1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
|
# $Id$
"""One X.509 implementation to rule them all...
...and in the darkness hide the twisty maze of partially overlapping
X.509 support packages in Python.
There are several existing packages, none of which do quite what I
need, due to age, lack of documentation, specialization, or lack of
foresight on somebody's part (perhaps mine). This module attempts to
bring together the functionality I need in a way that hides at least
some of the nasty details. This involves a lot of format conversion.
"""
import POW, tlslite.api, POW.pkix, base64, rpki.exceptions, rpki.resource_set
class PEM_converter(object):
"""Convert between DER and PEM encodings for various kinds of ASN.1 data."""
def __init__(self, kind): # "CERTIFICATE", "RSA PRIVATE KEY", ...
self.b = "-----BEGIN %s-----" % kind
self.e = "-----END %s-----" % kind
def looks_like_PEM(self, text):
return text.startswith(self.b)
def to_DER(self, pem):
"""Convert from PEM to DER."""
lines = pem.splitlines(0)
while lines and lines.pop(0) != self.b:
pass
while lines and lines.pop(-1) != self.e:
pass
assert lines
return base64.b64decode("".join(lines))
def to_PEM(self, der):
"""Convert from DER to PEM."""
b64 = base64.b64encode(der)
pem = self.b + "\n"
while len(b64) > 64:
pem += b64[0:64] + "\n"
b64 = b64[64:]
return pem + b64 + "\n" + self.e + "\n"
class DER_object(object):
"""Virtual class to hold a generic DER object."""
## Formats supported in this object
formats = ("DER",)
## PEM converter for this object
pem_converter = None
## Other attributes that self.clear() should whack
other_clear = ()
## @var DER
## DER value of this object
def empty(self):
"""Test whether this object is empty."""
for a in self.formats:
if getattr(self, a, None) is not None:
return False
return True
def clear(self):
"""Make this object empty."""
for a in self.formats + self.other_clear:
setattr(self, a, None)
def __init__(self, **kw):
self.clear()
if len(kw):
self.set(**kw)
def set(self, **kw):
"""Set this object by setting one of its known formats.
This method only allows one to set one format at a time.
Subsequent calls will clear the object first. The point of all
this is to let the object's internal converters handle mustering
the object into whatever format you need at the moment.
"""
name = kw.keys()[0]
if len(kw) == 1:
if name in self.formats:
self.clear()
setattr(self, name, kw[name])
return
if name == "PEM":
text = self.pem_convert.to_DER(kw[name])
self.clear()
self.DER = text
return
if name == "Base64":
text = base64.b64decode(kw[name])
self.clear()
self.DER = text
return
if name in ("PEM_file", "DER_file", "Auto_file"):
f = open(kw[name], "r")
text = f.read()
f.close()
if name == "PEM_file" or (name == "Auto_file" and self.pem_converter.looks_like_PEM(text)):
text = self.pem_converter.to_DER(text)
self.clear()
self.DER = text
return
raise rpki.exceptions.DERObjectConversionError, "Can't honor conversion request %s" % repr(kw)
def get_DER(self):
"""Get the DER value of this object.
Subclasses will almost certainly override this method.
"""
assert not self.empty()
if self.DER:
return self.DER
raise rpki.exceptions.DERObjectConversionError, "No conversion path to DER available"
def get_Base64(self):
"""Get the Base64 encoding of the DER value of this object."""
return base64.b64encode(self.get_DER())
def get_PEM(self):
"""Get the PEM representation of this object."""
return self.pem_converter.to_PEM(self.get_DER())
class X509(DER_object):
"""X.509 certificates.
This class is designed to hold all the different representations of
X.509 certs we're using and convert between them. X.509 support in
Python a nasty maze of half-cooked stuff (except perhaps for
cryptlib, which is just different). Users of this module should not
have to care about this implementation nightmare.
"""
formats = ("DER", "POW", "POWpkix", "tlslite")
pem_converter = PEM_converter("CERTIFICATE")
other_clear = ("POW_extensions",)
def get_DER(self):
"""Get the DER value of this certificate."""
assert not self.empty()
if self.DER:
return self.DER
if self.POW:
self.DER = self.POW.derWrite()
return self.get_DER()
if self.POWpkix:
self.DER = self.POWpkix.toString()
return self.get_DER()
raise rpki.exceptions.DERObjectConversionError, "No conversion path to DER available"
def get_POW(self):
"""Get the POW value of this certificate."""
assert not self.empty()
if not self.POW:
self.POW = POW.derRead(POW.X509_CERTIFICATE, self.get_DER())
return self.POW
def get_POWpkix(self):
"""Get the POW.pkix value of this certificate."""
assert not self.empty()
if not self.POWpkix:
cert = POW.pkix.Certificate()
cert.fromString(self.get_DER())
self.POWpkix = cert
return self.POWpkix
def get_tlslite(self):
"""Get the tlslite value of this certificate."""
assert not self.empty()
if not self.tlslite:
cert = tlslite.api.X509()
cert.parseBinary(self.get_DER())
self.tlslite = cert
return self.tlslite
def getIssuer(self):
"""Get the issuer of this certificate."""
return self.get_POW().getIssuer()
def getSubject(self):
"""Get the subject of this certificate."""
return self.get_POW().getSubject()
def _get_POW_extensions(self):
"""Parse extensions from the POW value of this certificate.
