Python ASN.1 library with a focus on performance and a pythonic API

Overview

asn1crypto

A fast, pure Python library for parsing and serializing ASN.1 structures.

GitHub Actions CI Travis CI AppVeyor CircleCI PyPI

Features

In addition to an ASN.1 BER/DER decoder and DER serializer, the project includes a bunch of ASN.1 structures for use with various common cryptography standards:

Standard Module Source
X.509 asn1crypto.x509 RFC 5280
CRL asn1crypto.crl RFC 5280
CSR asn1crypto.csr RFC 2986, RFC 2985
OCSP asn1crypto.ocsp RFC 6960
PKCS#12 asn1crypto.pkcs12 RFC 7292
PKCS#8 asn1crypto.keys RFC 5208
PKCS#1 v2.1 (RSA keys) asn1crypto.keys RFC 3447
DSA keys asn1crypto.keys RFC 3279
Elliptic curve keys asn1crypto.keys SECG SEC1 V2
PKCS#3 v1.4 asn1crypto.algos PKCS#3 v1.4
PKCS#5 v2.1 asn1crypto.algos PKCS#5 v2.1
CMS (and PKCS#7) asn1crypto.cms RFC 5652, RFC 2315
TSP asn1crypto.tsp RFC 3161
PDF signatures asn1crypto.pdf PDF 1.7

Why Another Python ASN.1 Library?

Python has long had the pyasn1 and pyasn1_modules available for parsing and serializing ASN.1 structures. While the project does include a comprehensive set of tools for parsing and serializing, the performance of the library can be very poor, especially when dealing with bit fields and parsing large structures such as CRLs.

After spending extensive time using pyasn1, the following issues were identified:

  1. Poor performance
  2. Verbose, non-pythonic API
  3. Out-dated and incomplete definitions in pyasn1-modules
  4. No simple way to map data to native Python data structures
  5. No mechanism for overridden universal ASN.1 types

The pyasn1 API is largely method driven, and uses extensive configuration objects and lowerCamelCase names. There were no consistent options for converting types of native Python data structures. Since the project supports out-dated versions of Python, many newer language features are unavailable for use.

Time was spent trying to profile issues with the performance, however the architecture made it hard to pin down the primary source of the poor performance. Attempts were made to improve performance by utilizing unreleased patches and delaying parsing using the Any type. Even with such changes, the performance was still unacceptably slow.

Finally, a number of structures in the cryptographic space use universal data types such as BitString and OctetString, but interpret the data as other types. For instance, signatures are really byte strings, but are encoded as BitString. Elliptic curve keys use both BitString and OctetString to represent integers. Parsing these structures as the base universal types and then re-interpreting them wastes computation.

asn1crypto uses the following techniques to improve performance, especially when extracting one or two fields from large, complex structures:

  • Delayed parsing of byte string values
  • Persistence of original ASN.1 encoded data until a value is changed
  • Lazy loading of child fields
  • Utilization of high-level Python stdlib modules

While there is no extensive performance test suite, the CRLTests.test_parse_crl test case was used to parse a 21MB CRL file on a late 2013 rMBP. asn1crypto parsed the certificate serial numbers in just under 8 seconds. With pyasn1, using definitions from pyasn1-modules, the same parsing took over 4,100 seconds.

For smaller structures the performance difference can range from a few times faster to an order of magnitude or more.

Related Crypto Libraries

asn1crypto is part of the modularcrypto family of Python packages:

Current Release

1.4.0 - changelog

Dependencies

Python 2.6, 2.7, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7, 3.8 or pypy. No third-party packages required.

Installation

pip install asn1crypto

License

asn1crypto is licensed under the terms of the MIT license. See the LICENSE file for the exact license text.

Documentation

The documentation for asn1crypto is composed of tutorials on basic usage and links to the source for the various pre-defined type classes.

Tutorials

Reference

Continuous Integration

Various combinations of platforms and versions of Python are tested via:

Testing

Tests are written using unittest and require no third-party packages.

Depending on what type of source is available for the package, the following commands can be used to run the test suite.

Git Repository

When working within a Git working copy, or an archive of the Git repository, the full test suite is run via:

python run.py tests

To run only some tests, pass a regular expression as a parameter to tests.

python run.py tests ocsp

PyPi Source Distribution

When working within an extracted source distribution (aka .tar.gz) from PyPi, the full test suite is run via:

python setup.py test

Package

When the package has been installed via pip (or another method), the package asn1crypto_tests may be installed and invoked to run the full test suite:

pip install asn1crypto_tests
python -m asn1crypto_tests

Development

To install the package used for linting, execute:

pip install --user -r requires/lint

The following command will run the linter:

python run.py lint

Support for code coverage can be installed via:

pip install --user -r requires/coverage

Coverage is measured by running:

python run.py coverage

To change the version number of the package, run:

python run.py version {pep440_version}

To install the necessary packages for releasing a new version on PyPI, run:

pip install --user -r requires/release

Releases are created by:

  • Making a git tag in PEP 440 format

  • Running the command:

    python run.py release

Existing releases can be found at https://pypi.org/project/asn1crypto/.

CI Tasks

A task named deps exists to download and stage all necessary testing dependencies. On posix platforms, curl is used for downloads and on Windows PowerShell with Net.WebClient is used. This configuration sidesteps issues related to getting pip to work properly and messing with site-packages for the version of Python being used.

