当前位置: 文江博客话题详情

如何使用 pyasn1 解析 subjectAltName 扩展数据?

发布于 2024-10-30 04:25:30 字数 4630 浏览 3 评论 0原文

我有 pyOpenSSL 给我的一些数据,'0\r\x82\x0bexample.com'。这应该是 subjectAltName X509 扩展的值。我尝试使用 pyasn1 对此扩展的 ASN1 规范的必要部分进行编码(并基于 pyasn1 示例之一):

from pyasn1.type import univ, constraint, char, namedtype

from pyasn1.codec.der.decoder import decode

MAX = 64

class DirectoryString(univ.Choice):
    componentType = namedtype.NamedTypes(
        namedtype.NamedType(
            'teletexString', char.TeletexString().subtype(
                subtypeSpec=constraint.ValueSizeConstraint(1, MAX))),
        namedtype.NamedType(
            'printableString', char.PrintableString().subtype(
                subtypeSpec=constraint.ValueSizeConstraint(1, MAX))),
        namedtype.NamedType(
            'universalString', char.UniversalString().subtype(
                subtypeSpec=constraint.ValueSizeConstraint(1, MAX))),
        namedtype.NamedType(
            'utf8String', char.UTF8String().subtype(
                subtypeSpec=constraint.ValueSizeConstraint(1, MAX))),
        namedtype.NamedType(
            'bmpString', char.BMPString().subtype(
                subtypeSpec=constraint.ValueSizeConstraint(1, MAX))),
        namedtype.NamedType(
            'ia5String', char.IA5String().subtype(
                subtypeSpec=constraint.ValueSizeConstraint(1, MAX))),
        )


class AttributeValue(DirectoryString):
    pass


class AttributeType(univ.ObjectIdentifier):
    pass


class AttributeTypeAndValue(univ.Sequence):
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('type', AttributeType()),
        namedtype.NamedType('value', AttributeValue()),
        )


class RelativeDistinguishedName(univ.SetOf):
    componentType = AttributeTypeAndValue()

class RDNSequence(univ.SequenceOf):
    componentType = RelativeDistinguishedName()


class Name(univ.Choice):
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('', RDNSequence()),
        )


class Extension(univ.Sequence):
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('extnID', univ.ObjectIdentifier()),
        namedtype.DefaultedNamedType('critical', univ.Boolean('False')),
        namedtype.NamedType('extnValue', univ.OctetString()),
        )


class Extensions(univ.SequenceOf):
    componentType = Extension()
    sizeSpec = univ.SequenceOf.sizeSpec + constraint.ValueSizeConstraint(1, MAX)


class GeneralName(univ.Choice):
    componentType = namedtype.NamedTypes(
        # namedtype.NamedType('otherName', AnotherName()),
        namedtype.NamedType('rfc822Name', char.IA5String()),
        namedtype.NamedType('dNSName', char.IA5String()),
        # namedtype.NamedType('x400Address', ORAddress()),
        namedtype.NamedType('directoryName', Name()),
        # namedtype.NamedType('ediPartyName', EDIPartyName()),
        namedtype.NamedType('uniformResourceIdentifier', char.IA5String()),
        namedtype.NamedType('iPAddress', univ.OctetString()),
        namedtype.NamedType('registeredID', univ.ObjectIdentifier()),
        )


class GeneralNames(univ.SequenceOf):
    componentType = GeneralName()
    sizeSpec = univ.SequenceOf.sizeSpec + constraint.ValueSizeConstraint(1, MAX)


class SubjectAltName(GeneralNames):
    pass

print decode('0\r\x82\x0bexample.com', asn1Spec=GeneralNames())

显然,我在接近尾声时感到有点无聊,并且没有完全指定 GeneralName 类型。但是,测试字符串应该包含一个 dNSName,而不是跳过的值之一,所以我希望这并不重要。

当程序运行时,它失败并出现我无法解释的错误:

