aboutsummaryrefslogtreecommitdiff
path: root/scripts/rpki/cms.py
blob: 3bb85986746da7ae0d4c462423835ef7306ef71f (plain) (blame) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67

# $Id$

"""
CMS routines.  For the moment these just call the OpenSSL CLI tool,
which is slow and requires disk I/O and likes PEM format.  Fix later.
"""

import os, POW

# openssl smime -sign -nodetach -outform DER -signer biz-certs/Alice-EE.cer -certfile biz-certs/Alice-CA.cer -inkey biz-certs/Alice-EE.key -in PLAN -out PLAN.der

def encode(xml, key, cert_files):

  # This is a little tricky, the OpenSSL CLI really wants us to tell
  # it which cert is the signer and which ones are not.  We don't know
  # a priori, so we have to figure it out.  Simple algorithm: assuming
  # this is a well-formed chain, we're looking for the one cert in
  # this collection that's not the issuer of any other cert in this
  # collection.

  def readPEM(filename):
    f = open(filename, "r")
    pem = f.read()
    f.close()
    return POW.pemRead(POW.X509_CERTIFICATE, pem)

  certs = [readPEM(x) for x in cert_files]
  issuers = [x.getIssuer() for x in certs]
  issuers = [x for x in certs if x.getSubject() in issuers]
  signers = [x for x in certs if x not in issuers]
  assert len(signers) == 1

  signer_filename = "cms.tmp.signer.pem"
  certfile_filename = "cms.tmp.certfile.pem"

  f = open(signer_filename, "w")
  f.write(signers[0].pemWrite())
  f.close()

  f = open(certfile_filename, "w")
  for cert in issuers:
    f.write(cert.pemWrite())
  f.close()

  i,o = os.popen2(["openssl", "smime", "-sign", "-nodetach", "-outform", "DER", "-signer", signer_filename, "-certfile", certfile_filename, "-inkey", key])
  i.write(xml)
  i.close()
  cms = o.read()
  o.close()

  os.unlink(signer_filename)
  os.unlink(certfile_filename)

  return cms

# openssl smime -verify -inform DER -in PLAN.der -CAfile biz-certs/Alice-Root.cer 

def decode(cms, ta):
  i,o,e = os.popen3(["openssl", "smime", "-verify", "-inform", "DER", "-CAfile", ta])
  i.write(cms)
  i.close()
  xml = o.read()
  o.close()
  status = e.read()
  e.close()
  assert status == "Verification successful\n", "CMS verification failed: %s" % status
  return xml
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-15 11:03:27 +0000