_oid.py 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339
  1. # This file is dual licensed under the terms of the Apache License, Version
  2. # 2.0, and the BSD License. See the LICENSE file in the root of this repository
  3. # for complete details.
  4. import typing
  5. from cryptography.hazmat.primitives import hashes
  6. class ObjectIdentifier(object):
  7. def __init__(self, dotted_string: str) -> None:
  8. self._dotted_string = dotted_string
  9. nodes = self._dotted_string.split(".")
  10. intnodes = []
  11. # There must be at least 2 nodes, the first node must be 0..2, and
  12. # if less than 2, the second node cannot have a value outside the
  13. # range 0..39. All nodes must be integers.
  14. for node in nodes:
  15. try:
  16. node_value = int(node, 10)
  17. except ValueError:
  18. raise ValueError(
  19. "Malformed OID: %s (non-integer nodes)"
  20. % (self._dotted_string)
  21. )
  22. if node_value < 0:
  23. raise ValueError(
  24. "Malformed OID: %s (negative-integer nodes)"
  25. % (self._dotted_string)
  26. )
  27. intnodes.append(node_value)
  28. if len(nodes) < 2:
  29. raise ValueError(
  30. "Malformed OID: %s (insufficient number of nodes)"
  31. % (self._dotted_string)
  32. )
  33. if intnodes[0] > 2:
  34. raise ValueError(
  35. "Malformed OID: %s (first node outside valid range)"
  36. % (self._dotted_string)
  37. )
  38. if intnodes[0] < 2 and intnodes[1] >= 40:
  39. raise ValueError(
  40. "Malformed OID: %s (second node outside valid range)"
  41. % (self._dotted_string)
  42. )
  43. def __eq__(self, other: typing.Any) -> bool:
  44. if not isinstance(other, ObjectIdentifier):
  45. return NotImplemented
  46. return self.dotted_string == other.dotted_string
  47. def __ne__(self, other: typing.Any) -> bool:
  48. return not self == other
  49. def __repr__(self) -> str:
  50. return "<ObjectIdentifier(oid={}, name={})>".format(
  51. self.dotted_string, self._name
  52. )
  53. def __hash__(self) -> int:
  54. return hash(self.dotted_string)
  55. @property
  56. def _name(self) -> str:
  57. return _OID_NAMES.get(self, "Unknown OID")
  58. @property
  59. def dotted_string(self) -> str:
  60. return self._dotted_string
  61. class ExtensionOID(object):
  62. SUBJECT_DIRECTORY_ATTRIBUTES = ObjectIdentifier("2.5.29.9")
  63. SUBJECT_KEY_IDENTIFIER = ObjectIdentifier("2.5.29.14")
  64. KEY_USAGE = ObjectIdentifier("2.5.29.15")
  65. SUBJECT_ALTERNATIVE_NAME = ObjectIdentifier("2.5.29.17")
  66. ISSUER_ALTERNATIVE_NAME = ObjectIdentifier("2.5.29.18")
  67. BASIC_CONSTRAINTS = ObjectIdentifier("2.5.29.19")
