# coding: utf-8 """ ASN.1 type classes for X.509 certificates. Exports the following items: - Attributes() - Certificate() - Extensions() - GeneralName() - GeneralNames() - Name() Other type classes are defined that help compose the types listed above. """ from __future__ import unicode_literals, division, absolute_import, print_function from contextlib import contextmanager from encodings import idna # noqa import hashlib import re import socket import stringprep import sys import unicodedata from ._errors import unwrap from ._iri import iri_to_uri, uri_to_iri from ._ordereddict import OrderedDict from ._types import type_name, str_cls, bytes_to_list from .algos import AlgorithmIdentifier, AnyAlgorithmIdentifier, DigestAlgorithm, SignedDigestAlgorithm from .core import ( Any, BitString, BMPString, Boolean, Choice, Concat, Enumerated, GeneralizedTime, GeneralString, IA5String, Integer, Null, NumericString, ObjectIdentifier, OctetBitString, OctetString, ParsableOctetString, PrintableString, Sequence, SequenceOf, Set, SetOf, TeletexString, UniversalString, UTCTime, UTF8String, VisibleString, VOID, ) from .keys import PublicKeyInfo from .util import int_to_bytes, int_from_bytes, inet_ntop, inet_pton # The structures in this file are taken from https://tools.ietf.org/html/rfc5280 # and a few other supplementary sources, mostly due to extra supported # extension and name OIDs class DNSName(IA5String): _encoding = 'idna' _bad_tag = 19 def __ne__(self, other): return not self == other def __eq__(self, other): """ Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.2 :param other: Another DNSName object :return: A boolean """ if not isinstance(other, DNSName): return False return self.__unicode__().lower() == other.__unicode__().lower() def set(self, value): """ Sets the value of the DNS name :param value: A unicode string """ if not isinstance(value, str_cls): raise TypeError(unwrap( ''' %s value must be a unicode string, not %s ''', type_name(self), type_name(value) )) if value.startswith('.'): encoded_value = b'.' + value[1:].encode(self._encoding) else: encoded_value = value.encode(self._encoding) self._unicode = value self.contents = encoded_value self._header = None if self._trailer != b'': self._trailer = b'' class URI(IA5String): def set(self, value): """ Sets the value of the string :param value: A unicode string """ if not isinstance(value, str_cls): raise TypeError(unwrap( ''' %s value must be a unicode string, not %s ''', type_name(self), type_name(value) )) self._unicode = value self.contents = iri_to_uri(value) self._header = None if self._trailer != b'': self._trailer = b'' def __ne__(self, other): return not self == other def __eq__(self, other): """ Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.4 :param other: Another URI object :return: A boolean """ if not isinstance(other, URI): return False return iri_to_uri(self.native) == iri_to_uri(other.native) def __unicode__(self): """ :return: A unicode string """ if self.contents is None: return '' if self._unicode is None: self._unicode = uri_to_iri(self._merge_chunks()) return self._unicode class EmailAddress(IA5String): _contents = None # If the value has gone through the .set() method, thus normalizing it _normalized = False @property def contents(self): """ :return: A byte string of the DER-encoded contents of the sequence """ return self._contents @contents.setter def contents(self, value): """ :param value: A byte string of the DER-encoded contents of the sequence """ self._normalized = False self._contents = value def set(self, value): """ Sets the value of the string :param value: A unicode string """ if not isinstance(value, str_cls): raise TypeError(unwrap( ''' %s value must be a unicode string, not %s ''', type_name(self), type_name(value) )) if value.find('@') != -1: mailbox, hostname = value.rsplit('@', 1) encoded_value = mailbox.encode('ascii') + b'@' + hostname.encode('idna') else: encoded_value = value.encode('ascii') self._normalized = True self._unicode = value self.contents = encoded_value self._header = None if self._trailer != b'': self._trailer = b'' def __unicode__(self): """ :return: A unicode string """ if self._unicode is None: contents = self._merge_chunks() if contents.find(b'@') == -1: self._unicode = contents.decode('ascii') else: mailbox, hostname = contents.rsplit(b'@', 1) self._unicode = mailbox.decode('ascii') + '@' + hostname.decode('idna') return self._unicode def __ne__(self, other): return not self == other def __eq__(self, other): """ Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.5 :param other: Another EmailAddress object :return: A boolean """ if not isinstance(other, EmailAddress): return False if not self._normalized: self.set(self.native) if not other._normalized: other.set(other.native) if self._contents.find(b'@') == -1 or other._contents.find(b'@') == -1: return self._contents == other._contents other_mailbox, other_hostname = other._contents.rsplit(b'@', 1) mailbox, hostname = self._contents.rsplit(b'@', 1) if mailbox != other_mailbox: return False if hostname.lower() != other_hostname.lower(): return False return True class IPAddress(OctetString): def parse(self, spec=None, spec_params=None): """ This method is not applicable to IP addresses """ raise ValueError(unwrap( ''' IP address values can not be parsed ''' )) def set(self, value): """ Sets the value of the object :param value: A unicode string containing an IPv4 address, IPv4 address with CIDR, an IPv6 address or IPv6 address with CIDR """ if not isinstance(value, str_cls): raise TypeError(unwrap( ''' %s value must be a unicode string, not %s ''', type_name(self), type_name(value) )) original_value = value has_cidr = value.find('/') != -1 cidr = 0 if has_cidr: parts = value.split('/', 1) value = parts[0] cidr = int(parts[1]) if cidr < 0: raise ValueError(unwrap( ''' %s value contains a CIDR range less than 0 ''', type_name(self) )) if value.find(':') != -1: family = socket.AF_INET6 if cidr > 128: raise ValueError(unwrap( ''' %s value contains a CIDR range bigger than 128, the maximum value for an IPv6 address ''', type_name(self) )) cidr_size = 128 else: family = socket.AF_INET if cidr > 32: raise ValueError(unwrap( ''' %s value contains a CIDR range bigger than 32, the maximum value for an IPv4 address ''', type_name(self) )) cidr_size = 32 cidr_bytes = b'' if has_cidr: cidr_mask = '1' * cidr cidr_mask += '0' * (cidr_size - len(cidr_mask)) cidr_bytes = int_to_bytes(int(cidr_mask, 2)) cidr_bytes = (b'\x00' * ((cidr_size // 8) - len(cidr_bytes))) + cidr_bytes self._native = original_value self.contents = inet_pton(family, value) + cidr_bytes self._bytes = self.contents self._header = None if self._trailer != b'': self._trailer = b'' @property def native(self): """ The a native Python datatype representation of this value :return: A unicode string or None """ if self.contents is None: return None if self._native is None: byte_string = self.__bytes__() byte_len = len(byte_string) cidr_int = None if byte_len in set([32, 16]): value = inet_ntop(socket.AF_INET6, byte_string[0:16]) if byte_len > 16: cidr_int = int_from_bytes(byte_string[16:]) elif byte_len in set([8, 4]): value = inet_ntop(socket.AF_INET, byte_string[0:4]) if byte_len > 4: cidr_int = int_from_bytes(byte_string[4:]) if cidr_int is not None: cidr_bits = '{0:b}'.format(cidr_int) cidr = len(cidr_bits.rstrip('0')) value = value + '/' + str_cls(cidr) self._native = value return self._native def __ne__(self, other): return not self == other def __eq__(self, other): """ :param other: Another IPAddress object :return: A boolean """ if not isinstance(other, IPAddress): return False return self.__bytes__() == other.