wip

synrc · Oct 31, 2024 · bad28ca · bad28ca
1 parent 7ad38ec
commit bad28ca
Show file tree

Hide file tree

Showing 7 changed files with 200 additions and 72 deletions.
diff --git a/include/KEP.hrl b/include/KEP.hrl
@@ -1,4 +1,4 @@
-%% Generated by the Erlang ASN.1 compiler. Version: 5.2.1
+%% Generated by the Erlang ASN.1 compiler. Version: 5.2.2
 %% Purpose: Erlang record definitions for each named and unnamed
 %% SEQUENCE and SET, and macro definitions for each value
 %% definition in module KEP.

diff --git a/lib/encryption/cms.ex b/lib/encryption/cms.ex
@@ -151,10 +151,37 @@ defmodule CA.CMS do
       parseSignData(bin)
   end
 
+  def parseSignerInfo(si) do
+      {:SignerInfo, :v1, {_,{_,issuer,_}}, {_,keyAlg,_}, signedAttrs, {_,signatureAlg,_}, sign, attrs} = si
+      signedAttributes = :lists.map(fn {:Attribute,code,[{:asn1_OPENTYPE,b}],_} ->
+         CA.CRT.oid(code, b)
+      end, signedAttrs)
+      attributes = :lists.map(fn {:Attribute,code,[{:asn1_OPENTYPE,b}],_} ->
+         CA.CRT.oid(code, b)
+      end, attrs)
+      [
+         resourceType: :SignerInfo,
+         issuer: CA.CRT.rdn(issuer),
+         keyAlg: :erlang.element(1,CA.ALG.lookup(keyAlg)),
+         signatureAlg: :erlang.element(1,CA.ALG.lookup(signatureAlg)),
+         signedAttrs: signedAttributes,
+         attrs: attributes,
+      ]
+  end
+
+  def parseSignerInfos(sis) do :lists.map(fn si -> CA.CMS.parseSignerInfo(si) end, sis) end
+
   def parseSignData(bin) do
       {_, {:ContentInfo, oid, ci}} = :KEP.decode(:ContentInfo, bin)
-      {:ok, {:SignedData, a, alg, x, c, x1, si}} = :KEP.decode(:SignedData, ci)
-      {:SignedData, a, alg, x, parseSignDataCert({alg,oid,x,c,x1,si}), x1, si}
+      {:ok, {:SignedData, ver, alg, x, c, x1, sis}} = :KEP.decode(:SignedData, ci)
+      {:EncapsulatedContentInfo, contentOid, data} = x
+      [
+         resourceType: :SignedData,
+         version: ver,
+         cert: parseSignDataCert({alg,oid,x,c,x1,sis}),
+         signerInfo: parseSignerInfos(sis),
+         signedContent: data,
+      ]
   end
 
   def parseSignDataCert({_,_,_,:asn1_NOVALUE,_,_}), do: []

diff --git a/lib/oid/alg.ex b/lib/oid/alg.ex
@@ -1,33 +1,35 @@
 defmodule CA.ALG do
    @moduledoc "CA algorithms definitions."
 
