Port tools to Python 3

5 files changed, 155 insertions, 48 deletions

diff --git a/tools/Pipfile b/tools/Pipfile
new file mode 100644
index 0000000..75dd450
--- /dev/null
+++ b/tools/Pipfile
@@ -0,0 +1,12 @@
+[[source]]
+url = "https://pypi.org/simple"
+verify_ssl = true
+name = "pypi"
+
+[packages]
+cryptography = "*"
+
+[dev-packages]
+
+[requires]
+python_version = "3.6"
diff --git a/tools/Pipfile.lock b/tools/Pipfile.lock
new file mode 100644
index 0000000..da2f4ee
--- /dev/null
+++ b/tools/Pipfile.lock
@@ -0,0 +1,110 @@
+{
+    "_meta": {
+        "hash": {
+            "sha256": "688228320144bd6c0942d8b12483fd041545165a9dae2f68cb2b3af03b5220d5"
+        },
+        "pipfile-spec": 6,
+        "requires": {
+            "python_version": "3.6"
+        },
+        "sources": [
+            {
+                "name": "pypi",
+                "url": "https://pypi.org/simple",
+                "verify_ssl": true
+            }
+        ]
+    },
+    "default": {
+        "asn1crypto": {
+            "hashes": [
+                "sha256:2f1adbb7546ed199e3c90ef23ec95c5cf3585bac7d11fb7eb562a3fe89c64e87",
+                "sha256:9d5c20441baf0cb60a4ac34cc447c6c189024b6b4c6cd7877034f4965c464e49"
+            ],
+            "version": "==0.24.0"
+        },
+        "cffi": {
+            "hashes": [
+                "sha256:151b7eefd035c56b2b2e1eb9963c90c6302dc15fbd8c1c0a83a163ff2c7d7743",
+                "sha256:1553d1e99f035ace1c0544050622b7bc963374a00c467edafac50ad7bd276aef",
+                "sha256:1b0493c091a1898f1136e3f4f991a784437fac3673780ff9de3bcf46c80b6b50",
+                "sha256:2ba8a45822b7aee805ab49abfe7eec16b90587f7f26df20c71dd89e45a97076f",
+                "sha256:3bb6bd7266598f318063e584378b8e27c67de998a43362e8fce664c54ee52d30",
+                "sha256:3c85641778460581c42924384f5e68076d724ceac0f267d66c757f7535069c93",
+                "sha256:3eb6434197633b7748cea30bf0ba9f66727cdce45117a712b29a443943733257",
+                "sha256:495c5c2d43bf6cebe0178eb3e88f9c4aa48d8934aa6e3cddb865c058da76756b",
+                "sha256:4c91af6e967c2015729d3e69c2e51d92f9898c330d6a851bf8f121236f3defd3",
+                "sha256:57b2533356cb2d8fac1555815929f7f5f14d68ac77b085d2326b571310f34f6e",
+                "sha256:770f3782b31f50b68627e22f91cb182c48c47c02eb405fd689472aa7b7aa16dc",
+                "sha256:79f9b6f7c46ae1f8ded75f68cf8ad50e5729ed4d590c74840471fc2823457d04",
+                "sha256:7a33145e04d44ce95bcd71e522b478d282ad0eafaf34fe1ec5bbd73e662f22b6",
+                "sha256:857959354ae3a6fa3da6651b966d13b0a8bed6bbc87a0de7b38a549db1d2a359",
+                "sha256:87f37fe5130574ff76c17cab61e7d2538a16f843bb7bca8ebbc4b12de3078596",
+                "sha256:95d5251e4b5ca00061f9d9f3d6fe537247e145a8524ae9fd30a2f8fbce993b5b",
+                "sha256:9d1d3e63a4afdc29bd76ce6aa9d58c771cd1599fbba8cf5057e7860b203710dd",
+                "sha256:a36c5c154f9d42ec176e6e620cb0dd275744aa1d804786a71ac37dc3661a5e95",
+                "sha256:a6a5cb8809091ec9ac03edde9304b3ad82ad4466333432b16d78ef40e0cce0d5",
+                "sha256:ae5e35a2c189d397b91034642cb0eab0e346f776ec2eb44a49a459e6615d6e2e",
+                "sha256:b0f7d4a3df8f06cf49f9f121bead236e328074de6449866515cea4907bbc63d6",
+                "sha256:b75110fb114fa366b29a027d0c9be3709579602ae111ff61674d28c93606acca",
+                "sha256:ba5e697569f84b13640c9e193170e89c13c6244c24400fc57e88724ef610cd31",
+                "sha256:be2a9b390f77fd7676d80bc3cdc4f8edb940d8c198ed2d8c0be1319018c778e1",
+                "sha256:ca1bd81f40adc59011f58159e4aa6445fc585a32bb8ac9badf7a2c1aa23822f2",