__bytes__() class Attribute(Sequence): _fields = [ ('type', ObjectIdentifier), ('values', SetOf, {'spec': Any}), ] class Attributes(SequenceOf): _child_spec = Attribute class KeyUsage(BitString): _map = { 0: 'digital_signature', 1: 'non_repudiation', 2: 'key_encipherment', 3: 'data_encipherment', 4: 'key_agreement', 5: 'key_cert_sign', 6: 'crl_sign', 7: 'encipher_only', 8: 'decipher_only', } class PrivateKeyUsagePeriod(Sequence): _fields = [ ('not_before', GeneralizedTime, {'implicit': 0, 'optional': True}), ('not_after', GeneralizedTime, {'implicit': 1, 'optional': True}), ] class NotReallyTeletexString(TeletexString): """ OpenSSL (and probably some other libraries) puts ISO-8859-1 into TeletexString instead of ITU T.61. We use Windows-1252 when decoding since it is a superset of ISO-8859-1, and less likely to cause encoding issues, but we stay strict with encoding to prevent us from creating bad data. """ _decoding_encoding = 'cp1252' def __unicode__(self): """ :return: A unicode string """ if self.contents is None: return '' if self._unicode is None: self._unicode = self._merge_chunks().decode(self._decoding_encoding) return self._unicode @contextmanager def strict_teletex(): try: NotReallyTeletexString._decoding_encoding = 'teletex' yield finally: NotReallyTeletexString._decoding_encoding = 'cp1252' class DirectoryString(Choice): _alternatives = [ ('teletex_string', NotReallyTeletexString), ('printable_string', PrintableString), ('universal_string', UniversalString), ('utf8_string', UTF8String), ('bmp_string', BMPString), # This is an invalid/bad alternative, but some broken certs use it ('ia5_string', IA5String), ] class NameType(ObjectIdentifier): _map = { '2.5.4.3': 'common_name', '2.5.4.4': 'surname', '2.5.4.5': 'serial_number', '2.5.4.6': 'country_name', '2.5.4.7': 'locality_name', '2.5.4.8': 'state_or_province_name', '2.5.4.9': 'street_address', '2.5.4.10': 'organization_name', '2.5.4.11': 'organizational_unit_name', '2.5.4.12': 'title', '2.5.4.15': 'business_category', '2.5.4.17': 'postal_code', '2.5.4.20': 'telephone_number', '2.5.4.41': 'name', '2.5.4.42': 'given_name', '2.5.4.43': 'initials', '2.5.4.44': 'generation_qualifier', '2.5.4.45': 'unique_identifier', '2.5.4.46': 'dn_qualifier', '2.5.4.65': 'pseudonym', '2.5.4.97': 'organization_identifier', # https://www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf '2.23.133.2.1': 'tpm_manufacturer', '2.23.133.2.2': 'tpm_model', '2.23.133.2.3': 'tpm_version', '2.23.133.2.4': 'platform_manufacturer', '2.23.133.2.5': 'platform_model', '2.23.133.2.6': 'platform_version', # https://tools.ietf.org/html/rfc2985#page-26 '1.2.840.113549.1.9.1': 'email_address', # Page 10 of https://cabforum.org/wp-content/uploads/EV-V1_5_5.pdf '1.3.6.1.4.1.311.60.2.1.1': 'incorporation_locality', '1.3.6.1.4.1.311.60.2.1.2': 'incorporation_state_or_province', '1.3.6.1.4.1.311.60.2.1.3': 'incorporation_country', # https://tools.ietf.org/html/rfc2247#section-4 '0.9.2342.19200300.100.1.25': 'domain_component', # http://www.alvestrand.no/objectid/0.2.262.1.10.7.20.html '0.2.262.1.10.7.20': 'name_distinguisher', } # This order is largely based on observed order seen in EV certs from # Symantec and DigiCert. Some of the uncommon name-related fields are # just placed in what seems like a reasonable order. preferred_order = [ 'incorporation_country', 'incorporation_state_or_province', 'incorporation_locality', 'business_category', 'serial_number', 'country_name', 'postal_code', 'state_or_province_name', 'locality_name', 'street_address', 'organization_name', 'organizational_unit_name', 'title', 'common_name', 'initials', 'generation_qualifier', 'surname', 'given_name', 'name', 'pseudonym', 'dn_qualifier', 'telephone_number', 'email_address', 'domain_component', 'name_distinguisher', 'organization_identifier', 'tpm_manufacturer', 'tpm_model', 'tpm_version', 'platform_manufacturer', 'platform_model', 'platform_version', ] @classmethod def preferred_ordinal(cls, attr_name): """ Returns an ordering value for a particular attribute key. Unrecognized attributes and OIDs will be sorted lexically at the end. :return: An orderable value. """ attr_name = cls.map(attr_name) if attr_name in cls.preferred_order: ordinal = cls.preferred_order.index(attr_name) else: ordinal = len(cls.preferred_order) return (ordinal, attr_name) @property def human_friendly(self): """ :return: A human-friendly unicode string to display to users """ return { 'common_name': 'Common Name', 'surname': 'Surname', 'serial_number': 'Serial Number', 'country_name': 'Country', 'locality_name': 'Locality', 'state_or_province_name': 'State/Province', 'street_address': 'Street Address', 'organization_name': 'Organization', 'organizational_unit_name': 'Organizational Unit', 'title': 'Title', 'business_category': 'Business Category', 'postal_code': 'Postal Code', 'telephone_number': 'Telephone Number', 'name': 'Name', 'given_name': 'Given Name', 'initials': 'Initials', 'generation_qualifier': 'Generation Qualifier', 'unique_identifier': 'Unique Identifier', 'dn_qualifier': 'DN Qualifier', 'pseudonym': 'Pseudonym', 'email_address': 'Email Address', 'incorporation_locality': 'Incorporation Locality', 'incorporation_state_or_province': 'Incorporation State/Province', 'incorporation_country': 'Incorporation Country', 'domain_component': 'Domain Component', 'name_distinguisher': 'Name Distinguisher', 'organization_identifier': 'Organization Identifier', 'tpm_manufacturer': 'TPM Manufacturer', 'tpm_model': 'TPM Model', 'tpm_version': 'TPM Version', 'platform_manufacturer': 'Platform Manufacturer', 'platform_model': 'Platform Model', 'platform_version': 'Platform Version', }.get(self.native, self.native) class NameTypeAndValue(Sequence): _fields = [ ('type', NameType), ('value', Any), ] _oid_pair = ('type', 'value') _oid_specs = { 'common_name': DirectoryString, 'surname': DirectoryString, 'serial_number': DirectoryString, 'country_name': DirectoryString, 'locality_name': DirectoryString, 'state_or_province_name': DirectoryString, 'street_address': DirectoryString, 'organization_name': DirectoryString, 'organizational_unit_name': DirectoryString, 'title': DirectoryString, 'business_category': DirectoryString, 'postal_code': DirectoryString, 'telephone_number': PrintableString, 'name': DirectoryString, 'given_name': DirectoryString, 'initials': DirectoryString, 'generation_qualifier': DirectoryString, 'unique_identifier': OctetBitString, 'dn_qualifier': DirectoryString, 'pseudonym': DirectoryString, # https://tools.ietf.org/html/rfc2985#page-26 'email_address': EmailAddress, # Page 10 of https://cabforum.org/wp-content/uploads/EV-V1_5_5.pdf 'incorporation_locality': DirectoryString, 'incorporation_state_or_province': DirectoryString, 'incorporation_country': DirectoryString, 'domain_component': DNSName, 'name_distinguisher': DirectoryString, 'organization_identifier': DirectoryString, 'tpm_manufacturer': UTF8String, 'tpm_model': UTF8String, 'tpm_version': UTF8String, 'platform_manufacturer': UTF8String, 'platform_model': UTF8String, 'platform_version': UTF8String, } _prepped = None @property def prepped_value(self): """ Returns the value after being processed by the internationalized string preparation as specified by RFC 5280 :return: A unicode string """ if self._prepped is None: self._prepped = self._ldap_string_prep(self['value'].native) return self._prepped def __ne__(self, other): return not self == other def __eq__(self, other): """ Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.1 :param other: Another NameTypeAndValue object :return: A boolean """ if not isinstance(other, NameTypeAndValue): return False if other['type'].native != self['type'].native: return False return other.prepped_value == self.prepped_value def _ldap_string_prep(self, string): """ Implements the internationalized string preparation algorithm from RFC 4518. https://tools.ietf.org/html/rfc4518#section-2 :param string: A unicode string to prepare :return: A prepared unicode string, ready for comparison """ # Map step string = re.sub('[\u00ad\u1806\u034f\u180b-\u180d\ufe0f-\uff00\ufffc]+', '', string) string = re.sub('[\u0009\u000a\u000b\u000c\u000d\u0085]', ' ', string) if sys.maxunicode == 0xffff: # Some installs of Python 2.7 don't support 8-digit unicode escape # ranges, so we have to break them into pieces # Original was: \U0001D173-\U0001D17A and \U000E0020-\U000E007F string = re.sub('\ud834[\udd73-\udd7a]|\udb40[\udc20-\udc7f]|\U000e0001', '', string) else: string = re.sub('[\U0001D173-\U0001D17A\U000E0020-\U000E007F\U000e0001]', '', string) string = re.sub( '[\u0000-\u0008\u000e-\u001f\u007f-\u0084\u0086-\u009f\u06dd\u070f\u180e\u200c-\u200f' '\u202a-\u202e\u2060-\u2063\u206a-\u206f\ufeff\ufff9-\ufffb]+', '', string ) string = string.replace('\u200b', '') string = re.sub('[\u00a0\u1680\u2000-\u200a\u2028-\u2029\u202f\u205f\u3000]', ' ', string) string = ''.join(map(stringprep.map_table_b2, string)) # Normalize step string = unicodedata.normalize('NFKC', string) # Prohibit step for char in string: if stringprep.in_table_a1(char): raise ValueError(unwrap( ''' X.509 Name objects may not contain unassigned code points ''' )) if stringprep.in_table_c8(char): raise ValueError(unwrap( ''' X.509 Name objects may not contain change display or zzzzdeprecated characters ''' )) if stringprep.in_table_c3(char): raise ValueError(unwrap( ''' X.509 Name objects may not contain private use characters ''' )) if stringprep.in_table_c4(char): raise ValueError(unwrap( ''' X.509 Name objects may not contain non-character code points ''' )) if stringprep.in_table_c5(char): raise ValueError(unwrap( ''' X.509 Name objects may not contain surrogate code points ''' )) if char == '\ufffd': raise ValueError(unwrap( ''' X.509 Name objects may not contain the replacement character ''' )) # Check bidirectional step - here we ensure that we are not mixing # left-to-right and right-to-left text in the string has_r_and_al_cat = False has_l_cat = False for char in string: if stringprep.in_table_d1(char): has_r_and_al_cat = True elif stringprep.in_table_d2(char): has_l_cat = True if has_r_and_al_cat: first_is_r_and_al = stringprep.in_table_d1(string[0]) last_is_r_and_al = stringprep.in_table_d1(string[-1]) if