"""Create example self-signed X.509 certificate """ from argparse import ArgumentParser from base64 import standard_b64encode from datetime import datetime from datetime import timedelta from os import urandom from textwrap import fill from pyderasn import Any from pyderasn import BitString from pyderasn import Boolean from pyderasn import Integer from pyderasn import OctetString from pyderasn import PrintableString from pyderasn import UTCTime from pygost.asn1schemas.oids import id_at_commonName from pygost.asn1schemas.oids import id_ce_basicConstraints from pygost.asn1schemas.oids import id_ce_subjectKeyIdentifier from pygost.asn1schemas.oids import id_tc26_gost3410_2012_256 from pygost.asn1schemas.oids import id_tc26_gost3410_2012_256_paramSetA from pygost.asn1schemas.oids import id_tc26_gost3410_2012_256_paramSetB from pygost.asn1schemas.oids import id_tc26_gost3410_2012_256_paramSetC from pygost.asn1schemas.oids import id_tc26_gost3410_2012_256_paramSetD from pygost.asn1schemas.oids import id_tc26_gost3410_2012_512 from pygost.asn1schemas.oids import id_tc26_gost3410_2012_512_paramSetA from pygost.asn1schemas.oids import id_tc26_gost3410_2012_512_paramSetB from pygost.asn1schemas.oids import id_tc26_gost3410_2012_512_paramSetC from pygost.asn1schemas.oids import id_tc26_signwithdigest_gost3410_2012_256 from pygost.asn1schemas.oids import id_tc26_signwithdigest_gost3410_2012_512 from pygost.asn1schemas.prvkey import PrivateKey from pygost.asn1schemas.prvkey import PrivateKeyAlgorithmIdentifier from pygost.asn1schemas.prvkey import PrivateKeyInfo from pygost.asn1schemas.x509 import AlgorithmIdentifier from pygost.asn1schemas.x509 import AttributeType from pygost.asn1schemas.x509 import AttributeTypeAndValue from pygost.asn1schemas.x509 import AttributeValue from pygost.asn1schemas.x509 import BasicConstraints from pygost.asn1schemas.x509 import Certificate from pygost.asn1schemas.x509 import CertificateSerialNumber from pygost.asn1schemas.x509 import Extension from pygost.asn1schemas.x509 import Extensions from pygost.asn1schemas.x509 import GostR34102012PublicKeyParameters from pygost.asn1schemas.x509 import Name from pygost.asn1schemas.x509 import RDNSequence from pygost.asn1schemas.x509 import RelativeDistinguishedName from pygost.asn1schemas.x509 import SubjectKeyIdentifier from pygost.asn1schemas.x509 import SubjectPublicKeyInfo from pygost.asn1schemas.x509 import TBSCertificate from pygost.asn1schemas.x509 import Time from pygost.asn1schemas.x509 import Validity from pygost.asn1schemas.x509 import Version from pygost.gost3410 import CURVES from pygost.gost3410 import prv_unmarshal from pygost.gost3410 import pub_marshal from pygost.gost3410 import public_key from pygost.gost3410 import sign from pygost.gost34112012256 import GOST34112012256 from pygost.gost34112012512 import GOST34112012512 parser = ArgumentParser(description="Self-signed X.509 certificate creator") parser.add_argument( "--ca", action="store_true", help="Enable BasicConstraints.cA", ) parser.add_argument( "--cn", required=True, help="Subject's CommonName", ) parser.add_argument( "--ai", required=True, help="Signing algorithm: {256[ABCD],512[ABC]}", ) args = parser.parse_args() ai = { "256A": { "publicKeyParamSet": id_tc26_gost3410_2012_256_paramSetA, "key_algorithm": id_tc26_gost3410_2012_256, "prv_len": 32, "curve": CURVES["id-tc26-gost-3410-2012-256-paramSetA"], "sign_algorithm": id_tc26_signwithdigest_gost3410_2012_256, "hasher": GOST34112012256, }, "256B": { "publicKeyParamSet": id_tc26_gost3410_2012_256_paramSetB, "key_algorithm": id_tc26_gost3410_2012_256, "prv_len": 