537 lines
16 KiB
Python
537 lines
16 KiB
Python
|
# coding: utf-8
|
||
|
|
||
|
"""
|
||
|
ASN.1 type classes for certificate revocation lists (CRL). Exports the
|
||
|
following items:
|
||
|
|
||
|
- CertificateList()
|
||
|
|
||
|
Other type classes are defined that help compose the types listed above.
|
||
|
"""
|
||
|
|
||
|
from __future__ import unicode_literals, division, absolute_import, print_function
|
||
|
|
||
|
import hashlib
|
||
|
|
||
|
from .algos import SignedDigestAlgorithm
|
||
|
from .core import (
|
||
|
Boolean,
|
||
|
Enumerated,
|
||
|
GeneralizedTime,
|
||
|
Integer,
|
||
|
ObjectIdentifier,
|
||
|
OctetBitString,
|
||
|
ParsableOctetString,
|
||
|
Sequence,
|
||
|
SequenceOf,
|
||
|
)
|
||
|
from .x509 import (
|
||
|
AuthorityInfoAccessSyntax,
|
||
|
AuthorityKeyIdentifier,
|
||
|
CRLDistributionPoints,
|
||
|
DistributionPointName,
|
||
|
GeneralNames,
|
||
|
Name,
|
||
|
ReasonFlags,
|
||
|
Time,
|
||
|
)
|
||
|
|
||
|
|
||
|
# The structures in this file are taken from https://tools.ietf.org/html/rfc5280
|
||
|
|
||
|
|
||
|
class Version(Integer):
|
||
|
_map = {
|
||
|
0: 'v1',
|
||
|
1: 'v2',
|
||
|
2: 'v3',
|
||
|
}
|
||
|
|
||
|
|
||
|
class IssuingDistributionPoint(Sequence):
|
||
|
_fields = [
|
||
|
('distribution_point', DistributionPointName, {'explicit': 0, 'optional': True}),
|
||
|
('only_contains_user_certs', Boolean, {'implicit': 1, 'default': False}),
|
||
|
('only_contains_ca_certs', Boolean, {'implicit': 2, 'default': False}),
|
||
|
('only_some_reasons', ReasonFlags, {'implicit': 3, 'optional': True}),
|
||
|
('indirect_crl', Boolean, {'implicit': 4, 'default': False}),
|
||
|
('only_contains_attribute_certs', Boolean, {'implicit': 5, 'default': False}),
|
||
|
]
|
||
|
|
||
|
|
||
|
class TBSCertListExtensionId(ObjectIdentifier):
|
||
|
_map = {
|
||
|
'2.5.29.18': 'issuer_alt_name',
|
||
|
'2.5.29.20': 'crl_number',
|
||
|
'2.5.29.27': 'delta_crl_indicator',
|
||
|
'2.5.29.28': 'issuing_distribution_point',
|
||
|
'2.5.29.35': 'authority_key_identifier',
|
||
|
'2.5.29.46': 'freshest_crl',
|
||
|
'1.3.6.1.5.5.7.1.1': 'authority_information_access',
|
||
|
}
|
||
|
|
||
|
|
||
|
class TBSCertListExtension(Sequence):
|
||
|
_fields = [
|
||
|
('extn_id', TBSCertListExtensionId),
|
||
|
('critical', Boolean, {'default': False}),
|
||
|
('extn_value', ParsableOctetString),
|
||
|
]
|
||
|
|
||
|
_oid_pair = ('extn_id', 'extn_value')
|
||
|
_oid_specs = {
|
||
|
'issuer_alt_name': GeneralNames,
|
||
|
'crl_number': Integer,
|
||
|
'delta_crl_indicator': Integer,
|
||
|
'issuing_distribution_point': IssuingDistributionPoint,
|
||
|
'authority_key_identifier': AuthorityKeyIdentifier,
|
||
|
'freshest_crl': CRLDistributionPoints,
|
||
|
'authority_information_access': AuthorityInfoAccessSyntax,
|
||
|
}
|
||
|
|
||
|
|
||
|
class TBSCertListExtensions(SequenceOf):
|
||
|
_child_spec = TBSCertListExtension
|
||
|
|
||
|
|
||
|
class CRLReason(Enumerated):
|
||
|
_map = {
|
||
|
0: 'unspecified',
|
||
|
1: 'key_compromise',
|
||
|
2: 'ca_compromise',
|
||
|
3: 'affiliation_changed',
|
||
|
4: 'superseded',
|
||
|
5: 'cessation_of_operation',
|
||
|
6: 'certificate_hold',
|
||
|
8: 'remove_from_crl',
|
||
|
9: 'privilege_withdrawn',
|
||
|
10: 'aa_compromise',
|
||
|
}
|
||
|
|
||
|
@property
|
||
|
def human_friendly(self):
|
||
|
"""
|
||
|
:return:
|
||
|
A unicode string with revocation description that is suitable to
|
||
|
show to end-users. Starts with a lower case letter and phrased in
|
||
|
such a way that it makes sense after the phrase "because of" or
|
||
|
"due to".
