diff options
author | Russ Housley <housley@vigilsec.com> | 2019-11-11 16:09:38 -0500 |
---|---|---|
committer | Ilya Etingof <etingof@gmail.com> | 2019-11-11 22:09:38 +0100 |
commit | bab198ce0c1dd61c46c112684b0ebb0688ea9eec (patch) | |
tree | 6e177fdc50c0e7ffc643038452e8738ea285a50c | |
parent | b61bbfac575cfaa2a58812f66670fd0c04063e7c (diff) | |
download | pyasn1-modules-bab198ce0c1dd61c46c112684b0ebb0688ea9eec.tar.gz |
Add support for RFC 4043 and RFC 7585 (#104)
-rw-r--r-- | CHANGES.txt | 3 | ||||
-rw-r--r-- | pyasn1_modules/rfc4043.py | 43 | ||||
-rw-r--r-- | pyasn1_modules/rfc7585.py | 50 | ||||
-rw-r--r-- | tests/__main__.py | 2 | ||||
-rw-r--r-- | tests/test_rfc4043.py | 120 | ||||
-rw-r--r-- | tests/test_rfc7585.py | 124 |
6 files changed, 342 insertions, 0 deletions
diff --git a/CHANGES.txt b/CHANGES.txt index 49172ae..0838373 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -33,6 +33,9 @@ Revision 0.2.8, released XX-XX-2019 - Add RFC5913 providing Clearance Attribute and Authority Clearance Constraints Certificate Extension - Add RFC5917 providing Clearance Sponsor Attribute +- Add RFC4043 providing Internet X.509 PKI Permanent Identifier +- Add RFC7585 providing Network Access Identifier (NAI) Realm Name + for Certificates Revision 0.2.7, released 09-10-2019 ----------------------------------- diff --git a/pyasn1_modules/rfc4043.py b/pyasn1_modules/rfc4043.py new file mode 100644 index 0000000..cf0a801 --- /dev/null +++ b/pyasn1_modules/rfc4043.py @@ -0,0 +1,43 @@ +# +# This file is part of pyasn1-modules software. +# +# Created by Russ Housley with assistance from asn1ate v.0.6.0. +# +# Copyright (c) 2019, Vigil Security, LLC +# License: http://snmplabs.com/pyasn1/license.html +# +# Internet X.509 Public Key Infrastructure Permanent Identifier +# +# ASN.1 source from: +# https://www.rfc-editor.org/rfc/rfc4043.txt +# + +from pyasn1.type import char +from pyasn1.type import namedtype +from pyasn1.type import univ + +from pyasn1_modules import rfc5280 + + +id_pkix = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, )) + +id_on = id_pkix + (8, ) + +id_on_permanentIdentifier = id_on + (3, ) + + +class PermanentIdentifier(univ.Sequence): + componentType = namedtype.NamedTypes( + namedtype.OptionalNamedType('identifierValue', char.UTF8String()), + namedtype.OptionalNamedType('assigner', univ.ObjectIdentifier()) + ) + + +# Map of Other Name OIDs to Other Name is added to the +# ones that are in rfc5280.py + +_anotherNameMapUpdate = { + id_on_permanentIdentifier: PermanentIdentifier(), +} + +rfc5280.anotherNameMap.update(_anotherNameMapUpdate) diff --git a/pyasn1_modules/rfc7585.py b/pyasn1_modules/rfc7585.py new file mode 100644 index 0000000..b3fd4a5 --- /dev/null +++ b/pyasn1_modules/rfc7585.py @@ -0,0 +1,50 @@ +# +# This file is part of pyasn1-modules software. +# +# Created by Russ Housley with some assistance from asn1ate v.0.6.0. +# +# Copyright (c) 2019, Vigil Security, LLC +# License: http://snmplabs.com/pyasn1/license.html +# +# Network Access Identifier (NAI) Realm Name for Certificates +# +# ASN.1 source from: +# https://www.rfc-editor.org/rfc/rfc7585.txt +# + +from pyasn1.type import char +from pyasn1.type import constraint +from pyasn1.type import univ + +from pyasn1_modules import rfc5280 + + +# NAI Realm Name for Certificates + +id_pkix = univ.ObjectIdentifier('1.3.6.1.5.5.7') + +id_on = id_pkix + (8, ) + +id_on_naiRealm = id_on + (8, ) + + +ub_naiRealm_length = univ.Integer(255) + + +class NAIRealm(char.UTF8String): + subtypeSpec = constraint.ValueSizeConstraint(1, ub_naiRealm_length) + + +naiRealm = rfc5280.AnotherName() +naiRealm['type-id'] = id_on_naiRealm +naiRealm['value'] = NAIRealm() + + +# Map of Other Name OIDs to Other Name is added to the +# ones that are in rfc5280.py + +_anotherNameMapUpdate = { + id_on_naiRealm: NAIRealm(), +} + +rfc5280.anotherNameMap.update(_anotherNameMapUpdate) diff --git a/tests/__main__.py b/tests/__main__.py index 479cd09..a019541 100644 --- a/tests/__main__.py +++ b/tests/__main__.py @@ -35,6 +35,7 @@ suite = unittest.TestLoader().loadTestsFromNames( 'tests.test_rfc3770.suite', 'tests.test_rfc3779.suite', 'tests.test_rfc3852.suite', + 'tests.test_rfc4043.suite', 'tests.test_rfc4055.suite', 'tests.test_rfc4073.suite', 'tests.test_rfc4108.suite', @@ -81,6 +82,7 @@ suite = unittest.TestLoader().loadTestsFromNames( 'tests.test_rfc7292.suite', 'tests.test_rfc7296.suite', 'tests.test_rfc7508.suite', + 'tests.test_rfc7585.suite', 'tests.test_rfc7633.suite', 'tests.test_rfc7773.suite', 'tests.test_rfc7894.suite', diff --git a/tests/test_rfc4043.py b/tests/test_rfc4043.py new file mode 100644 index 0000000..0637b87 --- /dev/null +++ b/tests/test_rfc4043.py @@ -0,0 +1,120 @@ +# +# This file is part of pyasn1-modules software. +# +# Created by Russ Housley +# Copyright (c) 2019, Vigil Security, LLC +# License: http://snmplabs.com/pyasn1/license.html +# + +import sys + +from pyasn1.codec.der.decoder import decode as der_decode +from pyasn1.codec.der.encoder import encode as der_encode + +from pyasn1.type import univ + +from pyasn1_modules import pem +from pyasn1_modules import rfc5280 +from pyasn1_modules import rfc4043 + +try: + import unittest2 as unittest +except ImportError: + import unittest + + +class PermIdCertTestCase(unittest.TestCase): + cert_pem_text = """\ +MIIDDTCCApOgAwIBAgIJAKWzVCgbsG5HMAoGCCqGSM49BAMDMD8xCzAJBgNVBAYT +AlVTMQswCQYDVQQIDAJWQTEQMA4GA1UEBwwHSGVybmRvbjERMA8GA1UECgwIQm9n +dXMgQ0EwHhcNMTkxMTEwMDA0MDIyWhcNMjAxMTA5MDA0MDIyWjBNMQswCQYDVQQG +EwJVUzELMAkGA1UECBMCVkExEDAOBgNVBAcTB0hlcm5kb24xEDAOBgNVBAoTB0V4 +YW1wbGUxDTALBgNVBAMTBEdhaWwwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQBoktg +/68xL+uEQaWBoHyOjw8EMLeMEng3R2H7yiEzTGoaMJgPOKvSfzB2P0paHYPL+B5y +Gc0CK5EHRujMl9ljH+Wydpk57rKBLo1ZzpWUS6anLGIkWs1sOakcgGGr7hGjggFL +MIIBRzAdBgNVHQ4EFgQU1pCNZuMzfEaJ9GGhH7RKy6Mvz+cwbwYDVR0jBGgwZoAU +8jXbNATapVXyvWkDmbBi7OIVCMGhQ6RBMD8xCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJWQTEQMA4GA1UEBwwHSGVybmRvbjERMA8GA1UECgwIQm9ndXMgQ0GCCQDokdYG +kU/O8jAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBhjBCBglghkgBhvhCAQ0E +NRYzVGhpcyBjZXJ0aWZpY2F0ZSBjYW5ub3QgYmUgdHJ1c3RlZCBmb3IgYW55IHB1 +cnBvc2UuMFMGA1UdEQRMMEqgNgYIKwYBBQUHCAOgKjAoDBs4MjYyMDgtNDE3MDI4 +LTU0ODE5NS0yMTUyMzMGCSsGAQQBgaxgMIEQZ2FpbEBleGFtcGxlLmNvbTAKBggq +hkjOPQQDAwNoADBlAjBT+36Y/LPaGSu+61P7kR97M8jAjtH5DtUwrWR02ChshvYJ +x0bpZq3PJaO0WlBgFicCMQCf+67wSvjxxtjI/OAg4t8NQIJW1LcehSXizlPDc772 +/FC5OiUAxO+iFaSVMeDFsCo= +""" + + def setUp(self): + self.asn1Spec = rfc5280.Certificate() + + def testDerCodec(self): + substrate = pem.readBase64fromText(self.cert_pem_text) + asn1Object, rest = der_decode(substrate, asn1Spec=self.asn1Spec) + assert not rest + assert asn1Object.prettyPrint() + assert