  68. NAME_CONSTRAINTS = ObjectIdentifier("2.5.29.30")
  69. CRL_DISTRIBUTION_POINTS = ObjectIdentifier("2.5.29.31")
  70. CERTIFICATE_POLICIES = ObjectIdentifier("2.5.29.32")
  71. POLICY_MAPPINGS = ObjectIdentifier("2.5.29.33")
  72. AUTHORITY_KEY_IDENTIFIER = ObjectIdentifier("2.5.29.35")
  73. POLICY_CONSTRAINTS = ObjectIdentifier("2.5.29.36")
  74. EXTENDED_KEY_USAGE = ObjectIdentifier("2.5.29.37")
  75. FRESHEST_CRL = ObjectIdentifier("2.5.29.46")
  76. INHIBIT_ANY_POLICY = ObjectIdentifier("2.5.29.54")
  77. ISSUING_DISTRIBUTION_POINT = ObjectIdentifier("2.5.29.28")
  78. AUTHORITY_INFORMATION_ACCESS = ObjectIdentifier("1.3.6.1.5.5.7.1.1")
  79. SUBJECT_INFORMATION_ACCESS = ObjectIdentifier("1.3.6.1.5.5.7.1.11")
  80. OCSP_NO_CHECK = ObjectIdentifier("1.3.6.1.5.5.7.48.1.5")
  81. TLS_FEATURE = ObjectIdentifier("1.3.6.1.5.5.7.1.24")
  82. CRL_NUMBER = ObjectIdentifier("2.5.29.20")
  83. DELTA_CRL_INDICATOR = ObjectIdentifier("2.5.29.27")
  84. PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS = ObjectIdentifier(
  85. "1.3.6.1.4.1.11129.2.4.2"
  86. )
  87. PRECERT_POISON = ObjectIdentifier("1.3.6.1.4.1.11129.2.4.3")
  88. SIGNED_CERTIFICATE_TIMESTAMPS = ObjectIdentifier("1.3.6.1.4.1.11129.2.4.5")
  89. class OCSPExtensionOID(object):
  90. NONCE = ObjectIdentifier("1.3.6.1.5.5.7.48.1.2")
  91. class CRLEntryExtensionOID(object):
  92. CERTIFICATE_ISSUER = ObjectIdentifier("2.5.29.29")
  93. CRL_REASON = ObjectIdentifier("2.5.29.21")
  94. INVALIDITY_DATE = ObjectIdentifier("2.5.29.24")
  95. class NameOID(object):
  96. COMMON_NAME = ObjectIdentifier("2.5.4.3")
  97. COUNTRY_NAME = ObjectIdentifier("2.5.4.6")
  98. LOCALITY_NAME = ObjectIdentifier("2.5.4.7")
  99. STATE_OR_PROVINCE_NAME = ObjectIdentifier("2.5.4.8")
  100. STREET_ADDRESS = ObjectIdentifier("2.5.4.9")
  101. ORGANIZATION_NAME = ObjectIdentifier("2.5.4.10")
  102. ORGANIZATIONAL_UNIT_NAME = ObjectIdentifier("2.5.4.11")
  103. SERIAL_NUMBER = ObjectIdentifier("2.5.4.5")
  104. SURNAME = ObjectIdentifier("2.5.4.4")
  105. GIVEN_NAME = ObjectIdentifier("2.5.4.42")
  106. TITLE = ObjectIdentifier("2.5.4.12")
  107. GENERATION_QUALIFIER = ObjectIdentifier("2.5.4.44")
  108. X500_UNIQUE_IDENTIFIER = ObjectIdentifier("2.5.4.45")
  109. DN_QUALIFIER = ObjectIdentifier("2.5.4.46")
  110. PSEUDONYM = ObjectIdentifier("2.5.4.65")
  111. USER_ID = ObjectIdentifier("0.9.2342.19200300.100.1.1")
  112. DOMAIN_COMPONENT = ObjectIdentifier("0.9.2342.19200300.100.1.25")
  113. EMAIL_ADDRESS = ObjectIdentifier("1.2.840.113549.1.9.1")
