: case 1.. balance restored implicitly");
+ (*node)->balance = 0;
+ *needs_balancing = 0;
+ break;
+
+ case 0:
+ /*
+ * Balance WAS okay; now left branch longer.
+ */
+ AVL_MSG("LESS: case 0.. balnce bad but still ok");
+ (*node)->balance = -1;
+ break;
+
+ case -1:
+ /*
+ * Left branch was already too long. Rebalance.
+ */
+ AVL_MSG("LESS: case -1: rebalancing");
+ p1 = (*node)->left_child;
+
+ if (p1->balance == -1) {
+ AVL_MSG("LESS: single LL");
+ (*node)->left_child = p1->right_child;
+ p1->right_child = *node;
+ (*node)->balance = 0;
+ *node = p1;
+ }
+
+ else {
+ AVL_MSG("LESS: double LR");
+
+ p2 = p1->right_child;
+ p1->right_child = p2->left_child;
+ p2->left_child = p1;
+
+ (*node)->left_child = p2->right_child;
+ p2->right_child = *node;
+
+ if (p2->balance == -1)
+ (*node)->balance = 1;
+ else
+ (*node)->balance = 0;
+
+ if (p2->balance == 1)
+ p1->balance = -1;
+ else
+ p1->balance = 0;
+ *node = p2;
+ }
+
+ (*node)->balance = 0;
+ *needs_balancing = 0;
+ }
+ }
+ return result;
+ }
+
+ /*
+ * If MORE, prepare to move to the right.
+ */
+ if (cmp > 0) {
+
+ AVL_MSG("MORE: sprouting to the right");
+ result = validation_status_sprout(&(*node)->right_child, needs_balancing, new_node);
+
+ if (*needs_balancing) {
+ AVL_MSG("MORE: right branch has grown longer");
+
+ switch ((*node)->balance) {
+
+ case -1:AVL_MSG("MORE: balance was off, fixed implicitly");
+ (*node)->balance = 0;
+ *needs_balancing = 0;
+ break;
+
+ case 0: AVL_MSG("MORE: balance was okay, now off but ok");
+ (*node)->balance = 1;
+ break;
+
+ case 1: AVL_MSG("MORE: balance was off, need to rebalance");
+ p1 = (*node)->right_child;
+
+ if (p1->balance == 1) {
+ AVL_MSG("MORE: single RR");
+ (*node)->right_child = p1->left_child;
+ p1->left_child = *node;
+ (*node)->balance = 0;
+ *node = p1;
+ }
+
+ else {
+ AVL_MSG("MORE: double RL");
+
+ p2 = p1->left_child;
+ p1->left_child = p2->right_child;
+ p2->right_child = p1;
+
+ (*node)->right_child = p2->left_child;
+ p2->left_child = *node;
+
+ if (p2->balance == 1)
+ (*node)->balance = -1;
+ else
+ (*node)->balance = 0;
+
+ if (p2->balance == -1)
+ p1->balance = 1;
+ else
+ p1->balance = 0;
+
+ *node = p2;
+ } /*else*/
+ (*node)->balance = 0;
+ *needs_balancing = 0;
+ }
+ }
+ return result;
+ }
+
+ /*
+ * Neither more nor less, found existing node matching key, return it.
+ */
+ AVL_MSG("I found it!");
+ *needs_balancing = 0;
+ return *node;
+
+#undef AVL_DEBUG
+}
+
+/**
* Add a validation status entry to internal log.
*/
static void log_validation_status(rcynic_ctx_t *rc,
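Review bot: The debug macro in `validation_status_sprout` calls `sprintf(stderr, ...)`, so a build with `AVL_DEBUG` defined passes a `FILE *` where a `char *` buffer is expected and would write the message over the stream object instead of printing it; it should be `#define AVL_MSG(msg) fprintf(stderr, "AVL_DEBUG: '%s'\n", msg)`. The function also ends with `#undef AVL_DEBUG`, which leaves `AVL_MSG` defined for the rest of the file and clears the caller's build flag; `#undef AVL_MSG` looks like what was meant. Separately, `validation_status_cmp` subtracts key from node for the generation but calls `strcmp(uri->s, node->uri.s)` with key first, so the two fields sort in opposite senses. That is consistent between insert and lookup, but a comment such as `/* NB: generation compares node-vs-key, URI compares key-vs-node; tree order is not plain (generation, uri) ascending */` would stop someone "fixing" one side only.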
@@ -1063,8 +1270,8 @@ static void log_validation_status(rcynic_ctx_t *rc,
const mib_counter_t code,
const object_generation_t generation)
{
- validation_status_t v_, *v = NULL;
- int was_set;
+ validation_status_t *v = NULL;
+ int needs_balancing = 0;
assert(rc && uri && code < MIB_COUNTER_T_MAX && generation < OBJECT_GENERATION_MAX);
@@ -1074,68 +1281,41 @@ static void log_validation_status(rcynic_ctx_t *rc,
if (code == rsync_transfer_skipped && !rc->run_rsync)
return;
- memset(&v_, 0, sizeof(v_));
- v_.uri = *uri;
- v_.generation = generation;
-
- v = sk_validation_status_t_value(rc->validation_status, sk_validation_status_t_find(rc->validation_status, &v_));
- if (v == NULL) {
- if ((v = validation_status_t_new()) == NULL) {
- logmsg(rc, log_sys_err, "Couldn't allocate validation status entry for %s", uri->s);
- return;
- }
- *v = v_;
- v->creation_order = rc->validation_status_creation_order++;
- assert(rc->validation_status_creation_order != 0);
- if (!sk_validation_status_t_push(rc->validation_status, v)) {
- logmsg(rc, log_sys_err, "Couldn't store validation status entry for %s", uri->s);
- free(v);
- return;
- }
+ if (rc->validation_status_in_waiting == NULL &&
+ (rc->validation_status_in_waiting = validation_status_t_new()) == NULL) {
+ logmsg(rc, log_sys_err, "Couldn't allocate validation status entry for %s", uri->s);
+ return;
}
- was_set = validation_status_get_code(v, code);
+ v = rc->validation_status_in_waiting;
+ memset(v, 0, sizeof(*v));
+ v->uri = *uri;
+ v->generation = generation;
+
+ v = validation_status_sprout(&rc->validation_status_root, &needs_balancing, v);
+ if (v == rc->validation_status_in_waiting)
+ rc->validation_status_in_waiting = NULL;
+
+ if (rc->validation_status_in_waiting == NULL &&
+ !sk_validation_status_t_push(rc->validation_status, v)) {
+ logmsg(rc, log_sys_err, "Couldn't store validation status entry for %s", uri->s);
+ return;
+ }
v->timestamp = time(0);
- validation_status_set_code(v, code, 1);
- if (!was_set)
- logmsg(rc, log_verbose, "Recording \"%s\" for %s%s%s",
- (mib_counter_desc[code]
- ? mib_counter_desc[code]
- : X509_verify_cert_error_string(mib_counter_openssl[code])),
- (generation != object_generation_null ? object_generation_label[generation] : ""),
- (generation != object_generation_null ? " " : ""),
- uri->s);
-}
+ if (validation_status_get_code(v, code))
+ return;
-/**
- * Validation status object comparision. While building up the
- * database, we want to do lookups based on URI and generation number.
- */
-static int validation_status_cmp_uri(const validation_status_t * const *a, const validation_status_t * const *b)
-{
- int cmp = strcmp((*a)->uri.s, (*b)->uri.s);
- if (cmp)
- return cmp;
- cmp = (int) ((*a)->generation) - (int) ((*b)->generation);
- if (cmp)
- return cmp;
- return 0;
-}
+ validation_status_set_code(v, code, 1);
-/**
- * Validation status object comparision. When writing out the
- * database, one of our primary consumers has respectfully requested
- * that we write in something approximating the order we traversed, so
- * we regenerate that order using the "order" field added for just
- * that purpose when creating these objects.
- */
-static int validation_status_cmp_creation_order(const validation_status_t * const *a, const validation_status_t * const *b)
-{
- int cmp = (*a)->creation_order - (*b)->creation_order;
- assert(cmp != 0 || a == b);
- return cmp;
+ logmsg(rc, log_verbose, "Recording \"%s\" for %s%s%s",
+ (mib_counter_desc[code]
+ ? mib_counter_desc[code]
+ : X509_verify_cert_error_string(mib_counter_openssl[code])),
+ (generation != object_generation_null ? object_generation_label[generation] : ""),
+ (generation != object_generation_null ? " " : ""),
+ uri->s);
}
/**
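Review bot: When `sk_validation_status_t_push` fails, the new entry has already been linked into `rc->validation_status_root` by `validation_status_sprout` and `validation_status_in_waiting` has been cleared, so the early `return` leaves a node that lives only in the tree. From what is visible, `write_xml_file` and the exit cleanup both walk only the stack, so that entry would never be reported or freed, while `validation_status_find` would still return it, and `code` is never recorded on it. If unlinking from the tree is not worth the code, the failure path should at least say so, e.g. `/* v is now in the AVL tree but not on the stack: it will be found by lookups but never written out or freed */`, or treat the failure as fatal. The function begins above this hunk.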
@@ -1220,6 +1400,22 @@ static int install_object(rcynic_ctx_t *rc,
}
/**
+ * AVL tree lookup for validation status objects.
+ */
+static validation_status_t *
+validation_status_find(validation_status_t *node,
+ const uri_t *uri,
+ const object_generation_t generation)
+{
+ int cmp;
+
+ while (node != NULL && (cmp = validation_status_cmp(node, uri, generation)) != 0)
+ node = cmp < 0 ? node->left_child : node->right_child;
+
+ return node;
+}
+
+/**
* Figure out whether we already have a good copy of an object. This
* is a little more complicated than it sounds, because we might have
* failed the current generation and accepted the backup due to having
@@ -1235,9 +1431,8 @@ static int skip_checking_this_object(rcynic_ctx_t *rc,
const uri_t *uri,
const object_generation_t generation)
{
- validation_status_t v_, *v = NULL;
+ validation_status_t *v = NULL;
path_t path;
- int i;
assert(rc && uri && rc->validation_status);
@@ -1252,12 +1447,7 @@ static int skip_checking_this_object(rcynic_ctx_t *rc,
if (generation != object_generation_current)
return 1;
- memset(&v_, 0, sizeof(v_));
- v_.uri = *uri;
- v_.generation = generation;
-
- i = sk_validation_status_t_find(rc->validation_status, &v_);
- v = sk_validation_status_t_value(rc->validation_status, i);
+ v = validation_status_find(rc->validation_status_root, uri, generation);
if (v != NULL && validation_status_get_code(v, object_accepted))
return 1;
@@ -4800,9 +4990,6 @@ static int write_xml_file(const rcynic_ctx_t *rc,
if (ok)
ok &= fprintf(f, " </labels>\n") != EOF;
- (void) sk_validation_status_t_set_cmp_func(rc->validation_status, validation_status_cmp_creation_order);
- sk_validation_status_t_sort(rc->validation_status);
-
for (i = 0; ok && i < sk_validation_status_t_num(rc->validation_status); i++) {
validation_status_t *v = sk_validation_status_t_value(rc->validation_status, i);
assert(v);
@@ -5142,7 +5329,7 @@ int main(int argc, char *argv[])
goto done;
}
- if ((rc.validation_status = sk_validation_status_t_new(validation_status_cmp_uri)) == NULL) {
+ if ((rc.validation_status = sk_validation_status_t_new_null()) == NULL) {
logmsg(&rc, log_sys_err, "Couldn't allocate validation_status stack");
goto done;
}
@@ -5360,6 +5547,7 @@ int main(int argc, char *argv[])
*/
sk_validation_status_t_pop_free(rc.validation_status, validation_status_t_free);
sk_rsync_history_t_pop_free(rc.rsync_history, rsync_history_t_free);
+ validation_status_t_free(rc.validation_status_in_waiting);
X509_STORE_free(rc.x509_store);
NCONF_free(cfg_handle);
CONF_modules_free();
diff --git a/rcynic/validation_status.awk b/rcynic/validation_status.awk
deleted file mode 100755
index 92012595..00000000
--- a/rcynic/validation_status.awk
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/usr/bin/awk -f
-
-# $Id$
-#
-# Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# Prettyprint output of validation_status.xsl
-
-BEGIN {
- FS = "\t";
- cmd = "xsltproc validation_status.xsl";
- if (ARGC == 1)
- cmd = cmd " -";
- else
- for (i = 1; i < ARGC; ++i)
- cmd = cmd " " ARGV[i];
- while ((cmd | getline) > 0)
- printf "%s %8s %-40s %s\n", $1, $4, $2, $3;
- close(cmd);
-}
diff --git a/rpkid/Makefile.in b/rpkid/Makefile.in
index 93c3582e..798b5e8a 100644
--- a/rpkid/Makefile.in
+++ b/rpkid/Makefile.in
@@ -126,14 +126,14 @@ all-tests:: unit-tests
all-tests:: relaxng
-test all-tests parse-test profile yamltest:: all
+test all-tests parse-test profile yamltest yamlconf:: all
cd tests; $(MAKE) $@
tags: Makefile
find . -type f \( -name '*.py' -o -name '*.sql' -o -name '*.rnc' -o -name '*.py.in' \) ! -name relaxng.py ! -name sql_schemas.py | etags -
lint:
- pylint --rcfile ${abs_top_srcdir}/buildtools/pylint.rc rpki/[a-z]*.py *d.py rpki-*.py rpkic.py irbe_cli.py tests/*.py
+ pylint --rcfile ${abs_top_srcdir}/buildtools/pylint.rc rpki/*.py rpki/irdb/*.py *.py tests/*.py
# Documentation
diff --git a/rpkid/examples/rpki.conf b/rpkid/examples/rpki.conf
index fdcd4cdd..4fbfca0d 100644
--- a/rpkid/examples/rpki.conf
+++ b/rpkid/examples/rpki.conf
@@ -83,6 +83,7 @@ rootd_server_port = 4401
# relying parties can find and verify rpkid's published outputs.
publication_base_directory = publication
+publication_root_cert_directory = ${myrpki::publication_base_directory}.root
# rsyncd module name corresponding to publication_base_directory.
# This has to match the module you configured into rsyncd.conf.
@@ -90,6 +91,12 @@ publication_base_directory = publication
publication_rsync_module = rpki
+# rsyncd module name corresponding to publication_root_cert_directory.
+# This has to match the module you configured into rsyncd.conf.
+# Leave this alone unless you have some need to change it.
+
+publication_root_module = root
+
# Hostname and optional port number for rsync:// URIs. In most cases
# this should just be the same value as pubd_server_host.
@@ -304,7 +311,7 @@ rpki-base-uri = rsync://${myrpki::publication_rsync_server}/${myrpki:
# rsync URI for rootd's root (self-signed) RPKI certificate
-rpki-root-cert-uri = rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/root.cer
+rpki-root-cert-uri = rsync://${myrpki::publication_rsync_server}/${myrpki::publication_root_module}/root.cer
# Private key corresponding to rootd's root RPKI certificate
@@ -312,7 +319,7 @@ rpki-root-key = ${myrpki::bpki_servers_directory}/root.key
# Filename (as opposed to rsync URI) of rootd's root RPKI certificate
-rpki-root-cert = ${myrpki::publication_base_directory}/root.cer
+rpki-root-cert = ${myrpki::publication_root_cert_directory}/root.cer
# Where rootd should stash a copy of the PKCS #10 request it gets from
# its one (and only) child
@@ -472,3 +479,6 @@ subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:${rootd::root_cert_sia},1.3.6.
sbgp-autonomousSysNum = critical,${rootd::root_cert_asns}
sbgp-ipAddrBlock = critical,${rootd::root_cert_addrs}
certificatePolicies = critical,1.3.6.1.5.5.7.14.2
+
+#[rpkic]
+#autosync = false
diff --git a/rpkid/examples/rsyncd.conf b/rpkid/examples/rsyncd.conf
index 1bb60324..faf1dd0d 100644
--- a/rpkid/examples/rsyncd.conf
+++ b/rpkid/examples/rsyncd.conf
@@ -43,3 +43,11 @@ gid = nobody
transfer logging = yes
path = /some/where/publication
comment = RPKI Testbed
+
+[root]
+ # This one is only relevant if you're running rootd.
+ use chroot = no
+ read only = yes
+ transfer logging = yes
+ path = /some/where/publication.root
+ comment = RPKI Testbed Root
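Review bot: The new `[root]` module sets `use chroot = no` without saying why, and this is the module that serves rootd's trust-anchor certificate. With chroot disabled, confinement to `path` rests on rsync's own path handling rather than on the kernel, so a reader copying this example for a real deployment cannot tell whether that is a deliberate choice. A one-line comment giving the reason would help, for instance `# chroot needs the daemon to start as root; enable it if yours does`, if that is in fact the reason. Whether the module above the hunk makes the same choice is not visible here.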
diff --git a/rpkid/ext/POW.c b/rpkid/ext/POW.c
index 5584e874..231b5802 100644
--- a/rpkid/ext/POW.c
+++ b/rpkid/ext/POW.c
@@ -1,40 +1,88 @@
-/*****************************************************************************/
-/* */
-/* Copyright (c) 2001, 2002, Peter Shannon */
-/* All rights reserved. */
-/* */
-/* Redistribution and use in source and binary forms, with or without */
-/* modification, are permitted provided that the following conditions */
-/* are met: */
-/* */
-/* * Redistributions of source code must retain the above */
-/* copyright notice, this list of conditions and the following */
-/* disclaimer. */
-/* */
-/* * Redistributions in binary form must reproduce the above */
-/* copyright notice, this list of conditions and the following */
-/* disclaimer in the documentation and/or other materials */
-/* provided with the distribution. */
-/* */
-/* * The name of the contributors may be used to endorse or promote */
-/* products derived from this software without specific prior */
-/* written permission. */
-/* */
-/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
-/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
-/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS */
-/* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS */
-/* OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
-/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
-/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
-/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
-/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
-/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
-/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
-/* */
-/*****************************************************************************/
+/*
+ * This module started out as the core of Peter Shannon's "Python
+ * OpenSSL Wrappers" package, an excellent but somewhat dated package
+ * which I encountered while looking for some halfway sane way to cram
+ * RFC 3779 certificate support code into Python.
+ *
+ * At this point enough of the code has been added or rewritten that
+ * it's unclear (either way) whether this code properly qualifies as a
+ * derivative work. Given that both Peter's original code and all of
+ * subsequent changes to it were done under something equivalent to a
+ * BSD license, this may not matter very much, but the following
+ * attempts to give proper credit to all concerned.
+ *
+ ****
+ *
+ * Copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ *
+ ****
+ *
+ * Portions copyright (C) 2006--2008 American Registry for Internet
+ * Numbers ("ARIN")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ *
+ ****
+ *
+ * Portions Copyright (c) 2001, 2002, Peter Shannon
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials
+ * provided with the distribution.
+ *
+ * * The name of the contributors may be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id: rcynic.c 4613 2012-07-30 23:24:15Z sra $ */
#include <Python.h>
+#include <datetime.h>
#include <openssl/opensslconf.h>
#include <openssl/crypto.h>
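Review bot: The added `/* $Id: rcynic.c 4613 2012-07-30 23:24:15Z sra $ */` line names rcynic.c rather than this file, so it looks like it was pasted in already expanded from rcynic.c. Anyone tracing a build back to a revision from this string is pointed at the wrong file. If keyword expansion is intended for POW.c, commit it unexpanded as `/* $Id$ */` so the version-control system fills in this file's own name and revision.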
@@ -43,199 +91,189 @@
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/pem.h>
-#include <openssl/ssl.h>
#include <openssl/evp.h>
#include <openssl/err.h>
#include <openssl/md5.h>
-#ifndef OPENSSL_NO_MD2
-#include <openssl/md2.h>
-#endif
#include <openssl/sha.h>
-#include <openssl/hmac.h>
-#include <openssl/ripemd.h>
#include <openssl/cms.h>
+#include <rpki/roa.h>
+#include <rpki/manifest.h>
+
#include <time.h>
+#include <string.h>
+#include <arpa/inet.h>
+#include <sys/socket.h>
-// Symmetric ciphers
-#define DES_ECB 1
-#define DES_EDE 2
-#define DES_EDE3 3
-#define DES_CFB 4
-#define DES_EDE_CFB 5
-#define DES_EDE3_CFB 6
-#define DES_OFB 7
-#define DES_EDE_OFB 8
-#define DES_EDE3_OFB 9
-#define DES_CBC 10
-#define DES_EDE_CBC 11
-#define DES_EDE3_CBC 12
-#define DESX_CBC 13
-#define RC4 14
-#define RC4_40 15
-#define IDEA_ECB 16
-#define IDEA_CFB 17
-#define IDEA_OFB 18
-#define IDEA_CBC 19
-#define RC2_ECB 20
-#define RC2_CBC 21
-#define RC2_40_CBC 22
-#define RC2_CFB 23
-#define RC2_OFB 24
-#define BF_ECB 25
-#define BF_CBC 26
-#define BF_CFB 27
-#define BF_OFB 28
-#define CAST5_ECB 29
-#define CAST5_CBC 30
-#define CAST5_CFB 31
-#define CAST5_OFB 32
-#define RC5_32_12_16_CBC 33
-#define RC5_32_12_16_CFB 34
-#define RC5_32_12_16_ECB 35
-#define RC5_32_12_16_OFB 36
-
-// SSL connection methods
-#define SSLV2_SERVER_METHOD 1
-#define SSLV2_CLIENT_METHOD 2
-#define SSLV2_METHOD 3
-#define SSLV3_SERVER_METHOD 4
-#define SSLV3_CLIENT_METHOD 5
-#define SSLV3_METHOD 6
-#define TLSV1_SERVER_METHOD 7
-#define TLSV1_CLIENT_METHOD 8
-#define TLSV1_METHOD 9
-#define SSLV23_SERVER_METHOD 10
-#define SSLV23_CLIENT_METHOD 11
-#define SSLV23_METHOD 12
-
-// SSL connection states
-
-// PEM encoded data types
-#define RSA_PUBLIC_KEY 1
-#define RSA_PRIVATE_KEY 2
-#define DSA_PUBLIC_KEY 3
-#define DSA_PRIVATE_KEY 4
-#define DH_PUBLIC_KEY 5
-#define DH_PRIVATE_KEY 6
-#define X509_CERTIFICATE 7
-#define X_X509_CRL 8 // X509_CRL already used by OpenSSL library
-#define CMS_MESSAGE 9
-
-// Asymmetric ciphers
-#define RSA_CIPHER 1
-#define DSA_CIPHER 2
-#define DH_CIPHER 3
-//#define NO_DSA
-//#define NO_DH
-
-// Digests
-#ifndef OPENSSL_NO_MD2
-#define MD2_DIGEST 1
+/*
+ * GCC attribute to let us tell GCC not to whine about unused formal
+ * parameters when we're in maximal warning mode.
+ */
+#ifdef __GNUC__
+#define GCC_UNUSED __attribute__((unused))
+#else
+define GCC_UNUSED
#endif
+
+/*
+ * Maximum size of a raw IP (v4 or v6) address, in bytes.
+ */
+#define RAW_IPADDR_BUFLEN 16
+
+/*
+ * Maximum size of an ASN.1 Integer converted from a Python Long, in bytes.
+ */
+#define MAX_ASN1_INTEGER_LEN 20
+
+/* Asymmetric ciphers */
+#define RSA_CIPHER 1
+
+/* Digests */
#define MD5_DIGEST 2
#define SHA_DIGEST 3
#define SHA1_DIGEST 4
-#define RIPEMD160_DIGEST 5
#define SHA256_DIGEST 6
#define SHA384_DIGEST 7
#define SHA512_DIGEST 8
-// Object format
+/* Object format */
#define SHORTNAME_FORMAT 1
#define LONGNAME_FORMAT 2
+#define OIDNAME_FORMAT 3
-// Output format
+/* Output format */
#define PEM_FORMAT 1
#define DER_FORMAT 2
-// Object check functions
-#define X_X509_Check(op) ((op)->ob_type == &x509type)
-#define X_X509_store_Check(op) ((op)->ob_type == &x509_storetype)
-#define X_X509_crl_Check(op) ((op)->ob_type == &x509_crltype)
-#define X_X509_revoked_Check(op) ((op)->ob_type == &x509_revokedtype)
-#define X_asymmetric_Check(op) ((op)->ob_type == &asymmetrictype)
-#define X_symmetric_Check(op) ((op)->ob_type == &symmetrictype)
-#define X_digest_Check(op) ((op)->ob_type == &digesttype)
-#define X_hmac_Check(op) ((op)->ob_type == &hmactype)
-#define X_ssl_Check(op) ((op)->ob_type == &ssltype)
-#define X_cms_Check(op) ((op)->ob_type == &cmstype)
-
-// Symbolic representation of "no SSL shutdown mode requested"
-#define SSL_NO_SHUTDOWN 0
+/* Object check functions */
+#define POW_X509_Check(op) PyObject_TypeCheck(op, &POW_X509_Type)
+#define POW_X509Store_Check(op) PyObject_TypeCheck(op, &POW_X509Store_Type)
+#define POW_CRL_Check(op) PyObject_TypeCheck(op, &POW_CRL_Type)
+#define POW_Asymmetric_Check(op) PyObject_TypeCheck(op, &POW_Asymmetric_Type)
+#define POW_Digest_Check(op) PyObject_TypeCheck(op, &POW_Digest_Type)
+#define POW_CMS_Check(op) PyObject_TypeCheck(op, &POW_CMS_Type)
+#define POW_IPAddress_Check(op) PyObject_TypeCheck(op, &POW_IPAddress_Type)
+#define POW_ROA_Check(op) PyObject_TypeCheck(op, &POW_ROA_Type)
+#define POW_Manifest_Check(op) PyObject_TypeCheck(op, &POW_Manifest_Type)
+#define POW_ROA_Check(op) PyObject_TypeCheck(op, &POW_ROA_Type)
static char pow_module__doc__ [] =
-"<moduleDescription>\n"
-" <header>\n"
-" <name>POW</name>\n"
-" <author>Peter Shannon</author>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This third major release of POW addresses the most critical missing\n"
-" parts of functionality, X509v3 support. Initially I thought adding\n"
-" support via the OpenSSL code would be the easiest option but this\n"
-" proved to be incorrect mainly due to the way I have chosen to handle\n"
-" the complex data such as <classname>directoryNames</classname> and\n"
-" <classname>generalNames</classname>. It is easier in python to\n"
-" construct complex sets of data using lists and dictionaries than\n"
-" coordinate large numbers of objects and method calls. This is no\n"
-" criticism, it is just extremely easy. Coding complex data such as the\n"
-" <classname>certificatePolicies</classname> coding coding routines in C\n"
-" to handle the data proved laborous and ultimately error prone.\n"
-" </para>\n"
-" <para>\n"
-" PKIX structures are supported by a few operations on the relevant POW\n"
-" objects and through a Python library which is modelled on the DER\n"
-" encoding rules. Modeling DER does expose some of the complexities of\n"
-" the ASN1 specifications but avoids coding many assumptions into the\n"
-" data structures and the interface for the objects. For an example of\n"
-" overly complex definitions take a look at the\n"
-" <classname>Name</classname> object in RFC3280. It is equally\n"
-" important that modeling DER in the way leads to a library which is\n"
-" trivial to extend to support new objects - simple objects are one\n"
-" liners and complex objects only require the definition of a new\n"
-" constructor.\n"
-" </para>\n"
-" <para>\n"
-" functionality have been plugged. The <classname>Ssl</classname> class has received\n"
-" several new features relating to security. Other areas have been\n"
-" improved: PRNG support, certificate and CRL signing, certificate chain\n"
-" and client verification. Many bugs have been fixed, and certain\n"
-" parts of code re-written where necessary. I hope you enjoy using POW\n"
-" and please feel free to send me feature requests and bug reports.\n"
-" </para>\n"
-" </body>\n"
-"</moduleDescription>\n"
-;
+ "Python interface to RFC-3779-enabled OpenSSL. This code is intended\n"
+ "to support the rpki.net toolset.\n"
+ "\n"
+ "This code started out life as Peter Shannon's excellent \"Python OpenSSL\n"
+ "Wrappers\" package. It has been extensively modified since then, to add\n"
+ "support for things needed for the RPKI protocols, to upgrade the code\n"
+ "to use modern (circa Python 2.7) classes, and to remove code not\n"
+ "needed for RPKI.\n"
+ ;
+
+#define LAME_DISCLAIMER_IN_ALL_CLASS_DOCUMENTATION \
+ "The documentation for this class used to provide a nice example of how\n" \
+ "to use the class. Sadly, most of what was in that example is now\n" \
+ "obsolete due to recent or impending API changes. Once the new API is\n" \
+ "stable, this documentation should be rewritten to provide such examples.\n"
+
+/*
+ * Handle NIDs we wish OpenSSL knew about. This is carefully (we
+ * hope) written to do nothing at all for any NID that OpenSSL knows
+ * about; the intent is just to add definitions for things OpenSSL
+ * doesn't know about yet. Of necessity, this is a bit gross, since
+ * it confounds runtime static variables with predefined macro names,
+ * but we try to put all the magic associated with this in one place.
+ */
+
+#ifndef NID_rpkiManifest
+static int NID_rpkiManifest;
+#endif
+
+#ifndef NID_signedObject
+static int NID_signedObject;
+#endif
+
+static const struct {
+ int *nid;
+ const char *oid;
+ const char *sn;
+ const char *ln;
+} missing_nids[] = {
+
+#ifndef NID_rpkiManifest
+ {&NID_rpkiManifest, "1.3.6.1.5.5.7.48.10", "id-ad-rpkiManifest", "RPKI Manifest"},
+#endif
+
+#ifndef NID_signedObject
+ {&NID_signedObject, "1.3.6.1.5.5.7.48.11", "id-ad-signedObject", "Signed Object"}
+#endif
+
+};
+
+/*
+ * IP versions.
+ */
+
+typedef struct ipaddress_version {
+ unsigned version;
+ unsigned afi;
+ unsigned af;
+ unsigned length;
+} ipaddress_version;
+
+static const ipaddress_version ipaddress_version_4 = {
+ 4, IANA_AFI_IPV4, AF_INET, 4
+};
+
+static const ipaddress_version ipaddress_version_6 = {
+ 6, IANA_AFI_IPV6, AF_INET6, 16
+};
+
+static const ipaddress_version * const ipaddress_versions[] = {
+ &ipaddress_version_4, &ipaddress_version_6
+};
+
+/*
+ * Exception objects.
+ */
-/*========== Pre-definitions ==========*/
static PyObject
*ErrorObject,
- *SSLErrorObject,
- *ZeroReturnErrorObject,
- *WantReadErrorObject,
- *WantWriteErrorObject,
- *SSLSyscallErrorObject,
- *SSLErrorSSLErrorObject,
- *SSLSyscallSSLErrorObject,
- *SSLUnexpectedEOFErrorObject,
- *SSLOtherErrorObject;
+ *OpenSSLErrorObject,
+ *POWErrorObject,
+ *NotVerifiedErrorObject;
+
+/*
+ * Constructor for customized datetime class.
+ */
+
+static PyObject *custom_datetime;
+
+/*
+ * Declarations of type objects (definitions come later).
+ */
static PyTypeObject
- x509type,
- x509_storetype,
- x509_crltype,
- x509_revokedtype,
- asymmetrictype,
- symmetrictype,
- digesttype,
- hmactype,
- ssltype,
- cmstype;
-/*========== Pre-definitions ==========*/
-
-/*========== C structs ==========*/
+ POW_X509_Type,
+ POW_X509Store_Type,
+ POW_CRL_Type,
+ POW_Asymmetric_Type,
+ POW_Digest_Type,
+ POW_CMS_Type,
+ POW_IPAddress_Type,
+ POW_ROA_Type,
+ POW_Manifest_Type,
+ POW_ROA_Type,
+ POW_PKCS10_Type;
+
+/*
+ * Object internals.
+ */
+
+typedef struct {
+ PyObject_HEAD
+ unsigned char address[16];
+ const struct ipaddress_version *type;
+} ipaddress_object;
+
typedef struct {
PyObject_HEAD
X509 *x509;
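Review bot: The `#else` branch of the GCC_UNUSED block reads `define GCC_UNUSED` without the leading `#`, so a compiler that does not define `__GNUC__` sees a stray token sequence and GCC_UNUSED is never defined; it should be `#define GCC_UNUSED`. In the same hunk `POW_ROA_Check` is defined twice and `POW_ROA_Type` is listed twice in the `PyTypeObject` declaration, while `POW_PKCS10_Type` has no matching check macro. The second `POW_ROA_Check` line was presumably meant to be `#define POW_PKCS10_Check(op) PyObject_TypeCheck(op, &POW_PKCS10_Type)`. The struct that closes this hunk continues outside it.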
@@ -249,82 +287,76 @@ typedef struct {
typedef struct {
PyObject_HEAD
X509_CRL *crl;
-} x509_crl_object;
+} crl_object;
typedef struct {
PyObject_HEAD
- X509_REVOKED *revoked;
-} x509_revoked_object;
-
-typedef struct {
- PyObject_HEAD
- void *cipher;
- int key_type;
- int cipher_type;
+ EVP_PKEY *pkey;
} asymmetric_object;
typedef struct {
PyObject_HEAD
- EVP_CIPHER_CTX cipher_ctx;
- int cipher_type;
-} symmetric_object;
-
-typedef struct {
- PyObject_HEAD
EVP_MD_CTX digest_ctx;
int digest_type;
} digest_object;
typedef struct {
PyObject_HEAD
- HMAC_CTX hmac_ctx;
-} hmac_object;
+ CMS_ContentInfo *cms;
+} cms_object;
typedef struct {
- PyObject_HEAD
- int ctxset;
- SSL *ssl;
- SSL_CTX *ctx;
- STACK_OF(X509) *trusted_certs;
- char *x509_cb_err;
-} ssl_object;
+ cms_object cms; /* Subclass of CMS */
+ ROA *roa;
+} roa_object;
+
+typedef struct {
+ cms_object cms; /* Subclass of CMS */
+ Manifest *manifest;
+} manifest_object;
typedef struct {
PyObject_HEAD
- CMS_ContentInfo *cms;
-} cms_object;
+ X509_REQ *pkcs10;
+ STACK_OF(X509_EXTENSION) *exts;
+} pkcs10_object;
-/*========== C structs ==========*/
+
-/*========== helper functions ==========*/
+/*
+ * Utility functions.
+ */
/*
* Minimal intervention debug-by-printf() hack, use only for good.
*/
#if 0
-#define KVETCH(_msg_) write(2, _msg_ "\n", sizeof(_msg_))
+#define KVETCH(_msg_) write(2, _msg_ "\n", sizeof(_msg_))
#else
-#define KVETCH(_msg_)
+#define KVETCH(_msg_) ((void) 0)
+#endif
+
+#if 0
+#define ENTERING(_name_) KVETCH("Entering " #_name_ "()")
+#else
+#define ENTERING(_name_) ((void) 0)
#endif
/*
- * Error handling macros. These macros make two assumptions:
- *
- * 1) All the macros assume that there's a cleanup label named
- * "error" which these macros can use as a goto target.
- *
- * 2) assert_no_unhandled_openssl_errors() assumes that the return
- * value is stored in a PyObject* variable named "result".
- *
- * These are icky assumptions, but they make it easier to provide
- * uniform error handling and make the code easier to read, not to
- * mention making it easier to track down obscure OpenSSL errors.
+ * Error handling macros. All of macros assume that there's a cleanup
+ * label named "error" which these macros can use as a goto target.
*/
#define lose(_msg_) \
do { \
- PyErr_SetString(ErrorObject, (_msg_)); \
+ PyErr_SetString(POWErrorObject, (_msg_)); \
+ goto error; \
+ } while (0)
+
+#define lose_no_memory() \
+ do { \
+ PyErr_NoMemory(); \
goto error; \
} while (0)
@@ -336,25 +368,20 @@ typedef struct {
#define lose_openssl_error(_msg_) \
do { \
- set_openssl_exception(ErrorObject, (_msg_)); \
+ set_openssl_exception(OpenSSLErrorObject, (_msg_)); \
goto error; \
} while (0)
-#define lose_ssl_error(_self_, _code_) \
+#define lose_not_verified(_msg_) \
do { \
- set_openssl_ssl_exception(_self_, _code_); \
+ PyErr_SetString(NotVerifiedErrorObject, (_msg_)); \
goto error; \
} while (0)
#define assert_no_unhandled_openssl_errors() \
do { \
- if (ERR_peek_error()) { \
- if (result) { \
- Py_XDECREF(result); \
- result = NULL; \
- } \
+ if (ERR_peek_error()) \
lose_openssl_error(assert_helper(__LINE__)); \
- } \
} while (0)
static char *
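Review bot: `assert_no_unhandled_openssl_errors()` now jumps to `error` without releasing `result`, so every function that uses it must drop `result` at its own `error:` label or leak the object. The rewritten comment above the macros (preceding hunk) no longer mentions `result` at all. I would state the new contract there, for example `Callers own "result": the error label must Py_XDECREF() it before returning NULL.` The callers themselves are outside this hunk, so whether each of them already does this needs checking.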
@@ -367,85 +394,21 @@ assert_helper(int line)
return msg;
}
-static int
-docset_helper_add(PyObject *set, char *v)
-{
- PyObject *value = NULL;
-
- if ((value = PyString_FromString(v)) == NULL)
- lose("could not allocate memory");
-
- if (PyList_Append(set, value) != 0)
- goto error;
-
- Py_XDECREF(value);
- return 1;
-
- error:
-
- Py_XDECREF(value);
- return 0;
-}
-
/*
- * Generate an encrypion envelope. Saves a lot of space having this case
- * statement in one place.
+ * Consolidate some tedious EVP-related switch statements.
*/
-static const EVP_CIPHER *
-evp_cipher_factory(int cipher_type)
-{
- switch(cipher_type) {
-#ifndef OPENSSL_NO_DES
- case DES_ECB: return EVP_des_ecb();
- case DES_EDE: return EVP_des_ede();
- case DES_EDE3: return EVP_des_ede3();
- case DES_CFB: return EVP_des_cfb();
- case DES_EDE_CFB: return EVP_des_ede_cfb();
- case DES_EDE3_CFB: return EVP_des_ede3_cfb();
- case DES_OFB: return EVP_des_ofb();
- case DES_EDE_OFB: return EVP_des_ede_ofb();
- case DES_EDE3_OFB: return EVP_des_ede3_ofb();
- case DES_CBC: return EVP_des_cbc();
- case DES_EDE_CBC: return EVP_des_ede_cbc();
- case DES_EDE3_CBC: return EVP_des_ede3_cbc();
- case DESX_CBC: return EVP_desx_cbc();
-#endif
-#ifndef OPENSSL_NO_RC4
- case RC4: return EVP_rc4();
- case RC4_40: return EVP_rc4_40();
-#endif
-#ifndef OPENSSL_NO_IDEA
- case IDEA_ECB: return EVP_idea_ecb();
- case IDEA_CFB: return EVP_idea_cfb();
- case IDEA_OFB: return EVP_idea_ofb();
- case IDEA_CBC: return EVP_idea_cbc();
-#endif
-#ifndef OPENSSL_NO_RC2
- case RC2_ECB: return EVP_rc2_ecb();
- case RC2_CBC: return EVP_rc2_cbc();
- case RC2_40_CBC: return EVP_rc2_40_cbc();
- case RC2_CFB: return EVP_rc2_cfb();
- case RC2_OFB: return EVP_rc2_ofb();
-#endif
-#ifndef OPENSSL_NO_BF
- case BF_ECB: return EVP_bf_ecb();
- case BF_CBC: return EVP_bf_cbc();
- case BF_CFB: return EVP_bf_cfb();
- case BF_OFB: return EVP_bf_ofb();
-#endif
-#ifndef OPENSSL_NO_CAST5
- case CAST5_ECB: return EVP_cast5_ecb();
- case CAST5_CBC: return EVP_cast5_cbc();
- case CAST5_CFB: return EVP_cast5_cfb();
- case CAST5_OFB: return EVP_cast5_ofb();
-#endif
-#ifndef OPENSSL_NO_RC5
- case RC5_32_12_16_CBC: return EVP_rc5_32_12_16_cbc();
- case RC5_32_12_16_CFB: return EVP_rc5_32_12_16_cfb();
- case RC5_32_12_16_ECB: return EVP_rc5_32_12_16_ecb();
- case RC5_32_12_16_OFB: return EVP_rc5_32_12_16_ofb();
-#endif
- default: return NULL;
+
+static const EVP_MD *
+evp_digest_factory(int digest_type)
+{
+ switch (digest_type) {
+ case MD5_DIGEST: return EVP_md5();
+ case SHA_DIGEST: return EVP_sha();
+ case SHA1_DIGEST: return EVP_sha1();
+ case SHA256_DIGEST: return EVP_sha256();
+ case SHA384_DIGEST: return EVP_sha384();
+ case SHA512_DIGEST: return EVP_sha512();
+ default: return NULL;
}
}
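Review bot: `evp_digest_factory()` still hands out `EVP_md5()` and `EVP_sha()` (SHA-0) next to the SHA-2 digests, and nothing in this hunk prevents a caller from selecting them for signing. The RPKI algorithm profile, as far as I know, calls for SHA-256, and `EVP_sha()` was dropped from later OpenSSL releases. I would remove the `case SHA_DIGEST:` line so that value falls through to `default: return NULL;`. If MD5 and SHA-1 have to stay for reading legacy BPKI objects, say so above the switch with `/* MD5 and SHA-1 are for verifying existing objects only; sign with SHA-256 or stronger. */`.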
@@ -496,218 +459,160 @@ set_openssl_exception(PyObject *error_class, const char *msg)
Py_XDECREF(errors);
}
-static void
-set_openssl_ssl_exception(const ssl_object *self, const int ret)
+static X509_NAME *
+x509_object_helper_set_name(PyObject *dn_obj)
{
- int err = SSL_get_error(self->ssl, ret);
- const char *s = NULL;
-
- switch(err) {
-
- /*
- * These three get their own exceptions.
- */
-
- case SSL_ERROR_ZERO_RETURN:
- PyErr_SetNone(ZeroReturnErrorObject);
- break;
- case SSL_ERROR_WANT_READ:
- PyErr_SetNone(WantReadErrorObject);
- break;
- case SSL_ERROR_WANT_WRITE:
- PyErr_SetNone(WantWriteErrorObject);
- break;
-
- case SSL_ERROR_SYSCALL:
- /*
- * Horrible jumbled mess of I/O related errors. I'd ask what they
- * were thinking, except that it's pretty clear that they weren't.
- */
- if (ERR_peek_error())
- set_openssl_exception(SSLSyscallSSLErrorObject, NULL);
- else if (ret)
- PyErr_SetFromErrno(SSLSyscallErrorObject);
- else
- PyErr_SetNone(SSLUnexpectedEOFErrorObject);
- break;
-
- case SSL_ERROR_SSL:
- /*
- * Generic OpenSSL error during an SSL call. I think.
- */
- set_openssl_exception(SSLErrorSSLErrorObject, self->x509_cb_err);
- break;
-
- /*
- * All other SSL errors are returned as a (number, string) tuple.
- */
-
- case SSL_ERROR_NONE:
- s = "SSL_ERROR_NONE";
- break;
- case SSL_ERROR_WANT_X509_LOOKUP:
- s = "SSL_ERROR_WANT_X509_LOOKUP";
- break;
- case SSL_ERROR_WANT_CONNECT:
- s = "SSL_ERROR_WANT_CONNECT";
- break;
- case SSL_ERROR_WANT_ACCEPT:
- s = "SSL_ERROR_WANT_ACCEPT";
- break;
- default:
- s = "UNKNOWN_SSL_ERROR";
- }
-
- if (s)
- PyErr_SetObject(SSLOtherErrorObject, Py_BuildValue("(is)", err, s));
-}
+ PyObject *rdn_obj = NULL;
+ PyObject *pair_obj = NULL;
+ PyObject *type_obj = NULL;
+ PyObject *value_obj = NULL;
+ X509_NAME *name = NULL;
+ char *type_str, *value_str;
+ int asn1_type, i, j;
-static PyObject *
-X509_object_helper_set_name(X509_NAME *name, PyObject *name_sequence)
-{
- PyObject *pair = NULL; PyObject *type = NULL; PyObject *value = NULL;
- int no_pairs = 0, i = 0, str_type = 0, nid;
- unsigned char *valueptr = NULL;
- char *typeptr = NULL;
+ if ((name = X509_NAME_new()) == NULL)
+ lose_no_memory();
- no_pairs = PySequence_Size(name_sequence);
- for (i = 0; i < no_pairs; i++) {
- if ((pair = PySequence_GetItem(name_sequence, i)) == NULL)
- return NULL;
+ for (i = 0; i < PySequence_Size(dn_obj); i++) {
- if (!PyTuple_Check(pair) && !PyList_Check(pair))
- lose_type_error("inapropriate type");
+ if ((rdn_obj = PySequence_GetItem(dn_obj, i)) == NULL)
+ goto error;
- if (PySequence_Size(pair) != 2)
- lose("each name entry must have 2 elements");
+ if (!PySequence_Check(rdn_obj) || PySequence_Size(rdn_obj) == 0)
+ lose_type_error("each RDN must be a sequence with at least one element");
- if ((type = PySequence_GetItem(pair, 0)) == NULL)
- lose_type_error("could not get type string");
+ for (j = 0; j < PySequence_Size(rdn_obj); j++) {
- if (!PyString_Check(type))
- lose_type_error("inapropriate type");
+ if ((pair_obj = PySequence_GetItem(rdn_obj, j)) == NULL)
+ goto error;
- if ((value = PySequence_GetItem(pair, 1)) == NULL)
- lose_type_error("could not get value string");
+ if (!PySequence_Check(pair_obj) || PySequence_Size(pair_obj) != 2)
+ lose_type_error("each name entry must be a two-element sequence");
- if (!PyString_Check(value))
- lose_type_error("inapropriate type");
+ if ((type_obj = PySequence_GetItem(pair_obj, 0)) == NULL ||
+ (type_str = PyString_AsString(type_obj)) == NULL ||
+ (value_obj = PySequence_GetItem(pair_obj, 1)) == NULL ||
+ (value_str = PyString_AsString(value_obj)) == NULL)
+ goto error;
- typeptr = PyString_AsString(type);
- valueptr = (unsigned char *) PyString_AsString(value);
+ if ((asn1_type = ASN1_PRINTABLE_type((unsigned char *) value_str, -1)) != V_ASN1_PRINTABLESTRING)
+ asn1_type = V_ASN1_UTF8STRING;
- str_type = ASN1_PRINTABLE_type(valueptr, -1);
- if ((nid = OBJ_ln2nid(typeptr)) == 0 &&
- (nid = OBJ_sn2nid(typeptr)) == 0)
- lose("unknown ASN1 object");
+ if (!X509_NAME_add_entry_by_txt(name, type_str, asn1_type,
+ (unsigned char *) value_str,
+ strlen((char *) value_str),
+ -1, (j ? -1 : 0)))
+ lose("Unable to add name entry");
- if (!X509_NAME_add_entry_by_NID(name, nid, str_type, valueptr,
- strlen((char *) valueptr), -1, 0))
- lose("unable to add name entry");
+ Py_XDECREF(pair_obj);
+ Py_XDECREF(type_obj);
+ Py_XDECREF(value_obj);
+ pair_obj = type_obj = value_obj = NULL;
+ }
- Py_XDECREF(pair);
- Py_XDECREF(type);
- Py_XDECREF(value);
- pair = NULL;
- type = NULL;
- value = NULL;
+ Py_XDECREF(rdn_obj);
+ rdn_obj = NULL;
}
- return name_sequence;
-
- error:
- Py_XDECREF(pair);
- Py_XDECREF(type);
- Py_XDECREF(value);
+ return name;
+ error:
+ X509_NAME_free(name);
+ Py_XDECREF(rdn_obj);
+ Py_XDECREF(pair_obj);
+ Py_XDECREF(type_obj);
+ Py_XDECREF(value_obj);
return NULL;
}
static PyObject *
-X509_object_helper_get_name(X509_NAME *name, int format)
+x509_object_helper_get_name(X509_NAME *name, int format)
{
- int no_entries = 0, no_pairs = 0, i = 0, j = 0, value_len = 0, nid = 0;
X509_NAME_ENTRY *entry = NULL;
- char *value = NULL, long_name[512];
- const char *short_name;
+ PyObject *result = NULL;
+ PyObject *rdn = NULL;
+ PyObject *item = NULL;
+ const char *oid = NULL;
+ char oidbuf[512];
+ int i, set = -1;
- PyObject *result_list = NULL;
- PyObject *pair = NULL;
- PyObject *py_type = NULL;
- PyObject *py_value = NULL;
+ /*
+ * Overall theory here: multi-value RDNs are very rare in the wild.
+ * We should support them, so we don't throw an exception if handed
+ * one in a BPKI certificate, but with minimal effort. What we care
+ * about here is optimizing for the common case of single-valued RDNs.
+ */
- no_entries = X509_NAME_entry_count(name);
+ if ((result = PyTuple_New(X509_NAME_entry_count(name))) == NULL)
+ goto error;
- if ((result_list = PyTuple_New(no_entries)) == NULL)
- lose("could not allocate memory");
+ for (i = 0; i < X509_NAME_entry_count(name); i++) {
- for(i = 0; i < no_entries; i++) {
if ((entry = X509_NAME_get_entry(name, i)) == NULL)
- lose("could not get certificate name");
-
- if (entry->value->length + 1 > value_len) {
- if (value)
- free(value);
-
- if ((value = malloc(entry->value->length + 1)) == NULL)
- lose("could not allocate memory");
+ lose("Couldn't get certificate name");
- value_len = entry->value->length + 1;
- }
- memcpy(value, entry->value->data, entry->value->length);
- value[entry->value->length] = 0;
-
- if (!i2t_ASN1_OBJECT(long_name, sizeof(long_name), entry->object))
- lose("could not find object name");
+ if (entry->set < 0 || entry->set < set || entry->set > set + 1)
+ lose("X509_NAME->set value out of expected range");
switch (format) {
case SHORTNAME_FORMAT:
- nid = OBJ_ln2nid(long_name);
- short_name = OBJ_nid2sn(nid);
- py_type = PyString_FromString(short_name);
+ oid = OBJ_nid2sn(OBJ_obj2nid(entry->object));
break;
case LONGNAME_FORMAT:
- py_type = PyString_FromString(long_name);
+ oid = OBJ_nid2ln(OBJ_obj2nid(entry->object));
+ break;
+ case OIDNAME_FORMAT:
+ oid = NULL;
break;
default:
- lose("unknown name format");
+ lose("Unknown name format");
}
- py_value = PyString_FromString(value);
-
- if ((pair = PyTuple_New(2)) == NULL)
- lose("could not allocate memory");
+ if (oid == NULL) {
+ if (OBJ_obj2txt(oidbuf, sizeof(oidbuf), entry->object, 1) <= 0)
+ lose_openssl_error("Couldn't translate OID");
+ oid = oidbuf;
+ }
- PyTuple_SetItem(pair, 0, py_type);
- PyTuple_SetItem(pair, 1, py_value);
- PyTuple_SetItem(result_list, i, pair);
- }
+ if (entry->set > set) {
- if (value)
- free(value);
+ set++;
+ if ((item = Py_BuildValue("((ss#))", oid,
+ ASN1_STRING_data(entry->value),
+ ASN1_STRING_length(entry->value))) == NULL)
+ goto error;
+ PyTuple_SET_ITEM(result, set, item);
+ item = NULL;
- return result_list;
+ } else {
- error:
+ if ((rdn = PyTuple_GetItem(result, set)) == NULL)
+ goto error;
+ (void) _PyTuple_Resize(&rdn, PyTuple_Size(rdn) + 1);
+ PyTuple_SET_ITEM(result, set, rdn);
+ if (rdn == NULL)
+ goto error;
+ if ((item = Py_BuildValue("(ss#)", oid,
+ ASN1_STRING_data(entry->value),
+ ASN1_STRING_length(entry->value))) == NULL)
+ goto error;
+ PyTuple_SetItem(rdn, PyTuple_Size(rdn) - 1, item);
+ rdn = item = NULL;
- if (value)
- free(value);
-
- if (result_list) {
- no_pairs = PyTuple_Size(result_list);
- for (i = 0; i < no_pairs; i++) {
- pair = PyTuple_GetItem(result_list, i);
- no_entries = PyTuple_Size(result_list);
- for (j = 0; j < no_entries; j++) {
- py_value = PyTuple_GetItem(pair, i);
- Py_XDECREF(py_value);
- }
}
}
- Py_XDECREF(py_type);
- Py_XDECREF(py_value);
- Py_XDECREF(result_list);
+ if (++set != PyTuple_Size(result)) {
+ if (set < 0 || set > PyTuple_Size(result))
+ lose("Impossible set count for DN, something went horribly wrong");
+ _PyTuple_Resize(&result, set);
+ }
+
+ return result;
+
+ error:
+ Py_XDECREF(item);
+ Py_XDECREF(result);
return NULL;
}
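Review bot: In `x509_object_helper_set_name()` the value length comes from `strlen()` on the `PyString_AsString()` pointer, so a Python string containing a NUL byte is silently cut short and the encoded name no longer matches what the caller passed. `ASN1_PRINTABLE_type(..., -1)` stops at the same byte. Fetching the value with `PyString_AsStringAndSize(value_obj, &value_str, NULL) < 0` makes Python raise TypeError on an embedded NUL instead. Separately, `PySequence_Size(dn_obj)` returns -1 with an exception set when `dn_obj` is not a sequence, so the loop is skipped and an empty name is returned with the error still pending. A `PySequence_Check(dn_obj)` guard before the loop would catch that.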
@@ -718,11 +623,11 @@ x509_helper_sequence_to_stack(PyObject *x509_sequence)
STACK_OF(X509) *x509_stack = NULL;
int size = 0, i = 0;
- if (x509_sequence != Py_None && !PyTuple_Check(x509_sequence) && !PyList_Check(x509_sequence))
+ if (x509_sequence != Py_None && !PySequence_Check(x509_sequence))
lose_type_error("Inapropriate type");
if ((x509_stack = sk_X509_new_null()) == NULL)
- lose("Couldn't create new X509 stack");
+ lose_no_memory();
if (x509_sequence != Py_None) {
size = PySequence_Size(x509_sequence);
@@ -731,7 +636,7 @@ x509_helper_sequence_to_stack(PyObject *x509_sequence)
if ((x509obj = (x509_object*) PySequence_GetItem(x509_sequence, i)) == NULL)
goto error;
- if (!X_X509_Check(x509obj))
+ if (!POW_X509_Check(x509obj))
lose_type_error("Inapropriate type");
if (!sk_X509_push(x509_stack, x509obj->x509))
@@ -745,2809 +650,2848 @@ x509_helper_sequence_to_stack(PyObject *x509_sequence)
return x509_stack;
error:
-
- if (x509_stack)
- sk_X509_free(x509_stack);
-
+ sk_X509_free(x509_stack);
Py_XDECREF(x509obj);
-
return NULL;
}
+/*
+ * Pull items off an OpenSSL STACK and put them into a Python tuple.
+ * Assumes that handler is stealing the OpenSSL references to the
+ * items in the STACK, so shifts consumed frames off the stack so that
+ * the appropriate _pop_free() destructor can clean up on failures.
+ * This is OK because all current uses of this function are processing
+ * the result of OpenSSL xxx_get1_xxx() methods which we have to free
+ * in any case.
+ */
+
static PyObject *
stack_to_tuple_helper(_STACK *sk, PyObject *(*handler)(void *))
{
- PyObject *result_list = NULL, *result_tuple = NULL, *obj = NULL;
-
- if ((result_list = PyList_New(0)) == NULL)
- lose("could not allocate memory");
+ PyObject *result = NULL;
+ PyObject *obj = NULL;
+ int i;
- while (sk_num(sk)) {
+ if ((result = PyTuple_New(sk_num(sk))) == NULL)
+ goto error;
+ for (i = 0; sk_num(sk); i++) {
if ((obj = handler(sk_value(sk, 0))) == NULL)
- lose("could not allocate memory");
-
+ goto error;
sk_shift(sk);
-
- if (PyList_Append(result_list, obj) != 0)
+ if (PyTuple_SetItem(result, i, obj) != 0)
goto error;
-
- Py_XDECREF(obj);
obj = NULL;
}
- result_tuple = PyList_AsTuple(result_list);
- Py_XDECREF(result_list);
-
- return result_tuple;
+ return result;
error:
Py_XDECREF(obj);
- Py_XDECREF(result_list);
return NULL;
}
/*
- * Time conversion functions. These follow RFC 5280, but use a single
- * text encoding that looks like GeneralizedTime as restricted by RFC
- * 5280; conversion to and from UTCTime is handled internally
- * according to the RFC 5280 rules. The intent is to hide the
- * horrible short-sighted mess from Python code entirely.
+ * Time conversion functions. Obvious mapping into Python data types
+ * is datetime, or, rather, our customized rpki.sundial.datetime.
+ *
+ * Unsuprisingly, it's easiest for us to map between GeneralizedTime
+ * (as restricted by RFC 5280) and datetime. Conversion between
+ * GeneralizedTime and UTCTime is handled automatically according to
+ * the RFC 5280 rules for those ASN.1 types where it's required.
*/
static PyObject *
ASN1_TIME_to_Python(ASN1_TIME *t)
{
- ASN1_GENERALIZEDTIME *g = ASN1_TIME_to_generalizedtime(t, NULL);
+ ASN1_GENERALIZEDTIME *g = NULL;
PyObject *result = NULL;
- if (g) {
- result = Py_BuildValue("s", g->data);
- ASN1_GENERALIZEDTIME_free(g);
- }
+ int year, month, day, hour, minute, second;
+
+ if ((g = ASN1_TIME_to_generalizedtime(t, NULL)) == NULL)
+ lose_openssl_error("Couldn't convert ASN.1 TIME");
+
+ if (sscanf((char *) g->data, "%4d%2d%2d%2d%2d%2dZ",
+ &year, &month, &day, &hour, &minute, &second) != 6)
+ lose("Couldn't scan ASN.1 TIME value");
+
+ if (custom_datetime != NULL && custom_datetime != Py_None)
+ result = PyObject_CallFunction(custom_datetime, "iiiiii",
+ year, month, day, hour, minute, second);
+ else
+ result = PyDateTime_FromDateAndTime(year, month, day, hour, minute, second, 0);
+
+ error:
+ ASN1_GENERALIZEDTIME_free(g);
return result;
}
-static int
-python_ASN1_TIME_set_string(ASN1_TIME *t, const char *s)
+static ASN1_TIME *
+Python_to_ASN1_TIME(PyObject *arg, const int object_requires_utctime)
{
- if (t == NULL || s == NULL || strlen(s) < 10)
- return 0;
- if ((s[0] == '1' && s[1] == '9' && s[2] > '4') ||
- (s[0] == '2' && s[1] == '0' && s[2] < '5'))
- return ASN1_UTCTIME_set_string(t, s + 2);
- else
- return ASN1_GENERALIZEDTIME_set_string(t, s);
-}
+ char buf[sizeof("20010401123456Z") + 1];
+ ASN1_TIME *result = NULL;
+ const char *s = NULL;
+ int ok;
+
+ if (PyDateTime_Check(arg)) {
+ if (snprintf(buf, sizeof(buf), "%4d%02d%02d%02d%02d%02dZ",
+ PyDateTime_GET_YEAR(arg),
+ PyDateTime_GET_MONTH(arg),
+ PyDateTime_GET_DAY(arg),
+ PyDateTime_DATE_GET_HOUR(arg),
+ PyDateTime_DATE_GET_MINUTE(arg),
+ PyDateTime_DATE_GET_SECOND(arg)) >= (int) sizeof(buf))
+ lose("Internal error -- GeneralizedTime buffer too small");
+ s = buf;
+ }
-/*========== helper funcitons ==========*/
+ if (s == NULL && (s = PyString_AsString(arg)) == NULL)
+ goto error;
-/*========== X509 code ==========*/
-static x509_object *
-X509_object_new(void)
-{
- x509_object *self;
+ if (strlen(s) < 10)
+ lose_type_error("String is too short to parse as a valid ASN.1 TIME");
- self = PyObject_New(x509_object, &x509type);
- if (self == NULL)
- goto error;
+ if ((result = ASN1_TIME_new()) == NULL)
+ lose_no_memory();
- self->x509 = X509_new();
- return self;
+ if (object_requires_utctime &&
+ ((s[0] == '1' && s[1] == '9' && s[2] > '4') ||
+ (s[0] == '2' && s[1] == '0' && s[2] < '5')))
+ ok = ASN1_UTCTIME_set_string(result, s + 2);
+ else
+ ok = ASN1_GENERALIZEDTIME_set_string(result, s);
- error:
+ if (ok)
+ return result;
- Py_XDECREF(self);
+ error:
+ ASN1_TIME_free(result);
return NULL;
}
/*
- * This function is pretty dumb. Most of the work is done by the module
- * function pow_module_pem_read().
+ * Extract a Python string from a memory BIO.
*/
-static x509_object *
-X509_object_pem_read(BIO *in)
+static PyObject *
+BIO_to_PyString_helper(BIO *bio)
{
- x509_object *self;
-
- if ((self = PyObject_New(x509_object, &x509type)) == NULL)
- goto error;
+ char *ptr = NULL;
+ int len = 0;
- if ((self->x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)) == NULL)
- lose("could not load PEM encoded certificate");
+ if ((len = BIO_get_mem_data(bio, &ptr)) == 0)
+ lose_openssl_error("Unable to get BIO data");
- return self;
+ return Py_BuildValue("s#", ptr, len);
error:
-
- Py_XDECREF(self);
return NULL;
}
-static x509_object *
-X509_object_der_read(unsigned char *src, int len)
+static PyObject *
+read_from_string_helper(PyObject *(*object_read_helper)(PyTypeObject *, BIO *),
+ PyTypeObject *type,
+ PyObject *args)
{
- x509_object *self;
- unsigned char *ptr = src;
+ PyObject *result = NULL;
+ char *src = NULL;
+ BIO *bio = NULL;
+ int len = 0;
- if ((self = PyObject_New(x509_object, &x509type)) == NULL)
+ if (!PyArg_ParseTuple(args, "s#", &src, &len))
goto error;
- self->x509 = X509_new();
-
- if(!d2i_X509(&self->x509, (const unsigned char **) &ptr, len))
- lose("could not load PEM encoded certificate");
+ if ((bio = BIO_new_mem_buf(src, len)) == NULL)
+ lose_no_memory();
- return self;
+ result = object_read_helper(type, bio);
error:
+ BIO_free(bio);
+ return result;
+}
- Py_XDECREF(self);
- return NULL;
+static PyObject *
+read_from_file_helper(PyObject *(*object_read_helper)(PyTypeObject *, BIO *),
+ PyTypeObject *type,
+ PyObject *args)
+{
+ const char *filename = NULL;
+ PyObject *result = NULL;
+ BIO *bio = NULL;
+
+ if (!PyArg_ParseTuple(args, "s", &filename))
+ goto error;
+
+ if ((bio = BIO_new_file(filename, "rb")) == NULL)
+ lose_openssl_error("Could not open file");
+
+ result = object_read_helper(type, bio);
+
+ error:
+ BIO_free(bio);
+ return result;
}
/*
- * Unlike the previous function this creates the BIO itself. The BIO_s_mem
- * is used as a buffer which the certificate is read into, from this buffer
- * it is read into a char[] and returned as a string.
+ * Simplify entries in method definition tables. See the "Common
+ * Object Structures" section of the API manual for available flags.
+ */
+#define Define_Method(__python_name__, __c_name__, __flags__) \
+ { #__python_name__, (PyCFunction) __c_name__, __flags__, __c_name__##__doc__ }
+
+#define Define_Class_Method(__python_name__, __c_name__, __flags__) \
+ Define_Method(__python_name__, __c_name__, (__flags__) | METH_CLASS)
+
+/*
+ * Convert an ASN1_INTEGER into a Python integer or long.
*/
static PyObject *
-X509_object_write_helper(x509_object *self, PyObject *args, int format)
+ASN1_INTEGER_to_PyLong(ASN1_INTEGER *arg)
{
- int len = 0;
- char *buf = NULL;
- BIO *out_bio = NULL;
- PyObject *cert = NULL;
+ PyObject *result = NULL;
+ PyObject *obj = NULL;
- if (!PyArg_ParseTuple(args, ""))
- return NULL;
+ if ((obj = _PyLong_FromByteArray(ASN1_STRING_data(arg),
+ ASN1_STRING_length(arg),
+ 0, 0)) != NULL)
+ result = PyNumber_Int(obj);
- out_bio = BIO_new(BIO_s_mem());
+ Py_XDECREF(obj);
+ return result;
+}
- switch (format) {
+/*
+ * Convert a Python long to an ASN1_INTEGER.
+ * This is just nasty, do not read on a full stomach.
+ *
+ * Maximum size of integer to be converted here is taken from RFC 5280
+ * 4.1.2.2, which sets a maximum of 20 octets for an X.509 certificate
+ * serial number.
+ *
+ * In theory we could use _PyLong_NumBits() to determine the length of
+ * the long before converting, and raise OverflowError if it's too big.
+ * Hmm.
+ */
+static ASN1_INTEGER *
+PyLong_to_ASN1_INTEGER(PyObject *arg)
+{
+ PyObject *obj = NULL;
+ ASN1_INTEGER *a = NULL;
+ unsigned char buf[MAX_ASN1_INTEGER_LEN];
+ size_t len;
- case DER_FORMAT:
- if (!i2d_X509_bio(out_bio, self->x509))
- lose("unable to write certificate");
- break;
+ memset(buf, 0, sizeof(buf));
- case PEM_FORMAT:
- if (!PEM_write_bio_X509(out_bio, self->x509))
- lose("unable to write certificate");
- break;
+ /*
+ * Make sure argument is a PyLong small enough that its length (in
+ * bits!) doesn't overflow a size_t (which is a mis-use of size_t,
+ * but take that up with whoever wrote _PyLong_NumBits()...).
+ */
+ if ((obj = PyNumber_Long(arg)) == NULL ||
+ (len = _PyLong_NumBits(obj)) == (size_t) -1)
+ goto error;
- default:
- lose("internal error, unknown output format");
+ /*
+ * Next make sure it's a non-negative integer small enough to fit in
+ * our buffer. If we really thought we needed to support larger
+ * integers we could allocate this dynamically, but we don't, so
+ * it's not worth the overhead.
+ *
+ * Paranoia: We can't convert len to bytes yet, because that
+ * requires rounding up and we don't know yet that we have enough
+ * headroom to do that arithmetic without overflowing a size_t.
+ */
+ if (_PyLong_Sign(obj) < 0 || (len / 8) + 1 > sizeof(buf)) {
+ PyErr_SetObject(PyExc_OverflowError, obj);
+ goto error;
}
- if ((len = BIO_ctrl_pending(out_bio)) == 0)
- lose("unable to get bytes stored in bio");
-
- if ((buf = malloc(len)) == NULL)
- lose("unable to allocate memory");
-
- if (BIO_read(out_bio, buf, len) != len)
- lose("unable to write out cert");
+ /*
+ * Now that we know we're dealing with a sane number of bits,
+ * convert it to bytes.
+ */
+ len = (len + 7) / 8;
- cert = Py_BuildValue("s#", buf, len);
+ /*
+ * Extract that many bytes.
+ */
+ if (_PyLong_AsByteArray((PyLongObject *) obj, buf, len, 0, 0) < 0)
+ goto error;
- BIO_free(out_bio);
- free(buf);
- return cert;
+ /*
+ * We're done with the PyLong now.
+ */
+ Py_XDECREF(obj);
+ obj = NULL;
- error:
+ /*
+ * Generate the ASN1_INTEGER and return it.
+ */
+ if ((a = ASN1_INTEGER_new()) == NULL ||
+ (a->length < (int) len + 1 && (a->data = OPENSSL_realloc(a->data, len + 1)) == NULL))
+ lose_no_memory();
- if (out_bio)
- BIO_free(out_bio);
+ a->type = V_ASN1_INTEGER;
+ a->length = len;
+ a->data[len] = 0;
+ memcpy(a->data, buf, len);
- if (buf)
- free(buf);
+ return a;
- Py_XDECREF(cert);
+ error:
+ Py_XDECREF(obj);
+ ASN1_INTEGER_free(a);
return NULL;
}
-static char X509_object_pem_write__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509</memberof>\n"
-" <name>pemWrite</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method returns a PEM encoded certificate as a\n"
-" string.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+/*
+ * Handle missing NIDs.
+ */
-static PyObject *
-X509_object_pem_write(x509_object *self, PyObject *args)
+static int
+create_missing_nids(void)
{
- return X509_object_write_helper(self, args, PEM_FORMAT);
-}
+ int i;
-static char X509_object_der_write__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509</memberof>\n"
-" <name>derWrite</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method returns a DER encoded certificate as a\n"
-" string.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+ for (i = 0; i < (int) (sizeof(missing_nids) / sizeof(*missing_nids)); i++)
+ if ((*missing_nids[i].nid = OBJ_txt2nid(missing_nids[i].oid)) == NID_undef &&
+ (*missing_nids[i].nid = OBJ_create(missing_nids[i].oid,
+ missing_nids[i].sn,
+ missing_nids[i].ln)) == NID_undef)
+ return 0;
-static PyObject *
-X509_object_der_write(x509_object *self, PyObject *args)
-{
- return X509_object_write_helper(self, args, DER_FORMAT);
+ return 1;
}
-/*
- * Currently this function only supports RSA keys.
- */
-static char X509_object_set_public_key__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509</memberof>\n"
-" <name>setPublicKey</name>\n"
-" <parameter>key</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method sets the public key for this certificate object. The\n"
-" parameter <parameter>key</parameter> should be an instance of\n"
-" <classname>Asymmetric</classname> containing a public key.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
-
-
static PyObject *
-X509_object_set_public_key(x509_object *self, PyObject *args)
+ASN1_OBJECT_to_PyString(const ASN1_OBJECT *oid)
{
- EVP_PKEY *pkey = NULL;
- asymmetric_object *asym;
-
- if (!PyArg_ParseTuple(args, "O!", &asymmetrictype, &asym))
- goto error;
-
- if ((pkey = EVP_PKEY_new()) == NULL)
- lose("could not allocate memory");
+ PyObject *result = NULL;
+ char buf[512];
- if (!EVP_PKEY_assign_RSA(pkey, asym->cipher))
- lose("EVP_PKEY assignment error");
+ ENTERING(ASN1_OBJECT_to_PyString);
- if (!X509_set_pubkey(self->x509,pkey))
- lose("could not set certificate's public key");
+ if (OBJ_obj2txt(buf, sizeof(buf), oid, 1) <= 0)
+ lose_openssl_error("Couldn't translate OID");
- Py_RETURN_NONE;
+ result = PyString_FromString(buf);
error:
-
- if (pkey)
- EVP_PKEY_free(pkey);
-
- return NULL;
-
+ return result;
}
-static char X509_object_sign__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509</memberof>\n"
-" <name>sign</name>\n"
-" <parameter>key</parameter>\n"
-" <optional><parameter>digest = MD5_DIGEST</parameter></optional>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method signs a certificate with a private key. See the\n"
-" example for the methods which should be invoked before signing a\n"
-" certificate. <parameter>key</parameter> should be an instance of\n"
-" <classname>Asymmetric</classname> containing a private key.\n"
-" The optional parameter <parameter>digest</parameter> indicates\n"
-" which digest function should be used to compute the hash to be\n"
-" signed, it should be one of the following:\n"
-" </para>\n"
-" <simplelist>\n"
-#ifndef OPENSSL_NO_MD2
-" <member><constant>MD2_DIGEST</constant></member>\n"
-#endif
-" <member><constant>MD5_DIGEST</constant></member>\n"
-" <member><constant>SHA_DIGEST</constant></member>\n"
-" <member><constant>SHA1_DIGEST</constant></member>\n"
-" <member><constant>RIPEMD160_DIGEST</constant></member>\n"
-" <member><constant>SHA256_DIGEST</constant></member>\n"
-" <member><constant>SHA384_DIGEST</constant></member>\n"
-" <member><constant>SHA512_DIGEST</constant></member>\n"
-" </simplelist>\n"
-" </body>\n"
-"</method>\n"
-;
+
+/*
+ * IPAddress object.
+ */
static PyObject *
-X509_object_sign(x509_object *self, PyObject *args)
+ipaddress_object_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
{
- EVP_PKEY *pkey = NULL;
- asymmetric_object *asym;
- int digest = MD5_DIGEST;
-
- if (!PyArg_ParseTuple(args, "O!|i", &asymmetrictype, &asym, &digest))
- goto error;
-
- if ((pkey = EVP_PKEY_new()) == NULL)
- lose("could not allocate memory");
-
- if (asym->key_type != RSA_PRIVATE_KEY)
- lose("cannot use this type of key");
+ static char *kwlist[] = {"initializer", "version", NULL};
+ ipaddress_object *self = NULL;
+ PyObject *init = NULL;
+ PyObject *pylong = NULL;
+ int version = 0;
+ const char *s = NULL;
+ int v;
- if (!EVP_PKEY_assign_RSA(pkey, asym->cipher))
- lose("EVP_PKEY assignment error");
+ ENTERING(ipaddress_object_new);
- switch (digest) {
- case MD5_DIGEST:
- if (!X509_sign(self->x509, pkey, EVP_md5()))
- lose("could not sign certificate");
- break;
+ if (!PyArg_ParseTupleAndKeywords(args, kwds, "O|i", kwlist, &init, &version) ||
+ (self = (ipaddress_object *) type->tp_alloc(type, 0)) == NULL)
+ goto error;
-#ifndef OPENSSL_NO_MD2
- case MD2_DIGEST:
- if (!X509_sign(self->x509, pkey, EVP_md2()))
- lose("could not sign certificate");
- break;
-#endif
+ if (POW_IPAddress_Check(init)) {
+ ipaddress_object *src = (ipaddress_object *) init;
+ memcpy(self->address, src->address, sizeof(self->address));
+ self->type = src->type;
+ return (PyObject *) self;
+ }
- case SHA_DIGEST:
- if (!X509_sign(self->x509, pkey, EVP_sha()))
- lose("could not sign certificate");
- break;
+ if ((s = PyString_AsString(init)) == NULL)
+ PyErr_Clear();
+ else if (version == 0)
+ version = strchr(s, ':') ? 6 : 4;
- case SHA1_DIGEST:
- if (!X509_sign(self->x509, pkey, EVP_sha1()))
- lose("could not sign certificate");
- break;
+ self->type = NULL;
- case RIPEMD160_DIGEST:
- if (!X509_sign(self->x509, pkey, EVP_ripemd160()))
- lose("could not sign certificate");
- break;
+ for (v = 0; v < (int) (sizeof(ipaddress_versions)/sizeof(*ipaddress_versions)); v++)
+ if ((unsigned) version == ipaddress_versions[v]->version)
+ self->type = ipaddress_versions[v];
- case SHA256_DIGEST:
- if (!X509_sign(self->x509, pkey, EVP_sha256()))
- lose("could not sign certificate");
- break;
+ if (self->type == NULL)
+ lose("Unknown IP version number");
- case SHA384_DIGEST:
- if (!X509_sign(self->x509, pkey, EVP_sha384()))
- lose("could not sign certificate");
- break;
+ if (s != NULL) {
+ if (inet_pton(self->type->af, s, self->address) <= 0)
+ lose("Couldn't parse IP address");
+ return (PyObject *) self;
+ }
- case SHA512_DIGEST:
- if (!X509_sign(self->x509, pkey, EVP_sha512()))
- lose("could not sign certificate");
- break;
+ if ((pylong = PyNumber_Long(init)) != NULL) {
+ if (_PyLong_AsByteArray((PyLongObject *) pylong, self->address, self->type->length, 0, 0) < 0)
+ goto error;
+ Py_XDECREF(pylong);
+ return (PyObject *) self;
}
- Py_RETURN_NONE;
+ lose_type_error("Couldn't convert initializer to IPAddress");
error:
-
- if (pkey)
- EVP_PKEY_free(pkey);
-
+ Py_XDECREF(self);
+ Py_XDECREF(pylong);
return NULL;
-
}
-static char X509_object_get_version__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509</memberof>\n"
-" <name>getVersion</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method returns the version number from the version field of\n"
-" this certificate.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
-
-
static PyObject *
-X509_object_get_version(x509_object *self, PyObject *args)
+ipaddress_object_str(ipaddress_object *self)
{
- long version = 0;
+ char addrstr[sizeof("aaaa:bbbb:cccc:dddd:eeee:ffff:255.255.255.255") + 1];
- if (!PyArg_ParseTuple(args, ""))
- goto error;
+ ENTERING(ipaddress_object_str);
- version = X509_get_version(self->x509);
+ if (!inet_ntop(self->type->af, self->address, addrstr, sizeof(addrstr)))
+ lose("Couldn't convert IP address");
- return Py_BuildValue("l", version);
+ return PyString_FromString(addrstr);
error:
-
return NULL;
}
-static char X509_object_set_version__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509</memberof>\n"
-" <name>setVersion</name>\n"
-" <parameter>version</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method sets the version number in the version field of\n"
-" this certificate. <parameter>version</parameter> should be an\n"
-" integer.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
-
static PyObject *
-X509_object_set_version(x509_object *self, PyObject *args)
+ipaddress_object_repr(ipaddress_object *self)
{
- long version = 0;
+ char addrstr[sizeof("aaaa:bbbb:cccc:dddd:eeee:ffff:255.255.255.255") + 1];
- if (!PyArg_ParseTuple(args, "l", &version))
- goto error;
+ ENTERING(ipaddress_object_repr);
- if (!X509_set_version(self->x509, version))
- lose("could not set certificate version");
+ if (!inet_ntop(self->type->af, self->address, addrstr, sizeof(addrstr)))
+ lose("Couldn't convert IP address");
- Py_RETURN_NONE;
+ return PyString_FromFormat("<%s object %s at %p>",
+ self->ob_type->tp_name, addrstr, self);
error:
-
return NULL;
}
-static char X509_object_get_serial__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509</memberof>\n"
-" <name>getSerial</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method get the serial number in the serial field of\n"
-" this certificate.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static int
+ipaddress_object_compare(PyObject *arg1, PyObject *arg2)
+{
+ PyObject *obj1 = PyNumber_Long(arg1);
+ PyObject *obj2 = PyNumber_Long(arg2);
+ int cmp = -1;
+
+ ENTERING(ipaddress_object_compare);
+
+ if (obj1 != NULL && obj2 != NULL)
+ cmp = PyObject_Compare(obj1, obj2);
+
+ Py_XDECREF(obj1);
+ Py_XDECREF(obj2);
+ return cmp;
+}
static PyObject *
-X509_object_get_serial(x509_object *self, PyObject *args)
+ipaddress_object_richcompare(PyObject *arg1, PyObject *arg2, int op)
{
- long serial = 0;
- ASN1_INTEGER *asn1i = NULL;
+ PyObject *obj1 = PyNumber_Long(arg1);
+ PyObject *obj2 = PyNumber_Long(arg2);
+ PyObject *result = NULL;
- if (!PyArg_ParseTuple(args, ""))
- goto error;
+ ENTERING(ipaddress_object_richcompare);
- if ((asn1i = X509_get_serialNumber(self->x509)) == NULL)
- lose("could not get serial number");
+ if (obj1 != NULL && obj2 != NULL)
+ result = PyObject_RichCompare(obj1, obj2, op);
+
+ Py_XDECREF(obj1);
+ Py_XDECREF(obj2);
+ return result;
+}
- if ((serial = ASN1_INTEGER_get(asn1i)) == -1)
- lose("could not convert ASN1 Integer to long");
+static long
+ipaddress_object_hash(ipaddress_object *self)
+{
+ unsigned long h = 0;
+ int i;
- return Py_BuildValue("l", serial);
+ ENTERING(ipaddress_object_hash);
- error:
+ for (i = 0; (unsigned) i < self->type->length; i++)
+ h ^= self->address[i] << ((i & 3) << 3);
- return NULL;
+ return (long) h == -1 ? 0 : (long) h;
}
-static char X509_object_set_serial__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509</memberof>\n"
-" <name>setSerial</name>\n"
-" <parameter>serial</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method sets the serial number in the serial field of\n"
-" this certificate. <parameter>serial</parameter> should ba an\n"
-" integer.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char ipaddress_object_from_bytes__doc__[] =
+ "Construct an IPAddress object from a sequence of bytes.\n"
+ "\n"
+ "Argument must be a Python string of exactly 4 or 16 bytes.\n"
+ ;
static PyObject *
-X509_object_set_serial(x509_object *self, PyObject *args)
+ipaddress_object_from_bytes(PyTypeObject *type, PyObject *args)
{
- long serial = 0;
- ASN1_INTEGER *asn1i = NULL;
+ ipaddress_object *result = NULL;
+ char *bytes = NULL;
+ size_t len;
+ int v;
- if (!PyArg_ParseTuple(args, "l", &serial))
+ ENTERING(ipaddress_object_from_bytes);
+
+ if (!PyArg_ParseTuple(args, "s#", &bytes, &len))
goto error;
- if ((asn1i = ASN1_INTEGER_new()) == NULL)
- lose("could not allocate memory");
+ if ((result = (ipaddress_object *) type->tp_alloc(type, 0)) == NULL)
+ goto error;
- if (!ASN1_INTEGER_set(asn1i, serial))
- lose("could not set ASN1 integer");
+ result->type = NULL;
- if (!X509_set_serialNumber(self->x509, asn1i))
- lose("could not set certificate serial");
+ for (v = 0; v < (int) (sizeof(ipaddress_versions)/sizeof(*ipaddress_versions)); v++)
+ if (len == ipaddress_versions[v]->length)
+ result->type = ipaddress_versions[v];
- ASN1_INTEGER_free(asn1i);
+ if (result->type == NULL)
+ lose("Unknown IP version number");
- Py_RETURN_NONE;
+ memcpy(result->address, bytes, len);
error:
+ return (PyObject *) result;
+}
- if (asn1i)
- ASN1_INTEGER_free(asn1i);
+static char ipaddress_object_to_bytes__doc__[] =
+ "Return the binary value of this IPAddress as a Python string\n"
+ "of exactly 4 or 16 bytes.\n"
+ ;
- return NULL;
+static PyObject *
+ipaddress_object_to_bytes(ipaddress_object *self)
+{
+ ENTERING(ipaddress_object_from_bytes);
+ return PyString_FromStringAndSize((char *) self->address, self->type->length);
}
-static char X509_object_get_issuer__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509</memberof>\n"
-" <name>getIssuer</name>\n"
-" <parameter>format = SHORTNAME_FORMAT</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method returns a tuple containing the issuers name. Each\n"
-" element of the tuple is a tuple with 2 elements. The first tuple\n"
-" is an object name and the second is it's value. Both issuer and\n"
-" subject are names distinguished normally composed of a small\n"
-" number of objects:\n"
-" </para>\n"
-" <simplelist>\n"
-" <member><constant>c</constant> or <constant>countryName</constant></member>\n"
-" <member><constant>st</constant> or <constant>stateOrProvinceName</constant></member>\n"
-" <member><constant>o</constant> or <constant>organizationName</constant></member>\n"
-" <member><constant>l</constant> or <constant>localityName</constant></member>\n"
-" <member><constant>ou</constant> or <constant>organizationalUnitName</constant></member>\n"
-" <member><constant>cn</constant> or <constant>commonName</constant></member>\n"
-" </simplelist>\n"
-" <para>\n"
-" The data type varies from one object to another, however, all the\n"
-" common objects are strings. It would be possible to specify any\n"
-" kind of object but that would certainly adversely effect\n"
-" portability and is not recommended.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
-
static PyObject *
-X509_object_get_issuer(x509_object *self, PyObject *args)
+ipaddress_object_get_bits(ipaddress_object *self, GCC_UNUSED void *closure)
{
- PyObject *result_list = NULL;
- X509_NAME *name = NULL;
- int format = SHORTNAME_FORMAT;
+ ENTERING(ipaddress_object_get_bits);
+ return PyInt_FromLong(self->type->length * 8);
+}
- if (!PyArg_ParseTuple(args, "|i", &format))
- goto error;
+static PyObject *
+ipaddress_object_get_version(ipaddress_object *self, GCC_UNUSED void *closure)
+{
+ ENTERING(ipaddress_object_get_version);
+ return PyInt_FromLong(self->type->version);
+}
- if ((name = X509_get_issuer_name(self->x509)) == NULL)
- lose("could not get issuers name");
+static PyObject *
+ipaddress_object_number_binary_helper(binaryfunc function, PyObject *arg1, PyObject *arg2)
+{
+ ipaddress_object *addr = NULL;
+ ipaddress_object *addr1 = NULL;
+ ipaddress_object *addr2 = NULL;
+ ipaddress_object *result = NULL;
+ PyObject *obj1 = NULL;
+ PyObject *obj2 = NULL;
+ PyObject *obj3 = NULL;
+ PyObject *obj4 = NULL;
- if ((result_list = X509_object_helper_get_name(name, format)) == NULL)
- lose("failed to produce name list");
+ if (POW_IPAddress_Check(arg1))
+ addr1 = (ipaddress_object *) arg1;
- return result_list;
+ if (POW_IPAddress_Check(arg2))
+ addr2 = (ipaddress_object *) arg2;
- error:
+ if ((addr1 == NULL && addr2 == NULL) ||
+ (addr1 != NULL && addr2 != NULL && addr1->type != addr2->type) ||
+ (obj1 = PyNumber_Long(arg1)) == NULL ||
+ (obj2 = PyNumber_Long(arg2)) == NULL) {
+ result = (ipaddress_object *) Py_NotImplemented;
+ goto error;
+ }
- return NULL;
-}
+ if ((obj3 = function(obj1, obj2)) == NULL)
+ goto error;
-static char X509_object_get_subject__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509</memberof>\n"
-" <name>getSubject</name>\n"
-" <parameter>format = SHORTNAME_FORMAT</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method returns a tuple containing the subjects name. See\n"
-" <function>getIssuer</function> for a description of the returned\n"
-" object's format.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+ if ((obj4 = PyNumber_Long(obj3)) == NULL)
+ lose("Couldn't convert result");
-static PyObject *
-X509_object_get_subject(x509_object *self, PyObject *args)
-{
- PyObject *result_list = NULL;
- X509_NAME *name = NULL;
- int format = SHORTNAME_FORMAT;
+ addr = addr1 != NULL ? addr1 : addr2;
- if (!PyArg_ParseTuple(args, "|i", &format))
+ if ((result = (ipaddress_object *) addr->ob_type->tp_alloc(addr->ob_type, 0)) == NULL)
goto error;
- if ((name = X509_get_subject_name(self->x509)) == NULL)
- lose("could not get issuers name");
-
- if ((result_list = X509_object_helper_get_name(name, format)) == NULL)
- lose("failed to produce name list");
+ result->type = addr->type;
- return result_list;
+ if (_PyLong_AsByteArray((PyLongObject *) obj4, result->address, result->type->length, 0, 0) < 0) {
+ Py_XDECREF(result);
+ result = NULL;
+ }
- error:
+ error: /* Fall through */
+ Py_XDECREF(obj1);
+ Py_XDECREF(obj2);
+ Py_XDECREF(obj3);
+ Py_XDECREF(obj4);
- return NULL;
+ return (PyObject *) result;
}
-static char X509_object_set_subject__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509</memberof>\n"
-" <name>setSubject</name>\n"
-" <parameter>name</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method is used to set the subjects name.\n"
-" <parameter>name</parameter> can be comprised of lists or tuples in\n"
-" the format described in the <function>getIssuer</function> method.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
-
static PyObject *
-X509_object_set_subject(x509_object *self, PyObject *args)
+ipaddress_object_number_long(PyObject *arg)
{
- PyObject *name_sequence = NULL;
- X509_NAME *name = NULL;
+ ipaddress_object *addr = (ipaddress_object *) arg;
- if (!PyArg_ParseTuple(args, "O", &name_sequence))
- goto error;
-
- if (!PyTuple_Check(name_sequence) && !PyList_Check(name_sequence))
- lose_type_error("Inapropriate type");
+ ENTERING(ipaddress_object_number_long);
- if ((name = X509_NAME_new()) == NULL)
- lose("could not allocate memory");
+ if (!POW_IPAddress_Check(arg))
+ return Py_NotImplemented;
- if (!X509_object_helper_set_name(name, name_sequence))
- lose("unable to set new name");
+ return _PyLong_FromByteArray(addr->address, addr->type->length, 0, 0);
+}
- if (!X509_set_subject_name(self->x509, name))
- lose("unable to set name");
+static PyObject *
+ipaddress_object_number_int(PyObject *arg)
+{
+ ENTERING(ipaddress_object_number_int);
+ return ipaddress_object_number_long(arg);
+}
- X509_NAME_free(name);
+static PyObject *
+ipaddress_object_number_add(PyObject *arg1, PyObject *arg2)
+{
+ ENTERING(ipaddress_object_number_add);
+ return ipaddress_object_number_binary_helper(PyNumber_Add, arg1, arg2);
+}
- Py_RETURN_NONE;
+static PyObject *
+ipaddress_object_number_subtract(PyObject *arg1, PyObject *arg2)
+{
+ ENTERING(ipaddress_object_number_subtract);
+ return ipaddress_object_number_binary_helper(PyNumber_Subtract, arg1, arg2);
+}
- error:
+static PyObject *
+ipaddress_object_number_lshift(PyObject *arg1, PyObject *arg2)
+{
+ ENTERING(ipaddress_object_number_lshift);
+ return ipaddress_object_number_binary_helper(PyNumber_Lshift, arg1, arg2);
+}
- return NULL;
+static PyObject *
+ipaddress_object_number_rshift(PyObject *arg1, PyObject *arg2)
+{
+ ENTERING(ipaddress_object_number_rshift);
+ return ipaddress_object_number_binary_helper(PyNumber_Rshift, arg1, arg2);
}
-static char X509_object_set_issuer__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509</memberof>\n"
-" <name>setIssuer</name>\n"
-" <parameter>name</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method is used to set the issuers name.\n"
-" <parameter>name</parameter> can be comprised of lists or tuples in\n"
-" the format described in the <function>getissuer</function> method.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static PyObject *
+ipaddress_object_number_and(PyObject *arg1, PyObject *arg2)
+{
+ ENTERING(ipaddress_object_number_and);
+ return ipaddress_object_number_binary_helper(PyNumber_And, arg1, arg2);
+}
static PyObject *
-X509_object_set_issuer(x509_object *self, PyObject *args)
+ipaddress_object_number_xor(PyObject *arg1, PyObject *arg2)
{
- PyObject *name_sequence = NULL;
- X509_NAME *name = NULL;
+ ENTERING(ipaddress_object_number_xor);
+ return ipaddress_object_number_binary_helper(PyNumber_Xor, arg1, arg2);
+}
- if (!PyArg_ParseTuple(args, "O", &name_sequence))
- goto error;
+static PyObject *
+ipaddress_object_number_or(PyObject *arg1, PyObject *arg2)
+{
+ ENTERING(ipaddress_object_number_or);
+ return ipaddress_object_number_binary_helper(PyNumber_Or, arg1, arg2);
+}
- if (!PyTuple_Check(name_sequence) && !PyList_Check(name_sequence))
- lose_type_error("Inapropriate type");
+static int
+ipaddress_object_number_nonzero(ipaddress_object *self)
+{
+ int i;
- if ((name = X509_NAME_new()) == NULL)
- lose("could not allocate memory");
+ ENTERING(ipaddress_object_number_nonzero);
- if (!X509_object_helper_set_name(name, name_sequence))
- lose("unable to set new name");
+ for (i = 0; (unsigned) i < self->type->length; i++)
+ if (self->address[i] != 0)
+ return 1;
+ return 0;
+}
- if (!X509_set_issuer_name(self->x509,name))
- lose("unable to set name");
+static PyObject *
+ipaddress_object_number_invert(ipaddress_object *self)
+{
+ ipaddress_object *result = NULL;
+ int i;
- X509_NAME_free(name);
+ ENTERING(ipaddress_object_number_invert);
- Py_RETURN_NONE;
+ if ((result = (ipaddress_object *) self->ob_type->tp_alloc(self->ob_type, 0)) == NULL)
+ goto error;
- error:
+ result->type = self->type;
- if (name)
- X509_NAME_free(name);
+ for (i = 0; (unsigned) i < self->type->length; i++)
+ result->address[i] = ~self->address[i];
- return NULL;
+ error: /* Fall through */
+ return (PyObject *) result;
}
-static char X509_object_get_not_before__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509</memberof>\n"
-" <name>getNotBefore</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" In a change from previous releases, for reasons of portability\n"
-" and to avoid hard to fix issues with problems in unreliable time\n"
-" functions, this function returns a UTCTime string. You\n"
-" can use the function <function>time2utc</function> to convert to a\n"
-" string if you like and <function>utc2time</function> to back.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-
-;
+static char ipaddress_object_copy__doc__[] =
+ ""
+ ;
static PyObject *
-X509_object_get_not_before (x509_object *self, PyObject *args)
+ipaddress_object_copy(ipaddress_object *self, GCC_UNUSED PyObject *args)
{
- if (!PyArg_ParseTuple(args, ""))
+ ipaddress_object *result = NULL;
+
+ ENTERING(ipaddress_object_copy);
+
+ if ((result = (ipaddress_object *) self->ob_type->tp_alloc(self->ob_type, 0)) == NULL)
goto error;
- return ASN1_TIME_to_Python(self->x509->cert_info->validity->notBefore);
+ memcpy(result->address, self->address, sizeof(result->address));
+ result->type = self->type;
error:
-
- return NULL;
+ return (PyObject *) result;
}
-static char X509_object_get_not_after__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509</memberof>\n"
-" <name>getNotAfter</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" In a change from previous releases, for reasons of portability\n"
-" and to avoid hard to fix issues with problems in unreliable time\n"
-" functions, this function returns a UTCTime string. You\n"
-" can use the function <function>time2utc</function> to convert to a\n"
-" string if you like and <function>utc2time</function> to back.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static struct PyMethodDef ipaddress_object_methods[] = {
+ Define_Method(__copy__, ipaddress_object_copy, METH_VARARGS),
+ Define_Method(__deepcopy__, ipaddress_object_copy, METH_VARARGS),
+ Define_Method(toBytes, ipaddress_object_to_bytes, METH_NOARGS),
+ Define_Class_Method(fromBytes, ipaddress_object_from_bytes, METH_VARARGS),
+ {NULL}
+};
+
+static PyGetSetDef ipaddress_object_getsetters[] = {
+ {"bits", (getter) ipaddress_object_get_bits},
+ {"version", (getter) ipaddress_object_get_version},
+ {NULL}
+};
+
+static PyNumberMethods ipaddress_NumberMethods = {
+ ipaddress_object_number_add, /* nb_add */
+ ipaddress_object_number_subtract, /* nb_subtract */
+ 0, /* nb_multiply */
+ 0, /* nb_divide */
+ 0, /* nb_remainder */
+ 0, /* nb_divmod */
+ 0, /* nb_power */
+ 0, /* nb_negative */
+ 0, /* nb_positive */
+ 0, /* nb_absolute */
+ (inquiry) ipaddress_object_number_nonzero, /* nb_nonzero */
+ (unaryfunc) ipaddress_object_number_invert, /* nb_invert */
+ ipaddress_object_number_lshift, /* nb_lshift */
+ ipaddress_object_number_rshift, /* nb_rshift */
+ ipaddress_object_number_and, /* nb_and */
+ ipaddress_object_number_xor, /* nb_xor */
+ ipaddress_object_number_or, /* nb_or */
+ 0, /* nb_coerce */
+ ipaddress_object_number_int, /* nb_int */
+ ipaddress_object_number_long, /* nb_long */
+ 0, /* nb_float */
+ 0, /* nb_oct */
+ 0, /* nb_hex */
+ 0, /* nb_inplace_add */
+ 0, /* nb_inplace_subtract */
+ 0, /* nb_inplace_multiply */
+ 0, /* nb_inplace_divide */
+ 0, /* nb_inplace_remainder */
+ 0, /* nb_inplace_power */
+ 0, /* nb_inplace_lshift */
+ 0, /* nb_inplace_rshift */
+ 0, /* nb_inplace_and */
+ 0, /* nb_inplace_xor */
+ 0, /* nb_inplace_or */
+ 0, /* nb_floor_divide */
+ 0, /* nb_true_divide */
+ 0, /* nb_inplace_floor_divide */
+ 0, /* nb_inplace_true_divide */
+ 0, /* nb_index */
+};
+
+static PyTypeObject POW_IPAddress_Type = {
+ PyObject_HEAD_INIT(NULL)
+ 0, /* ob_size */
+ "rpki.POW.IPAddress", /* tp_name */
+ sizeof(ipaddress_object), /* tp_basicsize */
+ 0, /* tp_itemsize */
+ 0, /* tp_dealloc */
+ 0, /* tp_print */
+ 0, /* tp_getattr */
+ 0, /* tp_setattr */
+ ipaddress_object_compare, /* tp_compare */
+ (reprfunc) ipaddress_object_repr, /* tp_repr */
+ &ipaddress_NumberMethods, /* tp_as_number */
+ 0, /* tp_as_sequence */
+ 0, /* tp_as_mapping */
+ (hashfunc) ipaddress_object_hash, /* tp_hash */
+ 0, /* tp_call */
+ (reprfunc) ipaddress_object_str, /* tp_str */
+ 0, /* tp_getattro */
+ 0, /* tp_setattro */
+ 0, /* tp_as_buffer */
+ Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE | Py_TPFLAGS_CHECKTYPES, /* tp_flags */
+ 0, /* tp_doc */
+ 0, /* tp_traverse */
+ 0, /* tp_clear */
+ ipaddress_object_richcompare, /* tp_richcompare */
+ 0, /* tp_weaklistoffset */
+ 0, /* tp_iter */
+ 0, /* tp_iternext */
+ ipaddress_object_methods, /* tp_methods */
+ 0, /* tp_members */
+ ipaddress_object_getsetters, /* tp_getset */
+ 0, /* tp_base */
+ 0, /* tp_dict */
+ 0, /* tp_descr_get */
+ 0, /* tp_descr_set */
+ 0, /* tp_dictoffset */
+ 0, /* tp_init */
+ 0, /* tp_alloc */
+ ipaddress_object_new, /* tp_new */
+};
+
+
+
+/*
+ * X509 object.
+ */
static PyObject *
-X509_object_get_not_after (x509_object *self, PyObject *args)
+x509_object_new(PyTypeObject *type, GCC_UNUSED PyObject *args, GCC_UNUSED PyObject *kwds)
{
- if (!PyArg_ParseTuple(args, ""))
- goto error;
+ x509_object *self;
- return ASN1_TIME_to_Python(self->x509->cert_info->validity->notAfter);
+ ENTERING(x509_object_new);
- error:
+ if ((self = (x509_object *) type->tp_alloc(type, 0)) != NULL &&
+ (self->x509 = X509_new()) != NULL)
+ return (PyObject *) self;
+ Py_XDECREF(self);
return NULL;
}
-static char X509_object_set_not_after__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509</memberof>\n"
-" <name>setNotAfter</name>\n"
-" <parameter>time</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" In a change from previous releases, for reasons of portability\n"
-" and to avoid hard to fix issues with problems in unreliable time\n"
-" functions, this accepts one parameter, a UTCTime string. You\n"
-" can use the function <function>time2utc</function> to convert to a\n"
-" string if you like and <function>utc2time</function> to back.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static void
+x509_object_dealloc(x509_object *self)
+{
+ ENTERING(x509_object_dealloc);
+ X509_free(self->x509);
+ self->ob_type->tp_free((PyObject*) self);
+}
static PyObject *
-X509_object_set_not_after (x509_object *self, PyObject *args)
+x509_object_pem_read_helper(PyTypeObject *type, BIO *bio)
{
- char *new_time = NULL;
+ x509_object *self = NULL;
+
+ ENTERING(x509_object_pem_read_helper);
- if (!PyArg_ParseTuple(args, "s", &new_time))
+ if ((self = (x509_object *) x509_object_new(type, NULL, NULL)) == NULL)
goto error;
- if (!python_ASN1_TIME_set_string(self->x509->cert_info->validity->notAfter, new_time))
- lose("Could not set notAfter");
+ if (!PEM_read_bio_X509(bio, &self->x509, NULL, NULL))
+ lose_openssl_error("Couldn't load PEM encoded certificate");
- Py_RETURN_NONE;
+ return (PyObject *) self;
error:
+ Py_XDECREF(self);
return NULL;
}
-static char X509_object_set_not_before__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509</memberof>\n"
-" <name>setNotBefore</name>\n"
-" <parameter>time</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" In a change from previous releases, for reasons of portability\n"
-" and to avoid hard to fix issues with problems in unreliable time\n"
-" functions, this accepts one parameter, a UTCTime string. You\n"
-" can use the function <function>time2utc</function> to convert to a\n"
-" string if you like and <function>utc2time</function> to back.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
-
static PyObject *
-X509_object_set_not_before (x509_object *self, PyObject *args)
+x509_object_der_read_helper(PyTypeObject *type, BIO *bio)
{
- char *new_time = NULL;
+ x509_object *self;
- if (!PyArg_ParseTuple(args, "s", &new_time))
+ ENTERING(x509_object_der_read_helper);
+
+ if ((self = (x509_object *) x509_object_new(type, NULL, NULL)) == NULL)
goto error;
- if (!python_ASN1_TIME_set_string(self->x509->cert_info->validity->notBefore, new_time))
- lose("Could not set notBefore");
+ if (!d2i_X509_bio(bio, &self->x509))
+ lose_openssl_error("Couldn't load DER encoded certificate");
- Py_RETURN_NONE;
+ return (PyObject *) self;
error:
-
+ Py_XDECREF(self);
return NULL;
}
-static char X509_object_add_extension__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509</memberof>\n"
-" <name>addExtension</name>\n"
-" <parameter>extensionName</parameter>\n"
-" <parameter>critical</parameter>\n"
-" <parameter>extensionValue</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method adds an extension to this certificate.\n"
-" <parameter>extensionName</parameter> should be the of the\n"
-" extension. <parameter>critical</parameter> should an integer, 1\n"
-" for true and 0 for false. <parameter>extensionValue</parameter>\n"
-" should be a string, DER encoded value of the extension. The name\n"
-" of the extension must be correct according to OpenSSL and can be\n"
-" checked in the <constant>objects.h</constant> header file, part of\n"
-" the OpenSSL source distribution. In the majority of cases they\n"
-" are the same as those defined in <constant>POW._oids</constant>\n"
-" but if you do encounter problems is may be worth checking.\n"
-" </para>\n"
-" <example>\n"
-" <title><function>addExtension</function> method usage</title>\n"
-" <programlisting>\n"
-" basic = POW.pkix.BasicConstraints()\n"
-" basic.set([1,5])\n"
-" serverCert.addExtension('basicConstraints', 0, basic.toString())\n"
-" </programlisting>\n"
-" </example>\n"
-" </body>\n"
-"</method>\n"
-;
+static char x509_object_pem_read__doc__[] =
+ "Read a PEM-encoded X.509 object from a string.\n"
+ ;
static PyObject *
-X509_object_add_extension(x509_object *self, PyObject *args)
+x509_object_pem_read(PyTypeObject *type, PyObject *args)
{
- int critical = 0, nid = 0, len = 0;
- char *name = NULL;
- unsigned char *buf = NULL;
- ASN1_OCTET_STRING *octetString = NULL;
- X509_EXTENSION *extn = NULL;
+ ENTERING(x509_object_pem_read);
+ return read_from_string_helper(x509_object_pem_read_helper, type, args);
+}
- if (!PyArg_ParseTuple(args, "sis#", &name, &critical, &buf, &len))
- goto error;
+static char x509_object_pem_read_file__doc__[] =
+ "Read a PEM-encoded X.509 object from a file.\n"
+ ;
- if ((octetString = M_ASN1_OCTET_STRING_new()) == NULL)
- lose("could not allocate memory");
+static PyObject *
+x509_object_pem_read_file(PyTypeObject *type, PyObject *args)
+{
+ ENTERING(x509_object_pem_read_file);
+ return read_from_file_helper(x509_object_pem_read_helper, type, args);
+}
- if (!ASN1_OCTET_STRING_set(octetString, buf, len))
- lose("could not set ASN1 Octect string");
+static char x509_object_der_read__doc__[] =
+ "Read a DER-encoded X.509 object from a string.\n"
+ ;
- if ((nid = OBJ_txt2nid(name)) == NID_undef)
- lose("extension has unknown object identifier");
+static PyObject *
+x509_object_der_read(PyTypeObject *type, PyObject *args)
+{
+ ENTERING(x509_object_der_read);
+ return read_from_string_helper(x509_object_der_read_helper, type, args);
+}
- if ((extn = X509_EXTENSION_create_by_NID(NULL, nid, critical, octetString)) == NULL)
- lose("unable to create ASN1 X509 Extension object");
+static char x509_object_der_read_file__doc__[] =
+ "Read a DER-encoded X.509 object from a file.\n"
+ ;
- if (!self->x509->cert_info->extensions &&
- (self->x509->cert_info->extensions = sk_X509_EXTENSION_new_null()) == NULL)
- lose("unable to allocate memory");
+static PyObject *
+x509_object_der_read_file(PyTypeObject *type, PyObject *args)
+{
+ ENTERING(x509_object_der_read_file);
+ return read_from_file_helper(x509_object_der_read_helper, type, args);
+}
- if (!sk_X509_EXTENSION_push(self->x509->cert_info->extensions, extn))
- lose("unable to add extension");
+static char x509_object_pem_write__doc__[] =
+ "Return the PEM encoding of this certificate, as a string.\n"
+ ;
- Py_RETURN_NONE;
+static PyObject *
+x509_object_pem_write(x509_object *self)
+{
+ PyObject *result = NULL;
+ BIO *bio = NULL;
- error:
+ ENTERING(x509_object_pem_write);
- if (extn)
- X509_EXTENSION_free(extn);
+ if ((bio = BIO_new(BIO_s_mem())) == NULL)
+ lose_no_memory();
- return NULL;
+ if (!PEM_write_bio_X509(bio, self->x509))
+ lose_openssl_error("Unable to write certificate");
+
+ result = BIO_to_PyString_helper(bio);
+
+ error: /* Fall through */
+ BIO_free(bio);
+ return result;
}
-static char X509_object_clear_extensions__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509</memberof>\n"
-" <name>clearExtensions</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method clears the structure which holds the extension for\n"
-" this certificate.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char x509_object_der_write__doc__[] =
+ "Return the DER encoding of this certificate, as a string.\n"
+ ;
static PyObject *
-X509_object_clear_extensions(x509_object *self, PyObject *args)
+x509_object_der_write(x509_object *self)
{
- if (!PyArg_ParseTuple(args, ""))
- goto error;
+ PyObject *result = NULL;
+ BIO *bio = NULL;
- if (self->x509->cert_info->extensions) {
- sk_X509_EXTENSION_free(self->x509->cert_info->extensions);
- self->x509->cert_info->extensions = NULL;
- }
+ ENTERING(x509_object_der_write);
- Py_RETURN_NONE;
+ if ((bio = BIO_new(BIO_s_mem())) == NULL)
+ lose_no_memory();
- error:
+ if (!i2d_X509_bio(bio, self->x509))
+ lose_openssl_error("Unable to write certificate");
- return NULL;
+ result = BIO_to_PyString_helper(bio);
+
+ error: /* Fall through */
+ BIO_free(bio);
+ return result;
}
-static char X509_object_count_extensions__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509</memberof>\n"
-" <name>countExtensions</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method returns the size of the structure which holds the\n"
-" extension for this certificate.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char x509_object_get_public_key__doc__[] =
+ "Return the public key from this certificate object,\n"
+ "as an Asymmetric object.\n"
+ ;
static PyObject *
-X509_object_count_extensions(x509_object *self, PyObject *args)
+x509_object_get_public_key(x509_object *self)
{
- int num = 0;
+ PyTypeObject *type = &POW_Asymmetric_Type;
+ asymmetric_object *asym = NULL;
+
+ ENTERING(x509_object_get_public_key);
- if (!PyArg_ParseTuple(args, ""))
+ if ((asym = (asymmetric_object *) type->tp_alloc(type, 0)) == NULL)
goto error;
- if (self->x509->cert_info->extensions)
- num = sk_X509_EXTENSION_num(self->x509->cert_info->extensions);
+ if ((asym->pkey = X509_get_pubkey(self->x509)) == NULL)
+ lose_openssl_error("Couldn't extract public key from certificate");
- return Py_BuildValue("i", num);
+ return (PyObject *) asym;
error:
-
+ Py_XDECREF(asym);
return NULL;
}
-static char X509_object_get_extension__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509</memberof>\n"
-" <name>getExtension</name>\n"
-" <parameter>index</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method returns a tuple equivalent the parameters of\n"
-" <function>addExtension</function>.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char x509_object_set_public_key__doc__[] =
+ "Set the public key of this certificate object.\n"
+ "\n"
+ "The \"key\" parameter should be an instance of the Asymmetric class,\n"
+ "containing a public key.\n"
+ ;
static PyObject *
-X509_object_get_extension(x509_object *self, PyObject *args)
+x509_object_set_public_key(x509_object *self, PyObject *args)
{
- int num = 0, index = 0, ext_nid = 0;
- char const *ext_ln = NULL;
- char unknown_ext [] = "unknown";
- X509_EXTENSION *ext;
+ asymmetric_object *asym;
+
+ ENTERING(x509_object_set_public_key);
- if (!PyArg_ParseTuple(args, "i", &index))
+ if (!PyArg_ParseTuple(args, "O!", &POW_Asymmetric_Type, &asym))
goto error;
- if (self->x509->cert_info->extensions)
- num = sk_X509_EXTENSION_num(self->x509->cert_info->extensions);
+ if (!X509_set_pubkey(self->x509, asym->pkey))
+ lose_openssl_error("Couldn't set certificate's public key");
- if (index >= num)
- lose("certificate does not have that many extensions");
+ Py_RETURN_NONE;
- if ((ext = sk_X509_EXTENSION_value(self->x509->cert_info->extensions, index)) == NULL)
- lose("could not get extension");
+ error:
+ return NULL;
+}
- if ((ext_nid = OBJ_obj2nid(ext->object)) == NID_undef)
- lose("extension has unknown object identifier");
+static char x509_object_sign__doc__[] =
+ "Sign a certificate with a private key.\n"
+ "\n"
+ "The \"key\" parameter should be an instance of the Asymmetric class,\n"
+ "containing a private key.\n"
+ "\n"
+ "The optional \"digest\" parameter indicates which digest to compute and\n"
+ "sign, and should be one of the following:\n"
+ "\n"
+ "* MD5_DIGEST\n"
+ "* SHA_DIGEST\n"
+ "* SHA1_DIGEST\n"
+ "* SHA256_DIGEST\n"
+ "* SHA384_DIGEST\n"
+ "* SHA512_DIGEST\n"
+ "\n"
+ "The default digest algorithm is SHA-256.\n"
+ ;
+
+static PyObject *
+x509_object_sign(x509_object *self, PyObject *args)
+{
+ asymmetric_object *asym;
+ int digest_type = SHA256_DIGEST;
+ const EVP_MD *digest_method = NULL;
- if ((ext_ln = OBJ_nid2sn(ext_nid)) == NULL)
- ext_ln = unknown_ext;
+ ENTERING(x509_object_sign);
- return Py_BuildValue("sis#", ext_ln, ext->critical, ext->value->data, ext->value->length);
+ if (!PyArg_ParseTuple(args, "O!|i", &POW_Asymmetric_Type, &asym, &digest_type))
+ goto error;
- error:
+ if ((digest_method = evp_digest_factory(digest_type)) == NULL)
+ lose("Unsupported digest algorithm");
+
+ if (!X509_sign(self->x509, asym->pkey, digest_method))
+ lose_openssl_error("Couldn't sign certificate");
+
+ Py_RETURN_NONE;
+ error:
return NULL;
}
-static char x509_object_pprint__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509</memberof>\n"
-" <name>pprint</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method returns a formatted string showing the information\n"
-" held in the certificate.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char x509_object_get_version__doc__[] =
+ "Return version number of this certificate.\n"
+ ;
static PyObject *
-x509_object_pprint(x509_object *self, PyObject *args)
+x509_object_get_version(x509_object *self)
{
- int len = 0, ret = 0;
- char *buf = NULL;
- BIO *out_bio = NULL;
- PyObject *cert = NULL;
-
- if (!PyArg_ParseTuple(args, ""))
- goto error;
-
- out_bio = BIO_new(BIO_s_mem());
+ ENTERING(x509_object_get_version);
+ return Py_BuildValue("l", X509_get_version(self->x509));
+}
- if (!X509_print(out_bio, self->x509))
- lose("unable to write crl");
+static char x509_object_set_version__doc__[] =
+ "Set version number of this certificate.\n"
+ "\n"
+ "The \"version\" parameter should be an integer.\n"
+ ;
- if ((len = BIO_ctrl_pending(out_bio)) == 0)
- lose("unable to get bytes stored in bio");
+static PyObject *
+x509_object_set_version(x509_object *self, PyObject *args)
+{
+ long version = 0;
- if ((buf = malloc(len)) == NULL)
- lose("unable to allocate memory");
+ ENTERING(x509_object_set_version);
- if ((ret = BIO_read(out_bio, buf, len)) != len)
- lose("unable to write out cert");
+ if (!PyArg_ParseTuple(args, "l", &version))
+ goto error;
- cert = Py_BuildValue("s#", buf, len);
+ if (!X509_set_version(self->x509, version))
+ lose("Couldn't set certificate version");
- BIO_free(out_bio);
- free(buf);
- return cert;
+ Py_RETURN_NONE;
error:
- if (out_bio)
- BIO_free(out_bio);
-
- if (buf)
- free(buf);
-
return NULL;
-
}
-static struct PyMethodDef X509_object_methods[] = {
- {"pemWrite", (PyCFunction)X509_object_pem_write, METH_VARARGS, NULL},
- {"derWrite", (PyCFunction)X509_object_der_write, METH_VARARGS, NULL},
- {"sign", (PyCFunction)X509_object_sign, METH_VARARGS, NULL},
- {"setPublicKey", (PyCFunction)X509_object_set_public_key, METH_VARARGS, NULL},
- {"getVersion", (PyCFunction)X509_object_get_version, METH_VARARGS, NULL},
- {"setVersion", (PyCFunction)X509_object_set_version, METH_VARARGS, NULL},
- {"getSerial", (PyCFunction)X509_object_get_serial, METH_VARARGS, NULL},
- {"setSerial", (PyCFunction)X509_object_set_serial, METH_VARARGS, NULL},
- {"getIssuer", (PyCFunction)X509_object_get_issuer, METH_VARARGS, NULL},
- {"setIssuer", (PyCFunction)X509_object_set_issuer, METH_VARARGS, NULL},
- {"getSubject", (PyCFunction)X509_object_get_subject, METH_VARARGS, NULL},
- {"setSubject", (PyCFunction)X509_object_set_subject, METH_VARARGS, NULL},
- {"getNotBefore", (PyCFunction)X509_object_get_not_before, METH_VARARGS, NULL},
- {"getNotAfter", (PyCFunction)X509_object_get_not_after, METH_VARARGS, NULL},
- {"setNotAfter", (PyCFunction)X509_object_set_not_after, METH_VARARGS, NULL},
- {"setNotBefore", (PyCFunction)X509_object_set_not_before, METH_VARARGS, NULL},
- {"addExtension", (PyCFunction)X509_object_add_extension, METH_VARARGS, NULL},
- {"clearExtensions", (PyCFunction)X509_object_clear_extensions, METH_VARARGS, NULL},
- {"countExtensions", (PyCFunction)X509_object_count_extensions, METH_VARARGS, NULL},
- {"getExtension", (PyCFunction)X509_object_get_extension, METH_VARARGS, NULL},
- {"pprint", (PyCFunction)x509_object_pprint, METH_VARARGS, NULL},
-
- {NULL} /* sentinel */
-};
+static char x509_object_get_serial__doc__[] =
+ "Return the serial number of this certificate.\n"
+ ;
static PyObject *
-X509_object_getattr(x509_object *self, char *name)
+x509_object_get_serial(x509_object *self)
{
- return Py_FindMethod(X509_object_methods, (PyObject *)self, name);
+ ENTERING(x509_object_get_serial);
+ return Py_BuildValue("N", ASN1_INTEGER_to_PyLong(X509_get_serialNumber(self->x509)));
}
-static void
-X509_object_dealloc(x509_object *self, char *name)
-{
- X509_free(self->x509);
- PyObject_Del(self);
-}
-
-static char x509type__doc__[] =
-"<class>\n"
-" <header>\n"
-" <name>X509</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This class provides access to a significant proportion of X509\n"
-" functionality of OpenSSL.\n"
-" </para>\n"
-"\n"
-" <example>\n"
-" <title><classname>x509</classname> class usage</title>\n"
-" <programlisting>\n"
-" privateFile = open('test/private.key', 'r')\n"
-" publicFile = open('test/public.key', 'r')\n"
-" certFile = open('test/cacert.pem', 'w')\n"
-"\n"
-" publicKey = POW.pemRead(POW.RSA_PUBLIC_KEY, publicFile.read())\n"
-" privateKey = POW.pemRead(POW.RSA_PRIVATE_KEY, privateFile.read(), 'pass')\n"
-"\n"
-" c = POW.X509()\n"
-"\n"
-" name = [ ['C', 'GB'], ['ST', 'Hertfordshire'],\n"
-" ['O','The House'], ['CN', 'Peter Shannon'] ]\n"
-"\n"
-" c.setIssuer(name)\n"
-" c.setSubject(name)\n"
-" c.setSerial(0)\n"
-" t1 = POW.pkix.time2utc(time.time())\n"
-" t2 = POW.pkix.time2utc(time.time() + 60*60*24*365)\n"
-" c.setNotBefore(t1)\n"
-" c.setNotAfter(t2)\n"
-" c.setPublicKey(publicKey)\n"
-" c.sign(privateKey)\n"
-"\n"
-" certFile.write(c.pemWrite())\n"
-"\n"
-" privateFile.close()\n"
-" publicFile.close()\n"
-" certFile.close()\n"
-" </programlisting>\n"
-" </example>\n"
-"\n"
-" </body>\n"
-"</class>\n"
-;
-
-static PyTypeObject x509type = {
- PyObject_HEAD_INIT(0)
- 0, /*ob_size*/
- "X509", /*tp_name*/
- sizeof(x509_object), /*tp_basicsize*/
- 0, /*tp_itemsize*/
- (destructor)X509_object_dealloc, /*tp_dealloc*/
- (printfunc)0, /*tp_print*/
- (getattrfunc)X509_object_getattr, /*tp_getattr*/
- (setattrfunc)0, /*tp_setattr*/
- (cmpfunc)0, /*tp_compare*/
- (reprfunc)0, /*tp_repr*/
- 0, /*tp_as_number*/
- 0, /*tp_as_sequence*/
- 0, /*tp_as_mapping*/
- (hashfunc)0, /*tp_hash*/
- (ternaryfunc)0, /*tp_call*/
- (reprfunc)0, /*tp_str*/
- 0,
- 0,
- 0,
- 0,
- x509type__doc__ /* Documentation string */
-};
-/*========== X509 Code ==========*/
+static char x509_object_set_serial__doc__[] =
+ "Set the serial number of this certificate.\n"
+ "\n"
+ "The \"serial\" parameter should ba an integer.\n"
+ ;
-/*========== x509 store Code ==========*/
-static x509_store_object *
-x509_store_object_new(void)
+static PyObject *
+x509_object_set_serial(x509_object *self, PyObject *args)
{
- x509_store_object *self = NULL;
+ ASN1_INTEGER *a_serial = NULL;
+ PyObject *p_serial = NULL;
+ int ok = 0;
- if ((self = PyObject_New(x509_store_object, &x509_storetype)) == NULL)
+ ENTERING(x509_object_set_serial);
+
+ if (!PyArg_ParseTuple(args, "O", &p_serial) ||
+ (a_serial = PyLong_to_ASN1_INTEGER(p_serial)) == NULL)
goto error;
- self->store = X509_STORE_new();
+ if (!X509_set_serialNumber(self->x509, a_serial))
+ lose_no_memory();
- return self;
+ ok = 1;
error:
+ ASN1_INTEGER_free(a_serial);
- Py_XDECREF(self);
- return NULL;
+ if (ok)
+ Py_RETURN_NONE;
+ else
+ return NULL;
}
-static char x509_store_object_verify__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Store</memberof>\n"
-" <name>verify</name>\n"
-" <parameter>certificate</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" The <classname>X509Store</classname> method\n"
-" <function>verify</function> is based on the\n"
-" <function>X509_verify_cert</function>. It handles certain aspects\n"
-" of verification but not others. The certificate will be verified\n"
-" against <constant>notBefore</constant>,\n"
-" <constant>notAfter</constant> and trusted certificates.\n"
-" It crucially will not handle checking the certificate against\n"
-" CRLs. This functionality will probably make it into OpenSSL\n"
-" 0.9.7.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
-
-static PyObject *
-x509_store_object_verify(x509_store_object *self, PyObject *args)
+static char x509_object_get_issuer__doc__[] =
+ "Return this certificate's issuer name, represented as a tuple.\n"
+ "\n"
+ "Each element of this tuple is another tuple representing one\n"
+ "\"Relative Distinguished Name\" (RDN), each element of which in turn\n"
+ "is yet another tuple representing one AttributeTypeAndValue pair.\n"
+ "\n"
+ "In practice, RDNs containing multiple attributes are rare, thus the RDN\n"
+ "tuples will usually be exactly one element long, but using the\n"
+ "tuple-of-tuples-of-tuples format lets us represent the general case.\n"
+ "\n"
+ "The AttributeTypeANdValue pairs are two-element tuples, the first\n"
+ "element of which is a string representing an Object Identifier (OID),\n"
+ "the second of which contains the attribute value.\n"
+ "\n"
+ "This method takes an optional \"format\" parameter which controls\n"
+ "the format in which OIDs are returned. Allowed values are:\n"
+ "\n"
+ " * SHORTNAME_FORMAT (the OpenSSL \"short name\" for this OID)\n"
+ " * LONGNAME_FORMAT (the OpenSSL \"long name\" for this OID)\n"
+ " * OIDNAME_FORMAT (the OID in dotted decimal numeric format)\n"
+ "\n"
+ "The default is OIDNAME_FORMAT.\n"
+ "\n"
+ "See RFC 5280 section 4.1.2.4 for details of the ASN.1 structure.\n"
+ ;
+
+static PyObject *
+x509_object_get_issuer(x509_object *self, PyObject *args)
{
- X509_STORE_CTX csc;
- x509_object *x509 = NULL;
- int ok;
+ PyObject *result = NULL;
+ int format = OIDNAME_FORMAT;
+
+ ENTERING(x509_object_get_issuer);
- if (!PyArg_ParseTuple(args, "O!", &x509type, &x509))
+ if (!PyArg_ParseTuple(args, "|i", &format))
goto error;
- X509_STORE_CTX_init(&csc, self->store, x509->x509, NULL);
- ok = X509_verify_cert(&csc) == 1;
- X509_STORE_CTX_cleanup(&csc);
+ result = x509_object_helper_get_name(X509_get_issuer_name(self->x509),
+ format);
- return PyBool_FromLong(ok);
+ error: /* Fall through */
+ return result;
+}
- error:
+static char x509_object_get_subject__doc__[] =
+ "Return this certificate's subject name, as a tuple.\n"
+ "\n"
+ "See the documentation for the \"getIssuer\" method for details on the\n"
+ "structure of the return value and use of the optional \"format\"\n"
+ "parameter.\n"
+ ;
- return NULL;
+static PyObject *
+x509_object_get_subject(x509_object *self, PyObject *args)
+{
+ PyObject *result = NULL;
+ int format = OIDNAME_FORMAT;
+
+ ENTERING(x509_object_get_subject);
+
+ if (!PyArg_ParseTuple(args, "|i", &format))
+ goto error;
+
+ result = x509_object_helper_get_name(X509_get_subject_name(self->x509),
+ format);
+
+ error: /* Fall through */
+ return result;
}
-static char x509_store_object_verify_chain__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Store</memberof>\n"
-" <name>verifyChain</name>\n"
-" <parameter>certificate</parameter>\n"
-" <parameter>chain</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" The <classname>X509Store</classname> method <function>verifyChain</function>\n"
-" is based on the <function>X509_verify_cert</function> but is initialised\n"
-" with a <classname>X509</classname> object to verify and list of\n"
-" <classname>X509</classname> objects which form a chain to a trusted\n"
-" certificate. Certain aspects of the verification are handled but not others.\n"
-" The certificates will be verified against <constant>notBefore</constant>,\n"
-" <constant>notAfter</constant> and trusted certificates. It crucially will\n"
-" not handle checking the certificate against CRLs. This functionality will\n"
-" probably make it into OpenSSL 0.9.7.\n"
-" </para>\n"
-" <para>\n"
-" This may all sound quite straight forward but determining the\n"
-" certificate associated with the signature on another certificate\n"
-" can be very time consuming. The management aspects of\n"
-" certificates are addressed by various V3 extensions which are not\n"
-" currently supported.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char x509_object_set_subject__doc__[] =
+ "Set this certificate's subject name.\n"
+ "\n"
+ "The \"name\" parameter should be in the same format as the return\n"
+ "value from the \"getIssuer\" method.\n"
+ ;
static PyObject *
-x509_store_object_verify_chain(x509_store_object *self, PyObject *args)
+x509_object_set_subject(x509_object *self, PyObject *args)
{
- PyObject *x509_sequence = NULL;
- X509_STORE_CTX csc;
- x509_object *x509 = NULL;
- STACK_OF(X509) *x509_stack = NULL;
- int ok;
+ PyObject *name_sequence = NULL;
+ X509_NAME *name = NULL;
- if (!PyArg_ParseTuple(args, "O!O", &x509type, &x509, &x509_sequence))
- goto error;
+ ENTERING(x509_object_set_subject);
- if ((x509_stack = x509_helper_sequence_to_stack(x509_sequence)) == NULL)
+ if (!PyArg_ParseTuple(args, "O", &name_sequence))
goto error;
- X509_STORE_CTX_init(&csc, self->store, x509->x509, x509_stack);
-
- ok = X509_verify_cert(&csc) == 1;
+ if (!PySequence_Check(name_sequence))
+ lose_type_error("Inapropriate type");
- X509_STORE_CTX_cleanup(&csc);
- sk_X509_free(x509_stack);
+ if ((name = x509_object_helper_set_name(name_sequence)) == NULL)
+ goto error;
- return PyBool_FromLong(ok);
+ if (!X509_set_subject_name(self->x509, name))
+ lose("Unable to set subject name");
- error:
+ X509_NAME_free(name);
- if (x509_stack)
- sk_X509_free(x509_stack);
+ Py_RETURN_NONE;
+ error:
+ X509_NAME_free(name);
return NULL;
}
-static char x509_store_object_verify_detailed__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Store</memberof>\n"
-" <name>verifyDetailed</name>\n"
-" <parameter>certificate</parameter>\n"
-" <optional>\n"
-" <parameter>chain</parameter>\n"
-" </optional>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" The <classname>X509Store</classname> method <function>verifyDetailed</function>\n"
-" is based on the <function>X509_verify_cert</function> but is initialised\n"
-" with a <classname>X509</classname> object to verify and list of\n"
-" <classname>X509</classname> objects which form a chain to a trusted\n"
-" certificate. Certain aspects of the verification are handled but not others.\n"
-" The certificates will be verified against <constant>notBefore</constant>,\n"
-" <constant>notAfter</constant> and trusted certificates. It crucially will\n"
-" not handle checking the certificate against CRLs. This functionality will\n"
-" probably make it into OpenSSL 0.9.7.\n"
-" </para>\n"
-" <para>\n"
-" This may all sound quite straight forward but determining the\n"
-" certificate associated with the signature on another certificate\n"
-" can be very time consuming. The management aspects of\n"
-" certificates are addressed by various V3 extensions which are not\n"
-" currently supported.\n"
-" </para>\n"
-" <para>\n"
-" Unlike the <function>verify</function> and <function>verifyChain</function>\n"
-" methods, <function>verifyDetailed</function> returns some information about\n"
-" what went wrong when verification fails. The return value is currently a 3-tuple:\n"
-" the first value is the return value from X509_verify_cert(), the second and third\n"
-" are the error and error_depth values from the X509_STORE_CTX.\n"
-" Other values may added to this tuple later.\n"
-" </body>\n"
-"</method>\n"
-;
+static char x509_object_set_issuer__doc__[] =
+ "Set this certificate's issuer name.\n"
+ "\n"
+ "The \"name\" parameter should be in the same format as the return\n"
+ "value from the \"getIssuer\" method.\n"
+ ;
static PyObject *
-x509_store_object_verify_detailed(x509_store_object *self, PyObject *args)
+x509_object_set_issuer(x509_object *self, PyObject *args)
{
- PyObject *x509_sequence = Py_None;
- X509_STORE_CTX csc;
- x509_object *x509 = NULL;
- STACK_OF(X509) *x509_stack = NULL;
- PyObject *result = NULL;
- int ok;
+ PyObject *name_sequence = NULL;
+ X509_NAME *name = NULL;
+
+ ENTERING(x509_object_set_issuer);
- if (!PyArg_ParseTuple(args, "O!|O", &x509type, &x509, &x509_sequence))
+ if (!PyArg_ParseTuple(args, "O", &name_sequence))
goto error;
- if (x509_sequence && !(x509_stack = x509_helper_sequence_to_stack(x509_sequence)))
+ if (!PySequence_Check(name_sequence))
+ lose_type_error("Inapropriate type");
+
+ if ((name = x509_object_helper_set_name(name_sequence)) == NULL)
goto error;
- X509_STORE_CTX_init(&csc, self->store, x509->x509, x509_stack);
+ if (!X509_set_issuer_name(self->x509, name))
+ lose("Unable to set issuer name");
- ok = X509_verify_cert(&csc) == 1;
+ X509_NAME_free(name);
+
+ Py_RETURN_NONE;
- result = Py_BuildValue("(iii)", ok, csc.error, csc.error_depth);
+ error:
+ X509_NAME_free(name);
+ return NULL;
+}
- X509_STORE_CTX_cleanup(&csc);
+static char x509_object_get_not_before__doc__[] =
+ "Return this certificate's \"notBefore\" value as a datetime.\n"
+ ;
- error: /* fall through */
+static PyObject *
+x509_object_get_not_before (x509_object *self)
+{
+ ENTERING(x509_object_get_not_before);
+ return ASN1_TIME_to_Python(X509_get_notBefore(self->x509));
+}
- if (x509_stack)
- sk_X509_free(x509_stack);
+static char x509_object_get_not_after__doc__[] =
+ "Return this certificate's \"notAfter\" value as a datetime.\n"
+ ;
- return result;
+static PyObject *
+x509_object_get_not_after (x509_object *self)
+{
+ ENTERING(x509_object_get_not_after);
+ return ASN1_TIME_to_Python(X509_get_notAfter(self->x509));
}
-static char x509_store_object_add_trust__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Store</memberof>\n"
-" <name>addTrust</name>\n"
-" <parameter>cert</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method adds a new certificate to the store to be used in the\n"
-" verification process. <parameter>cert</parameter> should be an\n"
-" instance of <classname>X509</classname>. Using trusted certificates to manage\n"
-" verification is relatively primitive, more sophisticated systems\n"
-" can be constructed at an application level by by constructing\n"
-" certificate chains to verify.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char x509_object_set_not_after__doc__[] =
+ "Set this certificate's \"notAfter\" value.\n"
+ "\n"
+ "The \"time\" parameter should be a datetime object.\n"
+ ;
static PyObject *
-x509_store_object_add_trust(x509_store_object *self, PyObject *args)
+x509_object_set_not_after (x509_object *self, PyObject *args)
{
- x509_object *x509 = NULL;
+ PyObject *o = NULL;
+ ASN1_TIME *t = NULL;
+
+ ENTERING(x509_object_set_not_after);
- if (!PyArg_ParseTuple(args, "O!", &x509type, &x509))
+ if (!PyArg_ParseTuple(args, "O", &o))
goto error;
- X509_STORE_add_cert(self->store, x509->x509);
+ if ((t = Python_to_ASN1_TIME(o, 1)) == NULL)
+ lose("Couldn't convert notAfter string");
+
+ if (!X509_set_notAfter(self->x509, t))
+ lose("Couldn't set notAfter");
+ ASN1_TIME_free(t);
Py_RETURN_NONE;
error:
-
+ ASN1_TIME_free(t);
return NULL;
}
-static char x509_store_object_add_crl__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Store</memberof>\n"
-" <name>addCrl</name>\n"
-" <parameter>crl</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method adds a CRL to a store to be used for verification.\n"
-" <parameter>crl</parameter> should be an instance of\n"
-" <classname>X509Crl</classname>.\n"
-" Unfortunately, the current stable release of OpenSSL does not\n"
-" support CRL checking for certificate verification.\n"
-" This functionality will probably make it into OpenSSL 0.9.7, until\n"
-" it does this function is useless and CRL verification must be\n"
-" implemented by the application.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char x509_object_set_not_before__doc__[] =
+ "Set this certificate's \"notBefore\" value.\n"
+ "\n"
+ "The \"time\" parameter should be a datetime object.\n"
+ ;
static PyObject *
-x509_store_object_add_crl(x509_store_object *self, PyObject *args)
+x509_object_set_not_before (x509_object *self, PyObject *args)
{
- x509_crl_object *crl = NULL;
+ PyObject *o = NULL;
+ ASN1_TIME *t = NULL;
+
+ ENTERING(x509_object_set_not_before);
- if (!PyArg_ParseTuple(args, "O!", &x509_crltype, &crl))
+ if (!PyArg_ParseTuple(args, "O", &o))
goto error;
- X509_STORE_add_crl(self->store, crl->crl);
+ if ((t = Python_to_ASN1_TIME(o, 1)) == NULL)
+ lose("Couldn't convert notBefore string");
+
+ if (!X509_set_notBefore(self->x509, t))
+ lose("Couldn't set notBefore");
+ ASN1_TIME_free(t);
Py_RETURN_NONE;
error:
-
+ ASN1_TIME_free(t);
return NULL;
}
-static struct PyMethodDef x509_store_object_methods[] = {
- {"verify", (PyCFunction)x509_store_object_verify, METH_VARARGS, NULL},
- {"verifyChain", (PyCFunction)x509_store_object_verify_chain, METH_VARARGS, NULL},
- {"verifyDetailed", (PyCFunction)x509_store_object_verify_detailed, METH_VARARGS, NULL},
- {"addTrust", (PyCFunction)x509_store_object_add_trust, METH_VARARGS, NULL},
- {"addCrl", (PyCFunction)x509_store_object_add_crl, METH_VARARGS, NULL},
-
- {NULL} /* sentinel */
-};
+static char x509_object_clear_extensions__doc__[] =
+ "Clear all extensions attached to this certificate.\n"
+ ;
static PyObject *
-x509_store_object_getattr(x509_store_object *self, char *name)
+x509_object_clear_extensions(x509_object *self)
{
- return Py_FindMethod(x509_store_object_methods, (PyObject *)self, name);
+ X509_EXTENSION *ext;
+
+ ENTERING(x509_object_clear_extensions);
+
+ while ((ext = X509_delete_ext(self->x509, 0)) != NULL)
+ X509_EXTENSION_free(ext);
+
+ Py_RETURN_NONE;
}
-static void
-x509_store_object_dealloc(x509_store_object *self, char *name)
+static char x509_object_get_ski__doc__[] =
+ "Return the Subject Key Identifier (SKI) value for this\n"
+ "certificate, or None if the certificate has no SKI extension.\n"
+ ;
+
+static PyObject *
+x509_object_get_ski(x509_object *self)
{
- X509_STORE_free(self->store);
- PyObject_Del(self);
-}
-
-static char x509_storetype__doc__[] =
-"<class>\n"
-" <header>\n"
-" <name>X509Store</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This class provides preliminary access to OpenSSL X509 verification\n"
-" facilities.\n"
-" </para>\n"
-"\n"
-" <example>\n"
-" <title><classname>x509_store</classname> class usage</title>\n"
-" <programlisting>\n"
-" store = POW.X509Store()\n"
-"\n"
-" caFile = open('test/cacert.pem', 'r')\n"
-" ca = POW.pemRead(POW.X509_CERTIFICATE, caFile.read())\n"
-" caFile.close()\n"
-"\n"
-" store.addTrust(ca)\n"
-"\n"
-" certFile = open('test/foocom.cert', 'r')\n"
-" x509 = POW.pemRead(POW.X509_CERTIFICATE, certFile.read())\n"
-" certFile.close()\n"
-"\n"
-" print x509.pprint()\n"
-"\n"
-" if store.verify(x509):\n"
-" print 'Verified certificate!.'\n"
-" else:\n"
-" print 'Failed to verify certificate!.'\n"
-" </programlisting>\n"
-" </example>\n"
-" </body>\n"
-"</class>\n"
-;
+ ENTERING(x509_object_get_ski);
-static PyTypeObject x509_storetype = {
- PyObject_HEAD_INIT(0)
- 0, /*ob_size*/
- "X509Store", /*tp_name*/
- sizeof(x509_store_object), /*tp_basicsize*/
- 0, /*tp_itemsize*/
- (destructor)x509_store_object_dealloc, /*tp_dealloc*/
- (printfunc)0, /*tp_print*/
- (getattrfunc)x509_store_object_getattr, /*tp_getattr*/
- (setattrfunc)0, /*tp_setattr*/
- (cmpfunc)0, /*tp_compare*/
- (reprfunc)0, /*tp_repr*/
- 0, /*tp_as_number*/
- 0, /*tp_as_sequence*/
- 0, /*tp_as_mapping*/
- (hashfunc)0, /*tp_hash*/
- (ternaryfunc)0, /*tp_call*/
- (reprfunc)0, /*tp_str*/
- 0,
- 0,
- 0,
- 0,
- x509_storetype__doc__ /* Documentation string */
-};
-/*========== x509 store Code ==========*/
+ (void) X509_check_ca(self->x509); /* Calls x509v3_cache_extensions() */
+
+ if (self->x509->skid == NULL)
+ Py_RETURN_NONE;
+ else
+ return Py_BuildValue("s#",
+ ASN1_STRING_data(self->x509->skid),
+ ASN1_STRING_length(self->x509->skid));
+}
+
+static char x509_object_set_ski__doc__[] =
+ "Set the Subject Key Identifier (SKI) value for this certificate.\n"
+ ;
-/*========== x509 crl Code ==========*/
-static x509_crl_object *
-x509_crl_object_new(void)
+static PyObject *
+x509_object_set_ski(x509_object *self, PyObject *args)
{
- x509_crl_object *self = NULL;
+ ASN1_OCTET_STRING *ext = NULL;
+ const unsigned char *buf = NULL;
+ int len, ok = 0;
+
+ ENTERING(x509_object_set_ski);
- self = PyObject_New(x509_crl_object, &x509_crltype);
- if (self == NULL)
+ if (!PyArg_ParseTuple(args, "s#", &buf, &len))
goto error;
- self->crl = X509_CRL_new();
+ if ((ext = ASN1_OCTET_STRING_new()) == NULL ||
+ !ASN1_OCTET_STRING_set(ext, buf, len))
+ lose_no_memory();
- return self;
+ /*
+ * RFC 5280 4.2.1.2 says this MUST be non-critical.
+ */
- error:
+ if (!X509_add1_ext_i2d(self->x509, NID_subject_key_identifier,
+ ext, 0, X509V3_ADD_REPLACE))
+ lose_openssl_error("Couldn't add SKI extension to certificate");
- Py_XDECREF(self);
- return NULL;
-}
+ ok = 1;
-static x509_crl_object *
-x509_crl_object_pem_read(BIO *in)
-{
- x509_crl_object *self;
+ error:
+ ASN1_OCTET_STRING_free(ext);
- if ((self = PyObject_New(x509_crl_object, &x509_crltype)) == NULL)
- goto error;
+ if (ok)
+ Py_RETURN_NONE;
+ else
+ return NULL;
+}
- if ((self->crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL)) == NULL)
- lose("could not load certificate");
+static char x509_object_get_aki__doc__[] =
+ "Return the Authority Key Identifier (AKI) keyid value for this\n"
+ "certificate, or None if the certificate has no AKI extension or has an\n"
+ "AKI extension with no keyIdentifier value.\n"
+ ;
- return self;
+static PyObject *
+x509_object_get_aki(x509_object *self)
+{
+ ENTERING(x509_object_get_aki);
- error:
+ (void) X509_check_ca(self->x509); /* Calls x509v3_cache_extensions() */
- Py_XDECREF(self);
- return NULL;
+ if (self->x509->akid == NULL || self->x509->akid->keyid == NULL)
+ Py_RETURN_NONE;
+ else
+ return Py_BuildValue("s#",
+ ASN1_STRING_data(self->x509->akid->keyid),
+ ASN1_STRING_length(self->x509->akid->keyid));
}
-static x509_crl_object *
-x509_crl_object_der_read(unsigned char *src, int len)
+static char x509_object_set_aki__doc__[] =
+ "Set the Authority Key Identifier (AKI) value for this certificate.\n"
+ "\n"
+ "We only support the keyIdentifier method, as that's the only form\n"
+ "which is legal for RPKI certificates.\n"
+ ;
+
+static PyObject *
+x509_object_set_aki(x509_object *self, PyObject *args)
{
- x509_crl_object *self;
- unsigned char* ptr = src;
+ AUTHORITY_KEYID *ext = NULL;
+ const unsigned char *buf = NULL;
+ int len, ok = 0;
- if ((self = PyObject_New(x509_crl_object, &x509_crltype)) == NULL)
+ ENTERING(x509_object_set_aki);
+
+ if (!PyArg_ParseTuple(args, "s#", &buf, &len))
goto error;
- self->crl = X509_CRL_new();
+ if ((ext = AUTHORITY_KEYID_new()) == NULL ||
+ (ext->keyid == NULL && (ext->keyid = ASN1_OCTET_STRING_new()) == NULL) ||
+ !ASN1_OCTET_STRING_set(ext->keyid, buf, len))
+ lose_no_memory();
- if (!d2i_X509_CRL(&self->crl, (const unsigned char **) &ptr, len))
- lose("could not load PEM encoded CRL");
+ /*
+ * RFC 5280 4.2.1.1 says this MUST be non-critical.
+ */
- return self;
+ if (!X509_add1_ext_i2d(self->x509, NID_authority_key_identifier,
+ ext, 0, X509V3_ADD_REPLACE))
+ lose_openssl_error("Couldn't add AKI extension to certificate");
+
+ ok = 1;
error:
+ AUTHORITY_KEYID_free(ext);
- Py_XDECREF(self);
- return NULL;
+ if (ok)
+ Py_RETURN_NONE;
+ else
+ return NULL;
}
-static char x509_crl_object_get_version__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Crl</memberof>\n"
-" <name>getVersion</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method returns the version number from the version field of\n"
-" this CRL.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char x509_object_get_key_usage__doc__[] =
+ "Return a FrozenSet of strings representing the KeyUsage\n"
+ "settings for this certificate, or None if the certificate has no\n"
+ "KeyUsage extension. The bits have the same names as in RFC 5280.\n"
+ ;
static PyObject *
-x509_crl_object_get_version(x509_crl_object *self, PyObject *args)
+x509_object_get_key_usage(x509_object *self)
{
- long version = 0;
+ extern X509V3_EXT_METHOD v3_key_usage;
+ BIT_STRING_BITNAME *bit_name;
+ ASN1_BIT_STRING *ext = NULL;
+ PyObject *result = NULL;
+ PyObject *token = NULL;
+
+ ENTERING(x509_object_get_key_usage);
- if (!PyArg_ParseTuple(args, ""))
+ if ((ext = X509_get_ext_d2i(self->x509, NID_key_usage, NULL, NULL)) == NULL)
+ Py_RETURN_NONE;
+
+ if ((result = PyFrozenSet_New(NULL)) == NULL)
goto error;
- if ((version = ASN1_INTEGER_get(self->crl->crl->version)) == -1)
- lose("could not get crl version");
+ for (bit_name = v3_key_usage.usr_data; bit_name->sname != NULL; bit_name++) {
+ if (ASN1_BIT_STRING_get_bit(ext, bit_name->bitnum) &&
+ ((token = PyString_FromString(bit_name->sname)) == NULL ||
+ PySet_Add(result, token) < 0))
+ goto error;
+ Py_XDECREF(token);
+ token = NULL;
+ }
- return Py_BuildValue("l", version);
+ ASN1_BIT_STRING_free(ext);
+ return result;
error:
-
+ ASN1_BIT_STRING_free(ext);
+ Py_XDECREF(token);
+ Py_XDECREF(result);
return NULL;
}
-static char x509_crl_object_set_version__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Crl</memberof>\n"
-" <name>setVersion</name>\n"
-" <parameter>version</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method sets the version number in the version field of\n"
-" this CRL. <parameter>version</parameter> should be an\n"
-" integer.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char x509_object_set_key_usage__doc__[] =
+ "Set the KeyUsage extension for this certificate.\n"
+ "\n"
+ "Argument \"iterable\" should be an iterable object which returns zero or more\n"
+ "strings naming bits to be enabled. The bits have the same names as in RFC 5280.\n"
+ "\n"
+ "Optional argument \"critical\" is a boolean indicating whether the extension\n"
+ "should be marked as critical or not. RFC 5280 4.2.1.3 says this extension SHOULD\n"
+ "be marked as critical when used, so the default is True.\n"
+ ;
static PyObject *
-x509_crl_object_set_version(x509_crl_object *self, PyObject *args)
+x509_object_set_key_usage(x509_object *self, PyObject *args)
{
- long version = 0;
- ASN1_INTEGER *asn1_version = NULL;
+ extern X509V3_EXT_METHOD v3_key_usage;
+ BIT_STRING_BITNAME *bit_name;
+ ASN1_BIT_STRING *ext = NULL;
+ PyObject *iterable = NULL;
+ PyObject *critical = Py_True;
+ PyObject *iterator = NULL;
+ PyObject *token = NULL;
+ const char *t;
+ int ok = 0;
- if (!PyArg_ParseTuple(args, "i", &version))
+ ENTERING(x509_object_set_key_usage);
+
+ if ((ext = ASN1_BIT_STRING_new()) == NULL)
+ lose_no_memory();
+
+ if (!PyArg_ParseTuple(args, "O|O", &iterable, &critical) ||
+ (iterator = PyObject_GetIter(iterable)) == NULL)
goto error;
- if ((asn1_version = ASN1_INTEGER_new()) == NULL)
- lose("could not allocate memory");
+ while ((token = PyIter_Next(iterator)) != NULL) {
- if (!ASN1_INTEGER_set(asn1_version, version))
- lose("could not get set version");
+ if ((t = PyString_AsString(token)) == NULL)
+ goto error;
- self->crl->crl->version = asn1_version;
+ for (bit_name = v3_key_usage.usr_data; bit_name->sname != NULL; bit_name++)
+ if (!strcmp(t, bit_name->sname))
+ break;
- Py_RETURN_NONE;
+ if (bit_name->sname == NULL)
+ lose("Unrecognized KeyUsage token");
- error:
+ if (!ASN1_BIT_STRING_set_bit(ext, bit_name->bitnum, 1))
+ lose_no_memory();
- if (asn1_version)
- ASN1_INTEGER_free(asn1_version);
+ Py_XDECREF(token);
+ token = NULL;
+ }
- return NULL;
+ if (!X509_add1_ext_i2d(self->x509, NID_key_usage, ext,
+ PyObject_IsTrue(critical),
+ X509V3_ADD_REPLACE))
+ lose_openssl_error("Couldn't add KeyUsage extension to certificate");
+
+ ok = 1;
+
+ error: /* Fall through */
+ ASN1_BIT_STRING_free(ext);
+ Py_XDECREF(iterator);
+ Py_XDECREF(token);
+
+ if (ok)
+ Py_RETURN_NONE;
+ else
+ return NULL;
}
-static char x509_crl_object_get_issuer__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Crl</memberof>\n"
-" <name>getIssuer</name>\n"
-" <parameter>format = SHORTNAME_FORMAT</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method returns a tuple containing the issuers name. See the\n"
-" <function>getIssuer</function> method of\n"
-" <classname>X509</classname> for more details.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char x509_object_get_rfc3779__doc__[] =
+ "Return this certificate's RFC 3779 resources.\n"
+ "\n"
+ "Return value is a three-element tuple: the first element is the ASN\n"
+ "resources, the second is the IPv4 resources, the third is the IPv6\n"
+ "resources. Each of these elements in turn is either the string\n"
+ "\"inherit\" or a tuple representing a set of ranges of ASNs or IP\n"
+ "addresses.\n"
+ "\n"
+ "Each range is a two-element tuple, respectively representing the low\n"
+ "and high ends of the range, inclusive. ASN ranges are represented by\n"
+ "pairs of integers, IP address ranges are represented by pairs of\n"
+ "IPAddress objects.\n"
+ ;
static PyObject *
-x509_crl_object_get_issuer(x509_crl_object *self, PyObject *args)
+x509_object_get_rfc3779(x509_object *self)
{
- PyObject *result_list = NULL;
- int format = SHORTNAME_FORMAT;
+ PyObject *result = NULL;
+ PyObject *asn_result = NULL;
+ PyObject *ipv4_result = NULL;
+ PyObject *ipv6_result = NULL;
+ PyObject *range = NULL;
+ PyObject *range_b = NULL;
+ PyObject *range_e = NULL;
+ ASIdentifiers *asid = NULL;
+ IPAddrBlocks *addr = NULL;
+ int i, j;
+
+ ENTERING(x509_object_get_rfc3779);
+
+ if ((asid = X509_get_ext_d2i(self->x509, NID_sbgp_autonomousSysNum, NULL, NULL)) != NULL &&
+ asid->asnum != NULL) {
+ switch (asid->asnum->type) {
+
+ case ASIdentifierChoice_inherit:
+ if ((asn_result = PyString_FromString("inherit")) == NULL)
+ goto error;
+ break;
- if (!PyArg_ParseTuple(args, "|i", &format))
- goto error;
+ case ASIdentifierChoice_asIdsOrRanges:
- if ((result_list = X509_object_helper_get_name(self->crl->crl->issuer, format)) == NULL)
- lose("failed to produce name list");
+ if ((asn_result = PyTuple_New(sk_ASIdOrRange_num(asid->asnum->u.asIdsOrRanges))) == NULL)
+ goto error;
- return result_list;
+ for (i = 0; i < sk_ASIdOrRange_num(asid->asnum->u.asIdsOrRanges); i++) {
+ ASIdOrRange *aor = sk_ASIdOrRange_value(asid->asnum->u.asIdsOrRanges, i);
+ ASN1_INTEGER *b = NULL;
+ ASN1_INTEGER *e = NULL;
- error:
+ switch (aor->type) {
- return NULL;
-}
+ case ASIdOrRange_id:
+ b = e = aor->u.id;
+ break;
-static char x509_crl_object_set_issuer__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Crl</memberof>\n"
-" <name>setIssuer</name>\n"
-" <parameter>name</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method is used to set the issuers name.\n"
-" <parameter>name</parameter> can be comprised of lists or tuples in\n"
-" the format described in the <function>getIssuer</function> method\n"
-" of <classname>X509</classname>.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+ case ASIdOrRange_range:
+ b = aor->u.range->min;
+ e = aor->u.range->max;
+ break;
-static PyObject *
-x509_crl_object_set_issuer(x509_crl_object *self, PyObject *args)
-{
- PyObject *name_sequence = NULL;
- X509_NAME *name = NULL;
+ default:
+ lose_type_error("Unexpected asIdsOrRanges type");
+ }
- if (!PyArg_ParseTuple(args, "O", &name_sequence))
- goto error;
+ if (ASN1_STRING_type(b) == V_ASN1_NEG_INTEGER ||
+ ASN1_STRING_type(e) == V_ASN1_NEG_INTEGER)
+ lose_type_error("I don't believe in negative ASNs");
- if (!PyTuple_Check(name_sequence) && !PyList_Check(name_sequence))
- lose_type_error("Inapropriate type");
+ if ((range_b = ASN1_INTEGER_to_PyLong(b)) == NULL ||
+ (range_e = ASN1_INTEGER_to_PyLong(e)) == NULL ||
+ (range = Py_BuildValue("(NN)", range_b, range_e)) == NULL)
+ goto error;
- if ((name = X509_NAME_new()) == NULL)
- lose("could not allocate memory");
+ PyTuple_SET_ITEM(asn_result, i, range);
+ range = range_b = range_e = NULL;
+ }
- if (!X509_object_helper_set_name(name, name_sequence))
- lose("unable to set new name");
+ break;
- if (!X509_NAME_set(&self->crl->crl->issuer, name))
- lose("unable to set name");
+ default:
+ lose_type_error("Unexpected ASIdentifierChoice type");
+ }
+ }
- X509_NAME_free(name);
+ if ((addr = X509_get_ext_d2i(self->x509, NID_sbgp_ipAddrBlock, NULL, NULL)) != NULL) {
+ for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
+ IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
+ const struct ipaddress_version *ip_type = NULL;
+ const unsigned int afi = v3_addr_get_afi(f);
+ PyObject **result_obj = NULL;
+ int addr_len = 0;
+
+ switch (afi) {
+ case IANA_AFI_IPV4: result_obj = &ipv4_result; ip_type = &ipaddress_version_4; break;
+ case IANA_AFI_IPV6: result_obj = &ipv6_result; ip_type = &ipaddress_version_6; break;
+ default: lose_type_error("Unknown AFI");
+ }
- Py_RETURN_NONE;
+ if (*result_obj != NULL)
+ lose_type_error("Duplicate IPAddressFamily");
- error:
+ if (f->addressFamily->length > 2)
+ lose_type_error("Unsupported SAFI");
- if (name)
- X509_NAME_free(name);
+ switch (f->ipAddressChoice->type) {
- return NULL;
-}
+ case IPAddressChoice_inherit:
+ if ((*result_obj = PyString_FromString("inherit")) == NULL)
+ goto error;
+ continue;
-static char x509_crl_object_set_this_update__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Crl</memberof>\n"
-" <name>setThisUpdate</name>\n"
-" <parameter>time</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" In a change from previous releases, for reasons of portability\n"
-" and to avoid hard to fix issues with problems in unreliable time\n"
-" functions, this accepts one parameter, a UTCTime string. You\n"
-" can use the function <function>time2utc</function> to convert to a\n"
-" string if you like and <function>utc2time</function> to back.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+ case IPAddressChoice_addressesOrRanges:
+ break;
-static PyObject *
-x509_crl_object_set_this_update (x509_crl_object *self, PyObject *args)
-{
- char *new_time = NULL;
+ default:
+ lose_type_error("Unexpected IPAddressChoice type");
+ }
- if (!PyArg_ParseTuple(args, "s", &new_time))
- goto error;
+ if ((*result_obj = PyTuple_New(sk_IPAddressOrRange_num(f->ipAddressChoice->u.addressesOrRanges))) == NULL)
+ goto error;
- if (!python_ASN1_TIME_set_string(self->crl->crl->lastUpdate, new_time))
- lose("Could not set lastUpdate");
+ for (j = 0; j < sk_IPAddressOrRange_num(f->ipAddressChoice->u.addressesOrRanges); j++) {
+ IPAddressOrRange *aor = sk_IPAddressOrRange_value(f->ipAddressChoice->u.addressesOrRanges, j);
+ ipaddress_object *addr_b = NULL;
+ ipaddress_object *addr_e = NULL;
- Py_RETURN_NONE;
+ if ((range_b = POW_IPAddress_Type.tp_alloc(&POW_IPAddress_Type, 0)) == NULL ||
+ (range_e = POW_IPAddress_Type.tp_alloc(&POW_IPAddress_Type, 0)) == NULL)
+ goto error;
- error:
+ addr_b = (ipaddress_object *) range_b;
+ addr_e = (ipaddress_object *) range_e;
- return NULL;
-}
+ if ((addr_len = v3_addr_get_range(aor, afi, addr_b->address, addr_e->address,
+ sizeof(addr_b->address))) == 0)
+ lose_type_error("Couldn't unpack IP addresses from BIT STRINGs");
-static char x509_crl_object_get_this_update__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Crl</memberof>\n"
-" <name>getThisUpdate</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" In a change from previous releases, for reasons of portability\n"
-" and to avoid hard to fix issues with problems in unreliable time\n"
-" functions, this function returns a UTCTime string. You\n"
-" can use the function <function>time2utc</function> to convert to a\n"
-" string if you like and <function>utc2time</function> to back.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+ addr_b->type = addr_e->type = ip_type;
-static PyObject *
-x509_crl_object_get_this_update (x509_crl_object *self, PyObject *args)
-{
- if (!PyArg_ParseTuple(args, ""))
- goto error;
+ if ((range = Py_BuildValue("(NN)", range_b, range_e)) == NULL)
+ goto error;
- return ASN1_TIME_to_Python(self->crl->crl->lastUpdate);
+ PyTuple_SET_ITEM(*result_obj, j, range);
+ range = range_b = range_e = NULL;
+ }
+ }
+ }
- error:
+ result = Py_BuildValue("(OOO)",
+ (asn_result == NULL ? Py_None : asn_result),
+ (ipv4_result == NULL ? Py_None : ipv4_result),
+ (ipv6_result == NULL ? Py_None : ipv6_result));
+
+ error: /* Fall through */
+ ASIdentifiers_free(asid);
+ sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);
+ Py_XDECREF(range_b);
+ Py_XDECREF(range_e);
+ Py_XDECREF(range);
+ Py_XDECREF(asn_result);
+ Py_XDECREF(ipv4_result);
+ Py_XDECREF(ipv6_result);
- return NULL;
+ return result;
}
-static char x509_crl_object_set_next_update__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Crl</memberof>\n"
-" <name>setNextUpdate</name>\n"
-" <parameter>time</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" In a change from previous releases, for reasons of portability\n"
-" and to avoid hard to fix issues with problems in unreliable time\n"
-" functions, this accepts one parameter, a UTCTime string. You\n"
-" can use the function <function>time2utc</function> to convert to a\n"
-" string if you like and <function>utc2time</function> to back.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char x509_object_set_rfc3779__doc__[] =
+ "Set this certificate's RFC 3779 resources.\n"
+ "\n"
+ "This method takes three arguments: \"asn\", \"ipv4\", and \"ipv6\".\n"
+ "\n"
+ "Each of these arguments can be:\n"
+ "\n"
+ "* None, to omit this kind of resource;\n"
+ "\n"
+ "* The string \"inherit\", to specify RFC 3779 resource inheritance; or\n"
+ "\n"
+ "* An iterable object which returns range pairs of the appropriate type.\n"
+ "\n"
+ "Range pairs are as returned by the .getRFC3779() method.\n"
+ ;
static PyObject *
-x509_crl_object_set_next_update (x509_crl_object *self, PyObject *args)
+x509_object_set_rfc3779(x509_object *self, PyObject *args, PyObject *kwds)
{
- char *new_time = NULL;
- ASN1_UTCTIME *time = NULL;
+ static char *kwlist[] = {"asn", "ipv4", "ipv6", NULL};
+ PyObject *asn_arg = Py_None;
+ PyObject *ipv4_arg = Py_None;
+ PyObject *ipv6_arg = Py_None;
+ PyObject *iterator = NULL;
+ PyObject *item = NULL;
+ PyObject *fast = NULL;
+ ASIdentifiers *asid = NULL;
+ IPAddrBlocks *addr = NULL;
+ ASN1_INTEGER *asid_b = NULL;
+ ASN1_INTEGER *asid_e = NULL;
+ ipaddress_object *addr_b = NULL;
+ ipaddress_object *addr_e = NULL;
+ int empty = 0;
- if (!PyArg_ParseTuple(args, "s", &new_time))
+ ENTERING(x509_object_set_rfc3779);
+
+ if (!PyArg_ParseTupleAndKeywords(args, kwds, "|OOO", kwlist, &asn_arg, &ipv4_arg, &ipv6_arg))
goto error;
- if (self->crl->crl->nextUpdate == NULL && (time = ASN1_UTCTIME_new()) == NULL)
- lose("could not allocate memory");
+ if (asn_arg != Py_None) {
- self->crl->crl->nextUpdate = time;
+ empty = 1;
- if (!python_ASN1_TIME_set_string(time, new_time))
- lose("Could not set nextUpdate");
+ if ((asid = ASIdentifiers_new()) == NULL)
+ lose_no_memory();
- Py_RETURN_NONE;
+ if (PyString_Check(asn_arg)) {
- error:
+ if (strcmp(PyString_AsString(asn_arg), "inherit"))
+ lose_type_error("ASID must be sequence of range pairs, or \"inherit\"");
- return NULL;
-}
+ if (!v3_asid_add_inherit(asid, V3_ASID_ASNUM))
+ lose_no_memory();
-static char x509_crl_object_get_next_update__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Crl</memberof>\n"
-" <name>getNextUpdate</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" In a change from previous releases, for reasons of portability\n"
-" and to avoid hard to fix issues with problems in unreliable time\n"
-" functions, this function returns a UTCTime string. You\n"
-" can use the function <function>time2utc</function> to convert to a\n"
-" string if you like and <function>utc2time</function> to back.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+ empty = 0;
-static PyObject *
-x509_crl_object_get_next_update (x509_crl_object *self, PyObject *args)
-{
- if (!PyArg_ParseTuple(args, ""))
- goto error;
+ } else {
- return ASN1_TIME_to_Python(self->crl->crl->nextUpdate);
+ if ((iterator = PyObject_GetIter(asn_arg)) == NULL)
+ goto error;
- error:
+ while ((item = PyIter_Next(iterator)) != NULL) {
+
+ if ((fast = PySequence_Fast(item, "ASN range must be a sequence")) == NULL)
+ goto error;
+
+ if (PySequence_Fast_GET_SIZE(fast) != 2)
+ lose_type_error("ASN range must be two-element sequence");
+
+ if ((asid_b = PyLong_to_ASN1_INTEGER(PySequence_Fast_GET_ITEM(fast, 0))) == NULL)
+ goto error;
+
+ switch (PyObject_RichCompareBool(PySequence_Fast_GET_ITEM(fast, 0),
+ PySequence_Fast_GET_ITEM(fast, 1), Py_EQ)) {
+ case 0:
+ if ((asid_e = PyLong_to_ASN1_INTEGER(PySequence_Fast_GET_ITEM(fast, 1))) == NULL)
+ goto error;
+ break;
+ case 1:
+ break;
+ default:
+ goto error;
+ }
+
+ if (!v3_asid_add_id_or_range(asid, V3_ASID_ASNUM, asid_b, asid_e))
+ lose_openssl_error("Couldn't add range to ASID");
+
+ asid_b = asid_e = NULL;
+ Py_XDECREF(item);
+ Py_XDECREF(fast);
+ item = fast = NULL;
+ empty = 0;
+ }
- return NULL;
-}
+ if (!empty && (!v3_asid_canonize(asid) ||
+ !X509_add1_ext_i2d(self->x509, NID_sbgp_autonomousSysNum,
+ asid, 1, X509V3_ADD_REPLACE)))
+ lose_openssl_error("Couldn't add ASID extension to certificate");
-static char x509_crl_object_set_revoked__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Crl</memberof>\n"
-" <name>setRevoked</name>\n"
-" <parameter>revoked</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method sets the sequence of revoked certificates in this CRL.\n"
-" <parameter>revoked</parameter> should be a list or tuple of\n"
-" <classname>X509Revoked</classname>.\n"
-" </para>\n"
-" <example>\n"
-" <title><function>setRevoked</function> function usage</title>\n"
-" <programlisting>\n"
-" privateFile = open('test/private.key', 'r')\n"
-" publicFile = open('test/public.key', 'r')\n"
-" crlFile = open('test/crl.pem', 'w')\n"
-"\n"
-" publicKey = POW.pemRead(POW.RSA_PUBLIC_KEY, publicFile.read())\n"
-" privateKey = POW.pemRead(POW.RSA_PRIVATE_KEY, privateFile.read(), 'pass')\n"
-"\n"
-" crl = POW.X509Crl()\n"
-"\n"
-" name = [ ['C', 'GB'], ['ST', 'Hertfordshire'],\n"
-" ['O','The House'], ['CN', 'Peter Shannon'] ]\n"
-"\n"
-" t1 = POW.pkix.time2utc(time.time())\n"
-" t2 = POW.pkix.time2utc(time.time() + 60*60*24*365)\n"
-" crl.setIssuer(name)\n"
-" rev = [ POW.X509Revoked(3, t1),\n"
-" POW.X509Revoked(4, t1),\n"
-" POW.X509Revoked(5, t1) ]\n"
-"\n"
-" crl.setRevoked(rev)\n"
-" crl.setThisUpdate(t1)\n"
-" crl.setNextUpdate(t2)\n"
-" crl.sign(privateKey)\n"
-"\n"
-" crlFile.write(crl.pemWrite())\n"
-"\n"
-" privateFile.close()\n"
-" publicFile.close()\n"
-" crlFile.close()\n"
-" </programlisting>\n"
-" </example>\n"
-"\n"
-" </body>\n"
-"</method>\n"
-;
+ Py_XDECREF(iterator);
+ iterator = NULL;
+ }
+ }
-// added because we don't already have one!
-static X509_REVOKED *
-X509_REVOKED_dup(X509_REVOKED *rev)
-{
- return((X509_REVOKED *)ASN1_dup((i2d_of_void *) i2d_X509_REVOKED,
- (d2i_of_void *) d2i_X509_REVOKED,
- (char *) rev));
-}
+ if (ipv4_arg != Py_None || ipv6_arg != Py_None) {
+ int v;
-static PyObject *
-x509_crl_object_set_revoked(x509_crl_object *self, PyObject *args)
-{
- PyObject *revoked_sequence = NULL;
- x509_revoked_object *revoked = NULL;
- X509_REVOKED *tmp_revoked = NULL;
- int i = 0,size = 0;
+ empty = 1;
- if (!PyArg_ParseTuple(args, "O", &revoked_sequence))
- goto error;
+ if ((addr = sk_IPAddressFamily_new_null()) == NULL)
+ lose_no_memory();
- if (!PyTuple_Check(revoked_sequence) && !PyList_Check(revoked_sequence))
- lose_type_error("inapropriate type");
+ /*
+ * Cheap trick to let us inline all of this instead of being
+ * forced to use a separate function. Refactor, some day.
+ */
- size = PySequence_Size(revoked_sequence);
- for (i = 0; i < size; i++) {
- if ((revoked = (x509_revoked_object*) PySequence_GetItem(revoked_sequence, i)) == NULL)
- goto error;
+ for (v = 0; v < (int) (sizeof(ipaddress_versions)/sizeof(*ipaddress_versions)); v++) {
+ const struct ipaddress_version *ip_type = ipaddress_versions[v];
+ PyObject **argp;
- if (!X_X509_revoked_Check(revoked))
- lose_type_error("inapropriate type");
+ switch (ip_type->version) {
+ case 4: argp = &ipv4_arg; break;
+ case 6: argp = &ipv6_arg; break;
+ default: continue; /* Never happens */
+ }
- if ((tmp_revoked = X509_REVOKED_dup(revoked->revoked)) == NULL)
- lose("could not allocate memory");
+ if (PyString_Check(*argp)) {
- if (!X509_CRL_add0_revoked(self->crl, tmp_revoked))
- lose("could not add revokation to stack");
+ if (strcmp(PyString_AsString(*argp), "inherit"))
+ lose_type_error("Argument must be sequence of range pairs, or \"inherit\"");
- Py_XDECREF(revoked);
- revoked = NULL;
- }
+ if (!v3_addr_add_inherit(addr, ip_type->afi, NULL))
+ lose_no_memory();
- Py_RETURN_NONE;
+ empty = 0;
- error:
+ } else {
- Py_XDECREF(revoked);
+ if ((iterator = PyObject_GetIter(*argp)) == NULL)
+ goto error;
- return NULL;
-}
+ while ((item = PyIter_Next(iterator)) != NULL) {
-static PyObject *
-x509_crl_object_helper_get_revoked(STACK_OF(X509_REVOKED) *revoked)
-{
- int no_entries = 0, i = 0;
- x509_revoked_object *revoke_obj = NULL;
- PyObject *result_list = NULL, *result_tuple = NULL;
+ if ((fast = PySequence_Fast(item, "Address range must be a sequence")) == NULL)
+ goto error;
- no_entries = sk_X509_REVOKED_num(revoked);
+ if (PySequence_Fast_GET_SIZE(fast) != 2 ||
+ !POW_IPAddress_Check(PySequence_Fast_GET_ITEM(fast, 0)) ||
+ !POW_IPAddress_Check(PySequence_Fast_GET_ITEM(fast, 1)))
+ lose_type_error("Address range must be two-element sequence of IPAddress objects");
- if ((result_list = PyList_New(0)) == NULL)
- lose("could not allocate memory");
+ addr_b = (ipaddress_object *) PySequence_Fast_GET_ITEM(fast, 0);
+ addr_e = (ipaddress_object *) PySequence_Fast_GET_ITEM(fast, 1);
- for (i = 0; i < no_entries; i++) {
- if ((revoke_obj = PyObject_New(x509_revoked_object, &x509_revokedtype)) == NULL)
- lose("could not allocate memory");
+ if (addr_b->type != ip_type ||
+ addr_e->type != ip_type ||
+ memcmp(addr_b->address, addr_e->address, ip_type->length) > 0)
+ lose("IPAddrBlock must be sequence of address pairs, or \"inherit\"");
- if ((revoke_obj->revoked = X509_REVOKED_dup(sk_X509_REVOKED_value(revoked, i))) == NULL)
- lose("could not get revocation");
+ if (!v3_addr_add_range(addr, ip_type->afi, NULL, addr_b->address, addr_e->address))
+ lose_openssl_error("Couldn't add range to IPAddrBlock");
- if (PyList_Append(result_list, (PyObject*) revoke_obj) != 0)
- goto error;
+ Py_XDECREF(item);
+ Py_XDECREF(fast);
+ item = fast = NULL;
+ addr_b = addr_e = NULL;
+ }
- Py_XDECREF(revoke_obj);
- revoke_obj = NULL;
- }
+ Py_XDECREF(iterator);
+ iterator = NULL;
+ empty = 0;
+ }
+ }
- result_tuple = PyList_AsTuple(result_list);
- Py_XDECREF(result_list);
+ if (!empty && (!v3_addr_canonize(addr) ||
+ !X509_add1_ext_i2d(self->x509, NID_sbgp_ipAddrBlock,
+ addr, 1, X509V3_ADD_REPLACE)))
+ lose_openssl_error("Couldn't add IPAddrBlock extension to certificate");
+ }
- return result_tuple;
+ Py_RETURN_NONE;
error:
-
- Py_XDECREF(revoke_obj);
- Py_XDECREF(result_list);
+ ASN1_INTEGER_free(asid_b);
+ ASN1_INTEGER_free(asid_e);
+ ASIdentifiers_free(asid);
+ sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);
+ Py_XDECREF(iterator);
+ Py_XDECREF(item);
+ Py_XDECREF(fast);
return NULL;
}
-static char x509_crl_object_get_revoked__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Crl</memberof>\n"
-" <name>getRevoked</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method returns a tuple of <classname>X509Revoked</classname>\n"
-" objects described in the CRL.\n"
-" </para>\n"
-" <example>\n"
-" <title><function>getRevoked</function> function usage</title>\n"
-" <programlisting>\n"
-" publicFile = open('test/public.key', 'r')\n"
-" crlFile = open('test/crl.pem', 'r')\n"
-"\n"
-" publicKey = POW.pemRead(POW.RSA_PUBLIC_KEY, publicFile.read())\n"
-"\n"
-" crl = POW.pemRead(POW.X509_CRL, crlFile.read())\n"
-"\n"
-" print crl.pprint()\n"
-" if crl.verify(publicKey):\n"
-" print 'signature ok!'\n"
-" else:\n"
-" print 'signature not ok!'\n"
-"\n"
-" revocations = crl.getRevoked()\n"
-" for revoked in revocations:\n"
-" print 'serial number:', revoked.getSerial()\n"
-" print 'date:', time.ctime(revoked.getDate()[0])\n"
-"\n"
-" publicFile.close()\n"
-" crlFile.close()\n"
-" </programlisting>\n"
-" </example>\n"
-"\n"
-" </body>\n"
-"</method>\n"
-;
+static char x509_object_get_basic_constraints__doc__[] =
+ "Return BasicConstraints for this certificate.\n"
+ "\n"
+ "If this certificate has no BasicConstraints extension, this method\n"
+ "returns None.\n"
+ "\n"
+ "Otherwise, this method returns a two-element tuple. The first element\n"
+ "of the tuple is a boolean representing the extension's cA value; the\n"
+ "second element of the tuple is either an integer representing the\n"
+ "pathLenConstraint value or None if there is no pathLenConstraint.\n"
+ ;
static PyObject *
-x509_crl_object_get_revoked(x509_crl_object *self, PyObject *args)
+x509_object_get_basic_constraints(x509_object *self)
{
- if (!PyArg_ParseTuple(args, ""))
- goto error;
+ BASIC_CONSTRAINTS *ext = NULL;
+ PyObject *result;
- return x509_crl_object_helper_get_revoked(X509_CRL_get_REVOKED(self->crl));
+ ENTERING(x509_object_get_basic_constraints);
- error:
+ if ((ext = X509_get_ext_d2i(self->x509, NID_basic_constraints, NULL, NULL)) == NULL)
+ Py_RETURN_NONE;
- return NULL;
+ if (ext->pathlen == NULL)
+ result = Py_BuildValue("(NO)", PyBool_FromLong(ext->ca), Py_None);
+ else
+ result = Py_BuildValue("(Nl)", PyBool_FromLong(ext->ca), ASN1_INTEGER_get(ext->pathlen));
+
+ BASIC_CONSTRAINTS_free(ext);
+ return result;
}
-static char X509_crl_object_add_extension__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Crl</memberof>\n"
-" <name>addExtension</name>\n"
-" <parameter>extensionName</parameter>\n"
-" <parameter>critical</parameter>\n"
-" <parameter>extensionValue</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method adds an extension to this CRL.\n"
-" <parameter>extensionName</parameter> should be the of the\n"
-" extension. <parameter>critical</parameter> should an integer, 1\n"
-" for true and 0 for clase. <parameter>extensionValue</parameter>\n"
-" should be a string, DER encoded value of the extension. The name\n"
-" of the extension must be correct according to OpenSSL and can be\n"
-" checkd in the <constant>objects.h</constant> header file, part of\n"
-" the OpenSSL source distrobution. In the majority of cases they\n"
-" are the same as those defined in <constant>POW._oids</constant>\n"
-" but if you do encounter problems is may be worth checking.\n"
-" </para>\n"
-" <example>\n"
-" <title><function>addExtension</function> method usage</title>\n"
-" <programlisting>\n"
-" oids = POW.pkix.OidData()\n"
-" o2i = oids.obj2oid\n"
-"\n"
-" n1 = ('directoryName', (((o2i('countryName'), ('printableString', 'UK')),),\n"
-" ((o2i('stateOrProvinceName'), ('printableString', 'Herts')),),\n"
-" ((o2i('organizationName'), ('printableString', 'The House')),),\n"
-" ((o2i('commonName'), ('printableString', 'Shannon Works')),)))\n"
-"\n"
-" n2 = ('rfc822Name', 'peter_shannon@yahoo.com')\n"
-" n3 = ('uri', 'http://www.p-s.org.uk')\n"
-" n4 = ('iPAddress', (192,168,100,51))\n"
-"\n"
-" issuer = POW.pkix.IssuerAltName()\n"
-" issuer.set([n1,n2,n3,n4])\n"
-" crl.addExtension('issuerAltName', 0, issuer.toString())\n"
-" </programlisting>\n"
-" </example>\n"
-" </body>\n"
-"</method>\n"
-;
+static char x509_object_set_basic_constraints__doc__[] =
+ "Set BasicConstraints for this certificate.\n"
+ "\n"
+ "First argument \"ca\" is a boolean indicating whether the certificate\n"
+ "is a CA certificate or not.\n"
+ "\n"
+ "Optional second argument \"pathLenConstraint\" is a non-negative integer\n"
+ "specifying the pathLenConstraint value for this certificate; this value\n"
+ "may only be set for CA certificates."
+ "\n"
+ "Optional third argument \"critical\" specifies whether the extension\n"
+ "should be marked as critical. RFC 5280 4.2.1.9 requires that CA\n"
+ "certificates mark this extension as critical, so the default is True.\n"
+ ;
static PyObject *
-X509_crl_object_add_extension(x509_crl_object *self, PyObject *args)
+x509_object_set_basic_constraints(x509_object *self, PyObject *args)
{
- int critical = 0, nid = 0, len = 0;
- char *name = NULL;
- unsigned char *buf = NULL;
- ASN1_OCTET_STRING *octetString = NULL;
- X509_EXTENSION *extn = NULL;
+ BASIC_CONSTRAINTS *ext = NULL;
+ PyObject *is_ca = NULL;
+ PyObject *pathlen_obj = Py_None;
+ PyObject *critical = Py_True;
+ long pathlen = -1;
+ int ok = 0;
- if (!PyArg_ParseTuple(args, "sis#", &name, &critical, &buf, &len))
- goto error;
+ ENTERING(x509_object_set_basic_constraints);
- if ((octetString = M_ASN1_OCTET_STRING_new()) == NULL)
- lose("could not allocate memory");
+ if (!PyArg_ParseTuple(args, "O|OO", &is_ca, &pathlen_obj, &critical))
+ goto error;
- if (!ASN1_OCTET_STRING_set(octetString, buf, len))
- lose("could not set ASN1 Octect string");
+ if (pathlen_obj != Py_None && (pathlen = PyInt_AsLong(pathlen_obj)) < 0)
+ lose_type_error("Bad pathLenConstraint value");
- if ((nid = OBJ_txt2nid(name)) == NID_undef)
- lose("extension has unknown object identifier");
+ if ((ext = BASIC_CONSTRAINTS_new()) == NULL)
+ lose_no_memory();
- if ((extn = X509_EXTENSION_create_by_NID(NULL, nid, critical, octetString)) == NULL)
- lose("unable to create ASN1 X509 Extension object");
+ ext->ca = PyObject_IsTrue(is_ca) ? 0xFF : 0;
- if (!self->crl->crl->extensions &&
- (self->crl->crl->extensions = sk_X509_EXTENSION_new_null()) == NULL)
- lose("unable to allocate memory");
+ if (pathlen_obj != Py_None &&
+ ((ext->pathlen == NULL && (ext->pathlen = ASN1_INTEGER_new()) == NULL) ||
+ !ASN1_INTEGER_set(ext->pathlen, pathlen)))
+ lose_no_memory();
- if (!sk_X509_EXTENSION_push(self->crl->crl->extensions, extn))
- lose("unable to add extension");
+ if (!X509_add1_ext_i2d(self->x509, NID_basic_constraints,
+ ext, PyObject_IsTrue(critical), X509V3_ADD_REPLACE))
+ lose_openssl_error("Couldn't add BasicConstraints extension to certificate");
- Py_RETURN_NONE;
+ ok = 1;
error:
+ BASIC_CONSTRAINTS_free(ext);
- if (extn)
- X509_EXTENSION_free(extn);
-
- return NULL;
+ if (ok)
+ Py_RETURN_NONE;
+ else
+ return NULL;
}
-static char X509_crl_object_clear_extensions__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Crl</memberof>\n"
-" <name>clearExtensions</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method clears the structure which holds the extension for\n"
-" this CRL.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char x509_object_get_sia__doc__[] =
+ "Get SIA values for this certificate.\n"
+ "\n"
+ "If the certificate has no SIA extension, this method returns None.\n"
+ "\n"
+ "Otherwise, it returns a tuple containing three values:\n"
+ "caRepository URIs, rpkiManifest URIs, and signedObject URIs.\n"
+ "Each of these values is a tuple of strings, representing an ordered\n"
+ "sequence of URIs. Any or all of these sequences may be empty.\n"
+ "\n"
+ "Any other accessMethods are ignored, as are any non-URI\n"
+ "accessLocations.\n"
+ ;
static PyObject *
-X509_crl_object_clear_extensions(x509_crl_object *self, PyObject *args)
+x509_object_get_sia(x509_object *self)
{
- if (!PyArg_ParseTuple(args, ""))
+ AUTHORITY_INFO_ACCESS *ext = NULL;
+ PyObject *result = NULL;
+ PyObject *result_caRepository = NULL;
+ PyObject *result_rpkiManifest = NULL;
+ PyObject *result_signedObject = NULL;
+ int n_caRepository = 0;
+ int n_rpkiManifest = 0;
+ int n_signedObject = 0;
+ const char *uri;
+ PyObject *obj;
+ int i, nid;
+
+ ENTERING(x509_object_get_sia);
+
+ if ((ext = X509_get_ext_d2i(self->x509, NID_sinfo_access, NULL, NULL)) == NULL)
+ Py_RETURN_NONE;
+
+ /*
+ * Easiest to do this in two passes, first pass just counts URIs.
+ */
+
+ for (i = 0; i < sk_ACCESS_DESCRIPTION_num(ext); i++) {
+ ACCESS_DESCRIPTION *a = sk_ACCESS_DESCRIPTION_value(ext, i);
+ if (a->location->type != GEN_URI)
+ continue;
+ nid = OBJ_obj2nid(a->method);
+ if (nid == NID_caRepository) {
+ n_caRepository++;
+ continue;
+ }
+ if (nid == NID_rpkiManifest) {
+ n_rpkiManifest++;
+ continue;
+ }
+ if (nid == NID_signedObject) {
+ n_signedObject++;
+ continue;
+ }
+ }
+
+ if (((result_caRepository = PyTuple_New(n_caRepository)) == NULL) ||
+ ((result_rpkiManifest = PyTuple_New(n_rpkiManifest)) == NULL) ||
+ ((result_signedObject = PyTuple_New(n_signedObject)) == NULL))
goto error;
- if (self->crl->crl->extensions) {
- sk_X509_EXTENSION_free(self->crl->crl->extensions);
- self->crl->crl->extensions = NULL;
+ n_caRepository = n_rpkiManifest = n_signedObject = 0;
+
+ for (i = 0; i < sk_ACCESS_DESCRIPTION_num(ext); i++) {
+ ACCESS_DESCRIPTION *a = sk_ACCESS_DESCRIPTION_value(ext, i);
+ if (a->location->type != GEN_URI)
+ continue;
+ nid = OBJ_obj2nid(a->method);
+ uri = (char *) ASN1_STRING_data(a->location->d.uniformResourceIdentifier);
+ if (nid == NID_caRepository) {
+ if ((obj = PyString_FromString(uri)) == NULL)
+ goto error;
+ PyTuple_SET_ITEM(result_caRepository, n_caRepository++, obj);
+ continue;
+ }
+ if (nid == NID_rpkiManifest) {
+ if ((obj = PyString_FromString(uri)) == NULL)
+ goto error;
+ PyTuple_SET_ITEM(result_rpkiManifest, n_rpkiManifest++, obj);
+ continue;
+ }
+ if (nid == NID_signedObject) {
+ if ((obj = PyString_FromString(uri)) == NULL)
+ goto error;
+ PyTuple_SET_ITEM(result_signedObject, n_signedObject++, obj);
+ continue;
+ }
}
- Py_RETURN_NONE;
+ result = Py_BuildValue("(OOO)",
+ result_caRepository,
+ result_rpkiManifest,
+ result_signedObject);
error:
-
- return NULL;
+ AUTHORITY_INFO_ACCESS_free(ext);
+ Py_XDECREF(result_caRepository);
+ Py_XDECREF(result_rpkiManifest);
+ Py_XDECREF(result_signedObject);
+ return result;
}
-static char X509_crl_object_count_extensions__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Crl</memberof>\n"
-" <name>countExtensions</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method returns the size of the structure which holds the\n"
-" extension for this CRL.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char x509_object_set_sia__doc__[] =
+ "Set SIA values for this certificate. Takes three arguments:\n"
+ "\"caRepository\", \"rpkiManifest\", and \"signedObject\".\n"
+ "Each of these should be an iterable which returns URIs.\n"
+ "\n"
+ "None is acceptable as an alternate way of specifying an empty\n"
+ "sequence of URIs for a particular argument.\n"
+ ;
static PyObject *
-X509_crl_object_count_extensions(x509_crl_object *self, PyObject *args)
+x509_object_set_sia(x509_object *self, PyObject *args, PyObject *kwds)
{
- int num = 0;
+ static char *kwlist[] = {"caRepository", "rpkiManifest", "signedObject", NULL};
+ AUTHORITY_INFO_ACCESS *ext = NULL;
+ PyObject *caRepository = Py_None;
+ PyObject *rpkiManifest = Py_None;
+ PyObject *signedObject = Py_None;
+ PyObject *iterator = NULL;
+ ASN1_OBJECT *oid = NULL;
+ PyObject **pobj = NULL;
+ PyObject *item = NULL;
+ ACCESS_DESCRIPTION *a = NULL;
+ int i, nid = NID_undef, ok = 0;
+ Py_ssize_t urilen;
+ char *uri;
+
+ ENTERING(x509_object_set_sia);
- if (!PyArg_ParseTuple(args, ""))
+ if (!PyArg_ParseTupleAndKeywords(args, kwds, "|OOO", kwlist,
+ &caRepository, &rpkiManifest, &signedObject))
goto error;
- if (self->crl->crl->extensions)
- num = sk_X509_EXTENSION_num(self->crl->crl->extensions);
+ if ((ext = AUTHORITY_INFO_ACCESS_new()) == NULL)
+ lose_no_memory();
+
+ /*
+ * This is going to want refactoring, because it's ugly, because we
+ * want to reuse code for AIA, and because it'd be nice to support a
+ * single URI as an abbreviation for a sequence containing one URI.
+ */
+
+ for (i = 0; i < 3; i++) {
+ switch (i) {
+ case 0: pobj = &caRepository; nid = NID_caRepository; break;
+ case 1: pobj = &rpkiManifest; nid = NID_rpkiManifest; break;
+ case 2: pobj = &signedObject; nid = NID_signedObject; break;
+ }
+
+ if (*pobj == Py_None)
+ continue;
+
+ if ((oid = OBJ_nid2obj(nid)) == NULL)
+ lose_openssl_error("Couldn't find SIA accessMethod OID");
+
+ if ((iterator = PyObject_GetIter(*pobj)) == NULL)
+ goto error;
+
+ while ((item = PyIter_Next(iterator)) != NULL) {
+
+ if (PyString_AsStringAndSize(item, &uri, &urilen) < 0)
+ goto error;
+
+ if ((a = ACCESS_DESCRIPTION_new()) == NULL ||
+ (a->method = OBJ_dup(oid)) == NULL ||
+ (a->location->d.uniformResourceIdentifier = ASN1_IA5STRING_new()) == NULL ||
+ !ASN1_OCTET_STRING_set(a->location->d.uniformResourceIdentifier, (unsigned char *) uri, urilen))
+ lose_no_memory();
+
+ a->location->type = GEN_URI;
+
+ if (!sk_ACCESS_DESCRIPTION_push(ext, a))
+ lose_no_memory();
+
+ a = NULL;
+ Py_XDECREF(item);
+ item = NULL;
+ }
+
+ Py_XDECREF(iterator);
+ iterator = NULL;
+ }
+
+ if (!X509_add1_ext_i2d(self->x509, NID_sinfo_access, ext, 0, X509V3_ADD_REPLACE))
+ lose_openssl_error("Couldn't add SIA extension to certificate");
- return Py_BuildValue("i", num);
+ ok = 1;
error:
+ AUTHORITY_INFO_ACCESS_free(ext);
+ ACCESS_DESCRIPTION_free(a);
+ Py_XDECREF(item);
+ Py_XDECREF(iterator);
- return NULL;
+ if (ok)
+ Py_RETURN_NONE;
+ else
+ return NULL;
}
-static char X509_crl_object_get_extension__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Crl</memberof>\n"
-" <name>getExtension</name>\n"
-" <parameter>index</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method returns a tuple equivalent the parameters of\n"
-" <function>addExtension</function>.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char x509_object_get_aia__doc__[] =
+ "Get this certificate's AIA values.\n"
+ "\n"
+ "If the certificate has no AIA extension, this method returns None.\n"
+ "\n"
+ "Otherwise, this returns a sequence of caIssuers URIs.\n"
+ "\n"
+ "Any other accessMethods are ignored, as are any non-URI\n"
+ "accessLocations.\n"
+ ;
static PyObject *
-X509_crl_object_get_extension(x509_crl_object *self, PyObject *args)
+x509_object_get_aia(x509_object *self)
{
- int num = 0, index = 0, ext_nid = 0;
- char const *ext_ln = NULL;
- char unknown_ext [] = "unknown";
- X509_EXTENSION *ext;
-
- if (!PyArg_ParseTuple(args, "i", &index))
- goto error;
+ AUTHORITY_INFO_ACCESS *ext = NULL;
+ PyObject *result = NULL;
+ const char *uri;
+ PyObject *obj;
+ int i, n = 0;
- if (self->crl->crl->extensions)
- num = sk_X509_EXTENSION_num(self->crl->crl->extensions);
+ ENTERING(x509_object_get_aia);
+ if ((ext = X509_get_ext_d2i(self->x509, NID_info_access, NULL, NULL)) == NULL)
+ Py_RETURN_NONE;
- if (index >= num)
- lose("certificate does not have that many extensions");
+ for (i = 0; i < sk_ACCESS_DESCRIPTION_num(ext); i++) {
+ ACCESS_DESCRIPTION *a = sk_ACCESS_DESCRIPTION_value(ext, i);
+ if (a->location->type == GEN_URI &&
+ OBJ_obj2nid(a->method) == NID_ad_ca_issuers)
+ n++;
+ }
- if ((ext = sk_X509_EXTENSION_value(self->crl->crl->extensions, index)) == NULL)
- lose("could not get extension");
+ if (((result = PyTuple_New(n)) == NULL))
+ goto error;
- if ((ext_nid = OBJ_obj2nid(ext->object)) == NID_undef)
- lose("extension has unknown object identifier");
+ n = 0;
- if ((ext_ln = OBJ_nid2sn(ext_nid)) == NULL)
- ext_ln = unknown_ext;
+ for (i = 0; i < sk_ACCESS_DESCRIPTION_num(ext); i++) {
+ ACCESS_DESCRIPTION *a = sk_ACCESS_DESCRIPTION_value(ext, i);
+ if (a->location->type == GEN_URI && OBJ_obj2nid(a->method) == NID_ad_ca_issuers) {
+ uri = (char *) ASN1_STRING_data(a->location->d.uniformResourceIdentifier);
+ if ((obj = PyString_FromString(uri)) == NULL)
+ goto error;
+ PyTuple_SET_ITEM(result, n++, obj);
+ }
+ }
- return Py_BuildValue("sis#", ext_ln, ext->critical, ext->value->data, ext->value->length);
+ AUTHORITY_INFO_ACCESS_free(ext);
+ return result;
error:
-
+ AUTHORITY_INFO_ACCESS_free(ext);
+ Py_XDECREF(result);
return NULL;
}
-static char x509_crl_object_sign__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Crl</memberof>\n"
-" <name>sign</name>\n"
-" <parameter>key</parameter>\n"
-" <parameter>digest = MD5_DIGEST</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" <parameter>key</parameter> should be an instance of\n"
-" <classname>Asymmetric</classname> and contain a private key.\n"
-" <parameter>digest</parameter> indicates\n"
-" which digest function should be used to compute the hash to be\n"
-" signed, it should be one of the following:\n"
-" </para>\n"
-" <simplelist>\n"
-#ifndef OPENSSL_NO_MD2
-" <member><constant>MD2_DIGEST</constant></member>\n"
-#endif
-" <member><constant>MD5_DIGEST</constant></member>\n"
-" <member><constant>SHA_DIGEST</constant></member>\n"
-" <member><constant>SHA1_DIGEST</constant></member>\n"
-" <member><constant>RIPEMD160_DIGEST</constant></member>\n"
-" <member><constant>SHA256_DIGEST</constant></member>\n"
-" <member><constant>SHA384_DIGEST</constant></member>\n"
-" <member><constant>SHA512_DIGEST</constant></member>\n"
-" </simplelist>\n"
-" </body>\n"
-"</method>\n"
-;
+static char x509_object_set_aia__doc__[] =
+ "Set AIA URIs for this certificate.\n"
+ "\n"
+ "Argument is a iterable which returns caIssuers URIs.\n"
+ ;
static PyObject *
-x509_crl_object_sign(x509_crl_object *self, PyObject *args)
+x509_object_set_aia(x509_object *self, PyObject *args)
{
- EVP_PKEY *pkey = NULL;
- asymmetric_object *asym;
- int digest = MD5_DIGEST;
+ AUTHORITY_INFO_ACCESS *ext = NULL;
+ PyObject *caIssuers = NULL;
+ PyObject *iterator = NULL;
+ ASN1_OBJECT *oid = NULL;
+ PyObject *item = NULL;
+ ACCESS_DESCRIPTION *a = NULL;
+ int ok = 0;
+ Py_ssize_t urilen;
+ char *uri;
- if (!PyArg_ParseTuple(args, "O!|i", &asymmetrictype, &asym, &digest))
- goto error;
-
- if ((pkey = EVP_PKEY_new()) == NULL)
- lose("could not allocate memory");
+ ENTERING(x509_object_set_aia);
- if (asym->key_type != RSA_PRIVATE_KEY)
- lose("cannot use this type of key");
+ if (!PyArg_ParseTuple(args, "O", &caIssuers))
+ goto error;
- if (!EVP_PKEY_assign_RSA(pkey, asym->cipher))
- lose("EVP_PKEY assignment error");
+ if ((ext = AUTHORITY_INFO_ACCESS_new()) == NULL)
+ lose_no_memory();
- switch (digest) {
- case MD5_DIGEST:
- if (!X509_CRL_sign(self->crl, pkey, EVP_md5()))
- lose("could not sign CRL");
- break;
+ if ((oid = OBJ_nid2obj(NID_ad_ca_issuers)) == NULL)
+ lose_openssl_error("Couldn't find AIA accessMethod OID");
-#ifndef OPENSSL_NO_MD2
- case MD2_DIGEST:
- if (!X509_CRL_sign(self->crl, pkey, EVP_md2()))
- lose("could not sign CRL");
- break;
-#endif
+ if ((iterator = PyObject_GetIter(caIssuers)) == NULL)
+ goto error;
- case SHA_DIGEST:
- if (!X509_CRL_sign(self->crl, pkey, EVP_sha()))
- lose("could not sign CRL");
- break;
+ while ((item = PyIter_Next(iterator)) != NULL) {
- case SHA1_DIGEST:
- if (!X509_CRL_sign(self->crl, pkey, EVP_sha1()))
- lose("could not sign CRL");
- break;
+ if (PyString_AsStringAndSize(item, &uri, &urilen) < 0)
+ goto error;
- case RIPEMD160_DIGEST:
- if (!X509_CRL_sign(self->crl, pkey, EVP_ripemd160()))
- lose("could not sign CRL");
- break;
+ if ((a = ACCESS_DESCRIPTION_new()) == NULL ||
+ (a->method = OBJ_dup(oid)) == NULL ||
+ (a->location->d.uniformResourceIdentifier = ASN1_IA5STRING_new()) == NULL ||
+ !ASN1_OCTET_STRING_set(a->location->d.uniformResourceIdentifier, (unsigned char *) uri, urilen))
+ lose_no_memory();
- case SHA256_DIGEST:
- if (!X509_CRL_sign(self->crl, pkey, EVP_sha256()))
- lose("could not sign CRL");
- break;
+ a->location->type = GEN_URI;
- case SHA384_DIGEST:
- if (!X509_CRL_sign(self->crl, pkey, EVP_sha384()))
- lose("could not sign CRL");
- break;
+ if (!sk_ACCESS_DESCRIPTION_push(ext, a))
+ lose_no_memory();
- case SHA512_DIGEST:
- if (!X509_CRL_sign(self->crl, pkey, EVP_sha512()))
- lose("could not sign CRL");
- break;
+ a = NULL;
+ Py_XDECREF(item);
+ item = NULL;
}
- Py_RETURN_NONE;
+ Py_XDECREF(iterator);
+ iterator = NULL;
- error:
+ if (!X509_add1_ext_i2d(self->x509, NID_info_access, ext, 0, X509V3_ADD_REPLACE))
+ lose_openssl_error("Couldn't add AIA extension to certificate");
- if (pkey)
- EVP_PKEY_free(pkey);
+ ok = 1;
- return NULL;
+ error:
+ AUTHORITY_INFO_ACCESS_free(ext);
+ ACCESS_DESCRIPTION_free(a);
+ Py_XDECREF(item);
+ Py_XDECREF(iterator);
+ if (ok)
+ Py_RETURN_NONE;
+ else
+ return NULL;
}
-static char x509_crl_object_verify__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Crl</memberof>\n"
-" <name>verify</name>\n"
-" <parameter>key</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" The <classname>X509Crl</classname> method\n"
-" <function>verify</function> is based on the\n"
-" <function>X509_CRL_verify</function> function. Unlike the\n"
-" <classname>X509</classname> function of the same name, this\n"
-" function simply checks the CRL was signed with the private key\n"
-" which corresponds the parameter <parameter>key</parameter>.\n"
-" <parameter>key</parameter> should be an instance of\n"
-" <classname>Asymmetric</classname> and contain a public key.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char x509_object_get_crldp__doc__[] =
+ "Get CRL Distribution Point (CRLDP) values for this certificate.\n"
+ "\n"
+ "If the certificate has no CRLDP extension, this method returns None.\n"
+ "\n"
+ "Otherwise, it returns a sequence of URIs representing distributionPoint\n"
+ "fullName values found in the first Distribution Point. Other CRLDP\n"
+ "fields are ignored, as are subsequent Distribution Points and any non-URI\n"
+ "fullName values.\n"
+ ;
static PyObject *
-x509_crl_object_verify(x509_crl_object *self, PyObject *args)
+x509_object_get_crldp(x509_object *self)
{
- EVP_PKEY *pkey = NULL;
- asymmetric_object *asym;
- int ok;
+ CRL_DIST_POINTS *ext = NULL;
+ DIST_POINT *dp = NULL;
+ PyObject *result = NULL;
+ const char *uri;
+ PyObject *obj;
+ int i, n = 0;
- if (!PyArg_ParseTuple(args, "O!", &asymmetrictype, &asym))
- goto error;
+ ENTERING(x509_object_get_crldp);
- if ((pkey = EVP_PKEY_new()) == NULL)
- lose("could not allocate memory");
+ if ((ext = X509_get_ext_d2i(self->x509, NID_crl_distribution_points, NULL, NULL)) == NULL ||
+ (dp = sk_DIST_POINT_value(ext, 0)) == NULL ||
+ dp->distpoint == NULL ||
+ dp->distpoint->type != 0)
+ Py_RETURN_NONE;
- if (!EVP_PKEY_assign_RSA(pkey, asym->cipher))
- lose("EVP_PKEY assignment error");
+ for (i = 0; i < sk_GENERAL_NAME_num(dp->distpoint->name.fullname); i++) {
+ GENERAL_NAME *gn = sk_GENERAL_NAME_value(dp->distpoint->name.fullname, i);
+ if (gn->type == GEN_URI)
+ n++;
+ }
- ok = X509_CRL_verify(self->crl, pkey);
+ if (((result = PyTuple_New(n)) == NULL))
+ goto error;
- return PyBool_FromLong(ok);
+ n = 0;
- error:
+ for (i = 0; i < sk_GENERAL_NAME_num(dp->distpoint->name.fullname); i++) {
+ GENERAL_NAME *gn = sk_GENERAL_NAME_value(dp->distpoint->name.fullname, i);
+ if (gn->type == GEN_URI) {
+ uri = (char *) ASN1_STRING_data(gn->d.uniformResourceIdentifier);
+ if ((obj = PyString_FromString(uri)) == NULL)
+ goto error;
+ PyTuple_SET_ITEM(result, n++, obj);
+ }
+ }
- if (pkey)
- EVP_PKEY_free(pkey);
+ sk_DIST_POINT_pop_free(ext, DIST_POINT_free);
+ return result;
+ error:
+ sk_DIST_POINT_pop_free(ext, DIST_POINT_free);
+ Py_XDECREF(result);
return NULL;
-
}
+static char x509_object_set_crldp__doc__[] =
+ "Set CRLDP values for this certificate.\n"
+ "\n"
+ "Argument is a iterable which returns distributionPoint fullName URIs.\n"
+ ;
+
static PyObject *
-x509_crl_object_write_helper(x509_crl_object *self, PyObject *args, int format)
+x509_object_set_crldp(x509_object *self, PyObject *args)
{
- int len = 0, ret = 0;
- char *buf = NULL;
- BIO *out_bio = NULL;
- PyObject *cert = NULL;
+ CRL_DIST_POINTS *ext = NULL;
+ PyObject *fullNames = NULL;
+ PyObject *iterator = NULL;
+ PyObject *item = NULL;
+ DIST_POINT *dp = NULL;
+ GENERAL_NAME *gn = NULL;
+ Py_ssize_t urilen;
+ char *uri;
+ int ok = 0;
- if (!PyArg_ParseTuple(args, ""))
+ ENTERING(x509_object_set_crldp);
+
+ if (!PyArg_ParseTuple(args, "O", &fullNames))
goto error;
- out_bio = BIO_new(BIO_s_mem());
+ if ((ext = sk_DIST_POINT_new_null()) == NULL ||
+ (dp = DIST_POINT_new()) == NULL ||
+ (dp->distpoint = DIST_POINT_NAME_new()) == NULL ||
+ (dp->distpoint->name.fullname = sk_GENERAL_NAME_new_null()) == NULL)
+ lose_no_memory();
- switch (format) {
+ dp->distpoint->type = 0;
- case DER_FORMAT:
- if (!i2d_X509_CRL_bio(out_bio, self->crl))
- lose("unable to write certificate");
- break;
+ if ((iterator = PyObject_GetIter(fullNames)) == NULL)
+ goto error;
- case PEM_FORMAT:
- if (!PEM_write_bio_X509_CRL(out_bio, self->crl))
- lose("unable to write certificate");
+ while ((item = PyIter_Next(iterator)) != NULL) {
- default:
- lose("internal error, unknown output format");
- }
+ if (PyString_AsStringAndSize(item, &uri, &urilen) < 0)
+ goto error;
- if ((len = BIO_ctrl_pending(out_bio)) == 0)
- lose("unable to get bytes stored in bio");
+ if ((gn = GENERAL_NAME_new()) == NULL ||
+ (gn->d.uniformResourceIdentifier = ASN1_IA5STRING_new()) == NULL ||
+ !ASN1_OCTET_STRING_set(gn->d.uniformResourceIdentifier, (unsigned char *) uri, urilen))
+ lose_no_memory();
- if ((buf = malloc(len)) == NULL)
- lose("unable to allocate memory");
+ gn->type = GEN_URI;
- if ((ret = BIO_read(out_bio, buf, len)) != len)
- lose("unable to write out cert");
+ if (!sk_GENERAL_NAME_push(dp->distpoint->name.fullname, gn))
+ lose_no_memory();
- cert = Py_BuildValue("s#", buf, len);
+ gn = NULL;
+ Py_XDECREF(item);
+ item = NULL;
+ }
- BIO_free(out_bio);
- free(buf);
- return cert;
+ Py_XDECREF(iterator);
+ iterator = NULL;
- error:
+ if (!sk_DIST_POINT_push(ext, dp))
+ lose_no_memory();
- if (out_bio)
- BIO_free(out_bio);
+ dp = NULL;
- if (buf)
- free(buf);
+ if (!X509_add1_ext_i2d(self->x509, NID_crl_distribution_points, ext, 0, X509V3_ADD_REPLACE))
+ lose_openssl_error("Couldn't add CRLDP extension to certificate");
- return NULL;
-}
+ ok = 1;
-static char x509_crl_object_pem_write__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Crl</memberof>\n"
-" <name>pemWrite</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method returns a PEM encoded CRL as a\n"
-" string.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+ error:
+ sk_DIST_POINT_pop_free(ext, DIST_POINT_free);
+ DIST_POINT_free(dp);
+ GENERAL_NAME_free(gn);
+ Py_XDECREF(item);
+ Py_XDECREF(iterator);
-static PyObject *
-x509_crl_object_pem_write(x509_crl_object *self, PyObject *args)
-{
- return x509_crl_object_write_helper(self, args, PEM_FORMAT);
+ if (ok)
+ Py_RETURN_NONE;
+ else
+ return NULL;
}
-static char x509_crl_object_der_write__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Crl</memberof>\n"
-" <name>derWrite</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method returns a DER encoded CRL as a string.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char x509_object_get_certificate_policies__doc__[] =
+ "Get Certificate Policies values for this certificate.\n"
+ "\n"
+ "If this certificate has no Certificate Policies extension, this method\n"
+ "returns None.\n"
+ "\n"
+ "Otherwise, this method returns a sequence of Object Identifiers.\n"
+ "\n"
+ "Policy qualifiers, if any, are ignored.\n"
+ ;
static PyObject *
-x509_crl_object_der_write(x509_crl_object *self, PyObject *args)
+x509_object_get_certificate_policies(x509_object *self)
{
- return x509_crl_object_write_helper(self, args, DER_FORMAT);
+ CERTIFICATEPOLICIES *ext = NULL;
+ PyObject *result = NULL;
+ PyObject *obj;
+ int i;
+
+ ENTERING(x509_object_get_certificate_policies);
+
+ if ((ext = X509_get_ext_d2i(self->x509, NID_certificate_policies, NULL, NULL)) == NULL)
+ Py_RETURN_NONE;
+
+ if (((result = PyTuple_New(sk_POLICYINFO_num(ext))) == NULL))
+ goto error;
+
+ for (i = 0; i < sk_POLICYINFO_num(ext); i++) {
+ POLICYINFO *p = sk_POLICYINFO_value(ext, i);
+
+ if ((obj = ASN1_OBJECT_to_PyString(p->policyid)) == NULL)
+ goto error;
+
+ PyTuple_SET_ITEM(result, i, obj);
+ }
+
+ sk_POLICYINFO_pop_free(ext, POLICYINFO_free);
+ return result;
+
+ error:
+ sk_POLICYINFO_pop_free(ext, POLICYINFO_free);
+ Py_XDECREF(result);
+ return NULL;
}
-static char x509_crl_object_pprint__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Crl</memberof>\n"
-" <name>pprint</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method returns a formatted string showing the information\n"
-" held in the CRL.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char x509_object_set_certificate_policies__doc__[] =
+ "Set Certificate Policies for this certificate.\n"
+ "\n"
+ "Argument is a iterable which returns policy OIDs.\n"
+ "\n"
+ "Policy qualifier are not supported.\n"
+ "\n"
+ "The extension will be marked as critical, since there's not much point\n"
+ "in using this extension without making it critical.\n"
+ ;
static PyObject *
-x509_crl_object_pprint(x509_crl_object *self, PyObject *args)
+x509_object_set_certificate_policies(x509_object *self, PyObject *args)
{
- int len = 0, ret = 0;
- char *buf = NULL;
- BIO *out_bio = NULL;
- PyObject *crl = NULL;
+ CERTIFICATEPOLICIES *ext = NULL;
+ PyObject *policies = NULL;
+ PyObject *iterator = NULL;
+ POLICYINFO *pol = NULL;
+ PyObject *item = NULL;
+ const char *oid;
+ int ok = 0;
+
+ ENTERING(x509_object_set_certificate_policies);
- if (!PyArg_ParseTuple(args, ""))
+ if (!PyArg_ParseTuple(args, "O", &policies))
goto error;
- out_bio = BIO_new(BIO_s_mem());
+ if ((ext = sk_POLICYINFO_new_null()) == NULL)
+ lose_no_memory();
- if (!X509_CRL_print(out_bio, self->crl))
- lose("unable to write crl");
+ if ((iterator = PyObject_GetIter(policies)) == NULL)
+ goto error;
- if ((len = BIO_ctrl_pending(out_bio)) == 0)
- lose("unable to get bytes stored in bio");
+ while ((item = PyIter_Next(iterator)) != NULL) {
- if ((buf = malloc(len)) == NULL)
- lose("unable to allocate memory");
+ if ((oid = PyString_AsString(item)) == NULL)
+ goto error;
- if ((ret = BIO_read(out_bio, buf, len)) != len)
- lose("unable to write out cert");
+ if ((pol = POLICYINFO_new()) == NULL)
+ lose_no_memory();
- crl = Py_BuildValue("s#", buf, len);
+ if ((pol->policyid = OBJ_txt2obj(oid, 1)) == NULL)
+ lose("Couldn't parse OID");
- BIO_free(out_bio);
- free(buf);
- return crl;
+ if (!sk_POLICYINFO_push(ext, pol))
+ lose_no_memory();
- error:
+ pol = NULL;
+ Py_XDECREF(item);
+ item = NULL;
+ }
- if (out_bio)
- BIO_free(out_bio);
+ Py_XDECREF(iterator);
+ iterator = NULL;
- if (buf)
- free(buf);
+ if (!X509_add1_ext_i2d(self->x509, NID_certificate_policies, ext, 1, X509V3_ADD_REPLACE))
+ lose_openssl_error("Couldn't add CERTIFICATE_POLICIES extension to certificate");
- return NULL;
+ ok = 1;
+ error:
+ POLICYINFO_free(pol);
+ sk_POLICYINFO_pop_free(ext, POLICYINFO_free);
+ Py_XDECREF(item);
+ Py_XDECREF(iterator);
+
+ if (ok)
+ Py_RETURN_NONE;
+ else
+ return NULL;
}
-static struct PyMethodDef x509_crl_object_methods[] = {
- {"sign", (PyCFunction)x509_crl_object_sign, METH_VARARGS, NULL},
- {"verify", (PyCFunction)x509_crl_object_verify, METH_VARARGS, NULL},
- {"getVersion", (PyCFunction)x509_crl_object_get_version, METH_VARARGS, NULL},
- {"setVersion", (PyCFunction)x509_crl_object_set_version, METH_VARARGS, NULL},
- {"getIssuer", (PyCFunction)x509_crl_object_get_issuer, METH_VARARGS, NULL},
- {"setIssuer", (PyCFunction)x509_crl_object_set_issuer, METH_VARARGS, NULL},
- {"getThisUpdate", (PyCFunction)x509_crl_object_get_this_update, METH_VARARGS, NULL},
- {"setThisUpdate", (PyCFunction)x509_crl_object_set_this_update, METH_VARARGS, NULL},
- {"getNextUpdate", (PyCFunction)x509_crl_object_get_next_update, METH_VARARGS, NULL},
- {"setNextUpdate", (PyCFunction)x509_crl_object_set_next_update, METH_VARARGS, NULL},
- {"setRevoked", (PyCFunction)x509_crl_object_set_revoked, METH_VARARGS, NULL},
- {"getRevoked", (PyCFunction)x509_crl_object_get_revoked, METH_VARARGS, NULL},
- {"addExtension", (PyCFunction)X509_crl_object_add_extension, METH_VARARGS, NULL},
- {"clearExtensions", (PyCFunction)X509_crl_object_clear_extensions, METH_VARARGS, NULL},
- {"countExtensions", (PyCFunction)X509_crl_object_count_extensions, METH_VARARGS, NULL},
- {"getExtension", (PyCFunction)X509_crl_object_get_extension, METH_VARARGS, NULL},
- {"pemWrite", (PyCFunction)x509_crl_object_pem_write, METH_VARARGS, NULL},
- {"derWrite", (PyCFunction)x509_crl_object_der_write, METH_VARARGS, NULL},
- {"pprint", (PyCFunction)x509_crl_object_pprint, METH_VARARGS, NULL},
-
- {NULL} /* sentinel */
-};
+/*
+ * May want EKU handlers eventually, skip for now.
+ */
+
+static char x509_object_pprint__doc__[] =
+ "Return a pretty-printed rendition of this certificate.\n"
+ ;
static PyObject *
-x509_crl_object_getattr(x509_crl_object *self, char *name)
+x509_object_pprint(x509_object *self)
{
- return Py_FindMethod(x509_crl_object_methods, (PyObject *)self, name);
+ PyObject *result = NULL;
+ BIO *bio = NULL;
+
+ ENTERING(x509_object_pprint);
+
+ if ((bio = BIO_new(BIO_s_mem())) == NULL)
+ lose_no_memory();
+
+ if (!X509_print(bio, self->x509))
+ lose_openssl_error("Unable to pretty-print certificate");
+
+ result = BIO_to_PyString_helper(bio);
+
+ error: /* Fall through */
+ BIO_free(bio);
+ return result;
}
-static void
-x509_crl_object_dealloc(x509_crl_object *self, char *name)
-{
- X509_CRL_free(self->crl);
- PyObject_Del(self);
-}
-
-static char x509_crltype__doc__[] =
-"<class>\n"
-" <header>\n"
-" <name>X509Crl</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This class provides access to OpenSSL X509 CRL management\n"
-" facilities.\n"
-" </para>\n"
-" </body>\n"
-"</class>\n"
-;
+static struct PyMethodDef x509_object_methods[] = {
+ Define_Method(pemWrite, x509_object_pem_write, METH_NOARGS),
+ Define_Method(derWrite, x509_object_der_write, METH_NOARGS),
+ Define_Method(sign, x509_object_sign, METH_VARARGS),
+ Define_Method(getPublicKey, x509_object_get_public_key, METH_NOARGS),
+ Define_Method(setPublicKey, x509_object_set_public_key, METH_VARARGS),
+ Define_Method(getVersion, x509_object_get_version, METH_NOARGS),
+ Define_Method(setVersion, x509_object_set_version, METH_VARARGS),
+ Define_Method(getSerial, x509_object_get_serial, METH_NOARGS),
+ Define_Method(setSerial, x509_object_set_serial, METH_VARARGS),
+ Define_Method(getIssuer, x509_object_get_issuer, METH_VARARGS),
+ Define_Method(setIssuer, x509_object_set_issuer, METH_VARARGS),
+ Define_Method(getSubject, x509_object_get_subject, METH_VARARGS),
+ Define_Method(setSubject, x509_object_set_subject, METH_VARARGS),
+ Define_Method(getNotBefore, x509_object_get_not_before, METH_NOARGS),
+ Define_Method(getNotAfter, x509_object_get_not_after, METH_NOARGS),
+ Define_Method(setNotAfter, x509_object_set_not_after, METH_VARARGS),
+ Define_Method(setNotBefore, x509_object_set_not_before, METH_VARARGS),
+ Define_Method(clearExtensions, x509_object_clear_extensions, METH_NOARGS),
+ Define_Method(pprint, x509_object_pprint, METH_NOARGS),
+ Define_Method(getSKI, x509_object_get_ski, METH_NOARGS),
+ Define_Method(setSKI, x509_object_set_ski, METH_VARARGS),
+ Define_Method(getAKI, x509_object_get_aki, METH_NOARGS),
+ Define_Method(setAKI, x509_object_set_aki, METH_VARARGS),
+ Define_Method(getKeyUsage, x509_object_get_key_usage, METH_NOARGS),
+ Define_Method(setKeyUsage, x509_object_set_key_usage, METH_VARARGS),
+ Define_Method(getRFC3779, x509_object_get_rfc3779, METH_NOARGS),
+ Define_Method(setRFC3779, x509_object_set_rfc3779, METH_KEYWORDS),
+ Define_Method(getBasicConstraints, x509_object_get_basic_constraints, METH_NOARGS),
+ Define_Method(setBasicConstraints, x509_object_set_basic_constraints, METH_VARARGS),
+ Define_Method(getSIA, x509_object_get_sia, METH_NOARGS),
+ Define_Method(setSIA, x509_object_set_sia, METH_KEYWORDS),
+ Define_Method(getAIA, x509_object_get_aia, METH_NOARGS),
+ Define_Method(setAIA, x509_object_set_aia, METH_VARARGS),
+ Define_Method(getCRLDP, x509_object_get_crldp, METH_NOARGS),
+ Define_Method(setCRLDP, x509_object_set_crldp, METH_VARARGS),
+ Define_Method(getCertificatePolicies, x509_object_get_certificate_policies, METH_NOARGS),
+ Define_Method(setCertificatePolicies, x509_object_set_certificate_policies, METH_VARARGS),
+ Define_Class_Method(pemRead, x509_object_pem_read, METH_VARARGS),
+ Define_Class_Method(pemReadFile, x509_object_pem_read_file, METH_VARARGS),
+ Define_Class_Method(derRead, x509_object_der_read, METH_VARARGS),
+ Define_Class_Method(derReadFile, x509_object_der_read_file, METH_VARARGS),
+ {NULL}
+};
-static PyTypeObject x509_crltype = {
+static char POW_X509_Type__doc__[] =
+ "This class represents an X.509 certificate.\n"
+ "\n"
+ LAME_DISCLAIMER_IN_ALL_CLASS_DOCUMENTATION
+ ;
+
+static PyTypeObject POW_X509_Type = {
PyObject_HEAD_INIT(0)
- 0, /*ob_size*/
- "X509Crl", /*tp_name*/
- sizeof(x509_crl_object), /*tp_basicsize*/
- 0, /*tp_itemsize*/
- (destructor)x509_crl_object_dealloc, /*tp_dealloc*/
- (printfunc)0, /*tp_print*/
- (getattrfunc)x509_crl_object_getattr, /*tp_getattr*/
- (setattrfunc)0, /*tp_setattr*/
- (cmpfunc)0, /*tp_compare*/
- (reprfunc)0, /*tp_repr*/
- 0, /*tp_as_number*/
- 0, /*tp_as_sequence*/
- 0, /*tp_as_mapping*/
- (hashfunc)0, /*tp_hash*/
- (ternaryfunc)0, /*tp_call*/
- (reprfunc)0, /*tp_str*/
- 0,
- 0,
- 0,
- 0,
- x509_crltype__doc__ /* Documentation string */
+ 0, /* ob_size */
+ "rpki.POW.X509", /* tp_name */
+ sizeof(x509_object), /* tp_basicsize */
+ 0, /* tp_itemsize */
+ (destructor)x509_object_dealloc, /* tp_dealloc */
+ 0, /* tp_print */
+ 0, /* tp_getattr */
+ 0, /* tp_setattr */
+ 0, /* tp_compare */
+ 0, /* tp_repr */
+ 0, /* tp_as_number */
+ 0, /* tp_as_sequence */
+ 0, /* tp_as_mapping */
+ 0, /* tp_hash */
+ 0, /* tp_call */
+ 0, /* tp_str */
+ 0, /* tp_getattro */
+ 0, /* tp_setattro */
+ 0, /* tp_as_buffer */
+ Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE, /* tp_flags */
+ POW_X509_Type__doc__, /* tp_doc */
+ 0, /* tp_traverse */
+ 0, /* tp_clear */
+ 0, /* tp_richcompare */
+ 0, /* tp_weaklistoffset */
+ 0, /* tp_iter */
+ 0, /* tp_iternext */
+ x509_object_methods, /* tp_methods */
+ 0, /* tp_members */
+ 0, /* tp_getset */
+ 0, /* tp_base */
+ 0, /* tp_dict */
+ 0, /* tp_descr_get */
+ 0, /* tp_descr_set */
+ 0, /* tp_dictoffset */
+ 0, /* tp_init */
+ 0, /* tp_alloc */
+ x509_object_new, /* tp_new */
};
-/*========== x509 crl Code ==========*/
-/*========== revoked Code ==========*/
-static x509_revoked_object* x509_revoked_object_new(void)
-{
- x509_revoked_object *self = NULL;
+
- if ((self = PyObject_New(x509_revoked_object, &x509_revokedtype)) == NULL)
- goto error;
+/*
+ * X509Store object.
+ */
- self->revoked = X509_REVOKED_new();
+static PyObject *
+x509_store_object_new(PyTypeObject *type, GCC_UNUSED PyObject *args, GCC_UNUSED PyObject *kwds)
+{
+ x509_store_object *self = NULL;
- return self;
+ ENTERING(x509_store_object_new);
- error:
+ if ((self = (x509_store_object *) type->tp_alloc(type, 0)) != NULL &&
+ (self->store = X509_STORE_new()) != NULL)
+ return (PyObject *) self;
Py_XDECREF(self);
return NULL;
}
-static char x509_revoked_object_set_serial__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Revoked</memberof>\n"
-" <name>setSerial</name>\n"
-" <parameter>serial</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method sets the serial number in the serial field of\n"
-" this object. <parameter>serial</parameter> should be an\n"
-" integer.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static void
+x509_store_object_dealloc(x509_store_object *self)
+{
+ ENTERING(x509_store_object_dealloc);
+ X509_STORE_free(self->store);
+ self->ob_type->tp_free((PyObject*) self);
+}
+
+static char x509_store_object_add_trust__doc__[] =
+ "Add a trusted certificate to this certificate store object.\n"
+ "\n"
+ "The \"certificate\" parameter should be an instance of the X509 class.\n"
+ ;
static PyObject *
-x509_revoked_object_set_serial(x509_revoked_object *self, PyObject *args)
+x509_store_object_add_trust(x509_store_object *self, PyObject *args)
{
- int serial = 0;
+ x509_object *x509 = NULL;
- if (!PyArg_ParseTuple(args, "i", &serial))
+ ENTERING(x509_store_object_add_trust);
+
+ if (!PyArg_ParseTuple(args, "O!", &POW_X509_Type, &x509))
goto error;
- if (!ASN1_INTEGER_set(self->revoked->serialNumber, serial))
- lose("unable to set serial number");
+ X509_STORE_add_cert(self->store, x509->x509);
Py_RETURN_NONE;
@@ -3556,4384 +3500,4502 @@ x509_revoked_object_set_serial(x509_revoked_object *self, PyObject *args)
return NULL;
}
-static char x509_revoked_object_get_serial__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Revoked</memberof>\n"
-" <name>getSerial</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method gets the serial number in the serial field of\n"
-" this object.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char x509_store_object_add_crl__doc__[] =
+ "Add a CRL to this certificate store object.\n"
+ "\n"
+ "The \"crl\" parameter should be an instance of the CRL class.\n"
+ ;
static PyObject *
-x509_revoked_object_get_serial(x509_revoked_object *self, PyObject *args)
+x509_store_object_add_crl(x509_store_object *self, PyObject *args)
{
- int serial = 0;
+ crl_object *crl = NULL;
- if (!PyArg_ParseTuple(args, ""))
+ ENTERING(x509_store_object_add_crl);
+
+ if (!PyArg_ParseTuple(args, "O!", &POW_CRL_Type, &crl))
goto error;
- if ((serial = ASN1_INTEGER_get(self->revoked->serialNumber)) == -1)
- lose("unable to get serial number");
+ X509_STORE_add_crl(self->store, crl->crl);
- return Py_BuildValue("i", serial);
+ Py_RETURN_NONE;
error:
return NULL;
}
-static char x509_revoked_object_get_date__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Revoked</memberof>\n"
-" <name>getDate</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" In a change from previous releases, for reasons of portability\n"
-" and to avoid hard to fix issues with problems in unreliable time\n"
-" functions, this function returns a UTCTime string. You\n"
-" can use the function <function>time2utc</function> to convert to a\n"
-" string if you like and <function>utc2time</function> to back.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static struct PyMethodDef x509_store_object_methods[] = {
+ Define_Method(addTrust, x509_store_object_add_trust, METH_VARARGS),
+ Define_Method(addCrl, x509_store_object_add_crl, METH_VARARGS),
+ {NULL}
+};
+
+static char POW_X509Store_Type__doc__[] =
+ "This class holds the OpenSSL certificate store objects used in CMS\n"
+ "verification.\n"
+ "\n"
+ LAME_DISCLAIMER_IN_ALL_CLASS_DOCUMENTATION
+ ;
+
+static PyTypeObject POW_X509Store_Type = {
+ PyObject_HEAD_INIT(0)
+ 0, /* ob_size */
+ "rpki.POW.X509Store", /* tp_name */
+ sizeof(x509_store_object), /* tp_basicsize */
+ 0, /* tp_itemsize */
+ (destructor)x509_store_object_dealloc, /* tp_dealloc */
+ 0, /* tp_print */
+ 0, /* tp_getattr */
+ 0, /* tp_setattr */
+ 0, /* tp_compare */
+ 0, /* tp_repr */
+ 0, /* tp_as_number */
+ 0, /* tp_as_sequence */
+ 0, /* tp_as_mapping */
+ 0, /* tp_hash */
+ 0, /* tp_call */
+ 0, /* tp_str */
+ 0, /* tp_getattro */
+ 0, /* tp_setattro */
+ 0, /* tp_as_buffer */
+ Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE, /* tp_flags */
+ POW_X509Store_Type__doc__, /* tp_doc */
+ 0, /* tp_traverse */
+ 0, /* tp_clear */
+ 0, /* tp_richcompare */
+ 0, /* tp_weaklistoffset */
+ 0, /* tp_iter */
+ 0, /* tp_iternext */
+ x509_store_object_methods, /* tp_methods */
+ 0, /* tp_members */
+ 0, /* tp_getset */
+ 0, /* tp_base */
+ 0, /* tp_dict */
+ 0, /* tp_descr_get */
+ 0, /* tp_descr_set */
+ 0, /* tp_dictoffset */
+ 0, /* tp_init */
+ 0, /* tp_alloc */
+ x509_store_object_new, /* tp_new */
+};
+
+
+
+/*
+ * CRL object.
+ */
static PyObject *
-x509_revoked_object_get_date(x509_revoked_object *self, PyObject *args)
+crl_object_new(PyTypeObject *type, GCC_UNUSED PyObject *args, GCC_UNUSED PyObject *kwds)
{
- if (!PyArg_ParseTuple(args, ""))
- goto error;
+ crl_object *self = NULL;
- return ASN1_TIME_to_Python(self->revoked->revocationDate);
+ ENTERING(crl_object_new);
- error:
+ if ((self = (crl_object *) type->tp_alloc(type, 0)) != NULL &&
+ (self->crl = X509_CRL_new()) != NULL)
+ return (PyObject *) self;
+ Py_XDECREF(self);
return NULL;
}
-static char x509_revoked_object_set_date__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Revoked</memberof>\n"
-" <name>setDate</name>\n"
-" <parameter>time</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" In a change from previous releases, for reasons of portability\n"
-" and to avoid hard to fix issues with problems in unreliable time\n"
-" functions, this accepts one parameter, a UTCTime string. You\n"
-" can use the function <function>time2utc</function> to convert to a\n"
-" string if you like and <function>utc2time</function> to back.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static void
+crl_object_dealloc(crl_object *self)
+{
+ ENTERING(crl_object_dealloc);
+ X509_CRL_free(self->crl);
+ self->ob_type->tp_free((PyObject*) self);
+}
static PyObject *
-x509_revoked_object_set_date(x509_revoked_object *self, PyObject *args)
+crl_object_pem_read_helper(PyTypeObject *type, BIO *bio)
{
- char *time = NULL;
+ crl_object *self;
- if (!PyArg_ParseTuple(args, "s", &time))
+ ENTERING(crl_object_pem_read_helper);
+
+ if ((self = (crl_object *) crl_object_new(type, NULL, NULL)) == NULL)
goto error;
- if (!python_ASN1_TIME_set_string(self->revoked->revocationDate, time))
- lose_type_error("Could not set revocationDate");
+ if (!PEM_read_bio_X509_CRL(bio, &self->crl, NULL, NULL))
+ lose_openssl_error("Couldn't PEM encoded load CRL");
- Py_RETURN_NONE;
+ return (PyObject *) self;
error:
-
+ Py_XDECREF(self);
return NULL;
}
-static char X509_revoked_object_add_extension__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Revoked</memberof>\n"
-" <name>addExtension</name>\n"
-" <parameter>extensionName</parameter>\n"
-" <parameter>critical</parameter>\n"
-" <parameter>extensionValue</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method adds an extension to this revocation.\n"
-" <parameter>extensionName</parameter> should be the of the\n"
-" extension. <parameter>critical</parameter> should an integer, 1\n"
-" for true and 0 for clase. <parameter>extensionValue</parameter>\n"
-" should be a string, DER encoded value of the extension. The name\n"
-" of the extension must be correct according to OpenSSL and can be\n"
-" checkd in the <constant>objects.h</constant> header file, part of\n"
-" the OpenSSL source distrobution. In the majority of cases they\n"
-" are the same as those defined in <constant>POW._oids</constant>\n"
-" but if you do encounter problems is may be worth checking.\n"
-" </para>\n"
-" <example>\n"
-" <title><function>addExtension</function> method usage</title>\n"
-" <programlisting>\n"
-" reason = POW.pkix.CrlReason()\n"
-" reason.set(1)\n"
-" revocation.addExtension('CRLReason', 0, reason.toString())\n"
-" </programlisting>\n"
-" </example>\n"
-" </body>\n"
-"</method>\n"
-;
-
static PyObject *
-X509_revoked_object_add_extension(x509_revoked_object *self, PyObject *args)
+crl_object_der_read_helper(PyTypeObject *type, BIO *bio)
{
- int critical = 0, nid = 0, len = 0;
- char *name = NULL;
- unsigned char *buf = NULL;
- ASN1_OCTET_STRING *octetString = NULL;
- X509_EXTENSION *extn = NULL;
+ crl_object *self;
- if (!PyArg_ParseTuple(args, "sis#", &name, &critical, &buf, &len))
+ ENTERING(crl_object_der_read_helper);
+
+ if ((self = (crl_object *) crl_object_new(type, NULL, NULL)) == NULL)
goto error;
- if ((octetString = M_ASN1_OCTET_STRING_new()) == NULL)
- lose("could not allocate memory");
+ if (!d2i_X509_CRL_bio(bio, &self->crl))
+ lose_openssl_error("Couldn't load DER encoded CRL");
- if (!ASN1_OCTET_STRING_set(octetString, buf, strlen((char *) buf)))
- lose("could not set ASN1 Octect string");
+ return (PyObject *) self;
- if ((nid = OBJ_txt2nid(name)) == NID_undef)
- lose("extension has unknown object identifier");
+ error:
+ Py_XDECREF(self);
+ return NULL;
+}
- if ((extn = X509_EXTENSION_create_by_NID(NULL, nid, critical, octetString)) == NULL)
- lose("unable to create ASN1 X509 Extension object");
+static char crl_object_pem_read__doc__[] =
+ "Read a PEM-encoded CRL object from a string.\n"
+ ;
- if (!self->revoked->extensions && (self->revoked->extensions = sk_X509_EXTENSION_new_null()) == NULL)
- lose("unable to allocate memory");
+static PyObject *
+crl_object_pem_read(PyTypeObject *type, PyObject *args)
+{
+ ENTERING(crl_object_pem_read);
+ return read_from_string_helper(crl_object_pem_read_helper, type, args);
+}
- if (!sk_X509_EXTENSION_push(self->revoked->extensions, extn))
- lose("unable to add extension");
+static char crl_object_pem_read_file__doc__[] =
+ "Read a PEM-encoded CRL object from a file.\n"
+ ;
- Py_RETURN_NONE;
+static PyObject *
+crl_object_pem_read_file(PyTypeObject *type, PyObject *args)
+{
+ ENTERING(crl_object_pem_read_file);
+ return read_from_file_helper(crl_object_pem_read_helper, type, args);
+}
- error:
+static char crl_object_der_read__doc__[] =
+ "Read a DER-encoded CRL object from a string.\n"
+ ;
- if (extn)
- X509_EXTENSION_free(extn);
+static PyObject *
+crl_object_der_read(PyTypeObject *type, PyObject *args)
+{
+ ENTERING(crl_object_der_read);
+ return read_from_string_helper(crl_object_der_read_helper, type, args);
+}
- return NULL;
+static char crl_object_der_read_file__doc__[] =
+ "Read a DER-encoded CRL object from a file.\n"
+ ;
+
+static PyObject *
+crl_object_der_read_file(PyTypeObject *type, PyObject *args)
+{
+ ENTERING(crl_object_der_read_file);
+ return read_from_file_helper(crl_object_der_read_helper, type, args);
}
-static char X509_revoked_object_clear_extensions__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Revoked</memberof>\n"
-" <name>clearExtensions</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method clears the structure which holds the extension for\n"
-" this revocation.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char crl_object_get_version__doc__[] =
+ "return the version number of this CRL.\n"
+ ;
+
+static PyObject *
+crl_object_get_version(crl_object *self)
+{
+ ENTERING(crl_object_get_version);
+ return Py_BuildValue("l", X509_CRL_get_version(self->crl));
+}
+
+static char crl_object_set_version__doc__[] =
+ "Set the version number of this CRL.\n"
+ "\n"
+ "The \"version\" parameter should be a positive integer.\n"
+ ;
static PyObject *
-X509_revoked_object_clear_extensions(x509_revoked_object *self, PyObject *args)
+crl_object_set_version(crl_object *self, PyObject *args)
{
- if (!PyArg_ParseTuple(args, ""))
+ long version = 0;
+
+ ENTERING(crl_object_set_version);
+
+ if (!PyArg_ParseTuple(args, "i", &version))
goto error;
- if (self->revoked->extensions) {
- sk_X509_EXTENSION_free(self->revoked->extensions);
- self->revoked->extensions = NULL;
- }
+ if (!X509_CRL_set_version(self->crl, version))
+ lose_no_memory();
Py_RETURN_NONE;
error:
-
return NULL;
}
-static char X509_revoked_object_count_extensions__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Revoked</memberof>\n"
-" <name>countExtensions</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method returns the size of the structure which holds the\n"
-" extension for this revocation.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char crl_object_get_issuer__doc__[] =
+ "Return issuer name of this CRL.\n"
+ "\n"
+ "See the \"getIssuer()\" method of the X509 class for more details.\n"
+ ;
static PyObject *
-X509_revoked_object_count_extensions(x509_revoked_object *self, PyObject *args)
+crl_object_get_issuer(crl_object *self, PyObject *args)
{
- int num = 0;
-
- if (!PyArg_ParseTuple(args, ""))
- goto error;
+ PyObject *result = NULL;
+ int format = OIDNAME_FORMAT;
- if (self->revoked->extensions)
- num = sk_X509_EXTENSION_num(self->revoked->extensions);
+ ENTERING(crl_object_get_issuer);
- return Py_BuildValue("i", num);
+ if (!PyArg_ParseTuple(args, "|i", &format))
+ goto error;
- error:
+ result = x509_object_helper_get_name(X509_CRL_get_issuer(self->crl), format);
- return NULL;
+ error: /* Fall through */
+ return result;
}
-static char X509_revoked_object_get_extension__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>X509Revoked</memberof>\n"
-" <name>getExtension</name>\n"
-" <parameter>index</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method returns a tuple equivalent the parameters of\n"
-" <function>addExtension</function>.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char crl_object_set_issuer__doc__[] =
+ "Set this CRL's issuer name.\n"
+ "\n"
+ "See the \"setIssuer()\" method of the X509 class for details.\n"
+ ;
static PyObject *
-X509_revoked_object_get_extension(x509_revoked_object *self, PyObject *args)
+crl_object_set_issuer(crl_object *self, PyObject *args)
{
- int num = 0, index = 0, ext_nid = 0;
- char const *ext_ln = NULL;
- char unknown_ext [] = "unknown";
- X509_EXTENSION *ext;
+ PyObject *name_sequence = NULL;
+ X509_NAME *name = NULL;
- if (!PyArg_ParseTuple(args, "i", &index))
- goto error;
+ ENTERING(crl_object_set_issuer);
- if (self->revoked->extensions)
- num = sk_X509_EXTENSION_num(self->revoked->extensions);
+ if (!PyArg_ParseTuple(args, "O", &name_sequence))
+ goto error;
- if (index >= num)
- lose("certificate does not have that many extensions");
+ if (!PySequence_Check(name_sequence))
+ lose_type_error("Inapropriate type");
- if ((ext = sk_X509_EXTENSION_value(self->revoked->extensions, index)) == NULL)
- lose("could not get extension");
+ if ((name = x509_object_helper_set_name(name_sequence)) == NULL)
+ goto error;
- if ((ext_nid = OBJ_obj2nid(ext->object)) == NID_undef)
- lose("extension has unknown object identifier");
+ if (!X509_CRL_set_issuer_name(self->crl, name))
+ lose_openssl_error("Unable to set issuer name");
- if ((ext_ln = OBJ_nid2sn(ext_nid)) == NULL)
- ext_ln = unknown_ext;
+ X509_NAME_free(name);
- return Py_BuildValue("sis#", ext_ln, ext->critical, ext->value->data, ext->value->length);
+ Py_RETURN_NONE;
error:
-
+ X509_NAME_free(name);
return NULL;
}
-static struct PyMethodDef x509_revoked_object_methods[] = {
- {"getSerial", (PyCFunction)x509_revoked_object_get_serial, METH_VARARGS, NULL},
- {"setSerial", (PyCFunction)x509_revoked_object_set_serial, METH_VARARGS, NULL},
- {"getDate", (PyCFunction)x509_revoked_object_get_date, METH_VARARGS, NULL},
- {"setDate", (PyCFunction)x509_revoked_object_set_date, METH_VARARGS, NULL},
- {"addExtension", (PyCFunction)X509_revoked_object_add_extension, METH_VARARGS, NULL},
- {"clearExtensions", (PyCFunction)X509_revoked_object_clear_extensions, METH_VARARGS, NULL},
- {"countExtensions", (PyCFunction)X509_revoked_object_count_extensions, METH_VARARGS, NULL},
- {"getExtension", (PyCFunction)X509_revoked_object_get_extension, METH_VARARGS, NULL},
+/*
+ * NB: OpenSSL is confused about the name of this field, probably for
+ * backwards compatability with some ancient mistake. What RFC 5280
+ * calls "thisUpdate", OpenSSL calls "lastUpdate".
+ */
- {NULL} /* sentinel */
-};
+static char crl_object_set_this_update__doc__[] =
+ "Set this CRL's \"thisUpdate\" value.\n"
+ "\n"
+ "The \"time\" parameter should be a datetime object.\n"
+ ;
static PyObject *
-x509_revoked_object_getattr(x509_revoked_object *self, char *name)
+crl_object_set_this_update (crl_object *self, PyObject *args)
{
- return Py_FindMethod(x509_revoked_object_methods, (PyObject *) self, name);
-}
+ PyObject *o = NULL;
+ ASN1_TIME *t = NULL;
-static void
-x509_revoked_object_dealloc(x509_revoked_object *self, char *name)
-{
- X509_REVOKED_free(self->revoked);
- PyObject_Del(self);
-}
-
-static char x509_revokedtype__doc__[] =
-"<class>\n"
-" <header>\n"
-" <name>X509Revoked</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This class provides a container for details of a revoked\n"
-" certificate. It normally would only be used in association with\n"
-" a CRL, its not much use by itself. Indeed the only reason this\n"
-" class exists is because in the future POW is likely to be extended\n"
-" to support extensions for certificates, CRLs and revocations.\n"
-" <classname>X509Revoked</classname> existing as an object in its\n"
-" own right will make adding this support easier, while avoiding\n"
-" backwards compatibility issues.\n"
-" </para>\n"
-" </body>\n"
-"</class>\n"
-;
-
-static PyTypeObject x509_revokedtype = {
- PyObject_HEAD_INIT(0)
- 0, /*ob_size*/
- "X509Revoked", /*tp_name*/
- sizeof(x509_revoked_object), /*tp_basicsize*/
- 0, /*tp_itemsize*/
- (destructor)x509_revoked_object_dealloc, /*tp_dealloc*/
- (printfunc)0, /*tp_print*/
- (getattrfunc)x509_revoked_object_getattr, /*tp_getattr*/
- (setattrfunc)0, /*tp_setattr*/
- (cmpfunc)0, /*tp_compare*/
- (reprfunc)0, /*tp_repr*/
- 0, /*tp_as_number*/
- 0, /*tp_as_sequence*/
- 0, /*tp_as_mapping*/
- (hashfunc)0, /*tp_hash*/
- (ternaryfunc)0, /*tp_call*/
- (reprfunc)0, /*tp_str*/
- 0,
- 0,
- 0,
- 0,
- x509_revokedtype__doc__ /* Documentation string */
-};
-/*========== x509 revoked Code ==========*/
-
-/*========== ssl Code ==========*/
-static char ssl_object_use_certificate__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Ssl</memberof>\n"
-" <name>useCertificate</name>\n"
-" <parameter>cert</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" The parameter <parameter>cert</parameter> must be an\n"
-" instance of the <classname>X590</classname> class and must be\n"
-" called before <function>setFd</function>.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+ ENTERING(crl_object_set_this_update);
-static PyObject *
-ssl_object_use_certificate(ssl_object *self, PyObject *args)
-{
- x509_object *x509 = NULL;
-
- if (!PyArg_ParseTuple(args, "O!", &x509type, &x509))
+ if (!PyArg_ParseTuple(args, "O", &o))
goto error;
- if (self->ctxset)
- lose("cannot be called after setFd()");
+ if ((t = Python_to_ASN1_TIME(o, 1)) == NULL)
+ lose("Couldn't convert thisUpdate string");
- if (!SSL_CTX_use_certificate(self->ctx, x509->x509))
- lose("could not use certificate");
+ if (!X509_CRL_set_lastUpdate(self->crl, t)) /* sic */
+ lose("Couldn't set thisUpdate");
+ ASN1_TIME_free(t);
Py_RETURN_NONE;
error:
-
+ ASN1_TIME_free(t);
return NULL;
}
+static char crl_object_get_this_update__doc__[] =
+ "Return this CRL's \"thisUpdate\" value as a datetime.\n"
+ ;
+
static PyObject *
-ssl_object_add_certificate(ssl_object *self, PyObject *args)
+crl_object_get_this_update (crl_object *self)
{
- x509_object *x509 = NULL;
- X509 *x = NULL;
+ ENTERING(crl_object_get_this_update);
+ return ASN1_TIME_to_Python(X509_CRL_get_lastUpdate(self->crl)); /* sic */
+}
- if (!PyArg_ParseTuple(args, "O!", &x509type, &x509))
- goto error;
+static char crl_object_set_next_update__doc__[] =
+ "Set this CRL's \"nextUpdate\" value.\n"
+ "\n"
+ "The \"time\" parameter should be a datetime object.\n"
+ ;
+
+static PyObject *
+crl_object_set_next_update (crl_object *self, PyObject *args)
+{
+ PyObject *o = NULL;
+ ASN1_TIME *t = NULL;
- if (self->ctxset)
- lose("cannot be called after setFd()");
+ ENTERING(crl_object_set_next_update);
- if ((x = X509_dup(x509->x509)) == NULL)
- lose("could not duplicate X509 object");
+ if (!PyArg_ParseTuple(args, "O", &o))
+ goto error;
- if (!SSL_CTX_add_extra_chain_cert(self->ctx, x))
- lose_openssl_error("Could not add certificate");
+ if ((t = Python_to_ASN1_TIME(o, 1)) == NULL)
+ lose("Couldn't parse nextUpdate string");
- x = NULL;
+ if (!X509_CRL_set_nextUpdate(self->crl, t))
+ lose("Couldn't set nextUpdate");
+ ASN1_TIME_free(t);
Py_RETURN_NONE;
error:
+ ASN1_TIME_free(t);
+ return NULL;
+}
- if (x)
- X509_free(x);
+static char crl_object_get_next_update__doc__[] =
+ "Returns this CRL's \"nextUpdate\" value as a datetime.\n"
+ ;
- return NULL;
+static PyObject *
+crl_object_get_next_update (crl_object *self)
+{
+ ENTERING(crl_object_get_next_update);
+ return ASN1_TIME_to_Python(X509_CRL_get_nextUpdate(self->crl));
}
+static char crl_object_add_revocations__doc__[] =
+ "This method adds a collection of revocations to this CRL.\n"
+ "\n"
+ "The \"iterable\" parameter should be an iterable object which returns\n"
+ "two-element sequences. The first element of each pair should be the\n"
+ "revoked serial number (an integer), the second element should be the\n"
+ "revocation date (a datetime object).\n"
+ ;
+
static PyObject *
-ssl_object_add_trust(ssl_object *self, PyObject *args)
+crl_object_add_revocations(crl_object *self, PyObject *args)
{
- x509_object *x509 = NULL;
- X509 *x = NULL;
+ PyObject *iterable = NULL;
+ PyObject *iterator = NULL;
+ PyObject *item = NULL;
+ PyObject *fast = NULL;
+ X509_REVOKED *revoked = NULL;
+ ASN1_INTEGER *serial = NULL;
+ ASN1_TIME *date = NULL;
+ int ok = 0;
+
+ ENTERING(crl_object_add_revocations);
- if (!PyArg_ParseTuple(args, "O!", &x509type, &x509))
+ if (!PyArg_ParseTuple(args, "O", &iterable) ||
+ (iterator = PyObject_GetIter(iterable)) == NULL)
goto error;
- if (self->ctxset)
- lose("Cannot be called after setFd()");
+ while ((item = PyIter_Next(iterator)) != NULL) {
- if (self->trusted_certs == NULL &&
- (self->trusted_certs = sk_X509_new_null()) == NULL)
- lose("Couldn't allocate trusted certificate stack");
+ if ((fast = PySequence_Fast(item, "Revocation entry must be a sequence")) == NULL)
+ goto error;
- if ((x = X509_dup(x509->x509)) == NULL)
- lose("Couldn't duplicate X509 object");
+ if (PySequence_Fast_GET_SIZE(fast) != 2)
+ lose_type_error("Revocation entry must be two-element sequence");
- if (!sk_X509_push(self->trusted_certs, x))
- lose("Couldn't push cert onto trusted certificate stack");
+ if ((serial = PyLong_to_ASN1_INTEGER(PySequence_Fast_GET_ITEM(fast, 0))) == NULL ||
+ (date = Python_to_ASN1_TIME(PySequence_Fast_GET_ITEM(fast, 1), 1)) == NULL)
+ goto error;
- x = NULL;
+ if ((revoked = X509_REVOKED_new()) == NULL ||
+ !X509_REVOKED_set_serialNumber(revoked, serial) ||
+ !X509_REVOKED_set_revocationDate(revoked, date))
+ lose_no_memory();
- Py_RETURN_NONE;
+ ASN1_INTEGER_free(serial);
+ serial = NULL;
- error:
+ ASN1_TIME_free(date);
+ date = NULL;
- if (x)
- X509_free(x);
+ if (!X509_CRL_add0_revoked(self->crl, revoked))
+ lose_no_memory();
- return NULL;
+ revoked = NULL;
+ Py_XDECREF(item);
+ Py_XDECREF(fast);
+ item = fast = NULL;
+ }
+
+ if (!X509_CRL_sort(self->crl))
+ lose_openssl_error("Couldn't sort CRL");
+
+ ok = 1;
+
+ error:
+ Py_XDECREF(iterator);
+ Py_XDECREF(item);
+ Py_XDECREF(fast);
+ X509_REVOKED_free(revoked);
+ ASN1_INTEGER_free(serial);
+ ASN1_TIME_free(date);
+
+ if (ok)
+ Py_RETURN_NONE;
+ else
+ return NULL;
}
-static char ssl_object_use_key__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Ssl</memberof>\n"
-" <name>useKey</name>\n"
-" <parameter>key</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" The parameter <parameter>key</parameter> must be an\n"
-" instance of the <classname>Asymmetric</classname> class and\n"
-" must contain the private key. This function cannot be called\n"
-" after <function>useKey</function>.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char crl_object_get_revoked__doc__[] =
+ "Return a sequence of two-element tuples representing the sequence of\n"
+ "revoked certificates listed in this CRL.\n"
+ "\n"
+ "The first element of each pair is the serialNumber of the revoked\n"
+ "certificate, the second element is the revocationDate.\n"
+ ;
static PyObject *
-ssl_object_use_key(ssl_object *self, PyObject *args)
+crl_object_get_revoked(crl_object *self)
{
- asymmetric_object *asym = NULL;
- EVP_PKEY *pkey = NULL;
+ STACK_OF(X509_REVOKED) *revoked = NULL;
+ X509_REVOKED *r = NULL;
+ PyObject *result = NULL;
+ PyObject *item = NULL;
+ PyObject *serial = NULL;
+ PyObject *date = NULL;
+ int i;
- if (!PyArg_ParseTuple(args, "O!", &asymmetrictype, &asym))
- goto error;
+ ENTERING(crl_object_get_revoked);
- if (self->ctxset)
- lose("cannot be called after setFd()");
+ if ((revoked = X509_CRL_get_REVOKED(self->crl)) == NULL)
+ lose("Inexplicable NULL revocation list pointer");
- if ((pkey = EVP_PKEY_new()) == NULL)
- lose("could not allocate memory");
+ if ((result = PyTuple_New(sk_X509_REVOKED_num(revoked))) == NULL)
+ goto error;
- if (asym->key_type != RSA_PRIVATE_KEY)
- lose("cannot use this type of key");
+ for (i = 0; i < sk_X509_REVOKED_num(revoked); i++) {
+ r = sk_X509_REVOKED_value(revoked, i);
- if (!EVP_PKEY_set1_RSA(pkey, asym->cipher))
- lose("EVP_PKEY assignment error");
+ if ((serial = ASN1_INTEGER_to_PyLong(r->serialNumber)) == NULL ||
+ (date = ASN1_TIME_to_Python(r->revocationDate)) == NULL ||
+ (item = Py_BuildValue("(NN)", serial, date)) == NULL)
+ goto error;
- if (!SSL_CTX_use_PrivateKey(self->ctx, pkey))
- lose("ctx key assignment error");
+ PyTuple_SET_ITEM(result, i, item);
+ item = serial = date = NULL;
+ }
- Py_RETURN_NONE;
+ return result;
error:
-
- if(pkey)
- EVP_PKEY_free(pkey);
-
+ Py_XDECREF(result);
+ Py_XDECREF(item);
+ Py_XDECREF(serial);
+ Py_XDECREF(date);
return NULL;
}
-static char ssl_object_check_key__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Ssl</memberof>\n"
-" <name>checkKey</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This simple method will return 1 if the public key, contained in\n"
-" the X509 certificate this <classname>Ssl</classname> instance is using,\n"
-" matches the private key this <classname>Ssl</classname> instance is using.\n"
-" Otherwise it will return 0.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
-
-static PyObject *
-ssl_object_check_key(ssl_object *self, PyObject *args)
-{
- return PyBool_FromLong(SSL_CTX_check_private_key(self->ctx));
-}
-
-static char ssl_object_set_fd__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Ssl</memberof>\n"
-" <name>setFd</name>\n"
-" <parameter>descriptor</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This function is used to associate a file descriptor with a\n"
-" <classname>Ssl</classname> object. The file descriptor should\n"
-" belong to an open TCP connection. Once this function has\n"
-" been called, calling <function>useKey</function> or\n"
-" <function>useCertificate</function> will, fail rasing exceptions.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char crl_object_clear_extensions__doc__[] =
+ "Clear all extensions attached to this CRL.\n"
+ ;
static PyObject *
-ssl_object_set_fd(ssl_object *self, PyObject *args)
+crl_object_clear_extensions(crl_object *self)
{
- int fd = 0, self_index = 0;
+ X509_EXTENSION *ext;
- if (!PyArg_ParseTuple(args, "i", &fd))
- goto error;
+ ENTERING(crl_object_clear_extensions);
- if ((self->ssl = SSL_new(self->ctx)) == NULL)
- lose("Unable to create ssl structure");
+ while ((ext = X509_CRL_delete_ext(self->crl, 0)) != NULL)
+ X509_EXTENSION_free(ext);
- SSL_set_mode(self->ssl, (SSL_MODE_ENABLE_PARTIAL_WRITE |
- SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER));
+ Py_RETURN_NONE;
+}
- if (!SSL_set_fd(self->ssl, fd))
- lose("Unable to set file descriptor");
+static char crl_object_sign__doc__[] =
+ "Sign this CRL with a private key.\n"
+ "\n"
+ "The \"key\" parameter should be an instance of the Asymmetric class,\n"
+ "containing a private key.\n"
+ "\n"
+ "The optional \"digest\" parameter indicates which digest to compute and\n"
+ "sign, and should be one of the following:\n"
+ "\n"
+ "* MD5_DIGEST\n"
+ "* SHA_DIGEST\n"
+ "* SHA1_DIGEST\n"
+ "* SHA256_DIGEST\n"
+ "* SHA384_DIGEST\n"
+ "* SHA512_DIGEST\n"
+ "\n"
+ "The default digest algorithm is SHA-256.\n"
+ ;
+
+static PyObject *
+crl_object_sign(crl_object *self, PyObject *args)
+{
+ asymmetric_object *asym;
+ int digest_type = SHA256_DIGEST;
+ const EVP_MD *digest_method = NULL;
- if ((self_index = SSL_get_ex_new_index(0, "self_index", NULL, NULL, NULL)) != -1)
- SSL_set_ex_data(self->ssl, self_index, self);
- else
- lose("Unable to create ex data index");
+ ENTERING(crl_object_sign);
+
+ if (!PyArg_ParseTuple(args, "O!|i", &POW_Asymmetric_Type, &asym, &digest_type))
+ goto error;
+
+ if ((digest_method = evp_digest_factory(digest_type)) == NULL)
+ lose("Unsupported digest algorithm");
- self->ctxset = 1;
+ if (!X509_CRL_sign(self->crl, asym->pkey, digest_method))
+ lose_openssl_error("Couldn't sign CRL");
Py_RETURN_NONE;
error:
-
return NULL;
}
-static char ssl_object_fileno__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Ssl</memberof>\n"
-" <name>fileno</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This function is used to extract the file descriptor associated\n"
-" with a <classname>Ssl</classname> object.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char crl_object_verify__doc__[] =
+ "Verifie this CRL's signature.\n"
+ "\n"
+ "The check is performed using OpenSSL's X509_CRL_verify() function.\n"
+ "\n"
+ "The \"key\" parameter should be an instance of the Asymmetric class\n"
+ "containing the public key of the purported signer.\n"
+ ;
static PyObject *
-ssl_object_fileno(ssl_object *self, PyObject *args)
+crl_object_verify(crl_object *self, PyObject *args)
{
- if (!PyArg_ParseTuple(args, ""))
- goto error;
+ asymmetric_object *asym;
- if (!self->ctxset)
- lose("cannot be called before setFd()");
+ ENTERING(crl_object_verify);
- return Py_BuildValue("i", SSL_get_fd(self->ssl));
+ if (!PyArg_ParseTuple(args, "O!", &POW_Asymmetric_Type, &asym))
+ goto error;
- error:
+ return PyBool_FromLong(X509_CRL_verify(self->crl, asym->pkey));
+ error:
return NULL;
}
-static char ssl_object_accept__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Ssl</memberof>\n"
-" <name>accept</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This function will attempt the SSL level accept with a\n"
-" client. The <classname>Ssl</classname> object must have been\n"
-" created using a <constant>XXXXX_SERVER_METHOD</constant> or\n"
-" a <constant>XXXXX_METHOD</constant> and this function should only be\n"
-" called after <function>useKey</function>,\n"
-" <function>useCertificate</function> and\n"
-" <function>setFd</function> functions have been called.\n"
-" </para>\n"
-"\n"
-" <example>\n"
-" <title><function>accept</function> function usage</title>\n"
-" <programlisting>\n"
-" keyFile = open('test/private.key', 'r')\n"
-" certFile = open('test/cacert.pem', 'r')\n"
-"\n"
-" rsa = POW.pemRead(POW.RSA_PRIVATE_KEY, keyFile.read(), 'pass')\n"
-" x509 = POW.pemRead(POW.X509_CERTIFICATE, certFile.read())\n"
-"\n"
-" keyFile.close()\n"
-" certFile.close()\n"
-"\n"
-" sl = POW.Ssl(POW.SSLV23_SERVER_METHOD)\n"
-" sl.useCertificate(x509)\n"
-" sl.useKey(rsa)\n"
-"\n"
-" s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n"
-" s.bind(('localhost', 1111))\n"
-" s.listen(5)\n"
-" s2, addr = s.accept()\n"
-"\n"
-" s.close()\n"
-"\n"
-" sl.setFd(s2.fileno())\n"
-" sl.accept()\n"
-" print sl.read(1024)\n"
-" sl.write('Message from server to client...')\n"
-"\n"
-" s2.close()\n"
-" </programlisting>\n"
-" </example>\n"
-" </body>\n"
-"</method>\n"
-;
+static char crl_object_pem_write__doc__[] =
+ "Return the PEM encoding of this CRL, as a string.\n"
+ ;
static PyObject *
-ssl_object_accept(ssl_object *self, PyObject *args)
+crl_object_pem_write(crl_object *self)
{
- int ret = 0;
-
- if (!PyArg_ParseTuple(args, ""))
- goto error;
-
- if (!self->ctxset)
- lose("cannot be called before setFd()");
+ PyObject *result = NULL;
+ BIO *bio = NULL;
- Py_BEGIN_ALLOW_THREADS;
- ret = SSL_accept(self->ssl);
- Py_END_ALLOW_THREADS;
+ ENTERING(crl_object_pem_write);
- if (ret <= 0)
- lose_ssl_error(self, ret);
+ if ((bio = BIO_new(BIO_s_mem())) == NULL)
+ lose_no_memory();
- Py_RETURN_NONE;
+ if (!PEM_write_bio_X509_CRL(bio, self->crl))
+ lose_openssl_error("Unable to write CRL");
- error:
+ result = BIO_to_PyString_helper(bio);
- return NULL;
+ error: /* Fall through */
+ BIO_free(bio);
+ return result;
}
-static char ssl_object_connect__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Ssl</memberof>\n"
-" <name>connect</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This function will attempt the SSL level connection with a\n"
-" server. The <classname>Ssl</classname> object must have been\n"
-" created using a <constant>XXXXX_CLIENT_METHOD</constant> or\n"
-" a <constant>XXXXX_METHOD</constant> and this function should only be\n"
-" called after <function>setFd</function> has already been\n"
-" called.\n"
-" </para>\n"
-"\n"
-" <example>\n"
-" <title><function>connect</function> function usage</title>\n"
-" <programlisting>\n"
-" s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n"
-" s.connect(('localhost', 1111))\n"
-"\n"
-" sl = POW.Ssl(POW.SSLV23_CLIENT_METHOD)\n"
-" sl.setFd(s.fileno())\n"
-" sl.connect()\n"
-" sl.write('Message from client to server...')\n"
-" print sl.read(1024)\n"
-" </programlisting>\n"
-" </example>\n"
-" </body>\n"
-"</method>\n"
-;
+static char crl_object_der_write__doc__[] =
+ "Return the DER encoding of this CRL, as a string.\n"
+ ;
static PyObject *
-ssl_object_connect(ssl_object *self, PyObject *args)
+crl_object_der_write(crl_object *self)
{
- int ret;
+ PyObject *result = NULL;
+ BIO *bio = NULL;
- if (!PyArg_ParseTuple(args, ""))
- goto error;
+ ENTERING(crl_object_der_write);
- if (!self->ctxset)
- lose("cannot be called before setFd()");
+ if ((bio = BIO_new(BIO_s_mem())) == NULL)
+ lose_no_memory();
- Py_BEGIN_ALLOW_THREADS;
- ret = SSL_connect(self->ssl);
- Py_END_ALLOW_THREADS;
+ if (!i2d_X509_CRL_bio(bio, self->crl))
+ lose_openssl_error("Unable to write CRL");
- if (ret <= 0)
- lose_ssl_error(self, ret);
+ result = BIO_to_PyString_helper(bio);
- Py_RETURN_NONE;
+ error: /* Fall through */
+ BIO_free(bio);
+ return result;
+}
- error:
+static char crl_object_get_aki__doc__[] =
+ "Return the Authority Key Identifier (AKI) keyid value for\n"
+ "this CRL, or None if the CRL has no AKI extension\n"
+ "or has an AKI extension with no keyIdentifier value.\n"
+ ;
- return NULL;
+static PyObject *
+crl_object_get_aki(crl_object *self)
+{
+ AUTHORITY_KEYID *ext = X509_CRL_get_ext_d2i(self->crl, NID_authority_key_identifier, NULL, NULL);
+ int empty = (ext == NULL || ext->keyid == NULL);
+ PyObject *result = NULL;
+
+ ENTERING(crl_object_get_aki);
+
+ if (!empty)
+ result = Py_BuildValue("s#", ASN1_STRING_data(ext->keyid), ASN1_STRING_length(ext->keyid));
+
+ AUTHORITY_KEYID_free(ext);
+
+ if (empty)
+ Py_RETURN_NONE;
+ else
+ return result;
}
-static char ssl_object_write__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Ssl</memberof>\n"
-" <name>write</name>\n"
-" <parameter>string</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method writes the <parameter>string</parameter> to the\n"
-" <classname>Ssl</classname> object, to be read by it's peer. This\n"
-" function is analogous to the <classname>socket</classname>\n"
-" classes <function>write</function> function.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char crl_object_set_aki__doc__[] =
+ "Set the Authority Key Identifier (AKI) value for this\n"
+ "CRL. We only support the keyIdentifier method, as that's\n"
+ "the only form which is legal for RPKI certificates.\n"
+ ;
static PyObject *
-ssl_object_write(ssl_object *self, PyObject *args)
+crl_object_set_aki(crl_object *self, PyObject *args)
{
- char *msg;
- int length = 0, ret = 0;
+ AUTHORITY_KEYID *ext = NULL;
+ const unsigned char *buf = NULL;
+ int len, ok = 0;
- if (!PyArg_ParseTuple(args, "s#", &msg, &length))
- goto error;
+ ENTERING(crl_object_set_aki);
- if (!self->ctxset)
- lose("cannot be called before setFd()");
+ if (!PyArg_ParseTuple(args, "s#", &buf, &len))
+ goto error;
- Py_BEGIN_ALLOW_THREADS;
- ret = SSL_write(self->ssl, msg, length);
- Py_END_ALLOW_THREADS;
+ if ((ext = AUTHORITY_KEYID_new()) == NULL ||
+ (ext->keyid = ASN1_OCTET_STRING_new()) == NULL ||
+ !ASN1_OCTET_STRING_set(ext->keyid, buf, len))
+ lose_no_memory();
- if (ret <= 0)
- lose_ssl_error(self, ret);
+ if (!X509_CRL_add1_ext_i2d(self->crl, NID_authority_key_identifier,
+ ext, 0, X509V3_ADD_REPLACE))
+ lose_openssl_error("Couldn't add AKI extension to CRL");
- return Py_BuildValue("i", ret);
+ ok = 1;
error:
+ AUTHORITY_KEYID_free(ext);
- return NULL;
+ if (ok)
+ Py_RETURN_NONE;
+ else
+ return NULL;
}
-static char ssl_object_read__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Ssl</memberof>\n"
-" <name>read</name>\n"
-" <parameter>amount = 1024</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method reads up to <parameter>amount</parameter> characters from the\n"
-" <classname>Ssl</classname> object. This\n"
-" function is analogous to the <classname>socket</classname>\n"
-" classes <function>read</function> function.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char crl_object_get_crl_number__doc__[] =
+ "Return the CRL Number extension value from this CRL, an integer.\n"
+ ;
static PyObject *
-ssl_object_read(ssl_object *self, PyObject *args)
+crl_object_get_crl_number(crl_object *self)
{
- PyObject *data;
- char *msg = NULL;
- int len = 1024, ret = 0;
+ ASN1_INTEGER *ext = X509_CRL_get_ext_d2i(self->crl, NID_crl_number, NULL, NULL);
+ PyObject *result = NULL;
- if (!PyArg_ParseTuple(args, "|i", &len))
- goto error;
+ ENTERING(crl_object_get_crl_number);
- if (!self->ctxset)
- lose("cannot be called before setFd()");
+ if (ext == NULL)
+ Py_RETURN_NONE;
- if ((msg = malloc(len)) == NULL)
- lose("unable to allocate memory");
+ result = Py_BuildValue("N", ASN1_INTEGER_to_PyLong(ext));
+ ASN1_INTEGER_free(ext);
+ return result;
+}
- Py_BEGIN_ALLOW_THREADS;
- ret = SSL_read(self->ssl, msg, len);
- Py_END_ALLOW_THREADS;
+static char crl_object_set_crl_number__doc__[] =
+ "Set the CRL Number extension value in this CRL.\n"
+ "\n"
+ "The \"number\" parameter should be an integer.\n"
+ ;
- if (ret <= 0)
- lose_ssl_error(self, ret);
+static PyObject *
+crl_object_set_crl_number(crl_object *self, PyObject *args)
+{
+ ASN1_INTEGER *ext = NULL;
+ PyObject *crl_number = NULL;
- data = Py_BuildValue("s#", msg, ret);
+ ENTERING(crl_object_set_crl_number);
- free(msg);
- return data;
+ if (!PyArg_ParseTuple(args, "O", &crl_number) ||
+ (ext = PyLong_to_ASN1_INTEGER(crl_number)) == NULL)
+ goto error;
- error:
+ if (!X509_CRL_add1_ext_i2d(self->crl, NID_crl_number, ext, 0, X509V3_ADD_REPLACE))
+ lose_openssl_error("Couldn't add CRL Number extension to CRL");
- if (msg)
- free(msg);
+ ASN1_INTEGER_free(ext);
+ Py_RETURN_NONE;
+ error:
+ ASN1_INTEGER_free(ext);
return NULL;
}
-static char ssl_object_peer_certificate__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Ssl</memberof>\n"
-" <name>peerCertificate</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method returns any peer certificate presented in the initial\n"
-" SSL negotiation or <constant>None</constant>. If a certificate is\n"
-" returned, it will be an instance of <classname>X509</classname>.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char crl_object_pprint__doc__[] =
+ "Return a pretty-printed rendition of this CRL.\n"
+ ;
static PyObject *
-ssl_object_peer_certificate(ssl_object *self, PyObject *args)
+crl_object_pprint(crl_object *self)
{
- X509 *x509 = NULL;
- x509_object *x509_obj = NULL;
+ PyObject *result = NULL;
+ BIO *bio = NULL;
- if (!PyArg_ParseTuple(args, ""))
- goto error;
+ ENTERING(crl_object_pprint);
- if (!self->ctxset)
- lose("cannot be called before setFd()");
+ if ((bio = BIO_new(BIO_s_mem())) == NULL)
+ lose_no_memory();
- if ((x509_obj = X509_object_new()) == NULL)
- lose("could not create x509 object");
+ if (!X509_CRL_print(bio, self->crl))
+ lose_openssl_error("Unable to pretty-print CRL");
- x509 = SSL_get_peer_certificate(self->ssl);
+ result = BIO_to_PyString_helper(bio);
- if (x509) {
- X509_free(x509_obj->x509);
- x509_obj->x509 = x509;
- return (PyObject *) x509_obj;
- }
- else {
- Py_XDECREF(x509_obj);
- Py_RETURN_NONE;
- }
+ error: /* Fall through */
+ BIO_free(bio);
+ return result;
+}
- error:
+static struct PyMethodDef crl_object_methods[] = {
+ Define_Method(sign, crl_object_sign, METH_VARARGS),
+ Define_Method(verify, crl_object_verify, METH_VARARGS),
+ Define_Method(getVersion, crl_object_get_version, METH_NOARGS),
+ Define_Method(setVersion, crl_object_set_version, METH_VARARGS),
+ Define_Method(getIssuer, crl_object_get_issuer, METH_VARARGS),
+ Define_Method(setIssuer, crl_object_set_issuer, METH_VARARGS),
+ Define_Method(getThisUpdate, crl_object_get_this_update, METH_NOARGS),
+ Define_Method(setThisUpdate, crl_object_set_this_update, METH_VARARGS),
+ Define_Method(getNextUpdate, crl_object_get_next_update, METH_NOARGS),
+ Define_Method(setNextUpdate, crl_object_set_next_update, METH_VARARGS),
+ Define_Method(getRevoked, crl_object_get_revoked, METH_NOARGS),
+ Define_Method(addRevocations, crl_object_add_revocations, METH_VARARGS),
+ Define_Method(clearExtensions, crl_object_clear_extensions, METH_NOARGS),
+ Define_Method(pemWrite, crl_object_pem_write, METH_NOARGS),
+ Define_Method(derWrite, crl_object_der_write, METH_NOARGS),
+ Define_Method(pprint, crl_object_pprint, METH_NOARGS),
+ Define_Method(getAKI, crl_object_get_aki, METH_NOARGS),
+ Define_Method(setAKI, crl_object_set_aki, METH_VARARGS),
+ Define_Method(getCRLNumber, crl_object_get_crl_number, METH_NOARGS),
+ Define_Method(setCRLNumber, crl_object_set_crl_number, METH_VARARGS),
+ Define_Class_Method(pemRead, crl_object_pem_read, METH_VARARGS),
+ Define_Class_Method(pemReadFile, crl_object_pem_read_file, METH_VARARGS),
+ Define_Class_Method(derRead, crl_object_der_read, METH_VARARGS),
+ Define_Class_Method(derReadFile, crl_object_der_read_file, METH_VARARGS),
+ {NULL}
+};
- if (x509)
- X509_free(x509);
+static char POW_CRL_Type__doc__[] =
+ "Container for OpenSSL's X509 CRL management facilities.\n"
+ ;
- Py_XDECREF(x509_obj);
- return NULL;
-}
+static PyTypeObject POW_CRL_Type = {
+ PyObject_HEAD_INIT(0)
+ 0, /* ob_size */
+ "rpki.POW.CRL", /* tp_name */
+ sizeof(crl_object), /* tp_basicsize */
+ 0, /* tp_itemsize */
+ (destructor)crl_object_dealloc, /* tp_dealloc */
+ 0, /* tp_print */
+ 0, /* tp_getattr */
+ 0, /* tp_setattr */
+ 0, /* tp_compare */
+ 0, /* tp_repr */
+ 0, /* tp_as_number */
+ 0, /* tp_as_sequence */
+ 0, /* tp_as_mapping */
+ 0, /* tp_hash */
+ 0, /* tp_call */
+ 0, /* tp_str */
+ 0, /* tp_getattro */
+ 0, /* tp_setattro */
+ 0, /* tp_as_buffer */
+ Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE, /* tp_flags */
+ POW_CRL_Type__doc__, /* tp_doc */
+ 0, /* tp_traverse */
+ 0, /* tp_clear */
+ 0, /* tp_richcompare */
+ 0, /* tp_weaklistoffset */
+ 0, /* tp_iter */
+ 0, /* tp_iternext */
+ crl_object_methods, /* tp_methods */
+ 0, /* tp_members */
+ 0, /* tp_getset */
+ 0, /* tp_base */
+ 0, /* tp_dict */
+ 0, /* tp_descr_get */
+ 0, /* tp_descr_set */
+ 0, /* tp_dictoffset */
+ 0, /* tp_init */
+ 0, /* tp_alloc */
+ crl_object_new, /* tp_new */
+};
-static char ssl_object_clear__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Ssl</memberof>\n"
-" <name>clear</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method will clear the SSL session ready for\n"
-" a new SSL connection. It will not effect the underlying socket.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+
+
+/*
+ * Asymmetric object.
+ */
static PyObject *
-ssl_object_clear(ssl_object *self, PyObject *args)
+asymmetric_object_new(PyTypeObject *type, GCC_UNUSED PyObject *args, GCC_UNUSED PyObject *kwds)
{
- if (!PyArg_ParseTuple(args, ""))
- goto error;
+ asymmetric_object *self = NULL;
- if (!self->ctxset)
- lose("cannot be called before setFd()");
+ ENTERING(asymmetric_object_new);
- if (!SSL_clear(self->ssl))
- lose("failed to clear ssl connection");
+ if ((self = (asymmetric_object *) type->tp_alloc(type, 0)) == NULL)
+ goto error;
- if (self->x509_cb_err) {
- free(self->x509_cb_err);
- self->x509_cb_err = NULL;
- }
+ self->pkey = NULL;
- Py_RETURN_NONE;
+ return (PyObject *) self;
error:
+ Py_XDECREF(self);
return NULL;
}
-static char ssl_object_shutdown__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Ssl</memberof>\n"
-" <name>shutdown</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method will issue a <constant>shutdown</constant> signal to it's peer.\n"
-" If this connection's peer has already initiated a shutdown this call\n"
-" will succeed, otherwise it will raise and exception. In order to\n"
-" check the shutdown handshake was successful,\n"
-" <function>shutdown</function> must be called again. If no\n"
-" exception is raised, the handshake is complete.\n"
-" </para>\n"
-" <para>\n"
-" The odd\n"
-" implementation of this function reflects the underlying OpenSSL\n"
-" function, which reflects the SSL protocol. Although rasing an\n"
-" exception is a bit annoying, the alternative, returning true all\n"
-" false will not tell you why the call failed and the exception\n"
-" will, at least that is the theory. Look up the exact meaning\n"
-" of the exceptions in the OpenSSL man page SSL_get_error.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
-
-static PyObject *
-ssl_object_shutdown(ssl_object *self, PyObject *args)
+static int
+asymmetric_object_init(asymmetric_object *self, PyObject *args, PyObject *kwds)
{
- int ret = 0;
+ static char *kwlist[] = {"cipher", "key_size", NULL};
+ int cipher_type = RSA_CIPHER, key_size = 2048;
+ EVP_PKEY_CTX *ctx = NULL;
+ int ok = 0;
- if (!PyArg_ParseTuple(args, ""))
+ ENTERING(asymmetric_object_init);
+
+ if (!PyArg_ParseTupleAndKeywords(args, kwds, "|ii", kwlist, &cipher_type, &key_size))
goto error;
- if (!self->ctxset)
- lose("cannot be called before setFd()");
+ /*
+ * This silliness is necessary until we move this to an RSA-specific class method.
+ */
+ if (cipher_type != RSA_CIPHER)
+ lose("unsupported cipher");
- ret = SSL_shutdown(self->ssl);
+ if ((ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL)) == NULL ||
+ EVP_PKEY_keygen_init(ctx) <= 0 ||
+ EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, key_size) <= 0)
+ lose_openssl_error("Couldn't initialize EVP_PKEY_CTX");
/*
- * The original POW behavior here seems nuts to me. SSL_shutdown()
- * returns a tristate:
- *
- * 1: fully closed
- * 0: close notification sent, waiting for peer
- * -1: error, WANT_READ, or WANT_WRITE
- *
- * Doc claims the protocol allows us to bail on 0 return if we don't
- * want to wait. So the "obvious" thing to do here is return boolean
- * for 1 or 0 and raise an exception for -1. Original author's explanation
- * for why he didn't do that makes no sense to me, so I've changed it.
+ * Should set RSA_F4 for drill, although I think it's the default now.
+ * Looks like the call is
+ * int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp);
+ * while RSA_F4 is a plain C long integer, so would need to make a bignum (sigh),
+ * which is probably BN_new()/BN_set_word()/BN_free().
*/
- if (ret < 0)
- lose_ssl_error(self, ret);
+ EVP_PKEY_free(self->pkey);
+ self->pkey = NULL;
- return PyBool_FromLong(ret);
+ if (EVP_PKEY_keygen(ctx, &self->pkey) <= 0)
+ lose_openssl_error("Couldn't generate new RSA key");
+
+ ok = 1;
error:
+ EVP_PKEY_CTX_free(ctx);
- return NULL;
+ if (ok)
+ return 0;
+ else
+ return -1;
}
-static char ssl_object_get_shutdown__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Ssl</memberof>\n"
-" <name>getShutdown</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This function returns an integer indicating the state of the\n"
-" SSL connection. <constant>SSL_RECEIVED_SHUTDOWN</constant>\n"
-" will be set the if it's peer sends a <constant>shutdown</constant>\n"
-" signal or the underlying socket\n"
-" receives a close notify . The possible values are:\n"
-" </para>\n"
-" <simplelist>\n"
-" <member><constant>SSL_NO_SHUTDOWN</constant></member>\n"
-" <member><constant>SSL_SENT_SHUTDOWN</constant></member>\n"
-" <member><constant>SSL_RECEIVED_SHUTDOWN</constant></member>\n"
-" <member><constant>SSL_SENT_SHUTDOWN</constant> | <constant>SSL_RECEIVED_SHUTDOWN</constant></member>\n"
-" </simplelist>\n"
-" </body>\n"
-"</method>\n"
-;
+static void
+asymmetric_object_dealloc(asymmetric_object *self)
+{
+ ENTERING(asymmetric_object_dealloc);
+ EVP_PKEY_free(self->pkey);
+ self->ob_type->tp_free((PyObject*) self);
+}
static PyObject *
-ssl_object_get_shutdown(ssl_object *self, PyObject *args)
+asymmetric_object_pem_read_private_helper(PyTypeObject *type, BIO *bio, char *pass)
{
- int state = 0;
+ asymmetric_object *self = NULL;
- if (!PyArg_ParseTuple(args, ""))
- goto error;
+ ENTERING(asymmetric_object_pem_read_private_helper);
- if (!self->ctxset)
- lose("cannot be called before setFd()");
+ if ((self = (asymmetric_object *) asymmetric_object_new(type, NULL, NULL)) == NULL)
+ goto error;
- state = SSL_get_shutdown(self->ssl);
+ if (!PEM_read_bio_PrivateKey(bio, &self->pkey, NULL, pass))
+ lose_openssl_error("Couldn't load private key");
- return Py_BuildValue("i", state);
+ return (PyObject *) self;
error:
-
+ Py_XDECREF(self);
return NULL;
}
-static char ssl_object_get_ciphers__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Ssl</memberof>\n"
-" <name>getCiphers</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This function returns a list of available ciphers ordered from\n"
-" most favored to least. This function must be called after\n"
-" <function>setFd</function>.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+/*
+ * We can't use the generic read_from_*_helper() functions here
+ * because of optional the PEM password, so we just code the two PEM
+ * read cases for private keys directly. Other than the passphrase,
+ * code is pretty much the same as the generic functions.
+ */
+
+static char asymmetric_object_pem_read_private__doc__[] =
+ "Read a PEM-encoded private key from a string.\n"
+ "\n"
+ "Optional second argument is a passphrase for the key.\n"
+ ;
static PyObject *
-ssl_object_get_ciphers(ssl_object *self, PyObject *args)
+asymmetric_object_pem_read_private(PyTypeObject *type, PyObject *args)
{
- int i = 0;
- const char *cipher = NULL;
- PyObject *list = NULL, *name = NULL;
+ PyObject *result = NULL;
+ char *pass = NULL;
+ char *src = NULL;
+ BIO *bio = NULL;
+ int len = 0;
- if (!PyArg_ParseTuple(args, ""))
- goto error;
+ ENTERING(asymmetric_object_pem_read_private);
- if (!self->ctxset)
- lose("cannot be called before setFd()");
+ if (!PyArg_ParseTuple(args, "s#|s", &src, &len, &pass))
+ goto error;
- list = PyList_New(0);
+ if ((bio = BIO_new_mem_buf(src, len)) == NULL)
+ lose_no_memory();
- cipher = SSL_get_cipher_list(self->ssl, 0);
- while (cipher) {
- if ((name = PyString_FromString(cipher)) == NULL)
- goto error;
- if (PyList_Append(list, name) != 0)
- goto error;
- Py_XDECREF(name);
- name = NULL;
- cipher = SSL_get_cipher_list(self->ssl, ++i);
- }
- return list;
+ result = asymmetric_object_pem_read_private_helper(type, bio, pass);
error:
-
- Py_XDECREF(name);
- Py_XDECREF(list);
- return NULL;
+ BIO_free(bio);
+ return result;
}
-static char ssl_object_set_ciphers__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Ssl</memberof>\n"
-" <name>setCiphers</name>\n"
-" <parameter>ciphers</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" <function>setCiphers</function>\n"
-" can help protect against certain types of attacks which try to\n"
-" coerce the server, client or both to negotiate a weak cipher.\n"
-" <parameter>ciphers</parameter> should be a list of strings, as\n"
-" produced by <function>getCiphers</function> and described in the\n"
-" OpenSSL man page ciphers. <function>setCiphers</function> should\n"
-" only be called after <function>setFd</function>.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char asymmetric_object_pem_read_private_file__doc__[] =
+ "Read a PEM-encoded private key from a file.\n"
+ "\n"
+ "Optional second argument is a passphrase for the key.\n"
+ ;
static PyObject *
-ssl_object_set_ciphers(ssl_object *self, PyObject *args)
+asymmetric_object_pem_read_private_file(PyTypeObject *type, PyObject *args)
{
- PyObject *ciphers = NULL;
- PyObject *cipher = NULL;
- int size = 0, cipherstrlen = 0, nextstrlen = 0, i = 0;
- char *cipherstr = NULL;
+ const char *filename = NULL;
+ PyObject *result = NULL;
+ char *pass = NULL;
+ BIO *bio = NULL;
+
+ ENTERING(asymmetric_object_pem_read_private_file);
- if (!PyArg_ParseTuple(args, "O", &ciphers))
+ if (!PyArg_ParseTuple(args, "s|s", &filename, &pass))
goto error;
- if (!PyList_Check(ciphers) && !PyTuple_Check(ciphers))
- lose_type_error("inapropriate type");
+ if ((bio = BIO_new_file(filename, "rb")) == NULL)
+ lose_openssl_error("Could not open file");
- if (!self->ctxset)
- lose("cannot be called before setFd()");
+ result = asymmetric_object_pem_read_private_helper(type, bio, pass);
- cipherstr = malloc(8); // Very bogus, realloc() dosn't work without some
- // previously allocated memory! Really should.
- memset(cipherstr, 0, 8);
- size = PySequence_Size(ciphers);
- for (i = 0; i < size; i++) {
- if ((cipher = PySequence_GetItem(ciphers, i)) == NULL)
- goto error;
+ error:
+ BIO_free(bio);
+ return result;
+}
- if (!PyString_Check(cipher))
- lose_type_error("inapropriate type");
+static PyObject *
+asymmetric_object_der_read_private_helper(PyTypeObject *type, BIO *bio)
+{
+ asymmetric_object *self = NULL;
- cipherstrlen = strlen(cipherstr);
- nextstrlen = strlen(PyString_AsString(cipher));
+ ENTERING(asymmetric_object_der_read_private_helper);
- if ((cipherstr = realloc(cipherstr, cipherstrlen + nextstrlen + 2)) == NULL)
- lose_type_error("could allocate memory");
+ if ((self = (asymmetric_object *) asymmetric_object_new(type, NULL, NULL)) == NULL)
+ goto error;
- if (cipherstrlen)
- strcat(cipherstr, ":\0");
+ if (!d2i_PrivateKey_bio(bio, &self->pkey))
+ lose_openssl_error("Couldn't load private key");
- strcat(cipherstr, PyString_AsString(cipher));
- Py_XDECREF(cipher);
- cipher = NULL;
- }
- SSL_set_cipher_list(self->ssl, cipherstr);
- free(cipherstr);
- Py_RETURN_NONE;
+ return (PyObject *) self;
error:
- if (cipherstr)
- free(cipherstr);
+ Py_XDECREF(self);
+ return NULL;
+}
- Py_XDECREF(cipher);
+static char asymmetric_object_der_read_private__doc__[] =
+ "Read a DER-encoded private key from a string.\n"
+ ;
- return NULL;
+static PyObject *
+asymmetric_object_der_read_private(PyTypeObject *type, PyObject *args)
+{
+ ENTERING(asymmetric_object_der_read_private);
+ return read_from_string_helper(asymmetric_object_der_read_private_helper, type, args);
}
-static char ssl_object_get_cipher__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Ssl</memberof>\n"
-" <name>getCipher</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This function returns the current cipher in use.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char asymmetric_object_der_read_private_file__doc__[] =
+ "Read a DER-encoded private key from a file.\n"
+ ;
static PyObject *
-ssl_object_get_cipher(ssl_object *self, PyObject *args)
+asymmetric_object_der_read_private_file(PyTypeObject *type, PyObject *args)
{
- if (!PyArg_ParseTuple(args, ""))
+ ENTERING(asymmetric_object_der_read_private_file);
+ return read_from_file_helper(asymmetric_object_der_read_private_helper, type, args);
+}
+
+static PyObject *
+asymmetric_object_pem_read_public_helper(PyTypeObject *type, BIO *bio)
+{
+ asymmetric_object *self = NULL;
+
+ ENTERING(asymmetric_object_pem_read_public_helper);
+
+ if ((self = (asymmetric_object *) asymmetric_object_new(type, NULL, NULL)) == NULL)
goto error;
- if (!self->ctxset)
- lose("cannot be called before setFd()");
+ if (!PEM_read_bio_PUBKEY(bio, &self->pkey, NULL, NULL))
+ lose_openssl_error("Couldn't load public key");
- return Py_BuildValue("s", SSL_get_cipher(self->ssl));
+ return (PyObject *) self;
error:
-
+ Py_XDECREF(self);
return NULL;
}
-static int ssl_object_verify_callback(X509_STORE_CTX *ctx, void *arg)
+static PyObject *
+asymmetric_object_der_read_public_helper(PyTypeObject *type, BIO *bio)
{
- ssl_object *self = arg;
- int ok;
+ asymmetric_object *self = NULL;
- if (self->trusted_certs)
- X509_STORE_CTX_trusted_stack(ctx, self->trusted_certs);
+ ENTERING(asymmetric_object_der_read_public_helper);
- if (self->x509_cb_err) {
- free(self->x509_cb_err);
- self->x509_cb_err = NULL;
- }
+ if ((self = (asymmetric_object *) asymmetric_object_new(type, NULL, NULL)) == NULL)
+ goto error;
- ok = X509_verify_cert(ctx) == 1;
+ if (!d2i_PUBKEY_bio(bio, &self->pkey))
+ lose_openssl_error("Couldn't load public key");
- if (!ok) {
+ return (PyObject *) self;
- /*
- * We probably should be pushing out structured Python data here
- * rather than a string, but we're pretty deep in the OpenSSL call
- * chain at this point and I'd rather not risk whacky interactions
- * with the Python garbage collector. Try this kludge initially,
- * rewrite as something better later if it looks worth the effort.
- */
+ error:
- BIO *b = BIO_new(BIO_s_mem());
- char *buf = NULL;
- int len;
-
- if (!b)
- goto fail;
-
- BIO_puts(b, "TLS validation failure:\n\n");
-
- if (self->trusted_certs) {
- int i;
- BIO_puts(b, "Trusted cert stack\n");
- for (i = 0; i < sk_X509_num(self->trusted_certs); i++) {
- X509 *x = sk_X509_value(self->trusted_certs, i);
- BIO_printf(b, "[%d] ", i);
- if (x)
- X509_print(b, x);
- else
- BIO_puts(b, "<NULL>!\n");
- }
- } else {
- BIO_puts(b, "No trusted cert stack\n");
- }
+ Py_XDECREF(self);
+ return NULL;
+}
- BIO_printf(b,
- "\nX509_verify_cert() error: error depth %d error %d current_cert %p current_issuer %p current_crl %p: %s\n",
- ctx->error_depth,
- ctx->error,
- ctx->current_cert,
- ctx->current_issuer,
- ctx->current_crl,
- X509_verify_cert_error_string(ctx->error));
- if (ctx->current_cert)
- X509_print(b, ctx->current_cert);
-
- /* This seems to be returning garbage, don't know why */
- if (ctx->current_issuer)
- X509_print(b, ctx->current_issuer);
-
- if ((len = BIO_ctrl_pending(b)) == 0 || (buf = malloc(len + 1)) == NULL)
- goto fail;
-
- if (BIO_read(b, buf, len) == len) {
- buf[len] = '\0';
- self->x509_cb_err = buf;
- } else {
- free(buf);
- }
+static char asymmetric_object_pem_read_public__doc__[] =
+ "Read a PEM-encoded public key from a string.\n"
+ ;
- fail:
- BIO_free(b);
- }
+static PyObject *
+asymmetric_object_pem_read_public(PyTypeObject *type, PyObject *args)
+{
+ ENTERING(asymmetric_object_pem_read_public);
+ return read_from_string_helper(asymmetric_object_pem_read_public_helper, type, args);
+}
- return ok;
+static char asymmetric_object_pem_read_public_file__doc__[] =
+ "Read a PEM-encoded public key from a file.\n"
+ ;
+
+static PyObject *
+asymmetric_object_pem_read_public_file(PyTypeObject *type, PyObject *args)
+{
+ ENTERING(asymmetric_object_pem_read_public_file);
+ return read_from_file_helper(asymmetric_object_pem_read_public_helper, type, args);
}
-static char ssl_object_set_verify_mode__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Ssl</memberof>\n"
-" <name>setVerifyMode</name>\n"
-" <parameter>mode</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This function sets the behavior of the SSL handshake. The\n"
-" parameter <parameter>mode</parameter> should be one of the\n"
-" following:\n"
-" </para>\n"
-" <simplelist>\n"
-" <member><constant>SSL_VERIFY_NONE</constant></member>\n"
-" <member><constant>SSL_VERIFY_PEER</constant></member>\n"
-" <member><constant>SSL_VERIFY_PEER</constant> |\n"
-" <constant>SSL_VERIFY_FAIL_IF_NO_PEER_CERT</constant></member>\n"
-" </simplelist>\n"
-" <para>\n"
-" See the OpenSSL man page <function>SSL_CTX_set_verify</function>\n"
-" for details. This function must be called after <function>setfd</function>\n"
-" has been called.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char asymmetric_object_der_read_public__doc__[] =
+ "Read a DER-encoded public key from a string.\n"
+ ;
+
+static PyObject *
+asymmetric_object_der_read_public(PyTypeObject *type, PyObject *args)
+{
+ ENTERING(asymmetric_object_der_read_public);
+ return read_from_string_helper(asymmetric_object_der_read_public_helper, type, args);
+}
+
+static char asymmetric_object_der_read_public_file__doc__[] =
+ "Read a DER-encoded public key from a file.\n"
+ ;
static PyObject *
-ssl_object_set_verify_mode(ssl_object *self, PyObject *args)
+asymmetric_object_der_read_public_file(PyTypeObject *type, PyObject *args)
{
- int mode = 0;
+ ENTERING(asymmetric_object_der_read_public_file);
+ return read_from_file_helper(asymmetric_object_der_read_public_helper, type, args);
+}
+
+static char asymmetric_object_pem_write_private__doc__[] =
+ "Return the PEM encoding of an \"Asymmetric\" private key.\n"
+ "\n"
+ "This method takes an optional parameter \"passphrase\" which, if\n"
+ "specified, will be used to encrypt the private key with AES-256-CBC.\n"
+ "\n"
+ "If you don't specify a passphrase, the key will not be encrypted.\n"
+ ;
- if (!PyArg_ParseTuple(args, "i", &mode))
+static PyObject *
+asymmetric_object_pem_write_private(asymmetric_object *self, PyObject *args)
+{
+ PyObject *result = NULL;
+ char *passphrase = NULL;
+ const EVP_CIPHER *evp_method = NULL;
+ BIO *bio = NULL;
+
+ ENTERING(asymmetric_object_pem_write_private);
+
+ if (!PyArg_ParseTuple(args, "|s", &passphrase))
goto error;
- if (self->ctxset)
- lose("cannot be called after setfd()");
+ if ((bio = BIO_new(BIO_s_mem())) == NULL)
+ lose_no_memory();
- SSL_CTX_set_verify(self->ctx, mode, NULL);
+ if (passphrase)
+ evp_method = EVP_aes_256_cbc();
- Py_RETURN_NONE;
+ if (!PEM_write_bio_PrivateKey(bio, self->pkey, evp_method, NULL, 0, NULL, passphrase))
+ lose_openssl_error("Unable to write key");
- error:
+ result = BIO_to_PyString_helper(bio);
- return NULL;
+ error: /* Fall through */
+ BIO_free(bio);
+ return result;
}
-static struct PyMethodDef ssl_object_methods[] = {
- {"useCertificate", (PyCFunction)ssl_object_use_certificate, METH_VARARGS, NULL},
- {"addCertificate", (PyCFunction)ssl_object_add_certificate, METH_VARARGS, NULL},
- {"addTrust", (PyCFunction)ssl_object_add_trust, METH_VARARGS, NULL},
- {"useKey", (PyCFunction)ssl_object_use_key, METH_VARARGS, NULL},
- {"checkKey", (PyCFunction)ssl_object_check_key, METH_VARARGS, NULL},
- {"setFd", (PyCFunction)ssl_object_set_fd, METH_VARARGS, NULL},
- {"fileno", (PyCFunction)ssl_object_fileno, METH_VARARGS, NULL},
- {"connect", (PyCFunction)ssl_object_connect, METH_VARARGS, NULL},
- {"accept", (PyCFunction)ssl_object_accept, METH_VARARGS, NULL},
- {"write", (PyCFunction)ssl_object_write, METH_VARARGS, NULL},
- {"read", (PyCFunction)ssl_object_read, METH_VARARGS, NULL},
- {"peerCertificate", (PyCFunction)ssl_object_peer_certificate, METH_VARARGS, NULL},
- {"clear", (PyCFunction)ssl_object_clear, METH_VARARGS, NULL},
- {"shutdown", (PyCFunction)ssl_object_shutdown, METH_VARARGS, NULL},
- {"getShutdown", (PyCFunction)ssl_object_get_shutdown, METH_VARARGS, NULL},
- {"getCiphers", (PyCFunction)ssl_object_get_ciphers, METH_VARARGS, NULL},
- {"setCiphers", (PyCFunction)ssl_object_set_ciphers, METH_VARARGS, NULL},
- {"getCipher", (PyCFunction)ssl_object_get_cipher, METH_VARARGS, NULL},
- {"setVerifyMode", (PyCFunction)ssl_object_set_verify_mode, METH_VARARGS, NULL},
-
- {NULL} /* sentinel */
-};
+static char asymmetric_object_pem_write_public__doc__[] =
+ "Return the PEM encoding of an \"Asymmetric\" public key.\n"
+ ;
-static ssl_object *
-newssl_object(int type)
+static PyObject *
+asymmetric_object_pem_write_public(asymmetric_object *self)
{
- ssl_object *self;
- const SSL_METHOD *method;
+ PyObject *result = NULL;
+ BIO *bio = NULL;
+ ENTERING(asymmetric_object_pem_write_public);
- if ((self = PyObject_NEW(ssl_object, &ssltype)) == NULL)
- goto error;
+ if ((bio = BIO_new(BIO_s_mem())) == NULL)
+ lose_no_memory();
- self->ctxset = 0;
- self->ssl = NULL;
- self->trusted_certs = NULL;
- self->x509_cb_err = NULL;
-
- switch (type) {
- case SSLV2_SERVER_METHOD: method = SSLv2_server_method(); break;
- case SSLV2_CLIENT_METHOD: method = SSLv2_client_method(); break;
- case SSLV2_METHOD: method = SSLv2_method(); break;
- case SSLV3_SERVER_METHOD: method = SSLv3_server_method(); break;
- case SSLV3_CLIENT_METHOD: method = SSLv3_client_method(); break;
- case SSLV3_METHOD: method = SSLv3_method(); break;
- case TLSV1_SERVER_METHOD: method = TLSv1_server_method(); break;
- case TLSV1_CLIENT_METHOD: method = TLSv1_client_method(); break;
- case TLSV1_METHOD: method = TLSv1_method(); break;
- case SSLV23_SERVER_METHOD: method = SSLv23_server_method(); break;
- case SSLV23_CLIENT_METHOD: method = SSLv23_client_method(); break;
- case SSLV23_METHOD: method = SSLv23_method(); break;
+ if (!PEM_write_bio_PUBKEY(bio, self->pkey))
+ lose_openssl_error("Unable to write key");
- default:
- lose("unknown ctx method");
- }
+ result = BIO_to_PyString_helper(bio);
- if ((self->ctx = SSL_CTX_new(method)) == NULL)
- lose("unable to create new ctx");
+ error: /* Fall through */
+ BIO_free(bio);
+ return result;
+}
- SSL_CTX_set_cert_verify_callback(self->ctx, ssl_object_verify_callback, self);
+static char asymmetric_object_der_write_private__doc__[] =
+ "Return the DER encoding of an \"Asymmetric\" private key.\n"
+ ;
- return self;
+static PyObject *
+asymmetric_object_der_write_private(asymmetric_object *self)
+{
+ PyObject *result = NULL;
+ BIO *bio = NULL;
- error:
+ ENTERING(asymmetric_object_der_write_private);
- Py_XDECREF(self);
- return NULL;
+ if ((bio = BIO_new(BIO_s_mem())) == NULL)
+ lose_no_memory();
+
+ if (!i2d_PrivateKey_bio(bio, self->pkey))
+ lose_openssl_error("Unable to write private key");
+
+ result = BIO_to_PyString_helper(bio);
+
+ error: /* Fall through */
+ BIO_free(bio);
+ return result;
}
+static char asymmetric_object_der_write_public__doc__[] =
+ "Return the DER encoding of an \"Asymmetric\" public key.\n"
+ ;
+
static PyObject *
-ssl_object_getattr(ssl_object *self, char *name)
+asymmetric_object_der_write_public(asymmetric_object *self)
{
- return Py_FindMethod(ssl_object_methods, (PyObject *)self, name);
-}
+ PyObject *result = NULL;
+ BIO *bio = NULL;
-static void
-ssl_object_dealloc(ssl_object *self)
-{
- SSL_free(self->ssl);
- SSL_CTX_free(self->ctx);
- if (self->trusted_certs)
- sk_X509_pop_free(self->trusted_certs, X509_free);
- if (self->x509_cb_err)
- free(self->x509_cb_err);
- PyObject_Del(self);
-}
-
-static char ssltype__doc__[] =
-"<class>\n"
-" <header>\n"
-" <name>Ssl</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This class provides access to the Secure Socket Layer\n"
-" functionality of OpenSSL. It is designed to be a simple as\n"
-" possible to use and is not designed for high performance\n"
-" applications which handle many simultaneous connections. The\n"
-" original motivation for writing this library was to provide a\n"
-" security layer for network agents written in Python, for this\n"
-" application, good performance with multiple concurrent connections\n"
-" is not an issue.\n"
-" </para>\n"
-" </body>\n"
-"</class>\n"
-;
+ ENTERING(asymmetric_object_der_write_public);
-static PyTypeObject ssltype = {
- PyObject_HEAD_INIT(0)
- 0, /*ob_size*/
- "Ssl", /*tp_name*/
- sizeof(ssl_object), /*tp_basicsize*/
- 0, /*tp_itemsize*/
- (destructor)ssl_object_dealloc, /*tp_dealloc*/
- (printfunc)0, /*tp_print*/
- (getattrfunc)ssl_object_getattr, /*tp_getattr*/
- (setattrfunc)0, /*tp_setattr*/
- (cmpfunc)0, /*tp_compare*/
- (reprfunc)0, /*tp_repr*/
- 0, /*tp_as_number*/
- 0, /*tp_as_sequence*/
- 0, /*tp_as_mapping*/
- (hashfunc)0, /*tp_hash*/
- (ternaryfunc)0, /*tp_call*/
- (reprfunc)0, /*tp_str*/
- 0,
- 0,
- 0,
- 0,
- ssltype__doc__ /* Documentation string */
-};
-/*========== ssl Object ==========*/
+ if ((bio = BIO_new(BIO_s_mem())) == NULL)
+ lose_no_memory();
-/*========== asymmetric Object ==========*/
-static asymmetric_object *
-asymmetric_object_new(int cipher_type, int key_size)
-{
- asymmetric_object *self = NULL;
+ if (!i2d_PUBKEY_bio(bio, self->pkey))
+ lose_openssl_error("Unable to write public key");
- self = PyObject_New(asymmetric_object, &asymmetrictype);
- if (self == NULL)
- goto error;
+ result = BIO_to_PyString_helper(bio);
- if (cipher_type != RSA_CIPHER)
- lose("unsupported cipher");
+ error: /* Fall through */
+ BIO_free(bio);
+ return result;
+}
- if ((self->cipher = RSA_generate_key(key_size,RSA_F4,NULL,NULL)) == NULL)
- lose("could not generate key");
+static char asymmetric_object_calculate_ski__doc__[] =
+ "Calculate SKI value for this key.\n"
+ "\n"
+ "The SKI is the SHA-1 hash of key's SubjectPublicKey value.\n"
+ ;
- self->key_type = RSA_PRIVATE_KEY;
- self->cipher_type = RSA_CIPHER;
+static PyObject *
+asymmetric_object_calculate_ski(asymmetric_object *self)
+{
+ PyObject *result = NULL;
+ X509_PUBKEY *pubkey = NULL;
+ unsigned char digest[EVP_MAX_MD_SIZE];
+ unsigned digest_length;
- return self;
+ ENTERING(asymmetric_object_calculate_ski);
- error:
+ if (!X509_PUBKEY_set(&pubkey, self->pkey))
+ lose_openssl_error("Couldn't extract public key");
- Py_XDECREF(self);
- return NULL;
+ if (!EVP_Digest(pubkey->public_key->data, pubkey->public_key->length,
+ digest, &digest_length, EVP_sha1(), NULL))
+ lose_openssl_error("Couldn't calculate SHA-1 digest of public key");
+
+ result = PyString_FromStringAndSize((char *) digest, digest_length);
+
+ error:
+ X509_PUBKEY_free(pubkey);
+ return result;
}
-static asymmetric_object *
-asymmetric_object_pem_read(int key_type, BIO *in, char *pass)
-{
- asymmetric_object *self = NULL;
+static struct PyMethodDef asymmetric_object_methods[] = {
+ Define_Method(pemWritePrivate, asymmetric_object_pem_write_private, METH_VARARGS),
+ Define_Method(pemWritePublic, asymmetric_object_pem_write_public, METH_NOARGS),
+ Define_Method(derWritePrivate, asymmetric_object_der_write_private, METH_NOARGS),
+ Define_Method(derWritePublic, asymmetric_object_der_write_public, METH_NOARGS),
+ Define_Method(calculateSKI, asymmetric_object_calculate_ski, METH_NOARGS),
+ Define_Class_Method(pemReadPublic, asymmetric_object_pem_read_public, METH_VARARGS),
+ Define_Class_Method(pemReadPublicFile, asymmetric_object_pem_read_public_file, METH_VARARGS),
+ Define_Class_Method(derReadPublic, asymmetric_object_der_read_public, METH_VARARGS),
+ Define_Class_Method(derReadPublicFile, asymmetric_object_der_read_public_file, METH_VARARGS),
+ Define_Class_Method(pemReadPrivate, asymmetric_object_pem_read_private, METH_VARARGS),
+ Define_Class_Method(pemReadPrivateFile, asymmetric_object_pem_read_private_file, METH_VARARGS),
+ Define_Class_Method(derReadPrivate, asymmetric_object_der_read_private, METH_VARARGS),
+ Define_Class_Method(derReadPrivateFile, asymmetric_object_der_read_private_file, METH_VARARGS),
+ {NULL}
+};
- self = PyObject_New(asymmetric_object, &asymmetrictype);
- if (self == NULL)
- goto error;
+static char POW_Asymmetric_Type__doc__[] =
+ "Container for OpenSSL's EVP_PKEY asymmetric key classes.\n"
+ "\n"
+ "At the moment the only supported algorithm is RSA, but that will\n"
+ "likely change, as BGPSEC will require EC-DSA.\n"
+ "\n"
+ LAME_DISCLAIMER_IN_ALL_CLASS_DOCUMENTATION
+ ;
- switch (key_type) {
+static PyTypeObject POW_Asymmetric_Type = {
+ PyObject_HEAD_INIT(0)
+ 0, /* ob_size */
+ "rpki.POW.Asymmetric", /* tp_name */
+ sizeof(asymmetric_object), /* tp_basicsize */
+ 0, /* tp_itemsize */
+ (destructor)asymmetric_object_dealloc, /* tp_dealloc */
+ 0, /* tp_print */
+ 0, /* tp_getattr */
+ 0, /* tp_setattr */
+ 0, /* tp_compare */
+ 0, /* tp_repr */
+ 0, /* tp_as_number */
+ 0, /* tp_as_sequence */
+ 0, /* tp_as_mapping */
+ 0, /* tp_hash */
+ 0, /* tp_call */
+ 0, /* tp_str */
+ 0, /* tp_getattro */
+ 0, /* tp_setattro */
+ 0, /* tp_as_buffer */
+ Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE, /* tp_flags */
+ POW_Asymmetric_Type__doc__, /* tp_doc */
+ 0, /* tp_traverse */
+ 0, /* tp_clear */
+ 0, /* tp_richcompare */
+ 0, /* tp_weaklistoffset */
+ 0, /* tp_iter */
+ 0, /* tp_iternext */
+ asymmetric_object_methods, /* tp_methods */
+ 0, /* tp_members */
+ 0, /* tp_getset */
+ 0, /* tp_base */
+ 0, /* tp_dict */
+ 0, /* tp_descr_get */
+ 0, /* tp_descr_set */
+ 0, /* tp_dictoffset */
+ (initproc) asymmetric_object_init, /* tp_init */
+ 0, /* tp_alloc */
+ asymmetric_object_new, /* tp_new */
+};
- case RSA_PUBLIC_KEY:
- if ((self->cipher = PEM_read_bio_RSA_PUBKEY(in, NULL, NULL, NULL)) == NULL)
- lose("could not load public key");
- self->key_type = RSA_PUBLIC_KEY;
- self->cipher_type = RSA_CIPHER;
- break;
+
- case RSA_PRIVATE_KEY:
- if ((self->cipher = PEM_read_bio_RSAPrivateKey(in, NULL, NULL, pass)) == NULL)
- lose("could not load private key");
- self->key_type = RSA_PRIVATE_KEY;
- self->cipher_type = RSA_CIPHER;
- break;
+/*
+ * Digest object.
+ */
- default:
- lose("unknown key type");
- }
+static PyObject *
+digest_object_new(PyTypeObject *type, GCC_UNUSED PyObject *args, GCC_UNUSED PyObject *kwds)
+{
+ digest_object *self = NULL;
- return self;
+ ENTERING(digest_object_new);
- error:
+ if ((self = (digest_object *) type->tp_alloc(type, 0)) == NULL)
+ goto error;
- Py_XDECREF(self);
+ self->digest_type = 0;
+
+ return (PyObject *) self;
+
+ error:
return NULL;
}
-static asymmetric_object *
-asymmetric_object_der_read(int key_type, unsigned char *src, int len)
+static int
+digest_object_init(digest_object *self, PyObject *args, PyObject *kwds)
{
- asymmetric_object *self = NULL;
- unsigned char *ptr = src;
+ static char *kwlist[] = {"digest_type", NULL};
+ const EVP_MD *digest_method = NULL;
+ int digest_type = 0;
+
+ ENTERING(digest_object_init);
- self = PyObject_New(asymmetric_object, &asymmetrictype);
- if (self == NULL)
+ if (!PyArg_ParseTupleAndKeywords(args, kwds, "i", kwlist, &digest_type))
goto error;
- switch (key_type) {
- case RSA_PUBLIC_KEY:
+ if ((digest_method = evp_digest_factory(digest_type)) == NULL)
+ lose("Unsupported digest algorithm");
- if ((self->cipher = d2i_RSA_PUBKEY(NULL, (const unsigned char **) &ptr, len)) == NULL)
- lose("could not load public key");
+ self->digest_type = digest_type;
+ if (!EVP_DigestInit(&self->digest_ctx, digest_method))
+ lose_openssl_error("Couldn't initialize digest");
- self->key_type = RSA_PUBLIC_KEY;
- self->cipher_type = RSA_CIPHER;
- break;
+ return 0;
- case RSA_PRIVATE_KEY:
+ error:
+ return -1;
+}
- if ((self->cipher = d2i_RSAPrivateKey(NULL, (const unsigned char **) &ptr, len)) == NULL)
- lose("could not load private key");
+static void
+digest_object_dealloc(digest_object *self)
+{
+ ENTERING(digest_object_dealloc);
+ EVP_MD_CTX_cleanup(&self->digest_ctx);
+ self->ob_type->tp_free((PyObject*) self);
+}
- self->key_type = RSA_PRIVATE_KEY;
- self->cipher_type = RSA_CIPHER;
- break;
+static char digest_object_update__doc__[] =
+ "Add data to this digest.\n"
+ "\n"
+ "the \"data\" parameter should be a string containing the data to be added.\n"
+ ;
- default:
- lose("unknown key type");
- }
+static PyObject *
+digest_object_update(digest_object *self, PyObject *args)
+{
+ char *data = NULL;
+ int len = 0;
- return self;
+ ENTERING(digest_object_update);
- error:
+ if (!PyArg_ParseTuple(args, "s#", &data, &len))
+ goto error;
- Py_XDECREF(self);
+ if (!EVP_DigestUpdate(&self->digest_ctx, data, len))
+ lose_openssl_error("EVP_DigestUpdate() failed");
+
+ Py_RETURN_NONE;
+
+ error:
return NULL;
}
-static char asymmetric_object_pem_write__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Asymmetric</memberof>\n"
-" <name>pemWrite</name>\n"
-" <parameter>keytype</parameter>\n"
-" <parameter>ciphertype = None</parameter>\n"
-" <parameter>passphrase = None</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method is used to write <classname>Asymmetric</classname>\n"
-" objects out as strings. The first argument should be either\n"
-" <constant>RSA_PUBLIC_KEY</constant> or\n"
-" <constant>RSA_PRIVATE_KEY</constant>. Private keys are often\n"
-" saved in encrypted files to offer extra security above access\n"
-" control mechanisms. If the <parameter>keytype</parameter> is\n"
-" <constant>RSA_PRIVATE_KEY</constant> a\n"
-" <parameter>ciphertype</parameter> and\n"
-" <parameter>passphrase</parameter> can also be specified. The\n"
-" <parameter>ciphertype</parameter> should be one of those listed in\n"
-" the <classname>Symmetric</classname> class section.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char digest_object_copy__doc__[] =
+ "Return a copy of this Digest object.\n"
+ ;
static PyObject *
-asymmetric_object_pem_write(asymmetric_object *self, PyObject *args)
+digest_object_copy(digest_object *self)
{
- int key_type = 0, cipher = 0, len = 0, ret = 0;
- char *kstr = NULL, *buf = NULL;
- BIO *out_bio = NULL;
- PyObject *asymmetric = NULL;
+ digest_object *new = NULL;
+
+ ENTERING(digest_object_copy);
- if (!PyArg_ParseTuple(args, "|iis", &key_type, &cipher, &kstr))
+ if ((new = (digest_object *) digest_object_new(&POW_Digest_Type, NULL, NULL)) == NULL)
goto error;
- if (key_type == 0)
- key_type = self->key_type;
+ new->digest_type = self->digest_type;
+ if (!EVP_MD_CTX_copy(&new->digest_ctx, &self->digest_ctx))
+ lose_openssl_error("Couldn't copy digest");
- if ((out_bio = BIO_new(BIO_s_mem())) == NULL)
- lose("unable to create new BIO");
+ return (PyObject*) new;
- if ((kstr && !cipher) || (cipher && !kstr))
- lose("cipher type and key string must both be supplied");
+ error:
- switch(key_type) {
+ Py_XDECREF(new);
+ return NULL;
+}
- case RSA_PRIVATE_KEY:
- if (kstr && cipher) {
- if (!PEM_write_bio_RSAPrivateKey(out_bio, self->cipher, evp_cipher_factory(cipher), NULL, 0, NULL, kstr))
- lose("unable to write key");
- }
- else {
- if (!PEM_write_bio_RSAPrivateKey(out_bio, self->cipher, NULL, NULL, 0, NULL, NULL))
- lose("unable to write key");
- }
- break;
+static char digest_object_digest__doc__[] =
+ "Return the digest of all the data which this Digest object has processed.\n"
+ "\n"
+ "This method can be called at any time and will not effect the internal\n"
+ "state of the Digest object.\n"
+ ;
- case RSA_PUBLIC_KEY:
- if (kstr && cipher)
- lose("public keys should not encrypted");
- else {
- if (!PEM_write_bio_RSA_PUBKEY(out_bio, self->cipher))
- lose("unable to write key");
- }
- break;
+/*
+ * Do we really need to do this copy? Nice general operation, but does
+ * anything we're doing for RPKI care?
+ */
- default:
- lose("unsupported key type");
- }
+static PyObject *
+digest_object_digest(digest_object *self)
+{
+ unsigned char digest_text[EVP_MAX_MD_SIZE];
+ EVP_MD_CTX ctx;
+ unsigned digest_len = 0;
- if ((len = BIO_ctrl_pending(out_bio)) == 0)
- lose("unable to get number of bytes in bio");
+ ENTERING(digest_object_digest);
- if ((buf = malloc(len)) == NULL)
- lose("unable to allocate memory");
+ if (!EVP_MD_CTX_copy(&ctx, &self->digest_ctx))
+ lose_openssl_error("Couldn't copy digest");
- if ((ret = BIO_read(out_bio, buf, len)) != len)
- lose("unable to write out key");
+ EVP_DigestFinal(&ctx, digest_text, &digest_len);
- asymmetric = Py_BuildValue("s#", buf, len);
+ EVP_MD_CTX_cleanup(&ctx);
- BIO_free(out_bio);
- free(buf);
- return asymmetric;
+ return Py_BuildValue("s#", digest_text, digest_len);
error:
+ return NULL;
+}
- if (out_bio);
- BIO_free(out_bio);
+static struct PyMethodDef digest_object_methods[] = {
+ Define_Method(update, digest_object_update, METH_VARARGS),
+ Define_Method(digest, digest_object_digest, METH_NOARGS),
+ Define_Method(copy, digest_object_copy, METH_NOARGS),
+ {NULL}
+};
- if (buf)
- free(buf);
+static char POW_Digest_Type__doc__[] =
+ "This class provides access to the digest functionality of OpenSSL.\n"
+ "It emulates the digest modules in the Python Standard Library, but\n"
+ "does not currently support the \"hexdigest\" method.\n"
+ "\n"
+ "The constructor takes one parameter, the kind of Digest object to create.\n"
+ "This should be one of the following:\n"
+ "\n"
+ " * MD5_DIGEST\n"
+ " * SHA_DIGEST\n"
+ " * SHA1_DIGEST\n"
+ " * SHA256_DIGEST\n"
+ " * SHA384_DIGEST\n"
+ " * SHA512_DIGEST\n"
+ ;
+
+static PyTypeObject POW_Digest_Type = {
+ PyObject_HEAD_INIT(0)
+ 0, /* ob_size */
+ "rpki.POW.Digest", /* tp_name */
+ sizeof(digest_object), /* tp_basicsize */
+ 0, /* tp_itemsize */
+ (destructor)digest_object_dealloc, /* tp_dealloc */
+ 0, /* tp_print */
+ 0, /* tp_getattr */
+ 0, /* tp_setattr */
+ 0, /* tp_compare */
+ 0, /* tp_repr */
+ 0, /* tp_as_number */
+ 0, /* tp_as_sequence */
+ 0, /* tp_as_mapping */
+ 0, /* tp_hash */
+ 0, /* tp_call */
+ 0, /* tp_str */
+ 0, /* tp_getattro */
+ 0, /* tp_setattro */
+ 0, /* tp_as_buffer */
+ Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE, /* tp_flags */
+ POW_Digest_Type__doc__, /* tp_doc */
+ 0, /* tp_traverse */
+ 0, /* tp_clear */
+ 0, /* tp_richcompare */
+ 0, /* tp_weaklistoffset */
+ 0, /* tp_iter */
+ 0, /* tp_iternext */
+ digest_object_methods, /* tp_methods */
+ 0, /* tp_members */
+ 0, /* tp_getset */
+ 0, /* tp_base */
+ 0, /* tp_dict */
+ 0, /* tp_descr_get */
+ 0, /* tp_descr_set */
+ 0, /* tp_dictoffset */
+ (initproc) digest_object_init, /* tp_init */
+ 0, /* tp_alloc */
+ digest_object_new, /* tp_new */
+};
+
+
+/*
+ * CMS object.
+ */
+
+static PyObject *
+cms_object_new(PyTypeObject *type, GCC_UNUSED PyObject *args, GCC_UNUSED PyObject *kwds)
+{
+ cms_object *self;
+
+ ENTERING(cms_object_new);
+
+ if ((self = (cms_object *) type->tp_alloc(type, 0)) != NULL)
+ return (PyObject *) self;
+
+ Py_XDECREF(self);
return NULL;
}
-static char asymmetric_object_der_write__doc__[] =
-"<method>"
-" <header>"
-" <memberof>Asymmetric</memberof>"
-" <name>derWrite</name>"
-" <parameter>keytype</parameter>"
-" </header>"
-" <body>"
-" <para>"
-" This method is used to write <classname>Asymmetric</classname>"
-" objects out as strings. The first argument should be either"
-" <constant>RSA_PUBLIC_KEY</constant> or "
-" <constant>RSA_PRIVATE_KEY</constant>."
-" </para>"
-" </body>"
-"</method>"
-;
+static void
+cms_object_dealloc(cms_object *self)
+{
+ ENTERING(cms_object_dealloc);
+ CMS_ContentInfo_free(self->cms);
+ self->ob_type->tp_free((PyObject*) self);
+}
static PyObject *
-asymmetric_object_der_write(asymmetric_object *self, PyObject *args)
+cms_object_pem_read_helper(PyTypeObject *type, BIO *bio)
{
- int len = 0, key_type = 0;
- unsigned char *buf = NULL, *p = NULL;
- PyObject *asymmetric = NULL;
+ cms_object *self;
+
+ ENTERING(cms_object_pem_read_helper);
- if (!PyArg_ParseTuple(args, "|i", &key_type))
+ if ((self = (cms_object *) type->tp_new(type, NULL, NULL)) == NULL)
goto error;
- if (key_type == 0)
- key_type = self->key_type;
+ if (!PEM_read_bio_CMS(bio, &self->cms, NULL, NULL))
+ lose_openssl_error("Couldn't load PEM encoded CMS message");
- switch(key_type) {
+ return (PyObject *) self;
- case RSA_PRIVATE_KEY:
- len = i2d_RSAPrivateKey(self->cipher, NULL);
- if ((buf = malloc(len)) == NULL)
- lose("could not allocate memory");
- p = buf;
- if (!i2d_RSAPrivateKey(self->cipher, &buf))
- lose("unable to write key");
- break;
+ error:
+ Py_XDECREF(self);
+ return NULL;
+}
- case RSA_PUBLIC_KEY:
- len = i2d_RSA_PUBKEY(self->cipher, NULL);
- if ((buf = malloc(len)) == NULL)
- lose("could not allocate memory");
- p = buf;
- if (!i2d_RSA_PUBKEY(self->cipher, &buf))
- lose("unable to write key");
- break;
+static PyObject *
+cms_object_der_read_helper(PyTypeObject *type, BIO *bio)
+{
+ cms_object *self;
- default:
- lose("unsupported key type");
- }
+ ENTERING(cms_object_der_read_helper);
- asymmetric = Py_BuildValue("s#", p, len);
+ if ((self = (cms_object *) type->tp_new(type, NULL, NULL)) == NULL)
+ goto error;
+
+ if (!d2i_CMS_bio(bio, &self->cms))
+ lose_openssl_error("Couldn't load DER encoded CMS message");
- free(p);
- return asymmetric;
+ return (PyObject *) self;
error:
+ Py_XDECREF(self);
+ return NULL;
+}
- if (p)
- free(p);
+static char cms_object_pem_read__doc__[] =
+ "Read a PEM-encoded CMS object from a string.\n"
+ ;
- return NULL;
+static PyObject *
+cms_object_pem_read(PyTypeObject *type, PyObject *args)
+{
+ ENTERING(cms_object_pem_read);
+ return read_from_string_helper(cms_object_pem_read_helper, type, args);
}
-static char asymmetric_object_public_encrypt__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Asymmetric</memberof>\n"
-" <name>publicEncrypt</name>\n"
-" <parameter>plaintext</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method is used to encrypt the <parameter>plaintext</parameter>\n"
-" using a public key. It should be noted; in practice this\n"
-" function would be used almost exclusively to encrypt symmetric cipher\n"
-" keys and not data since asymmetric cipher operations are very slow.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char cms_object_pem_read_file__doc__[] =
+ "Read a PEM-encoded CMS object from a file.\n"
+ ;
static PyObject *
-asymmetric_object_public_encrypt(asymmetric_object *self, PyObject *args)
+cms_object_pem_read_file(PyTypeObject *type, PyObject *args)
{
- unsigned char *plain_text = NULL, *cipher_text = NULL;
- int len = 0, size = 0;
- PyObject *obj = NULL;
+ ENTERING(cms_object_pem_read_file);
+ return read_from_file_helper(cms_object_pem_read_helper, type, args);
+}
- if (self->cipher_type != RSA_CIPHER)
- lose("unsupported cipher type");
+static char cms_object_der_read__doc__[] =
+ "Read a DER-encoded CMS object from a string.\n"
+ ;
- if (!PyArg_ParseTuple(args, "s#", &plain_text, &len))
- goto error;
+static PyObject *
+cms_object_der_read(PyTypeObject *type, PyObject *args)
+{
+ ENTERING(cms_object_der_read);
+ return read_from_string_helper(cms_object_der_read_helper, type, args);
+}
- size = RSA_size(self->cipher);
- if (len > size)
- lose("plain text is too long");
+static char cms_object_der_read_file__doc__[] =
+ "Read a DER-encoded CMS object from a file.\n"
+ ;
- if ((cipher_text = malloc(size + 16)) == NULL)
- lose("could not allocate memory");
+static PyObject *
+cms_object_der_read_file(PyTypeObject *type, PyObject *args)
+{
+ ENTERING(cms_object_der_read_file);
+ return read_from_file_helper(cms_object_der_read_helper, type, args);
+}
- if ((len = RSA_public_encrypt(len, plain_text, cipher_text, self->cipher, RSA_PKCS1_PADDING)) < 0)
- lose("could not encrypt plain text");
+static char cms_object_pem_write__doc__[] =
+ "Return the DER encoding of this CMS message.\n"
+ ;
- obj = Py_BuildValue("s#", cipher_text, len);
- free(cipher_text);
- return obj;
+static PyObject *
+cms_object_pem_write(cms_object *self)
+{
+ PyObject *result = NULL;
+ BIO *bio = NULL;
- error:
+ ENTERING(cms_object_pem_write);
- if (cipher_text)
- free(cipher_text);
+ if ((bio = BIO_new(BIO_s_mem())) == NULL)
+ lose_no_memory();
- return NULL;
+ if (!PEM_write_bio_CMS(bio, self->cms))
+ lose_openssl_error("Unable to write CMS object");
+
+ result = BIO_to_PyString_helper(bio);
+
+ error: /* Fall through */
+ BIO_free(bio);
+ return result;
}
-static char asymmetric_object_private_encrypt__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Asymmetric</memberof>\n"
-" <name>privateEncrypt</name>\n"
-" <parameter>plaintext</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method is used to encrypt the <parameter>plaintext</parameter>\n"
-" using a private key. It should be noted; in practice this\n"
-" function would be used almost exclusively to encrypt symmetric cipher\n"
-" keys and not data since asymmetric cipher operations are very slow.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char cms_object_der_write__doc__[] =
+ "Return the DER encoding of this CMS message.\n"
+ ;
static PyObject *
-asymmetric_object_private_encrypt(asymmetric_object *self, PyObject *args)
+cms_object_der_write(cms_object *self)
{
- unsigned char *plain_text = NULL, *cipher_text = NULL;
- int len = 0, size = 0;
- PyObject *obj = NULL;
+ PyObject *result = NULL;
+ BIO *bio = NULL;
+
+ ENTERING(cms_object_der_write);
+
+ if ((bio = BIO_new(BIO_s_mem())) == NULL)
+ lose_no_memory();
- if (self->key_type != RSA_PRIVATE_KEY)
- lose("cannot perform private encryption with this key");
+ if (!i2d_CMS_bio(bio, self->cms))
+ lose_openssl_error("Unable to write CMS object");
- if (!PyArg_ParseTuple(args, "s#", &plain_text, &len))
+ result = BIO_to_PyString_helper(bio);
+
+ error: /* Fall through */
+ BIO_free(bio);
+ return result;
+}
+
+static int
+cms_object_sign_helper(cms_object *self,
+ BIO *bio,
+ x509_object *signcert,
+ asymmetric_object *signkey,
+ PyObject *x509_sequence,
+ PyObject *crl_sequence,
+ char *oid,
+ unsigned flags)
+{
+ crl_object *crlobj = NULL;
+ STACK_OF(X509) *x509_stack = NULL;
+ int i, n, ok = 0;
+ CMS_ContentInfo *cms = NULL;
+ ASN1_OBJECT *econtent_type = NULL;
+
+ ENTERING(cms_object_sign_helper);
+
+ assert_no_unhandled_openssl_errors();
+
+ flags &= CMS_NOCERTS | CMS_NOATTR;
+ flags |= CMS_BINARY | CMS_NOSMIMECAP | CMS_PARTIAL | CMS_USE_KEYID;
+
+ if ((x509_stack = x509_helper_sequence_to_stack(x509_sequence)) == NULL)
goto error;
- size = RSA_size(self->cipher);
- if (len > size)
- lose("plain text is too long");
+ assert_no_unhandled_openssl_errors();
- if ((cipher_text = malloc(size + 16)) == NULL)
- lose("could not allocate memory");
+ if (oid && (econtent_type = OBJ_txt2obj(oid, 1)) == NULL)
+ lose_openssl_error("Couldn't parse OID");
- if ((len = RSA_private_encrypt(len, plain_text, cipher_text, self->cipher, RSA_PKCS1_PADDING)) < 0)
- lose("could not encrypt plain text");
+ assert_no_unhandled_openssl_errors();
- obj = Py_BuildValue("s#", cipher_text, len);
- free(cipher_text);
- return obj;
+ if ((cms = CMS_sign(NULL, NULL, x509_stack, bio, flags)) == NULL)
+ lose_openssl_error("Couldn't create CMS message");
- error:
+ assert_no_unhandled_openssl_errors();
- if (cipher_text)
- free(cipher_text);
+ if (econtent_type)
+ CMS_set1_eContentType(cms, econtent_type);
- return NULL;
-}
+ assert_no_unhandled_openssl_errors();
-static char asymmetric_object_public_decrypt__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Asymmetric</memberof>\n"
-" <name>publicDecrypt</name>\n"
-" <parameter>ciphertext</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method is used to decrypt the\n"
-" <parameter>ciphertext</parameter> which has been encrypted\n"
-" using the corresponding private key and the\n"
-" <function>privateEncrypt</function> function.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+ if (!CMS_add1_signer(cms, signcert->x509, signkey->pkey, EVP_sha256(), flags))
+ lose_openssl_error("Couldn't sign CMS message");
-static PyObject *
-asymmetric_object_public_decrypt(asymmetric_object *self, PyObject *args)
+ assert_no_unhandled_openssl_errors();
+
+ if (crl_sequence != Py_None) {
+
+ if (!PySequence_Check(crl_sequence))
+ lose_type_error("Inapropriate type");
+
+ n = PySequence_Size(crl_sequence);
+
+ for (i = 0; i < n; i++) {
+
+ if ((crlobj = (crl_object *) PySequence_GetItem(crl_sequence, i)) == NULL)
+ goto error;
+
+ if (!POW_CRL_Check(crlobj))
+ lose_type_error("Inappropriate type");
+
+ if (!crlobj->crl)
+ lose("CRL object with null CRL field!");
+
+ if (!CMS_add1_crl(cms, crlobj->crl))
+ lose_openssl_error("Couldn't add CRL to CMS");
+
+ assert_no_unhandled_openssl_errors();
+
+ Py_XDECREF(crlobj);
+ crlobj = NULL;
+ }
+ }
+
+ if (!CMS_final(cms, bio, NULL, flags))
+ lose_openssl_error("Couldn't finalize CMS signatures");
+
+ assert_no_unhandled_openssl_errors();
+
+ CMS_ContentInfo_free(self->cms);
+ self->cms = cms;
+ cms = NULL;
+
+ ok = 1;
+
+ error: /* fall through */
+ CMS_ContentInfo_free(cms);
+ sk_X509_free(x509_stack);
+ ASN1_OBJECT_free(econtent_type);
+ Py_XDECREF(crlobj);
+
+ return ok;
+}
+
+static char cms_object_sign__doc__[] =
+ "Sign this CMS message message with a private key.\n"
+ "\n"
+ "The \"signcert\" parameter should be the certificate against which the\n"
+ "message will eventually be verified, an X509 object.\n"
+ "\n"
+ "The \"key\" parameter should be the private key with which to sign the\n"
+ "message, an Asymmetric object.\n"
+ "\n"
+ "The \"data\" parameter should be the message to be signed, a string.\n"
+ "\n"
+ "The optional \"certs\" parameter should be a sequence of X509 objects\n"
+ "to be included in the signed message.\n"
+ "\n"
+ "The optional \"crls\" parameter should be a sequence of CRL objects\n"
+ "to be included in the signed message.\n"
+ "\n"
+ "The optional \"eContentType\" parameter should be an Object Identifier\n"
+ "to use as the eContentType value in the signed message.\n"
+ "\n"
+ "The optional \"flags\" parameters should be an integer holding a bitmask,\n"
+ "and can include the following flags:\n"
+ "\n"
+ " * CMS_NOCERTS\n"
+ " * CMS_NOATTR\n"
+ ;
+
+static PyObject *
+cms_object_sign(cms_object *self, PyObject *args)
{
- unsigned char *plain_text = NULL, *cipher_text = NULL;
- int len = 0, size = 0;
- PyObject *obj = NULL;
+ asymmetric_object *signkey = NULL;
+ x509_object *signcert = NULL;
+ PyObject *x509_sequence = Py_None;
+ PyObject *crl_sequence = Py_None;
+ char *buf = NULL, *oid = NULL;
+ int len;
+ unsigned flags = 0;
+ BIO *bio = NULL;
+ int ok = 0;
- if (self->cipher_type != RSA_CIPHER)
- lose("unsupported cipher type");
+ ENTERING(cms_object_sign);
- if (!PyArg_ParseTuple(args, "s#", &cipher_text, &len))
+ if (!PyArg_ParseTuple(args, "O!O!s#|OOsI",
+ &POW_X509_Type, &signcert,
+ &POW_Asymmetric_Type, &signkey,
+ &buf, &len,
+ &x509_sequence,
+ &crl_sequence,
+ &oid,
+ &flags))
goto error;
- size = RSA_size(self->cipher);
- if (len > size)
- lose("cipher text is too long");
+ assert_no_unhandled_openssl_errors();
- if ((plain_text = malloc(size + 16)) == NULL)
- lose("could not allocate memory");
+ if ((bio = BIO_new_mem_buf(buf, len)) == NULL)
+ lose_no_memory();
- if ((len = RSA_public_decrypt(len, cipher_text, plain_text, self->cipher, RSA_PKCS1_PADDING)) < 0)
- lose("could not decrypt cipher text");
+ assert_no_unhandled_openssl_errors();
- obj = Py_BuildValue("s#", plain_text, len);
- free(plain_text);
- return obj;
+ if (!cms_object_sign_helper(self, bio, signcert, signkey,
+ x509_sequence, crl_sequence, oid, flags))
+ lose_openssl_error("Couldn't sign CMS object");
- error:
+ assert_no_unhandled_openssl_errors();
- if (plain_text)
- free(plain_text);
+ ok = 1;
- return NULL;
-}
+ error:
+ BIO_free(bio);
-static char asymmetric_object_private_decrypt__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Asymmetric</memberof>\n"
-" <name>privateDecrypt</name>\n"
-" <parameter>ciphertext</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method is used to decrypt ciphertext which has been encrypted\n"
-" using the corresponding public key and the\n"
-" <function>publicEncrypt</function> function.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+ if (ok)
+ Py_RETURN_NONE;
+ else
+ return NULL;
+}
-static PyObject *
-asymmetric_object_private_decrypt(asymmetric_object *self, PyObject *args)
+static BIO *
+cms_object_verify_helper(cms_object *self, PyObject *args, PyObject *kwds)
{
- unsigned char *plain_text = NULL, *cipher_text = NULL;
- int len = 0, size = 0;
- PyObject *obj = NULL;
+ static char *kwlist[] = {"store", "certs", "flags", NULL};
+ x509_store_object *store = NULL;
+ PyObject *certs_sequence = Py_None;
+ STACK_OF(X509) *certs_stack = NULL;
+ unsigned flags = 0, ok = 0;
+ BIO *bio = NULL;
- if (self->key_type != RSA_PRIVATE_KEY)
- lose("cannot perform private decryption with this key");
+ ENTERING(cms_object_verify_helper);
- if (!PyArg_ParseTuple(args, "s#", &cipher_text, &len))
+ if (!PyArg_ParseTupleAndKeywords(args, kwds, "O!|OI", kwlist, &POW_X509Store_Type, &store, &certs_sequence, &flags))
goto error;
- size = RSA_size(self->cipher);
- if (len > size)
- lose("cipher text is too long");
+ if ((bio = BIO_new(BIO_s_mem())) == NULL)
+ lose_no_memory();
- if ((plain_text = malloc(size + 16)) == NULL)
- lose("could not allocate memory");
+ assert_no_unhandled_openssl_errors();
- if ((len = RSA_private_decrypt(len, cipher_text, plain_text, self->cipher, RSA_PKCS1_PADDING)) < 0)
- lose("could not decrypt cipher text");
+ flags &= (CMS_NOINTERN | CMS_NOCRL | CMS_NO_SIGNER_CERT_VERIFY |
+ CMS_NO_ATTR_VERIFY | CMS_NO_CONTENT_VERIFY);
- obj = Py_BuildValue("s#", plain_text, len);
- free(plain_text);
- return obj;
+ if (certs_sequence != Py_None &&
+ (certs_stack = x509_helper_sequence_to_stack(certs_sequence)) == NULL)
+ goto error;
- error:
+ assert_no_unhandled_openssl_errors();
+
+ if (CMS_verify(self->cms, certs_stack, store->store, NULL, bio, flags) <= 0)
+ lose_openssl_error("Couldn't verify CMS message");
- if (plain_text)
- free(plain_text);
+ assert_no_unhandled_openssl_errors();
+
+ ok = 1;
+
+ error: /* fall through */
+ sk_X509_free(certs_stack);
+
+ if (ok)
+ return bio;
+
+ BIO_free(bio);
return NULL;
}
-static char asymmetric_object_sign__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Asymmetric</memberof>\n"
-" <name>sign</name>\n"
-" <parameter>digesttext</parameter>\n"
-" <parameter>digesttype</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method is used to produce a signed digest text.\n"
-" This instance of\n"
-" <classname>Asymmetric</classname> should be a private key used for\n"
-" signing. The parameter\n"
-" <parameter>digesttext</parameter> should be a digest of the\n"
-" data to protect against alteration and\n"
-" finally <parameter>digesttype</parameter> should be one of the\n"
-" following:\n"
-" </para>\n"
-" <simplelist>\n"
-#ifndef OPENSSL_NO_MD2
-" <member><constant>MD2_DIGEST</constant></member>\n"
-#endif
-" <member><constant>MD5_DIGEST</constant></member>\n"
-" <member><constant>SHA_DIGEST</constant></member>\n"
-" <member><constant>SHA1_DIGEST</constant></member>\n"
-" <member><constant>RIPEMD160_DIGEST</constant></member>\n"
-" <member><constant>SHA256_DIGEST</constant></member>\n"
-" <member><constant>SHA384_DIGEST</constant></member>\n"
-" <member><constant>SHA512_DIGEST</constant></member>\n"
-" </simplelist>\n"
-" <para>\n"
-" If the procedure was successful, a string containing the signed\n"
-" digest is returned.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char cms_object_verify__doc__[] =
+ "Verify this CMS message against a trusted certificate store.\n"
+ "\n"
+ "The \"store\" parameter is an X509Store object, the trusted certificate\n"
+ "store to use in verification.\n"
+ "\n"
+ "The optional \"certs\" parameter is a set of certificates to search\n"
+ "for the signer's certificate.\n"
+ "\n"
+ "The optional \"flags\" parameter is an integer of bit flags,\n"
+ "containing zero or more of the following:\n"
+ "\n"
+ " * CMS_NOINTERN\n"
+ " * CMS_NOCRL\n"
+ " * CMS_NO_SIGNER_CERT_VERIFY\n"
+ " * CMS_NO_ATTR_VERIFY\n"
+ " * CMS_NO_CONTENT_VERIFY\n"
+ ;
+
+static PyObject *
+cms_object_verify(cms_object *self, PyObject *args, PyObject *kwds)
+{
+ PyObject *result = NULL;
+ BIO *bio = NULL;
+
+ ENTERING(cms_object_verify);
+
+ if ((bio = cms_object_verify_helper(self, args, kwds)) != NULL)
+ result = BIO_to_PyString_helper(bio);
+
+ BIO_free(bio);
+ return result;
+}
+
+static char cms_object_eContentType__doc__[] =
+ "Return the eContentType OID of this CMS message.\n"
+ ;
static PyObject *
-asymmetric_object_sign(asymmetric_object *self, PyObject *args)
+cms_object_eContentType(cms_object *self)
{
- unsigned char *digest_text = NULL, *signed_text = NULL;
- unsigned int digest_len = 0, digest_type = 0, digest_nid = 0, signed_len = 0;
- PyObject *obj = NULL;
+ const ASN1_OBJECT *oid = NULL;
+ PyObject *result = NULL;
- if (!PyArg_ParseTuple(args, "s#i", &digest_text, &digest_len, &digest_type))
- goto error;
+ ENTERING(cms_object_eContentType);
- if (self->key_type != RSA_PRIVATE_KEY)
- lose("unsupported key type");
+ if ((oid = CMS_get0_eContentType(self->cms)) == NULL)
+ lose_openssl_error("Couldn't extract eContentType from CMS message");
- if ((signed_text = malloc(RSA_size(self->cipher))) == NULL)
- lose("could not allocate memory");
+ assert_no_unhandled_openssl_errors();
- switch(digest_type) {
-#ifndef OPENSSL_NO_MD2
- case MD2_DIGEST:
- digest_nid = NID_md2;
- digest_len = MD2_DIGEST_LENGTH;
- break;
-#endif
- case MD5_DIGEST:
- digest_nid = NID_md5;
- digest_len = MD5_DIGEST_LENGTH;
- break;
- case SHA_DIGEST:
- digest_nid = NID_sha;
- digest_len = SHA_DIGEST_LENGTH;
- break;
- case SHA1_DIGEST:
- digest_nid = NID_sha1;
- digest_len = SHA_DIGEST_LENGTH;
- break;
- case RIPEMD160_DIGEST:
- digest_nid = NID_ripemd160;
- digest_len = RIPEMD160_DIGEST_LENGTH;
- break;
- case SHA256_DIGEST:
- digest_nid = NID_sha256;
- digest_len = SHA256_DIGEST_LENGTH;
- break;
- case SHA384_DIGEST:
- digest_nid = NID_sha384;
- digest_len = SHA384_DIGEST_LENGTH;
+ result = ASN1_OBJECT_to_PyString(oid);
+
+ error:
+ return result;
+}
+
+static char cms_object_signingTime__doc__[] =
+ "Return the signingTime of this CMS message.\n"
+ ;
+
+static PyObject *
+cms_object_signingTime(cms_object *self)
+{
+ PyObject *result = NULL;
+ STACK_OF(CMS_SignerInfo) *sis = NULL;
+ CMS_SignerInfo *si = NULL;
+ X509_ATTRIBUTE *xa = NULL;
+ ASN1_TYPE *so = NULL;
+ int i;
+
+ ENTERING(cms_object_signingTime);
+
+ if ((sis = CMS_get0_SignerInfos(self->cms)) == NULL)
+ lose_openssl_error("Couldn't extract signerInfos from CMS message[1]");
+
+ if (sk_CMS_SignerInfo_num(sis) != 1)
+ lose_openssl_error("Couldn't extract signerInfos from CMS message[2]");
+
+ si = sk_CMS_SignerInfo_value(sis, 0);
+
+ if ((i = CMS_signed_get_attr_by_NID(si, NID_pkcs9_signingTime, -1)) < 0)
+ lose_openssl_error("Couldn't extract signerInfos from CMS message[3]");
+
+ if ((xa = CMS_signed_get_attr(si, i)) == NULL)
+ lose_openssl_error("Couldn't extract signerInfos from CMS message[4]");
+
+ if (xa->single)
+ lose("Couldn't extract signerInfos from CMS message[5]");
+
+ if (sk_ASN1_TYPE_num(xa->value.set) != 1)
+ lose("Couldn't extract signerInfos from CMS message[6]");
+
+ if ((so = sk_ASN1_TYPE_value(xa->value.set, 0)) == NULL)
+ lose("Couldn't extract signerInfos from CMS message[7]");
+
+ switch (so->type) {
+ case V_ASN1_UTCTIME:
+ result = ASN1_TIME_to_Python(so->value.utctime);
break;
- case SHA512_DIGEST:
- digest_nid = NID_sha512;
- digest_len = SHA512_DIGEST_LENGTH;
+ case V_ASN1_GENERALIZEDTIME:
+ result = ASN1_TIME_to_Python(so->value.generalizedtime);
break;
default:
- lose("unsupported digest");
+ lose("Couldn't extract signerInfos from CMS message[8]");
}
- if (!RSA_sign(digest_nid, digest_text, digest_len, signed_text, &signed_len, self->cipher))
- lose("could not sign digest");
+ error:
+ return result;
+}
+
+static char cms_object_pprint__doc__[] =
+ "Return a pretty-printed representation of this CMS message.\n"
+ ;
+
+static PyObject *
+cms_object_pprint(cms_object *self)
+{
+ BIO *bio = NULL;
+ PyObject *result = NULL;
+
+ ENTERING(cms_object_pprint);
- obj = Py_BuildValue("s#", signed_text, signed_len);
- free(signed_text);
- return obj;
+ if ((bio = BIO_new(BIO_s_mem())) == NULL)
+ lose_no_memory();
+
+ if (!CMS_ContentInfo_print_ctx(bio, self->cms, 0, NULL))
+ lose_openssl_error("Unable to pretty-print CMS object");
+
+ result = BIO_to_PyString_helper(bio);
error:
+ BIO_free(bio);
+ return result;
+}
- if (signed_text)
- free(signed_text);
+static PyObject *
+cms_object_helper_get_cert(void *cert)
+{
+ x509_object *obj;
- return NULL;
+ ENTERING(cms_object_helper_get_cert);
+
+ if ((obj = (x509_object *) x509_object_new(&POW_X509_Type, NULL, NULL)) == NULL)
+ return NULL;
+
+ X509_free(obj->x509);
+ obj->x509 = cert;
+ return (PyObject *) obj;
}
-static char asymmetric_object_verify__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Asymmetric</memberof>\n"
-" <name>verify</name>\n"
-" <parameter>signedtext</parameter>\n"
-" <parameter>digesttext</parameter>\n"
-" <parameter>digesttype</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method is used to verify a signed digest text.\n"
-" </para>\n"
-" <example>\n"
-" <title><function>verify</function> method usage</title>\n"
-" <programlisting>\n"
-" plain_text = 'Hello World!'\n"
-" print '\tPlain text:', plain_text\n"
-" digest = POW.Digest(POW.RIPEMD160_DIGEST)\n"
-" digest.update(plain_text)\n"
-" print '\tDigest text:', digest.digest()\n"
-"\n"
-" privateFile = open('test/private.key', 'r')\n"
-" privateKey = POW.pemRead(POW.RSA_PRIVATE_KEY, privateFile.read(), 'pass')\n"
-" privateFile.close()\n"
-" signed_text = privateKey.sign(digest.digest(), POW.RIPEMD160_DIGEST)\n"
-" print '\tSigned text:', signed_text\n"
-"\n"
-" digest2 = POW.Digest(POW.RIPEMD160_DIGEST)\n"
-" digest2.update(plain_text)\n"
-" publicFile = open('test/public.key', 'r')\n"
-" publicKey = POW.pemRead(POW.RSA_PUBLIC_KEY, publicFile.read())\n"
-" publicFile.close()\n"
-" if publicKey.verify(signed_text, digest2.digest(), POW.RIPEMD160_DIGEST):\n"
-" print 'Signing verified!'\n"
-" else:\n"
-" print 'Signing gone wrong!'\n"
-" </programlisting>\n"
-" </example>\n"
-" <para>\n"
-" The parameter <parameter>signedtext</parameter> should be a\n"
-" signed digest text. This instance of\n"
-" <classname>Asymmetric</classname> should correspond to the private\n"
-" key used to sign the digest. The parameter\n"
-" <parameter>digesttext</parameter> should be a digest of the same\n"
-" data used to produce the <parameter>signedtext</parameter> and\n"
-" finally <parameter>digesttype</parameter> should be one of the\n"
-" following:\n"
-" </para>\n"
-" <simplelist>\n"
-#ifndef OPENSSL_NO_MD2
-" <member><constant>MD2_DIGEST</constant></member>\n"
-#endif
-" <member><constant>MD5_DIGEST</constant></member>\n"
-" <member><constant>SHA_DIGEST</constant></member>\n"
-" <member><constant>SHA1_DIGEST</constant></member>\n"
-" <member><constant>RIPEMD160_DIGEST</constant></member>\n"
-" <member><constant>SHA256_DIGEST</constant></member>\n"
-" <member><constant>SHA384_DIGEST</constant></member>\n"
-" <member><constant>SHA512_DIGEST</constant></member>\n"
-" </simplelist>\n"
-" <para>\n"
-" If the procedure was successful, 1 is returned, otherwise 0 is\n"
-" returned.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char cms_object_certs__doc__[] =
+ "Return any certificates embedded in this CMS message, as a\n"
+ "tuple of X509 objects. This tuple will be empty if the message\n"
+ "wrapper contains no certificates.\n"
+ ;
static PyObject *
-asymmetric_object_verify(asymmetric_object *self, PyObject *args)
+cms_object_certs(cms_object *self)
{
- unsigned char *digest_text = NULL, *signed_text = NULL;
- int digest_len = 0, digest_type = 0, digest_nid = 0, signed_len = 0;
+ STACK_OF(X509) *certs = NULL;
+ PyObject *result = NULL;
- if (!PyArg_ParseTuple(args, "s#s#i", &signed_text, &signed_len, &digest_text, &digest_len, &digest_type))
- goto error;
+ ENTERING(cms_object_certs);
- switch (digest_type) {
-#ifndef OPENSSL_NO_MD2
- case MD2_DIGEST:
- digest_len = MD2_DIGEST_LENGTH;
- digest_nid = NID_md2;
- break;
-#endif
- case MD5_DIGEST:
- digest_len = MD5_DIGEST_LENGTH;
- digest_nid = NID_md5;
- break;
- case SHA_DIGEST:
- digest_len = SHA_DIGEST_LENGTH;
- digest_nid = NID_sha;
- break;
- case SHA1_DIGEST:
- digest_len = SHA_DIGEST_LENGTH;
- digest_nid = NID_sha1;
- break;
- case RIPEMD160_DIGEST:
- digest_len = RIPEMD160_DIGEST_LENGTH;
- digest_nid = NID_ripemd160;
- break;
- case SHA256_DIGEST:
- digest_len = SHA256_DIGEST_LENGTH;
- digest_nid = NID_sha256;
- break;
- case SHA384_DIGEST:
- digest_len = SHA384_DIGEST_LENGTH;
- digest_nid = NID_sha384;
- break;
- case SHA512_DIGEST:
- digest_len = SHA512_DIGEST_LENGTH;
- digest_nid = NID_sha512;
- break;
- default:
- lose("unsupported digest");
- }
+ if ((certs = CMS_get1_certs(self->cms)) != NULL)
+ result = stack_to_tuple_helper(CHECKED_PTR_OF(STACK_OF(X509), certs),
+ cms_object_helper_get_cert);
+ else if (!ERR_peek_error())
+ result = Py_BuildValue("()");
+ else
+ lose_openssl_error("Couldn't extract certs from CMS message");
- return PyBool_FromLong(RSA_verify(digest_nid, digest_text, digest_len, signed_text, signed_len, self->cipher));
+ error: /* fall through */
+ sk_X509_pop_free(certs, X509_free);
+ return result;
+}
- error:
+static PyObject *
+cms_object_helper_get_crl(void *crl)
+{
+ crl_object *obj;
- return NULL;
+ ENTERING(cms_object_helper_get_crl);
+
+ if ((obj = (crl_object *) crl_object_new(&POW_CRL_Type, NULL, NULL)) == NULL)
+ return NULL;
+
+ X509_CRL_free(obj->crl);
+ obj->crl = crl;
+ return (PyObject *) obj;
}
-static struct PyMethodDef asymmetric_object_methods[] = {
- {"pemWrite", (PyCFunction)asymmetric_object_pem_write, METH_VARARGS, NULL},
- {"derWrite", (PyCFunction)asymmetric_object_der_write, METH_VARARGS, NULL},
- {"publicEncrypt", (PyCFunction)asymmetric_object_public_encrypt, METH_VARARGS, NULL},
- {"privateEncrypt", (PyCFunction)asymmetric_object_private_encrypt, METH_VARARGS, NULL},
- {"privateDecrypt", (PyCFunction)asymmetric_object_private_decrypt, METH_VARARGS, NULL},
- {"publicDecrypt", (PyCFunction)asymmetric_object_public_decrypt, METH_VARARGS, NULL},
- {"sign", (PyCFunction)asymmetric_object_sign, METH_VARARGS, NULL},
- {"verify", (PyCFunction)asymmetric_object_verify, METH_VARARGS, NULL},
-
- {NULL} /* sentinel */
-};
+static char cms_object_crls__doc__[] =
+ "Return any CRLs embedded in this CMS message, as a tuple of\n"
+ "CRL objects. This tuple will be empty if the message contains no CRLs.\n"
+ ;
static PyObject *
-asymmetric_object_getattr(asymmetric_object *self, char *name)
+cms_object_crls(cms_object *self)
{
- return Py_FindMethod(asymmetric_object_methods, (PyObject *)self, name);
+ STACK_OF(X509_CRL) *crls = NULL;
+ PyObject *result = NULL;
+
+ ENTERING(cms_object_crls);
+
+ if ((crls = CMS_get1_crls(self->cms)) != NULL)
+ result = stack_to_tuple_helper(CHECKED_PTR_OF(STACK_OF(X509_CRL), crls),
+ cms_object_helper_get_crl);
+ else if (!ERR_peek_error())
+ result = Py_BuildValue("()");
+ else
+ lose_openssl_error("Couldn't extract CRLs from CMS message");
+
+ error: /* fall through */
+ sk_X509_CRL_pop_free(crls, X509_CRL_free);
+ return result;
}
-static void
-asymmetric_object_dealloc(asymmetric_object *self, char *name)
-{
- switch(self->cipher_type) {
- case RSA_CIPHER:
- RSA_free(self->cipher);
- break;
- }
- PyObject_Del(self);
-}
-
-static char asymmetrictype__doc__[] =
-"<class>\n"
-" <header>\n"
-" <name>Asymmetric</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This class provides access to RSA asymmetric ciphers in OpenSSL.\n"
-" Other ciphers will probably be supported in the future but this is\n"
-" not a priority.\n"
-" </para>\n"
-" </body>\n"
-"</class>\n"
-;
+static struct PyMethodDef cms_object_methods[] = {
+ Define_Method(pemWrite, cms_object_pem_write, METH_NOARGS),
+ Define_Method(derWrite, cms_object_der_write, METH_NOARGS),
+ Define_Method(sign, cms_object_sign, METH_VARARGS),
+ Define_Method(verify, cms_object_verify, METH_KEYWORDS),
+ Define_Method(eContentType, cms_object_eContentType, METH_NOARGS),
+ Define_Method(signingTime, cms_object_signingTime, METH_NOARGS),
+ Define_Method(pprint, cms_object_pprint, METH_NOARGS),
+ Define_Method(certs, cms_object_certs, METH_NOARGS),
+ Define_Method(crls, cms_object_crls, METH_NOARGS),
+ Define_Class_Method(pemRead, cms_object_pem_read, METH_VARARGS),
+ Define_Class_Method(pemReadFile, cms_object_pem_read_file, METH_VARARGS),
+ Define_Class_Method(derRead, cms_object_der_read, METH_VARARGS),
+ Define_Class_Method(derReadFile, cms_object_der_read_file, METH_VARARGS),
+ {NULL}
+};
+
+static char POW_CMS_Type__doc__[] =
+ "Wrapper for OpenSSL's CMS class. At present this only handes signed\n"
+ "objects, as those are the only kind of CMS objects used in RPKI.\n"
+ ;
-static PyTypeObject asymmetrictype = {
- PyObject_HEAD_INIT(0)
- 0, /*ob_size*/
- "Asymmetric", /*tp_name*/
- sizeof(asymmetric_object), /*tp_basicsize*/
- 0, /*tp_itemsize*/
- (destructor)asymmetric_object_dealloc, /*tp_dealloc*/
- (printfunc)0, /*tp_print*/
- (getattrfunc)asymmetric_object_getattr, /*tp_getattr*/
- (setattrfunc)0, /*tp_setattr*/
- (cmpfunc)0, /*tp_compare*/
- (reprfunc)0, /*tp_repr*/
- 0, /*tp_as_number*/
- 0, /*tp_as_sequence*/
- 0, /*tp_as_mapping*/
- (hashfunc)0, /*tp_hash*/
- (ternaryfunc)0, /*tp_call*/
- (reprfunc)0, /*tp_str*/
- 0,
- 0,
- 0,
- 0,
- asymmetrictype__doc__ /* Documentation string */
+static PyTypeObject POW_CMS_Type = {
+ PyObject_HEAD_INIT(0)
+ 0, /* ob_size */
+ "rpki.POW.CMS", /* tp_name */
+ sizeof(cms_object), /* tp_basicsize */
+ 0, /* tp_itemsize */
+ (destructor)cms_object_dealloc, /* tp_dealloc */
+ 0, /* tp_print */
+ 0, /* tp_getattr */
+ 0, /* tp_setattr */
+ 0, /* tp_compare */
+ 0, /* tp_repr */
+ 0, /* tp_as_number */
+ 0, /* tp_as_sequence */
+ 0, /* tp_as_mapping */
+ 0, /* tp_hash */
+ 0, /* tp_call */
+ 0, /* tp_str */
+ 0, /* tp_getattro */
+ 0, /* tp_setattro */
+ 0, /* tp_as_buffer */
+ Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE, /* tp_flags */
+ POW_CMS_Type__doc__, /* tp_doc */
+ 0, /* tp_traverse */
+ 0, /* tp_clear */
+ 0, /* tp_richcompare */
+ 0, /* tp_weaklistoffset */
+ 0, /* tp_iter */
+ 0, /* tp_iternext */
+ cms_object_methods, /* tp_methods */
+ 0, /* tp_members */
+ 0, /* tp_getset */
+ 0, /* tp_base */
+ 0, /* tp_dict */
+ 0, /* tp_descr_get */
+ 0, /* tp_descr_set */
+ 0, /* tp_dictoffset */
+ 0, /* tp_init */
+ 0, /* tp_alloc */
+ cms_object_new, /* tp_new */
};
-/*========== asymmetric Code ==========*/
-/*========== symmetric Code ==========*/
-static symmetric_object *
-symmetric_object_new(int cipher_type)
-{
- symmetric_object *self = NULL;
+
- if ((self = PyObject_New(symmetric_object, &symmetrictype)) == NULL)
- goto error;
+/*
+ * Manifest object.
+ */
- self->cipher_type = cipher_type;
- EVP_CIPHER_CTX_init(&self->cipher_ctx);
+static PyObject *
+manifest_object_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
+{
+ manifest_object *self = NULL;
- return self;
+ ENTERING(manifest_object_new);
- error:
+ if ((self = (manifest_object *) cms_object_new(type, args, kwds)) != NULL &&
+ (self->manifest = Manifest_new()) != NULL)
+ return (PyObject *) self;
Py_XDECREF(self);
return NULL;
}
-static char symmetric_object_encrypt_init__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Symmetric</memberof>\n"
-" <name>encryptInit</name>\n"
-" <parameter>key</parameter>\n"
-" <parameter>initialvalue = ''</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method sets up the cipher object to start encrypting a stream\n"
-" of data. The first parameter is the key used to encrypt the\n"
-" data. The second, the <parameter>initialvalue</parameter> serves\n"
-" a similar purpose the the salt supplied to the Unix\n"
-" <function>crypt</function> function.\n"
-" The <parameter>initialvalue</parameter> is normally chosen at random and\n"
-" often transmitted with the encrypted data, its purpose is to prevent\n"
-" two identical plain texts resulting in two identical cipher texts.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static void
+manifest_object_dealloc(manifest_object *self)
+{
+ ENTERING(manifest_object_dealloc);
+ Manifest_free(self->manifest);
+ cms_object_dealloc(&self->cms);
+}
+
+static char manifest_object_verify__doc__[] =
+ "Verify this manifest. See the CMS class's .verify() method for details.\n"
+ ;
static PyObject *
-symmetric_object_encrypt_init(symmetric_object *self, PyObject *args)
+manifest_object_verify(manifest_object *self, PyObject *args, PyObject *kwds)
{
- unsigned char *key = NULL, *iv = NULL, nulliv [] = "";
- const EVP_CIPHER *cipher = NULL;
+ BIO *bio = NULL;
+ int ok = 0;
+
+ ENTERING(manifest_object_verify);
- if (!PyArg_ParseTuple(args, "s|s", &key, &iv))
+ if ((bio = cms_object_verify_helper(&self->cms, args, kwds)) == NULL)
goto error;
- if (!iv)
- iv = nulliv;
+ if (!ASN1_item_d2i_bio(ASN1_ITEM_rptr(Manifest), bio, &self->manifest))
+ lose_openssl_error("Couldn't decode manifest");
- if ((cipher = evp_cipher_factory(self->cipher_type)) == NULL)
- lose("unsupported cipher");
+ ok = 1;
- if (!EVP_EncryptInit(&self->cipher_ctx, cipher, key, iv))
- lose("could not initialise cipher");
+ error:
+ BIO_free(bio);
- Py_RETURN_NONE;
+ if (ok)
+ Py_RETURN_NONE;
+ else
+ return NULL;
+}
- error:
+static PyObject *
+manifest_object_der_read_helper(PyTypeObject *type, BIO *bio)
+{
+ manifest_object *self;
- return NULL;
+ ENTERING(manifest_object_der_read_helper);
+
+ if ((self = (manifest_object *) cms_object_der_read_helper(type, bio)) != NULL)
+ self->manifest = NULL;
+
+ return (PyObject *) self;
}
-static char symmetric_object_decrypt_init__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Symmetric</memberof>\n"
-" <name>decryptInit</name>\n"
-" <parameter>key</parameter>\n"
-" <parameter>initialvalue = ''</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method sets up the cipher object to start decrypting a stream\n"
-" of data. The first value must be the key used to encrypt the\n"
-" data. The second parameter is the <parameter>initialvalue</parameter>\n"
-" used to encrypt the data.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char manifest_object_der_read__doc__[] =
+ "Read a DER-encoded manifest object from a string.\n"
+ ;
static PyObject *
-symmetric_object_decrypt_init(symmetric_object *self, PyObject *args)
+manifest_object_der_read(PyTypeObject *type, PyObject *args)
{
- unsigned char *key = NULL, *iv = NULL, nulliv [] = "";
- const EVP_CIPHER *cipher = NULL;
-
- if (!PyArg_ParseTuple(args, "s|s", &key, &iv))
- goto error;
+ ENTERING(manifest_object_der_read);
+ return read_from_string_helper(manifest_object_der_read_helper, type, args);
+}
- if (!iv)
- iv = nulliv;
+static char manifest_object_der_read_file__doc__[] =
+ "Read a DER-encoded manifest object from a file.\n"
+ ;
- if ((cipher = evp_cipher_factory(self->cipher_type)) == NULL)
- lose("unsupported cipher");
+static PyObject *
+manifest_object_der_read_file(PyTypeObject *type, PyObject *args)
+{
+ ENTERING(manifest_object_der_read_file);
+ return read_from_file_helper(manifest_object_der_read_helper, type, args);
+}
- if (!EVP_DecryptInit(&self->cipher_ctx, cipher, key, iv))
- lose("could not initialise cipher");
+static PyObject *
+manifest_object_pem_read_helper(PyTypeObject *type, BIO *bio)
+{
+ manifest_object *self;
- Py_RETURN_NONE;
+ ENTERING(manifest_object_pem_read_helper);
- error:
+ if ((self = (manifest_object *) cms_object_pem_read_helper(type, bio)) != NULL)
+ self->manifest = NULL;
- return NULL;
+ return (PyObject *) self;
}
-static char symmetric_object_update__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Symmetric</memberof>\n"
-" <name>update</name>\n"
-" <parameter>data</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method is used to process the bulk of data being encrypted\n"
-" or decrypted by the cipher object. <parameter>data</parameter>\n"
-" should be a string.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char manifest_object_pem_read__doc__[] =
+ "Read a PEM-encoded manifest object from a string.\n"
+ ;
static PyObject *
-symmetric_object_update(symmetric_object *self, PyObject *args)
+manifest_object_pem_read(PyTypeObject *type, PyObject *args)
{
- int inl = 0, outl = 0;
- unsigned char *in = NULL, *out = NULL;
- PyObject *py_out = NULL;
-
- if (!PyArg_ParseTuple(args, "s#", &in, &inl))
- goto error;
+ ENTERING(manifest_object_pem_read);
+ return read_from_string_helper(manifest_object_pem_read_helper, type, args);
+}
- if ((out = malloc(inl + EVP_CIPHER_CTX_block_size(&self->cipher_ctx))) == NULL)
- lose("could not allocate memory");
+static char manifest_object_pem_read_file__doc__[] =
+ "Read a PEM-encoded manifest object from a file.\n"
+ ;
- if (!EVP_CipherUpdate(&self->cipher_ctx, out, &outl, in, inl))
- lose("could not update cipher");
+static PyObject *
+manifest_object_pem_read_file(PyTypeObject *type, PyObject *args)
+{
+ ENTERING(manifest_object_pem_read_file);
+ return read_from_file_helper(manifest_object_pem_read_helper, type, args);
+}
- if ((py_out = Py_BuildValue("s#", out, outl)) == NULL)
- lose("could not allocate memory");
+static char manifest_object_get_version__doc__[] =
+ "Return the version number of this manifest.\n"
+ ;
- free(out);
- return py_out;
+static PyObject *
+manifest_object_get_version(manifest_object *self)
+{
+ ENTERING(manifest_object_get_version);
- error:
+ if (self->manifest == NULL)
+ lose_not_verified("Can't report version of unverified manifest");
- if (out)
- free(out);
+ if (self->manifest->version)
+ return Py_BuildValue("N", ASN1_INTEGER_to_PyLong(self->manifest->version));
+ else
+ return PyInt_FromLong(0);
+ error:
return NULL;
}
-static char symmetric_object_final__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Symmetric</memberof>\n"
-" <name>final</name>\n"
-" <parameter>size = 1024</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" Most ciphers are block ciphers, that is they encrypt or decrypt a block of\n"
-" data at a time. Often the data being processed will not fill an\n"
-" entire block, this method processes these half-empty blocks. A\n"
-" string is returned of a maximum length <parameter>size</parameter>.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char manifest_object_set_version__doc__[] =
+ "Set the version number of this manifest.\n"
+ "\n"
+ "The \"version\" parameter should be a non-negative integer.\n"
+ "\n"
+ "As of this writing, zero is both the default and the only defined version.\n"
+ "Attempting to set any version number other than zero will fail, as we\n"
+ "don't understand how to write other versions, by definition.\n"
+ ;
static PyObject *
-symmetric_object_final(symmetric_object *self, PyObject *args)
+manifest_object_set_version(manifest_object *self, PyObject *args)
{
- int outl = 0, size = 1024;
- unsigned char *out = NULL;
- PyObject *py_out = NULL;
+ int version = 0;
- if (!PyArg_ParseTuple(args, "|i", &size))
+ ENTERING(manifest_object_set_version);
+
+ if (!PyArg_ParseTuple(args, "|i", &version))
goto error;
- if ((out = malloc(size + EVP_CIPHER_CTX_block_size(&self->cipher_ctx))) == NULL)
- lose("could not allocate memory");
+ if (version != 0)
+ lose("RFC 6486 only defines RPKI manifest version zero");
- if (!EVP_CipherFinal(&self->cipher_ctx, out, &outl))
- lose("could not update cipher");
+ if (self->manifest == NULL)
+ lose_not_verified("Can't set version of unverified manifest");
- if ((py_out = Py_BuildValue("s#", out, outl)) == NULL)
- lose("could not allocate memory");
+ ASN1_INTEGER_free(self->manifest->version);
+ self->manifest->version = NULL;
- free(out);
- return py_out;
+ Py_RETURN_NONE;
error:
-
- if (out)
- free(out);
-
return NULL;
}
-static struct PyMethodDef symmetric_object_methods[] = {
- {"encryptInit", (PyCFunction)symmetric_object_encrypt_init, METH_VARARGS, NULL},
- {"decryptInit", (PyCFunction)symmetric_object_decrypt_init, METH_VARARGS, NULL},
- {"update", (PyCFunction)symmetric_object_update, METH_VARARGS, NULL},
- {"final", (PyCFunction)symmetric_object_final, METH_VARARGS, NULL},
-
- {NULL} /* sentinel */
-};
+static char manifest_object_get_manifest_number__doc__[] =
+ "Return the manifestNumber of this manifest.\n"
+ ;
static PyObject *
-symmetric_object_getattr(symmetric_object *self, char *name)
+manifest_object_get_manifest_number(manifest_object *self)
{
- return Py_FindMethod(symmetric_object_methods, (PyObject *)self, name);
-}
+ ENTERING(manifest_object_get_manifest_number);
-static void
-symmetric_object_dealloc(symmetric_object *self, char *name)
-{
- PyObject_Del(self);
-}
-
-static char symmetrictype__doc__[] =
-"<class>\n"
-" <header>\n"
-" <name>Symmetric</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This class provides access to all the symmetric ciphers in OpenSSL.\n"
-" Initialisation of the cipher structures is performed late, only\n"
-" when <function>encryptInit</function> or\n"
-" <function>decryptInit</function> is called, the\n"
-" constructor only records the cipher type. It is possible to reuse\n"
-" the <classname>Symmetric</classname> objects by calling\n"
-" <function>encryptInit</function> or <function>decryptInit</function>\n"
-" again.\n"
-" </para>\n"
-" <example>\n"
-" <title><classname>Symmetric</classname> class usage</title>\n"
-" <programlisting>\n"
-" passphrase = 'my silly passphrase'\n"
-" md5 = POW.Digest(POW.MD5_DIGEST)\n"
-" md5.update(passphrase)\n"
-" password = md5.digest()[:8]\n"
-"\n"
-" plaintext = 'cast test message'\n"
-" cast = POW.Symmetric(POW.CAST5_CFB)\n"
-" cast.encryptInit(password)\n"
-" ciphertext = cast.update(plaintext) + cast.final()\n"
-" print 'Cipher text:', ciphertext\n"
-"\n"
-" cast.decryptInit(password)\n"
-" out = cast.update(ciphertext) + cast.final()\n"
-" print 'Deciphered text:', out\n"
-" </programlisting>\n"
-" </example>\n"
-" </body>\n"
-"</class>\n"
-;
+ if (self->manifest == NULL)
+ lose_not_verified("Can't get manifestNumber of unverified manifest");
-static PyTypeObject symmetrictype = {
- PyObject_HEAD_INIT(0)
- 0, /*ob_size*/
- "Symmetric", /*tp_name*/
- sizeof(symmetric_object), /*tp_basicsize*/
- 0, /*tp_itemsize*/
- (destructor)symmetric_object_dealloc, /*tp_dealloc*/
- (printfunc)0, /*tp_print*/
- (getattrfunc)symmetric_object_getattr, /*tp_getattr*/
- (setattrfunc)0, /*tp_setattr*/
- (cmpfunc)0, /*tp_compare*/
- (reprfunc)0, /*tp_repr*/
- 0, /*tp_as_number*/
- 0, /*tp_as_sequence*/
- 0, /*tp_as_mapping*/
- (hashfunc)0, /*tp_hash*/
- (ternaryfunc)0, /*tp_call*/
- (reprfunc)0, /*tp_str*/
- 0,
- 0,
- 0,
- 0,
- symmetrictype__doc__ /* Documentation string */
-};
-/*========== symmetric Code ==========*/
+ return Py_BuildValue("N", ASN1_INTEGER_to_PyLong(self->manifest->manifestNumber));
-/*========== digest Code ==========*/
-static digest_object *
-digest_object_new(int digest_type)
+ error:
+ return NULL;
+}
+
+static char manifest_object_set_manifest_number__doc__[] =
+ "Set the manifestNumber of this manifest.\n"
+ "\n"
+ "The \"manifestNumber\" parameter should be a non-negative integer.\n"
+ ;
+
+static PyObject *
+manifest_object_set_manifest_number(manifest_object *self, PyObject *args)
{
- digest_object *self = NULL;
+ PyObject *manifestNumber = NULL;
+ PyObject *zero = NULL;
+ int ok = 0;
- if ((self = PyObject_New(digest_object, &digesttype)) == NULL)
+ ENTERING(manifest_object_set_manifest_number);
+
+ if (!PyArg_ParseTuple(args, "O", &manifestNumber))
goto error;
- switch(digest_type) {
-#ifndef OPENSSL_NO_MD2
- case MD2_DIGEST:
- self->digest_type = MD2_DIGEST;
- EVP_DigestInit(&self->digest_ctx, EVP_md2());
- break;
-#endif
- case MD5_DIGEST:
- self->digest_type = MD5_DIGEST;
- EVP_DigestInit(&self->digest_ctx, EVP_md5());
- break;
- case SHA_DIGEST:
- self->digest_type = SHA_DIGEST;
- EVP_DigestInit(&self->digest_ctx, EVP_sha());
- break;
- case SHA1_DIGEST:
- self->digest_type = SHA1_DIGEST;
- EVP_DigestInit(&self->digest_ctx, EVP_sha1());
- break;
- case RIPEMD160_DIGEST:
- self->digest_type = RIPEMD160_DIGEST;
- EVP_DigestInit(&self->digest_ctx, EVP_ripemd160());
- break;
- case SHA256_DIGEST:
- self->digest_type = SHA256_DIGEST;
- EVP_DigestInit(&self->digest_ctx, EVP_sha256());
- break;
- case SHA384_DIGEST:
- self->digest_type = SHA384_DIGEST;
- EVP_DigestInit(&self->digest_ctx, EVP_sha384());
- break;
- case SHA512_DIGEST:
- self->digest_type = SHA512_DIGEST;
- EVP_DigestInit(&self->digest_ctx, EVP_sha512());
- break;
- default:
- lose("unsupported digest");
+ if ((zero = PyInt_FromLong(0)) == NULL)
+ goto error;
+
+ switch (PyObject_RichCompareBool(manifestNumber, zero, Py_GE)) {
+ case -1:
+ goto error;
+ case 0:
+ lose("Negative manifest number is not allowed");
}
- return self;
+ if (self->manifest == NULL)
+ lose_not_verified("Can't set manifestNumber of unverified manifest");
+
+ ASN1_INTEGER_free(self->manifest->manifestNumber);
+
+ if ((self->manifest->manifestNumber = PyLong_to_ASN1_INTEGER(manifestNumber)) == NULL)
+ goto error;
+
+ ok = 1;
error:
+ Py_XDECREF(zero);
- Py_XDECREF(self);
- return NULL;
+ if (ok)
+ Py_RETURN_NONE;
+ else
+ return NULL;
}
-static char digest_object_update__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Digest</memberof>\n"
-" <name>update</name>\n"
-" <parameter>data</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method updates the internal structures of the\n"
-" <classname>Digest</classname> object with <parameter>data</parameter>.\n"
-" <parameter>data</parameter> should be a string.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char manifest_object_set_this_update__doc__[] =
+ "Set this manifest's \"thisUpdate\" value.\n"
+ "\n"
+ "The \"time\" parameter should be a datetime object.\n"
+ ;
static PyObject *
-digest_object_update(digest_object *self, PyObject *args)
+manifest_object_set_this_update (manifest_object *self, PyObject *args)
{
- char *data = NULL;
- int len = 0;
+ ASN1_TIME *t = NULL;
+ PyObject *o = NULL;
- if (!PyArg_ParseTuple(args, "s#", &data, &len))
+ ENTERING(manifest_object_set_this_update);
+
+ if (!PyArg_ParseTuple(args, "O", &o))
goto error;
- EVP_DigestUpdate(&self->digest_ctx, data, len);
+ if (self->manifest == NULL)
+ lose_not_verified("Can't set thisUpdate value of unverified manifest");
+ if ((t = Python_to_ASN1_TIME(o, 0)) == NULL)
+ lose("Couldn't convert thisUpdate string");
+
+ ASN1_TIME_free(self->manifest->thisUpdate);
+ self->manifest->thisUpdate = t;
Py_RETURN_NONE;
error:
-
+ ASN1_TIME_free(t);
return NULL;
}
-static char digest_object_copy__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Digest</memberof>\n"
-" <name>copy</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method returns a copy of the <classname>Digest</classname>\n"
-" object.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char manifest_object_get_this_update__doc__[] =
+ "Return this manifest's \"thisUpdate\" value as a datetime.\n"
+ ;
static PyObject *
-digest_object_copy(digest_object *self, PyObject *args)
+manifest_object_get_this_update (manifest_object *self)
{
- digest_object *new = NULL;
+ ENTERING(manifest_object_get_this_update);
- if ((new = PyObject_New(digest_object, &digesttype)) == NULL)
- lose("could not allocate memory");
-
- new->digest_type = self->digest_type;
- if (!EVP_MD_CTX_copy(&new->digest_ctx, &self->digest_ctx))
- lose("could not copy digest");
+ if (self->manifest == NULL)
+ lose_not_verified("Can't get thisUpdate value of unverified manifest");
- return (PyObject*)new;
+ return ASN1_TIME_to_Python(self->manifest->thisUpdate);
error:
-
- Py_XDECREF(new);
return NULL;
}
-static char digest_object_digest__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Digest</memberof>\n"
-" <name>digest</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method returns the digest of all the data which has been\n"
-" processed. This function can be called at any time and will not\n"
-" effect the internal structure of the <classname>digest</classname>\n"
-" object.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char manifest_object_set_next_update__doc__[] =
+ "Set this manifest's \"nextUpdate\" value.\n"
+ "\n"
+ "The \"time\" parameter should be a datetime object.\n"
+ ;
static PyObject *
-digest_object_digest(digest_object *self, PyObject *args)
+manifest_object_set_next_update (manifest_object *self, PyObject *args)
{
- unsigned char digest_text[EVP_MAX_MD_SIZE];
- void *md_copy = NULL;
- unsigned digest_len = 0;
+ ASN1_TIME *t = NULL;
+ PyObject *o = NULL;
+
+ ENTERING(manifest_object_set_next_update);
- if (!PyArg_ParseTuple(args, ""))
+ if (!PyArg_ParseTuple(args, "O", &o))
goto error;
- if ((md_copy = malloc(sizeof(EVP_MD_CTX))) == NULL)
- lose("could not allocate memory");
+ if (self->manifest == NULL)
+ lose_not_verified("Can't set nextUpdate value of unverified manifest");
- if (!EVP_MD_CTX_copy(md_copy, &self->digest_ctx))
- lose("could not copy digest");
+ if ((t = Python_to_ASN1_TIME(o, 0)) == NULL)
+ lose("Couldn't parse nextUpdate string");
- EVP_DigestFinal(md_copy, digest_text, &digest_len);
+ ASN1_TIME_free(self->manifest->nextUpdate);
+ self->manifest->nextUpdate = t;
+ Py_RETURN_NONE;
- free(md_copy);
+ error:
+ ASN1_TIME_free(t);
+ return NULL;
+}
- return Py_BuildValue("s#", digest_text, digest_len);
+static char manifest_object_get_next_update__doc__[] =
+ "Return this manifest's \"nextUpdate\" value as a datetime.\n"
+ ;
- error:
+static PyObject *
+manifest_object_get_next_update (manifest_object *self)
+{
+ ENTERING(manifest_object_get_next_update);
- if (md_copy)
- free(md_copy);
+ if (self->manifest == NULL)
+ lose_not_verified("Can't extract nextUpdate value of unverified manifest");
+ return ASN1_TIME_to_Python(self->manifest->nextUpdate);
+
+ error:
return NULL;
}
-static struct PyMethodDef digest_object_methods[] = {
- {"update", (PyCFunction)digest_object_update, METH_VARARGS, NULL},
- {"digest", (PyCFunction)digest_object_digest, METH_VARARGS, NULL},
- {"copy", (PyCFunction)digest_object_copy, METH_VARARGS, NULL},
-
- {NULL} /* sentinel */
-};
+static char manifest_object_get_algorithm__doc__[] =
+ "Return this manifest's fileHashAlg OID.\n"
+ ;
static PyObject *
-digest_object_getattr(digest_object *self, char *name)
+manifest_object_get_algorithm(manifest_object *self)
{
- return Py_FindMethod(digest_object_methods, (PyObject *)self, name);
-}
+ PyObject *result = NULL;
-static void
-digest_object_dealloc(digest_object *self, char *name)
-{
- EVP_MD_CTX_cleanup(&self->digest_ctx);
- PyObject_Del(self);
-}
-
-static char digesttype__doc__[] =
-"<class>\n"
-" <header>\n"
-" <name>Digest</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This class provides access to the digest functionality of OpenSSL.\n"
-" It emulates the digest modules in the Python Standard Library but\n"
-" does not currently support the <function>hexdigest</function>\n"
-" function.\n"
-" </para>\n"
-" <example>\n"
-" <title><classname>digest</classname> class usage</title>\n"
-" <programlisting>\n"
-" plain_text = 'Hello World!'\n"
-" sha1 = POW.Digest(POW.SHA1_DIGEST)\n"
-" sha1.update(plain_text)\n"
-" print '\tPlain text: Hello World! =>', sha1.digest()\n"
-" </programlisting>\n"
-" </example>\n"
-" </body>\n"
-"</class>\n"
-;
+ ENTERING(manifest_object_get_algorithm);
-static PyTypeObject digesttype = {
- PyObject_HEAD_INIT(0)
- 0, /*ob_size*/
- "Digest", /*tp_name*/
- sizeof(digest_object), /*tp_basicsize*/
- 0, /*tp_itemsize*/
- (destructor)digest_object_dealloc, /*tp_dealloc*/
- (printfunc)0, /*tp_print*/
- (getattrfunc)digest_object_getattr, /*tp_getattr*/
- (setattrfunc)0, /*tp_setattr*/
- (cmpfunc)0, /*tp_compare*/
- (reprfunc)0, /*tp_repr*/
- 0, /*tp_as_number*/
- 0, /*tp_as_sequence*/
- 0, /*tp_as_mapping*/
- (hashfunc)0, /*tp_hash*/
- (ternaryfunc)0, /*tp_call*/
- (reprfunc)0, /*tp_str*/
- 0,
- 0,
- 0,
- 0,
- digesttype__doc__ /* Documentation string */
-};
-/*========== digest Code ==========*/
+ if (self->manifest == NULL)
+ lose_not_verified("Can't extract algorithm OID of unverified manifest");
+
+ result = ASN1_OBJECT_to_PyString(self->manifest->fileHashAlg);
+
+ error:
+ return result;
+}
+
+static char manifest_object_set_algorithm__doc__[] =
+ "Set this manifest's fileHashAlg OID.\n"
+ ;
-/*========== hmac Code ==========*/
-static hmac_object *
-hmac_object_new(int digest_type, char *key, int key_len)
+static PyObject *
+manifest_object_set_algorithm(manifest_object *self, PyObject *args)
{
- hmac_object *self = NULL;
- const EVP_MD *md = NULL;
+ ASN1_OBJECT *oid = NULL;
+ const char *s = NULL;
- if ((self = PyObject_New(hmac_object, &hmactype)) == NULL)
+ ENTERING(manifest_object_set_algorithm);
+
+ if (!PyArg_ParseTuple(args, "s", &s))
goto error;
- switch (digest_type) {
-#ifndef OPENSSL_NO_MD2
- case MD2_DIGEST:
- md = EVP_md2();
- break;
-#endif
- case MD5_DIGEST:
- md = EVP_md5();
- break;
- case SHA_DIGEST:
- md = EVP_sha();
- break;
- case SHA1_DIGEST:
- md = EVP_sha1();
- break;
- case RIPEMD160_DIGEST:
- md = EVP_ripemd160();
- break;
- case SHA256_DIGEST:
- md = EVP_sha256();
- break;
- case SHA384_DIGEST:
- md = EVP_sha384();
- break;
- case SHA512_DIGEST:
- md = EVP_sha512();
- break;
- default:
- lose("unsupported digest");
- }
+ if (self->manifest == NULL)
+ lose_not_verified("Can't set algorithm OID for unverified manifest");
- HMAC_Init(&self->hmac_ctx, key, key_len, md);
+ if ((oid = OBJ_txt2obj(s, 1)) == NULL)
+ lose_no_memory();
- return self;
+ ASN1_OBJECT_free(self->manifest->fileHashAlg);
+ self->manifest->fileHashAlg = oid;
+ Py_RETURN_NONE;
error:
-
- Py_XDECREF(self);
+ ASN1_OBJECT_free(oid);
return NULL;
}
-static char hmac_object_update__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Hmac</memberof>\n"
-" <name>update</name>\n"
-" <parameter>data</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method updates the internal structures of the\n"
-" <classname>Hmac</classname> object with <parameter>data</parameter>.\n"
-" <parameter>data</parameter> should be a string.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char manifest_object_add_files__doc__[] =
+ "Add a collection of <filename, hash> pairs to this manifest.\n"
+ "\n"
+ "The \"iterable\" parameter should be an iterable object, each element\n"
+ "of which is a two-element sequence; the first element of this sequence\n"
+ "should be the filename (a text string), the second element should be the\n"
+ "hash (a binary string).\n"
+ ;
static PyObject *
-hmac_object_update(hmac_object *self, PyObject *args)
+manifest_object_add_files(manifest_object *self, PyObject *args)
{
- unsigned char *data = NULL;
- int len = 0;
+ PyObject *iterable = NULL;
+ PyObject *iterator = NULL;
+ PyObject *item = NULL;
+ PyObject *fast = NULL;
+ FileAndHash *fah = NULL;
+ char *file = NULL;
+ char *hash = NULL;
+ Py_ssize_t filelen, hashlen;
+ int ok = 0;
- if (!PyArg_ParseTuple(args, "s#", &data, &len))
+ ENTERING(manifest_object_add_files);
+
+ if (self->manifest == NULL)
+ lose_not_verified("Can't add files to unverified manifest");
+
+ if (!PyArg_ParseTuple(args, "O", &iterable) ||
+ (iterator = PyObject_GetIter(iterable)) == NULL)
goto error;
- HMAC_Update(&self->hmac_ctx, data, len);
+ while ((item = PyIter_Next(iterator)) != NULL) {
- Py_RETURN_NONE;
+ if ((fast = PySequence_Fast(item, "FileAndHash entry must be a sequence")) == NULL)
+ goto error;
+
+ if (PySequence_Fast_GET_SIZE(fast) != 2)
+ lose_type_error("FileAndHash entry must be two-element sequence");
+
+ if (PyString_AsStringAndSize(PySequence_Fast_GET_ITEM(fast, 0), &file, &filelen) < 0 ||
+ PyString_AsStringAndSize(PySequence_Fast_GET_ITEM(fast, 1), &hash, &hashlen) < 0)
+ goto error;
+
+ if ((fah = FileAndHash_new()) == NULL ||
+ !ASN1_OCTET_STRING_set(fah->file, (unsigned char *) file, filelen) ||
+ !ASN1_BIT_STRING_set(fah->hash, (unsigned char *) hash, hashlen) ||
+ !sk_FileAndHash_push(self->manifest->fileList, fah))
+ lose_no_memory();
+
+ fah->hash->flags &= ~7;
+ fah->hash->flags |= ASN1_STRING_FLAG_BITS_LEFT;
+
+ fah = NULL;
+ Py_XDECREF(item);
+ Py_XDECREF(fast);
+ item = fast = NULL;
+ }
+
+ ok = 1;
error:
+ Py_XDECREF(iterator);
+ Py_XDECREF(item);
+ Py_XDECREF(fast);
+ FileAndHash_free(fah);
- return NULL;
+ if (ok)
+ Py_RETURN_NONE;
+ else
+ return NULL;
}
-static char hmac_object_copy__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Hmac</memberof>\n"
-" <name>copy</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method returns a copy of the <classname>Hmac</classname>\n"
-" object.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char manifest_object_get_files__doc__[] =
+ "Return a tuple of <filename, hash> pairs representing the contents of\n"
+ "this manifest.\n"
+ ;
static PyObject *
-hmac_object_copy(hmac_object *self, PyObject *args)
+manifest_object_get_files(manifest_object *self)
{
- hmac_object *new = NULL;
+ PyObject *result = NULL;
+ PyObject *item = NULL;
+ int i;
- if ((new = PyObject_New(hmac_object, &hmactype)) == NULL)
- lose("could not allocate memory");
+ ENTERING(manifest_object_get_files);
- memcpy(&new->hmac_ctx, &self->hmac_ctx, sizeof(HMAC_CTX));
+ if (self->manifest == NULL)
+ lose_not_verified("Can't get files from unverified manifest");
- return (PyObject*) new;
+ if (self->manifest->fileList == NULL)
+ lose("Inexplicable NULL manifest fileList pointer");
- error:
+ if ((result = PyTuple_New(sk_FileAndHash_num(self->manifest->fileList))) == NULL)
+ goto error;
- Py_XDECREF(new);
+ for (i = 0; i < sk_FileAndHash_num(self->manifest->fileList); i++) {
+ FileAndHash *fah = sk_FileAndHash_value(self->manifest->fileList, i);
+
+ if ((item = Py_BuildValue("(s#s#)",
+ ASN1_STRING_data(fah->file), ASN1_STRING_length(fah->file),
+ ASN1_STRING_data(fah->hash), ASN1_STRING_length(fah->hash))) == NULL)
+ goto error;
+
+ PyTuple_SET_ITEM(result, i, item);
+ item = NULL;
+ }
+
+ return result;
+
+ error:
+ Py_XDECREF(result);
+ Py_XDECREF(item);
return NULL;
}
-static char hmac_object_mac__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>Hmac</memberof>\n"
-" <name>mac</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method returns the MAC of all the data which has been\n"
-" processed. This function can be called at any time and will not\n"
-" effect the internal structure of the <classname>Hmac</classname>\n"
-" object.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char manifest_object_sign__doc__[] =
+ "Sign this manifest. See the CMS class's .sign() method for details.\n"
+ ;
static PyObject *
-hmac_object_mac(hmac_object *self, PyObject *args)
+manifest_object_sign(manifest_object *self, PyObject *args)
{
- unsigned char hmac_text[EVP_MAX_MD_SIZE];
- void *hmac_copy = NULL;
- unsigned int hmac_len = 0;
+ asymmetric_object *signkey = NULL;
+ x509_object *signcert = NULL;
+ PyObject *x509_sequence = Py_None;
+ PyObject *crl_sequence = Py_None;
+ char *oid = NULL;
+ unsigned flags = 0;
+ BIO *bio = NULL;
+ int ok = 0;
- if (!PyArg_ParseTuple(args, ""))
+ ENTERING(manifest_object_sign);
+
+ if (!PyArg_ParseTuple(args, "O!O!|OOsI",
+ &POW_X509_Type, &signcert,
+ &POW_Asymmetric_Type, &signkey,
+ &x509_sequence,
+ &crl_sequence,
+ &oid,
+ &flags))
goto error;
- if ((hmac_copy = malloc(sizeof(HMAC_CTX))) == NULL)
- lose("could not allocate memory");
+ if ((bio = BIO_new(BIO_s_mem())) == NULL)
+ lose_no_memory();
+
+ assert_no_unhandled_openssl_errors();
- memcpy(hmac_copy, &self->hmac_ctx, sizeof(HMAC_CTX));
- HMAC_Final(hmac_copy, hmac_text, &hmac_len);
+ if (!ASN1_item_i2d_bio(ASN1_ITEM_rptr(Manifest), bio, self->manifest))
+ lose_openssl_error("Couldn't encode manifest");
- free(hmac_copy);
- return Py_BuildValue("s#", hmac_text, hmac_len);
+ assert_no_unhandled_openssl_errors();
- error:
+ if (!cms_object_sign_helper(&self->cms, bio, signcert, signkey,
+ x509_sequence, crl_sequence, oid, flags))
+ lose_openssl_error("Couldn't sign manifest");
- if (hmac_copy)
- free(hmac_copy);
+ assert_no_unhandled_openssl_errors();
- return NULL;
+ ok = 1;
+
+ error:
+ BIO_free(bio);
+
+ if (ok)
+ Py_RETURN_NONE;
+ else
+ return NULL;
}
+static struct PyMethodDef manifest_object_methods[] = {
+ Define_Method(getVersion, manifest_object_get_version, METH_NOARGS),
+ Define_Method(setVersion, manifest_object_set_version, METH_VARARGS),
+ Define_Method(getManifestNumber, manifest_object_get_manifest_number, METH_NOARGS),
+ Define_Method(setManifestNumber, manifest_object_set_manifest_number, METH_VARARGS),
+ Define_Method(getThisUpdate, manifest_object_get_this_update, METH_NOARGS),
+ Define_Method(setThisUpdate, manifest_object_set_this_update, METH_VARARGS),
+ Define_Method(getNextUpdate, manifest_object_get_next_update, METH_NOARGS),
+ Define_Method(setNextUpdate, manifest_object_set_next_update, METH_VARARGS),
+ Define_Method(getAlgorithm, manifest_object_get_algorithm, METH_NOARGS),
+ Define_Method(setAlgorithm, manifest_object_set_algorithm, METH_VARARGS),
+ Define_Method(getFiles, manifest_object_get_files, METH_NOARGS),
+ Define_Method(addFiles, manifest_object_add_files, METH_VARARGS),
+ Define_Method(sign, manifest_object_sign, METH_VARARGS),
+ Define_Method(verify, manifest_object_verify, METH_KEYWORDS),
+ Define_Class_Method(pemRead, manifest_object_pem_read, METH_VARARGS),
+ Define_Class_Method(pemReadFile, manifest_object_pem_read_file, METH_VARARGS),
+ Define_Class_Method(derRead, manifest_object_der_read, METH_VARARGS),
+ Define_Class_Method(derReadFile, manifest_object_der_read_file, METH_VARARGS),
+ {NULL}
+};
-static struct PyMethodDef hmac_object_methods[] = {
- {"update", (PyCFunction)hmac_object_update, METH_VARARGS, NULL},
- {"mac", (PyCFunction)hmac_object_mac, METH_VARARGS, NULL},
- {"copy", (PyCFunction)hmac_object_copy, METH_VARARGS, NULL},
+static char POW_Manifest_Type__doc__[] =
+ "This class provides access to RPKI manifest payload.\n"
+ "Most methods are inherited from or share code with the CMS class.\n"
+ ;
- {NULL} /* sentinel */
+static PyTypeObject POW_Manifest_Type = {
+ PyObject_HEAD_INIT(0)
+ 0, /* ob_size */
+ "rpki.POW.Manifest", /* tp_name */
+ sizeof(manifest_object), /* tp_basicsize */
+ 0, /* tp_itemsize */
+ (destructor)manifest_object_dealloc, /* tp_dealloc */
+ 0, /* tp_print */
+ 0, /* tp_getattr */
+ 0, /* tp_setattr */
+ 0, /* tp_compare */
+ 0, /* tp_repr */
+ 0, /* tp_as_number */
+ 0, /* tp_as_sequence */
+ 0, /* tp_as_mapping */
+ 0, /* tp_hash */
+ 0, /* tp_call */
+ 0, /* tp_str */
+ 0, /* tp_getattro */
+ 0, /* tp_setattro */
+ 0, /* tp_as_buffer */
+ Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE, /* tp_flags */
+ POW_Manifest_Type__doc__, /* tp_doc */
+ 0, /* tp_traverse */
+ 0, /* tp_clear */
+ 0, /* tp_richcompare */
+ 0, /* tp_weaklistoffset */
+ 0, /* tp_iter */
+ 0, /* tp_iternext */
+ manifest_object_methods, /* tp_methods */
+ 0, /* tp_members */
+ 0, /* tp_getset */
+ &POW_CMS_Type, /* tp_base */
+ 0, /* tp_dict */
+ 0, /* tp_descr_get */
+ 0, /* tp_descr_set */
+ 0, /* tp_dictoffset */
+ 0, /* tp_init */
+ 0, /* tp_alloc */
+ manifest_object_new, /* tp_new */
};
+
+
+/*
+ * ROA object.
+ */
+
static PyObject *
-hmac_object_getattr(hmac_object *self, char *name)
+roa_object_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
{
- return Py_FindMethod(hmac_object_methods, (PyObject *)self, name);
+ roa_object *self = NULL;
+
+ ENTERING(roa_object_new);
+
+ if ((self = (roa_object *) cms_object_new(type, args, kwds)) != NULL &&
+ (self->roa = ROA_new()) != NULL)
+ return (PyObject *) self;
+
+ Py_XDECREF(self);
+ return NULL;
}
static void
-hmac_object_dealloc(hmac_object *self, char *name)
-{
- PyObject_Del(self);
-}
-
-static char hmactype__doc__[] =
-"<class>\n"
-" <header>\n"
-" <name>Hmac</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This class provides access to the HMAC functionality of OpenSSL.\n"
-" HMAC's are a variant on digest based MACs, which have the\n"
-" interesting property of a provable level of security. HMAC is\n"
-" discussed further in RFC 2104.\n"
-" </para>\n"
-" </body>\n"
-"</class>\n"
-;
+roa_object_dealloc(roa_object *self)
+{
+ ENTERING(roa_object_dealloc);
+ ROA_free(self->roa);
+ cms_object_dealloc(&self->cms);
+}
-static PyTypeObject hmactype = {
- PyObject_HEAD_INIT(0)
- 0, /*ob_size*/
- "Hmac", /*tp_name*/
- sizeof(hmac_object), /*tp_basicsize*/
- 0, /*tp_itemsize*/
- (destructor)hmac_object_dealloc, /*tp_dealloc*/
- (printfunc)0, /*tp_print*/
- (getattrfunc)hmac_object_getattr, /*tp_getattr*/
- (setattrfunc)0, /*tp_setattr*/
- (cmpfunc)0, /*tp_compare*/
- (reprfunc)0, /*tp_repr*/
- 0, /*tp_as_number*/
- 0, /*tp_as_sequence*/
- 0, /*tp_as_mapping*/
- (hashfunc)0, /*tp_hash*/
- (ternaryfunc)0, /*tp_call*/
- (reprfunc)0, /*tp_str*/
- 0,
- 0,
- 0,
- 0,
- hmactype__doc__ /* Documentation string */
-};
-/*========== hmac Code ==========*/
+static char roa_object_verify__doc__[] =
+ "Verify this ROA. See CMS.verify() for details.\n"
+ ;
-/*========== CMS code ==========*/
-static cms_object *
-CMS_object_new(void)
+static PyObject *
+roa_object_verify(roa_object *self, PyObject *args, PyObject *kwds)
{
- cms_object *self;
+ BIO *bio = NULL;
+ int ok = 0;
+
+ ENTERING(roa_object_verify);
- if ((self = PyObject_New(cms_object, &cmstype)) == NULL)
+ if ((bio = cms_object_verify_helper(&self->cms, args, kwds)) == NULL)
goto error;
+
+ if (!ASN1_item_d2i_bio(ASN1_ITEM_rptr(ROA), bio, &self->roa))
+ lose_openssl_error("Couldn't decode ROA");
- self->cms = NULL;
- return self;
+ ok = 1;
error:
+ BIO_free(bio);
- Py_XDECREF(self);
- return NULL;
+ if (ok)
+ Py_RETURN_NONE;
+ else
+ return NULL;
}
-static cms_object *
-CMS_object_pem_read(BIO *in)
+static PyObject *
+roa_object_pem_read_helper(PyTypeObject *type, BIO *bio)
{
- cms_object *self;
-
- if ((self = PyObject_New(cms_object, &cmstype)) == NULL)
- goto error;
+ roa_object *self;
- if ((self->cms = PEM_read_bio_CMS(in, NULL, NULL, NULL)) == NULL)
- lose("could not load PEM encoded CMS message");
+ ENTERING(roa_object_pem_read_helper);
- return self;
-
- error:
+ if ((self = (roa_object *) cms_object_pem_read_helper(type, bio)) != NULL)
+ self->roa = NULL;
- Py_XDECREF(self);
- return NULL;
+ return (PyObject *) self;
}
-static cms_object *
-CMS_object_der_read(char *src, int len)
+static PyObject *
+roa_object_der_read_helper(PyTypeObject *type, BIO *bio)
{
- cms_object *self;
- BIO *bio = NULL;
+ roa_object *self;
- if ((self = PyObject_New(cms_object, &cmstype)) == NULL)
- goto error;
+ ENTERING(roa_object_der_read_helper);
- self->cms = CMS_ContentInfo_new();
+ if ((self = (roa_object *) cms_object_der_read_helper(type, bio)) != NULL)
+ self->roa = NULL;
- if ((bio = BIO_new_mem_buf(src, len)) == NULL)
- goto error;
+ return (PyObject *) self;
+}
- if (!d2i_CMS_bio(bio, &self->cms))
- lose("could not load DER encoded CMS message");
+static char roa_object_pem_read__doc__[] =
+ "Read a PEM-encoded ROA object from a string.\n"
+ ;
- BIO_free(bio);
+static PyObject *
+roa_object_pem_read(PyTypeObject *type, PyObject *args)
+{
+ ENTERING(roa_object_pem_read);
+ return read_from_string_helper(roa_object_pem_read_helper, type, args);
+}
- return self;
+static char roa_object_pem_read_file__doc__[] =
+ "Read a PEM-encoded ROA object from a file.\n"
+ ;
- error:
+static PyObject *
+roa_object_pem_read_file(PyTypeObject *type, PyObject *args)
+{
+ ENTERING(roa_object_pem_read_file);
+ return read_from_file_helper(roa_object_pem_read_helper, type, args);
+}
- if (bio)
- BIO_free(bio);
+static char roa_object_der_read__doc__[] =
+ "Read a DER-encoded ROA object from a string.\n"
+ ;
- Py_XDECREF(self);
- return NULL;
+static PyObject *
+roa_object_der_read(PyTypeObject *type, PyObject *args)
+{
+ ENTERING(roa_object_der_read);
+ return read_from_string_helper(roa_object_der_read_helper, type, args);
}
+static char roa_object_der_read_file__doc__[] =
+ "Read a DER-encoded ROA object from a file.\n"
+ ;
+
static PyObject *
-CMS_object_write_helper(cms_object *self, PyObject *args, int format)
+roa_object_der_read_file(PyTypeObject *type, PyObject *args)
{
- int len = 0;
- char *buf = NULL;
- BIO *out_bio = NULL;
- PyObject *cert = NULL;
-
- if (!PyArg_ParseTuple(args, ""))
- return NULL;
+ ENTERING(roa_object_der_read_file);
+ return read_from_file_helper(roa_object_der_read_helper, type, args);
+}
- out_bio = BIO_new(BIO_s_mem());
+static char roa_object_get_version__doc__[] =
+ "Return the version number of this ROA.\n"
+ ;
- switch (format) {
+static PyObject *
+roa_object_get_version(roa_object *self)
+{
+ ENTERING(roa_object_get_version);
- case DER_FORMAT:
- if (!i2d_CMS_bio(out_bio, self->cms))
- lose("unable to write certificate");
- break;
+ if (self->roa == NULL)
+ lose_not_verified("Can't get version of unverified ROA");
- case PEM_FORMAT:
- if (!PEM_write_bio_CMS(out_bio, self->cms))
- lose("unable to write certificate");
- break;
+ if (self->roa->version)
+ return Py_BuildValue("N", ASN1_INTEGER_to_PyLong(self->roa->version));
+ else
+ return PyInt_FromLong(0);
- default:
- lose("internal error, unknown output format");
- }
+ error:
+ return NULL;
+}
- if ((len = BIO_ctrl_pending(out_bio)) == 0)
- lose("unable to get bytes stored in bio");
+static char roa_object_set_version__doc__[] =
+ "Set the version number of this ROA.\n"
+ "\n"
+ "The \"version\" parameter should be a non-negative integer.\n"
+ "\n"
+ "As of this writing, zero is both the default and the only defined version.\n"
+ "Attempting to set any version number other than zero will fail, as we\n"
+ "don't understand how to write other versions, by definition.\n"
+ ;
- if ((buf = malloc(len)) == NULL)
- lose("unable to allocate memory");
+static PyObject *
+roa_object_set_version(roa_object *self, PyObject *args)
+{
+ int version = 0;
- if (BIO_read(out_bio, buf, len) != len)
- lose("unable to write out cert");
+ ENTERING(roa_object_set_version);
- cert = Py_BuildValue("s#", buf, len);
+ if (self->roa == NULL)
+ lose_not_verified("Can't set version of unverified ROA");
- BIO_free(out_bio);
- free(buf);
- return cert;
+ if (!PyArg_ParseTuple(args, "|i", &version))
+ goto error;
- error:
+ if (version != 0)
+ lose("RFC 6482 only defines ROA version zero");
- if (out_bio)
- BIO_free(out_bio);
+ ASN1_INTEGER_free(self->roa->version);
+ self->roa->version = NULL;
- if (buf)
- free(buf);
+ Py_RETURN_NONE;
- Py_XDECREF(cert);
+ error:
return NULL;
}
-static char CMS_object_pem_write__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>CMS</memberof>\n"
-" <name>pemWrite</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method returns a PEM encoded CMS message as a\n"
-" string.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char roa_object_get_asid__doc__[] =
+ "Return the Autonomous System ID of this ROA.\n"
+ ;
static PyObject *
-CMS_object_pem_write(cms_object *self, PyObject *args)
+roa_object_get_asid(roa_object *self)
{
- return CMS_object_write_helper(self, args, PEM_FORMAT);
-}
+ ENTERING(roa_object_get_asid);
-static char CMS_object_der_write__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>CMS</memberof>\n"
-" <name>derWrite</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method returns a DER encoded CMS message as a\n"
-" string.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+ if (self->roa == NULL)
+ lose_not_verified("Can't get ASN of unverified ROA");
-static PyObject *
-CMS_object_der_write(cms_object *self, PyObject *args)
-{
- return CMS_object_write_helper(self, args, DER_FORMAT);
-}
-
-static char CMS_object_sign__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>CMS</memberof>\n"
-" <name>sign</name>\n"
-" <parameter>signcert</parameter>\n"
-" <parameter>key</parameter>\n"
-" <parameter>data</parameter>\n"
-" <optional>\n"
-" <parameter>certs</parameter>\n"
-" <parameter>crls</parameter>\n"
-" <parameter>eContentType</parameter>\n"
-" <parameter>flags</parameter>\n"
-" </optional>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method signs a message with a private key.\n"
-" Supported flags: CMS_NOCERTS, CMS_NOATTR.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+ return Py_BuildValue("N", ASN1_INTEGER_to_PyLong(self->roa->asID));
+
+ error:
+ return NULL;
+}
+
+static char roa_object_set_asid__doc__[] =
+ "Sets the Autonomous System ID of this ROA.\n"
+ "\n"
+ "The \"asID\" parameter should be a non-negative integer.\n"
+ ;
static PyObject *
-CMS_object_sign(cms_object *self, PyObject *args)
+roa_object_set_asid(roa_object *self, PyObject *args)
{
- asymmetric_object *signkey = NULL;
- x509_object *signcert = NULL;
- x509_crl_object *crlobj = NULL;
- PyObject *x509_sequence = Py_None, *crl_sequence = Py_None, *result = NULL;
- STACK_OF(X509) *x509_stack = NULL;
- EVP_PKEY *pkey = NULL;
- char *buf = NULL, *oid = NULL;
- int i, n, len;
- unsigned flags = 0;
- BIO *bio = NULL;
- CMS_ContentInfo *cms = NULL;
- ASN1_OBJECT *econtent_type = NULL;
+ PyObject *asID = NULL;
+ PyObject *zero = NULL;
+ int ok = 0;
- if (!PyArg_ParseTuple(args, "O!O!s#|OOsI",
- &x509type, &signcert,
- &asymmetrictype, &signkey,
- &buf, &len,
- &x509_sequence,
- &crl_sequence,
- &oid,
- &flags))
+ ENTERING(roa_object_set_asid);
+
+ if (self->roa == NULL)
+ lose_not_verified("Can't set ASN of unverified ROA");
+
+ if (!PyArg_ParseTuple(args, "O", &asID))
goto error;
- assert_no_unhandled_openssl_errors();
+ if ((zero = PyInt_FromLong(0)) == NULL)
+ goto error;
- flags &= CMS_NOCERTS | CMS_NOATTR;
- flags |= CMS_BINARY | CMS_NOSMIMECAP | CMS_PARTIAL | CMS_USE_KEYID;
+ switch (PyObject_RichCompareBool(asID, zero, Py_GE)) {
+ case -1:
+ goto error;
+ case 0:
+ lose("Negative asID is not allowed");
+ }
- if (signkey->key_type != RSA_PRIVATE_KEY)
- lose("unsupported key type");
+ ASN1_INTEGER_free(self->roa->asID);
- if ((x509_stack = x509_helper_sequence_to_stack(x509_sequence)) == NULL)
+ if ((self->roa->asID = PyLong_to_ASN1_INTEGER(asID)) == NULL)
goto error;
- assert_no_unhandled_openssl_errors();
+ ok = 1;
- if ((pkey = EVP_PKEY_new()) == NULL)
- lose_openssl_error("Could not allocate memory");
+ error:
+ Py_XDECREF(zero);
- assert_no_unhandled_openssl_errors();
+ if (ok)
+ Py_RETURN_NONE;
+ else
+ return NULL;
+}
- if (!EVP_PKEY_assign_RSA(pkey, signkey->cipher))
- lose_openssl_error("EVP_PKEY assignment error");
+static char roa_object_get_prefixes__doc__[] =
+ "Return this ROA's prefix list. This is a two-element\n"
+ "tuple: the first element is the IPv4 prefix set, the second is the\n"
+ "IPv6 prefix set.\n"
+ "\n"
+ "Each prefix set is either None, if there are no prefixes for this IP\n"
+ "version, or a sequence of three-element tuple representing ROA prefix\n"
+ "entries.\n"
+ "\n"
+ "Each ROA prefix entry consists of the prefix itself (an IPAddress),\n"
+ "the prefix length (an integer), and the maxPrefixLen value, which is\n"
+ "either an integer or None depending on whether the maxPrefixLen value\n"
+ "is set for this prefix.\n"
+ ;
- assert_no_unhandled_openssl_errors();
+static PyObject *
+roa_object_get_prefixes(roa_object *self)
+{
+ PyObject *result = NULL;
+ PyObject *ipv4_result = NULL;
+ PyObject *ipv6_result = NULL;
+ PyObject *item = NULL;
+ ipaddress_object *addr = NULL;
+ int i, j;
+
+ ENTERING(roa_object_get_prefixes);
+
+ if (self->roa == NULL)
+ lose_not_verified("Can't get prefixes from unverified ROA");
+
+ for (i = 0; i < sk_ROAIPAddressFamily_num(self->roa->ipAddrBlocks); i++) {
+ ROAIPAddressFamily *fam = sk_ROAIPAddressFamily_value(self->roa->ipAddrBlocks, i);
+ const unsigned afi = (fam->addressFamily->data[0] << 8) | (fam->addressFamily->data[1]);
+ const ipaddress_version *ip_type = NULL;
+ PyObject **resultp = NULL;
+
+ switch (afi) {
+ case IANA_AFI_IPV4: resultp = &ipv4_result; ip_type = &ipaddress_version_4; break;
+ case IANA_AFI_IPV6: resultp = &ipv6_result; ip_type = &ipaddress_version_6; break;
+ default: lose_type_error("Unknown AFI");
+ }
- if ((bio = BIO_new_mem_buf(buf, len)) == NULL)
- goto error;
+ if (fam->addressFamily->length > 2)
+ lose_type_error("Unsupported SAFI");
- assert_no_unhandled_openssl_errors();
+ if (*resultp != NULL)
+ lose_type_error("Duplicate ROAIPAddressFamily");
- if (oid && (econtent_type = OBJ_txt2obj(oid, 0)) == NULL)
- lose_openssl_error("Could not parse OID");
+ if ((*resultp = PyTuple_New(sk_ROAIPAddress_num(fam->addresses))) == NULL)
+ goto error;
- assert_no_unhandled_openssl_errors();
+ for (j = 0; j < sk_ROAIPAddress_num(fam->addresses); j++) {
+ ROAIPAddress *a = sk_ROAIPAddress_value(fam->addresses, j);
+ unsigned prefixlen = ((a->IPAddress)->length * 8 - ((a->IPAddress)->flags & 7));
- if ((cms = CMS_sign(NULL, NULL, x509_stack, bio, flags)) == NULL)
- lose_openssl_error("Could not create CMS message");
+ if ((addr = (ipaddress_object *) POW_IPAddress_Type.tp_alloc(&POW_IPAddress_Type, 0)) == NULL)
+ goto error;
- assert_no_unhandled_openssl_errors();
+ addr->type = ip_type;
- if (econtent_type)
- CMS_set1_eContentType(cms, econtent_type);
+ memset(addr->address, 0, sizeof(addr->address));
- assert_no_unhandled_openssl_errors();
+ if ((unsigned) a->IPAddress->length > addr->type->length)
+ lose("ROAIPAddress BIT STRING too long for AFI");
- if (!CMS_add1_signer(cms, signcert->x509, pkey, EVP_sha256(), flags))
- lose_openssl_error("Could not sign CMS message");
+ if (a->IPAddress->length > 0) {
+ memcpy(addr->address, a->IPAddress->data, a->IPAddress->length);
- pkey = NULL; /* CMS_add1_signer() now owns pkey */
+ if ((a->IPAddress->flags & 7) != 0) {
+ unsigned char mask = 0xFF >> (8 - (a->IPAddress->flags & 7));
+ addr->address[a->IPAddress->length - 1] &= ~mask;
+ }
+ }
- assert_no_unhandled_openssl_errors();
+ if (a->maxLength == NULL)
+ item = Py_BuildValue("(NIO)", addr, prefixlen, Py_None);
+ else
+ item = Py_BuildValue("(NIl)", addr, prefixlen, ASN1_INTEGER_get(a->maxLength));
- if (crl_sequence != Py_None) {
+ if (item == NULL)
+ goto error;
- if (!PyTuple_Check(crl_sequence) && !PyList_Check(crl_sequence))
- lose_type_error("inapropriate type");
+ PyTuple_SET_ITEM(*resultp, j, item);
+ item = NULL;
+ addr = NULL;
+ }
+ }
- n = PySequence_Size(crl_sequence);
+ result = Py_BuildValue("(OO)",
+ (ipv4_result == NULL ? Py_None : ipv4_result),
+ (ipv6_result == NULL ? Py_None : ipv6_result));
- for (i = 0; i < n; i++) {
+ error: /* Fall through */
+ Py_XDECREF(addr);
+ Py_XDECREF(item);
+ Py_XDECREF(ipv4_result);
+ Py_XDECREF(ipv6_result);
- if ((crlobj = (x509_crl_object *) PySequence_GetItem(crl_sequence, i)) == NULL)
- goto error;
+ return result;
+}
- if (!X_X509_crl_Check(crlobj))
- lose_type_error("inappropriate type");
+static char roa_object_set_prefixes__doc__[] =
+ "Set this ROA's prefix list.\n"
+ "\n"
+ "This method takes two arguments, \"ipv4\" and \"ipv6\". Each of these\n"
+ "is either None, if no prefixes should be set for this IP version, or\n"
+ "an iterable object returning ROA prefix entries in the same format as\n"
+ "returned by the .getPrefixes() method. The maxPrefixLen value may be\n"
+ "omitted (that is, the ROA prefix entry tuple may be of length two\n"
+ "rather than of length three); this will be taken as equivalent to\n"
+ "specifying a maxPrefixLen value of None.\n"
+ ;
- if (!crlobj->crl)
- lose("CRL object with null crl field!");
+static PyObject *
+roa_object_set_prefixes(roa_object *self, PyObject *args, PyObject *kwds)
+{
+ static char *kwlist[] = {"ipv4", "ipv6", NULL};
+ STACK_OF(ROAIPAddressFamily) *prefixes = NULL;
+ ROAIPAddressFamily *fam = NULL;
+ ROAIPAddress *a = NULL;
+ PyObject *ipv4_arg = Py_None;
+ PyObject *ipv6_arg = Py_None;
+ PyObject *iterator = NULL;
+ PyObject *item = NULL;
+ PyObject *fast = NULL;
+ int ok = 0;
+ int v;
- if (!CMS_add1_crl(cms, crlobj->crl))
- lose_openssl_error("Could not add CRL to CMS");
+ ENTERING(roa_object_set_prefixes);
- assert_no_unhandled_openssl_errors();
+ if (self->roa == NULL)
+ lose_not_verified("Can't set prefixes of unverified ROA");
- Py_XDECREF(crlobj);
- crlobj = NULL;
+ if (!PyArg_ParseTupleAndKeywords(args, kwds, "|OO", kwlist, &ipv4_arg, &ipv6_arg))
+ goto error;
+
+ if ((prefixes = sk_ROAIPAddressFamily_new_null()) == NULL)
+ lose_no_memory();
+
+ for (v = 0; v < (int) (sizeof(ipaddress_versions)/sizeof(*ipaddress_versions)); v++) {
+ const struct ipaddress_version *ip_type = ipaddress_versions[v];
+ unsigned char afibuf[2];
+ PyObject **argp;
+
+ switch (ip_type->version) {
+ case 4: argp = &ipv4_arg; break;
+ case 6: argp = &ipv6_arg; break;
+ default: continue;
}
- }
- if (!CMS_final(cms, bio, NULL, flags))
- lose_openssl_error("Could not finalize CMS signatures");
+ if (*argp == Py_None)
+ continue;
- assert_no_unhandled_openssl_errors();
+ afibuf[0] = (ip_type->afi >> 8) & 0xFF;
+ afibuf[1] = (ip_type->afi ) & 0xFF;
- if (self->cms)
- CMS_ContentInfo_free(self->cms);
- self->cms = cms;
- cms = NULL;
+ if ((iterator = PyObject_GetIter(*argp)) == NULL)
+ goto error;
- result = Py_BuildValue("");
+ while ((item = PyIter_Next(iterator)) != NULL) {
+ unsigned prefixlen, maxprefixlen, bitlen, bytelen;
+ ipaddress_object *addr = NULL;
+ PyObject *maxlenobj = Py_None;
- error: /* fall through */
+ if ((fast = PySequence_Fast(item, "ROA prefix must be a sequence")) == NULL)
+ goto error;
- assert_no_unhandled_openssl_errors();
+ switch (PySequence_Fast_GET_SIZE(fast)) {
+ case 3:
+ maxlenobj = PySequence_Fast_GET_ITEM(fast, 2);
+ /* Fall through */
+ case 2:
+ if (!POW_IPAddress_Check(PySequence_Fast_GET_ITEM(fast, 0)))
+ lose_type_error("First element of ROA prefix must be an IPAddress object");
+ addr = (ipaddress_object *) PySequence_Fast_GET_ITEM(fast, 0);
+ prefixlen = (unsigned) PyInt_AsLong(PySequence_Fast_GET_ITEM(fast, 1));
+ if (PyErr_Occurred())
+ goto error;
+ break;
+ default:
+ lose_type_error("ROA prefix must be a two- or three-element sequence");
+ }
- if (cms)
- CMS_ContentInfo_free(cms);
+ if (maxlenobj == Py_None) {
+ maxprefixlen = prefixlen;
+ } else {
+ maxprefixlen = (unsigned) PyInt_AsLong(maxlenobj);
+ if (PyErr_Occurred())
+ goto error;
+ }
- if (bio)
- BIO_free(bio);
+ if (addr->type != ip_type)
+ lose_type_error("Bad ROA prefix");
- if (x509_stack)
- sk_X509_free(x509_stack);
+ if (prefixlen > addr->type->length * 8)
+ lose("Bad prefix length");
- if (pkey)
- EVP_PKEY_free(pkey);
+ if (maxprefixlen > addr->type->length * 8 || maxprefixlen < prefixlen)
+ lose("Bad maxLength value");
- if (econtent_type)
- ASN1_OBJECT_free(econtent_type);
+ bytelen = (prefixlen + 7) / 8;
+ bitlen = prefixlen % 8;
+
+ if ((a = ROAIPAddress_new()) == NULL ||
+ (a->IPAddress == NULL && (a->IPAddress = ASN1_BIT_STRING_new()) == NULL) ||
+ !ASN1_BIT_STRING_set(a->IPAddress, addr->address, bytelen))
+ lose_no_memory();
+
+ a->IPAddress->flags &= ~7;
+ a->IPAddress->flags |= ASN1_STRING_FLAG_BITS_LEFT;
+ if (bitlen > 0) {
+ a->IPAddress->data[bytelen - 1] &= ~(0xFF >> bitlen);
+ a->IPAddress->flags |= 8 - bitlen;
+ }
+
+ if (prefixlen != maxprefixlen &&
+ ((a->maxLength = ASN1_INTEGER_new()) == NULL ||
+ !ASN1_INTEGER_set(a->maxLength, maxprefixlen)))
+ lose_no_memory();
+
+ if (fam == NULL &&
+ ((fam = ROAIPAddressFamily_new()) == NULL ||
+ !sk_ROAIPAddressFamily_push(prefixes, fam) ||
+ !ASN1_OCTET_STRING_set(fam->addressFamily, afibuf, sizeof(afibuf))))
+ lose_no_memory();
- if (crlobj) {
- Py_XDECREF(crlobj);
+ if (!sk_ROAIPAddress_push(fam->addresses, a))
+ lose_no_memory();
+
+ a = NULL;
+ Py_XDECREF(item);
+ Py_XDECREF(fast);
+ item = fast = NULL;
+ }
+
+ fam = NULL;
+ Py_XDECREF(iterator);
+ iterator = NULL;
}
- return result;
+ sk_ROAIPAddressFamily_pop_free(self->roa->ipAddrBlocks, ROAIPAddressFamily_free);
+ self->roa->ipAddrBlocks = prefixes;
+ prefixes = NULL;
+
+ ok = 1;
+
+ error:
+ sk_ROAIPAddressFamily_pop_free(prefixes, ROAIPAddressFamily_free);
+ ROAIPAddressFamily_free(fam);
+ ROAIPAddress_free(a);
+ Py_XDECREF(iterator);
+ Py_XDECREF(item);
+ Py_XDECREF(fast);
+
+ if (ok)
+ Py_RETURN_NONE;
+ else
+ return NULL;
}
-static char CMS_object_verify__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>CMS</memberof>\n"
-" <name>verify</name>\n"
-" <parameter>store</parameter>\n"
-" <optional>\n"
-" <parameter>certs</parameter>\n"
-" <parameter>flags</parameter>\n"
-" </optional>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method verifies a message against a trusted store.\n"
-" The optional certs parameter is a set of certificates to search\n"
-" for the signer's certificate.\n"
-" Supported flags: CMS_NOINTERN, CMS_NOCRL,\n"
-" CMS_NO_SIGNER_CERT_VERIFY, CMS_NO_ATTR_VERIFY,\n"
-" CMS_NO_CONTENT_VERIFY.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char roa_object_sign__doc__[] =
+ "Sign this ROA. See CMS.sign() for details.\n"
+ ;
static PyObject *
-CMS_object_verify(cms_object *self, PyObject *args)
+roa_object_sign(roa_object *self, PyObject *args)
{
- x509_store_object *store = NULL;
- PyObject *result = NULL, *certs_sequence = Py_None;
- STACK_OF(X509) *certs_stack = NULL;
+ asymmetric_object *signkey = NULL;
+ x509_object *signcert = NULL;
+ PyObject *x509_sequence = Py_None;
+ PyObject *crl_sequence = Py_None;
+ char *oid = NULL;
unsigned flags = 0;
- char *buf = NULL;
BIO *bio = NULL;
- int len;
+ int ok = 0;
+
+ ENTERING(roa_object_sign);
- if (!PyArg_ParseTuple(args, "O!|OI", &x509_storetype, &store, &certs_sequence, &flags))
+ if (!PyArg_ParseTuple(args, "O!O!|OOsI",
+ &POW_X509_Type, &signcert,
+ &POW_Asymmetric_Type, &signkey,
+ &x509_sequence,
+ &crl_sequence,
+ &oid,
+ &flags))
goto error;
if ((bio = BIO_new(BIO_s_mem())) == NULL)
- goto error;
+ lose_no_memory();
assert_no_unhandled_openssl_errors();
- flags &= CMS_NOINTERN | CMS_NOCRL | CMS_NO_SIGNER_CERT_VERIFY | CMS_NO_ATTR_VERIFY | CMS_NO_CONTENT_VERIFY;
-
- if (certs_sequence != Py_None && (certs_stack = x509_helper_sequence_to_stack(certs_sequence)) == NULL)
- goto error;
+ if (!ASN1_item_i2d_bio(ASN1_ITEM_rptr(ROA), bio, self->roa))
+ lose_openssl_error("Couldn't encode ROA");
assert_no_unhandled_openssl_errors();
- if (CMS_verify(self->cms, certs_stack, store->store, NULL, bio, flags) <= 0)
- lose_openssl_error("Could not verify CMS message");
+ if (!cms_object_sign_helper(&self->cms, bio, signcert, signkey,
+ x509_sequence, crl_sequence, oid, flags))
+ lose_openssl_error("Couldn't sign ROA");
assert_no_unhandled_openssl_errors();
- if ((len = BIO_ctrl_pending(bio)) == 0)
- lose("unable to get bytes stored in bio");
+ ok = 1;
- assert_no_unhandled_openssl_errors();
-
- if ((buf = malloc(len)) == NULL)
- lose("unable to allocate memory");
+ error:
+ BIO_free(bio);
- assert_no_unhandled_openssl_errors();
+ if (ok)
+ Py_RETURN_NONE;
+ else
+ return NULL;
+}
- if (BIO_read(bio, buf, len) != len)
- lose("unable to write out CMS content");
+static struct PyMethodDef roa_object_methods[] = {
+ Define_Method(getVersion, roa_object_get_version, METH_NOARGS),
+ Define_Method(setVersion, roa_object_set_version, METH_VARARGS),
+ Define_Method(getASID, roa_object_get_asid, METH_NOARGS),
+ Define_Method(setASID, roa_object_set_asid, METH_VARARGS),
+ Define_Method(getPrefixes, roa_object_get_prefixes, METH_NOARGS),
+ Define_Method(setPrefixes, roa_object_set_prefixes, METH_KEYWORDS),
+ Define_Method(sign, roa_object_sign, METH_VARARGS),
+ Define_Method(verify, roa_object_verify, METH_KEYWORDS),
+ Define_Class_Method(pemRead, roa_object_pem_read, METH_VARARGS),
+ Define_Class_Method(pemReadFile, roa_object_pem_read_file, METH_VARARGS),
+ Define_Class_Method(derRead, roa_object_der_read, METH_VARARGS),
+ Define_Class_Method(derReadFile, roa_object_der_read_file, METH_VARARGS),
+ {NULL}
+};
- assert_no_unhandled_openssl_errors();
+static char POW_ROA_Type__doc__[] =
+ "This class provides access to RPKI ROA payload.\n"
+ "Most methods are inherited from or share code with the CMS class.\n"
+ ;
- result = Py_BuildValue("s#", buf, len);
+static PyTypeObject POW_ROA_Type = {
+ PyObject_HEAD_INIT(0)
+ 0, /* ob_size */
+ "rpki.POW.ROA", /* tp_name */
+ sizeof(roa_object), /* tp_basicsize */
+ 0, /* tp_itemsize */
+ (destructor)roa_object_dealloc, /* tp_dealloc */
+ 0, /* tp_print */
+ 0, /* tp_getattr */
+ 0, /* tp_setattr */
+ 0, /* tp_compare */
+ 0, /* tp_repr */
+ 0, /* tp_as_number */
+ 0, /* tp_as_sequence */
+ 0, /* tp_as_mapping */
+ 0, /* tp_hash */
+ 0, /* tp_call */
+ 0, /* tp_str */
+ 0, /* tp_getattro */
+ 0, /* tp_setattro */
+ 0, /* tp_as_buffer */
+ Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE, /* tp_flags */
+ POW_ROA_Type__doc__, /* tp_doc */
+ 0, /* tp_traverse */
+ 0, /* tp_clear */
+ 0, /* tp_richcompare */
+ 0, /* tp_weaklistoffset */
+ 0, /* tp_iter */
+ 0, /* tp_iternext */
+ roa_object_methods, /* tp_methods */
+ 0, /* tp_members */
+ 0, /* tp_getset */
+ &POW_CMS_Type, /* tp_base */
+ 0, /* tp_dict */
+ 0, /* tp_descr_get */
+ 0, /* tp_descr_set */
+ 0, /* tp_dictoffset */
+ 0, /* tp_init */
+ 0, /* tp_alloc */
+ roa_object_new, /* tp_new */
+};
- error: /* fall through */
+
- assert_no_unhandled_openssl_errors();
+/*
+ * PKCS10 object.
+ */
- if (certs_stack)
- sk_X509_free(certs_stack);
+static PyObject *
+pkcs10_object_new(PyTypeObject *type, GCC_UNUSED PyObject *args, GCC_UNUSED PyObject *kwds)
+{
+ pkcs10_object *self;
- if (bio)
- BIO_free(bio);
+ ENTERING(pkcs10_object_new);
- if (buf)
- free(buf);
+ if ((self = (pkcs10_object *) type->tp_alloc(type, 0)) != NULL &&
+ (self->pkcs10 = X509_REQ_new()) != NULL &&
+ (self->exts = sk_X509_EXTENSION_new_null()) != NULL)
+ return (PyObject *) self;
- return result;
+ Py_XDECREF(self);
+ return NULL;
}
-static char CMS_object_eContentType__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>CMS</memberof>\n"
-" <name>get_eContentType</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method returns the eContentType of a CMS message.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static void
+pkcs10_object_dealloc(pkcs10_object *self)
+{
+ ENTERING(pkcs10_object_dealloc);
+ X509_REQ_free(self->pkcs10);
+ sk_X509_EXTENSION_pop_free(self->exts, X509_EXTENSION_free);
+ self->ob_type->tp_free((PyObject*) self);
+}
static PyObject *
-CMS_object_eContentType(cms_object *self, PyObject *args)
+pkcs10_object_pem_read_helper(PyTypeObject *type, BIO *bio)
{
- const ASN1_OBJECT *oid = NULL;
- PyObject *result = NULL;
- char buf[512];
+ pkcs10_object *self = NULL;
- if (!PyArg_ParseTuple(args, ""))
- return NULL;
+ ENTERING(pkcs10_object_pem_read_helper);
- if ((oid = CMS_get0_eContentType(self->cms)) == NULL)
- lose_openssl_error("Could not extract eContentType from CMS message");
+ assert_no_unhandled_openssl_errors();
- OBJ_obj2txt(buf, sizeof(buf), oid, 1);
+ if ((self = (pkcs10_object *) pkcs10_object_new(type, NULL, NULL)) == NULL)
+ goto error;
- result = Py_BuildValue("s", buf);
+ assert_no_unhandled_openssl_errors();
- error:
+ if (!PEM_read_bio_X509_REQ(bio, &self->pkcs10, NULL, NULL))
+ lose_openssl_error("Couldn't load PEM encoded PKCS#10 request");
+
+ sk_X509_EXTENSION_pop_free(self->exts, X509_EXTENSION_free);
+ self->exts = X509_REQ_get_extensions(self->pkcs10);
assert_no_unhandled_openssl_errors();
- return result;
-}
+ return (PyObject *) self;
-static char CMS_object_signingTime__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>CMS</memberof>\n"
-" <name>get_signingTime</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method returns the signingTime of a CMS message.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+ error:
+
+ Py_XDECREF(self);
+ return NULL;
+}
static PyObject *
-CMS_object_signingTime(cms_object *self, PyObject *args)
+pkcs10_object_der_read_helper(PyTypeObject *type, BIO *bio)
{
- PyObject *result = NULL;
- STACK_OF(CMS_SignerInfo) *sis = NULL;
- CMS_SignerInfo *si = NULL;
- X509_ATTRIBUTE *xa = NULL;
- ASN1_TYPE *so = NULL;
- int i;
+ pkcs10_object *self = NULL;
- if (!PyArg_ParseTuple(args, ""))
- return NULL;
+ ENTERING(pkcs10_object_der_read_helper);
- if ((sis = CMS_get0_SignerInfos(self->cms)) == NULL)
- lose("Could not extract signerInfos from CMS message[1]");
+ assert_no_unhandled_openssl_errors();
- if (sk_CMS_SignerInfo_num(sis) != 1)
- lose("Could not extract signerInfos from CMS message[2]");
+ if ((self = (pkcs10_object *) pkcs10_object_new(type, NULL, NULL)) == NULL)
+ goto error;
- si = sk_CMS_SignerInfo_value(sis, 0);
+ assert_no_unhandled_openssl_errors();
- if ((i = CMS_signed_get_attr_by_NID(si, NID_pkcs9_signingTime, -1)) < 0)
- lose("Could not extract signerInfos from CMS message[3]");
+ if (!d2i_X509_REQ_bio(bio, &self->pkcs10))
+ lose_openssl_error("Couldn't load DER encoded PKCS#10 request");
- if ((xa = CMS_signed_get_attr(si, i)) == NULL)
- lose("Could not extract signerInfos from CMS message[4]");
+ sk_X509_EXTENSION_pop_free(self->exts, X509_EXTENSION_free);
+ self->exts = X509_REQ_get_extensions(self->pkcs10);
- if (xa->single)
- lose("Could not extract signerInfos from CMS message[5]");
+ assert_no_unhandled_openssl_errors();
- if (sk_ASN1_TYPE_num(xa->value.set) != 1)
- lose("Could not extract signerInfos from CMS message[6]");
+ return (PyObject *) self;
- if ((so = sk_ASN1_TYPE_value(xa->value.set, 0)) == NULL)
- lose("Could not extract signerInfos from CMS message[7]");
+ error:
+ Py_XDECREF(self);
+ return NULL;
+}
- switch (so->type) {
- case V_ASN1_UTCTIME:
- result = ASN1_TIME_to_Python(so->value.utctime);
- break;
- case V_ASN1_GENERALIZEDTIME:
- result = ASN1_TIME_to_Python(so->value.generalizedtime);
- break;
- default:
- lose("Could not extract signerInfos from CMS message[8]");
- }
+static char pkcs10_object_pem_read__doc__[] =
+ "Read a PEM-encoded PKCS#10 object from a string.\n"
+ ;
- error:
+static PyObject *
+pkcs10_object_pem_read(PyTypeObject *type, PyObject *args)
+{
+ ENTERING(pkcs10_object_pem_read);
+ return read_from_string_helper(pkcs10_object_pem_read_helper, type, args);
+}
- assert_no_unhandled_openssl_errors();
+static char pkcs10_object_pem_read_file__doc__[] =
+ "Read a PEM-encoded PKCS#10 object from a file.\n"
+ ;
- return result;
+static PyObject *
+pkcs10_object_pem_read_file(PyTypeObject *type, PyObject *args)
+{
+ ENTERING(pkcs10_object_pem_read_file);
+ return read_from_file_helper(pkcs10_object_pem_read_helper, type, args);
}
-static char CMS_object_pprint__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>CMS</memberof>\n"
-" <name>pprint</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method returns a formatted string showing the information\n"
-" held in the certificate.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char pkcs10_object_der_read__doc__[] =
+ "Read a DER-encoded PKCS#10 object from a string.\n"
+ ;
static PyObject *
-CMS_object_pprint(cms_object *self, PyObject *args)
+pkcs10_object_der_read(PyTypeObject *type, PyObject *args)
+{
+ ENTERING(pkcs10_object_der_read);
+ return read_from_string_helper(pkcs10_object_der_read_helper, type, args);
+}
+
+static char pkcs10_object_der_read_file__doc__[] =
+ "Read a DER-encoded PKCS#10 object from a file.\n"
+ ;
+
+static PyObject *
+pkcs10_object_der_read_file(PyTypeObject *type, PyObject *args)
+{
+ ENTERING(pkcs10_object_der_read_file);
+ return read_from_file_helper(pkcs10_object_der_read_helper, type, args);
+}
+
+static char pkcs10_object_pem_write__doc__[] =
+ "Returns the PEM encoding of this PKCS#10 object.\n"
+ ;
+
+static PyObject *
+pkcs10_object_pem_write(pkcs10_object *self)
{
- int len = 0, ret = 0;
- char *buf = NULL;
- BIO *bio = NULL;
PyObject *result = NULL;
+ BIO *bio = NULL;
- if (!PyArg_ParseTuple(args, ""))
- goto error;
+ ENTERING(pkcs10_object_pem_write);
- bio = BIO_new(BIO_s_mem());
+ if ((bio = BIO_new(BIO_s_mem())) == NULL)
+ lose_no_memory();
- if (!CMS_ContentInfo_print_ctx(bio, self->cms, 0, NULL))
- lose("unable to pprint CMS");
+ if (!PEM_write_bio_X509_REQ(bio, self->pkcs10))
+ lose_openssl_error("Unable to write PKCS#10 request");
- if ((len = BIO_ctrl_pending(bio)) == 0)
- lose("unable to get bytes stored in bio");
+ result = BIO_to_PyString_helper(bio);
- if ((buf = malloc(len)) == NULL)
- lose("unable to allocate memory");
+ error: /* Fall through */
+ BIO_free(bio);
+ return result;
+}
- if ((ret = BIO_read(bio, buf, len)) != len)
- lose("unable to pprint CMS");
+static char pkcs10_object_der_write__doc__[] =
+ "Return the DER encoding of this PKCS#10 object.\n"
+ ;
- result = Py_BuildValue("s#", buf, len);
+static PyObject *
+pkcs10_object_der_write(pkcs10_object *self)
+{
+ PyObject *result = NULL;
+ BIO *bio = NULL;
- error: /* fall through */
+ ENTERING(pkcs10_object_der_write);
- assert_no_unhandled_openssl_errors();
+ if ((bio = BIO_new(BIO_s_mem())) == NULL)
+ lose_no_memory();
- if (bio)
- BIO_free(bio);
+ if (!i2d_X509_REQ_bio(bio, self->pkcs10))
+ lose_openssl_error("Unable to write PKCS#10 request");
- if (buf)
- free(buf);
+ result = BIO_to_PyString_helper(bio);
+ error: /* Fall through */
+ BIO_free(bio);
return result;
}
+static char pkcs10_object_get_public_key__doc__[] =
+ "Return the public key from this PKCS#10 request, as an Asymmetric\n"
+ "object.\n"
+ ;
static PyObject *
-cms_object_helper_get_cert(void *cert)
+pkcs10_object_get_public_key(pkcs10_object *self)
{
- x509_object *obj = PyObject_New(x509_object, &x509type);
+ PyTypeObject *type = &POW_Asymmetric_Type;
+ asymmetric_object *asym = NULL;
- if (obj)
- obj->x509 = cert;
+ ENTERING(pkcs10_object_get_public_key);
- return (PyObject *) obj;
+ if ((asym = (asymmetric_object *) type->tp_alloc(type, 0)) == NULL)
+ goto error;
+
+ if ((asym->pkey = X509_REQ_get_pubkey(self->pkcs10)) == NULL)
+ lose_openssl_error("Couldn't extract public key from PKCS#10 request");
+
+ return (PyObject *) asym;
+
+ error:
+ Py_XDECREF(asym);
+ return NULL;
}
-static char CMS_object_certs__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>CMS</memberof>\n"
-" <name>certs</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method returns any certs embedded in a CMS message.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char pkcs10_object_set_public_key__doc__[] =
+ "Set the public key for this PKCS#10 request.\n"
+ "\n"
+ "The \"key\" parameter should be an instance of the Asymmetric class,\n"
+ "containing a public key.\n"
+ ;
static PyObject *
-CMS_object_certs(cms_object *self, PyObject *args)
+pkcs10_object_set_public_key(pkcs10_object *self, PyObject *args)
{
- STACK_OF(X509) *certs = NULL;
- PyObject *result = NULL;
+ asymmetric_object *asym;
- if (!PyArg_ParseTuple(args, ""))
- goto error;
+ ENTERING(pkcs10_object_set_public_key);
- if ((certs = CMS_get1_certs(self->cms)) != NULL)
- result = stack_to_tuple_helper(CHECKED_PTR_OF(STACK_OF(X509), certs),
- cms_object_helper_get_cert);
- else if (!ERR_peek_error())
- result = Py_BuildValue("()");
- else
- lose_openssl_error("Could not extract certs from CMS message");
+ if (!PyArg_ParseTuple(args, "O!", &POW_Asymmetric_Type, &asym))
+ goto error;
- error: /* fall through */
+ if (!X509_REQ_set_pubkey(self->pkcs10, asym->pkey))
+ lose_openssl_error("Couldn't set certificate's PKCS#10 request");
- if (certs)
- sk_X509_pop_free(certs, X509_free);
+ Py_RETURN_NONE;
- return result;
+ error:
+ return NULL;
}
-static PyObject *
-cms_object_helper_get_crl(void *crl)
+static char pkcs10_object_sign__doc__[] =
+ "Sign a PKCS#10 request with a private key.\n"
+ "\n"
+ "The \"key\" parameter should be an instance of the Asymmetric class,\n"
+ "containing a private key.\n"
+ "\n"
+ "The optional \"digest\" parameter indicates which digest to compute and\n"
+ "sign, and should be one of the following:\n"
+ "\n"
+ "* MD5_DIGEST\n"
+ "* SHA_DIGEST\n"
+ "* SHA1_DIGEST\n"
+ "* SHA256_DIGEST\n"
+ "* SHA384_DIGEST\n"
+ "* SHA512_DIGEST\n"
+ "\n"
+ "The default digest algorithm is SHA-256.\n"
+ ;
+
+static PyObject *
+pkcs10_object_sign(pkcs10_object *self, PyObject *args)
{
- x509_crl_object *obj = PyObject_New(x509_crl_object, &x509_crltype);
+ asymmetric_object *asym;
+ int loc, digest_type = SHA256_DIGEST;
+ const EVP_MD *digest_method = NULL;
- if (obj)
- obj->crl = crl;
+ ENTERING(pkcs10_object_sign);
- return (PyObject *) obj;
+ if (!PyArg_ParseTuple(args, "O!|i", &POW_Asymmetric_Type, &asym, &digest_type))
+ goto error;
+
+ if ((digest_method = evp_digest_factory(digest_type)) == NULL)
+ lose("Unsupported digest algorithm");
+
+ while ((loc = X509_REQ_get_attr_by_NID(self->pkcs10, NID_ext_req, -1)) >= 0)
+ X509_ATTRIBUTE_free(X509_REQ_delete_attr(self->pkcs10, loc));
+
+ if (sk_X509_EXTENSION_num(self->exts) > 0 &&
+ !X509_REQ_add_extensions(self->pkcs10, self->exts))
+ lose_openssl_error("Couldn't add extensions block to PKCS#10 request");
+
+ if (!X509_REQ_sign(self->pkcs10, asym->pkey, digest_method))
+ lose_openssl_error("Couldn't sign PKCS#10 request");
+
+ Py_RETURN_NONE;
+
+ error:
+ return NULL;
}
-static char CMS_object_crls__doc__[] =
-"<method>\n"
-" <header>\n"
-" <memberof>CMS</memberof>\n"
-" <name>crls</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This method returns any CRLs embedded in a CMS message.\n"
-" </para>\n"
-" </body>\n"
-"</method>\n"
-;
+static char pkcs10_object_verify__doc__[] =
+ "Verify a PKCS#10 request.\n"
+ "\n"
+ "This calls OpenSSL's X509_REQ_verify() method to check the request's\n"
+ "self-signature.\n"
+ ;
static PyObject *
-CMS_object_crls(cms_object *self, PyObject *args)
+pkcs10_object_verify(pkcs10_object *self)
{
- STACK_OF(X509_CRL) *crls = NULL;
- PyObject *result = NULL;
+ EVP_PKEY *pkey = NULL;
+ int status;
- if (!PyArg_ParseTuple(args, ""))
- goto error;
+ ENTERING(pkcs10_object_verify);
- if ((crls = CMS_get1_crls(self->cms)) != NULL)
- result = stack_to_tuple_helper(CHECKED_PTR_OF(STACK_OF(X509_CRL), crls),
- cms_object_helper_get_crl);
- else if (!ERR_peek_error())
- result = Py_BuildValue("()");
- else
- lose_openssl_error("Could not extract CRLs from CMS message");
+ if ((pkey = X509_REQ_get_pubkey(self->pkcs10)) == NULL)
+ lose_openssl_error("Couldn't extract public key from PKCS#10 for verification");
- error: /* fall through */
+ if ((status = X509_REQ_verify(self->pkcs10, pkey)) < 0)
+ lose_openssl_error("Couldn't verify PKCS#10 signature");
- if (crls)
- sk_X509_CRL_pop_free(crls, X509_CRL_free);
+ EVP_PKEY_free(pkey);
+ return PyBool_FromLong(status);
- return result;
+ error:
+ EVP_PKEY_free(pkey);
+ return NULL;
}
-static struct PyMethodDef CMS_object_methods[] = {
- {"pemWrite", (PyCFunction)CMS_object_pem_write, METH_VARARGS, NULL},
- {"derWrite", (PyCFunction)CMS_object_der_write, METH_VARARGS, NULL},
- {"sign", (PyCFunction)CMS_object_sign, METH_VARARGS, NULL},
- {"verify", (PyCFunction)CMS_object_verify, METH_VARARGS, NULL},
- {"eContentType", (PyCFunction)CMS_object_eContentType, METH_VARARGS, NULL},
- {"signingTime", (PyCFunction)CMS_object_signingTime, METH_VARARGS, NULL},
- {"pprint", (PyCFunction)CMS_object_pprint, METH_VARARGS, NULL},
- {"certs", (PyCFunction)CMS_object_certs, METH_VARARGS, NULL},
- {"crls", (PyCFunction)CMS_object_crls, METH_VARARGS, NULL},
-
- {NULL} /* sentinel */
-};
+static char pkcs10_object_get_version__doc__[] =
+ "Return the version number of this PKCS#10 request.\n"
+ ;
static PyObject *
-CMS_object_getattr(cms_object *self, char *name)
+pkcs10_object_get_version(pkcs10_object *self)
{
- return Py_FindMethod(CMS_object_methods, (PyObject *)self, name);
+ ENTERING(pkcs10_object_get_version);
+ return Py_BuildValue("l", X509_REQ_get_version(self->pkcs10));
}
-static void
-CMS_object_dealloc(cms_object *self, char *name)
-{
- CMS_ContentInfo_free(self->cms);
- PyObject_Del(self);
-}
-
-static char cmstype__doc__[] =
-"<class>\n"
-" <header>\n"
-" <name>CMS</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This class provides basic access OpenSSL's CMS functionality.\n"
-" </para>\n"
-" </body>\n"
-"</class>\n"
-;
-
-static PyTypeObject cmstype = {
- PyObject_HEAD_INIT(0)
- 0, /*ob_size*/
- "CMS", /*tp_name*/
- sizeof(cms_object), /*tp_basicsize*/
- 0, /*tp_itemsize*/
- (destructor)CMS_object_dealloc, /*tp_dealloc*/
- (printfunc)0, /*tp_print*/
- (getattrfunc)CMS_object_getattr, /*tp_getattr*/
- (setattrfunc)0, /*tp_setattr*/
- (cmpfunc)0, /*tp_compare*/
- (reprfunc)0, /*tp_repr*/
- 0, /*tp_as_number*/
- 0, /*tp_as_sequence*/
- 0, /*tp_as_mapping*/
- (hashfunc)0, /*tp_hash*/
- (ternaryfunc)0, /*tp_call*/
- (reprfunc)0, /*tp_str*/
- 0,
- 0,
- 0,
- 0,
- cmstype__doc__ /* Documentation string */
-};
-/*========== CMS Code ==========*/
-
-/*========== module functions ==========*/
-static char pow_module_new_ssl__doc__[] =
-"<constructor>\n"
-" <header>\n"
-" <memberof>Ssl</memberof>\n"
-" <parameter>protocol = SSLV23METHOD</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This constructor creates a new <classname>Ssl</classname> object which will behave as a client\n"
-" or server, depending on the <parameter>protocol</parameter> value passed. The\n"
-" <parameter>protocol</parameter> also determines the protocol type\n"
-" and version and should be one of the following:\n"
-" </para>\n"
-"\n"
-" <simplelist>\n"
-" <member><constant>SSLV2_SERVER_METHOD</constant></member>\n"
-" <member><constant>SSLV2_CLIENT_METHOD</constant></member>\n"
-" <member><constant>SSLV2_METHOD</constant></member>\n"
-" <member><constant>SSLV3_SERVER_METHOD</constant></member>\n"
-" <member><constant>SSLV3_CLIENT_METHOD</constant></member>\n"
-" <member><constant>SSLV3_METHOD</constant></member>\n"
-" <member><constant>TLSV1_SERVER_METHOD</constant></member>\n"
-" <member><constant>TLSV1_CLIENT_METHOD</constant></member>\n"
-" <member><constant>TLSV1_METHOD</constant></member>\n"
-" <member><constant>SSLV23_SERVER_METHOD</constant></member>\n"
-" <member><constant>SSLV23_CLIENT_METHOD</constant></member>\n"
-" <member><constant>SSLV23_METHOD</constant></member>\n"
-" </simplelist>\n"
-" </body>\n"
-"</constructor>\n"
+static char pkcs10_object_set_version__doc__[] =
+ "Set the version number of this PKCS#10 request.\n"
+ "\n"
+ "The \"version\" parameter should be an integer, but the only defined\n"
+ "value is zero, so this field is optional and defaults to zero.\n"
;
static PyObject *
-pow_module_new_ssl (PyObject *self, PyObject *args)
+pkcs10_object_set_version(pkcs10_object *self, PyObject *args)
{
- ssl_object *ssl = NULL;
- int ctxtype = SSLV23_METHOD;
+ long version = 0;
- if (!PyArg_ParseTuple(args, "|i", &ctxtype))
- goto error;
+ ENTERING(pkcs10_object_set_version);
- if ((ssl = newssl_object(ctxtype)) == NULL)
+ if (!PyArg_ParseTuple(args, "|l", &version))
goto error;
- return (PyObject*) ssl;
+ if (version != 0)
+ lose("RFC 6487 6.1.1 forbids non-zero values for this field");
+
+ if (!X509_REQ_set_version(self->pkcs10, version))
+ lose("Couldn't set certificate version");
+
+ Py_RETURN_NONE;
error:
return NULL;
}
-static char pow_module_new_x509__doc__[] =
-"<constructor>\n"
-" <header>\n"
-" <memberof>X509</memberof>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This constructor creates a skeletal X509 certificate object.\n"
-" It won't be any use at all until several structures\n"
-" have been created using it's member functions.\n"
-" </para>\n"
-" </body>\n"
-"</constructor>\n"
-;
+static char pkcs10_object_get_subject__doc__[] =
+ "Return this PKCS #10 request's subject name.\n"
+ "\n"
+ "See the X509.getIssuer() method for details of the return value and\n"
+ "use of the optional \"format\" parameter.\n"
+ ;
static PyObject *
-pow_module_new_x509 (PyObject *self, PyObject *args)
+pkcs10_object_get_subject(pkcs10_object *self, PyObject *args)
{
- x509_object *x509 = NULL;
-
- if (!PyArg_ParseTuple(args, ""))
- goto error;
+ PyObject *result = NULL;
+ int format = OIDNAME_FORMAT;
- if ((x509 = X509_object_new()) == NULL)
- lose("could not create new x509 object");
+ ENTERING(pkcs10_object_get_subject);
- return (PyObject*)x509;
+ if (!PyArg_ParseTuple(args, "|i", &format))
+ goto error;
- error:
+ result = x509_object_helper_get_name(X509_REQ_get_subject_name(self->pkcs10),
+ format);
- return NULL;
+ error: /* Fall through */
+ return result;
}
-static char pow_module_new_asymmetric__doc__[] =
-"<constructor>\n"
-" <header>\n"
-" <memberof>Asymmetric</memberof>\n"
-" <parameter>ciphertype = RSA_CIPHER</parameter>\n"
-" <parameter>keylength = 1024</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This constructor builds a new cipher object. Only RSA ciphers\n"
-" are currently support, so the first argument should always be\n"
-" <constant>RSA_CIPHER</constant>. The second argument,\n"
-" <parameter>keylength</parameter>,\n"
-" is normally 512, 768, 1024 or 2048. Key lengths as short as 512\n"
-" bits are generally considered weak, and can be cracked by\n"
-" determined attackers without tremendous expense.\n"
-" </para>\n"
-" <example>\n"
-" <title><classname>asymmetric</classname> class usage</title>\n"
-" <programlisting>\n"
-" privateFile = open('test/private.key', 'w')\n"
-" publicFile = open('test/public.key', 'w')\n"
-"\n"
-" passphrase = 'my silly passphrase'\n"
-" md5 = POW.Digest(POW.MD5_DIGEST)\n"
-" md5.update(passphrase)\n"
-" password = md5.digest()\n"
-"\n"
-" rsa = POW.Asymmetric(POW.RSA_CIPHER, 1024)\n"
-" privateFile.write(rsa.pemWrite(\n"
-" POW.RSA_PRIVATE_KEY, POW.DES_EDE3_CFB, password))\n"
-" publicFile.write(rsa.pemWrite(POW.RSA_PUBLIC_KEY))\n"
-"\n"
-" privateFile.close()\n"
-" publicFile.close()\n"
-" </programlisting>\n"
-" </example>\n"
-" </body>\n"
-"</constructor>\n"
-;
+static char pkcs10_object_set_subject__doc__[] =
+ "Set this PKCS#10 request's subject name.\n"
+ "\n"
+ "The \"name\" parameter should be in the same format as the return\n"
+ "value from the \"getSubject\" method.\n"
+ ;
static PyObject *
-pow_module_new_asymmetric (PyObject *self, PyObject *args)
+pkcs10_object_set_subject(pkcs10_object *self, PyObject *args)
{
- int cipher_type = RSA_CIPHER, key_size = 1024;
+ PyObject *name_sequence = NULL;
+ X509_NAME *name = NULL;
+
+ ENTERING(pkcs10_object_set_subject);
- if (!PyArg_ParseTuple(args, "|ii", &cipher_type, &key_size))
+ if (!PyArg_ParseTuple(args, "O", &name_sequence))
goto error;
- return (PyObject*) asymmetric_object_new(cipher_type, key_size);
+ if (!PySequence_Check(name_sequence))
+ lose_type_error("Inapropriate type");
- error:
+ if ((name = x509_object_helper_set_name(name_sequence)) == NULL)
+ goto error;
+
+ if (!X509_REQ_set_subject_name(self->pkcs10, name))
+ lose("Unable to set subject name");
+ X509_NAME_free(name);
+
+ Py_RETURN_NONE;
+
+ error:
+ X509_NAME_free(name);
return NULL;
}
-static char pow_module_new_digest__doc__[] =
-"<constructor>\n"
-" <header>\n"
-" <memberof>Digest</memberof>\n"
-" <parameter>type</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This constructor creates a new <classname>Digest</classname>\n"
-" object. The parameter <parameter>type</parameter> specifies what kind\n"
-" of digest to create and should be one of the following:\n"
-" </para>\n"
-" <simplelist>\n"
-#ifndef OPENSSL_NO_MD2
-" <member><constant>MD2_DIGEST</constant></member>\n"
-#endif
-" <member><constant>MD5_DIGEST</constant></member>\n"
-" <member><constant>SHA_DIGEST</constant></member>\n"
-" <member><constant>SHA1_DIGEST</constant></member>\n"
-" <member><constant>RIPEMD160_DIGEST</constant></member>\n"
-" <member><constant>SHA256_DIGEST</constant></member>\n"
-" <member><constant>SHA384_DIGEST</constant></member>\n"
-" <member><constant>SHA512_DIGEST</constant></member>\n"
-" </simplelist>\n"
-" </body>\n"
-"</constructor>\n"
-;
+static char pkcs10_object_get_key_usage__doc__[] =
+ "Return a FrozenSet of strings representing the KeyUsage settings for\n"
+ "this PKCS#10 request, or None if the request has no KeyUsage\n"
+ "extension. The bits have the same names as in RFC 5280.\n"
+ ;
static PyObject *
-pow_module_new_digest (PyObject *self, PyObject *args)
+pkcs10_object_get_key_usage(pkcs10_object *self)
{
- int digest_type = 0;
+ extern X509V3_EXT_METHOD v3_key_usage;
+ BIT_STRING_BITNAME *bit_name;
+ ASN1_BIT_STRING *ext = NULL;
+ PyObject *result = NULL;
+ PyObject *token = NULL;
+
+ ENTERING(pkcs10_object_get_key_usage);
- if (!PyArg_ParseTuple(args, "i", &digest_type))
+ if ((ext = X509V3_get_d2i(self->exts, NID_key_usage, NULL, NULL)) == NULL)
+ Py_RETURN_NONE;
+
+ if ((result = PyFrozenSet_New(NULL)) == NULL)
goto error;
- return (PyObject*) digest_object_new(digest_type);
+ for (bit_name = v3_key_usage.usr_data; bit_name->sname != NULL; bit_name++) {
+ if (ASN1_BIT_STRING_get_bit(ext, bit_name->bitnum) &&
+ ((token = PyString_FromString(bit_name->sname)) == NULL ||
+ PySet_Add(result, token) < 0))
+ goto error;
+ Py_XDECREF(token);
+ token = NULL;
+ }
- error:
+ ASN1_BIT_STRING_free(ext);
+ return result;
+ error:
+ ASN1_BIT_STRING_free(ext);
+ Py_XDECREF(token);
+ Py_XDECREF(result);
return NULL;
}
-static char pow_module_new_hmac__doc__[] =
-"<constructor>\n"
-" <header>\n"
-" <memberof>Hmac</memberof>\n"
-" <parameter>type</parameter>\n"
-" <parameter>key</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This constructor creates a new <classname>Hmac</classname>\n"
-" object. The parameter <parameter>key</parameter> should be a\n"
-" string and <parameter>type</parameter> should be one of the following:\n"
-" </para>\n"
-" <simplelist>\n"
-#ifndef OPENSSL_NO_MD2
-" <member><constant>MD2_DIGEST</constant></member>\n"
-#endif
-" <member><constant>MD5_DIGEST</constant></member>\n"
-" <member><constant>SHA_DIGEST</constant></member>\n"
-" <member><constant>SHA1_DIGEST</constant></member>\n"
-" <member><constant>RIPEMD160_DIGEST</constant></member>\n"
-" <member><constant>SHA256_DIGEST</constant></member>\n"
-" <member><constant>SHA384_DIGEST</constant></member>\n"
-" <member><constant>SHA512_DIGEST</constant></member>\n"
-" </simplelist>\n"
-" </body>\n"
-"</constructor>\n"
-;
+static char pkcs10_object_set_key_usage__doc__[] =
+ "Set the KeyUsage extension for this PKCS#10 request.\n"
+ "\n"
+ "Argument \"iterable\" should be an iterable object which returns zero or more\n"
+ "strings naming bits to be enabled. The bits have the same names as in RFC 5280.\n"
+ "\n"
+ "Optional argument \"critical\" is a boolean indicating whether the extension\n"
+ "should be marked as critical or not. RFC 5280 4.2.1.3 says this extension SHOULD\n"
+ "be marked as critical when used, so the default is True.\n"
+ ;
static PyObject *
-pow_module_new_hmac (PyObject *self, PyObject *args)
+pkcs10_object_set_key_usage(pkcs10_object *self, PyObject *args)
{
- int digest_type = 0, key_len = 0;
- char *key = NULL;
+ extern X509V3_EXT_METHOD v3_key_usage;
+ BIT_STRING_BITNAME *bit_name;
+ ASN1_BIT_STRING *ext = NULL;
+ PyObject *iterable = NULL;
+ PyObject *critical = Py_True;
+ PyObject *iterator = NULL;
+ PyObject *token = NULL;
+ const char *t;
+ int ok = 0;
+
+ ENTERING(pkcs10_object_set_key_usage);
- if (!PyArg_ParseTuple(args, "is#", &digest_type, &key, &key_len))
+ if ((ext = ASN1_BIT_STRING_new()) == NULL)
+ lose_no_memory();
+
+ if (!PyArg_ParseTuple(args, "O|O", &iterable, &critical) ||
+ (iterator = PyObject_GetIter(iterable)) == NULL)
goto error;
- return (PyObject*) hmac_object_new(digest_type, key, key_len);
+ while ((token = PyIter_Next(iterator)) != NULL) {
- error:
+ if ((t = PyString_AsString(token)) == NULL)
+ goto error;
- return NULL;
+ for (bit_name = v3_key_usage.usr_data; bit_name->sname != NULL; bit_name++)
+ if (!strcmp(t, bit_name->sname))
+ break;
+
+ if (bit_name->sname == NULL)
+ lose("Unrecognized KeyUsage token");
+
+ if (!ASN1_BIT_STRING_set_bit(ext, bit_name->bitnum, 1))
+ lose_no_memory();
+
+ Py_XDECREF(token);
+ token = NULL;
+ }
+
+ if (!X509V3_add1_i2d(&self->exts, NID_key_usage, ext,
+ PyObject_IsTrue(critical),
+ X509V3_ADD_REPLACE))
+ lose_openssl_error("Couldn't add KeyUsage extension to certificate");
+
+ ok = 1;
+
+ error: /* Fall through */
+ ASN1_BIT_STRING_free(ext);
+ Py_XDECREF(iterator);
+ Py_XDECREF(token);
+
+ if (ok)
+ Py_RETURN_NONE;
+ else
+ return NULL;
}
-static char pow_module_new_cms__doc__[] =
-"<constructor>\n"
-" <header>\n"
-" <memberof>CMS</memberof>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This constructor creates a skeletal CMS object.\n"
-" </para>\n"
-" </body>\n"
-"</constructor>\n"
-;
+static char pkcs10_object_get_basic_constraints__doc__[] =
+ "Return BasicConstraints value for this PKCS#10 request.\n"
+ "\n"
+ "If this request has no BasicConstraints extension, this method returns\n"
+ "None.\n"
+ "\n"
+ "Otherwise, this method returns a two-element tuple. The first element\n"
+ "of the tuple is a boolean representing the extension's cA value; the\n"
+ "second element of the tuple is either an integer representing\n"
+ "thepathLenConstraint value or None if there is no pathLenConstraint.\n"
+ ;
static PyObject *
-pow_module_new_cms (PyObject *self, PyObject *args)
+pkcs10_object_get_basic_constraints(pkcs10_object *self)
{
- cms_object *cms = NULL;
+ BASIC_CONSTRAINTS *ext = NULL;
+ PyObject *result;
- if (!PyArg_ParseTuple(args, ""))
- goto error;
-
- if ((cms = CMS_object_new()) == NULL)
- lose("could not create new CMS object");
+ ENTERING(pkcs10_object_get_basic_constraints);
- return (PyObject*)cms;
+ if ((ext = X509V3_get_d2i(self->exts, NID_basic_constraints, NULL, NULL)) == NULL)
+ Py_RETURN_NONE;
- error:
+ if (ext->pathlen == NULL)
+ result = Py_BuildValue("(NO)", PyBool_FromLong(ext->ca), Py_None);
+ else
+ result = Py_BuildValue("(Nl)", PyBool_FromLong(ext->ca), ASN1_INTEGER_get(ext->pathlen));
- return NULL;
+ BASIC_CONSTRAINTS_free(ext);
+ return result;
}
-static char pow_module_pem_read__doc__[] =
-"<modulefunction>\n"
-" <header>\n"
-" <name>pemRead</name>\n"
-" <parameter>type</parameter>\n"
-" <parameter>string</parameter>\n"
-" <parameter>pass = None</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This function attempts to parse the <parameter>string</parameter> according to the PEM\n"
-" type passed. <parameter>type</parameter> should be one of the\n"
-" following:\n"
-" </para>\n"
-" <simplelist>\n"
-" <member><constant>RSA_PUBLIC_KEY</constant></member>\n"
-" <member><constant>RSA_PRIVATE_KEY</constant></member>\n"
-" <member><constant>X509_CERTIFICATE</constant></member>\n"
-" <member><constant>X509_CRL</constant></member>\n"
-" <member><constant>CMS_MESSAGE</constant></member>\n"
-" </simplelist>\n"
-" <para>\n"
-" <parameter>pass</parameter> should only be provided if an encrypted\n"
-" <classname>Asymmetric</classname> is being loaded. If the password\n"
-" is incorrect an exception will be raised, if no password is provided\n"
-" and the PEM file is encrypted the user will be prompted. If this is\n"
-" not desirable, always supply a password. The object returned will be\n"
-" and instance of <classname>Asymmetric</classname>,\n"
-" <classname>X509</classname>, <classname>X509Crl</classname>,\n"
-" or <classname>CMS</classname>.\n"
-" </para>\n"
-" </body>\n"
-"</modulefunction>\n"
-;
+static char pkcs10_object_set_basic_constraints__doc__[] =
+ "Set BasicConstraints value for this PKCS#10 request.\n"
+ "\n"
+ "First argument \"ca\" is a boolean indicating whether the request\n"
+ "is for a CA certificate or not.\n"
+ "\n"
+ "Optional second argument \"pathLenConstraint\" is None or a\n"
+ "non-negative integer specifying the pathLenConstraint value for this\n"
+ "certificate. Per RFC 5280, this value may only be set to an integer\n"
+ "value for CA certificates."
+ "\n"
+ "Optional third argument \"critical\" specifies whether the extension\n"
+ "should be marked as critical. RFC 5280 4.2.1.9 requires that CA\n"
+ "certificates mark this extension as critical, so the default is True.\n"
+ ;
static PyObject *
-pow_module_pem_read (PyObject *self, PyObject *args)
+pkcs10_object_set_basic_constraints(pkcs10_object *self, PyObject *args)
{
- BIO *in = NULL;
- PyObject *obj = NULL;
- int object_type = 0, len = 0;
- char *pass = NULL, *src = NULL;
+ BASIC_CONSTRAINTS *ext = NULL;
+ PyObject *is_ca = NULL;
+ PyObject *pathlen_obj = Py_None;
+ PyObject *critical = Py_True;
+ long pathlen = -1;
+ int ok = 0;
+
+ ENTERING(pkcs10_object_set_basic_constraints);
- if (!PyArg_ParseTuple(args, "is#|s", &object_type, &src, &len, &pass))
+ if (!PyArg_ParseTuple(args, "O|OO", &is_ca, &pathlen_obj, &critical))
goto error;
- if ((in = BIO_new_mem_buf(src, len)) == NULL)
- lose("unable to create new BIO");
+ if (pathlen_obj != Py_None && (pathlen = PyInt_AsLong(pathlen_obj)) < 0)
+ lose_type_error("Bad pathLenConstraint value");
- switch(object_type) {
- case RSA_PRIVATE_KEY:
- obj = (PyObject*)asymmetric_object_pem_read(object_type, in, pass);
- break;
- case RSA_PUBLIC_KEY:
- obj = (PyObject*)asymmetric_object_pem_read(object_type, in, pass);
- break;
- case X509_CERTIFICATE:
- obj = (PyObject*)X509_object_pem_read(in);
- break;
- case X_X509_CRL:
- obj = (PyObject*)x509_crl_object_pem_read(in);
- break;
- case CMS_MESSAGE:
- obj = (PyObject*)CMS_object_pem_read(in);
- break;
- default:
- lose("unknown pem encoding");
- }
+ if ((ext = BASIC_CONSTRAINTS_new()) == NULL)
+ lose_no_memory();
+
+ ext->ca = PyObject_IsTrue(is_ca) ? 0xFF : 0;
+
+ if (pathlen_obj != Py_None &&
+ ((ext->pathlen == NULL && (ext->pathlen = ASN1_INTEGER_new()) == NULL) ||
+ !ASN1_INTEGER_set(ext->pathlen, pathlen)))
+ lose_no_memory();
- BIO_free(in);
+ if (!X509V3_add1_i2d(&self->exts, NID_basic_constraints, ext,
+ PyObject_IsTrue(critical), X509V3_ADD_REPLACE))
+ lose_openssl_error("Couldn't add BasicConstraints extension to certificate");
- if (obj)
- return obj;
+ ok = 1;
error:
+ BASIC_CONSTRAINTS_free(ext);
- return NULL;
+ if (ok)
+ Py_RETURN_NONE;
+ else
+ return NULL;
}
-
-static char pow_module_der_read__doc__[] =
-"<modulefunction>\n"
-" <header>\n"
-" <name>derRead</name>\n"
-" <parameter>type</parameter>\n"
-" <parameter>string</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This function attempts to parse the <parameter>string</parameter> according to the PEM\n"
-" type passed. <parameter>type</parameter> should be one of the\n"
-" following:\n"
-" </para>\n"
-" <simplelist>\n"
-" <member><constant>RSA_PUBLIC_KEY</constant></member>\n"
-" <member><constant>RSA_PRIVATE_KEY</constant></member>\n"
-" <member><constant>X509_CERTIFICATE</constant></member>\n"
-" <member><constant>X509_CRL</constant></member>\n"
-" <member><constant>CMS_MESSAGE</constant></member>\n"
-" </simplelist>\n"
-" <para>\n"
-" As with the PEM operations, the object returned will be and instance\n"
-" of <classname>Asymmetric</classname>, <classname>X509</classname>,\n"
-" <classname>X509Crl</classname>, or <classname>CMS</classname>.\n"
-" </para>\n"
-" </body>\n"
-"</modulefunction>\n"
-;
+static char pkcs10_object_get_sia__doc__[] =
+ "Return the SIA values for this PKCS#10 request.\n"
+ "\n"
+ "If this request has no SIA extension, this method returns None.\n"
+ "\n"
+ "Otherwise, this returns a tuple containing three sequences:\n"
+ "caRepository URIs, rpkiManifest URIs, and signedObject URIs.\n"
+ "Any other accessMethods are ignored, as are any non-URI\n"
+ "accessLocations.\n"
+ ;
static PyObject *
-pow_module_der_read (PyObject *self, PyObject *args)
+pkcs10_object_get_sia(pkcs10_object *self)
{
- PyObject *obj = NULL;
- int object_type = 0, len = 0;
- unsigned char *src = NULL;
+ AUTHORITY_INFO_ACCESS *ext = NULL;
+ PyObject *result = NULL;
+ PyObject *result_caRepository = NULL;
+ PyObject *result_rpkiManifest = NULL;
+ PyObject *result_signedObject = NULL;
+ int n_caRepository = 0;
+ int n_rpkiManifest = 0;
+ int n_signedObject = 0;
+ const char *uri;
+ PyObject *obj;
+ int i, nid;
+
+ ENTERING(pkcs10_object_get_sia);
+
+ if ((ext = X509V3_get_d2i(self->exts, NID_sinfo_access, NULL, NULL)) == NULL)
+ Py_RETURN_NONE;
+
+ /*
+ * Easiest to do this in two passes, first pass just counts URIs.
+ */
- if (!PyArg_ParseTuple(args, "is#", &object_type, &src, &len))
+ for (i = 0; i < sk_ACCESS_DESCRIPTION_num(ext); i++) {
+ ACCESS_DESCRIPTION *a = sk_ACCESS_DESCRIPTION_value(ext, i);
+ if (a->location->type != GEN_URI)
+ continue;
+ nid = OBJ_obj2nid(a->method);
+ if (nid == NID_caRepository) {
+ n_caRepository++;
+ continue;
+ }
+ if (nid == NID_rpkiManifest) {
+ n_rpkiManifest++;
+ continue;
+ }
+ if (nid == NID_signedObject) {
+ n_signedObject++;
+ continue;
+ }
+ }
+
+ if (((result_caRepository = PyTuple_New(n_caRepository)) == NULL) ||
+ ((result_rpkiManifest = PyTuple_New(n_rpkiManifest)) == NULL) ||
+ ((result_signedObject = PyTuple_New(n_signedObject)) == NULL))
goto error;
- switch(object_type) {
- case RSA_PRIVATE_KEY:
- obj = (PyObject*) asymmetric_object_der_read(object_type, src, len);
- break;
- case RSA_PUBLIC_KEY:
- obj = (PyObject*) asymmetric_object_der_read(object_type, src, len);
- break;
- case X509_CERTIFICATE:
- obj = (PyObject*)X509_object_der_read(src, len);
- break;
- case X_X509_CRL:
- obj = (PyObject*)x509_crl_object_der_read(src, len);
- break;
- case CMS_MESSAGE:
- obj = (PyObject*)CMS_object_der_read((char *) src, len);
- break;
- default:
- lose("unknown der encoding");
+ n_caRepository = n_rpkiManifest = n_signedObject = 0;
+
+ for (i = 0; i < sk_ACCESS_DESCRIPTION_num(ext); i++) {
+ ACCESS_DESCRIPTION *a = sk_ACCESS_DESCRIPTION_value(ext, i);
+ if (a->location->type != GEN_URI)
+ continue;
+ nid = OBJ_obj2nid(a->method);
+ uri = (char *) ASN1_STRING_data(a->location->d.uniformResourceIdentifier);
+ if (nid == NID_caRepository) {
+ if ((obj = PyString_FromString(uri)) == NULL)
+ goto error;
+ PyTuple_SET_ITEM(result_caRepository, n_caRepository++, obj);
+ continue;
+ }
+ if (nid == NID_rpkiManifest) {
+ if ((obj = PyString_FromString(uri)) == NULL)
+ goto error;
+ PyTuple_SET_ITEM(result_rpkiManifest, n_rpkiManifest++, obj);
+ continue;
+ }
+ if (nid == NID_signedObject) {
+ if ((obj = PyString_FromString(uri)) == NULL)
+ goto error;
+ PyTuple_SET_ITEM(result_signedObject, n_signedObject++, obj);
+ continue;
+ }
}
- if (obj)
- return obj;
+ result = Py_BuildValue("(OOO)",
+ result_caRepository,
+ result_rpkiManifest,
+ result_signedObject);
error:
-
- return NULL;
+ AUTHORITY_INFO_ACCESS_free(ext);
+ Py_XDECREF(result_caRepository);
+ Py_XDECREF(result_rpkiManifest);
+ Py_XDECREF(result_signedObject);
+ return result;
}
-static char pow_module_new_x509_store__doc__[] =
-"<constructor>\n"
-" <header>\n"
-" <memberof>X509Store</memberof>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This constructor takes no arguments. The\n"
-" <classname>X509Store</classname> returned cannot be used for\n"
-" verifying certificates until at least one trusted certificate has been\n"
-" added.\n"
-" </para>\n"
-" </body>\n"
-"</constructor>\n"
-;
+static char pkcs10_object_set_sia__doc__[] =
+ "Set SIA values for this PKCS#10 request.\n"
+ "\n"
+ "Takes three arguments: caRepository, rpkiManifest, and signedObject.\n"
+ "\n"
+ "Each of these should be an iterable which returns URIs.\n"
+ "\n"
+ "None is acceptable as an alternate way of specifying an empty\n"
+ "sequence of URIs for a particular argument.\n"
+ ;
static PyObject *
-pow_module_new_x509_store (PyObject *self, PyObject *args)
+pkcs10_object_set_sia(pkcs10_object *self, PyObject *args)
{
- if (!PyArg_ParseTuple(args, ""))
+ AUTHORITY_INFO_ACCESS *ext = NULL;
+ PyObject *caRepository = NULL;
+ PyObject *rpkiManifest = NULL;
+ PyObject *signedObject = NULL;
+ PyObject *iterator = NULL;
+ ASN1_OBJECT *oid = NULL;
+ PyObject **pobj = NULL;
+ PyObject *item = NULL;
+ ACCESS_DESCRIPTION *a = NULL;
+ int i, nid = NID_undef, ok = 0;
+ Py_ssize_t urilen;
+ char *uri;
+
+ ENTERING(pkcs10_object_set_sia);
+
+ if (!PyArg_ParseTuple(args, "OOO", &caRepository, &rpkiManifest, &signedObject))
goto error;
- return (PyObject *) x509_store_object_new();
+ if ((ext = AUTHORITY_INFO_ACCESS_new()) == NULL)
+ lose_no_memory();
+
+ /*
+ * This is going to want refactoring, because it's ugly, because we
+ * want to reuse code for AIA, and because it'd be nice to support a
+ * single URI as an abbreviation for a sequence containing one URI.
+ */
+
+ for (i = 0; i < 3; i++) {
+ switch (i) {
+ case 0: pobj = &caRepository; nid = NID_caRepository; break;
+ case 1: pobj = &rpkiManifest; nid = NID_rpkiManifest; break;
+ case 2: pobj = &signedObject; nid = NID_signedObject; break;
+ }
+
+ if (*pobj == Py_None)
+ continue;
+
+ if ((oid = OBJ_nid2obj(nid)) == NULL)
+ lose_openssl_error("Couldn't find SIA accessMethod OID");
+
+ if ((iterator = PyObject_GetIter(*pobj)) == NULL)
+ goto error;
+
+ while ((item = PyIter_Next(iterator)) != NULL) {
+
+ if (PyString_AsStringAndSize(item, &uri, &urilen) < 0)
+ goto error;
+
+ if ((a = ACCESS_DESCRIPTION_new()) == NULL ||
+ (a->method = OBJ_dup(oid)) == NULL ||
+ (a->location->d.uniformResourceIdentifier = ASN1_IA5STRING_new()) == NULL ||
+ !ASN1_OCTET_STRING_set(a->location->d.uniformResourceIdentifier, (unsigned char *) uri, urilen))
+ lose_no_memory();
+
+ a->location->type = GEN_URI;
+
+ if (!sk_ACCESS_DESCRIPTION_push(ext, a))
+ lose_no_memory();
+
+ a = NULL;
+ Py_XDECREF(item);
+ item = NULL;
+ }
+
+ Py_XDECREF(iterator);
+ iterator = NULL;
+ }
+
+ if (!X509V3_add1_i2d(&self->exts, NID_sinfo_access, ext, 0, X509V3_ADD_REPLACE))
+ lose_openssl_error("Couldn't add SIA extension to certificate");
+
+ ok = 1;
error:
+ AUTHORITY_INFO_ACCESS_free(ext);
+ ACCESS_DESCRIPTION_free(a);
+ Py_XDECREF(item);
+ Py_XDECREF(iterator);
- return NULL;
+ if (ok)
+ Py_RETURN_NONE;
+ else
+ return NULL;
}
-static char pow_module_new_symmetric__doc__[] =
-"<constructor>\n"
-" <header>\n"
-" <memberof>Symmetric</memberof>\n"
-" <parameter>type</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This constructor creates a new <classname>Symmetric</classname>\n"
-" object. The parameter <parameter>type</parameter> specifies which kind\n"
-" of cipher to create. <constant>type</constant> should be one of the following:\n"
-" </para>\n"
-" <simplelist columns = \"2\">\n"
-" <member><constant>DES_ECB</constant></member>\n"
-" <member><constant>DES_EDE</constant></member>\n"
-" <member><constant>DES_EDE3</constant></member>\n"
-" <member><constant>DES_CFB</constant></member>\n"
-" <member><constant>DES_EDE_CFB</constant></member>\n"
-" <member><constant>DES_EDE3_CFB</constant></member>\n"
-" <member><constant>DES_OFB</constant></member>\n"
-" <member><constant>DES_EDE_OFB</constant></member>\n"
-" <member><constant>DES_EDE3_OFB</constant></member>\n"
-" <member><constant>DES_CBC</constant></member>\n"
-" <member><constant>DES_EDE_CBC</constant></member>\n"
-" <member><constant>DES_EDE3_CBC</constant></member>\n"
-" <member><constant>DESX_CBC</constant></member>\n"
-" <member><constant>RC4</constant></member>\n"
-" <member><constant>RC4_40</constant></member>\n"
-" <member><constant>IDEA_ECB</constant></member>\n"
-" <member><constant>IDEA_CFB</constant></member>\n"
-" <member><constant>IDEA_OFB</constant></member>\n"
-" <member><constant>IDEA_CBC</constant></member>\n"
-" <member><constant>RC2_ECB</constant></member>\n"
-" <member><constant>RC2_CBC</constant></member>\n"
-" <member><constant>RC2_40_CBC</constant></member>\n"
-" <member><constant>RC2_CFB</constant></member>\n"
-" <member><constant>RC2_OFB</constant></member>\n"
-" <member><constant>BF_ECB</constant></member>\n"
-" <member><constant>BF_CBC</constant></member>\n"
-" <member><constant>BF_CFB</constant></member>\n"
-" <member><constant>BF_OFB</constant></member>\n"
-" <member><constant>CAST5_ECB</constant></member>\n"
-" <member><constant>CAST5_CBC</constant></member>\n"
-" <member><constant>CAST5_CFB</constant></member>\n"
-" <member><constant>CAST5_OFB</constant></member>\n"
-" <member><constant>RC5_32_12_16_CBC</constant></member>\n"
-" <member><constant>RC5_32_12_16_CFB</constant></member>\n"
-" <member><constant>RC5_32_12_16_ECB</constant></member>\n"
-" <member><constant>RC5_32_12_16_OFB</constant></member>\n"
-" </simplelist>\n"
-" <para>\n"
-" Please note your version of OpenSSL might not have been compiled with\n"
-" all the ciphers listed above. If that is the case, which is very\n"
-" likely if you are using a stock binary, the unsuported ciphers will not even\n"
-" be in the module namespace.\n"
-" </para>\n"
-" </body>\n"
-"</constructor>\n"
-;
+static char pkcs10_object_get_signature_algorithm__doc__[] =
+ "Return this PKCS #10 reqeuest's signature algorithm OID.\n"
+ ;
static PyObject *
-pow_module_new_symmetric (PyObject *self, PyObject *args)
+pkcs10_object_get_signature_algorithm(pkcs10_object *self)
{
- int cipher_type = 0;
+ ASN1_OBJECT *oid = NULL;
- if (!PyArg_ParseTuple(args, "i", &cipher_type))
- goto error;
+ ENTERING(pkcs10_object_get_signature_algorithm);
- return (PyObject *) symmetric_object_new(cipher_type);
+ X509_ALGOR_get0(&oid, NULL, NULL, self->pkcs10->sig_alg);
- error:
-
- return NULL;
+ return ASN1_OBJECT_to_PyString(oid);
}
-static char pow_module_new_x509_crl__doc__[] =
-"<constructor>\n"
-" <header>\n"
-" <memberof>x509_crl</memberof>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This constructor builds an empty CRL.\n"
-" </para>\n"
-" </body>\n"
-"</constructor>\n"
-;
+static char pkcs10_object_get_extension_oids__doc__[] =
+ "Return the set of extension OIDs used in this request. This is mostly\n"
+ "useful for enforcing restrictions on what extensions are allowed to be\n"
+ "present, eg, to conform with the RPKI profile.\n"
+ ;
static PyObject *
-pow_module_new_x509_crl (PyObject *self, PyObject *args)
+pkcs10_object_get_extension_oids(pkcs10_object *self)
{
- if (!PyArg_ParseTuple(args, ""))
+ PyObject *result = NULL;
+ PyObject *oid = NULL;
+ int i;
+
+ ENTERING(pkcs10_object_get_extension_oids);
+
+ if ((result = PyFrozenSet_New(NULL)) == NULL)
goto error;
- return (PyObject *) x509_crl_object_new();
+ for (i = 0; i < sk_X509_EXTENSION_num(self->exts); i++) {
+ X509_EXTENSION *ext = sk_X509_EXTENSION_value(self->exts, i);
+ if ((oid = ASN1_OBJECT_to_PyString(ext->object)) == NULL ||
+ PySet_Add(result, oid) < 0)
+ goto error;
+ Py_XDECREF(oid);
+ oid = NULL;
+ }
- error:
+ return result;
- return NULL;
+ error:
+ Py_XDECREF(result);
+ Py_XDECREF(oid);
+ return NULL;
}
-static char pow_module_new_x509_revoked__doc__[] =
-"<constructor>\n"
-" <header>\n"
-" <memberof>X509Revoked</memberof>\n"
-" <parameter>serial</parameter>\n"
-" <parameter>date</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This constructor builds a X509 Revoked structure. <parameter>serial</parameter>\n"
-" should be an integer and <parameter>date</parameter> should be and\n"
-" UTCTime string.\n"
-" </para>\n"
-" </body>\n"
-"</constructor>\n"
-;
+/*
+ * May want EKU handlers eventually, skip for now.
+ */
+
+static char pkcs10_object_pprint__doc__[] =
+ "Return a pretty-printed rendition of this PKCS#10 request.\n"
+ ;
static PyObject *
-pow_module_new_x509_revoked (PyObject *self, PyObject *args)
+pkcs10_object_pprint(pkcs10_object *self)
{
- int serial = -1;
- char *date = NULL;
- x509_revoked_object *revoke = NULL;
-
- if (!PyArg_ParseTuple(args, "|is", &serial, &date))
- goto error;
+ PyObject *result = NULL;
+ BIO *bio = NULL;
- revoke = x509_revoked_object_new();
- if (serial != -1 && !ASN1_INTEGER_set(revoke->revoked->serialNumber, serial))
- lose("unable to set serial number");
+ ENTERING(pkcs10_object_pprint);
- if (date != NULL && !python_ASN1_TIME_set_string(revoke->revoked->revocationDate, date))
- lose_type_error("Could not set revocationDate");
+ if ((bio = BIO_new(BIO_s_mem())) == NULL)
+ lose_no_memory();
- return (PyObject*) revoke;
+ if (!X509_REQ_print(bio, self->pkcs10))
+ lose_openssl_error("Unable to pretty-print PKCS#10 request");
- error:
+ result = BIO_to_PyString_helper(bio);
- return NULL;
+ error: /* Fall through */
+ BIO_free(bio);
+ return result;
}
+static struct PyMethodDef pkcs10_object_methods[] = {
+ Define_Method(pemWrite, pkcs10_object_pem_write, METH_NOARGS),
+ Define_Method(derWrite, pkcs10_object_der_write, METH_NOARGS),
+ Define_Method(sign, pkcs10_object_sign, METH_VARARGS),
+ Define_Method(verify, pkcs10_object_verify, METH_NOARGS),
+ Define_Method(getPublicKey, pkcs10_object_get_public_key, METH_NOARGS),
+ Define_Method(setPublicKey, pkcs10_object_set_public_key, METH_VARARGS),
+ Define_Method(getVersion, pkcs10_object_get_version, METH_NOARGS),
+ Define_Method(setVersion, pkcs10_object_set_version, METH_VARARGS),
+ Define_Method(getSubject, pkcs10_object_get_subject, METH_VARARGS),
+ Define_Method(setSubject, pkcs10_object_set_subject, METH_VARARGS),
+ Define_Method(pprint, pkcs10_object_pprint, METH_NOARGS),
+ Define_Method(getKeyUsage, pkcs10_object_get_key_usage, METH_NOARGS),
+ Define_Method(setKeyUsage, pkcs10_object_set_key_usage, METH_VARARGS),
+ Define_Method(getBasicConstraints, pkcs10_object_get_basic_constraints, METH_NOARGS),
+ Define_Method(setBasicConstraints, pkcs10_object_set_basic_constraints, METH_VARARGS),
+ Define_Method(getSIA, pkcs10_object_get_sia, METH_NOARGS),
+ Define_Method(setSIA, pkcs10_object_set_sia, METH_VARARGS),
+ Define_Method(getSignatureAlgorithm, pkcs10_object_get_signature_algorithm, METH_NOARGS),
+ Define_Method(getExtensionOIDs, pkcs10_object_get_extension_oids, METH_NOARGS),
+ Define_Class_Method(pemRead, pkcs10_object_pem_read, METH_VARARGS),
+ Define_Class_Method(pemReadFile, pkcs10_object_pem_read_file, METH_VARARGS),
+ Define_Class_Method(derRead, pkcs10_object_der_read, METH_VARARGS),
+ Define_Class_Method(derReadFile, pkcs10_object_der_read_file, METH_VARARGS),
+ {NULL}
+};
+
+static char POW_PKCS10_Type__doc__[] =
+ "This class represents a PKCS#10 request.\n"
+ "\n"
+ LAME_DISCLAIMER_IN_ALL_CLASS_DOCUMENTATION
+ ;
+
+static PyTypeObject POW_PKCS10_Type = {
+ PyObject_HEAD_INIT(0)
+ 0, /* ob_size */
+ "rpki.POW.PKCS10", /* tp_name */
+ sizeof(pkcs10_object), /* tp_basicsize */
+ 0, /* tp_itemsize */
+ (destructor)pkcs10_object_dealloc, /* tp_dealloc */
+ 0, /* tp_print */
+ 0, /* tp_getattr */
+ 0, /* tp_setattr */
+ 0, /* tp_compare */
+ 0, /* tp_repr */
+ 0, /* tp_as_number */
+ 0, /* tp_as_sequence */
+ 0, /* tp_as_mapping */
+ 0, /* tp_hash */
+ 0, /* tp_call */
+ 0, /* tp_str */
+ 0, /* tp_getattro */
+ 0, /* tp_setattro */
+ 0, /* tp_as_buffer */
+ Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE, /* tp_flags */
+ POW_PKCS10_Type__doc__, /* tp_doc */
+ 0, /* tp_traverse */
+ 0, /* tp_clear */
+ 0, /* tp_richcompare */
+ 0, /* tp_weaklistoffset */
+ 0, /* tp_iter */
+ 0, /* tp_iternext */
+ pkcs10_object_methods, /* tp_methods */
+ 0, /* tp_members */
+ 0, /* tp_getset */
+ 0, /* tp_base */
+ 0, /* tp_dict */
+ 0, /* tp_descr_get */
+ 0, /* tp_descr_set */
+ 0, /* tp_dictoffset */
+ 0, /* tp_init */
+ 0, /* tp_alloc */
+ pkcs10_object_new, /* tp_new */
+};
+
+
+
+/*
+ * Module functions.
+ */
+
static char pow_module_add_object__doc__[] =
-"<modulefunction>\n"
-" <header>\n"
-" <name>addObject</name>\n"
-" <parameter>oid</parameter>\n"
-" <parameter>shortName</parameter>\n"
-" <parameter>longName</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This function can be used to dynamically add new objects to\n"
-" OpenSSL. The <parameter>oid</parameter> should be a string of space separated numbers\n"
-" and <parameter>shortName</parameter> and\n"
-" <parameter>longName</parameter> are the names of the object, ie\n"
-" 'cn' and 'commonName'.\n"
-" </para>\n"
-" </body>\n"
-"</modulefunction>\n"
-;
+ "Add new a new object identifier to OpenSSL's internal database.\n"
+ "\n"
+ "The \"oid\" should be an ASN.1 object identifer, represented as a string\n"
+ "in dotted-decimal format.\n"
+ "\n"
+ "The \"shortName\" parameter should be the OpenSSL \"short name\" to use.\n"
+ "\n"
+ "The \"longName\" parameter should be the OpenSSL \"long name\" to use.\n"
+ ;
static PyObject *
-pow_module_add_object(PyObject *self, PyObject *args)
+pow_module_add_object(GCC_UNUSED PyObject *self, PyObject *args)
{
char *oid = NULL, *sn = NULL, *ln = NULL;
+ ENTERING(pow_module_add_object);
+
if (!PyArg_ParseTuple(args, "sss", &oid, &sn, &ln))
goto error;
if (!OBJ_create(oid, sn, ln))
- lose("unable to add object");
+ lose_openssl_error("Unable to add object");
Py_RETURN_NONE;
@@ -7943,104 +8005,57 @@ pow_module_add_object(PyObject *self, PyObject *args)
}
static char pow_module_get_error__doc__[] =
-"<modulefunction>\n"
-" <header>\n"
-" <name>getError</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" Pops an error off the global error stack and returns it as a string.\n"
-" Returns None if the global error stack is empty.\n"
-" </para>\n"
-" </body>\n"
-"</modulefunction>\n"
-;
+ "Pop one error off OpenSSL's global error stack and returns it as a string.\n"
+ "\n"
+ "Returns None if the error stack is empty.\n"
+ ;
static PyObject *
-pow_module_get_error(PyObject *self, PyObject *args)
+pow_module_get_error(GCC_UNUSED PyObject *self)
{
- unsigned long error;
+ unsigned long error = ERR_get_error();
char buf[256];
- if (!PyArg_ParseTuple(args, ""))
- goto error;
-
- error = ERR_get_error();
+ ENTERING(pow_module_get_error);
if (!error)
Py_RETURN_NONE;
ERR_error_string_n(error, buf, sizeof(buf));
-
return Py_BuildValue("s", buf);
-
- error:
-
- return NULL;
}
static char pow_module_clear_error__doc__[] =
-"<modulefunction>\n"
-" <header>\n"
-" <name>clearError</name>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" Removes all errors from the global error stack.\n"
-" </para>\n"
-" </body>\n"
-"</modulefunction>\n"
-;
+ "Remove all errors from OpenSSL's global error stack.\n"
+ ;
static PyObject *
-pow_module_clear_error(PyObject *self, PyObject *args)
+pow_module_clear_error(GCC_UNUSED PyObject *self)
{
- if (!PyArg_ParseTuple(args, ""))
- goto error;
-
+ ENTERING(pow_module_clear_error);
ERR_clear_error();
-
Py_RETURN_NONE;
-
- error:
-
- return NULL;
}
static char pow_module_seed__doc__[] =
-"<modulefunction>\n"
-" <header>\n"
-" <name>seed</name>\n"
-" <parameter>data</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" The <function>seed</function> function adds data to OpenSSLs PRNG\n"
-" state. It is often said the hardest part of cryptography is\n"
-" getting good random data, after all if you don't have good random\n"
-" data, a 1024 bit key is no better than a 512 bit key and neither\n"
-" would provide protection from a targeted brute force attack.\n"
-" The <function>seed</function> and <function>add</function> are very\n"
-" similar, except the entropy of the data is assumed to be equal to\n"
-" the length for <function>seed</function>. One final point to be aware\n"
-" of, only systems which support /dev/urandom are automatically seeded.\n"
-" If your system does not support /dev/urandom it is your responsibility\n"
-" to seed OpenSSL's PRNG.\n"
-" </para>\n"
-" </body>\n"
-"</modulefunction>\n"
-;
+ "Add data to OpenSSL's pseudo-random number generator state.\n"
+ "\n"
+ "The \"data\" parameter is the seed to add. Entropy of the data is\n"
+ "assumed to be equal to the length of the data.\n"
+ ;
static PyObject *
-pow_module_seed(PyObject *self, PyObject *args)
+pow_module_seed(GCC_UNUSED PyObject *self, PyObject *args)
{
- char *in = NULL;
- int inl = 0;
+ char *data = NULL;
+ int datalen = 0;
- if (!PyArg_ParseTuple(args, "s#", &in, &inl))
+ ENTERING(pow_module_seed);
+
+ if (!PyArg_ParseTuple(args, "s#", &data, &datalen))
goto error;
- RAND_seed(in, inl);
+ RAND_seed(data, datalen);
Py_RETURN_NONE;
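Review bot: The new `pow_module_seed__doc__` says entropy is assumed equal to the data length but does not spell out the consequence for callers. `RAND_seed(data, datalen)` credits every byte as fully random, so predictable input such as a timestamp, a PID or a fixed string leaves the generator counted as seeded when it is not. I would add one sentence to the docstring, for example `"Only pass data from a cryptographically strong source; use add() with an honest entropy estimate otherwise.\n"`. The rewritten text also drops the old warning that systems without /dev/urandom are not seeded automatically; if that still holds for the OpenSSL versions this module supports, it deserves one line in the new docstring. The body of pow_module_seed continues past the end of this hunk.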
@@ -8050,489 +8065,213 @@ pow_module_seed(PyObject *self, PyObject *args)
}
static char pow_module_add__doc__[] =
-"<modulefunction>\n"
-" <header>\n"
-" <name>add</name>\n"
-" <parameter>data</parameter>\n"
-" <parameter>entropy</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" The <function>add</function> function adds data to OpenSSLs PRNG\n"
-" state. <parameter>data</parameter> should be data obtained from a\n"
-" random source and <parameter>entropy</parameter> is an estimation of the number of random\n"
-" bytes in <parameter>data</parameter>.\n"
-" </para>\n"
-" </body>\n"
-"</modulefunction>\n"
-;
+ "Add data to OpenSSL's pseudo-random number generator state.\n"
+ "\n"
+ "The \"data\" parameter is the data to add.\n"
+ "\n"
+ "The \"entropy\" parameter should be an estimate of the number of\n"
+ "random bytes in the data parameter.\n"
+ ;
static PyObject *
-pow_module_add(PyObject *self, PyObject *args)
+pow_module_add(GCC_UNUSED PyObject *self, PyObject *args)
{
- char *in = NULL;
- int inl = 0;
+ char *data = NULL;
+ int datalen = 0;
double entropy = 0;
- if (!PyArg_ParseTuple(args, "s#d", &in, &inl, &entropy))
+ ENTERING(pow_module_add);
+
+ if (!PyArg_ParseTuple(args, "s#d", &data, &datalen, &entropy))
goto error;
- RAND_add(in, inl, entropy);
+ RAND_add(data, datalen, entropy);
Py_RETURN_NONE;
error:
-
return NULL;
}
static char pow_module_write_random_file__doc__[] =
-"<modulefunction>\n"
-" <header>\n"
-" <name>writeRandomFile</name>\n"
-" <parameter>filename</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This function writes the current random state to a file. Clearly\n"
-" this function should be used in conjunction with\n"
-" <function>readRandomFile</function>.\n"
-" </para>\n"
-" </body>\n"
-"</modulefunction>\n"
-;
+ "Write the current state of OpenSSL's pseduo-random number generator to\n"
+ "a file.\n"
+ "\n"
+ "The \"filename\" parameter is the name of the file to write.\n"
+ ;
static PyObject *
-pow_module_write_random_file(PyObject *self, PyObject *args)
+pow_module_write_random_file(GCC_UNUSED PyObject *self, PyObject *args)
{
- char *file = NULL;
+ char *filename = NULL;
+
+ ENTERING(pow_module_write_random_file);
- if (!PyArg_ParseTuple(args, "s", &file))
+ if (!PyArg_ParseTuple(args, "s", &filename))
goto error;
- if (RAND_write_file(file) == -1)
- lose("could not write random file");
+ if (RAND_write_file(filename) == -1)
+ lose("Couldn't write random file");
Py_RETURN_NONE;
error:
-
return NULL;
}
static char pow_module_read_random_file__doc__[] =
-"<modulefunction>\n"
-" <header>\n"
-" <name>readRandomFile</name>\n"
-" <parameter>filename</parameter>\n"
-" </header>\n"
-" <body>\n"
-" <para>\n"
-" This function reads a previously saved random state. It can be very\n"
-" useful to improve the quality of random data used by an application.\n"
-" The random data should be added to, using the\n"
-" <function>add</function> function, with data from other\n"
-" suitable random sources.\n"
-" </para>\n"
-" </body>\n"
-"</modulefunction>\n"
-;
+ "Restore the state of OpenSSLs pseudo-random number generator from\n"
+ "data previously saved to a file.\n"
+ "\n"
+ "The \"filename\" parameter is the name of the file to read.\n"
+ ;
static PyObject *
-pow_module_read_random_file(PyObject *self, PyObject *args)
+pow_module_read_random_file(GCC_UNUSED PyObject *self, PyObject *args)
{
char *file = NULL;
int len = -1;
+ ENTERING(pow_module_read_random_file);
+
if (!PyArg_ParseTuple(args, "s|i", &file, &len))
goto error;
if (!RAND_load_file(file, len))
- lose("could not load random file");
+ lose("Couldn't load random file");
Py_RETURN_NONE;
error:
-
return NULL;
}
+static char pow_module_custom_datetime__doc__[] =
+ "Set constructor callback for customized datetime class.\n"
+ ;
+
static PyObject *
-pow_module_docset(PyObject *self, PyObject *args)
+pow_module_custom_datetime(GCC_UNUSED PyObject *self, PyObject *args)
{
- PyObject *docset;
+ PyObject *cb = NULL;
- if (!PyArg_ParseTuple(args, ""))
+ ENTERING(pow_module_custom_datetime);
+
+ if (!PyArg_ParseTuple(args, "O", &cb))
goto error;
- docset = PyList_New(0);
-
- // module documentation
- docset_helper_add(docset, pow_module__doc__);
-
- // constructors
- docset_helper_add(docset, pow_module_new_symmetric__doc__);
- docset_helper_add(docset, pow_module_new_asymmetric__doc__);
- docset_helper_add(docset, pow_module_new_digest__doc__);
- docset_helper_add(docset, pow_module_new_hmac__doc__);
- docset_helper_add(docset, pow_module_new_ssl__doc__);
- docset_helper_add(docset, pow_module_new_x509__doc__);
- docset_helper_add(docset, pow_module_new_x509_store__doc__);
- docset_helper_add(docset, pow_module_new_x509_crl__doc__);
- docset_helper_add(docset, pow_module_new_x509_revoked__doc__);
- docset_helper_add(docset, pow_module_new_cms__doc__);
-
- // functions
- docset_helper_add(docset, pow_module_pem_read__doc__);
- docset_helper_add(docset, pow_module_der_read__doc__);
- docset_helper_add(docset, pow_module_seed__doc__);
- docset_helper_add(docset, pow_module_add__doc__);
- docset_helper_add(docset, pow_module_read_random_file__doc__);
- docset_helper_add(docset, pow_module_write_random_file__doc__);
- docset_helper_add(docset, pow_module_get_error__doc__);
- docset_helper_add(docset, pow_module_clear_error__doc__);
- docset_helper_add(docset, pow_module_add_object__doc__);
-
- // ssl documentation
- docset_helper_add(docset, ssltype__doc__);
- docset_helper_add(docset, ssl_object_set_fd__doc__);
- docset_helper_add(docset, ssl_object_fileno__doc__);
- docset_helper_add(docset, ssl_object_accept__doc__);
- docset_helper_add(docset, ssl_object_connect__doc__);
- docset_helper_add(docset, ssl_object_write__doc__);
- docset_helper_add(docset, ssl_object_read__doc__);
- docset_helper_add(docset, ssl_object_peer_certificate__doc__);
- docset_helper_add(docset, ssl_object_use_certificate__doc__);
- docset_helper_add(docset, ssl_object_use_key__doc__);
- docset_helper_add(docset, ssl_object_check_key__doc__);
- docset_helper_add(docset, ssl_object_clear__doc__);
- docset_helper_add(docset, ssl_object_shutdown__doc__);
- docset_helper_add(docset, ssl_object_get_shutdown__doc__);
- docset_helper_add(docset, ssl_object_get_ciphers__doc__);
- docset_helper_add(docset, ssl_object_set_ciphers__doc__);
- docset_helper_add(docset, ssl_object_get_cipher__doc__);
- docset_helper_add(docset, ssl_object_set_verify_mode__doc__);
-
- // x509 documentation
- docset_helper_add(docset, x509type__doc__);
- docset_helper_add(docset, X509_object_pem_write__doc__);
- docset_helper_add(docset, X509_object_der_write__doc__);
- docset_helper_add(docset, X509_object_sign__doc__);
- docset_helper_add(docset, X509_object_set_public_key__doc__);
- docset_helper_add(docset, X509_object_get_version__doc__);
- docset_helper_add(docset, X509_object_set_version__doc__);
- docset_helper_add(docset, X509_object_get_serial__doc__);
- docset_helper_add(docset, X509_object_set_serial__doc__);
- docset_helper_add(docset, X509_object_get_issuer__doc__);
- docset_helper_add(docset, X509_object_set_issuer__doc__);
- docset_helper_add(docset, X509_object_get_subject__doc__);
- docset_helper_add(docset, X509_object_set_subject__doc__);
- docset_helper_add(docset, X509_object_get_not_before__doc__);
- docset_helper_add(docset, X509_object_set_not_before__doc__);
- docset_helper_add(docset, X509_object_get_not_after__doc__);
- docset_helper_add(docset, X509_object_set_not_after__doc__);
- docset_helper_add(docset, X509_object_add_extension__doc__);
- docset_helper_add(docset, X509_object_clear_extensions__doc__);
- docset_helper_add(docset, X509_object_count_extensions__doc__);
- docset_helper_add(docset, X509_object_get_extension__doc__);
- docset_helper_add(docset, x509_object_pprint__doc__);
-
- // x509_crl documentation
- docset_helper_add(docset, x509_crltype__doc__);
- docset_helper_add(docset, x509_crl_object_pem_write__doc__);
- docset_helper_add(docset, x509_crl_object_der_write__doc__);
- docset_helper_add(docset, x509_crl_object_get_version__doc__);
- docset_helper_add(docset, x509_crl_object_set_version__doc__);
- docset_helper_add(docset, x509_crl_object_get_issuer__doc__);
- docset_helper_add(docset, x509_crl_object_set_issuer__doc__);
- docset_helper_add(docset, x509_crl_object_get_this_update__doc__);
- docset_helper_add(docset, x509_crl_object_set_this_update__doc__);
- docset_helper_add(docset, x509_crl_object_get_next_update__doc__);
- docset_helper_add(docset, x509_crl_object_set_next_update__doc__);
- docset_helper_add(docset, x509_crl_object_get_revoked__doc__);
- docset_helper_add(docset, x509_crl_object_set_revoked__doc__);
- docset_helper_add(docset, x509_crl_object_verify__doc__);
- docset_helper_add(docset, x509_crl_object_sign__doc__);
- docset_helper_add(docset, X509_crl_object_add_extension__doc__);
- docset_helper_add(docset, X509_crl_object_clear_extensions__doc__);
- docset_helper_add(docset, X509_crl_object_count_extensions__doc__);
- docset_helper_add(docset, X509_crl_object_get_extension__doc__);
- docset_helper_add(docset, x509_crl_object_pprint__doc__);
-
- // x509_revoked documentation
- docset_helper_add(docset, x509_revokedtype__doc__);
- docset_helper_add(docset, x509_revoked_object_get_date__doc__);
- docset_helper_add(docset, x509_revoked_object_set_date__doc__);
- docset_helper_add(docset, x509_revoked_object_get_serial__doc__);
- docset_helper_add(docset, x509_revoked_object_set_serial__doc__);
- docset_helper_add(docset, X509_revoked_object_add_extension__doc__);
- docset_helper_add(docset, X509_revoked_object_clear_extensions__doc__);
- docset_helper_add(docset, X509_revoked_object_count_extensions__doc__);
- docset_helper_add(docset, X509_revoked_object_get_extension__doc__);
-
- // x509_store documentation
- docset_helper_add(docset, x509_storetype__doc__);
- docset_helper_add(docset, x509_store_object_verify__doc__);
- docset_helper_add(docset, x509_store_object_verify_chain__doc__);
- docset_helper_add(docset, x509_store_object_verify_detailed__doc__);
- docset_helper_add(docset, x509_store_object_add_trust__doc__);
- docset_helper_add(docset, x509_store_object_add_crl__doc__);
-
- // digest documentation
- docset_helper_add(docset, digesttype__doc__);
- docset_helper_add(docset, digest_object_update__doc__);
- docset_helper_add(docset, digest_object_copy__doc__);
- docset_helper_add(docset, digest_object_digest__doc__);
-
- // hmac documentation
- docset_helper_add(docset, hmactype__doc__);
- docset_helper_add(docset, hmac_object_update__doc__);
- docset_helper_add(docset, hmac_object_copy__doc__);
- docset_helper_add(docset, hmac_object_mac__doc__);
-
- // cms documentation
- docset_helper_add(docset, CMS_object_pem_write__doc__);
- docset_helper_add(docset, CMS_object_der_write__doc__);
- docset_helper_add(docset, CMS_object_sign__doc__);
- docset_helper_add(docset, CMS_object_verify__doc__);
- docset_helper_add(docset, CMS_object_eContentType__doc__);
- docset_helper_add(docset, CMS_object_signingTime__doc__);
- docset_helper_add(docset, CMS_object_pprint__doc__);
- docset_helper_add(docset, CMS_object_certs__doc__);
- docset_helper_add(docset, CMS_object_crls__doc__);
-
- // symmetric documentation
- docset_helper_add(docset, symmetrictype__doc__);
- docset_helper_add(docset, symmetric_object_encrypt_init__doc__);
- docset_helper_add(docset, symmetric_object_decrypt_init__doc__);
- docset_helper_add(docset, symmetric_object_update__doc__);
- docset_helper_add(docset, symmetric_object_final__doc__);
-
- // asymmetric documentation
- docset_helper_add(docset, asymmetrictype__doc__);
- docset_helper_add(docset, asymmetric_object_pem_write__doc__);
- docset_helper_add(docset, asymmetric_object_der_write__doc__);
- docset_helper_add(docset, asymmetric_object_public_encrypt__doc__);
- docset_helper_add(docset, asymmetric_object_public_decrypt__doc__);
- docset_helper_add(docset, asymmetric_object_private_encrypt__doc__);
- docset_helper_add(docset, asymmetric_object_private_decrypt__doc__);
- docset_helper_add(docset, asymmetric_object_sign__doc__);
- docset_helper_add(docset, asymmetric_object_verify__doc__);
-
- return docset;
+ Py_XINCREF(cb);
+ Py_XDECREF(custom_datetime);
+ custom_datetime = cb;
- error:
+ Py_RETURN_NONE;
+ error:
return NULL;
}
+
static struct PyMethodDef pow_module_methods[] = {
- {"Ssl", (PyCFunction)pow_module_new_ssl, METH_VARARGS, NULL},
- {"X509", (PyCFunction)pow_module_new_x509, METH_VARARGS, NULL},
- {"pemRead", (PyCFunction)pow_module_pem_read, METH_VARARGS, NULL},
- {"derRead", (PyCFunction)pow_module_der_read, METH_VARARGS, NULL},
- {"Digest", (PyCFunction)pow_module_new_digest, METH_VARARGS, NULL},
- {"Hmac", (PyCFunction)pow_module_new_hmac, METH_VARARGS, NULL},
- {"CMS", (PyCFunction)pow_module_new_cms, METH_VARARGS, NULL},
- {"Asymmetric", (PyCFunction)pow_module_new_asymmetric, METH_VARARGS, NULL},
- {"Symmetric", (PyCFunction)pow_module_new_symmetric, METH_VARARGS, NULL},
- {"X509Store", (PyCFunction)pow_module_new_x509_store, METH_VARARGS, NULL},
- {"X509Crl", (PyCFunction)pow_module_new_x509_crl, METH_VARARGS, NULL},
- {"X509Revoked", (PyCFunction)pow_module_new_x509_revoked, METH_VARARGS, NULL},
- {"getError", (PyCFunction)pow_module_get_error, METH_VARARGS, NULL},
- {"clearError", (PyCFunction)pow_module_clear_error, METH_VARARGS, NULL},
- {"seed", (PyCFunction)pow_module_seed, METH_VARARGS, NULL},
- {"add", (PyCFunction)pow_module_add, METH_VARARGS, NULL},
- {"readRandomFile", (PyCFunction)pow_module_read_random_file, METH_VARARGS, NULL},
- {"writeRandomFile", (PyCFunction)pow_module_write_random_file, METH_VARARGS, NULL},
- {"addObject", (PyCFunction)pow_module_add_object, METH_VARARGS, NULL},
-
- {"_docset", (PyCFunction)pow_module_docset, METH_VARARGS, NULL},
-
- {NULL} /* sentinel */
+ Define_Method(getError, pow_module_get_error, METH_NOARGS),
+ Define_Method(clearError, pow_module_clear_error, METH_NOARGS),
+ Define_Method(seed, pow_module_seed, METH_VARARGS),
+ Define_Method(add, pow_module_add, METH_VARARGS),
+ Define_Method(readRandomFile, pow_module_read_random_file, METH_VARARGS),
+ Define_Method(writeRandomFile, pow_module_write_random_file, METH_VARARGS),
+ Define_Method(addObject, pow_module_add_object, METH_VARARGS),
+ Define_Method(customDatetime, pow_module_custom_datetime, METH_VARARGS),
+ {NULL}
};
-/*========== module functions ==========*/
+
+
+/*
+ * Module initialization.
+ */
-/*==========================================================================*/
void
init_POW(void)
{
- PyObject *m;
-
- x509type.ob_type = &PyType_Type;
- x509_storetype.ob_type = &PyType_Type;
- x509_crltype.ob_type = &PyType_Type;
- x509_revokedtype.ob_type = &PyType_Type;
- ssltype.ob_type = &PyType_Type;
- asymmetrictype.ob_type = &PyType_Type;
- symmetrictype.ob_type = &PyType_Type;
- digesttype.ob_type = &PyType_Type;
- hmactype.ob_type = &PyType_Type;
- cmstype.ob_type = &PyType_Type;
-
- m = Py_InitModule3("_POW", pow_module_methods, pow_module__doc__);
-
-#define Define_Exception(__name__, __parent__) \
- PyModule_AddObject(m, #__name__, ((__name__##Object) = PyErr_NewException("POW." #__name__, __parent__, NULL)))
-
- Define_Exception(Error, NULL);
- Define_Exception(SSLError, ErrorObject);
- Define_Exception(ZeroReturnError, SSLErrorObject);
- Define_Exception(WantReadError, SSLErrorObject);
- Define_Exception(WantWriteError, SSLErrorObject);
- Define_Exception(SSLSyscallError, SSLErrorObject);
- Define_Exception(SSLErrorSSLError, SSLErrorObject);
- Define_Exception(SSLSyscallSSLError, SSLErrorObject);
- Define_Exception(SSLUnexpectedEOFError,SSLErrorObject);
- Define_Exception(SSLOtherError, SSLErrorObject);
+ PyObject *m = Py_InitModule3("_POW", pow_module_methods, pow_module__doc__);
+ int OpenSSL_ok = 1;
+
+ /*
+ * Python encourages us to use these functions instead of the ones
+ * in libc, and OpenSSL allows us to do this. The result seems to
+ * work, and, in theory, gives Python's memory allocator a better
+ * idea of how much memory we're really using. Not sure why it
+ * cares, but let's try to be nice about it.
+ *
+ * Note that this must be done BEFORE anything in OpenSSL uses
+ * dynamic memory, and that this will probably fail in horrible ways
+ * without the build-time code (-Bsymbolic, etc) which isolates our
+ * copy of the OpenSSL code from any system shared libraries.
+ * Enough other things already fail in horrible ways without that
+ * isolation that adding one more doesn't make much difference, but
+ * if you tinker with the build script and start seeing nasty
+ * memory-related issues, this might be the cause.
+ */
+ CRYPTO_set_mem_functions(PyMem_Malloc, PyMem_Realloc, PyMem_Free);
+
+ /*
+ * Import the DateTime API
+ */
+
+ PyDateTime_IMPORT;
+
+#define Define_Class(__type__) \
+ do { \
+ char *__name__ = strrchr(__type__.tp_name, '.'); \
+ if (PyType_Ready(&__type__) == 0 && __name__ != NULL) { \
+ Py_INCREF(&__type__); \
+ PyModule_AddObject(m, __name__+1, (PyObject *) &__type__); \
+ } \
+ } while (0)
+
+ Define_Class(POW_X509_Type);
+ Define_Class(POW_X509Store_Type);
+ Define_Class(POW_CRL_Type);
+ Define_Class(POW_Asymmetric_Type);
+ Define_Class(POW_Digest_Type);
+ Define_Class(POW_CMS_Type);
+ Define_Class(POW_IPAddress_Type);
+ Define_Class(POW_Manifest_Type);
+ Define_Class(POW_ROA_Type);
+ Define_Class(POW_PKCS10_Type);
+
+#undef Define_Class
+
+#define Define_Exception(__name__, __parent__) \
+ PyModule_AddObject(m, #__name__, ((__name__##Object) \
+ = PyErr_NewException("rpki.POW." #__name__, __parent__, NULL)))
+
+ Define_Exception(Error, NULL);
+ Define_Exception(OpenSSLError, ErrorObject);
+ Define_Exception(POWError, ErrorObject);
+ Define_Exception(NotVerifiedError, ErrorObject);
#undef Define_Exception
#define Define_Integer_Constant(__name__) \
PyModule_AddIntConstant(m, #__name__, __name__)
- // constants for SSL_get_error()
- Define_Integer_Constant(SSL_ERROR_NONE);
- Define_Integer_Constant(SSL_ERROR_ZERO_RETURN);
- Define_Integer_Constant(SSL_ERROR_WANT_READ);
- Define_Integer_Constant(SSL_ERROR_WANT_WRITE);
- Define_Integer_Constant(SSL_ERROR_WANT_X509_LOOKUP);
- Define_Integer_Constant(SSL_ERROR_SYSCALL);
- Define_Integer_Constant(SSL_ERROR_SSL);
- Define_Integer_Constant(SSL_ERROR_WANT_CONNECT);
- Define_Integer_Constant(SSL_ERROR_WANT_ACCEPT);
-
- // constants for different types of connection methods
- Define_Integer_Constant(SSLV2_SERVER_METHOD);
- Define_Integer_Constant(SSLV2_CLIENT_METHOD);
- Define_Integer_Constant(SSLV2_METHOD);
- Define_Integer_Constant(SSLV3_SERVER_METHOD);
- Define_Integer_Constant(SSLV3_CLIENT_METHOD);
- Define_Integer_Constant(SSLV3_METHOD);
- Define_Integer_Constant(SSLV23_SERVER_METHOD);
- Define_Integer_Constant(SSLV23_CLIENT_METHOD);
- Define_Integer_Constant(SSLV23_METHOD);
- Define_Integer_Constant(TLSV1_SERVER_METHOD);
- Define_Integer_Constant(TLSV1_CLIENT_METHOD);
- Define_Integer_Constant(TLSV1_METHOD);
-
- Define_Integer_Constant(SSL_NO_SHUTDOWN);
- Define_Integer_Constant(SSL_SENT_SHUTDOWN);
- Define_Integer_Constant(SSL_RECEIVED_SHUTDOWN);
-
- // ssl verification mode
- Define_Integer_Constant(SSL_VERIFY_NONE);
- Define_Integer_Constant(SSL_VERIFY_PEER);
- Define_Integer_Constant(SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
- Define_Integer_Constant(SSL_VERIFY_CLIENT_ONCE);
-
- // object format types
+ /* Object format types */
Define_Integer_Constant(LONGNAME_FORMAT);
Define_Integer_Constant(SHORTNAME_FORMAT);
+ Define_Integer_Constant(OIDNAME_FORMAT);
- // PEM encoded types
-#ifndef OPENSSL_NO_RSA
- Define_Integer_Constant(RSA_PUBLIC_KEY);
- Define_Integer_Constant(RSA_PRIVATE_KEY);
-#endif
-#ifndef OPENSSL_NO_DSA
- Define_Integer_Constant(DSA_PUBLIC_KEY);
- Define_Integer_Constant(DSA_PRIVATE_KEY);
-#endif
-#ifndef OPENSSL_NO_DH
- Define_Integer_Constant(DH_PUBLIC_KEY);
- Define_Integer_Constant(DH_PRIVATE_KEY);
-#endif
- Define_Integer_Constant(X509_CERTIFICATE);
- PyModule_AddIntConstant(m, "X509_CRL", X_X509_CRL);
- Define_Integer_Constant(CMS_MESSAGE);
-
- // asymmetric ciphers
-#ifndef OPENSSL_NO_RSA
+ /* Asymmetric ciphers */
Define_Integer_Constant(RSA_CIPHER);
-#endif
-#ifndef OPENSSL_NO_DSA
- Define_Integer_Constant(DSA_CIPHER);
-#endif
-#ifndef OPENSSL_NO_DH
- Define_Integer_Constant(DH_CIPHER);
-#endif
- // symmetric ciphers
-#ifndef OPENSSL_NO_DES
- Define_Integer_Constant(DES_ECB);
- Define_Integer_Constant(DES_EDE);
- Define_Integer_Constant(DES_EDE3);
- Define_Integer_Constant(DES_CFB);
- Define_Integer_Constant(DES_EDE_CFB);
- Define_Integer_Constant(DES_EDE3_CFB);
- Define_Integer_Constant(DES_OFB);
- Define_Integer_Constant(DES_EDE_OFB);
- Define_Integer_Constant(DES_EDE3_OFB);
- Define_Integer_Constant(DES_CBC);
- Define_Integer_Constant(DES_EDE_CBC);
- Define_Integer_Constant(DES_EDE3_CBC);
- Define_Integer_Constant(DESX_CBC);
-#endif
-#ifndef OPENSSL_NO_RC4
- Define_Integer_Constant(RC4);
- Define_Integer_Constant(RC4_40);
-#endif
-#ifndef OPENSSL_NO_IDEA
- Define_Integer_Constant(IDEA_ECB);
- Define_Integer_Constant(IDEA_CFB);
- Define_Integer_Constant(IDEA_OFB);
- Define_Integer_Constant(IDEA_CBC);
-#endif
-#ifndef OPENSSL_NO_RC2
- Define_Integer_Constant(RC2_ECB);
- Define_Integer_Constant(RC2_CBC);
- Define_Integer_Constant(RC2_40_CBC);
- Define_Integer_Constant(RC2_CFB);
- Define_Integer_Constant(RC2_OFB);
-#endif
-#ifndef OPENSSL_NO_BF
- Define_Integer_Constant(BF_ECB);
- Define_Integer_Constant(BF_CBC);
- Define_Integer_Constant(BF_CFB);
- Define_Integer_Constant(BF_OFB);
-#endif
- Define_Integer_Constant(CAST5_ECB);
- Define_Integer_Constant(CAST5_CBC);
- Define_Integer_Constant(CAST5_CFB);
- Define_Integer_Constant(CAST5_OFB);
-#ifndef OPENSSL_NO_RC5
- Define_Integer_Constant(RC5_32_12_16_CBC);
- Define_Integer_Constant(RC5_32_12_16_CFB);
- Define_Integer_Constant(RC5_32_12_16_ECB);
- Define_Integer_Constant(RC5_32_12_16_OFB);
-#endif
-
- // message digests
-#ifndef OPENSSL_NO_MD2
- Define_Integer_Constant(MD2_DIGEST);
-#endif
+ /* Message digests */
Define_Integer_Constant(MD5_DIGEST);
Define_Integer_Constant(SHA_DIGEST);
Define_Integer_Constant(SHA1_DIGEST);
- Define_Integer_Constant(RIPEMD160_DIGEST);
Define_Integer_Constant(SHA256_DIGEST);
Define_Integer_Constant(SHA384_DIGEST);
Define_Integer_Constant(SHA512_DIGEST);
- // general name
- Define_Integer_Constant(GEN_OTHERNAME);
- Define_Integer_Constant(GEN_EMAIL);
- Define_Integer_Constant(GEN_DNS);
- Define_Integer_Constant(GEN_X400);
- Define_Integer_Constant(GEN_DIRNAME);
- Define_Integer_Constant(GEN_EDIPARTY);
- Define_Integer_Constant(GEN_URI);
- Define_Integer_Constant(GEN_IPADD);
- Define_Integer_Constant(GEN_RID);
-
- // CMS flags
+ /* CMS flags */
Define_Integer_Constant(CMS_NOCERTS);
Define_Integer_Constant(CMS_NOATTR);
Define_Integer_Constant(CMS_NOINTERN);
@@ -8543,19 +8282,26 @@ init_POW(void)
#undef Define_Integer_Constant
- // initialise library
- SSL_library_init();
+ /*
+ * Initialise library.
+ *
+ * We shouldn't need any of the SSL code or error strings anymore.
+ *
+ * If we cared deeply about avoiding references to symmetric cipher
+ * algorithms and digest algorithms we're not using, we could
+ * replace the call to OpenSSL_add_all_algorithms() with calls to
+ * add just the specific algorithms we use rather than all of them.
+ * For now, don't worry about it.
+ */
+
OpenSSL_add_all_algorithms();
- OpenSSL_add_all_ciphers();
- OpenSSL_add_all_digests();
+ ERR_load_crypto_strings();
- // load error strings
- SSL_load_error_strings();
+ OpenSSL_ok &= create_missing_nids();
- if (PyErr_Occurred())
+ if (PyErr_Occurred() || !OpenSSL_ok)
Py_FatalError("Can't initialize module POW");
}
-/*==========================================================================*/
/*
* Local Variables:
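Review bot: When `create_missing_nids()` fails, the new `if (PyErr_Occurred() || !OpenSSL_ok)` check aborts the interpreter with only "Can't initialize module POW", so nothing indicates whether Python or OpenSSL was at fault. Since `ERR_load_crypto_strings()` is now called just above, the OpenSSL error queue could be printed first, e.g. `if (!OpenSSL_ok) ERR_print_errors_fp(stderr);` ahead of the `Py_FatalError` call. This assumes `create_missing_nids()`, which is defined outside this hunk, leaves its failure on that queue. The body of `init_POW` starts before this hunk.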
diff --git a/rpkid/irbe_cli.py b/rpkid/irbe_cli.py
index 520b186d..0a458009 100644
--- a/rpkid/irbe_cli.py
+++ b/rpkid/irbe_cli.py
@@ -3,7 +3,7 @@ Command line IR back-end control program for rpkid and pubd.
$Id$
-Copyright (C) 2009--2010 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -95,6 +95,7 @@ class cmd_elt_mixin(reply_elt_mixin):
"""
Parse options for this class.
"""
+ # pylint: disable=W0621
opts, argv = getopt.getopt(argv, "", [x + "=" for x in self.attributes + self.elements if x not in self.excludes] + list(self.booleans))
for o, a in opts:
o = o[2:]
@@ -148,47 +149,48 @@ class cmd_msg_mixin(object):
# left-right protcol
-class self_elt(cmd_elt_mixin, rpki.left_right.self_elt):
- pass
+class left_right_msg(cmd_msg_mixin, rpki.left_right.msg):
-class bsc_elt(cmd_elt_mixin, rpki.left_right.bsc_elt):
+ class self_elt(cmd_elt_mixin, rpki.left_right.self_elt):
+ pass
- excludes = ("pkcs10_request",)
+ class bsc_elt(cmd_elt_mixin, rpki.left_right.bsc_elt):
- def client_query_signing_cert(self, arg):
- """--signing_cert option."""
- self.signing_cert = rpki.x509.X509(Auto_file = arg)
+ excludes = ("pkcs10_request",)
- def client_query_signing_cert_crl(self, arg):
- """--signing_cert_crl option."""
- self.signing_cert_crl = rpki.x509.CRL(Auto_file = arg)
+ def client_query_signing_cert(self, arg):
+ """--signing_cert option."""
+ self.signing_cert = rpki.x509.X509(Auto_file = arg)
- def client_reply_decode(self):
- global pem_out
- if pem_out is not None and self.pkcs10_request is not None:
- if isinstance(pem_out, str):
- pem_out = open(pem_out, "w")
- pem_out.write(self.pkcs10_request.get_PEM())
+ def client_query_signing_cert_crl(self, arg):
+ """--signing_cert_crl option."""
+ self.signing_cert_crl = rpki.x509.CRL(Auto_file = arg)
-class parent_elt(cmd_elt_mixin, rpki.left_right.parent_elt):
- pass
+ def client_reply_decode(self):
+ global pem_out
+ if pem_out is not None and self.pkcs10_request is not None:
+ if isinstance(pem_out, str):
+ pem_out = open(pem_out, "w")
+ pem_out.write(self.pkcs10_request.get_PEM())
-class child_elt(cmd_elt_mixin, rpki.left_right.child_elt):
- pass
+ class parent_elt(cmd_elt_mixin, rpki.left_right.parent_elt):
+ pass
-class repository_elt(cmd_elt_mixin, rpki.left_right.repository_elt):
- pass
+ class child_elt(cmd_elt_mixin, rpki.left_right.child_elt):
+ pass
-class list_published_objects_elt(cmd_elt_mixin, rpki.left_right.list_published_objects_elt):
- excludes = ("uri",)
+ class repository_elt(cmd_elt_mixin, rpki.left_right.repository_elt):
+ pass
-class list_received_resources_elt(cmd_elt_mixin, rpki.left_right.list_received_resources_elt):
- excludes = ("parent_handle", "notBefore", "notAfter", "uri", "sia_uri", "aia_uri", "asn", "ipv4", "ipv6")
+ class list_published_objects_elt(cmd_elt_mixin, rpki.left_right.list_published_objects_elt):
+ excludes = ("uri",)
-class report_error_elt(reply_elt_mixin, rpki.left_right.report_error_elt):
- pass
+ class list_received_resources_elt(cmd_elt_mixin, rpki.left_right.list_received_resources_elt):
+ excludes = ("parent_handle", "notBefore", "notAfter", "uri", "sia_uri", "aia_uri", "asn", "ipv4", "ipv6")
+
+ class report_error_elt(reply_elt_mixin, rpki.left_right.report_error_elt):
+ pass
-class left_right_msg(cmd_msg_mixin, rpki.left_right.msg):
pdus = dict((x.element_name, x)
for x in (self_elt, bsc_elt, parent_elt, child_elt, repository_elt,
list_published_objects_elt, list_received_resources_elt, report_error_elt))
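Review bot: With the element classes now nested, the `pdus = dict(...)` line in `left_right_msg` only works because the tuple `(self_elt, bsc_elt, ...)` is the outermost iterable of the generator expression and is therefore evaluated in class scope. Any class-body name used inside the generator itself would raise NameError, which is easy to trip over in a later edit. A comment above the line would record this: `# Tuple is evaluated in class scope; only x is visible inside the generator.` The same applies to `publication_msg.pdus` in the following hunk. The end of the class body is not visible in this hunk.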
@@ -201,36 +203,37 @@ class left_right_cms_msg(rpki.left_right.cms_msg):
# Publication protocol
-class config_elt(cmd_elt_mixin, rpki.publication.config_elt):
+class publication_msg(cmd_msg_mixin, rpki.publication.msg):
- def client_query_bpki_crl(self, arg):
- """
- Special handler for --bpki_crl option.
- """
- self.bpki_crl = rpki.x509.CRL(Auto_file = arg)
+ class config_elt(cmd_elt_mixin, rpki.publication.config_elt):
-class client_elt(cmd_elt_mixin, rpki.publication.client_elt):
- pass
+ def client_query_bpki_crl(self, arg):
+ """
+ Special handler for --bpki_crl option.
+ """
+ self.bpki_crl = rpki.x509.CRL(Auto_file = arg)
-class certificate_elt(cmd_elt_mixin, rpki.publication.certificate_elt):
- pass
+ class client_elt(cmd_elt_mixin, rpki.publication.client_elt):
+ pass
-class crl_elt(cmd_elt_mixin, rpki.publication.crl_elt):
- pass
+ class certificate_elt(cmd_elt_mixin, rpki.publication.certificate_elt):
+ pass
+
+ class crl_elt(cmd_elt_mixin, rpki.publication.crl_elt):
+ pass
-class manifest_elt(cmd_elt_mixin, rpki.publication.manifest_elt):
- pass
+ class manifest_elt(cmd_elt_mixin, rpki.publication.manifest_elt):
+ pass
-class roa_elt(cmd_elt_mixin, rpki.publication.roa_elt):
- pass
+ class roa_elt(cmd_elt_mixin, rpki.publication.roa_elt):
+ pass
-class report_error_elt(reply_elt_mixin, rpki.publication.report_error_elt):
- pass
+ class report_error_elt(reply_elt_mixin, rpki.publication.report_error_elt):
+ pass
-class ghostbuster_elt(cmd_elt_mixin, rpki.publication.ghostbuster_elt):
- pass
+ class ghostbuster_elt(cmd_elt_mixin, rpki.publication.ghostbuster_elt):
+ pass
-class publication_msg(cmd_msg_mixin, rpki.publication.msg):
pdus = dict((x.element_name, x)
for x in (config_elt, client_elt, certificate_elt, crl_elt,
manifest_elt, roa_elt, report_error_elt,
diff --git a/rpkid/portal-gui/Makefile.in b/rpkid/portal-gui/Makefile.in
index d4b7c5dc..eb84d873 100644
--- a/rpkid/portal-gui/Makefile.in
+++ b/rpkid/portal-gui/Makefile.in
@@ -40,9 +40,9 @@ apache.conf: $(srcdir)/apache.conf.in Makefile
$(edit) $@.in > $@
install: $(BUILD)
- ${INSTALL} -d $(SYSCONFDIR)
- ${INSTALL} -d $(INSTDIR)/media/css
- ${INSTALL} -d $(INSTDIR)/wsgi
+ if test -d $(SYSCONFDIR); then :; else ${INSTALL} -d $(SYSCONFDIR); fi
+ if test -d $(INSTDIR)/media/css; then :; else ${INSTALL} -d $(INSTDIR)/media/css; fi
+ if test -d $(INSTDIR)/wsgi; then :; else ${INSTALL} -d $(INSTDIR)/wsgi; fi
${INSTALL} -m 644 apache.conf $(SYSCONFDIR)/apache.conf
${INSTALL} -m 644 $(srcdir)/media/css/bootstrap.min.css $(INSTDIR)/media/css/bootstrap.min.css
${INSTALL} -m 644 rpki.wsgi $(INSTDIR)/wsgi/rpki.wsgi
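Review bot: The new `if test -d ...; then :; else ${INSTALL} -d ...; fi` lines in the `install` target leave a pre-existing directory exactly as it is, so its mode and owner are no longer touched by this target. That is presumably the intent, but it means `apache.conf` and `rpki.wsgi` can be installed mode 644 into a directory that is group- or world-writable if it was created that way earlier. A comment above the three lines would make the assumption explicit: `# Existing directories are kept as-is; verify they are not writable by unprivileged users.`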
diff --git a/rpkid/rpki-sql-backup.py b/rpkid/rpki-sql-backup.py
index b6e7320a..ea11d957 100644
--- a/rpkid/rpki-sql-backup.py
+++ b/rpkid/rpki-sql-backup.py
@@ -6,7 +6,7 @@ For the moment, this just writes all the SQL to stdout.
$Id$
-Copyright (C) 2010 Internet Systems Consortium ("ISC")
+Copyright (C) 2010-2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
diff --git a/rpkid/rpki-sql-setup.py b/rpkid/rpki-sql-setup.py
index be138b0e..700d150a 100644
--- a/rpkid/rpki-sql-setup.py
+++ b/rpkid/rpki-sql-setup.py
@@ -4,7 +4,7 @@ root password, pulls other information from rpki.conf.
$Id$
-Copyright (C) 2009--2011 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -19,8 +19,10 @@ OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
"""
-import os, getopt, sys, rpki.config, getpass, warnings
-
+import getopt
+import sys
+import getpass
+import rpki.config
import rpki.sql_schemas
from rpki.mysql_import import MySQLdb
diff --git a/rpkid/rpki-start-servers.py b/rpkid/rpki-start-servers.py
index e7061062..722f51e6 100644
--- a/rpkid/rpki-start-servers.py
+++ b/rpkid/rpki-start-servers.py
@@ -58,6 +58,7 @@ cfg = rpki.config.parser(cfg_file, "myrpki")
def run(name):
+ # pylint: disable=E1103
cmd = (sys.executable, os.path.join(rpkid_dir, name), "-c", cfg.filename)
if debug:
proc = subprocess.Popen(cmd + ("-d",), stdout = open(name + ".log", "a"), stderr = subprocess.STDOUT)
diff --git a/rpkid/rpki/POW/__init__.py b/rpkid/rpki/POW/__init__.py
index b150bbf1..d3796245 100644
--- a/rpkid/rpki/POW/__init__.py
+++ b/rpkid/rpki/POW/__init__.py
@@ -1,16 +1,7 @@
from _POW import *
-from _POW import _docset
-## @mainpage
-##
-## Python OpenSSL Wrappers (POW) is an old (but well-written)
-## interface between Python and OpenSSL (ok, you could have guessed
-## that from the name). Sadly, it appears to have fallen by the
-## wayside, and M2Crypto is getting a lot more attention these days.
-##
-## POW ships with a submodule, POW.pkix, which includes a wonderful
-## set of pure-Python routines for dealing with ASN.1 encodings of
-## X.509v3 certificates, extensions, and related data. I haven't
-## found anything as good anywhere else. This code deserves to be
-## salvaged and put to work.
+# Set callback to let POW construct rpki.sundial.datetime objects
+from rpki.sundial import datetime as sundial_datetime
+customDatetime(sundial_datetime)
+del sundial_datetime
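Review bot: The `customDatetime(sundial_datetime)` call sets one process-wide callback as an import side effect, and the name remains public through `from _POW import *`, so a later caller can replace the datetime class for every user of POW. The existing comment says what the callback is for but not that it is global or that it is meant to be set once here. Suggest extending it: `# Process-wide setting in _POW; not intended to be called again after import.` The removed `@mainpage` text was the package's only description, so a one-line module docstring would also be worth adding. Importing `rpki.sundial` here would be circular if that module ever imports `rpki.POW`; this file alone does not show whether it does.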
diff --git a/rpkid/rpki/POW/_der.py b/rpkid/rpki/POW/_der.py
deleted file mode 100644
index c7f58411..00000000
--- a/rpkid/rpki/POW/_der.py
+++ /dev/null
@@ -1,2294 +0,0 @@
-#*****************************************************************************#
-#* *#
-#* Copyright (c) 2002, Peter Shannon *#
-#* All rights reserved. *#
-#* *#
-#* Redistribution and use in source and binary forms, with or without *#
-#* modification, are permitted provided that the following conditions *#
-#* are met: *#
-#* *#
-#* * Redistributions of source code must retain the above *#
-#* copyright notice, this list of conditions and the following *#
-#* disclaimer. *#
-#* *#
-#* * Redistributions in binary form must reproduce the above *#
-#* copyright notice, this list of conditions and the following *#
-#* disclaimer in the documentation and/or other materials *#
-#* provided with the distribution. *#
-#* *#
-#* * The name of the contributors may be used to endorse or promote *#
-#* products derived from this software without specific prior *#
-#* written permission. *#
-#* *#
-#* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS *#
-#* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT *#
-#* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS *#
-#* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS *#
-#* OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, *#
-#* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT *#
-#* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, *#
-#* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY *#
-#* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT *#
-#* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE *#
-#* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. *#
-#* *#
-#*****************************************************************************#
-
-import exceptions, types, copy, string, time, base64, traceback, cStringIO
-
-DEBUG = 0
-
-# CLASS
-CLASS_UNIVERSAL = 0x00
-CLASS_APPLICATION = 0x40
-CLASS_CONTEXT = 0x80
-CLASS_PRIVATE = 0xC0
-
-# FORM
-FORM_PRIMITIVE = 0x00
-FORM_CONSTRUCTED = 0x20
-
-# TAG
-TAG_BOOLEAN = 0x01
-TAG_INTEGER = 0x02
-TAG_BITSTRING = 0x03
-TAG_OCTETSTRING = 0x04
-TAG_NULL = 0x05
-TAG_OID = 0x06
-TAG_OBJDESCRIPTOR = 0x07
-TAG_EXTERNAL = 0x08
-TAG_REAL = 0x09
-TAG_ENUMERATED = 0x0A
-TAG_EMBEDDED_PDV = 0x0B
-TAG_UTF8STRING = 0x0C
-TAG_SEQUENCE = 0x10
-TAG_SET = 0x11
-TAG_NUMERICSTRING = 0x12
-TAG_PRINTABLESTRING = 0x13
-TAG_T61STRING = 0x14
-TAG_VIDEOTEXSTRING = 0x15
-TAG_IA5STRING = 0x16
-TAG_UTCTIME = 0x17
-TAG_GENERALIZEDTIME = 0x18
-TAG_GRAPHICSTRING = 0x19
-TAG_VISIBLESTRING = 0x1A
-TAG_GENERALSTRING = 0x1B
-TAG_UNIVERSALSTRING = 0x1C
-TAG_BMPSTRING = 0x1E
-
-_fragments = []
-
-def _docset():
- return _fragments
-
-def _addFragment(frag):
- global _fragments
- _fragments.append(frag)
-
-
-_addFragment('''
-<moduleDescription>
- <header>
- <name>POW.pkix</name>
- <author>Peter Shannon</author>
- </header>
- <body>
- <para>
- This module is a solution to reading and writing X509v3 written
- purely in Python. It does use limited facilities from POW for
- signing and verifying but these could be replaced easily. It is
- an abstract module and to use it successfully RFC3280 should be
- referred to as well as the sourcecode where necessary. The correct
- use of many extensions often not clear from the definitions alone.
- Do refer to the RFC for details.
- </para>
- <para>
- Each constructed objects defined in the RFC is built from primitives
- defined by the ASN1 recommedations. Not all ASN1 primitive are available but all those
- required for X509v3 should be. The implementation is more or less
- complete for DER encoding the only caveat, aside from a few
- missing objects, is the behaviour of <classname>SET</classname> objects
- and <classname>SET OF</classname> objects. The order the objects are
- written in should be determined at runtime by sorting their tags but this
- library does not do this. For X509 it isn't really necessary
- since all the <classname>Set</classname> objects are simple and the
- order they are written in is defined by the object's constructor.
- </para>
- <para>
- Every documented object in this module supports the functions documented for
- <classname>_GeneralObject</classname>. In general the function
- will only be documented in descendant classes if the class changes
- the behaviour significantly from its ancestor. This would
- normally be <classname>_GeneralObject</classname> or
- <classname>Sequence</classname>.
- </para>
- </body>
-</moduleDescription>
-''')
-
-class DerError(Exception):
- def __init__(self, msg):
- if not isinstance(msg, types.StringType):
- raise Exception, 'argunment should be a string'
- self.msg = msg
-
- def __repr__(self):
- return self.msg
-
- __str__ = __repr__
-
-class _Tag(object):
- def __init__(self):
- self.tagclass = 0
- self.tagform = 0
- self.tagnumber = 0
-
- def __repr__(self):
- return '(%s, %s, %s)' % (self.tagclass, self.tagform, self.tagnumber)
-
- def write(self, file):
- if self.tagnumber < 31:
- file.write( chr(self.tagclass | self.tagform | self.tagnumber) )
- else:
- val = copy.deepcopy(self.tagnumber)
- bytes = []
- while val:
- byte = val & 0x7F
- bytes.append(byte | 0x80)
- val = val >> 7
- bytes[0] = bytes[0] ^ 0x80
- bytes.append( self.tagclass | self.tagform | 0x1F )
- bytes.reverse()
- file.write( string.join(map(chr, bytes), '') )
-
- def read(self, file):
- octet1 = ord( file.read(1) )
- self.tagclass = octet1 & 0xC0
- self.tagform = octet1 & 0x20
- value = octet1 & 0x1F
- if value < 31:
- self.tagnumber = value
- else:
- total = 0
- byte = 0x80
- while byte & 0x80:
- byte = ord( file.read(1) )
- if byte & 0x80:
- total = (total << 7) | byte ^ 0x80
- else:
- total = (total << 7) | byte
- self.tagnumber = total
-
-class _Length(object):
- def __init__(self):
- self.length = 0
-
- def __repr__(self):
- return '(%s)' % self.length
-
- def write(self, file):
- if self.length < 128:
- file.write( chr(self.length) )
- else:
- val = copy.deepcopy(self.length)
- bytes = []
- while val:
- byte = val & 0xFF
- bytes.append(byte)
- val = val >> 8
- lengthOfLength = len(bytes)
- if lengthOfLength > 126:
- raise DerError, 'object is too long!'
- bytes.append(lengthOfLength)
- bytes.reverse()
- bytes[0] = bytes[0] ^ 0x80
- file.write( string.join(map(chr, bytes), '') )
-
- def read(self, file):
- octet1 = ord( file.read(1) )
- if octet1 < 128:
- self.length = octet1
- else:
- total = 0
- byte = 0
- for i in range(octet1 ^ 0x80):
- byte = ord( file.read(1) )
- total = (total << 8) | byte
- self.length = total
-
-class _TlvIo(_Tag, _Length):
- def __init__(self, file):
- self.file = file
- self.offset = None
- self.valueOffset = None
-
- def __repr__(self):
- return '<TAG:%s Length:%s>' % (_Tag.__repr__(self), _Length.__repr__(self))
-
- def __nonzero__(self):
- pos = self.file.tell()
- self.file.seek(0,2)
- if self.file.tell():
- self.file.seek(pos)
- return 1
- else:
- return 0
-
- def read(self):
- self.offset = self.file.tell()
- _Tag.read( self, self.file )
- _Length.read( self, self.file )
- self.valueOffset = self.file.tell()
- self.file.seek( self.length, 1 )
-
- def readValue(self):
- self.file.seek( self.valueOffset )
- return self.file.read( self.length )
-
- def write(self, val):
- _Tag.write( self, self.file )
- self.length = len(val)
- _Length.write( self, self.file )
- self.file.write(val)
-
-def _decodeBoolean(val):
- 'der encoded value not including tag or length'
- if not isinstance(val, types.StringType):
- raise DerError, 'argument should be a string'
- if ord(val) == 0xFF:
- return 1
- elif ord(val) == 0x00:
- return 0
- else:
- raise DerError, 'boolean should be encode as all 1s or all 0s'
-
-def _encodeBoolean(val):
- 'anything we can test for truth'
- if val:
- return chr(0xFF)
- else:
- return chr(0x00)
-
-def _decodeInteger(val):
- 'der encoded value not including tag or length'
- if not isinstance(val, types.StringType):
- raise DerError, 'argument should be a string'
- total = 0L
- if ord(val[0]) & 0x80:
- val = map( lambda x : ord(x) ^ 0xFF, val )
- for byte in val:
- total = (total << 8) | byte
- total = -(total+1)
- else:
- for byte in val:
- total = (total << 8) | ord(byte)
- return total
-
-def _encodeInteger(val):
- 'python integer'
- if not isinstance(val, types.IntType) and not isinstance(val, types.LongType):
- raise DerError, 'argument should be an integer'
- if val == 0:
- return chr(0x00)
- else:
- val2 = copy.deepcopy(val)
- if val2 < 0:
- val2 = -(val2+1)
- bytes = []
- byte = 0
- while val2:
- byte = val2 & 0xFF
- bytes.append(byte)
- val2 = val2 >> 8
- # if we have no used up the last byte to represent the value we need
- # to add one more on to show if this is negative of positive. Also,
- # due to adding 1 and inverting -1 would be 0 or if 0 is the encoding
- # value, so bytes would empty and this would lead to and empty value
- # and this would not be working properly. Adding this null byte
- # fixes this, since it is inverted to -1 and preserved for 0.
- if byte & 0x80 or not bytes:
- bytes.append(0x00)
- if val < 0:
- bytes = map( lambda x : x ^ 0xFF, bytes )
- bytes.reverse()
-
- return string.join(map(chr, bytes), '')
-
-def _decodeBitString(val):
- 'der encoded value not including tag or length'
- if not isinstance(val, types.StringType):
- raise DerError, 'argument should be a string'
- bitmasks = [0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01]
- unused = ord( val[0] )
- bits = []
- for byte in val[1:]:
- for j in range(8):
- if ord(byte) & bitmasks[j]:
- bits.append(1)
- else:
- bits.append(0)
- if unused == 0:
- return tuple(bits)
- else:
- return tuple(bits[:-unused])
-
-def _encodeBitString(val):
- 'list of true/false objects ie [0,1,1,0,1,1]'
- if not (isinstance(val, types.ListType) or isinstance(val, types.TupleType)):
- raise DerError, 'argument should be a list or tuple'
- bitmasks = [0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01]
- bytes = []
- fits, leftover = divmod(len(val), 8)
- nobytes = fits
- if leftover > 0:
- nobytes = nobytes + 1
- if leftover:
- unused = 8 - leftover
- else:
- unused = 0
- bytes.append(unused)
- for i in range(nobytes):
- byte = 0
- for j in range(8):
- offset = j + i*8
- if offset < len(val):
- if val[offset]:
- byte = byte | bitmasks[j]
- bytes.append(byte)
-
- return string.join(map(chr, bytes), '')
-
-def _decodeOid(val):
- 'der encoded value not including tag or length'
- if not isinstance(val, types.StringType):
- raise DerError, 'argument should be a string'
- arc12 = ord( val[0] )
- arc1, arc2 = divmod(arc12, 40)
- oids = [arc1,arc2]
-
- total = 0
- for byte in val[1:]:
- val = ord(byte)
- if val & 0x80:
- total = (total << 7) | (val ^ 0x80)
- else:
- total = (total << 7) | val
- oids.append(total)
- total = 0
-
- return tuple(oids)
-
-def _encodeOid(val):
- 'list of intgers'
- if not (isinstance(val, types.ListType) or isinstance(val, types.TupleType)):
- raise DerError, 'argument should be a list or tuple'
- oids = []
- oids.append( chr(40 * val[0] + val[1]) )
- for val in val[2:]:
- if val == 0:
- oids.append( chr(0) )
- else:
- bytes = []
- while val:
- val, rem = divmod(val, 128)
- bytes.append(rem | 0x80)
- bytes[0] = bytes[0] ^ 0x80
- bytes.reverse()
- oids.append( string.join(map(chr, bytes), '') )
-
- return string.join(oids, '')
-
-def _decodeSequence(val):
- 'der encoded value not including tag or length'
- if not isinstance(val, types.StringType):
- raise DerError, 'argument should be a string'
- buf = cStringIO.StringIO(val)
- buflen = len(val)
- tvls = []
- while buf.tell() < buflen:
- t = _TlvIo(buf)
- t.read()
- tvls.append(t)
- return tuple(tvls)
-
-def _encodeSequence(val):
- 'list of GenerlObjects'
- if not (isinstance(val, types.ListType) or isinstance(val, types.TupleType)):
- raise DerError, 'argument should be a list or tuple'
- buf = cStringIO.StringIO()
- for obj in val:
- if obj or isinstance(obj, _GeneralObject):
- obj.write(buf)
- elif not obj.optional:
- raise DerError, 'object not set which should be: %s' % obj
-
- return buf.getvalue()
-
-_addFragment('''
-<class>
- <header>
- <name>_GeneralObject</name>
- </header>
- <body>
- <para>
- <classname>_GeneralObject</classname> is the basis for all DER objects,
- primitive or constructed. It defines the basic behaviour of an
- object which is serialised using the tag, length and value
- approach of DER. It is unlikely you would ever want to
- instantiate one of these directly but I include a description
- since many primatives don't override much of
- <classname>_GeneralObject</classname>'s functions.
- </para>
- </body>
-</class>
-''')
-
-class _GeneralObject(object):
-
- _addFragment('''
- <constructor>
- <header>
- <memberof>_GeneralObject</memberof>
- <parameter>normclass</parameter>
- <parameter>normform</parameter>
- <parameter>normnumber</parameter>
- <parameter>encRoutine</parameter>
- <parameter>decRoutine</parameter>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- <body>
- <para>
- <parameter>normclass</parameter> is the class of the object,
- ei: universal, application, context or private.
- <parameter>normform</parameter> is the form of the object, ei
- primitive or constructed. <parameter>normnumber</parameter> is
- the tag number of the object.
- <parameter>encRoutine</parameter> is a function which takes a
- value and encodes it according the appropriate DER rules.
- <parameter>decRoutine</parameter> is a function which reads a
- string value and returns a value which is more useful in
- Python. <parameter>optional</parameter> is a boolean
- indicating if this object is optional. The final parameter,
- <parameter>default</parameter> is the base 64 encoded DER
- value, which should be used as the default in leu of a value to
- read or incase it is unset.
- </para>
- </body>
- </constructor>
- ''')
-
- def __init__(self, normclass, normform, normnumber, encRoutine, decRoutine, optional=0, default=''):
- if not isinstance(normclass, types.IntType):
- raise DerError, 'nomrclass argument should be an integer : %s' % normclass
- if not isinstance(normform, types.IntType):
- raise DerError, 'normform argument should be an integer : %s' % normform
- if not isinstance(normnumber, types.IntType):
- raise DerError, 'normnumber argument should be an integer : %s' % normnumber
- if not isinstance(encRoutine, types.FunctionType):
- raise DerError, 'encRoutine argument should be an function : %s' % encRoutine
- if not isinstance(decRoutine, types.FunctionType):
- raise DerError, 'decRoutine argument should be an function : %s' % decRoutine
- if not isinstance(optional, types.IntType):
- raise DerError, 'optional argument should be an integer : %s' % optional
- if not isinstance(default, types.StringType):
- raise DerError, 'default argument should be an String : %s' % default
- self.normclass = normclass
- self.normform = normform
- self.normnumber = normnumber
- self.encRoutine = encRoutine
- self.decRoutine = decRoutine
- self.value = None
- self.optional = optional
- self.default = default
- self.reset()
-
- def _ioSafe(self):
- 'is it safe to write this object'
- if self.optional or self._isSet():
- return 1
- else:
- return 0
-
- def _isSet(self):
- 'are the values of this object set or not'
- if self.value is not None:
- return 1
- else:
- return 0
-
- _addFragment('''
- <method>
- <header>
- <memberof>_GeneralObject</memberof>
- <name>reset</name>
- </header>
- <body>
- <para>
- This function re-initialises the object, clearing the value or
- setting it to any default.
- </para>
- </body>
- </method>
- ''')
- def reset(self):
- self.value = None
- if self.default:
- buf = cStringIO.StringIO( base64.decodestring( self.default ) )
- io = _TlvIo(buf)
- io.read()
- self.read(io)
-
- _addFragment('''
- <method>
- <header>
- <memberof>_GeneralObject</memberof>
- <name>set</name>
- <parameter>value</parameter>
- </header>
- <body>
- <para>
- This dosn't do much except store <parameter>value</parameter>,
- presumably prior to writing the object. The correct values to
- use would be determined by the encoder or decoder this class is
- instantiated with. Be careful, there is some flexibility in
- setting objects so you might find that once the object has been
- written and read back in the value isn't identical. A good
- example would be anything which contains a sequence(list or
- tuple), all sequence objects are returned as tuples.
- </para>
- </body>
- </method>
- ''')
- def set(self, value):
- if value is not None:
- self.value = value
-
- _addFragment('''
- <method>
- <header>
- <memberof>_GeneralObject</memberof>
- <name>get</name>
- </header>
- <body>
- <para>
- Gets the value stored presumably after reading the object.
- </para>
- </body>
- </method>
- ''')
- def get(self):
- return self.value
-
- _addFragment('''
- <method>
- <header>
- <memberof>_GeneralObject</memberof>
- <name>implied</name>
- <parameter>impclass</parameter>
- <parameter>impform</parameter>
- <parameter>impnumber</parameter>
- </header>
- <body>
- <para>
- This function is used to change how the tag is written or read
- for a particular object and should be called in the constructor
- for derived objects. If you have an example of the structure you need to
- process, Pete Gutmann's excellent
- <application>dumpasn1</application> can be invaluable for
- debugging objects.
- </para>
- </body>
- </method>
- ''')
- def implied(self, impclass, impform, impnumber):
- if not isinstance(impclass, types.IntType):
- raise DerError, 'impclass argument should be an integer'
- if not isinstance(impform, types.IntType):
- raise DerError, 'impform argument should be an integer'
- if not isinstance(impnumber, types.IntType):
- raise DerError, 'impnumber argument should be an integer'
- self.normclass = impclass
- self.normform = impform
- self.normnumber = impnumber
-
- _addFragment('''
- <method>
- <header>
- <memberof>_GeneralObject</memberof>
- <name>read</name>
- <parameter>io</parameter>
- </header>
- <body>
- <para>
- <parameter>io</parameter> should be a file like object. If the
- object being read matches the expected class, form and tag the
- value is read and decoded using
- <function>decRoutine</function>. Else, if it has a default
- that is read and stored.
- </para>
- <para>
- The return value of this function does not indicate success but
- whether this TLV was processed successfully. This bahaviour is
- vital for processing constructed types since the object may be
- optional or have a default. Failure to decode would be indicated
- by an exception.
- </para>
- </body>
- </method>
- ''')
-
- def read(self, io=None):
-
- processDefOpt = 0
- if io is None:
- processDefOpt = 1
- elif isinstance(io, _TlvIo):
- if not io:
- processDefOpt = 1
- else:
- pos = io.tell()
- io.seek(0,2)
- if io.tell():
- io.seek(pos)
- else:
- processDefOpt = 1
-
- if processDefOpt:
- if self.optional or self.default:
- self.reset()
- return 0
- else:
- raise DerError, 'no TLV is available to read in non-optional/non-default object: %s' % repr(self)
-
- if not isinstance(io, _TlvIo):
- tmp = _TlvIo(io)
- tmp.read()
- io = tmp
-
- if io.tagclass != self.normclass or io.tagform != self.normform or io.tagnumber != self.normnumber:
- if self.default or self.optional:
- self.reset()
- return 0
- else:
- raise DerError, 'error in encoding, missing object:%s' % repr(self)
- else:
- derval = io.readValue()
- self.value = self.decRoutine( derval )
- return 1
-
- _addFragment('''
- <method>
- <header>
- <memberof>_GeneralObject</memberof>
- <name>write</name>
- <parameter>io</parameter>
- </header>
- <body>
- <para>
- If this object has not been set and is not optional and dosn't
- have a default, a <classname>DerError</classname> exception will be raised
- </para>
- <para>
- If no value has been set and this object is optional, nothing
- is written. If this object's value is equal to the default,
- nothing is written as stipulated by DER. Otherwise the value
- is encoded and written.
- </para>
- </body>
- </method>
- ''')
-
- def write(self, file):
- if not self._ioSafe():
- raise DerError, 'object not set which must be: %s' % repr(self)
- elif self.optional and self.value is None:
- pass
- else:
- buf = cStringIO.StringIO()
- io = _TlvIo(buf)
- io.tagclass = self.normclass
- io.tagform = self.normform
- io.tagnumber = self.normnumber
- derval = self.encRoutine( self.value )
- io.length = len(derval)
- io.write(derval)
- if self.default:
- if buf.getvalue() != base64.decodestring(self.default):
- file.write( buf.getvalue() )
- else:
- file.write( buf.getvalue() )
-
- _addFragment('''
- <method>
- <header>
- <memberof>_GeneralObject</memberof>
- <name>toString</name>
- </header>
- <body>
- <para>
- Encodes the value in DER and returns it as a string.
- </para>
- </body>
- </method>
- ''')
-
- def toString(self):
- buf = cStringIO.StringIO()
- self.write(buf)
- return buf.getvalue()
-
- _addFragment('''
- <method>
- <header>
- <memberof>_GeneralObject</memberof>
- <name>fromString</name>
- </header>
- <body>
- <para>
- Decodes the string and sets the value of this object.
- </para>
- </body>
- </method>
- ''')
-
- def fromString(self, value):
- buf = cStringIO.StringIO(value)
- self.read(buf)
-
-class Any(_GeneralObject):
-
- def __init__(self):
- self.value = None
- self.normclass = None
- self.normform = None
- self.normnumber = None
-
- def _ioSafe(self):
- if self.optional or (self._isSet() and self.normclass is not None and self.normform is not None and self.normnumber is not None):
- return 1
- else:
- return 0
-
- def setTag(self, klass, form, number):
- self.normclass = klass
- self.normform = form
- self.normnumber = number
-
- def reset(self):
- self.value = None
-
- def get(self):
- return self.value
-
- def set(self, value):
- self.value = value
-
- def write(self,file):
- if not self._ioSafe():
- raise DerError, 'object not set which must be: %s' % repr(self)
- elif self.optional and self.value is None:
- pass
- else:
- buf = cStringIO.StringIO()
- io = _TlvIo(buf)
- io.tagclass = self.normclass
- io.tagform = self.normform
- io.tagnumber = self.normnumber
- io.length = len(self.value)
- io.write(self.value)
- file.write(buf.getvalue())
-
- def read(self, io=None):
-
- processDefOpt = 0
- if io is None:
- processDefOpt = 1
- elif isinstance(io, _TlvIo):
- if not io:
- processDefOpt = 1
- else:
- pos = io.tell()
- io.seek(0,2)
- if io.tell():
- io.seek(pos)
- else:
- processDefOpt = 1
- if processDefOpt:
- if self.optional or self.default:
- self.reset()
- return 0
- else:
- raise DerError, 'no TLV is available to read in non-optional/non-default object: %s' % repr(self)
-
- if not isinstance(io, _TlvIo):
- tmp = _TlvIo(io)
- tmp.read()
- io = tmp
-
- self.value = io.readValue()
- self.normclass = io.tagclass
- self.normform = io.tagform
- self.normnumber = io.tagnumber
-
-_addFragment('''
-<class>
- <header>
- <name>Boolean</name>
- <super>_GeneralObject</super>
- </header>
- <body>
- <para>
- This object represents the ASN1 BOOLEAN type. It can be set
- with any object which can be tested for truth.
- </para>
- </body>
-</class>
-''')
-
-class Boolean(_GeneralObject): # 0x01
-
- _addFragment('''
- <constructor>
- <header>
- <memberof>Boolean</memberof>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- </constructor>
- ''')
- def __init__(self, optional=0, default=''):
- _GeneralObject.__init__(self, CLASS_UNIVERSAL, FORM_PRIMITIVE, TAG_BOOLEAN, _encodeBoolean, _decodeBoolean, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>Integer</name>
- <super>_GeneralObject</super>
- </header>
- <body>
- <para>
- This object represents the ASN1 INTEGER type. It should be set
- with a Python integer.
- </para>
- </body>
-</class>
-''')
-
-class Integer(_GeneralObject): # 0x02
-
- _addFragment('''
- <constructor>
- <header>
- <memberof>Integer</memberof>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- </constructor>
- ''')
- def __init__(self, optional=0, default=''):
- _GeneralObject.__init__(self, CLASS_UNIVERSAL, FORM_PRIMITIVE, TAG_INTEGER, _encodeInteger, _decodeInteger, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>BitString</name>
- <super>_GeneralObject</super>
- </header>
- <body>
- <para>
- This object represents the ASN1 BIT STRING type. It should be set
- with a sequence of integers. A non-zero number will set the bit,
- zero will leave the bit unset.
- </para>
- </body>
-</class>
-''')
-
-class BitString(_GeneralObject): # 0x03
-
- _addFragment('''
- <constructor>
- <header>
- <memberof>BitString</memberof>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- </constructor>
- ''')
- def __init__(self, optional=0, default=''):
- _GeneralObject.__init__(self, CLASS_UNIVERSAL, FORM_PRIMITIVE, TAG_BITSTRING, _encodeBitString, _decodeBitString, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>AltBitString</name>
- <super>_GeneralObject</super>
- </header>
- <body>
- <para>
- This object represents the ASN1 BIT STRING type. It differs from
- the first <classname>BitString</classname> in that it's coding
- routines treat values as binary data and do not interpret the data
- in any way. Some application treat the
- <classname>BIT STRING</classname> in the same way as
- <classname>OCTET STRING</classname> type, hence this extra object.
- </para>
- </body>
-</class>
-''')
-
-class AltBitString(_GeneralObject): # 0x03
-
- _addFragment('''
- <constructor>
- <header>
- <memberof>AltBitString</memberof>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- </constructor>
- ''')
-
- def __init__(self, optional=0, default=''):
- _GeneralObject.__init__(self, CLASS_UNIVERSAL, FORM_PRIMITIVE, TAG_BITSTRING, lambda x : chr(0)+x, lambda x : x[1:], optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>OctetString</name>
- <super>_GeneralObject</super>
- </header>
- <body>
- <para>
- This object represents the ASN1 OCTET STRING type. This object
- can be set with any binary data.
- </para>
- </body>
-</class>
-''')
-class OctetString(_GeneralObject): # 0x04
-
- _addFragment('''
- <constructor>
- <header>
- <memberof>OctetString</memberof>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- </constructor>
- ''')
-
- def __init__(self, optional=0, default=''):
- _GeneralObject.__init__(self, CLASS_UNIVERSAL, FORM_PRIMITIVE, TAG_OCTETSTRING, lambda x : x, lambda x : x, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>Null</name>
- <super>_GeneralObject</super>
- </header>
- <body>
- <para>
- This object represents the ASN1 NULL type. There is no point in
- setting this object, the value will always be ignored when it is
- written out.
- </para>
- </body>
-</class>
-''')
-class Null(_GeneralObject): # 0x05
-
- _addFragment('''
- <constructor>
- <header>
- <memberof>Null</memberof>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- </constructor>
- ''')
-
- def __init__(self, optional=0, default=''):
- _GeneralObject.__init__(self, CLASS_UNIVERSAL, FORM_PRIMITIVE, TAG_NULL, lambda x : '', lambda x : '', optional, default)
- self.value = ''
-
- def _ioSafe(self):
- return 1
-
- def reset(self):
- self.value = ''
-
-_addFragment('''
-<class>
- <header>
- <name>Oid</name>
- <super>_GeneralObject</super>
- </header>
- <body>
- <para>
- This object represents the ASN1 OID type. This object should be
- set with a list or tuple of integers defining an objects oid.
- Please note that the first three arcs have a restricted set of
- values, so encoding (5, 3, 7, 1) will produce bad results.
- </para>
- </body>
-</class>
-''')
-class Oid(_GeneralObject): # 0x06
-
- _addFragment('''
- <constructor>
- <header>
- <memberof>Oid</memberof>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- </constructor>
- ''')
-
- def __init__(self, optional=0, default=''):
- _GeneralObject.__init__(self, CLASS_UNIVERSAL, FORM_PRIMITIVE, TAG_OID, _encodeOid, _decodeOid, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>Enum</name>
- <super>_GeneralObject</super>
- </header>
- <body>
- <para>
- This object represents the ASN1 ENUM type. This should be set
- using a Python integer, the meaning should be described in the
- ASN1 document for the object you are encoding.
- </para>
- </body>
-</class>
-''')
-class Enum(_GeneralObject): # 0x0A
-
- _addFragment('''
- <constructor>
- <header>
- <memberof>Enum</memberof>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- </constructor>
- ''')
-
- def __init__(self, optional=0, default=''):
- _GeneralObject.__init__(self, CLASS_UNIVERSAL, FORM_PRIMITIVE, TAG_ENUMERATED, _encodeInteger, _decodeInteger, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>Utf8String</name>
- <super>_GeneralObject</super>
- </header>
- <body>
- <para>
- This object represents the ASN1 UTF8String type. This object
- should be set with a string. It is up to the application to ensure
- it only contains valid characters for this type.
- </para>
- </body>
-</class>
-''')
-class Utf8String(_GeneralObject): # 0x0C
-
- _addFragment('''
- <constructor>
- <header>
- <memberof>Utf8String</memberof>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- </constructor>
- ''')
-
- def __init__(self, optional=0, default=''):
- _GeneralObject.__init__(self, CLASS_UNIVERSAL, FORM_PRIMITIVE, TAG_UTF8STRING, lambda x : x, lambda x : x, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>NumericString</name>
- <super>_GeneralObject</super>
- </header>
- <body>
- <para>
- This object represents the ASN1 NumericString type. This should
- object should be set with a string. It is up to the application to ensure
- it only contains valid characters for this type.
- </para>
- </body>
-</class>
-''')
-class NumericString(_GeneralObject): # 0x12
-
- _addFragment('''
- <constructor>
- <header>
- <memberof>NumericString</memberof>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- </constructor>
- ''')
-
- def __init__(self, optional=0, default=''):
- _GeneralObject.__init__(self, CLASS_UNIVERSAL, FORM_PRIMITIVE, TAG_NUMERICSTRING, lambda x : x, lambda x : x, optional, default)
-_addFragment('''
-<class>
- <header>
- <name>PrintableString</name>
- <super>_GeneralObject</super>
- </header>
- <body>
- <para>
- This object represents the ASN1 PrintableString type. This should
- object should be set with a string. It is up to the application to ensure
- it only contains valid characters for this type.
- </para>
- </body>
-</class>
-''')
-class PrintableString(_GeneralObject): # 0x13
-
- _addFragment('''
- <constructor>
- <header>
- <memberof>PrintableString</memberof>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- </constructor>
- ''')
-
- def __init__(self, optional=0, default=''):
- _GeneralObject.__init__(self, CLASS_UNIVERSAL, FORM_PRIMITIVE, TAG_PRINTABLESTRING, lambda x : x, lambda x : x, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>T61String</name>
- <super>_GeneralObject</super>
- </header>
- <body>
- <para>
- This object represents the ASN1 T61String type. This object
- should be set with a string. It is up to the application to ensure
- it only contains valid characters for this type.
- </para>
- </body>
-</class>
-''')
-class T61String(_GeneralObject): # 0x14
-
- _addFragment('''
- <constructor>
- <header>
- <memberof>T61String</memberof>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- </constructor>
- ''')
-
- def __init__(self, optional=0, default=''):
- _GeneralObject.__init__(self, CLASS_UNIVERSAL, FORM_PRIMITIVE, TAG_T61STRING, lambda x : x, lambda x : x, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>VideotexString</name>
- <super>_GeneralObject</super>
- </header>
- <body>
- <para>
- This object represents the ASN1 VideotexString type. This should
- object should be set with a string. It is up to the application to ensure
- it only contains valid characters for this type.
- </para>
- </body>
-</class>
-''')
-class VideotexString(_GeneralObject): # 0x15
-
- _addFragment('''
- <constructor>
- <header>
- <memberof>VideotexString</memberof>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- </constructor>
- ''')
-
- def __init__(self, optional=0, default=''):
- _GeneralObject.__init__(self, CLASS_UNIVERSAL, FORM_PRIMITIVE, TAG_VIDEOTEXSTRING, lambda x : x, lambda x : x, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>IA5String</name>
- <super>_GeneralObject</super>
- </header>
- <body>
- <para>
- This object represents the ASN1 IA5String type. This object
- should be set with a string. It is up to the application to ensure
- it only contains valid characters for this type.
- </para>
- </body>
-</class>
-''')
-class IA5String(_GeneralObject): # 0x16
-
- _addFragment('''
- <constructor>
- <header>
- <memberof>IA5String</memberof>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- </constructor>
- ''')
-
- def __init__(self, optional=0, default=''):
- _GeneralObject.__init__(self, CLASS_UNIVERSAL, FORM_PRIMITIVE, TAG_IA5STRING, lambda x : x, lambda x : x, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>UtcTime</name>
- <super>_GeneralObject</super>
- </header>
- <body>
- <para>
- This object represents the ASN1 UTCTime type. This object should
- be set with a string of the general format YYMMDDhhmmssZ. The
- helper functions <function>time2utc</function> and
- <function>utc2time</function> can be used to handle the conversion
- from an integer to a string and back.
- </para>
- </body>
-</class>
-''')
-class UtcTime(_GeneralObject): # 0x17
-
- _addFragment('''
- <constructor>
- <header>
- <memberof>UtcTime</memberof>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- </constructor>
- ''')
-
- def __init__(self, optional=0, default=''):
- _GeneralObject.__init__(self, CLASS_UNIVERSAL, FORM_PRIMITIVE, TAG_UTCTIME, lambda x : x, lambda x : x, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>GeneralizedTime</name>
- <super>_GeneralObject</super>
- </header>
- <body>
- <para>
- This object represents the ASN1 GeneralizedTime type. This object should
- be set with a string of the general format YYYYMMDDhhmmssZ. The
- helper functions <function>time2utc</function> and
- <function>utc2time</function> can be used to handle the conversion
- from an integer to a string and back.
- </para>
- </body>
-</class>
-''')
-class GeneralizedTime(_GeneralObject): # 0x18
-
- _addFragment('''
- <constructor>
- <header>
- <memberof>GeneralizedTime</memberof>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- </constructor>
- ''')
-
-
- def __init__(self, optional=0, default=''):
- _GeneralObject.__init__(self, CLASS_UNIVERSAL, FORM_PRIMITIVE, TAG_GENERALIZEDTIME, lambda x : x, lambda x : x, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>GraphicString</name>
- <super>_GeneralObject</super>
- </header>
- <body>
- <para>
- This object represents the ASN1 GraphicString type. This should
- object should be set with a string. It is up to the application to
- ensure it only contains valid characters for this type.
- </para>
- </body>
-</class>
-''')
-class GraphicString(_GeneralObject): # 0x19
-
- _addFragment('''
- <constructor>
- <header>
- <memberof>GraphicString</memberof>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- </constructor>
- ''')
-
- def __init__(self, optional=0, default=''):
- _GeneralObject.__init__(self, CLASS_UNIVERSAL, FORM_PRIMITIVE, TAG_GRAPHICSTRING, lambda x : x, lambda x : x, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>VisibleString</name>
- <super>_GeneralObject</super>
- </header>
- <body>
- <para>
- This object represents the ASN1 VisibleString type. This should
- object should be set with a string. It is up to the application to
- ensure it only contains valid characters for this type.
- </para>
- </body>
-</class>
-''')
-class VisibleString(_GeneralObject): # 0xC0
-
- _addFragment('''
- <constructor>
- <header>
- <memberof>VisibleString</memberof>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- </constructor>
- ''')
-
- def __init__(self, optional=0, default=''):
- _GeneralObject.__init__(self, CLASS_UNIVERSAL, FORM_PRIMITIVE, TAG_VISIBLESTRING, lambda x : x, lambda x : x, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>GeneralString</name>
- <super>_GeneralObject</super>
- </header>
- <body>
- <para>
- This object represents the ASN1 GeneralString type. This should
- object should be set with a string. It is up to the application to
- ensure it only contains valid characters for this type.
- </para>
- </body>
-</class>
-''')
-class GeneralString(_GeneralObject): # 0xC0
-
- _addFragment('''
- <constructor>
- <header>
- <memberof>GeneralString</memberof>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- </constructor>
- ''')
-
- def __init__(self, optional=0, default=''):
- _GeneralObject.__init__(self, CLASS_UNIVERSAL, FORM_PRIMITIVE, TAG_GENERALSTRING, lambda x : x, lambda x : x, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>UniversalString</name>
- <super>_GeneralObject</super>
- </header>
- <body>
- <para>
- This object represents the ASN1 UniversalString type. This should
- object should be set with a string. It is up to the application to
- ensure it only contains valid characters for this type.
- </para>
- </body>
-</class>
-''')
-class UniversalString(_GeneralObject): # 0xC0
-
- _addFragment('''
- <constructor>
- <header>
- <memberof>UniversalString</memberof>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- </constructor>
- ''')
-
- def __init__(self, optional=0, default=''):
- _GeneralObject.__init__(self, CLASS_UNIVERSAL, FORM_PRIMITIVE, TAG_UNIVERSALSTRING, lambda x : x, lambda x : x, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>BmpString</name>
- <super>_GeneralObject</super>
- </header>
- <body>
- <para>
- This object represents the ASN1 BMPString type. This object
- should be set with a string. It is up to the application to ensure
- it only contains valid characters for this type.
- </para>
- </body>
-</class>
-''')
-class BmpString(_GeneralObject): # 0xC0
-
- _addFragment('''
- <constructor>
- <header>
- <memberof>BmpString</memberof>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- </constructor>
- ''')
-
- def __init__(self, optional=0, default=''):
- _GeneralObject.__init__(self, CLASS_UNIVERSAL, FORM_PRIMITIVE, TAG_BMPSTRING, lambda x : x, lambda x : x, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>Sequence</name>
- <super>_GeneralObject</super>
- </header>
- <body>
- <para>
- This object represents the ASN1 SEQUENCE type.
- </para>
- </body>
-</class>
-''')
-class Sequence(_GeneralObject): # 0x10
-
- _addFragment('''
- <constructor>
- <header>
- <memberof>Sequence</memberof>
- <super>_GeneralObject</super>
- <parameter>contents</parameter>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- <body>
- <para>
- The <parameter>contents</parameter> should be a list or tuple containing
- the contents of the sequence.
- Two important members are initialised this this constructor.
- First <constant>self.next</constant> this is used to keep track
- of which TLVs in this sequence has been read succesfully. The second,
- <constant>self.contents</constant> should be set to the list of
- objects stored in this sequence. Note that the order they are
- specified in is the order in which they are written or read.
- </para>
- </body>
- </constructor>
- ''')
-
- def __init__(self, contents, optional=0, default=''):
- self.contents = contents
- self.next = 0
- _GeneralObject.__init__(self, CLASS_UNIVERSAL, FORM_CONSTRUCTED, TAG_SEQUENCE, _encodeSequence, _decodeSequence, optional, default)
-
- def _childRead(self, obj):
- if self.next < len(self.value):
- if obj.read( self.value[self.next] ):
- self.next += 1
- else:
- obj.read()
-
- _addFragment('''
- <method>
- <header>
- <memberof>Sequence</memberof>
- <name>readContents</name>
- <parameter>io</parameter>
- <parameter>contents</parameter>
- </header>
- <body>
- <para>
- This function implements basic SEQUENCE like reading behaviour.
- It will attempt to read each of the objects in
- <parameter>contents</parameter> in turn from
- <parameter>io</parameter>. It exists as a function, separate
- from <function>read</function> for the benefit of the SEQUENCE
- OF implementation.
- </para>
- <para>
- The TLV of this SEQUENCE is read and parsed into a list of
- TLVs, which are store in <constant>self.value</constant>, by
- <classname>_GeneralObject</classname>.<function>read</function>.
- Then <function>read</function> is called on each member to
- process each TLV in turn. The next TLV is moved onto only when
- a member returns TRUE from the read call.
- </para>
- </body>
- </method>
- ''')
-
- def readContents(self, io, contents):
- if _GeneralObject.read( self, io ):
- for item in contents:
- Sequence._childRead( self, item )
- return 1
- else:
- return 0
-
- _addFragment('''
- <method>
- <header>
- <memberof>Sequence</memberof>
- <name>read</name>
- <parameter>io</parameter>
- </header>
- <body>
- <para>
- Most of the logic for reading is implemented in <function>readContents</function>
- so it can be reused for <classname>SequenceOf</classname>'s
- <function>read</function> function.
- </para>
- </body>
- </method>
- ''')
-
- def read(self, io=None):
- self.next = 0
- return self.readContents(io, self.contents)
-
- _addFragment('''
- <method>
- <header>
- <memberof>Sequence</memberof>
- <name>write</name>
- <parameter>file</parameter>
- </header>
- <body>
- <para>
- <constant>self.value</constant> is set to the contents of this
- SEQUENCE and then written by calling
- <classname>_GeneralObject</classname>.<function>write</function>
- whos encoder will call <function>write</function> of
- each element in the list of contents in turn.
- </para>
- </body>
- </method>
- ''')
-
- def write(self, file):
- if self._ioSafe():
- if self._isSet():
- _GeneralObject.set( self, self.contents )
- _GeneralObject.write( self, file )
- elif self.optional:
- pass
- else:
- prob = self.findUnset()
- raise DerError, '%s is not in a state which can be written, %s is unset' % (repr(self), repr(prob) )
-
- _addFragment('''
- <method>
- <header>
- <memberof>Sequence</memberof>
- <name>set</name>
- <parameter>values</parameter>
- </header>
- <body>
- <para>
- Accessing and setting values for ASN1 objects is a bit of a
- thorny issue. The problem stems from the arbitrary complexity
- of the data and the possible levels of nesting, which in
- practice are used and are quite massive. Designing a good general
- approach is a bit tricky, perhaps nearly
- impossible. I choose to use a most compact
- form which is excellent for simple objects and is very concise.
- </para>
- <para>
- <parameter>value</parameter> should be a list or tuple of
- values. Each element of the list (or tuple) will be used in
- turn to set a member. Defaults can be specified by using the
- default value itself or <constant>None</constant>. Hence, for
- SEQUENCES of SEQUENCES, SEQUENCES OF, SET and so on
- <parameter>values</parameter> should consist of nested lists or
- tuples. Look at the ASN1 specs for that object to figure out
- exactly what these should look like.
- </para>
- </body>
- </method>
- ''')
-
- def set(self, values):
- if self.contents is None:
- raise DerError, 'the contents attribute should be set before using this object'
- if not( isinstance(values, types.ListType) or isinstance(values, types.TupleType) ):
- raise DerError, 'a sequence should be set with a list or tuple of values'
- if len(values) != len(self.contents):
- raise DerError, 'wrong number of values have been supplied to set %s. Expecting %i, got %i' % \
- (self.__class__.__name__, len(self.contents), len(values) )
-
- i = 0
- for val in values:
- self.contents[i].set(val)
- i = i + 1
-
- _addFragment('''
- <method>
- <header>
- <memberof>Sequence</memberof>
- <name>get</name>
- </header>
- <body>
- <para>
- A tuple of the values of the contents of this sequence will be
- returned. Hence, for SEQUENCES of SEQUENCES, SEQUENCES OF, SET
- and so on nested tuples will be returned.
- <function>get</function> always returns tuples even if a list
- was used to set and object.
- </para>
- </body>
- </method>
- ''')
-
- def get(self):
- if self.contents is None:
- return _GeneralObject.get(self)
- else:
- results = []
- for obj in self.contents:
- results.append( obj.get() )
- return tuple(results)
-
- def reset(self):
- if self.contents is None:
- raise DerError, 'this object has no members to set'
- self.next = 0
- for obj in self.contents:
- obj.reset() # clear all child objects prior to possible setting
- # via default
- _GeneralObject.reset(self)
-
- def _isSet(self):
- if self.contents is None:
- raise DerError, 'this object has no members to set'
- for obj in self.contents:
- if not obj._ioSafe():
- return 0
- return 1
-
- def findUnset(self):
- if self.contents is None:
- raise DerError, 'this object has no members to check'
- for obj in self.contents:
- if not obj._ioSafe():
- return obj
-
- def _ioSafe(self):
- if self.optional or self._isSet():
- return 1
- else:
- for obj in self.contents:
- if not obj._ioSafe():
- return 0
- return 1
-
-_addFragment('''
-<class>
- <header>
- <name>SequenceOf</name>
- <super>Sequence</super>
- </header>
- <body>
- <para>
- This object represents the ASN1 SEQUENCE OF construct.
- </para>
- </body>
-</class>
-''')
-class SequenceOf(Sequence):
-
- _addFragment('''
- <constructor>
- <header>
- <memberof>SequenceOf</memberof>
- <super>Sequence</super>
- <parameter>contains</parameter>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- <body>
- <para>
- The <parameter>contains</parameter> should be the constructor
- for the objects which this SEQUENCE OF contains.
- </para>
- </body>
- </constructor>
- ''')
-
- def __init__(self, contains, optional=0, default=''):
- self.contains = contains
- self.sequenceOf = []
- Sequence.__init__(self, [], optional, default)
-
- def _ioSafe(self):
- return 1
-
- def reset(self):
- if self.contents is None:
- raise DerError, 'this object has no members to set'
- self.next = 0
- self.sequenceOf = []
- _GeneralObject.reset(self)
-
- def _isSet(self):
- if self.sequenceOf:
- for obj in self.contents:
- if not obj._ioSafe():
- return 0
- return 1
- else:
- return 0
-
- def set(self, values):
- if isinstance(values, types.NoneType):
- return
- objects = []
- for val in values:
- obj = self.contains()
- obj.set(val)
- objects.append(obj)
- self.sequenceOf = objects
-
- def get(self):
- results = []
- for obj in self.sequenceOf:
- results.append( obj.get() )
- return tuple(results)
-
- def read(self, io=None):
- self.sequenceOf = []
- self.next = 0
- if _GeneralObject.read( self, io ):
- for tagio in _GeneralObject.get(self):
- value = self.contains()
- value.read(tagio)
- self.sequenceOf.append(value)
- return 1
- else:
- return 0
-
- def write(self, file):
- if not self._isSet() and self.optional:
- pass
- else:
- _GeneralObject.set( self, self.sequenceOf )
- _GeneralObject.write( self, file )
-
- def __len__(self):
- return len(self.sequenceOf)
-
- def __getitem__(self, key):
- return self.sequenceOf[key]
-
- def __iter__(self):
- for i in self.sequenceOf:
- yield(i)
-
- def __contains__(self, item):
- return item in self.sequenceOf
-
-_addFragment('''
-<class>
- <header>
- <name>Set</name>
- <super>Sequence</super>
- </header>
- <body>
- <para>
- This object represents the ASN1 Set type.
- </para>
- </body>
-</class>
-''')
-class Set(Sequence): # 0x11
-
- _addFragment('''
- <constructor>
- <header>
- <memberof>Set</memberof>
- <super>Sequence</super>
- <parameter>contents</parameter>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- <body>
- <para>
- The <parameter>contents</parameter> should be a list containing
- the contents of the sequence.
- </para>
- </body>
- </constructor>
- ''')
-
- def __init__(self, contents, optional=0, default=''):
- Sequence.__init__(self, contents, optional, default)
- self.normnumber = TAG_SET
-
-_addFragment('''
-<class>
- <header>
- <name>SetOf</name>
- <super>SequenceOf</super>
- </header>
- <body>
- <para>
- This object represents the ASN1 SET OF construct.
- </para>
- </body>
-</class>
-''')
-class SetOf(SequenceOf):
-
- _addFragment('''
- <constructor>
- <header>
- <memberof>SetOf</memberof>
- <super>SequenceOf</super>
- <parameter>contains</parameter>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- <body>
- <para>
- The <parameter>contains</parameter> should be the constructor
- for the objects which this SET OF contains.
- </para>
- </body>
- </constructor>
- ''')
-
- def __init__(self, contains, optional=0, default=''):
- SequenceOf.__init__(self, contains, optional, default)
- self.normnumber = TAG_SET
-
-_addFragment('''
-<class>
- <header>
- <name>Explicit</name>
- <super>Sequence</super>
- </header>
- <body>
- <para>
- Explicit objects support the DER concept of explicit tagging. In
- general they behave just like a SEQUENCE which must have only one
- element. See below for other differences.
- </para>
- </body>
-</class>
-''')
-class Explicit(Sequence):
-
- _addFragment('''
- <constructor>
- <header>
- <memberof>Explicit</memberof>
- <super>Sequence</super>
- <parameter>expclass</parameter>
- <parameter>expform</parameter>
- <parameter>expnumber</parameter>
- <parameter>contents</parameter>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- <body>
- <para>
- <parameter>expclass</parameter>,
- <parameter>expform</parameter>,
- <parameter>expnumber</parameter> should be as
- specified in the ASN1 documentation for this object.
- <parameter>contents</parameter> should be an object instance
- such as <classname>Integer</classname>,
- <classname>Oid</classname> or a derived object which supports
- the <classname>_GeneralObjec</classname> interface.
- </para>
- </body>
- </constructor>
- ''')
-
- def __init__(self, expclass, expform, expnumber, contents, optional=0, default=''):
- self.contents = [contents]
- self.next = 0
- _GeneralObject.__init__(self, expclass, expform, expnumber, _encodeSequence, _decodeSequence, optional, default)
-
- _addFragment('''
- <method>
- <header>
- <memberof>Explicit</memberof>
- <name>set</name>
- <parameter>value</parameter>
- </header>
- <body>
- <para>
- <parameter>value</parameter> is passed direct to
- <function>set</function> of the explicit object, so it should
- not be placed in a list or tuple(unless you are setting a constructed
- object).
- </para>
- </body>
- </method>
- ''')
- def set(self, value):
- return Sequence.set(self, [value])
-
- _addFragment('''
- <method>
- <header>
- <memberof>Explicit</memberof>
- <name>get</name>
- </header>
- <body>
- <para>
- The value of explicit object is returned and not
- put in a tuple.
- </para>
- </body>
- </method>
- ''')
- def get(self):
- return Sequence.get(self)[0]
-
-_addFragment('''
-<class>
- <header>
- <name>Choice</name>
- </header>
- <body>
- <para>
- This object represents the ASN1 Choice type.
- </para>
- </body>
-</class>
-''')
-class Choice(object):
-
- _addFragment('''
- <constructor>
- <header>
- <memberof>Choice</memberof>
- <parameter>choices</parameter>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- <body>
- <para>
- <parameter>choices</parameter> should be a dictionary of
- objects which support the <classname>_GeneralObject</classname>
- interface. The key being the name of the choice specified in the
- ASN1 documentation. <parameter>optional</parameter> is a boolean
- indicating if this object is optional. The final parameter,
- <parameter>default</parameter> is the base 64 encoded DER
- value, which should be used as the default in leu of a value to
- read or incase it is unset. If neither
- <parameter>optional</parameter> or
- <parameter>default</parameter> is not set then the first choice
- which is optional or has a default will be honored.
- </para>
- </body>
- </constructor>
- ''')
-
- def __init__(self, choices, optional=0, default=''):
- self.value = None
- self.choices = choices
- self.optional = optional
- self.default = default
- self.choice = None
- self.reset()
-
- def _ioSafe(self):
- if self.optional or self._isSet():
- return 1
- elif self.choice and self.choices[ self.choice ]._ioSafe():
- return 1
- else:
- return 0
-
- def _isSet(self):
- if self.choice and self.choices[self.choice]._isSet():
- return 1
- else:
- return 0
-
- _addFragment('''
- <method>
- <header>
- <memberof>Choice</memberof>
- <name>reset</name>
- </header>
- <body>
- <para>
- This function re-initialises the object, clearing the value or
- setting it to any default.
- </para>
- </body>
- </method>
- ''')
- def reset(self):
- self.value = None
- self.choice = None
- if self.default:
- buf = cStringIO.StringIO( base64.decodestring( self.default ) )
- io = _TlvIo(buf)
- io.read()
- self.read(io)
- else:
- for key in self.choices.keys():
- self.choices[key].reset()
- if self.choices[key]._ioSafe():
- self.choice = key
- break;
-
-
- _addFragment('''
- <method>
- <header>
- <memberof>Choice</memberof>
- <name>set</name>
- <parameter>value</parameter>
- </header>
- <body>
- <para>
- <parameter>value</parameter> should be a list or tuple with two
- elements. The first value should be the name of the choice to
- be set and the second the value to set it with.
- </para>
- </body>
- </method>
- ''')
- def set(self, val):
- if val is None:
- return
- if not (isinstance(val, types.ListType) or isinstance(val, types.TupleType)):
- raise DerError, 'argument should be a list or tuple'
- if not self.choices.has_key( val[0] ):
- raise DerError, 'unknown choice: %s' % val[0]
- self.choices[ val[0] ].set(val[1])
- self.choice = val[0]
-
- _addFragment('''
- <method>
- <header>
- <memberof>Choice</memberof>
- <name>get</name>
- </header>
- <body>
- <para>
- This function will return tuple with two elements. The first
- value will be the name of the choice which was set and the second
- the value it was set to.
- </para>
- </body>
- </method>
- ''')
-
- def get(self):
- if self._isSet():
- return (self.choice, self.choices[ self.choice ].get())
- else:
- return None
-
- _addFragment('''
- <method>
- <header>
- <memberof>Choice</memberof>
- <name>toString</name>
- </header>
- <body>
- <para>
- Encodes the value in DER and returns it as a string.
- </para>
- </body>
- </method>
- ''')
-
- def toString(self):
- buf = cStringIO.StringIO()
- self.write(buf)
- return buf.getvalue()
-
- _addFragment('''
- <method>
- <header>
- <memberof>Choice</memberof>
- <name>fromString</name>
- </header>
- <body>
- <para>
- Decodes the string and sets the value of this object.
- </para>
- </body>
- </method>
- ''')
-
- def fromString(self, value):
- buf = cStringIO.StringIO(value)
- self.read(buf)
-
- _addFragment('''
- <method>
- <header>
- <memberof>Choice</memberof>
- <name>read</name>
- <parameter>io</parameter>
- </header>
- <body>
- <para>
- <parameter>io</parameter> should be a file like object. If the
- object being read matches the expected class, form and tag the
- value is read and decoded using
- <function>decRoutine</function>. Else, if it has a default
- that is read and stored.
- </para>
- <para>
- The return value of this function does not indicate success but
- whether this TLV was processed successfully. This bahaviour is
- vital for processing constructed types since the object may be
- optional or have a default. Failure to decode would be indicated
- by an exception.
- </para>
- </body>
- </method>
- ''')
-
- def _readChoices(self, io):
- for key in self.choices.keys():
- try:
- readindicator = self.choices[key].read(io)
- self.choice = key
- break;
- except DerError:
- if DEBUG:
- traceback.print_exc()
- return readindicator
-
- def read(self, io=None):
-
- self.choice = None
- processDefOpt = 0
- readindicator = 0
-
- if io is None:
- processDefOpt = 1
- elif isinstance(io, _TlvIo):
- if not io:
- processDefOpt = 1
- else:
- pos = io.tell()
- io.seek(0,2)
- if io.tell():
- io.seek(pos)
- else:
- processDefOpt = 1
-
- if processDefOpt:
- if self.optional or self.default:
- self.reset()
- return 0
- else:
- readindicator = self._readChoices(io)
- for key in self.choices.keys():
- try:
- readindicator = self.choices[key].read(io)
- self.choice = key
- break;
- except DerError:
- if DEBUG:
- traceback.print_exc()
- if not self._isSet():
- raise DerError, 'no TLV is available to read in non-optional/non-default object: %s' % repr(self)
- else:
- return readindicator
-
- if not isinstance(io, _TlvIo):
- tmp = _TlvIo(io)
- tmp.read()
- io = tmp
-
- for key in self.choices.keys():
- try:
- if self.choices[key].read(io):
- self.choice = key
- readindicator = 1
- break;
- except DerError:
- if DEBUG:
- traceback.print_exc()
-
- if not self._isSet():
- self.reset()
- else:
- return readindicator
-
- _addFragment('''
- <method>
- <header>
- <memberof>Choice</memberof>
- <name>write</name>
- <parameter>file</parameter>
- </header>
- <body>
- <para>
- If this object has not been set and is not optional and dosn't
- have a default, a <classname>DerError</classname> exception will be raised
- </para>
- <para>
- If no value has been set and this object is optional, nothing
- is written. If this object's value is equal to the default,
- nothing is written as stipulated by DER. Otherwise the value
- is encoded and written.
- </para>
- </body>
- </method>
- ''')
- def write(self,file):
- if self.optional and not self.choice:
- pass
- elif not self.choice:
- raise DerError, 'choice not set'
- elif self.choice:
- if self.default:
- defval = base64.decodestring( self.default )
- if defval != self.choices[ self.choice ].toString():
- self.choices[ self.choice ].write(file)
- else:
- self.choices[ self.choice ].write(file)
- else:
- raise DerError, 'an internal error has occured: %s' % repr(self)
-
-
diff --git a/rpkid/rpki/POW/_objects.py b/rpkid/rpki/POW/_objects.py
deleted file mode 100644
index dc3a9c2b..00000000
--- a/rpkid/rpki/POW/_objects.py
+++ /dev/null
@@ -1,6880 +0,0 @@
-data = {'?': {'comment': 'ASTM 31.20',
- 'description': '? (1 2 840 10065 2 2)',
- 'hexoid': '06 07 2A 86 48 CE 51 02 02',
- 'name': '?',
- 'oid': (1, 2, 840, 10065, 2, 2)},
- 'AmericanExpress': {'comment': 'SET brand',
- 'description': 'AmericanExpress (2 23 42 8 34)',
- 'hexoid': '06 04 67 2A 08 22',
- 'name': 'AmericanExpress',
- 'oid': (2, 23, 42, 8, 34)},
- 'Antares': {'comment': 'SET vendor',
- 'description': 'Antares (2 23 42 9 14)',
- 'hexoid': '06 04 67 2A 09 0E',
- 'name': 'Antares',
- 'oid': (2, 23, 42, 9, 14)},
- 'BankGate': {'comment': 'SET vendor',
- 'description': 'BankGate (2 23 42 9 7)',
- 'hexoid': '06 04 67 2A 09 07',
- 'name': 'BankGate',
- 'oid': (2, 23, 42, 9, 7)},
- 'BlueMoney': {'comment': 'SET vendor',
- 'description': 'BlueMoney (2 23 42 9 19)',
- 'hexoid': '06 04 67 2A 09 13',
- 'name': 'BlueMoney',
- 'oid': (2, 23, 42, 9, 19)},
- 'Certicom': {'comment': 'SET vendor',
- 'description': 'Certicom (2 23 42 9 11)',
- 'hexoid': '06 04 67 2A 09 0B',
- 'name': 'Certicom',
- 'oid': (2, 23, 42, 9, 11)},
- 'Certificates': {'comment': 'Certificates Australia CA',
- 'description': 'Certificates Australia policyIdentifier (1 2 36 75878867 1 100 1 1)',
- 'hexoid': '06 0A 2A 24 A4 97 A3 53 01 64 01 01',
- 'name': 'Certificates',
- 'oid': (1, 2, 36, 75878867, 1, 100, 1, 1)},
- 'CompuSource': {'comment': 'SET vendor',
- 'description': 'CompuSource (2 23 42 9 9)',
- 'hexoid': '06 04 67 2A 09 09',
- 'name': 'CompuSource',
- 'oid': (2, 23, 42, 9, 9)},
- 'CyberCash': {'comment': 'SET vendor',
- 'description': 'CyberCash (2 23 42 9 2)',
- 'hexoid': '06 04 67 2A 09 02',
- 'name': 'CyberCash',
- 'oid': (2, 23, 42, 9, 2)},
- 'Diners': {'comment': 'SET brand',
- 'description': 'Diners (2 23 42 8 30)',
- 'hexoid': '06 04 67 2A 08 1E',
- 'name': 'Diners',
- 'oid': (2, 23, 42, 8, 30)},
- 'ECC': {'comment': 'SET vendor',
- 'description': 'ECC (2 23 42 9 15)',
- 'hexoid': '06 04 67 2A 09 0F',
- 'name': 'ECC',
- 'oid': (2, 23, 42, 9, 15)},
- 'ElGamal': {'comment': 'Unsure about this OID',
- 'description': 'ElGamal (1 3 14 7 2 1 1)',
- 'hexoid': '06 06 2B 0E 07 02 01 01',
- 'name': 'ElGamal',
- 'oid': (1, 3, 14, 7, 2, 1, 1)},
- 'EntityLogo': {'comment': 'Netscape certificate extension',
- 'description': 'EntityLogo (2 16 840 1 113730 1 10)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 01 0A',
- 'name': 'EntityLogo',
- 'oid': (2, 16, 840, 1, 113730, 1, 10)},
- 'Entrust': {'comment': 'SET vendor',
- 'description': 'Entrust (2 23 42 9 23)',
- 'hexoid': '06 04 67 2A 09 17',
- 'name': 'Entrust',
- 'oid': (2, 23, 42, 9, 23)},
- 'FBCA-Basic': {'comment': 'Federal Bridge CA Policy',
- 'description': 'FBCA-Basic policyIdentifier (2 16 840 1 101 3 2 1 3 2)',
- 'hexoid': '06 0A 60 86 48 01 65 03 02 01 03 02',
- 'name': 'FBCA-Basic',
- 'oid': (2, 16, 840, 1, 101, 3, 2, 1, 3, 2)},
- 'FBCA-High': {'comment': 'Federal Bridge CA Policy',
- 'description': 'FBCA-High policyIdentifier (2 16 840 1 101 3 2 1 3 4)',
- 'hexoid': '06 0A 60 86 48 01 65 03 02 01 03 04',
- 'name': 'FBCA-High',
- 'oid': (2, 16, 840, 1, 101, 3, 2, 1, 3, 4)},
- 'FBCA-Medium': {'comment': 'Federal Bridge CA Policy',
- 'description': 'FBCA-Medium policyIdentifier (2 16 840 1 101 3 2 1 3 3)',
- 'hexoid': '06 0A 60 86 48 01 65 03 02 01 03 03',
- 'name': 'FBCA-Medium',
- 'oid': (2, 16, 840, 1, 101, 3, 2, 1, 3, 3)},
- 'FBCA-Rudimentary': {'comment': 'Federal Bridge CA Policy',
- 'description': 'FBCA-Rudimentary policyIdentifier (2 16 840 1 101 3 2 1 3 1)',
- 'hexoid': '06 0A 60 86 48 01 65 03 02 01 03 01',
- 'name': 'FBCA-Rudimentary',
- 'oid': (2, 16, 840, 1, 101, 3, 2, 1, 3, 1)},
- 'Fujitsu': {'comment': 'SET vendor',
- 'description': 'Fujitsu (2 23 42 9 21)',
- 'hexoid': '06 04 67 2A 09 15',
- 'name': 'Fujitsu',
- 'oid': (2, 23, 42, 9, 21)},
- 'GTE': {'comment': 'SET vendor',
- 'description': 'GTE (2 23 42 9 8)',
- 'hexoid': '06 04 67 2A 09 08',
- 'name': 'GTE',
- 'oid': (2, 23, 42, 9, 8)},
- 'Gemplus': {'comment': 'SET vendor',
- 'description': 'Gemplus (2 23 42 9 38)',
- 'hexoid': '06 04 67 2A 09 26',
- 'name': 'Gemplus',
- 'oid': (2, 23, 42, 9, 38)},
- 'GlobeSet': {'comment': 'SET vendor',
- 'description': 'GlobeSet (2 23 42 9 0)',
- 'hexoid': '06 04 67 2A 09 00',
- 'name': 'GlobeSet',
- 'oid': (2, 23, 42, 9, 0)},
- 'Griffin': {'comment': 'SET vendor',
- 'description': 'Griffin (2 23 42 9 10)',
- 'hexoid': '06 04 67 2A 09 0A',
- 'name': 'Griffin',
- 'oid': (2, 23, 42, 9, 10)},
- 'Hitachi': {'comment': 'SET vendor',
- 'description': 'Hitachi (2 23 42 9 32)',
- 'hexoid': '06 04 67 2A 09 20',
- 'name': 'Hitachi',
- 'oid': (2, 23, 42, 9, 32)},
- 'HomePage-url': {'comment': 'Netscape certificate extension',
- 'description': 'HomePage-url (2 16 840 1 113730 1 9)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 01 09',
- 'name': 'HomePage-url',
- 'oid': (2, 16, 840, 1, 113730, 1, 9)},
- 'IATA-ATA': {'comment': 'SET brand',
- 'description': 'IATA-ATA (2 23 42 8 1)',
- 'hexoid': '06 04 67 2A 08 01',
- 'name': 'IATA-ATA',
- 'oid': (2, 23, 42, 8, 1)},
- 'IBM': {'comment': 'SET vendor',
- 'description': 'IBM (2 23 42 9 1)',
- 'hexoid': '06 04 67 2A 09 01',
- 'name': 'IBM',
- 'oid': (2, 23, 42, 9, 1)},
- 'ICE-TEL': {'comment': 'ICE-TEL CA policy',
- 'description': 'ICE-TEL Italian policyIdentifier (1 3 6 1 4 1 2786 1 1 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 95 62 01 01 01',
- 'name': 'ICE-TEL',
- 'oid': (1, 3, 6, 1, 4, 1, 2786, 1, 1, 1)},
- 'III': {'comment': 'SET vendor',
- 'description': 'III (2 23 42 9 25)',
- 'hexoid': '06 04 67 2A 09 19',
- 'name': 'III',
- 'oid': (2, 23, 42, 9, 25)},
- 'IKEhmacWithMD5-RSA': {'comment': 'Novell signature algorithm',
- 'description': 'IKEhmacWithMD5-RSA (2 16 840 1 113719 1 2 8 52)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 34',
- 'name': 'IKEhmacWithMD5-RSA',
- 'oid': (2, 16, 840, 1, 113719, 1, 2, 8, 52)},
- 'IKEhmacWithSHA1-RSA': {'comment': 'Novell signature algorithm',
- 'description': 'IKEhmacWithSHA1-RSA (2 16 840 1 113719 1 2 8 51)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 33',
- 'name': 'IKEhmacWithSHA1-RSA',
- 'oid': (2, 16, 840, 1, 113719, 1, 2, 8, 51)},
- 'Identrus': {'comment': 'Identrus',
- 'description': 'Identrus unknown policyIdentifier (1 2 840 114021 1 6 1)',
- 'hexoid': '06 09 2A 86 48 86 FA 65 01 06 01',
- 'name': 'Identrus',
- 'oid': (1, 2, 840, 114021, 1, 6, 1)},
- 'Intertrader': {'comment': 'SET vendor',
- 'description': 'Intertrader (2 23 42 9 28)',
- 'hexoid': '06 04 67 2A 09 1C',
- 'name': 'Intertrader',
- 'oid': (2, 23, 42, 9, 28)},
- 'Japan': {'comment': 'SET national',
- 'description': 'Japan (2 23 42 10 392)',
- 'hexoid': '06 05 67 2A 0A 83 08',
- 'name': 'Japan',
- 'oid': (2, 23, 42, 10, 392)},
- 'LMDigest': {'comment': 'Novell digest algorithm',
- 'description': 'LMDigest (2 16 840 1 113719 1 2 8 32)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 20',
- 'name': 'LMDigest',
- 'oid': (2, 16, 840, 1, 113719, 1, 2, 8, 32)},
- 'Lacerte': {'comment': 'SET vendor',
- 'description': 'Lacerte (2 23 42 9 20)',
- 'hexoid': '06 04 67 2A 09 14',
- 'name': 'Lacerte',
- 'oid': (2, 23, 42, 9, 20)},
- 'Lexem': {'comment': 'SET vendor',
- 'description': 'Lexem (2 23 42 9 27)',
- 'hexoid': '06 04 67 2A 09 1B',
- 'name': 'Lexem',
- 'oid': (2, 23, 42, 9, 27)},
- 'MD2': {'comment': 'Novell digest algorithm',
- 'description': 'MD2 (2 16 840 1 113719 1 2 8 40)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 28',
- 'name': 'MD2',
- 'oid': (2, 16, 840, 1, 113719, 1, 2, 8, 40)},
- 'MD4': {'comment': 'Novell digest algorithm',
- 'description': 'MD4 (2 16 840 1 113719 1 2 8 95)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 5F',
- 'name': 'MD4',
- 'oid': (2, 16, 840, 1, 113719, 1, 2, 8, 95)},
- 'MD4Packet': {'comment': 'Novell keyed hash',
- 'description': 'MD4Packet (2 16 840 1 113719 1 2 8 130)',
- 'hexoid': '06 0C 60 86 48 01 86 F8 37 01 02 08 81 02',
- 'name': 'MD4Packet',
- 'oid': (2, 16, 840, 1, 113719, 1, 2, 8, 130)},
- 'MD5': {'comment': 'Novell digest algorithm',
- 'description': 'MD5 (2 16 840 1 113719 1 2 8 50)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 32',
- 'name': 'MD5',
- 'oid': (2, 16, 840, 1, 113719, 1, 2, 8, 50)},
- 'Maithean': {'comment': 'SET vendor',
- 'description': 'Maithean (2 23 42 9 16)',
- 'hexoid': '06 04 67 2A 09 10',
- 'name': 'Maithean',
- 'oid': (2, 23, 42, 9, 16)},
- 'MasterCard': {'comment': 'SET brand',
- 'description': 'MasterCard (2 23 42 8 5)',
- 'hexoid': '06 04 67 2A 08 05',
- 'name': 'MasterCard',
- 'oid': (2, 23, 42, 8, 5)},
- 'Microsoft': {'comment': 'SET vendor',
- 'description': 'Microsoft (2 23 42 9 33)',
- 'hexoid': '06 04 67 2A 09 21',
- 'name': 'Microsoft',
- 'oid': (2, 23, 42, 9, 33)},
- 'Mitsubishi': {'comment': 'SET vendor',
- 'description': 'Mitsubishi (2 23 42 9 35)',
- 'hexoid': '06 04 67 2A 09 23',
- 'name': 'Mitsubishi',
- 'oid': (2, 23, 42, 9, 35)},
- 'NABLE': {'comment': 'SET vendor',
- 'description': 'NABLE (2 23 42 9 30)',
- 'hexoid': '06 04 67 2A 09 1E',
- 'name': 'NABLE',
- 'oid': (2, 23, 42, 9, 30)},
- 'NCR': {'comment': 'SET vendor',
- 'description': 'NCR (2 23 42 9 36)',
- 'hexoid': '06 04 67 2A 09 24',
- 'name': 'NCR',
- 'oid': (2, 23, 42, 9, 36)},
- 'NEC': {'comment': 'SET vendor',
- 'description': 'NEC (2 23 42 9 34)',
- 'hexoid': '06 04 67 2A 09 22',
- 'name': 'NEC',
- 'oid': (2, 23, 42, 9, 34)},
- 'NWPassword': {'comment': 'Novell encryption algorithm',
- 'description': 'NWPassword (2 16 840 1 113719 1 2 8 132)',
- 'hexoid': '06 0C 60 86 48 01 86 F8 37 01 02 08 81 04',
- 'name': 'NWPassword',
- 'oid': (2, 16, 840, 1, 113719, 1, 2, 8, 132)},
- 'Netscape': {'comment': 'SET vendor',
- 'description': 'Netscape (2 23 42 9 17)',
- 'hexoid': '06 04 67 2A 09 11',
- 'name': 'Netscape',
- 'oid': (2, 23, 42, 9, 17)},
- 'Northrop': {'comment': 'Northrop Grumman extended key usage',
- 'description': 'Northrop Grumman extKeyUsage? (1 3 6 1 4 1 16334 509 1 1)',
- 'hexoid': '06 0B 2B 06 01 04 01 FF 4E 83 7D 01 01',
- 'name': 'Northrop',
- 'oid': (1, 3, 6, 1, 4, 1, 16334, 509, 1, 1)},
- 'Novus': {'comment': 'SET brand',
- 'description': 'Novus (2 23 42 8 6011)',
- 'hexoid': '06 05 67 2A 08 AE 7B',
- 'name': 'Novus',
- 'oid': (2, 23, 42, 8, 6011)},
- 'OSS': {'comment': 'SET vendor',
- 'description': 'OSS (2 23 42 9 12)',
- 'hexoid': '06 04 67 2A 09 0C',
- 'name': 'OSS',
- 'oid': (2, 23, 42, 9, 12)},
- 'OpenMarket': {'comment': 'SET vendor',
- 'description': 'OpenMarket (2 23 42 9 26)',
- 'hexoid': '06 04 67 2A 09 1A',
- 'name': 'OpenMarket',
- 'oid': (2, 23, 42, 9, 26)},
- 'PANData': {'comment': 'SET contentType',
- 'description': 'PANData (2 23 42 0 0)',
- 'hexoid': '06 04 67 2A 00 00',
- 'name': 'PANData',
- 'oid': (2, 23, 42, 0, 0)},
- 'PANOnly': {'comment': 'SET contentType',
- 'description': 'PANOnly (2 23 42 0 2)',
- 'hexoid': '06 04 67 2A 00 02',
- 'name': 'PANOnly',
- 'oid': (2, 23, 42, 0, 2)},
- 'PANToken': {'comment': 'SET contentType',
- 'description': 'PANToken (2 23 42 0 1)',
- 'hexoid': '06 04 67 2A 00 01',
- 'name': 'PANToken',
- 'oid': (2, 23, 42, 0, 1)},
- 'Persimmon': {'comment': 'SET vendor',
- 'description': 'Persimmon (2 23 42 9 29)',
- 'hexoid': '06 04 67 2A 09 1D',
- 'name': 'Persimmon',
- 'oid': (2, 23, 42, 9, 29)},
- 'RSADSI': {'comment': 'SET vendor',
- 'description': 'RSADSI (2 23 42 9 4)',
- 'hexoid': '06 04 67 2A 09 04',
- 'name': 'RSADSI',
- 'oid': (2, 23, 42, 9, 4)},
- 'SEIS': {'comment': 'SEIS Project attribute',
- 'description': 'SEIS at-personalIdentifier (1 2 752 34 3 1)',
- 'hexoid': '06 06 2A 85 70 22 03 01',
- 'name': 'SEIS',
- 'oid': (1, 2, 752, 34, 3, 1)},
- 'SHA-1': {'comment': 'Novell digest algorithm',
- 'description': 'SHA-1 (2 16 840 1 113719 1 2 8 82)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 52',
- 'name': 'SHA-1',
- 'oid': (2, 16, 840, 1, 113719, 1, 2, 8, 82)},
- 'Signet': {'comment': 'Signet CA',
- 'description': 'Signet policyIdentifier (1 2 36 68980861 1 1 20)',
- 'hexoid': '06 09 2A 24 A0 F2 A0 7D 01 01 14',
- 'name': 'Signet',
- 'oid': (1, 2, 36, 68980861, 1, 1, 20)},
- 'Telesec': {'comment': 'Telesec cert/CRL extension',
- 'description': 'Telesec policyIdentifier (0 2 262 1 10 12 2)',
- 'hexoid': '06 07 02 82 06 01 0A 0C 02',
- 'name': 'Telesec',
- 'oid': (0, 2, 262, 1, 10, 12, 2)},
- 'Teletrust': {'comment': 'Teletrust policy',
- 'description': 'Teletrust SigGConform policyIdentifier (1 3 36 8 1 1)',
- 'hexoid': '06 05 2B 24 08 01 01',
- 'name': 'Teletrust',
- 'oid': (1, 3, 36, 8, 1, 1)},
- 'TenthMountain': {'comment': 'SET vendor',
- 'description': 'TenthMountain (2 23 42 9 13)',
- 'hexoid': '06 04 67 2A 09 0D',
- 'name': 'TenthMountain',
- 'oid': (2, 23, 42, 9, 13)},
- 'Terisa': {'comment': 'SET vendor',
- 'description': 'Terisa (2 23 42 9 3)',
- 'hexoid': '06 04 67 2A 09 03',
- 'name': 'Terisa',
- 'oid': (2, 23, 42, 9, 3)},
- 'TrinTech': {'comment': 'SET vendor',
- 'description': 'TrinTech (2 23 42 9 6)',
- 'hexoid': '06 04 67 2A 09 06',
- 'name': 'TrinTech',
- 'oid': (2, 23, 42, 9, 6)},
- 'UNINETT': {'comment': 'UNINETT PCA',
- 'description': 'UNINETT policyIdentifier (1 3 6 1 4 1 2428 10 1 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 92 7C 0A 01 01',
- 'name': 'UNINETT',
- 'oid': (1, 3, 6, 1, 4, 1, 2428, 10, 1, 1)},
- 'Unknown': {'comment': 'Verisign extension',
- 'description': 'Unknown Verisign VPN extension (2 16 840 1 113733 1 6 13)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 45 01 06 0D',
- 'name': 'Unknown',
- 'oid': (2, 16, 840, 1, 113733, 1, 6, 13)},
- 'UserPicture': {'comment': 'Netscape certificate extension',
- 'description': 'UserPicture (2 16 840 1 113730 1 11)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 01 0B',
- 'name': 'UserPicture',
- 'oid': (2, 16, 840, 1, 113730, 1, 11)},
- 'VIAnet': {'comment': 'SET vendor',
- 'description': 'VIAnet (2 23 42 9 24)',
- 'hexoid': '06 04 67 2A 09 18',
- 'name': 'VIAnet',
- 'oid': (2, 23, 42, 9, 24)},
- 'VISA': {'comment': 'SET brand',
- 'description': 'VISA (2 23 42 8 4)',
- 'hexoid': '06 04 67 2A 08 04',
- 'name': 'VISA',
- 'oid': (2, 23, 42, 8, 4)},
- 'VeriFone': {'comment': 'SET vendor',
- 'description': 'VeriFone (2 23 42 9 5)',
- 'hexoid': '06 04 67 2A 09 05',
- 'name': 'VeriFone',
- 'oid': (2, 23, 42, 9, 5)},
- 'Verisign': {'comment': 'SET vendor',
- 'description': 'Verisign (2 23 42 9 18)',
- 'hexoid': '06 04 67 2A 09 12',
- 'name': 'Verisign',
- 'oid': (2, 23, 42, 9, 18)},
- 'X.500-Alg-Encryption': {'description': 'X.500-Alg-Encryption (2 5 8 1)',
- 'hexoid': '06 03 55 08 01',
- 'name': 'X.500-Alg-Encryption',
- 'oid': (2, 5, 8, 1)},
- 'X.500-Algorithms': {'description': 'X.500-Algorithms (2 5 8)',
- 'hexoid': '06 02 55 08',
- 'name': 'X.500-Algorithms',
- 'oid': (2, 5, 8)},
- 'aACertificate': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'aACertificate (2 5 4 61)',
- 'hexoid': '06 03 55 04 3D',
- 'name': 'aACertificate',
- 'oid': (2, 5, 4, 61)},
- 'acAaControls': {'comment': 'PKIX private extension',
- 'description': 'acAaControls (1 3 6 1 5 5 7 1 6)',
- 'hexoid': '06 08 2B 06 01 05 05 07 01 06',
- 'name': 'acAaControls',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 1, 6)},
- 'acAuditIdentity': {'comment': 'PKIX private extension',
- 'description': 'acAuditIdentity (1 3 6 1 5 5 7 1 4)',
- 'hexoid': '06 08 2B 06 01 05 05 07 01 04',
- 'name': 'acAuditIdentity',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 1, 4)},
- 'acProxying': {'comment': 'PKIX private extension',
- 'description': 'acProxying (1 3 6 1 5 5 7 1 10)',
- 'hexoid': '06 08 2B 06 01 05 05 07 01 0A',
- 'name': 'acProxying',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 1, 10)},
- 'acTargeting': {'comment': 'PKIX private extension',
- 'description': 'acTargeting (1 3 6 1 5 5 7 1 5)',
- 'hexoid': '06 08 2B 06 01 05 05 07 01 05',
- 'name': 'acTargeting',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 1, 5)},
- 'accessIdentity': {'comment': 'PKIX attribute certificate extension',
- 'description': 'accessIdentity (1 3 6 1 5 5 7 10 2)',
- 'hexoid': '06 08 2B 06 01 05 05 07 0A 02',
- 'name': 'accessIdentity',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 10, 2)},
- 'accountNumber': {'comment': 'SET field',
- 'description': 'accountNumber (2 23 42 2 11)',
- 'hexoid': '06 04 67 2A 02 0B',
- 'name': 'accountNumber',
- 'oid': (2, 23, 42, 2, 11)},
- 'action': {'comment': 'Telesec',
- 'description': 'action (0 2 262 1 10 9)',
- 'hexoid': '06 06 02 82 06 01 0A 09',
- 'name': 'action',
- 'oid': (0, 2, 262, 1, 10, 9)},
- 'additionalAttributesSig': {'comment': 'S/MIME Signature Type Identifier',
- 'description': 'additionalAttributesSig (1 2 840 113549 1 9 16 9 3)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 09 03',
- 'name': 'additionalAttributesSig',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 9, 3)},
- 'additionalInformation': {'comment': 'Teletrust attribute',
- 'description': 'additionalInformation (1 3 36 8 3 15)',
- 'hexoid': '06 05 2B 24 08 03 0F',
- 'name': 'additionalInformation',
- 'oid': (1, 3, 36, 8, 3, 15)},
- 'additionalPolicy': {'comment': 'SET cert attribute',
- 'description': 'additionalPolicy (2 23 42 3 0 1)',
- 'hexoid': '06 05 67 2A 03 00 01',
- 'name': 'additionalPolicy',
- 'oid': (2, 23, 42, 3, 0, 1)},
- 'address': {'comment': 'SET field',
- 'description': 'address (2 23 42 2 8)',
- 'hexoid': '06 04 67 2A 02 08',
- 'name': 'address',
- 'oid': (2, 23, 42, 2, 8)},
- 'admission': {'comment': 'Teletrust attribute',
- 'description': 'admission (1 3 36 8 3 3)',
- 'hexoid': '06 05 2B 24 08 03 03',
- 'name': 'admission',
- 'oid': (1, 3, 36, 8, 3, 3)},
- 'aes': {'comment': 'NIST Algorithm',
- 'description': 'aes (2 16 840 1 101 3 4 1)',
- 'hexoid': '06 08 60 86 48 01 65 03 04 01',
- 'name': 'aes',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 1)},
- 'aes128-CBC': {'comment': 'NIST Algorithm',
- 'description': 'aes128-CBC (2 16 840 1 101 3 4 1 2)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 01 02',
- 'name': 'aes128-CBC',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 1, 2)},
- 'aes128-CFB': {'comment': 'NIST Algorithm',
- 'description': 'aes128-CFB (2 16 840 1 101 3 4 1 4)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 01 04',
- 'name': 'aes128-CFB',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 1, 4)},
- 'aes128-ECB': {'comment': 'NIST Algorithm',
- 'description': 'aes128-ECB (2 16 840 1 101 3 4 1 1)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 01 01',
- 'name': 'aes128-ECB',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 1, 1)},
- 'aes128-OFB': {'comment': 'NIST Algorithm',
- 'description': 'aes128-OFB (2 16 840 1 101 3 4 1 3)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 01 03',
- 'name': 'aes128-OFB',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 1, 3)},
- 'aes192-CBC': {'comment': 'NIST Algorithm',
- 'description': 'aes192-CBC (2 16 840 1 101 3 4 1 22)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 01 16',
- 'name': 'aes192-CBC',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 1, 22)},
- 'aes192-CFB': {'comment': 'NIST Algorithm',
- 'description': 'aes192-CFB (2 16 840 1 101 3 4 1 24)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 01 18',
- 'name': 'aes192-CFB',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 1, 24)},
- 'aes192-ECB': {'comment': 'NIST Algorithm',
- 'description': 'aes192-ECB (2 16 840 1 101 3 4 1 21)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 01 15',
- 'name': 'aes192-ECB',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 1, 21)},
- 'aes192-OFB': {'comment': 'NIST Algorithm',
- 'description': 'aes192-OFB (2 16 840 1 101 3 4 1 23)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 01 17',
- 'name': 'aes192-OFB',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 1, 23)},
- 'aes256-CBC': {'comment': 'NIST Algorithm',
- 'description': 'aes256-CBC (2 16 840 1 101 3 4 1 42)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 01 2A',
- 'name': 'aes256-CBC',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 1, 42)},
- 'aes256-CFB': {'comment': 'NIST Algorithm',
- 'description': 'aes256-CFB (2 16 840 1 101 3 4 1 44)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 01 2C',
- 'name': 'aes256-CFB',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 1, 44)},
- 'aes256-ECB': {'comment': 'NIST Algorithm',
- 'description': 'aes256-ECB (2 16 840 1 101 3 4 1 41)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 01 29',
- 'name': 'aes256-ECB',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 1, 41)},
- 'aes256-OFB': {'comment': 'NIST Algorithm',
- 'description': 'aes256-OFB (2 16 840 1 101 3 4 1 43)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 01 2B',
- 'name': 'aes256-OFB',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 1, 43)},
- 'alExemptedAddressProcessor': {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'alExemptedAddressProcessor (2 16 840 1 101 2 1 5 47)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 2F',
- 'name': 'alExemptedAddressProcessor',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 47)},
- 'algorithm': {'comment': 'SET',
- 'description': 'algorithm (2 23 42 4)',
- 'hexoid': '06 03 67 2A 04',
- 'name': 'algorithm',
- 'oid': (2, 23, 42, 4)},
- 'algorithms': {'comment': 'PKIX',
- 'description': 'algorithms (1 3 6 1 5 5 7 6)',
- 'hexoid': '06 07 2B 06 01 05 05 07 06',
- 'name': 'algorithms',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 6)},
- 'alias': {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'alias (2 5 6 1)',
- 'hexoid': '06 03 55 06 01',
- 'name': 'alias',
- 'oid': (2, 5, 6, 1)},
- 'aliasedEntryName': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'aliasedEntryName (2 5 4 1)',
- 'hexoid': '06 03 55 04 01',
- 'name': 'aliasedEntryName',
- 'oid': (2, 5, 4, 1)},
- 'alid': {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'alid (2 16 840 1 101 2 1 5 14)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 0E',
- 'name': 'alid',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 14)},
- 'altCertTemplate': {'comment': 'PKIX CRMF registration control',
- 'description': 'altCertTemplate (1 3 6 1 5 5 7 5 1 7)',
- 'hexoid': '06 09 2B 06 01 05 05 07 05 01 07',
- 'name': 'altCertTemplate',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 5, 1, 7)},
- 'amount': {'comment': 'SET field',
- 'description': 'amount (2 23 42 2 10)',
- 'hexoid': '06 04 67 2A 02 0A',
- 'name': 'amount',
- 'oid': (2, 23, 42, 2, 10)},
- 'anonymizedPublicKeyDirectory': {'comment': 'Telesec attribute',
- 'description': 'anonymizedPublicKeyDirectory (0 2 262 1 10 7 16)',
- 'hexoid': '06 07 02 82 06 01 0A 07 10',
- 'name': 'anonymizedPublicKeyDirectory',
- 'oid': (0, 2, 262, 1, 10, 7, 16)},
- 'ansiX9p192r1': {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'ansiX9p192r1 (1 2 840 10045 3 1 1)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 01 01',
- 'name': 'ansiX9p192r1',
- 'oid': (1, 2, 840, 10045, 3, 1, 1)},
- 'ansiX9p256r1': {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'ansiX9p256r1 (1 2 840 10045 3 1 7)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 01 07',
- 'name': 'ansiX9p256r1',
- 'oid': (1, 2, 840, 10045, 3, 1, 7)},
- 'anyExtendedKeyUsage': {'comment': 'X.509 extended key usage',
- 'description': 'anyExtendedKeyUsage (2 5 29 37 0)',
- 'hexoid': '06 04 55 1D 25 00',
- 'name': 'anyExtendedKeyUsage',
- 'oid': (2, 5, 29, 37, 0)},
- 'anyPolicy': {'comment': 'X.509 certificatePolicies (2 5 29 32)',
- 'description': 'anyPolicy (2 5 29 32 0)',
- 'hexoid': '06 04 55 1D 20 00',
- 'name': 'anyPolicy',
- 'oid': (2, 5, 29, 32, 0)},
- 'api': {'comment': 'Teletrust API',
- 'description': 'api (1 3 36 6)',
- 'hexoid': '06 03 2B 24 06',
- 'name': 'api',
- 'oid': (1, 3, 36, 6)},
- 'applicationEntity': {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'applicationEntity (2 5 6 12)',
- 'hexoid': '06 03 55 06 0C',
- 'name': 'applicationEntity',
- 'oid': (2, 5, 6, 12)},
- 'applicationGroupIdentifier': {'comment': 'Telesec attribute',
- 'description': 'applicationGroupIdentifier (0 2 262 1 10 7 0)',
- 'hexoid': '06 07 02 82 06 01 0A 07 00',
- 'name': 'applicationGroupIdentifier',
- 'oid': (0, 2, 262, 1, 10, 7, 0)},
- 'applicationProcess': {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'applicationProcess (2 5 6 11)',
- 'hexoid': '06 03 55 06 0B',
- 'name': 'applicationProcess',
- 'oid': (2, 5, 6, 11)},
- 'aprUKMs': {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'aprUKMs (2 16 840 1 101 2 1 5 23)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 17',
- 'name': 'aprUKMs',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 23)},
- 'archiveTimeStamp': {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'archiveTimeStamp (1 2 840 113549 1 9 16 2 27)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 1B',
- 'name': 'archiveTimeStamp',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 2, 27)},
- 'archivedKey': {'comment': 'Microsoft attribute',
- 'description': 'archivedKey (1 3 6 1 4 1 311 21 13)',
- 'hexoid': '06 09 2B 06 01 04 01 82 37 15 0D',
- 'name': 'archivedKey',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 21, 13)},
- 'ascom': {'comment': 'Ascom Systech',
- 'description': 'ascom (1 3 6 1 4 1 188 7 1 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 81 3C 07 01 01',
- 'name': 'ascom',
- 'oid': (1, 3, 6, 1, 4, 1, 188, 7, 1, 1)},
- 'attrCert': {'comment': 'Teletrust signature attributes',
- 'description': 'attrCert (1 3 36 8 6 3)',
- 'hexoid': '06 05 2B 24 08 06 03',
- 'name': 'attrCert',
- 'oid': (1, 3, 36, 8, 6, 3)},
- 'attrRef': {'comment': 'Teletrust signature attributes',
- 'description': 'attrRef (1 3 36 8 6 4)',
- 'hexoid': '06 05 2B 24 08 06 04',
- 'name': 'attrRef',
- 'oid': (1, 3, 36, 8, 6, 4)},
- 'attribute': {'comment': 'SET',
- 'description': 'attribute (2 23 42 3)',
- 'hexoid': '06 03 67 2A 03',
- 'name': 'attribute',
- 'oid': (2, 23, 42, 3)},
- 'attribute-cert': {'comment': 'ANSI X9.57 attribute',
- 'description': 'attribute-cert (1 2 840 10040 3 2)',
- 'hexoid': '06 07 2A 86 48 CE 38 03 02',
- 'name': 'attribute-cert',
- 'oid': (1, 2, 840, 10040, 3, 2)},
- 'attributeAuthorityRevocationList': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'attributeAuthorityRevocationList (2 5 4 63)',
- 'hexoid': '06 03 55 04 3F',
- 'name': 'attributeAuthorityRevocationList',
- 'oid': (2, 5, 4, 63)},
- 'attributeCert': {'comment': 'PKIX',
- 'description': 'attributeCert (1 3 6 1 5 5 7 0 12)',
- 'hexoid': '06 08 2B 06 01 05 05 07 00 0C',
- 'name': 'attributeCert',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 0, 12)},
- 'attributeCertificate': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'attributeCertificate (2 5 4 58)',
- 'hexoid': '06 03 55 04 3A',
- 'name': 'attributeCertificate',
- 'oid': (2, 5, 4, 58)},
- 'attributeCertificateRevocationList': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'attributeCertificateRevocationList (2 5 4 59)',
- 'hexoid': '06 03 55 04 3B',
- 'name': 'attributeCertificateRevocationList',
- 'oid': (2, 5, 4, 59)},
- 'attributeDescriptorCertificate': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'attributeDescriptorCertificate (2 5 4 62)',
- 'hexoid': '06 03 55 04 3E',
- 'name': 'attributeDescriptorCertificate',
- 'oid': (2, 5, 4, 62)},
- 'attributeGroup': {'comment': 'Telesec',
- 'description': 'attributeGroup (0 2 262 1 10 8)',
- 'hexoid': '06 06 02 82 06 01 0A 08',
- 'name': 'attributeGroup',
- 'oid': (0, 2, 262, 1, 10, 8)},
- 'attributeIntegrityInfo': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'attributeIntegrityInfo (2 5 4 57)',
- 'hexoid': '06 03 55 04 39',
- 'name': 'attributeIntegrityInfo',
- 'oid': (2, 5, 4, 57)},
- 'attributeSchema': {'comment': 'Microsoft Exchange Server - object class',
- 'description': 'attributeSchema (1 2 840 113556 1 3 14)',
- 'hexoid': '06 09 2A 86 48 86 F7 14 01 03 0E',
- 'name': 'attributeSchema',
- 'oid': (1, 2, 840, 113556, 1, 3, 14)},
- 'attributeTypes': {'comment': 'Telesec module',
- 'description': 'attributeTypes (0 2 262 1 10 2 1)',
- 'hexoid': '06 07 02 82 06 01 0A 02 01',
- 'name': 'attributeTypes',
- 'oid': (0, 2, 262, 1, 10, 2, 1)},
- 'augUKMs': {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'augUKMs (2 16 840 1 101 2 1 5 27)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 1B',
- 'name': 'augUKMs',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 27)},
- 'australianBusinessNumber': {'comment': 'Australian Government corporate taxpayer ID',
- 'description': 'australianBusinessNumber (1 2 36 1 333 1)',
- 'hexoid': '06 06 2A 24 01 82 4D 01',
- 'name': 'australianBusinessNumber',
- 'oid': (1, 2, 36, 1, 333, 1)},
- 'authData': {'comment': 'S/MIME Content Types',
- 'description': 'authData (1 2 840 113549 1 9 16 1 2)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 01 02',
- 'name': 'authData',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 1, 2)},
- 'authenticatedAttributes': {'comment': 'S/MIME',
- 'description': 'authenticatedAttributes (1 2 840 113549 1 9 16 2)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 09 10 02',
- 'name': 'authenticatedAttributes',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 2)},
- 'authentication': {'comment': 'Telesec mechanism',
- 'description': 'authentication (0 2 262 1 10 1 0)',
- 'hexoid': '06 07 02 82 06 01 0A 01 00',
- 'name': 'authentication',
- 'oid': (0, 2, 262, 1, 10, 1, 0)},
- 'authenticationInfo': {'comment': 'PKIX attribute certificate extension',
- 'description': 'authenticationInfo (1 3 6 1 5 5 7 10 1)',
- 'hexoid': '06 08 2B 06 01 05 05 07 0A 01',
- 'name': 'authenticationInfo',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 10, 1)},
- 'authenticator': {'comment': 'PKIX CRMF registration control',
- 'description': 'authenticator (1 3 6 1 5 5 7 5 1 2)',
- 'hexoid': '06 09 2B 06 01 05 05 07 05 01 02',
- 'name': 'authenticator',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 5, 1, 2)},
- 'authorityInfoAccess': {'comment': 'PKIX private extension',
- 'description': 'authorityInfoAccess (1 3 6 1 5 5 7 1 1)',
- 'hexoid': '06 08 2B 06 01 05 05 07 01 01',
- 'name': 'authorityInfoAccess',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 1, 1)},
- 'authorityKeyIdentifier': {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'authorityKeyIdentifier (2 5 29 35)',
- 'hexoid': '06 03 55 1D 23',
- 'name': 'authorityKeyIdentifier',
- 'oid': (2, 5, 29, 35)},
- 'authorityRevocationList': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'authorityRevocationList (2 5 4 38)',
- 'hexoid': '06 03 55 04 26',
- 'name': 'authorityRevocationList',
- 'oid': (2, 5, 4, 38)},
- 'autoGen': {'comment': 'Teletrust signature attributes',
- 'description': 'autoGen (1 3 36 8 6 10)',
- 'hexoid': '06 05 2B 24 08 06 0A',
- 'name': 'autoGen',
- 'oid': (1, 3, 36, 8, 6, 10)},
- 'basicConstraints': {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'basicConstraints (2 5 29 19)',
- 'hexoid': '06 03 55 1D 13',
- 'name': 'basicConstraints',
- 'oid': (2, 5, 29, 19)},
- 'biometricInfo': {'comment': 'PKIX private extension',
- 'description': 'biometricInfo (1 3 6 1 5 5 7 1 2)',
- 'hexoid': '06 08 2B 06 01 05 05 07 01 02',
- 'name': 'biometricInfo',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 1, 2)},
- 'birthFamilyName': {'comment': 'SET field',
- 'description': 'birthFamilyName (2 23 42 2 3)',
- 'hexoid': '06 04 67 2A 02 03',
- 'name': 'birthFamilyName',
- 'oid': (2, 23, 42, 2, 3)},
- 'blowfishCBC': {'comment': 'cryptlib encryption algorithm',
- 'description': 'blowfishCBC (1 3 6 1 4 1 3029 1 1 2)',
- 'hexoid': '06 0A 2B 06 01 04 01 97 55 01 01 02',
- 'name': 'blowfishCBC',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 1, 1, 2)},
- 'blowfishCFB': {'comment': 'cryptlib encryption algorithm',
- 'description': 'blowfishCFB (1 3 6 1 4 1 3029 1 1 3)',
- 'hexoid': '06 0A 2B 06 01 04 01 97 55 01 01 03',
- 'name': 'blowfishCFB',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 1, 1, 3)},
- 'blowfishECB': {'comment': 'cryptlib encryption algorithm',
- 'description': 'blowfishECB (1 3 6 1 4 1 3029 1 1 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 97 55 01 01 01',
- 'name': 'blowfishECB',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 1, 1, 1)},
- 'blowfishOFB': {'comment': 'cryptlib encryption algorithm',
- 'description': 'blowfishOFB (1 3 6 1 4 1 3029 1 1 4)',
- 'hexoid': '06 0A 2B 06 01 04 01 97 55 01 01 04',
- 'name': 'blowfishOFB',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 1, 1, 4)},
- 'brainpoolP224r1': {'comment': 'ECC Brainpool Standard Curves and Curve Generation',
- 'description': 'brainpoolP224r1 (1 3 36 3 3 2 8 1 1 14)',
- 'hexoid': '06 09 2B 24 03 03 02 08 01 01 0E',
- 'name': 'brainpoolP224r1',
- 'oid': (1, 3, 36, 3, 3, 2, 8, 1, 1, 14)},
- 'brand': {'comment': 'SET',
- 'description': 'brand (2 23 42 8)',
- 'hexoid': '06 03 67 2A 08',
- 'name': 'brand',
- 'oid': (2, 23, 42, 8)},
- 'bsi': {'comment': 'BSI TR-03110/TR-03111',
- 'description': 'bsi (0 4 0 127 0 7)',
- 'hexoid': '06 05 04 00 7F 00 07',
- 'name': 'bsi',
- 'oid': (0, 4, 0, 127, 0, 7)},
- 'bsi-1': {'comment': 'Teletrust encryption algorithm',
- 'description': 'bsi-1 (1 3 36 3 1 5)',
- 'hexoid': '06 05 2B 24 03 01 05',
- 'name': 'bsi-1',
- 'oid': (1, 3, 36, 3, 1, 5)},
- 'bsiCA': {'comment': 'BSI TR-03110',
- 'description': 'bsiCA (0 4 0 127 0 7 2 2 1)',
- 'hexoid': '06 08 04 00 7F 00 07 02 02 01',
- 'name': 'bsiCA',
- 'oid': (0, 4, 0, 127, 0, 7, 2, 2, 1)},
- 'bsiCA_DH': {'comment': 'BSI TR-03110',
- 'description': 'bsiCA_DH (0 4 0 127 0 7 2 2 1 1)',
- 'hexoid': '06 09 04 00 7F 00 07 02 02 01 01',
- 'name': 'bsiCA_DH',
- 'oid': (0, 4, 0, 127, 0, 7, 2, 2, 1, 1)},
- 'bsiCA_ECDH': {'comment': 'BSI TR-03110',
- 'description': 'bsiCA_ECDH (0 4 0 127 0 7 2 2 1 2)',
- 'hexoid': '06 09 04 00 7F 00 07 02 02 01 02',
- 'name': 'bsiCA_ECDH',
- 'oid': (0, 4, 0, 127, 0, 7, 2, 2, 1, 2)},
- 'bsiCharacteristicTwoBasis': {'comment': 'BSI TR-03111',
- 'description': 'bsiCharacteristicTwoBasis (0 4 0 127 0 7 1 1 2 3)',
- 'hexoid': '06 09 04 00 7F 00 07 01 01 02 03',
- 'name': 'bsiCharacteristicTwoBasis',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 1, 2, 3)},
- 'bsiCharacteristicTwoField': {'comment': 'BSI TR-03111',
- 'description': 'bsiCharacteristicTwoField (0 4 0 127 0 7 1 1 2)',
- 'hexoid': '06 08 04 00 7F 00 07 01 01 02',
- 'name': 'bsiCharacteristicTwoField',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 1, 2)},
- 'bsiEcKeyType': {'comment': 'BSI TR-03111',
- 'description': 'bsiEcKeyType (0 4 0 127 0 7 1 2)',
- 'hexoid': '06 07 04 00 7F 00 07 01 02',
- 'name': 'bsiEcKeyType',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 2)},
- 'bsiEcPublicKey': {'comment': 'BSI TR-03111',
- 'description': 'bsiEcPublicKey (0 4 0 127 0 7 1 2 1)',
- 'hexoid': '06 08 04 00 7F 00 07 01 02 01',
- 'name': 'bsiEcPublicKey',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 2, 1)},
- 'bsiEcc': {'comment': 'BSI TR-03111',
- 'description': 'bsiEcc (0 4 0 127 0 7 1)',
- 'hexoid': '06 06 04 00 7F 00 07 01',
- 'name': 'bsiEcc',
- 'oid': (0, 4, 0, 127, 0, 7, 1)},
- 'bsiEcdsaSignatures': {'comment': 'BSI TR-03111',
- 'description': 'bsiEcdsaSignatures (0 4 0 127 0 7 1 4 1)',
- 'hexoid': '06 08 04 00 7F 00 07 01 04 01',
- 'name': 'bsiEcdsaSignatures',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 4, 1)},
- 'bsiEcdsaWithRIPEMD160': {'comment': 'BSI TR-03111',
- 'description': 'bsiEcdsaWithRIPEMD160 (0 4 0 127 0 7 1 4 1 6)',
- 'hexoid': '06 09 04 00 7F 00 07 01 04 01 06',
- 'name': 'bsiEcdsaWithRIPEMD160',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 4, 1, 6)},
- 'bsiEcdsaWithSHA1': {'comment': 'BSI TR-03111',
- 'description': 'bsiEcdsaWithSHA1 (0 4 0 127 0 7 1 4 1 1)',
- 'hexoid': '06 09 04 00 7F 00 07 01 04 01 01',
- 'name': 'bsiEcdsaWithSHA1',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 4, 1, 1)},
- 'bsiEcdsaWithSHA224': {'comment': 'BSI TR-03111',
- 'description': 'bsiEcdsaWithSHA224 (0 4 0 127 0 7 1 4 1 2)',
- 'hexoid': '06 09 04 00 7F 00 07 01 04 01 02',
- 'name': 'bsiEcdsaWithSHA224',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 4, 1, 2)},
- 'bsiEcdsaWithSHA256': {'comment': 'BSI TR-03111',
- 'description': 'bsiEcdsaWithSHA256 (0 4 0 127 0 7 1 4 1 3)',
- 'hexoid': '06 09 04 00 7F 00 07 01 04 01 03',
- 'name': 'bsiEcdsaWithSHA256',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 4, 1, 3)},
- 'bsiEcdsaWithSHA384': {'comment': 'BSI TR-03111',
- 'description': 'bsiEcdsaWithSHA384 (0 4 0 127 0 7 1 4 1 4)',
- 'hexoid': '06 09 04 00 7F 00 07 01 04 01 04',
- 'name': 'bsiEcdsaWithSHA384',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 4, 1, 4)},
- 'bsiEcdsaWithSHA512': {'comment': 'BSI TR-03111',
- 'description': 'bsiEcdsaWithSHA512 (0 4 0 127 0 7 1 4 1 5)',
- 'hexoid': '06 09 04 00 7F 00 07 01 04 01 05',
- 'name': 'bsiEcdsaWithSHA512',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 4, 1, 5)},
- 'bsiGnBasis': {'comment': 'BSI TR-03111',
- 'description': 'bsiGnBasis (0 4 0 127 0 7 1 1 2 3 1)',
- 'hexoid': '06 0A 04 00 7F 00 07 01 01 02 03 01',
- 'name': 'bsiGnBasis',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 1, 2, 3, 1)},
- 'bsiKaeg': {'comment': 'BSI TR-03111',
- 'description': 'bsiKaeg (0 4 0 127 0 7 1 5 1)',
- 'hexoid': '06 08 04 00 7F 00 07 01 05 01',
- 'name': 'bsiKaeg',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 5, 1)},
- 'bsiKaegWith3DESKDF': {'comment': 'BSI TR-03111',
- 'description': 'bsiKaegWith3DESKDF (0 4 0 127 0 7 1 5 1 2)',
- 'hexoid': '06 09 04 00 7F 00 07 01 05 01 02',
- 'name': 'bsiKaegWith3DESKDF',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 5, 1, 2)},
- 'bsiKaegWithX963KDF': {'comment': 'BSI TR-03111',
- 'description': 'bsiKaegWithX963KDF (0 4 0 127 0 7 1 5 1 1)',
- 'hexoid': '06 09 04 00 7F 00 07 01 05 01 01',
- 'name': 'bsiKaegWithX963KDF',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 5, 1, 1)},
- 'bsiPKE': {'comment': 'Teletrust key management',
- 'description': 'bsiPKE (1 3 36 7 1 1)',
- 'hexoid': '06 05 2B 24 07 01 01',
- 'name': 'bsiPKE',
- 'oid': (1, 3, 36, 7, 1, 1)},
- 'bsiPpBasis': {'comment': 'BSI TR-03111',
- 'description': 'bsiPpBasis (0 4 0 127 0 7 1 1 2 3 3)',
- 'hexoid': '06 0A 04 00 7F 00 07 01 01 02 03 03',
- 'name': 'bsiPpBasis',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 1, 2, 3, 3)},
- 'bsiPrimeField': {'comment': 'BSI TR-03111',
- 'description': 'bsiPrimeField (0 4 0 127 0 7 1 1 1)',
- 'hexoid': '06 08 04 00 7F 00 07 01 01 01',
- 'name': 'bsiPrimeField',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 1, 1)},
- 'bsiRoleEAC': {'comment': 'BSI TR-03110',
- 'description': 'bsiRoleEAC (0 4 0 127 0 7 3 1 2)',
- 'hexoid': '06 08 04 00 7F 00 07 03 01 02',
- 'name': 'bsiRoleEAC',
- 'oid': (0, 4, 0, 127, 0, 7, 3, 1, 2)},
- 'bsiTA': {'comment': 'BSI TR-03110',
- 'description': 'bsiTA (0 4 0 127 0 7 2 2 2)',
- 'hexoid': '06 08 04 00 7F 00 07 02 02 02',
- 'name': 'bsiTA',
- 'oid': (0, 4, 0, 127, 0, 7, 2, 2, 2)},
- 'bsiTA_ECDSA': {'comment': 'BSI TR-03110',
- 'description': 'bsiTA_ECDSA (0 4 0 127 0 7 2 2 2 2)',
- 'hexoid': '06 09 04 00 7F 00 07 02 02 02 02',
- 'name': 'bsiTA_ECDSA',
- 'oid': (0, 4, 0, 127, 0, 7, 2, 2, 2, 2)},
- 'bsiTA_ECDSA_SHA1': {'comment': 'BSI TR-03110',
- 'description': 'bsiTA_ECDSA_SHA1 (0 4 0 127 0 7 2 2 2 2 1)',
- 'hexoid': '06 0A 04 00 7F 00 07 02 02 02 02 01',
- 'name': 'bsiTA_ECDSA_SHA1',
- 'oid': (0, 4, 0, 127, 0, 7, 2, 2, 2, 2, 1)},
- 'bsiTA_ECDSA_SHA224': {'comment': 'BSI TR-03110',
- 'description': 'bsiTA_ECDSA_SHA224 (0 4 0 127 0 7 2 2 2 2 2)',
- 'hexoid': '06 0A 04 00 7F 00 07 02 02 02 02 02',
- 'name': 'bsiTA_ECDSA_SHA224',
- 'oid': (0, 4, 0, 127, 0, 7, 2, 2, 2, 2, 2)},
- 'bsiTA_ECDSA_SHA256': {'comment': 'BSI TR-03110',
- 'description': 'bsiTA_ECDSA_SHA256 (0 4 0 127 0 7 2 2 2 2 3)',
- 'hexoid': '06 0A 04 00 7F 00 07 02 02 02 02 03',
- 'name': 'bsiTA_ECDSA_SHA256',
- 'oid': (0, 4, 0, 127, 0, 7, 2, 2, 2, 2, 3)},
- 'bsiTA_RSA': {'comment': 'BSI TR-03110',
- 'description': 'bsiTA_RSA (0 4 0 127 0 7 2 2 2 1)',
- 'hexoid': '06 09 04 00 7F 00 07 02 02 02 01',
- 'name': 'bsiTA_RSA',
- 'oid': (0, 4, 0, 127, 0, 7, 2, 2, 2, 1)},
- 'bsiTA_RSAPSS_SHA1': {'comment': 'BSI TR-03110',
- 'description': 'bsiTA_RSAPSS_SHA1 (0 4 0 127 0 7 2 2 2 1 3)',
- 'hexoid': '06 0A 04 00 7F 00 07 02 02 02 01 03',
- 'name': 'bsiTA_RSAPSS_SHA1',
- 'oid': (0, 4, 0, 127, 0, 7, 2, 2, 2, 1, 3)},
- 'bsiTA_RSAPSS_SHA256': {'comment': 'BSI TR-03110',
- 'description': 'bsiTA_RSAPSS_SHA256 (0 4 0 127 0 7 2 2 2 1 4)',
- 'hexoid': '06 0A 04 00 7F 00 07 02 02 02 01 04',
- 'name': 'bsiTA_RSAPSS_SHA256',
- 'oid': (0, 4, 0, 127, 0, 7, 2, 2, 2, 1, 4)},
- 'bsiTA_RSAv1_5_SHA1': {'comment': 'BSI TR-03110',
- 'description': 'bsiTA_RSAv1_5_SHA1 (0 4 0 127 0 7 2 2 2 1 1)',
- 'hexoid': '06 0A 04 00 7F 00 07 02 02 02 01 01',
- 'name': 'bsiTA_RSAv1_5_SHA1',
- 'oid': (0, 4, 0, 127, 0, 7, 2, 2, 2, 1, 1)},
- 'bsiTA_RSAv1_5_SHA256': {'comment': 'BSI TR-03110',
- 'description': 'bsiTA_RSAv1_5_SHA256 (0 4 0 127 0 7 2 2 2 1 2)',
- 'hexoid': '06 0A 04 00 7F 00 07 02 02 02 01 02',
- 'name': 'bsiTA_RSAv1_5_SHA256',
- 'oid': (0, 4, 0, 127, 0, 7, 2, 2, 2, 1, 2)},
- 'bsiTpBasis': {'comment': 'BSI TR-03111',
- 'description': 'bsiTpBasis (0 4 0 127 0 7 1 1 2 3 2)',
- 'hexoid': '06 0A 04 00 7F 00 07 01 01 02 03 02',
- 'name': 'bsiTpBasis',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 1, 2, 3, 2)},
- 'bsi_1CBC_PEMpad': {'comment': 'Teletrust encryption algorithm',
- 'description': 'bsi_1CBC_PEMpad (1 3 36 3 1 5 2 1)',
- 'hexoid': '06 07 2B 24 03 01 05 02 01',
- 'name': 'bsi_1CBC_PEMpad',
- 'oid': (1, 3, 36, 3, 1, 5, 2, 1)},
- 'bsi_1CBC_pad': {'comment': 'Teletrust encryption algorithm',
- 'description': 'bsi_1CBC_pad (1 3 36 3 1 5 2)',
- 'hexoid': '06 06 2B 24 03 01 05 02',
- 'name': 'bsi_1CBC_pad',
- 'oid': (1, 3, 36, 3, 1, 5, 2)},
- 'bsi_1ECB_pad': {'comment': 'Teletrust encryption algorithm',
- 'description': 'bsi_1ECB_pad (1 3 36 3 1 5 1)',
- 'hexoid': '06 06 2B 24 03 01 05 01',
- 'name': 'bsi_1ECB_pad',
- 'oid': (1, 3, 36, 3, 1, 5, 1)},
- 'bsifieldType': {'comment': 'BSI TR-03111',
- 'description': 'bsifieldType (0 4 0 127 0 7 1 1)',
- 'hexoid': '06 07 04 00 7F 00 07 01 01',
- 'name': 'bsifieldType',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 1)},
- 'businessCategory': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'businessCategory (2 5 4 15)',
- 'hexoid': '06 03 55 04 0F',
- 'name': 'businessCategory',
- 'oid': (2, 5, 4, 15)},
- 'c2pnb163v1': {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'c2pnb163v1 (1 2 840 10045 3 0 1)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 00 01',
- 'name': 'c2pnb163v1',
- 'oid': (1, 2, 840, 10045, 3, 0, 1)},
- 'c2pnb163v2': {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'c2pnb163v2 (1 2 840 10045 3 0 2)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 00 02',
- 'name': 'c2pnb163v2',
- 'oid': (1, 2, 840, 10045, 3, 0, 2)},
- 'c2pnb163v3': {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'c2pnb163v3 (1 2 840 10045 3 0 3)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 00 03',
- 'name': 'c2pnb163v3',
- 'oid': (1, 2, 840, 10045, 3, 0, 3)},
- 'c2pnb208w1': {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'c2pnb208w1 (1 2 840 10045 3 0 10)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 00 0A',
- 'name': 'c2pnb208w1',
- 'oid': (1, 2, 840, 10045, 3, 0, 10)},
- 'c2pnb272w1': {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'c2pnb272w1 (1 2 840 10045 3 0 16)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 00 10',
- 'name': 'c2pnb272w1',
- 'oid': (1, 2, 840, 10045, 3, 0, 16)},
- 'c2pnb368w1': {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'c2pnb368w1 (1 2 840 10045 3 0 19)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 00 13',
- 'name': 'c2pnb368w1',
- 'oid': (1, 2, 840, 10045, 3, 0, 19)},
- 'c2tnb191v1': {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'c2tnb191v1 (1 2 840 10045 3 0 5)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 00 05',
- 'name': 'c2tnb191v1',
- 'oid': (1, 2, 840, 10045, 3, 0, 5)},
- 'c2tnb191v2': {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'c2tnb191v2 (1 2 840 10045 3 0 6)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 00 06',
- 'name': 'c2tnb191v2',
- 'oid': (1, 2, 840, 10045, 3, 0, 6)},
- 'c2tnb191v3': {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'c2tnb191v3 (1 2 840 10045 3 0 7)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 00 07',
- 'name': 'c2tnb191v3',
- 'oid': (1, 2, 840, 10045, 3, 0, 7)},
- 'c2tnb239v1': {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'c2tnb239v1 (1 2 840 10045 3 0 11)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 00 0B',
- 'name': 'c2tnb239v1',
- 'oid': (1, 2, 840, 10045, 3, 0, 11)},
- 'c2tnb239v2': {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'c2tnb239v2 (1 2 840 10045 3 0 12)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 00 0C',
- 'name': 'c2tnb239v2',
- 'oid': (1, 2, 840, 10045, 3, 0, 12)},
- 'c2tnb239v3': {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'c2tnb239v3 (1 2 840 10045 3 0 13)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 00 0D',
- 'name': 'c2tnb239v3',
- 'oid': (1, 2, 840, 10045, 3, 0, 13)},
- 'c2tnb359v1': {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'c2tnb359v1 (1 2 840 10045 3 0 18)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 00 12',
- 'name': 'c2tnb359v1',
- 'oid': (1, 2, 840, 10045, 3, 0, 18)},
- 'c2tnb431r1': {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'c2tnb431r1 (1 2 840 10045 3 0 20)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 00 14',
- 'name': 'c2tnb431r1',
- 'oid': (1, 2, 840, 10045, 3, 0, 20)},
- 'cAClearanceConstraint': {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'cAClearanceConstraint (2 16 840 1 101 2 1 5 60)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 3C',
- 'name': 'cAClearanceConstraint',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 60)},
- 'cAKeyCertIndexPair': {'comment': 'Microsoft attribute',
- 'description': 'cAKeyCertIndexPair (1 3 6 1 4 1 311 21 1)',
- 'hexoid': '06 09 2B 06 01 04 01 82 37 15 01',
- 'name': 'cAKeyCertIndexPair',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 21, 1)},
- 'cRLDistributionPoints': {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'cRLDistributionPoints (2 5 29 31)',
- 'hexoid': '06 03 55 1D 1F',
- 'name': 'cRLDistributionPoints',
- 'oid': (2, 5, 29, 31)},
- 'cRLNumber': {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'cRLNumber (2 5 29 20)',
- 'hexoid': '06 03 55 1D 14',
- 'name': 'cRLNumber',
- 'oid': (2, 5, 29, 20)},
- 'cRLReason': {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'cRLReason (2 5 29 21)',
- 'hexoid': '06 03 55 1D 15',
- 'name': 'cRLReason',
- 'oid': (2, 5, 29, 21)},
- 'caCertificate': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'caCertificate (2 5 4 37)',
- 'hexoid': '06 03 55 04 25',
- 'name': 'caCertificate',
- 'oid': (2, 5, 4, 37)},
- 'caIssuers': {'comment': 'PKIX subject/authority info access descriptor',
- 'description': 'caIssuers (1 3 6 1 5 5 7 48 2)',
- 'hexoid': '06 08 2B 06 01 05 05 07 30 02',
- 'name': 'caIssuers',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 48, 2)},
- 'caKeyUpdateInfo': {'comment': 'PKIX CMP information',
- 'description': 'caKeyUpdateInfo (1 3 6 1 5 5 7 4 5)',
- 'hexoid': '06 08 2B 06 01 05 05 07 04 05',
- 'name': 'caKeyUpdateInfo',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 4, 5)},
- 'caProtEncCert': {'comment': 'PKIX CMP information',
- 'description': 'caProtEncCert (1 3 6 1 5 5 7 4 1)',
- 'hexoid': '06 08 2B 06 01 05 05 07 04 01',
- 'name': 'caProtEncCert',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 4, 1)},
- 'caRepository': {'comment': 'PKIX subject/authority info access descriptor',
- 'description': 'caRepository (1 3 6 1 5 5 7 48 5)',
- 'hexoid': '06 08 2B 06 01 05 05 07 30 05',
- 'name': 'caRepository',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 48, 5)},
- 'callissuer': {'comment': 'ANSI X9.57 hold instruction',
- 'description': 'callissuer (1 2 840 10040 2 2)',
- 'hexoid': '06 07 2A 86 48 CE 38 02 02',
- 'name': 'callissuer',
- 'oid': (1, 2, 840, 10040, 2, 2)},
- 'canNotDecryptAny': {'comment': 'sMIMECapabilities',
- 'description': 'canNotDecryptAny (1 2 840 113549 1 9 15 2)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 09 0F 02',
- 'name': 'canNotDecryptAny',
- 'oid': (1, 2, 840, 113549, 1, 9, 15, 2)},
- 'capabilities': {'comment': 'S/MIME',
- 'description': 'capabilities (1 2 840 113549 1 9 16 11)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 09 10 0B',
- 'name': 'capabilities',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 11)},
- 'capcoMarkings': {'comment': 'SDN.700 INFOSEC policy',
- 'description': 'capcoMarkings (2 16 840 1 101 2 1 3 13)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 03 0D',
- 'name': 'capcoMarkings',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 3, 13)},
- 'capcoSecurityCategories': {'comment': 'SDN.700 INFOSEC policy CAPCO markings',
- 'description': 'capcoSecurityCategories (2 16 840 1 101 2 1 3 13 0)',
- 'hexoid': '06 0A 60 86 48 01 65 02 01 03 0D 00',
- 'name': 'capcoSecurityCategories',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 3, 13, 0)},
- 'capcoTagSetName1': {'comment': 'SDN.700 INFOSEC policy CAPCO markings',
- 'description': 'capcoTagSetName1 (2 16 840 1 101 2 1 3 13 0 1)',
- 'hexoid': '06 0B 60 86 48 01 65 02 01 03 0D 00 01',
- 'name': 'capcoTagSetName1',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 3, 13, 0, 1)},
- 'capcoTagSetName2': {'comment': 'SDN.700 INFOSEC policy CAPCO markings',
- 'description': 'capcoTagSetName2 (2 16 840 1 101 2 1 3 13 0 2)',
- 'hexoid': '06 0B 60 86 48 01 65 02 01 03 0D 00 02',
- 'name': 'capcoTagSetName2',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 3, 13, 0, 2)},
- 'capcoTagSetName3': {'comment': 'SDN.700 INFOSEC policy CAPCO markings',
- 'description': 'capcoTagSetName3 (2 16 840 1 101 2 1 3 13 0 3)',
- 'hexoid': '06 0B 60 86 48 01 65 02 01 03 0D 00 03',
- 'name': 'capcoTagSetName3',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 3, 13, 0, 3)},
- 'capcoTagSetName4': {'comment': 'SDN.700 INFOSEC policy CAPCO markings',
- 'description': 'capcoTagSetName4 (2 16 840 1 101 2 1 3 13 0 4)',
- 'hexoid': '06 0B 60 86 48 01 65 02 01 03 0D 00 04',
- 'name': 'capcoTagSetName4',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 3, 13, 0, 4)},
- 'carLicense': {'comment': 'Netscape LDAP definitions',
- 'description': 'carLicense (2 16 840 1 113730 3 1 1)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 42 03 01 01',
- 'name': 'carLicense',
- 'oid': (2, 16, 840, 1, 113730, 3, 1, 1)},
- 'cardCertRequired': {'comment': 'SET cert extension',
- 'description': 'cardCertRequired (2 23 42 7 3)',
- 'hexoid': '06 04 67 2A 07 03',
- 'name': 'cardCertRequired',
- 'oid': (2, 23, 42, 7, 3)},
- 'cast3CBC': {'comment': 'Nortel Secure Networks alg',
- 'description': 'cast3CBC (1 2 840 113533 7 66 3)',
- 'hexoid': '06 09 2A 86 48 86 F6 7D 07 42 03',
- 'name': 'cast3CBC',
- 'oid': (1, 2, 840, 113533, 7, 66, 3)},
- 'cast5CBC': {'comment': 'Nortel Secure Networks alg',
- 'description': 'cast5CBC (1 2 840 113533 7 66 10)',
- 'hexoid': '06 09 2A 86 48 86 F6 7D 07 42 0A',
- 'name': 'cast5CBC',
- 'oid': (1, 2, 840, 113533, 7, 66, 10)},
- 'cast5MAC': {'comment': 'Nortel Secure Networks alg',
- 'description': 'cast5MAC (1 2 840 113533 7 66 11)',
- 'hexoid': '06 09 2A 86 48 86 F6 7D 07 42 0B',
- 'name': 'cast5MAC',
- 'oid': (1, 2, 840, 113533, 7, 66, 11)},
- 'cert': {'comment': 'SET attribute',
- 'description': 'cert (2 23 42 3 0)',
- 'hexoid': '06 04 67 2A 03 00',
- 'name': 'cert',
- 'oid': (2, 23, 42, 3, 0)},
- 'cert-extension': {'comment': 'Netscape',
- 'description': 'cert-extension (2 16 840 1 113730 1)',
- 'hexoid': '06 08 60 86 48 01 86 F8 42 01',
- 'name': 'cert-extension',
- 'oid': (2, 16, 840, 1, 113730, 1)},
- 'certAndCrlExtensionDefinitions': {'comment': 'Telesec',
- 'description': 'certAndCrlExtensionDefinitions (0 2 262 1 10 12)',
- 'hexoid': '06 06 02 82 06 01 0A 0C',
- 'name': 'certAndCrlExtensionDefinitions',
- 'oid': (0, 2, 262, 1, 10, 12)},
- 'certCRLTimestamp': {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'certCRLTimestamp (1 2 840 113549 1 9 16 2 26)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 1A',
- 'name': 'certCRLTimestamp',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 2, 26)},
- 'certDist-ldap': {'comment': 'S/MIME Certificate Distribution',
- 'description': 'certDist-ldap (1 2 840 113549 1 9 16 4 1)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 04 01',
- 'name': 'certDist-ldap',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 4, 1)},
- 'certExt': {'comment': 'SET',
- 'description': 'certExt (2 23 42 7)',
- 'hexoid': '06 03 67 2A 07',
- 'name': 'certExt',
- 'oid': (2, 23, 42, 7)},
- 'certHash': {'comment': 'Teletrust OCSP attribute',
- 'description': 'certHash (1 3 36 8 3 13)',
- 'hexoid': '06 05 2B 24 08 03 0D',
- 'name': 'certHash',
- 'oid': (1, 3, 36, 8, 3, 13)},
- 'certRef': {'comment': 'Teletrust signature attributes',
- 'description': 'certRef (1 3 36 8 6 2)',
- 'hexoid': '06 05 2B 24 08 06 02',
- 'name': 'certRef',
- 'oid': (1, 3, 36, 8, 6, 2)},
- 'certReq': {'comment': 'PKIX CRMF registration control',
- 'description': 'certReq (1 3 6 1 5 5 7 5 2 2)',
- 'hexoid': '06 09 2B 06 01 05 05 07 05 02 02',
- 'name': 'certReq',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 5, 2, 2)},
- 'certReqExtensions': {'comment': 'Microsoft',
- 'description': 'certReqExtensions (1 3 6 1 4 1 311 2 1 14)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 02 01 0E',
- 'name': 'certReqExtensions',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 2, 1, 14)},
- 'certSequence': {'comment': 'Netscape data type',
- 'description': 'certSequence (2 16 840 1 113730 2 5)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 02 05',
- 'name': 'certSequence',
- 'oid': (2, 16, 840, 1, 113730, 2, 5)},
- 'certTrustList': {'comment': 'Microsoft PKCS #7 contentType',
- 'description': 'certTrustList (1 3 6 1 4 1 311 10 1)',
- 'hexoid': '06 09 2B 06 01 04 01 82 37 0A 01',
- 'name': 'certTrustList',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 10, 1)},
- 'certTrustListSigning': {'comment': 'Microsoft enhanced key usage',
- 'description': 'certTrustListSigning (1 3 6 1 4 1 311 10 3 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 0A 03 01',
- 'name': 'certTrustListSigning',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 10, 3, 1)},
- 'certTypes': {'comment': 'PKCS #9 via PKCS #12',
- 'description': 'certTypes (for PKCS #12) (1 2 840 113549 1 9 22)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 16',
- 'name': 'certTypes',
- 'oid': (1, 2, 840, 113549, 1, 9, 22)},
- 'certURL': {'comment': 'Netscape certificate extension',
- 'description': 'certURL (2 16 840 1 113730 2 6)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 02 06',
- 'name': 'certURL',
- 'oid': (2, 16, 840, 1, 113730, 2, 6)},
- 'certValues': {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'certValues (1 2 840 113549 1 9 16 2 23)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 17',
- 'name': 'certValues',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 2, 23)},
- 'certificateAuthority': {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'certificateAuthority (2 5 6 16)',
- 'hexoid': '06 03 55 06 10',
- 'name': 'certificateAuthority',
- 'oid': (2, 5, 6, 16)},
- 'certificateIssuer': {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'certificateIssuer (2 5 29 29)',
- 'hexoid': '06 03 55 1D 1D',
- 'name': 'certificateIssuer',
- 'oid': (2, 5, 29, 29)},
- 'certificateNumber': {'comment': 'Telesec attribute',
- 'description': 'certificateNumber (0 2 262 1 10 7 3)',
- 'hexoid': '06 07 02 82 06 01 0A 07 03',
- 'name': 'certificateNumber',
- 'oid': (0, 2, 262, 1, 10, 7, 3)},
- 'certificatePolicies': {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'certificatePolicies (2 5 29 32)',
- 'hexoid': '06 03 55 1D 20',
- 'name': 'certificatePolicies',
- 'oid': (2, 5, 29, 32)},
- 'certificatePolicy': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'certificatePolicy (2 5 4 69)',
- 'hexoid': '06 03 55 04 45',
- 'name': 'certificatePolicy',
- 'oid': (2, 5, 4, 69)},
- 'certificateRefs': {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'certificateRefs (1 2 840 113549 1 9 16 2 21)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 15',
- 'name': 'certificateRefs',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 2, 21)},
- 'certificateRevocationList': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'certificateRevocationList (2 5 4 39)',
- 'hexoid': '06 03 55 04 27',
- 'name': 'certificateRevocationList',
- 'oid': (2, 5, 4, 39)},
- 'certificateTemplate': {'comment': 'Microsoft CAPICOM certificate template, V2',
- 'description': 'certificateTemplate (1 3 6 1 4 1 311 21 7)',
- 'hexoid': '06 09 2B 06 01 04 01 82 37 15 07',
- 'name': 'certificateTemplate',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 21, 7)},
- 'certificateTemplateList': {'comment': 'Telesec attribute',
- 'description': 'certificateTemplateList (0 2 262 1 10 7 29)',
- 'hexoid': '06 07 02 82 06 01 0A 07 1D',
- 'name': 'certificateTemplateList',
- 'oid': (0, 2, 262, 1, 10, 7, 29)},
- 'certificateType': {'comment': 'SET cert extension',
- 'description': 'certificateType (2 23 42 7 1)',
- 'hexoid': '06 04 67 2A 07 01',
- 'name': 'certificateType',
- 'oid': (2, 23, 42, 7, 1)},
- 'certificateTypes': {'comment': 'Telesec module',
- 'description': 'certificateTypes (0 2 262 1 10 2 2)',
- 'hexoid': '06 07 02 82 06 01 0A 02 02',
- 'name': 'certificateTypes',
- 'oid': (0, 2, 262, 1, 10, 2, 2)},
- 'certificationPracticeStmt': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'certificationPracticeStmt (2 5 4 68)',
- 'hexoid': '06 03 55 04 44',
- 'name': 'certificationPracticeStmt',
- 'oid': (2, 5, 4, 68)},
- 'challengePassword': {'comment': 'PKCS #9',
- 'description': 'challengePassword (1 2 840 113549 1 9 7)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 07',
- 'name': 'challengePassword',
- 'oid': (1, 2, 840, 113549, 1, 9, 7)},
- 'characteristic-two-basis': {'comment': 'ANSI X9.62 field type',
- 'description': 'characteristic-two-basis (1 2 840 10045 1 2 3)',
- 'hexoid': '06 08 2A 86 48 CE 3D 01 02 03',
- 'name': 'characteristic-two-basis',
- 'oid': (1, 2, 840, 10045, 1, 2, 3)},
- 'characteristic-two-field': {'comment': 'ANSI X9.62 field type',
- 'description': 'characteristic-two-field (1 2 840 10045 1 2)',
- 'hexoid': '06 07 2A 86 48 CE 3D 01 02',
- 'name': 'characteristic-two-field',
- 'oid': (1, 2, 840, 10045, 1, 2)},
- 'chargingIdentity': {'comment': 'PKIX attribute certificate extension',
- 'description': 'chargingIdentity (1 3 6 1 5 5 7 10 3)',
- 'hexoid': '06 08 2B 06 01 05 05 07 0A 03',
- 'name': 'chargingIdentity',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 10, 3)},
- 'classSchema': {'comment': 'Microsoft Exchange Server - object class',
- 'description': 'classSchema (1 2 840 113556 1 3 13)',
- 'hexoid': '06 09 2A 86 48 86 F7 14 01 03 0D',
- 'name': 'classSchema',
- 'oid': (1, 2, 840, 113556, 1, 3, 13)},
- 'clearance': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'clearance (2 5 4 55)',
- 'hexoid': '06 03 55 04 37',
- 'name': 'clearance',
- 'oid': (2, 5, 4, 55)},
- 'clientAuth': {'comment': 'PKIX key purpose',
- 'description': 'clientAuth (1 3 6 1 5 5 7 3 2)',
- 'hexoid': '06 08 2B 06 01 05 05 07 03 02',
- 'name': 'clientAuth',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 3, 2)},
- 'cmcControls': {'comment': 'PKIX',
- 'description': 'cmcControls (1 3 6 1 5 5 7 7)',
- 'hexoid': '06 07 2B 06 01 05 05 07 07',
- 'name': 'cmcControls',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 7)},
- 'cmpInformationTypes': {'comment': 'PKIX',
- 'description': 'cmpInformationTypes (1 3 6 1 5 5 7 4)',
- 'hexoid': '06 07 2B 06 01 05 05 07 04',
- 'name': 'cmpInformationTypes',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 4)},
- 'cms3DESwrap': {'comment': 'S/MIME Algorithms',
- 'description': 'cms3DESwrap (1 2 840 113549 1 9 16 3 6)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 03 06',
- 'name': 'cms3DESwrap',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 3, 6)},
- 'cmsRC2wrap': {'comment': 'S/MIME Algorithms',
- 'description': 'cmsRC2wrap (1 2 840 113549 1 9 16 3 7)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 03 07',
- 'name': 'cmsRC2wrap',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 3, 7)},
- 'codeSigning': {'comment': 'PKIX key purpose',
- 'description': 'codeSigning (1 3 6 1 5 5 7 3 3)',
- 'hexoid': '06 08 2B 06 01 05 05 07 03 03',
- 'name': 'codeSigning',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 3, 3)},
- 'collectiveFacsimileTelephoneNumber': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'collectiveFacsimileTelephoneNumber (2 5 4 23 1)',
- 'hexoid': '06 04 55 04 17 01',
- 'name': 'collectiveFacsimileTelephoneNumber',
- 'oid': (2, 5, 4, 23, 1)},
- 'collectiveInternationalISDNNumber': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'collectiveInternationalISDNNumber (2 5 4 25 1)',
- 'hexoid': '06 04 55 04 19 01',
- 'name': 'collectiveInternationalISDNNumber',
- 'oid': (2, 5, 4, 25, 1)},
- 'collectiveLocalityName': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'collectiveLocalityName (2 5 4 7 1)',
- 'hexoid': '06 04 55 04 07 01',
- 'name': 'collectiveLocalityName',
- 'oid': (2, 5, 4, 7, 1)},
- 'collectiveOrganizationName': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'collectiveOrganizationName (2 5 4 10 1)',
- 'hexoid': '06 04 55 04 0A 01',
- 'name': 'collectiveOrganizationName',
- 'oid': (2, 5, 4, 10, 1)},
- 'collectiveOrganizationalUnitName': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'collectiveOrganizationalUnitName (2 5 4 11 1)',
- 'hexoid': '06 04 55 04 0B 01',
- 'name': 'collectiveOrganizationalUnitName',
- 'oid': (2, 5, 4, 11, 1)},
- 'collectivePhysicalDeliveryOfficeName': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'collectivePhysicalDeliveryOfficeName (2 5 4 19 1)',
- 'hexoid': '06 04 55 04 13 01',
- 'name': 'collectivePhysicalDeliveryOfficeName',
- 'oid': (2, 5, 4, 19, 1)},
- 'collectivePostOfficeBox': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'collectivePostOfficeBox (2 5 4 18 1)',
- 'hexoid': '06 04 55 04 12 01',
- 'name': 'collectivePostOfficeBox',
- 'oid': (2, 5, 4, 18, 1)},
- 'collectivePostalAddress': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'collectivePostalAddress (2 5 4 16 1)',
- 'hexoid': '06 04 55 04 10 01',
- 'name': 'collectivePostalAddress',
- 'oid': (2, 5, 4, 16, 1)},
- 'collectivePostalCode': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'collectivePostalCode (2 5 4 17 1)',
- 'hexoid': '06 04 55 04 11 01',
- 'name': 'collectivePostalCode',
- 'oid': (2, 5, 4, 17, 1)},
- 'collectiveStateOrProvinceName': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'collectiveStateOrProvinceName (2 5 4 8 1)',
- 'hexoid': '06 04 55 04 08 01',
- 'name': 'collectiveStateOrProvinceName',
- 'oid': (2, 5, 4, 8, 1)},
- 'collectiveStreetAddress': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'collectiveStreetAddress (2 5 4 9 1)',
- 'hexoid': '06 04 55 04 09 01',
- 'name': 'collectiveStreetAddress',
- 'oid': (2, 5, 4, 9, 1)},
- 'collectiveTelephoneNumber': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'collectiveTelephoneNumber (2 5 4 20 1)',
- 'hexoid': '06 04 55 04 14 01',
- 'name': 'collectiveTelephoneNumber',
- 'oid': (2, 5, 4, 20, 1)},
- 'collectiveTeletexTerminalIdentifier': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'collectiveTeletexTerminalIdentifier (2 5 4 22 1)',
- 'hexoid': '06 04 55 04 16 01',
- 'name': 'collectiveTeletexTerminalIdentifier',
- 'oid': (2, 5, 4, 22, 1)},
- 'collectiveTelexNumber': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'collectiveTelexNumber (2 5 4 21 1)',
- 'hexoid': '06 04 55 04 15 01',
- 'name': 'collectiveTelexNumber',
- 'oid': (2, 5, 4, 21, 1)},
- 'commPrivileges': {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'commPrivileges (2 16 840 1 101 2 1 5 56)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 38',
- 'name': 'commPrivileges',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 56)},
- 'commercialCodeSigning': {'comment': 'Microsoft',
- 'description': 'commercialCodeSigning (1 3 6 1 4 1 311 2 1 22)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 02 01 16',
- 'name': 'commercialCodeSigning',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 2, 1, 22)},
- 'commitmentType': {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'commitmentType (1 2 840 113549 1 9 16 2 16)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 10',
- 'name': 'commitmentType',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 2, 16)},
- 'commonName': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'commonName (2 5 4 3)',
- 'hexoid': '06 03 55 04 03',
- 'name': 'commonName',
- 'oid': (2, 5, 4, 3)},
- 'communicationsNetwork': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'communicationsNetwork (2 5 4 67)',
- 'hexoid': '06 03 55 04 43',
- 'name': 'communicationsNetwork',
- 'oid': (2, 5, 4, 67)},
- 'communicationsService': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'communicationsService (2 5 4 66)',
- 'hexoid': '06 03 55 04 42',
- 'name': 'communicationsService',
- 'oid': (2, 5, 4, 66)},
- 'comodoCertifiedDeliveryService': {'comment': 'Comodo CA',
- 'description': 'comodoCertifiedDeliveryService (1 3 6 1 4 1 6449 1 3 5 2)',
- 'hexoid': '06 0B 2B 06 01 04 01 B2 31 01 03 05 02',
- 'name': 'comodoCertifiedDeliveryService',
- 'oid': (1,
- 3,
- 6,
- 1,
- 4,
- 1,
- 6449,
- 1,
- 3,
- 5,
- 2)},
- 'comodoPolicy': {'comment': 'Comodo CA',
- 'description': 'comodoPolicy (1 3 6 1 4 1 6449 1 2 1 3 1)',
- 'hexoid': '06 0C 2B 06 01 04 01 B2 31 01 02 01 03 01',
- 'name': 'comodoPolicy',
- 'oid': (1, 3, 6, 1, 4, 1, 6449, 1, 2, 1, 3, 1)},
- 'compressedData': {'comment': 'S/MIME Content Types',
- 'description': 'compressedData (1 2 840 113549 1 9 16 1 9)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 01 09',
- 'name': 'compressedData',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 1, 9)},
- 'confKeyInfo': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'confKeyInfo (2 5 4 60)',
- 'hexoid': '06 03 55 04 3C',
- 'name': 'confKeyInfo',
- 'oid': (2, 5, 4, 60)},
- 'confirmWaitTime': {'comment': 'PKIX CMP information',
- 'description': 'confirmWaitTime (1 3 6 1 5 5 7 4 14)',
- 'hexoid': '06 08 2B 06 01 05 05 07 04 0E',
- 'name': 'confirmWaitTime',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 4, 14)},
- 'container': {'comment': 'Microsoft Exchange Server - object class',
- 'description': 'container (1 2 840 113556 1 3 23)',
- 'hexoid': '06 09 2A 86 48 86 F7 14 01 03 17',
- 'name': 'container',
- 'oid': (1, 2, 840, 113556, 1, 3, 23)},
- 'contentHint': {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'contentHint (1 2 840 113549 1 9 16 2 4)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 04',
- 'name': 'contentHint',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 2, 4)},
- 'contentIdentifier': {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'contentIdentifier (1 2 840 113549 1 9 16 2 7)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 07',
- 'name': 'contentIdentifier',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 2, 7)},
- 'contentInfo': {'comment': 'S/MIME Content Types',
- 'description': 'contentInfo (1 2 840 113549 1 9 16 1 6)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 01 06',
- 'name': 'contentInfo',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 1, 6)},
- 'contentReference': {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'contentReference (1 2 840 113549 1 9 16 2 10)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 0A',
- 'name': 'contentReference',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 2, 10)},
- 'contentTimestamp': {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'contentTimestamp (1 2 840 113549 1 9 16 2 20)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 14',
- 'name': 'contentTimestamp',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 2, 20)},
- 'contentType': {'comment': 'SET',
- 'description': 'contentType (2 23 42 0)',
- 'hexoid': '06 03 67 2A 00',
- 'name': 'contentType',
- 'oid': (2, 23, 42, 0)},
- 'countersignature': {'comment': 'PKCS #9',
- 'description': 'countersignature (1 2 840 113549 1 9 6)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 06',
- 'name': 'countersignature',
- 'oid': (1, 2, 840, 113549, 1, 9, 6)},
- 'country': {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'country (2 5 6 2)',
- 'hexoid': '06 03 55 06 02',
- 'name': 'country',
- 'oid': (2, 5, 6, 2)},
- 'countryName': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'countryName (2 5 4 6)',
- 'hexoid': '06 03 55 04 06',
- 'name': 'countryName',
- 'oid': (2, 5, 4, 6)},
- 'countryOfCitizenship': {'comment': 'PKIX personal data',
- 'description': 'countryOfCitizenship (1 3 6 1 5 5 7 9 4)',
- 'hexoid': '06 08 2B 06 01 05 05 07 09 04',
- 'name': 'countryOfCitizenship',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 9, 4)},
- 'countryOfResidence': {'comment': 'PKIX personal data',
- 'description': 'countryOfResidence (1 3 6 1 5 5 7 9 5)',
- 'hexoid': '06 08 2B 06 01 05 05 07 09 05',
- 'name': 'countryOfResidence',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 9, 5)},
- 'cps': {'comment': 'PKIX policy qualifier',
- 'description': 'cps (1 3 6 1 5 5 7 2 1)',
- 'hexoid': '06 08 2B 06 01 05 05 07 02 01',
- 'name': 'cps',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 2, 1)},
- 'creationDate': {'comment': 'Telesec attribute',
- 'description': 'creationDate (0 2 262 1 10 7 5)',
- 'hexoid': '06 07 02 82 06 01 0A 07 05',
- 'name': 'creationDate',
- 'oid': (0, 2, 262, 1, 10, 7, 5)},
- 'crlExtReason': {'comment': 'cryptlib attribute type',
- 'description': 'crlExtReason (1 3 6 1 4 1 3029 3 1 4)',
- 'hexoid': '06 0A 2B 06 01 04 01 97 55 03 01 04',
- 'name': 'crlExtReason',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 3, 1, 4)},
- 'crlTypes': {'comment': 'PKCS #9 via PKCS #12',
- 'description': 'crlTypes (for PKCS #12) (1 2 840 113549 1 9 23)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 17',
- 'name': 'crlTypes',
- 'oid': (1, 2, 840, 113549, 1, 9, 23)},
- 'crmfRegistration': {'comment': 'PKIX',
- 'description': 'crmfRegistration (1 3 6 1 5 5 7 5)',
- 'hexoid': '06 07 2B 06 01 05 05 07 05',
- 'name': 'crmfRegistration',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 5)},
- 'crossCertificatePair': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'crossCertificatePair (2 5 4 40)',
- 'hexoid': '06 03 55 04 28',
- 'name': 'crossCertificatePair',
- 'oid': (2, 5, 4, 40)},
- 'cryptlibConfigData': {'comment': 'cryptlib content type',
- 'description': 'cryptlibConfigData (1 3 6 1 4 1 3029 4 1 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 97 55 04 01 01',
- 'name': 'cryptlibConfigData',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 4, 1, 1)},
- 'cryptlibContent': {'comment': 'cryptlib',
- 'description': 'cryptlibContent (1 3 6 1 4 1 3029 4 1)',
- 'hexoid': '06 09 2B 06 01 04 01 97 55 04 01',
- 'name': 'cryptlibContent',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 4, 1)},
- 'cryptlibPresenceCheck': {'comment': 'cryptlib attribute type',
- 'description': 'cryptlibPresenceCheck (1 3 6 1 4 1 3029 3 1 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 97 55 03 01 01',
- 'name': 'cryptlibPresenceCheck',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 3, 1, 1)},
- 'cryptlibUserIndex': {'comment': 'cryptlib content type',
- 'description': 'cryptlibUserIndex (1 3 6 1 4 1 3029 4 1 2)',
- 'hexoid': '06 0A 2B 06 01 04 01 97 55 04 01 02',
- 'name': 'cryptlibUserIndex',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 4, 1, 2)},
- 'cryptlibUserInfo': {'comment': 'cryptlib content type',
- 'description': 'cryptlibUserInfo (1 3 6 1 4 1 3029 4 1 3)',
- 'hexoid': '06 0A 2B 06 01 04 01 97 55 04 01 03',
- 'name': 'cryptlibUserInfo',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 4, 1, 3)},
- 'cspContentType': {'comment': 'SDN.700 INFOSEC format',
- 'description': 'cspContentType (2 16 840 1 101 2 1 2 3)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 02 03',
- 'name': 'cspContentType',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 2, 3)},
- 'cspCsExtn': {'comment': 'SDN.700 INFOSEC extensions',
- 'description': 'cspCsExtn (2 16 840 1 101 2 1 7 1 0)',
- 'hexoid': '06 0A 60 86 48 01 65 02 01 07 01 00',
- 'name': 'cspCsExtn',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 7, 1, 0)},
- 'cspExtns': {'comment': 'SDN.700 INFOSEC extensions',
- 'description': 'cspExtns (2 16 840 1 101 2 1 7 1)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 07 01',
- 'name': 'cspExtns',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 7, 1)},
- 'cspForwardedMessageParameters': {'comment': 'SDN.700 INFOSEC format',
- 'description': 'cspForwardedMessageParameters (2 16 840 1 101 2 1 2 75)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 02 4B',
- 'name': 'cspForwardedMessageParameters',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 2, 75)},
- 'ctlFileIsArchive': {'comment': 'Telesec attribute',
- 'description': 'ctlFileIsArchive (0 2 262 1 10 7 27)',
- 'hexoid': '06 07 02 82 06 01 0A 07 1B',
- 'name': 'ctlFileIsArchive',
- 'oid': (0, 2, 262, 1, 10, 7, 27)},
- 'currentCRL': {'comment': 'PKIX CMP information',
- 'description': 'currentCRL (1 3 6 1 5 5 7 4 6)',
- 'hexoid': '06 08 2B 06 01 05 05 07 04 06',
- 'name': 'currentCRL',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 4, 6)},
- 'dSA': {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'dSA (2 5 6 13)',
- 'hexoid': '06 03 55 06 0D',
- 'name': 'dSA',
- 'oid': (2, 5, 6, 13)},
- 'dVCSRequestData': {'comment': 'S/MIME Content Types',
- 'description': 'dVCSRequestData (1 2 840 113549 1 9 16 1 7)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 01 07',
- 'name': 'dVCSRequestData',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 1, 7)},
- 'dVCSResponseData': {'comment': 'S/MIME Content Types',
- 'description': 'dVCSResponseData (1 2 840 113549 1 9 16 1 8)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 01 08',
- 'name': 'dVCSResponseData',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 1, 8)},
- 'data': {'comment': 'PKCS #7',
- 'description': 'data (1 2 840 113549 1 7 1)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 07 01',
- 'name': 'data',
- 'oid': (1, 2, 840, 113549, 1, 7, 1)},
- 'data-type': {'comment': 'Netscape',
- 'description': 'data-type (2 16 840 1 113730 2)',
- 'hexoid': '06 08 60 86 48 01 86 F8 42 02',
- 'name': 'data-type',
- 'oid': (2, 16, 840, 1, 113730, 2)},
- 'dataGIF': {'comment': 'Netscape data type',
- 'description': 'dataGIF (2 16 840 1 113730 2 1)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 02 01',
- 'name': 'dataGIF',
- 'oid': (2, 16, 840, 1, 113730, 2, 1)},
- 'dataHTML': {'comment': 'Netscape data type',
- 'description': 'dataHTML (2 16 840 1 113730 2 4)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 02 04',
- 'name': 'dataHTML',
- 'oid': (2, 16, 840, 1, 113730, 2, 4)},
- 'dataJPEG': {'comment': 'Netscape data type',
- 'description': 'dataJPEG (2 16 840 1 113730 2 2)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 02 02',
- 'name': 'dataJPEG',
- 'oid': (2, 16, 840, 1, 113730, 2, 2)},
- 'dataURL': {'comment': 'Netscape data type',
- 'description': 'dataURL (2 16 840 1 113730 2 3)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 02 03',
- 'name': 'dataURL',
- 'oid': (2, 16, 840, 1, 113730, 2, 3)},
- 'date': {'comment': 'SET field',
- 'description': 'date (2 23 42 2 7)',
- 'hexoid': '06 04 67 2A 02 07',
- 'name': 'date',
- 'oid': (2, 23, 42, 2, 7)},
- 'dateOfBirth': {'comment': 'PKIX personal data',
- 'description': 'dateOfBirth (1 3 6 1 5 5 7 9 1)',
- 'hexoid': '06 08 2B 06 01 05 05 07 09 01',
- 'name': 'dateOfBirth',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 9, 1)},
- 'dateOfCertGen': {'comment': 'Teletrust attribute',
- 'description': 'dateOfCertGen (1 3 36 8 3 1)',
- 'hexoid': '06 05 2B 24 08 03 01',
- 'name': 'dateOfCertGen',
- 'oid': (1, 3, 36, 8, 3, 1)},
- 'decDEA': {'comment': 'DASS encryption algorithm',
- 'description': 'decDEA (1 3 12 2 1011 7 1 2)',
- 'hexoid': '06 08 2B 0C 02 87 73 07 01 02',
- 'name': 'decDEA',
- 'oid': (1, 3, 12, 2, 1011, 7, 1, 2)},
- 'decDEAMAC': {'comment': 'DASS signature algorithm',
- 'description': 'decDEAMAC (1 3 12 2 1011 7 3 3)',
- 'hexoid': '06 08 2B 0C 02 87 73 07 03 03',
- 'name': 'decDEAMAC',
- 'oid': (1, 3, 12, 2, 1011, 7, 3, 3)},
- 'decEncryptionAlgorithm': {'comment': 'DASS algorithm',
- 'description': 'decEncryptionAlgorithm (1 3 12 2 1011 7 1)',
- 'hexoid': '06 07 2B 0C 02 87 73 07 01',
- 'name': 'decEncryptionAlgorithm',
- 'oid': (1, 3, 12, 2, 1011, 7, 1)},
- 'decHashAlgorithm': {'comment': 'DASS algorithm',
- 'description': 'decHashAlgorithm (1 3 12 2 1011 7 2)',
- 'hexoid': '06 07 2B 0C 02 87 73 07 02',
- 'name': 'decHashAlgorithm',
- 'oid': (1, 3, 12, 2, 1011, 7, 2)},
- 'decMD2': {'comment': 'DASS hash algorithm',
- 'description': 'decMD2 (1 3 12 2 1011 7 2 1)',
- 'hexoid': '06 08 2B 0C 02 87 73 07 02 01',
- 'name': 'decMD2',
- 'oid': (1, 3, 12, 2, 1011, 7, 2, 1)},
- 'decMD2withRSA': {'comment': 'DASS signature algorithm',
- 'description': 'decMD2withRSA (1 3 12 2 1011 7 3 1)',
- 'hexoid': '06 08 2B 0C 02 87 73 07 03 01',
- 'name': 'decMD2withRSA',
- 'oid': (1, 3, 12, 2, 1011, 7, 3, 1)},
- 'decMD4': {'comment': 'DASS hash algorithm',
- 'description': 'decMD4 (1 3 12 2 1011 7 2 2)',
- 'hexoid': '06 08 2B 0C 02 87 73 07 02 02',
- 'name': 'decMD4',
- 'oid': (1, 3, 12, 2, 1011, 7, 2, 2)},
- 'decMD4withRSA': {'comment': 'DASS signature algorithm',
- 'description': 'decMD4withRSA (1 3 12 2 1011 7 3 2)',
- 'hexoid': '06 08 2B 0C 02 87 73 07 03 02',
- 'name': 'decMD4withRSA',
- 'oid': (1, 3, 12, 2, 1011, 7, 3, 2)},
- 'decSignatureAlgorithm': {'comment': 'DASS algorithm',
- 'description': 'decSignatureAlgorithm (1 3 12 2 1011 7 3)',
- 'hexoid': '06 07 2B 0C 02 87 73 07 03',
- 'name': 'decSignatureAlgorithm',
- 'oid': (1, 3, 12, 2, 1011, 7, 3)},
- 'decUKMs': {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'decUKMs (2 16 840 1 101 2 1 5 31)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 1F',
- 'name': 'decUKMs',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 31)},
- 'declarationOfMajority': {'comment': 'Teletrust attribute',
- 'description': 'declarationOfMajority (1 3 36 8 3 5)',
- 'hexoid': '06 05 2B 24 08 03 05',
- 'name': 'declarationOfMajority',
- 'oid': (1, 3, 36, 8, 3, 5)},
- 'defaultDirQop': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'defaultDirQop (2 5 4 56)',
- 'hexoid': '06 03 55 04 38',
- 'name': 'defaultDirQop',
- 'oid': (2, 5, 4, 56)},
- 'defaultSecurityPolicy': {'comment': 'SDN.700 INFOSEC policy',
- 'description': 'defaultSecurityPolicy (2 16 840 1 101 2 1 3 12)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 03 0C',
- 'name': 'defaultSecurityPolicy',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 3, 12)},
- 'delegationPath': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'delegationPath (2 5 4 73)',
- 'hexoid': '06 03 55 04 49',
- 'name': 'delegationPath',
- 'oid': (2, 5, 4, 73)},
- 'deliveryMechanism': {'comment': 'Microsoft Exchange Server - attribute',
- 'description': 'deliveryMechanism (1 2 840 113556 1 2 241)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 02 81 71',
- 'name': 'deliveryMechanism',
- 'oid': (1, 2, 840, 113556, 1, 2, 241)},
- 'deltaCRLIndicator': {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'deltaCRLIndicator (2 5 29 27)',
- 'hexoid': '06 03 55 1D 1B',
- 'name': 'deltaCRLIndicator',
- 'oid': (2, 5, 29, 27)},
- 'deltaRevocationList': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'deltaRevocationList (2 5 4 53)',
- 'hexoid': '06 03 55 04 35',
- 'name': 'deltaRevocationList',
- 'oid': (2, 5, 4, 53)},
- 'departmentNumber': {'comment': 'Netscape LDAP definitions',
- 'description': 'departmentNumber (2 16 840 1 113730 3 1 2)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 42 03 01 02',
- 'name': 'departmentNumber',
- 'oid': (2, 16, 840, 1, 113730, 3, 1, 2)},
- 'des': {'comment': 'Teletrust encryption algorithm',
- 'description': 'des (1 3 36 3 1 1)',
- 'hexoid': '06 05 2B 24 03 01 01',
- 'name': 'des',
- 'oid': (1, 3, 36, 3, 1, 1)},
- 'des-EDE3-CBC': {'comment': 'RSADSI encryptionAlgorithm',
- 'description': 'des-EDE3-CBC (1 2 840 113549 3 7)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 03 07',
- 'name': 'des-EDE3-CBC',
- 'oid': (1, 2, 840, 113549, 3, 7)},
- 'des3': {'comment': 'Telesec encryption',
- 'description': 'des3 (0 2 262 1 10 1 2 3)',
- 'hexoid': '06 08 02 82 06 01 0A 01 02 03',
- 'name': 'des3',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 3)},
- 'des3CBC': {'comment': 'Telesec encryption',
- 'description': 'des3CBC (0 2 262 1 10 1 2 3 2)',
- 'hexoid': '06 09 02 82 06 01 0A 01 02 03 02',
- 'name': 'des3CBC',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 3, 2)},
- 'des3CFB64': {'comment': 'Telesec encryption',
- 'description': 'des3CFB64 (0 2 262 1 10 1 2 3 5)',
- 'hexoid': '06 09 02 82 06 01 0A 01 02 03 05',
- 'name': 'des3CFB64',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 3, 5)},
- 'des3CFB8': {'comment': 'Telesec encryption',
- 'description': 'des3CFB8 (0 2 262 1 10 1 2 3 4)',
- 'hexoid': '06 09 02 82 06 01 0A 01 02 03 04',
- 'name': 'des3CFB8',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 3, 4)},
- 'des3ECB': {'comment': 'Telesec encryption',
- 'description': 'des3ECB (0 2 262 1 10 1 2 3 1)',
- 'hexoid': '06 09 02 82 06 01 0A 01 02 03 01',
- 'name': 'des3ECB',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 3, 1)},
- 'des3OFB': {'comment': 'Telesec encryption',
- 'description': 'des3OFB (0 2 262 1 10 1 2 3 3)',
- 'hexoid': '06 09 02 82 06 01 0A 01 02 03 03',
- 'name': 'des3OFB',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 3, 3)},
- 'des40': {'comment': 'PKIX algorithm',
- 'description': 'des40 (1 3 6 1 5 5 7 6 1)',
- 'hexoid': '06 08 2B 06 01 05 05 07 06 01',
- 'name': 'des40',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 6, 1)},
- 'desCBC': {'description': 'desCBC (1 3 14 3 2 7)',
- 'hexoid': '06 05 2B 0E 03 02 07',
- 'name': 'desCBC',
- 'oid': (1, 3, 14, 3, 2, 7)},
- 'desCBC_ISOpad': {'comment': 'Teletrust encryption algorithm',
- 'description': 'desCBC_ISOpad (1 3 36 3 1 1 2 1 1)',
- 'hexoid': '06 08 2B 24 03 01 01 02 01 01',
- 'name': 'desCBC_ISOpad',
- 'oid': (1, 3, 36, 3, 1, 1, 2, 1, 1)},
- 'desCBC_pad': {'comment': 'Teletrust encryption algorithm',
- 'description': 'desCBC_pad (1 3 36 3 1 1 2 1)',
- 'hexoid': '06 07 2B 24 03 01 01 02 01',
- 'name': 'desCBC_pad',
- 'oid': (1, 3, 36, 3, 1, 1, 2, 1)},
- 'desCDMF': {'comment': 'RSADSI encryptionAlgorithm. Formerly called CDMFCBCPad',
- 'description': 'desCDMF (1 2 840 113549 3 10)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 03 0A',
- 'name': 'desCDMF',
- 'oid': (1, 2, 840, 113549, 3, 10)},
- 'desCFB': {'description': 'desCFB (1 3 14 3 2 9)',
- 'hexoid': '06 05 2B 0E 03 02 09',
- 'name': 'desCFB',
- 'oid': (1, 3, 14, 3, 2, 9)},
- 'desCFB64': {'comment': 'Telesec encryption',
- 'description': 'desCFB64 (0 2 262 1 10 1 2 2 5)',
- 'hexoid': '06 09 02 82 06 01 0A 01 02 02 05',
- 'name': 'desCFB64',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 2, 5)},
- 'desCFB8': {'comment': 'Telesec encryption',
- 'description': 'desCFB8 (0 2 262 1 10 1 2 2 4)',
- 'hexoid': '06 09 02 82 06 01 0A 01 02 02 04',
- 'name': 'desCFB8',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 2, 4)},
- 'desCbcIV8': {'comment': 'Novell encryption algorithm',
- 'description': 'desCbcIV8 (2 16 840 1 113719 1 2 8 22)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 16',
- 'name': 'desCbcIV8',
- 'oid': (2, 16, 840, 1, 113719, 1, 2, 8, 22)},
- 'desCbcPadIV8': {'comment': 'Novell encryption algorithm',
- 'description': 'desCbcPadIV8 (2 16 840 1 113719 1 2 8 23)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 17',
- 'name': 'desCbcPadIV8',
- 'oid': (2, 16, 840, 1, 113719, 1, 2, 8, 23)},
- 'desECB': {'description': 'desECB (1 3 14 3 2 6)',
- 'hexoid': '06 05 2B 0E 03 02 06',
- 'name': 'desECB',
- 'oid': (1, 3, 14, 3, 2, 6)},
- 'desECB_ISOpad': {'comment': 'Teletrust encryption algorithm',
- 'description': 'desECB_ISOpad (1 3 36 3 1 1 1 1)',
- 'hexoid': '06 07 2B 24 03 01 01 01 01',
- 'name': 'desECB_ISOpad',
- 'oid': (1, 3, 36, 3, 1, 1, 1, 1)},
- 'desECB_pad': {'comment': 'Teletrust encryption algorithm',
- 'description': 'desECB_pad (1 3 36 3 1 1 1)',
- 'hexoid': '06 06 2B 24 03 01 01 01',
- 'name': 'desECB_pad',
- 'oid': (1, 3, 36, 3, 1, 1, 1)},
- 'desEDE': {'comment': 'Oddball OIW OID. Mode is ECB',
- 'description': 'desEDE (1 3 14 3 2 17)',
- 'hexoid': '06 05 2B 0E 03 02 11',
- 'name': 'desEDE',
- 'oid': (1, 3, 14, 3, 2, 17)},
- 'desEDE2CbcIV8': {'comment': 'Novell encryption algorithm',
- 'description': 'desEDE2CbcIV8 (2 16 840 1 113719 1 2 8 24)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 18',
- 'name': 'desEDE2CbcIV8',
- 'oid': (2, 16, 840, 1, 113719, 1, 2, 8, 24)},
- 'desEDE2CbcPadIV8': {'comment': 'Novell encryption algorithm',
- 'description': 'desEDE2CbcPadIV8 (2 16 840 1 113719 1 2 8 25)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 19',
- 'name': 'desEDE2CbcPadIV8',
- 'oid': (2, 16, 840, 1, 113719, 1, 2, 8, 25)},
- 'desEDE3CbcIV8': {'comment': 'Novell encryption algorithm',
- 'description': 'desEDE3CbcIV8 (2 16 840 1 113719 1 2 8 26)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 1A',
- 'name': 'desEDE3CbcIV8',
- 'oid': (2, 16, 840, 1, 113719, 1, 2, 8, 26)},
- 'desEDE3CbcPadIV8': {'comment': 'Novell encryption algorithm',
- 'description': 'desEDE3CbcPadIV8 (2 16 840 1 113719 1 2 8 27)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 1B',
- 'name': 'desEDE3CbcPadIV8',
- 'oid': (2, 16, 840, 1, 113719, 1, 2, 8, 27)},
- 'desMAC': {'description': 'desMAC (1 3 14 3 2 10)',
- 'hexoid': '06 05 2B 0E 03 02 0A',
- 'name': 'desMAC',
- 'oid': (1, 3, 14, 3, 2, 10)},
- 'desOFB': {'description': 'desOFB (1 3 14 3 2 8)',
- 'hexoid': '06 05 2B 0E 03 02 08',
- 'name': 'desOFB',
- 'oid': (1, 3, 14, 3, 2, 8)},
- 'des_3': {'comment': 'Teletrust encryption algorithm',
- 'description': 'des_3 (1 3 36 3 1 3)',
- 'hexoid': '06 05 2B 24 03 01 03',
- 'name': 'des_3',
- 'oid': (1, 3, 36, 3, 1, 3)},
- 'des_3CBC_ISOpad': {'comment': 'Teletrust encryption algorithm. EDE triple DES',
- 'description': 'des_3CBC_ISOpad (1 3 36 3 1 3 2 1 1)',
- 'hexoid': '06 08 2B 24 03 01 03 02 01 01',
- 'name': 'des_3CBC_ISOpad',
- 'oid': (1, 3, 36, 3, 1, 3, 2, 1, 1)},
- 'des_3CBC_pad': {'comment': 'Teletrust encryption algorithm. EDE triple DES',
- 'description': 'des_3CBC_pad (1 3 36 3 1 3 2 1)',
- 'hexoid': '06 07 2B 24 03 01 03 02 01',
- 'name': 'des_3CBC_pad',
- 'oid': (1, 3, 36, 3, 1, 3, 2, 1)},
- 'des_3ECB_ISOpad': {'comment': 'Teletrust encryption algorithm. EDE triple DES',
- 'description': 'des_3ECB_ISOpad (1 3 36 3 1 3 1 1 1)',
- 'hexoid': '06 08 2B 24 03 01 03 01 01 01',
- 'name': 'des_3ECB_ISOpad',
- 'oid': (1, 3, 36, 3, 1, 3, 1, 1, 1)},
- 'des_3ECB_pad': {'comment': 'Teletrust encryption algorithm. EDE triple DES',
- 'description': 'des_3ECB_pad (1 3 36 3 1 3 1 1)',
- 'hexoid': '06 07 2B 24 03 01 03 01 01',
- 'name': 'des_3ECB_pad',
- 'oid': (1, 3, 36, 3, 1, 3, 1, 1)},
- 'description': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'description (2 5 4 13)',
- 'hexoid': '06 03 55 04 0D',
- 'name': 'description',
- 'oid': (2, 5, 4, 13)},
- 'destinationIndicator': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'destinationIndicator (2 5 4 27)',
- 'hexoid': '06 03 55 04 1B',
- 'name': 'destinationIndicator',
- 'oid': (2, 5, 4, 27)},
- 'desx-CBC': {'comment': 'RSADSI encryptionAlgorithm',
- 'description': 'desx-CBC (1 2 840 113549 3 6)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 03 06',
- 'name': 'desx-CBC',
- 'oid': (1, 2, 840, 113549, 3, 6)},
- 'device': {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'device (2 5 6 14)',
- 'hexoid': '06 03 55 06 0E',
- 'name': 'device',
- 'oid': (2, 5, 6, 14)},
- 'dh-pop': {'comment': 'PKIX algorithm',
- 'description': 'dh-pop (1 3 6 1 5 5 7 6 4)',
- 'hexoid': '06 08 2B 06 01 05 05 07 06 04',
- 'name': 'dh-pop',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 6, 4)},
- 'dh-sig-hmac-sha1': {'comment': 'PKIX algorithm',
- 'description': 'dh-sig-hmac-sha1 (1 3 6 1 5 5 7 6 3)',
- 'hexoid': '06 08 2B 06 01 05 05 07 06 03',
- 'name': 'dh-sig-hmac-sha1',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 6, 3)},
- 'dhEphem': {'comment': 'ANSI X9.42 scheme',
- 'description': 'dhEphem (1 2 840 10046 3 2)',
- 'hexoid': '06 07 2A 86 48 CE 3E 03 02',
- 'name': 'dhEphem',
- 'oid': (1, 2, 840, 10046, 3, 2)},
- 'dhHybrid1': {'comment': 'ANSI X9.42 scheme',
- 'description': 'dhHybrid1 (1 2 840 10046 3 3)',
- 'hexoid': '06 07 2A 86 48 CE 3E 03 03',
- 'name': 'dhHybrid1',
- 'oid': (1, 2, 840, 10046, 3, 3)},
- 'dhHybrid2': {'comment': 'ANSI X9.42 scheme',
- 'description': 'dhHybrid2 (1 2 840 10046 3 4)',
- 'hexoid': '06 07 2A 86 48 CE 3E 03 04',
- 'name': 'dhHybrid2',
- 'oid': (1, 2, 840, 10046, 3, 4)},
- 'dhKeyAgreement': {'comment': 'PKCS #3',
- 'description': 'dhKeyAgreement (1 2 840 113549 1 3 1)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 03 01',
- 'name': 'dhKeyAgreement',
- 'oid': (1, 2, 840, 113549, 1, 3, 1)},
- 'dhPublicKey': {'comment': 'ANSI X9.42 number type',
- 'description': 'dhPublicKey (1 2 840 10046 2 1)',
- 'hexoid': '06 07 2A 86 48 CE 3E 02 01',
- 'name': 'dhPublicKey',
- 'oid': (1, 2, 840, 10046, 2, 1)},
- 'dhStatic': {'comment': 'ANSI X9.42 scheme',
- 'description': 'dhStatic (1 2 840 10046 3 1)',
- 'hexoid': '06 07 2A 86 48 CE 3E 03 01',
- 'name': 'dhStatic',
- 'oid': (1, 2, 840, 10046, 3, 1)},
- 'digestAlgorithm': {'description': 'digestAlgorithm (1 2 840 113549 2)',
- 'hexoid': '06 07 2A 86 48 86 F7 0D 02',
- 'name': 'digestAlgorithm',
- 'oid': (1, 2, 840, 113549, 2)},
- 'digestedData': {'comment': 'PKCS #7',
- 'description': 'digestedData (1 2 840 113549 1 7 5)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 07 05',
- 'name': 'digestedData',
- 'oid': (1, 2, 840, 113549, 1, 7, 5)},
- 'directory': {'comment': 'Netscape',
- 'description': 'directory (2 16 840 1 113730 3)',
- 'hexoid': '06 08 60 86 48 01 86 F8 42 03',
- 'name': 'directory',
- 'oid': (2, 16, 840, 1, 113730, 3)},
- 'directoryGroup': {'comment': 'Telesec object class',
- 'description': 'directoryGroup (0 2 262 1 10 3 3)',
- 'hexoid': '06 07 02 82 06 01 0A 03 03',
- 'name': 'directoryGroup',
- 'oid': (0, 2, 262, 1, 10, 3, 3)},
- 'directoryGroupName': {'comment': 'Telesec attribute',
- 'description': 'directoryGroupName (0 2 262 1 10 7 32)',
- 'hexoid': '06 07 02 82 06 01 0A 07 20',
- 'name': 'directoryGroupName',
- 'oid': (0, 2, 262, 1, 10, 7, 32)},
- 'directoryName': {'comment': 'Telesec attribute',
- 'description': 'directoryName (0 2 262 1 10 7 30)',
- 'hexoid': '06 07 02 82 06 01 0A 07 1E',
- 'name': 'directoryName',
- 'oid': (0, 2, 262, 1, 10, 7, 30)},
- 'directoryService': {'comment': 'Teletrust extended key usage',
- 'description': 'directoryService (1 3 36 8 2 1)',
- 'hexoid': '06 05 2B 24 08 02 01',
- 'name': 'directoryService',
- 'oid': (1, 3, 36, 8, 2, 1)},
- 'directoryType': {'comment': 'Telesec object class',
- 'description': 'directoryType (0 2 262 1 10 3 2)',
- 'hexoid': '06 07 02 82 06 01 0A 03 02',
- 'name': 'directoryType',
- 'oid': (0, 2, 262, 1, 10, 3, 2)},
- 'directoryTypeName': {'comment': 'Telesec attribute',
- 'description': 'directoryTypeName (0 2 262 1 10 7 31)',
- 'hexoid': '06 07 02 82 06 01 0A 07 1F',
- 'name': 'directoryTypeName',
- 'oid': (0, 2, 262, 1, 10, 7, 31)},
- 'directoryUser': {'comment': 'Telesec object class',
- 'description': 'directoryUser (0 2 262 1 10 3 4)',
- 'hexoid': '06 07 02 82 06 01 0A 03 04',
- 'name': 'directoryUser',
- 'oid': (0, 2, 262, 1, 10, 3, 4)},
- 'directoryUserName': {'comment': 'Telesec attribute',
- 'description': 'directoryUserName (0 2 262 1 10 7 33)',
- 'hexoid': '06 07 02 82 06 01 0A 07 21',
- 'name': 'directoryUserName',
- 'oid': (0, 2, 262, 1, 10, 7, 33)},
- 'distinguishedName': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'distinguishedName (2 5 4 49)',
- 'hexoid': '06 03 55 04 31',
- 'name': 'distinguishedName',
- 'oid': (2, 5, 4, 49)},
- 'dmdName': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'dmdName (2 5 4 54)',
- 'hexoid': '06 03 55 04 36',
- 'name': 'dmdName',
- 'oid': (2, 5, 4, 54)},
- 'dnQualifier': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'dnQualifier (2 5 4 46)',
- 'hexoid': '06 03 55 04 2E',
- 'name': 'dnQualifier',
- 'oid': (2, 5, 4, 46)},
- 'document': {'comment': 'Teletrust document',
- 'description': 'document (1 3 36 1)',
- 'hexoid': '06 03 2B 24 01',
- 'name': 'document',
- 'oid': (1, 3, 36, 1)},
- 'domainComponent': {'comment': 'Men are from Mars, this OID is from Pluto',
- 'description': 'domainComponent (0 9 2342 19200300 100 1 25)',
- 'hexoid': '06 0A 09 92 26 89 93 F2 2C 64 01 19',
- 'name': 'domainComponent',
- 'oid': (0, 9, 2342, 19200300, 100, 1, 25)},
- 'domainSig': {'comment': 'S/MIME Signature Type Identifier',
- 'description': 'domainSig (1 2 840 113549 1 9 16 9 2)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 09 02',
- 'name': 'domainSig',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 9, 2)},
- 'draft': {'comment': 'Teletrust document',
- 'description': 'draft (1 3 36 1 2)',
- 'hexoid': '06 04 2B 24 01 02',
- 'name': 'draft',
- 'oid': (1, 3, 36, 1, 2)},
- 'dsa': {'comment': 'ANSI X9.57 algorithm',
- 'description': 'dsa (1 2 840 10040 4 1)',
- 'hexoid': '06 07 2A 86 48 CE 38 04 01',
- 'name': 'dsa',
- 'oid': (1, 2, 840, 10040, 4, 1)},
- 'dsa-match': {'comment': 'ANSI X9.57 algorithm',
- 'description': 'dsa-match (1 2 840 10040 4 2)',
- 'hexoid': '06 07 2A 86 48 CE 38 04 02',
- 'name': 'dsa-match',
- 'oid': (1, 2, 840, 10040, 4, 2)},
- 'dsaExtended': {'comment': 'Teletrust signature algorithm',
- 'description': 'dsaExtended (1 3 36 8 5 1 2 1)',
- 'hexoid': '06 07 2B 24 08 05 01 02 01',
- 'name': 'dsaExtended',
- 'oid': (1, 3, 36, 8, 5, 1, 2, 1)},
- 'dsaWithCommonSHA1': {'comment': 'OIW',
- 'description': 'dsaWithCommonSHA1 (1 3 14 3 2 28)',
- 'hexoid': '06 05 2B 0E 03 02 1C',
- 'name': 'dsaWithCommonSHA1',
- 'oid': (1, 3, 14, 3, 2, 28)},
- 'dsaWithRIPEMD160': {'comment': 'Teletrust signature algorithm',
- 'description': 'dsaWithRIPEMD160 (1 3 36 8 5 1 2 2)',
- 'hexoid': '06 07 2B 24 08 05 01 02 02',
- 'name': 'dsaWithRIPEMD160',
- 'oid': (1, 3, 36, 8, 5, 1, 2, 2)},
- 'dsaWithSHA1': {'comment': 'OIW. This OID may also be assigned as ripemd-160',
- 'description': 'dsaWithSHA1 (1 3 14 3 2 27)',
- 'hexoid': '06 05 2B 0E 03 02 1B',
- 'name': 'dsaWithSHA1',
- 'oid': (1, 3, 14, 3, 2, 27)},
- 'dsaWithSha1': {'comment': 'ANSI X9.57 algorithm',
- 'description': 'dsaWithSha1 (1 2 840 10040 4 3)',
- 'hexoid': '06 07 2A 86 48 CE 38 04 03',
- 'name': 'dsaWithSha1',
- 'oid': (1, 2, 840, 10040, 4, 3)},
- 'dsaWithSha224': {'comment': 'NIST Algorithm',
- 'description': 'dsaWithSha224 (2 16 840 1 101 3 4 3 1)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 03 01',
- 'name': 'dsaWithSha224',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 3, 1)},
- 'dsaWithSha256': {'comment': 'NIST Algorithm',
- 'description': 'dsaWithSha256 (2 16 840 1 101 3 4 3 2)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 03 02',
- 'name': 'dsaWithSha256',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 3, 2)},
- 'dvcs': {'comment': 'PKIX key purpose',
- 'description': 'dvcs (1 3 6 1 5 5 7 3 10)',
- 'hexoid': '06 08 2B 06 01 05 05 07 03 0A',
- 'name': 'dvcs',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 3, 10)},
- 'dvcs-dvc': {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'dvcs-dvc (1 2 840 113549 1 9 16 2 29)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 1D',
- 'name': 'dvcs-dvc',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 2, 29)},
- 'e-COMM': {'comment': 'SET vendor',
- 'description': 'e-COMM (2 23 42 9 37)',
- 'hexoid': '06 04 67 2A 09 25',
- 'name': 'e-COMM',
- 'oid': (2, 23, 42, 9, 37)},
- 'eLab': {'comment': 'SET vendor',
- 'description': 'eLab (2 23 42 9 22)',
- 'hexoid': '06 04 67 2A 09 16',
- 'name': 'eLab',
- 'oid': (2, 23, 42, 9, 22)},
- 'eapOverPPP': {'comment': 'PKIX key purpose',
- 'description': 'eapOverPPP (1 3 6 1 5 5 7 3 13)',
- 'hexoid': '06 08 2B 06 01 05 05 07 03 0D',
- 'name': 'eapOverPPP',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 3, 13)},
- 'ecPublicKey': {'comment': 'ANSI X9.62 public key type',
- 'description': 'ecPublicKey (1 2 840 10045 2 1)',
- 'hexoid': '06 07 2A 86 48 CE 3D 02 01',
- 'name': 'ecPublicKey',
- 'oid': (1, 2, 840, 10045, 2, 1)},
- 'ecdsaWithRecommended': {'comment': 'ANSI X9.62 ECDSA algorithm with Recommended',
- 'description': 'ecdsaWithRecommended (1 2 840 10045 4 2)',
- 'hexoid': '06 07 2A 86 48 CE 3D 04 02',
- 'name': 'ecdsaWithRecommended',
- 'oid': (1, 2, 840, 10045, 4, 2)},
- 'ecdsaWithSHA1': {'comment': 'ANSI X9.62 ECDSA algorithm with SHA1',
- 'description': 'ecdsaWithSHA1 (1 2 840 10045 4 1)',
- 'hexoid': '06 07 2A 86 48 CE 3D 04 01',
- 'name': 'ecdsaWithSHA1',
- 'oid': (1, 2, 840, 10045, 4, 1)},
- 'ecdsaWithSHA224': {'comment': 'ANSI X9.62 ECDSA algorithm with SHA224',
- 'description': 'ecdsaWithSHA224 (1 2 840 10045 4 3 1)',
- 'hexoid': '06 08 2A 86 48 CE 3D 04 03 01',
- 'name': 'ecdsaWithSHA224',
- 'oid': (1, 2, 840, 10045, 4, 3, 1)},
- 'ecdsaWithSHA256': {'comment': 'ANSI X9.62 ECDSA algorithm with SHA256',
- 'description': 'ecdsaWithSHA256 (1 2 840 10045 4 3 2)',
- 'hexoid': '06 08 2A 86 48 CE 3D 04 03 02',
- 'name': 'ecdsaWithSHA256',
- 'oid': (1, 2, 840, 10045, 4, 3, 2)},
- 'ecdsaWithSHA384': {'comment': 'ANSI X9.62 ECDSA algorithm with SHA384',
- 'description': 'ecdsaWithSHA384 (1 2 840 10045 4 3 3)',
- 'hexoid': '06 08 2A 86 48 CE 3D 04 03 03',
- 'name': 'ecdsaWithSHA384',
- 'oid': (1, 2, 840, 10045, 4, 3, 3)},
- 'ecdsaWithSHA512': {'comment': 'ANSI X9.62 ECDSA algorithm with SHA512',
- 'description': 'ecdsaWithSHA512 (1 2 840 10045 4 3 4)',
- 'hexoid': '06 08 2A 86 48 CE 3D 04 03 04',
- 'name': 'ecdsaWithSHA512',
- 'oid': (1, 2, 840, 10045, 4, 3, 4)},
- 'ecdsaWithSpecified': {'comment': 'ANSI X9.62 ECDSA algorithm with Specified',
- 'description': 'ecdsaWithSpecified (1 2 840 10045 4 3)',
- 'hexoid': '06 07 2A 86 48 CE 3D 04 03',
- 'name': 'ecdsaWithSpecified',
- 'oid': (1, 2, 840, 10045, 4, 3)},
- 'eciaAscX12Edi': {'comment': 'TMN EDI for Interactive Agents',
- 'description': 'eciaAscX12Edi (1 3 6 1 4 1 3576 7)',
- 'hexoid': '06 08 2B 06 01 04 01 9B 78 07',
- 'name': 'eciaAscX12Edi',
- 'oid': (1, 3, 6, 1, 4, 1, 3576, 7)},
- 'eciaEdifact': {'comment': 'TMN EDI for Interactive Agents',
- 'description': 'eciaEdifact (1 3 6 1 4 1 3576 8)',
- 'hexoid': '06 08 2B 06 01 04 01 9B 78 08',
- 'name': 'eciaEdifact',
- 'oid': (1, 3, 6, 1, 4, 1, 3576, 8)},
- 'eciaNonEdi': {'comment': 'TMN EDI for Interactive Agents',
- 'description': 'eciaNonEdi (1 3 6 1 4 1 3576 9)',
- 'hexoid': '06 08 2B 06 01 04 01 9B 78 09',
- 'name': 'eciaNonEdi',
- 'oid': (1, 3, 6, 1, 4, 1, 3576, 9)},
- 'ecsieSign': {'comment': 'Teletrust signature algorithm',
- 'description': 'ecsieSign (1 3 36 3 3 2)',
- 'hexoid': '06 05 2B 24 03 03 02',
- 'name': 'ecsieSign',
- 'oid': (1, 3, 36, 3, 3, 2)},
- 'ecsieSignWithmd2': {'comment': 'Teletrust signature algorithm',
- 'description': 'ecsieSignWithmd2 (1 3 36 3 3 2 3)',
- 'hexoid': '06 06 2B 24 03 03 02 03',
- 'name': 'ecsieSignWithmd2',
- 'oid': (1, 3, 36, 3, 3, 2, 3)},
- 'ecsieSignWithmd5': {'comment': 'Teletrust signature algorithm',
- 'description': 'ecsieSignWithmd5 (1 3 36 3 3 2 4)',
- 'hexoid': '06 06 2B 24 03 03 02 04',
- 'name': 'ecsieSignWithmd5',
- 'oid': (1, 3, 36, 3, 3, 2, 4)},
- 'ecsieSignWithripemd160': {'comment': 'Teletrust signature algorithm',
- 'description': 'ecsieSignWithripemd160 (1 3 36 3 3 2 2)',
- 'hexoid': '06 06 2B 24 03 03 02 02',
- 'name': 'ecsieSignWithripemd160',
- 'oid': (1, 3, 36, 3, 3, 2, 2)},
- 'ecsieSignWithsha1': {'comment': 'Teletrust signature algorithm',
- 'description': 'ecsieSignWithsha1 (1 3 36 3 3 2 1)',
- 'hexoid': '06 06 2B 24 03 03 02 01',
- 'name': 'ecsieSignWithsha1',
- 'oid': (1, 3, 36, 3, 3, 2, 1)},
- 'electronicOrder': {'comment': 'Telesec module',
- 'description': 'electronicOrder (0 2 262 1 10 2 10)',
- 'hexoid': '06 07 02 82 06 01 0A 02 0A',
- 'name': 'electronicOrder',
- 'oid': (0, 2, 262, 1, 10, 2, 10)},
- 'elgamal': {'comment': 'cryptlib public-key algorithm',
- 'description': 'elgamal (1 3 6 1 4 1 3029 1 2 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 97 55 01 02 01',
- 'name': 'elgamal',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 1, 2, 1)},
- 'elgamalWithRIPEMD-160': {'comment': 'cryptlib public-key algorithm',
- 'description': 'elgamalWithRIPEMD-160 (1 3 6 1 4 1 3029 1 2 1 2)',
- 'hexoid': '06 0B 2B 06 01 04 01 97 55 01 02 01 02',
- 'name': 'elgamalWithRIPEMD-160',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 1, 2, 1, 2)},
- 'elgamalWithSHA-1': {'comment': 'cryptlib public-key algorithm',
- 'description': 'elgamalWithSHA-1 (1 3 6 1 4 1 3029 1 2 1 1)',
- 'hexoid': '06 0B 2B 06 01 04 01 97 55 01 02 01 01',
- 'name': 'elgamalWithSHA-1',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 1, 2, 1, 1)},
- 'emailAddress': {'comment': 'PKCS #9. Deprecated, use an altName extension instead',
- 'description': 'emailAddress (1 2 840 113549 1 9 1)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 01',
- 'name': 'emailAddress',
- 'oid': (1, 2, 840, 113549, 1, 9, 1)},
- 'emailProtection': {'comment': 'PKIX key purpose',
- 'description': 'emailProtection (1 3 6 1 5 5 7 3 4)',
- 'hexoid': '06 08 2B 06 01 05 05 07 03 04',
- 'name': 'emailProtection',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 3, 4)},
- 'employeeNumber': {'comment': 'Netscape LDAP definitions',
- 'description': 'employeeNumber (2 16 840 1 113730 3 1 3)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 42 03 01 03',
- 'name': 'employeeNumber',
- 'oid': (2, 16, 840, 1, 113730, 3, 1, 3)},
- 'employeeType': {'comment': 'Netscape LDAP definitions',
- 'description': 'employeeType (2 16 840 1 113730 3 1 4)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 42 03 01 04',
- 'name': 'employeeType',
- 'oid': (2, 16, 840, 1, 113730, 3, 1, 4)},
- 'emptyContent': {'comment': 'SDN.700 INFOSEC format',
- 'description': 'emptyContent (2 16 840 1 101 2 1 2 2)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 02 02',
- 'name': 'emptyContent',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 2, 2)},
- 'encAttrs': {'comment': 'PKIX attribute certificate extension',
- 'description': 'encAttrs (1 3 6 1 5 5 7 10 6)',
- 'hexoid': '06 08 2B 06 01 05 05 07 0A 06',
- 'name': 'encAttrs',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 10, 6)},
- 'encISO9796-2Withrsa': {'comment': 'Teletrust key management. 9796-2 with key stored in hash field',
- 'description': 'encISO9796-2Withrsa (1 3 36 7 2 1)',
- 'hexoid': '06 05 2B 24 07 02 01',
- 'name': 'encISO9796-2Withrsa',
- 'oid': (1, 3, 36, 7, 2, 1)},
- 'encKeyPairTypes': {'comment': 'PKIX CMP information',
- 'description': 'encKeyPairTypes (1 3 6 1 5 5 7 4 3)',
- 'hexoid': '06 08 2B 06 01 05 05 07 04 03',
- 'name': 'encKeyPairTypes',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 4, 3)},
- 'encrypKeyPref': {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'encrypKeyPref (1 2 840 113549 1 9 16 2 11)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 0B',
- 'name': 'encrypKeyPref',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 2, 11)},
- 'encryptedData': {'comment': 'PKCS #7',
- 'description': 'encryptedData (1 2 840 113549 1 7 6)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 07 06',
- 'name': 'encryptedData',
- 'oid': (1, 2, 840, 113549, 1, 7, 6)},
- 'encryptedFileSystem': {'comment': 'Microsoft enhanced key usage',
- 'description': 'encryptedFileSystem (1 3 6 1 4 1 311 10 3 4)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 0A 03 04',
- 'name': 'encryptedFileSystem',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 10, 3, 4)},
- 'encryptedKeyHash': {'comment': 'Microsoft attribute',
- 'description': 'encryptedKeyHash (1 3 6 1 4 1 311 21 21)',
- 'hexoid': '06 09 2B 06 01 04 01 82 37 15 15',
- 'name': 'encryptedKeyHash',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 21, 21)},
- 'encryptedPrivateKeyInfo': {'comment': 'PKCS #9/RFC 2985 attribute',
- 'description': 'encryptedPrivateKeyInfo (1 2 840 113549 1 9 25 2)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 09 19 02',
- 'name': 'encryptedPrivateKeyInfo',
- 'oid': (1, 2, 840, 113549, 1, 9, 25, 2)},
- 'encryption': {'comment': 'Telesec mechanism',
- 'description': 'encryption (0 2 262 1 10 1 2)',
- 'hexoid': '06 07 02 82 06 01 0A 01 02',
- 'name': 'encryption',
- 'oid': (0, 2, 262, 1, 10, 1, 2)},
- 'encryptionAlgorithm': {'comment': 'Teletrust algorithm',
- 'description': 'encryptionAlgorithm (1 3 36 3 1)',
- 'hexoid': '06 04 2B 24 03 01',
- 'name': 'encryptionAlgorithm',
- 'oid': (1, 3, 36, 3, 1)},
- 'enhancedSearchGuide': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'enhancedSearchGuide (2 5 4 47)',
- 'hexoid': '06 03 55 04 2F',
- 'name': 'enhancedSearchGuide',
- 'oid': (2, 5, 4, 47)},
- 'enrollCerttypeExtension': {'comment': 'Microsoft CAPICOM certificate template, V1',
- 'description': 'enrollCerttypeExtension (1 3 6 1 4 1 311 20 2)',
- 'hexoid': '06 09 2B 06 01 04 01 82 37 14 02',
- 'name': 'enrollCerttypeExtension',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 20, 2)},
- 'enrolmentCSP': {'comment': 'Microsoft attribute',
- 'description': 'enrolmentCSP (1 3 6 1 4 1 311 13 2 2)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 0D 02 02',
- 'name': 'enrolmentCSP',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 13, 2, 2)},
- 'enrolmentNameValuePair': {'comment': 'Microsoft attribute',
- 'description': 'enrolmentNameValuePair (1 3 6 1 4 1 311 13 2 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 0D 02 01',
- 'name': 'enrolmentNameValuePair',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 13, 2, 1)},
- 'entrustCAInfo': {'comment': 'Nortel Secure Networks at',
- 'description': 'entrustCAInfo (1 2 840 113533 7 68 0)',
- 'hexoid': '06 09 2A 86 48 86 F6 7D 07 44 00',
- 'name': 'entrustCAInfo',
- 'oid': (1, 2, 840, 113533, 7, 68, 0)},
- 'entrustUser': {'comment': 'Nortel Secure Networks oc',
- 'description': 'entrustUser (1 2 840 113533 7 67 0)',
- 'hexoid': '06 09 2A 86 48 86 F6 7D 07 43 00',
- 'name': 'entrustUser',
- 'oid': (1, 2, 840, 113533, 7, 67, 0)},
- 'entrustVersInfo': {'comment': 'Nortel Secure Networks ce',
- 'description': 'entrustVersInfo (1 2 840 113533 7 65 0)',
- 'hexoid': '06 09 2A 86 48 86 F6 7D 07 41 00',
- 'name': 'entrustVersInfo',
- 'oid': (1, 2, 840, 113533, 7, 65, 0)},
- 'envelopedData': {'comment': 'PKCS #7',
- 'description': 'envelopedData (1 2 840 113549 1 7 3)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 07 03',
- 'name': 'envelopedData',
- 'oid': (1, 2, 840, 113549, 1, 7, 3)},
- 'equivalentLabels': {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'equivalentLabels (1 2 840 113549 1 9 16 2 9)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 09',
- 'name': 'equivalentLabels',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 2, 9)},
- 'esDH': {'comment': 'S/MIME Algorithms',
- 'description': 'esDH (1 2 840 113549 1 9 16 3 5)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 03 05',
- 'name': 'esDH',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 3, 5)},
- 'escTimeStamp': {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'escTimeStamp (1 2 840 113549 1 9 16 2 25)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 19',
- 'name': 'escTimeStamp',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 2, 25)},
- 'espace-net': {'comment': 'SET vendor',
- 'description': 'espace-net (2 23 42 9 31)',
- 'hexoid': '06 04 67 2A 09 1F',
- 'name': 'espace-net',
- 'oid': (2, 23, 42, 9, 31)},
- 'etsiQcs': {'comment': 'ETSI TS 101 862 qualified certificates',
- 'description': 'etsiQcs (0 4 0 1862 1)',
- 'hexoid': '06 05 04 00 8E 46 01',
- 'name': 'etsiQcs',
- 'oid': (0, 4, 0, 1862, 1)},
- 'etsiQcsCompliance': {'comment': 'ETSI TS 101 862 qualified certificates',
- 'description': 'etsiQcsCompliance (0 4 0 1862 1 1)',
- 'hexoid': '06 06 04 00 8E 46 01 01',
- 'name': 'etsiQcsCompliance',
- 'oid': (0, 4, 0, 1862, 1, 1)},
- 'etsiQcsLimitValue': {'comment': 'ETSI TS 101 862 qualified certificates',
- 'description': 'etsiQcsLimitValue (0 4 0 1862 1 2)',
- 'hexoid': '06 06 04 00 8E 46 01 02',
- 'name': 'etsiQcsLimitValue',
- 'oid': (0, 4, 0, 1862, 1, 2)},
- 'etsiQcsProfile': {'comment': 'ETSI TS 101 862 qualified certificates',
- 'description': 'etsiQcsProfile (0 4 0 1862)',
- 'hexoid': '06 04 04 00 8E 46',
- 'name': 'etsiQcsProfile',
- 'oid': (0, 4, 0, 1862)},
- 'etsiQcsQcSSCD': {'comment': 'ETSI TS 101 862 qualified certificates',
- 'description': 'etsiQcsQcSSCD (0 4 0 1862 1 4)',
- 'hexoid': '06 06 04 00 8E 46 01 04',
- 'name': 'etsiQcsQcSSCD',
- 'oid': (0, 4, 0, 1862, 1, 4)},
- 'etsiQcsRetentionPeriod': {'comment': 'ETSI TS 101 862 qualified certificates',
- 'description': 'etsiQcsRetentionPeriod (0 4 0 1862 1 3)',
- 'hexoid': '06 06 04 00 8E 46 01 03',
- 'name': 'etsiQcsRetentionPeriod',
- 'oid': (0, 4, 0, 1862, 1, 3)},
- 'extKeyUsage': {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'extKeyUsage (2 5 29 37)',
- 'hexoid': '06 03 55 1D 25',
- 'name': 'extKeyUsage',
- 'oid': (2, 5, 29, 37)},
- 'extendedCertificateAttributes': {'comment': 'PKCS #9',
- 'description': 'extendedCertificateAttributes (1 2 840 113549 1 9 9)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 09',
- 'name': 'extendedCertificateAttributes',
- 'oid': (1, 2, 840, 113549, 1, 9, 9)},
- 'extension': {'comment': 'Telesec',
- 'description': 'extension (0 2 262 1 10 0)',
- 'hexoid': '06 06 02 82 06 01 0A 00',
- 'name': 'extension',
- 'oid': (0, 2, 262, 1, 10, 0)},
- 'extensionRequest': {'comment': 'PKCS #9 via CRMF',
- 'description': 'extensionRequest (1 2 840 113549 1 9 14)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 0E',
- 'name': 'extensionRequest',
- 'oid': (1, 2, 840, 113549, 1, 9, 14)},
- 'facsimileTelephoneNumber': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'facsimileTelephoneNumber (2 5 4 23)',
- 'hexoid': '06 03 55 04 17',
- 'name': 'facsimileTelephoneNumber',
- 'oid': (2, 5, 4, 23)},
- 'failInfo': {'comment': 'Verisign PKCS #7 attribute',
- 'description': 'failInfo (2 16 840 1 113733 1 9 4)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 45 01 09 04',
- 'name': 'failInfo',
- 'oid': (2, 16, 840, 1, 113733, 1, 9, 4)},
- 'familyInformation': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'familyInformation (2 5 4 64)',
- 'hexoid': '06 03 55 04 40',
- 'name': 'familyInformation',
- 'oid': (2, 5, 4, 64)},
- 'familyName': {'comment': 'SET field',
- 'description': 'familyName (2 23 42 2 2)',
- 'hexoid': '06 04 67 2A 02 02',
- 'name': 'familyName',
- 'oid': (2, 23, 42, 2, 2)},
- 'febUKMs': {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'febUKMs (2 16 840 1 101 2 1 5 21)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 15',
- 'name': 'febUKMs',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 21)},
- 'fec': {'comment': 'Telesec module',
- 'description': 'fec (0 2 262 1 10 2 6)',
- 'hexoid': '06 07 02 82 06 01 0A 02 06',
- 'name': 'fec',
- 'oid': (0, 2, 262, 1, 10, 2, 6)},
- 'fecFunction': {'comment': 'Telesec mechanism',
- 'description': 'fecFunction (0 2 262 1 10 1 4)',
- 'hexoid': '06 07 02 82 06 01 0A 01 04',
- 'name': 'fecFunction',
- 'oid': (0, 2, 262, 1, 10, 1, 4)},
- 'field': {'comment': 'SET',
- 'description': 'field (2 23 42 2)',
- 'hexoid': '06 03 67 2A 02',
- 'name': 'field',
- 'oid': (2, 23, 42, 2)},
- 'fieldType': {'comment': 'ANSI X9.42',
- 'description': 'fieldType (1 2 840 10046 1)',
- 'hexoid': '06 06 2A 86 48 CE 3E 01',
- 'name': 'fieldType',
- 'oid': (1, 2, 840, 10046, 1)},
- 'fileName': {'comment': 'Teletrust signature attributes',
- 'description': 'fileName (1 3 36 8 6 5)',
- 'hexoid': '06 05 2B 24 08 06 05',
- 'name': 'fileName',
- 'oid': (1, 3, 36, 8, 6, 5)},
- 'fileSize': {'comment': 'Teletrust signature attributes',
- 'description': 'fileSize (1 3 36 8 6 7)',
- 'hexoid': '06 05 2B 24 08 06 07',
- 'name': 'fileSize',
- 'oid': (1, 3, 36, 8, 6, 7)},
- 'fileType': {'comment': 'Telesec attribute',
- 'description': 'fileType (0 2 262 1 10 7 26)',
- 'hexoid': '06 07 02 82 06 01 0A 07 1A',
- 'name': 'fileType',
- 'oid': (0, 2, 262, 1, 10, 7, 26)},
- 'finalVersion': {'comment': 'Teletrust document',
- 'description': 'finalVersion (1 3 36 1 1)',
- 'hexoid': '06 04 2B 24 01 01',
- 'name': 'finalVersion',
- 'oid': (1, 3, 36, 1, 1)},
- 'fortezzaCKL': {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'fortezzaCKL (2 16 840 1 101 2 1 5 46)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 2E',
- 'name': 'fortezzaCKL',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 46)},
- 'fortezzaConfidentialityAlgorithm': {'comment': 'SDN.700 INFOSEC algorithms. Formerly known as mosaicConfidentialityAlgorithm',
- 'description': 'fortezzaConfidentialityAlgorithm (2 16 840 1 101 2 1 1 4)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 04',
- 'name': 'fortezzaConfidentialityAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 4)},
- 'fortezzaIntegrityAlgorithm': {'comment': 'SDN.700 INFOSEC algorithms. Formerly known as mosaicIntegrityAlgorithm',
- 'description': 'fortezzaIntegrityAlgorithm (2 16 840 1 101 2 1 1 6)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 06',
- 'name': 'fortezzaIntegrityAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 6)},
- 'fortezzaKMandSigAlgorithm': {'comment': 'SDN.700 INFOSEC algorithms. Formerly known as mosaicKMandSigAlgorithm',
- 'description': 'fortezzaKMandSigAlgorithm (2 16 840 1 101 2 1 1 12)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 0C',
- 'name': 'fortezzaKMandSigAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 12)},
- 'fortezzaKMandUpdSigAlgorithms': {'comment': 'SDN.700 INFOSEC algorithms. Formerly known as mosaicKMandUpdSigAlgorithms',
- 'description': 'fortezzaKMandUpdSigAlgorithms (2 16 840 1 101 2 1 1 20)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 14',
- 'name': 'fortezzaKMandUpdSigAlgorithms',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 20)},
- 'fortezzaKeyManagementAlgorithm': {'comment': 'SDN.700 INFOSEC algorithms. Formerly known as mosaicKeyManagementAlgorithm',
- 'description': 'fortezzaKeyManagementAlgorithm (2 16 840 1 101 2 1 1 10)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 0A',
- 'name': 'fortezzaKeyManagementAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 10)},
- 'fortezzaSignatureAlgorithm': {'comment': 'SDN.700 INFOSEC algorithms. Formerly known as mosaicSignatureAlgorithm, this OID is better known as dsaWithSHA-1.',
- 'description': 'fortezzaSignatureAlgorithm (2 16 840 1 101 2 1 1 2)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 02',
- 'name': 'fortezzaSignatureAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 2)},
- 'fortezzaTokenProtectionAlgorithm': {'comment': 'SDN.700 INFOSEC algorithms. Formerly know as mosaicTokenProtectionAlgorithm',
- 'description': 'fortezzaTokenProtectionAlgorithm (2 16 840 1 101 2 1 1 8)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 08',
- 'name': 'fortezzaTokenProtectionAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 8)},
- 'fortezzaUpdatedIntegAlgorithm': {'comment': 'SDN.700 INFOSEC algorithms. Formerly known as mosaicUpdatedIntegAlgorithm',
- 'description': 'fortezzaUpdatedIntegAlgorithm (2 16 840 1 101 2 1 1 21)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 15',
- 'name': 'fortezzaUpdatedIntegAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 21)},
- 'fortezzaUpdatedSigAlgorithm': {'comment': 'SDN.700 INFOSEC algorithms. Formerly known as mosaicUpdatedSigAlgorithm',
- 'description': 'fortezzaUpdatedSigAlgorithm (2 16 840 1 101 2 1 1 19)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 13',
- 'name': 'fortezzaUpdatedSigAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 19)},
- 'fortezzaWrap80Algorithm': {'comment': 'SDN.700 INFOSEC algorithms',
- 'description': 'fortezzaWrap80Algorithm (2 16 840 1 101 2 1 1 23)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 17',
- 'name': 'fortezzaWrap80Algorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 23)},
- 'forwardedCSPMsgBodyPart': {'comment': 'SDN.700 INFOSEC format',
- 'description': 'forwardedCSPMsgBodyPart (2 16 840 1 101 2 1 2 74)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 02 4A',
- 'name': 'forwardedCSPMsgBodyPart',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 2, 74)},
- 'forwardedMSPMessageBodyPart': {'comment': 'SDN.700 INFOSEC format',
- 'description': 'forwardedMSPMessageBodyPart (2 16 840 1 101 2 1 2 72)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 02 48',
- 'name': 'forwardedMSPMessageBodyPart',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 2, 72)},
- 'freshestCRL': {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'freshestCRL (2 5 29 46)',
- 'hexoid': '06 03 55 1D 2E',
- 'name': 'freshestCRL',
- 'oid': (2, 5, 29, 46)},
- 'friendlyName': {'comment': 'PKCS #9 via PKCS #12',
- 'description': 'friendlyName (for PKCS #12) (1 2 840 113549 1 9 20)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 14',
- 'name': 'friendlyName',
- 'oid': (1, 2, 840, 113549, 1, 9, 20)},
- 'fullName': {'comment': 'SET field',
- 'description': 'fullName (2 23 42 2 0)',
- 'hexoid': '06 04 67 2A 02 00',
- 'name': 'fullName',
- 'oid': (2, 23, 42, 2, 0)},
- 'functionality-specific_api': {'comment': 'Teletrust API',
- 'description': 'functionality-specific_api (1 3 36 6 2)',
- 'hexoid': '06 04 2B 24 06 02',
- 'name': 'functionality-specific_api',
- 'oid': (1, 3, 36, 6, 2)},
- 'gKeyData': {'comment': 'Telesec attribute',
- 'description': 'gKeyData (0 2 262 1 10 7 38)',
- 'hexoid': '06 07 02 82 06 01 0A 07 26',
- 'name': 'gKeyData',
- 'oid': (0, 2, 262, 1, 10, 7, 38)},
- 'gender': {'comment': 'PKIX personal data',
- 'description': 'gender (1 3 6 1 5 5 7 9 3)',
- 'hexoid': '06 08 2B 06 01 05 05 07 09 03',
- 'name': 'gender',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 9, 3)},
- 'generationQualifier': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'generationQualifier (2 5 4 44)',
- 'hexoid': '06 03 55 04 2C',
- 'name': 'generationQualifier',
- 'oid': (2, 5, 4, 44)},
- 'genser': {'comment': 'SDN.700 INFOSEC policy',
- 'description': 'genser (2 16 840 1 101 2 1 3 11)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 03 0B',
- 'name': 'genser',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 3, 11)},
- 'genserSecurityCategories': {'comment': 'SDN.700 INFOSEC policy',
- 'description': 'genserSecurityCategories (2 16 840 1 101 2 1 3 11 3)',
- 'hexoid': '06 0A 60 86 48 01 65 02 01 03 0B 03',
- 'name': 'genserSecurityCategories',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 3, 11, 3)},
- 'genserTagSetName': {'comment': 'SDN.700 INFOSEC GENSER policy',
- 'description': 'genserTagSetName (2 16 840 1 101 2 1 3 11 3 0)',
- 'hexoid': '06 0B 60 86 48 01 65 02 01 03 0B 03 00',
- 'name': 'genserTagSetName',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 3, 11, 3, 0)},
- 'gf-prime': {'comment': 'ANSI X9.42 field type',
- 'description': 'gf-prime (1 2 840 10046 1 1)',
- 'hexoid': '06 07 2A 86 48 CE 3E 01 01',
- 'name': 'gf-prime',
- 'oid': (1, 2, 840, 10046, 1, 1)},
- 'givenName': {'comment': 'SET field',
- 'description': 'givenName (2 23 42 2 1)',
- 'hexoid': '06 04 67 2A 02 01',
- 'name': 'givenName',
- 'oid': (2, 23, 42, 2, 1)},
- 'glNumber': {'comment': 'Telesec attribute',
- 'description': 'glNumber (0 2 262 1 10 7 36)',
- 'hexoid': '06 07 02 82 06 01 0A 07 24',
- 'name': 'glNumber',
- 'oid': (0, 2, 262, 1, 10, 7, 36)},
- 'gnu': {'comment': 'GNU Project (see http://www.gnupg.org/oids.html)',
- 'description': 'gnu (1 3 6 1 4 1 11591)',
- 'hexoid': '06 07 2B 06 01 04 01 DA 47',
- 'name': 'gnu',
- 'oid': (1, 3, 6, 1, 4, 1, 11591)},
- 'gnuDigestAlgorithm': {'comment': 'GNU digest algorithm',
- 'description': 'gnuDigestAlgorithm (1 3 6 1 4 1 11591 12)',
- 'hexoid': '06 08 2B 06 01 04 01 DA 47 0C',
- 'name': 'gnuDigestAlgorithm',
- 'oid': (1, 3, 6, 1, 4, 1, 11591, 12)},
- 'gnuEncryptionAlgorithm': {'comment': 'GNU encryption algorithm',
- 'description': 'gnuEncryptionAlgorithm (1 3 6 1 4 1 11591 13)',
- 'hexoid': '06 08 2B 06 01 04 01 DA 47 0D',
- 'name': 'gnuEncryptionAlgorithm',
- 'oid': (1, 3, 6, 1, 4, 1, 11591, 13)},
- 'gnuRadar': {'comment': 'GNU Radar',
- 'description': 'gnuRadar (1 3 6 1 4 1 11591 3)',
- 'hexoid': '06 08 2B 06 01 04 01 DA 47 03',
- 'name': 'gnuRadar',
- 'oid': (1, 3, 6, 1, 4, 1, 11591, 3)},
- 'gnuRadius': {'comment': 'GNU Radius',
- 'description': 'gnuRadius (1 3 6 1 4 1 11591 1)',
- 'hexoid': '06 08 2B 06 01 04 01 DA 47 01',
- 'name': 'gnuRadius',
- 'oid': (1, 3, 6, 1, 4, 1, 11591, 1)},
- 'goNumber': {'comment': 'Telesec attribute',
- 'description': 'goNumber (0 2 262 1 10 7 37)',
- 'hexoid': '06 07 02 82 06 01 0A 07 25',
- 'name': 'goNumber',
- 'oid': (0, 2, 262, 1, 10, 7, 37)},
- 'group': {'comment': 'PKIX attribute certificate extension',
- 'description': 'group (1 3 6 1 5 5 7 10 4)',
- 'hexoid': '06 08 2B 06 01 05 05 07 0A 04',
- 'name': 'group',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 10, 4)},
- 'groupOfNames': {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'groupOfNames (2 5 6 9)',
- 'hexoid': '06 03 55 06 09',
- 'name': 'groupOfNames',
- 'oid': (2, 5, 6, 9)},
- 'groupOfUniqueNames': {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'groupOfUniqueNames (2 5 6 17)',
- 'hexoid': '06 03 55 06 11',
- 'name': 'groupOfUniqueNames',
- 'oid': (2, 5, 6, 17)},
- 'hashAlgorithm': {'comment': 'Teletrust algorithm',
- 'description': 'hashAlgorithm (1 3 36 3 2)',
- 'hexoid': '06 04 2B 24 03 02',
- 'name': 'hashAlgorithm',
- 'oid': (1, 3, 36, 3, 2)},
- 'hashAlgos': {'comment': 'NIST Algorithm',
- 'description': 'hashAlgos (2 16 840 1 101 3 4 2)',
- 'hexoid': '06 08 60 86 48 01 65 03 04 02',
- 'name': 'hashAlgos',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 2)},
- 'hashUsingBlockCipher': {'comment': 'Telesec one-way function',
- 'description': 'hashUsingBlockCipher (0 2 262 1 10 1 3 6)',
- 'hexoid': '06 08 02 82 06 01 0A 01 03 06',
- 'name': 'hashUsingBlockCipher',
- 'oid': (0, 2, 262, 1, 10, 1, 3, 6)},
- 'hashedRootKey': {'comment': 'SET cert extension',
- 'description': 'hashedRootKey (2 23 42 7 0)',
- 'hexoid': '06 04 67 2A 07 00',
- 'name': 'hashedRootKey',
- 'oid': (2, 23, 42, 7, 0)},
- 'hbciRsaSignature': {'comment': 'Telesec signature',
- 'description': 'hbciRsaSignature (0 2 262 1 10 1 1 9)',
- 'hexoid': '06 08 02 82 06 01 0A 01 01 09',
- 'name': 'hbciRsaSignature',
- 'oid': (0, 2, 262, 1, 10, 1, 1, 9)},
- 'healthcareLicense': {'comment': 'ASTM 31.20',
- 'description': 'healthcareLicense (1 2 840 10065 2 3)',
- 'hexoid': '06 07 2A 86 48 CE 51 02 03',
- 'name': 'healthcareLicense',
- 'oid': (1, 2, 840, 10065, 2, 3)},
- 'hmacMD5': {'comment': 'ISAKMP HMAC algorithm',
- 'description': 'hmacMD5 (1 3 6 1 5 5 8 1 1)',
- 'hexoid': '06 08 2B 06 01 05 05 08 01 01',
- 'name': 'hmacMD5',
- 'oid': (1, 3, 6, 1, 5, 5, 8, 1, 1)},
- 'hmacSHA': {'comment': 'ISAKMP HMAC algorithm',
- 'description': 'hmacSHA (1 3 6 1 5 5 8 1 2)',
- 'hexoid': '06 08 2B 06 01 05 05 08 01 02',
- 'name': 'hmacSHA',
- 'oid': (1, 3, 6, 1, 5, 5, 8, 1, 2)},
- 'hmacTiger': {'comment': 'ISAKMP HMAC algorithm',
- 'description': 'hmacTiger (1 3 6 1 5 5 8 1 3)',
- 'hexoid': '06 08 2B 06 01 05 05 08 01 03',
- 'name': 'hmacTiger',
- 'oid': (1, 3, 6, 1, 5, 5, 8, 1, 3)},
- 'hmacWithSHA1': {'comment': 'RSADSI digestAlgorithm',
- 'description': 'hmacWithSHA1 (1 2 840 113549 2 7)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 02 07',
- 'name': 'hmacWithSHA1',
- 'oid': (1, 2, 840, 113549, 2, 7)},
- 'hmacWithSHA224': {'comment': 'RSADSI digestAlgorithm',
- 'description': 'hmacWithSHA224 (1 2 840 113549 2 8)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 02 08',
- 'name': 'hmacWithSHA224',
- 'oid': (1, 2, 840, 113549, 2, 8)},
- 'hmacWithSHA256': {'comment': 'RSADSI digestAlgorithm',
- 'description': 'hmacWithSHA256 (1 2 840 113549 2 9)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 02 09',
- 'name': 'hmacWithSHA256',
- 'oid': (1, 2, 840, 113549, 2, 9)},
- 'hmacWithSHA384': {'comment': 'RSADSI digestAlgorithm',
- 'description': 'hmacWithSHA384 (1 2 840 113549 2 10)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 02 0A',
- 'name': 'hmacWithSHA384',
- 'oid': (1, 2, 840, 113549, 2, 10)},
- 'hmacWithSHA512': {'comment': 'RSADSI digestAlgorithm',
- 'description': 'hmacWithSHA512 (1 2 840 113549 2 11)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 02 0B',
- 'name': 'hmacWithSHA512',
- 'oid': (1, 2, 840, 113549, 2, 11)},
- 'holdinstruction': {'comment': 'ANSI X9.57',
- 'description': 'holdinstruction (1 2 840 10040 2)',
- 'hexoid': '06 06 2A 86 48 CE 38 02',
- 'name': 'holdinstruction',
- 'oid': (1, 2, 840, 10040, 2)},
- 'holdinstruction-none': {'comment': 'ANSI X9.57 hold instruction',
- 'description': 'holdinstruction-none (1 2 840 10040 2 1)',
- 'hexoid': '06 07 2A 86 48 CE 38 02 01',
- 'name': 'holdinstruction-none',
- 'oid': (1, 2, 840, 10040, 2, 1)},
- 'houseIdentifier': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'houseIdentifier (2 5 4 51)',
- 'hexoid': '06 03 55 04 33',
- 'name': 'houseIdentifier',
- 'oid': (2, 5, 4, 51)},
- 'iKEIntermediate': {'comment': 'IKE ???',
- 'description': 'iKEIntermediate (1 3 6 1 5 5 8 2 2)',
- 'hexoid': '06 08 2B 06 01 05 05 08 02 02',
- 'name': 'iKEIntermediate',
- 'oid': (1, 3, 6, 1, 5, 5, 8, 2, 2)},
- 'iaReceiptMessage': {'comment': 'TMN EDI for Interactive Agents',
- 'description': 'iaReceiptMessage (1 3 6 1 4 1 3576 7 65)',
- 'hexoid': '06 09 2B 06 01 04 01 9B 78 07 41',
- 'name': 'iaReceiptMessage',
- 'oid': (1, 3, 6, 1, 4, 1, 3576, 7, 65)},
- 'iaStatusMessage': {'comment': 'TMN EDI for Interactive Agents',
- 'description': 'iaStatusMessage (1 3 6 1 4 1 3576 7 97)',
- 'hexoid': '06 09 2B 06 01 04 01 9B 78 07 61',
- 'name': 'iaStatusMessage',
- 'oid': (1, 3, 6, 1, 4, 1, 3576, 7, 97)},
- 'id-ad-rpkiManifest': {'comment': 'RPKI project',
- 'description': 'id-ad-rpkiManifest (1 3 6 1 5 5 7 48 10)',
- 'hexoid': '06 08 2B 06 01 05 05 07 30 0A',
- 'name': 'id-ad-rpkiManifest',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 48, 10)},
- 'id-ad-signedObject': {'comment': 'RPKI project',
- 'description': 'id-ad-signedObject (1 3 6 1 5 5 7 48 11)',
- 'hexoid': '06 08 2B 06 01 05 05 07 30 0B',
- 'name': 'id-ad-signedObject',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 48, 11)},
- 'id-ad-signedObjectRepository': {'comment': 'RPKI project',
- 'description': 'id-ad-signedObjectRepository (1 3 6 1 5 5 7 48 9)',
- 'hexoid': '06 08 2B 06 01 05 05 07 30 09',
- 'name': 'id-ad-signedObjectRepository',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 48, 9)},
- 'id-cp-ipAddr-asNumber': {'comment': 'RPKI project',
- 'description': 'id-cp-ipAddr-asNumber (1 3 6 1 5 5 7 14 2)',
- 'hexoid': '06 08 2B 06 01 05 05 07 0E 02',
- 'name': 'id-cp-ipAddr-asNumber',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 14, 2)},
- 'id-ct-routeOriginAttestation': {'comment': 'RPKI project',
- 'description': 'id-ct-routeOriginAttestation (1 2 840 113549 1 9 16 1 24)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 01 18',
- 'name': 'id-ct-routeOriginAttestation',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 1, 24)},
- 'id-ct-rpkiManifest': {'comment': 'RPKI project',
- 'description': 'id-ct-rpkiManifest (1 2 840 113549 1 9 16 1 26)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 01 1A',
- 'name': 'id-ct-rpkiManifest',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 1, 26)},
- 'id-ct-xml': {'comment': 'RPKI project',
- 'description': 'id-ct-xml (1 2 840 113549 1 9 16 1 28)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 01 1C',
- 'name': 'id-ct-xml',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 1, 28)},
- 'id-mod': {'comment': 'id-sMIME',
- 'description': 'id-mod (1 2 840 113549 1 9 16 0)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 09 10 00',
- 'name': 'id-mod',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 0)},
- 'id-mod-cms': {'comment': 'S/MIME Modules',
- 'description': 'id-mod-cms (1 2 840 113549 1 9 16 0 1)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 00 01',
- 'name': 'id-mod-cms',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 0, 1)},
- 'id-mod-ess': {'comment': 'S/MIME Modules',
- 'description': 'id-mod-ess (1 2 840 113549 1 9 16 0 2)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 00 02',
- 'name': 'id-mod-ess',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 0, 2)},
- 'id-mod-ets-eSigPolicy-88': {'comment': 'S/MIME Modules',
- 'description': 'id-mod-ets-eSigPolicy-88 (1 2 840 113549 1 9 16 0 8)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 00 08',
- 'name': 'id-mod-ets-eSigPolicy-88',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 0, 8)},
- 'id-mod-ets-eSignature-88': {'comment': 'S/MIME Modules',
- 'description': 'id-mod-ets-eSignature-88 (1 2 840 113549 1 9 16 0 5)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 00 05',
- 'name': 'id-mod-ets-eSignature-88',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 0, 5)},
- 'id-mod-ets-eSignature-97': {'comment': 'S/MIME Modules',
- 'description': 'id-mod-ets-eSignature-97 (1 2 840 113549 1 9 16 0 6)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 00 06',
- 'name': 'id-mod-ets-eSignature-97',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 0, 6)},
- 'id-mod-msg-v3': {'comment': 'S/MIME Modules',
- 'description': 'id-mod-msg-v3 (1 2 840 113549 1 9 16 0 4)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 00 04',
- 'name': 'id-mod-msg-v3',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 0, 4)},
- 'id-mod-oid': {'comment': 'S/MIME Modules',
- 'description': 'id-mod-oid (1 2 840 113549 1 9 16 0 3)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 00 03',
- 'name': 'id-mod-oid',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 0, 3)},
- 'id-sMIME': {'comment': 'PKCS #9',
- 'description': 'id-sMIME (1 2 840 113549 1 9 16)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 10',
- 'name': 'id-sMIME',
- 'oid': (1, 2, 840, 113549, 1, 9, 16)},
- 'idea': {'comment': 'Teletrust encryption algorithm',
- 'description': 'idea (1 3 36 3 1 2)',
- 'hexoid': '06 05 2B 24 03 01 02',
- 'name': 'idea',
- 'oid': (1, 3, 36, 3, 1, 2)},
- 'ideaCBC': {'comment': 'Teletrust encryption algorithm',
- 'description': 'ideaCBC (1 3 36 3 1 2 2)',
- 'hexoid': '06 06 2B 24 03 01 02 02',
- 'name': 'ideaCBC',
- 'oid': (1, 3, 36, 3, 1, 2, 2)},
- 'ideaCBC_ISOpad': {'comment': 'Teletrust encryption algorithm',
- 'description': 'ideaCBC_ISOpad (1 3 36 3 1 2 2 1 1)',
- 'hexoid': '06 08 2B 24 03 01 02 02 01 01',
- 'name': 'ideaCBC_ISOpad',
- 'oid': (1, 3, 36, 3, 1, 2, 2, 1, 1)},
- 'ideaCBC_pad': {'comment': 'Teletrust encryption algorithm',
- 'description': 'ideaCBC_pad (1 3 36 3 1 2 2 1)',
- 'hexoid': '06 07 2B 24 03 01 02 02 01',
- 'name': 'ideaCBC_pad',
- 'oid': (1, 3, 36, 3, 1, 2, 2, 1)},
- 'ideaCFB': {'comment': 'Teletrust encryption algorithm',
- 'description': 'ideaCFB (1 3 36 3 1 2 4)',
- 'hexoid': '06 06 2B 24 03 01 02 04',
- 'name': 'ideaCFB',
- 'oid': (1, 3, 36, 3, 1, 2, 4)},
- 'ideaCFB64': {'comment': 'Telesec encryption',
- 'description': 'ideaCFB64 (0 2 262 1 10 1 2 5 5)',
- 'hexoid': '06 09 02 82 06 01 0A 01 02 05 05',
- 'name': 'ideaCFB64',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 5, 5)},
- 'ideaCFB8': {'comment': 'Telesec encryption',
- 'description': 'ideaCFB8 (0 2 262 1 10 1 2 5 4)',
- 'hexoid': '06 09 02 82 06 01 0A 01 02 05 04',
- 'name': 'ideaCFB8',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 5, 4)},
- 'ideaECB': {'comment': 'Teletrust encryption algorithm',
- 'description': 'ideaECB (1 3 36 3 1 2 1)',
- 'hexoid': '06 06 2B 24 03 01 02 01',
- 'name': 'ideaECB',
- 'oid': (1, 3, 36, 3, 1, 2, 1)},
- 'ideaECB_ISOpad': {'comment': 'Teletrust encryption algorithm',
- 'description': 'ideaECB_ISOpad (1 3 36 3 1 2 1 1 1)',
- 'hexoid': '06 08 2B 24 03 01 02 01 01 01',
- 'name': 'ideaECB_ISOpad',
- 'oid': (1, 3, 36, 3, 1, 2, 1, 1, 1)},
- 'ideaECB_pad': {'comment': 'Teletrust encryption algorithm',
- 'description': 'ideaECB_pad (1 3 36 3 1 2 1 1)',
- 'hexoid': '06 07 2B 24 03 01 02 01 01',
- 'name': 'ideaECB_pad',
- 'oid': (1, 3, 36, 3, 1, 2, 1, 1)},
- 'ideaOFB': {'comment': 'Teletrust encryption algorithm',
- 'description': 'ideaOFB (1 3 36 3 1 2 3)',
- 'hexoid': '06 06 2B 24 03 01 02 03',
- 'name': 'ideaOFB',
- 'oid': (1, 3, 36, 3, 1, 2, 3)},
- 'identificationNumber': {'comment': 'SET field',
- 'description': 'identificationNumber (2 23 42 2 5)',
- 'hexoid': '06 04 67 2A 02 05',
- 'name': 'identificationNumber',
- 'oid': (2, 23, 42, 2, 5)},
- 'identrusOCSP': {'comment': 'Identrus',
- 'description': 'identrusOCSP (1 2 840 114021 4 1)',
- 'hexoid': '06 08 2A 86 48 86 FA 65 04 01',
- 'name': 'identrusOCSP',
- 'oid': (1, 2, 840, 114021, 4, 1)},
- 'implicitConfirm': {'comment': 'PKIX CMP information',
- 'description': 'implicitConfirm (1 3 6 1 5 5 7 4 13)',
- 'hexoid': '06 08 2B 06 01 05 05 07 04 0D',
- 'name': 'implicitConfirm',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 4, 13)},
- 'individualCodeSigning': {'comment': 'Microsoft',
- 'description': 'individualCodeSigning (1 3 6 1 4 1 311 2 1 21)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 02 01 15',
- 'name': 'individualCodeSigning',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 2, 1, 21)},
- 'inetOrgPerson': {'comment': 'Netscape LDAP definitions',
- 'description': 'inetOrgPerson (2 16 840 1 113730 3 2 2)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 42 03 02 02',
- 'name': 'inetOrgPerson',
- 'oid': (2, 16, 840, 1, 113730, 3, 2, 2)},
- 'inhibitAnyPolicy': {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'inhibitAnyPolicy (2 5 29 54)',
- 'hexoid': '06 03 55 1D 36',
- 'name': 'inhibitAnyPolicy',
- 'oid': (2, 5, 29, 54)},
- 'initials': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'initials (2 5 4 43)',
- 'hexoid': '06 03 55 04 2B',
- 'name': 'initials',
- 'oid': (2, 5, 4, 43)},
- 'instructionCode': {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'instructionCode (2 5 29 23)',
- 'hexoid': '06 03 55 1D 17',
- 'name': 'instructionCode',
- 'oid': (2, 5, 29, 23)},
- 'integratedCircuitCardSerialNumber': {'comment': 'Teletrust attribute',
- 'description': 'integratedCircuitCardSerialNumber (1 3 36 8 3 6)',
- 'hexoid': '06 05 2B 24 08 03 06',
- 'name': 'integratedCircuitCardSerialNumber',
- 'oid': (1, 3, 36, 8, 3, 6)},
- 'integrityEDImessage': {'comment': 'TMN EDI for Interactive Agents',
- 'description': 'integrityEDImessage (1 3 6 1 4 1 3576 7 5)',
- 'hexoid': '06 09 2B 06 01 04 01 9B 78 07 05',
- 'name': 'integrityEDImessage',
- 'oid': (1, 3, 6, 1, 4, 1, 3576, 7, 5)},
- 'internationalISDNNumber': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'internationalISDNNumber (2 5 4 25)',
- 'hexoid': '06 03 55 04 19',
- 'name': 'internationalISDNNumber',
- 'oid': (2, 5, 4, 25)},
- 'invalidityDate': {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'invalidityDate (2 5 29 24)',
- 'hexoid': '06 03 55 1D 18',
- 'name': 'invalidityDate',
- 'oid': (2, 5, 29, 24)},
- 'ipsecEndSystem': {'comment': 'PKIX key purpose',
- 'description': 'ipsecEndSystem (1 3 6 1 5 5 7 3 5)',
- 'hexoid': '06 08 2B 06 01 05 05 07 03 05',
- 'name': 'ipsecEndSystem',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 3, 5)},
- 'ipsecTunnel': {'comment': 'PKIX key purpose',
- 'description': 'ipsecTunnel (1 3 6 1 5 5 7 3 6)',
- 'hexoid': '06 08 2B 06 01 05 05 07 03 06',
- 'name': 'ipsecTunnel',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 3, 6)},
- 'ipsecUser': {'comment': 'PKIX key purpose',
- 'description': 'ipsecUser (1 3 6 1 5 5 7 3 7)',
- 'hexoid': '06 08 2B 06 01 05 05 07 03 07',
- 'name': 'ipsecUser',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 3, 7)},
- 'issuer': {'comment': 'Telesec attribute',
- 'description': 'issuer (0 2 262 1 10 7 6)',
- 'hexoid': '06 07 02 82 06 01 0A 07 06',
- 'name': 'issuer',
- 'oid': (0, 2, 262, 1, 10, 7, 6)},
- 'issuerAltName': {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'issuerAltName (2 5 29 18)',
- 'hexoid': '06 03 55 1D 12',
- 'name': 'issuerAltName',
- 'oid': (2, 5, 29, 18)},
- 'issuingDistributionPoint': {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'issuingDistributionPoint (2 5 29 28)',
- 'hexoid': '06 03 55 1D 1C',
- 'name': 'issuingDistributionPoint',
- 'oid': (2, 5, 29, 28)},
- 'janUKMs': {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'janUKMs (2 16 840 1 101 2 1 5 20)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 14',
- 'name': 'janUKMs',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 20)},
- 'julUKMs': {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'julUKMs (2 16 840 1 101 2 1 5 26)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 1A',
- 'name': 'julUKMs',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 26)},
- 'junUKMs': {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'junUKMs (2 16 840 1 101 2 1 5 25)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 19',
- 'name': 'junUKMs',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 25)},
- 'kEAKeyEncryptionAlgorithm': {'comment': 'SDN.700 INFOSEC algorithms',
- 'description': 'kEAKeyEncryptionAlgorithm (2 16 840 1 101 2 1 1 24)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 18',
- 'name': 'kEAKeyEncryptionAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 24)},
- 'kafka': {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'kafka (2 16 840 1 101 2 1 12 0 3)',
- 'hexoid': '06 0A 60 86 48 01 65 02 01 0C 00 03',
- 'name': 'kafka',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 12, 0, 3)},
- 'kafkaSecurityCategories': {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'kafkaSecurityCategories (2 16 840 1 101 2 1 12 0 3 0)',
- 'hexoid': '06 0B 60 86 48 01 65 02 01 0C 00 03 00',
- 'name': 'kafkaSecurityCategories',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 12, 0, 3, 0)},
- 'kafkaTagSetName1': {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'kafkaTagSetName1 (2 16 840 1 101 2 1 12 0 3 0 1)',
- 'hexoid': '06 0C 60 86 48 01 65 02 01 0C 00 03 00 01',
- 'name': 'kafkaTagSetName1',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 12, 0, 3, 0, 1)},
- 'kafkaTagSetName2': {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'kafkaTagSetName2 (2 16 840 1 101 2 1 12 0 3 0 2)',
- 'hexoid': '06 0C 60 86 48 01 65 02 01 0C 00 03 00 02',
- 'name': 'kafkaTagSetName2',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 12, 0, 3, 0, 2)},
- 'kafkaTagSetName3': {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'kafkaTagSetName3 (2 16 840 1 101 2 1 12 0 3 0 3)',
- 'hexoid': '06 0C 60 86 48 01 65 02 01 0C 00 03 00 03',
- 'name': 'kafkaTagSetName3',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 12, 0, 3, 0, 3)},
- 'keyExchangeAlgorithm': {'comment': 'SDN.700 INFOSEC algorithms. Formerly known as mosaicKeyEncryptionAlgorithm',
- 'description': 'keyExchangeAlgorithm (2 16 840 1 101 2 1 1 22)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 16',
- 'name': 'keyExchangeAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 22)},
- 'keyFeatures': {'comment': 'cryptlib attribute type',
- 'description': 'keyFeatures (1 3 6 1 4 1 3029 3 1 5)',
- 'hexoid': '06 0A 2B 06 01 04 01 97 55 03 01 05',
- 'name': 'keyFeatures',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 3, 1, 5)},
- 'keyPairParamRep': {'comment': 'PKIX CMP information',
- 'description': 'keyPairParamRep (1 3 6 1 5 5 7 4 11)',
- 'hexoid': '06 08 2B 06 01 05 05 07 04 0B',
- 'name': 'keyPairParamRep',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 4, 11)},
- 'keyPairParamReq': {'comment': 'PKIX CMP information',
- 'description': 'keyPairParamReq (1 3 6 1 5 5 7 4 10)',
- 'hexoid': '06 08 2B 06 01 05 05 07 04 0A',
- 'name': 'keyPairParamReq',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 4, 10)},
- 'keyPurpose': {'comment': 'PKIX',
- 'description': 'keyPurpose (1 3 6 1 5 5 7 3)',
- 'hexoid': '06 07 2B 06 01 05 05 07 03',
- 'name': 'keyPurpose',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 3)},
- 'keyUsage': {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'keyUsage (2 5 29 15)',
- 'hexoid': '06 03 55 1D 0F',
- 'name': 'keyUsage',
- 'oid': (2, 5, 29, 15)},
- 'keyagree': {'comment': 'Teletrust key management',
- 'description': 'keyagree (1 3 36 7 1)',
- 'hexoid': '06 04 2B 24 07 01',
- 'name': 'keyagree',
- 'oid': (1, 3, 36, 7, 1)},
- 'keyed-hash-seal': {'comment': 'Oddball OIW OID',
- 'description': 'keyed-hash-seal (1 3 14 3 2 23)',
- 'hexoid': '06 05 2B 0E 03 02 17',
- 'name': 'keyed-hash-seal',
- 'oid': (1, 3, 14, 3, 2, 23)},
- 'keymgmnt': {'comment': 'Teletrust key management',
- 'description': 'keymgmnt (1 3 36 7)',
- 'hexoid': '06 03 2B 24 07',
- 'name': 'keymgmnt',
- 'oid': (1, 3, 36, 7)},
- 'keytrans': {'comment': 'Teletrust key management',
- 'description': 'keytrans (1 3 36 7 2)',
- 'hexoid': '06 04 2B 24 07 02',
- 'name': 'keytrans',
- 'oid': (1, 3, 36, 7, 2)},
- 'kmPrivileges': {'comment': 'SDN.700 INFOSEC privileges',
- 'description': 'kmPrivileges (2 16 840 1 101 2 1 10 2)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 0A 02',
- 'name': 'kmPrivileges',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 10, 2)},
- 'knowledgeInformation': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'knowledgeInformation (2 5 4 2)',
- 'hexoid': '06 03 55 04 02',
- 'name': 'knowledgeInformation',
- 'oid': (2, 5, 4, 2)},
- 'ktKeyData': {'comment': 'Telesec attribute',
- 'description': 'ktKeyData (0 2 262 1 10 7 40)',
- 'hexoid': '06 07 02 82 06 01 0A 07 28',
- 'name': 'ktKeyData',
- 'oid': (0, 2, 262, 1, 10, 7, 40)},
- 'ktKeyNumber': {'comment': 'Telesec attribute',
- 'description': 'ktKeyNumber (0 2 262 1 10 7 41)',
- 'hexoid': '06 07 02 82 06 01 0A 07 29',
- 'name': 'ktKeyNumber',
- 'oid': (0, 2, 262, 1, 10, 7, 41)},
- 'labeledAttribute': {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'labeledAttribute (2 16 840 1 101 2 1 5 57)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 39',
- 'name': 'labeledAttribute',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 57)},
- 'ldapDefinitions': {'comment': 'Netscape directory',
- 'description': 'ldapDefinitions (2 16 840 1 113730 3 1)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 03 01',
- 'name': 'ldapDefinitions',
- 'oid': (2, 16, 840, 1, 113730, 3, 1)},
- 'liabilityLimitationFlag': {'comment': 'Telesec cert/CRL extension',
- 'description': 'liabilityLimitationFlag (0 2 262 1 10 12 0)',
- 'hexoid': '06 07 02 82 06 01 0A 0C 00',
- 'name': 'liabilityLimitationFlag',
- 'oid': (0, 2, 262, 1, 10, 12, 0)},
- 'liabilityText': {'comment': 'Telesec attribute',
- 'description': 'liabilityText (0 2 262 1 10 7 52)',
- 'hexoid': '06 07 02 82 06 01 0A 07 34',
- 'name': 'liabilityText',
- 'oid': (0, 2, 262, 1, 10, 7, 52)},
- 'license?': {'comment': 'ASTM 31.20 healthcare license type',
- 'description': 'license? (1 2 840 10065 2 3 1 1)',
- 'hexoid': '06 09 2A 86 48 CE 51 02 03 01 01',
- 'name': 'license?',
- 'oid': (1, 2, 840, 10065, 2, 3, 1, 1)},
- 'localKeyID': {'comment': 'PKCS #9 via PKCS #12',
- 'description': 'localKeyID (for PKCS #12) (1 2 840 113549 1 9 21)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 15',
- 'name': 'localKeyID',
- 'oid': (1, 2, 840, 113549, 1, 9, 21)},
- 'locality': {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'locality (2 5 6 3)',
- 'hexoid': '06 03 55 06 03',
- 'name': 'locality',
- 'oid': (2, 5, 6, 3)},
- 'localityName': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'localityName (2 5 4 7)',
- 'hexoid': '06 03 55 04 07',
- 'name': 'localityName',
- 'oid': (2, 5, 4, 7)},
- 'location': {'comment': 'Teletrust signature attributes',
- 'description': 'location (1 3 36 8 6 8)',
- 'hexoid': '06 05 2B 24 08 06 08',
- 'name': 'location',
- 'oid': (1, 3, 36, 8, 6, 8)},
- 'logo': {'comment': 'PKIX qualified certificates',
- 'description': 'logo (1 3 6 1 5 5 7 20)',
- 'hexoid': '06 07 2B 06 01 05 05 07 14',
- 'name': 'logo',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 20)},
- 'logoBackground': {'comment': 'PKIX',
- 'description': 'logoBackground (1 3 6 1 5 5 7 20 2)',
- 'hexoid': '06 08 2B 06 01 05 05 07 14 02',
- 'name': 'logoBackground',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 20, 2)},
- 'logoLoyalty': {'comment': 'PKIX',
- 'description': 'logoLoyalty (1 3 6 1 5 5 7 20 1)',
- 'hexoid': '06 08 2B 06 01 05 05 07 14 01',
- 'name': 'logoLoyalty',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 20, 1)},
- 'logoType': {'comment': 'PKIX private extension',
- 'description': 'logoType (1 3 6 1 5 5 7 1 12)',
- 'hexoid': '06 08 2B 06 01 05 05 07 01 0C',
- 'name': 'logoType',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 1, 12)},
- 'mISSISecurityCategories': {'comment': 'SDN.700 INFOSEC security category',
- 'description': 'mISSISecurityCategories (2 16 840 1 101 2 1 8 1)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 08 01',
- 'name': 'mISSISecurityCategories',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 8, 1)},
- 'mac': {'comment': 'Telesec one-way function',
- 'description': 'mac (0 2 262 1 10 1 3 7)',
- 'hexoid': '06 08 02 82 06 01 0A 01 03 07',
- 'name': 'mac',
- 'oid': (0, 2, 262, 1, 10, 1, 3, 7)},
- 'magenta': {'comment': 'Telesec encryption',
- 'description': 'magenta (0 2 262 1 10 1 2 4)',
- 'hexoid': '06 08 02 82 06 01 0A 01 02 04',
- 'name': 'magenta',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 4)},
- 'mailRecipient': {'comment': 'Microsoft Exchange Server - object class',
- 'description': 'mailRecipient (1 2 840 113556 1 3 46)',
- 'hexoid': '06 09 2A 86 48 86 F7 14 01 03 2E',
- 'name': 'mailRecipient',
- 'oid': (1, 2, 840, 113556, 1, 3, 46)},
- 'mailbox': {'comment': 'Microsoft Exchange Server - object class',
- 'description': 'mailbox (1 2 840 113556 1 3 22)',
- 'hexoid': '06 09 2A 86 48 86 F7 14 01 03 16',
- 'name': 'mailbox',
- 'oid': (1, 2, 840, 113556, 1, 3, 22)},
- 'mailbox-Agent': {'comment': 'Microsoft Exchange Server - object class',
- 'description': 'mailbox-Agent (1 2 840 113556 1 3 17)',
- 'hexoid': '06 09 2A 86 48 86 F7 14 01 03 11',
- 'name': 'mailbox-Agent',
- 'oid': (1, 2, 840, 113556, 1, 3, 17)},
- 'manufacturer-specific_api': {'comment': 'Teletrust API',
- 'description': 'manufacturer-specific_api (1 3 36 6 1)',
- 'hexoid': '06 04 2B 24 06 01',
- 'name': 'manufacturer-specific_api',
- 'oid': (1, 3, 36, 6, 1)},
- 'marUKMs': {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'marUKMs (2 16 840 1 101 2 1 5 22)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 16',
- 'name': 'marUKMs',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 22)},
- 'mayUKMs': {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'mayUKMs (2 16 840 1 101 2 1 5 24)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 18',
- 'name': 'mayUKMs',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 24)},
- 'md2': {'comment': 'RSADSI digestAlgorithm',
- 'description': 'md2 (1 2 840 113549 2 2)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 02 02',
- 'name': 'md2',
- 'oid': (1, 2, 840, 113549, 2, 2)},
- 'md2WithElGamal': {'comment': 'Unsure about this OID',
- 'description': 'md2WithElGamal (1 3 14 7 2 3 2)',
- 'hexoid': '06 06 2B 0E 07 02 03 02',
- 'name': 'md2WithElGamal',
- 'oid': (1, 3, 14, 7, 2, 3, 2)},
- 'md2WithRSA': {'comment': 'Unsure about this OID',
- 'description': 'md2WithRSA (1 3 14 7 2 3 1)',
- 'hexoid': '06 06 2B 0E 07 02 03 01',
- 'name': 'md2WithRSA',
- 'oid': (1, 3, 14, 7, 2, 3, 1)},
- 'md2WithRSAEncryptionBSafe1': {'comment': 'Novell signature algorithm',
- 'description': 'md2WithRSAEncryptionBSafe1 (2 16 840 1 113719 1 2 8 29)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 1D',
- 'name': 'md2WithRSAEncryptionBSafe1',
- 'oid': (2, 16, 840, 1, 113719, 1, 2, 8, 29)},
- 'md2WithRSASignature': {'comment': 'Oddball OIW OID using 9796-2 padding rules',
- 'description': 'md2WithRSASignature (1 3 14 3 2 24)',
- 'hexoid': '06 05 2B 0E 03 02 18',
- 'name': 'md2WithRSASignature',
- 'oid': (1, 3, 14, 3, 2, 24)},
- 'md2withRSAEncryption': {'comment': 'PKCS #1',
- 'description': 'md2withRSAEncryption (1 2 840 113549 1 1 2)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 01 02',
- 'name': 'md2withRSAEncryption',
- 'oid': (1, 2, 840, 113549, 1, 1, 2)},
- 'md4': {'comment': 'RSADSI digestAlgorithm',
- 'description': 'md4 (1 2 840 113549 2 4)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 02 04',
- 'name': 'md4',
- 'oid': (1, 2, 840, 113549, 2, 4)},
- 'md4WitRSA': {'comment': 'Oddball OIW OID',
- 'description': 'md4WitRSA (1 3 14 3 2 2)',
- 'hexoid': '06 05 2B 0E 03 02 02',
- 'name': 'md4WitRSA',
- 'oid': (1, 3, 14, 3, 2, 2)},
- 'md4WithRSAAndISO9697': {'comment': 'Telesec mechanism',
- 'description': 'md4WithRSAAndISO9697 (0 2 262 1 10 1 1 1)',
- 'hexoid': '06 08 02 82 06 01 0A 01 01 01',
- 'name': 'md4WithRSAAndISO9697',
- 'oid': (0, 2, 262, 1, 10, 1, 1, 1)},
- 'md4WithRSAAndTelesecSignatureStandard': {'comment': 'Telesec mechanism',
- 'description': 'md4WithRSAAndTelesecSignatureStandard (0 2 262 1 10 1 1 2)',
- 'hexoid': '06 08 02 82 06 01 0A 01 01 02',
- 'name': 'md4WithRSAAndTelesecSignatureStandard',
- 'oid': (0, 2, 262, 1, 10, 1, 1, 2)},
- 'md4WithRSAEncryption': {'comment': 'Oddball OIW OID',
- 'description': 'md4WithRSAEncryption (1 3 14 3 2 4)',
- 'hexoid': '06 05 2B 0E 03 02 04',
- 'name': 'md4WithRSAEncryption',
- 'oid': (1, 3, 14, 3, 2, 4)},
- 'md4withRSAEncryption': {'comment': 'PKCS #1',
- 'description': 'md4withRSAEncryption (1 2 840 113549 1 1 3)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 01 03',
- 'name': 'md4withRSAEncryption',
- 'oid': (1, 2, 840, 113549, 1, 1, 3)},
- 'md5': {'comment': 'RSADSI digestAlgorithm',
- 'description': 'md5 (1 2 840 113549 2 5)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 02 05',
- 'name': 'md5',
- 'oid': (1, 2, 840, 113549, 2, 5)},
- 'md5WithRSA': {'comment': 'Oddball OIW OID',
- 'description': 'md5WithRSA (1 3 14 3 2 3)',
- 'hexoid': '06 05 2B 0E 03 02 03',
- 'name': 'md5WithRSA',
- 'oid': (1, 3, 14, 3, 2, 3)},
- 'md5WithRSAAndISO9697': {'comment': 'Telesec mechanism',
- 'description': 'md5WithRSAAndISO9697 (0 2 262 1 10 1 1 3)',
- 'hexoid': '06 08 02 82 06 01 0A 01 01 03',
- 'name': 'md5WithRSAAndISO9697',
- 'oid': (0, 2, 262, 1, 10, 1, 1, 3)},
- 'md5WithRSAAndTelesecSignatureStandard': {'comment': 'Telesec mechanism',
- 'description': 'md5WithRSAAndTelesecSignatureStandard (0 2 262 1 10 1 1 4)',
- 'hexoid': '06 08 02 82 06 01 0A 01 01 04',
- 'name': 'md5WithRSAAndTelesecSignatureStandard',
- 'oid': (0, 2, 262, 1, 10, 1, 1, 4)},
- 'md5WithRSAEncryptionBSafe1': {'comment': 'Novell signature algorithm',
- 'description': 'md5WithRSAEncryptionBSafe1 (2 16 840 1 113719 1 2 8 30)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 1E',
- 'name': 'md5WithRSAEncryptionBSafe1',
- 'oid': (2, 16, 840, 1, 113719, 1, 2, 8, 30)},
- 'md5WithRSASignature': {'comment': 'Oddball OIW OID using 9796-2 padding rules',
- 'description': 'md5WithRSASignature (1 3 14 3 2 25)',
- 'hexoid': '06 05 2B 0E 03 02 19',
- 'name': 'md5WithRSASignature',
- 'oid': (1, 3, 14, 3, 2, 25)},
- 'md5withRSAEncryption': {'comment': 'PKCS #1',
- 'description': 'md5withRSAEncryption (1 2 840 113549 1 1 4)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 01 04',
- 'name': 'md5withRSAEncryption',
- 'oid': (1, 2, 840, 113549, 1, 1, 4)},
- 'mdc-2': {'comment': 'Oddball OIW OID, DES-based hash, planned for X9.31 Part 2',
- 'description': 'mdc-2 (1 3 14 3 2 19)',
- 'hexoid': '06 05 2B 0E 03 02 13',
- 'name': 'mdc-2',
- 'oid': (1, 3, 14, 3, 2, 19)},
- 'mdc2WithRSASignature': {'comment': 'Oddball OIW OID using 9796-2 padding rules',
- 'description': 'mdc2WithRSASignature (1 3 14 3 2 14)',
- 'hexoid': '06 05 2B 0E 03 02 0E',
- 'name': 'mdc2WithRSASignature',
- 'oid': (1, 3, 14, 3, 2, 14)},
- 'mdc2doubleLength': {'comment': 'Teletrust hash algorithm',
- 'description': 'mdc2doubleLength (1 3 36 3 2 5)',
- 'hexoid': '06 05 2B 24 03 02 05',
- 'name': 'mdc2doubleLength',
- 'oid': (1, 3, 36, 3, 2, 5)},
- 'mdc2singleLength': {'comment': 'Teletrust hash algorithm',
- 'description': 'mdc2singleLength (1 3 36 3 2 4)',
- 'hexoid': '06 05 2B 24 03 02 04',
- 'name': 'mdc2singleLength',
- 'oid': (1, 3, 36, 3, 2, 4)},
- 'mechanism': {'comment': 'Telesec',
- 'description': 'mechanism (0 2 262 1 10 1)',
- 'hexoid': '06 06 02 82 06 01 0A 01',
- 'name': 'mechanism',
- 'oid': (0, 2, 262, 1, 10, 1)},
- 'member': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'member (2 5 4 31)',
- 'hexoid': '06 03 55 04 1F',
- 'name': 'member',
- 'oid': (2, 5, 4, 31)},
- 'merchantData': {'comment': 'SET cert extension',
- 'description': 'merchantData (2 23 42 7 2)',
- 'hexoid': '06 04 67 2A 07 02',
- 'name': 'merchantData',
- 'oid': (2, 23, 42, 7, 2)},
- 'messageDigest': {'comment': 'PKCS #9',
- 'description': 'messageDigest (1 2 840 113549 1 9 4)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 04',
- 'name': 'messageDigest',
- 'oid': (1, 2, 840, 113549, 1, 9, 4)},
- 'messageType': {'comment': 'Verisign PKCS #7 attribute',
- 'description': 'messageType (2 16 840 1 113733 1 9 2)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 45 01 09 02',
- 'name': 'messageType',
- 'oid': (2, 16, 840, 1, 113733, 1, 9, 2)},
- 'messageTypes': {'comment': 'Telesec module',
- 'description': 'messageTypes (0 2 262 1 10 2 3)',
- 'hexoid': '06 07 02 82 06 01 0A 02 03',
- 'name': 'messageTypes',
- 'oid': (0, 2, 262, 1, 10, 2, 3)},
- 'metaSDNSckl': {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'metaSDNSckl (2 16 840 1 101 2 1 5 40)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 28',
- 'name': 'metaSDNSckl',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 40)},
- 'metaSDNSsignatureCKL': {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'metaSDNSsignatureCKL (2 16 840 1 101 2 1 5 42)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 2A',
- 'name': 'metaSDNSsignatureCKL',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 42)},
- 'microsoftExcel': {'comment': 'Microsoft',
- 'description': 'microsoftExcel (1 2 840 113556 4 3)',
- 'hexoid': '06 08 2A 86 48 86 F7 14 04 03',
- 'name': 'microsoftExcel',
- 'oid': (1, 2, 840, 113556, 4, 3)},
- 'microsoftPowerPoint': {'comment': 'Microsoft',
- 'description': 'microsoftPowerPoint (1 2 840 113556 4 5)',
- 'hexoid': '06 08 2A 86 48 86 F7 14 04 05',
- 'name': 'microsoftPowerPoint',
- 'oid': (1, 2, 840, 113556, 4, 5)},
- 'microsoftRecipientInfo': {'comment': 'Microsoft attribute',
- 'description': 'microsoftRecipientInfo (1 3 6 1 4 1 311 16 4)',
- 'hexoid': '06 09 2B 06 01 04 01 82 37 10 04',
- 'name': 'microsoftRecipientInfo',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 16, 4)},
- 'misty1-cbc': {'comment': 'Mitsubishi security algorithm',
- 'description': 'misty1-cbc (1 2 392 200011 61 1 1 1 1)',
- 'hexoid': '06 0B 2A 83 08 8C 9A 4B 3D 01 01 01 01',
- 'name': 'misty1-cbc',
- 'oid': (1, 2, 392, 200011, 61, 1, 1, 1, 1)},
- 'mlAdministrators': {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'mlAdministrators (2 16 840 1 101 2 1 5 13)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 0D',
- 'name': 'mlAdministrators',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 13)},
- 'mlExpandHistory': {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'mlExpandHistory (1 2 840 113549 1 9 16 2 3)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 03',
- 'name': 'mlExpandHistory',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 2, 3)},
- 'mlMembership': {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'mlMembership (2 16 840 1 101 2 1 5 12)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 0C',
- 'name': 'mlMembership',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 12)},
- 'mlReceiptPolicy': {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'mlReceiptPolicy (2 16 840 1 101 2 1 5 11)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 0B',
- 'name': 'mlReceiptPolicy',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 11)},
- 'module': {'comment': 'SET',
- 'description': 'module (2 23 42 6)',
- 'hexoid': '06 03 67 2A 06',
- 'name': 'module',
- 'oid': (2, 23, 42, 6)},
- 'monetaryLimit': {'comment': 'Teletrust attribute',
- 'description': 'monetaryLimit (1 3 36 8 3 4)',
- 'hexoid': '06 05 2B 24 08 03 04',
- 'name': 'monetaryLimit',
- 'oid': (1, 3, 36, 8, 3, 4)},
- 'month': {'comment': 'SET field',
- 'description': 'month (2 23 42 2 6)',
- 'hexoid': '06 04 67 2A 02 06',
- 'name': 'month',
- 'oid': (2, 23, 42, 2, 6)},
- 'mosaicPRBAC': {'comment': 'SDN.700 INFOSEC policy',
- 'description': 'mosaicPRBAC (2 16 840 1 101 2 1 3 3)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 03 03',
- 'name': 'mosaicPRBAC',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 3, 3)},
- 'mpeg-1': {'comment': 'cryptlib special MPEG-of-cat OID',
- 'description': 'mpeg-1 (1 3 6 1 4 1 3029 42 11172 1)',
- 'hexoid': '06 0B 2B 06 01 04 01 97 55 2A D7 24 01',
- 'name': 'mpeg-1',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 42, 11172, 1)},
- 'mqv1': {'comment': 'ANSI X9.42 scheme',
- 'description': 'mqv1 (1 2 840 10046 3 6)',
- 'hexoid': '06 07 2A 86 48 CE 3E 03 06',
- 'name': 'mqv1',
- 'oid': (1, 2, 840, 10046, 3, 6)},
- 'mqv2': {'comment': 'ANSI X9.42 scheme',
- 'description': 'mqv2 (1 2 840 10046 3 5)',
- 'hexoid': '06 07 2A 86 48 CE 3E 03 05',
- 'name': 'mqv2',
- 'oid': (1, 2, 840, 10046, 3, 5)},
- 'msPKI-Cert-Template-OID': {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'msPKI-Cert-Template-OID (1 2 840 113556 1 4 1436)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8B 1C',
- 'name': 'msPKI-Cert-Template-OID',
- 'oid': (1, 2, 840, 113556, 1, 4, 1436)},
- 'msPKI-Certificate-Application-Policy': {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'msPKI-Certificate-Application-Policy (1 2 840 113556 1 4 1674)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8D 0A',
- 'name': 'msPKI-Certificate-Application-Policy',
- 'oid': (1,
- 2,
- 840,
- 113556,
- 1,
- 4,
- 1674)},
- 'msPKI-Certificate-Name-Flag': {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'msPKI-Certificate-Name-Flag (1 2 840 113556 1 4 1432)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8B 18',
- 'name': 'msPKI-Certificate-Name-Flag',
- 'oid': (1, 2, 840, 113556, 1, 4, 1432)},
- 'msPKI-Certificate-Policy': {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'msPKI-Certificate-Policy (1 2 840 113556 1 4 1439)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8B 1F',
- 'name': 'msPKI-Certificate-Policy',
- 'oid': (1, 2, 840, 113556, 1, 4, 1439)},
- 'msPKI-Enrollment-Flag': {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'msPKI-Enrollment-Flag (1 2 840 113556 1 4 1430)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8B 16',
- 'name': 'msPKI-Enrollment-Flag',
- 'oid': (1, 2, 840, 113556, 1, 4, 1430)},
- 'msPKI-Minimal-Key-Size': {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'msPKI-Minimal-Key-Size (1 2 840 113556 1 4 1433)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8B 19',
- 'name': 'msPKI-Minimal-Key-Size',
- 'oid': (1, 2, 840, 113556, 1, 4, 1433)},
- 'msPKI-Private-Key-Flag': {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'msPKI-Private-Key-Flag (1 2 840 113556 1 4 1431)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8B 17',
- 'name': 'msPKI-Private-Key-Flag',
- 'oid': (1, 2, 840, 113556, 1, 4, 1431)},
- 'msPKI-RA-Application-Policies': {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'msPKI-RA-Application-Policies (1 2 840 113556 1 4 1675)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8D 0B',
- 'name': 'msPKI-RA-Application-Policies',
- 'oid': (1, 2, 840, 113556, 1, 4, 1675)},
- 'msPKI-RA-Policies': {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'msPKI-RA-Policies (1 2 840 113556 1 4 1438)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8B 1E',
- 'name': 'msPKI-RA-Policies',
- 'oid': (1, 2, 840, 113556, 1, 4, 1438)},
- 'msPKI-RA-Signature': {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'msPKI-RA-Signature (1 2 840 113556 1 4 1429)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8B 15',
- 'name': 'msPKI-RA-Signature',
- 'oid': (1, 2, 840, 113556, 1, 4, 1429)},
- 'msPKI-Supersede-Templates': {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'msPKI-Supersede-Templates (1 2 840 113556 1 4 1437)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8B 1D',
- 'name': 'msPKI-Supersede-Templates',
- 'oid': (1, 2, 840, 113556, 1, 4, 1437)},
- 'msPKI-Template-Minor-Revision': {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'msPKI-Template-Minor-Revision (1 2 840 113556 1 4 1435)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8B 1B',
- 'name': 'msPKI-Template-Minor-Revision',
- 'oid': (1, 2, 840, 113556, 1, 4, 1435)},
- 'msPKI-Template-Schema-Version': {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'msPKI-Template-Schema-Version (1 2 840 113556 1 4 1434)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8B 1A',
- 'name': 'msPKI-Template-Schema-Version',
- 'oid': (1, 2, 840, 113556, 1, 4, 1434)},
- 'msgExt': {'comment': 'SET',
- 'description': 'msgExt (2 23 42 1)',
- 'hexoid': '06 03 67 2A 01',
- 'name': 'msgExt',
- 'oid': (2, 23, 42, 1)},
- 'msgSigDigest': {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'msgSigDigest (1 2 840 113549 1 9 16 2 5)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 05',
- 'name': 'msgSigDigest',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 2, 5)},
- 'mspContentType': {'comment': 'SDN.700 INFOSEC format',
- 'description': 'mspContentType (2 16 840 1 101 2 1 2 48)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 02 30',
- 'name': 'mspContentType',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 2, 48)},
- 'mspForwardedMessageParameters': {'comment': 'SDN.700 INFOSEC format',
- 'description': 'mspForwardedMessageParameters (2 16 840 1 101 2 1 2 73)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 02 49',
- 'name': 'mspForwardedMessageParameters',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 2, 73)},
- 'mspMMP': {'comment': 'SDN.700 INFOSEC format',
- 'description': 'mspMMP (2 16 840 1 101 2 1 2 50)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 02 32',
- 'name': 'mspMMP',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 2, 50)},
- 'mspMMP2': {'comment': 'SDN.700 INFOSEC format',
- 'description': 'mspMMP2 (2 16 840 1 101 2 1 2 76)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 02 4C',
- 'name': 'mspMMP2',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 2, 76)},
- 'mspRekeyAgentProtocol': {'comment': 'SDN.700 INFOSEC format',
- 'description': 'mspRekeyAgentProtocol (2 16 840 1 101 2 1 2 49)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 02 31',
- 'name': 'mspRekeyAgentProtocol',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 2, 49)},
- 'mspRev3-1ContentType': {'comment': 'SDN.700 INFOSEC format',
- 'description': 'mspRev3-1ContentType (2 16 840 1 101 2 1 2 66)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 02 42',
- 'name': 'mspRev3-1ContentType',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 2, 66)},
- 'mspRev3ContentType': {'comment': 'SDN.700 INFOSEC format',
- 'description': 'mspRev3ContentType (2 16 840 1 101 2 1 2 42)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 02 2A',
- 'name': 'mspRev3ContentType',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 2, 42)},
- 'name': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'name (2 5 4 41)',
- 'hexoid': '06 03 55 04 29',
- 'name': 'name',
- 'oid': (2, 5, 4, 41)},
- 'nameAdditions': {'comment': 'Telesec attribute',
- 'description': 'nameAdditions (0 2 262 1 10 7 18)',
- 'hexoid': '06 07 02 82 06 01 0A 07 12',
- 'name': 'nameAdditions',
- 'oid': (0, 2, 262, 1, 10, 7, 18)},
- 'nameAtBirth': {'comment': 'Teletrust attribute',
- 'description': 'nameAtBirth (1 3 36 8 3 14)',
- 'hexoid': '06 05 2B 24 08 03 0E',
- 'name': 'nameAtBirth',
- 'oid': (1, 3, 36, 8, 3, 14)},
- 'nameBinding': {'comment': 'Telesec',
- 'description': 'nameBinding (0 2 262 1 10 6)',
- 'hexoid': '06 06 02 82 06 01 0A 06',
- 'name': 'nameBinding',
- 'oid': (0, 2, 262, 1, 10, 6)},
- 'nameConstraints': {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'nameConstraints (2 5 29 30)',
- 'hexoid': '06 03 55 1D 1E',
- 'name': 'nameConstraints',
- 'oid': (2, 5, 29, 30)},
- 'nameDistinguisher': {'comment': 'Telesec attribute',
- 'description': 'nameDistinguisher (0 2 262 1 10 7 20)',
- 'hexoid': '06 07 02 82 06 01 0A 07 14',
- 'name': 'nameDistinguisher',
- 'oid': (0, 2, 262, 1, 10, 7, 20)},
- 'namedTagSetPrivilege': {'comment': 'SDN.700 INFOSEC privileges',
- 'description': 'namedTagSetPrivilege (2 16 840 1 101 2 1 10 3)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 0A 03',
- 'name': 'namedTagSetPrivilege',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 10, 3)},
- 'namingAuthorities': {'comment': 'Teletrust attribute',
- 'description': 'namingAuthorities (1 3 36 8 3 11)',
- 'hexoid': '06 05 2B 24 08 03 0B',
- 'name': 'namingAuthorities',
- 'oid': (1, 3, 36, 8, 3, 11)},
- 'namingAuthority': {'comment': 'Telesec attribute',
- 'description': 'namingAuthority (0 2 262 1 10 7 7)',
- 'hexoid': '06 07 02 82 06 01 0A 07 07',
- 'name': 'namingAuthority',
- 'oid': (0, 2, 262, 1, 10, 7, 7)},
- 'national': {'comment': 'SET',
- 'description': 'national (2 23 42 10)',
- 'hexoid': '06 03 67 2A 0A',
- 'name': 'national',
- 'oid': (2, 23, 42, 10)},
- 'netscape-base-url': {'comment': 'Netscape certificate extension',
- 'description': 'netscape-base-url (2 16 840 1 113730 1 2)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 01 02',
- 'name': 'netscape-base-url',
- 'oid': (2, 16, 840, 1, 113730, 1, 2)},
- 'netscape-ca-policy-url': {'comment': 'Netscape certificate extension',
- 'description': 'netscape-ca-policy-url (2 16 840 1 113730 1 8)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 01 08',
- 'name': 'netscape-ca-policy-url',
- 'oid': (2, 16, 840, 1, 113730, 1, 8)},
- 'netscape-ca-revocation-url': {'comment': 'Netscape certificate extension',
- 'description': 'netscape-ca-revocation-url (2 16 840 1 113730 1 4)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 01 04',
- 'name': 'netscape-ca-revocation-url',
- 'oid': (2, 16, 840, 1, 113730, 1, 4)},
- 'netscape-cert-renewal-url': {'comment': 'Netscape certificate extension',
- 'description': 'netscape-cert-renewal-url (2 16 840 1 113730 1 7)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 01 07',
- 'name': 'netscape-cert-renewal-url',
- 'oid': (2, 16, 840, 1, 113730, 1, 7)},
- 'netscape-cert-type': {'comment': 'Netscape certificate extension',
- 'description': 'netscape-cert-type (2 16 840 1 113730 1 1)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 01 01',
- 'name': 'netscape-cert-type',
- 'oid': (2, 16, 840, 1, 113730, 1, 1)},
- 'netscape-comment': {'comment': 'Netscape certificate extension',
- 'description': 'netscape-comment (2 16 840 1 113730 1 13)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 01 0D',
- 'name': 'netscape-comment',
- 'oid': (2, 16, 840, 1, 113730, 1, 13)},
- 'netscape-revocation-url': {'comment': 'Netscape certificate extension',
- 'description': 'netscape-revocation-url (2 16 840 1 113730 1 3)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 01 03',
- 'name': 'netscape-revocation-url',
- 'oid': (2, 16, 840, 1, 113730, 1, 3)},
- 'netscape-ssl-server-name': {'comment': 'Netscape certificate extension',
- 'description': 'netscape-ssl-server-name (2 16 840 1 113730 1 12)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 01 0C',
- 'name': 'netscape-ssl-server-name',
- 'oid': (2, 16, 840, 1, 113730, 1, 12)},
- 'nextUpdateLocation': {'comment': 'Microsoft',
- 'description': 'nextUpdateLocation (1 3 6 1 4 1 311 10 2)',
- 'hexoid': '06 09 2B 06 01 04 01 82 37 0A 02',
- 'name': 'nextUpdateLocation',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 10, 2)},
- 'ngcClass1': {'comment': 'Northrop Grumman policy',
- 'description': 'ngcClass1 (1 3 6 1 4 1 16334 509 2 1)',
- 'hexoid': '06 0B 2B 06 01 04 01 FF 4E 83 7D 02 01',
- 'name': 'ngcClass1',
- 'oid': (1, 3, 6, 1, 4, 1, 16334, 509, 2, 1)},
- 'ngcClass2': {'comment': 'Northrop Grumman policy',
- 'description': 'ngcClass2 (1 3 6 1 4 1 16334 509 2 2)',
- 'hexoid': '06 0B 2B 06 01 04 01 FF 4E 83 7D 02 02',
- 'name': 'ngcClass2',
- 'oid': (1, 3, 6, 1, 4, 1, 16334, 509, 2, 2)},
- 'ngcClass3': {'comment': 'Northrop Grumman policy',
- 'description': 'ngcClass3 (1 3 6 1 4 1 16334 509 2 3)',
- 'hexoid': '06 0B 2B 06 01 04 01 FF 4E 83 7D 02 03',
- 'name': 'ngcClass3',
- 'oid': (1, 3, 6, 1, 4, 1, 16334, 509, 2, 3)},
- 'nistAlgorithm': {'comment': 'NIST Algorithm',
- 'description': 'nistAlgorithm (2 16 840 1 101 3 4)',
- 'hexoid': '06 07 60 86 48 01 65 03 04',
- 'name': 'nistAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 3, 4)},
- 'noSignature': {'comment': 'PKIX algorithm',
- 'description': 'noSignature (1 3 6 1 5 5 7 6 2)',
- 'hexoid': '06 08 2B 06 01 05 05 07 06 02',
- 'name': 'noSignature',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 6, 2)},
- 'none': {'comment': 'Telesec encryption',
- 'description': 'none (0 2 262 1 10 1 2 0)',
- 'hexoid': '06 08 02 82 06 01 0A 01 02 00',
- 'name': 'none',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 0)},
- 'notar': {'comment': 'Teletrust ProfessionInfo',
- 'description': 'notar (1 3 36 8 3 11 1 9)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 09',
- 'name': 'notar',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 9)},
- 'notarVertreter': {'comment': 'Teletrust ProfessionInfo',
- 'description': 'notarVertreter (1 3 36 8 3 11 1 11)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 0B',
- 'name': 'notarVertreter',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 11)},
- 'notarVertreterin': {'comment': 'Teletrust ProfessionInfo',
- 'description': 'notarVertreterin (1 3 36 8 3 11 1 10)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 0A',
- 'name': 'notarVertreterin',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 10)},
- 'notariatsVerwalter': {'comment': 'Teletrust ProfessionInfo',
- 'description': 'notariatsVerwalter (1 3 36 8 3 11 1 13)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 0D',
- 'name': 'notariatsVerwalter',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 13)},
- 'notariatsVerwalterin': {'comment': 'Teletrust ProfessionInfo',
- 'description': 'notariatsVerwalterin (1 3 36 8 3 11 1 12)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 0C',
- 'name': 'notariatsVerwalterin',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 12)},
- 'notarin': {'comment': 'Teletrust ProfessionInfo',
- 'description': 'notarin (1 3 36 8 3 11 1 8)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 08',
- 'name': 'notarin',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 8)},
- 'notification': {'comment': 'Telesec',
- 'description': 'notification (0 2 262 1 10 10)',
- 'hexoid': '06 06 02 82 06 01 0A 0A',
- 'name': 'notification',
- 'oid': (0, 2, 262, 1, 10, 10)},
- 'novUKMs': {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'novUKMs (2 16 840 1 101 2 1 5 30)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 1E',
- 'name': 'novUKMs',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 30)},
- 'novellAlgorithm': {'comment': 'Novell',
- 'description': 'novellAlgorithm (2 16 840 1 113719 1 2 8)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 37 01 02 08',
- 'name': 'novellAlgorithm',
- 'oid': (2, 16, 840, 1, 113719, 1, 2, 8)},
- 'novellObfuscate-1': {'comment': 'Novell encryption algorithm',
- 'description': 'novellObfuscate-1 (2 16 840 1 113719 1 2 8 133)',
- 'hexoid': '06 0C 60 86 48 01 86 F8 37 01 02 08 81 05',
- 'name': 'novellObfuscate-1',
- 'oid': (2, 16, 840, 1, 113719, 1, 2, 8, 133)},
- 'nsn': {'description': 'nsn (1 2 840 113533 7)',
- 'hexoid': '06 07 2A 86 48 86 F6 7D 07',
- 'name': 'nsn',
- 'oid': (1, 2, 840, 113533, 7)},
- 'nsn-alg': {'description': 'nsn-alg (1 2 840 113533 7 66)',
- 'hexoid': '06 08 2A 86 48 86 F6 7D 07 42',
- 'name': 'nsn-alg',
- 'oid': (1, 2, 840, 113533, 7, 66)},
- 'nsn-at': {'description': 'nsn-at (1 2 840 113533 7 68)',
- 'hexoid': '06 08 2A 86 48 86 F6 7D 07 44',
- 'name': 'nsn-at',
- 'oid': (1, 2, 840, 113533, 7, 68)},
- 'nsn-ce': {'description': 'nsn-ce (1 2 840 113533 7 65)',
- 'hexoid': '06 08 2A 86 48 86 F6 7D 07 41',
- 'name': 'nsn-ce',
- 'oid': (1, 2, 840, 113533, 7, 65)},
- 'nsn-oc': {'description': 'nsn-oc (1 2 840 113533 7 67)',
- 'hexoid': '06 08 2A 86 48 86 F6 7D 07 43',
- 'name': 'nsn-oc',
- 'oid': (1, 2, 840, 113533, 7, 67)},
- 'ntSecurityDescriptor': {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'ntSecurityDescriptor (1 2 840 113556 1 2 281)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 02 82 19',
- 'name': 'ntSecurityDescriptor',
- 'oid': (1, 2, 840, 113556, 1, 2, 281)},
- 'numberType': {'comment': 'ANSI X9.42',
- 'description': 'numberType (1 2 840 10046 2)',
- 'hexoid': '06 06 2A 86 48 CE 3E 02',
- 'name': 'numberType',
- 'oid': (1, 2, 840, 10046, 2)},
- 'objectClass': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'objectClass (2 5 4 0)',
- 'hexoid': '06 03 55 04 00',
- 'name': 'objectClass',
- 'oid': (2, 5, 4, 0)},
- 'ocsp': {'comment': 'PKIX',
- 'description': 'ocsp (1 3 6 1 5 5 7 48 1)',
- 'hexoid': '06 08 2B 06 01 05 05 07 30 01',
- 'name': 'ocsp',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 48, 1)},
- 'ocspArchiveCutoff': {'comment': 'OCSP',
- 'description': 'ocspArchiveCutoff (1 3 6 1 5 5 7 48 1 6)',
- 'hexoid': '06 09 2B 06 01 05 05 07 30 01 06',
- 'name': 'ocspArchiveCutoff',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 48, 1, 6)},
- 'ocspBasic': {'comment': 'OCSP',
- 'description': 'ocspBasic (1 3 6 1 5 5 7 48 1 1)',
- 'hexoid': '06 09 2B 06 01 05 05 07 30 01 01',
- 'name': 'ocspBasic',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 48, 1, 1)},
- 'ocspCRL': {'comment': 'OCSP',
- 'description': 'ocspCRL (1 3 6 1 5 5 7 48 1 3)',
- 'hexoid': '06 09 2B 06 01 05 05 07 30 01 03',
- 'name': 'ocspCRL',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 48, 1, 3)},
- 'ocspNoCheck': {'comment': 'OCSP',
- 'description': 'ocspNoCheck (1 3 6 1 5 5 7 48 1 5)',
- 'hexoid': '06 09 2B 06 01 05 05 07 30 01 05',
- 'name': 'ocspNoCheck',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 48, 1, 5)},
- 'ocspNonce': {'comment': 'OCSP',
- 'description': 'ocspNonce (1 3 6 1 5 5 7 48 1 2)',
- 'hexoid': '06 09 2B 06 01 05 05 07 30 01 02',
- 'name': 'ocspNonce',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 48, 1, 2)},
- 'ocspResponse': {'comment': 'OCSP',
- 'description': 'ocspResponse (1 3 6 1 5 5 7 48 1 4)',
- 'hexoid': '06 09 2B 06 01 05 05 07 30 01 04',
- 'name': 'ocspResponse',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 48, 1, 4)},
- 'ocspServiceLocator': {'comment': 'OCSP',
- 'description': 'ocspServiceLocator (1 3 6 1 5 5 7 48 1 7)',
- 'hexoid': '06 09 2B 06 01 05 05 07 30 01 07',
- 'name': 'ocspServiceLocator',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 48, 1, 7)},
- 'ocspSigning': {'comment': 'PKIX key purpose',
- 'description': 'ocspSigning (1 3 6 1 5 5 7 3 9)',
- 'hexoid': '06 08 2B 06 01 05 05 07 03 09',
- 'name': 'ocspSigning',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 3, 9)},
- 'octUKMs': {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'octUKMs (2 16 840 1 101 2 1 5 29)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 1D',
- 'name': 'octUKMs',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 29)},
- 'oldCertID': {'comment': 'PKIX CRMF registration control',
- 'description': 'oldCertID (1 3 6 1 5 5 7 5 1 5)',
- 'hexoid': '06 09 2B 06 01 05 05 07 05 01 05',
- 'name': 'oldCertID',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 5, 1, 5)},
- 'onBasis': {'comment': 'ANSI X9.62 field basis',
- 'description': 'onBasis (1 2 840 10045 1 2 3 1)',
- 'hexoid': '06 09 2A 86 48 CE 3D 01 02 03 01',
- 'name': 'onBasis',
- 'oid': (1, 2, 840, 10045, 1, 2, 3, 1)},
- 'oneWayFunction': {'comment': 'Telesec mechanism',
- 'description': 'oneWayFunction (0 2 262 1 10 1 3)',
- 'hexoid': '06 07 02 82 06 01 0A 01 03',
- 'name': 'oneWayFunction',
- 'oid': (0, 2, 262, 1, 10, 1, 3)},
- 'oneWayISO9798Authentication': {'comment': 'Telesec authentication',
- 'description': 'oneWayISO9798Authentication (0 2 262 1 10 1 0 6)',
- 'hexoid': '06 08 02 82 06 01 0A 01 00 06',
- 'name': 'oneWayISO9798Authentication',
- 'oid': (0, 2, 262, 1, 10, 1, 0, 6)},
- 'oneWayX509Authentication': {'comment': 'Telesec authentication',
- 'description': 'oneWayX509Authentication (0 2 262 1 10 1 0 3)',
- 'hexoid': '06 08 02 82 06 01 0A 01 00 03',
- 'name': 'oneWayX509Authentication',
- 'oid': (0, 2, 262, 1, 10, 1, 0, 3)},
- 'organization': {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'organization (2 5 6 4)',
- 'hexoid': '06 03 55 06 04',
- 'name': 'organization',
- 'oid': (2, 5, 6, 4)},
- 'organizationName': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'organizationName (2 5 4 10)',
- 'hexoid': '06 03 55 04 0A',
- 'name': 'organizationName',
- 'oid': (2, 5, 4, 10)},
- 'organizationalPerson': {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'organizationalPerson (2 5 6 7)',
- 'hexoid': '06 03 55 06 07',
- 'name': 'organizationalPerson',
- 'oid': (2, 5, 6, 7)},
- 'organizationalRole': {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'organizationalRole (2 5 6 8)',
- 'hexoid': '06 03 55 06 08',
- 'name': 'organizationalRole',
- 'oid': (2, 5, 6, 8)},
- 'organizationalUnit': {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'organizationalUnit (2 5 6 5)',
- 'hexoid': '06 03 55 06 05',
- 'name': 'organizationalUnit',
- 'oid': (2, 5, 6, 5)},
- 'organizationalUnitName': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'organizationalUnitName (2 5 4 11)',
- 'hexoid': '06 03 55 04 0B',
- 'name': 'organizationalUnitName',
- 'oid': (2, 5, 4, 11)},
- 'origPKIMessage': {'comment': 'PKIX CMP information',
- 'description': 'origPKIMessage (1 3 6 1 5 5 7 4 15)',
- 'hexoid': '06 08 2B 06 01 05 05 07 04 0F',
- 'name': 'origPKIMessage',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 4, 15)},
- 'originalFilename': {'comment': 'Microsoft attribute',
- 'description': 'originalFilename (1 3 6 1 4 1 311 88 2 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 58 02 01',
- 'name': 'originalFilename',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 88, 2, 1)},
- 'originatorSig': {'comment': 'S/MIME Signature Type Identifier',
- 'description': 'originatorSig (1 2 840 113549 1 9 16 9 1)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 09 01',
- 'name': 'originatorSig',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 9, 1)},
- 'osVersion': {'comment': 'Microsoft attribute',
- 'description': 'osVersion (1 3 6 1 4 1 311 13 2 3)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 0D 02 03',
- 'name': 'osVersion',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 13, 2, 3)},
- 'otherNames': {'comment': 'PKIX',
- 'description': 'otherNames (1 3 6 1 5 5 7 8)',
- 'hexoid': '06 07 2B 06 01 05 05 07 08',
- 'name': 'otherNames',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 8)},
- 'otherSigCert': {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'otherSigCert (1 2 840 113549 1 9 16 2 19)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 13',
- 'name': 'otherSigCert',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 2, 19)},
- 'owner': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'owner (2 5 4 32)',
- 'hexoid': '06 03 55 04 20',
- 'name': 'owner',
- 'oid': (2, 5, 4, 32)},
- 'pKICriticalExtensions': {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'pKICriticalExtensions (1 2 840 113556 1 4 1330)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8A 32',
- 'name': 'pKICriticalExtensions',
- 'oid': (1, 2, 840, 113556, 1, 4, 1330)},
- 'pKIDefaultCSPs': {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'pKIDefaultCSPs (1 2 840 113556 1 4 1334)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8A 36',
- 'name': 'pKIDefaultCSPs',
- 'oid': (1, 2, 840, 113556, 1, 4, 1334)},
- 'pKIDefaultKeySpec': {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'pKIDefaultKeySpec (1 2 840 113556 1 4 1327)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8A 2F',
- 'name': 'pKIDefaultKeySpec',
- 'oid': (1, 2, 840, 113556, 1, 4, 1327)},
- 'pKIEnrollmentAccess': {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'pKIEnrollmentAccess (1 2 840 113556 1 4 1335)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8A 37',
- 'name': 'pKIEnrollmentAccess',
- 'oid': (1, 2, 840, 113556, 1, 4, 1335)},
- 'pKIExpirationPeriod': {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'pKIExpirationPeriod (1 2 840 113556 1 4 1331)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8A 33',
- 'name': 'pKIExpirationPeriod',
- 'oid': (1, 2, 840, 113556, 1, 4, 1331)},
- 'pKIExtendedKeyUsage': {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'pKIExtendedKeyUsage (1 2 840 113556 1 4 1333)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8A 35',
- 'name': 'pKIExtendedKeyUsage',
- 'oid': (1, 2, 840, 113556, 1, 4, 1333)},
- 'pKIKeyUsage': {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'pKIKeyUsage (1 2 840 113556 1 4 1328)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8A 30',
- 'name': 'pKIKeyUsage',
- 'oid': (1, 2, 840, 113556, 1, 4, 1328)},
- 'pKIMaxIssuingDepth': {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'pKIMaxIssuingDepth (1 2 840 113556 1 4 1329)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8A 31',
- 'name': 'pKIMaxIssuingDepth',
- 'oid': (1, 2, 840, 113556, 1, 4, 1329)},
- 'pKIOverlapPeriod': {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'pKIOverlapPeriod (1 2 840 113556 1 4 1332)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8A 34',
- 'name': 'pKIOverlapPeriod',
- 'oid': (1, 2, 840, 113556, 1, 4, 1332)},
- 'pKReference': {'comment': 'Teletrust attribute',
- 'description': 'pKReference (1 3 36 8 3 7)',
- 'hexoid': '06 05 2B 24 08 03 07',
- 'name': 'pKReference',
- 'oid': (1, 3, 36, 8, 3, 7)},
- 'package': {'comment': 'Telesec',
- 'description': 'package (0 2 262 1 10 4)',
- 'hexoid': '06 06 02 82 06 01 0A 04',
- 'name': 'package',
- 'oid': (0, 2, 262, 1, 10, 4)},
- 'parameter': {'comment': 'Telesec',
- 'description': 'parameter (0 2 262 1 10 5)',
- 'hexoid': '06 06 02 82 06 01 0A 05',
- 'name': 'parameter',
- 'oid': (0, 2, 262, 1, 10, 5)},
- 'passPhrase': {'comment': 'SET field',
- 'description': 'passPhrase (2 23 42 2 12)',
- 'hexoid': '06 04 67 2A 02 0C',
- 'name': 'passPhrase',
- 'oid': (2, 23, 42, 2, 12)},
- 'passwordAuthentication': {'comment': 'Telesec authentication',
- 'description': 'passwordAuthentication (0 2 262 1 10 1 0 1)',
- 'hexoid': '06 08 02 82 06 01 0A 01 00 01',
- 'name': 'passwordAuthentication',
- 'oid': (0, 2, 262, 1, 10, 1, 0, 1)},
- 'passwordBasedMac': {'comment': 'Nortel Secure Networks alg',
- 'description': 'passwordBasedMac (1 2 840 113533 7 66 13)',
- 'hexoid': '06 09 2A 86 48 86 F6 7D 07 42 0D',
- 'name': 'passwordBasedMac',
- 'oid': (1, 2, 840, 113533, 7, 66, 13)},
- 'patentAnwaeltin': {'comment': 'Teletrust ProfessionInfo',
- 'description': 'patentAnwaeltin (1 3 36 8 3 11 1 18)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 12',
- 'name': 'patentAnwaeltin',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 18)},
- 'patentAnwalt': {'comment': 'Teletrust ProfessionInfo',
- 'description': 'patentAnwalt (1 3 36 8 3 11 1 19)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 13',
- 'name': 'patentAnwalt',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 19)},
- 'pbeWithMD2AndDES-CBC': {'comment': 'PKCS #5',
- 'description': 'pbeWithMD2AndDES-CBC (1 2 840 113549 1 5 1)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 05 01',
- 'name': 'pbeWithMD2AndDES-CBC',
- 'oid': (1, 2, 840, 113549, 1, 5, 1)},
- 'pbeWithMD2AndRC2-CBC': {'comment': 'PKCS #5',
- 'description': 'pbeWithMD2AndRC2-CBC (1 2 840 113549 1 5 4)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 05 04',
- 'name': 'pbeWithMD2AndRC2-CBC',
- 'oid': (1, 2, 840, 113549, 1, 5, 4)},
- 'pbeWithMD5AndCAST5-CBC': {'comment': 'Nortel Secure Networks alg',
- 'description': 'pbeWithMD5AndCAST5-CBC (1 2 840 113533 7 66 12)',
- 'hexoid': '06 09 2A 86 48 86 F6 7D 07 42 0C',
- 'name': 'pbeWithMD5AndCAST5-CBC',
- 'oid': (1, 2, 840, 113533, 7, 66, 12)},
- 'pbeWithMD5AndDES-CBC': {'comment': 'PKCS #5',
- 'description': 'pbeWithMD5AndDES-CBC (1 2 840 113549 1 5 3)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 05 03',
- 'name': 'pbeWithMD5AndDES-CBC',
- 'oid': (1, 2, 840, 113549, 1, 5, 3)},
- 'pbeWithMD5AndRC2-CBC': {'comment': 'PKCS #5',
- 'description': 'pbeWithMD5AndRC2-CBC (1 2 840 113549 1 5 6)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 05 06',
- 'name': 'pbeWithMD5AndRC2-CBC',
- 'oid': (1, 2, 840, 113549, 1, 5, 6)},
- 'pbeWithSHAAnd128BitRC2-CBC': {'comment': 'PKCS #12 PbeIds',
- 'description': 'pbeWithSHAAnd128BitRC2-CBC (1 2 840 113549 1 12 1 5)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0C 01 05',
- 'name': 'pbeWithSHAAnd128BitRC2-CBC',
- 'oid': (1, 2, 840, 113549, 1, 12, 1, 5)},
- 'pbeWithSHAAnd128BitRC4': {'comment': 'PKCS #12 PbeIds. This OID was formerly assigned as pkcs-12-OfflineTransportMode',
- 'description': 'pbeWithSHAAnd128BitRC4 (1 2 840 113549 1 12 1 1)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0C 01 01',
- 'name': 'pbeWithSHAAnd128BitRC4',
- 'oid': (1, 2, 840, 113549, 1, 12, 1, 1)},
- 'pbeWithSHAAnd2-KeyTripleDES-CBC': {'comment': 'PKCS #12 PbeIds',
- 'description': 'pbeWithSHAAnd2-KeyTripleDES-CBC (1 2 840 113549 1 12 1 4)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0C 01 04',
- 'name': 'pbeWithSHAAnd2-KeyTripleDES-CBC',
- 'oid': (1, 2, 840, 113549, 1, 12, 1, 4)},
- 'pbeWithSHAAnd3-KeyTripleDES-CBC': {'comment': 'PKCS #12 PbeIds',
- 'description': 'pbeWithSHAAnd3-KeyTripleDES-CBC (1 2 840 113549 1 12 1 3)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0C 01 03',
- 'name': 'pbeWithSHAAnd3-KeyTripleDES-CBC',
- 'oid': (1, 2, 840, 113549, 1, 12, 1, 3)},
- 'pbeWithSHAAnd40BitRC2-CBC': {'comment': 'PKCS #12 PbeIds',
- 'description': 'pbeWithSHAAnd40BitRC2-CBC (1 2 840 113549 1 12 1 6)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0C 01 06',
- 'name': 'pbeWithSHAAnd40BitRC2-CBC',
- 'oid': (1, 2, 840, 113549, 1, 12, 1, 6)},
- 'pbeWithSHAAnd40BitRC4': {'comment': 'PKCS #12 PbeIds. This OID was formerly assigned as pkcs-12-OnlineTransportMode',
- 'description': 'pbeWithSHAAnd40BitRC4 (1 2 840 113549 1 12 1 2)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0C 01 02',
- 'name': 'pbeWithSHAAnd40BitRC4',
- 'oid': (1, 2, 840, 113549, 1, 12, 1, 2)},
- 'pbeWithSHAAndDES-CBC': {'comment': 'PKCS #5',
- 'description': 'pbeWithSHAAndDES-CBC (1 2 840 113549 1 5 10)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 05 0A',
- 'name': 'pbeWithSHAAndDES-CBC',
- 'oid': (1, 2, 840, 113549, 1, 5, 10)},
- 'person': {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'person (2 5 6 6)',
- 'hexoid': '06 03 55 06 06',
- 'name': 'person',
- 'oid': (2, 5, 6, 6)},
- 'personalData': {'comment': 'Teletrust OtherName attribute',
- 'description': 'personalData (1 3 36 8 4 1)',
- 'hexoid': '06 05 2B 24 08 04 01',
- 'name': 'personalData',
- 'oid': (1, 3, 36, 8, 4, 1)},
- 'pgpExtension': {'comment': 'PGP key information',
- 'description': 'pgpExtension (1 3 6 1 4 1 3401 8 1 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 9A 49 08 01 01',
- 'name': 'pgpExtension',
- 'oid': (1, 3, 6, 1, 4, 1, 3401, 8, 1, 1)},
- 'physicalCardNumber': {'comment': 'Telesec attribute',
- 'description': 'physicalCardNumber (0 2 262 1 10 7 25)',
- 'hexoid': '06 07 02 82 06 01 0A 07 19',
- 'name': 'physicalCardNumber',
- 'oid': (0, 2, 262, 1, 10, 7, 25)},
- 'physicalDeliveryOfficeName': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'physicalDeliveryOfficeName (2 5 4 19)',
- 'hexoid': '06 03 55 04 13',
- 'name': 'physicalDeliveryOfficeName',
- 'oid': (2, 5, 4, 19)},
- 'physicianIdentifiers': {'comment': 'MEDePass',
- 'description': 'physicianIdentifiers (1 3 6 1 4 1 5770 0 4)',
- 'hexoid': '06 09 2B 06 01 04 01 AD 0A 00 04',
- 'name': 'physicianIdentifiers',
- 'oid': (1, 3, 6, 1, 4, 1, 5770, 0, 4)},
- 'pickupToken': {'comment': 'ANSI X9.57 hold instruction',
- 'description': 'pickupToken (1 2 840 10040 2 4)',
- 'hexoid': '06 07 2A 86 48 CE 38 02 04',
- 'name': 'pickupToken',
- 'oid': (1, 2, 840, 10040, 2, 4)},
- 'pkcs-1': {'description': 'pkcs-1 (1 2 840 113549 1 1)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 01 01',
- 'name': 'pkcs-1',
- 'oid': (1, 2, 840, 113549, 1, 1)},
- 'pkcs-12': {'description': 'pkcs-12 (1 2 840 113549 1 12)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 01 0C',
- 'name': 'pkcs-12',
- 'oid': (1, 2, 840, 113549, 1, 12)},
- 'pkcs-12-BagIds': {'description': 'pkcs-12-BagIds (1 2 840 113549 1 12 3)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 0C 03',
- 'name': 'pkcs-12-BagIds',
- 'oid': (1, 2, 840, 113549, 1, 12, 3)},
- 'pkcs-12-EnvelopingID': {'comment': 'PKCS #12 OID. Deprecated, use the conventional PKCS #1 OIDs instead',
- 'description': 'pkcs-12-EnvelopingID (1 2 840 113549 1 12 5 2)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0C 05 02',
- 'name': 'pkcs-12-EnvelopingID',
- 'oid': (1, 2, 840, 113549, 1, 12, 5, 2)},
- 'pkcs-12-PbeIds': {'comment': 'This OID was formerly assigned as PKCS #12 modeID',
- 'description': 'pkcs-12-PbeIds (1 2 840 113549 1 12 1)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 0C 01',
- 'name': 'pkcs-12-PbeIds',
- 'oid': (1, 2, 840, 113549, 1, 12, 1)},
- 'pkcs-12-SDSICertBagID': {'comment': 'PKCS #12 CertBagID. This OID was formerly assigned as pkcs-12-SDSICertBag',
- 'description': 'pkcs-12-SDSICertBagID (1 2 840 113549 1 12 4 2)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0C 04 02',
- 'name': 'pkcs-12-SDSICertBagID',
- 'oid': (1, 2, 840, 113549, 1, 12, 4, 2)},
- 'pkcs-12-X509CertCRLBagID': {'comment': 'PKCS #12 CertBagID. This OID was formerly assigned as pkcs-12-X509CertCRLBag',
- 'description': 'pkcs-12-X509CertCRLBagID (1 2 840 113549 1 12 4 1)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0C 04 01',
- 'name': 'pkcs-12-X509CertCRLBagID',
- 'oid': (1, 2, 840, 113549, 1, 12, 4, 1)},
- 'pkcs-12-certAndCRLBagId': {'comment': 'PKCS #12 BagIds',
- 'description': 'pkcs-12-certAndCRLBagId (1 2 840 113549 1 12 3 2)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0C 03 02',
- 'name': 'pkcs-12-certAndCRLBagId',
- 'oid': (1, 2, 840, 113549, 1, 12, 3, 2)},
- 'pkcs-12-certBag': {'comment': 'PKCS #12 BagIds',
- 'description': 'pkcs-12-certBag (1 2 840 113549 1 12 10 1 3)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 0C 0A 01 03',
- 'name': 'pkcs-12-certBag',
- 'oid': (1, 2, 840, 113549, 1, 12, 10, 1, 3)},
- 'pkcs-12-crlBag': {'comment': 'PKCS #12 BagIds',
- 'description': 'pkcs-12-crlBag (1 2 840 113549 1 12 10 1 4)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 0C 0A 01 04',
- 'name': 'pkcs-12-crlBag',
- 'oid': (1, 2, 840, 113549, 1, 12, 10, 1, 4)},
- 'pkcs-12-keyBag': {'comment': 'PKCS #12 BagIds',
- 'description': 'pkcs-12-keyBag (1 2 840 113549 1 12 10 1 1)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 0C 0A 01 01',
- 'name': 'pkcs-12-keyBag',
- 'oid': (1, 2, 840, 113549, 1, 12, 10, 1, 1)},
- 'pkcs-12-keyBagId': {'comment': 'PKCS #12 BagIds',
- 'description': 'pkcs-12-keyBagId (1 2 840 113549 1 12 3 1)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0C 03 01',
- 'name': 'pkcs-12-keyBagId',
- 'oid': (1, 2, 840, 113549, 1, 12, 3, 1)},
- 'pkcs-12-pkcs-8ShroudedKeyBag': {'comment': 'PKCS #12 BagIds',
- 'description': 'pkcs-12-pkcs-8ShroudedKeyBag (1 2 840 113549 1 12 10 1 2)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 0C 0A 01 02',
- 'name': 'pkcs-12-pkcs-8ShroudedKeyBag',
- 'oid': (1, 2, 840, 113549, 1, 12, 10, 1, 2)},
- 'pkcs-12-pkcs-8ShroudedKeyBagId': {'comment': 'PKCS #12 BagIds',
- 'description': 'pkcs-12-pkcs-8ShroudedKeyBagId (1 2 840 113549 1 12 3 5)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0C 03 05',
- 'name': 'pkcs-12-pkcs-8ShroudedKeyBagId',
- 'oid': (1, 2, 840, 113549, 1, 12, 3, 5)},
- 'pkcs-12-safeContentsBag': {'comment': 'PKCS #12 BagIds',
- 'description': 'pkcs-12-safeContentsBag (1 2 840 113549 1 12 10 1 6)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 0C 0A 01 06',
- 'name': 'pkcs-12-safeContentsBag',
- 'oid': (1, 2, 840, 113549, 1, 12, 10, 1, 6)},
- 'pkcs-12-safeContentsId': {'comment': 'PKCS #12 BagIds',
- 'description': 'pkcs-12-safeContentsId (1 2 840 113549 1 12 3 4)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0C 03 04',
- 'name': 'pkcs-12-safeContentsId',
- 'oid': (1, 2, 840, 113549, 1, 12, 3, 4)},
- 'pkcs-12-secretBag': {'comment': 'PKCS #12 BagIds',
- 'description': 'pkcs-12-secretBag (1 2 840 113549 1 12 10 1 5)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 0C 0A 01 05',
- 'name': 'pkcs-12-secretBag',
- 'oid': (1, 2, 840, 113549, 1, 12, 10, 1, 5)},
- 'pkcs-12-secretBagId': {'comment': 'PKCS #12 BagIds',
- 'description': 'pkcs-12-secretBagId (1 2 840 113549 1 12 3 3)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0C 03 03',
- 'name': 'pkcs-12-secretBagId',
- 'oid': (1, 2, 840, 113549, 1, 12, 3, 3)},
- 'pkcs-12BadIds': {'description': 'pkcs-12BadIds (1 2 840 113549 1 12 10 1)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0C 0A 01',
- 'name': 'pkcs-12BadIds',
- 'oid': (1, 2, 840, 113549, 1, 12, 10, 1)},
- 'pkcs-12Version1': {'description': 'pkcs-12Version1 (1 2 840 113549 1 12 10)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 0C 0A',
- 'name': 'pkcs-12Version1',
- 'oid': (1, 2, 840, 113549, 1, 12, 10)},
- 'pkcs-3': {'description': 'pkcs-3 (1 2 840 113549 1 3)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 01 03',
- 'name': 'pkcs-3',
- 'oid': (1, 2, 840, 113549, 1, 3)},
- 'pkcs-5': {'description': 'pkcs-5 (1 2 840 113549 1 5)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 01 05',
- 'name': 'pkcs-5',
- 'oid': (1, 2, 840, 113549, 1, 5)},
- 'pkcs-7': {'description': 'pkcs-7 (1 2 840 113549 1 7)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 01 07',
- 'name': 'pkcs-7',
- 'oid': (1, 2, 840, 113549, 1, 7)},
- 'pkcs-9': {'description': 'pkcs-9 (1 2 840 113549 1 9)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 01 09',
- 'name': 'pkcs-9',
- 'oid': (1, 2, 840, 113549, 1, 9)},
- 'pkcs1-MGF': {'comment': 'PKCS #1',
- 'description': 'pkcs1-MGF (1 2 840 113549 1 1 8)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 01 08',
- 'name': 'pkcs1-MGF',
- 'oid': (1, 2, 840, 113549, 1, 1, 8)},
- 'pkcs15Token': {'comment': 'PKCS #9/RFC 2985 attribute',
- 'description': 'pkcs15Token (1 2 840 113549 1 9 25 1)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 09 19 01',
- 'name': 'pkcs15Token',
- 'oid': (1, 2, 840, 113549, 1, 9, 25, 1)},
- 'pkcs15attributes': {'comment': 'PKCS #15',
- 'description': 'pkcs15attributes (1 2 840 113549 1 15 2)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 0F 02',
- 'name': 'pkcs15attributes',
- 'oid': (1, 2, 840, 113549, 1, 15, 2)},
- 'pkcs15content': {'comment': 'PKCS #15 content type',
- 'description': 'pkcs15content (1 2 840 113549 1 15 3 1)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0F 03 01',
- 'name': 'pkcs15content',
- 'oid': (1, 2, 840, 113549, 1, 15, 3, 1)},
- 'pkcs15contentType': {'comment': 'PKCS #15',
- 'description': 'pkcs15contentType (1 2 840 113549 1 15 3)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 0F 03',
- 'name': 'pkcs15contentType',
- 'oid': (1, 2, 840, 113549, 1, 15, 3)},
- 'pkcs15modules': {'comment': 'PKCS #15',
- 'description': 'pkcs15modules (1 2 840 113549 1 15 1)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 0F 01',
- 'name': 'pkcs15modules',
- 'oid': (1, 2, 840, 113549, 1, 15, 1)},
- 'pkcs5PBES2': {'comment': 'PKCS #5 v2.0',
- 'description': 'pkcs5PBES2 (1 2 840 113549 1 5 13)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 05 0D',
- 'name': 'pkcs5PBES2',
- 'oid': (1, 2, 840, 113549, 1, 5, 13)},
- 'pkcs5PBKDF2': {'comment': 'PKCS #5 v2.0',
- 'description': 'pkcs5PBKDF2 (1 2 840 113549 1 5 12)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 05 0C',
- 'name': 'pkcs5PBKDF2',
- 'oid': (1, 2, 840, 113549, 1, 5, 12)},
- 'pkcs5PBMAC1': {'comment': 'PKCS #5 v2.0',
- 'description': 'pkcs5PBMAC1 (1 2 840 113549 1 5 14)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 05 0E',
- 'name': 'pkcs5PBMAC1',
- 'oid': (1, 2, 840, 113549, 1, 5, 14)},
- 'pkcs7Attribute': {'comment': 'Verisign PKI extension',
- 'description': 'pkcs7Attribute (2 16 840 1 113733 1 9)',
- 'hexoid': '06 09 60 86 48 01 86 F8 45 01 09',
- 'name': 'pkcs7Attribute',
- 'oid': (2, 16, 840, 1, 113733, 1, 9)},
- 'pkcs7PDU': {'comment': 'PKCS #9/RFC 2985 attribute',
- 'description': 'pkcs7PDU (1 2 840 113549 1 9 25 5)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 09 19 05',
- 'name': 'pkcs7PDU',
- 'oid': (1, 2, 840, 113549, 1, 9, 25, 5)},
- 'pkcs9attributes': {'comment': 'PKCS #9/RFC 2985',
- 'description': 'pkcs9attributes (1 2 840 113549 1 9 25)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 19',
- 'name': 'pkcs9attributes',
- 'oid': (1, 2, 840, 113549, 1, 9, 25)},
- 'pkcs9matchingRules': {'comment': 'PKCS #9/RFC 2985',
- 'description': 'pkcs9matchingRules (1 2 840 113549 1 9 27)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 1B',
- 'name': 'pkcs9matchingRules',
- 'oid': (1, 2, 840, 113549, 1, 9, 27)},
- 'pkcs9objectClass': {'comment': 'PKCS #9/RFC 2985',
- 'description': 'pkcs9objectClass (1 2 840 113549 1 9 24)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 18',
- 'name': 'pkcs9objectClass',
- 'oid': (1, 2, 840, 113549, 1, 9, 24)},
- 'pkcs9syntax': {'comment': 'PKCS #9/RFC 2985',
- 'description': 'pkcs9syntax (1 2 840 113549 1 9 26)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 1A',
- 'name': 'pkcs9syntax',
- 'oid': (1, 2, 840, 113549, 1, 9, 26)},
- 'pki': {'comment': 'Verisign extension',
- 'description': 'pki (2 16 840 1 113733 1)',
- 'hexoid': '06 08 60 86 48 01 86 F8 45 01',
- 'name': 'pki',
- 'oid': (2, 16, 840, 1, 113733, 1)},
- 'pkiArchiveOptions': {'comment': 'PKIX CRMF registration control',
- 'description': 'pkiArchiveOptions (1 3 6 1 5 5 7 5 1 4)',
- 'hexoid': '06 09 2B 06 01 05 05 07 05 01 04',
- 'name': 'pkiArchiveOptions',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 5, 1, 4)},
- 'pkiAttributeType': {'comment': 'Novell PKI',
- 'description': 'pkiAttributeType (2 16 840 1 113719 1 9 4)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 37 01 09 04',
- 'name': 'pkiAttributeType',
- 'oid': (2, 16, 840, 1, 113719, 1, 9, 4)},
- 'pkiBoot': {'comment': 'cryptlib attribute type',
- 'description': 'pkiBoot (1 3 6 1 4 1 3029 3 1 2)',
- 'hexoid': '06 0A 2B 06 01 04 01 97 55 03 01 02',
- 'name': 'pkiBoot',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 3, 1, 2)},
- 'pkiCA': {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'pkiCA (2 5 6 22)',
- 'hexoid': '06 03 55 06 16',
- 'name': 'pkiCA',
- 'oid': (2, 5, 6, 22)},
- 'pkiPath': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'pkiPath (2 5 4 70)',
- 'hexoid': '06 03 55 04 46',
- 'name': 'pkiPath',
- 'oid': (2, 5, 4, 70)},
- 'pkiPublicationInfo': {'comment': 'PKIX CRMF registration control',
- 'description': 'pkiPublicationInfo (1 3 6 1 5 5 7 5 1 3)',
- 'hexoid': '06 09 2B 06 01 05 05 07 05 01 03',
- 'name': 'pkiPublicationInfo',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 5, 1, 3)},
- 'pkiStatus': {'comment': 'Verisign PKCS #7 attribute',
- 'description': 'pkiStatus (2 16 840 1 113733 1 9 3)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 45 01 09 03',
- 'name': 'pkiStatus',
- 'oid': (2, 16, 840, 1, 113733, 1, 9, 3)},
- 'pkiUser': {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'pkiUser (2 5 6 21)',
- 'hexoid': '06 03 55 06 15',
- 'name': 'pkiUser',
- 'oid': (2, 5, 6, 21)},
- 'pkix': {'description': 'pkix (1 3 6 1 5 5 7)',
- 'hexoid': '06 06 2B 06 01 05 05 07',
- 'name': 'pkix',
- 'oid': (1, 3, 6, 1, 5, 5, 7)},
- 'pkixQCSyntax-v1': {'comment': 'PKIX qualified certificates',
- 'description': 'pkixQCSyntax-v1 (1 3 6 1 5 5 7 11 1)',
- 'hexoid': '06 08 2B 06 01 05 05 07 0B 01',
- 'name': 'pkixQCSyntax-v1',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 11, 1)},
- 'plProtocol': {'comment': 'Telesec module',
- 'description': 'plProtocol (0 2 262 1 10 2 4)',
- 'hexoid': '06 07 02 82 06 01 0A 02 04',
- 'name': 'plProtocol',
- 'oid': (0, 2, 262, 1, 10, 2, 4)},
- 'placeName': {'comment': 'SET field',
- 'description': 'placeName (2 23 42 2 4)',
- 'hexoid': '06 04 67 2A 02 04',
- 'name': 'placeName',
- 'oid': (2, 23, 42, 2, 4)},
- 'placeOfBirth': {'comment': 'PKIX personal data',
- 'description': 'placeOfBirth (1 3 6 1 5 5 7 9 2)',
- 'hexoid': '06 08 2B 06 01 05 05 07 09 02',
- 'name': 'placeOfBirth',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 9, 2)},
- 'plainEDImessage': {'comment': 'TMN EDI for Interactive Agents',
- 'description': 'plainEDImessage (1 3 6 1 4 1 3576 7 1)',
- 'hexoid': '06 09 2B 06 01 04 01 9B 78 07 01',
- 'name': 'plainEDImessage',
- 'oid': (1, 3, 6, 1, 4, 1, 3576, 7, 1)},
- 'policy': {'comment': 'SET',
- 'description': 'policy (2 23 42 5)',
- 'hexoid': '06 03 67 2A 05',
- 'name': 'policy',
- 'oid': (2, 23, 42, 5)},
- 'policyConstraints': {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'policyConstraints (2 5 29 36)',
- 'hexoid': '06 03 55 1D 24',
- 'name': 'policyConstraints',
- 'oid': (2, 5, 29, 36)},
- 'policyMappings': {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'policyMappings (2 5 29 33)',
- 'hexoid': '06 03 55 1D 21',
- 'name': 'policyMappings',
- 'oid': (2, 5, 29, 33)},
- 'policyQualifierIds': {'comment': 'PKIX',
- 'description': 'policyQualifierIds (1 3 6 1 5 5 7 2)',
- 'hexoid': '06 07 2B 06 01 05 05 07 02',
- 'name': 'policyQualifierIds',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 2)},
- 'postOfficeBox': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'postOfficeBox (2 5 4 18)',
- 'hexoid': '06 03 55 04 12',
- 'name': 'postOfficeBox',
- 'oid': (2, 5, 4, 18)},
- 'postalAddress': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'postalAddress (2 5 4 16)',
- 'hexoid': '06 03 55 04 10',
- 'name': 'postalAddress',
- 'oid': (2, 5, 4, 16)},
- 'postalCode': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'postalCode (2 5 4 17)',
- 'hexoid': '06 03 55 04 11',
- 'name': 'postalCode',
- 'oid': (2, 5, 4, 17)},
- 'ppBasis': {'comment': 'ANSI X9.62 field basis',
- 'description': 'ppBasis (1 2 840 10045 1 2 3 3)',
- 'hexoid': '06 09 2A 86 48 CE 3D 01 02 03 03',
- 'name': 'ppBasis',
- 'oid': (1, 2, 840, 10045, 1, 2, 3, 3)},
- 'prbacCAConstraints': {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'prbacCAConstraints (2 16 840 1 101 2 1 5 54)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 36',
- 'name': 'prbacCAConstraints',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 54)},
- 'prbacInfo': {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'prbacInfo (2 16 840 1 101 2 1 5 53)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 35',
- 'name': 'prbacInfo',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 53)},
- 'preferBinaryInside': {'comment': 'S/MIME Capability',
- 'description': 'preferBinaryInside (1 2 840 113549 1 9 16 11 1)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 0B 01',
- 'name': 'preferBinaryInside',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 11, 1)},
- 'preferSignedData': {'comment': 'sMIMECapabilities',
- 'description': 'preferSignedData (1 2 840 113549 1 9 15 1)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 09 0F 01',
- 'name': 'preferSignedData',
- 'oid': (1, 2, 840, 113549, 1, 9, 15, 1)},
- 'preferredDeliveryMehtod': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'preferredDeliveryMehtod (2 5 4 28)',
- 'hexoid': '06 03 55 04 1C',
- 'name': 'preferredDeliveryMehtod',
- 'oid': (2, 5, 4, 28)},
- 'preferredSymmAlg': {'comment': 'PKIX CMP information',
- 'description': 'preferredSymmAlg (1 3 6 1 5 5 7 4 4)',
- 'hexoid': '06 08 2B 06 01 05 05 07 04 04',
- 'name': 'preferredSymmAlg',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 4, 4)},
- 'presentationAddress': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'presentationAddress (2 5 4 29)',
- 'hexoid': '06 03 55 04 1D',
- 'name': 'presentationAddress',
- 'oid': (2, 5, 4, 29)},
- 'prime-field': {'comment': 'ANSI X9.62 field type',
- 'description': 'prime-field (1 2 840 10045 1 1)',
- 'hexoid': '06 07 2A 86 48 CE 3D 01 01',
- 'name': 'prime-field',
- 'oid': (1, 2, 840, 10045, 1, 1)},
- 'prime192v1': {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'prime192v1 (1 2 840 10045 3 1 1 1)',
- 'hexoid': '06 09 2A 86 48 CE 3D 03 01 01 01',
- 'name': 'prime192v1',
- 'oid': (1, 2, 840, 10045, 3, 1, 1, 1)},
- 'prime192v2': {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'prime192v2 (1 2 840 10045 3 1 1 2)',
- 'hexoid': '06 09 2A 86 48 CE 3D 03 01 01 02',
- 'name': 'prime192v2',
- 'oid': (1, 2, 840, 10045, 3, 1, 1, 2)},
- 'prime192v3': {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'prime192v3 (1 2 840 10045 3 1 1 3)',
- 'hexoid': '06 09 2A 86 48 CE 3D 03 01 01 03',
- 'name': 'prime192v3',
- 'oid': (1, 2, 840, 10045, 3, 1, 1, 3)},
- 'prime239v1': {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'prime239v1 (1 2 840 10045 3 1 1 4)',
- 'hexoid': '06 09 2A 86 48 CE 3D 03 01 01 04',
- 'name': 'prime239v1',
- 'oid': (1, 2, 840, 10045, 3, 1, 1, 4)},
- 'prime239v2': {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'prime239v2 (1 2 840 10045 3 1 1 5)',
- 'hexoid': '06 09 2A 86 48 CE 3D 03 01 01 05',
- 'name': 'prime239v2',
- 'oid': (1, 2, 840, 10045, 3, 1, 1, 5)},
- 'prime239v3': {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'prime239v3 (1 2 840 10045 3 1 1 6)',
- 'hexoid': '06 09 2A 86 48 CE 3D 03 01 01 06',
- 'name': 'prime239v3',
- 'oid': (1, 2, 840, 10045, 3, 1, 1, 6)},
- 'prime256v1': {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'prime256v1 (1 2 840 10045 3 1 1 7)',
- 'hexoid': '06 09 2A 86 48 CE 3D 03 01 01 07',
- 'name': 'prime256v1',
- 'oid': (1, 2, 840, 10045, 3, 1, 1, 7)},
- 'privPolicy': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'privPolicy (2 5 4 71)',
- 'hexoid': '06 03 55 04 47',
- 'name': 'privPolicy',
- 'oid': (2, 5, 4, 71)},
- 'privateExtension': {'comment': 'PKIX',
- 'description': 'privateExtension (1 3 6 1 5 5 7 1)',
- 'hexoid': '06 07 2B 06 01 05 05 07 01',
- 'name': 'privateExtension',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 1)},
- 'privateKeyUsagePeriod': {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'privateKeyUsagePeriod (2 5 29 16)',
- 'hexoid': '06 03 55 1D 10',
- 'name': 'privateKeyUsagePeriod',
- 'oid': (2, 5, 29, 16)},
- 'procuration': {'comment': 'Teletrust attribute',
- 'description': 'procuration (1 3 36 8 3 2)',
- 'hexoid': '06 05 2B 24 08 03 02',
- 'name': 'procuration',
- 'oid': (1, 3, 36, 8, 3, 2)},
- 'proofOfApproval': {'comment': 'S/MIME',
- 'description': 'proofOfApproval (1 2 840 113549 1 9 16 6 5)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 06 05',
- 'name': 'proofOfApproval',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 6, 5)},
- 'proofOfCreation': {'comment': 'S/MIME',
- 'description': 'proofOfCreation (1 2 840 113549 1 9 16 6 6)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 06 06',
- 'name': 'proofOfCreation',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 6, 6)},
- 'proofOfDelivery': {'comment': 'S/MIME',
- 'description': 'proofOfDelivery (1 2 840 113549 1 9 16 6 3)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 06 03',
- 'name': 'proofOfDelivery',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 6, 3)},
- 'proofOfOrigin': {'comment': 'S/MIME',
- 'description': 'proofOfOrigin (1 2 840 113549 1 9 16 6 1)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 06 01',
- 'name': 'proofOfOrigin',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 6, 1)},
- 'proofOfReceipt': {'comment': 'S/MIME',
- 'description': 'proofOfReceipt (1 2 840 113549 1 9 16 6 2)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 06 02',
- 'name': 'proofOfReceipt',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 6, 2)},
- 'proofOfSender': {'comment': 'S/MIME',
- 'description': 'proofOfSender (1 2 840 113549 1 9 16 6 4)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 06 04',
- 'name': 'proofOfSender',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 6, 4)},
- 'protectedPasswordAuthentication': {'comment': 'Telesec authentication',
- 'description': 'protectedPasswordAuthentication (0 2 262 1 10 1 0 2)',
- 'hexoid': '06 08 02 82 06 01 0A 01 00 02',
- 'name': 'protectedPasswordAuthentication',
- 'oid': (0, 2, 262, 1, 10, 1, 0, 2)},
- 'protocolEncrKey': {'comment': 'PKIX CRMF registration control',
- 'description': 'protocolEncrKey (1 3 6 1 5 5 7 5 1 6)',
- 'hexoid': '06 09 2B 06 01 05 05 07 05 01 06',
- 'name': 'protocolEncrKey',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 5, 1, 6)},
- 'protocolInformation': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'protocolInformation (2 5 4 48)',
- 'hexoid': '06 03 55 04 30',
- 'name': 'protocolInformation',
- 'oid': (2, 5, 4, 48)},
- 'pseudonym': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'pseudonym (2 5 4 65)',
- 'hexoid': '06 03 55 04 41',
- 'name': 'pseudonym',
- 'oid': (2, 5, 4, 65)},
- 'ptAdobeILL': {'comment': 'Teletrust presentation types',
- 'description': 'ptAdobeILL (1 3 36 8 7 1 1)',
- 'hexoid': '06 06 2B 24 08 07 01 01',
- 'name': 'ptAdobeILL',
- 'oid': (1, 3, 36, 8, 7, 1, 1)},
- 'ptAmiPro': {'comment': 'Teletrust presentation types',
- 'description': 'ptAmiPro (1 3 36 8 7 1 2)',
- 'hexoid': '06 06 2B 24 08 07 01 02',
- 'name': 'ptAmiPro',
- 'oid': (1, 3, 36, 8, 7, 1, 2)},
- 'ptAutoCAD': {'comment': 'Teletrust presentation types',
- 'description': 'ptAutoCAD (1 3 36 8 7 1 3)',
- 'hexoid': '06 06 2B 24 08 07 01 03',
- 'name': 'ptAutoCAD',
- 'oid': (1, 3, 36, 8, 7, 1, 3)},
- 'ptBMP': {'comment': 'Teletrust presentation types',
- 'description': 'ptBMP (1 3 36 8 7 1 5)',
- 'hexoid': '06 06 2B 24 08 07 01 05',
- 'name': 'ptBMP',
- 'oid': (1, 3, 36, 8, 7, 1, 5)},
- 'ptBinary': {'comment': 'Teletrust presentation types',
- 'description': 'ptBinary (1 3 36 8 7 1 4)',
- 'hexoid': '06 06 2B 24 08 07 01 04',
- 'name': 'ptBinary',
- 'oid': (1, 3, 36, 8, 7, 1, 4)},
- 'ptCGM': {'comment': 'Teletrust presentation types',
- 'description': 'ptCGM (1 3 36 8 7 1 6)',
- 'hexoid': '06 06 2B 24 08 07 01 06',
- 'name': 'ptCGM',
- 'oid': (1, 3, 36, 8, 7, 1, 6)},
- 'ptCorelCRT': {'comment': 'Teletrust presentation types',
- 'description': 'ptCorelCRT (1 3 36 8 7 1 7)',
- 'hexoid': '06 06 2B 24 08 07 01 07',
- 'name': 'ptCorelCRT',
- 'oid': (1, 3, 36, 8, 7, 1, 7)},
- 'ptCorelDRW': {'comment': 'Teletrust presentation types',
- 'description': 'ptCorelDRW (1 3 36 8 7 1 8)',
- 'hexoid': '06 06 2B 24 08 07 01 08',
- 'name': 'ptCorelDRW',
- 'oid': (1, 3, 36, 8, 7, 1, 8)},
- 'ptCorelEXC': {'comment': 'Teletrust presentation types',
- 'description': 'ptCorelEXC (1 3 36 8 7 1 9)',
- 'hexoid': '06 06 2B 24 08 07 01 09',
- 'name': 'ptCorelEXC',
- 'oid': (1, 3, 36, 8, 7, 1, 9)},
- 'ptCorelPHT': {'comment': 'Teletrust presentation types',
- 'description': 'ptCorelPHT (1 3 36 8 7 1 10)',
- 'hexoid': '06 06 2B 24 08 07 01 0A',
- 'name': 'ptCorelPHT',
- 'oid': (1, 3, 36, 8, 7, 1, 10)},
- 'ptDVI': {'comment': 'Teletrust presentation types',
- 'description': 'ptDVI (1 3 36 8 7 1 12)',
- 'hexoid': '06 06 2B 24 08 07 01 0C',
- 'name': 'ptDVI',
- 'oid': (1, 3, 36, 8, 7, 1, 12)},
- 'ptDraw': {'comment': 'Teletrust presentation types',
- 'description': 'ptDraw (1 3 36 8 7 1 11)',
- 'hexoid': '06 06 2B 24 08 07 01 0B',
- 'name': 'ptDraw',
- 'oid': (1, 3, 36, 8, 7, 1, 11)},
- 'ptEPS': {'comment': 'Teletrust presentation types',
- 'description': 'ptEPS (1 3 36 8 7 1 13)',
- 'hexoid': '06 06 2B 24 08 07 01 0D',
- 'name': 'ptEPS',
- 'oid': (1, 3, 36, 8, 7, 1, 13)},
- 'ptExcel': {'comment': 'Teletrust presentation types',
- 'description': 'ptExcel (1 3 36 8 7 1 14)',
- 'hexoid': '06 06 2B 24 08 07 01 0E',
- 'name': 'ptExcel',
- 'oid': (1, 3, 36, 8, 7, 1, 14)},
- 'ptGEM': {'comment': 'Teletrust presentation types',
- 'description': 'ptGEM (1 3 36 8 7 1 15)',
- 'hexoid': '06 06 2B 24 08 07 01 0F',
- 'name': 'ptGEM',
- 'oid': (1, 3, 36, 8, 7, 1, 15)},
- 'ptGIF': {'comment': 'Teletrust presentation types',
- 'description': 'ptGIF (1 3 36 8 7 1 16)',
- 'hexoid': '06 06 2B 24 08 07 01 10',
- 'name': 'ptGIF',
- 'oid': (1, 3, 36, 8, 7, 1, 16)},
- 'ptHPGL': {'comment': 'Teletrust presentation types',
- 'description': 'ptHPGL (1 3 36 8 7 1 17)',
- 'hexoid': '06 06 2B 24 08 07 01 11',
- 'name': 'ptHPGL',
- 'oid': (1, 3, 36, 8, 7, 1, 17)},
- 'ptJPEG': {'comment': 'Teletrust presentation types',
- 'description': 'ptJPEG (1 3 36 8 7 1 18)',
- 'hexoid': '06 06 2B 24 08 07 01 12',
- 'name': 'ptJPEG',
- 'oid': (1, 3, 36, 8, 7, 1, 18)},
- 'ptKodak': {'comment': 'Teletrust presentation types',
- 'description': 'ptKodak (1 3 36 8 7 1 19)',
- 'hexoid': '06 06 2B 24 08 07 01 13',
- 'name': 'ptKodak',
- 'oid': (1, 3, 36, 8, 7, 1, 19)},
- 'ptLaTeX': {'comment': 'Teletrust presentation types',
- 'description': 'ptLaTeX (1 3 36 8 7 1 20)',
- 'hexoid': '06 06 2B 24 08 07 01 14',
- 'name': 'ptLaTeX',
- 'oid': (1, 3, 36, 8, 7, 1, 20)},
- 'ptLotus': {'comment': 'Teletrust presentation types',
- 'description': 'ptLotus (1 3 36 8 7 1 21)',
- 'hexoid': '06 06 2B 24 08 07 01 15',
- 'name': 'ptLotus',
- 'oid': (1, 3, 36, 8, 7, 1, 21)},
- 'ptLotusPIC': {'comment': 'Teletrust presentation types',
- 'description': 'ptLotusPIC (1 3 36 8 7 1 22)',
- 'hexoid': '06 06 2B 24 08 07 01 16',
- 'name': 'ptLotusPIC',
- 'oid': (1, 3, 36, 8, 7, 1, 22)},
- 'ptMSWfD': {'comment': 'Teletrust presentation types',
- 'description': 'ptMSWfD (1 3 36 8 7 1 25)',
- 'hexoid': '06 06 2B 24 08 07 01 19',
- 'name': 'ptMSWfD',
- 'oid': (1, 3, 36, 8, 7, 1, 25)},
- 'ptMSWord': {'comment': 'Teletrust presentation types',
- 'description': 'ptMSWord (1 3 36 8 7 1 26)',
- 'hexoid': '06 06 2B 24 08 07 01 1A',
- 'name': 'ptMSWord',
- 'oid': (1, 3, 36, 8, 7, 1, 26)},
- 'ptMSWord2': {'comment': 'Teletrust presentation types',
- 'description': 'ptMSWord2 (1 3 36 8 7 1 27)',
- 'hexoid': '06 06 2B 24 08 07 01 1B',
- 'name': 'ptMSWord2',
- 'oid': (1, 3, 36, 8, 7, 1, 27)},
- 'ptMSWord6': {'comment': 'Teletrust presentation types',
- 'description': 'ptMSWord6 (1 3 36 8 7 1 28)',
- 'hexoid': '06 06 2B 24 08 07 01 1C',
- 'name': 'ptMSWord6',
- 'oid': (1, 3, 36, 8, 7, 1, 28)},
- 'ptMSWord8': {'comment': 'Teletrust presentation types',
- 'description': 'ptMSWord8 (1 3 36 8 7 1 29)',
- 'hexoid': '06 06 2B 24 08 07 01 1D',
- 'name': 'ptMSWord8',
- 'oid': (1, 3, 36, 8, 7, 1, 29)},
- 'ptMacPICT': {'comment': 'Teletrust presentation types',
- 'description': 'ptMacPICT (1 3 36 8 7 1 23)',
- 'hexoid': '06 06 2B 24 08 07 01 17',
- 'name': 'ptMacPICT',
- 'oid': (1, 3, 36, 8, 7, 1, 23)},
- 'ptMacWord': {'comment': 'Teletrust presentation types',
- 'description': 'ptMacWord (1 3 36 8 7 1 24)',
- 'hexoid': '06 06 2B 24 08 07 01 18',
- 'name': 'ptMacWord',
- 'oid': (1, 3, 36, 8, 7, 1, 24)},
- 'ptPDF': {'comment': 'Teletrust presentation types',
- 'description': 'ptPDF (1 3 36 8 7 1 30)',
- 'hexoid': '06 06 2B 24 08 07 01 1E',
- 'name': 'ptPDF',
- 'oid': (1, 3, 36, 8, 7, 1, 30)},
- 'ptPIF': {'comment': 'Teletrust presentation types',
- 'description': 'ptPIF (1 3 36 8 7 1 31)',
- 'hexoid': '06 06 2B 24 08 07 01 1F',
- 'name': 'ptPIF',
- 'oid': (1, 3, 36, 8, 7, 1, 31)},
- 'ptPostscript': {'comment': 'Teletrust presentation types',
- 'description': 'ptPostscript (1 3 36 8 7 1 32)',
- 'hexoid': '06 06 2B 24 08 07 01 20',
- 'name': 'ptPostscript',
- 'oid': (1, 3, 36, 8, 7, 1, 32)},
- 'ptRTF': {'comment': 'Teletrust presentation types',
- 'description': 'ptRTF (1 3 36 8 7 1 33)',
- 'hexoid': '06 06 2B 24 08 07 01 21',
- 'name': 'ptRTF',
- 'oid': (1, 3, 36, 8, 7, 1, 33)},
- 'ptSCITEX': {'comment': 'Teletrust presentation types',
- 'description': 'ptSCITEX (1 3 36 8 7 1 34)',
- 'hexoid': '06 06 2B 24 08 07 01 22',
- 'name': 'ptSCITEX',
- 'oid': (1, 3, 36, 8, 7, 1, 34)},
- 'ptTAR': {'comment': 'Teletrust presentation types',
- 'description': 'ptTAR (1 3 36 8 7 1 35)',
- 'hexoid': '06 06 2B 24 08 07 01 23',
- 'name': 'ptTAR',
- 'oid': (1, 3, 36, 8, 7, 1, 35)},
- 'ptTIFF': {'comment': 'Teletrust presentation types',
- 'description': 'ptTIFF (1 3 36 8 7 1 39)',
- 'hexoid': '06 06 2B 24 08 07 01 27',
- 'name': 'ptTIFF',
- 'oid': (1, 3, 36, 8, 7, 1, 39)},
- 'ptTIFF-FC': {'comment': 'Teletrust presentation types',
- 'description': 'ptTIFF-FC (1 3 36 8 7 1 40)',
- 'hexoid': '06 06 2B 24 08 07 01 28',
- 'name': 'ptTIFF-FC',
- 'oid': (1, 3, 36, 8, 7, 1, 40)},
- 'ptTarga': {'comment': 'Teletrust presentation types',
- 'description': 'ptTarga (1 3 36 8 7 1 36)',
- 'hexoid': '06 06 2B 24 08 07 01 24',
- 'name': 'ptTarga',
- 'oid': (1, 3, 36, 8, 7, 1, 36)},
- 'ptTeX': {'comment': 'Teletrust presentation types',
- 'description': 'ptTeX (1 3 36 8 7 1 37)',
- 'hexoid': '06 06 2B 24 08 07 01 25',
- 'name': 'ptTeX',
- 'oid': (1, 3, 36, 8, 7, 1, 37)},
- 'ptText': {'comment': 'Teletrust presentation types',
- 'description': 'ptText (1 3 36 8 7 1 38)',
- 'hexoid': '06 06 2B 24 08 07 01 26',
- 'name': 'ptText',
- 'oid': (1, 3, 36, 8, 7, 1, 38)},
- 'ptUID': {'comment': 'Teletrust presentation types',
- 'description': 'ptUID (1 3 36 8 7 1 41)',
- 'hexoid': '06 06 2B 24 08 07 01 29',
- 'name': 'ptUID',
- 'oid': (1, 3, 36, 8, 7, 1, 41)},
- 'ptUUEncode': {'comment': 'Teletrust presentation types',
- 'description': 'ptUUEncode (1 3 36 8 7 1 42)',
- 'hexoid': '06 06 2B 24 08 07 01 2A',
- 'name': 'ptUUEncode',
- 'oid': (1, 3, 36, 8, 7, 1, 42)},
- 'ptWMF': {'comment': 'Teletrust presentation types',
- 'description': 'ptWMF (1 3 36 8 7 1 43)',
- 'hexoid': '06 06 2B 24 08 07 01 2B',
- 'name': 'ptWMF',
- 'oid': (1, 3, 36, 8, 7, 1, 43)},
- 'ptWPGrph': {'comment': 'Teletrust presentation types',
- 'description': 'ptWPGrph (1 3 36 8 7 1 45)',
- 'hexoid': '06 06 2B 24 08 07 01 2D',
- 'name': 'ptWPGrph',
- 'oid': (1, 3, 36, 8, 7, 1, 45)},
- 'ptWordPerfect': {'comment': 'Teletrust presentation types',
- 'description': 'ptWordPerfect (1 3 36 8 7 1 44)',
- 'hexoid': '06 06 2B 24 08 07 01 2C',
- 'name': 'ptWordPerfect',
- 'oid': (1, 3, 36, 8, 7, 1, 44)},
- 'publicKeyDirectory': {'comment': 'Telesec attribute',
- 'description': 'publicKeyDirectory (0 2 262 1 10 7 8)',
- 'hexoid': '06 07 02 82 06 01 0A 07 08',
- 'name': 'publicKeyDirectory',
- 'oid': (0, 2, 262, 1, 10, 7, 8)},
- 'publicKeyType': {'comment': 'ANSI X9.62',
- 'description': 'publicKeyType (1 2 840 10045 2)',
- 'hexoid': '06 06 2A 86 48 CE 3D 02',
- 'name': 'publicKeyType',
- 'oid': (1, 2, 840, 10045, 2)},
- 'publishCert': {'comment': 'S/MIME Content Types',
- 'description': 'publishCert (1 2 840 113549 1 9 16 1 3)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 01 03',
- 'name': 'publishCert',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 1, 3)},
- 'pwri-KEK': {'comment': 'S/MIME Algorithms',
- 'description': 'pwri-KEK (1 2 840 113549 1 9 16 3 9)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 03 09',
- 'name': 'pwri-KEK',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 3, 9)},
- 'qcStatements': {'comment': 'PKIX private extension',
- 'description': 'qcStatements (1 3 6 1 5 5 7 1 3)',
- 'hexoid': '06 08 2B 06 01 05 05 07 01 03',
- 'name': 'qcStatements',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 1, 3)},
- 'randomNonce': {'comment': 'PKCS #9/RFC 2985 attribute',
- 'description': 'randomNonce (1 2 840 113549 1 9 25 3)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 09 19 03',
- 'name': 'randomNonce',
- 'oid': (1, 2, 840, 113549, 1, 9, 25, 3)},
- 'rc2BSafe1Cbc': {'comment': 'Novell encryption algorithm',
- 'description': 'rc2BSafe1Cbc (2 16 840 1 113719 1 2 8 92)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 5C',
- 'name': 'rc2BSafe1Cbc',
- 'oid': (2, 16, 840, 1, 113719, 1, 2, 8, 92)},
- 'rc2CBC': {'comment': 'RSADSI encryptionAlgorithm',
- 'description': 'rc2CBC (1 2 840 113549 3 2)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 03 02',
- 'name': 'rc2CBC',
- 'oid': (1, 2, 840, 113549, 3, 2)},
- 'rc2CbcPad': {'comment': 'Novell encryption algorithm',
- 'description': 'rc2CbcPad (2 16 840 1 113719 1 2 8 69)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 45',
- 'name': 'rc2CbcPad',
- 'oid': (2, 16, 840, 1, 113719, 1, 2, 8, 69)},
- 'rc2ECB': {'comment': 'RSADSI encryptionAlgorithm',
- 'description': 'rc2ECB (1 2 840 113549 3 3)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 03 03',
- 'name': 'rc2ECB',
- 'oid': (1, 2, 840, 113549, 3, 3)},
- 'rc4': {'comment': 'RSADSI encryptionAlgorithm',
- 'description': 'rc4 (1 2 840 113549 3 4)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 03 04',
- 'name': 'rc4',
- 'oid': (1, 2, 840, 113549, 3, 4)},
- 'rc4WithMAC': {'comment': 'RSADSI encryptionAlgorithm',
- 'description': 'rc4WithMAC (1 2 840 113549 3 5)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 03 05',
- 'name': 'rc4WithMAC',
- 'oid': (1, 2, 840, 113549, 3, 5)},
- 'rc5-CBCPad': {'comment': 'RSADSI encryptionAlgorithm',
- 'description': 'rc5-CBCPad (1 2 840 113549 3 9)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 03 09',
- 'name': 'rc5-CBCPad',
- 'oid': (1, 2, 840, 113549, 3, 9)},
- 'rc5CBC': {'comment': 'RSADSI encryptionAlgorithm',
- 'description': 'rc5CBC (1 2 840 113549 3 8)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 03 08',
- 'name': 'rc5CBC',
- 'oid': (1, 2, 840, 113549, 3, 8)},
- 'rc5CbcPad': {'comment': 'Novell encryption algorithm',
- 'description': 'rc5CbcPad (2 16 840 1 113719 1 2 8 28)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 1C',
- 'name': 'rc5CbcPad',
- 'oid': (2, 16, 840, 1, 113719, 1, 2, 8, 28)},
- 'receipt': {'comment': 'S/MIME Content Types',
- 'description': 'receipt (1 2 840 113549 1 9 16 1 1)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 01 01',
- 'name': 'receipt',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 1, 1)},
- 'receiptRequest': {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'receiptRequest (1 2 840 113549 1 9 16 2 1)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 01',
- 'name': 'receiptRequest',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 2, 1)},
- 'rechtWirtschaftSteuern': {'comment': 'Teletrust naming authorities',
- 'description': 'rechtWirtschaftSteuern (1 3 36 8 3 11 1)',
- 'hexoid': '06 06 2B 24 08 03 0B 01',
- 'name': 'rechtWirtschaftSteuern',
- 'oid': (1, 3, 36, 8, 3, 11, 1)},
- 'rechtsBeistand': {'comment': 'Teletrust ProfessionInfo',
- 'description': 'rechtsBeistand (1 3 36 8 3 11 1 3)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 03',
- 'name': 'rechtsBeistand',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 3)},
- 'rechtsanwaeltin': {'comment': 'Teletrust ProfessionInfo',
- 'description': 'rechtsanwaeltin (1 3 36 8 3 11 1 1)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 01',
- 'name': 'rechtsanwaeltin',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 1)},
- 'rechtsanwalt': {'comment': 'Teletrust ProfessionInfo',
- 'description': 'rechtsanwalt (1 3 36 8 3 11 1 2)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 02',
- 'name': 'rechtsanwalt',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 2)},
- 'recipientNonce': {'comment': 'Verisign PKCS #7 attribute',
- 'description': 'recipientNonce (2 16 840 1 113733 1 9 6)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 45 01 09 06',
- 'name': 'recipientNonce',
- 'oid': (2, 16, 840, 1, 113733, 1, 9, 6)},
- 'reedSolomon': {'comment': 'Telesec mechanism',
- 'description': 'reedSolomon (0 2 262 1 10 1 4 1)',
- 'hexoid': '06 08 02 82 06 01 0A 01 04 01',
- 'name': 'reedSolomon',
- 'oid': (0, 2, 262, 1, 10, 1, 4, 1)},
- 'regCtrl': {'comment': 'PKIX CRMF registration',
- 'description': 'regCtrl (1 3 6 1 5 5 7 5 1)',
- 'hexoid': '06 08 2B 06 01 05 05 07 05 01',
- 'name': 'regCtrl',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 5, 1)},
- 'regToken': {'comment': 'PKIX CRMF registration control',
- 'description': 'regToken (1 3 6 1 5 5 7 5 1 1)',
- 'hexoid': '06 09 2B 06 01 05 05 07 05 01 01',
- 'name': 'regToken',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 5, 1, 1)},
- 'registeredAddress': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'registeredAddress (2 5 4 26)',
- 'hexoid': '06 03 55 04 1A',
- 'name': 'registeredAddress',
- 'oid': (2, 5, 4, 26)},
- 'reject': {'comment': 'ANSI X9.57 hold instruction',
- 'description': 'reject (1 2 840 10040 2 3)',
- 'hexoid': '06 07 2A 86 48 CE 38 02 03',
- 'name': 'reject',
- 'oid': (1, 2, 840, 10040, 2, 3)},
- 'relianceLimit': {'comment': 'Novell PKI attribute type',
- 'description': 'relianceLimit (2 16 840 1 113719 1 9 4 2)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 09 04 02',
- 'name': 'relianceLimit',
- 'oid': (2, 16, 840, 1, 113719, 1, 9, 4, 2)},
- 'renewalCertificate': {'comment': 'Microsoft attribute',
- 'description': 'renewalCertificate (1 3 6 1 4 1 311 13 1)',
- 'hexoid': '06 09 2B 06 01 04 01 82 37 0D 01',
- 'name': 'renewalCertificate',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 13, 1)},
- 'requestClientInfo': {'comment': 'Microsoft attribute',
- 'description': 'requestClientInfo (1 3 6 1 4 1 311 21 20)',
- 'hexoid': '06 09 2B 06 01 04 01 82 37 15 14',
- 'name': 'requestClientInfo',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 21, 20)},
- 'requestedCertificate': {'comment': 'Teletrust attribute',
- 'description': 'requestedCertificate (1 3 36 8 3 10)',
- 'hexoid': '06 05 2B 24 08 03 0A',
- 'name': 'requestedCertificate',
- 'oid': (1, 3, 36, 8, 3, 10)},
- 'residentialPerson': {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'residentialPerson (2 5 6 10)',
- 'hexoid': '06 03 55 06 0A',
- 'name': 'residentialPerson',
- 'oid': (2, 5, 6, 10)},
- 'restriction': {'comment': 'Teletrust attribute certificate attribute',
- 'description': 'restriction (1 3 36 8 4 8)',
- 'hexoid': '06 05 2B 24 08 04 08',
- 'name': 'restriction',
- 'oid': (1, 3, 36, 8, 4, 8)},
- 'retrieveIfAllowed': {'comment': 'Teletrust attribute',
- 'description': 'retrieveIfAllowed (1 3 36 8 3 9)',
- 'hexoid': '06 05 2B 24 08 03 09',
- 'name': 'retrieveIfAllowed',
- 'oid': (1, 3, 36, 8, 3, 9)},
- 'revPassphrase': {'comment': 'PKIX CMP information',
- 'description': 'revPassphrase (1 3 6 1 5 5 7 4 12)',
- 'hexoid': '06 08 2B 06 01 05 05 07 04 0C',
- 'name': 'revPassphrase',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 4, 12)},
- 'reviewSig': {'comment': 'S/MIME Signature Type Identifier',
- 'description': 'reviewSig (1 2 840 113549 1 9 16 9 4)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 09 04',
- 'name': 'reviewSig',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 9, 4)},
- 'revision': {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'revision (1 2 840 113556 1 4 145)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 81 11',
- 'name': 'revision',
- 'oid': (1, 2, 840, 113556, 1, 4, 145)},
- 'revocationFlag': {'comment': 'Telesec attribute',
- 'description': 'revocationFlag (0 2 262 1 10 7 34)',
- 'hexoid': '06 07 02 82 06 01 0A 07 22',
- 'name': 'revocationFlag',
- 'oid': (0, 2, 262, 1, 10, 7, 34)},
- 'revocationRefs': {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'revocationRefs (1 2 840 113549 1 9 16 2 22)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 16',
- 'name': 'revocationRefs',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 2, 22)},
- 'revocationValues': {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'revocationValues (1 2 840 113549 1 9 16 2 24)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 18',
- 'name': 'revocationValues',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 2, 24)},
- 'rfc822Mailbox': {'comment': 'Some oddball X.500 attribute collection',
- 'description': 'rfc822Mailbox (0 9 2342 19200300 100 1 3)',
- 'hexoid': '06 0A 09 92 26 89 93 F2 2C 64 01 03',
- 'name': 'rfc822Mailbox',
- 'oid': (0, 9, 2342, 19200300, 100, 1, 3)},
- 'rfc822MessageFormat': {'comment': 'SDN.700 INFOSEC format',
- 'description': 'rfc822MessageFormat (2 16 840 1 101 2 1 2 1)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 02 01',
- 'name': 'rfc822MessageFormat',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 2, 1)},
- 'ripemd128': {'comment': 'Teletrust hash algorithm',
- 'description': 'ripemd128 (1 3 36 3 2 2)',
- 'hexoid': '06 05 2B 24 03 02 02',
- 'name': 'ripemd128',
- 'oid': (1, 3, 36, 3, 2, 2)},
- 'ripemd160': {'comment': 'Teletrust hash algorithm',
- 'description': 'ripemd160 (1 3 36 3 2 1)',
- 'hexoid': '06 05 2B 24 03 02 01',
- 'name': 'ripemd160',
- 'oid': (1, 3, 36, 3, 2, 1)},
- 'ripemd160WithRSAAndTelekomSignatureStandard': {'comment': 'Telesec mechanism',
- 'description': 'ripemd160WithRSAAndTelekomSignatureStandard (0 2 262 1 10 1 1 5)',
- 'hexoid': '06 08 02 82 06 01 0A 01 01 05',
- 'name': 'ripemd160WithRSAAndTelekomSignatureStandard',
- 'oid': (0,
- 2,
- 262,
- 1,
- 10,
- 1,
- 1,
- 5)},
- 'ripemd256': {'comment': 'Teletrust hash algorithm',
- 'description': 'ripemd256 (1 3 36 3 2 3)',
- 'hexoid': '06 05 2B 24 03 02 03',
- 'name': 'ripemd256',
- 'oid': (1, 3, 36, 3, 2, 3)},
- 'rolUnicoNacional': {'comment': 'Chilean Government national unique roll number',
- 'description': 'rolUnicoNacional (1 3 6 1 4 1 8231 1)',
- 'hexoid': '06 08 2B 06 01 04 01 C0 27 01',
- 'name': 'rolUnicoNacional',
- 'oid': (1, 3, 6, 1, 4, 1, 8231, 1)},
- 'role': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'role (2 5 4 72)',
- 'hexoid': '06 03 55 04 48',
- 'name': 'role',
- 'oid': (2, 5, 4, 72)},
- 'roleOccupant': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'roleOccupant (2 5 4 33)',
- 'hexoid': '06 03 55 04 21',
- 'name': 'roleOccupant',
- 'oid': (2, 5, 4, 33)},
- 'root': {'comment': 'SET policy',
- 'description': 'root (2 23 42 5 0)',
- 'hexoid': '06 04 67 2A 05 00',
- 'name': 'root',
- 'oid': (2, 23, 42, 5, 0)},
- 'rootKeyThumb': {'comment': 'SET cert attribute',
- 'description': 'rootKeyThumb (2 23 42 3 0 0)',
- 'hexoid': '06 05 67 2A 03 00 00',
- 'name': 'rootKeyThumb',
- 'oid': (2, 23, 42, 3, 0, 0)},
- 'rsa': {'comment': 'X.509. Unsure about this OID',
- 'description': 'rsa (1 3 14 3 2 1 1)',
- 'hexoid': '06 06 2B 0E 03 02 01 01',
- 'name': 'rsa',
- 'oid': (1, 3, 14, 3, 2, 1, 1)},
- 'rsaEncryption': {'comment': 'Teletrust encryption algorithm',
- 'description': 'rsaEncryption (1 3 36 3 1 4)',
- 'hexoid': '06 05 2B 24 03 01 04',
- 'name': 'rsaEncryption',
- 'oid': (1, 3, 36, 3, 1, 4)},
- 'rsaEncryptionBsafe1': {'comment': 'Novell encryption algorithm',
- 'description': 'rsaEncryptionBsafe1 (2 16 840 1 113719 1 2 8 131)',
- 'hexoid': '06 0C 60 86 48 01 86 F8 37 01 02 08 81 03',
- 'name': 'rsaEncryptionBsafe1',
- 'oid': (2, 16, 840, 1, 113719, 1, 2, 8, 131)},
- 'rsaEncryptionWithlmod512expe17': {'comment': 'Teletrust encryption algorithm',
- 'description': 'rsaEncryptionWithlmod512expe17 (1 3 36 3 1 4 512 17)',
- 'hexoid': '06 08 2B 24 03 01 04 84 00 11',
- 'name': 'rsaEncryptionWithlmod512expe17',
- 'oid': (1, 3, 36, 3, 1, 4, 512, 17)},
- 'rsaIndicateRIPEMD160': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaIndicateRIPEMD160 (1 3 36 8 5 1 1 2)',
- 'hexoid': '06 07 2B 24 08 05 01 01 02',
- 'name': 'rsaIndicateRIPEMD160',
- 'oid': (1, 3, 36, 8, 5, 1, 1, 2)},
- 'rsaIndicateSHA1': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaIndicateSHA1 (1 3 36 8 5 1 1 1)',
- 'hexoid': '06 07 2B 24 08 05 01 01 01',
- 'name': 'rsaIndicateSHA1',
- 'oid': (1, 3, 36, 8, 5, 1, 1, 1)},
- 'rsaKeyTransport': {'comment': 'Oddball OIW OID',
- 'description': 'rsaKeyTransport (1 3 14 3 2 22)',
- 'hexoid': '06 05 2B 0E 03 02 16',
- 'name': 'rsaKeyTransport',
- 'oid': (1, 3, 14, 3, 2, 22)},
- 'rsaOAEP': {'comment': 'PKCS #1',
- 'description': 'rsaOAEP (1 2 840 113549 1 1 7)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 01 07',
- 'name': 'rsaOAEP',
- 'oid': (1, 2, 840, 113549, 1, 1, 7)},
- 'rsaOAEP-pSpecified': {'comment': 'PKCS #1',
- 'description': 'rsaOAEP-pSpecified (1 2 840 113549 1 1 9)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 01 09',
- 'name': 'rsaOAEP-pSpecified',
- 'oid': (1, 2, 840, 113549, 1, 1, 9)},
- 'rsaOAEPEncryptionSET': {'comment': 'PKCS #1. This OID may also be assigned as ripemd160WithRSAEncryption',
- 'description': 'rsaOAEPEncryptionSET (1 2 840 113549 1 1 6)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 01 06',
- 'name': 'rsaOAEPEncryptionSET',
- 'oid': (1, 2, 840, 113549, 1, 1, 6)},
- 'rsaPSS': {'comment': 'PKCS #1',
- 'description': 'rsaPSS (1 2 840 113549 1 1 10)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 01 0A',
- 'name': 'rsaPSS',
- 'oid': (1, 2, 840, 113549, 1, 1, 10)},
- 'rsaSignature': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignature (1 3 36 3 3 1)',
- 'hexoid': '06 05 2B 24 03 03 01',
- 'name': 'rsaSignature',
- 'oid': (1, 3, 36, 3, 3, 1)},
- 'rsaSignatureWithrimpemd128': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithrimpemd128 (1 3 36 3 3 1 3)',
- 'hexoid': '06 06 2B 24 03 03 01 03',
- 'name': 'rsaSignatureWithrimpemd128',
- 'oid': (1, 3, 36, 3, 3, 1, 3)},
- 'rsaSignatureWithrimpemd256': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithrimpemd256 (1 3 36 3 3 1 4)',
- 'hexoid': '06 06 2B 24 03 03 01 04',
- 'name': 'rsaSignatureWithrimpemd256',
- 'oid': (1, 3, 36, 3, 3, 1, 4)},
- 'rsaSignatureWithripemd160': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160 (1 3 36 3 3 1 2)',
- 'hexoid': '06 06 2B 24 03 03 01 02',
- 'name': 'rsaSignatureWithripemd160',
- 'oid': (1, 3, 36, 3, 3, 1, 2)},
- 'rsaSignatureWithripemd160_l1024_l11': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l1024_l11 (1 3 36 3 3 1 2 1024 11)',
- 'hexoid': '06 09 2B 24 03 03 01 02 88 00 0B',
- 'name': 'rsaSignatureWithripemd160_l1024_l11',
- 'oid': (1,
- 3,
- 36,
- 3,
- 3,
- 1,
- 2,
- 1024,
- 11)},
- 'rsaSignatureWithripemd160_l1024_l2': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l1024_l2 (1 3 36 3 3 1 2 1024 2)',
- 'hexoid': '06 09 2B 24 03 03 01 02 88 00 02',
- 'name': 'rsaSignatureWithripemd160_l1024_l2',
- 'oid': (1,
- 3,
- 36,
- 3,
- 3,
- 1,
- 2,
- 1024,
- 2)},
- 'rsaSignatureWithripemd160_l1024_l3': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l1024_l3 (1 3 36 3 3 1 2 1024 3)',
- 'hexoid': '06 09 2B 24 03 03 01 02 88 00 03',
- 'name': 'rsaSignatureWithripemd160_l1024_l3',
- 'oid': (1,
- 3,
- 36,
- 3,
- 3,
- 1,
- 2,
- 1024,
- 3)},
- 'rsaSignatureWithripemd160_l1024_l5': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l1024_l5 (1 3 36 3 3 1 2 1024 5)',
- 'hexoid': '06 09 2B 24 03 03 01 02 88 00 05',
- 'name': 'rsaSignatureWithripemd160_l1024_l5',
- 'oid': (1,
- 3,
- 36,
- 3,
- 3,
- 1,
- 2,
- 1024,
- 5)},
- 'rsaSignatureWithripemd160_l1024_l9': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l1024_l9 (1 3 36 3 3 1 2 1024 9)',
- 'hexoid': '06 09 2B 24 03 03 01 02 88 00 09',
- 'name': 'rsaSignatureWithripemd160_l1024_l9',
- 'oid': (1,
- 3,
- 36,
- 3,
- 3,
- 1,
- 2,
- 1024,
- 9)},
- 'rsaSignatureWithripemd160_l512_l11': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l512_l11 (1 3 36 3 3 1 2 512 11)',
- 'hexoid': '06 09 2B 24 03 03 01 02 84 00 0B',
- 'name': 'rsaSignatureWithripemd160_l512_l11',
- 'oid': (1,
- 3,
- 36,
- 3,
- 3,
- 1,
- 2,
- 512,
- 11)},
- 'rsaSignatureWithripemd160_l512_l2': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l512_l2 (1 3 36 3 3 1 2 512 2)',
- 'hexoid': '06 09 2B 24 03 03 01 02 84 00 02',
- 'name': 'rsaSignatureWithripemd160_l512_l2',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 512, 2)},
- 'rsaSignatureWithripemd160_l512_l3': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l512_l3 (1 3 36 3 3 1 2 512 3)',
- 'hexoid': '06 09 2B 24 03 03 01 02 84 00 03',
- 'name': 'rsaSignatureWithripemd160_l512_l3',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 512, 3)},
- 'rsaSignatureWithripemd160_l512_l5': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l512_l5 (1 3 36 3 3 1 2 512 5)',
- 'hexoid': '06 09 2B 24 03 03 01 02 84 00 05',
- 'name': 'rsaSignatureWithripemd160_l512_l5',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 512, 5)},
- 'rsaSignatureWithripemd160_l512_l9': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l512_l9 (1 3 36 3 3 1 2 512 9)',
- 'hexoid': '06 09 2B 24 03 03 01 02 84 00 09',
- 'name': 'rsaSignatureWithripemd160_l512_l9',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 512, 9)},
- 'rsaSignatureWithripemd160_l640_l11': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l640_l11 (1 3 36 3 3 1 2 640 11)',
- 'hexoid': '06 09 2B 24 03 03 01 02 85 00 0B',
- 'name': 'rsaSignatureWithripemd160_l640_l11',
- 'oid': (1,
- 3,
- 36,
- 3,
- 3,
- 1,
- 2,
- 640,
- 11)},
- 'rsaSignatureWithripemd160_l640_l2': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l640_l2 (1 3 36 3 3 1 2 640 2)',
- 'hexoid': '06 09 2B 24 03 03 01 02 85 00 02',
- 'name': 'rsaSignatureWithripemd160_l640_l2',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 640, 2)},
- 'rsaSignatureWithripemd160_l640_l3': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l640_l3 (1 3 36 3 3 1 2 640 3)',
- 'hexoid': '06 09 2B 24 03 03 01 02 85 00 03',
- 'name': 'rsaSignatureWithripemd160_l640_l3',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 640, 3)},
- 'rsaSignatureWithripemd160_l640_l5': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l640_l5 (1 3 36 3 3 1 2 640 5)',
- 'hexoid': '06 09 2B 24 03 03 01 02 85 00 05',
- 'name': 'rsaSignatureWithripemd160_l640_l5',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 640, 5)},
- 'rsaSignatureWithripemd160_l640_l9': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l640_l9 (1 3 36 3 3 1 2 640 9)',
- 'hexoid': '06 09 2B 24 03 03 01 02 85 00 09',
- 'name': 'rsaSignatureWithripemd160_l640_l9',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 640, 9)},
- 'rsaSignatureWithripemd160_l768_l11': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l768_l11 (1 3 36 3 3 1 2 768 11)',
- 'hexoid': '06 09 2B 24 03 03 01 02 86 00 0B',
- 'name': 'rsaSignatureWithripemd160_l768_l11',
- 'oid': (1,
- 3,
- 36,
- 3,
- 3,
- 1,
- 2,
- 768,
- 11)},
- 'rsaSignatureWithripemd160_l768_l2': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l768_l2 (1 3 36 3 3 1 2 768 2)',
- 'hexoid': '06 09 2B 24 03 03 01 02 86 00 02',
- 'name': 'rsaSignatureWithripemd160_l768_l2',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 768, 2)},
- 'rsaSignatureWithripemd160_l768_l3': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l768_l3 (1 3 36 3 3 1 2 768 3)',
- 'hexoid': '06 09 2B 24 03 03 01 02 86 00 03',
- 'name': 'rsaSignatureWithripemd160_l768_l3',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 768, 3)},
- 'rsaSignatureWithripemd160_l768_l5': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l768_l5 (1 3 36 3 3 1 2 768 5)',
- 'hexoid': '06 09 2B 24 03 03 01 02 86 00 05',
- 'name': 'rsaSignatureWithripemd160_l768_l5',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 768, 5)},
- 'rsaSignatureWithripemd160_l768_l9': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l768_l9 (1 3 36 3 3 1 2 768 9)',
- 'hexoid': '06 09 2B 24 03 03 01 02 86 00 09',
- 'name': 'rsaSignatureWithripemd160_l768_l9',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 768, 9)},
- 'rsaSignatureWithripemd160_l896_l11': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l896_l11 (1 3 36 3 3 1 2 896 11)',
- 'hexoid': '06 09 2B 24 03 03 01 02 87 00 0B',
- 'name': 'rsaSignatureWithripemd160_l896_l11',
- 'oid': (1,
- 3,
- 36,
- 3,
- 3,
- 1,
- 2,
- 896,
- 11)},
- 'rsaSignatureWithripemd160_l896_l2': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l896_l2 (1 3 36 3 3 1 2 896 2)',
- 'hexoid': '06 09 2B 24 03 03 01 02 87 00 02',
- 'name': 'rsaSignatureWithripemd160_l896_l2',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 896, 2)},
- 'rsaSignatureWithripemd160_l896_l3': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l896_l3 (1 3 36 3 3 1 2 896 3)',
- 'hexoid': '06 09 2B 24 03 03 01 02 87 00 03',
- 'name': 'rsaSignatureWithripemd160_l896_l3',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 896, 3)},
- 'rsaSignatureWithripemd160_l896_l5': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l896_l5 (1 3 36 3 3 1 2 896 5)',
- 'hexoid': '06 09 2B 24 03 03 01 02 87 00 05',
- 'name': 'rsaSignatureWithripemd160_l896_l5',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 896, 5)},
- 'rsaSignatureWithripemd160_l896_l9': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l896_l9 (1 3 36 3 3 1 2 896 9)',
- 'hexoid': '06 09 2B 24 03 03 01 02 87 00 09',
- 'name': 'rsaSignatureWithripemd160_l896_l9',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 896, 9)},
- 'rsaSignatureWithsha1': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1 (1 3 36 3 3 1 1)',
- 'hexoid': '06 06 2B 24 03 03 01 01',
- 'name': 'rsaSignatureWithsha1',
- 'oid': (1, 3, 36, 3, 3, 1, 1)},
- 'rsaSignatureWithsha1_l1024_l11': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l1024_l11 (1 3 36 3 3 1 1 1024 11)',
- 'hexoid': '06 09 2B 24 03 03 01 01 88 00 0B',
- 'name': 'rsaSignatureWithsha1_l1024_l11',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 1024, 11)},
- 'rsaSignatureWithsha1_l1024_l2': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l1024_l2 (1 3 36 3 3 1 1 1024 2)',
- 'hexoid': '06 09 2B 24 03 03 01 01 88 00 02',
- 'name': 'rsaSignatureWithsha1_l1024_l2',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 1024, 2)},
- 'rsaSignatureWithsha1_l1024_l3': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l1024_l3 (1 3 36 3 3 1 1 1024 3)',
- 'hexoid': '06 09 2B 24 03 03 01 01 88 00 03',
- 'name': 'rsaSignatureWithsha1_l1024_l3',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 1024, 3)},
- 'rsaSignatureWithsha1_l1024_l5': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l1024_l5 (1 3 36 3 3 1 1 1024 5)',
- 'hexoid': '06 09 2B 24 03 03 01 01 88 00 05',
- 'name': 'rsaSignatureWithsha1_l1024_l5',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 1024, 5)},
- 'rsaSignatureWithsha1_l1024_l9': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l1024_l9 (1 3 36 3 3 1 1 1024 9)',
- 'hexoid': '06 09 2B 24 03 03 01 01 88 00 09',
- 'name': 'rsaSignatureWithsha1_l1024_l9',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 1024, 9)},
- 'rsaSignatureWithsha1_l512_l11': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l512_l11 (1 3 36 3 3 1 1 512 11)',
- 'hexoid': '06 09 2B 24 03 03 01 01 84 00 0B',
- 'name': 'rsaSignatureWithsha1_l512_l11',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 512, 11)},
- 'rsaSignatureWithsha1_l512_l2': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l512_l2 (1 3 36 3 3 1 1 512 2)',
- 'hexoid': '06 09 2B 24 03 03 01 01 84 00 02',
- 'name': 'rsaSignatureWithsha1_l512_l2',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 512, 2)},
- 'rsaSignatureWithsha1_l512_l3': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l512_l3 (1 3 36 3 3 1 1 512 3)',
- 'hexoid': '06 09 2B 24 03 03 01 01 84 00 03',
- 'name': 'rsaSignatureWithsha1_l512_l3',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 512, 3)},
- 'rsaSignatureWithsha1_l512_l5': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l512_l5 (1 3 36 3 3 1 1 512 5)',
- 'hexoid': '06 09 2B 24 03 03 01 01 84 00 05',
- 'name': 'rsaSignatureWithsha1_l512_l5',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 512, 5)},
- 'rsaSignatureWithsha1_l512_l9': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l512_l9 (1 3 36 3 3 1 1 512 9)',
- 'hexoid': '06 09 2B 24 03 03 01 01 84 00 09',
- 'name': 'rsaSignatureWithsha1_l512_l9',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 512, 9)},
- 'rsaSignatureWithsha1_l640_l11': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l640_l11 (1 3 36 3 3 1 1 640 11)',
- 'hexoid': '06 09 2B 24 03 03 01 01 85 00 0B',
- 'name': 'rsaSignatureWithsha1_l640_l11',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 640, 11)},
- 'rsaSignatureWithsha1_l640_l2': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l640_l2 (1 3 36 3 3 1 1 640 2)',
- 'hexoid': '06 09 2B 24 03 03 01 01 85 00 02',
- 'name': 'rsaSignatureWithsha1_l640_l2',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 640, 2)},
- 'rsaSignatureWithsha1_l640_l3': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l640_l3 (1 3 36 3 3 1 1 640 3)',
- 'hexoid': '06 09 2B 24 03 03 01 01 85 00 03',
- 'name': 'rsaSignatureWithsha1_l640_l3',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 640, 3)},
- 'rsaSignatureWithsha1_l640_l5': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l640_l5 (1 3 36 3 3 1 1 640 5)',
- 'hexoid': '06 09 2B 24 03 03 01 01 85 00 05',
- 'name': 'rsaSignatureWithsha1_l640_l5',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 640, 5)},
- 'rsaSignatureWithsha1_l640_l9': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l640_l9 (1 3 36 3 3 1 1 640 9)',
- 'hexoid': '06 09 2B 24 03 03 01 01 85 00 09',
- 'name': 'rsaSignatureWithsha1_l640_l9',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 640, 9)},
- 'rsaSignatureWithsha1_l768_l11': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l768_l11 (1 3 36 3 3 1 1 768 11)',
- 'hexoid': '06 09 2B 24 03 03 01 01 86 00 0B',
- 'name': 'rsaSignatureWithsha1_l768_l11',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 768, 11)},
- 'rsaSignatureWithsha1_l768_l2': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l768_l2 (1 3 36 3 3 1 1 768 2)',
- 'hexoid': '06 09 2B 24 03 03 01 01 86 00 02',
- 'name': 'rsaSignatureWithsha1_l768_l2',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 768, 2)},
- 'rsaSignatureWithsha1_l768_l3': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l768_l3 (1 3 36 3 3 1 1 768 3)',
- 'hexoid': '06 09 2B 24 03 03 01 01 86 00 03',
- 'name': 'rsaSignatureWithsha1_l768_l3',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 768, 3)},
- 'rsaSignatureWithsha1_l768_l5': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l768_l5 (1 3 36 3 3 1 1 768 5)',
- 'hexoid': '06 09 2B 24 03 03 01 01 86 00 05',
- 'name': 'rsaSignatureWithsha1_l768_l5',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 768, 5)},
- 'rsaSignatureWithsha1_l768_l9': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l768_l9 (1 3 36 3 3 1 1 768 9)',
- 'hexoid': '06 09 2B 24 03 03 01 01 86 00 09',
- 'name': 'rsaSignatureWithsha1_l768_l9',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 768, 9)},
- 'rsaSignatureWithsha1_l896_l11': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l896_l11 (1 3 36 3 3 1 1 896 11)',
- 'hexoid': '06 09 2B 24 03 03 01 01 87 00 0B',
- 'name': 'rsaSignatureWithsha1_l896_l11',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 896, 11)},
- 'rsaSignatureWithsha1_l896_l2': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l896_l2 (1 3 36 3 3 1 1 896 2)',
- 'hexoid': '06 09 2B 24 03 03 01 01 87 00 02',
- 'name': 'rsaSignatureWithsha1_l896_l2',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 896, 2)},
- 'rsaSignatureWithsha1_l896_l3': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l896_l3 (1 3 36 3 3 1 1 896 3)',
- 'hexoid': '06 09 2B 24 03 03 01 01 87 00 03',
- 'name': 'rsaSignatureWithsha1_l896_l3',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 896, 3)},
- 'rsaSignatureWithsha1_l896_l5': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l896_l5 (1 3 36 3 3 1 1 896 5)',
- 'hexoid': '06 09 2B 24 03 03 01 01 87 00 05',
- 'name': 'rsaSignatureWithsha1_l896_l5',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 896, 5)},
- 'rsaSignatureWithsha1_l896_l9': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l896_l9 (1 3 36 3 3 1 1 896 9)',
- 'hexoid': '06 09 2B 24 03 03 01 01 87 00 09',
- 'name': 'rsaSignatureWithsha1_l896_l9',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 896, 9)},
- 'rsaTelesec': {'comment': 'Telesec encryption',
- 'description': 'rsaTelesec (0 2 262 1 10 1 2 1)',
- 'hexoid': '06 08 02 82 06 01 0A 01 02 01',
- 'name': 'rsaTelesec',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 1)},
- 'rsaWithRIPEMD160': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaWithRIPEMD160 (1 3 36 8 5 1 1 4)',
- 'hexoid': '06 07 2B 24 08 05 01 01 04',
- 'name': 'rsaWithRIPEMD160',
- 'oid': (1, 3, 36, 8, 5, 1, 1, 4)},
- 'rsaWithSHA1': {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaWithSHA1 (1 3 36 8 5 1 1 3)',
- 'hexoid': '06 07 2B 24 08 05 01 01 03',
- 'name': 'rsaWithSHA1',
- 'oid': (1, 3, 36, 8, 5, 1, 1, 3)},
- 'rtcsRequest': {'comment': 'cryptlib content type',
- 'description': 'rtcsRequest (1 3 6 1 4 1 3029 4 1 4)',
- 'hexoid': '06 0A 2B 06 01 04 01 97 55 04 01 04',
- 'name': 'rtcsRequest',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 4, 1, 4)},
- 'rtcsResponse': {'comment': 'cryptlib content type',
- 'description': 'rtcsResponse (1 3 6 1 4 1 3029 4 1 5)',
- 'hexoid': '06 0A 2B 06 01 04 01 97 55 04 01 05',
- 'name': 'rtcsResponse',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 4, 1, 5)},
- 'rtcsResponseExt': {'comment': 'cryptlib content type',
- 'description': 'rtcsResponseExt (1 3 6 1 4 1 3029 4 1 6)',
- 'hexoid': '06 0A 2B 06 01 04 01 97 55 04 01 06',
- 'name': 'rtcsResponseExt',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 4, 1, 6)},
- 'sMIMECapabilities': {'comment': 'PKCS #9. This OID was formerly assigned as symmetricCapabilities, then reassigned as SMIMECapabilities, then renamed to the current name',
- 'description': 'sMIMECapabilities (1 2 840 113549 1 9 15)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 0F',
- 'name': 'sMIMECapabilities',
- 'oid': (1, 2, 840, 113549, 1, 9, 15)},
- 'sadmib': {'comment': 'Telesec module',
- 'description': 'sadmib (0 2 262 1 10 2 9)',
- 'hexoid': '06 07 02 82 06 01 0A 02 09',
- 'name': 'sadmib',
- 'oid': (0, 2, 262, 1, 10, 2, 9)},
- 'sbgp-autonomousSysNum': {'comment': 'PKIX private extension',
- 'description': 'sbgp-autonomousSysNum (1 3 6 1 5 5 7 1 8)',
- 'hexoid': '06 08 2B 06 01 05 05 07 01 08',
- 'name': 'sbgp-autonomousSysNum',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 1, 8)},
- 'sbgp-ipAddrBlock': {'comment': 'PKIX private extension',
- 'description': 'sbgp-ipAddrBlock (1 3 6 1 5 5 7 1 7)',
- 'hexoid': '06 08 2B 06 01 05 05 07 01 07',
- 'name': 'sbgp-ipAddrBlock',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 1, 7)},
- 'sbgp-routerIdentifier': {'comment': 'PKIX private extension',
- 'description': 'sbgp-routerIdentifier (1 3 6 1 5 5 7 1 9)',
- 'hexoid': '06 08 2B 06 01 05 05 07 01 09',
- 'name': 'sbgp-routerIdentifier',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 1, 9)},
- 'sbgpCertAAServerAuth': {'comment': 'PKIX key purpose',
- 'description': 'sbgpCertAAServerAuth (1 3 6 1 5 5 7 3 11)',
- 'hexoid': '06 08 2B 06 01 05 05 07 03 0B',
- 'name': 'sbgpCertAAServerAuth',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 3, 11)},
- 'scheme': {'comment': 'ANSI X9.42',
- 'description': 'scheme (1 2 840 10046 3)',
- 'hexoid': '06 06 2A 86 48 CE 3E 03',
- 'name': 'scheme',
- 'oid': (1, 2, 840, 10046, 3)},
- 'sdnsCKL': {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'sdnsCKL (2 16 840 1 101 2 1 5 41)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 29',
- 'name': 'sdnsCKL',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 41)},
- 'sdnsCertificateRevocationList': {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'sdnsCertificateRevocationList (2 16 840 1 101 2 1 5 44)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 2C',
- 'name': 'sdnsCertificateRevocationList',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 44)},
- 'sdnsConfidentialityAlgorithm': {'comment': 'SDN.700 INFOSEC algorithms',
- 'description': 'sdnsConfidentialityAlgorithm (2 16 840 1 101 2 1 1 3)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 03',
- 'name': 'sdnsConfidentialityAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 3)},
- 'sdnsIntegrityAlgorithm': {'comment': 'SDN.700 INFOSEC algorithms',
- 'description': 'sdnsIntegrityAlgorithm (2 16 840 1 101 2 1 1 5)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 05',
- 'name': 'sdnsIntegrityAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 5)},
- 'sdnsKMandSigAlgorithm': {'comment': 'SDN.700 INFOSEC algorithms',
- 'description': 'sdnsKMandSigAlgorithm (2 16 840 1 101 2 1 1 11)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 0B',
- 'name': 'sdnsKMandSigAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 11)},
- 'sdnsKeyManagementAlgorithm': {'comment': 'SDN.700 INFOSEC algorithms',
- 'description': 'sdnsKeyManagementAlgorithm (2 16 840 1 101 2 1 1 9)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 09',
- 'name': 'sdnsKeyManagementAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 9)},
- 'sdnsPRBAC': {'comment': 'SDN.700 INFOSEC policy',
- 'description': 'sdnsPRBAC (2 16 840 1 101 2 1 3 2)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 03 02',
- 'name': 'sdnsPRBAC',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 3, 2)},
- 'sdnsSecurityPolicy': {'comment': 'SDN.700 INFOSEC policy',
- 'description': 'sdnsSecurityPolicy (2 16 840 1 101 2 1 3 1)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 03 01',
- 'name': 'sdnsSecurityPolicy',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 3, 1)},
- 'sdnsSignatureAlgorithm': {'comment': 'SDN.700 INFOSEC algorithms',
- 'description': 'sdnsSignatureAlgorithm (2 16 840 1 101 2 1 1 1)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 01',
- 'name': 'sdnsSignatureAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 1)},
- 'sdnsSignatureCKL': {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'sdnsSignatureCKL (2 16 840 1 101 2 1 5 43)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 2B',
- 'name': 'sdnsSignatureCKL',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 43)},
- 'sdnsTokenProtectionAlgorithm': {'comment': 'SDN.700 INFOSEC algorithms',
- 'description': 'sdnsTokenProtectionAlgorithm (2 16 840 1 101 2 1 1 7)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 07',
- 'name': 'sdnsTokenProtectionAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 7)},
- 'sdsiCertificate': {'comment': 'PKCS #9 via PKCS #12',
- 'description': 'sdsiCertificate (for PKCS #12) (1 2 840 113549 1 9 22 2)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 09 16 02',
- 'name': 'sdsiCertificate',
- 'oid': (1, 2, 840, 113549, 1, 9, 22, 2)},
- 'searchGuide': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'searchGuide (2 5 4 14)',
- 'hexoid': '06 03 55 04 0E',
- 'name': 'searchGuide',
- 'oid': (2, 5, 4, 14)},
- 'secPolicyInformationFile': {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'secPolicyInformationFile (2 16 840 1 101 2 1 5 59)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 3B',
- 'name': 'secPolicyInformationFile',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 59)},
- 'secondaryPractices': {'comment': 'MEDePass',
- 'description': 'secondaryPractices (1 3 6 1 4 1 5770 0 3)',
- 'hexoid': '06 09 2B 06 01 04 01 AD 0A 00 03',
- 'name': 'secondaryPractices',
- 'oid': (1, 3, 6, 1, 4, 1, 5770, 0, 3)},
- 'secp112r1': {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'secp112r1 (1 3 132 0 6)',
- 'hexoid': '06 05 2B 81 04 00 06',
- 'name': 'secp112r1',
- 'oid': (1, 3, 132, 0, 6)},
- 'secp112r2': {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'secp112r2 (1 3 132 0 7)',
- 'hexoid': '06 05 2B 81 04 00 07',
- 'name': 'secp112r2',
- 'oid': (1, 3, 132, 0, 7)},
- 'secp128r1': {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'secp128r1 (1 3 132 0 28)',
- 'hexoid': '06 05 2B 81 04 00 1C',
- 'name': 'secp128r1',
- 'oid': (1, 3, 132, 0, 28)},
- 'secp128r2': {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'secp128r2 (1 3 132 0 29)',
- 'hexoid': '06 05 2B 81 04 00 1D',
- 'name': 'secp128r2',
- 'oid': (1, 3, 132, 0, 29)},
- 'secp160k1': {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'secp160k1 (1 3 132 0 9)',
- 'hexoid': '06 05 2B 81 04 00 09',
- 'name': 'secp160k1',
- 'oid': (1, 3, 132, 0, 9)},
- 'secp160r1': {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'secp160r1 (1 3 132 0 8)',
- 'hexoid': '06 05 2B 81 04 00 08',
- 'name': 'secp160r1',
- 'oid': (1, 3, 132, 0, 8)},
- 'secp160r2': {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'secp160r2 (1 3 132 0 30)',
- 'hexoid': '06 05 2B 81 04 00 1E',
- 'name': 'secp160r2',
- 'oid': (1, 3, 132, 0, 30)},
- 'secp192k1': {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'secp192k1 (1 3 132 0 31)',
- 'hexoid': '06 05 2B 81 04 00 1F',
- 'name': 'secp192k1',
- 'oid': (1, 3, 132, 0, 31)},
- 'secp224k1': {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'secp224k1 (1 3 132 0 32)',
- 'hexoid': '06 05 2B 81 04 00 20',
- 'name': 'secp224k1',
- 'oid': (1, 3, 132, 0, 32)},
- 'secp224r1': {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'secp224r1 (1 3 132 0 33)',
- 'hexoid': '06 05 2B 81 04 00 21',
- 'name': 'secp224r1',
- 'oid': (1, 3, 132, 0, 33)},
- 'secp256k1': {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'secp256k1 (1 3 132 0 10)',
- 'hexoid': '06 05 2B 81 04 00 0A',
- 'name': 'secp256k1',
- 'oid': (1, 3, 132, 0, 10)},
- 'secp384r1': {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'secp384r1 (1 3 132 0 34)',
- 'hexoid': '06 05 2B 81 04 00 22',
- 'name': 'secp384r1',
- 'oid': (1, 3, 132, 0, 34)},
- 'secp521r1': {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'secp521r1 (1 3 132 0 35)',
- 'hexoid': '06 05 2B 81 04 00 23',
- 'name': 'secp521r1',
- 'oid': (1, 3, 132, 0, 35)},
- 'sect113r1': {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect113r1 (1 3 132 0 4)',
- 'hexoid': '06 05 2B 81 04 00 04',
- 'name': 'sect113r1',
- 'oid': (1, 3, 132, 0, 4)},
- 'sect113r2': {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect113r2 (1 3 132 0 5)',
- 'hexoid': '06 05 2B 81 04 00 05',
- 'name': 'sect113r2',
- 'oid': (1, 3, 132, 0, 5)},
- 'sect131r1': {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect131r1 (1 3 132 0 22)',
- 'hexoid': '06 05 2B 81 04 00 16',
- 'name': 'sect131r1',
- 'oid': (1, 3, 132, 0, 22)},
- 'sect131r2': {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect131r2 (1 3 132 0 23)',
- 'hexoid': '06 05 2B 81 04 00 17',
- 'name': 'sect131r2',
- 'oid': (1, 3, 132, 0, 23)},
- 'sect163k1': {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect163k1 (1 3 132 0 1)',
- 'hexoid': '06 05 2B 81 04 00 01',
- 'name': 'sect163k1',
- 'oid': (1, 3, 132, 0, 1)},
- 'sect163r1': {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect163r1 (1 3 132 0 2)',
- 'hexoid': '06 05 2B 81 04 00 02',
- 'name': 'sect163r1',
- 'oid': (1, 3, 132, 0, 2)},
- 'sect163r2': {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect163r2 (1 3 132 0 15)',
- 'hexoid': '06 05 2B 81 04 00 0F',
- 'name': 'sect163r2',
- 'oid': (1, 3, 132, 0, 15)},
- 'sect193r1': {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect193r1 (1 3 132 0 24)',
- 'hexoid': '06 05 2B 81 04 00 18',
- 'name': 'sect193r1',
- 'oid': (1, 3, 132, 0, 24)},
- 'sect193r2': {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect193r2 (1 3 132 0 25)',
- 'hexoid': '06 05 2B 81 04 00 19',
- 'name': 'sect193r2',
- 'oid': (1, 3, 132, 0, 25)},
- 'sect233k1': {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect233k1 (1 3 132 0 26)',
- 'hexoid': '06 05 2B 81 04 00 1A',
- 'name': 'sect233k1',
- 'oid': (1, 3, 132, 0, 26)},
- 'sect233r1': {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect233r1 (1 3 132 0 27)',
- 'hexoid': '06 05 2B 81 04 00 1B',
- 'name': 'sect233r1',
- 'oid': (1, 3, 132, 0, 27)},
- 'sect239k1': {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect239k1 (1 3 132 0 3)',
- 'hexoid': '06 05 2B 81 04 00 03',
- 'name': 'sect239k1',
- 'oid': (1, 3, 132, 0, 3)},
- 'sect283k1': {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect283k1 (1 3 132 0 16)',
- 'hexoid': '06 05 2B 81 04 00 10',
- 'name': 'sect283k1',
- 'oid': (1, 3, 132, 0, 16)},
- 'sect283r1': {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect283r1 (1 3 132 0 17)',
- 'hexoid': '06 05 2B 81 04 00 11',
- 'name': 'sect283r1',
- 'oid': (1, 3, 132, 0, 17)},
- 'sect409k1': {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect409k1 (1 3 132 0 36)',
- 'hexoid': '06 05 2B 81 04 00 24',
- 'name': 'sect409k1',
- 'oid': (1, 3, 132, 0, 36)},
- 'sect409r1': {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect409r1 (1 3 132 0 37)',
- 'hexoid': '06 05 2B 81 04 00 25',
- 'name': 'sect409r1',
- 'oid': (1, 3, 132, 0, 37)},
- 'sect571k1': {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect571k1 (1 3 132 0 38)',
- 'hexoid': '06 05 2B 81 04 00 26',
- 'name': 'sect571k1',
- 'oid': (1, 3, 132, 0, 38)},
- 'sect571r1': {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect571r1 (1 3 132 0 39)',
- 'hexoid': '06 05 2B 81 04 00 27',
- 'name': 'sect571r1',
- 'oid': (1, 3, 132, 0, 39)},
- 'securityApplication': {'comment': 'Telesec SNMP MIBs',
- 'description': 'securityApplication (0 2 262 1 10 11 1)',
- 'hexoid': '06 07 02 82 06 01 0A 0B 01',
- 'name': 'securityApplication',
- 'oid': (0, 2, 262, 1, 10, 11, 1)},
- 'securityAttributes': {'comment': 'Novell PKI attribute type',
- 'description': 'securityAttributes (2 16 840 1 113719 1 9 4 1)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 09 04 01',
- 'name': 'securityAttributes',
- 'oid': (2, 16, 840, 1, 113719, 1, 9, 4, 1)},
- 'securityDomain': {'comment': 'Telesec attribute',
- 'description': 'securityDomain (0 2 262 1 10 7 9)',
- 'hexoid': '06 07 02 82 06 01 0A 07 09',
- 'name': 'securityDomain',
- 'oid': (0, 2, 262, 1, 10, 7, 9)},
- 'securityLabel': {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'securityLabel (1 2 840 113549 1 9 16 2 2)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 02',
- 'name': 'securityLabel',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 2, 2)},
- 'securityMessEnv': {'comment': 'Telesec attribute',
- 'description': 'securityMessEnv (0 2 262 1 10 7 15)',
- 'hexoid': '06 07 02 82 06 01 0A 07 0F',
- 'name': 'securityMessEnv',
- 'oid': (0, 2, 262, 1, 10, 7, 15)},
- 'sedu': {'comment': 'Teletrust sio',
- 'description': 'sedu (1 3 36 2 1)',
- 'hexoid': '06 04 2B 24 02 01',
- 'name': 'sedu',
- 'oid': (1, 3, 36, 2, 1)},
- 'seeAlso': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'seeAlso (2 5 4 34)',
- 'hexoid': '06 03 55 04 22',
- 'name': 'seeAlso',
- 'oid': (2, 5, 4, 34)},
- 'seis-cp': {'comment': 'SEIS Project',
- 'description': 'seis-cp (1 2 752 34 1)',
- 'hexoid': '06 05 2A 85 70 22 01',
- 'name': 'seis-cp',
- 'oid': (1, 2, 752, 34, 1)},
- 'senderNonce': {'comment': 'Verisign PKCS #7 attribute',
- 'description': 'senderNonce (2 16 840 1 113733 1 9 5)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 45 01 09 05',
- 'name': 'senderNonce',
- 'oid': (2, 16, 840, 1, 113733, 1, 9, 5)},
- 'sepUKMs': {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'sepUKMs (2 16 840 1 101 2 1 5 28)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 1C',
- 'name': 'sepUKMs',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 28)},
- 'sequenceNumber': {'comment': 'PKCS #9/RFC 2985 attribute',
- 'description': 'sequenceNumber (1 2 840 113549 1 9 25 4)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 09 19 04',
- 'name': 'sequenceNumber',
- 'oid': (1, 2, 840, 113549, 1, 9, 25, 4)},
- 'serialNumber': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'serialNumber (2 5 4 5)',
- 'hexoid': '06 03 55 04 05',
- 'name': 'serialNumber',
- 'oid': (2, 5, 4, 5)},
- 'serpent': {'comment': 'GNU encryption algorithm',
- 'description': 'serpent (1 3 6 1 4 1 11591 13 2)',
- 'hexoid': '06 09 2B 06 01 04 01 DA 47 0D 02',
- 'name': 'serpent',
- 'oid': (1, 3, 6, 1, 4, 1, 11591, 13, 2)},
- 'serpent128_CBC': {'comment': 'GNU encryption algorithm',
- 'description': 'serpent128_CBC (1 3 6 1 4 1 11591 13 2 2)',
- 'hexoid': '06 0A 2B 06 01 04 01 DA 47 0D 02 02',
- 'name': 'serpent128_CBC',
- 'oid': (1, 3, 6, 1, 4, 1, 11591, 13, 2, 2)},
- 'serpent128_CFB': {'comment': 'GNU encryption algorithm',
- 'description': 'serpent128_CFB (1 3 6 1 4 1 11591 13 2 4)',
- 'hexoid': '06 0A 2B 06 01 04 01 DA 47 0D 02 04',
- 'name': 'serpent128_CFB',
- 'oid': (1, 3, 6, 1, 4, 1, 11591, 13, 2, 4)},
- 'serpent128_ECB': {'comment': 'GNU encryption algorithm',
- 'description': 'serpent128_ECB (1 3 6 1 4 1 11591 13 2 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 DA 47 0D 02 01',
- 'name': 'serpent128_ECB',
- 'oid': (1, 3, 6, 1, 4, 1, 11591, 13, 2, 1)},
- 'serpent128_OFB': {'comment': 'GNU encryption algorithm',
- 'description': 'serpent128_OFB (1 3 6 1 4 1 11591 13 2 3)',
- 'hexoid': '06 0A 2B 06 01 04 01 DA 47 0D 02 03',
- 'name': 'serpent128_OFB',
- 'oid': (1, 3, 6, 1, 4, 1, 11591, 13, 2, 3)},
- 'serpent192_CBC': {'comment': 'GNU encryption algorithm',
- 'description': 'serpent192_CBC (1 3 6 1 4 1 11591 13 2 22)',
- 'hexoid': '06 0A 2B 06 01 04 01 DA 47 0D 02 16',
- 'name': 'serpent192_CBC',
- 'oid': (1, 3, 6, 1, 4, 1, 11591, 13, 2, 22)},
- 'serpent192_CFB': {'comment': 'GNU encryption algorithm',
- 'description': 'serpent192_CFB (1 3 6 1 4 1 11591 13 2 24)',
- 'hexoid': '06 0A 2B 06 01 04 01 DA 47 0D 02 18',
- 'name': 'serpent192_CFB',
- 'oid': (1, 3, 6, 1, 4, 1, 11591, 13, 2, 24)},
- 'serpent192_ECB': {'comment': 'GNU encryption algorithm',
- 'description': 'serpent192_ECB (1 3 6 1 4 1 11591 13 2 21)',
- 'hexoid': '06 0A 2B 06 01 04 01 DA 47 0D 02 15',
- 'name': 'serpent192_ECB',
- 'oid': (1, 3, 6, 1, 4, 1, 11591, 13, 2, 21)},
- 'serpent192_OFB': {'comment': 'GNU encryption algorithm',
- 'description': 'serpent192_OFB (1 3 6 1 4 1 11591 13 2 23)',
- 'hexoid': '06 0A 2B 06 01 04 01 DA 47 0D 02 17',
- 'name': 'serpent192_OFB',
- 'oid': (1, 3, 6, 1, 4, 1, 11591, 13, 2, 23)},
- 'serpent256_CBC': {'comment': 'GNU encryption algorithm',
- 'description': 'serpent256_CBC (1 3 6 1 4 1 11591 13 2 42)',
- 'hexoid': '06 0A 2B 06 01 04 01 DA 47 0D 02 2A',
- 'name': 'serpent256_CBC',
- 'oid': (1, 3, 6, 1, 4, 1, 11591, 13, 2, 42)},
- 'serpent256_CFB': {'comment': 'GNU encryption algorithm',
- 'description': 'serpent256_CFB (1 3 6 1 4 1 11591 13 2 44)',
- 'hexoid': '06 0A 2B 06 01 04 01 DA 47 0D 02 2C',
- 'name': 'serpent256_CFB',
- 'oid': (1, 3, 6, 1, 4, 1, 11591, 13, 2, 44)},
- 'serpent256_ECB': {'comment': 'GNU encryption algorithm',
- 'description': 'serpent256_ECB (1 3 6 1 4 1 11591 13 2 41)',
- 'hexoid': '06 0A 2B 06 01 04 01 DA 47 0D 02 29',
- 'name': 'serpent256_ECB',
- 'oid': (1, 3, 6, 1, 4, 1, 11591, 13, 2, 41)},
- 'serpent256_OFB': {'comment': 'GNU encryption algorithm',
- 'description': 'serpent256_OFB (1 3 6 1 4 1 11591 13 2 43)',
- 'hexoid': '06 0A 2B 06 01 04 01 DA 47 0D 02 2B',
- 'name': 'serpent256_OFB',
- 'oid': (1, 3, 6, 1, 4, 1, 11591, 13, 2, 43)},
- 'serverAuth': {'comment': 'PKIX key purpose',
- 'description': 'serverAuth (1 3 6 1 5 5 7 3 1)',
- 'hexoid': '06 08 2B 06 01 05 05 07 03 01',
- 'name': 'serverAuth',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 3, 1)},
- 'serverGatedCrypto': {'comment': 'Netscape',
- 'description': 'serverGatedCrypto (2 16 840 1 113730 4 1)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 04 01',
- 'name': 'serverGatedCrypto',
- 'oid': (2, 16, 840, 1, 113730, 4, 1)},
- 'setExtensions': {'comment': 'SET cert extension',
- 'description': 'setExtensions (2 23 42 7 5)',
- 'hexoid': '06 04 67 2A 07 05',
- 'name': 'setExtensions',
- 'oid': (2, 23, 42, 7, 5)},
- 'setQualifier': {'comment': 'SET cert extension',
- 'description': 'setQualifier (2 23 42 7 6)',
- 'hexoid': '06 04 67 2A 07 06',
- 'name': 'setQualifier',
- 'oid': (2, 23, 42, 7, 6)},
- 'sha': {'comment': 'Oddball OIW OID',
- 'description': 'sha (1 3 14 3 2 18)',
- 'hexoid': '06 05 2B 0E 03 02 12',
- 'name': 'sha',
- 'oid': (1, 3, 14, 3, 2, 18)},
- 'sha-1WithRSAEncryption': {'comment': 'Oddball OIW OID',
- 'description': 'sha-1WithRSAEncryption (1 3 14 3 2 29)',
- 'hexoid': '06 05 2B 0E 03 02 1D',
- 'name': 'sha-1WithRSAEncryption',
- 'oid': (1, 3, 14, 3, 2, 29)},
- 'sha-224': {'comment': 'NIST Algorithm',
- 'description': 'sha-224 (2 16 840 1 101 3 4 2 4)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 02 04',
- 'name': 'sha-224',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 2, 4)},
- 'sha-256': {'comment': 'NIST Algorithm',
- 'description': 'sha-256 (2 16 840 1 101 3 4 2 1)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 02 01',
- 'name': 'sha-256',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 2, 1)},
- 'sha-384': {'comment': 'NIST Algorithm',
- 'description': 'sha-384 (2 16 840 1 101 3 4 2 2)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 02 02',
- 'name': 'sha-384',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 2, 2)},
- 'sha-512': {'comment': 'NIST Algorithm',
- 'description': 'sha-512 (2 16 840 1 101 3 4 2 3)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 02 03',
- 'name': 'sha-512',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 2, 3)},
- 'sha1': {'comment': 'OIW',
- 'description': 'sha1 (1 3 14 3 2 26)',
- 'hexoid': '06 05 2B 0E 03 02 1A',
- 'name': 'sha1',
- 'oid': (1, 3, 14, 3, 2, 26)},
- 'sha1WithRSAEncryptionBSafe1': {'comment': 'Novell signature algorithm',
- 'description': 'sha1WithRSAEncryptionBSafe1 (2 16 840 1 113719 1 2 8 31)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 1F',
- 'name': 'sha1WithRSAEncryptionBSafe1',
- 'oid': (2, 16, 840, 1, 113719, 1, 2, 8, 31)},
- 'sha1withRSAEncryption': {'comment': 'PKCS #1',
- 'description': 'sha1withRSAEncryption (1 2 840 113549 1 1 5)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 01 05',
- 'name': 'sha1withRSAEncryption',
- 'oid': (1, 2, 840, 113549, 1, 1, 5)},
- 'sha256WithRSAEncryption': {'comment': 'PKCS #1',
- 'description': 'sha256WithRSAEncryption (1 2 840 113549 1 1 11)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 01 0B',
- 'name': 'sha256WithRSAEncryption',
- 'oid': (1, 2, 840, 113549, 1, 1, 11)},
- 'sha384WithRSAEncryption': {'comment': 'PKCS #1',
- 'description': 'sha384WithRSAEncryption (1 2 840 113549 1 1 12)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 01 0C',
- 'name': 'sha384WithRSAEncryption',
- 'oid': (1, 2, 840, 113549, 1, 1, 12)},
- 'sha512WithRSAEncryption': {'comment': 'PKCS #1',
- 'description': 'sha512WithRSAEncryption (1 2 840 113549 1 1 13)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 01 0D',
- 'name': 'sha512WithRSAEncryption',
- 'oid': (1, 2, 840, 113549, 1, 1, 13)},
- 'shaWithRSASignature': {'comment': 'Oddball OIW OID using 9796-2 padding rules',
- 'description': 'shaWithRSASignature (1 3 14 3 2 15)',
- 'hexoid': '06 05 2B 0E 03 02 0F',
- 'name': 'shaWithRSASignature',
- 'oid': (1, 3, 14, 3, 2, 15)},
- 'siSecurityPolicy': {'comment': 'SDN.700 INFOSEC policy',
- 'description': 'siSecurityPolicy (2 16 840 1 101 2 1 3 10)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 03 0A',
- 'name': 'siSecurityPolicy',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 3, 10)},
- 'sigNumber': {'comment': 'Teletrust signature attributes',
- 'description': 'sigNumber (1 3 36 8 6 9)',
- 'hexoid': '06 05 2B 24 08 06 09',
- 'name': 'sigNumber',
- 'oid': (1, 3, 36, 8, 6, 9)},
- 'sigOrKMPrivileges': {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'sigOrKMPrivileges (2 16 840 1 101 2 1 5 55)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 37',
- 'name': 'sigOrKMPrivileges',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 55)},
- 'sigPolicyId': {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'sigPolicyId (1 2 840 113549 1 9 16 2 15)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 0F',
- 'name': 'sigPolicyId',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 2, 15)},
- 'sigPolicyQualifier-spUserNotice': {'comment': 'S/MIME Signature Policy Qualifier',
- 'description': 'sigPolicyQualifier-spUserNotice (1 2 840 113549 1 9 16 5 2)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 05 02',
- 'name': 'sigPolicyQualifier-spUserNotice',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 5,
- 2)},
- 'sigPolicyQualifier-spuri': {'comment': 'S/MIME Signature Policy Qualifier',
- 'description': 'sigPolicyQualifier-spuri (1 2 840 113549 1 9 16 5 1)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 05 01',
- 'name': 'sigPolicyQualifier-spuri',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 5, 1)},
- 'sigPrivileges': {'comment': 'SDN.700 INFOSEC privileges',
- 'description': 'sigPrivileges (2 16 840 1 101 2 1 10 1)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 0A 01',
- 'name': 'sigPrivileges',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 10, 1)},
- 'sigS_ISO9796-1': {'comment': 'Teletrust signature scheme',
- 'description': 'sigS_ISO9796-1 (1 3 36 3 4 1)',
- 'hexoid': '06 05 2B 24 03 04 01',
- 'name': 'sigS_ISO9796-1',
- 'oid': (1, 3, 36, 3, 4, 1)},
- 'sigS_ISO9796-2': {'comment': 'Teletrust signature scheme',
- 'description': 'sigS_ISO9796-2 (1 3 36 3 4 2)',
- 'hexoid': '06 05 2B 24 03 04 02',
- 'name': 'sigS_ISO9796-2',
- 'oid': (1, 3, 36, 3, 4, 2)},
- 'sigS_ISO9796-2Withred': {'comment': 'Teletrust signature scheme. Unsure what this is supposed to be',
- 'description': 'sigS_ISO9796-2Withred (1 3 36 3 4 2 1)',
- 'hexoid': '06 06 2B 24 03 04 02 01',
- 'name': 'sigS_ISO9796-2Withred',
- 'oid': (1, 3, 36, 3, 4, 2, 1)},
- 'sigS_ISO9796-2Withrnd': {'comment': 'Teletrust signature scheme. 9796-2 with random number in padding field',
- 'description': 'sigS_ISO9796-2Withrnd (1 3 36 3 4 2 3)',
- 'hexoid': '06 06 2B 24 03 04 02 03',
- 'name': 'sigS_ISO9796-2Withrnd',
- 'oid': (1, 3, 36, 3, 4, 2, 3)},
- 'sigS_ISO9796-2Withrsa': {'comment': 'Teletrust signature scheme. Unsure what this is supposed to be',
- 'description': 'sigS_ISO9796-2Withrsa (1 3 36 3 4 2 2)',
- 'hexoid': '06 06 2B 24 03 04 02 02',
- 'name': 'sigS_ISO9796-2Withrsa',
- 'oid': (1, 3, 36, 3, 4, 2, 2)},
- 'signKeyPairTypes': {'comment': 'PKIX CMP information',
- 'description': 'signKeyPairTypes (1 3 6 1 5 5 7 4 2)',
- 'hexoid': '06 08 2B 06 01 05 05 07 04 02',
- 'name': 'signKeyPairTypes',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 4, 2)},
- 'signature': {'comment': 'Telesec mechanism',
- 'description': 'signature (0 2 262 1 10 1 1)',
- 'hexoid': '06 07 02 82 06 01 0A 01 01',
- 'name': 'signature',
- 'oid': (0, 2, 262, 1, 10, 1, 1)},
- 'signatureAlgorithm': {'comment': 'Teletrust algorithm',
- 'description': 'signatureAlgorithm (1 3 36 3 3)',
- 'hexoid': '06 04 2B 24 03 03',
- 'name': 'signatureAlgorithm',
- 'oid': (1, 3, 36, 3, 3)},
- 'signatureScheme': {'comment': 'Teletrust algorithm',
- 'description': 'signatureScheme (1 3 36 3 4)',
- 'hexoid': '06 04 2B 24 03 04',
- 'name': 'signatureScheme',
- 'oid': (1, 3, 36, 3, 4)},
- 'signatureType': {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'signatureType (1 2 840 113549 1 9 16 2 28)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 1C',
- 'name': 'signatureType',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 2, 28)},
- 'signatureTypeIdentifier': {'comment': 'S/MIME',
- 'description': 'signatureTypeIdentifier (1 2 840 113549 1 9 16 9)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 09 10 09',
- 'name': 'signatureTypeIdentifier',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 9)},
- 'signedAndEnvelopedData': {'comment': 'PKCS #7',
- 'description': 'signedAndEnvelopedData (1 2 840 113549 1 7 4)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 07 04',
- 'name': 'signedAndEnvelopedData',
- 'oid': (1, 2, 840, 113549, 1, 7, 4)},
- 'signedData': {'comment': 'PKCS #7',
- 'description': 'signedData (1 2 840 113549 1 7 2)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 07 02',
- 'name': 'signedData',
- 'oid': (1, 2, 840, 113549, 1, 7, 2)},
- 'signedEDImessage': {'comment': 'TMN EDI for Interactive Agents',
- 'description': 'signedEDImessage (1 3 6 1 4 1 3576 7 2)',
- 'hexoid': '06 09 2B 06 01 04 01 9B 78 07 02',
- 'name': 'signedEDImessage',
- 'oid': (1, 3, 6, 1, 4, 1, 3576, 7, 2)},
- 'signerAttr': {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'signerAttr (1 2 840 113549 1 9 16 2 18)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 12',
- 'name': 'signerAttr',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 2, 18)},
- 'signerLocation': {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'signerLocation (1 2 840 113549 1 9 16 2 17)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 11',
- 'name': 'signerLocation',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 2, 17)},
- 'signingCertificate': {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'signingCertificate (1 2 840 113549 1 9 16 2 12)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 0C',
- 'name': 'signingCertificate',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 2, 12)},
- 'signingDescription': {'comment': 'PKCS #9',
- 'description': 'signingDescription (1 2 840 113549 1 9 13)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 0D',
- 'name': 'signingDescription',
- 'oid': (1, 2, 840, 113549, 1, 9, 13)},
- 'signingTime': {'comment': 'PKCS #9',
- 'description': 'signingTime (1 2 840 113549 1 9 5)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 05',
- 'name': 'signingTime',
- 'oid': (1, 2, 840, 113549, 1, 9, 5)},
- 'simple-strong-auth-mechanism': {'comment': 'Oddball OIW OID',
- 'description': 'simple-strong-auth-mechanism (1 3 14 3 3 1)',
- 'hexoid': '06 05 2B 0E 03 03 01',
- 'name': 'simple-strong-auth-mechanism',
- 'oid': (1, 3, 14, 3, 3, 1)},
- 'sio': {'comment': 'Teletrust sio',
- 'description': 'sio (1 3 36 2)',
- 'hexoid': '06 03 2B 24 02',
- 'name': 'sio',
- 'oid': (1, 3, 36, 2)},
- 'site-Addressing': {'comment': 'Microsoft Exchange Server - object class',
- 'description': 'site-Addressing (1 2 840 113556 1 3 0)',
- 'hexoid': '06 09 2A 86 48 86 F7 14 01 03 00',
- 'name': 'site-Addressing',
- 'oid': (1, 2, 840, 113556, 1, 3, 0)},
- 'smeAndComponentsOfSme': {'comment': 'Telesec module',
- 'description': 'smeAndComponentsOfSme (0 2 262 1 10 2 5)',
- 'hexoid': '06 07 02 82 06 01 0A 02 05',
- 'name': 'smeAndComponentsOfSme',
- 'oid': (0, 2, 262, 1, 10, 2, 5)},
- 'smimeEncryptCerts': {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'smimeEncryptCerts (1 2 840 113549 1 9 16 2 13)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 0D',
- 'name': 'smimeEncryptCerts',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 2, 13)},
- 'snmp-mibs': {'comment': 'Telesec',
- 'description': 'snmp-mibs (0 2 262 1 10 11)',
- 'hexoid': '06 06 02 82 06 01 0A 0B',
- 'name': 'snmp-mibs',
- 'oid': (0, 2, 262, 1, 10, 11)},
- 'spcAgencyInfo': {'comment': 'Microsoft code signing. Also known as policyLink',
- 'description': 'spcAgencyInfo (1 3 6 1 4 1 311 2 1 10)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 02 01 0A',
- 'name': 'spcAgencyInfo',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 2, 1, 10)},
- 'spcFinancialCriteriaInfo': {'comment': 'Microsoft code signing',
- 'description': 'spcFinancialCriteriaInfo (1 3 6 1 4 1 311 2 1 27)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 02 01 1B',
- 'name': 'spcFinancialCriteriaInfo',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 2, 1, 27)},
- 'spcIndirectDataContext': {'comment': 'Microsoft code signing',
- 'description': 'spcIndirectDataContext (1 3 6 1 4 1 311 2 1 4)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 02 01 04',
- 'name': 'spcIndirectDataContext',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 2, 1, 4)},
- 'spcJavaClassData': {'comment': 'Microsoft code signing. Formerly "link extension" aka "glue extension"',
- 'description': 'spcJavaClassData (type 1) (1 3 6 1 4 1 311 2 1 20)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 02 01 14',
- 'name': 'spcJavaClassData',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 2, 1, 20)},
- 'spcLink': {'comment': 'Microsoft code signing. Also known as "glue extension"',
- 'description': 'spcLink (type 3) (1 3 6 1 4 1 311 2 1 28)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 02 01 1C',
- 'name': 'spcLink',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 2, 1, 28)},
- 'spcMinimalCriteriaInfo': {'comment': 'Microsoft code signing',
- 'description': 'spcMinimalCriteriaInfo (1 3 6 1 4 1 311 2 1 26)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 02 01 1A',
- 'name': 'spcMinimalCriteriaInfo',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 2, 1, 26)},
- 'spcPEImageData': {'comment': 'Microsoft code signing',
- 'description': 'spcPEImageData (1 3 6 1 4 1 311 2 1 15)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 02 01 0F',
- 'name': 'spcPEImageData',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 2, 1, 15)},
- 'spcRawFileData': {'comment': 'Microsoft code signing',
- 'description': 'spcRawFileData (1 3 6 1 4 1 311 2 1 18)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 02 01 12',
- 'name': 'spcRawFileData',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 2, 1, 18)},
- 'spcSpOpusInfo': {'comment': 'Microsoft code signing',
- 'description': 'spcSpOpusInfo (1 3 6 1 4 1 311 2 1 12)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 02 01 0C',
- 'name': 'spcSpOpusInfo',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 2, 1, 12)},
- 'spcStatementType': {'comment': 'Microsoft code signing',
- 'description': 'spcStatementType (1 3 6 1 4 1 311 2 1 11)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 02 01 0B',
- 'name': 'spcStatementType',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 2, 1, 11)},
- 'spcStructuredStorageData': {'comment': 'Microsoft code signing',
- 'description': 'spcStructuredStorageData (1 3 6 1 4 1 311 2 1 19)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 02 01 13',
- 'name': 'spcStructuredStorageData',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 2, 1, 19)},
- 'sqModNISO': {'comment': 'Telesec one-way function',
- 'description': 'sqModNISO (0 2 262 1 10 1 3 4)',
- 'hexoid': '06 08 02 82 06 01 0A 01 03 04',
- 'name': 'sqModNISO',
- 'oid': (0, 2, 262, 1, 10, 1, 3, 4)},
- 'sqModNX509': {'comment': 'Telesec one-way function',
- 'description': 'sqModNX509 (0 2 262 1 10 1 3 3)',
- 'hexoid': '06 08 02 82 06 01 0A 01 03 03',
- 'name': 'sqModNX509',
- 'oid': (0, 2, 262, 1, 10, 1, 3, 3)},
- 'standardSecurityLabelPrivileges': {'comment': 'SDN.700 INFOSEC security category',
- 'description': 'standardSecurityLabelPrivileges (2 16 840 1 101 2 1 8 2)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 08 02',
- 'name': 'standardSecurityLabelPrivileges',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 8, 2)},
- 'stateOrProvinceName': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'stateOrProvinceName (2 5 4 8)',
- 'hexoid': '06 03 55 04 08',
- 'name': 'stateOrProvinceName',
- 'oid': (2, 5, 4, 8)},
- 'stefiles': {'comment': 'Telesec module',
- 'description': 'stefiles (0 2 262 1 10 2 8)',
- 'hexoid': '06 07 02 82 06 01 0A 02 08',
- 'name': 'stefiles',
- 'oid': (0, 2, 262, 1, 10, 2, 8)},
- 'steuerBerater': {'comment': 'Teletrust ProfessionInfo',
- 'description': 'steuerBerater (1 3 36 8 3 11 1 5)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 05',
- 'name': 'steuerBerater',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 5)},
- 'steuerBeraterin': {'comment': 'Teletrust ProfessionInfo',
- 'description': 'steuerBeraterin (1 3 36 8 3 11 1 4)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 04',
- 'name': 'steuerBeraterin',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 4)},
- 'steuerBevollmaechtigte': {'comment': 'Teletrust ProfessionInfo',
- 'description': 'steuerBevollmaechtigte (1 3 36 8 3 11 1 6)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 06',
- 'name': 'steuerBevollmaechtigte',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 6)},
- 'steuerBevollmaechtigter': {'comment': 'Teletrust ProfessionInfo',
- 'description': 'steuerBevollmaechtigter (1 3 36 8 3 11 1 7)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 07',
- 'name': 'steuerBevollmaechtigter',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 7)},
- 'storageTime': {'comment': 'Teletrust signature attributes',
- 'description': 'storageTime (1 3 36 8 6 6)',
- 'hexoid': '06 05 2B 24 08 06 06',
- 'name': 'storageTime',
- 'oid': (1, 3, 36, 8, 6, 6)},
- 'streetAddress': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'streetAddress (2 5 4 9)',
- 'hexoid': '06 03 55 04 09',
- 'name': 'streetAddress',
- 'oid': (2, 5, 4, 9)},
- 'strongAuthenticationUser': {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'strongAuthenticationUser (2 5 6 15)',
- 'hexoid': '06 03 55 06 0F',
- 'name': 'strongAuthenticationUser',
- 'oid': (2, 5, 6, 15)},
- 'strongExtranet': {'comment': 'Thawte certificate extension',
- 'description': 'strongExtranet (1 3 101 1 4 1)',
- 'hexoid': '06 05 2B 65 01 04 01',
- 'name': 'strongExtranet',
- 'oid': (1, 3, 101, 1, 4, 1)},
- 'subject': {'comment': 'Telesec attribute',
- 'description': 'subject (0 2 262 1 10 7 10)',
- 'hexoid': '06 07 02 82 06 01 0A 07 0A',
- 'name': 'subject',
- 'oid': (0, 2, 262, 1, 10, 7, 10)},
- 'subjectAltName': {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'subjectAltName (2 5 29 17)',
- 'hexoid': '06 03 55 1D 11',
- 'name': 'subjectAltName',
- 'oid': (2, 5, 29, 17)},
- 'subjectDirectoryAttributes': {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'subjectDirectoryAttributes (2 5 29 9)',
- 'hexoid': '06 03 55 1D 09',
- 'name': 'subjectDirectoryAttributes',
- 'oid': (2, 5, 29, 9)},
- 'subjectInfoAccess': {'comment': 'PKIX private extension',
- 'description': 'subjectInfoAccess (1 3 6 1 5 5 7 1 11)',
- 'hexoid': '06 08 2B 06 01 05 05 07 01 0B',
- 'name': 'subjectInfoAccess',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 1, 11)},
- 'subjectKeyIdentifier': {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'subjectKeyIdentifier (2 5 29 14)',
- 'hexoid': '06 03 55 1D 0E',
- 'name': 'subjectKeyIdentifier',
- 'oid': (2, 5, 29, 14)},
- 'suiteAConfidentialityAlgorithm': {'comment': 'SDN.700 INFOSEC algorithms',
- 'description': 'suiteAConfidentialityAlgorithm (2 16 840 1 101 2 1 1 14)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 0E',
- 'name': 'suiteAConfidentialityAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 14)},
- 'suiteAIntegrityAlgorithm': {'comment': 'SDN.700 INFOSEC algorithms',
- 'description': 'suiteAIntegrityAlgorithm (2 16 840 1 101 2 1 1 15)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 0F',
- 'name': 'suiteAIntegrityAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 15)},
- 'suiteAKMandSigAlgorithm': {'comment': 'SDN.700 INFOSEC algorithms',
- 'description': 'suiteAKMandSigAlgorithm (2 16 840 1 101 2 1 1 18)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 12',
- 'name': 'suiteAKMandSigAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 18)},
- 'suiteAKeyManagementAlgorithm': {'comment': 'SDN.700 INFOSEC algorithms',
- 'description': 'suiteAKeyManagementAlgorithm (2 16 840 1 101 2 1 1 17)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 11',
- 'name': 'suiteAKeyManagementAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 17)},
- 'suiteASignatureAlgorithm': {'comment': 'SDN.700 INFOSEC algorithms',
- 'description': 'suiteASignatureAlgorithm (2 16 840 1 101 2 1 1 13)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 0D',
- 'name': 'suiteASignatureAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 13)},
- 'suiteATokenProtectionAlgorithm': {'comment': 'SDN.700 INFOSEC algorithms',
- 'description': 'suiteATokenProtectionAlgorithm (2 16 840 1 101 2 1 1 16)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 10',
- 'name': 'suiteATokenProtectionAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 16)},
- 'suppLangTags': {'comment': 'PKIX CMP information',
- 'description': 'suppLangTags (1 3 6 1 5 5 7 4 16)',
- 'hexoid': '06 08 2B 06 01 05 05 07 04 10',
- 'name': 'suppLangTags',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 4, 16)},
- 'supportedAlgorithms': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'supportedAlgorithms (2 5 4 52)',
- 'hexoid': '06 03 55 04 34',
- 'name': 'supportedAlgorithms',
- 'oid': (2, 5, 4, 52)},
- 'supportedApplicationContext': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'supportedApplicationContext (2 5 4 30)',
- 'hexoid': '06 03 55 04 1E',
- 'name': 'supportedApplicationContext',
- 'oid': (2, 5, 4, 30)},
- 'surname': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'surname (2 5 4 4)',
- 'hexoid': '06 03 55 04 04',
- 'name': 'surname',
- 'oid': (2, 5, 4, 4)},
- 'symmetric-encryption-algorithm': {'comment': 'Mitsubishi security algorithm',
- 'description': 'symmetric-encryption-algorithm (1 2 392 200011 61 1 1 1)',
- 'hexoid': '06 0A 2A 83 08 8C 9A 4B 3D 01 01 01',
- 'name': 'symmetric-encryption-algorithm',
- 'oid': (1, 2, 392, 200011, 61, 1, 1, 1)},
- 'symmetricKeyEntry': {'comment': 'Telesec object class',
- 'description': 'symmetricKeyEntry (0 2 262 1 10 3 5)',
- 'hexoid': '06 07 02 82 06 01 0A 03 05',
- 'name': 'symmetricKeyEntry',
- 'oid': (0, 2, 262, 1, 10, 3, 5)},
- 'symmetricKeyEntryName': {'comment': 'Telesec attribute',
- 'description': 'symmetricKeyEntryName (0 2 262 1 10 7 35)',
- 'hexoid': '06 07 02 82 06 01 0A 07 23',
- 'name': 'symmetricKeyEntryName',
- 'oid': (0, 2, 262, 1, 10, 7, 35)},
- 'systemHealth': {'comment': 'Microsoft extended key usage',
- 'description': 'systemHealth (1 3 6 1 4 1 311 47 1 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 2F 01 01',
- 'name': 'systemHealth',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 47, 1, 1)},
- 'systemHealthLoophole': {'comment': 'Microsoft extended key usage',
- 'description': 'systemHealthLoophole (1 3 6 1 4 1 311 47 1 3)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 2F 01 03',
- 'name': 'systemHealthLoophole',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 47, 1, 3)},
- 'tDTInfo': {'comment': 'S/MIME Content Types',
- 'description': 'tDTInfo (1 2 840 113549 1 9 16 1 5)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 01 05',
- 'name': 'tDTInfo',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 1, 5)},
- 'tSTInfo': {'comment': 'S/MIME Content Types',
- 'description': 'tSTInfo (1 2 840 113549 1 9 16 1 4)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 01 04',
- 'name': 'tSTInfo',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 1, 4)},
- 'tcp1': {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'tcp1 (2 16 840 1 101 2 1 12 1 1)',
- 'hexoid': '06 0A 60 86 48 01 65 02 01 0C 01 01',
- 'name': 'tcp1',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 12, 1, 1)},
- 'telekomAuthentication': {'comment': 'Telesec authentication',
- 'description': 'telekomAuthentication (0 2 262 1 10 1 0 8)',
- 'hexoid': '06 08 02 82 06 01 0A 01 00 08',
- 'name': 'telekomAuthentication',
- 'oid': (0, 2, 262, 1, 10, 1, 0, 8)},
- 'telephone': {'comment': 'SET field',
- 'description': 'telephone (2 23 42 2 9)',
- 'hexoid': '06 04 67 2A 02 09',
- 'name': 'telephone',
- 'oid': (2, 23, 42, 2, 9)},
- 'telephoneNumber': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'telephoneNumber (2 5 4 20)',
- 'hexoid': '06 03 55 04 14',
- 'name': 'telephoneNumber',
- 'oid': (2, 5, 4, 20)},
- 'telesecCRLFilterExt': {'comment': 'Telesec cert/CRL extension',
- 'description': 'telesecCRLFilterExt (0 2 262 1 10 12 5)',
- 'hexoid': '06 07 02 82 06 01 0A 0C 05',
- 'name': 'telesecCRLFilterExt',
- 'oid': (0, 2, 262, 1, 10, 12, 5)},
- 'telesecCRLFilteredExt': {'comment': 'Telesec cert/CRL extension',
- 'description': 'telesecCRLFilteredExt (0 2 262 1 10 12 4)',
- 'hexoid': '06 07 02 82 06 01 0A 0C 04',
- 'name': 'telesecCRLFilteredExt',
- 'oid': (0, 2, 262, 1, 10, 12, 4)},
- 'telesecCertIdExt': {'comment': 'Telesec cert/CRL extension',
- 'description': 'telesecCertIdExt (0 2 262 1 10 12 1)',
- 'hexoid': '06 07 02 82 06 01 0A 0C 01',
- 'name': 'telesecCertIdExt',
- 'oid': (0, 2, 262, 1, 10, 12, 1)},
- 'telesecCertificate': {'comment': 'Telesec attribute',
- 'description': 'telesecCertificate (0 2 262 1 10 7 2)',
- 'hexoid': '06 07 02 82 06 01 0A 07 02',
- 'name': 'telesecCertificate',
- 'oid': (0, 2, 262, 1, 10, 7, 2)},
- 'telesecCertificateList': {'comment': 'Telesec attribute',
- 'description': 'telesecCertificateList (0 2 262 1 10 7 21)',
- 'hexoid': '06 07 02 82 06 01 0A 07 15',
- 'name': 'telesecCertificateList',
- 'oid': (0, 2, 262, 1, 10, 7, 21)},
- 'telesecGivenName': {'comment': 'Telesec attribute',
- 'description': 'telesecGivenName (0 2 262 1 10 7 17)',
- 'hexoid': '06 07 02 82 06 01 0A 07 11',
- 'name': 'telesecGivenName',
- 'oid': (0, 2, 262, 1, 10, 7, 17)},
- 'telesecNamingAuthorityExt': {'comment': 'Telesec cert/CRL extension',
- 'description': 'telesecNamingAuthorityExt (0 2 262 1 10 12 6)',
- 'hexoid': '06 07 02 82 06 01 0A 0C 06',
- 'name': 'telesecNamingAuthorityExt',
- 'oid': (0, 2, 262, 1, 10, 12, 6)},
- 'telesecOtherName': {'comment': 'Telesec object class',
- 'description': 'telesecOtherName (0 2 262 1 10 3 0)',
- 'hexoid': '06 07 02 82 06 01 0A 03 00',
- 'name': 'telesecOtherName',
- 'oid': (0, 2, 262, 1, 10, 3, 0)},
- 'telesecPolicyQualifierID': {'comment': 'Telesec cert/CRL extension',
- 'description': 'telesecPolicyQualifierID (0 2 262 1 10 12 3)',
- 'hexoid': '06 07 02 82 06 01 0A 0C 03',
- 'name': 'telesecPolicyQualifierID',
- 'oid': (0, 2, 262, 1, 10, 12, 3)},
- 'telesecPostalCode': {'comment': 'Telesec attribute',
- 'description': 'telesecPostalCode (0 2 262 1 10 7 19)',
- 'hexoid': '06 07 02 82 06 01 0A 07 13',
- 'name': 'telesecPostalCode',
- 'oid': (0, 2, 262, 1, 10, 7, 19)},
- 'telesecTtpAsymmetricApplication': {'comment': 'Telesec module',
- 'description': 'telesecTtpAsymmetricApplication (0 2 262 1 10 2 11)',
- 'hexoid': '06 07 02 82 06 01 0A 02 0B',
- 'name': 'telesecTtpAsymmetricApplication',
- 'oid': (0, 2, 262, 1, 10, 2, 11)},
- 'telesecTtpBasisApplication': {'comment': 'Telesec module',
- 'description': 'telesecTtpBasisApplication (0 2 262 1 10 2 12)',
- 'hexoid': '06 07 02 82 06 01 0A 02 0C',
- 'name': 'telesecTtpBasisApplication',
- 'oid': (0, 2, 262, 1, 10, 2, 12)},
- 'telesecTtpMessages': {'comment': 'Telesec module',
- 'description': 'telesecTtpMessages (0 2 262 1 10 2 13)',
- 'hexoid': '06 07 02 82 06 01 0A 02 0D',
- 'name': 'telesecTtpMessages',
- 'oid': (0, 2, 262, 1, 10, 2, 13)},
- 'telesecTtpTimeStampApplication': {'comment': 'Telesec module',
- 'description': 'telesecTtpTimeStampApplication (0 2 262 1 10 2 14)',
- 'hexoid': '06 07 02 82 06 01 0A 02 0E',
- 'name': 'telesecTtpTimeStampApplication',
- 'oid': (0, 2, 262, 1, 10, 2, 14)},
- 'teletexTerminalIdentifier': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'teletexTerminalIdentifier (2 5 4 22)',
- 'hexoid': '06 03 55 04 16',
- 'name': 'teletexTerminalIdentifier',
- 'oid': (2, 5, 4, 22)},
- 'teletrustCertificateList': {'comment': 'Telesec attribute',
- 'description': 'teletrustCertificateList (0 2 262 1 10 7 22)',
- 'hexoid': '06 07 02 82 06 01 0A 07 16',
- 'name': 'teletrustCertificateList',
- 'oid': (0, 2, 262, 1, 10, 7, 22)},
- 'telexNumber': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'telexNumber (2 5 4 21)',
- 'hexoid': '06 03 55 04 15',
- 'name': 'telexNumber',
- 'oid': (2, 5, 4, 21)},
- 'testSecurityPolicy': {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'testSecurityPolicy (2 16 840 1 101 2 1 12 0)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 0C 00',
- 'name': 'testSecurityPolicy',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 12, 0)},
- 'textNotice': {'comment': 'PKIX policy qualifier',
- 'description': 'textNotice (1 3 6 1 5 5 7 2 3)',
- 'hexoid': '06 08 2B 06 01 05 05 07 02 03',
- 'name': 'textNotice',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 2, 3)},
- 'thawte-ce': {'comment': 'Thawte',
- 'description': 'thawte-ce (1 3 101 1 4)',
- 'hexoid': '06 04 2B 65 01 04',
- 'name': 'thawte-ce',
- 'oid': (1, 3, 101, 1, 4)},
- 'threeWayX509Authentication': {'comment': 'Telesec authentication',
- 'description': 'threeWayX509Authentication (0 2 262 1 10 1 0 5)',
- 'hexoid': '06 08 02 82 06 01 0A 01 00 05',
- 'name': 'threeWayX509Authentication',
- 'oid': (0, 2, 262, 1, 10, 1, 0, 5)},
- 'tiger': {'comment': 'GNU digest algorithm',
- 'description': 'tiger (1 3 6 1 4 1 11591 12 2)',
- 'hexoid': '06 09 2B 06 01 04 01 DA 47 0C 02',
- 'name': 'tiger',
- 'oid': (1, 3, 6, 1, 4, 1, 11591, 12, 2)},
- 'timeOfIssue': {'comment': 'Telesec attribute',
- 'description': 'timeOfIssue (0 2 262 1 10 7 24)',
- 'hexoid': '06 07 02 82 06 01 0A 07 18',
- 'name': 'timeOfIssue',
- 'oid': (0, 2, 262, 1, 10, 7, 24)},
- 'timeOfRevocation': {'comment': 'Telesec attribute',
- 'description': 'timeOfRevocation (0 2 262 1 10 7 11)',
- 'hexoid': '06 07 02 82 06 01 0A 07 0B',
- 'name': 'timeOfRevocation',
- 'oid': (0, 2, 262, 1, 10, 7, 11)},
- 'timeOfRevocationGen': {'comment': 'Telesec attribute',
- 'description': 'timeOfRevocationGen (0 2 262 1 10 7 51)',
- 'hexoid': '06 07 02 82 06 01 0A 07 33',
- 'name': 'timeOfRevocationGen',
- 'oid': (0, 2, 262, 1, 10, 7, 51)},
- 'timeStampSigning': {'comment': 'Microsoft enhanced key usage',
- 'description': 'timeStampSigning (1 3 6 1 4 1 311 10 3 2)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 0A 03 02',
- 'name': 'timeStampSigning',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 10, 3, 2)},
- 'timeStampToken': {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'timeStampToken (1 2 840 113549 1 9 16 2 14)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 0E',
- 'name': 'timeStampToken',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 2, 14)},
- 'timeStamping': {'comment': 'PKIX subject/authority info access descriptor',
- 'description': 'timeStamping (1 3 6 1 5 5 7 48 3)',
- 'hexoid': '06 08 2B 06 01 05 05 07 30 03',
- 'name': 'timeStamping',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 48, 3)},
- 'timeproof': {'comment': 'enterprise',
- 'description': 'timeproof (1 3 6 1 4 1 5472)',
- 'hexoid': '06 07 2B 06 01 04 01 AA 60',
- 'name': 'timeproof',
- 'oid': (1, 3, 6, 1, 4, 1, 5472)},
- 'timestampRequest': {'comment': 'Microsoft code signing',
- 'description': 'timestampRequest (1 3 6 1 4 1 311 3 2 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 03 02 01',
- 'name': 'timestampRequest',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 3, 2, 1)},
- 'title': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'title (2 5 4 12)',
- 'hexoid': '06 03 55 04 0C',
- 'name': 'title',
- 'oid': (2, 5, 4, 12)},
- 'titledWithOID': {'comment': 'Microsoft',
- 'description': 'titledWithOID (1 2 840 113556 4 4)',
- 'hexoid': '06 08 2A 86 48 86 F7 14 04 04',
- 'name': 'titledWithOID',
- 'oid': (1, 2, 840, 113556, 4, 4)},
- 'top': {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'top (2 5 6 0)',
- 'hexoid': '06 03 55 06 00',
- 'name': 'top',
- 'oid': (2, 5, 6, 0)},
- 'tpBasis': {'comment': 'ANSI X9.62 field basis',
- 'description': 'tpBasis (1 2 840 10045 1 2 3 2)',
- 'hexoid': '06 09 2A 86 48 CE 3D 01 02 03 02',
- 'name': 'tpBasis',
- 'oid': (1, 2, 840, 10045, 1, 2, 3, 2)},
- 'transID': {'comment': 'Verisign PKCS #7 attribute',
- 'description': 'transID (2 16 840 1 113733 1 9 7)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 45 01 09 07',
- 'name': 'transID',
- 'oid': (2, 16, 840, 1, 113733, 1, 9, 7)},
- 'tsp1': {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'tsp1 (2 16 840 1 101 2 1 12 0 1)',
- 'hexoid': '06 0A 60 86 48 01 65 02 01 0C 00 01',
- 'name': 'tsp1',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 12, 0, 1)},
- 'tsp1SecurityCategories': {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'tsp1SecurityCategories (2 16 840 1 101 2 1 12 0 1 0)',
- 'hexoid': '06 0B 60 86 48 01 65 02 01 0C 00 01 00',
- 'name': 'tsp1SecurityCategories',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 12, 0, 1, 0)},
- 'tsp1TagSetOne': {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'tsp1TagSetOne (2 16 840 1 101 2 1 12 0 1 0 1)',
- 'hexoid': '06 0C 60 86 48 01 65 02 01 0C 00 01 00 01',
- 'name': 'tsp1TagSetOne',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 12, 0, 1, 0, 1)},
- 'tsp1TagSetTwo': {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'tsp1TagSetTwo (2 16 840 1 101 2 1 12 0 1 0 2)',
- 'hexoid': '06 0C 60 86 48 01 65 02 01 0C 00 01 00 02',
- 'name': 'tsp1TagSetTwo',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 12, 0, 1, 0, 2)},
- 'tsp1TagSetZero': {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'tsp1TagSetZero (2 16 840 1 101 2 1 12 0 1 0 0)',
- 'hexoid': '06 0C 60 86 48 01 65 02 01 0C 00 01 00 00',
- 'name': 'tsp1TagSetZero',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 12, 0, 1, 0, 0)},
- 'tsp2': {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'tsp2 (2 16 840 1 101 2 1 12 0 2)',
- 'hexoid': '06 0A 60 86 48 01 65 02 01 0C 00 02',
- 'name': 'tsp2',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 12, 0, 2)},
- 'tsp2SecurityCategories': {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'tsp2SecurityCategories (2 16 840 1 101 2 1 12 0 2 0)',
- 'hexoid': '06 0B 60 86 48 01 65 02 01 0C 00 02 00',
- 'name': 'tsp2SecurityCategories',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 12, 0, 2, 0)},
- 'tsp2TagSetOne': {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'tsp2TagSetOne (2 16 840 1 101 2 1 12 0 2 0 1)',
- 'hexoid': '06 0C 60 86 48 01 65 02 01 0C 00 02 00 01',
- 'name': 'tsp2TagSetOne',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 12, 0, 2, 0, 1)},
- 'tsp2TagSetTwo': {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'tsp2TagSetTwo (2 16 840 1 101 2 1 12 0 2 0 2)',
- 'hexoid': '06 0C 60 86 48 01 65 02 01 0C 00 02 00 02',
- 'name': 'tsp2TagSetTwo',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 12, 0, 2, 0, 2)},
- 'tsp2TagSetZero': {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'tsp2TagSetZero (2 16 840 1 101 2 1 12 0 2 0 0)',
- 'hexoid': '06 0C 60 86 48 01 65 02 01 0C 00 02 00 00',
- 'name': 'tsp2TagSetZero',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 12, 0, 2, 0, 0)},
- 'tss': {'comment': 'timeproof',
- 'description': 'tss (1 3 6 1 4 1 5472 1)',
- 'hexoid': '06 08 2B 06 01 04 01 AA 60 01',
- 'name': 'tss',
- 'oid': (1, 3, 6, 1, 4, 1, 5472, 1)},
- 'tss380': {'comment': 'timeproof TSS',
- 'description': 'tss380 (1 3 6 1 4 1 5472 1 2)',
- 'hexoid': '06 09 2B 06 01 04 01 AA 60 01 02',
- 'name': 'tss380',
- 'oid': (1, 3, 6, 1, 4, 1, 5472, 1, 2)},
- 'tss400': {'comment': 'timeproof TSS',
- 'description': 'tss400 (1 3 6 1 4 1 5472 1 3)',
- 'hexoid': '06 09 2B 06 01 04 01 AA 60 01 03',
- 'name': 'tss400',
- 'oid': (1, 3, 6, 1, 4, 1, 5472, 1, 3)},
- 'tss80': {'comment': 'timeproof TSS',
- 'description': 'tss80 (1 3 6 1 4 1 5472 1 1)',
- 'hexoid': '06 09 2B 06 01 04 01 AA 60 01 01',
- 'name': 'tss80',
- 'oid': (1, 3, 6, 1, 4, 1, 5472, 1, 1)},
- 'tunneling': {'comment': 'SET cert extension',
- 'description': 'tunneling (2 23 42 7 4)',
- 'hexoid': '06 04 67 2A 07 04',
- 'name': 'tunneling',
- 'oid': (2, 23, 42, 7, 4)},
- 'twoWayISO9798Authentication': {'comment': 'Telesec authentication',
- 'description': 'twoWayISO9798Authentication (0 2 262 1 10 1 0 7)',
- 'hexoid': '06 08 02 82 06 01 0A 01 00 07',
- 'name': 'twoWayISO9798Authentication',
- 'oid': (0, 2, 262, 1, 10, 1, 0, 7)},
- 'twoWayX509Authentication': {'comment': 'Telesec authentication',
- 'description': 'twoWayX509Authentication (0 2 262 1 10 1 0 4)',
- 'hexoid': '06 08 02 82 06 01 0A 01 00 04',
- 'name': 'twoWayX509Authentication',
- 'oid': (0, 2, 262, 1, 10, 1, 0, 4)},
- 'ukDemo': {'comment': 'SDN.700 INFOSEC certificate policy',
- 'description': 'ukDemo (2 16 840 1 101 2 1 11 1)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 0B 01',
- 'name': 'ukDemo',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 11, 1)},
- 'uniqueIdentifier': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'uniqueIdentifier (2 5 4 45)',
- 'hexoid': '06 03 55 04 2D',
- 'name': 'uniqueIdentifier',
- 'oid': (2, 5, 4, 45)},
- 'uniqueMember': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'uniqueMember (2 5 4 50)',
- 'hexoid': '06 03 55 04 32',
- 'name': 'uniqueMember',
- 'oid': (2, 5, 4, 50)},
- 'universalPrincipalName': {'comment': 'Microsoft UPN',
- 'description': 'universalPrincipalName (1 3 6 1 4 1 311 20 2 3)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 14 02 03',
- 'name': 'universalPrincipalName',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 20, 2, 3)},
- 'unotice': {'comment': 'PKIX policy qualifier',
- 'description': 'unotice (1 3 6 1 5 5 7 2 2)',
- 'hexoid': '06 08 2B 06 01 05 05 07 02 02',
- 'name': 'unotice',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 2, 2)},
- 'unstructuredAddress': {'comment': 'PKCS #9',
- 'description': 'unstructuredAddress (1 2 840 113549 1 9 8)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 08',
- 'name': 'unstructuredAddress',
- 'oid': (1, 2, 840, 113549, 1, 9, 8)},
- 'unstructuredName': {'comment': 'PKCS #9',
- 'description': 'unstructuredName (1 2 840 113549 1 9 2)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 02',
- 'name': 'unstructuredName',
- 'oid': (1, 2, 840, 113549, 1, 9, 2)},
- 'unsupportedOIDs': {'comment': 'PKIX CMP information',
- 'description': 'unsupportedOIDs (1 3 6 1 5 5 7 4 7)',
- 'hexoid': '06 08 2B 06 01 05 05 07 04 07',
- 'name': 'unsupportedOIDs',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 4, 7)},
- 'usDODClass2': {'comment': 'SDN.700 INFOSEC certificate policy',
- 'description': 'usDODClass2 (2 16 840 1 101 2 1 11 2)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 0B 02',
- 'name': 'usDODClass2',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 11, 2)},
- 'usDODClass3': {'comment': 'SDN.700 INFOSEC certificate policy',
- 'description': 'usDODClass3 (2 16 840 1 101 2 1 11 5)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 0B 05',
- 'name': 'usDODClass3',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 11, 5)},
- 'usDODClass4': {'comment': 'SDN.700 INFOSEC certificate policy',
- 'description': 'usDODClass4 (2 16 840 1 101 2 1 11 4)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 0B 04',
- 'name': 'usDODClass4',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 11, 4)},
- 'usDODClass5': {'comment': 'SDN.700 INFOSEC certificate policy',
- 'description': 'usDODClass5 (2 16 840 1 101 2 1 11 6)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 0B 06',
- 'name': 'usDODClass5',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 11, 6)},
- 'usMediumPilot': {'comment': 'SDN.700 INFOSEC certificate policy',
- 'description': 'usMediumPilot (2 16 840 1 101 2 1 11 3)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 0B 03',
- 'name': 'usMediumPilot',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 11, 3)},
- 'usefulDefinitions': {'comment': 'Telesec module',
- 'description': 'usefulDefinitions (0 2 262 1 10 2 7)',
- 'hexoid': '06 07 02 82 06 01 0A 02 07',
- 'name': 'usefulDefinitions',
- 'oid': (0, 2, 262, 1, 10, 2, 7)},
- 'userCertificate': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'userCertificate (2 5 4 36)',
- 'hexoid': '06 03 55 04 24',
- 'name': 'userCertificate',
- 'oid': (2, 5, 4, 36)},
- 'userGroup': {'comment': 'PKIX other name',
- 'description': 'userGroup (1 3 6 1 5 5 7 8 2)',
- 'hexoid': '06 08 2B 06 01 05 05 07 08 02',
- 'name': 'userGroup',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 8, 2)},
- 'userGroupReference': {'comment': 'Telesec attribute',
- 'description': 'userGroupReference (0 2 262 1 10 7 12)',
- 'hexoid': '06 07 02 82 06 01 0A 07 0C',
- 'name': 'userGroupReference',
- 'oid': (0, 2, 262, 1, 10, 7, 12)},
- 'userID': {'comment': 'Some oddball X.500 attribute collection',
- 'description': 'userID (0 9 2342 19200300 100 1 1)',
- 'hexoid': '06 0A 09 92 26 89 93 F2 2C 64 01 01',
- 'name': 'userID',
- 'oid': (0, 9, 2342, 19200300, 100, 1, 1)},
- 'userPassword': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'userPassword (2 5 4 35)',
- 'hexoid': '06 03 55 04 23',
- 'name': 'userPassword',
- 'oid': (2, 5, 4, 35)},
- 'utf8Pairs': {'comment': 'PKIX CRMF registration control',
- 'description': 'utf8Pairs (1 3 6 1 5 5 7 5 2 1)',
- 'hexoid': '06 09 2B 06 01 05 05 07 05 02 01',
- 'name': 'utf8Pairs',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 5, 2, 1)},
- 'utimaco-api': {'comment': 'Teletrust API',
- 'description': 'utimaco-api (1 3 36 6 1 1)',
- 'hexoid': '06 05 2B 24 06 01 01',
- 'name': 'utimaco-api',
- 'oid': (1, 3, 36, 6, 1, 1)},
- 'validity': {'comment': 'Telesec attribute',
- 'description': 'validity (0 2 262 1 10 7 13)',
- 'hexoid': '06 07 02 82 06 01 0A 07 0D',
- 'name': 'validity',
- 'oid': (0, 2, 262, 1, 10, 7, 13)},
- 'validityModel': {'comment': 'TU Darmstadt ValidityModel',
- 'description': 'validityModel (1 3 6 1 4 1 8301 3 5)',
- 'hexoid': '06 09 2B 06 01 04 01 C0 6D 03 05',
- 'name': 'validityModel',
- 'oid': (1, 3, 6, 1, 4, 1, 8301, 3, 5)},
- 'validityModelChain': {'comment': 'TU Darmstadt ValidityModel',
- 'description': 'validityModelChain (1 3 6 1 4 1 8301 3 5 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 C0 6D 03 05 01',
- 'name': 'validityModelChain',
- 'oid': (1, 3, 6, 1, 4, 1, 8301, 3, 5, 1)},
- 'validityModelShell': {'comment': 'ValidityModel',
- 'description': 'validityModelShell (1 3 6 1 4 1 8301 3 5 2)',
- 'hexoid': '06 0A 2B 06 01 04 01 C0 6D 03 05 02',
- 'name': 'validityModelShell',
- 'oid': (1, 3, 6, 1, 4, 1, 8301, 3, 5, 2)},
- 'vendor': {'comment': 'SET',
- 'description': 'vendor (2 23 42 9)',
- 'hexoid': '06 03 67 2A 09',
- 'name': 'vendor',
- 'oid': (2, 23, 42, 9)},
- 'vereidigteBuchprueferin': {'comment': 'Teletrust ProfessionInfo',
- 'description': 'vereidigteBuchprueferin (1 3 36 8 3 11 1 16)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 10',
- 'name': 'vereidigteBuchprueferin',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 16)},
- 'vereidigterBuchpruefer': {'comment': 'Teletrust ProfessionInfo',
- 'description': 'vereidigterBuchpruefer (1 3 36 8 3 11 1 17)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 11',
- 'name': 'vereidigterBuchpruefer',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 17)},
- 'verisignCPSv1notice': {'comment': 'Verisign policy (obsolete)',
- 'description': 'verisignCPSv1notice (2 16 840 1 113733 1 7 1 1 1)',
- 'hexoid': '06 0C 60 86 48 01 86 F8 45 01 07 01 01 01',
- 'name': 'verisignCPSv1notice',
- 'oid': (2, 16, 840, 1, 113733, 1, 7, 1, 1, 1)},
- 'verisignCPSv1nsi': {'comment': 'Verisign policy (obsolete)',
- 'description': 'verisignCPSv1nsi (2 16 840 1 113733 1 7 1 1 2)',
- 'hexoid': '06 0C 60 86 48 01 86 F8 45 01 07 01 01 02',
- 'name': 'verisignCPSv1nsi',
- 'oid': (2, 16, 840, 1, 113733, 1, 7, 1, 1, 2)},
- 'verisignCZAG': {'comment': 'Verisign extension',
- 'description': 'verisignCZAG (2 16 840 1 113733 1 6 3)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 45 01 06 03',
- 'name': 'verisignCZAG',
- 'oid': (2, 16, 840, 1, 113733, 1, 6, 3)},
- 'verisignInBox': {'comment': 'Verisign extension',
- 'description': 'verisignInBox (2 16 840 1 113733 1 6 6)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 45 01 06 06',
- 'name': 'verisignInBox',
- 'oid': (2, 16, 840, 1, 113733, 1, 6, 6)},
- 'wirtschaftsPruefer': {'comment': 'Teletrust ProfessionInfo',
- 'description': 'wirtschaftsPruefer (1 3 36 8 3 11 1 15)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 0F',
- 'name': 'wirtschaftsPruefer',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 15)},
- 'wirtschaftsPrueferin': {'comment': 'Teletrust ProfessionInfo',
- 'description': 'wirtschaftsPrueferin (1 3 36 8 3 11 1 14)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 0E',
- 'name': 'wirtschaftsPrueferin',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 14)},
- 'wlanSSID': {'comment': 'PKIX key purpose',
- 'description': 'wlanSSID (1 3 6 1 5 5 7 3 14)',
- 'hexoid': '06 08 2B 06 01 05 05 07 03 0E',
- 'name': 'wlanSSID',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 3, 14)},
- 'wtlsTemplate': {'comment': 'PKIX CRMF registration control',
- 'description': 'wtlsTemplate (1 3 6 1 5 5 7 5 1 8)',
- 'hexoid': '06 09 2B 06 01 05 05 07 05 01 08',
- 'name': 'wtlsTemplate',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 5, 1, 8)},
- 'x121Address': {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'x121Address (2 5 4 24)',
- 'hexoid': '06 03 55 04 18',
- 'name': 'x121Address',
- 'oid': (2, 5, 4, 24)},
- 'x509Certificate': {'comment': 'PKCS #9 via PKCS #12',
- 'description': 'x509Certificate (for PKCS #12) (1 2 840 113549 1 9 22 1)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 09 16 01',
- 'name': 'x509Certificate',
- 'oid': (1, 2, 840, 113549, 1, 9, 22, 1)},
- 'x509CertificateList': {'comment': 'Telesec attribute',
- 'description': 'x509CertificateList (0 2 262 1 10 7 23)',
- 'hexoid': '06 07 02 82 06 01 0A 07 17',
- 'name': 'x509CertificateList',
- 'oid': (0, 2, 262, 1, 10, 7, 23)},
- 'x509Crl': {'comment': 'PKCS #9 via PKCS #12',
- 'description': 'x509Crl (for PKCS #12) (1 2 840 113549 1 9 23 1)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 09 17 01',
- 'name': 'x509Crl',
- 'oid': (1, 2, 840, 113549, 1, 9, 23, 1)},
- 'x9f1-cert-mgmt': {'comment': 'ANSI X9.57 module',
- 'description': 'x9f1-cert-mgmt (1 2 840 10040 1 1)',
- 'hexoid': '06 07 2A 86 48 CE 38 01 01',
- 'name': 'x9f1-cert-mgmt',
- 'oid': (1, 2, 840, 10040, 1, 1)},
- 'xYZZY': {'comment': 'cryptlib certificate policy',
- 'description': 'xYZZY policyIdentifier (1 3 6 1 4 1 3029 88 89 90 90 89)',
- 'hexoid': '06 0C 2B 06 01 04 01 97 55 58 59 5A 5A 59',
- 'name': 'xYZZY',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 88, 89, 90, 90, 89)},
- 'yesnoTrustAttr': {'comment': 'Microsoft attribute',
- 'description': 'yesnoTrustAttr (1 3 6 1 4 1 311 10 4 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 0A 04 01',
- 'name': 'yesnoTrustAttr',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 10, 4, 1)},
- 'zKeyData': {'comment': 'Telesec attribute',
- 'description': 'zKeyData (0 2 262 1 10 7 39)',
- 'hexoid': '06 07 02 82 06 01 0A 07 27',
- 'name': 'zKeyData',
- 'oid': (0, 2, 262, 1, 10, 7, 39)},
- 'zert93': {'comment': 'Telesec attribute',
- 'description': 'zert93 (0 2 262 1 10 7 14)',
- 'hexoid': '06 07 02 82 06 01 0A 07 0E',
- 'name': 'zert93',
- 'oid': (0, 2, 262, 1, 10, 7, 14)},
- 'zlib': {'comment': 'S/MIME Algorithms',
- 'description': 'zlib (1 2 840 113549 1 9 16 3 8)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 03 08',
- 'name': 'zlib',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 3, 8)}}
diff --git a/rpkid/rpki/POW/_oids.py b/rpkid/rpki/POW/_oids.py
deleted file mode 100644
index e170236b..00000000
--- a/rpkid/rpki/POW/_oids.py
+++ /dev/null
@@ -1,8636 +0,0 @@
-data = {(0, 2, 262, 1, 10): {'comment': 'Deutsche Telekom',
- 'description': 'Telesec (0 2 262 1 10)',
- 'hexoid': '06 05 02 82 06 01 0A',
- 'name': 'Telesec',
- 'oid': (0, 2, 262, 1, 10)},
- (0, 2, 262, 1, 10, 0): {'comment': 'Telesec',
- 'description': 'extension (0 2 262 1 10 0)',
- 'hexoid': '06 06 02 82 06 01 0A 00',
- 'name': 'extension',
- 'oid': (0, 2, 262, 1, 10, 0)},
- (0, 2, 262, 1, 10, 1): {'comment': 'Telesec',
- 'description': 'mechanism (0 2 262 1 10 1)',
- 'hexoid': '06 06 02 82 06 01 0A 01',
- 'name': 'mechanism',
- 'oid': (0, 2, 262, 1, 10, 1)},
- (0, 2, 262, 1, 10, 1, 0): {'comment': 'Telesec mechanism',
- 'description': 'authentication (0 2 262 1 10 1 0)',
- 'hexoid': '06 07 02 82 06 01 0A 01 00',
- 'name': 'authentication',
- 'oid': (0, 2, 262, 1, 10, 1, 0)},
- (0, 2, 262, 1, 10, 1, 0, 1): {'comment': 'Telesec authentication',
- 'description': 'passwordAuthentication (0 2 262 1 10 1 0 1)',
- 'hexoid': '06 08 02 82 06 01 0A 01 00 01',
- 'name': 'passwordAuthentication',
- 'oid': (0, 2, 262, 1, 10, 1, 0, 1)},
- (0, 2, 262, 1, 10, 1, 0, 2): {'comment': 'Telesec authentication',
- 'description': 'protectedPasswordAuthentication (0 2 262 1 10 1 0 2)',
- 'hexoid': '06 08 02 82 06 01 0A 01 00 02',
- 'name': 'protectedPasswordAuthentication',
- 'oid': (0, 2, 262, 1, 10, 1, 0, 2)},
- (0, 2, 262, 1, 10, 1, 0, 3): {'comment': 'Telesec authentication',
- 'description': 'oneWayX509Authentication (0 2 262 1 10 1 0 3)',
- 'hexoid': '06 08 02 82 06 01 0A 01 00 03',
- 'name': 'oneWayX509Authentication',
- 'oid': (0, 2, 262, 1, 10, 1, 0, 3)},
- (0, 2, 262, 1, 10, 1, 0, 4): {'comment': 'Telesec authentication',
- 'description': 'twoWayX509Authentication (0 2 262 1 10 1 0 4)',
- 'hexoid': '06 08 02 82 06 01 0A 01 00 04',
- 'name': 'twoWayX509Authentication',
- 'oid': (0, 2, 262, 1, 10, 1, 0, 4)},
- (0, 2, 262, 1, 10, 1, 0, 5): {'comment': 'Telesec authentication',
- 'description': 'threeWayX509Authentication (0 2 262 1 10 1 0 5)',
- 'hexoid': '06 08 02 82 06 01 0A 01 00 05',
- 'name': 'threeWayX509Authentication',
- 'oid': (0, 2, 262, 1, 10, 1, 0, 5)},
- (0, 2, 262, 1, 10, 1, 0, 6): {'comment': 'Telesec authentication',
- 'description': 'oneWayISO9798Authentication (0 2 262 1 10 1 0 6)',
- 'hexoid': '06 08 02 82 06 01 0A 01 00 06',
- 'name': 'oneWayISO9798Authentication',
- 'oid': (0, 2, 262, 1, 10, 1, 0, 6)},
- (0, 2, 262, 1, 10, 1, 0, 7): {'comment': 'Telesec authentication',
- 'description': 'twoWayISO9798Authentication (0 2 262 1 10 1 0 7)',
- 'hexoid': '06 08 02 82 06 01 0A 01 00 07',
- 'name': 'twoWayISO9798Authentication',
- 'oid': (0, 2, 262, 1, 10, 1, 0, 7)},
- (0, 2, 262, 1, 10, 1, 0, 8): {'comment': 'Telesec authentication',
- 'description': 'telekomAuthentication (0 2 262 1 10 1 0 8)',
- 'hexoid': '06 08 02 82 06 01 0A 01 00 08',
- 'name': 'telekomAuthentication',
- 'oid': (0, 2, 262, 1, 10, 1, 0, 8)},
- (0, 2, 262, 1, 10, 1, 1): {'comment': 'Telesec mechanism',
- 'description': 'signature (0 2 262 1 10 1 1)',
- 'hexoid': '06 07 02 82 06 01 0A 01 01',
- 'name': 'signature',
- 'oid': (0, 2, 262, 1, 10, 1, 1)},
- (0, 2, 262, 1, 10, 1, 1, 1): {'comment': 'Telesec mechanism',
- 'description': 'md4WithRSAAndISO9697 (0 2 262 1 10 1 1 1)',
- 'hexoid': '06 08 02 82 06 01 0A 01 01 01',
- 'name': 'md4WithRSAAndISO9697',
- 'oid': (0, 2, 262, 1, 10, 1, 1, 1)},
- (0, 2, 262, 1, 10, 1, 1, 2): {'comment': 'Telesec mechanism',
- 'description': 'md4WithRSAAndTelesecSignatureStandard (0 2 262 1 10 1 1 2)',
- 'hexoid': '06 08 02 82 06 01 0A 01 01 02',
- 'name': 'md4WithRSAAndTelesecSignatureStandard',
- 'oid': (0, 2, 262, 1, 10, 1, 1, 2)},
- (0, 2, 262, 1, 10, 1, 1, 3): {'comment': 'Telesec mechanism',
- 'description': 'md5WithRSAAndISO9697 (0 2 262 1 10 1 1 3)',
- 'hexoid': '06 08 02 82 06 01 0A 01 01 03',
- 'name': 'md5WithRSAAndISO9697',
- 'oid': (0, 2, 262, 1, 10, 1, 1, 3)},
- (0, 2, 262, 1, 10, 1, 1, 4): {'comment': 'Telesec mechanism',
- 'description': 'md5WithRSAAndTelesecSignatureStandard (0 2 262 1 10 1 1 4)',
- 'hexoid': '06 08 02 82 06 01 0A 01 01 04',
- 'name': 'md5WithRSAAndTelesecSignatureStandard',
- 'oid': (0, 2, 262, 1, 10, 1, 1, 4)},
- (0, 2, 262, 1, 10, 1, 1, 5): {'comment': 'Telesec mechanism',
- 'description': 'ripemd160WithRSAAndTelekomSignatureStandard (0 2 262 1 10 1 1 5)',
- 'hexoid': '06 08 02 82 06 01 0A 01 01 05',
- 'name': 'ripemd160WithRSAAndTelekomSignatureStandard',
- 'oid': (0, 2, 262, 1, 10, 1, 1, 5)},
- (0, 2, 262, 1, 10, 1, 1, 9): {'comment': 'Telesec signature',
- 'description': 'hbciRsaSignature (0 2 262 1 10 1 1 9)',
- 'hexoid': '06 08 02 82 06 01 0A 01 01 09',
- 'name': 'hbciRsaSignature',
- 'oid': (0, 2, 262, 1, 10, 1, 1, 9)},
- (0, 2, 262, 1, 10, 1, 2): {'comment': 'Telesec mechanism',
- 'description': 'encryption (0 2 262 1 10 1 2)',
- 'hexoid': '06 07 02 82 06 01 0A 01 02',
- 'name': 'encryption',
- 'oid': (0, 2, 262, 1, 10, 1, 2)},
- (0, 2, 262, 1, 10, 1, 2, 0): {'comment': 'Telesec encryption',
- 'description': 'none (0 2 262 1 10 1 2 0)',
- 'hexoid': '06 08 02 82 06 01 0A 01 02 00',
- 'name': 'none',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 0)},
- (0, 2, 262, 1, 10, 1, 2, 1): {'comment': 'Telesec encryption',
- 'description': 'rsaTelesec (0 2 262 1 10 1 2 1)',
- 'hexoid': '06 08 02 82 06 01 0A 01 02 01',
- 'name': 'rsaTelesec',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 1)},
- (0, 2, 262, 1, 10, 1, 2, 2): {'comment': 'Telesec encryption',
- 'description': 'des (0 2 262 1 10 1 2 2)',
- 'hexoid': '06 08 02 82 06 01 0A 01 02 02',
- 'name': 'des',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 2)},
- (0, 2, 262, 1, 10, 1, 2, 2, 1): {'comment': 'Telesec encryption',
- 'description': 'desECB (0 2 262 1 10 1 2 2 1)',
- 'hexoid': '06 09 02 82 06 01 0A 01 02 02 01',
- 'name': 'desECB',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 2, 1)},
- (0, 2, 262, 1, 10, 1, 2, 2, 2): {'comment': 'Telesec encryption',
- 'description': 'desCBC (0 2 262 1 10 1 2 2 2)',
- 'hexoid': '06 09 02 82 06 01 0A 01 02 02 02',
- 'name': 'desCBC',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 2, 2)},
- (0, 2, 262, 1, 10, 1, 2, 2, 3): {'comment': 'Telesec encryption',
- 'description': 'desOFB (0 2 262 1 10 1 2 2 3)',
- 'hexoid': '06 09 02 82 06 01 0A 01 02 02 03',
- 'name': 'desOFB',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 2, 3)},
- (0, 2, 262, 1, 10, 1, 2, 2, 4): {'comment': 'Telesec encryption',
- 'description': 'desCFB8 (0 2 262 1 10 1 2 2 4)',
- 'hexoid': '06 09 02 82 06 01 0A 01 02 02 04',
- 'name': 'desCFB8',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 2, 4)},
- (0, 2, 262, 1, 10, 1, 2, 2, 5): {'comment': 'Telesec encryption',
- 'description': 'desCFB64 (0 2 262 1 10 1 2 2 5)',
- 'hexoid': '06 09 02 82 06 01 0A 01 02 02 05',
- 'name': 'desCFB64',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 2, 5)},
- (0, 2, 262, 1, 10, 1, 2, 3): {'comment': 'Telesec encryption',
- 'description': 'des3 (0 2 262 1 10 1 2 3)',
- 'hexoid': '06 08 02 82 06 01 0A 01 02 03',
- 'name': 'des3',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 3)},
- (0, 2, 262, 1, 10, 1, 2, 3, 1): {'comment': 'Telesec encryption',
- 'description': 'des3ECB (0 2 262 1 10 1 2 3 1)',
- 'hexoid': '06 09 02 82 06 01 0A 01 02 03 01',
- 'name': 'des3ECB',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 3, 1)},
- (0, 2, 262, 1, 10, 1, 2, 3, 2): {'comment': 'Telesec encryption',
- 'description': 'des3CBC (0 2 262 1 10 1 2 3 2)',
- 'hexoid': '06 09 02 82 06 01 0A 01 02 03 02',
- 'name': 'des3CBC',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 3, 2)},
- (0, 2, 262, 1, 10, 1, 2, 3, 3): {'comment': 'Telesec encryption',
- 'description': 'des3OFB (0 2 262 1 10 1 2 3 3)',
- 'hexoid': '06 09 02 82 06 01 0A 01 02 03 03',
- 'name': 'des3OFB',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 3, 3)},
- (0, 2, 262, 1, 10, 1, 2, 3, 4): {'comment': 'Telesec encryption',
- 'description': 'des3CFB8 (0 2 262 1 10 1 2 3 4)',
- 'hexoid': '06 09 02 82 06 01 0A 01 02 03 04',
- 'name': 'des3CFB8',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 3, 4)},
- (0, 2, 262, 1, 10, 1, 2, 3, 5): {'comment': 'Telesec encryption',
- 'description': 'des3CFB64 (0 2 262 1 10 1 2 3 5)',
- 'hexoid': '06 09 02 82 06 01 0A 01 02 03 05',
- 'name': 'des3CFB64',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 3, 5)},
- (0, 2, 262, 1, 10, 1, 2, 4): {'comment': 'Telesec encryption',
- 'description': 'magenta (0 2 262 1 10 1 2 4)',
- 'hexoid': '06 08 02 82 06 01 0A 01 02 04',
- 'name': 'magenta',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 4)},
- (0, 2, 262, 1, 10, 1, 2, 5): {'comment': 'Telesec encryption',
- 'description': 'idea (0 2 262 1 10 1 2 5)',
- 'hexoid': '06 08 02 82 06 01 0A 01 02 05',
- 'name': 'idea',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 5)},
- (0, 2, 262, 1, 10, 1, 2, 5, 1): {'comment': 'Telesec encryption',
- 'description': 'ideaECB (0 2 262 1 10 1 2 5 1)',
- 'hexoid': '06 09 02 82 06 01 0A 01 02 05 01',
- 'name': 'ideaECB',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 5, 1)},
- (0, 2, 262, 1, 10, 1, 2, 5, 2): {'comment': 'Telesec encryption',
- 'description': 'ideaCBC (0 2 262 1 10 1 2 5 2)',
- 'hexoid': '06 09 02 82 06 01 0A 01 02 05 02',
- 'name': 'ideaCBC',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 5, 2)},
- (0, 2, 262, 1, 10, 1, 2, 5, 3): {'comment': 'Telesec encryption',
- 'description': 'ideaOFB (0 2 262 1 10 1 2 5 3)',
- 'hexoid': '06 09 02 82 06 01 0A 01 02 05 03',
- 'name': 'ideaOFB',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 5, 3)},
- (0, 2, 262, 1, 10, 1, 2, 5, 4): {'comment': 'Telesec encryption',
- 'description': 'ideaCFB8 (0 2 262 1 10 1 2 5 4)',
- 'hexoid': '06 09 02 82 06 01 0A 01 02 05 04',
- 'name': 'ideaCFB8',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 5, 4)},
- (0, 2, 262, 1, 10, 1, 2, 5, 5): {'comment': 'Telesec encryption',
- 'description': 'ideaCFB64 (0 2 262 1 10 1 2 5 5)',
- 'hexoid': '06 09 02 82 06 01 0A 01 02 05 05',
- 'name': 'ideaCFB64',
- 'oid': (0, 2, 262, 1, 10, 1, 2, 5, 5)},
- (0, 2, 262, 1, 10, 1, 3): {'comment': 'Telesec mechanism',
- 'description': 'oneWayFunction (0 2 262 1 10 1 3)',
- 'hexoid': '06 07 02 82 06 01 0A 01 03',
- 'name': 'oneWayFunction',
- 'oid': (0, 2, 262, 1, 10, 1, 3)},
- (0, 2, 262, 1, 10, 1, 3, 1): {'comment': 'Telesec one-way function',
- 'description': 'md4 (0 2 262 1 10 1 3 1)',
- 'hexoid': '06 08 02 82 06 01 0A 01 03 01',
- 'name': 'md4',
- 'oid': (0, 2, 262, 1, 10, 1, 3, 1)},
- (0, 2, 262, 1, 10, 1, 3, 2): {'comment': 'Telesec one-way function',
- 'description': 'md5 (0 2 262 1 10 1 3 2)',
- 'hexoid': '06 08 02 82 06 01 0A 01 03 02',
- 'name': 'md5',
- 'oid': (0, 2, 262, 1, 10, 1, 3, 2)},
- (0, 2, 262, 1, 10, 1, 3, 3): {'comment': 'Telesec one-way function',
- 'description': 'sqModNX509 (0 2 262 1 10 1 3 3)',
- 'hexoid': '06 08 02 82 06 01 0A 01 03 03',
- 'name': 'sqModNX509',
- 'oid': (0, 2, 262, 1, 10, 1, 3, 3)},
- (0, 2, 262, 1, 10, 1, 3, 4): {'comment': 'Telesec one-way function',
- 'description': 'sqModNISO (0 2 262 1 10 1 3 4)',
- 'hexoid': '06 08 02 82 06 01 0A 01 03 04',
- 'name': 'sqModNISO',
- 'oid': (0, 2, 262, 1, 10, 1, 3, 4)},
- (0, 2, 262, 1, 10, 1, 3, 5): {'comment': 'Telesec one-way function',
- 'description': 'ripemd128 (0 2 262 1 10 1 3 5)',
- 'hexoid': '06 08 02 82 06 01 0A 01 03 05',
- 'name': 'ripemd128',
- 'oid': (0, 2, 262, 1, 10, 1, 3, 5)},
- (0, 2, 262, 1, 10, 1, 3, 6): {'comment': 'Telesec one-way function',
- 'description': 'hashUsingBlockCipher (0 2 262 1 10 1 3 6)',
- 'hexoid': '06 08 02 82 06 01 0A 01 03 06',
- 'name': 'hashUsingBlockCipher',
- 'oid': (0, 2, 262, 1, 10, 1, 3, 6)},
- (0, 2, 262, 1, 10, 1, 3, 7): {'comment': 'Telesec one-way function',
- 'description': 'mac (0 2 262 1 10 1 3 7)',
- 'hexoid': '06 08 02 82 06 01 0A 01 03 07',
- 'name': 'mac',
- 'oid': (0, 2, 262, 1, 10, 1, 3, 7)},
- (0, 2, 262, 1, 10, 1, 3, 8): {'comment': 'Telesec one-way function',
- 'description': 'ripemd160 (0 2 262 1 10 1 3 8)',
- 'hexoid': '06 08 02 82 06 01 0A 01 03 08',
- 'name': 'ripemd160',
- 'oid': (0, 2, 262, 1, 10, 1, 3, 8)},
- (0, 2, 262, 1, 10, 1, 4): {'comment': 'Telesec mechanism',
- 'description': 'fecFunction (0 2 262 1 10 1 4)',
- 'hexoid': '06 07 02 82 06 01 0A 01 04',
- 'name': 'fecFunction',
- 'oid': (0, 2, 262, 1, 10, 1, 4)},
- (0, 2, 262, 1, 10, 1, 4, 1): {'comment': 'Telesec mechanism',
- 'description': 'reedSolomon (0 2 262 1 10 1 4 1)',
- 'hexoid': '06 08 02 82 06 01 0A 01 04 01',
- 'name': 'reedSolomon',
- 'oid': (0, 2, 262, 1, 10, 1, 4, 1)},
- (0, 2, 262, 1, 10, 2): {'comment': 'Telesec',
- 'description': 'module (0 2 262 1 10 2)',
- 'hexoid': '06 06 02 82 06 01 0A 02',
- 'name': 'module',
- 'oid': (0, 2, 262, 1, 10, 2)},
- (0, 2, 262, 1, 10, 2, 0): {'comment': 'Telesec module',
- 'description': 'algorithms (0 2 262 1 10 2 0)',
- 'hexoid': '06 07 02 82 06 01 0A 02 00',
- 'name': 'algorithms',
- 'oid': (0, 2, 262, 1, 10, 2, 0)},
- (0, 2, 262, 1, 10, 2, 1): {'comment': 'Telesec module',
- 'description': 'attributeTypes (0 2 262 1 10 2 1)',
- 'hexoid': '06 07 02 82 06 01 0A 02 01',
- 'name': 'attributeTypes',
- 'oid': (0, 2, 262, 1, 10, 2, 1)},
- (0, 2, 262, 1, 10, 2, 2): {'comment': 'Telesec module',
- 'description': 'certificateTypes (0 2 262 1 10 2 2)',
- 'hexoid': '06 07 02 82 06 01 0A 02 02',
- 'name': 'certificateTypes',
- 'oid': (0, 2, 262, 1, 10, 2, 2)},
- (0, 2, 262, 1, 10, 2, 3): {'comment': 'Telesec module',
- 'description': 'messageTypes (0 2 262 1 10 2 3)',
- 'hexoid': '06 07 02 82 06 01 0A 02 03',
- 'name': 'messageTypes',
- 'oid': (0, 2, 262, 1, 10, 2, 3)},
- (0, 2, 262, 1, 10, 2, 4): {'comment': 'Telesec module',
- 'description': 'plProtocol (0 2 262 1 10 2 4)',
- 'hexoid': '06 07 02 82 06 01 0A 02 04',
- 'name': 'plProtocol',
- 'oid': (0, 2, 262, 1, 10, 2, 4)},
- (0, 2, 262, 1, 10, 2, 5): {'comment': 'Telesec module',
- 'description': 'smeAndComponentsOfSme (0 2 262 1 10 2 5)',
- 'hexoid': '06 07 02 82 06 01 0A 02 05',
- 'name': 'smeAndComponentsOfSme',
- 'oid': (0, 2, 262, 1, 10, 2, 5)},
- (0, 2, 262, 1, 10, 2, 6): {'comment': 'Telesec module',
- 'description': 'fec (0 2 262 1 10 2 6)',
- 'hexoid': '06 07 02 82 06 01 0A 02 06',
- 'name': 'fec',
- 'oid': (0, 2, 262, 1, 10, 2, 6)},
- (0, 2, 262, 1, 10, 2, 7): {'comment': 'Telesec module',
- 'description': 'usefulDefinitions (0 2 262 1 10 2 7)',
- 'hexoid': '06 07 02 82 06 01 0A 02 07',
- 'name': 'usefulDefinitions',
- 'oid': (0, 2, 262, 1, 10, 2, 7)},
- (0, 2, 262, 1, 10, 2, 8): {'comment': 'Telesec module',
- 'description': 'stefiles (0 2 262 1 10 2 8)',
- 'hexoid': '06 07 02 82 06 01 0A 02 08',
- 'name': 'stefiles',
- 'oid': (0, 2, 262, 1, 10, 2, 8)},
- (0, 2, 262, 1, 10, 2, 9): {'comment': 'Telesec module',
- 'description': 'sadmib (0 2 262 1 10 2 9)',
- 'hexoid': '06 07 02 82 06 01 0A 02 09',
- 'name': 'sadmib',
- 'oid': (0, 2, 262, 1, 10, 2, 9)},
- (0, 2, 262, 1, 10, 2, 10): {'comment': 'Telesec module',
- 'description': 'electronicOrder (0 2 262 1 10 2 10)',
- 'hexoid': '06 07 02 82 06 01 0A 02 0A',
- 'name': 'electronicOrder',
- 'oid': (0, 2, 262, 1, 10, 2, 10)},
- (0, 2, 262, 1, 10, 2, 11): {'comment': 'Telesec module',
- 'description': 'telesecTtpAsymmetricApplication (0 2 262 1 10 2 11)',
- 'hexoid': '06 07 02 82 06 01 0A 02 0B',
- 'name': 'telesecTtpAsymmetricApplication',
- 'oid': (0, 2, 262, 1, 10, 2, 11)},
- (0, 2, 262, 1, 10, 2, 12): {'comment': 'Telesec module',
- 'description': 'telesecTtpBasisApplication (0 2 262 1 10 2 12)',
- 'hexoid': '06 07 02 82 06 01 0A 02 0C',
- 'name': 'telesecTtpBasisApplication',
- 'oid': (0, 2, 262, 1, 10, 2, 12)},
- (0, 2, 262, 1, 10, 2, 13): {'comment': 'Telesec module',
- 'description': 'telesecTtpMessages (0 2 262 1 10 2 13)',
- 'hexoid': '06 07 02 82 06 01 0A 02 0D',
- 'name': 'telesecTtpMessages',
- 'oid': (0, 2, 262, 1, 10, 2, 13)},
- (0, 2, 262, 1, 10, 2, 14): {'comment': 'Telesec module',
- 'description': 'telesecTtpTimeStampApplication (0 2 262 1 10 2 14)',
- 'hexoid': '06 07 02 82 06 01 0A 02 0E',
- 'name': 'telesecTtpTimeStampApplication',
- 'oid': (0, 2, 262, 1, 10, 2, 14)},
- (0, 2, 262, 1, 10, 3): {'comment': 'Telesec',
- 'description': 'objectClass (0 2 262 1 10 3)',
- 'hexoid': '06 06 02 82 06 01 0A 03',
- 'name': 'objectClass',
- 'oid': (0, 2, 262, 1, 10, 3)},
- (0, 2, 262, 1, 10, 3, 0): {'comment': 'Telesec object class',
- 'description': 'telesecOtherName (0 2 262 1 10 3 0)',
- 'hexoid': '06 07 02 82 06 01 0A 03 00',
- 'name': 'telesecOtherName',
- 'oid': (0, 2, 262, 1, 10, 3, 0)},
- (0, 2, 262, 1, 10, 3, 1): {'comment': 'Telesec object class',
- 'description': 'directory (0 2 262 1 10 3 1)',
- 'hexoid': '06 07 02 82 06 01 0A 03 01',
- 'name': 'directory',
- 'oid': (0, 2, 262, 1, 10, 3, 1)},
- (0, 2, 262, 1, 10, 3, 2): {'comment': 'Telesec object class',
- 'description': 'directoryType (0 2 262 1 10 3 2)',
- 'hexoid': '06 07 02 82 06 01 0A 03 02',
- 'name': 'directoryType',
- 'oid': (0, 2, 262, 1, 10, 3, 2)},
- (0, 2, 262, 1, 10, 3, 3): {'comment': 'Telesec object class',
- 'description': 'directoryGroup (0 2 262 1 10 3 3)',
- 'hexoid': '06 07 02 82 06 01 0A 03 03',
- 'name': 'directoryGroup',
- 'oid': (0, 2, 262, 1, 10, 3, 3)},
- (0, 2, 262, 1, 10, 3, 4): {'comment': 'Telesec object class',
- 'description': 'directoryUser (0 2 262 1 10 3 4)',
- 'hexoid': '06 07 02 82 06 01 0A 03 04',
- 'name': 'directoryUser',
- 'oid': (0, 2, 262, 1, 10, 3, 4)},
- (0, 2, 262, 1, 10, 3, 5): {'comment': 'Telesec object class',
- 'description': 'symmetricKeyEntry (0 2 262 1 10 3 5)',
- 'hexoid': '06 07 02 82 06 01 0A 03 05',
- 'name': 'symmetricKeyEntry',
- 'oid': (0, 2, 262, 1, 10, 3, 5)},
- (0, 2, 262, 1, 10, 4): {'comment': 'Telesec',
- 'description': 'package (0 2 262 1 10 4)',
- 'hexoid': '06 06 02 82 06 01 0A 04',
- 'name': 'package',
- 'oid': (0, 2, 262, 1, 10, 4)},
- (0, 2, 262, 1, 10, 5): {'comment': 'Telesec',
- 'description': 'parameter (0 2 262 1 10 5)',
- 'hexoid': '06 06 02 82 06 01 0A 05',
- 'name': 'parameter',
- 'oid': (0, 2, 262, 1, 10, 5)},
- (0, 2, 262, 1, 10, 6): {'comment': 'Telesec',
- 'description': 'nameBinding (0 2 262 1 10 6)',
- 'hexoid': '06 06 02 82 06 01 0A 06',
- 'name': 'nameBinding',
- 'oid': (0, 2, 262, 1, 10, 6)},
- (0, 2, 262, 1, 10, 7): {'comment': 'Telesec',
- 'description': 'attribute (0 2 262 1 10 7)',
- 'hexoid': '06 06 02 82 06 01 0A 07',
- 'name': 'attribute',
- 'oid': (0, 2, 262, 1, 10, 7)},
- (0, 2, 262, 1, 10, 7, 0): {'comment': 'Telesec attribute',
- 'description': 'applicationGroupIdentifier (0 2 262 1 10 7 0)',
- 'hexoid': '06 07 02 82 06 01 0A 07 00',
- 'name': 'applicationGroupIdentifier',
- 'oid': (0, 2, 262, 1, 10, 7, 0)},
- (0, 2, 262, 1, 10, 7, 1): {'comment': 'Telesec attribute',
- 'description': 'certificateType (0 2 262 1 10 7 1)',
- 'hexoid': '06 07 02 82 06 01 0A 07 01',
- 'name': 'certificateType',
- 'oid': (0, 2, 262, 1, 10, 7, 1)},
- (0, 2, 262, 1, 10, 7, 2): {'comment': 'Telesec attribute',
- 'description': 'telesecCertificate (0 2 262 1 10 7 2)',
- 'hexoid': '06 07 02 82 06 01 0A 07 02',
- 'name': 'telesecCertificate',
- 'oid': (0, 2, 262, 1, 10, 7, 2)},
- (0, 2, 262, 1, 10, 7, 3): {'comment': 'Telesec attribute',
- 'description': 'certificateNumber (0 2 262 1 10 7 3)',
- 'hexoid': '06 07 02 82 06 01 0A 07 03',
- 'name': 'certificateNumber',
- 'oid': (0, 2, 262, 1, 10, 7, 3)},
- (0, 2, 262, 1, 10, 7, 4): {'comment': 'Telesec attribute',
- 'description': 'certificateRevocationList (0 2 262 1 10 7 4)',
- 'hexoid': '06 07 02 82 06 01 0A 07 04',
- 'name': 'certificateRevocationList',
- 'oid': (0, 2, 262, 1, 10, 7, 4)},
- (0, 2, 262, 1, 10, 7, 5): {'comment': 'Telesec attribute',
- 'description': 'creationDate (0 2 262 1 10 7 5)',
- 'hexoid': '06 07 02 82 06 01 0A 07 05',
- 'name': 'creationDate',
- 'oid': (0, 2, 262, 1, 10, 7, 5)},
- (0, 2, 262, 1, 10, 7, 6): {'comment': 'Telesec attribute',
- 'description': 'issuer (0 2 262 1 10 7 6)',
- 'hexoid': '06 07 02 82 06 01 0A 07 06',
- 'name': 'issuer',
- 'oid': (0, 2, 262, 1, 10, 7, 6)},
- (0, 2, 262, 1, 10, 7, 7): {'comment': 'Telesec attribute',
- 'description': 'namingAuthority (0 2 262 1 10 7 7)',
- 'hexoid': '06 07 02 82 06 01 0A 07 07',
- 'name': 'namingAuthority',
- 'oid': (0, 2, 262, 1, 10, 7, 7)},
- (0, 2, 262, 1, 10, 7, 8): {'comment': 'Telesec attribute',
- 'description': 'publicKeyDirectory (0 2 262 1 10 7 8)',
- 'hexoid': '06 07 02 82 06 01 0A 07 08',
- 'name': 'publicKeyDirectory',
- 'oid': (0, 2, 262, 1, 10, 7, 8)},
- (0, 2, 262, 1, 10, 7, 9): {'comment': 'Telesec attribute',
- 'description': 'securityDomain (0 2 262 1 10 7 9)',
- 'hexoid': '06 07 02 82 06 01 0A 07 09',
- 'name': 'securityDomain',
- 'oid': (0, 2, 262, 1, 10, 7, 9)},
- (0, 2, 262, 1, 10, 7, 10): {'comment': 'Telesec attribute',
- 'description': 'subject (0 2 262 1 10 7 10)',
- 'hexoid': '06 07 02 82 06 01 0A 07 0A',
- 'name': 'subject',
- 'oid': (0, 2, 262, 1, 10, 7, 10)},
- (0, 2, 262, 1, 10, 7, 11): {'comment': 'Telesec attribute',
- 'description': 'timeOfRevocation (0 2 262 1 10 7 11)',
- 'hexoid': '06 07 02 82 06 01 0A 07 0B',
- 'name': 'timeOfRevocation',
- 'oid': (0, 2, 262, 1, 10, 7, 11)},
- (0, 2, 262, 1, 10, 7, 12): {'comment': 'Telesec attribute',
- 'description': 'userGroupReference (0 2 262 1 10 7 12)',
- 'hexoid': '06 07 02 82 06 01 0A 07 0C',
- 'name': 'userGroupReference',
- 'oid': (0, 2, 262, 1, 10, 7, 12)},
- (0, 2, 262, 1, 10, 7, 13): {'comment': 'Telesec attribute',
- 'description': 'validity (0 2 262 1 10 7 13)',
- 'hexoid': '06 07 02 82 06 01 0A 07 0D',
- 'name': 'validity',
- 'oid': (0, 2, 262, 1, 10, 7, 13)},
- (0, 2, 262, 1, 10, 7, 14): {'comment': 'Telesec attribute',
- 'description': 'zert93 (0 2 262 1 10 7 14)',
- 'hexoid': '06 07 02 82 06 01 0A 07 0E',
- 'name': 'zert93',
- 'oid': (0, 2, 262, 1, 10, 7, 14)},
- (0, 2, 262, 1, 10, 7, 15): {'comment': 'Telesec attribute',
- 'description': 'securityMessEnv (0 2 262 1 10 7 15)',
- 'hexoid': '06 07 02 82 06 01 0A 07 0F',
- 'name': 'securityMessEnv',
- 'oid': (0, 2, 262, 1, 10, 7, 15)},
- (0, 2, 262, 1, 10, 7, 16): {'comment': 'Telesec attribute',
- 'description': 'anonymizedPublicKeyDirectory (0 2 262 1 10 7 16)',
- 'hexoid': '06 07 02 82 06 01 0A 07 10',
- 'name': 'anonymizedPublicKeyDirectory',
- 'oid': (0, 2, 262, 1, 10, 7, 16)},
- (0, 2, 262, 1, 10, 7, 17): {'comment': 'Telesec attribute',
- 'description': 'telesecGivenName (0 2 262 1 10 7 17)',
- 'hexoid': '06 07 02 82 06 01 0A 07 11',
- 'name': 'telesecGivenName',
- 'oid': (0, 2, 262, 1, 10, 7, 17)},
- (0, 2, 262, 1, 10, 7, 18): {'comment': 'Telesec attribute',
- 'description': 'nameAdditions (0 2 262 1 10 7 18)',
- 'hexoid': '06 07 02 82 06 01 0A 07 12',
- 'name': 'nameAdditions',
- 'oid': (0, 2, 262, 1, 10, 7, 18)},
- (0, 2, 262, 1, 10, 7, 19): {'comment': 'Telesec attribute',
- 'description': 'telesecPostalCode (0 2 262 1 10 7 19)',
- 'hexoid': '06 07 02 82 06 01 0A 07 13',
- 'name': 'telesecPostalCode',
- 'oid': (0, 2, 262, 1, 10, 7, 19)},
- (0, 2, 262, 1, 10, 7, 20): {'comment': 'Telesec attribute',
- 'description': 'nameDistinguisher (0 2 262 1 10 7 20)',
- 'hexoid': '06 07 02 82 06 01 0A 07 14',
- 'name': 'nameDistinguisher',
- 'oid': (0, 2, 262, 1, 10, 7, 20)},
- (0, 2, 262, 1, 10, 7, 21): {'comment': 'Telesec attribute',
- 'description': 'telesecCertificateList (0 2 262 1 10 7 21)',
- 'hexoid': '06 07 02 82 06 01 0A 07 15',
- 'name': 'telesecCertificateList',
- 'oid': (0, 2, 262, 1, 10, 7, 21)},
- (0, 2, 262, 1, 10, 7, 22): {'comment': 'Telesec attribute',
- 'description': 'teletrustCertificateList (0 2 262 1 10 7 22)',
- 'hexoid': '06 07 02 82 06 01 0A 07 16',
- 'name': 'teletrustCertificateList',
- 'oid': (0, 2, 262, 1, 10, 7, 22)},
- (0, 2, 262, 1, 10, 7, 23): {'comment': 'Telesec attribute',
- 'description': 'x509CertificateList (0 2 262 1 10 7 23)',
- 'hexoid': '06 07 02 82 06 01 0A 07 17',
- 'name': 'x509CertificateList',
- 'oid': (0, 2, 262, 1, 10, 7, 23)},
- (0, 2, 262, 1, 10, 7, 24): {'comment': 'Telesec attribute',
- 'description': 'timeOfIssue (0 2 262 1 10 7 24)',
- 'hexoid': '06 07 02 82 06 01 0A 07 18',
- 'name': 'timeOfIssue',
- 'oid': (0, 2, 262, 1, 10, 7, 24)},
- (0, 2, 262, 1, 10, 7, 25): {'comment': 'Telesec attribute',
- 'description': 'physicalCardNumber (0 2 262 1 10 7 25)',
- 'hexoid': '06 07 02 82 06 01 0A 07 19',
- 'name': 'physicalCardNumber',
- 'oid': (0, 2, 262, 1, 10, 7, 25)},
- (0, 2, 262, 1, 10, 7, 26): {'comment': 'Telesec attribute',
- 'description': 'fileType (0 2 262 1 10 7 26)',
- 'hexoid': '06 07 02 82 06 01 0A 07 1A',
- 'name': 'fileType',
- 'oid': (0, 2, 262, 1, 10, 7, 26)},
- (0, 2, 262, 1, 10, 7, 27): {'comment': 'Telesec attribute',
- 'description': 'ctlFileIsArchive (0 2 262 1 10 7 27)',
- 'hexoid': '06 07 02 82 06 01 0A 07 1B',
- 'name': 'ctlFileIsArchive',
- 'oid': (0, 2, 262, 1, 10, 7, 27)},
- (0, 2, 262, 1, 10, 7, 28): {'comment': 'Telesec attribute',
- 'description': 'emailAddress (0 2 262 1 10 7 28)',
- 'hexoid': '06 07 02 82 06 01 0A 07 1C',
- 'name': 'emailAddress',
- 'oid': (0, 2, 262, 1, 10, 7, 28)},
- (0, 2, 262, 1, 10, 7, 29): {'comment': 'Telesec attribute',
- 'description': 'certificateTemplateList (0 2 262 1 10 7 29)',
- 'hexoid': '06 07 02 82 06 01 0A 07 1D',
- 'name': 'certificateTemplateList',
- 'oid': (0, 2, 262, 1, 10, 7, 29)},
- (0, 2, 262, 1, 10, 7, 30): {'comment': 'Telesec attribute',
- 'description': 'directoryName (0 2 262 1 10 7 30)',
- 'hexoid': '06 07 02 82 06 01 0A 07 1E',
- 'name': 'directoryName',
- 'oid': (0, 2, 262, 1, 10, 7, 30)},
- (0, 2, 262, 1, 10, 7, 31): {'comment': 'Telesec attribute',
- 'description': 'directoryTypeName (0 2 262 1 10 7 31)',
- 'hexoid': '06 07 02 82 06 01 0A 07 1F',
- 'name': 'directoryTypeName',
- 'oid': (0, 2, 262, 1, 10, 7, 31)},
- (0, 2, 262, 1, 10, 7, 32): {'comment': 'Telesec attribute',
- 'description': 'directoryGroupName (0 2 262 1 10 7 32)',
- 'hexoid': '06 07 02 82 06 01 0A 07 20',
- 'name': 'directoryGroupName',
- 'oid': (0, 2, 262, 1, 10, 7, 32)},
- (0, 2, 262, 1, 10, 7, 33): {'comment': 'Telesec attribute',
- 'description': 'directoryUserName (0 2 262 1 10 7 33)',
- 'hexoid': '06 07 02 82 06 01 0A 07 21',
- 'name': 'directoryUserName',
- 'oid': (0, 2, 262, 1, 10, 7, 33)},
- (0, 2, 262, 1, 10, 7, 34): {'comment': 'Telesec attribute',
- 'description': 'revocationFlag (0 2 262 1 10 7 34)',
- 'hexoid': '06 07 02 82 06 01 0A 07 22',
- 'name': 'revocationFlag',
- 'oid': (0, 2, 262, 1, 10, 7, 34)},
- (0, 2, 262, 1, 10, 7, 35): {'comment': 'Telesec attribute',
- 'description': 'symmetricKeyEntryName (0 2 262 1 10 7 35)',
- 'hexoid': '06 07 02 82 06 01 0A 07 23',
- 'name': 'symmetricKeyEntryName',
- 'oid': (0, 2, 262, 1, 10, 7, 35)},
- (0, 2, 262, 1, 10, 7, 36): {'comment': 'Telesec attribute',
- 'description': 'glNumber (0 2 262 1 10 7 36)',
- 'hexoid': '06 07 02 82 06 01 0A 07 24',
- 'name': 'glNumber',
- 'oid': (0, 2, 262, 1, 10, 7, 36)},
- (0, 2, 262, 1, 10, 7, 37): {'comment': 'Telesec attribute',
- 'description': 'goNumber (0 2 262 1 10 7 37)',
- 'hexoid': '06 07 02 82 06 01 0A 07 25',
- 'name': 'goNumber',
- 'oid': (0, 2, 262, 1, 10, 7, 37)},
- (0, 2, 262, 1, 10, 7, 38): {'comment': 'Telesec attribute',
- 'description': 'gKeyData (0 2 262 1 10 7 38)',
- 'hexoid': '06 07 02 82 06 01 0A 07 26',
- 'name': 'gKeyData',
- 'oid': (0, 2, 262, 1, 10, 7, 38)},
- (0, 2, 262, 1, 10, 7, 39): {'comment': 'Telesec attribute',
- 'description': 'zKeyData (0 2 262 1 10 7 39)',
- 'hexoid': '06 07 02 82 06 01 0A 07 27',
- 'name': 'zKeyData',
- 'oid': (0, 2, 262, 1, 10, 7, 39)},
- (0, 2, 262, 1, 10, 7, 40): {'comment': 'Telesec attribute',
- 'description': 'ktKeyData (0 2 262 1 10 7 40)',
- 'hexoid': '06 07 02 82 06 01 0A 07 28',
- 'name': 'ktKeyData',
- 'oid': (0, 2, 262, 1, 10, 7, 40)},
- (0, 2, 262, 1, 10, 7, 41): {'comment': 'Telesec attribute',
- 'description': 'ktKeyNumber (0 2 262 1 10 7 41)',
- 'hexoid': '06 07 02 82 06 01 0A 07 29',
- 'name': 'ktKeyNumber',
- 'oid': (0, 2, 262, 1, 10, 7, 41)},
- (0, 2, 262, 1, 10, 7, 51): {'comment': 'Telesec attribute',
- 'description': 'timeOfRevocationGen (0 2 262 1 10 7 51)',
- 'hexoid': '06 07 02 82 06 01 0A 07 33',
- 'name': 'timeOfRevocationGen',
- 'oid': (0, 2, 262, 1, 10, 7, 51)},
- (0, 2, 262, 1, 10, 7, 52): {'comment': 'Telesec attribute',
- 'description': 'liabilityText (0 2 262 1 10 7 52)',
- 'hexoid': '06 07 02 82 06 01 0A 07 34',
- 'name': 'liabilityText',
- 'oid': (0, 2, 262, 1, 10, 7, 52)},
- (0, 2, 262, 1, 10, 8): {'comment': 'Telesec',
- 'description': 'attributeGroup (0 2 262 1 10 8)',
- 'hexoid': '06 06 02 82 06 01 0A 08',
- 'name': 'attributeGroup',
- 'oid': (0, 2, 262, 1, 10, 8)},
- (0, 2, 262, 1, 10, 9): {'comment': 'Telesec',
- 'description': 'action (0 2 262 1 10 9)',
- 'hexoid': '06 06 02 82 06 01 0A 09',
- 'name': 'action',
- 'oid': (0, 2, 262, 1, 10, 9)},
- (0, 2, 262, 1, 10, 10): {'comment': 'Telesec',
- 'description': 'notification (0 2 262 1 10 10)',
- 'hexoid': '06 06 02 82 06 01 0A 0A',
- 'name': 'notification',
- 'oid': (0, 2, 262, 1, 10, 10)},
- (0, 2, 262, 1, 10, 11): {'comment': 'Telesec',
- 'description': 'snmp-mibs (0 2 262 1 10 11)',
- 'hexoid': '06 06 02 82 06 01 0A 0B',
- 'name': 'snmp-mibs',
- 'oid': (0, 2, 262, 1, 10, 11)},
- (0, 2, 262, 1, 10, 11, 1): {'comment': 'Telesec SNMP MIBs',
- 'description': 'securityApplication (0 2 262 1 10 11 1)',
- 'hexoid': '06 07 02 82 06 01 0A 0B 01',
- 'name': 'securityApplication',
- 'oid': (0, 2, 262, 1, 10, 11, 1)},
- (0, 2, 262, 1, 10, 12): {'comment': 'Telesec',
- 'description': 'certAndCrlExtensionDefinitions (0 2 262 1 10 12)',
- 'hexoid': '06 06 02 82 06 01 0A 0C',
- 'name': 'certAndCrlExtensionDefinitions',
- 'oid': (0, 2, 262, 1, 10, 12)},
- (0, 2, 262, 1, 10, 12, 0): {'comment': 'Telesec cert/CRL extension',
- 'description': 'liabilityLimitationFlag (0 2 262 1 10 12 0)',
- 'hexoid': '06 07 02 82 06 01 0A 0C 00',
- 'name': 'liabilityLimitationFlag',
- 'oid': (0, 2, 262, 1, 10, 12, 0)},
- (0, 2, 262, 1, 10, 12, 1): {'comment': 'Telesec cert/CRL extension',
- 'description': 'telesecCertIdExt (0 2 262 1 10 12 1)',
- 'hexoid': '06 07 02 82 06 01 0A 0C 01',
- 'name': 'telesecCertIdExt',
- 'oid': (0, 2, 262, 1, 10, 12, 1)},
- (0, 2, 262, 1, 10, 12, 2): {'comment': 'Telesec cert/CRL extension',
- 'description': 'Telesec policyIdentifier (0 2 262 1 10 12 2)',
- 'hexoid': '06 07 02 82 06 01 0A 0C 02',
- 'name': 'Telesec',
- 'oid': (0, 2, 262, 1, 10, 12, 2)},
- (0, 2, 262, 1, 10, 12, 3): {'comment': 'Telesec cert/CRL extension',
- 'description': 'telesecPolicyQualifierID (0 2 262 1 10 12 3)',
- 'hexoid': '06 07 02 82 06 01 0A 0C 03',
- 'name': 'telesecPolicyQualifierID',
- 'oid': (0, 2, 262, 1, 10, 12, 3)},
- (0, 2, 262, 1, 10, 12, 4): {'comment': 'Telesec cert/CRL extension',
- 'description': 'telesecCRLFilteredExt (0 2 262 1 10 12 4)',
- 'hexoid': '06 07 02 82 06 01 0A 0C 04',
- 'name': 'telesecCRLFilteredExt',
- 'oid': (0, 2, 262, 1, 10, 12, 4)},
- (0, 2, 262, 1, 10, 12, 5): {'comment': 'Telesec cert/CRL extension',
- 'description': 'telesecCRLFilterExt (0 2 262 1 10 12 5)',
- 'hexoid': '06 07 02 82 06 01 0A 0C 05',
- 'name': 'telesecCRLFilterExt',
- 'oid': (0, 2, 262, 1, 10, 12, 5)},
- (0, 2, 262, 1, 10, 12, 6): {'comment': 'Telesec cert/CRL extension',
- 'description': 'telesecNamingAuthorityExt (0 2 262 1 10 12 6)',
- 'hexoid': '06 07 02 82 06 01 0A 0C 06',
- 'name': 'telesecNamingAuthorityExt',
- 'oid': (0, 2, 262, 1, 10, 12, 6)},
- (0, 4, 0, 127, 0, 7): {'comment': 'BSI TR-03110/TR-03111',
- 'description': 'bsi (0 4 0 127 0 7)',
- 'hexoid': '06 05 04 00 7F 00 07',
- 'name': 'bsi',
- 'oid': (0, 4, 0, 127, 0, 7)},
- (0, 4, 0, 127, 0, 7, 1): {'comment': 'BSI TR-03111',
- 'description': 'bsiEcc (0 4 0 127 0 7 1)',
- 'hexoid': '06 06 04 00 7F 00 07 01',
- 'name': 'bsiEcc',
- 'oid': (0, 4, 0, 127, 0, 7, 1)},
- (0, 4, 0, 127, 0, 7, 1, 1): {'comment': 'BSI TR-03111',
- 'description': 'bsifieldType (0 4 0 127 0 7 1 1)',
- 'hexoid': '06 07 04 00 7F 00 07 01 01',
- 'name': 'bsifieldType',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 1)},
- (0, 4, 0, 127, 0, 7, 1, 1, 1): {'comment': 'BSI TR-03111',
- 'description': 'bsiPrimeField (0 4 0 127 0 7 1 1 1)',
- 'hexoid': '06 08 04 00 7F 00 07 01 01 01',
- 'name': 'bsiPrimeField',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 1, 1)},
- (0, 4, 0, 127, 0, 7, 1, 1, 2): {'comment': 'BSI TR-03111',
- 'description': 'bsiCharacteristicTwoField (0 4 0 127 0 7 1 1 2)',
- 'hexoid': '06 08 04 00 7F 00 07 01 01 02',
- 'name': 'bsiCharacteristicTwoField',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 1, 2)},
- (0, 4, 0, 127, 0, 7, 1, 1, 2, 3): {'comment': 'BSI TR-03111',
- 'description': 'bsiCharacteristicTwoBasis (0 4 0 127 0 7 1 1 2 3)',
- 'hexoid': '06 09 04 00 7F 00 07 01 01 02 03',
- 'name': 'bsiCharacteristicTwoBasis',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 1, 2, 3)},
- (0, 4, 0, 127, 0, 7, 1, 1, 2, 3, 1): {'comment': 'BSI TR-03111',
- 'description': 'bsiGnBasis (0 4 0 127 0 7 1 1 2 3 1)',
- 'hexoid': '06 0A 04 00 7F 00 07 01 01 02 03 01',
- 'name': 'bsiGnBasis',
- 'oid': (0,
- 4,
- 0,
- 127,
- 0,
- 7,
- 1,
- 1,
- 2,
- 3,
- 1)},
- (0, 4, 0, 127, 0, 7, 1, 1, 2, 3, 2): {'comment': 'BSI TR-03111',
- 'description': 'bsiTpBasis (0 4 0 127 0 7 1 1 2 3 2)',
- 'hexoid': '06 0A 04 00 7F 00 07 01 01 02 03 02',
- 'name': 'bsiTpBasis',
- 'oid': (0,
- 4,
- 0,
- 127,
- 0,
- 7,
- 1,
- 1,
- 2,
- 3,
- 2)},
- (0, 4, 0, 127, 0, 7, 1, 1, 2, 3, 3): {'comment': 'BSI TR-03111',
- 'description': 'bsiPpBasis (0 4 0 127 0 7 1 1 2 3 3)',
- 'hexoid': '06 0A 04 00 7F 00 07 01 01 02 03 03',
- 'name': 'bsiPpBasis',
- 'oid': (0,
- 4,
- 0,
- 127,
- 0,
- 7,
- 1,
- 1,
- 2,
- 3,
- 3)},
- (0, 4, 0, 127, 0, 7, 1, 2): {'comment': 'BSI TR-03111',
- 'description': 'bsiEcKeyType (0 4 0 127 0 7 1 2)',
- 'hexoid': '06 07 04 00 7F 00 07 01 02',
- 'name': 'bsiEcKeyType',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 2)},
- (0, 4, 0, 127, 0, 7, 1, 2, 1): {'comment': 'BSI TR-03111',
- 'description': 'bsiEcPublicKey (0 4 0 127 0 7 1 2 1)',
- 'hexoid': '06 08 04 00 7F 00 07 01 02 01',
- 'name': 'bsiEcPublicKey',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 2, 1)},
- (0, 4, 0, 127, 0, 7, 1, 4, 1): {'comment': 'BSI TR-03111',
- 'description': 'bsiEcdsaSignatures (0 4 0 127 0 7 1 4 1)',
- 'hexoid': '06 08 04 00 7F 00 07 01 04 01',
- 'name': 'bsiEcdsaSignatures',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 4, 1)},
- (0, 4, 0, 127, 0, 7, 1, 4, 1, 1): {'comment': 'BSI TR-03111',
- 'description': 'bsiEcdsaWithSHA1 (0 4 0 127 0 7 1 4 1 1)',
- 'hexoid': '06 09 04 00 7F 00 07 01 04 01 01',
- 'name': 'bsiEcdsaWithSHA1',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 4, 1, 1)},
- (0, 4, 0, 127, 0, 7, 1, 4, 1, 2): {'comment': 'BSI TR-03111',
- 'description': 'bsiEcdsaWithSHA224 (0 4 0 127 0 7 1 4 1 2)',
- 'hexoid': '06 09 04 00 7F 00 07 01 04 01 02',
- 'name': 'bsiEcdsaWithSHA224',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 4, 1, 2)},
- (0, 4, 0, 127, 0, 7, 1, 4, 1, 3): {'comment': 'BSI TR-03111',
- 'description': 'bsiEcdsaWithSHA256 (0 4 0 127 0 7 1 4 1 3)',
- 'hexoid': '06 09 04 00 7F 00 07 01 04 01 03',
- 'name': 'bsiEcdsaWithSHA256',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 4, 1, 3)},
- (0, 4, 0, 127, 0, 7, 1, 4, 1, 4): {'comment': 'BSI TR-03111',
- 'description': 'bsiEcdsaWithSHA384 (0 4 0 127 0 7 1 4 1 4)',
- 'hexoid': '06 09 04 00 7F 00 07 01 04 01 04',
- 'name': 'bsiEcdsaWithSHA384',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 4, 1, 4)},
- (0, 4, 0, 127, 0, 7, 1, 4, 1, 5): {'comment': 'BSI TR-03111',
- 'description': 'bsiEcdsaWithSHA512 (0 4 0 127 0 7 1 4 1 5)',
- 'hexoid': '06 09 04 00 7F 00 07 01 04 01 05',
- 'name': 'bsiEcdsaWithSHA512',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 4, 1, 5)},
- (0, 4, 0, 127, 0, 7, 1, 4, 1, 6): {'comment': 'BSI TR-03111',
- 'description': 'bsiEcdsaWithRIPEMD160 (0 4 0 127 0 7 1 4 1 6)',
- 'hexoid': '06 09 04 00 7F 00 07 01 04 01 06',
- 'name': 'bsiEcdsaWithRIPEMD160',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 4, 1, 6)},
- (0, 4, 0, 127, 0, 7, 1, 5, 1): {'comment': 'BSI TR-03111',
- 'description': 'bsiKaeg (0 4 0 127 0 7 1 5 1)',
- 'hexoid': '06 08 04 00 7F 00 07 01 05 01',
- 'name': 'bsiKaeg',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 5, 1)},
- (0, 4, 0, 127, 0, 7, 1, 5, 1, 1): {'comment': 'BSI TR-03111',
- 'description': 'bsiKaegWithX963KDF (0 4 0 127 0 7 1 5 1 1)',
- 'hexoid': '06 09 04 00 7F 00 07 01 05 01 01',
- 'name': 'bsiKaegWithX963KDF',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 5, 1, 1)},
- (0, 4, 0, 127, 0, 7, 1, 5, 1, 2): {'comment': 'BSI TR-03111',
- 'description': 'bsiKaegWith3DESKDF (0 4 0 127 0 7 1 5 1 2)',
- 'hexoid': '06 09 04 00 7F 00 07 01 05 01 02',
- 'name': 'bsiKaegWith3DESKDF',
- 'oid': (0, 4, 0, 127, 0, 7, 1, 5, 1, 2)},
- (0, 4, 0, 127, 0, 7, 2, 2, 1): {'comment': 'BSI TR-03110',
- 'description': 'bsiCA (0 4 0 127 0 7 2 2 1)',
- 'hexoid': '06 08 04 00 7F 00 07 02 02 01',
- 'name': 'bsiCA',
- 'oid': (0, 4, 0, 127, 0, 7, 2, 2, 1)},
- (0, 4, 0, 127, 0, 7, 2, 2, 1, 1): {'comment': 'BSI TR-03110',
- 'description': 'bsiCA_DH (0 4 0 127 0 7 2 2 1 1)',
- 'hexoid': '06 09 04 00 7F 00 07 02 02 01 01',
- 'name': 'bsiCA_DH',
- 'oid': (0, 4, 0, 127, 0, 7, 2, 2, 1, 1)},
- (0, 4, 0, 127, 0, 7, 2, 2, 1, 2): {'comment': 'BSI TR-03110',
- 'description': 'bsiCA_ECDH (0 4 0 127 0 7 2 2 1 2)',
- 'hexoid': '06 09 04 00 7F 00 07 02 02 01 02',
- 'name': 'bsiCA_ECDH',
- 'oid': (0, 4, 0, 127, 0, 7, 2, 2, 1, 2)},
- (0, 4, 0, 127, 0, 7, 2, 2, 2): {'comment': 'BSI TR-03110',
- 'description': 'bsiTA (0 4 0 127 0 7 2 2 2)',
- 'hexoid': '06 08 04 00 7F 00 07 02 02 02',
- 'name': 'bsiTA',
- 'oid': (0, 4, 0, 127, 0, 7, 2, 2, 2)},
- (0, 4, 0, 127, 0, 7, 2, 2, 2, 1): {'comment': 'BSI TR-03110',
- 'description': 'bsiTA_RSA (0 4 0 127 0 7 2 2 2 1)',
- 'hexoid': '06 09 04 00 7F 00 07 02 02 02 01',
- 'name': 'bsiTA_RSA',
- 'oid': (0, 4, 0, 127, 0, 7, 2, 2, 2, 1)},
- (0, 4, 0, 127, 0, 7, 2, 2, 2, 1, 1): {'comment': 'BSI TR-03110',
- 'description': 'bsiTA_RSAv1_5_SHA1 (0 4 0 127 0 7 2 2 2 1 1)',
- 'hexoid': '06 0A 04 00 7F 00 07 02 02 02 01 01',
- 'name': 'bsiTA_RSAv1_5_SHA1',
- 'oid': (0,
- 4,
- 0,
- 127,
- 0,
- 7,
- 2,
- 2,
- 2,
- 1,
- 1)},
- (0, 4, 0, 127, 0, 7, 2, 2, 2, 1, 2): {'comment': 'BSI TR-03110',
- 'description': 'bsiTA_RSAv1_5_SHA256 (0 4 0 127 0 7 2 2 2 1 2)',
- 'hexoid': '06 0A 04 00 7F 00 07 02 02 02 01 02',
- 'name': 'bsiTA_RSAv1_5_SHA256',
- 'oid': (0,
- 4,
- 0,
- 127,
- 0,
- 7,
- 2,
- 2,
- 2,
- 1,
- 2)},
- (0, 4, 0, 127, 0, 7, 2, 2, 2, 1, 3): {'comment': 'BSI TR-03110',
- 'description': 'bsiTA_RSAPSS_SHA1 (0 4 0 127 0 7 2 2 2 1 3)',
- 'hexoid': '06 0A 04 00 7F 00 07 02 02 02 01 03',
- 'name': 'bsiTA_RSAPSS_SHA1',
- 'oid': (0,
- 4,
- 0,
- 127,
- 0,
- 7,
- 2,
- 2,
- 2,
- 1,
- 3)},
- (0, 4, 0, 127, 0, 7, 2, 2, 2, 1, 4): {'comment': 'BSI TR-03110',
- 'description': 'bsiTA_RSAPSS_SHA256 (0 4 0 127 0 7 2 2 2 1 4)',
- 'hexoid': '06 0A 04 00 7F 00 07 02 02 02 01 04',
- 'name': 'bsiTA_RSAPSS_SHA256',
- 'oid': (0,
- 4,
- 0,
- 127,
- 0,
- 7,
- 2,
- 2,
- 2,
- 1,
- 4)},
- (0, 4, 0, 127, 0, 7, 2, 2, 2, 2): {'comment': 'BSI TR-03110',
- 'description': 'bsiTA_ECDSA (0 4 0 127 0 7 2 2 2 2)',
- 'hexoid': '06 09 04 00 7F 00 07 02 02 02 02',
- 'name': 'bsiTA_ECDSA',
- 'oid': (0, 4, 0, 127, 0, 7, 2, 2, 2, 2)},
- (0, 4, 0, 127, 0, 7, 2, 2, 2, 2, 1): {'comment': 'BSI TR-03110',
- 'description': 'bsiTA_ECDSA_SHA1 (0 4 0 127 0 7 2 2 2 2 1)',
- 'hexoid': '06 0A 04 00 7F 00 07 02 02 02 02 01',
- 'name': 'bsiTA_ECDSA_SHA1',
- 'oid': (0,
- 4,
- 0,
- 127,
- 0,
- 7,
- 2,
- 2,
- 2,
- 2,
- 1)},
- (0, 4, 0, 127, 0, 7, 2, 2, 2, 2, 2): {'comment': 'BSI TR-03110',
- 'description': 'bsiTA_ECDSA_SHA224 (0 4 0 127 0 7 2 2 2 2 2)',
- 'hexoid': '06 0A 04 00 7F 00 07 02 02 02 02 02',
- 'name': 'bsiTA_ECDSA_SHA224',
- 'oid': (0,
- 4,
- 0,
- 127,
- 0,
- 7,
- 2,
- 2,
- 2,
- 2,
- 2)},
- (0, 4, 0, 127, 0, 7, 2, 2, 2, 2, 3): {'comment': 'BSI TR-03110',
- 'description': 'bsiTA_ECDSA_SHA256 (0 4 0 127 0 7 2 2 2 2 3)',
- 'hexoid': '06 0A 04 00 7F 00 07 02 02 02 02 03',
- 'name': 'bsiTA_ECDSA_SHA256',
- 'oid': (0,
- 4,
- 0,
- 127,
- 0,
- 7,
- 2,
- 2,
- 2,
- 2,
- 3)},
- (0, 4, 0, 127, 0, 7, 3, 1, 2): {'comment': 'BSI TR-03110',
- 'description': 'bsiRoleEAC (0 4 0 127 0 7 3 1 2)',
- 'hexoid': '06 08 04 00 7F 00 07 03 01 02',
- 'name': 'bsiRoleEAC',
- 'oid': (0, 4, 0, 127, 0, 7, 3, 1, 2)},
- (0, 4, 0, 1862): {'comment': 'ETSI TS 101 862 qualified certificates',
- 'description': 'etsiQcsProfile (0 4 0 1862)',
- 'hexoid': '06 04 04 00 8E 46',
- 'name': 'etsiQcsProfile',
- 'oid': (0, 4, 0, 1862)},
- (0, 4, 0, 1862, 1): {'comment': 'ETSI TS 101 862 qualified certificates',
- 'description': 'etsiQcs (0 4 0 1862 1)',
- 'hexoid': '06 05 04 00 8E 46 01',
- 'name': 'etsiQcs',
- 'oid': (0, 4, 0, 1862, 1)},
- (0, 4, 0, 1862, 1, 1): {'comment': 'ETSI TS 101 862 qualified certificates',
- 'description': 'etsiQcsCompliance (0 4 0 1862 1 1)',
- 'hexoid': '06 06 04 00 8E 46 01 01',
- 'name': 'etsiQcsCompliance',
- 'oid': (0, 4, 0, 1862, 1, 1)},
- (0, 4, 0, 1862, 1, 2): {'comment': 'ETSI TS 101 862 qualified certificates',
- 'description': 'etsiQcsLimitValue (0 4 0 1862 1 2)',
- 'hexoid': '06 06 04 00 8E 46 01 02',
- 'name': 'etsiQcsLimitValue',
- 'oid': (0, 4, 0, 1862, 1, 2)},
- (0, 4, 0, 1862, 1, 3): {'comment': 'ETSI TS 101 862 qualified certificates',
- 'description': 'etsiQcsRetentionPeriod (0 4 0 1862 1 3)',
- 'hexoid': '06 06 04 00 8E 46 01 03',
- 'name': 'etsiQcsRetentionPeriod',
- 'oid': (0, 4, 0, 1862, 1, 3)},
- (0, 4, 0, 1862, 1, 4): {'comment': 'ETSI TS 101 862 qualified certificates',
- 'description': 'etsiQcsQcSSCD (0 4 0 1862 1 4)',
- 'hexoid': '06 06 04 00 8E 46 01 04',
- 'name': 'etsiQcsQcSSCD',
- 'oid': (0, 4, 0, 1862, 1, 4)},
- (0, 9, 2342, 19200300, 100, 1, 1): {'comment': 'Some oddball X.500 attribute collection',
- 'description': 'userID (0 9 2342 19200300 100 1 1)',
- 'hexoid': '06 0A 09 92 26 89 93 F2 2C 64 01 01',
- 'name': 'userID',
- 'oid': (0, 9, 2342, 19200300, 100, 1, 1)},
- (0, 9, 2342, 19200300, 100, 1, 3): {'comment': 'Some oddball X.500 attribute collection',
- 'description': 'rfc822Mailbox (0 9 2342 19200300 100 1 3)',
- 'hexoid': '06 0A 09 92 26 89 93 F2 2C 64 01 03',
- 'name': 'rfc822Mailbox',
- 'oid': (0, 9, 2342, 19200300, 100, 1, 3)},
- (0, 9, 2342, 19200300, 100, 1, 25): {'comment': 'Men are from Mars, this OID is from Pluto',
- 'description': 'domainComponent (0 9 2342 19200300 100 1 25)',
- 'hexoid': '06 0A 09 92 26 89 93 F2 2C 64 01 19',
- 'name': 'domainComponent',
- 'oid': (0,
- 9,
- 2342,
- 19200300,
- 100,
- 1,
- 25)},
- (1, 2, 36, 1, 333, 1): {'comment': 'Australian Government corporate taxpayer ID',
- 'description': 'australianBusinessNumber (1 2 36 1 333 1)',
- 'hexoid': '06 06 2A 24 01 82 4D 01',
- 'name': 'australianBusinessNumber',
- 'oid': (1, 2, 36, 1, 333, 1)},
- (1, 2, 36, 68980861, 1, 1, 2): {'comment': 'Signet CA',
- 'description': 'Signet personal (1 2 36 68980861 1 1 2)',
- 'hexoid': '06 09 2A 24 A0 F2 A0 7D 01 01 02',
- 'name': 'Signet',
- 'oid': (1, 2, 36, 68980861, 1, 1, 2)},
- (1, 2, 36, 68980861, 1, 1, 3): {'comment': 'Signet CA',
- 'description': 'Signet business (1 2 36 68980861 1 1 3)',
- 'hexoid': '06 09 2A 24 A0 F2 A0 7D 01 01 03',
- 'name': 'Signet',
- 'oid': (1, 2, 36, 68980861, 1, 1, 3)},
- (1, 2, 36, 68980861, 1, 1, 4): {'comment': 'Signet CA',
- 'description': 'Signet legal (1 2 36 68980861 1 1 4)',
- 'hexoid': '06 09 2A 24 A0 F2 A0 7D 01 01 04',
- 'name': 'Signet',
- 'oid': (1, 2, 36, 68980861, 1, 1, 4)},
- (1, 2, 36, 68980861, 1, 1, 10): {'comment': 'Signet CA',
- 'description': 'Signet pilot (1 2 36 68980861 1 1 10)',
- 'hexoid': '06 09 2A 24 A0 F2 A0 7D 01 01 0A',
- 'name': 'Signet',
- 'oid': (1, 2, 36, 68980861, 1, 1, 10)},
- (1, 2, 36, 68980861, 1, 1, 11): {'comment': 'Signet CA',
- 'description': 'Signet intraNet (1 2 36 68980861 1 1 11)',
- 'hexoid': '06 09 2A 24 A0 F2 A0 7D 01 01 0B',
- 'name': 'Signet',
- 'oid': (1, 2, 36, 68980861, 1, 1, 11)},
- (1, 2, 36, 68980861, 1, 1, 20): {'comment': 'Signet CA',
- 'description': 'Signet policyIdentifier (1 2 36 68980861 1 1 20)',
- 'hexoid': '06 09 2A 24 A0 F2 A0 7D 01 01 14',
- 'name': 'Signet',
- 'oid': (1, 2, 36, 68980861, 1, 1, 20)},
- (1, 2, 36, 75878867, 1, 100, 1, 1): {'comment': 'Certificates Australia CA',
- 'description': 'Certificates Australia policyIdentifier (1 2 36 75878867 1 100 1 1)',
- 'hexoid': '06 0A 2A 24 A4 97 A3 53 01 64 01 01',
- 'name': 'Certificates',
- 'oid': (1,
- 2,
- 36,
- 75878867,
- 1,
- 100,
- 1,
- 1)},
- (1, 2, 392, 200011, 61, 1, 1, 1): {'comment': 'Mitsubishi security algorithm',
- 'description': 'symmetric-encryption-algorithm (1 2 392 200011 61 1 1 1)',
- 'hexoid': '06 0A 2A 83 08 8C 9A 4B 3D 01 01 01',
- 'name': 'symmetric-encryption-algorithm',
- 'oid': (1, 2, 392, 200011, 61, 1, 1, 1)},
- (1, 2, 392, 200011, 61, 1, 1, 1, 1): {'comment': 'Mitsubishi security algorithm',
- 'description': 'misty1-cbc (1 2 392 200011 61 1 1 1 1)',
- 'hexoid': '06 0B 2A 83 08 8C 9A 4B 3D 01 01 01 01',
- 'name': 'misty1-cbc',
- 'oid': (1,
- 2,
- 392,
- 200011,
- 61,
- 1,
- 1,
- 1,
- 1)},
- (1, 2, 752, 34, 1): {'comment': 'SEIS Project',
- 'description': 'seis-cp (1 2 752 34 1)',
- 'hexoid': '06 05 2A 85 70 22 01',
- 'name': 'seis-cp',
- 'oid': (1, 2, 752, 34, 1)},
- (1, 2, 752, 34, 1, 1): {'comment': 'SEIS Project certificate policies',
- 'description': 'SEIS high-assurance policyIdentifier (1 2 752 34 1 1)',
- 'hexoid': '06 06 2A 85 70 22 01 01',
- 'name': 'SEIS',
- 'oid': (1, 2, 752, 34, 1, 1)},
- (1, 2, 752, 34, 1, 2): {'comment': 'SEIS Project certificate policies',
- 'description': 'SEIS GAK policyIdentifier (1 2 752 34 1 2)',
- 'hexoid': '06 06 2A 85 70 22 01 02',
- 'name': 'SEIS',
- 'oid': (1, 2, 752, 34, 1, 2)},
- (1, 2, 752, 34, 2): {'comment': 'SEIS Project',
- 'description': 'SEIS pe (1 2 752 34 2)',
- 'hexoid': '06 05 2A 85 70 22 02',
- 'name': 'SEIS',
- 'oid': (1, 2, 752, 34, 2)},
- (1, 2, 752, 34, 3): {'comment': 'SEIS Project',
- 'description': 'SEIS at (1 2 752 34 3)',
- 'hexoid': '06 05 2A 85 70 22 03',
- 'name': 'SEIS',
- 'oid': (1, 2, 752, 34, 3)},
- (1, 2, 752, 34, 3, 1): {'comment': 'SEIS Project attribute',
- 'description': 'SEIS at-personalIdentifier (1 2 752 34 3 1)',
- 'hexoid': '06 06 2A 85 70 22 03 01',
- 'name': 'SEIS',
- 'oid': (1, 2, 752, 34, 3, 1)},
- (1, 2, 840, 10040, 1): {'comment': 'ANSI X9.57',
- 'description': 'module (1 2 840 10040 1)',
- 'hexoid': '06 06 2A 86 48 CE 38 01',
- 'name': 'module',
- 'oid': (1, 2, 840, 10040, 1)},
- (1, 2, 840, 10040, 1, 1): {'comment': 'ANSI X9.57 module',
- 'description': 'x9f1-cert-mgmt (1 2 840 10040 1 1)',
- 'hexoid': '06 07 2A 86 48 CE 38 01 01',
- 'name': 'x9f1-cert-mgmt',
- 'oid': (1, 2, 840, 10040, 1, 1)},
- (1, 2, 840, 10040, 2): {'comment': 'ANSI X9.57',
- 'description': 'holdinstruction (1 2 840 10040 2)',
- 'hexoid': '06 06 2A 86 48 CE 38 02',
- 'name': 'holdinstruction',
- 'oid': (1, 2, 840, 10040, 2)},
- (1, 2, 840, 10040, 2, 1): {'comment': 'ANSI X9.57 hold instruction',
- 'description': 'holdinstruction-none (1 2 840 10040 2 1)',
- 'hexoid': '06 07 2A 86 48 CE 38 02 01',
- 'name': 'holdinstruction-none',
- 'oid': (1, 2, 840, 10040, 2, 1)},
- (1, 2, 840, 10040, 2, 2): {'comment': 'ANSI X9.57 hold instruction',
- 'description': 'callissuer (1 2 840 10040 2 2)',
- 'hexoid': '06 07 2A 86 48 CE 38 02 02',
- 'name': 'callissuer',
- 'oid': (1, 2, 840, 10040, 2, 2)},
- (1, 2, 840, 10040, 2, 3): {'comment': 'ANSI X9.57 hold instruction',
- 'description': 'reject (1 2 840 10040 2 3)',
- 'hexoid': '06 07 2A 86 48 CE 38 02 03',
- 'name': 'reject',
- 'oid': (1, 2, 840, 10040, 2, 3)},
- (1, 2, 840, 10040, 2, 4): {'comment': 'ANSI X9.57 hold instruction',
- 'description': 'pickupToken (1 2 840 10040 2 4)',
- 'hexoid': '06 07 2A 86 48 CE 38 02 04',
- 'name': 'pickupToken',
- 'oid': (1, 2, 840, 10040, 2, 4)},
- (1, 2, 840, 10040, 3): {'comment': 'ANSI X9.57',
- 'description': 'attribute (1 2 840 10040 3)',
- 'hexoid': '06 06 2A 86 48 CE 38 03',
- 'name': 'attribute',
- 'oid': (1, 2, 840, 10040, 3)},
- (1, 2, 840, 10040, 3, 1): {'comment': 'ANSI X9.57 attribute',
- 'description': 'countersignature (1 2 840 10040 3 1)',
- 'hexoid': '06 07 2A 86 48 CE 38 03 01',
- 'name': 'countersignature',
- 'oid': (1, 2, 840, 10040, 3, 1)},
- (1, 2, 840, 10040, 3, 2): {'comment': 'ANSI X9.57 attribute',
- 'description': 'attribute-cert (1 2 840 10040 3 2)',
- 'hexoid': '06 07 2A 86 48 CE 38 03 02',
- 'name': 'attribute-cert',
- 'oid': (1, 2, 840, 10040, 3, 2)},
- (1, 2, 840, 10040, 4): {'comment': 'ANSI X9.57',
- 'description': 'algorithm (1 2 840 10040 4)',
- 'hexoid': '06 06 2A 86 48 CE 38 04',
- 'name': 'algorithm',
- 'oid': (1, 2, 840, 10040, 4)},
- (1, 2, 840, 10040, 4, 1): {'comment': 'ANSI X9.57 algorithm',
- 'description': 'dsa (1 2 840 10040 4 1)',
- 'hexoid': '06 07 2A 86 48 CE 38 04 01',
- 'name': 'dsa',
- 'oid': (1, 2, 840, 10040, 4, 1)},
- (1, 2, 840, 10040, 4, 2): {'comment': 'ANSI X9.57 algorithm',
- 'description': 'dsa-match (1 2 840 10040 4 2)',
- 'hexoid': '06 07 2A 86 48 CE 38 04 02',
- 'name': 'dsa-match',
- 'oid': (1, 2, 840, 10040, 4, 2)},
- (1, 2, 840, 10040, 4, 3): {'comment': 'ANSI X9.57 algorithm',
- 'description': 'dsaWithSha1 (1 2 840 10040 4 3)',
- 'hexoid': '06 07 2A 86 48 CE 38 04 03',
- 'name': 'dsaWithSha1',
- 'oid': (1, 2, 840, 10040, 4, 3)},
- (1, 2, 840, 10045, 1): {'comment': 'ANSI X9.62. This OID is also assigned as ecdsa-with-SHA1',
- 'description': 'fieldType (1 2 840 10045 1)',
- 'hexoid': '06 06 2A 86 48 CE 3D 01',
- 'name': 'fieldType',
- 'oid': (1, 2, 840, 10045, 1)},
- (1, 2, 840, 10045, 1, 1): {'comment': 'ANSI X9.62 field type',
- 'description': 'prime-field (1 2 840 10045 1 1)',
- 'hexoid': '06 07 2A 86 48 CE 3D 01 01',
- 'name': 'prime-field',
- 'oid': (1, 2, 840, 10045, 1, 1)},
- (1, 2, 840, 10045, 1, 2): {'comment': 'ANSI X9.62 field type',
- 'description': 'characteristic-two-field (1 2 840 10045 1 2)',
- 'hexoid': '06 07 2A 86 48 CE 3D 01 02',
- 'name': 'characteristic-two-field',
- 'oid': (1, 2, 840, 10045, 1, 2)},
- (1, 2, 840, 10045, 1, 2, 3): {'comment': 'ANSI X9.62 field type',
- 'description': 'characteristic-two-basis (1 2 840 10045 1 2 3)',
- 'hexoid': '06 08 2A 86 48 CE 3D 01 02 03',
- 'name': 'characteristic-two-basis',
- 'oid': (1, 2, 840, 10045, 1, 2, 3)},
- (1, 2, 840, 10045, 1, 2, 3, 1): {'comment': 'ANSI X9.62 field basis',
- 'description': 'onBasis (1 2 840 10045 1 2 3 1)',
- 'hexoid': '06 09 2A 86 48 CE 3D 01 02 03 01',
- 'name': 'onBasis',
- 'oid': (1, 2, 840, 10045, 1, 2, 3, 1)},
- (1, 2, 840, 10045, 1, 2, 3, 2): {'comment': 'ANSI X9.62 field basis',
- 'description': 'tpBasis (1 2 840 10045 1 2 3 2)',
- 'hexoid': '06 09 2A 86 48 CE 3D 01 02 03 02',
- 'name': 'tpBasis',
- 'oid': (1, 2, 840, 10045, 1, 2, 3, 2)},
- (1, 2, 840, 10045, 1, 2, 3, 3): {'comment': 'ANSI X9.62 field basis',
- 'description': 'ppBasis (1 2 840 10045 1 2 3 3)',
- 'hexoid': '06 09 2A 86 48 CE 3D 01 02 03 03',
- 'name': 'ppBasis',
- 'oid': (1, 2, 840, 10045, 1, 2, 3, 3)},
- (1, 2, 840, 10045, 2): {'comment': 'ANSI X9.62',
- 'description': 'publicKeyType (1 2 840 10045 2)',
- 'hexoid': '06 06 2A 86 48 CE 3D 02',
- 'name': 'publicKeyType',
- 'oid': (1, 2, 840, 10045, 2)},
- (1, 2, 840, 10045, 2, 1): {'comment': 'ANSI X9.62 public key type',
- 'description': 'ecPublicKey (1 2 840 10045 2 1)',
- 'hexoid': '06 07 2A 86 48 CE 3D 02 01',
- 'name': 'ecPublicKey',
- 'oid': (1, 2, 840, 10045, 2, 1)},
- (1, 2, 840, 10045, 3, 0, 1): {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'c2pnb163v1 (1 2 840 10045 3 0 1)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 00 01',
- 'name': 'c2pnb163v1',
- 'oid': (1, 2, 840, 10045, 3, 0, 1)},
- (1, 2, 840, 10045, 3, 0, 2): {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'c2pnb163v2 (1 2 840 10045 3 0 2)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 00 02',
- 'name': 'c2pnb163v2',
- 'oid': (1, 2, 840, 10045, 3, 0, 2)},
- (1, 2, 840, 10045, 3, 0, 3): {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'c2pnb163v3 (1 2 840 10045 3 0 3)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 00 03',
- 'name': 'c2pnb163v3',
- 'oid': (1, 2, 840, 10045, 3, 0, 3)},
- (1, 2, 840, 10045, 3, 0, 5): {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'c2tnb191v1 (1 2 840 10045 3 0 5)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 00 05',
- 'name': 'c2tnb191v1',
- 'oid': (1, 2, 840, 10045, 3, 0, 5)},
- (1, 2, 840, 10045, 3, 0, 6): {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'c2tnb191v2 (1 2 840 10045 3 0 6)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 00 06',
- 'name': 'c2tnb191v2',
- 'oid': (1, 2, 840, 10045, 3, 0, 6)},
- (1, 2, 840, 10045, 3, 0, 7): {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'c2tnb191v3 (1 2 840 10045 3 0 7)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 00 07',
- 'name': 'c2tnb191v3',
- 'oid': (1, 2, 840, 10045, 3, 0, 7)},
- (1, 2, 840, 10045, 3, 0, 10): {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'c2pnb208w1 (1 2 840 10045 3 0 10)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 00 0A',
- 'name': 'c2pnb208w1',
- 'oid': (1, 2, 840, 10045, 3, 0, 10)},
- (1, 2, 840, 10045, 3, 0, 11): {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'c2tnb239v1 (1 2 840 10045 3 0 11)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 00 0B',
- 'name': 'c2tnb239v1',
- 'oid': (1, 2, 840, 10045, 3, 0, 11)},
- (1, 2, 840, 10045, 3, 0, 12): {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'c2tnb239v2 (1 2 840 10045 3 0 12)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 00 0C',
- 'name': 'c2tnb239v2',
- 'oid': (1, 2, 840, 10045, 3, 0, 12)},
- (1, 2, 840, 10045, 3, 0, 13): {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'c2tnb239v3 (1 2 840 10045 3 0 13)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 00 0D',
- 'name': 'c2tnb239v3',
- 'oid': (1, 2, 840, 10045, 3, 0, 13)},
- (1, 2, 840, 10045, 3, 0, 16): {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'c2pnb272w1 (1 2 840 10045 3 0 16)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 00 10',
- 'name': 'c2pnb272w1',
- 'oid': (1, 2, 840, 10045, 3, 0, 16)},
- (1, 2, 840, 10045, 3, 0, 18): {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'c2tnb359v1 (1 2 840 10045 3 0 18)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 00 12',
- 'name': 'c2tnb359v1',
- 'oid': (1, 2, 840, 10045, 3, 0, 18)},
- (1, 2, 840, 10045, 3, 0, 19): {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'c2pnb368w1 (1 2 840 10045 3 0 19)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 00 13',
- 'name': 'c2pnb368w1',
- 'oid': (1, 2, 840, 10045, 3, 0, 19)},
- (1, 2, 840, 10045, 3, 0, 20): {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'c2tnb431r1 (1 2 840 10045 3 0 20)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 00 14',
- 'name': 'c2tnb431r1',
- 'oid': (1, 2, 840, 10045, 3, 0, 20)},
- (1, 2, 840, 10045, 3, 1, 1): {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'ansiX9p192r1 (1 2 840 10045 3 1 1)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 01 01',
- 'name': 'ansiX9p192r1',
- 'oid': (1, 2, 840, 10045, 3, 1, 1)},
- (1, 2, 840, 10045, 3, 1, 1, 1): {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'prime192v1 (1 2 840 10045 3 1 1 1)',
- 'hexoid': '06 09 2A 86 48 CE 3D 03 01 01 01',
- 'name': 'prime192v1',
- 'oid': (1, 2, 840, 10045, 3, 1, 1, 1)},
- (1, 2, 840, 10045, 3, 1, 1, 2): {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'prime192v2 (1 2 840 10045 3 1 1 2)',
- 'hexoid': '06 09 2A 86 48 CE 3D 03 01 01 02',
- 'name': 'prime192v2',
- 'oid': (1, 2, 840, 10045, 3, 1, 1, 2)},
- (1, 2, 840, 10045, 3, 1, 1, 3): {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'prime192v3 (1 2 840 10045 3 1 1 3)',
- 'hexoid': '06 09 2A 86 48 CE 3D 03 01 01 03',
- 'name': 'prime192v3',
- 'oid': (1, 2, 840, 10045, 3, 1, 1, 3)},
- (1, 2, 840, 10045, 3, 1, 1, 4): {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'prime239v1 (1 2 840 10045 3 1 1 4)',
- 'hexoid': '06 09 2A 86 48 CE 3D 03 01 01 04',
- 'name': 'prime239v1',
- 'oid': (1, 2, 840, 10045, 3, 1, 1, 4)},
- (1, 2, 840, 10045, 3, 1, 1, 5): {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'prime239v2 (1 2 840 10045 3 1 1 5)',
- 'hexoid': '06 09 2A 86 48 CE 3D 03 01 01 05',
- 'name': 'prime239v2',
- 'oid': (1, 2, 840, 10045, 3, 1, 1, 5)},
- (1, 2, 840, 10045, 3, 1, 1, 6): {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'prime239v3 (1 2 840 10045 3 1 1 6)',
- 'hexoid': '06 09 2A 86 48 CE 3D 03 01 01 06',
- 'name': 'prime239v3',
- 'oid': (1, 2, 840, 10045, 3, 1, 1, 6)},
- (1, 2, 840, 10045, 3, 1, 1, 7): {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'prime256v1 (1 2 840 10045 3 1 1 7)',
- 'hexoid': '06 09 2A 86 48 CE 3D 03 01 01 07',
- 'name': 'prime256v1',
- 'oid': (1, 2, 840, 10045, 3, 1, 1, 7)},
- (1, 2, 840, 10045, 3, 1, 7): {'comment': 'ANSI X9.62 named elliptic curve',
- 'description': 'ansiX9p256r1 (1 2 840 10045 3 1 7)',
- 'hexoid': '06 08 2A 86 48 CE 3D 03 01 07',
- 'name': 'ansiX9p256r1',
- 'oid': (1, 2, 840, 10045, 3, 1, 7)},
- (1, 2, 840, 10045, 4, 1): {'comment': 'ANSI X9.62 ECDSA algorithm with SHA1',
- 'description': 'ecdsaWithSHA1 (1 2 840 10045 4 1)',
- 'hexoid': '06 07 2A 86 48 CE 3D 04 01',
- 'name': 'ecdsaWithSHA1',
- 'oid': (1, 2, 840, 10045, 4, 1)},
- (1, 2, 840, 10045, 4, 2): {'comment': 'ANSI X9.62 ECDSA algorithm with Recommended',
- 'description': 'ecdsaWithRecommended (1 2 840 10045 4 2)',
- 'hexoid': '06 07 2A 86 48 CE 3D 04 02',
- 'name': 'ecdsaWithRecommended',
- 'oid': (1, 2, 840, 10045, 4, 2)},
- (1, 2, 840, 10045, 4, 3): {'comment': 'ANSI X9.62 ECDSA algorithm with Specified',
- 'description': 'ecdsaWithSpecified (1 2 840 10045 4 3)',
- 'hexoid': '06 07 2A 86 48 CE 3D 04 03',
- 'name': 'ecdsaWithSpecified',
- 'oid': (1, 2, 840, 10045, 4, 3)},
- (1, 2, 840, 10045, 4, 3, 1): {'comment': 'ANSI X9.62 ECDSA algorithm with SHA224',
- 'description': 'ecdsaWithSHA224 (1 2 840 10045 4 3 1)',
- 'hexoid': '06 08 2A 86 48 CE 3D 04 03 01',
- 'name': 'ecdsaWithSHA224',
- 'oid': (1, 2, 840, 10045, 4, 3, 1)},
- (1, 2, 840, 10045, 4, 3, 2): {'comment': 'ANSI X9.62 ECDSA algorithm with SHA256',
- 'description': 'ecdsaWithSHA256 (1 2 840 10045 4 3 2)',
- 'hexoid': '06 08 2A 86 48 CE 3D 04 03 02',
- 'name': 'ecdsaWithSHA256',
- 'oid': (1, 2, 840, 10045, 4, 3, 2)},
- (1, 2, 840, 10045, 4, 3, 3): {'comment': 'ANSI X9.62 ECDSA algorithm with SHA384',
- 'description': 'ecdsaWithSHA384 (1 2 840 10045 4 3 3)',
- 'hexoid': '06 08 2A 86 48 CE 3D 04 03 03',
- 'name': 'ecdsaWithSHA384',
- 'oid': (1, 2, 840, 10045, 4, 3, 3)},
- (1, 2, 840, 10045, 4, 3, 4): {'comment': 'ANSI X9.62 ECDSA algorithm with SHA512',
- 'description': 'ecdsaWithSHA512 (1 2 840 10045 4 3 4)',
- 'hexoid': '06 08 2A 86 48 CE 3D 04 03 04',
- 'name': 'ecdsaWithSHA512',
- 'oid': (1, 2, 840, 10045, 4, 3, 4)},
- (1, 2, 840, 10046, 1): {'comment': 'ANSI X9.42',
- 'description': 'fieldType (1 2 840 10046 1)',
- 'hexoid': '06 06 2A 86 48 CE 3E 01',
- 'name': 'fieldType',
- 'oid': (1, 2, 840, 10046, 1)},
- (1, 2, 840, 10046, 1, 1): {'comment': 'ANSI X9.42 field type',
- 'description': 'gf-prime (1 2 840 10046 1 1)',
- 'hexoid': '06 07 2A 86 48 CE 3E 01 01',
- 'name': 'gf-prime',
- 'oid': (1, 2, 840, 10046, 1, 1)},
- (1, 2, 840, 10046, 2): {'comment': 'ANSI X9.42',
- 'description': 'numberType (1 2 840 10046 2)',
- 'hexoid': '06 06 2A 86 48 CE 3E 02',
- 'name': 'numberType',
- 'oid': (1, 2, 840, 10046, 2)},
- (1, 2, 840, 10046, 2, 1): {'comment': 'ANSI X9.42 number type',
- 'description': 'dhPublicKey (1 2 840 10046 2 1)',
- 'hexoid': '06 07 2A 86 48 CE 3E 02 01',
- 'name': 'dhPublicKey',
- 'oid': (1, 2, 840, 10046, 2, 1)},
- (1, 2, 840, 10046, 3): {'comment': 'ANSI X9.42',
- 'description': 'scheme (1 2 840 10046 3)',
- 'hexoid': '06 06 2A 86 48 CE 3E 03',
- 'name': 'scheme',
- 'oid': (1, 2, 840, 10046, 3)},
- (1, 2, 840, 10046, 3, 1): {'comment': 'ANSI X9.42 scheme',
- 'description': 'dhStatic (1 2 840 10046 3 1)',
- 'hexoid': '06 07 2A 86 48 CE 3E 03 01',
- 'name': 'dhStatic',
- 'oid': (1, 2, 840, 10046, 3, 1)},
- (1, 2, 840, 10046, 3, 2): {'comment': 'ANSI X9.42 scheme',
- 'description': 'dhEphem (1 2 840 10046 3 2)',
- 'hexoid': '06 07 2A 86 48 CE 3E 03 02',
- 'name': 'dhEphem',
- 'oid': (1, 2, 840, 10046, 3, 2)},
- (1, 2, 840, 10046, 3, 3): {'comment': 'ANSI X9.42 scheme',
- 'description': 'dhHybrid1 (1 2 840 10046 3 3)',
- 'hexoid': '06 07 2A 86 48 CE 3E 03 03',
- 'name': 'dhHybrid1',
- 'oid': (1, 2, 840, 10046, 3, 3)},
- (1, 2, 840, 10046, 3, 4): {'comment': 'ANSI X9.42 scheme',
- 'description': 'dhHybrid2 (1 2 840 10046 3 4)',
- 'hexoid': '06 07 2A 86 48 CE 3E 03 04',
- 'name': 'dhHybrid2',
- 'oid': (1, 2, 840, 10046, 3, 4)},
- (1, 2, 840, 10046, 3, 5): {'comment': 'ANSI X9.42 scheme',
- 'description': 'mqv2 (1 2 840 10046 3 5)',
- 'hexoid': '06 07 2A 86 48 CE 3E 03 05',
- 'name': 'mqv2',
- 'oid': (1, 2, 840, 10046, 3, 5)},
- (1, 2, 840, 10046, 3, 6): {'comment': 'ANSI X9.42 scheme',
- 'description': 'mqv1 (1 2 840 10046 3 6)',
- 'hexoid': '06 07 2A 86 48 CE 3E 03 06',
- 'name': 'mqv1',
- 'oid': (1, 2, 840, 10046, 3, 6)},
- (1, 2, 840, 10065, 2, 2): {'comment': 'ASTM 31.20',
- 'description': '? (1 2 840 10065 2 2)',
- 'hexoid': '06 07 2A 86 48 CE 51 02 02',
- 'name': '?',
- 'oid': (1, 2, 840, 10065, 2, 2)},
- (1, 2, 840, 10065, 2, 3): {'comment': 'ASTM 31.20',
- 'description': 'healthcareLicense (1 2 840 10065 2 3)',
- 'hexoid': '06 07 2A 86 48 CE 51 02 03',
- 'name': 'healthcareLicense',
- 'oid': (1, 2, 840, 10065, 2, 3)},
- (1, 2, 840, 10065, 2, 3, 1, 1): {'comment': 'ASTM 31.20 healthcare license type',
- 'description': 'license? (1 2 840 10065 2 3 1 1)',
- 'hexoid': '06 09 2A 86 48 CE 51 02 03 01 01',
- 'name': 'license?',
- 'oid': (1, 2, 840, 10065, 2, 3, 1, 1)},
- (1, 2, 840, 113533, 7): {'description': 'nsn (1 2 840 113533 7)',
- 'hexoid': '06 07 2A 86 48 86 F6 7D 07',
- 'name': 'nsn',
- 'oid': (1, 2, 840, 113533, 7)},
- (1, 2, 840, 113533, 7, 65): {'description': 'nsn-ce (1 2 840 113533 7 65)',
- 'hexoid': '06 08 2A 86 48 86 F6 7D 07 41',
- 'name': 'nsn-ce',
- 'oid': (1, 2, 840, 113533, 7, 65)},
- (1, 2, 840, 113533, 7, 65, 0): {'comment': 'Nortel Secure Networks ce',
- 'description': 'entrustVersInfo (1 2 840 113533 7 65 0)',
- 'hexoid': '06 09 2A 86 48 86 F6 7D 07 41 00',
- 'name': 'entrustVersInfo',
- 'oid': (1, 2, 840, 113533, 7, 65, 0)},
- (1, 2, 840, 113533, 7, 66): {'description': 'nsn-alg (1 2 840 113533 7 66)',
- 'hexoid': '06 08 2A 86 48 86 F6 7D 07 42',
- 'name': 'nsn-alg',
- 'oid': (1, 2, 840, 113533, 7, 66)},
- (1, 2, 840, 113533, 7, 66, 3): {'comment': 'Nortel Secure Networks alg',
- 'description': 'cast3CBC (1 2 840 113533 7 66 3)',
- 'hexoid': '06 09 2A 86 48 86 F6 7D 07 42 03',
- 'name': 'cast3CBC',
- 'oid': (1, 2, 840, 113533, 7, 66, 3)},
- (1, 2, 840, 113533, 7, 66, 10): {'comment': 'Nortel Secure Networks alg',
- 'description': 'cast5CBC (1 2 840 113533 7 66 10)',
- 'hexoid': '06 09 2A 86 48 86 F6 7D 07 42 0A',
- 'name': 'cast5CBC',
- 'oid': (1, 2, 840, 113533, 7, 66, 10)},
- (1, 2, 840, 113533, 7, 66, 11): {'comment': 'Nortel Secure Networks alg',
- 'description': 'cast5MAC (1 2 840 113533 7 66 11)',
- 'hexoid': '06 09 2A 86 48 86 F6 7D 07 42 0B',
- 'name': 'cast5MAC',
- 'oid': (1, 2, 840, 113533, 7, 66, 11)},
- (1, 2, 840, 113533, 7, 66, 12): {'comment': 'Nortel Secure Networks alg',
- 'description': 'pbeWithMD5AndCAST5-CBC (1 2 840 113533 7 66 12)',
- 'hexoid': '06 09 2A 86 48 86 F6 7D 07 42 0C',
- 'name': 'pbeWithMD5AndCAST5-CBC',
- 'oid': (1, 2, 840, 113533, 7, 66, 12)},
- (1, 2, 840, 113533, 7, 66, 13): {'comment': 'Nortel Secure Networks alg',
- 'description': 'passwordBasedMac (1 2 840 113533 7 66 13)',
- 'hexoid': '06 09 2A 86 48 86 F6 7D 07 42 0D',
- 'name': 'passwordBasedMac',
- 'oid': (1, 2, 840, 113533, 7, 66, 13)},
- (1, 2, 840, 113533, 7, 67): {'description': 'nsn-oc (1 2 840 113533 7 67)',
- 'hexoid': '06 08 2A 86 48 86 F6 7D 07 43',
- 'name': 'nsn-oc',
- 'oid': (1, 2, 840, 113533, 7, 67)},
- (1, 2, 840, 113533, 7, 67, 0): {'comment': 'Nortel Secure Networks oc',
- 'description': 'entrustUser (1 2 840 113533 7 67 0)',
- 'hexoid': '06 09 2A 86 48 86 F6 7D 07 43 00',
- 'name': 'entrustUser',
- 'oid': (1, 2, 840, 113533, 7, 67, 0)},
- (1, 2, 840, 113533, 7, 68): {'description': 'nsn-at (1 2 840 113533 7 68)',
- 'hexoid': '06 08 2A 86 48 86 F6 7D 07 44',
- 'name': 'nsn-at',
- 'oid': (1, 2, 840, 113533, 7, 68)},
- (1, 2, 840, 113533, 7, 68, 0): {'comment': 'Nortel Secure Networks at',
- 'description': 'entrustCAInfo (1 2 840 113533 7 68 0)',
- 'hexoid': '06 09 2A 86 48 86 F6 7D 07 44 00',
- 'name': 'entrustCAInfo',
- 'oid': (1, 2, 840, 113533, 7, 68, 0)},
- (1, 2, 840, 113533, 7, 68, 10): {'comment': 'Nortel Secure Networks at',
- 'description': 'attributeCertificate (1 2 840 113533 7 68 10)',
- 'hexoid': '06 09 2A 86 48 86 F6 7D 07 44 0A',
- 'name': 'attributeCertificate',
- 'oid': (1, 2, 840, 113533, 7, 68, 10)},
- (1, 2, 840, 113549, 1, 1): {'description': 'pkcs-1 (1 2 840 113549 1 1)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 01 01',
- 'name': 'pkcs-1',
- 'oid': (1, 2, 840, 113549, 1, 1)},
- (1, 2, 840, 113549, 1, 1, 1): {'comment': 'PKCS #1',
- 'description': 'rsaEncryption (1 2 840 113549 1 1 1)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 01 01',
- 'name': 'rsaEncryption',
- 'oid': (1, 2, 840, 113549, 1, 1, 1)},
- (1, 2, 840, 113549, 1, 1, 2): {'comment': 'PKCS #1',
- 'description': 'md2withRSAEncryption (1 2 840 113549 1 1 2)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 01 02',
- 'name': 'md2withRSAEncryption',
- 'oid': (1, 2, 840, 113549, 1, 1, 2)},
- (1, 2, 840, 113549, 1, 1, 3): {'comment': 'PKCS #1',
- 'description': 'md4withRSAEncryption (1 2 840 113549 1 1 3)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 01 03',
- 'name': 'md4withRSAEncryption',
- 'oid': (1, 2, 840, 113549, 1, 1, 3)},
- (1, 2, 840, 113549, 1, 1, 4): {'comment': 'PKCS #1',
- 'description': 'md5withRSAEncryption (1 2 840 113549 1 1 4)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 01 04',
- 'name': 'md5withRSAEncryption',
- 'oid': (1, 2, 840, 113549, 1, 1, 4)},
- (1, 2, 840, 113549, 1, 1, 5): {'comment': 'PKCS #1',
- 'description': 'sha1withRSAEncryption (1 2 840 113549 1 1 5)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 01 05',
- 'name': 'sha1withRSAEncryption',
- 'oid': (1, 2, 840, 113549, 1, 1, 5)},
- (1, 2, 840, 113549, 1, 1, 6): {'comment': 'PKCS #1. This OID may also be assigned as ripemd160WithRSAEncryption',
- 'description': 'rsaOAEPEncryptionSET (1 2 840 113549 1 1 6)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 01 06',
- 'name': 'rsaOAEPEncryptionSET',
- 'oid': (1, 2, 840, 113549, 1, 1, 6)},
- (1, 2, 840, 113549, 1, 1, 7): {'comment': 'PKCS #1',
- 'description': 'rsaOAEP (1 2 840 113549 1 1 7)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 01 07',
- 'name': 'rsaOAEP',
- 'oid': (1, 2, 840, 113549, 1, 1, 7)},
- (1, 2, 840, 113549, 1, 1, 8): {'comment': 'PKCS #1',
- 'description': 'pkcs1-MGF (1 2 840 113549 1 1 8)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 01 08',
- 'name': 'pkcs1-MGF',
- 'oid': (1, 2, 840, 113549, 1, 1, 8)},
- (1, 2, 840, 113549, 1, 1, 9): {'comment': 'PKCS #1',
- 'description': 'rsaOAEP-pSpecified (1 2 840 113549 1 1 9)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 01 09',
- 'name': 'rsaOAEP-pSpecified',
- 'oid': (1, 2, 840, 113549, 1, 1, 9)},
- (1, 2, 840, 113549, 1, 1, 10): {'comment': 'PKCS #1',
- 'description': 'rsaPSS (1 2 840 113549 1 1 10)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 01 0A',
- 'name': 'rsaPSS',
- 'oid': (1, 2, 840, 113549, 1, 1, 10)},
- (1, 2, 840, 113549, 1, 1, 11): {'comment': 'PKCS #1',
- 'description': 'sha256WithRSAEncryption (1 2 840 113549 1 1 11)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 01 0B',
- 'name': 'sha256WithRSAEncryption',
- 'oid': (1, 2, 840, 113549, 1, 1, 11)},
- (1, 2, 840, 113549, 1, 1, 12): {'comment': 'PKCS #1',
- 'description': 'sha384WithRSAEncryption (1 2 840 113549 1 1 12)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 01 0C',
- 'name': 'sha384WithRSAEncryption',
- 'oid': (1, 2, 840, 113549, 1, 1, 12)},
- (1, 2, 840, 113549, 1, 1, 13): {'comment': 'PKCS #1',
- 'description': 'sha512WithRSAEncryption (1 2 840 113549 1 1 13)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 01 0D',
- 'name': 'sha512WithRSAEncryption',
- 'oid': (1, 2, 840, 113549, 1, 1, 13)},
- (1, 2, 840, 113549, 1, 3): {'description': 'pkcs-3 (1 2 840 113549 1 3)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 01 03',
- 'name': 'pkcs-3',
- 'oid': (1, 2, 840, 113549, 1, 3)},
- (1, 2, 840, 113549, 1, 3, 1): {'comment': 'PKCS #3',
- 'description': 'dhKeyAgreement (1 2 840 113549 1 3 1)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 03 01',
- 'name': 'dhKeyAgreement',
- 'oid': (1, 2, 840, 113549, 1, 3, 1)},
- (1, 2, 840, 113549, 1, 5): {'description': 'pkcs-5 (1 2 840 113549 1 5)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 01 05',
- 'name': 'pkcs-5',
- 'oid': (1, 2, 840, 113549, 1, 5)},
- (1, 2, 840, 113549, 1, 5, 1): {'comment': 'PKCS #5',
- 'description': 'pbeWithMD2AndDES-CBC (1 2 840 113549 1 5 1)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 05 01',
- 'name': 'pbeWithMD2AndDES-CBC',
- 'oid': (1, 2, 840, 113549, 1, 5, 1)},
- (1, 2, 840, 113549, 1, 5, 3): {'comment': 'PKCS #5',
- 'description': 'pbeWithMD5AndDES-CBC (1 2 840 113549 1 5 3)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 05 03',
- 'name': 'pbeWithMD5AndDES-CBC',
- 'oid': (1, 2, 840, 113549, 1, 5, 3)},
- (1, 2, 840, 113549, 1, 5, 4): {'comment': 'PKCS #5',
- 'description': 'pbeWithMD2AndRC2-CBC (1 2 840 113549 1 5 4)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 05 04',
- 'name': 'pbeWithMD2AndRC2-CBC',
- 'oid': (1, 2, 840, 113549, 1, 5, 4)},
- (1, 2, 840, 113549, 1, 5, 6): {'comment': 'PKCS #5',
- 'description': 'pbeWithMD5AndRC2-CBC (1 2 840 113549 1 5 6)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 05 06',
- 'name': 'pbeWithMD5AndRC2-CBC',
- 'oid': (1, 2, 840, 113549, 1, 5, 6)},
- (1, 2, 840, 113549, 1, 5, 10): {'comment': 'PKCS #5',
- 'description': 'pbeWithSHAAndDES-CBC (1 2 840 113549 1 5 10)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 05 0A',
- 'name': 'pbeWithSHAAndDES-CBC',
- 'oid': (1, 2, 840, 113549, 1, 5, 10)},
- (1, 2, 840, 113549, 1, 5, 12): {'comment': 'PKCS #5 v2.0',
- 'description': 'pkcs5PBKDF2 (1 2 840 113549 1 5 12)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 05 0C',
- 'name': 'pkcs5PBKDF2',
- 'oid': (1, 2, 840, 113549, 1, 5, 12)},
- (1, 2, 840, 113549, 1, 5, 13): {'comment': 'PKCS #5 v2.0',
- 'description': 'pkcs5PBES2 (1 2 840 113549 1 5 13)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 05 0D',
- 'name': 'pkcs5PBES2',
- 'oid': (1, 2, 840, 113549, 1, 5, 13)},
- (1, 2, 840, 113549, 1, 5, 14): {'comment': 'PKCS #5 v2.0',
- 'description': 'pkcs5PBMAC1 (1 2 840 113549 1 5 14)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 05 0E',
- 'name': 'pkcs5PBMAC1',
- 'oid': (1, 2, 840, 113549, 1, 5, 14)},
- (1, 2, 840, 113549, 1, 7): {'description': 'pkcs-7 (1 2 840 113549 1 7)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 01 07',
- 'name': 'pkcs-7',
- 'oid': (1, 2, 840, 113549, 1, 7)},
- (1, 2, 840, 113549, 1, 7, 1): {'comment': 'PKCS #7',
- 'description': 'data (1 2 840 113549 1 7 1)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 07 01',
- 'name': 'data',
- 'oid': (1, 2, 840, 113549, 1, 7, 1)},
- (1, 2, 840, 113549, 1, 7, 2): {'comment': 'PKCS #7',
- 'description': 'signedData (1 2 840 113549 1 7 2)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 07 02',
- 'name': 'signedData',
- 'oid': (1, 2, 840, 113549, 1, 7, 2)},
- (1, 2, 840, 113549, 1, 7, 3): {'comment': 'PKCS #7',
- 'description': 'envelopedData (1 2 840 113549 1 7 3)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 07 03',
- 'name': 'envelopedData',
- 'oid': (1, 2, 840, 113549, 1, 7, 3)},
- (1, 2, 840, 113549, 1, 7, 4): {'comment': 'PKCS #7',
- 'description': 'signedAndEnvelopedData (1 2 840 113549 1 7 4)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 07 04',
- 'name': 'signedAndEnvelopedData',
- 'oid': (1, 2, 840, 113549, 1, 7, 4)},
- (1, 2, 840, 113549, 1, 7, 5): {'comment': 'PKCS #7',
- 'description': 'digestedData (1 2 840 113549 1 7 5)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 07 05',
- 'name': 'digestedData',
- 'oid': (1, 2, 840, 113549, 1, 7, 5)},
- (1, 2, 840, 113549, 1, 7, 6): {'comment': 'PKCS #7',
- 'description': 'encryptedData (1 2 840 113549 1 7 6)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 07 06',
- 'name': 'encryptedData',
- 'oid': (1, 2, 840, 113549, 1, 7, 6)},
- (1, 2, 840, 113549, 1, 9): {'description': 'pkcs-9 (1 2 840 113549 1 9)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 01 09',
- 'name': 'pkcs-9',
- 'oid': (1, 2, 840, 113549, 1, 9)},
- (1, 2, 840, 113549, 1, 9, 1): {'comment': 'PKCS #9. Deprecated, use an altName extension instead',
- 'description': 'emailAddress (1 2 840 113549 1 9 1)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 01',
- 'name': 'emailAddress',
- 'oid': (1, 2, 840, 113549, 1, 9, 1)},
- (1, 2, 840, 113549, 1, 9, 2): {'comment': 'PKCS #9',
- 'description': 'unstructuredName (1 2 840 113549 1 9 2)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 02',
- 'name': 'unstructuredName',
- 'oid': (1, 2, 840, 113549, 1, 9, 2)},
- (1, 2, 840, 113549, 1, 9, 3): {'comment': 'PKCS #9',
- 'description': 'contentType (1 2 840 113549 1 9 3)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 03',
- 'name': 'contentType',
- 'oid': (1, 2, 840, 113549, 1, 9, 3)},
- (1, 2, 840, 113549, 1, 9, 4): {'comment': 'PKCS #9',
- 'description': 'messageDigest (1 2 840 113549 1 9 4)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 04',
- 'name': 'messageDigest',
- 'oid': (1, 2, 840, 113549, 1, 9, 4)},
- (1, 2, 840, 113549, 1, 9, 5): {'comment': 'PKCS #9',
- 'description': 'signingTime (1 2 840 113549 1 9 5)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 05',
- 'name': 'signingTime',
- 'oid': (1, 2, 840, 113549, 1, 9, 5)},
- (1, 2, 840, 113549, 1, 9, 6): {'comment': 'PKCS #9',
- 'description': 'countersignature (1 2 840 113549 1 9 6)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 06',
- 'name': 'countersignature',
- 'oid': (1, 2, 840, 113549, 1, 9, 6)},
- (1, 2, 840, 113549, 1, 9, 7): {'comment': 'PKCS #9',
- 'description': 'challengePassword (1 2 840 113549 1 9 7)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 07',
- 'name': 'challengePassword',
- 'oid': (1, 2, 840, 113549, 1, 9, 7)},
- (1, 2, 840, 113549, 1, 9, 8): {'comment': 'PKCS #9',
- 'description': 'unstructuredAddress (1 2 840 113549 1 9 8)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 08',
- 'name': 'unstructuredAddress',
- 'oid': (1, 2, 840, 113549, 1, 9, 8)},
- (1, 2, 840, 113549, 1, 9, 9): {'comment': 'PKCS #9',
- 'description': 'extendedCertificateAttributes (1 2 840 113549 1 9 9)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 09',
- 'name': 'extendedCertificateAttributes',
- 'oid': (1, 2, 840, 113549, 1, 9, 9)},
- (1, 2, 840, 113549, 1, 9, 13): {'comment': 'PKCS #9',
- 'description': 'signingDescription (1 2 840 113549 1 9 13)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 0D',
- 'name': 'signingDescription',
- 'oid': (1, 2, 840, 113549, 1, 9, 13)},
- (1, 2, 840, 113549, 1, 9, 14): {'comment': 'PKCS #9 via CRMF',
- 'description': 'extensionRequest (1 2 840 113549 1 9 14)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 0E',
- 'name': 'extensionRequest',
- 'oid': (1, 2, 840, 113549, 1, 9, 14)},
- (1, 2, 840, 113549, 1, 9, 15): {'comment': 'PKCS #9. This OID was formerly assigned as symmetricCapabilities, then reassigned as SMIMECapabilities, then renamed to the current name',
- 'description': 'sMIMECapabilities (1 2 840 113549 1 9 15)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 0F',
- 'name': 'sMIMECapabilities',
- 'oid': (1, 2, 840, 113549, 1, 9, 15)},
- (1, 2, 840, 113549, 1, 9, 15, 1): {'comment': 'sMIMECapabilities',
- 'description': 'preferSignedData (1 2 840 113549 1 9 15 1)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 09 0F 01',
- 'name': 'preferSignedData',
- 'oid': (1, 2, 840, 113549, 1, 9, 15, 1)},
- (1, 2, 840, 113549, 1, 9, 15, 2): {'comment': 'sMIMECapabilities',
- 'description': 'canNotDecryptAny (1 2 840 113549 1 9 15 2)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 09 0F 02',
- 'name': 'canNotDecryptAny',
- 'oid': (1, 2, 840, 113549, 1, 9, 15, 2)},
- (1, 2, 840, 113549, 1, 9, 16): {'comment': 'PKCS #9',
- 'description': 'id-sMIME (1 2 840 113549 1 9 16)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 10',
- 'name': 'id-sMIME',
- 'oid': (1, 2, 840, 113549, 1, 9, 16)},
- (1, 2, 840, 113549, 1, 9, 16, 0): {'comment': 'id-sMIME',
- 'description': 'id-mod (1 2 840 113549 1 9 16 0)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 09 10 00',
- 'name': 'id-mod',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 0)},
- (1, 2, 840, 113549, 1, 9, 16, 0, 1): {'comment': 'S/MIME Modules',
- 'description': 'id-mod-cms (1 2 840 113549 1 9 16 0 1)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 00 01',
- 'name': 'id-mod-cms',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 0,
- 1)},
- (1, 2, 840, 113549, 1, 9, 16, 0, 2): {'comment': 'S/MIME Modules',
- 'description': 'id-mod-ess (1 2 840 113549 1 9 16 0 2)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 00 02',
- 'name': 'id-mod-ess',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 0,
- 2)},
- (1, 2, 840, 113549, 1, 9, 16, 0, 3): {'comment': 'S/MIME Modules',
- 'description': 'id-mod-oid (1 2 840 113549 1 9 16 0 3)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 00 03',
- 'name': 'id-mod-oid',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 0,
- 3)},
- (1, 2, 840, 113549, 1, 9, 16, 0, 4): {'comment': 'S/MIME Modules',
- 'description': 'id-mod-msg-v3 (1 2 840 113549 1 9 16 0 4)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 00 04',
- 'name': 'id-mod-msg-v3',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 0,
- 4)},
- (1, 2, 840, 113549, 1, 9, 16, 0, 5): {'comment': 'S/MIME Modules',
- 'description': 'id-mod-ets-eSignature-88 (1 2 840 113549 1 9 16 0 5)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 00 05',
- 'name': 'id-mod-ets-eSignature-88',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 0,
- 5)},
- (1, 2, 840, 113549, 1, 9, 16, 0, 6): {'comment': 'S/MIME Modules',
- 'description': 'id-mod-ets-eSignature-97 (1 2 840 113549 1 9 16 0 6)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 00 06',
- 'name': 'id-mod-ets-eSignature-97',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 0,
- 6)},
- (1, 2, 840, 113549, 1, 9, 16, 0, 7): {'comment': 'S/MIME Modules',
- 'description': 'id-mod-ets-eSigPolicy-88 (1 2 840 113549 1 9 16 0 7)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 00 07',
- 'name': 'id-mod-ets-eSigPolicy-88',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 0,
- 7)},
- (1, 2, 840, 113549, 1, 9, 16, 0, 8): {'comment': 'S/MIME Modules',
- 'description': 'id-mod-ets-eSigPolicy-88 (1 2 840 113549 1 9 16 0 8)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 00 08',
- 'name': 'id-mod-ets-eSigPolicy-88',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 0,
- 8)},
- (1, 2, 840, 113549, 1, 9, 16, 1): {'comment': 'S/MIME',
- 'description': 'contentType (1 2 840 113549 1 9 16 1)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 09 10 01',
- 'name': 'contentType',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 1)},
- (1, 2, 840, 113549, 1, 9, 16, 1, 1): {'comment': 'S/MIME Content Types',
- 'description': 'receipt (1 2 840 113549 1 9 16 1 1)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 01 01',
- 'name': 'receipt',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 1,
- 1)},
- (1, 2, 840, 113549, 1, 9, 16, 1, 2): {'comment': 'S/MIME Content Types',
- 'description': 'authData (1 2 840 113549 1 9 16 1 2)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 01 02',
- 'name': 'authData',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 1,
- 2)},
- (1, 2, 840, 113549, 1, 9, 16, 1, 3): {'comment': 'S/MIME Content Types',
- 'description': 'publishCert (1 2 840 113549 1 9 16 1 3)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 01 03',
- 'name': 'publishCert',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 1,
- 3)},
- (1, 2, 840, 113549, 1, 9, 16, 1, 4): {'comment': 'S/MIME Content Types',
- 'description': 'tSTInfo (1 2 840 113549 1 9 16 1 4)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 01 04',
- 'name': 'tSTInfo',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 1,
- 4)},
- (1, 2, 840, 113549, 1, 9, 16, 1, 5): {'comment': 'S/MIME Content Types',
- 'description': 'tDTInfo (1 2 840 113549 1 9 16 1 5)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 01 05',
- 'name': 'tDTInfo',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 1,
- 5)},
- (1, 2, 840, 113549, 1, 9, 16, 1, 6): {'comment': 'S/MIME Content Types',
- 'description': 'contentInfo (1 2 840 113549 1 9 16 1 6)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 01 06',
- 'name': 'contentInfo',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 1,
- 6)},
- (1, 2, 840, 113549, 1, 9, 16, 1, 7): {'comment': 'S/MIME Content Types',
- 'description': 'dVCSRequestData (1 2 840 113549 1 9 16 1 7)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 01 07',
- 'name': 'dVCSRequestData',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 1,
- 7)},
- (1, 2, 840, 113549, 1, 9, 16, 1, 8): {'comment': 'S/MIME Content Types',
- 'description': 'dVCSResponseData (1 2 840 113549 1 9 16 1 8)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 01 08',
- 'name': 'dVCSResponseData',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 1,
- 8)},
- (1, 2, 840, 113549, 1, 9, 16, 1, 9): {'comment': 'S/MIME Content Types',
- 'description': 'compressedData (1 2 840 113549 1 9 16 1 9)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 01 09',
- 'name': 'compressedData',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 1,
- 9)},
- (1, 2, 840, 113549, 1, 9, 16, 1, 24): {'comment': 'RPKI project',
- 'description': 'id-ct-routeOriginAttestation (1 2 840 113549 1 9 16 1 24)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 01 18',
- 'name': 'id-ct-routeOriginAttestation',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 1,
- 24)},
- (1, 2, 840, 113549, 1, 9, 16, 1, 26): {'comment': 'RPKI project',
- 'description': 'id-ct-rpkiManifest (1 2 840 113549 1 9 16 1 26)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 01 1A',
- 'name': 'id-ct-rpkiManifest',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 1,
- 26)},
- (1, 2, 840, 113549, 1, 9, 16, 1, 28): {'comment': 'RPKI project',
- 'description': 'id-ct-xml (1 2 840 113549 1 9 16 1 28)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 01 1C',
- 'name': 'id-ct-xml',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 1,
- 28)},
- (1, 2, 840, 113549, 1, 9, 16, 2): {'comment': 'S/MIME',
- 'description': 'authenticatedAttributes (1 2 840 113549 1 9 16 2)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 09 10 02',
- 'name': 'authenticatedAttributes',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 2)},
- (1, 2, 840, 113549, 1, 9, 16, 2, 1): {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'receiptRequest (1 2 840 113549 1 9 16 2 1)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 01',
- 'name': 'receiptRequest',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 2,
- 1)},
- (1, 2, 840, 113549, 1, 9, 16, 2, 2): {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'securityLabel (1 2 840 113549 1 9 16 2 2)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 02',
- 'name': 'securityLabel',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 2,
- 2)},
- (1, 2, 840, 113549, 1, 9, 16, 2, 3): {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'mlExpandHistory (1 2 840 113549 1 9 16 2 3)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 03',
- 'name': 'mlExpandHistory',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 2,
- 3)},
- (1, 2, 840, 113549, 1, 9, 16, 2, 4): {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'contentHint (1 2 840 113549 1 9 16 2 4)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 04',
- 'name': 'contentHint',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 2,
- 4)},
- (1, 2, 840, 113549, 1, 9, 16, 2, 5): {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'msgSigDigest (1 2 840 113549 1 9 16 2 5)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 05',
- 'name': 'msgSigDigest',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 2,
- 5)},
- (1, 2, 840, 113549, 1, 9, 16, 2, 7): {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'contentIdentifier (1 2 840 113549 1 9 16 2 7)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 07',
- 'name': 'contentIdentifier',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 2,
- 7)},
- (1, 2, 840, 113549, 1, 9, 16, 2, 9): {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'equivalentLabels (1 2 840 113549 1 9 16 2 9)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 09',
- 'name': 'equivalentLabels',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 2,
- 9)},
- (1, 2, 840, 113549, 1, 9, 16, 2, 10): {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'contentReference (1 2 840 113549 1 9 16 2 10)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 0A',
- 'name': 'contentReference',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 2,
- 10)},
- (1, 2, 840, 113549, 1, 9, 16, 2, 11): {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'encrypKeyPref (1 2 840 113549 1 9 16 2 11)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 0B',
- 'name': 'encrypKeyPref',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 2,
- 11)},
- (1, 2, 840, 113549, 1, 9, 16, 2, 12): {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'signingCertificate (1 2 840 113549 1 9 16 2 12)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 0C',
- 'name': 'signingCertificate',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 2,
- 12)},
- (1, 2, 840, 113549, 1, 9, 16, 2, 13): {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'smimeEncryptCerts (1 2 840 113549 1 9 16 2 13)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 0D',
- 'name': 'smimeEncryptCerts',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 2,
- 13)},
- (1, 2, 840, 113549, 1, 9, 16, 2, 14): {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'timeStampToken (1 2 840 113549 1 9 16 2 14)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 0E',
- 'name': 'timeStampToken',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 2,
- 14)},
- (1, 2, 840, 113549, 1, 9, 16, 2, 15): {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'sigPolicyId (1 2 840 113549 1 9 16 2 15)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 0F',
- 'name': 'sigPolicyId',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 2,
- 15)},
- (1, 2, 840, 113549, 1, 9, 16, 2, 16): {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'commitmentType (1 2 840 113549 1 9 16 2 16)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 10',
- 'name': 'commitmentType',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 2,
- 16)},
- (1, 2, 840, 113549, 1, 9, 16, 2, 17): {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'signerLocation (1 2 840 113549 1 9 16 2 17)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 11',
- 'name': 'signerLocation',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 2,
- 17)},
- (1, 2, 840, 113549, 1, 9, 16, 2, 18): {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'signerAttr (1 2 840 113549 1 9 16 2 18)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 12',
- 'name': 'signerAttr',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 2,
- 18)},
- (1, 2, 840, 113549, 1, 9, 16, 2, 19): {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'otherSigCert (1 2 840 113549 1 9 16 2 19)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 13',
- 'name': 'otherSigCert',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 2,
- 19)},
- (1, 2, 840, 113549, 1, 9, 16, 2, 20): {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'contentTimestamp (1 2 840 113549 1 9 16 2 20)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 14',
- 'name': 'contentTimestamp',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 2,
- 20)},
- (1, 2, 840, 113549, 1, 9, 16, 2, 21): {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'certificateRefs (1 2 840 113549 1 9 16 2 21)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 15',
- 'name': 'certificateRefs',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 2,
- 21)},
- (1, 2, 840, 113549, 1, 9, 16, 2, 22): {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'revocationRefs (1 2 840 113549 1 9 16 2 22)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 16',
- 'name': 'revocationRefs',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 2,
- 22)},
- (1, 2, 840, 113549, 1, 9, 16, 2, 23): {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'certValues (1 2 840 113549 1 9 16 2 23)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 17',
- 'name': 'certValues',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 2,
- 23)},
- (1, 2, 840, 113549, 1, 9, 16, 2, 24): {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'revocationValues (1 2 840 113549 1 9 16 2 24)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 18',
- 'name': 'revocationValues',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 2,
- 24)},
- (1, 2, 840, 113549, 1, 9, 16, 2, 25): {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'escTimeStamp (1 2 840 113549 1 9 16 2 25)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 19',
- 'name': 'escTimeStamp',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 2,
- 25)},
- (1, 2, 840, 113549, 1, 9, 16, 2, 26): {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'certCRLTimestamp (1 2 840 113549 1 9 16 2 26)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 1A',
- 'name': 'certCRLTimestamp',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 2,
- 26)},
- (1, 2, 840, 113549, 1, 9, 16, 2, 27): {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'archiveTimeStamp (1 2 840 113549 1 9 16 2 27)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 1B',
- 'name': 'archiveTimeStamp',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 2,
- 27)},
- (1, 2, 840, 113549, 1, 9, 16, 2, 28): {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'signatureType (1 2 840 113549 1 9 16 2 28)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 1C',
- 'name': 'signatureType',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 2,
- 28)},
- (1, 2, 840, 113549, 1, 9, 16, 2, 29): {'comment': 'S/MIME Authenticated Attributes',
- 'description': 'dvcs-dvc (1 2 840 113549 1 9 16 2 29)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 02 1D',
- 'name': 'dvcs-dvc',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 2,
- 29)},
- (1, 2, 840, 113549, 1, 9, 16, 3, 5): {'comment': 'S/MIME Algorithms',
- 'description': 'esDH (1 2 840 113549 1 9 16 3 5)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 03 05',
- 'name': 'esDH',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 3,
- 5)},
- (1, 2, 840, 113549, 1, 9, 16, 3, 6): {'comment': 'S/MIME Algorithms',
- 'description': 'cms3DESwrap (1 2 840 113549 1 9 16 3 6)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 03 06',
- 'name': 'cms3DESwrap',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 3,
- 6)},
- (1, 2, 840, 113549, 1, 9, 16, 3, 7): {'comment': 'S/MIME Algorithms',
- 'description': 'cmsRC2wrap (1 2 840 113549 1 9 16 3 7)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 03 07',
- 'name': 'cmsRC2wrap',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 3,
- 7)},
- (1, 2, 840, 113549, 1, 9, 16, 3, 8): {'comment': 'S/MIME Algorithms',
- 'description': 'zlib (1 2 840 113549 1 9 16 3 8)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 03 08',
- 'name': 'zlib',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 3,
- 8)},
- (1, 2, 840, 113549, 1, 9, 16, 3, 9): {'comment': 'S/MIME Algorithms',
- 'description': 'pwri-KEK (1 2 840 113549 1 9 16 3 9)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 03 09',
- 'name': 'pwri-KEK',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 3,
- 9)},
- (1, 2, 840, 113549, 1, 9, 16, 4, 1): {'comment': 'S/MIME Certificate Distribution',
- 'description': 'certDist-ldap (1 2 840 113549 1 9 16 4 1)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 04 01',
- 'name': 'certDist-ldap',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 4,
- 1)},
- (1, 2, 840, 113549, 1, 9, 16, 5, 1): {'comment': 'S/MIME Signature Policy Qualifier',
- 'description': 'sigPolicyQualifier-spuri (1 2 840 113549 1 9 16 5 1)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 05 01',
- 'name': 'sigPolicyQualifier-spuri',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 5,
- 1)},
- (1, 2, 840, 113549, 1, 9, 16, 5, 2): {'comment': 'S/MIME Signature Policy Qualifier',
- 'description': 'sigPolicyQualifier-spUserNotice (1 2 840 113549 1 9 16 5 2)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 05 02',
- 'name': 'sigPolicyQualifier-spUserNotice',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 5,
- 2)},
- (1, 2, 840, 113549, 1, 9, 16, 6, 1): {'comment': 'S/MIME',
- 'description': 'proofOfOrigin (1 2 840 113549 1 9 16 6 1)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 06 01',
- 'name': 'proofOfOrigin',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 6,
- 1)},
- (1, 2, 840, 113549, 1, 9, 16, 6, 2): {'comment': 'S/MIME',
- 'description': 'proofOfReceipt (1 2 840 113549 1 9 16 6 2)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 06 02',
- 'name': 'proofOfReceipt',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 6,
- 2)},
- (1, 2, 840, 113549, 1, 9, 16, 6, 3): {'comment': 'S/MIME',
- 'description': 'proofOfDelivery (1 2 840 113549 1 9 16 6 3)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 06 03',
- 'name': 'proofOfDelivery',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 6,
- 3)},
- (1, 2, 840, 113549, 1, 9, 16, 6, 4): {'comment': 'S/MIME',
- 'description': 'proofOfSender (1 2 840 113549 1 9 16 6 4)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 06 04',
- 'name': 'proofOfSender',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 6,
- 4)},
- (1, 2, 840, 113549, 1, 9, 16, 6, 5): {'comment': 'S/MIME',
- 'description': 'proofOfApproval (1 2 840 113549 1 9 16 6 5)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 06 05',
- 'name': 'proofOfApproval',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 6,
- 5)},
- (1, 2, 840, 113549, 1, 9, 16, 6, 6): {'comment': 'S/MIME',
- 'description': 'proofOfCreation (1 2 840 113549 1 9 16 6 6)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 06 06',
- 'name': 'proofOfCreation',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 6,
- 6)},
- (1, 2, 840, 113549, 1, 9, 16, 9): {'comment': 'S/MIME',
- 'description': 'signatureTypeIdentifier (1 2 840 113549 1 9 16 9)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 09 10 09',
- 'name': 'signatureTypeIdentifier',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 9)},
- (1, 2, 840, 113549, 1, 9, 16, 9, 1): {'comment': 'S/MIME Signature Type Identifier',
- 'description': 'originatorSig (1 2 840 113549 1 9 16 9 1)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 09 01',
- 'name': 'originatorSig',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 9,
- 1)},
- (1, 2, 840, 113549, 1, 9, 16, 9, 2): {'comment': 'S/MIME Signature Type Identifier',
- 'description': 'domainSig (1 2 840 113549 1 9 16 9 2)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 09 02',
- 'name': 'domainSig',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 9,
- 2)},
- (1, 2, 840, 113549, 1, 9, 16, 9, 3): {'comment': 'S/MIME Signature Type Identifier',
- 'description': 'additionalAttributesSig (1 2 840 113549 1 9 16 9 3)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 09 03',
- 'name': 'additionalAttributesSig',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 9,
- 3)},
- (1, 2, 840, 113549, 1, 9, 16, 9, 4): {'comment': 'S/MIME Signature Type Identifier',
- 'description': 'reviewSig (1 2 840 113549 1 9 16 9 4)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 09 04',
- 'name': 'reviewSig',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 9,
- 4)},
- (1, 2, 840, 113549, 1, 9, 16, 11): {'comment': 'S/MIME',
- 'description': 'capabilities (1 2 840 113549 1 9 16 11)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 09 10 0B',
- 'name': 'capabilities',
- 'oid': (1, 2, 840, 113549, 1, 9, 16, 11)},
- (1, 2, 840, 113549, 1, 9, 16, 11, 1): {'comment': 'S/MIME Capability',
- 'description': 'preferBinaryInside (1 2 840 113549 1 9 16 11 1)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 09 10 0B 01',
- 'name': 'preferBinaryInside',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 9,
- 16,
- 11,
- 1)},
- (1, 2, 840, 113549, 1, 9, 20): {'comment': 'PKCS #9 via PKCS #12',
- 'description': 'friendlyName (for PKCS #12) (1 2 840 113549 1 9 20)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 14',
- 'name': 'friendlyName',
- 'oid': (1, 2, 840, 113549, 1, 9, 20)},
- (1, 2, 840, 113549, 1, 9, 21): {'comment': 'PKCS #9 via PKCS #12',
- 'description': 'localKeyID (for PKCS #12) (1 2 840 113549 1 9 21)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 15',
- 'name': 'localKeyID',
- 'oid': (1, 2, 840, 113549, 1, 9, 21)},
- (1, 2, 840, 113549, 1, 9, 22): {'comment': 'PKCS #9 via PKCS #12',
- 'description': 'certTypes (for PKCS #12) (1 2 840 113549 1 9 22)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 16',
- 'name': 'certTypes',
- 'oid': (1, 2, 840, 113549, 1, 9, 22)},
- (1, 2, 840, 113549, 1, 9, 22, 1): {'comment': 'PKCS #9 via PKCS #12',
- 'description': 'x509Certificate (for PKCS #12) (1 2 840 113549 1 9 22 1)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 09 16 01',
- 'name': 'x509Certificate',
- 'oid': (1, 2, 840, 113549, 1, 9, 22, 1)},
- (1, 2, 840, 113549, 1, 9, 22, 2): {'comment': 'PKCS #9 via PKCS #12',
- 'description': 'sdsiCertificate (for PKCS #12) (1 2 840 113549 1 9 22 2)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 09 16 02',
- 'name': 'sdsiCertificate',
- 'oid': (1, 2, 840, 113549, 1, 9, 22, 2)},
- (1, 2, 840, 113549, 1, 9, 23): {'comment': 'PKCS #9 via PKCS #12',
- 'description': 'crlTypes (for PKCS #12) (1 2 840 113549 1 9 23)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 17',
- 'name': 'crlTypes',
- 'oid': (1, 2, 840, 113549, 1, 9, 23)},
- (1, 2, 840, 113549, 1, 9, 23, 1): {'comment': 'PKCS #9 via PKCS #12',
- 'description': 'x509Crl (for PKCS #12) (1 2 840 113549 1 9 23 1)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 09 17 01',
- 'name': 'x509Crl',
- 'oid': (1, 2, 840, 113549, 1, 9, 23, 1)},
- (1, 2, 840, 113549, 1, 9, 24): {'comment': 'PKCS #9/RFC 2985',
- 'description': 'pkcs9objectClass (1 2 840 113549 1 9 24)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 18',
- 'name': 'pkcs9objectClass',
- 'oid': (1, 2, 840, 113549, 1, 9, 24)},
- (1, 2, 840, 113549, 1, 9, 25): {'comment': 'PKCS #9/RFC 2985',
- 'description': 'pkcs9attributes (1 2 840 113549 1 9 25)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 19',
- 'name': 'pkcs9attributes',
- 'oid': (1, 2, 840, 113549, 1, 9, 25)},
- (1, 2, 840, 113549, 1, 9, 25, 1): {'comment': 'PKCS #9/RFC 2985 attribute',
- 'description': 'pkcs15Token (1 2 840 113549 1 9 25 1)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 09 19 01',
- 'name': 'pkcs15Token',
- 'oid': (1, 2, 840, 113549, 1, 9, 25, 1)},
- (1, 2, 840, 113549, 1, 9, 25, 2): {'comment': 'PKCS #9/RFC 2985 attribute',
- 'description': 'encryptedPrivateKeyInfo (1 2 840 113549 1 9 25 2)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 09 19 02',
- 'name': 'encryptedPrivateKeyInfo',
- 'oid': (1, 2, 840, 113549, 1, 9, 25, 2)},
- (1, 2, 840, 113549, 1, 9, 25, 3): {'comment': 'PKCS #9/RFC 2985 attribute',
- 'description': 'randomNonce (1 2 840 113549 1 9 25 3)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 09 19 03',
- 'name': 'randomNonce',
- 'oid': (1, 2, 840, 113549, 1, 9, 25, 3)},
- (1, 2, 840, 113549, 1, 9, 25, 4): {'comment': 'PKCS #9/RFC 2985 attribute',
- 'description': 'sequenceNumber (1 2 840 113549 1 9 25 4)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 09 19 04',
- 'name': 'sequenceNumber',
- 'oid': (1, 2, 840, 113549, 1, 9, 25, 4)},
- (1, 2, 840, 113549, 1, 9, 25, 5): {'comment': 'PKCS #9/RFC 2985 attribute',
- 'description': 'pkcs7PDU (1 2 840 113549 1 9 25 5)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 09 19 05',
- 'name': 'pkcs7PDU',
- 'oid': (1, 2, 840, 113549, 1, 9, 25, 5)},
- (1, 2, 840, 113549, 1, 9, 26): {'comment': 'PKCS #9/RFC 2985',
- 'description': 'pkcs9syntax (1 2 840 113549 1 9 26)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 1A',
- 'name': 'pkcs9syntax',
- 'oid': (1, 2, 840, 113549, 1, 9, 26)},
- (1, 2, 840, 113549, 1, 9, 27): {'comment': 'PKCS #9/RFC 2985',
- 'description': 'pkcs9matchingRules (1 2 840 113549 1 9 27)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 09 1B',
- 'name': 'pkcs9matchingRules',
- 'oid': (1, 2, 840, 113549, 1, 9, 27)},
- (1, 2, 840, 113549, 1, 12): {'description': 'pkcs-12 (1 2 840 113549 1 12)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 01 0C',
- 'name': 'pkcs-12',
- 'oid': (1, 2, 840, 113549, 1, 12)},
- (1, 2, 840, 113549, 1, 12, 1): {'comment': 'This OID was formerly assigned as PKCS #12 modeID',
- 'description': 'pkcs-12-PbeIds (1 2 840 113549 1 12 1)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 0C 01',
- 'name': 'pkcs-12-PbeIds',
- 'oid': (1, 2, 840, 113549, 1, 12, 1)},
- (1, 2, 840, 113549, 1, 12, 1, 1): {'comment': 'PKCS #12 PbeIds. This OID was formerly assigned as pkcs-12-OfflineTransportMode',
- 'description': 'pbeWithSHAAnd128BitRC4 (1 2 840 113549 1 12 1 1)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0C 01 01',
- 'name': 'pbeWithSHAAnd128BitRC4',
- 'oid': (1, 2, 840, 113549, 1, 12, 1, 1)},
- (1, 2, 840, 113549, 1, 12, 1, 2): {'comment': 'PKCS #12 PbeIds. This OID was formerly assigned as pkcs-12-OnlineTransportMode',
- 'description': 'pbeWithSHAAnd40BitRC4 (1 2 840 113549 1 12 1 2)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0C 01 02',
- 'name': 'pbeWithSHAAnd40BitRC4',
- 'oid': (1, 2, 840, 113549, 1, 12, 1, 2)},
- (1, 2, 840, 113549, 1, 12, 1, 3): {'comment': 'PKCS #12 PbeIds',
- 'description': 'pbeWithSHAAnd3-KeyTripleDES-CBC (1 2 840 113549 1 12 1 3)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0C 01 03',
- 'name': 'pbeWithSHAAnd3-KeyTripleDES-CBC',
- 'oid': (1, 2, 840, 113549, 1, 12, 1, 3)},
- (1, 2, 840, 113549, 1, 12, 1, 4): {'comment': 'PKCS #12 PbeIds',
- 'description': 'pbeWithSHAAnd2-KeyTripleDES-CBC (1 2 840 113549 1 12 1 4)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0C 01 04',
- 'name': 'pbeWithSHAAnd2-KeyTripleDES-CBC',
- 'oid': (1, 2, 840, 113549, 1, 12, 1, 4)},
- (1, 2, 840, 113549, 1, 12, 1, 5): {'comment': 'PKCS #12 PbeIds',
- 'description': 'pbeWithSHAAnd128BitRC2-CBC (1 2 840 113549 1 12 1 5)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0C 01 05',
- 'name': 'pbeWithSHAAnd128BitRC2-CBC',
- 'oid': (1, 2, 840, 113549, 1, 12, 1, 5)},
- (1, 2, 840, 113549, 1, 12, 1, 6): {'comment': 'PKCS #12 PbeIds',
- 'description': 'pbeWithSHAAnd40BitRC2-CBC (1 2 840 113549 1 12 1 6)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0C 01 06',
- 'name': 'pbeWithSHAAnd40BitRC2-CBC',
- 'oid': (1, 2, 840, 113549, 1, 12, 1, 6)},
- (1, 2, 840, 113549, 1, 12, 3): {'description': 'pkcs-12-BagIds (1 2 840 113549 1 12 3)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 0C 03',
- 'name': 'pkcs-12-BagIds',
- 'oid': (1, 2, 840, 113549, 1, 12, 3)},
- (1, 2, 840, 113549, 1, 12, 3, 1): {'comment': 'PKCS #12 BagIds',
- 'description': 'pkcs-12-keyBagId (1 2 840 113549 1 12 3 1)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0C 03 01',
- 'name': 'pkcs-12-keyBagId',
- 'oid': (1, 2, 840, 113549, 1, 12, 3, 1)},
- (1, 2, 840, 113549, 1, 12, 3, 2): {'comment': 'PKCS #12 BagIds',
- 'description': 'pkcs-12-certAndCRLBagId (1 2 840 113549 1 12 3 2)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0C 03 02',
- 'name': 'pkcs-12-certAndCRLBagId',
- 'oid': (1, 2, 840, 113549, 1, 12, 3, 2)},
- (1, 2, 840, 113549, 1, 12, 3, 3): {'comment': 'PKCS #12 BagIds',
- 'description': 'pkcs-12-secretBagId (1 2 840 113549 1 12 3 3)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0C 03 03',
- 'name': 'pkcs-12-secretBagId',
- 'oid': (1, 2, 840, 113549, 1, 12, 3, 3)},
- (1, 2, 840, 113549, 1, 12, 3, 4): {'comment': 'PKCS #12 BagIds',
- 'description': 'pkcs-12-safeContentsId (1 2 840 113549 1 12 3 4)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0C 03 04',
- 'name': 'pkcs-12-safeContentsId',
- 'oid': (1, 2, 840, 113549, 1, 12, 3, 4)},
- (1, 2, 840, 113549, 1, 12, 3, 5): {'comment': 'PKCS #12 BagIds',
- 'description': 'pkcs-12-pkcs-8ShroudedKeyBagId (1 2 840 113549 1 12 3 5)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0C 03 05',
- 'name': 'pkcs-12-pkcs-8ShroudedKeyBagId',
- 'oid': (1, 2, 840, 113549, 1, 12, 3, 5)},
- (1, 2, 840, 113549, 1, 12, 4, 1): {'comment': 'PKCS #12 CertBagID. This OID was formerly assigned as pkcs-12-X509CertCRLBag',
- 'description': 'pkcs-12-X509CertCRLBagID (1 2 840 113549 1 12 4 1)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0C 04 01',
- 'name': 'pkcs-12-X509CertCRLBagID',
- 'oid': (1, 2, 840, 113549, 1, 12, 4, 1)},
- (1, 2, 840, 113549, 1, 12, 4, 2): {'comment': 'PKCS #12 CertBagID. This OID was formerly assigned as pkcs-12-SDSICertBag',
- 'description': 'pkcs-12-SDSICertBagID (1 2 840 113549 1 12 4 2)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0C 04 02',
- 'name': 'pkcs-12-SDSICertBagID',
- 'oid': (1, 2, 840, 113549, 1, 12, 4, 2)},
- (1, 2, 840, 113549, 1, 12, 5, 2): {'comment': 'PKCS #12 OID. Deprecated, use the conventional PKCS #1 OIDs instead',
- 'description': 'pkcs-12-EnvelopingID (1 2 840 113549 1 12 5 2)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0C 05 02',
- 'name': 'pkcs-12-EnvelopingID',
- 'oid': (1, 2, 840, 113549, 1, 12, 5, 2)},
- (1, 2, 840, 113549, 1, 12, 10): {'description': 'pkcs-12Version1 (1 2 840 113549 1 12 10)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 0C 0A',
- 'name': 'pkcs-12Version1',
- 'oid': (1, 2, 840, 113549, 1, 12, 10)},
- (1, 2, 840, 113549, 1, 12, 10, 1): {'description': 'pkcs-12BadIds (1 2 840 113549 1 12 10 1)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0C 0A 01',
- 'name': 'pkcs-12BadIds',
- 'oid': (1, 2, 840, 113549, 1, 12, 10, 1)},
- (1, 2, 840, 113549, 1, 12, 10, 1, 1): {'comment': 'PKCS #12 BagIds',
- 'description': 'pkcs-12-keyBag (1 2 840 113549 1 12 10 1 1)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 0C 0A 01 01',
- 'name': 'pkcs-12-keyBag',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 12,
- 10,
- 1,
- 1)},
- (1, 2, 840, 113549, 1, 12, 10, 1, 2): {'comment': 'PKCS #12 BagIds',
- 'description': 'pkcs-12-pkcs-8ShroudedKeyBag (1 2 840 113549 1 12 10 1 2)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 0C 0A 01 02',
- 'name': 'pkcs-12-pkcs-8ShroudedKeyBag',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 12,
- 10,
- 1,
- 2)},
- (1, 2, 840, 113549, 1, 12, 10, 1, 3): {'comment': 'PKCS #12 BagIds',
- 'description': 'pkcs-12-certBag (1 2 840 113549 1 12 10 1 3)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 0C 0A 01 03',
- 'name': 'pkcs-12-certBag',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 12,
- 10,
- 1,
- 3)},
- (1, 2, 840, 113549, 1, 12, 10, 1, 4): {'comment': 'PKCS #12 BagIds',
- 'description': 'pkcs-12-crlBag (1 2 840 113549 1 12 10 1 4)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 0C 0A 01 04',
- 'name': 'pkcs-12-crlBag',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 12,
- 10,
- 1,
- 4)},
- (1, 2, 840, 113549, 1, 12, 10, 1, 5): {'comment': 'PKCS #12 BagIds',
- 'description': 'pkcs-12-secretBag (1 2 840 113549 1 12 10 1 5)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 0C 0A 01 05',
- 'name': 'pkcs-12-secretBag',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 12,
- 10,
- 1,
- 5)},
- (1, 2, 840, 113549, 1, 12, 10, 1, 6): {'comment': 'PKCS #12 BagIds',
- 'description': 'pkcs-12-safeContentsBag (1 2 840 113549 1 12 10 1 6)',
- 'hexoid': '06 0B 2A 86 48 86 F7 0D 01 0C 0A 01 06',
- 'name': 'pkcs-12-safeContentsBag',
- 'oid': (1,
- 2,
- 840,
- 113549,
- 1,
- 12,
- 10,
- 1,
- 6)},
- (1, 2, 840, 113549, 1, 15, 1): {'comment': 'PKCS #15',
- 'description': 'pkcs15modules (1 2 840 113549 1 15 1)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 0F 01',
- 'name': 'pkcs15modules',
- 'oid': (1, 2, 840, 113549, 1, 15, 1)},
- (1, 2, 840, 113549, 1, 15, 2): {'comment': 'PKCS #15',
- 'description': 'pkcs15attributes (1 2 840 113549 1 15 2)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 0F 02',
- 'name': 'pkcs15attributes',
- 'oid': (1, 2, 840, 113549, 1, 15, 2)},
- (1, 2, 840, 113549, 1, 15, 3): {'comment': 'PKCS #15',
- 'description': 'pkcs15contentType (1 2 840 113549 1 15 3)',
- 'hexoid': '06 09 2A 86 48 86 F7 0D 01 0F 03',
- 'name': 'pkcs15contentType',
- 'oid': (1, 2, 840, 113549, 1, 15, 3)},
- (1, 2, 840, 113549, 1, 15, 3, 1): {'comment': 'PKCS #15 content type',
- 'description': 'pkcs15content (1 2 840 113549 1 15 3 1)',
- 'hexoid': '06 0A 2A 86 48 86 F7 0D 01 0F 03 01',
- 'name': 'pkcs15content',
- 'oid': (1, 2, 840, 113549, 1, 15, 3, 1)},
- (1, 2, 840, 113549, 2): {'description': 'digestAlgorithm (1 2 840 113549 2)',
- 'hexoid': '06 07 2A 86 48 86 F7 0D 02',
- 'name': 'digestAlgorithm',
- 'oid': (1, 2, 840, 113549, 2)},
- (1, 2, 840, 113549, 2, 2): {'comment': 'RSADSI digestAlgorithm',
- 'description': 'md2 (1 2 840 113549 2 2)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 02 02',
- 'name': 'md2',
- 'oid': (1, 2, 840, 113549, 2, 2)},
- (1, 2, 840, 113549, 2, 4): {'comment': 'RSADSI digestAlgorithm',
- 'description': 'md4 (1 2 840 113549 2 4)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 02 04',
- 'name': 'md4',
- 'oid': (1, 2, 840, 113549, 2, 4)},
- (1, 2, 840, 113549, 2, 5): {'comment': 'RSADSI digestAlgorithm',
- 'description': 'md5 (1 2 840 113549 2 5)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 02 05',
- 'name': 'md5',
- 'oid': (1, 2, 840, 113549, 2, 5)},
- (1, 2, 840, 113549, 2, 7): {'comment': 'RSADSI digestAlgorithm',
- 'description': 'hmacWithSHA1 (1 2 840 113549 2 7)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 02 07',
- 'name': 'hmacWithSHA1',
- 'oid': (1, 2, 840, 113549, 2, 7)},
- (1, 2, 840, 113549, 2, 8): {'comment': 'RSADSI digestAlgorithm',
- 'description': 'hmacWithSHA224 (1 2 840 113549 2 8)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 02 08',
- 'name': 'hmacWithSHA224',
- 'oid': (1, 2, 840, 113549, 2, 8)},
- (1, 2, 840, 113549, 2, 9): {'comment': 'RSADSI digestAlgorithm',
- 'description': 'hmacWithSHA256 (1 2 840 113549 2 9)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 02 09',
- 'name': 'hmacWithSHA256',
- 'oid': (1, 2, 840, 113549, 2, 9)},
- (1, 2, 840, 113549, 2, 10): {'comment': 'RSADSI digestAlgorithm',
- 'description': 'hmacWithSHA384 (1 2 840 113549 2 10)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 02 0A',
- 'name': 'hmacWithSHA384',
- 'oid': (1, 2, 840, 113549, 2, 10)},
- (1, 2, 840, 113549, 2, 11): {'comment': 'RSADSI digestAlgorithm',
- 'description': 'hmacWithSHA512 (1 2 840 113549 2 11)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 02 0B',
- 'name': 'hmacWithSHA512',
- 'oid': (1, 2, 840, 113549, 2, 11)},
- (1, 2, 840, 113549, 3): {'description': 'encryptionAlgorithm (1 2 840 113549 3)',
- 'hexoid': '06 07 2A 86 48 86 F7 0D 03',
- 'name': 'encryptionAlgorithm',
- 'oid': (1, 2, 840, 113549, 3)},
- (1, 2, 840, 113549, 3, 2): {'comment': 'RSADSI encryptionAlgorithm',
- 'description': 'rc2CBC (1 2 840 113549 3 2)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 03 02',
- 'name': 'rc2CBC',
- 'oid': (1, 2, 840, 113549, 3, 2)},
- (1, 2, 840, 113549, 3, 3): {'comment': 'RSADSI encryptionAlgorithm',
- 'description': 'rc2ECB (1 2 840 113549 3 3)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 03 03',
- 'name': 'rc2ECB',
- 'oid': (1, 2, 840, 113549, 3, 3)},
- (1, 2, 840, 113549, 3, 4): {'comment': 'RSADSI encryptionAlgorithm',
- 'description': 'rc4 (1 2 840 113549 3 4)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 03 04',
- 'name': 'rc4',
- 'oid': (1, 2, 840, 113549, 3, 4)},
- (1, 2, 840, 113549, 3, 5): {'comment': 'RSADSI encryptionAlgorithm',
- 'description': 'rc4WithMAC (1 2 840 113549 3 5)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 03 05',
- 'name': 'rc4WithMAC',
- 'oid': (1, 2, 840, 113549, 3, 5)},
- (1, 2, 840, 113549, 3, 6): {'comment': 'RSADSI encryptionAlgorithm',
- 'description': 'desx-CBC (1 2 840 113549 3 6)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 03 06',
- 'name': 'desx-CBC',
- 'oid': (1, 2, 840, 113549, 3, 6)},
- (1, 2, 840, 113549, 3, 7): {'comment': 'RSADSI encryptionAlgorithm',
- 'description': 'des-EDE3-CBC (1 2 840 113549 3 7)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 03 07',
- 'name': 'des-EDE3-CBC',
- 'oid': (1, 2, 840, 113549, 3, 7)},
- (1, 2, 840, 113549, 3, 8): {'comment': 'RSADSI encryptionAlgorithm',
- 'description': 'rc5CBC (1 2 840 113549 3 8)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 03 08',
- 'name': 'rc5CBC',
- 'oid': (1, 2, 840, 113549, 3, 8)},
- (1, 2, 840, 113549, 3, 9): {'comment': 'RSADSI encryptionAlgorithm',
- 'description': 'rc5-CBCPad (1 2 840 113549 3 9)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 03 09',
- 'name': 'rc5-CBCPad',
- 'oid': (1, 2, 840, 113549, 3, 9)},
- (1, 2, 840, 113549, 3, 10): {'comment': 'RSADSI encryptionAlgorithm. Formerly called CDMFCBCPad',
- 'description': 'desCDMF (1 2 840 113549 3 10)',
- 'hexoid': '06 08 2A 86 48 86 F7 0D 03 0A',
- 'name': 'desCDMF',
- 'oid': (1, 2, 840, 113549, 3, 10)},
- (1, 2, 840, 113556, 1, 2, 241): {'comment': 'Microsoft Exchange Server - attribute',
- 'description': 'deliveryMechanism (1 2 840 113556 1 2 241)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 02 81 71',
- 'name': 'deliveryMechanism',
- 'oid': (1, 2, 840, 113556, 1, 2, 241)},
- (1, 2, 840, 113556, 1, 2, 281): {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'ntSecurityDescriptor (1 2 840 113556 1 2 281)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 02 82 19',
- 'name': 'ntSecurityDescriptor',
- 'oid': (1, 2, 840, 113556, 1, 2, 281)},
- (1, 2, 840, 113556, 1, 3, 0): {'comment': 'Microsoft Exchange Server - object class',
- 'description': 'site-Addressing (1 2 840 113556 1 3 0)',
- 'hexoid': '06 09 2A 86 48 86 F7 14 01 03 00',
- 'name': 'site-Addressing',
- 'oid': (1, 2, 840, 113556, 1, 3, 0)},
- (1, 2, 840, 113556, 1, 3, 13): {'comment': 'Microsoft Exchange Server - object class',
- 'description': 'classSchema (1 2 840 113556 1 3 13)',
- 'hexoid': '06 09 2A 86 48 86 F7 14 01 03 0D',
- 'name': 'classSchema',
- 'oid': (1, 2, 840, 113556, 1, 3, 13)},
- (1, 2, 840, 113556, 1, 3, 14): {'comment': 'Microsoft Exchange Server - object class',
- 'description': 'attributeSchema (1 2 840 113556 1 3 14)',
- 'hexoid': '06 09 2A 86 48 86 F7 14 01 03 0E',
- 'name': 'attributeSchema',
- 'oid': (1, 2, 840, 113556, 1, 3, 14)},
- (1, 2, 840, 113556, 1, 3, 17): {'comment': 'Microsoft Exchange Server - object class',
- 'description': 'mailbox-Agent (1 2 840 113556 1 3 17)',
- 'hexoid': '06 09 2A 86 48 86 F7 14 01 03 11',
- 'name': 'mailbox-Agent',
- 'oid': (1, 2, 840, 113556, 1, 3, 17)},
- (1, 2, 840, 113556, 1, 3, 22): {'comment': 'Microsoft Exchange Server - object class',
- 'description': 'mailbox (1 2 840 113556 1 3 22)',
- 'hexoid': '06 09 2A 86 48 86 F7 14 01 03 16',
- 'name': 'mailbox',
- 'oid': (1, 2, 840, 113556, 1, 3, 22)},
- (1, 2, 840, 113556, 1, 3, 23): {'comment': 'Microsoft Exchange Server - object class',
- 'description': 'container (1 2 840 113556 1 3 23)',
- 'hexoid': '06 09 2A 86 48 86 F7 14 01 03 17',
- 'name': 'container',
- 'oid': (1, 2, 840, 113556, 1, 3, 23)},
- (1, 2, 840, 113556, 1, 3, 46): {'comment': 'Microsoft Exchange Server - object class',
- 'description': 'mailRecipient (1 2 840 113556 1 3 46)',
- 'hexoid': '06 09 2A 86 48 86 F7 14 01 03 2E',
- 'name': 'mailRecipient',
- 'oid': (1, 2, 840, 113556, 1, 3, 46)},
- (1, 2, 840, 113556, 1, 4, 145): {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'revision (1 2 840 113556 1 4 145)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 81 11',
- 'name': 'revision',
- 'oid': (1, 2, 840, 113556, 1, 4, 145)},
- (1, 2, 840, 113556, 1, 4, 1327): {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'pKIDefaultKeySpec (1 2 840 113556 1 4 1327)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8A 2F',
- 'name': 'pKIDefaultKeySpec',
- 'oid': (1, 2, 840, 113556, 1, 4, 1327)},
- (1, 2, 840, 113556, 1, 4, 1328): {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'pKIKeyUsage (1 2 840 113556 1 4 1328)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8A 30',
- 'name': 'pKIKeyUsage',
- 'oid': (1, 2, 840, 113556, 1, 4, 1328)},
- (1, 2, 840, 113556, 1, 4, 1329): {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'pKIMaxIssuingDepth (1 2 840 113556 1 4 1329)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8A 31',
- 'name': 'pKIMaxIssuingDepth',
- 'oid': (1, 2, 840, 113556, 1, 4, 1329)},
- (1, 2, 840, 113556, 1, 4, 1330): {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'pKICriticalExtensions (1 2 840 113556 1 4 1330)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8A 32',
- 'name': 'pKICriticalExtensions',
- 'oid': (1, 2, 840, 113556, 1, 4, 1330)},
- (1, 2, 840, 113556, 1, 4, 1331): {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'pKIExpirationPeriod (1 2 840 113556 1 4 1331)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8A 33',
- 'name': 'pKIExpirationPeriod',
- 'oid': (1, 2, 840, 113556, 1, 4, 1331)},
- (1, 2, 840, 113556, 1, 4, 1332): {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'pKIOverlapPeriod (1 2 840 113556 1 4 1332)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8A 34',
- 'name': 'pKIOverlapPeriod',
- 'oid': (1, 2, 840, 113556, 1, 4, 1332)},
- (1, 2, 840, 113556, 1, 4, 1333): {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'pKIExtendedKeyUsage (1 2 840 113556 1 4 1333)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8A 35',
- 'name': 'pKIExtendedKeyUsage',
- 'oid': (1, 2, 840, 113556, 1, 4, 1333)},
- (1, 2, 840, 113556, 1, 4, 1334): {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'pKIDefaultCSPs (1 2 840 113556 1 4 1334)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8A 36',
- 'name': 'pKIDefaultCSPs',
- 'oid': (1, 2, 840, 113556, 1, 4, 1334)},
- (1, 2, 840, 113556, 1, 4, 1335): {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'pKIEnrollmentAccess (1 2 840 113556 1 4 1335)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8A 37',
- 'name': 'pKIEnrollmentAccess',
- 'oid': (1, 2, 840, 113556, 1, 4, 1335)},
- (1, 2, 840, 113556, 1, 4, 1429): {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'msPKI-RA-Signature (1 2 840 113556 1 4 1429)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8B 15',
- 'name': 'msPKI-RA-Signature',
- 'oid': (1, 2, 840, 113556, 1, 4, 1429)},
- (1, 2, 840, 113556, 1, 4, 1430): {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'msPKI-Enrollment-Flag (1 2 840 113556 1 4 1430)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8B 16',
- 'name': 'msPKI-Enrollment-Flag',
- 'oid': (1, 2, 840, 113556, 1, 4, 1430)},
- (1, 2, 840, 113556, 1, 4, 1431): {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'msPKI-Private-Key-Flag (1 2 840 113556 1 4 1431)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8B 17',
- 'name': 'msPKI-Private-Key-Flag',
- 'oid': (1, 2, 840, 113556, 1, 4, 1431)},
- (1, 2, 840, 113556, 1, 4, 1432): {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'msPKI-Certificate-Name-Flag (1 2 840 113556 1 4 1432)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8B 18',
- 'name': 'msPKI-Certificate-Name-Flag',
- 'oid': (1, 2, 840, 113556, 1, 4, 1432)},
- (1, 2, 840, 113556, 1, 4, 1433): {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'msPKI-Minimal-Key-Size (1 2 840 113556 1 4 1433)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8B 19',
- 'name': 'msPKI-Minimal-Key-Size',
- 'oid': (1, 2, 840, 113556, 1, 4, 1433)},
- (1, 2, 840, 113556, 1, 4, 1434): {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'msPKI-Template-Schema-Version (1 2 840 113556 1 4 1434)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8B 1A',
- 'name': 'msPKI-Template-Schema-Version',
- 'oid': (1, 2, 840, 113556, 1, 4, 1434)},
- (1, 2, 840, 113556, 1, 4, 1435): {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'msPKI-Template-Minor-Revision (1 2 840 113556 1 4 1435)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8B 1B',
- 'name': 'msPKI-Template-Minor-Revision',
- 'oid': (1, 2, 840, 113556, 1, 4, 1435)},
- (1, 2, 840, 113556, 1, 4, 1436): {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'msPKI-Cert-Template-OID (1 2 840 113556 1 4 1436)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8B 1C',
- 'name': 'msPKI-Cert-Template-OID',
- 'oid': (1, 2, 840, 113556, 1, 4, 1436)},
- (1, 2, 840, 113556, 1, 4, 1437): {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'msPKI-Supersede-Templates (1 2 840 113556 1 4 1437)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8B 1D',
- 'name': 'msPKI-Supersede-Templates',
- 'oid': (1, 2, 840, 113556, 1, 4, 1437)},
- (1, 2, 840, 113556, 1, 4, 1438): {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'msPKI-RA-Policies (1 2 840 113556 1 4 1438)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8B 1E',
- 'name': 'msPKI-RA-Policies',
- 'oid': (1, 2, 840, 113556, 1, 4, 1438)},
- (1, 2, 840, 113556, 1, 4, 1439): {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'msPKI-Certificate-Policy (1 2 840 113556 1 4 1439)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8B 1F',
- 'name': 'msPKI-Certificate-Policy',
- 'oid': (1, 2, 840, 113556, 1, 4, 1439)},
- (1, 2, 840, 113556, 1, 4, 1674): {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'msPKI-Certificate-Application-Policy (1 2 840 113556 1 4 1674)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8D 0A',
- 'name': 'msPKI-Certificate-Application-Policy',
- 'oid': (1, 2, 840, 113556, 1, 4, 1674)},
- (1, 2, 840, 113556, 1, 4, 1675): {'comment': 'Microsoft Cert Template - attribute',
- 'description': 'msPKI-RA-Application-Policies (1 2 840 113556 1 4 1675)',
- 'hexoid': '06 0A 2A 86 48 86 F7 14 01 04 8D 0B',
- 'name': 'msPKI-RA-Application-Policies',
- 'oid': (1, 2, 840, 113556, 1, 4, 1675)},
- (1, 2, 840, 113556, 4, 3): {'comment': 'Microsoft',
- 'description': 'microsoftExcel (1 2 840 113556 4 3)',
- 'hexoid': '06 08 2A 86 48 86 F7 14 04 03',
- 'name': 'microsoftExcel',
- 'oid': (1, 2, 840, 113556, 4, 3)},
- (1, 2, 840, 113556, 4, 4): {'comment': 'Microsoft',
- 'description': 'titledWithOID (1 2 840 113556 4 4)',
- 'hexoid': '06 08 2A 86 48 86 F7 14 04 04',
- 'name': 'titledWithOID',
- 'oid': (1, 2, 840, 113556, 4, 4)},
- (1, 2, 840, 113556, 4, 5): {'comment': 'Microsoft',
- 'description': 'microsoftPowerPoint (1 2 840 113556 4 5)',
- 'hexoid': '06 08 2A 86 48 86 F7 14 04 05',
- 'name': 'microsoftPowerPoint',
- 'oid': (1, 2, 840, 113556, 4, 5)},
- (1, 2, 840, 114021, 1, 6, 1): {'comment': 'Identrus',
- 'description': 'Identrus unknown policyIdentifier (1 2 840 114021 1 6 1)',
- 'hexoid': '06 09 2A 86 48 86 FA 65 01 06 01',
- 'name': 'Identrus',
- 'oid': (1, 2, 840, 114021, 1, 6, 1)},
- (1, 2, 840, 114021, 4, 1): {'comment': 'Identrus',
- 'description': 'identrusOCSP (1 2 840 114021 4 1)',
- 'hexoid': '06 08 2A 86 48 86 FA 65 04 01',
- 'name': 'identrusOCSP',
- 'oid': (1, 2, 840, 114021, 4, 1)},
- (1, 3, 6, 1, 4, 1, 188, 7, 1, 1): {'comment': 'Ascom Systech',
- 'description': 'ascom (1 3 6 1 4 1 188 7 1 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 81 3C 07 01 01',
- 'name': 'ascom',
- 'oid': (1, 3, 6, 1, 4, 1, 188, 7, 1, 1)},
- (1, 3, 6, 1, 4, 1, 188, 7, 1, 1, 1): {'comment': 'Ascom Systech',
- 'description': 'ideaECB (1 3 6 1 4 1 188 7 1 1 1)',
- 'hexoid': '06 0B 2B 06 01 04 01 81 3C 07 01 01 01',
- 'name': 'ideaECB',
- 'oid': (1,
- 3,
- 6,
- 1,
- 4,
- 1,
- 188,
- 7,
- 1,
- 1,
- 1)},
- (1, 3, 6, 1, 4, 1, 188, 7, 1, 1, 2): {'comment': 'Ascom Systech',
- 'description': 'ideaCBC (1 3 6 1 4 1 188 7 1 1 2)',
- 'hexoid': '06 0B 2B 06 01 04 01 81 3C 07 01 01 02',
- 'name': 'ideaCBC',
- 'oid': (1,
- 3,
- 6,
- 1,
- 4,
- 1,
- 188,
- 7,
- 1,
- 1,
- 2)},
- (1, 3, 6, 1, 4, 1, 188, 7, 1, 1, 3): {'comment': 'Ascom Systech',
- 'description': 'ideaCFB (1 3 6 1 4 1 188 7 1 1 3)',
- 'hexoid': '06 0B 2B 06 01 04 01 81 3C 07 01 01 03',
- 'name': 'ideaCFB',
- 'oid': (1,
- 3,
- 6,
- 1,
- 4,
- 1,
- 188,
- 7,
- 1,
- 1,
- 3)},
- (1, 3, 6, 1, 4, 1, 188, 7, 1, 1, 4): {'comment': 'Ascom Systech',
- 'description': 'ideaOFB (1 3 6 1 4 1 188 7 1 1 4)',
- 'hexoid': '06 0B 2B 06 01 04 01 81 3C 07 01 01 04',
- 'name': 'ideaOFB',
- 'oid': (1,
- 3,
- 6,
- 1,
- 4,
- 1,
- 188,
- 7,
- 1,
- 1,
- 4)},
- (1, 3, 6, 1, 4, 1, 311, 2, 1, 4): {'comment': 'Microsoft code signing',
- 'description': 'spcIndirectDataContext (1 3 6 1 4 1 311 2 1 4)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 02 01 04',
- 'name': 'spcIndirectDataContext',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 2, 1, 4)},
- (1, 3, 6, 1, 4, 1, 311, 2, 1, 10): {'comment': 'Microsoft code signing. Also known as policyLink',
- 'description': 'spcAgencyInfo (1 3 6 1 4 1 311 2 1 10)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 02 01 0A',
- 'name': 'spcAgencyInfo',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 2, 1, 10)},
- (1, 3, 6, 1, 4, 1, 311, 2, 1, 11): {'comment': 'Microsoft code signing',
- 'description': 'spcStatementType (1 3 6 1 4 1 311 2 1 11)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 02 01 0B',
- 'name': 'spcStatementType',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 2, 1, 11)},
- (1, 3, 6, 1, 4, 1, 311, 2, 1, 12): {'comment': 'Microsoft code signing',
- 'description': 'spcSpOpusInfo (1 3 6 1 4 1 311 2 1 12)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 02 01 0C',
- 'name': 'spcSpOpusInfo',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 2, 1, 12)},
- (1, 3, 6, 1, 4, 1, 311, 2, 1, 14): {'comment': 'Microsoft',
- 'description': 'certReqExtensions (1 3 6 1 4 1 311 2 1 14)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 02 01 0E',
- 'name': 'certReqExtensions',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 2, 1, 14)},
- (1, 3, 6, 1, 4, 1, 311, 2, 1, 15): {'comment': 'Microsoft code signing',
- 'description': 'spcPEImageData (1 3 6 1 4 1 311 2 1 15)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 02 01 0F',
- 'name': 'spcPEImageData',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 2, 1, 15)},
- (1, 3, 6, 1, 4, 1, 311, 2, 1, 18): {'comment': 'Microsoft code signing',
- 'description': 'spcRawFileData (1 3 6 1 4 1 311 2 1 18)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 02 01 12',
- 'name': 'spcRawFileData',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 2, 1, 18)},
- (1, 3, 6, 1, 4, 1, 311, 2, 1, 19): {'comment': 'Microsoft code signing',
- 'description': 'spcStructuredStorageData (1 3 6 1 4 1 311 2 1 19)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 02 01 13',
- 'name': 'spcStructuredStorageData',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 2, 1, 19)},
- (1, 3, 6, 1, 4, 1, 311, 2, 1, 20): {'comment': 'Microsoft code signing. Formerly "link extension" aka "glue extension"',
- 'description': 'spcJavaClassData (type 1) (1 3 6 1 4 1 311 2 1 20)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 02 01 14',
- 'name': 'spcJavaClassData',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 2, 1, 20)},
- (1, 3, 6, 1, 4, 1, 311, 2, 1, 21): {'comment': 'Microsoft',
- 'description': 'individualCodeSigning (1 3 6 1 4 1 311 2 1 21)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 02 01 15',
- 'name': 'individualCodeSigning',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 2, 1, 21)},
- (1, 3, 6, 1, 4, 1, 311, 2, 1, 22): {'comment': 'Microsoft',
- 'description': 'commercialCodeSigning (1 3 6 1 4 1 311 2 1 22)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 02 01 16',
- 'name': 'commercialCodeSigning',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 2, 1, 22)},
- (1, 3, 6, 1, 4, 1, 311, 2, 1, 25): {'comment': 'Microsoft code signing. Also known as "glue extension"',
- 'description': 'spcLink (type 2) (1 3 6 1 4 1 311 2 1 25)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 02 01 19',
- 'name': 'spcLink',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 2, 1, 25)},
- (1, 3, 6, 1, 4, 1, 311, 2, 1, 26): {'comment': 'Microsoft code signing',
- 'description': 'spcMinimalCriteriaInfo (1 3 6 1 4 1 311 2 1 26)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 02 01 1A',
- 'name': 'spcMinimalCriteriaInfo',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 2, 1, 26)},
- (1, 3, 6, 1, 4, 1, 311, 2, 1, 27): {'comment': 'Microsoft code signing',
- 'description': 'spcFinancialCriteriaInfo (1 3 6 1 4 1 311 2 1 27)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 02 01 1B',
- 'name': 'spcFinancialCriteriaInfo',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 2, 1, 27)},
- (1, 3, 6, 1, 4, 1, 311, 2, 1, 28): {'comment': 'Microsoft code signing. Also known as "glue extension"',
- 'description': 'spcLink (type 3) (1 3 6 1 4 1 311 2 1 28)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 02 01 1C',
- 'name': 'spcLink',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 2, 1, 28)},
- (1, 3, 6, 1, 4, 1, 311, 3, 2, 1): {'comment': 'Microsoft code signing',
- 'description': 'timestampRequest (1 3 6 1 4 1 311 3 2 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 03 02 01',
- 'name': 'timestampRequest',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 3, 2, 1)},
- (1, 3, 6, 1, 4, 1, 311, 10, 1): {'comment': 'Microsoft PKCS #7 contentType',
- 'description': 'certTrustList (1 3 6 1 4 1 311 10 1)',
- 'hexoid': '06 09 2B 06 01 04 01 82 37 0A 01',
- 'name': 'certTrustList',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 10, 1)},
- (1, 3, 6, 1, 4, 1, 311, 10, 2): {'comment': 'Microsoft',
- 'description': 'nextUpdateLocation (1 3 6 1 4 1 311 10 2)',
- 'hexoid': '06 09 2B 06 01 04 01 82 37 0A 02',
- 'name': 'nextUpdateLocation',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 10, 2)},
- (1, 3, 6, 1, 4, 1, 311, 10, 3, 1): {'comment': 'Microsoft enhanced key usage',
- 'description': 'certTrustListSigning (1 3 6 1 4 1 311 10 3 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 0A 03 01',
- 'name': 'certTrustListSigning',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 10, 3, 1)},
- (1, 3, 6, 1, 4, 1, 311, 10, 3, 2): {'comment': 'Microsoft enhanced key usage',
- 'description': 'timeStampSigning (1 3 6 1 4 1 311 10 3 2)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 0A 03 02',
- 'name': 'timeStampSigning',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 10, 3, 2)},
- (1, 3, 6, 1, 4, 1, 311, 10, 3, 3): {'comment': 'Microsoft enhanced key usage',
- 'description': 'serverGatedCrypto (1 3 6 1 4 1 311 10 3 3)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 0A 03 03',
- 'name': 'serverGatedCrypto',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 10, 3, 3)},
- (1, 3, 6, 1, 4, 1, 311, 10, 3, 4): {'comment': 'Microsoft enhanced key usage',
- 'description': 'encryptedFileSystem (1 3 6 1 4 1 311 10 3 4)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 0A 03 04',
- 'name': 'encryptedFileSystem',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 10, 3, 4)},
- (1, 3, 6, 1, 4, 1, 311, 10, 4, 1): {'comment': 'Microsoft attribute',
- 'description': 'yesnoTrustAttr (1 3 6 1 4 1 311 10 4 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 0A 04 01',
- 'name': 'yesnoTrustAttr',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 10, 4, 1)},
- (1, 3, 6, 1, 4, 1, 311, 13, 1): {'comment': 'Microsoft attribute',
- 'description': 'renewalCertificate (1 3 6 1 4 1 311 13 1)',
- 'hexoid': '06 09 2B 06 01 04 01 82 37 0D 01',
- 'name': 'renewalCertificate',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 13, 1)},
- (1, 3, 6, 1, 4, 1, 311, 13, 2, 1): {'comment': 'Microsoft attribute',
- 'description': 'enrolmentNameValuePair (1 3 6 1 4 1 311 13 2 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 0D 02 01',
- 'name': 'enrolmentNameValuePair',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 13, 2, 1)},
- (1, 3, 6, 1, 4, 1, 311, 13, 2, 2): {'comment': 'Microsoft attribute',
- 'description': 'enrolmentCSP (1 3 6 1 4 1 311 13 2 2)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 0D 02 02',
- 'name': 'enrolmentCSP',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 13, 2, 2)},
- (1, 3, 6, 1, 4, 1, 311, 13, 2, 3): {'comment': 'Microsoft attribute',
- 'description': 'osVersion (1 3 6 1 4 1 311 13 2 3)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 0D 02 03',
- 'name': 'osVersion',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 13, 2, 3)},
- (1, 3, 6, 1, 4, 1, 311, 16, 4): {'comment': 'Microsoft attribute',
- 'description': 'microsoftRecipientInfo (1 3 6 1 4 1 311 16 4)',
- 'hexoid': '06 09 2B 06 01 04 01 82 37 10 04',
- 'name': 'microsoftRecipientInfo',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 16, 4)},
- (1, 3, 6, 1, 4, 1, 311, 20, 2): {'comment': 'Microsoft CAPICOM certificate template, V1',
- 'description': 'enrollCerttypeExtension (1 3 6 1 4 1 311 20 2)',
- 'hexoid': '06 09 2B 06 01 04 01 82 37 14 02',
- 'name': 'enrollCerttypeExtension',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 20, 2)},
- (1, 3, 6, 1, 4, 1, 311, 20, 2, 3): {'comment': 'Microsoft UPN',
- 'description': 'universalPrincipalName (1 3 6 1 4 1 311 20 2 3)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 14 02 03',
- 'name': 'universalPrincipalName',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 20, 2, 3)},
- (1, 3, 6, 1, 4, 1, 311, 21, 1): {'comment': 'Microsoft attribute',
- 'description': 'cAKeyCertIndexPair (1 3 6 1 4 1 311 21 1)',
- 'hexoid': '06 09 2B 06 01 04 01 82 37 15 01',
- 'name': 'cAKeyCertIndexPair',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 21, 1)},
- (1, 3, 6, 1, 4, 1, 311, 21, 7): {'comment': 'Microsoft CAPICOM certificate template, V2',
- 'description': 'certificateTemplate (1 3 6 1 4 1 311 21 7)',
- 'hexoid': '06 09 2B 06 01 04 01 82 37 15 07',
- 'name': 'certificateTemplate',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 21, 7)},
- (1, 3, 6, 1, 4, 1, 311, 21, 13): {'comment': 'Microsoft attribute',
- 'description': 'archivedKey (1 3 6 1 4 1 311 21 13)',
- 'hexoid': '06 09 2B 06 01 04 01 82 37 15 0D',
- 'name': 'archivedKey',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 21, 13)},
- (1, 3, 6, 1, 4, 1, 311, 21, 20): {'comment': 'Microsoft attribute',
- 'description': 'requestClientInfo (1 3 6 1 4 1 311 21 20)',
- 'hexoid': '06 09 2B 06 01 04 01 82 37 15 14',
- 'name': 'requestClientInfo',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 21, 20)},
- (1, 3, 6, 1, 4, 1, 311, 21, 21): {'comment': 'Microsoft attribute',
- 'description': 'encryptedKeyHash (1 3 6 1 4 1 311 21 21)',
- 'hexoid': '06 09 2B 06 01 04 01 82 37 15 15',
- 'name': 'encryptedKeyHash',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 21, 21)},
- (1, 3, 6, 1, 4, 1, 311, 47, 1, 1): {'comment': 'Microsoft extended key usage',
- 'description': 'systemHealth (1 3 6 1 4 1 311 47 1 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 2F 01 01',
- 'name': 'systemHealth',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 47, 1, 1)},
- (1, 3, 6, 1, 4, 1, 311, 47, 1, 3): {'comment': 'Microsoft extended key usage',
- 'description': 'systemHealthLoophole (1 3 6 1 4 1 311 47 1 3)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 2F 01 03',
- 'name': 'systemHealthLoophole',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 47, 1, 3)},
- (1, 3, 6, 1, 4, 1, 311, 88, 2, 1): {'comment': 'Microsoft attribute',
- 'description': 'originalFilename (1 3 6 1 4 1 311 88 2 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 82 37 58 02 01',
- 'name': 'originalFilename',
- 'oid': (1, 3, 6, 1, 4, 1, 311, 88, 2, 1)},
- (1, 3, 6, 1, 4, 1, 2428, 10, 1, 1): {'comment': 'UNINETT PCA',
- 'description': 'UNINETT policyIdentifier (1 3 6 1 4 1 2428 10 1 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 92 7C 0A 01 01',
- 'name': 'UNINETT',
- 'oid': (1,
- 3,
- 6,
- 1,
- 4,
- 1,
- 2428,
- 10,
- 1,
- 1)},
- (1, 3, 6, 1, 4, 1, 2712, 10): {'comment': 'ICE-TEL CA',
- 'description': 'ICE-TEL policyIdentifier (1 3 6 1 4 1 2712 10)',
- 'hexoid': '06 08 2B 06 01 04 01 95 18 0A',
- 'name': 'ICE-TEL',
- 'oid': (1, 3, 6, 1, 4, 1, 2712, 10)},
- (1, 3, 6, 1, 4, 1, 2786, 1, 1, 1): {'comment': 'ICE-TEL CA policy',
- 'description': 'ICE-TEL Italian policyIdentifier (1 3 6 1 4 1 2786 1 1 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 95 62 01 01 01',
- 'name': 'ICE-TEL',
- 'oid': (1, 3, 6, 1, 4, 1, 2786, 1, 1, 1)},
- (1, 3, 6, 1, 4, 1, 3029, 1, 1, 1): {'comment': 'cryptlib encryption algorithm',
- 'description': 'blowfishECB (1 3 6 1 4 1 3029 1 1 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 97 55 01 01 01',
- 'name': 'blowfishECB',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 1, 1, 1)},
- (1, 3, 6, 1, 4, 1, 3029, 1, 1, 2): {'comment': 'cryptlib encryption algorithm',
- 'description': 'blowfishCBC (1 3 6 1 4 1 3029 1 1 2)',
- 'hexoid': '06 0A 2B 06 01 04 01 97 55 01 01 02',
- 'name': 'blowfishCBC',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 1, 1, 2)},
- (1, 3, 6, 1, 4, 1, 3029, 1, 1, 3): {'comment': 'cryptlib encryption algorithm',
- 'description': 'blowfishCFB (1 3 6 1 4 1 3029 1 1 3)',
- 'hexoid': '06 0A 2B 06 01 04 01 97 55 01 01 03',
- 'name': 'blowfishCFB',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 1, 1, 3)},
- (1, 3, 6, 1, 4, 1, 3029, 1, 1, 4): {'comment': 'cryptlib encryption algorithm',
- 'description': 'blowfishOFB (1 3 6 1 4 1 3029 1 1 4)',
- 'hexoid': '06 0A 2B 06 01 04 01 97 55 01 01 04',
- 'name': 'blowfishOFB',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 1, 1, 4)},
- (1, 3, 6, 1, 4, 1, 3029, 1, 2, 1): {'comment': 'cryptlib public-key algorithm',
- 'description': 'elgamal (1 3 6 1 4 1 3029 1 2 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 97 55 01 02 01',
- 'name': 'elgamal',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 1, 2, 1)},
- (1, 3, 6, 1, 4, 1, 3029, 1, 2, 1, 1): {'comment': 'cryptlib public-key algorithm',
- 'description': 'elgamalWithSHA-1 (1 3 6 1 4 1 3029 1 2 1 1)',
- 'hexoid': '06 0B 2B 06 01 04 01 97 55 01 02 01 01',
- 'name': 'elgamalWithSHA-1',
- 'oid': (1,
- 3,
- 6,
- 1,
- 4,
- 1,
- 3029,
- 1,
- 2,
- 1,
- 1)},
- (1, 3, 6, 1, 4, 1, 3029, 1, 2, 1, 2): {'comment': 'cryptlib public-key algorithm',
- 'description': 'elgamalWithRIPEMD-160 (1 3 6 1 4 1 3029 1 2 1 2)',
- 'hexoid': '06 0B 2B 06 01 04 01 97 55 01 02 01 02',
- 'name': 'elgamalWithRIPEMD-160',
- 'oid': (1,
- 3,
- 6,
- 1,
- 4,
- 1,
- 3029,
- 1,
- 2,
- 1,
- 2)},
- (1, 3, 6, 1, 4, 1, 3029, 3, 1, 1): {'comment': 'cryptlib attribute type',
- 'description': 'cryptlibPresenceCheck (1 3 6 1 4 1 3029 3 1 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 97 55 03 01 01',
- 'name': 'cryptlibPresenceCheck',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 3, 1, 1)},
- (1, 3, 6, 1, 4, 1, 3029, 3, 1, 2): {'comment': 'cryptlib attribute type',
- 'description': 'pkiBoot (1 3 6 1 4 1 3029 3 1 2)',
- 'hexoid': '06 0A 2B 06 01 04 01 97 55 03 01 02',
- 'name': 'pkiBoot',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 3, 1, 2)},
- (1, 3, 6, 1, 4, 1, 3029, 3, 1, 4): {'comment': 'cryptlib attribute type',
- 'description': 'crlExtReason (1 3 6 1 4 1 3029 3 1 4)',
- 'hexoid': '06 0A 2B 06 01 04 01 97 55 03 01 04',
- 'name': 'crlExtReason',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 3, 1, 4)},
- (1, 3, 6, 1, 4, 1, 3029, 3, 1, 5): {'comment': 'cryptlib attribute type',
- 'description': 'keyFeatures (1 3 6 1 4 1 3029 3 1 5)',
- 'hexoid': '06 0A 2B 06 01 04 01 97 55 03 01 05',
- 'name': 'keyFeatures',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 3, 1, 5)},
- (1, 3, 6, 1, 4, 1, 3029, 4, 1): {'comment': 'cryptlib',
- 'description': 'cryptlibContent (1 3 6 1 4 1 3029 4 1)',
- 'hexoid': '06 09 2B 06 01 04 01 97 55 04 01',
- 'name': 'cryptlibContent',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 4, 1)},
- (1, 3, 6, 1, 4, 1, 3029, 4, 1, 1): {'comment': 'cryptlib content type',
- 'description': 'cryptlibConfigData (1 3 6 1 4 1 3029 4 1 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 97 55 04 01 01',
- 'name': 'cryptlibConfigData',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 4, 1, 1)},
- (1, 3, 6, 1, 4, 1, 3029, 4, 1, 2): {'comment': 'cryptlib content type',
- 'description': 'cryptlibUserIndex (1 3 6 1 4 1 3029 4 1 2)',
- 'hexoid': '06 0A 2B 06 01 04 01 97 55 04 01 02',
- 'name': 'cryptlibUserIndex',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 4, 1, 2)},
- (1, 3, 6, 1, 4, 1, 3029, 4, 1, 3): {'comment': 'cryptlib content type',
- 'description': 'cryptlibUserInfo (1 3 6 1 4 1 3029 4 1 3)',
- 'hexoid': '06 0A 2B 06 01 04 01 97 55 04 01 03',
- 'name': 'cryptlibUserInfo',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 4, 1, 3)},
- (1, 3, 6, 1, 4, 1, 3029, 4, 1, 4): {'comment': 'cryptlib content type',
- 'description': 'rtcsRequest (1 3 6 1 4 1 3029 4 1 4)',
- 'hexoid': '06 0A 2B 06 01 04 01 97 55 04 01 04',
- 'name': 'rtcsRequest',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 4, 1, 4)},
- (1, 3, 6, 1, 4, 1, 3029, 4, 1, 5): {'comment': 'cryptlib content type',
- 'description': 'rtcsResponse (1 3 6 1 4 1 3029 4 1 5)',
- 'hexoid': '06 0A 2B 06 01 04 01 97 55 04 01 05',
- 'name': 'rtcsResponse',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 4, 1, 5)},
- (1, 3, 6, 1, 4, 1, 3029, 4, 1, 6): {'comment': 'cryptlib content type',
- 'description': 'rtcsResponseExt (1 3 6 1 4 1 3029 4 1 6)',
- 'hexoid': '06 0A 2B 06 01 04 01 97 55 04 01 06',
- 'name': 'rtcsResponseExt',
- 'oid': (1, 3, 6, 1, 4, 1, 3029, 4, 1, 6)},
- (1, 3, 6, 1, 4, 1, 3029, 42, 11172, 1): {'comment': 'cryptlib special MPEG-of-cat OID',
- 'description': 'mpeg-1 (1 3 6 1 4 1 3029 42 11172 1)',
- 'hexoid': '06 0B 2B 06 01 04 01 97 55 2A D7 24 01',
- 'name': 'mpeg-1',
- 'oid': (1,
- 3,
- 6,
- 1,
- 4,
- 1,
- 3029,
- 42,
- 11172,
- 1)},
- (1, 3, 6, 1, 4, 1, 3029, 88, 89, 90, 90, 89): {'comment': 'cryptlib certificate policy',
- 'description': 'xYZZY policyIdentifier (1 3 6 1 4 1 3029 88 89 90 90 89)',
- 'hexoid': '06 0C 2B 06 01 04 01 97 55 58 59 5A 5A 59',
- 'name': 'xYZZY',
- 'oid': (1,
- 3,
- 6,
- 1,
- 4,
- 1,
- 3029,
- 88,
- 89,
- 90,
- 90,
- 89)},
- (1, 3, 6, 1, 4, 1, 3401, 8, 1, 1): {'comment': 'PGP key information',
- 'description': 'pgpExtension (1 3 6 1 4 1 3401 8 1 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 9A 49 08 01 01',
- 'name': 'pgpExtension',
- 'oid': (1, 3, 6, 1, 4, 1, 3401, 8, 1, 1)},
- (1, 3, 6, 1, 4, 1, 3576, 7): {'comment': 'TMN EDI for Interactive Agents',
- 'description': 'eciaAscX12Edi (1 3 6 1 4 1 3576 7)',
- 'hexoid': '06 08 2B 06 01 04 01 9B 78 07',
- 'name': 'eciaAscX12Edi',
- 'oid': (1, 3, 6, 1, 4, 1, 3576, 7)},
- (1, 3, 6, 1, 4, 1, 3576, 7, 1): {'comment': 'TMN EDI for Interactive Agents',
- 'description': 'plainEDImessage (1 3 6 1 4 1 3576 7 1)',
- 'hexoid': '06 09 2B 06 01 04 01 9B 78 07 01',
- 'name': 'plainEDImessage',
- 'oid': (1, 3, 6, 1, 4, 1, 3576, 7, 1)},
- (1, 3, 6, 1, 4, 1, 3576, 7, 2): {'comment': 'TMN EDI for Interactive Agents',
- 'description': 'signedEDImessage (1 3 6 1 4 1 3576 7 2)',
- 'hexoid': '06 09 2B 06 01 04 01 9B 78 07 02',
- 'name': 'signedEDImessage',
- 'oid': (1, 3, 6, 1, 4, 1, 3576, 7, 2)},
- (1, 3, 6, 1, 4, 1, 3576, 7, 5): {'comment': 'TMN EDI for Interactive Agents',
- 'description': 'integrityEDImessage (1 3 6 1 4 1 3576 7 5)',
- 'hexoid': '06 09 2B 06 01 04 01 9B 78 07 05',
- 'name': 'integrityEDImessage',
- 'oid': (1, 3, 6, 1, 4, 1, 3576, 7, 5)},
- (1, 3, 6, 1, 4, 1, 3576, 7, 65): {'comment': 'TMN EDI for Interactive Agents',
- 'description': 'iaReceiptMessage (1 3 6 1 4 1 3576 7 65)',
- 'hexoid': '06 09 2B 06 01 04 01 9B 78 07 41',
- 'name': 'iaReceiptMessage',
- 'oid': (1, 3, 6, 1, 4, 1, 3576, 7, 65)},
- (1, 3, 6, 1, 4, 1, 3576, 7, 97): {'comment': 'TMN EDI for Interactive Agents',
- 'description': 'iaStatusMessage (1 3 6 1 4 1 3576 7 97)',
- 'hexoid': '06 09 2B 06 01 04 01 9B 78 07 61',
- 'name': 'iaStatusMessage',
- 'oid': (1, 3, 6, 1, 4, 1, 3576, 7, 97)},
- (1, 3, 6, 1, 4, 1, 3576, 8): {'comment': 'TMN EDI for Interactive Agents',
- 'description': 'eciaEdifact (1 3 6 1 4 1 3576 8)',
- 'hexoid': '06 08 2B 06 01 04 01 9B 78 08',
- 'name': 'eciaEdifact',
- 'oid': (1, 3, 6, 1, 4, 1, 3576, 8)},
- (1, 3, 6, 1, 4, 1, 3576, 9): {'comment': 'TMN EDI for Interactive Agents',
- 'description': 'eciaNonEdi (1 3 6 1 4 1 3576 9)',
- 'hexoid': '06 08 2B 06 01 04 01 9B 78 09',
- 'name': 'eciaNonEdi',
- 'oid': (1, 3, 6, 1, 4, 1, 3576, 9)},
- (1, 3, 6, 1, 4, 1, 5472): {'comment': 'enterprise',
- 'description': 'timeproof (1 3 6 1 4 1 5472)',
- 'hexoid': '06 07 2B 06 01 04 01 AA 60',
- 'name': 'timeproof',
- 'oid': (1, 3, 6, 1, 4, 1, 5472)},
- (1, 3, 6, 1, 4, 1, 5472, 1): {'comment': 'timeproof',
- 'description': 'tss (1 3 6 1 4 1 5472 1)',
- 'hexoid': '06 08 2B 06 01 04 01 AA 60 01',
- 'name': 'tss',
- 'oid': (1, 3, 6, 1, 4, 1, 5472, 1)},
- (1, 3, 6, 1, 4, 1, 5472, 1, 1): {'comment': 'timeproof TSS',
- 'description': 'tss80 (1 3 6 1 4 1 5472 1 1)',
- 'hexoid': '06 09 2B 06 01 04 01 AA 60 01 01',
- 'name': 'tss80',
- 'oid': (1, 3, 6, 1, 4, 1, 5472, 1, 1)},
- (1, 3, 6, 1, 4, 1, 5472, 1, 2): {'comment': 'timeproof TSS',
- 'description': 'tss380 (1 3 6 1 4 1 5472 1 2)',
- 'hexoid': '06 09 2B 06 01 04 01 AA 60 01 02',
- 'name': 'tss380',
- 'oid': (1, 3, 6, 1, 4, 1, 5472, 1, 2)},
- (1, 3, 6, 1, 4, 1, 5472, 1, 3): {'comment': 'timeproof TSS',
- 'description': 'tss400 (1 3 6 1 4 1 5472 1 3)',
- 'hexoid': '06 09 2B 06 01 04 01 AA 60 01 03',
- 'name': 'tss400',
- 'oid': (1, 3, 6, 1, 4, 1, 5472, 1, 3)},
- (1, 3, 6, 1, 4, 1, 5770, 0, 3): {'comment': 'MEDePass',
- 'description': 'secondaryPractices (1 3 6 1 4 1 5770 0 3)',
- 'hexoid': '06 09 2B 06 01 04 01 AD 0A 00 03',
- 'name': 'secondaryPractices',
- 'oid': (1, 3, 6, 1, 4, 1, 5770, 0, 3)},
- (1, 3, 6, 1, 4, 1, 5770, 0, 4): {'comment': 'MEDePass',
- 'description': 'physicianIdentifiers (1 3 6 1 4 1 5770 0 4)',
- 'hexoid': '06 09 2B 06 01 04 01 AD 0A 00 04',
- 'name': 'physicianIdentifiers',
- 'oid': (1, 3, 6, 1, 4, 1, 5770, 0, 4)},
- (1, 3, 6, 1, 4, 1, 6449, 1, 2, 1, 3, 1): {'comment': 'Comodo CA',
- 'description': 'comodoPolicy (1 3 6 1 4 1 6449 1 2 1 3 1)',
- 'hexoid': '06 0C 2B 06 01 04 01 B2 31 01 02 01 03 01',
- 'name': 'comodoPolicy',
- 'oid': (1,
- 3,
- 6,
- 1,
- 4,
- 1,
- 6449,
- 1,
- 2,
- 1,
- 3,
- 1)},
- (1, 3, 6, 1, 4, 1, 6449, 1, 3, 5, 2): {'comment': 'Comodo CA',
- 'description': 'comodoCertifiedDeliveryService (1 3 6 1 4 1 6449 1 3 5 2)',
- 'hexoid': '06 0B 2B 06 01 04 01 B2 31 01 03 05 02',
- 'name': 'comodoCertifiedDeliveryService',
- 'oid': (1,
- 3,
- 6,
- 1,
- 4,
- 1,
- 6449,
- 1,
- 3,
- 5,
- 2)},
- (1, 3, 6, 1, 4, 1, 8231, 1): {'comment': 'Chilean Government national unique roll number',
- 'description': 'rolUnicoNacional (1 3 6 1 4 1 8231 1)',
- 'hexoid': '06 08 2B 06 01 04 01 C0 27 01',
- 'name': 'rolUnicoNacional',
- 'oid': (1, 3, 6, 1, 4, 1, 8231, 1)},
- (1, 3, 6, 1, 4, 1, 8301, 3, 5): {'comment': 'TU Darmstadt ValidityModel',
- 'description': 'validityModel (1 3 6 1 4 1 8301 3 5)',
- 'hexoid': '06 09 2B 06 01 04 01 C0 6D 03 05',
- 'name': 'validityModel',
- 'oid': (1, 3, 6, 1, 4, 1, 8301, 3, 5)},
- (1, 3, 6, 1, 4, 1, 8301, 3, 5, 1): {'comment': 'TU Darmstadt ValidityModel',
- 'description': 'validityModelChain (1 3 6 1 4 1 8301 3 5 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 C0 6D 03 05 01',
- 'name': 'validityModelChain',
- 'oid': (1, 3, 6, 1, 4, 1, 8301, 3, 5, 1)},
- (1, 3, 6, 1, 4, 1, 8301, 3, 5, 2): {'comment': 'ValidityModel',
- 'description': 'validityModelShell (1 3 6 1 4 1 8301 3 5 2)',
- 'hexoid': '06 0A 2B 06 01 04 01 C0 6D 03 05 02',
- 'name': 'validityModelShell',
- 'oid': (1, 3, 6, 1, 4, 1, 8301, 3, 5, 2)},
- (1, 3, 6, 1, 4, 1, 11591): {'comment': 'GNU Project (see http://www.gnupg.org/oids.html)',
- 'description': 'gnu (1 3 6 1 4 1 11591)',
- 'hexoid': '06 07 2B 06 01 04 01 DA 47',
- 'name': 'gnu',
- 'oid': (1, 3, 6, 1, 4, 1, 11591)},
- (1, 3, 6, 1, 4, 1, 11591, 1): {'comment': 'GNU Radius',
- 'description': 'gnuRadius (1 3 6 1 4 1 11591 1)',
- 'hexoid': '06 08 2B 06 01 04 01 DA 47 01',
- 'name': 'gnuRadius',
- 'oid': (1, 3, 6, 1, 4, 1, 11591, 1)},
- (1, 3, 6, 1, 4, 1, 11591, 3): {'comment': 'GNU Radar',
- 'description': 'gnuRadar (1 3 6 1 4 1 11591 3)',
- 'hexoid': '06 08 2B 06 01 04 01 DA 47 03',
- 'name': 'gnuRadar',
- 'oid': (1, 3, 6, 1, 4, 1, 11591, 3)},
- (1, 3, 6, 1, 4, 1, 11591, 12): {'comment': 'GNU digest algorithm',
- 'description': 'gnuDigestAlgorithm (1 3 6 1 4 1 11591 12)',
- 'hexoid': '06 08 2B 06 01 04 01 DA 47 0C',
- 'name': 'gnuDigestAlgorithm',
- 'oid': (1, 3, 6, 1, 4, 1, 11591, 12)},
- (1, 3, 6, 1, 4, 1, 11591, 12, 2): {'comment': 'GNU digest algorithm',
- 'description': 'tiger (1 3 6 1 4 1 11591 12 2)',
- 'hexoid': '06 09 2B 06 01 04 01 DA 47 0C 02',
- 'name': 'tiger',
- 'oid': (1, 3, 6, 1, 4, 1, 11591, 12, 2)},
- (1, 3, 6, 1, 4, 1, 11591, 13): {'comment': 'GNU encryption algorithm',
- 'description': 'gnuEncryptionAlgorithm (1 3 6 1 4 1 11591 13)',
- 'hexoid': '06 08 2B 06 01 04 01 DA 47 0D',
- 'name': 'gnuEncryptionAlgorithm',
- 'oid': (1, 3, 6, 1, 4, 1, 11591, 13)},
- (1, 3, 6, 1, 4, 1, 11591, 13, 2): {'comment': 'GNU encryption algorithm',
- 'description': 'serpent (1 3 6 1 4 1 11591 13 2)',
- 'hexoid': '06 09 2B 06 01 04 01 DA 47 0D 02',
- 'name': 'serpent',
- 'oid': (1, 3, 6, 1, 4, 1, 11591, 13, 2)},
- (1, 3, 6, 1, 4, 1, 11591, 13, 2, 1): {'comment': 'GNU encryption algorithm',
- 'description': 'serpent128_ECB (1 3 6 1 4 1 11591 13 2 1)',
- 'hexoid': '06 0A 2B 06 01 04 01 DA 47 0D 02 01',
- 'name': 'serpent128_ECB',
- 'oid': (1,
- 3,
- 6,
- 1,
- 4,
- 1,
- 11591,
- 13,
- 2,
- 1)},
- (1, 3, 6, 1, 4, 1, 11591, 13, 2, 2): {'comment': 'GNU encryption algorithm',
- 'description': 'serpent128_CBC (1 3 6 1 4 1 11591 13 2 2)',
- 'hexoid': '06 0A 2B 06 01 04 01 DA 47 0D 02 02',
- 'name': 'serpent128_CBC',
- 'oid': (1,
- 3,
- 6,
- 1,
- 4,
- 1,
- 11591,
- 13,
- 2,
- 2)},
- (1, 3, 6, 1, 4, 1, 11591, 13, 2, 3): {'comment': 'GNU encryption algorithm',
- 'description': 'serpent128_OFB (1 3 6 1 4 1 11591 13 2 3)',
- 'hexoid': '06 0A 2B 06 01 04 01 DA 47 0D 02 03',
- 'name': 'serpent128_OFB',
- 'oid': (1,
- 3,
- 6,
- 1,
- 4,
- 1,
- 11591,
- 13,
- 2,
- 3)},
- (1, 3, 6, 1, 4, 1, 11591, 13, 2, 4): {'comment': 'GNU encryption algorithm',
- 'description': 'serpent128_CFB (1 3 6 1 4 1 11591 13 2 4)',
- 'hexoid': '06 0A 2B 06 01 04 01 DA 47 0D 02 04',
- 'name': 'serpent128_CFB',
- 'oid': (1,
- 3,
- 6,
- 1,
- 4,
- 1,
- 11591,
- 13,
- 2,
- 4)},
- (1, 3, 6, 1, 4, 1, 11591, 13, 2, 21): {'comment': 'GNU encryption algorithm',
- 'description': 'serpent192_ECB (1 3 6 1 4 1 11591 13 2 21)',
- 'hexoid': '06 0A 2B 06 01 04 01 DA 47 0D 02 15',
- 'name': 'serpent192_ECB',
- 'oid': (1,
- 3,
- 6,
- 1,
- 4,
- 1,
- 11591,
- 13,
- 2,
- 21)},
- (1, 3, 6, 1, 4, 1, 11591, 13, 2, 22): {'comment': 'GNU encryption algorithm',
- 'description': 'serpent192_CBC (1 3 6 1 4 1 11591 13 2 22)',
- 'hexoid': '06 0A 2B 06 01 04 01 DA 47 0D 02 16',
- 'name': 'serpent192_CBC',
- 'oid': (1,
- 3,
- 6,
- 1,
- 4,
- 1,
- 11591,
- 13,
- 2,
- 22)},
- (1, 3, 6, 1, 4, 1, 11591, 13, 2, 23): {'comment': 'GNU encryption algorithm',
- 'description': 'serpent192_OFB (1 3 6 1 4 1 11591 13 2 23)',
- 'hexoid': '06 0A 2B 06 01 04 01 DA 47 0D 02 17',
- 'name': 'serpent192_OFB',
- 'oid': (1,
- 3,
- 6,
- 1,
- 4,
- 1,
- 11591,
- 13,
- 2,
- 23)},
- (1, 3, 6, 1, 4, 1, 11591, 13, 2, 24): {'comment': 'GNU encryption algorithm',
- 'description': 'serpent192_CFB (1 3 6 1 4 1 11591 13 2 24)',
- 'hexoid': '06 0A 2B 06 01 04 01 DA 47 0D 02 18',
- 'name': 'serpent192_CFB',
- 'oid': (1,
- 3,
- 6,
- 1,
- 4,
- 1,
- 11591,
- 13,
- 2,
- 24)},
- (1, 3, 6, 1, 4, 1, 11591, 13, 2, 41): {'comment': 'GNU encryption algorithm',
- 'description': 'serpent256_ECB (1 3 6 1 4 1 11591 13 2 41)',
- 'hexoid': '06 0A 2B 06 01 04 01 DA 47 0D 02 29',
- 'name': 'serpent256_ECB',
- 'oid': (1,
- 3,
- 6,
- 1,
- 4,
- 1,
- 11591,
- 13,
- 2,
- 41)},
- (1, 3, 6, 1, 4, 1, 11591, 13, 2, 42): {'comment': 'GNU encryption algorithm',
- 'description': 'serpent256_CBC (1 3 6 1 4 1 11591 13 2 42)',
- 'hexoid': '06 0A 2B 06 01 04 01 DA 47 0D 02 2A',
- 'name': 'serpent256_CBC',
- 'oid': (1,
- 3,
- 6,
- 1,
- 4,
- 1,
- 11591,
- 13,
- 2,
- 42)},
- (1, 3, 6, 1, 4, 1, 11591, 13, 2, 43): {'comment': 'GNU encryption algorithm',
- 'description': 'serpent256_OFB (1 3 6 1 4 1 11591 13 2 43)',
- 'hexoid': '06 0A 2B 06 01 04 01 DA 47 0D 02 2B',
- 'name': 'serpent256_OFB',
- 'oid': (1,
- 3,
- 6,
- 1,
- 4,
- 1,
- 11591,
- 13,
- 2,
- 43)},
- (1, 3, 6, 1, 4, 1, 11591, 13, 2, 44): {'comment': 'GNU encryption algorithm',
- 'description': 'serpent256_CFB (1 3 6 1 4 1 11591 13 2 44)',
- 'hexoid': '06 0A 2B 06 01 04 01 DA 47 0D 02 2C',
- 'name': 'serpent256_CFB',
- 'oid': (1,
- 3,
- 6,
- 1,
- 4,
- 1,
- 11591,
- 13,
- 2,
- 44)},
- (1, 3, 6, 1, 4, 1, 16334, 509, 1, 1): {'comment': 'Northrop Grumman extended key usage',
- 'description': 'Northrop Grumman extKeyUsage? (1 3 6 1 4 1 16334 509 1 1)',
- 'hexoid': '06 0B 2B 06 01 04 01 FF 4E 83 7D 01 01',
- 'name': 'Northrop',
- 'oid': (1,
- 3,
- 6,
- 1,
- 4,
- 1,
- 16334,
- 509,
- 1,
- 1)},
- (1, 3, 6, 1, 4, 1, 16334, 509, 2, 1): {'comment': 'Northrop Grumman policy',
- 'description': 'ngcClass1 (1 3 6 1 4 1 16334 509 2 1)',
- 'hexoid': '06 0B 2B 06 01 04 01 FF 4E 83 7D 02 01',
- 'name': 'ngcClass1',
- 'oid': (1,
- 3,
- 6,
- 1,
- 4,
- 1,
- 16334,
- 509,
- 2,
- 1)},
- (1, 3, 6, 1, 4, 1, 16334, 509, 2, 2): {'comment': 'Northrop Grumman policy',
- 'description': 'ngcClass2 (1 3 6 1 4 1 16334 509 2 2)',
- 'hexoid': '06 0B 2B 06 01 04 01 FF 4E 83 7D 02 02',
- 'name': 'ngcClass2',
- 'oid': (1,
- 3,
- 6,
- 1,
- 4,
- 1,
- 16334,
- 509,
- 2,
- 2)},
- (1, 3, 6, 1, 4, 1, 16334, 509, 2, 3): {'comment': 'Northrop Grumman policy',
- 'description': 'ngcClass3 (1 3 6 1 4 1 16334 509 2 3)',
- 'hexoid': '06 0B 2B 06 01 04 01 FF 4E 83 7D 02 03',
- 'name': 'ngcClass3',
- 'oid': (1,
- 3,
- 6,
- 1,
- 4,
- 1,
- 16334,
- 509,
- 2,
- 3)},
- (1, 3, 6, 1, 5, 5, 7): {'description': 'pkix (1 3 6 1 5 5 7)',
- 'hexoid': '06 06 2B 06 01 05 05 07',
- 'name': 'pkix',
- 'oid': (1, 3, 6, 1, 5, 5, 7)},
- (1, 3, 6, 1, 5, 5, 7, 0, 12): {'comment': 'PKIX',
- 'description': 'attributeCert (1 3 6 1 5 5 7 0 12)',
- 'hexoid': '06 08 2B 06 01 05 05 07 00 0C',
- 'name': 'attributeCert',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 0, 12)},
- (1, 3, 6, 1, 5, 5, 7, 1): {'comment': 'PKIX',
- 'description': 'privateExtension (1 3 6 1 5 5 7 1)',
- 'hexoid': '06 07 2B 06 01 05 05 07 01',
- 'name': 'privateExtension',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 1)},
- (1, 3, 6, 1, 5, 5, 7, 1, 1): {'comment': 'PKIX private extension',
- 'description': 'authorityInfoAccess (1 3 6 1 5 5 7 1 1)',
- 'hexoid': '06 08 2B 06 01 05 05 07 01 01',
- 'name': 'authorityInfoAccess',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 1, 1)},
- (1, 3, 6, 1, 5, 5, 7, 1, 2): {'comment': 'PKIX private extension',
- 'description': 'biometricInfo (1 3 6 1 5 5 7 1 2)',
- 'hexoid': '06 08 2B 06 01 05 05 07 01 02',
- 'name': 'biometricInfo',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 1, 2)},
- (1, 3, 6, 1, 5, 5, 7, 1, 3): {'comment': 'PKIX private extension',
- 'description': 'qcStatements (1 3 6 1 5 5 7 1 3)',
- 'hexoid': '06 08 2B 06 01 05 05 07 01 03',
- 'name': 'qcStatements',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 1, 3)},
- (1, 3, 6, 1, 5, 5, 7, 1, 4): {'comment': 'PKIX private extension',
- 'description': 'acAuditIdentity (1 3 6 1 5 5 7 1 4)',
- 'hexoid': '06 08 2B 06 01 05 05 07 01 04',
- 'name': 'acAuditIdentity',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 1, 4)},
- (1, 3, 6, 1, 5, 5, 7, 1, 5): {'comment': 'PKIX private extension',
- 'description': 'acTargeting (1 3 6 1 5 5 7 1 5)',
- 'hexoid': '06 08 2B 06 01 05 05 07 01 05',
- 'name': 'acTargeting',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 1, 5)},
- (1, 3, 6, 1, 5, 5, 7, 1, 6): {'comment': 'PKIX private extension',
- 'description': 'acAaControls (1 3 6 1 5 5 7 1 6)',
- 'hexoid': '06 08 2B 06 01 05 05 07 01 06',
- 'name': 'acAaControls',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 1, 6)},
- (1, 3, 6, 1, 5, 5, 7, 1, 7): {'comment': 'PKIX private extension',
- 'description': 'sbgp-ipAddrBlock (1 3 6 1 5 5 7 1 7)',
- 'hexoid': '06 08 2B 06 01 05 05 07 01 07',
- 'name': 'sbgp-ipAddrBlock',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 1, 7)},
- (1, 3, 6, 1, 5, 5, 7, 1, 8): {'comment': 'PKIX private extension',
- 'description': 'sbgp-autonomousSysNum (1 3 6 1 5 5 7 1 8)',
- 'hexoid': '06 08 2B 06 01 05 05 07 01 08',
- 'name': 'sbgp-autonomousSysNum',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 1, 8)},
- (1, 3, 6, 1, 5, 5, 7, 1, 9): {'comment': 'PKIX private extension',
- 'description': 'sbgp-routerIdentifier (1 3 6 1 5 5 7 1 9)',
- 'hexoid': '06 08 2B 06 01 05 05 07 01 09',
- 'name': 'sbgp-routerIdentifier',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 1, 9)},
- (1, 3, 6, 1, 5, 5, 7, 1, 10): {'comment': 'PKIX private extension',
- 'description': 'acProxying (1 3 6 1 5 5 7 1 10)',
- 'hexoid': '06 08 2B 06 01 05 05 07 01 0A',
- 'name': 'acProxying',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 1, 10)},
- (1, 3, 6, 1, 5, 5, 7, 1, 11): {'comment': 'PKIX private extension',
- 'description': 'subjectInfoAccess (1 3 6 1 5 5 7 1 11)',
- 'hexoid': '06 08 2B 06 01 05 05 07 01 0B',
- 'name': 'subjectInfoAccess',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 1, 11)},
- (1, 3, 6, 1, 5, 5, 7, 1, 12): {'comment': 'PKIX private extension',
- 'description': 'logoType (1 3 6 1 5 5 7 1 12)',
- 'hexoid': '06 08 2B 06 01 05 05 07 01 0C',
- 'name': 'logoType',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 1, 12)},
- (1, 3, 6, 1, 5, 5, 7, 2): {'comment': 'PKIX',
- 'description': 'policyQualifierIds (1 3 6 1 5 5 7 2)',
- 'hexoid': '06 07 2B 06 01 05 05 07 02',
- 'name': 'policyQualifierIds',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 2)},
- (1, 3, 6, 1, 5, 5, 7, 2, 1): {'comment': 'PKIX policy qualifier',
- 'description': 'cps (1 3 6 1 5 5 7 2 1)',
- 'hexoid': '06 08 2B 06 01 05 05 07 02 01',
- 'name': 'cps',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 2, 1)},
- (1, 3, 6, 1, 5, 5, 7, 2, 2): {'comment': 'PKIX policy qualifier',
- 'description': 'unotice (1 3 6 1 5 5 7 2 2)',
- 'hexoid': '06 08 2B 06 01 05 05 07 02 02',
- 'name': 'unotice',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 2, 2)},
- (1, 3, 6, 1, 5, 5, 7, 2, 3): {'comment': 'PKIX policy qualifier',
- 'description': 'textNotice (1 3 6 1 5 5 7 2 3)',
- 'hexoid': '06 08 2B 06 01 05 05 07 02 03',
- 'name': 'textNotice',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 2, 3)},
- (1, 3, 6, 1, 5, 5, 7, 3): {'comment': 'PKIX',
- 'description': 'keyPurpose (1 3 6 1 5 5 7 3)',
- 'hexoid': '06 07 2B 06 01 05 05 07 03',
- 'name': 'keyPurpose',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 3)},
- (1, 3, 6, 1, 5, 5, 7, 3, 1): {'comment': 'PKIX key purpose',
- 'description': 'serverAuth (1 3 6 1 5 5 7 3 1)',
- 'hexoid': '06 08 2B 06 01 05 05 07 03 01',
- 'name': 'serverAuth',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 3, 1)},
- (1, 3, 6, 1, 5, 5, 7, 3, 2): {'comment': 'PKIX key purpose',
- 'description': 'clientAuth (1 3 6 1 5 5 7 3 2)',
- 'hexoid': '06 08 2B 06 01 05 05 07 03 02',
- 'name': 'clientAuth',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 3, 2)},
- (1, 3, 6, 1, 5, 5, 7, 3, 3): {'comment': 'PKIX key purpose',
- 'description': 'codeSigning (1 3 6 1 5 5 7 3 3)',
- 'hexoid': '06 08 2B 06 01 05 05 07 03 03',
- 'name': 'codeSigning',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 3, 3)},
- (1, 3, 6, 1, 5, 5, 7, 3, 4): {'comment': 'PKIX key purpose',
- 'description': 'emailProtection (1 3 6 1 5 5 7 3 4)',
- 'hexoid': '06 08 2B 06 01 05 05 07 03 04',
- 'name': 'emailProtection',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 3, 4)},
- (1, 3, 6, 1, 5, 5, 7, 3, 5): {'comment': 'PKIX key purpose',
- 'description': 'ipsecEndSystem (1 3 6 1 5 5 7 3 5)',
- 'hexoid': '06 08 2B 06 01 05 05 07 03 05',
- 'name': 'ipsecEndSystem',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 3, 5)},
- (1, 3, 6, 1, 5, 5, 7, 3, 6): {'comment': 'PKIX key purpose',
- 'description': 'ipsecTunnel (1 3 6 1 5 5 7 3 6)',
- 'hexoid': '06 08 2B 06 01 05 05 07 03 06',
- 'name': 'ipsecTunnel',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 3, 6)},
- (1, 3, 6, 1, 5, 5, 7, 3, 7): {'comment': 'PKIX key purpose',
- 'description': 'ipsecUser (1 3 6 1 5 5 7 3 7)',
- 'hexoid': '06 08 2B 06 01 05 05 07 03 07',
- 'name': 'ipsecUser',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 3, 7)},
- (1, 3, 6, 1, 5, 5, 7, 3, 8): {'comment': 'PKIX key purpose',
- 'description': 'timeStamping (1 3 6 1 5 5 7 3 8)',
- 'hexoid': '06 08 2B 06 01 05 05 07 03 08',
- 'name': 'timeStamping',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 3, 8)},
- (1, 3, 6, 1, 5, 5, 7, 3, 9): {'comment': 'PKIX key purpose',
- 'description': 'ocspSigning (1 3 6 1 5 5 7 3 9)',
- 'hexoid': '06 08 2B 06 01 05 05 07 03 09',
- 'name': 'ocspSigning',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 3, 9)},
- (1, 3, 6, 1, 5, 5, 7, 3, 10): {'comment': 'PKIX key purpose',
- 'description': 'dvcs (1 3 6 1 5 5 7 3 10)',
- 'hexoid': '06 08 2B 06 01 05 05 07 03 0A',
- 'name': 'dvcs',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 3, 10)},
- (1, 3, 6, 1, 5, 5, 7, 3, 11): {'comment': 'PKIX key purpose',
- 'description': 'sbgpCertAAServerAuth (1 3 6 1 5 5 7 3 11)',
- 'hexoid': '06 08 2B 06 01 05 05 07 03 0B',
- 'name': 'sbgpCertAAServerAuth',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 3, 11)},
- (1, 3, 6, 1, 5, 5, 7, 3, 13): {'comment': 'PKIX key purpose',
- 'description': 'eapOverPPP (1 3 6 1 5 5 7 3 13)',
- 'hexoid': '06 08 2B 06 01 05 05 07 03 0D',
- 'name': 'eapOverPPP',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 3, 13)},
- (1, 3, 6, 1, 5, 5, 7, 3, 14): {'comment': 'PKIX key purpose',
- 'description': 'wlanSSID (1 3 6 1 5 5 7 3 14)',
- 'hexoid': '06 08 2B 06 01 05 05 07 03 0E',
- 'name': 'wlanSSID',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 3, 14)},
- (1, 3, 6, 1, 5, 5, 7, 4): {'comment': 'PKIX',
- 'description': 'cmpInformationTypes (1 3 6 1 5 5 7 4)',
- 'hexoid': '06 07 2B 06 01 05 05 07 04',
- 'name': 'cmpInformationTypes',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 4)},
- (1, 3, 6, 1, 5, 5, 7, 4, 1): {'comment': 'PKIX CMP information',
- 'description': 'caProtEncCert (1 3 6 1 5 5 7 4 1)',
- 'hexoid': '06 08 2B 06 01 05 05 07 04 01',
- 'name': 'caProtEncCert',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 4, 1)},
- (1, 3, 6, 1, 5, 5, 7, 4, 2): {'comment': 'PKIX CMP information',
- 'description': 'signKeyPairTypes (1 3 6 1 5 5 7 4 2)',
- 'hexoid': '06 08 2B 06 01 05 05 07 04 02',
- 'name': 'signKeyPairTypes',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 4, 2)},
- (1, 3, 6, 1, 5, 5, 7, 4, 3): {'comment': 'PKIX CMP information',
- 'description': 'encKeyPairTypes (1 3 6 1 5 5 7 4 3)',
- 'hexoid': '06 08 2B 06 01 05 05 07 04 03',
- 'name': 'encKeyPairTypes',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 4, 3)},
- (1, 3, 6, 1, 5, 5, 7, 4, 4): {'comment': 'PKIX CMP information',
- 'description': 'preferredSymmAlg (1 3 6 1 5 5 7 4 4)',
- 'hexoid': '06 08 2B 06 01 05 05 07 04 04',
- 'name': 'preferredSymmAlg',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 4, 4)},
- (1, 3, 6, 1, 5, 5, 7, 4, 5): {'comment': 'PKIX CMP information',
- 'description': 'caKeyUpdateInfo (1 3 6 1 5 5 7 4 5)',
- 'hexoid': '06 08 2B 06 01 05 05 07 04 05',
- 'name': 'caKeyUpdateInfo',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 4, 5)},
- (1, 3, 6, 1, 5, 5, 7, 4, 6): {'comment': 'PKIX CMP information',
- 'description': 'currentCRL (1 3 6 1 5 5 7 4 6)',
- 'hexoid': '06 08 2B 06 01 05 05 07 04 06',
- 'name': 'currentCRL',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 4, 6)},
- (1, 3, 6, 1, 5, 5, 7, 4, 7): {'comment': 'PKIX CMP information',
- 'description': 'unsupportedOIDs (1 3 6 1 5 5 7 4 7)',
- 'hexoid': '06 08 2B 06 01 05 05 07 04 07',
- 'name': 'unsupportedOIDs',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 4, 7)},
- (1, 3, 6, 1, 5, 5, 7, 4, 10): {'comment': 'PKIX CMP information',
- 'description': 'keyPairParamReq (1 3 6 1 5 5 7 4 10)',
- 'hexoid': '06 08 2B 06 01 05 05 07 04 0A',
- 'name': 'keyPairParamReq',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 4, 10)},
- (1, 3, 6, 1, 5, 5, 7, 4, 11): {'comment': 'PKIX CMP information',
- 'description': 'keyPairParamRep (1 3 6 1 5 5 7 4 11)',
- 'hexoid': '06 08 2B 06 01 05 05 07 04 0B',
- 'name': 'keyPairParamRep',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 4, 11)},
- (1, 3, 6, 1, 5, 5, 7, 4, 12): {'comment': 'PKIX CMP information',
- 'description': 'revPassphrase (1 3 6 1 5 5 7 4 12)',
- 'hexoid': '06 08 2B 06 01 05 05 07 04 0C',
- 'name': 'revPassphrase',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 4, 12)},
- (1, 3, 6, 1, 5, 5, 7, 4, 13): {'comment': 'PKIX CMP information',
- 'description': 'implicitConfirm (1 3 6 1 5 5 7 4 13)',
- 'hexoid': '06 08 2B 06 01 05 05 07 04 0D',
- 'name': 'implicitConfirm',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 4, 13)},
- (1, 3, 6, 1, 5, 5, 7, 4, 14): {'comment': 'PKIX CMP information',
- 'description': 'confirmWaitTime (1 3 6 1 5 5 7 4 14)',
- 'hexoid': '06 08 2B 06 01 05 05 07 04 0E',
- 'name': 'confirmWaitTime',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 4, 14)},
- (1, 3, 6, 1, 5, 5, 7, 4, 15): {'comment': 'PKIX CMP information',
- 'description': 'origPKIMessage (1 3 6 1 5 5 7 4 15)',
- 'hexoid': '06 08 2B 06 01 05 05 07 04 0F',
- 'name': 'origPKIMessage',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 4, 15)},
- (1, 3, 6, 1, 5, 5, 7, 4, 16): {'comment': 'PKIX CMP information',
- 'description': 'suppLangTags (1 3 6 1 5 5 7 4 16)',
- 'hexoid': '06 08 2B 06 01 05 05 07 04 10',
- 'name': 'suppLangTags',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 4, 16)},
- (1, 3, 6, 1, 5, 5, 7, 5): {'comment': 'PKIX',
- 'description': 'crmfRegistration (1 3 6 1 5 5 7 5)',
- 'hexoid': '06 07 2B 06 01 05 05 07 05',
- 'name': 'crmfRegistration',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 5)},
- (1, 3, 6, 1, 5, 5, 7, 5, 1): {'comment': 'PKIX CRMF registration',
- 'description': 'regCtrl (1 3 6 1 5 5 7 5 1)',
- 'hexoid': '06 08 2B 06 01 05 05 07 05 01',
- 'name': 'regCtrl',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 5, 1)},
- (1, 3, 6, 1, 5, 5, 7, 5, 1, 1): {'comment': 'PKIX CRMF registration control',
- 'description': 'regToken (1 3 6 1 5 5 7 5 1 1)',
- 'hexoid': '06 09 2B 06 01 05 05 07 05 01 01',
- 'name': 'regToken',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 5, 1, 1)},
- (1, 3, 6, 1, 5, 5, 7, 5, 1, 2): {'comment': 'PKIX CRMF registration control',
- 'description': 'authenticator (1 3 6 1 5 5 7 5 1 2)',
- 'hexoid': '06 09 2B 06 01 05 05 07 05 01 02',
- 'name': 'authenticator',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 5, 1, 2)},
- (1, 3, 6, 1, 5, 5, 7, 5, 1, 3): {'comment': 'PKIX CRMF registration control',
- 'description': 'pkiPublicationInfo (1 3 6 1 5 5 7 5 1 3)',
- 'hexoid': '06 09 2B 06 01 05 05 07 05 01 03',
- 'name': 'pkiPublicationInfo',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 5, 1, 3)},
- (1, 3, 6, 1, 5, 5, 7, 5, 1, 4): {'comment': 'PKIX CRMF registration control',
- 'description': 'pkiArchiveOptions (1 3 6 1 5 5 7 5 1 4)',
- 'hexoid': '06 09 2B 06 01 05 05 07 05 01 04',
- 'name': 'pkiArchiveOptions',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 5, 1, 4)},
- (1, 3, 6, 1, 5, 5, 7, 5, 1, 5): {'comment': 'PKIX CRMF registration control',
- 'description': 'oldCertID (1 3 6 1 5 5 7 5 1 5)',
- 'hexoid': '06 09 2B 06 01 05 05 07 05 01 05',
- 'name': 'oldCertID',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 5, 1, 5)},
- (1, 3, 6, 1, 5, 5, 7, 5, 1, 6): {'comment': 'PKIX CRMF registration control',
- 'description': 'protocolEncrKey (1 3 6 1 5 5 7 5 1 6)',
- 'hexoid': '06 09 2B 06 01 05 05 07 05 01 06',
- 'name': 'protocolEncrKey',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 5, 1, 6)},
- (1, 3, 6, 1, 5, 5, 7, 5, 1, 7): {'comment': 'PKIX CRMF registration control',
- 'description': 'altCertTemplate (1 3 6 1 5 5 7 5 1 7)',
- 'hexoid': '06 09 2B 06 01 05 05 07 05 01 07',
- 'name': 'altCertTemplate',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 5, 1, 7)},
- (1, 3, 6, 1, 5, 5, 7, 5, 1, 8): {'comment': 'PKIX CRMF registration control',
- 'description': 'wtlsTemplate (1 3 6 1 5 5 7 5 1 8)',
- 'hexoid': '06 09 2B 06 01 05 05 07 05 01 08',
- 'name': 'wtlsTemplate',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 5, 1, 8)},
- (1, 3, 6, 1, 5, 5, 7, 5, 2): {'comment': 'PKIX CRMF registration',
- 'description': 'utf8Pairs (1 3 6 1 5 5 7 5 2)',
- 'hexoid': '06 08 2B 06 01 05 05 07 05 02',
- 'name': 'utf8Pairs',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 5, 2)},
- (1, 3, 6, 1, 5, 5, 7, 5, 2, 1): {'comment': 'PKIX CRMF registration control',
- 'description': 'utf8Pairs (1 3 6 1 5 5 7 5 2 1)',
- 'hexoid': '06 09 2B 06 01 05 05 07 05 02 01',
- 'name': 'utf8Pairs',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 5, 2, 1)},
- (1, 3, 6, 1, 5, 5, 7, 5, 2, 2): {'comment': 'PKIX CRMF registration control',
- 'description': 'certReq (1 3 6 1 5 5 7 5 2 2)',
- 'hexoid': '06 09 2B 06 01 05 05 07 05 02 02',
- 'name': 'certReq',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 5, 2, 2)},
- (1, 3, 6, 1, 5, 5, 7, 6): {'comment': 'PKIX',
- 'description': 'algorithms (1 3 6 1 5 5 7 6)',
- 'hexoid': '06 07 2B 06 01 05 05 07 06',
- 'name': 'algorithms',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 6)},
- (1, 3, 6, 1, 5, 5, 7, 6, 1): {'comment': 'PKIX algorithm',
- 'description': 'des40 (1 3 6 1 5 5 7 6 1)',
- 'hexoid': '06 08 2B 06 01 05 05 07 06 01',
- 'name': 'des40',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 6, 1)},
- (1, 3, 6, 1, 5, 5, 7, 6, 2): {'comment': 'PKIX algorithm',
- 'description': 'noSignature (1 3 6 1 5 5 7 6 2)',
- 'hexoid': '06 08 2B 06 01 05 05 07 06 02',
- 'name': 'noSignature',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 6, 2)},
- (1, 3, 6, 1, 5, 5, 7, 6, 3): {'comment': 'PKIX algorithm',
- 'description': 'dh-sig-hmac-sha1 (1 3 6 1 5 5 7 6 3)',
- 'hexoid': '06 08 2B 06 01 05 05 07 06 03',
- 'name': 'dh-sig-hmac-sha1',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 6, 3)},
- (1, 3, 6, 1, 5, 5, 7, 6, 4): {'comment': 'PKIX algorithm',
- 'description': 'dh-pop (1 3 6 1 5 5 7 6 4)',
- 'hexoid': '06 08 2B 06 01 05 05 07 06 04',
- 'name': 'dh-pop',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 6, 4)},
- (1, 3, 6, 1, 5, 5, 7, 7): {'comment': 'PKIX',
- 'description': 'cmcControls (1 3 6 1 5 5 7 7)',
- 'hexoid': '06 07 2B 06 01 05 05 07 07',
- 'name': 'cmcControls',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 7)},
- (1, 3, 6, 1, 5, 5, 7, 8): {'comment': 'PKIX',
- 'description': 'otherNames (1 3 6 1 5 5 7 8)',
- 'hexoid': '06 07 2B 06 01 05 05 07 08',
- 'name': 'otherNames',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 8)},
- (1, 3, 6, 1, 5, 5, 7, 8, 1): {'comment': 'PKIX other name',
- 'description': 'personalData (1 3 6 1 5 5 7 8 1)',
- 'hexoid': '06 08 2B 06 01 05 05 07 08 01',
- 'name': 'personalData',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 8, 1)},
- (1, 3, 6, 1, 5, 5, 7, 8, 2): {'comment': 'PKIX other name',
- 'description': 'userGroup (1 3 6 1 5 5 7 8 2)',
- 'hexoid': '06 08 2B 06 01 05 05 07 08 02',
- 'name': 'userGroup',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 8, 2)},
- (1, 3, 6, 1, 5, 5, 7, 9): {'comment': 'PKIX qualified certificates',
- 'description': 'personalData (1 3 6 1 5 5 7 9)',
- 'hexoid': '06 07 2B 06 01 05 05 07 09',
- 'name': 'personalData',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 9)},
- (1, 3, 6, 1, 5, 5, 7, 9, 1): {'comment': 'PKIX personal data',
- 'description': 'dateOfBirth (1 3 6 1 5 5 7 9 1)',
- 'hexoid': '06 08 2B 06 01 05 05 07 09 01',
- 'name': 'dateOfBirth',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 9, 1)},
- (1, 3, 6, 1, 5, 5, 7, 9, 2): {'comment': 'PKIX personal data',
- 'description': 'placeOfBirth (1 3 6 1 5 5 7 9 2)',
- 'hexoid': '06 08 2B 06 01 05 05 07 09 02',
- 'name': 'placeOfBirth',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 9, 2)},
- (1, 3, 6, 1, 5, 5, 7, 9, 3): {'comment': 'PKIX personal data',
- 'description': 'gender (1 3 6 1 5 5 7 9 3)',
- 'hexoid': '06 08 2B 06 01 05 05 07 09 03',
- 'name': 'gender',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 9, 3)},
- (1, 3, 6, 1, 5, 5, 7, 9, 4): {'comment': 'PKIX personal data',
- 'description': 'countryOfCitizenship (1 3 6 1 5 5 7 9 4)',
- 'hexoid': '06 08 2B 06 01 05 05 07 09 04',
- 'name': 'countryOfCitizenship',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 9, 4)},
- (1, 3, 6, 1, 5, 5, 7, 9, 5): {'comment': 'PKIX personal data',
- 'description': 'countryOfResidence (1 3 6 1 5 5 7 9 5)',
- 'hexoid': '06 08 2B 06 01 05 05 07 09 05',
- 'name': 'countryOfResidence',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 9, 5)},
- (1, 3, 6, 1, 5, 5, 7, 10): {'comment': 'PKIX',
- 'description': 'attributeCertificate (1 3 6 1 5 5 7 10)',
- 'hexoid': '06 07 2B 06 01 05 05 07 0A',
- 'name': 'attributeCertificate',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 10)},
- (1, 3, 6, 1, 5, 5, 7, 10, 1): {'comment': 'PKIX attribute certificate extension',
- 'description': 'authenticationInfo (1 3 6 1 5 5 7 10 1)',
- 'hexoid': '06 08 2B 06 01 05 05 07 0A 01',
- 'name': 'authenticationInfo',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 10, 1)},
- (1, 3, 6, 1, 5, 5, 7, 10, 2): {'comment': 'PKIX attribute certificate extension',
- 'description': 'accessIdentity (1 3 6 1 5 5 7 10 2)',
- 'hexoid': '06 08 2B 06 01 05 05 07 0A 02',
- 'name': 'accessIdentity',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 10, 2)},
- (1, 3, 6, 1, 5, 5, 7, 10, 3): {'comment': 'PKIX attribute certificate extension',
- 'description': 'chargingIdentity (1 3 6 1 5 5 7 10 3)',
- 'hexoid': '06 08 2B 06 01 05 05 07 0A 03',
- 'name': 'chargingIdentity',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 10, 3)},
- (1, 3, 6, 1, 5, 5, 7, 10, 4): {'comment': 'PKIX attribute certificate extension',
- 'description': 'group (1 3 6 1 5 5 7 10 4)',
- 'hexoid': '06 08 2B 06 01 05 05 07 0A 04',
- 'name': 'group',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 10, 4)},
- (1, 3, 6, 1, 5, 5, 7, 10, 5): {'comment': 'PKIX attribute certificate extension',
- 'description': 'role (1 3 6 1 5 5 7 10 5)',
- 'hexoid': '06 08 2B 06 01 05 05 07 0A 05',
- 'name': 'role',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 10, 5)},
- (1, 3, 6, 1, 5, 5, 7, 10, 6): {'comment': 'PKIX attribute certificate extension',
- 'description': 'encAttrs (1 3 6 1 5 5 7 10 6)',
- 'hexoid': '06 08 2B 06 01 05 05 07 0A 06',
- 'name': 'encAttrs',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 10, 6)},
- (1, 3, 6, 1, 5, 5, 7, 11): {'comment': 'PKIX qualified certificates',
- 'description': 'personalData (1 3 6 1 5 5 7 11)',
- 'hexoid': '06 07 2B 06 01 05 05 07 0B',
- 'name': 'personalData',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 11)},
- (1, 3, 6, 1, 5, 5, 7, 11, 1): {'comment': 'PKIX qualified certificates',
- 'description': 'pkixQCSyntax-v1 (1 3 6 1 5 5 7 11 1)',
- 'hexoid': '06 08 2B 06 01 05 05 07 0B 01',
- 'name': 'pkixQCSyntax-v1',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 11, 1)},
- (1, 3, 6, 1, 5, 5, 7, 14, 2): {'comment': 'RPKI project',
- 'description': 'id-cp-ipAddr-asNumber (1 3 6 1 5 5 7 14 2)',
- 'hexoid': '06 08 2B 06 01 05 05 07 0E 02',
- 'name': 'id-cp-ipAddr-asNumber',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 14, 2)},
- (1, 3, 6, 1, 5, 5, 7, 20): {'comment': 'PKIX qualified certificates',
- 'description': 'logo (1 3 6 1 5 5 7 20)',
- 'hexoid': '06 07 2B 06 01 05 05 07 14',
- 'name': 'logo',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 20)},
- (1, 3, 6, 1, 5, 5, 7, 20, 1): {'comment': 'PKIX',
- 'description': 'logoLoyalty (1 3 6 1 5 5 7 20 1)',
- 'hexoid': '06 08 2B 06 01 05 05 07 14 01',
- 'name': 'logoLoyalty',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 20, 1)},
- (1, 3, 6, 1, 5, 5, 7, 20, 2): {'comment': 'PKIX',
- 'description': 'logoBackground (1 3 6 1 5 5 7 20 2)',
- 'hexoid': '06 08 2B 06 01 05 05 07 14 02',
- 'name': 'logoBackground',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 20, 2)},
- (1, 3, 6, 1, 5, 5, 7, 48, 1): {'comment': 'PKIX',
- 'description': 'ocsp (1 3 6 1 5 5 7 48 1)',
- 'hexoid': '06 08 2B 06 01 05 05 07 30 01',
- 'name': 'ocsp',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 48, 1)},
- (1, 3, 6, 1, 5, 5, 7, 48, 1, 1): {'comment': 'OCSP',
- 'description': 'ocspBasic (1 3 6 1 5 5 7 48 1 1)',
- 'hexoid': '06 09 2B 06 01 05 05 07 30 01 01',
- 'name': 'ocspBasic',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 48, 1, 1)},
- (1, 3, 6, 1, 5, 5, 7, 48, 1, 2): {'comment': 'OCSP',
- 'description': 'ocspNonce (1 3 6 1 5 5 7 48 1 2)',
- 'hexoid': '06 09 2B 06 01 05 05 07 30 01 02',
- 'name': 'ocspNonce',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 48, 1, 2)},
- (1, 3, 6, 1, 5, 5, 7, 48, 1, 3): {'comment': 'OCSP',
- 'description': 'ocspCRL (1 3 6 1 5 5 7 48 1 3)',
- 'hexoid': '06 09 2B 06 01 05 05 07 30 01 03',
- 'name': 'ocspCRL',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 48, 1, 3)},
- (1, 3, 6, 1, 5, 5, 7, 48, 1, 4): {'comment': 'OCSP',
- 'description': 'ocspResponse (1 3 6 1 5 5 7 48 1 4)',
- 'hexoid': '06 09 2B 06 01 05 05 07 30 01 04',
- 'name': 'ocspResponse',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 48, 1, 4)},
- (1, 3, 6, 1, 5, 5, 7, 48, 1, 5): {'comment': 'OCSP',
- 'description': 'ocspNoCheck (1 3 6 1 5 5 7 48 1 5)',
- 'hexoid': '06 09 2B 06 01 05 05 07 30 01 05',
- 'name': 'ocspNoCheck',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 48, 1, 5)},
- (1, 3, 6, 1, 5, 5, 7, 48, 1, 6): {'comment': 'OCSP',
- 'description': 'ocspArchiveCutoff (1 3 6 1 5 5 7 48 1 6)',
- 'hexoid': '06 09 2B 06 01 05 05 07 30 01 06',
- 'name': 'ocspArchiveCutoff',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 48, 1, 6)},
- (1, 3, 6, 1, 5, 5, 7, 48, 1, 7): {'comment': 'OCSP',
- 'description': 'ocspServiceLocator (1 3 6 1 5 5 7 48 1 7)',
- 'hexoid': '06 09 2B 06 01 05 05 07 30 01 07',
- 'name': 'ocspServiceLocator',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 48, 1, 7)},
- (1, 3, 6, 1, 5, 5, 7, 48, 2): {'comment': 'PKIX subject/authority info access descriptor',
- 'description': 'caIssuers (1 3 6 1 5 5 7 48 2)',
- 'hexoid': '06 08 2B 06 01 05 05 07 30 02',
- 'name': 'caIssuers',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 48, 2)},
- (1, 3, 6, 1, 5, 5, 7, 48, 3): {'comment': 'PKIX subject/authority info access descriptor',
- 'description': 'timeStamping (1 3 6 1 5 5 7 48 3)',
- 'hexoid': '06 08 2B 06 01 05 05 07 30 03',
- 'name': 'timeStamping',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 48, 3)},
- (1, 3, 6, 1, 5, 5, 7, 48, 5): {'comment': 'PKIX subject/authority info access descriptor',
- 'description': 'caRepository (1 3 6 1 5 5 7 48 5)',
- 'hexoid': '06 08 2B 06 01 05 05 07 30 05',
- 'name': 'caRepository',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 48, 5)},
- (1, 3, 6, 1, 5, 5, 7, 48, 9): {'comment': 'RPKI project',
- 'description': 'id-ad-signedObjectRepository (1 3 6 1 5 5 7 48 9)',
- 'hexoid': '06 08 2B 06 01 05 05 07 30 09',
- 'name': 'id-ad-signedObjectRepository',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 48, 9)},
- (1, 3, 6, 1, 5, 5, 7, 48, 10): {'comment': 'RPKI project',
- 'description': 'id-ad-rpkiManifest (1 3 6 1 5 5 7 48 10)',
- 'hexoid': '06 08 2B 06 01 05 05 07 30 0A',
- 'name': 'id-ad-rpkiManifest',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 48, 10)},
- (1, 3, 6, 1, 5, 5, 7, 48, 11): {'comment': 'RPKI project',
- 'description': 'id-ad-signedObject (1 3 6 1 5 5 7 48 11)',
- 'hexoid': '06 08 2B 06 01 05 05 07 30 0B',
- 'name': 'id-ad-signedObject',
- 'oid': (1, 3, 6, 1, 5, 5, 7, 48, 11)},
- (1, 3, 6, 1, 5, 5, 8, 1, 1): {'comment': 'ISAKMP HMAC algorithm',
- 'description': 'hmacMD5 (1 3 6 1 5 5 8 1 1)',
- 'hexoid': '06 08 2B 06 01 05 05 08 01 01',
- 'name': 'hmacMD5',
- 'oid': (1, 3, 6, 1, 5, 5, 8, 1, 1)},
- (1, 3, 6, 1, 5, 5, 8, 1, 2): {'comment': 'ISAKMP HMAC algorithm',
- 'description': 'hmacSHA (1 3 6 1 5 5 8 1 2)',
- 'hexoid': '06 08 2B 06 01 05 05 08 01 02',
- 'name': 'hmacSHA',
- 'oid': (1, 3, 6, 1, 5, 5, 8, 1, 2)},
- (1, 3, 6, 1, 5, 5, 8, 1, 3): {'comment': 'ISAKMP HMAC algorithm',
- 'description': 'hmacTiger (1 3 6 1 5 5 8 1 3)',
- 'hexoid': '06 08 2B 06 01 05 05 08 01 03',
- 'name': 'hmacTiger',
- 'oid': (1, 3, 6, 1, 5, 5, 8, 1, 3)},
- (1, 3, 6, 1, 5, 5, 8, 2, 2): {'comment': 'IKE ???',
- 'description': 'iKEIntermediate (1 3 6 1 5 5 8 2 2)',
- 'hexoid': '06 08 2B 06 01 05 05 08 02 02',
- 'name': 'iKEIntermediate',
- 'oid': (1, 3, 6, 1, 5, 5, 8, 2, 2)},
- (1, 3, 12, 2, 1011, 7, 1): {'comment': 'DASS algorithm',
- 'description': 'decEncryptionAlgorithm (1 3 12 2 1011 7 1)',
- 'hexoid': '06 07 2B 0C 02 87 73 07 01',
- 'name': 'decEncryptionAlgorithm',
- 'oid': (1, 3, 12, 2, 1011, 7, 1)},
- (1, 3, 12, 2, 1011, 7, 1, 2): {'comment': 'DASS encryption algorithm',
- 'description': 'decDEA (1 3 12 2 1011 7 1 2)',
- 'hexoid': '06 08 2B 0C 02 87 73 07 01 02',
- 'name': 'decDEA',
- 'oid': (1, 3, 12, 2, 1011, 7, 1, 2)},
- (1, 3, 12, 2, 1011, 7, 2): {'comment': 'DASS algorithm',
- 'description': 'decHashAlgorithm (1 3 12 2 1011 7 2)',
- 'hexoid': '06 07 2B 0C 02 87 73 07 02',
- 'name': 'decHashAlgorithm',
- 'oid': (1, 3, 12, 2, 1011, 7, 2)},
- (1, 3, 12, 2, 1011, 7, 2, 1): {'comment': 'DASS hash algorithm',
- 'description': 'decMD2 (1 3 12 2 1011 7 2 1)',
- 'hexoid': '06 08 2B 0C 02 87 73 07 02 01',
- 'name': 'decMD2',
- 'oid': (1, 3, 12, 2, 1011, 7, 2, 1)},
- (1, 3, 12, 2, 1011, 7, 2, 2): {'comment': 'DASS hash algorithm',
- 'description': 'decMD4 (1 3 12 2 1011 7 2 2)',
- 'hexoid': '06 08 2B 0C 02 87 73 07 02 02',
- 'name': 'decMD4',
- 'oid': (1, 3, 12, 2, 1011, 7, 2, 2)},
- (1, 3, 12, 2, 1011, 7, 3): {'comment': 'DASS algorithm',
- 'description': 'decSignatureAlgorithm (1 3 12 2 1011 7 3)',
- 'hexoid': '06 07 2B 0C 02 87 73 07 03',
- 'name': 'decSignatureAlgorithm',
- 'oid': (1, 3, 12, 2, 1011, 7, 3)},
- (1, 3, 12, 2, 1011, 7, 3, 1): {'comment': 'DASS signature algorithm',
- 'description': 'decMD2withRSA (1 3 12 2 1011 7 3 1)',
- 'hexoid': '06 08 2B 0C 02 87 73 07 03 01',
- 'name': 'decMD2withRSA',
- 'oid': (1, 3, 12, 2, 1011, 7, 3, 1)},
- (1, 3, 12, 2, 1011, 7, 3, 2): {'comment': 'DASS signature algorithm',
- 'description': 'decMD4withRSA (1 3 12 2 1011 7 3 2)',
- 'hexoid': '06 08 2B 0C 02 87 73 07 03 02',
- 'name': 'decMD4withRSA',
- 'oid': (1, 3, 12, 2, 1011, 7, 3, 2)},
- (1, 3, 12, 2, 1011, 7, 3, 3): {'comment': 'DASS signature algorithm',
- 'description': 'decDEAMAC (1 3 12 2 1011 7 3 3)',
- 'hexoid': '06 08 2B 0C 02 87 73 07 03 03',
- 'name': 'decDEAMAC',
- 'oid': (1, 3, 12, 2, 1011, 7, 3, 3)},
- (1, 3, 14, 2, 26, 5): {'comment': 'Unsure about this OID',
- 'description': 'sha (1 3 14 2 26 5)',
- 'hexoid': '06 05 2B 0E 02 1A 05',
- 'name': 'sha',
- 'oid': (1, 3, 14, 2, 26, 5)},
- (1, 3, 14, 3, 2, 1, 1): {'comment': 'X.509. Unsure about this OID',
- 'description': 'rsa (1 3 14 3 2 1 1)',
- 'hexoid': '06 06 2B 0E 03 02 01 01',
- 'name': 'rsa',
- 'oid': (1, 3, 14, 3, 2, 1, 1)},
- (1, 3, 14, 3, 2, 2): {'comment': 'Oddball OIW OID',
- 'description': 'md4WitRSA (1 3 14 3 2 2)',
- 'hexoid': '06 05 2B 0E 03 02 02',
- 'name': 'md4WitRSA',
- 'oid': (1, 3, 14, 3, 2, 2)},
- (1, 3, 14, 3, 2, 3): {'comment': 'Oddball OIW OID',
- 'description': 'md5WithRSA (1 3 14 3 2 3)',
- 'hexoid': '06 05 2B 0E 03 02 03',
- 'name': 'md5WithRSA',
- 'oid': (1, 3, 14, 3, 2, 3)},
- (1, 3, 14, 3, 2, 4): {'comment': 'Oddball OIW OID',
- 'description': 'md4WithRSAEncryption (1 3 14 3 2 4)',
- 'hexoid': '06 05 2B 0E 03 02 04',
- 'name': 'md4WithRSAEncryption',
- 'oid': (1, 3, 14, 3, 2, 4)},
- (1, 3, 14, 3, 2, 6): {'description': 'desECB (1 3 14 3 2 6)',
- 'hexoid': '06 05 2B 0E 03 02 06',
- 'name': 'desECB',
- 'oid': (1, 3, 14, 3, 2, 6)},
- (1, 3, 14, 3, 2, 7): {'description': 'desCBC (1 3 14 3 2 7)',
- 'hexoid': '06 05 2B 0E 03 02 07',
- 'name': 'desCBC',
- 'oid': (1, 3, 14, 3, 2, 7)},
- (1, 3, 14, 3, 2, 8): {'description': 'desOFB (1 3 14 3 2 8)',
- 'hexoid': '06 05 2B 0E 03 02 08',
- 'name': 'desOFB',
- 'oid': (1, 3, 14, 3, 2, 8)},
- (1, 3, 14, 3, 2, 9): {'description': 'desCFB (1 3 14 3 2 9)',
- 'hexoid': '06 05 2B 0E 03 02 09',
- 'name': 'desCFB',
- 'oid': (1, 3, 14, 3, 2, 9)},
- (1, 3, 14, 3, 2, 10): {'description': 'desMAC (1 3 14 3 2 10)',
- 'hexoid': '06 05 2B 0E 03 02 0A',
- 'name': 'desMAC',
- 'oid': (1, 3, 14, 3, 2, 10)},
- (1, 3, 14, 3, 2, 11): {'comment': 'ISO 9796-2, also X9.31 Part 1',
- 'description': 'rsaSignature (1 3 14 3 2 11)',
- 'hexoid': '06 05 2B 0E 03 02 0B',
- 'name': 'rsaSignature',
- 'oid': (1, 3, 14, 3, 2, 11)},
- (1, 3, 14, 3, 2, 14): {'comment': 'Oddball OIW OID using 9796-2 padding rules',
- 'description': 'mdc2WithRSASignature (1 3 14 3 2 14)',
- 'hexoid': '06 05 2B 0E 03 02 0E',
- 'name': 'mdc2WithRSASignature',
- 'oid': (1, 3, 14, 3, 2, 14)},
- (1, 3, 14, 3, 2, 15): {'comment': 'Oddball OIW OID using 9796-2 padding rules',
- 'description': 'shaWithRSASignature (1 3 14 3 2 15)',
- 'hexoid': '06 05 2B 0E 03 02 0F',
- 'name': 'shaWithRSASignature',
- 'oid': (1, 3, 14, 3, 2, 15)},
- (1, 3, 14, 3, 2, 17): {'comment': 'Oddball OIW OID. Mode is ECB',
- 'description': 'desEDE (1 3 14 3 2 17)',
- 'hexoid': '06 05 2B 0E 03 02 11',
- 'name': 'desEDE',
- 'oid': (1, 3, 14, 3, 2, 17)},
- (1, 3, 14, 3, 2, 18): {'comment': 'Oddball OIW OID',
- 'description': 'sha (1 3 14 3 2 18)',
- 'hexoid': '06 05 2B 0E 03 02 12',
- 'name': 'sha',
- 'oid': (1, 3, 14, 3, 2, 18)},
- (1, 3, 14, 3, 2, 19): {'comment': 'Oddball OIW OID, DES-based hash, planned for X9.31 Part 2',
- 'description': 'mdc-2 (1 3 14 3 2 19)',
- 'hexoid': '06 05 2B 0E 03 02 13',
- 'name': 'mdc-2',
- 'oid': (1, 3, 14, 3, 2, 19)},
- (1, 3, 14, 3, 2, 22): {'comment': 'Oddball OIW OID',
- 'description': 'rsaKeyTransport (1 3 14 3 2 22)',
- 'hexoid': '06 05 2B 0E 03 02 16',
- 'name': 'rsaKeyTransport',
- 'oid': (1, 3, 14, 3, 2, 22)},
- (1, 3, 14, 3, 2, 23): {'comment': 'Oddball OIW OID',
- 'description': 'keyed-hash-seal (1 3 14 3 2 23)',
- 'hexoid': '06 05 2B 0E 03 02 17',
- 'name': 'keyed-hash-seal',
- 'oid': (1, 3, 14, 3, 2, 23)},
- (1, 3, 14, 3, 2, 24): {'comment': 'Oddball OIW OID using 9796-2 padding rules',
- 'description': 'md2WithRSASignature (1 3 14 3 2 24)',
- 'hexoid': '06 05 2B 0E 03 02 18',
- 'name': 'md2WithRSASignature',
- 'oid': (1, 3, 14, 3, 2, 24)},
- (1, 3, 14, 3, 2, 25): {'comment': 'Oddball OIW OID using 9796-2 padding rules',
- 'description': 'md5WithRSASignature (1 3 14 3 2 25)',
- 'hexoid': '06 05 2B 0E 03 02 19',
- 'name': 'md5WithRSASignature',
- 'oid': (1, 3, 14, 3, 2, 25)},
- (1, 3, 14, 3, 2, 26): {'comment': 'OIW',
- 'description': 'sha1 (1 3 14 3 2 26)',
- 'hexoid': '06 05 2B 0E 03 02 1A',
- 'name': 'sha1',
- 'oid': (1, 3, 14, 3, 2, 26)},
- (1, 3, 14, 3, 2, 27): {'comment': 'OIW. This OID may also be assigned as ripemd-160',
- 'description': 'dsaWithSHA1 (1 3 14 3 2 27)',
- 'hexoid': '06 05 2B 0E 03 02 1B',
- 'name': 'dsaWithSHA1',
- 'oid': (1, 3, 14, 3, 2, 27)},
- (1, 3, 14, 3, 2, 28): {'comment': 'OIW',
- 'description': 'dsaWithCommonSHA1 (1 3 14 3 2 28)',
- 'hexoid': '06 05 2B 0E 03 02 1C',
- 'name': 'dsaWithCommonSHA1',
- 'oid': (1, 3, 14, 3, 2, 28)},
- (1, 3, 14, 3, 2, 29): {'comment': 'Oddball OIW OID',
- 'description': 'sha-1WithRSAEncryption (1 3 14 3 2 29)',
- 'hexoid': '06 05 2B 0E 03 02 1D',
- 'name': 'sha-1WithRSAEncryption',
- 'oid': (1, 3, 14, 3, 2, 29)},
- (1, 3, 14, 3, 3, 1): {'comment': 'Oddball OIW OID',
- 'description': 'simple-strong-auth-mechanism (1 3 14 3 3 1)',
- 'hexoid': '06 05 2B 0E 03 03 01',
- 'name': 'simple-strong-auth-mechanism',
- 'oid': (1, 3, 14, 3, 3, 1)},
- (1, 3, 14, 7, 2, 1, 1): {'comment': 'Unsure about this OID',
- 'description': 'ElGamal (1 3 14 7 2 1 1)',
- 'hexoid': '06 06 2B 0E 07 02 01 01',
- 'name': 'ElGamal',
- 'oid': (1, 3, 14, 7, 2, 1, 1)},
- (1, 3, 14, 7, 2, 3, 1): {'comment': 'Unsure about this OID',
- 'description': 'md2WithRSA (1 3 14 7 2 3 1)',
- 'hexoid': '06 06 2B 0E 07 02 03 01',
- 'name': 'md2WithRSA',
- 'oid': (1, 3, 14, 7, 2, 3, 1)},
- (1, 3, 14, 7, 2, 3, 2): {'comment': 'Unsure about this OID',
- 'description': 'md2WithElGamal (1 3 14 7 2 3 2)',
- 'hexoid': '06 06 2B 0E 07 02 03 02',
- 'name': 'md2WithElGamal',
- 'oid': (1, 3, 14, 7, 2, 3, 2)},
- (1, 3, 36, 1): {'comment': 'Teletrust document',
- 'description': 'document (1 3 36 1)',
- 'hexoid': '06 03 2B 24 01',
- 'name': 'document',
- 'oid': (1, 3, 36, 1)},
- (1, 3, 36, 1, 1): {'comment': 'Teletrust document',
- 'description': 'finalVersion (1 3 36 1 1)',
- 'hexoid': '06 04 2B 24 01 01',
- 'name': 'finalVersion',
- 'oid': (1, 3, 36, 1, 1)},
- (1, 3, 36, 1, 2): {'comment': 'Teletrust document',
- 'description': 'draft (1 3 36 1 2)',
- 'hexoid': '06 04 2B 24 01 02',
- 'name': 'draft',
- 'oid': (1, 3, 36, 1, 2)},
- (1, 3, 36, 2): {'comment': 'Teletrust sio',
- 'description': 'sio (1 3 36 2)',
- 'hexoid': '06 03 2B 24 02',
- 'name': 'sio',
- 'oid': (1, 3, 36, 2)},
- (1, 3, 36, 2, 1): {'comment': 'Teletrust sio',
- 'description': 'sedu (1 3 36 2 1)',
- 'hexoid': '06 04 2B 24 02 01',
- 'name': 'sedu',
- 'oid': (1, 3, 36, 2, 1)},
- (1, 3, 36, 3): {'comment': 'Teletrust algorithm',
- 'description': 'algorithm (1 3 36 3)',
- 'hexoid': '06 03 2B 24 03',
- 'name': 'algorithm',
- 'oid': (1, 3, 36, 3)},
- (1, 3, 36, 3, 1): {'comment': 'Teletrust algorithm',
- 'description': 'encryptionAlgorithm (1 3 36 3 1)',
- 'hexoid': '06 04 2B 24 03 01',
- 'name': 'encryptionAlgorithm',
- 'oid': (1, 3, 36, 3, 1)},
- (1, 3, 36, 3, 1, 1): {'comment': 'Teletrust encryption algorithm',
- 'description': 'des (1 3 36 3 1 1)',
- 'hexoid': '06 05 2B 24 03 01 01',
- 'name': 'des',
- 'oid': (1, 3, 36, 3, 1, 1)},
- (1, 3, 36, 3, 1, 1, 1): {'comment': 'Teletrust encryption algorithm',
- 'description': 'desECB_pad (1 3 36 3 1 1 1)',
- 'hexoid': '06 06 2B 24 03 01 01 01',
- 'name': 'desECB_pad',
- 'oid': (1, 3, 36, 3, 1, 1, 1)},
- (1, 3, 36, 3, 1, 1, 1, 1): {'comment': 'Teletrust encryption algorithm',
- 'description': 'desECB_ISOpad (1 3 36 3 1 1 1 1)',
- 'hexoid': '06 07 2B 24 03 01 01 01 01',
- 'name': 'desECB_ISOpad',
- 'oid': (1, 3, 36, 3, 1, 1, 1, 1)},
- (1, 3, 36, 3, 1, 1, 2, 1): {'comment': 'Teletrust encryption algorithm',
- 'description': 'desCBC_pad (1 3 36 3 1 1 2 1)',
- 'hexoid': '06 07 2B 24 03 01 01 02 01',
- 'name': 'desCBC_pad',
- 'oid': (1, 3, 36, 3, 1, 1, 2, 1)},
- (1, 3, 36, 3, 1, 1, 2, 1, 1): {'comment': 'Teletrust encryption algorithm',
- 'description': 'desCBC_ISOpad (1 3 36 3 1 1 2 1 1)',
- 'hexoid': '06 08 2B 24 03 01 01 02 01 01',
- 'name': 'desCBC_ISOpad',
- 'oid': (1, 3, 36, 3, 1, 1, 2, 1, 1)},
- (1, 3, 36, 3, 1, 2): {'comment': 'Teletrust encryption algorithm',
- 'description': 'idea (1 3 36 3 1 2)',
- 'hexoid': '06 05 2B 24 03 01 02',
- 'name': 'idea',
- 'oid': (1, 3, 36, 3, 1, 2)},
- (1, 3, 36, 3, 1, 2, 1): {'comment': 'Teletrust encryption algorithm',
- 'description': 'ideaECB (1 3 36 3 1 2 1)',
- 'hexoid': '06 06 2B 24 03 01 02 01',
- 'name': 'ideaECB',
- 'oid': (1, 3, 36, 3, 1, 2, 1)},
- (1, 3, 36, 3, 1, 2, 1, 1): {'comment': 'Teletrust encryption algorithm',
- 'description': 'ideaECB_pad (1 3 36 3 1 2 1 1)',
- 'hexoid': '06 07 2B 24 03 01 02 01 01',
- 'name': 'ideaECB_pad',
- 'oid': (1, 3, 36, 3, 1, 2, 1, 1)},
- (1, 3, 36, 3, 1, 2, 1, 1, 1): {'comment': 'Teletrust encryption algorithm',
- 'description': 'ideaECB_ISOpad (1 3 36 3 1 2 1 1 1)',
- 'hexoid': '06 08 2B 24 03 01 02 01 01 01',
- 'name': 'ideaECB_ISOpad',
- 'oid': (1, 3, 36, 3, 1, 2, 1, 1, 1)},
- (1, 3, 36, 3, 1, 2, 2): {'comment': 'Teletrust encryption algorithm',
- 'description': 'ideaCBC (1 3 36 3 1 2 2)',
- 'hexoid': '06 06 2B 24 03 01 02 02',
- 'name': 'ideaCBC',
- 'oid': (1, 3, 36, 3, 1, 2, 2)},
- (1, 3, 36, 3, 1, 2, 2, 1): {'comment': 'Teletrust encryption algorithm',
- 'description': 'ideaCBC_pad (1 3 36 3 1 2 2 1)',
- 'hexoid': '06 07 2B 24 03 01 02 02 01',
- 'name': 'ideaCBC_pad',
- 'oid': (1, 3, 36, 3, 1, 2, 2, 1)},
- (1, 3, 36, 3, 1, 2, 2, 1, 1): {'comment': 'Teletrust encryption algorithm',
- 'description': 'ideaCBC_ISOpad (1 3 36 3 1 2 2 1 1)',
- 'hexoid': '06 08 2B 24 03 01 02 02 01 01',
- 'name': 'ideaCBC_ISOpad',
- 'oid': (1, 3, 36, 3, 1, 2, 2, 1, 1)},
- (1, 3, 36, 3, 1, 2, 3): {'comment': 'Teletrust encryption algorithm',
- 'description': 'ideaOFB (1 3 36 3 1 2 3)',
- 'hexoid': '06 06 2B 24 03 01 02 03',
- 'name': 'ideaOFB',
- 'oid': (1, 3, 36, 3, 1, 2, 3)},
- (1, 3, 36, 3, 1, 2, 4): {'comment': 'Teletrust encryption algorithm',
- 'description': 'ideaCFB (1 3 36 3 1 2 4)',
- 'hexoid': '06 06 2B 24 03 01 02 04',
- 'name': 'ideaCFB',
- 'oid': (1, 3, 36, 3, 1, 2, 4)},
- (1, 3, 36, 3, 1, 3): {'comment': 'Teletrust encryption algorithm',
- 'description': 'des_3 (1 3 36 3 1 3)',
- 'hexoid': '06 05 2B 24 03 01 03',
- 'name': 'des_3',
- 'oid': (1, 3, 36, 3, 1, 3)},
- (1, 3, 36, 3, 1, 3, 1, 1): {'comment': 'Teletrust encryption algorithm. EDE triple DES',
- 'description': 'des_3ECB_pad (1 3 36 3 1 3 1 1)',
- 'hexoid': '06 07 2B 24 03 01 03 01 01',
- 'name': 'des_3ECB_pad',
- 'oid': (1, 3, 36, 3, 1, 3, 1, 1)},
- (1, 3, 36, 3, 1, 3, 1, 1, 1): {'comment': 'Teletrust encryption algorithm. EDE triple DES',
- 'description': 'des_3ECB_ISOpad (1 3 36 3 1 3 1 1 1)',
- 'hexoid': '06 08 2B 24 03 01 03 01 01 01',
- 'name': 'des_3ECB_ISOpad',
- 'oid': (1, 3, 36, 3, 1, 3, 1, 1, 1)},
- (1, 3, 36, 3, 1, 3, 2, 1): {'comment': 'Teletrust encryption algorithm. EDE triple DES',
- 'description': 'des_3CBC_pad (1 3 36 3 1 3 2 1)',
- 'hexoid': '06 07 2B 24 03 01 03 02 01',
- 'name': 'des_3CBC_pad',
- 'oid': (1, 3, 36, 3, 1, 3, 2, 1)},
- (1, 3, 36, 3, 1, 3, 2, 1, 1): {'comment': 'Teletrust encryption algorithm. EDE triple DES',
- 'description': 'des_3CBC_ISOpad (1 3 36 3 1 3 2 1 1)',
- 'hexoid': '06 08 2B 24 03 01 03 02 01 01',
- 'name': 'des_3CBC_ISOpad',
- 'oid': (1, 3, 36, 3, 1, 3, 2, 1, 1)},
- (1, 3, 36, 3, 1, 4): {'comment': 'Teletrust encryption algorithm',
- 'description': 'rsaEncryption (1 3 36 3 1 4)',
- 'hexoid': '06 05 2B 24 03 01 04',
- 'name': 'rsaEncryption',
- 'oid': (1, 3, 36, 3, 1, 4)},
- (1, 3, 36, 3, 1, 4, 512, 17): {'comment': 'Teletrust encryption algorithm',
- 'description': 'rsaEncryptionWithlmod512expe17 (1 3 36 3 1 4 512 17)',
- 'hexoid': '06 08 2B 24 03 01 04 84 00 11',
- 'name': 'rsaEncryptionWithlmod512expe17',
- 'oid': (1, 3, 36, 3, 1, 4, 512, 17)},
- (1, 3, 36, 3, 1, 5): {'comment': 'Teletrust encryption algorithm',
- 'description': 'bsi-1 (1 3 36 3 1 5)',
- 'hexoid': '06 05 2B 24 03 01 05',
- 'name': 'bsi-1',
- 'oid': (1, 3, 36, 3, 1, 5)},
- (1, 3, 36, 3, 1, 5, 1): {'comment': 'Teletrust encryption algorithm',
- 'description': 'bsi_1ECB_pad (1 3 36 3 1 5 1)',
- 'hexoid': '06 06 2B 24 03 01 05 01',
- 'name': 'bsi_1ECB_pad',
- 'oid': (1, 3, 36, 3, 1, 5, 1)},
- (1, 3, 36, 3, 1, 5, 2): {'comment': 'Teletrust encryption algorithm',
- 'description': 'bsi_1CBC_pad (1 3 36 3 1 5 2)',
- 'hexoid': '06 06 2B 24 03 01 05 02',
- 'name': 'bsi_1CBC_pad',
- 'oid': (1, 3, 36, 3, 1, 5, 2)},
- (1, 3, 36, 3, 1, 5, 2, 1): {'comment': 'Teletrust encryption algorithm',
- 'description': 'bsi_1CBC_PEMpad (1 3 36 3 1 5 2 1)',
- 'hexoid': '06 07 2B 24 03 01 05 02 01',
- 'name': 'bsi_1CBC_PEMpad',
- 'oid': (1, 3, 36, 3, 1, 5, 2, 1)},
- (1, 3, 36, 3, 2): {'comment': 'Teletrust algorithm',
- 'description': 'hashAlgorithm (1 3 36 3 2)',
- 'hexoid': '06 04 2B 24 03 02',
- 'name': 'hashAlgorithm',
- 'oid': (1, 3, 36, 3, 2)},
- (1, 3, 36, 3, 2, 1): {'comment': 'Teletrust hash algorithm',
- 'description': 'ripemd160 (1 3 36 3 2 1)',
- 'hexoid': '06 05 2B 24 03 02 01',
- 'name': 'ripemd160',
- 'oid': (1, 3, 36, 3, 2, 1)},
- (1, 3, 36, 3, 2, 2): {'comment': 'Teletrust hash algorithm',
- 'description': 'ripemd128 (1 3 36 3 2 2)',
- 'hexoid': '06 05 2B 24 03 02 02',
- 'name': 'ripemd128',
- 'oid': (1, 3, 36, 3, 2, 2)},
- (1, 3, 36, 3, 2, 3): {'comment': 'Teletrust hash algorithm',
- 'description': 'ripemd256 (1 3 36 3 2 3)',
- 'hexoid': '06 05 2B 24 03 02 03',
- 'name': 'ripemd256',
- 'oid': (1, 3, 36, 3, 2, 3)},
- (1, 3, 36, 3, 2, 4): {'comment': 'Teletrust hash algorithm',
- 'description': 'mdc2singleLength (1 3 36 3 2 4)',
- 'hexoid': '06 05 2B 24 03 02 04',
- 'name': 'mdc2singleLength',
- 'oid': (1, 3, 36, 3, 2, 4)},
- (1, 3, 36, 3, 2, 5): {'comment': 'Teletrust hash algorithm',
- 'description': 'mdc2doubleLength (1 3 36 3 2 5)',
- 'hexoid': '06 05 2B 24 03 02 05',
- 'name': 'mdc2doubleLength',
- 'oid': (1, 3, 36, 3, 2, 5)},
- (1, 3, 36, 3, 3): {'comment': 'Teletrust algorithm',
- 'description': 'signatureAlgorithm (1 3 36 3 3)',
- 'hexoid': '06 04 2B 24 03 03',
- 'name': 'signatureAlgorithm',
- 'oid': (1, 3, 36, 3, 3)},
- (1, 3, 36, 3, 3, 1): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignature (1 3 36 3 3 1)',
- 'hexoid': '06 05 2B 24 03 03 01',
- 'name': 'rsaSignature',
- 'oid': (1, 3, 36, 3, 3, 1)},
- (1, 3, 36, 3, 3, 1, 1): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1 (1 3 36 3 3 1 1)',
- 'hexoid': '06 06 2B 24 03 03 01 01',
- 'name': 'rsaSignatureWithsha1',
- 'oid': (1, 3, 36, 3, 3, 1, 1)},
- (1, 3, 36, 3, 3, 1, 1, 512, 2): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l512_l2 (1 3 36 3 3 1 1 512 2)',
- 'hexoid': '06 09 2B 24 03 03 01 01 84 00 02',
- 'name': 'rsaSignatureWithsha1_l512_l2',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 512, 2)},
- (1, 3, 36, 3, 3, 1, 1, 512, 3): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l512_l3 (1 3 36 3 3 1 1 512 3)',
- 'hexoid': '06 09 2B 24 03 03 01 01 84 00 03',
- 'name': 'rsaSignatureWithsha1_l512_l3',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 512, 3)},
- (1, 3, 36, 3, 3, 1, 1, 512, 5): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l512_l5 (1 3 36 3 3 1 1 512 5)',
- 'hexoid': '06 09 2B 24 03 03 01 01 84 00 05',
- 'name': 'rsaSignatureWithsha1_l512_l5',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 512, 5)},
- (1, 3, 36, 3, 3, 1, 1, 512, 9): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l512_l9 (1 3 36 3 3 1 1 512 9)',
- 'hexoid': '06 09 2B 24 03 03 01 01 84 00 09',
- 'name': 'rsaSignatureWithsha1_l512_l9',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 512, 9)},
- (1, 3, 36, 3, 3, 1, 1, 512, 11): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l512_l11 (1 3 36 3 3 1 1 512 11)',
- 'hexoid': '06 09 2B 24 03 03 01 01 84 00 0B',
- 'name': 'rsaSignatureWithsha1_l512_l11',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 512, 11)},
- (1, 3, 36, 3, 3, 1, 1, 640, 2): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l640_l2 (1 3 36 3 3 1 1 640 2)',
- 'hexoid': '06 09 2B 24 03 03 01 01 85 00 02',
- 'name': 'rsaSignatureWithsha1_l640_l2',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 640, 2)},
- (1, 3, 36, 3, 3, 1, 1, 640, 3): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l640_l3 (1 3 36 3 3 1 1 640 3)',
- 'hexoid': '06 09 2B 24 03 03 01 01 85 00 03',
- 'name': 'rsaSignatureWithsha1_l640_l3',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 640, 3)},
- (1, 3, 36, 3, 3, 1, 1, 640, 5): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l640_l5 (1 3 36 3 3 1 1 640 5)',
- 'hexoid': '06 09 2B 24 03 03 01 01 85 00 05',
- 'name': 'rsaSignatureWithsha1_l640_l5',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 640, 5)},
- (1, 3, 36, 3, 3, 1, 1, 640, 9): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l640_l9 (1 3 36 3 3 1 1 640 9)',
- 'hexoid': '06 09 2B 24 03 03 01 01 85 00 09',
- 'name': 'rsaSignatureWithsha1_l640_l9',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 640, 9)},
- (1, 3, 36, 3, 3, 1, 1, 640, 11): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l640_l11 (1 3 36 3 3 1 1 640 11)',
- 'hexoid': '06 09 2B 24 03 03 01 01 85 00 0B',
- 'name': 'rsaSignatureWithsha1_l640_l11',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 640, 11)},
- (1, 3, 36, 3, 3, 1, 1, 768, 2): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l768_l2 (1 3 36 3 3 1 1 768 2)',
- 'hexoid': '06 09 2B 24 03 03 01 01 86 00 02',
- 'name': 'rsaSignatureWithsha1_l768_l2',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 768, 2)},
- (1, 3, 36, 3, 3, 1, 1, 768, 3): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l768_l3 (1 3 36 3 3 1 1 768 3)',
- 'hexoid': '06 09 2B 24 03 03 01 01 86 00 03',
- 'name': 'rsaSignatureWithsha1_l768_l3',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 768, 3)},
- (1, 3, 36, 3, 3, 1, 1, 768, 5): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l768_l5 (1 3 36 3 3 1 1 768 5)',
- 'hexoid': '06 09 2B 24 03 03 01 01 86 00 05',
- 'name': 'rsaSignatureWithsha1_l768_l5',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 768, 5)},
- (1, 3, 36, 3, 3, 1, 1, 768, 9): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l768_l9 (1 3 36 3 3 1 1 768 9)',
- 'hexoid': '06 09 2B 24 03 03 01 01 86 00 09',
- 'name': 'rsaSignatureWithsha1_l768_l9',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 768, 9)},
- (1, 3, 36, 3, 3, 1, 1, 768, 11): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l768_l11 (1 3 36 3 3 1 1 768 11)',
- 'hexoid': '06 09 2B 24 03 03 01 01 86 00 0B',
- 'name': 'rsaSignatureWithsha1_l768_l11',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 768, 11)},
- (1, 3, 36, 3, 3, 1, 1, 896, 2): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l896_l2 (1 3 36 3 3 1 1 896 2)',
- 'hexoid': '06 09 2B 24 03 03 01 01 87 00 02',
- 'name': 'rsaSignatureWithsha1_l896_l2',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 896, 2)},
- (1, 3, 36, 3, 3, 1, 1, 896, 3): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l896_l3 (1 3 36 3 3 1 1 896 3)',
- 'hexoid': '06 09 2B 24 03 03 01 01 87 00 03',
- 'name': 'rsaSignatureWithsha1_l896_l3',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 896, 3)},
- (1, 3, 36, 3, 3, 1, 1, 896, 5): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l896_l5 (1 3 36 3 3 1 1 896 5)',
- 'hexoid': '06 09 2B 24 03 03 01 01 87 00 05',
- 'name': 'rsaSignatureWithsha1_l896_l5',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 896, 5)},
- (1, 3, 36, 3, 3, 1, 1, 896, 9): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l896_l9 (1 3 36 3 3 1 1 896 9)',
- 'hexoid': '06 09 2B 24 03 03 01 01 87 00 09',
- 'name': 'rsaSignatureWithsha1_l896_l9',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 896, 9)},
- (1, 3, 36, 3, 3, 1, 1, 896, 11): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l896_l11 (1 3 36 3 3 1 1 896 11)',
- 'hexoid': '06 09 2B 24 03 03 01 01 87 00 0B',
- 'name': 'rsaSignatureWithsha1_l896_l11',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 896, 11)},
- (1, 3, 36, 3, 3, 1, 1, 1024, 2): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l1024_l2 (1 3 36 3 3 1 1 1024 2)',
- 'hexoid': '06 09 2B 24 03 03 01 01 88 00 02',
- 'name': 'rsaSignatureWithsha1_l1024_l2',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 1024, 2)},
- (1, 3, 36, 3, 3, 1, 1, 1024, 3): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l1024_l3 (1 3 36 3 3 1 1 1024 3)',
- 'hexoid': '06 09 2B 24 03 03 01 01 88 00 03',
- 'name': 'rsaSignatureWithsha1_l1024_l3',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 1024, 3)},
- (1, 3, 36, 3, 3, 1, 1, 1024, 5): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l1024_l5 (1 3 36 3 3 1 1 1024 5)',
- 'hexoid': '06 09 2B 24 03 03 01 01 88 00 05',
- 'name': 'rsaSignatureWithsha1_l1024_l5',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 1024, 5)},
- (1, 3, 36, 3, 3, 1, 1, 1024, 9): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l1024_l9 (1 3 36 3 3 1 1 1024 9)',
- 'hexoid': '06 09 2B 24 03 03 01 01 88 00 09',
- 'name': 'rsaSignatureWithsha1_l1024_l9',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 1024, 9)},
- (1, 3, 36, 3, 3, 1, 1, 1024, 11): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithsha1_l1024_l11 (1 3 36 3 3 1 1 1024 11)',
- 'hexoid': '06 09 2B 24 03 03 01 01 88 00 0B',
- 'name': 'rsaSignatureWithsha1_l1024_l11',
- 'oid': (1, 3, 36, 3, 3, 1, 1, 1024, 11)},
- (1, 3, 36, 3, 3, 1, 2): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160 (1 3 36 3 3 1 2)',
- 'hexoid': '06 06 2B 24 03 03 01 02',
- 'name': 'rsaSignatureWithripemd160',
- 'oid': (1, 3, 36, 3, 3, 1, 2)},
- (1, 3, 36, 3, 3, 1, 2, 512, 2): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l512_l2 (1 3 36 3 3 1 2 512 2)',
- 'hexoid': '06 09 2B 24 03 03 01 02 84 00 02',
- 'name': 'rsaSignatureWithripemd160_l512_l2',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 512, 2)},
- (1, 3, 36, 3, 3, 1, 2, 512, 3): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l512_l3 (1 3 36 3 3 1 2 512 3)',
- 'hexoid': '06 09 2B 24 03 03 01 02 84 00 03',
- 'name': 'rsaSignatureWithripemd160_l512_l3',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 512, 3)},
- (1, 3, 36, 3, 3, 1, 2, 512, 5): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l512_l5 (1 3 36 3 3 1 2 512 5)',
- 'hexoid': '06 09 2B 24 03 03 01 02 84 00 05',
- 'name': 'rsaSignatureWithripemd160_l512_l5',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 512, 5)},
- (1, 3, 36, 3, 3, 1, 2, 512, 9): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l512_l9 (1 3 36 3 3 1 2 512 9)',
- 'hexoid': '06 09 2B 24 03 03 01 02 84 00 09',
- 'name': 'rsaSignatureWithripemd160_l512_l9',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 512, 9)},
- (1, 3, 36, 3, 3, 1, 2, 512, 11): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l512_l11 (1 3 36 3 3 1 2 512 11)',
- 'hexoid': '06 09 2B 24 03 03 01 02 84 00 0B',
- 'name': 'rsaSignatureWithripemd160_l512_l11',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 512, 11)},
- (1, 3, 36, 3, 3, 1, 2, 640, 2): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l640_l2 (1 3 36 3 3 1 2 640 2)',
- 'hexoid': '06 09 2B 24 03 03 01 02 85 00 02',
- 'name': 'rsaSignatureWithripemd160_l640_l2',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 640, 2)},
- (1, 3, 36, 3, 3, 1, 2, 640, 3): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l640_l3 (1 3 36 3 3 1 2 640 3)',
- 'hexoid': '06 09 2B 24 03 03 01 02 85 00 03',
- 'name': 'rsaSignatureWithripemd160_l640_l3',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 640, 3)},
- (1, 3, 36, 3, 3, 1, 2, 640, 5): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l640_l5 (1 3 36 3 3 1 2 640 5)',
- 'hexoid': '06 09 2B 24 03 03 01 02 85 00 05',
- 'name': 'rsaSignatureWithripemd160_l640_l5',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 640, 5)},
- (1, 3, 36, 3, 3, 1, 2, 640, 9): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l640_l9 (1 3 36 3 3 1 2 640 9)',
- 'hexoid': '06 09 2B 24 03 03 01 02 85 00 09',
- 'name': 'rsaSignatureWithripemd160_l640_l9',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 640, 9)},
- (1, 3, 36, 3, 3, 1, 2, 640, 11): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l640_l11 (1 3 36 3 3 1 2 640 11)',
- 'hexoid': '06 09 2B 24 03 03 01 02 85 00 0B',
- 'name': 'rsaSignatureWithripemd160_l640_l11',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 640, 11)},
- (1, 3, 36, 3, 3, 1, 2, 768, 2): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l768_l2 (1 3 36 3 3 1 2 768 2)',
- 'hexoid': '06 09 2B 24 03 03 01 02 86 00 02',
- 'name': 'rsaSignatureWithripemd160_l768_l2',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 768, 2)},
- (1, 3, 36, 3, 3, 1, 2, 768, 3): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l768_l3 (1 3 36 3 3 1 2 768 3)',
- 'hexoid': '06 09 2B 24 03 03 01 02 86 00 03',
- 'name': 'rsaSignatureWithripemd160_l768_l3',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 768, 3)},
- (1, 3, 36, 3, 3, 1, 2, 768, 5): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l768_l5 (1 3 36 3 3 1 2 768 5)',
- 'hexoid': '06 09 2B 24 03 03 01 02 86 00 05',
- 'name': 'rsaSignatureWithripemd160_l768_l5',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 768, 5)},
- (1, 3, 36, 3, 3, 1, 2, 768, 9): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l768_l9 (1 3 36 3 3 1 2 768 9)',
- 'hexoid': '06 09 2B 24 03 03 01 02 86 00 09',
- 'name': 'rsaSignatureWithripemd160_l768_l9',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 768, 9)},
- (1, 3, 36, 3, 3, 1, 2, 768, 11): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l768_l11 (1 3 36 3 3 1 2 768 11)',
- 'hexoid': '06 09 2B 24 03 03 01 02 86 00 0B',
- 'name': 'rsaSignatureWithripemd160_l768_l11',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 768, 11)},
- (1, 3, 36, 3, 3, 1, 2, 896, 2): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l896_l2 (1 3 36 3 3 1 2 896 2)',
- 'hexoid': '06 09 2B 24 03 03 01 02 87 00 02',
- 'name': 'rsaSignatureWithripemd160_l896_l2',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 896, 2)},
- (1, 3, 36, 3, 3, 1, 2, 896, 3): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l896_l3 (1 3 36 3 3 1 2 896 3)',
- 'hexoid': '06 09 2B 24 03 03 01 02 87 00 03',
- 'name': 'rsaSignatureWithripemd160_l896_l3',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 896, 3)},
- (1, 3, 36, 3, 3, 1, 2, 896, 5): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l896_l5 (1 3 36 3 3 1 2 896 5)',
- 'hexoid': '06 09 2B 24 03 03 01 02 87 00 05',
- 'name': 'rsaSignatureWithripemd160_l896_l5',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 896, 5)},
- (1, 3, 36, 3, 3, 1, 2, 896, 9): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l896_l9 (1 3 36 3 3 1 2 896 9)',
- 'hexoid': '06 09 2B 24 03 03 01 02 87 00 09',
- 'name': 'rsaSignatureWithripemd160_l896_l9',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 896, 9)},
- (1, 3, 36, 3, 3, 1, 2, 896, 11): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l896_l11 (1 3 36 3 3 1 2 896 11)',
- 'hexoid': '06 09 2B 24 03 03 01 02 87 00 0B',
- 'name': 'rsaSignatureWithripemd160_l896_l11',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 896, 11)},
- (1, 3, 36, 3, 3, 1, 2, 1024, 2): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l1024_l2 (1 3 36 3 3 1 2 1024 2)',
- 'hexoid': '06 09 2B 24 03 03 01 02 88 00 02',
- 'name': 'rsaSignatureWithripemd160_l1024_l2',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 1024, 2)},
- (1, 3, 36, 3, 3, 1, 2, 1024, 3): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l1024_l3 (1 3 36 3 3 1 2 1024 3)',
- 'hexoid': '06 09 2B 24 03 03 01 02 88 00 03',
- 'name': 'rsaSignatureWithripemd160_l1024_l3',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 1024, 3)},
- (1, 3, 36, 3, 3, 1, 2, 1024, 5): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l1024_l5 (1 3 36 3 3 1 2 1024 5)',
- 'hexoid': '06 09 2B 24 03 03 01 02 88 00 05',
- 'name': 'rsaSignatureWithripemd160_l1024_l5',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 1024, 5)},
- (1, 3, 36, 3, 3, 1, 2, 1024, 9): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l1024_l9 (1 3 36 3 3 1 2 1024 9)',
- 'hexoid': '06 09 2B 24 03 03 01 02 88 00 09',
- 'name': 'rsaSignatureWithripemd160_l1024_l9',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 1024, 9)},
- (1, 3, 36, 3, 3, 1, 2, 1024, 11): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithripemd160_l1024_l11 (1 3 36 3 3 1 2 1024 11)',
- 'hexoid': '06 09 2B 24 03 03 01 02 88 00 0B',
- 'name': 'rsaSignatureWithripemd160_l1024_l11',
- 'oid': (1, 3, 36, 3, 3, 1, 2, 1024, 11)},
- (1, 3, 36, 3, 3, 1, 3): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithrimpemd128 (1 3 36 3 3 1 3)',
- 'hexoid': '06 06 2B 24 03 03 01 03',
- 'name': 'rsaSignatureWithrimpemd128',
- 'oid': (1, 3, 36, 3, 3, 1, 3)},
- (1, 3, 36, 3, 3, 1, 4): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaSignatureWithrimpemd256 (1 3 36 3 3 1 4)',
- 'hexoid': '06 06 2B 24 03 03 01 04',
- 'name': 'rsaSignatureWithrimpemd256',
- 'oid': (1, 3, 36, 3, 3, 1, 4)},
- (1, 3, 36, 3, 3, 2): {'comment': 'Teletrust signature algorithm',
- 'description': 'ecsieSign (1 3 36 3 3 2)',
- 'hexoid': '06 05 2B 24 03 03 02',
- 'name': 'ecsieSign',
- 'oid': (1, 3, 36, 3, 3, 2)},
- (1, 3, 36, 3, 3, 2, 1): {'comment': 'Teletrust signature algorithm',
- 'description': 'ecsieSignWithsha1 (1 3 36 3 3 2 1)',
- 'hexoid': '06 06 2B 24 03 03 02 01',
- 'name': 'ecsieSignWithsha1',
- 'oid': (1, 3, 36, 3, 3, 2, 1)},
- (1, 3, 36, 3, 3, 2, 2): {'comment': 'Teletrust signature algorithm',
- 'description': 'ecsieSignWithripemd160 (1 3 36 3 3 2 2)',
- 'hexoid': '06 06 2B 24 03 03 02 02',
- 'name': 'ecsieSignWithripemd160',
- 'oid': (1, 3, 36, 3, 3, 2, 2)},
- (1, 3, 36, 3, 3, 2, 3): {'comment': 'Teletrust signature algorithm',
- 'description': 'ecsieSignWithmd2 (1 3 36 3 3 2 3)',
- 'hexoid': '06 06 2B 24 03 03 02 03',
- 'name': 'ecsieSignWithmd2',
- 'oid': (1, 3, 36, 3, 3, 2, 3)},
- (1, 3, 36, 3, 3, 2, 4): {'comment': 'Teletrust signature algorithm',
- 'description': 'ecsieSignWithmd5 (1 3 36 3 3 2 4)',
- 'hexoid': '06 06 2B 24 03 03 02 04',
- 'name': 'ecsieSignWithmd5',
- 'oid': (1, 3, 36, 3, 3, 2, 4)},
- (1, 3, 36, 3, 3, 2, 8, 1, 1, 1): {'comment': 'ECC Brainpool Standard Curves and Curve Generation',
- 'description': 'brainpoolP224r1 (1 3 36 3 3 2 8 1 1 1)',
- 'hexoid': '06 09 2B 24 03 03 02 08 01 01 01',
- 'name': 'brainpoolP224r1',
- 'oid': (1, 3, 36, 3, 3, 2, 8, 1, 1, 1)},
- (1, 3, 36, 3, 3, 2, 8, 1, 1, 2): {'comment': 'ECC Brainpool Standard Curves and Curve Generation',
- 'description': 'brainpoolP224r1 (1 3 36 3 3 2 8 1 1 2)',
- 'hexoid': '06 09 2B 24 03 03 02 08 01 01 02',
- 'name': 'brainpoolP224r1',
- 'oid': (1, 3, 36, 3, 3, 2, 8, 1, 1, 2)},
- (1, 3, 36, 3, 3, 2, 8, 1, 1, 3): {'comment': 'ECC Brainpool Standard Curves and Curve Generation',
- 'description': 'brainpoolP224r1 (1 3 36 3 3 2 8 1 1 3)',
- 'hexoid': '06 09 2B 24 03 03 02 08 01 01 03',
- 'name': 'brainpoolP224r1',
- 'oid': (1, 3, 36, 3, 3, 2, 8, 1, 1, 3)},
- (1, 3, 36, 3, 3, 2, 8, 1, 1, 4): {'comment': 'ECC Brainpool Standard Curves and Curve Generation',
- 'description': 'brainpoolP224r1 (1 3 36 3 3 2 8 1 1 4)',
- 'hexoid': '06 09 2B 24 03 03 02 08 01 01 04',
- 'name': 'brainpoolP224r1',
- 'oid': (1, 3, 36, 3, 3, 2, 8, 1, 1, 4)},
- (1, 3, 36, 3, 3, 2, 8, 1, 1, 5): {'comment': 'ECC Brainpool Standard Curves and Curve Generation',
- 'description': 'brainpoolP224r1 (1 3 36 3 3 2 8 1 1 5)',
- 'hexoid': '06 09 2B 24 03 03 02 08 01 01 05',
- 'name': 'brainpoolP224r1',
- 'oid': (1, 3, 36, 3, 3, 2, 8, 1, 1, 5)},
- (1, 3, 36, 3, 3, 2, 8, 1, 1, 6): {'comment': 'ECC Brainpool Standard Curves and Curve Generation',
- 'description': 'brainpoolP224r1 (1 3 36 3 3 2 8 1 1 6)',
- 'hexoid': '06 09 2B 24 03 03 02 08 01 01 06',
- 'name': 'brainpoolP224r1',
- 'oid': (1, 3, 36, 3, 3, 2, 8, 1, 1, 6)},
- (1, 3, 36, 3, 3, 2, 8, 1, 1, 7): {'comment': 'ECC Brainpool Standard Curves and Curve Generation',
- 'description': 'brainpoolP224r1 (1 3 36 3 3 2 8 1 1 7)',
- 'hexoid': '06 09 2B 24 03 03 02 08 01 01 07',
- 'name': 'brainpoolP224r1',
- 'oid': (1, 3, 36, 3, 3, 2, 8, 1, 1, 7)},
- (1, 3, 36, 3, 3, 2, 8, 1, 1, 8): {'comment': 'ECC Brainpool Standard Curves and Curve Generation',
- 'description': 'brainpoolP224r1 (1 3 36 3 3 2 8 1 1 8)',
- 'hexoid': '06 09 2B 24 03 03 02 08 01 01 08',
- 'name': 'brainpoolP224r1',
- 'oid': (1, 3, 36, 3, 3, 2, 8, 1, 1, 8)},
- (1, 3, 36, 3, 3, 2, 8, 1, 1, 9): {'comment': 'ECC Brainpool Standard Curves and Curve Generation',
- 'description': 'brainpoolP224r1 (1 3 36 3 3 2 8 1 1 9)',
- 'hexoid': '06 09 2B 24 03 03 02 08 01 01 09',
- 'name': 'brainpoolP224r1',
- 'oid': (1, 3, 36, 3, 3, 2, 8, 1, 1, 9)},
- (1, 3, 36, 3, 3, 2, 8, 1, 1, 10): {'comment': 'ECC Brainpool Standard Curves and Curve Generation',
- 'description': 'brainpoolP224r1 (1 3 36 3 3 2 8 1 1 10)',
- 'hexoid': '06 09 2B 24 03 03 02 08 01 01 0A',
- 'name': 'brainpoolP224r1',
- 'oid': (1, 3, 36, 3, 3, 2, 8, 1, 1, 10)},
- (1, 3, 36, 3, 3, 2, 8, 1, 1, 11): {'comment': 'ECC Brainpool Standard Curves and Curve Generation',
- 'description': 'brainpoolP224r1 (1 3 36 3 3 2 8 1 1 11)',
- 'hexoid': '06 09 2B 24 03 03 02 08 01 01 0B',
- 'name': 'brainpoolP224r1',
- 'oid': (1, 3, 36, 3, 3, 2, 8, 1, 1, 11)},
- (1, 3, 36, 3, 3, 2, 8, 1, 1, 12): {'comment': 'ECC Brainpool Standard Curves and Curve Generation',
- 'description': 'brainpoolP224r1 (1 3 36 3 3 2 8 1 1 12)',
- 'hexoid': '06 09 2B 24 03 03 02 08 01 01 0C',
- 'name': 'brainpoolP224r1',
- 'oid': (1, 3, 36, 3, 3, 2, 8, 1, 1, 12)},
- (1, 3, 36, 3, 3, 2, 8, 1, 1, 13): {'comment': 'ECC Brainpool Standard Curves and Curve Generation',
- 'description': 'brainpoolP224r1 (1 3 36 3 3 2 8 1 1 13)',
- 'hexoid': '06 09 2B 24 03 03 02 08 01 01 0D',
- 'name': 'brainpoolP224r1',
- 'oid': (1, 3, 36, 3, 3, 2, 8, 1, 1, 13)},
- (1, 3, 36, 3, 3, 2, 8, 1, 1, 14): {'comment': 'ECC Brainpool Standard Curves and Curve Generation',
- 'description': 'brainpoolP224r1 (1 3 36 3 3 2 8 1 1 14)',
- 'hexoid': '06 09 2B 24 03 03 02 08 01 01 0E',
- 'name': 'brainpoolP224r1',
- 'oid': (1, 3, 36, 3, 3, 2, 8, 1, 1, 14)},
- (1, 3, 36, 3, 4): {'comment': 'Teletrust algorithm',
- 'description': 'signatureScheme (1 3 36 3 4)',
- 'hexoid': '06 04 2B 24 03 04',
- 'name': 'signatureScheme',
- 'oid': (1, 3, 36, 3, 4)},
- (1, 3, 36, 3, 4, 1): {'comment': 'Teletrust signature scheme',
- 'description': 'sigS_ISO9796-1 (1 3 36 3 4 1)',
- 'hexoid': '06 05 2B 24 03 04 01',
- 'name': 'sigS_ISO9796-1',
- 'oid': (1, 3, 36, 3, 4, 1)},
- (1, 3, 36, 3, 4, 2): {'comment': 'Teletrust signature scheme',
- 'description': 'sigS_ISO9796-2 (1 3 36 3 4 2)',
- 'hexoid': '06 05 2B 24 03 04 02',
- 'name': 'sigS_ISO9796-2',
- 'oid': (1, 3, 36, 3, 4, 2)},
- (1, 3, 36, 3, 4, 2, 1): {'comment': 'Teletrust signature scheme. Unsure what this is supposed to be',
- 'description': 'sigS_ISO9796-2Withred (1 3 36 3 4 2 1)',
- 'hexoid': '06 06 2B 24 03 04 02 01',
- 'name': 'sigS_ISO9796-2Withred',
- 'oid': (1, 3, 36, 3, 4, 2, 1)},
- (1, 3, 36, 3, 4, 2, 2): {'comment': 'Teletrust signature scheme. Unsure what this is supposed to be',
- 'description': 'sigS_ISO9796-2Withrsa (1 3 36 3 4 2 2)',
- 'hexoid': '06 06 2B 24 03 04 02 02',
- 'name': 'sigS_ISO9796-2Withrsa',
- 'oid': (1, 3, 36, 3, 4, 2, 2)},
- (1, 3, 36, 3, 4, 2, 3): {'comment': 'Teletrust signature scheme. 9796-2 with random number in padding field',
- 'description': 'sigS_ISO9796-2Withrnd (1 3 36 3 4 2 3)',
- 'hexoid': '06 06 2B 24 03 04 02 03',
- 'name': 'sigS_ISO9796-2Withrnd',
- 'oid': (1, 3, 36, 3, 4, 2, 3)},
- (1, 3, 36, 4): {'comment': 'Teletrust attribute',
- 'description': 'attribute (1 3 36 4)',
- 'hexoid': '06 03 2B 24 04',
- 'name': 'attribute',
- 'oid': (1, 3, 36, 4)},
- (1, 3, 36, 5): {'comment': 'Teletrust policy',
- 'description': 'policy (1 3 36 5)',
- 'hexoid': '06 03 2B 24 05',
- 'name': 'policy',
- 'oid': (1, 3, 36, 5)},
- (1, 3, 36, 6): {'comment': 'Teletrust API',
- 'description': 'api (1 3 36 6)',
- 'hexoid': '06 03 2B 24 06',
- 'name': 'api',
- 'oid': (1, 3, 36, 6)},
- (1, 3, 36, 6, 1): {'comment': 'Teletrust API',
- 'description': 'manufacturer-specific_api (1 3 36 6 1)',
- 'hexoid': '06 04 2B 24 06 01',
- 'name': 'manufacturer-specific_api',
- 'oid': (1, 3, 36, 6, 1)},
- (1, 3, 36, 6, 1, 1): {'comment': 'Teletrust API',
- 'description': 'utimaco-api (1 3 36 6 1 1)',
- 'hexoid': '06 05 2B 24 06 01 01',
- 'name': 'utimaco-api',
- 'oid': (1, 3, 36, 6, 1, 1)},
- (1, 3, 36, 6, 2): {'comment': 'Teletrust API',
- 'description': 'functionality-specific_api (1 3 36 6 2)',
- 'hexoid': '06 04 2B 24 06 02',
- 'name': 'functionality-specific_api',
- 'oid': (1, 3, 36, 6, 2)},
- (1, 3, 36, 7): {'comment': 'Teletrust key management',
- 'description': 'keymgmnt (1 3 36 7)',
- 'hexoid': '06 03 2B 24 07',
- 'name': 'keymgmnt',
- 'oid': (1, 3, 36, 7)},
- (1, 3, 36, 7, 1): {'comment': 'Teletrust key management',
- 'description': 'keyagree (1 3 36 7 1)',
- 'hexoid': '06 04 2B 24 07 01',
- 'name': 'keyagree',
- 'oid': (1, 3, 36, 7, 1)},
- (1, 3, 36, 7, 1, 1): {'comment': 'Teletrust key management',
- 'description': 'bsiPKE (1 3 36 7 1 1)',
- 'hexoid': '06 05 2B 24 07 01 01',
- 'name': 'bsiPKE',
- 'oid': (1, 3, 36, 7, 1, 1)},
- (1, 3, 36, 7, 2): {'comment': 'Teletrust key management',
- 'description': 'keytrans (1 3 36 7 2)',
- 'hexoid': '06 04 2B 24 07 02',
- 'name': 'keytrans',
- 'oid': (1, 3, 36, 7, 2)},
- (1, 3, 36, 7, 2, 1): {'comment': 'Teletrust key management. 9796-2 with key stored in hash field',
- 'description': 'encISO9796-2Withrsa (1 3 36 7 2 1)',
- 'hexoid': '06 05 2B 24 07 02 01',
- 'name': 'encISO9796-2Withrsa',
- 'oid': (1, 3, 36, 7, 2, 1)},
- (1, 3, 36, 8, 1, 1): {'comment': 'Teletrust policy',
- 'description': 'Teletrust SigGConform policyIdentifier (1 3 36 8 1 1)',
- 'hexoid': '06 05 2B 24 08 01 01',
- 'name': 'Teletrust',
- 'oid': (1, 3, 36, 8, 1, 1)},
- (1, 3, 36, 8, 2, 1): {'comment': 'Teletrust extended key usage',
- 'description': 'directoryService (1 3 36 8 2 1)',
- 'hexoid': '06 05 2B 24 08 02 01',
- 'name': 'directoryService',
- 'oid': (1, 3, 36, 8, 2, 1)},
- (1, 3, 36, 8, 3, 1): {'comment': 'Teletrust attribute',
- 'description': 'dateOfCertGen (1 3 36 8 3 1)',
- 'hexoid': '06 05 2B 24 08 03 01',
- 'name': 'dateOfCertGen',
- 'oid': (1, 3, 36, 8, 3, 1)},
- (1, 3, 36, 8, 3, 2): {'comment': 'Teletrust attribute',
- 'description': 'procuration (1 3 36 8 3 2)',
- 'hexoid': '06 05 2B 24 08 03 02',
- 'name': 'procuration',
- 'oid': (1, 3, 36, 8, 3, 2)},
- (1, 3, 36, 8, 3, 3): {'comment': 'Teletrust attribute',
- 'description': 'admission (1 3 36 8 3 3)',
- 'hexoid': '06 05 2B 24 08 03 03',
- 'name': 'admission',
- 'oid': (1, 3, 36, 8, 3, 3)},
- (1, 3, 36, 8, 3, 4): {'comment': 'Teletrust attribute',
- 'description': 'monetaryLimit (1 3 36 8 3 4)',
- 'hexoid': '06 05 2B 24 08 03 04',
- 'name': 'monetaryLimit',
- 'oid': (1, 3, 36, 8, 3, 4)},
- (1, 3, 36, 8, 3, 5): {'comment': 'Teletrust attribute',
- 'description': 'declarationOfMajority (1 3 36 8 3 5)',
- 'hexoid': '06 05 2B 24 08 03 05',
- 'name': 'declarationOfMajority',
- 'oid': (1, 3, 36, 8, 3, 5)},
- (1, 3, 36, 8, 3, 6): {'comment': 'Teletrust attribute',
- 'description': 'integratedCircuitCardSerialNumber (1 3 36 8 3 6)',
- 'hexoid': '06 05 2B 24 08 03 06',
- 'name': 'integratedCircuitCardSerialNumber',
- 'oid': (1, 3, 36, 8, 3, 6)},
- (1, 3, 36, 8, 3, 7): {'comment': 'Teletrust attribute',
- 'description': 'pKReference (1 3 36 8 3 7)',
- 'hexoid': '06 05 2B 24 08 03 07',
- 'name': 'pKReference',
- 'oid': (1, 3, 36, 8, 3, 7)},
- (1, 3, 36, 8, 3, 8): {'comment': 'Teletrust attribute',
- 'description': 'restriction (1 3 36 8 3 8)',
- 'hexoid': '06 05 2B 24 08 03 08',
- 'name': 'restriction',
- 'oid': (1, 3, 36, 8, 3, 8)},
- (1, 3, 36, 8, 3, 9): {'comment': 'Teletrust attribute',
- 'description': 'retrieveIfAllowed (1 3 36 8 3 9)',
- 'hexoid': '06 05 2B 24 08 03 09',
- 'name': 'retrieveIfAllowed',
- 'oid': (1, 3, 36, 8, 3, 9)},
- (1, 3, 36, 8, 3, 10): {'comment': 'Teletrust attribute',
- 'description': 'requestedCertificate (1 3 36 8 3 10)',
- 'hexoid': '06 05 2B 24 08 03 0A',
- 'name': 'requestedCertificate',
- 'oid': (1, 3, 36, 8, 3, 10)},
- (1, 3, 36, 8, 3, 11): {'comment': 'Teletrust attribute',
- 'description': 'namingAuthorities (1 3 36 8 3 11)',
- 'hexoid': '06 05 2B 24 08 03 0B',
- 'name': 'namingAuthorities',
- 'oid': (1, 3, 36, 8, 3, 11)},
- (1, 3, 36, 8, 3, 11, 1): {'comment': 'Teletrust naming authorities',
- 'description': 'rechtWirtschaftSteuern (1 3 36 8 3 11 1)',
- 'hexoid': '06 06 2B 24 08 03 0B 01',
- 'name': 'rechtWirtschaftSteuern',
- 'oid': (1, 3, 36, 8, 3, 11, 1)},
- (1, 3, 36, 8, 3, 11, 1, 1): {'comment': 'Teletrust ProfessionInfo',
- 'description': 'rechtsanwaeltin (1 3 36 8 3 11 1 1)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 01',
- 'name': 'rechtsanwaeltin',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 1)},
- (1, 3, 36, 8, 3, 11, 1, 2): {'comment': 'Teletrust ProfessionInfo',
- 'description': 'rechtsanwalt (1 3 36 8 3 11 1 2)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 02',
- 'name': 'rechtsanwalt',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 2)},
- (1, 3, 36, 8, 3, 11, 1, 3): {'comment': 'Teletrust ProfessionInfo',
- 'description': 'rechtsBeistand (1 3 36 8 3 11 1 3)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 03',
- 'name': 'rechtsBeistand',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 3)},
- (1, 3, 36, 8, 3, 11, 1, 4): {'comment': 'Teletrust ProfessionInfo',
- 'description': 'steuerBeraterin (1 3 36 8 3 11 1 4)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 04',
- 'name': 'steuerBeraterin',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 4)},
- (1, 3, 36, 8, 3, 11, 1, 5): {'comment': 'Teletrust ProfessionInfo',
- 'description': 'steuerBerater (1 3 36 8 3 11 1 5)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 05',
- 'name': 'steuerBerater',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 5)},
- (1, 3, 36, 8, 3, 11, 1, 6): {'comment': 'Teletrust ProfessionInfo',
- 'description': 'steuerBevollmaechtigte (1 3 36 8 3 11 1 6)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 06',
- 'name': 'steuerBevollmaechtigte',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 6)},
- (1, 3, 36, 8, 3, 11, 1, 7): {'comment': 'Teletrust ProfessionInfo',
- 'description': 'steuerBevollmaechtigter (1 3 36 8 3 11 1 7)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 07',
- 'name': 'steuerBevollmaechtigter',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 7)},
- (1, 3, 36, 8, 3, 11, 1, 8): {'comment': 'Teletrust ProfessionInfo',
- 'description': 'notarin (1 3 36 8 3 11 1 8)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 08',
- 'name': 'notarin',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 8)},
- (1, 3, 36, 8, 3, 11, 1, 9): {'comment': 'Teletrust ProfessionInfo',
- 'description': 'notar (1 3 36 8 3 11 1 9)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 09',
- 'name': 'notar',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 9)},
- (1, 3, 36, 8, 3, 11, 1, 10): {'comment': 'Teletrust ProfessionInfo',
- 'description': 'notarVertreterin (1 3 36 8 3 11 1 10)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 0A',
- 'name': 'notarVertreterin',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 10)},
- (1, 3, 36, 8, 3, 11, 1, 11): {'comment': 'Teletrust ProfessionInfo',
- 'description': 'notarVertreter (1 3 36 8 3 11 1 11)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 0B',
- 'name': 'notarVertreter',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 11)},
- (1, 3, 36, 8, 3, 11, 1, 12): {'comment': 'Teletrust ProfessionInfo',
- 'description': 'notariatsVerwalterin (1 3 36 8 3 11 1 12)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 0C',
- 'name': 'notariatsVerwalterin',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 12)},
- (1, 3, 36, 8, 3, 11, 1, 13): {'comment': 'Teletrust ProfessionInfo',
- 'description': 'notariatsVerwalter (1 3 36 8 3 11 1 13)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 0D',
- 'name': 'notariatsVerwalter',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 13)},
- (1, 3, 36, 8, 3, 11, 1, 14): {'comment': 'Teletrust ProfessionInfo',
- 'description': 'wirtschaftsPrueferin (1 3 36 8 3 11 1 14)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 0E',
- 'name': 'wirtschaftsPrueferin',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 14)},
- (1, 3, 36, 8, 3, 11, 1, 15): {'comment': 'Teletrust ProfessionInfo',
- 'description': 'wirtschaftsPruefer (1 3 36 8 3 11 1 15)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 0F',
- 'name': 'wirtschaftsPruefer',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 15)},
- (1, 3, 36, 8, 3, 11, 1, 16): {'comment': 'Teletrust ProfessionInfo',
- 'description': 'vereidigteBuchprueferin (1 3 36 8 3 11 1 16)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 10',
- 'name': 'vereidigteBuchprueferin',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 16)},
- (1, 3, 36, 8, 3, 11, 1, 17): {'comment': 'Teletrust ProfessionInfo',
- 'description': 'vereidigterBuchpruefer (1 3 36 8 3 11 1 17)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 11',
- 'name': 'vereidigterBuchpruefer',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 17)},
- (1, 3, 36, 8, 3, 11, 1, 18): {'comment': 'Teletrust ProfessionInfo',
- 'description': 'patentAnwaeltin (1 3 36 8 3 11 1 18)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 12',
- 'name': 'patentAnwaeltin',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 18)},
- (1, 3, 36, 8, 3, 11, 1, 19): {'comment': 'Teletrust ProfessionInfo',
- 'description': 'patentAnwalt (1 3 36 8 3 11 1 19)',
- 'hexoid': '06 07 2B 24 08 03 0B 01 13',
- 'name': 'patentAnwalt',
- 'oid': (1, 3, 36, 8, 3, 11, 1, 19)},
- (1, 3, 36, 8, 3, 13): {'comment': 'Teletrust OCSP attribute',
- 'description': 'certHash (1 3 36 8 3 13)',
- 'hexoid': '06 05 2B 24 08 03 0D',
- 'name': 'certHash',
- 'oid': (1, 3, 36, 8, 3, 13)},
- (1, 3, 36, 8, 3, 14): {'comment': 'Teletrust attribute',
- 'description': 'nameAtBirth (1 3 36 8 3 14)',
- 'hexoid': '06 05 2B 24 08 03 0E',
- 'name': 'nameAtBirth',
- 'oid': (1, 3, 36, 8, 3, 14)},
- (1, 3, 36, 8, 3, 15): {'comment': 'Teletrust attribute',
- 'description': 'additionalInformation (1 3 36 8 3 15)',
- 'hexoid': '06 05 2B 24 08 03 0F',
- 'name': 'additionalInformation',
- 'oid': (1, 3, 36, 8, 3, 15)},
- (1, 3, 36, 8, 4, 1): {'comment': 'Teletrust OtherName attribute',
- 'description': 'personalData (1 3 36 8 4 1)',
- 'hexoid': '06 05 2B 24 08 04 01',
- 'name': 'personalData',
- 'oid': (1, 3, 36, 8, 4, 1)},
- (1, 3, 36, 8, 4, 8): {'comment': 'Teletrust attribute certificate attribute',
- 'description': 'restriction (1 3 36 8 4 8)',
- 'hexoid': '06 05 2B 24 08 04 08',
- 'name': 'restriction',
- 'oid': (1, 3, 36, 8, 4, 8)},
- (1, 3, 36, 8, 5, 1, 1, 1): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaIndicateSHA1 (1 3 36 8 5 1 1 1)',
- 'hexoid': '06 07 2B 24 08 05 01 01 01',
- 'name': 'rsaIndicateSHA1',
- 'oid': (1, 3, 36, 8, 5, 1, 1, 1)},
- (1, 3, 36, 8, 5, 1, 1, 2): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaIndicateRIPEMD160 (1 3 36 8 5 1 1 2)',
- 'hexoid': '06 07 2B 24 08 05 01 01 02',
- 'name': 'rsaIndicateRIPEMD160',
- 'oid': (1, 3, 36, 8, 5, 1, 1, 2)},
- (1, 3, 36, 8, 5, 1, 1, 3): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaWithSHA1 (1 3 36 8 5 1 1 3)',
- 'hexoid': '06 07 2B 24 08 05 01 01 03',
- 'name': 'rsaWithSHA1',
- 'oid': (1, 3, 36, 8, 5, 1, 1, 3)},
- (1, 3, 36, 8, 5, 1, 1, 4): {'comment': 'Teletrust signature algorithm',
- 'description': 'rsaWithRIPEMD160 (1 3 36 8 5 1 1 4)',
- 'hexoid': '06 07 2B 24 08 05 01 01 04',
- 'name': 'rsaWithRIPEMD160',
- 'oid': (1, 3, 36, 8, 5, 1, 1, 4)},
- (1, 3, 36, 8, 5, 1, 2, 1): {'comment': 'Teletrust signature algorithm',
- 'description': 'dsaExtended (1 3 36 8 5 1 2 1)',
- 'hexoid': '06 07 2B 24 08 05 01 02 01',
- 'name': 'dsaExtended',
- 'oid': (1, 3, 36, 8, 5, 1, 2, 1)},
- (1, 3, 36, 8, 5, 1, 2, 2): {'comment': 'Teletrust signature algorithm',
- 'description': 'dsaWithRIPEMD160 (1 3 36 8 5 1 2 2)',
- 'hexoid': '06 07 2B 24 08 05 01 02 02',
- 'name': 'dsaWithRIPEMD160',
- 'oid': (1, 3, 36, 8, 5, 1, 2, 2)},
- (1, 3, 36, 8, 6, 1): {'comment': 'Teletrust signature attributes',
- 'description': 'cert (1 3 36 8 6 1)',
- 'hexoid': '06 05 2B 24 08 06 01',
- 'name': 'cert',
- 'oid': (1, 3, 36, 8, 6, 1)},
- (1, 3, 36, 8, 6, 2): {'comment': 'Teletrust signature attributes',
- 'description': 'certRef (1 3 36 8 6 2)',
- 'hexoid': '06 05 2B 24 08 06 02',
- 'name': 'certRef',
- 'oid': (1, 3, 36, 8, 6, 2)},
- (1, 3, 36, 8, 6, 3): {'comment': 'Teletrust signature attributes',
- 'description': 'attrCert (1 3 36 8 6 3)',
- 'hexoid': '06 05 2B 24 08 06 03',
- 'name': 'attrCert',
- 'oid': (1, 3, 36, 8, 6, 3)},
- (1, 3, 36, 8, 6, 4): {'comment': 'Teletrust signature attributes',
- 'description': 'attrRef (1 3 36 8 6 4)',
- 'hexoid': '06 05 2B 24 08 06 04',
- 'name': 'attrRef',
- 'oid': (1, 3, 36, 8, 6, 4)},
- (1, 3, 36, 8, 6, 5): {'comment': 'Teletrust signature attributes',
- 'description': 'fileName (1 3 36 8 6 5)',
- 'hexoid': '06 05 2B 24 08 06 05',
- 'name': 'fileName',
- 'oid': (1, 3, 36, 8, 6, 5)},
- (1, 3, 36, 8, 6, 6): {'comment': 'Teletrust signature attributes',
- 'description': 'storageTime (1 3 36 8 6 6)',
- 'hexoid': '06 05 2B 24 08 06 06',
- 'name': 'storageTime',
- 'oid': (1, 3, 36, 8, 6, 6)},
- (1, 3, 36, 8, 6, 7): {'comment': 'Teletrust signature attributes',
- 'description': 'fileSize (1 3 36 8 6 7)',
- 'hexoid': '06 05 2B 24 08 06 07',
- 'name': 'fileSize',
- 'oid': (1, 3, 36, 8, 6, 7)},
- (1, 3, 36, 8, 6, 8): {'comment': 'Teletrust signature attributes',
- 'description': 'location (1 3 36 8 6 8)',
- 'hexoid': '06 05 2B 24 08 06 08',
- 'name': 'location',
- 'oid': (1, 3, 36, 8, 6, 8)},
- (1, 3, 36, 8, 6, 9): {'comment': 'Teletrust signature attributes',
- 'description': 'sigNumber (1 3 36 8 6 9)',
- 'hexoid': '06 05 2B 24 08 06 09',
- 'name': 'sigNumber',
- 'oid': (1, 3, 36, 8, 6, 9)},
- (1, 3, 36, 8, 6, 10): {'comment': 'Teletrust signature attributes',
- 'description': 'autoGen (1 3 36 8 6 10)',
- 'hexoid': '06 05 2B 24 08 06 0A',
- 'name': 'autoGen',
- 'oid': (1, 3, 36, 8, 6, 10)},
- (1, 3, 36, 8, 7, 1, 1): {'comment': 'Teletrust presentation types',
- 'description': 'ptAdobeILL (1 3 36 8 7 1 1)',
- 'hexoid': '06 06 2B 24 08 07 01 01',
- 'name': 'ptAdobeILL',
- 'oid': (1, 3, 36, 8, 7, 1, 1)},
- (1, 3, 36, 8, 7, 1, 2): {'comment': 'Teletrust presentation types',
- 'description': 'ptAmiPro (1 3 36 8 7 1 2)',
- 'hexoid': '06 06 2B 24 08 07 01 02',
- 'name': 'ptAmiPro',
- 'oid': (1, 3, 36, 8, 7, 1, 2)},
- (1, 3, 36, 8, 7, 1, 3): {'comment': 'Teletrust presentation types',
- 'description': 'ptAutoCAD (1 3 36 8 7 1 3)',
- 'hexoid': '06 06 2B 24 08 07 01 03',
- 'name': 'ptAutoCAD',
- 'oid': (1, 3, 36, 8, 7, 1, 3)},
- (1, 3, 36, 8, 7, 1, 4): {'comment': 'Teletrust presentation types',
- 'description': 'ptBinary (1 3 36 8 7 1 4)',
- 'hexoid': '06 06 2B 24 08 07 01 04',
- 'name': 'ptBinary',
- 'oid': (1, 3, 36, 8, 7, 1, 4)},
- (1, 3, 36, 8, 7, 1, 5): {'comment': 'Teletrust presentation types',
- 'description': 'ptBMP (1 3 36 8 7 1 5)',
- 'hexoid': '06 06 2B 24 08 07 01 05',
- 'name': 'ptBMP',
- 'oid': (1, 3, 36, 8, 7, 1, 5)},
- (1, 3, 36, 8, 7, 1, 6): {'comment': 'Teletrust presentation types',
- 'description': 'ptCGM (1 3 36 8 7 1 6)',
- 'hexoid': '06 06 2B 24 08 07 01 06',
- 'name': 'ptCGM',
- 'oid': (1, 3, 36, 8, 7, 1, 6)},
- (1, 3, 36, 8, 7, 1, 7): {'comment': 'Teletrust presentation types',
- 'description': 'ptCorelCRT (1 3 36 8 7 1 7)',
- 'hexoid': '06 06 2B 24 08 07 01 07',
- 'name': 'ptCorelCRT',
- 'oid': (1, 3, 36, 8, 7, 1, 7)},
- (1, 3, 36, 8, 7, 1, 8): {'comment': 'Teletrust presentation types',
- 'description': 'ptCorelDRW (1 3 36 8 7 1 8)',
- 'hexoid': '06 06 2B 24 08 07 01 08',
- 'name': 'ptCorelDRW',
- 'oid': (1, 3, 36, 8, 7, 1, 8)},
- (1, 3, 36, 8, 7, 1, 9): {'comment': 'Teletrust presentation types',
- 'description': 'ptCorelEXC (1 3 36 8 7 1 9)',
- 'hexoid': '06 06 2B 24 08 07 01 09',
- 'name': 'ptCorelEXC',
- 'oid': (1, 3, 36, 8, 7, 1, 9)},
- (1, 3, 36, 8, 7, 1, 10): {'comment': 'Teletrust presentation types',
- 'description': 'ptCorelPHT (1 3 36 8 7 1 10)',
- 'hexoid': '06 06 2B 24 08 07 01 0A',
- 'name': 'ptCorelPHT',
- 'oid': (1, 3, 36, 8, 7, 1, 10)},
- (1, 3, 36, 8, 7, 1, 11): {'comment': 'Teletrust presentation types',
- 'description': 'ptDraw (1 3 36 8 7 1 11)',
- 'hexoid': '06 06 2B 24 08 07 01 0B',
- 'name': 'ptDraw',
- 'oid': (1, 3, 36, 8, 7, 1, 11)},
- (1, 3, 36, 8, 7, 1, 12): {'comment': 'Teletrust presentation types',
- 'description': 'ptDVI (1 3 36 8 7 1 12)',
- 'hexoid': '06 06 2B 24 08 07 01 0C',
- 'name': 'ptDVI',
- 'oid': (1, 3, 36, 8, 7, 1, 12)},
- (1, 3, 36, 8, 7, 1, 13): {'comment': 'Teletrust presentation types',
- 'description': 'ptEPS (1 3 36 8 7 1 13)',
- 'hexoid': '06 06 2B 24 08 07 01 0D',
- 'name': 'ptEPS',
- 'oid': (1, 3, 36, 8, 7, 1, 13)},
- (1, 3, 36, 8, 7, 1, 14): {'comment': 'Teletrust presentation types',
- 'description': 'ptExcel (1 3 36 8 7 1 14)',
- 'hexoid': '06 06 2B 24 08 07 01 0E',
- 'name': 'ptExcel',
- 'oid': (1, 3, 36, 8, 7, 1, 14)},
- (1, 3, 36, 8, 7, 1, 15): {'comment': 'Teletrust presentation types',
- 'description': 'ptGEM (1 3 36 8 7 1 15)',
- 'hexoid': '06 06 2B 24 08 07 01 0F',
- 'name': 'ptGEM',
- 'oid': (1, 3, 36, 8, 7, 1, 15)},
- (1, 3, 36, 8, 7, 1, 16): {'comment': 'Teletrust presentation types',
- 'description': 'ptGIF (1 3 36 8 7 1 16)',
- 'hexoid': '06 06 2B 24 08 07 01 10',
- 'name': 'ptGIF',
- 'oid': (1, 3, 36, 8, 7, 1, 16)},
- (1, 3, 36, 8, 7, 1, 17): {'comment': 'Teletrust presentation types',
- 'description': 'ptHPGL (1 3 36 8 7 1 17)',
- 'hexoid': '06 06 2B 24 08 07 01 11',
- 'name': 'ptHPGL',
- 'oid': (1, 3, 36, 8, 7, 1, 17)},
- (1, 3, 36, 8, 7, 1, 18): {'comment': 'Teletrust presentation types',
- 'description': 'ptJPEG (1 3 36 8 7 1 18)',
- 'hexoid': '06 06 2B 24 08 07 01 12',
- 'name': 'ptJPEG',
- 'oid': (1, 3, 36, 8, 7, 1, 18)},
- (1, 3, 36, 8, 7, 1, 19): {'comment': 'Teletrust presentation types',
- 'description': 'ptKodak (1 3 36 8 7 1 19)',
- 'hexoid': '06 06 2B 24 08 07 01 13',
- 'name': 'ptKodak',
- 'oid': (1, 3, 36, 8, 7, 1, 19)},
- (1, 3, 36, 8, 7, 1, 20): {'comment': 'Teletrust presentation types',
- 'description': 'ptLaTeX (1 3 36 8 7 1 20)',
- 'hexoid': '06 06 2B 24 08 07 01 14',
- 'name': 'ptLaTeX',
- 'oid': (1, 3, 36, 8, 7, 1, 20)},
- (1, 3, 36, 8, 7, 1, 21): {'comment': 'Teletrust presentation types',
- 'description': 'ptLotus (1 3 36 8 7 1 21)',
- 'hexoid': '06 06 2B 24 08 07 01 15',
- 'name': 'ptLotus',
- 'oid': (1, 3, 36, 8, 7, 1, 21)},
- (1, 3, 36, 8, 7, 1, 22): {'comment': 'Teletrust presentation types',
- 'description': 'ptLotusPIC (1 3 36 8 7 1 22)',
- 'hexoid': '06 06 2B 24 08 07 01 16',
- 'name': 'ptLotusPIC',
- 'oid': (1, 3, 36, 8, 7, 1, 22)},
- (1, 3, 36, 8, 7, 1, 23): {'comment': 'Teletrust presentation types',
- 'description': 'ptMacPICT (1 3 36 8 7 1 23)',
- 'hexoid': '06 06 2B 24 08 07 01 17',
- 'name': 'ptMacPICT',
- 'oid': (1, 3, 36, 8, 7, 1, 23)},
- (1, 3, 36, 8, 7, 1, 24): {'comment': 'Teletrust presentation types',
- 'description': 'ptMacWord (1 3 36 8 7 1 24)',
- 'hexoid': '06 06 2B 24 08 07 01 18',
- 'name': 'ptMacWord',
- 'oid': (1, 3, 36, 8, 7, 1, 24)},
- (1, 3, 36, 8, 7, 1, 25): {'comment': 'Teletrust presentation types',
- 'description': 'ptMSWfD (1 3 36 8 7 1 25)',
- 'hexoid': '06 06 2B 24 08 07 01 19',
- 'name': 'ptMSWfD',
- 'oid': (1, 3, 36, 8, 7, 1, 25)},
- (1, 3, 36, 8, 7, 1, 26): {'comment': 'Teletrust presentation types',
- 'description': 'ptMSWord (1 3 36 8 7 1 26)',
- 'hexoid': '06 06 2B 24 08 07 01 1A',
- 'name': 'ptMSWord',
- 'oid': (1, 3, 36, 8, 7, 1, 26)},
- (1, 3, 36, 8, 7, 1, 27): {'comment': 'Teletrust presentation types',
- 'description': 'ptMSWord2 (1 3 36 8 7 1 27)',
- 'hexoid': '06 06 2B 24 08 07 01 1B',
- 'name': 'ptMSWord2',
- 'oid': (1, 3, 36, 8, 7, 1, 27)},
- (1, 3, 36, 8, 7, 1, 28): {'comment': 'Teletrust presentation types',
- 'description': 'ptMSWord6 (1 3 36 8 7 1 28)',
- 'hexoid': '06 06 2B 24 08 07 01 1C',
- 'name': 'ptMSWord6',
- 'oid': (1, 3, 36, 8, 7, 1, 28)},
- (1, 3, 36, 8, 7, 1, 29): {'comment': 'Teletrust presentation types',
- 'description': 'ptMSWord8 (1 3 36 8 7 1 29)',
- 'hexoid': '06 06 2B 24 08 07 01 1D',
- 'name': 'ptMSWord8',
- 'oid': (1, 3, 36, 8, 7, 1, 29)},
- (1, 3, 36, 8, 7, 1, 30): {'comment': 'Teletrust presentation types',
- 'description': 'ptPDF (1 3 36 8 7 1 30)',
- 'hexoid': '06 06 2B 24 08 07 01 1E',
- 'name': 'ptPDF',
- 'oid': (1, 3, 36, 8, 7, 1, 30)},
- (1, 3, 36, 8, 7, 1, 31): {'comment': 'Teletrust presentation types',
- 'description': 'ptPIF (1 3 36 8 7 1 31)',
- 'hexoid': '06 06 2B 24 08 07 01 1F',
- 'name': 'ptPIF',
- 'oid': (1, 3, 36, 8, 7, 1, 31)},
- (1, 3, 36, 8, 7, 1, 32): {'comment': 'Teletrust presentation types',
- 'description': 'ptPostscript (1 3 36 8 7 1 32)',
- 'hexoid': '06 06 2B 24 08 07 01 20',
- 'name': 'ptPostscript',
- 'oid': (1, 3, 36, 8, 7, 1, 32)},
- (1, 3, 36, 8, 7, 1, 33): {'comment': 'Teletrust presentation types',
- 'description': 'ptRTF (1 3 36 8 7 1 33)',
- 'hexoid': '06 06 2B 24 08 07 01 21',
- 'name': 'ptRTF',
- 'oid': (1, 3, 36, 8, 7, 1, 33)},
- (1, 3, 36, 8, 7, 1, 34): {'comment': 'Teletrust presentation types',
- 'description': 'ptSCITEX (1 3 36 8 7 1 34)',
- 'hexoid': '06 06 2B 24 08 07 01 22',
- 'name': 'ptSCITEX',
- 'oid': (1, 3, 36, 8, 7, 1, 34)},
- (1, 3, 36, 8, 7, 1, 35): {'comment': 'Teletrust presentation types',
- 'description': 'ptTAR (1 3 36 8 7 1 35)',
- 'hexoid': '06 06 2B 24 08 07 01 23',
- 'name': 'ptTAR',
- 'oid': (1, 3, 36, 8, 7, 1, 35)},
- (1, 3, 36, 8, 7, 1, 36): {'comment': 'Teletrust presentation types',
- 'description': 'ptTarga (1 3 36 8 7 1 36)',
- 'hexoid': '06 06 2B 24 08 07 01 24',
- 'name': 'ptTarga',
- 'oid': (1, 3, 36, 8, 7, 1, 36)},
- (1, 3, 36, 8, 7, 1, 37): {'comment': 'Teletrust presentation types',
- 'description': 'ptTeX (1 3 36 8 7 1 37)',
- 'hexoid': '06 06 2B 24 08 07 01 25',
- 'name': 'ptTeX',
- 'oid': (1, 3, 36, 8, 7, 1, 37)},
- (1, 3, 36, 8, 7, 1, 38): {'comment': 'Teletrust presentation types',
- 'description': 'ptText (1 3 36 8 7 1 38)',
- 'hexoid': '06 06 2B 24 08 07 01 26',
- 'name': 'ptText',
- 'oid': (1, 3, 36, 8, 7, 1, 38)},
- (1, 3, 36, 8, 7, 1, 39): {'comment': 'Teletrust presentation types',
- 'description': 'ptTIFF (1 3 36 8 7 1 39)',
- 'hexoid': '06 06 2B 24 08 07 01 27',
- 'name': 'ptTIFF',
- 'oid': (1, 3, 36, 8, 7, 1, 39)},
- (1, 3, 36, 8, 7, 1, 40): {'comment': 'Teletrust presentation types',
- 'description': 'ptTIFF-FC (1 3 36 8 7 1 40)',
- 'hexoid': '06 06 2B 24 08 07 01 28',
- 'name': 'ptTIFF-FC',
- 'oid': (1, 3, 36, 8, 7, 1, 40)},
- (1, 3, 36, 8, 7, 1, 41): {'comment': 'Teletrust presentation types',
- 'description': 'ptUID (1 3 36 8 7 1 41)',
- 'hexoid': '06 06 2B 24 08 07 01 29',
- 'name': 'ptUID',
- 'oid': (1, 3, 36, 8, 7, 1, 41)},
- (1, 3, 36, 8, 7, 1, 42): {'comment': 'Teletrust presentation types',
- 'description': 'ptUUEncode (1 3 36 8 7 1 42)',
- 'hexoid': '06 06 2B 24 08 07 01 2A',
- 'name': 'ptUUEncode',
- 'oid': (1, 3, 36, 8, 7, 1, 42)},
- (1, 3, 36, 8, 7, 1, 43): {'comment': 'Teletrust presentation types',
- 'description': 'ptWMF (1 3 36 8 7 1 43)',
- 'hexoid': '06 06 2B 24 08 07 01 2B',
- 'name': 'ptWMF',
- 'oid': (1, 3, 36, 8, 7, 1, 43)},
- (1, 3, 36, 8, 7, 1, 44): {'comment': 'Teletrust presentation types',
- 'description': 'ptWordPerfect (1 3 36 8 7 1 44)',
- 'hexoid': '06 06 2B 24 08 07 01 2C',
- 'name': 'ptWordPerfect',
- 'oid': (1, 3, 36, 8, 7, 1, 44)},
- (1, 3, 36, 8, 7, 1, 45): {'comment': 'Teletrust presentation types',
- 'description': 'ptWPGrph (1 3 36 8 7 1 45)',
- 'hexoid': '06 06 2B 24 08 07 01 2D',
- 'name': 'ptWPGrph',
- 'oid': (1, 3, 36, 8, 7, 1, 45)},
- (1, 3, 101, 1, 4): {'comment': 'Thawte',
- 'description': 'thawte-ce (1 3 101 1 4)',
- 'hexoid': '06 04 2B 65 01 04',
- 'name': 'thawte-ce',
- 'oid': (1, 3, 101, 1, 4)},
- (1, 3, 101, 1, 4, 1): {'comment': 'Thawte certificate extension',
- 'description': 'strongExtranet (1 3 101 1 4 1)',
- 'hexoid': '06 05 2B 65 01 04 01',
- 'name': 'strongExtranet',
- 'oid': (1, 3, 101, 1, 4, 1)},
- (1, 3, 132, 0, 1): {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect163k1 (1 3 132 0 1)',
- 'hexoid': '06 05 2B 81 04 00 01',
- 'name': 'sect163k1',
- 'oid': (1, 3, 132, 0, 1)},
- (1, 3, 132, 0, 2): {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect163r1 (1 3 132 0 2)',
- 'hexoid': '06 05 2B 81 04 00 02',
- 'name': 'sect163r1',
- 'oid': (1, 3, 132, 0, 2)},
- (1, 3, 132, 0, 3): {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect239k1 (1 3 132 0 3)',
- 'hexoid': '06 05 2B 81 04 00 03',
- 'name': 'sect239k1',
- 'oid': (1, 3, 132, 0, 3)},
- (1, 3, 132, 0, 4): {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect113r1 (1 3 132 0 4)',
- 'hexoid': '06 05 2B 81 04 00 04',
- 'name': 'sect113r1',
- 'oid': (1, 3, 132, 0, 4)},
- (1, 3, 132, 0, 5): {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect113r2 (1 3 132 0 5)',
- 'hexoid': '06 05 2B 81 04 00 05',
- 'name': 'sect113r2',
- 'oid': (1, 3, 132, 0, 5)},
- (1, 3, 132, 0, 6): {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'secp112r1 (1 3 132 0 6)',
- 'hexoid': '06 05 2B 81 04 00 06',
- 'name': 'secp112r1',
- 'oid': (1, 3, 132, 0, 6)},
- (1, 3, 132, 0, 7): {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'secp112r2 (1 3 132 0 7)',
- 'hexoid': '06 05 2B 81 04 00 07',
- 'name': 'secp112r2',
- 'oid': (1, 3, 132, 0, 7)},
- (1, 3, 132, 0, 8): {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'secp160r1 (1 3 132 0 8)',
- 'hexoid': '06 05 2B 81 04 00 08',
- 'name': 'secp160r1',
- 'oid': (1, 3, 132, 0, 8)},
- (1, 3, 132, 0, 9): {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'secp160k1 (1 3 132 0 9)',
- 'hexoid': '06 05 2B 81 04 00 09',
- 'name': 'secp160k1',
- 'oid': (1, 3, 132, 0, 9)},
- (1, 3, 132, 0, 10): {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'secp256k1 (1 3 132 0 10)',
- 'hexoid': '06 05 2B 81 04 00 0A',
- 'name': 'secp256k1',
- 'oid': (1, 3, 132, 0, 10)},
- (1, 3, 132, 0, 15): {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect163r2 (1 3 132 0 15)',
- 'hexoid': '06 05 2B 81 04 00 0F',
- 'name': 'sect163r2',
- 'oid': (1, 3, 132, 0, 15)},
- (1, 3, 132, 0, 16): {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect283k1 (1 3 132 0 16)',
- 'hexoid': '06 05 2B 81 04 00 10',
- 'name': 'sect283k1',
- 'oid': (1, 3, 132, 0, 16)},
- (1, 3, 132, 0, 17): {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect283r1 (1 3 132 0 17)',
- 'hexoid': '06 05 2B 81 04 00 11',
- 'name': 'sect283r1',
- 'oid': (1, 3, 132, 0, 17)},
- (1, 3, 132, 0, 22): {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect131r1 (1 3 132 0 22)',
- 'hexoid': '06 05 2B 81 04 00 16',
- 'name': 'sect131r1',
- 'oid': (1, 3, 132, 0, 22)},
- (1, 3, 132, 0, 23): {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect131r2 (1 3 132 0 23)',
- 'hexoid': '06 05 2B 81 04 00 17',
- 'name': 'sect131r2',
- 'oid': (1, 3, 132, 0, 23)},
- (1, 3, 132, 0, 24): {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect193r1 (1 3 132 0 24)',
- 'hexoid': '06 05 2B 81 04 00 18',
- 'name': 'sect193r1',
- 'oid': (1, 3, 132, 0, 24)},
- (1, 3, 132, 0, 25): {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect193r2 (1 3 132 0 25)',
- 'hexoid': '06 05 2B 81 04 00 19',
- 'name': 'sect193r2',
- 'oid': (1, 3, 132, 0, 25)},
- (1, 3, 132, 0, 26): {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect233k1 (1 3 132 0 26)',
- 'hexoid': '06 05 2B 81 04 00 1A',
- 'name': 'sect233k1',
- 'oid': (1, 3, 132, 0, 26)},
- (1, 3, 132, 0, 27): {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect233r1 (1 3 132 0 27)',
- 'hexoid': '06 05 2B 81 04 00 1B',
- 'name': 'sect233r1',
- 'oid': (1, 3, 132, 0, 27)},
- (1, 3, 132, 0, 28): {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'secp128r1 (1 3 132 0 28)',
- 'hexoid': '06 05 2B 81 04 00 1C',
- 'name': 'secp128r1',
- 'oid': (1, 3, 132, 0, 28)},
- (1, 3, 132, 0, 29): {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'secp128r2 (1 3 132 0 29)',
- 'hexoid': '06 05 2B 81 04 00 1D',
- 'name': 'secp128r2',
- 'oid': (1, 3, 132, 0, 29)},
- (1, 3, 132, 0, 30): {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'secp160r2 (1 3 132 0 30)',
- 'hexoid': '06 05 2B 81 04 00 1E',
- 'name': 'secp160r2',
- 'oid': (1, 3, 132, 0, 30)},
- (1, 3, 132, 0, 31): {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'secp192k1 (1 3 132 0 31)',
- 'hexoid': '06 05 2B 81 04 00 1F',
- 'name': 'secp192k1',
- 'oid': (1, 3, 132, 0, 31)},
- (1, 3, 132, 0, 32): {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'secp224k1 (1 3 132 0 32)',
- 'hexoid': '06 05 2B 81 04 00 20',
- 'name': 'secp224k1',
- 'oid': (1, 3, 132, 0, 32)},
- (1, 3, 132, 0, 33): {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'secp224r1 (1 3 132 0 33)',
- 'hexoid': '06 05 2B 81 04 00 21',
- 'name': 'secp224r1',
- 'oid': (1, 3, 132, 0, 33)},
- (1, 3, 132, 0, 34): {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'secp384r1 (1 3 132 0 34)',
- 'hexoid': '06 05 2B 81 04 00 22',
- 'name': 'secp384r1',
- 'oid': (1, 3, 132, 0, 34)},
- (1, 3, 132, 0, 35): {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'secp521r1 (1 3 132 0 35)',
- 'hexoid': '06 05 2B 81 04 00 23',
- 'name': 'secp521r1',
- 'oid': (1, 3, 132, 0, 35)},
- (1, 3, 132, 0, 36): {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect409k1 (1 3 132 0 36)',
- 'hexoid': '06 05 2B 81 04 00 24',
- 'name': 'sect409k1',
- 'oid': (1, 3, 132, 0, 36)},
- (1, 3, 132, 0, 37): {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect409r1 (1 3 132 0 37)',
- 'hexoid': '06 05 2B 81 04 00 25',
- 'name': 'sect409r1',
- 'oid': (1, 3, 132, 0, 37)},
- (1, 3, 132, 0, 38): {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect571k1 (1 3 132 0 38)',
- 'hexoid': '06 05 2B 81 04 00 26',
- 'name': 'sect571k1',
- 'oid': (1, 3, 132, 0, 38)},
- (1, 3, 132, 0, 39): {'comment': 'SECG (Certicom) named elliptic curve',
- 'description': 'sect571r1 (1 3 132 0 39)',
- 'hexoid': '06 05 2B 81 04 00 27',
- 'name': 'sect571r1',
- 'oid': (1, 3, 132, 0, 39)},
- (2, 5, 4, 0): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'objectClass (2 5 4 0)',
- 'hexoid': '06 03 55 04 00',
- 'name': 'objectClass',
- 'oid': (2, 5, 4, 0)},
- (2, 5, 4, 1): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'aliasedEntryName (2 5 4 1)',
- 'hexoid': '06 03 55 04 01',
- 'name': 'aliasedEntryName',
- 'oid': (2, 5, 4, 1)},
- (2, 5, 4, 2): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'knowledgeInformation (2 5 4 2)',
- 'hexoid': '06 03 55 04 02',
- 'name': 'knowledgeInformation',
- 'oid': (2, 5, 4, 2)},
- (2, 5, 4, 3): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'commonName (2 5 4 3)',
- 'hexoid': '06 03 55 04 03',
- 'name': 'commonName',
- 'oid': (2, 5, 4, 3)},
- (2, 5, 4, 4): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'surname (2 5 4 4)',
- 'hexoid': '06 03 55 04 04',
- 'name': 'surname',
- 'oid': (2, 5, 4, 4)},
- (2, 5, 4, 5): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'serialNumber (2 5 4 5)',
- 'hexoid': '06 03 55 04 05',
- 'name': 'serialNumber',
- 'oid': (2, 5, 4, 5)},
- (2, 5, 4, 6): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'countryName (2 5 4 6)',
- 'hexoid': '06 03 55 04 06',
- 'name': 'countryName',
- 'oid': (2, 5, 4, 6)},
- (2, 5, 4, 7): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'localityName (2 5 4 7)',
- 'hexoid': '06 03 55 04 07',
- 'name': 'localityName',
- 'oid': (2, 5, 4, 7)},
- (2, 5, 4, 7, 1): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'collectiveLocalityName (2 5 4 7 1)',
- 'hexoid': '06 04 55 04 07 01',
- 'name': 'collectiveLocalityName',
- 'oid': (2, 5, 4, 7, 1)},
- (2, 5, 4, 8): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'stateOrProvinceName (2 5 4 8)',
- 'hexoid': '06 03 55 04 08',
- 'name': 'stateOrProvinceName',
- 'oid': (2, 5, 4, 8)},
- (2, 5, 4, 8, 1): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'collectiveStateOrProvinceName (2 5 4 8 1)',
- 'hexoid': '06 04 55 04 08 01',
- 'name': 'collectiveStateOrProvinceName',
- 'oid': (2, 5, 4, 8, 1)},
- (2, 5, 4, 9): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'streetAddress (2 5 4 9)',
- 'hexoid': '06 03 55 04 09',
- 'name': 'streetAddress',
- 'oid': (2, 5, 4, 9)},
- (2, 5, 4, 9, 1): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'collectiveStreetAddress (2 5 4 9 1)',
- 'hexoid': '06 04 55 04 09 01',
- 'name': 'collectiveStreetAddress',
- 'oid': (2, 5, 4, 9, 1)},
- (2, 5, 4, 10): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'organizationName (2 5 4 10)',
- 'hexoid': '06 03 55 04 0A',
- 'name': 'organizationName',
- 'oid': (2, 5, 4, 10)},
- (2, 5, 4, 10, 1): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'collectiveOrganizationName (2 5 4 10 1)',
- 'hexoid': '06 04 55 04 0A 01',
- 'name': 'collectiveOrganizationName',
- 'oid': (2, 5, 4, 10, 1)},
- (2, 5, 4, 11): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'organizationalUnitName (2 5 4 11)',
- 'hexoid': '06 03 55 04 0B',
- 'name': 'organizationalUnitName',
- 'oid': (2, 5, 4, 11)},
- (2, 5, 4, 11, 1): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'collectiveOrganizationalUnitName (2 5 4 11 1)',
- 'hexoid': '06 04 55 04 0B 01',
- 'name': 'collectiveOrganizationalUnitName',
- 'oid': (2, 5, 4, 11, 1)},
- (2, 5, 4, 12): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'title (2 5 4 12)',
- 'hexoid': '06 03 55 04 0C',
- 'name': 'title',
- 'oid': (2, 5, 4, 12)},
- (2, 5, 4, 13): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'description (2 5 4 13)',
- 'hexoid': '06 03 55 04 0D',
- 'name': 'description',
- 'oid': (2, 5, 4, 13)},
- (2, 5, 4, 14): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'searchGuide (2 5 4 14)',
- 'hexoid': '06 03 55 04 0E',
- 'name': 'searchGuide',
- 'oid': (2, 5, 4, 14)},
- (2, 5, 4, 15): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'businessCategory (2 5 4 15)',
- 'hexoid': '06 03 55 04 0F',
- 'name': 'businessCategory',
- 'oid': (2, 5, 4, 15)},
- (2, 5, 4, 16): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'postalAddress (2 5 4 16)',
- 'hexoid': '06 03 55 04 10',
- 'name': 'postalAddress',
- 'oid': (2, 5, 4, 16)},
- (2, 5, 4, 16, 1): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'collectivePostalAddress (2 5 4 16 1)',
- 'hexoid': '06 04 55 04 10 01',
- 'name': 'collectivePostalAddress',
- 'oid': (2, 5, 4, 16, 1)},
- (2, 5, 4, 17): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'postalCode (2 5 4 17)',
- 'hexoid': '06 03 55 04 11',
- 'name': 'postalCode',
- 'oid': (2, 5, 4, 17)},
- (2, 5, 4, 17, 1): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'collectivePostalCode (2 5 4 17 1)',
- 'hexoid': '06 04 55 04 11 01',
- 'name': 'collectivePostalCode',
- 'oid': (2, 5, 4, 17, 1)},
- (2, 5, 4, 18): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'postOfficeBox (2 5 4 18)',
- 'hexoid': '06 03 55 04 12',
- 'name': 'postOfficeBox',
- 'oid': (2, 5, 4, 18)},
- (2, 5, 4, 18, 1): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'collectivePostOfficeBox (2 5 4 18 1)',
- 'hexoid': '06 04 55 04 12 01',
- 'name': 'collectivePostOfficeBox',
- 'oid': (2, 5, 4, 18, 1)},
- (2, 5, 4, 19): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'physicalDeliveryOfficeName (2 5 4 19)',
- 'hexoid': '06 03 55 04 13',
- 'name': 'physicalDeliveryOfficeName',
- 'oid': (2, 5, 4, 19)},
- (2, 5, 4, 19, 1): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'collectivePhysicalDeliveryOfficeName (2 5 4 19 1)',
- 'hexoid': '06 04 55 04 13 01',
- 'name': 'collectivePhysicalDeliveryOfficeName',
- 'oid': (2, 5, 4, 19, 1)},
- (2, 5, 4, 20): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'telephoneNumber (2 5 4 20)',
- 'hexoid': '06 03 55 04 14',
- 'name': 'telephoneNumber',
- 'oid': (2, 5, 4, 20)},
- (2, 5, 4, 20, 1): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'collectiveTelephoneNumber (2 5 4 20 1)',
- 'hexoid': '06 04 55 04 14 01',
- 'name': 'collectiveTelephoneNumber',
- 'oid': (2, 5, 4, 20, 1)},
- (2, 5, 4, 21): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'telexNumber (2 5 4 21)',
- 'hexoid': '06 03 55 04 15',
- 'name': 'telexNumber',
- 'oid': (2, 5, 4, 21)},
- (2, 5, 4, 21, 1): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'collectiveTelexNumber (2 5 4 21 1)',
- 'hexoid': '06 04 55 04 15 01',
- 'name': 'collectiveTelexNumber',
- 'oid': (2, 5, 4, 21, 1)},
- (2, 5, 4, 22): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'teletexTerminalIdentifier (2 5 4 22)',
- 'hexoid': '06 03 55 04 16',
- 'name': 'teletexTerminalIdentifier',
- 'oid': (2, 5, 4, 22)},
- (2, 5, 4, 22, 1): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'collectiveTeletexTerminalIdentifier (2 5 4 22 1)',
- 'hexoid': '06 04 55 04 16 01',
- 'name': 'collectiveTeletexTerminalIdentifier',
- 'oid': (2, 5, 4, 22, 1)},
- (2, 5, 4, 23): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'facsimileTelephoneNumber (2 5 4 23)',
- 'hexoid': '06 03 55 04 17',
- 'name': 'facsimileTelephoneNumber',
- 'oid': (2, 5, 4, 23)},
- (2, 5, 4, 23, 1): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'collectiveFacsimileTelephoneNumber (2 5 4 23 1)',
- 'hexoid': '06 04 55 04 17 01',
- 'name': 'collectiveFacsimileTelephoneNumber',
- 'oid': (2, 5, 4, 23, 1)},
- (2, 5, 4, 24): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'x121Address (2 5 4 24)',
- 'hexoid': '06 03 55 04 18',
- 'name': 'x121Address',
- 'oid': (2, 5, 4, 24)},
- (2, 5, 4, 25): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'internationalISDNNumber (2 5 4 25)',
- 'hexoid': '06 03 55 04 19',
- 'name': 'internationalISDNNumber',
- 'oid': (2, 5, 4, 25)},
- (2, 5, 4, 25, 1): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'collectiveInternationalISDNNumber (2 5 4 25 1)',
- 'hexoid': '06 04 55 04 19 01',
- 'name': 'collectiveInternationalISDNNumber',
- 'oid': (2, 5, 4, 25, 1)},
- (2, 5, 4, 26): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'registeredAddress (2 5 4 26)',
- 'hexoid': '06 03 55 04 1A',
- 'name': 'registeredAddress',
- 'oid': (2, 5, 4, 26)},
- (2, 5, 4, 27): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'destinationIndicator (2 5 4 27)',
- 'hexoid': '06 03 55 04 1B',
- 'name': 'destinationIndicator',
- 'oid': (2, 5, 4, 27)},
- (2, 5, 4, 28): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'preferredDeliveryMehtod (2 5 4 28)',
- 'hexoid': '06 03 55 04 1C',
- 'name': 'preferredDeliveryMehtod',
- 'oid': (2, 5, 4, 28)},
- (2, 5, 4, 29): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'presentationAddress (2 5 4 29)',
- 'hexoid': '06 03 55 04 1D',
- 'name': 'presentationAddress',
- 'oid': (2, 5, 4, 29)},
- (2, 5, 4, 30): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'supportedApplicationContext (2 5 4 30)',
- 'hexoid': '06 03 55 04 1E',
- 'name': 'supportedApplicationContext',
- 'oid': (2, 5, 4, 30)},
- (2, 5, 4, 31): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'member (2 5 4 31)',
- 'hexoid': '06 03 55 04 1F',
- 'name': 'member',
- 'oid': (2, 5, 4, 31)},
- (2, 5, 4, 32): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'owner (2 5 4 32)',
- 'hexoid': '06 03 55 04 20',
- 'name': 'owner',
- 'oid': (2, 5, 4, 32)},
- (2, 5, 4, 33): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'roleOccupant (2 5 4 33)',
- 'hexoid': '06 03 55 04 21',
- 'name': 'roleOccupant',
- 'oid': (2, 5, 4, 33)},
- (2, 5, 4, 34): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'seeAlso (2 5 4 34)',
- 'hexoid': '06 03 55 04 22',
- 'name': 'seeAlso',
- 'oid': (2, 5, 4, 34)},
- (2, 5, 4, 35): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'userPassword (2 5 4 35)',
- 'hexoid': '06 03 55 04 23',
- 'name': 'userPassword',
- 'oid': (2, 5, 4, 35)},
- (2, 5, 4, 36): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'userCertificate (2 5 4 36)',
- 'hexoid': '06 03 55 04 24',
- 'name': 'userCertificate',
- 'oid': (2, 5, 4, 36)},
- (2, 5, 4, 37): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'caCertificate (2 5 4 37)',
- 'hexoid': '06 03 55 04 25',
- 'name': 'caCertificate',
- 'oid': (2, 5, 4, 37)},
- (2, 5, 4, 38): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'authorityRevocationList (2 5 4 38)',
- 'hexoid': '06 03 55 04 26',
- 'name': 'authorityRevocationList',
- 'oid': (2, 5, 4, 38)},
- (2, 5, 4, 39): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'certificateRevocationList (2 5 4 39)',
- 'hexoid': '06 03 55 04 27',
- 'name': 'certificateRevocationList',
- 'oid': (2, 5, 4, 39)},
- (2, 5, 4, 40): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'crossCertificatePair (2 5 4 40)',
- 'hexoid': '06 03 55 04 28',
- 'name': 'crossCertificatePair',
- 'oid': (2, 5, 4, 40)},
- (2, 5, 4, 41): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'name (2 5 4 41)',
- 'hexoid': '06 03 55 04 29',
- 'name': 'name',
- 'oid': (2, 5, 4, 41)},
- (2, 5, 4, 42): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'givenName (2 5 4 42)',
- 'hexoid': '06 03 55 04 2A',
- 'name': 'givenName',
- 'oid': (2, 5, 4, 42)},
- (2, 5, 4, 43): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'initials (2 5 4 43)',
- 'hexoid': '06 03 55 04 2B',
- 'name': 'initials',
- 'oid': (2, 5, 4, 43)},
- (2, 5, 4, 44): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'generationQualifier (2 5 4 44)',
- 'hexoid': '06 03 55 04 2C',
- 'name': 'generationQualifier',
- 'oid': (2, 5, 4, 44)},
- (2, 5, 4, 45): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'uniqueIdentifier (2 5 4 45)',
- 'hexoid': '06 03 55 04 2D',
- 'name': 'uniqueIdentifier',
- 'oid': (2, 5, 4, 45)},
- (2, 5, 4, 46): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'dnQualifier (2 5 4 46)',
- 'hexoid': '06 03 55 04 2E',
- 'name': 'dnQualifier',
- 'oid': (2, 5, 4, 46)},
- (2, 5, 4, 47): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'enhancedSearchGuide (2 5 4 47)',
- 'hexoid': '06 03 55 04 2F',
- 'name': 'enhancedSearchGuide',
- 'oid': (2, 5, 4, 47)},
- (2, 5, 4, 48): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'protocolInformation (2 5 4 48)',
- 'hexoid': '06 03 55 04 30',
- 'name': 'protocolInformation',
- 'oid': (2, 5, 4, 48)},
- (2, 5, 4, 49): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'distinguishedName (2 5 4 49)',
- 'hexoid': '06 03 55 04 31',
- 'name': 'distinguishedName',
- 'oid': (2, 5, 4, 49)},
- (2, 5, 4, 50): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'uniqueMember (2 5 4 50)',
- 'hexoid': '06 03 55 04 32',
- 'name': 'uniqueMember',
- 'oid': (2, 5, 4, 50)},
- (2, 5, 4, 51): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'houseIdentifier (2 5 4 51)',
- 'hexoid': '06 03 55 04 33',
- 'name': 'houseIdentifier',
- 'oid': (2, 5, 4, 51)},
- (2, 5, 4, 52): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'supportedAlgorithms (2 5 4 52)',
- 'hexoid': '06 03 55 04 34',
- 'name': 'supportedAlgorithms',
- 'oid': (2, 5, 4, 52)},
- (2, 5, 4, 53): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'deltaRevocationList (2 5 4 53)',
- 'hexoid': '06 03 55 04 35',
- 'name': 'deltaRevocationList',
- 'oid': (2, 5, 4, 53)},
- (2, 5, 4, 54): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'dmdName (2 5 4 54)',
- 'hexoid': '06 03 55 04 36',
- 'name': 'dmdName',
- 'oid': (2, 5, 4, 54)},
- (2, 5, 4, 55): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'clearance (2 5 4 55)',
- 'hexoid': '06 03 55 04 37',
- 'name': 'clearance',
- 'oid': (2, 5, 4, 55)},
- (2, 5, 4, 56): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'defaultDirQop (2 5 4 56)',
- 'hexoid': '06 03 55 04 38',
- 'name': 'defaultDirQop',
- 'oid': (2, 5, 4, 56)},
- (2, 5, 4, 57): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'attributeIntegrityInfo (2 5 4 57)',
- 'hexoid': '06 03 55 04 39',
- 'name': 'attributeIntegrityInfo',
- 'oid': (2, 5, 4, 57)},
- (2, 5, 4, 58): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'attributeCertificate (2 5 4 58)',
- 'hexoid': '06 03 55 04 3A',
- 'name': 'attributeCertificate',
- 'oid': (2, 5, 4, 58)},
- (2, 5, 4, 59): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'attributeCertificateRevocationList (2 5 4 59)',
- 'hexoid': '06 03 55 04 3B',
- 'name': 'attributeCertificateRevocationList',
- 'oid': (2, 5, 4, 59)},
- (2, 5, 4, 60): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'confKeyInfo (2 5 4 60)',
- 'hexoid': '06 03 55 04 3C',
- 'name': 'confKeyInfo',
- 'oid': (2, 5, 4, 60)},
- (2, 5, 4, 61): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'aACertificate (2 5 4 61)',
- 'hexoid': '06 03 55 04 3D',
- 'name': 'aACertificate',
- 'oid': (2, 5, 4, 61)},
- (2, 5, 4, 62): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'attributeDescriptorCertificate (2 5 4 62)',
- 'hexoid': '06 03 55 04 3E',
- 'name': 'attributeDescriptorCertificate',
- 'oid': (2, 5, 4, 62)},
- (2, 5, 4, 63): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'attributeAuthorityRevocationList (2 5 4 63)',
- 'hexoid': '06 03 55 04 3F',
- 'name': 'attributeAuthorityRevocationList',
- 'oid': (2, 5, 4, 63)},
- (2, 5, 4, 64): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'familyInformation (2 5 4 64)',
- 'hexoid': '06 03 55 04 40',
- 'name': 'familyInformation',
- 'oid': (2, 5, 4, 64)},
- (2, 5, 4, 65): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'pseudonym (2 5 4 65)',
- 'hexoid': '06 03 55 04 41',
- 'name': 'pseudonym',
- 'oid': (2, 5, 4, 65)},
- (2, 5, 4, 66): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'communicationsService (2 5 4 66)',
- 'hexoid': '06 03 55 04 42',
- 'name': 'communicationsService',
- 'oid': (2, 5, 4, 66)},
- (2, 5, 4, 67): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'communicationsNetwork (2 5 4 67)',
- 'hexoid': '06 03 55 04 43',
- 'name': 'communicationsNetwork',
- 'oid': (2, 5, 4, 67)},
- (2, 5, 4, 68): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'certificationPracticeStmt (2 5 4 68)',
- 'hexoid': '06 03 55 04 44',
- 'name': 'certificationPracticeStmt',
- 'oid': (2, 5, 4, 68)},
- (2, 5, 4, 69): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'certificatePolicy (2 5 4 69)',
- 'hexoid': '06 03 55 04 45',
- 'name': 'certificatePolicy',
- 'oid': (2, 5, 4, 69)},
- (2, 5, 4, 70): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'pkiPath (2 5 4 70)',
- 'hexoid': '06 03 55 04 46',
- 'name': 'pkiPath',
- 'oid': (2, 5, 4, 70)},
- (2, 5, 4, 71): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'privPolicy (2 5 4 71)',
- 'hexoid': '06 03 55 04 47',
- 'name': 'privPolicy',
- 'oid': (2, 5, 4, 71)},
- (2, 5, 4, 72): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'role (2 5 4 72)',
- 'hexoid': '06 03 55 04 48',
- 'name': 'role',
- 'oid': (2, 5, 4, 72)},
- (2, 5, 4, 73): {'comment': 'X.520 id-at (2 5 4)',
- 'description': 'delegationPath (2 5 4 73)',
- 'hexoid': '06 03 55 04 49',
- 'name': 'delegationPath',
- 'oid': (2, 5, 4, 73)},
- (2, 5, 6, 0): {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'top (2 5 6 0)',
- 'hexoid': '06 03 55 06 00',
- 'name': 'top',
- 'oid': (2, 5, 6, 0)},
- (2, 5, 6, 1): {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'alias (2 5 6 1)',
- 'hexoid': '06 03 55 06 01',
- 'name': 'alias',
- 'oid': (2, 5, 6, 1)},
- (2, 5, 6, 2): {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'country (2 5 6 2)',
- 'hexoid': '06 03 55 06 02',
- 'name': 'country',
- 'oid': (2, 5, 6, 2)},
- (2, 5, 6, 3): {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'locality (2 5 6 3)',
- 'hexoid': '06 03 55 06 03',
- 'name': 'locality',
- 'oid': (2, 5, 6, 3)},
- (2, 5, 6, 4): {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'organization (2 5 6 4)',
- 'hexoid': '06 03 55 06 04',
- 'name': 'organization',
- 'oid': (2, 5, 6, 4)},
- (2, 5, 6, 5): {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'organizationalUnit (2 5 6 5)',
- 'hexoid': '06 03 55 06 05',
- 'name': 'organizationalUnit',
- 'oid': (2, 5, 6, 5)},
- (2, 5, 6, 6): {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'person (2 5 6 6)',
- 'hexoid': '06 03 55 06 06',
- 'name': 'person',
- 'oid': (2, 5, 6, 6)},
- (2, 5, 6, 7): {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'organizationalPerson (2 5 6 7)',
- 'hexoid': '06 03 55 06 07',
- 'name': 'organizationalPerson',
- 'oid': (2, 5, 6, 7)},
- (2, 5, 6, 8): {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'organizationalRole (2 5 6 8)',
- 'hexoid': '06 03 55 06 08',
- 'name': 'organizationalRole',
- 'oid': (2, 5, 6, 8)},
- (2, 5, 6, 9): {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'groupOfNames (2 5 6 9)',
- 'hexoid': '06 03 55 06 09',
- 'name': 'groupOfNames',
- 'oid': (2, 5, 6, 9)},
- (2, 5, 6, 10): {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'residentialPerson (2 5 6 10)',
- 'hexoid': '06 03 55 06 0A',
- 'name': 'residentialPerson',
- 'oid': (2, 5, 6, 10)},
- (2, 5, 6, 11): {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'applicationProcess (2 5 6 11)',
- 'hexoid': '06 03 55 06 0B',
- 'name': 'applicationProcess',
- 'oid': (2, 5, 6, 11)},
- (2, 5, 6, 12): {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'applicationEntity (2 5 6 12)',
- 'hexoid': '06 03 55 06 0C',
- 'name': 'applicationEntity',
- 'oid': (2, 5, 6, 12)},
- (2, 5, 6, 13): {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'dSA (2 5 6 13)',
- 'hexoid': '06 03 55 06 0D',
- 'name': 'dSA',
- 'oid': (2, 5, 6, 13)},
- (2, 5, 6, 14): {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'device (2 5 6 14)',
- 'hexoid': '06 03 55 06 0E',
- 'name': 'device',
- 'oid': (2, 5, 6, 14)},
- (2, 5, 6, 15): {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'strongAuthenticationUser (2 5 6 15)',
- 'hexoid': '06 03 55 06 0F',
- 'name': 'strongAuthenticationUser',
- 'oid': (2, 5, 6, 15)},
- (2, 5, 6, 16): {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'certificateAuthority (2 5 6 16)',
- 'hexoid': '06 03 55 06 10',
- 'name': 'certificateAuthority',
- 'oid': (2, 5, 6, 16)},
- (2, 5, 6, 17): {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'groupOfUniqueNames (2 5 6 17)',
- 'hexoid': '06 03 55 06 11',
- 'name': 'groupOfUniqueNames',
- 'oid': (2, 5, 6, 17)},
- (2, 5, 6, 21): {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'pkiUser (2 5 6 21)',
- 'hexoid': '06 03 55 06 15',
- 'name': 'pkiUser',
- 'oid': (2, 5, 6, 21)},
- (2, 5, 6, 22): {'comment': 'X.520 objectClass (2 5 6)',
- 'description': 'pkiCA (2 5 6 22)',
- 'hexoid': '06 03 55 06 16',
- 'name': 'pkiCA',
- 'oid': (2, 5, 6, 22)},
- (2, 5, 8): {'description': 'X.500-Algorithms (2 5 8)',
- 'hexoid': '06 02 55 08',
- 'name': 'X.500-Algorithms',
- 'oid': (2, 5, 8)},
- (2, 5, 8, 1): {'description': 'X.500-Alg-Encryption (2 5 8 1)',
- 'hexoid': '06 03 55 08 01',
- 'name': 'X.500-Alg-Encryption',
- 'oid': (2, 5, 8, 1)},
- (2, 5, 29, 9): {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'subjectDirectoryAttributes (2 5 29 9)',
- 'hexoid': '06 03 55 1D 09',
- 'name': 'subjectDirectoryAttributes',
- 'oid': (2, 5, 29, 9)},
- (2, 5, 29, 14): {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'subjectKeyIdentifier (2 5 29 14)',
- 'hexoid': '06 03 55 1D 0E',
- 'name': 'subjectKeyIdentifier',
- 'oid': (2, 5, 29, 14)},
- (2, 5, 29, 15): {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'keyUsage (2 5 29 15)',
- 'hexoid': '06 03 55 1D 0F',
- 'name': 'keyUsage',
- 'oid': (2, 5, 29, 15)},
- (2, 5, 29, 16): {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'privateKeyUsagePeriod (2 5 29 16)',
- 'hexoid': '06 03 55 1D 10',
- 'name': 'privateKeyUsagePeriod',
- 'oid': (2, 5, 29, 16)},
- (2, 5, 29, 17): {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'subjectAltName (2 5 29 17)',
- 'hexoid': '06 03 55 1D 11',
- 'name': 'subjectAltName',
- 'oid': (2, 5, 29, 17)},
- (2, 5, 29, 18): {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'issuerAltName (2 5 29 18)',
- 'hexoid': '06 03 55 1D 12',
- 'name': 'issuerAltName',
- 'oid': (2, 5, 29, 18)},
- (2, 5, 29, 19): {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'basicConstraints (2 5 29 19)',
- 'hexoid': '06 03 55 1D 13',
- 'name': 'basicConstraints',
- 'oid': (2, 5, 29, 19)},
- (2, 5, 29, 20): {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'cRLNumber (2 5 29 20)',
- 'hexoid': '06 03 55 1D 14',
- 'name': 'cRLNumber',
- 'oid': (2, 5, 29, 20)},
- (2, 5, 29, 21): {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'cRLReason (2 5 29 21)',
- 'hexoid': '06 03 55 1D 15',
- 'name': 'cRLReason',
- 'oid': (2, 5, 29, 21)},
- (2, 5, 29, 23): {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'instructionCode (2 5 29 23)',
- 'hexoid': '06 03 55 1D 17',
- 'name': 'instructionCode',
- 'oid': (2, 5, 29, 23)},
- (2, 5, 29, 24): {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'invalidityDate (2 5 29 24)',
- 'hexoid': '06 03 55 1D 18',
- 'name': 'invalidityDate',
- 'oid': (2, 5, 29, 24)},
- (2, 5, 29, 27): {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'deltaCRLIndicator (2 5 29 27)',
- 'hexoid': '06 03 55 1D 1B',
- 'name': 'deltaCRLIndicator',
- 'oid': (2, 5, 29, 27)},
- (2, 5, 29, 28): {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'issuingDistributionPoint (2 5 29 28)',
- 'hexoid': '06 03 55 1D 1C',
- 'name': 'issuingDistributionPoint',
- 'oid': (2, 5, 29, 28)},
- (2, 5, 29, 29): {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'certificateIssuer (2 5 29 29)',
- 'hexoid': '06 03 55 1D 1D',
- 'name': 'certificateIssuer',
- 'oid': (2, 5, 29, 29)},
- (2, 5, 29, 30): {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'nameConstraints (2 5 29 30)',
- 'hexoid': '06 03 55 1D 1E',
- 'name': 'nameConstraints',
- 'oid': (2, 5, 29, 30)},
- (2, 5, 29, 31): {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'cRLDistributionPoints (2 5 29 31)',
- 'hexoid': '06 03 55 1D 1F',
- 'name': 'cRLDistributionPoints',
- 'oid': (2, 5, 29, 31)},
- (2, 5, 29, 32): {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'certificatePolicies (2 5 29 32)',
- 'hexoid': '06 03 55 1D 20',
- 'name': 'certificatePolicies',
- 'oid': (2, 5, 29, 32)},
- (2, 5, 29, 32, 0): {'comment': 'X.509 certificatePolicies (2 5 29 32)',
- 'description': 'anyPolicy (2 5 29 32 0)',
- 'hexoid': '06 04 55 1D 20 00',
- 'name': 'anyPolicy',
- 'oid': (2, 5, 29, 32, 0)},
- (2, 5, 29, 33): {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'policyMappings (2 5 29 33)',
- 'hexoid': '06 03 55 1D 21',
- 'name': 'policyMappings',
- 'oid': (2, 5, 29, 33)},
- (2, 5, 29, 35): {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'authorityKeyIdentifier (2 5 29 35)',
- 'hexoid': '06 03 55 1D 23',
- 'name': 'authorityKeyIdentifier',
- 'oid': (2, 5, 29, 35)},
- (2, 5, 29, 36): {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'policyConstraints (2 5 29 36)',
- 'hexoid': '06 03 55 1D 24',
- 'name': 'policyConstraints',
- 'oid': (2, 5, 29, 36)},
- (2, 5, 29, 37): {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'extKeyUsage (2 5 29 37)',
- 'hexoid': '06 03 55 1D 25',
- 'name': 'extKeyUsage',
- 'oid': (2, 5, 29, 37)},
- (2, 5, 29, 37, 0): {'comment': 'X.509 extended key usage',
- 'description': 'anyExtendedKeyUsage (2 5 29 37 0)',
- 'hexoid': '06 04 55 1D 25 00',
- 'name': 'anyExtendedKeyUsage',
- 'oid': (2, 5, 29, 37, 0)},
- (2, 5, 29, 46): {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'freshestCRL (2 5 29 46)',
- 'hexoid': '06 03 55 1D 2E',
- 'name': 'freshestCRL',
- 'oid': (2, 5, 29, 46)},
- (2, 5, 29, 54): {'comment': 'X.509 id-ce (2 5 29)',
- 'description': 'inhibitAnyPolicy (2 5 29 54)',
- 'hexoid': '06 03 55 1D 36',
- 'name': 'inhibitAnyPolicy',
- 'oid': (2, 5, 29, 54)},
- (2, 16, 840, 1, 101, 2, 1, 1, 1): {'comment': 'SDN.700 INFOSEC algorithms',
- 'description': 'sdnsSignatureAlgorithm (2 16 840 1 101 2 1 1 1)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 01',
- 'name': 'sdnsSignatureAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 1)},
- (2, 16, 840, 1, 101, 2, 1, 1, 2): {'comment': 'SDN.700 INFOSEC algorithms. Formerly known as mosaicSignatureAlgorithm, this OID is better known as dsaWithSHA-1.',
- 'description': 'fortezzaSignatureAlgorithm (2 16 840 1 101 2 1 1 2)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 02',
- 'name': 'fortezzaSignatureAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 2)},
- (2, 16, 840, 1, 101, 2, 1, 1, 3): {'comment': 'SDN.700 INFOSEC algorithms',
- 'description': 'sdnsConfidentialityAlgorithm (2 16 840 1 101 2 1 1 3)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 03',
- 'name': 'sdnsConfidentialityAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 3)},
- (2, 16, 840, 1, 101, 2, 1, 1, 4): {'comment': 'SDN.700 INFOSEC algorithms. Formerly known as mosaicConfidentialityAlgorithm',
- 'description': 'fortezzaConfidentialityAlgorithm (2 16 840 1 101 2 1 1 4)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 04',
- 'name': 'fortezzaConfidentialityAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 4)},
- (2, 16, 840, 1, 101, 2, 1, 1, 5): {'comment': 'SDN.700 INFOSEC algorithms',
- 'description': 'sdnsIntegrityAlgorithm (2 16 840 1 101 2 1 1 5)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 05',
- 'name': 'sdnsIntegrityAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 5)},
- (2, 16, 840, 1, 101, 2, 1, 1, 6): {'comment': 'SDN.700 INFOSEC algorithms. Formerly known as mosaicIntegrityAlgorithm',
- 'description': 'fortezzaIntegrityAlgorithm (2 16 840 1 101 2 1 1 6)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 06',
- 'name': 'fortezzaIntegrityAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 6)},
- (2, 16, 840, 1, 101, 2, 1, 1, 7): {'comment': 'SDN.700 INFOSEC algorithms',
- 'description': 'sdnsTokenProtectionAlgorithm (2 16 840 1 101 2 1 1 7)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 07',
- 'name': 'sdnsTokenProtectionAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 7)},
- (2, 16, 840, 1, 101, 2, 1, 1, 8): {'comment': 'SDN.700 INFOSEC algorithms. Formerly know as mosaicTokenProtectionAlgorithm',
- 'description': 'fortezzaTokenProtectionAlgorithm (2 16 840 1 101 2 1 1 8)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 08',
- 'name': 'fortezzaTokenProtectionAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 8)},
- (2, 16, 840, 1, 101, 2, 1, 1, 9): {'comment': 'SDN.700 INFOSEC algorithms',
- 'description': 'sdnsKeyManagementAlgorithm (2 16 840 1 101 2 1 1 9)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 09',
- 'name': 'sdnsKeyManagementAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 9)},
- (2, 16, 840, 1, 101, 2, 1, 1, 10): {'comment': 'SDN.700 INFOSEC algorithms. Formerly known as mosaicKeyManagementAlgorithm',
- 'description': 'fortezzaKeyManagementAlgorithm (2 16 840 1 101 2 1 1 10)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 0A',
- 'name': 'fortezzaKeyManagementAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 10)},
- (2, 16, 840, 1, 101, 2, 1, 1, 11): {'comment': 'SDN.700 INFOSEC algorithms',
- 'description': 'sdnsKMandSigAlgorithm (2 16 840 1 101 2 1 1 11)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 0B',
- 'name': 'sdnsKMandSigAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 11)},
- (2, 16, 840, 1, 101, 2, 1, 1, 12): {'comment': 'SDN.700 INFOSEC algorithms. Formerly known as mosaicKMandSigAlgorithm',
- 'description': 'fortezzaKMandSigAlgorithm (2 16 840 1 101 2 1 1 12)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 0C',
- 'name': 'fortezzaKMandSigAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 12)},
- (2, 16, 840, 1, 101, 2, 1, 1, 13): {'comment': 'SDN.700 INFOSEC algorithms',
- 'description': 'suiteASignatureAlgorithm (2 16 840 1 101 2 1 1 13)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 0D',
- 'name': 'suiteASignatureAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 13)},
- (2, 16, 840, 1, 101, 2, 1, 1, 14): {'comment': 'SDN.700 INFOSEC algorithms',
- 'description': 'suiteAConfidentialityAlgorithm (2 16 840 1 101 2 1 1 14)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 0E',
- 'name': 'suiteAConfidentialityAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 14)},
- (2, 16, 840, 1, 101, 2, 1, 1, 15): {'comment': 'SDN.700 INFOSEC algorithms',
- 'description': 'suiteAIntegrityAlgorithm (2 16 840 1 101 2 1 1 15)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 0F',
- 'name': 'suiteAIntegrityAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 15)},
- (2, 16, 840, 1, 101, 2, 1, 1, 16): {'comment': 'SDN.700 INFOSEC algorithms',
- 'description': 'suiteATokenProtectionAlgorithm (2 16 840 1 101 2 1 1 16)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 10',
- 'name': 'suiteATokenProtectionAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 16)},
- (2, 16, 840, 1, 101, 2, 1, 1, 17): {'comment': 'SDN.700 INFOSEC algorithms',
- 'description': 'suiteAKeyManagementAlgorithm (2 16 840 1 101 2 1 1 17)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 11',
- 'name': 'suiteAKeyManagementAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 17)},
- (2, 16, 840, 1, 101, 2, 1, 1, 18): {'comment': 'SDN.700 INFOSEC algorithms',
- 'description': 'suiteAKMandSigAlgorithm (2 16 840 1 101 2 1 1 18)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 12',
- 'name': 'suiteAKMandSigAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 18)},
- (2, 16, 840, 1, 101, 2, 1, 1, 19): {'comment': 'SDN.700 INFOSEC algorithms. Formerly known as mosaicUpdatedSigAlgorithm',
- 'description': 'fortezzaUpdatedSigAlgorithm (2 16 840 1 101 2 1 1 19)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 13',
- 'name': 'fortezzaUpdatedSigAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 19)},
- (2, 16, 840, 1, 101, 2, 1, 1, 20): {'comment': 'SDN.700 INFOSEC algorithms. Formerly known as mosaicKMandUpdSigAlgorithms',
- 'description': 'fortezzaKMandUpdSigAlgorithms (2 16 840 1 101 2 1 1 20)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 14',
- 'name': 'fortezzaKMandUpdSigAlgorithms',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 20)},
- (2, 16, 840, 1, 101, 2, 1, 1, 21): {'comment': 'SDN.700 INFOSEC algorithms. Formerly known as mosaicUpdatedIntegAlgorithm',
- 'description': 'fortezzaUpdatedIntegAlgorithm (2 16 840 1 101 2 1 1 21)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 15',
- 'name': 'fortezzaUpdatedIntegAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 21)},
- (2, 16, 840, 1, 101, 2, 1, 1, 22): {'comment': 'SDN.700 INFOSEC algorithms. Formerly known as mosaicKeyEncryptionAlgorithm',
- 'description': 'keyExchangeAlgorithm (2 16 840 1 101 2 1 1 22)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 16',
- 'name': 'keyExchangeAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 22)},
- (2, 16, 840, 1, 101, 2, 1, 1, 23): {'comment': 'SDN.700 INFOSEC algorithms',
- 'description': 'fortezzaWrap80Algorithm (2 16 840 1 101 2 1 1 23)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 17',
- 'name': 'fortezzaWrap80Algorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 23)},
- (2, 16, 840, 1, 101, 2, 1, 1, 24): {'comment': 'SDN.700 INFOSEC algorithms',
- 'description': 'kEAKeyEncryptionAlgorithm (2 16 840 1 101 2 1 1 24)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 01 18',
- 'name': 'kEAKeyEncryptionAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 1, 24)},
- (2, 16, 840, 1, 101, 2, 1, 2, 1): {'comment': 'SDN.700 INFOSEC format',
- 'description': 'rfc822MessageFormat (2 16 840 1 101 2 1 2 1)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 02 01',
- 'name': 'rfc822MessageFormat',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 2, 1)},
- (2, 16, 840, 1, 101, 2, 1, 2, 2): {'comment': 'SDN.700 INFOSEC format',
- 'description': 'emptyContent (2 16 840 1 101 2 1 2 2)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 02 02',
- 'name': 'emptyContent',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 2, 2)},
- (2, 16, 840, 1, 101, 2, 1, 2, 3): {'comment': 'SDN.700 INFOSEC format',
- 'description': 'cspContentType (2 16 840 1 101 2 1 2 3)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 02 03',
- 'name': 'cspContentType',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 2, 3)},
- (2, 16, 840, 1, 101, 2, 1, 2, 42): {'comment': 'SDN.700 INFOSEC format',
- 'description': 'mspRev3ContentType (2 16 840 1 101 2 1 2 42)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 02 2A',
- 'name': 'mspRev3ContentType',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 2, 42)},
- (2, 16, 840, 1, 101, 2, 1, 2, 48): {'comment': 'SDN.700 INFOSEC format',
- 'description': 'mspContentType (2 16 840 1 101 2 1 2 48)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 02 30',
- 'name': 'mspContentType',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 2, 48)},
- (2, 16, 840, 1, 101, 2, 1, 2, 49): {'comment': 'SDN.700 INFOSEC format',
- 'description': 'mspRekeyAgentProtocol (2 16 840 1 101 2 1 2 49)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 02 31',
- 'name': 'mspRekeyAgentProtocol',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 2, 49)},
- (2, 16, 840, 1, 101, 2, 1, 2, 50): {'comment': 'SDN.700 INFOSEC format',
- 'description': 'mspMMP (2 16 840 1 101 2 1 2 50)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 02 32',
- 'name': 'mspMMP',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 2, 50)},
- (2, 16, 840, 1, 101, 2, 1, 2, 66): {'comment': 'SDN.700 INFOSEC format',
- 'description': 'mspRev3-1ContentType (2 16 840 1 101 2 1 2 66)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 02 42',
- 'name': 'mspRev3-1ContentType',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 2, 66)},
- (2, 16, 840, 1, 101, 2, 1, 2, 72): {'comment': 'SDN.700 INFOSEC format',
- 'description': 'forwardedMSPMessageBodyPart (2 16 840 1 101 2 1 2 72)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 02 48',
- 'name': 'forwardedMSPMessageBodyPart',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 2, 72)},
- (2, 16, 840, 1, 101, 2, 1, 2, 73): {'comment': 'SDN.700 INFOSEC format',
- 'description': 'mspForwardedMessageParameters (2 16 840 1 101 2 1 2 73)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 02 49',
- 'name': 'mspForwardedMessageParameters',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 2, 73)},
- (2, 16, 840, 1, 101, 2, 1, 2, 74): {'comment': 'SDN.700 INFOSEC format',
- 'description': 'forwardedCSPMsgBodyPart (2 16 840 1 101 2 1 2 74)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 02 4A',
- 'name': 'forwardedCSPMsgBodyPart',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 2, 74)},
- (2, 16, 840, 1, 101, 2, 1, 2, 75): {'comment': 'SDN.700 INFOSEC format',
- 'description': 'cspForwardedMessageParameters (2 16 840 1 101 2 1 2 75)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 02 4B',
- 'name': 'cspForwardedMessageParameters',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 2, 75)},
- (2, 16, 840, 1, 101, 2, 1, 2, 76): {'comment': 'SDN.700 INFOSEC format',
- 'description': 'mspMMP2 (2 16 840 1 101 2 1 2 76)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 02 4C',
- 'name': 'mspMMP2',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 2, 76)},
- (2, 16, 840, 1, 101, 2, 1, 3, 1): {'comment': 'SDN.700 INFOSEC policy',
- 'description': 'sdnsSecurityPolicy (2 16 840 1 101 2 1 3 1)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 03 01',
- 'name': 'sdnsSecurityPolicy',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 3, 1)},
- (2, 16, 840, 1, 101, 2, 1, 3, 2): {'comment': 'SDN.700 INFOSEC policy',
- 'description': 'sdnsPRBAC (2 16 840 1 101 2 1 3 2)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 03 02',
- 'name': 'sdnsPRBAC',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 3, 2)},
- (2, 16, 840, 1, 101, 2, 1, 3, 3): {'comment': 'SDN.700 INFOSEC policy',
- 'description': 'mosaicPRBAC (2 16 840 1 101 2 1 3 3)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 03 03',
- 'name': 'mosaicPRBAC',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 3, 3)},
- (2, 16, 840, 1, 101, 2, 1, 3, 10): {'comment': 'SDN.700 INFOSEC policy',
- 'description': 'siSecurityPolicy (2 16 840 1 101 2 1 3 10)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 03 0A',
- 'name': 'siSecurityPolicy',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 3, 10)},
- (2, 16, 840, 1, 101, 2, 1, 3, 11): {'comment': 'SDN.700 INFOSEC policy',
- 'description': 'genser (2 16 840 1 101 2 1 3 11)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 03 0B',
- 'name': 'genser',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 3, 11)},
- (2, 16, 840, 1, 101, 2, 1, 3, 11, 3): {'comment': 'SDN.700 INFOSEC policy',
- 'description': 'genserSecurityCategories (2 16 840 1 101 2 1 3 11 3)',
- 'hexoid': '06 0A 60 86 48 01 65 02 01 03 0B 03',
- 'name': 'genserSecurityCategories',
- 'oid': (2,
- 16,
- 840,
- 1,
- 101,
- 2,
- 1,
- 3,
- 11,
- 3)},
- (2, 16, 840, 1, 101, 2, 1, 3, 11, 3, 0): {'comment': 'SDN.700 INFOSEC GENSER policy',
- 'description': 'genserTagSetName (2 16 840 1 101 2 1 3 11 3 0)',
- 'hexoid': '06 0B 60 86 48 01 65 02 01 03 0B 03 00',
- 'name': 'genserTagSetName',
- 'oid': (2,
- 16,
- 840,
- 1,
- 101,
- 2,
- 1,
- 3,
- 11,
- 3,
- 0)},
- (2, 16, 840, 1, 101, 2, 1, 3, 12): {'comment': 'SDN.700 INFOSEC policy',
- 'description': 'defaultSecurityPolicy (2 16 840 1 101 2 1 3 12)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 03 0C',
- 'name': 'defaultSecurityPolicy',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 3, 12)},
- (2, 16, 840, 1, 101, 2, 1, 3, 13): {'comment': 'SDN.700 INFOSEC policy',
- 'description': 'capcoMarkings (2 16 840 1 101 2 1 3 13)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 03 0D',
- 'name': 'capcoMarkings',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 3, 13)},
- (2, 16, 840, 1, 101, 2, 1, 3, 13, 0): {'comment': 'SDN.700 INFOSEC policy CAPCO markings',
- 'description': 'capcoSecurityCategories (2 16 840 1 101 2 1 3 13 0)',
- 'hexoid': '06 0A 60 86 48 01 65 02 01 03 0D 00',
- 'name': 'capcoSecurityCategories',
- 'oid': (2,
- 16,
- 840,
- 1,
- 101,
- 2,
- 1,
- 3,
- 13,
- 0)},
- (2, 16, 840, 1, 101, 2, 1, 3, 13, 0, 1): {'comment': 'SDN.700 INFOSEC policy CAPCO markings',
- 'description': 'capcoTagSetName1 (2 16 840 1 101 2 1 3 13 0 1)',
- 'hexoid': '06 0B 60 86 48 01 65 02 01 03 0D 00 01',
- 'name': 'capcoTagSetName1',
- 'oid': (2,
- 16,
- 840,
- 1,
- 101,
- 2,
- 1,
- 3,
- 13,
- 0,
- 1)},
- (2, 16, 840, 1, 101, 2, 1, 3, 13, 0, 2): {'comment': 'SDN.700 INFOSEC policy CAPCO markings',
- 'description': 'capcoTagSetName2 (2 16 840 1 101 2 1 3 13 0 2)',
- 'hexoid': '06 0B 60 86 48 01 65 02 01 03 0D 00 02',
- 'name': 'capcoTagSetName2',
- 'oid': (2,
- 16,
- 840,
- 1,
- 101,
- 2,
- 1,
- 3,
- 13,
- 0,
- 2)},
- (2, 16, 840, 1, 101, 2, 1, 3, 13, 0, 3): {'comment': 'SDN.700 INFOSEC policy CAPCO markings',
- 'description': 'capcoTagSetName3 (2 16 840 1 101 2 1 3 13 0 3)',
- 'hexoid': '06 0B 60 86 48 01 65 02 01 03 0D 00 03',
- 'name': 'capcoTagSetName3',
- 'oid': (2,
- 16,
- 840,
- 1,
- 101,
- 2,
- 1,
- 3,
- 13,
- 0,
- 3)},
- (2, 16, 840, 1, 101, 2, 1, 3, 13, 0, 4): {'comment': 'SDN.700 INFOSEC policy CAPCO markings',
- 'description': 'capcoTagSetName4 (2 16 840 1 101 2 1 3 13 0 4)',
- 'hexoid': '06 0B 60 86 48 01 65 02 01 03 0D 00 04',
- 'name': 'capcoTagSetName4',
- 'oid': (2,
- 16,
- 840,
- 1,
- 101,
- 2,
- 1,
- 3,
- 13,
- 0,
- 4)},
- (2, 16, 840, 1, 101, 2, 1, 5, 11): {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'mlReceiptPolicy (2 16 840 1 101 2 1 5 11)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 0B',
- 'name': 'mlReceiptPolicy',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 11)},
- (2, 16, 840, 1, 101, 2, 1, 5, 12): {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'mlMembership (2 16 840 1 101 2 1 5 12)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 0C',
- 'name': 'mlMembership',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 12)},
- (2, 16, 840, 1, 101, 2, 1, 5, 13): {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'mlAdministrators (2 16 840 1 101 2 1 5 13)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 0D',
- 'name': 'mlAdministrators',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 13)},
- (2, 16, 840, 1, 101, 2, 1, 5, 14): {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'alid (2 16 840 1 101 2 1 5 14)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 0E',
- 'name': 'alid',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 14)},
- (2, 16, 840, 1, 101, 2, 1, 5, 20): {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'janUKMs (2 16 840 1 101 2 1 5 20)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 14',
- 'name': 'janUKMs',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 20)},
- (2, 16, 840, 1, 101, 2, 1, 5, 21): {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'febUKMs (2 16 840 1 101 2 1 5 21)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 15',
- 'name': 'febUKMs',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 21)},
- (2, 16, 840, 1, 101, 2, 1, 5, 22): {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'marUKMs (2 16 840 1 101 2 1 5 22)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 16',
- 'name': 'marUKMs',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 22)},
- (2, 16, 840, 1, 101, 2, 1, 5, 23): {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'aprUKMs (2 16 840 1 101 2 1 5 23)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 17',
- 'name': 'aprUKMs',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 23)},
- (2, 16, 840, 1, 101, 2, 1, 5, 24): {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'mayUKMs (2 16 840 1 101 2 1 5 24)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 18',
- 'name': 'mayUKMs',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 24)},
- (2, 16, 840, 1, 101, 2, 1, 5, 25): {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'junUKMs (2 16 840 1 101 2 1 5 25)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 19',
- 'name': 'junUKMs',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 25)},
- (2, 16, 840, 1, 101, 2, 1, 5, 26): {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'julUKMs (2 16 840 1 101 2 1 5 26)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 1A',
- 'name': 'julUKMs',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 26)},
- (2, 16, 840, 1, 101, 2, 1, 5, 27): {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'augUKMs (2 16 840 1 101 2 1 5 27)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 1B',
- 'name': 'augUKMs',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 27)},
- (2, 16, 840, 1, 101, 2, 1, 5, 28): {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'sepUKMs (2 16 840 1 101 2 1 5 28)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 1C',
- 'name': 'sepUKMs',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 28)},
- (2, 16, 840, 1, 101, 2, 1, 5, 29): {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'octUKMs (2 16 840 1 101 2 1 5 29)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 1D',
- 'name': 'octUKMs',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 29)},
- (2, 16, 840, 1, 101, 2, 1, 5, 30): {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'novUKMs (2 16 840 1 101 2 1 5 30)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 1E',
- 'name': 'novUKMs',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 30)},
- (2, 16, 840, 1, 101, 2, 1, 5, 31): {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'decUKMs (2 16 840 1 101 2 1 5 31)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 1F',
- 'name': 'decUKMs',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 31)},
- (2, 16, 840, 1, 101, 2, 1, 5, 40): {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'metaSDNSckl (2 16 840 1 101 2 1 5 40)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 28',
- 'name': 'metaSDNSckl',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 40)},
- (2, 16, 840, 1, 101, 2, 1, 5, 41): {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'sdnsCKL (2 16 840 1 101 2 1 5 41)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 29',
- 'name': 'sdnsCKL',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 41)},
- (2, 16, 840, 1, 101, 2, 1, 5, 42): {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'metaSDNSsignatureCKL (2 16 840 1 101 2 1 5 42)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 2A',
- 'name': 'metaSDNSsignatureCKL',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 42)},
- (2, 16, 840, 1, 101, 2, 1, 5, 43): {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'sdnsSignatureCKL (2 16 840 1 101 2 1 5 43)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 2B',
- 'name': 'sdnsSignatureCKL',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 43)},
- (2, 16, 840, 1, 101, 2, 1, 5, 44): {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'sdnsCertificateRevocationList (2 16 840 1 101 2 1 5 44)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 2C',
- 'name': 'sdnsCertificateRevocationList',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 44)},
- (2, 16, 840, 1, 101, 2, 1, 5, 46): {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'fortezzaCKL (2 16 840 1 101 2 1 5 46)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 2E',
- 'name': 'fortezzaCKL',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 46)},
- (2, 16, 840, 1, 101, 2, 1, 5, 47): {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'alExemptedAddressProcessor (2 16 840 1 101 2 1 5 47)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 2F',
- 'name': 'alExemptedAddressProcessor',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 47)},
- (2, 16, 840, 1, 101, 2, 1, 5, 53): {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'prbacInfo (2 16 840 1 101 2 1 5 53)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 35',
- 'name': 'prbacInfo',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 53)},
- (2, 16, 840, 1, 101, 2, 1, 5, 54): {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'prbacCAConstraints (2 16 840 1 101 2 1 5 54)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 36',
- 'name': 'prbacCAConstraints',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 54)},
- (2, 16, 840, 1, 101, 2, 1, 5, 55): {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'sigOrKMPrivileges (2 16 840 1 101 2 1 5 55)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 37',
- 'name': 'sigOrKMPrivileges',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 55)},
- (2, 16, 840, 1, 101, 2, 1, 5, 56): {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'commPrivileges (2 16 840 1 101 2 1 5 56)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 38',
- 'name': 'commPrivileges',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 56)},
- (2, 16, 840, 1, 101, 2, 1, 5, 57): {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'labeledAttribute (2 16 840 1 101 2 1 5 57)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 39',
- 'name': 'labeledAttribute',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 57)},
- (2, 16, 840, 1, 101, 2, 1, 5, 59): {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'secPolicyInformationFile (2 16 840 1 101 2 1 5 59)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 3B',
- 'name': 'secPolicyInformationFile',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 59)},
- (2, 16, 840, 1, 101, 2, 1, 5, 60): {'comment': 'SDN.700 INFOSEC attributes',
- 'description': 'cAClearanceConstraint (2 16 840 1 101 2 1 5 60)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 05 3C',
- 'name': 'cAClearanceConstraint',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 5, 60)},
- (2, 16, 840, 1, 101, 2, 1, 7, 1): {'comment': 'SDN.700 INFOSEC extensions',
- 'description': 'cspExtns (2 16 840 1 101 2 1 7 1)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 07 01',
- 'name': 'cspExtns',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 7, 1)},
- (2, 16, 840, 1, 101, 2, 1, 7, 1, 0): {'comment': 'SDN.700 INFOSEC extensions',
- 'description': 'cspCsExtn (2 16 840 1 101 2 1 7 1 0)',
- 'hexoid': '06 0A 60 86 48 01 65 02 01 07 01 00',
- 'name': 'cspCsExtn',
- 'oid': (2,
- 16,
- 840,
- 1,
- 101,
- 2,
- 1,
- 7,
- 1,
- 0)},
- (2, 16, 840, 1, 101, 2, 1, 8, 1): {'comment': 'SDN.700 INFOSEC security category',
- 'description': 'mISSISecurityCategories (2 16 840 1 101 2 1 8 1)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 08 01',
- 'name': 'mISSISecurityCategories',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 8, 1)},
- (2, 16, 840, 1, 101, 2, 1, 8, 2): {'comment': 'SDN.700 INFOSEC security category',
- 'description': 'standardSecurityLabelPrivileges (2 16 840 1 101 2 1 8 2)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 08 02',
- 'name': 'standardSecurityLabelPrivileges',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 8, 2)},
- (2, 16, 840, 1, 101, 2, 1, 10, 1): {'comment': 'SDN.700 INFOSEC privileges',
- 'description': 'sigPrivileges (2 16 840 1 101 2 1 10 1)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 0A 01',
- 'name': 'sigPrivileges',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 10, 1)},
- (2, 16, 840, 1, 101, 2, 1, 10, 2): {'comment': 'SDN.700 INFOSEC privileges',
- 'description': 'kmPrivileges (2 16 840 1 101 2 1 10 2)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 0A 02',
- 'name': 'kmPrivileges',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 10, 2)},
- (2, 16, 840, 1, 101, 2, 1, 10, 3): {'comment': 'SDN.700 INFOSEC privileges',
- 'description': 'namedTagSetPrivilege (2 16 840 1 101 2 1 10 3)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 0A 03',
- 'name': 'namedTagSetPrivilege',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 10, 3)},
- (2, 16, 840, 1, 101, 2, 1, 11, 1): {'comment': 'SDN.700 INFOSEC certificate policy',
- 'description': 'ukDemo (2 16 840 1 101 2 1 11 1)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 0B 01',
- 'name': 'ukDemo',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 11, 1)},
- (2, 16, 840, 1, 101, 2, 1, 11, 2): {'comment': 'SDN.700 INFOSEC certificate policy',
- 'description': 'usDODClass2 (2 16 840 1 101 2 1 11 2)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 0B 02',
- 'name': 'usDODClass2',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 11, 2)},
- (2, 16, 840, 1, 101, 2, 1, 11, 3): {'comment': 'SDN.700 INFOSEC certificate policy',
- 'description': 'usMediumPilot (2 16 840 1 101 2 1 11 3)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 0B 03',
- 'name': 'usMediumPilot',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 11, 3)},
- (2, 16, 840, 1, 101, 2, 1, 11, 4): {'comment': 'SDN.700 INFOSEC certificate policy',
- 'description': 'usDODClass4 (2 16 840 1 101 2 1 11 4)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 0B 04',
- 'name': 'usDODClass4',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 11, 4)},
- (2, 16, 840, 1, 101, 2, 1, 11, 5): {'comment': 'SDN.700 INFOSEC certificate policy',
- 'description': 'usDODClass3 (2 16 840 1 101 2 1 11 5)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 0B 05',
- 'name': 'usDODClass3',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 11, 5)},
- (2, 16, 840, 1, 101, 2, 1, 11, 6): {'comment': 'SDN.700 INFOSEC certificate policy',
- 'description': 'usDODClass5 (2 16 840 1 101 2 1 11 6)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 0B 06',
- 'name': 'usDODClass5',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 11, 6)},
- (2, 16, 840, 1, 101, 2, 1, 12, 0): {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'testSecurityPolicy (2 16 840 1 101 2 1 12 0)',
- 'hexoid': '06 09 60 86 48 01 65 02 01 0C 00',
- 'name': 'testSecurityPolicy',
- 'oid': (2, 16, 840, 1, 101, 2, 1, 12, 0)},
- (2, 16, 840, 1, 101, 2, 1, 12, 0, 1): {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'tsp1 (2 16 840 1 101 2 1 12 0 1)',
- 'hexoid': '06 0A 60 86 48 01 65 02 01 0C 00 01',
- 'name': 'tsp1',
- 'oid': (2,
- 16,
- 840,
- 1,
- 101,
- 2,
- 1,
- 12,
- 0,
- 1)},
- (2, 16, 840, 1, 101, 2, 1, 12, 0, 1, 0): {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'tsp1SecurityCategories (2 16 840 1 101 2 1 12 0 1 0)',
- 'hexoid': '06 0B 60 86 48 01 65 02 01 0C 00 01 00',
- 'name': 'tsp1SecurityCategories',
- 'oid': (2,
- 16,
- 840,
- 1,
- 101,
- 2,
- 1,
- 12,
- 0,
- 1,
- 0)},
- (2, 16, 840, 1, 101, 2, 1, 12, 0, 1, 0, 0): {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'tsp1TagSetZero (2 16 840 1 101 2 1 12 0 1 0 0)',
- 'hexoid': '06 0C 60 86 48 01 65 02 01 0C 00 01 00 00',
- 'name': 'tsp1TagSetZero',
- 'oid': (2,
- 16,
- 840,
- 1,
- 101,
- 2,
- 1,
- 12,
- 0,
- 1,
- 0,
- 0)},
- (2, 16, 840, 1, 101, 2, 1, 12, 0, 1, 0, 1): {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'tsp1TagSetOne (2 16 840 1 101 2 1 12 0 1 0 1)',
- 'hexoid': '06 0C 60 86 48 01 65 02 01 0C 00 01 00 01',
- 'name': 'tsp1TagSetOne',
- 'oid': (2,
- 16,
- 840,
- 1,
- 101,
- 2,
- 1,
- 12,
- 0,
- 1,
- 0,
- 1)},
- (2, 16, 840, 1, 101, 2, 1, 12, 0, 1, 0, 2): {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'tsp1TagSetTwo (2 16 840 1 101 2 1 12 0 1 0 2)',
- 'hexoid': '06 0C 60 86 48 01 65 02 01 0C 00 01 00 02',
- 'name': 'tsp1TagSetTwo',
- 'oid': (2,
- 16,
- 840,
- 1,
- 101,
- 2,
- 1,
- 12,
- 0,
- 1,
- 0,
- 2)},
- (2, 16, 840, 1, 101, 2, 1, 12, 0, 2): {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'tsp2 (2 16 840 1 101 2 1 12 0 2)',
- 'hexoid': '06 0A 60 86 48 01 65 02 01 0C 00 02',
- 'name': 'tsp2',
- 'oid': (2,
- 16,
- 840,
- 1,
- 101,
- 2,
- 1,
- 12,
- 0,
- 2)},
- (2, 16, 840, 1, 101, 2, 1, 12, 0, 2, 0): {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'tsp2SecurityCategories (2 16 840 1 101 2 1 12 0 2 0)',
- 'hexoid': '06 0B 60 86 48 01 65 02 01 0C 00 02 00',
- 'name': 'tsp2SecurityCategories',
- 'oid': (2,
- 16,
- 840,
- 1,
- 101,
- 2,
- 1,
- 12,
- 0,
- 2,
- 0)},
- (2, 16, 840, 1, 101, 2, 1, 12, 0, 2, 0, 0): {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'tsp2TagSetZero (2 16 840 1 101 2 1 12 0 2 0 0)',
- 'hexoid': '06 0C 60 86 48 01 65 02 01 0C 00 02 00 00',
- 'name': 'tsp2TagSetZero',
- 'oid': (2,
- 16,
- 840,
- 1,
- 101,
- 2,
- 1,
- 12,
- 0,
- 2,
- 0,
- 0)},
- (2, 16, 840, 1, 101, 2, 1, 12, 0, 2, 0, 1): {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'tsp2TagSetOne (2 16 840 1 101 2 1 12 0 2 0 1)',
- 'hexoid': '06 0C 60 86 48 01 65 02 01 0C 00 02 00 01',
- 'name': 'tsp2TagSetOne',
- 'oid': (2,
- 16,
- 840,
- 1,
- 101,
- 2,
- 1,
- 12,
- 0,
- 2,
- 0,
- 1)},
- (2, 16, 840, 1, 101, 2, 1, 12, 0, 2, 0, 2): {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'tsp2TagSetTwo (2 16 840 1 101 2 1 12 0 2 0 2)',
- 'hexoid': '06 0C 60 86 48 01 65 02 01 0C 00 02 00 02',
- 'name': 'tsp2TagSetTwo',
- 'oid': (2,
- 16,
- 840,
- 1,
- 101,
- 2,
- 1,
- 12,
- 0,
- 2,
- 0,
- 2)},
- (2, 16, 840, 1, 101, 2, 1, 12, 0, 3): {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'kafka (2 16 840 1 101 2 1 12 0 3)',
- 'hexoid': '06 0A 60 86 48 01 65 02 01 0C 00 03',
- 'name': 'kafka',
- 'oid': (2,
- 16,
- 840,
- 1,
- 101,
- 2,
- 1,
- 12,
- 0,
- 3)},
- (2, 16, 840, 1, 101, 2, 1, 12, 0, 3, 0): {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'kafkaSecurityCategories (2 16 840 1 101 2 1 12 0 3 0)',
- 'hexoid': '06 0B 60 86 48 01 65 02 01 0C 00 03 00',
- 'name': 'kafkaSecurityCategories',
- 'oid': (2,
- 16,
- 840,
- 1,
- 101,
- 2,
- 1,
- 12,
- 0,
- 3,
- 0)},
- (2, 16, 840, 1, 101, 2, 1, 12, 0, 3, 0, 1): {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'kafkaTagSetName1 (2 16 840 1 101 2 1 12 0 3 0 1)',
- 'hexoid': '06 0C 60 86 48 01 65 02 01 0C 00 03 00 01',
- 'name': 'kafkaTagSetName1',
- 'oid': (2,
- 16,
- 840,
- 1,
- 101,
- 2,
- 1,
- 12,
- 0,
- 3,
- 0,
- 1)},
- (2, 16, 840, 1, 101, 2, 1, 12, 0, 3, 0, 2): {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'kafkaTagSetName2 (2 16 840 1 101 2 1 12 0 3 0 2)',
- 'hexoid': '06 0C 60 86 48 01 65 02 01 0C 00 03 00 02',
- 'name': 'kafkaTagSetName2',
- 'oid': (2,
- 16,
- 840,
- 1,
- 101,
- 2,
- 1,
- 12,
- 0,
- 3,
- 0,
- 2)},
- (2, 16, 840, 1, 101, 2, 1, 12, 0, 3, 0, 3): {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'kafkaTagSetName3 (2 16 840 1 101 2 1 12 0 3 0 3)',
- 'hexoid': '06 0C 60 86 48 01 65 02 01 0C 00 03 00 03',
- 'name': 'kafkaTagSetName3',
- 'oid': (2,
- 16,
- 840,
- 1,
- 101,
- 2,
- 1,
- 12,
- 0,
- 3,
- 0,
- 3)},
- (2, 16, 840, 1, 101, 2, 1, 12, 1, 1): {'comment': 'SDN.700 INFOSEC test objects',
- 'description': 'tcp1 (2 16 840 1 101 2 1 12 1 1)',
- 'hexoid': '06 0A 60 86 48 01 65 02 01 0C 01 01',
- 'name': 'tcp1',
- 'oid': (2,
- 16,
- 840,
- 1,
- 101,
- 2,
- 1,
- 12,
- 1,
- 1)},
- (2, 16, 840, 1, 101, 3, 2, 1, 3, 1): {'comment': 'Federal Bridge CA Policy',
- 'description': 'FBCA-Rudimentary policyIdentifier (2 16 840 1 101 3 2 1 3 1)',
- 'hexoid': '06 0A 60 86 48 01 65 03 02 01 03 01',
- 'name': 'FBCA-Rudimentary',
- 'oid': (2,
- 16,
- 840,
- 1,
- 101,
- 3,
- 2,
- 1,
- 3,
- 1)},
- (2, 16, 840, 1, 101, 3, 2, 1, 3, 2): {'comment': 'Federal Bridge CA Policy',
- 'description': 'FBCA-Basic policyIdentifier (2 16 840 1 101 3 2 1 3 2)',
- 'hexoid': '06 0A 60 86 48 01 65 03 02 01 03 02',
- 'name': 'FBCA-Basic',
- 'oid': (2,
- 16,
- 840,
- 1,
- 101,
- 3,
- 2,
- 1,
- 3,
- 2)},
- (2, 16, 840, 1, 101, 3, 2, 1, 3, 3): {'comment': 'Federal Bridge CA Policy',
- 'description': 'FBCA-Medium policyIdentifier (2 16 840 1 101 3 2 1 3 3)',
- 'hexoid': '06 0A 60 86 48 01 65 03 02 01 03 03',
- 'name': 'FBCA-Medium',
- 'oid': (2,
- 16,
- 840,
- 1,
- 101,
- 3,
- 2,
- 1,
- 3,
- 3)},
- (2, 16, 840, 1, 101, 3, 2, 1, 3, 4): {'comment': 'Federal Bridge CA Policy',
- 'description': 'FBCA-High policyIdentifier (2 16 840 1 101 3 2 1 3 4)',
- 'hexoid': '06 0A 60 86 48 01 65 03 02 01 03 04',
- 'name': 'FBCA-High',
- 'oid': (2,
- 16,
- 840,
- 1,
- 101,
- 3,
- 2,
- 1,
- 3,
- 4)},
- (2, 16, 840, 1, 101, 3, 4): {'comment': 'NIST Algorithm',
- 'description': 'nistAlgorithm (2 16 840 1 101 3 4)',
- 'hexoid': '06 07 60 86 48 01 65 03 04',
- 'name': 'nistAlgorithm',
- 'oid': (2, 16, 840, 1, 101, 3, 4)},
- (2, 16, 840, 1, 101, 3, 4, 1): {'comment': 'NIST Algorithm',
- 'description': 'aes (2 16 840 1 101 3 4 1)',
- 'hexoid': '06 08 60 86 48 01 65 03 04 01',
- 'name': 'aes',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 1)},
- (2, 16, 840, 1, 101, 3, 4, 1, 1): {'comment': 'NIST Algorithm',
- 'description': 'aes128-ECB (2 16 840 1 101 3 4 1 1)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 01 01',
- 'name': 'aes128-ECB',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 1, 1)},
- (2, 16, 840, 1, 101, 3, 4, 1, 2): {'comment': 'NIST Algorithm',
- 'description': 'aes128-CBC (2 16 840 1 101 3 4 1 2)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 01 02',
- 'name': 'aes128-CBC',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 1, 2)},
- (2, 16, 840, 1, 101, 3, 4, 1, 3): {'comment': 'NIST Algorithm',
- 'description': 'aes128-OFB (2 16 840 1 101 3 4 1 3)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 01 03',
- 'name': 'aes128-OFB',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 1, 3)},
- (2, 16, 840, 1, 101, 3, 4, 1, 4): {'comment': 'NIST Algorithm',
- 'description': 'aes128-CFB (2 16 840 1 101 3 4 1 4)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 01 04',
- 'name': 'aes128-CFB',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 1, 4)},
- (2, 16, 840, 1, 101, 3, 4, 1, 21): {'comment': 'NIST Algorithm',
- 'description': 'aes192-ECB (2 16 840 1 101 3 4 1 21)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 01 15',
- 'name': 'aes192-ECB',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 1, 21)},
- (2, 16, 840, 1, 101, 3, 4, 1, 22): {'comment': 'NIST Algorithm',
- 'description': 'aes192-CBC (2 16 840 1 101 3 4 1 22)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 01 16',
- 'name': 'aes192-CBC',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 1, 22)},
- (2, 16, 840, 1, 101, 3, 4, 1, 23): {'comment': 'NIST Algorithm',
- 'description': 'aes192-OFB (2 16 840 1 101 3 4 1 23)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 01 17',
- 'name': 'aes192-OFB',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 1, 23)},
- (2, 16, 840, 1, 101, 3, 4, 1, 24): {'comment': 'NIST Algorithm',
- 'description': 'aes192-CFB (2 16 840 1 101 3 4 1 24)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 01 18',
- 'name': 'aes192-CFB',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 1, 24)},
- (2, 16, 840, 1, 101, 3, 4, 1, 41): {'comment': 'NIST Algorithm',
- 'description': 'aes256-ECB (2 16 840 1 101 3 4 1 41)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 01 29',
- 'name': 'aes256-ECB',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 1, 41)},
- (2, 16, 840, 1, 101, 3, 4, 1, 42): {'comment': 'NIST Algorithm',
- 'description': 'aes256-CBC (2 16 840 1 101 3 4 1 42)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 01 2A',
- 'name': 'aes256-CBC',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 1, 42)},
- (2, 16, 840, 1, 101, 3, 4, 1, 43): {'comment': 'NIST Algorithm',
- 'description': 'aes256-OFB (2 16 840 1 101 3 4 1 43)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 01 2B',
- 'name': 'aes256-OFB',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 1, 43)},
- (2, 16, 840, 1, 101, 3, 4, 1, 44): {'comment': 'NIST Algorithm',
- 'description': 'aes256-CFB (2 16 840 1 101 3 4 1 44)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 01 2C',
- 'name': 'aes256-CFB',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 1, 44)},
- (2, 16, 840, 1, 101, 3, 4, 2): {'comment': 'NIST Algorithm',
- 'description': 'hashAlgos (2 16 840 1 101 3 4 2)',
- 'hexoid': '06 08 60 86 48 01 65 03 04 02',
- 'name': 'hashAlgos',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 2)},
- (2, 16, 840, 1, 101, 3, 4, 2, 1): {'comment': 'NIST Algorithm',
- 'description': 'sha-256 (2 16 840 1 101 3 4 2 1)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 02 01',
- 'name': 'sha-256',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 2, 1)},
- (2, 16, 840, 1, 101, 3, 4, 2, 2): {'comment': 'NIST Algorithm',
- 'description': 'sha-384 (2 16 840 1 101 3 4 2 2)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 02 02',
- 'name': 'sha-384',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 2, 2)},
- (2, 16, 840, 1, 101, 3, 4, 2, 3): {'comment': 'NIST Algorithm',
- 'description': 'sha-512 (2 16 840 1 101 3 4 2 3)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 02 03',
- 'name': 'sha-512',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 2, 3)},
- (2, 16, 840, 1, 101, 3, 4, 2, 4): {'comment': 'NIST Algorithm',
- 'description': 'sha-224 (2 16 840 1 101 3 4 2 4)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 02 04',
- 'name': 'sha-224',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 2, 4)},
- (2, 16, 840, 1, 101, 3, 4, 3, 1): {'comment': 'NIST Algorithm',
- 'description': 'dsaWithSha224 (2 16 840 1 101 3 4 3 1)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 03 01',
- 'name': 'dsaWithSha224',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 3, 1)},
- (2, 16, 840, 1, 101, 3, 4, 3, 2): {'comment': 'NIST Algorithm',
- 'description': 'dsaWithSha256 (2 16 840 1 101 3 4 3 2)',
- 'hexoid': '06 09 60 86 48 01 65 03 04 03 02',
- 'name': 'dsaWithSha256',
- 'oid': (2, 16, 840, 1, 101, 3, 4, 3, 2)},
- (2, 16, 840, 1, 113719, 1, 2, 8): {'comment': 'Novell',
- 'description': 'novellAlgorithm (2 16 840 1 113719 1 2 8)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 37 01 02 08',
- 'name': 'novellAlgorithm',
- 'oid': (2, 16, 840, 1, 113719, 1, 2, 8)},
- (2, 16, 840, 1, 113719, 1, 2, 8, 22): {'comment': 'Novell encryption algorithm',
- 'description': 'desCbcIV8 (2 16 840 1 113719 1 2 8 22)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 16',
- 'name': 'desCbcIV8',
- 'oid': (2,
- 16,
- 840,
- 1,
- 113719,
- 1,
- 2,
- 8,
- 22)},
- (2, 16, 840, 1, 113719, 1, 2, 8, 23): {'comment': 'Novell encryption algorithm',
- 'description': 'desCbcPadIV8 (2 16 840 1 113719 1 2 8 23)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 17',
- 'name': 'desCbcPadIV8',
- 'oid': (2,
- 16,
- 840,
- 1,
- 113719,
- 1,
- 2,
- 8,
- 23)},
- (2, 16, 840, 1, 113719, 1, 2, 8, 24): {'comment': 'Novell encryption algorithm',
- 'description': 'desEDE2CbcIV8 (2 16 840 1 113719 1 2 8 24)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 18',
- 'name': 'desEDE2CbcIV8',
- 'oid': (2,
- 16,
- 840,
- 1,
- 113719,
- 1,
- 2,
- 8,
- 24)},
- (2, 16, 840, 1, 113719, 1, 2, 8, 25): {'comment': 'Novell encryption algorithm',
- 'description': 'desEDE2CbcPadIV8 (2 16 840 1 113719 1 2 8 25)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 19',
- 'name': 'desEDE2CbcPadIV8',
- 'oid': (2,
- 16,
- 840,
- 1,
- 113719,
- 1,
- 2,
- 8,
- 25)},
- (2, 16, 840, 1, 113719, 1, 2, 8, 26): {'comment': 'Novell encryption algorithm',
- 'description': 'desEDE3CbcIV8 (2 16 840 1 113719 1 2 8 26)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 1A',
- 'name': 'desEDE3CbcIV8',
- 'oid': (2,
- 16,
- 840,
- 1,
- 113719,
- 1,
- 2,
- 8,
- 26)},
- (2, 16, 840, 1, 113719, 1, 2, 8, 27): {'comment': 'Novell encryption algorithm',
- 'description': 'desEDE3CbcPadIV8 (2 16 840 1 113719 1 2 8 27)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 1B',
- 'name': 'desEDE3CbcPadIV8',
- 'oid': (2,
- 16,
- 840,
- 1,
- 113719,
- 1,
- 2,
- 8,
- 27)},
- (2, 16, 840, 1, 113719, 1, 2, 8, 28): {'comment': 'Novell encryption algorithm',
- 'description': 'rc5CbcPad (2 16 840 1 113719 1 2 8 28)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 1C',
- 'name': 'rc5CbcPad',
- 'oid': (2,
- 16,
- 840,
- 1,
- 113719,
- 1,
- 2,
- 8,
- 28)},
- (2, 16, 840, 1, 113719, 1, 2, 8, 29): {'comment': 'Novell signature algorithm',
- 'description': 'md2WithRSAEncryptionBSafe1 (2 16 840 1 113719 1 2 8 29)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 1D',
- 'name': 'md2WithRSAEncryptionBSafe1',
- 'oid': (2,
- 16,
- 840,
- 1,
- 113719,
- 1,
- 2,
- 8,
- 29)},
- (2, 16, 840, 1, 113719, 1, 2, 8, 30): {'comment': 'Novell signature algorithm',
- 'description': 'md5WithRSAEncryptionBSafe1 (2 16 840 1 113719 1 2 8 30)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 1E',
- 'name': 'md5WithRSAEncryptionBSafe1',
- 'oid': (2,
- 16,
- 840,
- 1,
- 113719,
- 1,
- 2,
- 8,
- 30)},
- (2, 16, 840, 1, 113719, 1, 2, 8, 31): {'comment': 'Novell signature algorithm',
- 'description': 'sha1WithRSAEncryptionBSafe1 (2 16 840 1 113719 1 2 8 31)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 1F',
- 'name': 'sha1WithRSAEncryptionBSafe1',
- 'oid': (2,
- 16,
- 840,
- 1,
- 113719,
- 1,
- 2,
- 8,
- 31)},
- (2, 16, 840, 1, 113719, 1, 2, 8, 32): {'comment': 'Novell digest algorithm',
- 'description': 'LMDigest (2 16 840 1 113719 1 2 8 32)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 20',
- 'name': 'LMDigest',
- 'oid': (2,
- 16,
- 840,
- 1,
- 113719,
- 1,
- 2,
- 8,
- 32)},
- (2, 16, 840, 1, 113719, 1, 2, 8, 40): {'comment': 'Novell digest algorithm',
- 'description': 'MD2 (2 16 840 1 113719 1 2 8 40)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 28',
- 'name': 'MD2',
- 'oid': (2,
- 16,
- 840,
- 1,
- 113719,
- 1,
- 2,
- 8,
- 40)},
- (2, 16, 840, 1, 113719, 1, 2, 8, 50): {'comment': 'Novell digest algorithm',
- 'description': 'MD5 (2 16 840 1 113719 1 2 8 50)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 32',
- 'name': 'MD5',
- 'oid': (2,
- 16,
- 840,
- 1,
- 113719,
- 1,
- 2,
- 8,
- 50)},
- (2, 16, 840, 1, 113719, 1, 2, 8, 51): {'comment': 'Novell signature algorithm',
- 'description': 'IKEhmacWithSHA1-RSA (2 16 840 1 113719 1 2 8 51)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 33',
- 'name': 'IKEhmacWithSHA1-RSA',
- 'oid': (2,
- 16,
- 840,
- 1,
- 113719,
- 1,
- 2,
- 8,
- 51)},
- (2, 16, 840, 1, 113719, 1, 2, 8, 52): {'comment': 'Novell signature algorithm',
- 'description': 'IKEhmacWithMD5-RSA (2 16 840 1 113719 1 2 8 52)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 34',
- 'name': 'IKEhmacWithMD5-RSA',
- 'oid': (2,
- 16,
- 840,
- 1,
- 113719,
- 1,
- 2,
- 8,
- 52)},
- (2, 16, 840, 1, 113719, 1, 2, 8, 69): {'comment': 'Novell encryption algorithm',
- 'description': 'rc2CbcPad (2 16 840 1 113719 1 2 8 69)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 45',
- 'name': 'rc2CbcPad',
- 'oid': (2,
- 16,
- 840,
- 1,
- 113719,
- 1,
- 2,
- 8,
- 69)},
- (2, 16, 840, 1, 113719, 1, 2, 8, 82): {'comment': 'Novell digest algorithm',
- 'description': 'SHA-1 (2 16 840 1 113719 1 2 8 82)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 52',
- 'name': 'SHA-1',
- 'oid': (2,
- 16,
- 840,
- 1,
- 113719,
- 1,
- 2,
- 8,
- 82)},
- (2, 16, 840, 1, 113719, 1, 2, 8, 92): {'comment': 'Novell encryption algorithm',
- 'description': 'rc2BSafe1Cbc (2 16 840 1 113719 1 2 8 92)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 5C',
- 'name': 'rc2BSafe1Cbc',
- 'oid': (2,
- 16,
- 840,
- 1,
- 113719,
- 1,
- 2,
- 8,
- 92)},
- (2, 16, 840, 1, 113719, 1, 2, 8, 95): {'comment': 'Novell digest algorithm',
- 'description': 'MD4 (2 16 840 1 113719 1 2 8 95)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 02 08 5F',
- 'name': 'MD4',
- 'oid': (2,
- 16,
- 840,
- 1,
- 113719,
- 1,
- 2,
- 8,
- 95)},
- (2, 16, 840, 1, 113719, 1, 2, 8, 130): {'comment': 'Novell keyed hash',
- 'description': 'MD4Packet (2 16 840 1 113719 1 2 8 130)',
- 'hexoid': '06 0C 60 86 48 01 86 F8 37 01 02 08 81 02',
- 'name': 'MD4Packet',
- 'oid': (2,
- 16,
- 840,
- 1,
- 113719,
- 1,
- 2,
- 8,
- 130)},
- (2, 16, 840, 1, 113719, 1, 2, 8, 131): {'comment': 'Novell encryption algorithm',
- 'description': 'rsaEncryptionBsafe1 (2 16 840 1 113719 1 2 8 131)',
- 'hexoid': '06 0C 60 86 48 01 86 F8 37 01 02 08 81 03',
- 'name': 'rsaEncryptionBsafe1',
- 'oid': (2,
- 16,
- 840,
- 1,
- 113719,
- 1,
- 2,
- 8,
- 131)},
- (2, 16, 840, 1, 113719, 1, 2, 8, 132): {'comment': 'Novell encryption algorithm',
- 'description': 'NWPassword (2 16 840 1 113719 1 2 8 132)',
- 'hexoid': '06 0C 60 86 48 01 86 F8 37 01 02 08 81 04',
- 'name': 'NWPassword',
- 'oid': (2,
- 16,
- 840,
- 1,
- 113719,
- 1,
- 2,
- 8,
- 132)},
- (2, 16, 840, 1, 113719, 1, 2, 8, 133): {'comment': 'Novell encryption algorithm',
- 'description': 'novellObfuscate-1 (2 16 840 1 113719 1 2 8 133)',
- 'hexoid': '06 0C 60 86 48 01 86 F8 37 01 02 08 81 05',
- 'name': 'novellObfuscate-1',
- 'oid': (2,
- 16,
- 840,
- 1,
- 113719,
- 1,
- 2,
- 8,
- 133)},
- (2, 16, 840, 1, 113719, 1, 9): {'comment': 'Novell',
- 'description': 'pki (2 16 840 1 113719 1 9)',
- 'hexoid': '06 09 60 86 48 01 86 F8 37 01 09',
- 'name': 'pki',
- 'oid': (2, 16, 840, 1, 113719, 1, 9)},
- (2, 16, 840, 1, 113719, 1, 9, 4): {'comment': 'Novell PKI',
- 'description': 'pkiAttributeType (2 16 840 1 113719 1 9 4)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 37 01 09 04',
- 'name': 'pkiAttributeType',
- 'oid': (2, 16, 840, 1, 113719, 1, 9, 4)},
- (2, 16, 840, 1, 113719, 1, 9, 4, 1): {'comment': 'Novell PKI attribute type',
- 'description': 'securityAttributes (2 16 840 1 113719 1 9 4 1)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 09 04 01',
- 'name': 'securityAttributes',
- 'oid': (2,
- 16,
- 840,
- 1,
- 113719,
- 1,
- 9,
- 4,
- 1)},
- (2, 16, 840, 1, 113719, 1, 9, 4, 2): {'comment': 'Novell PKI attribute type',
- 'description': 'relianceLimit (2 16 840 1 113719 1 9 4 2)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 37 01 09 04 02',
- 'name': 'relianceLimit',
- 'oid': (2,
- 16,
- 840,
- 1,
- 113719,
- 1,
- 9,
- 4,
- 2)},
- (2, 16, 840, 1, 113730, 1): {'comment': 'Netscape',
- 'description': 'cert-extension (2 16 840 1 113730 1)',
- 'hexoid': '06 08 60 86 48 01 86 F8 42 01',
- 'name': 'cert-extension',
- 'oid': (2, 16, 840, 1, 113730, 1)},
- (2, 16, 840, 1, 113730, 1, 1): {'comment': 'Netscape certificate extension',
- 'description': 'netscape-cert-type (2 16 840 1 113730 1 1)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 01 01',
- 'name': 'netscape-cert-type',
- 'oid': (2, 16, 840, 1, 113730, 1, 1)},
- (2, 16, 840, 1, 113730, 1, 2): {'comment': 'Netscape certificate extension',
- 'description': 'netscape-base-url (2 16 840 1 113730 1 2)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 01 02',
- 'name': 'netscape-base-url',
- 'oid': (2, 16, 840, 1, 113730, 1, 2)},
- (2, 16, 840, 1, 113730, 1, 3): {'comment': 'Netscape certificate extension',
- 'description': 'netscape-revocation-url (2 16 840 1 113730 1 3)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 01 03',
- 'name': 'netscape-revocation-url',
- 'oid': (2, 16, 840, 1, 113730, 1, 3)},
- (2, 16, 840, 1, 113730, 1, 4): {'comment': 'Netscape certificate extension',
- 'description': 'netscape-ca-revocation-url (2 16 840 1 113730 1 4)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 01 04',
- 'name': 'netscape-ca-revocation-url',
- 'oid': (2, 16, 840, 1, 113730, 1, 4)},
- (2, 16, 840, 1, 113730, 1, 7): {'comment': 'Netscape certificate extension',
- 'description': 'netscape-cert-renewal-url (2 16 840 1 113730 1 7)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 01 07',
- 'name': 'netscape-cert-renewal-url',
- 'oid': (2, 16, 840, 1, 113730, 1, 7)},
- (2, 16, 840, 1, 113730, 1, 8): {'comment': 'Netscape certificate extension',
- 'description': 'netscape-ca-policy-url (2 16 840 1 113730 1 8)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 01 08',
- 'name': 'netscape-ca-policy-url',
- 'oid': (2, 16, 840, 1, 113730, 1, 8)},
- (2, 16, 840, 1, 113730, 1, 9): {'comment': 'Netscape certificate extension',
- 'description': 'HomePage-url (2 16 840 1 113730 1 9)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 01 09',
- 'name': 'HomePage-url',
- 'oid': (2, 16, 840, 1, 113730, 1, 9)},
- (2, 16, 840, 1, 113730, 1, 10): {'comment': 'Netscape certificate extension',
- 'description': 'EntityLogo (2 16 840 1 113730 1 10)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 01 0A',
- 'name': 'EntityLogo',
- 'oid': (2, 16, 840, 1, 113730, 1, 10)},
- (2, 16, 840, 1, 113730, 1, 11): {'comment': 'Netscape certificate extension',
- 'description': 'UserPicture (2 16 840 1 113730 1 11)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 01 0B',
- 'name': 'UserPicture',
- 'oid': (2, 16, 840, 1, 113730, 1, 11)},
- (2, 16, 840, 1, 113730, 1, 12): {'comment': 'Netscape certificate extension',
- 'description': 'netscape-ssl-server-name (2 16 840 1 113730 1 12)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 01 0C',
- 'name': 'netscape-ssl-server-name',
- 'oid': (2, 16, 840, 1, 113730, 1, 12)},
- (2, 16, 840, 1, 113730, 1, 13): {'comment': 'Netscape certificate extension',
- 'description': 'netscape-comment (2 16 840 1 113730 1 13)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 01 0D',
- 'name': 'netscape-comment',
- 'oid': (2, 16, 840, 1, 113730, 1, 13)},
- (2, 16, 840, 1, 113730, 2): {'comment': 'Netscape',
- 'description': 'data-type (2 16 840 1 113730 2)',
- 'hexoid': '06 08 60 86 48 01 86 F8 42 02',
- 'name': 'data-type',
- 'oid': (2, 16, 840, 1, 113730, 2)},
- (2, 16, 840, 1, 113730, 2, 1): {'comment': 'Netscape data type',
- 'description': 'dataGIF (2 16 840 1 113730 2 1)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 02 01',
- 'name': 'dataGIF',
- 'oid': (2, 16, 840, 1, 113730, 2, 1)},
- (2, 16, 840, 1, 113730, 2, 2): {'comment': 'Netscape data type',
- 'description': 'dataJPEG (2 16 840 1 113730 2 2)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 02 02',
- 'name': 'dataJPEG',
- 'oid': (2, 16, 840, 1, 113730, 2, 2)},
- (2, 16, 840, 1, 113730, 2, 3): {'comment': 'Netscape data type',
- 'description': 'dataURL (2 16 840 1 113730 2 3)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 02 03',
- 'name': 'dataURL',
- 'oid': (2, 16, 840, 1, 113730, 2, 3)},
- (2, 16, 840, 1, 113730, 2, 4): {'comment': 'Netscape data type',
- 'description': 'dataHTML (2 16 840 1 113730 2 4)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 02 04',
- 'name': 'dataHTML',
- 'oid': (2, 16, 840, 1, 113730, 2, 4)},
- (2, 16, 840, 1, 113730, 2, 5): {'comment': 'Netscape data type',
- 'description': 'certSequence (2 16 840 1 113730 2 5)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 02 05',
- 'name': 'certSequence',
- 'oid': (2, 16, 840, 1, 113730, 2, 5)},
- (2, 16, 840, 1, 113730, 2, 6): {'comment': 'Netscape certificate extension',
- 'description': 'certURL (2 16 840 1 113730 2 6)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 02 06',
- 'name': 'certURL',
- 'oid': (2, 16, 840, 1, 113730, 2, 6)},
- (2, 16, 840, 1, 113730, 3): {'comment': 'Netscape',
- 'description': 'directory (2 16 840 1 113730 3)',
- 'hexoid': '06 08 60 86 48 01 86 F8 42 03',
- 'name': 'directory',
- 'oid': (2, 16, 840, 1, 113730, 3)},
- (2, 16, 840, 1, 113730, 3, 1): {'comment': 'Netscape directory',
- 'description': 'ldapDefinitions (2 16 840 1 113730 3 1)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 03 01',
- 'name': 'ldapDefinitions',
- 'oid': (2, 16, 840, 1, 113730, 3, 1)},
- (2, 16, 840, 1, 113730, 3, 1, 1): {'comment': 'Netscape LDAP definitions',
- 'description': 'carLicense (2 16 840 1 113730 3 1 1)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 42 03 01 01',
- 'name': 'carLicense',
- 'oid': (2, 16, 840, 1, 113730, 3, 1, 1)},
- (2, 16, 840, 1, 113730, 3, 1, 2): {'comment': 'Netscape LDAP definitions',
- 'description': 'departmentNumber (2 16 840 1 113730 3 1 2)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 42 03 01 02',
- 'name': 'departmentNumber',
- 'oid': (2, 16, 840, 1, 113730, 3, 1, 2)},
- (2, 16, 840, 1, 113730, 3, 1, 3): {'comment': 'Netscape LDAP definitions',
- 'description': 'employeeNumber (2 16 840 1 113730 3 1 3)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 42 03 01 03',
- 'name': 'employeeNumber',
- 'oid': (2, 16, 840, 1, 113730, 3, 1, 3)},
- (2, 16, 840, 1, 113730, 3, 1, 4): {'comment': 'Netscape LDAP definitions',
- 'description': 'employeeType (2 16 840 1 113730 3 1 4)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 42 03 01 04',
- 'name': 'employeeType',
- 'oid': (2, 16, 840, 1, 113730, 3, 1, 4)},
- (2, 16, 840, 1, 113730, 3, 2, 2): {'comment': 'Netscape LDAP definitions',
- 'description': 'inetOrgPerson (2 16 840 1 113730 3 2 2)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 42 03 02 02',
- 'name': 'inetOrgPerson',
- 'oid': (2, 16, 840, 1, 113730, 3, 2, 2)},
- (2, 16, 840, 1, 113730, 4, 1): {'comment': 'Netscape',
- 'description': 'serverGatedCrypto (2 16 840 1 113730 4 1)',
- 'hexoid': '06 09 60 86 48 01 86 F8 42 04 01',
- 'name': 'serverGatedCrypto',
- 'oid': (2, 16, 840, 1, 113730, 4, 1)},
- (2, 16, 840, 1, 113733, 1): {'comment': 'Verisign extension',
- 'description': 'pki (2 16 840 1 113733 1)',
- 'hexoid': '06 08 60 86 48 01 86 F8 45 01',
- 'name': 'pki',
- 'oid': (2, 16, 840, 1, 113733, 1)},
- (2, 16, 840, 1, 113733, 1, 6, 3): {'comment': 'Verisign extension',
- 'description': 'verisignCZAG (2 16 840 1 113733 1 6 3)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 45 01 06 03',
- 'name': 'verisignCZAG',
- 'oid': (2, 16, 840, 1, 113733, 1, 6, 3)},
- (2, 16, 840, 1, 113733, 1, 6, 6): {'comment': 'Verisign extension',
- 'description': 'verisignInBox (2 16 840 1 113733 1 6 6)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 45 01 06 06',
- 'name': 'verisignInBox',
- 'oid': (2, 16, 840, 1, 113733, 1, 6, 6)},
- (2, 16, 840, 1, 113733, 1, 6, 11): {'comment': 'Verisign extension',
- 'description': 'Unknown Verisign VPN extension (2 16 840 1 113733 1 6 11)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 45 01 06 0B',
- 'name': 'Unknown',
- 'oid': (2, 16, 840, 1, 113733, 1, 6, 11)},
- (2, 16, 840, 1, 113733, 1, 6, 13): {'comment': 'Verisign extension',
- 'description': 'Unknown Verisign VPN extension (2 16 840 1 113733 1 6 13)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 45 01 06 0D',
- 'name': 'Unknown',
- 'oid': (2, 16, 840, 1, 113733, 1, 6, 13)},
- (2, 16, 840, 1, 113733, 1, 6, 15): {'comment': 'Verisign extension',
- 'description': 'Verisign serverID (2 16 840 1 113733 1 6 15)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 45 01 06 0F',
- 'name': 'Verisign',
- 'oid': (2, 16, 840, 1, 113733, 1, 6, 15)},
- (2, 16, 840, 1, 113733, 1, 7, 1, 1): {'comment': 'Verisign policy',
- 'description': 'Verisign policyIdentifier (2 16 840 1 113733 1 7 1 1)',
- 'hexoid': '06 0B 60 86 48 01 86 F8 45 01 07 01 01',
- 'name': 'Verisign',
- 'oid': (2,
- 16,
- 840,
- 1,
- 113733,
- 1,
- 7,
- 1,
- 1)},
- (2, 16, 840, 1, 113733, 1, 7, 1, 1, 1): {'comment': 'Verisign policy (obsolete)',
- 'description': 'verisignCPSv1notice (2 16 840 1 113733 1 7 1 1 1)',
- 'hexoid': '06 0C 60 86 48 01 86 F8 45 01 07 01 01 01',
- 'name': 'verisignCPSv1notice',
- 'oid': (2,
- 16,
- 840,
- 1,
- 113733,
- 1,
- 7,
- 1,
- 1,
- 1)},
- (2, 16, 840, 1, 113733, 1, 7, 1, 1, 2): {'comment': 'Verisign policy (obsolete)',
- 'description': 'verisignCPSv1nsi (2 16 840 1 113733 1 7 1 1 2)',
- 'hexoid': '06 0C 60 86 48 01 86 F8 45 01 07 01 01 02',
- 'name': 'verisignCPSv1nsi',
- 'oid': (2,
- 16,
- 840,
- 1,
- 113733,
- 1,
- 7,
- 1,
- 1,
- 2)},
- (2, 16, 840, 1, 113733, 1, 8, 1): {'comment': 'Verisign',
- 'description': 'Verisign SGC CA? (2 16 840 1 113733 1 8 1)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 45 01 08 01',
- 'name': 'Verisign',
- 'oid': (2, 16, 840, 1, 113733, 1, 8, 1)},
- (2, 16, 840, 1, 113733, 1, 9): {'comment': 'Verisign PKI extension',
- 'description': 'pkcs7Attribute (2 16 840 1 113733 1 9)',
- 'hexoid': '06 09 60 86 48 01 86 F8 45 01 09',
- 'name': 'pkcs7Attribute',
- 'oid': (2, 16, 840, 1, 113733, 1, 9)},
- (2, 16, 840, 1, 113733, 1, 9, 2): {'comment': 'Verisign PKCS #7 attribute',
- 'description': 'messageType (2 16 840 1 113733 1 9 2)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 45 01 09 02',
- 'name': 'messageType',
- 'oid': (2, 16, 840, 1, 113733, 1, 9, 2)},
- (2, 16, 840, 1, 113733, 1, 9, 3): {'comment': 'Verisign PKCS #7 attribute',
- 'description': 'pkiStatus (2 16 840 1 113733 1 9 3)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 45 01 09 03',
- 'name': 'pkiStatus',
- 'oid': (2, 16, 840, 1, 113733, 1, 9, 3)},
- (2, 16, 840, 1, 113733, 1, 9, 4): {'comment': 'Verisign PKCS #7 attribute',
- 'description': 'failInfo (2 16 840 1 113733 1 9 4)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 45 01 09 04',
- 'name': 'failInfo',
- 'oid': (2, 16, 840, 1, 113733, 1, 9, 4)},
- (2, 16, 840, 1, 113733, 1, 9, 5): {'comment': 'Verisign PKCS #7 attribute',
- 'description': 'senderNonce (2 16 840 1 113733 1 9 5)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 45 01 09 05',
- 'name': 'senderNonce',
- 'oid': (2, 16, 840, 1, 113733, 1, 9, 5)},
- (2, 16, 840, 1, 113733, 1, 9, 6): {'comment': 'Verisign PKCS #7 attribute',
- 'description': 'recipientNonce (2 16 840 1 113733 1 9 6)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 45 01 09 06',
- 'name': 'recipientNonce',
- 'oid': (2, 16, 840, 1, 113733, 1, 9, 6)},
- (2, 16, 840, 1, 113733, 1, 9, 7): {'comment': 'Verisign PKCS #7 attribute',
- 'description': 'transID (2 16 840 1 113733 1 9 7)',
- 'hexoid': '06 0A 60 86 48 01 86 F8 45 01 09 07',
- 'name': 'transID',
- 'oid': (2, 16, 840, 1, 113733, 1, 9, 7)},
- (2, 23, 42, 0): {'comment': 'SET',
- 'description': 'contentType (2 23 42 0)',
- 'hexoid': '06 03 67 2A 00',
- 'name': 'contentType',
- 'oid': (2, 23, 42, 0)},
- (2, 23, 42, 0, 0): {'comment': 'SET contentType',
- 'description': 'PANData (2 23 42 0 0)',
- 'hexoid': '06 04 67 2A 00 00',
- 'name': 'PANData',
- 'oid': (2, 23, 42, 0, 0)},
- (2, 23, 42, 0, 1): {'comment': 'SET contentType',
- 'description': 'PANToken (2 23 42 0 1)',
- 'hexoid': '06 04 67 2A 00 01',
- 'name': 'PANToken',
- 'oid': (2, 23, 42, 0, 1)},
- (2, 23, 42, 0, 2): {'comment': 'SET contentType',
- 'description': 'PANOnly (2 23 42 0 2)',
- 'hexoid': '06 04 67 2A 00 02',
- 'name': 'PANOnly',
- 'oid': (2, 23, 42, 0, 2)},
- (2, 23, 42, 1): {'comment': 'SET',
- 'description': 'msgExt (2 23 42 1)',
- 'hexoid': '06 03 67 2A 01',
- 'name': 'msgExt',
- 'oid': (2, 23, 42, 1)},
- (2, 23, 42, 2): {'comment': 'SET',
- 'description': 'field (2 23 42 2)',
- 'hexoid': '06 03 67 2A 02',
- 'name': 'field',
- 'oid': (2, 23, 42, 2)},
- (2, 23, 42, 2, 0): {'comment': 'SET field',
- 'description': 'fullName (2 23 42 2 0)',
- 'hexoid': '06 04 67 2A 02 00',
- 'name': 'fullName',
- 'oid': (2, 23, 42, 2, 0)},
- (2, 23, 42, 2, 1): {'comment': 'SET field',
- 'description': 'givenName (2 23 42 2 1)',
- 'hexoid': '06 04 67 2A 02 01',
- 'name': 'givenName',
- 'oid': (2, 23, 42, 2, 1)},
- (2, 23, 42, 2, 2): {'comment': 'SET field',
- 'description': 'familyName (2 23 42 2 2)',
- 'hexoid': '06 04 67 2A 02 02',
- 'name': 'familyName',
- 'oid': (2, 23, 42, 2, 2)},
- (2, 23, 42, 2, 3): {'comment': 'SET field',
- 'description': 'birthFamilyName (2 23 42 2 3)',
- 'hexoid': '06 04 67 2A 02 03',
- 'name': 'birthFamilyName',
- 'oid': (2, 23, 42, 2, 3)},
- (2, 23, 42, 2, 4): {'comment': 'SET field',
- 'description': 'placeName (2 23 42 2 4)',
- 'hexoid': '06 04 67 2A 02 04',
- 'name': 'placeName',
- 'oid': (2, 23, 42, 2, 4)},
- (2, 23, 42, 2, 5): {'comment': 'SET field',
- 'description': 'identificationNumber (2 23 42 2 5)',
- 'hexoid': '06 04 67 2A 02 05',
- 'name': 'identificationNumber',
- 'oid': (2, 23, 42, 2, 5)},
- (2, 23, 42, 2, 6): {'comment': 'SET field',
- 'description': 'month (2 23 42 2 6)',
- 'hexoid': '06 04 67 2A 02 06',
- 'name': 'month',
- 'oid': (2, 23, 42, 2, 6)},
- (2, 23, 42, 2, 7): {'comment': 'SET field',
- 'description': 'date (2 23 42 2 7)',
- 'hexoid': '06 04 67 2A 02 07',
- 'name': 'date',
- 'oid': (2, 23, 42, 2, 7)},
- (2, 23, 42, 2, 8): {'comment': 'SET field',
- 'description': 'address (2 23 42 2 8)',
- 'hexoid': '06 04 67 2A 02 08',
- 'name': 'address',
- 'oid': (2, 23, 42, 2, 8)},
- (2, 23, 42, 2, 9): {'comment': 'SET field',
- 'description': 'telephone (2 23 42 2 9)',
- 'hexoid': '06 04 67 2A 02 09',
- 'name': 'telephone',
- 'oid': (2, 23, 42, 2, 9)},
- (2, 23, 42, 2, 10): {'comment': 'SET field',
- 'description': 'amount (2 23 42 2 10)',
- 'hexoid': '06 04 67 2A 02 0A',
- 'name': 'amount',
- 'oid': (2, 23, 42, 2, 10)},
- (2, 23, 42, 2, 11): {'comment': 'SET field',
- 'description': 'accountNumber (2 23 42 2 11)',
- 'hexoid': '06 04 67 2A 02 0B',
- 'name': 'accountNumber',
- 'oid': (2, 23, 42, 2, 11)},
- (2, 23, 42, 2, 12): {'comment': 'SET field',
- 'description': 'passPhrase (2 23 42 2 12)',
- 'hexoid': '06 04 67 2A 02 0C',
- 'name': 'passPhrase',
- 'oid': (2, 23, 42, 2, 12)},
- (2, 23, 42, 3): {'comment': 'SET',
- 'description': 'attribute (2 23 42 3)',
- 'hexoid': '06 03 67 2A 03',
- 'name': 'attribute',
- 'oid': (2, 23, 42, 3)},
- (2, 23, 42, 3, 0): {'comment': 'SET attribute',
- 'description': 'cert (2 23 42 3 0)',
- 'hexoid': '06 04 67 2A 03 00',
- 'name': 'cert',
- 'oid': (2, 23, 42, 3, 0)},
- (2, 23, 42, 3, 0, 0): {'comment': 'SET cert attribute',
- 'description': 'rootKeyThumb (2 23 42 3 0 0)',
- 'hexoid': '06 05 67 2A 03 00 00',
- 'name': 'rootKeyThumb',
- 'oid': (2, 23, 42, 3, 0, 0)},
- (2, 23, 42, 3, 0, 1): {'comment': 'SET cert attribute',
- 'description': 'additionalPolicy (2 23 42 3 0 1)',
- 'hexoid': '06 05 67 2A 03 00 01',
- 'name': 'additionalPolicy',
- 'oid': (2, 23, 42, 3, 0, 1)},
- (2, 23, 42, 4): {'comment': 'SET',
- 'description': 'algorithm (2 23 42 4)',
- 'hexoid': '06 03 67 2A 04',
- 'name': 'algorithm',
- 'oid': (2, 23, 42, 4)},
- (2, 23, 42, 5): {'comment': 'SET',
- 'description': 'policy (2 23 42 5)',
- 'hexoid': '06 03 67 2A 05',
- 'name': 'policy',
- 'oid': (2, 23, 42, 5)},
- (2, 23, 42, 5, 0): {'comment': 'SET policy',
- 'description': 'root (2 23 42 5 0)',
- 'hexoid': '06 04 67 2A 05 00',
- 'name': 'root',
- 'oid': (2, 23, 42, 5, 0)},
- (2, 23, 42, 6): {'comment': 'SET',
- 'description': 'module (2 23 42 6)',
- 'hexoid': '06 03 67 2A 06',
- 'name': 'module',
- 'oid': (2, 23, 42, 6)},
- (2, 23, 42, 7): {'comment': 'SET',
- 'description': 'certExt (2 23 42 7)',
- 'hexoid': '06 03 67 2A 07',
- 'name': 'certExt',
- 'oid': (2, 23, 42, 7)},
- (2, 23, 42, 7, 0): {'comment': 'SET cert extension',
- 'description': 'hashedRootKey (2 23 42 7 0)',
- 'hexoid': '06 04 67 2A 07 00',
- 'name': 'hashedRootKey',
- 'oid': (2, 23, 42, 7, 0)},
- (2, 23, 42, 7, 1): {'comment': 'SET cert extension',
- 'description': 'certificateType (2 23 42 7 1)',
- 'hexoid': '06 04 67 2A 07 01',
- 'name': 'certificateType',
- 'oid': (2, 23, 42, 7, 1)},
- (2, 23, 42, 7, 2): {'comment': 'SET cert extension',
- 'description': 'merchantData (2 23 42 7 2)',
- 'hexoid': '06 04 67 2A 07 02',
- 'name': 'merchantData',
- 'oid': (2, 23, 42, 7, 2)},
- (2, 23, 42, 7, 3): {'comment': 'SET cert extension',
- 'description': 'cardCertRequired (2 23 42 7 3)',
- 'hexoid': '06 04 67 2A 07 03',
- 'name': 'cardCertRequired',
- 'oid': (2, 23, 42, 7, 3)},
- (2, 23, 42, 7, 4): {'comment': 'SET cert extension',
- 'description': 'tunneling (2 23 42 7 4)',
- 'hexoid': '06 04 67 2A 07 04',
- 'name': 'tunneling',
- 'oid': (2, 23, 42, 7, 4)},
- (2, 23, 42, 7, 5): {'comment': 'SET cert extension',
- 'description': 'setExtensions (2 23 42 7 5)',
- 'hexoid': '06 04 67 2A 07 05',
- 'name': 'setExtensions',
- 'oid': (2, 23, 42, 7, 5)},
- (2, 23, 42, 7, 6): {'comment': 'SET cert extension',
- 'description': 'setQualifier (2 23 42 7 6)',
- 'hexoid': '06 04 67 2A 07 06',
- 'name': 'setQualifier',
- 'oid': (2, 23, 42, 7, 6)},
- (2, 23, 42, 8): {'comment': 'SET',
- 'description': 'brand (2 23 42 8)',
- 'hexoid': '06 03 67 2A 08',
- 'name': 'brand',
- 'oid': (2, 23, 42, 8)},
- (2, 23, 42, 8, 1): {'comment': 'SET brand',
- 'description': 'IATA-ATA (2 23 42 8 1)',
- 'hexoid': '06 04 67 2A 08 01',
- 'name': 'IATA-ATA',
- 'oid': (2, 23, 42, 8, 1)},
- (2, 23, 42, 8, 4): {'comment': 'SET brand',
- 'description': 'VISA (2 23 42 8 4)',
- 'hexoid': '06 04 67 2A 08 04',
- 'name': 'VISA',
- 'oid': (2, 23, 42, 8, 4)},
- (2, 23, 42, 8, 5): {'comment': 'SET brand',
- 'description': 'MasterCard (2 23 42 8 5)',
- 'hexoid': '06 04 67 2A 08 05',
- 'name': 'MasterCard',
- 'oid': (2, 23, 42, 8, 5)},
- (2, 23, 42, 8, 30): {'comment': 'SET brand',
- 'description': 'Diners (2 23 42 8 30)',
- 'hexoid': '06 04 67 2A 08 1E',
- 'name': 'Diners',
- 'oid': (2, 23, 42, 8, 30)},
- (2, 23, 42, 8, 34): {'comment': 'SET brand',
- 'description': 'AmericanExpress (2 23 42 8 34)',
- 'hexoid': '06 04 67 2A 08 22',
- 'name': 'AmericanExpress',
- 'oid': (2, 23, 42, 8, 34)},
- (2, 23, 42, 8, 6011): {'comment': 'SET brand',
- 'description': 'Novus (2 23 42 8 6011)',
- 'hexoid': '06 05 67 2A 08 AE 7B',
- 'name': 'Novus',
- 'oid': (2, 23, 42, 8, 6011)},
- (2, 23, 42, 9): {'comment': 'SET',
- 'description': 'vendor (2 23 42 9)',
- 'hexoid': '06 03 67 2A 09',
- 'name': 'vendor',
- 'oid': (2, 23, 42, 9)},
- (2, 23, 42, 9, 0): {'comment': 'SET vendor',
- 'description': 'GlobeSet (2 23 42 9 0)',
- 'hexoid': '06 04 67 2A 09 00',
- 'name': 'GlobeSet',
- 'oid': (2, 23, 42, 9, 0)},
- (2, 23, 42, 9, 1): {'comment': 'SET vendor',
- 'description': 'IBM (2 23 42 9 1)',
- 'hexoid': '06 04 67 2A 09 01',
- 'name': 'IBM',
- 'oid': (2, 23, 42, 9, 1)},
- (2, 23, 42, 9, 2): {'comment': 'SET vendor',
- 'description': 'CyberCash (2 23 42 9 2)',
- 'hexoid': '06 04 67 2A 09 02',
- 'name': 'CyberCash',
- 'oid': (2, 23, 42, 9, 2)},
- (2, 23, 42, 9, 3): {'comment': 'SET vendor',
- 'description': 'Terisa (2 23 42 9 3)',
- 'hexoid': '06 04 67 2A 09 03',
- 'name': 'Terisa',
- 'oid': (2, 23, 42, 9, 3)},
- (2, 23, 42, 9, 4): {'comment': 'SET vendor',
- 'description': 'RSADSI (2 23 42 9 4)',
- 'hexoid': '06 04 67 2A 09 04',
- 'name': 'RSADSI',
- 'oid': (2, 23, 42, 9, 4)},
- (2, 23, 42, 9, 5): {'comment': 'SET vendor',
- 'description': 'VeriFone (2 23 42 9 5)',
- 'hexoid': '06 04 67 2A 09 05',
- 'name': 'VeriFone',
- 'oid': (2, 23, 42, 9, 5)},
- (2, 23, 42, 9, 6): {'comment': 'SET vendor',
- 'description': 'TrinTech (2 23 42 9 6)',
- 'hexoid': '06 04 67 2A 09 06',
- 'name': 'TrinTech',
- 'oid': (2, 23, 42, 9, 6)},
- (2, 23, 42, 9, 7): {'comment': 'SET vendor',
- 'description': 'BankGate (2 23 42 9 7)',
- 'hexoid': '06 04 67 2A 09 07',
- 'name': 'BankGate',
- 'oid': (2, 23, 42, 9, 7)},
- (2, 23, 42, 9, 8): {'comment': 'SET vendor',
- 'description': 'GTE (2 23 42 9 8)',
- 'hexoid': '06 04 67 2A 09 08',
- 'name': 'GTE',
- 'oid': (2, 23, 42, 9, 8)},
- (2, 23, 42, 9, 9): {'comment': 'SET vendor',
- 'description': 'CompuSource (2 23 42 9 9)',
- 'hexoid': '06 04 67 2A 09 09',
- 'name': 'CompuSource',
- 'oid': (2, 23, 42, 9, 9)},
- (2, 23, 42, 9, 10): {'comment': 'SET vendor',
- 'description': 'Griffin (2 23 42 9 10)',
- 'hexoid': '06 04 67 2A 09 0A',
- 'name': 'Griffin',
- 'oid': (2, 23, 42, 9, 10)},
- (2, 23, 42, 9, 11): {'comment': 'SET vendor',
- 'description': 'Certicom (2 23 42 9 11)',
- 'hexoid': '06 04 67 2A 09 0B',
- 'name': 'Certicom',
- 'oid': (2, 23, 42, 9, 11)},
- (2, 23, 42, 9, 12): {'comment': 'SET vendor',
- 'description': 'OSS (2 23 42 9 12)',
- 'hexoid': '06 04 67 2A 09 0C',
- 'name': 'OSS',
- 'oid': (2, 23, 42, 9, 12)},
- (2, 23, 42, 9, 13): {'comment': 'SET vendor',
- 'description': 'TenthMountain (2 23 42 9 13)',
- 'hexoid': '06 04 67 2A 09 0D',
- 'name': 'TenthMountain',
- 'oid': (2, 23, 42, 9, 13)},
- (2, 23, 42, 9, 14): {'comment': 'SET vendor',
- 'description': 'Antares (2 23 42 9 14)',
- 'hexoid': '06 04 67 2A 09 0E',
- 'name': 'Antares',
- 'oid': (2, 23, 42, 9, 14)},
- (2, 23, 42, 9, 15): {'comment': 'SET vendor',
- 'description': 'ECC (2 23 42 9 15)',
- 'hexoid': '06 04 67 2A 09 0F',
- 'name': 'ECC',
- 'oid': (2, 23, 42, 9, 15)},
- (2, 23, 42, 9, 16): {'comment': 'SET vendor',
- 'description': 'Maithean (2 23 42 9 16)',
- 'hexoid': '06 04 67 2A 09 10',
- 'name': 'Maithean',
- 'oid': (2, 23, 42, 9, 16)},
- (2, 23, 42, 9, 17): {'comment': 'SET vendor',
- 'description': 'Netscape (2 23 42 9 17)',
- 'hexoid': '06 04 67 2A 09 11',
- 'name': 'Netscape',
- 'oid': (2, 23, 42, 9, 17)},
- (2, 23, 42, 9, 18): {'comment': 'SET vendor',
- 'description': 'Verisign (2 23 42 9 18)',
- 'hexoid': '06 04 67 2A 09 12',
- 'name': 'Verisign',
- 'oid': (2, 23, 42, 9, 18)},
- (2, 23, 42, 9, 19): {'comment': 'SET vendor',
- 'description': 'BlueMoney (2 23 42 9 19)',
- 'hexoid': '06 04 67 2A 09 13',
- 'name': 'BlueMoney',
- 'oid': (2, 23, 42, 9, 19)},
- (2, 23, 42, 9, 20): {'comment': 'SET vendor',
- 'description': 'Lacerte (2 23 42 9 20)',
- 'hexoid': '06 04 67 2A 09 14',
- 'name': 'Lacerte',
- 'oid': (2, 23, 42, 9, 20)},
- (2, 23, 42, 9, 21): {'comment': 'SET vendor',
- 'description': 'Fujitsu (2 23 42 9 21)',
- 'hexoid': '06 04 67 2A 09 15',
- 'name': 'Fujitsu',
- 'oid': (2, 23, 42, 9, 21)},
- (2, 23, 42, 9, 22): {'comment': 'SET vendor',
- 'description': 'eLab (2 23 42 9 22)',
- 'hexoid': '06 04 67 2A 09 16',
- 'name': 'eLab',
- 'oid': (2, 23, 42, 9, 22)},
- (2, 23, 42, 9, 23): {'comment': 'SET vendor',
- 'description': 'Entrust (2 23 42 9 23)',
- 'hexoid': '06 04 67 2A 09 17',
- 'name': 'Entrust',
- 'oid': (2, 23, 42, 9, 23)},
- (2, 23, 42, 9, 24): {'comment': 'SET vendor',
- 'description': 'VIAnet (2 23 42 9 24)',
- 'hexoid': '06 04 67 2A 09 18',
- 'name': 'VIAnet',
- 'oid': (2, 23, 42, 9, 24)},
- (2, 23, 42, 9, 25): {'comment': 'SET vendor',
- 'description': 'III (2 23 42 9 25)',
- 'hexoid': '06 04 67 2A 09 19',
- 'name': 'III',
- 'oid': (2, 23, 42, 9, 25)},
- (2, 23, 42, 9, 26): {'comment': 'SET vendor',
- 'description': 'OpenMarket (2 23 42 9 26)',
- 'hexoid': '06 04 67 2A 09 1A',
- 'name': 'OpenMarket',
- 'oid': (2, 23, 42, 9, 26)},
- (2, 23, 42, 9, 27): {'comment': 'SET vendor',
- 'description': 'Lexem (2 23 42 9 27)',
- 'hexoid': '06 04 67 2A 09 1B',
- 'name': 'Lexem',
- 'oid': (2, 23, 42, 9, 27)},
- (2, 23, 42, 9, 28): {'comment': 'SET vendor',
- 'description': 'Intertrader (2 23 42 9 28)',
- 'hexoid': '06 04 67 2A 09 1C',
- 'name': 'Intertrader',
- 'oid': (2, 23, 42, 9, 28)},
- (2, 23, 42, 9, 29): {'comment': 'SET vendor',
- 'description': 'Persimmon (2 23 42 9 29)',
- 'hexoid': '06 04 67 2A 09 1D',
- 'name': 'Persimmon',
- 'oid': (2, 23, 42, 9, 29)},
- (2, 23, 42, 9, 30): {'comment': 'SET vendor',
- 'description': 'NABLE (2 23 42 9 30)',
- 'hexoid': '06 04 67 2A 09 1E',
- 'name': 'NABLE',
- 'oid': (2, 23, 42, 9, 30)},
- (2, 23, 42, 9, 31): {'comment': 'SET vendor',
- 'description': 'espace-net (2 23 42 9 31)',
- 'hexoid': '06 04 67 2A 09 1F',
- 'name': 'espace-net',
- 'oid': (2, 23, 42, 9, 31)},
- (2, 23, 42, 9, 32): {'comment': 'SET vendor',
- 'description': 'Hitachi (2 23 42 9 32)',
- 'hexoid': '06 04 67 2A 09 20',
- 'name': 'Hitachi',
- 'oid': (2, 23, 42, 9, 32)},
- (2, 23, 42, 9, 33): {'comment': 'SET vendor',
- 'description': 'Microsoft (2 23 42 9 33)',
- 'hexoid': '06 04 67 2A 09 21',
- 'name': 'Microsoft',
- 'oid': (2, 23, 42, 9, 33)},
- (2, 23, 42, 9, 34): {'comment': 'SET vendor',
- 'description': 'NEC (2 23 42 9 34)',
- 'hexoid': '06 04 67 2A 09 22',
- 'name': 'NEC',
- 'oid': (2, 23, 42, 9, 34)},
- (2, 23, 42, 9, 35): {'comment': 'SET vendor',
- 'description': 'Mitsubishi (2 23 42 9 35)',
- 'hexoid': '06 04 67 2A 09 23',
- 'name': 'Mitsubishi',
- 'oid': (2, 23, 42, 9, 35)},
- (2, 23, 42, 9, 36): {'comment': 'SET vendor',
- 'description': 'NCR (2 23 42 9 36)',
- 'hexoid': '06 04 67 2A 09 24',
- 'name': 'NCR',
- 'oid': (2, 23, 42, 9, 36)},
- (2, 23, 42, 9, 37): {'comment': 'SET vendor',
- 'description': 'e-COMM (2 23 42 9 37)',
- 'hexoid': '06 04 67 2A 09 25',
- 'name': 'e-COMM',
- 'oid': (2, 23, 42, 9, 37)},
- (2, 23, 42, 9, 38): {'comment': 'SET vendor',
- 'description': 'Gemplus (2 23 42 9 38)',
- 'hexoid': '06 04 67 2A 09 26',
- 'name': 'Gemplus',
- 'oid': (2, 23, 42, 9, 38)},
- (2, 23, 42, 10): {'comment': 'SET',
- 'description': 'national (2 23 42 10)',
- 'hexoid': '06 03 67 2A 0A',
- 'name': 'national',
- 'oid': (2, 23, 42, 10)},
- (2, 23, 42, 10, 392): {'comment': 'SET national',
- 'description': 'Japan (2 23 42 10 392)',
- 'hexoid': '06 05 67 2A 0A 83 08',
- 'name': 'Japan',
- 'oid': (2, 23, 42, 10, 392)}}
diff --git a/rpkid/rpki/POW/_simpledb.py b/rpkid/rpki/POW/_simpledb.py
deleted file mode 100644
index 190e96be..00000000
--- a/rpkid/rpki/POW/_simpledb.py
+++ /dev/null
@@ -1,55 +0,0 @@
-#*****************************************************************************#
-#* *#
-#* Copyright (c) 2002, Peter Shannon *#
-#* All rights reserved. *#
-#* *#
-#* Redistribution and use in source and binary forms, with or without *#
-#* modification, are permitted provided that the following conditions *#
-#* are met: *#
-#* *#
-#* * Redistributions of source code must retain the above *#
-#* copyright notice, this list of conditions and the following *#
-#* disclaimer. *#
-#* *#
-#* * Redistributions in binary form must reproduce the above *#
-#* copyright notice, this list of conditions and the following *#
-#* disclaimer in the documentation and/or other materials *#
-#* provided with the distribution. *#
-#* *#
-#* * The name of the contributors may be used to endorse or promote *#
-#* products derived from this software without specific prior *#
-#* written permission. *#
-#* *#
-#* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS *#
-#* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT *#
-#* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS *#
-#* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS *#
-#* OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, *#
-#* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT *#
-#* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, *#
-#* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY *#
-#* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT *#
-#* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE *#
-#* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. *#
-#* *#
-#*****************************************************************************#
-
-import _oids, _objects, types
-
-class OidData(object):
- def __init__(self):
- self.oids = _oids.data
- self.objs = _objects.data
-
- def obj2oid(self, obj):
- if not self.objs.has_key(obj):
- raise Exception, 'unknown object: %s' % obj
- return tuple(self.objs[obj]['oid'])
-
- def oid2obj(self, oid):
- if isinstance( oid, types.ListType ):
- oid = tuple(oid)
- if not self.oids.has_key(oid):
- raise Exception, 'unknown oid %s' % `oid`
- return self.oids[oid]['name']
-
diff --git a/rpkid/rpki/POW/pkix.py b/rpkid/rpki/POW/pkix.py
deleted file mode 100644
index e7d9dde1..00000000
--- a/rpkid/rpki/POW/pkix.py
+++ /dev/null
@@ -1,2087 +0,0 @@
-#*****************************************************************************#
-#* *#
-#* Copyright (c) 2002, Peter Shannon *#
-#* All rights reserved. *#
-#* *#
-#* Redistribution and use in source and binary forms, with or without *#
-#* modification, are permitted provided that the following conditions *#
-#* are met: *#
-#* *#
-#* * Redistributions of source code must retain the above *#
-#* copyright notice, this list of conditions and the following *#
-#* disclaimer. *#
-#* *#
-#* * Redistributions in binary form must reproduce the above *#
-#* copyright notice, this list of conditions and the following *#
-#* disclaimer in the documentation and/or other materials *#
-#* provided with the distribution. *#
-#* *#
-#* * The name of the contributors may be used to endorse or promote *#
-#* products derived from this software without specific prior *#
-#* written permission. *#
-#* *#
-#* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS *#
-#* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT *#
-#* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS *#
-#* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS *#
-#* OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, *#
-#* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT *#
-#* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, *#
-#* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY *#
-#* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT *#
-#* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE *#
-#* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. *#
-#* *#
-#*****************************************************************************#
-
-import types, time, pprint, cStringIO, _der
-from _simpledb import OidData as _OidData
-from _der import *
-
-DEBUG = 0
-
-_oidData = _OidData()
-obj2oid = _oidData.obj2oid
-oid2obj = _oidData.oid2obj
-
-_fragments = []
-
-def _docset():
- return _der._docset() + _fragments
-
-#---------- crypto driver ----------#
-
-class CryptoDriver(object):
- """Dispatcher for crypto calls.
-
- This module has very minimal dependencies on crypto code, as it's
- almost entirely about ASN.1 encoding and decoding. Rather than
- wiring in the handful of crypto calls, we dispatch them through
- this driver. The default driver uses POW, but you can replace it
- with any crypto package you like.
-
- This is a virtual class. You will have to subtype it.
- """
-
- def getOID(self, digestType):
- """Convert a digest identifier into an OID.
-
- If the identifier we get is a tuple, we assume it's already an
- OID and just return it. If the identifier is in the driver
- identifier mapping table, we use that to return an OID.
- Otherwise, we try mapping it via the name-to-OID database.
- """
- if isinstance(digestType, tuple):
- return digestType
- if digestType in self.driver2OID:
- return self.driver2OID[digestType]
- return obj2oid(digestType)
-
- def sign(self, key, oid, plaintext):
- """Sign something with an RSA key and a given digest algorithm."""
- raise NotImplementedError
-
- def verify(self, key, oid, plaintext, signature):
- """Verify a signature."""
- raise NotImplementedError
-
- def toPublicDER(self, key):
- """Get the DER representation of an RSA key."""
- raise NotImplementedError
-
- def fromPublicDER(self, der):
- """Set the driver representation of an RSA key from DER."""
- raise NotImplementedError
-
-class POWCryptoDriver(CryptoDriver):
- """Dispatcher for crypto calls using POW package."""
-
- def __init__(self):
- global POW
- try:
- import rpki.POW
- POW = rpki.POW
- except ImportError:
- import POW
- self.driver2OID = {}
- for k, v in (("MD2_DIGEST", (1, 2, 840, 113549, 1, 1, 2)), # md2WithRSAEncryption
- ("MD5_DIGEST", (1, 2, 840, 113549, 1, 1, 4)), # md5WithRSAEncryption
- ("SHA_DIGEST", (1, 3, 14, 3, 2, 15)), # shaWithRSAEncryption
- ("SHA1_DIGEST", (1, 2, 840, 113549, 1, 1, 5)), # sha1withRSAEncryption
- ("RIPEMD160_DIGEST", (1, 2, 840, 113549, 1, 1, 6)), # ripemd160WithRSAEncryption
- ("SHA256_DIGEST", (1, 2, 840, 113549, 1, 1, 11)), # sha256WithRSAEncryption
- ("SHA384_DIGEST", (1, 2, 840, 113549, 1, 1, 12)), # sha384WithRSAEncryption
- ("SHA512_DIGEST", (1, 2, 840, 113549, 1, 1, 13)), # sha512WithRSAEncryption
- ):
- try:
- self.driver2OID[getattr(POW, k)] = v
- except AttributeError:
- pass
- self.OID2driver = dict((v,k) for k,v in self.driver2OID.items())
-
- def _digest(self, oid, plaintext):
- digest = POW.Digest(self.OID2driver[oid])
- digest.update(plaintext)
- return digest.digest()
-
- def sign(self, key, oid, plaintext):
- return key.sign(self._digest(oid, plaintext), self.OID2driver[oid])
-
- def verify(self, key, oid, plaintext, signature):
- return key.verify(signature, self._digest(oid, plaintext), self.OID2driver[oid])
-
- def toPublicDER(self, key):
- return key.derWrite(POW.RSA_PUBLIC_KEY)
-
- def fromPublicDER(self, der):
- return POW.derRead(POW.RSA_PUBLIC_KEY, der)
-
-_cryptoDriver = None # Don't touch this directly
-
-def setCryptoDriver(driver):
- """Set crypto driver.
-
- The driver should be an instance of CryptoDriver.
- """
- assert isinstance(driver, CryptoDriver)
- global _cryptoDriver
- _cryptoDriver = driver
-
-def getCryptoDriver():
- """Return the currently selected CryptoDriver instance.
-
- If no driver has been selected, instantiate the default POW driver.
- """
- global _cryptoDriver
- if _cryptoDriver is None:
- setCryptoDriver(POWCryptoDriver())
- return _cryptoDriver
-
-#---------- crypto driver ----------#
-
-def _addFragment(frag):
- global _fragments
- _fragments.append(frag)
-
-_addFragment('''
-<modulefunction>
- <header>
- <name>utc2time</name>
- <parameter>time</parameter>
- </header>
- <body>
- <para>
- This is a helper function for turning a UTCTime string into an
- integer. It isn't built into the encoder since the various
- functions which are used to manipulate the tm structure are
- notoriously unreliable.
- </para>
- </body>
-</modulefunction>
-''')
-def utc2time(val):
- 'der encoded value not including tag or length'
- if not isinstance(val, types.StringType):
- raise DerError, 'argument should be a string'
- t = time.strptime(val, '%y%m%d%H%M%SZ')
- return int(time.mktime(t))
-
-_addFragment('''
-<modulefunction>
- <header>
- <name>time2utc</name>
- <parameter>time</parameter>
- </header>
- <body>
- <para>
- This is a helper function for turning an integer into a
- UTCTime string. It isn't built into the encoder since the
- various functions which are used to manipulate the tm structure
- are notoriously unreliable.
- </para>
- </body>
-</modulefunction>
-''')
-def time2utc(val):
- 'numerical time value like time_t'
- val = int(val)
- t = time.gmtime(val)
- return time.strftime('%y%m%d%H%M%SZ', t)
-
-_addFragment('''
-<modulefunction>
- <header>
- <name>gen2time</name>
- <parameter>time</parameter>
- </header>
- <body>
- <para>
- This is a helper function for turning a GeneralizedTime string into an
- integer. It isn't built into the encoder since the various
- functions which are used to manipulate the tm structure are
- notoriously unreliable.
- </para>
- </body>
-</modulefunction>
-''')
-def gen2Time(val):
- 'der encoded value not including tag or length'
- if not isinstance(val, types.StringType):
- raise DerError, 'argument should be a string'
- t = time.strptime(val, '%Y%m%d%H%M%SZ')
- return int(time.mktime(t))
-
-_addFragment('''
-<modulefunction>
- <header>
- <name>time2gen</name>
- <parameter>time</parameter>
- </header>
- <body>
- <para>
- This is a helper function for turning an integer into a
- GeneralizedTime string. It isn't built into the encoder since the
- various functions which are used to manipulate the tm structure
- are notoriously unreliable.
- </para>
- </body>
-</modulefunction>
-''')
-def time2gen(val):
- 'numerical time value like time_t'
- val = int(val)
- t = time.gmtime(val)
- return time.strftime('%Y%m%d%H%M%SZ', t)
-
-_addFragment('''
-<method>
- <header>
- <name>ip42oct</name>
- <parameter>ip</parameter>
- </header>
- <body>
- <para>
- <parameter>ip</parameter> should be a list or tuple of integers,
- from 0 to 256.
- </para>
- <example>
- <title>Setting <classname>IpAddress</classname></title>
- <programlisting>
- ip = IpAddress()
- ip.set( ip42oct(192, 168, 0, 231) )
- </programlisting>
- </example>
- </body>
-</method>
-''')
-def ip42oct(val0, val1, val2, val3):
- return chr(val0) + chr(val1) + chr(val2) + chr(val3)
-
-_addFragment('''
-<method>
- <header>
- <name>oct2ip4</name>
- <parameter>val</parameter>
- </header>
- <body>
- <para>
- Returns a tuple of 4 integers, from 0 to 256.
- </para>
- </body>
-</method>
-''')
-def oct2ip4(val):
- if not isinstance(val, types.StringType) or len(val) != 4:
- raise DerError, 'parameter should be string of 4 characters'
- return ( ord(val[0]), ord(val[1]), ord(val[2]), ord(val[3]) )
-
-#---------- certificate support ----------#
-class TbsCertificate(Sequence):
- def __init__(self, optional=0, default=''):
-
- self.version = Integer()
- self.explicitVersion = Explicit( CLASS_CONTEXT, FORM_CONSTRUCTED, 0, self.version, 0, 'oAMCAQA=\n' )
-
- self.serial = Integer()
- self.signature = AlgorithmIdentifier()
- self.issuer = Name()
- self.subject = Name()
- self.subjectPublicKeyInfo = SubjectPublicKeyInfo()
-
- self.validity = Validity()
-
- self.issuerUniqueID = BitString(1)
- self.issuerUniqueID.implied( CLASS_CONTEXT, FORM_PRIMITIVE, 1 )
- self.subjectUniqueID = BitString(1)
- self.subjectUniqueID.implied( CLASS_CONTEXT, FORM_PRIMITIVE, 2 )
-
- self.extensions = Extensions()
- self.explicitExtensions = Explicit( CLASS_CONTEXT, FORM_CONSTRUCTED, 3, self.extensions, 1 )
-
- contents = [
- self.explicitVersion,
- self.serial,
- self.signature,
- self.issuer,
- self.validity,
- self.subject,
- self.subjectPublicKeyInfo,
- self.issuerUniqueID,
- self.subjectUniqueID,
- self.explicitExtensions
- ]
-
- Sequence.__init__(self, contents, optional, default)
-
-class Validity(Sequence):
- def __init__(self, optional=0, default=''):
- Time = lambda : Choice({ 'generalTime' : GeneralizedTime(), 'utcTime' : UtcTime() })
- self.notBefore = Time()
- self.notAfter = Time()
- contents = [self.notBefore, self.notAfter]
- Sequence.__init__(self, contents, optional, default)
-
-# IA5String should not be allowed in DirectoryString, but old
-# implementations (deprecated but not quite outlawed by RFC 3280)
-# sometimes use it for EmailAddress attributes in subject names, which
-# triggers decode failures here unless we violate RFC 3280 by allowing
-# IA5String. Do not use, do not use, do not use.
-
-class DirectoryString(Choice):
- def __init__(self, optional=0, default=''):
- choices = { 'teletexString' : T61String(),
- 'printableString' : PrintableString(),
- 'universalString' : UniversalString(),
- 'bmpString' : BmpString(),
- 'utf8String' : Utf8String(),
- 'ia5String' : IA5String() }
-
- Choice.__init__(self, choices, optional, default)
-
-class AttributeTypeAndValue(Sequence):
- def __init__(self, optional=0, default=''):
- self.type = Oid()
- self.dirstr = DirectoryString()
- contents = [ self.type, self.dirstr ]
- Sequence.__init__(self, contents, optional, default)
-
-class RelativeDistinguishedName(SetOf):
- def __init__(self, optional=0, default=''):
- SetOf.__init__(self, AttributeTypeAndValue, optional, default)
-
-class Name(SequenceOf):
- def __init__(self, optional=0, default=''):
- SequenceOf.__init__(self, RelativeDistinguishedName, optional, default)
-
-class AlgorithmIdentifier(Sequence):
- def __init__(self, optional=0, default=''):
- self.algorithm = Oid()
- self.parameters = Null()
- contents = [self.algorithm, self.parameters]
- Sequence.__init__(self, contents, optional, default)
-
-class SubjectPublicKeyInfo(Sequence):
- def __init__(self, optional=0, default=''):
- self.algorithmId = AlgorithmIdentifier()
- self.subjectPublicKey = AltBitString()
- contents = [ self.algorithmId, self.subjectPublicKey ]
- Sequence.__init__(self, contents, optional, default)
-
-class Extensions(SequenceOf):
- def __init__(self, optional=0, default=''):
- SequenceOf.__init__(self, Extension, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>Certificate</name>
- <super>Sequence</super>
- </header>
- <body>
- <example>
- <title>Setting <classname>Certificate</classname></title>
- <programlisting>
- rsa = POW.Asymmetric()
- cert = POW.pkix.Certificate()
- cert.setVersion(1)
- cert.setSerial(5)
-
- name = ( (( o2i('countryName'), ('printableString', 'GB') ),),
- (( o2i('stateOrProvinceName'), ('printableString', 'Hertfordshire') ),),
- (( o2i('organizationName'), ('printableString', 'The House') ),),
- (( o2i('commonName'), ('printableString', 'Client') ),) )
-
- cert.setIssuer(name)
- cert.setSubject(name)
-
- now = POW.pkix.time2gen( time.time() )
- then = POW.pkix.time2gen(time.time() + 60*60*24*365*12)
- cert.setNotBefore( ('generalTime', now) )
- cert.setNotAfter( ( 'generalTime', then) )
- cert.setIssuerUniqueID((1,0,1,0))
- cert.setSubjectUniqueID((1,0,0,1))
- cert.sign(rsa, POW.MD5_DIGEST)
- </programlisting>
- </example>
- </body>
-</class>
-''')
-
-class Certificate(Sequence):
-
- _addFragment('''
- <constructor>
- <header>
- <memberof>Certificate</memberof>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- </constructor>
- ''')
- def __init__(self, optional=0, default=''):
- self.tbs = TbsCertificate()
- self.signatureAlgorithm = AlgorithmIdentifier()
- self.signatureValue = AltBitString()
- contents = [ self.tbs, self.signatureAlgorithm, self.signatureValue ]
- Sequence.__init__(self, contents, optional, default)
-
- _addFragment('''
- <method>
- <header>
- <memberof>Certificate</memberof>
- <name>setVersion</name>
- <parameter>version</parameter>
- </header>
- <body>
- <para>
- This function sets an <classname>Integer</classname> object. 0
- indicates a version 1 certificate, 1 a version 2 certificate and 2 a
- version 3 certificate.
- </para>
- </body>
- </method>
- ''')
- def setVersion(self, version):
- self.tbs.version.set(version)
-
- _addFragment('''
- <method>
- <header>
- <memberof>Certificate</memberof>
- <name>getVersion</name>
- </header>
- <body>
- <para>
- This function returns whatever the version object is set to,
- this should be 0, 1 or 2.
- </para>
- </body>
- </method>
- ''')
- def getVersion(self):
- return self.tbs.version.get()
-
- _addFragment('''
- <method>
- <header>
- <memberof>Certificate</memberof>
- <name>setSerial</name>
- <parameter>serial</parameter>
- </header>
- <body>
- <para>
- This function sets an <classname>Integer</classname> object.
- No two certificates issued should ever have the same serial
- number.
- </para>
- </body>
- </method>
- ''')
- def setSerial(self, serial):
- self.tbs.serial.set(serial)
-
- _addFragment('''
- <method>
- <header>
- <memberof>Certificate</memberof>
- <name>getVersion</name>
- </header>
- <body>
- <para>
- This function returns whatever the serial object is set to.
- </para>
- </body>
- </method>
- ''')
- def getSerial(self):
- return self.tbs.serial.get()
-
- _addFragment('''
- <method>
- <header>
- <memberof>Certificate</memberof>
- <name>setIssuer</name>
- <parameter>names</parameter>
- </header>
- <body>
- <para>
- This function sets an <classname>Name</classname> object.
- See <classname>Certificate</classname> class for an example.
- </para>
- </body>
- </method>
- ''')
- def setIssuer(self, issuer):
- self.tbs.issuer.set(issuer)
-
- _addFragment('''
- <method>
- <header>
- <memberof>Certificate</memberof>
- <name>getIssuer</name>
- </header>
- <body>
- <para>
- This function returns a complex tuple containing other tuples.
- </para>
- </body>
- </method>
- ''')
- def getIssuer(self):
- return self.tbs.issuer.get()
-
- _addFragment('''
- <method>
- <header>
- <memberof>Certificate</memberof>
- <name>setSubject</name>
- <parameter>names</parameter>
- </header>
- <body>
- <para>
- This function sets an <classname>Name</classname> object.
- See <classname>Certificate</classname> class for an example.
- </para>
- </body>
- </method>
- ''')
- def setSubject(self, subject):
- self.tbs.subject.set(subject)
-
- _addFragment('''
- <method>
- <header>
- <memberof>Certificate</memberof>
- <name>getSubject</name>
- </header>
- <body>
- <para>
- This function returns a complex tuple containing other tuples.
- </para>
- </body>
- </method>
- ''')
- def getSubject(self):
- return self.tbs.subject.get()
-
- _addFragment('''
- <method>
- <header>
- <memberof>Certificate</memberof>
- <name>setNotBefore</name>
- <parameter>time</parameter>
- </header>
- <body>
- <para>
- This function sets a <classname>Choice</classname> object.
- It can be either a <classname>GeneralTime</classname> or
- <classname>UTCTime</classname> object. The functions
- <function>gen2time</function>, <function>utc2time</function>,
- <function>time2gen</function> and <function>time2utc</function>
- can be used to convert to and from integer times and their
- string representation.
- </para>
- <example>
- <title><function>setNotBefore</function> method usage</title>
- <programlisting>
- cert = POW.pkix.Certificate()
- now = POW.pkix.time2gen( time.time() )
- cert.setNotBefore( ('generalTime', now) )
- </programlisting>
- </example>
- </body>
- </method>
- ''')
- def setNotBefore(self, nb):
- self.tbs.validity.notBefore.set(nb)
-
- _addFragment('''
- <method>
- <header>
- <memberof>Certificate</memberof>
- <name>getNotBefore</name>
- </header>
- <body>
- <para>
- This function returns a tuple indicating which type of time was
- stored and its value. See <function>setNotBefore</function> for details.
- </para>
- </body>
- </method>
- ''')
- def getNotBefore(self):
- return self.tbs.validity.notBefore.get()
-
- _addFragment('''
- <method>
- <header>
- <memberof>Certificate</memberof>
- <name>setNotAfter</name>
- <parameter>time</parameter>
- </header>
- <body>
- <para>
- This function sets a <classname>Choice</classname> object.
- See <function>setNotBefore</function> for details.
- </para>
- </body>
- </method>
- ''')
- def setNotAfter(self, na):
- self.tbs.validity.notAfter.set(na)
-
- _addFragment('''
- <method>
- <header>
- <memberof>Certificate</memberof>
- <name>getNotAfter</name>
- </header>
- <body>
- <para>
- This function returns a tuple indicating which type of time was
- stored and its value. See <function>setNotBefore</function> for details.
- </para>
- </body>
- </method>
- ''')
- def getNotAfter(self):
- return self.tbs.validity.notAfter.get()
-
- _addFragment('''
- <method>
- <header>
- <memberof>Certificate</memberof>
- <name>setIssuerUniqueID</name>
- <parameter>id</parameter>
- </header>
- <body>
- <para>
- This function sets a <classname>BitString</classname> object.
- This is part of the X509v2 standard and is quite poorly
- regarded in general, its use is not recommended. It is set
- using the normal <classname>BitString</classname> method, that
- is with a sequence of true/false objects.
- </para>
- </body>
- </method>
- ''')
- def setIssuerUniqueID(self, id):
- self.tbs.issuerUniqueID.set(id)
-
- _addFragment('''
- <method>
- <header>
- <memberof>Certificate</memberof>
- <name>getIssuerUniqueID</name>
- </header>
- <body>
- <para>
- This function returns a tuple of integers, 1 or 0.
- </para>
- </body>
- </method>
- ''')
- def getIssuerUniqueID(self):
- return self.tbs.issuerUniqueID.get()
-
- _addFragment('''
- <method>
- <header>
- <memberof>Certificate</memberof>
- <name>setSubjectUniqueID</name>
- <parameter>id</parameter>
- </header>
- <body>
- <para>
- This function sets a <classname>BitString</classname> object.
- This is part of the X509v2 standard and is quite poorly
- regarded in general, its use is not recommended. It is set
- using the normal <classname>BitString</classname> method, that
- is with a sequence of true/false objects.
- </para>
- </body>
- </method>
- ''')
- def setSubjectUniqueID(self, id):
- self.tbs.subjectUniqueID.set(id)
-
- _addFragment('''
- <method>
- <header>
- <memberof>Certificate</memberof>
- <name>getSubjectUniqueID</name>
- </header>
- <body>
- <para>
- This function returns a tuple of integers, 1 or 0.
- </para>
- </body>
- </method>
- ''')
- def getSubjectUniqueID(self):
- return self.tbs.subjectUniqueID.get()
-
- _addFragment('''
- <method>
- <header>
- <memberof>Certificate</memberof>
- <name>setExtensions</name>
- <parameter>extns</parameter>
- </header>
- <body>
- <para>
- This method sets an <classname>Extensions</classname> object,
- defined as SEQUENCE OF Extension. The parameter
- <parameter>extns</parameter> should consist of a list or tuple
- of values suitable to set an extension. See the extension
- class for details.
- </para>
- </body>
- </method>
- ''')
- def setExtensions(self, extns):
- self.tbs.extensions.set(extns)
-
- _addFragment('''
- <method>
- <header>
- <memberof>Certificate</memberof>
- <name>getExtensions</name>
- </header>
- <body>
- <para>
- This function returns a tuple of
- <classname>Extension</classname> values. See
- <classname>Extension</classname> for details.
- </para>
- </body>
- </method>
- ''')
- def getExtensions(self):
- return self.tbs.extensions.get()
-
- def getExtension(self, oid):
- for x in self.getExtensions():
- if x[0] == oid:
- return x
- return None
-
- _addFragment('''
- <method>
- <header>
- <memberof>Certificate</memberof>
- <name>sign</name>
- <parameter>rsa</parameter>
- <parameter>digestType</parameter>
- </header>
- <body>
- <para>
- This function updates structured of the
- <classname>Certificate</classname> and
- <constant>tbs</constant> as appropriate and performs the
- specified digest on the <constant>tbs</constant> and set
- <constant>signedText</constant> to signed the digest.
- </para>
- </body>
- </method>
- ''')
- def sign(self, rsa, digestType):
- driver = getCryptoDriver()
- oid = driver.getOID(digestType)
- self.tbs.signature.set([oid, None])
- signedText = driver.sign(rsa, oid, self.tbs.toString())
- self.signatureAlgorithm.set([oid, None])
- self.signatureValue.set(signedText)
-
- _addFragment('''
- <method>
- <header>
- <memberof>Certificate</memberof>
- <name>verify</name>
- <parameter>rsa</parameter>
- </header>
- <body>
- <para>
- This function works out what kind of digest was used to
- during signing, calculates the digest of
- <constant>tbs</constant> and verifies the envelope using the
- key.
- </para>
- </body>
- </method>
- ''')
- def verify(self, rsa):
- driver = getCryptoDriver()
- oid = self.signatureAlgorithm.get()[0]
- return driver.verify(rsa, oid, self.tbs.toString(), self.signatureValue.get())
-
-#---------- certificate support ----------#
-#---------- CRL ----------#
-
-class RevokedCertificate(Sequence):
- def __init__(self, optional=0, default=''):
- self.userCertificate = Integer()
- self.revocationDate = Choice( { 'generalTime' : GeneralizedTime(), 'utcTime' : UtcTime() } )
- self.crlEntryExtensions = Extensions(1)
- contents = [ self.userCertificate, self.revocationDate, self.crlEntryExtensions ]
- Sequence.__init__(self, contents, optional, default)
-
-class RevokedCertificates(SequenceOf):
- def __init__(self, optional=0, default=''):
- SequenceOf.__init__(self, RevokedCertificate, optional, default)
-
-class TbsCertList(Sequence):
- def __init__(self, optional=0, default=''):
- self.version = Integer(1)
- self.signature = AlgorithmIdentifier()
- self.issuer = Name()
- self.thisUpdate = Choice( { 'generalTime' : GeneralizedTime(), 'utcTime' : UtcTime() } )
- self.nextUpdate = Choice( { 'generalTime' : GeneralizedTime(), 'utcTime' : UtcTime() }, 1 )
- self.revokedCertificates = RevokedCertificates(1)
- self.crlExtensions = Extensions()
- self.explicitCrlExtensions = Explicit( CLASS_CONTEXT, FORM_CONSTRUCTED, 0, self.crlExtensions, 1 )
- contents = [ self.version,
- self.signature,
- self.issuer,
- self.thisUpdate,
- self.nextUpdate,
- self.revokedCertificates,
- self.explicitCrlExtensions ]
- Sequence.__init__(self, contents, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>CertificateList</name>
- <super>Sequence</super>
- </header>
- <body>
- <example>
- <title>Setting <classname>CertificateList</classname></title>
- <programlisting>
- now = POW.pkix.time2gen( time.time() )
- then = POW.pkix.time2gen(time.time() + 60*60*24*365*12)
- rsa = POW.Asymmetric()
-
- crl = POW.pkix.CertificateList()
- crl.setThisUpdate( ('generalTime', now ) )
-
- name = ( (( o2i('countryName'), ('printableString', 'GB') ),),
- (( o2i('stateOrProvinceName'), ('printableString', 'Hertfordshire') ),),
- (( o2i('organizationName'), ('printableString', 'The House') ),),
- (( o2i('commonName'), ('printableString', 'Client') ),) )
-
- myRevocations = (
- (1, ('generalTime', now), ()),
- (2, ('generalTime', now), ()),
- (3, ('generalTime', now), (( o2i('cRLReason'), 0, 1),))
- )
-
- crl.setIssuer(name)
- crl.setRevokedCertificates( myRevocations )
-
- crl.sign(rsa, POW.MD5_DIGEST)
- </programlisting>
- </example>
- </body>
-</class>
-''')
-class CertificateList(Sequence):
- _addFragment('''
- <constructor>
- <header>
- <memberof>CertificateList</memberof>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- </constructor>
- ''')
- def __init__(self, optional=0, default=''):
- self.tbs = TbsCertList()
- self.signatureAlgorithm = AlgorithmIdentifier()
- self.signature = AltBitString()
- contents = [self.tbs, self.signatureAlgorithm, self.signature]
- Sequence.__init__(self, contents, optional, default)
-
- _addFragment('''
- <method>
- <header>
- <memberof>CertificateList</memberof>
- <name>setVersion</name>
- <parameter>version</parameter>
- </header>
- <body>
- <para>
- This function sets an <classname>Integer</classname> object. 0
- indicates a version 1 CRL, and 1 a version 2 CRL.
- </para>
- </body>
- </method>
- ''')
- def setVersion(self, version):
- self.tbs.version.set(version)
-
- _addFragment('''
- <method>
- <header>
- <memberof>CertificateList</memberof>
- <name>getVersion</name>
- </header>
- <body>
- <para>
- This function returns whatever the version object is set to,
- this should be 0, 1 or 2.
- </para>
- </body>
- </method>
- ''')
- def getVersion(self):
- return self.tbs.version.get()
-
- _addFragment('''
- <method>
- <header>
- <memberof>CertificateList</memberof>
- <name>setIssuer</name>
- <parameter>names</parameter>
- </header>
- <body>
- <para>
- This function sets an <classname>Name</classname> object.
- </para>
- </body>
- </method>
- ''')
- def setIssuer(self, issuer):
- self.tbs.issuer.set(issuer)
-
- _addFragment('''
- <method>
- <header>
- <memberof>CertificateList</memberof>
- <name>getIssuer</name>
- </header>
- <body>
- <para>
- This function returns a complex tuple containing other tuples.
- </para>
- </body>
- </method>
- ''')
- def getIssuer(self):
- return self.tbs.issuer.get()
-
- _addFragment('''
- <method>
- <header>
- <memberof>setThisUpdate</memberof>
- <name>setNotBefore</name>
- <parameter>time</parameter>
- </header>
- <body>
- <para>
- This function sets a <classname>Choice</classname> object.
- It can be either a <classname>GeneralTime</classname> or
- <classname>UTCTime</classname> object. The functions
- <function>gen2time</function>, <function>utc2time</function>,
- <function>time2gen</function> and <function>time2utc</function>
- can be used to convert to and from integer times and their
- string representation.
- </para>
- <example>
- <title><function>setNotBefore</function> method usage</title>
- <programlisting>
- crl = POW.pkix.CertificateList()
- now = POW.pkix.time2gen( time.time() )
- crl.setNotBefore( ('generalTime', now) )
- </programlisting>
- </example>
- </body>
- </method>
- ''')
- def setThisUpdate(self, nu):
- self.tbs.thisUpdate.set(nu)
-
- _addFragment('''
- <method>
- <header>
- <memberof>CertificateList</memberof>
- <name>getThisUpdate</name>
- </header>
- <body>
- <para>
- This function returns a tuple containing two strings. The first
- is either 'utcTime' or 'generalTime' and the second is the time
- value as a string.
- </para>
- </body>
- </method>
- ''')
- def getThisUpdate(self):
- return self.tbs.thisUpdate.get()
-
- _addFragment('''
- <method>
- <header>
- <memberof>CertificateList</memberof>
- <name>setNextUpdate</name>
- </header>
- <body>
- <para>
- See set <function>setThisUpdate</function>.
- </para>
- </body>
- </method>
- ''')
- def setNextUpdate(self, nu):
- self.tbs.nextUpdate.set(nu)
-
- _addFragment('''
- <method>
- <header>
- <memberof>CertificateList</memberof>
- <name>getNextUpdate</name>
- </header>
- <body>
- <para>
- See set <function>getThisUpdate</function>.
- </para>
- </body>
- </method>
- ''')
- def getNextUpdate(self):
- return self.tbs.nextUpdate.get()
-
- _addFragment('''
- <method>
- <header>
- <memberof>CertificateList</memberof>
- <name>setExtensions</name>
- <parameter>extns</parameter>
- </header>
- <body>
- <para>
- This method sets an <classname>Extensions</classname> object,
- defined as SEQUENCE OF Extension. The parameter
- <parameter>extns</parameter> should consist of a list or tuple
- of values suitable to set an extension. See the extension
- class for details.
- </para>
- </body>
- </method>
- ''')
- def setExtensions(self, extns):
- self.tbs.crlExtensions.set(extns)
-
- _addFragment('''
- <method>
- <header>
- <memberof>CertificateList</memberof>
- <name>getExtensions</name>
- </header>
- <body>
- <para>
- This function returns a tuple of
- <classname>Extension</classname> values. See
- <classname>Extension</classname> for details.
- </para>
- </body>
- </method>
- ''')
- def getExtensions(self):
- return self.tbs.crlExtensions.get()
-
- def getExtension(self, oid):
- for x in self.getExtensions():
- if x[0] == oid:
- return x
- return None
-
- _addFragment('''
- <method>
- <header>
- <memberof>CertificateList</memberof>
- <name>setRevokedCertificates</name>
- </header>
- <body>
- <para>
- This function sets a sequence of
- <classname>revokedCertificate</classname> objects.
- This object is optional. See
- <classname>CertificateList</classname> for an example of its
- use.
- </para>
- </body>
- </method>
- ''')
- def setRevokedCertificates(self, rc):
- self.tbs.revokedCertificates.set(rc)
-
- _addFragment('''
- <method>
- <header>
- <memberof>CertificateList</memberof>
- <name>getRevokedCertificates</name>
- </header>
- <body>
- <para>
- This function return a sequence of
- <classname>revokedCertificate</classname> objects or None.
- </para>
- </body>
- </method>
- ''')
- def getRevokedCertificates(self):
- return self.tbs.revokedCertificates.get()
-
- _addFragment('''
- <method>
- <header>
- <memberof>Certificate</memberof>
- <name>sign</name>
- </header>
- <body>
- <para>
- This function updates structured of the
- <classname>certificateList</classname> and
- <classname>tBSCertList</classname> as appropriate, performs the
- specified digest on the <classname>tBSCertList</classname> and sets
- <constant>signedValue</constant> to signed the digest.
- </para>
- </body>
- </method>
- ''')
- def sign(self, rsa, digestType):
- driver = getCryptoDriver()
- oid = driver.getOID(digestType)
- self.tbs.signature.set([oid, None])
- signedText = driver.sign(rsa, oid, self.tbs.toString())
- self.signatureAlgorithm.set([oid, None])
- self.signature.set(signedText)
-
- _addFragment('''
- <method>
- <header>
- <memberof>CertificateList</memberof>
- <name>verify</name>
- </header>
- <body>
- <para>
- This function works out what kind of digest was used to during
- signing, calculates the digest of
- <classname>tBSCertList</classname> and verifies the
- <constant>signedText</constant> using the key.
- </para>
- </body>
- </method>
- ''')
- def verify(self, rsa):
- driver = getCryptoDriver()
- oid = self.signatureAlgorithm.get()[0]
- return driver.verify(rsa, oid, self.tbs.toString(), self.signature.get())
-
-#---------- CRL ----------#
-#---------- PKCS10 ----------#
-
-# My ASN.1-foo (and perhaps this ASN.1 implementation) isn't quite up
-# to X.501 or PKCS #10, so this is partly based on a dump of what
-# OpenSSL generates, and doesn't handle attributes other than X.509v3
-# extensions.
-
-class PKCS10AttributeSet(SetOf):
- def __init__(self, optional=0, default=''):
- SetOf.__init__(self, Extensions, optional, default)
-
-class PKCS10AttributeChoice(Choice):
- def __init__(self, optional=0, default=''):
- choices = { 'single' : Extensions(),
- 'set' : PKCS10AttributeSet() }
- Choice.__init__(self, choices, optional, default)
-
-class PKCS10Attributes(Sequence):
- def __init__(self, optional=1, default=''):
- self.oid = Oid()
- self.val = PKCS10AttributeChoice()
- contents = [ self.oid, self.val ]
- Sequence.__init__(self, contents, optional, default)
-
-class CertificationRequestInfo(Sequence):
- def __init__(self, optional=0, default=''):
- self.version = Integer()
- self.subject = Name()
- self.subjectPublicKeyInfo = SubjectPublicKeyInfo()
- self.attributes = PKCS10Attributes()
- self.explicitAttributes = Explicit(CLASS_CONTEXT, FORM_CONSTRUCTED, 0, self.attributes)
- contents = [ self.version, self.subject, self.subjectPublicKeyInfo, self.explicitAttributes ]
- Sequence.__init__(self, contents, optional, default)
-
-class CertificationRequest(Sequence):
- def __init__(self, optional=0, default=''):
- self.certificationRequestInfo = CertificationRequestInfo()
- self.signatureAlgorithm = AlgorithmIdentifier()
- self.signatureValue = AltBitString()
- contents = [ self.certificationRequestInfo, self.signatureAlgorithm, self.signatureValue ]
- Sequence.__init__(self, contents, optional, default)
-
- def sign(self, rsa, digestType):
- driver = getCryptoDriver()
- oid = driver.getOID(digestType)
- self.certificationRequestInfo.subjectPublicKeyInfo.fromString(driver.toPublicDER(rsa))
- signedText = driver.sign(rsa, oid, self.certificationRequestInfo.toString())
- self.signatureAlgorithm.set([oid, None])
- self.signatureValue.set(signedText)
-
- def verify(self):
- driver = getCryptoDriver()
- oid = self.signatureAlgorithm.get()[0]
- rsa = driver.fromPublicDER(self.certificationRequestInfo.subjectPublicKeyInfo.toString())
- return driver.verify(rsa, oid, self.certificationRequestInfo.toString(), self.signatureValue.get())
-
- def getExtensions(self):
- oid = self.certificationRequestInfo.attributes.oid.get()
- if oid is None:
- return ()
- if oid != (1, 2, 840, 113549, 1, 9, 14) or \
- self.certificationRequestInfo.attributes.val.choice != "set" or \
- len(self.certificationRequestInfo.attributes.val.choices["set"]) > 1:
- raise DerError, "failed to understand X.501 Attribute encoding, sorry: %s" % self.get()
- return self.certificationRequestInfo.attributes.val.choices["set"][0].get()
-
- def getExtension(self, oid):
- for x in self.getExtensions():
- if x[0] == oid:
- return x
- return None
-
- def setExtensions(self, exts):
- self.certificationRequestInfo.attributes.oid.set((1, 2, 840, 113549, 1, 9, 14))
- self.certificationRequestInfo.attributes.val.set(("set", [exts]))
-
-#---------- PKCS10 ----------#
-#---------- GeneralNames object support ----------#
-class OtherName(Sequence):
- def __init__(self, optional=0, default=''):
- self.typeId = Oid()
- self.any = Any()
- contents = [self.typeId, self.any]
- Sequence.__init__(self, contents, optional, default)
-
-class EdiPartyName(Sequence):
- def __init__(self, optional=0, default=''):
- self.nameAssigner = DirectoryString()
- self.partyName = DirectoryString()
- self.explicitNameAssigner = Explicit( CLASS_CONTEXT, FORM_CONSTRUCTED, 0, self.nameAssigner, 1 )
- self.explicitPartyName = Explicit( CLASS_CONTEXT, FORM_CONSTRUCTED, 1, self.partyName )
- contents = [ self.explicitNameAssigner, self.explicitPartyName ]
- Sequence.__init__(self, contents, optional, default)
-
-class IpAddress(OctetString):
- pass
-
-class GeneralName(Choice):
- def __init__(self, optional=0, default=''):
-
- otherName = OtherName()
- otherName.implied( CLASS_CONTEXT, FORM_CONSTRUCTED, 0 )
- rfc822Name = IA5String()
- rfc822Name.implied( CLASS_CONTEXT, FORM_PRIMITIVE, 1 )
- dnsName = IA5String()
- dnsName.implied( CLASS_CONTEXT, FORM_PRIMITIVE, 2 )
- directoryName = Name()
- explicitDirectoryName = Explicit( CLASS_CONTEXT, FORM_CONSTRUCTED, 4, directoryName)
- ediPartyName = EdiPartyName()
- ediPartyName.implied( CLASS_CONTEXT, FORM_CONSTRUCTED, 5 )
- uri = IA5String()
- uri.implied( CLASS_CONTEXT, FORM_PRIMITIVE, 6 )
- ipAddress = IpAddress()
- ipAddress.implied( CLASS_CONTEXT, FORM_PRIMITIVE, 7 )
- registeredId = Oid()
- registeredId.implied( CLASS_CONTEXT, FORM_PRIMITIVE, 8 )
-
- choices = { 'otherName' : otherName ,
- 'rfc822Name' : rfc822Name ,
- 'dNSName' : dnsName ,
- 'directoryName' : explicitDirectoryName ,
- 'ediPartyName' : ediPartyName ,
- 'uri' : uri ,
- 'iPAddress' : ipAddress ,
- 'registeredId' : registeredId }
-
- Choice.__init__(self, choices, optional, default)
-
-class GeneralNames(SequenceOf):
- def __init__(self, optional=0, default=''):
- SequenceOf.__init__(self, GeneralName, optional, default)
-
-#---------- GeneralNames object support ----------#
-#---------- X509v3 extensions ----------#
-
-_addFragment('''
-<class>
- <header>
- <name>BasicConstraints</name>
- <super>Sequence</super>
- </header>
- <body>
- <para>
- This little extension has recently caused plenty of problems for
- several large organisations. It consist of a
- <classname>Boolean</classname> and an
- <classname>Integer</classname>. The first indicates if the owner
- is a CA, the second indicates how long a chain of CAs you should
- trust which the subject of this certificate trusts.
- </para>
- <example>
- <title>Setting <classname>BasicConstraints</classname></title>
- <programlisting>
- bc = BasicConstraints()
- bc.set( (1, 1) )
- </programlisting>
- </example>
- </body>
-</class>
-''')
-class BasicConstraints(Sequence):
- _addFragment('''
- <constructor>
- <header>
- <memberof>BasicConstraints</memberof>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- </constructor>
- ''')
- def __init__(self, optional=0, default=''):
- self.ca = Boolean(0, 'AQEA\n')
- self.pathLenConstraint = Integer(1)
- contents = [self.ca, self.pathLenConstraint]
- Sequence.__init__(self, contents, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>KeyUsage</name>
- <super>BitString</super>
- </header>
-</class>
-''')
-class KeyUsage(BitString):
- pass
-
-_addFragment('''
-<class>
- <header>
- <name>SubjectAltName</name>
- <super>GeneralNames</super>
- </header>
-</class>
-''')
-class SubjectAltName(GeneralNames):
- pass
-
-_addFragment('''
-<class>
- <header>
- <name>IssuerAltName</name>
- <super>GeneralNames</super>
- </header>
-</class>
-''')
-class IssuerAltName(GeneralNames):
- pass
-
-_addFragment('''
-<class>
- <header>
- <name>SubjectKeyIdentifier</name>
- <super>OctetString</super>
- </header>
-</class>
-''')
-class SubjectKeyIdentifier(OctetString):
- pass
-
-_addFragment('''
-<class>
- <header>
- <name>AuthorityKeyIdentifier</name>
- <super>Sequence</super>
- </header>
- <body>
- <para>
- </para>
- <example>
- <title>Setting <classname>AuthorityKeyIdentifier</classname></title>
- <programlisting>
- id = AuthorityKeyIdentifier()
- authdigest = POW.Digest( POW.SHA1_DIGEST )
- authdigest.update(rsa.derWrite(POW.RSA_PUBLIC_KEY))
- keyHash = authdigest.digest()
- id.set( (keyHash, None, None) )
- </programlisting>
- </example>
- </body>
-
-</class>
-''')
-class AuthorityKeyIdentifier(Sequence):
- _addFragment('''
- <constructor>
- <header>
- <memberof>AuthorityKeyIdentifier</memberof>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- </constructor>
- ''')
- def __init__(self, optional=0, default=''):
- self.keyIdentifier = OctetString(1)
- self.keyIdentifier.implied( CLASS_CONTEXT, FORM_PRIMITIVE, 0 )
- self.authorityCertIssuer = GeneralNames(1)
- self.authorityCertIssuer.implied( CLASS_CONTEXT, FORM_CONSTRUCTED, 1 )
- self.authorityCertSerialNumber = Integer(1)
- self.authorityCertSerialNumber.implied( CLASS_CONTEXT, FORM_PRIMITIVE, 2 )
- contents = [self.keyIdentifier, self.authorityCertIssuer, self.authorityCertSerialNumber]
- Sequence.__init__(self, contents, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>PrivateKeyUsagePeriod</name>
- <super>Sequence</super>
- </header>
- <body>
- <example>
- <title>Setting <classname>PrivateKeyUsagePeriod</classname></title>
- <programlisting>
- period = PrivateKeyUsagePeriod()
- period.set( ( time2gen( time.time() ), None) )
- </programlisting>
- </example>
- </body>
-</class>
-''')
-class PrivateKeyUsagePeriod(Sequence):
- _addFragment('''
- <constructor>
- <header>
- <memberof>PrivateKeyUsagePeriod</memberof>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- </constructor>
- ''')
- def __init__(self, optional=0, default=''):
- self.notBefore = GeneralizedTime()
- self.notBefore.implied( CLASS_CONTEXT, FORM_PRIMITIVE, 0 )
- self.notAfter = GeneralizedTime()
- self.notAfter.implied( CLASS_CONTEXT, FORM_PRIMITIVE, 1 )
- contents = [self.notBefore, self.notAfter]
- Sequence.__init__(self, contents, optional, default)
-
-class DisplayText(Choice):
- def __init__(self, optional=0, default=''):
- choices = { 'visibleString' : VisibleString(),
- 'bmpString' : BmpString(),
- 'utf8String' : Utf8String() }
-
- Choice.__init__(self, choices, optional, default)
-
-class NoticeNumbers(SequenceOf):
- def __init__(self, optional=0, default=''):
- SequenceOf.__init__(self, Integer, optional, default)
-
-class NoticeReference(Sequence):
- def __init__(self, optional=0, default=''):
- self.organization = DisplayText()
- self.noticeNumbers = NoticeNumbers()
- contents = [self.organization, self.noticeNumbers]
- Sequence.__init__(self, contents, optional, default)
-
-class UserNotice(Sequence):
- def __init__(self, optional=0, default=''):
- self.noticeRef = NoticeReference(1)
- self.explicitText = DisplayText(1)
- contents = [self.noticeRef, self.explicitText]
- Sequence.__init__(self, contents, optional, default)
-
-class Qualifier(Choice):
- def __init__(self, optional=0, default=''):
- choices = { 'cPSuri' : IA5String(),
- 'userNotice' : UserNotice() }
-
- Choice.__init__(self, choices, optional, default)
-
-class PolicyQualifierInfo(Sequence):
- def __init__(self, optional=0, default=''):
- self.policyQualifierId = Oid()
- self.qualifier = Qualifier()
- contents = [self.policyQualifierId, self.qualifier]
- Sequence.__init__(self, contents, optional, default)
-
-class PolicyQualifiers(SequenceOf):
- def __init__(self, optional=0, default=''):
- SequenceOf.__init__(self, PolicyQualifierInfo, optional, default)
-
-class PolicyInformation(Sequence):
- def __init__(self, optional=0, default=''):
- self.policyIdentifier = Oid()
- self.policyQualifiers = PolicyQualifiers(1)
- contents = [self.policyIdentifier, self.policyQualifiers]
- Sequence.__init__(self, contents, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>CertificatePolicies</name>
- <super>SequenceOf</super>
- </header>
- <body>
- <example>
- <title>Setting <classname>CertificatePolicies</classname></title>
- <programlisting>
- data = (
- ( o2i('id-cti-ets-proofOfReceipt'), (
- (o2i('cps'), ('cPSuri', 'http://www.p-s.org.uk/policies/policy1')),
- (o2i('unotice'), ( 'userNotice',
- ((('visibleString', 'The House'),(1,2,3)),
- ('visibleString', 'We guarentee nothing')))),
- )),
- ( o2i('id-cti-ets-proofOfOrigin'), (
- (o2i('cps'), ('cPSuri', 'http://www.p-s.org.uk/policies/policy2')),
- ))
- )
- policies = CertificatePolicies()
- policies.set( data )
- </programlisting>
- </example>
- </body>
-</class>
-''')
-class CertificatePolicies(SequenceOf):
- _addFragment('''
- <constructor>
- <header>
- <memberof>CertificatePolicies</memberof>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- </constructor>
- ''')
- def __init__(self, optional=0, default=''):
- SequenceOf.__init__(self, PolicyInformation, optional, default)
-
-class DistributionPointName(Choice):
- def __init__(self, optional=0, default=''):
- fullName = GeneralNames()
- fullName.implied( CLASS_CONTEXT, FORM_CONSTRUCTED, 0 )
- nameRelativeToCRLIssuer = RelativeDistinguishedName()
- nameRelativeToCRLIssuer.implied( CLASS_CONTEXT, FORM_CONSTRUCTED, 1 )
-
- choices = { 'fullName' : fullName,
- 'nameRelativeToCRLIssuer ' : nameRelativeToCRLIssuer }
-
- Choice.__init__(self, choices, optional, default)
-
-class DistributionPoint(Sequence):
- def __init__(self, optional=0, default=''):
- self.distributionPoint = DistributionPointName(1)
- self.explicitDistributionPoint = Explicit(CLASS_CONTEXT, FORM_CONSTRUCTED, 0, self.distributionPoint)
- self.reasons = BitString(1)
- self.reasons.implied( CLASS_CONTEXT, FORM_PRIMITIVE, 1 )
- self.cRLIssuer = GeneralNames(1)
- self.cRLIssuer.implied( CLASS_CONTEXT, FORM_CONSTRUCTED, 2 )
- contents = [self.explicitDistributionPoint, self.reasons, self.cRLIssuer]
- Sequence.__init__(self, contents, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>CRLDistrobutionPoints</name>
- <super>SequenceOf</super>
- </header>
- <body>
- <example>
- <title>Setting <classname>CRLDistrobutionPoints</classname></title>
- <programlisting>
- n1 = ('directoryName',
- ( (( o2i('countryName'), ('printableString', 'UK') ),),
- (( o2i('stateOrProvinceName'), ('printableString', 'Herts') ),),
- (( o2i('organizationName'), ('printableString', 'The House') ),),
- (( o2i('commonName'), ('printableString', 'Shannon Works') ),) ) )
-
- n2 = ('iPAddress', POW.pkix.ip42oct(192,168,100,51))
-
- data = ( ( ('fullName',(n1, n2)), (1,1,1,1,1), (n1,) ), )
- points = CRLDistrobutionPoints()
- points.set( data )
- </programlisting>
- </example>
- </body>
-</class>
-''')
-class CRLDistributionPoints(SequenceOf):
- _addFragment('''
- <constructor>
- <header>
- <memberof>CRLDistrobutionPoints</memberof>
- <parameter>optional=0</parameter>
- <parameter>default=''</parameter>
- </header>
- </constructor>
- ''')
- def __init__(self, optional=0, default=''):
- SequenceOf.__init__(self, DistributionPoint, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>CrlNumber</name>
- <super>Integer</super>
- </header>
-</class>
-''')
-class CrlNumber(Integer):
- pass
-
-_addFragment('''
-<class>
- <header>
- <name>DeltaCrlIndicator</name>
- <super>Integer</super>
- </header>
-</class>
-''')
-class DeltaCrlIndicator(Integer):
- pass
-
-_addFragment('''
-<class>
- <header>
- <name>InvalidityDate</name>
- <super>GeneralizedTime</super>
- </header>
-</class>
-''')
-class InvalidityDate(GeneralizedTime):
- pass
-
-_addFragment('''
-<class>
- <header>
- <name>CrlReason</name>
- <super>Enum</super>
- </header>
-</class>
-''')
-class CrlReason(Enum):
- pass
-
-_addFragment('''
-<class>
- <header>
- <name>IPAddressRange</name>
- <super>Sequence</super>
- </header>
-</class>
-''')
-class IPAddressRange(Sequence):
- def __init__(self, optional=0, default=''):
- self.min = BitString()
- self.max = BitString()
- contents = [ self.min, self.max ]
- Sequence.__init__(self, contents, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>IPAddressOrRange</name>
- <super>Choice</super>
- </header>
-</class>
-''')
-class IPAddressOrRange(Choice):
- def __init__(self, optional=0, default=''):
- choices = { 'addressPrefix' : BitString(),
- 'addressRange' : IPAddressRange() }
- Choice.__init__(self, choices, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>IPAddressesOrRanges</name>
- <super>SequenceOf</super>
- </header>
-</class>
-''')
-class IPAddressesOrRanges(SequenceOf):
- def __init__(self, optional=0, default=''):
- SequenceOf.__init__(self, IPAddressOrRange, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>IPAddressChoice</name>
- <super>Choice</super>
- </header>
-</class>
-''')
-class IPAddressChoice(Choice):
- def __init__(self, optional=0, default=''):
- choices = { 'inherit' : Null(),
- 'addressesOrRanges' : IPAddressesOrRanges() }
- Choice.__init__(self, choices, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>IPAddressFamily</name>
- <super>Sequence</super>
- </header>
-</class>
-''')
-class IPAddressFamily(Sequence):
- def __init__(self, optional=0, default=''):
- self.addressFamily = OctetString()
- self.ipAddressChoice = IPAddressChoice()
- contents = [ self.addressFamily, self.ipAddressChoice ]
- Sequence.__init__(self, contents, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>IPAddrBlocks</name>
- <super>SequenceOf</super>
- </header>
- <body>
- <para>
- Implementation of RFC 3779 section 2.2.3.
- </para>
- </body>
-</class>
-''')
-class IPAddrBlocks(SequenceOf):
- def __init__(self, optional=0, default=''):
- SequenceOf.__init__(self, IPAddressFamily, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>ASRange</name>
- <super>Sequence</super>
- </header>
-</class>
-''')
-class ASRange(Sequence):
- def __init__(self, optional=0, default=''):
- self.min = Integer()
- self.max = Integer()
- contents = [ self.min, self.max ]
- Sequence.__init__(self, contents, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>ASIdOrRange</name>
- <super>Choice</super>
- </header>
-</class>
-''')
-class ASIdOrRange(Choice):
- def __init__(self, optional=0, default=''):
- choices = { 'id' : Integer(),
- 'range' : ASRange() }
- Choice.__init__(self, choices, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>ASIdsOrRanges</name>
- <super>SequenceOf</super>
- </header>
-</class>
-''')
-class ASIdsOrRanges(SequenceOf):
- def __init__(self, optional=0, default=''):
- SequenceOf.__init__(self, ASIdOrRange, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>ASIdentifierChoice</name>
- <super>Choice</super>
- </header>
-</class>
-''')
-class ASIdentifierChoice(Choice):
- def __init__(self, optional=0, default=''):
- choices = { 'inherit' : Null(),
- 'asIdsOrRanges' : ASIdsOrRanges() }
- Choice.__init__(self, choices, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>ASIdentifiers</name>
- <super>Sequence</super>
- </header>
- <body>
- <para>
- Implementation of RFC 3779 section 3.2.3.
- </para>
- </body>
-</class>
-''')
-class ASIdentifiers(Sequence):
- def __init__(self, optional=0, default=''):
- #
- # This is what we -should- be doing
- #self.asnum = ASIdentifierChoice()
- #self.rdi = ASIdentifierChoice()
- #self.explicitAsnum = Explicit(CLASS_CONTEXT, FORM_CONSTRUCTED, 0, self.asnum, 1)
- #self.explictRdi = Explicit(CLASS_CONTEXT, FORM_CONSTRUCTED, 1, self.rdi, 1)
- #contents = [ self.explicitAsnum, self.explictRdi ]
- #
- # ...but it generates a spurious empty RDI clause, so try this instead
- # since we know that we never use RDI anyway.
- self.asnum = ASIdentifierChoice()
- self.explicitAsnum = Explicit(CLASS_CONTEXT, FORM_CONSTRUCTED, 0, self.asnum, 1)
- contents = [ self.explicitAsnum ]
- #
- Sequence.__init__(self, contents, optional, default)
-
- def set(self, values):
- assert len(values) == 1 or (len(values) == 2 and values[1] is None)
- Sequence.set(self, (values[0],))
-
-_addFragment('''
-<class>
- <header>
- <name>AccessDescription</name>
- <super>Sequence</super>
- </header>
-</class>
-''')
-class AccessDescription(Sequence):
- def __init__(self, optional=0, default=''):
- self.accessMethod = Oid()
- self.accessLocation = GeneralName()
- contents = [ self.accessMethod, self.accessLocation ]
- Sequence.__init__(self, contents, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>AuthorityInfoAccess</name>
- <super>SequenceOf</super>
- </header>
- <body>
- <para>
- Implementation of RFC 3280 section 4.2.2.1.
- </para>
- </body>
-</class>
-''')
-class AuthorityInfoAccess(SequenceOf):
- def __init__(self, optional=0, default=''):
- SequenceOf.__init__(self, AccessDescription, optional, default)
-
-_addFragment('''
-<class>
- <header>
- <name>SubjectInfoAccess</name>
- <super>SequenceOf</super>
- </header>
- <body>
- <para>
- Implementation of RFC 3280 section 4.2.2.2.
- </para>
- </body>
-</class>
-''')
-class SubjectInfoAccess(SequenceOf):
- def __init__(self, optional=0, default=''):
- SequenceOf.__init__(self, AccessDescription, optional, default)
-
-#---------- X509v3 extensions ----------#
-
-_addFragment('''
-<class>
- <header>
- <name>Extension</name>
- <super>Sequence</super>
- </header>
- <body>
- <para>
- This class is a useful little object. It is set by passing three
- values: an oid, an integer(a boolean really) and a value. The
- boolean indicates if this extension is critical. The value is
- used to set the extension once it has been created. The oid
- is used to create the correct object which, to be fully supported it must
- be one of these:
- <simplelist>
- <member><classname>basicConstraints</classname></member>
- <member><classname>subjectAltName</classname></member>
- <member><classname>issuerAltName</classname></member>
- <member><classname>authorityKeyIdentifier</classname></member>
- <member><classname>privateKeyUsagePeriod</classname></member>
- <member><classname>certificatePolicies</classname></member>
- <member><classname>cRLDistributionPoints</classname></member>
- <member><classname>subjectKeyIdentifier</classname></member>
- <member><classname>keyUsage</classname></member>
- <member><classname>crlNumber</classname></member>
- <member><classname>deltaCrlIndicator</classname></member>
- <member><classname>invalidityDate</classname></member>
- <member><classname>crlReason</classname></member>
- </simplelist>
- </para>
- <example>
- <title>Setting <classname>Extension</classname></title>
- <programlisting>
- extn = Extension()
- email = ('rfc822Name', 'peter_shannon@yahoo.com')
- extn.set( (obj2oid('subjectAltName'),1, (email,)) )
- </programlisting>
- </example>
- </body>
-</class>
-''')
-class Extension(Sequence):
-
- classMap = {
- (2, 5, 29, 19) : BasicConstraints,
- (2, 5, 29, 17) : SubjectAltName,
- (2, 5, 29, 18) : IssuerAltName,
- (2, 5, 29, 35) : AuthorityKeyIdentifier,
- (2, 5, 29, 16) : PrivateKeyUsagePeriod,
- (2, 5, 29, 32) : CertificatePolicies,
- (2, 5, 29, 31) : CRLDistributionPoints,
- (2, 5, 29, 14) : SubjectKeyIdentifier,
- (2, 5, 29, 15) : KeyUsage,
- (2, 5, 29, 20) : CrlNumber,
- (2, 5, 29, 27) : DeltaCrlIndicator,
- (2, 5, 29, 24) : InvalidityDate,
- (2, 5, 29, 21) : CrlReason,
- (1, 3, 6, 1, 5, 5, 7, 1, 1) : AuthorityInfoAccess,
- (1, 3, 6, 1, 5, 5, 7, 1, 7) : IPAddrBlocks,
- (1, 3, 6, 1, 5, 5, 7, 1, 8) : ASIdentifiers,
- (1, 3, 6, 1, 5, 5, 7, 1, 11) : SubjectInfoAccess,
- }
-# Missing -- fix later
-# extendedKeyUsage
-# privateKeyUsagePeriod
-# policyMappings
-# nameConstraints
-# policyConstraints
-# subjectDirectoryAttributes
-# instructionCode
-# issuingDistrobutionPoint
-
- def __init__(self, optional=0, default=''):
- self.extnID = Oid()
- self.critical = Boolean(0, 'AQEA')
- self.extnValue = OctetString()
- contents = [self.extnID, self.critical, self.extnValue]
- Sequence.__init__(self, contents, optional, default)
-
- _addFragment('''
- <method>
- <header>
- <memberof>Extension</memberof>
- <name>set</name>
- <parameter>values</parameter>
- </header>
- <body>
- <para>
- <parameter>values</parameter> should be a sequence of three
- values, the oid, critical marker and a value to set the
- extension. If an unknown oid is passed to this function it
- will raise an exception. <parameter>critical</parameter> is a
- boolean. <parameter>value</parameter> will be used to set the
- extension after it has been created.
- </para>
- </body>
- </method>
- ''')
- def set(self, (oid, critical, val) ):
- self.extnID.set( oid )
- self.critical.set( critical )
-
- extnObj = None
- if self.classMap.has_key(oid):
- extnObj = self.classMap[oid]()
- else:
- if not (isinstance(oid, types.TupleType) or isinstance(oid, types.ListType)):
- raise DerError, 'the oid should be specified as a sequence of integers'
- else:
- raise DerError, 'unknown object extension %s' % oid
-
- try:
- extnObj.set( val )
- self.extnValue.set( extnObj.toString() )
- except DerError, e:
- raise DerError, 'failed to set %s, with:\n\t%s\nresulting in:\n\t%s' % (oid, val, `e`)
-
- _addFragment('''
- <method>
- <header>
- <memberof>Extension</memberof>
- <name>get</name>
- </header>
- <body>
- <para>
- There are several ways this function might fail to decode an
- extension. Firstly if the extension was marked critical but if
- the oid cannot be mapped to a class or If a failure occurs decoding the
- <constant>extnValue</constant>, an exception will be raised.
- If a failure occurred and the extension was not marked critical it
- will return a tuple like this: <constant>(oid, critical,
- ())</constant>. If no failures occur a tuple will be returned,
- containg the oid, critical and extension values.
- </para>
- </body>
- </method>
- ''')
- def get(self):
- oid = self.extnID.get()
- critical = self.critical.get()
-
- if self.classMap.has_key(oid):
- extnObj = self.classMap[oid]()
- else:
- if critical:
- raise DerError, 'failed to read critical extension %s' % str(oid)
- else:
- return (oid, critical, ())
-
- try:
- extnObj = self.classMap[oid]()
- extnObj.fromString(self.extnValue.get())
- value = extnObj.get()
- except:
- if critical:
- raise DerError, 'failed to read critical extension %s' % str(oid)
- else:
- return (oid, critical, ())
-
- return (oid, critical, value)
diff --git a/rpkid/rpki/adns.py b/rpkid/rpki/adns.py
index a9d04c2a..736d793a 100644
--- a/rpkid/rpki/adns.py
+++ b/rpkid/rpki/adns.py
@@ -4,7 +4,7 @@ dnspython package.
$Id$
-Copyright (C) 2010--2011 Internet Systems Consortium ("ISC")
+Copyright (C) 2010--2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -34,8 +34,13 @@ ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
"""
-import asyncore, socket, time, sys
-import rpki.async, rpki.sundial, rpki.log
+import asyncore
+import socket
+import time
+import sys
+import rpki.async
+import rpki.sundial
+import rpki.log
try:
import dns.resolver, dns.rdatatype, dns.rdataclass, dns.name, dns.message
@@ -134,7 +139,7 @@ class query(object):
self.qtype = qtype
self.qclass = qclass
self.start = time.time()
- rpki.async.defer(self.go)
+ rpki.async.event_defer(self.go)
def go(self):
"""
@@ -364,12 +369,12 @@ if __name__ == "__main__":
e)
if True:
- for qtype in (dns.rdatatype.A, dns.rdatatype.AAAA, dns.rdatatype.HINFO):
- test_query("subvert-rpki.hactrn.net", qtype)
+ for t in (dns.rdatatype.A, dns.rdatatype.AAAA, dns.rdatatype.HINFO):
+ test_query("subvert-rpki.hactrn.net", t)
test_query("nonexistant.rpki.net")
test_query("subvert-rpki.hactrn.net", qclass = dns.rdataclass.CH)
- for host in ("subvert-rpki.hactrn.net", "nonexistant.rpki.net"):
- test_getaddrinfo(host)
+ for h in ("subvert-rpki.hactrn.net", "nonexistant.rpki.net"):
+ test_getaddrinfo(h)
rpki.async.event_loop()
diff --git a/rpkid/rpki/async.py b/rpkid/rpki/async.py
index 5eaa34f9..aee7770f 100644
--- a/rpkid/rpki/async.py
+++ b/rpkid/rpki/async.py
@@ -3,7 +3,7 @@ Utilities for event-driven programming.
$Id$
-Copyright (C) 2009--2011 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -18,8 +18,13 @@ OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
"""
-import asyncore, signal, traceback, gc, sys
-import rpki.log, rpki.sundial
+import asyncore
+import signal
+import traceback
+import gc
+import sys
+import rpki.log
+import rpki.sundial
ExitNow = asyncore.ExitNow
@@ -40,15 +45,24 @@ class iterator(object):
to continue to the next item in the iteration.
The termination callback receives no arguments.
+
+ Special case for memory constrained cases: if keyword argument
+ pop_list is True, iterable must be a list, which is modified in
+ place, popping items off of it until it's empty.
"""
- def __init__(self, iterable, item_callback, done_callback, unwind_stack = True):
+ def __init__(self, iterable, item_callback, done_callback, unwind_stack = True, pop_list = False):
+ assert not pop_list or isinstance(iterable, list), "iterable must be a list when using pop_list"
self.item_callback = item_callback
- self.done_callback = done_callback
+ self.done_callback = done_callback if done_callback is not None else lambda: None
self.caller_file, self.caller_line, self.caller_function = traceback.extract_stack(limit = 2)[0][0:3]
self.unwind_stack = unwind_stack
+ self.pop_list = pop_list
try:
- self.iterator = iter(iterable)
+ if self.pop_list:
+ self.iterator = iterable
+ else:
+ self.iterator = iter(iterable)
except (ExitNow, SystemExit):
raise
except Exception:
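Review bot: The `pop_list` precondition in `iterator.__init__` is enforced with `assert`, which is compiled out under `python -O`. A non-list iterable would then fail only later, at `self.iterator.pop(0)` in `doit()`, with an `AttributeError` that the `except (IndexError, StopIteration)` clause there does not catch. An explicit check survives optimized runs: `if pop_list and not isinstance(iterable, list): raise TypeError("iterable must be a list when using pop_list")`. The body of `__init__` continues outside this hunk.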
@@ -57,13 +71,14 @@ class iterator(object):
self.doit()
def __repr__(self):
- return ("<%s created at %s:%s %s at 0x%x>" %
- (self.__class__.__name__,
- self.caller_file, self.caller_line, self.caller_function, id(self)))
+ return rpki.log.log_repr(self,
+ "created at %s:%s" % (self.caller_file,
+ self.caller_line),
+ self.caller_function)
def __call__(self):
if self.unwind_stack:
- defer(self.doit)
+ event_defer(self.doit)
else:
self.doit()
@@ -73,25 +88,25 @@ class iterator(object):
with the next iteration value, call the termination handler if the
iterator signaled StopIteration.
"""
- try:
- self.item_callback(self, self.iterator.next())
- except StopIteration:
- if self.done_callback is not None:
- self.done_callback()
-class timer(object):
- """
- Timer construct for event-driven code. It can be used in either of two ways:
+ try:
+ if self.pop_list:
+ val = self.iterator.pop(0)
+ else:
+ val = self.iterator.next()
+ except (IndexError, StopIteration):
+ self.done_callback()
+ else:
+ self.item_callback(self, val)
- - As a virtual class, in which case the subclass should provide a
- handler() method to receive the wakup event when the timer expires; or
+## @var timer_queue
+# Timer queue.
- - By setting an explicit handler callback, either via the
- constructor or the set_handler() method.
+timer_queue = []
- Subclassing is probably more Pythonic, but setting an explict
- handler turns out to be very convenient when combined with bound
- methods to other objects.
+class timer(object):
+ """
+ Timer construct for event-driven code.
"""
## @var gc_debug
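Review bot: In `doit()`, `self.iterator.pop(0)` shifts every remaining element on each step, so draining a list of n items through `pop_list` costs O(n²) element moves. That is a poor fit for the large lists the memory-constrained case is aimed at. If callers do not depend on the list's order while it is being consumed (not visible here), reversing it once in `__init__` and calling `pop()` would make each step O(1). Otherwise the docstring should say that `pop_list` trades time for memory, e.g. `# pop(0) is O(n); acceptable only because the lists involved are short`.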
@@ -102,15 +117,9 @@ class timer(object):
# Verbose chatter about timers being run.
run_debug = False
- ## @var queue
- # Timer queue, shared by all timer instances (there can be only one queue).
- queue = []
-
def __init__(self, handler = None, errback = None):
- if handler is not None:
- self.set_handler(handler)
- if errback is not None:
- self.set_errback(errback)
+ self.set_handler(handler)
+ self.set_errback(errback)
self.when = None
if self.gc_debug:
self.trace("Creating %r" % self)
@@ -135,9 +144,9 @@ class timer(object):
else:
self.when = when
assert isinstance(self.when, rpki.sundial.datetime), "%r: Expecting a datetime, got %r" % (self, self.when)
- if self not in self.queue:
- self.queue.append(self)
- self.queue.sort(key = lambda x: x.when)
+ if self not in timer_queue:
+ timer_queue.append(self)
+ timer_queue.sort(key = lambda x: x.when)
def __cmp__(self, other):
return cmp(id(self), id(other))
@@ -154,7 +163,7 @@ class timer(object):
self.trace("Canceling %r" % self)
try:
while True:
- self.queue.remove(self)
+ timer_queue.remove(self)
except ValueError:
pass
@@ -162,14 +171,7 @@ class timer(object):
"""
Test whether this timer is currently set.
"""
- return self in self.queue
-
- def handler(self):
- """
- Handle a timer that has expired. This must either be overriden by
- a subclass or set dynamically by set_handler().
- """
- raise NotImplementedError
+ return self in timer_queue
def set_handler(self, handler):
"""
@@ -181,13 +183,6 @@ class timer(object):
"""
self.handler = handler
- def errback(self, e):
- """
- Error callback. May be overridden, or set with set_errback().
- """
- rpki.log.error("Unhandled exception from timer: %s" % e)
- rpki.log.traceback()
-
def set_errback(self, errback):
"""
Set a timer's errback. Like set_handler(), for errbacks.
@@ -199,17 +194,29 @@ class timer(object):
"""
Run the timer queue: for each timer whose call time has passed,
pull the timer off the queue and call its handler() method.
+
+ Comparisions are made against time at which this function was
+ called, so that even if new events keep getting scheduled, we'll
+ return to the I/O loop reasonably quickly.
"""
- while cls.queue and rpki.sundial.now() >= cls.queue[0].when:
- t = cls.queue.pop(0)
+ now = rpki.sundial.now()
+ while timer_queue and now >= timer_queue[0].when:
+ t = timer_queue.pop(0)
if cls.run_debug:
rpki.log.debug("Running %r" % t)
try:
- t.handler()
+ if t.handler is not None:
+ t.handler()
+ else:
+ rpki.log.warn("Timer %r expired with no handler set" % t)
except (ExitNow, SystemExit):
raise
except Exception, e:
- t.errback(e)
+ if t.errback is not None:
+ t.errback(e)
+ else:
+ rpki.log.error("Unhandled exception from timer %r: %s" % (t, e))
+ rpki.log.traceback()
def __repr__(self):
return rpki.log.log_repr(self, self.when, repr(self.handler))
@@ -224,12 +231,12 @@ class timer(object):
the same units (argh!), and we're not doing anything that
hair-triggered, so rounding up is simplest.
"""
- if not cls.queue:
+ if not timer_queue:
return None
now = rpki.sundial.now()
- if now >= cls.queue[0].when:
+ if now >= timer_queue[0].when:
return 0
- delay = cls.queue[0].when - now
+ delay = timer_queue[0].when - now
seconds = delay.convert_to_seconds()
if delay.microseconds:
seconds += 1
@@ -242,40 +249,32 @@ class timer(object):
queue content, but this way we can notify subclasses that provide
their own cancel() method.
"""
- while cls.queue:
- cls.queue.pop(0).cancel()
-
-## @var deferred_queue
-# List to hold deferred actions. We used to do this with the timer
-# queue, but that appears to confuse the garbage collector, and is
-# overengineering for simple deferred actions in any case.
-
-deferred_queue = []
+ while timer_queue:
+ timer_queue.pop(0).cancel()
-def defer(thunk):
+def _raiseExitNow(signum, frame):
"""
- Defer an action until the next pass through the event loop.
+ Signal handler for event_loop().
"""
- deferred_queue.append(thunk)
+ raise ExitNow
-def run_deferred():
+def exit_event_loop():
"""
- Run deferred actions.
+ Force exit from event_loop().
"""
- while deferred_queue:
- try:
- deferred_queue.pop(0)()
- except (ExitNow, SystemExit):
- raise
- except Exception, e:
- rpki.log.error("Unhandled exception from deferred action %s: %s" % (e.__class__.__name__, e))
- rpki.log.traceback()
+ raise ExitNow
-def _raiseExitNow(signum, frame):
+def event_defer(handler, delay = rpki.sundial.timedelta(seconds = 0)):
"""
- Signal handler for event_loop().
+ Use a near-term (default: zero interval) timer to schedule an event
+ to run after letting the I/O system have a turn.
"""
- raise ExitNow
+ timer(handler).set(delay)
+
+## @var debug_event_timing
+# Enable insanely verbose logging of event timing
+
+debug_event_timing = False
def event_loop(catch_signals = (signal.SIGINT, signal.SIGTERM)):
"""
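Review bot: `event_defer()` routes deferred actions back through the timer queue, but the comment removed in this hunk said that approach "appears to confuse the garbage collector". The new docstring does not say why that concern no longer applies. A short note there would keep the history, e.g. `# Deferred actions use timers again; the earlier GC problem with this was <reason>`. Every deferred call now also pays for the `self not in timer_queue` scan and the `timer_queue.sort()` in `timer.set()`, which is worth measuring if deferred actions are frequent.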
@@ -289,10 +288,11 @@ def event_loop(catch_signals = (signal.SIGINT, signal.SIGTERM)):
old = signal.signal(sig, _raiseExitNow)
if save_sigs:
old_signal_handlers[sig] = old
- while asyncore.socket_map or deferred_queue or timer.queue:
- run_deferred()
- asyncore.poll(timer.seconds_until_wakeup(), asyncore.socket_map)
- run_deferred()
+ while asyncore.socket_map or timer_queue:
+ t = timer.seconds_until_wakeup()
+ if debug_event_timing:
+ rpki.log.debug("Dismissing to asyncore.poll(), t = %s, q = %r" % (t, timer_queue))
+ asyncore.poll(t, asyncore.socket_map)
timer.runq()
if timer.gc_debug:
gc.collect()
@@ -359,10 +359,6 @@ class sync_wrapper(object):
def __call__(self, *args, **kwargs):
def thunk():
- """
- Deferred action to call the wrapped code once event system is
- running.
- """
try:
self.func(self.cb, self.eb, *args, **kwargs)
except ExitNow:
@@ -370,7 +366,7 @@ class sync_wrapper(object):
except Exception, e:
self.eb(e)
- defer(thunk)
+ event_defer(thunk)
event_loop()
if self.err is None:
return self.res
@@ -379,20 +375,6 @@ class sync_wrapper(object):
else:
raise self.err
-def exit_event_loop():
- """
- Force exit from event_loop().
- """
- raise ExitNow
-
-def event_yield(handler, delay = rpki.sundial.timedelta(seconds = 2)):
- """
- Use a near-term timer to schedule an event after letting the timer
- and I/O systems run.
- """
- t = timer(handler)
- t.set(delay)
-
class gc_summary(object):
"""
Periodic summary of GC state, for tracking down memory bloat.
diff --git a/rpkid/rpki/config.py b/rpkid/rpki/config.py
index c954ad5f..cc5b6580 100644
--- a/rpkid/rpki/config.py
+++ b/rpkid/rpki/config.py
@@ -4,7 +4,7 @@ ConfigParser module.
$Id$
-Copyright (C) 2009--2011 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -33,7 +33,9 @@ OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
"""
-import ConfigParser, os, re
+import ConfigParser
+import os
+import re
## @var default_filename
# Default name of config file if caller doesn't specify one explictly.
@@ -85,6 +87,8 @@ class parser(object):
if default_dirname is not None:
filenames.append("%s/%s" % (default_dirname, default_filename))
+ f = fn = None
+
for fn in filenames:
try:
f = open(fn)
@@ -128,7 +132,7 @@ class parser(object):
section = self.default_section
if self.cfg.has_option(section, option):
matches.append((-1, self.get(option, section = section)))
- for key, value in self.cfg.items(section):
+ for key in self.cfg.options(section):
s = key.rsplit(".", 1)
if len(s) == 2 and s[0] == option and s[1].isdigit():
matches.append((int(s[1]), self.get(option, section = section)))
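Review bot: The loop now iterates over option names only, but the append on the last line still calls `self.get(option, section = section)` instead of fetching the numbered key. Every `option.N` entry therefore appears to yield the value of the base option, or to fail when only numbered entries exist. The likely intent is `matches.append((int(s[1]), self.get(key, section = section)))`. This depends on `self.get()`, which is outside the hunk, so confirm against its definition.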
@@ -267,6 +271,16 @@ class parser(object):
pass
try:
+ rpki.x509.XML_CMS_object.check_inbound_schema = self.getboolean("check_inbound_schema")
+ except ConfigParser.NoOptionError:
+ pass
+
+ try:
+ rpki.x509.XML_CMS_object.check_outbound_schema = self.getboolean("check_outbound_schema")
+ except ConfigParser.NoOptionError:
+ pass
+
+ try:
rpki.async.gc_summary(self.getint("gc_summary"), self.getint("gc_summary_threshold", 0))
except ConfigParser.NoOptionError:
pass
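Review bot: `check_inbound_schema` can now be switched off from the config file without leaving any log entry. If the flag gates schema validation of messages received from peers (inferred from the name; `rpki.x509.XML_CMS_object` is not visible here), disabling it removes a validation step on untrusted XML. A warning when the parsed value is false would make that state visible, e.g. `rpki.log.warn("check_inbound_schema disabled: inbound messages are not schema-validated")`. A comment saying the two options are meant for debugging, if that is the intent, would also help.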
@@ -285,3 +299,10 @@ class parser(object):
rpki.daemonize.pid_filename = self.get("pid_filename")
except ConfigParser.NoOptionError:
pass
+
+ try:
+ rpki.x509.generate_insecure_debug_only_rsa_key = rpki.x509.insecure_debug_only_rsa_key_generator(*self.get("insecure-debug-only-rsa-key-db").split())
+ except ConfigParser.NoOptionError:
+ pass
+ except:
+ rpki.log.warn("insecure-debug-only-rsa-key-db configured but initialization failed, check for corrupted database file")
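Review bot: Setting `insecure-debug-only-rsa-key-db` succeeds silently, because only the failure path logs. A production config that carries the option over would switch key generation to what the name calls an insecure, debug-only generator, with no trace in the logs. Log on success too, right after the assignment, e.g. `rpki.log.warn("insecure-debug-only-rsa-key-db is set; RSA keys are NOT suitable for production")`. The bare `except:` also discards the cause and catches `SystemExit` and `KeyboardInterrupt`. `except Exception, e:` with `e` in the message would be narrower and easier to diagnose. The enclosing method starts outside this hunk.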
diff --git a/rpkid/rpki/csv_utils.py b/rpkid/rpki/csv_utils.py
index f7eed414..30d07560 100644
--- a/rpkid/rpki/csv_utils.py
+++ b/rpkid/rpki/csv_utils.py
@@ -3,7 +3,7 @@ CSV utilities, moved here from myrpki.py.
$Id$
-Copyright (C) 2009--2011 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -68,6 +68,12 @@ class csv_reader(object):
fields += tuple(None for i in xrange(self.columns - len(fields)))
yield fields
+ def __enter__(self):
+ return self
+
+ def __exit__(self, _type, value, traceback):
+ self.file.close()
+
class csv_writer(object):
"""
Writer object for tab delimited text. We just use the stock CSV
@@ -83,6 +89,12 @@ class csv_writer(object):
self.file = open(self.renmwo, "w")
self.writer = csv.writer(self.file, dialect = csv.get_dialect("excel-tab"))
+ def __enter__(self):
+ return self
+
+ def __exit__(self, _type, value, traceback):
+ self.close()
+
def close(self):
"""
Close this writer.
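Review bot: `csv_writer.__exit__` calls `self.close()` unconditionally, including when the `with` body raised. The writer opens `self.renmwo` rather than the target name, which suggests `close()` renames a temporary file into place. Its body is outside this hunk, so confirm. If so, an exception partway through writing would publish a truncated file over the previous good one. Closing without committing on error avoids that: `if _type is None: self.close()` and `else: self.file.close()`.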
diff --git a/rpkid/rpki/exceptions.py b/rpkid/rpki/exceptions.py
index 68ea3bf6..0f5dbc49 100644
--- a/rpkid/rpki/exceptions.py
+++ b/rpkid/rpki/exceptions.py
@@ -3,7 +3,7 @@ Exception definitions for RPKI modules.
$Id$
-Copyright (C) 2009--2010 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
diff --git a/rpkid/rpki/ghostbuster.py b/rpkid/rpki/ghostbuster.py
deleted file mode 100644
index 151a7cd0..00000000
--- a/rpkid/rpki/ghostbuster.py
+++ /dev/null
@@ -1,26 +0,0 @@
-# $Id$
-"""
-Copyright (C) 2011 SPARTA, Inc. dba Cobham Analytic Solutions
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND SPARTA DISCLAIMS ALL WARRANTIES WITH
-REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS. IN NO EVENT SHALL SPARTA BE LIABLE FOR ANY SPECIAL, DIRECT,
-INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-PERFORMANCE OF THIS SOFTWARE.
-
-
-
-ASN.1 encoder/decoder for the Ghostbuster record, specified in
-draft-ietf-sidr-ghostbusters.
-"""
-
-from rpki.POW._der import *
-
-class Ghostbuster(OctetString):
- pass
diff --git a/rpkid/rpki/gui/app/forms.py b/rpkid/rpki/gui/app/forms.py
index 80439b00..2166343a 100644
--- a/rpkid/rpki/gui/app/forms.py
+++ b/rpkid/rpki/gui/app/forms.py
@@ -23,7 +23,7 @@ from rpki.resource_set import (resource_range_as, resource_range_ipv4,
from rpki.gui.app import models
from rpki.exceptions import BadIPResource
from rpki.gui.app.glue import str_to_resource_range
-import rpki.ipaddrs
+from rpki.POW import IPAddress
class AddConfForm(forms.Form):
@@ -190,11 +190,7 @@ class ROARequest(forms.Form):
"""
prefix = self.cleaned_data.get('prefix')
if '/' not in prefix:
- p = rpki.ipaddrs.parse(prefix)
-
- # rpki.ipaddrs.parse doesn't return a v?addr object, so can't
- # introspect p.bits
- bits = 32 if ':' not in prefix else 64
+ p = IPAddress(prefix)
# determine the first nonzero bit starting from the lsb and
# subtract from the address size to find the closest classful
@@ -203,7 +199,7 @@ class ROARequest(forms.Form):
while (p != 0) and (p & 1) == 0:
prefixlen = prefixlen + 1
p = p >> 1
- mask = bits - (8 * (prefixlen / 8))
+ mask = p.bits - (8 * (prefixlen / 8))
prefix = prefix + '/' + str(mask)
return str_to_resource_range(prefix)
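Review bot: `mask = p.bits - (8 * (prefixlen / 8))` reads `bits` from `p` after the loop has rebound it with `p = p >> 1`. That only works if shifting an `IPAddress` returns another `IPAddress` of the same family, which nothing in these hunks shows. Capturing the width first, with `bits = p.bits` directly after `p = IPAddress(prefix)` in the previous hunk and `mask = bits - (8 * (prefixlen / 8))` here, removes that dependency. Since `prefix` is form input, it is also worth confirming that a malformed address rejected by `IPAddress(prefix)` surfaces as a validation error rather than an unhandled exception. The enclosing method starts outside the hunk.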
diff --git a/rpkid/rpki/gui/app/range_list.py b/rpkid/rpki/gui/app/range_list.py
index fcfcfc24..21fd1f29 100755
--- a/rpkid/rpki/gui/app/range_list.py
+++ b/rpkid/rpki/gui/app/range_list.py
@@ -17,6 +17,7 @@ __version__ = '$Id$'
import bisect
import unittest
+
class RangeList(list):
"""A sorted list of ranges, which automatically merges adjacent ranges.
@@ -36,35 +37,39 @@ class RangeList(list):
# upper bound
j = bisect.bisect_right(keys, v.max, lo=i)
- # if the max value for the previous item is greater than v.min, include the previous item in the range to replace
- # and use its min value. also include the previous item if the max value is 1 less than the min value for the
- # inserted item
- if i > 0 and self[i-1].max >= v.min - 1:
+ # if the max value for the previous item is greater than v.min, include
+ # the previous item in the range to replace and use its min value.
+ # also include the previous item if the max value is 1 less than the
+ # min value for the inserted item
+ if i > 0 and self[i - 1].max >= v.min - 1:
i = i - 1
vmin = self[i].min
else:
vmin = v.min
- # if the max value for the previous item is greater than the max value for the new item, use the previous item's max
- if j > 0 and self[j-1].max > v.max:
- vmax = self[j-1].max
+ # if the max value for the previous item is greater than the max value
+ # for the new item, use the previous item's max
+ if j > 0 and self[j - 1].max > v.max:
+ vmax = self[j - 1].max
else:
vmax = v.max
- # if the max value for the new item is 1 less than the min value for the next item, combine into a single item
- if j < len(self) and vmax+1 == self[j].min:
+ # if the max value for the new item is 1 less than the min value for
+ # the next item, combine into a single item
+ if j < len(self) and vmax + 1 == self[j].min:
vmax = self[j].max
- j = j+1
+ j = j + 1
# replace the range with a new object covering the entire range
- self[i:j] = [v.__class__(min=vmin, max=vmax)]
+ self[i:j] = [v.__class__(vmin, vmax)]
def extend(self, args):
for x in args:
self.append(x)
def difference(self, other):
- """Return a RangeList object which contains ranges in this object which are not in "other"."""
+ """Return a RangeList object which contains ranges in this object which
+ are not in "other"."""
it = iter(other)
try:
@@ -85,27 +90,30 @@ class RangeList(list):
try:
while xmin <= x.max:
if xmin < cur.min:
- r.append(x.__class__(min=V(xmin),
- max=V(min(x.max,cur.min-1))))
- xmin = cur.max+1
+ r.append(x.__class__(V(xmin),
+ V(min(x.max, cur.min - 1))))
+ xmin = cur.max + 1
elif xmin == cur.min:
- xmin = cur.max+1
- else: # xmin > cur.min
+ xmin = cur.max + 1
+ else: # xmin > cur.min
if xmin <= cur.max:
- xmin = cur.max+1
- else: # xmin > cur.max
+ xmin = cur.max + 1
+ else: # xmin > cur.max
cur = it.next()
except StopIteration:
- r.append(x.__class__(min=V(xmin), max=x.max))
+ r.append(x.__class__(V(xmin), x.max))
return r
+
class TestRangeList(unittest.TestCase):
class MinMax(object):
- def __init__(self, min, max):
- self.min = min
- self.max = max
+ datum_type = int
+
+ def __init__(self, range_min, range_max):
+ self.min = range_min
+ self.max = range_max
def __str__(self):
return '(%d, %d)' % (self.min, self.max)
@@ -117,12 +125,12 @@ class TestRangeList(unittest.TestCase):
return self.min == other.min and self.max == other.max
def setUp(self):
- self.v1 = TestRangeList.MinMax(1,2)
- self.v2 = TestRangeList.MinMax(4,5)
- self.v3 = TestRangeList.MinMax(7,8)
- self.v4 = TestRangeList.MinMax(3,4)
- self.v5 = TestRangeList.MinMax(2,3)
- self.v6 = TestRangeList.MinMax(1,10)
+ self.v1 = TestRangeList.MinMax(1, 2)
+ self.v2 = TestRangeList.MinMax(4, 5)
+ self.v3 = TestRangeList.MinMax(7, 8)
+ self.v4 = TestRangeList.MinMax(3, 4)
+ self.v5 = TestRangeList.MinMax(2, 3)
+ self.v6 = TestRangeList.MinMax(1, 10)
def test_empty_append(self):
s = RangeList()
@@ -161,14 +169,14 @@ class TestRangeList(unittest.TestCase):
s.append(self.v1)
s.append(self.v5)
self.assertTrue(len(s) == 1)
- self.assertEqual(s[0], TestRangeList.MinMax(1,3))
+ self.assertEqual(s[0], TestRangeList.MinMax(1, 3))
def test_combine_range(self):
s = RangeList()
s.append(self.v1)
s.append(self.v4)
self.assertTrue(len(s) == 1)
- self.assertEqual(s[0], TestRangeList.MinMax(1,4))
+ self.assertEqual(s[0], TestRangeList.MinMax(1, 4))
def test_append_subset(self):
s = RangeList()
@@ -189,7 +197,7 @@ class TestRangeList(unittest.TestCase):
s.append(self.v4)
s.append(self.v1)
self.assertTrue(len(s) == 1)
- self.assertEqual(s[0], TestRangeList.MinMax(1,4))
+ self.assertEqual(s[0], TestRangeList.MinMax(1, 4))
def test_append_aggregate(self):
s = RangeList()
@@ -213,31 +221,31 @@ class TestRangeList(unittest.TestCase):
def test_diff_middle(self):
s1 = RangeList([self.v6])
s2 = RangeList([self.v3])
- self.assertEqual(s1.difference(s2), RangeList([TestRangeList.MinMax(1,6), TestRangeList.MinMax(9, 10)]))
+ self.assertEqual(s1.difference(s2), RangeList([TestRangeList.MinMax(1, 6), TestRangeList.MinMax(9, 10)]))
def test_diff_overlap(self):
s1 = RangeList([self.v2])
s2 = RangeList([self.v4])
- self.assertEqual(s1.difference(s2), RangeList([TestRangeList.MinMax(5,5)]))
+ self.assertEqual(s1.difference(s2), RangeList([TestRangeList.MinMax(5, 5)]))
def test_diff_overlap2(self):
s1 = RangeList([self.v2])
s2 = RangeList([self.v4])
- self.assertEqual(s2.difference(s1), RangeList([TestRangeList.MinMax(3,3)]))
+ self.assertEqual(s2.difference(s1), RangeList([TestRangeList.MinMax(3, 3)]))
def test_diff_multi(self):
- s1 = RangeList([TestRangeList.MinMax(1,2), TestRangeList.MinMax(4,5)])
- s2 = RangeList([TestRangeList.MinMax(4,4)])
- self.assertEqual(s1.difference(s2), RangeList([TestRangeList.MinMax(1,2), TestRangeList.MinMax(5,5)]))
+ s1 = RangeList([TestRangeList.MinMax(1, 2), TestRangeList.MinMax(4, 5)])
+ s2 = RangeList([TestRangeList.MinMax(4, 4)])
+ self.assertEqual(s1.difference(s2), RangeList([TestRangeList.MinMax(1, 2), TestRangeList.MinMax(5, 5)]))
def test_diff_multi_overlap(self):
- s1 = RangeList([TestRangeList.MinMax(1,2), TestRangeList.MinMax(3,4)])
- s2 = RangeList([TestRangeList.MinMax(2,3)])
+ s1 = RangeList([TestRangeList.MinMax(1, 2), TestRangeList.MinMax(3, 4)])
+ s2 = RangeList([TestRangeList.MinMax(2, 3)])
self.assertEqual(s1.difference(s2), RangeList([TestRangeList.MinMax(1,1), TestRangeList.MinMax(4,4)]))
def test_diff_multi_overlap2(self):
s1 = RangeList([TestRangeList.MinMax(1,2), TestRangeList.MinMax(3,4), TestRangeList.MinMax(6,7)])
- s2 = RangeList([TestRangeList.MinMax(2,3), TestRangeList.MinMax(6,6)])
+ s2 = RangeList([TestRangeList.MinMax(2, 3), TestRangeList.MinMax(6, 6)])
self.assertEqual(s1.difference(s2), RangeList([TestRangeList.MinMax(1,1), TestRangeList.MinMax(4,4), TestRangeList.MinMax(7,7)]))
if __name__ == '__main__':
diff --git a/rpkid/rpki/gui/app/views.py b/rpkid/rpki/gui/app/views.py
index 835bf4a5..6de313e3 100644
--- a/rpkid/rpki/gui/app/views.py
+++ b/rpkid/rpki/gui/app/views.py
@@ -414,7 +414,7 @@ def child_edit(request, pk):
if request.method == 'POST':
form = form_class(request.POST, request.FILES)
if form.is_valid():
- child.valid_until = sundial.datetime.fromdatetime(form.cleaned_data.get('valid_until'))
+ child.valid_until = sundial.datetime.from_datetime(form.cleaned_data.get('valid_until'))
child.save()
# remove AS & prefixes that are not selected in the form
models.ChildASN.objects.filter(child=child).exclude(pk__in=form.cleaned_data.get('as_ranges')).delete()
diff --git a/rpkid/rpki/gui/cacheview/models.py b/rpkid/rpki/gui/cacheview/models.py
index 4be45b5c..f58cca33 100644
--- a/rpkid/rpki/gui/cacheview/models.py
+++ b/rpkid/rpki/gui/cacheview/models.py
@@ -20,7 +20,6 @@ import time
from django.db import models
-import rpki.ipaddrs
import rpki.resource_set
import rpki.gui.models
diff --git a/rpkid/rpki/gui/cacheview/views.py b/rpkid/rpki/gui/cacheview/views.py
index b75763fa..ffb04136 100644
--- a/rpkid/rpki/gui/cacheview/views.py
+++ b/rpkid/rpki/gui/cacheview/views.py
@@ -20,7 +20,7 @@ from django.shortcuts import get_object_or_404, redirect
from rpki.gui.cacheview import models, forms, misc
from rpki.gui.app.views import render
from rpki.resource_set import resource_range_as
-from rpki.ipaddrs import v4addr, v6addr
+from rpki.POW import IPAddress
# Create your views here.
@@ -133,11 +133,7 @@ def query_view(request):
prefix_list = []
for roa in roas:
for pfx in roa.prefixes.all():
- if pfx.family == 4:
- addr = v4addr(pfx.prefix.encode())
- elif pfx.family == 6:
- addr = v6addr(pfx.prefix.encode())
-
+ addr = IPAddress(pfx.prefix.encode())
prefix_list.append((pfx, roa, addr))
prefix_list.sort(cmp=cmp_prefix)
diff --git a/rpkid/rpki/gui/models.py b/rpkid/rpki/gui/models.py
index 30879e44..0ea0924b 100644
--- a/rpkid/rpki/gui/models.py
+++ b/rpkid/rpki/gui/models.py
@@ -18,12 +18,10 @@ Common classes for reuse in apps.
__version__ = '$Id$'
-import struct
-
from django.db import models
import rpki.resource_set
-import rpki.ipaddrs
+import rpki.POW
from south.modelsinspector import add_introspection_rules
@@ -36,17 +34,16 @@ class IPv6AddressField(models.Field):
return 'binary(16)'
def to_python(self, value):
- if isinstance(value, rpki.ipaddrs.v6addr):
+ if isinstance(value, rpki.POW.IPAddress):
return value
- x = struct.unpack('!QQ', value)
- return rpki.ipaddrs.v6addr((x[0] << 64) | x[1])
+ return rpki.POW.IPAddress.fromBytes(value)
def get_db_prep_value(self, value, connection, prepared):
- return struct.pack('!QQ', (long(value) >> 64) & 0xFFFFFFFFFFFFFFFFL, long(value) & 0xFFFFFFFFFFFFFFFFL)
+ return value.toBytes()
class IPv4AddressField(models.Field):
- "Wrapper around rpki.ipaddrs.v4addr."
+ "Wrapper around rpki.POW.IPAddress."
__metaclass__ = models.SubfieldBase
@@ -54,9 +51,9 @@ class IPv4AddressField(models.Field):
return 'int UNSIGNED'
def to_python(self, value):
- if isinstance(value, rpki.ipaddrs.v4addr):
+ if isinstance(value, rpki.POW.IPAddress):
return value
- return rpki.ipaddrs.v4addr(value)
+ return rpki.POW.IPAddress(value, version=4)
def get_db_prep_value(self, value, connection, prepared):
return long(value)
@@ -97,10 +94,11 @@ class Prefix(models.Model):
class Meta:
abstract = True
-
+
# default sort order reflects what "sh ip bgp" outputs
ordering = ('prefix_min',)
+
class PrefixV4(Prefix):
"IPv4 Prefix."
@@ -112,6 +110,7 @@ class PrefixV4(Prefix):
class Meta(Prefix.Meta):
abstract = True
+
class PrefixV6(Prefix):
"IPv6 Prefix."
@@ -123,6 +122,7 @@ class PrefixV6(Prefix):
class Meta(Prefix.Meta):
abstract = True
+
class ASN(models.Model):
"""Represents a range of ASNs.
diff --git a/rpkid/rpki/http.py b/rpkid/rpki/http.py
index 244a9305..c3eae1fe 100644
--- a/rpkid/rpki/http.py
+++ b/rpkid/rpki/http.py
@@ -3,7 +3,7 @@ HTTP utilities, both client and server.
$Id$
-Copyright (C) 2009-2011 Internet Systems Consortium ("ISC")
+Copyright (C) 2009-2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -82,11 +82,6 @@ enable_ipv6_servers = True
# far too much of the world.
enable_ipv6_clients = False
-## @var use_adns
-# Whether to use rpki.adns code. This is still experimental, so it's
-# not (yet) enabled by default.
-use_adns = False
-
## @var have_ipv6
# Whether the current machine claims to support IPv6. Note that just
# because the kernel supports it doesn't mean that the machine has
@@ -95,6 +90,7 @@ use_adns = False
# SRI-NIC.ARPA?" seems a bit dated...). Don't set this, it's set
# automatically by probing using the socket() system call at runtime.
try:
+ # pylint: disable=W0702,W0104
socket.socket(socket.AF_INET6).close()
socket.IPPROTO_IPV6
socket.IPV6_V6ONLY
@@ -103,6 +99,16 @@ except:
else:
have_ipv6 = True
+## @var use_adns
+
+# Whether to use rpki.adns code. This is still experimental, so it's
+# not (yet) enabled by default.
+use_adns = False
+try:
+ import rpki.adns
+except ImportError:
+ pass
+
def supported_address_families(enable_ipv6):
"""
IP address families on which servers should listen, and to consider
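Review bot: The `except ImportError: pass` around the new module-level `import rpki.adns` discards the failure silently, while the later `http_client` hunk drops the local import and calls `rpki.adns.getaddrinfo` directly. If `use_adns` is turned on in a deployment where that import failed, the lookup path would presumably fail with an AttributeError at connection time instead of at startup. Recording the outcome makes the condition visible and checkable, for example `have_adns = True` in an `else:` branch plus a log line in the `except`. The `## @var use_adns` marker is also now separated from its comment text by a blank line, which may detach the description in the generated documentation.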
@@ -590,7 +596,7 @@ class http_listener(asyncore.dispatcher):
asyncore.dispatcher.__init__(self)
self.handlers = handlers
try:
- af, socktype, proto, canonname, sockaddr = addrinfo
+ af, socktype, proto, canonname, sockaddr = addrinfo # pylint: disable=W0612
self.create_socket(af, socktype)
self.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
try:
@@ -614,8 +620,8 @@ class http_listener(asyncore.dispatcher):
stream for it and pass along all of our handler data.
"""
try:
- s, client = self.accept()
- self.log("Accepting connection from %s" % addr_to_string(client))
+ s, c = self.accept()
+ self.log("Accepting connection from %s" % addr_to_string(c))
http_server(sock = s, handlers = self.handlers)
except (rpki.async.ExitNow, SystemExit):
raise
@@ -669,7 +675,6 @@ class http_client(http_stream):
self.log("Bypassing DNS for localhost")
self.gotaddrinfo(localhost_addrinfo())
else:
- import rpki.adns # This should move to start of file once we've decided to inflict it on all users
families = supported_address_families(enable_ipv6_clients)
self.log("Starting ADNS lookup for %s in families %r" % (self.host, families))
rpki.adns.getaddrinfo(self.gotaddrinfo, self.dns_error, self.host, families)
@@ -804,7 +809,7 @@ class http_client(http_stream):
if bad:
try:
raise rpki.exceptions.HTTPTimeout
- except:
+ except: # pylint: disable=W0702
self.handle_error()
else:
self.queue.detach(self)
@@ -829,7 +834,7 @@ class http_queue(object):
log = log_method
def __repr__(self):
- return rpki.log.log_repr(self, "%s" % addr_to_string(self.hostport))
+ return rpki.log.log_repr(self, addr_to_string(self.hostport))
def __init__(self, hostport):
self.hostport = hostport
@@ -886,7 +891,7 @@ class http_queue(object):
self.log("Detaching client %r" % client_)
self.client = None
- def return_result(self, client, result, detach = False):
+ def return_result(self, client, result, detach = False): # pylint: disable=W0621
"""
Client stream has returned a result, which we need to pass along
to the original caller. Result may be either an HTTP response
@@ -985,7 +990,7 @@ def client(msg, url, callback, errback):
if debug_http:
rpki.log.debug("Scheduling connection startup for %r" % request)
- rpki.async.defer(client_queues[hostport].restart)
+ rpki.async.event_defer(client_queues[hostport].restart)
def server(handlers, port, host = ""):
"""
diff --git a/rpkid/rpki/ipaddrs.py b/rpkid/rpki/ipaddrs.py
index a192f92b..d096e1d4 100644
--- a/rpkid/rpki/ipaddrs.py
+++ b/rpkid/rpki/ipaddrs.py
@@ -13,7 +13,7 @@ once, here, thus avoiding a lot of duplicate code elsewhere.
$Id$
-Copyright (C) 2009 Internet Systems Consortium ("ISC")
+Copyright (C) 2009-2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -52,6 +52,7 @@ class v4addr(long):
"""
bits = 32
+ ipversion = 4
def __new__(cls, x):
"""
@@ -91,6 +92,7 @@ class v6addr(long):
"""
bits = 128
+ ipversion = 6
def __new__(cls, x):
"""
diff --git a/rpkid/rpki/irdb/__init__.py b/rpkid/rpki/irdb/__init__.py
index 3eb6fab7..64c9ee6c 100644
--- a/rpkid/rpki/irdb/__init__.py
+++ b/rpkid/rpki/irdb/__init__.py
@@ -4,7 +4,7 @@ Python package, so humor it.
$Id$
-Copyright (C) 2011 Internet Systems Consortium ("ISC")
+Copyright (C) 2011-2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -19,5 +19,8 @@ OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
"""
+# pylint: disable=W0401
+
from rpki.irdb.models import *
from rpki.irdb.zookeeper import Zookeeper
+from rpki.irdb.router import DBContextRouter, database
diff --git a/rpkid/rpki/irdb/models.py b/rpkid/rpki/irdb/models.py
index 010ba635..1d3d70de 100644
--- a/rpkid/rpki/irdb/models.py
+++ b/rpkid/rpki/irdb/models.py
@@ -7,7 +7,7 @@ Django GUI code, so be careful.
$Id$
-Copyright (C) 2011 Internet Systems Consortium ("ISC")
+Copyright (C) 2011-2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -22,12 +22,14 @@ OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
"""
+# pylint: disable=W0232
+
import django.db.models
import rpki.x509
import rpki.sundial
import rpki.resource_set
-import rpki.ipaddrs
import socket
+import rpki.POW
from south.modelsinspector import add_introspection_rules
## @var ip_version_choices
@@ -65,7 +67,6 @@ class HandleField(django.db.models.CharField):
kwargs["max_length"] = 120
django.db.models.CharField.__init__(self, *args, **kwargs)
-
class EnumField(django.db.models.PositiveSmallIntegerField):
"""
An enumeration type that uses strings in Python and small integers
@@ -99,14 +100,14 @@ class SundialField(django.db.models.DateTimeField):
def to_python(self, value):
if isinstance(value, rpki.sundial.pydatetime.datetime):
- return rpki.sundial.datetime.fromdatetime(
+ return rpki.sundial.datetime.from_datetime(
django.db.models.DateTimeField.to_python(self, value))
else:
return value
def get_prep_value(self, value):
if isinstance(value, rpki.sundial.datetime):
- return value.to_sql()
+ return value.to_datetime()
else:
return value
@@ -297,7 +298,7 @@ class CA(django.db.models.Model):
return result
def revoke(self, cert):
- Revocations.objects.create(
+ Revocation.objects.create(
issuer = self,
revoked = rpki.sundial.now(),
serial = cert.certificate.getSerial(),
@@ -308,8 +309,7 @@ class CA(django.db.models.Model):
def generate_crl(self):
now = rpki.sundial.now()
self.revocations.filter(expires__lt = now).delete()
- revoked = [(r.serial, rpki.sundial.datetime.fromdatetime(r.revoked).toASN1tuple(), ())
- for r in self.revocations.all()]
+ revoked = [(r.serial, r.revoked) for r in self.revocations.all()]
self.latest_crl = rpki.x509.CRL.generate(
keypair = self.private_key,
issuer = self.certificate,
@@ -332,7 +332,7 @@ class ServerCA(CA):
if self.certificate is not None:
return self.certificate.getSubject()
else:
- return rpki.x509.X501DN("%s BPKI server CA" % socket.gethostname())
+ return rpki.x509.X501DN.from_cn("%s BPKI server CA" % socket.gethostname())
class ResourceHolderCA(CA):
handle = HandleField(unique = True)
@@ -346,7 +346,7 @@ class ResourceHolderCA(CA):
if self.certificate is not None:
return self.certificate.getSubject()
else:
- return rpki.x509.X501DN("%s BPKI resource CA" % self.handle)
+ return rpki.x509.X501DN.from_cn("%s BPKI resource CA" % self.handle)
class Certificate(django.db.models.Model):
@@ -435,7 +435,8 @@ class ServerEE(EECertificate):
@property
def subject_name(self):
- return rpki.x509.X501DN("%s BPKI %s EE" % (socket.gethostname(), self.get_purpose_display()))
+ return rpki.x509.X501DN.from_cn("%s BPKI %s EE" % (socket.gethostname(),
+ self.get_purpose_display()))
class Referral(EECertificate):
issuer = django.db.models.OneToOneField(ResourceHolderCA, related_name = "referral_certificate")
@@ -443,7 +444,7 @@ class Referral(EECertificate):
@property
def subject_name(self):
- return rpki.x509.X501DN("%s BPKI Referral EE" % self.issuer.handle)
+ return rpki.x509.X501DN.from_cn("%s BPKI Referral EE" % self.issuer.handle)
class Turtle(django.db.models.Model):
service_uri = django.db.models.CharField(max_length = 255)
@@ -454,7 +455,7 @@ class Rootd(EECertificate, Turtle):
@property
def subject_name(self):
- return rpki.x509.X501DN("%s BPKI rootd EE" % self.issuer.handle)
+ return rpki.x509.X501DN.from_cn("%s BPKI rootd EE" % self.issuer.handle)
class BSC(Certificate):
issuer = django.db.models.ForeignKey(ResourceHolderCA, related_name = "bscs")
@@ -478,12 +479,22 @@ class Child(CrossCertification):
@property
def resource_bag(self):
+ child_asn = rpki.irdb.ChildASN.objects.raw("""
+ SELECT *
+ FROM irdb_childasn
+ WHERE child_id = %s
+ """, [self.id])
+ child_net = list(rpki.irdb.ChildNet.objects.raw("""
+ SELECT *
+ FROM irdb_childnet
+ WHERE child_id = %s
+ """, [self.id]))
asns = rpki.resource_set.resource_set_as.from_django(
- (a.start_as, a.end_as) for a in self.asns.all())
+ (a.start_as, a.end_as) for a in child_asn)
ipv4 = rpki.resource_set.resource_set_ipv4.from_django(
- (a.start_ip, a.end_ip) for a in self.address_ranges.filter(version = 'IPv4'))
+ (a.start_ip, a.end_ip) for a in child_net if a.version == "IPv4")
ipv6 = rpki.resource_set.resource_set_ipv6.from_django(
- (a.start_ip, a.end_ip) for a in self.address_ranges.filter(version = 'IPv6'))
+ (a.start_ip, a.end_ip) for a in child_net if a.version == "IPv6")
return rpki.resource_set.resource_bag(
valid_until = self.valid_until, asn = asns, v4 = ipv4, v6 = ipv6)
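Review bot: The two `raw()` queries in `resource_bag` replace the `self.asns` and `self.address_ranges` managers with hand-written SQL and hard-coded table names (`irdb_childasn`, `irdb_childnet`), and nothing in the hunk says why. A short comment above them would help the next maintainer, along the lines of `# Raw SQL instead of the related managers (reason: ...); child_id is passed as a bound parameter, never formatted into the string.`, with the reason filled in by the author. It is also worth a comment that `child_net` is wrapped in `list()` because it is iterated twice, while `child_asn` is consumed once. The property has no docstring; one line stating that it returns a `resource_bag` built from this child's ASN and address rows would be enough.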
@@ -556,9 +567,9 @@ class ROARequestPrefix(django.db.models.Model):
def as_roa_prefix(self):
if self.version == 'IPv4':
- return rpki.resource_set.roa_prefix_ipv4(rpki.ipaddrs.v4addr(self.prefix), self.prefixlen, self.max_prefixlen)
+ return rpki.resource_set.roa_prefix_ipv4(rpki.POW.IPAddress(self.prefix), self.prefixlen, self.max_prefixlen)
else:
- return rpki.resource_set.roa_prefix_ipv6(rpki.ipaddrs.v6addr(self.prefix), self.prefixlen, self.max_prefixlen)
+ return rpki.resource_set.roa_prefix_ipv6(rpki.POW.IPAddress(self.prefix), self.prefixlen, self.max_prefixlen)
def as_resource_range(self):
return self.as_roa_prefix().to_resource_range()
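Review bot: Both branches of `as_roa_prefix` now build the address with the same call, `rpki.POW.IPAddress(self.prefix)`, so the family of the parsed address comes from the stored text while the choice of `roa_prefix_ipv4` or `roa_prefix_ipv6` comes from `self.version`. The old `v4addr` / `v6addr` constructors tied the two together; with the new code a row whose `version` and `prefix` disagree would, as far as this hunk shows, produce a mismatched ROA prefix object. `IPv4AddressField.to_python` in this commit passes `version=4`. If the constructor accepts that keyword for string input, passing `version=4` and `version=6` here would restore the check; otherwise compare the parsed family against `self.version` and raise on mismatch.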
@@ -591,7 +602,6 @@ class Client(CrossCertification):
class Meta:
unique_together = ("issuer", "handle")
-
# for Django South -- these are just simple subclasses
add_introspection_rules([],
('^rpki\.irdb\.models\.CertificateField',
diff --git a/rpkid/rpki/irdb/router.py b/rpkid/rpki/irdb/router.py
new file mode 100644
index 00000000..fad78b36
--- /dev/null
+++ b/rpkid/rpki/irdb/router.py
@@ -0,0 +1,95 @@
+"""
+Django-style "Database router".
+
+For most programs, you don't need this. Django's normal mode of
+behavior is to use a single SQL database for the IRDB, which is
+normally what we want. For certain test scenarios, however, it's
+useful to be able to use the same Django ORM models and managers with
+multiple databases without having to complicate the interface by
+passing database names everywhere. Using a database router
+accomplishes this.
+
+$Id$
+
+Copyright (C) 2012 Internet Systems Consortium ("ISC")
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
+"""
+
+class DBContextRouter(object):
+ """
+ A Django database router for use with multiple IRDBs.
+
+ This router is designed to work in conjunction with the
+ rpki.irdb.database context handler (q.v.).
+ """
+
+ _app = "irdb"
+
+ _database = None
+
+ def db_for_read(self, model, **hints):
+ if model._meta.app_label == self._app:
+ return self._database
+ else:
+ return None
+
+ def db_for_write(self, model, **hints):
+ if model._meta.app_label == self._app:
+ return self._database
+ else:
+ return None
+
+ def allow_relation(self, obj1, obj2, **hints):
+ if self._database is None:
+ return None
+ elif obj1._meta.app_label == self._app and obj2._meta.app_label == self._app:
+ return True
+ else:
+ return None
+
+ def allow_syncdb(self, db, model):
+ if db == self._database and model._meta.app_label == self._app:
+ return True
+ else:
+ return None
+
+class database(object):
+ """
+ Context manager for use with DBContextRouter. Use thusly:
+
+ with rpki.irdb.database("blarg"):
+ do_stuff()
+
+ This binds IRDB operations to database blarg for the duration of
+ the call to do_stuff(), then restores the prior state.
+ """
+
+ def __init__(self, name, on_entry = None, on_exit = None):
+ if not isinstance(name, str):
+ raise ValueError("database name must be a string, not %r" % name)
+ self.name = name
+ self.on_entry = on_entry
+ self.on_exit = on_exit
+
+ def __enter__(self):
+ if self.on_entry is not None:
+ self.on_entry()
+ self.former = DBContextRouter._database
+ DBContextRouter._database = self.name
+
+ def __exit__(self, _type, value, traceback):
+ assert DBContextRouter._database is self.name
+ DBContextRouter._database = self.former
+ if self.on_exit is not None:
+ self.on_exit()
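Review bot: `database.__exit__` guards the restore with `assert DBContextRouter._database is self.name`. That check is stripped under `python -O` and compares string identity rather than equality, and when it does fire `_database` stays on the inner name and `on_exit` never runs. Reading the current value, restoring `self.former`, and only then raising keeps the router consistent: `current = DBContextRouter._database`, `DBContextRouter._database = self.former`, `if current != self.name: raise RuntimeError("IRDB database context changed unexpectedly")`. The selected database is a class attribute shared by the whole process, so the class docstring should state that the context manager is not safe when several threads use the IRDB at once. `db_for_read` and `db_for_write` have identical bodies and no docstrings; a one-line docstring on each router method saying that `None` means "no opinion" would document the contract.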
diff --git a/rpkid/rpki/irdb/zookeeper.py b/rpkid/rpki/irdb/zookeeper.py
index 19bd55f7..9747bb30 100644
--- a/rpkid/rpki/irdb/zookeeper.py
+++ b/rpkid/rpki/irdb/zookeeper.py
@@ -18,17 +18,10 @@ OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
"""
-import subprocess
-import csv
-import re
+# pylint: disable=W0612
+
import os
-import getopt
-import sys
-import base64
-import time
-import glob
import copy
-import warnings
import rpki.config
import rpki.cli
import rpki.sundial
@@ -45,10 +38,9 @@ import rpki.irdb
import django.db.transaction
from lxml.etree import (Element, SubElement, ElementTree,
- fromstring as ElementFromString,
- tostring as ElementToString)
+ tostring as ElementToString)
-from rpki.csv_utils import (csv_reader, csv_writer, BadCSVSyntax)
+from rpki.csv_utils import csv_reader
@@ -96,24 +88,34 @@ class PEM_writer(object):
"""
Write PEM files to disk, keeping track of which ones we've already
written and setting the file mode appropriately.
+
+ Comparing the old file with what we're about to write serves no real
+ purpose except to calm users who find repeated messages about
+ writing the same file confusing.
"""
def __init__(self, logstream = None):
self.wrote = set()
self.logstream = logstream
- def __call__(self, filename, obj):
+ def __call__(self, filename, obj, compare = True):
filename = os.path.realpath(filename)
if filename in self.wrote:
return
tempname = filename
+ pem = obj.get_PEM()
if not filename.startswith("/dev/"):
+ try:
+ if compare and pem == open(filename, "r").read():
+ return
+ except: # pylint: disable=W0702
+ pass
tempname += ".%s.tmp" % os.getpid()
mode = 0400 if filename.endswith(".key") else 0444
if self.logstream is not None:
self.logstream.write("Writing %s\n" % filename)
f = os.fdopen(os.open(tempname, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode), "w")
- f.write(obj.get_PEM())
+ f.write(pem)
f.close()
if tempname != filename:
os.rename(tempname, filename)
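Review bot: The new `compare` shortcut in `PEM_writer.__call__` returns as soon as the file content matches, before the `0400` / `0444` mode is applied. An existing `.key` file with the right bytes but looser permissions is therefore left as it is, where the old code always replaced it with a freshly created file. The comparison also reads through `open(filename, "r").read()` without closing the handle, and the bare `except:` hides every failure, not only a missing file. I would compute `mode` before the comparison, skip the rewrite only when both content and permission bits match, and narrow the handler to `IOError` / `OSError`. The class docstring should then say that permissions are checked as well as content.

```python
pem = obj.get_PEM()
mode = 0400 if filename.endswith(".key") else 0444
if not filename.startswith("/dev/"):
    try:
        # Skip the rewrite only when content and permission bits both match.
        with open(filename, "r") as f:
            unchanged = compare and pem == f.read()
        if unchanged and (os.stat(filename).st_mode & 0777) == mode:
            return
    except (IOError, OSError):
        pass
    tempname += ".%s.tmp" % os.getpid()
# ... unchanged: log message, os.open/os.fdopen write of pem, rename ...
```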
@@ -174,6 +176,11 @@ class etree_wrapper(object):
if self.msg is not None:
logstream.write(self.msg + "\n")
+ @property
+ def file(self):
+ from cStringIO import StringIO
+ return StringIO(ElementToString(self.etree))
+
class Zookeeper(object):
@@ -218,7 +225,7 @@ class Zookeeper(object):
if handle is None:
raise MissingHandle
- self.handle= handle
+ self.handle = handle
def set_logstream(self, logstream):
@@ -514,7 +521,7 @@ class Zookeeper(object):
try:
self.resource_ca.children.get(handle = child_handle).delete()
except rpki.irdb.Child.DoesNotExist:
- self.log("No such child \"%s\"" % arg)
+ self.log("No such child \"%s\"" % child_handle)
@django.db.transaction.commit_on_success
@@ -590,7 +597,7 @@ class Zookeeper(object):
try:
self.resource_ca.parents.get(handle = parent_handle).delete()
except rpki.irdb.Parent.DoesNotExist:
- self.log("No such parent \"%s\"" % arg)
+ self.log("No such parent \"%s\"" % parent_handle)
@django.db.transaction.commit_on_success
@@ -709,7 +716,7 @@ class Zookeeper(object):
try:
self.server_ca.clients.get(handle = client_handle).delete()
except rpki.irdb.Client.DoesNotExist:
- self.log("No such client \"%s\"" % arg)
+ self.log("No such client \"%s\"" % client_handle)
@django.db.transaction.commit_on_success
@@ -758,9 +765,9 @@ class Zookeeper(object):
assert repository_handle is not None
try:
- self.resource_ca.repositories.get(handle = arg).delete()
+ self.resource_ca.repositories.get(handle = repository_handle).delete()
except rpki.irdb.Repository.DoesNotExist:
- self.log("No such repository \"%s\"" % arg)
+ self.log("No such repository \"%s\"" % repository_handle)
@django.db.transaction.commit_on_success
@@ -1062,11 +1069,63 @@ class Zookeeper(object):
def synchronize(self, *handles_to_poke):
"""
Configure RPKI daemons with the data built up by the other
- commands in this program. Most commands which modify the IRDB
- should call this when they're done.
+ commands in this program. Commands which modify the IRDB and want
+ to whack everything into sync should call this when they're done,
+ but be warned that this can be slow with a lot of CAs.
+
+ Any arguments given are handles of CAs which should be poked with a
+ <self run_now="yes"/> operation.
+ """
+
+ for ca in rpki.irdb.ResourceHolderCA.objects.all():
+ self.synchronize_rpkid_one_ca_core(ca, ca.handle in handles_to_poke)
+ self.synchronize_pubd_core()
+ self.synchronize_rpkid_deleted_core()
+
+
+ @django.db.transaction.commit_on_success
+ def synchronize_ca(self, ca = None, poke = False):
+ """
+ Synchronize one CA. Most commands which modify a CA should call
+ this. CA to synchronize defaults to the current resource CA.
+ """
+
+ if ca is None:
+ ca = self.resource_ca
+ self.synchronize_rpkid_one_ca_core(ca, poke)
+
+
+ @django.db.transaction.commit_on_success
+ def synchronize_deleted_ca(self):
+ """
+ Delete CAs which are present in rpkid's database but not in the
+ IRDB.
+ """
+
+ self.synchronize_rpkid_deleted_core()
+
+
+ @django.db.transaction.commit_on_success
+ def synchronize_pubd(self):
+ """
+ Synchronize pubd. Most commands which modify pubd should call this.
+ """
- Any arguments given are handles to be sent to rpkid at the end of
- the synchronization run with a <self run_now="yes"/> operation.
+ self.synchronize_pubd_core()
+
+
+ def synchronize_rpkid_one_ca_core(self, ca, poke = False):
+ """
+ Synchronize one CA. This is the core synchronization code. Don't
+ call this directly, instead call one of the methods that calls
+ this inside a Django commit wrapper.
+
+ This method configures rpkid with data built up by the other
+ commands in this program. Most commands which modify IRDB values
+ related to rpkid should call this when they're done.
+
+ If poke is True, we append a left-right run_now operation for this
+ CA to the end of whatever other commands this method generates.
"""
# We can use a single BSC for everything -- except BSC key
@@ -1082,258 +1141,285 @@ class Zookeeper(object):
self_regen_margin = self.cfg.getint("self_regen_margin", self_crl_interval / 4,
section = myrpki_section)
- # Make sure that pubd's BPKI CRL is up to date.
+ # See what rpkid already has on file for this entity.
- if self.run_pubd:
- self.call_pubd(rpki.publication.config_elt.make_pdu(
- action = "set",
- bpki_crl = self.server_ca.latest_crl))
+ rpkid_reply = self.call_rpkid(
+ rpki.left_right.self_elt.make_pdu( action = "get", tag = "self", self_handle = ca.handle),
+ rpki.left_right.bsc_elt.make_pdu( action = "list", tag = "bsc", self_handle = ca.handle),
+ rpki.left_right.repository_elt.make_pdu(action = "list", tag = "repository", self_handle = ca.handle),
+ rpki.left_right.parent_elt.make_pdu( action = "list", tag = "parent", self_handle = ca.handle),
+ rpki.left_right.child_elt.make_pdu( action = "list", tag = "child", self_handle = ca.handle))
- for ca in rpki.irdb.ResourceHolderCA.objects.all():
+ self_pdu = rpkid_reply[0]
+ bsc_pdus = dict((x.bsc_handle, x) for x in rpkid_reply if isinstance(x, rpki.left_right.bsc_elt))
+ repository_pdus = dict((x.repository_handle, x) for x in rpkid_reply if isinstance(x, rpki.left_right.repository_elt))
+ parent_pdus = dict((x.parent_handle, x) for x in rpkid_reply if isinstance(x, rpki.left_right.parent_elt))
+ child_pdus = dict((x.child_handle, x) for x in rpkid_reply if isinstance(x, rpki.left_right.child_elt))
- # See what rpkid and pubd already have on file for this entity.
-
- if self.run_pubd:
- pubd_reply = self.call_pubd(rpki.publication.client_elt.make_pdu(action = "list"))
- client_pdus = dict((x.client_handle, x) for x in pubd_reply if isinstance(x, rpki.publication.client_elt))
-
- rpkid_reply = self.call_rpkid(
- rpki.left_right.self_elt.make_pdu( action = "get", tag = "self", self_handle = ca.handle),
- rpki.left_right.bsc_elt.make_pdu( action = "list", tag = "bsc", self_handle = ca.handle),
- rpki.left_right.repository_elt.make_pdu(action = "list", tag = "repository", self_handle = ca.handle),
- rpki.left_right.parent_elt.make_pdu( action = "list", tag = "parent", self_handle = ca.handle),
- rpki.left_right.child_elt.make_pdu( action = "list", tag = "child", self_handle = ca.handle))
-
- self_pdu = rpkid_reply[0]
- bsc_pdus = dict((x.bsc_handle, x) for x in rpkid_reply if isinstance(x, rpki.left_right.bsc_elt))
- repository_pdus = dict((x.repository_handle, x) for x in rpkid_reply if isinstance(x, rpki.left_right.repository_elt))
- parent_pdus = dict((x.parent_handle, x) for x in rpkid_reply if isinstance(x, rpki.left_right.parent_elt))
- child_pdus = dict((x.child_handle, x) for x in rpkid_reply if isinstance(x, rpki.left_right.child_elt))
-
- pubd_query = []
- rpkid_query = []
-
- self_cert, created = rpki.irdb.HostedCA.objects.get_or_certify(
- issuer = self.server_ca,
- hosted = ca)
-
- # There should be exactly one <self/> object per hosted entity, by definition
-
- if (isinstance(self_pdu, rpki.left_right.report_error_elt) or
- self_pdu.crl_interval != self_crl_interval or
- self_pdu.regen_margin != self_regen_margin or
- self_pdu.bpki_cert != self_cert.certificate):
- rpkid_query.append(rpki.left_right.self_elt.make_pdu(
- action = "create" if isinstance(self_pdu, rpki.left_right.report_error_elt) else "set",
- tag = "self",
- self_handle = ca.handle,
- bpki_cert = ca.certificate,
- crl_interval = self_crl_interval,
- regen_margin = self_regen_margin))
+ rpkid_query = []
+
+ self_cert, created = rpki.irdb.HostedCA.objects.get_or_certify(
+ issuer = self.server_ca,
+ hosted = ca)
+
+ # There should be exactly one <self/> object per hosted entity, by definition
+
+ if (isinstance(self_pdu, rpki.left_right.report_error_elt) or
+ self_pdu.crl_interval != self_crl_interval or
+ self_pdu.regen_margin != self_regen_margin or
+ self_pdu.bpki_cert != self_cert.certificate):
+ rpkid_query.append(rpki.left_right.self_elt.make_pdu(
+ action = "create" if isinstance(self_pdu, rpki.left_right.report_error_elt) else "set",
+ tag = "self",
+ self_handle = ca.handle,
+ bpki_cert = ca.certificate,
+ crl_interval = self_crl_interval,
+ regen_margin = self_regen_margin))
+
+ # In general we only need one <bsc/> per <self/>. BSC objects
+ # are a little unusual in that the keypair and PKCS #10
+ # subelement is generated by rpkid, so complete setup requires
+ # two round trips.
+
+ bsc_pdu = bsc_pdus.pop(bsc_handle, None)
+
+ if bsc_pdu is None:
+ rpkid_query.append(rpki.left_right.bsc_elt.make_pdu(
+ action = "create",
+ tag = "bsc",
+ self_handle = ca.handle,
+ bsc_handle = bsc_handle,
+ generate_keypair = "yes"))
+
+ elif bsc_pdu.pkcs10_request is None:
+ rpkid_query.append(rpki.left_right.bsc_elt.make_pdu(
+ action = "set",
+ tag = "bsc",
+ self_handle = ca.handle,
+ bsc_handle = bsc_handle,
+ generate_keypair = "yes"))
+
+ rpkid_query.extend(rpki.left_right.bsc_elt.make_pdu(
+ action = "destroy", self_handle = ca.handle, bsc_handle = b) for b in bsc_pdus)
- # In general we only need one <bsc/> per <self/>. BSC objects
- # are a little unusual in that the keypair and PKCS #10
- # subelement is generated by rpkid, so complete setup requires
- # two round trips.
+ # If we've already got actions queued up, run them now, so we
+ # can finish setting up the BSC before anything tries to use it.
+ if rpkid_query:
+ rpkid_query.append(rpki.left_right.bsc_elt.make_pdu(action = "list", tag = "bsc", self_handle = ca.handle))
+ rpkid_reply = self.call_rpkid(*rpkid_query)
+ bsc_pdus = dict((x.bsc_handle, x)
+ for x in rpkid_reply
+ if isinstance(x, rpki.left_right.bsc_elt) and x.action == "list")
bsc_pdu = bsc_pdus.pop(bsc_handle, None)
+ self.check_error_report(rpkid_reply)
+
+ rpkid_query = []
- if bsc_pdu is None:
- rpkid_query.append(rpki.left_right.bsc_elt.make_pdu(
- action = "create",
- tag = "bsc",
+ assert bsc_pdu.pkcs10_request is not None
+
+ bsc, created = rpki.irdb.BSC.objects.get_or_certify(
+ issuer = ca,
+ handle = bsc_handle,
+ pkcs10 = bsc_pdu.pkcs10_request)
+
+ if bsc_pdu.signing_cert != bsc.certificate or bsc_pdu.signing_cert_crl != ca.latest_crl:
+ rpkid_query.append(rpki.left_right.bsc_elt.make_pdu(
+ action = "set",
+ tag = "bsc",
+ self_handle = ca.handle,
+ bsc_handle = bsc_handle,
+ signing_cert = bsc.certificate,
+ signing_cert_crl = ca.latest_crl))
+
+ # At present we need one <repository/> per <parent/>, not because
+ # rpkid requires that, but because pubd does. pubd probably should
+ # be fixed to support a single client allowed to update multiple
+ # trees, but for the moment the easiest way forward is just to
+ # enforce a 1:1 mapping between <parent/> and <repository/> objects
+
+ for repository in ca.repositories.all():
+
+ repository_pdu = repository_pdus.pop(repository.handle, None)
+
+ if (repository_pdu is None or
+ repository_pdu.bsc_handle != bsc_handle or
+ repository_pdu.peer_contact_uri != repository.service_uri or
+ repository_pdu.bpki_cert != repository.certificate):
+ rpkid_query.append(rpki.left_right.repository_elt.make_pdu(
+ action = "create" if repository_pdu is None else "set",
+ tag = repository.handle,
self_handle = ca.handle,
+ repository_handle = repository.handle,
bsc_handle = bsc_handle,
- generate_keypair = "yes"))
-
- elif bsc_pdu.pkcs10_request is None:
- rpkid_query.append(rpki.left_right.bsc_elt.make_pdu(
- action = "set",
- tag = "bsc",
+ peer_contact_uri = repository.service_uri,
+ bpki_cert = repository.certificate))
+
+ rpkid_query.extend(rpki.left_right.repository_elt.make_pdu(
+ action = "destroy", self_handle = ca.handle, repository_handle = r) for r in repository_pdus)
+
+ # <parent/> setup code currently assumes 1:1 mapping between
+ # <repository/> and <parent/>, and further assumes that the handles
+ # for an associated pair are the identical (that is:
+ # parent.repository_handle == parent.parent_handle).
+
+ for parent in ca.parents.all():
+
+ parent_pdu = parent_pdus.pop(parent.handle, None)
+
+ if (parent_pdu is None or
+ parent_pdu.bsc_handle != bsc_handle or
+ parent_pdu.repository_handle != parent.handle or
+ parent_pdu.peer_contact_uri != parent.service_uri or
+ parent_pdu.sia_base != parent.repository.sia_base or
+ parent_pdu.sender_name != parent.child_handle or
+ parent_pdu.recipient_name != parent.parent_handle or
+ parent_pdu.bpki_cms_cert != parent.certificate):
+ rpkid_query.append(rpki.left_right.parent_elt.make_pdu(
+ action = "create" if parent_pdu is None else "set",
+ tag = parent.handle,
self_handle = ca.handle,
+ parent_handle = parent.handle,
bsc_handle = bsc_handle,
- generate_keypair = "yes"))
+ repository_handle = parent.handle,
+ peer_contact_uri = parent.service_uri,
+ sia_base = parent.repository.sia_base,
+ sender_name = parent.child_handle,
+ recipient_name = parent.parent_handle,
+ bpki_cms_cert = parent.certificate))
- rpkid_query.extend(rpki.left_right.bsc_elt.make_pdu(
- action = "destroy", self_handle = ca.handle, bsc_handle = b) for b in bsc_pdus)
+ try:
- # If we've already got actions queued up, run them now, so we
- # can finish setting up the BSC before anything tries to use it.
+ parent_pdu = parent_pdus.pop(ca.handle, None)
+
+ if (parent_pdu is None or
+ parent_pdu.bsc_handle != bsc_handle or
+ parent_pdu.repository_handle != ca.handle or
+ parent_pdu.peer_contact_uri != ca.rootd.service_uri or
+ parent_pdu.sia_base != ca.rootd.repository.sia_base or
+ parent_pdu.sender_name != ca.handle or
+ parent_pdu.recipient_name != ca.handle or
+ parent_pdu.bpki_cms_cert != ca.rootd.certificate):
+ rpkid_query.append(rpki.left_right.parent_elt.make_pdu(
+ action = "create" if parent_pdu is None else "set",
+ tag = ca.handle,
+ self_handle = ca.handle,
+ parent_handle = ca.handle,
+ bsc_handle = bsc_handle,
+ repository_handle = ca.handle,
+ peer_contact_uri = ca.rootd.service_uri,
+ sia_base = ca.rootd.repository.sia_base,
+ sender_name = ca.handle,
+ recipient_name = ca.handle,
+ bpki_cms_cert = ca.rootd.certificate))
+
+ except rpki.irdb.Rootd.DoesNotExist:
+ pass
- if rpkid_query:
- rpkid_query.append(rpki.left_right.bsc_elt.make_pdu(action = "list", tag = "bsc", self_handle = ca.handle))
- rpkid_reply = self.call_rpkid(*rpkid_query)
- bsc_pdus = dict((x.bsc_handle, x)
- for x in rpkid_reply
- if isinstance(x, rpki.left_right.bsc_elt) and x.action == "list")
- bsc_pdu = bsc_pdus.pop(bsc_handle, None)
- self.check_error_report(rpkid_reply)
+ rpkid_query.extend(rpki.left_right.parent_elt.make_pdu(
+ action = "destroy", self_handle = ca.handle, parent_handle = p) for p in parent_pdus)
- rpkid_query = []
+ # Children are simpler than parents, because they call us, so no URL
+ # to construct and figuring out what certificate to use is their
+ # problem, not ours.
- assert bsc_pdu.pkcs10_request is not None
+ for child in ca.children.all():
- bsc, created = rpki.irdb.BSC.objects.get_or_certify(
- issuer = ca,
- handle = bsc_handle,
- pkcs10 = bsc_pdu.pkcs10_request)
+ child_pdu = child_pdus.pop(child.handle, None)
- if bsc_pdu.signing_cert != bsc.certificate or bsc_pdu.signing_cert_crl != ca.latest_crl:
- rpkid_query.append(rpki.left_right.bsc_elt.make_pdu(
- action = "set",
- tag = "bsc",
+ if (child_pdu is None or
+ child_pdu.bsc_handle != bsc_handle or
+ child_pdu.bpki_cert != child.certificate):
+ rpkid_query.append(rpki.left_right.child_elt.make_pdu(
+ action = "create" if child_pdu is None else "set",
+ tag = child.handle,
self_handle = ca.handle,
+ child_handle = child.handle,
bsc_handle = bsc_handle,
- signing_cert = bsc.certificate,
- signing_cert_crl = ca.latest_crl))
-
- # At present we need one <repository/> per <parent/>, not because
- # rpkid requires that, but because pubd does. pubd probably should
- # be fixed to support a single client allowed to update multiple
- # trees, but for the moment the easiest way forward is just to
- # enforce a 1:1 mapping between <parent/> and <repository/> objects
-
- for repository in ca.repositories.all():
-
- repository_pdu = repository_pdus.pop(repository.handle, None)
-
- if (repository_pdu is None or
- repository_pdu.bsc_handle != bsc_handle or
- repository_pdu.peer_contact_uri != repository.service_uri or
- repository_pdu.bpki_cert != repository.certificate):
- rpkid_query.append(rpki.left_right.repository_elt.make_pdu(
- action = "create" if repository_pdu is None else "set",
- tag = repository.handle,
- self_handle = ca.handle,
- repository_handle = repository.handle,
- bsc_handle = bsc_handle,
- peer_contact_uri = repository.service_uri,
- bpki_cert = repository.certificate))
-
- rpkid_query.extend(rpki.left_right.repository_elt.make_pdu(
- action = "destroy", self_handle = ca.handle, repository_handle = r) for r in repository_pdus)
-
- # <parent/> setup code currently assumes 1:1 mapping between
- # <repository/> and <parent/>, and further assumes that the handles
- # for an associated pair are the identical (that is:
- # parent.repository_handle == parent.parent_handle).
-
- for parent in ca.parents.all():
-
- parent_pdu = parent_pdus.pop(parent.handle, None)
-
- if (parent_pdu is None or
- parent_pdu.bsc_handle != bsc_handle or
- parent_pdu.repository_handle != parent.handle or
- parent_pdu.peer_contact_uri != parent.service_uri or
- parent_pdu.sia_base != parent.repository.sia_base or
- parent_pdu.sender_name != parent.child_handle or
- parent_pdu.recipient_name != parent.parent_handle or
- parent_pdu.bpki_cms_cert != parent.certificate):
- rpkid_query.append(rpki.left_right.parent_elt.make_pdu(
- action = "create" if parent_pdu is None else "set",
- tag = parent.handle,
- self_handle = ca.handle,
- parent_handle = parent.handle,
- bsc_handle = bsc_handle,
- repository_handle = parent.handle,
- peer_contact_uri = parent.service_uri,
- sia_base = parent.repository.sia_base,
- sender_name = parent.child_handle,
- recipient_name = parent.parent_handle,
- bpki_cms_cert = parent.certificate))
+ bpki_cert = child.certificate))
- try:
+ rpkid_query.extend(rpki.left_right.child_elt.make_pdu(
+ action = "destroy", self_handle = ca.handle, child_handle = c) for c in child_pdus)
+
+ # If caller wants us to poke rpkid, add that to the very end of the message
+
+ if poke:
+ rpkid_query.append(rpki.left_right.self_elt.make_pdu(
+ action = "set", self_handle = ca.handle, run_now = "yes"))
+
+ # If we changed anything, ship updates off to rpkid
+
+ if rpkid_query:
+ rpkid_reply = self.call_rpkid(*rpkid_query)
+ bsc_pdus = dict((x.bsc_handle, x) for x in rpkid_reply if isinstance(x, rpki.left_right.bsc_elt))
+ if bsc_handle in bsc_pdus and bsc_pdus[bsc_handle].pkcs10_request:
+ bsc_req = bsc_pdus[bsc_handle].pkcs10_request
+ self.check_error_report(rpkid_reply)
- parent_pdu = parent_pdus.pop(ca.handle, None)
-
- if (parent_pdu is None or
- parent_pdu.bsc_handle != bsc_handle or
- parent_pdu.repository_handle != ca.handle or
- parent_pdu.peer_contact_uri != ca.rootd.service_uri or
- parent_pdu.sia_base != ca.rootd.repository.sia_base or
- parent_pdu.sender_name != ca.handle or
- parent_pdu.recipient_name != ca.handle or
- parent_pdu.bpki_cms_cert != ca.rootd.certificate):
- rpkid_query.append(rpki.left_right.parent_elt.make_pdu(
- action = "create" if parent_pdu is None else "set",
- tag = ca.handle,
- self_handle = ca.handle,
- parent_handle = ca.handle,
- bsc_handle = bsc_handle,
- repository_handle = ca.handle,
- peer_contact_uri = ca.rootd.service_uri,
- sia_base = ca.rootd.repository.sia_base,
- sender_name = ca.handle,
- recipient_name = ca.handle,
- bpki_cms_cert = ca.rootd.certificate))
-
- except rpki.irdb.Rootd.DoesNotExist:
- pass
- rpkid_query.extend(rpki.left_right.parent_elt.make_pdu(
- action = "destroy", self_handle = ca.handle, parent_handle = p) for p in parent_pdus)
+ def synchronize_pubd_core(self):
+ """
+ Configure pubd with data built up by the other commands in this
+ program. This is the core synchronization code. Don't call this
+ directly, instead call a methods that calls this inside a Django
+ commit wrapper.
- # Children are simpler than parents, because they call us, so no URL
- # to construct and figuring out what certificate to use is their
- # problem, not ours.
+ This method configures pubd with data built up by the other
+ commands in this program. Commands which modify IRDB fields
+ related to pubd should call this when they're done.
+ """
- for child in ca.children.all():
+ # If we're not running pubd, the rest of this is a waste of time
- child_pdu = child_pdus.pop(child.handle, None)
+ if not self.run_pubd:
+ return
+
+ # Make sure that pubd's BPKI CRL is up to date.
- if (child_pdu is None or
- child_pdu.bsc_handle != bsc_handle or
- child_pdu.bpki_cert != child.certificate):
- rpkid_query.append(rpki.left_right.child_elt.make_pdu(
- action = "create" if child_pdu is None else "set",
- tag = child.handle,
- self_handle = ca.handle,
- child_handle = child.handle,
- bsc_handle = bsc_handle,
- bpki_cert = child.certificate))
+ self.call_pubd(rpki.publication.config_elt.make_pdu(
+ action = "set",
+ bpki_crl = self.server_ca.latest_crl))
- rpkid_query.extend(rpki.left_right.child_elt.make_pdu(
- action = "destroy", self_handle = ca.handle, child_handle = c) for c in child_pdus)
+ # See what pubd already has on file
- # Publication setup.
+ pubd_reply = self.call_pubd(rpki.publication.client_elt.make_pdu(action = "list"))
+ client_pdus = dict((x.client_handle, x) for x in pubd_reply if isinstance(x, rpki.publication.client_elt))
+ pubd_query = []
- # Um, why are we doing this per resource holder?
+ # Check all clients
- if self.run_pubd:
+ for client in self.server_ca.clients.all():
- for client in self.server_ca.clients.all():
+ client_pdu = client_pdus.pop(client.handle, None)
- client_pdu = client_pdus.pop(client.handle, None)
+ if (client_pdu is None or
+ client_pdu.base_uri != client.sia_base or
+ client_pdu.bpki_cert != client.certificate):
+ pubd_query.append(rpki.publication.client_elt.make_pdu(
+ action = "create" if client_pdu is None else "set",
+ client_handle = client.handle,
+ bpki_cert = client.certificate,
+ base_uri = client.sia_base))
- if (client_pdu is None or
- client_pdu.base_uri != client.sia_base or
- client_pdu.bpki_cert != client.certificate):
- pubd_query.append(rpki.publication.client_elt.make_pdu(
- action = "create" if client_pdu is None else "set",
- client_handle = client.handle,
- bpki_cert = client.certificate,
- base_uri = client.sia_base))
+ # Delete any unknown clients
- pubd_query.extend(rpki.publication.client_elt.make_pdu(
+ pubd_query.extend(rpki.publication.client_elt.make_pdu(
action = "destroy", client_handle = p) for p in client_pdus)
- # If we changed anything, ship updates off to daemons
+ # If we changed anything, ship updates off to pubd
- if rpkid_query:
- rpkid_reply = self.call_rpkid(*rpkid_query)
- bsc_pdus = dict((x.bsc_handle, x) for x in rpkid_reply if isinstance(x, rpki.left_right.bsc_elt))
- if bsc_handle in bsc_pdus and bsc_pdus[bsc_handle].pkcs10_request:
- bsc_req = bsc_pdus[bsc_handle].pkcs10_request
- self.check_error_report(rpkid_reply)
+ if pubd_query:
+ pubd_reply = self.call_pubd(*pubd_query)
+ self.check_error_report(pubd_reply)
- if pubd_query:
- assert self.run_pubd
- pubd_reply = self.call_pubd(*pubd_query)
- self.check_error_report(pubd_reply)
- # Clean up any <self/> objects rpkid might be holding that don't
- # match a ResourceCA object.
+ def synchronize_rpkid_deleted_core(self):
+ """
+ Remove any <self/> objects present in rpkid's database but not
+ present in the IRDB. This is the core synchronization code.
+ Don't call this directly, instead call a methods that calls this
+ inside a Django commit wrapper.
+ """
rpkid_reply = self.call_rpkid(rpki.left_right.self_elt.make_pdu(action = "list"))
self.check_error_report(rpkid_reply)
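Review bot: In `synchronize_rpkid_one_ca_core` the staleness test for the `<self/>` object compares `self_pdu.bpki_cert` against `self_cert.certificate`, but the PDU queued a few lines later sends `bpki_cert = ca.certificate`. If those two certificates differ, rpkid is handed a different BPKI certificate from the one the check expects, and the comparison stays unequal so a `set` is re-sent on every sync. Which value is intended cannot be told from this hunk; if it is the HostedCA certificate just returned by `get_or_certify`, the line should read `bpki_cert = self_cert.certificate,`. The pattern is carried over unchanged from the removed loop body, and the method itself starts in the preceding hunk.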
@@ -1345,11 +1431,6 @@ class Zookeeper(object):
rpkid_query = [rpki.left_right.self_elt.make_pdu(action = "destroy", self_handle = handle)
for handle in (self_handles - ca_handles)]
- # Poke rpkid to run immediately for any requested handles.
-
- rpkid_query.extend(rpki.left_right.self_elt.make_pdu(
- action = "set", self_handle = h, run_now = "yes") for h in handles_to_poke)
-
if rpkid_query:
rpkid_reply = self.call_rpkid(*rpkid_query)
self.check_error_report(rpkid_reply)
diff --git a/rpkid/rpki/irdbd.py b/rpkid/rpki/irdbd.py
index 592ad799..dafdaff9 100644
--- a/rpkid/rpki/irdbd.py
+++ b/rpkid/rpki/irdbd.py
@@ -42,7 +42,6 @@ import os
import time
import getopt
import urlparse
-import warnings
import rpki.http
import rpki.config
import rpki.resource_set
@@ -105,6 +104,8 @@ class main(object):
try:
q_pdu = None
r_msg = rpki.left_right.msg.reply()
+ from django.db import connection
+ connection.cursor() # Reconnect to mysqld if necessary
self.start_new_transaction()
serverCA = rpki.irdb.ServerCA.objects.get()
rpkid = serverCA.ee_certificates.get(purpose = "rpkid")
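Review bot: The added `connection.cursor()` call relies on a side effect of the database backend to revive a dropped MySQL connection, and the cursor it returns is discarded without being closed. Whether `cursor()` actually re-establishes a stale connection depends on the Django backend in use, which this hunk does not show. The comment should name what is being relied on, e.g. `# cursor() makes the backend check the connection and reconnect if mysqld dropped it`. Closing the throwaway cursor with `connection.cursor().close()` would avoid leaving one open on each pass through this handler. The enclosing handler begins and ends outside the hunk.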
@@ -142,7 +143,7 @@ class main(object):
def __init__(self, **kwargs):
- global rpki
+ global rpki # pylint: disable=W0602
os.environ["TZ"] = "UTC"
time.tzset()
@@ -190,7 +191,7 @@ class main(object):
def main(self):
- global rpki
+ global rpki # pylint: disable=W0602
from django.conf import settings
startup_msg = self.cfg.get("startup-message", "")
@@ -218,8 +219,8 @@ class main(object):
"PORT" : "" }},
INSTALLED_APPS = ("rpki.irdb",),)
- import rpki.irdb
-
+ import rpki.irdb # pylint: disable=W0621
+
# Entirely too much fun with read-only access to transactional databases.
#
# http://stackoverflow.com/questions/3346124/how-do-i-force-django-to-ignore-any-caches-and-reload-data
diff --git a/rpkid/rpki/left_right.py b/rpkid/rpki/left_right.py
index b74b12b5..a7dca013 100644
--- a/rpkid/rpki/left_right.py
+++ b/rpkid/rpki/left_right.py
@@ -3,7 +3,7 @@ RPKI "left-right" protocol.
$Id$
-Copyright (C) 2009--2011 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -32,24 +32,25 @@ OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
"""
-import rpki.resource_set, rpki.x509, rpki.sql, rpki.exceptions, rpki.xml_utils
-import rpki.http, rpki.up_down, rpki.relaxng, rpki.sundial, rpki.log, rpki.roa
-import rpki.publication, rpki.async
+import rpki.resource_set
+import rpki.x509
+import rpki.sql
+import rpki.exceptions
+import rpki.xml_utils
+import rpki.http
+import rpki.up_down
+import rpki.relaxng
+import rpki.sundial
+import rpki.log
+import rpki.publication
+import rpki.async
+import rpki.rpkid_tasks
## @var enforce_strict_up_down_xml_sender
# Enforce strict checking of XML "sender" field in up-down protocol
enforce_strict_up_down_xml_sender = False
-## @var max_new_roas_at_once
-# Upper limit on the number of ROAs we'll create in a single
-# self_elt.update_roas() call. This is a bit of a kludge, and may be
-# replaced with something more clever or general later; for the moment
-# the goal is to avoid going totally compute bound when somebody
-# throws 50,000 new ROA requests at us in a single batch.
-
-max_new_roas_at_once = 50
-
class left_right_namespace(object):
"""
XML namespace parameters for left-right protocol.
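Review bot: Removing `max_new_roas_at_once` drops the only visible bound on how many ROAs one update pass may create, which its comment described as protection against going compute bound when a batch of 50,000 ROA requests arrives. Nothing in this hunk shows where that limit now lives; presumably the ROA work moved into the newly imported `rpki.rpkid_tasks`, but that module is not visible here. If the limit moved, a pointer such as `# ROA batch throttling now lives in rpki.rpkid_tasks` next to the import would keep the safeguard discoverable. If it was dropped, a large IRDB batch may again monopolise rpkid, and the bound should be restored in the task code.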
@@ -69,6 +70,7 @@ class data_elt(rpki.xml_utils.data_elt, rpki.sql.sql_persistent, left_right_name
self_handle = None
@property
+ @rpki.sql.cache_reference
def self(self):
"""
Fetch self object to which this object links.
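Review bot: The `self` property (and `bsc` in the next hunk) now goes through `rpki.sql.cache_reference`, but the docstrings still describe a plain fetch, so a reader cannot tell that the returned object may be a cached one. The decorator's invalidation rules are not visible in this diff; if it keeps the first result for the lifetime of the object, a later change to `self_id` or a deleted row would not be seen by subsequent accesses. The docstrings should say so, e.g. `Fetch self object to which this object links (result cached by rpki.sql.cache_reference).` Both property bodies continue outside their hunks.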
@@ -76,6 +78,7 @@ class data_elt(rpki.xml_utils.data_elt, rpki.sql.sql_persistent, left_right_name
return self_elt.sql_fetch(self.gctx, self.self_id)
@property
+ @rpki.sql.cache_reference
def bsc(self):
"""
Return BSC object to which this object links.
@@ -149,9 +152,16 @@ class self_elt(data_elt):
booleans = ("rekey", "reissue", "revoke", "run_now", "publish_world_now", "revoke_forgotten",
"clear_replay_protection")
- sql_template = rpki.sql.template("self", "self_id", "self_handle",
- "use_hsm", "crl_interval", "regen_margin",
- ("bpki_cert", rpki.x509.X509), ("bpki_glue", rpki.x509.X509))
+ sql_template = rpki.sql.template(
+ "self",
+ "self_id",
+ "self_handle",
+ "use_hsm",
+ "crl_interval",
+ "regen_margin",
+ ("bpki_cert", rpki.x509.X509),
+ ("bpki_glue", rpki.x509.X509))
+
handles = ()
use_hsm = False
@@ -159,6 +169,10 @@ class self_elt(data_elt):
regen_margin = None
bpki_cert = None
bpki_glue = None
+ cron_tasks = None
+
+ def __repr__(self):
+ return rpki.log.log_repr(self)
@property
def bscs(self):
@@ -306,11 +320,16 @@ class self_elt(data_elt):
for ca in parent.cas:
ca_detail = ca.active_ca_detail
if ca_detail is not None:
- q_msg.append(rpki.publication.crl_elt.make_publish(ca_detail.crl_uri, ca_detail.latest_crl))
- q_msg.append(rpki.publication.manifest_elt.make_publish(ca_detail.manifest_uri, ca_detail.latest_manifest))
- q_msg.extend(rpki.publication.certificate_elt.make_publish(c.uri, c.cert) for c in ca_detail.child_certs)
- q_msg.extend(rpki.publication.roa_elt.make_publish(r.uri, r.roa) for r in ca_detail.roas if r.roa is not None)
- q_msg.extend(rpki.publication.ghostbuster_elt.make_publish(g.uri, g.ghostbuster) for g in ca_detail.ghostbusters)
+ q_msg.append(rpki.publication.crl_elt.make_publish(
+ ca_detail.crl_uri, ca_detail.latest_crl))
+ q_msg.append(rpki.publication.manifest_elt.make_publish(
+ ca_detail.manifest_uri, ca_detail.latest_manifest))
+ q_msg.extend(rpki.publication.certificate_elt.make_publish(
+ c.uri, c.cert) for c in ca_detail.child_certs)
+ q_msg.extend(rpki.publication.roa_elt.make_publish(
+ r.uri, r.roa) for r in ca_detail.roas if r.roa is not None)
+ q_msg.extend(rpki.publication.ghostbuster_elt.make_publish(
+ g.uri, g.ghostbuster) for g in ca_detail.ghostbusters)
parent.repository.call_pubd(iterator, eb, q_msg)
rpki.async.iterator(self.parents, loop, cb)
@@ -319,8 +338,12 @@ class self_elt(data_elt):
"""
Handle a left-right run_now action for this self.
"""
- rpki.log.debug("Forced immediate run of periodic actions for self %s[%d]" % (self.self_handle, self.self_id))
- self.cron(cb)
+ rpki.log.debug("Forced immediate run of periodic actions for self %s[%d]" % (
+ self.self_handle, self.self_id))
+ completion = rpki.rpkid_tasks.CompletionHandler(cb)
+ self.schedule_cron_tasks(completion)
+ assert completion.count > 0
+ self.gctx.task_run()
def serve_fetch_one_maybe(self):
"""
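Review bot: `assert completion.count > 0` in the run_now handler is the only guard against scheduling no tasks, and asserts are stripped when Python runs with `-O`. `CompletionHandler` is not visible here, but if it invokes `cb` only as tasks finish, an empty schedule would leave the left-right request without a reply. An explicit check survives optimisation: `if completion.count == 0: raise RuntimeError("run_now scheduled no tasks for self %s" % self.self_handle)`. The handler's `def` line is outside the hunk.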
@@ -344,415 +367,22 @@ class self_elt(data_elt):
"""
return self.sql_fetch_all(self.gctx)
- def cron(self, cb):
- """
- Periodic tasks.
- """
-
- def one():
- self.gctx.checkpoint()
- rpki.log.debug("Self %s[%d] polling parents" % (self.self_handle, self.self_id))
- self.client_poll(two)
-
- def two():
- self.gctx.checkpoint()
- rpki.log.debug("Self %s[%d] updating children" % (self.self_handle, self.self_id))
- self.update_children(three)
-
- def three():
- self.gctx.checkpoint()
- rpki.log.debug("Self %s[%d] updating ROAs" % (self.self_handle, self.self_id))
- self.update_roas(four)
-
- def four():
- self.gctx.checkpoint()
- rpki.log.debug("Self %s[%d] updating Ghostbuster records" % (self.self_handle, self.self_id))
- self.update_ghostbusters(five)
-
- def five():
- self.gctx.checkpoint()
- rpki.log.debug("Self %s[%d] regenerating CRLs and manifests" % (self.self_handle, self.self_id))
- self.regenerate_crls_and_manifests(six)
-
- def six():
- self.gctx.checkpoint()
- self.gctx.sql.sweep()
- self.gctx.sql.cache_clear_maybe()
- cb()
-
- one()
-
-
- def client_poll(self, callback):
- """
- Run the regular client poll cycle with each of this self's parents
- in turn.
- """
-
- rpki.log.trace()
-
- def parent_loop(parent_iterator, parent):
-
- def got_list(r_msg):
- ca_map = dict((ca.parent_resource_class, ca) for ca in parent.cas)
- self.gctx.checkpoint()
-
- def class_loop(class_iterator, rc):
-
- def class_update_failed(e):
- rpki.log.traceback()
- rpki.log.warn("Couldn't update class, skipping: %s" % e)
- class_iterator()
-
- def class_create_failed(e):
- rpki.log.traceback()
- rpki.log.warn("Couldn't create class, skipping: %s" % e)
- class_iterator()
-
- self.gctx.checkpoint()
- if rc.class_name in ca_map:
- ca = ca_map[rc.class_name]
- del ca_map[rc.class_name]
- ca.check_for_updates(parent, rc, class_iterator, class_update_failed)
- else:
- rpki.rpkid.ca_obj.create(parent, rc, class_iterator, class_create_failed)
-
- def class_done():
-
- def ca_loop(iterator, ca):
- self.gctx.checkpoint()
- ca.delete(parent, iterator)
-
- def ca_done():
- self.gctx.checkpoint()
- self.gctx.sql.sweep()
- parent_iterator()
-
- rpki.async.iterator(ca_map.values(), ca_loop, ca_done)
-
- rpki.async.iterator(r_msg.payload.classes, class_loop, class_done)
-
- def list_failed(e):
- rpki.log.traceback()
- rpki.log.warn("Couldn't get resource class list from parent %r, skipping: %s (%r)" % (parent, e, e))
- parent_iterator()
-
- rpki.up_down.list_pdu.query(parent, got_list, list_failed)
-
- rpki.async.iterator(self.parents, parent_loop, callback)
-
-
- def update_children(self, cb):
- """
- Check for updated IRDB data for all of this self's children and
- issue new certs as necessary. Must handle changes both in
- resources and in expiration date.
- """
-
- rpki.log.trace()
- now = rpki.sundial.now()
- rsn = now + rpki.sundial.timedelta(seconds = self.regen_margin)
- publisher = rpki.rpkid.publication_queue()
-
- def loop(iterator, child):
-
- def lose(e):
- rpki.log.traceback()
- rpki.log.warn("Couldn't update child %r, skipping: %s" % (child, e))
- iterator()
-
- def got_resources(irdb_resources):
- try:
- for child_cert in child_certs:
- ca_detail = child_cert.ca_detail
- ca = ca_detail.ca
- if ca_detail.state == "active":
- old_resources = child_cert.cert.get_3779resources()
- new_resources = irdb_resources.intersection(old_resources).intersection(ca_detail.latest_ca_cert.get_3779resources())
-
- if new_resources.empty():
- rpki.log.debug("Resources shrank to the null set, revoking and withdrawing child %s certificate SKI %s" % (child.child_handle, child_cert.cert.gSKI()))
- child_cert.revoke(publisher = publisher)
- ca_detail.generate_crl(publisher = publisher)
- ca_detail.generate_manifest(publisher = publisher)
-
- elif old_resources != new_resources or (old_resources.valid_until < rsn and irdb_resources.valid_until > now):
- rpki.log.debug("Need to reissue child %s certificate SKI %s" % (child.child_handle, child_cert.cert.gSKI()))
- child_cert.reissue(
- ca_detail = ca_detail,
- resources = new_resources,
- publisher = publisher)
-
- elif old_resources.valid_until < now:
- rpki.log.debug("Child %s certificate SKI %s has expired: cert.valid_until %s, irdb.valid_until %s"
- % (child.child_handle, child_cert.cert.gSKI(), old_resources.valid_until, irdb_resources.valid_until))
- child_cert.sql_delete()
- publisher.withdraw(cls = rpki.publication.certificate_elt, uri = child_cert.uri, obj = child_cert.cert, repository = ca.parent.repository)
- ca_detail.generate_manifest(publisher = publisher)
-
- except (SystemExit, rpki.async.ExitNow):
- raise
- except Exception, e:
- self.gctx.checkpoint()
- lose(e)
- else:
- self.gctx.checkpoint()
- self.gctx.sql.sweep()
- iterator()
-
- self.gctx.checkpoint()
- self.gctx.sql.sweep()
- child_certs = child.child_certs
- if child_certs:
- self.gctx.irdb_query_child_resources(child.self.self_handle, child.child_handle, got_resources, lose)
- else:
- iterator()
-
- def done():
- def lose(e):
- rpki.log.traceback()
- rpki.log.warn("Couldn't publish for %s, skipping: %s" % (self.self_handle, e))
- self.gctx.checkpoint()
- cb()
- self.gctx.checkpoint()
- self.gctx.sql.sweep()
- publisher.call_pubd(cb, lose)
-
- rpki.async.iterator(self.children, loop, done)
-
-
- def regenerate_crls_and_manifests(self, cb):
- """
- Generate new CRLs and manifests as necessary for all of this
- self's CAs. Extracting nextUpdate from a manifest is hard at the
- moment due to implementation silliness, so for now we generate a
- new manifest whenever we generate a new CRL
-
- This method also cleans up tombstones left behind by revoked
- ca_detail objects, since we're walking through the relevant
- portions of the database anyway.
+ def schedule_cron_tasks(self, completion):
"""
-
- rpki.log.trace()
- now = rpki.sundial.now()
- regen_margin = rpki.sundial.timedelta(seconds = self.regen_margin)
- publisher = rpki.rpkid.publication_queue()
-
- for parent in self.parents:
- for ca in parent.cas:
- try:
- for ca_detail in ca.revoked_ca_details:
- if now > ca_detail.latest_crl.getNextUpdate():
- ca_detail.delete(ca = ca, publisher = publisher)
- ca_detail = ca.active_ca_detail
- if ca_detail is not None and now + regen_margin > ca_detail.latest_crl.getNextUpdate():
- ca_detail.generate_crl(publisher = publisher)
- ca_detail.generate_manifest(publisher = publisher)
- except (SystemExit, rpki.async.ExitNow):
- raise
- except Exception, e:
- rpki.log.traceback()
- rpki.log.warn("Couldn't regenerate CRLs and manifests for CA %r, skipping: %s" % (ca, e))
-
- def lose(e):
- rpki.log.traceback()
- rpki.log.warn("Couldn't publish updated CRLs and manifests for self %r, skipping: %s" % (self.self_handle, e))
- self.gctx.checkpoint()
- cb()
-
- self.gctx.checkpoint()
- self.gctx.sql.sweep()
- publisher.call_pubd(cb, lose)
-
-
- def update_ghostbusters(self, cb):
+ Schedule periodic tasks.
"""
- Generate or update Ghostbuster records for this self.
- This is heavily based on .update_roas(), and probably both of them
- need refactoring.
- """
-
- parents = dict((p.parent_handle, p) for p in self.parents)
-
- def got_ghostbuster_requests(ghostbuster_requests):
+ if self.cron_tasks is None:
+ self.cron_tasks = (
+ rpki.rpkid_tasks.PollParentTask(self),
+ rpki.rpkid_tasks.UpdateChildrenTask(self),
+ rpki.rpkid_tasks.UpdateROAsTask(self),
+ rpki.rpkid_tasks.UpdateGhostbustersTask(self),
+ rpki.rpkid_tasks.RegenerateCRLsAndManifestsTask(self))
- try:
- self.gctx.checkpoint()
- if self.gctx.sql.dirty:
- rpki.log.warn("Unexpected dirty SQL cache, flushing")
- self.gctx.sql.sweep()
-
- ghostbusters = {}
- orphans = []
- for ghostbuster in self.ghostbusters:
- k = (ghostbuster.ca_detail_id, ghostbuster.vcard)
- if ghostbuster.ca_detail.state != "active" or k in ghostbusters:
- orphans.append(ghostbuster)
- else:
- ghostbusters[k] = ghostbuster
-
- publisher = rpki.rpkid.publication_queue()
- ca_details = set()
-
- seen = set()
- for ghostbuster_request in ghostbuster_requests:
- if ghostbuster_request.parent_handle not in parents:
- rpki.log.warn("Unknown parent_handle %r in Ghostbuster request, skipping" % ghostbuster_request.parent_handle)
- continue
- k = (ghostbuster_request.parent_handle, ghostbuster_request.vcard)
- if k in seen:
- rpki.log.warn("Skipping duplicate Ghostbuster request %r" % ghostbuster_request)
- continue
- seen.add(k)
- for ca in parents[ghostbuster_request.parent_handle].cas:
- ca_detail = ca.active_ca_detail
- if ca_detail is not None:
- ghostbuster = ghostbusters.pop((ca_detail.ca_detail_id, ghostbuster_request.vcard), None)
- if ghostbuster is None:
- ghostbuster = rpki.rpkid.ghostbuster_obj(self.gctx, self.self_id, ca_detail.ca_detail_id, ghostbuster_request.vcard)
- rpki.log.debug("Created new Ghostbuster request for %r" % ghostbuster_request.parent_handle)
- else:
- rpki.log.debug("Found existing Ghostbuster request for %r" % ghostbuster_request.parent_handle)
- ghostbuster.update(publisher = publisher, fast = True)
- ca_details.add(ca_detail)
-
- orphans.extend(ghostbusters.itervalues())
- for ghostbuster in orphans:
- ca_details.add(ghostbuster.ca_detail)
- ghostbuster.revoke(publisher = publisher, fast = True)
-
- for ca_detail in ca_details:
- ca_detail.generate_crl(publisher = publisher)
- ca_detail.generate_manifest(publisher = publisher)
-
- self.gctx.sql.sweep()
-
- def publication_failed(e):
- rpki.log.traceback()
- rpki.log.warn("Couldn't publish Ghostbuster updates for %s, skipping: %s" % (self.self_handle, e))
- self.gctx.checkpoint()
- cb()
-
- self.gctx.checkpoint()
- publisher.call_pubd(cb, publication_failed)
-
- except (SystemExit, rpki.async.ExitNow):
- raise
- except Exception, e:
- rpki.log.traceback()
- rpki.log.warn("Could not update Ghostbuster records for %s, skipping: %s" % (self.self_handle, e))
- cb()
-
- def ghostbuster_requests_failed(e):
- rpki.log.traceback()
- rpki.log.warn("Could not fetch Ghostbuster record requests for %s, skipping: %s" % (self.self_handle, e))
- cb()
-
- self.gctx.checkpoint()
- self.gctx.sql.sweep()
- self.gctx.irdb_query_ghostbuster_requests(self.self_handle, parents.iterkeys(),
- got_ghostbuster_requests, ghostbuster_requests_failed)
-
-
- def update_roas(self, cb):
- """
- Generate or update ROAs for this self.
- """
-
- def got_roa_requests(roa_requests):
-
- self.gctx.checkpoint()
-
- if self.gctx.sql.dirty:
- rpki.log.warn("Unexpected dirty SQL cache, flushing")
- self.gctx.sql.sweep()
-
- roas = {}
- orphans = []
- for roa in self.roas:
- k = (roa.asn, str(roa.ipv4), str(roa.ipv6))
- if k not in roas:
- roas[k] = roa
- elif (roa.roa is not None and roa.cert is not None and roa.ca_detail is not None and roa.ca_detail.state == "active" and
- (roas[k].roa is None or roas[k].cert is None or roas[k].ca_detail is None or roas[k].ca_detail.state != "active")):
- orphans.append(roas[k])
- roas[k] = roa
- else:
- orphans.append(roa)
-
- publisher = rpki.rpkid.publication_queue()
- ca_details = set()
- seen = set()
-
- def loop(iterator, roa_request):
- self.gctx.checkpoint()
- try:
- k = (roa_request.asn, str(roa_request.ipv4), str(roa_request.ipv6))
- if k in seen:
- rpki.log.warn("Skipping duplicate ROA request %r" % roa_request)
- else:
- seen.add(k)
- roa = roas.pop(k, None)
- if roa is None:
- roa = rpki.rpkid.roa_obj(self.gctx, self.self_id, roa_request.asn, roa_request.ipv4, roa_request.ipv6)
- rpki.log.debug("Couldn't find existing ROA, created %r" % roa)
- else:
- rpki.log.debug("Found existing %r" % roa)
- roa.update(publisher = publisher, fast = True)
- ca_details.add(roa.ca_detail)
- except (SystemExit, rpki.async.ExitNow):
- raise
- except Exception, e:
- if not isinstance(e, rpki.exceptions.NoCoveringCertForROA):
- rpki.log.traceback()
- rpki.log.warn("Could not update %r, skipping: %s" % (roa, e))
- if max_new_roas_at_once is not None and publisher.size > max_new_roas_at_once:
- self.gctx.sql.sweep()
- self.gctx.checkpoint()
- publisher.call_pubd(iterator, publication_failed)
- else:
- iterator()
-
- def publication_failed(e):
- rpki.log.traceback()
- rpki.log.warn("Couldn't publish for %s, skipping: %s" % (self.self_handle, e))
- self.gctx.checkpoint()
- cb()
-
- def done():
-
- orphans.extend(roas.itervalues())
- for roa in orphans:
- try:
- ca_details.add(roa.ca_detail)
- roa.revoke(publisher = publisher, fast = True)
- except (SystemExit, rpki.async.ExitNow):
- raise
- except Exception, e:
- rpki.log.traceback()
- rpki.log.warn("Could not revoke %r: %s" % (roa, e))
-
- self.gctx.sql.sweep()
-
- for ca_detail in ca_details:
- ca_detail.generate_crl(publisher = publisher)
- ca_detail.generate_manifest(publisher = publisher)
-
- self.gctx.sql.sweep()
- self.gctx.checkpoint()
- publisher.call_pubd(cb, publication_failed)
-
- rpki.async.iterator(roa_requests, loop, done)
-
- def roa_requests_failed(e):
- rpki.log.traceback()
- rpki.log.warn("Could not fetch ROA requests for %s, skipping: %s" % (self.self_handle, e))
- cb()
-
- self.gctx.checkpoint()
- self.gctx.sql.sweep()
- self.gctx.irdb_query_roa_requests(self.self_handle, got_roa_requests, roa_requests_failed)
+ for task in self.cron_tasks:
+ self.gctx.task_add(task)
+ completion.register(task)
class bsc_elt(data_elt):
@@ -765,12 +395,17 @@ class bsc_elt(data_elt):
elements = ("signing_cert", "signing_cert_crl", "pkcs10_request")
booleans = ("generate_keypair",)
- sql_template = rpki.sql.template("bsc", "bsc_id", "bsc_handle",
- "self_id", "hash_alg",
- ("private_key_id", rpki.x509.RSA),
- ("pkcs10_request", rpki.x509.PKCS10),
- ("signing_cert", rpki.x509.X509),
- ("signing_cert_crl", rpki.x509.CRL))
+ sql_template = rpki.sql.template(
+ "bsc",
+ "bsc_id",
+ "bsc_handle",
+ "self_id",
+ "hash_alg",
+ ("private_key_id", rpki.x509.RSA),
+ ("pkcs10_request", rpki.x509.PKCS10),
+ ("signing_cert", rpki.x509.X509),
+ ("signing_cert_crl", rpki.x509.CRL))
+
handles = (("self", self_elt),)
private_key_id = None
@@ -778,6 +413,9 @@ class bsc_elt(data_elt):
signing_cert = None
signing_cert_crl = None
+ def __repr__(self):
+ return rpki.log.log_repr(self, self.bsc_handle)
+
@property
def repositories(self):
"""
@@ -807,7 +445,7 @@ class bsc_elt(data_elt):
if q_pdu.generate_keypair:
assert q_pdu.key_type in (None, "rsa") and q_pdu.hash_alg in (None, "sha256")
self.private_key_id = rpki.x509.RSA.generate(keylength = q_pdu.key_length or 2048)
- self.pkcs10_request = rpki.x509.PKCS10.create(self.private_key_id)
+ self.pkcs10_request = rpki.x509.PKCS10.create(keypair = self.private_key_id)
r_pdu.pkcs10_request = self.pkcs10_request
data_elt.serve_pre_save_hook(self, q_pdu, r_pdu, cb, eb)
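Review bot: The request check two lines above the changed `PKCS10.create` call is an `assert`, so it disappears when rpkid runs under `python -O`, and `q_pdu.key_length or 2048` passes any requested length to `RSA.generate` with no lower bound visible in this hunk. Since this line is being touched anyway, I would turn the assert into an explicit check such as `if q_pdu.key_type not in (None, "rsa") or q_pdu.hash_alg not in (None, "sha256"): raise rpki.exceptions.BadQuery("Unsupported key_type or hash_alg")`, and reject a `key_length` below the 2048 default unless the left-right schema already constrains it. The enclosing method starts outside this hunk, so an earlier check may exist that I cannot see.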
@@ -821,18 +459,27 @@ class repository_elt(data_elt):
elements = ("bpki_cert", "bpki_glue")
booleans = ("clear_replay_protection",)
- sql_template = rpki.sql.template("repository", "repository_id", "repository_handle",
- "self_id", "bsc_id", "peer_contact_uri",
- ("bpki_cert", rpki.x509.X509),
- ("bpki_glue", rpki.x509.X509),
- ("last_cms_timestamp", rpki.sundial.datetime))
+ sql_template = rpki.sql.template(
+ "repository",
+ "repository_id",
+ "repository_handle",
+ "self_id",
+ "bsc_id",
+ "peer_contact_uri",
+ ("bpki_cert", rpki.x509.X509),
+ ("bpki_glue", rpki.x509.X509),
+ ("last_cms_timestamp", rpki.sundial.datetime))
- handles = (("self", self_elt), ("bsc", bsc_elt))
+ handles = (("self", self_elt),
+ ("bsc", bsc_elt))
bpki_cert = None
bpki_glue = None
last_cms_timestamp = None
+ def __repr__(self):
+ return rpki.log.log_repr(self, self.repository_handle)
+
@property
def parents(self):
"""
@@ -900,12 +547,14 @@ class repository_elt(data_elt):
def done(r_der):
try:
+ rpki.log.debug("Received response from pubd")
r_cms = rpki.publication.cms_msg(DER = r_der)
r_msg = r_cms.unwrap(bpki_ta_path)
r_cms.check_replay_sql(self)
for r_pdu in r_msg:
handler = handlers.get(r_pdu.tag, self.default_pubd_handler)
if handler:
+ rpki.log.debug("Calling pubd handler %r" % handler)
handler(r_pdu)
if len(q_msg) != len(r_msg):
raise rpki.exceptions.BadPublicationReply, "Wrong number of response PDUs from pubd: sent %r, got %r" % (q_msg, r_msg)
@@ -915,6 +564,7 @@ class repository_elt(data_elt):
except Exception, e:
errback(e)
+ rpki.log.debug("Sending request to pubd")
rpki.http.client(
url = self.peer_contact_uri,
msg = q_der,
@@ -937,21 +587,34 @@ class parent_elt(data_elt):
elements = ("bpki_cms_cert", "bpki_cms_glue")
booleans = ("rekey", "reissue", "revoke", "revoke_forgotten", "clear_replay_protection")
- sql_template = rpki.sql.template("parent", "parent_id", "parent_handle",
- "self_id", "bsc_id", "repository_id",
- "peer_contact_uri", "sia_base",
- "sender_name", "recipient_name",
- ("bpki_cms_cert", rpki.x509.X509),
- ("bpki_cms_glue", rpki.x509.X509),
- ("last_cms_timestamp", rpki.sundial.datetime))
-
- handles = (("self", self_elt), ("bsc", bsc_elt), ("repository", repository_elt))
+ sql_template = rpki.sql.template(
+ "parent",
+ "parent_id",
+ "parent_handle",
+ "self_id",
+ "bsc_id",
+ "repository_id",
+ "peer_contact_uri",
+ "sia_base",
+ "sender_name",
+ "recipient_name",
+ ("bpki_cms_cert", rpki.x509.X509),
+ ("bpki_cms_glue", rpki.x509.X509),
+ ("last_cms_timestamp", rpki.sundial.datetime))
+
+ handles = (("self", self_elt),
+ ("bsc", bsc_elt),
+ ("repository", repository_elt))
bpki_cms_cert = None
bpki_cms_glue = None
last_cms_timestamp = None
+ def __repr__(self):
+ return rpki.log.log_repr(self, self.parent_handle)
+
@property
+ @rpki.sql.cache_reference
def repository(self):
"""
Fetch repository object to which this parent object links.
@@ -1170,18 +833,26 @@ class child_elt(data_elt):
elements = ("bpki_cert", "bpki_glue")
booleans = ("reissue", "clear_replay_protection")
- sql_template = rpki.sql.template("child", "child_id", "child_handle",
- "self_id", "bsc_id",
- ("bpki_cert", rpki.x509.X509),
- ("bpki_glue", rpki.x509.X509),
- ("last_cms_timestamp", rpki.sundial.datetime))
+ sql_template = rpki.sql.template(
+ "child",
+ "child_id",
+ "child_handle",
+ "self_id",
+ "bsc_id",
+ ("bpki_cert", rpki.x509.X509),
+ ("bpki_glue", rpki.x509.X509),
+ ("last_cms_timestamp", rpki.sundial.datetime))
- handles = (("self", self_elt), ("bsc", bsc_elt))
+ handles = (("self", self_elt),
+ ("bsc", bsc_elt))
bpki_cert = None
bpki_glue = None
last_cms_timestamp = None
+ def __repr__(self):
+ return rpki.log.log_repr(self, self.child_handle)
+
def fetch_child_certs(self, ca_detail = None, ski = None, unique = False):
"""
Fetch all child_cert objects that link to this child object.
@@ -1243,7 +914,9 @@ class child_elt(data_elt):
raise rpki.exceptions.ClassNameUnknown, "Unknown class name %s" % class_name
parent = ca.parent
if self.self_id != parent.self_id:
- raise rpki.exceptions.ClassNameMismatch, "Class name mismatch: child.self_id = %d, parent.self_id = %d" % (self.self_id, parent.self_id)
+ raise rpki.exceptions.ClassNameMismatch(
+ "Class name mismatch: child.self_id = %d, parent.self_id = %d" % (
+ self.self_id, parent.self_id))
return ca
def serve_destroy_hook(self, cb, eb):
@@ -1276,6 +949,7 @@ class child_elt(data_elt):
q_msg.payload.gctx = self.gctx
if enforce_strict_up_down_xml_sender and q_msg.sender != str(self.child_id):
raise rpki.exceptions.BadSender, "Unexpected XML sender %s" % q_msg.sender
+ self.gctx.sql.sweep()
def done(r_msg):
#
@@ -1306,6 +980,9 @@ class list_resources_elt(rpki.xml_utils.base_elt, left_right_namespace):
attributes = ("self_handle", "tag", "child_handle", "valid_until", "asn", "ipv4", "ipv6")
valid_until = None
+ def __repr__(self):
+ return rpki.log.log_repr(self, self.self_handle, self.child_handle, self.asn, self.ipv4, self.ipv6)
+
def startElement(self, stack, name, attrs):
"""
Handle <list_resources/> element. This requires special handling
@@ -1353,7 +1030,7 @@ class list_roa_requests_elt(rpki.xml_utils.base_elt, left_right_namespace):
self.ipv6 = rpki.resource_set.roa_prefix_set_ipv6(self.ipv6)
def __repr__(self):
- return rpki.log.log_repr(self, self.asn, self.ipv4, self.ipv6)
+ return rpki.log.log_repr(self, self.self_handle, self.asn, self.ipv4, self.ipv6)
class list_ghostbuster_requests_elt(rpki.xml_utils.text_elt, left_right_namespace):
"""
@@ -1366,6 +1043,8 @@ class list_ghostbuster_requests_elt(rpki.xml_utils.text_elt, left_right_namespac
vcard = None
+ def __repr__(self):
+ return rpki.log.log_repr(self, self.self_handle, self.parent_handle)
class list_published_objects_elt(rpki.xml_utils.text_elt, left_right_namespace):
"""
@@ -1379,6 +1058,9 @@ class list_published_objects_elt(rpki.xml_utils.text_elt, left_right_namespace):
obj = None
child_handle = None
+ def __repr__(self):
+ return rpki.log.log_repr(self, self.self_handle, self.child_handle, self.uri)
+
def serve_dispatch(self, r_msg, cb, eb):
"""
Handle a <list_published_objects/> query. The method name is a
@@ -1417,6 +1099,9 @@ class list_received_resources_elt(rpki.xml_utils.base_elt, left_right_namespace)
attributes = ("self_handle", "tag", "parent_handle",
"notBefore", "notAfter", "uri", "sia_uri", "aia_uri", "asn", "ipv4", "ipv6")
+ def __repr__(self):
+ return rpki.log.log_repr(self, self.self_handle, self.parent_handle, self.uri, self.notAfter)
+
def serve_dispatch(self, r_msg, cb, eb):
"""
Handle a <list_received_resources/> query. The method name is a
@@ -1460,6 +1145,9 @@ class report_error_elt(rpki.xml_utils.text_elt, left_right_namespace):
error_text = None
+ def __repr__(self):
+ return rpki.log.log_repr(self, self.self_handle, self.error_code)
+
@classmethod
def from_exception(cls, e, self_handle = None, tag = None):
"""
@@ -1502,7 +1190,8 @@ class msg(rpki.xml_utils.msg, left_right_namespace):
def fail(e):
if not isinstance(e, rpki.exceptions.NotFound):
rpki.log.traceback()
- r_msg.append(report_error_elt.from_exception(e, self_handle = q_pdu.self_handle, tag = q_pdu.tag))
+ r_msg.append(report_error_elt.from_exception(
+ e, self_handle = q_pdu.self_handle, tag = q_pdu.tag))
cb(r_msg)
try:
diff --git a/rpkid/rpki/log.py b/rpkid/rpki/log.py
index bc20e395..2b48cb6d 100644
--- a/rpkid/rpki/log.py
+++ b/rpkid/rpki/log.py
@@ -3,7 +3,7 @@ Logging facilities for RPKI libraries.
$Id$
-Copyright (C) 2009--2011 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -32,9 +32,18 @@ OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
"""
-import syslog, sys, os, time
+import syslog
+import sys
+import os
+import time
import traceback as tb
+try:
+ import setproctitle
+ have_setproctitle = True
+except ImportError:
+ have_setproctitle = False
+
## @var enable_trace
# Whether call tracing is enabled.
@@ -54,7 +63,22 @@ show_python_ids = False
# Whether tracebacks are enabled globally. Individual classes and
# modules may choose to override this.
-enable_tracebacks = False
+enable_tracebacks = True
+
+## @var use_setproctitle
+# Whether to use setproctitle (if available) to change name shown for
+# this process in ps listings (etc).
+
+use_setproctitle = True
+
+## @var proctitle_extra
+
+# Extra text to include in proctitle display. By default this is the
+# tail of the current directory name, as this is often useful, but you
+# can set it to something else if you like. If None or the empty
+# string, the extra information field will be omitted from the proctitle.
+
+proctitle_extra = os.path.basename(os.getcwd())
tag = ""
pid = 0
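Review bot: `proctitle_extra = os.path.basename(os.getcwd())` runs at import time, and `os.getcwd()` raises OSError when the working directory has been removed, so `import rpki.log` itself would fail in that case. I would guard the call and fall back to None, which the comment above says makes the extra field be omitted. Two smaller things are worth documenting here: the directory name becomes visible to every local user through ps, and flipping `enable_tracebacks` to True means full tracebacks are logged by default, which operators may want to know about.

```python
# … unchanged: use_setproctitle and the proctitle_extra comment …
try:
  proctitle_extra = os.path.basename(os.getcwd())
except OSError:
  # Working directory no longer exists; omit the extra field.
  proctitle_extra = None
```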
@@ -70,6 +94,11 @@ def init(ident = "rpki", flags = syslog.LOG_PID, facility = syslog.LOG_DAEMON):
global tag, pid
tag = ident
pid = os.getpid()
+ if ident and have_setproctitle and use_setproctitle:
+ if proctitle_extra:
+ setproctitle.setproctitle("%s (%s)" % (ident, proctitle_extra))
+ else:
+ setproctitle.setproctitle(ident)
def set_trace(enable):
"""
@@ -115,13 +144,20 @@ def traceback(do_it = None):
classes have their own controls for this, this lets us provide a
unified interface). If no argument is specified, we use the global
default value rpki.log.enable_tracebacks.
+
+ Assertion failures generate backtraces unconditionally, on the
+ theory that (a) assertion failures are programming errors by
+ definition, and (b) it's often hard to figure out what's triggering
+ a particular assertion failure without the backtrace.
"""
if do_it is None:
do_it = enable_tracebacks
- if do_it:
- assert sys.exc_info() != (None, None, None), "rpki.log.traceback() called without valid trace on stack, this is a programming error"
+ e = sys.exc_info()[1]
+ assert e is not None, "rpki.log.traceback() called without valid trace on stack! This should not happen."
+
+ if do_it or isinstance(e, AssertionError):
bt = tb.extract_stack(limit = 3)
error("Exception caught in %s() at %s:%d called from %s:%d" % (bt[1][2], bt[1][0], bt[1][1], bt[0][0], bt[0][1]))
bt = tb.format_exc()
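Review bot: The `assert e is not None` now runs before the `do_it` test, so a call to `traceback()` with no exception being handled raises AssertionError out of the logging helper even when tracebacks are disabled; previously the assert was only reached when `do_it` was true. Several callers in this codebase invoke `rpki.log.traceback()` from errback functions rather than directly inside an `except` block, so this may be reachable. Logging and returning would be safer than asserting: `if e is None:` / `error("rpki.log.traceback() called without valid trace on stack")` / `return`. The function body continues past the end of this hunk.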
@@ -135,12 +171,21 @@ def log_repr(obj, *tokens):
IDs as needed, includes self_handle when available.
"""
+ # pylint: disable=W0702
words = ["%s.%s" % (obj.__class__.__module__, obj.__class__.__name__)]
try:
words.append("{%s}" % obj.self.self_handle)
except:
pass
- words.extend(str(token) for token in tokens if token is not None and token != "")
+ for token in tokens:
+ if token is not None and token != "":
+ try:
+ assert token is not None
+ words.append(str(token))
+ except:
+ debug("Failed to generate repr() string for object of type %r" % type(token))
+ traceback()
+ words.append("???")
if show_python_ids:
words.append(" at %#x" % id(obj))
return "<" + " ".join(words) + ">"
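Review bot: The new `try`/`except:` around `str(token)` is a bare except, so it also swallows SystemExit and KeyboardInterrupt raised while formatting a token, whereas other handlers in this tree re-raise SystemExit explicitly; `except Exception:` would keep the best-effort behaviour without that. The `assert token is not None` inside the `try` is redundant, since the enclosing `if` has already tested it. It is also worth a comment that the tokens (handles, URIs) are written into the log line as-is, so any value that originates from a peer should be treated as unescaped text by whatever parses these logs.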
diff --git a/rpkid/rpki/manifest.py b/rpkid/rpki/manifest.py
deleted file mode 100644
index f832ca20..00000000
--- a/rpkid/rpki/manifest.py
+++ /dev/null
@@ -1,54 +0,0 @@
-"""
-Signed manifests. This is just the ASN.1 encoder, the rest is in
-rpki.x509 with the rest of the DER_object code.
-
-Note that rpki.x509.SignedManifest implements the signed manifest;
-the structures here are just the payload of the CMS eContent field.
-
-$Id$
-
-Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
-REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
-INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-PERFORMANCE OF THIS SOFTWARE.
-"""
-
-from rpki.POW._der import *
-
-class FileAndHash(Sequence):
- def __init__(self, optional=0, default=''):
- self.file = IA5String()
- self.hash = AltBitString()
- contents = [ self.file, self.hash ]
- Sequence.__init__(self, contents, optional, default)
-
-class FilesAndHashes(SequenceOf):
- def __init__(self, optional=0, default=''):
- SequenceOf.__init__(self, FileAndHash, optional, default)
-
-class Manifest(Sequence):
- def __init__(self, optional=0, default=''):
- self.version = Integer()
- self.explicitVersion = Explicit(CLASS_CONTEXT, FORM_CONSTRUCTED, 0, self.version, 0, 'oAMCAQA=')
- self.manifestNumber = Integer()
- self.thisUpdate = GeneralizedTime()
- self.nextUpdate = GeneralizedTime()
- self.fileHashAlg = Oid()
- self.fileList = FilesAndHashes()
-
- contents = [ self.explicitVersion,
- self.manifestNumber,
- self.thisUpdate,
- self.nextUpdate,
- self.fileHashAlg,
- self.fileList ]
- Sequence.__init__(self, contents, optional, default)
diff --git a/rpkid/rpki/mysql_import.py b/rpkid/rpki/mysql_import.py
index ac2b580d..e7b54dde 100644
--- a/rpkid/rpki/mysql_import.py
+++ b/rpkid/rpki/mysql_import.py
@@ -16,7 +16,7 @@ object from this module. Looks kind of strange, but seems to work.
$Id$
-Copyright (C) 2011 Internet Systems Consortium ("ISC")
+Copyright (C) 2011-2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -45,6 +45,8 @@ OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
"""
+# pylint: disable=W0611
+
from __future__ import with_statement
import warnings
@@ -59,3 +61,5 @@ else:
import _mysql_exceptions
warnings.simplefilter("error", _mysql_exceptions.Warning)
+
+import MySQLdb.converters
diff --git a/rpkid/rpki/oids.py b/rpkid/rpki/oids.py
index 2b8302aa..dc596f0b 100644
--- a/rpkid/rpki/oids.py
+++ b/rpkid/rpki/oids.py
@@ -3,7 +3,7 @@ OID database.
$Id$
-Copyright (C) 2009--2011 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -92,8 +92,7 @@ def safe_name2oid(name):
fields = name.split(".")
if all(field.isdigit() for field in fields):
return tuple(int(field) for field in fields)
- else:
- raise
+ raise
def safe_oid2name(oid):
"""
@@ -104,4 +103,39 @@ def safe_oid2name(oid):
try:
return oid2name[oid]
except KeyError:
- return ".".join(str(field) for field in oid)
+ return oid2dotted(oid)
+
+def oid2dotted(oid):
+ """
+ Convert OID to numeric (dotted decimal) format.
+ """
+
+ return ".".join(str(field) for field in oid)
+
+def dotted2oid(dotted):
+ """
+ Convert dotted decimal format to OID tuple.
+ """
+
+ fields = dotted.split(".")
+ if all(field.isdigit() for field in fields):
+ return tuple(int(field) for field in fields)
+ raise ValueError("%r is not a dotted decimal OID" % dotted)
+
+def safe_name2dotted(name):
+ """
+ Convert name to dotted decimal format.
+ """
+
+ return oid2dotted(safe_name2oid(name))
+
+def safe_dotted2name(dotted):
+ """
+ Convert dotted decimal to name if we know one,
+ otherwise just return dotted.
+ """
+
+ try:
+ return oid2name[dotted2oid(dotted)]
+ except KeyError:
+ return dotted
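Review bot: `safe_dotted2name` catches only KeyError, but `dotted2oid` raises ValueError for anything that is not dotted decimal, so the "safe" wrapper propagates an exception where its docstring promises to "just return dotted". If that is intended, the docstring should say that malformed input raises ValueError; otherwise `except (KeyError, ValueError):` matches the documented contract. Callers that pass OID strings taken from parsed objects would otherwise need their own handler.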
diff --git a/rpkid/rpki/old_irdbd.py b/rpkid/rpki/old_irdbd.py
index c63ce9e2..6cc6cb14 100644
--- a/rpkid/rpki/old_irdbd.py
+++ b/rpkid/rpki/old_irdbd.py
@@ -37,9 +37,19 @@ OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
"""
-import sys, os, time, getopt, urlparse, warnings
-import rpki.http, rpki.config, rpki.resource_set, rpki.relaxng
-import rpki.exceptions, rpki.left_right, rpki.log, rpki.x509
+import sys
+import os
+import time
+import getopt
+import urlparse
+import rpki.http
+import rpki.config
+import rpki.resource_set
+import rpki.relaxng
+import rpki.exceptions
+import rpki.left_right
+import rpki.log
+import rpki.x509
from rpki.mysql_import import MySQLdb
diff --git a/rpkid/rpki/pubd.py b/rpkid/rpki/pubd.py
index 7a00c172..a6d8f83f 100644
--- a/rpkid/rpki/pubd.py
+++ b/rpkid/rpki/pubd.py
@@ -160,7 +160,6 @@ class main(object):
rpki.log.trace()
try:
- self.sql.ping()
self.handler_common(query, None, done, (self.bpki_ta, self.irbe_cert))
except (rpki.async.ExitNow, SystemExit):
raise
@@ -180,7 +179,6 @@ class main(object):
rpki.log.trace()
try:
- self.sql.ping()
match = self.client_url_regexp.search(path)
if match is None:
raise rpki.exceptions.BadContactURL, "Bad path: %s" % path
diff --git a/rpkid/rpki/publication.py b/rpkid/rpki/publication.py
index 07905601..975d5fc9 100644
--- a/rpkid/rpki/publication.py
+++ b/rpkid/rpki/publication.py
@@ -3,7 +3,7 @@ RPKI "publication" protocol.
$Id$
-Copyright (C) 2009--2011 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -32,9 +32,18 @@ OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
"""
-import os, errno
-import rpki.resource_set, rpki.x509, rpki.sql, rpki.exceptions, rpki.xml_utils
-import rpki.http, rpki.up_down, rpki.relaxng, rpki.sundial, rpki.log, rpki.roa
+import os
+import errno
+import rpki.resource_set
+import rpki.x509
+import rpki.sql
+import rpki.exceptions
+import rpki.xml_utils
+import rpki.http
+import rpki.up_down
+import rpki.relaxng
+import rpki.sundial
+import rpki.log
class publication_namespace(object):
"""
@@ -73,7 +82,10 @@ class config_elt(control_elt):
element_name = "config"
elements = ("bpki_crl",)
- sql_template = rpki.sql.template("config", "config_id", ("bpki_crl", rpki.x509.CRL))
+ sql_template = rpki.sql.template(
+ "config",
+ "config_id",
+ ("bpki_crl", rpki.x509.CRL))
wired_in_config_id = 1
@@ -120,10 +132,14 @@ class client_elt(control_elt):
elements = ("bpki_cert", "bpki_glue")
booleans = ("clear_replay_protection",)
- sql_template = rpki.sql.template("client", "client_id", "client_handle", "base_uri",
- ("bpki_cert", rpki.x509.X509),
- ("bpki_glue", rpki.x509.X509),
- ("last_cms_timestamp", rpki.sundial.datetime))
+ sql_template = rpki.sql.template(
+ "client",
+ "client_id",
+ "client_handle",
+ "base_uri",
+ ("bpki_cert", rpki.x509.X509),
+ ("bpki_glue", rpki.x509.X509),
+ ("last_cms_timestamp", rpki.sundial.datetime))
base_uri = None
bpki_cert = None
@@ -189,7 +205,7 @@ class publication_object_elt(rpki.xml_utils.base_elt, publication_namespace):
"""
assert name == self.element_name, "Unexpected name %s, stack %s" % (name, stack)
if text:
- self.payload = self.payload_type(Base64 = text)
+ self.payload = self.payload_type(Base64 = text) # pylint: disable=E1102
stack.pop()
def toXML(self):
@@ -205,6 +221,7 @@ class publication_object_elt(rpki.xml_utils.base_elt, publication_namespace):
"""
Action dispatch handler.
"""
+ # pylint: disable=E0203
try:
if self.client is None:
raise rpki.exceptions.BadQuery, "Client query received on control channel"
diff --git a/rpkid/rpki/rcynic.py b/rpkid/rpki/rcynic.py
index b05586ff..d6c00710 100644
--- a/rpkid/rpki/rcynic.py
+++ b/rpkid/rpki/rcynic.py
@@ -1,9 +1,7 @@
"""
Prototype of an iterator class to parse the output of an rcynic run.
-This script will almost certainly move to the library package once
-it's stable.
-Copyright (C) 2010-2011 Internet Systems Consortium ("ISC")
+Copyright (C) 2010-2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -18,9 +16,12 @@ OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
"""
-__revision__ = '$Id$'
+__version__ = '$Id$'
-import sys, os, rpki.x509, rpki.exceptions
+import os
+import rpki.x509
+import rpki.exceptions
+import rpki.resource_set
from xml.etree.ElementTree import ElementTree
class UnknownObject(rpki.exceptions.RPKI_Exception):
@@ -100,25 +101,18 @@ class rcynic_roa(rcynic_object):
obj_class = rpki.x509.ROA
- _afi_map = dict((cls.resource_set_type.afi, cls)
- for cls in (rpki.resource_set.roa_prefix_set_ipv4,
- rpki.resource_set.roa_prefix_set_ipv6))
-
def __init__(self, filename, **kwargs):
rcynic_object.__init__(self, filename, **kwargs)
self.obj.extract()
- self.asID = self.obj.get_content().asID.get()
+ self.asID = self.obj.get_POW().getASID()
self.prefix_sets = []
- for fam in self.obj.get_content().ipAddrBlocks:
- prefix_set = self._afi_map[fam.addressFamily.get()]()
- addr_type = prefix_set.resource_set_type.range_type.datum_type
- self.prefix_sets.append(prefix_set)
- for addr in fam.addresses:
- prefix = addr.address.get()
- prefixlen = len(prefix)
- prefix = addr_type(rpki.resource_set._bs2long(prefix, addr_type.bits, 0))
- maxprefixlen = addr.maxLength.get()
- prefix_set.append(prefix_set.prefix_type(prefix, prefixlen, maxprefixlen))
+ v4, v6 = self.obj.get_POW().getPrefixes()
+ if v4:
+ self.prefix_sets.append(rpki.resource_set.roa_prefix_set_ipv4([
+ rpki.resource_set.roa_prefix_ipv4(long(p[0]), p[1], p[2]) for p in v4]))
+ if v6:
+ self.prefix_sets.append(rpki.resource_set.roa_prefix_set_ipv6([
+ rpki.resource_set.roa_prefix_ipv6(long(p[0]), p[1], p[2]) for p in v6]))
self.ee = rpki.x509.X509(POW = self.obj.get_POW().certs()[0])
self.notBefore = self.ee.getNotBefore()
self.notAfter = self.ee.getNotAfter()
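Review bot: The comprehensions index the tuples from `getPrefixes()` as `p[0], p[1], p[2]`, which hides what each field is; unpacking by name, e.g. `for prefix, prefixlen, maxprefixlen in v4`, would make the layout reviewable (the names are taken from the removed code, and I am assuming the tuple order matches). `self.obj.get_POW()` is also called three times in this constructor and could be bound to a local once. `certs()[0]` on the context line assumes at least one embedded certificate; a comment saying where that is guaranteed would help.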
@@ -180,7 +174,7 @@ class rcynic_file_iterator(object):
self.rcynic_dir = os.path.join(rcynic_root, authenticated_subdir)
def __iter__(self):
- for root, dirs, files in os.walk(self.rcynic_dir):
+ for root, dirs, files in os.walk(self.rcynic_dir): # pylint: disable=W0612
for filename in files:
filename = os.path.join(root, filename)
ext = os.path.splitext(filename)[1]
@@ -188,26 +182,26 @@ class rcynic_file_iterator(object):
yield file_name_classes[ext](filename)
class validation_status_element(object):
- def __init__(self, *args, **kwargs):
- self.attrs = []
- for k,v in kwargs.iteritems():
- setattr(self, k, v)
- # attribute names are saved so that the __repr__ method can
- # display the subset of attributes the user specified
- self.attrs.append(k)
- self._obj = None
-
- def get_obj(self):
- if not self._obj:
- self._obj = self.file_class(filename=self.filename, uri=self.uri)
- return self._obj
-
- def __repr__(self):
- v = [self.__class__.__name__, 'id=%s' % str(id(self))]
- v.extend(['%s=%s' % (x, getattr(self, x)) for x in self.attrs])
- return '<%s>' % (' '.join(v),)
-
- obj = property(get_obj)
+ def __init__(self, *args, **kwargs):
+ self.attrs = []
+ for k, v in kwargs.iteritems():
+ setattr(self, k, v)
+ # attribute names are saved so that the __repr__ method can
+ # display the subset of attributes the user specified
+ self.attrs.append(k)
+ self._obj = None
+
+ def get_obj(self):
+ if not self._obj:
+ self._obj = self.file_class(filename=self.filename, uri=self.uri)
+ return self._obj
+
+ def __repr__(self):
+ v = [self.__class__.__name__, 'id=%s' % str(id(self))]
+ v.extend(['%s=%s' % (x, getattr(self, x)) for x in self.attrs])
+ return '<%s>' % (' '.join(v),)
+
+ obj = property(get_obj)
class rcynic_xml_iterator(object):
"""
@@ -256,25 +250,26 @@ class rcynic_xml_iterator(object):
# determine the path to this object
if status == 'object_accepted':
- d = self.authenticated_subdir
+ d = self.authenticated_subdir
elif generation == 'backup':
- d = self.authenticated_old_subdir
+ d = self.authenticated_old_subdir
else:
- d = self.unauthenticated_subdir
+ d = self.unauthenticated_subdir
filename = os.path.join(d, self.uri_to_filename(uri))
ext = os.path.splitext(filename)[1]
if ext in file_name_classes:
- yield validation_status_element(timestamp=timestamp, generation=generation, uri=uri,
- status=status, filename=filename, file_class=file_name_classes[ext])
+ yield validation_status_element(timestamp = timestamp, generation = generation,
+ uri=uri, status = status, filename = filename,
+ file_class = file_name_classes[ext])
def label_iterator(xml_file):
- """
- Returns an iterator which contains all defined labels from an rcynic XML
- output file. Each item is a tuple of the form
- (label, kind, description).
- """
+ """
+ Returns an iterator which contains all defined labels from an rcynic XML
+ output file. Each item is a tuple of the form
+ (label, kind, description).
+ """
- for label in ElementTree(file=xml_file).find("labels"):
- yield label.tag, label.get("kind"), label.text.strip()
+ for label in ElementTree(file=xml_file).find("labels"):
+ yield label.tag, label.get("kind"), label.text.strip()
diff --git a/rpkid/rpki/relaxng.py b/rpkid/rpki/relaxng.py
index c3f239d4..962858c7 100644
--- a/rpkid/rpki/relaxng.py
+++ b/rpkid/rpki/relaxng.py
@@ -4,7 +4,7 @@ import lxml.etree
## @var left_right
## Parsed RelaxNG left_right schema
-left_right = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" encoding="UTF-8"?>
+left_right = lxml.etree.RelaxNG(lxml.etree.fromstring(r'''<?xml version="1.0" encoding="UTF-8"?>
<!--
$Id: left-right-schema.rnc 4588 2012-07-06 19:43:56Z sra $
@@ -1037,7 +1037,7 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" enc
## @var up_down
## Parsed RelaxNG up_down schema
-up_down = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" encoding="UTF-8"?>
+up_down = lxml.etree.RelaxNG(lxml.etree.fromstring(r'''<?xml version="1.0" encoding="UTF-8"?>
<!--
$Id: up-down-schema.rnc 3913 2011-07-01 17:04:18Z sra $
@@ -1289,7 +1289,7 @@ up_down = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" encodi
## @var publication
## Parsed RelaxNG publication schema
-publication = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" encoding="UTF-8"?>
+publication = lxml.etree.RelaxNG(lxml.etree.fromstring(r'''<?xml version="1.0" encoding="UTF-8"?>
<!--
$Id: publication-schema.rnc 4588 2012-07-06 19:43:56Z sra $
@@ -1879,7 +1879,7 @@ publication = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" en
## @var myrpki
## Parsed RelaxNG myrpki schema
-myrpki = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" encoding="UTF-8"?>
+myrpki = lxml.etree.RelaxNG(lxml.etree.fromstring(r'''<?xml version="1.0" encoding="UTF-8"?>
<!--
$Id: myrpki.rnc 4430 2012-04-17 16:00:14Z sra $
diff --git a/rpkid/rpki/resource_set.py b/rpkid/rpki/resource_set.py
index 0bc31ef2..f0d096d5 100644
--- a/rpkid/rpki/resource_set.py
+++ b/rpkid/rpki/resource_set.py
@@ -10,7 +10,7 @@ We also provide some basic set operations (union, intersection, etc).
$Id$
-Copyright (C) 2009--2010 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -39,8 +39,11 @@ OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
"""
-import re, math
-import rpki.ipaddrs, rpki.oids, rpki.exceptions
+import re
+import math
+import rpki.oids
+import rpki.exceptions
+import rpki.POW
## @var inherit_token
# Token used to indicate inheritance in read and print syntax.
@@ -61,20 +64,16 @@ class resource_range(object):
directly.
"""
- def __init__(self, min, max):
- """
- Initialize and sanity check a resource_range.
- """
- assert min.__class__ is max.__class__, "Type mismatch, %r doesn't match %r" % (min.__class__, max.__class__)
- assert min <= max, "Mis-ordered range: %s before %s" % (min, max)
- self.min = min
- self.max = max
+ def __init__(self, range_min, range_max):
+ assert range_min.__class__ is range_max.__class__, \
+ "Type mismatch, %r doesn't match %r" % (range_min.__class__, range_max.__class__)
+ assert range_min <= range_max, "Mis-ordered range: %s before %s" % (range_min, range_max)
+ self.min = range_min
+ self.max = range_max
def __cmp__(self, other):
- """
- Compare two resource_range objects.
- """
- assert self.__class__ is other.__class__, "Type mismatch, comparing %r with %r" % (self.__class__, other.__class__)
+ assert self.__class__ is other.__class__, \
+ "Type mismatch, comparing %r with %r" % (self.__class__, other.__class__)
return cmp(self.min, other.min) or cmp(self.max, other.max)
class resource_range_as(resource_range):
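Review bot: `resource_range.__init__` still enforces its invariants with `assert`, so running under `python -O` drops both the type-match check and the `range_min <= range_max` check, and a mis-ordered range is stored silently. Because these objects describe RFC 3779 resources, an explicit test is safer, for example `if range_min > range_max: raise ValueError("Mis-ordered range: %s before %s" % (range_min, range_max))`. The same assert-only validation appears in later hunks: the prefix-length and canonical-form checks of the prefix constructor that `parse_str` calls, and the type checks in `_rsplit`. The hunk also removes both docstrings; a one-line docstring stating that the two bounds must be of the same type and in order would be worth keeping.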
@@ -90,6 +89,11 @@ class resource_range_as(resource_range):
datum_type = long
+ def __init__(self, range_min, range_max):
+ resource_range.__init__(self,
+ long(range_min) if isinstance(range_min, int) else range_min,
+ long(range_max) if isinstance(range_max, int) else range_max)
+
def __str__(self):
"""
Convert a resource_range_as to string format.
@@ -99,15 +103,6 @@ class resource_range_as(resource_range):
else:
return str(self.min) + "-" + str(self.max)
- def to_rfc3779_tuple(self):
- """
- Convert a resource_range_as to tuple format for RFC 3779 ASN.1 encoding.
- """
- if self.min == self.max:
- return ("id", self.min)
- else:
- return ("range", (self.min, self.max))
-
@classmethod
def parse_str(cls, x):
"""
@@ -139,6 +134,11 @@ class resource_range_ip(resource_range):
directly.
"""
+ ## @var datum_type
+ # Type of underlying data (min and max).
+
+ datum_type = rpki.POW.IPAddress
+
def prefixlen(self):
"""
Determine whether a resource_range_ip can be expressed as a
@@ -148,7 +148,7 @@ class resource_range_ip(resource_range):
mask = self.min ^ self.max
if self.min & mask != 0:
raise rpki.exceptions.MustBePrefix
- prefixlen = self.datum_type.bits
+ prefixlen = self.min.bits
while mask & 1:
prefixlen -= 1
mask >>= 1
@@ -156,9 +156,6 @@ class resource_range_ip(resource_range):
raise rpki.exceptions.MustBePrefix
return prefixlen
- # Backwards compatability, will go away at some point
- _prefixlen = prefixlen
-
def __str__(self):
"""
Convert a resource_range_ip to string format.
@@ -168,18 +165,6 @@ class resource_range_ip(resource_range):
except rpki.exceptions.MustBePrefix:
return str(self.min) + "-" + str(self.max)
- def to_rfc3779_tuple(self):
- """
- Convert a resource_range_ip to tuple format for RFC 3779 ASN.1
- encoding.
- """
- try:
- return ("addressPrefix", _long2bs(self.min, self.datum_type.bits,
- prefixlen = self.prefixlen()))
- except rpki.exceptions.MustBePrefix:
- return ("addressRange", (_long2bs(self.min, self.datum_type.bits, strip = 0),
- _long2bs(self.max, self.datum_type.bits, strip = 1)))
-
@classmethod
def parse_str(cls, x):
"""
@@ -187,10 +172,10 @@ class resource_range_ip(resource_range):
"""
r = re_address_range.match(x)
if r:
- return cls(cls.datum_type(r.group(1)), cls.datum_type(r.group(2)))
+ return cls(rpki.POW.IPAddress(r.group(1)), rpki.POW.IPAddress(r.group(2)))
r = re_prefix.match(x)
if r:
- return cls.make_prefix(cls.datum_type(r.group(1)), int(r.group(2)))
+ return cls.make_prefix(rpki.POW.IPAddress(r.group(1)), int(r.group(2)))
raise rpki.exceptions.BadIPResource, 'Bad IP resource "%s"' % (x)
@classmethod
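Review bot: `parse_str` no longer ties the parsed address to the class's address family. `cls.datum_type(...)` was the v4- or v6-specific type, whereas `rpki.POW.IPAddress(...)` is the same constructor `from_strings` calls before checking `a.version`, so it presumably accepts either family. If so, `resource_range_ipv4.parse_str()` given IPv6 text would return an IPv4 range object holding IPv6 addresses; the regexes that gate the input are outside this hunk. A check after parsing against the `version` attribute this commit adds to the v4/v6 subclasses, raising `rpki.exceptions.BadIPResource` on mismatch, would keep the old strictness. The same substitution is made in the prefix constructor, in `roa_prefix.parse_str` and in the two `roa_prefix_set` classmethods in later hunks.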
@@ -198,11 +183,11 @@ class resource_range_ip(resource_range):
"""
Construct a resource range corresponding to a prefix.
"""
- assert isinstance(prefix, cls.datum_type) and isinstance(prefixlen, (int, long))
- assert prefixlen >= 0 and prefixlen <= cls.datum_type.bits, "Nonsensical prefix length: %s" % prefixlen
- mask = (1 << (cls.datum_type.bits - prefixlen)) - 1
+ assert isinstance(prefix, rpki.POW.IPAddress) and isinstance(prefixlen, (int, long))
+ assert prefixlen >= 0 and prefixlen <= prefix.bits, "Nonsensical prefix length: %s" % prefixlen
+ mask = (1 << (prefix.bits - prefixlen)) - 1
assert (prefix & mask) == 0, "Resource not in canonical form: %s/%s" % (prefix, prefixlen)
- return cls(cls.datum_type(prefix), cls.datum_type(prefix | mask))
+ return cls(prefix, rpki.POW.IPAddress(prefix | mask))
def chop_into_prefixes(self, result):
"""
@@ -213,19 +198,19 @@ class resource_range_ip(resource_range):
self.prefixlen()
result.append(self)
except rpki.exceptions.MustBePrefix:
- min = self.min
- max = self.max
- while max >= min:
- bits = int(math.log(max - min + 1, 2))
+ range_min = self.min
+ range_max = self.max
+ while range_max >= range_min:
+ bits = int(math.log(long(range_max - range_min + 1), 2))
while True:
mask = ~(~0 << bits)
- assert min + mask <= max
- if min & mask == 0:
+ assert range_min + mask <= range_max
+ if range_min & mask == 0:
break
assert bits > 0
bits -= 1
- result.append(self.make_prefix(min, self.datum_type.bits - bits))
- min = self.datum_type(min + mask + 1)
+ result.append(self.make_prefix(range_min, range_min.bits - bits))
+ range_min = range_min + mask + 1
@classmethod
def from_strings(cls, a, b = None):
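Review bot: `int(math.log(long(range_max - range_min + 1), 2))` in `chop_into_prefixes` goes through a float, which cannot represent every span exactly once it exceeds 53 bits, as IPv6 ranges can. If the value rounds up, `bits` is one too large and the only guard is `assert range_min + mask <= range_max`, which raises instead of backing off and disappears under `-O`, where the loop could emit a prefix reaching past `range_max`. An integer computation avoids the rounding: `bits = long(range_max - range_min + 1).bit_length() - 1` (needs Python 2.7 or later). The method's `def` line is outside this hunk.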
@@ -234,54 +219,55 @@ class resource_range_ip(resource_range):
"""
if b is None:
b = a
- a = rpki.ipaddrs.parse(a)
- b = rpki.ipaddrs.parse(b)
- if a.__class__ is not b.__class__:
+ a = rpki.POW.IPAddress(a)
+ b = rpki.POW.IPAddress(b)
+ if a.version != b.version:
raise TypeError
if cls is resource_range_ip:
- if isinstance(a, rpki.ipaddrs.v4addr):
+ if a.version == 4:
return resource_range_ipv4(a, b)
- if isinstance(a, rpki.ipaddrs.v6addr):
+ if a.version == 6:
return resource_range_ipv6(a, b)
- elif isinstance(a, cls.datum_type):
+ elif a.version == cls.version:
return cls(a, b)
- raise TypeError
+ else:
+ raise TypeError
class resource_range_ipv4(resource_range_ip):
"""
Range of IPv4 addresses.
"""
- ## @var datum_type
- # Type of underlying data (min and max).
-
- datum_type = rpki.ipaddrs.v4addr
+ version = 4
class resource_range_ipv6(resource_range_ip):
"""
Range of IPv6 addresses.
"""
- ## @var datum_type
- # Type of underlying data (min and max).
-
- datum_type = rpki.ipaddrs.v6addr
+ version = 6
def _rsplit(rset, that):
"""
Utility function to split a resource range into two resource ranges.
"""
+
this = rset.pop(0)
- cell_type = type(this.min)
- assert type(this) is type(that) and type(this.max) is cell_type and \
- type(that.min) is cell_type and type(that.max) is cell_type
+
+ assert type(this) is type(that), "type(this) [%r] is not type(that) [%r]" % (type(this), type(that))
+
+ assert type(this.min) is type(that.min), "type(this.min) [%r] is not type(that.min) [%r]" % (type(this.min), type(that.min))
+ assert type(this.min) is type(this.max), "type(this.min) [%r] is not type(this.max) [%r]" % (type(this.min), type(this.max))
+ assert type(that.min) is type(that.max), "type(that.min) [%r] is not type(that.max) [%r]" % (type(that.min), type(that.max))
+
if this.min < that.min:
- rset.insert(0, type(this)(this.min, cell_type(that.min - 1)))
+ rset.insert(0, type(this)(this.min, type(that.min)(that.min - 1)))
rset.insert(1, type(this)(that.min, this.max))
+
else:
assert this.max > that.max
rset.insert(0, type(this)(this.min, that.max))
- rset.insert(1, type(this)(cell_type(that.max + 1), this.max))
+ rset.insert(1, type(this)(type(that.max)(that.max + 1), this.max))
class resource_set(list):
"""
@@ -312,8 +298,6 @@ class resource_set(list):
self.inherit = True
elif isinstance(ini, str) and len(ini):
self.extend(self.parse_str(s) for s in ini.split(","))
- elif isinstance(ini, tuple):
- self.parse_rfc3779_tuple(ini)
elif isinstance(ini, list):
self.extend(ini)
elif ini is not None and ini != "":
@@ -418,16 +402,14 @@ class resource_set(list):
this = set1.pop(0)
that = set2.pop(0)
assert type(this) is type(that)
- if this.min < that.min: min = this.min
- else: min = that.min
- if this.max > that.max: max = this.max
- else: max = that.max
- result.append(type(this)(min, max))
- while set1 and set1[0].max <= max:
- assert set1[0].min >= min
+ range_min = min(this.min, that.min)
+ range_max = max(this.max, that.max)
+ result.append(type(this)(range_min, range_max))
+ while set1 and set1[0].max <= range_max:
+ assert set1[0].min >= range_min
del set1[0]
- while set2 and set2[0].max <= max:
- assert set2[0].min >= min
+ while set2 and set2[0].max <= range_max:
+ assert set2[0].min >= range_min
del set2[0]
return type(self)(result)
@@ -454,7 +436,7 @@ class resource_set(list):
Set symmetric difference (XOR) for resource sets.
"""
com = self._comm(other)
- return com[0].union(com[1])
+ return com[0] | com[1]
__xor__ = symmetric_difference
@@ -467,20 +449,20 @@ class resource_set(list):
if not self:
return False
if type(item) is type(self[0]):
- min = item.min
- max = item.max
+ range_min = item.min
+ range_max = item.max
else:
- min = item
- max = item
+ range_min = item
+ range_max = item
lo = 0
hi = len(self)
while lo < hi:
mid = (lo + hi) / 2
- if self[mid].max < max:
+ if self[mid].max < range_max:
lo = mid + 1
else:
hi = mid
- return lo < len(self) and self[lo].min <= min and self[lo].max >= max
+ return lo < len(self) and self[lo].min <= range_min and self[lo].max >= range_max
__contains__ = contains
@@ -560,37 +542,6 @@ class resource_set_as(resource_set):
range_type = resource_range_as
- def parse_rfc3779_tuple(self, x):
- """
- Parse ASN resource from tuple format generated by RFC 3779 ASN.1
- decoder.
- """
- if x[0] == "asIdsOrRanges":
- for aor in x[1]:
- if aor[0] == "range":
- min = aor[1][0]
- max = aor[1][1]
- else:
- min = aor[1]
- max = min
- self.append(resource_range_as(min, max))
- else:
- assert x[0] == "inherit"
- self.inherit = True
-
- def to_rfc3779_tuple(self):
- """
- Convert ASN resource set into tuple format used for RFC 3779 ASN.1
- encoding.
- """
- self.canonize()
- if self:
- return ("asIdsOrRanges", tuple(a.to_rfc3779_tuple() for a in self))
- elif self.inherit:
- return ("inherit", "")
- else:
- return None
-
class resource_set_ip(resource_set):
"""
(Generic) IP address resource set.
@@ -599,24 +550,6 @@ class resource_set_ip(resource_set):
directly.
"""
- def parse_rfc3779_tuple(self, x):
- """
- Parse IP address resource sets from tuple format generated by RFC
- 3779 ASN.1 decoder.
- """
- if x[0] == "addressesOrRanges":
- for aor in x[1]:
- if aor[0] == "addressRange":
- min = _bs2long(aor[1][0], self.range_type.datum_type.bits, 0)
- max = _bs2long(aor[1][1], self.range_type.datum_type.bits, 1)
- else:
- min = _bs2long(aor[1], self.range_type.datum_type.bits, 0)
- max = _bs2long(aor[1], self.range_type.datum_type.bits, 1)
- self.append(self.range_type(self.range_type.datum_type(min), self.range_type.datum_type(max)))
- else:
- assert x[0] == "inherit"
- self.inherit = True
-
def to_roa_prefix_set(self):
"""
Convert from a resource set to a ROA prefix set.
@@ -628,19 +561,6 @@ class resource_set_ip(resource_set):
self.roa_prefix_set_type.prefix_type(r.min, r.prefixlen())
for r in prefix_ranges])
- def to_rfc3779_tuple(self):
- """
- Convert IP resource set into tuple format used by RFC 3779 ASN.1
- encoder.
- """
- self.canonize()
- if self:
- return (self.afi, ("addressesOrRanges", tuple(a.to_rfc3779_tuple() for a in self)))
- elif self.inherit:
- return (self.afi, ("inherit", ""))
- else:
- return None
-
class resource_set_ipv4(resource_set_ip):
"""
IPv4 address resource set.
@@ -651,11 +571,6 @@ class resource_set_ipv4(resource_set_ip):
range_type = resource_range_ipv4
- ## @var afi
- # Address Family Identifier value for IPv4.
-
- afi = "\x00\x01"
-
class resource_set_ipv6(resource_set_ip):
"""
IPv6 address resource set.
@@ -666,44 +581,6 @@ class resource_set_ipv6(resource_set_ip):
range_type = resource_range_ipv6
- ## @var afi
- # Address Family Identifier value for IPv6.
-
- afi = "\x00\x02"
-
-def _bs2long(bs, addrlen, fill):
- """
- Utility function to convert a bitstring (rpki.POW.pkix tuple
- representation) into a Python long.
- """
- x = 0L
- for y in bs:
- x = (x << 1) | y
- for y in xrange(addrlen - len(bs)):
- x = (x << 1) | fill
- return x
-
-def _long2bs(number, addrlen, prefixlen = None, strip = None):
- """
- Utility function to convert a Python long into a rpki.POW.pkix tuple
- bitstring. This is a bit complicated because it supports the
- fiendishly compact encoding used in RFC 3779.
- """
- assert prefixlen is None or strip is None
- bs = []
- while number:
- bs.append(int(number & 1))
- number >>= 1
- if addrlen > len(bs):
- bs.extend((0 for i in xrange(addrlen - len(bs))))
- bs.reverse()
- if prefixlen is not None:
- return tuple(bs[0:prefixlen])
- if strip is not None:
- while bs and bs[-1] == strip:
- bs.pop()
- return tuple(bs)
-
class resource_bag(object):
"""
Container to simplify passing around the usual triple of ASN, IPv4,
@@ -780,28 +657,21 @@ class resource_bag(object):
v6 = resource_set_ipv6(",".join(v6s), allow_overlap) if v6s else None)
@classmethod
- def from_rfc3779_tuples(cls, exts):
- """
- Build a resource_bag from intermediate form generated by RFC 3779
- ASN.1 decoder.
- """
- asn = None
- v4 = None
- v6 = None
- for x in exts:
- if x[0] == rpki.oids.name2oid["sbgp-autonomousSysNum"]:
- assert len(x[2]) == 1 or x[2][1] is None, "RDI not implemented: %s" % (str(x))
- assert asn is None
- asn = resource_set_as(x[2][0])
- if x[0] == rpki.oids.name2oid["sbgp-ipAddrBlock"]:
- for fam in x[2]:
- if fam[0] == resource_set_ipv4.afi:
- assert v4 is None
- v4 = resource_set_ipv4(fam[1])
- if fam[0] == resource_set_ipv6.afi:
- assert v6 is None
- v6 = resource_set_ipv6(fam[1])
- return cls(asn, v4, v6)
+ def from_POW_rfc3779(cls, resources):
+ """
+ Build a resource_bag from data returned by
+ rpki.POW.X509.getRFC3779().
+
+ The conversion to long for v4 and v6 is (intended to be)
+ temporary: in the long run, we should be using rpki.POW.IPAddress
+ rather than long here.
+ """
+ asn = [resource_range_as(r[0], r[1]) for r in resources[0] or ()]
+ v4 = [resource_range_ipv4(r[0], r[1]) for r in resources[1] or ()]
+ v6 = [resource_range_ipv6(r[0], r[1]) for r in resources[2] or ()]
+ return cls(resource_set_as(asn) if asn else None,
+ resource_set_ipv4(v4) if v4 else None,
+ resource_set_ipv6(v6) if v6 else None)
def empty(self):
"""
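Review bot: `from_POW_rfc3779` has no visible handling for the RFC 3779 "inherit" form, which the removed `parse_rfc3779_tuple` methods mapped to `self.inherit = True`. What `rpki.POW.X509.getRFC3779()` returns for an inheriting certificate is not shown on this page; if it is anything other than a sequence of `(min, max)` pairs, `resources[n] or ()` will either fail or build a bag that claims nothing where the certificate actually inherits. An explicit branch per family would make this safe, together with a docstring line stating what each of the three elements may contain. The docstring's remark about a "conversion to long for v4 and v6" also does not match the body, which passes `r[0]` and `r[1]` through unchanged.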
@@ -956,16 +826,13 @@ class roa_prefix(object):
"""
Return highest address covered by prefix.
"""
- t = self.range_type.datum_type
- return t(self.prefix | ((1 << (t.bits - self.prefixlen)) - 1))
-
- def to_roa_tuple(self):
+ return self.prefix | ((1 << (self.prefix.bits - self.prefixlen)) - 1)
+
+ def to_POW_roa_tuple(self):
"""
- Convert a resource_range_ip to tuple format for ROA ASN.1
- encoding.
+ Convert a resource_range_ip to rpki.POW.ROA.setPrefixes() format.
"""
- return (_long2bs(self.prefix, self.range_type.datum_type.bits, prefixlen = self.prefixlen),
- None if self.prefixlen == self.max_prefixlen else self.max_prefixlen)
+ return self.prefix, self.prefixlen, self.max_prefixlen
@classmethod
def parse_str(cls, x):
@@ -974,20 +841,12 @@ class roa_prefix(object):
"""
r = re_prefix_with_maxlen.match(x)
if r:
- return cls(cls.range_type.datum_type(r.group(1)), int(r.group(2)), int(r.group(3)))
+ return cls(rpki.POW.IPAddress(r.group(1)), int(r.group(2)), int(r.group(3)))
r = re_prefix.match(x)
if r:
- return cls(cls.range_type.datum_type(r.group(1)), int(r.group(2)))
+ return cls(rpki.POW.IPAddress(r.group(1)), int(r.group(2)))
raise rpki.exceptions.BadROAPrefix, 'Bad ROA prefix "%s"' % (x)
- @classmethod
- def from_roa_tuple(cls, o):
- """
- Convert from ROA ASN.1 tuple format.
- """
- assert isinstance(o, (list, tuple)), 'argument must be either list or tuple'
- return cls(cls.range_type.datum_type(_bs2long(o[0], cls.range_type.datum_type.bits, 0)), len(o[0]), o[1])
-
class roa_prefix_ipv4(roa_prefix):
"""
IPv4 ROA prefix.
@@ -1054,7 +913,7 @@ class roa_prefix_set(list):
s.append(None)
for p in self:
s[0] = p.to_resource_range()
- r = r.union(s)
+ r |= s
return r
@classmethod
@@ -1070,7 +929,7 @@ class roa_prefix_set(list):
"""
sql.execute(query, args)
- return cls([cls.prefix_type(cls.prefix_type.range_type.datum_type(x), int(y), int(z))
+ return cls([cls.prefix_type(rpki.POW.IPAddress(x), int(y), int(z))
for (x, y, z) in sql.fetchall()])
@classmethod
@@ -1082,20 +941,19 @@ class roa_prefix_set(list):
max_prefixlen) triples.
"""
- return cls([cls.prefix_type(cls.prefix_type.range_type.datum_type(x), int(y), int(z))
+ return cls([cls.prefix_type(rpki.POW.IPAddress(x), int(y), int(z))
for (x, y, z) in iterable])
-
- def to_roa_tuple(self):
+ def to_POW_roa_tuple(self):
"""
- Convert ROA prefix set into tuple format used by ROA ASN.1
- encoder. This is a variation on the format used in RFC 3779.
+ Convert ROA prefix set to form used by rpki.POW.ROA.setPrefixes().
"""
if self:
- return (self.resource_set_type.afi, tuple(a.to_roa_tuple() for a in self))
+ return tuple(a.to_POW_roa_tuple() for a in self)
else:
return None
+
class roa_prefix_set_ipv4(roa_prefix_set):
"""
Set of IPv4 ROA prefixes.
diff --git a/rpkid/rpki/roa.py b/rpkid/rpki/roa.py
deleted file mode 100644
index 51b141e1..00000000
--- a/rpkid/rpki/roa.py
+++ /dev/null
@@ -1,76 +0,0 @@
-"""
-ROA (Route Origin Authorization).
-
-At the moment this is just the ASN.1 encoder.
-
-This corresponds to draft-ietf-sidr-roa-format, which is a work in
-progress, so this may need updating later.
-
-$Id$
-
-Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
-REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
-INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-PERFORMANCE OF THIS SOFTWARE.
-
-draft-ietf-sidr-roa-format-03 2.1.3.2 specifies:
-
- RouteOriginAttestation ::= SEQUENCE {
- version [0] INTEGER DEFAULT 0,
- asID ASID,
- ipAddrBlocks SEQUENCE OF ROAIPAddressFamily }
-
- ASID ::= INTEGER
-
- ROAIPAddressFamily ::= SEQUENCE {
- addressFamily OCTET STRING (SIZE (2..3)),
- addresses SEQUENCE OF ROAIPAddress }
-
- ROAIPAddress ::= SEQUENCE {
- address IPAddress,
- maxLength INTEGER OPTIONAL }
-
- IPAddress ::= BIT STRING
-"""
-
-from rpki.POW._der import *
-
-class ROAIPAddress(Sequence):
- def __init__(self, optional=0, default=''):
- self.address = BitString()
- self.maxLength = Integer(1)
- contents = [ self.address, self.maxLength ]
- Sequence.__init__(self, contents, optional, default)
-
-class ROAIPAddresses(SequenceOf):
- def __init__(self, optional=0, default=''):
- SequenceOf.__init__(self, ROAIPAddress, optional, default)
-
-class ROAIPAddressFamily(Sequence):
- def __init__(self, optional=0, default=''):
- self.addressFamily = OctetString()
- self.addresses = ROAIPAddresses()
- contents = [ self.addressFamily, self.addresses ]
- Sequence.__init__(self, contents, optional, default)
-
-class ROAIPAddressFamilies(SequenceOf):
- def __init__(self, optional=0, default=''):
- SequenceOf.__init__(self, ROAIPAddressFamily, optional, default)
-
-class RouteOriginAttestation(Sequence):
- def __init__(self, optional=0, default=''):
- self.version = Integer()
- self.explicitVersion = Explicit(CLASS_CONTEXT, FORM_CONSTRUCTED, 0, self.version, 0, 'oAMCAQA=')
- self.asID = Integer()
- self.ipAddrBlocks = ROAIPAddressFamilies()
- contents = [ self.explicitVersion, self.asID, self.ipAddrBlocks ]
- Sequence.__init__(self, contents, optional, default)
diff --git a/rpkid/rpki/rootd.py b/rpkid/rpki/rootd.py
index 75257a80..6da7081b 100644
--- a/rpkid/rpki/rootd.py
+++ b/rpkid/rpki/rootd.py
@@ -10,7 +10,7 @@ Usage: python rootd.py [ { -c | --config } configfile ]
$Id$
-Copyright (C) 2009--2011 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -186,7 +186,9 @@ class main(object):
rpki.log.debug("No PKCS #10 request, can't generate subject certificate yet")
return None
resources = self.rpki_root_cert.get_3779resources()
- rpki.log.info("Generating subject cert with resources " + str(resources))
+ notAfter = now + self.rpki_subject_lifetime
+ rpki.log.info("Generating subject cert %s with resources %s, expires %s" % (
+ self.rpki_base_uri + self.rpki_subject_cert, resources, notAfter))
req_key = pkcs10.getPublicKey()
req_sia = pkcs10.get_SIA()
self.next_serial_number()
@@ -198,7 +200,7 @@ class main(object):
aia = self.rpki_root_cert_uri,
crldp = self.rpki_base_uri + self.rpki_root_crl,
resources = resources,
- notAfter = now + self.rpki_subject_lifetime)
+ notAfter = notAfter)
self.set_subject_cert(subject_cert)
self.generate_crl_and_manifest(now)
return subject_cert
@@ -227,8 +229,7 @@ class main(object):
keypair = self.rpki_root_key,
subject_key = manifest_keypair.get_RSApublic(),
serial = self.serial_number,
- sia = ((rpki.oids.name2oid["id-ad-signedObject"],
- ("uri", self.rpki_base_uri + self.rpki_root_manifest)),),
+ sia = (None, None, self.rpki_base_uri + self.rpki_root_manifest),
aia = self.rpki_root_cert_uri,
crldp = self.rpki_base_uri + self.rpki_root_crl,
resources = manifest_resources,
@@ -247,7 +248,7 @@ class main(object):
f.close()
def revoke_subject_cert(self, now):
- self.revoked.append((self.get_subject_cert().getSerial(), now.toASN1tuple(), ()))
+ self.revoked.append((self.get_subject_cert().getSerial(), now))
def compose_response(self, r_msg, pkcs10 = None):
subject_cert = self.issue_subject_cert_maybe(pkcs10)
@@ -297,8 +298,8 @@ class main(object):
if self.crl_number is None:
try:
crl = rpki.x509.CRL(DER_file = os.path.join(self.rpki_root_dir, self.rpki_root_crl))
- self.crl_number = crl.get_POWpkix().getExtension(rpki.oids.name2oid["cRLNumber"])[2]
- except:
+ self.crl_number = crl.getCRLNumber()
+ except: # pylint: disable=W0702
self.crl_number = 0
self.crl_number += 1
return self.crl_number
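Review bot: The bare `except:` around the CRL-number read is kept and only its lint warning is silenced, so any failure while loading the existing CRL (a corrupt file, or an error raised by the new `getCRLNumber()` call) resets `crl_number` to 0 and the next CRL is numbered 1. A CRL number that moves backwards is something relying parties can reasonably treat as suspect. Narrowing the handler to the "no CRL published yet" case (presumably `except IOError:` for a missing file, to be confirmed against `rpki.x509.CRL`) and logging anything else would keep the bootstrap behaviour without hiding real errors. The enclosing function starts outside this hunk.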
@@ -372,12 +373,12 @@ class main(object):
self.rpki_root_key = rpki.x509.RSA(Auto_update = self.cfg.get("rpki-root-key"))
self.rpki_root_cert_file = self.cfg.get("rpki-root-cert")
- self.rpki_root_cert_uri = self.cfg.get("rpki-root-cert-uri", self.rpki_base_uri + "Root.cer")
+ self.rpki_root_cert_uri = self.cfg.get("rpki-root-cert-uri", self.rpki_base_uri + "root.cer")
- self.rpki_root_manifest = self.cfg.get("rpki-root-manifest", "Root.mft")
- self.rpki_root_crl = self.cfg.get("rpki-root-crl", "Root.crl")
- self.rpki_subject_cert = self.cfg.get("rpki-subject-cert", "Child.cer")
- self.rpki_subject_pkcs10 = self.cfg.get("rpki-subject-pkcs10", "Child.pkcs10")
+ self.rpki_root_manifest = self.cfg.get("rpki-root-manifest", "root.mft")
+ self.rpki_root_crl = self.cfg.get("rpki-root-crl", "root.crl")
+ self.rpki_subject_cert = self.cfg.get("rpki-subject-cert", "child.cer")
+ self.rpki_subject_pkcs10 = self.cfg.get("rpki-subject-pkcs10", "child.pkcs10")
self.rpki_subject_lifetime = rpki.sundial.timedelta.parse(self.cfg.get("rpki-subject-lifetime", "30d"))
self.rpki_subject_regen = rpki.sundial.timedelta.parse(self.cfg.get("rpki-subject-regen", self.rpki_subject_lifetime.convert_to_seconds() / 2))
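Review bot: Lower-casing the built-in defaults (`Root.mft`, `Root.crl`, `Child.cer`, `Child.pkcs10`, and `Root.cer` in the default `rpki-root-cert-uri`) changes behaviour for every installation that relies on the defaults instead of setting these keys. After an upgrade on a case-sensitive filesystem, rootd would look for `root.crl`, not find the existing `Root.crl`, and the CRL-number fallback in the earlier hunk would restart numbering from 0; the published URIs change as well. This needs an upgrade note, for example a comment above these lines such as `# Defaults were Root.*/Child.* before this change; set the keys explicitly to keep existing file names`.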
diff --git a/rpkid/rpki/rpkic.py b/rpkid/rpki/rpkic.py
index 2849aa12..f00e15b5 100644
--- a/rpkid/rpki/rpkic.py
+++ b/rpkid/rpki/rpkic.py
@@ -39,16 +39,10 @@ PERFORMANCE OF THIS SOFTWARE.
# modules, or anything that imports Django modules. Bottom line is
# that we don't import such modules until we need them.
-import csv
-import re
import os
import getopt
import sys
-import base64
import time
-import glob
-import copy
-import warnings
import rpki.config
import rpki.cli
import rpki.sundial
@@ -116,7 +110,7 @@ class main(rpki.cli.Cmd):
rpki.cli.Cmd.__init__(self, self.argv)
def read_config(self):
- global rpki
+ global rpki # pylint: disable=W0602
cfg = rpki.config.parser(self.cfg_file, "myrpki")
cfg.set_global_flags()
@@ -137,7 +131,7 @@ class main(rpki.cli.Cmd):
INSTALLED_APPS = ("rpki.irdb",),
)
- import rpki.irdb
+ import rpki.irdb # pylint: disable=W0621
try:
rpki.irdb.models.ca_certificate_lifetime = rpki.sundial.timedelta.parse(
@@ -228,6 +222,7 @@ class main(rpki.cli.Cmd):
self.zoo.update_bpki()
self.zoo.write_bpki_files()
+ self.zoo.synchronize()
def do_configure_child(self, arg):
@@ -252,7 +247,7 @@ class main(rpki.cli.Cmd):
r, child_handle = self.zoo.configure_child(argv[0], child_handle)
r.save("%s.%s.parent-response.xml" % (self.zoo.handle, child_handle), sys.stdout)
- self.zoo.synchronize()
+ self.zoo.synchronize_ca()
def do_delete_child(self, arg):
@@ -262,7 +257,7 @@ class main(rpki.cli.Cmd):
try:
self.zoo.delete_child(arg)
- self.zoo.synchronize()
+ self.zoo.synchronize_ca()
except rpki.irdb.Child.DoesNotExist:
print "No such child \"%s\"" % arg
@@ -309,7 +304,7 @@ class main(rpki.cli.Cmd):
try:
self.zoo.delete_parent(arg)
- self.zoo.synchronize()
+ self.zoo.synchronize_ca()
except rpki.irdb.Parent.DoesNotExist:
print "No such parent \"%s\"" % arg
@@ -324,7 +319,7 @@ class main(rpki.cli.Cmd):
try:
self.zoo.delete_rootd()
- self.zoo.synchronize()
+ self.zoo.synchronize_ca()
except rpki.irdb.Rootd.DoesNotExist:
print "No associated rootd"
@@ -355,7 +350,7 @@ class main(rpki.cli.Cmd):
r.save("%s.repository-response.xml" % client_handle.replace("/", "."), sys.stdout)
try:
- self.zoo.synchronize()
+ self.zoo.synchronize_pubd()
except rpki.irdb.Repository.DoesNotExist:
pass
@@ -367,7 +362,7 @@ class main(rpki.cli.Cmd):
try:
self.zoo.delete_publication_client(arg).delete()
- self.zoo.synchronize()
+ self.zoo.synchronize_pubd()
except rpki.irdb.Client.DoesNotExist:
print "No such client \"%s\"" % arg
@@ -396,7 +391,7 @@ class main(rpki.cli.Cmd):
raise BadCommandSyntax, "Need to specify filename for repository.xml on command line"
self.zoo.configure_repository(argv[0], parent_handle)
- self.zoo.synchronize()
+ self.zoo.synchronize_ca()
def do_delete_repository(self, arg):
"""
@@ -408,7 +403,7 @@ class main(rpki.cli.Cmd):
try:
self.zoo.delete_repository(arg)
- self.zoo.synchronize()
+ self.zoo.synchronize_ca()
except rpki.irdb.Repository.DoesNotExist:
print "No such repository \"%s\"" % arg
@@ -422,7 +417,7 @@ class main(rpki.cli.Cmd):
"""
self.zoo.delete_self()
- self.zoo.synchronize()
+ self.zoo.synchronize_deleted_ca()
def do_renew_child(self, arg):
@@ -441,7 +436,9 @@ class main(rpki.cli.Cmd):
raise BadCommandSyntax, "Need to specify child handle"
self.zoo.renew_children(argv[0], valid_until)
- self.zoo.synchronize(self.zoo.handle)
+ self.zoo.synchronize_ca()
+ if self.autosync:
+ self.zoo.run_rpkid_now()
def complete_renew_child(self, *args):
return self.irdb_handle_complete(self.zoo.resource_ca.children, *args)
@@ -463,7 +460,9 @@ class main(rpki.cli.Cmd):
raise BadCommandSyntax, "Unexpected arguments"
self.zoo.renew_children(None, valid_until)
- self.zoo.synchronize(self.zoo.handle)
+ self.zoo.synchronize_ca()
+ if self.autosync:
+ self.zoo.run_rpkid_now()
def do_load_prefixes(self, arg):
@@ -478,7 +477,7 @@ class main(rpki.cli.Cmd):
self.zoo.load_prefixes(argv[0], True)
if self.autosync:
- self.zoo.synchronize(self.zoo.handle)
+ self.zoo.run_rpkid_now()
def do_show_child_resources(self, arg):
@@ -513,7 +512,7 @@ class main(rpki.cli.Cmd):
self.zoo.load_asns(argv[0], True)
if self.autosync:
- self.zoo.synchronize(self.zoo.handle)
+ self.zoo.run_rpkid_now()
def do_load_roa_requests(self, arg):
@@ -528,7 +527,7 @@ class main(rpki.cli.Cmd):
self.zoo.load_roa_requests(argv[0])
if self.autosync:
- self.zoo.synchronize(self.zoo.handle)
+ self.zoo.run_rpkid_now()
def do_synchronize(self, arg):
@@ -542,7 +541,7 @@ class main(rpki.cli.Cmd):
if arg:
raise BadCommandSyntax("Unexpected argument(s): %r" % arg)
- self.zoo.synchronize(self.zoo.handle)
+ self.zoo.synchronize()
def do_force_publication(self, arg):
diff --git a/rpkid/rpki/rpkid.py b/rpkid/rpki/rpkid.py
index f3fc38fa..42671f7f 100644
--- a/rpkid/rpki/rpkid.py
+++ b/rpkid/rpki/rpkid.py
@@ -42,7 +42,6 @@ import os
import time
import getopt
import sys
-import lxml.etree
import re
import random
import rpki.resource_set
@@ -57,6 +56,7 @@ import rpki.relaxng
import rpki.log
import rpki.async
import rpki.daemonize
+import rpki.rpkid_tasks
class main(object):
"""
@@ -73,6 +73,8 @@ class main(object):
self.foreground = False
self.irdbd_cms_timestamp = None
self.irbe_cms_timestamp = None
+ self.task_current = None
+ self.task_queue = []
opts, argv = getopt.getopt(sys.argv[1:], "c:dfhp:?",
["config=", "debug", "foreground", "help", "profile="])
@@ -135,11 +137,17 @@ class main(object):
self.publication_kludge_base = self.cfg.get("publication-kludge-base", "publication/")
+ # Icky hack to let Iain do some testing quickly, should go away
+ # once we sort out whether we can make this change permanent.
+
+ self.merge_publication_directories = self.cfg.getboolean("merge_publication_directories",
+ False)
+
self.use_internal_cron = self.cfg.getboolean("use-internal-cron", True)
self.initial_delay = random.randint(self.cfg.getint("initial-delay-min", 10),
self.cfg.getint("initial-delay-max", 120))
-
+
# Should be much longer in production
self.cron_period = rpki.sundial.timedelta(seconds = self.cfg.getint("cron-period", 120))
self.cron_keepalive = rpki.sundial.timedelta(seconds = self.cfg.getint("cron-keepalive", 0))
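Review bot: The new `merge_publication_directories` key is spelled with underscores while every other key read in this hunk is hyphenated (`publication-kludge-base`, `use-internal-cron`, `cron-period`), and the comment above it says only that it is a hack, not what it changes. The `sia_uri` hunk further down uses the flag to return `parent.sia_base` unchanged instead of appending `str(self.ca_id) + "/"`, so the comment should say so, e.g. `# When true, each CA publishes directly into its parent's sia_base rather than a per-ca_id subdirectory.` Whether object names stay unique once several CAs share one directory is not visible here and should be confirmed before this is enabled outside testing. The enclosing method starts and ends outside the hunk.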
@@ -269,7 +277,6 @@ class main(object):
cb(200, body = reply)
try:
- self.sql.ping()
q_cms = rpki.left_right.cms_msg(DER = query)
q_msg = q_cms.unwrap((self.bpki_ta, self.irbe_cert))
self.irbe_cms_timestamp = q_cms.check_replay(self.irbe_cms_timestamp)
@@ -296,7 +303,6 @@ class main(object):
cb(200, body = reply)
try:
- self.sql.ping()
match = self.up_down_url_regexp.search(path)
if match is None:
raise rpki.exceptions.BadContactURL, "Bad URL path received in up_down_handler(): %s" % path
@@ -323,6 +329,38 @@ class main(object):
if force or self.cron_timeout is not None:
self.cron_timeout = rpki.sundial.now() + self.cron_keepalive
+ def task_add(self, task):
+ """
+ Add a task to the scheduler task queue, unless it's already queued.
+ """
+ if task not in self.task_queue:
+ rpki.log.debug("Adding %r to task queue" % task)
+ self.task_queue.append(task)
+ return True
+ else:
+ rpki.log.debug("Task %r was already in the task queue" % task)
+ return False
+
+ def task_next(self):
+ """
+ Pull next task from the task queue and put it the deferred event
+ queue (we don't want to run it directly, as that could eventually
+ blow out our call stack).
+ """
+ try:
+ self.task_current = self.task_queue.pop(0)
+ except IndexError:
+ self.task_current = None
+ else:
+ rpki.async.event_defer(self.task_current)
+
+ def task_run(self):
+ """
+ Run first task on the task queue, unless one is running already.
+ """
+ if self.task_current is None:
+ self.task_next()
+
def cron(self, cb = None):
"""
Periodic tasks.
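Review bot: `task_current` is cleared only inside `task_next()`, so a task that raises or returns without reaching it leaves `task_current` set and `task_run()` will never start another task. The keepalive path in `cron()` resets `cron_timeout` but not `task_current`, so breaking a stale lock there would not unstick the queue. Consider resetting `task_current` where the lock is broken, or stating in the `task_run()` docstring that every task must finish by calling `task_next()`. The `task_next()` docstring also reads "put it the deferred event queue"; "put it on" was presumably meant.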
@@ -330,53 +368,42 @@ class main(object):
rpki.log.trace()
- def loop(iterator, s):
- self.checkpoint()
- s.cron(iterator)
+ now = rpki.sundial.now()
+
+ rpki.log.debug("Starting cron run")
def done():
self.sql.sweep()
self.cron_timeout = None
rpki.log.info("Finished cron run started at %s" % now)
- if not self.use_internal_cron:
+ if cb is not None:
cb()
- def lose(e):
- self.cron_timeout = None
- if self.use_internal_cron:
- rpki.log.traceback()
- else:
- raise
-
- try:
- now = rpki.sundial.now()
-
- assert self.use_internal_cron or self.cron_timeout is None
-
- if self.use_internal_cron:
+ completion = rpki.rpkid_tasks.CompletionHandler(done)
+ for s in rpki.left_right.self_elt.sql_fetch_all(self):
+ s.schedule_cron_tasks(completion)
+ nothing_queued = completion.count == 0
- if self.cron_timeout is not None and self.cron_timeout < now:
- rpki.log.warn("cron keepalive threshold %s has expired, breaking lock" % self.cron_timeout)
- self.cron_timeout = None
+ assert self.use_internal_cron or self.cron_timeout is None
- when = now + self.cron_period
- rpki.log.debug("Scheduling next cron run at %s" % when)
- self.cron_timer.set(when)
+ if self.cron_timeout is not None and self.cron_timeout < now:
+ rpki.log.warn("cron keepalive threshold %s has expired, breaking lock" % self.cron_timeout)
+ self.cron_timeout = None
- if self.cron_timeout is not None:
- rpki.log.warn("cron already running, keepalive will expire at %s" % self.cron_timeout)
- return
+ if self.use_internal_cron:
+ when = now + self.cron_period
+ rpki.log.debug("Scheduling next cron run at %s" % when)
+ self.cron_timer.set(when)
- self.sql.ping()
+ if self.cron_timeout is None:
self.checkpoint(self.use_internal_cron)
- rpki.async.iterator(rpki.left_right.self_elt.sql_fetch_all(self), loop, done)
+ self.task_run()
- except (rpki.async.ExitNow, SystemExit):
- self.cron_timeout = None
- raise
+ elif self.use_internal_cron:
+ rpki.log.warn("cron already running, keepalive will expire at %s" % self.cron_timeout)
- except Exception, e:
- lose(e)
+ if nothing_queued:
+ done()
def cronjob_handler(self, query, path, cb):
"""
@@ -391,6 +418,7 @@ class main(object):
if self.use_internal_cron:
cb(500, reason = "Running cron internally")
else:
+ rpki.log.debug("Starting externally triggered cron")
self.cron(done)
class ca_obj(rpki.sql.sql_persistent):
@@ -403,15 +431,22 @@ class ca_obj(rpki.sql.sql_persistent):
"ca_id",
"last_crl_sn",
("next_crl_update", rpki.sundial.datetime),
- "last_issued_sn", "last_manifest_sn",
+ "last_issued_sn",
+ "last_manifest_sn",
("next_manifest_update", rpki.sundial.datetime),
- "sia_uri", "parent_id", "parent_resource_class")
+ "sia_uri",
+ "parent_id",
+ "parent_resource_class")
last_crl_sn = 0
last_issued_sn = 0
last_manifest_sn = 0
+ def __repr__(self):
+ return rpki.log.log_repr(self, repr(self.parent), self.parent_resource_class)
+
@property
+ @rpki.sql.cache_reference
def parent(self):
"""
Fetch parent object to which this CA object links.
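Review bot: `ca_obj.__repr__` evaluates `self.parent`, a property documented as fetching the parent object, so formatting a CA for a log line can trigger a fetch and can itself raise. `ca_detail_obj.__repr__` and `revoked_cert_obj.__repr__`, added in later hunks, chain into it through `repr(self.ca)` and `repr(self.ca_detail)`. Since these reprs feed the `rpki.log.debug` calls added elsewhere in this commit, building them from stored fields such as `self.parent_id` and `self.parent_resource_class` would keep logging free of side effects. The class body continues outside the hunk.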
@@ -447,6 +482,13 @@ class ca_obj(rpki.sql.sql_persistent):
return ca_detail_obj.sql_fetch_where(self.gctx, "ca_id = %s AND state = 'deprecated'", (self.ca_id,))
@property
+ def active_or_deprecated_ca_details(self):
+ """
+ Fetch active and deprecated ca_details for this CA, if any.
+ """
+ return ca_detail_obj.sql_fetch_where(self.gctx, "ca_id = %s AND (state = 'active' OR state = 'deprecated')", (self.ca_id,))
+
+ @property
def revoked_ca_details(self):
"""
Fetch revoked ca_details for this CA, if any.
@@ -473,7 +515,11 @@ class ca_obj(rpki.sql.sql_persistent):
sia_uri = parent.sia_base
if not sia_uri.endswith("/"):
raise rpki.exceptions.BadURISyntax, "SIA URI must end with a slash: %s" % sia_uri
- return sia_uri + str(self.ca_id) + "/"
+ # With luck this can go away sometime soon.
+ if self.gctx.merge_publication_directories:
+ return sia_uri
+ else:
+ return sia_uri + str(self.ca_id) + "/"
def check_for_updates(self, parent, rc, cb, eb):
"""
@@ -588,6 +634,7 @@ class ca_obj(rpki.sql.sql_persistent):
callback = cb,
errback = eb)
+ rpki.log.debug("Sending issue request to %r from %r" % (parent, self.create))
rpki.up_down.issue_pdu.query(parent, self, ca_detail, done, eb)
def delete(self, parent, callback):
@@ -663,6 +710,7 @@ class ca_obj(rpki.sql.sql_persistent):
callback = cb,
errback = eb)
+ rpki.log.debug("Sending issue request to %r from %r" % (parent, self.rekey))
rpki.up_down.issue_pdu.query(parent, self, new_detail, done, eb)
def revoke(self, cb, eb, revoke_all = False):
@@ -716,6 +764,11 @@ class ca_detail_obj(rpki.sql.sql_persistent):
crl_published = None
manifest_published = None
latest_ca_cert = None
+ latest_crl = None
+ latest_manifest = None
+
+ def __repr__(self):
+ return rpki.log.log_repr(self, repr(self.ca), self.state, self.ca_cert_uri)
def sql_decode(self, vals):
"""
@@ -726,6 +779,7 @@ class ca_detail_obj(rpki.sql.sql_persistent):
assert self.manifest_public_key is None or self.manifest_private_key_id is None or self.manifest_public_key.get_DER() == self.manifest_private_key_id.get_public_DER()
@property
+ @rpki.sql.cache_reference
def ca(self):
"""
Fetch CA object to which this ca_detail links.
@@ -815,14 +869,10 @@ class ca_detail_obj(rpki.sql.sql_persistent):
child_cert.reissue(ca_detail = self, publisher = publisher)
for roa in predecessor.roas:
roa.regenerate(publisher = publisher)
-
- # Need to do something to regenerate ghostbusters here?
- # Yes, I suspect so, since presumably we want the ghostbuster to
- # be issued by the new ca_detail at this point. But check code.
-
- if predecessor.ghostbusters:
- rpki.log.warn("Probably should be regenerating Ghostbusters %r here" % ghostbuster)
-
+ for ghostbuster in predecessor.ghostbusters:
+ ghostbuster.regenerate(publisher = publisher)
+ predecessor.generate_crl(publisher = publisher)
+ predecessor.generate_manifest(publisher = publisher)
publisher.call_pubd(callback, errback)
@@ -898,10 +948,7 @@ class ca_detail_obj(rpki.sql.sql_persistent):
nextUpdate = rpki.sundial.now()
if self.latest_manifest is not None:
- try:
- self.latest_manifest.get_content()
- except rpki.exceptions.CMSContentNotSet:
- self.latest_manifest.extract()
+ self.latest_manifest.extract_if_needed()
nextUpdate = nextUpdate.later(self.latest_manifest.getNextUpdate())
if self.latest_crl is not None:
@@ -942,7 +989,10 @@ class ca_detail_obj(rpki.sql.sql_persistent):
"""
def issued(issue_response):
- self.latest_ca_cert = issue_response.payload.classes[0].certs[0].cert
+ new_ca_cert = issue_response.payload.classes[0].certs[0].cert
+ if self.latest_ca_cert != new_ca_cert:
+ self.latest_ca_cert = new_ca_cert
+ self.sql_mark_dirty()
new_resources = self.latest_ca_cert.get_3779resources()
publisher = publication_queue()
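Review bot: `issued()` reads `issue_response.payload.classes[0].certs[0].cert` from the parent's reply without checking that the reply holds exactly one class and one certificate, so an empty or unexpected reply surfaces as an `IndexError` inside the callback instead of going through `errback`. The certificate is then stored as `latest_ca_cert`, marked dirty and used to reissue child certificates, so it is worth confirming that the reply is for this ca_detail's key before it is persisted; that validation may live in `issue_pdu.query`, which is not visible here. A length check on `classes` and `certs` that hands a protocol error to `errback` would make the failure explicit. The enclosing method starts and ends outside the hunk.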
@@ -952,11 +1002,12 @@ class ca_detail_obj(rpki.sql.sql_persistent):
if sia_uri_changed or child_resources.oversized(new_resources):
child_cert.reissue(
ca_detail = self,
- resources = child_resources.intersection(new_resources),
+ resources = child_resources & new_resources,
publisher = publisher)
publisher.call_pubd(callback, errback)
+ rpki.log.debug("Sending issue request to %r from %r" % (parent, self.update))
rpki.up_down.issue_pdu.query(parent, ca, self, issued, errback)
@classmethod
@@ -994,7 +1045,6 @@ class ca_detail_obj(rpki.sql.sql_persistent):
notAfter = self.latest_ca_cert.getNotAfter(),
is_ca = False)
-
def generate_manifest_cert(self):
"""
Generate a new manifest certificate for this ca_detail.
@@ -1005,7 +1055,7 @@ class ca_detail_obj(rpki.sql.sql_persistent):
ca = self.ca,
resources = resources,
subject_key = self.manifest_public_key,
- sia = ((rpki.oids.name2oid["id-ad-signedObject"], ("uri", self.manifest_uri)),))
+ sia = (None, None, self.manifest_uri))
def issue(self, ca, child, subject_key, sia, resources, publisher, child_cert = None):
"""
@@ -1015,6 +1065,8 @@ class ca_detail_obj(rpki.sql.sql_persistent):
containing the newly issued cert.
"""
+ self.check_failed_publication(publisher)
+
assert child_cert is None or child_cert.child_id == child.child_id
cert = self.latest_ca_cert.issue(
@@ -1036,6 +1088,7 @@ class ca_detail_obj(rpki.sql.sql_persistent):
rpki.log.debug("Created new child_cert %r" % child_cert)
else:
child_cert.cert = cert
+ del child_cert.ca_detail
child_cert.ca_detail_id = self.ca_detail_id
rpki.log.debug("Reusing existing child_cert %r" % child_cert)
@@ -1058,6 +1111,8 @@ class ca_detail_obj(rpki.sql.sql_persistent):
new CRL is needed.
"""
+ self.check_failed_publication(publisher)
+
ca = self.ca
parent = ca.parent
crl_interval = rpki.sundial.timedelta(seconds = parent.self.crl_interval)
@@ -1071,7 +1126,7 @@ class ca_detail_obj(rpki.sql.sql_persistent):
if now > revoked_cert.expires + crl_interval:
revoked_cert.sql_delete()
else:
- certlist.append((revoked_cert.serial, revoked_cert.revoked.toASN1tuple(), ()))
+ certlist.append((revoked_cert.serial, revoked_cert.revoked))
certlist.sort()
self.latest_crl = rpki.x509.CRL.generate(
@@ -1100,22 +1155,30 @@ class ca_detail_obj(rpki.sql.sql_persistent):
Generate a new manifest for this ca_detail.
"""
+ self.check_failed_publication(publisher)
+
ca = self.ca
parent = ca.parent
crl_interval = rpki.sundial.timedelta(seconds = parent.self.crl_interval)
now = rpki.sundial.now()
+ uri = self.manifest_uri
if nextUpdate is None:
nextUpdate = now + crl_interval
if self.latest_manifest_cert is None or self.latest_manifest_cert.getNotAfter() < nextUpdate:
+ rpki.log.debug("Generating EE certificate for %s" % uri)
self.generate_manifest_cert()
+ rpki.log.debug("Latest CA cert notAfter %s, new %s EE notAfter %s" % (
+ self.latest_ca_cert.getNotAfter(), uri, self.latest_manifest_cert.getNotAfter()))
+ rpki.log.debug("Constructing manifest object list for %s" % uri)
objs = [(self.crl_uri_tail, self.latest_crl)]
objs.extend((c.uri_tail, c.cert) for c in self.child_certs)
objs.extend((r.uri_tail, r.roa) for r in self.roas if r.roa is not None)
objs.extend((g.uri_tail, g.ghostbuster) for g in self.ghostbusters)
+ rpki.log.debug("Building manifest object %s" % uri)
self.latest_manifest = rpki.x509.SignedManifest.build(
serial = ca.next_manifest_number(),
thisUpdate = now,
@@ -1124,10 +1187,11 @@ class ca_detail_obj(rpki.sql.sql_persistent):
keypair = self.manifest_private_key_id,
certs = self.latest_manifest_cert)
+ rpki.log.debug("Manifest generation took %s" % (rpki.sundial.now() - now))
self.manifest_published = rpki.sundial.now()
self.sql_mark_dirty()
- publisher.publish(cls = rpki.publication.manifest_elt, uri = self.manifest_uri, obj = self.latest_manifest, repository = parent.repository,
+ publisher.publish(cls = rpki.publication.manifest_elt, uri = uri, obj = self.latest_manifest, repository = parent.repository,
handler = self.manifest_published_callback)
def manifest_published_callback(self, pdu):
@@ -1144,6 +1208,7 @@ class ca_detail_obj(rpki.sql.sql_persistent):
"""
publisher = publication_queue()
+ self.check_failed_publication(publisher)
for roa in self.roas:
roa.regenerate(publisher, fast = True)
for ghostbuster in self.ghostbusters:
@@ -1152,6 +1217,48 @@ class ca_detail_obj(rpki.sql.sql_persistent):
child_cert.reissue(self, publisher, force = True)
publisher.call_pubd(cb, eb)
+ def check_failed_publication(self, publisher):
+ """
+ Check for failed publication of objects issued by this ca_detail.
+
+ All publishable objects have timestamp fields recording time of
+ last attempted publication, and callback methods which clear these
+ timestamps once publication has succeeded. Our task here is to
+ look for objects issued by this ca_detail which have timestamps
+ set (indicating that they have not been published) and for which
+ the timestamps are not very recent (for some definition of very
+ recent -- intent is to allow a bit of slack in case pubd is just
+ being slow). In such cases, we want to retry publication.
+
+ As an optimization, we can probably just check the manifest and
+ CRL; if these are up to date we probably don't need to check other
+ objects (which would involve several more SQL queries). Not sure
+ yet whether this optimization is worthwhile.
+
+ At the moment, we only check CRL and manifest, full stop. This
+ should be expanded to check other objects, but that would take
+ longer and I have a user who needs this fix today.
+ """
+
+ stale = rpki.sundial.now() - rpki.sundial.timedelta(seconds = 60)
+ repository = self.ca.parent.repository
+
+ if self.latest_crl is not None and self.crl_published is not None and self.crl_published < stale:
+ rpki.log.debug("Retrying publication for %s" % self.crl_uri)
+ publisher.publish(cls = rpki.publication.crl_elt,
+ uri = self.crl_uri,
+ obj = self.latest_crl,
+ repository = repository,
+ handler = self.crl_published_callback)
+
+ if self.latest_manifest is not None and self.manifest_published is not None and self.manifest_published < stale:
+ rpki.log.debug("Retrying publication for %s" % self.manifest_uri)
+ publisher.publish(cls = rpki.publication.manifest_elt,
+ uri = self.manifest_uri,
+ obj = self.latest_manifest,
+ repository = repository,
+ handler = self.manifest_published_callback)
+
class child_cert_obj(rpki.sql.sql_persistent):
"""
Certificate that has been issued to a child.
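Review bot: The staleness window is a bare `timedelta(seconds = 60)` inside `check_failed_publication()`; a named class attribute, for example `publication_retry_margin = rpki.sundial.timedelta(seconds = 60)`, would make the slack described in the docstring visible and tunable. Because `generate_crl()` and `generate_manifest()` now call this first and then publish a fresh object to the same `crl_uri` or `manifest_uri` through the same publisher, a retry can queue the old object immediately before its replacement. Whether `publication_queue.publish()` collapses the two into one request is not visible here and should be confirmed. The docstring already admits that only the CRL and manifest are checked, so a `# TODO` naming the remaining object types would keep that gap from being forgotten.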
@@ -1166,6 +1273,9 @@ class child_cert_obj(rpki.sql.sql_persistent):
"ski",
("published", rpki.sundial.datetime))
+ def __repr__(self):
+ return rpki.log.log_repr(self, self.uri)
+
def __init__(self, gctx = None, child_id = None, ca_detail_id = None, cert = None):
"""
Initialize a child_cert_obj.
@@ -1180,19 +1290,28 @@ class child_cert_obj(rpki.sql.sql_persistent):
self.sql_mark_dirty()
@property
+ @rpki.sql.cache_reference
def child(self):
"""
Fetch child object to which this child_cert object links.
"""
return rpki.left_right.child_elt.sql_fetch(self.gctx, self.child_id)
-
+
@property
+ @rpki.sql.cache_reference
def ca_detail(self):
"""
Fetch ca_detail object to which this child_cert object links.
"""
return ca_detail_obj.sql_fetch(self.gctx, self.ca_detail_id)
+ @ca_detail.deleter
+ def ca_detail(self):
+ try:
+ del self._ca_detail
+ except AttributeError:
+ pass
+
@property
def uri_tail(self):
"""
@@ -1353,6 +1472,9 @@ class revoked_cert_obj(rpki.sql.sql_persistent):
("revoked", rpki.sundial.datetime),
("expires", rpki.sundial.datetime))
+ def __repr__(self):
+ return rpki.log.log_repr(self, repr(self.ca_detail), self.serial, self.revoked)
+
def __init__(self, gctx = None, serial = None, revoked = None, expires = None, ca_detail_id = None):
"""
Initialize a revoked_cert_obj.
@@ -1367,6 +1489,7 @@ class revoked_cert_obj(rpki.sql.sql_persistent):
self.sql_mark_dirty()
@property
+ @rpki.sql.cache_reference
def ca_detail(self):
"""
Fetch ca_detail object to which this revoked_cert_obj links.
@@ -1406,6 +1529,7 @@ class roa_obj(rpki.sql.sql_persistent):
published = None
@property
+ @rpki.sql.cache_reference
def self(self):
"""
Fetch self object to which this roa_obj links.
@@ -1413,12 +1537,20 @@ class roa_obj(rpki.sql.sql_persistent):
return rpki.left_right.self_elt.sql_fetch(self.gctx, self.self_id)
@property
+ @rpki.sql.cache_reference
def ca_detail(self):
"""
Fetch ca_detail object to which this roa_obj links.
"""
return rpki.rpkid.ca_detail_obj.sql_fetch(self.gctx, self.ca_detail_id)
+ @ca_detail.deleter
+ def ca_detail(self):
+ try:
+ del self._ca_detail
+ except AttributeError:
+ pass
+
def sql_fetch_hook(self):
"""
Extra SQL fetch actions for roa_obj -- handle prefix lists.
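Review bot: The `ca_detail` deleter added here is a copy of the one added to `child_cert_obj` earlier in this file, and both delete `self._ca_detail`, a name that presumably belongs to `rpki.sql.cache_reference` rather than to these classes. If the decorator stores the value under a different name, `except AttributeError: pass` hides the mismatch and `del self.ca_detail` before `self.ca_detail_id = ...` would silently keep a stale issuer reference. Letting the decorator provide the invalidation, or at least adding `# must match the attribute name used by rpki.sql.cache_reference`, would remove the hidden coupling. The other properties that gain the decorator in this commit (`parent`, `ca`, `child`, `self`) get no deleter; if their id columns can change they need the same treatment.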
@@ -1569,12 +1701,13 @@ class roa_obj(rpki.sql.sql_persistent):
resources = rpki.resource_set.resource_bag(v4 = v4, v6 = v6)
keypair = rpki.x509.RSA.generate()
+ del self.ca_detail
self.ca_detail_id = ca_detail.ca_detail_id
self.cert = ca_detail.issue_ee(
ca = ca,
resources = resources,
subject_key = keypair.get_RSApublic(),
- sia = ((rpki.oids.name2oid["id-ad-signedObject"], ("uri", self.uri_from_key(keypair))),))
+ sia = (None, None, self.uri_from_key(keypair)))
self.roa = rpki.x509.ROA.build(self.asn, self.ipv4, self.ipv6, keypair, (self.cert,))
self.published = rpki.sundial.now()
self.sql_store()
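Review bot: `sia = (None, None, self.uri_from_key(keypair))` replaces a self-describing OID and URI pair with a positional tuple whose first two slots are unexplained `None` values; the same form appears in `generate_manifest_cert()` and in the Ghostbuster hunk. A short comment at each call site would help, e.g. `# sia = (caRepository, rpkiManifest, signedObject) URIs; EE certs carry only signedObject`, but that slot order is my assumption and should be checked against `issue_ee()`, which is not visible here. The enclosing method starts and ends outside the hunk.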
@@ -1685,7 +1818,11 @@ class ghostbuster_obj(rpki.sql.sql_persistent):
published = None
vcard = None
+ def __repr__(self):
+ return rpki.log.log_repr(self, self.uri)
+
@property
+ @rpki.sql.cache_reference
def self(self):
"""
Fetch self object to which this ghostbuster_obj links.
@@ -1693,6 +1830,7 @@ class ghostbuster_obj(rpki.sql.sql_persistent):
return rpki.left_right.self_elt.sql_fetch(self.gctx, self.self_id)
@property
+ @rpki.sql.cache_reference
def ca_detail(self):
"""
Fetch ca_detail object to which this ghostbuster_obj links.
@@ -1748,7 +1886,7 @@ class ghostbuster_obj(rpki.sql.sql_persistent):
ca = ca,
resources = resources,
subject_key = keypair.get_RSApublic(),
- sia = ((rpki.oids.name2oid["id-ad-signedObject"], ("uri", self.uri_from_key(keypair))),))
+ sia = (None, None, self.uri_from_key(keypair)))
self.ghostbuster = rpki.x509.Ghostbuster.build(self.vcard, keypair, (self.cert,))
self.published = rpki.sundial.now()
self.sql_store()
@@ -1879,6 +2017,7 @@ class publication_queue(object):
def call_pubd(self, cb, eb):
def loop(iterator, rid):
+ rpki.log.debug("Calling pubd[%r]" % self.repositories[rid])
self.repositories[rid].call_pubd(iterator, eb, self.msgs[rid], self.handlers)
def done():
self.clear()
@@ -1888,3 +2027,7 @@ class publication_queue(object):
@property
def size(self):
return sum(len(self.msgs[rid]) for rid in self.repositories)
+
+ def empty(self):
+ assert (not self.msgs) == (self.size == 0)
+ return not self.msgs
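Review bot: `empty()` is a method while the neighbouring `size` is a property, so a caller writing `if publisher.empty:` would always take the true branch without any error; making both properties or both methods avoids that trap (the call added in `rpkid_tasks.py` uses `empty()`). The `assert` compares `not self.msgs` with `self.size == 0`, and these differ if `msgs` ever holds a repository key with an empty list: the assert then fires in normal runs, and under `python -O` the method returns `False` for a queue with nothing to send. Returning `self.size == 0` would give a single definition of emptiness.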
diff --git a/rpkid/rpki/rpkid_tasks.py b/rpkid/rpki/rpkid_tasks.py
new file mode 100644
index 00000000..79eb3c2b
--- /dev/null
+++ b/rpkid/rpki/rpkid_tasks.py
@@ -0,0 +1,574 @@
+"""
+rpkid task objects. Split out from rpki.left_right and rpki.rpkid
+because interactions with rpkid scheduler were getting too complicated.
+
+$Id$
+
+Copyright (C) 2012 Internet Systems Consortium ("ISC")
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
+"""
+
+import rpki.log
+import rpki.rpkid
+import rpki.async
+import rpki.up_down
+import rpki.sundial
+import rpki.publication
+import rpki.exceptions
+
+class CompletionHandler(object):
+ """
+ Track one or more scheduled rpkid tasks and execute a callback when
+ the last of them terminates.
+ """
+
+ ## @var debug
+ # Debug logging.
+
+ debug = False
+
+ def __init__(self, cb):
+ self.cb = cb
+ self.tasks = set()
+
+ def register(self, task):
+ if self.debug:
+ rpki.log.debug("Completion handler %r registering task %r" % (self, task))
+ self.tasks.add(task)
+ task.register_completion(self.done)
+
+ def done(self, task):
+ try:
+ self.tasks.remove(task)
+ except KeyError:
+ rpki.log.warn("Completion handler %r called with unregistered task %r, blundering onwards" % (self, task))
+ else:
+ if self.debug:
+ rpki.log.debug("Completion handler %r called with registered task %r" % (self, task))
+ if not self.tasks:
+ if self.debug:
+ rpki.log.debug("Completion handler %r finished, calling %r" % (self, self.cb))
+ self.cb()
+
+ @property
+ def count(self):
+ return len(self.tasks)
+
+
+class AbstractTask(object):
+ """
+ Abstract base class for rpkid scheduler task objects. This just
+ handles the scheduler hooks, real work starts in self.start.
+
+ NB: This assumes that the rpki.rpkid.rpkid.task_* methods have been
+ rewritten to expect instances of subclasses of this class, rather
+ than expecting thunks to be wrapped up in the older version of this
+ class. Rewrite, rewrite, remove this comment when done, OK!
+ """
+
+ ## @var timeslice
+ # How long before a task really should consider yielding the CPU to
+ # let something else run.
+
+ timeslice = rpki.sundial.timedelta(seconds = 15)
+
+ def __init__(self, s, description = None):
+ self.self = s
+ self.description = description
+ self.completions = []
+ self.continuation = None
+ self.due_date = None
+ self.clear()
+
+ def __repr__(self):
+ return rpki.log.log_repr(self, self.description)
+
+ def register_completion(self, completion):
+ self.completions.append(completion)
+
+ def exit(self):
+ while self.completions:
+ self.completions.pop(0)(self)
+ self.clear()
+ self.due_date = None
+ self.self.gctx.task_next()
+
+ def postpone(self, continuation):
+ self.continuation = continuation
+ self.due_date = None
+ self.self.gctx.task_add(self)
+ self.self.gctx.task_next()
+
+ def __call__(self):
+ self.due_date = rpki.sundial.now() + self.timeslice
+ if self.continuation is None:
+ rpki.log.debug("Running task %r" % self)
+ self.clear()
+ self.start()
+ else:
+ rpki.log.debug("Restarting task %r at %r" % (self, self.continuation))
+ continuation = self.continuation
+ self.continuation = None
+ continuation()
+
+ @property
+ def overdue(self):
+ return rpki.sundial.now() > self.due_date
+
+ def __getattr__(self, name):
+ return getattr(self.self, name)
+
+ def start(self):
+ raise NotImplementedError
+
+ def clear(self):
+ pass
+
+
+class PollParentTask(AbstractTask):
+ """
+ Run the regular client poll cycle with each of this self's
+ parents, in turn.
+ """
+
+ def clear(self):
+ self.parent_iterator = None
+ self.parent = None
+ self.ca_map = None
+ self.class_iterator = None
+
+ def start(self):
+ rpki.log.trace()
+ self.gctx.checkpoint()
+ rpki.log.debug("Self %s[%d] polling parents" % (self.self_handle, self.self_id))
+ rpki.async.iterator(self.parents, self.parent_loop, self.exit)
+
+ def parent_loop(self, parent_iterator, parent):
+ self.parent_iterator = parent_iterator
+ self.parent = parent
+ rpki.up_down.list_pdu.query(parent, self.got_list, self.list_failed)
+
+ def got_list(self, r_msg):
+ self.ca_map = dict((ca.parent_resource_class, ca) for ca in self.parent.cas)
+ self.gctx.checkpoint()
+ rpki.async.iterator(r_msg.payload.classes, self.class_loop, self.class_done)
+
+ def list_failed(self, e):
+ rpki.log.traceback()
+ rpki.log.warn("Couldn't get resource class list from parent %r, skipping: %s (%r)" % (
+ self.parent, e, e))
+ self.parent_iterator()
+
+ def class_loop(self, class_iterator, rc):
+ self.gctx.checkpoint()
+ self.class_iterator = class_iterator
+ try:
+ ca = self.ca_map.pop(rc.class_name)
+ except KeyError:
+ rpki.rpkid.ca_obj.create(self.parent, rc, class_iterator, self.class_create_failed)
+ else:
+ ca.check_for_updates(self.parent, rc, class_iterator, self.class_update_failed)
+
+ def class_update_failed(self, e):
+ rpki.log.traceback()
+ rpki.log.warn("Couldn't update class, skipping: %s" % e)
+ self.class_iterator()
+
+ def class_create_failed(self, e):
+ rpki.log.traceback()
+ rpki.log.warn("Couldn't create class, skipping: %s" % e)
+ self.class_iterator()
+
+ def class_done(self):
+ rpki.async.iterator(self.ca_map.values(), self.ca_loop, self.ca_done)
+
+ def ca_loop(self, iterator, ca):
+ self.gctx.checkpoint()
+ ca.delete(self.parent, iterator)
+
+ def ca_done(self):
+ self.gctx.checkpoint()
+ self.gctx.sql.sweep()
+ self.parent_iterator()
+
+
+class UpdateChildrenTask(AbstractTask):
+ """
+ Check for updated IRDB data for all of this self's children and
+ issue new certs as necessary. Must handle changes both in
+ resources and in expiration date.
+ """
+
+ def clear(self):
+ self.now = None
+ self.rsn = None
+ self.publisher = None
+ self.iterator = None
+ self.child = None
+ self.child_certs = None
+
+ def start(self):
+ rpki.log.trace()
+ self.gctx.checkpoint()
+ rpki.log.debug("Self %s[%d] updating children" % (self.self_handle, self.self_id))
+ self.now = rpki.sundial.now()
+ self.rsn = self.now + rpki.sundial.timedelta(seconds = self.regen_margin)
+ self.publisher = rpki.rpkid.publication_queue()
+ rpki.async.iterator(self.children, self.loop, self.done)
+
+ def loop(self, iterator, child):
+ self.gctx.checkpoint()
+ self.gctx.sql.sweep()
+ self.iterator = iterator
+ self.child = child
+ self.child_certs = child.child_certs
+ if self.overdue:
+ self.publisher.call_pubd(lambda: self.postpone(self.do_child), self.publication_failed)
+ else:
+ self.do_child()
+
+ def do_child(self):
+ if self.child_certs:
+ self.gctx.irdb_query_child_resources(self.child.self.self_handle, self.child.child_handle, self.got_resources, self.lose)
+ else:
+ self.iterator()
+
+ def lose(self, e):
+ rpki.log.traceback()
+ rpki.log.warn("Couldn't update child %r, skipping: %s" % (self.child, e))
+ self.iterator()
+
+ def got_resources(self, irdb_resources):
+ try:
+ for child_cert in self.child_certs:
+ ca_detail = child_cert.ca_detail
+ ca = ca_detail.ca
+ if ca_detail.state == "active":
+ old_resources = child_cert.cert.get_3779resources()
+ new_resources = old_resources & irdb_resources & ca_detail.latest_ca_cert.get_3779resources()
+
+ if new_resources.empty():
+ rpki.log.debug("Resources shrank to the null set, revoking and withdrawing child %s certificate SKI %s" % (self.child.child_handle, child_cert.cert.gSKI()))
+ child_cert.revoke(publisher = self.publisher)
+ ca_detail.generate_crl(publisher = self.publisher)
+ ca_detail.generate_manifest(publisher = self.publisher)
+
+ elif old_resources != new_resources or (old_resources.valid_until < self.rsn and irdb_resources.valid_until > self.now):
+ rpki.log.debug("Need to reissue child %s certificate SKI %s" % (self.child.child_handle, child_cert.cert.gSKI()))
+ child_cert.reissue(
+ ca_detail = ca_detail,
+ resources = new_resources,
+ publisher = self.publisher)
+
+ elif old_resources.valid_until < self.now:
+ rpki.log.debug("Child %s certificate SKI %s has expired: cert.valid_until %s, irdb.valid_until %s"
+ % (self.child.child_handle, child_cert.cert.gSKI(), old_resources.valid_until, irdb_resources.valid_until))
+ child_cert.sql_delete()
+ self.publisher.withdraw(cls = rpki.publication.certificate_elt, uri = child_cert.uri, obj = child_cert.cert, repository = ca.parent.repository)
+ ca_detail.generate_manifest(publisher = self.publisher)
+
+ except (SystemExit, rpki.async.ExitNow):
+ raise
+ except Exception, e:
+ self.gctx.checkpoint()
+ self.lose(e)
+ else:
+ self.gctx.checkpoint()
+ self.gctx.sql.sweep()
+ self.iterator()
+
+ def done(self):
+ self.gctx.checkpoint()
+ self.gctx.sql.sweep()
+ self.publisher.call_pubd(self.exit, self.publication_failed)
+
+ def publication_failed(self, e):
+ rpki.log.traceback()
+ rpki.log.warn("Couldn't publish for %s, skipping: %s" % (self.self_handle, e))
+ self.gctx.checkpoint()
+ self.exit()
+
+
+class UpdateROAsTask(AbstractTask):
+ """
+ Generate or update ROAs for this self.
+ """
+
+ def clear(self):
+ self.orphans = None
+ self.updates = None
+ self.publisher = None
+ self.ca_details = None
+ self.count = None
+
+ def start(self):
+ rpki.log.trace()
+ self.gctx.checkpoint()
+ self.gctx.sql.sweep()
+ rpki.log.debug("Self %s[%d] updating ROAs" % (self.self_handle, self.self_id))
+
+ rpki.log.debug("Issuing query for ROA requests")
+ self.gctx.irdb_query_roa_requests(self.self_handle, self.got_roa_requests, self.roa_requests_failed)
+
+ def got_roa_requests(self, roa_requests):
+ self.gctx.checkpoint()
+ rpki.log.debug("Received response to query for ROA requests")
+
+ if self.gctx.sql.dirty:
+ rpki.log.warn("Unexpected dirty SQL cache, flushing")
+ self.gctx.sql.sweep()
+
+ roas = {}
+ seen = set()
+ self.orphans = []
+ self.updates = []
+ self.publisher = rpki.rpkid.publication_queue()
+ self.ca_details = set()
+
+ for roa in self.roas:
+ k = (roa.asn, str(roa.ipv4), str(roa.ipv6))
+ if k not in roas:
+ roas[k] = roa
+ elif (roa.roa is not None and roa.cert is not None and roa.ca_detail is not None and roa.ca_detail.state == "active" and
+ (roas[k].roa is None or roas[k].cert is None or roas[k].ca_detail is None or roas[k].ca_detail.state != "active")):
+ self.orphans.append(roas[k])
+ roas[k] = roa
+ else:
+ self.orphans.append(roa)
+
+ for roa_request in roa_requests:
+ k = (roa_request.asn, str(roa_request.ipv4), str(roa_request.ipv6))
+ if k in seen:
+ rpki.log.warn("Skipping duplicate ROA request %r" % roa_request)
+ else:
+ seen.add(k)
+ roa = roas.pop(k, None)
+ if roa is None:
+ roa = rpki.rpkid.roa_obj(self.gctx, self.self_id, roa_request.asn, roa_request.ipv4, roa_request.ipv6)
+ rpki.log.debug("Couldn't find existing ROA, created %r" % roa)
+ else:
+ rpki.log.debug("Found existing %r" % roa)
+ self.updates.append(roa)
+
+ self.orphans.extend(roas.itervalues())
+
+ if self.overdue:
+ self.postpone(self.begin_loop)
+ else:
+ self.begin_loop()
+
+ def begin_loop(self):
+ self.count = 0
+ rpki.async.iterator(self.updates, self.loop, self.done, pop_list = True)
+
+ def loop(self, iterator, roa):
+ self.gctx.checkpoint()
+ try:
+ roa.update(publisher = self.publisher, fast = True)
+ self.ca_details.add(roa.ca_detail)
+ self.gctx.sql.sweep()
+ except (SystemExit, rpki.async.ExitNow):
+ raise
+ except rpki.exceptions.NoCoveringCertForROA:
+ rpki.log.warn("No covering certificate for %r, skipping" % roa)
+ except Exception, e:
+ rpki.log.traceback()
+ rpki.log.warn("Could not update %r, skipping: %s" % (roa, e))
+ self.count += 1
+ if self.overdue:
+ self.publish(lambda: self.postpone(iterator))
+ else:
+ iterator()
+
+ def publish(self, done):
+ if not self.publisher.empty():
+ for ca_detail in self.ca_details:
+ rpki.log.debug("Generating new CRL for %r" % ca_detail)
+ ca_detail.generate_crl(publisher = self.publisher)
+ rpki.log.debug("Generating new manifest for %r" % ca_detail)
+ ca_detail.generate_manifest(publisher = self.publisher)
+ self.ca_details.clear()
+ self.gctx.sql.sweep()
+ self.gctx.checkpoint()
+ self.publisher.call_pubd(done, self.publication_failed)
+
+ def publication_failed(self, e):
+ rpki.log.traceback()
+ rpki.log.warn("Couldn't publish for %s, skipping: %s" % (self.self_handle, e))
+ self.gctx.checkpoint()
+ self.exit()
+
+ def done(self):
+ for roa in self.orphans:
+ try:
+ self.ca_details.add(roa.ca_detail)
+ roa.revoke(publisher = self.publisher, fast = True)
+ except (SystemExit, rpki.async.ExitNow):
+ raise
+ except Exception, e:
+ rpki.log.traceback()
+ rpki.log.warn("Could not revoke %r: %s" % (roa, e))
+ self.gctx.sql.sweep()
+ self.gctx.checkpoint()
+ self.publish(self.exit)
+
+ def roa_requests_failed(self, e):
+ rpki.log.traceback()
+ rpki.log.warn("Could not fetch ROA requests for %s, skipping: %s" % (self.self_handle, e))
+ self.exit()
+
+
+class UpdateGhostbustersTask(AbstractTask):
+ """
+ Generate or update Ghostbuster records for this self.
+
+ This was originally based on the ROA update code. It's possible
+ that both could benefit from refactoring, but at this point the
+ potential scaling issues for ROAs completely dominate structure of
+ the ROA code, and aren't relevant here unless someone is being
+ exceptionally silly.
+ """
+
+ def start(self):
+ rpki.log.trace()
+ self.gctx.checkpoint()
+ rpki.log.debug("Self %s[%d] updating Ghostbuster records" % (self.self_handle, self.self_id))
+
+ self.gctx.irdb_query_ghostbuster_requests(self.self_handle,
+ (p.parent_handle for p in self.parents),
+ self.got_ghostbuster_requests,
+ self.ghostbuster_requests_failed)
+
+ def got_ghostbuster_requests(self, ghostbuster_requests):
+
+ try:
+ self.gctx.checkpoint()
+ if self.gctx.sql.dirty:
+ rpki.log.warn("Unexpected dirty SQL cache, flushing")
+ self.gctx.sql.sweep()
+
+ ghostbusters = {}
+ orphans = []
+ publisher = rpki.rpkid.publication_queue()
+ ca_details = set()
+ seen = set()
+
+ parents = dict((p.parent_handle, p) for p in self.parents)
+
+ for ghostbuster in self.ghostbusters:
+ k = (ghostbuster.ca_detail_id, ghostbuster.vcard)
+ if ghostbuster.ca_detail.state != "active" or k in ghostbusters:
+ orphans.append(ghostbuster)
+ else:
+ ghostbusters[k] = ghostbuster
+
+ for ghostbuster_request in ghostbuster_requests:
+ if ghostbuster_request.parent_handle not in parents:
+ rpki.log.warn("Unknown parent_handle %r in Ghostbuster request, skipping" % ghostbuster_request.parent_handle)
+ continue
+ k = (ghostbuster_request.parent_handle, ghostbuster_request.vcard)
+ if k in seen:
+ rpki.log.warn("Skipping duplicate Ghostbuster request %r" % ghostbuster_request)
+ continue
+ seen.add(k)
+ for ca in parents[ghostbuster_request.parent_handle].cas:
+ ca_detail = ca.active_ca_detail
+ if ca_detail is not None:
+ ghostbuster = ghostbusters.pop((ca_detail.ca_detail_id, ghostbuster_request.vcard), None)
+ if ghostbuster is None:
+ ghostbuster = rpki.rpkid.ghostbuster_obj(self.gctx, self.self_id, ca_detail.ca_detail_id, ghostbuster_request.vcard)
+ rpki.log.debug("Created new Ghostbuster request for %r" % ghostbuster_request.parent_handle)
+ else:
+ rpki.log.debug("Found existing Ghostbuster request for %r" % ghostbuster_request.parent_handle)
+ ghostbuster.update(publisher = publisher, fast = True)
+ ca_details.add(ca_detail)
+
+ orphans.extend(ghostbusters.itervalues())
+ for ghostbuster in orphans:
+ ca_details.add(ghostbuster.ca_detail)
+ ghostbuster.revoke(publisher = publisher, fast = True)
+
+ for ca_detail in ca_details:
+ ca_detail.generate_crl(publisher = publisher)
+ ca_detail.generate_manifest(publisher = publisher)
+
+ self.gctx.sql.sweep()
+
+ self.gctx.checkpoint()
+ publisher.call_pubd(self.exit, self.publication_failed)
+
+ except (SystemExit, rpki.async.ExitNow):
+ raise
+ except Exception, e:
+ rpki.log.traceback()
+ rpki.log.warn("Could not update Ghostbuster records for %s, skipping: %s" % (self.self_handle, e))
+ self.exit()
+
+ def publication_failed(self, e):
+ rpki.log.traceback()
+ rpki.log.warn("Couldn't publish Ghostbuster updates for %s, skipping: %s" % (self.self_handle, e))
+ self.gctx.checkpoint()
+ self.exit()
+
+ def ghostbuster_requests_failed(self, e):
+ rpki.log.traceback()
+ rpki.log.warn("Could not fetch Ghostbuster record requests for %s, skipping: %s" % (self.self_handle, e))
+ self.exit()
+
+class RegenerateCRLsAndManifestsTask(AbstractTask):
+ """
+ Generate new CRLs and manifests as necessary for all of this self's
+ CAs. Extracting nextUpdate from a manifest is hard at the moment
+ due to implementation silliness, so for now we generate a new
+ manifest whenever we generate a new CRL
+
+ This code also cleans up tombstones left behind by revoked ca_detail
+ objects, since we're walking through the relevant portions of the
+ database anyway.
+ """
+
+ def start(self):
+ rpki.log.trace()
+ self.gctx.checkpoint()
+ rpki.log.debug("Self %s[%d] regenerating CRLs and manifests" % (self.self_handle, self.self_id))
+
+ now = rpki.sundial.now()
+ regen_margin = rpki.sundial.timedelta(seconds = self.regen_margin)
+ publisher = rpki.rpkid.publication_queue()
+
+ for parent in self.parents:
+ for ca in parent.cas:
+ try:
+ for ca_detail in ca.revoked_ca_details:
+ if now > ca_detail.latest_crl.getNextUpdate():
+ ca_detail.delete(ca = ca, publisher = publisher)
+ for ca_detail in ca.active_or_deprecated_ca_details:
+ if now + regen_margin > ca_detail.latest_crl.getNextUpdate():
+ ca_detail.generate_crl(publisher = publisher)
+ ca_detail.generate_manifest(publisher = publisher)
+ except (SystemExit, rpki.async.ExitNow):
+ raise
+ except Exception, e:
+ rpki.log.traceback()
+ rpki.log.warn("Couldn't regenerate CRLs and manifests for CA %r, skipping: %s" % (ca, e))
+
+ self.gctx.checkpoint()
+ self.gctx.sql.sweep()
+ publisher.call_pubd(self.exit, self.lose)
+
+ def lose(self, e):
+ rpki.log.traceback()
+ rpki.log.warn("Couldn't publish updated CRLs and manifests for self %r, skipping: %s" % (self.self_handle, e))
+ self.gctx.checkpoint()
+ self.exit()
diff --git a/rpkid/rpki/sql.py b/rpkid/rpki/sql.py
index 14d1e1fb..d4426680 100644
--- a/rpkid/rpki/sql.py
+++ b/rpkid/rpki/sql.py
@@ -3,7 +3,7 @@ SQL interface code.
$Id$
-Copyright (C) 2009 Internet Systems Consortium ("ISC")
+Copyright (C) 2009-2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -32,19 +32,26 @@ OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
"""
+import weakref
+
from rpki.mysql_import import (MySQLdb, _mysql_exceptions)
-import rpki.x509, rpki.resource_set, rpki.sundial, rpki.log
+import rpki.x509
+import rpki.resource_set
+import rpki.sundial
+import rpki.log
class session(object):
"""
SQL session layer.
"""
- ## @var clear_threshold
- # Size above which .cache_clear_maybe() should clear the cache.
+ ## @var ping_threshold
+ # Timeout after which we should issue a ping command before the real
+ # one. Intent is to keep the MySQL connection alive without pinging
+ # before every single command.
- clear_threshold = 5000
+ ping_threshold = rpki.sundial.timedelta(seconds = 60)
def __init__(self, cfg):
@@ -52,15 +59,24 @@ class session(object):
self.database = cfg.get("sql-database")
self.password = cfg.get("sql-password")
- self.cache = {}
+ self.conv = MySQLdb.converters.conversions.copy()
+ self.conv.update({
+ rpki.sundial.datetime : MySQLdb.converters.DateTime2literal,
+ MySQLdb.converters.FIELD_TYPE.DATETIME : rpki.sundial.datetime.DateTime_or_None })
+
+ self.cache = weakref.WeakValueDictionary()
self.dirty = set()
self.connect()
def connect(self):
- self.db = MySQLdb.connect(user = self.username, db = self.database, passwd = self.password)
+ self.db = MySQLdb.connect(user = self.username,
+ db = self.database,
+ passwd = self.password,
+ conv = self.conv)
self.cur = self.db.cursor()
self.db.autocommit(True)
+ self.timestamp = rpki.sundial.now()
def close(self):
if self.cur:
@@ -70,11 +86,12 @@ class session(object):
self.db.close()
self.db = None
- def ping(self):
- return self.db.ping(True)
-
def _wrap_execute(self, func, query, args):
try:
+ now = rpki.sundial.now()
+ if now > self.timestamp + self.ping_threshold:
+ self.db.ping(True)
+ self.timestamp = now
return func(query, args)
except _mysql_exceptions.MySQLError:
if self.dirty:
@@ -95,19 +112,13 @@ class session(object):
def cache_clear(self):
"""
- Clear the object cache.
+ Clear the SQL object cache. Shouldn't be necessary now that the
+ cache uses weak references, but should be harmless.
"""
rpki.log.debug("Clearing SQL cache")
self.assert_pristine()
self.cache.clear()
- def cache_clear_maybe(self):
- """
- Clear the object cache if its size is above clear_threshold.
- """
- if len(self.cache) >= self.clear_threshold:
- self.cache_clear()
-
def assert_pristine(self):
"""
Assert that there are no dirty objects in the cache.
@@ -173,7 +184,7 @@ class sql_persistent(object):
sql_debug = False
@classmethod
- def sql_fetch(cls, gctx, id):
+ def sql_fetch(cls, gctx, id): # pylint: disable=W0622
"""
Fetch one object from SQL, based on its primary key.
@@ -309,7 +320,7 @@ class sql_persistent(object):
Delete this object from SQL.
"""
if self.sql_in_db:
- id = getattr(self, self.sql_template.index)
+ id = getattr(self, self.sql_template.index) # pylint: disable=W0622
if self.sql_debug:
rpki.log.debug("sql_fetch_delete(%r, %r)" % (self.sql_template.delete, id))
self.sql_delete_hook()
@@ -371,3 +382,32 @@ class sql_persistent(object):
"""
pass
+
+def cache_reference(func):
+ """
+ Decorator for use with property methods which just do an SQL lookup based on an ID.
+ Check for an existing reference to the object, just return that if we find it,
+ otherwise perform the SQL lookup.
+
+ Not 100% certain this is a good idea, but I //think// it should work well with the
+ current weak reference SQL cache, so long as we create no circular references.
+ So don't do that.
+ """
+
+ attr_name = "_" + func.__name__
+
+ def wrapped(self):
+ try:
+ value = getattr(self, attr_name)
+ assert value is not None
+ except AttributeError:
+ value = func(self)
+ if value is not None:
+ setattr(self, attr_name, value)
+ return value
+
+ wrapped.__name__ = func.__name__
+ wrapped.__doc__ = func.__doc__
+ wrapped.__dict__.update(func.__dict__)
+
+ return wrapped
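Review bot: In `wrapped`, the `assert value is not None` sits inside a `try` that only catches AttributeError, so a cached attribute that has been reset to None raises AssertionError instead of falling through to the SQL lookup. Under `python -O` the assert disappears and the stale None is returned. Replacing the try/except with `value = getattr(self, attr_name, None)` and guarding the lookup with `if value is None:` behaves the same in both modes. The hand-copied `__name__`/`__doc__`/`__dict__` lines could become `functools.wraps(func)`, which needs an `import functools` next to the `weakref` import added earlier in this file.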
diff --git a/rpkid/rpki/sundial.py b/rpkid/rpki/sundial.py
index dc322b96..95a44142 100644
--- a/rpkid/rpki/sundial.py
+++ b/rpkid/rpki/sundial.py
@@ -15,7 +15,7 @@ inspection of the datetime module, to wit:
$Id$
-Copyright (C) 2009--2011 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -72,58 +72,6 @@ class datetime(pydatetime.datetime):
return int(self.strftime("%s"))
@classmethod
- def fromUTCTime(cls, x):
- """
- Convert from ASN.1 UTCTime.
- """
- x = str(x)
- return cls.fromGeneralizedTime(("19" if x[0] >= "5" else "20") + x)
-
- def toUTCTime(self):
- """
- Convert to ASN.1 UTCTime.
- """
- return self.strftime("%y%m%d%H%M%SZ")
-
- @classmethod
- def fromGeneralizedTime(cls, x):
- """
- Convert from ASN.1 GeneralizedTime.
- """
- return cls.strptime(x, "%Y%m%d%H%M%SZ")
-
- def toGeneralizedTime(self):
- """
- Convert to ASN.1 GeneralizedTime.
- """
- return self.strftime("%Y%m%d%H%M%SZ")
-
- @classmethod
- def fromASN1tuple(cls, x):
- """
- Convert from ASN.1 tuple representation.
- """
- assert isinstance(x, tuple) and len(x) == 2 and x[0] in ("utcTime", "generalTime")
- if x[0] == "utcTime":
- return cls.fromUTCTime(x[1])
- else:
- return cls.fromGeneralizedTime(x[1])
-
- ## @var PKIX_threshhold
- # Threshold specified in RFC 3280 for switchover from UTCTime to GeneralizedTime.
-
- PKIX_threshhold = pydatetime.datetime(2050, 1, 1)
-
- def toASN1tuple(self):
- """
- Convert to ASN.1 tuple representation.
- """
- if self < self.PKIX_threshhold:
- return "utcTime", self.toUTCTime()
- else:
- return "generalTime", self.toGeneralizedTime()
-
- @classmethod
def fromXMLtime(cls, x):
"""
Convert from XML time representation.
@@ -143,13 +91,24 @@ class datetime(pydatetime.datetime):
return self.toXMLtime()
@classmethod
- def fromdatetime(cls, x):
+ def from_datetime(cls, x):
"""
Convert a datetime.datetime object into this subclass. This is
whacky due to the weird constructors for datetime.
"""
return cls.combine(x.date(), x.time())
+ def to_datetime(self):
+ """
+ Convert to a datetime.datetime object. In most cases this
+ shouldn't be necessary, but convincing SQL interfaces to use
+ subclasses of datetime can be hard.
+ """
+ return pydatetime.datetime(year = self.year, month = self.month, day = self.day,
+ hour = self.hour, minute = self.minute, second = self.second,
+ microsecond = 0, tzinfo = None)
+
+
@classmethod
def fromOpenSSL(cls, x):
"""
@@ -165,22 +124,13 @@ class datetime(pydatetime.datetime):
"""
Convert from SQL storage format.
"""
- return cls.fromdatetime(x)
+ return cls.from_datetime(x)
def to_sql(self):
"""
Convert to SQL storage format.
-
- There's something whacky going on in the MySQLdb module, it throws
- range errors when storing a derived type into a DATETIME column.
- Investigate some day, but for now brute force this by copying the
- relevant fields into a datetime.datetime for MySQLdb's
- consumption.
-
"""
- return pydatetime.datetime(year = self.year, month = self.month, day = self.day,
- hour = self.hour, minute = self.minute, second = self.second,
- microsecond = 0, tzinfo = None)
+ return self.to_datetime()
def later(self, other):
"""
@@ -199,6 +149,24 @@ class datetime(pydatetime.datetime):
def __rsub__(self, y): return _cast(pydatetime.datetime.__rsub__(self, y))
def __sub__(self, y): return _cast(pydatetime.datetime.__sub__(self, y))
+ @classmethod
+ def DateTime_or_None(cls, s):
+ """
+ MySQLdb converter. Parse as this class if we can, let the default
+ MySQLdb DateTime_or_None() converter deal with failure cases.
+ """
+
+ for sep in " T":
+ d, _, t = s.partition(sep)
+ if t:
+ try:
+ return cls(*[int(x) for x in d.split("-") + t.split(":")])
+ except:
+ break
+
+ from rpki.mysql_import import MySQLdb
+ return MySQLdb.times.DateTime_or_None(s)
+
class timedelta(pydatetime.timedelta):
"""
Timedelta with text parsing. This accepts two input formats:
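Review bot: The bare `except:` in `DateTime_or_None` also swallows SystemExit and KeyboardInterrupt, which the task code elsewhere in this commit re-raises before its generic handler. The parse can only fail in `int()` or in the constructor, so `except (ValueError, TypeError):` is enough to reach the MySQLdb fallback. The docstring could also say that a value with fractional seconds takes the fallback path, since `int()` rejects it. The caller then presumably gets a plain datetime rather than this subclass.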
@@ -297,7 +265,7 @@ def _cast(x):
Cast result of arithmetic operations back into correct subtype.
"""
if isinstance(x, pydatetime.datetime):
- return datetime.fromdatetime(x)
+ return datetime.from_datetime(x)
if isinstance(x, pydatetime.timedelta):
return timedelta.fromtimedelta(x)
return x
@@ -309,9 +277,6 @@ if __name__ == "__main__":
print "str: ", t
print "repr: ", repr(t)
print "seconds since epoch:", t.strftime("%s")
- print "UTCTime: ", t.toUTCTime()
- print "GeneralizedTime: ", t.toGeneralizedTime()
- print "ASN1tuple: ", t.toASN1tuple()
print "XMLtime: ", t.toXMLtime()
print
diff --git a/rpkid/rpki/up_down.py b/rpkid/rpki/up_down.py
index 1562e8e8..cea4e27f 100644
--- a/rpkid/rpki/up_down.py
+++ b/rpkid/rpki/up_down.py
@@ -3,7 +3,7 @@ RPKI "up-down" protocol.
$Id$
-Copyright (C) 2009--2011 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -260,7 +260,7 @@ class list_pdu(base_elt):
if not ca_detail:
rpki.log.debug("No active ca_detail, can't issue to %s" % child.child_handle)
continue
- resources = ca_detail.latest_ca_cert.get_3779resources().intersection(irdb_resources)
+ resources = ca_detail.latest_ca_cert.get_3779resources() & irdb_resources
if resources.empty():
rpki.log.debug("No overlap between received resources and what child %s should get ([%s], [%s])" % (child.child_handle, ca_detail.latest_ca_cert.get_3779resources(), irdb_resources))
continue
@@ -384,7 +384,7 @@ class issue_pdu(base_elt):
if irdb_resources.valid_until < rpki.sundial.now():
raise rpki.exceptions.IRDBExpired, "IRDB entry for child %s expired %s" % (child.child_handle, irdb_resources.valid_until)
- resources = irdb_resources.intersection(ca_detail.latest_ca_cert.get_3779resources())
+ resources = irdb_resources & ca_detail.latest_ca_cert.get_3779resources()
req_key = self.pkcs10.getPublicKey()
req_sia = self.pkcs10.get_SIA()
child_cert = child.fetch_child_certs(ca_detail = ca_detail, ski = req_key.get_SKI(), unique = True)
@@ -434,11 +434,13 @@ class issue_pdu(base_elt):
Send an "issue" request to parent associated with ca.
"""
assert ca_detail is not None and ca_detail.state in ("pending", "active")
- sia = ((rpki.oids.name2oid["id-ad-caRepository"], ("uri", ca.sia_uri)),
- (rpki.oids.name2oid["id-ad-rpkiManifest"], ("uri", ca_detail.manifest_uri)))
self = cls()
self.class_name = ca.parent_resource_class
- self.pkcs10 = rpki.x509.PKCS10.create_ca(ca_detail.private_key_id, sia)
+ self.pkcs10 = rpki.x509.PKCS10.create(
+ keypair = ca_detail.private_key_id,
+ is_ca = True,
+ caRepository = ca.sia_uri,
+ rpkiManifest = ca_detail.manifest_uri)
rpki.log.info('Sending "issue" request to parent %s' % parent.parent_handle)
parent.query_up_down(self, callback, errback)
@@ -630,7 +632,7 @@ class message_pdu(base_elt):
"""
Convert a message PDU to a string.
"""
- lxml.etree.tostring(self.toXML(), pretty_print = True, encoding = "UTF-8")
+ return lxml.etree.tostring(self.toXML(), pretty_print = True, encoding = "UTF-8")
def serve_top_level(self, child, callback):
"""
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index 92194a96..6f28e6f7 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
@@ -13,7 +13,7 @@ some of the nasty details. This involves a lot of format conversion.
$Id$
-Copyright (C) 2009--2011 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -43,10 +43,21 @@ OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
"""
-import rpki.POW, rpki.POW.pkix, base64, lxml.etree, os, subprocess, sys
-import email.mime.application, email.utils, mailbox, time
-import rpki.exceptions, rpki.resource_set, rpki.oids, rpki.sundial
-import rpki.manifest, rpki.roa, rpki.log, rpki.async, rpki.ghostbuster
+import rpki.POW
+import base64
+import lxml.etree
+import os
+import subprocess
+import email.mime.application
+import email.utils
+import mailbox
+import time
+import rpki.exceptions
+import rpki.resource_set
+import rpki.oids
+import rpki.sundial
+import rpki.log
+import rpki.async
import rpki.relaxng
def base64_with_linebreaks(der):
@@ -58,17 +69,6 @@ def base64_with_linebreaks(der):
n = len(b)
return "\n" + "\n".join(b[i : min(i + 64, n)] for i in xrange(0, n, 64)) + "\n"
-def calculate_SKI(public_key_der):
- """
- Calculate the SKI value given the DER representation of a public
- key, which requires first peeling the ASN.1 wrapper off the key.
- """
- k = rpki.POW.pkix.SubjectPublicKeyInfo()
- k.fromString(public_key_der)
- d = rpki.POW.Digest(rpki.POW.SHA1_DIGEST)
- d.update(k.subjectPublicKey.get())
- return d.digest()
-
class PEM_converter(object):
"""
Convert between DER and PEM encodings for various kinds of ASN.1 data.
@@ -107,6 +107,18 @@ class PEM_converter(object):
"""
return self.b + base64_with_linebreaks(der) + self.e + "\n"
+def first_rsync_uri(xia):
+ """
+ Find first rsync URI in a sequence of AIA or SIA URIs.
+ Returns the URI if found, otherwise None.
+ """
+
+ if xia is not None:
+ for uri in xia:
+ if uri.startswith("rsync://"):
+ return uri
+ return None
+
def _find_xia_uri(extension, name):
"""
Find a rsync URI in an SIA or AIA extension.
@@ -126,22 +138,17 @@ class X501DN(object):
Class to hold an X.501 Distinguished Name.
This is nothing like a complete implementation, just enough for our
- purposes. POW has one interface to this, POW.pkix has another. In
- terms of completeness in the Python representation, the POW.pkix
- representation is much closer to right, but the whole thing is a
- horrible mess.
-
- See RFC 5280 4.1.2.4 for the ASN.1 details. In brief:
+ purposes. See RFC 5280 4.1.2.4 for the ASN.1 details. In brief:
- - A DN is a SEQUENCE of RDNs.
+ - A DN is a SEQUENCE OF RDNs.
- - A RDN is a set of AttributeAndValues; in practice, multi-value
+ - A RDN is a SET OF AttributeAndValues; in practice, multi-value
RDNs are rare, so an RDN is almost always a set with a single
element.
- - An AttributeAndValue is an OID and a value, where a whole bunch
- of things including both syntax and semantics of the value are
- determined by the OID.
+ - An AttributeAndValue is a SEQUENCE consisting of a OID and a
+ value, where a whole bunch of things including both syntax and
+ semantics of the value are determined by the OID.
- The value is some kind of ASN.1 string; there are far too many
encoding options options, most of which are either strongly
@@ -157,37 +164,43 @@ class X501DN(object):
BPKI certificates should (we hope) follow the general PKIX guideline
but the ones we construct ourselves are likely to be relatively
simple.
-
- The main purpose of this class is to hide as much as possible of
- this mess from code that has to work with these wretched things.
"""
- def __init__(self, ini = None, **kwargs):
- assert ini is None or not kwargs
- if len(kwargs) == 1 and "CN" in kwargs:
- ini = kwargs.pop("CN")
- if isinstance(ini, (str, unicode)):
- self.dn = (((rpki.oids.name2oid["commonName"], ("printableString", ini)),),)
- elif isinstance(ini, tuple):
- self.dn = ini
- elif kwargs:
- raise NotImplementedError("Sorry, I haven't implemented keyword arguments yet")
- elif ini is not None:
- raise TypeError("Don't know how to interpret %r as an X.501 DN" % (ini,), ini)
-
def __str__(self):
- return "".join("/" + "+".join("%s=%s" % (rpki.oids.safe_oid2name(a[0]), a[1][1])
+ return "".join("/" + "+".join("%s=%s" % (rpki.oids.safe_dotted2name(a[0]), a[1])
for a in rdn)
for rdn in self.dn)
def __cmp__(self, other):
return cmp(self.dn, other.dn)
- def get_POWpkix(self):
- return self.dn
+ def __repr__(self):
+ return rpki.log.log_repr(self, str(self))
+
+ def _debug(self):
+ if False:
+ import traceback
+ for chunk in traceback.format_stack(limit = 5):
+ for line in chunk.splitlines():
+ rpki.log.debug("== %s" % line)
+ rpki.log.debug("++ %r %r" % (self, self.dn))
+
+ @classmethod
+ def from_cn(cls, s):
+ assert isinstance(s, (str, unicode))
+ self = cls()
+ self.dn = (((rpki.oids.safe_name2dotted("commonName"), s),),)
+ return self
+
+ @classmethod
+ def from_POW(cls, t):
+ assert isinstance(t, tuple)
+ self = cls()
+ self.dn = t
+ return self
def get_POW(self):
- raise NotImplementedError("Sorry, I haven't written the conversion to POW format yet")
+ return self.dn
class DER_object(object):
"""
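Review bot: `from_cn` and `from_POW` validate their argument with `assert`, where the removed `__init__` raised TypeError; under `python -O` the check vanishes and any object is stored as `self.dn`. An explicit `if not isinstance(t, tuple): raise TypeError("Don't know how to interpret %r as an X.501 DN" % (t,))` keeps the old contract. With `__init__` gone, a bare `X501DN()` has no `dn` attribute, so `__str__` and `__cmp__` fail with AttributeError; a class docstring line saying instances must come from `from_cn` or `from_POW` would help. The `if False:` body of `_debug` is dead code and could be dropped or put behind a module-level flag.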
@@ -368,57 +381,66 @@ class DER_object(object):
Get the AKI extension from this object. Only works for subclasses
that support getExtension().
"""
- aki = (self.get_POWpkix().getExtension(rpki.oids.name2oid["authorityKeyIdentifier"]) or ((), 0, None))[2]
- return aki[0] if isinstance(aki, tuple) else aki
+ return self.get_POW().getAKI()
def get_SKI(self):
"""
Get the SKI extension from this object. Only works for subclasses
that support getExtension().
"""
- return (self.get_POWpkix().getExtension(rpki.oids.name2oid["subjectKeyIdentifier"]) or ((), 0, None))[2]
+ return self.get_POW().getSKI()
def get_SIA(self):
"""
Get the SIA extension from this object. Only works for subclasses
- that support getExtension().
+ that support getSIA().
"""
- return (self.get_POWpkix().getExtension(rpki.oids.name2oid["subjectInfoAccess"]) or ((), 0, None))[2]
+ return self.get_POW().getSIA()
def get_sia_directory_uri(self):
"""
Get SIA directory (id-ad-caRepository) URI from this object.
- Only works for subclasses that support getExtension().
+ Only works for subclasses that support getSIA().
"""
- return _find_xia_uri(self.get_SIA(), "id-ad-caRepository")
+ sia = self.get_POW().getSIA()
+ return None if sia is None else first_rsync_uri(sia[0])
def get_sia_manifest_uri(self):
"""
Get SIA manifest (id-ad-rpkiManifest) URI from this object.
- Only works for subclasses that support getExtension().
+ Only works for subclasses that support getSIA().
+ """
+ sia = self.get_POW().getSIA()
+ return None if sia is None else first_rsync_uri(sia[1])
+
+ def get_sia_object_uri(self):
+ """
+ Get SIA object (id-ad-signedObject) URI from this object.
+ Only works for subclasses that support getSIA().
"""
- return _find_xia_uri(self.get_SIA(), "id-ad-rpkiManifest")
+ sia = self.get_POW().getSIA()
+ return None if sia is None else first_rsync_uri(sia[2])
def get_AIA(self):
"""
Get the SIA extension from this object. Only works for subclasses
- that support getExtension().
+ that support getAIA().
"""
- return (self.get_POWpkix().getExtension(rpki.oids.name2oid["authorityInfoAccess"]) or ((), 0, None))[2]
+ return self.get_POW().getAIA()
def get_aia_uri(self):
"""
Get AIA (id-ad-caIssuers) URI from this object.
- Only works for subclasses that support getExtension().
+ Only works for subclasses that support getAIA().
"""
- return _find_xia_uri(self.get_AIA(), "id-ad-caIssuers")
+ return first_rsync_uri(self.get_POW().getAIA())
def get_basicConstraints(self):
"""
Get the basicConstraints extension from this object. Only works
for subclasses that support getExtension().
"""
- return (self.get_POWpkix().getExtension(rpki.oids.name2oid["basicConstraints"]) or ((), 0, None))[2]
+ return self.get_POW().getBasicConstraints()
def is_CA(self):
"""
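Review bot: `get_sia_directory_uri`, `get_sia_manifest_uri` and `get_sia_object_uri` index the `getSIA()` result with bare `0`, `1` and `2`, and nothing in the hunk documents that order. A comment such as `# getSIA() returns (caRepository, rpkiManifest, signedObject) URI sequences` above the first use, or three named constants, would tie the indices to the access methods named in the docstrings. The order is inferred from those docstrings and should be checked against POW. The docstrings of `get_AKI`, `get_SKI` and `get_basicConstraints` still say "subclasses that support getExtension()" although the bodies now call `getAKI()`, `getSKI()` and `getBasicConstraints()`. `get_AIA` also still describes itself as getting the SIA extension.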
@@ -426,14 +448,13 @@ class DER_object(object):
extension and its cA value is true.
"""
basicConstraints = self.get_basicConstraints()
- return basicConstraints and basicConstraints[0] != 0
+ return basicConstraints is not None and basicConstraints[0]
def get_3779resources(self):
"""
- Get RFC 3779 resources as rpki.resource_set objects. Only works
- for subclasses that support getExtensions().
+ Get RFC 3779 resources as rpki.resource_set objects.
"""
- resources = rpki.resource_set.resource_bag.from_rfc3779_tuples(self.get_POWpkix().getExtensions())
+ resources = rpki.resource_set.resource_bag.from_POW_rfc3779(self.get_POW().getRFC3779())
try:
resources.valid_until = self.getNotAfter()
except AttributeError:
@@ -486,7 +507,7 @@ class DER_object(object):
d.update(self.get_DER())
return "%s %s %s" % (uri, self.creation_timestamp,
"".join(("%02X" % ord(b) for b in d.digest())))
- except:
+ except: # pylint: disable=W0702
return uri
class X509(DER_object):
@@ -500,7 +521,7 @@ class X509(DER_object):
have to care about this implementation nightmare.
"""
- formats = ("DER", "POW", "POWpkix")
+ formats = ("DER", "POW")
pem_converter = PEM_converter("CERTIFICATE")
def get_DER(self):
@@ -513,9 +534,6 @@ class X509(DER_object):
if self.POW:
self.DER = self.POW.derWrite()
return self.get_DER()
- if self.POWpkix:
- self.DER = self.POWpkix.toString()
- return self.get_DER()
raise rpki.exceptions.DERObjectConversionError, "No conversion path to DER available"
def get_POW(self):
@@ -523,44 +541,33 @@ class X509(DER_object):
Get the rpki.POW value of this certificate.
"""
self.check()
- if not self.POW:
- self.POW = rpki.POW.derRead(rpki.POW.X509_CERTIFICATE, self.get_DER())
+ if not self.POW: # pylint: disable=E0203
+ self.POW = rpki.POW.X509.derRead(self.get_DER())
return self.POW
- def get_POWpkix(self):
- """
- Get the rpki.POW.pkix value of this certificate.
- """
- self.check()
- if not self.POWpkix:
- cert = rpki.POW.pkix.Certificate()
- cert.fromString(self.get_DER())
- self.POWpkix = cert
- return self.POWpkix
-
def getIssuer(self):
"""
Get the issuer of this certificate.
"""
- return X501DN(self.get_POWpkix().getIssuer())
+ return X501DN.from_POW(self.get_POW().getIssuer())
def getSubject(self):
"""
Get the subject of this certificate.
"""
- return X501DN(self.get_POWpkix().getSubject())
+ return X501DN.from_POW(self.get_POW().getSubject())
def getNotBefore(self):
"""
Get the inception time of this certificate.
"""
- return rpki.sundial.datetime.fromASN1tuple(self.get_POWpkix().tbs.validity.notBefore.get())
+ return self.get_POW().getNotBefore()
def getNotAfter(self):
"""
Get the expiration time of this certificate.
"""
- return rpki.sundial.datetime.fromASN1tuple(self.get_POWpkix().tbs.validity.notAfter.get())
+ return self.get_POW().getNotAfter()
def getSerial(self):
"""
@@ -572,7 +579,13 @@ class X509(DER_object):
"""
Extract the public key from this certificate.
"""
- return RSApublic(DER = self.get_POWpkix().tbs.subjectPublicKeyInfo.toString())
+ return RSApublic(POW = self.get_POW().getPublicKey())
+
+ def get_SKI(self):
+ """
+ Get the SKI extension from this object.
+ """
+ return self.get_POW().getSKI()
def expired(self):
"""
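Review bot: The added `X509.get_SKI` has the same body, `return self.get_POW().getSKI()`, as `DER_object.get_SKI` after this commit, so the override adds nothing and can be removed. If it is kept on purpose, a one-line comment saying why would stop it from being deleted later as a duplicate.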
@@ -600,7 +613,7 @@ class X509(DER_object):
resources = resources,
is_ca = is_ca,
aki = self.get_SKI(),
- issuer_name = self.get_POWpkix().getSubject())
+ issuer_name = self.getSubject())
@classmethod
@@ -611,6 +624,7 @@ class X509(DER_object):
"""
ski = subject_key.get_SKI()
+
if cn is None:
cn = "".join(("%02X" % ord(i) for i in ski))
@@ -626,11 +640,11 @@ class X509(DER_object):
resources = resources,
is_ca = True,
aki = ski,
- issuer_name = (((rpki.oids.name2oid["commonName"], ("printableString", cn)),),))
+ issuer_name = X501DN.from_cn(cn))
- @staticmethod
- def _issue(keypair, subject_key, serial, sia, aia, crldp, notAfter,
+ @classmethod
+ def _issue(cls, keypair, subject_key, serial, sia, aia, crldp, notAfter,
cn, resources, is_ca, aki, issuer_name):
"""
Common code to issue an RPKI certificate.
@@ -642,58 +656,50 @@ class X509(DER_object):
if cn is None:
cn = "".join(("%02X" % ord(i) for i in ski))
- # if notAfter is None: notAfter = now + rpki.sundial.timedelta(days = 30)
+ cert = rpki.POW.X509()
- cert = rpki.POW.pkix.Certificate()
cert.setVersion(2)
cert.setSerial(serial)
- cert.setIssuer(issuer_name)
- cert.setSubject((((rpki.oids.name2oid["commonName"], ("printableString", cn)),),))
- cert.setNotBefore(now.toASN1tuple())
- cert.setNotAfter(notAfter.toASN1tuple())
- cert.tbs.subjectPublicKeyInfo.fromString(subject_key.get_DER())
-
- exts = [ ["subjectKeyIdentifier", False, ski],
- ["authorityKeyIdentifier", False, (aki, (), None)],
- ["certificatePolicies", True, ((rpki.oids.name2oid["id-cp-ipAddr-asNumber"], ()),)] ]
-
+ cert.setIssuer(issuer_name.get_POW())
+ cert.setSubject(X501DN.from_cn(cn).get_POW())
+ cert.setNotBefore(now)
+ cert.setNotAfter(notAfter)
+ cert.setPublicKey(subject_key.get_POW())
+ cert.setSKI(ski)
+ cert.setAKI(aki)
+ cert.setCertificatePolicies((POWify_OID("id-cp-ipAddr-asNumber"),))
if crldp is not None:
- exts.append(["cRLDistributionPoints", False, ((("fullName", (("uri", crldp),)), None, ()),)])
+ cert.setCRLDP((crldp,))
if aia is not None:
- exts.append(["authorityInfoAccess", False, ((rpki.oids.name2oid["id-ad-caIssuers"], ("uri", aia)),)])
+ cert.setAIA((aia,))
if is_ca:
- exts.append(["basicConstraints", True, (1, None)])
- exts.append(["keyUsage", True, (0, 0, 0, 0, 0, 1, 1)])
- else:
- exts.append(["keyUsage", True, (1,)])
+ cert.setBasicConstraints(True, None)
+ cert.setKeyUsage(frozenset(("keyCertSign", "cRLSign")))
- if sia is not None:
- exts.append(["subjectInfoAccess", False, sia])
else:
- assert not is_ca
+ cert.setKeyUsage(frozenset(("digitalSignature",)))
- # This next bit suggests that perhaps .to_rfc3779_tuple() should
- # be raising an exception when there are no resources rather than
- # returning None. Maybe refactor later.
+ assert sia is not None or not is_ca
- if resources is not None:
- r = resources.asn.to_rfc3779_tuple()
- if r is not None:
- exts.append(["sbgp-autonomousSysNum", True, (r, None)])
- r = [x for x in (resources.v4.to_rfc3779_tuple(), resources.v6.to_rfc3779_tuple()) if x is not None]
- if r:
- exts.append(["sbgp-ipAddrBlock", True, r])
+ if sia is not None:
+ caRepository, rpkiManifest, signedObject = sia
+ cert.setSIA(
+ (caRepository,) if isinstance(caRepository, str) else caRepository,
+ (rpkiManifest,) if isinstance(rpkiManifest, str) else rpkiManifest,
+ (signedObject,) if isinstance(signedObject, str) else signedObject)
- for x in exts:
- x[0] = rpki.oids.name2oid[x[0]]
- cert.setExtensions(exts)
+ if resources is not None:
+ cert.setRFC3779(
+ asn = ((r.min, r.max) for r in resources.asn),
+ ipv4 = ((rpki.POW.IPAddress(r.min, 4), rpki.POW.IPAddress(r.max, 4)) for r in resources.v4),
+ ipv6 = ((rpki.POW.IPAddress(r.min, 6), rpki.POW.IPAddress(r.max, 6)) for r in resources.v6))
cert.sign(keypair.get_POW(), rpki.POW.SHA256_DIGEST)
- return X509(POWpkix = cert)
+ return cls(POW = cert)
def bpki_cross_certify(self, keypair, source_cert, serial, notAfter,
now = None, pathLenConstraint = 0):
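Review bot: The check `assert sia is not None or not is_ca` in _issue is stripped when Python runs with `-O`, and it sits after most of the certificate has already been populated, so a CA certificate without SIA could then be signed. An explicit guard near the top of the function, `if is_ca and sia is None: raise ValueError("CA certificate requires SIA")`, does not depend on interpreter flags. Separately, the removed code skipped the RFC 3779 extensions when a resource set was empty; whether setRFC3779 does the same for an empty generator is not visible here and is worth confirming. _issue starts before this hunk.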
@@ -764,27 +770,21 @@ class X509(DER_object):
assert pathLenConstraint is None or (isinstance(pathLenConstraint, (int, long)) and
pathLenConstraint >= 0)
- extensions = [
- (rpki.oids.name2oid["subjectKeyIdentifier" ], False, subject_key.get_SKI())]
- if issuer_key != subject_key:
- extensions.append(
- (rpki.oids.name2oid["authorityKeyIdentifier"], False, (issuer_key.get_SKI(), (), None)))
- if is_ca:
- extensions.append(
- (rpki.oids.name2oid["basicConstraints" ], True, (1, pathLenConstraint)))
-
- cert = rpki.POW.pkix.Certificate()
+ cert = rpki.POW.X509()
cert.setVersion(2)
cert.setSerial(serial)
- cert.setIssuer(issuer_name.get_POWpkix())
- cert.setSubject(subject_name.get_POWpkix())
- cert.setNotBefore(now.toASN1tuple())
- cert.setNotAfter(notAfter.toASN1tuple())
- cert.tbs.subjectPublicKeyInfo.fromString(subject_key.get_DER())
- cert.setExtensions(extensions)
+ cert.setIssuer(issuer_name.get_POW())
+ cert.setSubject(subject_name.get_POW())
+ cert.setNotBefore(now)
+ cert.setNotAfter(notAfter)
+ cert.setPublicKey(subject_key.get_POW())
+ cert.setSKI(subject_key.get_POW().calculateSKI())
+ if issuer_key != subject_key:
+ cert.setAKI(issuer_key.get_POW().calculateSKI())
+ if is_ca:
+ cert.setBasicConstraints(True, pathLenConstraint)
cert.sign(keypair.get_POW(), rpki.POW.SHA256_DIGEST)
-
- return cls(POWpkix = cert)
+ return cls(POW = cert)
@classmethod
def normalize_chain(cls, chain):
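Review bot: The SKI and AKI are derived here with `subject_key.get_POW().calculateSKI()` and `issuer_key.get_POW().calculateSKI()`, while the removed lines used the wrapper's `get_SKI()`, which this commit redefines as exactly that call for RSA and RSApublic. Writing `cert.setSKI(subject_key.get_SKI())` and `cert.setAKI(issuer_key.get_SKI())` keeps a single way of deriving key identifiers in this file. The method's signature and argument handling lie outside the hunk.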
@@ -807,15 +807,27 @@ class X509(DER_object):
"""
return self.getNotBefore()
-
class PKCS10(DER_object):
"""
Class to hold a PKCS #10 request.
"""
- formats = ("DER", "POWpkix")
+ formats = ("DER", "POW")
pem_converter = PEM_converter("CERTIFICATE REQUEST")
-
+
+ ## @var expected_ca_keyUsage
+ # KeyUsage extension flags expected for CA requests.
+
+ expected_ca_keyUsage = frozenset(("keyCertSign", "cRLSign"))
+
+ ## @var allowed_extensions
+ # Extensions allowed by RPKI profile.
+
+ allowed_extensions = frozenset(rpki.oids.safe_name2dotted(name)
+ for name in ("basicConstraints",
+ "keyUsage",
+ "subjectInfoAccess"))
+
def get_DER(self):
"""
Get the DER value of this certification request.
@@ -823,33 +835,31 @@ class PKCS10(DER_object):
self.check()
if self.DER:
return self.DER
- if self.POWpkix:
- self.DER = self.POWpkix.toString()
+ if self.POW:
+ self.DER = self.POW.derWrite()
return self.get_DER()
raise rpki.exceptions.DERObjectConversionError, "No conversion path to DER available"
- def get_POWpkix(self):
+ def get_POW(self):
"""
- Get the rpki.POW.pkix value of this certification request.
+ Get the rpki.POW value of this certification request.
"""
self.check()
- if not self.POWpkix:
- req = rpki.POW.pkix.CertificationRequest()
- req.fromString(self.get_DER())
- self.POWpkix = req
- return self.POWpkix
+ if not self.POW: # pylint: disable=E0203
+ self.POW = rpki.POW.PKCS10.derRead(self.get_DER())
+ return self.POW
def getSubject(self):
"""
Extract the subject name from this certification request.
"""
- return X501DN(self.get_POWpkix().certificationRequestInfo.subject.get())
+ return X501DN.from_POW(self.get_POW().getSubject())
def getPublicKey(self):
"""
Extract the public key from this certification request.
"""
- return RSApublic(DER = self.get_POWpkix().certificationRequestInfo.subjectPublicKeyInfo.toString())
+ return RSApublic(POW = self.get_POW().getPublicKey())
def check_valid_rpki(self):
"""
@@ -866,72 +876,129 @@ class PKCS10(DER_object):
RPKI profile only allows EKU for EE certificates.
"""
- if not self.get_POWpkix().verify():
+ if not self.get_POW().verify():
raise rpki.exceptions.BadPKCS10, "Signature check failed"
- if self.get_POWpkix().certificationRequestInfo.version.get() != 0:
- raise rpki.exceptions.BadPKCS10, \
- "Bad version number %s" % self.get_POWpkix().certificationRequestInfo.version
+ ver = self.get_POW().getVersion()
- if rpki.oids.oid2name.get(self.get_POWpkix().signatureAlgorithm.algorithm.get()) != "sha256WithRSAEncryption":
- raise rpki.exceptions.BadPKCS10, "Bad signature algorithm %s" % self.get_POWpkix().signatureAlgorithm
+ if ver != 0:
+ raise rpki.exceptions.BadPKCS10, "Bad version number %s" % ver
- exts = dict((rpki.oids.oid2name.get(oid, oid), value)
- for (oid, critical, value) in self.get_POWpkix().getExtensions())
+ alg = rpki.oids.safe_dotted2name(self.get_POW().getSignatureAlgorithm())
- if any(oid not in ("basicConstraints", "keyUsage", "subjectInfoAccess") for oid in exts):
- raise rpki.exceptions.BadExtension, "Forbidden extension(s) in certificate request"
+ if alg != "sha256WithRSAEncryption":
+ raise rpki.exceptions.BadPKCS10, "Bad signature algorithm %s" % alg
- if "basicConstraints" not in exts or not exts["basicConstraints"][0]:
+ bc = self.get_POW().getBasicConstraints()
+
+ if bc is None or not bc[0]:
raise rpki.exceptions.BadPKCS10, "Request for EE certificate not allowed here"
- if exts["basicConstraints"][1] is not None:
+ if bc[1] is not None:
raise rpki.exceptions.BadPKCS10, "basicConstraints must not specify Path Length"
- if "keyUsage" in exts and (not exts["keyUsage"][5] or not exts["keyUsage"][6]):
- raise rpki.exceptions.BadPKCS10, "keyUsage doesn't match basicConstraints"
+ ku = self.get_POW().getKeyUsage()
- sias = dict((rpki.oids.oid2name.get(oid, oid), value[1])
- for oid, value in exts.get("subjectInfoAccess", ())
- if value[0] == "uri" and value[1].startswith("rsync://"))
+ if ku is not None and self.expected_ca_keyUsage != ku:
+ raise rpki.exceptions.BadPKCS10, "keyUsage doesn't match basicConstraints: %r" % ku
- for oid in ("id-ad-caRepository", "id-ad-rpkiManifest"):
- if oid not in sias:
- raise rpki.exceptions.BadPKCS10, "Certificate request is missing SIA %s" % oid
+ if any(oid not in self.allowed_extensions
+ for oid in self.get_POW().getExtensionOIDs()):
+ raise rpki.exceptions.BadExtension, "Forbidden extension(s) in certificate request"
- if not sias["id-ad-caRepository"].endswith("/"):
- raise rpki.exceptions.BadPKCS10, "Certificate request id-ad-caRepository does not end with slash: %r" % sias["id-ad-caRepository"]
+ sias = self.get_POW().getSIA()
- if sias["id-ad-rpkiManifest"].endswith("/"):
- raise rpki.exceptions.BadPKCS10, "Certificate request id-ad-rpkiManifest ends with slash: %r" % sias["id-ad-rpkiManifest"]
+ if sias is None:
+ raise rpki.exceptions.BadPKCS10, "Certificate request is missing SIA extension"
- @classmethod
- def create_ca(cls, keypair, sia = None):
- """
- Create a new request for a given keypair, including given SIA value.
- """
- exts = [["basicConstraints", True, (1, None)],
- ["keyUsage", True, (0, 0, 0, 0, 0, 1, 1)]]
- if sia is not None:
- exts.append(["subjectInfoAccess", False, sia])
- for x in exts:
- x[0] = rpki.oids.name2oid[x[0]]
- return cls.create(keypair, exts)
+ caRepository, rpkiManifest, signedObject = sias
+
+ if signedObject:
+ raise rpki.exceptions.BadPKCS10, "CA certificate request has SIA id-ad-signedObject"
+
+ if not caRepository:
+ raise rpki.exceptions.BadPKCS10, "Certificate request is missing SIA id-ad-caRepository"
+
+ if not any(uri.startswith("rsync://") for uri in caRepository):
+ raise rpki.exceptions.BadPKCS10, "Certificate request SIA id-ad-caRepository contains no rsync URIs"
+
+ if not rpkiManifest:
+ raise rpki.exceptions.BadPKCS10, "Certificate request is missing SIA id-ad-rpkiManifest"
+
+ if not any(uri.startswith("rsync://") for uri in rpkiManifest):
+ raise rpki.exceptions.BadPKCS10, "Certificate request SIA id-ad-rpkiManifest contains no rsync URIs"
+
+ if any(uri.startswith("rsync://") and not uri.endswith("/") for uri in caRepository):
+ raise rpki.exceptions.BadPKCS10, "Certificate request SIA id-ad-caRepository does not end with slash"
+
+ if any(uri.startswith("rsync://") and uri.endswith("/") for uri in rpkiManifest):
+ raise rpki.exceptions.BadPKCS10, "Certificate request SIA id-ad-rpkiManifest ends with slash"
@classmethod
- def create(cls, keypair, exts = None):
+ def create(cls, keypair, exts = None, is_ca = False,
+ caRepository = None, rpkiManifest = None, signedObject = None):
"""
- Create a new request for a given keypair, including given extensions.
+ Create a new request for a given keypair.
"""
+
+ assert exts is None, "Old calling sequence to rpki.x509.PKCS10.create()"
+
cn = "".join(("%02X" % ord(i) for i in keypair.get_SKI()))
- req = rpki.POW.pkix.CertificationRequest()
- req.certificationRequestInfo.version.set(0)
- req.certificationRequestInfo.subject.set((((rpki.oids.name2oid["commonName"],
- ("printableString", cn)),),))
- if exts is not None:
- req.setExtensions(exts)
+
+ if isinstance(caRepository, str):
+ caRepository = (caRepository,)
+
+ if isinstance(rpkiManifest, str):
+ rpkiManifest = (rpkiManifest,)
+
+ if isinstance(signedObject, str):
+ signedObject = (signedObject,)
+
+ req = rpki.POW.PKCS10()
+ req.setVersion(0)
+ req.setSubject(X501DN.from_cn(cn).get_POW())
+ req.setPublicKey(keypair.get_POW())
+
+ if is_ca:
+ req.setBasicConstraints(True, None)
+ req.setKeyUsage(cls.expected_ca_keyUsage)
+
+ if caRepository or rpkiManifest or signedObject:
+ req.setSIA(caRepository, rpkiManifest, signedObject)
+
req.sign(keypair.get_POW(), rpki.POW.SHA256_DIGEST)
- return cls(POWpkix = req)
+ return cls(POW = req)
+
+## @var generate_insecure_debug_only_rsa_key
+# Debugging hack to let us save throwaway RSA keys from one debug
+# session to the next. DO NOT USE THIS IN PRODUCTION.
+
+generate_insecure_debug_only_rsa_key = None
+
+class insecure_debug_only_rsa_key_generator(object):
+
+ def __init__(self, filename, keyno = 0):
+ try:
+ try:
+ import gdbm as dbm_du_jour
+ except ImportError:
+ import dbm as dbm_du_jour
+ self.keyno = long(keyno)
+ self.filename = filename
+ self.db = dbm_du_jour.open(filename, "c")
+ except:
+ rpki.log.warn("insecure_debug_only_rsa_key_generator initialization FAILED, hack inoperative")
+ raise
+
+ def __call__(self):
+ k = str(self.keyno)
+ try:
+ v = rpki.POW.Asymmetric.derReadPrivate(self.db[k])
+ except KeyError:
+ v = rpki.POW.Asymmetric(rpki.POW.RSA_CIPHER, 2048)
+ self.db[k] = v.derWritePrivate()
+ self.keyno += 1
+ return v
class RSA(DER_object):
"""
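Review bot: insecure_debug_only_rsa_key_generator stores unencrypted private keys (`self.db[k] = v.derWritePrivate()`) in a dbm file opened with `dbm_du_jour.open(filename, "c")`, so the file's permissions are whatever the process umask allows. Passing an explicit mode, `self.db = dbm_du_jour.open(filename, "c", 0600)`, keeps even throwaway keys unreadable to other local users. The class has no docstring; one stating that keys are cached by sequence number and reused across runs would make the DO NOT USE THIS IN PRODUCTION comment concrete. Separately, `assert exts is None` in create() is stripped under `python -O`, so the old calling sequence would then be accepted silently.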
@@ -949,7 +1016,7 @@ class RSA(DER_object):
if self.DER:
return self.DER
if self.POW:
- self.DER = self.POW.derWrite(rpki.POW.RSA_PRIVATE_KEY)
+ self.DER = self.POW.derWritePrivate()
return self.get_DER()
raise rpki.exceptions.DERObjectConversionError, "No conversion path to DER available"
@@ -958,8 +1025,8 @@ class RSA(DER_object):
Get the rpki.POW value of this keypair.
"""
self.check()
- if not self.POW:
- self.POW = rpki.POW.derRead(rpki.POW.RSA_PRIVATE_KEY, self.get_DER())
+ if not self.POW: # pylint: disable=E0203
+ self.POW = rpki.POW.Asymmetric.derReadPrivate(self.get_DER())
return self.POW
@classmethod
@@ -969,19 +1036,22 @@ class RSA(DER_object):
"""
if not quiet:
rpki.log.debug("Generating new %d-bit RSA key" % keylength)
- return cls(POW = rpki.POW.Asymmetric(rpki.POW.RSA_CIPHER, keylength))
+ if generate_insecure_debug_only_rsa_key is not None:
+ return cls(POW = generate_insecure_debug_only_rsa_key())
+ else:
+ return cls(POW = rpki.POW.Asymmetric(rpki.POW.RSA_CIPHER, keylength))
def get_public_DER(self):
"""
Get the DER encoding of the public key from this keypair.
"""
- return self.get_POW().derWrite(rpki.POW.RSA_PUBLIC_KEY)
+ return self.get_POW().derWritePublic()
def get_SKI(self):
"""
Calculate the SKI of this keypair.
"""
- return calculate_SKI(self.get_public_DER())
+ return self.get_POW().calculateSKI()
def get_RSApublic(self):
"""
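Review bot: When generate_insecure_debug_only_rsa_key is set, generate() returns a cached key without saying so: the only log line is still "Generating new %d-bit RSA key", and keylength is ignored because the generator hard-codes 2048. A distinct warning in that branch, `rpki.log.warn("Using insecure debug-only RSA key generator, keylength %d ignored" % keylength)`, would make an accidentally enabled hook visible in production logs. generate()'s signature is outside the hunk.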
@@ -1005,7 +1075,7 @@ class RSApublic(DER_object):
if self.DER:
return self.DER
if self.POW:
- self.DER = self.POW.derWrite(rpki.POW.RSA_PUBLIC_KEY)
+ self.DER = self.POW.derWritePublic()
return self.get_DER()
raise rpki.exceptions.DERObjectConversionError, "No conversion path to DER available"
@@ -1014,15 +1084,15 @@ class RSApublic(DER_object):
Get the rpki.POW value of this public key.
"""
self.check()
- if not self.POW:
- self.POW = rpki.POW.derRead(rpki.POW.RSA_PUBLIC_KEY, self.get_DER())
+ if not self.POW: # pylint: disable=E0203
+ self.POW = rpki.POW.Asymmetric.derReadPublic(self.get_DER())
return self.POW
def get_SKI(self):
"""
Calculate the SKI of this public key.
"""
- return calculate_SKI(self.get_DER())
+ return self.get_POW().calculateSKI()
def POWify_OID(oid):
"""
@@ -1036,21 +1106,13 @@ def POWify_OID(oid):
class CMS_object(DER_object):
"""
- Class to hold a CMS-wrapped object.
-
- CMS-wrapped objects are a little different from the other DER_object
- types because the signed object is CMS wrapping inner content that's
- also ASN.1, and due to our current minimal support for CMS we can't
- just handle this as a pretty composite object. So, for now anyway,
- a CMS_object is the outer CMS wrapped object so that the usual DER
- and PEM operations do the obvious things, and the inner content is
- handle via separate methods.
+ Abstract class to hold a CMS object.
"""
formats = ("DER", "POW")
- other_clear = ("content",)
econtent_oid = POWify_OID("id-data")
pem_converter = PEM_converter("CMS")
+ POW_class = rpki.POW.CMS
## @var dump_on_verify_failure
# Set this to True to get dumpasn1 dumps of ASN.1 on CMS verify failures.
@@ -1109,30 +1171,15 @@ class CMS_object(DER_object):
Get the rpki.POW value of this CMS_object.
"""
self.check()
- if not self.POW:
- self.POW = rpki.POW.derRead(rpki.POW.CMS_MESSAGE, self.get_DER())
+ if not self.POW: # pylint: disable=E0203
+ self.POW = self.POW_class.derRead(self.get_DER())
return self.POW
- def get_content(self):
- """
- Get the inner content of this CMS_object.
- """
- if self.content is None:
- raise rpki.exceptions.CMSContentNotSet, "Inner content of CMS object %r is not set" % self
- return self.content
-
- def set_content(self, content):
- """
- Set the (inner) content of this CMS_object, clearing the wrapper.
- """
- self.clear()
- self.content = content
-
def get_signingTime(self):
"""
Extract signingTime from CMS signed attributes.
"""
- return rpki.sundial.datetime.fromGeneralizedTime(self.get_POW().signingTime())
+ return self.get_POW().signingTime()
def verify(self, ta):
"""
@@ -1145,18 +1192,21 @@ class CMS_object(DER_object):
raise
except Exception:
if self.print_on_der_error:
- rpki.log.debug("Problem parsing DER CMS message, might not really be DER: %r" % self.get_DER())
+ rpki.log.debug("Problem parsing DER CMS message, might not really be DER: %r" %
+ self.get_DER())
raise rpki.exceptions.UnparsableCMSDER
if cms.eContentType() != self.econtent_oid:
- raise rpki.exceptions.WrongEContentType, "Got CMS eContentType %s, expected %s" % (cms.eContentType(), self.econtent_oid)
+ raise rpki.exceptions.WrongEContentType, "Got CMS eContentType %s, expected %s" % (
+ cms.eContentType(), self.econtent_oid)
certs = [X509(POW = x) for x in cms.certs()]
crls = [CRL(POW = c) for c in cms.crls()]
if self.debug_cms_certs:
for x in certs:
- rpki.log.debug("Received CMS cert issuer %s subject %s SKI %s" % (x.getIssuer(), x.getSubject(), x.hSKI()))
+ rpki.log.debug("Received CMS cert issuer %s subject %s SKI %s" % (
+ x.getIssuer(), x.getSubject(), x.hSKI()))
for c in crls:
rpki.log.debug("Received CMS CRL issuer %r" % (c.getIssuer(),))
@@ -1168,43 +1218,52 @@ class CMS_object(DER_object):
for x in X509.normalize_chain(ta):
if self.debug_cms_certs:
- rpki.log.debug("CMS trusted cert issuer %s subject %s SKI %s" % (x.getIssuer(), x.getSubject(), x.hSKI()))
+ rpki.log.debug("CMS trusted cert issuer %s subject %s SKI %s" % (
+ x.getIssuer(), x.getSubject(), x.hSKI()))
if x.getNotAfter() < now:
- raise rpki.exceptions.TrustedCMSCertHasExpired("Trusted CMS certificate has expired", "%s (%s)" % (x.getSubject(), x.hSKI()))
+ raise rpki.exceptions.TrustedCMSCertHasExpired("Trusted CMS certificate has expired",
+ "%s (%s)" % (x.getSubject(), x.hSKI()))
if not x.is_CA():
if trusted_ee is None:
trusted_ee = x
else:
- raise rpki.exceptions.MultipleCMSEECert("Multiple CMS EE certificates", *("%s (%s)" % (x.getSubject(), x.hSKI()) for x in ta if not x.is_CA()))
+ raise rpki.exceptions.MultipleCMSEECert("Multiple CMS EE certificates", *("%s (%s)" % (
+ x.getSubject(), x.hSKI()) for x in ta if not x.is_CA()))
store.addTrust(x.get_POW())
if trusted_ee:
if self.debug_cms_certs:
- rpki.log.debug("Trusted CMS EE cert issuer %s subject %s SKI %s" % (trusted_ee.getIssuer(), trusted_ee.getSubject(), trusted_ee.hSKI()))
+ rpki.log.debug("Trusted CMS EE cert issuer %s subject %s SKI %s" % (
+ trusted_ee.getIssuer(), trusted_ee.getSubject(), trusted_ee.hSKI()))
if len(certs) > 1 or (len(certs) == 1 and
(certs[0].getSubject() != trusted_ee.getSubject() or
certs[0].getPublicKey() != trusted_ee.getPublicKey())):
- raise rpki.exceptions.UnexpectedCMSCerts("Unexpected CMS certificates", *("%s (%s)" % (x.getSubject(), x.hSKI()) for x in certs))
+ raise rpki.exceptions.UnexpectedCMSCerts("Unexpected CMS certificates", *("%s (%s)" % (
+ x.getSubject(), x.hSKI()) for x in certs))
if crls:
- raise rpki.exceptions.UnexpectedCMSCRLs("Unexpected CRLs", *("%s (%s)" % (c.getIssuer(), c.hAKI()) for c in crls))
+ raise rpki.exceptions.UnexpectedCMSCRLs("Unexpected CRLs", *("%s (%s)" % (
+ c.getIssuer(), c.hAKI()) for c in crls))
else:
untrusted_ee = [x for x in certs if not x.is_CA()]
if len(untrusted_ee) < 1:
raise rpki.exceptions.MissingCMSEEcert
if len(untrusted_ee) > 1 or (not self.allow_extra_certs and len(certs) > len(untrusted_ee)):
- raise rpki.exceptions.UnexpectedCMSCerts("Unexpected CMS certificates", *("%s (%s)" % (x.getSubject(), x.hSKI()) for x in certs))
+ raise rpki.exceptions.UnexpectedCMSCerts("Unexpected CMS certificates", *("%s (%s)" % (
+ x.getSubject(), x.hSKI()) for x in certs))
if len(crls) < 1:
if self.require_crls:
raise rpki.exceptions.MissingCMSCRL
else:
rpki.log.warn("MISSING CMS CRL! Ignoring per self.require_crls setting")
if len(crls) > 1 and not self.allow_extra_crls:
- raise rpki.exceptions.UnexpectedCMSCRLs("Unexpected CRLs", *("%s (%s)" % (c.getIssuer(), c.hAKI()) for c in crls))
+ raise rpki.exceptions.UnexpectedCMSCRLs("Unexpected CRLs", *("%s (%s)" % (
+ c.getIssuer(), c.hAKI()) for c in crls))
for x in certs:
if x.getNotAfter() < now:
- raise rpki.exceptions.CMSCertHasExpired("CMS certificate has expired", "%s (%s)" % (x.getSubject(), x.hSKI()))
+ raise rpki.exceptions.CMSCertHasExpired("CMS certificate has expired", "%s (%s)" % (
+ x.getSubject(), x.hSKI()))
try:
content = cms.verify(store)
@@ -1221,8 +1280,7 @@ class CMS_object(DER_object):
rpki.log.warn(line)
raise rpki.exceptions.CMSVerificationFailed, "CMS verification failed"
- self.decode(content)
- return self.get_content()
+ return content
def extract(self):
"""
@@ -1245,12 +1303,13 @@ class CMS_object(DER_object):
raise rpki.exceptions.UnparsableCMSDER
if cms.eContentType() != self.econtent_oid:
- raise rpki.exceptions.WrongEContentType, "Got CMS eContentType %s, expected %s" % (cms.eContentType(), self.econtent_oid)
+ raise rpki.exceptions.WrongEContentType, "Got CMS eContentType %s, expected %s" % (
+ cms.eContentType(), self.econtent_oid)
- content = cms.verify(rpki.POW.X509Store(), None, rpki.POW.CMS_NOCRL | rpki.POW.CMS_NO_SIGNER_CERT_VERIFY | rpki.POW.CMS_NO_ATTR_VERIFY | rpki.POW.CMS_NO_CONTENT_VERIFY)
+ return cms.verify(rpki.POW.X509Store(), None,
+ (rpki.POW.CMS_NOCRL | rpki.POW.CMS_NO_SIGNER_CERT_VERIFY |
+ rpki.POW.CMS_NO_ATTR_VERIFY | rpki.POW.CMS_NO_CONTENT_VERIFY))
- self.decode(content)
- return self.get_content()
def sign(self, keypair, certs, crls = None, no_certs = False):
"""
@@ -1272,21 +1331,17 @@ class CMS_object(DER_object):
crls = (crls,)
if self.debug_cms_certs:
- rpki.log.debug("Signing with cert issuer %s subject %s SKI %s" % (cert.getIssuer(), cert.getSubject(), cert.hSKI()))
+ rpki.log.debug("Signing with cert issuer %s subject %s SKI %s" % (
+ cert.getIssuer(), cert.getSubject(), cert.hSKI()))
for i, c in enumerate(certs):
- rpki.log.debug("Additional cert %d issuer %s subject %s SKI %s" % (i, c.getIssuer(), c.getSubject(), c.hSKI()))
-
- cms = rpki.POW.CMS()
+ rpki.log.debug("Additional cert %d issuer %s subject %s SKI %s" % (
+ i, c.getIssuer(), c.getSubject(), c.hSKI()))
- cms.sign(cert.get_POW(),
- keypair.get_POW(),
- self.encode(),
- [x.get_POW() for x in certs],
- [c.get_POW() for c in crls],
- self.econtent_oid,
- rpki.POW.CMS_NOCERTS if no_certs else 0)
-
- self.POW = cms
+ self._sign(cert.get_POW(),
+ keypair.get_POW(),
+ [x.get_POW() for x in certs],
+ [c.get_POW() for c in crls],
+ rpki.POW.CMS_NOCERTS if no_certs else 0)
@property
def creation_timestamp(self):
@@ -1296,24 +1351,92 @@ class CMS_object(DER_object):
return self.get_signingTime()
-class DER_CMS_object(CMS_object):
+class Wrapped_CMS_object(CMS_object):
"""
- Class to hold CMS objects with DER-based content.
+ Abstract class to hold CMS objects wrapping non-DER content (eg, XML
+ or VCard).
+
+ CMS-wrapped objects are a little different from the other DER_object
+ types because the signed object is CMS wrapping some other kind of
+ inner content. A Wrapped_CMS_object is the outer CMS wrapped object
+ so that the usual DER and PEM operations do the obvious things, and
+ the inner content is handle via separate methods.
"""
- def encode(self):
+ other_clear = ("content",)
+
+ def get_content(self):
"""
- Encode inner content for signing.
+ Get the inner content of this Wrapped_CMS_object.
"""
- return self.get_content().toString()
+ if self.content is None:
+ raise rpki.exceptions.CMSContentNotSet, "Inner content of CMS object %r is not set" % self
+ return self.content
- def decode(self, der):
+ def set_content(self, content):
+ """
+ Set the (inner) content of this Wrapped_CMS_object, clearing the wrapper.
"""
- Decode DER and set inner content.
+ self.clear()
+ self.content = content
+
+ def verify(self, ta):
+ """
+ Verify CMS wrapper and store inner content.
+ """
+
+ self.decode(CMS_object.verify(self, ta))
+ return self.get_content()
+
+ def extract(self):
+ """
+ Extract and store inner content from CMS wrapper without verifying
+ the CMS.
+
+ DANGER WILL ROBINSON!!!
+
+ Do not use this method on unvalidated data. Use the verify()
+ method instead.
+
+ If you don't understand this warning, don't use this method.
"""
- obj = self.content_class()
- obj.fromString(der)
- self.content = obj
+
+ self.decode(CMS_object.extract(self))
+ return self.get_content()
+
+ def _sign(self, cert, keypair, certs, crls, flags):
+ """
+ Internal method to call POW to do CMS signature. This is split
+ out from the .sign() API method to handle differences in how
+ different CMS-based POW classes handle the inner content.
+ """
+
+ cms = self.POW_class()
+ cms.sign(cert, keypair, self.encode(), certs, crls, self.econtent_oid, flags)
+ self.POW = cms
+
+
+class DER_CMS_object(CMS_object):
+ """
+ Abstract class for CMS-based objects with DER-encoded content
+ handled by C-level subclasses of rpki.POW.CMS.
+ """
+
+ def _sign(self, cert, keypair, certs, crls, flags):
+ self.get_POW().sign(cert, keypair, certs, crls, self.econtent_oid, flags)
+
+
+ def extract_if_needed(self):
+ """
+ Extract inner content if needed. See caveats for .extract(), do
+ not use unless you really know what you are doing.
+ """
+
+ try:
+ self.get_POW().getVersion()
+ except rpki.POW.NotVerifiedError:
+ self.extract()
+
class SignedManifest(DER_CMS_object):
"""
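Review bot: extract_if_needed() falls back to extract() whenever getVersion() raises NotVerifiedError, and extract() runs cms.verify with the signer, attribute and content checks disabled, so after this call a caller cannot tell verified content from merely parsed content. The docstring should say that directly, for example `After this call the POW getters may return data whose signature was never checked.`, and callers that act on the content should use verify() first. DER_CMS_object._sign has no docstring; a line noting that no encode() step is passed because the POW subclass presumably holds the inner content itself would match the one on Wrapped_CMS_object._sign. In the Wrapped_CMS_object docstring, "is handle via" should read "is handled via".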
@@ -1321,41 +1444,43 @@ class SignedManifest(DER_CMS_object):
"""
pem_converter = PEM_converter("RPKI MANIFEST")
- content_class = rpki.manifest.Manifest
econtent_oid = POWify_OID("id-ct-rpkiManifest")
+ POW_class = rpki.POW.Manifest
def getThisUpdate(self):
"""
Get thisUpdate value from this manifest.
"""
- return rpki.sundial.datetime.fromGeneralizedTime(self.get_content().thisUpdate.get())
+ return self.get_POW().getThisUpdate()
def getNextUpdate(self):
"""
Get nextUpdate value from this manifest.
"""
- return rpki.sundial.datetime.fromGeneralizedTime(self.get_content().nextUpdate.get())
+ return self.get_POW().getNextUpdate()
@classmethod
def build(cls, serial, thisUpdate, nextUpdate, names_and_objs, keypair, certs, version = 0):
"""
Build a signed manifest.
"""
- self = cls()
+
filelist = []
for name, obj in names_and_objs:
d = rpki.POW.Digest(rpki.POW.SHA256_DIGEST)
d.update(obj.get_DER())
filelist.append((name.rpartition("/")[2], d.digest()))
filelist.sort(key = lambda x: x[0])
- m = rpki.manifest.Manifest()
- m.version.set(version)
- m.manifestNumber.set(serial)
- m.thisUpdate.set(thisUpdate.toGeneralizedTime())
- m.nextUpdate.set(nextUpdate.toGeneralizedTime())
- m.fileHashAlg.set(rpki.oids.name2oid["id-sha256"])
- m.fileList.set(filelist)
- self.set_content(m)
+
+ obj = cls.POW_class()
+ obj.setVersion(version)
+ obj.setManifestNumber(serial)
+ obj.setThisUpdate(thisUpdate)
+ obj.setNextUpdate(nextUpdate)
+ obj.setAlgorithm(POWify_OID(rpki.oids.name2oid["id-sha256"]))
+ obj.addFiles(filelist)
+
+ self = cls(POW = obj)
self.sign(keypair, certs)
return self
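Review bot: `obj.setAlgorithm(POWify_OID(rpki.oids.name2oid["id-sha256"]))` looks the OID up by hand before calling POWify_OID, whereas every other call site in this diff passes the name directly, e.g. `POWify_OID("id-ct-rpkiManifest")`. If POWify_OID accepts names as those call sites suggest (its body is not visible here), `obj.setAlgorithm(POWify_OID("id-sha256"))` is the consistent form. If it only accepts names, the current line would fail at runtime, so a test that builds a manifest is worth having either way.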
@@ -1365,31 +1490,23 @@ class ROA(DER_CMS_object):
"""
pem_converter = PEM_converter("ROUTE ORIGIN ATTESTATION")
- content_class = rpki.roa.RouteOriginAttestation
econtent_oid = POWify_OID("id-ct-routeOriginAttestation")
+ POW_class = rpki.POW.ROA
@classmethod
def build(cls, asn, ipv4, ipv6, keypair, certs, version = 0):
"""
Build a ROA.
"""
- try:
- self = cls()
- r = rpki.roa.RouteOriginAttestation()
- r.version.set(version)
- r.asID.set(asn)
- r.ipAddrBlocks.set((a.to_roa_tuple() for a in (ipv4, ipv6) if a))
- self.set_content(r)
- self.sign(keypair, certs)
- return self
- except rpki.POW.pkix.DerError, e:
- rpki.log.debug("Encoding error while generating ROA %r: %s" % (self, e))
- rpki.log.debug("ROA inner content: %r" % (r.get(),))
- raise
-
- _afi_map = dict((cls.resource_set_type.afi, cls)
- for cls in (rpki.resource_set.roa_prefix_set_ipv4,
- rpki.resource_set.roa_prefix_set_ipv6))
+ ipv4 = ipv4.to_POW_roa_tuple() if ipv4 else None
+ ipv6 = ipv6.to_POW_roa_tuple() if ipv6 else None
+ obj = cls.POW_class()
+ obj.setVersion(version)
+ obj.setASID(asn)
+ obj.setPrefixes(ipv4 = ipv4, ipv6 = ipv6)
+ self = cls(POW = obj)
+ self.sign(keypair, certs)
+ return self
def tracking_data(self, uri):
"""
@@ -1398,42 +1515,25 @@ class ROA(DER_CMS_object):
"""
msg = DER_CMS_object.tracking_data(self, uri)
try:
- if self.content is None:
+ try:
+ self.get_POW().getVersion()
+ except rpki.POW.NotVerifiedError:
self.extract()
- roa = self.get_content()
- asn = roa.asID.get()
- prefix_sets = {}
- for fam in roa.ipAddrBlocks:
- afi = fam.addressFamily.get()
- prefix_sets[afi] = prefix_set = self._afi_map[afi]()
- addr_type = prefix_set.resource_set_type.range_type.datum_type
- for addr in fam.addresses:
- prefix = addr.address.get()
- prefixlen = len(prefix)
- prefix = addr_type(rpki.resource_set._bs2long(prefix, addr_type.bits, 0))
- maxprefixlen = addr.maxLength.get()
- prefix_set.append(prefix_set.prefix_type(prefix, prefixlen, maxprefixlen))
- msg = "%s %s %s" % (msg, asn,
- ",".join(str(prefix_sets[i]) for i in sorted(prefix_sets)))
- except:
+ asn = self.get_POW().getASID()
+ text = []
+ for prefixes in self.get_POW().getPrefixes():
+ if prefixes is not None:
+ for prefix, prefixlen, maxprefixlen in prefixes:
+ if maxprefixlen is None or prefixlen == maxprefixlen:
+ text.append("%s/%s" % (prefix, prefixlen))
+ else:
+ text.append("%s/%s-%s" % (prefix, prefixlen, maxprefixlen))
+ text.sort()
+ msg = "%s %s %s" % (msg, asn, ",".join(text))
+ except: # pylint: disable=W0702
pass
return msg
-class Ghostbuster(DER_CMS_object):
- """
- Class to hold a signed Ghostbuster record.
- """
-
- content_class = rpki.ghostbuster.Ghostbuster
-
- @classmethod
- def build(cls, vcard, keypair, certs):
- self = cls()
- gbr = content_class(vcard)
- self.set_content(gbr)
- self.sign(keypair, certs)
- return self
-
class DeadDrop(object):
"""
Dead-drop utility for storing copies of CMS messages for debugging or
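Review bot: tracking_data() keeps a bare `except:` (now with a pylint suppression) around code that calls extract() on possibly unvalidated data, so every failure, including KeyboardInterrupt and SystemExit, is silently dropped. `except Exception:` keeps the best-effort behaviour without swallowing interpreter exits, and the W0702 suppression is then unnecessary. The inner try/except on rpki.POW.NotVerifiedError repeats what DER_CMS_object.extract_if_needed() does elsewhere in this commit; `self.extract_if_needed()` would replace those four lines.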
@@ -1465,7 +1565,7 @@ class DeadDrop(object):
rpki.log.warn("Could not write to mailbox %s: %e" % (self.name, e))
self.warned = True
-class XML_CMS_object(CMS_object):
+class XML_CMS_object(Wrapped_CMS_object):
"""
Class to hold CMS-wrapped XML protocol data.
"""
@@ -1484,11 +1584,24 @@ class XML_CMS_object(CMS_object):
dump_inbound_cms = None
+ ## @var check_inbound_schema
+ # If set, perform RelaxNG schema check on inbound messages.
+
+ check_inbound_schema = True
+
+ ## @var check_outbound_schema
+ # If set, perform RelaxNG schema check on outbound messages.
+
+ check_outbound_schema = False
+
def encode(self):
"""
Encode inner content for signing.
"""
- return lxml.etree.tostring(self.get_content(), pretty_print = True, encoding = self.encoding, xml_declaration = True)
+ return lxml.etree.tostring(self.get_content(),
+ pretty_print = True,
+ encoding = self.encoding,
+ xml_declaration = True)
def decode(self, xml):
"""
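Review bot: The two new flags are documented only as "If set, perform RelaxNG schema check", which does not say why outbound checking now defaults to False or what is lost when inbound checking is turned off. In the later hunks that use them, the outbound path signs the message without schema_check() unless check_outbound_schema is set, and the inbound path hands the received XML to saxify without schema_check() when check_inbound_schema is False. I would extend the comments, e.g. `# Disabling this passes unvalidated inbound XML to saxify; debugging only.` on check_inbound_schema, and add a line on check_outbound_schema giving the reason for the default (presumably cost, which is not stated here).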
@@ -1500,7 +1613,10 @@ class XML_CMS_object(CMS_object):
"""
Pretty print XML content of this message.
"""
- return lxml.etree.tostring(self.get_content(), pretty_print = True, encoding = self.encoding, xml_declaration = True)
+ return lxml.etree.tostring(self.get_content(),
+ pretty_print = True,
+ encoding = self.encoding,
+ xml_declaration = True)
def schema_check(self):
"""
@@ -1531,7 +1647,8 @@ class XML_CMS_object(CMS_object):
self.set_content(msg)
else:
self.set_content(msg.toXML())
- self.schema_check()
+ if self.check_outbound_schema:
+ self.schema_check()
self.sign(keypair, certs, crls)
if self.dump_outbound_cms:
self.dump_outbound_cms.dump(self)
@@ -1544,11 +1661,12 @@ class XML_CMS_object(CMS_object):
if self.dump_inbound_cms:
self.dump_inbound_cms.dump(self)
self.verify(ta)
- self.schema_check()
+ if self.check_inbound_schema:
+ self.schema_check()
if self.saxify is None:
return self.get_content()
else:
- return self.saxify(self.get_content())
+ return self.saxify(self.get_content()) # pylint: disable=E1102
def check_replay(self, timestamp):
"""
@@ -1583,7 +1701,7 @@ class SignedReferral(XML_CMS_object):
schema = rpki.relaxng.myrpki
saxify = None
-class Ghostbuster(CMS_object):
+class Ghostbuster(Wrapped_CMS_object):
"""
Class to hold Ghostbusters record (CMS-wrapped VCard). This is
quite minimal because we treat the VCard as an opaque byte string
@@ -1623,7 +1741,7 @@ class CRL(DER_object):
Class to hold a Certificate Revocation List.
"""
- formats = ("DER", "POW", "POWpkix")
+ formats = ("DER", "POW")
pem_converter = PEM_converter("X509 CRL")
def get_DER(self):
@@ -1636,9 +1754,6 @@ class CRL(DER_object):
if self.POW:
self.DER = self.POW.derWrite()
return self.get_DER()
- if self.POWpkix:
- self.DER = self.POWpkix.toString()
- return self.get_DER()
raise rpki.exceptions.DERObjectConversionError, "No conversion path to DER available"
def get_POW(self):
@@ -1646,56 +1761,49 @@ class CRL(DER_object):
Get the rpki.POW value of this CRL.
"""
self.check()
- if not self.POW:
- self.POW = rpki.POW.derRead(rpki.POW.X509_CRL, self.get_DER())
+ if not self.POW: # pylint: disable=E0203
+ self.POW = rpki.POW.CRL.derRead(self.get_DER())
return self.POW
- def get_POWpkix(self):
- """
- Get the rpki.POW.pkix value of this CRL.
- """
- self.check()
- if not self.POWpkix:
- crl = rpki.POW.pkix.CertificateList()
- crl.fromString(self.get_DER())
- self.POWpkix = crl
- return self.POWpkix
-
def getThisUpdate(self):
"""
Get thisUpdate value from this CRL.
"""
- return rpki.sundial.datetime.fromASN1tuple(self.get_POWpkix().getThisUpdate())
+ return self.get_POW().getThisUpdate()
def getNextUpdate(self):
"""
Get nextUpdate value from this CRL.
"""
- return rpki.sundial.datetime.fromASN1tuple(self.get_POWpkix().getNextUpdate())
+ return self.get_POW().getNextUpdate()
def getIssuer(self):
"""
Get issuer value of this CRL.
"""
- return X501DN(self.get_POWpkix().getIssuer())
+ return X501DN.from_POW(self.get_POW().getIssuer())
+
+ def getCRLNumber(self):
+ """
+ Get CRL Number value for this CRL.
+ """
+ return self.get_POW().getCRLNumber()
@classmethod
- def generate(cls, keypair, issuer, serial, thisUpdate, nextUpdate, revokedCertificates, version = 1, digestType = "sha256WithRSAEncryption"):
+ def generate(cls, keypair, issuer, serial, thisUpdate, nextUpdate, revokedCertificates, version = 1):
"""
Generate a new CRL.
"""
- crl = rpki.POW.pkix.CertificateList()
+ crl = rpki.POW.CRL()
crl.setVersion(version)
- crl.setIssuer(issuer.get_POWpkix().getSubject())
- crl.setThisUpdate(thisUpdate.toASN1tuple())
- crl.setNextUpdate(nextUpdate.toASN1tuple())
- if revokedCertificates:
- crl.setRevokedCertificates(revokedCertificates)
- crl.setExtensions(
- ((rpki.oids.name2oid["authorityKeyIdentifier"], False, (issuer.get_SKI(), (), None)),
- (rpki.oids.name2oid["cRLNumber"], False, serial)))
- crl.sign(keypair.get_POW(), digestType)
- return cls(POWpkix = crl)
+ crl.setIssuer(issuer.getSubject().get_POW())
+ crl.setThisUpdate(thisUpdate)
+ crl.setNextUpdate(nextUpdate)
+ crl.setAKI(issuer.get_SKI())
+ crl.setCRLNumber(serial)
+ crl.addRevocations(revokedCertificates)
+ crl.sign(keypair.get_POW())
+ return cls(POW = crl)
@property
def creation_timestamp(self):
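Review bot: `generate()` now calls `crl.addRevocations(revokedCertificates)` unconditionally, where the old code skipped the call for an empty or None value. Whether `addRevocations` accepts None is not visible here, so keeping the guard `if revokedCertificates:` would preserve the old behaviour. The `digestType` keyword is also gone from the signature, so any caller still passing it now fails with a TypeError. `crl.sign(keypair.get_POW())` relies on whatever digest the POW binding defaults to; a one-line comment naming the expected digest (the old default was `sha256WithRSAEncryption`) would make a silent algorithm change easy to spot.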
diff --git a/rpkid/rpki/xml_utils.py b/rpkid/rpki/xml_utils.py
index 27c1f1e6..156d0e48 100644
--- a/rpkid/rpki/xml_utils.py
+++ b/rpkid/rpki/xml_utils.py
@@ -3,7 +3,7 @@ XML utilities.
$Id$
-Copyright (C) 2009-2011 Internet Systems Consortium ("ISC")
+Copyright (C) 2009-2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -206,7 +206,7 @@ class base_elt(object):
"""
Convert a base_elt object to string format.
"""
- lxml.etree.tostring(self.toXML(), pretty_print = True, encoding = "us-ascii")
+ return lxml.etree.tostring(self.toXML(), pretty_print = True, encoding = "us-ascii")
@classmethod
def make_pdu(cls, **kargs):
@@ -451,7 +451,7 @@ class msg(list):
"""
Convert msg object to string.
"""
- lxml.etree.tostring(self.toXML(), pretty_print = True, encoding = "us-ascii")
+ return lxml.etree.tostring(self.toXML(), pretty_print = True, encoding = "us-ascii")
def toXML(self):
"""
diff --git a/rpkid/setup.py b/rpkid/setup.py
index 28a447e1..2695ceba 100644
--- a/rpkid/setup.py
+++ b/rpkid/setup.py
@@ -1,6 +1,6 @@
# $Id$
#
-# Copyright (C) 2011 Internet Systems Consortium ("ISC")
+# Copyright (C) 2011-2012 Internet Systems Consortium ("ISC")
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@@ -37,6 +37,8 @@ ac_libexecdir = os.getenv("AC_LIBEXECDIR", "").strip()
# this insanity is to kludge around pre-existing OpenSSL libraries
# that would screw up our build without these gymnastics.
+# pylint: disable=W0622
+
pow = Extension("rpki.POW._POW", ["ext/POW.c"],
extra_compile_args = ac_cflags,
extra_link_args = ac_ldflags + ac_libs)
diff --git a/rpkid/tests/Makefile.in b/rpkid/tests/Makefile.in
index 35cd70c3..e4820738 100644
--- a/rpkid/tests/Makefile.in
+++ b/rpkid/tests/Makefile.in
@@ -63,9 +63,25 @@ yamltest:
${PYTHON} sql-cleaner.py
${PYTHON} yamltest.py ${YAMLTEST_CONFIG}
+YAMLCONF_CONFIG = ${YAMLTEST_CONFIG}
+
+yamlconf:
+ rm -rf yamltest.dir rcynic-data
+ ${PYTHON} sql-cleaner.py
+ ${PYTHON} yamlconf.py --loopback ${YAMLCONF_CONFIG}
+ @echo
+ ${PYTHON} yamltest.py --skip_config --synchronize ${YAMLCONF_CONFIG}
+
+yamlconf-profile:
+ rm -rf yamltest.dir rcynic-data
+ ${PYTHON} sql-cleaner.py
+ ${PYTHON} yamlconf.py --loopback --profile yamlconf.prof ${YAMLCONF_CONFIG}
+ @echo
+ ${PYTHON} yamltest.py --skip_config --synchronize --profile ${YAMLCONF_CONFIG}
+
backup:
${PYTHON} sql-dumper.py
- tar cvvzf yamltest.backup.$$(TZ='' date +%Y.%m.%d.%H.%M.%S).tgz screenlog.* yamltest.dir backup.*.sql
+ tar cvvJf yamltest.backup.$$(TZ='' date +%Y.%m.%d.%H.%M.%S).txz screenlog.* yamltest.dir backup.*.sql
rm backup.*.sql
distclean: clean
diff --git a/rpkid/tests/myrpki-xml-parse-test.py b/rpkid/tests/myrpki-xml-parse-test.py
index 5aaf5cbf..6818dbe5 100644
--- a/rpkid/tests/myrpki-xml-parse-test.py
+++ b/rpkid/tests/myrpki-xml-parse-test.py
@@ -3,7 +3,7 @@ Test parser and display tool for myrpki.xml files.
$Id$
-Copyright (C) 2009--2010 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -29,9 +29,9 @@ if False:
relaxng.assertValid(tree)
-def showitems(x):
+def showitems(y):
if False:
- for k, v in x.items():
+ for k, v in y.items():
if v:
print " ", k, v
diff --git a/rpkid/tests/rcynic.conf b/rpkid/tests/rcynic.conf
index ade1c1a3..ea31fe58 100644
--- a/rpkid/tests/rcynic.conf
+++ b/rpkid/tests/rcynic.conf
@@ -11,5 +11,4 @@ use-stderr = yes
log-level = log_debug
max-parallel-fetches = 32
-#trust-anchor = yamltest.dir/RIR/publication/root.cer
trust-anchor-locator = yamltest.dir/root.tal
diff --git a/rpkid/tests/smoketest.py b/rpkid/tests/smoketest.py
index bb97108b..67e31fed 100644
--- a/rpkid/tests/smoketest.py
+++ b/rpkid/tests/smoketest.py
@@ -17,7 +17,7 @@ things that don't belong in yaml_script.
$Id$
-Copyright (C) 2009--2011 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -46,9 +46,25 @@ OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
"""
-import os, yaml, warnings, subprocess, signal, time, getopt, sys, errno
-import rpki.resource_set, rpki.sundial, rpki.x509, rpki.http
-import rpki.log, rpki.left_right, rpki.config, rpki.publication, rpki.async
+# pylint: disable=W0621
+
+import os
+import yaml
+import subprocess
+import signal
+import time
+import getopt
+import sys
+import errno
+import rpki.resource_set
+import rpki.sundial
+import rpki.x509
+import rpki.http
+import rpki.log
+import rpki.left_right
+import rpki.config
+import rpki.publication
+import rpki.async
from rpki.mysql_import import MySQLdb
@@ -158,6 +174,11 @@ class CouldntIssueBSCEECertificate(Exception):
Couldn't issue BSC EE certificate
"""
+sql_conversions = MySQLdb.converters.conversions.copy()
+sql_conversions.update({
+ rpki.sundial.datetime : MySQLdb.converters.DateTime2literal,
+ MySQLdb.converters.FIELD_TYPE.DATETIME : rpki.sundial.datetime.DateTime_or_None })
+
def main():
"""
Main program.
@@ -194,21 +215,21 @@ def main():
# Apparently os.walk() can't tell the difference between directories
# and symlinks to directories, so we have to handle both.
for root, dirs, files in os.walk(".", topdown = False):
- for file in files:
- if not file.endswith(".key"):
- os.remove(os.path.join(root, file))
- for dir in dirs:
+ for fn in files:
+ if not fn.endswith(".key"):
+ os.remove(os.path.join(root, fn))
+ for d in dirs:
try:
- os.rmdir(os.path.join(root, dir))
+ os.rmdir(os.path.join(root, d))
except OSError, e:
if e.errno == errno.ENOTDIR:
- os.remove(os.path.join(root, dir))
+ os.remove(os.path.join(root, d))
else:
raise
rpki.log.info("Reading master YAML configuration")
y = yaml_script.pop(0)
-
+
rpki.log.info("Constructing internal allocation database")
db = allocation_db(y)
@@ -218,6 +239,7 @@ def main():
rpki.log.info("Constructing BPKI keys and certs for pubd")
setup_bpki_cert_chain(pubd_name, ee = ("PUBD", "IRBE"))
+
for a in db:
a.setup_bpki_certs()
@@ -322,13 +344,15 @@ def main():
for proc, name in ((rootd_process, "rootd"),
(pubd_process, "pubd"),
(rsyncd_process, "rsyncd")):
- if proc is not None:
+ # pylint: disable=E1103
+ if proc is not None and proc.poll() is None:
rpki.log.info("Killing %s, pid %s" % (name, proc.pid))
try:
- os.kill(proc.pid, signal.SIGTERM)
+ proc.terminate()
except OSError:
pass
- proc.wait()
+ if proc is not None:
+ rpki.log.info("Daemon %s, pid %s exited with code %s" % (name, proc.pid, proc.wait()))
def cmd_sleep(cb, interval):
"""
@@ -409,17 +433,14 @@ class allocation_db(list):
self.root.regen_margin = rpki.sundial.timedelta.parse(cfg.get("regen_margin", "1d")).convert_to_seconds()
for a in self:
if a.sia_base is None:
- a.sia_base = (rootd_sia if a.is_root else a.parent.sia_base) + a.name + "/"
+ a.sia_base = (rootd_sia + "root/trunk/" if a.is_root else a.parent.sia_base) + a.name + "/"
if a.base.valid_until is None:
a.base.valid_until = a.parent.base.valid_until
if a.crl_interval is None:
a.crl_interval = a.parent.crl_interval
if a.regen_margin is None:
a.regen_margin = a.parent.regen_margin
- i = 0
- for j in xrange(4):
- i = a.sia_base.index("/", i) + 1
- a.client_handle = a.sia_base[i:].rstrip("/")
+ a.client_handle = "/".join(a.sia_base.split("/")[4:]).rstrip("/")
self.root.closure()
self.map = dict((a.name, a) for a in self)
self.engines = [a for a in self if a.is_engine]
@@ -471,6 +492,8 @@ class allocation(object):
crl_interval = None
regen_margin = None
last_cms_time = None
+ rpkid_process = None
+ irdbd_process = None
def __init__(self, yaml, db, parent = None):
"""
@@ -482,7 +505,7 @@ class allocation(object):
self.kids = [allocation(k, db, self) for k in yaml.get("kids", ())]
valid_until = None
if "valid_until" in yaml:
- valid_until = rpki.sundial.datetime.fromdatetime(yaml.get("valid_until"))
+ valid_until = rpki.sundial.datetime.from_datetime(yaml.get("valid_until"))
if valid_until is None and "valid_for" in yaml:
valid_until = rpki.sundial.now() + rpki.sundial.timedelta.parse(yaml["valid_for"])
self.base = rpki.resource_set.resource_bag(
@@ -498,9 +521,9 @@ class allocation(object):
self.roa_requests = [roa_request.parse(y) for y in yaml.get("roa_request", yaml.get("route_origin", ()))]
for r in self.roa_requests:
if r.v4:
- self.base.v4 = self.base.v4.union(r.v4.to_resource_set())
+ self.base.v4 |= r.v4.to_resource_set()
if r.v6:
- self.base.v6 = self.base.v6.union(r.v6.to_resource_set())
+ self.base.v6 |= r.v6.to_resource_set()
self.hosted_by = yaml.get("hosted_by")
self.extra_conf = yaml.get("extra_conf", [])
self.hosts = []
@@ -511,7 +534,7 @@ class allocation(object):
"""
resources = self.base
for kid in self.kids:
- resources = resources.union(kid.closure())
+ resources |= kid.closure()
self.resources = resources
return resources
@@ -531,31 +554,31 @@ class allocation(object):
rpki.async.iterator(yaml.items(), loop, cb)
def apply_add_as(self, text, cb):
- self.base.asn = self.base.asn.union(rpki.resource_set.resource_set_as(text))
+ self.base.asn |= rpki.resource_set.resource_set_as(text)
cb()
def apply_add_v4(self, text, cb):
- self.base.v4 = self.base.v4.union(rpki.resource_set.resource_set_ipv4(text))
+ self.base.v4 |= rpki.resource_set.resource_set_ipv4(text)
cb()
def apply_add_v6(self, text, cb):
- self.base.v6 = self.base.v6.union(rpki.resource_set.resource_set_ipv6(text))
+ self.base.v6 |= rpki.resource_set.resource_set_ipv6(text)
cb()
def apply_sub_as(self, text, cb):
- self.base.asn = self.base.asn.difference(rpki.resource_set.resource_set_as(text))
+ self.base.asn |= rpki.resource_set.resource_set_as(text)
cb()
def apply_sub_v4(self, text, cb):
- self.base.v4 = self.base.v4.difference(rpki.resource_set.resource_set_ipv4(text))
+ self.base.v4 |= rpki.resource_set.resource_set_ipv4(text)
cb()
def apply_sub_v6(self, text, cb):
- self.base.v6 = self.base.v6.difference(rpki.resource_set.resource_set_ipv6(text))
+ self.base.v6 |= rpki.resource_set.resource_set_ipv6(text)
cb()
def apply_valid_until(self, stamp, cb):
- self.base.valid_until = rpki.sundial.datetime.fromdatetime(stamp)
+ self.base.valid_until = rpki.sundial.datetime.from_datetime(stamp)
cb()
def apply_valid_for(self, text, cb):
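Review bot: `apply_sub_as`, `apply_sub_v4` and `apply_sub_v6` now use `|=`, which adds the listed resources instead of removing them; the removed lines called `.difference(...)`. With this change a subtract step in a test script grows the allocation, so the shrink and revocation paths are no longer exercised and the smoke test can pass without testing them. Unless the resource-set classes define `-=` (not visible here), keep the old form, e.g. `self.base.asn = self.base.asn.difference(rpki.resource_set.resource_set_as(text))`, and likewise for v4 and v6.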
@@ -711,7 +734,8 @@ class allocation(object):
Set up this entity's IRDB.
"""
rpki.log.info("Setting up MySQL for %s" % self.name)
- db = MySQLdb.connect(user = "rpki", db = self.rpki_db_name, passwd = rpki_db_pass)
+ db = MySQLdb.connect(user = "rpki", db = self.rpki_db_name, passwd = rpki_db_pass,
+ conv = sql_conversions)
cur = db.cursor()
db.autocommit(True)
for sql in rpki_sql:
@@ -721,7 +745,8 @@ class allocation(object):
if "DROP TABLE IF EXISTS" not in sql.upper():
raise
db.close()
- db = MySQLdb.connect(user = "irdb", db = self.irdb_db_name, passwd = irdb_db_pass)
+ db = MySQLdb.connect(user = "irdb", db = self.irdb_db_name, passwd = irdb_db_pass,
+ conv = sql_conversions)
cur = db.cursor()
db.autocommit(True)
for sql in irdb_sql:
@@ -733,7 +758,7 @@ class allocation(object):
for s in [self] + self.hosts:
for kid in s.kids:
cur.execute("INSERT registrant (registrant_handle, registry_handle, valid_until) VALUES (%s, %s, %s)",
- (kid.name, s.name, kid.resources.valid_until.to_sql()))
+ (kid.name, s.name, kid.resources.valid_until))
db.close()
def sync_sql(self):
@@ -743,7 +768,8 @@ class allocation(object):
this entity.
"""
rpki.log.info("Updating MySQL data for IRDB %s" % self.name)
- db = MySQLdb.connect(user = "irdb", db = self.irdb_db_name, passwd = irdb_db_pass)
+ db = MySQLdb.connect(user = "irdb", db = self.irdb_db_name, passwd = irdb_db_pass,
+ conv = sql_conversions)
cur = db.cursor()
db.autocommit(True)
cur.execute("DELETE FROM registrant_asn")
@@ -760,7 +786,7 @@ class allocation(object):
cur.execute("INSERT registrant_net (start_ip, end_ip, version, registrant_id) VALUES (%s, %s, 4, %s)", (v4_range.min, v4_range.max, registrant_id))
for v6_range in kid.resources.v6:
cur.execute("INSERT registrant_net (start_ip, end_ip, version, registrant_id) VALUES (%s, %s, 6, %s)", (v6_range.min, v6_range.max, registrant_id))
- cur.execute("UPDATE registrant SET valid_until = %s WHERE registrant_id = %s", (kid.resources.valid_until.to_sql(), registrant_id))
+ cur.execute("UPDATE registrant SET valid_until = %s WHERE registrant_id = %s", (kid.resources.valid_until, registrant_id))
for r in s.roa_requests:
cur.execute("INSERT roa_request (roa_request_handle, asn) VALUES (%s, %s)", (s.name, r.asn))
roa_request_id = cur.lastrowid
@@ -782,17 +808,18 @@ class allocation(object):
"""
Kill daemons for this entity.
"""
- rpki.log.info("Killing daemons for %s" % self.name)
- try:
- for proc in (self.rpkid_process, self.irdbd_process):
+ # pylint: disable=E1103
+ for proc, name in ((self.rpkid_process, "rpkid"),
+ (self.irdbd_process, "irdbd")):
+ if proc is not None and proc.poll() is None:
+ rpki.log.info("Killing daemon %s pid %s for %s" % (name, proc.pid, self.name))
try:
- rpki.log.info("Killing pid %d" % proc.pid)
- os.kill(proc.pid, signal.SIGTERM)
+ proc.terminate()
except OSError:
pass
- proc.wait()
- except AttributeError:
- pass
+ if proc is not None:
+ rpki.log.info("Daemon %s pid %s for %s exited with code %s" % (
+ name, proc.pid, self.name, proc.wait()))
def call_rpkid(self, pdus, cb):
"""
@@ -1140,7 +1167,7 @@ def setup_rootd(rpkid, rootd_yaml):
f.close()
s = "exec >/dev/null 2>&1\n"
#s = "set -x\n"
- if not os.path.exists(rootd_name + ".key"):
+ if not os.path.exists("root.key"):
s += rootd_fmt_2 % d
s += rootd_fmt_3 % d
subprocess.check_call(s, shell = True)
@@ -1175,15 +1202,15 @@ def setup_publication(pubd_sql):
Set up publication daemon.
"""
rpki.log.info("Configure publication daemon")
- pubd_dir = os.getcwd() + "/publication/"
+ publication_dir = os.getcwd() + "/publication"
assert rootd_sia.startswith("rsync://")
- i = 0
- for j in xrange(4):
- i = rootd_sia.index("/", i + 1)
global rsyncd_dir
- rsyncd_dir = pubd_dir.rstrip("/") + rootd_sia[i:]
- os.makedirs(rsyncd_dir)
- db = MySQLdb.connect(db = pubd_db_name, user = pubd_db_user, passwd = pubd_db_pass)
+ rsyncd_dir = publication_dir + "/".join(rootd_sia.split("/")[4:])
+ if not rsyncd_dir.endswith("/"):
+ rsyncd_dir += "/"
+ os.makedirs(rsyncd_dir + "root/trunk")
+ db = MySQLdb.connect(db = pubd_db_name, user = pubd_db_user, passwd = pubd_db_pass,
+ conv = sql_conversions)
cur = db.cursor()
db.autocommit(True)
for sql in pubd_sql:
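Review bot: `rsyncd_dir = publication_dir + "/".join(rootd_sia.split("/")[4:])` loses the path separator the old code kept, because `publication_dir` no longer ends in `/` and the joined tail never starts with one. When the SIA has nothing after the module name the trailing-slash fix-up hides this, but a URI with further path components would yield a directory like `.../publicationfoo/`. `rsyncd_dir = publication_dir + "/" + "/".join(rootd_sia.split("/")[4:])` gives the same directory as the old loop in both cases. `os.makedirs` here and the `pubd_dir` config value in the next hunk both consume this path, so a wrong value misplaces the published tree. setup_publication continues past the end of this hunk.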
@@ -1198,7 +1225,7 @@ def setup_publication(pubd_sql):
"pubd_db_name" : pubd_db_name,
"pubd_db_user" : pubd_db_user,
"pubd_db_pass" : pubd_db_pass,
- "pubd_dir" : pubd_dir }
+ "pubd_dir" : rsyncd_dir }
f = open(pubd_name + ".conf", "w")
f.write(pubd_fmt_1 % d)
f.close()
@@ -1432,21 +1459,21 @@ child-bpki-cert = %(rootd_name)s-TA-%(rpkid_name)s-SELF.cer
server-port = %(rootd_port)s
-rpki-root-dir = %(rsyncd_dir)s
-rpki-base-uri = %(rootd_sia)s
-rpki-root-cert-uri = %(rootd_sia)s%(rootd_name)s.cer
+rpki-root-dir = %(rsyncd_dir)sroot
+rpki-base-uri = %(rootd_sia)sroot/
+rpki-root-cert-uri = %(rootd_sia)sroot.cer
-rpki-root-key = %(rootd_name)s.key
-rpki-root-cert = %(rootd_name)s.cer
+rpki-root-key = root.key
+rpki-root-cert = root.cer
rpki-subject-pkcs10 = %(rootd_name)s.subject.pkcs10
rpki-subject-lifetime = %(lifetime)s
-rpki-root-crl = Bandicoot.crl
-rpki-root-manifest = Bandicoot.mft
+rpki-root-crl = root.crl
+rpki-root-manifest = root.mft
-rpki-class-name = Wombat
-rpki-subject-cert = Wombat.cer
+rpki-class-name = trunk
+rpki-subject-cert = trunk.cer
include-bpki-crl = yes
enable_tracebacks = yes
@@ -1455,7 +1482,6 @@ enable_tracebacks = yes
default_bits = 2048
encrypt_key = no
distinguished_name = req_dn
-#req_extensions = req_x509_ext
prompt = no
default_md = sha256
default_days = 60
@@ -1472,7 +1498,7 @@ authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
keyUsage = critical,keyCertSign,cRLSign
-subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:%(rootd_sia)s,1.3.6.1.5.5.7.48.10;URI:%(rootd_sia)sBandicoot.mft
+subjectInfoAccess = 1.3.6.1.5.5.7.48.5;URI:%(rootd_sia)sroot/,1.3.6.1.5.5.7.48.10;URI:%(rootd_sia)sroot/root.mft
sbgp-autonomousSysNum = critical,AS:0-4294967295
sbgp-ipAddrBlock = critical,IPv4:0.0.0.0/0,IPv6:0::/0
certificatePolicies = critical, @rpki_certificate_policy
@@ -1483,17 +1509,17 @@ policyIdentifier = 1.3.6.1.5.5.7.14.2
'''
rootd_fmt_2 = '''\
-%(openssl)s genrsa -out %(rootd_name)s.key 2048 &&
+%(openssl)s genrsa -out root.key 2048 &&
'''
rootd_fmt_3 = '''\
-echo >%(rootd_name)s.tal %(rootd_sia)s%(rootd_name)s.cer &&
+echo >%(rootd_name)s.tal %(rootd_sia)sroot.cer &&
echo >>%(rootd_name)s.tal &&
-%(openssl)s rsa -pubout -in %(rootd_name)s.key | awk '!/-----(BEGIN|END)/' >>%(rootd_name)s.tal &&
-%(openssl)s req -new -sha256 -key %(rootd_name)s.key -out %(rootd_name)s.req -config %(rootd_name)s.conf -text -extensions req_x509_rpki_ext &&
-%(openssl)s x509 -req -sha256 -in %(rootd_name)s.req -out %(rootd_name)s.cer -outform DER -extfile %(rootd_name)s.conf -extensions req_x509_rpki_ext \
- -signkey %(rootd_name)s.key &&
-ln -f %(rootd_name)s.cer %(rsyncd_dir)s
+%(openssl)s rsa -pubout -in root.key | awk '!/-----(BEGIN|END)/' >>%(rootd_name)s.tal &&
+%(openssl)s req -new -sha256 -key root.key -out %(rootd_name)s.req -config %(rootd_name)s.conf -text -extensions req_x509_rpki_ext &&
+%(openssl)s x509 -req -sha256 -in %(rootd_name)s.req -out root.cer -outform DER -extfile %(rootd_name)s.conf -extensions req_x509_rpki_ext \
+ -signkey root.key &&
+ln -f root.cer %(rsyncd_dir)s
'''
rcynic_fmt_1 = '''\
@@ -1504,7 +1530,6 @@ use-links = yes
use-syslog = no
use-stderr = yes
log-level = log_debug
-#trust-anchor = %(rootd_name)s.cer
trust-anchor-locator = %(rootd_name)s.tal
'''
diff --git a/rpkid/tests/sql-cleaner.py b/rpkid/tests/sql-cleaner.py
index 5db122e1..34a72fd3 100644
--- a/rpkid/tests/sql-cleaner.py
+++ b/rpkid/tests/sql-cleaner.py
@@ -3,7 +3,7 @@
$Id$
-Copyright (C) 2009--2011 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +18,8 @@ OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
"""
-import rpki.config, rpki.sql_schemas
+import rpki.config
+import rpki.sql_schemas
from rpki.mysql_import import MySQLdb
cfg = rpki.config.parser(None, "yamltest", allow_missing = True)
@@ -34,12 +35,16 @@ for name in ("rpkid", "irdbd", "pubd"):
schema = " ".join(schema).strip(";").split(";")
schema = [statement.strip() for statement in schema if statement and "DROP TABLE" not in statement]
- for i in xrange(12):
+ db = MySQLdb.connect(user = username, passwd = password)
+ cur = db.cursor()
- database = "%s%d" % (name[:4], i)
+ cur.execute("SHOW DATABASES")
- db = MySQLdb.connect(user = username, db = database, passwd = password)
- cur = db.cursor()
+ databases = [r[0] for r in cur.fetchall() if r[0][:4] == name[:4] and r[0][4:].isdigit()]
+
+ for database in databases:
+
+ cur.execute("USE " + database)
cur.execute("SHOW TABLES")
tables = [r[0] for r in cur.fetchall()]
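Review bot: `cur.execute("USE " + database)` builds SQL by concatenation and is safe only because of the filter two lines up (four-character prefix match plus `isdigit()` on the remainder). Identifiers cannot be bound as query parameters, so I would keep the concatenation but state the dependency in a comment, e.g. `# database is prefix + digits only (filtered above), so it is safe to splice into USE`. That keeps a later edit from loosening the filter without noticing the consequence. The connection is also opened without `db=` now, so the test account must be able to list databases; that assumption is worth a line in the module docstring.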
@@ -52,5 +57,5 @@ for name in ("rpkid", "irdbd", "pubd"):
for statement in schema:
cur.execute(statement)
- cur.close()
- db.close()
+ cur.close()
+ db.close()
diff --git a/rpkid/tests/sql-dumper.py b/rpkid/tests/sql-dumper.py
index cff62d4f..e4bb1a28 100644
--- a/rpkid/tests/sql-dumper.py
+++ b/rpkid/tests/sql-dumper.py
@@ -3,7 +3,7 @@ Dump backup copies of SQL tables used by these programs.
$Id$
-Copyright (C) 2009--2010 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +18,9 @@ OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
"""
-import subprocess, rpki.config
+import subprocess
+import rpki.config
+from rpki.mysql_import import MySQLdb
cfg = rpki.config.parser(None, "yamltest", allow_missing = True)
@@ -28,5 +30,14 @@ for name in ("rpkid", "irdbd", "pubd"):
password = cfg.get("%s_sql_password" % name, "fnord")
cmd = ["mysqldump", "-u", username, "-p" + password, "--databases"]
- cmd.extend("%s%d" % (name[:4], i) for i in xrange(12))
+
+ db = MySQLdb.connect(user = username, passwd = password)
+ cur = db.cursor()
+
+ cur.execute("SHOW DATABASES")
+ cmd.extend(r[0] for r in cur.fetchall() if r[0][:4] == name[:4] and r[0][4:].isdigit())
+
+ cur.close()
+ db.close()
+
subprocess.check_call(cmd, stdout = open("backup.%s.sql" % name, "w"))
diff --git a/rpkid/tests/testpoke.py b/rpkid/tests/testpoke.py
index 1f7713a1..49919709 100644
--- a/rpkid/tests/testpoke.py
+++ b/rpkid/tests/testpoke.py
@@ -12,7 +12,7 @@ Default configuration file is testpoke.yaml, override with --yaml option.
$Id$
-Copyright (C) 2010--2011 Internet Systems Consortium ("ISC")
+Copyright (C) 2010--2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -138,10 +138,12 @@ def do_list():
def do_issue():
q_pdu = rpki.up_down.issue_pdu()
req_key = get_PEM("cert-request-key", rpki.x509.RSA, yaml_req) or cms_key
- sia = ((rpki.oids.name2oid["id-ad-caRepository"], ("uri", yaml_req["sia"][0])),
- (rpki.oids.name2oid["id-ad-rpkiManifest"], ("uri", yaml_req["sia"][0] + req_key.gSKI() + ".mft")))
q_pdu.class_name = yaml_req["class"]
- q_pdu.pkcs10 = rpki.x509.PKCS10.create_ca(req_key, sia)
+ q_pdu.pkcs10 = rpki.x509.PKCS10.create(
+ keypair = req_key,
+ is_ca = True,
+ caRepository = yaml_req["sia"][0],
+ rpkiManifest = yaml_req["sia"][0] + req_key.gSKI() + ".mft")
query_up_down(q_pdu)
def do_revoke():
@@ -152,7 +154,7 @@ def do_revoke():
dispatch = { "list" : do_list, "issue" : do_issue, "revoke" : do_revoke }
-def fail(e):
+def fail(e): # pylint: disable=W0621
rpki.log.traceback(debug)
sys.exit("Testpoke failed: %s" % e)
diff --git a/rpkid/tests/yamlconf.py b/rpkid/tests/yamlconf.py
new file mode 100644
index 00000000..f9f69ba1
--- /dev/null
+++ b/rpkid/tests/yamlconf.py
@@ -0,0 +1,788 @@
+"""
+Test configuration tool, using the same YAML test description format
+as smoketest.py and yamltest.py, but doing just the IRDB configuration
+for a massive testbed, via direct use of the rpki.irdb library code.
+
+For most purposes, you don't want this, but when building a
+configuration for tens or hundreds of thousands of elements, being
+able to do the initial configuration stage quickly can help a lot.
+
+$Id$
+
+Copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
+
+Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
+"""
+
+# pylint: disable=W0702,W0621,W0602
+
+import subprocess
+import re
+import os
+import sys
+import yaml
+import time
+import argparse
+import rpki.resource_set
+import rpki.sundial
+import rpki.config
+import rpki.log
+import rpki.csv_utils
+import rpki.x509
+import rpki.sql_schemas
+
+from rpki.mysql_import import MySQLdb
+
+section_regexp = re.compile(r"\s*\[\s*(.+?)\s*\]\s*$")
+variable_regexp = re.compile(r"\s*([-a-zA-Z0-9_]+)\s*=\s*(.+?)\s*$")
+
+flat_publication = False
+only_one_pubd = True
+yaml_file = None
+loopback = False
+quiet = False
+dns_suffix = None
+mysql_rootuser = None
+mysql_rootpass = None
+publication_base = None
+publication_root = None
+
+# The SQL username mismatch between rpkid/examples/rpki.conf and
+# rpkid/tests/smoketest.setup.sql is completely stupid and really
+# should be cleaned up at some point...but not today, at least not as
+# part of writing this program. These default values are wired into
+# yamltest to match smoketest.setup.sql, so wire them in here too but
+# in a more obvious way.
+
+config_overrides = {
+ "irdbd_sql_username" : "irdb", "irdbd_sql_password" : "fnord",
+ "rpkid_sql_username" : "rpki", "rpkid_sql_password" : "fnord",
+ "pubd_sql_username" : "pubd", "pubd_sql_password" : "fnord" }
+
+def cleanpath(*names):
+ return os.path.normpath(os.path.join(*names))
+
+this_dir = os.getcwd()
+test_dir = None
+rpki_conf = None
+
+class roa_request(object):
+ """
+ Representation of a ROA request.
+ """
+
+ def __init__(self, asn, ipv4, ipv6):
+ self.asn = asn
+ self.v4 = rpki.resource_set.roa_prefix_set_ipv4("".join(ipv4.split())) if ipv4 else None
+ self.v6 = rpki.resource_set.roa_prefix_set_ipv6("".join(ipv6.split())) if ipv6 else None
+
+ def __eq__(self, other):
+ return self.asn == other.asn and self.v4 == other.v4 and self.v6 == other.v6
+
+ def __hash__(self):
+ v4 = tuple(self.v4) if self.v4 is not None else None
+ v6 = tuple(self.v6) if self.v6 is not None else None
+ return self.asn.__hash__() + v4.__hash__() + v6.__hash__()
+
+ def __str__(self):
+ if self.v4 and self.v6:
+ return "%s: %s,%s" % (self.asn, self.v4, self.v6)
+ else:
+ return "%s: %s" % (self.asn, self.v4 or self.v6)
+
+ @classmethod
+ def parse(cls, y):
+ return cls(y.get("asn"), y.get("ipv4"), y.get("ipv6"))
+
+class allocation_db(list):
+ """
+ Allocation database.
+ """
+
+ def __init__(self, y):
+ list.__init__(self)
+ self.root = allocation(y, self)
+ assert self.root.is_root
+ if self.root.crl_interval is None:
+ self.root.crl_interval = 24 * 60 * 60
+ if self.root.regen_margin is None:
+ self.root.regen_margin = 24 * 60 * 60
+ if self.root.base.valid_until is None:
+ self.root.base.valid_until = rpki.sundial.now() + rpki.sundial.timedelta(days = 2)
+ for a in self:
+ if a.base.valid_until is None:
+ a.base.valid_until = a.parent.base.valid_until
+ if a.crl_interval is None:
+ a.crl_interval = a.parent.crl_interval
+ if a.regen_margin is None:
+ a.regen_margin = a.parent.regen_margin
+ self.root.closure()
+ self.map = dict((a.name, a) for a in self)
+ for a in self:
+ if a.is_hosted:
+ a.hosted_by = self.map[a.hosted_by]
+ a.hosted_by.hosts.append(a)
+ assert not a.is_root and not a.hosted_by.is_hosted
+
+ def dump(self):
+ for a in self:
+ a.dump()
+
+
+class allocation(object):
+ """
+ One entity in our allocation database. Every entity in the database
+ is assumed to hold resources. Entities that don't have the
+ hosted_by property run their own copies of rpkid, irdbd, and pubd.
+ """
+
+ base_port = 4400
+ base_engine = -1
+ parent = None
+ crl_interval = None
+ regen_margin = None
+ engine = -1
+ rpkid_port = 4404
+ irdbd_port = 4403
+ pubd_port = 4402
+ rootd_port = 4401
+ rsync_port = 873
+
+ @classmethod
+ def allocate_port(cls):
+ cls.base_port += 1
+ return cls.base_port
+
+ @classmethod
+ def allocate_engine(cls):
+ cls.base_engine += 1
+ return cls.base_engine
+
+ def __init__(self, y, db, parent = None):
+ db.append(self)
+ self.name = y["name"]
+ self.parent = parent
+ self.kids = [allocation(k, db, self) for k in y.get("kids", ())]
+ valid_until = None
+ if "valid_until" in y:
+ valid_until = rpki.sundial.datetime.from_datetime(y.get("valid_until"))
+ if valid_until is None and "valid_for" in y:
+ valid_until = rpki.sundial.now() + rpki.sundial.timedelta.parse(y["valid_for"])
+ self.base = rpki.resource_set.resource_bag(
+ asn = rpki.resource_set.resource_set_as(y.get("asn")),
+ v4 = rpki.resource_set.resource_set_ipv4(y.get("ipv4")),
+ v6 = rpki.resource_set.resource_set_ipv6(y.get("ipv6")),
+ valid_until = valid_until)
+ if "crl_interval" in y:
+ self.crl_interval = rpki.sundial.timedelta.parse(y["crl_interval"]).convert_to_seconds()
+ if "regen_margin" in y:
+ self.regen_margin = rpki.sundial.timedelta.parse(y["regen_margin"]).convert_to_seconds()
+ self.roa_requests = [roa_request.parse(r) for r in y.get("roa_request", ())]
+ for r in self.roa_requests:
+ if r.v4:
+ self.base.v4 |= r.v4.to_resource_set()
+ if r.v6:
+ self.base.v6 |= r.v6.to_resource_set()
+ self.hosted_by = y.get("hosted_by")
+ self.hosts = []
+ if not self.is_hosted:
+ self.engine = self.allocate_engine()
+ if loopback and not self.is_hosted:
+ self.rpkid_port = self.allocate_port()
+ self.irdbd_port = self.allocate_port()
+ if loopback and self.runs_pubd:
+ self.pubd_port = self.allocate_port()
+ self.rsync_port = self.allocate_port()
+ if loopback and self.is_root:
+ self.rootd_port = self.allocate_port()
+
+ def closure(self):
+ resources = self.base
+ for kid in self.kids:
+ resources |= kid.closure()
+ self.resources = resources
+ return resources
+
+ @property
+ def hostname(self):
+ if loopback:
+ return "localhost"
+ elif dns_suffix:
+ return self.name + "." + dns_suffix.lstrip(".")
+ else:
+ return self.name
+
+ @property
+ def rsync_server(self):
+ if loopback:
+ return "%s:%s" % (self.pubd.hostname, self.pubd.rsync_port)
+ else:
+ return self.pubd.hostname
+
+ def dump(self):
+ if not quiet:
+ print str(self)
+
+ def __str__(self):
+ s = self.name + ":\n"
+ if self.resources.asn: s += " ASNs: %s\n" % self.resources.asn
+ if self.resources.v4: s += " IPv4: %s\n" % self.resources.v4
+ if self.resources.v6: s += " IPv6: %s\n" % self.resources.v6
+ if self.kids: s += " Kids: %s\n" % ", ".join(k.name for k in self.kids)
+ if self.parent: s += " Up: %s\n" % self.parent.name
+ if self.is_hosted: s += " Host: %s\n" % self.hosted_by.name
+ if self.hosts: s += " Hosts: %s\n" % ", ".join(h.name for h in self.hosts)
+ for r in self.roa_requests: s += " ROA: %s\n" % r
+ if not self.is_hosted: s += " IPort: %s\n" % self.irdbd_port
+ if self.runs_pubd: s += " PPort: %s\n" % self.pubd_port
+ if not self.is_hosted: s += " RPort: %s\n" % self.rpkid_port
+ if self.runs_pubd: s += " SPort: %s\n" % self.rsync_port
+ if self.is_root: s += " TPort: %s\n" % self.rootd_port
+ return s + " Until: %s\n" % self.resources.valid_until
+
+ @property
+ def is_root(self):
+ return self.parent is None
+
+ @property
+ def is_hosted(self):
+ return self.hosted_by is not None
+
+ @property
+ def runs_pubd(self):
+ return self.is_root or not (self.is_hosted or only_one_pubd)
+
+ def path(self, *names):
+ return cleanpath(test_dir, self.host.name, *names)
+
+ def csvout(self, fn):
+ path = self.path(fn)
+ if not quiet:
+ print "Writing", path
+ return rpki.csv_utils.csv_writer(path)
+
+ def up_down_url(self):
+ return "http://%s:%d/up-down/%s/%s" % (self.parent.host.hostname,
+ self.parent.host.rpkid_port,
+ self.parent.name,
+ self.name)
+
+ def dump_asns(self, fn):
+ with self.csvout(fn) as f:
+ for k in self.kids:
+ f.writerows((k.name, a) for a in k.resources.asn)
+
+ def dump_prefixes(self, fn):
+ with self.csvout(fn) as f:
+ for k in self.kids:
+ f.writerows((k.name, p) for p in (k.resources.v4 + k.resources.v6))
+
+ def dump_roas(self, fn):
+ with self.csvout(fn) as f:
+ for g1, r in enumerate(self.roa_requests):
+ f.writerows((p, r.asn, "G%08d%08d" % (g1, g2))
+ for g2, p in enumerate((r.v4 + r.v6 if r.v4 and r.v6 else r.v4 or r.v6 or ())))
+
+ @property
+ def pubd(self):
+ s = self
+ while not s.runs_pubd:
+ s = s.parent
+ return s
+
+ @property
+ def client_handle(self):
+ path = []
+ s = self
+ if not flat_publication:
+ while not s.runs_pubd:
+ path.append(s)
+ s = s.parent
+ path.append(s)
+ return ".".join(i.name for i in reversed(path))
+
+ @property
+ def host(self):
+ return self.hosted_by or self
+
+ @property
+ def publication_base_directory(self):
+ if not loopback and publication_base is not None:
+ return publication_base
+ else:
+ return self.path("publication")
+
+ @property
+ def publication_root_directory(self):
+ if not loopback and publication_root is not None:
+ return publication_root
+ else:
+ return self.path("publication.root")
+
+ def dump_conf(self):
+
+ r = dict(
+ handle = self.name,
+ run_rpkid = str(not self.is_hosted),
+ run_pubd = str(self.runs_pubd),
+ run_rootd = str(self.is_root),
+ irdbd_sql_username = "irdb",
+ rpkid_sql_username = "rpki",
+ rpkid_server_host = self.hostname,
+ rpkid_server_port = str(self.rpkid_port),
+ irdbd_server_host = "localhost",
+ irdbd_server_port = str(self.irdbd_port),
+ rootd_server_port = str(self.rootd_port),
+ pubd_sql_username = "pubd",
+ pubd_server_host = self.pubd.hostname,
+ pubd_server_port = str(self.pubd.pubd_port),
+ publication_rsync_server = self.rsync_server)
+
+ if loopback:
+ r.update(
+ irdbd_sql_database = self.irdb_name,
+ rpkid_sql_database = "rpki%d" % self.engine,
+ pubd_sql_database = "pubd%d" % self.engine,
+ bpki_servers_directory = self.path(),
+ publication_base_directory = self.publication_base_directory)
+
+ r.update(config_overrides)
+
+ with open(self.path("rpki.conf"), "w") as f:
+ f.write("# Automatically generated, do not edit\n")
+ if not quiet:
+ print "Writing", f.name
+
+ section = None
+ for line in open(rpki_conf):
+ m = section_regexp.match(line)
+ if m:
+ section = m.group(1)
+ m = variable_regexp.match(line)
+ option = m.group(1) if m and section == "myrpki" else None
+ if option and option in r:
+ line = "%s = %s\n" % (option, r[option])
+ f.write(line)
+
+ def dump_rsyncd(self):
+ lines = []
+ if self.runs_pubd:
+ lines.extend((
+ "# Automatically generated, do not edit",
+ "port = %d" % self.rsync_port,
+ "address = %s" % self.hostname,
+ "log file = rsyncd.log",
+ "read only = yes",
+ "use chroot = no",
+ "[rpki]",
+ "path = %s" % self.publication_base_directory,
+ "comment = RPKI test"))
+ if self.is_root:
+ assert self.runs_pubd
+ lines.extend((
+ "[root]",
+ "path = %s" % self.publication_root_directory,
+ "comment = RPKI test root"))
+ if lines:
+ with open(self.path("rsyncd.conf"), "w") as f:
+ if not quiet:
+ print "Writing", f.name
+ f.writelines(line + "\n" for line in lines)
+
+ @property
+ def irdb_name(self):
+ return "irdb%d" % self.host.engine
+
+ @property
+ def irdb(self):
+ prior_name = self.zoo.handle
+ return rpki.irdb.database(
+ self.irdb_name,
+ on_entry = lambda: self.zoo.reset_identity(self.name),
+ on_exit = lambda: self.zoo.reset_identity(prior_name))
+
+ def syncdb(self):
+ import django.core.management
+ assert not self.is_hosted
+ django.core.management.call_command("syncdb",
+ database = self.irdb_name,
+ load_initial_data = False,
+ interactive = False,
+ verbosity = 0)
+
+ def hire_zookeeper(self):
+ assert not self.is_hosted
+ self._zoo = rpki.irdb.Zookeeper(
+ cfg = rpki.config.parser(self.path("rpki.conf")),
+ logstream = None if quiet else sys.stdout)
+
+ @property
+ def zoo(self):
+ return self.host._zoo
+
+ def dump_root(self):
+
+ assert self.is_root and not self.is_hosted
+
+ root_resources = rpki.resource_set.resource_bag(
+ asn = rpki.resource_set.resource_set_as("0-4294967295"),
+ v4 = rpki.resource_set.resource_set_ipv4("0.0.0.0/0"),
+ v6 = rpki.resource_set.resource_set_ipv6("::/0"))
+
+ root_key = rpki.x509.RSA.generate(quiet = True)
+
+ root_uri = "rsync://%s/rpki/" % self.rsync_server
+
+ root_sia = (root_uri, root_uri + "root.mft", None)
+
+ root_cert = rpki.x509.X509.self_certify(
+ keypair = root_key,
+ subject_key = root_key.get_RSApublic(),
+ serial = 1,
+ sia = root_sia,
+ notAfter = rpki.sundial.now() + rpki.sundial.timedelta(days = 365),
+ resources = root_resources)
+
+ with open(self.path("publication.root", "root.cer"), "wb") as f:
+ f.write(root_cert.get_DER())
+
+ with open(self.path("root.key"), "wb") as f:
+ f.write(root_key.get_DER())
+
+ with open(cleanpath(test_dir, "root.tal"), "w") as f:
+ f.write("rsync://%s/root/root.cer\n\n%s" % (
+ self.rsync_server, root_key.get_RSApublic().get_Base64()))
+
+ def mkdir(self, *path):
+ path = self.path(*path)
+ if not quiet:
+ print "Creating directory", path
+ os.makedirs(path)
+
+ def dump_sql(self):
+ if not self.is_hosted:
+ with open(self.path("rpkid.sql"), "w") as f:
+ if not quiet:
+ print "Writing", f.name
+ f.write(rpki.sql_schemas.rpkid)
+ if self.runs_pubd:
+ with open(self.path("pubd.sql"), "w") as f:
+ if not quiet:
+ print "Writing", f.name
+ f.write(rpki.sql_schemas.pubd)
+ if not self.is_hosted:
+ username = config_overrides["irdbd_sql_username"]
+ password = config_overrides["irdbd_sql_password"]
+ cmd = ("mysqldump", "-u", username, "-p" + password, self.irdb_name)
+ with open(self.path("irdbd.sql"), "w") as f:
+ if not quiet:
+ print "Writing", f.name
+ subprocess.check_call(cmd, stdout = f)
+
+
+def pre_django_sql_setup(needed):
+
+ username = config_overrides["irdbd_sql_username"]
+ password = config_overrides["irdbd_sql_password"]
+
+ # If we have the MySQL root password, just blow away and recreate
+ # the required databases. Otherwise, check for missing databases,
+ # then blow away all tables in the required databases. In either
+ # case, we assume that the Django syncdb code will populate
+ # databases as necessary, all we need to do here is provide empty
+ # databases for the Django code to fill in.
+
+ if mysql_rootpass is not None:
+ if mysql_rootpass:
+ db = MySQLdb.connect(user = mysql_rootuser, passwd = mysql_rootpass)
+ else:
+ db = MySQLdb.connect(user = mysql_rootuser)
+ cur = db.cursor()
+ for database in needed:
+ try:
+ cur.execute("DROP DATABASE IF EXISTS %s" % database)
+ except:
+ pass
+ cur.execute("CREATE DATABASE %s" % database)
+ cur.execute("GRANT ALL ON %s.* TO %s@localhost IDENTIFIED BY %%s" % (
+ database, username), (password,))
+
+ else:
+ db = MySQLdb.connect(user = username, passwd = password)
+ cur = db.cursor()
+ cur.execute("SHOW DATABASES")
+ existing = set(r[0] for r in cur.fetchall())
+ if needed - existing:
+ sys.stderr.write("The following databases are missing:\n")
+ for database in sorted(needed - existing):
+ sys.stderr.write(" %s\n" % database)
+ sys.stderr.write("Please create them manually or put MySQL root password in my config file\n")
+ sys.exit("Missing databases and MySQL root password not known, can't continue")
+ for database in needed:
+ db.select_db(database)
+ cur.execute("SHOW TABLES")
+ tables = [r[0] for r in cur.fetchall()]
+ cur.execute("SET foreign_key_checks = 0")
+ for table in tables:
+ cur.execute("DROP TABLE %s" % table)
+ cur.execute("SET foreign_key_checks = 1")
+
+ cur.close()
+ db.commit()
+ db.close()
+
+class timestamp(object):
+
+ def __init__(self, *args):
+ self.count = 0
+ self.start = self.tick = rpki.sundial.now()
+
+ def __call__(self, *args):
+ now = rpki.sundial.now()
+ if not quiet:
+ print "[Count %s last %s total %s now %s]" % (
+ self.count, now - self.tick, now - self.start, now)
+ self.tick = now
+ self.count += 1
+
+
+def main():
+
+ global flat_publication
+ global config_overrides
+ global only_one_pubd
+ global loopback
+ global dns_suffix
+ global mysql_rootuser
+ global mysql_rootpass
+ global yaml_file
+ global test_dir
+ global rpki_conf
+ global publication_base
+ global publication_root
+ global quiet
+
+ os.environ["TZ"] = "UTC"
+ time.tzset()
+
+ parser = argparse.ArgumentParser(description = "yamlconf")
+ parser.add_argument("-c", "--config", help = "configuration file")
+ parser.add_argument("--dns_suffix",
+ help = "DNS suffix to add to hostnames")
+ parser.add_argument("-l", "--loopback", action = "store_true",
+ help = "Configure for use with yamltest on localhost")
+ parser.add_argument("-f", "--flat_publication", action = "store_true",
+ help = "Use flat publication model")
+ parser.add_argument("-q", "--quiet", action = "store_true",
+ help = "Work more quietly")
+ parser.add_argument("--profile",
+ help = "Filename for profile output")
+ parser.add_argument("yaml_file", type = argparse.FileType("r"),
+ help = "YAML file describing network to build")
+ args = parser.parse_args()
+
+ dns_suffix = args.dns_suffix
+ loopback = args.loopback
+ flat_publication = args.flat_publication
+ quiet = args.quiet
+ yaml_file = args.yaml_file
+
+ rpki.log.use_syslog = False
+ rpki.log.init("yamlconf")
+
+ # Allow optional config file for this tool to override default
+ # passwords: this is mostly so that I can show a complete working
+ # example without publishing my own server's passwords.
+
+ cfg = rpki.config.parser(args.config, "yamlconf", allow_missing = True)
+ try:
+ cfg.set_global_flags()
+ except:
+ pass
+
+ # Use of "yamltest.dir" is deliberate: intent is for what we write to
+ # be usable with "yamltest --skip_config".
+
+ only_one_pubd = cfg.getboolean("only_one_pubd", True)
+ test_dir = cfg.get("test_directory", cleanpath(this_dir, "yamltest.dir"))
+ rpki_conf = cfg.get("rpki_conf", cleanpath(this_dir, "..", "examples/rpki.conf"))
+ mysql_rootuser = cfg.get("mysql_rootuser", "root")
+
+ try:
+ mysql_rootpass = cfg.get("mysql_rootpass")
+ except:
+ pass
+
+ try:
+ publication_base = cfg.get("publication_base")
+ except:
+ pass
+
+ try:
+ publication_root = cfg.get("publication_root")
+ except:
+ pass
+
+ for k in ("rpkid_sql_password", "irdbd_sql_password", "pubd_sql_password",
+ "rpkid_sql_username", "irdbd_sql_username", "pubd_sql_username"):
+ if cfg.has_option(k):
+ config_overrides[k] = cfg.get(k)
+
+ if args.profile:
+ import cProfile
+ prof = cProfile.Profile()
+ try:
+ prof.runcall(body)
+ finally:
+ prof.dump_stats(args.profile)
+ if not quiet:
+ print
+ print "Dumped profile data to %s" % args.profile
+ else:
+ body()
+
+def body():
+
+ global rpki
+
+ ts = timestamp()
+
+ for root, dirs, files in os.walk(test_dir, topdown = False):
+ for fn in files:
+ os.unlink(os.path.join(root, fn))
+ for d in dirs:
+ os.rmdir(os.path.join(root, d))
+
+ if not quiet:
+ print
+ print "Reading YAML", yaml_file.name
+
+ db = allocation_db(yaml.safe_load_all(yaml_file).next())
+
+ # Show what we loaded
+
+ #db.dump()
+
+ # Do pre-Django SQL setup
+
+ pre_django_sql_setup(set(d.irdb_name for d in db if not d.is_hosted))
+
+ # Now ready for fun with multiple databases in Django!
+
+ # https://docs.djangoproject.com/en/1.4/topics/db/multi-db/
+ # https://docs.djangoproject.com/en/1.4/topics/db/sql/
+
+ database_template = {
+ "ENGINE" : "django.db.backends.mysql",
+ "USER" : config_overrides["irdbd_sql_username"],
+ "PASSWORD" : config_overrides["irdbd_sql_password"],
+ "HOST" : "",
+ "PORT" : "",
+ "OPTIONS" : { "init_command": "SET storage_engine=INNODB" }}
+
+ databases = dict((d.irdb_name,
+ dict(database_template, NAME = d.irdb_name))
+ for d in db if not d.is_hosted)
+
+ databases["default"] = databases[db.root.irdb_name]
+
+ from django.conf import settings
+
+ settings.configure(
+ DATABASES = databases,
+ DATABASE_ROUTERS = ["rpki.irdb.router.DBContextRouter"],
+ INSTALLED_APPS = ("rpki.irdb",))
+
+ import rpki.irdb
+
+ rpki.irdb.models.ca_certificate_lifetime = rpki.sundial.timedelta(days = 3652 * 2)
+ rpki.irdb.models.ee_certificate_lifetime = rpki.sundial.timedelta(days = 3652)
+
+ ts()
+
+ for d in db:
+ if not quiet:
+ print
+ print "Configuring", d.name
+
+ if not d.is_hosted:
+ d.mkdir()
+ if d.runs_pubd:
+ d.mkdir("publication")
+ if d.is_root:
+ d.mkdir("publication.root")
+
+ if not d.is_hosted:
+ d.dump_conf()
+ d.dump_rsyncd()
+
+ d.dump_asns("%s.asns.csv" % d.name)
+ d.dump_prefixes("%s.prefixes.csv" % d.name)
+ d.dump_roas("%s.roas.csv" % d.name)
+
+ if not d.is_hosted:
+ if not quiet:
+ print "Initializing SQL"
+ d.syncdb()
+ if not quiet:
+ print "Hiring zookeeper"
+ d.hire_zookeeper()
+
+ with d.irdb:
+ if not quiet:
+ print "Creating identity"
+ x = d.zoo.initialize()
+
+ if d.is_root:
+ if not quiet:
+ print "Creating RPKI root certificate and TAL"
+ d.dump_root()
+ x = d.zoo.configure_rootd()
+
+ else:
+ with d.parent.irdb:
+ x = d.parent.zoo.configure_child(x.file)[0]
+ x = d.zoo.configure_parent(x.file)[0]
+
+ with d.pubd.irdb:
+ x = d.pubd.zoo.configure_publication_client(x.file, flat = flat_publication)[0]
+ d.zoo.configure_repository(x.file)
+
+ if loopback and not d.is_hosted:
+ with d.irdb:
+ d.zoo.write_bpki_files()
+
+ ts()
+
+ if not loopback:
+ if not quiet:
+ print
+ for d in db:
+ d.dump_sql()
+
+if __name__ == "__main__":
+ main()
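Review bot: In `allocation.dump_sql()` the irdbd password reaches mysqldump as `"-p" + password` on the command line, where any local user can read it from the process list while the dump runs. The comment in `main()` says the optional config file exists so that real server passwords can replace the defaults, so this is not limited to the built-in test password. I would pass the credentials through a private option file instead, as sketched below; this needs `import tempfile` at the top of the file, and a password containing `#` or quote characters would have to be quoted in the option file. The `cmd = ["mysqldump", "-u", username, "-p" + password, "--databases"]` context line in the preceding backup-script hunk has the same shape. Separately, `dump_root()` writes `root.key` with a plain `open(..., "wb")`, so the private key's file mode is whatever the caller's umask allows.

```python
    # … unchanged: writing rpkid.sql and pubd.sql …
    if not self.is_hosted:
        username = config_overrides["irdbd_sql_username"]
        password = config_overrides["irdbd_sql_password"]
        # Credentials go through an owner-only temporary option file, not argv.
        with tempfile.NamedTemporaryFile() as opt:
            opt.write("[client]\nuser = %s\npassword = %s\n" % (username, password))
            opt.flush()
            # --defaults-extra-file has to be the first option mysqldump sees.
            cmd = ("mysqldump", "--defaults-extra-file=" + opt.name, self.irdb_name)
            with open(self.path("irdbd.sql"), "w") as f:
                # … unchanged: "Writing" message …
                subprocess.check_call(cmd, stdout = f)
```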
diff --git a/rpkid/tests/yamltest.py b/rpkid/tests/yamltest.py
index 74013980..609a2599 100644
--- a/rpkid/tests/yamltest.py
+++ b/rpkid/tests/yamltest.py
@@ -15,7 +15,7 @@ Still to do:
$Id$
-Copyright (C) 2009--2010 Internet Systems Consortium ("ISC")
+Copyright (C) 2009--2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -42,19 +42,31 @@ INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
-
"""
-import subprocess, re, os, getopt, sys, yaml, signal, time
-import rpki.resource_set, rpki.sundial, rpki.config, rpki.log
-import rpki.csv_utils, rpki.x509
+# pylint: disable=W0702,W0621
+
+import subprocess
+import re
+import os
+import getopt
+import sys
+import yaml
+import signal
+import time
+import rpki.resource_set
+import rpki.sundial
+import rpki.config
+import rpki.log
+import rpki.csv_utils
+import rpki.x509
# Nasty regular expressions for parsing config files. Sadly, while
# the Python ConfigParser supports writing config files, it does so in
# such a limited way that it's easier just to hack this ourselves.
-section_regexp = re.compile("\s*\[\s*(.+?)\s*\]\s*$")
-variable_regexp = re.compile("\s*([-a-zA-Z0-9_]+)\s*=\s*(.+?)\s*$")
+section_regexp = re.compile(r"\s*\[\s*(.+?)\s*\]\s*$")
+variable_regexp = re.compile(r"\s*([-a-zA-Z0-9_]+)\s*=\s*(.+?)\s*$")
def cleanpath(*names):
"""
@@ -99,11 +111,11 @@ class roa_request(object):
return "%s: %s" % (self.asn, self.v4 or self.v6)
@classmethod
- def parse(cls, yaml):
+ def parse(cls, y):
"""
Parse a ROA request from YAML format.
"""
- return cls(yaml.get("asn"), yaml.get("ipv4"), yaml.get("ipv6"))
+ return cls(y.get("asn"), y.get("ipv4"), y.get("ipv6"))
class allocation_db(list):
"""
@@ -121,12 +133,6 @@ class allocation_db(list):
if self.root.base.valid_until is None:
self.root.base.valid_until = rpki.sundial.now() + rpki.sundial.timedelta(days = 2)
for a in self:
- if a.sia_base is None:
- if a.runs_pubd:
- base = "rsync://localhost:%d/rpki/" % a.rsync_port
- else:
- base = a.parent.sia_base
- a.sia_base = base + a.name + "/"
if a.base.valid_until is None:
a.base.valid_until = a.parent.base.valid_until
if a.crl_interval is None:
@@ -168,6 +174,7 @@ class allocation(object):
pubd_port = -1
rsync_port = -1
rootd_port = -1
+ rpkic_counter = 0L
@classmethod
def allocate_port(cls):
@@ -195,7 +202,7 @@ class allocation(object):
self.kids = [allocation(k, db, self) for k in yaml.get("kids", ())]
valid_until = None
if "valid_until" in yaml:
- valid_until = rpki.sundial.datetime.fromdatetime(yaml.get("valid_until"))
+ valid_until = rpki.sundial.datetime.from_datetime(yaml.get("valid_until"))
if valid_until is None and "valid_for" in yaml:
valid_until = rpki.sundial.now() + rpki.sundial.timedelta.parse(yaml["valid_for"])
self.base = rpki.resource_set.resource_bag(
@@ -203,7 +210,6 @@ class allocation(object):
v4 = rpki.resource_set.resource_set_ipv4(yaml.get("ipv4")),
v6 = rpki.resource_set.resource_set_ipv6(yaml.get("ipv6")),
valid_until = valid_until)
- self.sia_base = yaml.get("sia_base")
if "crl_interval" in yaml:
self.crl_interval = rpki.sundial.timedelta.parse(yaml["crl_interval"]).convert_to_seconds()
if "regen_margin" in yaml:
@@ -211,9 +217,9 @@ class allocation(object):
self.roa_requests = [roa_request.parse(y) for y in yaml.get("roa_request", yaml.get("route_origin", ()))]
for r in self.roa_requests:
if r.v4:
- self.base.v4 = self.base.v4.union(r.v4.to_resource_set())
+ self.base.v4 |= r.v4.to_resource_set()
if r.v6:
- self.base.v6 = self.base.v6.union(r.v6.to_resource_set())
+ self.base.v6 |= r.v6.to_resource_set()
self.hosted_by = yaml.get("hosted_by")
self.hosts = []
if not self.is_hosted:
@@ -233,7 +239,7 @@ class allocation(object):
"""
resources = self.base
for kid in self.kids:
- resources = resources.union(kid.closure())
+ resources |= kid.closure()
self.resources = resources
return resources
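Review bot: `resources |= kid.closure()` operates on the object that `resources = self.base` bound on the line above. If `resource_bag` implements `__ior__` as an in-place update (not visible from this hunk), every kid's resources would be folded into `self.base` as well as `self.resources`, which the previous `resources = resources.union(kid.closure())` could not do. If in-place mutation is not intended, keep the rebinding form, `resources = resources | kid.closure()`. The new `closure()` in yamlconf.py in this commit has the same statement, and the method's `def` line is above this hunk.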
@@ -250,7 +256,6 @@ class allocation(object):
if self.resources.v6: s += " IPv6: %s\n" % self.resources.v6
if self.kids: s += " Kids: %s\n" % ", ".join(k.name for k in self.kids)
if self.parent: s += " Up: %s\n" % self.parent.name
- if self.sia_base: s += " SIA: %s\n" % self.sia_base
if self.is_hosted: s += " Host: %s\n" % self.hosted_by.name
if self.hosts: s += " Hosts: %s\n" % ", ".join(h.name for h in self.hosts)
for r in self.roa_requests: s += " ROA: %s\n" % r
@@ -300,41 +305,48 @@ class allocation(object):
"""
Construct service URL for this node's parent.
"""
- parent_port = self.parent.hosted_by.rpkid_port if self.parent.is_hosted else self.parent.rpkid_port
- return "http://localhost:%d/up-down/%s/%s" % (parent_port, self.parent.name, self.name)
+ return "http://localhost:%d/up-down/%s/%s" % (self.parent.host.rpkid_port,
+ self.parent.name,
+ self.name)
- def dump_asns(self, fn, skip_rpkic = False):
+ def dump_asns(self):
"""
Write Autonomous System Numbers CSV file.
"""
- f = self.csvout(fn)
- for k in self.kids:
- f.writerows((k.name, a) for a in k.resources.asn)
- f.close()
- if not skip_rpkic:
+ fn = "%s.asns.csv" % d.name
+ if not skip_config:
+ f = self.csvout(fn)
+ for k in self.kids:
+ f.writerows((k.name, a) for a in k.resources.asn)
+ f.close()
+ if not stop_after_config:
self.run_rpkic("load_asns", fn)
- def dump_prefixes(self, fn, skip_rpkic = False):
+ def dump_prefixes(self):
"""
Write prefixes CSV file.
"""
- f = self.csvout(fn)
- for k in self.kids:
- f.writerows((k.name, p) for p in (k.resources.v4 + k.resources.v6))
- f.close()
- if not skip_rpkic:
+ fn = "%s.prefixes.csv" % d.name
+ if not skip_config:
+ f = self.csvout(fn)
+ for k in self.kids:
+ f.writerows((k.name, p) for p in (k.resources.v4 + k.resources.v6))
+ f.close()
+ if not stop_after_config:
self.run_rpkic("load_prefixes", fn)
- def dump_roas(self, fn, skip_rpkic = False):
+ def dump_roas(self):
"""
Write ROA CSV file.
"""
- f = self.csvout(fn)
- for g1, r in enumerate(self.roa_requests):
- f.writerows((p, r.asn, "G%08d%08d" % (g1, g2))
- for g2, p in enumerate((r.v4 + r.v6 if r.v4 and r.v6 else r.v4 or r.v6 or ())))
- f.close()
- if not skip_rpkic:
+ fn = "%s.roas.csv" % d.name
+ if not skip_config:
+ f = self.csvout(fn)
+ for g1, r in enumerate(self.roa_requests):
+ f.writerows((p, r.asn, "G%08d%08d" % (g1, g2))
+ for g2, p in enumerate((r.v4 + r.v6 if r.v4 and r.v6 else r.v4 or r.v6 or ())))
+ f.close()
+ if not stop_after_config:
self.run_rpkic("load_roa_requests", fn)
@property
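Review bot: `dump_asns()`, `dump_prefixes()` and `dump_roas()` now build their file name from `d.name`, but `d` is neither a parameter nor a local. It is whatever the module-level `for d in db:` loop last bound, so the methods only name the right file when they happen to be called on that same object. Use the instance instead: `fn = "%s.asns.csv" % self.name`, and likewise for the `.prefixes.csv` and `.roas.csv` names. The same three methods now also read the module globals `skip_config` and `stop_after_config`; a one-line comment on each saying so would make that dependency visible to the next reader.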
@@ -365,7 +377,7 @@ class allocation(object):
def host(self):
return self.hosted_by or self
- def dump_conf(self, fn):
+ def dump_conf(self):
"""
Write configuration file for OpenSSL and RPKI tools.
"""
@@ -392,7 +404,7 @@ class allocation(object):
r.update(config_overrides)
- f = open(self.path(fn), "w")
+ f = open(self.path("rpki.conf"), "w")
f.write("# Automatically generated, do not edit\n")
print "Writing", f.name
@@ -409,13 +421,13 @@ class allocation(object):
f.close()
- def dump_rsyncd(self, fn):
+ def dump_rsyncd(self):
"""
Write rsyncd configuration file.
"""
if self.runs_pubd:
- f = open(self.path(fn), "w")
+ f = open(self.path("rsyncd.conf"), "w")
print "Writing", f.name
f.writelines(s + "\n" for s in
("# Automatically generated, do not edit",
@@ -426,9 +438,20 @@ class allocation(object):
"read only = yes",
"use chroot = no",
"path = %s" % self.path("publication"),
- "comment = RPKI test"))
+ "comment = RPKI test",
+ "[root]",
+ "log file = rsyncd_root.log",
+ "read only = yes",
+ "use chroot = no",
+ "path = %s" % self.path("publication.root"),
+ "comment = RPKI test root"))
f.close()
+ @classmethod
+ def next_rpkic_counter(cls):
+ cls.rpkic_counter += 10000
+ return str(cls.rpkic_counter)
+
def run_rpkic(self, *args):
"""
Run rpkic for this entity.
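Review bot: The added `[root]` module is written into rsyncd.conf for every entity where `self.runs_pubd` is true, but the setup code later in this diff creates `publication.root` only under `if d.is_root:`. A non-root publication server would therefore export an rsync module whose `path` does not exist. yamlconf.py's `dump_rsyncd()` in this same commit guards the section with `if self.is_root:`, and I would do the same here by appending the six `[root]` lines only in that case. The body of `dump_rsyncd()` starts above this hunk, so the guard has to be placed with the full method in view.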
@@ -439,7 +462,9 @@ class allocation(object):
cmd.append(self.path("rpkic.%s.prof" % rpki.sundial.now()))
cmd.extend(a for a in args if a is not None)
print 'Running "%s"' % " ".join(cmd)
- subprocess.check_call(cmd, cwd = self.host.path())
+ env = os.environ.copy()
+ env["YAMLTEST_RPKIC_COUNTER"] = self.next_rpkic_counter()
+ subprocess.check_call(cmd, cwd = self.host.path(), env = env)
def run_python_daemon(self, prog):
"""
@@ -502,10 +527,12 @@ skip_config = False
flat_publication = False
profile = False
stop_after_config = False
+synchronize = False
opts, argv = getopt.getopt(sys.argv[1:], "c:fhkp:?",
- ["config=", "flat_publication", "help", "keep_going",
- "pidfile=", "skip_config", "stop_after_config", "profile"])
+ ["config=", "flat_publication", "help",
+ "keep_going", "pidfile=", "profile",
+ "skip_config", "stop_after_config", "synchronize"])
for o, a in opts:
if o in ("-h", "--help", "-?"):
print __doc__
@@ -522,6 +549,8 @@ for o, a in opts:
skip_config = True
elif o == "--stop_after_config":
stop_after_config = True
+ elif o == "--synchronize":
+ synchronize = True
elif o == "--profile":
profile = True
@@ -556,13 +585,14 @@ try:
"rpkid_sql_username", "irdbd_sql_username", "pubd_sql_username")
if cfg.has_option(k))
- # Start clean
+ # Start clean, maybe
- for root, dirs, files in os.walk(test_dir, topdown = False):
- for file in files:
- os.unlink(os.path.join(root, file))
- for dir in dirs:
- os.rmdir(os.path.join(root, dir))
+ if not skip_config:
+ for root, dirs, files in os.walk(test_dir, topdown = False):
+ for fn in files:
+ os.unlink(os.path.join(root, fn))
+ for d in dirs:
+ os.rmdir(os.path.join(root, d))
# Read first YAML doc in file and process as compact description of
# test layout and resource allocations. Ignore subsequent YAML docs,
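Review bot: The cleanup loop calls `os.rmdir` on every name in `dirs`, but `os.walk` also lists symbolic links to directories there and `os.rmdir` raises OSError on a link, so a single stray symlink under `test_dir` aborts the run before any configuration happens. Removing links with `os.unlink` avoids that and never touches what the link points to: `p = os.path.join(root, d)` followed by `if os.path.islink(p): os.unlink(p)` and `else: os.rmdir(p)`. The comment `# Start clean, maybe` could also say what decides it, e.g. `# Start clean unless --skip_config asked us to reuse the existing tree`. The enclosing `try:` block starts and ends outside this hunk.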
@@ -574,62 +604,69 @@ try:
#db.dump()
- # Set up each entity in our test
+ if skip_config:
+
+ print "Skipping pre-daemon configuration, assuming you already did that"
+
+ else:
+
+ # Set up each entity in our test
- for d in db:
- if not d.is_hosted:
- os.makedirs(d.path())
- d.dump_conf("rpki.conf")
- if d.runs_pubd:
- d.dump_rsyncd("rsyncd.conf")
+ for d in db:
+ if not d.is_hosted:
+ os.makedirs(d.path())
+ d.dump_conf()
+ if d.runs_pubd:
+ d.dump_rsyncd()
- # Initialize BPKI and generate self-descriptor for each entity.
+ # Initialize BPKI and generate self-descriptor for each entity.
- for d in db:
- d.run_rpkic("initialize")
+ for d in db:
+ d.run_rpkic("initialize")
- # Create publication directories.
+ # Create publication directories.
- for d in db:
- if d.is_root or d.runs_pubd:
- os.makedirs(d.path("publication"))
+ for d in db:
+ if d.runs_pubd:
+ os.makedirs(d.path("publication"))
+ if d.is_root:
+ os.makedirs(d.path("publication.root"))
- # Create RPKI root certificate.
+ # Create RPKI root certificate.
- print "Creating rootd RPKI root certificate"
+ print "Creating rootd RPKI root certificate"
- root_resources = rpki.resource_set.resource_bag(
- asn = rpki.resource_set.resource_set_as("0-4294967295"),
- v4 = rpki.resource_set.resource_set_ipv4("0.0.0.0/0"),
- v6 = rpki.resource_set.resource_set_ipv6("::/0"))
+ root_resources = rpki.resource_set.resource_bag(
+ asn = rpki.resource_set.resource_set_as("0-4294967295"),
+ v4 = rpki.resource_set.resource_set_ipv4("0.0.0.0/0"),
+ v6 = rpki.resource_set.resource_set_ipv6("::/0"))
- root_key = rpki.x509.RSA.generate(quiet = True)
+ root_key = rpki.x509.RSA.generate(quiet = True)
- root_uri = "rsync://localhost:%d/rpki/" % db.root.pubd.rsync_port
+ root_uri = "rsync://localhost:%d/rpki/" % db.root.pubd.rsync_port
- root_sia = ((rpki.oids.name2oid["id-ad-caRepository"], ("uri", root_uri)),
- (rpki.oids.name2oid["id-ad-rpkiManifest"], ("uri", root_uri + "root.mnf")))
+ root_sia = (root_uri, root_uri + "root.mft", None)
- root_cert = rpki.x509.X509.self_certify(
- keypair = root_key,
- subject_key = root_key.get_RSApublic(),
- serial = 1,
- sia = root_sia,
- notAfter = rpki.sundial.now() + rpki.sundial.timedelta(days = 365),
- resources = root_resources)
+ root_cert = rpki.x509.X509.self_certify(
+ keypair = root_key,
+ subject_key = root_key.get_RSApublic(),
+ serial = 1,
+ sia = root_sia,
+ notAfter = rpki.sundial.now() + rpki.sundial.timedelta(days = 365),
+ resources = root_resources)
- f = open(db.root.path("publication/root.cer"), "wb")
- f.write(root_cert.get_DER())
- f.close()
+ f = open(db.root.path("publication.root/root.cer"), "wb")
+ f.write(root_cert.get_DER())
+ f.close()
- f = open(db.root.path("root.key"), "wb")
- f.write(root_key.get_DER())
- f.close()
+ f = open(db.root.path("root.key"), "wb")
+ f.write(root_key.get_DER())
+ f.close()
- f = open(os.path.join(test_dir, "root.tal"), "w")
- f.write(root_uri + "root.cer\n")
- f.write(root_key.get_RSApublic().get_Base64())
- f.close()
+ f = open(os.path.join(test_dir, "root.tal"), "w")
+ f.write("rsync://localhost:%d/root/root.cer\n\n" % db.root.pubd.rsync_port)
+ f.write(root_key.get_RSApublic().get_Base64())
+ f.close()
# From here on we need to pay attention to initialization order. We
# used to do all the pre-configure_daemons stuff before running any
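Review bot: `root.key` is created with a plain `open(db.root.path("root.key"), "wb")`, so the root CA private key gets whatever mode the caller's umask allows, which with a common 022 umask is world-readable. Even in a test harness it is cheap to create it owner-only: `fd = os.open(db.root.path("root.key"), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600)` then `f = os.fdopen(fd, "wb")`. The mode argument only takes effect when the file is newly created, which should hold here because this branch runs only when the start-clean step has emptied `test_dir`. The enclosing `try:` block extends beyond this hunk.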
@@ -643,16 +680,16 @@ try:
for d in db:
- print
- print "Running daemons for", d.name
- if d.is_root:
- progs.append(d.run_rootd())
if not d.is_hosted:
+ print
+ print "Running daemons for", d.name
+ if d.is_root:
+ progs.append(d.run_rootd())
progs.append(d.run_irdbd())
progs.append(d.run_rpkid())
- if d.runs_pubd:
- progs.append(d.run_pubd())
- progs.append(d.run_rsyncd())
+ if d.runs_pubd:
+ progs.append(d.run_pubd())
+ progs.append(d.run_rsyncd())
print
print "Giving daemons time to start up"
@@ -661,7 +698,7 @@ try:
if skip_config:
- print "Skipping configure_*, you'll have to do that yourself"
+ print "Skipping configure_*, you'll have to do that yourself if needed"
else:
@@ -670,7 +707,7 @@ try:
print
print "Configuring", d.name
print
- if d.is_root:
+ if d.is_root:
assert not d.is_hosted
d.run_rpkic("configure_publication_client",
"--flat" if flat_publication else None,
@@ -693,22 +730,31 @@ try:
d.pubd.path("%s.repository-response.xml" % d.client_handle))
print
- print
- print "Loading CSV files"
- print
+ print
+ print "Done with initial configuration"
+ print
- for d in db:
- d.dump_asns("%s.asns.csv" % d.name, stop_after_config)
- d.dump_prefixes("%s.prefixes.csv" % d.name, stop_after_config)
- d.dump_roas("%s.roas.csv" % d.name, stop_after_config)
+ if synchronize:
+ print
+ print "Synchronizing"
+ print
+ for d in db:
+ if not d.is_hosted:
+ d.run_rpkic("synchronize")
- print
- print "Done with initial configuration"
- print
+ if synchronize or not skip_config:
+ print
+ print "Loading CSV files"
+ print
+ for d in db:
+ d.dump_asns()
+ d.dump_prefixes()
+ d.dump_roas()
# Wait until something terminates.
if not stop_after_config:
+ print
print "Waiting for daemons to exit"
signal.signal(signal.SIGCHLD, lambda *dont_care: None)
while (any(p.poll() is None for p in progs)
@@ -723,9 +769,31 @@ try:
print
signal.signal(signal.SIGCHLD, signal.SIG_DFL)
+
+ if profile:
+ how_long = 300
+ else:
+ how_long = 30
+
+ how_often = how_long / 2
+
+ for i in xrange(how_long):
+ if i % how_often == 0:
+ for p in progs:
+ if p.poll() is None:
+ print "Politely nudging pid %d" % p.pid
+ p.terminate()
+ print
+ if all(p.poll() is not None for p in progs):
+ break
+ time.sleep(1)
+
for p in progs:
if p.poll() is None:
- os.kill(p.pid, signal.SIGTERM)
+ print "Pulling the plug on pid %d" % p.pid
+ p.kill()
+
+ for p in progs:
print "Program pid %d %r returned %d" % (p.pid, p, p.wait())
finally:
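Review bot: The shutdown escalation added here is undocumented and the schedule is easy to misread: because `how_often = how_long / 2`, `terminate()` is sent at second 0 and again halfway through, and only processes still alive after `how_long` seconds get `kill()`. A comment above the loop would spell that out, e.g. `# SIGTERM now and again at half time; SIGKILL whatever survives how_long seconds`. The 300 versus 30 second choice under `profile` also deserves a line; presumably profiled daemons need longer to write their profile data, but the hunk does not say. The `try:` block this code sits in begins outside the hunk.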
diff --git a/rtr-origin/Makefile.in b/rtr-origin/Makefile.in
index 0f29c797..8a50e528 100644
--- a/rtr-origin/Makefile.in
+++ b/rtr-origin/Makefile.in
@@ -28,7 +28,7 @@ clean:
rm -f ${BIN}
install: all
- ${INSTALL} -d ${DESTDIR}${bindir}
+ if test -d ${DESTDIR}${bindir} ; then :; else ${INSTALL} -d ${DESTDIR}${bindir}; fi
${INSTALL} ${BIN} ${DESTDIR}${bindir}/${BIN}
deinstall uninstall:
diff --git a/rtr-origin/rtr-origin.py b/rtr-origin/rtr-origin.py
index d2986c1f..95bef50e 100755
--- a/rtr-origin/rtr-origin.py
+++ b/rtr-origin/rtr-origin.py
@@ -9,7 +9,7 @@
#
# $Id$
#
-# Copyright (C) 2009-2011 Internet Systems Consortium ("ISC")
+# Copyright (C) 2009-2012 Internet Systems Consortium ("ISC")
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
diff --git a/scripts/Old/test-pow-tls.py b/scripts/Old/test-pow-tls.py
deleted file mode 100644
index bc9ea9a0..00000000
--- a/scripts/Old/test-pow-tls.py
+++ /dev/null
@@ -1,61 +0,0 @@
-"""
-Grope towards testing TLS functionality in POW
-
-$Id$
-
-Copyright (C) 2008 American Registry for Internet Numbers ("ARIN")
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
-REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
-INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-PERFORMANCE OF THIS SOFTWARE.
-"""
-
-# openssl s_server -tls1 -Verify 9 -cert biz-certs/Alice-EE.cer -key biz-certs/Alice-EE.key -www -CApath biz-certs -chain
-
-# openssl s_client -connect localhost:4433 -tls1 -cert biz-certs/Bob-EE.cer -key biz-certs/Bob-EE.key -verify 9 -CApath biz-certs -crlf
-
-import POW, socket
-
-def pow_error_iterator():
- err = POW.getError()
- if err is None:
- raise StopIteration
- else:
- yield err
-
-key = POW.pemRead(POW.RSA_PRIVATE_KEY, open("biz-certs/Bob-EE.key").read())
-cer = POW.pemRead(POW.X509_CERTIFICATE, open("biz-certs/Bob-EE.cer").read())
-ca = POW.pemRead(POW.X509_CERTIFICATE, open("biz-certs/Bob-CA.cer").read())
-
-s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-s.connect(("localhost", 4433))
-
-try:
- t = POW.Ssl(POW.TLSV1_CLIENT_METHOD)
- t.useCertificate(cer)
- t.useKey(key)
- t.addCertificate(ca)
- t.setFd(s.fileno())
- t.connect()
- x = t.peerCertificate()
- if x is not None:
- print "Peer", x.pprint()
- t.write("GET / HTTP/1.0\r\n")
- if False:
- print t.read(10000)
- else:
- while True:
- print t.read()
-except:
- print "ERROR:"
- for e in pow_error_iterator():
- print e
- raise
diff --git a/scripts/Old/tls-client.py b/scripts/Old/tls-client.py
deleted file mode 100644
index ef879a5c..00000000
--- a/scripts/Old/tls-client.py
+++ /dev/null
@@ -1,27 +0,0 @@
-# $Id$
-
-import socket, POW, time
-
-key = POW.pemRead(POW.RSA_PRIVATE_KEY, open("Carol.key", "r").read())
-cer = POW.pemRead(POW.X509_CERTIFICATE, open("Carol.cer", "r").read())
-ta = POW.pemRead(POW.X509_CERTIFICATE, open("Alice-TA.cer", "r").read())
-
-s = socket.socket()
-s.connect(('',6666))
-
-ssl = POW.Ssl(POW.TLSV1_CLIENT_METHOD)
-
-ssl.useCertificate(cer)
-ssl.useKey(key)
-ssl.setVerifyMode(POW.SSL_VERIFY_PEER | POW.SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
-ssl.trustCertificate(ta)
-
-ssl.setFd(s.fileno())
-ssl.connect()
-
-peer = ssl.peerCertificate()
-if peer is not None:
- print peer.pprint()
-
-print ssl.read(100)
-ssl.write("Bye")
diff --git a/scripts/Old/tls-server.py b/scripts/Old/tls-server.py
deleted file mode 100644
index d3798a32..00000000
--- a/scripts/Old/tls-server.py
+++ /dev/null
@@ -1,40 +0,0 @@
-# $Id$
-
-import socket, POW, time
-
-key = POW.pemRead(POW.RSA_PRIVATE_KEY, open("Alice.key", "r").read())
-cer = POW.pemRead(POW.X509_CERTIFICATE, open("Alice.cer", "r").read())
-ta = POW.pemRead(POW.X509_CERTIFICATE, open("Carol-TA.cer", "r").read())
-
-listener = socket.socket()
-listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
-listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
-listener.bind(('',6666))
-listener.listen(5)
-
-s, addr = listener.accept()
-while not s:
- time.sleep(2)
- s, addr = listener.accept()
-
-s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
-s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
-
-print "Got connection %r from %r" % (s, addr)
-
-ssl = POW.Ssl(POW.TLSV1_SERVER_METHOD)
-
-ssl.useCertificate(cer)
-ssl.useKey(key)
-ssl.setVerifyMode(POW.SSL_VERIFY_PEER | POW.SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
-ssl.trustCertificate(ta)
-
-ssl.setFd(s.fileno())
-ssl.accept()
-
-peer = ssl.peerCertificate()
-if peer is not None:
- print peer.pprint()
-
-ssl.write("Hello, TLS")
-print ssl.read(100)
diff --git a/scripts/convert-from-entitydb-to-sql.py b/scripts/convert-from-entitydb-to-sql.py
index 57f7588b..d8147574 100644
--- a/scripts/convert-from-entitydb-to-sql.py
+++ b/scripts/convert-from-entitydb-to-sql.py
@@ -6,7 +6,7 @@ you're doing.
$Id$
-Copyright (C) 2011 Internet Systems Consortium ("ISC")
+Copyright (C) 2011-2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
diff --git a/scripts/find-roa-expiration.py b/scripts/find-roa-expiration.py
index 0ae6fa66..151de446 100644
--- a/scripts/find-roa-expiration.py
+++ b/scripts/find-roa-expiration.py
@@ -48,13 +48,13 @@ for line in subprocess.check_output(["find_roa"] + sys.argv[1:]).splitlines():
del words[-1]
print " ".join(words)
- x = rpki.POW.derRead(rpki.POW.CMS_MESSAGE, open(fn, "rb").read()).certs()[0]
+ x = rpki.POW.CMS.derReadFile(fn).certs()[0]
uri = get_aia(x)
print x.getNotAfter(), filename_to_uri(fn)
while uri:
fn = uri_to_filename(uri)
- x = rpki.POW.derRead(rpki.POW.X509_CERTIFICATE, open(fn, "rb").read())
+ x = rpki.POW.X509.derReadFile(fn)
print x.getNotAfter(), uri
uri = get_aia(x)
diff --git a/scripts/format-application-x-rpki.py b/scripts/format-application-x-rpki.py
index a7e58f49..00a101aa 100644
--- a/scripts/format-application-x-rpki.py
+++ b/scripts/format-application-x-rpki.py
@@ -6,7 +6,7 @@ format because nmh makes a handy viewer.
$Id$
-Copyright (C) 2010 Internet Systems Consortium ("ISC")
+Copyright (C) 2010-2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -21,8 +21,18 @@ OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
"""
-import email.mime, email.mime.application, email.mime.text, email.mime.multipart, email.utils, email.encoders
-import mailbox, rpki.POW, lxml.etree, getopt, sys, base64
+import email.mime
+import email.mime.application
+import email.mime.text
+import email.mime.multipart
+import email.utils
+import email.encoders
+import mailbox
+import rpki.POW
+import lxml.etree
+import getopt
+import sys
+import base64
source_name = None
destination_name = None
@@ -56,7 +66,7 @@ if argv or source_name is None or destination_name is None:
usage(ok = False)
def pprint_cert(b64):
- return rpki.POW.derRead(rpki.POW.X509_CERTIFICATE, base64.b64decode(b64)).pprint()
+ return rpki.POW.X509.derRead(base64.b64decode(b64)).pprint()
def up_down():
msg["X-RPKI-Up-Down-Type"] = xml.get("type")
@@ -101,7 +111,7 @@ try:
continue
assert not srcmsg.is_multipart() and srcmsg.get_content_type() == "application/x-rpki"
payload = srcmsg.get_payload(decode = True)
- cms = rpki.POW.derRead(rpki.POW.CMS_MESSAGE, payload)
+ cms = rpki.POW.CMS.derRead(payload)
txt = cms.verify(rpki.POW.X509Store(), None, rpki.POW.CMS_NOCRL | rpki.POW.CMS_NO_SIGNER_CERT_VERIFY | rpki.POW.CMS_NO_ATTR_VERIFY | rpki.POW.CMS_NO_CONTENT_VERIFY)
xml = lxml.etree.fromstring(txt)
tag = xml.tag
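Review bot: `cms.verify()` is called with every check switched off (`CMS_NOCRL | CMS_NO_SIGNER_CERT_VERIFY | CMS_NO_ATTR_VERIFY | CMS_NO_CONTENT_VERIFY`) and an empty `X509Store`, so `txt` is unauthenticated content from the mailbox, and it goes straight into `lxml.etree.fromstring(txt)` with the default parser. For a viewer that may be intended, but the parser should then be restricted, e.g. `xml = lxml.etree.fromstring(txt, lxml.etree.XMLParser(resolve_entities = False))`, and a comment should state that the signature is deliberately not checked here. The `assert` on the content type two lines earlier is also stripped under `python -O`, so an explicit test that raises would hold in both modes. The surrounding `try:` block starts and ends outside this hunk.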
diff --git a/scripts/show-tracking-data.py b/scripts/show-tracking-data.py
index 93b09ab8..b032160a 100644
--- a/scripts/show-tracking-data.py
+++ b/scripts/show-tracking-data.py
@@ -26,12 +26,14 @@ PERFORMANCE OF THIS SOFTWARE.
import os
import sys
import rpki.x509
+import rpki.sundial
rcynic_dir = sys.argv[1]
for root, dirs, files in os.walk(rcynic_dir):
for f in files:
path = os.path.join(root, f)
+ date = rpki.sundial.datetime.utcfromtimestamp(os.stat(path).st_mtime)
uri = "rsync://" + path[len(rcynic_dir):].lstrip("/")
obj = rpki.x509.uri_dispatch(uri)(DER_file = path)
- print obj.tracking_data(uri)
+ print date, obj.tracking_data(uri)
diff --git a/scripts/x509-dot.py b/scripts/x509-dot.py
index 9ad5b79d..c820018e 100644
--- a/scripts/x509-dot.py
+++ b/scripts/x509-dot.py
@@ -3,7 +3,7 @@
"""
Generate .dot description of a certificate tree.
-Copyright (C) 2009-2011 Internet Systems Consortium ("ISC")
+Copyright (C) 2009-2012 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -61,9 +61,9 @@ class x509(object):
f.close()
if "-----BEGIN" in text:
- self.pow = rpki.POW.pemRead(rpki.POW.X509_CERTIFICATE, text)
+ self.pow = rpki.POW.X509.pemRead(text)
else:
- self.pow = rpki.POW.derRead(rpki.POW.X509_CERTIFICATE, text)
+ self.pow = rpki.POW.X509.derRead(text)
self.extensions = dict((e[0], e[2]) for e in (self.pow.getExtension(i) for i in xrange(self.pow.countExtensions())))
diff --git a/utils/find_roa/Makefile.in b/utils/find_roa/Makefile.in
index 4d2c3139..ebb77106 100644
--- a/utils/find_roa/Makefile.in
+++ b/utils/find_roa/Makefile.in
@@ -43,7 +43,7 @@ test: ${BIN}
sh ./test_roa.sh ${TEST_ARGS}
install: all
- ${INSTALL} -d ${DESTDIR}${bindir}
+ if test -d ${DESTDIR}${bindir} ; then :; else ${INSTALL} -d ${DESTDIR}${bindir}; fi
${INSTALL} ${BIN} ${DESTDIR}${bindir}
deinstall uninstall:
diff --git a/utils/find_roa/find_roa.c b/utils/find_roa/find_roa.c
index 3e1b488c..e91aead3 100644
--- a/utils/find_roa/find_roa.c
+++ b/utils/find_roa/find_roa.c
@@ -37,6 +37,8 @@
#include <openssl/asn1t.h>
#include <openssl/cms.h>
+#include <rpki/roa.h>
+
#ifndef FILENAME_MAX
#define FILENAME_MAX 1024
#endif
@@ -48,102 +50,6 @@
/*
- * ASN.1 templates. Not sure that ASN1_EXP_OPT() is the right macro
- * for these defaulted "version" fields, but it's what the examples
- * for this construction use. Probably doesn't matter since this
- * program only decodes manifests, never encodes them.
- */
-
-typedef struct ROAIPAddress_st {
- ASN1_BIT_STRING *IPAddress;
- ASN1_INTEGER *maxLength;
-} ROAIPAddress;
-
-DECLARE_STACK_OF(ROAIPAddress)
-
-ASN1_SEQUENCE(ROAIPAddress) = {
- ASN1_SIMPLE(ROAIPAddress, IPAddress, ASN1_BIT_STRING),
- ASN1_OPT(ROAIPAddress, maxLength, ASN1_INTEGER)
-} ASN1_SEQUENCE_END(ROAIPAddress)
-
-typedef struct ROAIPAddressFamily_st {
- ASN1_OCTET_STRING *addressFamily;
- STACK_OF(ROAIPAddress) *addresses;
-} ROAIPAddressFamily;
-
-DECLARE_STACK_OF(ROAIPAddressFamily)
-
-ASN1_SEQUENCE(ROAIPAddressFamily) = {
- ASN1_SIMPLE(ROAIPAddressFamily, addressFamily, ASN1_OCTET_STRING),
- ASN1_SEQUENCE_OF(ROAIPAddressFamily, addresses, ROAIPAddress)
-} ASN1_SEQUENCE_END(ROAIPAddressFamily)
-
-typedef struct ROA_st {
- ASN1_INTEGER *version, *asID;
- STACK_OF(ROAIPAddressFamily) *ipAddrBlocks;
-} ROA;
-
-ASN1_SEQUENCE(ROA) = {
- ASN1_EXP_OPT(ROA, version, ASN1_INTEGER, 0),
- ASN1_SIMPLE(ROA, asID, ASN1_INTEGER),
- ASN1_SEQUENCE_OF(ROA, ipAddrBlocks, ROAIPAddressFamily)
-} ASN1_SEQUENCE_END(ROA)
-
-DECLARE_ASN1_FUNCTIONS(ROAIPAddress)
-DECLARE_ASN1_FUNCTIONS(ROAIPAddressFamily)
-DECLARE_ASN1_FUNCTIONS(ROA)
-
-IMPLEMENT_ASN1_FUNCTIONS(ROAIPAddress)
-IMPLEMENT_ASN1_FUNCTIONS(ROAIPAddressFamily)
-IMPLEMENT_ASN1_FUNCTIONS(ROA)
-
-#define sk_ROAIPAddress_new(st) SKM_sk_new(ROAIPAddress, (st))
-#define sk_ROAIPAddress_new_null() SKM_sk_new_null(ROAIPAddress)
-#define sk_ROAIPAddress_free(st) SKM_sk_free(ROAIPAddress, (st))
-#define sk_ROAIPAddress_num(st) SKM_sk_num(ROAIPAddress, (st))
-#define sk_ROAIPAddress_value(st, i) SKM_sk_value(ROAIPAddress, (st), (i))
-#define sk_ROAIPAddress_set(st, i, val) SKM_sk_set(ROAIPAddress, (st), (i), (val))
-#define sk_ROAIPAddress_zero(st) SKM_sk_zero(ROAIPAddress, (st))
-#define sk_ROAIPAddress_push(st, val) SKM_sk_push(ROAIPAddress, (st), (val))
-#define sk_ROAIPAddress_unshift(st, val) SKM_sk_unshift(ROAIPAddress, (st), (val))
-#define sk_ROAIPAddress_find(st, val) SKM_sk_find(ROAIPAddress, (st), (val))
-#define sk_ROAIPAddress_find_ex(st, val) SKM_sk_find_ex(ROAIPAddress, (st), (val))
-#define sk_ROAIPAddress_delete(st, i) SKM_sk_delete(ROAIPAddress, (st), (i))
-#define sk_ROAIPAddress_delete_ptr(st, ptr) SKM_sk_delete_ptr(ROAIPAddress, (st), (ptr))
-#define sk_ROAIPAddress_insert(st, val, i) SKM_sk_insert(ROAIPAddress, (st), (val), (i))
-#define sk_ROAIPAddress_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(ROAIPAddress, (st), (cmp))
-#define sk_ROAIPAddress_dup(st) SKM_sk_dup(ROAIPAddress, st)
-#define sk_ROAIPAddress_pop_free(st, free_func) SKM_sk_pop_free(ROAIPAddress, (st), (free_func))
-#define sk_ROAIPAddress_shift(st) SKM_sk_shift(ROAIPAddress, (st))
-#define sk_ROAIPAddress_pop(st) SKM_sk_pop(ROAIPAddress, (st))
-#define sk_ROAIPAddress_sort(st) SKM_sk_sort(ROAIPAddress, (st))
-#define sk_ROAIPAddress_is_sorted(st) SKM_sk_is_sorted(ROAIPAddress, (st))
-
-#define sk_ROAIPAddressFamily_new(st) SKM_sk_new(ROAIPAddressFamily, (st))
-#define sk_ROAIPAddressFamily_new_null() SKM_sk_new_null(ROAIPAddressFamily)
-#define sk_ROAIPAddressFamily_free(st) SKM_sk_free(ROAIPAddressFamily, (st))
-#define sk_ROAIPAddressFamily_num(st) SKM_sk_num(ROAIPAddressFamily, (st))
-#define sk_ROAIPAddressFamily_value(st, i) SKM_sk_value(ROAIPAddressFamily, (st), (i))
-#define sk_ROAIPAddressFamily_set(st, i, val) SKM_sk_set(ROAIPAddressFamily, (st), (i), (val))
-#define sk_ROAIPAddressFamily_zero(st) SKM_sk_zero(ROAIPAddressFamily, (st))
-#define sk_ROAIPAddressFamily_push(st, val) SKM_sk_push(ROAIPAddressFamily, (st), (val))
-#define sk_ROAIPAddressFamily_unshift(st, val) SKM_sk_unshift(ROAIPAddressFamily, (st), (val))
-#define sk_ROAIPAddressFamily_find(st, val) SKM_sk_find(ROAIPAddressFamily, (st), (val))
-#define sk_ROAIPAddressFamily_find_ex(st, val) SKM_sk_find_ex(ROAIPAddressFamily, (st), (val))
-#define sk_ROAIPAddressFamily_delete(st, i) SKM_sk_delete(ROAIPAddressFamily, (st), (i))
-#define sk_ROAIPAddressFamily_delete_ptr(st, ptr) SKM_sk_delete_ptr(ROAIPAddressFamily, (st), (ptr))
-#define sk_ROAIPAddressFamily_insert(st, val, i) SKM_sk_insert(ROAIPAddressFamily, (st), (val), (i))
-#define sk_ROAIPAddressFamily_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(ROAIPAddressFamily, (st), (cmp))
-#define sk_ROAIPAddressFamily_dup(st) SKM_sk_dup(ROAIPAddressFamily, st)
-#define sk_ROAIPAddressFamily_pop_free(st, free_func) SKM_sk_pop_free(ROAIPAddressFamily, (st), (free_func))
-#define sk_ROAIPAddressFamily_shift(st) SKM_sk_shift(ROAIPAddressFamily, (st))
-#define sk_ROAIPAddressFamily_pop(st) SKM_sk_pop(ROAIPAddressFamily, (st))
-#define sk_ROAIPAddressFamily_sort(st) SKM_sk_sort(ROAIPAddressFamily, (st))
-#define sk_ROAIPAddressFamily_is_sorted(st) SKM_sk_is_sorted(ROAIPAddressFamily, (st))
-
-
-
-/*
* Error handling.
*/
diff --git a/utils/hashdir/Makefile.in b/utils/hashdir/Makefile.in
index 782561d7..c0cf448a 100644
--- a/utils/hashdir/Makefile.in
+++ b/utils/hashdir/Makefile.in
@@ -45,7 +45,7 @@ clean::
rm -rf ${OUTPUT}
install: all
- ${INSTALL} -d ${DESTDIR}${bindir}
+ if test -d ${DESTDIR}${bindir} ; then :; else ${INSTALL} -d ${DESTDIR}${bindir}; fi
${INSTALL} ${BIN} ${DESTDIR}${bindir}
deinstall uninstall:
diff --git a/utils/print_roa/Makefile.in b/utils/print_roa/Makefile.in
index bbe01a1f..5999b351 100644
--- a/utils/print_roa/Makefile.in
+++ b/utils/print_roa/Makefile.in
@@ -42,7 +42,7 @@ test: all
if test -d ${ROA_DIR}; then find ${ROA_DIR} -type f -name '*.roa' -print -exec ./${BIN} {} \; ; else :; fi
install: all
- ${INSTALL} -d ${DESTDIR}${bindir}
+ if test -d ${DESTDIR}${bindir} ; then :; else ${INSTALL} -d ${DESTDIR}${bindir}; fi
${INSTALL} ${BIN} ${DESTDIR}${bindir}
deinstall uninstall:
diff --git a/utils/print_roa/print_roa.c b/utils/print_roa/print_roa.c
index 7783a180..a4febb0e 100644
--- a/utils/print_roa/print_roa.c
+++ b/utils/print_roa/print_roa.c
@@ -41,6 +41,8 @@
#include <openssl/asn1t.h>
#include <openssl/cms.h>
+#include <rpki/roa.h>
+
/*
* How much buffer space do we need for a raw address?
*/
@@ -49,102 +51,6 @@
/*
- * ASN.1 templates. Not sure that ASN1_EXP_OPT() is the right macro
- * for these defaulted "version" fields, but it's what the examples
- * for this construction use. Probably doesn't matter since this
- * program only decodes manifests, never encodes them.
- */
-
-typedef struct ROAIPAddress_st {
- ASN1_BIT_STRING *IPAddress;
- ASN1_INTEGER *maxLength;
-} ROAIPAddress;
-
-DECLARE_STACK_OF(ROAIPAddress)
-
-ASN1_SEQUENCE(ROAIPAddress) = {
- ASN1_SIMPLE(ROAIPAddress, IPAddress, ASN1_BIT_STRING),
- ASN1_OPT(ROAIPAddress, maxLength, ASN1_INTEGER)
-} ASN1_SEQUENCE_END(ROAIPAddress)
-
-typedef struct ROAIPAddressFamily_st {
- ASN1_OCTET_STRING *addressFamily;
- STACK_OF(ROAIPAddress) *addresses;
-} ROAIPAddressFamily;
-
-DECLARE_STACK_OF(ROAIPAddressFamily)
-
-ASN1_SEQUENCE(ROAIPAddressFamily) = {
- ASN1_SIMPLE(ROAIPAddressFamily, addressFamily, ASN1_OCTET_STRING),
- ASN1_SEQUENCE_OF(ROAIPAddressFamily, addresses, ROAIPAddress)
-} ASN1_SEQUENCE_END(ROAIPAddressFamily)
-
-typedef struct ROA_st {
- ASN1_INTEGER *version, *asID;
- STACK_OF(ROAIPAddressFamily) *ipAddrBlocks;
-} ROA;
-
-ASN1_SEQUENCE(ROA) = {
- ASN1_EXP_OPT(ROA, version, ASN1_INTEGER, 0),
- ASN1_SIMPLE(ROA, asID, ASN1_INTEGER),
- ASN1_SEQUENCE_OF(ROA, ipAddrBlocks, ROAIPAddressFamily)
-} ASN1_SEQUENCE_END(ROA)
-
-DECLARE_ASN1_FUNCTIONS(ROAIPAddress)
-DECLARE_ASN1_FUNCTIONS(ROAIPAddressFamily)
-DECLARE_ASN1_FUNCTIONS(ROA)
-
-IMPLEMENT_ASN1_FUNCTIONS(ROAIPAddress)
-IMPLEMENT_ASN1_FUNCTIONS(ROAIPAddressFamily)
-IMPLEMENT_ASN1_FUNCTIONS(ROA)
-
-#define sk_ROAIPAddress_new(st) SKM_sk_new(ROAIPAddress, (st))
-#define sk_ROAIPAddress_new_null() SKM_sk_new_null(ROAIPAddress)
-#define sk_ROAIPAddress_free(st) SKM_sk_free(ROAIPAddress, (st))
-#define sk_ROAIPAddress_num(st) SKM_sk_num(ROAIPAddress, (st))
-#define sk_ROAIPAddress_value(st, i) SKM_sk_value(ROAIPAddress, (st), (i))
-#define sk_ROAIPAddress_set(st, i, val) SKM_sk_set(ROAIPAddress, (st), (i), (val))
-#define sk_ROAIPAddress_zero(st) SKM_sk_zero(ROAIPAddress, (st))
-#define sk_ROAIPAddress_push(st, val) SKM_sk_push(ROAIPAddress, (st), (val))
-#define sk_ROAIPAddress_unshift(st, val) SKM_sk_unshift(ROAIPAddress, (st), (val))
-#define sk_ROAIPAddress_find(st, val) SKM_sk_find(ROAIPAddress, (st), (val))
-#define sk_ROAIPAddress_find_ex(st, val) SKM_sk_find_ex(ROAIPAddress, (st), (val))
-#define sk_ROAIPAddress_delete(st, i) SKM_sk_delete(ROAIPAddress, (st), (i))
-#define sk_ROAIPAddress_delete_ptr(st, ptr) SKM_sk_delete_ptr(ROAIPAddress, (st), (ptr))
-#define sk_ROAIPAddress_insert(st, val, i) SKM_sk_insert(ROAIPAddress, (st), (val), (i))
-#define sk_ROAIPAddress_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(ROAIPAddress, (st), (cmp))
-#define sk_ROAIPAddress_dup(st) SKM_sk_dup(ROAIPAddress, st)
-#define sk_ROAIPAddress_pop_free(st, free_func) SKM_sk_pop_free(ROAIPAddress, (st), (free_func))
-#define sk_ROAIPAddress_shift(st) SKM_sk_shift(ROAIPAddress, (st))
-#define sk_ROAIPAddress_pop(st) SKM_sk_pop(ROAIPAddress, (st))
-#define sk_ROAIPAddress_sort(st) SKM_sk_sort(ROAIPAddress, (st))
-#define sk_ROAIPAddress_is_sorted(st) SKM_sk_is_sorted(ROAIPAddress, (st))
-
-#define sk_ROAIPAddressFamily_new(st) SKM_sk_new(ROAIPAddressFamily, (st))
-#define sk_ROAIPAddressFamily_new_null() SKM_sk_new_null(ROAIPAddressFamily)
-#define sk_ROAIPAddressFamily_free(st) SKM_sk_free(ROAIPAddressFamily, (st))
-#define sk_ROAIPAddressFamily_num(st) SKM_sk_num(ROAIPAddressFamily, (st))
-#define sk_ROAIPAddressFamily_value(st, i) SKM_sk_value(ROAIPAddressFamily, (st), (i))
-#define sk_ROAIPAddressFamily_set(st, i, val) SKM_sk_set(ROAIPAddressFamily, (st), (i), (val))
-#define sk_ROAIPAddressFamily_zero(st) SKM_sk_zero(ROAIPAddressFamily, (st))
-#define sk_ROAIPAddressFamily_push(st, val) SKM_sk_push(ROAIPAddressFamily, (st), (val))
-#define sk_ROAIPAddressFamily_unshift(st, val) SKM_sk_unshift(ROAIPAddressFamily, (st), (val))
-#define sk_ROAIPAddressFamily_find(st, val) SKM_sk_find(ROAIPAddressFamily, (st), (val))
-#define sk_ROAIPAddressFamily_find_ex(st, val) SKM_sk_find_ex(ROAIPAddressFamily, (st), (val))
-#define sk_ROAIPAddressFamily_delete(st, i) SKM_sk_delete(ROAIPAddressFamily, (st), (i))
-#define sk_ROAIPAddressFamily_delete_ptr(st, ptr) SKM_sk_delete_ptr(ROAIPAddressFamily, (st), (ptr))
-#define sk_ROAIPAddressFamily_insert(st, val, i) SKM_sk_insert(ROAIPAddressFamily, (st), (val), (i))
-#define sk_ROAIPAddressFamily_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(ROAIPAddressFamily, (st), (cmp))
-#define sk_ROAIPAddressFamily_dup(st) SKM_sk_dup(ROAIPAddressFamily, st)
-#define sk_ROAIPAddressFamily_pop_free(st, free_func) SKM_sk_pop_free(ROAIPAddressFamily, (st), (free_func))
-#define sk_ROAIPAddressFamily_shift(st) SKM_sk_shift(ROAIPAddressFamily, (st))
-#define sk_ROAIPAddressFamily_pop(st) SKM_sk_pop(ROAIPAddressFamily, (st))
-#define sk_ROAIPAddressFamily_sort(st) SKM_sk_sort(ROAIPAddressFamily, (st))
-#define sk_ROAIPAddressFamily_is_sorted(st) SKM_sk_is_sorted(ROAIPAddressFamily, (st))
-
-
-
-/*
* Extract signing time from CMS message.
*/
diff --git a/utils/print_rpki_manifest/Makefile.in b/utils/print_rpki_manifest/Makefile.in
index 8a525891..22f1b16b 100644
--- a/utils/print_rpki_manifest/Makefile.in
+++ b/utils/print_rpki_manifest/Makefile.in
@@ -42,7 +42,7 @@ test: all
if test -d ${MANIFEST_DIR}; then find ${MANIFEST_DIR} -type f -name '*.mnf' -print -exec ./${BIN} {} \; ; else :; fi
install: all
- ${INSTALL} -d ${DESTDIR}${bindir}
+ if test -d ${DESTDIR}${bindir} ; then :; else ${INSTALL} -d ${DESTDIR}${bindir}; fi
${INSTALL} ${BIN} ${DESTDIR}${bindir}
deinstall uninstall:
diff --git a/utils/print_rpki_manifest/print_rpki_manifest.c b/utils/print_rpki_manifest/print_rpki_manifest.c
index 727bce5d..53962162 100644
--- a/utils/print_rpki_manifest/print_rpki_manifest.c
+++ b/utils/print_rpki_manifest/print_rpki_manifest.c
@@ -40,44 +40,7 @@
#include <openssl/asn1t.h>
#include <openssl/cms.h>
-/*
- * ASN.1 templates for signed manifests. Not sure that ASN1_EXP_OPT()
- * is the right macro for "version", but it's what the examples for
- * this construction use. Probably doesn't matter since this program
- * only decodes manifests, never encodes them.
- */
-
-typedef struct FileAndHash_st {
- ASN1_IA5STRING *file;
- ASN1_BIT_STRING *hash;
-} FileAndHash;
-
-ASN1_SEQUENCE(FileAndHash) = {
- ASN1_SIMPLE(FileAndHash, file, ASN1_IA5STRING),
- ASN1_SIMPLE(FileAndHash, hash, ASN1_BIT_STRING)
-} ASN1_SEQUENCE_END(FileAndHash)
-
-DECLARE_STACK_OF(FileAndHash)
-DECLARE_ASN1_FUNCTIONS(FileAndHash)
-
-#define sk_FileAndHash_num(st) SKM_sk_num(FileAndHash, (st))
-#define sk_FileAndHash_value(st, i) SKM_sk_value(FileAndHash, (st), (i))
-
-typedef struct Manifest_st {
- ASN1_INTEGER *version, *manifestNumber;
- ASN1_GENERALIZEDTIME *thisUpdate, *nextUpdate;
- ASN1_OBJECT *fileHashAlg;
- STACK_OF(FileAndHash) *fileList;
-} Manifest;
-
-ASN1_SEQUENCE(Manifest) = {
- ASN1_EXP_OPT(Manifest, version, ASN1_INTEGER, 0),
- ASN1_SIMPLE(Manifest, manifestNumber, ASN1_INTEGER),
- ASN1_SIMPLE(Manifest, thisUpdate, ASN1_GENERALIZEDTIME),
- ASN1_SIMPLE(Manifest, nextUpdate, ASN1_GENERALIZEDTIME),
- ASN1_SIMPLE(Manifest, fileHashAlg, ASN1_OBJECT),
- ASN1_SEQUENCE_OF(Manifest, fileList, FileAndHash)
-} ASN1_SEQUENCE_END(Manifest)
+#include <rpki/manifest.h>
/*
* Read manifest (CMS object) in DER format.
diff --git a/utils/scan_roas/Makefile.in b/utils/scan_roas/Makefile.in
index 39936994..3d86532d 100644
--- a/utils/scan_roas/Makefile.in
+++ b/utils/scan_roas/Makefile.in
@@ -42,7 +42,7 @@ test: all
if test -d ${ROA_DIR}; then find ${ROA_DIR} -type f -name '*.roa' -print -exec ./${BIN} {} \; ; else :; fi
install: all
- ${INSTALL} -d ${DESTDIR}${bindir}
+ if test -d ${DESTDIR}${bindir} ; then :; else ${INSTALL} -d ${DESTDIR}${bindir}; fi
${INSTALL} ${BIN} ${DESTDIR}${bindir}
deinstall uninstall:
diff --git a/utils/scan_roas/scan_roas.c b/utils/scan_roas/scan_roas.c
index 84251295..7765a603 100644
--- a/utils/scan_roas/scan_roas.c
+++ b/utils/scan_roas/scan_roas.c
@@ -56,6 +56,8 @@
#include <openssl/asn1t.h>
#include <openssl/cms.h>
+#include <rpki/roa.h>
+
/*
* How much buffer space do we need for a raw address?
*/
@@ -69,102 +71,6 @@
/*
- * ASN.1 templates. Not sure that ASN1_EXP_OPT() is the right macro
- * for these defaulted "version" fields, but it's what the examples
- * for this construction use. Probably doesn't matter since this
- * program only decodes manifests, never encodes them.
- */
-
-typedef struct ROAIPAddress_st {
- ASN1_BIT_STRING *IPAddress;
- ASN1_INTEGER *maxLength;
-} ROAIPAddress;
-
-DECLARE_STACK_OF(ROAIPAddress)
-
-ASN1_SEQUENCE(ROAIPAddress) = {
- ASN1_SIMPLE(ROAIPAddress, IPAddress, ASN1_BIT_STRING),
- ASN1_OPT(ROAIPAddress, maxLength, ASN1_INTEGER)
-} ASN1_SEQUENCE_END(ROAIPAddress)
-
-typedef struct ROAIPAddressFamily_st {
- ASN1_OCTET_STRING *addressFamily;
- STACK_OF(ROAIPAddress) *addresses;
-} ROAIPAddressFamily;
-
-DECLARE_STACK_OF(ROAIPAddressFamily)
-
-ASN1_SEQUENCE(ROAIPAddressFamily) = {
- ASN1_SIMPLE(ROAIPAddressFamily, addressFamily, ASN1_OCTET_STRING),
- ASN1_SEQUENCE_OF(ROAIPAddressFamily, addresses, ROAIPAddress)
-} ASN1_SEQUENCE_END(ROAIPAddressFamily)
-
-typedef struct ROA_st {
- ASN1_INTEGER *version, *asID;
- STACK_OF(ROAIPAddressFamily) *ipAddrBlocks;
-} ROA;
-
-ASN1_SEQUENCE(ROA) = {
- ASN1_EXP_OPT(ROA, version, ASN1_INTEGER, 0),
- ASN1_SIMPLE(ROA, asID, ASN1_INTEGER),
- ASN1_SEQUENCE_OF(ROA, ipAddrBlocks, ROAIPAddressFamily)
-} ASN1_SEQUENCE_END(ROA)
-
-DECLARE_ASN1_FUNCTIONS(ROAIPAddress)
-DECLARE_ASN1_FUNCTIONS(ROAIPAddressFamily)
-DECLARE_ASN1_FUNCTIONS(ROA)
-
-IMPLEMENT_ASN1_FUNCTIONS(ROAIPAddress)
-IMPLEMENT_ASN1_FUNCTIONS(ROAIPAddressFamily)
-IMPLEMENT_ASN1_FUNCTIONS(ROA)
-
-#define sk_ROAIPAddress_new(st) SKM_sk_new(ROAIPAddress, (st))
-#define sk_ROAIPAddress_new_null() SKM_sk_new_null(ROAIPAddress)
-#define sk_ROAIPAddress_free(st) SKM_sk_free(ROAIPAddress, (st))
-#define sk_ROAIPAddress_num(st) SKM_sk_num(ROAIPAddress, (st))
-#define sk_ROAIPAddress_value(st, i) SKM_sk_value(ROAIPAddress, (st), (i))
-#define sk_ROAIPAddress_set(st, i, val) SKM_sk_set(ROAIPAddress, (st), (i), (val))
-#define sk_ROAIPAddress_zero(st) SKM_sk_zero(ROAIPAddress, (st))
-#define sk_ROAIPAddress_push(st, val) SKM_sk_push(ROAIPAddress, (st), (val))
-#define sk_ROAIPAddress_unshift(st, val) SKM_sk_unshift(ROAIPAddress, (st), (val))
-#define sk_ROAIPAddress_find(st, val) SKM_sk_find(ROAIPAddress, (st), (val))
-#define sk_ROAIPAddress_find_ex(st, val) SKM_sk_find_ex(ROAIPAddress, (st), (val))
-#define sk_ROAIPAddress_delete(st, i) SKM_sk_delete(ROAIPAddress, (st), (i))
-#define sk_ROAIPAddress_delete_ptr(st, ptr) SKM_sk_delete_ptr(ROAIPAddress, (st), (ptr))
-#define sk_ROAIPAddress_insert(st, val, i) SKM_sk_insert(ROAIPAddress, (st), (val), (i))
-#define sk_ROAIPAddress_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(ROAIPAddress, (st), (cmp))
-#define sk_ROAIPAddress_dup(st) SKM_sk_dup(ROAIPAddress, st)
-#define sk_ROAIPAddress_pop_free(st, free_func) SKM_sk_pop_free(ROAIPAddress, (st), (free_func))
-#define sk_ROAIPAddress_shift(st) SKM_sk_shift(ROAIPAddress, (st))
-#define sk_ROAIPAddress_pop(st) SKM_sk_pop(ROAIPAddress, (st))
-#define sk_ROAIPAddress_sort(st) SKM_sk_sort(ROAIPAddress, (st))
-#define sk_ROAIPAddress_is_sorted(st) SKM_sk_is_sorted(ROAIPAddress, (st))
-
-#define sk_ROAIPAddressFamily_new(st) SKM_sk_new(ROAIPAddressFamily, (st))
-#define sk_ROAIPAddressFamily_new_null() SKM_sk_new_null(ROAIPAddressFamily)
-#define sk_ROAIPAddressFamily_free(st) SKM_sk_free(ROAIPAddressFamily, (st))
-#define sk_ROAIPAddressFamily_num(st) SKM_sk_num(ROAIPAddressFamily, (st))
-#define sk_ROAIPAddressFamily_value(st, i) SKM_sk_value(ROAIPAddressFamily, (st), (i))
-#define sk_ROAIPAddressFamily_set(st, i, val) SKM_sk_set(ROAIPAddressFamily, (st), (i), (val))
-#define sk_ROAIPAddressFamily_zero(st) SKM_sk_zero(ROAIPAddressFamily, (st))
-#define sk_ROAIPAddressFamily_push(st, val) SKM_sk_push(ROAIPAddressFamily, (st), (val))
-#define sk_ROAIPAddressFamily_unshift(st, val) SKM_sk_unshift(ROAIPAddressFamily, (st), (val))
-#define sk_ROAIPAddressFamily_find(st, val) SKM_sk_find(ROAIPAddressFamily, (st), (val))
-#define sk_ROAIPAddressFamily_find_ex(st, val) SKM_sk_find_ex(ROAIPAddressFamily, (st), (val))
-#define sk_ROAIPAddressFamily_delete(st, i) SKM_sk_delete(ROAIPAddressFamily, (st), (i))
-#define sk_ROAIPAddressFamily_delete_ptr(st, ptr) SKM_sk_delete_ptr(ROAIPAddressFamily, (st), (ptr))
-#define sk_ROAIPAddressFamily_insert(st, val, i) SKM_sk_insert(ROAIPAddressFamily, (st), (val), (i))
-#define sk_ROAIPAddressFamily_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(ROAIPAddressFamily, (st), (cmp))
-#define sk_ROAIPAddressFamily_dup(st) SKM_sk_dup(ROAIPAddressFamily, st)
-#define sk_ROAIPAddressFamily_pop_free(st, free_func) SKM_sk_pop_free(ROAIPAddressFamily, (st), (free_func))
-#define sk_ROAIPAddressFamily_shift(st) SKM_sk_shift(ROAIPAddressFamily, (st))
-#define sk_ROAIPAddressFamily_pop(st) SKM_sk_pop(ROAIPAddressFamily, (st))
-#define sk_ROAIPAddressFamily_sort(st) SKM_sk_sort(ROAIPAddressFamily, (st))
-#define sk_ROAIPAddressFamily_is_sorted(st) SKM_sk_is_sorted(ROAIPAddressFamily, (st))
-
-
-
-/*
* Extract signing time from CMS message.
*/
diff --git a/utils/uri/uri.c b/utils/uri/uri.c
index 2b1b2d24..e741de5c 100644
--- a/utils/uri/uri.c
+++ b/utils/uri/uri.c
@@ -30,6 +30,7 @@
#include <openssl/bio.h>
#include <openssl/pem.h>
#include <openssl/err.h>
+#include <openssl/cms.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/safestack.h>
@@ -42,23 +43,44 @@ static const unsigned char id_ad_signedObject[] = {0x2b, 0x6, 0x1, 0x5
static X509 *read_cert(const char *filename, int format, int verbose)
{
+ BIO *b = BIO_new_file(filename, "r");
+ STACK_OF(X509) *certs = NULL;
+ CMS_ContentInfo *cms = NULL;
X509 *x = NULL;
- BIO *b;
- if ((b = BIO_new_file(filename, "r")) != NULL) {
+ if (b == NULL)
+ return NULL;
+
+ switch (format) {
+ case 'p':
+ x = PEM_read_bio_X509(b, NULL, NULL, NULL);
+ break;
+ case 'd':
+ x = d2i_X509_bio(b, NULL);
+ break;
+ }
+
+ if (x == NULL) {
+ BIO_reset(b);
switch (format) {
case 'p':
- x = PEM_read_bio_X509_AUX(b, NULL, NULL, NULL);
+ cms = PEM_read_bio_CMS(b, NULL, NULL, NULL);
break;
case 'd':
- x = d2i_X509_bio(b, NULL);
+ cms = d2i_CMS_bio(b, NULL);
break;
}
- if (verbose && x != NULL) {
- X509_print_fp(stdout, x);
- printf("\n");
- }
+ if (cms != NULL && (certs = CMS_get1_certs(cms)) != NULL)
+ x = sk_X509_shift(certs);
+ }
+
+ if (x != NULL && verbose) {
+ X509_print_fp(stdout, x);
+ printf("\n");
}
+
+ sk_X509_pop_free(certs, X509_free);
+ CMS_ContentInfo_free(cms);
BIO_free(b);
return x;
}
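Review bot: In the new CMS fallback of read_cert, `x = sk_X509_shift(certs)` returns whichever certificate happens to be first in the SignedData certificate set, and nothing in this function verifies the CMS signature, so whatever the caller extracts comes from an unauthenticated, position-selected certificate. If this tool is only meant for RPKI signed objects, which are expected to carry a single EE certificate, I would reject any other count with `if (cms != NULL && (certs = CMS_get1_certs(cms)) != NULL && sk_X509_num(certs) == 1)`. A comment above the fallback, for example `/* Certificate is taken from the CMS as-is and is NOT validated; for inspection only */`, would keep later callers from treating the result as trusted. The return value of `BIO_reset(b)` is also ignored. On a file BIO a failed rewind returns non-zero and would let the CMS parser start mid-stream, so `if (x == NULL && BIO_reset(b) == 0) {` is the safer guard.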