#
# This file is part of pyasn1-modules software.
#
# Created by Russ Housley with assistance from asn1ate v.0.6.0.
#
# Copyright (c) 2019, Vigil Security, LLC
# License: http://snmplabs.com/pyasn1/license.html
#
# An Internet Attribute Certificate Profile for Authorization
#
# ASN.1 source from:
# https://www.rfc-editor.org/rfc/rfc5755.txt
# https://www.rfc-editor.org/rfc/rfc5912.txt (see Section 13)
#
"""pyasn1 schema for the Attribute Certificate profile of RFC 5755.

Importing this module has a side effect: the extension and attribute maps
exported by ``rfc5280`` are extended in place (see the bottom of the file),
so decoders that rely on those maps start recognising the RFC 5755 OIDs.
"""

from pyasn1.type import char
from pyasn1.type import constraint
from pyasn1.type import namedtype
from pyasn1.type import namedval
from pyasn1.type import opentype
from pyasn1.type import tag
from pyasn1.type import univ
from pyasn1.type import useful

from pyasn1_modules import rfc5280
from pyasn1_modules import rfc5652

# Upper bound for ``INTEGER (0..MAX)`` constraints; pyasn1 accepts a float
# infinity as the open end of a ValueRangeConstraint.
MAX = float('inf')

# Map of SecurityCategory ``type`` OIDs to the pyasn1 object used to decode
# the matching ``value``.  It is deliberately empty here: applications that
# know their category syntaxes register them, and until they do an open-type
# decode leaves ``value`` as an undecoded ANY rather than guessing.
securityCategoryMap = { }


def _ctx(tag_id, constructed=False):
    """Return the context-specific tag ``[tag_id]`` used for IMPLICIT tagging.

    ``constructed`` selects ``tagFormatConstructed`` instead of
    ``tagFormatSimple``; the flag mirrors the tag literal of the original
    module for each component, so the resulting Tag objects compare equal.
    """
    tag_format = tag.tagFormatConstructed if constructed else tag.tagFormatSimple
    return tag.Tag(tag.tagClassContext, tag_format, tag_id)


# Imports from RFC 5652

ContentInfo = rfc5652.ContentInfo


# Imports from RFC 5280

AlgorithmIdentifier = rfc5280.AlgorithmIdentifier
Attribute = rfc5280.Attribute
AuthorityInfoAccessSyntax = rfc5280.AuthorityInfoAccessSyntax
AuthorityKeyIdentifier = rfc5280.AuthorityKeyIdentifier
CertificateSerialNumber = rfc5280.CertificateSerialNumber
CRLDistributionPoints = rfc5280.CRLDistributionPoints
Extensions = rfc5280.Extensions
Extension = rfc5280.Extension
GeneralNames = rfc5280.GeneralNames
GeneralName = rfc5280.GeneralName
UniqueIdentifier = rfc5280.UniqueIdentifier


# Object Identifier arcs

id_pkix = univ.ObjectIdentifier((1, 3, 6, 1, 5, 5, 7, ))

id_pe = id_pkix + (1, )
id_kp = id_pkix + (3, )
id_aca = id_pkix + (10, )
id_ad = id_pkix + (48, )

id_at = univ.ObjectIdentifier((2, 5, 4, ))
id_ce = univ.ObjectIdentifier((2, 5, 29, ))


# Attribute Certificate

class AttCertVersion(univ.Integer):
    """AttCertVersion ::= INTEGER { v2(1) } -- the only version this profile allows."""
    namedValues = namedval.NamedValues(
        ('v2', 1)
    )


class IssuerSerial(univ.Sequence):
    """IssuerSerial ::= SEQUENCE { issuer, serial, issuerUID OPTIONAL }."""
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('issuer', GeneralNames()),
        namedtype.NamedType('serial', CertificateSerialNumber()),
        namedtype.OptionalNamedType('issuerUID', UniqueIdentifier())
    )


class ObjectDigestInfo(univ.Sequence):
    """ObjectDigestInfo: a digest over a public key, a certificate or another object.

