diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000000000000000000000000000000000000..6d85c242d838afc67ea62f3c6459a18760bc8d50 --- /dev/null +++ b/.gitignore @@ -0,0 +1,9 @@ +__pycache__/ui.cpython-37.pyc +./tokens/*.der +./credentials/*.der +__pycache__/ui.cpython-39.pyc + +.vscode/launch.json +.vscode/settings.json + + diff --git a/ATK_DUMP.png b/ATK_DUMP.png new file mode 100644 index 0000000000000000000000000000000000000000..75e106d48a7a6ad858a1c9ee304d12460ecb2fd8 Binary files /dev/null and b/ATK_DUMP.png differ diff --git a/CreateAuthCommand.py b/CreateAuthCommand.py new file mode 100644 index 0000000000000000000000000000000000000000..bc2898f24e084649415b17a31decfc0b30040f2e --- /dev/null +++ b/CreateAuthCommand.py @@ -0,0 +1,418 @@ +import uuid +import asn1tools +import yaml +from cryptography import x509 +from cryptography.hazmat.backends import default_backend +from cryptography.hazmat.primitives import hashes, serialization +from cryptography.hazmat.primitives.asymmetric import ec +from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes +from cryptography.hazmat.primitives.kdf.x963kdf import X963KDF +from cryptography.x509.oid import NameOID + +import constante as cts +from CreateCertificate import PrivateKey +from ui import UI + +AAS_MODEL = ['RFC5280.asn', 'RFC3279.asn', 'SSP_ASN.asn'] + + +class SSPAuthenticationCommand: + """Base class for a handling a SSP token.""" + + def __init__(self): + """Instantiate the object.""" + self.setModel(AAS_MODEL) + + def setModel(self, modeles): + """Set the ASN.1 model.""" + self.model = asn1tools.compile_files(modeles, 'der') + # for type in self.model.types: + # print(type) + + def generateChallengeCommand(self, parameters=None): + """ Generate the AAS-OP-GET-CHALLENGE-Service-Command.""" + m_aas_command = self.model.encode( + 'AAS-CONTROL-SERVICE-GATE-Commands', + ('aAAS-OP-GET-CHALLENGE-Service-Command', {}) + ) + with open(cts.PATH_CREDENTIALS + + "aAAS-OP-GET-CHALLENGE-Service-Command" + + ".der", "wb") as f: + f.write(m_aas_command) + + def generateChallengeResponse(self, parameters=None): + """ Generate the AAS-OP-GET-CHALLENGE-Service-Response.""" + with open(cts.PATH_CREDENTIALS + parameters[cts.KW_PATH] + + ".der", "rb") as f: + aCertificates = f.read() + m_aCertificates = self.model.decode('Certificates', aCertificates) + with open(cts.PATH_CREDENTIALS + parameters[cts.KW_CHALLENGE] + + ".bin", "rb") as f: + aChallenge = f.read() + + m_aas_response = self.model.encode( + 'AAS-CONTROL-SERVICE-GATE-Responses', + ('aAAS-OP-GET-CHALLENGE-Service-Response', + {'aParameter': {'aChallenge': aChallenge, + 'aCertificates': m_aCertificates + } + })) + with open(cts.PATH_CREDENTIALS + parameters[cts.KW_NAME] + + ".der", "wb") as f: + f.write(m_aas_response) + + def readChallengeResponse(self, parameters=None): + """ Read the AAS-OP-GET-CHALLENGE-Service-Response.""" + with open(cts.PATH_CREDENTIALS + parameters[cts.KW_NAME] + + ".der", "rb") as f: + aResponse = f.read() + m_aResponse = self.model.decode('AAS-CONTROL-SERVICE-GATE-Responses', + aResponse) + mCert509dict = {} + for certificate in m_aResponse[1]['aParameter']['aCertificates']: + der_data = self.model.encode('Certificate', certificate) + cert = x509.load_der_x509_certificate(der_data, default_backend()) + CN = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME) + mCert509dict[CN[0].value] = cert + + for k in mCert509dict: + v = mCert509dict[k] + CN = v.issuer.get_attributes_for_oid(NameOID.COMMON_NAME) + cert_issuer = mCert509dict[CN[0].value] + public_key_issuer = cert_issuer.public_key() + print(k, " verified by:", CN[0].value) + public_key_issuer.verify( + v.signature, + v.tbs_certificate_bytes, + ec.ECDSA(hashes.SHA256()) + ) + + def generateAuthenticateCommand(self, parameters=None): + """ Generate the AAS-OP-AUTHENTICATE-Service-Command.""" + with open(cts.PATH_CREDENTIALS + parameters[cts.KW_PATH] + + ".der", "rb") as f: + aCertificates_der = f.read() + m_aCertificates = self.model.decode('Certificates', aCertificates_der) + with open(cts.PATH_TOKENS + parameters[cts.KW_AUTHENTICATIONTOKEN] + + ".der", "rb") as f: + aToken_der = f.read() + m_aaa_token = self.model.decode('AuthenticationToken', aToken_der) + + m_aaa_token_param = {'aCredential': ( + 'aAccessorTokenCredential', { + 'aToken': m_aaa_token, + 'aTokenCertificationPath': m_aCertificates + } + ) + } + + m_aas_command = self.model.encode( + 'AAS-CONTROL-SERVICE-GATE-Commands', + ('aAAS-OP-AUTHENTICATE-ACCESSOR-Service-Command', + m_aaa_token_param) + ) + + with open(cts.PATH_CREDENTIALS + + "aAAS-OP-AUTHENTICATE-Service-Command.der", + "wb") as f: + f.write(m_aas_command) + + def generateAuthenticateResponse(self, parameters=None): + """ Generate the AAS-OP-AUTHENTICATE-Service-Response.""" + with open(cts.PATH_TOKENS + parameters[cts.KW_AUTHENTICATIONTOKEN] + + ".der", "rb") as f: + aToken_der = f.read() + m_aaa_token = self.model.decode('AuthenticationToken', aToken_der) + m_aas_command = self.model.encode( + 'AAS-CONTROL-SERVICE-GATE-Responses', + ('aAAS-OP-AUTHENTICATE-ACCESSOR-Service-Response', { + 'aParameter': ('aServiceToken', m_aaa_token) + } + ) + ) + with open(cts.PATH_CREDENTIALS + parameters[cts.KW_NAME] + + ".der", + "wb") as f: + f.write(m_aas_command) + + def generateSharedSecret(self, parameters=None): + """Generate the shared secret.""" + + m_private_key = PrivateKey(parameters[cts.KW_PRIVATE]).get() + # Read the authentication token + with open(cts.PATH_TOKENS + parameters[cts.KW_PUBLIC] + + ".der", "rb") as f: + aToken_der = f.read() + # Extract the authentication token with its model + m_token = self.model.decode('AuthenticationToken', aToken_der) + # Convert the public key info from a model to a DER + m_pk_der = self.model.encode('SubjectPublicKeyInfo', + m_token['tbsToken']['subjectPublicKeyInfo']) + # Retrieve the public key from the DER file + m_public_key = serialization.load_der_public_key( + m_pk_der, backend=default_backend() + ) + # Extract the key size for the streamcipher + m_key_size_idx = m_token['tbsToken']['aATK-Content']['aKey-Size'] + # Compute the shared key + shared_key = m_private_key.exchange( + ec.ECDH(), m_public_key) + # Compute the diversifier from aChallenge and the gate identifier. + m_diversifier = bytes(a ^ b for (a, b) in zip( + m_token['tbsToken']['aATK-Content']['aChallenge'], + self.m_aGateIdentifier)) + # Compute the shared info. + m_SI = cts.SI_KEYS[m_key_size_idx] + m_diversifier + # Derive the key for the shared info + derived_key = X963KDF( + algorithm=hashes.SHA256(), + length=cts.MD_LENGTH[m_key_size_idx], + sharedinfo=m_SI, + backend=default_backend() + ).derive(shared_key) + # Storage of the GCM key and IV + if m_key_size_idx == cts.KEY_SIZE_E128: + m_gcm_key = derived_key[0:16] + m_gcm_iv = derived_key[16:32] + else: + m_gcm_key = derived_key[0:32] + m_gcm_iv = derived_key[32:48] + m_model = asn1tools.compile_files(['SSPToken.asn'], 'der') + m_save_der = m_model.encode('GCM-Parameters', { + 'aKey': m_gcm_key, + 'aIV': m_gcm_iv + }) + with open(cts.PATH_CREDENTIALS + parameters[cts.KW_NAME] + + ".der", + "wb") as f: + f.write(m_save_der) + + def generateOAScommand(self, parameters=None): + """Generate the AAS-OP-ACCESS-SERVICE-Service-Command command.""" + m_aas_command = self.model.encode( + 'AAS-CONTROL-SERVICE-GATE-Commands', + ('aAAS-OP-ACCESS-SERVICE-Service-Command', { + 'aServiceIdentifier': bytes.fromhex(parameters[cts.KW_SI]), + 'aUseSecurePipe': True + } + ) + ) + with open(cts.PATH_CREDENTIALS + parameters[cts.KW_NAME] + + ".der", + "wb") as f: + f.write(m_aas_command) + + def generateOASresponse(self, parameters=None): + """ Generate the AAS-OP-ACCESS-SERVICE-Service-Response.""" + aRand = uuid.uuid4() + m_aGateIdentifier = uuid.uuid5(namespace=uuid.NAMESPACE_DNS, + name=aRand.urn + ) + m_aas_command = self.model.encode( + 'AAS-CONTROL-SERVICE-GATE-Responses', + ('aAAS-OP-ACCESS-SERVICE-Service-Response', { + 'aParameter': {'aGateIdentifier': m_aGateIdentifier.bytes} + } + ) + ) + with open(cts.PATH_CREDENTIALS + parameters[cts.KW_NAME] + + ".der", + "wb") as f: + f.write(m_aas_command) + + def readOASResponse(self, parameters=None): + """ Read the AAS-OP-ACCESS-SERVICE-Service-Response.""" + with open(cts.PATH_CREDENTIALS + parameters[cts.KW_NAME] + + ".der", "rb") as f: + aResponse = f.read() + m_aResponse = self.model.decode('AAS-CONTROL-SERVICE-GATE-Responses', + aResponse) + self.m_aGateIdentifier =\ + m_aResponse[1]['aParameter']['aGateIdentifier'] + + def encryptLargeMessage(self, parameters=None): + """Encrypt large message from an input file.""" + self.m_counter = parameters[cts.KW_SEQUENCE] + with open(cts.PATH_CREDENTIALS + parameters[cts.KW_NAME] + + ".der", + "rb") as f: + m_data = f.read() + m_model = asn1tools.compile_files(['SSPToken.asn'], 'der') + m_gcm = m_model.decode('GCM-Parameters', m_data) + # Read IV and key + self.m_gcm_key = m_gcm['aKey'] + self.m_gcm_iv = m_gcm['aIV'] + # Read the input file + with open(cts.PATH_CREDENTIALS + parameters[cts.KW_IN] + + ".bin", + "rb") as f: + m_large_message = f.read() + m_mtu = parameters[cts.KW_MTU] + m_nb_bloc = int((len(m_large_message)+(m_mtu-1)) / (m_mtu-1)) + m_start = 0 + m_end = 0 + # Write the encrypted output file + with open(cts.PATH_CREDENTIALS + parameters[cts.KW_OUT] + + ".bin", + "wb") as f: + for i in range(m_nb_bloc): + m_end = m_start + min(len(m_large_message)-m_end, m_mtu-1) + m = self.messageFragment(m_large_message[m_start:m_end], + (i == m_nb_bloc)) + m_start = m_end + m = self.encrypt(m) + f.write(m) + + def decryptLargeMessage(self, parameters=None): + """ Decrypt a large file from an input file.""" + with open(cts.PATH_CREDENTIALS + parameters[cts.KW_NAME] + + ".der", + "rb") as f: + m_data = f.read() + m_model = asn1tools.compile_files(['SSPToken.asn'], 'der') + m_gcm = m_model.decode('GCM-Parameters', m_data) + # Read IV and key + self.m_gcm_key = m_gcm['aKey'] + self.m_gcm_iv = m_gcm['aIV'] + # Read the encrypted input file + with open(cts.PATH_CREDENTIALS + parameters[cts.KW_IN] + + ".bin", + "rb") as f: + m_large_message = f.read() + m_mtu = parameters[cts.KW_MTU] + m_nb_bloc = int((len(m_large_message) / (m_mtu + 16 + cts.SCL_SIZE_SEQ))+1) + m_start = 0 + m_end = 0 + # Write the plaintext output file + with open(cts.PATH_CREDENTIALS + parameters[cts.KW_OUT] + + ".bin", + "wb") as f: + for i in range(m_nb_bloc): + m_end = m_start + min(len(m_large_message)-m_end, m_mtu+16 + cts.SCL_SIZE_SEQ) + seq = m_large_message[m_start:m_start + cts.SCL_SIZE_SEQ] + m = m_large_message[m_start + cts.SCL_SIZE_SEQ:m_end] + m_start = m_end + m = self.decrypt(m, seq) + m, c = self.messageAssembly(m) + f.write(m) + + def generateIVC(self, m_seq): + """Generate IVC (96 bit) from IV and SEQ.""" + cipher = Cipher( + algorithms.AES(self.m_gcm_key), + modes.ECB(), + backend=default_backend()) + encryptor = cipher.encryptor() + ivc = encryptor.update( + self.m_gcm_iv[0:16-cts.SCL_SIZE_SEQ] + m_seq + ) + encryptor.finalize() + return ivc[0:12] + + def messageFragment(self, message_fragment, cb): + """ Create a message fragment.""" + PL = (len(message_fragment)+1) % 16 + if PL > 0: + PL = 16 - PL + if cb == 1: + H = PL | 128 + else: + H = PL + m_message = message_fragment+bytes(PL)+H.to_bytes(1, byteorder='big') + # Return the message fragment ready for encryption + return m_message + + def messageAssembly(self, message_fragment): + """Allow the fragment message assembly.""" + m_len_M = len(message_fragment) + H = int.from_bytes(message_fragment[m_len_M-1:m_len_M], 'big') + if H > 127: + CB = True + PL = H-128 + else: + CB = False + PL = H + # return the plaintext message fragment and the chaining bit + return message_fragment[0:m_len_M-PL-1], CB + + def encrypt(self, plaintext): + m_seq = self.m_counter.to_bytes(cts.SCL_SIZE_SEQ, 'big') + ivc = self.generateIVC(m_seq) + self.encryptor = Cipher( + algorithms.AES(self.m_gcm_key), + modes.GCM(ivc), + backend=default_backend() + ).encryptor() + # associated_data will be authenticated but not encrypted, + # it must also be passed in on decryption. + self.encryptor.authenticate_additional_data(b'') + # Encrypt the plaintext and get the associated ciphertext. + # GCM does not require padding. + ciphertext = self.encryptor.update(plaintext) +\ + self.encryptor.finalize() + self.m_counter = self.m_counter + 1 + return (m_seq+ciphertext + self.encryptor.tag) + + def decrypt(self, ciphertext, m_seq): + # Construct a Cipher object, with the key, iv, and additionally the + # GCM tag used for authenticating the message. + len_cipher = len(ciphertext) + tag = ciphertext[len_cipher-16:len_cipher] + ctext = ciphertext[0:len_cipher-16] + self.decryptor = Cipher( + algorithms.AES(self.m_gcm_key), + modes.GCM(self.generateIVC(m_seq), tag), + backend=default_backend() + ).decryptor() + + # We put associated_data back in or the tag will fail to verify + # when we finalize the decryptor. + self.decryptor.authenticate_additional_data(b'') + + # Decryption gets us the authenticated plaintext. + # If the tag does not match an InvalidTag exception will be raised. + return self.decryptor.update(ctext) + self.decryptor.finalize() + + +# Open the YAML parameter file +AUTHCONFIGURATION = { + 'options': 'c:h:i:o', + 'description': ["ifile=", "ofile=", "ccommand="], + 'usage': 'CreateAuthCommand.py -c [-i ] [-o ]' +} + +if __name__ == "__main__": + try: + my_ui = UI(AUTHCONFIGURATION) + m_auth = SSPAuthenticationCommand() + if my_ui.isInputFile(): + f = open(my_ui.getInputFile(), 'r', encoding='utf-8') + # Load the YAML file containing the parameters. + paths = list(yaml.load_all(f, Loader=yaml.FullLoader)) + f.close() + for path in paths: + for m_token in path: + parameters = path[m_token] + if m_token == cts.KW_CHALLENGE_COMMAND: + m_auth.generateChallengeCommand(parameters) + if m_token == cts.KW_CHALLENGE_RESPONSE: + m_auth.generateChallengeResponse(parameters) + if m_token == cts.KW_READ_CHALLENGE_RESPONSE: + m_auth.readChallengeResponse(parameters) + if m_token == cts.KW_AUTHENTICATION_COMMAND: + m_auth.generateAuthenticateCommand(parameters) + if m_token == cts.KW_AUTHENTICATION_RESPONSE: + m_auth.generateAuthenticateResponse(parameters) + if m_token == cts.KW_GENERATE_SHARED_KEY: + m_auth.generateSharedSecret(parameters) + if m_token == cts.KW_ENCRYPT: + m_auth.encryptLargeMessage(parameters) + if m_token == cts.KW_DECRYPT: + m_auth.decryptLargeMessage(parameters) + if m_token == cts.KW_OAS_COMMAND: + m_auth.generateOAScommand(parameters) + if m_token == cts.KW_OAS_RESPONSE: + m_auth.generateOASresponse(parameters) + if m_token == cts.KW_READ_OAS_RESPONSE: + m_auth.readOASResponse(parameters) + except ValueError as e: + print("Oops!..", e) diff --git a/CreateCertificate.py b/CreateCertificate.py new file mode 100644 index 0000000000000000000000000000000000000000..7acddddcd6116dfeddcb9daafa4e8c410ece7fc9 --- /dev/null +++ b/CreateCertificate.py @@ -0,0 +1,238 @@ +import yaml +import datetime +from cryptography import x509 +from cryptography.hazmat.backends import default_backend +from cryptography.hazmat.primitives import hashes, serialization +from cryptography.x509.oid import NameOID +import io +from ui import UI +import constante as cts + + +class PublicKey: + """Base class for a handling a public key.""" + + def __init__(self, name): + """Instantiate the object.""" + pu_name = cts.PATH_PUBLIC + name + "-public-key.der" + with io.open(pu_name, 'rb') as f: + buf = f.read() + f.close() + self.public_key = serialization.load_der_public_key( + buf, backend=default_backend() + ) + + def get(self): + """Get the native public key.""" + return self.public_key + + +class PrivateKey: + """Base class for a handling a public key.""" + + def __init__(self, name): + """Instantiate the object.""" + f = open(cts.PATH_PRIVATE + name + "-private-key.der", "rb") + buf = f.read() + f.close() + self.private_key = serialization.load_der_private_key( + buf, password=None, + backend=default_backend() + ) + + def get(self): + """Get the native private key.""" + return self.private_key + + +class SSPcertificate: + """Base class for a handling a SSP certificate.""" + + def __init__(self): + """Instantiate the object.""" + pass + + def generate(self, certificate_parameter): + """ Generate a certificate according to a set of parameters.""" + try: + # Creation of the certificate builder + cert = x509.CertificateBuilder() + + # Collection of the subjet attributes + attribute_subject = [] + attribute_issuer = [] + for k, m_field in certificate_parameter.items(): + + if k == cts.KW_ISSUER: + # Collect of the issuer attributes + for k, v in m_field.items(): + if k == cts.KW_C: + attribute_issuer.append(x509.NameAttribute( + NameOID.COUNTRY_NAME, v) + ) + if k == cts.KW_ST: + attribute_issuer.append(x509.NameAttribute( + NameOID.STATE_OR_PROVINCE_NAME, v)) + if k == cts.KW_O: + attribute_issuer.append(x509.NameAttribute( + NameOID.ORGANIZATION_NAME, v) + ) + if k == cts.KW_OU: + attribute_issuer.append(x509.NameAttribute( + NameOID.ORGANIZATIONAL_UNIT_NAME, v) + ) + if k == cts.KW_CN: + attribute_issuer.append(x509.NameAttribute( + NameOID.COMMON_NAME, v) + ) + # Get the issuer private key. + self.issuer_private_key = PrivateKey(v) + # Get the issur public key. + self.issuer_public_key = PublicKey(v) + if k == cts.KW_LN: + attribute_issuer.append(x509.NameAttribute( + NameOID.LOCALITY_NAME, v) + ) + + # Add the Authority Key Identifier (back chaining) + cert = cert.add_extension( + x509.AuthorityKeyIdentifier.from_issuer_public_key( + self.issuer_public_key.get()), critical=True) + + if k == cts.KW_SUBJECT: + # Collect of the subject attribute + for k, v in m_field.items(): + if k == cts.KW_C: + attribute_subject.append(x509.NameAttribute( + NameOID.COUNTRY_NAME, v) + ) + if k == cts.KW_ST: + attribute_subject.append(x509.NameAttribute( + NameOID.STATE_OR_PROVINCE_NAME, v)) + if k == cts.KW_O: + attribute_subject.append(x509.NameAttribute( + NameOID.ORGANIZATION_NAME, v) + ) + if k == cts.KW_OU: + attribute_subject.append(x509.NameAttribute( + NameOID.ORGANIZATIONAL_UNIT_NAME, v) + ) + if k == cts.KW_CN: + attribute_subject.append(x509.NameAttribute( + NameOID.COMMON_NAME, v) + ) + print("Certificate generation: ", v) + # Getting of the certificate public key. + self.public_key = PublicKey(v) + self.cert_name = v + + if k == cts.KW_LN: + attribute_subject.append(x509.NameAttribute( + NameOID.LOCALITY_NAME, v) + ) + + # Add the Subject Key Identifier extension. + cert = cert.add_extension( + x509.SubjectKeyIdentifier.from_public_key + (self.public_key.get()), + critical=False) + + if k == cts.KW_SERIAL_NUMBER: + # Add the serial number. + cert = cert.serial_number(m_field) + if k == cts.KW_NOT_BEFORE: + # Add the low limit validity date. + cert = cert.not_valid_before( + datetime.datetime.fromisoformat(m_field) + ) + if k == cts.KW_NOT_AFTER: + # Add the high limit validity date + cert = cert.not_valid_after( + datetime.datetime.fromisoformat(m_field) + ) + if k == cts.KW_EXTENSIONS: + # Collect the extensions. + for k, v in m_field.items(): + if k == cts.KW_BASICCONSTRAINTS: + # Add the basic constraints extension. + if v[cts.KW_VALUE][cts.KW_CA]: + cert = cert.add_extension( + x509.BasicConstraints( + ca=True, + path_length=v[cts.KW_VALUE][cts.KW_PATHLEN] + ), + critical=v[cts.KW_CRITICAL] + ) + else: + cert = cert.add_extension( + x509.BasicConstraints( + path_length=None, + ca=False), + critical=v[cts.KW_CRITICAL] + ) + if k == cts.KW_CERTIFICATEPOLICIES: + # Add the certificate policies extension. + cert = cert.add_extension( + x509.CertificatePolicies([ + x509.PolicyInformation( + x509.ObjectIdentifier( + v[cts.KW_VALUE] + [cts.KW_IDENTIFIER]), + [x509.UserNotice( + explicit_text=v[cts.KW_VALUE] + [cts.KW_EXPLICIT_TEXT], + notice_reference=None + )]) + ]), + critical=v[cts.KW_CRITICAL]) + # Init the issuer name. + cert = cert.issuer_name(x509.Name(attribute_issuer)) + # Init the subject name. + cert = cert.subject_name(x509.Name(attribute_subject)) + # Init of the subject public key + cert = cert.public_key(self.public_key.get()) + # Add the key usage extension + cert = cert.add_extension(x509.KeyUsage( + True, False, False, False, False, False, False, False, False + ), + critical=True + ) + # Sign the certificate with the issuer private key. + cert = cert.sign( + self.issuer_private_key.get(), + hashes.SHA256(), + default_backend() + ) + # Write our certificate out to disk. + with open(cts.PATH_CERTIFICATES + + self.cert_name+".der", "wb") as f: + f.write(cert.public_bytes(encoding=serialization.Encoding.DER)) + with open(cts.PATH_CERTIFICATES + + self.cert_name+".pem", "wb") as f: + f.write(cert.public_bytes(encoding=serialization.Encoding.PEM)) + + except ValueError as e: + print("Oops!..", e) + +# Open the YAML parameter file + + +CERTCONFIGURATION = { + 'options': 'c:h:i:o', + 'description': ["ifile=", "ofile=", "ccommand="], + 'usage': 'CreateCertificate.py -c [-i ] [-o ]' +} +if __name__ == "__main__": + my_ui = UI(CERTCONFIGURATION) + if my_ui.isInputFile(): + f = open(my_ui.getInputFile(), 'r', encoding='utf-8') + # Load the YAML file containing the parameters. + paths = list(yaml.load_all(f, Loader=yaml.FullLoader)) + f.close() + # print(paths) + # Scan all certificate parameters. + for certificate in paths[0]: + # Instantiate a certificate. + m_cert = SSPcertificate() + # # Generate the certificate according to the parameters. + m_cert.generate(certificate) diff --git a/CreateToken.py b/CreateToken.py new file mode 100644 index 0000000000000000000000000000000000000000..6c51c1127026382d51c1210848b43991a5955b3e --- /dev/null +++ b/CreateToken.py @@ -0,0 +1,284 @@ + +import uuid +import asn1tools +import yaml +from cryptography import x509 +from cryptography.hazmat.primitives import serialization +from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives.asymmetric import ec + +from pyasn1.codec.der import decoder, encoder +from pyasn1.type import univ, namedtype + +import constante as cts +from CreateCertificate import PrivateKey, PublicKey +from ui import UI + + +class Certificate(univ.Sequence): + pass + + +class CertificationPath(univ.SetOf): + """Base class for a certificate lists.""" + pass + + +class AuthenticationToken(univ.Sequence): + """Base class for an authentication token.""" + componentType = namedtype.NamedTypes( + namedtype.NamedType('tbsToken', univ.Sequence()), + namedtype.NamedType('signatureAlgorithm', univ.Sequence()), + namedtype.NamedType('signature', univ.Sequence()) + ) + + +class AuthenticationTokenCredential(univ.Sequence): + """Base class for an authentication token.""" + componentType = namedtype.NamedTypes( + namedtype.NamedType('token', univ.Sequence()), + namedtype.NamedType(cts.KW_PATH, univ.SetOf()) + ) + + +class SSPtoken: + """Base class for a handling a SSP token.""" + + def __init__(self, path): + """Instantiate the object.""" + self.path = path + + def setModel(self, modeles): + """Set the ASN.1 model.""" + self.model = asn1tools.compile_files(modeles, 'der') + + def generateChallenge(self, parameters): + file_name = cts.PATH_CREDENTIALS + parameters[cts.KW_NAME] + ".bin" + if parameters[cts.KW_GENERATE]: + # Generate a challenge as a random + aRand = uuid.uuid4() + self.m_challenge = aRand.bytes + # Save the private key for additional operations. + with open(file_name, "wb") as f: + f.write(self.m_challenge) + else: + with open(file_name, "rb") as f: + self.m_challenge = f.read() + + def generatePath(self, parameters): + """ Generate the certification path.""" + # Load the models + self.setModel(parameters[cts.KW_MODELES]) + # Instantiate the CertificationPath + self.path = CertificationPath() + # Load the certificates according to the configuration file + position = 0 + for certificate in parameters[cts.KW_PATH]: + # Load the certificate from the disk. + filename = cts.PATH_CERTIFICATES + certificate+".der" + with open(filename, "rb") as f: + certificate_der = f.read() + value = decoder.decode(certificate_der, + asn1Spec=Certificate()) + self.path.setComponentByPosition(position, value[0]) + position = position + 1 + # If Name of the certification path is present then the data are + # serialized and saved on a file + if cts.KW_NAME in parameters: + certificationPath_der = encoder.encode(self.path) + with open(cts.PATH_CREDENTIALS + parameters[cts.KW_NAME] + + ".der", "wb") as f: + f.write(certificationPath_der) + + def generateToken(self, parameters): + """ Generate a token according to a set of parameters.""" + try: + # Creation of the token builder + print(parameters[cts.KW_MODELES]) + self.setModel(parameters[cts.KW_MODELES]) + self.token_name = parameters[cts.KW_NAME] + # Generate a pair of private/public keys for EDCDH operations. + if parameters[cts.KW_ECKA_CURVE] not in cts.CURVES: + raise Exception("wrong ECC curve") + private_ekey = ec.generate_private_key( + cts.CURVES[parameters[cts.KW_ECKA_CURVE]]) + # Serialize the private key to a DER format + private_ekey_der = private_ekey.private_bytes( + encoding=serialization.Encoding.DER, + format=serialization.PrivateFormat.TraditionalOpenSSL, + encryption_algorithm=serialization.NoEncryption() + ) + # Save the private key for additional operations. + with open(cts.PATH_PRIVATE + self.token_name + + "-private-key.der", "wb") as f: + f.write(private_ekey_der) + # Compute the public key from the private key. + public_ekey = private_ekey.public_key() + # Encode the public key according to the DER format. + public_key_der = public_ekey.public_bytes( + encoding=serialization.Encoding.DER, + format=serialization.PublicFormat.SubjectPublicKeyInfo + ) + # Create a public key info. + public_key_data = self.model.decode( + 'SubjectPublicKeyInfo', public_key_der) + + # Collection of the subjet attributes + for k, m_field in parameters.items(): + + if k == cts.KW_ISSUER: + # Get the issuer private key. + self.issuer_private_key = PrivateKey(m_field).get() + self.issuer_public_key = PublicKey(m_field).get() + + # Create the structure for generating the authentication token body + atbsToken = {'version': cts.V1} + # Fill the signature parameters + atbsToken['signature'] = {} + atbsToken['signature']['algorithm'] = cts.OID_ECDSASHA256 + atbsToken['subjectPublicKeyInfo'] = public_key_data + + # Fill the ATK-Content + atbsToken['aATK-Content'] = { + 'aChallenge': self.m_challenge} + if parameters[cts.KW_KEYSIZE] not in cts.KEY_SIZES: + raise Exception("wrong Key size") + # fill the challenge field + atbsToken['signatureAlgorithm'] = {} + atbsToken['signatureAlgorithm']['algorithm'] = cts.OID_ECDSASHA256 + atbsToken['aATK-Content']['aKey-Size'] = cts.KEY_SIZES[parameters[cts.KW_KEYSIZE]] # 'Key-Size 128 or 256' + atbsToken['aATK-Content']['aStreamCipherIdentifier'] = cts.AES_CGM # 'aAES-CGM-StreamCipherIdentifier' + # Create the AKI structure + m_AKI = x509.AuthorityKeyIdentifier.from_issuer_public_key( + self.issuer_public_key) + # Fill the AKI extension + atbsToken['extensions'] = [{}] + atbsToken['extensions'][0]['extnID'] = cts.OID_AKI + atbsToken['extensions'][0]['critical'] = True + atbsToken['extensions'][0]['extnValue'] = m_AKI.key_identifier + # Encode the TBSToken + tbsToken = self.model.encode('TBSToken', atbsToken) + + # Generate the signature + signature_der = self.issuer_private_key.sign( + tbsToken, ec.ECDSA(hashes.SHA256())) + # Convert the DER format to a dictionary + signature_data = self.model.decode( + 'ECDSA-Sig-Value', signature_der) + + # Create the authentication token structure + auth_token = {} + # Fill the authentication token body + auth_token['tbsToken'] = atbsToken + # Fill the authentication token signature + auth_token['signature'] = signature_data + auth_token['signatureAlgorithm'] = {} + auth_token['signatureAlgorithm']['algorithm'] = cts.OID_ECDSASHA256 + # Encode the authentication token using the DER formaty + auth_token_der = self.model.encode( + cts.KW_AUTHENTICATIONTOKEN, auth_token) + # Save the authentication token on to disk. + with open(cts.PATH_TOKENS + + self.token_name+".der", "wb") as f: + f.write(auth_token_der) + # Verify the authentication token + # self.verifyToken(parameters) + + except ValueError as e: + # Catch an execption if it is occured + print("Oops!..", e) + + def verifyToken(self, parameters): + """ Generate a token according to a set of parameters.""" + try: + # Creation of the token builder + self.setModel(parameters[cts.KW_MODELES]) + self.token_name = parameters[cts.KW_NAME] + for k, m_field in parameters.items(): + + if k == "issuer": + # Get the issuer public key. + self.issuer_public_key = PublicKey(m_field).get() + # Create a subject key identifier from the issuer public key + authorityKeyIdentifier = x509.SubjectKeyIdentifier.from_public_key(self.issuer_public_key) + auth_token_der = 0 + # Load the authentication token from the disk. + with open(cts.PATH_TOKENS + + self.token_name+".der", "rb") as f: + auth_token_der = f.read() + + # Decode the authentication token DER data + token_verif = self.model.decode(cts.KW_AUTHENTICATIONTOKEN, + auth_token_der + ) + # Check if the version is right + if token_verif['tbsToken']['version'] != cts.V1: + raise Exception("wrong Version") + # Check if the signature algorithm identifier is right before + # verifying the signature + if token_verif['tbsToken']['signatureAlgorithm']['algorithm'] != cts.OID_ECDSASHA256: + raise Exception("wrong Signature algorithm") + # Check if the signature streamcipher algorithm identifier is right + if token_verif['tbsToken']['aATK-Content']['aStreamCipherIdentifier'] not in [cts.AES_CGM]: + raise Exception("wrong stream cipher identifier") + # Check if the key sizz is known + if token_verif['tbsToken']['aATK-Content']['aKey-Size'] not