+                "sha256:d5d8555d9bfc3f02385c1c37e9f998e2011f0db4f90e250e5bc0c0a85a813085",
+                "sha256:e55e22ac0a30023426564b1059b035973ec82186ddddbac867078435801c7801",
+                "sha256:e90f17980e6ab0f3c2f3730e56d1fe9bcba1891eeea58966e89d352492cc74f4",
+                "sha256:ecbb7b01409e9b782df5ded849c178a0aa7c906cf8c5a67368047daab282b184",
+                "sha256:ed01918d545a38998bfa5902c7c00e0fee90e957ce036a4000a88e3fe2264917",
+                "sha256:edabd457cd23a02965166026fd9bfd196f4324fe6032e866d0f3bd0301cd486f",
+                "sha256:fdf1c1dc5bafc32bc5d08b054f94d659422b05aba244d6be4ddc1c72d9aa70fb"
+            ],
+            "version": "==1.11.5"
+        },
+        "cryptography": {
+            "hashes": [
+                "sha256:02602e1672b62e803e08617ec286041cc453e8d43f093a5f4162095506bc0beb",
+                "sha256:10b48e848e1edb93c1d3b797c83c72b4c387ab0eb4330aaa26da8049a6cbede0",
+                "sha256:17db09db9d7c5de130023657be42689d1a5f60502a14f6f745f6f65a6b8195c0",
+                "sha256:227da3a896df1106b1a69b1e319dce218fa04395e8cc78be7e31ca94c21254bc",
+                "sha256:2cbaa03ac677db6c821dac3f4cdfd1461a32d0615847eedbb0df54bb7802e1f7",
+                "sha256:31db8febfc768e4b4bd826750a70c79c99ea423f4697d1dab764eb9f9f849519",
+                "sha256:4a510d268e55e2e067715d728e4ca6cd26a8e9f1f3d174faf88e6f2cb6b6c395",
+                "sha256:6a88d9004310a198c474d8a822ee96a6dd6c01efe66facdf17cb692512ae5bc0",
+                "sha256:76936ec70a9b72eb8c58314c38c55a0336a2b36de0c7ee8fb874a4547cadbd39",
+                "sha256:7e3b4aecc4040928efa8a7cdaf074e868af32c58ffc9bb77e7bf2c1a16783286",
+                "sha256:8168bcb08403ef144ff1fb880d416f49e2728101d02aaadfe9645883222c0aa5",
+                "sha256:8229ceb79a1792823d87779959184a1bf95768e9248c93ae9f97c7a2f60376a1",
+                "sha256:8a19e9f2fe69f6a44a5c156968d9fc8df56d09798d0c6a34ccc373bb186cee86",
+                "sha256:8d10113ca826a4c29d5b85b2c4e045ffa8bad74fb525ee0eceb1d38d4c70dfd6",
+                "sha256:be495b8ec5a939a7605274b6e59fbc35e76f5ad814ae010eb679529671c9e119",
+                "sha256:dc2d3f3b1548f4d11786616cf0f4415e25b0fbecb8a1d2cd8c07568f13fdde38",
+                "sha256:e4aecdd9d5a3d06c337894c9a6e2961898d3f64fe54ca920a72234a3de0f9cb3",
+                "sha256:e79ab4485b99eacb2166f3212218dd858258f374855e1568f728462b0e6ee0d9",
+                "sha256:f995d3667301e1754c57b04e0bae6f0fa9d710697a9f8d6712e8cca02550910f"
+            ],
+            "index": "pypi",
+            "version": "==2.3.1"
+        },
+        "idna": {
+            "hashes": [
+                "sha256:156a6814fb5ac1fc6850fb002e0852d56c0c8d2531923a51032d1b70760e186e",
+                "sha256:684a38a6f903c1d71d6d5fac066b58d7768af4de2b832e426ec79c30daa94a16"
+            ],
+            "version": "==2.7"
+        },
+        "pycparser": {
+            "hashes": [
+                "sha256:a988718abfad80b6b157acce7bf130a30876d27603738ac39f140993246b25b3"
+            ],
+            "version": "==2.19"
+        },
+        "six": {
+            "hashes": [
+                "sha256:70e8a77beed4562e7f14fe23a786b54f6296e34344c23bc42f07b15018ff98e9",
+                "sha256:832dc0e10feb1aa2c68dcc57dbb658f1c7e65b9b61af69048abc87a2db00a0eb"
+            ],
+            "version": "==1.11.0"
+        }
+    },
+    "develop": {}
+}
diff --git a/tools/ssh_host_keys.py b/tools/ssh_host_keys.py
index df0c45a..8d8eddd 100755
--- a/tools/ssh_host_keys.py
+++ b/tools/ssh_host_keys.py
@@ -1,19 +1,18 @@
 #!/usr/bin/env python
 
