
@mrts
Last active April 1, 2024 14:11
"""
A small utility that creates OCSP responses for testing the web-eid-authtoken-validation-java library.
Run it as follows:
python -m venv venv
. venv/bin/activate
pip install asn1crypto
python ocsp.py
The result will be in /tmp/ocsp-response.der.
"""
from datetime import datetime
from asn1crypto import x509, ocsp, core
from asn1crypto.util import timezone
# One timestamp, taken once, so that every time field that refers to `now`
# carries exactly the same value.
now = datetime.now(timezone.utc)

# CertID values copied from the Java side with the IntelliJ debugger watch
# expression
#   new GsonBuilder().setPrettyPrinting().create().toJson(requestCertificateId)
# The numbers are Java signed bytes (-128..127). Masking with 0xFF maps each
# one to the unsigned octet (0..255) that bytes() requires; for these values
# it is the same result as taking them modulo 256.

# 20 octets: hash of the issuer's distinguished name.
issuer_name_hash = bytes(
    octet & 0xFF
    for octet in (
        50, -105, 66, -110, -100, 102, -11, 87, 11, -49,
        -45, 36, -114, 84, -120, -42, -47, -82, -85, -85,
    )
)

# 20 octets: hash of the issuer's public key.
issuer_key_hash = bytes(
    octet & 0xFF
    for octet in (
        -64, -124, -103, 41, -60, 78, -97, 59, 2, 52,
        -10, -103, -31, 10, 86, 0, 8, 41, 62, 123,
    )
)

# 16 octets, read as one big-endian unsigned integer: the serial number of
# the certificate whose status the response reports.
serial_number = int.from_bytes(
    bytes(
        octet & 0xFF
        for octet in (
            57, 105, 1, 89, 115, 67, 38, 109,
            91, -56, 87, 119, 94, -59, -92, -66,
        )
    ),
    byteorder='big',
)
# Build the to-be-signed ResponseData of a test-only OCSP response: a single
# entry that reports status "good" for the certificate identified by the
# issuer hashes and serial number defined above.

# CertID of the certificate the response is about.
cert_id = {
    'hash_algorithm': {
        'algorithm': 'sha1',  # OID 1.3.14.3.2.26
        'parameters': {},
    },
    'issuer_name_hash': issuer_name_hash,
    'issuer_key_hash': issuer_key_hash,
    'serial_number': serial_number,
}

single_response = {
    'cert_id': cert_id,
    'cert_status': ocsp.CertStatus(name='good', value=core.Null()),
    # this_update and next_update are the same instant, so the validity
    # window of this entry has zero length.
    # NOTE(review): a validator that compares next_update with its own clock
    # may treat the entry as already expired - confirm the tests expect that.
    'this_update': now,
    'next_update': now,
    # 'single_extensions' is left out on purpose: BouncyCastle no longer
    # accepts an empty extensions list.
}

rd = ocsp.ResponseData({
    # b'1234' is a placeholder key hash, not derived from any responder key.
    'responder_id': ocsp.ResponderId(name='by_key', value=b'1234'),
    'produced_at': now,
    'responses': [single_response],
    # 'response_extensions' is left out on purpose: BouncyCastle no longer
    # accepts an empty extensions list.
})
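# Load the DER-encoded certificate that is attached to the response in its
# 'certs' list.
# NOTE: '/path/to/' is a placeholder - point it at a local checkout of
# web-eid-authtoken-validation-java before running, otherwise open() raises
# FileNotFoundError.
with open('/path/to/web-eid-authtoken-validation-java/src/test/resources/ESTEID2018.cer', 'rb') as f:
    # The body of the `with` statement must be indented; without the indent
    # the script does not parse.
    cert = x509.Certificate.load(f.read())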
# Wrap the ResponseData in a BasicOCSPResponse and then in the outer
# OCSPResponse envelope with status "successful".
basic_response = {
    'tbs_response_data': rd,
    'signature_algorithm': {'algorithm': 'sha1_rsa'},
    # The signature is the 4-byte placeholder b'1234'; nothing is computed
    # over tbs_response_data, so the result is a fixture only. Any validator
    # that verifies the responder's signature has to reject it.
    'signature': b'1234',
    # The same certificate is listed twice.
    # NOTE(review): presumably to exercise handling of several certificates
    # in the response - confirm against the Java tests.
    'certs': [cert, cert],
}

r = ocsp.OCSPResponse({
    'response_status': 'successful',
    'response_bytes': {
        'response_type': 'basic_ocsp_response',
        'response': basic_response,
    },
})
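# Serialise the response and store it at the location named in the module
# docstring.
# NOTE: this is a fixed file name in the shared /tmp directory, and a plain
# open(..., 'wb') follows an existing symlink and truncates its target. On a
# multi-user machine, change the path to a directory only your account can
# write to.
with open('/tmp/ocsp-response.der', 'wb') as f:
    # The body of the `with` statement must be indented; without the indent
    # the script does not parse.
    f.write(r.dump())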