in [cts.KEY_SIZE_E128, cts.KEY_SIZE_E256]: + raise Exception("wrong Key size") + # Scan the extensions + m_AKI = b'x00' + for extension in token_verif['tbsToken']['extensions']: + # Check if the extension is AKI + if extension['extnID'] == cts.OID_AKI: + # Intermediate saving of the AKI + m_AKI = extension['extnValue'] + # Check if Authority Key Identifier (AKI) is right + if authorityKeyIdentifier.digest != m_AKI: + raise Exception("wrong AKI") + # Check if the authentication is well-formed + self.authenticationToken = decoder.decode( + auth_token_der, asn1Spec=AuthenticationToken() + ) + # Verify the signature + self.issuer_public_key.verify( + encoder.encode(self.authenticationToken[0].getComponentByPosition(2)), + encoder.encode(self.authenticationToken[0].getComponentByPosition(0)), + ec.ECDSA(hashes.SHA256())) + except ValueError as e: + print("Oops!..", e) + +# Open the YAML parameter file + + +tokenConfiguration = { + 'options': ':c:hi:o', + 'description': ["ifile=", "ofile=", "ccommand="], + 'usage': 'CreateToken.py [-c ] [-i ] [-o ]' +} +if __name__ == "__main__": + try: + my_ui = UI(tokenConfiguration) + if my_ui.isInputFile(): + f = open(my_ui.getInputFile(), 'r', encoding='utf-8') + # Load the YAML file containing the parameters. + paths = list(yaml.load_all(f, Loader=yaml.FullLoader)) + f.close() + # print(paths) + # Scan all token parameters. + m_cert = SSPtoken("") + for path in paths: + for m_token in path: + parameters = path[m_token] + if m_token == cts.KW_CHALLENGE: + m_cert.generateChallenge(parameters) + + if m_token == cts.KW_CERTIFICATIONPATH: + m_cert.generatePath(parameters) + + if m_token == cts.KW_AUTHENTICATIONTOKEN: + print("token generation: ", parameters[cts.KW_NAME]) + # Instantiate a token. + # # Generate the token according to the parameters. + m_cert.generateToken(parameters) + + except ValueError as e: + print("Oops!..", e) diff --git a/ETSI-SSP-AAA-FAKE-param.yaml b/ETSI-SSP-AAA-FAKE-param.yaml new file mode 100644 index 0000000000000000000000000000000000000000..7e1598287aa1e97ec41a5f755e75cb847c997f4a --- /dev/null +++ b/ETSI-SSP-AAA-FAKE-param.yaml @@ -0,0 +1,70 @@ +--- +AAA_FAKE: # certification path name + - certificate: + extensions: + CertificatePolicies: + critical: true + value: + identifier: 0.4.0.3666.1 + explicit_text: id-role + basicConstraints: + critical: true + value: + CA: true + pathlen: 1 + Name: ETSI-SSP-CI # Base name of the certificate + serial_number: 1 + not_after: '2021-12-01T12:00:00' + issuer: ETSI-SSP-CI # Base name of the issuer's keys + not_before: '2021-01-01T12:00:00' + subject: + C: FR + ST: PACA + CN: ETSI.ORG + O: ETSI-SSP-TTF + OU: ETSI + - certificate: + extensions: + CertificatePolicies: + critical: true + value: + identifier: 0.4.0.3666.1.1 + explicit_text: id-role-aaa + basicConstraints: + critical: true + value: + CA: true + pathlen: 0 + Name: ETSI-SSP-AAA-CA + serial_number: 3 + not_after: '2021-12-01T12:00:00' + issuer: ETSI-SSP-CI + not_before: '2021-01-01T12:00:00' + subject: + C: FR + ST: PACA + CN: ETSI.ORG + O: ETSI-SSP-TTF + OU: ETSI + - certificate: + extensions: + CertificatePolicies: + critical: true + value: + identifier: 0.4.0.3666.1.1.1 + explicit_text: id-role-aaa-application + basicConstraints: + critical: true + value: + CA: false + Name: ETSI-SSP-AAA-EE + serial_number: 5 + not_after: '2021-12-01T12:00:00' + issuer: ETSI-SSP-AAS-CA + not_before: '2021-01-01T12:00:00' + subject: + C: FR + ST: PACA + CN: ETSI.ORG + O: ETSI-SSP-TTF + OU: ETSI diff --git a/ETSI-SSP-AAA-TOKEN-param.yaml b/ETSI-SSP-AAA-TOKEN-param.yaml new file mode 100644 index 0000000000000000000000000000000000000000..f4464dfe8546bb093c8061ba1996d9cbff7b38ce --- /dev/null +++ b/ETSI-SSP-AAA-TOKEN-param.yaml @@ -0,0 +1,23 @@ +Challenge: + Generate: false # Do not generate a challenge + Name: AAS01 # File name of the file containing the challenge +CertificationPath: + Name: CP_AAA # File name of the DER file containing the certification path + Path: + - ETSI-SSP-AAA-CI # AAA CI + - ETSI-SSP-AAA-CA # AAA CA + - ETSI-SSP-AAA-EE # AAA EE + Modeles: + - RFC5280.asn # x509v3 certificate model + - RFC3279.asn # ECC signature parameters +AuthenticationToken: + Name: ATK-AAA-ECKA # File name of the authentication token DER file + Issuer: ETSI-SSP-AAA-EE # Certificatte verifying the authentication token + ECKA-Curve: BrainpoolP256R1 # ECC curve for key agreement + KeySize: 256 # key size of the streamcipher + Modeles: + - RFC5280.asn # x509v3 certificate model + - RFC3279.asn # ECC signature parameters + - SSP_ASN.asn + + \ No newline at end of file diff --git a/ETSI-SSP-AAA-param.yaml b/ETSI-SSP-AAA-param.yaml new file mode 100644 index 0000000000000000000000000000000000000000..839f39fc13cfdfd40b19fbc23824f611b8e61bac --- /dev/null +++ b/ETSI-SSP-AAA-param.yaml @@ -0,0 +1,77 @@ +- Extensions: + CertificatePolicies: + Critical: true + Value: + Identifier: 0.4.0.3666.1 + Explicit_text: id-role + BasicConstraints: + Critical: true + Value: + CA: true + Pathlen: 1 + Serial_number: 1 + Not_after: '2021-12-01T12:00:00' + Not_before: '2021-01-01T12:00:00' + Issuer: + C: FR + ST: PACA + CN: ETSI-SSP-AAA-CI + O: ETSI.ORG + OU: SSP-TTF + Subject: + C: FR + ST: PACA + CN: ETSI-SSP-AAA-CI + O: ETSI.ORG + OU: SSP-TTF +- Extensions: + CertificatePolicies: + Critical: true + Value: + Identifier: 0.4.0.3666.1.2 + Explicit_text: id-role-AAA + BasicConstraints: + Critical: true + Value: + CA: true + Pathlen: 0 + Serial_number: 3 + Not_after: '2021-12-01T12:00:00' + Not_before: '2021-01-01T12:00:00' + Issuer: + C: FR + ST: PACA + CN: ETSI-SSP-AAA-CI + O: ETSI.ORG + OU: SSP-TTF + Subject: + C: FR + ST: PACA + CN: ETSI-SSP-AAA-CA + O: ETSI.ORG + OU: SSP-TTF +- Extensions: + CertificatePolicies: + Critical: true + Value: + Identifier: 0.4.0.3666.1.2.1 + Explicit_text: id-role-aaa-application + BasicConstraints: + Critical: true + Value: + CA: false + Serial_number: 5 + Not_after: '2021-12-01T12:00:00' + Not_before: '2021-01-01T12:00:00' + Issuer: + C: FR + ST: PACA + CN: ETSI-SSP-AAA-CA + O: ETSI.ORG + OU: SSP-TTF + Subject: + C: FR + ST: PACA + CN: ETSI-SSP-AAA-EE + O: ETSI.ORG + OU: SSP-TTF \ No newline at end of file diff --git a/ETSI-SSP-AAS-TOKEN-param.yaml b/ETSI-SSP-AAS-TOKEN-param.yaml new file mode 100644 index 0000000000000000000000000000000000000000..f310ca39174b6f9efa650b0ea2e5a2598b7a3f69 --- /dev/null +++ b/ETSI-SSP-AAS-TOKEN-param.yaml @@ -0,0 +1,24 @@ +Challenge: + Generate: true + Name: AAS01 +CertificationPath: + Name: CP_AAS + Path: + - ETSI-SSP-AAS-CI + - ETSI-SSP-AAS-CA + - ETSI-SSP-AAS-EE + Modeles: + - RFC5280.asn + - RFC3279.asn +AuthenticationToken: + Name: ATK-AAS-ECKA + Issuer: ETSI-SSP-AAS-EE + ECKA-Curve: BrainpoolP256R1 + KeySize: 256 + Modeles: + - RFC5280.asn # x509v3 certificate model + - RFC3279.asn # ECC signature parameters + - SSP_ASN.asn + + + \ No newline at end of file diff --git a/ETSI-SSP-AAS-param.yaml b/ETSI-SSP-AAS-param.yaml new file mode 100644 index 0000000000000000000000000000000000000000..4ac857e764984c9617b3f4b63451ca3adf711d7a --- /dev/null +++ b/ETSI-SSP-AAS-param.yaml @@ -0,0 +1,77 @@ +- Extensions: + CertificatePolicies: + Critical: true + Value: + Identifier: 0.4.0.3666.1 + Explicit_text: id-role + BasicConstraints: + Critical: true + Value: + CA: true + Pathlen: 1 + Serial_number: 1 + Not_after: '2021-12-01T12:00:00' + Not_before: '2021-01-01T12:00:00' + Issuer: + C: FR + ST: PACA + CN: ETSI-SSP-AAS-CI + O: ETSI.ORG + OU: SSP-TTF + Subject: + C: FR + ST: PACA + CN: ETSI-SSP-AAS-CI + O: ETSI.ORG + OU: SSP-TTF +- Extensions: + CertificatePolicies: + Critical: true + Value: + Identifier: 0.4.0.3666.1.1 + Explicit_text: id-role-aas + BasicConstraints: + Critical: true + Value: + CA: true + Pathlen: 0 + Serial_number: 3 + Not_after: '2021-12-01T12:00:00' + Not_before: '2021-01-01T12:00:00' + Issuer: + C: FR + ST: PACA + CN: ETSI-SSP-AAS-CI + O: ETSI.ORG + OU: SSP-TTF + Subject: + C: FR + ST: PACA + CN: ETSI-SSP-AAS-CA + O: ETSI.ORG + OU: SSP-TTF +- Extensions: + CertificatePolicies: + Critical: true + Value: + Identifier: 0.4.0.3666.1.1.1 + Explicit_text: id-role-aas-service + BasicConstraints: + Critical: true + Value: + CA: false + Serial_number: 5 + Not_after: '2021-12-01T12:00:00' + Not_before: '2021-01-01T12:00:00' + Issuer: + C: FR + ST: PACA + CN: ETSI-SSP-AAS-CA + O: ETSI.ORG + OU: SSP-TTF + Subject: + C: FR + ST: PACA + CN: ETSI-SSP-AAS-EE + O: ETSI.ORG + OU: SSP-TTF diff --git a/ETSI-SSP-AUTHENTICATE-param.yaml b/ETSI-SSP-AUTHENTICATE-param.yaml new file mode 100644 index 0000000000000000000000000000000000000000..d7b75679f4bd725e6379a149520c06842840d868 --- /dev/null +++ b/ETSI-SSP-AUTHENTICATE-param.yaml @@ -0,0 +1,37 @@ +Challenge command: # Generate a challenge + Name: AAS01 # Write a binary file containing a 128 bit challenge +Challenge response: + Path: CP_AAS # AAS certification path + Challenge: AAS01 # Write a binary file containing a 128 bit challenge + Name: aAAS-OP-GET-CHALLENGE-Service-Response +Read Challenge response: + Name: aAAS-OP-GET-CHALLENGE-Service-Response +Authenticate command: + Path: CP_AAA + AuthenticationToken: ATK-AAA-ECKA + Name: aAAS-OP-AUTHENTICATE-Service-Command +Authenticate response: + AuthenticationToken: ATK-AAS-ECKA + Name: aAAS-OP-AUTHENTICATE-Service-Response +OAS command: + Name: OAS_COMMAND + Service Identifier: 'DD61116FF0DD57F48A4F52EE70276F24' # Root accessor identifier +OAS response: + Name: OAS_RESPONSE +Read OAS response: + Name: OAS_RESPONSE +Generate shared key: + Private: ATK-AAA-ECKA + Public: ATK-AAS-ECKA + Name: GCM_AAA_AAS +Encrypt: + Name: GCM_AAA_AAS # Container for the derived keys/IV + MTU: 240 + Sequence: 1 + In: Text_In + Out: Text_Out +Decrypt: + Name: GCM_AAA_AAS + MTU: 240 + In: Text_Out + Out: Text_Out_bis \ No newline at end of file diff --git a/ETSI-SSP-CI-param.yaml b/ETSI-SSP-CI-param.yaml new file mode 100644 index 0000000000000000000000000000000000000000..66998b94b3b758452fded7a0a31aaff2cc596754 --- /dev/null +++ b/ETSI-SSP-CI-param.yaml @@ -0,0 +1,93 @@ +- Name: "ETSI-SSP-CI" + subject: + C: "FR" + ST: "PARIS" + O: "ETSI-SSP-TTF" + OU: "ETSI" + CN: "ETSI.ORG" + serial_number: 1 + not_before: '2021-01-01T12:00:00' # YYYYMMDDhhmmssZ + not_after: '2021-12-01T12:00:00' # YYYYMMDDhhmmssZ + issuer: "ETSI-SSP-CI" + extensions: + basicConstraints: + critical: True + value: + CA: True + pathlen: 1 + +- Name: "ETSI-SSP-AAA-CA" + subject: + C: "FR" + ST: "PARIS" + O: "ETSI-SSP-TTF" + OU: "ETSI" + CN: "ETSI.ORG" + issuer: "ETSI-SSP-CI" + serial_number: 2 + not_before: '2021-01-01T12:00:00' # YYYYMMDDhhmmssZ + not_after: '2021-12-01T12:00:00' # YYYYMMDDhhmmssZ + extensions: + basicConstraints: + critical: True + value: + CA: True + pathlen: 0 + +- Name: "ETSI-SSP-AAS-CA" + subject: + C: "FR" + ST: "PARIS" + O: "ETSI-SSP-TTF" + OU: "ETSI" + CN: "ETSI.ORG" + serial_number: 3 + not_before: '2021-01-01T12:00:00' # YYYYMMDDhhmmssZ + not_after: '2021-12-01T12:00:00' # YYYYMMDDhhmmssZ + issuer: "ETSI-SSP-CI" + extensions: + basicConstraints: + critical: True + value: + CA: True + pathlen: 0 + id-ce-CertificatePolicies: + type_name: 'certificatePolicies' + critical: TRUE + value: '0 4 0 3666 1 1' + subject: + issuer: + +- Name: "ETSI-SSP-AAA-EE" + subject: + C: "FR" + ST: "PARIS" + O: "ETSI-SSP-TTF" + OU: "ETSI" + CN: "ETSI.ORG" + serial_number: 4 + issuer: "ETSI-SSP-CA-AAA" + not_before: '2021-01-01T12:00:00' # YYYYMMDDhhmmssZ + not_after: '2021-12-01T12:00:00' # YYYYMMDDhhmmssZ + extensions: + basicConstraints: + critical: True + value: + CA: False +- Name: "ETSI-SSP-AAS-EE" + subject: + C: "FR" + ST: "PARIS" + O: "ETSI-SSP-TTF" + OU: "ETSI" + CN: "ETSI.ORG" + serial_number: 5 + not_before: '2021-01-01T12:00:00' # YYYYMMDDhhmmssZ + not_after: '2021-12-01T12:00:00' # YYYYMMDDhhmmssZ + issuer: "ETSI-SSP-CA-AAS" + extensions: + basicConstraints: + critical: True + value: + CA: False + \ No newline at end of file diff --git a/GENKEY.bat b/GENKEY.bat new file mode 100644 index 0000000000000000000000000000000000000000..bcac71f6ddd870a0dd9411795644b76d708d4341 --- /dev/null +++ b/GENKEY.bat @@ -0,0 +1,44 @@ +clear +echo del private_keys/*.* +del public_keys/*.* +echo openssl ecparam -name brainpoolP384r1 -genkey -noout -outform der -out private_keys/ETSI-SSP-CI-private-key.der +echo openssl ecparam -name brainpoolP384r1 -genkey -noout -outform der -out private_keys/ETSI-SSP-AAA-CA-private-key.der +echo openssl ecparam -name brainpoolP384r1 -genkey -noout -outform der -out private_keys/ETSI-SSP-AAA-EE-private-key.der +echo openssl ecparam -name brainpoolP384r1 -genkey -noout -outform der -out private_keys/ETSI-SSP-AAS-CA-private-key.der +echo openssl ecparam -name brainpoolP384r1 -genkey -noout -outform der -out private_keys/ETSI-SSP-AAS-EE-private-key.der +openssl ecparam -name brainpoolP384r1 -genkey -noout -outform der -out private_keys/ETSI-SSP-AAA-CA-FAKE-private-key.der + +openssl ec -inform DER -in private_keys/ETSI-SSP-AAA-CA-private-key.der -outform PEM -out private_keys/ETSI-SSP-AAA-CA-FAKE-private-key.pem +openssl ec -inform der -in private_keys/ETSI-SSP-AAA-CA-private-key.der -pubout -outform der -out public_keys/ETSI-SSP-AAA-CA-FAKE-public-key.der + +openssl ec -inform DER -in private_keys/ETSI-SSP-CI-private-key.der -outform PEM -out private_keys/ETSI-SSP-AAA-CI-private-key.pem +openssl ec -inform DER -in private_keys/ETSI-SSP-CI-private-key.der -outform PEM -out private_keys/ETSI-SSP-AAS-CI-private-key.pem +openssl ec -inform DER -in private_keys/ETSI-SSP-AAA-CA-private-key.der -outform PEM -out private_keys/ETSI-SSP-AAA-CA-private-key.pem +openssl ec -inform DER -in private_keys/ETSI-SSP-AAA-EE-private-key.der -outform PEM -out private_keys/ETSI-SSP-AAA-EE-private-key.pem +openssl ec -inform DER -in private_keys/ETSI-SSP-AAS-CA-private-key.der -outform PEM -out private_keys/ETSI-SSP-AAS-CA-private-key.pem +openssl ec -inform DER -in private_keys/ETSI-SSP-AAS-EE-private-key.der -outform PEM -out private_keys/ETSI-SSP-AAS-EE-private-key.pem +openssl ec -inform DER -in private_keys/ETSI-SSP-AAA-CA-private-key.der -outform PEM -out private_keys/ETSI-SSP-AAA-CA-private-key.pem + +openssl ec -inform der -in private_keys/ETSI-SSP-AAA-CI-private-key.der -pubout -outform der -out public_keys/ETSI-SSP-AAA-CI-public-key.der +openssl ec -inform der -in private_keys/ETSI-SSP-AAS-CI-private-key.der -pubout -outform der -out public_keys/ETSI-SSP-AAS-CI-public-key.der +openssl ec -inform der -in private_keys/ETSI-SSP-AAA-CA-private-key.der -pubout -outform der -out public_keys/ETSI-SSP-AAA-CA-public-key.der +openssl ec -inform der -in private_keys/ETSI-SSP-AAA-CA-FAKE-private-key.der -pubout -outform der -out public_keys/ETSI-SSP-AAA-CA-FAKE-public-key.der +openssl ec -inform der -in private_keys/ETSI-SSP-AAA-EE-private-key.der -pubout -outform der -out public_keys/ETSI-SSP-AAA-EE-public-key.der +openssl ec -inform