Traceback (most recent call last):
  File "x509.py", line 94, in <module>
    print decode('0\r\x82\x0bexample.com', asn1Spec=GeneralNames())
  File "/usr/lib/pymodules/python2.6/pyasn1/v1/codec/ber/decoder.py", line 493, in __call__
    length, stGetValueDecoder, decodeFun
  File "/usr/lib/pymodules/python2.6/pyasn1/v1/codec/ber/decoder.py", line 202, in valueDecoder
    substrate, asn1Spec
  File "/usr/lib/pymodules/python2.6/pyasn1/v1/codec/ber/decoder.py", line 453, in __call__
    __chosenSpec.getTypeMap().has_key(tagSet):
  File "/usr/lib/pymodules/python2.6/pyasn1/v1/type/univ.py", line 608, in getTypeMap
    return Set.getComponentTypeMap(self)
  File "/usr/lib/pymodules/python2.6/pyasn1/v1/type/univ.py", line 535, in getComponentTypeMap
    def getComponentTypeMap(self): return self._componentType.getTypeMap(1)
  File "/usr/lib/pymodules/python2.6/pyasn1/v1/type/namedtype.py", line 126, in getTypeMap
    'Duplicate type %s in map %s'%(k,self.__typeMap)
pyasn1.error.PyAsn1Error: Duplicate type TagSet(Tag(tagClass=0, tagFormat=0, tagId=22)) in map {TagSet(Tag(tagClass=0, tagFormat=0, tagId=22)): IA5String()}

任何有关我出错的地方以及如何使用 pyasn1 成功解析此扩展类型的提示将不胜感激。

原文

I have some data that pyOpenSSL gave me, '0\r\x82\x0bexample.com'. This should be the value of a subjectAltName X509 extension. I tried to encode the necessary parts of the ASN1 specification for this extension using pyasn1 (and based on one of the pyasn1 examples):

from pyasn1.type import univ, constraint, char, namedtype

from pyasn1.codec.der.decoder import decode

MAX = 64

class DirectoryString(univ.Choice):
    componentType = namedtype.NamedTypes(
        namedtype.NamedType(
            'teletexString', char.TeletexString().subtype(
                subtypeSpec=constraint.ValueSizeConstraint(1, MAX))),
        namedtype.NamedType(
            'printableString', char.PrintableString().subtype(
                subtypeSpec=constraint.ValueSizeConstraint(1, MAX))),
        namedtype.NamedType(
            'universalString', char.UniversalString().subtype(
                subtypeSpec=constraint.ValueSizeConstraint(1, MAX))),
        namedtype.NamedType(
            'utf8String', char.UTF8String().subtype(
                subtypeSpec=constraint.ValueSizeConstraint(1, MAX))),
        namedtype.NamedType(
            'bmpString', char.BMPString().subtype(
                subtypeSpec=constraint.ValueSizeConstraint(1, MAX))),
        namedtype.NamedType(
            'ia5String', char.IA5String().subtype(
                subtypeSpec=constraint.ValueSizeConstraint(1, MAX))),
        )


class AttributeValue(DirectoryString):
    pass


class AttributeType(univ.ObjectIdentifier):
    pass


class AttributeTypeAndValue(univ.Sequence):
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('type', AttributeType()),
        namedtype.NamedType('value', AttributeValue()),
        )


class RelativeDistinguishedName(univ.SetOf):
    componentType = AttributeTypeAndValue()

class RDNSequence(univ.SequenceOf):
    componentType = RelativeDistinguishedName()


class Name(univ.Choice):
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('', RDNSequence()),
        )


class Extension(univ.Sequence):
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('extnID', univ.ObjectIdentifier()),
        namedtype.DefaultedNamedType('critical', univ.Boolean('False')),
        namedtype.NamedType('extnValue', univ.OctetString()),
        )


class Extensions(univ.SequenceOf):
    componentType = Extension()
    sizeSpec = univ.SequenceOf.sizeSpec + constraint.ValueSizeConstraint(1, MAX)


class GeneralName(univ.Choice):
    componentType = namedtype.NamedTypes(
        # namedtype.NamedType('otherName', AnotherName()),
        namedtype.NamedType('rfc822Name', char.IA5String()),
        namedtype.NamedType('dNSName', char.IA5String()),
        # namedtype.NamedType('x400Address', ORAddress()),
        namedtype.NamedType('directoryName', Name()),
        # namedtype.NamedType('ediPartyName', EDIPartyName()),
        namedtype.NamedType('uniformResourceIdentifier', char.IA5String()),
        namedtype.NamedType('iPAddress', univ.OctetString()),
        namedtype.NamedType('registeredID', univ.ObjectIdentifier()),
        )


class GeneralNames(univ.SequenceOf):
    componentType = GeneralName()
    sizeSpec = univ.SequenceOf.sizeSpec + constraint.ValueSizeConstraint(1, MAX)


class SubjectAltName(GeneralNames):
    pass

print decode('0\r\x82\x0bexample.com', asn1Spec=GeneralNames())

Clearly I got a little bored near the end and didn't fully specify the GeneralName type. However, the test string should contain a dNSName, not one of the skipped values, so I hope it doesn't matter.

