authorwbond <will@wbond.net>2017-11-22 11:13:00 -0500
committerwbond <will@wbond.net>2017-11-22 11:15:20 -0500
commita11c450e2acd5d3d3bef2ac22da6cc47bd93ac74 (patch)
tree53c84d698338b5ae8d1205fa4e4a03b130d54e4e /asn1crypto/x509.py
parentc3d8505acb5e0eba1dd0d568a844f26fb7039600 (diff)
downloadasn1crypto-a11c450e2acd5d3d3bef2ac22da6cc47bd93ac74.tar.gz
Add better handling of Subject Directory Attributes, especially related to TPM
Diffstat (limited to 'asn1crypto/x509.py')
-rw-r--r--asn1crypto/x509.py264
1 files changed, 254 insertions, 10 deletions
diff --git a/asn1crypto/x509.py b/asn1crypto/x509.py
index df37205..f749e7c 100644
--- a/asn1crypto/x509.py
+++ b/asn1crypto/x509.py
@@ -28,7 +28,7 @@ from ._errors import unwrap
from ._iri import iri_to_uri, uri_to_iri
from ._ordereddict import OrderedDict
from ._types import type_name, str_cls, bytes_to_list
-from .algos import AlgorithmIdentifier, SignedDigestAlgorithm
+from .algos import AlgorithmIdentifier, AnyAlgorithmIdentifier, DigestAlgorithm, SignedDigestAlgorithm
from .core import (
Any,
BitString,
@@ -36,6 +36,7 @@ from .core import (
Boolean,
Choice,
Concat,
+ Enumerated,
GeneralizedTime,
GeneralString,
IA5String,
@@ -517,6 +518,13 @@ class NameType(ObjectIdentifier):
'2.5.4.46': 'dn_qualifier',
'2.5.4.65': 'pseudonym',
'2.5.4.97': 'organization_identifier',
+ # https://www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf
+ '2.23.133.2.1': 'tpm_manufacturer',
+ '2.23.133.2.2': 'tpm_model',
+ '2.23.133.2.3': 'tpm_version',
+ '2.23.133.2.4': 'platform_manufacturer',
+ '2.23.133.2.5': 'platform_model',
+ '2.23.133.2.6': 'platform_version',
# https://tools.ietf.org/html/rfc2985#page-26
'1.2.840.113549.1.9.1': 'email_address',
# Page 10 of https://cabforum.org/wp-content/uploads/EV-V1_5_5.pdf
@@ -559,6 +567,12 @@ class NameType(ObjectIdentifier):
'domain_component',
'name_distinguisher',
'organization_identifier',
+ 'tpm_manufacturer',
+ 'tpm_model',
+ 'tpm_version',
+ 'platform_manufacturer',
+ 'platform_model',
+ 'platform_version',
]
@classmethod
@@ -616,6 +630,12 @@ class NameType(ObjectIdentifier):
'domain_component': 'Domain Component',
'name_distinguisher': 'Name Distinguisher',
'organization_identifier': 'Organization Identifier',
+ 'tpm_manufacturer': 'TPM Manufacturer',
+ 'tpm_model': 'TPM Model',
+ 'tpm_version': 'TPM Version',
+ 'platform_manufacturer': 'Platform Manufacturer',
+ 'platform_model': 'Platform Model',
+ 'platform_version': 'Platform Version',
}.get(self.native, self.native)
@@ -656,6 +676,12 @@ class NameTypeAndValue(Sequence):
'domain_component': DNSName,
'name_distinguisher': DirectoryString,
'organization_identifier': DirectoryString,
+ 'tpm_manufacturer': UTF8String,
+ 'tpm_model': UTF8String,
+ 'tpm_version': UTF8String,
+ 'platform_manufacturer': UTF8String,
+ 'platform_model': UTF8String,
+ 'platform_version': UTF8String,
}
_prepped = None
@@ -1785,6 +1811,232 @@ class NetscapeCertificateType(BitString):
}
+class Version(Integer):
+ _map = {
+ 0: 'v1',
+ 1: 'v2',
+ 2: 'v3',
+ }
+
+
+class TPMSpecification(Sequence):
+ _fields = [
+ ('family', UTF8String),
+ ('level', Integer),
+ ('revision', Integer),
+ ]
+
+
+class SetOfTPMSpecification(SetOf):
+ _child_spec = TPMSpecification
+
+
+class TCGSpecificationVersion(Sequence):
+ _fields = [
+ ('major_version', Integer),
+ ('minor_version', Integer),
+ ('revision', Integer),
+ ]
+
+
+class TCGPlatformSpecification(Sequence):
+ _fields = [
+ ('version', TCGSpecificationVersion),
+ ('platform_class', OctetString),
+ ]
+
+
+class SetOfTCGPlatformSpecification(SetOf):
+ _child_spec = TCGPlatformSpecification
+
+
+class EKGenerationType(Enumerated):
+ _map = {
+ 0: 'internal',
+ 1: 'injected',
+ 2: 'internal_revocable',
+ 3: 'injected_revocable',
+ }
+
+
+class EKGenerationLocation(Enumerated):
+ _map = {
+ 0: 'tpm_manufacturer',
+ 1: 'platform_manufacturer',
+ 2: 'ek_cert_signer',
+ }
+
+
+class EKCertificateGenerationLocation(Enumerated):
+ _map = {
+ 0: 'tpm_manufacturer',
+ 1: 'platform_manufacturer',
+ 2: 'ek_cert_signer',
+ }
+
+
+class EvaluationAssuranceLevel(Enumerated):
+ _map = {
+ 1: 'level1',
+ 2: 'level2',
+ 3: 'level3',
+ 4: 'level4',
+ 5: 'level5',
+ 6: 'level6',
+ 7: 'level7',
+ }
+
+
+class EvaluationStatus(Enumerated):
+ _map = {
+ 0: 'designed_to_meet',
+ 1: 'evaluation_in_progress',
+ 2: 'evaluation_completed',
+ }
+
+
+class StrengthOfFunction(Enumerated):
+ _map = {
+ 0: 'basic',
+ 1: 'medium',
+ 2: 'high',
+ }
+
+
+class URIReference(Sequence):
+ _fields = [
+ ('uniform_resource_identifier', IA5String),
+ ('hash_algorithm', DigestAlgorithm, {'optional': True}),
+ ('hash_value', BitString, {'optional': True}),
+ ]
+
+
+class CommonCriteriaMeasures(Sequence):
+ _fields = [
+ ('version', IA5String),
+ ('assurance_level', EvaluationAssuranceLevel),
+ ('evaluation_status', EvaluationStatus),
+ ('plus', Boolean, {'default': False}),
+ ('strengh_of_function', StrengthOfFunction, {'implicit': 0, 'optional': True}),
+ ('profile_oid', ObjectIdentifier, {'implicit': 1, 'optional': True}),
+ ('profile_url', URIReference, {'implicit': 2, 'optional': True}),
+ ('target_oid', ObjectIdentifier, {'implicit': 3, 'optional': True}),
+ ('target_uri', URIReference, {'implicit': 4, 'optional': True}),
+ ]
+
+
+class SecurityLevel(Enumerated):
+ _map = {
+ 1: 'level1',
+ 2: 'level2',
+ 3: 'level3',
+ 4: 'level4',
+ }
+
+
+class FIPSLevel(Sequence):
+ _fields = [
+ ('version', IA5String),
+ ('level', SecurityLevel),
+ ('plus', Boolean, {'default': False}),
+ ]
+
+
+class TPMSecurityAssertions(Sequence):
+ _fields = [
+ ('version', Version, {'default': 'v1'}),
+ ('field_upgradable', Boolean, {'default': False}),
+ ('ek_generation_type', EKGenerationType, {'implicit': 0, 'optional': True}),
+ ('ek_generation_location', EKGenerationLocation, {'implicit': 1, 'optional': True}),
+ ('ek_certificate_generation_location', EKCertificateGenerationLocation, {'implicit': 2, 'optional': True}),
+ ('cc_info', CommonCriteriaMeasures, {'implicit': 3, 'optional': True}),
+ ('fips_level', FIPSLevel, {'implicit': 4, 'optional': True}),
+ ('iso_9000_certified', Boolean, {'implicit': 5, 'default': False}),
+ ('iso_9000_uri', IA5String, {'optional': True}),
+ ]
+
+
+class SetOfTPMSecurityAssertions(SetOf):
+ _child_spec = TPMSecurityAssertions
+
+
+class SubjectDirectoryAttributeId(ObjectIdentifier):
+ _map = {
+ # https://tools.ietf.org/html/rfc2256#page-11
+ '2.5.4.52': 'supported_algorithms',
+ # https://www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf
+ '2.23.133.2.16': 'tpm_specification',
+ '2.23.133.2.17': 'tcg_platform_specification',
+ '2.23.133.2.18': 'tpm_security_assertions',
+ # https://tools.ietf.org/html/rfc3739#page-18
+ '1.3.6.1.5.5.7.9.1': 'pda_date_of_birth',
+ '1.3.6.1.5.5.7.9.2': 'pda_place_of_birth',
+ '1.3.6.1.5.5.7.9.3': 'pda_gender',
+ '1.3.6.1.5.5.7.9.4': 'pda_country_of_citizenship',
+ '1.3.6.1.5.5.7.9.5': 'pda_country_of_residence',
+ # https://holtstrom.com/michael/tools/asn1decoder.php
+ '1.2.840.113533.7.68.29': 'entrust_user_role',
+ }
+
+
+class SetOfGeneralizedTime(SetOf):
+ _child_spec = GeneralizedTime
+
+
+class SetOfDirectoryString(SetOf):
+ _child_spec = DirectoryString
+
+
+class SetOfPrintableString(SetOf):
+ _child_spec = PrintableString
+
+
+class SupportedAlgorithm(Sequence):
+ _fields = [
+ ('algorithm_identifier', AnyAlgorithmIdentifier),
+ ('intended_usage', KeyUsage, {'explicit': 0, 'optional': True}),
+ ('intended_certificate_policies', CertificatePolicies, {'explicit': 1, 'optional': True}),
+ ]
+
+
+class SetOfSupportedAlgorithm(SetOf):
+ _child_spec = SupportedAlgorithm
+
+
+class SubjectDirectoryAttribute(Sequence):
+ _fields = [
+ ('type', SubjectDirectoryAttributeId),
+ ('values', Any),
+ ]
+
+ _oid_pair = ('type', 'values')
+ _oid_specs = {
+ 'supported_algorithms': SetOfSupportedAlgorithm,
+ 'tpm_specification': SetOfTPMSpecification,
+ 'tcg_platform_specification': SetOfTCGPlatformSpecification,
+ 'tpm_security_assertions': SetOfTPMSecurityAssertions,
+ 'pda_date_of_birth': SetOfGeneralizedTime,
+ 'pda_place_of_birth': SetOfDirectoryString,
+ 'pda_gender': SetOfPrintableString,
+ 'pda_country_of_citizenship': SetOfPrintableString,
+ 'pda_country_of_residence': SetOfPrintableString,
+ }
+
+ def _values_spec(self):
+ type_ = self['type'].native
+ if type_ in self._oid_specs:
+ return self._oid_specs[type_]
+ return SetOf
+
+ _spec_callbacks = {
+ 'values': _values_spec
+ }
+
+
+class SubjectDirectoryAttributes(SequenceOf):
+ _child_spec = SubjectDirectoryAttribute
+
+
class ExtensionId(ObjectIdentifier):
_map = {
'2.5.29.9': 'subject_directory_attributes',
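Review bot: The field key `'strengh_of_function'` in `CommonCriteriaMeasures` is misspelled, and because `_fields` names are the public lookup keys callers will write (`cc_info['strength_of_function']`), shipping the typo turns the eventual rename into a breaking change; the line should read `('strength_of_function', StrengthOfFunction, {'implicit': 0, 'optional': True}),`. In the same class `profile_url` sits beside `target_uri` and `URIReference.uniform_resource_identifier`, so `profile_uri` would keep the key naming consistent. The unknown-OID fallback in `SubjectDirectoryAttribute._values_spec` that returns bare `SetOf` deserves a one-line comment, e.g. `# Types without an _oid_specs entry (e.g. entrust_user_role) are parsed as an untyped SET OF`, since it presumably relies on `SetOf` parsing children generically when no `_child_spec` is set — worth confirming against core.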
@@ -1824,7 +2076,7 @@ class Extension(Sequence):
_oid_pair = ('extn_id', 'extn_value')
_oid_specs = {
- 'subject_directory_attributes': Attributes,
+ 'subject_directory_attributes': SubjectDirectoryAttributes,
'key_identifier': OctetString,
'key_usage': KeyUsage,
'private_key_usage_period': PrivateKeyUsagePeriod,
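Review bot: Swapping the `subject_directory_attributes` spec from `Attributes` to `SubjectDirectoryAttributes` changes the parsed shape existing callers get back for this extension: `SubjectDirectoryAttributeId._map` likely covers a different set of OIDs than the attribute-type mapping used before, so type names that previously resolved may now surface as dotted OIDs, and the per-value specs differ. That is presumably the intent, but the commit message does not call out the compatibility impact and a changelog note would help downstream users. The enclosing `_oid_specs` dict continues outside the hunk.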
@@ -1854,14 +2106,6 @@ class Extensions(SequenceOf):
_child_spec = Extension
-class Version(Integer):
- _map = {
- 0: 'v1',
- 1: 'v2',
- 2: 'v3',
- }
-
-
class TbsCertificate(Sequence):
_fields = [
('version', Version, {'explicit': 0, 'default': 'v1'}),