der -in private_keys/ETSI-SSP-AAA-EE-private-key.der -pubout -outform der -out public_keys/ETSI-SSP-AAA-EE-FAKE-public-key.der +openssl ec -inform der -in private_keys/ETSI-SSP-AAS-CA-private-key.der -pubout -outform der -out public_keys/ETSI-SSP-AAS-CA-public-key.der +openssl ec -inform der -in private_keys/ETSI-SSP-AAS-EE-private-key.der -pubout -outform der -out public_keys/ETSI-SSP-AAS-EE-public-key.der + +openssl ec -inform der -in private_keys/ETSI-SSP-AAA-CI-private-key.der -pubout -outform pem -out public_keys/ETSI-SSP-AAA-CI-public-key.pem +openssl ec -inform der -in private_keys/ETSI-SSP-AAS-CI-private-key.der -pubout -outform pem -out public_keys/ETSI-SSP-AAS-CI-public-key.pem +openssl ec -inform der -in private_keys/ETSI-SSP-AAA-CA-private-key.der -pubout -outform pem -out public_keys/ETSI-SSP-AAA-CA-public-key.pem +openssl ec -inform der -in private_keys/ETSI-SSP-AAA-EE-private-key.der -pubout -outform pem -out public_keys/ETSI-SSP-AAA-EE-public-key.pem +openssl ec -inform der -in private_keys/ETSI-SSP-AAS-CA-private-key.der -pubout -outform pem -out public_keys/ETSI-SSP-AAS-CA-public-key.pem +openssl ec -inform der -in private_keys/ETSI-SSP-AAS-EE-private-key.der -pubout -outform pem -out public_keys/ETSI-SSP-AAS-EE-public-key.pem + + + +dir private_keys +dir public_keys + +echo openssl x509 -in ETSI-SSP-AAS-EE.asn -inform der -text +echo openssl x509 -text -in certificates/ETSI-SSP-AAA-CA.crt -noout \ No newline at end of file diff --git a/RFC3279.asn b/RFC3279.asn new file mode 100644 index 0000000000000000000000000000000000000000..2056a20e5f23fc718c240666e91b3fd3aa9ac255 --- /dev/null +++ b/RFC3279.asn @@ -0,0 +1,275 @@ + PKIX1Algorithms88 { iso(1) identified-organization(3) dod(6) + internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-pkix1-algorithms(17) } + + DEFINITIONS EXPLICIT TAGS ::= BEGIN + + -- EXPORTS All; + + -- IMPORTS NONE; + + -- + -- One-way Hash Functions + -- + + md2 OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) + digestAlgorithm(2) 2 } + + md5 OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) + digestAlgorithm(2) 5 } + + id-sha1 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) oiw(14) secsig(3) + algorithms(2) 26 } + + -- + -- DSA Keys and Signatures + -- + + -- OID for DSA public key + + id-dsa OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 } + + -- encoding for DSA public key + + DSAPublicKey ::= INTEGER -- public key, y + + Dss-Parms ::= SEQUENCE { + p INTEGER, + q INTEGER, + g INTEGER } + + -- OID for DSA signature generated with SHA-1 hash + + id-dsa-with-sha1 OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) x9-57 (10040) x9algorithm(4) 3 } + + -- encoding for DSA signature generated with SHA-1 hash + + Dss-Sig-Value ::= SEQUENCE { + r INTEGER, + s INTEGER } + + -- + -- RSA Keys and Signatures + -- + + -- arc for RSA public key and RSA signature OIDs + + pkcs-1 OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 } + + -- OID for RSA public keys + + rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 } + + -- OID for RSA signature generated with MD2 hash + + md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 } + + -- OID for RSA signature generated with MD5 hash + + md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 } + + -- OID for RSA signature generated with SHA-1 hash + + sha1WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 5 } + + -- encoding for RSA public key + + RSAPublicKey ::= SEQUENCE { + modulus INTEGER, -- n + publicExponent INTEGER } -- e + + -- + -- Diffie-Hellman Keys + -- + + dhpublicnumber OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) ansi-x942(10046) + number-type(2) 1 } + + -- encoding for DSA public key + + DHPublicKey ::= INTEGER -- public key, y = g^x mod p + + DomainParameters ::= SEQUENCE { + p INTEGER, -- odd prime, p=jq +1 + g INTEGER, -- generator, g + q INTEGER, -- factor of p-1 + j INTEGER OPTIONAL, -- subgroup factor, j>= 2 + validationParms ValidationParms OPTIONAL } + + ValidationParms ::= SEQUENCE { + seed BIT STRING, + pgenCounter INTEGER } + + -- + -- KEA Keys + -- + + id-keyExchangeAlgorithm OBJECT IDENTIFIER ::= + { 2 16 840 1 101 2 1 1 22 } + + KEA-Parms-Id ::= OCTET STRING + + -- + -- Elliptic Curve Keys, Signatures, and Curves + -- + + ansi-X9-62 OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) 10045 } + + FieldID ::= SEQUENCE { -- Finite field + fieldType OBJECT IDENTIFIER, + parameters ANY DEFINED BY fieldType } + + -- Arc for ECDSA signature OIDS + + id-ecSigType OBJECT IDENTIFIER ::= { ansi-X9-62 signatures(4) } + + -- OID for ECDSA signatures with SHA-1 + + ecdsa-with-SHA1 OBJECT IDENTIFIER ::= { id-ecSigType 1 } + + -- OID for an elliptic curve signature + -- format for the value of an ECDSA signature value + + ECDSA-Sig-Value ::= SEQUENCE { + r INTEGER, + s INTEGER } + + -- recognized field type OIDs are defined in the following arc + + id-fieldType OBJECT IDENTIFIER ::= { ansi-X9-62 fieldType(1) } + + -- where fieldType is prime-field, the parameters are of type Prime-p + + prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 } + + Prime-p ::= INTEGER -- Finite field F(p), where p is an odd prime + + -- where fieldType is characteristic-two-field, the parameters are + -- of type Characteristic-two + + characteristic-two-field OBJECT IDENTIFIER ::= { id-fieldType 2 } + + Characteristic-two ::= SEQUENCE { + m INTEGER, -- Field size 2^m + basis OBJECT IDENTIFIER, + parameters ANY DEFINED BY basis } + + -- recognized basis type OIDs are defined in the following arc + + id-characteristic-two-basis OBJECT IDENTIFIER ::= { + characteristic-two-field basisType(3) } + + -- gnbasis is identified by OID gnBasis and indicates + -- parameters are NULL + + gnBasis OBJECT IDENTIFIER ::= { id-characteristic-two-basis 1 } + + -- parameters for this basis are NULL + + -- trinomial basis is identified by OID tpBasis and indicates + -- parameters of type Pentanomial + + tpBasis OBJECT IDENTIFIER ::= { id-characteristic-two-basis 2 } + + -- Trinomial basis representation of F2^m + -- Integer k for reduction polynomial xm + xk + 1 + + Trinomial ::= INTEGER + + -- for pentanomial basis is identified by OID ppBasis and indicates + -- parameters of type Pentanomial + + ppBasis OBJECT IDENTIFIER ::= { id-characteristic-two-basis 3 } + + -- Pentanomial basis representation of F2^m + -- reduction polynomial integers k1, k2, k3 + -- f(x) = x**m + x**k3 + x**k2 + x**k1 + 1 + + Pentanomial ::= SEQUENCE { + k1 INTEGER, + k2 INTEGER, + k3 INTEGER } + + -- The object identifiers gnBasis, tpBasis and ppBasis name + -- three kinds of basis for characteristic-two finite fields + + FieldElement ::= OCTET STRING -- Finite field element + + ECPoint ::= OCTET STRING -- Elliptic curve point + + -- Elliptic Curve parameters may be specified explicitly, + -- specified implicitly through a "named curve", or + -- inherited from the CA + + EcpkParameters ::= CHOICE { + ecParameters ECParameters, + namedCurve OBJECT IDENTIFIER, + implicitlyCA NULL } + + ECParameters ::= SEQUENCE { -- Elliptic curve parameters + version ECPVer, + fieldID FieldID, + curve Curve, + base ECPoint, -- Base point G + order INTEGER, -- Order n of the base point + cofactor INTEGER OPTIONAL } -- The integer h = #E(Fq)/n + + ECPVer ::= INTEGER {ecpVer1(1)} + + + Curve ::= SEQUENCE { + a FieldElement, -- Elliptic curve coefficient a + b FieldElement, -- Elliptic curve coefficient b + seed BIT STRING OPTIONAL } + + id-publicKeyType OBJECT IDENTIFIER ::= { ansi-X9-62 keyType(2) } + + id-ecPublicKey OBJECT IDENTIFIER ::= { id-publicKeyType 1 } + + -- Named Elliptic Curves in ANSI X9.62. + + ellipticCurve OBJECT IDENTIFIER ::= { ansi-X9-62 curves(3) } + + c-TwoCurve OBJECT IDENTIFIER ::= { + ellipticCurve characteristicTwo(0) } + + c2pnb163v1 OBJECT IDENTIFIER ::= { c-TwoCurve 1 } + c2pnb163v2 OBJECT IDENTIFIER ::= { c-TwoCurve 2 } + c2pnb163v3 OBJECT IDENTIFIER ::= { c-TwoCurve 3 } + c2pnb176w1 OBJECT IDENTIFIER ::= { c-TwoCurve 4 } + c2tnb191v1 OBJECT IDENTIFIER ::= { c-TwoCurve 5 } + c2tnb191v2 OBJECT IDENTIFIER ::= { c-TwoCurve 6 } + c2tnb191v3 OBJECT IDENTIFIER ::= { c-TwoCurve 7 } + c2onb191v4 OBJECT IDENTIFIER ::= { c-TwoCurve 8 } + c2onb191v5 OBJECT IDENTIFIER ::= { c-TwoCurve 9 } + c2pnb208w1 OBJECT IDENTIFIER ::= { c-TwoCurve 10 } + c2tnb239v1 OBJECT IDENTIFIER ::= { c-TwoCurve 11 } + c2tnb239v2 OBJECT IDENTIFIER ::= { c-TwoCurve 12 } + c2tnb239v3 OBJECT IDENTIFIER ::= { c-TwoCurve 13 } + c2onb239v4 OBJECT IDENTIFIER ::= { c-TwoCurve 14 } + c2onb239v5 OBJECT IDENTIFIER ::= { c-TwoCurve 15 } + c2pnb272w1 OBJECT IDENTIFIER ::= { c-TwoCurve 16 } + c2pnb304w1 OBJECT IDENTIFIER ::= { c-TwoCurve 17 } + c2tnb359v1 OBJECT IDENTIFIER ::= { c-TwoCurve 18 } + c2pnb368w1 OBJECT IDENTIFIER ::= { c-TwoCurve 19 } + c2tnb431r1 OBJECT IDENTIFIER ::= { c-TwoCurve 20 } + + primeCurve OBJECT IDENTIFIER ::= { ellipticCurve prime(1) } + + prime192v1 OBJECT IDENTIFIER ::= { primeCurve 1 } + prime192v2 OBJECT IDENTIFIER ::= { primeCurve 2 } + prime192v3 OBJECT IDENTIFIER ::= { primeCurve 3 } + prime239v1 OBJECT IDENTIFIER ::= { primeCurve 4 } + prime239v2 OBJECT IDENTIFIER ::= { primeCurve 5 } + prime239v3 OBJECT IDENTIFIER ::= { primeCurve 6 } + prime256v1 OBJECT IDENTIFIER ::= { primeCurve 7 } + + END \ No newline at end of file diff --git a/RFC5280.asn b/RFC5280.asn new file mode 100644 index 0000000000000000000000000000000000000000..f4ba763f704a2cf7c245a2dbcaeddc1cce68f300 --- /dev/null +++ b/RFC5280.asn @@ -0,0 +1,1030 @@ +PKIX1Explicit88 { iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) } + +DEFINITIONS EXPLICIT TAGS ::= + +BEGIN + +-- EXPORTS ALL -- + +-- IMPORTS NONE -- + +-- UNIVERSAL Types defined in 1993 and 1998 ASN.1 +-- and required by this specification + +UniversalString ::= [UNIVERSAL 28] IMPLICIT OCTET STRING + -- UniversalString is defined in ASN.1:1993 + +BMPString ::= [UNIVERSAL 30] IMPLICIT OCTET STRING + -- BMPString is the subtype of UniversalString and models + -- the Basic Multilingual Plane of ISO/IEC 10646 + +UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING + -- The content of this type conforms to RFC 3629. + +-- PKIX specific OIDs + +id-pkix OBJECT IDENTIFIER ::= + { iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) } + + +-- PKIX arcs + +id-pe OBJECT IDENTIFIER ::= { id-pkix 1 } + -- arc for private certificate extensions +id-qt OBJECT IDENTIFIER ::= { id-pkix 2 } + -- arc for policy qualifier types +id-kp OBJECT IDENTIFIER ::= { id-pkix 3 } + -- arc for extended key purpose OIDS +id-ad OBJECT IDENTIFIER ::= { id-pkix 48 } + -- arc for access descriptors + +-- policyQualifierIds for Internet policy qualifiers + +id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 } + -- OID for CPS qualifier +id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 } + -- OID for user notice qualifier + +-- access descriptor definitions + +id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 } +id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 } +id-ad-timeStamping OBJECT IDENTIFIER ::= { id-ad 3 } +id-ad-caRepository OBJECT IDENTIFIER ::= { id-ad 5 } + +-- attribute data types + +Attribute ::= SEQUENCE { + type AttributeType, + values SET OF AttributeValue } + -- at least one value is required + +AttributeType ::= OBJECT IDENTIFIER + +AttributeValue ::= ANY -- DEFINED BY AttributeType + +AttributeTypeAndValue ::= SEQUENCE { + type AttributeType, + value AttributeValue } + +-- suggested naming attributes: Definition of the following +-- information object set may be augmented to meet local +-- requirements. Note that deleting members of the set may +-- prevent interoperability with conforming implementations. +-- presented in pairs: the AttributeType followed by the +-- type definition for the corresponding AttributeValue + + + + +-- Arc for standard naming attributes + +id-at OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 } + +-- Naming attributes of type X520name + +id-at-name AttributeType ::= { id-at 41 } +id-at-surname AttributeType ::= { id-at 4 } +id-at-givenName AttributeType ::= { id-at 42 } +id-at-initials AttributeType ::= { id-at 43 } +id-at-generationQualifier AttributeType ::= { id-at 44 } + +-- Naming attributes of type X520Name: +-- X520name ::= DirectoryString (SIZE (1..ub-name)) +-- +-- Expanded to avoid parameterized type: +X520name ::= CHOICE { + teletexString TeletexString (SIZE (1..ub-name)), + printableString PrintableString (SIZE (1..ub-name)), + universalString UniversalString (SIZE (1..ub-name)), + utf8String UTF8String (SIZE (1..ub-name)), + bmpString BMPString (SIZE (1..ub-name)) } + +-- Naming attributes of type X520CommonName + +id-at-commonName AttributeType ::= { id-at 3 } + +-- Naming attributes of type X520CommonName: +-- X520CommonName ::= DirectoryName (SIZE (1..ub-common-name)) +-- +-- Expanded to avoid parameterized type: +X520CommonName ::= CHOICE { + teletexString TeletexString (SIZE (1..ub-common-name)), + printableString PrintableString (SIZE (1..ub-common-name)), + universalString UniversalString (SIZE (1..ub-common-name)), + utf8String UTF8String (SIZE (1..ub-common-name)), + bmpString BMPString (SIZE (1..ub-common-name)) } + + + + + + + + + +-- Naming attributes of type X520LocalityName + +id-at-localityName AttributeType ::= { id-at 7 } + +-- Naming attributes of type X520LocalityName: +-- X520LocalityName ::= DirectoryName (SIZE (1..ub-locality-name)) +-- +-- Expanded to avoid parameterized type: +X520LocalityName ::= CHOICE { + teletexString TeletexString (SIZE (1..ub-locality-name)), + printableString PrintableString (SIZE (1..ub-locality-name)), + universalString UniversalString (SIZE (1..ub-locality-name)), + utf8String UTF8String (SIZE (1..ub-locality-name)), + bmpString BMPString (SIZE (1..ub-locality-name)) } + +-- Naming attributes of type X520StateOrProvinceName + +id-at-stateOrProvinceName AttributeType ::= { id-at 8 } + +-- Naming attributes of type X520StateOrProvinceName: +-- X520StateOrProvinceName ::= DirectoryName (SIZE (1..ub-state-name)) +-- +-- Expanded to avoid parameterized type: +X520StateOrProvinceName ::= CHOICE { + teletexString TeletexString (SIZE (1..ub-state-name)), + printableString PrintableString (SIZE (1..ub-state-name)), + universalString UniversalString (SIZE (1..ub-state-name)), + utf8String UTF8String (SIZE (1..ub-state-name)), + bmpString BMPString (SIZE (1..ub-state-name)) } + + + + + + + + + + + + + + + + + + + + +-- Naming attributes of type X520OrganizationName + +id-at-organizationName AttributeType ::= { id-at 10 } + +-- Naming attributes of type X520OrganizationName: +-- X520OrganizationName ::= +-- DirectoryName (SIZE (1..ub-organization-name)) +-- +-- Expanded to avoid parameterized type: +X520OrganizationName ::= CHOICE { + teletexString TeletexString + (SIZE (1..ub-organization-name)), + printableString PrintableString + (SIZE (1..ub-organization-name)), + universalString UniversalString + (SIZE (1..ub-organization-name)), + utf8String UTF8String + (SIZE (1..ub-organization-name)), + bmpString BMPString + (SIZE (1..ub-organization-name)) } + +-- Naming attributes of type X520OrganizationalUnitName + +id-at-organizationalUnitName AttributeType ::= { id-at 11 } + +-- Naming attributes of type X520OrganizationalUnitName: +-- X520OrganizationalUnitName ::= +-- DirectoryName (SIZE (1..ub-organizational-unit-name)) +-- +-- Expanded to avoid parameterized type: +X520OrganizationalUnitName ::= CHOICE { + teletexString TeletexString + (SIZE (1..ub-organizational-unit-name)), + printableString PrintableString + (SIZE (1..ub-organizational-unit-name)), + universalString UniversalString + (SIZE (1..ub-organizational-unit-name)), + utf8String UTF8String + (SIZE (1..ub-organizational-unit-name)), + bmpString BMPString + (SIZE (1..ub-organizational-unit-name)) } +-- Naming attributes of type X520Title + +id-at-title AttributeType ::= { id-at 12 } + +-- Naming attributes of type X520Title: +-- X520Title ::= DirectoryName (SIZE (1..ub-title)) +-- +-- Expanded to avoid parameterized type: +X520Title ::= CHOICE { + teletexString TeletexString (SIZE (1..ub-title)), + printableString PrintableString (SIZE (1..ub-title)), + universalString UniversalString (SIZE (1..ub-title)), + utf8String UTF8String (SIZE (1..ub-title)), + bmpString BMPString (SIZE (1..ub-title)) } + +-- Naming attributes of type X520dnQualifier + +id-at-dnQualifier AttributeType ::= { id-at 46 } + +X520dnQualifier ::= PrintableString + +-- Naming attributes of type X520countryName (digraph from IS 3166) + +id-at-countryName AttributeType ::= { id-at 6 } + +X520countryName ::= PrintableString (SIZE (2)) + +-- Naming attributes of type X520SerialNumber + +id-at-serialNumber AttributeType ::= { id-at 5 } + +X520SerialNumber ::= PrintableString (SIZE (1..ub-serial-number)) + +-- Naming attributes of type X520Pseudonym + +id-at-pseudonym AttributeType ::= { id-at 65 } + +-- Naming attributes of type X520Pseudonym: +-- X520Pseudonym ::= DirectoryName (SIZE (1..ub-pseudonym)) +-- +-- Expanded to avoid parameterized type: +X520Pseudonym ::= CHOICE { + teletexString TeletexString (SIZE (1..ub-pseudonym)), + printableString PrintableString (SIZE (1..ub-pseudonym)), + universalString UniversalString (SIZE (1..ub-pseudonym)), + utf8String UTF8String (SIZE (1..ub-pseudonym)), + bmpString BMPString (SIZE (1..ub-pseudonym)) } + + +-- Naming attributes of type DomainComponent (from RFC 4519) + +id-domainComponent AttributeType ::= { 0 9 2342 19200300 100 1 25 } + +DomainComponent ::= IA5String + +-- Legacy attributes + +pkcs-9 OBJECT IDENTIFIER ::= + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 } + +id-emailAddress AttributeType ::= { pkcs-9 1 } + +EmailAddress ::= IA5String (SIZE (1..ub-emailaddress-length)) + +-- naming data types -- + +Name ::= CHOICE { -- only one possibility for now -- + rdnSequence RDNSequence } + +RDNSequence ::= SEQUENCE OF RelativeDistinguishedName + +DistinguishedName ::= RDNSequence + +RelativeDistinguishedName ::= SET SIZE (1..MAX) OF AttributeTypeAndValue + +-- Directory string type -- + +DirectoryString ::= CHOICE { + teletexString TeletexString (SIZE (1..MAX)), + printableString PrintableString (SIZE (1..MAX)), + universalString UniversalString (SIZE (1..MAX)), + utf8String UTF8String (SIZE (1..MAX)), + bmpString BMPString (SIZE (1..MAX)) } + +-- certificate and CRL specific structures begin here + +Certificate ::= SEQUENCE { + tbsCertificate TBSCertificate, + signatureAlgorithm AlgorithmIdentifier, + signature BIT STRING } + +TBSCertificate ::= SEQUENCE { + version [0] Version DEFAULT v1, + serialNumber CertificateSerialNumber, + signature AlgorithmIdentifier, + issuer Name, + validity Validity, + subject Name, + subjectPublicKeyInfo SubjectPublicKeyInfo, + issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, + -- If present, version MUST be v2 or v3 + subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, + -- If present, version MUST be v2 or v3 + extensions [3] Extensions OPTIONAL + -- If present, version MUST be v3 -- } + +Version ::= INTEGER { v1(0), v2(1), v3(2) } + +CertificateSerialNumber ::= INTEGER + +Validity ::= SEQUENCE { + notBefore Time, + notAfter Time } + +Time ::= CHOICE { + utcTime UTCTime, + generalTime GeneralizedTime } + +UniqueIdentifier ::= BIT STRING + +SubjectPublicKeyInfo ::= SEQUENCE { + algorithm AlgorithmIdentifier, + subjectPublicKey BIT STRING } + +Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension + +Extension ::= SEQUENCE { + extnID OBJECT IDENTIFIER, + critical BOOLEAN DEFAULT FALSE, + extnValue OCTET STRING + -- contains the DER encoding of an ASN.1 value + -- corresponding to the extension type identified + -- by extnID + } + +-- CRL structures + +CertificateList ::= SEQUENCE { + tbsCertList TBSCertList, + signatureAlgorithm AlgorithmIdentifier, + signature BIT STRING } + +TBSCertList ::= SEQUENCE { + version Version OPTIONAL, + -- if present, MUST be v2 + signature AlgorithmIdentifier, + issuer Name, + thisUpdate Time, + nextUpdate Time OPTIONAL, + revokedCertificates SEQUENCE OF SEQUENCE { + userCertificate CertificateSerialNumber, + revocationDate Time, + crlEntryExtensions Extensions OPTIONAL + -- if present, version MUST be v2 + } OPTIONAL, + crlExtensions [0] Extensions OPTIONAL } + -- if present, version MUST be v2 + +-- Version, Time, CertificateSerialNumber, and Extensions were +-- defined earlier for use in the certificate structure + +AlgorithmIdentifier ::= SEQUENCE { + algorithm OBJECT IDENTIFIER, + parameters ANY DEFINED BY algorithm OPTIONAL } + -- contains a value of the type + -- registered for use with the + -- algorithm object identifier value + +-- X.400 address syntax starts here + +ORAddress ::= SEQUENCE { + built-in-standard-attributes BuiltInStandardAttributes, + built-in-domain-defined-attributes + BuiltInDomainDefinedAttributes OPTIONAL, + -- see also teletex-domain-defined-attributes + extension-attributes ExtensionAttributes OPTIONAL } + +-- Built-in Standard Attributes + +BuiltInStandardAttributes ::= SEQUENCE { + country-name CountryName OPTIONAL, + administration-domain-name AdministrationDomainName OPTIONAL, + network-address [0] IMPLICIT NetworkAddress OPTIONAL, + -- see also extended-network-address + terminal-identifier [1] IMPLICIT TerminalIdentifier OPTIONAL, + private-domain-name [2] PrivateDomainName OPTIONAL, + organization-name [3] IMPLICIT OrganizationName OPTIONAL, + -- see also teletex-organization-name + numeric-user-identifier [4] IMPLICIT NumericUserIdentifier + OPTIONAL, + personal-name [5] IMPLICIT PersonalName OPTIONAL, + -- see also teletex-personal-name + organizational-unit-names [6] IMPLICIT OrganizationalUnitNames + OPTIONAL } + -- see also teletex-organizational-unit-names + +CountryName ::= [APPLICATION 1] CHOICE { + x121-dcc-code NumericString + (SIZE (ub-country-name-numeric-length)), + iso-3166-alpha2-code PrintableString + (SIZE (ub-country-name-alpha-length)) } + +AdministrationDomainName ::= [APPLICATION 2] CHOICE { + numeric NumericString (SIZE (0..ub-domain-name-length)), + printable PrintableString (SIZE (0..ub-domain-name-length)) } + +NetworkAddress ::= X121Address -- see also extended-network-address + +X121Address ::= NumericString (SIZE (1..ub-x121-address-length)) + +TerminalIdentifier ::= PrintableString (SIZE (1..ub-terminal-id-length)) + +PrivateDomainName ::= CHOICE { + numeric NumericString (SIZE (1..ub-domain-name-length)), + printable PrintableString (SIZE (1..ub-domain-name-length)) } + +OrganizationName ::= PrintableString + (SIZE (1..ub-organization-name-length)) + -- see also teletex-organization-name + +NumericUserIdentifier ::= NumericString + (SIZE (1..ub-numeric-user-id-length)) + +PersonalName ::= SET { + surname [0] IMPLICIT PrintableString + (SIZE (1..ub-surname-length)), + given-name [1] IMPLICIT PrintableString + (SIZE (1..ub-given-name-length)) OPTIONAL, + initials [2] IMPLICIT PrintableString + (SIZE (1..ub-initials-length)) OPTIONAL, + generation-qualifier [3] IMPLICIT PrintableString + (SIZE (1..ub-generation-qualifier-length)) + OPTIONAL } + -- see also teletex-personal-name + +OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units) + OF OrganizationalUnitName + -- see also teletex-organizational-unit-names + +OrganizationalUnitName ::= PrintableString (SIZE + (1..ub-organizational-unit-name-length)) + +-- Built-in Domain-defined Attributes + +BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE + (1..ub-domain-defined-attributes) OF + BuiltInDomainDefinedAttribute + +BuiltInDomainDefinedAttribute ::= SEQUENCE { + type PrintableString (SIZE + (1..ub-domain-defined-attribute-type-length)), + value PrintableString (SIZE + (1..ub-domain-defined-attribute-value-length)) } + +-- Extension Attributes + +ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF + ExtensionAttribute + +ExtensionAttribute ::= SEQUENCE { + extension-attribute-type [0] IMPLICIT INTEGER + (0..ub-extension-attributes), + extension-attribute-value [1] + ANY DEFINED BY extension-attribute-type } + +-- Extension types and attribute values + +common-name INTEGER ::= 1 + +CommonName ::= PrintableString (SIZE (1..ub-common-name-length)) + +teletex-common-name INTEGER ::= 2 + +TeletexCommonName ::= TeletexString (SIZE (1..ub-common-name-length)) + +teletex-organization-name INTEGER ::= 3 + +TeletexOrganizationName ::= + TeletexString (SIZE (1..ub-organization-name-length)) + +teletex-personal-name INTEGER ::= 4 + +TeletexPersonalName ::= SET { + surname [0] IMPLICIT TeletexString + (SIZE (1..ub-surname-length)), + given-name [1] IMPLICIT TeletexString + (SIZE (1..ub-given-name-length)) OPTIONAL, + initials [2] IMPLICIT TeletexString + (SIZE (1..ub-initials-length)) OPTIONAL, + generation-qualifier [3] IMPLICIT TeletexString + (SIZE (1..ub-generation-qualifier-length)) + OPTIONAL } + +teletex-organizational-unit-names INTEGER ::= 5 + +TeletexOrganizationalUnitNames ::= SEQUENCE SIZE + (1..ub-organizational-units) OF TeletexOrganizationalUnitName + +TeletexOrganizationalUnitName ::= TeletexString + (SIZE (1..ub-organizational-unit-name-length)) + +pds-name INTEGER ::= 7 + +PDSName ::= PrintableString (SIZE (1..ub-pds-name-length)) + +physical-delivery-country-name INTEGER ::= 8 + +PhysicalDeliveryCountryName ::= CHOICE { + x121-dcc-code NumericString (SIZE (ub-country-name-numeric-length)), + iso-3166-alpha2-code PrintableString + (SIZE (ub-country-name-alpha-length)) } + +postal-code INTEGER ::= 9 + +PostalCode ::= CHOICE { + numeric-code NumericString (SIZE (1..ub-postal-code-length)), + printable-code PrintableString (SIZE (1..ub-postal-code-length)) } + +physical-delivery-office-name INTEGER ::= 10 + +PhysicalDeliveryOfficeName ::= PDSParameter + +physical-delivery-office-number INTEGER ::= 11 + +PhysicalDeliveryOfficeNumber ::= PDSParameter + +extension-OR-address-components INTEGER ::= 12 + +ExtensionORAddressComponents ::= PDSParameter + +physical-delivery-personal-name INTEGER ::= 13 + +PhysicalDeliveryPersonalName ::= PDSParameter + +physical-delivery-organization-name INTEGER ::= 14 + +PhysicalDeliveryOrganizationName ::= PDSParameter + +extension-physical-delivery-address-components INTEGER ::= 15 + +ExtensionPhysicalDeliveryAddressComponents ::= PDSParameter + +unformatted-postal-address INTEGER ::= 16 + +UnformattedPostalAddress ::= SET { + printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines) + OF PrintableString (SIZE (1..ub-pds-parameter-length)) OPTIONAL, + teletex-string TeletexString + (SIZE (1..ub-unformatted-address-length)) OPTIONAL } + +street-address INTEGER ::= 17 + +StreetAddress ::= PDSParameter + +post-office-box-address INTEGER ::= 18 + +PostOfficeBoxAddress ::= PDSParameter + +poste-restante-address INTEGER ::= 19 + +PosteRestanteAddress ::= PDSParameter + +unique-postal-name INTEGER ::= 20 + +UniquePostalName ::= PDSParameter + +local-postal-attributes INTEGER ::= 21 + +LocalPostalAttributes ::= PDSParameter + +PDSParameter ::= SET { + printable-string PrintableString + (SIZE(1..ub-pds-parameter-length)) OPTIONAL, + teletex-string TeletexString + (SIZE(1..ub-pds-parameter-length)) OPTIONAL } + +extended-network-address INTEGER ::= 22 + +ExtendedNetworkAddress ::= CHOICE { + e163-4-address SEQUENCE { + number [0] IMPLICIT NumericString + (SIZE (1..ub-e163-4-number-length)), + sub-address [1] IMPLICIT NumericString + (SIZE (1..ub-e163-4-sub-address-length)) + OPTIONAL }, + psap-address [0] IMPLICIT PresentationAddress } + +PresentationAddress ::= SEQUENCE { + pSelector [0] EXPLICIT OCTET STRING OPTIONAL, + sSelector [1] EXPLICIT OCTET STRING OPTIONAL, + tSelector [2] EXPLICIT OCTET STRING OPTIONAL, + nAddresses [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING } + +terminal-type INTEGER ::= 23 + +TerminalType ::= INTEGER { + telex (3), + teletex (4), + g3-facsimile (5), + g4-facsimile (6), + ia5-terminal (7), + videotex (8) } (0..ub-integer-options) + +-- Extension Domain-defined Attributes + +teletex-domain-defined-attributes INTEGER ::= 6 + +TeletexDomainDefinedAttributes ::= SEQUENCE SIZE + (1..ub-domain-defined-attributes) OF TeletexDomainDefinedAttribute + +TeletexDomainDefinedAttribute ::= SEQUENCE { + type TeletexString + (SIZE (1..ub-domain-defined-attribute-type-length)), + value TeletexString + (SIZE (1..ub-domain-defined-attribute-value-length)) } + + + +-- specifications of Upper Bounds MUST be regarded as mandatory +-- from Annex B of ITU-T X.411 Reference Definition of MTS Parameter +-- Upper Bounds + +-- Upper Bounds +ub-name INTEGER ::= 32768 +ub-common-name INTEGER ::= 64 +ub-locality-name INTEGER ::= 128 +ub-state-name INTEGER ::= 128 +ub-organization-name INTEGER ::= 64 +ub-organizational-unit-name INTEGER ::= 64 +ub-title INTEGER ::= 64 +ub-serial-number INTEGER ::= 64 +ub-match INTEGER ::= 128 +ub-emailaddress-length INTEGER ::= 255 +ub-common-name-length INTEGER ::= 64 +ub-country-name-alpha-length INTEGER ::= 2 +ub-country-name-numeric-length INTEGER ::= 3 +ub-domain-defined-attributes INTEGER ::= 4 +ub-domain-defined-attribute-type-length INTEGER ::= 8 +ub-domain-defined-attribute-value-length INTEGER ::= 128 +ub-domain-name-length INTEGER ::= 16 +ub-extension-attributes INTEGER ::= 256 +ub-e163-4-number-length INTEGER ::= 15 +ub-e163-4-sub-address-length INTEGER ::= 40 +ub-generation-qualifier-length INTEGER ::= 3 +ub-given-name-length INTEGER ::= 16 +ub-initials-length INTEGER ::= 5 +ub-integer-options INTEGER ::= 256 +ub-numeric-user-id-length INTEGER ::= 32 +ub-organization-name-length INTEGER ::= 64 +ub-organizational-unit-name-length INTEGER ::= 32 +ub-organizational-units INTEGER ::= 4 +ub-pds-name-length INTEGER ::= 16 +ub-pds-parameter-length INTEGER ::= 30 +ub-pds-physical-address-lines