    ``otherObjectTypeID`` is only meaningful when ``digestedObjectType`` is
    ``otherObjectTypes``; the schema does not enforce that pairing.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType(
            'digestedObjectType',
            univ.Enumerated(namedValues=namedval.NamedValues(
                ('publicKey', 0),
                ('publicKeyCert', 1),
                ('otherObjectTypes', 2)))),
        namedtype.OptionalNamedType('otherObjectTypeID', univ.ObjectIdentifier()),
        namedtype.NamedType('digestAlgorithm', AlgorithmIdentifier()),
        namedtype.NamedType('objectDigest', univ.BitString())
    )


class Holder(univ.Sequence):
    """Holder ::= SEQUENCE of three OPTIONAL ways to identify the AC holder.

    All three components are optional at the ASN.1 level; RFC 5755 leaves
    it to the relying party to insist on at least one being present.
    """
    componentType = namedtype.NamedTypes(
        namedtype.OptionalNamedType(
            'baseCertificateID',
            IssuerSerial().subtype(implicitTag=_ctx(0, constructed=True))),
        namedtype.OptionalNamedType(
            'entityName',
            GeneralNames().subtype(implicitTag=_ctx(1))),
        namedtype.OptionalNamedType(
            'objectDigestInfo',
            ObjectDigestInfo().subtype(implicitTag=_ctx(2, constructed=True)))
    )


class V2Form(univ.Sequence):
    """V2Form: the issuer representation of this profile (see AttCertIssuer)."""
    componentType = namedtype.NamedTypes(
        namedtype.OptionalNamedType('issuerName', GeneralNames()),
        namedtype.OptionalNamedType(
            'baseCertificateID',
            IssuerSerial().subtype(implicitTag=_ctx(0, constructed=True))),
        namedtype.OptionalNamedType(
            'objectDigestInfo',
            ObjectDigestInfo().subtype(implicitTag=_ctx(1, constructed=True)))
    )


class AttCertIssuer(univ.Choice):
    """AttCertIssuer ::= CHOICE { v1Form GeneralNames, v2Form [0] V2Form }.

    ``v1Form`` is kept so RFC 3281-era encodings still parse; RFC 5755
    states it MUST NOT be used by conforming issuers, so a verifier should
    treat its presence as a profile violation rather than silently accept it.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('v1Form', GeneralNames()),
        namedtype.NamedType(
            'v2Form',
            V2Form().subtype(implicitTag=_ctx(0, constructed=True)))
    )


class AttCertValidityPeriod(univ.Sequence):
    """AttCertValidityPeriod: both bounds are GeneralizedTime, not Time."""
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('notBeforeTime', useful.GeneralizedTime()),
        namedtype.NamedType('notAfterTime', useful.GeneralizedTime())
    )


class AttributeCertificateInfo(univ.Sequence):
    """AttributeCertificateInfo: the to-be-signed body of an attribute certificate."""
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('version', AttCertVersion()),
        namedtype.NamedType('holder', Holder()),
        namedtype.NamedType('issuer', AttCertIssuer()),
        namedtype.NamedType('signature', AlgorithmIdentifier()),
        namedtype.NamedType('serialNumber', CertificateSerialNumber()),
        namedtype.NamedType('attrCertValidityPeriod', AttCertValidityPeriod()),
        namedtype.NamedType('attributes', univ.SequenceOf(componentType=Attribute())),
        namedtype.OptionalNamedType('issuerUniqueID', UniqueIdentifier()),
        namedtype.OptionalNamedType('extensions', Extensions())
    )


class AttributeCertificate(univ.Sequence):
    """AttributeCertificate ::= SEQUENCE { acinfo, signatureAlgorithm, signatureValue }.