-   def oid(x) do {_,v} = :lists.keyfind(x, 1, algorithms()) ; v end
+   def oid(x) do case :lists.keyfind(x, 2, algorithms()) do {v,_} ->  v ; false -> x end end
    def lookup(oid), do: :lists.keyfind(oid, 2, algorithms())
    def algorithms() do
        [
-            {:iitStoreOID,           {1,3,6,1,4,1,19398,1,1,1,2}},
-            {:dstu4145Curve,         {1,3,6,1,4,1,19398,1,1,2,2}},
-            {:dstu4145Key,           {1,3,6,1,4,1,19398,1,1,2,3}},
-            {"iit",                  {1,3,6,1,4,1,19398,1,1,4,1}},
-            {:pbes1,                 {1,3,6,1,4,1,42,2,19,1}},
-            {:keyProtector,          {1,3,6,1,4,1,42,2,17,1,1}},
-            {:'id-PasswordBasedMac', {1,2,840,113533,7,66,13}},
-            {:'id-DHBasedMac',       {1,2,840,113533,7,66,30}},
-            {:'id-gost28147-ofb',    {1,2,804,2,1,1,1,1,1,1,2}},
-            {:'id-gost28147-cfb',    {1,2,804,2,1,1,1,1,1,1,3}},
-            {:'id-gost28147-wrap',   {1,2,804,2,1,1,1,1,1,1,5}},
-            {:'id-Dstu7624cfb-x256', {1,2,804,2,1,1,1,1,1,3,3,2}},
-            {:'id-Dstu7624ofb-x256', {1,2,804,2,1,1,1,1,1,3,6,2}},
-    {:'dstu4145WithGost34311-pb',    {1,2,804,2,1,1,1,1,3,1,1}},
-    {:'dstu4145WithGost34311onb',    {1,2,804,2,1,1,1,1,3,1,2}},
-    {:'gost34310WithGost34311',      {1,2,804,2,1,1,1,1,3,2}},
-    {:'dh-ua',                       {1,2,804,2,1,1,1,1,3,3}},
+            {:iitStoreOID,                    {1,3,6,1,4,1,19398,1,1,1,2}},
+            {:dstu4145Curve,                  {1,3,6,1,4,1,19398,1,1,2,2}},
+            {:dstu4145Key,                    {1,3,6,1,4,1,19398,1,1,2,3}},
+            {"iit",                           {1,3,6,1,4,1,19398,1,1,4,1}},
+            {:pbes1,                          {1,3,6,1,4,1,42,2,19,1}},
+            {:keyProtector,                   {1,3,6,1,4,1,42,2,17,1,1}},
+            {:'id-PasswordBasedMac',          {1,2,840,113533,7,66,13}},
+            {:'id-DHBasedMac',                {1,2,840,113533,7,66,30}},
+            {:'id-gost28147-ofb',             {1,2,804,2,1,1,1,1,1,1,2}},
+            {:'id-gost28147-cfb',             {1,2,804,2,1,1,1,1,1,1,3}},
+            {:'id-gost28147-wrap',            {1,2,804,2,1,1,1,1,1,1,5}},
+            {:'id-Dstu7624cfb-x256',          {1,2,804,2,1,1,1,1,1,3,3,2}},
+            {:'id-Dstu7624ofb-x256',          {1,2,804,2,1,1,1,1,1,3,6,2}},
+            {:gost34311,                      {1,2,804,2,1,1,1,1,2,1}},
+            {:dstu7564,                       {1,2,804,2,1,1,1,1,2,2}},
+    {:'dstu4145WithGost34311-pb',             {1,2,804,2,1,1,1,1,3,1,1}},
+    {:'dstu4145WithGost34311onb',             {1,2,804,2,1,1,1,1,3,1,2}},
+    {:'gost34310WithGost34311',               {1,2,804,2,1,1,1,1,3,2}},
+    {:'dh-ua',                                {1,2,804,2,1,1,1,1,3,3}},
     {:'dhSinglePass-cofactorDH-gost34311kdf', {1,2,804,2,1,1,1,1,3,4}},
     {:'dhSinglePass-stdDH-gost34311kdf',      {1,2,804,2,1,1,1,1,3,5}},
-            {:dstu4145WithDstu7564,  {1,2,804,2,1,1,1,1,3,6}},
-            {:"dstu4145WithDstu7564-256",  {1,2,804,2,1,1,1,1,3,6,1}},
-            {:"dstu4145WithDstu7564-384",  {1,2,804,2,1,1,1,1,3,6,2}},
-            {:"dstu4145WithDstu7564-512",  {1,2,804,2,1,1,1,1,3,6,3}},
+            {:dstu4145WithDstu7564,           {1,2,804,2,1,1,1,1,3,6}},
+            {:"dstu4145WithDstu7564-256",     {1,2,804,2,1,1,1,1,3,6,1}},
+            {:"dstu4145WithDstu7564-384",     {1,2,804,2,1,1,1,1,3,6,2}},
+            {:"dstu4145WithDstu7564-512",     {1,2,804,2,1,1,1,1,3,6,3}},
 