INTEGER ::= 6 +ub-postal-code-length INTEGER ::= 16 +ub-pseudonym INTEGER ::= 128 +ub-surname-length INTEGER ::= 40 +ub-terminal-id-length INTEGER ::= 24 +ub-unformatted-address-length INTEGER ::= 180 +ub-x121-address-length INTEGER ::= 16 + +-- Note - upper bounds on string types, such as TeletexString, are +-- measured in characters. Excepting PrintableString or IA5String, a +-- significantly greater number of octets will be required to hold +-- such a value. As a minimum, 16 octets, or twice the specified +-- upper bound, whichever is the larger, should be allowed for + + +-- TeletexString. For UTF8String or UniversalString at least four +-- times the upper bound should be allowed. + +END + +PKIX1Implicit88 { iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19) } + +DEFINITIONS IMPLICIT TAGS ::= + +BEGIN + +-- EXPORTS ALL -- + +IMPORTS + id-pe, id-kp, id-qt-unotice, id-qt-cps, + -- delete following line if "new" types are supported -- + BMPString, UTF8String, -- end "new" types -- + ORAddress, Name, RelativeDistinguishedName, + CertificateSerialNumber, Attribute, DirectoryString + FROM PKIX1Explicit88 { iso(1) identified-organization(3) + dod(6) internet(1) security(5) mechanisms(5) pkix(7) + id-mod(0) id-pkix1-explicit(18) }; + +-- ISO arc for standard certificate and CRL extensions + +id-ce OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 29} + +-- authority key identifier OID and syntax + +id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 } + +AuthorityKeyIdentifier ::= SEQUENCE { + keyIdentifier [0] KeyIdentifier OPTIONAL, + authorityCertIssuer [1] GeneralNames OPTIONAL, + authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL } + -- authorityCertIssuer and authorityCertSerialNumber MUST both + -- be present or both be absent + +KeyIdentifier ::= OCTET STRING + + + + +-- subject key identifier OID and syntax + +id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 } + +SubjectKeyIdentifier ::= KeyIdentifier + +-- key usage extension OID and syntax + +id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 } + +KeyUsage ::= BIT STRING { + digitalSignature (0), + nonRepudiation (1), -- recent editions of X.509 have + -- renamed this bit to contentCommitment + keyEncipherment (2), + dataEncipherment (3), + keyAgreement (4), + keyCertSign (5), + cRLSign (6), + encipherOnly (7), + decipherOnly (8) } + +-- private key usage period extension OID and syntax + +id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= { id-ce 16 } + +PrivateKeyUsagePeriod ::= SEQUENCE { + notBefore [0] GeneralizedTime OPTIONAL, + notAfter [1] GeneralizedTime OPTIONAL } + -- either notBefore or notAfter MUST be present + +-- certificate policies extension OID and syntax + +id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 } + +anyPolicy OBJECT IDENTIFIER ::= { id-ce-certificatePolicies 0 } + +CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation + +PolicyInformation ::= SEQUENCE { + policyIdentifier CertPolicyId, + policyQualifiers SEQUENCE SIZE (1..MAX) OF + PolicyQualifierInfo OPTIONAL } + +CertPolicyId ::= OBJECT IDENTIFIER + +PolicyQualifierInfo ::= SEQUENCE { + policyQualifierId PolicyQualifierId, + qualifier ANY DEFINED BY policyQualifierId } + +-- Implementations that recognize additional policy qualifiers MUST +-- augment the following definition for PolicyQualifierId + +PolicyQualifierId ::= OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice ) + +-- CPS pointer qualifier + +CPSuri ::= IA5String + +-- user notice qualifier + +UserNotice ::= SEQUENCE { + noticeRef NoticeReference OPTIONAL, + explicitText DisplayText OPTIONAL } + +NoticeReference ::= SEQUENCE { + organization DisplayText, + noticeNumbers SEQUENCE OF INTEGER } + +DisplayText ::= CHOICE { + ia5String IA5String (SIZE (1..200)), + visibleString VisibleString (SIZE (1..200)), + bmpString BMPString (SIZE (1..200)), + utf8String UTF8String (SIZE (1..200)) } + +-- policy mapping extension OID and syntax + +id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 } + +PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { + issuerDomainPolicy CertPolicyId, + subjectDomainPolicy CertPolicyId } + +-- subject alternative name extension OID and syntax + +id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 } + +SubjectAltName ::= GeneralNames + +GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName + +GeneralName ::= CHOICE { + otherName [0] AnotherName, + rfc822Name [1] IA5String, + dNSName [2] IA5String, + x400Address [3] ORAddress, + directoryName [4] Name, + ediPartyName [5] EDIPartyName, + uniformResourceIdentifier [6] IA5String, + iPAddress [7] OCTET STRING, + registeredID [8] OBJECT IDENTIFIER } + +-- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as +-- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax + +AnotherName ::= SEQUENCE { + type-id OBJECT IDENTIFIER, + value [0] EXPLICIT ANY DEFINED BY type-id } + +EDIPartyName ::= SEQUENCE { + nameAssigner [0] DirectoryString OPTIONAL, + partyName [1] DirectoryString } + +-- issuer alternative name extension OID and syntax + +id-ce-issuerAltName OBJECT IDENTIFIER ::= { id-ce 18 } + +IssuerAltName ::= GeneralNames + +id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= { id-ce 9 } + +SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute + +-- basic constraints extension OID and syntax + +id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 } + +BasicConstraints ::= SEQUENCE { + cA BOOLEAN DEFAULT FALSE, + pathLenConstraint INTEGER (0..MAX) OPTIONAL } + + +-- name constraints extension OID and syntax + +id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 } + +NameConstraints ::= SEQUENCE { + permittedSubtrees [0] GeneralSubtrees OPTIONAL, + excludedSubtrees [1] GeneralSubtrees OPTIONAL } + +GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree + +GeneralSubtree ::= SEQUENCE { + base GeneralName, + minimum [0] BaseDistance DEFAULT 0, + maximum [1] BaseDistance OPTIONAL } + +BaseDistance ::= INTEGER (0..MAX) + +-- policy constraints extension OID and syntax + +id-ce-policyConstraints OBJECT IDENTIFIER ::= { id-ce 36 } + +PolicyConstraints ::= SEQUENCE { + requireExplicitPolicy [0] SkipCerts OPTIONAL, + inhibitPolicyMapping [1] SkipCerts OPTIONAL } + +SkipCerts ::= INTEGER (0..MAX) + +-- CRL distribution points extension OID and syntax + +id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31} + +CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint + +DistributionPoint ::= SEQUENCE { + distributionPoint [0] DistributionPointName OPTIONAL, + reasons [1] ReasonFlags OPTIONAL, + cRLIssuer [2] GeneralNames OPTIONAL } + +DistributionPointName ::= CHOICE { + fullName [0] GeneralNames, + nameRelativeToCRLIssuer [1] RelativeDistinguishedName } + + +ReasonFlags ::= BIT STRING { + unused (0), + keyCompromise (1), + cACompromise (2), + affiliationChanged (3), + superseded (4), + cessationOfOperation (5), + certificateHold (6), + privilegeWithdrawn (7), + aACompromise (8) } + +-- extended key usage extension OID and syntax + +id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37} + +ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId + +KeyPurposeId ::= OBJECT IDENTIFIER + +-- permit unspecified key uses + +anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 } + +-- extended key purpose OIDs + +id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } +id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } +id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 } +id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 } +id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } +id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } + +-- inhibit any policy OID and syntax + +id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-ce 54 } + +InhibitAnyPolicy ::= SkipCerts + +-- freshest (delta)CRL extension OID and syntax + +id-ce-freshestCRL OBJECT IDENTIFIER ::= { id-ce 46 } + +FreshestCRL ::= CRLDistributionPoints +-- authority info access + +id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 } + +AuthorityInfoAccessSyntax ::= + SEQUENCE SIZE (1..MAX) OF AccessDescription + +AccessDescription ::= SEQUENCE { + accessMethod OBJECT IDENTIFIER, + accessLocation GeneralName } + +-- subject info access + +id-pe-subjectInfoAccess OBJECT IDENTIFIER ::= { id-pe 11 } + +SubjectInfoAccessSyntax ::= + SEQUENCE SIZE (1..MAX) OF AccessDescription + +-- CRL number extension OID and syntax + +id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } + +CRLNumber ::= INTEGER (0..MAX) + +-- issuing distribution point extension OID and syntax + +id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 } + +IssuingDistributionPoint ::= SEQUENCE { + distributionPoint [0] DistributionPointName OPTIONAL, + onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE, + onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE, + onlySomeReasons [3] ReasonFlags OPTIONAL, + indirectCRL [4] BOOLEAN DEFAULT FALSE, + onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE } + -- at most one of onlyContainsUserCerts, onlyContainsCACerts, + -- and onlyContainsAttributeCerts may be set to TRUE. + +id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 } + +BaseCRLNumber ::= CRLNumber +-- reason code extension OID and syntax + +id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 } + +CRLReason ::= ENUMERATED { + unspecified (0), + keyCompromise (1), + cACompromise (2), + affiliationChanged (3), + superseded (4), + cessationOfOperation (5), + certificateHold (6), + removeFromCRL (8), + privilegeWithdrawn (9), + aACompromise (10) } + +-- certificate issuer CRL entry extension OID and syntax + +id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 } + +CertificateIssuer ::= GeneralNames + +-- hold instruction extension OID and syntax + +id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 } + +HoldInstructionCode ::= OBJECT IDENTIFIER + +-- ANSI x9 arc holdinstruction arc + +holdInstruction OBJECT IDENTIFIER ::= + {joint-iso-itu-t(2) member-body(2) us(840) x9cm(10040) 2} + +-- ANSI X9 holdinstructions + +id-holdinstruction-none OBJECT IDENTIFIER ::= + {holdInstruction 1} -- deprecated + +id-holdinstruction-callissuer OBJECT IDENTIFIER ::= {holdInstruction 2} + +id-holdinstruction-reject OBJECT IDENTIFIER ::= {holdInstruction 3} +END \ No newline at end of file diff --git a/Readme.md b/Readme.md new file mode 100644 index 0000000000000000000000000000000000000000..5e73c890752eaa411007fbc3c66c04c01d6b14e5 --- /dev/null +++ b/Readme.md @@ -0,0 +1,123 @@ +# ETSI SSP TTF x509 certificates generation +## Overview +This set of programs and files aims at generating the x509v3 certificates used for the Accessor Authentication Service as described in annex C of the [TS 103.666 part 1 V15.2.0 (2020-04)](https://www.etsi.org/deliver/etsi_ts/103600_103699/10366601/15.00.00_60/ts_10366601v150000p.pdf) . +## Installation +OpenSSL 3.0.0 shall be installed. The guidelines for performing the installation are available in [OpenSSL](https://www.openssl.org) +Python Cryptography package shall be installed. The guidelines for performing the installation are available in [Cryptography.io](https://cryptography.io/en/latest/installation.html) . +## Generation of the private and public keys +The batch file GENKEY.bat contains the OpenSSL instruction for generating the private and public keys acccording to annex C of ETSI TS 103.666 part 1. +The following shell command shall be executed. + +`./GENKEY.bat` + +## Generation of the certificates +The following command shall be executed. + +`python3 CreateCertificate.py -i */, + aSimultaneousFileSessions 1/* */, + aSimultaneousFileSessionsPerFile 1/* */, + aTotalCapacity 0/**/, + aFreeCapacity 0/**/, + aMaxMetaDataSizePerNode 0 /**/ + } +} + +END \ No newline at end of file diff --git a/certificates/ETSI-SSP-AAA-CA.der b/certificates/ETSI-SSP-AAA-CA.der new file mode 100644 index 0000000000000000000000000000000000000000..c33a81664caee6e89d254f1f201dfbfd8447089d Binary files /dev/null and b/certificates/ETSI-SSP-AAA-CA.der differ diff --git a/certificates/ETSI-SSP-AAA-CA.pem b/certificates/ETSI-SSP-AAA-CA.pem new file mode 100644 index 0000000000000000000000000000000000000000..ce0bbb0aa54ffaff692e6a49617ffd8ea22cab32 --- /dev/null +++ b/certificates/ETSI-SSP-AAA-CA.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIIChTCCAgygAwIBAgIBAzAKBggqhkjOPQQDAjBbMQswCQYDVQQGEwJGUjENMAsG +A1UECAwEUEFDQTEYMBYGA1UEAwwPRVRTSS1TU1AtQUFBLUNJMREwDwYDVQQKDAhF +VFNJLk9SRzEQMA4GA1UECwwHU1NQLVRURjAeFw0yMTAxMDExMjAwMDBaFw0yMTEy +MDExMjAwMDBaMFsxCzAJBgNVBAYTAkZSMQ0wCwYDVQQIDARQQUNBMRgwFgYDVQQD +DA9FVFNJLVNTUC1BQUEtQ0ExETAPBgNVBAoMCEVUU0kuT1JHMRAwDgYDVQQLDAdT +U1AtVFRGMHowFAYHKoZIzj0CAQYJKyQDAwIIAQELA2IABBmrd8h4LvSfmK88I0KI +cwBRzLY6SdrikCvonESDSbtnlkhNYQSGV8bAUsM4v8PUHl+ogFKnYCXNY015N6a9 +bB3K3LszDYVvPBiMJyojGuvgEvMU/6zXIpZBfp287ftqCqOBnzCBnDAzBgNVHSAB +Af8EKTAnMCUGBgQAnFIBAjAbMBkGCCsGAQUFBwICMA0MC2lkLXJvbGUtQUFBMBIG +A1UdEwEB/wQIMAYBAf8CAQAwIgYDVR0jAQH/BBgwFoAUzedt9sI1v6cCjBYTG8Xm +A+yMrUcwHQYDVR0OBBYEFA0ykuEFcBc3fpFxWHghf6NfCm41MA4GA1UdDwEB/wQE +AwIHgDAKBggqhkjOPQQDAgNnADBkAjBkE2/0NcSZ+V2a/d3F0Ee1ZaQm8Z7scVTa +Q2UO/UVHOyo1JzHY+baxZQ3ONJzLdEgCMCo2z4b1m9YNiK7DoRo+zY/jh3bGxgTZ +Pjo6d5LnKEzEtZg//VJI5w4sLqOy9FIzaQ== +-----END CERTIFICATE----- diff --git a/certificates/ETSI-SSP-AAA-CI.der b/certificates/ETSI-SSP-AAA-CI.der new file mode 100644 index 0000000000000000000000000000000000000000..6db91a02dee4e526c765c594396b4fce7de04b07 Binary files /dev/null and b/certificates/ETSI-SSP-AAA-CI.der differ diff --git a/certificates/ETSI-SSP-AAA-CI.pem b/certificates/ETSI-SSP-AAA-CI.pem new file mode 100644 index 0000000000000000000000000000000000000000..953162e9f8e9d3bb6438c919fb835c5cb98dac93 --- /dev/null +++ b/certificates/ETSI-SSP-AAA-CI.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICgDCCAgegAwIBAgIBATAKBggqhkjOPQQDAjBbMQswCQYDVQQGEwJGUjENMAsG +A1UECAwEUEFDQTEYMBYGA1UEAwwPRVRTSS1TU1AtQUFBLUNJMREwDwYDVQQKDAhF +VFNJLk9SRzEQMA4GA1UECwwHU1NQLVRURjAeFw0yMTAxMDExMjAwMDBaFw0yMTEy +MDExMjAwMDBaMFsxCzAJBgNVBAYTAkZSMQ0wCwYDVQQIDARQQUNBMRgwFgYDVQQD +DA9FVFNJLVNTUC1BQUEtQ0kxETAPBgNVBAoMCEVUU0kuT1JHMRAwDgYDVQQLDAdT +U1AtVFRGMHowFAYHKoZIzj0CAQYJKyQDAwIIAQELA2IABEXfoLJouwwLaLkQ2Rj4 ++lU6a+bR0vTNAqkvPkPpfa4mt6vv6WA2xU2tfwrkcBOHvQeEZYw8DcvlqrbPIcqi +PXIP7E26u5txTeTwfJDshFHhUChqxtWBrR7hiwRRLym5dKOBmjCBlzAuBgNVHSAB +Af8EJDAiMCAGBQQAnFIBMBcwFQYIKwYBBQUHAgIwCQwHaWQtcm9sZTASBgNVHRMB +Af8ECDAGAQH/AgEBMCIGA1UdIwEB/wQYMBaAFM3nbfbCNb+nAowWExvF5gPsjK1H +MB0GA1UdDgQWBBTN5232wjW/pwKMFhMbxeYD7IytRzAOBgNVHQ8BAf8EBAMCB4Aw +CgYIKoZIzj0EAwIDZwAwZAIwXblY+4jp6wtTtRBDHGtFogRZUE97hk0o7yKWkfgv +aXIq3B4rU95hFf9xcnEYa5krAjB2arGy6K1RbVhg35ox6Tk5PIsgGbQ2nSSaRYKA ++TpovhHsQvy9zdn1P3sJy5NgaWE= +-----END CERTIFICATE----- diff --git a/certificates/ETSI-SSP-AAA-EE.der b/certificates/ETSI-SSP-AAA-EE.der new file mode 100644 index 0000000000000000000000000000000000000000..a6c8bca923957a56b38d02cbdee2193b6b789460 Binary files /dev/null and b/certificates/ETSI-SSP-AAA-EE.der differ diff --git a/certificates/ETSI-SSP-AAA-EE.pem b/certificates/ETSI-SSP-AAA-EE.pem new file mode 100644 index 0000000000000000000000000000000000000000..71fb9715e2dd4b8c0588e6d78ea8cb1f03686b57 --- /dev/null +++ b/certificates/ETSI-SSP-AAA-EE.