Jouni Malinen | 9541ee8 | 2020-06-22 21:46:31 +0300 | [diff] [blame] | 1 | #!/usr/bin/env python3 |
| 2 | # |
| 3 | # Sigma Control API DUT (DPP CA) |
| 4 | # Copyright (c) 2020, The Linux Foundation |
| 5 | # All Rights Reserved. |
| 6 | # Licensed under the Clear BSD license. See README for more details. |
| 7 | |
| 8 | import base64 |
| 9 | import OpenSSL |
| 10 | import os |
| 11 | import subprocess |
| 12 | import sys |
| 13 | |
| 14 | def dpp_sign_cert(cacert, cakey, csr_der): |
| 15 | csr = OpenSSL.crypto.load_certificate_request(OpenSSL.crypto.FILETYPE_ASN1, |
| 16 | csr_der) |
| 17 | cert = OpenSSL.crypto.X509() |
| 18 | cert.set_serial_number(12345) |
| 19 | cert.gmtime_adj_notBefore(-10) |
| 20 | cert.gmtime_adj_notAfter(100000) |
| 21 | cert.set_pubkey(csr.get_pubkey()) |
| 22 | dn = csr.get_subject() |
| 23 | cert.set_subject(dn) |
| 24 | cert.set_version(2) |
| 25 | cert.add_extensions([ |
| 26 | OpenSSL.crypto.X509Extension(b"basicConstraints", True, |
| 27 | b"CA:FALSE"), |
| 28 | OpenSSL.crypto.X509Extension(b"subjectKeyIdentifier", False, |
| 29 | b"hash", subject=cert), |
| 30 | OpenSSL.crypto.X509Extension(b"authorityKeyIdentifier", False, |
| 31 | b"keyid:always", issuer=cacert), |
| 32 | ]) |
| 33 | cert.set_issuer(cacert.get_subject()) |
| 34 | cert.sign(cakey, "sha256") |
| 35 | return cert |
| 36 | |
| 37 | def main(): |
| 38 | if len(sys.argv) < 2: |
| 39 | print("No certificate directory path provided") |
| 40 | sys.exit(-1) |
| 41 | |
| 42 | cert_dir = sys.argv[1] |
| 43 | cacert_file = os.path.join(cert_dir, "dpp-ca.pem") |
| 44 | cakey_file = os.path.join(cert_dir, "dpp-ca.key") |
| 45 | csr_file = os.path.join(cert_dir, "dpp-ca-csr") |
| 46 | cert_file = os.path.join(cert_dir, "dpp-ca-cert") |
| 47 | pkcs7_file = os.path.join(cert_dir, "dpp-ca-pkcs7") |
| 48 | certbag_file = os.path.join(cert_dir, "dpp-ca-certbag") |
| 49 | |
| 50 | with open(cacert_file, "rb") as f: |
| 51 | res = f.read() |
| 52 | cacert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, |
| 53 | res) |
| 54 | |
| 55 | with open(cakey_file, "rb") as f: |
| 56 | res = f.read() |
| 57 | cakey = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, res) |
| 58 | |
| 59 | if not os.path.exists(csr_file): |
| 60 | print("No CSR file: %s" % csr_file) |
| 61 | sys.exit(-1) |
| 62 | |
| 63 | with open(csr_file) as f: |
| 64 | csr_b64 = f.read() |
| 65 | |
| 66 | csr = base64.b64decode(csr_b64) |
| 67 | if not csr: |
| 68 | print("Could not base64 decode CSR") |
| 69 | sys.exit(-1) |
| 70 | |
| 71 | cert = dpp_sign_cert(cacert, cakey, csr) |
| 72 | with open(cert_file, 'wb') as f: |
| 73 | f.write(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, |
| 74 | cert)) |
| 75 | |
| 76 | subprocess.check_call(['openssl', 'crl2pkcs7', '-nocrl', |
| 77 | '-certfile', cert_file, |
| 78 | '-certfile', cacert_file, |
| 79 | '-outform', 'DER', '-out', pkcs7_file]) |
| 80 | |
| 81 | with open(pkcs7_file, 'rb') as f: |
| 82 | pkcs7_der = f.read() |
| 83 | certbag = base64.b64encode(pkcs7_der) |
| 84 | with open(certbag_file, 'wb') as f: |
| 85 | f.write(certbag) |
| 86 | |
| 87 | if __name__ == "__main__": |
| 88 | main() |