The ci task runs lint (if flake8 is available for the version of Python) and coverage (or tests if coverage is not available for the version of Python). If the current directory is a clean git working copy, the coverage data is submitted to codecov.io.

python run.py deps
python run.py ci
Comments
  • ECPrivateKey creation

    ECPrivateKey creation

    opened by ofek 29
  • Stuck on building an extension authority information access URI

    Stuck on building an extension authority information access URI

    Hello, I'm stuck on trying to build an extension:

    authority_information_access = Extension({'extn_id': ExtensionId('1.3.6.1.5.5.7.1.1'), 'critical': False, 'extn_value': {'access_method': AccessMethod('1.3.6.1.5.5.7.48.5'), 'access_location': GeneralName(URI('http://test.com'))} })

    I get:

    .virtualenv/lib/python3.5/site-packages/asn1crypto/core.py", line 1100, in __init__ if name not in self._name_map: TypeError: unhashable type: 'URI' while constructing asn1crypto.x509.GeneralName

    I tried many ways, like uri = URI() uri.set(value='http://test.com') GeneralName(uri) But no success. Don't know what else to try to make it works

    opened by ftbarata 19
  • CMS Enveloped Data creation failure

    CMS Enveloped Data creation failure

    I am trying to create a CMS Enveloped Data using asn1crypto as a substitution of the Google's certificate-transparency source code I forked on my project https://github.com/balena/python-smime. I had the idea of using asn1crypto after having some trouble when parsing indefinite-length attributes generated by certain E-Mail managers (like Thunderbird).

    While asn1crypto is great for parsing all kinds of CMS data, I am getting some trouble when generating them. I have an unit test where the PKCS7 output is passed as input to command-line OpenSSL in order to make sure the implementation is compatible. But all I get is an error from OpenSSL when parsing ASN.1 tags (I don't know exactly which one).

    There is a single function responsible for returning a CMS ContentInfo structure as follows:

    def __get_enveloped_data(pubkey_cipher, sym_cipher, x509_cert,
                             encrypted_key, iv, encrypted_content):
        return cms.ContentInfo({
            'contentType': cms.ContentType(u'enveloped_data'),
            'content': cms.EnvelopedData({
                'version': u'v0',
                'recipient_infos': cms.RecipientInfos([
                    cms.RecipientInfo(
                        name='ktri',
                        value=cms.KeyTransRecipientInfo({
                            'version': u'v0',
                            'rid': cms.RecipientIdentifier(
                                name='issuer_and_serial_number',
                                value=__get_issuer_and_serial_number(x509_cert)
                            ),
                            'key_encryption_algorithm': cms.KeyEncryptionAlgorithm({
                                'algorithm': pubkey_cipher.oid,
                                'parameters': core.Null()
                            }),
                            'encrypted_key': encrypted_key
                        })
                    )
                ]),
                'encrypted_content_info': cms.EncryptedContentInfo({
                    'content_type': cms.ContentType(u'data'),
                    'content_encryption_algorithm': cms.EncryptionAlgorithm({
                        'algorithm': sym_cipher.oid,
                        'parameters': iv
                    }),
                    'encrypted_content': cms.OctetString(
                        encrypted_content, tag=0, tag_type='implicit')
                })
            }, tag=0, tag_type='explicit')
        })
    

    The object returned by the above function is encoded using:

    encoded_content = __encode_in_base64(enveloped_data.dump())
    

    And the __encode_in_base64 is just a pretty printer function to convert the DER output into BASE64.

    When I execute the OpenSSL function:

    $ openssl smime -decrypt -in tmp -inkey private_key.pem
    

    All I get is the following:

    Error reading S/MIME message
    140702704453280:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1338:
    140702704453280:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:852:
    140702704453280:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:772:Field=type, Type=PKCS7
    140702704453280:error:0D0D106E:asn1 encoding routines:B64_READ_ASN1:decode error:asn_mime.c:193:
    140702704453280:error:0D0D40CB:asn1 encoding routines:SMIME_read_ASN1:asn1 parse error:asn_mime.c:528:
    

    Do you have any idea what could be the problem? Is there any caveat when encoding asn1crypto structures like the above?

    enhancement 
    opened by balena 18
  • cms.AttributeCertificateInfoV2  KeyError: None

    cms.AttributeCertificateInfoV2 KeyError: None

    Hi @joernheissler and everyone, I'm stuck on the 'attributes' key of AttributeCertificateInfoV2. I tried many ways, no success:

    attribute_certificate_infov2 = cms.AttributeCertificateInfoV2({
                                    'version': 1,
                                    'serial_number': int(SERIAL),
                                    'issuer': cms.AttCertIssuer({
                                        'v1_form':  [GeneralName('directory_name', Name.build({'common_name': EEA_COMMON_NAME})),
                                                     GeneralName('directory_name', Name.build({'organization_name':'Some organization name'})),
                                                     GeneralName('directory_name', Name.build({'organizational_unit_name':'Some CA Name'}))
                                         ]})
                                    ,
                                    'holder': {
                                            'entity_name': [GeneralName('directory_name',Name.build({'common_name': COMMON_NAME})),
                                                            GeneralName('directory_name',Name.build({'country_name':'BR'})),
                                                            GeneralName('directory_name',Name.build({'organization_name': 'Some organization name'})),
                                                            GeneralName('directory_name',Name.build({'organizational_unit_name':'Some Name'}))
                                                            ]
                                        },
                                    'attributes': [cms.AttCertAttribute(cms.AttCertAttributeType('authentication_info'), cms.SvceAuthInfo({'service':Name.build({'common_name':'Test'}), 'ident':Name.build({'common_name':'Test2'})}))],
    