          {:'id-ecPublicKey',      {1,2,840,10045,2,1}},
          {:secp192r1,             {1,2,840,10045,3,1,1}},

diff --git a/lib/oid/at.ex b/lib/oid/at.ex
@@ -1,22 +1,44 @@
 defmodule CA.AT do
   @moduledoc "CA CSR Attributes OIDs."
-  def oid(:"id-at-rsaEncryption"),                        do: {1, 2, 840, 113549, 1, 1, 1}
-  def oid(:"id-at-sha1WithRSAEncryption"),                do: {1, 2, 840, 113549, 1, 1, 5}
-  def oid(:"id-at-sha512-256WithRSAEncryption"),          do: {1, 2, 840, 113549, 1, 1, 16}
-  def oid(:"id-at-dhKeyAgreement"),                       do: {1, 2, 840, 113549, 1, 3, 1}
-  def oid(:"id-at-emailAddress"),                         do: {1, 2, 840, 113549, 1, 9, 1}
-  def oid(:"id-at-unstructuredName"),                     do: {1, 2, 840, 113549, 1, 9, 2}
-  def oid(:"id-at-contentType"),                          do: {1, 2, 840, 113549, 1, 9, 3}
-  def oid(:"id-at-messageDigest"),                        do: {1, 2, 840, 113549, 1, 9, 4}
-  def oid(:"id-at-signingTime"),                          do: {1, 2, 840, 113549, 1, 9, 5}
-  def oid(:"id-at-counterSignature"),                     do: {1, 2, 840, 113549, 1, 9, 6}
-  def oid(:"id-at-challengePassword"),                    do: {1, 2, 840, 113549, 1, 9, 7}
-  def oid(:"id-at-unstructuredAddress"),                  do: {1, 2, 840, 113549, 1, 9, 8}
-  def oid(:"id-at-extendedCertificateAttributes"),        do: {1, 2, 840, 113549, 1, 9, 9}
-  def oid(:"id-at-issuerAndSerialNumber"),                do: {1, 2, 840, 113549, 1, 9, 10}
-  def oid(:"id-at-passwordCheck"),                        do: {1, 2, 840, 113549, 1, 9, 11}
-  def oid(:"id-at-publicKey"),                            do: {1, 2, 840, 113549, 1, 9, 12}
-  def oid(:"id-at-signingDescription"),                   do: {1, 2, 840, 113549, 1, 9, 13}
-  def oid(:"id-at-extensionRequest"),                     do: {1, 2, 840, 113549, 1, 9, 14}
-  def oid(:"id-at-smimeCapabilities"),                    do: {1, 2, 840, 113549, 1, 9, 15}
+  def oid(x) do
+      case :lists.keyfind(x, 2, algorithms()) do
+           {val,_} -> val
+           false -> CA.ALG.oid(x)
+      end
+  end
+  def algorithms() do
+    [
+      {:"id-at-rsaEncryption",                        {1, 2, 840, 113549, 1, 1, 1}},
+      {:"id-at-sha1WithRSAEncryption",                {1, 2, 840, 113549, 1, 1, 5}},
+      {:"id-at-sha512-256WithRSAEncryption",          {1, 2, 840, 113549, 1, 1, 16}},
+      {:"id-at-dhKeyAgreement",                       {1, 2, 840, 113549, 1, 3, 1}},
+      {:"id-at-emailAddress",                         {1, 2, 840, 113549, 1, 9, 1}},
