2 """Create example self-signed X.509 certificate
5 from argparse import ArgumentParser
6 from base64 import standard_b64decode
7 from base64 import standard_b64encode
8 from datetime import datetime
9 from datetime import timedelta
10 from os import urandom
11 from textwrap import fill
13 from pyderasn import Any
14 from pyderasn import BitString
15 from pyderasn import Boolean
16 from pyderasn import IA5String
17 from pyderasn import Integer
18 from pyderasn import OctetString
19 from pyderasn import PrintableString
20 from pyderasn import UTCTime
22 from pygost.asn1schemas.oids import id_at_commonName
23 from pygost.asn1schemas.oids import id_ce_authorityKeyIdentifier
24 from pygost.asn1schemas.oids import id_ce_basicConstraints
25 from pygost.asn1schemas.oids import id_ce_subjectAltName
26 from pygost.asn1schemas.oids import id_ce_subjectKeyIdentifier
27 from pygost.asn1schemas.oids import id_tc26_gost3410_2012_256
28 from pygost.asn1schemas.oids import id_tc26_gost3410_2012_256_paramSetA
29 from pygost.asn1schemas.oids import id_tc26_gost3410_2012_256_paramSetB
30 from pygost.asn1schemas.oids import id_tc26_gost3410_2012_256_paramSetC
31 from pygost.asn1schemas.oids import id_tc26_gost3410_2012_256_paramSetD
32 from pygost.asn1schemas.oids import id_tc26_gost3410_2012_512
33 from pygost.asn1schemas.oids import id_tc26_gost3410_2012_512_paramSetA
34 from pygost.asn1schemas.oids import id_tc26_gost3410_2012_512_paramSetB
35 from pygost.asn1schemas.oids import id_tc26_gost3410_2012_512_paramSetC
36 from pygost.asn1schemas.oids import id_tc26_signwithdigest_gost3410_2012_256
37 from pygost.asn1schemas.oids import id_tc26_signwithdigest_gost3410_2012_512
38 from pygost.asn1schemas.prvkey import PrivateKey
39 from pygost.asn1schemas.prvkey import PrivateKeyAlgorithmIdentifier
40 from pygost.asn1schemas.prvkey import PrivateKeyInfo
41 from pygost.asn1schemas.x509 import AlgorithmIdentifier
42 from pygost.asn1schemas.x509 import AttributeType
43 from pygost.asn1schemas.x509 import AttributeTypeAndValue
44 from pygost.asn1schemas.x509 import AttributeValue
45 from pygost.asn1schemas.x509 import AuthorityKeyIdentifier
46 from pygost.asn1schemas.x509 import BasicConstraints
47 from pygost.asn1schemas.x509 import Certificate
48 from pygost.asn1schemas.x509 import CertificateSerialNumber
49 from pygost.asn1schemas.x509 import Extension
50 from pygost.asn1schemas.x509 import Extensions
51 from pygost.asn1schemas.x509 import GeneralName
52 from pygost.asn1schemas.x509 import GostR34102012PublicKeyParameters
53 from pygost.asn1schemas.x509 import KeyIdentifier
54 from pygost.asn1schemas.x509 import Name
55 from pygost.asn1schemas.x509 import RDNSequence
56 from pygost.asn1schemas.x509 import RelativeDistinguishedName
57 from pygost.asn1schemas.x509 import SubjectAltName
58 from pygost.asn1schemas.x509 import SubjectKeyIdentifier
59 from pygost.asn1schemas.x509 import SubjectPublicKeyInfo
60 from pygost.asn1schemas.x509 import TBSCertificate
61 from pygost.asn1schemas.x509 import Time
62 from pygost.asn1schemas.x509 import Validity