  114. JURISDICTION_COUNTRY_NAME = ObjectIdentifier("1.3.6.1.4.1.311.60.2.1.3")
  115. JURISDICTION_LOCALITY_NAME = ObjectIdentifier("1.3.6.1.4.1.311.60.2.1.1")
  116. JURISDICTION_STATE_OR_PROVINCE_NAME = ObjectIdentifier(
  117. "1.3.6.1.4.1.311.60.2.1.2"
  118. )
  119. BUSINESS_CATEGORY = ObjectIdentifier("2.5.4.15")
  120. POSTAL_ADDRESS = ObjectIdentifier("2.5.4.16")
  121. POSTAL_CODE = ObjectIdentifier("2.5.4.17")
  122. INN = ObjectIdentifier("1.2.643.3.131.1.1")
  123. OGRN = ObjectIdentifier("1.2.643.100.1")
  124. SNILS = ObjectIdentifier("1.2.643.100.3")
  125. UNSTRUCTURED_NAME = ObjectIdentifier("1.2.840.113549.1.9.2")
  126. class SignatureAlgorithmOID(object):
  127. RSA_WITH_MD5 = ObjectIdentifier("1.2.840.113549.1.1.4")
  128. RSA_WITH_SHA1 = ObjectIdentifier("1.2.840.113549.1.1.5")
  129. # This is an alternate OID for RSA with SHA1 that is occasionally seen
  130. _RSA_WITH_SHA1 = ObjectIdentifier("1.3.14.3.2.29")
  131. RSA_WITH_SHA224 = ObjectIdentifier("1.2.840.113549.1.1.14")
  132. RSA_WITH_SHA256 = ObjectIdentifier("1.2.840.113549.1.1.11")
  133. RSA_WITH_SHA384 = ObjectIdentifier("1.2.840.113549.1.1.12")
  134. RSA_WITH_SHA512 = ObjectIdentifier("1.2.840.113549.1.1.13")
  135. RSASSA_PSS = ObjectIdentifier("1.2.840.113549.1.1.10")
  136. ECDSA_WITH_SHA1 = ObjectIdentifier("1.2.840.10045.4.1")
  137. ECDSA_WITH_SHA224 = ObjectIdentifier("1.2.840.10045.4.3.1")
  138. ECDSA_WITH_SHA256 = ObjectIdentifier("1.2.840.10045.4.3.2")
  139. ECDSA_WITH_SHA384 = ObjectIdentifier("1.2.840.10045.4.3.3")
  140. ECDSA_WITH_SHA512 = ObjectIdentifier("1.2.840.10045.4.3.4")
  141. DSA_WITH_SHA1 = ObjectIdentifier("1.2.840.10040.4.3")
  142. DSA_WITH_SHA224 = ObjectIdentifier("2.16.840.1.101.3.4.3.1")
  143. DSA_WITH_SHA256 = ObjectIdentifier("2.16.840.1.101.3.4.3.2")
  144. ED25519 = ObjectIdentifier("1.3.101.112")
  145. ED448 = ObjectIdentifier("1.3.101.113")
  146. GOSTR3411_94_WITH_3410_2001 = ObjectIdentifier("1.2.643.2.2.3")
  147. GOSTR3410_2012_WITH_3411_2012_256 = ObjectIdentifier("1.2.643.7.1.1.3.2")
  148. GOSTR3410_2012_WITH_3411_2012_512 = ObjectIdentifier("1.2.643.7.1.1.3.3")
  149. _SIG_OIDS_TO_HASH: typing.Dict[
  150. ObjectIdentifier, typing.Optional[hashes.HashAlgorithm]
  151. ] = {
  152. SignatureAlgorithmOID.RSA_WITH_MD5: hashes.MD5(),
  153. SignatureAlgorithmOID.RSA_WITH_SHA1: hashes.SHA1(),
  154. SignatureAlgorithmOID._RSA_WITH_SHA1: hashes.SHA1(),
  155. SignatureAlgorithmOID.RSA_WITH_SHA224: hashes.SHA224(),
  156. SignatureAlgorithmOID.RSA_WITH_SHA256: hashes.SHA256(),
  157. SignatureAlgorithmOID.RSA_WITH_SHA384: hashes.SHA384(),
