#
# This file is part of pyasn1-modules software.
#
# Created by Russ Housley with assistance from asn1ate v.0.6.0.
#
# Copyright (c) 2019, Vigil Security, LLC
# License: http://snmplabs.com/pyasn1/license.html
#
# Electronic Signature Policies
#
# ASN.1 source from:
# https://www.rfc-editor.org/rfc/rfc3125.txt
# https://www.rfc-editor.org/errata/eid5901
# https://www.rfc-editor.org/errata/eid5902
#
from pyasn1.type import constraint
from pyasn1.type import namedtype
from pyasn1.type import namedval
from pyasn1.type import tag
from pyasn1.type import useful
from pyasn1.type import univ
from pyasn1_modules import rfc5280
# Open upper bound for the SIZE / value-range constraints declared below;
# pyasn1 accepts a float here, so "no upper limit" is expressed as infinity.
MAX = float('inf')


# Imports from RFC 5280

# Re-exported aliases so that a consumer of this module can reach the RFC 5280
# building blocks it relies on through a single import.  Types that RFC 3125
# redefines with its own shape (e.g. NameConstraints, PolicyConstraints,
# GeneralSubtree) are deliberately NOT aliased here; they are declared locally
# further down.
AlgorithmIdentifier = rfc5280.AlgorithmIdentifier

Attribute = rfc5280.Attribute

AttributeType = rfc5280.AttributeType

AttributeTypeAndValue = rfc5280.AttributeTypeAndValue

AttributeValue = rfc5280.AttributeValue

Certificate = rfc5280.Certificate

CertificateList = rfc5280.CertificateList

DirectoryString = rfc5280.DirectoryString

GeneralName = rfc5280.GeneralName

GeneralNames = rfc5280.GeneralNames

Name = rfc5280.Name

PolicyInformation = rfc5280.PolicyInformation
# Electronic Signature Policies
class CertPolicyId(univ.ObjectIdentifier):
    """CertPolicyId ::= OBJECT IDENTIFIER (RFC 3125).

    Identifies a certificate policy that a trust point accepts; see
    AcceptablePolicySet.
    """
    pass
class AcceptablePolicySet(univ.SequenceOf):
    """AcceptablePolicySet ::= SEQUENCE OF CertPolicyId.

    No SIZE constraint is declared, so an empty set is accepted at the
    schema level; what an empty set means is up to the policy consumer.
    """
    componentType = CertPolicyId()
class SignPolExtn(univ.Sequence):
    """A generic extension carried inside a signature policy (RFC 3125).

    'extnValue' is an opaque OCTET STRING: nothing in this module interprets
    it, so a consumer must dispatch on 'extnID' and decode the payload itself.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('extnID', univ.ObjectIdentifier()),
        namedtype.NamedType('extnValue', univ.OctetString())
    )
class SignPolExtensions(univ.SequenceOf):
    """SignPolExtensions ::= SEQUENCE OF SignPolExtn.

    Used as the 'signPolExtensions' / 'other' / 'exRevReq' hook in several
    structures below; no size constraint is declared.
    """
    componentType = SignPolExtn()
class AlgAndLength(univ.Sequence):
    """An algorithm OID with an optional minimum key length (RFC 3125).

    'minKeyLength' is an unconstrained INTEGER at this layer: the schema alone
    does not reject zero or negative values, so a consumer that compares real
    key sizes against it should validate the value it reads.  'other' carries
    algorithm-specific extensions as opaque SignPolExtensions.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('algID', univ.ObjectIdentifier()),
        namedtype.OptionalNamedType('minKeyLength', univ.Integer()),
        namedtype.OptionalNamedType('other', SignPolExtensions())
    )
class AlgorithmConstraints(univ.SequenceOf):
    """AlgorithmConstraints ::= SEQUENCE OF AlgAndLength (no size constraint)."""
    componentType = AlgAndLength()
class AlgorithmConstraintSet(univ.Sequence):
    """Per-role algorithm constraints (RFC 3125 AlgorithmConstraintSet).

