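#!/usr/bin/env python3
#
# Sigma Control API DUT (DPP CA)
# Copyright (c) 2020, The Linux Foundation
# All Rights Reserved.
# Licensed under the Clear BSD license. See README for more details.

import base64
import OpenSSL
import os
import subprocess
import sys

# Serial number used when the caller does not supply one. Kept at the
# historical value for compatibility; every certificate issued with it shares
# the same serial, which is only acceptable for this test-only CA.
DEFAULT_SERIAL = 12345


def dpp_sign_cert(cacert, cakey, csr_der, serial=DEFAULT_SERIAL):
    """Issue an end-entity certificate for a DPP enrollee CSR.

    Args:
        cacert: OpenSSL.crypto.X509 of the issuing CA (issuer DN and AKID
            are taken from it).
        cakey: OpenSSL.crypto.PKey private key matching cacert.
        csr_der: DER-encoded PKCS#10 certificate request.
        serial: serial number to assign; defaults to DEFAULT_SERIAL.

    Returns:
        OpenSSL.crypto.X509 signed with cakey (sha256).

    Raises:
        OpenSSL.crypto.Error: if csr_der cannot be parsed or its self-signature
            does not verify against the public key it carries.
    """
    csr = OpenSSL.crypto.load_certificate_request(
        OpenSSL.crypto.FILETYPE_ASN1, csr_der)
    # Proof of possession: refuse to bind the requested subject and key into a
    # certificate unless the CSR is correctly self-signed. verify() raises
    # OpenSSL.crypto.Error on a bad signature.
    csr.verify(csr.get_pubkey())

    cert = OpenSSL.crypto.X509()
    cert.set_serial_number(serial)
    # Short validity window: starts 10 s in the past (clock skew), ends
    # 100000 s (~28 h) from now.
    cert.gmtime_adj_notBefore(-10)
    cert.gmtime_adj_notAfter(100000)
    cert.set_pubkey(csr.get_pubkey())
    # The subject DN is copied verbatim from the CSR; this CA does not
    # constrain or validate it.
    cert.set_subject(csr.get_subject())
    # Version value 2 encodes an X.509 v3 certificate (required for extensions).
    cert.set_version(2)
    cert.add_extensions([
        OpenSSL.crypto.X509Extension(b"basicConstraints", True,
                                     b"CA:FALSE"),
        OpenSSL.crypto.X509Extension(b"subjectKeyIdentifier", False,
                                     b"hash", subject=cert),
        OpenSSL.crypto.X509Extension(b"authorityKeyIdentifier", False,
                                     b"keyid:always", issuer=cacert),
    ])
    cert.set_issuer(cacert.get_subject())
    cert.sign(cakey, "sha256")
    return cert


def main():
    """Sign the CSR found in the given directory and emit a PKCS#7 certbag.

    Reads dpp-ca.pem / dpp-ca.key / dpp-ca-csr from sys.argv[1], writes
    dpp-ca-cert (PEM), dpp-ca-pkcs7 (DER, via the openssl CLI) and
    dpp-ca-certbag (base64 of the PKCS#7). Exits with -1 on any input error.
    """
    if len(sys.argv) < 2:
        print("No certificate directory path provided")
        sys.exit(-1)

    cert_dir = sys.argv[1]
    cacert_file = os.path.join(cert_dir, "dpp-ca.pem")
    cakey_file = os.path.join(cert_dir, "dpp-ca.key")
    csr_file = os.path.join(cert_dir, "dpp-ca-csr")
    cert_file = os.path.join(cert_dir, "dpp-ca-cert")
    pkcs7_file = os.path.join(cert_dir, "dpp-ca-pkcs7")
    certbag_file = os.path.join(cert_dir, "dpp-ca-certbag")

    with open(cacert_file, "rb") as f:
        cacert = OpenSSL.crypto.load_certificate(
            OpenSSL.crypto.FILETYPE_PEM, f.read())

    with open(cakey_file, "rb") as f:
        cakey = OpenSSL.crypto.load_privatekey(
            OpenSSL.crypto.FILETYPE_PEM, f.read())

    if not os.path.exists(csr_file):
        print("No CSR file: %s" % csr_file)
        sys.exit(-1)

    with open(csr_file) as f:
        csr_b64 = f.read()

    # b64decode raises binascii.Error (a ValueError) on malformed input and
    # returns b"" for empty input; both are reported the same way.
    try:
        csr = base64.b64decode(csr_b64)
    except ValueError:
        csr = b""
    if not csr:
        print("Could not base64 decode CSR")
        sys.exit(-1)

    try:
        cert = dpp_sign_cert(cacert, cakey, csr)
    except OpenSSL.crypto.Error as err:
        print("Could not sign CSR: %s" % err)
        sys.exit(-1)

    with open(cert_file, 'wb') as f:
        f.write(OpenSSL.crypto.dump_certificate(
            OpenSSL.crypto.FILETYPE_PEM, cert))

    # Bundle the issued certificate and the CA certificate into a DER PKCS#7
    # blob using the openssl CLI (argument list, no shell).
    subprocess.check_call(['openssl', 'crl2pkcs7', '-nocrl',
                           '-certfile', cert_file,
                           '-certfile', cacert_file,
                           '-outform', 'DER', '-out', pkcs7_file])

    with open(pkcs7_file, 'rb') as f:
        pkcs7_der = f.read()
    with open(certbag_file, 'wb') as f:
        f.write(base64.b64encode(pkcs7_der))


if __name__ == "__main__":
    main()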