+      {:"id-at-unstructuredName",                     {1, 2, 840, 113549, 1, 9, 2}},
+      {:"id-at-contentType",                          {1, 2, 840, 113549, 1, 9, 3}},
+      {:"id-at-messageDigest",                        {1, 2, 840, 113549, 1, 9, 4}},
+      {:"id-at-signingTime",                          {1, 2, 840, 113549, 1, 9, 5}},
+      {:"id-at-counterSignature",                     {1, 2, 840, 113549, 1, 9, 6}},
+      {:"id-at-challengePassword",                    {1, 2, 840, 113549, 1, 9, 7}},
+      {:"id-at-unstructuredAddress",                  {1, 2, 840, 113549, 1, 9, 8}},
+      {:"id-at-extendedCertificateAttributes",        {1, 2, 840, 113549, 1, 9, 9}},
+      {:"id-at-issuerAndSerialNumber",                {1, 2, 840, 113549, 1, 9, 10}},
+      {:"id-at-passwordCheck",                        {1, 2, 840, 113549, 1, 9, 11}},
+      {:"id-at-publicKey",                            {1, 2, 840, 113549, 1, 9, 12}},
+      {:"id-at-signingDescription",                   {1, 2, 840, 113549, 1, 9, 13}},
+      {:"id-at-extensionRequest",                     {1, 2, 840, 113549, 1, 9, 14}},
+      {:"id-at-smimeCapabilities",                    {1, 2, 840, 113549, 1, 9, 15}},
+      {:"id-at-smime",                                {1, 2, 840, 113549, 1, 9, 16}},
+      {:"id-aa",                                      {1, 2, 840, 113549, 1, 9, 16, 2}},
+      {:"id-aa-timeStampToken",                       {1, 2, 840, 113549, 1, 9, 16, 2, 14}},
+      {:"id-aa-ets-signerAttr",                       {1, 2, 840, 113549, 1, 9, 16, 2, 18}},
+      {:"id-aa-ets-otherSigCert",                     {1, 2, 840, 113549, 1, 9, 16, 2, 19}},
+      {:"id-aa-20",                                   {1, 2, 840, 113549, 1, 9, 16, 2, 20}},
+      {:"id-aa-ets-CertificateRefs",                  {1, 2, 840, 113549, 1, 9, 16, 2, 21}},
+      {:"id-aa-ets-revocationRefs",                   {1, 2, 840, 113549, 1, 9, 16, 2, 22}},
+      {:"id-aa-ets-certValues",                       {1, 2, 840, 113549, 1, 9, 16, 2, 23}},
+      {:"id-aa-ets-revocationValues",                 {1, 2, 840, 113549, 1, 9, 16, 2, 24}},
+      {:"id-aa-signingCertificateV2",                 {1, 2, 840, 113549, 1, 9, 16, 2, 47}},
+      {:"id-at-pgpKeyID",                             {1, 2, 840, 113549, 1, 9, 17}},
+    ]
+  end
 end
diff --git a/lib/services/crt.ex b/lib/services/crt.ex
@@ -73,16 +73,44 @@ defmodule CA.CRT do
   def oid({1,2,840,113549,1,9,3},v), do: {:contentType, hd(mapOidsDecode([v]))}
   def oid({1,2,840,113549,1,9,4},v), do: {:messageDigest, :base64.encode(:erlang.element(2,:KEP.decode(:MessageDigest, v)))}