|
||
|
"""
|
||
|
|
||
|
return {
|
||
|
'unspecified': 'an unspecified reason',
|
||
|
'key_compromise': 'a compromised key',
|
||
|
'ca_compromise': 'the CA being compromised',
|
||
|
'affiliation_changed': 'an affiliation change',
|
||
|
'superseded': 'certificate supersession',
|
||
|
'cessation_of_operation': 'a cessation of operation',
|
||
|
'certificate_hold': 'a certificate hold',
|
||
|
'remove_from_crl': 'removal from the CRL',
|
||
|
'privilege_withdrawn': 'privilege withdrawl',
|
||
|
'aa_compromise': 'the AA being compromised',
|
||
|
}[self.native]
|
||
|
|
||
|
|
||
|
class CRLEntryExtensionId(ObjectIdentifier):
|
||
|
_map = {
|
||
|
'2.5.29.21': 'crl_reason',
|
||
|
'2.5.29.23': 'hold_instruction_code',
|
||
|
'2.5.29.24': 'invalidity_date',
|
||
|
'2.5.29.29': 'certificate_issuer',
|
||
|
}
|
||
|
|
||
|
|
||
|
class CRLEntryExtension(Sequence):
|
||
|
_fields = [
|
||
|
('extn_id', CRLEntryExtensionId),
|
||
|
('critical', Boolean, {'default': False}),
|
||
|
('extn_value', ParsableOctetString),
|
||
|
]
|
||
|
|
||
|
_oid_pair = ('extn_id', 'extn_value')
|
||
|
_oid_specs = {
|
||
|
'crl_reason': CRLReason,
|
||
|
'hold_instruction_code': ObjectIdentifier,
|
||
|
'invalidity_date': GeneralizedTime,
|
||
|
'certificate_issuer': GeneralNames,
|
||
|
}
|
||
|
|
||
|
|
||
|
class CRLEntryExtensions(SequenceOf):
|
||
|
_child_spec = CRLEntryExtension
|
||
|
|
||
|
|
||
|
class RevokedCertificate(Sequence):
|
||
|
_fields = [
|
||
|
('user_certificate', Integer),
|
||
|
('revocation_date', Time),
|
||
|
('crl_entry_extensions', CRLEntryExtensions, {'optional': True}),
|
||
|
]
|
||
|
|
||
|
_processed_extensions = False
|
||
|
_critical_extensions = None
|
||
|
_crl_reason_value = None
|
||
|
_invalidity_date_value = None
|
||
|
_certificate_issuer_value = None
|
||
|
_issuer_name = False
|
||
|
|
||
|
def _set_extensions(self):
|
||
|
"""
|
||
|
Sets common named extensions to private attributes and creates a list
|
||
|
of critical extensions
|
||
|
"""
|
||
|
|
||
|
self._critical_extensions = set()
|
||
|
|
||
|
for extension in self['crl_entry_extensions']:
|
||
|
name = extension['extn_id'].native
|
||
|
attribute_name = '_%s_value' % name
|
||
|
if hasattr(self, attribute_name):
|
||
|
setattr(self, attribute_name, extension['extn_value'].parsed)
|
||
|
if extension['critical'].native:
|
||
|
self._critical_extensions.add(name)
|
||
|
|
||
|
self._processed_extensions = True
|
||
|
|
||
|
@property
|
||
|
def critical_extensions(self):
|
||
|
"""
|
||
|
Returns a set of the names (or OID if not a known extension) of the
|
||
|
extensions marked as critical
|
||
|
|
||
|
:return:
|
||
|
A set of unicode strings
|
||
|
"""
|
||
|
|
||
|
if not self._processed_extensions:
|
||
|
self._set_extensions()
|
||
|
return self._critical_extensions
|
||
|
|
||
|
@property
|
||
|
def crl_reason_value(self):
|
||
|
"""
|
||
|
This extension indicates the reason that a certificate was revoked.