has_l_cat or not first_is_r_and_al or not last_is_r_and_al: raise ValueError(unwrap( ''' X.509 Name object contains a malformed bidirectional sequence ''' )) # Insignificant space handling step string = ' ' + re.sub(' +', ' ', string).strip() + ' ' return string class RelativeDistinguishedName(SetOf): _child_spec = NameTypeAndValue @property def hashable(self): """ :return: A unicode string that can be used as a dict key or in a set """ output = [] values = self._get_values(self) for key in sorted(values.keys()): output.append('%s: %s' % (key, values[key])) # Unit separator is used here since the normalization process for # values moves any such character, and the keys are all dotted integers # or under_score_words return '\x1F'.join(output) def __ne__(self, other): return not self == other def __eq__(self, other): """ Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.1 :param other: Another RelativeDistinguishedName object :return: A boolean """ if not isinstance(other, RelativeDistinguishedName): return False if len(self) != len(other): return False self_types = self._get_types(self) other_types = self._get_types(other) if self_types != other_types: return False self_values = self._get_values(self) other_values = self._get_values(other) for type_name_ in self_types: if self_values[type_name_] != other_values[type_name_]: return False return True def _get_types(self, rdn): """ Returns a set of types contained in an RDN :param rdn: A RelativeDistinguishedName object :return: A set object with unicode strings of NameTypeAndValue type field values """ return set([ntv['type'].native for ntv in rdn]) def _get_values(self, rdn): """ Returns a dict of prepped values contained in an RDN :param rdn: A RelativeDistinguishedName object :return: A dict object with unicode strings of NameTypeAndValue value field values that have been prepped for comparison """ output = {} [output.update([(ntv['type'].native, ntv.prepped_value)]) for ntv in rdn] return output class RDNSequence(SequenceOf): _child_spec = RelativeDistinguishedName @property def hashable(self): """ :return: A unicode string that can be used as a dict key or in a set """ # Record separator is used here since the normalization process for # values moves any such character, and the keys are all dotted integers # or under_score_words return '\x1E'.join(rdn.hashable for rdn in self) def __ne__(self, other): return not self == other def __eq__(self, other): """ Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.1 :param other: Another RDNSequence object :return: A boolean """ if not isinstance(other, RDNSequence): return False if len(self) != len(other): return False for index, self_rdn in enumerate(self): if other[index] != self_rdn: return False return True class Name(Choice): _alternatives = [ ('', RDNSequence), ] _human_friendly = None _sha1 = None _sha256 = None @classmethod def build(cls, name_dict, use_printable=False): """ Creates a Name object from a dict of unicode string keys and values. The keys should be from NameType._map, or a dotted-integer OID unicode string. :param name_dict: A dict of name information, e.g. {"common_name": "Will Bond", "country_name": "US", "organization": "Codex Non Sufficit LC"} :param use_printable: A bool - if PrintableString should be used for encoding instead of UTF8String. This is for backwards compatibility with old software. :return: An x509.Name object """ rdns = [] if not use_printable: encoding_name = 'utf8_string' encoding_class = UTF8String else: encoding_name = 'printable_string' encoding_class = PrintableString # Sort the attributes according to NameType.preferred_order name_dict = OrderedDict( sorted( name_dict.items(), key=lambda item: NameType.preferred_ordinal(item[0]) ) ) for attribute_name, attribute_value in name_dict.items(): attribute_name = NameType.map(attribute_name) if attribute_name == 'email_address': value = EmailAddress(attribute_value) elif attribute_name == 'domain_component': value = DNSName(attribute_value) elif attribute_name in set(['dn_qualifier', 'country_name', 'serial_number']): value = DirectoryString( name='printable_string', value=PrintableString(attribute_value) ) else: value = DirectoryString( name=encoding_name, value=encoding_class(attribute_value) ) rdns.append(RelativeDistinguishedName([ NameTypeAndValue({ 'type': attribute_name, 'value': value }) ])) return cls(name='', value=RDNSequence(rdns)) @property def hashable(self): """ :return: A unicode string that can be used as a dict key or in a set """ return self.chosen.hashable def __len__(self): return len(self.chosen) def __ne__(self, other): return not self == other def __eq__(self, other): """ Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.1 :param other: Another Name object :return: A boolean """ if not isinstance(other, Name): return False return self.chosen == other.chosen @property def native(self): if self._native is None: self._native = OrderedDict() for rdn in self.chosen.native: for type_val in rdn: field_name = type_val['type'] if field_name in self._native: existing = self._native[field_name] if not isinstance(existing, list): existing = self._native[field_name] = [existing] existing.append(type_val['value']) else: self._native[field_name] = type_val['value'] return self._native @property def human_friendly(self): """ :return: A human-friendly unicode string containing the parts of the name """ if self._human_friendly is None: data = OrderedDict() last_field = None for rdn in self.chosen: for type_val in rdn: field_name = type_val['type'].human_friendly last_field = field_name if field_name in data: data[field_name] = [data[field_name]] data[field_name].append(type_val['value']) else: data[field_name] = type_val['value'] to_join = [] keys = data.keys() if last_field == 'Country': keys = reversed(list(keys)) for key in keys: value = data[key] native_value = self._recursive_humanize(value) to_join.append('%s: %s' % (key, native_value)) has_comma = False for element in to_join: if element.find(',') != -1: has_comma = True break separator = ', ' if not has_comma else '; ' self._human_friendly = separator.join(to_join[::-1]) return self._human_friendly def _recursive_humanize(self, value): """ Recursively serializes data compiled from the RDNSequence :param value: An Asn1Value object, or a list of Asn1Value objects :return: A unicode string """ if isinstance(value, list): return', '.join( reversed([self._recursive_humanize(sub_value) for sub_value in value]) ) return value.native @property def sha1(self): """ :return: The SHA1 hash of the DER-encoded bytes of this name """ if self._sha1 is None: self._sha1 = hashlib.sha1(self.dump()).digest() return self._sha1 @property def sha256(self): """ :return: The SHA-256 hash of the DER-encoded bytes of this name """ if self._sha256 is None: self._sha256 = hashlib.sha256(self.dump()).digest() return self._sha256 class AnotherName(Sequence): _fields = [ ('type_id', ObjectIdentifier), ('value', Any, {'explicit': 0}), ] class CountryName(Choice): class_ = 1 tag = 1 _alternatives = [ ('x121_dcc_code', NumericString), ('iso_3166_alpha2_code', PrintableString), ] class AdministrationDomainName(Choice): class_ = 1 tag = 2 _alternatives = [ ('numeric', NumericString), ('printable', PrintableString), ] class PrivateDomainName(Choice): _alternatives = [ ('numeric', NumericString), ('printable', PrintableString), ] class PersonalName(Set): _fields = [ ('surname', PrintableString, {'implicit': 0}), ('given_name', PrintableString, {'implicit': 1, 'optional': True}), ('initials', PrintableString, {'implicit': 2, 'optional': True}), ('generation_qualifier', PrintableString, {'implicit': 3, 'optional': True}), ] class TeletexPersonalName(Set): _fields = [ ('surname', TeletexString, {'implicit': 0}), ('given_name', TeletexString, {'implicit': 1, 'optional': True}), ('initials', TeletexString, {'implicit': 2, 'optional': True}), ('generation_qualifier', TeletexString, {'implicit': 3, 'optional': True}), ] class OrganizationalUnitNames(SequenceOf): _child_spec = PrintableString class TeletexOrganizationalUnitNames(SequenceOf): _child_spec = TeletexString class BuiltInStandardAttributes(Sequence): _fields = [ ('country_name', CountryName, {'optional': True}), ('administration_domain_name', AdministrationDomainName, {'optional': True}), ('network_address', NumericString, {'implicit': 0, 'optional': True}), ('terminal_identifier', PrintableString, {'implicit': 1, 'optional': True}), ('private_domain_name', PrivateDomainName, {'explicit': 2, 'optional': True}), ('organization_name', PrintableString, {'implicit': 3, 'optional': True}), ('numeric_user_identifier', NumericString, {'implicit': 4, 'optional': True}), ('personal_name', PersonalName, {'implicit': 5, 'optional': True}), ('organizational_unit_names', OrganizationalUnitNames, {'implicit': 6, 'optional': True}), ] class BuiltInDomainDefinedAttribute(Sequence): _fields = [ ('type', PrintableString), ('value', PrintableString), ] class