    Five OPTIONAL components, EXPLICIT context tags [0]..[4], for the signer,
    end-entity, CA, attribute-authority and TSA certificates respectively.
    Every component is optional, so an entirely empty SEQUENCE is valid at the
    schema level and places no restriction at all on algorithms.
    """
    componentType = namedtype.NamedTypes(
        namedtype.OptionalNamedType('signerAlgorithmConstraints',
            AlgorithmConstraints().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 0))),
        namedtype.OptionalNamedType('eeCertAlgorithmConstraints',
            AlgorithmConstraints().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 1))),
        namedtype.OptionalNamedType('caCertAlgorithmConstraints',
            AlgorithmConstraints().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 2))),
        namedtype.OptionalNamedType('aaCertAlgorithmConstraints',
            AlgorithmConstraints().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 3))),
        namedtype.OptionalNamedType('tsaCertAlgorithmConstraints',
            AlgorithmConstraints().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 4)))
    )
class AttributeValueConstraints(univ.SequenceOf):
    """AttributeValueConstraints ::= SEQUENCE OF AttributeTypeAndValue (RFC 5280 type)."""
    componentType = AttributeTypeAndValue()
class AttributeTypeConstraints(univ.SequenceOf):
    """AttributeTypeConstraints ::= SEQUENCE OF AttributeType (RFC 5280 type)."""
    componentType = AttributeType()
class AttributeConstraints(univ.Sequence):
    """Constraints on attribute types and values (RFC 3125).

    The component names 'attributeTypeConstarints' and
    'attributeValueConstarints' are misspelled on purpose: they follow the
    source ASN.1 module named in the file header, and callers address the
    components by exactly these strings.  Do not "correct" them.
    """
    componentType = namedtype.NamedTypes(
        namedtype.OptionalNamedType('attributeTypeConstarints',
            AttributeTypeConstraints().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 0))),
        namedtype.OptionalNamedType('attributeValueConstarints',
            AttributeValueConstraints().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 1)))
    )
class HowCertAttribute(univ.Enumerated):
    """How attributes may be presented: claimed, certified, or either.

    'certifiedAttribtes' (sic) keeps the spelling of the source ASN.1 module;
    it is the name callers use to look the value up.
    """
    namedValues = namedval.NamedValues(
        ('claimedAttribute', 0),
        ('certifiedAttribtes', 1),
        ('either', 2)
    )
class SkipCerts(univ.Integer):
    """SkipCerts ::= INTEGER (0..MAX) — a non-negative certificate count.

    pyasn1 applies the range constraint when a value is assigned or decoded,
    so a negative wire value is rejected rather than silently accepted.
    """
    subtypeSpec = constraint.ValueRangeConstraint(0, MAX)
class PolicyConstraints(univ.Sequence):
    """PolicyConstraints as used by RFC 3125 trust points.

    Declared locally (not aliased from rfc5280 like the types at the top of the
    file); both components are OPTIONAL with EXPLICIT tags [0] and [1].
    """
    componentType = namedtype.NamedTypes(
        namedtype.OptionalNamedType('requireExplicitPolicy',
            SkipCerts().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 0))),
        namedtype.OptionalNamedType('inhibitPolicyMapping',
            SkipCerts().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 1)))
    )
class BaseDistance(univ.Integer):
    """BaseDistance ::= INTEGER (0..MAX); used for GeneralSubtree minimum/maximum."""
    subtypeSpec = constraint.ValueRangeConstraint(0, MAX)
class GeneralSubtree(univ.Sequence):
    """A name subtree for NameConstraints (RFC 3125, local definition).

    'minimum' is DEFAULT 0 under EXPLICIT tag [0] — with pyasn1's
    DefaultedNamedType an absent component decodes to 0, and a DER encoder
    omits it when it equals the default.  'maximum' is OPTIONAL under [1].
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('base', GeneralName()),
        namedtype.DefaultedNamedType('minimum',
            BaseDistance().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 0)).subtype(
                    value=0)),
        namedtype.OptionalNamedType('maximum',
            BaseDistance().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 1)))
    )
class GeneralSubtrees(univ.SequenceOf):
    """GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree.