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICjDCCAhOgAwIBAgIBBTAKBggqhkjOPQQDAjBbMQswCQYDVQQGEwJGUjENMAsG +A1UECAwEUEFDQTEYMBYGA1UEAwwPRVRTSS1TU1AtQUFBLUNBMREwDwYDVQQKDAhF +VFNJLk9SRzEQMA4GA1UECwwHU1NQLVRURjAeFw0yMTAxMDExMjAwMDBaFw0yMTEy +MDExMjAwMDBaMFsxCzAJBgNVBAYTAkZSMQ0wCwYDVQQIDARQQUNBMRgwFgYDVQQD +DA9FVFNJLVNTUC1BQUEtRUUxETAPBgNVBAoMCEVUU0kuT1JHMRAwDgYDVQQLDAdT +U1AtVFRGMHowFAYHKoZIzj0CAQYJKyQDAwIIAQELA2IABFkioLYXBNIajFonWCMA +u3cm60mtK92FX8s0khiM3ycpqjTtrljbbZOMbSeDfcvXh4TyCi1Hmxdt3O1oo9t2 +R/KcWq4glyQn/AAsuKem8lKCYPj7PaJ1XAMije4F/WZviqOBpjCBozBABgNVHSAB +Af8ENjA0MDIGBwQAnFIBAgEwJzAlBggrBgEFBQcCAjAZDBdpZC1yb2xlLWFhYS1h +cHBsaWNhdGlvbjAMBgNVHRMBAf8EAjAAMCIGA1UdIwEB/wQYMBaAFA0ykuEFcBc3 +fpFxWHghf6NfCm41MB0GA1UdDgQWBBTcNg23ofa8FZoZ/W4rQKUQmK6BhjAOBgNV +HQ8BAf8EBAMCB4AwCgYIKoZIzj0EAwIDZwAwZAIwdD7M2KiiRTzYrGGBJ2khF0T2 +FIB+M+ub+BeclwC3VUFggtin2Jkjl7ujoFfCcoTHAjB/HSO5kkBqagLvuLirk1jq +LtEIl9F6cIqVFtyKvSm+8K2Nw6XuGQ/iQWi/iewB3O0= +-----END CERTIFICATE----- diff --git a/certificates/ETSI-SSP-AAS-CA.der b/certificates/ETSI-SSP-AAS-CA.der new file mode 100644 index 0000000000000000000000000000000000000000..251a842db13b6623b22b409fa20bbd8ce55834a1 Binary files /dev/null and b/certificates/ETSI-SSP-AAS-CA.der differ diff --git a/certificates/ETSI-SSP-AAS-CA.pem b/certificates/ETSI-SSP-AAS-CA.pem new file mode 100644 index 0000000000000000000000000000000000000000..887ddbcdb86b47f767d8c4ad7e3555cd93b0fbb3 --- /dev/null +++ b/certificates/ETSI-SSP-AAS-CA.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIIChTCCAgygAwIBAgIBAzAKBggqhkjOPQQDAjBbMQswCQYDVQQGEwJGUjENMAsG +A1UECAwEUEFDQTEYMBYGA1UEAwwPRVRTSS1TU1AtQUFTLUNJMREwDwYDVQQKDAhF +VFNJLk9SRzEQMA4GA1UECwwHU1NQLVRURjAeFw0yMTAxMDExMjAwMDBaFw0yMTEy +MDExMjAwMDBaMFsxCzAJBgNVBAYTAkZSMQ0wCwYDVQQIDARQQUNBMRgwFgYDVQQD +DA9FVFNJLVNTUC1BQVMtQ0ExETAPBgNVBAoMCEVUU0kuT1JHMRAwDgYDVQQLDAdT +U1AtVFRGMHowFAYHKoZIzj0CAQYJKyQDAwIIAQELA2IABIv3eQL0X6Can3mnXC/v +2+fpDPADAdCf2FuzBr47lmI4lJVxWJUcJ3TAkhyekWJWeFILX1A0ZTYkHwO5J3a4 +UiL8yZfilvnlWlgF9HkMM0i3cYDbKThMckJEpRQJhrMET6OBnzCBnDAzBgNVHSAB +Af8EKTAnMCUGBgQAnFIBATAbMBkGCCsGAQUFBwICMA0MC2lkLXJvbGUtYWFzMBIG +A1UdEwEB/wQIMAYBAf8CAQAwIgYDVR0jAQH/BBgwFoAUzedt9sI1v6cCjBYTG8Xm +A+yMrUcwHQYDVR0OBBYEFNU19vSvqLYRA5oA7TphgqAAqZA2MA4GA1UdDwEB/wQE +AwIHgDAKBggqhkjOPQQDAgNnADBkAjAksbkFzESADOVy9VhEIcibDNCHqeTq+ouF +SS6S3Gm+6XOui4ROa5oOZiMXgptZn88CMGJsQkWMYEbSG96UH00zQOI7pOWKxT9Z +FYO0nJ+iaPXGE2bhjFbGdS+fp+HsJYXrRQ== +-----END CERTIFICATE----- diff --git a/certificates/ETSI-SSP-AAS-CI.der b/certificates/ETSI-SSP-AAS-CI.der new file mode 100644 index 0000000000000000000000000000000000000000..8283a27991fe3c716beb14cd1627fdcd25b4e2c8 Binary files /dev/null and b/certificates/ETSI-SSP-AAS-CI.der differ diff --git a/certificates/ETSI-SSP-AAS-CI.pem b/certificates/ETSI-SSP-AAS-CI.pem new file mode 100644 index 0000000000000000000000000000000000000000..9258ebea01110b0f883587bca980745d0dd9b8ae --- /dev/null +++ b/certificates/ETSI-SSP-AAS-CI.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICfzCCAgegAwIBAgIBATAKBggqhkjOPQQDAjBbMQswCQYDVQQGEwJGUjENMAsG +A1UECAwEUEFDQTEYMBYGA1UEAwwPRVRTSS1TU1AtQUFTLUNJMREwDwYDVQQKDAhF +VFNJLk9SRzEQMA4GA1UECwwHU1NQLVRURjAeFw0yMTAxMDExMjAwMDBaFw0yMTEy +MDExMjAwMDBaMFsxCzAJBgNVBAYTAkZSMQ0wCwYDVQQIDARQQUNBMRgwFgYDVQQD +DA9FVFNJLVNTUC1BQVMtQ0kxETAPBgNVBAoMCEVUU0kuT1JHMRAwDgYDVQQLDAdT +U1AtVFRGMHowFAYHKoZIzj0CAQYJKyQDAwIIAQELA2IABEXfoLJouwwLaLkQ2Rj4 ++lU6a+bR0vTNAqkvPkPpfa4mt6vv6WA2xU2tfwrkcBOHvQeEZYw8DcvlqrbPIcqi +PXIP7E26u5txTeTwfJDshFHhUChqxtWBrR7hiwRRLym5dKOBmjCBlzAuBgNVHSAB +Af8EJDAiMCAGBQQAnFIBMBcwFQYIKwYBBQUHAgIwCQwHaWQtcm9sZTASBgNVHRMB +Af8ECDAGAQH/AgEBMCIGA1UdIwEB/wQYMBaAFM3nbfbCNb+nAowWExvF5gPsjK1H +MB0GA1UdDgQWBBTN5232wjW/pwKMFhMbxeYD7IytRzAOBgNVHQ8BAf8EBAMCB4Aw +CgYIKoZIzj0EAwIDZgAwYwIvNut9Mbtrj9qE3il1bVLZUI9ogkMR6HzqNlgSwnzY +sQ4m6NIVRGxCc+qza83/h9wCMDsqWeBQECwjVGQPPTRTrcbdVl1LUv/iKTMFQxdV +1sbO7yH8vUnGaL5D5DN7Ry7cVg== +-----END CERTIFICATE----- diff --git a/certificates/ETSI-SSP-AAS-EE.der b/certificates/ETSI-SSP-AAS-EE.der new file mode 100644 index 0000000000000000000000000000000000000000..f8e4e65c6eb80af8b821f66b422ec2d343664781 Binary files /dev/null and b/certificates/ETSI-SSP-AAS-EE.der differ diff --git a/certificates/ETSI-SSP-AAS-EE.pem b/certificates/ETSI-SSP-AAS-EE.pem new file mode 100644 index 0000000000000000000000000000000000000000..30e9d92a7c73de512a925c3e557bb4036bb82f6e --- /dev/null +++ b/certificates/ETSI-SSP-AAS-EE.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICiDCCAg+gAwIBAgIBBTAKBggqhkjOPQQDAjBbMQswCQYDVQQGEwJGUjENMAsG +A1UECAwEUEFDQTEYMBYGA1UEAwwPRVRTSS1TU1AtQUFTLUNBMREwDwYDVQQKDAhF +VFNJLk9SRzEQMA4GA1UECwwHU1NQLVRURjAeFw0yMTAxMDExMjAwMDBaFw0yMTEy +MDExMjAwMDBaMFsxCzAJBgNVBAYTAkZSMQ0wCwYDVQQIDARQQUNBMRgwFgYDVQQD +DA9FVFNJLVNTUC1BQVMtRUUxETAPBgNVBAoMCEVUU0kuT1JHMRAwDgYDVQQLDAdT +U1AtVFRGMHowFAYHKoZIzj0CAQYJKyQDAwIIAQELA2IABGCQZHHKCQ+nPexg+o/Y +nWvGcvmTM6XkAtnlGdPuAk7FtNqkl8BmAjEBVBN1jBQ+EhzBkueP+MVRcW0wnMlS +DSafAsC7EodHQGy0VDN7pyc7h0GRZ81gvTe2rEGXSopLVKOBojCBnzA8BgNVHSAB +Af8EMjAwMC4GBwQAnFIBAQEwIzAhBggrBgEFBQcCAjAVDBNpZC1yb2xlLWFhcy1z +ZXJ2aWNlMAwGA1UdEwEB/wQCMAAwIgYDVR0jAQH/BBgwFoAU1TX29K+othEDmgDt +OmGCoACpkDYwHQYDVR0OBBYEFDZBrZaDHDIkfVfpotFaZlKmjNnnMA4GA1UdDwEB +/wQEAwIHgDAKBggqhkjOPQQDAgNnADBkAjBB0o6vhS3qt8IY2Du7hvjm2Wa93XjJ +XJw0iOruN60fpx/TFKJmqMUjYLau/nIBa+kCMCBecaXYzw4wgIAAt8MPw6fAxwBd +taB6jIC8BqmSiXidrixGdjKNP18W5netoQzBZQ== +-----END CERTIFICATE----- diff --git a/constante.py b/constante.py new file mode 100644 index 0000000000000000000000000000000000000000..a82808d7ef3f03d9db143972546495f7c00e6fed --- /dev/null +++ b/constante.py @@ -0,0 +1,85 @@ +from cryptography.hazmat.primitives.asymmetric import ec +OID_PUBLICKEY = '1.2.840.10045.2.1' +OID_BRAINPOOLP384R1 = '1.3.36.3.3.2.8.1.1.11' +KEY_SIZE_E128 = 0 # Key_Size e128 +KEY_SIZE_E256 = 1 # Key_Size e256 +AES_CGM = 0 # aAES-CGM-StreamCipherIdentifier +OID_ECDSASHA256 = '1.2.840.10045.4.3.2' # ecdsa-with-SHA256(2) +OID_AKI = '2.5.29.35' # Authority Key Identifier +V1 = 0 # Version 1 +CURVES = {'BrainpoolP256R1': ec.BrainpoolP256R1, + 'BrainpoolP384R1': ec.BrainpoolP384R1, + 'NIST P-256': ec.SECP256R1, + 'NIST P-384': ec.SECP384R1 + } +KEY_SIZES = { + 128: KEY_SIZE_E128, + 256: KEY_SIZE_E256 + } +# Keywords in the Yaml configuration file + +KW_ATK_CREDENTIALS = 'Authentication Credentials' +KW_AUTHENTICATION_COMMAND = 'Authenticate command' +KW_AUTHENTICATION_RESPONSE = 'Authenticate response' +KW_AUTHENTICATIONTOKEN = 'AuthenticationToken' +KW_AUTHENTICATIONTOKENCREDENTIALS = 'AuthenticationTokenCredentials' +KW_BASICCONSTRAINTS = 'BasicConstraints' +KW_C = 'C' +KW_CA = 'CA' +KW_CERTIFICATE = 'Certificate' +KW_CERTIFICATEPOLICIES = 'CertificatePolicies' +KW_CERTIFICATIONPATH = 'CertificationPath' +KW_CHALLENGE = 'Challenge' +KW_CHALLENGE_COMMAND = 'Challenge command' +KW_CHALLENGE_RESPONSE = 'Challenge response' +KW_CN = 'CN' +KW_CRITICAL = 'Critical' +KW_DECRYPT = 'Decrypt' +KW_ECKA_CURVE = 'ECKA-Curve' +KW_ENCRYPT = 'Encrypt' +KW_EXPLICIT_TEXT = 'Explicit_text' +KW_EXTENSIONS = 'Extensions' +KW_GENERATE = 'Generate' +KW_GENERATE_SHARED_KEY = 'Generate shared key' +KW_IDENTIFIER = 'Identifier' +KW_IN = 'In' +KW_ISSUER = 'Issuer' +KW_KEYSIZE = 'KeySize' +KW_LN = 'LN' +KW_MODELES = 'Modeles' +KW_MTU = 'MTU' +KW_NAME = 'Name' +KW_NOT_AFTER = 'Not_after' +KW_NOT_BEFORE = 'Not_before' +KW_O = 'O' +KW_OAS_COMMAND = 'OAS command' +KW_OAS_RESPONSE = 'OAS response' +KW_OU = 'OU' +KW_OUT = 'Out' +KW_PATH = 'Path' +KW_PATHLEN = 'Pathlen' +KW_PRIVATE = 'Private' +KW_PUBLIC = 'Public' +KW_READ_CHALLENGE_RESPONSE = 'Read Challenge response' +KW_READ_OAS_RESPONSE = 'Read OAS response' +KW_SEQUENCE = 'Sequence' +KW_SERIAL_NUMBER = 'Serial_number' +KW_SI = "Service Identifier" +KW_ST = 'ST' +KW_SUBJECT = 'Subject' +KW_VALUE = 'Value' +# Paths of the folders + +PATH_PRIVATE = 'private_keys/' +PATH_PUBLIC = 'public_keys/' +PATH_CERTIFICATES = 'certificates/' +PATH_TOKENS = 'tokens/' +PATH_CREDENTIALS = 'credentials/' + +# SI information for derivation keys +SI128 = b'\x10\x90\x10' +SI256 = b'\x20\x90\x20' +SI_KEYS = {KEY_SIZE_E128: SI128, KEY_SIZE_E256: SI256} +MD_LENGTH = {KEY_SIZE_E128: 32, KEY_SIZE_E256: 48} +# secure SCL +SCL_SIZE_SEQ = 4 # Size of SEQ field (32 bit) in the secure SCL message diff --git a/credentials/AAS01.bin b/credentials/AAS01.bin new file mode 100644 index 0000000000000000000000000000000000000000..95b49e129782a40e513dc96ea06b91a93f505c8c --- /dev/null +++ b/credentials/AAS01.bin @@ -0,0 +1 @@ +<ù£ÓqÂG7’‡K)‡>>… \ No newline at end of file diff --git a/credentials/CP_AAA.der b/credentials/CP_AAA.der new file mode 100644 index 0000000000000000000000000000000000000000..28dbba187ff4dbf38ec6d40fbe570fdadd8d9f7f Binary files /dev/null and b/credentials/CP_AAA.der differ diff --git a/credentials/CP_AAS.der b/credentials/CP_AAS.der new file mode 100644 index 0000000000000000000000000000000000000000..6baa89614427fd3eb0020057d7173d90a4e120d0 Binary files /dev/null and b/credentials/CP_AAS.der differ diff --git a/credentials/GCM_AAA_AAS.der b/credentials/GCM_AAA_AAS.der new file mode 100644 index 0000000000000000000000000000000000000000..8305c3925d34cb33aa24500a46e1ff23638e5b51 --- /dev/null +++ b/credentials/GCM_AAA_AAS.der @@ -0,0 +1 @@ +04 i’2³µüþ¶E}¦h¬b¯Ùs²AßÙpœlÜd†!ŠR¿J•gDê+)÷ \ No newline at end of file diff --git a/credentials/Text_in.bin b/credentials/Text_in.bin new file mode 100644 index 0000000000000000000000000000000000000000..47dc990d167875365d4fd8e74b72e7f81dfdb22d --- /dev/null +++ b/credentials/Text_in.bin @@ -0,0 +1,8 @@ +We are responsible for the development and maintenance of specifications for Secure Elements (SEs) in a multi-application capable environment, +the integration into such an environment, as well as the secure provisioning of services making use of SEs. + +Our work includes the development and maintenance of specifications for the SE and its interface to the outside world for use in telecommunication systems, +for general telecommunication purposes as well as for Machine-to-Machine (M2M)/Internet of Things (IoT) communications. +The committee’s work comprises the interface, +procedures and protocol specifications between the SE and entities (remote or local) used in its management. It also includes interfaces, +procedures and protocol specifications used between such entities for the secure provisioning and operation of services making use of the SE. \ No newline at end of file diff --git a/credentials/aAAS-OP-AUTHENTICATE-Service-Command.der b/credentials/aAAS-OP-AUTHENTICATE-Service-Command.der new file mode 100644 index 0000000000000000000000000000000000000000..be224d7e5c72e3758c2093f8b20528c5fbc75c38 Binary files /dev/null and b/credentials/aAAS-OP-AUTHENTICATE-Service-Command.der differ diff --git a/credentials/aAAS-OP-AUTHENTICATE-Service-Response.der b/credentials/aAAS-OP-AUTHENTICATE-Service-Response.der new file mode 100644 index 0000000000000000000000000000000000000000..6b5775f92b85ec7455a7f990baa9969be053b522 Binary files /dev/null and b/credentials/aAAS-OP-AUTHENTICATE-Service-Response.der differ diff --git a/credentials/aAAS-OP-GET-CHALLENGE-Service-Command.der b/credentials/aAAS-OP-GET-CHALLENGE-Service-Command.der new file mode 100644 index 0000000000000000000000000000000000000000..b2b9e0cd0648b4863aa3426c6a5cb67c65e938c4 Binary files /dev/null and b/credentials/aAAS-OP-GET-CHALLENGE-Service-Command.der differ diff --git a/credentials/aAAS-OP-GET-CHALLENGE-Service-Response.der b/credentials/aAAS-OP-GET-CHALLENGE-Service-Response.der new file mode 100644 index 0000000000000000000000000000000000000000..2b8d4c506799dd1835609a36318c8aee55f30d5c Binary files /dev/null and b/credentials/aAAS-OP-GET-CHALLENGE-Service-Response.der differ diff --git a/private_keys/ATK-AAA-ECKA-private-key.der b/private_keys/ATK-AAA-ECKA-private-key.der new file mode 100644 index 0000000000000000000000000000000000000000..26bcf0ac29bc3323410846c2fd58c0653f60af28 Binary files /dev/null and b/private_keys/ATK-AAA-ECKA-private-key.der differ diff --git a/private_keys/ATK-AAS-ECKA-private-key.der b/private_keys/ATK-AAS-ECKA-private-key.der new file mode 100644 index 0000000000000000000000000000000000000000..7b5f90aab5c133326d296532ce643b6209fb8139 Binary files /dev/null and b/private_keys/ATK-AAS-ECKA-private-key.der differ diff --git a/private_keys/ETSI-SSP-AAA-CA-FAKE-private-key.der b/private_keys/ETSI-SSP-AAA-CA-FAKE-private-key.der new file mode 100644 index 0000000000000000000000000000000000000000..a4d330ed45087fce759e118497bd98e70cfe1f34 Binary files /dev/null and b/private_keys/ETSI-SSP-AAA-CA-FAKE-private-key.der differ diff --git a/private_keys/ETSI-SSP-AAA-CA-FAKE-private-key.pem b/private_keys/ETSI-SSP-AAA-CA-FAKE-private-key.pem new file mode 100644 index 0000000000000000000000000000000000000000..6523c2fd7e8c0a160e0b35ca1e72c87af632187e --- /dev/null +++ b/private_keys/ETSI-SSP-AAA-CA-FAKE-private-key.pem @@ -0,0 +1,6 @@ +-----BEGIN EC PRIVATE KEY----- +MIGoAgEBBDA8wK4BXTmZTCypQrC3T2Qp1e8fhznxxZj0gLCl7Fib3Os2Dcin9t7i +j9B5nUc1bXmgCwYJKyQDAwIIAQELoWQDYgAEGat3yHgu9J+YrzwjQohzAFHMtjpJ +2uKQK+icRINJu2eWSE1hBIZXxsBSwzi/w9QeX6iAUqdgJc1jTXk3pr1sHcrcuzMN +hW88GIwnKiMa6+AS8xT/rNcilkF+nbzt+2oK +-----END EC PRIVATE KEY----- diff --git a/private_keys/ETSI-SSP-AAA-CA-private-key.der b/private_keys/ETSI-SSP-AAA-CA-private-key.der new file mode 100644 index 0000000000000000000000000000000000000000..bb24e2993985a33d4929ff02fd3bed85357bce27 Binary files /dev/null and b/private_keys/ETSI-SSP-AAA-CA-private-key.der differ diff --git a/private_keys/ETSI-SSP-AAA-CA-private-key.pem b/private_keys/ETSI-SSP-AAA-CA-private-key.pem new file mode 100644 index 0000000000000000000000000000000000000000..6523c2fd7e8c0a160e0b35ca1e72c87af632187e --- /dev/null +++ b/private_keys/ETSI-SSP-AAA-CA-private-key.pem @@ -0,0 +1,6 @@ +-----BEGIN EC PRIVATE KEY----- +MIGoAgEBBDA8wK4BXTmZTCypQrC3T2Qp1e8fhznxxZj0gLCl7Fib3Os2Dcin9t7i +j9B5nUc1bXmgCwYJKyQDAwIIAQELoWQDYgAEGat3yHgu9J+YrzwjQohzAFHMtjpJ +2uKQK+icRINJu2eWSE1hBIZXxsBSwzi/w9QeX6iAUqdgJc1jTXk3pr1sHcrcuzMN +hW88GIwnKiMa6+AS8xT/rNcilkF+nbzt+2oK +-----END EC PRIVATE KEY----- diff --git a/private_keys/ETSI-SSP-AAA-CI-private-key.der b/private_keys/ETSI-SSP-AAA-CI-private-key.der new file mode 100644 index 0000000000000000000000000000000000000000..7e86bf44f94fbba6a0560367a0a89883e3475afa Binary files /dev/null and b/private_keys/ETSI-SSP-AAA-CI-private-key.der differ diff --git a/private_keys/ETSI-SSP-AAA-EE-private-key.der b/private_keys/ETSI-SSP-AAA-EE-private-key.der