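#!/usr/bin/env python3
#
# Sigma Control API DUT (DPP CA)
# Copyright (c) 2020, The Linux Foundation
# All Rights Reserved.
# Licensed under the Clear BSD license. See README for more details.

import base64
import OpenSSL
import os
import secrets
import subprocess
import sys


def dpp_sign_cert(cacert, cakey, csr_der, serial=None):
    """Issue an end-entity certificate for a DER-encoded CSR under the DPP CA.

    Args:
        cacert: OpenSSL.crypto.X509 CA certificate. Its subject becomes the
            issuer name and its key identifier fills authorityKeyIdentifier.
        cakey: OpenSSL.crypto.PKey private key matching ``cacert``.
        csr_der: DER (ASN.1) encoded PKCS#10 certificate request.
        serial: Serial number for the new certificate. When ``None`` a fresh
            random positive value is drawn so that every certificate issued by
            this CA carries a distinct serial; RFC 5280 requires serials to be
            unique per issuer, which a fixed constant cannot satisfy once more
            than one certificate has been issued.

    Returns:
        The signed OpenSSL.crypto.X509 certificate (v3, CA:FALSE, valid from
        10 seconds in the past for 100000 seconds, signed with SHA-256).

    Raises:
        OpenSSL.crypto.Error: if the CSR cannot be parsed or its self-signature
            does not verify.
        ValueError: if the CSR signature check reports failure without raising.
    """
    csr = OpenSSL.crypto.load_certificate_request(OpenSSL.crypto.FILETYPE_ASN1,
                                                  csr_der)
    # Proof of possession: a CA must only certify a public key whose holder
    # has demonstrated control of the matching private key, which the CSR's
    # self-signature provides. verify() raises OpenSSL.crypto.Error on a bad
    # signature; the explicit check guards against a False return.
    if not csr.verify(csr.get_pubkey()):
        raise ValueError("CSR self-signature does not verify")

    if serial is None:
        # 63 random bits plus one: always positive, far below the 20-octet
        # limit of RFC 5280, and unique in practice across issued certs.
        serial = secrets.randbits(63) + 1

    cert = OpenSSL.crypto.X509()
    cert.set_serial_number(serial)
    # Small backdated notBefore tolerates clock skew between CA and enrollee.
    cert.gmtime_adj_notBefore(-10)
    cert.gmtime_adj_notAfter(100000)
    cert.set_pubkey(csr.get_pubkey())
    cert.set_subject(csr.get_subject())
    # set_version(2) selects X.509 v3, which is required for extensions.
    cert.set_version(2)
    cert.add_extensions([
        OpenSSL.crypto.X509Extension(b"basicConstraints", True,
                                     b"CA:FALSE"),
        OpenSSL.crypto.X509Extension(b"subjectKeyIdentifier", False,
                                     b"hash", subject=cert),
        OpenSSL.crypto.X509Extension(b"authorityKeyIdentifier", False,
                                     b"keyid:always", issuer=cacert),
    ])
    cert.set_issuer(cacert.get_subject())
    cert.sign(cakey, "sha256")
    return cert


def main():
    """Sign the CSR found in the certificate directory given as argv[1].

    Reads ``dpp-ca.pem`` / ``dpp-ca.key`` (the CA) and ``dpp-ca-csr`` (a
    base64 text file holding a DER CSR) from the directory, writes the signed
    certificate as ``dpp-ca-cert`` (PEM), bundles it with the CA certificate
    into ``dpp-ca-pkcs7`` (DER, certs-only PKCS#7 built with the ``openssl``
    command line tool) and stores the base64 of that bundle in
    ``dpp-ca-certbag``. Exits with status -1 on a missing argument, missing
    CSR file or undecodable CSR.
    """
    if len(sys.argv) < 2:
        print("No certificate directory path provided")
        sys.exit(-1)

    cert_dir = sys.argv[1]
    cacert_file = os.path.join(cert_dir, "dpp-ca.pem")
    cakey_file = os.path.join(cert_dir, "dpp-ca.key")
    csr_file = os.path.join(cert_dir, "dpp-ca-csr")
    cert_file = os.path.join(cert_dir, "dpp-ca-cert")
    pkcs7_file = os.path.join(cert_dir, "dpp-ca-pkcs7")
    certbag_file = os.path.join(cert_dir, "dpp-ca-certbag")

    with open(cacert_file, "rb") as f:
        cacert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM,
                                                 f.read())

    with open(cakey_file, "rb") as f:
        cakey = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM,
                                               f.read())

    if not os.path.exists(csr_file):
        print("No CSR file: %s" % csr_file)
        sys.exit(-1)

    with open(csr_file) as f:
        csr_b64 = f.read()

    # b64decode raises binascii.Error (a ValueError subclass) on malformed
    # input rather than returning an empty value, so both cases must be
    # mapped to the same failure path.
    try:
        csr = base64.b64decode(csr_b64)
    except ValueError:
        csr = b""
    if not csr:
        print("Could not base64 decode CSR")
        sys.exit(-1)

    cert = dpp_sign_cert(cacert, cakey, csr)
    with open(cert_file, 'wb') as f:
        f.write(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM,
                                                cert))

    # Argument list, no shell: the path values are never interpreted by a
    # shell. The CA certificate is included so the bag carries the chain.
    subprocess.check_call(['openssl', 'crl2pkcs7', '-nocrl',
                           '-certfile', cert_file,
                           '-certfile', cacert_file,
                           '-outform', 'DER', '-out', pkcs7_file])

    with open(pkcs7_file, 'rb') as f:
        pkcs7_der = f.read()
    with open(certbag_file, 'wb') as f:
        f.write(base64.b64encode(pkcs7_der))


if __name__ == "__main__":
    main()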