    The SIZE constraint means an empty list is invalid here, unlike the other
    SEQUENCE OF types in this module; pyasn1 checks it on assignment/decoding.
    """
    componentType = GeneralSubtree()
    subtypeSpec = constraint.ValueSizeConstraint(1, MAX)
class NameConstraints(univ.Sequence):
    """Permitted / excluded name subtrees (RFC 3125, local definition).

    Both components are OPTIONAL (EXPLICIT [0] and [1]); when present each
    must hold at least one subtree because of the GeneralSubtrees SIZE rule.
    """
    componentType = namedtype.NamedTypes(
        namedtype.OptionalNamedType('permittedSubtrees',
            GeneralSubtrees().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 0))),
        namedtype.OptionalNamedType('excludedSubtrees',
            GeneralSubtrees().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 1)))
    )
class PathLenConstraint(univ.Integer):
    """PathLenConstraint ::= INTEGER (0..MAX) — maximum path length below a trust point."""
    subtypeSpec = constraint.ValueRangeConstraint(0, MAX)
class CertificateTrustPoint(univ.Sequence):
    """A trust anchor plus the path rules that apply below it (RFC 3125).

    'trustpoint' embeds a complete RFC 5280 Certificate — the policy itself
    carries the anchor, so whoever trusts the policy implicitly trusts this
    certificate.  The remaining components are OPTIONAL, EXPLICIT [0]..[3].

    NOTE(review): [0]/[1] are built with tagFormatSimple and [2]/[3] with
    tagFormatConstructed.  pyasn1 is believed to force an explicit tag into
    constructed form regardless, making the mix cosmetic — confirm against the
    installed pyasn1 before relying on byte-exact encodings.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('trustpoint', Certificate()),
        namedtype.OptionalNamedType('pathLenConstraint',
            PathLenConstraint().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 0))),
        namedtype.OptionalNamedType('acceptablePolicySet',
            AcceptablePolicySet().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 1))),
        namedtype.OptionalNamedType('nameConstraints',
            NameConstraints().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatConstructed, 2))),
        namedtype.OptionalNamedType('policyConstraints',
            PolicyConstraints().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatConstructed, 3)))
    )
class CertificateTrustTrees(univ.SequenceOf):
    """CertificateTrustTrees ::= SEQUENCE OF CertificateTrustPoint.

    No SIZE constraint: an empty list is accepted at the schema level, which
    would leave a rule with no trust anchor at all — a consumer should decide
    explicitly how to treat that case.
    """
    componentType = CertificateTrustPoint()
class EnuRevReq(univ.Enumerated):
    """Revocation-checking requirement (RFC 3125 EnuRevReq).

    'clrCheck' (sic) keeps the spelling of the source ASN.1 module.  Note that
    'noCheck' (4) is a legitimate named value: a policy can select no
    revocation checking, so a consumer should handle that value deliberately
    rather than assuming some check is always required.  'other' (5) defers
    to the 'exRevReq' extensions in RevReq.
    """
    namedValues = namedval.NamedValues(
        ('clrCheck', 0),
        ('ocspCheck', 1),
        ('bothCheck', 2),
        ('eitherCheck', 3),
        ('noCheck', 4),
        ('other', 5)
    )
class RevReq(univ.Sequence):
    """Revocation requirement: an EnuRevReq plus optional extensions.

    'exRevReq' is untagged and OPTIONAL; it is meant to carry the details
    when 'enuRevReq' is 'other', but the schema does not enforce that pairing.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('enuRevReq', EnuRevReq()),
        namedtype.OptionalNamedType('exRevReq', SignPolExtensions())
    )
class CertRevReq(univ.Sequence):
    """Revocation requirements for the end certificate and for CA certificates.

    Both components are mandatory; 'caCerts' is EXPLICIT [0] constructed so
    the two RevReq values remain distinguishable on the wire.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('endCertRevReq', RevReq()),
        namedtype.NamedType('caCerts',
            RevReq().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatConstructed, 0)))
    )
class AttributeTrustCondition(univ.Sequence):
    """Trust conditions for signer attributes (RFC 3125).