                                    'signature': {
                                        'algorithm': signed_digest_algo,
                                        'parameters': None,
                                    },
                                    'extensions': (extensions_tuple),
    
                                    'att_cert_validity_period': cms.AttCertValidityPeriod({
                                        'not_before_time': GeneralizedTime(parser.parse(NOT_VALID_BEFORE)),
                                        'not_after_time': GeneralizedTime(parser.parse(NOT_VALID_AFTER))
                                    })
                                })
    
    
    File "agent.py", line 149, in createCertificateOsCrypto
        'attributes': [cms.AttCertAttribute(cms.AttCertAttributeType('authentication_info'), cms.SvceAuthInfo({'service':Name.build({'common_name':'Teste'}), 'ident':Name.build({'common_name':'Test2'})}))],
      File "/root/sigcerta/.virtualenv/lib/python3.5/site-packages/asn1crypto/core.py", line 3154, in __init__
        self.__setitem__(key, value[key])
      File "/root/sigcerta/.virtualenv/lib/python3.5/site-packages/asn1crypto/core.py", line 3310, in __setitem__
        new_value = self._make_value(field_name, field_spec, value_spec, field_params, value)
      File "/root/sigcerta/.virtualenv/lib/python3.5/site-packages/asn1crypto/core.py", line 3541, in _make_value
        wrapper.validate(value.class_, value.tag, value.contents)
      File "/root/sigcerta/.virtualenv/lib/python3.5/site-packages/asn1crypto/core.py", line 1224, in validate
        asn1 = self._format_class_tag(class_, tag)
      File "/root/sigcerta/.virtualenv/lib/python3.5/site-packages/asn1crypto/core.py", line 1243, in _format_class_tag
        return '[%s %s]' % (CLASS_NUM_TO_NAME_MAP[class_].upper(), tag)
    KeyError: None
    

    What's wrong? This error is not so helpfull

    If I try to use AttributeCertificateInfoV1:

    attribute_certificate_infov1 = cms.AttributeCertificateInfoV1({
                                'subject': cms.AttCertSubject('subject_name', [GeneralName('directory_name', Name.build({'common_name': COMMON_NAME}))]),
                                'issuer': [GeneralName('directory_name', Name.build({'common_name': EEA_COMMON_NAME}))],
                                'signature': {
                                    'algorithm': signed_digest_algo,
                                    'parameters': None,
                                },
                                'serial_number': int(SERIAL),
                                'att_cert_validity_period': cms.AttCertValidityPeriod({
                                    'not_before_time': GeneralizedTime(parser.parse(NOT_VALID_BEFORE)),
                                    'not_after_time': GeneralizedTime(parser.parse(NOT_VALID_AFTER))
                                }),
                                'extensions': (extensions_tuple),
                                'attributes': [Attribute(ObjectIdentifier('2.5.4.3'), {'common_name': 'test'})]
    
                                })
    

    I get:

    File "agent.py", line 177, in createCertificateOsCrypto
        'attributes': [Attribute( ObjectIdentifier('2.5.4.3'), {'common_name': 'test'})]
      File "/root/sigcerta/.virtualenv/lib/python3.5/site-packages/aenum/__init__.py", line 1961, in __call__
        return cls._create_(value, names, module=module, type=type, start=start)
      File "/root/sigcerta/.virtualenv/lib/python3.5/site-packages/aenum/__init__.py", line 2087, in _create_
        _, first_enum = cls._get_mixins_(bases)
      File "/root/sigcerta/.virtualenv/lib/python3.5/site-packages/aenum/__init__.py", line 2152, in _get_mixins_
        raise TypeError("cannot extend enumerations via subclassing.")
    TypeError: cannot extend enumerations via subclassing.
    

    I don't really know how to set the sequence of Attribute object, I tried some ways, no success too.

    opened by ftbarata 17
  • Can libcrypto dependency be optional?

    Can libcrypto dependency be optional?

    https://github.com/wbond/asn1crypto/blob/9e15efd73f1b7cfba73cb56b3188eb879480f77c/asn1crypto/_perf/_big_num_ctypes.py#L35-L39

    This code may cause SEGV, when binary incompatible OpenSSL version is used in same process. In our case, we use custom (newer) OpenSSL for Python's ssl, uwsgi, cryptography, and pysqlcipher. But asn1crypto loads system's libcrypto and it caused SEGV.

    We solved the SEGV by manually removing _perf module. But this manual step is not idiomatic. How about making libcrypto dependency optional and make it asn1crypto (and pyca/cryptography) safe by default?

    opened by methane 17
  • Failing to load timestamp from globalsign

    Failing to load timestamp from globalsign

    Hi, thanks for a great library. I am writing a small library intended to be a high level (as in simple to use) library for digitally signing pdf's generated with the WeasyPrint library (https://github.com/Kozea/WeasyPrint).