Build a dictionary to ease lookup, and cache the result.
"""
if not self.POW_extensions:
cert = self.get_POW()
exts = {}
for i in range(cert.countExtensions()):
x = cert.getExtension(i)
exts[x[0]] = x[2]
self.POW_extensions = exts
return self.POW_extensions
def get_AKI(self):
"""Get the AKI extension from this certificate."""
return self._get_POW_extensions().get("authorityKeyIdentifier")
def get_SKI(self):
"""Get the SKI extension from this certificate."""
return self._get_POW_extensions().get("subjectKeyIdentifier")
def get_3779resources(self):
"""Get RFC 3779 resources as rpki.resource_set objects."""
return rpki.resource_set.parse_extensions(self.get_POWpkix().getExtensions())
class X509_chain(list):
"""Collections of certs.
This class provides sorting and conversion functions for various
packages.
"""
def chainsort(self):
"""Sort a bag of certs into a chain, leaf first.
Various other routines want their certs presented in this order.
"""
bag = self[:]
issuer_names = [x.getIssuer() for x in bag]
subject_map = dict([(x.getSubject(), x) for x in bag])
chain = []
for subject in subject_map:
if subject not in issuer_names:
cert = subject_map[subject]
chain.append(cert)
bag.remove(cert)
if len(chain) != 1:
raise rpki.exceptions.NotACertificateChain, "Certificates in bag don't form a proper chain"
while bag:
cert = subject_map[chain[-1].getIssuer()]
chain.append(cert)
bag.remove(cert)
self[:] = chain
def tlslite_certChain(self):
"""Return a certChain in the format tlslite likes."""
self.chainsort()
return tlslite.api.X509CertChain([x.get_tlslite() for x in self])
def tlslite_trustList(self):
"""Return a trustList in the format tlslite likes."""
return [x.get_tlslite() for x in self]
def clear(self):
"""Drop all certs from this bag onto the floor."""
self[:] = []
def load_from_PEM(self, files):
"""Load a set of certs from a list of PEM files."""
self.extend([X509(PEM_file=f) for f in files])
def load_from_DER(self, files):
"""Load a set of certs from a list of DER files."""
self.extend([X509(DER_file=f) for f in files])
class PKCS10_Request(DER_object):
"""Class to hold a PKCS #10 request."""
formats = ("DER", "POWpkix")
pem_converter = PEM_converter("CERTIFICATE REQUEST")
def get_DER(self):
"""Get the DER value of this certification request."""
assert not self.empty()
if self.DER:
return self.DER
if self.POWpkix:
self.DER = self.POWpkix.toString()
return self.get_DER()
raise rpki.exceptions.DERObjectConversionError, "No conversion path to DER available"
def get_POWpkix(self):
"""Get the POW.pkix value of this certification request."""
assert not self.empty()
if not self.POWpkix:
req = POW.pkix.CertificationRequest()
req.fromString(self.get_DER())
self.POWpkix = req
return self.POWpkix
class RSA_Keypair(DER_object):
"""Class to hold an RSA key pair."""
formats = ("DER", "POW", "tlslite")
pem_converter = PEM_converter("RSA PRIVATE KEY")
def get_DER(self):
assert not self.empty()
if self.DER:
return self.DER
if self.POW:
self.DER = self.POW.derWrite(POW.RSA_PRIVATE_KEY)
return self.get_DER()
raise rpki.exceptions.DERObjectConversionError, "No conversion path to DER available"
def get_POW(self):
assert not self.empty()
if not self.POW:
self.POW = POW.derRead(POW.RSA_PRIVATE_KEY, self.get_DER())
return self.POW
def get_tlslite(self):
assert not self.empty()
if not self.tlslite:
self.tlslite = tlslite.api.parsePEMKey(self.get_PEM(), private=True)
return self.tlslite
def generate(self, keylength):
self.clear()
self.set(POW=POW.Asymmetric(POW.RSA_CIPHER, keylength))
def get_public_DER(self):
return self.get_POW().derWrite(POW.RSA_PUBLIC_KEY)
|