When the program is run, it fails with an error I'm not able to interpret:

Traceback (most recent call last):
  File "x509.py", line 94, in <module>
    print decode('0\r\x82\x0bexample.com', asn1Spec=GeneralNames())
  File "/usr/lib/pymodules/python2.6/pyasn1/v1/codec/ber/decoder.py", line 493, in __call__
    length, stGetValueDecoder, decodeFun
  File "/usr/lib/pymodules/python2.6/pyasn1/v1/codec/ber/decoder.py", line 202, in valueDecoder
    substrate, asn1Spec
  File "/usr/lib/pymodules/python2.6/pyasn1/v1/codec/ber/decoder.py", line 453, in __call__
    __chosenSpec.getTypeMap().has_key(tagSet):
  File "/usr/lib/pymodules/python2.6/pyasn1/v1/type/univ.py", line 608, in getTypeMap
    return Set.getComponentTypeMap(self)
  File "/usr/lib/pymodules/python2.6/pyasn1/v1/type/univ.py", line 535, in getComponentTypeMap
    def getComponentTypeMap(self): return self._componentType.getTypeMap(1)
  File "/usr/lib/pymodules/python2.6/pyasn1/v1/type/namedtype.py", line 126, in getTypeMap
    'Duplicate type %s in map %s'%(k,self.__typeMap)
pyasn1.error.PyAsn1Error: Duplicate type TagSet(Tag(tagClass=0, tagFormat=0, tagId=22)) in map {TagSet(Tag(tagClass=0, tagFormat=0, tagId=22)): IA5String()}

Any tips on where I went wrong and how to successfully parse this extension type with pyasn1 would be much appreciated.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

一百个冬季 2024-11-06 04:25:30

我在 pyasn1-users 列表上发布了这个问题,Ilya Etingof(pyasn1 的作者)指出了我的错误。简而言之,GeneralName.componentType 中的每个 NamedType 都需要被赋予标签信息。这是通过 subtype 方法完成的。例如,

namedtype.NamedType('rfc822Name', char.IA5String()),

定义不应为:

namedtype.NamedType('rfc822Name', char.IA5String().subtype(
        implicitTag=tag.Tag(tag.tagClassContext,
                            tag.tagFormatSimple, 1))),

其中 1 来自 GeneralName 的 ASN.1 定义:

GeneralName ::= CHOICE {
   otherName                       [0]     OtherName,
   rfc822Name                      [1]     IA5String,
   dNSName                         [2]     IA5String,
   x400Address                     [3]     ORAddress,
   directoryName                   [4]     Name,
   ediPartyName                    [5]     EDIPartyName,
   uniformResourceIdentifier       [6]     IA5String,
   iPAddress                       [7]     OCTET STRING,
   registeredID                    [8]     OBJECT IDENTIFIER
}

的每个字段定义标签后>componentType,解析成功:

(GeneralNames().setComponentByPosition(
    0, GeneralName().setComponentByPosition(1, IA5String('example.com'))), '')

I posted this question on the pyasn1-users list and Ilya Etingof (the author of pyasn1) pointed out my mistake. In brief, each NamedType in GeneralName.componentType needs to be given tag information. This is done with the subtype method. For example, instead of:

namedtype.NamedType('rfc822Name', char.IA5String()),

the definition should be:

namedtype.NamedType('rfc822Name', char.IA5String().subtype(
        implicitTag=tag.Tag(tag.tagClassContext,
                            tag.tagFormatSimple, 1))),

where 1 comes from the ASN.1 definition of GeneralName:

GeneralName ::= CHOICE {
   otherName                       [0]     OtherName,
   rfc822Name                      [1]     IA5String,
   dNSName                         [2]     IA5String,
   x400Address                     [3]     ORAddress,
   directoryName                   [4]     Name,
   ediPartyName                    [5]     EDIPartyName,
   uniformResourceIdentifier       [6]     IA5String,
   iPAddress                       [7]     OCTET STRING,
   registeredID                    [8]     OBJECT IDENTIFIER
}

