pygost/asn1schemas/cert-selfsigned-example.py

   1 """Create example self-signed X.509 certificate
   2 """
   3
   4 from base64 import standard_b64encode
   5 from datetime import datetime
   6 from datetime import timedelta
   7 from os import urandom
   8 from sys import argv
   9 from sys import exit as sys_exit
  10 from textwrap import fill
  11
  12 from pyderasn import Any
  13 from pyderasn import BitString
  14 from pyderasn import Integer
  15 from pyderasn import OctetString
  16 from pyderasn import PrintableString
  17 from pyderasn import UTCTime
  18
  19 from pygost.asn1schemas.oids import id_at_commonName
  20 from pygost.asn1schemas.oids import id_ce_subjectKeyIdentifier
  21 from pygost.asn1schemas.oids import id_tc26_gost3410_2012_512
  22 from pygost.asn1schemas.oids import id_tc26_gost3410_2012_512_paramSetA
  23 from pygost.asn1schemas.oids import id_tc26_signwithdigest_gost3410_2012_512
  24 from pygost.asn1schemas.prvkey import PrivateKey
  25 from pygost.asn1schemas.prvkey import PrivateKeyAlgorithmIdentifier
  26 from pygost.asn1schemas.prvkey import PrivateKeyInfo
  27 from pygost.asn1schemas.x509 import AlgorithmIdentifier
  28 from pygost.asn1schemas.x509 import AttributeType
  29 from pygost.asn1schemas.x509 import AttributeTypeAndValue
  30 from pygost.asn1schemas.x509 import AttributeValue
  31 from pygost.asn1schemas.x509 import Certificate
  32 from pygost.asn1schemas.x509 import CertificateSerialNumber
  33 from pygost.asn1schemas.x509 import Extension
  34 from pygost.asn1schemas.x509 import Extensions
  35 from pygost.asn1schemas.x509 import GostR34102012PublicKeyParameters
  36 from pygost.asn1schemas.x509 import Name
  37 from pygost.asn1schemas.x509 import RDNSequence
  38 from pygost.asn1schemas.x509 import RelativeDistinguishedName
  39 from pygost.asn1schemas.x509 import SubjectKeyIdentifier
  40 from pygost.asn1schemas.x509 import SubjectPublicKeyInfo
  41 from pygost.asn1schemas.x509 import TBSCertificate
  42 from pygost.asn1schemas.x509 import Time
  43 from pygost.asn1schemas.x509 import Validity
  44 from pygost.asn1schemas.x509 import Version
  45 from pygost.gost3410 import CURVES
  46 from pygost.gost3410 import prv_unmarshal
  47 from pygost.gost3410 import pub_marshal
  48 from pygost.gost3410 import public_key
  49 from pygost.gost3410 import sign
  50 from pygost.gost34112012512 import GOST34112012512
  51
  52 if len(argv) != 2:
  53     sys_exit("Usage: cert-selfsigned-example.py COMMON-NAME")
  54
  55
  56 def pem(obj):
  57     return fill(standard_b64encode(obj.encode()).decode("ascii"), 64)
  58
  59
  60 key_params = GostR34102012PublicKeyParameters((
  61     ("publicKeyParamSet", id_tc26_gost3410_2012_512_paramSetA),
  62 ))
  63
  64 prv_raw = urandom(64)
  65 print("-----BEGIN PRIVATE KEY-----")
  66 print(pem(PrivateKeyInfo((
  67     ("version", Integer(0)),
  68     ("privateKeyAlgorithm", PrivateKeyAlgorithmIdentifier((
  69         ("algorithm", id_tc26_gost3410_2012_512),
  70         ("parameters", Any(key_params)),
  71     ))),
  72     ("privateKey", PrivateKey(prv_raw)),
  73 ))))
  74 print("-----END PRIVATE KEY-----")
  75
  76 prv = prv_unmarshal(prv_raw)
  77 curve = CURVES["id-tc26-gost-3410-12-512-paramSetA"]
  78 pub_raw = pub_marshal(public_key(curve, prv))
  79 subj = Name(("rdnSequence", RDNSequence([
  80     RelativeDistinguishedName((
  81         AttributeTypeAndValue((
  82             ("type", AttributeType(id_at_commonName)),
  83             ("value", AttributeValue(PrintableString(argv[1]))),
  84         )),
  85     ))
  86 ])))
  87 not_before = datetime.utcnow()
  88 not_after = not_before + timedelta(days=365)
  89 ai_sign = AlgorithmIdentifier((
  90     ("algorithm", id_tc26_signwithdigest_gost3410_2012_512),
  91 ))
  92 tbs = TBSCertificate((
  93     ("version", Version("v3")),
  94     ("serialNumber", CertificateSerialNumber(12345)),
  95     ("signature", ai_sign),
  96     ("issuer", subj),
  97     ("validity", Validity((
  98         ("notBefore", Time(("utcTime", UTCTime(not_before)))),
  99         ("notAfter", Time(("utcTime", UTCTime(not_after)))),
 100     ))),
 101     ("subject", subj),
 102     ("subjectPublicKeyInfo", SubjectPublicKeyInfo((
 103         ("algorithm", AlgorithmIdentifier((
 104             ("algorithm", id_tc26_gost3410_2012_512),
 105             ("parameters", Any(key_params)),
 106         ))),
 107         ("subjectPublicKey", BitString(OctetString(pub_raw).encode())),
 108     ))),
 109     ("extensions", Extensions((
 110         Extension((
 111             ("extnID", id_ce_subjectKeyIdentifier),
 112             ("extnValue", OctetString(
 113                 SubjectKeyIdentifier(GOST34112012512(pub_raw).digest()[:20]).encode()
 114             )),
 115         )),
 116     ))),
 117 ))
 118 cert = Certificate((
 119     ("tbsCertificate", tbs),
 120     ("signatureAlgorithm", ai_sign),
 121     ("signatureValue", BitString(sign(
 122         curve,
 123         prv,
 124         GOST34112012512(tbs.encode()).digest()[::-1],
 125     ))),
 126 ))
 127 print("-----BEGIN CERTIFICATE-----")
 128 print(pem(cert))
 129 print("-----END CERTIFICATE-----")