    I have already got it working for self-signed certificates and now I'm working on an adapter for digital signatures from the Globalsign DSS API (https://www.globalsign.com/en/resources/apis/api-documentation/digital-signing-service-api-documentation.html)

    This is a direct link to the API Doc for the API call for a timestamp: https://www.globalsign.com/en/resources/apis/api-documentation/digital-signing-service-api-documentation.html#timestamp__digest__get

    I get an error when I try to load the timestamp token:

    resp = requests.get(self._url + '/timestamp/{digest}'.format(digest=signed_value.hex().upper()))
    timestamp_token = resp.json()['token']
    timestamp_token = base64.b64decode(timestamp_token)
    tsp_resp = tsp.TimeStampResp.load(timestamp_token)
    
    # When I try to access properties I get exceptions
    print(tsp_resp['status'])
    
      File "/usr/local/src/python/WeasySign/weasysign/globalsign.py", line 335, in _sign
        print(tsp_resp['status'])
      File "/usr/local/lib/python3.6/site-packages/asn1crypto/core.py", line 3514, in __getitem__
        raise e
      File "/usr/local/lib/python3.6/site-packages/asn1crypto/core.py", line 3509, in __getitem__
        return self._lazy_child(key)
      File "/usr/local/lib/python3.6/site-packages/asn1crypto/core.py", line 3456, in _lazy_child
        child = self.children[index] = _build(*child)
      File "/usr/local/lib/python3.6/site-packages/asn1crypto/core.py", line 5535, in _build
        METHOD_NUM_TO_NAME_MAP.get(method, method)
    ValueError: Error parsing asn1crypto.tsp.PKIStatusInfo - method should have been constructed, but primitive was found
        while parsing asn1crypto.tsp.TimeStampResp
    
    # And when I try to access the 'time_stamp_token' property:
    print(tsp_resp['time_stamp_token'])
    
     File "/usr/local/src/python/WeasySign/weasysign/globalsign.py", line 336, in _sign
        print(tsp_resp['time_stamp_token'])
      File "/usr/local/lib/python3.6/site-packages/asn1crypto/core.py", line 3514, in __getitem__
        raise e
      File "/usr/local/lib/python3.6/site-packages/asn1crypto/core.py", line 3509, in __getitem__
        return self._lazy_child(key)
      File "/usr/local/lib/python3.6/site-packages/asn1crypto/core.py", line 3456, in _lazy_child
        child = self.children[index] = _build(*child)
      File "/usr/local/lib/python3.6/site-packages/asn1crypto/core.py", line 5522, in _build
        CLASS_NUM_TO_NAME_MAP.get(class_, class_)
    ValueError: Error parsing asn1crypto.cms.ContentInfo - class should have been universal, but context was found
        while parsing asn1crypto.tsp.TimeStampResp
    

    Do you have an idea of what is wrong? Is globalsign using it a different format for the timestamp token? Thanks Bjarni

    opened by hejsan 15
  • Indefinite length encoding supported on input?

    Indefinite length encoding supported on input?

    v0.21.1

    Encountered a p12 file using indefinite length encoding in auth_safe. The Content-Info OctetString is not aggregated correctly from the substrings. The reconstructed OctetString is too large and the native value contains the ASN.1 headers of the substrings instead of only content.

    Test case

    Input string in hex = '2480040d8dfff0980736af936e423acfcc04159277f7f0e479ffc7dc33b2d03d7b1a186d4472aa490000'

    dummy.zip

    $ openssl asn1parse -inform DER -in dummy.da2 0:d=0 hl=2 l=inf cons: OCTET STRING
    2:d=1 hl=2 l= 13 prim: OCTET STRING [HEX DUMP]:8DFFF0980736AF936E423ACFCC 17:d=1 hl=2 l= 21 prim: OCTET STRING [HEX DUMP]:9277F7F0E479FFC7DC33B2D03D7B1A186D4472AA49 40:d=1 hl=2 l= 0 prim: EOC

    Expected behaviour: an OctetString whose native value is a byte string of length 34

    >>> data = binascii.unhexlify('2480040d8dfff0980736af936e423acfcc04159277f7f0e479ffc7dc33b2d03d7b1a186d4472aa490000')
    >>> x = core.OctetString.load(data)
    >>> len(x.native)
    34
    >>> binascii.hexlify(x.native)
    b'8dfff0980736af936e423acfcc9277f7f0e479ffc7dc33b2d03d7b1a186d4472aa49'
    

    Observed behaviour:

    >>> data = binascii.unhexlify('2480040d8dfff0980736af936e423acfcc04159277f7f0e479ffc7dc33b2d03d7b1a186d4472aa490000')
    >>> x = core.OctetString.load(data)
    >>> len(x.native)
    38
    >>> binascii.hexlify(x.native)
    b'040d8dfff0980736af936e423acfcc04159277f7f0e479ffc7dc33b2d03d7b1a186d4472aa49'
    
    ## note ASN.1 headers 040d and 0415 are in the native value
    
    opened by aalba6675 15
  • Cannot extract pubkey from certificate

    Cannot extract pubkey from certificate

    I have this code below working, but:

    1. I'm unable to read pubkey from the generated certificate. AFAIK, a certificate is composed by some elements, including signature algorithm, public key and the signature itself, so anyone could verify the signature using same algorithm and the pubkey, right? I tried
    openssl x509 -pubkey -noout -in cert.pem 
    Error getting public key
    140003854860736:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1129:
    140003854860736:error:0D06C03A:asn1 encoding routines:asn1_d2i_ex_primitive:nested asn1 error:../crypto/asn1/tasn_dec.c:693:
    140003854860736:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:626:Field=n, Type=RSA
    140003854860736:error:0408B004:rsa routines:rsa_pub_decode:RSA lib:../crypto/rsa/rsa_ameth.c:51:
    140003854860736:error:0B09407D:x509 certificate routines:x509_pubkey_decode:public key decode error:../crypto/x509/x_pubkey.c:124:
    