  158. SignatureAlgorithmOID.RSA_WITH_SHA512: hashes.SHA512(),
  159. SignatureAlgorithmOID.ECDSA_WITH_SHA1: hashes.SHA1(),
  160. SignatureAlgorithmOID.ECDSA_WITH_SHA224: hashes.SHA224(),
  161. SignatureAlgorithmOID.ECDSA_WITH_SHA256: hashes.SHA256(),
  162. SignatureAlgorithmOID.ECDSA_WITH_SHA384: hashes.SHA384(),
  163. SignatureAlgorithmOID.ECDSA_WITH_SHA512: hashes.SHA512(),
  164. SignatureAlgorithmOID.DSA_WITH_SHA1: hashes.SHA1(),
  165. SignatureAlgorithmOID.DSA_WITH_SHA224: hashes.SHA224(),
  166. SignatureAlgorithmOID.DSA_WITH_SHA256: hashes.SHA256(),
  167. SignatureAlgorithmOID.ED25519: None,
  168. SignatureAlgorithmOID.ED448: None,
  169. SignatureAlgorithmOID.GOSTR3411_94_WITH_3410_2001: None,
  170. SignatureAlgorithmOID.GOSTR3410_2012_WITH_3411_2012_256: None,
  171. SignatureAlgorithmOID.GOSTR3410_2012_WITH_3411_2012_512: None,
  172. }
  173. class ExtendedKeyUsageOID(object):
  174. SERVER_AUTH = ObjectIdentifier("1.3.6.1.5.5.7.3.1")
  175. CLIENT_AUTH = ObjectIdentifier("1.3.6.1.5.5.7.3.2")
  176. CODE_SIGNING = ObjectIdentifier("1.3.6.1.5.5.7.3.3")
  177. EMAIL_PROTECTION = ObjectIdentifier("1.3.6.1.5.5.7.3.4")
  178. TIME_STAMPING = ObjectIdentifier("1.3.6.1.5.5.7.3.8")
  179. OCSP_SIGNING = ObjectIdentifier("1.3.6.1.5.5.7.3.9")
  180. ANY_EXTENDED_KEY_USAGE = ObjectIdentifier("2.5.29.37.0")
  181. SMARTCARD_LOGON = ObjectIdentifier("1.3.6.1.4.1.311.20.2.2")
  182. KERBEROS_PKINIT_KDC = ObjectIdentifier("1.3.6.1.5.2.3.5")
  183. class AuthorityInformationAccessOID(object):
  184. CA_ISSUERS = ObjectIdentifier("1.3.6.1.5.5.7.48.2")
  185. OCSP = ObjectIdentifier("1.3.6.1.5.5.7.48.1")
  186. class SubjectInformationAccessOID(object):
  187. CA_REPOSITORY = ObjectIdentifier("1.3.6.1.5.5.7.48.5")
  188. class CertificatePoliciesOID(object):
  189. CPS_QUALIFIER = ObjectIdentifier("1.3.6.1.5.5.7.2.1")
  190. CPS_USER_NOTICE = ObjectIdentifier("1.3.6.1.5.5.7.2.2")
  191. ANY_POLICY = ObjectIdentifier("2.5.29.32.0")
  192. class AttributeOID(object):
  193. CHALLENGE_PASSWORD = ObjectIdentifier("1.2.840.113549.1.9.7")
  194. UNSTRUCTURED_NAME = ObjectIdentifier("1.2.840.113549.1.9.2")
  195. _OID_NAMES = {
  196. NameOID.COMMON_NAME: "commonName",
  197. NameOID.COUNTRY_NAME: "countryName",
  198. NameOID.LOCALITY_NAME: "localityName",
  199. NameOID.STATE_OR_PROVINCE_NAME: "stateOrProvinceName",
  200. NameOID.STREET_ADDRESS: "streetAddress",
  201. NameOID.ORGANIZATION_NAME: "organizationName",
  202. NameOID.ORGANIZATIONAL_UNIT_NAME: "organizationalUnitName",
  203. NameOID.SERIAL_NUMBER: "serialNumber",
