Merge pull request #21 from fdistorted/issue-20
chore: add ec certificate support to pycert_bearssl
This commit is contained in:
commit
a7bcbfba2a
2 changed files with 71 additions and 21 deletions
|
@ -32,6 +32,10 @@ DN_PRE = "TA_DN"
|
|||
RSA_N_PRE = "TA_RSA_N"
|
||||
# RSA public key exponent prefix
|
||||
RSA_E_PRE = "TA_RSA_E"
|
||||
# EC public key number prefix
|
||||
EC_CURVE_PRE = "TA_EC_CURVE"
|
||||
# EC curve type enum prefix
|
||||
EC_CURVE_NAME_PRE = "BR_EC_"
|
||||
|
||||
|
||||
# Template that defines the C header output format.
|
||||
|
@ -81,7 +85,7 @@ static const {ray_type} {ray_name}[] = {{
|
|||
{ray_data}
|
||||
}};"""
|
||||
|
||||
# Template that defines a single root certificate entry in the BearSSL trust
|
||||
# Template that defines a single root RSA certificate entry in the BearSSL trust
|
||||
# anchor list
|
||||
# This takes in a few named parameters:
|
||||
# - ta_dn_name: The name of the static byte array containing the distunguished
|
||||
|
@ -101,6 +105,25 @@ CROOTCA_TEMPLATE = """\
|
|||
}}
|
||||
}},"""
|
||||
|
||||
# Template that defines a single root EC certificate entry in the BearSSL trust
|
||||
# anchor list
|
||||
# This takes in a few named parameters:
|
||||
# - ta_dn_name: The name of the static byte array containing the distunguished
|
||||
# name of the certificate.
|
||||
# - ec_number_name: Varible name of the static array containing ec public key
|
||||
# - ec_curve_name: Varible name of the enum that describes curve type
|
||||
CROOTCA_EC_TEMPLATE = """\
|
||||
{{
|
||||
{{ (unsigned char *){ta_dn_name}, sizeof {ta_dn_name} }},
|
||||
BR_X509_TA_CA,
|
||||
{{
|
||||
BR_KEYTYPE_EC,
|
||||
{{ .ec = {{{ec_curve_name}, (unsigned char *){ec_number_name}, sizeof {ec_number_name}}}
|
||||
}}
|
||||
}}
|
||||
}},"""
|
||||
|
||||
|
||||
# Template that defines a description of the certificate, so that the header
|
||||
# file can be slightly more human readable
|
||||
# This takes in a few named parameters:
|
||||
|
@ -267,6 +290,8 @@ def x509_to_header(x509Certs, cert_var, cert_length_var, output_file, keep_dupes
|
|||
# next, the RSA public numbers
|
||||
pubkey = cert.get_pubkey()
|
||||
numbers = pubkey.to_cryptography_key().public_numbers()
|
||||
numbers_typename = type(numbers).__name__
|
||||
if 'RSA' in numbers_typename:
|
||||
# starting with the modulous
|
||||
n_bytes_str = bytes_to_c_data(numbers.n.to_bytes(pubkey.bits() // 8, byteorder="big"))
|
||||
static_arrays.append(CRAY_TEMPLATE.format(
|
||||
|
@ -284,6 +309,24 @@ def x509_to_header(x509Certs, cert_var, cert_length_var, output_file, keep_dupes
|
|||
ta_dn_name=DN_PRE + str(cert_index),
|
||||
rsa_number_name=RSA_N_PRE + str(cert_index),
|
||||
rsa_exp_name=RSA_E_PRE + str(cert_index)))
|
||||
elif 'Elliptic' in numbers_typename:
|
||||
# starting with the modulous
|
||||
curve_bytes = b'\x04' + numbers.x.to_bytes(pubkey.bits() // 8, byteorder="big") + numbers.y.to_bytes(
|
||||
pubkey.bits() // 8, byteorder="big")
|
||||
curve_str = bytes_to_c_data(curve_bytes)
|
||||
curve_name = numbers.curve.name
|
||||
static_arrays.append(CRAY_TEMPLATE.format(
|
||||
ray_type="unsigned char",
|
||||
ray_name=EC_CURVE_PRE + str(cert_index),
|
||||
ray_data=curve_str))
|
||||
# and then the exponent
|
||||
CAs.append(CROOTCA_EC_TEMPLATE.format(
|
||||
ta_dn_name=DN_PRE + str(cert_index),
|
||||
ec_number_name=EC_CURVE_PRE + str(cert_index),
|
||||
ec_curve_name=EC_CURVE_NAME_PRE + curve_name
|
||||
))
|
||||
else:
|
||||
raise Exception(f'Unknown public key type {numbers_typename}')
|
||||
# concatonate it all into the big header file template
|
||||
# cert descriptions
|
||||
cert_desc_out = '\n * \n'.join(cert_desc)
|
||||
|
|
|
@ -86,7 +86,11 @@ def download(port, cert_var, cert_length_var, output, use_store, keep_dupes, dom
|
|||
# append cert to array
|
||||
down_certs.append(cert)
|
||||
# Combine PEMs and write output header.
|
||||
try:
|
||||
cert_util.x509_to_header(down_certs, cert_var, cert_length_var, output, keep_dupes, domains=domain)
|
||||
except Exception as E:
|
||||
click.echo(f'Recieved error when converting certificate to header: {E}')
|
||||
exit(1)
|
||||
|
||||
|
||||
@pycert_bearssl.command(short_help='Convert PEM certs into a C header.')
|
||||
|
@ -144,8 +148,11 @@ def convert(cert_var, cert_length_var, output, use_store, keep_dupes, no_search,
|
|||
else:
|
||||
root_certs.append(cert_dict[cn_hash])
|
||||
# Combine PEMs and write output header.
|
||||
try:
|
||||
cert_util.x509_to_header(root_certs, cert_var, cert_length_var, output, keep_dupes)
|
||||
|
||||
except Exception as E:
|
||||
click.echo(f'Recieved error when converting certificate to header: {E}')
|
||||
exit(1)
|
||||
|
||||
if __name__ == '__main__':
|
||||
pycert_bearssl()
|
Loading…
Reference in a new issue