Properly add AKID to issued child certificates
index 94b4b34cf4ba318dc5bf75a0ac427b12d58dab65..1f505aae09e9e327fa9a2ea407690715634b6224 100755 (executable)
@@ -20,6 +20,7 @@ from pyderasn import PrintableString
 from pyderasn import UTCTime
 
 from pygost.asn1schemas.oids import id_at_commonName
+from pygost.asn1schemas.oids import id_ce_authorityKeyIdentifier
 from pygost.asn1schemas.oids import id_ce_basicConstraints
 from pygost.asn1schemas.oids import id_ce_subjectAltName
 from pygost.asn1schemas.oids import id_ce_subjectKeyIdentifier
@@ -41,6 +42,7 @@ from pygost.asn1schemas.x509 import AlgorithmIdentifier
 from pygost.asn1schemas.x509 import AttributeType
 from pygost.asn1schemas.x509 import AttributeTypeAndValue
 from pygost.asn1schemas.x509 import AttributeValue
+from pygost.asn1schemas.x509 import AuthorityKeyIdentifier
 from pygost.asn1schemas.x509 import BasicConstraints
 from pygost.asn1schemas.x509 import Certificate
 from pygost.asn1schemas.x509 import CertificateSerialNumber
@@ -48,6 +50,7 @@ from pygost.asn1schemas.x509 import Extension
 from pygost.asn1schemas.x509 import Extensions
 from pygost.asn1schemas.x509 import GeneralName
 from pygost.asn1schemas.x509 import GostR34102012PublicKeyParameters
+from pygost.asn1schemas.x509 import KeyIdentifier
 from pygost.asn1schemas.x509 import Name
 from pygost.asn1schemas.x509 import RDNSequence
 from pygost.asn1schemas.x509 import RelativeDistinguishedName
@@ -148,6 +151,7 @@ AIs = {
 ai = AIs[args.ai]
 
 ca_prv = None
+ca_cert = None
 ca_subj = None
 ca_ai = None
 if args.issue_with is not None:
@@ -163,7 +167,8 @@ if args.issue_with is not None:
     cert_raw = standard_b64decode(lines[idx + 1])
     pki = PrivateKeyInfo().decod(prv_raw)
     ca_prv = prv_unmarshal(bytes(OctetString().decod(bytes(pki["privateKey"]))))
-    tbs = Certificate().decod(cert_raw)["tbsCertificate"]
+    ca_cert = Certificate().decod(cert_raw)
+    tbs = ca_cert["tbsCertificate"]
     ca_subj = tbs["subject"]
     curve_oid = GostR34102012PublicKeyParameters().decod(bytes(
         tbs["subjectPublicKeyInfo"]["algorithm"]["parameters"]
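Review bot: The CA private key and the CA certificate are decoded independently (`ca_prv` on the line above, `ca_cert` on the new line) and nothing checks that they belong together, so a mismatched pair silently yields child certificates whose issuer name and AKID point at a CA that cannot verify their signature. Consider deriving the public key from `ca_prv` and comparing it against `tbs["subjectPublicKeyInfo"]["subjectPublicKey"]` before issuing, exiting with a clear message on mismatch; the exact helper for that depends on the pygost key API, which is not visible here. The enclosing `if args.issue_with is not None:` block starts before this hunk and continues past it.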
@@ -232,6 +237,19 @@ if args.ca:
         ("extnID", id_ce_basicConstraints),
         ("extnValue", OctetString(BasicConstraints((("cA", Boolean(True)),)).encode())),
     )))
+if ca_ai is not None:
+    caKeyId = [
+        bytes(SubjectKeyIdentifier().decod(bytes(ext["extnValue"])))
+        for ext in ca_cert["tbsCertificate"]["extensions"]
+        if ext["extnID"] == id_ce_subjectKeyIdentifier
+    ][0]
+    exts.append(Extension((
+        ("extnID", id_ce_authorityKeyIdentifier),
+        ("extnValue", OctetString(AuthorityKeyIdentifier((
+            ("keyIdentifier", KeyIdentifier(caKeyId)),
+        )).encode())),
+    )))
+
 tbs = TBSCertificate((
     ("version", Version("v3")),
     ("serialNumber", CertificateSerialNumber(12345)),
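Review bot: The `[...][0]` on the SubjectKeyIdentifier lookup raises a bare IndexError when the issuing certificate has no SKID extension, which is a legitimate (if non-compliant) CA certificate; if the CA certificate carries no extensions at all the iteration presumably fails as well. Collect the matches first and fail with an explicit message: `ca_key_ids = [...]` (same comprehension without the `[0]`), then `if not ca_key_ids: raise SystemExit("CA certificate has no SubjectKeyIdentifier; cannot build AKID")`, and use `ca_key_ids[0]`. Copying the issuer's SKID verbatim is the right source for the AKID keyIdentifier per RFC 5280, so the extension itself looks correct. A short comment such as `# AKID must equal the issuer's SKID so chain builders can match this cert to its CA` would document why the value is copied rather than recomputed.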