32, "curve": CURVES["id-tc26-gost-3410-2012-256-paramSetB"], "sign_algorithm": id_tc26_signwithdigest_gost3410_2012_256, "hasher": GOST34112012256, }, "256C": { "publicKeyParamSet": id_tc26_gost3410_2012_256_paramSetC, "key_algorithm": id_tc26_gost3410_2012_256, "prv_len": 32, "curve": CURVES["id-tc26-gost-3410-2012-256-paramSetC"], "sign_algorithm": id_tc26_signwithdigest_gost3410_2012_256, "hasher": GOST34112012256, }, "256D": { "publicKeyParamSet": id_tc26_gost3410_2012_256_paramSetD, "key_algorithm": id_tc26_gost3410_2012_256, "prv_len": 32, "curve": CURVES["id-tc26-gost-3410-2012-256-paramSetD"], "sign_algorithm": id_tc26_signwithdigest_gost3410_2012_256, "hasher": GOST34112012256, }, "512A": { "publicKeyParamSet": id_tc26_gost3410_2012_512_paramSetA, "key_algorithm": id_tc26_gost3410_2012_512, "prv_len": 64, "curve": CURVES["id-tc26-gost-3410-12-512-paramSetA"], "sign_algorithm": id_tc26_signwithdigest_gost3410_2012_512, "hasher": GOST34112012512, }, "512B": { "publicKeyParamSet": id_tc26_gost3410_2012_512_paramSetB, "key_algorithm": id_tc26_gost3410_2012_512, "prv_len": 64, "curve": CURVES["id-tc26-gost-3410-12-512-paramSetB"], "sign_algorithm": id_tc26_signwithdigest_gost3410_2012_512, "hasher": GOST34112012512, }, "512C": { "publicKeyParamSet": id_tc26_gost3410_2012_512_paramSetC, "key_algorithm": id_tc26_gost3410_2012_512, "prv_len": 64, "curve": CURVES["id-tc26-gost-3410-2012-512-paramSetC"], "sign_algorithm": id_tc26_signwithdigest_gost3410_2012_512, "hasher": GOST34112012512, }, }[args.ai] def pem(obj): return fill(standard_b64encode(obj.encode()).decode("ascii"), 64) key_params = GostR34102012PublicKeyParameters(( ("publicKeyParamSet", ai["publicKeyParamSet"]), )) prv_raw = urandom(ai["prv_len"]) print("-----BEGIN PRIVATE KEY-----") print(pem(PrivateKeyInfo(( ("version", Integer(0)), ("privateKeyAlgorithm", PrivateKeyAlgorithmIdentifier(( ("algorithm", ai["key_algorithm"]), ("parameters", Any(key_params)), ))), ("privateKey", PrivateKey(prv_raw)), )))) print("-----END PRIVATE KEY-----") prv = prv_unmarshal(prv_raw) curve = ai["curve"] pub_raw = pub_marshal(public_key(curve, prv)) subj = Name(("rdnSequence", RDNSequence([ RelativeDistinguishedName(( AttributeTypeAndValue(( ("type", AttributeType(id_at_commonName)), ("value", AttributeValue(PrintableString(args.cn))), )), )) ]))) not_before = datetime.utcnow() not_after = not_before + timedelta(days=365) ai_sign = AlgorithmIdentifier(( ("algorithm", ai["sign_algorithm"],), )) exts = [ Extension(( ("extnID", id_ce_subjectKeyIdentifier), ("extnValue", OctetString( SubjectKeyIdentifier(GOST34112012256(pub_raw).digest()[:20]).encode() )), )), ] if args.ca: exts.append(Extension(( ("extnID", id_ce_basicConstraints), ("extnValue", OctetString(BasicConstraints((("cA", Boolean(True)),)).encode())), ))) tbs = TBSCertificate(( ("version", Version("v3")), ("serialNumber", CertificateSerialNumber(12345)), ("signature", ai_sign), ("issuer", subj), ("validity", Validity(( ("notBefore", Time(("utcTime", UTCTime(not_before)))), ("notAfter", Time(("utcTime", UTCTime(not_after)))), ))), ("subject", subj), ("subjectPublicKeyInfo", SubjectPublicKeyInfo(( ("algorithm", AlgorithmIdentifier(( ("algorithm", ai["key_algorithm"]), ("parameters", Any(key_params)), ))), ("subjectPublicKey", BitString(OctetString(pub_raw).encode())), ))), ("extensions", Extensions(exts)), )) cert = Certificate(( ("tbsCertificate", tbs), ("signatureAlgorithm", ai_sign), ("signatureValue", BitString(sign( curve, prv, ai["hasher"](tbs.encode()).digest()[::-1], ))), )) print("-----BEGIN CERTIFICATE-----") print(pem(cert)) print("-----END CERTIFICATE-----")