polhenarejos / pycvc Goto Github PK
View Code? Open in Web Editor NEWCard Verifiable Certificates (CVC) tools for Python
License: GNU General Public License v3.0
Card Verifiable Certificates (CVC) tools for Python
License: GNU General Public License v3.0
I am trying to create RSA based certificate but running into this issue here:
File "*\Anaconda3\lib\site-packages\cvc\asn1.py", line 40, in make_tag
return to_bytes(tag) + ASN1.calculate_len(len(b)) + bytearray(b)
TypeError: object of type 'int' has no len()
Command I used with RSA-2K key generated using openssl:
cvc-create --role=cvca --type=at --chr=ZZATCVCA00001 --valid=365 --sign-key=ZZATCVCA00001.pkcs8 --scheme=RSA_v1_5_SHA_256
Does the package support RSA based certificates at all?
Even though the help content describes "--since" argument for valid_from date, it is not supported. Can we add the support for that? Can we also add support for valid_to date as well (in addition to # of days)?
Command: cvc-create --role=cvca --type=at --chr=ZZATCVCA00001 --since "2014/10/09" --valid=365 --sign-key=ZZATCVCA00001.pkcs8 --scheme=ECDSA_SHA_256
Traceback:
usage: cvc-create [-h] [--version] [-o FILENAME] [-r {cvca,dv_domestic,dv_foreign,terminal}] [-t {at,is,st}] [--valid VALID] -k FILENAME [--sign-as FILENAME] [--outer-as FILENAME] [--outer-key FILENAME]
[-p FILENAME] [-q FILENAME] [--out-key FILENAME]
[-s {ECDSA_SHA_1,ECDSA_SHA_224,ECDSA_SHA_256,ECDSA_SHA_384,ECDSA_SHA_512,RSA_v1_5_SHA_1,RSA_v1_5_SHA_256,RSA_v1_5_SHA_512,RSA_PSS_SHA_1,RSA_PSS_SHA_256,RSA_PSS_SHA_512}] [-c CHR]
[-a REQ_CAR] [--write-dg17] [--write-dg18] [--write-dg19] [--write-dg20] [--write-dg21] [--write-dg22] [--rfu31] [--psa] [--read-dg1] [--read-dg2] [--read-dg3] [--read-dg4] [--read-dg5]
[--read-dg6] [--read-dg7] [--read-dg8] [--read-dg9] [--read-dg10] [--read-dg11] [--read-dg12] [--read-dg13] [--read-dg14] [--read-dg15] [--read-dg16] [--read-dg17] [--read-dg18]
[--read-dg19] [--read-dg20] [--read-dg21] [--read-dg22] [--install-qual-cert] [--install-cert] [--pin-management] [--can-allowed] [--privileged] [--rid] [--verify-community]
[--verify-age] [--rfu5] [--rfu4] [--rfu3] [--rfu2] [--gen-qual-sig] [--gen-sig] [--read-iris] [--read-finger]
cvc-create: error: unrecognized arguments: --since 2014/10/09
Can I generate RSA certificate for ECC public key? I want the terminal to have ECC private/public key pair but DV and CVCA to have RSA key pairs. In that case, can I generate RSA certificate for IS's ECC key pair? It doesn't seem it is supported but ideally should be possible.
Here is the batch script I am running:
SET seq=003
SET CA=DETestingCV
SET DV=DETESTDVDE
SET IS=DETESTISDE
SET SCHEME=RSA_v1_5_SHA_256
SET KEY_SIZE=2048
openssl genrsa -out %CA%%seq%.pem %KEY_SIZE%
openssl pkcs8 -topk8 -nocrypt -in %CA%%seq%.pem -outform DER -out %CA%%seq%.pkcs8
cvc-create --role=cvca --type=at --chr=%CA%%seq% --valid=365 --sign-key=%CA%%seq%.pkcs8 --scheme=%SCHEME%
openssl genrsa -out %DV%%seq%.pem %KEY_SIZE%
openssl pkcs8 -topk8 -nocrypt -in %DV%%seq%.pem -outform DER -out %DV%%seq%.pkcs8
openssl rsa -in %DV%%seq%.pem -out %DV%%seq%.pub -pubout -outform DER
cvc-create --role=dv_domestic --type=at --chr=%DV%%seq% --valid=180 --sign-key=%CA%%seq%.pkcs8 --scheme=%SCHEME% --sign-as=%CA%%seq%.cvcert --public-key=%DV%%seq%.pub
openssl ecparam -out %IS%%seq%.pem -name prime256v1 -genkey
openssl pkcs8 -topk8 -nocrypt -in %IS%%seq%.pem -outform DER -out %IS%%seq%.pkcs8
cvc-create --chr=%IS%%seq% --scheme=%SCHEME% --sign-key=%IS%%seq%.pkcs8 --out-cert=%IS%%seq%.cvreq --req-car=%DV%%seq%
cvc-create --role=terminal --type=at --valid=60 --sign-key=%DV%%seq%.pkcs8 --sign-as=%DV%%seq%.cvcert --request=%IS%%seq%.cvreq
and the error I am getting:
Traceback (most recent call last):
File "\Anaconda3\lib\runpy.py", line 197, in _run_module_as_main
return _run_code(code, main_globals, None,
File "\Anaconda3\lib\runpy.py", line 87, in run_code
exec(code, run_globals)
File "*\Anaconda3\Scripts\cvc-create.exe_main.py", line 7, in