    The schema carries ``signature`` inside ``acinfo`` and
    ``signatureAlgorithm`` outside it; a verifier is expected to check that
    the two algorithm identifiers agree before trusting the signature.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('acinfo', AttributeCertificateInfo()),
        namedtype.NamedType('signatureAlgorithm', AlgorithmIdentifier()),
        namedtype.NamedType('signatureValue', univ.BitString())
    )


# Attribute Certificate Extensions

id_pe_ac_auditIdentity = id_pe + (4, )
id_ce_noRevAvail = id_ce + (56, )
id_ce_targetInformation = id_ce + (55, )


class TargetCert(univ.Sequence):
    """TargetCert: a target identified by certificate, plus optional name and digest."""
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('targetCertificate', IssuerSerial()),
        namedtype.OptionalNamedType('targetName', GeneralName()),
        namedtype.OptionalNamedType('certDigestInfo', ObjectDigestInfo())
    )


class Target(univ.Choice):
    """Target ::= CHOICE { targetName [0], targetGroup [1], targetCert [2] }."""
    componentType = namedtype.NamedTypes(
        namedtype.NamedType(
            'targetName',
            GeneralName().subtype(implicitTag=_ctx(0))),
        namedtype.NamedType(
            'targetGroup',
            GeneralName().subtype(implicitTag=_ctx(1))),
        namedtype.NamedType(
            'targetCert',
            TargetCert().subtype(implicitTag=_ctx(2, constructed=True)))
    )


class Targets(univ.SequenceOf):
    """Targets ::= SEQUENCE OF Target (the targetInformation extension value)."""
    componentType = Target()


id_pe_ac_proxying = id_pe + (10, )


class ProxyInfo(univ.SequenceOf):
    """ProxyInfo ::= SEQUENCE OF Targets (the proxying extension value)."""
    componentType = Targets()


id_pe_aaControls = id_pe + (6, )


class AttrSpec(univ.SequenceOf):
    """AttrSpec ::= SEQUENCE OF OBJECT IDENTIFIER."""
    componentType = univ.ObjectIdentifier()


class AAControls(univ.Sequence):
    """AAControls: constraints an AA places on attribute certificate paths.

    ``permitUnSpecified`` defaults to TRUE, so an absent component means
    attributes outside ``permittedAttrs``/``excludedAttrs`` are allowed.
    """
    componentType = namedtype.NamedTypes(
        namedtype.OptionalNamedType(
            'pathLenConstraint',
            univ.Integer().subtype(
                subtypeSpec=constraint.ValueRangeConstraint(0, MAX))),
        namedtype.OptionalNamedType(
            'permittedAttrs',
            AttrSpec().subtype(implicitTag=_ctx(0))),
        namedtype.OptionalNamedType(
            'excludedAttrs',
            AttrSpec().subtype(implicitTag=_ctx(1))),
        namedtype.DefaultedNamedType(
            'permitUnSpecified',
            univ.Boolean().subtype(value=1))
    )


# Attribute Certificate Attributes

id_aca_authenticationInfo = id_aca + (1, )
id_aca_accessIdentity = id_aca + (2, )


class SvceAuthInfo(univ.Sequence):
    """SvceAuthInfo: service/identity pair with optional opaque authInfo.

    ``authInfo`` is an OCTET STRING whose interpretation is service-specific;
    when it carries credentials the enclosing AC should be encrypted
    (see ``id_aca_encAttrs``).
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('service', GeneralName()),
        namedtype.NamedType('ident', GeneralName()),
        namedtype.OptionalNamedType('authInfo', univ.OctetString())
    )


id_aca_chargingIdentity = id_aca + (3, )
id_aca_group = id_aca + (4, )


class IetfAttrSyntax(univ.Sequence):
    """IetfAttrSyntax: optional policy authority plus a list of octets/oid/string values."""
    componentType = namedtype.NamedTypes(
        namedtype.OptionalNamedType(
            'policyAuthority',
            GeneralNames().subtype(implicitTag=_ctx(0))),
        namedtype.NamedType(
            'values',
            univ.SequenceOf(
                componentType=univ.Choice(componentType=namedtype.NamedTypes(
                    namedtype.NamedType('octets', univ.OctetString()),
                    namedtype.NamedType('oid', univ.ObjectIdentifier()),
                    namedtype.NamedType('string', char.UTF8String())
                ))
            ))
    )


id_at_role = id_at + (72,)


class RoleSyntax(univ.Sequence):
    """RoleSyntax ::= SEQUENCE { roleAuthority [0] OPTIONAL, roleName [1] }."""
    componentType = namedtype.NamedTypes(
        namedtype.OptionalNamedType(
            'roleAuthority',
            GeneralNames().subtype(implicitTag=_ctx(0))),
        namedtype.NamedType(
            'roleName',
            GeneralName().subtype(implicitTag=_ctx(1)))
    )


class ClassList(univ.BitString):
    """ClassList ::= BIT STRING of clearance levels; bit names come from RFC 5755."""
    namedValues = namedval.NamedValues(
        ('unmarked', 0),
        ('unclassified', 1),
        ('restricted', 2),
        ('confidential', 3),
        ('secret', 4),
        ('topSecret', 5)
    )


class SecurityCategory(univ.Sequence):
    """SecurityCategory ::= SEQUENCE { type [0] OID, value [1] ANY DEFINED BY type }.