-from glob import glob
 import argparse
 import os.path
 import subprocess
+from glob import glob
 
-
-SUPPORTED_SSH_KEYTYPES = ('RSA', 'DSA', 'ECDSA', 'ED25519')
+SUPPORTED_SSH_KEY_TYPES = ('RSA', 'DSA', 'ECDSA', 'ED25519')
 
 
 if __name__ == '__main__':
     parser = argparse.ArgumentParser(
         description=(
             'Convert a set of ssh host keys to the syntax expected by the '
-            'sshkeys directive of the CAcert infrastructur documentation'))
+            'sshkeys directive of the CAcert infrastructure documentation'))
     parser.add_argument(
         'root', metavar='ROOT', type=str, help='root directory'
     )
@@ -25,13 +24,14 @@ if __name__ == '__main__':
     ):
         fp = subprocess.check_output(
             ['ssh-keygen', '-l', '-f', host_key]).strip().split()
-        keys[fp[3][1:-1]] = fp[1]
+        keys[fp[3][1:-1].decode('ascii')] = fp[1].decode('ascii')
 
-    maxlen = max([len(key) for key in keys.keys() if key in SUPPORTED_SSH_KEYTYPES])
+    max_length = max([len(key) for key in keys.keys()
+                      if key in SUPPORTED_SSH_KEY_TYPES])
 
-    print ".. sshkeys::"
+    print(".. sshkeys::")
     for typ, key in [
-        (typ, keys[typ]) for typ in SUPPORTED_SSH_KEYTYPES
+        (typ, keys[typ]) for typ in SUPPORTED_SSH_KEY_TYPES
         if typ in keys
     ]:
-        print "   :%s:%s %s" % (typ, ' ' * (maxlen - len(typ)), key)
+        print("   :{}:{} {}".format(typ, ' ' * (max_length - len(typ)), key))
diff --git a/tools/sslcert.py b/tools/sslcert.py
index cb1dc78..aca3753 100755
--- a/tools/sslcert.py
+++ b/tools/sslcert.py
@@ -2,65 +2,54 @@
 
 from __future__ import print_function
 
-from datetime import datetime
-from hashlib import sha1
 import argparse
 import os.path
+from datetime import datetime
+from hashlib import sha1
 
-from pyasn1_modules import pem
-from pyx509.pkcs7.asn1_models.X509_certificate import Certificate
-from pyx509.pkcs7_models import X509Certificate
-from pyx509.pkcs7.asn1_models.decoder_workarounds import decode
-
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
+from cryptography.x509 import ExtensionOID, NameOID
 