    Code:

                try:
                    for token in lib.get_tokens():
                        if token.serial.decode() == TOKEN_SERIAL:
                            with token.open(user_pin=PIN) as session:
                                priv = ''
                                pub = ''
                                try:
                                    # priv = session.get_key(object_class=pkcs11.constants.ObjectClass.PRIVATE_KEY, label=TOKEN_LABEL)
                                    priv = session.get_key(object_class=pkcs11.constants.ObjectClass.PRIVATE_KEY)
                                except pkcs11.exceptions.NoSuchKey:
                                    for j in session.get_objects({Attribute.CLASS: ObjectClass.PRIVATE_KEY}):
                                        priv = j
                                        break
                                except pkcs11.exceptions.MultipleObjectsReturned:
                                    for j in session.get_objects({Attribute.CLASS: ObjectClass.PRIVATE_KEY}):
                                        priv = j
                                        break
    
                                certificate = next(session.get_objects({Attribute.CLASS: pkcs11.constants.ObjectClass.CERTIFICATE}))
                                der_bytes = certificate[Attribute.VALUE]
                                pem_bytes = pem.armor('CERTIFICATE', der_bytes)
                                token_certificate = pem_bytes.decode()
    
                                try:
                                    # pub = session.get_key(object_class=pkcs11.constants.ObjectClass.PUBLIC_KEY, label=TOKEN_LABEL)
                                    pub = encode_rsa_public_key(session.get_key(object_class=pkcs11.constants.ObjectClass.PUBLIC_KEY))
    
                                except pkcs11.MultipleObjectsReturned:
                                    for i in session.get_objects({Attribute.CLASS: pkcs11.constants.ObjectClass.PUBLIC_KEY}):
                                        pub = encode_rsa_public_key(i)
                                        break
    
                                except pkcs11.exceptions.NoSuchKey:
                                    cert2 = x509.load_pem_x509_certificate(pem.armor('CERTIFICATE', der_bytes),default_backend())
                                    # pubdata = cert2.public_key().public_bytes(cryptography.hazmat.primitives.serialization.Encoding.DER,cryptography.hazmat.primitives.serialization.PublicFormat.SubjectPublicKeyInfo)
                                    pubdata = cert2.public_key().public_bytes(cryptography.hazmat.primitives.serialization.Encoding.DER,cryptography.hazmat.primitives.serialization.PublicFormat.SubjectPublicKeyInfo)
                                    # pub = pem.armor('RSA PUBLIC KEY', pubdata)
                                    pub = pubdata
    
                                NASC_CPF_MATRICULA_RG_SIGLAEXPEDIDOR_UF = NASCIMENTO + CPF + MATRICULA + RG + SIGLAEXPEDIDOR_E_UF
                                INSTENSINO_GRAUESCOLARIDADE_NOMECURSO_MUNICINSTIT_UF = str(INSTENSINO) + str(ESCOLARIDADE) + str(NOME_CURSO) + str(MUNICIPIO_INSTENSINO) + str(UF_INSTENSINO)
    
                                extension1 = Extension({'extn_id': ExtensionId('2.16.76.1.10.1'),
                                                        'critical': False,
                                                        'extn_value': NASC_CPF_MATRICULA_RG_SIGLAEXPEDIDOR_UF.encode()
                                                        })
                                extension2 = Extension({'extn_id': ExtensionId('2.16.76.1.10.2'),
                                                        'critical': False,
                                                        'extn_value': unidecode.unidecode(
                                                            INSTENSINO_GRAUESCOLARIDADE_NOMECURSO_MUNICINSTIT_UF).encode()
                                                        })
    
                                extension3 = False
    
                                if NOME_SOCIAL is not False or NOME_SOCIAL != "False":
                                    extension3 = Extension({'extn_id': ExtensionId('2.16.76.1.4.3'),
                                                            'critical': False,
                                                            'extn_value': unidecode.unidecode(
                                                                NOME_SOCIAL).encode()
                                                            })
    
    
                                authority_key_identifier = Extension({
                                    'extn_id': ExtensionId('authority_key_identifier'),
                                    'critical': False,
                                    'extn_value': AuthorityKeyIdentifier({
                                      'key_identifier': AUTHORITY_KEY_IDENTIFIER.encode()
                                        })
                                })
    
                                authority_information_access = Extension({
                                    'extn_id': ExtensionId('authority_information_access'),
                                    'critical': False,
                                    'extn_value': [{
                                        'access_method': AccessMethod('1.3.6.1.5.5.7.48.5'),
                                        'access_location': GeneralName('uniform_resource_identifier', URI(AUTHORITY_INFORMATION_ACCESS))
                                    }]
                                })
                                crl_distribution_point = Extension({
                                    'extn_id': ExtensionId('crl_distribution_points'),
                                    'critical': False,
                                    'extn_value': [{
                                        'distribution_point': DistributionPointName('full_name', [GeneralName('uniform_resource_identifier', URI(CRL_DISTRIBUTION_POINT))]),
                                        # 'crl_issuer': [GeneralName('uniform_resource_identifier', URI(CRL_DISTRIBUTION_POINT))]
                                    }]
                                })
    
                                # sha256_rsa
                                signed_digest_algo = 'sha256_rsa'
    
    
                                if extension3:
                                    extensions_tuple = (extension1, extension2, extension3, authority_information_access, crl_distribution_point, authority_key_identifier)
                                else:
                                    extensions_tuple = (extension1, extension2, authority_information_access, crl_distribution_point, authority_key_identifier)
    