   def oid({1,2,840,113549,1,9,5},v), do: {:signingTime, :erlang.element(2,:erlang.element(1,:asn1rt_nif.decode_ber_tlv(v)))}
-  def oid({1,2,840,113549,1,9,16,2,47},v) do
-      {:SigningCertificateV2,[{:ESSCertIDv2, _, _, {_,_,serial}}],_} = :erlang.element(2,:KEP.decode(:SigningCertificateV2, v))
-      {:signingCertificateV2, serial}
-  end
-  def oid({1,2,840,113549,1,9,16,2,20},v) do
-      {:ContentInfo, oid, value} = :erlang.element(2,:KEP.decode(:ContentInfo,v))
+
+  def oid({1, 2, 840, 113549, 1, 9, 16, 2}, v) do {:"id-aa", v} end
+  def oid({1, 2, 840, 113549, 1, 9, 16, 2, 14}, v) do {:"id-aa-timeStampToken", v}
+      {:ok, {:ContentInfo, oid, value}} = :KEP.decode(:ContentInfo,v)
+      {:ok, {:SignedData, _, _alg, {_,_,x}, _c, _x1, _si}} = :KEP.decode(:SignedData, value)
+      {:ok, {:TSTInfo, _vsn, _oid, {:MessageImprint, _, x}, serial, ts, _,_,_,_}} = :KEP.decode(:TSTInfo, x)
+      {:timeStampToken, {hd(mapOids([oid])), serial, :erlang.iolist_to_binary(ts), :base64.encode(x)}}
+      end
+  def oid({1, 2, 840, 113549, 1, 9, 16, 2, 18}, v) do {:"id-aa-ets-signerAttr", v} end
+  def oid({1, 2, 840, 113549, 1, 9, 16, 2, 19}, v) do {:"id-aa-ets-otherSigCert", v} end
+  def oid({1, 2, 840, 113549, 1, 9, 16, 2, 20}, v) do
+      {:ok, {:ContentInfo, oid, value}} = :KEP.decode(:ContentInfo,v)
       {:ok, {:SignedData, _, _alg, {_,_,x}, _c, _x1, _si}} = :KEP.decode(:SignedData, value)
       {:ok, {:TSTInfo, _vsn, _oid, {:MessageImprint, _, x}, serial, ts, _,_,_,_}} = :KEP.decode(:TSTInfo, x)
       {:contentTimestamp, {hd(mapOids([oid])), serial, :erlang.iolist_to_binary(ts), :base64.encode(x)}}
   end
+  def oid({1, 2, 840, 113549, 1, 9, 16, 2, 21}, v) do
+      {:ok, x} = :KEP.decode(:CertificateList, v)
+      {:"id-aa-ets-CertificateRefs", v}
+  end
+  def oid({1, 2, 840, 113549, 1, 9, 16, 2, 22}, v) do
+#      {:ok, x} = :KEP.decode(:CrlOcspRef, v)
+      {:"id-aa-ets-revocationRefs", v}
+  end
+  def oid({1, 2, 840, 113549, 1, 9, 16, 2, 23}, v) do
+#      {:ok, x} = :KEP.decode(:CertificateList, v)
+      {:"id-aa-ets-certValues", v}
+  end
+  def oid({1, 2, 840, 113549, 1, 9, 16, 2, 24}, v) do
+#      {:ok, x} = :KEP.decode(:CertificateList, v)
+      {:"id-aa-ets-revocationValues", v}
+  end
+
+  def oid({1, 2, 840, 113549, 1, 9, 16, 2, 47}, v) do
+      {:ok, {:SigningCertificateV2,[{:ESSCertIDv2, _, _, {_,_,serial}}],_}} = :KEP.decode(:SigningCertificateV2, v)
+      {:"id-aa-signingCertificateV2", serial}
+  end
+
   def oid(x,v) when is_binary(x), do: {:oid.decode(x),pair(v,[])}
   def oid(x,v), do: {x,v}
 