BuiltInDomainDefinedAttributes(SequenceOf): _child_spec = BuiltInDomainDefinedAttribute class TeletexDomainDefinedAttribute(Sequence): _fields = [ ('type', TeletexString), ('value', TeletexString), ] class TeletexDomainDefinedAttributes(SequenceOf): _child_spec = TeletexDomainDefinedAttribute class PhysicalDeliveryCountryName(Choice): _alternatives = [ ('x121_dcc_code', NumericString), ('iso_3166_alpha2_code', PrintableString), ] class PostalCode(Choice): _alternatives = [ ('numeric_code', NumericString), ('printable_code', PrintableString), ] class PDSParameter(Set): _fields = [ ('printable_string', PrintableString, {'optional': True}), ('teletex_string', TeletexString, {'optional': True}), ] class PrintableAddress(SequenceOf): _child_spec = PrintableString class UnformattedPostalAddress(Set): _fields = [ ('printable_address', PrintableAddress, {'optional': True}), ('teletex_string', TeletexString, {'optional': True}), ] class E1634Address(Sequence): _fields = [ ('number', NumericString, {'implicit': 0}), ('sub_address', NumericString, {'implicit': 1, 'optional': True}), ] class NAddresses(SetOf): _child_spec = OctetString class PresentationAddress(Sequence): _fields = [ ('p_selector', OctetString, {'explicit': 0, 'optional': True}), ('s_selector', OctetString, {'explicit': 1, 'optional': True}), ('t_selector', OctetString, {'explicit': 2, 'optional': True}), ('n_addresses', NAddresses, {'explicit': 3}), ] class ExtendedNetworkAddress(Choice): _alternatives = [ ('e163_4_address', E1634Address), ('psap_address', PresentationAddress, {'implicit': 0}) ] class TerminalType(Integer): _map = { 3: 'telex', 4: 'teletex', 5: 'g3_facsimile', 6: 'g4_facsimile', 7: 'ia5_terminal', 8: 'videotex', } class ExtensionAttributeType(Integer): _map = { 1: 'common_name', 2: 'teletex_common_name', 3: 'teletex_organization_name', 4: 'teletex_personal_name', 5: 'teletex_organization_unit_names', 6: 'teletex_domain_defined_attributes', 7: 'pds_name', 8: 'physical_delivery_country_name', 9: 'postal_code', 10: 'physical_delivery_office_name', 11: 'physical_delivery_office_number', 12: 'extension_of_address_components', 13: 'physical_delivery_personal_name', 14: 'physical_delivery_organization_name', 15: 'extension_physical_delivery_address_components', 16: 'unformatted_postal_address', 17: 'street_address', 18: 'post_office_box_address', 19: 'poste_restante_address', 20: 'unique_postal_name', 21: 'local_postal_attributes', 22: 'extended_network_address', 23: 'terminal_type', } class ExtensionAttribute(Sequence): _fields = [ ('extension_attribute_type', ExtensionAttributeType, {'implicit': 0}), ('extension_attribute_value', Any, {'explicit': 1}), ] _oid_pair = ('extension_attribute_type', 'extension_attribute_value') _oid_specs = { 'common_name': PrintableString, 'teletex_common_name': TeletexString, 'teletex_organization_name': TeletexString, 'teletex_personal_name': TeletexPersonalName, 'teletex_organization_unit_names': TeletexOrganizationalUnitNames, 'teletex_domain_defined_attributes': TeletexDomainDefinedAttributes, 'pds_name': PrintableString, 'physical_delivery_country_name': PhysicalDeliveryCountryName, 'postal_code': PostalCode, 'physical_delivery_office_name': PDSParameter, 'physical_delivery_office_number': PDSParameter, 'extension_of_address_components': PDSParameter, 'physical_delivery_personal_name': PDSParameter, 'physical_delivery_organization_name': PDSParameter, 'extension_physical_delivery_address_components': PDSParameter, 'unformatted_postal_address': UnformattedPostalAddress, 'street_address': PDSParameter, 'post_office_box_address': PDSParameter, 'poste_restante_address': PDSParameter, 'unique_postal_name': PDSParameter, 'local_postal_attributes': PDSParameter, 'extended_network_address': ExtendedNetworkAddress, 'terminal_type': TerminalType, } class ExtensionAttributes(SequenceOf): _child_spec = ExtensionAttribute class ORAddress(Sequence): _fields = [ ('built_in_standard_attributes', BuiltInStandardAttributes), ('built_in_domain_defined_attributes', BuiltInDomainDefinedAttributes, {'optional': True}), ('extension_attributes', ExtensionAttributes, {'optional': True}), ] class EDIPartyName(Sequence): _fields = [ ('name_assigner', DirectoryString, {'implicit': 0, 'optional': True}), ('party_name', DirectoryString, {'implicit': 1}), ] class GeneralName(Choice): _alternatives = [ ('other_name', AnotherName, {'implicit': 0}), ('rfc822_name', EmailAddress, {'implicit': 1}), ('dns_name', DNSName, {'implicit': 2}), ('x400_address', ORAddress, {'implicit': 3}), ('directory_name', Name, {'explicit': 4}), ('edi_party_name', EDIPartyName, {'implicit': 5}), ('uniform_resource_identifier', URI, {'implicit': 6}), ('ip_address', IPAddress, {'implicit': 7}), ('registered_id', ObjectIdentifier, {'implicit': 8}), ] def __ne__(self, other): return not self == other def __eq__(self, other): """ Does not support other_name, x400_address or edi_party_name :param other: The other GeneralName to compare to :return: A boolean """ if self.name in ('other_name', 'x400_address', 'edi_party_name'): raise ValueError(unwrap( ''' Comparison is not supported for GeneralName objects of choice %s ''', self.name )) if other.name in ('other_name', 'x400_address', 'edi_party_name'): raise ValueError(unwrap( ''' Comparison is not supported for GeneralName objects of choice %s''', other.name )) if self.name != other.name: return False return self.chosen == other.chosen class GeneralNames(SequenceOf): _child_spec = GeneralName class Time(Choice): _alternatives = [ ('utc_time', UTCTime), ('general_time', GeneralizedTime), ] class Validity(Sequence): _fields = [ ('not_before', Time), ('not_after', Time), ] class BasicConstraints(Sequence): _fields = [ ('ca', Boolean, {'default': False}), ('path_len_constraint', Integer, {'optional': True}), ] class AuthorityKeyIdentifier(Sequence): _fields = [ ('key_identifier', OctetString, {'implicit': 0, 'optional': True}), ('authority_cert_issuer', GeneralNames, {'implicit': 1, 'optional': True}), ('authority_cert_serial_number', Integer, {'implicit': 2, 'optional': True}), ] class DistributionPointName(Choice): _alternatives = [ ('full_name', GeneralNames, {'implicit': 0}), ('name_relative_to_crl_issuer', RelativeDistinguishedName, {'implicit': 1}), ] class ReasonFlags(BitString): _map = { 0: 'unused', 1: 'key_compromise', 2: 'ca_compromise', 3: 'affiliation_changed', 4: 'superseded', 5: 'cessation_of_operation', 6: 'certificate_hold', 7: 'privilege_withdrawn', 8: 'aa_compromise', } class GeneralSubtree(Sequence): _fields = [ ('base', GeneralName), ('minimum', Integer, {'implicit': 0, 'default': 0}), ('maximum', Integer, {'implicit': 1, 'optional': True}), ] class GeneralSubtrees(SequenceOf): _child_spec = GeneralSubtree class NameConstraints(Sequence): _fields = [ ('permitted_subtrees', GeneralSubtrees, {'implicit': 0, 'optional': True}), ('excluded_subtrees', GeneralSubtrees, {'implicit': 1, 'optional': True}), ] class DistributionPoint(Sequence): _fields = [ ('distribution_point', DistributionPointName, {'explicit': 0, 'optional': True}), ('reasons', ReasonFlags, {'implicit': 1, 'optional': True}), ('crl_issuer', GeneralNames, {'implicit': 2, 'optional': True}), ] _url = False @property def url(self): """ :return: None or a unicode string of the distribution point's URL """ if self._url is False: self._url = None name = self['distribution_point'] if name.name != 'full_name': raise ValueError(unwrap( ''' CRL distribution points that are relative to the issuer are not supported ''' )) for general_name in name.chosen: if general_name.name == 'uniform_resource_identifier': url = general_name.native if url.lower().startswith(('http://', 'https://', 'ldap://', 'ldaps://')): self._url = url break return self._url class CRLDistributionPoints(SequenceOf): _child_spec = DistributionPoint class DisplayText(Choice): _alternatives = [ ('ia5_string', IA5String), ('visible_string', VisibleString), ('bmp_string', BMPString), ('utf8_string', UTF8String), ] class NoticeNumbers(SequenceOf): _child_spec = Integer class NoticeReference(Sequence): _fields = [ ('organization', DisplayText), ('notice_numbers', NoticeNumbers), ] class UserNotice(Sequence): _fields = [ ('notice_ref', NoticeReference, {'optional': True}), ('explicit_text', DisplayText, {'optional': True}), ] class PolicyQualifierId(ObjectIdentifier): _map = { '1.3.6.1.5.5.7.2.1': 'certification_practice_statement', '1.3.6.1.5.5.7.2.2': 'user_notice', } class PolicyQualifierInfo(Sequence): _fields = [ ('policy_qualifier_id', PolicyQualifierId), ('qualifier', Any), ] _oid_pair = ('policy_qualifier_id', 'qualifier') _oid_specs = { 'certification_practice_statement': IA5String, 'user_notice': UserNotice, } class PolicyQualifierInfos(SequenceOf): _child_spec = PolicyQualifierInfo class PolicyIdentifier(ObjectIdentifier): _map = { '2.5.29.32.0': 'any_policy', } class PolicyInformation(Sequence): _fields = [ ('policy_identifier', PolicyIdentifier), ('policy_qualifiers', PolicyQualifierInfos, {'optional': True}) ] class CertificatePolicies(SequenceOf): _child_spec = PolicyInformation class PolicyMapping(Sequence): _fields = [ ('issuer_domain_policy', PolicyIdentifier), ('subject_domain_policy', PolicyIdentifier), ] class PolicyMappings(SequenceOf): _child_spec = PolicyMapping class PolicyConstraints(Sequence): _fields = [ ('require_explicit_policy', Integer, {'implicit': 0, 'optional': True}), ('inhibit_policy_mapping', Integer, {'implicit': 1, 'optional': True}), ] class KeyPurposeId(ObjectIdentifier): _map = { # https://tools.ietf.org/html/rfc5280#page-45 '2.5.29.37.0': 'any_extended_key_usage', '1.3.6.1.5.5.7.3.1': 'server_auth', '1.3.6.1.5.5.7.3.2': 'client_auth', '1.3.6.1.5.5.7.3.3': 'code_signing', '1.3.6.1.5.5.7.3.4': 'email_protection', '1.3.6.1.5.5.7.3.5': 'ipsec_end_system', '1.3.6.1.5.5.7.3.6': 'ipsec_tunnel', '1.3.6.1.5.5.7.3.7': 'ipsec_user', '1.3.6.1.5.5.7.3.8': 'time_stamping', '1.3.6.1.5.5.7.3.9': 'ocsp_signing', # http://tools.ietf.org/html/rfc3029.html#page-9 '1.3.6.1.5.5.7.3.10': 'dvcs', # http://tools.ietf.org/html/rfc6268.html#page-16 '1.3.6.1.5.5.7.3.13': 'eap_over_ppp', '1.3.6.1.5.5.7.3.14': 'eap_over_lan', # https://tools.ietf.org/html/rfc5055#page-76 '1.3.6.1.5.5.7.3.15': 'scvp_server', '1.3.6.1.5.5.7.3.16': 'scvp_client', # https://tools.ietf.org/html/rfc4945#page-31 '1.3.6.1.5.5.7.3.17': 'ipsec_ike', # https://tools.ietf.org/html/rfc5415#page-38 '1.3.6.1.5.5.7.3.18': 'capwap_ac', '1.3.6.1.5.5.7.3.19': 'capwap_wtp', # https://tools.ietf.org/html/rfc5924#page-8 '1.3.6.1.5.5.7.3.20': 'sip_domain', # https://tools.ietf.org/html/rfc6187#page-7 '1.3.6.1.5.5.7.3.21': 'secure_shell_client', '1.3.6.1.5.5.7.3.22': 'secure_shell_server', # https://tools.ietf.org/html/rfc6494#page-7 '1.3.6.1.5.5.7.3.23': 'send_router', '1.3.6.1.5.5.7.3.24': 'send_proxied_router', '1.3.6.1.5.5.7.3.25': 'send_owner', '1.3.6.1.5.5.7.3.26': 'send_proxied_owner', # https://tools.ietf.org/html/rfc6402#page-10 '1.3.6.1.5.5.7.3.27': 'cmc_ca', '1.3.6.1.5.5.7.3.28': 'cmc_ra', '1.3.6.1.5.5.7.3.29': 'cmc_archive', # https://tools.ietf.org/html/draft-ietf-sidr-bgpsec-pki-profiles-15#page-6 '1.3.6.1.5.5.7.3.30': 'bgpspec_router', # https://msdn.microsoft.com/en-us/library/windows/desktop/aa378132(v=vs.85).aspx # and https://support.microsoft.com/en-us/kb/287547 '1.3.6.1.4.1.311.10.3.1': 'microsoft_trust_list_signing', '1.3.6.1.4.1.311.10.3.2': 'microsoft_time_stamp_signing', '1.3.6.1.4.1.311.10.3.3': 'microsoft_server_gated', '1.3.6.1.4.1.311.10.3.3.1': 'microsoft_serialized', '1.3.6.1.4.1.311.10.3.4': 'microsoft_efs', '1.3.6.1.4.1.311.10.3.4.1': 'microsoft_efs_recovery', '1.3.6.1.4.1.311.10.3.5': 'microsoft_whql', '1.3.6.1.4.1.311.10.3.6': 'microsoft_nt5', '1.3.6.1.4.1.311.10.3.7': 'microsoft_oem_whql', '1.3.6.1.4.1.311.10.3.8': 'microsoft_embedded_nt', '1.3.6.1.4.1.311.10.3.9': 'microsoft_root_list_signer', '1.3.6.1.4.1.311.10.3.10': 'microsoft_qualified_subordination', '1.3.6.1.4.1.311.10.3.11': 'microsoft_key_recovery', '1.3.6.1.4.1.311.10.3.12': 'microsoft_document_signing', '1.3.6.1.4.1.311.10.3.13': 'microsoft_lifetime_signing', '1.3.6.1.4.1.311.10.3.14': 'microsoft_mobile_device_software', # https://support.microsoft.com/en-us/help/287547/object-ids-associated-with-microsoft-cryptography '1.3.6.1.4.1.311.20.2.2': 'microsoft_smart_card_logon', # https://opensource.apple.com/source # - /Security/Security-57031.40.6/Security/libsecurity_keychain/lib/SecPolicy.cpp # - /libsecurity_cssm/libsecurity_cssm-36064/lib/oidsalg.c '1.2.840.113635.100.1.2': 'apple_x509_basic', '1.2.840.113635.100.1.3': 'apple_ssl', '1.2.840.113635.100.1.4': 'apple_local_cert_gen', '1.2.840.113635.100.1.5': 'apple_csr_gen', '1.2.840.113635.100.1.6': 'apple_revocation_crl', '1.2.840.113635.100.1.7': 'apple_revocation_ocsp', '1.2.840.113635.100.1.8': 'apple_smime', '1.2.840.113635.100.1.9': 'apple_eap', '1.2.840.113635.100.1.10': 'apple_software_update_signing', '1.2.840.113635.100.1.11': 'apple_ipsec', '1.2.840.113635.100.1.12': 'apple_ichat', '1.2.840.113635.100.1.13': 'apple_resource_signing', '1.2.840.113635.100.1.14': 'apple_pkinit_client', '1.2.840.113635.100.1.15': 'apple_pkinit_server', '1.2.840.113635.100.1.16': 'apple_code_signing', '1.2.840.113635.100.1.17': 'apple_package_signing', '1.2.840.113635.100.1.18': 'apple_id_validation', '1.2.840.113635.100.1.20': 'apple_time_stamping', '1.2.840.113635.100.1.21': 'apple_revocation', '1.2.840.113635.100.1.22': 'apple_passbook_signing', '1.2.840.113635.100.1.23': 'apple_mobile_store', '1.2.840.113635.100.1.24': 'apple_escrow_service', '1.2.840.113635.100.1.25': 'apple_profile_signer', '1.2.840.113635.100.1.26': 'apple_qa_profile_signer', '1.2.840.113635.100.1.27': 'apple_test_mobile_store', '1.2.840.113635.100.1.28': 'apple_otapki_signer', '1.2.840.113635.100.1.29': 'apple_test_otapki_signer', '1.2.840.113625.100.1.30': 'apple_id_validation_record_signing_policy', '1.2.840.113625.100.1.31': 'apple_smp_encryption', '1.2.840.113625.100.1.32': 'apple_test_smp_encryption', '1.2.840.113635.100.1.33': 'apple_server_authentication', '1.2.840.113635.100.1.34': 'apple_pcs_escrow_service', # http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.201-2.pdf '2.16.840.1.101.3.6.8': 'piv_card_authentication', '2.16.840.1.101.3.6.7': 'piv_content_signing', # https://tools.ietf.org/html/rfc4556.html '1.3.6.1.5.2.3.4': 'pkinit_kpclientauth', '1.3.6.1.5.2.3.5': 'pkinit_kpkdc', # https://www.adobe.com/devnet-docs/acrobatetk/tools/DigSig/changes.html '1.2.840.113583.1.1.5': 'adobe_authentic_documents_trust', # https://www.idmanagement.gov/wp-content/uploads/sites/1171/uploads/fpki-pivi-cert-profiles.pdf '2.16.840.1.101.3.8.7': 'fpki_pivi_content_signing' } class ExtKeyUsageSyntax(SequenceOf): _child_spec = KeyPurposeId class AccessMethod(ObjectIdentifier): _map = { '1.3.6.1.5.5.7.48.1': 'ocsp', '1.3.6.1.5.5.7.48.2': 'ca_issuers', '1.3.6.1.5.5.7.48.3': 'time_stamping', '1.3.6.1.5.5.7.48.5': 'ca_repository', } class AccessDescription(Sequence): _fields = [ ('access_method', AccessMethod), ('access_location', GeneralName), ] class AuthorityInfoAccessSyntax(SequenceOf): _child_spec = AccessDescription class SubjectInfoAccessSyntax(SequenceOf): _child_spec = AccessDescription # https://tools.ietf.org/html/rfc7633 class Features(SequenceOf): _child_spec = Integer class EntrustVersionInfo(Sequence): _fields = [ ('entrust_vers', GeneralString), ('entrust_info_flags', BitString) ] class NetscapeCertificateType(BitString): _map = { 0: 'ssl_client', 1: 'ssl_server', 2: 'email', 3: 'object_signing', 4: 'reserved', 5: 'ssl_ca', 6: 'email_ca', 7: 'object_signing_ca', } class Version(Integer): _map = { 0: 'v1', 1: 'v2', 2: 'v3', } class TPMSpecification(Sequence): _fields = [ ('family', UTF8String), ('level', Integer), ('revision', Integer), ] class SetOfTPMSpecification(SetOf): _child_spec = TPMSpecification class TCGSpecificationVersion(Sequence): _fields = [ ('major_version', Integer), ('minor_version', Integer), ('revision', Integer), ] class TCGPlatformSpecification(Sequence): _fields = [ ('version', TCGSpecificationVersion), ('platform_class', OctetString), ] class SetOfTCGPlatformSpecification(SetOf): _child_spec = TCGPlatformSpecification class EKGenerationType(Enumerated): _map = { 0: 'internal', 1: 'injected', 2: 'internal_revocable', 3: 'injected_revocable', } class EKGenerationLocation(Enumerated): _map = { 0: 'tpm_manufacturer', 1: 'platform_manufacturer', 2: 'ek_cert_signer', } class EKCertificateGenerationLocation(Enumerated): _map = { 0: 'tpm_manufacturer', 1: 'platform_manufacturer', 2: 'ek_cert_signer', } class EvaluationAssuranceLevel(Enumerated): _map = { 1: 'level1', 2: 'level2', 3: 'level3', 4: 'level4', 5: 'level5', 6: 'level6', 7: 'level7', } class EvaluationStatus(Enumerated): _map = { 0: 'designed_to_meet', 1: 'evaluation_in_progress', 2: 'evaluation_completed', } class StrengthOfFunction(Enumerated): _map = { 0: 'basic', 1: 'medium', 2: 'high', } class URIReference(Sequence): _fields = [ ('uniform_resource_identifier', IA5String), ('hash_algorithm', DigestAlgorithm, {'optional': True}), ('hash_value', BitString, {'optional': True}), ] class CommonCriteriaMeasures(Sequence): _fields = [ ('version', IA5String), ('assurance_level', EvaluationAssuranceLevel), ('evaluation_status', EvaluationStatus), ('plus', Boolean, {'default': False}), ('strengh_of_function', StrengthOfFunction, {'implicit': 0, 'optional': True}), ('profile_oid', ObjectIdentifier, {'implicit': 1, 'optional': True}), ('profile_url', URIReference, {'implicit': 2, 'optional': True}), ('target_oid', ObjectIdentifier, {'implicit': 3, 'optional': True}), ('target_uri', URIReference, {'implicit': 4, 'optional': True}), ] class SecurityLevel(Enumerated): _map = { 1: 'level1', 2: 'level2', 3: 'level3', 4: 'level4', } class FIPSLevel(Sequence): _fields = [ ('version', IA5String), ('level', SecurityLevel), ('plus', Boolean, {'default': False}), ] class