Ability to create certificate examples with various curves

[pygost.git] / pygost / asn1schemas / cert-selfsigned-example.py

"""Create example self-signed X.509 certificate
"""

from argparse import ArgumentParser
from base64 import standard_b64encode
from datetime import datetime
from datetime import timedelta
from os import urandom
from textwrap import fill

from pyderasn import Any
from pyderasn import BitString
from pyderasn import Boolean
from pyderasn import Integer
from pyderasn import OctetString
from pyderasn import PrintableString
from pyderasn import UTCTime

from pygost.asn1schemas.oids import id_at_commonName
from pygost.asn1schemas.oids import id_ce_basicConstraints
from pygost.asn1schemas.oids import id_ce_subjectKeyIdentifier
from pygost.asn1schemas.oids import id_tc26_gost3410_2012_256
from pygost.asn1schemas.oids import id_tc26_gost3410_2012_256_paramSetA
from pygost.asn1schemas.oids import id_tc26_gost3410_2012_256_paramSetB
from pygost.asn1schemas.oids import id_tc26_gost3410_2012_256_paramSetC
from pygost.asn1schemas.oids import id_tc26_gost3410_2012_256_paramSetD
from pygost.asn1schemas.oids import id_tc26_gost3410_2012_512
from pygost.asn1schemas.oids import id_tc26_gost3410_2012_512_paramSetA
from pygost.asn1schemas.oids import id_tc26_gost3410_2012_512_paramSetB
from pygost.asn1schemas.oids import id_tc26_gost3410_2012_512_paramSetC
from pygost.asn1schemas.oids import id_tc26_signwithdigest_gost3410_2012_256
from pygost.asn1schemas.oids import id_tc26_signwithdigest_gost3410_2012_512
from pygost.asn1schemas.prvkey import PrivateKey
from pygost.asn1schemas.prvkey import PrivateKeyAlgorithmIdentifier
from pygost.asn1schemas.prvkey import PrivateKeyInfo
from pygost.asn1schemas.x509 import AlgorithmIdentifier
from pygost.asn1schemas.x509 import AttributeType
from pygost.asn1schemas.x509 import AttributeTypeAndValue
from pygost.asn1schemas.x509 import AttributeValue
from pygost.asn1schemas.x509 import BasicConstraints
from pygost.asn1schemas.x509 import Certificate
from pygost.asn1schemas.x509 import CertificateSerialNumber
from pygost.asn1schemas.x509 import Extension
from pygost.asn1schemas.x509 import Extensions
from pygost.asn1schemas.x509 import GostR34102012PublicKeyParameters
from pygost.asn1schemas.x509 import Name
from pygost.asn1schemas.x509 import RDNSequence
from pygost.asn1schemas.x509 import RelativeDistinguishedName
from pygost.asn1schemas.x509 import SubjectKeyIdentifier
from pygost.asn1schemas.x509 import SubjectPublicKeyInfo
from pygost.asn1schemas.x509 import TBSCertificate
from pygost.asn1schemas.x509 import Time
from pygost.asn1schemas.x509 import Validity
from pygost.asn1schemas.x509 import Version
from pygost.gost3410 import CURVES
from pygost.gost3410 import prv_unmarshal
from pygost.gost3410 import pub_marshal
from pygost.gost3410 import public_key
from pygost.gost3410 import sign
from pygost.gost34112012256 import GOST34112012256
from pygost.gost34112012512 import GOST34112012512