@@ -91,17 +119,30 @@ defmodule CA.CRT do
   def flat(code,k,acc) when is_list(k), do: [:lists.map(fn x -> flat(code,x,acc) end, k)|acc]
   def flat(_code,k,acc) when is_binary(k), do: [k|acc]
 
-  def rdn({2, 5, 4, 3}),  do: "cn"
-  def rdn({2, 5, 4, 4}),  do: "surname"
-  def rdn({2, 5, 4, 5}),  do: "sn"
-  def rdn({2, 5, 4, 6}),  do: "c"
-  def rdn({2, 5, 4, 7}),  do: "l"
-  def rdn({2, 5, 4, 10}), do: "o"
-  def rdn({2, 5, 4, 11}), do: "ou"
-  def rdn({2, 5, 4, 12}), do: "t"
+  def rdn({2, 5, 4, 3}),  do: "cn" # commonName
+  def rdn({2, 5, 4, 4}),  do: "sn" # sureName
+  def rdn({2, 5, 4, 5}),  do: "serialNumber"
+  def rdn({2, 5, 4, 6}),  do: "c" # country
+  def rdn({2, 5, 4, 7}),  do: "l" # localityName
+  def rdn({0,9,2342,19200300,100,1,25}),  do: "dc"
+  def rdn({2, 5, 4, 10}), do: "o" # organization
+  def rdn({2, 5, 4, 11}), do: "ou" # organizationalUnit
+  def rdn({2, 5, 4, 12}), do: "title"
+  def rdn({2, 5, 4, 13}), do: "description"
+  def rdn({2, 5, 4, 14}), do: "device"
+  def rdn({2, 5, 4, 15}), do: "businessCategory"
   def rdn({2, 5, 4, 42}), do: "givenName"
+  def rdn({2, 5, 4, 97}), do: "organizationIdentifier"
+  def rdn({2, 5, 6, 3}),  do: "locality"
+  def rdn({2, 5, 6, 4}),  do: "organization"
+  def rdn({2, 5, 6, 5}),  do: "organizationalUnit"
+  def rdn({2, 5, 6, 6}),  do: "person"
+  def rdn({2, 5, 6, 7}),  do: "organizationalPerson"
+  def rdn({2, 5, 6, 8}),  do: "organizationalRole"
+  def rdn({2, 5, 6, 9}),  do: "groupOfNames"
   def rdn({:rdnSequence, list}) do
-      Enum.join :lists.map(fn {_,oid,{_,list}} -> "#{rdn(oid)}=#{list}"
+      Enum.join :lists.map(fn [{_,oid,{_,list}}] -> "#{rdn(oid)}=#{list}"
+                              {_,oid,{_,list}} -> "#{rdn(oid)}=#{list}"
                               {_,oid,list} -> "#{rdn(oid)}=#{list}" end, list), "/"
   end
 
@@ -125,8 +166,8 @@ defmodule CA.CRT do
       extensions = :lists.map(fn {:Extension,code,_x,b} ->
          oid(code, :lists.flatten(flat(code,:asn1rt_nif.decode_ber_tlv(b),[])))
       end, exts)
-      :io.format '~p', [oid]
-      [ version: ver,
+      [ resourceType: :Certificate,
+        version: ver,
         signatureAlgorithm: :erlang.element(1,CA.ALG.lookup(alg)),
         subject: rdn(unsubj(issuee)),
         issuer:  rdn(unsubj(issuer)),

diff --git a/priv/csr/KEP.asn1 b/priv/csr/KEP.asn1
@@ -17,7 +17,7 @@ BEGIN
 
 IMPORTS Attribute, Name
   FROM  InformationFramework {joint-iso-itu-t ds(5) module(1) informationFramework(1) 3}
-        AlgorithmIdentifier, AttributeCertificate, Certificate, CertificateList,
+        AlgorithmIdentifier, AttributeCertificate, Certificate,
         CertificateSerialNumber, HASH{}, SIGNED{}, Extensions, Version
    FROM AuthenticationFramework {joint-iso-itu-t ds(5) module(1) authenticationFramework(7) 3}
         PolicyInformation, CRLReason
@@ -59,7 +59,6 @@ OcspIdentifier ::= SEQUENCE {
   producedAt GeneralizedTime
 }
 
-
 CMSVersion ::= INTEGER {v0(0), v1(1), v2(2), v3(3), v4(4), v5(5)}
 
 gost34311 OBJECT IDENTIFIER ::= {iso(1) member-body(2) ua(804)
@@ -84,6 +83,7 @@ SubjectKeyIdentifier ::= KeyIdentifier
 RevocationInfoChoices ::= SET OF CertificateList
 SignerInfos ::= SET OF SignerInfo
 CertificateSet ::= SET OF Certificate
+CertificateList ::= SET OF Certificate
 SignedData ::= SEQUENCE {
   version CMSVersion,
   digestAlgorithms DigestAlgorithmIdentifiers,