Add support for RFC 9763

Author: russhousley

CHANGES.txt

@@ -1,3 +1,9 @@
+Revision 0.4.7, released DD-MMM-2025
+------------------------------------
+- Cleanup setup.cfg and setup.py
+- Added RFC9763 for Related Certificates for Use in Multiple Authentications
+  within a Protocol
+
 Revision 0.4.6, released 25-MAR-2025
 ------------------------------------
 - Added RFC9688 for SHA3 One-way Hash Functions in the CMS

pyasn1_alt_modules/rfc9763.py

@@ -0,0 +1,110 @@
+#
+# This file is part of pyasn1-alt-modules software.
+#
+# Created by Russ Housley.
+#
+# Copyright (c) 2025, Vigil Security, LLC
+# License: http://vigilsec.com/pyasn1-alt-modules-license.txt
+#
+# Related Certificates for Use in Multiple Authentications within a Protocol
+#
+# ASN.1 source from:
+# https://www.rfc-editor.org/rfc/rfc9763.txt
+#
+
+from pyasn1.type import char
+from pyasn1.type import constraint
+from pyasn1.type import namedtype
+from pyasn1.type import univ
+
+from pyasn1_alt_modules import rfc5280
+from pyasn1_alt_modules import rfc5652
+from pyasn1_alt_modules import rfc5751
+from pyasn1_alt_modules import rfc6019
+from pyasn1_alt_modules import opentypemap
+
+certificateExtensionsMap = opentypemap.get('certificateExtensionsMap')
+
+certificateAttributesMap = opentypemap.get('certificateAttributesMap')
+
+MAX = float('inf')
+
+
+# Imports from RFC 5280
+
+id_pe = rfc5280.id_pe
+
+Attribute = rfc5280.Attribute
+
+AlgorithmIdentifier = rfc5280.AlgorithmIdentifier
+
+
+
+# Imports from RFC 5652
+
+IssuerAndSerialNumber = rfc5652.IssuerAndSerialNumber
+
+
+# Imports from RFC 5751
+
+id_aa = rfc5751.id_aa
+
+
+# Imports from RFC 6019
+
+BinaryTime = rfc6019.BinaryTime
+
+
+# relatedCertificate Extension
+
+id_pe_relatedCert = id_pe + (36, )
+
+
+class DigestAlgorithmIdentifier(AlgorithmIdentifier):
+    pass
+
+
+class RelatedCertificate(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('hashAlgorithm', DigestAlgorithmIdentifier()),
+        namedtype.NamedType('hashValue', univ.OctetString())
+    )
+
+
+# relatedCertRequest Attribute
+
+id_aa_relatedCertRequest = id_aa + (60, )
+
+
+class URI(char.IA5String):
+    pass
+
+
+class UniformResourceIdentifiers(univ.SequenceOf):
+    componentType = URI()
+    subtypeSpec=constraint.ValueSizeConstraint(1, MAX)
+
+
+class RequesterCertificate(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+        namedtype.NamedType('certID', IssuerAndSerialNumber()),
+        namedtype.NamedType('requestTime', BinaryTime()),
+        namedtype.NamedType('locationInfo', UniformResourceIdentifiers()),
+        namedtype.NamedType('signature', univ.BitString())
+    )
+
+
+# Update the Certificate Extension Map and the Certificate Attribute Map
+
+_certificateAttributesMapUpdate = {
+    id_aa_relatedCertRequest: RequesterCertificate(),
+}
+
+certificateAttributesMap.update(_certificateAttributesMapUpdate)
+
+
+_certificateExtensionsMapUpdate = {
+    id_pe_relatedCert: RelatedCertificate(),
+}
+
+certificateExtensionsMap.update(_certificateExtensionsMapUpdate)

tests/__main__.py

@@ -192,7 +192,8 @@
      'tests.test_rfc9691.suite',
      'tests.test_rfc9708.suite',
      'tests.test_rfc9709.suite',
-     'tests.test_rfc9734.suite']
+     'tests.test_rfc9734.suite',
+     'tests.test_rfc9763.suite']
 )
 