  204. NameOID.SURNAME: "surname",
  205. NameOID.GIVEN_NAME: "givenName",
  206. NameOID.TITLE: "title",
  207. NameOID.GENERATION_QUALIFIER: "generationQualifier",
  208. NameOID.X500_UNIQUE_IDENTIFIER: "x500UniqueIdentifier",
  209. NameOID.DN_QUALIFIER: "dnQualifier",
  210. NameOID.PSEUDONYM: "pseudonym",
  211. NameOID.USER_ID: "userID",
  212. NameOID.DOMAIN_COMPONENT: "domainComponent",
  213. NameOID.EMAIL_ADDRESS: "emailAddress",
  214. NameOID.JURISDICTION_COUNTRY_NAME: "jurisdictionCountryName",
  215. NameOID.JURISDICTION_LOCALITY_NAME: "jurisdictionLocalityName",
  216. NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME: (
  217. "jurisdictionStateOrProvinceName"
  218. ),
  219. NameOID.BUSINESS_CATEGORY: "businessCategory",
  220. NameOID.POSTAL_ADDRESS: "postalAddress",
  221. NameOID.POSTAL_CODE: "postalCode",
  222. NameOID.INN: "INN",
  223. NameOID.OGRN: "OGRN",
  224. NameOID.SNILS: "SNILS",
  225. NameOID.UNSTRUCTURED_NAME: "unstructuredName",
  226. SignatureAlgorithmOID.RSA_WITH_MD5: "md5WithRSAEncryption",
  227. SignatureAlgorithmOID.RSA_WITH_SHA1: "sha1WithRSAEncryption",
  228. SignatureAlgorithmOID.RSA_WITH_SHA224: "sha224WithRSAEncryption",
  229. SignatureAlgorithmOID.RSA_WITH_SHA256: "sha256WithRSAEncryption",
  230. SignatureAlgorithmOID.RSA_WITH_SHA384: "sha384WithRSAEncryption",
  231. SignatureAlgorithmOID.RSA_WITH_SHA512: "sha512WithRSAEncryption",
  232. SignatureAlgorithmOID.RSASSA_PSS: "RSASSA-PSS",
  233. SignatureAlgorithmOID.ECDSA_WITH_SHA1: "ecdsa-with-SHA1",
  234. SignatureAlgorithmOID.ECDSA_WITH_SHA224: "ecdsa-with-SHA224",
  235. SignatureAlgorithmOID.ECDSA_WITH_SHA256: "ecdsa-with-SHA256",
  236. SignatureAlgorithmOID.ECDSA_WITH_SHA384: "ecdsa-with-SHA384",
  237. SignatureAlgorithmOID.ECDSA_WITH_SHA512: "ecdsa-with-SHA512",
  238. SignatureAlgorithmOID.DSA_WITH_SHA1: "dsa-with-sha1",
  239. SignatureAlgorithmOID.DSA_WITH_SHA224: "dsa-with-sha224",
  240. SignatureAlgorithmOID.DSA_WITH_SHA256: "dsa-with-sha256",
  241. SignatureAlgorithmOID.ED25519: "ed25519",
  242. SignatureAlgorithmOID.ED448: "ed448",
  243. SignatureAlgorithmOID.GOSTR3411_94_WITH_3410_2001: (
  244. "GOST R 34.11-94 with GOST R 34.10-2001"
  245. ),
  246. SignatureAlgorithmOID.GOSTR3410_2012_WITH_3411_2012_256: (
  247. "GOST R 34.10-2012 with GOST R 34.11-2012 (256 bit)"
  248. ),
  249. SignatureAlgorithmOID.GOSTR3410_2012_WITH_3411_2012_512: (
  250. "GOST R 34.10-2012 with GOST R 34.11-2012 (512 bit)"
  251. ),
  252. ExtendedKeyUsageOID.SERVER_AUTH: "serverAuth",
  253. ExtendedKeyUsageOID.CLIENT_AUTH: "clientAuth",