63 from pygost.asn1schemas.x509 import Version
64 from pygost.gost3410 import CURVES
65 from pygost.gost3410 import prv_unmarshal
66 from pygost.gost3410 import pub_marshal
67 from pygost.gost3410 import public_key
68 from pygost.gost3410 import sign
69 from pygost.gost34112012256 import GOST34112012256
70 from pygost.gost34112012512 import GOST34112012512
72 parser = ArgumentParser(description="Self-signed X.509 certificate creator")
76 help="Enable BasicConstraints.cA",
81 help="Subject's CommonName",
86 help="Signing algorithm: {256[ABCD],512[ABC]}",
90 help="Path to PEM with CA to issue the child",
92 args = parser.parse_args()
95 "publicKeyParamSet": id_tc26_gost3410_2012_256_paramSetA,
96 "key_algorithm": id_tc26_gost3410_2012_256,
98 "curve": CURVES["id-tc26-gost-3410-2012-256-paramSetA"],
99 "sign_algorithm": id_tc26_signwithdigest_gost3410_2012_256,
100 "hasher": GOST34112012256,
103 "publicKeyParamSet": id_tc26_gost3410_2012_256_paramSetB,
104 "key_algorithm": id_tc26_gost3410_2012_256,
106 "curve": CURVES["id-tc26-gost-3410-2012-256-paramSetB"],
107 "sign_algorithm": id_tc26_signwithdigest_gost3410_2012_256,
108 "hasher": GOST34112012256,
111 "publicKeyParamSet": id_tc26_gost3410_2012_256_paramSetC,
112 "key_algorithm": id_tc26_gost3410_2012_256,
114 "curve": CURVES["id-tc26-gost-3410-2012-256-paramSetC"],
115 "sign_algorithm": id_tc26_signwithdigest_gost3410_2012_256,
116 "hasher": GOST34112012256,
119 "publicKeyParamSet": id_tc26_gost3410_2012_256_paramSetD,
120 "key_algorithm": id_tc26_gost3410_2012_256,
122 "curve": CURVES["id-tc26-gost-3410-2012-256-paramSetD"],
123 "sign_algorithm": id_tc26_signwithdigest_gost3410_2012_256,
124 "hasher": GOST34112012256,
127 "publicKeyParamSet": id_tc26_gost3410_2012_512_paramSetA,
128 "key_algorithm": id_tc26_gost3410_2012_512,
130 "curve": CURVES["id-tc26-gost-3410-12-512-paramSetA"],
131 "sign_algorithm": id_tc26_signwithdigest_gost3410_2012_512,
132 "hasher": GOST34112012512,
135 "publicKeyParamSet": id_tc26_gost3410_2012_512_paramSetB,
136 "key_algorithm": id_tc26_gost3410_2012_512,
138 "curve": CURVES["id-tc26-gost-3410-12-512-paramSetB"],
139 "sign_algorithm": id_tc26_signwithdigest_gost3410_2012_512,
140 "hasher": GOST34112012512,
143 "publicKeyParamSet": id_tc26_gost3410_2012_512_paramSetC,
144 "key_algorithm": id_tc26_gost3410_2012_512,
146 "curve": CURVES["id-tc26-gost-3410-2012-512-paramSetC"],
147 "sign_algorithm": id_tc26_signwithdigest_gost3410_2012_512,
148 "hasher": GOST34112012512,
157 if args.issue_with is not None:
158 with open(args.issue_with, "rb") as fd:
159 lines = fd.read().decode("ascii").split("-----")
160 idx = lines.index("BEGIN PRIVATE KEY")
162 raise ValueError("PEM has no PRIVATE KEY")
163 prv_raw = standard_b64decode(lines[idx + 1])
164 idx = lines.index("BEGIN CERTIFICATE")
166 raise ValueError("PEM has no CERTIFICATE")
167 cert_raw = standard_b64decode(lines[idx + 1])
168 pki = PrivateKeyInfo().decod(prv_raw)
169 ca_prv = prv_unmarshal(bytes(OctetString().decod(bytes(pki["privateKey"]))))
170 ca_cert = Certificate().decod(cert_raw)