 

tests/test_rfc9763.py

@@ -0,0 +1,137 @@
+#
+# This file is part of pyasn1-alt-modules software.
+#
+# Created by Russ Housley
+# Copyright (c) 2025, Vigil Security, LLC
+# License: http://vigilsec.com/pyasn1-alt-modules-license.txt
+#
+import sys
+import unittest
+
+from pyasn1.codec.der.decoder import decode as der_decoder
+from pyasn1.codec.der.encoder import encode as der_encoder
+
+from pyasn1_alt_modules import pem
+from pyasn1_alt_modules import rfc2986
+from pyasn1_alt_modules import rfc4055
+from pyasn1_alt_modules import rfc5280
+from pyasn1_alt_modules import rfc9763
+from pyasn1_alt_modules import opentypemap
+
+
+class CertificationRequestTestCase(unittest.TestCase):
+    pem_text = """\
+MIICcTCCAfcCAQAwcDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlZBMRAwDgYDVQQH
+EwdIZXJuZG9uMRAwDgYDVQQKEwdFeGFtcGxlMQ4wDAYDVQQDEwVBbGljZTEgMB4G
+CSqGSIb3DQEJARYRYWxpY2VAZXhhbXBsZS5jb20wdjAQBgcqhkjOPQIBBgUrgQQA
+IgNiAAT4zZ8HL+xEDpXWkoWp5xFMTz4u4Ae1nF6zXCYlmsEGD5vPu5hl9hDEjd1U
+HRgJIPoy3fJcWWeZ8FHCirICtuMgFisNscG/aTwKyDYOFDuqz/C2jyEwqgWCRyxy
+ohuJXtmgggEGMIIBAgYLKoZIhvcNAQkQAjwxgfIwge8wVzBRMQswCQYDVQQGEwJV
+UzELMAkGA1UECBMCVkExEDAOBgNVBAcTB0hlcm5kb24xEDAOBgNVBAoTB0V4YW1w
+bGUxETAPBgNVBAMTCEJvZ3VzIENBAgICmgIEZ+2IIzAlFiNodHRwczovL3JlcG8u
+ZXhhbXBsZS5jb20vbXljZXJ0LnA3YwNnADBkAjBhJnt/AN5PKuERkhLNg04UEDkM
+90wSayFvM6/dkvHvATT5EXEA0fgu9kxIS/6qDwkCMBqRmguBEYlMqRE5Ar6DT9Dg
+xYYZaRaOpcFR3fBrvuoUoQtjynQH7OEBQ0vWSoEHmTAKBggqhkjOPQQDAwNoADBl
+AjEAikPcXx+k7i2rRhd0sC+U4nRvoWbmaNqouskMTMFLhZR8lqy+Ue25oxjLKB80
+cL9BAjAA8qyl4itjffQIbI2cXBP2h5yZJ91/5lNf5Qp7ogi+1M1uIMVJaRQ++sHC
+/N8yKhw=
+"""
+
+    def setUp(self):
+        self.asn1Spec = rfc2986.CertificationRequest()
+
+    def testDerCodec(self):
+        substrate = pem.readBase64fromText(self.pem_text)
+        asn1Object, rest = der_decoder(substrate, asn1Spec=self.asn1Spec)
+        self.assertFalse(rest)
+        self.assertTrue(asn1Object.prettyPrint())
+        self.assertEqual(substrate, der_encoder(asn1Object))
+
+        certificateAttributesMap = opentypemap.get('certificateAttributesMap')
+        self.assertIn(rfc9763.id_aa_relatedCertRequest, certificateAttributesMap)
+
+        found = False
+        for attr in asn1Object['certificationRequestInfo']['attributes']:
+            if attr['type'] == rfc9763.id_aa_relatedCertRequest:
+                rc, rest = der_decoder(attr['values'][0],
+                    asn1Spec=certificateAttributesMap[attr['type']])
+                self.assertFalse(rest)
+                self.assertTrue(rc.prettyPrint())
+                self.assertEqual(attr['values'][0], der_encoder(rc))
+                self.assertIn("p7c", rc['locationInfo'][0])
+                found = True
+
+        self.assertTrue(found)
+
+    def testOpenTypes(self):
+        substrate = pem.readBase64fromText(self.pem_text)
+        asn1Object, rest = der_decoder(substrate,
+            asn1Spec=self.asn1Spec, decodeOpenTypes=True)
+        self.assertFalse(rest)
+        self.assertTrue(asn1Object.prettyPrint())
+        self.assertEqual(substrate, der_encoder(asn1Object))