    
                                tbs = TbsCertificate({
                                    'version': Version(1),
                                    'serial_number': int(SERIAL),
                                    'issuer': Name.build({
                                        'common_name': EEA_COMMON_NAME,
                                    }),
                                    'subject': Name.build({
                                        'common_name': COMMON_NAME,
                                    }),
                                    'signature': {
                                        'algorithm': signed_digest_algo,
                                        'parameters': None,
                                    },
                                    'extensions': (extensions_tuple),
    
                                    'validity': {
                                        'not_before': Time({
                                            'general_time': GeneralizedTime(parser.parse(NOT_VALID_BEFORE)),
                                        }),
                                        'not_after': Time({
                                            'general_time': GeneralizedTime(parser.parse(NOT_VALID_AFTER)),
                                        }),
                                    },
                                    'subject_public_key_info': {
                                        'algorithm': {
                                            'algorithm': 'rsa',
                                            'parameters': None,
                                        },
                                        # 'public_key': RSAPublicKey.load(encode_rsa_public_key(pub)),
                                        'public_key': RSAPublicKey.load(pub),
                                    }
                                })
    
                                # Sign the TBS Certificate
                                value = priv.sign(tbs.dump(),
                                                  mechanism=Mechanism.SHA256_RSA_PKCS)
    
                                cert = Certificate({
                                    'tbs_certificate': tbs,
                                    'signature_algorithm': {
                                        'algorithm': signed_digest_algo,
                                        'parameters': None,
                                    },
                                    'signature_value': value,
                                })
                                attribute_certificate = pem.armor('CERTIFICATE', cert.dump()).decode()
                                return (attribute_certificate + token_certificate).strip()
                        else:
                            return 'Token not found'
                except TokenNotPresent:
                    pass
    
    opened by ftbarata 14
  • Drop EC math operators?

    Drop EC math operators?

    I noticed that the PrimePoint class for elliptic curve implements multiplication and addition over an elliptic curve. Internally it uses a pure Python implementation with an optional accelerator for inverse mod using CFFI and OpenSSL's big numbers. I'm rather worried about the custom implementation in asn1crypto. It doesn't seem to implement protection against malicious input, see https://safecurves.cr.yp.to/

    Does asn1crypto really need to come with a custom EC math implementation? After all isn't its primary purpose ASN.1 handling and a high level interface to common ASN.1 data structures?

    help wanted 
    opened by tiran 14
  • Create a asn1crypto-testdata pypi package + automate release

    Create a asn1crypto-testdata pypi package + automate release

    Trying to run the unittests in my environment I could not get them to work:

    [cooper:~/asn1crypto-0.22.0:]$ ~/virtualenvs/setup_py_fun/bin/python3 setup.py test
    running test
    running egg_info
    writing asn1crypto.egg-info/PKG-INFO
    writing dependency_links to asn1crypto.egg-info/dependency_links.txt
    writing top-level names to asn1crypto.egg-info/top_level.txt
    reading manifest file 'asn1crypto.egg-info/SOURCES.txt'
    writing manifest file 'asn1crypto.egg-info/SOURCES.txt'
    running build_ext
    tests (unittest.loader._FailedTest) ... ERROR
    
    ======================================================================
    ERROR: tests (unittest.loader._FailedTest)
    ----------------------------------------------------------------------
    ImportError: Failed to import test module: tests
    Traceback (most recent call last):
      File "/usr/local/lib/python3.6/unittest/loader.py", line 153, in loadTestsFromName
        module = __import__(module_name)
    ModuleNotFoundError: No module named 'tests'
    
    
    ----------------------------------------------------------------------
    Ran 1 test in 0.000s
    
    FAILED (errors=1)
    Test failed: <unittest.runner.TextTestResult run=1 errors=1 failures=0>
    error: Test failed: <unittest.runner.TextTestResult run=1 errors=1 failures=0>
    

    Playing with setup.py now.

    help wanted 
    opened by cooperlees 12
  • Refactor BitString parsing

    Refactor BitString parsing

    Closes: #147

    Work in Progress

    This breaks a few test cases, see travis. I wonder if those certificates are correct or not. There are two edge cases to consider:

    • unused bits are all zero. Should the code ignore those unused bits instead of breaking?
    • unused bits are not all zero. Should those be kept, zeroed out or should an exception be raised?
    opened by joernheissler 11
  • Bug in commit 'Handle BER-encoded indefinite length values better'

    Bug in commit 'Handle BER-encoded indefinite length values better'

    I've found the bug in this commit: link to commit c29117fd57deb80fb345cf76cad9d0d48e8bbf17 Definition of length of asn1 package in this part of code "self._header[-1:] == b'\x80':" is incorrect. According this documentation: https://www.w3.org/Protocols/HTTP-NG/asn1.html For the definite form, if the length is less than 128, you just use a single byte, with the high bit set to zero. Otherwise the high bit is set to one, and the low seven bits set to the length of length. The length is then encoded in that many bytes.

