Blame - tests/scripts/generate_server9_bad_saltlen.py - mirror/mbed-tls

blob: 9af4dd3b6dda5330943bb41efb5904f87765d3f5 [file] [log] [blame]

Jerry Yu	a3d911b	2023-05-23 17:21:52 +0800	[diff] [blame]	1	#!/usr/bin/env python3
				2	"""Generate server9-bad-saltlen.crt
				3
Jerry Yu	baf7ba4	2023-10-24 15:44:00 +0800	[diff] [blame]	4	Generate a certificate signed with RSA-PSS, with an incorrect salt length.
Jerry Yu	a3d911b	2023-05-23 17:21:52 +0800	[diff] [blame]	5	"""
				6
				7	# Copyright The Mbed TLS Contributors
Jerry Yu	de7ead0	2023-11-09 10:10:33 +0800	[diff] [blame]	8	# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Jerry Yu	a3d911b	2023-05-23 17:21:52 +0800	[diff] [blame]	9
				10	import subprocess
				11	import argparse
				12	from asn1crypto import pem, x509, core #type: ignore #pylint: disable=import-error
				13
				14	OPENSSL_RSA_PSS_CERT_COMMAND = r'''
				15	openssl x509 -req -CA {ca_name}.crt -CAkey {ca_name}.key -set_serial 24 {ca_password} \
				16	{openssl_extfile} -days 3650 -outform DER -in {csr} \
				17	-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:{anounce_saltlen} \
				18	-sigopt rsa_mgf1_md:sha256
				19	'''
				20	SIG_OPT = \
				21	r'-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:{saltlen} -sigopt rsa_mgf1_md:sha256'
				22	OPENSSL_RSA_PSS_DGST_COMMAND = r'''openssl dgst -sign {ca_name}.key {ca_password} \
				23	-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:{actual_saltlen} \
				24	-sigopt rsa_mgf1_md:sha256'''
				25
				26
				27	def auto_int(x):
				28	return int(x, 0)
				29
				30
				31	def build_argparser(parser):
				32	"""Build argument parser"""
				33	parser.description = __doc__
				34	parser.add_argument('--ca-name', type=str, required=True,
				35	help='Basename of CA files')
				36	parser.add_argument('--ca-password', type=str,
				37	required=True, help='CA key file password')
				38	parser.add_argument('--csr', type=str, required=True,
				39	help='CSR file for generating certificate')
				40	parser.add_argument('--openssl-extfile', type=str,
				41	required=True, help='X905 v3 extension config file')
				42	parser.add_argument('--anounce_saltlen', type=auto_int,
				43	required=True, help='Announced salt length')
				44	parser.add_argument('--actual_saltlen', type=auto_int,
				45	required=True, help='Actual salt length')
				46	parser.add_argument('--output', type=str, required=True)
				47
				48
				49	def main():
				50	parser = argparse.ArgumentParser()
				51	build_argparser(parser)
				52	args = parser.parse_args()
				53
				54	return generate(**vars(args))
				55
				56	def generate(**kwargs):
Jerry Yu	2f3f968	2023-10-18 15:06:54 +0800	[diff] [blame]	57	"""Generate different salt length certificate file."""
Jerry Yu	a3d911b	2023-05-23 17:21:52 +0800	[diff] [blame]	58	ca_password = kwargs.get('ca_password', '')
				59	if ca_password:
				60	kwargs['ca_password'] = r'-passin "pass:{ca_password}"'.format(
				61	**kwargs)
				62	else:
				63	kwargs['ca_password'] = ''
				64	extfile = kwargs.get('openssl_extfile', '')
				65	if extfile:
				66	kwargs['openssl_extfile'] = '-extfile {openssl_extfile}'.format(
				67	**kwargs)
				68	else:
				69	kwargs['openssl_extfile'] = ''
				70
				71	cmd = OPENSSL_RSA_PSS_CERT_COMMAND.format(**kwargs)
				72	der_bytes = subprocess.check_output(cmd, shell=True)
				73	target_certificate = x509.Certificate.load(der_bytes)
				74
				75	cmd = OPENSSL_RSA_PSS_DGST_COMMAND.format(**kwargs)
				76	#pylint: disable=unexpected-keyword-arg
				77	der_bytes = subprocess.check_output(cmd,
				78	input=target_certificate['tbs_certificate'].dump(),
				79	shell=True)
				80
				81	with open(kwargs.get('output'), 'wb') as f:
				82	target_certificate['signature_value'] = core.OctetBitString(der_bytes)
				83	f.write(pem.armor('CERTIFICATE', target_certificate.dump()))
				84
				85
				86	if __name__ == '__main__':
				87	main()