+
+        found = False
+        for attr in asn1Object['certificationRequestInfo']['attributes']:
+            if attr['type'] == rfc9763.id_aa_relatedCertRequest:
+                self.assertEqual(0x67ED8823, attr['values'][0]['requestTime'])
+                found = True
+
+        self.assertTrue(found)
+
+
+class CertificationExtensionTestCase(unittest.TestCase):
+    pem_text = """\
+MIIDWTCCAt+gAwIBAgIJAKWzVCgbsG5VMAoGCCqGSM49BAMDMD8xCzAJBgNVBAYT
+AlVTMQswCQYDVQQIDAJWQTEQMA4GA1UEBwwHSGVybmRvbjERMA8GA1UECgwIQm9n
+dXMgQ0EwHhcNMjUwNDA3MjE0OTA3WhcNMjYwNDA3MjE0OTA3WjBOMQswCQYDVQQG
+EwJVUzELMAkGA1UECBMCVkExEDAOBgNVBAcTB0hlcm5kb24xEDAOBgNVBAoTB0V4
+YW1wbGUxDjAMBgNVBAMTBUtlaXRoMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAErg7y
+rZBUSfy3PIIjWV1+A/UOuVYyp3jTIKnaayr2HsKA+Go46023Hgm6fgZJC9YfGXRj
+6qjerTOkLzuKNYBmJVzfdz6abYMdHGzzJKrTscmQsLrVGn+r5A0c1Bz+Socco4IB
+ljCCAZIwHQYDVR0OBBYEFNGhVu4MQu5yVBtg7oXFoxu4dYfvMG8GA1UdIwRoMGaA
+FPI12zQE2qVV8r1pA5mwYuziFQjBoUOkQTA/MQswCQYDVQQGEwJVUzELMAkGA1UE
+CAwCVkExEDAOBgNVBAcMB0hlcm5kb24xETAPBgNVBAoMCEJvZ3VzIENBggkA6JHW
+BpFPzvIwDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCBsAwHAYDVR0RBBUwE4ERa2Vp
+dGhAZXhhbXBsZS5jb20wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRw
+Oi8vb2NzcC5leGFtcGxlLmNvbS8wTQYIKwYBBQUHASQEQTA/MAsGCWCGSAFlAwQC
+AgQw1waLIBpBI+G8TFWN/QwSgRtbm+vLYR3LDeqXla8BDhO/zGp9QJE+9I4SGIvF
+1oE0MEIGCWCGSAGG+EIBDQQ1FjNUaGlzIGNlcnRpZmljYXRlIGNhbm5vdCBiZSB0
+cnVzdGVkIGZvciBhbnkgcHVycG9zZS4wCgYIKoZIzj0EAwMDaAAwZQIxAIWf14uO
+eX39ND1Bx+HDMy40GPZSMASoe6dnxVFgphdzvUnPARM2Qpm/9xvILLj0EgIwIt44
+0y/25Xe4wVX+6kR45V8TbByxs4bYCQcgWfeiw9Bu15yi8BYDhmgAK7LgZd6l
+"""
+
+    def setUp(self):
+        self.asn1Spec = rfc5280.Certificate()
+
+    def testDerCodec(self):
+        substrate = pem.readBase64fromText(self.pem_text)
+        asn1Object, rest = der_decoder(substrate, asn1Spec=self.asn1Spec)
+        self.assertFalse(rest)
+        self.assertTrue(asn1Object.prettyPrint())
+        self.assertEqual(substrate, der_encoder(asn1Object))
+
+        certificateExtensionsMap = opentypemap.get('certificateExtensionsMap')
+        self.assertIn(rfc9763.id_pe_relatedCert, certificateExtensionsMap)
+
+        found = False
+        for extn in asn1Object['tbsCertificate']['extensions']:
+            if extn['extnID'] == rfc9763.id_pe_relatedCert:
+                extnValue, rest = der_decoder(extn['extnValue'],
+                    asn1Spec=certificateExtensionsMap[extn['extnID']])
+                self.assertFalse(rest)
+                self.assertTrue(extnValue.prettyPrint())
+                self.assertEqual(extn['extnValue'], der_encoder(extnValue))
+                self.assertEqual(rfc4055.id_sha384,
+                    extnValue['hashAlgorithm']['algorithm'])
+                found = True
+
+        self.assertTrue(found)
+
+
+suite = unittest.TestLoader().loadTestsFromModule(sys.modules[__name__])
+
+if __name__ == '__main__':
+    result = unittest.TextTestRunner(verbosity=2).run(suite)
+    sys.exit(not result.wasSuccessful())