der_encode(asn1Object) == substrate + + perm_id_oid = rfc4043.id_on_permanentIdentifier + assigner_oid = univ.ObjectIdentifier('1.3.6.1.4.1.22112.48') + permanent_identifier_found = False + + for extn in asn1Object['tbsCertificate']['extensions']: + if extn['extnID'] == rfc5280.id_ce_subjectAltName: + extnValue, rest = der_decode(extn['extnValue'], + asn1Spec=rfc5280.SubjectAltName()) + assert not rest + assert extnValue.prettyPrint() + assert der_encode(extnValue) == extn['extnValue'] + + for gn in extnValue: + if gn['otherName'].hasValue(): + assert gn['otherName']['type-id'] == perm_id_oid + onValue, rest = der_decode(gn['otherName']['value'], + asn1Spec=rfc4043.PermanentIdentifier()) + assert not rest + assert onValue.prettyPrint() + assert der_encode(onValue) == gn['otherName']['value'] + assert onValue['assigner'] == assigner_oid + permanent_identifier_found = True + + assert permanent_identifier_found + + def testOpenTypes(self): + substrate = pem.readBase64fromText(self.cert_pem_text) + asn1Object, rest = der_decode(substrate, + asn1Spec=self.asn1Spec, + decodeOpenTypes=True) + assert not rest + assert asn1Object.prettyPrint() + assert der_encode(asn1Object) == substrate + + perm_id_oid = rfc4043.id_on_permanentIdentifier + assigner_oid = univ.ObjectIdentifier('1.3.6.1.4.1.22112.48') + permanent_identifier_found = False + + for extn in asn1Object['tbsCertificate']['extensions']: + if extn['extnID'] == rfc5280.id_ce_subjectAltName: + extnValue, rest = der_decode(extn['extnValue'], + asn1Spec=rfc5280.SubjectAltName(), + decodeOpenTypes=True) + assert not rest + assert extnValue.prettyPrint() + assert der_encode(extnValue) == extn['extnValue'] + + for gn in extnValue: + if gn['otherName'].hasValue(): + on = gn['otherName'] + assert on['type-id'] == perm_id_oid + assert on['value']['assigner'] == assigner_oid + permanent_identifier_found = True + + assert permanent_identifier_found + + +suite = unittest.TestLoader().loadTestsFromModule(sys.modules[__name__]) + +if __name__ == '__main__': + import sys + + result = unittest.TextTestRunner(verbosity=2).run(suite) + sys.exit(not result.wasSuccessful()) diff --git a/tests/test_rfc7585.py b/tests/test_rfc7585.py new file mode 100644 index 0000000..ecbd72a --- /dev/null +++ b/tests/test_rfc7585.py @@ -0,0 +1,124 @@ +# +# This file is part of pyasn1-modules software. +# +# Created by Russ Housley +# Copyright (c) 2019, Vigil Security, LLC +# License: http://snmplabs.com/pyasn1/license.html +# + +import sys + +from pyasn1.codec.der.decoder import decode as der_decode +from pyasn1.codec.der.encoder import encode as der_encode + +from pyasn1.type import univ + +from pyasn1_modules import pem +from pyasn1_modules import rfc5280 +from pyasn1_modules import rfc7585 + +try: + import unittest2 as unittest +except ImportError: + import unittest + + +class NAIRealmCertTestCase(unittest.TestCase): + cert_pem_text = """\ +MIIEZzCCA0+gAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBkjELMAkGA1UEBhMCRlIx +DzANBgNVBAgMBlJhZGl1czESMBAGA1UEBwwJU29tZXdoZXJlMRQwEgYDVQQKDAtF +eGFtcGxlIEluYzEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBsZS5vcmcxJjAk +BgNVBAMMHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE5MTExMTE4 +MDQyMVoXDTIwMDExMDE4MDQyMVowezELMAkGA1UEBhMCRlIxDzANBgNVBAgMBlJh +ZGl1czEUMBIGA1UECgwLRXhhbXBsZSBJbmMxIzAhBgNVBAMMGkV4YW1wbGUgU2Vy +dmVyIENlcnRpZmljYXRlMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxlLm9y +ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM9HqbuyWpsTMKo739Dm +DwmQo2HUkNdQYbvsB+e7ILsw8fWa2qnsF1CoRr/1bcZqXUR1To/QbHse7xSMZH9t +F7rdlDMc7QtgdwVfn8TiL3hCg5LSE8iaBzfJUjrts/V5WOByP1DwJVM7W3Va/5dN +oOiceVeC7ThghMlwIx/wN5cy78a8fPYV2FvPR6e+U2HG35zaIv2PizYcliF/QmZG +gnw4Q9dYC1Lw/ogVBZBALlv+/MuGheb/xIuL8lu1PFZ0YbW65WLD9Cx4wvytAke7 +tKlhL/Kd4OBSeOY3OYmpxbc1gEUmFoLTlZesY2NP9Jyl5mGsIHtPdvVkh/tSBy8o +VLUCAwEAAaOB3TCB2jAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DATBgNVHSUEDDAK +BggrBgEFBQcDATA2BgNVHR8ELzAtMCugKaAnhiVodHRwOi8vd3d3LmV4YW1wbGUu +Y29tL2V4YW1wbGVfY2EuY3JsMDcGCCsGAQUFBwEBBCswKTAnBggrBgEFBQcwAYYb +aHR0cDovL3d3dy5leGFtcGxlLm9yZy9vY3NwMDoGA1UdEQQzMDGCEnJhZGl1cy5l +eGFtcGxlLm9yZ6AbBggrBgEFBQcICKAPDA0qLmV4YW1wbGUuY29tMA0GCSqGSIb3 +DQEBCwUAA4IBAQBOhtH2Jpi0b0MZ8FBKTqDl44rIHL1rHG2mW/YYmRI4jZo8kFhA +yWm/T8ZpdaotJgRqbQbeXvTXIg4/JNFheyLG4yLOzS1esdMAYDD5EN9/dXE++jND +/wrfPU+QtTgzAjkgFDKuqO7gr1/vSizxLYTWLKBPRHhiQo7GGlEC6/CPb38x4mfQ +5Y9DsKCp6BEZu+LByCho/HMDzcIPCdtXRX7Fs8rtX4/zRpVIdm6D+vebuo6CwRKp +mIljfssCvZjb9YIxSVDmA/6Lapqsfsfo922kb+MTXvPrq2ynPx8LrPDrxKc8maYc +Jiw8B0yjkokwojxyRGftMT8uxNjWQVsMDbxl +""" + + def setUp(self): + self.asn1Spec = rfc5280.Certificate() + + def testDerCodec(self): + substrate = pem.readBase64fromText(self.cert_pem_text) + asn1Object, rest = der_decode(substrate, asn1Spec=self.asn1Spec) + assert not rest + assert asn1Object.prettyPrint() + assert der_encode(asn1Object) == substrate + + nai_realm_oid = rfc7585.id_on_naiRealm + nai_realm_found = False + + for extn in asn1Object['tbsCertificate']['extensions']: + if extn['extnID'] == rfc5280.id_ce_subjectAltName: + extnValue, rest = der_decode(extn['extnValue'], + asn1Spec=rfc5280.SubjectAltName()) + assert not rest + assert extnValue.prettyPrint() + assert der_encode(extnValue) == extn['extnValue'] + + for gn in extnValue: + if gn['otherName'].hasValue(): + assert gn['otherName']['type-id'] == nai_realm_oid + onValue, rest = der_decode(gn['otherName']['value'], + asn1Spec=rfc7585.NAIRealm()) + assert not rest + assert onValue.prettyPrint() + assert der_encode(onValue) == gn['otherName']['value'] + assert 'example' in onValue + nai_realm_found = True + + assert nai_realm_found + + def testOpenTypes(self): + substrate = pem.readBase64fromText(self.cert_pem_text) + asn1Object, rest = der_decode(substrate, + asn1Spec=self.asn1Spec, + decodeOpenTypes=True) + assert not rest + assert asn1Object.prettyPrint() + assert der_encode(asn1Object) == substrate + + nai_realm_oid = rfc7585.id_on_naiRealm + nai_realm_found = False + + for extn in asn1Object['tbsCertificate']['extensions']: + if extn['extnID'] == rfc5280.id_ce_subjectAltName: + extnValue, rest = der_decode(extn['extnValue'], + asn1Spec=rfc5280.SubjectAltName(), + decodeOpenTypes=True) + assert not rest + assert extnValue.prettyPrint() + assert der_encode(extnValue) == extn['extnValue'] + + for gn in extnValue: + if gn['otherName'].hasValue(): + assert gn['otherName']['type-id'] == nai_realm_oid + assert 'example' in gn['otherName']['value'] + nai_realm_found = True + + assert nai_realm_found + + +suite = unittest.TestLoader().loadTestsFromModule(sys.modules[__name__]) + +if __name__ == '__main__': + import sys + + result = unittest.TextTestRunner(verbosity=2).run(suite) + sys.exit(not result.wasSuccessful()) |