    'attributeMandated' and 'howCertAttribute' are required; the trust trees,
    revocation requirement and attribute constraints are OPTIONAL under
    EXPLICIT tags [0], [1] and [2].
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('attributeMandated', univ.Boolean()),
        namedtype.NamedType('howCertAttribute', HowCertAttribute()),
        namedtype.OptionalNamedType('attrCertificateTrustTrees',
            CertificateTrustTrees().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 0))),
        namedtype.OptionalNamedType('attrRevReq',
            CertRevReq().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatConstructed, 1))),
        namedtype.OptionalNamedType('attributeConstraints',
            AttributeConstraints().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatConstructed, 2)))
    )
class CMSAttrs(univ.SequenceOf):
    """CMSAttrs ::= SEQUENCE OF OBJECT IDENTIFIER — a list of CMS attribute OIDs."""
    componentType = univ.ObjectIdentifier()
class CertInfoReq(univ.Enumerated):
    """How much certificate data the signer must include: none / signer only / full path."""
    namedValues = namedval.NamedValues(
        ('none', 0),
        ('signerOnly', 1),
        ('fullPath', 2)
    )
class CertRefReq(univ.Enumerated):
    """Which certificate references the signer must include.

    Unlike CertInfoReq there is no 'none' (0) value: the enumeration starts
    at 1, so a wire value of 0 has no name here.
    """
    namedValues = namedval.NamedValues(
        ('signerOnly', 1),
        ('fullPath', 2)
    )
class DeltaTime(univ.Sequence):
    """A time delta split into seconds, minutes, hours and days.

    All four components are unconstrained INTEGERs: the schema does not bound
    them or forbid negatives, so a consumer that turns this into a duration
    should validate the fields rather than trust them blindly.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('deltaSeconds', univ.Integer()),
        namedtype.NamedType('deltaMinutes', univ.Integer()),
        namedtype.NamedType('deltaHours', univ.Integer()),
        namedtype.NamedType('deltaDays', univ.Integer())
    )
class TimestampTrustCondition(univ.Sequence):
    """Trust conditions for the time-stamping authority (RFC 3125).

    Every component is OPTIONAL (EXPLICIT [0]..[4]), so an empty SEQUENCE is
    schema-valid.  'cautionPeriod' and 'signatureTimestampDelay' are
    DeltaTime values and inherit its lack of range checking.
    """
    componentType = namedtype.NamedTypes(
        namedtype.OptionalNamedType('ttsCertificateTrustTrees',
            CertificateTrustTrees().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 0))),
        namedtype.OptionalNamedType('ttsRevReq',
            CertRevReq().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatConstructed, 1))),
        namedtype.OptionalNamedType('ttsNameConstraints',
            NameConstraints().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatConstructed, 2))),
        namedtype.OptionalNamedType('cautionPeriod',
            DeltaTime().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatConstructed, 3))),
        namedtype.OptionalNamedType('signatureTimestampDelay',
            DeltaTime().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatConstructed, 4)))
    )
class SignerRules(univ.Sequence):
    """Rules the signer must follow (RFC 3125 SignerRules).