TPMSecurityAssertions(Sequence): _fields = [ ('version', Version, {'default': 'v1'}), ('field_upgradable', Boolean, {'default': False}), ('ek_generation_type', EKGenerationType, {'implicit': 0, 'optional': True}), ('ek_generation_location', EKGenerationLocation, {'implicit': 1, 'optional': True}), ('ek_certificate_generation_location', EKCertificateGenerationLocation, {'implicit': 2, 'optional': True}), ('cc_info', CommonCriteriaMeasures, {'implicit': 3, 'optional': True}), ('fips_level', FIPSLevel, {'implicit': 4, 'optional': True}), ('iso_9000_certified', Boolean, {'implicit': 5, 'default': False}), ('iso_9000_uri', IA5String, {'optional': True}), ] class SetOfTPMSecurityAssertions(SetOf): _child_spec = TPMSecurityAssertions class SubjectDirectoryAttributeId(ObjectIdentifier): _map = { # https://tools.ietf.org/html/rfc2256#page-11 '2.5.4.52': 'supported_algorithms', # https://www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf '2.23.133.2.16': 'tpm_specification', '2.23.133.2.17': 'tcg_platform_specification', '2.23.133.2.18': 'tpm_security_assertions', # https://tools.ietf.org/html/rfc3739#page-18 '1.3.6.1.5.5.7.9.1': 'pda_date_of_birth', '1.3.6.1.5.5.7.9.2': 'pda_place_of_birth', '1.3.6.1.5.5.7.9.3': 'pda_gender', '1.3.6.1.5.5.7.9.4': 'pda_country_of_citizenship', '1.3.6.1.5.5.7.9.5': 'pda_country_of_residence', # https://holtstrom.com/michael/tools/asn1decoder.php '1.2.840.113533.7.68.29': 'entrust_user_role', } class SetOfGeneralizedTime(SetOf): _child_spec = GeneralizedTime class SetOfDirectoryString(SetOf): _child_spec = DirectoryString class SetOfPrintableString(SetOf): _child_spec = PrintableString class SupportedAlgorithm(Sequence): _fields = [ ('algorithm_identifier', AnyAlgorithmIdentifier), ('intended_usage', KeyUsage, {'explicit': 0, 'optional': True}), ('intended_certificate_policies', CertificatePolicies, {'explicit': 1, 'optional': True}), ] class SetOfSupportedAlgorithm(SetOf): _child_spec = SupportedAlgorithm class SubjectDirectoryAttribute(Sequence): _fields = [ ('type', SubjectDirectoryAttributeId), ('values', Any), ] _oid_pair = ('type', 'values') _oid_specs = { 'supported_algorithms': SetOfSupportedAlgorithm, 'tpm_specification': SetOfTPMSpecification, 'tcg_platform_specification': SetOfTCGPlatformSpecification, 'tpm_security_assertions': SetOfTPMSecurityAssertions, 'pda_date_of_birth': SetOfGeneralizedTime, 'pda_place_of_birth': SetOfDirectoryString, 'pda_gender': SetOfPrintableString, 'pda_country_of_citizenship': SetOfPrintableString, 'pda_country_of_residence': SetOfPrintableString, } def _values_spec(self): type_ = self['type'].native if type_ in self._oid_specs: return self._oid_specs[type_] return SetOf _spec_callbacks = { 'values': _values_spec } class SubjectDirectoryAttributes(SequenceOf): _child_spec = SubjectDirectoryAttribute class ExtensionId(ObjectIdentifier): _map = { '2.5.29.9': 'subject_directory_attributes', '2.5.29.14': 'key_identifier', '2.5.29.15': 'key_usage', '2.5.29.16': 'private_key_usage_period', '2.5.29.17': 'subject_alt_name', '2.5.29.18': 'issuer_alt_name', '2.5.29.19': 'basic_constraints', '2.5.29.30': 'name_constraints', '2.5.29.31': 'crl_distribution_points', '2.5.29.32': 'certificate_policies', '2.5.29.33': 'policy_mappings', '2.5.29.35': 'authority_key_identifier', '2.5.29.36': 'policy_constraints', '2.5.29.37': 'extended_key_usage', '2.5.29.46': 'freshest_crl', '2.5.29.54': 'inhibit_any_policy', '1.3.6.1.5.5.7.1.1': 'authority_information_access', '1.3.6.1.5.5.7.1.11': 'subject_information_access', # https://tools.ietf.org/html/rfc7633 '1.3.6.1.5.5.7.1.24': 'tls_feature', '1.3.6.1.5.5.7.48.1.5': 'ocsp_no_check', '1.2.840.113533.7.65.0': 'entrust_version_extension', '2.16.840.1.113730.1.1': 'netscape_certificate_type', # https://tools.ietf.org/html/rfc6962.html#page-14 '1.3.6.1.4.1.11129.2.4.2': 'signed_certificate_timestamp_list', } class Extension(Sequence): _fields = [ ('extn_id', ExtensionId), ('critical', Boolean, {'default': False}), ('extn_value', ParsableOctetString), ] _oid_pair = ('extn_id', 'extn_value') _oid_specs = { 'subject_directory_attributes': SubjectDirectoryAttributes, 'key_identifier': OctetString, 'key_usage': KeyUsage, 'private_key_usage_period': PrivateKeyUsagePeriod, 'subject_alt_name': GeneralNames, 'issuer_alt_name': GeneralNames, 'basic_constraints': BasicConstraints, 'name_constraints': NameConstraints, 'crl_distribution_points': CRLDistributionPoints, 'certificate_policies': CertificatePolicies, 'policy_mappings': PolicyMappings, 'authority_key_identifier': AuthorityKeyIdentifier, 'policy_constraints': PolicyConstraints, 'extended_key_usage': ExtKeyUsageSyntax, 'freshest_crl': CRLDistributionPoints, 'inhibit_any_policy': Integer, 'authority_information_access': AuthorityInfoAccessSyntax, 'subject_information_access': SubjectInfoAccessSyntax, 'tls_feature': Features, 'ocsp_no_check': Null, 'entrust_version_extension': EntrustVersionInfo, 'netscape_certificate_type': NetscapeCertificateType, 'signed_certificate_timestamp_list': OctetString, } class Extensions(SequenceOf): _child_spec = Extension class TbsCertificate(Sequence): _fields = [ ('version', Version, {'explicit': 0, 'default': 'v1'}), ('serial_number', Integer), ('signature', SignedDigestAlgorithm), ('issuer', Name), ('validity', Validity), ('subject', Name), ('subject_public_key_info', PublicKeyInfo), ('issuer_unique_id', OctetBitString, {'implicit': 1, 'optional': True}), ('subject_unique_id', OctetBitString, {'implicit': 2, 'optional': True}), ('extensions', Extensions, {'explicit': 3, 'optional': True}), ] class Certificate(Sequence): _fields = [ ('tbs_certificate', TbsCertificate), ('signature_algorithm', SignedDigestAlgorithm), ('signature_value', OctetBitString), ] _processed_extensions = False _critical_extensions = None _subject_directory_attributes = None _key_identifier_value = None _key_usage_value = None _subject_alt_name_value = None _issuer_alt_name_value = None _basic_constraints_value = None _name_constraints_value = None _crl_distribution_points_value = None _certificate_policies_value = None _policy_mappings_value = None _authority_key_identifier_value = None _policy_constraints_value = None _freshest_crl_value = None _inhibit_any_policy_value = None _extended_key_usage_value = None _authority_information_access_value = None _subject_information_access_value = None _private_key_usage_period_value = None _tls_feature_value = None _ocsp_no_check_value = None _issuer_serial = None _authority_issuer_serial = False _crl_distribution_points = None _delta_crl_distribution_points = None _valid_domains = None _valid_ips = None _self_issued = None _self_signed = None _sha1 = None _sha256 = None def _set_extensions(self): """ Sets common named extensions to private attributes and creates a list of critical extensions """ self._critical_extensions = set() for extension in self['tbs_certificate']['extensions']: name = extension['extn_id'].native attribute_name = '_%s_value' % name if hasattr(self, attribute_name): setattr(self, attribute_name, extension['extn_value'].parsed) if extension['critical'].native: self._critical_extensions.add(name) self._processed_extensions = True @property def critical_extensions(self): """ Returns a set of the names (or OID if not a known extension) of the extensions marked as critical :return: A set of unicode strings """ if not self._processed_extensions: self._set_extensions() return self._critical_extensions @property def private_key_usage_period_value(self): """ This extension is used to constrain the period over which the subject private key may be used :return: None or a PrivateKeyUsagePeriod object """ if not self._processed_extensions: self._set_extensions() return self._private_key_usage_period_value @property def subject_directory_attributes_value(self): """ This extension is used to contain additional identification attributes about the subject. :return: None or a SubjectDirectoryAttributes object """ if not self._processed_extensions: self._set_extensions() return self._subject_directory_attributes @property def key_identifier_value(self): """ This extension is used to help in creating certificate validation paths. It contains an identifier that should generally, but is not guaranteed to, be unique. :return: None or an OctetString object """ if not self._processed_extensions: self._set_extensions() return self._key_identifier_value @property def key_usage_value(self): """ This extension is used to define the purpose of the public key contained within the certificate. :return: None or a KeyUsage """ if not self._processed_extensions: self._set_extensions() return self._key_usage_value @property def subject_alt_name_value(self): """ This extension allows for additional names to be associate with the subject of the certificate. While it may contain a whole host of possible names, it is usually used to allow certificates to be used with multiple different domain names. :return: None or a GeneralNames