parser = ArgumentParser(description="Self-signed X.509 certificate creator")
parser.add_argument(
    "--ca",
    action="store_true",
    help="Enable BasicConstraints.cA",
)
parser.add_argument(
    "--cn",
    required=True,
    help="Subject's CommonName",
)
parser.add_argument(
    "--ai",
    required=True,
    help="Signing algorithm: {256[ABCD],512[ABC]}",
)
args = parser.parse_args()
ai = {
    "256A": {
        "publicKeyParamSet": id_tc26_gost3410_2012_256_paramSetA,
        "key_algorithm": id_tc26_gost3410_2012_256,
        "prv_len": 32,
        "curve": CURVES["id-tc26-gost-3410-2012-256-paramSetA"],
        "sign_algorithm": id_tc26_signwithdigest_gost3410_2012_256,
        "hasher": GOST34112012256,
    },
    "256B": {
        "publicKeyParamSet": id_tc26_gost3410_2012_256_paramSetB,
        "key_algorithm": id_tc26_gost3410_2012_256,
        "prv_len": 32,
        "curve": CURVES["id-tc26-gost-3410-2012-256-paramSetB"],
        "sign_algorithm": id_tc26_signwithdigest_gost3410_2012_256,
        "hasher": GOST34112012256,
    },
    "256C": {
        "publicKeyParamSet": id_tc26_gost3410_2012_256_paramSetC,
        "key_algorithm": id_tc26_gost3410_2012_256,
        "prv_len": 32,
        "curve": CURVES["id-tc26-gost-3410-2012-256-paramSetC"],
        "sign_algorithm": id_tc26_signwithdigest_gost3410_2012_256,
        "hasher": GOST34112012256,
    },
    "256D": {
        "publicKeyParamSet": id_tc26_gost3410_2012_256_paramSetD,
        "key_algorithm": id_tc26_gost3410_2012_256,
        "prv_len": 32,
        "curve": CURVES["id-tc26-gost-3410-2012-256-paramSetD"],
        "sign_algorithm": id_tc26_signwithdigest_gost3410_2012_256,
        "hasher": GOST34112012256,
    },
    "512A": {
        "publicKeyParamSet": id_tc26_gost3410_2012_512_paramSetA,
        "key_algorithm": id_tc26_gost3410_2012_512,
        "prv_len": 64,
        "curve": CURVES["id-tc26-gost-3410-12-512-paramSetA"],
        "sign_algorithm": id_tc26_signwithdigest_gost3410_2012_512,
        "hasher": GOST34112012512,
    },
    "512B": {
        "publicKeyParamSet": id_tc26_gost3410_2012_512_paramSetB,
        "key_algorithm": id_tc26_gost3410_2012_512,
        "prv_len": 64,
        "curve": CURVES["id-tc26-gost-3410-12-512-paramSetB"],
        "sign_algorithm": id_tc26_signwithdigest_gost3410_2012_512,
        "hasher": GOST34112012512,
    },
    "512C": {
        "publicKeyParamSet": id_tc26_gost3410_2012_512_paramSetC,
        "key_algorithm": id_tc26_gost3410_2012_512,
        "prv_len": 64,
        "curve": CURVES["id-tc26-gost-3410-2012-512-paramSetC"],
        "sign_algorithm": id_tc26_signwithdigest_gost3410_2012_512,
        "hasher": GOST34112012512,
    },
}[args.ai]


def pem(obj):
    return fill(standard_b64encode(obj.encode()).decode("ascii"), 64)


key_params = GostR34102012PublicKeyParameters((
    ("publicKeyParamSet", ai["publicKeyParamSet"]),
))

prv_raw = urandom(ai["prv_len"])
print("-----BEGIN PRIVATE KEY-----")
print(pem(PrivateKeyInfo((
    ("version", Integer(0)),
    ("privateKeyAlgorithm", PrivateKeyAlgorithmIdentifier((
        ("algorithm", ai["key_algorithm"]),
        ("parameters", Any(key_params)),
    ))),
    ("privateKey", PrivateKey(prv_raw)),
))))
print("-----END PRIVATE KEY-----")

prv = prv_unmarshal(prv_raw)
curve = ai["curve"]
pub_raw = pub_marshal(public_key(curve, prv))
subj = Name(("rdnSequence", RDNSequence([
    RelativeDistinguishedName((
        AttributeTypeAndValue((
            ("type", AttributeType(id_at_commonName)),
            ("value", AttributeValue(PrintableString(args.cn))),
        )),
    ))
])))
not_before = datetime.utcnow()
not_after = not_before + timedelta(days=365)
ai_sign = AlgorithmIdentifier((
    ("algorithm", ai["sign_algorithm"],),
))
exts = [
    Extension((
        ("extnID", id_ce_subjectKeyIdentifier),
        ("extnValue", OctetString(
            SubjectKeyIdentifier(GOST34112012256(pub_raw).digest()[:20]).encode()
        )),
    )),
]
if args.ca:
    exts.append(Extension((
        ("extnID", id_ce_basicConstraints),
        ("extnValue", OctetString(BasicConstraints((("cA", Boolean(True)),)).encode())),
    )))
tbs = TBSCertificate((
    ("version", Version("v3")),
    ("serialNumber", CertificateSerialNumber(12345)),
    ("signature", ai_sign),
    ("issuer", subj),
    ("validity", Validity((
        ("notBefore", Time(("utcTime", UTCTime(not_before)))),
        ("notAfter", Time(("utcTime", UTCTime(not_after)))),
    ))),
    ("subject", subj),
    ("subjectPublicKeyInfo", SubjectPublicKeyInfo((
        ("algorithm", AlgorithmIdentifier((
            ("algorithm", ai["key_algorithm"]),
            ("parameters", Any(key_params)),
        ))),
        ("subjectPublicKey", BitString(OctetString(pub_raw).encode())),
    ))),
    ("extensions", Extensions(exts)),
))
cert = Certificate((
    ("tbsCertificate", tbs),
    ("signatureAlgorithm", ai_sign),
    ("signatureValue", BitString(sign(
        curve,
        prv,
        ai["hasher"](tbs.encode()).digest()[::-1],
    ))),
))
print("-----BEGIN CERTIFICATE-----")
print(pem(cert))
print("-----END CERTIFICATE-----")