    'mandatedSignedAttr' and 'mandatedUnsignedAttr' are required even if
    empty.  'mandatedCertificateRef' defaults to 'signerOnly' and
    'mandatedCertificateInfo' to 'none' — named values of CertRefReq and
    CertInfoReq set via subtype(value=...); with pyasn1's DefaultedNamedType
    an absent component decodes to that default.
    """
    componentType = namedtype.NamedTypes(
        namedtype.OptionalNamedType('externalSignedData', univ.Boolean()),
        namedtype.NamedType('mandatedSignedAttr', CMSAttrs()),
        namedtype.NamedType('mandatedUnsignedAttr', CMSAttrs()),
        namedtype.DefaultedNamedType('mandatedCertificateRef',
            CertRefReq().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 0)).subtype(
                    value='signerOnly')),
        namedtype.DefaultedNamedType('mandatedCertificateInfo',
            CertInfoReq().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 1)).subtype(
                    value='none')),
        namedtype.OptionalNamedType('signPolExtensions',
            SignPolExtensions().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 2)))
    )
class MandatedUnsignedAttr(CMSAttrs):
    """MandatedUnsignedAttr ::= CMSAttrs — a distinct name, identical encoding."""
    pass
class VerifierRules(univ.Sequence):
    """Rules the verifier must follow: mandated unsigned attributes plus extensions."""
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('mandatedUnsignedAttr', MandatedUnsignedAttr()),
        namedtype.OptionalNamedType('signPolExtensions', SignPolExtensions())
    )
class SignerAndVerifierRules(univ.Sequence):
    """Pairs SignerRules with VerifierRules; both are mandatory."""
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('signerRules', SignerRules()),
        namedtype.NamedType('verifierRules', VerifierRules())
    )
class SigningCertTrustCondition(univ.Sequence):
    """Trust trees and revocation requirement for the signing certificate.

    Both components are mandatory here, unlike the all-OPTIONAL
    TimestampTrustCondition.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('signerTrustTrees', CertificateTrustTrees()),
        namedtype.NamedType('signerRevReq', CertRevReq())
    )
class CommitmentTypeIdentifier(univ.ObjectIdentifier):
    """CommitmentTypeIdentifier ::= OBJECT IDENTIFIER."""
    pass
class FieldOfApplication(DirectoryString):
    """FieldOfApplication ::= DirectoryString (RFC 5280 CHOICE of string types)."""
    pass
class CommitmentType(univ.Sequence):
    """A recognised commitment type: OID plus optional descriptive strings.

    'fieldOfApplication' and 'semantics' are OPTIONAL under EXPLICIT [0]/[1];
    both are DirectoryString-based, i.e. human-readable text that a consumer
    should treat as display data, not as something to act on.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('identifier', CommitmentTypeIdentifier()),
        namedtype.OptionalNamedType('fieldOfApplication',
            FieldOfApplication().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 0))),
        namedtype.OptionalNamedType('semantics',
            DirectoryString().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 1)))
    )
class SelectedCommitmentTypes(univ.SequenceOf):
    """SEQUENCE OF CHOICE { empty NULL, recognizedCommitmentType CommitmentType }.

    The CHOICE is declared inline rather than as a named class, so there is no
    separate type to import for a single element.
    """
    componentType = univ.Choice(componentType=namedtype.NamedTypes(
        namedtype.NamedType('empty', univ.Null()),
        namedtype.NamedType('recognizedCommitmentType', CommitmentType())
    ))
class CommitmentRule(univ.Sequence):
    """Rules that apply to one set of commitment types (RFC 3125).

    'selCommitmentTypes' is mandatory; the six remaining components are
    OPTIONAL and carry the same names and EXPLICIT tags [0]..[5] as
    CommonRules, so the two classes must be kept in step.  The component name
    'signerAndVeriferRules' (sic) follows the source ASN.1 module and is the
    string callers use — do not respell it.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('selCommitmentTypes', SelectedCommitmentTypes()),
        namedtype.OptionalNamedType('signerAndVeriferRules',
            SignerAndVerifierRules().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatConstructed, 0))),
        namedtype.OptionalNamedType('signingCertTrustCondition',
            SigningCertTrustCondition().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatConstructed, 1))),
        namedtype.OptionalNamedType('timeStampTrustCondition',
            TimestampTrustCondition().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatConstructed, 2))),
        namedtype.OptionalNamedType('attributeTrustCondition',
            AttributeTrustCondition().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatConstructed, 3))),
        namedtype.OptionalNamedType('algorithmConstraintSet',
            AlgorithmConstraintSet().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatConstructed, 4))),
        namedtype.OptionalNamedType('signPolExtensions',
            SignPolExtensions().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 5)))
    )
class CommitmentRules(univ.SequenceOf):
    """CommitmentRules ::= SEQUENCE OF CommitmentRule (no size constraint)."""
    componentType = CommitmentRule()
class CommonRules(univ.Sequence):
    """Rules that apply regardless of commitment type (RFC 3125).