    More correct code is:

    
    if self._header is not None and  self._header[1]<128 and  self._header[-1:] == b'\x80':
    
        force = True
    
    opened by vasvlad 7
  • Exception in ValidationContext.validate_usage() during OCSP response parsing

    Exception in ValidationContext.validate_usage() during OCSP response parsing

    While checking a certificate using OCSP, I get the following exception: (Hashed lines added using print(...) just before the exception happens)

    # ocsp url=http://ocsp.quovadisglobal.com
    # ocsp request=<urllib.request.Request object at 0x7efe1df7ada0>
    # ocsp dump=b'0|0z0Q0O0M0\t\x06\x05+\x0e\x03\x02\x1a\x05\x00\x04\x14\xf2\x85\xc2\x91\xd4\x0e\x17\x85\x02\xc5e\x1by\xbb\xe4\xfcL;\x18u\x04\x14\x1a\x84b\xbcHL3%\x04\xd4\xee\xd0\xf6\x03\xc4\x19F\xd1\x94k\x02\x14\x1an\xe8\x93\xc3t\x978\xe1*\xcc\xc7z\x8c\n\xcb\x16~\xaf\x14\xa2%0#0!\x06\t+\x06\x01\x05\x05\x070\x01\x02\x04\x14\x04\x12\x04\x10k\xaf1n\xfd\x0e=\x9f\xacwQ\xd5#\x9d\xc7x'
    # urlopen status=200, reason=OK, headers=Date: Thu, 17 Nov 2022 17:50:55 GMT
    Server: Apache
    Content-Type: application/ocsp-response
    Content-Length: 5
    Connection: close
    
    
    # ocsp response=<asn1crypto.ocsp.OCSPResponse 139629889564456 b'0\x03\n\x01\x06'>
    # request nonce=<asn1crypto.core.OctetString 139629889697216 b'\x04\x12\x04\x10k\xaf1n\xfd\x0e=\x9f\xacwQ\xd5#\x9d\xc7x'>
    UNKNOWN: Exception caught during EAPOL check: 'Void' object is not subscriptable
    Traceback (most recent call last):
      File "./check_ocsp.py", line 102, in main
        file_name, verbose=verbose
      File "./check_ocsp.py", line 54, in validate_certificate_chain
        validator.validate_usage(set(usage))
      File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/certvalidator/__init__.py", line 193, in validate_usage
        self._validate_path()
      File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/certvalidator/__init__.py", line 121, in _validate_path
        validate_path(self._context, candidate_path)
      File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/certvalidator/validate.py", line 50, in validate_path
        return _validate_path(validation_context, path)
      File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/certvalidator/validate.py", line 386, in _validate_path
        end_entity_name_override=end_entity_name_override
      File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/certvalidator/validate.py", line 891, in verify_ocsp_response
        ocsp_responses = validation_context.retrieve_ocsps(cert, issuer)
      File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/certvalidator/context.py", line 497, in retrieve_ocsps
        **self._ocsp_fetch_params
      File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/certvalidator/ocsp_client.py", line 114, in fetch
        response_nonce = ocsp_response.nonce_value
      File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/asn1crypto/ocsp.py", line 671, in nonce_value
        self._set_extensions()
      File "/home/zeuz/git/wpa_eapol_checker/venv/lib64/python3.6/site-packages/asn1crypto/ocsp.py", line 631, in _set_extensions
        for extension in self['response_bytes']['response'].parsed['tbs_response_data']['response_extensions']:
    TypeError: 'Void' object is not subscriptable
    

    Minimum working implementation:

    # High-level API for cert validation
    from asn1crypto import pem
    from certvalidator import CertificateValidator, ValidationContext, errors
    
    # Lower-level API for cert info
    from cryptography import x509
    
    
    def load_certs(cert_file):
        end_entity_cert = None
        intermediates = []
        with open(cert_file, "rb") as f:
            data = f.read()
            if not pem.detect(data):
                raise RuntimeError("Invalid cert contents")
            # Usually, the cert is the first part and then the intermediates follow; Seemingly Radiator doesn't follow this convention.
            for _type_name, _headers, der_bytes in pem.unarmor(data, multiple=True):
                cert = x509.load_der_x509_certificate(der_bytes)
                key_usages = cert.extensions.get_extension_for_class(x509.KeyUsage)
                if key_usages.value.key_cert_sign:
                    intermediates.append(der_bytes)
                else:
                    end_entity_cert = der_bytes
        return intermediates, end_entity_cert
    
    
    def validate_certificate_chain( cert_file, usage=["key_encipherment"]):
        # Checks certificate chain for: usage
        rc = 1
        msg = "Unknown validation status"
        intermediates, end_entity_cert = load_certs(cert_file)
        try:
            validation_context = ValidationContext( allow_fetching=True, revocation_mode="soft-fail")
            validator = CertificateValidator( end_entity_cert, intermediates, validation_context)
            validator.validate_usage(set(usage))
            rc = 0
            msg = "Cert valid"
        except (errors.PathValidationError) as e:
            msg = getattr(e, "message", e)
            rc = 1
        except (errors.PathBuildingError) as e:
            msg = getattr(e, "message", e)
            rc = 1
        return rc, msg
    
    validate_certificate_chain('ocsp-fail.pem')
    

    --> If I set allow_fetching=False when creating ValidationContext, I don't get the exception, but OCSP is not validated.

    opened by bbczeuz 5
  • CMS.py Contains TWO Conflicting Definitions of RecipientKeyIdentifier

    CMS.py Contains TWO Conflicting Definitions of RecipientKeyIdentifier

    cms.py contains TWO definitions of "class RecipientKeyIdentifier". Unfortunately, the first defines the field "subject_key_identifier" and the latter defines the field "subjectKeyIdentifier". This snowballs, causing problems due to Python binding time rules. That is, the definition of KeyAgreementRecipientIdentifier picks up the former definition, but a program that imports cms.py will pick up the latter.