|
||
|
|
||
|
:return:
|
||
|
None or a CRLReason object
|
||
|
"""
|
||
|
|
||
|
if self._processed_extensions is False:
|
||
|
self._set_extensions()
|
||
|
return self._crl_reason_value
|
||
|
|
||
|
@property
|
||
|
def invalidity_date_value(self):
|
||
|
"""
|
||
|
This extension indicates the suspected date/time the private key was
|
||
|
compromised or the certificate became invalid. This would usually be
|
||
|
before the revocation date, which is when the CA processed the
|
||
|
revocation.
|
||
|
|
||
|
:return:
|
||
|
None or a GeneralizedTime object
|
||
|
"""
|
||
|
|
||
|
if self._processed_extensions is False:
|
||
|
self._set_extensions()
|
||
|
return self._invalidity_date_value
|
||
|
|
||
|
@property
|
||
|
def certificate_issuer_value(self):
|
||
|
"""
|
||
|
This extension indicates the issuer of the certificate in question,
|
||
|
and is used in indirect CRLs. CRL entries without this extension are
|
||
|
for certificates issued from the last seen issuer.
|
||
|
|
||
|
:return:
|
||
|
None or an x509.GeneralNames object
|
||
|
"""
|
||
|
|
||
|
if self._processed_extensions is False:
|
||
|
self._set_extensions()
|
||
|
return self._certificate_issuer_value
|
||
|
|
||
|
@property
|
||
|
def issuer_name(self):
|
||
|
"""
|
||
|
:return:
|
||
|
None, or an asn1crypto.x509.Name object for the issuer of the cert
|
||
|
"""
|
||
|
|
||
|
if self._issuer_name is False:
|
||
|
self._issuer_name = None
|
||
|
if self.certificate_issuer_value:
|
||
|
for general_name in self.certificate_issuer_value:
|
||
|
if general_name.name == 'directory_name':
|
||
|
self._issuer_name = general_name.chosen
|
||
|
break
|
||
|
return self._issuer_name
|
||
|
|
||
|
|
||
|
class RevokedCertificates(SequenceOf):
|
||
|
_child_spec = RevokedCertificate
|
||
|
|
||
|
|
||
|
class TbsCertList(Sequence):
|
||
|
_fields = [
|
||
|
('version', Version, {'optional': True}),
|
||
|
('signature', SignedDigestAlgorithm),
|
||
|
('issuer', Name),
|
||
|
('this_update', Time),
|
||
|
('next_update', Time, {'optional': True}),
|
||
|
('revoked_certificates', RevokedCertificates, {'optional': True}),
|
||
|
('crl_extensions', TBSCertListExtensions, {'explicit': 0, 'optional': True}),
|
||
|
]
|
||
|
|
||
|
|
||
|
class CertificateList(Sequence):
|
||
|
_fields = [
|
||
|
('tbs_cert_list', TbsCertList),
|
||
|
('signature_algorithm', SignedDigestAlgorithm),
|
||
|
('signature', OctetBitString),
|
||
|
]
|
||
|
|
||
|
_processed_extensions = False
|
||
|
_critical_extensions = None
|
||
|
_issuer_alt_name_value = None
|
||
|
_crl_number_value = None
|
||
|
_delta_crl_indicator_value = None
|
||
|
_issuing_distribution_point_value = None
|
||
|
_authority_key_identifier_value = None
|
||
|
_freshest_crl_value = None
|
||
|
_authority_information_access_value = None
|
||
|
_issuer_cert_urls = None
|
||
|
_delta_crl_distribution_points = None
|
||
|
_sha1 = None
|
||
|
_sha256 = None
|
||
|
|
||
|
def _set_extensions(self):
|
||
|
"""
|
||
|
Sets common named extensions to private attributes and creates a list
|
||
|
of critical extensions
|
||
|
"""
|
||
|
|
||
|
self._critical_extensions = set()
|
||
|
|
||
|
for extension in self['tbs_cert_list']['crl_extensions']:
|
||
|
name = extension['extn_id'].native
|
||
|