    All six components are OPTIONAL, so an empty CommonRules is schema-valid
    and imposes nothing by itself.  Names and EXPLICIT tags [0]..[5] match
    the trailing components of CommitmentRule; 'signerAndVeriferRules' (sic)
    keeps the source ASN.1 spelling that callers address it by.
    """
    componentType = namedtype.NamedTypes(
        namedtype.OptionalNamedType('signerAndVeriferRules',
            SignerAndVerifierRules().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatConstructed, 0))),
        namedtype.OptionalNamedType('signingCertTrustCondition',
            SigningCertTrustCondition().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatConstructed, 1))),
        namedtype.OptionalNamedType('timeStampTrustCondition',
            TimestampTrustCondition().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatConstructed, 2))),
        namedtype.OptionalNamedType('attributeTrustCondition',
            AttributeTrustCondition().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatConstructed, 3))),
        namedtype.OptionalNamedType('algorithmConstraintSet',
            AlgorithmConstraintSet().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatConstructed, 4))),
        namedtype.OptionalNamedType('signPolExtensions',
            SignPolExtensions().subtype(explicitTag=tag.Tag(
                tag.tagClassContext, tag.tagFormatSimple, 5)))
    )
class PolicyIssuerName(GeneralNames):
    """PolicyIssuerName ::= GeneralNames (RFC 5280) — who issued the policy."""
    pass
class SignPolicyHash(univ.OctetString):
    """SignPolicyHash ::= OCTET STRING — raw digest bytes, algorithm given by SignaturePolicy."""
    pass
class SignPolicyId(univ.ObjectIdentifier):
    """SignPolicyId ::= OBJECT IDENTIFIER — identifier of a signature policy."""
    pass
class SigningPeriod(univ.Sequence):
    """Validity window of the policy for signing.

    'notAfter' is OPTIONAL, so a period can be open-ended; a consumer must
    decide whether an absent 'notAfter' means "valid indefinitely".  Both
    values are GeneralizedTime and are not validated beyond syntax here.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('notBefore', useful.GeneralizedTime()),
        namedtype.OptionalNamedType('notAfter', useful.GeneralizedTime())
    )
class SignatureValidationPolicy(univ.Sequence):
    """The validation rules proper: period, common rules, commitment rules."""
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('signingPeriod', SigningPeriod()),
        namedtype.NamedType('commonRules', CommonRules()),
        namedtype.NamedType('commitmentRules', CommitmentRules()),
        namedtype.OptionalNamedType('signPolExtensions', SignPolExtensions())
    )
class SignPolicyInfo(univ.Sequence):
    """Body of a signature policy (RFC 3125 SignPolicyInfo).

    This is the structure a policy hash would be computed over; all
    components except 'signPolExtensions' are mandatory.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('signPolicyIdentifier', SignPolicyId()),
        namedtype.NamedType('dateOfIssue', useful.GeneralizedTime()),
        namedtype.NamedType('policyIssuerName', PolicyIssuerName()),
        namedtype.NamedType('fieldOfApplication', FieldOfApplication()),
        namedtype.NamedType('signatureValidationPolicy', SignatureValidationPolicy()),
        namedtype.OptionalNamedType('signPolExtensions', SignPolExtensions())
    )
class SignaturePolicy(univ.Sequence):
    """Top-level SignaturePolicy: hash algorithm, policy body, optional hash.

    Nothing in this module computes or checks 'signPolicyHash' against the
    encoded 'signPolicyInfo' using 'signPolicyHashAlg'; that comparison, and
    the decision of what to do when the OPTIONAL hash is absent, belongs to
    the consumer of the decoded structure.
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('signPolicyHashAlg', AlgorithmIdentifier()),
        namedtype.NamedType('signPolicyInfo', SignPolicyInfo()),
        namedtype.OptionalNamedType('signPolicyHash', SignPolicyHash())
    )