    To wit, the following fails:

    >>> temp=RecipientKeyIdentifier()
    >>> temp['subjectKeyIdentifier'] = b'12345678'
    >>> KeyAgreementRecipientIdentifier(name='r_key_id', value=temp)
    

    The following works, but it took me over a day to figure out what was going on:

    >>> temp.native
    OrderedDict([('subjectKeyIdentifier', b'12345678'), ('date', None), ('other', None)])
    >>> temp2=util.OrderedDict([('subject_key_identifier', b'12345678'), ('date', None), ('other', None)])
    >>> KeyAgreementRecipientIdentifier(name='r_key_id', value=temp2)
    
    opened by cjamescook 0
Owner
Will Bond
Software engineer, occasional designer. Working for @sublimehq. Proud husband and father.
Will Bond
High Performance Blockchain Deserializer

bitcoin_explorer is an efficient library for reading bitcoin-core binary blockchain file as a database (utilising multi-threading).

Congyu 2 Dec 28, 2021
Bit is Python's fastest Bitcoin library and was designed from the beginning to feel intuitive, be effortless to use, and have readable source code.

Bit is Python's fastest Bitcoin library and was designed from the beginning to feel intuitive, be effortless to use, and have readable source code.

Ofek Lev 1.1k Jan 2, 2023
A Python library to wrap age and minisign to provide key management, encryption/decryption and signing/verification functionality.

A Python library to wrap age and minisign to provide key management, encryption/decryption and signing/verification functionality.

Vinay Sajip 3 Feb 1, 2022
Python wrapper for the Equibles cryptos API.

Equibles Cryptos API for Python Requirements. Python 2.7 and 3.4+ Installation & Usage pip install If the python package is hosted on Github, you can

Equibles 1 Feb 2, 2022
Python binding to the Networking and Cryptography (NaCl) library

PyNaCl: Python binding to the libsodium library PyNaCl is a Python binding to libsodium, which is a fork of the Networking and Cryptography library. T

Python Cryptographic Authority 941 Jan 4, 2023
A little side-project API for me to learn about Blockchain and Tokens

BlockChain API I built this little side project to learn more about Blockchain and Tokens. It might be maintained and implemented to other projects bu

Loïk Mallat 1 Nov 16, 2021
The leading native Python SSHv2 protocol library.

Paramiko Paramiko: Python SSH module Copyright: Copyright (c) 2009 Robey Pointer <[email protected]> Copyright: Copyright (c) 2020 Jeff Forcier <

null 8.1k Jan 8, 2023
A self-contained cryptographic library for Python

PyCryptodome PyCryptodome is a self-contained Python package of low-level cryptographic primitives. It supports Python 2.7, Python 3.4 and newer, and

Helder Eijs 2.2k Jan 8, 2023
A lightweight encryption library in python.

XCrypt About This was initially a project to prove that I could make a strong encryption but I decided to publish it so that the internet peoples coul

Anonymous 8 Sep 10, 2022
A simple python program to sign text using either the RSA or ISRSAC algorithm with GUI built using tkinter library.

Digital Signatures using ISRSAC Algorithm A simple python program to sign text using either the RSA or ISRSAC algorithm with GUI built using tkinter l

Vasu Mandhanya 3 Nov 15, 2022
Salted Crypto Python library

Salted Crypto Python library. Allows to encrypt and decrypt files and directories using popular cryptographic algorithms with salty key(s).

null 7 Jul 18, 2022
Bsvlib - Bitcoin SV (BSV) Python Library

bsvlib A Bitcoin SV (BSV) Python Library that is extremely simple to use but mor

Aaron 22 Dec 15, 2022
C0mptCrypt - An object-oriented, minamalistic, simple encryption library in Python

C0mptCrypt allows you to encrypt strings of text. It can only be decrypted using C0mptCrypt and not by random online tools. You can use this for a variety of things from creating passwords, to encrypting HWIDs.

c0mpt0 4 Aug 22, 2022
This is an experimental AES-encrypted RPC API for ESP 8266.

URPC This is an experimental AES-encrypted RPC API for ESP 8266. Usage The server folder contains a sample ESP 8266 project. Simply set the values in

Ian Walton 1 Oct 26, 2021
Zach Brewer 1 Feb 18, 2022
Aplicação de monitoramento de valores de criptos através da API do Mercado Bitcoin.

myCrypto_MercadoBitcoin Aplicação de monitoramento de valores de criptos através da API do Mercado Bitcoin. Apoie esse projeto! ?? ?? Olá! Você pode r

Vinícius Azevedo 122 Nov 27, 2022
Tink is a multi-language, cross-platform, open source library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.

Tink A multi-language, cross-platform library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse. Ubuntu

Google 12.9k Jan 5, 2023
一个关于摩斯密码解密与加密的库 / A library about encoding and decoding Morse code.

Morsecoder By Lemonix 介绍 一个关于摩斯密码解密与加密的库

Heat Studio 10 Jun 28, 2022
Cryptocurrency application that displays instant cryptocurrency prices and reads prices with the Google Text-to-Speech library.

?? Cryptocurrency Price App ?? ◽ Cryptocurrency application that displays instant cryptocurrency prices and reads prices with the Google Text-to-Speec

Furkan Mert 2 Nov 8, 2021