new file mode 100644 index 0000000000000000000000000000000000000000..0057a0e0dd40d35d0462c78d8518ef14196b5f48 Binary files /dev/null and b/private_keys/ETSI-SSP-AAA-EE-private-key.der differ diff --git a/private_keys/ETSI-SSP-AAA-EE-private-key.pem b/private_keys/ETSI-SSP-AAA-EE-private-key.pem new file mode 100644 index 0000000000000000000000000000000000000000..0f0723cf004b2266990dc8bad8d2b74ea378e838 --- /dev/null +++ b/private_keys/ETSI-SSP-AAA-EE-private-key.pem @@ -0,0 +1,6 @@ +-----BEGIN EC PRIVATE KEY----- +MIGoAgEBBDBmIUfWSm51jVzkA1d/aszqEpsMyDP91t9or5WXR5by1O/J8d/MGvmH +LcObgBSJhpegCwYJKyQDAwIIAQELoWQDYgAEWSKgthcE0hqMWidYIwC7dybrSa0r +3YVfyzSSGIzfJymqNO2uWNttk4xtJ4N9y9eHhPIKLUebF23c7Wij23ZH8pxariCX +JCf8ACy4p6byUoJg+Ps9onVcAyKN7gX9Zm+K +-----END EC PRIVATE KEY----- diff --git a/private_keys/ETSI-SSP-AAA-Token-private-key.der b/private_keys/ETSI-SSP-AAA-Token-private-key.der new file mode 100644 index 0000000000000000000000000000000000000000..597a1c3d818cfff4c8179b6eddc8e017b67a628a Binary files /dev/null and b/private_keys/ETSI-SSP-AAA-Token-private-key.der differ diff --git a/private_keys/ETSI-SSP-AAS-CA-private-key.der b/private_keys/ETSI-SSP-AAS-CA-private-key.der new file mode 100644 index 0000000000000000000000000000000000000000..d25929b62d8b038b39bd7ce83782c86257a71ad4 Binary files /dev/null and b/private_keys/ETSI-SSP-AAS-CA-private-key.der differ diff --git a/private_keys/ETSI-SSP-AAS-CA-private-key.pem b/private_keys/ETSI-SSP-AAS-CA-private-key.pem new file mode 100644 index 0000000000000000000000000000000000000000..a1f672785709aca9d19c36a4d229f7cf5cb367c3 --- /dev/null +++ b/private_keys/ETSI-SSP-AAS-CA-private-key.pem @@ -0,0 +1,6 @@ +-----BEGIN EC PRIVATE KEY----- +MIGoAgEBBDAxG+K3D9D+gbwfjMleCv94/IgmtAeuydGUUd8yLSQWZtWorSpKSSmV +SC/y5dd2q9ugCwYJKyQDAwIIAQELoWQDYgAEi/d5AvRfoJqfeadcL+/b5+kM8AMB +0J/YW7MGvjuWYjiUlXFYlRwndMCSHJ6RYlZ4UgtfUDRlNiQfA7kndrhSIvzJl+KW ++eVaWAX0eQwzSLdxgNspOExyQkSlFAmGswRP +-----END EC PRIVATE KEY----- diff --git a/private_keys/ETSI-SSP-AAS-CI-private-key.der b/private_keys/ETSI-SSP-AAS-CI-private-key.der new file mode 100644 index 0000000000000000000000000000000000000000..7e86bf44f94fbba6a0560367a0a89883e3475afa Binary files /dev/null and b/private_keys/ETSI-SSP-AAS-CI-private-key.der differ diff --git a/private_keys/ETSI-SSP-AAS-EE-private-key.der b/private_keys/ETSI-SSP-AAS-EE-private-key.der new file mode 100644 index 0000000000000000000000000000000000000000..c9ab68b1b1c9d1ccf3e9601c12f39699d57dee8e Binary files /dev/null and b/private_keys/ETSI-SSP-AAS-EE-private-key.der differ diff --git a/private_keys/ETSI-SSP-AAS-EE-private-key.pem b/private_keys/ETSI-SSP-AAS-EE-private-key.pem new file mode 100644 index 0000000000000000000000000000000000000000..51ce8d436e8d7880480163e89d380adefe92fe8d --- /dev/null +++ b/private_keys/ETSI-SSP-AAS-EE-private-key.pem @@ -0,0 +1,6 @@ +-----BEGIN EC PRIVATE KEY----- +MIGoAgEBBDA5BhKos6R4rCkV0z4wa0ba/sML/+G9dXI5w2wqb90Bh3Z9wzdUe4MT ++ROwQ30/zMugCwYJKyQDAwIIAQELoWQDYgAEYJBkccoJD6c97GD6j9ida8Zy+ZMz +peQC2eUZ0+4CTsW02qSXwGYCMQFUE3WMFD4SHMGS54/4xVFxbTCcyVINJp8CwLsS +h0dAbLRUM3unJzuHQZFnzWC9N7asQZdKiktU +-----END EC PRIVATE KEY----- diff --git a/private_keys/ETSI-SSP-AAS-Token-private-key.der b/private_keys/ETSI-SSP-AAS-Token-private-key.der new file mode 100644 index 0000000000000000000000000000000000000000..bd6724013ae880a479dc614f7f13b89b3200106d Binary files /dev/null and b/private_keys/ETSI-SSP-AAS-Token-private-key.der differ diff --git a/private_keys/ETSI-SSP-CI-private-key.pem b/private_keys/ETSI-SSP-CI-private-key.pem new file mode 100644 index 0000000000000000000000000000000000000000..f555c8ad8edf6e6da53ffc1875a8f9db974c5f5f --- /dev/null +++ b/private_keys/ETSI-SSP-CI-private-key.pem @@ -0,0 +1,6 @@ +-----BEGIN EC PRIVATE KEY----- +MIGoAgEBBDCKmNUVzADHCoVQKWyGjVLaiPyOuFtWNhcrsGUcyt75sIiSdXP/gWJe +9xwrEvlIWZegCwYJKyQDAwIIAQELoWQDYgAERd+gsmi7DAtouRDZGPj6VTpr5tHS +9M0CqS8+Q+l9ria3q+/pYDbFTa1/CuRwE4e9B4RljDwNy+Wqts8hyqI9cg/sTbq7 +m3FN5PB8kOyEUeFQKGrG1YGtHuGLBFEvKbl0 +-----END EC PRIVATE KEY----- diff --git a/public_keys/ETSI-SSP-AAA-CA-FAKE-public-key.der b/public_keys/ETSI-SSP-AAA-CA-FAKE-public-key.der new file mode 100644 index 0000000000000000000000000000000000000000..a0ae667ec94a3e9f6645fe00f7f259f55ac23aa9 Binary files /dev/null and b/public_keys/ETSI-SSP-AAA-CA-FAKE-public-key.der differ diff --git a/public_keys/ETSI-SSP-AAA-CA-public-key.der b/public_keys/ETSI-SSP-AAA-CA-public-key.der new file mode 100644 index 0000000000000000000000000000000000000000..65eaecba67ca057b0c5ae48d3028514a66076e40 Binary files /dev/null and b/public_keys/ETSI-SSP-AAA-CA-public-key.der differ diff --git a/public_keys/ETSI-SSP-AAA-CA-public-key.pem b/public_keys/ETSI-SSP-AAA-CA-public-key.pem new file mode 100644 index 0000000000000000000000000000000000000000..a0253af2c602ba6334590c201790f254767998c1 --- /dev/null +++ b/public_keys/ETSI-SSP-AAA-CA-public-key.pem @@ -0,0 +1,5 @@ +-----BEGIN PUBLIC KEY----- +MHowFAYHKoZIzj0CAQYJKyQDAwIIAQELA2IABBmrd8h4LvSfmK88I0KIcwBRzLY6 +SdrikCvonESDSbtnlkhNYQSGV8bAUsM4v8PUHl+ogFKnYCXNY015N6a9bB3K3Lsz +DYVvPBiMJyojGuvgEvMU/6zXIpZBfp287ftqCg== +-----END PUBLIC KEY----- diff --git a/public_keys/ETSI-SSP-AAA-CI-public-key.der b/public_keys/ETSI-SSP-AAA-CI-public-key.der new file mode 100644 index 0000000000000000000000000000000000000000..8eced246003e4479f04f0d22a61cd47673910e44 Binary files /dev/null and b/public_keys/ETSI-SSP-AAA-CI-public-key.der differ diff --git a/public_keys/ETSI-SSP-AAA-CI-public-key.pem b/public_keys/ETSI-SSP-AAA-CI-public-key.pem new file mode 100644 index 0000000000000000000000000000000000000000..d1fa2b9cc7b86c91fd3fe0b75dfc1c562fab0d87 --- /dev/null +++ b/public_keys/ETSI-SSP-AAA-CI-public-key.pem @@ -0,0 +1,5 @@ +-----BEGIN PUBLIC KEY----- +MHowFAYHKoZIzj0CAQYJKyQDAwIIAQELA2IABEXfoLJouwwLaLkQ2Rj4+lU6a+bR +0vTNAqkvPkPpfa4mt6vv6WA2xU2tfwrkcBOHvQeEZYw8DcvlqrbPIcqiPXIP7E26 +u5txTeTwfJDshFHhUChqxtWBrR7hiwRRLym5dA== +-----END PUBLIC KEY----- diff --git a/public_keys/ETSI-SSP-AAA-EE-FAKE-public-key.der b/public_keys/ETSI-SSP-AAA-EE-FAKE-public-key.der new file mode 100644 index 0000000000000000000000000000000000000000..2b1e1a4ea9596b859dff1ff1b4036c38500463d1 Binary files /dev/null and b/public_keys/ETSI-SSP-AAA-EE-FAKE-public-key.der differ diff --git a/public_keys/ETSI-SSP-AAA-EE-public-key.der b/public_keys/ETSI-SSP-AAA-EE-public-key.der new file mode 100644 index 0000000000000000000000000000000000000000..2b1e1a4ea9596b859dff1ff1b4036c38500463d1 Binary files /dev/null and b/public_keys/ETSI-SSP-AAA-EE-public-key.der differ diff --git a/public_keys/ETSI-SSP-AAA-EE-public-key.pem b/public_keys/ETSI-SSP-AAA-EE-public-key.pem new file mode 100644 index 0000000000000000000000000000000000000000..fcf93a352c10f960c6f0d90aa4d54913cf96d198 --- /dev/null +++ b/public_keys/ETSI-SSP-AAA-EE-public-key.pem @@ -0,0 +1,5 @@ +-----BEGIN PUBLIC KEY----- +MHowFAYHKoZIzj0CAQYJKyQDAwIIAQELA2IABFkioLYXBNIajFonWCMAu3cm60mt +K92FX8s0khiM3ycpqjTtrljbbZOMbSeDfcvXh4TyCi1Hmxdt3O1oo9t2R/KcWq4g +lyQn/AAsuKem8lKCYPj7PaJ1XAMije4F/WZvig== +-----END PUBLIC KEY----- diff --git a/public_keys/ETSI-SSP-AAS-CA-public-key.der b/public_keys/ETSI-SSP-AAS-CA-public-key.der new file mode 100644 index 0000000000000000000000000000000000000000..4d8cd257ec8e6472b52d15cf920bf0cc76621050 Binary files /dev/null and b/public_keys/ETSI-SSP-AAS-CA-public-key.der differ diff --git a/public_keys/ETSI-SSP-AAS-CA-public-key.pem b/public_keys/ETSI-SSP-AAS-CA-public-key.pem new file mode 100644 index 0000000000000000000000000000000000000000..d28db8868d16364e2a698265ffc843eddf5c4ea7 --- /dev/null +++ b/public_keys/ETSI-SSP-AAS-CA-public-key.pem @@ -0,0 +1,5 @@ +-----BEGIN PUBLIC KEY----- +MHowFAYHKoZIzj0CAQYJKyQDAwIIAQELA2IABIv3eQL0X6Can3mnXC/v2+fpDPAD +AdCf2FuzBr47lmI4lJVxWJUcJ3TAkhyekWJWeFILX1A0ZTYkHwO5J3a4UiL8yZfi +lvnlWlgF9HkMM0i3cYDbKThMckJEpRQJhrMETw== +-----END PUBLIC KEY----- diff --git a/public_keys/ETSI-SSP-AAS-CI-public-key.der b/public_keys/ETSI-SSP-AAS-CI-public-key.der new file mode 100644 index 0000000000000000000000000000000000000000..8eced246003e4479f04f0d22a61cd47673910e44 Binary files /dev/null and b/public_keys/ETSI-SSP-AAS-CI-public-key.der differ diff --git a/public_keys/ETSI-SSP-AAS-CI-public-key.pem b/public_keys/ETSI-SSP-AAS-CI-public-key.pem new file mode 100644 index 0000000000000000000000000000000000000000..d1fa2b9cc7b86c91fd3fe0b75dfc1c562fab0d87 --- /dev/null +++ b/public_keys/ETSI-SSP-AAS-CI-public-key.pem @@ -0,0 +1,5 @@ +-----BEGIN PUBLIC KEY----- +MHowFAYHKoZIzj0CAQYJKyQDAwIIAQELA2IABEXfoLJouwwLaLkQ2Rj4+lU6a+bR +0vTNAqkvPkPpfa4mt6vv6WA2xU2tfwrkcBOHvQeEZYw8DcvlqrbPIcqiPXIP7E26 +u5txTeTwfJDshFHhUChqxtWBrR7hiwRRLym5dA== +-----END PUBLIC KEY----- diff --git a/public_keys/ETSI-SSP-AAS-EE-public-key.der b/public_keys/ETSI-SSP-AAS-EE-public-key.der new file mode 100644 index 0000000000000000000000000000000000000000..c75e564e899f09fd9dc36a513f91857faa96d841 Binary files /dev/null and b/public_keys/ETSI-SSP-AAS-EE-public-key.der differ diff --git a/public_keys/ETSI-SSP-AAS-EE-public-key.pem b/public_keys/ETSI-SSP-AAS-EE-public-key.pem new file mode 100644 index 0000000000000000000000000000000000000000..e4b6299ce32a6760d53fa4ebd82078784595bf45 --- /dev/null +++ b/public_keys/ETSI-SSP-AAS-EE-public-key.pem @@ -0,0 +1,5 @@ +-----BEGIN PUBLIC KEY----- +MHowFAYHKoZIzj0CAQYJKyQDAwIIAQELA2IABGCQZHHKCQ+nPexg+o/YnWvGcvmT +M6XkAtnlGdPuAk7FtNqkl8BmAjEBVBN1jBQ+EhzBkueP+MVRcW0wnMlSDSafAsC7 +EodHQGy0VDN7pyc7h0GRZ81gvTe2rEGXSopLVA== +-----END PUBLIC KEY----- diff --git a/public_keys/ETSI-SSP-CI-public-key.pem b/public_keys/ETSI-SSP-CI-public-key.pem new file mode 100644 index 0000000000000000000000000000000000000000..d1fa2b9cc7b86c91fd3fe0b75dfc1c562fab0d87 --- /dev/null +++ b/public_keys/ETSI-SSP-CI-public-key.pem @@ -0,0 +1,5 @@ +-----BEGIN PUBLIC KEY----- +MHowFAYHKoZIzj0CAQYJKyQDAwIIAQELA2IABEXfoLJouwwLaLkQ2Rj4+lU6a+bR +0vTNAqkvPkPpfa4mt6vv6WA2xU2tfwrkcBOHvQeEZYw8DcvlqrbPIcqiPXIP7E26 +u5txTeTwfJDshFHhUChqxtWBrR7hiwRRLym5dA== +-----END PUBLIC KEY----- diff --git a/tokens/ATK-AAA-ECKA.der b/tokens/ATK-AAA-ECKA.der new file mode 100644 index 0000000000000000000000000000000000000000..9fad0d023fc6a8b292cdc6c4c13ffafc7e80ccf5 Binary files /dev/null and b/tokens/ATK-AAA-ECKA.der differ diff --git a/tokens/ATK-AAS-ECKA.der b/tokens/ATK-AAS-ECKA.der new file mode 100644 index 0000000000000000000000000000000000000000..d43ce3f5072be4b007b2328efe47350d8aaf1208 Binary files /dev/null and b/tokens/ATK-AAS-ECKA.der differ diff --git a/ui.py b/ui.py new file mode 100644 index 0000000000000000000000000000000000000000..8dfae1b8c542ba1c9a4a371e5909148c2ae3956a --- /dev/null +++ b/ui.py @@ -0,0 +1,60 @@ +import sys +import getopt + +defaultConfiguration = { + 'options': 'chi:o', + 'description': ["ifile=", "ofile=", "ccommand="], + 'usage': 'Program.py -c [-i ] [-o ]' +} + + +class UI: + """Base class for a handling a public key.""" + + def __init__(self, configuration=defaultConfiguration): + """ Instiate the UI object.""" + argv = sys.argv[1:] + self.inputfile = '' + self.outputfile = '' + self.command = '' + try: + opts, args = getopt.getopt(argv, configuration['options'], + configuration['description']) + except getopt.GetoptError: + print(configuration['usage']) + sys.exit(2) + for opt, arg in opts: + if opt == '-h': + # define the usage + print(configuration['usage']) + sys.exit() + elif opt in ("-i", "--ifile"): + self.inputfile = arg + elif opt in ("-o", "--ofile"): + self.outputfile = arg + elif opt in ("-c", "--ccommand"): + self.command = arg + + def getInputFile(self): + """Get the inpufile.""" + return self.inputfile + + def getOutputFile(self): + """Get the inpufile.""" + return self.outputfile + + def getCommand(self): + """Get the inpufile.""" + return self.command + + def isInputFile(self): + """Return true if the input file exists.""" + return self.inputfile != '' + + def isCommand(self): + """Return true if the input file exists.""" + return self.command != '' + + def isOutputFile(self): + """Return true if the input file exists.""" + return self.outputfile != '' \ No newline at end of file diff --git a/viewcert.bat b/viewcert.bat new file mode 100644 index 0000000000000000000000000000000000000000..3924cdfd851cf3be0fbb905180a14d5f3e858ebb --- /dev/null +++ b/viewcert.bat @@ -0,0 +1,39 @@ +echo ETSI-SSP-CI-private-key >summary.txt +openssl ec -inform DER -in private_keys/ETSI-SSP-CI-private-key.der -text >>summary.txt +echo ETSI-SSP-AAA-CA-private-key >>summary.txt +openssl ec -inform DER -in private_keys/ETSI-SSP-AAA-CA-private-key.der -text >>summary.txt +echo ETSI-SSP-AAA-EE-private-key >>summary.txt +openssl ec -inform DER -in private_keys/ETSI-SSP-AAA-EE-private-key.der -text >>summary.txt +echo ETSI-SSP-AAS-CA-private-key >>summary.txt +openssl ec -inform DER -in private_keys/ETSI-SSP-AAS-CA-private-key.der -text >>summary.txt +echo ETSI-SSP-AAS-EE-private-key >>summary.txt +openssl ec -inform DER -in private_keys/ETSI-SSP-AAS-EE-private-key.der -text >>summary.txt +echo ETSI-SSP-AAA-CA-FAKE-private-key >>summary.txt +openssl ec -inform DER -in private_keys/ETSI-SSP-AAA-CA-FAKE-private-key.der -text >>summary.txt + +echo ETSI-SSP-CI-public-key >>summary.txt +openssl ec -inform der -in private_keys/ETSI-SSP-CI-private-key.der -pubout -text >>summary.txt +echo ETSI-SSP-AAA-CA-public-key >>summary.txt +openssl ec -inform der -in private_keys/ETSI-SSP-AAA-CA-private-key.der -pubout -text >>summary.txt +echo ETSI-SSP-AAA-EE-public-key >>summary.txt +openssl ec -inform der -in private_keys/ETSI-SSP-AAA-EE-private-key.der -pubout -text >>summary.txt +echo ETSI-SSP-AAS-CA-public-key >>summary.txt +openssl ec -inform der -in private_keys/ETSI-SSP-AAS-CA-private-key.der -pubout -text >>summary.txt +echo ETSI-SSP-AAS-EE-public-key >>summary.txt +openssl ec -inform der -in private_keys/ETSI-SSP-AAS-EE-private-key.der -pubout -text >>summary.txt +echo ETSI-SSP-AAA-CA-FAKE-public-key >>summary.txt +openssl ec -inform der -in private_keys/ETSI-SSP-AAA-CA-FAKE-private-key.der -pubout -text >>summary.txt + +echo certificates/ETSI-SSP-CI.pem >>summary.txt +openssl x509 -in certificates/ETSI-SSP-CI.pem -text >>summary.txt +echo certificates/ETSI-SSP-AAA-CA.pem >>summary.txt +openssl x509 -in certificates/ETSI-SSP-AAA-CA.pem -text >>summary.txt +echo certificates/ETSI-SSP-AAS-CA.pem >>summary.txt +openssl x509 -in certificates/ETSI-SSP-AAS-CA.pem -text >>summary.txt +echo certificates/ETSI-SSP-AAA-EE.pem >>summary.txt +openssl x509 -in certificates/ETSI-SSP-AAA-EE.pem -text >>summary.txt +echo certificates/ETSI-SSP-AAS-EE.pem >>summary.txt +openssl x509 -in certificates/ETSI-SSP-AAS-EE.pem -text >>summary.txt + +echo certificates/ETSI-SSP-AAA-EE-FAKE.pem >>summary.txt +openssl x509 -in certificates/ETSI-SSP-AAA-EE-FAKE.pem -text >>summary.txt \ No newline at end of file