17

我有一些 pyOpenSSL 给我的数据,'0\r\x82\x0bexample.com'. 这应该是 subjectAltName X509 扩展的值。我尝试使用 pyasn1 (并基于 pyasn1 示例之一)对此扩展的 ASN1 规范的必要部分进行编码:

from pyasn1.type import univ, constraint, char, namedtype

from pyasn1.codec.der.decoder import decode

MAX = 64

class DirectoryString(univ.Choice):
    componentType = namedtype.NamedTypes(
        namedtype.NamedType(
            'teletexString', char.TeletexString().subtype(
                subtypeSpec=constraint.ValueSizeConstraint(1, MAX))),
        namedtype.NamedType(
            'printableString', char.PrintableString().subtype(
                subtypeSpec=constraint.ValueSizeConstraint(1, MAX))),
        namedtype.NamedType(
            'universalString', char.UniversalString().subtype(
                subtypeSpec=constraint.ValueSizeConstraint(1, MAX))),
        namedtype.NamedType(
            'utf8String', char.UTF8String().subtype(
                subtypeSpec=constraint.ValueSizeConstraint(1, MAX))),
        namedtype.NamedType(
            'bmpString', char.BMPString().subtype(
                subtypeSpec=constraint.ValueSizeConstraint(1, MAX))),
        namedtype.NamedType(
            'ia5String', char.IA5String().subtype(
                subtypeSpec=constraint.ValueSizeConstraint(1, MAX))),
        )


class AttributeValue(DirectoryString):
    pass


class AttributeType(univ.ObjectIdentifier):
    pass


class AttributeTypeAndValue(univ.Sequence):
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('type', AttributeType()),
        namedtype.NamedType('value', AttributeValue()),
        )


class RelativeDistinguishedName(univ.SetOf):
    componentType = AttributeTypeAndValue()

class RDNSequence(univ.SequenceOf):
    componentType = RelativeDistinguishedName()


class Name(univ.Choice):
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('', RDNSequence()),
        )


class Extension(univ.Sequence):
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('extnID', univ.ObjectIdentifier()),
        namedtype.DefaultedNamedType('critical', univ.Boolean('False')),
        namedtype.NamedType('extnValue', univ.OctetString()),
        )


class Extensions(univ.SequenceOf):
    componentType = Extension()
    sizeSpec = univ.SequenceOf.sizeSpec + constraint.ValueSizeConstraint(1, MAX)


class GeneralName(univ.Choice):
    componentType = namedtype.NamedTypes(
        # namedtype.NamedType('otherName', AnotherName()),
        namedtype.NamedType('rfc822Name', char.IA5String()),
        namedtype.NamedType('dNSName', char.IA5String()),
        # namedtype.NamedType('x400Address', ORAddress()),
        namedtype.NamedType('directoryName', Name()),
        # namedtype.NamedType('ediPartyName', EDIPartyName()),
        namedtype.NamedType('uniformResourceIdentifier', char.IA5String()),
        namedtype.NamedType('iPAddress', univ.OctetString()),
        namedtype.NamedType('registeredID', univ.ObjectIdentifier()),
        )


class GeneralNames(univ.SequenceOf):
    componentType = GeneralName()
    sizeSpec = univ.SequenceOf.sizeSpec + constraint.ValueSizeConstraint(1, MAX)


class SubjectAltName(GeneralNames):
    pass

print decode('0\r\x82\x0bexample.com', asn1Spec=GeneralNames())

显然我在接近尾声时有点无聊,并没有完全指定GeneralName类型。但是,测试字符串应该包含 a dNSName,而不是跳过的值之一,所以我希望没关系。

当程序运行时,它失败并出现我无法解释的错误:

Traceback (most recent call last):
  File "x509.py", line 94, in <module>
    print decode('0\r\x82\x0bexample.com', asn1Spec=GeneralNames())
  File "/usr/lib/pymodules/python2.6/pyasn1/v1/codec/ber/decoder.py", line 493, in __call__
    length, stGetValueDecoder, decodeFun
  File "/usr/lib/pymodules/python2.6/pyasn1/v1/codec/ber/decoder.py", line 202, in valueDecoder
    substrate, asn1Spec
  File "/usr/lib/pymodules/python2.6/pyasn1/v1/codec/ber/decoder.py", line 453, in __call__
    __chosenSpec.getTypeMap().has_key(tagSet):
  File "/usr/lib/pymodules/python2.6/pyasn1/v1/type/univ.py", line 608, in getTypeMap
    return Set.getComponentTypeMap(self)
  File "/usr/lib/pymodules/python2.6/pyasn1/v1/type/univ.py", line 535, in getComponentTypeMap
    def getComponentTypeMap(self): return self._componentType.getTypeMap(1)
  File "/usr/lib/pymodules/python2.6/pyasn1/v1/type/namedtype.py", line 126, in getTypeMap
    'Duplicate type %s in map %s'%(k,self.__typeMap)
pyasn1.error.PyAsn1Error: Duplicate type TagSet(Tag(tagClass=0, tagFormat=0, tagId=22)) in map {TagSet(Tag(tagClass=0, tagFormat=0, tagId=22)): IA5String()}

任何关于我哪里出错以及如何使用 pyasn1 成功解析此扩展类型的提示将不胜感激。

4

2 回答 2

15

我在 pyasn1-users 列表上发布了这个问题,Ilya Etingof(pyasn1 的作者)指出了我的错误。简而言之,每个NamedTypein都GeneralName.componentType需要被赋予标签信息。这是通过subtype方法完成的。例如,而不是:

namedtype.NamedType('rfc822Name', char.IA5String()),

定义应该是:

namedtype.NamedType('rfc822Name', char.IA5String().subtype(
        implicitTag=tag.Tag(tag.tagClassContext,
                            tag.tagFormatSimple, 1))),

其中1来自GeneralName的 ASN.1 定义:

GeneralName ::= CHOICE {
   otherName                       [0]     OtherName,
   rfc822Name                      [1]     IA5String,
   dNSName                         [2]     IA5String,
   x400Address                     [3]     ORAddress,
   directoryName                   [4]     Name,
   ediPartyName                    [5]     EDIPartyName,
   uniformResourceIdentifier       [6]     IA5String,
   iPAddress                       [7]     OCTET STRING,
   registeredID                    [8]     OBJECT IDENTIFIER
}

为 的每个字段定义标签后componentType,解析成功:

(GeneralNames().setComponentByPosition(
    0, GeneralName().setComponentByPosition(1, IA5String('example.com'))), '')
于 2011-04-03T13:44:12.990 回答
2

这个答案迟到了,但您也可以使用pyasn1-modules 中提供的 RF2459 模块(也由 Ilya Etingof 编写),而不是手动编写 ASN.1 Schema

这段代码至少应该可以工作,并且希望足以让您开始使用更复杂的 ANS.1 结构。确保你已经运行pip install pyasn1pip install pyasn1-modules否则pip install pyopenssl你会得到导入错误。

# Import pyasn and the proper decode function
import pyasn1
from pyasn1.codec.der.decoder import decode as asn1_decoder

# Import SubjectAltName from rfc2459 module
from pyasn1_modules.rfc2459 import SubjectAltName

# Import native Python type encoder
from pyasn1.codec.native.encoder import encode as nat_encoder

# Import OpenSSL tools for working with certs.
from OpenSSL import crypto
# Read raw certificate file
with open('PATH/TO/CERTIFICATE.crt', 'r') as cert_f:
    raw_cert = cert_f.read()

cert = crypto.load_certificate(crypto.FILETYPE_PEM, raw_cert)

# Note this example assumes SubjectAltName is the only Extension for this cert. 
raw_alt_names = cert.get_extension(0).get_data()

decoded_alt_names, _ = asn1_decoder(raw_alt_names, asn1Spec=SubjectAltName())

# Unless a raw string of ASN.1 is what you need encode back to native Python types
py_alt_names = nat_encoder(decoded_alt_names)

# And Finally a plain Python list of UTF-8 encoded strings representing the SubjectAltNames
subject_alt_names = [ x['dNSName'].decode('utf-8') for x in py_alt_names]

这将是这样的输出

['cdn1.example.com', 'cdn2.example.com']

如果您正在处理的证书有多个扩展,您将需要使用来自 X509 对象的get_extension_count和来自 pyopenssl 中提供的 X509Extension 对象的get_short_name

于 2018-08-07T15:55:01.137 回答