object """ if not self._processed_extensions: self._set_extensions() return self._subject_alt_name_value @property def issuer_alt_name_value(self): """ This extension allows associating one or more alternative names with the issuer of the certificate. :return: None or an x509.GeneralNames object """ if not self._processed_extensions: self._set_extensions() return self._issuer_alt_name_value @property def basic_constraints_value(self): """ This extension is used to determine if the subject of the certificate is a CA, and if so, what the maximum number of intermediate CA certs after this are, before an end-entity certificate is found. :return: None or a BasicConstraints object """ if not self._processed_extensions: self._set_extensions() return self._basic_constraints_value @property def name_constraints_value(self): """ This extension is used in CA certificates, and is used to limit the possible names of certificates issued. :return: None or a NameConstraints object """ if not self._processed_extensions: self._set_extensions() return self._name_constraints_value @property def crl_distribution_points_value(self): """ This extension is used to help in locating the CRL for this certificate. :return: None or a CRLDistributionPoints object extension """ if not self._processed_extensions: self._set_extensions() return self._crl_distribution_points_value @property def certificate_policies_value(self): """ This extension defines policies in CA certificates under which certificates may be issued. In end-entity certificates, the inclusion of a policy indicates the issuance of the certificate follows the policy. :return: None or a CertificatePolicies object """ if not self._processed_extensions: self._set_extensions() return self._certificate_policies_value @property def policy_mappings_value(self): """ This extension allows mapping policy OIDs to other OIDs. This is used to allow different policies to be treated as equivalent in the process of validation. :return: None or a PolicyMappings object """ if not self._processed_extensions: self._set_extensions() return self._policy_mappings_value @property def authority_key_identifier_value(self): """ This extension helps in identifying the public key with which to validate the authenticity of the certificate. :return: None or an AuthorityKeyIdentifier object """ if not self._processed_extensions: self._set_extensions() return self._authority_key_identifier_value @property def policy_constraints_value(self): """ This extension is used to control if policy mapping is allowed and when policies are required. :return: None or a PolicyConstraints object """ if not self._processed_extensions: self._set_extensions() return self._policy_constraints_value @property def freshest_crl_value(self): """ This extension is used to help locate any available delta CRLs :return: None or an CRLDistributionPoints object """ if not self._processed_extensions: self._set_extensions() return self._freshest_crl_value @property def inhibit_any_policy_value(self): """ This extension is used to prevent mapping of the any policy to specific requirements :return: None or a Integer object """ if not self._processed_extensions: self._set_extensions() return self._inhibit_any_policy_value @property def extended_key_usage_value(self): """ This extension is used to define additional purposes for the public key beyond what is contained in the basic constraints. :return: None or an ExtKeyUsageSyntax object """ if not self._processed_extensions: self._set_extensions() return self._extended_key_usage_value @property def authority_information_access_value(self): """ This extension is used to locate the CA certificate used to sign this certificate, or the OCSP responder for this certificate. :return: None or an AuthorityInfoAccessSyntax object """ if not self._processed_extensions: self._set_extensions() return self._authority_information_access_value @property def subject_information_access_value(self): """ This extension is used to access information about the subject of this certificate. :return: None or a SubjectInfoAccessSyntax object """ if not self._processed_extensions: self._set_extensions() return self._subject_information_access_value @property def tls_feature_value(self): """ This extension is used to list the TLS features a server must respond with if a client initiates a request supporting them. :return: None or a Features object """ if not self._processed_extensions: self._set_extensions() return self._tls_feature_value @property def ocsp_no_check_value(self): """ This extension is used on certificates of OCSP responders, indicating that revocation information for the certificate should never need to be verified, thus preventing possible loops in path validation. :return: None or a Null object (if present) """ if not self._processed_extensions: self._set_extensions() return self._ocsp_no_check_value @property def signature(self): """ :return: A byte string of the signature """ return self['signature_value'].native @property def signature_algo(self): """ :return: A unicode string of "rsassa_pkcs1v15", "rsassa_pss", "dsa", "ecdsa" """ return self['signature_algorithm'].signature_algo @property def hash_algo(self): """ :return: A unicode string of "md2", "md5", "sha1", "sha224", "sha256", "sha384", "sha512", "sha512_224", "sha512_256" """ return self['signature_algorithm'].hash_algo @property def public_key(self): """ :return: The PublicKeyInfo object for this certificate """ return self['tbs_certificate']['subject_public_key_info'] @property def subject(self): """ :return: The Name object for the subject of this certificate """ return self['tbs_certificate']['subject'] @property def issuer(self): """ :return: The Name object for the issuer of this certificate """ return self['tbs_certificate']['issuer'] @property def serial_number(self): """ :return: An integer of the certificate's serial number """ return self['tbs_certificate']['serial_number'].native @property def key_identifier(self): """ :return: None or a byte string of the certificate's key identifier from the key identifier extension """ if not self.key_identifier_value: return None return self.key_identifier_value.native @property def issuer_serial(self): """ :return: A byte string of the SHA-256 hash of the issuer concatenated with the ascii character ":", concatenated with the serial number as an ascii string """ if self._issuer_serial is None: self._issuer_serial = self.issuer.sha256 + b':' + str_cls(self.serial_number).encode('ascii') return self._issuer_serial @property def authority_key_identifier(self): """ :return: None or a byte string of the key_identifier from the authority key identifier extension """ if not self.authority_key_identifier_value: return None return self.authority_key_identifier_value['key_identifier'].native @property def authority_issuer_serial(self): """ :return: None or a byte string of the SHA-256 hash of the isser from the authority key identifier extension concatenated with the ascii character ":", concatenated with the serial number from the authority key identifier extension as an ascii string """ if self._authority_issuer_serial is False: akiv = self.authority_key_identifier_value if akiv and akiv['authority_cert_issuer'].native: issuer = self.authority_key_identifier_value['authority_cert_issuer'][0].chosen # We untag the element since it is tagged via being a choice from GeneralName issuer = issuer.untag() authority_serial = self.authority_key_identifier_value['authority_cert_serial_number'].native self._authority_issuer_serial = issuer.sha256 + b':' + str_cls(authority_serial).encode('ascii') else: self._authority_issuer_serial = None return self._authority_issuer_serial @property def crl_distribution_points(self): """ Returns complete CRL URLs - does not include delta CRLs :return: A list of zero or more DistributionPoint objects """ if self._crl_distribution_points is None: self._crl_distribution_points = self._get_http_crl_distribution_points(self.crl_distribution_points_value) return self._crl_distribution_points @property def delta_crl_distribution_points(self): """ Returns delta CRL URLs - does not include complete CRLs :return: A list of zero or more DistributionPoint objects """ if self._delta_crl_distribution_points is None: self._delta_crl_distribution_points = self._get_http_crl_distribution_points(self.freshest_crl_value) return self._delta_crl_distribution_points def _get_http_crl_distribution_points(self, crl_distribution_points): """ Fetches the DistributionPoint object for non-relative, HTTP CRLs referenced by the certificate :param crl_distribution_points: A CRLDistributionPoints object to grab the DistributionPoints from :return: A list of zero or more DistributionPoint objects """ output = [] if crl_distribution_points is None: return [] for distribution_point in crl_distribution_points: distribution_point_name = distribution_point['distribution_point'] if