attribute_name = '_%s_value' % name
|
||
|
if hasattr(self, attribute_name):
|
||
|
setattr(self, attribute_name, extension['extn_value'].parsed)
|
||
|
if extension['critical'].native:
|
||
|
self._critical_extensions.add(name)
|
||
|
|
||
|
self._processed_extensions = True
|
||
|
|
||
|
@property
|
||
|
def critical_extensions(self):
|
||
|
"""
|
||
|
Returns a set of the names (or OID if not a known extension) of the
|
||
|
extensions marked as critical
|
||
|
|
||
|
:return:
|
||
|
A set of unicode strings
|
||
|
"""
|
||
|
|
||
|
if not self._processed_extensions:
|
||
|
self._set_extensions()
|
||
|
return self._critical_extensions
|
||
|
|
||
|
@property
|
||
|
def issuer_alt_name_value(self):
|
||
|
"""
|
||
|
This extension allows associating one or more alternative names with
|
||
|
the issuer of the CRL.
|
||
|
|
||
|
:return:
|
||
|
None or an x509.GeneralNames object
|
||
|
"""
|
||
|
|
||
|
if self._processed_extensions is False:
|
||
|
self._set_extensions()
|
||
|
return self._issuer_alt_name_value
|
||
|
|
||
|
@property
|
||
|
def crl_number_value(self):
|
||
|
"""
|
||
|
This extension adds a monotonically increasing number to the CRL and is
|
||
|
used to distinguish different versions of the CRL.
|
||
|
|
||
|
:return:
|
||
|
None or an Integer object
|
||
|
"""
|
||
|
|
||
|
if self._processed_extensions is False:
|
||
|
self._set_extensions()
|
||
|
return self._crl_number_value
|
||
|
|
||
|
@property
|
||
|
def delta_crl_indicator_value(self):
|
||
|
"""
|
||
|
This extension indicates a CRL is a delta CRL, and contains the CRL
|
||
|
number of the base CRL that it is a delta from.
|
||
|
|
||
|
:return:
|
||
|
None or an Integer object
|
||
|
"""
|
||
|
|
||
|
if self._processed_extensions is False:
|
||
|
self._set_extensions()
|
||
|
return self._delta_crl_indicator_value
|
||
|
|
||
|
@property
|
||
|
def issuing_distribution_point_value(self):
|
||
|
"""
|
||
|
This extension includes information about what types of revocations
|
||
|
and certificates are part of the CRL.
|
||
|
|
||
|
:return:
|
||
|
None or an IssuingDistributionPoint object
|
||
|
"""
|
||
|
|
||
|
if self._processed_extensions is False:
|
||
|
self._set_extensions()
|
||
|
return self._issuing_distribution_point_value
|
||
|
|
||
|
@property
|
||
|
def authority_key_identifier_value(self):
|
||
|
"""
|
||
|
This extension helps in identifying the public key with which to
|
||
|
validate the authenticity of the CRL.
|
||
|
|
||
|
:return:
|
||
|
None or an AuthorityKeyIdentifier object
|
||
|
"""
|
||
|
|
||
|
if self._processed_extensions is False:
|
||
|
self._set_extensions()
|
||
|
return self._authority_key_identifier_value
|
||
|
|
||
|
@property
|
||
|
def freshest_crl_value(self):
|
||
|
"""
|
||
|
This extension is used in complete CRLs to indicate where a delta CRL
|
||
|
may be located.
|
||
|
|
||
|
:return:
|
||
|
None or a CRLDistributionPoints object
|
||
|
"""
|
||
|
|
||
|
if self._processed_extensions is False:
|
||
|
self._set_extensions()
|
||
|
return self._freshest_crl_value
|
||
|
|
||
|
@property
|
||
|
def authority_information_access_value(self):
|
||
|
"""
|
||
|
This extension is used to provide a URL with which to download the
|
||
|
certificate used to sign this CRL.
