From 0a222bc1e121d463351d0c259a403c3e8d331e60 Mon Sep 17 00:00:00 2001
From: Sergey Matveev
Date: Wed, 15 Sep 2021 18:17:37 +0300
Subject: [PATCH] cert-selfsigned-example.py creates more correct CA
---
 pygost/asn1schemas/cert-selfsigned-example.py | 8 +++++++-
 pygost/asn1schemas/oids.py | 1 +
 pygost/asn1schemas/x509.py | 14 ++++++++++++++
 3 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/pygost/asn1schemas/cert-selfsigned-example.py b/pygost/asn1schemas/cert-selfsigned-example.py
index 1f505aa..df832ba 100755
--- a/pygost/asn1schemas/cert-selfsigned-example.py
+++ b/pygost/asn1schemas/cert-selfsigned-example.py
@@ -22,6 +22,7 @@ from pyderasn import UTCTime
 from pygost.asn1schemas.oids import id_at_commonName
 from pygost.asn1schemas.oids import id_ce_authorityKeyIdentifier
 from pygost.asn1schemas.oids import id_ce_basicConstraints
+from pygost.asn1schemas.oids import id_ce_keyUsage
 from pygost.asn1schemas.oids import id_ce_subjectAltName
 from pygost.asn1schemas.oids import id_ce_subjectKeyIdentifier
 from pygost.asn1schemas.oids import id_tc26_gost3410_2012_256
@@ -51,6 +52,7 @@ from pygost.asn1schemas.x509 import Extensions
 from pygost.asn1schemas.x509 import GeneralName
 from pygost.asn1schemas.x509 import GostR34102012PublicKeyParameters
 from pygost.asn1schemas.x509 import KeyIdentifier
+from pygost.asn1schemas.x509 import KeyUsage
 from pygost.asn1schemas.x509 import Name
 from pygost.asn1schemas.x509 import RDNSequence
 from pygost.asn1schemas.x509 import RelativeDistinguishedName
@@ -211,7 +213,7 @@ subj = Name(("rdnSequence", RDNSequence([
 ))
 ])))
 not_before = datetime.utcnow()
-not_after = not_before + timedelta(days=365)
+not_after = not_before + timedelta(days=365 * (10 if args.ca else 1))
 ai_sign = AlgorithmIdentifier((
 ("algorithm", (ai if ca_ai is None else ca_ai)["sign_algorithm"]),
 ))
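Review bot: The new `not_after` line hard-codes a ten-year CA lifetime inside the expression `365 * (10 if args.ca else 1)`, which buries a policy decision in arithmetic and makes the CA term drift by leap days; naming the terms keeps the choice reviewable, e.g. `CA_VALIDITY_DAYS = 365 * 10`, `EE_VALIDITY_DAYS = 365` and `not_after = not_before + timedelta(days=CA_VALIDITY_DAYS if args.ca else EE_VALIDITY_DAYS)`. If the lifetime is meant to be operator-controlled, a command-line option would be the more general fix; the argument parsing that defines `args.ca` is outside this hunk, so I cannot tell whether such an option already exists. The two import hunks above only bring `id_ce_keyUsage` and `KeyUsage` into scope and need no change.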
@@ -237,6 +239,10 @@ if args.ca:
 ("extnID", id_ce_basicConstraints),
 ("extnValue", OctetString(BasicConstraints((("cA", Boolean(True)),)).encode())),
 )))
+ exts.append(Extension((
+ ("extnID", id_ce_keyUsage),
+ ("extnValue", OctetString(KeyUsage(("keyCertSign",)).encode())),
+ )))
 if ca_ai is not None:
 caKeyId = [
 bytes(SubjectKeyIdentifier().decod(bytes(ext["extnValue"])))
diff --git a/pygost/asn1schemas/oids.py b/pygost/asn1schemas/oids.py
index b1a178f..4638900 100644
--- a/pygost/asn1schemas/oids.py
+++ b/pygost/asn1schemas/oids.py
@@ -55,5 +55,6 @@ id_pbkdf2 = ObjectIdentifier("1.2.840.113549.1.5.12")
 id_at_commonName = ObjectIdentifier("2.5.4.3")
 id_ce_basicConstraints = ObjectIdentifier("2.5.29.19")
 id_ce_subjectKeyIdentifier = ObjectIdentifier("2.5.29.14")
+id_ce_keyUsage = ObjectIdentifier("2.5.29.15")
 id_ce_subjectAltName = ObjectIdentifier("2.5.29.17")
 id_ce_authorityKeyIdentifier = ObjectIdentifier("2.5.29.35")
diff --git a/pygost/asn1schemas/x509.py b/pygost/asn1schemas/x509.py
index cda11da..f434fbb 100644
--- a/pygost/asn1schemas/x509.py
+++ b/pygost/asn1schemas/x509.py
@@ -246,3 +246,17 @@ class AuthorityKeyIdentifier(Sequence):
 # CertificateSerialNumber(impl=tag_ctxp(2), optional=True),
 # ),
 )
+
+ class KeyUsage(BitString):
+ schema = (
+ ("digitalSignature", 0),
+ ("nonRepudiation", 1),
+ ("keyEncipherment", 2),
+ ("dataEncipherment", 3),
+ ("keyAgreement", 4),
+ ("keyCertSign", 5),
+ ("cRLSign", 6),
+ ("encipherOnly", 7),
+ ("decipherOnly", 8),
+ )
-- 
2.44.0
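Review bot: The KeyUsage extension appended under `if args.ca:` asserts only `keyCertSign` and is emitted with the default criticality, whereas RFC 5280 §4.2.1.3 says conforming CAs SHOULD mark keyUsage critical, and a CA that will ever issue CRLs must also assert `cRLSign` or path validation (RFC 5280 §6.3.3) will reject its CRLs. If `Extension` carries the standard `critical` field (its schema lives in x509.py, outside this hunk), the fix is `("critical", Boolean(True)),` between the `extnID` and `extnValue` pairs, and `KeyUsage(("keyCertSign", "cRLSign"))` when CRL signing is intended. The `if args.ca:` block begins before this hunk; note that the pre-existing basicConstraints extension directly above is encoded the same non-critical way, which RFC 5280 §4.2.1.9 does not permit for CA certificates.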
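Review bot: The new `KeyUsage` class in x509.py has no docstring or reference for the bit names it defines, so a reader cannot check the positions without the standard; the names and bit numbers match RFC 5280 §4.2.1.3, and a one-line class docstring such as `"""KeyUsage ::= BIT STRING (RFC 5280, section 4.2.1.3)."""` makes that verifiable. A short comment that `encipherOnly` and `decipherOnly` are only meaningful together with `keyAgreement` would also save the next maintainer a trip to the RFC. The class is added complete within the hunk, so nothing outside it is affected.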