distribution_point_name is VOID: continue # RFC 5280 indicates conforming CA should not use the relative form if distribution_point_name.name == 'name_relative_to_crl_issuer': continue # This library is currently only concerned with HTTP-based CRLs for general_name in distribution_point_name.chosen: if general_name.name == 'uniform_resource_identifier': output.append(distribution_point) return output @property def ocsp_urls(self): """ :return: A list of zero or more unicode strings of the OCSP URLs for this cert """ if not self.authority_information_access_value: return [] output = [] for entry in self.authority_information_access_value: if entry['access_method'].native == 'ocsp': location = entry['access_location'] if location.name != 'uniform_resource_identifier': continue url = location.native if url.lower().startswith(('http://', 'https://', 'ldap://', 'ldaps://')): output.append(url) return output @property def valid_domains(self): """ :return: A list of unicode strings of valid domain names for the certificate. Wildcard certificates will have a domain in the form: *.example.com """ if self._valid_domains is None: self._valid_domains = [] # For the subject alt name extension, we can look at the name of # the choice selected since it distinguishes between domain names, # email addresses, IPs, etc if self.subject_alt_name_value: for general_name in self.subject_alt_name_value: if general_name.name == 'dns_name' and general_name.native not in self._valid_domains: self._valid_domains.append(general_name.native) # If there was no subject alt name extension, and the common name # in the subject looks like a domain, that is considered the valid # list. This is done because according to # https://tools.ietf.org/html/rfc6125#section-6.4.4, the common # name should not be used if the subject alt name is present. else: pattern = re.compile('^(\\*\\.)?(?:[a-zA-Z0-9](?:[a-zA-Z0-9\\-]*[a-zA-Z0-9])?\\.)+[a-zA-Z]{2,}$') for rdn in self.subject.chosen: for name_type_value in rdn: if name_type_value['type'].native == 'common_name': value = name_type_value['value'].native if pattern.match(value): self._valid_domains.append(value) return self._valid_domains @property def valid_ips(self): """ :return: A list of unicode strings of valid IP addresses for the certificate """ if self._valid_ips is None: self._valid_ips = [] if self.subject_alt_name_value: for general_name in self.subject_alt_name_value: if general_name.name == 'ip_address': self._valid_ips.append(general_name.native) return self._valid_ips @property def ca(self): """ :return; A boolean - if the certificate is marked as a CA """ return self.basic_constraints_value and self.basic_constraints_value['ca'].native @property def max_path_length(self): """ :return; None or an integer of the maximum path length """ if not self.ca: return None return self.basic_constraints_value['path_len_constraint'].native @property def self_issued(self): """ :return: A boolean - if the certificate is self-issued, as defined by RFC 5280 """ if self._self_issued is None: self._self_issued = self.subject == self.issuer return self._self_issued @property def self_signed(self): """ :return: A unicode string of "no" or "maybe". The "maybe" result will be returned if the certificate issuer and subject are the same. If a key identifier and authority key identifier are present, they will need to match otherwise "no" will be returned. To verify is a certificate is truly self-signed, the signature will need to be verified. See the certvalidator package for one possible solution. """ if self._self_signed is None: self._self_signed = 'no' if self.self_issued: if self.key_identifier: if not self.authority_key_identifier: self._self_signed = 'maybe' elif self.authority_key_identifier == self.key_identifier: self._self_signed = 'maybe' else: self._self_signed = 'maybe' return self._self_signed @property def sha1(self): """ :return: The SHA-1 hash of the DER-encoded bytes of this complete certificate """ if self._sha1 is None: self._sha1 = hashlib.sha1(self.dump()).digest() return self._sha1 @property def sha1_fingerprint(self): """ :return: A unicode string of the SHA-1 hash, formatted using hex encoding with a space between each pair of characters, all uppercase """ return ' '.join('%02X' % c for c in bytes_to_list(self.sha1)) @property def sha256(self): """ :return: The SHA-256 hash of the DER-encoded bytes of this complete certificate """ if self._sha256 is None: self._sha256 = hashlib.sha256(self.dump()).digest() return self._sha256 @property def sha256_fingerprint(self): """ :return: A unicode string of the SHA-256 hash, formatted using hex encoding with a space between each pair of characters, all uppercase """ return ' '.join('%02X' % c for c in bytes_to_list(self.sha256)) def is_valid_domain_ip(self, domain_ip): """ Check if a domain name or IP address is valid according to the certificate :param domain_ip: A unicode string of a domain name or IP address :return: A boolean - if the domain or IP is valid for the certificate """ if not isinstance(domain_ip, str_cls): raise TypeError(unwrap( ''' domain_ip must be a unicode string, not %s ''', type_name(domain_ip) )) encoded_domain_ip = domain_ip.encode('idna').decode('ascii').lower() is_ipv6 = encoded_domain_ip.find(':') != -1 is_ipv4 = not is_ipv6 and re.match('^\\d+\\.\\d+\\.\\d+\\.\\d+$', encoded_domain_ip) is_domain = not is_ipv6 and not is_ipv4 # Handle domain name checks if is_domain: if not self.valid_domains: return False domain_labels = encoded_domain_ip.split('.') for valid_domain in self.valid_domains: encoded_valid_domain = valid_domain.encode('idna').decode('ascii').lower() valid_domain_labels = encoded_valid_domain.split('.') # The domain must be equal in label length to match if len(valid_domain_labels) != len(domain_labels): continue if valid_domain_labels == domain_labels: return True is_wildcard = self._is_wildcard_domain(encoded_valid_domain) if is_wildcard and self._is_wildcard_match(domain_labels, valid_domain_labels): return True return False # Handle IP address checks if not self.valid_ips: return False family = socket.AF_INET if is_ipv4 else socket.AF_INET6 normalized_ip = inet_pton(family, encoded_domain_ip) for valid_ip in self.valid_ips: valid_family = socket.AF_INET if valid_ip.find('.') != -1 else socket.AF_INET6 normalized_valid_ip = inet_pton(valid_family, valid_ip) if normalized_valid_ip == normalized_ip: return True return False def _is_wildcard_domain(self, domain): """ Checks if a domain is a valid wildcard according to https://tools.ietf.org/html/rfc6125#section-6.4.3 :param domain: A unicode string of the domain name, where any U-labels from an IDN have been converted to A-labels :return: A boolean - if the domain is a valid wildcard domain """ # The * character must be present for a wildcard match, and if there is # most than one, it is an invalid wildcard specification if domain.count('*') != 1: return False labels = domain.lower().split('.') if not labels: return False # Wildcards may only appear in the left-most label if labels[0].find('*') == -1: return False # Wildcards may not be embedded in an A-label from an IDN if labels[0][0:4] == 'xn--': return False return True def _is_wildcard_match(self, domain_labels, valid_domain_labels): """ Determines if the labels in a domain are a match for labels from a wildcard valid domain name :param domain_labels: A list of unicode strings, with A-label form for IDNs, of the labels in the domain name to check :param valid_domain_labels: A list of unicode strings, with A-label form for IDNs, of the labels in a wildcard domain pattern :return: A boolean - if the domain matches the valid domain """ first_domain_label = domain_labels[0] other_domain_labels = domain_labels[1:] wildcard_label = valid_domain_labels[0] other_valid_domain_labels = valid_domain_labels[1:] # The wildcard is only allowed in the first label, so if # The subsequent labels are not equal, there is no match if other_domain_labels != other_valid_domain_labels: return False if wildcard_label == '*': return True wildcard_regex = re.compile('^' + wildcard_label.replace('*', '.*') + '$') if wildcard_regex.match(first_domain_label): return True return False # The structures are taken from the OpenSSL source file x_x509a.c, and specify # extra information that is added to X.509 certificates to store trust # information about the certificate. class KeyPurposeIdentifiers(SequenceOf): _child_spec = KeyPurposeId class SequenceOfAlgorithmIdentifiers(SequenceOf): _child_spec = AlgorithmIdentifier class CertificateAux(Sequence): _fields = [ ('trust', KeyPurposeIdentifiers, {'optional': True}), ('reject', KeyPurposeIdentifiers, {'implicit': 0, 'optional': True}), ('alias', UTF8String, {'optional': True}), ('keyid', OctetString, {'optional': True}), ('other', SequenceOfAlgorithmIdentifiers, {'implicit': 1, 'optional': True}), ] class TrustedCertificate(Concat): _child_specs = [Certificate, CertificateAux]