quickjs-tart

quickjs-based runtime for wallet-core logic
Log | Files | Refs | README | LICENSE

generate_server9_bad_saltlen.py (3241B)

      1 #!/usr/bin/env python3
      2 """Generate server9-bad-saltlen.crt
      3 
      4 Generate a certificate signed with RSA-PSS, with an incorrect salt length.
      5 """
      6 
      7 # Copyright The Mbed TLS Contributors
      8 # SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
      9 
     10 import subprocess
     11 import argparse
     12 from asn1crypto import pem, x509, core #type: ignore #pylint: disable=import-error
     13 
     14 OPENSSL_RSA_PSS_CERT_COMMAND = r'''
     15 openssl x509 -req -CA {ca_name}.crt -CAkey {ca_name}.key -set_serial 24 {ca_password} \
     16     {openssl_extfile} -days 3650 -outform DER -in {csr}  \
     17     -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:{anounce_saltlen} \
     18     -sigopt rsa_mgf1_md:sha256
     19 '''
     20 SIG_OPT = \
     21     r'-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:{saltlen} -sigopt rsa_mgf1_md:sha256'
     22 OPENSSL_RSA_PSS_DGST_COMMAND = r'''openssl dgst -sign {ca_name}.key {ca_password} \
     23     -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:{actual_saltlen} \
     24     -sigopt rsa_mgf1_md:sha256'''
     25 
     26 
     27 def auto_int(x):
     28     return int(x, 0)
     29 
     30 
     31 def build_argparser(parser):
     32     """Build argument parser"""
     33     parser.description = __doc__
     34     parser.add_argument('--ca-name', type=str, required=True,
     35                         help='Basename of CA files')
     36     parser.add_argument('--ca-password', type=str,
     37                         required=True, help='CA key file password')
     38     parser.add_argument('--csr', type=str, required=True,
     39                         help='CSR file for generating certificate')
     40     parser.add_argument('--openssl-extfile', type=str,
     41                         required=True, help='X905 v3 extension config file')
     42     parser.add_argument('--anounce_saltlen', type=auto_int,
     43                         required=True, help='Announced salt length')
     44     parser.add_argument('--actual_saltlen', type=auto_int,
     45                         required=True, help='Actual salt length')
     46     parser.add_argument('--output', type=str, required=True)
     47 
     48 
     49 def main():
     50     parser = argparse.ArgumentParser()
     51     build_argparser(parser)
     52     args = parser.parse_args()
     53 
     54     return generate(**vars(args))
     55 
     56 def generate(**kwargs):
     57     """Generate different salt length certificate file."""
     58     ca_password = kwargs.get('ca_password', '')
     59     if ca_password:
     60         kwargs['ca_password'] = r'-passin "pass:{ca_password}"'.format(
     61             **kwargs)
     62     else:
     63         kwargs['ca_password'] = ''
     64     extfile = kwargs.get('openssl_extfile', '')
     65     if extfile:
     66         kwargs['openssl_extfile'] = '-extfile {openssl_extfile}'.format(
     67             **kwargs)
     68     else:
     69         kwargs['openssl_extfile'] = ''
     70 
     71     cmd = OPENSSL_RSA_PSS_CERT_COMMAND.format(**kwargs)
     72     der_bytes = subprocess.check_output(cmd, shell=True)
     73     target_certificate = x509.Certificate.load(der_bytes)
     74 
     75     cmd = OPENSSL_RSA_PSS_DGST_COMMAND.format(**kwargs)
     76     #pylint: disable=unexpected-keyword-arg
     77     der_bytes = subprocess.check_output(cmd,
     78                                         input=target_certificate['tbs_certificate'].dump(),
     79                                         shell=True)
     80 
     81     with open(kwargs.get('output'), 'wb') as f:
     82         target_certificate['signature_value'] = core.OctetBitString(der_bytes)
     83         f.write(pem.armor('CERTIFICATE', target_certificate.dump()))
     84 
     85 
     86 if __name__ == '__main__':
     87     main()