X-Git-Url: http://www.git.cypherpunks.ru/?a=blobdiff_plain;f=pygost%2Fasn1schemas%2Fcert-selfsigned-example.py;h=edce6969a92feef39d3d629fc575f26d40c64efa;hb=f7d7f4e37cc84e0b188b8445009f2ee11d8a250b;hp=94b4b34cf4ba318dc5bf75a0ac427b12d58dab65;hpb=a57c47d89bb73d7967a6cfbf26c6db2d41e1ca8d;p=pygost.git
diff --git a/pygost/asn1schemas/cert-selfsigned-example.py b/pygost/asn1schemas/cert-selfsigned-example.py
index 94b4b34..edce696 100755
--- a/pygost/asn1schemas/cert-selfsigned-example.py
+++ b/pygost/asn1schemas/cert-selfsigned-example.py
@@ -20,7 +20,9 @@ from pyderasn import PrintableString
 from pyderasn import UTCTime
 
 from pygost.asn1schemas.oids import id_at_commonName
+from pygost.asn1schemas.oids import id_ce_authorityKeyIdentifier
 from pygost.asn1schemas.oids import id_ce_basicConstraints
+from pygost.asn1schemas.oids import id_ce_keyUsage
 from pygost.asn1schemas.oids import id_ce_subjectAltName
 from pygost.asn1schemas.oids import id_ce_subjectKeyIdentifier
 from pygost.asn1schemas.oids import id_tc26_gost3410_2012_256
@@ -41,6 +43,7 @@ from pygost.asn1schemas.x509 import AlgorithmIdentifier
 from pygost.asn1schemas.x509 import AttributeType
 from pygost.asn1schemas.x509 import AttributeTypeAndValue
 from pygost.asn1schemas.x509 import AttributeValue
+from pygost.asn1schemas.x509 import AuthorityKeyIdentifier
 from pygost.asn1schemas.x509 import BasicConstraints
 from pygost.asn1schemas.x509 import Certificate
 from pygost.asn1schemas.x509 import CertificateSerialNumber
@@ -48,6 +51,8 @@ from pygost.asn1schemas.x509 import Extension
 from pygost.asn1schemas.x509 import Extensions
 from pygost.asn1schemas.x509 import GeneralName
 from pygost.asn1schemas.x509 import GostR34102012PublicKeyParameters
+from pygost.asn1schemas.x509 import KeyIdentifier
+from pygost.asn1schemas.x509 import KeyUsage
 from pygost.asn1schemas.x509 import Name
 from pygost.asn1schemas.x509 import RDNSequence
 from pygost.asn1schemas.x509 import RelativeDistinguishedName
@@ -148,6 +153,7 @@ AIs = {
 
 ai = AIs[args.ai]
 ca_prv = None
+ca_cert = None
 ca_subj = None
 ca_ai = None
 if args.issue_with is not None:
@@ -163,7 +169,8 @@ if args.issue_with is not None:
 cert_raw = standard_b64decode(lines[idx + 1])
 pki = PrivateKeyInfo().decod(prv_raw)
 ca_prv = prv_unmarshal(bytes(OctetString().decod(bytes(pki["privateKey"]))))
- tbs = Certificate().decod(cert_raw)["tbsCertificate"]
+ ca_cert = Certificate().decod(cert_raw)
+ tbs = ca_cert["tbsCertificate"]
 ca_subj = tbs["subject"]
 curve_oid = GostR34102012PublicKeyParameters().decod(bytes(
 tbs["subjectPublicKeyInfo"]["algorithm"]["parameters"]
@@ -206,7 +213,7 @@ subj = Name(("rdnSequence", RDNSequence([
 ))
 ])))
 not_before = datetime.utcnow()
-not_after = not_before + timedelta(days=365)
+not_after = not_before + timedelta(days=365 * (10 if args.ca else 1))
 ai_sign = AlgorithmIdentifier((
 ("algorithm", (ai if ca_ai is None else ca_ai)["sign_algorithm"]),
 ))
@@ -230,8 +237,29 @@ exts = [
 if args.ca:
 exts.append(Extension((
 ("extnID", id_ce_basicConstraints),
- ("extnValue", OctetString(BasicConstraints((("cA", Boolean(True)),)).encode())),
+ ("critical", Boolean(True)),
+ ("extnValue", OctetString(BasicConstraints((
+ ("cA", Boolean(True)),
+ )).encode())),
 )))
+ exts.append(Extension((
+ ("extnID", id_ce_keyUsage),
+ ("critical", Boolean(True)),
+ ("extnValue", OctetString(KeyUsage(("keyCertSign",)).encode())),
+ )))
+if ca_ai is not None:
+ caKeyId = [
+ bytes(SubjectKeyIdentifier().decod(bytes(ext["extnValue"])))
+ for ext in ca_cert["tbsCertificate"]["extensions"]
+ if ext["extnID"] == id_ce_subjectKeyIdentifier
+ ][0]
+ exts.append(Extension((
+ ("extnID", id_ce_authorityKeyIdentifier),
+ ("extnValue", OctetString(AuthorityKeyIdentifier((
+ ("keyIdentifier", KeyIdentifier(caKeyId)),
+ )).encode())),
+ )))
+
 tbs = TBSCertificate((
 ("version", Version("v3")),
 ("serialNumber", CertificateSerialNumber(12345)),
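Review bot: The subjectKeyIdentifier lookup in the new `if ca_ai is not None:` block (last hunk) takes `[0]` of a list comprehension, so an issuing certificate loaded via `issue_with` that carries no subjectKeyIdentifier extension dies with a bare IndexError, and if pyderasn hands back None for an absent optional `extensions` field the `for` fails earlier with a TypeError — neither tells the operator what is wrong with the CA certificate. Because the authorityKeyIdentifier written here must equal the issuer's SKI for chain building to succeed, it is worth failing with a message that names the missing extension, and rejecting the ambiguous case of several SKI extensions rather than silently using the first. The rest of the block, and the keyUsage/basicConstraints additions above it, can stay as they are. The script is flat, so this block has no enclosing function.
```python
if ca_ai is not None:
    ca_exts = ca_cert["tbsCertificate"]["extensions"]
    ca_skis = [
        bytes(SubjectKeyIdentifier().decod(bytes(ext["extnValue"])))
        for ext in (ca_exts if ca_exts is not None else ())
        if ext["extnID"] == id_ce_subjectKeyIdentifier
    ]
    if len(ca_skis) != 1:
        raise ValueError(
            "issuing certificate must carry exactly one subjectKeyIdentifier extension"
        )
    caKeyId = ca_skis[0]
    # … unchanged: authorityKeyIdentifier Extension append …
```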