171 tbs = ca_cert["tbsCertificate"]
172 ca_subj = tbs["subject"]
173 curve_oid = GostR34102012PublicKeyParameters().decod(bytes(
174 tbs["subjectPublicKeyInfo"]["algorithm"]["parameters"]
175 ))["publicKeyParamSet"]
177 params for params in AIs.values()
178 if params["publicKeyParamSet"] == curve_oid
183 return fill(standard_b64encode(obj.encode()).decode("ascii"), 64)
186 key_params = GostR34102012PublicKeyParameters((
187 ("publicKeyParamSet", ai["publicKeyParamSet"]),
190 prv_raw = urandom(ai["prv_len"])
191 print("-----BEGIN PRIVATE KEY-----")
192 print(pem(PrivateKeyInfo((
193 ("version", Integer(0)),
194 ("privateKeyAlgorithm", PrivateKeyAlgorithmIdentifier((
195 ("algorithm", ai["key_algorithm"]),
196 ("parameters", Any(key_params)),
198 ("privateKey", PrivateKey(OctetString(prv_raw).encode())),
200 print("-----END PRIVATE KEY-----")
202 prv = prv_unmarshal(prv_raw)
204 pub_raw = pub_marshal(public_key(curve, prv))
205 subj = Name(("rdnSequence", RDNSequence([
206 RelativeDistinguishedName((
207 AttributeTypeAndValue((
208 ("type", AttributeType(id_at_commonName)),
209 ("value", AttributeValue(PrintableString(args.cn))),
213 not_before = datetime.utcnow()
214 not_after = not_before + timedelta(days=365)
215 ai_sign = AlgorithmIdentifier((
216 ("algorithm", (ai if ca_ai is None else ca_ai)["sign_algorithm"]),
220 ("extnID", id_ce_subjectKeyIdentifier),
222 ("extnValue", OctetString(
223 SubjectKeyIdentifier(GOST34112012256(pub_raw).digest()[:20]).encode()
227 ("extnID", id_ce_subjectAltName),
228 ("extnValue", OctetString(
230 GeneralName(("dNSName", IA5String(args.cn))),
236 exts.append(Extension((
237 ("extnID", id_ce_basicConstraints),
238 ("extnValue", OctetString(BasicConstraints((("cA", Boolean(True)),)).encode())),
240 if ca_ai is not None:
242 bytes(SubjectKeyIdentifier().decod(bytes(ext["extnValue"])))
243 for ext in ca_cert["tbsCertificate"]["extensions"]
244 if ext["extnID"] == id_ce_subjectKeyIdentifier
246 exts.append(Extension((
247 ("extnID", id_ce_authorityKeyIdentifier),
248 ("extnValue", OctetString(AuthorityKeyIdentifier((
249 ("keyIdentifier", KeyIdentifier(caKeyId)),
253 tbs = TBSCertificate((
254 ("version", Version("v3")),
255 ("serialNumber", CertificateSerialNumber(12345)),
256 ("signature", ai_sign),
257 ("issuer", subj if ca_ai is None else ca_subj),
258 ("validity", Validity((
259 ("notBefore", Time(("utcTime", UTCTime(not_before)))),
260 ("notAfter", Time(("utcTime", UTCTime(not_after)))),
263 ("subjectPublicKeyInfo", SubjectPublicKeyInfo((
264 ("algorithm", AlgorithmIdentifier((
265 ("algorithm", ai["key_algorithm"]),
266 ("parameters", Any(key_params)),
268 ("subjectPublicKey", BitString(OctetString(pub_raw).encode())),
270 ("extensions", Extensions(exts)),
273 ("tbsCertificate", tbs),
274 ("signatureAlgorithm", ai_sign),
275 ("signatureValue", BitString(
276 sign(curve, prv, ai["hasher"](tbs.encode()).digest()[::-1])
277 if ca_ai is None else
278 sign(ca_ai["curve"], ca_prv, ca_ai["hasher"](tbs.encode()).digest()[::-1])
281 print("-----BEGIN CERTIFICATE-----")
283 print("-----END CERTIFICATE-----")