Where is the trust chain? [python] asn1crypto and pkcs11 Aladdin USB eToken

我怕爱的太早我们不能终老 提交于 2019-12-24 23:42:57

问题


I have this code working fine. I am signing with an USB eToken. But after copying and pasting the PEM output of this code in the https://lapo.it/asn1js/ the trust chain is not shown. This eToken was provided by a CA and thus it has a trust chain of the signature. What's wrong?

lib = pkcs11.lib('/usr/lib/libeToken.so.9')

for slot in lib.get_slots():
    try:
        token = slot.get_token()
        with token.open(user_pin='****') as session:
        priv = session.get_key(object_class=pkcs11.constants.ObjectClass.PRIVATE_KEY)
        pub = session.get_key(object_class=pkcs11.constants.ObjectClass.PUBLIC_KEY)

        tbs = TbsCertificate({
            'version': 'v1',
            'serial_number': 1,
            'issuer': Name.build({
                'common_name': 'Test Certificate',
            }),
            'subject': Name.build({
                'common_name': 'Test Certificate',
            }),
            'signature': {
                'algorithm': 'sha256_rsa',
                'parameters': None,
            },
            'validity': {
                'not_before': Time({
                    'utc_time': datetime.datetime(2017, 1, 1, 0, 0),
                }),
                'not_after': Time({
                    'utc_time': datetime.datetime(2038, 12, 31, 23, 59),
                }),
            },
            'subject_public_key_info': {
                'algorithm': {
                    'algorithm': 'rsa',
                    'parameters': None,
                },
                'public_key': RSAPublicKey.load(encode_rsa_public_key(pub)),
            }
        })

        # Sign the TBS Certificate
        value = priv.sign(tbs.dump(),
                          mechanism=Mechanism.SHA256_RSA_PKCS)

        cert = Certificate({
            'tbs_certificate': tbs,
            'signature_algorithm': {
                'algorithm': 'sha256_rsa',
                'parameters': None,
            },
            'signature_value': value,
        })
        print(pem.armor('CERTIFICATE', cert.dump()).decode())
except TokenNotPresent:
    pass

回答1:


You have constructed and signed one individual X.509 certificate and then output it in PEM format. A chain of trust is multiple certificates, commonly provided as a list of PEM-encoded certificates starting from the leaf.

Thus you need to output the signing certificate as well. In X.509 there are two pieces of information: your public certificate (including public key) signed by the issuer and the private key you have used on your token.

PKCS#11 devices can store X.509 certificates so there's a good chance the signed X.509 object for this certificate is on your token and you can retrieve it with Session.get_objects.

# Retrieve first certificate object from the HSM
cert = next(session.get_objects({Attribute.CLASS: ObjectClass.CERTIFICATE}))
# Retrieve the DER-encoded value of the certificate
der_bytes = cert[Attribute.VALUE]
# Convert to PEM encoding
pem_bytes = pem.armor('CERTIFICATE', der_bytes)

This example is from Exporting Certificates.

If you have multiple certificates on your token you can include additional search parameters including the certificate type, issuer, etc. The docs contain more information on the parameters for certificate objects. The PKCS#11 spec contains further information still.

Alternatively, if you have the X.509 certificate in some other form you can simply append it. It does not need to be stored in the HSM.



来源:https://stackoverflow.com/questions/50416132/where-is-the-trust-chain-python-asn1crypto-and-pkcs11-aladdin-usb-etoken

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!