    ``value`` is resolved through ``securityCategoryMap``; see the note on
    that map for what happens when the ``type`` OID is not registered.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType(
            'type',
            univ.ObjectIdentifier().subtype(implicitTag=_ctx(0))),
        namedtype.NamedType(
            'value',
            univ.Any().subtype(implicitTag=_ctx(1)),
            openType=opentype.OpenType('type', securityCategoryMap))
    )


id_at_clearance = univ.ObjectIdentifier((2, 5, 4, 55, ))


class Clearance(univ.Sequence):
    """Clearance as defined by RFC 5755 (untagged components, classList DEFAULT unclassified)."""
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('policyId', univ.ObjectIdentifier()),
        namedtype.DefaultedNamedType(
            'classList',
            ClassList().subtype(value='unclassified')),
        namedtype.OptionalNamedType(
            'securityCategories',
            univ.SetOf(componentType=SecurityCategory()))
    )


# RFC 3281 published the clearance attribute under this (incorrect) arc;
# RFC 5755 moved it to id_at_clearance above.  Both are kept so that ACs
# issued under the older document can still be decoded.
id_at_clearance_rfc3281 = univ.ObjectIdentifier((2, 5, 1, 5, 55, ))


class Clearance_rfc3281(univ.Sequence):
    """Clearance in its RFC 3281 form, which context-tags every component."""
    componentType = namedtype.NamedTypes(
        namedtype.NamedType(
            'policyId',
            univ.ObjectIdentifier().subtype(implicitTag=_ctx(0))),
        namedtype.DefaultedNamedType(
            'classList',
            ClassList().subtype(implicitTag=_ctx(1)).subtype(value='unclassified')),
        namedtype.OptionalNamedType(
            'securityCategories',
            univ.SetOf(componentType=SecurityCategory()).subtype(implicitTag=_ctx(2)))
    )


id_aca_encAttrs = id_aca + (6, )


class ACClearAttrs(univ.Sequence):
    """ACClearAttrs: the plaintext carried inside an encrypted-attributes ContentInfo."""
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('acIssuer', GeneralName()),
        namedtype.NamedType('acSerial', univ.Integer()),
        namedtype.NamedType('attrs', univ.SequenceOf(componentType=Attribute()))
    )


# Map of Certificate Extension OIDs to Extensions added to the
# ones that are in rfc5280.py

_certificateExtensionsMapUpdate = {
    id_pe_ac_auditIdentity: univ.OctetString(),
    id_ce_noRevAvail: univ.Null(),
    id_ce_targetInformation: Targets(),
    id_pe_ac_proxying: ProxyInfo(),
    id_pe_aaControls: AAControls(),
}

# Import-time mutation of the shared rfc5280 map (module side effect).
rfc5280.certificateExtensionsMap.update(_certificateExtensionsMapUpdate)


# Map of AttributeType OIDs to AttributeValue added to the
# ones that are in rfc5280.py

_certificateAttributesMapUpdate = {
    id_aca_authenticationInfo: SvceAuthInfo(),
    id_aca_accessIdentity: SvceAuthInfo(),
    id_aca_chargingIdentity: IetfAttrSyntax(),
    id_aca_group: IetfAttrSyntax(),
    id_at_role: RoleSyntax(),
    id_at_clearance: Clearance(),
    id_at_clearance_rfc3281: Clearance_rfc3281(),
    id_aca_encAttrs: ContentInfo(),
}

# Import-time mutation of the shared rfc5280 map (module side effect).
rfc5280.certificateAttributesMap.update(_certificateAttributesMapUpdate)