CrlDistributionPoints dirName

I am a new user of pyOpenSSL, and I want to make a certificate with the following code:

from OpenSSL import crypto as c

cert = c.X509()
cert.add_extensions([
    c.X509Extension('crlDistributionPoints', False, 'dirName:/C=US/O=TEST'),
])

This code cannot work; can anyone help me? pyOpenSSL doesn't seem to support dirName. This, on the other hand, does work:

cert.add_extensions([
    c.X509Extension('crlDistributionPoints', False, 'URI:http://somesite'),  # can work
])


+3
2 answers


I had exactly the same problem, and although I also couldn't find a real solution, I was able to find a kind of workaround to do it through Python. This page explains the formatting http://openssl.org/docs/apps/x509v3_config.html#CRL-distribution-points and also the ability to use raw DER bytes (section: ARBITRARY EXTENSIONS).

First, "collect" the DER bytes from a certificate that already has the correct URI and dirName: create a certificate with openssl that carries the correct crlDistributionPoints; tmpcert in this example is that certificate. Also note which extension index is used: get_short_name() will give the "key" of the extension, so look for crlDistributionPoints. Get the bytes using:

from binascii import hexlify

# tmpcert is an X509 object already loaded from the certificate that carries
# the correct crlDistributionPoints; 5 is the index of that extension here
print(tmpcert.get_extension(5).get_short_name())
print(hexlify(tmpcert.get_extension(5).get_data()))

And after that, format this output and use it in the X509Extension() initializer:

crypto.X509Extension('crlDistributionPoints', False,
                     "DER:30:6a:xx:xx:xx:..........:xx:xx")


As you can imagine, this is a "hardcoded" solution, so there is no easy way to change the contents of this field in this way.

0

Here is the way you can generate the DER... it doesn't include the code for the dirName, but I hope it gives an idea of how you can create the DER:


import binascii

from OpenSSL import crypto
from pyasn1.codec.der import encoder as der_encoder
from pyasn1.type import tag
from pyasn1_modules import rfc2459


class GeneralNames(rfc2459.GeneralNames):
    """
    rfc2459 has wrong tagset (in the pyasn1_modules release used here).
    """
    tagSet = tag.TagSet(
        (),
        tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0),
        )


class DistributionPointName(rfc2459.DistributionPointName):
    """
    rfc2459 has wrong tagset.
    """
    tagSet = tag.TagSet(
        (),
        tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0),
        )


# one (type, value) pair per DistributionPoint
cdps = [('uri', 'http://something'), ('dns', 'some.domain.com')]

cdp = rfc2459.CRLDistPointsSyntax()
position = 0
for cdp_type, cdp_value in cdps:
    cdp_entry = rfc2459.DistributionPoint()

    general_name = rfc2459.GeneralName()

    if cdp_type == 'uri':
        general_name.setComponentByName(
            'uniformResourceIdentifier',
            cdp_value,
            )
    elif cdp_type == 'dns':
        general_name.setComponentByName(
            'dNSName',
            cdp_value,
            )

    general_names = GeneralNames()
    general_names.setComponentByPosition(0, general_name)

    name = DistributionPointName()
    name.setComponentByName('fullName', general_names)
    cdp_entry.setComponentByName('distributionPoint', name)

    cdp.setComponentByPosition(position, cdp_entry)
    position += 1

cdp_der = der_encoder.encode(cdp)

# pyOpenSSL takes the extension value as bytes: "DER:" followed by the hex
# of the encoding (binascii replaces the Python 2-only str.encode('hex'))
extensions = []
extensions.append(
    crypto.X509Extension(
        b'crlDistributionPoints',
        False,
        b'DER:' + binascii.hexlify(cdp_der),
        ),
    )


0
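Both answers above end up handing pyOpenSSL a "DER:" value, and the second one stops short of the dirName the question asked for. The following is an added example, not code from either answerer, that builds the same CRLDistributionPoints structure with only the standard library, including a directoryName taken from a "/C=US/O=TEST" string, and emits it in the colon-separated "DER:" form that x509v3_config documents. The sample URI, the distinguished name and the small ATTR_OIDS table are constructed for the example; the round trip through crypto.X509Extension at the bottom is the same get_data() reading the first answer performs on tmpcert.

```python
import binascii


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(body)]) + body


def tlv(tag_byte, body):
    """One TLV with a single-octet tag."""
    return bytes([tag_byte]) + der_length(len(body)) + body


def oid(dotted):
    """OBJECT IDENTIFIER (tag 0x06) from dotted notation, base-128 arcs."""
    arcs = [int(a) for a in dotted.split('.')]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))


# X.520 attribute types accepted in the /C=../O=.. string (constructed subset)
ATTR_OIDS = {'C': '2.5.4.6', 'O': '2.5.4.10', 'OU': '2.5.4.11', 'CN': '2.5.4.3'}


def name_from_slash(text):
    """Name ::= SEQUENCE OF RelativeDistinguishedName, from '/C=US/O=TEST'.
    countryName is a PrintableString (0x13); the others use UTF8String (0x0c)."""
    rdns = b''
    for part in filter(None, text.split('/')):
        key, _, value = part.partition('=')
        string_tag = 0x13 if key == 'C' else 0x0C
        atv = tlv(0x30, oid(ATTR_OIDS[key]) + tlv(string_tag, value.encode('utf-8')))
        rdns += tlv(0x31, atv)  # each RDN is a SET holding one AttributeTypeAndValue
    return tlv(0x30, rdns)


def general_name(kind, value):
    """GeneralName CHOICE. URI and DNS are IMPLICIT IA5String ([6] and [2],
    primitive). directoryName is [4] EXPLICIT because Name is itself a CHOICE,
    so the context tag is constructed and wraps the complete Name encoding."""
    if kind == 'URI':
        return tlv(0x86, value.encode('ascii'))
    if kind == 'DNS':
        return tlv(0x82, value.encode('ascii'))
    if kind == 'dirName':
        return tlv(0xA4, name_from_slash(value))
    raise ValueError('unsupported GeneralName kind: %r' % kind)


def crl_distribution_points(points):
    """CRLDistributionPoints ::= SEQUENCE OF DistributionPoint.
    points: one list of (kind, value) names per DistributionPoint."""
    encoded = b''
    for names in points:
        # [0] IMPLICIT GeneralNames (SEQUENCE OF, hence constructed 0xa0)
        full_name = tlv(0xA0, b''.join(general_name(k, v) for k, v in names))
        # [0] EXPLICIT DistributionPointName: it is a CHOICE, so the tag wraps fullName
        dp_name = tlv(0xA0, full_name)
        encoded += tlv(0x30, dp_name)
    return tlv(0x30, encoded)


def to_der_string(der):
    """Colon-separated 'DER:..' value as documented for arbitrary extensions."""
    return 'DER:' + ':'.join('%02x' % b for b in der)


if __name__ == '__main__':
    # constructed sample: one DistributionPoint carrying a URI and a dirName
    der = crl_distribution_points([[('URI', 'http://crl.example.test/ca.crl'),
                                    ('dirName', '/C=US/O=TEST')]])
    value = to_der_string(der)
    print(value)
    try:
        from OpenSSL import crypto
    except ImportError:
        crypto = None
    if crypto is not None:
        ext = crypto.X509Extension(b'crlDistributionPoints', False, value.encode('ascii'))
        # get_data() returns the raw DER, exactly what the first answer reads from tmpcert
        assert ext.get_data() == der
        print(ext)
```

The tag bytes are the part worth checking against a certificate produced by openssl: a URI-only extension comes out as 30 .. 30 .. a0 .. a0 .. 86 .., and the dirName adds an a4 wrapper around a plain 30 Name. Each GeneralName is encoded once with its implicit or explicit tag decided by whether the underlying type is a CHOICE, which is the detail the rfc2459 tagSet overrides in the second answer are working around.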