|
||
|
|
||
|
:return:
|
||
|
None or an AuthorityInfoAccessSyntax object
|
||
|
"""
|
||
|
|
||
|
if self._processed_extensions is False:
|
||
|
self._set_extensions()
|
||
|
return self._authority_information_access_value
|
||
|
|
||
|
@property
|
||
|
def issuer(self):
|
||
|
"""
|
||
|
:return:
|
||
|
An asn1crypto.x509.Name object for the issuer of the CRL
|
||
|
"""
|
||
|
|
||
|
return self['tbs_cert_list']['issuer']
|
||
|
|
||
|
@property
|
||
|
def authority_key_identifier(self):
|
||
|
"""
|
||
|
:return:
|
||
|
None or a byte string of the key_identifier from the authority key
|
||
|
identifier extension
|
||
|
"""
|
||
|
|
||
|
if not self.authority_key_identifier_value:
|
||
|
return None
|
||
|
|
||
|
return self.authority_key_identifier_value['key_identifier'].native
|
||
|
|
||
|
@property
|
||
|
def issuer_cert_urls(self):
|
||
|
"""
|
||
|
:return:
|
||
|
A list of unicode strings that are URLs that should contain either
|
||
|
an individual DER-encoded X.509 certificate, or a DER-encoded CMS
|
||
|
message containing multiple certificates
|
||
|
"""
|
||
|
|
||
|
if self._issuer_cert_urls is None:
|
||
|
self._issuer_cert_urls = []
|
||
|
if self.authority_information_access_value:
|
||
|
for entry in self.authority_information_access_value:
|
||
|
if entry['access_method'].native == 'ca_issuers':
|
||
|
location = entry['access_location']
|
||
|
if location.name != 'uniform_resource_identifier':
|
||
|
continue
|
||
|
url = location.native
|
||
|
if url.lower()[0:7] == 'http://':
|
||
|
self._issuer_cert_urls.append(url)
|
||
|
return self._issuer_cert_urls
|
||
|
|
||
|
@property
|
||
|
def delta_crl_distribution_points(self):
|
||
|
"""
|
||
|
Returns delta CRL URLs - only applies to complete CRLs
|
||
|
|
||
|
:return:
|
||
|
A list of zero or more DistributionPoint objects
|
||
|
"""
|
||
|
|
||
|
if self._delta_crl_distribution_points is None:
|
||
|
self._delta_crl_distribution_points = []
|
||
|
|
||
|
if self.freshest_crl_value is not None:
|
||
|
for distribution_point in self.freshest_crl_value:
|
||
|
distribution_point_name = distribution_point['distribution_point']
|
||
|
# RFC 5280 indicates conforming CA should not use the relative form
|
||
|
if distribution_point_name.name == 'name_relative_to_crl_issuer':
|
||
|
continue
|
||
|
# This library is currently only concerned with HTTP-based CRLs
|
||
|
for general_name in distribution_point_name.chosen:
|
||
|
if general_name.name == 'uniform_resource_identifier':
|
||
|
self._delta_crl_distribution_points.append(distribution_point)
|
||
|
|
||
|
return self._delta_crl_distribution_points
|
||
|
|
||
|
@property
|
||
|
def signature(self):
|
||
|
"""
|
||
|
:return:
|
||
|
A byte string of the signature
|
||
|
"""
|
||
|
|
||
|
return self['signature'].native
|
||
|
|
||
|
@property
|
||
|
def sha1(self):
|
||
|
"""
|
||
|
:return:
|
||
|
The SHA1 hash of the DER-encoded bytes of this certificate list
|
||
|
"""
|
||
|
|
||
|
if self._sha1 is None:
|
||
|
self._sha1 = hashlib.sha1(self.dump()).digest()
|
||
|
return self._sha1
|
||
|
|
||
|
@property
|
||
|
def sha256(self):
|
||
|
"""
|
||
|
:return:
|
||
|
The SHA-256 hash of the DER-encoded bytes of this certificate list
|
||
|
"""
|
||
|
|
||
|
if self._sha256 is None:
|
||
|
self._sha256 = hashlib.sha256(self.dump()).digest()
|
||
|
return self._sha256
|