After defining a tag for each of these fields of the componentType, parsing succeeds:

(GeneralNames().setComponentByPosition(
    0, GeneralName().setComponentByPosition(1, IA5String('example.com'))), '')
回复 原文
心在旅行 2024-11-06 04:25:30

这个答案来得太晚了,但您也可以使用 pyasn1-modules (也是由 Ilya Etingof 创作)

这段代码至少应该可以工作,并且希望足以让您开始构建更复杂的 ANS.1 结构。确保您已运行 pip install pyasn1pip install pyasn1-modulespip install pyopenssl 否则您将收到导入错误。

# Import pyasn and the proper decode function
import pyasn1
from pyasn1.codec.der.decoder import decode as asn1_decoder

# Import SubjectAltName from rfc2459 module
from pyasn1_modules.rfc2459 import SubjectAltName

# Import native Python type encoder
from pyasn1.codec.native.encoder import encode as nat_encoder

# Import OpenSSL tools for working with certs.
from OpenSSL import crypto
# Read raw certificate file
with open('PATH/TO/CERTIFICATE.crt', 'r') as cert_f:
    raw_cert = cert_f.read()

cert = crypto.load_certificate(crypto.FILETYPE_PEM, raw_cert)

# Note this example assumes SubjectAltName is the only Extension for this cert. 
raw_alt_names = cert.get_extension(0).get_data()

decoded_alt_names, _ = asn1_decoder(raw_alt_names, asn1Spec=SubjectAltName())

# Unless a raw string of ASN.1 is what you need encode back to native Python types
py_alt_names = nat_encoder(decoded_alt_names)

# And Finally a plain Python list of UTF-8 encoded strings representing the SubjectAltNames
subject_alt_names = [ x['dNSName'].decode('utf-8') for x in py_alt_names]

其输出将类似于

['cdn1.example.com', 'cdn2.example.com']

如果您正在处理的证书有多个扩展,您将需要使用 get_extension_count 来自 X509 对象和 get_short_name 来自 pyopenssl 中提供的 X509Extension 对象。

Coming in way late with this answer but instead of writing the ASN.1 Schema by hand you can also use the RF2459 module provided in pyasn1-modules (also authored by Ilya Etingof)

Minimally this code should work and will hopefully be enough to get you started on more complex ANS.1 constructs. Make sure you have run pip install pyasn1, pip install pyasn1-modules and pip install pyopenssl otherwise you'll get import errors.

# Import pyasn and the proper decode function
import pyasn1
from pyasn1.codec.der.decoder import decode as asn1_decoder

# Import SubjectAltName from rfc2459 module
from pyasn1_modules.rfc2459 import SubjectAltName

# Import native Python type encoder
from pyasn1.codec.native.encoder import encode as nat_encoder

# Import OpenSSL tools for working with certs.
from OpenSSL import crypto
# Read raw certificate file
with open('PATH/TO/CERTIFICATE.crt', 'r') as cert_f:
    raw_cert = cert_f.read()

cert = crypto.load_certificate(crypto.FILETYPE_PEM, raw_cert)

# Note this example assumes SubjectAltName is the only Extension for this cert. 
raw_alt_names = cert.get_extension(0).get_data()

decoded_alt_names, _ = asn1_decoder(raw_alt_names, asn1Spec=SubjectAltName())

# Unless a raw string of ASN.1 is what you need encode back to native Python types
py_alt_names = nat_encoder(decoded_alt_names)

# And Finally a plain Python list of UTF-8 encoded strings representing the SubjectAltNames
subject_alt_names = [ x['dNSName'].decode('utf-8') for x in py_alt_names]

The output of this will be something like

['cdn1.example.com', 'cdn2.example.com']

If the cert you are working on has multiple extensions you will need to use get_extension_count from the X509 object and get_short_name from the X509Extension object provided in pyopenssl.

回复 原文
~没有更多了~

关于作者

尴尬癌患者

暂无简介

0 文章
0 评论
23 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

胡图图

文章 0 评论 0

zt006

文章 0 评论 0

z祗昰~

文章 0 评论 0

冰葑

文章 0 评论 0

野の

文章 0 评论 0

天空

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文