 ALTNAME_MAP = (
-    ('dNSName', 'DNS'),
-    ('rfc822Name', 'EMAIL'),
-    ('iPAddress', 'IP')
+    (x509.DNSName, 'DNS'),
+    (x509.RFC822Name, 'EMAIL'),
+    (x509.IPAddress, 'IP')
 )
 
 
-def x509_parse(derData):
-    """Decodes certificate.
-    @param derData: DER-encoded certificate string
-    @returns: pkcs7_models.X509Certificate
-    """
-    cert = decode(derData, asn1Spec=Certificate())[0]
-    x509cert = X509Certificate(cert)
-    return x509cert
-
-
 def get_altnames(cert):
-    altnames = cert.tbsCertificate.subjAltNameExt.value.values
+    altnames = cert.extensions.get_extension_for_oid(
+        ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
+
     retval = []
-    for typ, data in [(field[1], altnames[field[0]]) for field in ALTNAME_MAP]:
-        for item in sorted(data):
-            retval.append("{typ}:{item}".format(typ=typ, item=item))
+    for altname_type, field_name in ALTNAME_MAP:
+        names = altnames.value.get_values_for_type(altname_type)
+        for item in sorted(names):
+            retval.append("{typ}:{item}".format(typ=field_name, item=item))
     return ", ".join(retval)
 
 
 def get_serial(cert):
-    serial = "%X" % cert.tbsCertificate.serial_number
+    serial = "%X" % cert.serial_number
     return "0" * (len(serial) % 2) + serial
 
 
 def get_expiration(cert):
-    return datetime.strptime(
-        cert.tbsCertificate.validity.valid_to, '%Y%m%d%H%M%SZ'
-    ).strftime('%b %d %H:%M:%S %Y GMT')
+    return cert.not_valid_after.strftime('%b %d %H:%M:%S %Y GMT')
 
 
 def get_sha1fp(certdata):
     hexhash = sha1(certdata).hexdigest().upper()
-    return ":".join([hexhash[i:i+2] for i in range(0, len(hexhash), 2)])
+    return ":".join([hexhash[i:i + 2] for i in range(0, len(hexhash), 2)])
 
 
 def get_issuer(cert):
-    return cert.tbsCertificate.issuer.get_attributes()['CN'][0]
+    return cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
 
 
 def get_subject(cert):
-    return cert.tbsCertificate.subject.get_attributes()['CN'][0]
+    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
 
 
 if __name__ == '__main__':
@@ -70,10 +59,10 @@ if __name__ == '__main__':
             'X.509 certificate file and its corresponding PEM encoded RSA key '
             'file.'))
     parser.add_argument(
-        'cert', metavar='CERT', type=open,
+        'cert', metavar='CERT', type=argparse.FileType('rb'),
         help='PEM encoded X.509 certficate file')
     parser.add_argument(
-        '--key', metavar='KEY', type=open,
+        '--key', metavar='KEY', type=argparse.FileType('rb'),
         help='PEM encoded RSA private key', default=None)
     parser.add_argument(
         '--root', metavar='ROOT', type=str,
@@ -81,20 +70,19 @@ if __name__ == '__main__':
 
     args = parser.parse_args()
 
-    certpem = pem.readPemFromFile(args.cert)
     certpath = os.path.abspath(args.cert.name)
     if args.root:
         certpath = '/' + os.path.relpath(certpath, args.root)
     if args.key:
         haskey = True
-        keypem = pem.readPemFromFile(args.key)
         keypath = os.path.abspath(args.key.name)
         if args.root:
             keypath = '/' + os.path.relpath(keypath, args.root)
     else:
         keypath = 'TODO: define key path'
 
-    cert = x509_parse(certpem)
+    certpem = args.cert.read()
+    cert = x509.load_pem_x509_certificate(certpem, default_backend())
     data = {
         'altnames': get_altnames(cert),
         'certfile': certpath,
diff --git a/tools/tool-requirements.txt b/tools/tool-requirements.txt
deleted file mode 100644
index e00844f..0000000
--- a/tools/tool-requirements.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-pyasn1==0.1.9
-pyasn1-modules==0.0.8
-git+https://github.com/hiviah/pyx509@a35702c3d514c96d75a1c3498307a16991cdd0d3#egg=pyx509