File "\Anaconda3\lib\site-packages\cvc\tools\cvc_create.py", line 233, in run
main(args)
File "\Anaconda3\lib\site-packages\cvc\tools\cvc_create.py", line 175, in main
pub_key = rsa.RSAPublicNumbers(int.from_bytes(CVC().decode(data).pubkey().find(0x82).data(), 'big'), int.from_bytes(CVC().decode(data).pubkey().find(0x81).data(), 'big')).public_key()
File "\Anaconda3\lib\site-packages\cryptography\hazmat\primitives\asymmetric\rsa.py", line 413, in public_key
return ossl.load_rsa_public_numbers(self)
File "\Anaconda3\lib\site-packages\cryptography\hazmat\backends\openssl\backend.py", line 573, in load_rsa_public_numbers
rsa._check_public_key_components(numbers.e, numbers.n)
File "*\Anaconda3\lib\site-packages\cryptography\hazmat\primitives\asymmetric\rsa.py", line 201, in _check_public_key_components
raise ValueError("e must be odd.")
ValueError: e must be odd.
Thanks for fixing the issue I reported earlier. We have similar issue with RSA certificate verification. Data types expected and provided are different. Could you fix this one as well? Thanks.
Command: cvc-print -d certs ZZATCVCA00001.cvcert
Traceback: below
Traceback (most recent call last):
File "\Anaconda3\lib\runpy.py", line 197, in _run_module_as_main
return _run_code(code, main_globals, None,
File "\Anaconda3\lib\runpy.py", line 87, in run_code
exec(code, run_globals)
File "*\Anaconda3\Scripts\cvc-print.exe_main.py", line 7, in
File "\Anaconda3\lib\site-packages\cvc\tools\cvc_print.py", line 125, in run
main(args)
File \Anaconda3\lib\site-packages\cvc\tools\cvc_print.py", line 88, in main
if (CVC().decode(cdata).verify(cert_dir=cert_dir, dica=cdata if isreq else None)):
File "\Anaconda3\lib\site-packages\cvc\certificates.py", line 188, in verify
pubkey = rsa.RSAPublicNumbers(ASN1().decode(puk).find(0x82).data(), ASN1().decode(puk).find(0x81).data()).public_key()
File "\Anaconda3\lib\site-packages\cryptography\hazmat\primitives\asymmetric\rsa.py", line 395, in init
raise TypeError("RSAPublicNumbers arguments must be integers.")
TypeError: RSAPublicNumbers arguments must be integers.
See subject line.
Seems like the certificates that are generated are meant to be used in the terminal authentication protocol to authenticate the inspection system accessing data from a card. What changes will be required to generate certificates for the card itself which are verified by the inspection system to authenticate the card?
I've run into a certificate which doesn't have correctly encoded signature for ECC algorithms. The problem is that the r and s components of ECDSA signature are encoded to minimum number of bytes required to fit those integers. However, they should be encoded to fixed number of bytes (derived based on the curve size, e.g. 32 bytes for P256, 28 bytes for P224, 24 bytes for P192, and so on). Could you please look into it and fix the issue?
From certificates.py:
def sign(self, key, scheme):
h,p = get_hash_padding(scheme)
if (isinstance(key, ec.EllipticCurvePrivateKey)):
signature = key.sign(self.__a.encode(), ec.ECDSA(h))
r,s = utils.decode_dss_signature(signature)
n = math.ceil(key.curve.key_size / 8)
_**signature = r.to_bytes(n, 'big') + s.to_bytes(n, 'big')**_
elif (isinstance(key, rsa.RSAPrivateKey)):
signature = key.sign(self.__a.encode(), p, h)
elif (isinstance(key, (ed25519.Ed25519PrivateKey, ed448.Ed448PrivateKey))):
signature = key.sign(self.__a.encode())
self.__a = self.__a.add_tag(0x5f37, bytearray(signature))
return self
To configure read/write access permissions/authorization for different data groups, we pass --read-dgX arguments from the commandline while creating the certificate which gets reflected in the CHAT data (tag 53 in the certificate object). I don't see these arguments changing anything. The bits corresponding to different data groups are always set to 0.
Can you fix this? Let me know if you need more detail.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.