  254. ExtendedKeyUsageOID.CODE_SIGNING: "codeSigning",
  255. ExtendedKeyUsageOID.EMAIL_PROTECTION: "emailProtection",
  256. ExtendedKeyUsageOID.TIME_STAMPING: "timeStamping",
  257. ExtendedKeyUsageOID.OCSP_SIGNING: "OCSPSigning",
  258. ExtendedKeyUsageOID.SMARTCARD_LOGON: "msSmartcardLogin",
  259. ExtendedKeyUsageOID.KERBEROS_PKINIT_KDC: "pkInitKDC",
  260. ExtensionOID.SUBJECT_DIRECTORY_ATTRIBUTES: "subjectDirectoryAttributes",
  261. ExtensionOID.SUBJECT_KEY_IDENTIFIER: "subjectKeyIdentifier",
  262. ExtensionOID.KEY_USAGE: "keyUsage",
  263. ExtensionOID.SUBJECT_ALTERNATIVE_NAME: "subjectAltName",
  264. ExtensionOID.ISSUER_ALTERNATIVE_NAME: "issuerAltName",
  265. ExtensionOID.BASIC_CONSTRAINTS: "basicConstraints",
  266. ExtensionOID.PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS: (
  267. "signedCertificateTimestampList"
  268. ),
  269. ExtensionOID.SIGNED_CERTIFICATE_TIMESTAMPS: (
  270. "signedCertificateTimestampList"
  271. ),
  272. ExtensionOID.PRECERT_POISON: "ctPoison",
  273. CRLEntryExtensionOID.CRL_REASON: "cRLReason",
  274. CRLEntryExtensionOID.INVALIDITY_DATE: "invalidityDate",
  275. CRLEntryExtensionOID.CERTIFICATE_ISSUER: "certificateIssuer",
  276. ExtensionOID.NAME_CONSTRAINTS: "nameConstraints",
  277. ExtensionOID.CRL_DISTRIBUTION_POINTS: "cRLDistributionPoints",
  278. ExtensionOID.CERTIFICATE_POLICIES: "certificatePolicies",
  279. ExtensionOID.POLICY_MAPPINGS: "policyMappings",
  280. ExtensionOID.AUTHORITY_KEY_IDENTIFIER: "authorityKeyIdentifier",
  281. ExtensionOID.POLICY_CONSTRAINTS: "policyConstraints",
  282. ExtensionOID.EXTENDED_KEY_USAGE: "extendedKeyUsage",
  283. ExtensionOID.FRESHEST_CRL: "freshestCRL",
  284. ExtensionOID.INHIBIT_ANY_POLICY: "inhibitAnyPolicy",
  285. ExtensionOID.ISSUING_DISTRIBUTION_POINT: ("issuingDistributionPoint"),
  286. ExtensionOID.AUTHORITY_INFORMATION_ACCESS: "authorityInfoAccess",
  287. ExtensionOID.SUBJECT_INFORMATION_ACCESS: "subjectInfoAccess",
  288. ExtensionOID.OCSP_NO_CHECK: "OCSPNoCheck",
  289. ExtensionOID.CRL_NUMBER: "cRLNumber",
  290. ExtensionOID.DELTA_CRL_INDICATOR: "deltaCRLIndicator",
  291. ExtensionOID.TLS_FEATURE: "TLSFeature",
  292. AuthorityInformationAccessOID.OCSP: "OCSP",
  293. AuthorityInformationAccessOID.CA_ISSUERS: "caIssuers",
  294. SubjectInformationAccessOID.CA_REPOSITORY: "caRepository",
  295. CertificatePoliciesOID.CPS_QUALIFIER: "id-qt-cps",
  296. CertificatePoliciesOID.CPS_USER_NOTICE: "id-qt-unotice",
  297. OCSPExtensionOID.NONCE: "OCSPNonce",
  298. AttributeOID.CHALLENGE_PASSWORD: "challengePassword",
  299. }